KASAN: slab-use-after-free Write in binder_add_device Summary (read from the allocation/free/use traces below): the object is allocated in binderfs_binder_device_create (drivers/android/binderfs.c:147) by task 6063 and freed in binderfs_evict_inode (drivers/android/binderfs.c:278) while that task's binderfs mount is torn down at exit (binderfs_kill_super -> shrink_dcache_for_umount -> evict); a later binderfs mount by task 6070 then writes 8 bytes at offset 8 of the freed 512-byte kmalloc region from hlist_add_head in binder_add_device (drivers/android/binder.c:6932). That pattern is consistent with the device object being freed without first being unlinked from the list binder_add_device inserts into, so the stale entry is still the list head when the next device is added — the two KFENCE reports further down are the same access reproduced by tasks 6075 and 6080. Because the trigger is only mount/unmount of binderfs, if the configuration lets unprivileged users mount binderfs (for example via user namespaces) this is a write into freed slab memory reachable without privilege and should be treated as a privilege-escalation candidate until the teardown path is confirmed to remove the device from that list before kfree. ================================================================== BUG: KASAN: slab-use-after-free in hlist_add_head include/linux/list.h:1026 [inline] BUG: KASAN: slab-use-after-free in binder_add_device+0x64/0xac drivers/android/binder.c:6932 Write of size 8 at addr ffff0000cd895c08 by task syz-executor/6070 CPU: 1 UID: 0 PID: 6070 Comm: syz-executor Not tainted 6.14.0-rc4-syzkaller-00169-g1e15510b71c9 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C) __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0x178/0x530 mm/kasan/report.c:521 kasan_report+0xd8/0x138 mm/kasan/report.c:634 __asan_report_store8_noabort+0x20/0x2c mm/kasan/report_generic.c:386 hlist_add_head include/linux/list.h:1026 [inline] binder_add_device+0x64/0xac drivers/android/binder.c:6932 binderfs_binder_device_create+0x7fc/0x9fc drivers/android/binderfs.c:210 binderfs_fill_super+0x7f4/0xc8c drivers/android/binderfs.c:729 vfs_get_super fs/super.c:1280 [inline] get_tree_nodev+0xb4/0x144 fs/super.c:1299 binderfs_fs_context_get_tree+0x28/0x38 drivers/android/binderfs.c:749 vfs_get_tree+0x90/0x28c fs/super.c:1814 do_new_mount+0x278/0x900 fs/namespace.c:3560 path_mount+0x590/0xe04 fs/namespace.c:3887 do_mount fs/namespace.c:3900 [inline] __do_sys_mount fs/namespace.c:4111 [inline] __se_sys_mount fs/namespace.c:4088 [inline] __arm64_sys_mount+0x4f4/0x5d0 fs/namespace.c:4088 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 Allocated by task 6063: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:562 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x2cc/0x428 mm/slub.c:4325 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] binderfs_binder_device_create+0x18c/0x9fc drivers/android/binderfs.c:147 binderfs_fill_super+0x7f4/0xc8c drivers/android/binderfs.c:729 vfs_get_super fs/super.c:1280 [inline] get_tree_nodev+0xb4/0x144 fs/super.c:1299 binderfs_fs_context_get_tree+0x28/0x38 drivers/android/binderfs.c:749 vfs_get_tree+0x90/0x28c fs/super.c:1814 do_new_mount+0x278/0x900 fs/namespace.c:3560 path_mount+0x590/0xe04 fs/namespace.c:3887 do_mount fs/namespace.c:3900 [inline] __do_sys_mount fs/namespace.c:4111 [inline] __se_sys_mount fs/namespace.c:4088 [inline] __arm64_sys_mount+0x4f4/0x5d0 fs/namespace.c:4088 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 Freed by task 6063: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_free_info+0x54/0x6c mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x64/0x8c mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2353 [inline] slab_free mm/slub.c:4609 [inline] kfree+0x180/0x478 mm/slub.c:4757 binderfs_evict_inode+0x160/0x220 
drivers/android/binderfs.c:278 evict+0x444/0x978 fs/inode.c:796 iput_final fs/inode.c:1946 [inline] iput+0x740/0x8e8 fs/inode.c:1972 dentry_unlink_inode+0x3a0/0x4e0 fs/dcache.c:440 __dentry_kill+0x178/0x5e8 fs/dcache.c:643 shrink_kill+0xd4/0x2cc fs/dcache.c:1088 shrink_dentry_list+0x31c/0x768 fs/dcache.c:1115 shrink_dcache_parent+0xc4/0x374 do_one_tree+0x30/0xfc fs/dcache.c:1578 shrink_dcache_for_umount+0xd8/0x188 fs/dcache.c:1595 generic_shutdown_super+0x68/0x2bc fs/super.c:620 kill_anon_super fs/super.c:1237 [inline] kill_litter_super+0x74/0xb8 fs/super.c:1247 binderfs_kill_super+0x44/0x9c drivers/android/binderfs.c:791 deactivate_locked_super+0xc4/0x12c fs/super.c:473 deactivate_super+0xe0/0x100 fs/super.c:506 cleanup_mnt+0x34c/0x3dc fs/namespace.c:1413 __cleanup_mnt+0x20/0x30 fs/namespace.c:1420 task_work_run+0x230/0x2e0 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0x4e8/0x1acc kernel/exit.c:938 do_group_exit+0x194/0x22c kernel/exit.c:1087 get_signal+0x13e4/0x1500 kernel/signal.c:3036 do_signal+0x22c/0x3a04 arch/arm64/kernel/signal.c:1658 do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline] exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline] el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:745 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 The buggy address belongs to the object at ffff0000cd895c00 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 8 bytes inside of freed 512-byte region [ffff0000cd895c00, ffff0000cd895e00) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10d894 head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff) page_type: f5(slab) raw: 05ffc00000000040 
ffff0000c0001c80 fffffdffc334fd00 dead000000000002 raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 head: 05ffc00000000040 ffff0000c0001c80 fffffdffc334fd00 dead000000000002 head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 head: 05ffc00000000002 fffffdffc3362501 ffffffffffffffff 0000000000000000 head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000cd895b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff0000cd895b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff0000cd895c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff0000cd895c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff0000cd895d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Warning: Permanently added '10.128.1.111' (ED25519) to the list of known hosts. 1970/01/01 00:00:34 ignoring optional flag "sandboxArg"="0" 1970/01/01 00:00:35 parsed 1 programs [ 38.261901][ T6057] cgroup: Unknown subsys name 'net' [ 38.516495][ T6057] cgroup: Unknown subsys name 'cpuset' [ 38.521297][ T6057] cgroup: Unknown subsys name 'rlimit' [ 38.522990][ T6057] cgroup: Unknown subsys name 'memory' [ 38.744686][ T6057] Adding 124996k swap on ./swap-file. 
Priority:0 extents:1 across:124996k SS [ 52.086236][ T6070] ================================================================== [ 52.088352][ T6070] BUG: KASAN: slab-use-after-free in binder_add_device+0x64/0xac [ 52.090534][ T6070] Write of size 8 at addr ffff0000cd895c08 by task syz-executor/6070 [ 52.092718][ T6070] [ 52.093368][ T6070] CPU: 1 UID: 0 PID: 6070 Comm: syz-executor Not tainted 6.14.0-rc4-syzkaller-00169-g1e15510b71c9 #0 [ 52.093383][ T6070] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 [ 52.093390][ T6070] Call trace: [ 52.093393][ T6070] show_stack+0x2c/0x3c (C) [ 52.093411][ T6070] dump_stack_lvl+0xe4/0x150 [ 52.093425][ T6070] print_report+0x178/0x530 [ 52.093437][ T6070] kasan_report+0xd8/0x138 [ 52.093447][ T6070] __asan_report_store8_noabort+0x20/0x2c [ 52.093460][ T6070] binder_add_device+0x64/0xac [ 52.093473][ T6070] binderfs_binder_device_create+0x7fc/0x9fc [ 52.093486][ T6070] binderfs_fill_super+0x7f4/0xc8c [ 52.093498][ T6070] get_tree_nodev+0xb4/0x144 [ 52.093509][ T6070] binderfs_fs_context_get_tree+0x28/0x38 [ 52.093522][ T6070] vfs_get_tree+0x90/0x28c [ 52.093532][ T6070] do_new_mount+0x278/0x900 [ 52.093544][ T6070] path_mount+0x590/0xe04 [ 52.093554][ T6070] __arm64_sys_mount+0x4f4/0x5d0 [ 52.093565][ T6070] invoke_syscall+0x98/0x2b8 [ 52.093576][ T6070] el0_svc_common+0x130/0x23c [ 52.093587][ T6070] do_el0_svc+0x48/0x58 [ 52.093606][ T6070] el0_svc+0x54/0x168 [ 52.093620][ T6070] el0t_64_sync_handler+0x84/0x108 [ 52.093639][ T6070] el0t_64_sync+0x198/0x19c [ 52.093651][ T6070] [ 52.127996][ T6070] Allocated by task 6063: [ 52.129240][ T6070] kasan_save_track+0x40/0x78 [ 52.130476][ T6070] kasan_save_alloc_info+0x40/0x50 [ 52.131902][ T6070] __kasan_kmalloc+0xac/0xc4 [ 52.133164][ T6070] __kmalloc_cache_noprof+0x2cc/0x428 [ 52.134659][ T6070] binderfs_binder_device_create+0x18c/0x9fc [ 52.136374][ T6070] binderfs_fill_super+0x7f4/0xc8c [ 52.137771][ T6070] get_tree_nodev+0xb4/0x144 [ 
52.139020][ T6070] binderfs_fs_context_get_tree+0x28/0x38 [ 52.140616][ T6070] vfs_get_tree+0x90/0x28c [ 52.141835][ T6070] do_new_mount+0x278/0x900 [ 52.143105][ T6070] path_mount+0x590/0xe04 [ 52.144193][ T6070] __arm64_sys_mount+0x4f4/0x5d0 [ 52.145547][ T6070] invoke_syscall+0x98/0x2b8 [ 52.146877][ T6070] el0_svc_common+0x130/0x23c [ 52.148168][ T6070] do_el0_svc+0x48/0x58 [ 52.149339][ T6070] el0_svc+0x54/0x168 [ 52.150445][ T6070] el0t_64_sync_handler+0x84/0x108 [ 52.151863][ T6070] el0t_64_sync+0x198/0x19c [ 52.153154][ T6070] [ 52.153787][ T6070] Freed by task 6063: [ 52.154888][ T6070] kasan_save_track+0x40/0x78 [ 52.156210][ T6070] kasan_save_free_info+0x54/0x6c [ 52.157600][ T6070] __kasan_slab_free+0x64/0x8c [ 52.158944][ T6070] kfree+0x180/0x478 [ 52.160158][ T6070] binderfs_evict_inode+0x160/0x220 [ 52.161693][ T6070] evict+0x444/0x978 [ 52.162768][ T6070] iput+0x740/0x8e8 [ 52.163772][ T6070] dentry_unlink_inode+0x3a0/0x4e0 [ 52.165182][ T6070] __dentry_kill+0x178/0x5e8 [ 52.166476][ T6070] shrink_kill+0xd4/0x2cc [ 52.167654][ T6070] shrink_dentry_list+0x31c/0x768 [ 52.169079][ T6070] shrink_dcache_parent+0xc4/0x374 [ 52.170470][ T6070] do_one_tree+0x30/0xfc [ 52.171650][ T6070] shrink_dcache_for_umount+0xd8/0x188 [ 52.173158][ T6070] generic_shutdown_super+0x68/0x2bc [ 52.174639][ T6070] kill_litter_super+0x74/0xb8 [ 52.175967][ T6070] binderfs_kill_super+0x44/0x9c [ 52.177340][ T6070] deactivate_locked_super+0xc4/0x12c [ 52.178833][ T6070] deactivate_super+0xe0/0x100 [ 52.180199][ T6070] cleanup_mnt+0x34c/0x3dc [ 52.181482][ T6070] __cleanup_mnt+0x20/0x30 [ 52.182659][ T6070] task_work_run+0x230/0x2e0 [ 52.183918][ T6070] do_exit+0x4e8/0x1acc [ 52.185069][ T6070] do_group_exit+0x194/0x22c [ 52.186339][ T6070] get_signal+0x13e4/0x1500 [ 52.187618][ T6070] do_signal+0x22c/0x3a04 [ 52.188865][ T6070] do_notify_resume+0x74/0x1f4 [ 52.190178][ T6070] el0_svc+0xac/0x168 [ 52.191255][ T6070] el0t_64_sync_handler+0x84/0x108 [ 52.192621][ T6070] 
el0t_64_sync+0x198/0x19c [ 52.193813][ T6070] [ 52.194448][ T6070] The buggy address belongs to the object at ffff0000cd895c00 [ 52.194448][ T6070] which belongs to the cache kmalloc-512 of size 512 [ 52.198355][ T6070] The buggy address is located 8 bytes inside of [ 52.198355][ T6070] freed 512-byte region [ffff0000cd895c00, ffff0000cd895e00) [ 52.202125][ T6070] [ 52.202734][ T6070] The buggy address belongs to the physical page: [ 52.204494][ T6070] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10d894 [ 52.207089][ T6070] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 52.209348][ T6070] flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff) [ 52.211367][ T6070] page_type: f5(slab) [ 52.212481][ T6070] raw: 05ffc00000000040 ffff0000c0001c80 fffffdffc334fd00 dead000000000002 [ 52.214801][ T6070] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 52.217119][ T6070] head: 05ffc00000000040 ffff0000c0001c80 fffffdffc334fd00 dead000000000002 [ 52.219543][ T6070] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 52.221981][ T6070] head: 05ffc00000000002 fffffdffc3362501 ffffffffffffffff 0000000000000000 [ 52.224322][ T6070] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000 [ 52.226653][ T6070] page dumped because: kasan: bad access detected [ 52.228386][ T6070] [ 52.229009][ T6070] Memory state around the buggy address: [ 52.230517][ T6070] ffff0000cd895b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 52.232793][ T6070] ffff0000cd895b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 52.234982][ T6070] >ffff0000cd895c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.237193][ T6070] ^ [ 52.238474][ T6070] ffff0000cd895c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.240624][ T6070] ffff0000cd895d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.242833][ T6070] 
================================================================== [ 52.245409][ T6070] Disabling lock debugging due to kernel taint [ 52.386178][ T6075] ================================================================== [ 52.388386][ T6075] BUG: KFENCE: use-after-free write in binder_add_device+0x64/0xac [ 52.388386][ T6075] [ 52.391142][ T6075] Use-after-free write at 0x00000000e027ae32 (in kfence-#152): [ 52.393175][ T6075] binder_add_device+0x64/0xac [ 52.394447][ T6075] binderfs_binder_device_create+0x7fc/0x9fc [ 52.396051][ T6075] binderfs_fill_super+0x7f4/0xc8c [ 52.397436][ T6075] get_tree_nodev+0xb4/0x144 [ 52.398684][ T6075] binderfs_fs_context_get_tree+0x28/0x38 [ 52.400235][ T6075] vfs_get_tree+0x90/0x28c [ 52.401526][ T6075] do_new_mount+0x278/0x900 [ 52.402819][ T6075] path_mount+0x590/0xe04 [ 52.403986][ T6075] __arm64_sys_mount+0x4f4/0x5d0 [ 52.405280][ T6075] invoke_syscall+0x98/0x2b8 [ 52.406568][ T6075] el0_svc_common+0x130/0x23c [ 52.407857][ T6075] do_el0_svc+0x48/0x58 [ 52.409049][ T6075] el0_svc+0x54/0x168 [ 52.410123][ T6075] el0t_64_sync_handler+0x84/0x108 [ 52.411602][ T6075] el0t_64_sync+0x198/0x19c [ 52.412838][ T6075] [ 52.413431][ T6075] kfence-#152: 0x00000000eebdafbb-0x00000000ee9d6c80, size=280, cache=kmalloc-512 [ 52.413431][ T6075] [ 52.416436][ T6075] allocated by task 6070 on cpu 1 at 52.247095s (0.169340s ago): [ 52.418576][ T6075] binderfs_binder_device_create+0x18c/0x9fc [ 52.420198][ T6075] binderfs_fill_super+0x7f4/0xc8c [ 52.421531][ T6075] get_tree_nodev+0xb4/0x144 [ 52.422725][ T6075] binderfs_fs_context_get_tree+0x28/0x38 [ 52.424262][ T6075] vfs_get_tree+0x90/0x28c [ 52.425390][ T6075] do_new_mount+0x278/0x900 [ 52.426632][ T6075] path_mount+0x590/0xe04 [ 52.427846][ T6075] __arm64_sys_mount+0x4f4/0x5d0 [ 52.429204][ T6075] invoke_syscall+0x98/0x2b8 [ 52.430431][ T6075] el0_svc_common+0x130/0x23c [ 52.431723][ T6075] do_el0_svc+0x48/0x58 [ 52.432891][ T6075] el0_svc+0x54/0x168 [ 52.433931][ T6075] 
