last executing test programs:
338.40302ms ago: executing program 4 (id=119):
socket$pptp(0x18, 0x1, 0x2)
293.496171ms ago: executing program 4 (id=128):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/kernel/debug/damon/attrs', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/sys/kernel/debug/damon/attrs', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/kernel/debug/damon/attrs', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/sys/kernel/debug/damon/attrs', 0x800, 0x0)
257.360328ms ago: executing program 4 (id=133):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/kernel/debug/damon/init_regions', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/sys/kernel/debug/damon/init_regions', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/kernel/debug/damon/init_regions', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/sys/kernel/debug/damon/init_regions', 0x800, 0x0)
256.9833ms ago: executing program 3 (id=135):
times(&(0x7f0000000000))
256.843994ms ago: executing program 4 (id=137):
getegid()
210.476823ms ago: executing program 3 (id=140):
clock_settime(0x0, &(0x7f0000000000))
210.215074ms ago: executing program 4 (id=143):
sched_getattr(0x0, &(0x7f0000000000), 0x0, 0x0)
204.00408ms ago: executing program 1 (id=146):
getpgrp(0x0)
192.871775ms ago: executing program 4 (id=147):
rt_sigreturn()
192.504975ms ago: executing program 3 (id=148):
socket$inet_udplite(0x2, 0x2, 0x88)
130.763921ms ago: executing program 0 (id=149):
symlinkat(&(0x7f0000000000), 0xffffffffffffffff, &(0x7f0000000000))
130.354728ms ago: executing program 0 (id=150):
eventfd2(0x0, 0x0)
130.149692ms ago: executing program 1 (id=151):
fdatasync(0xffffffffffffffff)
130.085742ms ago: executing program 2 (id=152):
socket$pppl2tp(0x18, 0x1, 0x1)
129.906478ms ago: executing program 0 (id=153):
fspick(0xffffffffffffffff, &(0x7f0000000000), 0x0)
129.682431ms ago: executing program 1 (id=154):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/binder', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/binder', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/binder', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/binder', 0x800, 0x0)
129.501832ms ago: executing program 2 (id=155):
nanosleep(&(0x7f0000000000), 0x0)
122.637641ms ago: executing program 3 (id=156):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vcs', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vcs', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/vcs', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vcs', 0x800, 0x0)
113.292261ms ago: executing program 2 (id=157):
io_uring_enter(0xffffffffffffffff, 0x0, 0x0, 0x0, &(0x7f0000000000), 0x0)
66.651027ms ago: executing program 1 (id=158):
socket$inet_icmp(0x2, 0x2, 0x1)
66.550395ms ago: executing program 0 (id=159):
setresgid(0x0, 0x0, 0x0)
66.395003ms ago: executing program 3 (id=160):
madvise(0x0, 0x0, 0x0)
66.335198ms ago: executing program 1 (id=161):
statfs(&(0x7f0000000000), &(0x7f0000000000))
66.275474ms ago: executing program 2 (id=162):
inotify_init1(0x0)
66.155927ms ago: executing program 0 (id=163):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/selinux/relabel', 0x2, 0x0)
65.974304ms ago: executing program 2 (id=164):
lookup_dcookie(0x0, &(0x7f0000000000), 0x0)
64.719378ms ago: executing program 3 (id=165):
fsopen(&(0x7f0000000000), 0x0)
55.066554ms ago: executing program 1 (id=166):
fchdir(0xffffffffffffffff)
108.682µs ago: executing program 0 (id=168):
msgsnd(0x0, &(0x7f0000000000), 0x0, 0x0)
0s ago: executing program 2 (id=169):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwbinder', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/hwbinder', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/hwbinder', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/hwbinder', 0x800, 0x0)
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.0.144' (ED25519) to the list of known hosts.
