last executing test programs: 1.611350878s ago: executing program 0 (id=1): ioctl(0xffffffffffffffff, 0x0, &(0x7f0000000000)) 1.311737315s ago: executing program 1 (id=2): munmap(0x0, 0x0) 0s ago: executing program 0 (id=3): close(0xffffffffffffffff) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:1254' (ED25519) to the list of known hosts. [ 494.743408][ T24] audit: type=1400 audit(494.140:59): avc: denied { name_bind } for pid=3276 comm="sshd" src=30001 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=1 [ 496.051469][ T24] audit: type=1400 audit(495.450:60): avc: denied { execute } for pid=3278 comm="sh" name="syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 496.065040][ T24] audit: type=1400 audit(495.450:61): avc: denied { execute_no_trans } for pid=3278 comm="sh" path="/syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 518.295483][ T24] audit: type=1400 audit(517.700:62): avc: denied { mounton } for pid=3278 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1737 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 518.334736][ T24] audit: type=1400 audit(517.730:63): avc: denied { mount } for pid=3278 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 518.405610][ T3278] cgroup: Unknown subsys name 'net' [ 518.448721][ T24] audit: type=1400 audit(517.850:64): avc: denied { unmount } for pid=3278 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 518.805481][ T3278] cgroup: Unknown subsys name 'cpuset' [ 518.895104][ T3278] cgroup: Unknown subsys name 'rlimit' [ 519.773722][ T24] audit: type=1400 audit(519.170:65): avc: denied { setattr } for pid=3278 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 519.804918][ T24] audit: type=1400 audit(519.210:66): avc: denied { create } for pid=3278 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 519.823629][ T24] audit: type=1400 audit(519.220:67): avc: denied { write } for pid=3278 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 519.843236][ T24] audit: type=1400 audit(519.240:68): avc: denied { module_request } for pid=3278 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 520.267016][ T24] audit: type=1400 audit(519.660:69): avc: denied { read } for pid=3278 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 520.312730][ T24] audit: type=1400 audit(519.710:70): avc: denied { mounton } for pid=3278 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 520.333287][ T24] audit: type=1400 audit(519.720:71): avc: denied { mount } for pid=3278 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 521.308592][ T3281] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 521.538310][ T3278] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 558.701741][ T24] kauditd_printk_skb: 4 callbacks suppressed [ 558.702074][ T24] audit: type=1400 audit(558.060:76): avc: denied { execmem } for pid=3282 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 559.222053][ T24] audit: type=1400 audit(558.580:77): avc: denied { read } for pid=3284 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 559.224511][ T24] audit: type=1400 audit(558.620:78): avc: denied { open } for pid=3284 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 559.371431][ T24] audit: type=1400 audit(558.760:79): avc: denied { mounton } for pid=3284 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 562.640725][ T24] audit: type=1400 audit(562.030:80): avc: denied { mount } for pid=3284 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 562.780725][ T24] audit: type=1400 audit(562.170:81): avc: denied { mounton } for pid=3284 comm="syz-executor" path="/syzkaller.G5qoGM/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 562.963436][ T24] audit: type=1400 audit(562.310:82): avc: denied { mount } for pid=3284 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 563.190749][ T24] audit: type=1400 audit(562.580:83): avc: denied { mounton } for pid=3284 comm="syz-executor" path="/syzkaller.G5qoGM/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 563.301065][ T24] audit: type=1400 audit(562.660:84): avc: denied { mounton } for pid=3284 comm="syz-executor" path="/syzkaller.G5qoGM/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=2852 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 563.458418][ T24] audit: type=1400 audit(562.860:85): avc: denied { unmount } for pid=3285 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 563.822022][ T24] kauditd_printk_skb: 2 callbacks suppressed [ 563.822276][ T24] audit: type=1400 audit(563.220:89): avc: denied { mount } for pid=3284 comm="syz-executor" name="/" dev="binder" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=filesystem permissive=1 [ 563.858425][ T24] audit: type=1400 audit(563.260:90): avc: denied { mount } for pid=3284 comm="syz-executor" name="/" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=filesystem permissive=1 [ 563.881480][ T24] audit: type=1400 audit(563.200:88): avc: denied { mounton } for pid=3285 comm="syz-executor" path="/sys/fs/fuse/connections" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=dir permissive=1 [ 564.014760][ T24] audit: type=1400 audit(563.410:91): avc: denied { read write } for pid=3284 comm="syz-executor" name="loop0" dev="devtmpfs" ino=637 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 564.063581][ T24] audit: type=1400 audit(563.460:92): avc: denied { open } for pid=3285 comm="syz-executor" path="/dev/loop1" dev="devtmpfs" ino=638 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 564.180564][ T24] audit: type=1400 audit(563.490:93): avc: denied { ioctl } for pid=3284 comm="syz-executor" path="/dev/loop0" dev="devtmpfs" ino=637 ioctlcmd=0x4c01 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fixed_disk_device_t tclass=blk_file permissive=1 [ 572.322243][ T24] audit: type=1400 audit(571.720:94): avc: denied { sys_module } for pid=3293 comm="syz-executor" capability=16 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability permissive=1 [ 572.402006][ T3290] ================================================================== [ 572.403452][ T3290] BUG: KASAN: invalid-access in binder_add_device+0xf4/0xf8 [ 572.407678][ T3290] Write of size 8 at addr d9f000001772ec08 by task syz-executor/3290 [ 572.408754][ T3290] Pointer tag: [d9], memory tag: [85] [ 572.409752][ T3290] [ 572.411137][ T3290] CPU: 0 UID: 0 PID: 3290 Comm: syz-executor Not tainted 6.14.0-rc2-syzkaller-g29281a76709c #0 [ 572.411612][ T3290] Hardware name: linux,dummy-virt (DT) [ 572.412056][ T3290] Call trace: [ 572.412376][ T3290] show_stack+0x2c/0x3c (C) [ 572.412916][ T3290] __dump_stack+0x30/0x40 [ 572.413273][ T3290] dump_stack_lvl+0xd8/0x12c [ 572.413545][ T3290] print_address_description+0xac/0x290 [ 572.413808][ T3290] print_report+0x84/0xa0 [ 572.414056][ T3290] kasan_report+0xb0/0x110 [ 572.414314][ T3290] kasan_tag_mismatch+0x28/0x3c [ 572.414489][ T3290] __hwasan_tag_mismatch+0x30/0x60 [ 572.414687][ T3290] binder_add_device+0xf4/0xf8 [ 572.414873][ T3290] binderfs_binder_device_create+0xbfc/0xc28 [ 572.415093][ T3290] binderfs_fill_super+0xb30/0xe20 [ 572.415277][ T3290] get_tree_nodev+0xdc/0x1cc [ 572.415519][ T3290] binderfs_fs_context_get_tree+0x28/0x38 [ 572.415705][ T3290] vfs_get_tree+0xc4/0x3cc [ 572.415961][ T3290] do_new_mount+0x2a0/0x988 [ 572.416212][ T3290] path_mount+0x650/0x101c [ 572.416443][ T3290] __arm64_sys_mount+0x36c/0x468 [ 572.416689][ T3290] invoke_syscall+0x90/0x2b4 [ 572.416929][ T3290] el0_svc_common+0x180/0x2f4 [ 572.417186][ T3290] do_el0_svc+0x58/0x74 [ 572.417419][ T3290] el0_svc+0x58/0x134 [ 572.417592][ T3290] el0t_64_sync_handler+0x78/0x108 [ 572.417788][ T3290] el0t_64_sync+0x198/0x19c [ 572.418268][ T3290] [ 572.431876][ T3290] The buggy address belongs to the physical page: [ 572.432925][ T3290] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x4df000001772e000 pfn:0x5772e [ 572.434367][ T3290] flags: 0x1ffde8000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x7a) [ 572.435756][ T3290] page_type: f2(table) [ 572.437019][ T3290] raw: 01ffde8000000000 0000000000000000 dead000000000122 0000000000000000 [ 572.438104][ T3290] raw: 4df000001772e000 0000000000000000 00000001f2000000 0000000000000000 [ 572.439137][ T3290] page dumped because: kasan: bad access detected [ 572.439967][ T3290] [ 572.440533][ T3290] Memory state around the buggy address: [ 572.441532][ T3290] fff000001772ea00: 85 85 85 85 85 85 85 85 85 85 85 85 85 85 85 85 [ 572.442527][ T3290] fff000001772eb00: 85 85 85 85 85 85 85 85 85 85 85 85 85 85 85 85 [ 572.443522][ T3290] >fff000001772ec00: 85 85 85 85 85 85 85 85 85 85 85 85 85 85 85 85 [ 572.444406][ T3290] ^ [ 572.445224][ T3290] fff000001772ed00: 85 85 85 85 85 85 85 85 85 85 85 85 85 85 85 85 [ 572.446211][ T3290] fff000001772ee00: 85 85 85 85 85 85 85 85 85 85 85 85 85 85 85 85 [ 572.447194][ T3290] ================================================================== SYZFAIL: failed to recv rpc [ 572.618925][ T3290] Disabling lock debugging due to kernel taint fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 572.802629][ T24] audit: type=1401 audit(572.200:95): op=setxattr invalid_context="u:object_r:app_data_file:s0:c512,c768" VM DIAGNOSIS: 08:40:58 Registers: info registers vcpu 0 CPU#0 PC=ffff8000864d1fb4 X00=0000000000000001 X01=0000000000000001 X02=0000000000000001 X03=ffff800080448c48 X04=0000000000000001 X05=0000000000000000 X06=ffff8000864c45ac X07=ffff800080d9cffc X08=00000000000000c0 X09=ffffffffffffffff X10=0000000000000000 X11=0000000000000008 X12=0fff00000142e3a8 X13=00000000ffffffff X14=0000000000000000 X15=0000000000000008 X16=0000000000000085 X17=00000000000000d9 X18=0000000000000008 X19=efff800000000000 X20=00000000000000c0 X21=ffff800087713070 X22=00000000000000c0 X23=ffff80008f0975f8 X24=00000000ffffffff X25=0000000000000000 X26=00000000ffffffff X27=000000000000003a X28=00000000000000e0 X29=ffff80008f0974b0 X30=ffff8000864d1fa0 SP=ffff80008f0974b0 PSTATE=614020c9 -ZC- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000 P01=0000 P02=0000 P03=0000 P04=0000 P05=0000 P06=0000 P07=0000 P08=0000 P09=0000 P10=0000 P11=0000 P12=0000 P13=0000 P14=0000 P15=0000 FFR=0000 Z00=0000000000000000:0000000000002af7 Z01=0000000000000000:0000000000002af7 Z02=0000000000000000:0000000000000000 Z03=ff00000000000000:ffffff0000000000 Z04=0000000000000000:f0000000fff00000 Z05=0000000000000000:0000000000000000 Z06=0000000000000000:0000000000000000 Z07=0000000000000000:0000000000000000 Z08=0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000 Z16=0000ffffe50759d0:0000ffffe50759d0 Z17=ffffff80ffffffd0:0000ffffe50759a0 Z18=0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000