Warning: Permanently added '10.128.0.242' (ED25519) to the list of known hosts.
[   90.962137][   T12] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   90.973018][   T12] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   91.000013][   T12] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   91.009570][   T12] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   91.050798][   T12] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   91.059697][   T12] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   91.087155][   T12] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   91.095528][   T12] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   91.105249][   T12] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   91.120135][   T12] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   91.149508][ T2123] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   91.157981][ T2123] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
executing program
executing program
executing program
[   91.217921][   T49] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   91.243433][   T49] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
executing program
executing program
executing program
[   91.269839][   T49] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   91.285117][   T49] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
executing program
[   91.328049][ T3548] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   91.338616][ T3548] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   91.366877][ T5837] ==================================================================
[   91.375012][ T5837] BUG: KASAN: slab-use-after-free in binder_add_device+0x6b/0xb0
[   91.382874][ T5837] Write of size 8 at addr ffff888033323008 by task syz-executor412/5837
[   91.391228][ T5837] 
[   91.393611][ T5837] CPU: 0 UID: 0 PID: 5837 Comm: syz-executor412 Not tainted 6.15.0-rc7-next-20250523-syzkaller #0 PREEMPT(full) 
[   91.393637][ T5837] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[   91.393658][ T5837] Call Trace:
[   91.393672][ T5837]  <TASK>
[   91.393694][ T5837]  dump_stack_lvl+0x189/0x250
[   91.393789][ T5837]  ? __virt_addr_valid+0x1c8/0x5c0
[   91.393847][ T5837]  ? rcu_is_watching+0x15/0xb0
[   91.393884][ T5837]  ? __kasan_check_byte+0x12/0x40
[   91.393948][ T5837]  ? __pfx_dump_stack_lvl+0x10/0x10
[   91.393965][ T5837]  ? rcu_is_watching+0x15/0xb0
[   91.393982][ T5837]  ? lock_release+0x4b/0x3e0
[   91.394030][ T5837]  ? __virt_addr_valid+0x1c8/0x5c0
[   91.394050][ T5837]  ? __virt_addr_valid+0x4a5/0x5c0
[   91.394072][ T5837]  print_report+0xd2/0x2b0
[   91.394103][ T5837]  ? binder_add_device+0x6b/0xb0
[   91.394122][ T5837]  kasan_report+0x118/0x150
[   91.394144][ T5837]  ? binder_add_device+0x6b/0xb0
[   91.394170][ T5837]  binder_add_device+0x6b/0xb0
[   91.394189][ T5837]  binderfs_binder_device_create+0x9e7/0xc40
[   91.394233][ T5837]  ? __pfx_binderfs_binder_device_create+0x10/0x10
[   91.394267][ T5837]  ? do_raw_spin_unlock+0x122/0x240
[   91.394297][ T5837]  binderfs_fill_super+0xa0e/0xe90
[   91.394331][ T5837]  ? __pfx_binderfs_fill_super+0x10/0x10
[   91.394373][ T5837]  ? shrinker_register+0x16b/0x230
[   91.394416][ T5837]  ? sget_fc+0x962/0xa40
[   91.394456][ T5837]  ? __pfx_set_anon_super_fc+0x10/0x10
