last executing test programs: 1.349074716s ago: executing program 0 (id=1): ioctl(0xffffffffffffffff, 0x0, &(0x7f0000000000)) 1.129090623s ago: executing program 1 (id=2): close(0xffffffffffffffff) 0s ago: executing program 0 (id=3): eventfd2(0x0, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:6845' (ED25519) to the list of known hosts. [ 493.838955][ T24] audit: type=1400 audit(493.270:64): avc: denied { name_bind } for pid=3282 comm="sshd" src=30001 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=1 [ 494.712265][ T24] audit: type=1400 audit(494.140:65): avc: denied { execute } for pid=3284 comm="sh" name="syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 494.735745][ T24] audit: type=1400 audit(494.170:66): avc: denied { execute_no_trans } for pid=3284 comm="sh" path="/syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 517.187303][ T24] audit: type=1400 audit(516.620:67): avc: denied { mounton } for pid=3284 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1737 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 517.211596][ T24] audit: type=1400 audit(516.640:68): avc: denied { mount } for pid=3284 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 517.294410][ T3284] cgroup: Unknown subsys name 'net' [ 517.343434][ T24] audit: type=1400 audit(516.770:69): avc: denied { unmount } for pid=3284 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 517.723015][ T3284] cgroup: Unknown subsys name 'cpuset' [ 517.806427][ T3284] cgroup: Unknown subsys name 'rlimit' [ 518.690589][ T24] audit: type=1400 audit(518.120:70): avc: denied { setattr } for pid=3284 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 518.717242][ T24] audit: type=1400 audit(518.150:71): avc: denied { create } for pid=3284 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 518.731971][ T24] audit: type=1400 audit(518.160:72): avc: denied { write } for pid=3284 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 518.741945][ T24] audit: type=1400 audit(518.170:73): avc: denied { module_request } for pid=3284 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 519.157512][ T24] audit: type=1400 audit(518.580:74): avc: denied { read } for pid=3284 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 519.207159][ T24] audit: type=1400 audit(518.640:75): avc: denied { mounton } for pid=3284 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 519.224212][ T24] audit: type=1400 audit(518.650:76): avc: denied { mount } for pid=3284 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 520.212150][ T3288] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 520.445455][ T3284] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 562.523796][ T24] kauditd_printk_skb: 4 callbacks suppressed [ 562.524051][ T24] audit: type=1400 audit(561.960:81): avc: denied { execmem } for pid=3294 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 563.051911][ T24] audit: type=1400 audit(562.480:82): avc: denied { read } for pid=3296 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 563.094983][ T24] audit: type=1400 audit(562.530:83): avc: denied { open } for pid=3296 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 563.241564][ T24] audit: type=1400 audit(562.670:84): avc: denied { mounton } for pid=3296 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 565.500735][ T24] audit: type=1400 