last executing test programs:

0s ago: executing program 0 (id=1):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/kvm', 0x800, 0x0)

kernel console output (not intermixed with test programs):

Warning: Permanently added '[localhost]:44206' (ED25519) to the list of known hosts.
[  718.251539][   T24] audit: type=1400 audit(717.320:69): avc:  denied  { name_bind } for  pid=3302 comm="sshd" src=30001 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=1
[  719.516248][   T24] audit: type=1400 audit(718.590:70): avc:  denied  { execute } for  pid=3304 comm="sh" name="syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1
[  719.550326][   T24] audit: type=1400 audit(718.620:71): avc:  denied  { execute_no_trans } for  pid=3304 comm="sh" path="/syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1
[  749.197660][   T24] audit: type=1400 audit(748.270:72): avc:  denied  { mounton } for  pid=3304 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1737 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[  749.261130][   T24] audit: type=1400 audit(748.320:73): avc:  denied  { mount } for  pid=3304 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[  749.379763][ T3304] cgroup: Unknown subsys name 'net'
[  749.446589][   T24] audit: type=1400 audit(748.520:74): avc:  denied  { unmount } for  pid=3304 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[  749.950008][ T3304] cgroup: Unknown subsys name 'cpuset'
[  750.085736][ T3304] cgroup: Unknown subsys name 'rlimit'
[  751.499931][   T24] audit: type=1400 audit(750.560:75): avc:  denied  { setattr } for  pid=3304 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[  751.519037][   T24] audit: type=1400 audit(750.590:76): avc:  denied  { create } for  pid=3304 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[  751.574031][   T24] audit: type=1400 audit(750.610:77): avc:  denied  { write } for  pid=3304 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[  751.577394][   T24] audit: type=1400 audit(750.620:78): avc:  denied  { module_request } for  pid=3304 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[  752.188730][   T24] audit: type=1400 audit(751.250:79): avc:  denied  { read } for  pid=3304 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[  752.276957][   T24] audit: type=1400 audit(751.330:80): avc:  denied  { mounton } for  pid=3304 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[  752.280620][   T24] audit: type=1400 audit(751.340:81): avc:  denied  { mount } for  pid=3304 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[  753.627058][ T3308] SELinux:  Context root:object_r:swapfile_t is not valid (left unmapped).
Setting up swapspace version 1, size = 127995904 bytes
[  753.981637][ T3304] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[  810.978856][   T24] kauditd_printk_skb: 4 callbacks suppressed
[  810.979149][   T24] audit: type=1400 audit(810.050:86): avc:  denied  { execmem } for  pid=3309 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[  811.363136][   T24] audit: type=1400 audit(810.430:87): avc:  denied  { read } for  pid=3311 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[  811.410547][   T24] audit: type=1400 audit(810.480:88): avc:  denied  { open } for  pid=3311 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[  811.527260][   T24] audit: type=1400 audit(810.600:89): avc:  denied  { mounton } for  pid=3311 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1
[  813.249118][   T24] audit: type=1400 audit(812.320:90): avc:  denied  { sys_module } for  pid=3312 comm="syz-executor" capability=16  scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability permissive=1
[  814.216967][   T24] audit: type=1400 audit(813.280:91): avc:  denied  { mount } for  pid=3311 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1
[  814.335039][   T24] audit: type=1400 audit(813.400:92): avc:  denied  { mounton } for  pid=3311 comm="syz-executor" path="/syzkaller.KRh838/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1
[  814.454894][   T24] audit: type=1400 audit(813.500:93): avc:  denied  { mount } for  pid=3311 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1
[  814.671708][   T24] audit: type=1400 audit(813.740:94): avc:  denied  { mounton } for  pid=3311 comm="syz-executor" path="/syzkaller.KRh838/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1
[  814.813901][   T24] audit: type=1400 audit(813.830:95): avc:  denied  { mounton } for  pid=3311 comm="syz-executor" path="/syzkaller.KRh838/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=2840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1
[  816.684189][   T24] kauditd_printk_skb: 9 callbacks suppressed
[  816.684514][   T24] audit: type=1400 audit(815.740:105): avc:  denied  { read } for  pid=3316 comm="syz.0.1" name="kvm" dev="devtmpfs" ino=84 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1
[  816.714527][   T24] audit: type=1400 audit(815.780:106): avc:  denied  { open } for  pid=3316 comm="syz.0.1" path="/dev/kvm" dev="devtmpfs" ino=84 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1
[  816.964667][   T24] audit: type=1400 audit(816.010:107): avc:  denied  { write } for  pid=3316 comm="syz.0.1" name="kvm" dev="devtmpfs" ino=84 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1
[  826.017299][ T3323] ==================================================================
[  826.020135][ T3323] BUG: KASAN: slab-use-after-free in binder_add_device+0x54/0x8c
[  826.022862][ T3323] Write of size 8 at addr 81f00000124ffa08 by task syz-executor/3323
[  826.024740][ T3323] Pointer tag: [81], memory tag: [84]
[  826.025921][ T3323] 
[  826.027485][ T3323] CPU: 0 UID: 0 PID: 3323 Comm: syz-executor Not tainted 6.14.0-rc2-syzkaller-g29281a76709c #0