[   91.394485][ T5837]  ? __pfx_binderfs_fill_super+0x10/0x10
[   91.394516][ T5837]  get_tree_nodev+0xbb/0x150
[   91.394548][ T5837]  vfs_get_tree+0x92/0x2b0
[   91.394574][ T5837]  do_new_mount+0x24a/0xa40
[   91.394605][ T5837]  __se_sys_mount+0x317/0x410
[   91.394630][ T5837]  ? __pfx___se_sys_mount+0x10/0x10
[   91.394656][ T5837]  ? do_syscall_64+0xbe/0x3b0
[   91.394731][ T5837]  ? __x64_sys_mount+0x20/0xc0
[   91.394754][ T5837]  do_syscall_64+0xfa/0x3b0
[   91.394782][ T5837]  ? lockdep_hardirqs_on+0x9c/0x150
[   91.394804][ T5837]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   91.394843][ T5837]  ? clear_bhb_loop+0x60/0xb0
[   91.394866][ T5837]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   91.394885][ T5837] RIP: 0033:0x7f437c1f154a
[   91.394912][ T5837] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 1e 09 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   91.394940][ T5837] RSP: 002b:00007ffd8bc72d58 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   91.394965][ T5837] RAX: ffffffffffffffda RBX: 00007f437c23604b RCX: 00007f437c1f154a
[   91.394980][ T5837] RDX: 00007f437c2361eb RSI: 00007f437c23604b RDI: 00007f437c2361eb
[   91.394994][ T5837] RBP: 00007f437c2361bb R08: 0000000000000000 R09: 0000000000000000
[   91.395006][ T5837] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f437c236123
[   91.395019][ T5837] R13: 0000000000000003 R14: 00007f437c2673c0 R15: 00007ffd8bc72d9a
[   91.395042][ T5837]  </TASK>
[   91.395049][ T5837] 
[   91.676641][ T5837] Allocated by task 5835:
[   91.680992][ T5837]  kasan_save_track+0x3e/0x80
[   91.685702][ T5837]  __kasan_kmalloc+0x93/0xb0
[   91.690294][ T5837]  __kmalloc_cache_noprof+0x230/0x3d0
[   91.695684][ T5837]  binderfs_binder_device_create+0x1eb/0xc40
[   91.701699][ T5837]  binderfs_fill_super+0xa0e/0xe90
[   91.706884][ T5837]  get_tree_nodev+0xbb/0x150
[   91.711494][ T5837]  vfs_get_tree+0x92/0x2b0
[   91.716081][ T5837]  do_new_mount+0x24a/0xa40
[   91.720596][ T5837]  __se_sys_mount+0x317/0x410
[   91.725292][ T5837]  do_syscall_64+0xfa/0x3b0
[   91.729815][ T5837]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   91.735732][ T5837] 
[   91.738060][ T5837] Freed by task 977:
[   91.742063][ T5837]  kasan_save_track+0x3e/0x80
[   91.746806][ T5837]  kasan_save_free_info+0x46/0x50
[   91.751864][ T5837]  __kasan_slab_free+0x62/0x70
[   91.756633][ T5837]  kfree+0x18e/0x440
[   91.760533][ T5837]  binder_proc_dec_tmpref+0x228/0x4f0
[   91.765941][ T5837]  binder_deferred_func+0x13a5/0x1520
[   91.771333][ T5837]  process_scheduled_works+0xade/0x17b0
[   91.776935][ T5837]  worker_thread+0x8a0/0xda0
[   91.781527][ T5837]  kthread+0x711/0x8a0
[   91.785699][ T5837]  ret_from_fork+0x3fc/0x770
[   91.790330][ T5837]  ret_from_fork_asm+0x1a/0x30
[   91.795104][ T5837] 
[   91.797430][ T5837] The buggy address belongs to the object at ffff888033323000
[   91.797430][ T5837]  which belongs to the cache kmalloc-512 of size 512
[   91.811486][ T5837] The buggy address is located 8 bytes inside of
[   91.811486][ T5837]  freed 512-byte region [ffff888033323000, ffff888033323200)
[   91.825115][ T5837] 
[   91.827441][ T5837] The buggy address belongs to the physical page:
[   91.833850][ T5837] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33320
