last executing test programs:
1.338363021s ago: executing program 4 (id=67):
setgid(0x0)
1.29420832s ago: executing program 4 (id=69):
getuid()
1.293308668s ago: executing program 4 (id=75):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/kernel/debug/damon/target_ids', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/sys/kernel/debug/damon/target_ids', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/kernel/debug/damon/target_ids', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/sys/kernel/debug/damon/target_ids', 0x800, 0x0)
1.229763749s ago: executing program 4 (id=80):
mbind(0x0, 0x0, 0x0, &(0x7f0000000000), 0x0, 0x0)
1.229543157s ago: executing program 4 (id=83):
time(&(0x7f0000000000))
1.210751947s ago: executing program 4 (id=86):
pause()
874.284975ms ago: executing program 2 (id=112):
remap_file_pages(0x0, 0x0, 0x0, 0x0, 0x0)
873.221214ms ago: executing program 3 (id=115):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/proc/keys', 0x0, 0x0)
865.127675ms ago: executing program 2 (id=116):
setpriority(0x0, 0x0, 0x0)
816.270742ms ago: executing program 3 (id=119):
mkdir(&(0x7f0000000000), 0x0)
816.014396ms ago: executing program 2 (id=120):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/snd/seq', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/snd/seq', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/snd/seq', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/snd/seq', 0x800, 0x0)
815.800321ms ago: executing program 1 (id=122):
inotify_add_watch(0xffffffffffffffff, &(0x7f0000000000), 0x0)
815.736303ms ago: executing program 3 (id=123):
clock_settime(0x0, &(0x7f0000000000))
815.69153ms ago: executing program 3 (id=124):
creat(&(0x7f0000000000), 0x0)
815.5954ms ago: executing program 0 (id=125):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/acpi_thermal_rel', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/acpi_thermal_rel', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/acpi_thermal_rel', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/acpi_thermal_rel', 0x800, 0x0)
766.218692ms ago: executing program 2 (id=126):
setitimer(0x0, &(0x7f0000000000), 0x0)
766.114018ms ago: executing program 1 (id=127):
syslog(0x0, 0x0, 0x0)
766.011322ms ago: executing program 3 (id=128):
syz_open_dev$sndhw(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$sndhw(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$sndhw(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$sndhw(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$sndhw(&(0x7f0000000140), 0xa, 0x0)
syz_open_dev$sndhw(&(0x7f0000000180), 0xa, 0x1)
syz_open_dev$sndhw(&(0x7f00000001c0), 0xa, 0x2)
syz_open_dev$sndhw(&(0x7f0000000200), 0xa, 0x800)
syz_open_dev$sndhw(&(0x7f0000000240), 0x14, 0x0)
syz_open_dev$sndhw(&(0x7f0000000280), 0x14, 0x1)
syz_open_dev$sndhw(&(0x7f00000002c0), 0x14, 0x2)
syz_open_dev$sndhw(&(0x7f0000000300), 0x14, 0x800)
syz_open_dev$sndhw(&(0x7f0000000340), 0x1e, 0x0)
syz_open_dev$sndhw(&(0x7f0000000380), 0x1e, 0x1)
syz_open_dev$sndhw(&(0x7f00000003c0), 0x1e, 0x2)
syz_open_dev$sndhw(&(0x7f0000000400), 0x1e, 0x800)
syz_open_dev$sndhw(&(0x7f0000000440), 0x28, 0x0)
syz_open_dev$sndhw(&(0x7f0000000480), 0x28, 0x1)
syz_open_dev$sndhw(&(0x7f00000004c0), 0x28, 0x2)
syz_open_dev$sndhw(&(0x7f0000000500), 0x28, 0x800)
765.938929ms ago: executing program 2 (id=129):
sync()
765.886134ms ago: executing program 1 (id=130):
exit(0x0)
765.839226ms ago: executing program 0 (id=131):
syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
748.661873ms ago: executing program 1 (id=132):
fsmount(0xffffffffffffffff, 0x0, 0x0)
738.156573ms ago: executing program 3 (id=133):
getpgrp(0x0)
686.287203ms ago: executing program 0 (id=134):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/xen/evtchn', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/xen/evtchn', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/xen/evtchn', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/xen/evtchn', 0x800, 0x0)
686.182648ms ago: executing program 1 (id=135):
symlink(&(0x7f0000000000), &(0x7f0000000000))
673.003534ms ago: executing program 0 (id=138):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ptmx', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ptmx', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ptmx', 0x800, 0x0)
617.43236ms ago: executing program 0 (id=139):
flistxattr(0xffffffffffffffff, &(0x7f0000000000), 0x0)
554.264763ms ago: executing program 0 (id=140):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/fs/smackfs/load', 0x2, 0x0)
28.87896ms ago: executing program 1 (id=136):
mmap(&(0x7efffffff000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000000000/0x1000000)=nil, 0x1000000, 0x7, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0001000000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)
0s ago: executing program 2 (id=142):
mmap(&(0x7efffffff000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000000000/0x1000000)=nil, 0x1000000, 0x7, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0001000000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.0.236' (ED25519) to the list of known hosts.
