last executing test programs:

135.090054ms ago: executing program 0 (id=255): sched_setaffinity(0x0, 0x0, &(0x7f0000000000))
134.973956ms ago: executing program 2 (id=256): readlink(&(0x7f0000000000), &(0x7f0000000000), 0x0)
134.747846ms ago: executing program 3 (id=259): fchmod(0xffffffffffffffff, 0x0)
134.566161ms ago: executing program 0 (id=260): getsockname(0xffffffffffffffff, &(0x7f0000000000), &(0x7f0000000000))
134.498917ms ago: executing program 1 (id=261): mbind(0x0, 0x0, 0x0, &(0x7f0000000000), 0x0, 0x0)
134.456555ms ago: executing program 2 (id=262): pselect6(0x0, &(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000))
75.281001ms ago: executing program 3 (id=263): unlinkat(0xffffffffffffffff, &(0x7f0000000000), 0x0)
75.172249ms ago: executing program 0 (id=264): cachestat(0xffffffffffffffff, &(0x7f0000000000), &(0x7f0000000000), 0x0)
74.99255ms ago: executing program 1 (id=265): map_shadow_stack(0x0, 0x0, 0x0)
74.960394ms ago: executing program 2 (id=266): listen(0xffffffffffffffff, 0x0)
74.920381ms ago: executing program 3 (id=267): setreuid(0x0, 0x0)
74.8863ms ago: executing program 0 (id=268): io_cancel(0x0, &(0x7f0000000000), &(0x7f0000000000))
74.8295ms ago: executing program 1 (id=269): times(&(0x7f0000000000))
69.417609ms ago: executing program 3 (id=270): getegid()
69.111215ms ago: executing program 2 (id=271): pread64(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0)
53.262505ms ago: executing program 1 (id=272): utimensat(0xffffffffffffffff, &(0x7f0000000000), &(0x7f0000000000), 0x0)
935.075µs ago: executing program 0 (id=273): acct(0x0)
725.608µs ago: executing program 3 (id=274): shmdt(0x0)
651.232µs ago: executing program 2 (id=275): execveat(0xffffffffffffffff, &(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000), 0x0)
472.187µs ago: executing program 1 (id=276): pivot_root(&(0x7f0000000000), &(0x7f0000000000))
251.336µs ago: executing program 3 (id=277): preadv2(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0, 0x0, 0x0)
174.497µs ago: executing program 0 (id=278): mkdir(&(0x7f0000000000), 0x0)
115.312µs ago: executing program 1 (id=279): getgroups(0x0, &(0x7f0000000000))
0s ago: executing program 2 (id=280): splice(0xffffffffffffffff, &(0x7f0000000000), 0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0)

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.1.13' (ED25519) to the list of known hosts.
[ 65.045525][ T5820] cgroup: Unknown subsys name 'net'
[ 65.162204][ T5820] cgroup: Unknown subsys name 'cpuset'
[ 65.171742][ T5820] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 66.692561][ T5820] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 69.977581][ T6072] mmap: syz.0.230 (6072) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst.
[ 70.550616][ T5889] ==================================================================
[ 70.558725][ T5889] BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x335/0x340
[ 70.566914][ T5889] Write of size 8 at addr ffff8880290d5c08 by task syz.1.52/5889
[ 70.574652][ T5889]
[ 70.576997][ T5889] CPU: 0 UID: 0 PID: 5889 Comm: syz.1.52 Not tainted 6.14.0-rc6-syzkaller-00016-g0fed89a961ea #0
[ 70.577025][ T5889] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 70.577041][ T5889] Call Trace:
[ 70.577049][ T5889]
[ 70.577058][ T5889] dump_stack_lvl+0x116/0x1f0
[ 70.577104][ T5889] print_report+0xc3/0x670
[ 70.577126][ T5889] ? __virt_addr_valid+0x5e/0x590
[ 70.577149][ T5889] ? __phys_addr+0xc6/0x150
[ 70.577172][ T5889] kasan_report+0xd9/0x110
[ 70.577193][ T5889] ? binderfs_evict_inode+0x335/0x340
[ 70.577227][ T5889] ? binderfs_evict_inode+0x335/0x340
[ 70.577262][ T5889] ? __pfx_binderfs_evict_inode+0x10/0x10
[ 70.577294][ T5889] binderfs_evict_inode+0x335/0x340
[ 70.577326][ T5889] evict+0x409/0x960
[ 70.577351][ T5889] ? __pfx_evict+0x10/0x10
[ 70.577380][ T5889] iput+0x52a/0x890
[ 70.577405][ T5889] dentry_unlink_inode+0x29c/0x480
[ 70.577436][ T5889] __dentry_kill+0x1d0/0x600
[ 70.577459][ T5889] ? shrink_dentry_list+0x11a/0x5d0
[ 70.577487][ T5889] shrink_dentry_list+0x140/0x5d0
[ 70.577515][ T5889] ? shrink_dcache_parent+0x75/0x530
[ 70.577542][ T5889] shrink_dcache_parent+0xe2/0x530
[ 70.577569][ T5889] ? __pfx_shrink_dcache_parent+0x10/0x10
[ 70.577602][ T5889] shrink_dcache_for_umount+0xa1/0x3e0
[ 70.577632][ T5889] generic_shutdown_super+0x6c/0x390
[ 70.577660][ T5889] kill_litter_super+0x70/0xa0
[ 70.577687][ T5889] binderfs_kill_super+0x3b/0xa0
[ 70.577717][ T5889] deactivate_locked_super+0xbe/0x1a0
[ 70.577746][ T5889] deactivate_super+0xde/0x100
[ 70.577775][ T5889] cleanup_mnt+0x222/0x450
[ 70.577804][ T5889] task_work_run+0x14e/0x250
[ 70.577834][ T5889] ? __pfx_task_work_run+0x10/0x10
[ 70.577862][ T5889] ? __put_net+0x3a/0x70
[ 70.577887][ T5889] do_exit+0xad8/0x2d70
[ 70.577913][ T5889] ? proc_coredump_connector+0x2d2/0x4f0
[ 70.577947][ T5889] ? __pfx_do_exit+0x10/0x10
[ 70.577975][ T5889] do_group_exit+0xd3/0x2a0
[ 70.577999][ T5889] get_signal+0x24ed/0x26c0
[ 70.578036][ T5889] ? force_sig_fault+0xc5/0x110
[ 70.578068][ T5889] ? __pfx_get_signal+0x10/0x10
[ 70.578104][ T5889] arch_do_signal_or_restart+0x90/0x7e0
[ 70.578132][ T5889] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 70.578157][ T5889] ? __bad_area_nosemaphore+0x334/0x6a0
[ 70.578189][ T5889] ? do_user_addr_fault+0x920/0x13f0
[ 70.578222][ T5889] irqentry_exit_to_user_mode+0x13f/0x280
[ 70.578255][ T5889] asm_exc_page_fault+0x26/0x30
[ 70.578286][ T5889] RIP: 0033:0x0
[ 70.578301][ T5889] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[ 70.578312][ T5889] RSP: 002b:0000400000000008 EFLAGS: 00010217
[ 70.578331][ T5889] RAX: 0000000000000000 RBX: 00007f566aba5fa0 RCX: 00007f566a98d169
[ 70.578346][ T5889] RDX: 0000400000000000 RSI: 0000400000000000 RDI: 0000000000000000
[ 70.578361][ T5889] RBP: 00007f566aa0e2a0 R08: 0000400000000000 R09: 0000000000000000
[ 70.578376][ T5889] R10: 0000400000000000 R11: 0000000000000246 R12: 0000000000000000
[ 70.578390][ T5889] R13: 00007f566aba5fa0 R14: 00007f566aba5fa0 R15: 0000000000000005
[ 70.578418][ T5889]
[ 70.578426][ T5889]
[ 70.875287][ T5889] Allocated by task 5829:
[ 70.879611][ T5889] kasan_save_stack+0x33/0x60
[ 70.884296][ T5889] kasan_save_track+0x14/0x30
[ 70.888975][ T5889] __kasan_kmalloc+0xaa/0xb0
[ 70.893564][ T5889] binderfs_binder_device_create.isra.0+0x17a/0xb70
[ 70.900156][ T5889] binderfs_fill_super+0x8d6/0x1360
[ 70.905358][ T5889] get_tree_nodev+0xda/0x190
[ 70.909959][ T5889] vfs_get_tree+0x8b/0x340
[ 70.914632][ T5889] path_mount+0x14e6/0x1f10
[ 70.919126][ T5889] __x64_sys_mount+0x28f/0x310
[ 70.923882][ T5889] do_syscall_64+0xcd/0x250
[ 70.928392][ T5889] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.934288][ T5889]
[ 70.936600][ T5889] Freed by task 5829:
[ 70.940566][ T5889] kasan_save_stack+0x33/0x60
[ 70.945247][ T5889] kasan_save_track+0x14/0x30
[ 70.949925][ T5889] kasan_save_free_info+0x3b/0x60
[ 70.954946][ T5889] __kasan_slab_free+0x51/0x70
[ 70.959711][ T5889] kfree+0x2c4/0x4d0
[ 70.963603][ T5889] binderfs_evict_inode+0x29f/0x340
[ 70.968803][ T5889] evict+0x409/0x960
[ 70.972692][ T5889] iput+0x52a/0x890
[ 70.976495][ T5889] dentry_unlink_inode+0x29c/0x480
[ 70.981600][ T5889] __dentry_kill+0x1d0/0x600
[ 70.986184][ T5889] shrink_dentry_list+0x140/0x5d0
[ 70.991208][ T5889] shrink_dcache_parent+0xe2/0x530
[ 70.996350][ T5889] shrink_dcache_for_umount+0xa1/0x3e0
[ 71.001816][ T5889] generic_shutdown_super+0x6c/0x390
[ 71.007105][ T5889] kill_litter_super+0x70/0xa0
[ 71.011869][ T5889] binderfs_kill_super+0x3b/0xa0
[ 71.016811][ T5889] deactivate_locked_super+0xbe/0x1a0
[ 71.022181][ T5889] deactivate_super+0xde/0x100
[ 71.026944][ T5889] cleanup_mnt+0x222/0x450
[ 71.031359][ T5889] task_work_run+0x14e/0x250
[ 71.035953][ T5889] do_exit+0xad8/0x2d70
[ 71.040108][ T5889] do_group_exit+0xd3/0x2a0
[ 71.044608][ T5889] get_signal+0x24ed/0x26c0
[ 71.049110][ T5889] arch_do_signal_or_restart+0x90/0x7e0
[ 71.054677][ T5889] syscall_exit_to_user_mode+0x150/0x2a0
[ 71.060314][ T5889] do_syscall_64+0xda/0x250
[ 71.064817][ T5889] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 71.070710][ T5889]
[ 71.073036][ T5889] The buggy address belongs to the object at ffff8880290d5c00
[ 71.073036][ T5889]  which belongs to the cache kmalloc-512 of size 512
[ 71.087095][ T5889] The buggy address is located 8 bytes inside of
[ 71.087095][ T5889]  freed 512-byte region [ffff8880290d5c00, ffff8880290d5e00)
[ 71.100892][ T5889]
[ 71.103212][ T5889] The buggy address belongs to the physical page:
[ 71.109622][ T5889] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff8880290d5800 pfn:0x290d4
[ 71.119683][ T5889] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 71.128175][ T5889] anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 71.136157][ T5889] page_type: f5(slab)
[ 71.140177][ T5889] raw: 00fff00000000040 ffff88801b041c80 0000000000000000 dead000000000001
[ 71.148757][ T5889] raw: ffff8880290d5800 000000000010000f 00000000f5000000 0000000000000000
[ 71.157376][ T5889] head: 00fff00000000040 ffff88801b041c80 0000000000000000 dead000000000001
[ 71.166178][ T5889] head: ffff8880290d5800 000000000010000f 00000000f5000000 0000000000000000
[ 71.174854][ T5889] head: 00fff00000000002 ffffea0000a43501 ffffffffffffffff 0000000000000000
[ 71.183516][ T5889] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 71.192196][ T5889] page dumped because: kasan: bad access detected
[ 71.198611][ T5889] page_owner tracks the page as allocated
[ 71.204320][ T5889] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5222, tgid 5222 (udevadm), ts 30673243450, free_ts 30319293045
[ 71.225252][ T5889] post_alloc_hook+0x181/0x1b0
[ 71.230032][ T5889] get_page_from_freelist+0xfce/0x2f80
[ 71.235517][ T5889] __alloc_frozen_pages_noprof+0x221/0x2470
[ 71.241421][ T5889] alloc_pages_mpol+0x1fc/0x540
[ 71.246264][ T5889] new_slab+0x23d/0x330
[ 71.250420][ T5889] ___slab_alloc+0xc5d/0x1720
[ 71.255093][ T5889] __slab_alloc.constprop.0+0x56/0xb0
[ 71.260471][ T5889] __kmalloc_cache_noprof+0xfa/0x410
[ 71.265761][ T5889] kernfs_fop_open+0x28b/0xdb0
[ 71.270518][ T5889] do_dentry_open+0x735/0x1c40
[ 71.275280][ T5889] vfs_open+0x82/0x3f0
[ 71.279374][ T5889] path_openat+0x1e88/0x2d80
[ 71.284055][ T5889] do_filp_open+0x20c/0x470
[ 71.288581][ T5889] do_sys_openat2+0x17a/0x1e0
[ 71.293260][ T5889] __x64_sys_openat+0x175/0x210
[ 71.298111][ T5889] do_syscall_64+0xcd/0x250
[ 71.302617][ T5889] page last free pid 25 tgid 25 stack trace:
[ 71.308594][ T5889] free_frozen_pages+0x6db/0xfb0
[ 71.313537][ T5889] rcu_core+0x79d/0x14d0
[ 71.317770][ T5889] handle_softirqs+0x213/0x8f0
[ 71.322534][ T5889] run_ksoftirqd+0x3a/0x60
[ 71.326950][ T5889] smpboot_thread_fn+0x661/0xa30
[ 71.331884][ T5889] kthread+0x3af/0x750
[ 71.335951][ T5889] ret_from_fork+0x45/0x80
[ 71.340370][ T5889] ret_from_fork_asm+0x1a/0x30
[ 71.345135][ T5889]
[ 71.347458][ T5889] Memory state around the buggy address:
[ 71.353085][ T5889]  ffff8880290d5b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 71.361149][ T5889]  ffff8880290d5b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 71.369381][ T5889] >ffff8880290d5c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.377433][ T5889]                    ^
[ 71.381748][ T5889]  ffff8880290d5c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.389802][ T5889]  ffff8880290d5d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[ 71.397850][ T5889] ==================================================================
[ 71.503518][ T5889] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 71.510758][ T5889] CPU: 0 UID: 0 PID: 5889 Comm: syz.1.52 Not tainted 6.14.0-rc6-syzkaller-00016-g0fed89a961ea #0
[ 71.521280][ T5889] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 71.531443][ T5889] Call Trace:
[ 71.534739][ T5889]
[ 71.537699][ T5889] dump_stack_lvl+0x3d/0x1f0
