last executing test programs: 13.35055632s ago: executing program 1 (id=2): munmap(0x0, 0x0) 13.043321373s ago: executing program 0 (id=1): ioctl(0xffffffffffffffff, 0x0, &(0x7f0000000000)) 11.177753252s ago: executing program 1 (id=3): mmap(0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0) 10.990199044s ago: executing program 0 (id=4): eventfd2(0x0, 0x0) 0s ago: executing program 0 (id=6): mmap(&(0x7efffffff000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0000000000/0x1000000)=nil, 0x1000000, 0x7, 0x32, 0xffffffffffffffff, 0x0) mmap(&(0x7f0001000000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:63990' (ED25519) to the list of known hosts. [ 707.940224][ T24] audit: type=1400 audit(707.000:69): avc: denied { name_bind } for pid=3295 comm="sshd" src=30001 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=1 [ 710.671360][ T24] audit: type=1400 audit(709.750:70): avc: denied { execute } for pid=3297 comm="sh" name="syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 710.740674][ T24] audit: type=1400 audit(709.820:71): avc: denied { execute_no_trans } for pid=3297 comm="sh" path="/syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 740.304531][ T24] audit: type=1400 audit(739.400:72): avc: denied { mounton } for pid=3297 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1737 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 740.367796][ T24] audit: type=1400 audit(739.450:73): avc: denied { mount } for pid=3297 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 740.482263][ T3297] cgroup: Unknown subsys name 'net' [ 740.545710][ T24] audit: type=1400 audit(739.640:74): avc: denied { unmount } for pid=3297 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 741.052618][ T3297] cgroup: Unknown subsys name 'cpuset' [ 741.192689][ T3297] cgroup: Unknown subsys name 'rlimit' [ 742.583870][ T24] audit: type=1400 audit(741.670:75): avc: denied { setattr } for pid=3297 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 742.623401][ T24] audit: type=1400 audit(741.720:76): avc: denied { create } for pid=3297 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 742.641564][ T24] audit: type=1400 audit(741.730:77): avc: denied { write } for pid=3297 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 742.681073][ T24] audit: type=1400 audit(741.760:78): avc: denied { module_request } for pid=3297 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 743.283974][ T24] audit: type=1400 audit(742.380:79): avc: denied { read } for pid=3297 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 743.356875][ T24] audit: type=1400 audit(742.450:80): avc: denied { mounton } for pid=3297 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 743.382554][ T24] audit: type=1400 audit(742.470:81): avc: denied { mount } for pid=3297 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 744.767659][ T3301] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 745.107195][ T3297] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 807.406753][ T24] kauditd_printk_skb: 4 callbacks suppressed [ 807.407041][ T24] audit: type=1400 audit(806.500:86): avc: denied { execmem } for pid=3307 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 807.826262][ T24] audit: type=1400 audit(806.920:87): avc: denied { read } for pid=3309 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 807.874202][ T24] audit: type=1400 audit(806.970:88): avc: denied { open } for pid=3309 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 807.973741][ T24] audit: type=1400 audit(807.070:89): avc: denied { mounton } for pid=3309 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 810.183853][ T24] audit: type=1400 audit(809.270:90): avc: denied { mount } for pid=3309 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 810.311380][ T24] audit: type=1400 audit(809.390:91): avc: denied { mounton } for pid=3309 comm="syz-executor" path="/syzkaller.D7xB0b/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 810.445540][ T24] audit: type=1400 audit(809.500:92): avc: denied { mount } for pid=3309 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 810.633787][ T24] audit: type=1400 audit(809.730:93): avc: denied { mounton } for pid=3309 comm="syz-executor" path="/syzkaller.D7xB0b/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 810.703547][ T24] audit: type=1400 audit(809.790:94): avc: denied { mounton } for pid=3309 