[  826.028016][ T3323] Hardware name: linux,dummy-virt (DT)
[  826.028478][ T3323] Call trace:
[  826.028745][ T3323]  show_stack+0x2c/0x3c (C)
[  826.029461][ T3323]  dump_stack_lvl+0xe4/0x150
[  826.029880][ T3323]  print_report+0x1b4/0x500
[  826.030255][ T3323]  kasan_report+0xd8/0x138
[  826.030615][ T3323]  kasan_tag_mismatch+0x28/0x3c
[  826.030966][ T3323]  __hwasan_tag_mismatch+0x30/0x60
[  826.031324][ T3323]  binder_add_device+0x54/0x8c
[  826.031620][ T3323]  binderfs_binder_device_create+0x64c/0x6a0
[  826.031905][ T3323]  binderfs_fill_super+0x5d4/0x814
[  826.032175][ T3323]  get_tree_nodev+0x98/0x110
[  826.032522][ T3323]  binderfs_fs_context_get_tree+0x28/0x38
[  826.032802][ T3323]  vfs_get_tree+0x68/0x1e4
[  826.033118][ T3323]  do_new_mount+0x218/0x5d8
[  826.033454][ T3323]  path_mount+0x428/0xa64
[  826.033759][ T3323]  __arm64_sys_mount+0x3dc/0x48c
[  826.034074][ T3323]  invoke_syscall+0x78/0x1b8
[  826.034395][ T3323]  el0_svc_common+0xe8/0x1b0
[  826.034669][ T3323]  do_el0_svc+0x40/0x50
[  826.034927][ T3323]  el0_svc+0x54/0x14c
[  826.035200][ T3323]  el0t_64_sync_handler+0x84/0x108
[  826.035508][ T3323]  el0t_64_sync+0x198/0x19c
[  826.036111][ T3323] 
[  826.056697][ T3323] Allocated by task 3311:
[  826.057978][ T3323]  kasan_save_stack+0x40/0x6c
[  826.059332][ T3323]  save_stack_info+0x34/0x144
[  826.060617][ T3323]  kasan_save_alloc_info+0x14/0x20
[  826.061915][ T3323]  __kasan_kmalloc+0x98/0x9c
[  826.063160][ T3323]  __kmalloc_cache_noprof+0x2cc/0x434
[  826.064548][ T3323]  binderfs_binder_device_create+0x124/0x6a0
[  826.065855][ T3323]  binderfs_fill_super+0x5d4/0x814
[  826.067080][ T3323]  get_tree_nodev+0x98/0x110
[  826.068425][ T3323]  binderfs_fs_context_get_tree+0x28/0x38
[  826.069707][ T3323]  vfs_get_tree+0x68/0x1e4
[  826.070936][ T3323]  do_new_mount+0x218/0x5d8
[  826.072074][ T3323]  path_mount+0x428/0xa64
[  826.073257][ T3323]  __arm64_sys_mount+0x3dc/0x48c
[  826.074565][ T3323]  invoke_syscall+0x78/0x1b8
[  826.075661][ T3323]  el0_svc_common+0xe8/0x1b0
[  826.076822][ T3323]  do_el0_svc+0x40/0x50
[  826.077948][ T3323]  el0_svc+0x54/0x14c
[  826.079129][ T3323]  el0t_64_sync_handler+0x84/0x108
[  826.080400][ T3323]  el0t_64_sync+0x198/0x19c
[  826.081636][ T3323] 
[  826.082482][ T3323] Freed by task 3311:
[  826.083540][ T3323]  kasan_save_stack+0x40/0x6c
[  826.084760][ T3323]  save_stack_info+0x34/0x144
[  826.085944][ T3323]  kasan_save_free_info+0x18/0x24
[  826.087268][ T3323]  __kasan_slab_free+0x64/0x68
[  826.088532][ T3323]  kfree+0x14c/0x450
[  826.089690][ T3323]  binderfs_evict_inode+0x124/0x194
[  826.090829][ T3323]  evict+0x2e4/0x610
[  826.092007][ T3323]  iput+0x564/0x5d8
[  826.093164][ T3323]  dentry_unlink_inode+0x2e0/0x310
[  826.094468][ T3323]  __dentry_kill+0x130/0x3e8
[  826.095637][ T3323]  shrink_kill+0xf8/0x324
[  826.096771][ T3323]  shrink_dentry_list+0x280/0x4ec
[  826.097987][ T3323]  shrink_dcache_parent+0x88/0x21c
[  826.099210][ T3323]  do_one_tree+0x2c/0xc0
[  826.100413][ T3323]  shrink_dcache_for_umount+0x90/0x118
[  826.101686][ T3323]  generic_shutdown_super+0x50/0x214
[  826.102971][ T3323]  kill_litter_super+0x64/0x90
[  826.104131][ T3323]  binderfs_kill_super+0x3c/0x88
[  826.105368][ T3323]  deactivate_locked_super+0xa8/0x110
[  826.106659][ T3323]  deactivate_super+0xdc/0xe0
[  826.107863][ T3323]  cleanup_mnt+0x228/0x298
[  826.108963][ T3323]  __cleanup_mnt+0x20/0x30
[  826.110207][ T3323]  task_work_run+0x154/0x1c4
[  826.111442][ T3323]  do_exit+0x3b8/0x10dc
[  826.112577][ T3323]  do_group_exit+0xfc/0x13c
[  826.113743][ T3323]  get_signal+0xd1c/0xd94
[  826.114975][ T3323]  do_signal+0x17c/0x29a4
[  826.116114][ T3323]  do_notify_resume+0x7c/0x1b8
[  826.117391][ T3323]  el0_svc+0xac/0x14c
[  826.118524][ T3323]  el0t_64_sync_handler+0x84/0x108
[  826.119731][ T3323]  el0t_64_sync+0x198/0x19c
[  826.120914][ T3323] 
[  826.121735][ T3323] The buggy address belongs to the object at fff00000124ffa00
[  826.121735][ T3323]  which belongs to the cache kmalloc-512 of size 512
[  826.123768][ T3323] The buggy address is located 8 bytes inside of
[  826.123768][ T3323]  288-byte region [fff00000124ffa00, fff00000124ffb20)
[  826.125667][ T3323] 
[  826.126594][ T3323] The buggy address belongs to the physical page:
[  826.127935][ T3323] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x524ff
[  826.129767][ T3323] anon flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
[  826.131724][ T3323] page_type: f5(slab)
[  826.133354][ T3323] raw: 01ffc00000000000 28f000000a001900 0000000000000000 0000000000000001
[  826.134943][ T3323] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
[  826.136455][ T3323] page dumped because: kasan: bad access detected
[  826.137693][ T3323] 
[  826.138515][ T3323] Memory state around the buggy address:
[  826.139884][ T3323]  fff00000124ff800: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
[  826.141325][ T3323]  fff00000124ff900: 01 01 01 01 fe fe fe fe fe fe fe fe fe fe fe fe
[  826.142758][ T3323] >fff00000124ffa00: 84 84 84 84 84 84 84 84 84 84 84 84 84 84 84 84
[  826.144113][ T3323]                    ^
[  826.145224][ T3323]  fff00000124ffb00: 84 84 fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[  826.146655][ T3323]  fff00000124ffc00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[  826.148108][ T3323] ==================================================================
[  826.694541][ T3323] Disabling lock debugging due to kernel taint
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[  826.855144][   T24] audit: type=1400 audit(825.910:108): avc:  denied  { mount } for  pid=3323 comm="syz-executor" name="/" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=filesystem permissive=1

