last executing test programs: 1.196859129s ago: executing program 1 (id=233): socket$inet6_dccp(0xa, 0x6, 0x0) 771.988891ms ago: executing program 0 (id=236): openat(0xffffffffffffff9c, &(0x7f0000000040)='/selinux/create', 0x2, 0x0) 648.5457ms ago: executing program 0 (id=237): rt_sigpending(&(0x7f0000000000), 0x0) 647.980591ms ago: executing program 1 (id=238): openat(0xffffffffffffff9c, &(0x7f0000000040)='/proc/sys/fs/binfmt_misc/syz0', 0x2, 0x0) 547.539259ms ago: executing program 0 (id=239): inotify_init1(0x0) 455.513446ms ago: executing program 1 (id=240): openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/fs/smackfs/access', 0x2, 0x0) 454.441396ms ago: executing program 0 (id=241): syz_open_dev$usbfs(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$usbfs(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$usbfs(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$usbfs(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$usbfs(&(0x7f0000000140), 0xa, 0x0) syz_open_dev$usbfs(&(0x7f0000000180), 0xa, 0x1) syz_open_dev$usbfs(&(0x7f00000001c0), 0xa, 0x2) syz_open_dev$usbfs(&(0x7f0000000200), 0xa, 0x800) syz_open_dev$usbfs(&(0x7f0000000240), 0x14, 0x0) syz_open_dev$usbfs(&(0x7f0000000280), 0x14, 0x1) syz_open_dev$usbfs(&(0x7f00000002c0), 0x14, 0x2) syz_open_dev$usbfs(&(0x7f0000000300), 0x14, 0x800) syz_open_dev$usbfs(&(0x7f0000000340), 0x1e, 0x0) syz_open_dev$usbfs(&(0x7f0000000380), 0x1e, 0x1) syz_open_dev$usbfs(&(0x7f00000003c0), 0x1e, 0x2) syz_open_dev$usbfs(&(0x7f0000000400), 0x1e, 0x800) syz_open_dev$usbfs(&(0x7f0000000440), 0x28, 0x0) syz_open_dev$usbfs(&(0x7f0000000480), 0x28, 0x1) syz_open_dev$usbfs(&(0x7f00000004c0), 0x28, 0x2) syz_open_dev$usbfs(&(0x7f0000000500), 0x28, 0x800) 326.863405ms ago: executing program 1 (id=242): lsm_set_self_attr(0x0, &(0x7f0000000000), 0x0, 0x0) 208.929164ms ago: executing program 0 (id=243): openat(0xffffffffffffff9c, &(0x7f0000000040)='/proc/capi/capi20ncci', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/proc/capi/capi20ncci', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/proc/capi/capi20ncci', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/proc/capi/capi20ncci', 0x800, 0x0) 208.578174ms ago: executing program 1 (id=244): pidfd_send_signal(0xffffffffffffffff, 0x0, &(0x7f0000000000), 0x0) 87.969694ms ago: executing program 0 (id=245): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hpet', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/hpet', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/hpet', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/hpet', 0x800, 0x0) 0s ago: executing program 1 (id=246): rename(&(0x7f0000000000), &(0x7f0000000000)) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:64509' (ED25519) to the list of known hosts. [ 117.070687][ T30] audit: type=1400 audit(116.830:48): avc: denied { name_bind } for pid=3302 comm="sshd-session" src=30005 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=1 [ 117.326426][ T30] audit: type=1400 audit(117.090:49): avc: denied { execute } for pid=3303 comm="sh" name="syz-executor" dev="vda" ino=1867 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 117.332016][ T30] audit: type=1400 audit(117.090:50): avc: denied { execute_no_trans } for pid=3303 comm="sh" path="/syz-executor" dev="vda" ino=1867 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 120.807012][ T30] audit: type=1400 audit(120.570:51): avc: denied { mounton } for pid=3303 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1868 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 120.816916][ T30] audit: type=1400 audit(120.580:52): avc: denied { mount } for pid=3303 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 120.844805][ T3303] cgroup: Unknown subsys name 'net' [ 120.860655][ T30] audit: type=1400 audit(120.620:53): avc: denied { unmount } for pid=3303 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 121.042672][ T3303] cgroup: Unknown subsys name 'cpuset' [ 121.074483][ T3303] cgroup: Unknown subsys name 'rlimit' [ 121.356972][ T30] audit: type=1400 audit(121.120:54): avc: denied { setattr } for pid=3303 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 121.373809][ T30] audit: type=1400 audit(121.130:55): avc: denied { create } for pid=3303 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 121.382776][ T30] audit: type=1400 audit(121.140:56): avc: denied { write } for pid=3303 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 121.389383][ T30] audit: type=1400 audit(121.150:57): avc: denied { module_request } for pid=3303 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 121.919251][ T3306] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 122.015095][ T3303] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 129.121929][ T30] kauditd_printk_skb: 7 callbacks suppressed [ 129.122463][ T30] audit: type=1400 audit(128.880:65): avc: denied { execmem } for pid=3307 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 129.180181][ T30] audit: type=1400 audit(128.940:66): avc: denied { read } for pid=3309 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 129.184707][ T30] audit: type=1400 audit(128.940:67): avc: denied { open } for pid=3309 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 129.194724][ T30] audit: type=1400 audit(128.960:68): avc: denied { mounton } for pid=3309 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 129.826719][ T30] audit: type=1400 audit(129.590:69): avc: denied { mount } for pid=3309 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 129.836083][ T30] audit: type=1400 audit(129.600:70): avc: denied { mounton } for pid=3309 comm="syz-executor" path="/syzkaller.YVx87w/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 129.847144][ T30] audit: type=1400 audit(129.610:71): avc: denied { mount } for pid=3309 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 129.864705][ T30] audit: type=1400 audit(129.630:72): avc: denied { mounton } for pid=3309 comm="syz-executor" path="/syzkaller.YVx87w/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 129.873482][ T30] audit: type=1400 audit(129.630:73): avc: denied { mounton } for pid=3309 comm="syz-executor" path="/syzkaller.YVx87w/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=2425 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 129.892413][ T30] audit: type=1400 audit(129.650:74): avc: denied { unmount } for pid=3309 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 130.377678][ T3316] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 134.374672][ T30] kauditd_printk_skb: 18 callbacks suppressed [ 134.375215][ T30] audit: type=1400 audit(134.140:93): avc: denied { read } for pid=3369 comm="syz.0.55" name="card0" dev="devtmpfs" ino=617 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1 [ 134.384120][ T30] audit: type=1400 audit(134.150:94): avc: denied { open } for pid=3369 comm="syz.0.55" path="/dev/dri/card0" dev="devtmpfs" ino=617 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1 [ 134.450802][ T30] audit: type=1400 audit(134.210:95): avc: denied { write } for pid=3369 comm="syz.0.55" name="card0" dev="devtmpfs" ino=617 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1 [ 135.022289][ T30] audit: type=1400 audit(134.780:96): avc: denied { create } for pid=3377 comm="syz.1.63" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=icmp_socket permissive=1 [ 135.059298][ T30] audit: type=1400 audit(134.820:97): avc: denied { create } for pid=3378 comm="syz.0.64" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_netfilter_socket permissive=1 [ 135.215912][ T30] audit: type=1400 audit(134.980:98): avc: denied { read } for pid=3380 comm="syz.0.66" name="rtc0" dev="devtmpfs" ino=707 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:clock_device_t tclass=chr_file permissive=1 [ 135.219257][ T30] audit: type=1400 audit(134.980:99): avc: denied { open } for pid=3380 comm="syz.0.66" path="/dev/rtc0" dev="devtmpfs" ino=707 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:clock_device_t tclass=chr_file permissive=1 [ 135.226192][ T30] audit: type=1400 audit(134.990:100): avc: denied { write } for pid=3380 comm="syz.0.66" name="rtc0" dev="devtmpfs" ino=707 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:clock_device_t tclass=chr_file permissive=1 [ 138.016254][ T30] audit: type=1400 audit(137.780:101): avc: denied { read write } for pid=3407 comm="syz.0.93" name="vhost-vsock" dev="devtmpfs" ino=714 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:vhost_device_t tclass=chr_file permissive=1 [ 138.018123][ T30] audit: type=1400 audit(137.780:102): avc: denied { open } for pid=3407 comm="syz.0.93" path="/dev/vhost-vsock" dev="devtmpfs" ino=714 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:vhost_device_t tclass=chr_file permissive=1 [ 139.902542][ T30] kauditd_printk_skb: 2 callbacks suppressed [ 139.905648][ T30] audit: type=1400 audit(139.660:105): avc: denied { create } for pid=3430 comm="syz.0.115" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_crypto_socket permissive=1 [ 140.309870][ T30] audit: type=1400 audit(140.070:106): avc: denied { create } for pid=3436 comm="syz.1.121" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=ax25_socket permissive=1 [ 140.482863][ T30] audit: type=1400 audit(140.250:107): avc: denied { create } for pid=3439 comm="syz.0.123" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=tipc_socket permissive=1 [ 141.924388][ T30] audit: type=1400 audit(141.690:108): avc: denied { create } for pid=3456 comm="syz.0.139" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=xdp_socket permissive=1 [ 142.258078][ T30] audit: type=1400 audit(142.020:109): avc: denied { create } for pid=3459 comm="syz.1.142" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 142.748446][ T30] audit: type=1400 audit(142.510:110): avc: denied { create } for pid=3463 comm="syz.0.145" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=vsock_socket permissive=1 [ 142.803566][ T30] audit: type=1400 audit(142.560:111): avc: denied { create } for pid=3464 comm="syz.1.146" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=can_socket permissive=1 [ 143.797587][ T30] audit: type=1400 audit(143.560:112): avc: denied { create } for pid=3474 comm="syz.1.156" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=pppox_socket permissive=1 [ 144.237472][ T3481] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 144.681861][ T30] audit: type=1400 audit(144.430:113): avc: denied { read } for pid=3486 comm="syz.0.164" name="snapshot" dev="devtmpfs" ino=85 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:acpi_bios_t tclass=chr_file permissive=1 [ 144.682479][ T30] audit: type=1400 audit(144.440:114): avc: denied { open } for pid=3486 comm="syz.0.164" path="/dev/snapshot" dev="devtmpfs" ino=85 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:acpi_bios_t tclass=chr_file permissive=1 [ 145.305496][ T30] kauditd_printk_skb: 2 callbacks suppressed [ 145.305974][ T30] audit: type=1400 audit(145.060:117): avc: denied { create } for pid=3496 comm="syz.1.174" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_xfrm_socket permissive=1 [ 146.236957][ T3508] mmap: syz.1.186 (3508) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst. [ 146.862163][ T30] audit: type=1400 audit(146.620:118): avc: denied { write } for pid=3516 comm="syz.0.194" name="random" dev="devtmpfs" ino=8 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:random_device_t tclass=chr_file permissive=1 [ 149.057503][ T30] audit: type=1400 audit(148.820:119): avc: denied { create } for pid=3546 comm="syz.1.223" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=nfc_socket permissive=1 [ 149.299730][ T30] audit: type=1400 audit(149.060:120): avc: denied { read write } for pid=3549 comm="syz.1.226" name="rdma_cm" dev="devtmpfs" ino=711 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:infiniband_device_t tclass=chr_file permissive=1 [ 149.310127][ T30] audit: type=1400 audit(149.070:121): avc: denied { open } for pid=3549 comm="syz.1.226" path="/dev/infiniband/rdma_cm" dev="devtmpfs" ino=711 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:infiniband_device_t tclass=chr_file permissive=1 [ 149.766399][ T30] audit: type=1400 audit(149.530:122): avc: denied { create } for pid=3556 comm="syz.1.233" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=dccp_socket permissive=1 [ 151.345053][ T3309] ================================================================== [ 151.345816][ T3309] BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x2ac/0x2b4 [ 151.346640][ T3309] Write of size 8 at addr ffff000016592408 by task syz-executor/3309 [ 151.346737][ T3309] [ 151.347533][ T3309] CPU: 1 UID: 0 PID: 3309 Comm: syz-executor Not tainted 6.15.0-syzkaller-03589-gfeacb1774bd5 #0 PREEMPT [ 151.347742][ T3309] Hardware name: linux,dummy-virt (DT) [ 151.348042][ T3309] Call trace: [ 151.348222][ T3309] show_stack+0x18/0x24 (C) [ 151.348361][ T3309] dump_stack_lvl+0xa4/0xf4 [ 151.348426][ T3309] print_report+0xf4/0x60c [ 151.348475][ T3309] kasan_report+0xc8/0x108 [ 151.348516][ T3309] __asan_report_store8_noabort+0x20/0x2c [ 151.348555][ T3309] binderfs_evict_inode+0x2ac/0x2b4 [ 151.348593][ T3309] evict+0x2c0/0x67c [ 151.348639][ T3309] iput+0x3b0/0x6b4 [ 151.348680][ T3309] dentry_unlink_inode+0x208/0x46c [ 151.348719][ T3309] __dentry_kill+0x150/0x52c [ 151.348758][ T3309] shrink_dentry_list+0x114/0x3ac [ 151.348797][ T3309] shrink_dcache_parent+0x158/0x354 [ 151.348837][ T3309] shrink_dcache_for_umount+0x88/0x304 [ 151.348877][ T3309] generic_shutdown_super+0x60/0x2e8 [ 151.348920][ T3309] kill_litter_super+0x68/0xa4 [ 151.348961][ T3309] binderfs_kill_super+0x38/0x88 [ 151.348998][ T3309] deactivate_locked_super+0x98/0x17c [ 151.349042][ T3309] deactivate_super+0xb0/0xd4 [ 151.349083][ T3309] cleanup_mnt+0x198/0x424 [ 151.349166][ T3309] __cleanup_mnt+0x14/0x20 [ 151.349209][ T3309] task_work_run+0x128/0x210 [ 151.349256][ T3309] do_exit+0x7b4/0x1f68 [ 151.349295][ T3309] do_group_exit+0xa4/0x208 [ 151.349332][ T3309] get_signal+0x1b04/0x1bac [ 151.349373][ T3309] do_signal+0x160/0x620 [ 151.349410][ T3309] do_notify_resume+0x18c/0x258 [ 151.349450][ T3309] el0_svc_compat+0xfc/0x17c [ 151.349492][ T3309] el0t_32_sync_handler+0x98/0x13c [ 