Warning: Permanently added '10.128.15.209' (ED25519) to the list of known hosts.
2025/05/25 02:00:27 ignoring optional flag "sandboxArg"="0"
2025/05/25 02:00:28 parsed 1 programs
[ 67.540438][ T2472] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 68.270588][ T1373] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 68.279236][ T1373] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 68.286808][ T1373] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 68.294454][ T1373] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 68.302351][ T1373] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 68.309599][ T1373] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 68.987885][ T2485] chnl_net:caif_netlink_parms(): no params data found
[ 70.619843][ T2485] 8021q: adding VLAN 0 to HW filter on device bond0
[ 71.616559][ T2485] 8021q: adding VLAN 0 to HW filter on device batadv0
2025/05/25 02:00:34 executed programs: 0
[ 73.377703][ T1373] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 73.385458][ T1373] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 73.392935][ T1373] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 73.400094][ T1373] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 73.412038][ T1373] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 73.423332][ T2976] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 73.431572][ T2976] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 73.438205][ T2981] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 73.438895][ T2976] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 73.446773][ T2981] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 73.453158][ T2976] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 73.460280][ T2981] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 73.471017][ T2976] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 73.475019][ T2981] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 73.488343][ T2981] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 73.489061][ T2492] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 73.495961][ T2981] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 73.503439][ T2492] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 73.516953][ T2981] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 73.517431][ T2492] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 73.524265][ T2981] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 73.532246][ T2492] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 73.546290][ T48] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 73.551822][ T2981] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 73.553751][ T48] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 73.571478][ T2981] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 73.579643][ T2981] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 73.606897][ T2970] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 73.620520][ T2492] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 73.628799][ T2492] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 73.845043][ T1169] bond0 (unregistering): Released all slaves
[ 74.290623][ T2969] chnl_net:caif_netlink_parms(): no params data found
[ 74.322290][ T2966] chnl_net:caif_netlink_parms(): no params data found
[ 74.361571][ T2978] chnl_net:caif_netlink_parms(): no params data found
[ 74.395405][ T2975] chnl_net:caif_netlink_parms(): no params data found
