KASAN: slab-use-after-free Write in binder_add_device
==================================================================
BUG: KASAN: slab-use-after-free in hlist_add_head include/linux/list.h:1026 [inline]
BUG: KASAN: slab-use-after-free in binder_add_device+0x5f/0xa0 drivers/android/binder.c:6932
Write of size 8 at addr ffff888101eb2008 by task syz-executor/326
CPU: 0 UID: 0 PID: 326 Comm: syz-executor Not tainted 6.14.0-rc3-syzkaller-00267-gff202c5028a1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x184/0x200 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0x163/0x570 mm/kasan/report.c:521
kasan_report+0x15f/0x190 mm/kasan/report.c:634
__asan_report_store8_noabort+0x17/0x20 mm/kasan/report_generic.c:386
hlist_add_head include/linux/list.h:1026 [inline]
binder_add_device+0x5f/0xa0 drivers/android/binder.c:6932
binderfs_binder_device_create+0x841/0xaa0 drivers/android/binderfs.c:210
binderfs_fill_super+0x8fb/0xdd0 drivers/android/binderfs.c:729
vfs_get_super fs/super.c:1280 [inline]
get_tree_nodev+0xb9/0x160 fs/super.c:1299
binderfs_fs_context_get_tree+0x1c/0x30 drivers/android/binderfs.c:749
vfs_get_tree+0x8c/0x2c0 fs/super.c:1814
do_new_mount+0x2ba/0xb40 fs/namespace.c:3560
path_mount+0x67c/0x1000 fs/namespace.c:3887
do_mount fs/namespace.c:3900 [inline]
__do_sys_mount fs/namespace.c:4111 [inline]
__se_sys_mount+0x2c1/0x3b0 fs/namespace.c:4088
__x64_sys_mount+0xbf/0xe0 fs/namespace.c:4088
x64_sys_call+0x2c9e/0x2df0 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x50/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f10b0d8e58a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcd93e3bf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f10b0e0e663 RCX: 00007f10b0d8e58a
RDX: 00007f10b0e1dda7 RSI: 00007f10b0e0e663 RDI: 00007f10b0e1dda7
RBP: 00007f10b0e0e8ac R08: 0000000000000000 R09: 00000000000001ff
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f10b0deb1a8
R13: 00007f10b0deb180 R14: 0000000000000009 R15: 0000000000000000
Allocated by task 320:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3b/0x70 mm/kasan/common.c:68
kasan_save_alloc_info+0x38/0x50 mm/kasan/generic.c:562
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x99/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x15f/0x2d0 mm/slub.c:4325
kmalloc_noprof include/linux/slab.h:901 [inline]
kzalloc_noprof include/linux/slab.h:1037 [inline]
binderfs_binder_device_create+0x159/0xaa0 drivers/android/binderfs.c:147
binderfs_fill_super+0x8fb/0xdd0 drivers/android/binderfs.c:729
vfs_get_super fs/super.c:1280 [inline]
get_tree_nodev+0xb9/0x160 fs/super.c:1299
binderfs_fs_context_get_tree+0x1c/0x30 drivers/android/binderfs.c:749
vfs_get_tree+0x8c/0x2c0 fs/super.c:1814
do_new_mount+0x2ba/0xb40 fs/namespace.c:3560
path_mount+0x67c/0x1000 fs/namespace.c:3887
do_mount fs/namespace.c:3900 [inline]
__do_sys_mount fs/namespace.c:4111 [inline]
__se_sys_mount+0x2c1/0x3b0 fs/namespace.c:4088
__x64_sys_mount+0xbf/0xe0 fs/namespace.c:4088
x64_sys_call+0x2c9e/0x2df0 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x50/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x76/0x7e
Freed by task 811502080:
------------[ cut here ]------------
pool index 100480 out of bounds (371) for stack id ffff8881
WARNING: CPU: 0 PID: 326 at lib/stackdepot.c:452 depot_fetch_stack lib/stackdepot.c:451 [inline]
WARNING: CPU: 0 PID: 326 at lib/stackdepot.c:452 stack_depot_fetch+0x83/0xc0 lib/stackdepot.c:714
Modules linked in:
CPU: 0 UID: 0 PID: 326 Comm: syz-executor Not tainted 6.14.0-rc3-syzkaller-00267-gff202c5028a1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
RIP: 0010:depot_fetch_stack lib/stackdepot.c:451 [inline]
RIP: 0010:stack_depot_fetch+0x83/0xc0 lib/stackdepot.c:714
Code: 3f 00 00 83 7c 18 1c 00 74 44 48 01 d8 74 1d 48 8d 48 20 49 89 0f 44 8b 70 14 eb 1e 48 c7 c7 24 77 cb 86 89 d9 e8 6d 7b 75 fe <0f> 0b 48 c7 c7 a4 76 cb 86 e8 5f 7b 75 fe 0f 0b 44 89 f0 5b 41 5c
RSP: 0018:ffffc90001407760 EFLAGS: 00010046
RAX: ccd9066301344f00 RBX: 00000000ffff8881 RCX: ffff8881037a5500
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90001407780 R08: ffffffff816d858e R09: 1ffff1103edc4e62
R10: ffffed103edc4e63 R11: ffffed103edc4e63 R12: ffffc90001407840
R13: ffff888101eb2008 R14: 0000000000000000 R15: ffffc90001407790
FS: 0000555565731500(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f10b0e1dda0 CR3: 000000010a672000 CR4: 00000000003526b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
stack_depot_print+0x26/0x60 lib/stackdepot.c:752
print_track mm/kasan/report.c:281 [inline]
describe_object_stacks mm/kasan/report.c:343 [inline]
describe_object mm/kasan/report.c:353 [inline]
print_address_description mm/kasan/report.c:412 [inline]
print_report+0x20b/0x570 mm/kasan/report.c:521
kasan_report+0x15f/0x190 mm/kasan/report.c:634
__asan_report_store8_noabort+0x17/0x20 mm/kasan/report_generic.c:386
hlist_add_head include/linux/list.h:1026 [inline]
binder_add_device+0x5f/0xa0 drivers/android/binder.c:6932
binderfs_binder_device_create+0x841/0xaa0 drivers/android/binderfs.c:210
binderfs_fill_super+0x8fb/0xdd0 drivers/android/binderfs.c:729
vfs_get_super fs/super.c:1280 [inline]
get_tree_nodev+0xb9/0x160 fs/super.c:1299
binderfs_fs_context_get_tree+0x1c/0x30 drivers/android/binderfs.c:749
vfs_get_tree+0x8c/0x2c0 fs/super.c:1814
do_new_mount+0x2ba/0xb40 fs/namespace.c:3560
path_mount+0x67c/0x1000 fs/namespace.c:3887
do_mount fs/namespace.c:3900 [inline]
__do_sys_mount fs/namespace.c:4111 [inline]
__se_sys_mount+0x2c1/0x3b0 fs/namespace.c:4088
__x64_sys_mount+0xbf/0xe0 fs/namespace.c:4088
x64_sys_call+0x2c9e/0x2df0 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x50/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f10b0d8e58a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcd93e3bf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f10b0e0e663 RCX: 00007f10b0d8e58a
RDX: 00007f10b0e1dda7 RSI: 00007f10b0e0e663 RDI: 00007f10b0e1dda7
RBP: 00007f10b0e0e8ac R08: 0000000000000000 R09: 00000000000001ff
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f10b0deb1a8
R13: 00007f10b0deb180 R14: 0000000000000009 R15: 0000000000000000
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
corrupt handle or use after stack_depot_put()
WARNING: CPU: 0 PID: 326 at lib/stackdepot.c:719 stack_depot_fetch+0x91/0xc0 lib/stackdepot.c:719
Modules linked in:
CPU: 0 UID: 0 PID: 326 Comm: syz-executor Tainted: G W 6.14.0-rc3-syzkaller-00267-gff202c5028a1 #0
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
RIP: 0010:stack_depot_fetch+0x91/0xc0 lib/stackdepot.c:719
Code: 1d 48 8d 48 20 49 89 0f 44 8b 70 14 eb 1e 48 c7 c7 24 77 cb 86 89 d9 e8 6d 7b 75 fe 0f 0b 48 c7 c7 a4 76 cb 86 e8 5f 7b 75 fe <0f> 0b 44 89 f0 5b 41 5c 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb de
RSP: 0018:ffffc90001407760 EFLAGS: 00010046
RAX: ccd9066301344f00 RBX: 00000000ffff8881 RCX: ffff8881037a5500
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90001407780 R08: ffffffff816d858e R09: 1ffff1103edc4e62
R10: ffffed103edc4e63 R11: ffffed103edc4e63 R12: ffffc90001407840
R13: ffff888101eb2008 R14: 0000000000000000 R15: ffffc90001407790
FS: 0000555565731500(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f10b0e1dda0 CR3: 000000010a672000 CR4: 00000000003526b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
stack_depot_print+0x26/0x60 lib/stackdepot.c:752
print_track mm/kasan/report.c:281 [inline]
describe_object_stacks mm/kasan/report.c:343 [inline]
describe_object mm/kasan/report.c:353 [inline]
print_address_description mm/kasan/report.c:412 [inline]
print_report+0x20b/0x570 mm/kasan/report.c:521
kasan_report+0x15f/0x190 mm/kasan/report.c:634
__asan_report_store8_noabort+0x17/0x20 mm/kasan/report_generic.c:386
hlist_add_head include/linux/list.h:1026 [inline]
binder_add_device+0x5f/0xa0 drivers/android/binder.c:6932
binderfs_binder_device_create+0x841/0xaa0 drivers/android/binderfs.c:210
binderfs_fill_super+0x8fb/0xdd0 drivers/android/binderfs.c:729
vfs_get_super fs/super.c:1280 [inline]
get_tree_nodev+0xb9/0x160 fs/super.c:1299
binderfs_fs_context_get_tree+0x1c/0x30 drivers/android/binderfs.c:749
vfs_get_tree+0x8c/0x2c0 fs/super.c:1814
do_new_mount+0x2ba/0xb40 fs/namespace.c:3560
path_mount+0x67c/0x1000 fs/namespace.c:3887
do_mount fs/namespace.c:3900 [inline]
__do_sys_mount fs/namespace.c:4111 [inline]
__se_sys_mount+0x2c1/0x3b0 fs/namespace.c:4088
__x64_sys_mount+0xbf/0xe0 fs/namespace.c:4088
x64_sys_call+0x2c9e/0x2df0 arch/x86/include/generated/asm/syscalls_64.h:166
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x50/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f10b0d8e58a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcd93e3bf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f10b0e0e663 RCX: 00007f10b0d8e58a
RDX: 00007f10b0e1dda7 RSI: 00007f10b0e0e663 RDI: 00007f10b0e1dda7
RBP: 00007f10b0e0e8ac R08: 0000000000000000 R09: 00000000000001ff
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f10b0deb1a8
R13: 00007f10b0deb180 R14: 0000000000000009 R15: 0000000000000000
---[ end trace 0000000000000000 ]---
The buggy address belongs to the object at ffff888101eb2000
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 8 bytes inside of
freed 192-byte region [ffff888101eb2000, ffff888101eb20c0)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101eb2
anon flags: 0x4000000000000000(zone=1)
page_type: f5(slab)
raw: 4000000000000000 ffff8881000413c0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 2628429007, free_ts 2145272999
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1db/0x200 mm/page_alloc.c:1551
prep_new_page mm/page_alloc.c:1559 [inline]
get_page_from_freelist+0x47ee/0x4880 mm/page_alloc.c:3477
__alloc_frozen_pages_noprof+0x3c3/0x7d0 mm/page_alloc.c:4739
allocate_slab+0x76/0x420 mm/slub.c:2587
new_slab mm/slub.c:2640 [inline]
___slab_alloc+0x767/0xc00 mm/slub.c:3826
__slab_alloc+0x5d/0xb0 mm/slub.c:3916
__slab_alloc_node mm/slub.c:3991 [inline]
slab_alloc_node mm/slub.c:4152 [inline]
__do_kmalloc_node mm/slub.c:4293 [inline]
__kmalloc_noprof+0x206/0x3f0 mm/slub.c:4306
kmalloc_noprof include/linux/slab.h:905 [inline]
bio_kmalloc+0x46/0x50 block/bio.c:616
bio_map_kern block/blk-map.c:342 [inline]
blk_rq_map_kern+0x2e2/0x760 block/blk-map.c:720
scsi_execute_cmd+0x314/0x11a0 drivers/scsi/scsi_lib.c:316
scsi_probe_lun drivers/scsi/scsi_scan.c:708 [inline]
scsi_probe_and_add_lun+0x5a8/0x3ac0 drivers/scsi/scsi_scan.c:1217
__scsi_scan_target+0x1f5/0xde0 drivers/scsi/scsi_scan.c:1774
scsi_scan_channel drivers/scsi/scsi_scan.c:1862 [inline]
scsi_scan_host_selected+0x334/0x600 drivers/scsi/scsi_scan.c:1891
do_scsi_scan_host drivers/scsi/scsi_scan.c:2030 [inline]
scsi_scan_host+0x3ae/0x680 drivers/scsi/scsi_scan.c:2062
virtscsi_probe+0x90c/0xc40 drivers/scsi/virtio_scsi.c:982
virtio_dev_probe+0x8db/0xb90 drivers/virtio/virtio.c:341
page last free pid 1 tgid 1 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
__free_pages_ok+0x70e/0x8a0 mm/page_alloc.c:1271
free_frozen_pages+0x2f9/0xa50 mm/page_alloc.c:2656
__folio_put+0x314/0x380 mm/swap.c:112
folio_put include/linux/mm.h:1489 [inline]
free_large_kmalloc+0xad/0xf0 mm/slub.c:4728
kfree+0x1d2/0x350 mm/slub.c:4751
kvfree+0x35/0x40 mm/util.c:705
btf_add_type kernel/bpf/btf.c:1618 [inline]
btf_check_all_metas+0x619/0xac0 kernel/bpf/btf.c:5230
btf_parse_base+0x354/0x5b0 kernel/bpf/btf.c:6197
btf_parse_vmlinux+0xab/0x320 kernel/bpf/btf.c:6230
bpf_get_btf_vmlinux+0x41/0x70 kernel/bpf/verifier.c:22966
btf_get_module_btf+0x92/0x210 kernel/bpf/btf.c:8166
__register_btf_kfunc_id_set+0x9f/0x1cb0 kernel/bpf/btf.c:8585
register_btf_kfunc_id_set+0xa3/0xe0 kernel/bpf/btf.c:8620
register_xfrm_state_bpf+0x1a/0x20 net/xfrm/xfrm_state_bpf.c:132
xfrm_init+0x3c/0x50 net/xfrm/xfrm_policy.c:4403
ip_rt_init+0x307/0x400 net/ipv4/route.c:3756
Memory state around the buggy address:
ffff888101eb1f00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff888101eb1f80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
>ffff888101eb2000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888101eb2080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff888101eb2100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
2025/02/22 11:42:08 ignoring optional flag "sandboxArg"="0"
2025/02/22 11:42:09 parsed 1 programs
[ 31.813666][ T30] audit: type=1400 audit(1740224529.258:66): avc: denied { node_bind } for pid=299 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 33.013205][ T30] audit: type=1400 audit(1740224530.458:67): avc: denied { mounton } for pid=308 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1926 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 33.014433][ T308] cgroup: Unknown subsys name 'net'
[ 33.035862][ T30] audit: type=1400 audit(1740224530.458:68): avc: denied { mount } for pid=308 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 33.062817][ T30] audit: type=1400 audit(1740224530.488:69): avc: denied { unmount } for pid=308 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 33.063015][ T308] cgroup: Unknown subsys name 'devices'
[ 33.225213][ T308] cgroup: Unknown subsys name 'cpuset'
[ 33.231060][ T308] cgroup: Unknown subsys name 'hugetlb'
[ 33.236540][ T308] cgroup: Unknown subsys name 'rlimit'
[ 33.241880][ T308] cgroup: Unknown subsys name 'memory'
[ 33.336159][ T30] audit: type=1400 audit(1740224530.788:70): avc: denied { setattr } for pid=308 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=254 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 33.359119][ T30] audit: type=1400 audit(1740224530.788:71): avc: denied { create } for pid=308 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 33.379250][ T30] audit: type=1400 audit(1740224530.788:72): avc: denied { write } for pid=308 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 33.399290][ T30] audit: type=1400 audit(1740224530.788:73): avc: denied { read } for pid=308 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 33.419466][ T30] audit: type=1400 audit(1740224530.788:74): avc: denied { module_request } for pid=308 comm="syz-executor" kmod="netdev-wpan0" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 33.429603][ T311] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 33.441067][ T30] audit: type=1400 audit(1740224530.788:75): avc: denied { mounton } for pid=308 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 33.480271][ T308] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 34.324129][ T319] request_module fs-gadgetfs succeeded, but still no fs?
[ 34.543063][ T326] ==================================================================
[ 34.550973][ T326] BUG: KASAN: slab-use-after-free in binder_add_device+0x5f/0xa0
[ 34.558516][ T326] Write of size 8 at addr ffff888101eb2008 by task syz-executor/326
[ 34.566330][ T326]
[ 34.568514][ T326] CPU: 0 UID: 0 PID: 326 Comm: syz-executor Not tainted 6.14.0-rc3-syzkaller-00267-gff202c5028a1 #0
[ 34.568539][ T326] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 34.568556][ T326] Call Trace:
[ 34.568564][ T326]
[ 34.568572][ T326] dump_stack_lvl+0x184/0x200
[ 34.568597][ T326] ? __pfx_dump_stack_lvl+0x10/0x10
[ 34.568615][ T326] ? vprintk+0x1d/0x30
[ 34.568638][ T326] ? _printk+0xd1/0x120
[ 34.568661][ T326] print_report+0x163/0x570
[ 34.568681][ T326] ? __virt_addr_valid+0x2a4/0x380
[ 34.568708][ T326] ? kasan_complete_mode_report_info+0x71/0x210
[ 34.568736][ T326] kasan_report+0x15f/0x190
[ 34.568755][ T326] ? binder_add_device+0x5f/0xa0
[ 34.568786][ T326] ? binder_add_device+0x5f/0xa0
[ 34.568814][ T326] __asan_report_store8_noabort+0x17/0x20
[ 34.568842][ T326] binder_add_device+0x5f/0xa0
[ 34.568870][ T326] binderfs_binder_device_create+0x841/0xaa0
[ 34.568901][ T326] binderfs_fill_super+0x8fb/0xdd0
[ 34.568930][ T326] ? __pfx_binderfs_fill_super+0x10/0x10
[ 34.568963][ T326] ? shrinker_register+0x166/0x220
[ 34.568984][ T326] ? sget_fc+0x95b/0xa50
[ 34.569010][ T326] ? __pfx_set_anon_super_fc+0x10/0x10
[ 34.569042][ T326] get_tree_nodev+0xb9/0x160
[ 34.569070][ T326] ? __pfx_binderfs_fill_super+0x10/0x10
[ 34.569098][ T326] binderfs_fs_context_get_tree+0x1c/0x30
[ 34.569126][ T326] vfs_get_tree+0x8c/0x2c0
[ 34.569145][ T326] do_new_mount+0x2ba/0xb40
[ 34.569166][ T326] ? __pfx_do_new_mount+0x10/0x10
[ 34.569186][ T326] ? security_capable+0x7c/0x90
[ 34.569206][ T326] ? ns_capable+0x8a/0xf0
[ 34.569235][ T326] path_mount+0x67c/0x1000
[ 34.569256][ T326] __se_sys_mount+0x2c1/0x3b0
[ 34.569279][ T326] ? __pfx___se_sys_mount+0x10/0x10
[ 34.569303][ T326] __x64_sys_mount+0xbf/0xe0
[ 34.569324][ T326] x64_sys_call+0x2c9e/0x2df0
[ 34.569352][ T326] do_syscall_64+0x50/0x110
[ 34.569375][ T326] ? clear_bhb_loop+0x35/0x90
[ 34.569400][ T326] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 34.569427][ T326] RIP: 0033:0x7f10b0d8e58a
[ 34.569452][ T326] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 34.569469][ T326] RSP: 002b:00007ffcd93e3bf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 34.569495][ T326] RAX: ffffffffffffffda RBX: 00007f10b0e0e663 RCX: 00007f10b0d8e58a
[ 34.569509][ T326] RDX: 00007f10b0e1dda7 RSI: 00007f10b0e0e663 RDI: 00007f10b0e1dda7
[ 34.569524][ T326] RBP: 00007f10b0e0e8ac R08: 0000000000000000 R09: 00000000000001ff
[ 34.569536][ T326] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f10b0deb1a8
[ 34.569549][ T326] R13: 00007f10b0deb180 R14: 0000000000000009 R15: 0000000000000000
[ 34.569566][ T326]
[ 34.569573][ T326]
[ 34.834880][ T326] Allocated by task 320:
[ 34.838960][ T326] kasan_save_track+0x3b/0x70
[ 34.843481][ T326] kasan_save_alloc_info+0x38/0x50
[ 34.848421][ T326] __kasan_kmalloc+0x99/0xb0
[ 34.852848][ T326] __kmalloc_cache_noprof+0x15f/0x2d0
[ 34.858055][ T326] binderfs_binder_device_create+0x159/0xaa0
[ 34.863868][ T326] binderfs_fill_super+0x8fb/0xdd0
[ 34.868817][ T326] get_tree_nodev+0xb9/0x160
[ 34.873240][ T326] binderfs_fs_context_get_tree+0x1c/0x30
[ 34.878799][ T326] vfs_get_tree+0x8c/0x2c0
[ 34.883051][ T326] do_new_mount+0x2ba/0xb40
[ 34.887401][ T326] path_mount+0x67c/0x1000
[ 34.891658][ T326] __se_sys_mount+0x2c1/0x3b0
[ 34.896165][ T326] __x64_sys_mount+0xbf/0xe0
[ 34.900591][ T326] x64_sys_call+0x2c9e/0x2df0
[ 34.905184][ T326] do_syscall_64+0x50/0x110
[ 34.909522][ T326] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 34.915252][ T326]
[ 34.917419][ T326] Freed by task 811502080:
[ 34.921683][ T326] ------------[ cut here ]------------
[ 34.926975][ T326] pool index 100480 out of bounds (371) for stack id ffff8881
[ 34.934392][ T326] WARNING: CPU: 0 PID: 326 at lib/stackdepot.c:452 stack_depot_fetch+0x83/0xc0
[ 34.943144][ T326] Modules linked in:
[ 34.946871][ T326] CPU: 0 UID: 0 PID: 326 Comm: syz-executor Not tainted 6.14.0-rc3-syzkaller-00267-gff202c5028a1 #0
[ 34.957457][ T326] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 34.967355][ T326] RIP: 0010:stack_depot_fetch+0x83/0xc0
[ 34.972740][ T326] Code: 3f 00 00 83 7c 18 1c 00 74 44 48 01 d8 74 1d 48 8d 48 20 49 89 0f 44 8b 70 14 eb 1e 48 c7 c7 24 77 cb 86 89 d9 e8 6d 7b 75 fe <0f> 0b 48 c7 c7 a4 76 cb 86 e8 5f 7b 75 fe 0f 0b 44 89 f0 5b 41 5c
[ 34.992698][ T326] RSP: 0018:ffffc90001407760 EFLAGS: 00010046
[ 34.998606][ T326] RAX: ccd9066301344f00 RBX: 00000000ffff8881 RCX: ffff8881037a5500
[ 35.006407][ T326] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 35.014221][ T326] RBP: ffffc90001407780 R08: ffffffff816d858e R09: 1ffff1103edc4e62
[ 35.022034][ T326] R10: ffffed103edc4e63 R11: ffffed103edc4e63 R12: ffffc90001407840
[ 35.029842][ T326] R13: ffff888101eb2008 R14: 0000000000000000 R15: ffffc90001407790
[ 35.037656][ T326] FS: 0000555565731500(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
[ 35.046592][ T326] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 35.053015][ T326] CR2: 00007f10b0e1dda0 CR3: 000000010a672000 CR4: 00000000003526b0
[ 35.060829][ T326] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 35.068638][ T326] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 35.076454][ T326] Call Trace:
[ 35.079586][ T326]
[ 35.082381][ T326] ? show_regs+0x59/0x60
[ 35.086434][ T326] ? __warn+0x166/0x3e0
[ 35.090426][ T326] ? stack_depot_fetch+0x83/0xc0
[ 35.095203][ T326] ? report_bug+0x4d5/0x740
[ 35.099542][ T326] ? stack_depot_fetch+0x83/0xc0
[ 35.104318][ T326] ? handle_bug+0x65/0x90
[ 35.108477][ T326] ? exc_invalid_op+0x1b/0x50
[ 35.112993][ T326] ? asm_exc_invalid_op+0x1b/0x20
[ 35.117854][ T326] ? __warn_printk+0x28e/0x360
[ 35.122451][ T326] ? stack_depot_fetch+0x83/0xc0
[ 35.127235][ T326] stack_depot_print+0x26/0x60
[ 35.131826][ T326] print_report+0x20b/0x570
[ 35.136164][ T326] ? __virt_addr_valid+0x2a4/0x380
[ 35.141113][ T326] ? kasan_complete_mode_report_info+0x71/0x210
[ 35.147207][ T326] kasan_report+0x15f/0x190
[ 35.151530][ T326] ? binder_add_device+0x5f/0xa0
[ 35.156301][ T326] ? binder_add_device+0x5f/0xa0
[ 35.161075][ T326] __asan_report_store8_noabort+0x17/0x20
[ 35.166631][ T326] binder_add_device+0x5f/0xa0
[ 35.171228][ T326] binderfs_binder_device_create+0x841/0xaa0
[ 35.177141][ T326] binderfs_fill_super+0x8fb/0xdd0
[ 35.182082][ T326] ? __pfx_binderfs_fill_super+0x10/0x10
[ 35.187552][ T326] ? shrinker_register+0x166/0x220
[ 35.192492][ T326] ? sget_fc+0x95b/0xa50
[ 35.196572][ T326] ? __pfx_set_anon_super_fc+0x10/0x10
[ 35.201893][ T326] get_tree_nodev+0xb9/0x160
[ 35.206295][ T326] ? __pfx_binderfs_fill_super+0x10/0x10
[ 35.211770][ T326] binderfs_fs_context_get_tree+0x1c/0x30
[ 35.217317][ T326] vfs_get_tree+0x8c/0x2c0
[ 35.221567][ T326] do_new_mount+0x2ba/0xb40
[ 35.225908][ T326] ? __pfx_do_new_mount+0x10/0x10
[ 35.230769][ T326] ? security_capable+0x7c/0x90
[ 35.235458][ T326] ? ns_capable+0x8a/0xf0
[ 35.239712][ T326] path_mount+0x67c/0x1000
[ 35.243962][ T326] __se_sys_mount+0x2c1/0x3b0
[ 35.248481][ T326] ? __pfx___se_sys_mount+0x10/0x10
[ 35.253510][ T326] __x64_sys_mount+0xbf/0xe0
[ 35.257934][ T326] x64_sys_call+0x2c9e/0x2df0
[ 35.262447][ T326] do_syscall_64+0x50/0x110
[ 35.266786][ T326] ? clear_bhb_loop+0x35/0x90
[ 35.271303][ T326] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 35.277028][ T326] RIP: 0033:0x7f10b0d8e58a
[ 35.281285][ T326] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 35.300724][ T326] RSP: 002b:00007ffcd93e3bf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 35.308969][ T326] RAX: ffffffffffffffda RBX: 00007f10b0e0e663 RCX: 00007f10b0d8e58a
[ 35.316781][ T326] RDX: 00007f10b0e1dda7 RSI: 00007f10b0e0e663 RDI: 00007f10b0e1dda7
[ 35.324592][ T326] RBP: 00007f10b0e0e8ac R08: 0000000000000000 R09: 00000000000001ff
[ 35.332400][ T326] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f10b0deb1a8
[ 35.340214][ T326] R13: 00007f10b0deb180 R14: 0000000000000009 R15: 0000000000000000
[ 35.348036][ T326]
[ 35.350979][ T326] ---[ end trace 0000000000000000 ]---
[ 35.356272][ T326] ------------[ cut here ]------------
[ 35.361563][ T326] corrupt handle or use after stack_depot_put()
[ 35.361684][ T326] WARNING: CPU: 0 PID: 326 at lib/stackdepot.c:719 stack_depot_fetch+0x91/0xc0
[ 35.376607][ T326] Modules linked in:
[ 35.380335][ T326] CPU: 0 UID: 0 PID: 326 Comm: syz-executor Tainted: G W 6.14.0-rc3-syzkaller-00267-gff202c5028a1 #0
[ 35.392408][ T326] Tainted: [W]=WARN
[ 35.396041][ T326] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 35.405940][ T326] RIP: 0010:stack_depot_fetch+0x91/0xc0
[ 35.411327][ T326] Code: 1d 48 8d 48 20 49 89 0f 44 8b 70 14 eb 1e 48 c7 c7 24 77 cb 86 89 d9 e8 6d 7b 75 fe 0f 0b 48 c7 c7 a4 76 cb 86 e8 5f 7b 75 fe <0f> 0b 44 89 f0 5b 41 5c 41 5e 41 5f 5d c3 cc cc cc cc 0f 0b eb de
[ 35.430962][ T326] RSP: 0018:ffffc90001407760 EFLAGS: 00010046
[ 35.436860][ T326] RAX: ccd9066301344f00 RBX: 00000000ffff8881 RCX: ffff8881037a5500
[ 35.444671][ T326] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 35.452482][ T326] RBP: ffffc90001407780 R08: ffffffff816d858e R09: 1ffff1103edc4e62
[ 35.460295][ T326] R10: ffffed103edc4e63 R11: ffffed103edc4e63 R12: ffffc90001407840
[ 35.468104][ T326] R13: ffff888101eb2008 R14: 0000000000000000 R15: ffffc90001407790
[ 35.475916][ T326] FS: 0000555565731500(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
[ 35.484683][ T326] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 35.491105][ T326] CR2: 00007f10b0e1dda0 CR3: 000000010a672000 CR4: 00000000003526b0
[ 35.498921][ T326] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 35.506726][ T326] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 35.514542][ T326] Call Trace:
[ 35.517663][ T326]
[ 35.520442][ T326] ? show_regs+0x59/0x60
[ 35.524521][ T326] ? __warn+0x166/0x3e0
[ 35.528530][ T326] ? stack_depot_fetch+0x91/0xc0
[ 35.533289][ T326] ? report_bug+0x4d5/0x740
[ 35.537626][ T326] ? stack_depot_fetch+0x91/0xc0
[ 35.542404][ T326] ? handle_bug+0x65/0x90
[ 35.546654][ T326] ? exc_invalid_op+0x1b/0x50
[ 35.551180][ T326] ? asm_exc_invalid_op+0x1b/0x20
[ 35.556028][ T326] ? __warn_printk+0x28e/0x360
[ 35.560629][ T326] ? stack_depot_fetch+0x91/0xc0
[ 35.565402][ T326] stack_depot_print+0x26/0x60
[ 35.570000][ T326] print_report+0x20b/0x570
[ 35.574347][ T326] ? __virt_addr_valid+0x2a4/0x380
[ 35.579286][ T326] ? kasan_complete_mode_report_info+0x71/0x210
[ 35.585364][ T326] kasan_report+0x15f/0x190
[ 35.589703][ T326] ? binder_add_device+0x5f/0xa0
[ 35.594475][ T326] ? binder_add_device+0x5f/0xa0
[ 35.599258][ T326] __asan_report_store8_noabort+0x17/0x20
[ 35.604805][ T326] binder_add_device+0x5f/0xa0
[ 35.609402][ T326] binderfs_binder_device_create+0x841/0xaa0
[ 35.615222][ T326] binderfs_fill_super+0x8fb/0xdd0
[ 35.620168][ T326] ? __pfx_binderfs_fill_super+0x10/0x10
[ 35.625639][ T326] ? shrinker_register+0x166/0x220
[ 35.630583][ T326] ? sget_fc+0x95b/0xa50
[ 35.634659][ T326] ? __pfx_set_anon_super_fc+0x10/0x10
[ 35.639956][ T326] get_tree_nodev+0xb9/0x160
[ 35.644383][ T326] ? __pfx_binderfs_fill_super+0x10/0x10
[ 35.649851][ T326] binderfs_fs_context_get_tree+0x1c/0x30
[ 35.655491][ T326] vfs_get_tree+0x8c/0x2c0
[ 35.659744][ T326] do_new_mount+0x2ba/0xb40
[ 35.664092][ T326] ? __pfx_do_new_mount+0x10/0x10
[ 35.668941][ T326] ? security_capable+0x7c/0x90
[ 35.673633][ T326] ? ns_capable+0x8a/0xf0
[ 35.677796][ T326] path_mount+0x67c/0x1000
[ 35.682052][ T326] __se_sys_mount+0x2c1/0x3b0
[ 35.686562][ T326] ? __pfx___se_sys_mount+0x10/0x10
[ 35.691597][ T326] __x64_sys_mount+0xbf/0xe0
[ 35.696032][ T326] x64_sys_call+0x2c9e/0x2df0
[ 35.700534][ T326] do_syscall_64+0x50/0x110
[ 35.704875][ T326] ? clear_bhb_loop+0x35/0x90
[ 35.709390][ T326] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 35.715121][ T326] RIP: 0033:0x7f10b0d8e58a
[ 35.719373][ T326] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 35.738818][ T326] RSP: 002b:00007ffcd93e3bf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 35.747058][ T326] RAX: ffffffffffffffda RBX: 00007f10b0e0e663 RCX: 00007f10b0d8e58a
[ 35.754866][ T326] RDX: 00007f10b0e1dda7 RSI: 00007f10b0e0e663 RDI: 00007f10b0e1dda7
[ 35.762678][ T326] RBP: 00007f10b0e0e8ac R08: 0000000000000000 R09: 00000000000001ff
[ 35.770491][ T326] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f10b0deb1a8
[ 35.778301][ T326] R13: 00007f10b0deb180 R14: 0000000000000009 R15: 0000000000000000
[ 35.786121][ T326]
[ 35.788980][ T326] ---[ end trace 0000000000000000 ]---
[ 35.794276][ T326]
[ 35.796441][ T326] The buggy address belongs to the object at ffff888101eb2000
[ 35.796441][ T326] which belongs to the cache kmalloc-192 of size 192
[ 35.810327][ T326] The buggy address is located 8 bytes inside of
[ 35.810327][ T326] freed 192-byte region [ffff888101eb2000, ffff888101eb20c0)
[ 35.823789][ T326]
[ 35.825953][ T326] The buggy address belongs to the physical page:
[ 35.832202][ T326] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101eb2
[ 35.840881][ T326] anon flags: 0x4000000000000000(zone=1)
[ 35.846355][ T326] page_type: f5(slab)
[ 35.850197][ T326] raw: 4000000000000000 ffff8881000413c0 0000000000000000 dead000000000001
[ 35.858591][ T326] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 35.867006][ T326] page dumped because: kasan: bad access detected
[ 35.873261][ T326] page_owner tracks the page as allocated
[ 35.878807][ T326] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 2628429007, free_ts 2145272999
[ 35.896775][ T326] post_alloc_hook+0x1db/0x200
[ 35.901376][ T326] get_page_from_freelist+0x47ee/0x4880
[ 35.906753][ T326] __alloc_frozen_pages_noprof+0x3c3/0x7d0
[ 35.912407][ T326] allocate_slab+0x76/0x420
[ 35.916741][ T326] ___slab_alloc+0x767/0xc00
[ 35.921166][ T326] __slab_alloc+0x5d/0xb0
[ 35.925332][ T326] __kmalloc_noprof+0x206/0x3f0
[ 35.930017][ T326] bio_kmalloc+0x46/0x50
[ 35.934095][ T326] blk_rq_map_kern+0x2e2/0x760
[ 35.938694][ T326] scsi_execute_cmd+0x314/0x11a0
[ 35.943467][ T326] scsi_probe_and_add_lun+0x5a8/0x3ac0
[ 35.948762][ T326] __scsi_scan_target+0x1f5/0xde0
[ 35.953625][ T326] scsi_scan_host_selected+0x334/0x600
[ 35.958954][ T326] scsi_scan_host+0x3ae/0x680
[ 35.963433][ T326] virtscsi_probe+0x90c/0xc40
[ 35.967952][ T326] virtio_dev_probe+0x8db/0xb90
[ 35.972634][ T326] page last free pid 1 tgid 1 stack trace:
[ 35.978271][ T326] __free_pages_ok+0x70e/0x8a0
[ 35.982871][ T326] free_frozen_pages+0x2f9/0xa50
[ 35.987653][ T326] __folio_put+0x314/0x380
[ 35.991896][ T326] free_large_kmalloc+0xad/0xf0
[ 35.996584][ T326] kfree+0x1d2/0x350
[ 36.000324][ T326] kvfree+0x35/0x40
[ 36.003962][ T326] btf_check_all_metas+0x619/0xac0
[ 36.008915][ T326] btf_parse_base+0x354/0x5b0
[ 36.013444][ T326] btf_parse_vmlinux+0xab/0x320
[ 36.018119][ T326] bpf_get_btf_vmlinux+0x41/0x70
[ 36.022883][ T326] btf_get_module_btf+0x92/0x210
[ 36.027658][ T326] __register_btf_kfunc_id_set+0x9f/0x1cb0
[ 36.033299][ T326] register_btf_kfunc_id_set+0xa3/0xe0
[ 36.038600][ T326] register_xfrm_state_bpf+0x1a/0x20
[ 36.043735][ T326] xfrm_init+0x3c/0x50
[ 36.047623][ T326] ip_rt_init+0x307/0x400
[ 36.051789][ T326]
[ 36.053968][ T326] Memory state around the buggy address:
[ 36.059430][ T326]  ffff888101eb1f00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 36.067326][ T326]  ffff888101eb1f80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 36.075313][ T326] >ffff888101eb2000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.083205][ T326]                        ^
[ 36.087371][ T326]  ffff888101eb2080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 36.095269][ T326]  ffff888101eb2100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.103167][ T326] ==================================================================
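Reading the shadow rows above by hand is error-prone, so here is an added example (not part of the syzkaller report or of the kernel) that parses the five rows printed in the report, looks up the shadow byte for the faulting address ffff888101eb2008 and recovers the freed object's extent by walking the granules. It assumes generic-mode KASAN (8-byte granules, 16 per printed row) and the slab poison values from mm/kasan/kasan.h; the kernel's macro names for those values have been renamed across versions, and every function and type name in the block is the example's own.

```c
/* Decode the "Memory state around the buggy address" block of a generic-mode KASAN
 * report: one shadow byte per 8-byte granule, 16 granules per printed row.
 * Added example, not kernel code; the rows below are copied from the report. */
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>

#define GRANULE   8
#define ROW_GRANS 16

/* Shadow values from mm/kasan/kasan.h (generic KASAN). The values are stable; the
 * macro names have been renamed more than once across kernel versions. */
#define KASAN_SLAB_FREE_META 0xfa /* first granule of a freed object; holds free metadata */
#define KASAN_SLAB_FREE      0xfb /* remainder of a freed slab object */
#define KASAN_SLAB_REDZONE   0xfc /* redzone between/after slab objects */

struct shadow_row  { uint64_t base; uint8_t bytes[ROW_GRANS]; };
struct shadow_dump { struct shadow_row rows[8]; int nrows; };

/* Parse one row such as ">ffff888101eb2000: fa fb ..." ('>' marks the guilty row). */
static int parse_row(const char *line, struct shadow_row *row)
{
	char *end;
	while (*line == ' ' || *line == '>')
		line++;
	row->base = strtoull(line, &end, 16);
	if (end == line || *end++ != ':')
		return -1;
	for (int i = 0; i < ROW_GRANS; i++) {
		const char *s = end;
		unsigned long v = strtoul(s, &end, 16);
		if (end == s || v > 0xff)
			return -1;
		row->bytes[i] = (uint8_t)v;
	}
	return 0;
}

/* Shadow byte covering addr, or -1 if no parsed row covers it. */
static int shadow_at(const struct shadow_dump *d, uint64_t addr)
{
	for (int i = 0; i < d->nrows; i++)
		if (addr - d->rows[i].base < GRANULE * ROW_GRANS)
			return d->rows[i].bytes[(addr - d->rows[i].base) / GRANULE];
	return -1;
}

/* Recover the extent [start, end) of the freed slab object containing addr: walk back
 * to its KASAN_SLAB_FREE_META granule, then forward past its last KASAN_SLAB_FREE one.
 * Returns -1 if addr is not inside a freed object or the dump ends before the object. */
static int freed_object_extent(const struct shadow_dump *d, uint64_t addr,
			       uint64_t *start, uint64_t *end)
{
	uint64_t g = addr & ~(uint64_t)(GRANULE - 1);
	while (shadow_at(d, g) == KASAN_SLAB_FREE)
		g -= GRANULE;
	if (shadow_at(d, g) != KASAN_SLAB_FREE_META)
		return -1;
	*start = g;
	do
		g += GRANULE;
	while (shadow_at(d, g) == KASAN_SLAB_FREE);
	if (shadow_at(d, g) < 0)
		return -1;	/* object continues past the printed rows */
	*end = g;
	return 0;
}

/* The five rows printed in the report above, and the dump parsed from them. */
static const char *const report_rows[] = {
	" ffff888101eb1f00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc",
	" ffff888101eb1f80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc",
	">ffff888101eb2000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
	" ffff888101eb2080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc",
	" ffff888101eb2100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
};
static struct shadow_dump report;

static int load_report(void)
{
	for (report.nrows = 0; report.nrows < 5; report.nrows++)
		if (parse_row(report_rows[report.nrows], &report.rows[report.nrows]))
			return -1;
	return 0;
}

int main(void)
{
	uint64_t addr = 0xffff888101eb2008ULL, start, end; /* "Write of size 8 at addr ..." */
	if (load_report() == 0 && freed_object_extent(&report, addr, &start, &end) == 0)
		printf("%#" PRIx64 " lies in freed slab object [%#" PRIx64 ", %#" PRIx64 "), %" PRIu64
		       " bytes\n", addr, start, end, end - start);
	return 0;
}
```

Run on the report's rows it yields [0xffff888101eb2000, 0xffff888101eb20c0), 192 bytes, matching the "freed 192-byte region" line; the write at +8 lands on the first 0xfb granule right after the 0xfa metadata granule, which is where the caret points. The rows below ffff888101eb2000 belong to the preceding page, and the report says this slab page is order 0, so the 64-byte freed object at ffff888101eb1f00 comes from a different slab and says nothing about the kmalloc-192 object involved here.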
[ 36.117184][ T326] Disabling lock debugging due to kernel taint
[ 36.487675][ T340] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.496638][ T340] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.503543][ T340] bridge_slave_0: entered allmulticast mode
[ 36.534899][ T340] bridge_slave_0: entered promiscuous mode
[ 36.555307][ T340] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.562158][ T340] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.569141][ T340] bridge_slave_1: entered allmulticast mode
[ 36.575829][ T340] bridge_slave_1: entered promiscuous mode
[ 36.733836][ T340] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.740724][ T340] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 36.747871][ T340] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.754730][ T340] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 36.798781][ T12] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.806489][ T12] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.819226][ T12] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.826210][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 36.836011][ T12] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.842871][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 36.876065][ T340] veth0_vlan: entered promiscuous mode
[ 36.889620][ T340] veth1_macvtap: entered promiscuous mode
[ 36.912969][ T30] kauditd_printk_skb: 29 callbacks suppressed
2025/02/22 11:42:14 executed programs: 0
[ 36.912988][ T30] audit: type=1400 audit(1740224534.358:105): avc: denied { mounton } for pid=340 comm="syz-executor" path="/root/syzkaller.pHozG7/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1
[ 36.945387][ T30] audit: type=1400 audit(1740224534.398:106): avc: denied { mounton } for pid=340 comm="syz-executor" path="/dev/gadgetfs" dev="devtmpfs" ino=521 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=dir permissive=1
[ 37.019299][ T377] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.026344][ T377] bridge0: port 1(bridge_slave_0) entered disabled state
[ 37.033197][ T377] bridge_slave_0: entered allmulticast mode
[ 37.039564][ T377] bridge_slave_0: entered promiscuous mode
[ 37.046281][ T377] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.053117][ T377] bridge0: port 2(bridge_slave_1) entered disabled state
[ 37.060288][ T377] bridge_slave_1: entered allmulticast mode
[ 37.066468][ T377] bridge_slave_1: entered promiscuous mode
[ 37.118143][ T377] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.125132][ T377] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 37.132200][ T377] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.139020][ T377] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 37.161577][ T362] bridge0: port 1(bridge_slave_0) entered disabled state
[ 37.168666][ T362] bridge0: port 2(bridge_slave_1) entered disabled state
[ 37.178229][ T12] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.185089][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 37.195069][ T362] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.202003][ T362] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 37.227705][ T377] veth0_vlan: entered promiscuous mode
[ 37.239092][ T377] veth1_macvtap: entered promiscuous mode
[ 37.334580][ T340] syz-executor (340) used greatest stack depth: 21008 bytes left
syzkaller build log:
go env (err=)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/syzkaller/jobs-2/linux/gopath/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.6.linux-amd64'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/syzkaller/jobs-2/linux/gopath/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.6.linux-amd64/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.6'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build583813038=/tmp/go-build -gno-record-gcc-switches'
git status (err=)
HEAD detached at ef44b750e8
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=ef44b750e8fab8d6d5cb84920680581b13e0d470 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20250207-152458'" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"ef44b750e8fab8d6d5cb84920680581b13e0d470\"
/usr/bin/ld: /tmp/cccxXmfX.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking