last executing test programs: 3.891172602s ago: executing program 1 (id=2): mmap(0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) 3.615583185s ago: executing program 0 (id=1): ioctl(0xffffffffffffffff, 0x0, &(0x7f0000000000)) 1.993611037s ago: executing program 1 (id=3): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/kvm', 0x800, 0x0) 1.773230975s ago: executing program 0 (id=4): munmap(0x0, 0x0) 361.735331ms ago: executing program 0 (id=5): write(0xffffffffffffffff, &(0x7f0000000000), 0x0) 0s ago: executing program 1 (id=6): close(0xffffffffffffffff) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:62039' (ED25519) to the list of known hosts. [ 489.305327][ T24] audit: type=1400 audit(488.720:64): avc: denied { name_bind } for pid=3280 comm="sshd" src=30001 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=1 [ 490.176795][ T24] audit: type=1400 audit(489.590:65): avc: denied { execute } for pid=3282 comm="sh" name="syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 490.193416][ T24] audit: type=1400 audit(489.600:66): avc: denied { execute_no_trans } for pid=3282 comm="sh" path="/syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 512.475470][ T24] audit: type=1400 audit(511.890:67): avc: denied { mounton } for pid=3282 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1737 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 512.512862][ T24] audit: type=1400 audit(511.920:68): avc: denied { mount } for pid=3282 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 512.588711][ T3282] cgroup: Unknown subsys name 'net' [ 512.643714][ T24] audit: type=1400 audit(512.060:69): avc: denied { unmount } for pid=3282 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 513.049184][ T3282] cgroup: Unknown subsys name 'cpuset' [ 513.126122][ T3282] cgroup: Unknown subsys name 'rlimit' [ 514.020925][ T24] audit: type=1400 audit(513.420:70): avc: denied { setattr } for pid=3282 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 514.026086][ T24] audit: type=1400 audit(513.430:71): avc: denied { create } for pid=3282 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 514.061381][ T24] audit: type=1400 audit(513.470:72): avc: denied { write } for pid=3282 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 514.068123][ T24] audit: type=1400 audit(513.470:73): avc: denied { module_request } for pid=3282 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 514.496362][ T24] audit: type=1400 audit(513.900:74): avc: denied { read } for pid=3282 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 514.544318][ T24] audit: type=1400 audit(513.950:75): avc: denied { mounton } for pid=3282 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 514.562777][ T24] audit: type=1400 audit(513.970:76): avc: denied { mount } for pid=3282 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 515.528540][ T3286] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 515.753394][ T3282] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 555.262180][ T24] kauditd_printk_skb: 4 callbacks suppressed [ 555.262454][ T24] audit: type=1400 audit(554.660:81): avc: denied { execmem } for pid=3292 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 555.533209][ T24] audit: type=1400 audit(554.930:82): avc: denied { read } for pid=3294 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 555.572051][ T24] audit: type=1400 audit(554.970:83): avc: denied { open } for pid=3294 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 555.644033][ T24] audit: type=1400 audit(555.060:84): avc: denied { mounton } for pid=3294 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 557.780693][ T24] audit: type=1400 audit(557.190:85): avc: denied { mount } for pid=3294 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 557.922686][ T24] audit: type=1400 audit(557.320:86): avc: denied { mounton } for pid=3294 comm="syz-executor" path="/syzkaller.SmFytt/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 558.050587][ T24] audit: type=1400 audit(557.450:87): avc: denied { mount } for pid=3294 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 558.310574][ T24] audit: type=1400 audit(557.720:88): avc: denied { mounton } for pid=3294 comm="syz-executor" path="/syzkaller.SmFytt/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 558.460519][ T24] audit: type=1400 audit(557.810:89): avc: denied { mounton } for pid=3294 comm="syz-executor" path="/syzkaller.SmFytt/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=2862 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 558.616102][ T24] audit: type=1400 audit(558.030:90): avc: denied { unmount } for pid=3294 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 562.135886][ T24] kauditd_printk_skb: 8 callbacks suppressed [ 562.136138][ T24] audit: type=1400 audit(561.550:99): avc: denied { read } for pid=3300 comm="syz.1.3" name="kvm" dev="devtmpfs" ino=84 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 562.223096][ T24] audit: type=1400 audit(561.630:100): avc: denied { open } for pid=3300 comm="syz.1.3" path="/dev/kvm" dev="devtmpfs" ino=84 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 562.335459][ T24] audit: type=1400 audit(561.680:101): avc: denied { write } for pid=3300 comm="syz.1.3" name="kvm" dev="devtmpfs" ino=84 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 571.439295][ T3306] ================================================================== [ 571.440760][ T3306] BUG: KASAN: slab-use-after-free in binder_add_device+0xf4/0xf8 [ 571.442380][ T3306] Write of size 8 at addr 95f0000014c09208 by task syz-executor/3306 [ 571.442622][ T3306] Pointer tag: [95], memory tag: [b0] [ 571.442751][ T3306] [ 571.443664][ T3306] CPU: 0 UID: 0 PID: 3306 Comm: syz-executor Not tainted 6.14.0-rc2-syzkaller-g29281a76709c #0 [ 571.444138][ T3306] Hardware name: linux,dummy-virt (DT) [ 571.444585][ T3306] Call trace: [ 571.444898][ T3306] show_stack+0x2c/0x3c (C) [ 571.445442][ T3306] __dump_stack+0x30/0x40 [ 571.445764][ T3306] dump_stack_lvl+0xd8/0x12c [ 571.446024][ T3306] print_address_description+0xac/0x290 [ 571.446278][ T3306] print_report+0x84/0xa0 [ 571.446501][ T3306] kasan_report+0xb0/0x110 [ 571.446757][ T3306] kasan_tag_mismatch+0x28/0x3c [ 571.446930][ T3306] __hwasan_tag_mismatch+0x30/0x60 [ 571.447178][ T3306] binder_add_device+0xf4/0xf8 [ 571.447376][ T3306] binderfs_binder_device_create+0xbfc/0xc28 [ 571.447563][ T3306] binderfs_fill_super+0xb30/0xe20 [ 571.447741][ T3306] get_tree_nodev+0xdc/0x1cc [ 571.447982][ T3306] binderfs_fs_context_get_tree+0x28/0x38 [ 571.448174][ T3306] vfs_get_tree+0xc4/0x3cc [ 571.448424][ T3306] do_new_mount+0x2a0/0x988 [ 571.448660][ T3306] path_mount+0x650/0x101c [ 571.448891][ T3306] __arm64_sys_mount+0x36c/0x468 [ 571.449129][ T3306] invoke_syscall+0x90/0x2b4 [ 571.449384][ T3306] el0_svc_common+0x180/0x2f4 [ 571.449619][ T3306] do_el0_svc+0x58/0x74 [ 571.449848][ T3306] el0_svc+0x58/0x134 [ 571.450018][ T3306] el0t_64_sync_handler+0x78/0x108 [ 571.450202][ T3306] el0t_64_sync+0x198/0x19c [ 571.450657][ T3306] [ 571.450783][ T3306] Allocated by task 3295: [ 571.451120][ T3306] kasan_save_stack+0x40/0x6c [ 571.451451][ T3306] save_stack_info+0x30/0x138 [ 571.451629][ T3306] kasan_save_alloc_info+0x14/0x20 [ 571.451794][ T3306] __kasan_kmalloc+0x8c/0x90 [ 571.452018][ T3306] __kmalloc_cache_noprof+0x2a0/0x404 [ 571.452300][ T3306] binderfs_binder_device_create+0x1ac/0xc28 [ 571.452482][ T3306] binderfs_fill_super+0xb30/0xe20 [ 571.452648][ T3306] get_tree_nodev+0xdc/0x1cc [ 571.452869][ T3306] binderfs_fs_context_get_tree+0x28/0x38 [ 571.453041][ T3306] vfs_get_tree+0xc4/0x3cc [ 571.453291][ T3306] do_new_mount+0x2a0/0x988 [ 571.453528][ T3306] path_mount+0x650/0x101c [ 571.453757][ T3306] __arm64_sys_mount+0x36c/0x468 [ 571.453997][ T3306] invoke_syscall+0x90/0x2b4 [ 571.454240][ T3306] el0_svc_common+0x180/0x2f4 [ 571.454474][ T3306] do_el0_svc+0x58/0x74 [ 571.454695][ T3306] el0_svc+0x58/0x134 [ 571.454853][ T3306] el0t_64_sync_handler+0x78/0x108 [ 571.455046][ T3306] el0t_64_sync+0x198/0x19c [ 571.455312][ T3306] [ 571.455401][ T3306] Freed by task 3295: [ 571.455517][ T3306] kasan_save_stack+0x40/0x6c [ 571.455756][ T3306] save_stack_info+0x30/0x138 [ 571.455920][ T3306] kasan_save_free_info+0x18/0x24 [ 571.456084][ T3306] __kasan_slab_free+0x64/0x68 [ 571.456345][ T3306] kfree+0x148/0x44c [ 571.456590][ T3306] binderfs_evict_inode+0x1e8/0x2b8 [ 571.456763][ T3306] evict+0x4d4/0xbe8 [ 571.456918][ T3306] iput+0x928/0x9e0 [ 571.457141][ T3306] dentry_unlink_inode+0x624/0x660 [ 571.457372][ T3306] __dentry_kill+0x224/0x808 [ 571.457557][ T3306] shrink_kill+0xd4/0x2cc [ 571.457741][ T3306] shrink_dentry_list+0x420/0x970 [ 571.457934][ T3306] shrink_dcache_parent+0x80/0x200 [ 571.458132][ T3306] do_one_tree+0x2c/0x148 [ 571.458342][ T3306] shrink_dcache_for_umount+0xb0/0x198 [ 571.458548][ T3306] generic_shutdown_super+0x84/0x424 [ 571.458772][ T3306] kill_litter_super+0xa4/0xdc [ 571.459018][ T3306] binderfs_kill_super+0x50/0xcc [ 571.459215][ T3306] deactivate_locked_super+0xf0/0x17c [ 571.459455][ T3306] deactivate_super+0xf4/0x104 [ 571.459671][ T3306] cleanup_mnt+0x3fc/0x484 [ 571.459902][ T3306] __cleanup_mnt+0x20/0x30 [ 571.460133][ T3306] task_work_run+0x1bc/0x254 [ 571.460395][ T3306] do_exit+0x740/0x23b0 [ 571.460562][ T3306] do_group_exit+0x1d4/0x2ac [ 571.460732][ T3306] get_signal+0x1440/0x1554 [ 571.460917][ T3306] do_signal+0x23c/0x3ecc SYZFAIL: failed to recv rpc [ 571.461143][ T3306] do_notify_resume+0x78/0x27c [ 571.461355][ T3306] el0_svc+0xb0/0x134 [ 571.461511][ T3306] el0t_64_sync_handler+0x78/0x108 [ 571.461674][ T3306] el0t_64_sync+0x198/0x19c [ 571.461853][ T3306] [ 571.461951][ T3306] The buggy address belongs to the object at fff0000014c09200 [ 571.461951][ T3306] which belongs to the cache kmalloc-512 of size 512 [ 571.462142][ T3306] The buggy address is located 8 bytes inside of [ 571.462142][ T3306] 320-byte region [fff0000014c09200, fff0000014c09340) [ 571.462371][ T3306] [ 571.462524][ T3306] The buggy address belongs to the physical page: [ 571.462867][ T3306] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x54c09 [ 571.463417][ T3306] flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0) [ 571.464011][ T3306] page_type: f5(slab) [ 571.464683][ T3306] raw: 01ffc00000000000 aff000000c801900 dead000000000122 0000000000000000 [ 571.464919][ T3306] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 [ 571.465170][ T3306] page dumped because: kasan: bad access detected [ 571.465320][ T3306] [ 571.465420][ T3306] Memory state around the buggy address: fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 571.465764][ T3306] fff0000014c09000: 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 60 [ 571.465951][ T3306] fff0000014c09100: 60 fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 571.466127][ T3306] >fff0000014c09200: b0 b0 b0 b0 b0 b0 b0 b0 b0 b0 b0 b0 b0 b0 b0 b0 [ 571.466280][ T3306] ^ [ 571.466523][ T3306] fff0000014c09300: b0 b0 b0 b0 fe fe fe fe fe fe fe fe fe fe fe fe [ 571.466696][ T3306] fff0000014c09400: bc bc bc bc bc bc bc bc bc bc bc bc bc bc bc bc [ 571.466893][ T3306] ================================================================== [ 571.820595][ T3306] Disabling lock debugging due to kernel taint [ 571.937799][ T24] audit: type=1400 audit(571.350:102): avc: denied { mount } for pid=3306 comm="syz-executor" name="/" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=filesystem permissive=1 VM DIAGNOSIS: 01:07:17 Registers: info registers vcpu 0 CPU#0 PC=ffff800085872734 X00=0000000000000000 X01=0000000000000000 X02=0000000000000001 X03=ffff800085872648 X04=000000000000b2b1 X05=0000000000000016 X06=0000000000000007 X07=0000000000000000 X08=7ff000000d4e0008 X09=efff800000000000 X10=000000000000007f X11=000000000000007f X12=0000000100000101 X13=0000000000000011 X14=0000000000000000 X15=000000000000007f X16=000000000000007f X17=0000000000000034 X18=000000000000007f X19=bff00000130e6400 X20=efff800000000000 X21=9df00000140a1900 X22=73f00000140e6f00 X23=000000000000ffff X24=000000000000b2b1 X25=000000000f02000a X26=0000000000000016 X27=0000000000000007 X28=bff00000130e6494 X29=ffff8000800077a0 X30=ffff80008582f3f0 SP=ffff8000800077a0 PSTATE=60402009 -ZC- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000 P01=0000 P02=0000 P03=0000 P04=0000 P05=0000 P06=0000 P07=0000 P08=0000 P09=0000 P10=0000 P11=0000 P12=0000 P13=0000 P14=0000 P15=0000 FFR=0000 Z00=0000000000000000:0000000000000000 Z01=0000000000000000:0000000000000000 Z02=0000000000000000:0000000000000000 Z03=0000000000000000:0000000000000000 Z04=0000000000000000:0000000000000000 Z05=0000000000000000:0000000000000000 Z06=0000000000000000:0000000000000000 Z07=0000000000000000:0000000000000000 Z08=0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000 Z16=0000000000000000:0000000000000000 Z17=0000000000000000:0000000000000000 Z18=0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000