last executing test programs:

430.677704ms ago: executing program 1 (id=2):
symlinkat(&(0x7f0000000000), 0xffffffffffffffff, &(0x7f0000000000))

418.028486ms ago: executing program 4 (id=5):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/selinux/commit_pending_bools', 0x1, 0x0)

362.953418ms ago: executing program 3 (id=4):
lremovexattr(&(0x7f0000000000), &(0x7f0000000000))

362.784084ms ago: executing program 1 (id=14):
rt_tgsigqueueinfo(0x0, 0x0, 0x0, &(0x7f0000000000))

351.944261ms ago: executing program 4 (id=16):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/input/mice', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/input/mice', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/input/mice', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/input/mice', 0x800, 0x0)

347.923288ms ago: executing program 3 (id=17):
sched_setaffinity(0x0, 0x0, &(0x7f0000000000))

291.145104ms ago: executing program 3 (id=20):
socket$inet_dccp(0x2, 0x6, 0x0)

291.109302ms ago: executing program 1 (id=21):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/proc/sys/net/ipv4/tcp_congestion_control', 0x1, 0x0)

287.908774ms ago: executing program 3 (id=24):
socket$rxrpc(0x21, 0x2, 0x0)

281.77494ms ago: executing program 4 (id=26):
msync(0x0, 0x0, 0x0)

274.228539ms ago: executing program 2 (id=27):
remap_file_pages(0x0, 0x0, 0x0, 0x0, 0x0)

227.341098ms ago: executing program 1 (id=28):
mlockall(0x0)

227.220287ms ago: executing program 4 (id=29):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ocfs2_control', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ocfs2_control', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ocfs2_control', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ocfs2_control', 0x800, 0x0)

227.098051ms ago: executing program 3 (id=30):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/selinux/avc/cache_threshold', 0x2, 0x0)

226.984169ms ago: executing program 0 (id=31):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vcsu', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vcsu', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/vcsu', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vcsu', 0x800, 0x0)

226.874729ms ago: executing program 4 (id=32):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/video1', 0x2, 0x0)

226.83913ms ago: executing program 1 (id=33):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/rfkill', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/rfkill', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/rfkill', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/rfkill', 0x800, 0x0)

183.489282ms ago: executing program 0 (id=35):
getrandom(&(0x7f0000000000), 0x0, 0x0)

183.315637ms ago: executing program 1 (id=36):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ppp', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ppp', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ppp', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ppp', 0x800, 0x0)

183.25863ms ago: executing program 2 (id=37):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dma_heap/system', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dma_heap/system', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/dma_heap/system', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dma_heap/system', 0x800, 0x0)

183.09699ms ago: executing program 4 (id=38):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/xen/evtchn', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/xen/evtchn', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/xen/evtchn', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/xen/evtchn', 0x800, 0x0)

152.833605ms ago: executing program 0 (id=39):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/md0', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/md0', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/md0', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/md0', 0x800, 0x0)

152.729453ms ago: executing program 2 (id=40):
syz_open_dev$vcsa(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$vcsa(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$vcsa(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$vcsa(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$vcsa(&(0x7f0000000140), 0x1, 0x0)
syz_open_dev$vcsa(&(0x7f0000000180), 0x1, 0x1)
syz_open_dev$vcsa(&(0x7f00000001c0), 0x1, 0x2)
syz_open_dev$vcsa(&(0x7f0000000200), 0x1, 0x800)
syz_open_dev$vcsa(&(0x7f0000000240), 0x2, 0x0)
syz_open_dev$vcsa(&(0x7f0000000280), 0x2, 0x1)
syz_open_dev$vcsa(&(0x7f00000002c0), 0x2, 0x2)
syz_open_dev$vcsa(&(0x7f0000000300), 0x2, 0x800)
syz_open_dev$vcsa(&(0x7f0000000340), 0x3, 0x0)
syz_open_dev$vcsa(&(0x7f0000000380), 0x3, 0x1)
syz_open_dev$vcsa(&(0x7f00000003c0), 0x3, 0x2)
syz_open_dev$vcsa(&(0x7f0000000400), 0x3, 0x800)
syz_open_dev$vcsa(&(0x7f0000000440), 0x4, 0x0)
syz_open_dev$vcsa(&(0x7f0000000480), 0x4, 0x1)
syz_open_dev$vcsa(&(0x7f00000004c0), 0x4, 0x2)
syz_open_dev$vcsa(&(0x7f0000000500), 0x4, 0x800)

