Warning: Permanently added '10.128.0.56' (ED25519) to the list of known hosts.
[ 73.214289][ T1334] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 73.227187][ T1334] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 73.267698][ T3450] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 73.276495][ T3450] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 73.287197][ T3450] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 73.296657][ T3450] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 73.319593][ T3450] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 73.330701][ T3450] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 73.341259][ T1334] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 73.351800][ T1334] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 73.398704][ T1334] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 73.416653][ T1334] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
executing program
executing program
executing program
[ 73.443039][ T13] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 73.452582][ T13] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 73.529526][ T1334] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 73.554552][ T1334] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
executing program
executing program
[ 73.604141][ T13] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 73.616435][ T5836] ==================================================================
[ 73.624542][ T5836] BUG: KASAN: slab-use-after-free in binder_add_device+0x6b/0xb0
[ 73.632313][ T5836] Write of size 8 at addr ffff8880294cd808 by task syz-executor128/5836
[ 73.639248][ T13] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 73.640643][ T5836]
executing program
executing program
[ 73.640679][ T5836] CPU: 0 UID: 0 PID: 5836 Comm: syz-executor128 Not tainted 6.15.0-rc7-next-20250523-syzkaller #0 PREEMPT(full)
[ 73.640700][ T5836] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 73.640716][ T5836] Call Trace:
[ 73.640725][ T5836] <TASK>
[ 73.640732][ T5836] dump_stack_lvl+0x189/0x250
[ 73.640750][ T5836] ? __virt_addr_valid+0x1c8/0x5c0
[ 73.640767][ T5836] ? rcu_is_watching+0x15/0xb0
[ 73.640781][ T5836] ? __kasan_check_byte+0x12/0x40
[ 73.640802][ T5836] ? __pfx_dump_stack_lvl+0x10/0x10
executing program
executing program
[ 73.640817][ T5836] ? rcu_is_watching+0x15/0xb0
[ 73.640832][ T5836] ? lock_release+0x4b/0x3e0
[ 73.640855][ T5836] ? __virt_addr_valid+0x1c8/0x5c0
[ 73.640872][ T5836] ? __virt_addr_valid+0x4a5/0x5c0
[ 73.640890][ T5836] print_report+0xd2/0x2b0
[ 73.640911][ T5836] ? binder_add_device+0x6b/0xb0
[ 73.640926][ T5836] kasan_report+0x118/0x150
[ 73.640943][ T5836] ? binder_add_device+0x6b/0xb0
[ 73.640961][ T5836] binder_add_device+0x6b/0xb0
[ 73.640977][ T5836] binderfs_binder_device_create+0x9e7/0xc40
executing program
executing program
[ 73.641007][ T5836] ? __pfx_binderfs_binder_device_create+0x10/0x10
[ 73.641032][ T5836] ? do_raw_spin_unlock+0x122/0x240
[ 73.641053][ T5836] binderfs_fill_super+0xa0e/0xe90
[ 73.641079][ T5836] ? __pfx_binderfs_fill_super+0x10/0x10
[ 73.641112][ T5836] ? shrinker_register+0x16b/0x230
[ 73.641140][ T5836] ? sget_fc+0x962/0xa40
[ 73.641162][ T5836] ? __pfx_set_anon_super_fc+0x10/0x10
[ 73.641185][ T5836] ? __pfx_binderfs_fill_super+0x10/0x10
[ 73.641208][ T5836] get_tree_nodev+0xbb/0x150
executing program
executing program
executing program
executing program
executing program
[ 73.641232][ T5836] vfs_get_tree+0x92/0x2b0
[ 73.641249][ T5836] do_new_mount+0x24a/0xa40
[ 73.641271][ T5836] __se_sys_mount+0x317/0x410
[ 73.641291][ T5836] ? __pfx___se_sys_mount+0x10/0x10
[ 73.641312][ T5836] ? do_syscall_64+0xbe/0x3b0
[ 73.641334][ T5836] ? __x64_sys_mount+0x20/0xc0
[ 73.641353][ T5836] do_syscall_64+0xfa/0x3b0
[ 73.641372][ T5836] ? lockdep_hardirqs_on+0x9c/0x150
[ 73.641388][ T5836] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 73.641405][ T5836] ? clear_bhb_loop+0x60/0xb0
executing program
executing program
executing program
[ 73.641423][ T5836] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 73.641439][ T5836] RIP: 0033:0x7f125f40678a
[ 73.641460][ T5836] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 7e 09 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 73.641473][ T5836] RSP: 002b:00007ffd0b7667d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 73.641492][ T5836] RAX: ffffffffffffffda RBX: 00007f125f44a038 RCX: 00007f125f40678a