comm="syz-executor" path="/syzkaller.D7xB0b/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=2845 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 810.852388][ T24] audit: type=1400 audit(809.920:95): avc: denied { unmount } for pid=3309 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 821.861780][ T24] kauditd_printk_skb: 10 callbacks suppressed [ 821.862100][ T24] audit: type=1400 audit(820.950:106): avc: denied { create } for pid=3320 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 826.214158][ T3319] ================================================================== [ 826.217027][ T3319] BUG: KASAN: slab-use-after-free in binder_add_device+0x54/0x8c [ 826.219913][ T3319] Write of size 8 at addr 9df00000103da008 by task syz-executor/3319 [ 826.221878][ T3319] Pointer tag: [9d], memory tag: [56] [ 826.223118][ T3319] [ 826.224660][ T3319] CPU: 0 UID: 0 PID: 3319 Comm: syz-executor Not tainted 6.14.0-rc2-syzkaller-g29281a76709c #0 [ 826.225177][ T3319] Hardware name: linux,dummy-virt (DT) [ 826.225640][ T3319] Call trace: [ 826.225897][ T3319] show_stack+0x2c/0x3c (C) [ 826.226664][ T3319] dump_stack_lvl+0xe4/0x150 [ 826.227079][ T3319] print_report+0x1b4/0x500 [ 826.227444][ T3319] kasan_report+0xd8/0x138 [ 826.227783][ T3319] kasan_tag_mismatch+0x28/0x3c [ 826.228124][ T3319] __hwasan_tag_mismatch+0x30/0x60 [ 826.228478][ T3319] binder_add_device+0x54/0x8c [ 826.228770][ T3319] binderfs_binder_device_create+0x64c/0x6a0 [ 826.229050][ T3319] binderfs_fill_super+0x5d4/0x814 [ 826.229345][ T3319] get_tree_nodev+0x98/0x110 [ 826.229697][ T3319] binderfs_fs_context_get_tree+0x28/0x38 [ 826.229974][ T3319] vfs_get_tree+0x68/0x1e4 [ 826.230344][ T3319] do_new_mount+0x218/0x5d8 [ 826.230680][ T3319] path_mount+0x428/0xa64 [ 826.230985][ T3319] __arm64_sys_mount+0x3dc/0x48c [ 826.231319][ T3319] invoke_syscall+0x78/0x1b8 [ 826.231606][ T3319] el0_svc_common+0xe8/0x1b0 [ 826.231872][ T3319] do_el0_svc+0x40/0x50 [ 826.232126][ T3319] el0_svc+0x54/0x14c [ 826.232406][ T3319] el0t_64_sync_handler+0x84/0x108 [ 826.232701][ T3319] el0t_64_sync+0x198/0x19c [ 826.233300][ T3319] [ 826.254244][ T3319] Allocated by task 3309: [ 826.255528][ T3319] kasan_save_stack+0x40/0x6c [ 826.256804][ T3319] save_stack_info+0x34/0x144 [ 826.258046][ T3319] kasan_save_alloc_info+0x14/0x20 [ 826.259443][ T3319] __kasan_kmalloc+0x98/0x9c [ 826.260693][ T3319] __kmalloc_cache_noprof+0x2cc/0x434 [ 826.261937][ T3319] binderfs_binder_device_create+0x124/0x6a0 [ 826.263393][ T3319] binderfs_fill_super+0x5d4/0x814 [ 826.264630][ T3319] get_tree_nodev+0x98/0x110 [ 826.265701][ T3319] binderfs_fs_context_get_tree+0x28/0x38 [ 826.267012][ T3319] vfs_get_tree+0x68/0x1e4 [ 826.268215][ T3319] do_new_mount+0x218/0x5d8 [ 826.269333][ T3319] path_mount+0x428/0xa64 [ 826.270516][ T3319] __arm64_sys_mount+0x3dc/0x48c [ 826.271774][ T3319] invoke_syscall+0x78/0x1b8 [ 826.272818][ T3319] el0_svc_common+0xe8/0x1b0 [ 826.273985][ T3319] do_el0_svc+0x40/0x50 [ 826.275161][ T3319] el0_svc+0x54/0x14c [ 826.276312][ T3319] el0t_64_sync_handler+0x84/0x108 [ 826.277432][ T3319] el0t_64_sync+0x198/0x19c [ 826.278682][ T3319] [ 826.279507][ T3319] Freed by task 3309: [ 826.280530][ T3319] kasan_save_stack+0x40/0x6c [ 826.281746][ T3319] save_stack_info+0x34/0x144 [ 826.283040][ T3319] kasan_save_free_info+0x18/0x24 [ 826.284341][ T3319] __kasan_slab_free+0x64/0x68 [ 826.285506][ T3319] kfree+0x14c/0x450 [ 826.286703][ T3319] binderfs_evict_inode+0x124/0x194 [ 826.287912][ T3319] evict+0x2e4/0x610 [ 826.289109][ T3319] iput+0x564/0x5d8 [ 826.290182][ T3319] dentry_unlink_inode+0x2e0/0x310 [ 826.291441][ T3319] __dentry_kill+0x130/0x3e8 [ 826.292630][ T3319] shrink_kill+0xf8/0x324 [ 826.293760][ T3319] shrink_dentry_list+0x280/0x4ec [ 826.294980][ T3319] shrink_dcache_parent+0x88/0x21c [ 826.296260][ T3319] do_one_tree+0x2c/0xc0 [ 826.297383][ T3319] shrink_dcache_for_umount+0x90/0x118 [ 826.298530][ T3319] generic_shutdown_super+0x50/0x214 [ 826.299823][ T3319] kill_litter_super+0x64/0x90 [ 826.301106][ T3319] binderfs_kill_super+0x3c/0x88 [ 826.302380][ T3319] deactivate_locked_super+0xa8/0x110 [ 826.303539][ T3319] deactivate_super+0xdc/0xe0 [ 826.304743][ T3319] cleanup_mnt+0x228/0x298 [ 826.305915][ T3319] __cleanup_mnt+0x20/0x30 [ 826.307073][ T3319] task_work_run+0x154/0x1c4 [ 826.308268][ T3319] do_exit+0x3b8/0x10dc [ 826.309438][ T3319] do_group_exit+0xfc/0x13c [ 826.310645][ T3319] get_signal+0xd1c/0xd94 [ 826.311733][ T3319] do_signal+0x17c/0x29a4 [ 826.312863][ T3319] do_notify_resume+0x7c/0x1b8 [ 826.314154][ T3319] el0_svc+0xac/0x14c [ 826.315286][ T3319] el0t_64_sync_handler+0x84/0x108 [ 826.316353][ T3319] el0t_64_sync+0x198/0x19c [ 826.317508][ T3319] [ 826.318356][ T3319] The buggy address belongs to the object at fff00000103da000 [ 826.318356][ T3319] which belongs to the cache kmalloc-512 of size 512 [ 826.320408][ T3319] The buggy address is located 8 bytes inside of [ 826.320408][ T3319] 288-byte region [fff00000103da000, fff00000103da120) [ 826.322341][ T3319] [ 826.323206][ T3319] The buggy address belongs to the physical page: [ 826.324659][ T3319] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x503da [ 826.326511][ T3319] flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0) [ 826.328362][ T3319] page_type: f5(slab) [ 826.329955][ T3319] raw: 01ffc00000000000 9df000000a001900 ffffc1ffc040d380 0000000000000008 [ 826.331464][ T3319] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 [ 826.332979][ T3319] page dumped because: kasan: bad access detected [ 826.334285][ T3319] [ 826.335082][ T3319] Memory state around the buggy address: [ 826.336460][ T3319] fff00000103d9e00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 826.337888][ T3319] fff00000103d9f00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 826.339313][ T3319] >fff00000103da000: 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 [ 826.340691][ T3319] ^ [ 826.341776][ T3319] fff00000103da100: 56 56 fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 826.343181][ T3319] fff00000103da200: 6e 6e 6e 6e 6e 6e 6e 6e 6e 6e 6e 6e 6e 6e 6e 6e [ 826.344528][ T3319] ================================================================== SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 827.449834][ T3319] Disabling lock debugging due to kernel taint [ 827.540126][ T24] audit: type=1400 audit(826.630:107): avc: denied { mount } for pid=3319 comm="syz-executor" name="/" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=filesystem permissive=1 [ 829.930050][ T24] audit: type=1400 audit(829.010:108): avc: denied { sys_module } for pid=3323 comm="syz-executor" capability=16 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability permissive=1 [ 836.457782][ T3323] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 836.504338][ T3323] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 839.736759][ T3323] hsr_slave_0: entered promiscuous mode [ 839.763070][ T3323] hsr_slave_1: entered promiscuous mode [ 841.570134][ T3323] netdevsim netdevsim2 netdevsim0: renamed from eth0 [ 841.665672][ T3323] netdevsim netdevsim2 netdevsim1: renamed from eth1 [ 841.774416][ T3323] netdevsim netdevsim2 netdevsim2: renamed from eth2 [ 841.847164][ T3323] netdevsim netdevsim2 netdevsim3: renamed from eth3 [ 845.293711][ T3323] 8021q: adding VLAN 0 to HW filter on device bond0 VM DIAGNOSIS: 18:51:06 Registers: info registers vcpu 0 CPU#0 PC=ffff8000813d8c6c X00=0000000000000003 X01=0000000000000002 X02=000000000000005a X03=ffff8000813d8bdc X04=0000000000000001 X05=0000000000000000 X06=ffff8000813d79f0 X07=ffff8000808736dc X08=a7f000001026d7c0 X09=0000000000000000 X10=0000000000ff0100 X11=0000000000000101 X12=a7f000001026d7c0 X13=0000000000000007 X14=0000000000000000 X15=a7f000001026e250 X16=00000000000000e9 X17=0000000000000000 X18=0000000000000003 X19=0000000000000061 X20=efff800000000000 X21=0000000000000002 X22=e9f000000b3f517a X23=e9f000000b3f52c8 X24=e9f000000b3f50c8 X25=64ff8000899cb018 X26=e9f000000b3f52d8 X27=ffff80008976864d X28=0000000000000f01 X29=ffff80008c8a7330 X30=ffff8000813d8c6c SP=ffff80008c8a7330 PSTATE=804020c9 N--- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000 P01=0000 P02=0000 P03=0000 P04=0000 P05=0000 P06=0000 P07=0000 P08=0000 P09=0000 P10=0000 P11=0000 P12=0000 P13=0000 P14=0000 P15=0000 FFR=0000 Z00=0000000000000000:0000000000000000 Z01=0000000000000000:0000000000000000 Z02=0000000000000000:0000000000000000 Z03=0000000000000000:0000000000000000 Z04=0000000000000000:0000000000000000 Z05=0000000000000000:0000000000000000 Z06=0000000000000000:0000000000000000 Z07=0000000000000000:0000000000000000 Z08=0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000 Z16=0000000000000000:0000000000000000 Z17=0000000000000000:0000000000000000 Z18=0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000