last executing test programs: 2.501515114s ago: executing program 0 (id=1): ioctl(0xffffffffffffffff, 0x0, &(0x7f0000000000)) 1.352308344s ago: executing program 0 (id=3): close(0xffffffffffffffff) 0s ago: executing program 0 (id=4): munmap(0x0, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:4051' (ED25519) to the list of known hosts. [ 490.117102][ T24] audit: type=1400 audit(489.510:64): avc: denied { name_bind } for pid=3280 comm="sshd" src=30001 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=1 [ 490.964893][ T24] audit: type=1400 audit(490.370:65): avc: denied { execute } for pid=3282 comm="sh" name="syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 490.990060][ T24] audit: type=1400 audit(490.390:66): avc: denied { execute_no_trans } for pid=3282 comm="sh" path="/syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 513.297816][ T24] audit: type=1400 audit(512.700:67): avc: denied { mounton } for pid=3282 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1737 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 513.335743][ T24] audit: type=1400 audit(512.730:68): avc: denied { mount } for pid=3282 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 513.410106][ T3282] cgroup: Unknown subsys name 'net' [ 513.455621][ T24] audit: type=1400 audit(512.860:69): avc: denied { unmount } for pid=3282 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 513.823650][ T3282] cgroup: Unknown subsys name 'cpuset' [ 513.909163][ T3282] cgroup: Unknown subsys name 'rlimit' [ 514.784505][ T24] audit: type=1400 audit(514.180:70): avc: denied { setattr } for pid=3282 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 514.814338][ T24] audit: type=1400 audit(514.200:71): avc: denied { create } for pid=3282 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 514.834373][ T24] audit: type=1400 audit(514.230:72): avc: denied { write } for pid=3282 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 514.856713][ T24] audit: type=1400 audit(514.250:73): avc: denied { module_request } for pid=3282 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 515.294102][ T24] audit: type=1400 audit(514.690:74): avc: denied { read } for pid=3282 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 515.344603][ T24] audit: type=1400 audit(514.740:75): avc: denied { mounton } for pid=3282 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 515.365567][ T24] audit: type=1400 audit(514.760:76): avc: denied { mount } for pid=3282 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 516.330760][ T3286] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 516.556361][ T3282] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 552.355932][ T24] kauditd_printk_skb: 4 callbacks suppressed [ 552.356207][ T24] audit: type=1400 audit(551.760:81): avc: denied { execmem } for pid=3287 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 552.623721][ T24] audit: type=1400 audit(552.020:82): avc: denied { read } for pid=3289 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 552.656757][ T24] audit: type=1400 audit(552.060:83): avc: denied { open } for pid=3289 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 552.744594][ T24] audit: type=1400 audit(552.130:84): avc: denied { mounton } for pid=3289 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 554.442981][ T24] audit: type=1400 audit(553.830:85): avc: denied { mount } for pid=3289 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 554.516685][ T24] audit: type=1400 audit(553.920:86): avc: denied { mounton } for pid=3289 comm="syz-executor" path="/syzkaller.nGrZF3/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 554.596631][ T24] audit: type=1400 audit(554.000:87): avc: denied { mount } for pid=3289 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 554.736073][ T24] audit: type=1400 audit(554.140:88): avc: denied { mounton } for pid=3289 comm="syz-executor" path="/syzkaller.nGrZF3/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 