[ 73.641505][ T5836] RDX: 00007f125f44a1eb RSI: 00007f125f44a038 RDI: 00007f125f44a1eb
executing program
executing program
executing program
executing program
[ 73.641517][ T5836] RBP: 00007f125f44a1bb R08: 0000000000000000 R09: 0000000000000000
[ 73.641527][ T5836] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f125f44a123
[ 73.641538][ T5836] R13: 0000000000000003 R14: 00007f125f481160 R15: 00007ffd0b76681a
[ 73.641556][ T5836] </TASK>
[ 73.641562][ T5836]
[ 73.678785][ T5836] Allocated by task 5837:
[ 73.678796][ T5836] kasan_save_track+0x3e/0x80
[ 73.678822][ T5836] __kasan_kmalloc+0x93/0xb0
executing program
executing program
executing program
executing program
[ 73.756740][ T1334] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 73.760427][ T5836] __kmalloc_cache_noprof+0x230/0x3d0
[ 73.760450][ T5836] binderfs_binder_device_create+0x1eb/0xc40
[ 73.767395][ T1334] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 73.770736][ T5836] binderfs_fill_super+0xa0e/0xe90
[ 73.770763][ T5836] get_tree_nodev+0xbb/0x150
[ 73.770783][ T5836] vfs_get_tree+0x92/0x2b0
[ 73.770797][ T5836] do_new_mount+0x24a/0xa40
[ 73.770812][ T5836] __se_sys_mount+0x317/0x410
[ 73.770826][ T5836] do_syscall_64+0xfa/0x3b0
executing program
executing program
executing program
executing program
executing program
[ 73.770844][ T5836] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.008498][ T5836]
[ 74.010831][ T5836] Freed by task 43:
[ 74.014642][ T5836] kasan_save_track+0x3e/0x80
[ 74.019346][ T5836] kasan_save_free_info+0x46/0x50
[ 74.024399][ T5836] __kasan_slab_free+0x62/0x70
[ 74.029183][ T5836] kfree+0x18e/0x440
[ 74.033100][ T5836] binder_proc_dec_tmpref+0x228/0x4f0
[ 74.038569][ T5836] binder_deferred_func+0x13a5/0x1520
[ 74.043967][ T5836] process_scheduled_works+0xade/0x17b0
[ 74.049641][ T5836] worker_thread+0x8a0/0xda0
executing program
executing program
executing program
[ 74.054252][ T5836] kthread+0x711/0x8a0
[ 74.058341][ T5836] ret_from_fork+0x3fc/0x770
[ 74.062957][ T5836] ret_from_fork_asm+0x1a/0x30
[ 74.067750][ T5836]
[ 74.070081][ T5836] The buggy address belongs to the object at ffff8880294cd800
[ 74.070081][ T5836] which belongs to the cache kmalloc-512 of size 512
[ 74.084158][ T5836] The buggy address is located 8 bytes inside of
[ 74.084158][ T5836] freed 512-byte region [ffff8880294cd800, ffff8880294cda00)
[ 74.097885][ T5836]
[ 74.100222][ T5836] The buggy address belongs to the physical page:
executing program
executing program
executing program
executing program
[ 74.106641][ T5836] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x294cc
[ 74.115449][ T5836] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 74.124331][ T5836] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 74.131910][ T5836] page_type: f5(slab)
[ 74.135911][ T5836] raw: 00fff00000000040 ffff88801a441c80 ffffea0000a53500 dead000000000002
[ 74.144589][ T5836] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
executing program
executing program
executing program
executing program
executing program
[ 74.153542][ T5836] head: 00fff00000000040 ffff88801a441c80 ffffea0000a53500 dead000000000002
[ 74.162230][ T5836] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 74.170930][ T5836] head: 00fff00000000002 ffffea0000a53301 00000000ffffffff 00000000ffffffff
[ 74.179622][ T5836] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 74.188301][ T5836] page dumped because: kasan: bad access detected
[ 74.194751][ T5836] page_owner tracks the page as allocated
executing program
executing program
executing program
[ 74.200478][ T5836] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 10347034507, free_ts 0
[ 74.220722][ T5836] post_alloc_hook+0x240/0x2a0
[ 74.225508][ T5836] get_page_from_freelist+0x21e4/0x22c0
[ 74.231078][ T5836] __alloc_frozen_pages_noprof+0x181/0x370
[ 74.236911][ T5836] alloc_pages_mpol+0x232/0x4a0
[ 74.241780][ T5836] allocate_slab+0x8a/0x3b0
[ 74.246297][ T5836] ___slab_alloc+0xbfc/0x1480
[ 74.250985][ T5836] __kmalloc_cache_noprof+0x296/0x3d0
executing program
executing program
executing program
[ 74.256383][ T5836] device_add+0xbe/0xb50
[ 74.260646][ T5836] usb_hub_create_port_device+0x3c2/0xb90
[ 74.266561][ T5836] hub_probe+0x25af/0x36e0
[ 74.270995][ T5836] usb_probe_interface+0x644/0xbc0