151.349532][ T3309] el0t_32_sync+0x19c/0x1a0 [ 151.349710][ T3309] [ 151.350518][ T3309] Allocated by task 3310: [ 151.350754][ T3309] kasan_save_stack+0x3c/0x64 [ 151.350875][ T3309] kasan_save_track+0x20/0x3c [ 151.350959][ T3309] kasan_save_alloc_info+0x40/0x54 [ 151.351133][ T3309] __kasan_kmalloc+0xb8/0xbc [ 151.351222][ T3309] __kmalloc_cache_noprof+0x1b0/0x3cc [ 151.351304][ T3309] binderfs_binder_device_create.isra.0+0x150/0xa28 [ 151.351384][ T3309] binderfs_fill_super+0x69c/0xed4 [ 151.351460][ T3309] get_tree_nodev+0xac/0x148 [ 151.351540][ T3309] binderfs_fs_context_get_tree+0x18/0x24 [ 151.351617][ T3309] vfs_get_tree+0x74/0x280 [ 151.351695][ T3309] path_mount+0xe54/0x1830 [ 151.351847][ T3309] __arm64_sys_mount+0x304/0x3dc [ 151.351931][ T3309] invoke_syscall+0x6c/0x258 [ 151.352010][ T3309] el0_svc_common.constprop.0+0xac/0x230 [ 151.352086][ T3309] do_el0_svc_compat+0x40/0x68 [ 151.352172][ T3309] el0_svc_compat+0x4c/0x17c [ 151.352249][ T3309] el0t_32_sync_handler+0x98/0x13c [ 151.352328][ T3309] el0t_32_sync+0x19c/0x1a0 [ 151.352445][ T3309] [ 151.352530][ T3309] Freed by task 3310: [ 151.352618][ T3309] kasan_save_stack+0x3c/0x64 [ 151.352703][ T3309] kasan_save_track+0x20/0x3c [ 151.352781][ T3309] kasan_save_free_info+0x4c/0x74 [ 151.352855][ T3309] __kasan_slab_free+0x50/0x6c [ 151.352933][ T3309] kfree+0x1bc/0x444 [ 151.353008][ T3309] binderfs_evict_inode+0x238/0x2b4 [ 151.353084][ T3309] evict+0x2c0/0x67c [ 151.353207][ T3309] iput+0x3b0/0x6b4 [ 151.353286][ T3309] dentry_unlink_inode+0x208/0x46c [ 151.353364][ T3309] __dentry_kill+0x150/0x52c [ 151.353442][ T3309] shrink_dentry_list+0x114/0x3ac [ 151.353520][ T3309] shrink_dcache_parent+0x158/0x354 [ 151.353602][ T3309] shrink_dcache_for_umount+0x88/0x304 [ 151.353681][ T3309] generic_shutdown_super+0x60/0x2e8 [ 151.353762][ T3309] kill_litter_super+0x68/0xa4 [ 151.353840][ T3309] binderfs_kill_super+0x38/0x88 [ 151.353916][ T3309] deactivate_locked_super+0x98/0x17c [ 151.353999][ T3309] deactivate_super+0xb0/0xd4 [ 151.354078][ T3309] cleanup_mnt+0x198/0x424 [ 151.354169][ T3309] __cleanup_mnt+0x14/0x20 [ 151.354248][ T3309] task_work_run+0x128/0x210 [ 151.354328][ T3309] do_exit+0x7b4/0x1f68 [ 151.354403][ T3309] do_group_exit+0xa4/0x208 [ 151.354478][ T3309] get_signal+0x1b04/0x1bac [ 151.354556][ T3309] do_signal+0x160/0x620 [ 151.354631][ T3309] do_notify_resume+0x18c/0x258 [ 151.354709][ T3309] el0_svc_compat+0xfc/0x17c [ 151.354786][ T3309] el0t_32_sync_handler+0x98/0x13c [ 151.354863][ T3309] el0t_32_sync+0x19c/0x1a0 [ 151.354979][ T3309] [ 151.355109][ T3309] The buggy address belongs to the object at ffff000016592400 [ 151.355109][ T3309] which belongs to the cache kmalloc-512 of size 512 [ 151.355262][ T3309] The buggy address is located 8 bytes inside of [ 151.355262][ T3309] freed 512-byte region [ffff000016592400, ffff000016592600) [ 151.355356][ T3309] [ 151.355486][ T3309] The buggy address belongs to the physical page: [ 151.355908][ T3309] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x56590 [ 151.356429][ T3309] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 151.356565][ T3309] anon flags: 0x1ffc00000000040(head|node=0|zone=0|lastcpupid=0x7ff) [ 151.357000][ T3309] page_type: f5(slab) [ 151.357442][ T3309] raw: 01ffc00000000040 ffff00000dc01c80 0000000000000000 dead000000000001 [ 151.357549][ T3309] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 151.357692][ T3309] head: 01ffc00000000040 ffff00000dc01c80 0000000000000000 dead000000000001 [ 151.357773][ T3309] head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 151.357848][ T3309] head: 01ffc00000000002 fffffdffc0596401 00000000ffffffff 00000000ffffffff [ 151.357922][ T3309] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 151.358034][ T3309] page dumped because: kasan: bad access detected [ 151.358128][ T3309] [ 151.358201][ T3309] Memory state around the buggy address: [ 151.358517][ T3309] ffff000016592300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 151.358635][ T3309] ffff000016592380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 151.358730][ T3309] >ffff000016592400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 151.358824][ T3309] ^ [ 151.358954][ T3309] ffff000016592480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 151.359027][ T3309] ffff000016592500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 151.359167][ T3309] ================================================================== SYZFAIL: failed to recv rpc [ 151.529399][ T3309] Disabling lock debugging due to kernel taint fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) VM DIAGNOSIS: 15:15:45 Registers: info registers vcpu 0 CPU#0 PC=ffff800081040b04 X00=ffff000012b94f00 X01=ffff800080007a80 X02=0000000000000000 X03=1fffe00001df2001 X04=0000000000000001 X05=ffff800080007ac0 X06=ffff700011a68ef7 X07=0000000000000000 X08=ffff800080007a18 X09=dfff800000000000 X10=ffff700010000f42 X11=1ffff00010000f42 X12=ffff8000872cbde0 X13=0000000000000000 X14=1fffe0000d4174d6 X15=ffff00000e3bd080 X16=ffff80008707efc0 X17=ffff80008707efc0 X18=ffff80008000787c X19=ffff800080986314 X20=ffff800089746cc0 X21=0000000000000002 X22=ffff00000e14db40 X23=ffff8000803e11bc X24=0000000000112100 X25=0000000000000000 X26=0000000000000000 X27=ffff000012b94f00 X28=0000000000000001 X29=ffff800080007890 X30=ffff80008546601c SP=ffff800080007890 PSTATE=10000005 ---V EL1h FPCR=00000000 FPSR=00000000 Q00=44455a494c414954:494e495f43455355 Q01=44455a494c414954:494e495f43455355 Q02=0000000000000000:ffff0000f0000000 Q03=0000ff0000ff0000:ffff000000ff0000 Q04=0000000000000000:00f00f00ff000f00 Q05=0000000000000000:00000000cccccc00 Q06=63627c2a6476787c:2a64767c2a72737c Q07=7361647c2a737369:63637c2a65686361 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000ffffefbcce00:0000ffffefbcce00 Q17=ffffff80ffffffd0:0000ffffefbccdd0 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff800085465e80 X00=ffff8000801ae4ec X01=ffff80008580d8e0 X02=0000000000000000 X03=0000000000000000 X04=0000000000000008 X05=ffff80008db17468 X06=ffff80008db17480 X07=ffff80008db17530 X08=ffff80008db17447 X09=dfff800000000000 X10=ffff700011b62e88 X11=ffff80008706a34c X12=0000000000000546 X13=0000000000000000 X14=ffff800080906bd8 X15=ffff800084b3d3c8 X16=ffff8000803a4278 X17=ffff8000803a5844 X18=1ffff0001430ef38 X19=ffff00000f4b9e40 X20=ffff80008db17388 X21=ffff00000f4b9e40 X22=0000000000000000 X23=ffff000016ae7318 X24=dfff800000000000 X25=ffff000012930000 X26=ffff00000f4b9e40 X27=1fffe00002d5ce63 X28=ffff000012930000 X29=ffff80008db17390 X30=ffff80008546601c SP=ffff80008db174d0 PSTATE=100000c5 ---V EL1h FPCR=00000000 FPSR=00000000 Q00=0000000000000000:0000000000000000 Q01=0000000000000000:0000000000000000 Q02=0000000000000000:0000000000000000 Q03=0000000000000000:0000000000000000 Q04=0000000000000000:0000000000000000 Q05=0000000000000000:0000000000000000 Q06=0000000000000000:0000000000000000 Q07=0000000000000000:0000000000000000 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000000000000000:0000000000000000 Q17=0000000000000000:0000000000000000 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000