last executing test programs: 1.570937192s ago: executing program 0 (id=176): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vsock', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vsock', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/vsock', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vsock', 0x800, 0x0) 1.443460479s ago: executing program 0 (id=177): openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/fs/smackfs/change-rule', 0x2, 0x0) 1.213009992s ago: executing program 0 (id=180): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/video37', 0x2, 0x0) 998.006164ms ago: executing program 0 (id=182): sched_getaffinity(0x0, 0x0, &(0x7f0000000000)) 813.820434ms ago: executing program 0 (id=184): munlockall() 730.297399ms ago: executing program 1 (id=185): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/infiniband/uverbs0', 0x2, 0x0) 591.347017ms ago: executing program 1 (id=186): socket$inet6_udplite(0xa, 0x2, 0x88) 591.032227ms ago: executing program 0 (id=187): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/audio1', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/audio1', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/audio1', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/audio1', 0x800, 0x0) 433.124716ms ago: executing program 1 (id=188): socket$igmp(0x2, 0x3, 0x2) 233.783877ms ago: executing program 1 (id=189): setresuid(0x0, 0x0, 0x0) 150.539811ms ago: executing program 1 (id=190): syz_open_dev$sndpcmc(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$sndpcmc(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$sndpcmc(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$sndpcmc(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$sndpcmc(&(0x7f0000000140), 0xa, 0x0) syz_open_dev$sndpcmc(&(0x7f0000000180), 0xa, 0x1) syz_open_dev$sndpcmc(&(0x7f00000001c0), 0xa, 0x2) syz_open_dev$sndpcmc(&(0x7f0000000200), 0xa, 0x800) syz_open_dev$sndpcmc(&(0x7f0000000240), 0x14, 0x0) syz_open_dev$sndpcmc(&(0x7f0000000280), 0x14, 0x1) syz_open_dev$sndpcmc(&(0x7f00000002c0), 0x14, 0x2) syz_open_dev$sndpcmc(&(0x7f0000000300), 0x14, 0x800) syz_open_dev$sndpcmc(&(0x7f0000000340), 0x1e, 0x0) syz_open_dev$sndpcmc(&(0x7f0000000380), 0x1e, 0x1) syz_open_dev$sndpcmc(&(0x7f00000003c0), 0x1e, 0x2) syz_open_dev$sndpcmc(&(0x7f0000000400), 0x1e, 0x800) syz_open_dev$sndpcmc(&(0x7f0000000440), 0x28, 0x0) syz_open_dev$sndpcmc(&(0x7f0000000480), 0x28, 0x1) syz_open_dev$sndpcmc(&(0x7f00000004c0), 0x28, 0x2) syz_open_dev$sndpcmc(&(0x7f0000000500), 0x28, 0x800) 0s ago: executing program 1 (id=191): personality(0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:64193' (ED25519) to the list of known hosts. [ 175.033749][ T30] audit: type=1400 audit(174.660:48): avc: denied { name_bind } for pid=3306 comm="sshd-session" src=30003 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:tcs_port_t tclass=tcp_socket permissive=1 [ 175.395600][ T30] audit: type=1400 audit(175.030:49): avc: denied { execute } for pid=3307 comm="sh" name="syz-executor" dev="vda" ino=1867 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 175.402238][ T30] audit: type=1400 audit(175.030:50): avc: denied { execute_no_trans } for pid=3307 comm="sh" path="/syz-executor" dev="vda" ino=1867 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 180.281747][ T30] audit: type=1400 audit(179.910:51): avc: denied { mounton } for pid=3307 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1868 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 180.303387][ T30] audit: type=1400 audit(179.920:52): avc: denied { mount } for pid=3307 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 180.346650][ T3307] cgroup: Unknown subsys name 'net' [ 180.372933][ T30] audit: type=1400 audit(180.000:53): avc: denied { unmount } for pid=3307 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 180.765432][ T3307] cgroup: Unknown subsys name 'cpuset' [ 180.805818][ T3307] cgroup: Unknown subsys name 'rlimit' [ 181.208169][ T30] audit: type=1400 audit(180.840:54): avc: denied { setattr } for pid=3307 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 181.209411][ T30] audit: type=1400 audit(180.840:55): avc: denied { create } for pid=3307 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 181.220840][ T30] audit: type=1400 audit(180.840:56): avc: denied { write } for pid=3307 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 181.227411][ T30] audit: type=1400 audit(180.850:57): avc: denied { module_request } for pid=3307 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 181.368473][ T30] audit: type=1400 audit(181.000:58): avc: denied { read } for pid=3307 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 181.387070][ T30] audit: type=1400 audit(181.020:59): avc: denied { mounton } for pid=3307 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 181.403523][ T30] audit: type=1400 audit(181.020:60): avc: denied { mount } for pid=3307 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 181.798917][ T3310] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 181.947451][ T3307] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 194.531315][ T30] kauditd_printk_skb: 4 callbacks suppressed [ 194.534047][ T30] audit: type=1400 audit(194.140:65): avc: denied { execmem } for pid=3311 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 194.611404][ T30] audit: type=1400 audit(194.240:66): avc: denied { read } for pid=3313 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 194.624499][ T30] audit: type=1400 audit(194.250:67): avc: denied { open } for pid=3314 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 194.632171][ T30] audit: type=1400 audit(194.260:68): avc: denied { mounton } for pid=3314 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 195.545871][ T30] audit: type=1400 audit(195.180:69): avc: denied { mount } for pid=3313 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 195.563957][ T30] audit: type=1400 audit(195.190:70): avc: denied { mounton } for pid=3313 comm="syz-executor" path="/syzkaller.Ff7BNz/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 195.572180][ T30] audit: type=1400 audit(195.200:71): avc: denied { mount } for pid=3313 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 195.590104][ T30] audit: type=1400 audit(195.220:72): avc: denied { mounton } for pid=3313 comm="syz-executor" path="/syzkaller.Ff7BNz/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 195.598522][ T30] audit: type=1400 audit(195.230:73): avc: denied { mounton } for pid=3313 comm="syz-executor" path="/syzkaller.Ff7BNz/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=2000 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 195.619626][ T30] audit: type=1400 audit(195.250:74): avc: denied { unmount } for pid=3313 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 201.299987][ T30] kauditd_printk_skb: 21 callbacks suppressed [ 201.300970][ T30] audit: type=1400 audit(200.930:96): avc: denied { read } for pid=3365 comm="syz.1.45" name="autofs" dev="devtmpfs" ino=91 