[ 74.276134][ T5836] really_probe+0x26d/0x9a0
[ 74.280646][ T5836] __driver_probe_device+0x18c/0x2f0
[ 74.285955][ T5836] driver_probe_device+0x4f/0x430
[ 74.290996][ T5836] __device_attach_driver+0x2ce/0x530
[ 74.296521][ T5836] bus_for_each_drv+0x24e/0x2e0
[ 74.301390][ T5836] page_owner free stack trace missing
executing program
executing program
executing program
executing program
[ 74.306774][ T5836]
[ 74.309111][ T5836] Memory state around the buggy address:
[ 74.314755][ T5836] ffff8880294cd700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 74.322843][ T5836] ffff8880294cd780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 74.330924][ T5836] >ffff8880294cd800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.339000][ T5836] ^
[ 74.343349][ T5836] ffff8880294cd880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
executing program
executing program
executing program
[ 74.351578][ T5836] ffff8880294cd900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.359768][ T5836] ==================================================================
[ 74.368879][ T5836] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 74.376279][ T5836] CPU: 0 UID: 0 PID: 5836 Comm: syz-executor128 Not tainted 6.15.0-rc7-next-20250523-syzkaller #0 PREEMPT(full)
[ 74.388185][ T5836] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 74.398278][ T5836] Call Trace:
[ 74.401598][ T5836] <TASK>
executing program
executing program
executing program
executing program
[ 74.404545][ T5836] dump_stack_lvl+0x99/0x250
[ 74.409165][ T5836] ? __asan_memcpy+0x40/0x70
[ 74.413951][ T5836] ? __pfx_dump_stack_lvl+0x10/0x10
[ 74.419164][ T5836] ? __pfx__printk+0x10/0x10
[ 74.423789][ T5836] panic+0x2db/0x790
[ 74.427719][ T5836] ? __pfx_panic+0x10/0x10
[ 74.432162][ T5836] ? _raw_spin_unlock_irqrestore+0xa8/0x110
[ 74.438088][ T5836] ? _raw_spin_unlock_irqrestore+0xad/0x110
[ 74.444290][ T5836] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 74.451293][ T5836] ? print_memory_metadata+0x314/0x400
executing program
[ 74.456786][ T5836] ? binder_add_device+0x6b/0xb0
[ 74.461746][ T5836] check_panic_on_warn+0x89/0xb0
[ 74.466709][ T5836] ? binder_add_device+0x6b/0xb0
[ 74.471749][ T5836] end_report+0x78/0x160
[ 74.475987][ T5836] kasan_report+0x129/0x150
[ 74.480486][ T5836] ? binder_add_device+0x6b/0xb0
[ 74.485414][ T5836] binder_add_device+0x6b/0xb0
[ 74.490185][ T5836] binderfs_binder_device_create+0x9e7/0xc40
[ 74.496162][ T5836] ? __pfx_binderfs_binder_device_create+0x10/0x10
[ 74.502658][ T5836] ? do_raw_spin_unlock+0x122/0x240
[ 74.507852][ T5836] binderfs_fill_super+0xa0e/0xe90
[ 74.512971][ T5836] ? __pfx_binderfs_fill_super+0x10/0x10
[ 74.518623][ T5836] ? shrinker_register+0x16b/0x230
[ 74.523729][ T5836] ? sget_fc+0x962/0xa40
[ 74.528014][ T5836] ? __pfx_set_anon_super_fc+0x10/0x10
[ 74.533468][ T5836] ? __pfx_binderfs_fill_super+0x10/0x10
[ 74.539101][ T5836] get_tree_nodev+0xbb/0x150
[ 74.543690][ T5836] vfs_get_tree+0x92/0x2b0
[ 74.548095][ T5836] do_new_mount+0x24a/0xa40
[ 74.552594][ T5836] __se_sys_mount+0x317/0x410
[ 74.557261][ T5836] ? __pfx___se_sys_mount+0x10/0x10
[ 74.562457][ T5836] ? do_syscall_64+0xbe/0x3b0
[ 74.567129][ T5836] ? __x64_sys_mount+0x20/0xc0
[ 74.571903][ T5836] do_syscall_64+0xfa/0x3b0
[ 74.576406][ T5836] ? lockdep_hardirqs_on+0x9c/0x150
[ 74.581608][ T5836] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.587663][ T5836] ? clear_bhb_loop+0x60/0xb0
[ 74.592329][ T5836] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.598213][ T5836] RIP: 0033:0x7f125f40678a
[ 74.602622][ T5836] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 7e 09 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 74.622224][ T5836] RSP: 002b:00007ffd0b7667d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 74.630670][ T5836] RAX: ffffffffffffffda RBX: 00007f125f44a038 RCX: 00007f125f40678a
[ 74.638720][ T5836] RDX: 00007f125f44a1eb RSI: 00007f125f44a038 RDI: 00007f125f44a1eb
[ 74.646690][ T5836] RBP: 00007f125f44a1bb R08: 0000000000000000 R09: 0000000000000000
[ 74.654652][ T5836] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f125f44a123
[ 74.662611][ T5836] R13: 0000000000000003 R14: 00007f125f481160 R15: 00007ffd0b76681a
[ 74.670577][ T5836] </TASK>
[ 74.673900][ T5836] Kernel Offset: disabled
[ 74.678227][ T5836] Rebooting in 86400 seconds..