[ 59.822107][ T5820] cgroup: Unknown subsys name 'net'
[ 59.929800][ T5820] cgroup: Unknown subsys name 'cpuset'
[ 59.938322][ T5820] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 61.238084][ T5820] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 63.835856][ T5926] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 64.219504][ T5988] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 64.839621][ T6008] ==================================================================
[ 64.847732][ T6008] BUG: KASAN: slab-use-after-free in binder_add_device+0x5f/0xa0
[ 64.855520][ T6008] Write of size 8 at addr ffff888011804408 by task syz-executor/6008
[ 64.863597][ T6008]
[ 64.865939][ T6008] CPU: 0 UID: 0 PID: 6008 Comm: syz-executor Not tainted 6.13.0-next-20250123-syzkaller #0
[ 64.865954][ T6008] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 64.865965][ T6008] Call Trace:
[ 64.865971][ T6008] <TASK>
[ 64.865977][ T6008] dump_stack_lvl+0x241/0x360
[ 64.865995][ T6008] ? __pfx_dump_stack_lvl+0x10/0x10
[ 64.866008][ T6008] ? __pfx__printk+0x10/0x10
[ 64.866020][ T6008] ? _printk+0xd5/0x120
[ 64.866030][ T6008] ? __virt_addr_valid+0x183/0x530
[ 64.866048][ T6008] ? __virt_addr_valid+0x183/0x530
[ 64.866065][ T6008] print_report+0x169/0x550
[ 64.866084][ T6008] ? __virt_addr_valid+0x183/0x530
[ 64.866100][ T6008] ? __virt_addr_valid+0x183/0x530
[ 64.866116][ T6008] ? __virt_addr_valid+0x45f/0x530
[ 64.866132][ T6008] ? __phys_addr+0xba/0x170
[ 64.866149][ T6008] ? binder_add_device+0x5f/0xa0
[ 64.866166][ T6008] kasan_report+0x143/0x180
[ 64.866184][ T6008] ? binder_add_device+0x5f/0xa0
[ 64.866202][ T6008] binder_add_device+0x5f/0xa0
[ 64.866219][ T6008] binderfs_binder_device_create+0x7bf/0x9c0
[ 64.866239][ T6008] binderfs_fill_super+0x944/0xd90
[ 64.866257][ T6008] ? __pfx_binderfs_fill_super+0x10/0x10
[ 64.866281][ T6008] ? shrinker_register+0x160/0x230
[ 64.866296][ T6008] ? sget_fc+0x909/0x9c0
[ 64.866311][ T6008] ? __pfx_set_anon_super_fc+0x10/0x10
[ 64.866327][ T6008] ? __pfx_binderfs_fill_super+0x10/0x10
[ 64.866343][ T6008] get_tree_nodev+0xb7/0x140
[ 64.866359][ T6008] vfs_get_tree+0x90/0x2b0
[ 64.866376][ T6008] do_new_mount+0x2be/0xb40
[ 64.866390][ T6008] ? __pfx_do_new_mount+0x10/0x10
[ 64.866405][ T6008] __se_sys_mount+0x2d6/0x3c0
[ 64.866423][ T6008] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 64.866440][ T6008] ? __pfx___se_sys_mount+0x10/0x10
[ 64.866453][ T6008] ? do_syscall_64+0x100/0x230
[ 64.866466][ T6008] ? __x64_sys_mount+0x20/0xc0
[ 64.866479][ T6008] do_syscall_64+0xf3/0x230
[ 64.866491][ T6008] ? clear_bhb_loop+0x35/0x90
[ 64.866509][ T6008] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 64.866528][ T6008] RIP: 0033:0x7f95e338e4ca
[ 64.866545][ T6008] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 64.866555][ T6008] RSP: 002b:00007ffd528e8f38 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 64.866569][ T6008] RAX: ffffffffffffffda RBX: 00007f95e340e663 RCX: 00007f95e338e4ca
[ 64.866578][ T6008] RDX: 00007f95e341dd57 RSI: 00007f95e340e663 RDI: 00007f95e341dd57
[ 64.866587][ T6008] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 64.866594][ T6008] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f95e3428440
[ 64.866603][ T6008] R13: 00007ffd528e8fb8 R14: 0000000000000009 R15: 0000000000000000
[ 64.866615][ T6008] </TASK>
[ 64.866619][ T6008]
[ 65.138867][ T6008] Allocated by task 5830:
[ 65.143288][ T6008] kasan_save_track+0x3f/0x80
[ 65.147966][ T6008] __kasan_kmalloc+0x98/0xb0
[ 65.152675][ T6008] __kmalloc_cache_noprof+0x243/0x390
[ 65.158036][ T6008] binderfs_binder_device_create+0x16c/0x9c0
[ 65.164005][ T6008] binderfs_fill_super+0x944/0xd90
[ 65.169112][ T6008] get_tree_nodev+0xb7/0x140
[ 65.173714][ T6008] vfs_get_tree+0x90/0x2b0
[ 65.178140][ T6008] do_new_mount+0x2be/0xb40
[ 65.182632][ T6008] __se_sys_mount+0x2d6/0x3c0
[ 65.187295][ T6008] do_syscall_64+0xf3/0x230
