last executing test programs: 10.659802635s ago: executing program 0 (id=103): inotify_init1(0x0) 10.533912864s ago: executing program 0 (id=105): rt_sigtimedwait(&(0x7f0000000000), 0x0, &(0x7f0000000000), 0x0) 10.330107428s ago: executing program 0 (id=107): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/cachefiles', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/cachefiles', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/cachefiles', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/cachefiles', 0x800, 0x0) 10.250378405s ago: executing program 0 (id=108): listxattr(&(0x7f0000000000), &(0x7f0000000000), 0x0) 10.029398431s ago: executing program 0 (id=110): pause() 1.420203747s ago: executing program 1 (id=177): syz_open_dev$evdev(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$evdev(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$evdev(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$evdev(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$evdev(&(0x7f0000000140), 0x1, 0x0) syz_open_dev$evdev(&(0x7f0000000180), 0x1, 0x1) syz_open_dev$evdev(&(0x7f00000001c0), 0x1, 0x2) syz_open_dev$evdev(&(0x7f0000000200), 0x1, 0x800) syz_open_dev$evdev(&(0x7f0000000240), 0x2, 0x0) syz_open_dev$evdev(&(0x7f0000000280), 0x2, 0x1) syz_open_dev$evdev(&(0x7f00000002c0), 0x2, 0x2) syz_open_dev$evdev(&(0x7f0000000300), 0x2, 0x800) syz_open_dev$evdev(&(0x7f0000000340), 0x3, 0x0) syz_open_dev$evdev(&(0x7f0000000380), 0x3, 0x1) syz_open_dev$evdev(&(0x7f00000003c0), 0x3, 0x2) syz_open_dev$evdev(&(0x7f0000000400), 0x3, 0x800) syz_open_dev$evdev(&(0x7f0000000440), 0x4, 0x0) syz_open_dev$evdev(&(0x7f0000000480), 0x4, 0x1) syz_open_dev$evdev(&(0x7f00000004c0), 0x4, 0x2) syz_open_dev$evdev(&(0x7f0000000500), 0x4, 0x800) 1.080450581s ago: executing program 1 (id=178): copy_file_range(0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0) 1.010053246s ago: executing program 1 (id=179): socket$kcm(0x29, 0x2, 0x0) 929.038392ms ago: executing program 1 (id=180): shmdt(0x0) 818.104101ms ago: executing program 1 (id=181): process_mrelease(0xffffffffffffffff, 0x0) 719.930237ms ago: executing program 1 (id=182): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/full', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/full', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/full', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/full', 0x800, 0x0) 0s ago: executing program 0 (id=184): openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/kernel/debug/bluetooth/6lowpan_control', 0x2, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:17926' (ED25519) to the list of known hosts. [ 117.999166][ T30] audit: type=1400 audit(117.790:48): avc: denied { name_bind } for pid=3301 comm="sshd-session" src=30005 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=1 [ 118.290217][ T30] audit: type=1400 audit(118.080:49): avc: denied { execute } for pid=3302 comm="sh" name="syz-executor" dev="vda" ino=1867 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 118.293764][ T30] audit: type=1400 audit(118.080:50): avc: denied { execute_no_trans } for pid=3302 comm="sh" path="/syz-executor" dev="vda" ino=1867 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 121.844880][ T30] audit: type=1400 audit(121.630:51): avc: denied { mounton } for pid=3302 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1868 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 121.852462][ T30] audit: type=1400 audit(121.640:52): avc: denied { mount } for pid=3302 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 121.876897][ T3302] cgroup: Unknown subsys name 'net' [ 121.892924][ T30] audit: type=1400 audit(121.680:53): avc: denied { unmount } for pid=3302 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 122.239680][ T3302] cgroup: Unknown subsys name 'cpuset' [ 122.268237][ T3302] cgroup: Unknown subsys name 'rlimit' [ 122.601610][ T30] audit: type=1400 audit(122.390:54): avc: denied { setattr } for pid=3302 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 122.608476][ T30] audit: type=1400 audit(122.400:55): avc: denied { create } for pid=3302 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 122.610951][ T30] audit: type=1400 audit(122.400:56): avc: denied { write } for pid=3302 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 122.613627][ T30] audit: type=1400 audit(122.400:57): avc: denied { module_request } for pid=3302 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 123.118874][ T3305] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 123.122508][ T30] kauditd_printk_skb: 3 callbacks suppressed [ 123.123016][ T30] audit: type=1400 audit(122.910:61): avc: denied { relabelto } for pid=3305 comm="mkswap" name="swap-file" dev="vda" ino=1871 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 123.128594][ T30] audit: type=1400 audit(122.910:62): avc: denied { write } for pid=3305 comm="mkswap" path="/swap-file" dev="vda" ino=1871 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" Setting up swapspace version 1, size = 127995904 bytes [ 123.198948][ T30] audit: type=1400 audit(122.980:63): avc: denied { read } for pid=3302 comm="syz-executor" name="swap-file" dev="vda" ino=1871 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 123.199594][ T30] audit: type=1400 audit(122.990:64): avc: denied { open } for pid=3302 comm="syz-executor" path="/swap-file" dev="vda" ino=1871 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 123.219470][ T3302] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 129.007692][ T30] audit: type=1400 audit(128.800:65): avc: denied { execmem } for pid=3306 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 129.072108][ T30] audit: type=1400 audit(128.860:66): avc: denied { read } for pid=3308 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 129.078441][ T30] audit: type=1400 audit(128.870:67): avc: denied { open } for pid=3308 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 129.087885][ T30] audit: type=1400 audit(128.870:68): avc: denied { mounton } for pid=3308 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 129.774288][ T30] audit: type=1400 audit(129.560:69): avc: denied { mount } for pid=3308 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 129.786066][ T30] audit: type=1400 audit(129.570:70): avc: denied { mounton } for pid=3308 comm="syz-executor" path="/syzkaller.Aj3uEf/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 129.805868][ T30] audit: type=1400 audit(129.590:71): avc: denied { mount } for pid=3309 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 129.821289][ T30] audit: type=1400 audit(129.610:72): avc: denied { mounton } for pid=3309 comm="syz-executor" path="/syzkaller.OZz4xH/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 129.831534][ T30] audit: type=1400 audit(129.620:73): avc: denied { mounton } for pid=3309 comm="syz-executor" path="/syzkaller.OZz4xH/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=2707 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 129.847680][ T30] audit: type=1400 audit(129.630:74): avc: denied { unmount } for pid=3309 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 134.639302][ T30] kauditd_printk_skb: 16 callbacks suppressed [ 134.650975][ T30] audit: type=1400 audit(134.430:91): avc: denied { create } for pid=3356 comm="syz.1.42" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 135.651488][ T30] audit: type=1400 audit(135.440:92): avc: denied { create } for pid=3367 comm="syz.1.52" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=can_socket permissive=1 [ 136.003533][ T30] audit: type=1400 audit(135.790:93): avc: denied { create } for pid=3372 comm="syz.0.58" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rxrpc_socket permissive=1 [ 136.319881][ T30] audit: type=1400 audit(136.110:94): avc: denied { sys_module } for pid=3375 comm="syz.1.60" capability=16 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability permissive=1 [ 136.529644][ T30] audit: type=1400 audit(136.320:95): avc: denied { read write } for pid=3378 comm="syz.0.63" name="vhost-net" dev="devtmpfs" ino=713 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:vhost_device_t tclass=chr_file permissive=1 [ 136.536405][ T30] audit: type=1400 audit(136.320:96): avc: denied { open } for pid=3378 comm="syz.0.63" path="/dev/vhost-net" dev="devtmpfs" ino=713 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:vhost_device_t tclass=chr_file permissive=1 [ 139.012362][ T30] audit: type=1400 audit(138.800:97): avc: denied { create } for pid=3408 comm="syz.0.92" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=llc_socket permissive=1 [ 139.406342][ T30] audit: type=1400 audit(139.190:98): avc: denied { write } for pid=3414 comm="syz.0.99" name="random" dev="devtmpfs" ino=8 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:random_device_t tclass=chr_file permissive=1 [ 140.723580][ T30] audit: type=1400 audit(140.510:99): avc: denied { create } for pid=3429 comm="syz.1.114" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=dccp_socket permissive=1 [ 141.171400][ T30] audit: type=1400 audit(140.960:100): avc: denied { read } for pid=3432 comm="syz.1.115" name="uinput" dev="devtmpfs" ino=706 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 [ 141.186170][ T30] audit: type=1400 audit(140.960:101): avc: denied { open } for pid=3432 comm="syz.1.115" path="/dev/uinput" dev="devtmpfs" ino=706 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 [ 141.193151][ T30] audit: type=1400 audit(140.980:102): avc: denied { write } for pid=3432 comm="syz.1.115" name="uinput" dev="devtmpfs" ino=706 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 [ 143.140834][ T30] audit: type=1400 audit(142.930:103): avc: denied { read write } for pid=3447 comm="syz.1.129" name="udmabuf" dev="devtmpfs" ino=676 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 143.155876][ T30] audit: type=1400 audit(142.930:104): avc: denied { open } for pid=3447 comm="syz.1.129" path="/dev/udmabuf" dev="devtmpfs" ino=676 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 144.018785][ T30] audit: type=1400 audit(143.810:105): avc: denied { create } for pid=3455 comm="syz.1.136" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=pppox_socket permissive=1 [ 144.377586][ T30] audit: type=1400 audit(144.170:106): avc: denied { create } for pid=3457 comm="syz.1.137" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=sctp_socket permissive=1 [ 144.492851][ T30] audit: type=1400 audit(144.280:107): avc: denied { read } for pid=3458 comm="syz.1.138" name="fuse" dev="devtmpfs" ino=92 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fuse_device_t tclass=chr_file permissive=1 [ 144.496343][ T30] audit: type=1400 audit(144.280:108): avc: denied { open } for pid=3458 comm="syz.1.138" path="/dev/fuse" dev="devtmpfs" ino=92 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fuse_device_t tclass=chr_file permissive=1 [ 145.963447][ T30] kauditd_printk_skb: 1 callbacks suppressed [ 145.964381][ T30] audit: type=1400 audit(145.750:110): avc: denied { create } for pid=3473 comm="syz.1.152" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rose_socket permissive=1 [ 147.192010][ T30] audit: type=1400 audit(146.970:111): avc: denied { create } for pid=3485 comm="syz.1.163" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=tipc_socket permissive=1 [ 147.946687][ T30] audit: type=1400 audit(147.740:112): avc: denied { create } for pid=3493 comm="syz.1.170" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=smc_socket permissive=1 [ 149.259512][ T30] audit: type=1400 audit(149.050:113): avc: denied { create } for pid=3502 comm="syz.1.179" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=kcm_socket permissive=1 [ 150.419995][ T3308] ================================================================== [ 150.420753][ T3308] BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x2ac/0x2b4 [ 150.421585][ T3308] Write of size 8 at addr ffff00001a851808 by task syz-executor/3308 [ 150.421680][ T3308] [ 150.422492][ T3308] CPU: 0 UID: 0 PID: 3308 Comm: syz-executor Not tainted 6.15.0-rc7-syzkaller-00142-g4856ebd99715 #0 PREEMPT [ 150.422599][ T3308] Hardware name: linux,dummy-virt (DT) [ 150.422898][ T3308] Call trace: [ 150.423074][ T3308] show_stack+0x18/0x24 (C) [ 150.423222][ T3308] dump_stack_lvl+0xa4/0xf4 [ 150.423288][ T3308] print_report+0xf4/0x60c [ 150.423337][ T3308] kasan_report+0xc8/0x108 [ 150.423378][ T3308] __asan_report_store8_noabort+0x20/0x2c [ 150.423419][ T3308] binderfs_evict_inode+0x2ac/0x2b4 [ 150.423460][ T3308] evict+0x2c0/0x67c [ 150.423500][ T3308] iput+0x3b0/0x6b4 [ 150.423535][ T3308] dentry_unlink_inode+0x208/0x46c [ 150.423576][ T3308] __dentry_kill+0x150/0x52c [ 150.423615][ T3308] shrink_dentry_list+0x114/0x3a4 [ 150.423655][ T3308] shrink_dcache_parent+0x158/0x354 [ 150.423702][ T3308] shrink_dcache_for_umount+0x88/0x304 [ 150.423746][ T3308] generic_shutdown_super+0x60/0x2e8 [ 150.423791][ T3308] kill_litter_super+0x68/0xa4 [ 150.423832][ T3308] binderfs_kill_super+0x38/0x88 [ 150.423873][ T3308] deactivate_locked_super+0x98/0x17c [ 150.423922][ T3308] deactivate_super+0xb0/0xd4 [ 150.423967][ T3308] cleanup_mnt+0x198/0x424 [ 150.424007][ T3308] __cleanup_mnt+0x14/0x20 [ 150.424047][ T3308] task_work_run+0x128/0x210 [ 150.424088][ T3308] do_exit+0x7ac/0x1f68 [ 150.424128][ T3308] do_group_exit+0xa4/0x208 [ 150.424167][ T3308] get_signal+0x1b00/0x1ba8 [ 150.424208][ T3308] do_signal+0x160/0x620 [ 150.424245][ T3308] do_notify_resume+0x18c/0x258 [ 150.424286][ T3308] el0_svc_compat+0xfc/0x17c [ 150.424325][ T3308] el0t_32_sync_handler+0x98/0x13c [ 150.424364][ T3308] el0t_32_sync+0x19c/0x1a0 [ 150.424556][ T3308] [ 150.425468][ T3308] Allocated by task 3309: [ 150.425715][ T3308] kasan_save_stack+0x3c/0x64 [ 150.425831][ T3308] kasan_save_track+0x20/0x3c [ 150.425923][ T3308] kasan_save_alloc_info+0x40/0x54 [ 150.426021][ T3308] __kasan_kmalloc+0xb8/0xbc [ 150.426104][ T3308] __kmalloc_cache_noprof+0x1b0/0x3cc [ 150.426186][ T3308] binderfs_binder_device_create.isra.0+0x140/0x9a0 [ 150.426268][ T3308] binderfs_fill_super+0x69c/0xed4 [ 150.426348][ T3308] get_tree_nodev+0xac/0x148 [ 150.426423][ T3308] binderfs_fs_context_get_tree+0x18/0x24 [ 150.426504][ T3308] vfs_get_tree+0x74/0x280 [ 150.426592][ T3308] path_mount+0xe54/0x1808 [ 150.426673][ T3308] __arm64_sys_mount+0x304/0x3dc [ 150.426757][ T3308] invoke_syscall+0x6c/0x258 [ 150.426837][ T3308] el0_svc_common.constprop.0+0xac/0x230 [ 150.426920][ T3308] do_el0_svc_compat+0x40/0x68 [ 150.426998][ T3308] el0_svc_compat+0x4c/0x17c [ 150.427073][ T3308] el0t_32_sync_handler+0x98/0x13c [ 150.427149][ T3308] el0t_32_sync+0x19c/0x1a0 [ 150.427256][ T3308] [ 150.427339][ T3308] Freed by task 3309: [ 150.427424][ T3308] kasan_save_stack+0x3c/0x64 [ 150.427511][ T3308] kasan_save_track+0x20/0x3c [ 150.427590][ T3308] kasan_save_free_info+0x4c/0x74 [ 150.427667][ T3308] __kasan_slab_free+0x50/0x6c [ 150.427746][ T3308] kfree+0x1bc/0x444 [ 150.427822][ T3308] binderfs_evict_inode+0x238/0x2b4 [ 150.427902][ T3308] evict+0x2c0/0x67c [ 150.427984][ T3308] iput+0x3b0/0x6b4 [ 150.428058][ T3308] dentry_unlink_inode+0x208/0x46c [ 150.428137][ T3308] __dentry_kill+0x150/0x52c [ 150.428214][ T3308] shrink_dentry_list+0x114/0x3a4 [ 150.428299][ T3308] shrink_dcache_parent+0x158/0x354 [ 150.428381][ T3308] shrink_dcache_for_umount+0x88/0x304 [ 150.428461][ T3308] generic_shutdown_super+0x60/0x2e8 [ 150.428542][ T3308] kill_litter_super+0x68/0xa4 [ 150.428622][ T3308] binderfs_kill_super+0x38/0x88 [ 150.428701][ T3308] deactivate_locked_super+0x98/0x17c [ 150.428782][ T3308] deactivate_super+0xb0/0xd4 [ 150.428861][ T3308] cleanup_mnt+0x198/0x424 [ 150.428946][ T3308] __cleanup_mnt+0x14/0x20 [ 150.429025][ T3308] task_work_run+0x128/0x210 [ 150.429101][ T3308] do_exit+0x7ac/0x1f68 [ 150.429182][ T3308] do_group_exit+0xa4/0x208 [ 150.429259][ T3308] get_signal+0x1b00/0x1ba8 [ 150.429338][ T3308] do_signal+0x160/0x620 [ 150.429421][ T3308] do_notify_resume+0x18c/0x258 [ 150.429502][ T3308] el0_svc_compat+0xfc/0x17c [ 150.429610][ T3308] el0t_32_sync_handler+0x98/0x13c [ 150.429695][ T3308] el0t_32_sync+0x19c/0x1a0 [ 150.429791][ T3308] [ 150.429907][ T3308] The buggy address belongs to the object at ffff00001a851800 [ 150.429907][ T3308] which belongs to the cache kmalloc-512 of size 512 [ 150.430097][ T3308] The buggy address is located 8 bytes inside of [ 150.430097][ T3308] freed 512-byte region [ffff00001a851800, ffff00001a851a00) [ 150.430191][ T3308] [ 150.430324][ T3308] The buggy address belongs to the physical page: [ 150.430750][ T3308] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff00001a850c00 pfn:0x5a850 [ 150.431288][ T3308] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 150.431432][ T3308] anon flags: 0x1ffc00000000040(head|node=0|zone=0|lastcpupid=0x7ff) [ 150.431910][ T3308] page_type: f5(slab) [ 150.432319][ T3308] raw: 01ffc00000000040 ffff00000dc01c80 0000000000000000 dead000000000001 [ 150.432420][ T3308] raw: ffff00001a850c00 0000000000100004 00000000f5000000 0000000000000000 [ 150.432566][ T3308] head: 01ffc00000000040 ffff00000dc01c80 0000000000000000 dead000000000001 [ 150.432650][ T3308] head: ffff00001a850c00 0000000000100004 00000000f5000000 0000000000000000 [ 150.432726][ T3308] head: 01ffc00000000002 fffffdffc06a1401 00000000ffffffff 00000000ffffffff [ 150.432800][ T3308] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 150.432913][ T3308] page dumped because: kasan: bad access detected [ 150.433007][ T3308] [ 150.433079][ T3308] Memory state around the buggy address: [ 150.433405][ T3308] ffff00001a851700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 150.433521][ T3308] ffff00001a851780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 150.433616][ T3308] >ffff00001a851800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 150.433709][ T3308] ^ [ 150.433853][ T3308] ffff00001a851880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 150.433939][ T3308] ffff00001a851900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 150.434100][ T3308] ================================================================== [ 150.520831][ T3308] Disabling lock debugging due to kernel taint SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 150.706203][ T30] audit: type=1400 audit(150.490:114): avc: denied { mounton } for pid=3507 comm="syz-executor" path="/syzkaller.u38DnE/syz-tmp" dev="vda" ino=1878 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 VM DIAGNOSIS: 23:18:01 Registers: info registers vcpu 0 CPU#0 PC=ffff800081a96f60 X00=ffff80008d50d004 X01=0000000000000000 X02=1fffe00002e02e07 X03=1fffe00002e02e05 X04=1fffe00001fb2b18 X05=0000000000000000 X06=ffff00000e8a2a38 X07=0000000000000000 X08=0000000000000000 X09=ffff800089734000 X10=ffff00000e8a28d0 X11=0000000000000002 X12=000000000000000d X13=0000000000000000 X14=1fffe00002e2bacd X15=18508f552a71f2f7 X16=3ecf0000816dffff X17=b1d968918e83618d X18=ffff000012e27c80 X19=ffff000017017000 X20=0000000000000001 X21=1fffe00002e02e08 X22=0000000000000003 X23=ffff000013834c80 X24=1fffe00002db1200 X25=ffff00000fd958c4 X26=0000000000000040 X27=0000000000000000 X28=0000000000a35f91 X29=ffff8000800061a0 X30=ffff800081a7acf0 SP=ffff8000800061a0 PSTATE=10000005 ---V EL1h FPCR=00000000 FPSR=00000000 Q00=2525252525252525:2525252525252525 Q01=6572207265767265:730073250a0d0a0d Q02=6c6c696b5f736672:65646e696220205d Q03=0000000000000000:00ff00ff00000000 Q04=0000000000000000:000000000f0f0000 Q05=72656c6c616b7a79:732d3763722d302e Q06=203a29323a303433:2e38322874696475 Q07=2035393237363934:3932343d64697561 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000ffffffa646f0:0000ffffffa646f0 Q17=ffffff80ffffffd8:0000ffffffa646c0 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff80008031128c X00=ffff800088c1e7d8 X01=0000000100000000 X02=0000000000000001 X03=1fffe00002b333c9 X04=0000000000000001 X05=ffff8000a13e7890 X06=dfff800000000000 X07=ffff8000a13e77a0 X08=0000000000000000 X09=ffff70001427cef4 X10=0000000041b58ab3 X11=ffff8000a13e7ac0 X12=ffff00001715cc92 X13=0000000000000000 X14=0000000000000003 X15=0000000000000001 X16=ffff00001715d562 X17=0000000000000000 X18=1fffe00002e2baac X19=ffff000012e27c80 X20=dfff800000000000 X21=ffff00001715d548 X22=ffff000012e27ca8 X23=ffff00001715cd68 X24=ffff8000a13e7ad0 X25=ffff000012e27cb4 X26=0000000000000000 X27=1fffe000025c4f96 X28=ffff00001715cc80 X29=ffff8000a13e7540 X30=ffff8000844957dc SP=ffff8000a13e7540 PSTATE=400000c5 -Z-- EL1h FPCR=00000000 FPSR=00000000 Q00=0000000000000000:0000000000000000 Q01=0000000000000000:0000000000000000 Q02=0000000000000000:0000000000000000 Q03=0000000000000000:0000000000000000 Q04=0000000000000000:0000000000000000 Q05=0000000000000000:0000000000000000 Q06=0000000000000000:0000000000000000 Q07=0000000000000000:0000000000000000 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000000000000000:0000000000000000 Q17=0000000000000000:0000000000000000 Q18=dfcd8f15d5451686:3a08c947972f2ab1 Q19=9db80f9df012e772:bce54fb1b91daba1 Q20=0303c4aa2f6c4363:a8af1d7a067eaa49 Q21=7e536ea80a9d75e2:3b03ce09d1f31b80 Q22=dfcd8f15d54d168e:3a0fc94997272ab1 Q23=9dbe0f99f01ee774:bce54fb1b911a9a1 Q24=94cb0c814bb7a8e4:e08970ea769058ba Q25=9aabc5475df3cf40:adfcc125a4cae5de Q26=23bdbcf7032327a5:24506bdce47bcded Q27=402e469d2f61728a:619117b35ac16dd0 Q28=211064068cd3386d:7f8a420a35e1e309 Q29=b907d15ff969b89d:b3d69f1f32a9502b Q30=5d999832d7222b0b:7e3501137109d8aa Q31=9134000655511f4c:3dcc36c098fac073