debugfs: Directory 'hsr0' with parent 'hsr' already present!
Cannot create hsr debugfs directory
BUG: MAX_LOCKDEP_CHAINS too low!
turning off the locking correctness validator.
CPU: 0 UID: 0 PID: 9186 Comm: syz-executor Not tainted 6.15.0-rc4-syzkaller-ge0f4c8dd9d2d #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 dump_stack+0x1c/0x28 lib/dump_stack.c:129
 add_chain_cache kernel/locking/lockdep.c:-1 [inline]
 lookup_chain_cache_add kernel/locking/lockdep.c:3856 [inline]
 validate_chain kernel/locking/lockdep.c:3877 [inline]
 __lock_acquire+0xf50/0x3058 kernel/locking/lockdep.c:5235
 lock_acquire+0x14c/0x2e0 kernel/locking/lockdep.c:5866
 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
 _raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:351 [inline]
 failover_get_bymac+0x44/0x314 net/core/failover.c:25
 failover_slave_register+0xf4/0x35c net/core/failover.c:58
 failover_event+0x128/0x3a0 net/core/failover.c:196
 notifier_call_chain+0x1b8/0x4e4 kernel/notifier.c:85
 raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:453
 call_netdevice_notifiers_info net/core/dev.c:2176 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:2214 [inline]
 call_netdevice_notifiers+0x10c/0x18c net/core/dev.c:2228
 register_netdevice+0xdf4/0x1258 net/core/dev.c:11047
 nsim_init_netdevsim drivers/net/netdevsim/netdev.c:960 [inline]
 nsim_create+0x99c/0xd20 drivers/net/netdevsim/netdev.c:1028
 __nsim_dev_port_add+0x518/0x86c drivers/net/netdevsim/dev.c:1393
 nsim_dev_port_add_all+0x4c/0x110 drivers/net/netdevsim/dev.c:1449
 nsim_drv_probe+0x774/0x958 drivers/net/netdevsim/dev.c:1607
 nsim_bus_probe+0x20/0x30 drivers/net/netdevsim/bus.c:391
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x394/0x910 drivers/base/dd.c:657
 __driver_probe_device+0x180/0x2d4 drivers/base/dd.c:799
 driver_probe_device+0x78/0x330 drivers/base/dd.c:829
 __device_attach_driver+0x290/0x4e0 drivers/base/dd.c:957
 bus_for_each_drv+0x220/0x2b4 drivers/base/bus.c:462
 __device_attach+0x26c/0x388 drivers/base/dd.c:1029
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1078
 bus_probe_device+0x178/0x240 drivers/base/bus.c:537
 device_add+0x71c/0xa60 drivers/base/core.c:3692
 device_register+0x28/0x38 drivers/base/core.c:3774
 nsim_bus_dev_new drivers/net/netdevsim/bus.c:442 [inline]
 new_device_store+0x2c0/0x594 drivers/net/netdevsim/bus.c:173
 bus_attr_store+0x80/0xa4 drivers/base/bus.c:172
 sysfs_kf_write+0x1a8/0x23c fs/sysfs/file.c:145
 kernfs_fop_write_iter+0x314/0x488 fs/kernfs/file.c:334
 new_sync_write fs/read_write.c:591 [inline]
 vfs_write+0x62c/0x97c fs/read_write.c:684
 ksys_write+0x120/0x210 fs/read_write.c:736
 __do_sys_write fs/read_write.c:747 [inline]
 __se_sys_write fs/read_write.c:744 [inline]
 __arm64_sys_write+0x7c/0x90 fs/read_write.c:744
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
netdevsim netdevsim7 netdevsim0: renamed from eth0
netdevsim netdevsim7 netdevsim1: renamed from eth1
netdevsim netdevsim7 netdevsim2: renamed from eth2
netdevsim netdevsim7 netdevsim3: renamed from eth3
8021q: adding VLAN 0 to HW filter on device bond0
8021q: adding VLAN 0 to HW filter on device team0
hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
8021q: adding VLAN 0 to HW filter on device batadv0
veth0_vlan: entered promiscuous mode
veth1_vlan: entered promiscuous mode
veth0_macvtap: entered promiscuous mode
veth1_macvtap: entered promiscuous mode
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: batadv0: Interface activated: batadv_slave_0
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: batadv0: Interface activated: batadv_slave_1
netdevsim netdevsim7 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim7 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim7 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim7 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
ieee80211 phy18: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy19: Selected rate control algorithm 'minstrel_ht'
==================================================================
BUG: KASAN: slab-use-after-free in hlist_add_head include/linux/list.h:1026 [inline]
BUG: KASAN: slab-use-after-free in binder_add_device+0x64/0xac drivers/android/binder.c:6932
Write of size 8 at addr ffff0000d876f008 by task syz-executor/9186

CPU: 0 UID: 0 PID: 9186 Comm: syz-executor Not tainted 6.15.0-rc4-syzkaller-ge0f4c8dd9d2d #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x254 mm/kasan/report.c:408
 print_report+0x68/0x84 mm/kasan/report.c:521
 kasan_report+0xb0/0x110 mm/kasan/report.c:634
 __asan_report_store8_noabort+0x20/0x2c mm/kasan/report_generic.c:386
 hlist_add_head include/linux/list.h:1026 [inline]
 binder_add_device+0x64/0xac drivers/android/binder.c:6932
 binderfs_binder_device_create+0x7d0/0x9d0 drivers/android/binderfs.c:210
 binderfs_fill_super+0x7c8/0xc54 drivers/android/binderfs.c:730
 vfs_get_super fs/super.c:1280 [inline]
 get_tree_nodev+0xb4/0x144 fs/super.c:1299
 binderfs_fs_context_get_tree+0x28/0x38 drivers/android/binderfs.c:750
 vfs_get_tree+0x90/0x28c fs/super.c:1759
 do_new_mount+0x228/0x814 fs/namespace.c:3884
 path_mount+0x5b4/0xde0 fs/namespace.c:4211
 do_mount fs/namespace.c:4224 [inline]
 __do_sys_mount fs/namespace.c:4435 [inline]
 __se_sys_mount fs/namespace.c:4412 [inline]
 __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4412
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Allocated by task 9509:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4341 [inline]
 __kmalloc_noprof+0x2fc/0x4c8 mm/slub.c:4353
 kmalloc_noprof include/linux/slab.h:909 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 copy_splice_read+0x12c/0x848 fs/splice.c:337
 do_splice_read fs/splice.c:979 [inline]
 splice_file_to_pipe+0x374/0x5a8 fs/splice.c:1289
 do_sendfile+0x37c/0x658 fs/read_write.c:1374
 __do_sys_sendfile64 fs/read_write.c:1429 [inline]
 __se_sys_sendfile64 fs/read_write.c:1415 [inline]
 __arm64_sys_sendfile64+0x1b4/0x274 fs/read_write.c:1415
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Freed by task 9509:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x68/0x88 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2398 [inline]
 slab_free mm/slub.c:4656 [inline]
 kfree+0x17c/0x474 mm/slub.c:4855
 copy_splice_read+0x6ec/0x848 fs/splice.c:-1
 do_splice_read fs/splice.c:979 [inline]
 splice_file_to_pipe+0x374/0x5a8 fs/splice.c:1289
 do_sendfile+0x37c/0x658 fs/read_write.c:1374
 __do_sys_sendfile64 fs/read_write.c:1429 [inline]
 __se_sys_sendfile64 fs/read_write.c:1415 [inline]
 __arm64_sys_sendfile64+0x1b4/0x274 fs/read_write.c:1415
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

The buggy address belongs to the object at ffff0000d876f000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 8 bytes inside of
 freed 512-byte region [ffff0000d876f000, ffff0000d876f200)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11876c
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000040 ffff0000c0001c80 fffffdffc31e3e00 dead000000000002
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 05ffc00000000040 ffff0000c0001c80 fffffdffc31e3e00 dead000000000002
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 05ffc00000000002 fffffdffc361db01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000d876ef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000d876ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000d876f000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff0000d876f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000d876f100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================