last executing test programs: 1.491760506s ago: executing program 0 (id=274): fanotify_mark(0xffffffffffffffff, 0x0, 0x0, 0xffffffffffffffff, &(0x7f0000000000)) 1.318534456s ago: executing program 0 (id=277): userfaultfd(0x0) 1.147037676s ago: executing program 0 (id=278): setfsgid(0x0) 1.000981534s ago: executing program 0 (id=281): chmod(&(0x7f0000000000), 0x0) 898.811839ms ago: executing program 1 (id=282): inotify_rm_watch(0xffffffffffffffff, 0x0) 776.724346ms ago: executing program 1 (id=283): capget(&(0x7f0000000000), &(0x7f0000000000)) 776.435586ms ago: executing program 0 (id=284): clock_settime(0x0, &(0x7f0000000000)) 608.912595ms ago: executing program 1 (id=285): listxattr(&(0x7f0000000000), &(0x7f0000000000), 0x0) 608.657346ms ago: executing program 0 (id=286): socket$can_bcm(0x1d, 0x2, 0x2) 436.807905ms ago: executing program 1 (id=287): setresgid(0x0, 0x0, 0x0) 207.341398ms ago: executing program 1 (id=289): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/video37', 0x2, 0x0) 0s ago: executing program 1 (id=290): socket$pptp(0x18, 0x1, 0x2) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:48084' (ED25519) to the list of known hosts. [ 129.091189][ T30] audit: type=1400 audit(128.780:58): avc: denied { name_bind } for pid=3295 comm="sshd" src=30005 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=1 [ 129.522262][ T30] audit: type=1400 audit(129.210:59): avc: denied { execute } for pid=3297 comm="sh" name="syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 129.530172][ T30] audit: type=1400 audit(129.220:60): avc: denied { execute_no_trans } for pid=3297 comm="sh" path="/syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 133.306482][ T30] audit: type=1400 audit(132.990:61): avc: denied { mounton } for pid=3297 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1736 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 133.322228][ T30] audit: type=1400 audit(133.010:62): avc: denied { mount } for pid=3297 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 133.396487][ T3297] cgroup: Unknown subsys name 'net' [ 133.435729][ T30] audit: type=1400 audit(133.120:63): avc: denied { unmount } for pid=3297 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 133.859990][ T3297] cgroup: Unknown subsys name 'cpuset' [ 133.928041][ T3297] cgroup: Unknown subsys name 'rlimit' [ 134.358226][ T30] audit: type=1400 audit(134.050:64): avc: denied { setattr } for pid=3297 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 134.365143][ T30] audit: type=1400 audit(134.050:65): avc: denied { create } for pid=3297 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 134.370961][ T30] audit: type=1400 audit(134.060:66): avc: denied { write } for pid=3297 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 134.376512][ T30] audit: type=1400 audit(134.060:67): avc: denied { module_request } for pid=3297 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 134.551911][ T30] audit: type=1400 audit(134.240:68): avc: denied { read } for pid=3297 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 134.595315][ T30] audit: type=1400 audit(134.280:69): avc: denied { mounton } for pid=3297 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 134.599187][ T30] audit: type=1400 audit(134.290:70): avc: denied { mount } for pid=3297 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 134.938387][ T3300] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 134.943648][ T30] audit: type=1400 audit(134.630:71): avc: denied { relabelto } for pid=3300 comm="mkswap" name="swap-file" dev="vda" ino=1739 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 134.950100][ T30] audit: type=1400 audit(134.640:72): avc: denied { write } for pid=3300 comm="mkswap" path="/swap-file" dev="vda" ino=1739 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" Setting up swapspace version 1, size = 127995904 bytes [ 135.014990][ T30] audit: type=1400 audit(134.700:73): avc: denied { read } for pid=3297 comm="syz-executor" name="swap-file" dev="vda" ino=1739 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 135.030390][ T3297] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 140.703233][ T30] kauditd_printk_skb: 1 callbacks suppressed [ 140.716500][ T30] audit: type=1400 audit(140.390:75): avc: denied { execmem } for pid=3301 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 140.813900][ T30] audit: type=1400 audit(140.500:76): avc: denied { read } for pid=3303 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 140.820371][ T30] audit: type=1400 audit(140.510:77): avc: denied { open } for pid=3303 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 140.850575][ T30] audit: type=1400 audit(140.540:78): avc: denied { mounton } for pid=3303 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 141.673894][ T30] audit: type=1400 audit(141.360:79): avc: denied { mount } for pid=3304 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 141.688964][ T30] audit: type=1400 audit(141.380:80): avc: denied { mounton } for pid=3304 comm="syz-executor" path="/syzkaller.rMIo3z/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 141.708939][ T30] audit: type=1400 audit(141.400:81): avc: denied { mount } for pid=3304 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 141.731118][ T30] audit: type=1400 audit(141.420:82): avc: denied { mounton } for pid=3304 comm="syz-executor" path="/syzkaller.rMIo3z/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 141.745174][ T30] audit: type=1400 audit(141.430:83): avc: denied { mounton } for pid=3303 comm="syz-executor" path="/syzkaller.my0taw/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=2351 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 141.748102][ T30] audit: type=1400 audit(141.430:84): avc: denied { mounton } for pid=3304 comm="syz-executor" path="/syzkaller.rMIo3z/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=3366 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 146.283135][ T30] kauditd_printk_skb: 15 callbacks suppressed [ 146.289560][ T30] audit: type=1400 audit(145.970:100): avc: denied { create } for pid=3358 comm="syz.0.52" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rxrpc_socket permissive=1 [ 148.155902][ T30] audit: type=1400 audit(147.850:101): avc: denied { create } for pid=3370 comm="syz.0.63" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_xfrm_socket permissive=1 [ 148.964965][ T30] audit: type=1400 audit(148.650:102): avc: denied { create } for pid=3377 comm="syz.0.70" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=vsock_socket permissive=1 [ 149.396830][ T30] audit: type=1400 audit(149.090:103): avc: denied { create } for pid=3381 comm="syz.0.74" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=can_socket permissive=1 [ 149.512457][ T30] audit: type=1400 audit(149.200:104): avc: denied { create } for pid=3382 comm="syz.0.75" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=icmp_socket permissive=1 [ 150.017429][ T30] audit: type=1400 audit(149.700:105): avc: denied { create } for pid=3387 comm="syz.0.80" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=smc_socket permissive=1 [ 150.960869][ T30] audit: type=1400 audit(150.650:106): avc: denied { kexec_image_load } for pid=3397 comm="syz.0.90" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=system permissive=1 [ 151.218751][ T30] audit: type=1400 audit(150.910:107): avc: denied { create } for pid=3400 comm="syz.0.93" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_crypto_socket permissive=1 [ 152.873837][ T30] audit: type=1400 audit(152.560:108): avc: denied { create } for pid=3417 comm="syz.0.110" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=phonet_socket permissive=1 [ 153.130520][ T30] audit: type=1400 audit(152.820:109): avc: denied { create } for pid=3419 comm="syz.0.111" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 153.305001][ T30] audit: type=1400 audit(152.990:110): avc: denied { create } for pid=3421 comm="syz.1.112" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=tipc_socket permissive=1 [ 154.063654][ T30] audit: type=1400 audit(153.750:111): avc: denied { sys_module } for pid=3429 comm="syz.1.119" capability=16 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability permissive=1 [ 154.285957][ T30] audit: type=1400 audit(153.970:112): avc: denied { write } for pid=3431 comm="syz.1.121" name="random" dev="devtmpfs" ino=8 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:random_device_t tclass=chr_file permissive=1 [ 154.778362][ T30] audit: type=1400 audit(154.470:113): avc: denied { create } for pid=3439 comm="syz.1.128" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_netfilter_socket permissive=1 [ 155.072199][ T30] audit: type=1400 audit(154.760:114): avc: denied { create } for pid=3441 comm="syz.0.130" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=ax25_socket permissive=1 [ 156.000329][ T30] audit: type=1400 audit(155.690:115): avc: denied { create } for pid=3453 comm="syz.1.141" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=ieee802154_socket permissive=1 [ 156.375020][ T30] audit: type=1400 audit(156.060:116): avc: denied { create } for pid=3457 comm="syz.1.143" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=nfc_socket permissive=1 [ 156.718732][ T30] audit: type=1400 audit(156.410:117): avc: denied { read } for pid=3460 comm="syz.1.147" name="autofs" dev="devtmpfs" ino=91 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:autofs_device_t tclass=chr_file permissive=1 [ 158.563529][ T30] kauditd_printk_skb: 3 callbacks suppressed [ 158.575737][ T30] audit: type=1400 audit(158.250:121): avc: denied { create } for pid=3484 comm="syz.1.169" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=packet_socket permissive=1 [ 159.195290][ T30] audit: type=1400 audit(158.880:122): avc: denied { create } for pid=3488 comm="syz.1.173" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=sctp_socket permissive=1 [ 159.686689][ T30] audit: type=1400 audit(159.360:123): avc: denied { read } for pid=3494 comm="syz.0.179" name="uhid" dev="devtmpfs" ino=712 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:uhid_device_t tclass=chr_file permissive=1 [ 159.691639][ T30] audit: type=1400 audit(159.380:124): avc: denied { open } for pid=3494 comm="syz.0.179" path="/dev/uhid" dev="devtmpfs" ino=712 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:uhid_device_t tclass=chr_file permissive=1 [ 159.705145][ T30] audit: type=1400 audit(159.390:125): avc: denied { write } for pid=3494 comm="syz.0.179" name="uhid" dev="devtmpfs" ino=712 