el0t_64_sync_handler+0x84/0x108 [ 52.435360][ T6075] el0t_64_sync+0x198/0x19c [ 52.436590][ T6075] [ 52.437255][ T6075] freed by task 6070 on cpu 0 at 52.334029s (0.103224s ago): [ 52.439277][ T6075] binderfs_evict_inode+0x160/0x220 [ 52.440654][ T6075] evict+0x444/0x978 [ 52.441804][ T6075] iput+0x740/0x8e8 [ 52.442875][ T6075] dentry_unlink_inode+0x3a0/0x4e0 [ 52.444270][ T6075] __dentry_kill+0x178/0x5e8 [ 52.445522][ T6075] shrink_kill+0xd4/0x2cc [ 52.446690][ T6075] shrink_dentry_list+0x31c/0x768 [ 52.448003][ T6075] shrink_dcache_parent+0xc4/0x374 [ 52.449343][ T6075] do_one_tree+0x30/0xfc [ 52.450498][ T6075] shrink_dcache_for_umount+0xd8/0x188 [ 52.452034][ T6075] generic_shutdown_super+0x68/0x2bc [ 52.453456][ T6075] kill_litter_super+0x74/0xb8 [ 52.454790][ T6075] binderfs_kill_super+0x44/0x9c [ 52.456164][ T6075] deactivate_locked_super+0xc4/0x12c [ 52.457605][ T6075] deactivate_super+0xe0/0x100 [ 52.458838][ T6075] cleanup_mnt+0x34c/0x3dc [ 52.460020][ T6075] __cleanup_mnt+0x20/0x30 [ 52.461217][ T6075] task_work_run+0x230/0x2e0 [ 52.462498][ T6075] do_exit+0x4e8/0x1acc [ 52.463632][ T6075] do_group_exit+0x194/0x22c [ 52.464848][ T6075] get_signal+0x13e4/0x1500 [ 52.466051][ T6075] do_signal+0x22c/0x3a04 [ 52.467253][ T6075] do_notify_resume+0x74/0x1f4 [ 52.468573][ T6075] el0_svc+0xac/0x168 [ 52.469674][ T6075] el0t_64_sync_handler+0x84/0x108 [ 52.471140][ T6075] el0t_64_sync+0x198/0x19c [ 52.472370][ T6075] [ 52.472984][ T6075] CPU: 1 UID: 0 PID: 6075 Comm: syz-executor Tainted: G B 6.14.0-rc4-syzkaller-00169-g1e15510b71c9 #0 [ 52.476348][ T6075] Tainted: [B]=BAD_PAGE [ 52.477467][ T6075] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 [ 52.480168][ T6075] ================================================================== [ 52.629469][ T6080] ================================================================== [ 52.631650][ T6080] BUG: KFENCE: use-after-free write in binder_add_device+0x64/0xac [ 52.631650][ 
T6080] [ 52.634337][ T6080] Use-after-free write at 0x00000000e91506c0 (in kfence-#154): [ 52.636435][ T6080] binder_add_device+0x64/0xac [ 52.637763][ T6080] binderfs_binder_device_create+0x7fc/0x9fc [ 52.639436][ T6080] binderfs_fill_super+0x7f4/0xc8c [ 52.640818][ T6080] get_tree_nodev+0xb4/0x144 [ 52.642109][ T6080] binderfs_fs_context_get_tree+0x28/0x38 [ 52.643619][ T6080] vfs_get_tree+0x90/0x28c [ 52.644846][ T6080] do_new_mount+0x278/0x900 [ 52.646091][ T6080] path_mount+0x590/0xe04 [ 52.647288][ T6080] __arm64_sys_mount+0x4f4/0x5d0 [ 52.648607][ T6080] invoke_syscall+0x98/0x2b8 [ 52.649871][ T6080] el0_svc_common+0x130/0x23c [ 52.651139][ T6080] do_el0_svc+0x48/0x58 [ 52.652255][ T6080] el0_svc+0x54/0x168 [ 52.653299][ T6080] el0t_64_sync_handler+0x84/0x108 [ 52.654733][ T6080] el0t_64_sync+0x198/0x19c [ 52.655964][ T6080] [ 52.656601][ T6080] kfence-#154: 0x00000000a40fdf7a-0x000000005b3deaea, size=280, cache=kmalloc-512 [ 52.656601][ T6080] [ 52.659610][ T6080] allocated by task 6075 on cpu 1 at 52.482735s (0.176873s ago): [ 52.661745][ T6080] binderfs_binder_device_create+0x18c/0x9fc [ 52.663393][ T6080] binderfs_fill_super+0x7f4/0xc8c [ 