[ 71.542322][ T5889] panic+0x71d/0x800
[ 71.546276][ T5889] ? __pfx_panic+0x10/0x10
[ 71.550726][ T5889] ? preempt_schedule_thunk+0x1a/0x30
[ 71.556129][ T5889] ? preempt_schedule_common+0x44/0xc0
[ 71.561716][ T5889] ? check_panic_on_warn+0x1f/0xb0
[ 71.566863][ T5889] check_panic_on_warn+0xab/0xb0
[ 71.571838][ T5889] end_report+0x117/0x180
[ 71.576197][ T5889] kasan_report+0xe9/0x110
[ 71.580648][ T5889] ? binderfs_evict_inode+0x335/0x340
[ 71.586062][ T5889] ? binderfs_evict_inode+0x335/0x340
[ 71.591477][ T5889] ? __pfx_binderfs_evict_inode+0x10/0x10
[ 71.597231][ T5889] binderfs_evict_inode+0x335/0x340
[ 71.602467][ T5889] evict+0x409/0x960
[ 71.606400][ T5889] ? __pfx_evict+0x10/0x10
[ 71.610849][ T5889] iput+0x52a/0x890
[ 71.614688][ T5889] dentry_unlink_inode+0x29c/0x480
[ 71.619832][ T5889] __dentry_kill+0x1d0/0x600
[ 71.624453][ T5889] ? shrink_dentry_list+0x11a/0x5d0
[ 71.629686][ T5889] shrink_dentry_list+0x140/0x5d0
[ 71.634741][ T5889] ? shrink_dcache_parent+0x75/0x530
[ 71.640061][ T5889] shrink_dcache_parent+0xe2/0x530
[ 71.645205][ T5889] ? __pfx_shrink_dcache_parent+0x10/0x10
[ 71.650978][ T5889] shrink_dcache_for_umount+0xa1/0x3e0
[ 71.656477][ T5889] generic_shutdown_super+0x6c/0x390
[ 71.661796][ T5889] kill_litter_super+0x70/0xa0
[ 71.666592][ T5889] binderfs_kill_super+0x3b/0xa0
[ 71.671573][ T5889] deactivate_locked_super+0xbe/0x1a0
[ 71.677068][ T5889] deactivate_super+0xde/0x100
[ 71.681881][ T5889] cleanup_mnt+0x222/0x450
[ 71.686339][ T5889] task_work_run+0x14e/0x250
[ 71.690971][ T5889] ? __pfx_task_work_run+0x10/0x10
[ 71.696162][ T5889] ? __put_net+0x3a/0x70
[ 71.700442][ T5889] do_exit+0xad8/0x2d70
[ 71.704633][ T5889] ? proc_coredump_connector+0x2d2/0x4f0
[ 71.710303][ T5889] ? __pfx_do_exit+0x10/0x10
[ 71.714942][ T5889] do_group_exit+0xd3/0x2a0
[ 71.719476][ T5889] get_signal+0x24ed/0x26c0
[ 71.724018][ T5889] ? force_sig_fault+0xc5/0x110
[ 71.728903][ T5889] ? __pfx_get_signal+0x10/0x10
[ 71.733800][ T5889] arch_do_signal_or_restart+0x90/0x7e0
[ 71.739446][ T5889] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 71.745629][ T5889] ? __bad_area_nosemaphore+0x334/0x6a0
[ 71.751238][ T5889] ? do_user_addr_fault+0x920/0x13f0
[ 71.756571][ T5889] irqentry_exit_to_user_mode+0x13f/0x280
[ 71.762338][ T5889] asm_exc_page_fault+0x26/0x30
[ 71.767226][ T5889] RIP: 0033:0x0
[ 71.770702][ T5889] Code: Unable to access opcode bytes at 0xffffffffffffffd6.
[ 71.778120][ T5889] RSP: 002b:0000400000000008 EFLAGS: 00010217
[ 71.784213][ T5889] RAX: 0000000000000000 RBX: 00007f566aba5fa0 RCX: 00007f566a98d169
[ 71.792230][ T5889] RDX: 0000400000000000 RSI: 0000400000000000 RDI: 0000000000000000
[ 71.800322][ T5889] RBP: 00007f566aa0e2a0 R08: 0000400000000000 R09: 0000000000000000
[ 71.808319][ T5889] R10: 0000400000000000 R11: 0000000000000246 R12: 0000000000000000
[ 71.816311][ T5889] R13: 00007f566aba5fa0 R14: 00007f566aba5fa0 R15: 0000000000000005
[ 71.824320][ T5889]
[ 71.827639][ T5889] Kernel Offset: disabled
[ 71.831958][ T5889] Rebooting in 86400 seconds..