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:autofs_device_t tclass=chr_file permissive=1 [ 201.311141][ T30] audit: type=1400 audit(200.940:97): avc: denied { open } for pid=3365 comm="syz.1.45" path="/dev/autofs" dev="devtmpfs" ino=91 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:autofs_device_t tclass=chr_file permissive=1 [ 201.321896][ T30] audit: type=1400 audit(200.950:98): avc: denied { write } for pid=3365 comm="syz.1.45" name="autofs" dev="devtmpfs" ino=91 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:autofs_device_t tclass=chr_file permissive=1 [ 201.681772][ T30] audit: type=1400 audit(201.310:99): avc: denied { read write } for pid=3368 comm="syz.1.47" name="fuse" dev="devtmpfs" ino=92 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fuse_device_t tclass=chr_file permissive=1 [ 201.691149][ T30] audit: type=1400 audit(201.320:100): avc: denied { open } for pid=3368 comm="syz.1.47" path="/dev/fuse" dev="devtmpfs" ino=92 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fuse_device_t tclass=chr_file permissive=1 [ 202.011266][ T30] audit: type=1400 audit(201.640:101): avc: denied { read } for pid=3371 comm="syz.0.49" name="uhid" dev="devtmpfs" ino=712 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:uhid_device_t tclass=chr_file permissive=1 [ 202.048999][ T30] audit: type=1400 audit(201.680:102): avc: denied { open } for pid=3371 comm="syz.0.49" path="/dev/uhid" dev="devtmpfs" ino=712 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:uhid_device_t tclass=chr_file permissive=1 [ 202.089551][ T30] audit: type=1400 audit(201.710:103): avc: denied { write } for pid=3371 comm="syz.0.49" name="uhid" dev="devtmpfs" ino=712 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:uhid_device_t tclass=chr_file permissive=1 [ 203.094128][ T30] audit: type=1400 audit(202.720:104): avc: denied { create } for pid=3379 comm="syz.0.58" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rxrpc_socket permissive=1 [ 205.641492][ T30] audit: type=1400 audit(205.270:105): avc: denied { create } for pid=3398 comm="syz.1.76" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=phonet_socket permissive=1 [ 207.186462][ T30] audit: type=1400 audit(206.820:106): avc: denied { create } for pid=3408 comm="syz.0.85" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_netfilter_socket permissive=1 [ 209.818228][ T30] audit: type=1400 audit(209.450:107): avc: denied { read } for pid=3433 comm="syz.0.109" name="mice" dev="devtmpfs" ino=704 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:mouse_device_t tclass=chr_file permissive=1 [ 209.829568][ T30] audit: type=1400 audit(209.450:108): avc: denied { open } for pid=3433 comm="syz.0.109" path="/dev/input/mice" dev="devtmpfs" ino=704 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:mouse_device_t tclass=chr_file permissive=1 [ 209.838931][ T30] audit: type=1400 audit(209.470:109): avc: denied { write } for pid=3433 comm="syz.0.109" name="mice" dev="devtmpfs" ino=704 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:mouse_device_t tclass=chr_file permissive=1 [ 210.158698][ T30] audit: type=1400 audit(209.790:110): avc: denied { create } for pid=3437 comm="syz.1.113" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=can_socket permissive=1 [ 210.246500][ T30] audit: type=1400 audit(209.870:111): avc: denied { create } for pid=3438 comm="syz.0.114" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_xfrm_socket permissive=1 [ 210.575280][ T30] audit: type=1400 audit(210.210:112): avc: denied { create } for pid=3442 comm="syz.0.118" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=dccp_socket permissive=1 [ 211.387536][ T30] audit: type=1400 audit(211.020:113): avc: denied { create } for pid=3448 comm="syz.0.122" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=ieee802154_socket permissive=1 [ 212.497982][ T30] audit: type=1400 audit(212.130:114): avc: denied { create } for pid=3456 comm="syz.1.129" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=can_socket permissive=1 [ 213.253276][ T30] audit: type=1400 audit(212.880:115): avc: denied { sys_module } for pid=3465 comm="syz.0.138" capability=16 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability permissive=1 [ 216.943240][ T30] audit: type=1400 audit(216.570:116): avc: denied { write } for pid=3491 comm="syz.1.162" name="urandom" dev="devtmpfs" ino=9 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file permissive=1 [ 217.774800][ T30] audit: type=1400 audit(217.390:117): avc: denied { create } for pid=3498 comm="syz.1.170" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rawip_socket permissive=1 [ 218.220422][ T30] audit: type=1400 audit(217.800:118): avc: denied { create } for pid=3500 comm="syz.0.172" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_rdma_socket permissive=1 [ 218.528642][ T30] audit: type=1400 audit(218.160:119): avc: denied { create } for pid=3502 comm="syz.1.174" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=ax25_socket permissive=1 [ 219.797514][ T3515] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 221.006685][ T3314] ================================================================== [ 221.007457][ T3314] BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x2ac/0x2b4 [ 221.008315][ T3314] Write of size 8 at addr ffff000013eb9408 by task syz-executor/3314 [ 221.008417][ T3314] [ 221.009300][ T3314] CPU: 0 UID: 0 PID: 3314 Comm: syz-executor Not tainted 6.15.0-rc6-syzkaller-00278-g172a9d94339c #0 PREEMPT [ 221.009583][ T3314] Hardware name: linux,dummy-virt (DT) [ 221.009932][ T3314] Call trace: [ 221.010114][ T3314] show_stack+0x18/0x24 (C) [ 221.010268][ T3314] dump_stack_lvl+0xa4/0xf4 [ 221.010338][ T3314] print_report+0xf4/0x60c [ 221.010389][ T3314] kasan_report+0xc8/0x108 [ 221.010430][ T3314] __asan_report_store8_noabort+0x20/0x2c [ 221.010472][ T3314] binderfs_evict_inode+0x2ac/0x2b4 [ 221.010514][ T3314] evict+0x2c0/0x67c [ 221.010555][ T3314] iput+0x3b0/0x6b4 [ 221.010591][ T3314] dentry_unlink_inode+0x208/0x46c [ 221.010631][ T3314] __dentry_kill+0x150/0x52c [ 221.010685][ T3314] shrink_dentry_list+0x114/0x3a4 [ 221.010726][ T3314] shrink_dcache_parent+0x158/0x354 [ 221.010766][ T3314] shrink_dcache_for_umount+0x88/0x304 [ 221.010807][ T3314] generic_shutdown_super+0x60/0x2e8 [ 221.010851][ T3314] kill_litter_super+0x68/0xa4 [ 221.010894][ T3314] binderfs_kill_super+0x38/0x88 [ 221.010935][ T3314] deactivate_locked_super+0x98/0x17c [ 221.010977][ T3314] deactivate_super+0xb0/0xd4 [ 221.011018][ T3314] cleanup_mnt+0x198/0x424 [ 221.011058][ T3314] __cleanup_mnt+0x14/0x20 [ 221.011098][ T3314] task_work_run+0x128/0x210 [ 221.011137][ T3314] do_exit+0x7ac/0x1f68 [ 221.011177][ T3314] do_group_exit+0xa4/0x208 [ 221.011216][ T3314] get_signal+0x1b00/0x1ba8 [ 221.011257][ T3314] do_signal+0x160/0x620 [ 221.011294][ T3314] do_notify_resume+0x18c/0x258 [ 221.011333][ T3314] el0_svc+0x100/0x180 [ 221.011371][ T3314] el0t_64_sync_handler+0x10c/0x138 [ 221.011408][ T3314] el0t_64_sync+0x198/0x19c [ 221.011598][ T3314] [ 