Warning: Permanently added '10.128.0.117' (ED25519) to the list of known hosts.
executing program
executing program
executing program
[ 86.739677][ T5820] ==================================================================
[ 86.747827][ T5820] BUG: KASAN: slab-use-after-free in binder_add_device+0x5f/0xa0
[ 86.755612][ T5820] Write of size 8 at addr ffff888027726808 by task syz-executor325/5820
[ 86.763949][ T5820]
[ 86.766283][ T5820] CPU: 0 UID: 0 PID: 5820 Comm: syz-executor325 Not tainted 6.15.0-rc5-syzkaller-00022-g01f95500a162 #0 PREEMPT(full)
[ 86.766313][ T5820] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/29/2025
executing program
executing program
executing program
[ 86.766328][ T5820] Call Trace:
[ 86.766337][ T5820]
[ 86.766347][ T5820]  dump_stack_lvl+0x189/0x250
[ 86.766391][ T5820]  ? __kasan_check_byte+0x12/0x40
[ 86.766439][ T5820]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 86.766472][ T5820]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 86.766501][ T5820]  ? lock_release+0x4b/0x3e0
[ 86.766535][ T5820]  ? lock_release+0x4b/0x3e0
[ 86.766570][ T5820]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 86.766597][ T5820]  ? __virt_addr_valid+0x469/0x540
[ 86.766635][ T5820]  print_report+0xb4/0x290
[ 86.766666][ T5820]  ? binder_add_device+0x5f/0xa0
[ 86.766698][ T5820]  kasan_report+0x118/0x150
[ 86.766727][ T5820]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 86.766757][ T5820]  ? binder_add_device+0x5f/0xa0
[ 86.766792][ T5820]  binder_add_device+0x5f/0xa0
[ 86.766825][ T5820]  binderfs_binder_device_create+0x8b7/0xaf0
[ 86.766862][ T5820]  binderfs_fill_super+0xa0e/0xe90
[ 86.766897][ T5820]  ? __pfx_binderfs_fill_super+0x10/0x10
[ 86.766941][ T5820]  ? shrinker_register+0x16b/0x230
[ 86.766967][ T5820]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 86.766993][ T5820]  ? sget_fc+0x962/0xa40
[ 86.767017][ T5820]  ? __pfx_set_anon_super_fc+0x10/0x10
[ 86.767048][ T5820]  ? __pfx_binderfs_fill_super+0x10/0x10
[ 86.767077][ T5820]  get_tree_nodev+0xbb/0x150
[ 86.767104][ T5820]  vfs_get_tree+0x92/0x2b0
[ 86.767133][ T5820]  do_new_mount+0x24a/0xa40
[ 86.767169][ T5820]  __se_sys_mount+0x317/0x410
[ 86.767204][ T5820]  ? __pfx___se_sys_mount+0x10/0x10
[ 86.767238][ T5820]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 86.767265][ T5820]  ? __x64_sys_mount+0x20/0xc0
[ 86.767297][ T5820]  do_syscall_64+0xf6/0x210
[ 86.767328][ T5820]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 86.767356][ T5820]  ? exc_page_fault+0x91/0x110
[ 86.767383][ T5820]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.767407][ T5820] RIP: 0033:0x7f7c80c6be0a
[ 86.767428][ T5820] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 6e 07 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 86.767449][ T5820] RSP: 002b:00007ffe2e50a228 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 86.767473][ T5820] RAX: ffffffffffffffda RBX: 00007f7c80cac04b RCX: 00007f7c80c6be0a
[ 86.767492][ T5820] RDX: 00007f7c80cac1e7 RSI: 00007f7c80cac04b RDI: 00007f7c80cac1e7
[ 86.767509][ T5820] RBP: 00007f7c80cac1b7 R08: 0000000000000000 R09: 0000000000000000
[ 86.767524][ T5820] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7c80cac162
[ 86.767539][ T5820] R13: 00007f7c80cb1cdc R14: 00007f7c80cac138 R15: 0000000000000001
[ 86.767566][ T5820]
[ 86.767574][ T5820]
[ 87.039732][ T5820] Allocated by task 5827:
[ 87.044068][ T5820]  kasan_save_track+0x3e/0x80
[ 87.048751][ T5820]  __kasan_kmalloc+0x93/0xb0
[ 87.053344][ T5820]  __kmalloc_cache_noprof+0x230/0x3d0
[ 87.058718][ T5820]  binderfs_binder_device_create+0x17f/0xaf0
[ 87.064700][ T5820]  binderfs_fill_super+0xa0e/0xe90