[ 74.443003][ T2974] chnl_net:caif_netlink_parms(): no params data found
[ 75.571426][ T2492] Bluetooth: hci4: command tx timeout
[ 75.576878][ T1373] Bluetooth: hci1: command tx timeout
[ 75.652268][ T2492] Bluetooth: hci2: command tx timeout
[ 75.657720][ T1373] Bluetooth: hci3: command tx timeout
[ 75.664062][ T2970] Bluetooth: hci0: command tx timeout
[ 77.654800][ T2492] Bluetooth: hci4: command tx timeout
[ 77.660245][ T2492] Bluetooth: hci1: command tx timeout
[ 77.731609][ T1373] Bluetooth: hci2: command tx timeout
[ 77.734618][ T2492] Bluetooth: hci3: command tx timeout
[ 77.737011][ T1373] Bluetooth: hci0: command tx timeout
[ 79.731393][ T1373] Bluetooth: hci1: command tx timeout
[ 79.732921][ T2492] Bluetooth: hci4: command tx timeout
[ 79.811396][ T2492] Bluetooth: hci0: command tx timeout
[ 79.811415][ T1373] Bluetooth: hci3: command tx timeout
[ 79.816810][ T2970] Bluetooth: hci2: command tx timeout
[ 80.493610][ T2966] 8021q: adding VLAN 0 to HW filter on device bond0
[ 80.519817][ T2969] 8021q: adding VLAN 0 to HW filter on device bond0
[ 80.689779][ T2978] 8021q: adding VLAN 0 to HW filter on device bond0
[ 80.746775][ T2975] 8021q: adding VLAN 0 to HW filter on device bond0
[ 80.930051][ T2974] 8021q: adding VLAN 0 to HW filter on device bond0
[ 81.813295][ T2970] Bluetooth: hci1: command tx timeout
[ 81.813316][ T1373] Bluetooth: hci4: command tx timeout
[ 81.893941][ T1373] Bluetooth: hci3: command tx timeout
[ 81.896452][ T2970] Bluetooth: hci2: command tx timeout
[ 81.899354][ T2492] Bluetooth: hci0: command tx timeout
[ 84.567089][ T2966] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 84.585925][ T2969] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 84.895038][ T2975] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 84.959399][ T2978] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 85.075683][ T2974] 8021q: adding VLAN 0 to HW filter on device batadv0
2025/05/25 02:00:53 executed programs: 10
[ 92.181684][ T4948] binder: 4946:4948 ioctl c0046209 0 returned -22
[ 92.369073][ T4973] binder: 4971:4973 ioctl c0046209 0 returned -22
[ 92.445285][ T4985] binder: 4982:4985 ioctl c0046209 0 returned -22
[ 92.529526][ T5003] binder: 4998:5003 ioctl c0046209 0 returned -22
[ 92.551836][ T4998] ==================================================================
[ 92.559950][ T4998] BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x1ac/0x280
[ 92.568217][ T4998] Write of size 8 at addr ffff88810f3ab408 by task syz.3.19/4998
[ 92.575929][ T4998]
[ 92.578266][ T4998] CPU: 0 UID: 0 PID: 4998 Comm: syz.3.19 Not tainted 6.13.0-rc3-syzkaller #0
[ 92.587016][ T4998] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 92.597157][ T4998] Call Trace:
[ 92.600447][ T4998]
[ 92.603379][ T4998] dump_stack_lvl+0xf5/0x170
[ 92.607965][ T4998] ? __pfx_dump_stack_lvl+0x10/0x10
[ 92.613174][ T4998] ? __pfx__printk+0x10/0x10
[ 92.617758][ T4998] ? _raw_spin_lock_irqsave+0xa6/0xe0
[ 92.623110][ T4998] ? __virt_addr_valid+0x142/0x270
[ 92.628193][ T4998] ? __virt_addr_valid+0x223/0x270
[ 92.633275][ T4998] print_report+0xac/0x230
[ 92.637662][ T4998] ? binderfs_evict_inode+0x1ac/0x280
[ 92.643005][ T4998] kasan_report+0x118/0x150
[ 92.647480][ T4998] ? binderfs_evict_inode+0x1ac/0x280
[ 92.652823][ T4998] binderfs_evict_inode+0x1ac/0x280
[ 92.657994][ T4998] evict+0x440/0x940
[ 92.661879][ T4998] ? iput+0x476/0x6a0
[ 92.665834][ T4998] ? __pfx_evict+0x10/0x10
