last executing test programs:

2.659402202s ago: executing program 0 (id=40):
syz_open_dev$drirender(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$drirender(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$drirender(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$drirender(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$drirender(&(0x7f0000000140), 0x1, 0x0)
syz_open_dev$drirender(&(0x7f0000000180), 0x1, 0x1)
syz_open_dev$drirender(&(0x7f00000001c0), 0x1, 0x2)
syz_open_dev$drirender(&(0x7f0000000200), 0x1, 0x800)
syz_open_dev$drirender(&(0x7f0000000240), 0x2, 0x0)
syz_open_dev$drirender(&(0x7f0000000280), 0x2, 0x1)
syz_open_dev$drirender(&(0x7f00000002c0), 0x2, 0x2)
syz_open_dev$drirender(&(0x7f0000000300), 0x2, 0x800)
syz_open_dev$drirender(&(0x7f0000000340), 0x3, 0x0)
syz_open_dev$drirender(&(0x7f0000000380), 0x3, 0x1)
syz_open_dev$drirender(&(0x7f00000003c0), 0x3, 0x2)
syz_open_dev$drirender(&(0x7f0000000400), 0x3, 0x800)
syz_open_dev$drirender(&(0x7f0000000440), 0x4, 0x0)
syz_open_dev$drirender(&(0x7f0000000480), 0x4, 0x1)
syz_open_dev$drirender(&(0x7f00000004c0), 0x4, 0x2)
syz_open_dev$drirender(&(0x7f0000000500), 0x4, 0x800)

2.576868028s ago: executing program 0 (id=48):
ioprio_set$auto(0x0, 0x0, 0x0)

2.527923989s ago: executing program 0 (id=53):
sigaltstack(&(0x7f0000000000), 0x0)

2.516348902s ago: executing program 0 (id=60):
lstat(&(0x7f0000000000), &(0x7f0000000000))

2.459727132s ago: executing program 0 (id=63):
flistxattr(0xffffffffffffffff, &(0x7f0000000000), 0x0)

2.437720632s ago: executing program 0 (id=68):
rt_sigreturn()

886.843741ms ago: executing program 4 (id=224):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/binder', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/binder', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/binder', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/binder', 0x800, 0x0)

864.513859ms ago: executing program 4 (id=227):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/sequencer', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/sequencer', 0x800, 0x0)

819.451408ms ago: executing program 4 (id=232):
eventfd(0x0)

793.438807ms ago: executing program 4 (id=236):
syz_open_dev$hidraw(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$hidraw(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$hidraw(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$hidraw(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$hidraw(&(0x7f0000000140), 0x1, 0x0)
syz_open_dev$hidraw(&(0x7f0000000180), 0x1, 0x1)
syz_open_dev$hidraw(&(0x7f00000001c0), 0x1, 0x2)
syz_open_dev$hidraw(&(0x7f0000000200), 0x1, 0x800)
syz_open_dev$hidraw(&(0x7f0000000240), 0x2, 0x0)
syz_open_dev$hidraw(&(0x7f0000000280), 0x2, 0x1)
syz_open_dev$hidraw(&(0x7f00000002c0), 0x2, 0x2)
syz_open_dev$hidraw(&(0x7f0000000300), 0x2, 0x800)
syz_open_dev$hidraw(&(0x7f0000000340), 0x3, 0x0)
syz_open_dev$hidraw(&(0x7f0000000380), 0x3, 0x1)
syz_open_dev$hidraw(&(0x7f00000003c0), 0x3, 0x2)
syz_open_dev$hidraw(&(0x7f0000000400), 0x3, 0x800)
syz_open_dev$hidraw(&(0x7f0000000440), 0x4, 0x0)
syz_open_dev$hidraw(&(0x7f0000000480), 0x4, 0x1)
syz_open_dev$hidraw(&(0x7f00000004c0), 0x4, 0x2)
syz_open_dev$hidraw(&(0x7f0000000500), 0x4, 0x800)

700.611789ms ago: executing program 4 (id=245):
tee(0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0)

643.427799ms ago: executing program 4 (id=249):
pause()