[ 87.069832][ T5820]  get_tree_nodev+0xbb/0x150
[ 87.074421][ T5820]  vfs_get_tree+0x92/0x2b0
[ 87.078836][ T5820]  do_new_mount+0x24a/0xa40
[ 87.083339][ T5820]  __se_sys_mount+0x317/0x410
[ 87.088024][ T5820]  do_syscall_64+0xf6/0x210
[ 87.092539][ T5820]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 87.098435][ T5820]
[ 87.100746][ T5820] Freed by task 10:
[ 87.104544][ T5820]  kasan_save_track+0x3e/0x80
[ 87.109222][ T5820]  kasan_save_free_info+0x46/0x50
[ 87.114256][ T5820]  __kasan_slab_free+0x62/0x70
[ 87.119022][ T5820]  kfree+0x193/0x440
[ 87.122927][ T5820]  binder_proc_dec_tmpref+0x228/0x4f0
[ 87.128312][ T5820]  binder_deferred_func+0x13a5/0x1520
[ 87.133686][ T5820]  process_scheduled_works+0xade/0x17a0
[ 87.139245][ T5820]  worker_thread+0x8a0/0xda0
[ 87.143835][ T5820]  kthread+0x711/0x8a0
[ 87.147905][ T5820]  ret_from_fork+0x4e/0x80
[ 87.152317][ T5820]  ret_from_fork_asm+0x1a/0x30
[ 87.157089][ T5820]
[ 87.159403][ T5820] The buggy address belongs to the object at ffff888027726800
[ 87.159403][ T5820]  which belongs to the cache kmalloc-512 of size 512
[ 87.173468][ T5820] The buggy address is located 8 bytes inside of
[ 87.173468][ T5820]  freed 512-byte region [ffff888027726800, ffff888027726a00)
[ 87.187098][ T5820]
[ 87.189413][ T5820] The buggy address belongs to the physical page:
[ 87.195810][ T5820] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x27724
[ 87.204565][ T5820] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 87.213067][ T5820] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 87.220604][ T5820] page_type: f5(slab)
[ 87.224582][ T5820] raw: 00fff00000000040 ffff88801a041c80 ffffea0000bc0f00 dead000000000002
[ 87.233186][ T5820] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 87.241780][ T5820] head: 00fff00000000040 ffff88801a041c80 ffffea0000bc0f00 dead000000000002
[ 87.250453][ T5820] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 87.259127][ T5820] head: 00fff00000000002 ffffea00009dc901 00000000ffffffff 00000000ffffffff
[ 87.267804][ T5820] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 87.276465][ T5820] page dumped because: kasan: bad access detected
[ 87.282871][ T5820] page_owner tracks the page as allocated
[ 87.288572][ T5820] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 10576969953, free_ts 0
[ 87.308295][ T5820]  post_alloc_hook+0x1d8/0x230
[ 87.313099][ T5820]  get_page_from_freelist+0x21ce/0x22b0
[ 87.318661][ T5820]  __alloc_frozen_pages_noprof+0x181/0x370
[ 87.324476][ T5820]  alloc_pages_mpol+0x232/0x4a0
[ 87.329329][ T5820]  allocate_slab+0x8a/0x3b0
[ 87.333830][ T5820]  ___slab_alloc+0xbfc/0x1480
[ 87.338518][ T5820]  __kmalloc_cache_noprof+0x296/0x3d0
[ 87.343896][ T5820]  dev_pm_qos_constraints_allocate+0x8f/0x3f0
[ 87.349962][ T5820]  __dev_pm_qos_add_request+0x123/0x4c0
[ 87.355499][ T5820]  dev_pm_qos_add_request+0x36/0x60
[ 87.360688][ T5820]  usb_hub_create_port_device+0x48f/0xb90
[ 87.366413][ T5820]  hub_probe+0x25af/0x36e0
[ 87.370832][ T5820]  usb_probe_interface+0x644/0xbc0
[ 87.375951][ T5820]  really_probe+0x26d/0x9a0
[ 87.380453][ T5820]  __driver_probe_device+0x18c/0x2f0
[ 87.385736][ T5820]  driver_probe_device+0x4f/0x430
[ 87.390765][ T5820] page_owner free stack trace missing
[ 87.396120][ T5820]
[ 87.398431][ T5820] Memory state around the buggy address:
[ 87.404047][ T5820]  ffff888027726700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 87.412103][ T5820]  ffff888027726780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 87.420159][ T5820] >ffff888027726800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 87.428208][ T5820]                    ^
