last executing test programs: 3.187184275s ago: executing program 0 (id=134): syz_open_dev$dmmidi(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$dmmidi(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$dmmidi(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$dmmidi(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$dmmidi(&(0x7f0000000140), 0x1, 0x0) syz_open_dev$dmmidi(&(0x7f0000000180), 0x1, 0x1) syz_open_dev$dmmidi(&(0x7f00000001c0), 0x1, 0x2) syz_open_dev$dmmidi(&(0x7f0000000200), 0x1, 0x800) syz_open_dev$dmmidi(&(0x7f0000000240), 0x2, 0x0) syz_open_dev$dmmidi(&(0x7f0000000280), 0x2, 0x1) syz_open_dev$dmmidi(&(0x7f00000002c0), 0x2, 0x2) syz_open_dev$dmmidi(&(0x7f0000000300), 0x2, 0x800) syz_open_dev$dmmidi(&(0x7f0000000340), 0x3, 0x0) syz_open_dev$dmmidi(&(0x7f0000000380), 0x3, 0x1) syz_open_dev$dmmidi(&(0x7f00000003c0), 0x3, 0x2) syz_open_dev$dmmidi(&(0x7f0000000400), 0x3, 0x800) syz_open_dev$dmmidi(&(0x7f0000000440), 0x4, 0x0) syz_open_dev$dmmidi(&(0x7f0000000480), 0x4, 0x1) syz_open_dev$dmmidi(&(0x7f00000004c0), 0x4, 0x2) syz_open_dev$dmmidi(&(0x7f0000000500), 0x4, 0x800) 2.648024951s ago: executing program 0 (id=136): sched_rr_get_interval(0x0, &(0x7f0000000000)) 2.387476079s ago: executing program 0 (id=138): faccessat(0xffffffffffffffff, &(0x7f0000000000), 0x0) 2.074070618s ago: executing program 0 (id=140): mprotect(0x0, 0x0, 0x0) 1.985360511s ago: executing program 1 (id=141): socket$inet_tcp(0x2, 0x1, 0x0) 1.894891104s ago: executing program 0 (id=142): syz_open_dev$media(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$media(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$media(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$media(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$media(&(0x7f0000000140), 0x1, 0x0) syz_open_dev$media(&(0x7f0000000180), 0x1, 0x1) syz_open_dev$media(&(0x7f00000001c0), 0x1, 0x2) syz_open_dev$media(&(0x7f0000000200), 0x1, 0x800) syz_open_dev$media(&(0x7f0000000240), 0x2, 0x0) syz_open_dev$media(&(0x7f0000000280), 0x2, 0x1) syz_open_dev$media(&(0x7f00000002c0), 0x2, 0x2) syz_open_dev$media(&(0x7f0000000300), 0x2, 0x800) syz_open_dev$media(&(0x7f0000000340), 0x3, 0x0) syz_open_dev$media(&(0x7f0000000380), 0x3, 0x1) syz_open_dev$media(&(0x7f00000003c0), 0x3, 0x2) syz_open_dev$media(&(0x7f0000000400), 0x3, 0x800) syz_open_dev$media(&(0x7f0000000440), 0x4, 0x0) syz_open_dev$media(&(0x7f0000000480), 0x4, 0x1) syz_open_dev$media(&(0x7f00000004c0), 0x4, 0x2) syz_open_dev$media(&(0x7f0000000500), 0x4, 0x800) 1.551807293s ago: executing program 0 (id=143): prlimit64(0x0, 0x0, 0x0, 0x0) 1.519361084s ago: executing program 1 (id=144): openat(0xffffffffffffff9c, &(0x7f0000000040)='/proc/keys', 0x0, 0x0) 861.440794ms ago: executing program 1 (id=146): socket$nl_rdma(0x10, 0x3, 0x14) 536.766294ms ago: executing program 1 (id=147): setresuid(0x0, 0x0, 0x0) 226.042503ms ago: executing program 1 (id=148): syz_open_dev$mouse(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$mouse(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$mouse(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$mouse(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$mouse(&(0x7f0000000140), 0x1, 0x0) syz_open_dev$mouse(&(0x7f0000000180), 0x1, 0x1) syz_open_dev$mouse(&(0x7f00000001c0), 0x1, 0x2) syz_open_dev$mouse(&(0x7f0000000200), 0x1, 0x800) syz_open_dev$mouse(&(0x7f0000000240), 0x2, 0x0) syz_open_dev$mouse(&(0x7f0000000280), 0x2, 0x1) syz_open_dev$mouse(&(0x7f00000002c0), 0x2, 0x2) syz_open_dev$mouse(&(0x7f0000000300), 0x2, 0x800) syz_open_dev$mouse(&(0x7f0000000340), 0x3, 0x0) syz_open_dev$mouse(&(0x7f0000000380), 0x3, 0x1) syz_open_dev$mouse(&(0x7f00000003c0), 