Warning: Permanently added '10.128.0.146' (ED25519) to the list of known hosts.
executing program
executing program
executing program
[ 86.620948][ T5823] ==================================================================
[ 86.629154][ T5823] BUG: KASAN: slab-use-after-free in binder_add_device+0x5f/0xa0
[ 86.636929][ T5823] Write of size 8 at addr ffff888031a12408 by task syz-executor301/5823
[ 86.645436][ T5823]
[ 86.647761][ T5823] CPU: 1 UID: 0 PID: 5823 Comm: syz-executor301 Not tainted 6.15.0-rc5-syzkaller-00022-g01f95500a162 #0 PREEMPT(full)
[ 86.647786][ T5823] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/29/2025
[ 86.647799][ T5823] Call Trace:
[ 86.647807][ T5823]
[ 86.647816][ T5823] dump_stack_lvl+0x189/0x250
[ 86.647850][ T5823] ? __kasan_check_byte+0x12/0x40
[ 86.647915][ T5823] ? __pfx_dump_stack_lvl+0x10/0x10
[ 86.647944][ T5823] ? srso_alias_return_thunk+0x5/0xfbef5
[ 86.647969][ T5823] ? lock_release+0x4b/0x3e0
[ 86.647996][ T5823] ? lock_release+0x4b/0x3e0
[ 86.648032][ T5823] ? srso_alias_return_thunk+0x5/0xfbef5
[ 86.648055][ T5823] ? __virt_addr_valid+0x469/0x540
[ 86.648084][ T5823] print_report+0xb4/0x290
[ 86.648110][ T5823] ? binder_add_device+0x5f/0xa0
[ 86.648137][ T5823] kasan_report+0x118/0x150
[ 86.648161][ T5823] ? srso_alias_return_thunk+0x5/0xfbef5
[ 86.648187][ T5823] ? binder_add_device+0x5f/0xa0
[ 86.648217][ T5823] binder_add_device+0x5f/0xa0
[ 86.648244][ T5823] binderfs_binder_device_create+0x8b7/0xaf0
[ 86.648276][ T5823] binderfs_fill_super+0xa0e/0xe90
[ 86.648307][ T5823] ? __pfx_binderfs_fill_super+0x10/0x10
[ 86.648345][ T5823] ? shrinker_register+0x16b/0x230
[ 86.648367][ T5823] ? srso_alias_return_thunk+0x5/0xfbef5
[ 86.648390][ T5823] ? sget_fc+0x962/0xa40
[ 86.648410][ T5823] ? __pfx_set_anon_super_fc+0x10/0x10
[ 86.648431][ T5823] ? __pfx_binderfs_fill_super+0x10/0x10
[ 86.648456][ T5823] get_tree_nodev+0xbb/0x150
[ 86.648479][ T5823] vfs_get_tree+0x92/0x2b0
[ 86.648503][ T5823] do_new_mount+0x24a/0xa40
[ 86.648533][ T5823] __se_sys_mount+0x317/0x410
[ 86.648563][ T5823] ? __pfx___se_sys_mount+0x10/0x10
[ 86.648592][ T5823] ? srso_alias_return_thunk+0x5/0xfbef5
[ 86.648615][ T5823] ? __x64_sys_mount+0x20/0xc0
[ 86.648642][ T5823] do_syscall_64+0xf6/0x210
[ 86.648669][ T5823] ? srso_alias_return_thunk+0x5/0xfbef5
[ 86.648692][ T5823] ? exc_page_fault+0x91/0x110
[ 86.648716][ T5823] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.648736][ T5823] RIP: 0033:0x7fee80b7e68a
[ 86.648753][ T5823] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 6e 07 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 86.648770][ T5823] RSP: 002b:00007ffc2210f728 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 86.648791][ T5823] RAX: ffffffffffffffda RBX: 00007fee80bbf038 RCX: 00007fee80b7e68a
[ 86.648807][ T5823] RDX: 00007fee80bbf1c8 RSI: 00007fee80bbf038 RDI: 00007fee80bbf1c8
[ 86.648825][ T5823] RBP: 00007fee80bbf198 R08: 0000000000000000 R09: 0000000000000140
[ 86.648838][ T5823] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fee80bc4c9c
[ 86.648851][ T5823] R13: 00007fee80bbf100 R14: 0000000000000001 R15: 0000000000000001
[ 86.648873][ T5823]
[ 86.648890][ T5823]
[ 86.923182][ T5823] Allocated by task 5821:
[ 86.927511][ T5823] kasan_save_track+0x3e/0x80
[ 86.932195][ T5823] __kasan_kmalloc+0x93/0xb0
[ 86.936791][ T5823] __kmalloc_cache_noprof+0x230/0x3d0
[ 86.942172][ T5823] binderfs_binder_device_create+0x17f/0xaf0
[ 86.948167][ T5823] binderfs_fill_super+0xa0e/0xe90
[ 86.953288][ T5823] get_tree_nodev+0xbb/0x150
[ 86.957883][ T5823] vfs_get_tree+0x92/0x2b0
[ 86.962323][ T5823] do_new_mount+0x24a/0xa40
[ 86.966841][ T5823] __se_sys_mount+0x317/0x410
[ 86.971627][ T5823] do_syscall_64+0xf6/0x210
[ 86.976236][ T5823] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.982128][ T5823]
[ 86.984443][ T5823] Freed by task 5829:
[ 86.988445][ T5823] kasan_save_track+0x3e/0x80
[ 86.993225][ T5823] kasan_save_free_info+0x46/0x50
[ 86.998276][ T5823] __kasan_slab_free+0x62/0x70
[ 87.003054][ T5823] kfree+0x193/0x440
[ 87.006960][ T5823] binder_proc_dec_tmpref+0x228/0x4f0
[ 87.012349][ T5823] binder_deferred_func+0x13a5/0x1520
[ 87.017724][ T5823] process_scheduled_works+0xade/0x17a0
[ 87.023281][ T5823] worker_thread+0x8a0/0xda0
[ 87.027965][ T5823] kthread+0x711/0x8a0
[ 87.032065][ T5823] ret_from_fork+0x4e/0x80
[ 87.036499][ T5823] ret_from_fork_asm+0x1a/0x30
[ 87.041259][ T5823]
[ 87.043574][ T5823] The buggy address belongs to the object at ffff888031a12400
[ 87.043574][ T5823] which belongs to the cache kmalloc-512 of size 512
[ 87.057725][ T5823] The buggy address is located 8 bytes inside of
[ 87.057725][ T5823] freed 512-byte region [ffff888031a12400, ffff888031a12600)
[ 87.071437][ T5823]
[ 87.073752][ T5823] The buggy address belongs to the physical page:
[ 87.080152][ T5823] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x31a10
[ 87.089005][ T5823] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 87.097530][ T5823] anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 87.105623][ T5823] page_type: f5(slab)
[ 87.109602][ T5823] raw: 00fff00000000040 ffff88801a041c80 0000000000000000 dead000000000001
[ 87.118187][ T5823] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 87.126857][ T5823] head: 00fff00000000040 ffff88801a041c80 0000000000000000 dead000000000001
[ 87.135529][ T5823] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 87.144245][ T5823] head: 00fff00000000002 ffffea0000c68401 00000000ffffffff 00000000ffffffff
[ 87.152953][ T5823] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 87.161626][ T5823] page dumped because: kasan: bad access detected
[ 87.168037][ T5823] page_owner tracks the page as allocated
[ 87.173747][ T5823] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 24974876976, free_ts 0
[ 87.193728][ T5823] post_alloc_hook+0x1d8/0x230
[ 87.198507][ T5823] get_page_from_freelist+0x21ce/0x22b0
[ 87.204066][ T5823] __alloc_frozen_pages_noprof+0x181/0x370
[ 87.209882][ T5823] alloc_pages_mpol+0x232/0x4a0
[ 87.214747][ T5823] allocate_slab+0x8a/0x3b0
[ 87.219243][ T5823] ___slab_alloc+0xbfc/0x1480
[ 87.223993][ T5823] __kmalloc_node_track_caller_noprof+0x2f8/0x4e0
[ 87.230416][ T5823] krealloc_noprof+0x122/0x330
[ 87.235218][ T5823] add_sysfs_param+0xc9/0xa20
[ 87.239936][ T5823] kernel_add_sysfs_param+0xb4/0x130
[ 87.245257][ T5823] param_sysfs_builtin+0x1de/0x290
[ 87.250483][ T5823] param_sysfs_builtin_init+0x32/0x40
[ 87.255857][ T5823] do_one_initcall+0x236/0x820
[ 87.260625][ T5823] do_initcall_level+0x137/0x1f0
[ 87.265560][ T5823] do_initcalls+0x69/0xd0
[ 87.269913][ T5823] kernel_init_freeable+0x3d9/0x570
[ 87.275118][ T5823] page_owner free stack trace missing
[ 87.280473][ T5823]
[ 87.282783][ T5823] Memory state around the buggy address:
[ 87.288408][ T5823] ffff888031a12300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 87.296556][ T5823] ffff888031a12380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 87.304614][ T5823] >ffff888031a12400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 87.312753][ T5823]                    ^
executing program
executing program
[ 87.317076][ T5823] ffff888031a12480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 87.325230][ T5823] ffff888031a12500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 87.333297][ T5823] ==================================================================
[ 87.363576][ T5823] Kernel panic - not syncing: KASAN: panic_on_warn set ...
executing program
executing program
executing program
[ 87.370828][ T5823] CPU: 1 UID: 0 PID: 5823 Comm: syz-executor301 Not tainted 6.15.0-rc5-syzkaller-00022-g01f95500a162 #0 PREEMPT(full)
[ 87.383274][ T5823] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/29/2025
[ 87.393401][ T5823] Call Trace:
[ 87.396693][ T5823]
[ 87.399640][ T5823] dump_stack_lvl+0x99/0x250
[ 87.404273][ T5823] ? __asan_memcpy+0x40/0x70
[ 87.408978][ T5823] ? __pfx_dump_stack_lvl+0x10/0x10
[ 87.414498][ T5823] ? __pfx__printk+0x10/0x10
executing program
[ 87.419148][ T5823] ? srso_alias_return_thunk+0x5/0xfbef5
[ 87.424803][ T5823] panic+0x2db/0x790
[ 87.428730][ T5823] ? __pfx_preempt_schedule+0x10/0x10
[ 87.434131][ T5823] ? __pfx_panic+0x10/0x10
[ 87.438581][ T5823] ? srso_alias_return_thunk+0x5/0xfbef5
[ 87.444243][ T5823] ? srso_alias_return_thunk+0x5/0xfbef5
[ 87.449890][ T5823] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 87.455793][ T5823] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 87.462169][ T5823] ? binder_add_device+0x5f/0xa0
[ 87.467225][ T5823] check_panic_on_warn+0x89/0xb0
[ 87.472182][ T5823] ? binder_add_device+0x5f/0xa0
[ 87.477138][ T5823] end_report+0x78/0x160
[ 87.481383][ T5823] kasan_report+0x129/0x150
[ 87.485902][ T5823] ? srso_alias_return_thunk+0x5/0xfbef5
[ 87.491546][ T5823] ? binder_add_device+0x5f/0xa0
[ 87.496502][ T5823] binder_add_device+0x5f/0xa0
[ 87.501287][ T5823] binderfs_binder_device_create+0x8b7/0xaf0
[ 87.507286][ T5823] binderfs_fill_super+0xa0e/0xe90
[ 87.512407][ T5823] ? __pfx_binderfs_fill_super+0x10/0x10
[ 87.518058][ T5823] ? shrinker_register+0x16b/0x230
[ 87.523178][ T5823] ? srso_alias_return_thunk+0x5/0xfbef5
[ 87.529084][ T5823] ? sget_fc+0x962/0xa40
[ 87.533328][ T5823] ? __pfx_set_anon_super_fc+0x10/0x10
[ 87.538784][ T5823] ? __pfx_binderfs_fill_super+0x10/0x10
[ 87.544421][ T5823] get_tree_nodev+0xbb/0x150
[ 87.549014][ T5823] vfs_get_tree+0x92/0x2b0
[ 87.553432][ T5823] do_new_mount+0x24a/0xa40
[ 87.558016][ T5823] __se_sys_mount+0x317/0x410
[ 87.562706][ T5823] ? __pfx___se_sys_mount+0x10/0x10
[ 87.568056][ T5823] ? srso_alias_return_thunk+0x5/0xfbef5
[ 87.573688][ T5823] ? __x64_sys_mount+0x20/0xc0
[ 87.578485][ T5823] do_syscall_64+0xf6/0x210
[ 87.582997][ T5823] ? srso_alias_return_thunk+0x5/0xfbef5
[ 87.588636][ T5823] ? exc_page_fault+0x91/0x110
[ 87.593404][ T5823] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 87.599298][ T5823] RIP: 0033:0x7fee80b7e68a
[ 87.603707][ T5823] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 6e 07 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 87.623495][ T5823] RSP: 002b:00007ffc2210f728 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 87.631941][ T5823] RAX: ffffffffffffffda RBX: 00007fee80bbf038 RCX: 00007fee80b7e68a
[ 87.639926][ T5823] RDX: 00007fee80bbf1c8 RSI: 00007fee80bbf038 RDI: 00007fee80bbf1c8
[ 87.647928][ T5823] RBP: 00007fee80bbf198 R08: 0000000000000000 R09: 0000000000000140
[ 87.655903][ T5823] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fee80bc4c9c
[ 87.663877][ T5823] R13: 00007fee80bbf100 R14: 0000000000000001 R15: 0000000000000001
[ 87.671888][ T5823]
[ 87.675275][ T5823] Kernel Offset: disabled
[ 87.679599][ T5823] Rebooting in 86400 seconds..