[ 87.432523][ T5820]  ffff888027726880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 87.440572][ T5820]  ffff888027726900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 87.448620][ T5820] ==================================================================
[ 87.463581][ T5820] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 87.470810][ T5820] CPU: 0 UID: 0 PID: 5820 Comm: syz-executor325 Not tainted 6.15.0-rc5-syzkaller-00022-g01f95500a162 #0 PREEMPT(full)
[ 87.483218][ T5820] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/29/2025
[ 87.493270][ T5820] Call Trace:
[ 87.496550][ T5820]
[ 87.499474][ T5820]  dump_stack_lvl+0x99/0x250
[ 87.504080][ T5820]  ? __asan_memcpy+0x40/0x70
[ 87.508672][ T5820]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 87.513880][ T5820]  ? __pfx__printk+0x10/0x10
[ 87.518472][ T5820]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 87.524116][ T5820]  panic+0x2db/0x790
[ 87.528024][ T5820]  ? __pfx_preempt_schedule+0x10/0x10
[ 87.533400][ T5820]  ? __pfx_panic+0x10/0x10
[ 87.537822][ T5820]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 87.543457][ T5820]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 87.549089][ T5820]  ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 87.554982][ T5820]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 87.561309][ T5820]  ? binder_add_device+0x5f/0xa0
[ 87.566249][ T5820]  check_panic_on_warn+0x89/0xb0
[ 87.571189][ T5820]  ? binder_add_device+0x5f/0xa0
[ 87.576132][ T5820]  end_report+0x78/0x160
[ 87.580375][ T5820]  kasan_report+0x129/0x150
[ 87.584878][ T5820]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 87.590543][ T5820]  ? binder_add_device+0x5f/0xa0
[ 87.595486][ T5820]  binder_add_device+0x5f/0xa0
[ 87.600251][ T5820]  binderfs_binder_device_create+0x8b7/0xaf0
[ 87.606237][ T5820]  binderfs_fill_super+0xa0e/0xe90
[ 87.611353][ T5820]  ? __pfx_binderfs_fill_super+0x10/0x10
[ 87.616997][ T5820]  ? shrinker_register+0x16b/0x230
[ 87.622108][ T5820]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 87.627737][ T5820]  ? sget_fc+0x962/0xa40
[ 87.631975][ T5820]  ? __pfx_set_anon_super_fc+0x10/0x10
[ 87.637512][ T5820]  ? __pfx_binderfs_fill_super+0x10/0x10
[ 87.643143][ T5820]  get_tree_nodev+0xbb/0x150
[ 87.647729][ T5820]  vfs_get_tree+0x92/0x2b0
[ 87.652144][ T5820]  do_new_mount+0x24a/0xa40
[ 87.656650][ T5820]  __se_sys_mount+0x317/0x410
[ 87.661329][ T5820]  ? __pfx___se_sys_mount+0x10/0x10
[ 87.666528][ T5820]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 87.672160][ T5820]  ? __x64_sys_mount+0x20/0xc0
[ 87.676925][ T5820]  do_syscall_64+0xf6/0x210
[ 87.681456][ T5820]  ? srso_alias_return_thunk+0x5/0xfbef5
[ 87.687103][ T5820]  ? exc_page_fault+0x91/0x110
[ 87.691869][ T5820]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 87.697760][ T5820] RIP: 0033:0x7f7c80c6be0a
[ 87.702169][ T5820] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 6e 07 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 87.721781][ T5820] RSP: 002b:00007ffe2e50a228 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 87.730202][ T5820] RAX: ffffffffffffffda RBX: 00007f7c80cac04b RCX: 00007f7c80c6be0a
[ 87.738170][ T5820] RDX: 00007f7c80cac1e7 RSI: 00007f7c80cac04b RDI: 00007f7c80cac1e7
[ 87.746141][ T5820] RBP: 00007f7c80cac1b7 R08: 0000000000000000 R09: 0000000000000000
[ 87.754104][ T5820] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7c80cac162
[ 87.762069][ T5820] R13: 00007f7c80cb1cdc R14: 00007f7c80cac138 R15: 0000000000000001
[ 87.770059][ T5820]
[ 87.773293][ T5820] Kernel Offset: disabled
[ 87.777615][ T5820] Rebooting in 86400 seconds..