439.976021ms ago: executing program 3 (id=267):
syz_open_dev$loop(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$loop(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$loop(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$loop(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$loop(&(0x7f0000000140), 0x1, 0x0)
syz_open_dev$loop(&(0x7f0000000180), 0x1, 0x1)
syz_open_dev$loop(&(0x7f00000001c0), 0x1, 0x2)
syz_open_dev$loop(&(0x7f0000000200), 0x1, 0x800)
syz_open_dev$loop(&(0x7f0000000240), 0x2, 0x0)
syz_open_dev$loop(&(0x7f0000000280), 0x2, 0x1)
syz_open_dev$loop(&(0x7f00000002c0), 0x2, 0x2)
syz_open_dev$loop(&(0x7f0000000300), 0x2, 0x800)
syz_open_dev$loop(&(0x7f0000000340), 0x3, 0x0)
syz_open_dev$loop(&(0x7f0000000380), 0x3, 0x1)
syz_open_dev$loop(&(0x7f00000003c0), 0x3, 0x2)
syz_open_dev$loop(&(0x7f0000000400), 0x3, 0x800)
syz_open_dev$loop(&(0x7f0000000440), 0x4, 0x0)
syz_open_dev$loop(&(0x7f0000000480), 0x4, 0x1)
syz_open_dev$loop(&(0x7f00000004c0), 0x4, 0x2)
syz_open_dev$loop(&(0x7f0000000500), 0x4, 0x800)

430.67045ms ago: executing program 1 (id=272):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/pktcdvd/control', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/pktcdvd/control', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/pktcdvd/control', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/pktcdvd/control', 0x800, 0x0)

428.820154ms ago: executing program 3 (id=273):
socket$inet_udplite(0x2, 0x2, 0x88)

375.822358ms ago: executing program 2 (id=275):
pwrite64(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0)

375.6623ms ago: executing program 5 (id=276):
syz_open_dev$amidi(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$amidi(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$amidi(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$amidi(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$amidi(&(0x7f0000000140), 0x1, 0x0)
syz_open_dev$amidi(&(0x7f0000000180), 0x1, 0x1)
syz_open_dev$amidi(&(0x7f00000001c0), 0x1, 0x2)
syz_open_dev$amidi(&(0x7f0000000200), 0x1, 0x800)
syz_open_dev$amidi(&(0x7f0000000240), 0x2, 0x0)
syz_open_dev$amidi(&(0x7f0000000280), 0x2, 0x1)
syz_open_dev$amidi(&(0x7f00000002c0), 0x2, 0x2)
syz_open_dev$amidi(&(0x7f0000000300), 0x2, 0x800)
syz_open_dev$amidi(&(0x7f0000000340), 0x3, 0x0)
syz_open_dev$amidi(&(0x7f0000000380), 0x3, 0x1)
syz_open_dev$amidi(&(0x7f00000003c0), 0x3, 0x2)
syz_open_dev$amidi(&(0x7f0000000400), 0x3, 0x800)
syz_open_dev$amidi(&(0x7f0000000440), 0x4, 0x0)
syz_open_dev$amidi(&(0x7f0000000480), 0x4, 0x1)
syz_open_dev$amidi(&(0x7f00000004c0), 0x4, 0x2)
syz_open_dev$amidi(&(0x7f0000000500), 0x4, 0x800)

375.353848ms ago: executing program 1 (id=277):
lsm_set_self_attr(0x0, &(0x7f0000000000), 0x0, 0x0)

374.155467ms ago: executing program 2 (id=278):
getpriority(0x0, 0x0)

361.770396ms ago: executing program 5 (id=279):
socket$inet(0x2, 0x1, 0x0)

352.267761ms ago: executing program 1 (id=280):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/fs/smackfs/change-rule', 0x2, 0x0)

352.12461ms ago: executing program 3 (id=281):
link(&(0x7f0000000000), &(0x7f0000000000))

292.054443ms ago: executing program 2 (id=282):
getresuid(&(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000))