0x3, 0x2) syz_open_dev$mouse(&(0x7f0000000400), 0x3, 0x800) syz_open_dev$mouse(&(0x7f0000000440), 0x4, 0x0) syz_open_dev$mouse(&(0x7f0000000480), 0x4, 0x1) syz_open_dev$mouse(&(0x7f00000004c0), 0x4, 0x2) syz_open_dev$mouse(&(0x7f0000000500), 0x4, 0x800) 0s ago: executing program 1 (id=149): rt_sigreturn() kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:44812' (ED25519) to the list of known hosts. [ 248.741245][ T29] audit: type=1400 audit(248.250:58): avc: denied { name_bind } for pid=3276 comm="sshd" src=30003 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:tcs_port_t tclass=tcp_socket permissive=1 [ 249.438796][ T29] audit: type=1400 audit(248.950:59): avc: denied { execute } for pid=3278 comm="sh" name="syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 249.450226][ T29] audit: type=1400 audit(248.960:60): avc: denied { execute_no_trans } for pid=3278 comm="sh" path="/syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 256.021140][ T29] audit: type=1400 audit(255.530:61): avc: denied { mounton } for pid=3278 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1736 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 256.043197][ T29] audit: type=1400 audit(255.550:62): avc: denied { mount } for pid=3278 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 256.100012][ T3278] cgroup: Unknown subsys name 'net' [ 256.143634][ T29] audit: type=1400 audit(255.650:63): avc: denied { unmount } for pid=3278 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 256.684546][ T3278] cgroup: Unknown subsys name 'cpuset' [ 256.745840][ T3278] cgroup: Unknown subsys name 'rlimit' [ 257.146031][ T29] audit: type=1400 audit(256.660:64): avc: denied { setattr } for pid=3278 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 257.148020][ T29] audit: type=1400 audit(256.660:65): avc: denied { create } for pid=3278 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 257.156914][ T29] audit: type=1400 audit(256.670:66): avc: denied { write } for pid=3278 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 257.158634][ T29] audit: type=1400 audit(256.670:67): avc: denied { module_request } for pid=3278 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 257.345504][ T29] audit: type=1400 audit(256.860:68): avc: denied { read } for pid=3278 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 257.377882][ T29] audit: type=1400 audit(256.880:69): avc: denied { mounton } for pid=3278 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 257.379786][ T29] audit: type=1400 audit(256.890:70): avc: denied { mount } for pid=3278 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 257.940363][ T3281] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 258.139732][ T3278] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 270.509723][ T29] kauditd_printk_skb: 4 callbacks suppressed [ 270.509949][ T29] audit: type=1400 audit(270.020:75): avc: denied { execmem } for pid=3282 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 270.622347][ T29] audit: type=1400 audit(270.130:76): avc: denied { read } for pid=3284 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 270.628989][ T29] audit: type=1400 audit(270.140:77): avc: denied { open } for pid=3284 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 270.656256][ T29] audit: type=1400 audit(270.170:78): avc: denied { mounton } for pid=3284 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 271.609898][ T29] audit: type=1400 audit(271.120:79): avc: denied { mount } for pid=3285 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 271.634523][ T29] audit: type=1400 audit(271.150:80): avc: denied { mounton } for pid=3285 comm="syz-executor" path="/syzkaller.7rY4u1/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 271.666346][ T29] audit: type=1400 audit(271.180:81): avc: denied { mount } for pid=3285 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 271.718247][ T29] audit: type=1400 audit(271.230:82): avc: denied { mounton } for pid=3285 comm="syz-executor" path="/syzkaller.7rY4u1/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 271.747697][ T29] audit: type=1400 audit(271.260:83): avc: denied { mounton } for pid=3285 comm="syz-executor" path="/syzkaller.7rY4u1/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=1730 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 271.798289][ T29] audit: type=1400 audit(271.310:84): avc: denied { unmount } for pid=3284 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 275.610198][ T29] kauditd_printk_skb: 13 callbacks suppressed [ 275.610334][ T29] audit: type=1400 audit(275.120:98): avc: denied { create } for pid=3305 comm="syz.1.17" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 276.276799][ T29] audit: type=1400 audit(275.790:99): avc: denied { create } for pid=3310 comm="syz.0.21" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=sctp_socket permissive=1 [ 278.655100][ T29] audit: type=1400 audit(278.170:100): avc: denied { write } for pid=3324 comm="syz.1.34" name="random" dev="devtmpfs" ino=8 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:random_device_t tclass=chr_file permissive=1 [ 279.489747][ T29] audit: type=1400 audit(279.000:101): avc: denied { create } for pid=3328 comm="syz.0.39" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=tipc_socket permissive=1 [ 280.371815][ T29] audit: type=1400 audit(279.880:102): avc: denied { read } for pid=3334 comm="syz.1.44" name="loop-control" dev="devtmpfs" ino=636 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:loop_control_device_t tclass=chr_file permissive=1 [ 280.374222][ T29] audit: type=1400 audit(279.890:103): avc: denied { open } for pid=3334 comm="syz.1.44" path="/dev/loop-control" dev="devtmpfs" ino=636 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:loop_control_device_t tclass=chr_file permissive=1 [ 280.386784][ T29] audit: type=1400 audit(279.890:104): avc: denied { write } for pid=3334 comm="syz.1.44" name="loop-control" dev="devtmpfs" ino=636 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:loop_control_device_t tclass=chr_file permissive=1 [ 280.527962][ T29] audit: type=1400 audit(280.040:105): avc: denied { read } for pid=3335 comm="syz.1.45" name="dlm-control" dev="devtmpfs" ino=87 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 280.531247][ T29] audit: type=1400 audit(280.040:106): avc: denied { open } for pid=3335 comm="syz.1.45" path="/dev/dlm-control" dev="devtmpfs" ino=87 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 280.549210][ T29] audit: type=1400 audit(280.060:107): avc: denied { write } for pid=3335 comm="syz.1.45" name="dlm-control" dev="devtmpfs" ino=87 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 281.732616][ T29] audit: type=1400 audit(281.240:108): avc: denied { create } for pid=3341 comm="syz.0.51" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rawip_socket permissive=1 [ 281.745806][ T3341] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 291.702500][ T29] audit: type=1400 audit(291.210:109): avc: denied { sys_module } for pid=3369 comm="syz.0.78" capability=16 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability permissive=1 [ 298.493246][ T29] audit: type=1400 audit(297.990:110): avc: denied { create } for pid=3394 comm="syz.1.102" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=ax25_socket permissive=1 [ 299.161175][ T29] audit: type=1400 audit(298.670:111): avc: denied { read write } for pid=3398 comm="syz.0.105" name="vhost-net" dev="devtmpfs" ino=713 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:vhost_device_t tclass=chr_file permissive=1 [ 299.166433][ T29] audit: type=1400 audit(298.680:112): avc: denied { open } for pid=3398 comm="syz.0.105" path="/dev/vhost-net" dev="devtmpfs" ino=713 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:vhost_device_t tclass=chr_file permissive=1 [ 299.579461][ T29] audit: type=1400 audit(299.090:113): avc: denied { create } for pid=3401 comm="syz.0.107" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_rdma_socket permissive=1 [ 300.809134][ T29] audit: type=1400 audit(300.320:114): avc: denied { read } for pid=3407 comm="syz.0.113" name="snapshot" dev="devtmpfs" ino=85 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:acpi_bios_t tclass=chr_file permissive=1 [ 300.826170][ T29] audit: type=1400 audit(300.340:115): avc: denied { open } for pid=3407 comm="syz.0.113" path="/dev/snapshot" dev="devtmpfs" ino=85 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:acpi_bios_t tclass=chr_file permissive=1 [ 301.057359][ T29] audit: type=1400 audit(300.570:116): avc: denied { write } for pid=3407 comm="syz.0.113" name="snapshot" dev="devtmpfs" ino=85 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:acpi_bios_t tclass=chr_file permissive=1 [ 301.078892][ T29] audit: type=1400 audit(300.590:117): avc: denied { create } for pid=3408 comm="syz.1.115" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=pppox_socket permissive=1 [ 302.602011][ T29] audit: type=1400 audit(302.110:118): avc: denied { read } for pid=3417 comm="syz.1.123" name="usbmon0" dev="devtmpfs" ino=695 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbmon_device_t tclass=chr_file permissive=1 [ 302.603701][ T29] audit: type=1400 audit(302.110:119): avc: denied { open } for pid=3417 comm="syz.1.123" path="/dev/usbmon0" dev="devtmpfs" ino=695 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbmon_device_t tclass=chr_file permissive=1 [ 305.402962][ T29] kauditd_printk_skb: 1 callbacks suppressed [ 305.403160][ T29] audit: type=1400 audit(304.900:121): avc: denied { create } for pid=3431 comm="syz.1.137" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=key_socket permissive=1 [ 308.293574][ T3442] ================================================================== [ 308.294629][ T3442] BUG: KASAN: slab-use-after-free in binder_add_device+0x98/0xb0 [ 308.295748][ T3442] Write of size 8 at addr ffff00000f72c808 by task syz-executor/3442 [ 308.296281][ T3442] [ 308.297325][ T3442] CPU: 0 UID: 0 PID: 3442 Comm: syz-executor Not tainted 6.13.0-syzkaller-09147-ge2ee2e9b1590 #0 [ 308.298006][ T3442] Hardware name: linux,dummy-virt (DT) [ 308.298707][ T3442] Call trace: [ 308.298876][ T3442] show_stack+0x18/0x24 (C) [ 308.299021][ T3442] dump_stack_lvl+0xa4/0xf4 [ 308.299094][ T3442] print_report+0xf4/0x5a0 [ 308.299139][ T3442] kasan_report+0xc8/0x108 [ 308.299176][ T3442] __asan_report_store8_noabort+0x20/0x2c [ 308.299265][ T3442] binder_add_device+0x98/0xb0 [ 308.299320][ T3442] binderfs_binder_device_create.isra.0+0x798/0x960 [ 308.299361][ T3442] binderfs_fill_super+0x668/0xe9c [ 308.299397][ T3442] get_tree_nodev+0xac/0x148 [ 308.299434][ T3442] binderfs_fs_context_get_tree+0x18/0x24 [ 308.299470][ T3442] vfs_get_tree+0x74/0x280 [ 308.299508][ T3442] path_mount+0x750/0x1684 [ 308.299546][ T3442] __arm64_sys_mount+0x26c/0x4d8 [ 308.299583][ T3442] invoke_syscall+0x6c/0x258 [ 308.299617][ T3442] el0_svc_common.constprop.0+0xac/0x230 [ 308.299650][ T3442] do_el0_svc+0x40/0x58 [ 308.299681][ T3442] el0_svc+0x50/0x180 [ 308.299719][ T3442] el0t_64_sync_handler+0x10c/0x138 [ 308.299753][ T3442] el0t_64_sync+0x198/0x19c [ 308.299937][ T3442] [ 308.304992][ T3442] Allocated by task 3284: [ 308.305388][ T3442] kasan_save_stack+0x3c/0x64 [ 308.305714][ T3442] kasan_save_track+0x20/0x3c [ 308.305934][ T3442] kasan_save_alloc_info+0x40/0x54 [ 308.306163][ T3442] __kasan_kmalloc+0xb8/0xbc [ 308.306406][ T3442] __kmalloc_cache_noprof+0x1b4/0x3d0 [ 308.306635][ T3442] binderfs_binder_device_create.isra.0+0x140/0x960 [ 308.306894][ T3442] binderfs_fill_super+0x668/0xe9c [ 308.307125][ T3442] get_tree_nodev+0xac/0x148 [ 308.307347][ T3442] binderfs_fs_context_get_tree+0x18/0x24 [ 308.307579][ T3442] vfs_get_tree+0x74/0x280 [ 308.307791][ T3442] path_mount+0x750/0x1684 [ 308.307998][ T3442] __arm64_sys_mount+0x26c/0x4d8 [ 308.308226][ T3442] invoke_syscall+0x6c/0x258 [ 308.308507][ T3442] el0_svc_common.constprop.0+0xac/0x230 [ 308.308762][ T3442] do_el0_svc+0x40/0x58 [ 308.308980][ T3442] el0_svc+0x50/0x180 [ 308.309196][ T3442] el0t_64_sync_handler+0x10c/0x138 [ 308.309468][ T3442] el0t_64_sync+0x198/0x19c [ 308.309756][ T3442] [ 308.309941][ T3442] Freed by task 3284: [ 308.310165][ T3442] kasan_save_stack+0x3c/0x64 [ 308.310515][ T3442] kasan_save_track+0x20/0x3c [ 308.310793][ T3442] kasan_save_free_info+0x4c/0x74 [ 308.311017][ T3442] __kasan_slab_free+0x50/0x6c [ 308.311466][ T3442] kfree+0x1bc/0x444 [ 308.311710][ T3442] binderfs_evict_inode+0x1c4/0x214 [ 308.311961][ T3442] evict+0x2d0/0x6b0 [ 308.312251][ T3442] iput+0x3b0/0x6b4 [ 308.312450][ T3442] dentry_unlink_inode+0x208/0x46c [ 308.312677][ T3442] __dentry_kill+0x150/0x52c [ 308.312892][ T3442] shrink_dentry_list+0x114/0x3a4 [ 308.313174][ T3442] shrink_dcache_parent+0x158/0x364 [ 308.313424][ T3442] shrink_dcache_for_umount+0x88/0x304 [ 308.313707][ T3442] generic_shutdown_super+0x60/0x2e8 [ 308.313940][ T3442] kill_litter_super+0x68/0xa4 [ 308.314163][ T3442] binderfs_kill_super+0x38/0x88 [ 308.314415][ T3442] deactivate_locked_super+0x98/0x17c [ 308.314692][ T3442] deactivate_super+0xb0/0xd4 [ 308.314920][ T3442] cleanup_mnt+0x174/0x324 [ 308.315124][ T3442] __cleanup_mnt+0x14/0x20 [ 308.315344][ T3442] task_work_run+0x128/0x210 [ 308.315615][ T3442] do_exit+0x7a0/0x2044 [ 308.315824][ T3442] do_group_exit+0xa4/0x208 [ 308.316032][ T3442] get_signal+0x1a60/0x1b08 [ 308.316250][ T3442] do_signal+0x160/0x620 [ 308.316463][ T3442] do_notify_resume+0x18c/0x258 [ 308.316679][ T3442] el0_svc+0x100/0x180 [ 308.316966][ T3442] el0t_64_sync_handler+0x10c/0x138 [ 308.317193][ T3442] el0t_64_sync+0x198/0x19c [ 308.317467][ T3442] [ 308.317711][ T3442] The buggy address belongs to the object at ffff00000f72c800 [ 308.317711][ T3442] which belongs to the cache kmalloc-512 of size 512 [ 308.318189][ T3442] The buggy address is located 8 bytes inside of [ 308.318189][ T3442] freed 512-byte region [ffff00000f72c800, ffff00000f72ca00) [ 308.318660][ T3442] [ 308.318884][ T3442] The buggy address belongs to the physical page: [ 308.319520][ T3442] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4f72c [ 308.320232][ T3442] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 308.320888][ T3442] flags: 0x1ffc00000000040(head|node=0|zone=0|lastcpupid=0x7ff) [ 308.321853][ T3442] page_type: f5(slab) [ 308.322457][ T3442] raw: 01ffc00000000040 ffff00000d401c80 fffffdffc0532b00 dead000000000002 [ 308.322777][ T3442] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 308.323201][ T3442] head: 01ffc00000000040 ffff00000d401c80 fffffdffc0532b00 dead000000000002 [ 308.323508][ T3442] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 308.323798][ T3442] head: 01ffc00000000002 