[ 92.670244][ T4998] ? do_raw_spin_unlock+0x122/0x240
[ 92.675417][ T4998] ? _raw_spin_unlock+0x28/0x50
[ 92.680244][ T4998] ? iput+0x476/0x6a0
[ 92.684248][ T4998] __dentry_kill+0x194/0x5c0
[ 92.689245][ T4998] ? shrink_kill+0xd/0xa0
[ 92.693555][ T4998] shrink_kill+0x29/0xa0
[ 92.697768][ T4998] shrink_dentry_list+0x1b4/0x410
[ 92.702766][ T4998] shrink_dcache_parent+0xa2/0x1d0
[ 92.707918][ T4998] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 92.713275][ T4998] ? __pfx_shrink_dcache_parent+0x10/0x10
[ 92.718972][ T4998] ? d_walk+0x3ff/0x540
[ 92.723097][ T4998] ? _raw_spin_unlock+0x28/0x50
[ 92.728182][ T4998] do_one_tree+0x1b/0xd0
[ 92.732396][ T4998] shrink_dcache_for_umount+0x6f/0x100
[ 92.737830][ T4998] generic_shutdown_super+0x61/0x260
[ 92.743094][ T4998] kill_anon_super+0x3f/0x1f0
[ 92.747745][ T4998] binderfs_kill_super+0x40/0x80
[ 92.752655][ T4998] deactivate_locked_super+0x9b/0x390
[ 92.758000][ T4998] cleanup_mnt+0x114/0x300
[ 92.762388][ T4998] ? do_raw_spin_unlock+0x122/0x240
[ 92.767556][ T4998] task_work_run+0x14a/0x1e0
[ 92.772116][ T4998] ? __pfx_task_work_run+0x10/0x10
[ 92.777206][ T4998] ? __pfx___se_sys_close_range+0x10/0x10
[ 92.782897][ T4998] resume_user_mode_work+0x52/0x60
[ 92.787987][ T4998] syscall_exit_to_user_mode+0x77/0xc0
[ 92.793419][ T4998] do_syscall_64+0x9c/0x170
[ 92.797980][ T4998] ? fpregs_assert_state_consistent+0x48/0x60
[ 92.804058][ T4998] ? clear_bhb_loop+0x55/0xb0
[ 92.808804][ T4998] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 92.814682][ T4998] RIP: 0033:0x7fbdfc78e969
[ 92.819086][ T4998] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 92.838751][ T4998] RSP: 002b:00007ffeb5bffff8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[ 92.847149][ T4998] RAX: 0000000000000000 RBX: 0000000000016950 RCX: 00007fbdfc78e969
[ 92.855093][ T4998] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[ 92.863045][ T4998] RBP: 00007fbdfc9b7ba0 R08: 0000000000000001 R09: 00000006b5c002ef
[ 92.871077][ T4998] R10: 00007fbdfc600000 R11: 0000000000000246 R12: 00007fbdfc9b5fac
[ 92.879117][ T4998] R13: 00007fbdfc9b5fa0 R14: ffffffffffffffff R15: 00007ffeb5c00110
[ 92.887069][ T4998]
[ 92.890076][ T4998]
[ 92.892388][ T4998] Allocated by task 2975:
[ 92.896786][ T4998] kasan_save_track+0x3e/0x80
[ 92.901444][ T4998] __kasan_kmalloc+0x93/0xb0
[ 92.906006][ T4998] __kmalloc_cache_noprof+0x221/0x410
[ 92.911361][ T4998] binderfs_binder_device_create+0x14e/0x970
[ 92.917493][ T4998] binderfs_fill_super+0x926/0xd00
[ 92.922583][ T4998] get_tree_nodev+0xa4/0x120
[ 92.927257][ T4998] vfs_get_tree+0x84/0x1a0
[ 92.931645][ T4998] do_new_mount+0x1c9/0x850
[ 92.936117][ T4998] __se_sys_mount+0x21c/0x2c0
[ 92.940772][ T4998] do_syscall_64+0x8f/0x170
[ 92.945427][ T4998] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 92.951295][ T4998]
[ 92.953593][ T4998] Freed by task 8:
[ 92.957281][ T4998] kasan_save_track+0x3e/0x80
[ 92.961929][ T4998] kasan_save_free_info+0x46/0x50
[ 92.966935][ T4998] __kasan_slab_free+0x62/0x70
[ 92.971678][ T4998] kfree+0x17a/0x3e0
[ 92.975547][ T4998] binder_proc_dec_tmpref+0x1e5/0x420
[ 92.980896][ T4998] binder_deferred_func+0xef/0x1360
[ 92.986092][ T4998] process_scheduled_works+0x989/0x12d0
[ 92.991619][ T4998] worker_thread+0x850/0xc50
[ 92.996215][ T4998] kthread+0x235/0x290
[ 93.000255][ T4998] ret_from_fork+0x32/0x70
[ 93.004647][ T4998] ret_from_fork_asm+0x1a/0x30
[ 93.009382][ T4998]
[ 93.011767][ T4998] The buggy address belongs to the object at ffff88810f3ab400
[ 93.011767][ T4998] which belongs to the cache kmalloc-512 of size 512
[ 93.025788][ T4998] The buggy address is located 8 bytes inside of
[ 93.025788][ T4998] freed 512-byte region [ffff88810f3ab400, ffff88810f3ab600)
[ 93.039380][ T4998]
[ 93.041685][ T4998] The buggy address belongs to the physical page:
[ 93.048094][ T4998] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10f3a8
[ 93.056921][ T4998] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 93.065387][ T4998] flags: 0x100000000000040(head|node=0|zone=2)
[ 93.071517][ T4998] page_type: f5(slab)
[ 93.075465][ T4998] raw: 0100000000000040 ffff888100041c80 ffffea0004481700 dead000000000002
[ 93.084017][ T4998] raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
[ 93.092572][ T4998] head: 0100000000000040 ffff888100041c80 ffffea0004481700 dead000000000002
[ 93.101210][ T4998] head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
[ 93.109849][ T4998] head: 0100000000000002 ffffea00043cea01 ffffffffffffffff 0000000000000000
[ 93.118486][ T4998] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 93.127131][ T4998] page dumped because: kasan: bad access detected
[ 93.133519][ T4998] page_owner tracks the page as allocated
[ 93.139203][ T4998] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1414, tgid 1414 (S02acpid), ts 7496181167, free_ts 4922515553
[ 93.159671][ T4998] post_alloc_hook+0xf2/0x120
[ 93.164355][ T4998] get_page_from_freelist+0x3799/0x38a0
[ 93.169870][ T4998] __alloc_pages_noprof+0x1e4/0x430
[ 93.175047][ T4998] alloc_pages_mpol_noprof+0x1d5/0x380
[ 93.180475][ T4998] alloc_slab_page+0x5d/0x110
[ 93.185123][ T4998] allocate_slab+0x5d/0x260
[ 93.189595][ T4998] ___slab_alloc+0x9de/0x10e0
[ 93.194241][ T4998] __kmalloc_noprof+0x2ea/0x500
[ 93.199059][ T4998] tomoyo_init_log+0x178f/0x1cf0
[ 93.203966][ T4998] tomoyo_supervisor+0x2d3/0xdd0
[ 93.208874][ T4998] tomoyo_check_open_permission+0x28f/0x520
[ 93.214839][ T4998] security_file_open+0x45/0xd0
[ 93.219745][ T4998] do_dentry_open+0x2fd/0x1060
[ 93.224508][ T4998] vfs_open+0x36/0x2b0
[ 93.228546][ T4998] path_openat+0x23b7/0x2b80
[ 93.233107][ T4998] do_filp_open+0x1e2/0x3c0
[ 93.237579][ T4998] page last free pid 43 tgid 43 stack trace:
[ 93.243527][ T4998] free_unref_page+0xa87/0xc60
[ 93.248262][ T4998] vfree+0x103/0x200
[ 93.252132][ T4998] delayed_vfree_work+0x3c/0x70
[ 93.256949][ T4998] process_scheduled_works+0x989/0x12d0
[ 93.262468][ T4998] worker_thread+0x850/0xc50
[ 93.267036][ T4998] kthread+0x235/0x290
[ 93.271163][ T4998] ret_from_fork+0x32/0x70
[ 93.275550][ T4998] ret_from_fork_asm+0x1a/0x30
[ 93.280370][ T4998]
[ 93.282683][ T4998] Memory state around the buggy address:
[ 93.288280][ T4998] ffff88810f3ab300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 93.296313][ T4998] ffff88810f3ab380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 93.304431][ T4998] >ffff88810f3ab400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 93.312462][ T4998] ^
[ 93.316936][ T4998] ffff88810f3ab480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 93.324998][ T4998] ffff88810f3ab500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 93.333028][ T4998] ==================================================================
[ 93.341558][ T4998] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 93.348982][ T4998] Kernel Offset: disabled
[ 93.353291][ T4998] Rebooting in 86400 seconds..