81.197786ms ago: executing program 0 (id=43):
syz_open_dev$usbfs(&(0x7f0000000040), 0x1, 0x0)
syz_open_dev$usbfs(&(0x7f0000000080), 0x1, 0x1)
syz_open_dev$usbfs(&(0x7f00000000c0), 0x1, 0x2)
syz_open_dev$usbfs(&(0x7f0000000100), 0x1, 0x800)
syz_open_dev$usbfs(&(0x7f0000000140), 0xb, 0x0)
syz_open_dev$usbfs(&(0x7f0000000180), 0xb, 0x1)
syz_open_dev$usbfs(&(0x7f00000001c0), 0xb, 0x2)
syz_open_dev$usbfs(&(0x7f0000000200), 0xb, 0x800)
syz_open_dev$usbfs(&(0x7f0000000240), 0x15, 0x0)
syz_open_dev$usbfs(&(0x7f0000000280), 0x15, 0x1)
syz_open_dev$usbfs(&(0x7f00000002c0), 0x15, 0x2)
syz_open_dev$usbfs(&(0x7f0000000300), 0x15, 0x800)
syz_open_dev$usbfs(&(0x7f0000000340), 0x1f, 0x0)
syz_open_dev$usbfs(&(0x7f0000000380), 0x1f, 0x1)
syz_open_dev$usbfs(&(0x7f00000003c0), 0x1f, 0x2)
syz_open_dev$usbfs(&(0x7f0000000400), 0x1f, 0x800)
syz_open_dev$usbfs(&(0x7f0000000440), 0x29, 0x0)
syz_open_dev$usbfs(&(0x7f0000000480), 0x29, 0x1)
syz_open_dev$usbfs(&(0x7f00000004c0), 0x29, 0x2)
syz_open_dev$usbfs(&(0x7f0000000500), 0x29, 0x800)

81.078417ms ago: executing program 2 (id=44):
syz_open_dev$sndmidi(&(0x7f0000000040), 0x1, 0x0)
syz_open_dev$sndmidi(&(0x7f0000000080), 0x1, 0x1)
syz_open_dev$sndmidi(&(0x7f00000000c0), 0x1, 0x2)
syz_open_dev$sndmidi(&(0x7f0000000100), 0x1, 0x800)
syz_open_dev$sndmidi(&(0x7f0000000140), 0xb, 0x0)
syz_open_dev$sndmidi(&(0x7f0000000180), 0xb, 0x1)
syz_open_dev$sndmidi(&(0x7f00000001c0), 0xb, 0x2)
syz_open_dev$sndmidi(&(0x7f0000000200), 0xb, 0x800)
syz_open_dev$sndmidi(&(0x7f0000000240), 0x15, 0x0)
syz_open_dev$sndmidi(&(0x7f0000000280), 0x15, 0x1)
syz_open_dev$sndmidi(&(0x7f00000002c0), 0x15, 0x2)
syz_open_dev$sndmidi(&(0x7f0000000300), 0x15, 0x800)
syz_open_dev$sndmidi(&(0x7f0000000340), 0x1f, 0x0)
syz_open_dev$sndmidi(&(0x7f0000000380), 0x1f, 0x1)
syz_open_dev$sndmidi(&(0x7f00000003c0), 0x1f, 0x2)
syz_open_dev$sndmidi(&(0x7f0000000400), 0x1f, 0x800)
syz_open_dev$sndmidi(&(0x7f0000000440), 0x29, 0x0)
syz_open_dev$sndmidi(&(0x7f0000000480), 0x29, 0x1)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x29, 0x2)
syz_open_dev$sndmidi(&(0x7f0000000500), 0x29, 0x800)