fffffdffc03dcb01 ffffffffffffffff 0000000000000000 [ 308.324092][ T3442] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000 [ 308.324438][ T3442] page dumped because: kasan: bad access detected [ 308.324753][ T3442] [ 308.324932][ T3442] Memory state around the buggy address: [ 308.325475][ T3442] ffff00000f72c700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 308.325842][ T3442] ffff00000f72c780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 308.326147][ T3442] >ffff00000f72c800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 308.326449][ T3442] ^ [ 308.326733][ T3442] ffff00000f72c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 308.326999][ T3442] ffff00000f72c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 308.327355][ T3442] ================================================================== SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 308.373398][ T3442] Disabling lock debugging due to kernel taint [ 308.379111][ T29] audit: type=1400 audit(307.890:122): avc: denied { mount } for pid=3442 comm="syz-executor" name="/" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=filesystem permissive=1 VM DIAGNOSIS: 17:57:31 Registers: info registers vcpu 0 CPU#0 PC=ffff80008530f278 X00=ffff8000a0ee7172 X01=0000000000000000 X02=0000000000000000 X03=0000000000000000 X04=0000000000000002 X05=1ffff000141dce2e X06=0000000000000000 X07=ffff7000141dce0c X08=0000000041b58ab3 X09=ffff8000a0ee6fc4 X10=0000000000000000 X11=0000000000000000 X12=0000000000000000 X13=00000000ffffffff X14=0000000000000000 X15=0000000000000000 X16=0000000000000000 X17=0000000000000000 X18=00000000be1c50b8 X19=ffff80008634d8f1 X20=ffff8000a0ee73a8 X21=ffff80008634d8f1 X22=ffff8000a0ee7640 X23=ffff8000a0ee7170 X24=0000000000000403 X25=1ffff000141dce0c X26=ffff8000a0ee7080 X27=ffff8000a0ee7088 X28=0000000000000003 X29=ffff8000a0ee6ff0 X30=ffff80008531a1e0 SP=ffff8000a0ee6ff0 PSTATE=100000c5 ---V EL1h FPCR=00000000 FPSR=00000000 Q00=2525252525252525:2525252525252525 Q01=0000303030303031:0000000000000a64 Q02=0000000000000000:0000000000000000 Q03=ffff000000000000:ffffffffffff0000 Q04=0000000000000000:ff000000ffffff00 Q05=0000000000000000:0000000000000000 Q06=0000000000000000:0000000000000000 Q07=0000000000000000:0000000000000000 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000fffff3c4bab0:0000fffff3c4bab0 Q17=ffffff80ffffffd0:0000fffff3c4ba80 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff800080389520 X00=ffff800086e00718 X01=0000000000000000 X02=0000000000000000 X03=ffff8000a1146b80 X04=00000000f204f1f1 X05=ffff700014228d68 X06=dfff800000000000 X07=00000000f1f1f1f1 X08=ffff700014228d66 X09=000000001b822ee5 X10=451c6a7185d33dd2 X11=1fffe00003b0948a X12=ffff600003b0948b X13=ffff00001202a8d0 X14=1ffff000110f5d04 X15=1fffe00002405516 X16=0000000000000000 X17=ffff7fffe3393000 X18=00000000b822ee51 X19=ffff800080033828 X20=ffff8000a1146bc0 X21=ffff000012029e40 X22=0000000000000001 X23=ffff800080033958 X24=0000000000000001 X25=1ffff00014228d9a X26=ffff600003b094ab X27=0000000000000001 X28=ffffffffffffc005 X29=ffff8000a1146c00 X30=ffff80008053a058 SP=ffff8000a1146bc0 PSTATE=800000c5 N--- EL1h FPCR=00000000 FPSR=00000000 Q00=0000000000000000:0000000000000000 Q01=63206f742064656c:6961460064252f68 Q02=f00ff00ff00ff00f:f00ff00ff00ff00f Q03=0000000000000000:0000000f000f0000 Q04=f00ff00ff00ff00f:f00ff00ff00ff00f Q05=00000000000f0f00:00000000000f0f00 Q06=000000000000c00c:000000000000c00c Q07=0000aaaaec5b1790:000002da00000000 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000000000002000:0000000000000000 Q17=000000000000000b:0000000000000000 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000