VM DIAGNOSIS:
06:53:24  Registers:
info registers vcpu 0

CPU#0
 PC=ffff8000813d8cdc X00=0000000000000003 X01=0000000000000002
X02=000000000000005a X03=ffff8000813d8bdc X04=0000000000000001
X05=0000000000000000 X06=ffff8000813d79f0 X07=ffff8000808736dc
X08=c9ff8000899cb000 X09=0000000000000030 X10=0000000000ff0100
X11=0000000000000101 X12=54f0000012538000 X13=0000000000000007
X14=0000000000000000 X15=54f0000012538a90 X16=00000000000000d8
X17=0000000000000000 X18=0000000000000003 X19=0000000000000030
X20=0000000000000002 X21=c9ff8000899cb000 X22=d8f000000b3f517a
X23=0000000000000000 X24=d8f000000b3f50c8 X25=c9ff8000899cb018
X26=d8f000000b3f52d8 X27=ffff80008976864d X28=0000000000000f01
X29=ffff80008c7f7330 X30=ffff8000813d8cd4  SP=ffff80008c7f7330
PSTATE=814020c9 N--- EL2h  SVCR=00000000 --  BTYPE=0     FPCR=00000000 FPSR=00000000
P00=0000 P01=0000 P02=0000 P03=0000 P04=0000 P05=0000 P06=0000 P07=0000
P08=0000 P09=0000 P10=0000 P11=0000 P12=0000 P13=0000 P14=0000 P15=0000
FFR=0000
Z00=007363696d6f7461:0000000000323363 Z01=f000000000000000:f00ff00ff0000000
Z02=f00ff00ff00ff00f:f00ff00ff00ff00f Z03=f0000000fffff000:f0000000fffff000
Z04=0000000000000000:0000000000000000 Z05=0000000000000000:0000000000000000
Z06=0000000000000000:0000000000000000 Z07=0000000000000000:0000000000000000
Z08=0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000
Z10=0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000
Z12=0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000
Z14=0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000
Z16=0000000000000000:0000000000000000 Z17=0000000000000000:0000000000000000
Z18=0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000
Z20=0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000
Z22=0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000
Z24=0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000
Z26=0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000
Z28=0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000
Z30=0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000