48.221643ms ago: executing program 0 (id=45):
syz_open_dev$usbfs(&(0x7f0000000040), 0x2, 0x0)
syz_open_dev$usbfs(&(0x7f0000000080), 0x2, 0x1)
syz_open_dev$usbfs(&(0x7f00000000c0), 0x2, 0x2)
syz_open_dev$usbfs(&(0x7f0000000100), 0x2, 0x800)
syz_open_dev$usbfs(&(0x7f0000000140), 0xc, 0x0)
syz_open_dev$usbfs(&(0x7f0000000180), 0xc, 0x1)
syz_open_dev$usbfs(&(0x7f00000001c0), 0xc, 0x2)
syz_open_dev$usbfs(&(0x7f0000000200), 0xc, 0x800)
syz_open_dev$usbfs(&(0x7f0000000240), 0x16, 0x0)
syz_open_dev$usbfs(&(0x7f0000000280), 0x16, 0x1)
syz_open_dev$usbfs(&(0x7f00000002c0), 0x16, 0x2)
syz_open_dev$usbfs(&(0x7f0000000300), 0x16, 0x800)
syz_open_dev$usbfs(&(0x7f0000000340), 0x20, 0x0)
syz_open_dev$usbfs(&(0x7f0000000380), 0x20, 0x1)
syz_open_dev$usbfs(&(0x7f00000003c0), 0x20, 0x2)
syz_open_dev$usbfs(&(0x7f0000000400), 0x20, 0x800)
syz_open_dev$usbfs(&(0x7f0000000440), 0x2a, 0x0)
syz_open_dev$usbfs(&(0x7f0000000480), 0x2a, 0x1)
syz_open_dev$usbfs(&(0x7f00000004c0), 0x2a, 0x2)
syz_open_dev$usbfs(&(0x7f0000000500), 0x2a, 0x800)

47.624266ms ago: executing program 2 (id=46):
syz_open_dev$sndmidi(&(0x7f0000000040), 0x2, 0x0)
syz_open_dev$sndmidi(&(0x7f0000000080), 0x2, 0x1)
syz_open_dev$sndmidi(&(0x7f00000000c0), 0x2, 0x2)
syz_open_dev$sndmidi(&(0x7f0000000100), 0x2, 0x800)
syz_open_dev$sndmidi(&(0x7f0000000140), 0xc, 0x0)
syz_open_dev$sndmidi(&(0x7f0000000180), 0xc, 0x1)
syz_open_dev$sndmidi(&(0x7f00000001c0), 0xc, 0x2)
syz_open_dev$sndmidi(&(0x7f0000000200), 0xc, 0x800)
syz_open_dev$sndmidi(&(0x7f0000000240), 0x16, 0x0)
syz_open_dev$sndmidi(&(0x7f0000000280), 0x16, 0x1)
syz_open_dev$sndmidi(&(0x7f00000002c0), 0x16, 0x2)
syz_open_dev$sndmidi(&(0x7f0000000300), 0x16, 0x800)
syz_open_dev$sndmidi(&(0x7f0000000340), 0x20, 0x0)
syz_open_dev$sndmidi(&(0x7f0000000380), 0x20, 0x1)
syz_open_dev$sndmidi(&(0x7f00000003c0), 0x20, 0x2)
syz_open_dev$sndmidi(&(0x7f0000000400), 0x20, 0x800)
syz_open_dev$sndmidi(&(0x7f0000000440), 0x2a, 0x0)
syz_open_dev$sndmidi(&(0x7f0000000480), 0x2a, 0x1)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2a, 0x2)
syz_open_dev$sndmidi(&(0x7f0000000500), 0x2a, 0x800)

612.861µs ago: executing program 0 (id=47):
syz_open_dev$usbfs(&(0x7f0000000040), 0x3, 0x0)
syz_open_dev$usbfs(&(0x7f0000000080), 0x3, 0x1)
syz_open_dev$usbfs(&(0x7f00000000c0), 0x3, 0x2)
syz_open_dev$usbfs(&(0x7f0000000100), 0x3, 0x800)
syz_open_dev$usbfs(&(0x7f0000000140), 0xd, 0x0)
syz_open_dev$usbfs(&(0x7f0000000180), 0xd, 0x1)
syz_open_dev$usbfs(&(0x7f00000001c0), 0xd, 0x2)
syz_open_dev$usbfs(&(0x7f0000000200), 0xd, 0x800)
syz_open_dev$usbfs(&(0x7f0000000240), 0x17, 0x0)
syz_open_dev$usbfs(&(0x7f0000000280), 0x17, 0x1)
syz_open_dev$usbfs(&(0x7f00000002c0), 0x17, 0x2)
syz_open_dev$usbfs(&(0x7f0000000300), 0x17, 0x800)
syz_open_dev$usbfs(&(0x7f0000000340), 0x21, 0x0)
syz_open_dev$usbfs(&(0x7f0000000380), 0x21, 0x1)
syz_open_dev$usbfs(&(0x7f00000003c0), 0x21, 0x2)
syz_open_dev$usbfs(&(0x7f0000000400), 0x21, 0x800)
syz_open_dev$usbfs(&(0x7f0000000440), 0x2b, 0x0)
syz_open_dev$usbfs(&(0x7f0000000480), 0x2b, 0x1)
syz_open_dev$usbfs(&(0x7f00000004c0), 0x2b, 0x2)
syz_open_dev$usbfs(&(0x7f0000000500), 0x2b, 0x800)

0s ago: executing program 2 (id=48):
syz_open_dev$sndmidi(&(0x7f0000000040), 0x3, 0x0)
syz_open_dev$sndmidi(&(0x7f0000000080), 0x3, 0x1)
syz_open_dev$sndmidi(&(0x7f00000000c0), 0x3, 0x2)
syz_open_dev$sndmidi(&(0x7f0000000100), 0x3, 0x800)
syz_open_dev$sndmidi(&(0x7f0000000140), 0xd, 0x0)
syz_open_dev$sndmidi(&(0x7f0000000180), 0xd, 0x1)
syz_open_dev$sndmidi(&(0x7f00000001c0), 0xd, 0x2)
syz_open_dev$sndmidi(&(0x7f0000000200), 0xd, 0x800)
syz_open_dev$sndmidi(&(0x7f0000000240), 0x17, 0x0)
syz_open_dev$sndmidi(&(0x7f0000000280), 0x17, 0x1)
syz_open_dev$sndmidi(&(0x7f00000002c0), 0x17, 0x2)
syz_open_dev$sndmidi(&(0x7f0000000300), 0x17, 0x800)
syz_open_dev$sndmidi(&(0x7f0000000340), 0x21, 0x0)
syz_open_dev$sndmidi(&(0x7f0000000380), 0x21, 0x1)
syz_open_dev$sndmidi(&(0x7f00000003c0), 0x21, 0x2)
syz_open_dev$sndmidi(&(0x7f0000000400), 0x21, 0x800)
syz_open_dev$sndmidi(&(0x7f0000000440), 0x2b, 0x0)
syz_open_dev$sndmidi(&(0x7f0000000480), 0x2b, 0x1)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2b, 0x2)
syz_open_dev$sndmidi(&(0x7f0000000500), 0x2b, 0x800)

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.0.6' (ED25519) to the list of known hosts.
[   62.252525][ T5818] cgroup: Unknown subsys name 'net'
[   62.380979][ T5818] cgroup: Unknown subsys name 'cpuset'
[   62.389796][ T5818] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   63.755533][ T5818] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   65.825058][ T5863] mmap: syz.2.27 (5863) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst.
[   66.253237][ T5878] ==================================================================
[   66.261442][ T5878] BUG: KASAN: slab-use-after-free in binder_add_device+0x5f/0xa0
[   66.269208][ T5878] Write of size 8 at addr ffff888079d15008 by task syz-executor/5878
[   66.277375][ T5878] 
[   66.279817][ T5878] CPU: 1 UID: 0 PID: 5878 Comm: syz-executor Not tainted 6.13.0-next-20250123-syzkaller #0
[   66.279837][ T5878] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[   66.279851][ T5878] Call Trace:
[   66.279858][ T5878]  <TASK>
[   66.279865][ T5878]  dump_stack_lvl+0x241/0x360
[   66.279890][ T5878]  ? __pfx_dump_stack_lvl+0x10/0x10
[   66.279906][ T5878]  ? __pfx__printk+0x10/0x10
[   66.279922][ T5878]  ? _printk+0xd5/0x120
[   66.279936][ T5878]  ? __virt_addr_valid+0x183/0x530
[   66.279958][ T5878]  ? __virt_addr_valid+0x183/0x530
[   66.279980][ T5878]  print_report+0x169/0x550
[   66.280004][ T5878]  ? __virt_addr_valid+0x183/0x530
[   66.280024][ T5878]  ? __virt_addr_valid+0x183/0x530
[   66.280043][ T5878]  ? __virt_addr_valid+0x45f/0x530
[   66.280062][ T5878]  ? __phys_addr+0xba/0x170
[   66.280082][ T5878]  ? binder_add_device+0x5f/0xa0
[   66.280103][ T5878]  kasan_report+0x143/0x180
[   66.280125][ T5878]  ? binder_add_device+0x5f/0xa0
[   66.280147][ T5878]  binder_add_device+0x5f/0xa0
[   66.280168][ T5878]  binderfs_binder_device_create+0x7bf/0x9c0
[   66.280192][ T5878]  binderfs_fill_super+0x944/0xd90
[   66.280215][ T5878]  ? __pfx_binderfs_fill_super+0x10/0x10
[   66.280243][ T5878]  ? shrinker_register+0x160/0x230
[   66.280264][ T5878]  ? sget_fc+0x909/0x9c0
[   66.280283][ T5878]  ? __pfx_set_anon_super_fc+0x10/0x10
[   66.280302][ T5878]  ? __pfx_binderfs_fill_super+0x10/0x10
[   66.280322][ T5878]  get_tree_nodev+0xb7/0x140
[   66.280342][ T5878]  vfs_get_tree+0x90/0x2b0
[   66.280362][ T5878]  do_new_mount+0x2be/0xb40
[   66.280380][ T5878]  ? __pfx_do_new_mount+0x10/0x10
[   66.280399][ T5878]  __se_sys_mount+0x2d6/0x3c0
[   66.280414][ T5878]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   66.280435][ T5878]  ? __pfx___se_sys_mount+0x10/0x10
[   66.280451][ T5878]  ? do_syscall_64+0x100/0x230
[   66.280469][ T5878]  ? __x64_sys_mount+0x20/0xc0
[   66.280485][ T5878]  do_syscall_64+0xf3/0x230
[   66.280501][ T5878]  ? clear_bhb_loop+0x35/0x90
[   66.280524][ T5878]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   66.280547][ T5878] RIP: 0033:0x7ff0f2b8e4ca
[   66.280566][ T5878] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   66.280579][ T5878] RSP: 002b:00007ffef54b37f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   66.280597][ T5878] RAX: ffffffffffffffda RBX: 00007ff0f2c0e663 RCX: 00007ff0f2b8e4ca
[   66.280608][ T5878] RDX: 00007ff0f2c1dd57 RSI: 00007ff0f2c0e663 RDI: 00007ff0f2c1dd57
[   66.280619][ T5878] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   66.280629][ T5878] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff0f2c28440
[   66.280639][ T5878] R13: 00007ffef54b3878 R14: 0000000000000009 R15: 0000000000000000
[   66.280654][ T5878]  </TASK>
[   66.280660][ T5878] 
[   66.554669][ T5878] Allocated by task 5832:
[   66.559074][ T5878]  kasan_save_track+0x3f/0x80
[   66.563744][ T5878]  __kasan_kmalloc+0x98/0xb0
[   66.568412][ T5878]  __kmalloc_cache_noprof+0x243/0x390
[   66.573870][ T5878]  binderfs_binder_device_create+0x16c/0x9c0
[   66.579851][ T5878]  binderfs_fill_super+0x944/0xd90
[   66.584982][ T5878]  get_tree_nodev+0xb7/0x140
[   66.589561][ T5878]  vfs_get_tree+0x90/0x2b0
[   66.593993][ T5878]  do_new_mount+0x2be/0xb40
[   66.598492][ T5878]  __se_sys_mount+0x2d6/0x3c0
[   66.603160][ T5878]  do_syscall_64+0xf3/0x230
[   66.607672][ T5878]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   66.613555][ T5878] 
[   66.615865][ T5878] Freed by task 5832:
[   66.619827][ T5878]  kasan_save_track+0x3f/0x80
[   66.624583][ T5878]  kasan_save_free_info+0x40/0x50
[   66.629594][ T5878]  __kasan_slab_free+0x59/0x70
[   66.634354][ T5878]  kfree+0x196/0x430
[   66.638234][ T5878]  evict+0x4e8/0x9a0
[   66.642120][ T5878]  __dentry_kill+0x20d/0x630
[   66.646968][ T5878]  shrink_kill+0xa9/0x2c0
[   66.651383][ T5878]  shrink_dentry_list+0x2c0/0x5b0
[   66.656493][ T5878]  shrink_dcache_parent+0xcb/0x3b0
[   66.661677][ T5878]  do_one_tree+0x23/0xe0
[   66.666084][ T5878]  shrink_dcache_for_umount+0xb4/0x180
[   66.671535][ T5878]  generic_shutdown_super+0x6a/0x2d0
[   66.676926][ T5878]  kill_litter_super+0x76/0xb0
[   66.681681][ T5878]  binderfs_kill_super+0x44/0x90
[   66.686607][ T5878]  deactivate_locked_super+0xc4/0x130
[   66.691967][ T5878]  cleanup_mnt+0x41f/0x4b0
[   66.696377][ T5878]  task_work_run+0x24f/0x310
[   66.700954][ T5878]  do_exit+0xa2a/0x28e0
[   66.705122][ T5878]  do_group_exit+0x207/0x2c0
[   66.709702][ T5878]  get_signal+0x16b2/0x1750
[   66.714193][ T5878]  arch_do_signal_or_restart+0x96/0x860
[   66.719727][ T5878]  syscall_exit_to_user_mode+0xce/0x340
[   66.725259][ T5878]  do_syscall_64+0x100/0x230
[   66.729861][ T5878]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   66.735829][ T5878] 
[   66.738142][ T5878] The buggy address belongs to the object at ffff888079d15000
[   66.738142][ T5878]  which belongs to the cache kmalloc-512 of size 512
[   66.752180][ T5878] The buggy address is located 8 bytes inside of
[   66.752180][ T5878]  freed 512-byte region [ffff888079d15000, ffff888079d15200)
[   66.765844][ T5878] 
[   66.768220][ T5878] The buggy address belongs to the physical page:
[   66.774649][ T5878] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x79d14
[   66.783504][ T5878] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   66.792080][ T5878] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[   66.799625][ T5878] page_type: f5(slab)
[   66.803591][ T5878] raw: 00fff00000000040 ffff88801ac41c80 dead000000000122 0000000000000000
[   66.812158][ T5878] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[   66.820733][ T5878] head: 00fff00000000040 ffff88801ac41c80 dead000000000122 0000000000000000
[   66.829398][ T5878] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[   66.838106][ T5878] head: 00fff00000000002 ffffea0001e74501 ffffffffffffffff 0000000000000000
[   66.846769][ T5878] head: 0000000700000004 0000000000000000 00000000ffffffff 0000000000000000
[   66.855463][ T5878] page dumped because: kasan: bad access detected
[   66.861888][ T5878] page_owner tracks the page as allocated
[   66.867596][ T5878] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5831, tgid 5831 (syz-executor), ts 65669144125, free_ts 61637236059
[   66.889030][ T5878]  post_alloc_hook+0x1f4/0x240
[   66.893798][ T5878]  get_page_from_freelist+0x365c/0x37a0
[   66.899335][ T5878]  __alloc_frozen_pages_noprof+0x292/0x710
[   66.905133][ T5878]  alloc_pages_mpol+0x311/0x660
[   66.909970][ T5878]  allocate_slab+0x8f/0x3a0
[   66.914460][ T5878]  ___slab_alloc+0xc27/0x14a0
[   66.919123][ T5878]  __slab_alloc+0x58/0xa0
[   66.923530][ T5878]  __kmalloc_cache_noprof+0x27b/0x390
[   66.928922][ T5878]  binderfs_binder_device_create+0x16c/0x9c0
[   66.934897][ T5878]  binderfs_fill_super+0x944/0xd90
[   66.940009][ T5878]  get_tree_nodev+0xb7/0x140
[   66.944624][ T5878]  vfs_get_tree+0x90/0x2b0
[   66.949032][ T5878]  do_new_mount+0x2be/0xb40
[   66.953529][ T5878]  __se_sys_mount+0x2d6/0x3c0
[   66.958191][ T5878]  do_syscall_64+0xf3/0x230
[   66.963120][ T5878]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   66.969024][ T5878] page last free pid 5818 tgid 5818 stack trace:
[   66.975352][ T5878]  free_unref_folios+0xe40/0x18b0
[   66.980565][ T5878]  folios_put_refs+0x76c/0x860
[   66.985340][ T5878]  free_pages_and_swap_cache+0x2e5/0x690
[   66.990999][ T5878]  tlb_flush_mmu+0x3a3/0x680
[   66.995600][ T5878]  tlb_finish_mmu+0xd4/0x200
[   67.000186][ T5878]  vms_clear_ptes+0x432/0x530
[   67.004853][ T5878]  vms_complete_munmap_vmas+0x210/0x8f0
[   67.010401][ T5878]  do_vmi_align_munmap+0x5ef/0x6f0
[   67.015506][ T5878]  do_vmi_munmap+0x24e/0x2d0
[   67.020119][ T5878]  __vm_munmap+0x372/0x510
[   67.024558][ T5878]  __x64_sys_munmap+0x60/0x70
[   67.029244][ T5878]  do_syscall_64+0xf3/0x230
[   67.033750][ T5878]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   67.039734][ T5878] 
[   67.042080][ T5878] Memory state around the buggy address:
[   67.047793][ T5878]  ffff888079d14f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[   67.055850][ T5878]  ffff888079d14f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   67.063984][ T5878] >ffff888079d15000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.072116][ T5878]                       ^
[   67.076452][ T5878]  ffff888079d15080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.084511][ T5878]  ffff888079d15100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.092645][ T5878] ==================================================================
[   67.146574][ T5878] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   67.153829][ T5878] CPU: 1 UID: 0 PID: 5878 Comm: syz-executor Not tainted 6.13.0-next-20250123-syzkaller #0
[   67.163833][ T5878] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[   67.173907][ T5878] Call Trace:
[   67.177199][ T5878]  <TASK>
[   67.180148][ T5878]  dump_stack_lvl+0x241/0x360
[   67.184933][ T5878]  ? __pfx_dump_stack_lvl+0x10/0x10
[   67.190148][ T5878]  ? __pfx__printk+0x10/0x10
[   67.194835][ T5878]  ? preempt_schedule+0xe1/0xf0
[   67.199711][ T5878]  ? vscnprintf+0x5d/0x90
[   67.204060][ T5878]  panic+0x349/0x880
[   67.207967][ T5878]  ? check_panic_on_warn+0x21/0xb0
[   67.213097][ T5878]  ? __pfx_panic+0x10/0x10
[   67.217542][ T5878]  ? _raw_spin_unlock_irqrestore+0x130/0x140
[   67.223548][ T5878]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   67.229883][ T5878]  ? print_report+0x502/0x550
[   67.234583][ T5878]  check_panic_on_warn+0x86/0xb0
[   67.239532][ T5878]  ? binder_add_device+0x5f/0xa0
[   67.244475][ T5878]  end_report+0x77/0x160
[   67.248717][ T5878]  kasan_report+0x154/0x180
[   67.253217][ T5878]  ? binder_add_device+0x5f/0xa0
[   67.258148][ T5878]  binder_add_device+0x5f/0xa0
[   67.262914][ T5878]  binderfs_binder_device_create+0x7bf/0x9c0
[   67.268977][ T5878]  binderfs_fill_super+0x944/0xd90
[   67.274085][ T5878]  ? __pfx_binderfs_fill_super+0x10/0x10
[   67.279719][ T5878]  ? shrinker_register+0x160/0x230
[   67.284844][ T5878]  ? sget_fc+0x909/0x9c0
[   67.289082][ T5878]  ? __pfx_set_anon_super_fc+0x10/0x10
[   67.294541][ T5878]  ? __pfx_binderfs_fill_super+0x10/0x10
[   67.300173][ T5878]  get_tree_nodev+0xb7/0x140
[   67.304758][ T5878]  vfs_get_tree+0x90/0x2b0
[   67.309175][ T5878]  do_new_mount+0x2be/0xb40
[   67.313670][ T5878]  ? __pfx_do_new_mount+0x10/0x10
[   67.318685][ T5878]  __se_sys_mount+0x2d6/0x3c0
[   67.323377][ T5878]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   67.329440][ T5878]  ? __pfx___se_sys_mount+0x10/0x10
[   67.334644][ T5878]  ? do_syscall_64+0x100/0x230
[   67.339398][ T5878]  ? __x64_sys_mount+0x20/0xc0
[   67.344150][ T5878]  do_syscall_64+0xf3/0x230
[   67.348674][ T5878]  ? clear_bhb_loop+0x35/0x90
[   67.353356][ T5878]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   67.359332][ T5878] RIP: 0033:0x7ff0f2b8e4ca
[   67.363745][ T5878] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   67.383352][ T5878] RSP: 002b:00007ffef54b37f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   67.391850][ T5878] RAX: ffffffffffffffda RBX: 00007ff0f2c0e663 RCX: 00007ff0f2b8e4ca
[   67.400046][ T5878] RDX: 00007ff0f2c1dd57 RSI: 00007ff0f2c0e663 RDI: 00007ff0f2c1dd57
[   67.408014][ T5878] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   67.415976][ T5878] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff0f2c28440
[   67.423959][ T5878] R13: 00007ffef54b3878 R14: 0000000000000009 R15: 0000000000000000
[   67.431957][ T5878]  </TASK>
[   67.435344][ T5878] Kernel Offset: disabled
[   67.439750][ T5878] Rebooting in 86400 seconds..