52.664780][ T6080] get_tree_nodev+0xb4/0x144 [ 52.665974][ T6080] binderfs_fs_context_get_tree+0x28/0x38 [ 52.667566][ T6080] vfs_get_tree+0x90/0x28c [ 52.668778][ T6080] do_new_mount+0x278/0x900 [ 52.670021][ T6080] path_mount+0x590/0xe04 [ 52.671321][ T6080] __arm64_sys_mount+0x4f4/0x5d0 [ 52.672638][ T6080] invoke_syscall+0x98/0x2b8 [ 52.673876][ T6080] el0_svc_common+0x130/0x23c [ 52.675237][ T6080] do_el0_svc+0x48/0x58 [ 52.676405][ T6080] el0_svc+0x54/0x168 [ 52.677501][ T6080] el0t_64_sync_handler+0x84/0x108 [ 52.678921][ T6080] el0t_64_sync+0x198/0x19c [ 52.680108][ T6080] [ 52.680721][ T6080] freed by task 6075 on cpu 0 at 52.571880s (0.108840s ago): [ 52.682766][ T6080] binderfs_evict_inode+0x160/0x220 [ 52.684086][ T6080] evict+0x444/0x978 [ 52.685207][ T6080] iput+0x740/0x8e8 [ 52.686277][ T6080] 
dentry_unlink_inode+0x3a0/0x4e0 [ 52.687616][ T6080] __dentry_kill+0x178/0x5e8 [ 52.688876][ T6080] shrink_kill+0xd4/0x2cc [ 52.690011][ T6080] shrink_dentry_list+0x31c/0x768 [ 52.691405][ T6080] shrink_dcache_parent+0xc4/0x374 [ 52.692839][ T6080] do_one_tree+0x30/0xfc [ 52.693947][ T6080] shrink_dcache_for_umount+0xd8/0x188 [ 52.695398][ T6080] generic_shutdown_super+0x68/0x2bc [ 52.696979][ T6080] kill_litter_super+0x74/0xb8 [ 52.698261][ T6080] binderfs_kill_super+0x44/0x9c [ 52.699577][ T6080] deactivate_locked_super+0xc4/0x12c [ 52.701026][ T6080] deactivate_super+0xe0/0x100 [ 52.702312][ T6080] cleanup_mnt+0x34c/0x3dc [ 52.703527][ T6080] __cleanup_mnt+0x20/0x30 [ 52.704734][ T6080] task_work_run+0x230/0x2e0 [ 52.705958][ T6080] do_exit+0x4e8/0x1acc [ 52.707147][ T6080] do_group_exit+0x194/0x22c [ 52.708452][ T6080] get_signal+0x13e4/0x1500 [ 52.709647][ T6080] do_signal+0x22c/0x3a04 [ 52.710829][ T6080] do_notify_resume+0x74/0x1f4 [ 52.712107][ T6080] el0_svc+0xac/0x168 [ 52.713169][ T6080] el0t_64_sync_handler+0x84/0x108 [ 52.714565][ T6080] el0t_64_sync+0x198/0x19c [ 52.715790][ T6080] [ 52.716453][ T6080] CPU: 1 UID: 0 PID: 6080 Comm: syz-executor Tainted: G B 6.14.0-rc4-syzkaller-00169-g1e15510b71c9 #0 [ 52.719849][ T6080] Tainted: [B]=BAD_PAGE [ 52.720997][ T6080] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 [ 52.723722][ T6080] ================================================================== [ 53.231708][ T6105] chnl_net:caif_netlink_parms(): no params data found [ 53.250183][ T6105] bridge0: port 1(bridge_slave_0) entered blocking state [ 53.252142][ T6105] bridge0: port 1(bridge_slave_0) entered disabled state [ 53.254322][ T6105] bridge_slave_0: entered allmulticast mode [ 53.256297][ T6105] bridge_slave_0: entered promiscuous mode [ 53.258854][ T6105] bridge0: port 2(bridge_slave_1) entered blocking state [ 53.260689][ T6105] bridge0: port 2(bridge_slave_1) entered disabled state [ 53.262675][ T6105] 
bridge_slave_1: entered allmulticast mode [ 53.264751][ T6105] bridge_slave_1: entered promiscuous mode [ 53.272446][ T6105] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 53.276080][ T6105] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 53.284423][ T6105] team0: Port device team_slave_0 added [ 53.286698][ T6105] team0: Port device team_slave_1 added [ 53.293315][ T6105] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 53.295337][ T6105] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 53.302259][ T6105] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 53.308511][ T6105] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 53.310413][ T6105] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. 