[   91.842636][ T5837] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   91.851142][ T5837] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[   91.858705][ T5837] page_type: f5(slab)
[   91.862698][ T5837] raw: 00fff00000000040 ffff88801a441c80 ffffea000085dd00 dead000000000002
[   91.871291][ T5837] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[   91.879888][ T5837] head: 00fff00000000040 ffff88801a441c80 ffffea000085dd00 dead000000000002
[   91.888567][ T5837] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[   91.897241][ T5837] head: 00fff00000000002 ffffea0000ccc801 00000000ffffffff 00000000ffffffff
[   91.905910][ T5837] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[   91.914659][ T5837] page dumped because: kasan: bad access detected
[   91.921103][ T5837] page_owner tracks the page as allocated
[   91.926815][ T5837] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5205, tgid 5205 (udevadm), ts 41515187397, free_ts 41508905938
[   91.947760][ T5837]  post_alloc_hook+0x240/0x2a0
[   91.952562][ T5837]  get_page_from_freelist+0x21e4/0x22c0
[   91.958125][ T5837]  __alloc_frozen_pages_noprof+0x181/0x370
[   91.963946][ T5837]  alloc_pages_mpol+0x232/0x4a0
[   91.968809][ T5837]  allocate_slab+0x8a/0x3b0
[   91.973405][ T5837]  ___slab_alloc+0xbfc/0x1480
[   91.978092][ T5837]  __kmalloc_cache_noprof+0x296/0x3d0
[   91.983466][ T5837]  kernfs_fop_open+0x397/0xca0
[   91.988255][ T5837]  do_dentry_open+0xdf0/0x1970
[   91.993029][ T5837]  vfs_open+0x3b/0x340
[   91.997104][ T5837]  path_openat+0x2ee5/0x3830
[   92.001712][ T5837]  do_filp_open+0x1fa/0x410
[   92.006222][ T5837]  do_sys_openat2+0x121/0x1c0
[   92.010909][ T5837]  __x64_sys_openat+0x138/0x170
[   92.015767][ T5837]  do_syscall_64+0xfa/0x3b0
[   92.020276][ T5837]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   92.026174][ T5837] page last free pid 5205 tgid 5205 stack trace:
[   92.032496][ T5837]  __free_frozen_pages+0xc71/0xe70
[   92.037619][ T5837]  __put_partials+0x161/0x1c0
[   92.042303][ T5837]  put_cpu_partial+0x17c/0x250
[   92.047075][ T5837]  __slab_free+0x2f7/0x400
[   92.051512][ T5837]  qlist_free_all+0x97/0x140
[   92.056127][ T5837]  kasan_quarantine_reduce+0x148/0x160
[   92.061613][ T5837]  __kasan_slab_alloc+0x22/0x80
[   92.066470][ T5837]  __kmalloc_cache_noprof+0x1be/0x3d0
[   92.071847][ T5837]  kernfs_fop_open+0x397/0xca0
[   92.076614][ T5837]  do_dentry_open+0xdf0/0x1970
[   92.081383][ T5837]  vfs_open+0x3b/0x340
[   92.085455][ T5837]  path_openat+0x2ee5/0x3830
[   92.090055][ T5837]  do_filp_open+0x1fa/0x410
[   92.094564][ T5837]  do_sys_openat2+0x121/0x1c0
[   92.099251][ T5837]  __x64_sys_openat+0x138/0x170
[   92.104110][ T5837]  do_syscall_64+0xfa/0x3b0
[   92.108631][ T5837] 
[   92.110955][ T5837] Memory state around the buggy address:
[   92.116595][ T5837]  ffff888033322f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   92.124656][ T5837]  ffff888033322f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   92.132725][ T5837] >ffff888033323000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   92.140785][ T5837]                       ^
[   92.145113][ T5837]  ffff888033323080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   92.153185][ T5837]  ffff888033323100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   92.161255][ T5837] ==================================================================
[   92.170504][ T5837] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   92.177843][ T5837] CPU: 0 UID: 0 PID: 5837 Comm: syz-executor412 Not tainted 6.15.0-rc7-next-20250523-syzkaller #0 PREEMPT(full) 
[   92.189743][ T5837] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[   92.199803][ T5837] Call Trace:
[   92.203084][ T5837]  <TASK>
[   92.206018][ T5837]  dump_stack_lvl+0x99/0x250
[   92.210618][ T5837]  ? __asan_memcpy+0x40/0x70
[   92.215223][ T5837]  ? __pfx_dump_stack_lvl+0x10/0x10
[   92.220425][ T5837]  ? __pfx__printk+0x10/0x10
[   92.225026][ T5837]  panic+0x2db/0x790
[   92.228960][ T5837]  ? __pfx_panic+0x10/0x10
[   92.233391][ T5837]  ? _raw_spin_unlock_irqrestore+0xa8/0x110
[   92.239327][ T5837]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   92.245226][ T5837]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   92.251556][ T5837]  ? print_memory_metadata+0x314/0x400
[   92.257040][ T5837]  ? binder_add_device+0x6b/0xb0
[   92.261984][ T5837]  check_panic_on_warn+0x89/0xb0
[   92.266949][ T5837]  ? binder_add_device+0x6b/0xb0
[   92.271892][ T5837]  end_report+0x78/0x160
[   92.276146][ T5837]  kasan_report+0x129/0x150
[   92.280656][ T5837]  ? binder_add_device+0x6b/0xb0
[   92.285619][ T5837]  binder_add_device+0x6b/0xb0
[   92.290390][ T5837]  binderfs_binder_device_create+0x9e7/0xc40
[   92.296400][ T5837]  ? __pfx_binderfs_binder_device_create+0x10/0x10
[   92.302915][ T5837]  ? do_raw_spin_unlock+0x122/0x240
[   92.308125][ T5837]  binderfs_fill_super+0xa0e/0xe90
[   92.313256][ T5837]  ? __pfx_binderfs_fill_super+0x10/0x10
[   92.318912][ T5837]  ? shrinker_register+0x16b/0x230
[   92.324038][ T5837]  ? sget_fc+0x962/0xa40
[   92.328296][ T5837]  ? __pfx_set_anon_super_fc+0x10/0x10
[   92.333768][ T5837]  ? __pfx_binderfs_fill_super+0x10/0x10
[   92.339416][ T5837]  get_tree_nodev+0xbb/0x150
[   92.344023][ T5837]  vfs_get_tree+0x92/0x2b0
[   92.348463][ T5837]  do_new_mount+0x24a/0xa40
[   92.352977][ T5837]  __se_sys_mount+0x317/0x410
[   92.357678][ T5837]  ? __pfx___se_sys_mount+0x10/0x10
[   92.362896][ T5837]  ? do_syscall_64+0xbe/0x3b0
[   92.367598][ T5837]  ? __x64_sys_mount+0x20/0xc0
[   92.372374][ T5837]  do_syscall_64+0xfa/0x3b0
[   92.376890][ T5837]  ? lockdep_hardirqs_on+0x9c/0x150
[   92.382095][ T5837]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   92.388170][ T5837]  ? clear_bhb_loop+0x60/0xb0
[   92.392854][ T5837]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   92.398799][ T5837] RIP: 0033:0x7f437c1f154a
[   92.403224][ T5837] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 1e 09 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   92.422850][ T5837] RSP: 002b:00007ffd8bc72d58 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[   92.431271][ T5837] RAX: ffffffffffffffda RBX: 00007f437c23604b RCX: 00007f437c1f154a
[   92.439249][ T5837] RDX: 00007f437c2361eb RSI: 00007f437c23604b RDI: 00007f437c2361eb
[   92.447253][ T5837] RBP: 00007f437c2361bb R08: 0000000000000000 R09: 0000000000000000
[   92.455325][ T5837] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f437c236123
[   92.463314][ T5837] R13: 0000000000000003 R14: 00007f437c2673c0 R15: 00007ffd8bc72d9a
[   92.471313][ T5837]  </TASK>
[   92.474496][ T5837] Kernel Offset: disabled
[   92.478918][ T5837] Rebooting in 86400 seconds..