audit(564.920:85): avc: denied { mount } for pid=3296 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 565.574447][ T24] audit: type=1400 audit(565.010:86): avc: denied { mounton } for pid=3296 comm="syz-executor" path="/syzkaller.SL08O8/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 565.652011][ T24] audit: type=1400 audit(565.080:87): avc: denied { mount } for pid=3296 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 565.790917][ T24] audit: type=1400 audit(565.210:88): avc: denied { mounton } for pid=3296 comm="syz-executor" path="/syzkaller.SL08O8/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 565.853838][ T24] audit: type=1400 audit(565.260:89): avc: denied { mounton } for pid=3297 comm="syz-executor" path="/syzkaller.rUuNXV/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=2878 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 565.953265][ T24] audit: type=1400 audit(565.370:90): avc: denied { unmount } for pid=3297 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 573.092511][ T24] kauditd_printk_skb: 9 callbacks suppressed [ 573.092786][ T24] audit: type=1400 audit(572.480:100): avc: denied { create } for pid=3304 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=user_namespace permissive=1 [ 573.281912][ T24] audit: type=1400 audit(572.710:101): avc: denied { sys_admin } for pid=3304 comm="syz-executor" capability=21 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=cap_userns permissive=1 [ 575.034005][ T3305] ================================================================== [ 575.036543][ T3305] BUG: KASAN: slab-use-after-free in binder_add_device+0xf4/0xf8 [ 575.038919][ T3305] Write of size 8 at addr b7f0000014f4e208 by task syz-executor/3305 [ 575.040116][ T3305] Pointer tag: [b7], memory tag: [a6] [ 575.041225][ T3305] [ 575.042616][ T3305] CPU: 0 UID: 0 PID: 3305 Comm: syz-executor Not tainted 6.14.0-rc2-syzkaller-g29281a76709c #0 [ 575.043122][ T3305] Hardware name: linux,dummy-virt (DT) [ 575.043573][ T3305] Call trace: [ 575.043920][ T3305] show_stack+0x2c/0x3c (C) [ 575.044472][ T3305] __dump_stack+0x30/0x40 [ 575.044831][ T3305] dump_stack_lvl+0xd8/0x12c [ 575.045105][ T3305] print_address_description+0xac/0x290 [ 575.045345][ T3305] print_report+0x84/0xa0 [ 575.045567][ T3305] kasan_report+0xb0/0x110 [ 575.045866][ T3305] kasan_tag_mismatch+0x28/0x3c [ 575.046048][ T3305] __hwasan_tag_mismatch+0x30/0x60 [ 575.046252][ T3305] binder_add_device+0xf4/0xf8 [ 575.046440][ T3305] binderfs_binder_device_create+0xbfc/0xc28 [ 575.046633][ T3305] binderfs_fill_super+0xb30/0xe20 [ 575.046837][ T3305] get_tree_nodev+0xdc/0x1cc [ 575.047085][ T3305] binderfs_fs_context_get_tree+0x28/0x38 [ 575.047274][ T3305] vfs_get_tree+0xc4/0x3cc [ 575.047560][ T3305] do_new_mount+0x2a0/0x988 [ 575.047844][ T3305] path_mount+0x650/0x101c [ 575.048088][ T3305] __arm64_sys_mount+0x36c/0x468 [ 575.048335][ T3305] invoke_syscall+0x90/0x2b4 [ 575.048577][ T3305] el0_svc_common+0x180/0x2f4 [ 575.048837][ T3305] do_el0_svc+0x58/0x74 [ 575.049071][ T3305] el0_svc+0x58/0x134 [ 575.049248][ T3305] el0t_64_sync_handler+0x78/0x108 [ 575.049428][ T3305] el0t_64_sync+0x198/0x19c [ 575.049909][ T3305] [ 575.065842][ T3305] Allocated by task 3297: [ 575.066811][ T3305] kasan_save_stack+0x40/0x6c [ 575.067827][ T3305] save_stack_info+0x30/0x138 [ 575.068683][ T3305] kasan_save_alloc_info+0x14/0x20 [ 575.069563][ T3305] __kasan_kmalloc+0x8c/0x90 [ 575.070447][ T3305] __kmalloc_cache_noprof+0x2a0/0x404 [ 575.071401][ T3305] binderfs_binder_device_create+0x1ac/0xc28 [ 575.072292][ T3305] binderfs_fill_super+0xb30/0xe20 [ 575.073139][ T3305] get_tree_nodev+0xdc/0x1cc [ 575.073995][ T3305] binderfs_fs_context_get_tree+0x28/0x38 [ 575.074865][ T3305] vfs_get_tree+0xc4/0x3cc [ 575.075745][ T3305] do_new_mount+0x2a0/0x988 [ 575.076556][ T3305] path_mount+0x650/0x101c [ 575.077447][ T3305] __arm64_sys_mount+0x36c/0x468 [ 575.078332][ T3305] invoke_syscall+0x90/0x2b4 [ 575.079203][ T3305] el0_svc_common+0x180/0x2f4 [ 575.080068][ T3305] do_el0_svc+0x58/0x74 [ 575.080880][ T3305] el0_svc+0x58/0x134 [ 575.081667][ T3305] el0t_64_sync_handler+0x78/0x108 [ 575.082504][ T3305] el0t_64_sync+0x198/0x19c [ 575.083373][ T3305] [ 575.083998][ T3305] Freed by task 3297: [ 575.084694][ T3305] kasan_save_stack+0x40/0x6c [ 575.085524][ T3305] save_stack_info+0x30/0x138 [ 575.086335][ T3305] kasan_save_free_info+0x18/0x24 [ 575.087213][ T3305] __kasan_slab_free+0x64/0x68 [ 575.088110][ T3305] kfree+0x148/0x44c [ 575.088942][ T3305] binderfs_evict_inode+0x1e8/0x2b8 [ 575.089793][ T3305] evict+0x4d4/0xbe8 [ 575.090546][ T3305] iput+0x928/0x9e0 [ 575.091368][ T3305] dentry_unlink_inode+0x624/0x660 [ 575.092324][ T3305] __dentry_kill+0x224/0x808 [ 575.093159][ T3305] shrink_kill+0xd4/0x2cc [ 575.093931][ T3305] shrink_dentry_list+0x420/0x970 [ 575.094808][ T3305] shrink_dcache_parent+0x80/0x200 [ 575.095739][ T3305] do_one_tree+0x2c/0x148 [ 575.096522][ T3305] shrink_dcache_for_umount+0xb0/0x198 [ 575.097376][ T3305] generic_shutdown_super+0x84/0x424 [ 575.098239][ T3305] kill_litter_super+0xa4/0xdc [ 575.099070][ T3305] binderfs_kill_super+0x50/0xcc [ 575.099941][ T3305] deactivate_locked_super+0xf0/0x17c [ 575.100847][ T3305] deactivate_super+0xf4/0x104 [ 575.101708][ T3305] cleanup_mnt+0x3fc/0x484 [ 575.102551][ T3305] __cleanup_mnt+0x20/0x30 [ 575.103406][ T3305] task_work_run+0x1bc/0x254 [ 575.104317][ T3305] do_exit+0x740/0x23b0 [ 575.105062][ T3305] do_group_exit+0x1d4/0x2ac [ 575.105860][ T3305] get_signal+0x1440/0x1554 [ 575.106607][ T3305] do_signal+0x23c/0x3ecc [ 575.107467][ T3305] do_notify_resume+0x78/0x27c [ 575.108319][ T3305] el0_svc+0xb0/0x134 [ 575.109046][ T3305] el0t_64_sync_handler+0x78/0x108 [ 575.109881][ T3305] el0t_64_sync+0x198/0x19c [ 575.110710][ T3305] [ 575.111297][ T3305] The buggy address belongs to the object at fff0000014f4e200 [ 575.111297][ T3305] which belongs to the cache kmalloc-512 of size 512 [ 575.112788][ T3305] The buggy address is located 8 bytes inside of [ 575.112788][ T3305] 272-byte region [fff0000014f4e200, fff0000014f4e310) [ 575.114075][ T3305] [ 575.114720][ T3305] The buggy address belongs to the physical page: [ 575.115867][ T3305] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x54f4e [ 575.117216][ T3305] anon flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0) [ 575.118741][ T3305] page_type: f5(slab) [ 575.120033][ T3305] raw: 01ffc00000000000 7ef000000c801900 0000000000000000 0000000000000001 [ 575.121118][ T3305] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 [ 575.122263][ T3305] page dumped because: kasan: bad access detected [ 575.123135][ T3305] [ 575.123760][ T3305] Memory state around the buggy address: [ 575.124841][ T3305] fff0000014f4e000: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 [ 575.125846][ T3305] fff0000014f4e100: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 [ 575.126832][ T3305] >fff0000014f4e200: a6 a6 a6 a6 a6 a6 a6 a6 a6 a6 a6 a6 a6 a6 a6 a6 [ 575.127799][ T3305] ^ [ 575.128651][ T3305] fff0000014f4e300: a6 fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 575.129611][ T3305] fff0000014f4e400: 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 35 [ 575.130711][ T3305] ================================================================== SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 575.821401][ T3305] Disabling lock debugging due to kernel taint [ 575.866098][ T24] audit: type=1400 audit(575.300:102): avc: denied { mount } for pid=3305 comm="syz-executor" name="/" dev="fusectl" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fusefs_t tclass=filesystem permissive=1 [ 576.158907][ T24] audit: type=1400 audit(575.590:103): avc: denied { sys_chroot } for pid=3306 comm="syz-executor" capability=18 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=cap_userns permissive=1 VM DIAGNOSIS: 20:42:19 Registers: info registers vcpu 0 CPU#0 PC=ffff80008047d714 X00=0000000000000000 X01=0000000000000080 X02=0000000000000001 X03=ffff80008047d664 X04=ffff80008709b88e X05=ffff80008f0f7478 X06=ffff8000864c4768 X07=ffff800080d9cffc X08=00000000000000c0 X09=0000000000000000 X10=0000000000ff0100 X11=ffff800087632eb8 X12=00000000000000fe X13=00000085e30fd588 X14=0000000000000000 X15=0000000000000063 X16=00000000000000a6 X17=00000000000000b7 X18=0000000000000063 X19=efff800000000000 X20=ffff80008f0f74e0 X21=00000000000000ff X22=00000000000000c0 X23=00000000ffffe37b X24=80000000ffffe37b X25=00000000000000c0 X26=0000000000000000 X27=0000000000000000 X28=0000000000000027 X29=ffff80008f0f73e0 X30=ffff80008047d6f0 SP=ffff80008f0f73d0 PSTATE=614020c9 -ZC- EL2h SVCR=00000000 -- BTYPE=0 FPCR=00000000 FPSR=00000000 P00=0000 P01=0000 P02=0000 P03=0000 P04=0000 P05=0000 P06=0000 P07=0000 P08=0000 P09=0000 P10=0000 P11=0000 P12=0000 P13=0000 P14=0000 P15=0000 FFR=0000 Z00=2525252525252525:2525252525252525 Z01=0000303030303031:0000000000000a64 Z02=0000000000000000:0000000000000000 Z03=ffff000000000000:ffffffffffff0000 Z04=0000000000000000:ff000000ffffff00 Z05=0000000000000000:0000000000000000 Z06=0000000000000000:0000000000000000 Z07=0000000000000000:0000000000000000 Z08=0000000000000000:0000000000000000 Z09=0000000000000000:0000000000000000 Z10=0000000000000000:0000000000000000 Z11=0000000000000000:0000000000000000 Z12=0000000000000000:0000000000000000 Z13=0000000000000000:0000000000000000 Z14=0000000000000000:0000000000000000 Z15=0000000000000000:0000000000000000 Z16=0000ffff9ae9ff60:0000ffff9ae9ff60 Z17=ffffff80ffffffd0:0000ffff9ae9ff30 Z18=0000000000000000:0000000000000000 Z19=0000000000000000:0000000000000000 Z20=0000000000000000:0000000000000000 Z21=0000000000000000:0000000000000000 Z22=0000000000000000:0000000000000000 Z23=0000000000000000:0000000000000000 Z24=0000000000000000:0000000000000000 Z25=0000000000000000:0000000000000000 Z26=0000000000000000:0000000000000000 Z27=0000000000000000:0000000000000000 Z28=0000000000000000:0000000000000000 Z29=0000000000000000:0000000000000000 Z30=0000000000000000:0000000000000000 Z31=0000000000000000:0000000000000000