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:uhid_device_t tclass=chr_file permissive=1 [ 160.365369][ T30] audit: type=1400 audit(160.040:126): avc: denied { create } for pid=3503 comm="syz.0.188" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_tcpdiag_socket permissive=1 [ 160.589067][ T30] audit: type=1400 audit(160.280:127): avc: denied { read } for pid=3505 comm="syz.0.190" name="fb0" dev="devtmpfs" ino=619 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:framebuf_device_t tclass=chr_file permissive=1 [ 160.603573][ T30] audit: type=1400 audit(160.280:128): avc: denied { open } for pid=3505 comm="syz.0.190" path="/dev/fb0" dev="devtmpfs" ino=619 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:framebuf_device_t tclass=chr_file permissive=1 [ 160.611904][ T30] audit: type=1400 audit(160.300:129): avc: denied { write } for pid=3505 comm="syz.0.190" name="fb0" dev="devtmpfs" ino=619 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:framebuf_device_t tclass=chr_file permissive=1 [ 160.912930][ T30] audit: type=1400 audit(160.600:130): avc: denied { read } for pid=3510 comm="syz.1.195" name="vga_arbiter" dev="devtmpfs" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file permissive=1 [ 166.653468][ T30] kauditd_printk_skb: 2 callbacks suppressed [ 166.657760][ T30] audit: type=1400 audit(166.340:133): avc: denied { create } for pid=3563 comm="syz.1.247" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=xdp_socket permissive=1 [ 170.712168][ T3304] ================================================================== [ 170.712989][ T3304] BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x2ac/0x2b4 [ 170.713880][ T3304] Write of size 8 at addr ffff00001794b808 by task syz-executor/3304 [ 170.713978][ T3304] [ 170.714884][ T3304] CPU: 1 UID: 0 PID: 3304 Comm: syz-executor Not tainted 6.15.0-rc4-syzkaller-00147-gebd297a2affa #0 PREEMPT [ 170.714988][ T3304] Hardware name: linux,dummy-virt (DT) [ 170.715301][ T3304] Call trace: [ 170.715485][ T3304] show_stack+0x18/0x24 (C) [ 170.715630][ T3304] dump_stack_lvl+0xa4/0xf4 [ 170.715698][ T3304] print_report+0xf4/0x60c [ 170.715752][ T3304] kasan_report+0xc8/0x108 [ 170.715796][ T3304] __asan_report_store8_noabort+0x20/0x2c [ 170.715837][ T3304] binderfs_evict_inode+0x2ac/0x2b4 [ 170.715882][ T3304] evict+0x2c0/0x67c [ 170.715925][ T3304] iput+0x3b0/0x6b4 [ 170.715963][ T3304] dentry_unlink_inode+0x208/0x46c [ 170.716005][ T3304] __dentry_kill+0x150/0x52c [ 170.716047][ T3304] shrink_dentry_list+0x114/0x3a4 [ 170.716106][ T3304] shrink_dcache_parent+0x158/0x354 [ 170.716150][ T3304] shrink_dcache_for_umount+0x88/0x304 [ 170.716193][ T3304] generic_shutdown_super+0x60/0x2e8 [ 170.716239][ T3304] kill_litter_super+0x68/0xa4 [ 170.716282][ T3304] binderfs_kill_super+0x38/0x88 [ 170.716331][ T3304] deactivate_locked_super+0x98/0x17c [ 170.716376][ T3304] deactivate_super+0xb0/0xd4 [ 170.716419][ T3304] cleanup_mnt+0x198/0x424 [ 170.716462][ T3304] __cleanup_mnt+0x14/0x20 [ 170.716504][ T3304] task_work_run+0x128/0x210 [ 170.716547][ T3304] do_exit+0x7ac/0x1f68 [ 170.716589][ T3304] do_group_exit+0xa4/0x208 [ 170.716631][ T3304] get_signal+0x1b00/0x1ba8 [ 170.716674][ T3304] do_signal+0x160/0x620 [ 170.716713][ T3304] do_notify_resume+0x18c/0x258 [ 170.716756][ T3304] el0_svc_compat+0xfc/0x17c [ 170.716795][ T3304] el0t_32_sync_handler+0x98/0x13c [ 170.716834][ T3304] el0t_32_sync+0x19c/0x1a0 [ 170.717014][ T3304] [ 170.717110][ T3304] Allocated by task 3303: [ 170.717372][ T3304] kasan_save_stack+0x3c/0x64 [ 170.717796][ T3304] kasan_save_track+0x20/0x3c [ 170.717887][ T3304] kasan_save_alloc_info+0x40/0x54 [ 170.717967][ T3304] __kasan_kmalloc+0xb8/0xbc [ 170.718051][ T3304] __kmalloc_cache_noprof+0x1b0/0x3cc [ 170.718136][ T3304] binderfs_binder_device_create.isra.0+0x140/0x9a0 [ 170.718219][ T3304] binderfs_fill_super+0x69c/0xed4 [ 170.718305][ T3304] get_tree_nodev+0xac/0x148 [ 170.718382][ T3304] binderfs_fs_context_get_tree+0x18/0x24 [ 170.718462][ T3304] vfs_get_tree+0x74/0x280 [ 170.718548][ T3304] path_mount+0xe54/0x1808 [ 170.718630][ T3304] __arm64_sys_mount+0x304/0x3dc [ 170.718711][ T3304] invoke_syscall+0x6c/0x258 [ 170.718790][ T3304] el0_svc_common.constprop.0+0xac/0x230 [ 170.718867][ T3304] do_el0_svc_compat+0x40/0x68 [ 170.718945][ T3304] el0_svc_compat+0x4c/0x17c [ 170.719026][ T3304] el0t_32_sync_handler+0x98/0x13c [ 170.719111][ T3304] el0t_32_sync+0x19c/0x1a0 [ 170.719218][ T3304] [ 170.719308][ T3304] Freed by task 3303: [ 170.719398][ T3304] kasan_save_stack+0x3c/0x64 [ 170.719491][ T3304] kasan_save_track+0x20/0x3c [ 170.719574][ T3304] kasan_save_free_info+0x4c/0x74 [ 170.719653][ T3304] __kasan_slab_free+0x50/0x6c [ 170.719735][ T3304] kfree+0x1bc/0x444 [ 170.719812][ T3304] binderfs_evict_inode+0x238/0x2b4 [ 170.719895][ T3304] evict+0x2c0/0x67c [ 170.719971][ T3304] iput+0x3b0/0x6b4 [ 170.720052][ T3304] dentry_unlink_inode+0x208/0x46c [ 170.720134][ T3304] __dentry_kill+0x150/0x52c [ 170.720214][ T3304] shrink_dentry_list+0x114/0x3a4 [ 170.720301][ T3304] shrink_dcache_parent+0x158/0x354 [ 170.720384][ T3304] shrink_dcache_for_umount+0x88/0x304 [ 170.720466][ T3304] generic_shutdown_super+0x60/0x2e8 [ 170.720548][ T3304] kill_litter_super+0x68/0xa4 [ 170.720630][ T3304] binderfs_kill_super+0x38/0x88 [ 170.720710][ T3304] deactivate_locked_super+0x98/0x17c [ 170.720792][ T3304] deactivate_super+0xb0/0xd4 [ 170.720873][ T3304] cleanup_mnt+0x198/0x424 [ 170.720953][ T3304] __cleanup_mnt+0x14/0x20 [ 170.721033][ T3304] task_work_run+0x128/0x210 [ 170.721114][ T3304] do_exit+0x7ac/0x1f68 [ 170.721222][ T3304] do_group_exit+0xa4/0x208 [ 170.721348][ T3304] get_signal+0x1b00/0x1ba8 [ 170.721431][ T3304] do_signal+0x1f4/0x620 [ 170.721508][ T3304] do_notify_resume+0x18c/0x258 [ 170.721589][ T3304] el0_svc_compat+0xfc/0x17c [ 170.721666][ T3304] el0t_32_sync_handler+0x98/0x13c [ 170.721743][ T3304] el0t_32_sync+0x19c/0x1a0 [ 170.721836][ T3304] [ 170.721956][ T3304] The buggy address belongs to the object at ffff00001794b800 [ 170.721956][ T3304] which belongs to the cache kmalloc-512 of size 512 [ 170.722144][ T3304] The buggy address is located 8 bytes inside of [ 170.722144][ T3304] freed 512-byte region [ffff00001794b800, ffff00001794ba00) [ 170.722250][ T3304] [ 170.722389][ T3304] The buggy address belongs to the physical page: [ 170.722804][ T3304] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff00001794a800 pfn:0x57948 [ 170.723318][ T3304] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 170.723477][ T3304] flags: 0x1ffc00000000240(workingset|head|node=0|zone=0|lastcpupid=0x7ff) [ 170.723927][ T3304] page_type: f5(slab) [ 170.724391][ T3304] raw: 01ffc00000000240 ffff00000dc01c80 fffffdffc04f3c10 fffffdffc062de10 [ 170.724500][ T3304] raw: ffff00001794a800 0000000000100005 00000000f5000000 0000000000000000 [ 170.724662][ T3304] head: 01ffc00000000240 ffff00000dc01c80 fffffdffc04f3c10 fffffdffc062de10 [ 170.724748][ T3304] head: ffff00001794a800 0000000000100005 00000000f5000000 0000000000000000 [ 170.724831][ T3304] head: 01ffc00000000002 fffffdffc05e5201 00000000ffffffff 00000000ffffffff [ 170.724907][ T3304] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 170.725024][ T3304] page dumped because: kasan: bad access detected [ 170.725117][ T3304] [ 170.725218][ T3304] Memory state around the buggy address: [ 170.725627][ T3304] ffff00001794b700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 170.725749][ T3304] ffff00001794b780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 170.725848][ T3304] >ffff00001794b800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 170.725944][ T3304] ^ [ 170.726086][ T3304] ffff00001794b880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 170.726163][ T3304] ffff00001794b900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 170.726307][ T3304] ================================================================== [ 170.796233][ T3304] Disabling lock debugging due to kernel taint SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) VM DIAGNOSIS: 02:25:47 Registers: info registers vcpu 0 CPU#0 PC=ffff800085461adc X00=ffff800085461ad8 X01=ffff800083d69d80 X02=0000000000000000 X03=ffff800080402390 X04=ffff700011a26359 X05=ffff80008d131ac0 X06=ffff700011a26358 X07=0000000000000001 X08=ffff80008d131ac3 X09=dfff800000000000 X10=ffff700011a26358 X11=1ffff00011a26358 X12=ffff700011a26359 X13=0000000000000000 X14=1fffe0000d417876 X15=18501dac3f8dcec4 X16=b0430000b638ffff X17=b955ac389fc142bd X18=ffff0000170d1dd0 X19=ffff80008d131ac0 X20=0000002794ca2400 X21=ffff800084a99b44 X22=dfff800000000000 X23=00000000000080c2 X24=ffff800084a99b44 X25=ffff8000870bde50 X26=0000000000000038 X27=0000000000000000 X28=0000000000000000 X29=ffff800080006d70 X30=ffff800083d69d98 SP=ffff800080006d70 PSTATE=60000005 -ZC- EL1h FPCR=00000000 FPSR=00000000 Q00=0000000000000000:0671126faf970900 Q01=0000000000000000:0000000000000000 Q02=0000000000000000:0000000000000000 Q03=0000000000000000:0000000018dafd29 Q04=f00ff00ff00ff00f:0000000000000000 Q05=00000000000f0f00:0000000000000000 Q06=000000000000c00c:000000000000c00c Q07=0000aaaac00bf790:000002da00000000 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000000000002000:0000000000000000 Q17=000000000000000b:0000000000000000 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff800081b67fb0 X00=0000000000000002 X01=0000000000000000 X02=0000000000000002 X03=dfff800000000000 X04=0000000000000018 X05=ffff80008d9579e0 X06=ffff700011b2af3c X07=0000000000000001 X08=0000000000000003 X09=dfff800000000000 X10=ffff700011b2af3c X11=1ffff00011b2af3c X12=ffff700011b2af3d X13=0000000000008000 X14=0000000000000000 X15=0000000000000000 X16=0000000000000000 X17=0000000000000000 X18=0000000000000000 X19=ffff00000f5a5080 X20=ffff80008d43b018 X21=ffff800087a92820 X22=0000000000000020 X23=dfff800000000000 X24=ffff00000f5b6002 X25=0000000000000001 X26=0000000000000f01 X27=1fffe00001eb4a5a X28=ffff00000f5a52d0 X29=ffff80008d957990 X30=ffff800081b6823c SP=ffff80008d957990 PSTATE=800000c5 N--- EL1h FPCR=00000000 FPSR=00000000 Q00=0a0a0a0a0a0a0a0a:0a0a0a0a0a0a0a0a Q01=5f72657672657378:3a0000313d657669 Q02=f00ff00ff00ff00f:f00ff00ff00ff00f Q03=0000000000000000:000ff00000000000 Q04=f00ff00ff00ff00f:f00ff00ff00ff00f Q05=000000000ff00000:000000000ff00000 Q06=cccccccccc00c300:cccccccccc00c300 Q07=0000000000000000:0000000000000000 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000000000000000:0000000000000000 Q17=0000000000000000:0000000000000000 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000