291.883403ms ago: executing program 1 (id=283):
syz_open_dev$sndpcmc(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$sndpcmc(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$sndpcmc(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$sndpcmc(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$sndpcmc(&(0x7f0000000140), 0xa, 0x0)
syz_open_dev$sndpcmc(&(0x7f0000000180), 0xa, 0x1)
syz_open_dev$sndpcmc(&(0x7f00000001c0), 0xa, 0x2)
syz_open_dev$sndpcmc(&(0x7f0000000200), 0xa, 0x800)
syz_open_dev$sndpcmc(&(0x7f0000000240), 0x14, 0x0)
syz_open_dev$sndpcmc(&(0x7f0000000280), 0x14, 0x1)
syz_open_dev$sndpcmc(&(0x7f00000002c0), 0x14, 0x2)
syz_open_dev$sndpcmc(&(0x7f0000000300), 0x14, 0x800)
syz_open_dev$sndpcmc(&(0x7f0000000340), 0x1e, 0x0)
syz_open_dev$sndpcmc(&(0x7f0000000380), 0x1e, 0x1)
syz_open_dev$sndpcmc(&(0x7f00000003c0), 0x1e, 0x2)
syz_open_dev$sndpcmc(&(0x7f0000000400), 0x1e, 0x800)
syz_open_dev$sndpcmc(&(0x7f0000000440), 0x28, 0x0)
syz_open_dev$sndpcmc(&(0x7f0000000480), 0x28, 0x1)
syz_open_dev$sndpcmc(&(0x7f00000004c0), 0x28, 0x2)
syz_open_dev$sndpcmc(&(0x7f0000000500), 0x28, 0x800)

291.829721ms ago: executing program 2 (id=284):
munlock(0x0, 0x0)

291.709627ms ago: executing program 3 (id=285):
sched_setattr(0x0, &(0x7f0000000000), 0x0)

291.616499ms ago: executing program 5 (id=286):
pivot_root(&(0x7f0000000000), &(0x7f0000000000))

285.104365ms ago: executing program 1 (id=287):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm_plock', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dlm_plock', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/dlm_plock', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dlm_plock', 0x800, 0x0)

270.443905ms ago: executing program 3 (id=288):
socket$can_raw(0x1d, 0x3, 0x1)

220.009371ms ago: executing program 2 (id=289):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/input/mice', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/input/mice', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/input/mice', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/input/mice', 0x800, 0x0)

219.807951ms ago: executing program 5 (id=290):
syz_open_dev$usbmon(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$usbmon(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$usbmon(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$usbmon(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$usbmon(&(0x7f0000000140), 0x1, 0x0)
syz_open_dev$usbmon(&(0x7f0000000180), 0x1, 0x1)
syz_open_dev$usbmon(&(0x7f00000001c0), 0x1, 0x2)
syz_open_dev$usbmon(&(0x7f0000000200), 0x1, 0x800)
syz_open_dev$usbmon(&(0x7f0000000240), 0x2, 0x0)
syz_open_dev$usbmon(&(0x7f0000000280), 0x2, 0x1)
syz_open_dev$usbmon(&(0x7f00000002c0), 0x2, 0x2)
syz_open_dev$usbmon(&(0x7f0000000300), 0x2, 0x800)
syz_open_dev$usbmon(&(0x7f0000000340), 0x3, 0x0)
syz_open_dev$usbmon(&(0x7f0000000380), 0x3, 0x1)
syz_open_dev$usbmon(&(0x7f00000003c0), 0x3, 0x2)
syz_open_dev$usbmon(&(0x7f0000000400), 0x3, 0x800)
syz_open_dev$usbmon(&(0x7f0000000440), 0x4, 0x0)
syz_open_dev$usbmon(&(0x7f0000000480), 0x4, 0x1)
syz_open_dev$usbmon(&(0x7f00000004c0), 0x4, 0x2)
syz_open_dev$usbmon(&(0x7f0000000500), 0x4, 0x800)

219.650326ms ago: executing program 1 (id=291):
pkey_mprotect(0x0, 0x0, 0x0, 0xffffffffffffffff)

219.559253ms ago: executing program 3 (id=292):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ttyS3', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ttyS3', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ttyS3', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ttyS3', 0x800, 0x0)

216.093618ms ago: executing program 2 (id=293):
syz_open_dev$audion(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$audion(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$audion(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$audion(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$audion(&(0x7f0000000140), 0x1, 0x0)
syz_open_dev$audion(&(0x7f0000000180), 0x1, 0x1)
syz_open_dev$audion(&(0x7f00000001c0), 0x1, 0x2)
syz_open_dev$audion(&(0x7f0000000200), 0x1, 0x800)
syz_open_dev$audion(&(0x7f0000000240), 0x2, 0x0)
syz_open_dev$audion(&(0x7f0000000280), 0x2, 0x1)
syz_open_dev$audion(&(0x7f00000002c0), 0x2, 0x2)
syz_open_dev$audion(&(0x7f0000000300), 0x2, 0x800)
syz_open_dev$audion(&(0x7f0000000340), 0x3, 0x0)
syz_open_dev$audion(&(0x7f0000000380), 0x3, 0x1)
syz_open_dev$audion(&(0x7f00000003c0), 0x3, 0x2)
syz_open_dev$audion(&(0x7f0000000400), 0x3, 0x800)
syz_open_dev$audion(&(0x7f0000000440), 0x4, 0x0)
syz_open_dev$audion(&(0x7f0000000480), 0x4, 0x1)
syz_open_dev$audion(&(0x7f00000004c0), 0x4, 0x2)
syz_open_dev$audion(&(0x7f0000000500), 0x4, 0x800)

70.299596ms ago: executing program 5 (id=296):
llistxattr(&(0x7f0000000000), &(0x7f0000000000), 0x0)

0s ago: executing program 5 (id=297):
syncfs(0xffffffffffffffff)

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.1.3' (ED25519) to the list of known hosts.
[   81.028808][ T5816] cgroup: Unknown subsys name 'net'
[   81.125879][ T5816] cgroup: Unknown subsys name 'cpuset'
[   81.134710][ T5816] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   82.700602][ T5816] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   87.357008][ T6114] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[   87.941608][ T6137] ==================================================================
[   87.949840][ T6137] BUG: KASAN: slab-use-after-free in binder_add_device+0xa4/0xb0
[   87.957639][ T6137] Write of size 8 at addr ffff88806d78ec08 by task syz-executor/6137
[   87.965907][ T6137] 
[   87.968247][ T6137] CPU: 0 UID: 0 PID: 6137 Comm: syz-executor Not tainted 6.13.0-syzkaller-09030-g6d61a53dd6f5 #0
[   87.968290][ T6137] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[   87.968312][ T6137] Call Trace:
[   87.968323][ T6137]  <TASK>
[   87.968336][ T6137]  dump_stack_lvl+0x116/0x1f0
[   87.968384][ T6137]  print_report+0xc3/0x620
[   87.968442][ T6137]  ? srso_alias_return_thunk+0x5/0xfbef5
[   87.968503][ T6137]  ? srso_alias_return_thunk+0x5/0xfbef5
[   87.968563][ T6137]  ? __phys_addr+0xc6/0x150
[   87.968602][ T6137]  kasan_report+0xd9/0x110
[   87.968659][ T6137]  ? binder_add_device+0xa4/0xb0
[   87.968704][ T6137]  ? binder_add_device+0xa4/0xb0
[   87.968751][ T6137]  binder_add_device+0xa4/0xb0
[   87.968793][ T6137]  binderfs_binder_device_create.isra.0+0x95f/0xb70
[   87.968855][ T6137]  binderfs_fill_super+0x8d6/0x1360
[   87.968910][ T6137]  ? __pfx_binderfs_fill_super+0x10/0x10
[   87.968962][ T6137]  ? srso_alias_return_thunk+0x5/0xfbef5
[   87.969037][ T6137]  ? shrinker_register+0x1a8/0x260
[   87.969085][ T6137]  ? srso_alias_return_thunk+0x5/0xfbef5
[   87.969144][ T6137]  ? sget_fc+0x808/0xc20
[   87.969197][ T6137]  ? apparmor_capable+0x114/0x1d0
[   87.969257][ T6137]  ? __pfx_set_anon_super_fc+0x10/0x10
[   87.969304][ T6137]  ? __pfx_binderfs_fill_super+0x10/0x10
[   87.969356][ T6137]  get_tree_nodev+0xdd/0x190
[   87.969407][ T6137]  vfs_get_tree+0x8e/0x340
[   87.969448][ T6137]  path_mount+0x14e6/0x1f10
[   87.969506][ T6137]  ? srso_alias_return_thunk+0x5/0xfbef5
[   87.969565][ T6137]  ? kmem_cache_free+0x2e2/0x4d0
[   87.969620][ T6137]  ? __pfx_path_mount+0x10/0x10
[   87.969679][ T6137]  ? srso_alias_return_thunk+0x5/0xfbef5
[   87.969739][ T6137]  ? putname+0x13c/0x180
[   87.969775][ T6137]  __x64_sys_mount+0x28f/0x310
[   87.969834][ T6137]  ? __pfx___x64_sys_mount+0x10/0x10
[   87.969900][ T6137]  do_syscall_64+0xcd/0x250
[   87.969948][ T6137]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   87.970000][ T6137] RIP: 0033:0x7f883618e54a
[   87.970026][ T6137] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   87.970062][ T6137] RSP: 002b:00007fffb7de19d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   87.970095][ T6137] RAX: ffffffffffffffda RBX: 00007f883620e663 RCX: 00007f883618e54a
[   87.970120][ T6137] RDX: 00007f883621dda7 RSI: 00007f883620e663 RDI: 00007f883621dda7
[   87.970144][ T6137] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   87.970172][ T6137] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8836228480
[   87.970195][ T6137] R13: 00007fffb7de1a58 R14: 0000000000000009 R15: 0000000000000000
[   87.970228][ T6137]  </TASK>
[   87.970240][ T6137] 
[   88.233791][ T6137] Allocated by task 5830:
[   88.238132][ T6137]  kasan_save_stack+0x33/0x60
[   88.242868][ T6137]  kasan_save_track+0x14/0x30
[   88.247588][ T6137]  __kasan_kmalloc+0xaa/0xb0
[   88.252223][ T6137]  binderfs_binder_device_create.isra.0+0x17a/0xb70
[   88.258859][ T6137]  binderfs_fill_super+0x8d6/0x1360
[   88.264119][ T6137]  get_tree_nodev+0xdd/0x190
[   88.268855][ T6137]  vfs_get_tree+0x8e/0x340
[   88.273337][ T6137]  path_mount+0x14e6/0x1f10
[   88.277889][ T6137]  __x64_sys_mount+0x28f/0x310
[   88.282793][ T6137]  do_syscall_64+0xcd/0x250
[   88.287344][ T6137]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   88.293722][ T6137] 
[   88.296060][ T6137] Freed by task 5830:
[   88.300058][ T6137]  kasan_save_stack+0x33/0x60
[   88.304781][ T6137]  kasan_save_track+0x14/0x30
[   88.309504][ T6137]  kasan_save_free_info+0x3b/0x60
[   88.314562][ T6137]  __kasan_slab_free+0x51/0x70
[   88.319376][ T6137]  kfree+0x2c4/0x4d0
[   88.323347][ T6137]  binderfs_evict_inode+0x1e0/0x250
[   88.328590][ T6137]  evict+0x40c/0x960
[   88.332519][ T6137]  iput+0x52a/0x890
[   88.336359][ T6137]  dentry_unlink_inode+0x29c/0x480
[   88.341499][ T6137]  __dentry_kill+0x1d0/0x600
[   88.346126][ T6137]  shrink_dentry_list+0x140/0x5d0
[   88.351193][ T6137]  shrink_dcache_parent+0xe2/0x530
[   88.356341][ T6137]  shrink_dcache_for_umount+0xa1/0x3e0
[   88.361837][ T6137]  generic_shutdown_super+0x6c/0x390
[   88.367245][ T6137]  kill_litter_super+0x70/0xa0
[   88.372050][ T6137]  binderfs_kill_super+0x3b/0xa0
[   88.377029][ T6137]  deactivate_locked_super+0xc1/0x1a0
[   88.382441][ T6137]  deactivate_super+0xde/0x100
[   88.387588][ T6137]  cleanup_mnt+0x222/0x450
[   88.392045][ T6137]  task_work_run+0x151/0x250
[   88.396675][ T6137]  do_exit+0xad8/0x2d70
[   88.400862][ T6137]  do_group_exit+0xd3/0x2a0
[   88.405399][ T6137]  get_signal+0x24ed/0x26c0
[   88.409952][ T6137]  arch_do_signal_or_restart+0x90/0x7e0
[   88.415535][ T6137]  syscall_exit_to_user_mode+0x150/0x2a0
[   88.421211][ T6137]  do_syscall_64+0xda/0x250
[   88.425754][ T6137]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   88.431694][ T6137] 
[   88.434029][ T6137] The buggy address belongs to the object at ffff88806d78ec00
[   88.434029][ T6137]  which belongs to the cache kmalloc-512 of size 512
[   88.448130][ T6137] The buggy address is located 8 bytes inside of
[   88.448130][ T6137]  freed 512-byte region [ffff88806d78ec00, ffff88806d78ee00)
[   88.461871][ T6137] 
[   88.464236][ T6137] The buggy address belongs to the physical page:
[   88.470659][ T6137] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6d78c
[   88.480319][ T6137] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   88.488839][ T6137] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[   88.496407][ T6137] page_type: f5(slab)
[   88.500416][ T6137] raw: 00fff00000000040 ffff88801b041c80 dead000000000122 0000000000000000
[   88.509210][ T6137] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[   88.517824][ T6137] head: 00fff00000000040 ffff88801b041c80 dead000000000122 0000000000000000
[   88.526583][ T6137] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[   88.535320][ T6137] head: 00fff00000000002 ffffea0001b5e301 ffffffffffffffff 0000000000000000
[   88.544027][ T6137] head: 0000000700000004 0000000000000000 00000000ffffffff 0000000000000000
[   88.552716][ T6137] page dumped because: kasan: bad access detected
[   88.559753][ T6137] page_owner tracks the page as allocated
[   88.565481][ T6137] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5830, tgid 5830 (syz-executor), ts 84816543475, free_ts 80806494759
[   88.586895][ T6137]  post_alloc_hook+0x181/0x1b0
[   88.591710][ T6137]  get_page_from_freelist+0xfce/0x2f80
[   88.597224][ T6137]  __alloc_frozen_pages_noprof+0x221/0x2470
[   88.603193][ T6137]  alloc_pages_mpol+0x1fc/0x540
[   88.608117][ T6137]  new_slab+0x23d/0x330
[   88.612373][ T6137]  ___slab_alloc+0xc5d/0x1720
[   88.617096][ T6137]  __slab_alloc.constprop.0+0x56/0xb0
[   88.622526][ T6137]  __kmalloc_cache_noprof+0xfa/0x410
[   88.627873][ T6137]  rxrpc_alloc_peer+0x93/0x440
[   88.632687][ T6137]  rxrpc_service_prealloc_one+0xb4f/0xef0
[   88.638476][ T6137]  rxrpc_kernel_charge_accept+0xd7/0x120
[   88.644173][ T6137]  afs_charge_preallocation+0xce/0x330
[   88.649710][ T6137]  afs_open_socket+0x2b3/0x380
[   88.654553][ T6137]  afs_net_init+0x95d/0xc60
[   88.659115][ T6137]  ops_init+0x1e2/0x5f0
[   88.663335][ T6137]  setup_net+0x21f/0x860
[   88.667638][ T6137] page last free pid 5816 tgid 5816 stack trace:
[   88.674030][ T6137]  free_unref_folios+0xa7b/0x1500
[   88.679105][ T6137]  folios_put_refs+0x587/0x7b0
[   88.683999][ T6137]  free_pages_and_swap_cache+0x351/0x500
[   88.689682][ T6137]  __tlb_batch_free_encoded_pages+0xf9/0x290
[   88.695987][ T6137]  tlb_finish_mmu+0x168/0x7b0
[   88.700724][ T6137]  vms_clear_ptes+0x560/0x770
[   88.705454][ T6137]  vms_complete_munmap_vmas+0x1ca/0x970
[   88.711057][ T6137]  do_vmi_align_munmap+0x619/0x890
[   88.716228][ T6137]  do_vmi_munmap+0x208/0x3e0
[   88.720877][ T6137]  __vm_munmap+0x19b/0x390
[   88.725412][ T6137]  __x64_sys_munmap+0x59/0x80
[   88.730141][ T6137]  do_syscall_64+0xcd/0x250
[   88.734695][ T6137]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   88.740641][ T6137] 
[   88.742982][ T6137] Memory state around the buggy address:
[   88.748898][ T6137]  ffff88806d78eb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   88.757003][ T6137]  ffff88806d78eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   88.765097][ T6137] >ffff88806d78ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   88.773195][ T6137]                       ^
[   88.777562][ T6137]  ffff88806d78ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   88.785656][ T6137]  ffff88806d78ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[   88.793921][ T6137] ==================================================================
[   88.848214][ T6137] Kernel panic - not syncing: kasan.fault=panic_on_write set ...
[   88.856160][ T6137] CPU: 0 UID: 0 PID: 6137 Comm: syz-executor Not tainted 6.13.0-syzkaller-09030-g6d61a53dd6f5 #0
[   88.866692][ T6137] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[   88.876861][ T6137] Call Trace:
[   88.880160][ T6137]  <TASK>
[   88.883109][ T6137]  dump_stack_lvl+0x3d/0x1f0
[   88.887742][ T6137]  panic+0x71d/0x800
[   88.891670][ T6137]  ? __pfx_panic+0x10/0x10
[   88.896122][ T6137]  ? lockdep_hardirqs_on+0x7c/0x110
[   88.901360][ T6137]  ? srso_alias_return_thunk+0x5/0xfbef5
[   88.907056][ T6137]  ? srso_alias_return_thunk+0x5/0xfbef5
[   88.912830][ T6137]  ? preempt_schedule_common+0x44/0xc0
[   88.918331][ T6137]  ? srso_alias_return_thunk+0x5/0xfbef5
[   88.924020][ T6137]  ? preempt_schedule_thunk+0x1a/0x30
[   88.929443][ T6137]  end_report+0x169/0x180
[   88.933824][ T6137]  kasan_report+0xe9/0x110
[   88.938314][ T6137]  ? binder_add_device+0xa4/0xb0
[   88.943276][ T6137]  ? binder_add_device+0xa4/0xb0
[   88.948241][ T6137]  binder_add_device+0xa4/0xb0
[   88.953026][ T6137]  binderfs_binder_device_create.isra.0+0x95f/0xb70
[   88.959654][ T6137]  binderfs_fill_super+0x8d6/0x1360
[   88.964898][ T6137]  ? __pfx_binderfs_fill_super+0x10/0x10
[   88.970573][ T6137]  ? srso_alias_return_thunk+0x5/0xfbef5
[   88.976288][ T6137]  ? shrinker_register+0x1a8/0x260
[   88.981447][ T6137]  ? srso_alias_return_thunk+0x5/0xfbef5
[   88.987125][ T6137]  ? sget_fc+0x808/0xc20
[   88.991406][ T6137]  ? apparmor_capable+0x114/0x1d0
[   88.996471][ T6137]  ? __pfx_set_anon_super_fc+0x10/0x10
[   89.002581][ T6137]  ? __pfx_binderfs_fill_super+0x10/0x10
[   89.008256][ T6137]  get_tree_nodev+0xdd/0x190
[   89.012884][ T6137]  vfs_get_tree+0x8e/0x340
[   89.017326][ T6137]  path_mount+0x14e6/0x1f10
[   89.021874][ T6137]  ? srso_alias_return_thunk+0x5/0xfbef5
[   89.027545][ T6137]  ? kmem_cache_free+0x2e2/0x4d0
[   89.032534][ T6137]  ? __pfx_path_mount+0x10/0x10
[   89.037426][ T6137]  ? srso_alias_return_thunk+0x5/0xfbef5
[   89.043101][ T6137]  ? putname+0x13c/0x180
[   89.047367][ T6137]  __x64_sys_mount+0x28f/0x310
[   89.052177][ T6137]  ? __pfx___x64_sys_mount+0x10/0x10
[   89.057512][ T6137]  do_syscall_64+0xcd/0x250
[   89.062311][ T6137]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   89.068244][ T6137] RIP: 0033:0x7f883618e54a
[   89.072758][ T6137] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   89.092402][ T6137] RSP: 002b:00007fffb7de19d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   89.100846][ T6137] RAX: ffffffffffffffda RBX: 00007f883620e663 RCX: 00007f883618e54a
[   89.108948][ T6137] RDX: 00007f883621dda7 RSI: 00007f883620e663 RDI: 00007f883621dda7
[   89.116933][ T6137] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   89.124921][ T6137] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8836228480
[   89.132924][ T6137] R13: 00007fffb7de1a58 R14: 0000000000000009 R15: 0000000000000000
[   89.141705][ T6137]  </TASK>
[   89.144996][ T6137] Kernel Offset: disabled
[   89.149323][ T6137] Rebooting in 86400 seconds..