221.012694][ T3314] Allocated by task 3313: [ 221.012970][ T3314] kasan_save_stack+0x3c/0x64 [ 221.013090][ T3314] kasan_save_track+0x20/0x3c [ 221.013275][ T3314] kasan_save_alloc_info+0x40/0x54 [ 221.013354][ T3314] __kasan_kmalloc+0xb8/0xbc [ 221.013431][ T3314] __kmalloc_cache_noprof+0x1b0/0x3cc [ 221.013511][ T3314] binderfs_binder_device_create.isra.0+0x140/0x9a0 [ 221.013589][ T3314] binderfs_fill_super+0x69c/0xed4 [ 221.013675][ T3314] get_tree_nodev+0xac/0x148 [ 221.013749][ T3314] binderfs_fs_context_get_tree+0x18/0x24 [ 221.013827][ T3314] vfs_get_tree+0x74/0x280 [ 221.013905][ T3314] path_mount+0xe54/0x1808 [ 221.013988][ T3314] __arm64_sys_mount+0x304/0x3dc [ 221.014068][ T3314] invoke_syscall+0x6c/0x258 [ 221.014146][ T3314] el0_svc_common.constprop.0+0xac/0x230 [ 221.014230][ T3314] do_el0_svc+0x40/0x58 [ 221.014304][ T3314] el0_svc+0x50/0x180 [ 221.014377][ T3314] el0t_64_sync_handler+0x10c/0x138 [ 221.014453][ T3314] el0t_64_sync+0x198/0x19c [ 221.014564][ T3314] [ 221.014655][ T3314] Freed by task 3313: [ 221.014741][ T3314] kasan_save_stack+0x3c/0x64 [ 221.014827][ T3314] kasan_save_track+0x20/0x3c [ 221.014910][ T3314] kasan_save_free_info+0x4c/0x74 [ 221.014985][ T3314] __kasan_slab_free+0x50/0x6c [ 221.015063][ T3314] kfree+0x1bc/0x444 [ 221.015138][ T3314] binderfs_evict_inode+0x238/0x2b4 [ 221.015217][ T3314] evict+0x2c0/0x67c [ 221.015291][ T3314] iput+0x3b0/0x6b4 [ 221.015363][ T3314] dentry_unlink_inode+0x208/0x46c [ 221.015440][ T3314] __dentry_kill+0x150/0x52c [ 221.015516][ T3314] shrink_dentry_list+0x114/0x3a4 [ 221.015593][ T3314] shrink_dcache_parent+0x158/0x354 [ 221.015678][ T3314] shrink_dcache_for_umount+0x88/0x304 [ 221.015760][ T3314] generic_shutdown_super+0x60/0x2e8 [ 221.015840][ T3314] kill_litter_super+0x68/0xa4 [ 221.015921][ T3314] binderfs_kill_super+0x38/0x88 [ 221.016008][ T3314] deactivate_locked_super+0x98/0x17c [ 221.016089][ T3314] deactivate_super+0xb0/0xd4 [ 221.016169][ T3314] cleanup_mnt+0x198/0x424 [ 221.016247][ T3314] __cleanup_mnt+0x14/0x20 [ 221.016326][ T3314] task_work_run+0x128/0x210 [ 221.016402][ T3314] do_exit+0x7ac/0x1f68 [ 221.016507][ T3314] do_group_exit+0xa4/0x208 [ 221.016589][ T3314] get_signal+0x1b00/0x1ba8 [ 221.016675][ T3314] do_signal+0x160/0x620 [ 221.016753][ T3314] do_notify_resume+0x18c/0x258 [ 221.016831][ T3314] el0_svc+0x100/0x180 [ 221.016906][ T3314] el0t_64_sync_handler+0x10c/0x138 [ 221.016981][ T3314] el0t_64_sync+0x198/0x19c [ 221.017069][ T3314] [ 221.017191][ T3314] The buggy address belongs to the object at ffff000013eb9400 [ 221.017191][ T3314] which belongs to the cache kmalloc-512 of size 512 [ 221.017339][ T3314] The buggy address is located 8 bytes inside of [ 221.017339][ T3314] freed 512-byte region [ffff000013eb9400, ffff000013eb9600) [ 221.017431][ T3314] [ 221.017565][ T3314] The buggy address belongs to the physical page: [ 221.017977][ T3314] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x53eb8 [ 221.018529][ T3314] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 221.018720][ T3314] flags: 0x1ffc00000000040(head|node=0|zone=0|lastcpupid=0x7ff) [ 221.019282][ T3314] page_type: f5(slab) [ 221.019719][ T3314] raw: 01ffc00000000040 ffff00000dc01c80 dead000000000100 dead000000000122 [ 221.019822][ T3314] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 221.019969][ T3314] head: 01ffc00000000040 ffff00000dc01c80 dead000000000100 dead000000000122 [ 221.020049][ T3314] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 221.020124][ T3314] head: 