554.797556][ T24] audit: type=1400 audit(554.180:89): avc: denied { mounton } for pid=3289 comm="syz-executor" path="/syzkaller.nGrZF3/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=2830 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 554.899677][ T24] audit: type=1400 audit(554.300:90): avc: denied { unmount } for pid=3289 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 565.382189][ T3294] ================================================================== [ 565.384540][ T3294] BUG: KASAN: slab-use-after-free in binder_add_device+0xf4/0xf8 [ 565.386899][ T3294] Write of size 8 at addr 8ff0000016f81e08 by task syz-executor/3294 [ 565.388087][ T3294] Pointer tag: [8f], memory tag: [06] [ 565.389099][ T3294] [ 565.390499][ T3294] CPU: 0 UID: 0 PID: 3294 Comm: syz-executor Not tainted 6.14.0-rc2-syzkaller-g29281a76709c #0 [ 565.391018][ T3294] Hardware name: linux,dummy-virt (DT) [ 565.391465][ T3294] Call trace: [ 565.391783][ T3294] show_stack+0x2c/0x3c (C) [ 565.392318][ T3294] __dump_stack+0x30/0x40 [ 565.392668][ T3294] dump_stack_lvl+0xd8/0x12c [ 565.392936][ T3294] print_address_description+0xac/0x290 [ 565.393175][ T3294] print_report+0x84/0xa0 [ 565.393449][ T3294] kasan_report+0xb0/0x110 [ 565.393709][ T3294] kasan_tag_mismatch+0x28/0x3c [ 565.393885][ T3294] __hwasan_tag_mismatch+0x30/0x60 [ 565.394086][ T3294] binder_add_device+0xf4/0xf8 [ 565.394272][ T3294] binderfs_binder_device_create+0xbfc/0xc28 [ 565.394490][ T3294] binderfs_fill_super+0xb30/0xe20 [ 565.394677][ T3294] get_tree_nodev+0xdc/0x1cc [ 565.394920][ T3294] binderfs_fs_context_get_tree+0x28/0x38 [ 565.395105][ T3294] vfs_get_tree+0xc4/0x3cc [ 565.395355][ T3294] do_new_mount+0x2a0/0x988 [ 565.395607][ T3294] path_mount+0x650/0x101c [ 565.395841][ T3294] __arm64_sys_mount+0x36c/0x468 [ 565.396085][ T3294] invoke_syscall+0x90/0x2b4 [ 565.396332][ T3294] el0_svc_common+0x180/0x2f4 [ 565.396589][ T3294] do_el0_svc+0x58/0x74 [ 565.396820][ T3294] el0_svc+0x58/0x134 [ 565.396991][ T3294] el0t_64_sync_handler+0x78/0x108 [ 565.397167][ T3294] el0t_64_sync+0x198/0x19c [ 565.397668][ T3294] [ 565.411114][ T3294] Allocated by task 3289: [ 565.411979][ T3294] kasan_save_stack+0x40/0x6c [ 565.412871][ T3294] save_stack_info+0x30/0x138 [ 565.413658][ T3294] kasan_save_alloc_info+0x14/0x20 [ 565.414449][ T3294] __kasan_kmalloc+0x8c/0x90 [ 565.415245][ T3294] __kmalloc_cache_noprof+0x2a0/0x404 [ 565.416138][ T3294] binderfs_binder_device_create+0x1ac/0xc28 [ 565.416980][ T3294] binderfs_fill_super+0xb30/0xe20 [ 565.417787][ T3294] get_tree_nodev+0xdc/0x1cc [ 565.418607][ T3294] binderfs_fs_context_get_tree+0x28/0x38 [ 565.419446][ T3294] vfs_get_tree+0xc4/0x3cc [ 565.420210][ T3294] do_new_mount+0x2a0/0x988 [ 565.421020][ T3294] path_mount+0x650/0x101c [ 565.421826][ T3294] __arm64_sys_mount+0x36c/0x468 [ 565.422672][ T3294] invoke_syscall+0x90/0x2b4 [ 565.423490][ T3294] el0_svc_common+0x180/0x2f4 [ 565.424278][ T3294] do_el0_svc+0x58/0x74 [ 565.425075][ T3294] el0_svc+0x58/0x134 [ 565.425833][ T3294] el0t_64_sync_handler+0x78/0x108 [ 565.426617][ T3294] el0t_64_sync+0x198/0x19c [ 565.427453][ T3294] [ 565.427973][ T3294] Freed by task 3289: [ 565.428630][ T3294] kasan_save_stack+0x40/0x6c [ 565.429467][ T3294] save_stack_info+0x30/0x138 [ 565.430172][ T3294] kasan_save_free_info+0x18/0x24 [ 565.430966][ T3294] __kasan_slab_free+0x64/0x68 [ 565.431798][ T3294] kfree+0x148/0x44c [ 565.432599][ T3294] binderfs_evict_inode+0x1e8/0x2b8 [ 565.433399][ T3294] evict+0x4d4/0xbe8 [ 565.434089][ T3294] iput+0x928/0x9e0 [ 565.434860][ T3294] dentry_unlink_inode+0x624/0x660 [ 565.435675][ T3294] __dentry_kill+0x224/0x808 [ 565.436443][ T3294] shrink_kill+0xd4/0x2cc [ 565.437186][ T3294] shrink_dentry_list+0x420/0x970 [ 565.438010][ T3294] shrink_dcache_parent+0x80/0x200 [ 565.438805][ T3294] do_one_tree+0x2c/0x148 [ 565.439581][ T3294] shrink_dcache_for_umount+0xb0/0x198 [ 565.440417][ T3294] generic_shutdown_super+0x84/0x424 [ 565.441249][ T3294] kill_litter_super+0xa4/0xdc [ 565.442089][ T3294] binderfs_kill_super+0x50/0xcc [ 565.442865][ T3294] deactivate_locked_super+0xf0/0x17c [ 565.443737][ T3294] deactivate_super+0xf4/0x104 [ 565.444559][ T3294] cleanup_mnt+0x3fc/0x484 [ 565.445403][ T3294] __cleanup_mnt+0x20/0x30 [ 565.446190][ T3294] task_work_run+0x1bc/0x254 [ 565.447031][ T3294] do_exit+0x740/0x23b0 [ 565.447765][ T3294] do_group_exit+0x1d4/0x2ac [ 565.448528][ T3294] get_signal+0x1440/0x1554 [ 565.449297][ T3294] do_signal+0x23c/0x3ecc [ 565.450098][ T3294] do_notify_resume+0x78/0x27c [ 565.450893][ T3294] el0_svc+0xb0/0x134 [ 565.451606][ T3294] el0t_64_sync_handler+0x78/0x108 [ 565.452383][ T3294] el0t_64_sync+0x198/0x19c [ 565.453137][ T3294] [ 565.453752][ T3294] The buggy address belongs to the object at fff0000016f81e00 [ 565.453752][ T3294] which belongs to the cache kmalloc-512 of size 512 [ 565.455051][ T3294] The buggy address is located 8 bytes inside of [ 565.455051][ T3294] 448-byte region [fff0000016f81e00, fff0000016f81fc0) [ 565.456290][ T3294] [ 565.456924][ T3294] The buggy address belongs to the physical page: [ 565.457970][ T3294] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x56f81 [ 565.459237][ T3294] flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0) [ 565.462504][ T3294] page_type: f5(slab) [ 565.463725][ T3294] raw: 01ffc00000000000 35f000000c801900 ffffc1ffc0533e00 0000000000000002 [ 565.464744][ T3294] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 [ 565.465783][ T3294] page dumped because: kasan: bad access detected [ 565.466573][ T3294] [ 565.467117][ T3294] Memory state around the buggy address: [ 565.468100][ T3294] fff0000016f81c00: b4 b4 b4 b4 b4 b4 b4 b4 b4 b4 b4 b4 b4 b4 b4 b4 [ 565.469096][ T3294] fff0000016f81d00: b4 b4 b4 fe fe fe fe fe fe fe fe fe fe fe fe fe [ 565.470069][ T3294] >fff0000016f81e00: 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 06 [ 565.470964][ T3294] ^ [ 565.471782][ T3294] fff0000016f81f00: 06 06 06 06 06 06 06 06 06 06 06 06 fe fe fe fe [ 565.472734][ T3294] fff0000016f82000: 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 70 [ 565.473732][ T3294] ================================================================== SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 566.235568][ T3294] Disabling lock debugging due to kernel taint [ 567.250301][ T3294] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. VM DIAGNOSIS: 13:05:57 Registers: info registers vcpu 0 CPU#0 PC=ffff80008046b4e4 X00=0000000000000000 X01=ffff80008c09e47d X02=0000000000000000 X03=ffff80008c09e47b X04=ffff80008709b88e X05=ffff80008fd57478 X06=ffff8000864c4768 X07=ffff800080d9cffc X08=acf000001245ba80 X09=0000000000000000 X10=0000000000ff0100 X11=ffff800087632eb8 X12=00000000000000fe X13=00000083a3c19133 X14=0000000000000000 X15=00000000000000ac X16=0000000000000006 X17=000000000000008f X18=00000000000000ac X19=efff800000000000 X20=ffff80008fd574e0 X21=00000000000000ff X22=00000000000000c0 X23=00000000ffffe378 X24=80000000ffffe378 X25=00000000000000c0 X26=0000000000000000 X27=0000000000000000 X28=0000000000000027 X29=ffff80008fd573e0 X30=ffff80008047d6f0 SP=ffff80008fd573d0 PSTATE=614020c9 -ZC- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000 P01=0000 P02=0000 P03=0000 P04=0000 P05=0000 P06=0000 P07=0000 P08=0000 P09=0000 P10=0000 P11=0000 P12=0000 P13=0000 P14=0000 P15=0000 FFR=0000 Z00=0000000000000000:4a9aea98d6c6423a Z01=0000000000000000:438e961935da8f78 Z02=0000000000000000:09ca763eb7950b70 Z03=ffff000000000000:0000000004746406 Z04=0000000000000000:00000000a94b1398 Z05=0000000000000000:00000000a94b1398 Z06=0000000000000000:0000000000000000 Z07=0000000000000000:0000000000000000 Z08=0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000 Z16=0000ffffd4b25820:0000ffffd4b25820 Z17=ffffff80ffffffd0:0000ffffd4b257f0 Z18=0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000