[ 53.317987][ T6105] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 53.329446][ T6105] hsr_slave_0: entered promiscuous mode [ 53.331300][ T6105] hsr_slave_1: entered promiscuous mode [ 53.450443][ T6105] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 53.453906][ T6105] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 53.457098][ T6105] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 53.460064][ T6105] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 53.471241][ T6105] bridge0: port 2(bridge_slave_1) entered blocking state [ 53.473160][ T6105] bridge0: port 2(bridge_slave_1) entered forwarding state [ 53.475207][ T6105] bridge0: port 1(bridge_slave_0) entered blocking state [ 53.477152][ T6105] bridge0: port 1(bridge_slave_0) entered forwarding state [ 53.494019][ T6105] 8021q: adding VLAN 0 to HW filter on device bond0 [ 53.500060][ T5055] bridge0: port 1(bridge_slave_0) entered disabled state [ 53.502407][ T5055] bridge0: port 2(bridge_slave_1) entered disabled state [ 53.507494][ T6105] 8021q: adding VLAN 0 to HW filter on device team0 [ 53.511461][ T13] bridge0: port 1(bridge_slave_0) entered blocking state [ 53.513479][ T13] bridge0: port 1(bridge_slave_0) entered forwarding state [ 53.517765][ T13] bridge0: port 2(bridge_slave_1) entered blocking state [ 53.519680][ T13] bridge0: port 2(bridge_slave_1) entered forwarding state [ 53.577441][ T6105] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 53.588808][ T6105] veth0_vlan: entered promiscuous mode [ 53.592106][ T6105] veth1_vlan: entered promiscuous mode [ 53.603266][ T6105] veth0_macvtap: entered promiscuous mode [ 53.606812][ T6105] veth1_macvtap: entered promiscuous mode [ 53.612742][ T6105] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 53.617840][ T6105] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 53.620821][ T6105] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 53.623108][ 
T6105] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 53.626183][ T6105] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 53.628578][ T6105] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 53.722705][ T53] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 53.725046][ T53] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 53.727016][ T53] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 53.729262][ T53] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 53.731326][ T53] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3 [ 53.733421][ T53] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 54.065377][ T613] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 54.115601][ T613] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 54.195942][ T613] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 54.205549][ T486] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 54.207683][ T486] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 54.215749][ T13] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 54.217775][ T13] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 54.255320][ T613] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 1970/01/01 00:00:54 executed programs: 0 [ 54.643913][ T5618] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 54.646514][ T5618] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 54.648564][ T5618] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 54.650861][ T5618] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 54.653047][ T5618] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3 [ 54.655715][ T5618] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 54.697839][ T6150] 
chnl_net:caif_netlink_parms(): no params data found [ 54.716075][ T6150] bridge0: port 1(bridge_slave_0) entered blocking state [ 54.718087][ T6150] bridge0: port 1(bridge_slave_0) entered disabled state [ 54.719985][ T6150] bridge_slave_0: entered allmulticast mode [ 54.721905][ T6150] bridge_slave_0: entered promiscuous mode [ 54.725787][ T6150] bridge0: port 2(bridge_slave_1) entered blocking state [ 54.727613][ T6150] bridge0: port 2(bridge_slave_1) entered disabled state [ 54.729712][ T6150] bridge_slave_1: entered allmulticast mode [ 54.731704][ T6150] bridge_slave_1: entered promiscuous mode [ 54.740798][ T6150] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 54.744582][ T6150] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 54.752950][ T6150] team0: Port device team_slave_0 added [ 54.755726][ T6150] team0: Port device team_slave_1 added [ 54.762313][ T6150] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 54.764453][ T6150] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 54.771605][ T6150] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 54.775655][ T6150] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 54.777495][ T6150] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. 