01ffc00000000002 fffffdffc04fae01 00000000ffffffff 00000000ffffffff [ 221.020196][ T3314] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 221.020309][ T3314] page dumped because: kasan: bad access detected [ 221.020396][ T3314] [ 221.020468][ T3314] Memory state around the buggy address: [ 221.020881][ T3314] ffff000013eb9300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 221.021005][ T3314] ffff000013eb9380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 221.021101][ T3314] >ffff000013eb9400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 221.021195][ T3314] ^ [ 221.021341][ T3314] ffff000013eb9480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 221.021423][ T3314] ffff000013eb9500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 221.021563][ T3314] ================================================================== SYZFAIL: failed to recv rpc [ 221.233334][ T3314] Disabling lock debugging due to kernel taint fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) VM DIAGNOSIS: 07:30:06 Registers: info registers vcpu 0 CPU#0 PC=ffff800081a8a1e8 X00=0000000000000007 X01=000000000000ffff X02=ffff000016d84000 X03=0000000000000000 X04=1fffe00002d87cc5 X05=0000000000000000 X06=ffff0000133dc850 X07=0000000000000000 X08=0000000000000000 X09=ffff800089734000 X10=ffff0000133dc710 X11=0000000000000002 X12=000000000000000d X13=0000000000000000 X14=1fffe00003678acd X15=185026c56b6e1234 X16=a62e00002c90ffff X17=ebd2b4b1a3291cd4 X18=ffff000012c89dc0 X19=ffff000016c3e600 X20=0000000000000001 X21=1fffe00002d87cc8 X22=0000000000000003 X23=ffff00001a75ec80 X24=1fffe00002db0800 X25=ffff00000e8bfcc4 X26=0000000000000040 X27=0000000000000000 X28=0000000000a472e4 X29=ffff8000800061a0 X30=ffff800081a7aa08 SP=ffff8000800061a0 PSTATE=10000005 ---V EL1h FPCR=00000000 FPSR=00000000 Q00=0a0a0a0a0a0a0a0a:0a0a0a0a0a0a0a0a Q01=79733a725f6d6461:00007473696c2067 Q02=7320646e61206465:7461636572706564 Q03=0000000000000000:ffff000000000000 Q04=0000000000000000:00000000ff000000 Q05=657361656c70202c:35323032206e6920 Q06=203a29323a303431:2e30342874696475 Q07=2035393237363934:3932343d64697561 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000ffffeda98400:0000ffffeda98400 Q17=ffffff80ffffffd8:0000ffffeda983d0 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff800081b6ad98 X00=0000000000000002 X01=0000000000000000 X02=0000000000000002 X03=dfff800000000000 X04=0000000000000018 X05=ffff80008d9579e0 X06=ffff700011b2af3c X07=0000000000000001 X08=0000000000000003 X09=dfff800000000000 X10=ffff700011b2af3c X11=1ffff00011b2af3c X12=ffff700011b2af3d X13=0000000000008000 X14=7475636578652d7a X15=7420746f4e20726f X16=36206465746e6961 X17=63722d302e35312e X18=0000000000000000 X19=ffff00000f5b6080 X20=ffff80008d43b018 X21=ffff800087a926e0 X22=000000000000002d X23=dfff800000000000 X24=ffff00000f5d0055 X25=0000000000000004 X26=0000000000000f01 X27=1fffe00001eb6c5a X28=ffff00000f5b62d0 X29=ffff80008d957990 X30=ffff800081b6b024 SP=ffff80008d957990 PSTATE=800000c5 N--- EL1h FPCR=00000000 FPSR=00000000 Q00=6f727073006b6300:3036393837313638 Q01=00000000ff0000ff:0000000000000000 Q02=0000000000000000:0000f00f00000000 Q03=0000000000000000:ffffffffff0000ff Q04=0000000000000000:00000000fffff00f Q05=0000000000000000:00000000cccccc00 Q06=0000000000000073:0000aaab03e3c3e0 Q07=0000000000000074:0000aaab03e39620 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000fffffba5caa0:0000fffffba5caa0 Q17=ffffff80ffffffd8:0000fffffba5ca70 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000