[ 64.088294][ T30] audit: type=1400 audit(1748265121.044:66): avc: denied { mounton } for pid=5803 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2022 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 64.095898][ T5803] cgroup: Unknown subsys name 'net'
[ 64.111049][ T30] audit: type=1400 audit(1748265121.044:67): avc: denied { mount } for pid=5803 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 64.138576][ T30] audit: type=1400 audit(1748265121.074:68): avc: denied { unmount } for pid=5803 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 64.254685][ T5803] cgroup: Unknown subsys name 'cpuset'
[ 64.263907][ T5803] cgroup: Unknown subsys name 'rlimit'
[ 64.483792][ T30] audit: type=1400 audit(1748265121.444:69): avc: denied { setattr } for pid=5803 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=820 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 64.507155][ T30] audit: type=1400 audit(1748265121.444:70): avc: denied { create } for pid=5803 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 64.546841][ T30] audit: type=1400 audit(1748265121.444:71): avc: denied { write } for pid=5803 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 64.567490][ T30] audit: type=1400 audit(1748265121.444:72): avc: denied { read } for pid=5803 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 64.589006][ T30] audit: type=1400 audit(1748265121.474:73): avc: denied { mounton } for pid=5803 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 64.614580][ T30] audit: type=1400 audit(1748265121.474:74): avc: denied { mount } for pid=5803 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
Setting up swapspace version 1, size = 127995904 bytes
[ 64.638045][ T30] audit: type=1400 audit(1748265121.494:75): avc: denied { read } for pid=5480 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=1
[ 64.659557][ T5805] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 65.618285][ T5803] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 68.444493][ T5941] mmap: syz.2.112 (5941) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst.
[ 69.185770][ T5968] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[ 69.242566][ T30] kauditd_printk_skb: 67 callbacks suppressed
[ 69.242582][ T30] audit: type=1400 audit(1748265126.204:143): avc: denied { sys_chroot } for pid=5973 comm="syz-executor" capability=18 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=cap_userns permissive=1
[ 69.289048][ T30] audit: type=1401 audit(1748265126.244:144): op=setxattr invalid_context="u:object_r:app_data_file:s0:c512,c768"
[ 69.464759][ T5973] ==================================================================
[ 69.472847][ T5973] BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x335/0x340
[ 69.481005][ T5973] Write of size 8 at addr ffff88807b446808 by task syz-executor/5973
[ 69.489069][ T5973]
[ 69.491409][ T5973] CPU: 0 UID: 0 PID: 5973 Comm: syz-executor Not tainted 6.15.0-syzkaller #0 PREEMPT(full)
[ 69.491434][ T5973] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 69.491451][ T5973] Call Trace:
[ 69.491458][ T5973]
[ 69.491468][ T5973] dump_stack_lvl+0x116/0x1f0
[ 69.491501][ T5973] print_report+0xc3/0x670
[ 69.491521][ T5973] ? __virt_addr_valid+0x5e/0x590
[ 69.491547][ T5973] ? __phys_addr+0xc6/0x150
[ 69.491569][ T5973] ? binderfs_evict_inode+0x335/0x340
[ 69.491588][ T5973] kasan_report+0xe0/0x110
[ 69.491608][ T5973] ? binderfs_evict_inode+0x335/0x340
[ 69.491629][ T5973] ? __pfx_binderfs_evict_inode+0x10/0x10
[ 69.491647][ T5973] binderfs_evict_inode+0x335/0x340
[ 69.491665][ T5973] evict+0x3e6/0x920
[ 69.491687][ T5973] ? __pfx_evict+0x10/0x10
[ 69.491710][ T5973] ? iput+0x519/0x880
[ 69.491733][ T5973] iput+0x521/0x880
[ 69.491756][ T5973] dentry_unlink_inode+0x29c/0x480
[ 69.491778][ T5973] __dentry_kill+0x1d0/0x600
[ 69.491799][ T5973] ? shrink_dentry_list+0x11a/0x5d0
[ 69.491823][ T5973] shrink_dentry_list+0x140/0x5d0
[ 69.491849][ T5973] ? shrink_dcache_parent+0x22/0x530
[ 69.491873][ T5973] shrink_dcache_parent+0xe1/0x530
[ 69.491897][ T5973] ? __pfx_shrink_dcache_parent+0x10/0x10
[ 69.491924][ T5973] ? d_walk+0x44c/0xa60
[ 69.491948][ T5973] shrink_dcache_for_umount+0xa5/0x3e0
[ 69.491976][ T5973] generic_shutdown_super+0x6c/0x390
[ 69.492001][ T5973] kill_litter_super+0x70/0xa0
[ 69.492026][ T5973] binderfs_kill_super+0x3b/0xa0
[ 69.492053][ T5973] deactivate_locked_super+0xc1/0x1a0
[ 69.492079][ T5973] deactivate_super+0xde/0x100
[ 69.492105][ T5973] cleanup_mnt+0x225/0x450
[ 69.492132][ T5973] task_work_run+0x150/0x240
[ 69.492153][ T5973] ? __pfx_task_work_run+0x10/0x10
[ 69.492172][ T5973] ? __put_net+0x3a/0x70
[ 69.492197][ T5973] do_exit+0xafb/0x2c30
[ 69.492225][ T5973] ? __pfx_do_exit+0x10/0x10
[ 69.492250][ T5973] ? do_raw_spin_lock+0x12c/0x2b0
[ 69.492270][ T5973] ? find_held_lock+0x2b/0x80
[ 69.492295][ T5973] do_group_exit+0xd3/0x2a0
[ 69.492328][ T5973] get_signal+0x2673/0x26d0
[ 69.492352][ T5973] ? rcu_is_watching+0x12/0xc0
[ 69.492378][ T5973] ? __pfx_get_signal+0x10/0x10
[ 69.492400][ T5973] ? putname+0x154/0x1a0
[ 69.492423][ T5973] arch_do_signal_or_restart+0x8f/0x7d0
[ 69.492449][ T5973] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 69.492474][ T5973] ? __pfx_do_unlinkat+0x10/0x10
[ 69.492501][ T5973] syscall_exit_to_user_mode+0x150/0x2a0
[ 69.492528][ T5973] do_syscall_64+0xda/0x260
[ 69.492555][ T5973] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.492574][ T5973] RIP: 0033:0x7f8dc918df17
[ 69.492593][ T5973] Code: Unable to access opcode bytes at 0x7f8dc918deed.
[ 69.492602][ T5973] RSP: 002b:00007f8dc94decb8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
[ 69.492620][ T5973] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f8dc918df17
[ 69.492633][ T5973] RDX: 00007f8dc94dece0 RSI: 00007f8dc94ded70 RDI: 00007f8dc94ded70
[ 69.492645][ T5973] RBP: 00007f8dc94ded70 R08: 0000000000000000 R09: 0000000000000000
[ 69.492657][ T5973] R10: 0000000000000100 R11: 0000000000000206 R12: 00007f8dc94dfe00
[ 69.492670][ T5973] R13: 00007f8dc921089d R14: 0000000000010eda R15: 00007f8dc94dfe40
[ 69.492689][ T5973]
[ 69.492696][ T5973]
[ 69.806095][ T5973] Allocated by task 5968:
[ 69.810406][ T5973] kasan_save_stack+0x33/0x60
[ 69.815069][ T5973] kasan_save_track+0x14/0x30
[ 69.819739][ T5973] __kasan_kmalloc+0xaa/0xb0
[ 69.824320][ T5973] binderfs_binder_device_create.isra.0+0x17a/0xb70
[ 69.830894][ T5973] binderfs_fill_super+0x8d4/0x1360
[ 69.836077][ T5973] get_tree_nodev+0xda/0x190
[ 69.840664][ T5973] vfs_get_tree+0x8b/0x340
[ 69.845064][ T5973] path_mount+0x14d4/0x1f20
[ 69.849551][ T5973] __x64_sys_mount+0x28d/0x310
[ 69.854303][ T5973] do_syscall_64+0xcd/0x260
[ 69.858795][ T5973] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.864670][ T5973]
[ 69.866974][ T5973] Freed by task 5968:
[ 69.870935][ T5973] kasan_save_stack+0x33/0x60
[ 69.875594][ T5973] kasan_save_track+0x14/0x30
[ 69.880259][ T5973] kasan_save_free_info+0x3b/0x60
[ 69.885273][ T5973] __kasan_slab_free+0x51/0x70
[ 69.890031][ T5973] kfree+0x2b6/0x4d0
[ 69.893915][ T5973] binderfs_evict_inode+0x29f/0x340
[ 69.899094][ T5973] evict+0x3e6/0x920
[ 69.902971][ T5973] iput+0x521/0x880
[ 69.906761][ T5973] dentry_unlink_inode+0x29c/0x480
[ 69.911856][ T5973] __dentry_kill+0x1d0/0x600
[ 69.916433][ T5973] shrink_dentry_list+0x140/0x5d0
[ 69.921447][ T5973] shrink_dcache_parent+0xe1/0x530
[ 69.926543][ T5973] shrink_dcache_for_umount+0xa5/0x3e0
[ 69.931988][ T5973] generic_shutdown_super+0x6c/0x390
[ 69.937348][ T5973] kill_litter_super+0x70/0xa0
[ 69.942099][ T5973] binderfs_kill_super+0x3b/0xa0
[ 69.947027][ T5973] deactivate_locked_super+0xc1/0x1a0
[ 69.952388][ T5973] deactivate_super+0xde/0x100
[ 69.957138][ T5973] cleanup_mnt+0x225/0x450
[ 69.961546][ T5973] task_work_run+0x150/0x240
[ 69.966121][ T5973] do_exit+0xafb/0x2c30
[ 69.970268][ T5973] do_group_exit+0xd3/0x2a0
[ 69.974765][ T5973] get_signal+0x2673/0x26d0
[ 69.979257][ T5973] arch_do_signal_or_restart+0x8f/0x7d0
[ 69.984797][ T5973] irqentry_exit_to_user_mode+0x13f/0x280
[ 69.990507][ T5973] asm_exc_page_fault+0x26/0x30
[ 69.995349][ T5973]
[ 69.997665][ T5973] The buggy address belongs to the object at ffff88807b446800
[ 69.997665][ T5973] which belongs to the cache kmalloc-512 of size 512
[ 70.011702][ T5973] The buggy address is located 8 bytes inside of
[ 70.011702][ T5973] freed 512-byte region [ffff88807b446800, ffff88807b446a00)
[ 70.025306][ T5973]
[ 70.027610][ T5973] The buggy address belongs to the physical page:
[ 70.034008][ T5973] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7b444
[ 70.042747][ T5973] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 70.051227][ T5973] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 70.058758][ T5973] page_type: f5(slab)
[ 70.062723][ T5973] raw: 00fff00000000040 ffff88801b441c80 ffffea0000a53200 dead000000000002
[ 70.071291][ T5973] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 70.079854][ T5973] head: 00fff00000000040 ffff88801b441c80 ffffea0000a53200 dead000000000002
[ 70.088506][ T5973] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 70.097163][ T5973] head: 00fff00000000002 ffffea0001ed1101 00000000ffffffff 00000000ffffffff
[ 70.105817][ T5973] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 70.114464][ T5973] page dumped because: kasan: bad access detected
[ 70.120865][ T5973] page_owner tracks the page as allocated
[ 70.126558][ T5973] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5154, tgid 5154 (mount), ts 19840711568, free_ts 17993577120
[ 70.146514][ T5973] post_alloc_hook+0x181/0x1b0
[ 70.151280][ T5973] get_page_from_freelist+0x135c/0x3920
[ 70.156806][ T5973] __alloc_frozen_pages_noprof+0x261/0x23f0
[ 70.162681][ T5973] alloc_pages_mpol+0x1fb/0x550
[ 70.167514][ T5973] new_slab+0x244/0x340
[ 70.171659][ T5973] ___slab_alloc+0xd9c/0x1940
[ 70.176326][ T5973] __slab_alloc.constprop.0+0x56/0xb0
[ 70.181688][ T5973] __kmalloc_noprof+0x2f2/0x510
[ 70.186519][ T5973] tomoyo_init_log+0x1385/0x2140
[ 70.191447][ T5973] tomoyo_supervisor+0x302/0x13b0
[ 70.196461][ T5973] tomoyo_mount_acl+0x50c/0x850
[ 70.201306][ T5973] tomoyo_mount_permission+0x16d/0x420
[ 70.206761][ T5973] security_sb_mount+0x9b/0x260
[ 70.211602][ T5973] path_mount+0x128/0x1f20
[ 70.216000][ T5973] __x64_sys_mount+0x28d/0x310
[ 70.220832][ T5973] do_syscall_64+0xcd/0x260
[ 70.225334][ T5973] page last free pid 1 tgid 1 stack trace:
[ 70.231130][ T5973] __free_frozen_pages+0x69d/0xff0
[ 70.236243][ T5973] free_contig_range+0x135/0x3f0
[ 70.241175][ T5973] destroy_args+0x66f/0x830
[ 70.245665][ T5973] debug_vm_pgtable+0x130e/0x2d50
[ 70.250674][ T5973] do_one_initcall+0x120/0x6e0
[ 70.255426][ T5973] kernel_init_freeable+0x5c2/0x900
[ 70.260606][ T5973] kernel_init+0x1c/0x2b0
[ 70.264918][ T5973] ret_from_fork+0x45/0x80
[ 70.269317][ T5973] ret_from_fork_asm+0x1a/0x30
[ 70.274073][ T5973]
[ 70.276376][ T5973] Memory state around the buggy address:
[ 70.281985][ T5973] ffff88807b446700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 70.290026][ T5973] ffff88807b446780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 70.298070][ T5973] >ffff88807b446800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.306109][ T5973] ^
[ 70.310414][ T5973] ffff88807b446880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[ 70.318456][ T5973] ffff88807b446900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.326500][ T5973] ==================================================================
[ 70.438230][ T5973] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 70.445466][ T5973] CPU: 1 UID: 0 PID: 5973 Comm: syz-executor Not tainted 6.15.0-syzkaller #0 PREEMPT(full)
[ 70.455536][ T5973] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 70.465592][ T5973] Call Trace:
[ 70.468870][ T5973]
[ 70.471798][ T5973] dump_stack_lvl+0x3d/0x1f0
[ 70.476405][ T5973] panic+0x71c/0x800
[ 70.480316][ T5973] ? __pfx_panic+0x10/0x10
[ 70.484741][ T5973] ? irqentry_exit+0x3b/0x90
[ 70.489340][ T5973] ? lockdep_hardirqs_on+0x7c/0x110
[ 70.494546][ T5973] ? preempt_schedule_thunk+0x16/0x30
[ 70.499922][ T5973] ? binderfs_evict_inode+0x335/0x340
[ 70.505297][ T5973] ? preempt_schedule_common+0x44/0xc0
[ 70.510767][ T5973] ? check_panic_on_warn+0x1f/0xb0
[ 70.515883][ T5973] ? binderfs_evict_inode+0x335/0x340
[ 70.521265][ T5973] check_panic_on_warn+0xab/0xb0
[ 70.526205][ T5973] end_report+0x107/0x170
[ 70.530543][ T5973] kasan_report+0xee/0x110
[ 70.534964][ T5973] ? binderfs_evict_inode+0x335/0x340
[ 70.540333][ T5973] ? __pfx_binderfs_evict_inode+0x10/0x10
[ 70.546038][ T5973] binderfs_evict_inode+0x335/0x340
[ 70.551224][ T5973] evict+0x3e6/0x920
[ 70.555124][ T5973] ? __pfx_evict+0x10/0x10
[ 70.559535][ T5973] ? iput+0x519/0x880
[ 70.563509][ T5973] iput+0x521/0x880
[ 70.567311][ T5973] dentry_unlink_inode+0x29c/0x480
[ 70.572416][ T5973] __dentry_kill+0x1d0/0x600
[ 70.577117][ T5973] ? shrink_dentry_list+0x11a/0x5d0
[ 70.582313][ T5973] shrink_dentry_list+0x140/0x5d0
[ 70.587338][ T5973] ? shrink_dcache_parent+0x22/0x530
[ 70.592618][ T5973] shrink_dcache_parent+0xe1/0x530
[ 70.597726][ T5973] ? __pfx_shrink_dcache_parent+0x10/0x10
[ 70.603443][ T5973] ? d_walk+0x44c/0xa60
[ 70.607601][ T5973] shrink_dcache_for_umount+0xa5/0x3e0
[ 70.613058][ T5973] generic_shutdown_super+0x6c/0x390
[ 70.618341][ T5973] kill_litter_super+0x70/0xa0
[ 70.623101][ T5973] binderfs_kill_super+0x3b/0xa0
[ 70.628038][ T5973] deactivate_locked_super+0xc1/0x1a0
[ 70.633407][ T5973] deactivate_super+0xde/0x100
[ 70.638171][ T5973] cleanup_mnt+0x225/0x450
[ 70.642583][ T5973] task_work_run+0x150/0x240
[ 70.647161][ T5973] ? __pfx_task_work_run+0x10/0x10
[ 70.652259][ T5973] ? __put_net+0x3a/0x70
[ 70.656493][ T5973] do_exit+0xafb/0x2c30
[ 70.660646][ T5973] ? __pfx_do_exit+0x10/0x10
[ 70.665230][ T5973] ? do_raw_spin_lock+0x12c/0x2b0
[ 70.670245][ T5973] ? find_held_lock+0x2b/0x80
[ 70.674916][ T5973] do_group_exit+0xd3/0x2a0
[ 70.679414][ T5973] get_signal+0x2673/0x26d0
[ 70.683910][ T5973] ? rcu_is_watching+0x12/0xc0
[ 70.688666][ T5973] ? __pfx_get_signal+0x10/0x10
[ 70.693506][ T5973] ? putname+0x154/0x1a0
[ 70.697742][ T5973] arch_do_signal_or_restart+0x8f/0x7d0
[ 70.703281][ T5973] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 70.709428][ T5973] ? __pfx_do_unlinkat+0x10/0x10
[ 70.714365][ T5973] syscall_exit_to_user_mode+0x150/0x2a0
[ 70.719996][ T5973] do_syscall_64+0xda/0x260
[ 70.724503][ T5973] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.730388][ T5973] RIP: 0033:0x7f8dc918df17
[ 70.734790][ T5973] Code: Unable to access opcode bytes at 0x7f8dc918deed.
[ 70.741790][ T5973] RSP: 002b:00007f8dc94decb8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
[ 70.750189][ T5973] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f8dc918df17
[ 70.758147][ T5973] RDX: 00007f8dc94dece0 RSI: 00007f8dc94ded70 RDI: 00007f8dc94ded70
[ 70.766106][ T5973] RBP: 00007f8dc94ded70 R08: 0000000000000000 R09: 0000000000000000
[ 70.774064][ T5973] R10: 0000000000000100 R11: 0000000000000206 R12: 00007f8dc94dfe00
[ 70.782023][ T5973] R13: 00007f8dc921089d R14: 0000000000010eda R15: 00007f8dc94dfe40
[ 70.790071][ T5973]
[ 70.793282][ T5973] Kernel Offset: disabled
[ 70.797588][ T5973] Rebooting in 86400 seconds..