[ 65.191784][ T6008] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 65.197669][ T6008]
[ 65.199980][ T6008] Freed by task 5830:
[ 65.204077][ T6008] kasan_save_track+0x3f/0x80
[ 65.208830][ T6008] kasan_save_free_info+0x40/0x50
[ 65.213849][ T6008] __kasan_slab_free+0x59/0x70
[ 65.218614][ T6008] kfree+0x196/0x430
[ 65.222527][ T6008] evict+0x4e8/0x9a0
[ 65.226412][ T6008] __dentry_kill+0x20d/0x630
[ 65.230995][ T6008] shrink_kill+0xa9/0x2c0
[ 65.235359][ T6008] shrink_dentry_list+0x2c0/0x5b0
[ 65.240516][ T6008] shrink_dcache_parent+0xcb/0x3b0
[ 65.245635][ T6008] do_one_tree+0x23/0xe0
[ 65.249883][ T6008] shrink_dcache_for_umount+0xb4/0x180
[ 65.255429][ T6008] generic_shutdown_super+0x6a/0x2d0
[ 65.260707][ T6008] kill_litter_super+0x76/0xb0
[ 65.265464][ T6008] binderfs_kill_super+0x44/0x90
[ 65.270395][ T6008] deactivate_locked_super+0xc4/0x130
[ 65.275800][ T6008] cleanup_mnt+0x41f/0x4b0
[ 65.280381][ T6008] task_work_run+0x24f/0x310
[ 65.285138][ T6008] do_exit+0xa2a/0x28e0
[ 65.289318][ T6008] do_group_exit+0x207/0x2c0
[ 65.293907][ T6008] get_signal+0x16b2/0x1750
[ 65.298569][ T6008] arch_do_signal_or_restart+0x96/0x860
[ 65.304431][ T6008] syscall_exit_to_user_mode+0xce/0x340
[ 65.309969][ T6008] do_syscall_64+0x100/0x230
[ 65.314555][ T6008] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 65.320731][ T6008]
[ 65.323053][ T6008] The buggy address belongs to the object at ffff888011804400
[ 65.323053][ T6008] which belongs to the cache kmalloc-512 of size 512
[ 65.337290][ T6008] The buggy address is located 8 bytes inside of
[ 65.337290][ T6008] freed 512-byte region [ffff888011804400, ffff888011804600)
[ 65.350910][ T6008]
[ 65.353240][ T6008] The buggy address belongs to the physical page:
[ 65.359832][ T6008] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11804
[ 65.368678][ T6008] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 65.377185][ T6008] ksm flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 65.385087][ T6008] page_type: f5(slab)
[ 65.389062][ T6008] raw: 00fff00000000040 ffff88801ac41c80 ffffea00009fc300 dead000000000003
[ 65.397636][ T6008] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 65.406210][ T6008] head: 00fff00000000040 ffff88801ac41c80 ffffea00009fc300 dead000000000003
[ 65.414870][ T6008] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 65.423531][ T6008] head: 00fff00000000002 ffffea0000460101 ffffffffffffffff 0000000000000000
[ 65.432190][ T6008] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 65.440843][ T6008] page dumped because: kasan: bad access detected
[ 65.447252][ T6008] page_owner tracks the page as allocated
[ 65.452953][ T6008] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5221, tgid 5221 (udevd), ts 35344703798, free_ts 32715727301
[ 65.473800][ T6008] post_alloc_hook+0x1f4/0x240
[ 65.478559][ T6008] get_page_from_freelist+0x365c/0x37a0
[ 65.484094][ T6008] __alloc_frozen_pages_noprof+0x292/0x710
[ 65.489895][ T6008] alloc_pages_mpol+0x311/0x660
[ 65.494735][ T6008] allocate_slab+0x8f/0x3a0
[ 65.499229][ T6008] ___slab_alloc+0xc27/0x14a0
[ 65.503906][ T6008] __slab_alloc+0x58/0xa0
[ 65.508226][ T6008] __kmalloc_cache_noprof+0x27b/0x390
[ 65.513757][ T6008] kernfs_fop_open+0x3e0/0xd10
[ 65.518509][ T6008] do_dentry_open+0xdec/0x1960
[ 65.523304][ T6008] vfs_open+0x3b/0x370
[ 65.527532][ T6008] path_openat+0x2c81/0x3590
[ 65.532113][ T6008] do_filp_open+0x27f/0x4e0
[ 65.536649][ T6008] do_sys_openat2+0x13e/0x1d0
[ 65.541347][ T6008] __x64_sys_openat+0x247/0x2a0
[ 65.546276][ T6008] do_syscall_64+0xf3/0x230
[ 65.550776][ T6008] page last free pid 5212 tgid 5212 stack trace:
[ 65.557173][ T6008] free_frozen_pages+0xe0d/0x10e0
[ 65.562189][ T6008] __slab_free+0x2c2/0x380
[ 65.566626][ T6008] qlist_free_all+0x9a/0x140
[ 65.571206][ T6008] kasan_quarantine_reduce+0x14f/0x170
[ 65.576655][ T6008] __kasan_slab_alloc+0x23/0x80
[ 65.581495][ T6008] kmem_cache_alloc_noprof+0x1d9/0x380
[ 65.586942][ T6008] getname_flags+0xb7/0x540
[ 65.591436][ T6008] vfs_fstatat+0x3f/0x130
[ 65.595761][ T6008] __x64_sys_newfstatat+0x117/0x190
[ 65.600943][ T6008] do_syscall_64+0xf3/0x230
[ 65.605438][ T6008] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 65.611323][ T6008]
[ 65.613635][ T6008] Memory state around the buggy address:
[ 65.619247][ T6008]  ffff888011804300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.627388][ T6008]  ffff888011804380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.635461][ T6008] >ffff888011804400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.643523][ T6008]                       ^
[ 65.647851][ T6008]  ffff888011804480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.655901][ T6008]  ffff888011804500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.663948][ T6008] ==================================================================
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[ 65.749204][ T6008] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 65.756452][ T6008] CPU: 0 UID: 0 PID: 6008 Comm: syz-executor Not tainted 6.13.0-next-20250123-syzkaller #0
[ 65.766451][ T6008] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[ 65.776524][ T6008] Call Trace:
[ 65.779822][ T6008] <TASK>
[ 65.782762][ T6008] dump_stack_lvl+0x241/0x360
[ 65.787542][ T6008] ? __pfx_dump_stack_lvl+0x10/0x10
[ 65.792847][ T6008] ? __pfx__printk+0x10/0x10
[ 65.797453][ T6008] ? preempt_schedule+0xe1/0xf0
[ 65.802586][ T6008] ? vscnprintf+0x5d/0x90
[ 65.806928][ T6008] panic+0x349/0x880
[ 65.810833][ T6008] ? check_panic_on_warn+0x21/0xb0
[ 65.816048][ T6008] ? __pfx_panic+0x10/0x10
[ 65.820589][ T6008] ? _raw_spin_unlock_irqrestore+0x130/0x140
[ 65.826609][ T6008] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 65.832968][ T6008] ? print_report+0x502/0x550
[ 65.837762][ T6008] check_panic_on_warn+0x86/0xb0
[ 65.842719][ T6008] ? binder_add_device+0x5f/0xa0
[ 65.847673][ T6008] end_report+0x77/0x160
[ 65.851934][ T6008] kasan_report+0x154/0x180
[ 65.856461][ T6008] ? binder_add_device+0x5f/0xa0
[ 65.861434][ T6008] binder_add_device+0x5f/0xa0
[ 65.866390][ T6008] binderfs_binder_device_create+0x7bf/0x9c0
[ 65.872424][ T6008] binderfs_fill_super+0x944/0xd90
[ 65.877642][ T6008] ? __pfx_binderfs_fill_super+0x10/0x10
[ 65.883298][ T6008] ? shrinker_register+0x160/0x230
[ 65.888419][ T6008] ? sget_fc+0x909/0x9c0
[ 65.892666][ T6008] ? __pfx_set_anon_super_fc+0x10/0x10
[ 65.898198][ T6008] ? __pfx_binderfs_fill_super+0x10/0x10
[ 65.903829][ T6008] get_tree_nodev+0xb7/0x140
[ 65.908415][ T6008] vfs_get_tree+0x90/0x2b0
[ 65.912828][ T6008] do_new_mount+0x2be/0xb40
[ 65.917332][ T6008] ? __pfx_do_new_mount+0x10/0x10
[ 65.922347][ T6008] __se_sys_mount+0x2d6/0x3c0
[ 65.927015][ T6008] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 65.932994][ T6008] ? __pfx___se_sys_mount+0x10/0x10
[ 65.938179][ T6008] ? do_syscall_64+0x100/0x230
[ 65.942931][ T6008] ? __x64_sys_mount+0x20/0xc0
[ 65.947682][ T6008] do_syscall_64+0xf3/0x230
[ 65.952175][ T6008] ? clear_bhb_loop+0x35/0x90
[ 65.956847][ T6008] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 65.962731][ T6008] RIP: 0033:0x7f95e338e4ca
[ 65.967136][ T6008] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 65.986732][ T6008] RSP: 002b:00007ffd528e8f38 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 65.995136][ T6008] RAX: ffffffffffffffda RBX: 00007f95e340e663 RCX: 00007f95e338e4ca
[ 66.003125][ T6008] RDX: 00007f95e341dd57 RSI: 00007f95e340e663 RDI: 00007f95e341dd57
[ 66.011285][ T6008] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 66.019354][ T6008] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f95e3428440
[ 66.027421][ T6008] R13: 00007ffd528e8fb8 R14: 0000000000000009 R15: 0000000000000000
[ 66.035399][ T6008] </TASK>
[ 66.038691][ T6008] Kernel Offset: disabled
[ 66.043039][ T6008] Rebooting in 86400 seconds..