[ 54.784750][ T6150] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 54.796681][ T6150] hsr_slave_0: entered promiscuous mode [ 54.798748][ T6150] hsr_slave_1: entered promiscuous mode [ 54.800411][ T6150] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 54.802333][ T6150] Cannot create hsr debugfs directory [ 56.724216][ T5618] Bluetooth: hci0: command tx timeout [ 57.143066][ T613] bridge_slave_1: left allmulticast mode [ 57.144905][ T613] bridge_slave_1: left promiscuous mode [ 57.146575][ T613] bridge0: port 2(bridge_slave_1) entered disabled state [ 57.149386][ T613] bridge_slave_0: left allmulticast mode [ 57.150904][ T613] bridge_slave_0: left promiscuous mode [ 57.152461][ T613] bridge0: port 1(bridge_slave_0) entered disabled state [ 58.675603][ T613] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 58.716300][ T613] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 58.765143][ T613] bond0 (unregistering): Released all slaves [ 58.805091][ T5618] Bluetooth: hci0: command tx timeout [ 58.827389][ T613] hsr_slave_0: left promiscuous mode [ 58.829101][ T613] hsr_slave_1: left promiscuous mode [ 58.830729][ T613] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 58.832732][ T613] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 58.835765][ T613] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 58.837758][ T613] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 58.841403][ T613] veth1_macvtap: left promiscuous mode [ 58.842920][ T613] veth0_macvtap: left promiscuous mode [ 58.844464][ T613] veth1_vlan: left promiscuous mode [ 58.845906][ T613] veth0_vlan: left promiscuous mode [ 60.684857][ T613] team0 (unregistering): Port device team_slave_1 removed [ 60.884232][ T5618] Bluetooth: hci0: command tx timeout [ 60.904938][ T613] team0 (unregistering): Port device team_slave_0 removed syzkaller build log: go env 
(err=) GO111MODULE='auto' GOARCH='amd64' GOBIN='' GOCACHE='/syzkaller/.cache/go-build' GOENV='/syzkaller/.config/go/env' GOEXE='' GOEXPERIMENT='' GOFLAGS='' GOHOSTARCH='amd64' GOHOSTOS='linux' GOINSECURE='' GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod' GONOPROXY='' GONOSUMDB='' GOOS='linux' GOPATH='/syzkaller/jobs-2/linux/gopath' GOPRIVATE='' GOPROXY='https://proxy.golang.org,direct' GOROOT='/syzkaller/jobs-2/linux/gopath/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.6.linux-amd64' GOSUMDB='sum.golang.org' GOTMPDIR='' GOTOOLCHAIN='auto' GOTOOLDIR='/syzkaller/jobs-2/linux/gopath/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.6.linux-amd64/pkg/tool/linux_amd64' GOVCS='' GOVERSION='go1.23.6' GODEBUG='' GOTELEMETRY='local' GOTELEMETRYDIR='/syzkaller/.config/go/telemetry' GCCGO='gccgo' GOAMD64='v1' AR='ar' CC='gcc' CXX='g++' CGO_ENABLED='1' GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod' GOWORK='' CGO_CFLAGS='-O2 -g' CGO_CPPFLAGS='' CGO_CXXFLAGS='-O2 -g' CGO_FFLAGS='-O2 -g' CGO_LDFLAGS='-O2 -g' PKG_CONFIG='pkg-config' GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3393772438=/tmp/go-build -gno-record-gcc-switches' git status (err=) HEAD detached at 6a8fcbc4a6 nothing to commit, working tree clean tput: No value for $TERM and no -T specified tput: No value for $TERM and no -T specified Makefile:31: run command via tools/syz-env for best compatibility, see: Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen make .descriptions tput: No value for $TERM and no -T specified tput: No value for $TERM and no -T specified Makefile:31: run command via tools/syz-env for best compatibility, see: Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env bin/syz-sysgen touch .descriptions GOOS=linux GOARCH=arm64 go build "-ldflags=-s 
-w -X github.com/google/syzkaller/prog.GitRevision=6a8fcbc4a6172c831c89c507007f59fba13408aa -X 'github.com/google/syzkaller/prog.gitRevisionDate=20250226-150939'" -o ./bin/linux_arm64/syz-execprog github.com/google/syzkaller/tools/syz-execprog mkdir -p ./bin/linux_arm64 aarch64-linux-gnu-g++ -o ./bin/linux_arm64/syz-executor executor/executor.cc \ -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_arm64=1 \ -DHOSTGOOS_linux=1 -DGIT_REVISION=\"6a8fcbc4a6172c831c89c507007f59fba13408aa\" /usr/lib/gcc-cross/aarch64-linux-gnu/12/../../../../aarch64-linux-gnu/bin/ld: /tmp/ccIUOig4.o: in function `Connection::Connect(char const*, char const*)': executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0xd8): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking