last executing test programs: 1.310831629s ago: executing program 0 (id=156): lgetxattr(&(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000), 0x0) 1.131766163s ago: executing program 0 (id=158): socket$tipc(0x1e, 0x2, 0x0) 769.912961ms ago: executing program 0 (id=162): syz_open_dev$evdev(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$evdev(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$evdev(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$evdev(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$evdev(&(0x7f0000000140), 0x1, 0x0) syz_open_dev$evdev(&(0x7f0000000180), 0x1, 0x1) syz_open_dev$evdev(&(0x7f00000001c0), 0x1, 0x2) syz_open_dev$evdev(&(0x7f0000000200), 0x1, 0x800) syz_open_dev$evdev(&(0x7f0000000240), 0x2, 0x0) syz_open_dev$evdev(&(0x7f0000000280), 0x2, 0x1) syz_open_dev$evdev(&(0x7f00000002c0), 0x2, 0x2) syz_open_dev$evdev(&(0x7f0000000300), 0x2, 0x800) syz_open_dev$evdev(&(0x7f0000000340), 0x3, 0x0) syz_open_dev$evdev(&(0x7f0000000380), 0x3, 0x1) syz_open_dev$evdev(&(0x7f00000003c0), 0x3, 0x2) syz_open_dev$evdev(&(0x7f0000000400), 0x3, 0x800) syz_open_dev$evdev(&(0x7f0000000440), 0x4, 0x0) syz_open_dev$evdev(&(0x7f0000000480), 0x4, 0x1) syz_open_dev$evdev(&(0x7f00000004c0), 0x4, 0x2) syz_open_dev$evdev(&(0x7f0000000500), 0x4, 0x800) 701.114676ms ago: executing program 1 (id=163): fchownat(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0, 0x0) 570.744556ms ago: executing program 1 (id=164): sigaltstack(&(0x7f0000000000), 0x0) 476.152473ms ago: executing program 1 (id=165): socket$inet6_icmp(0xa, 0x2, 0x3a) 369.837331ms ago: executing program 0 (id=166): pselect6(0x0, &(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000)) 369.240692ms ago: executing program 1 (id=167): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dri/renderD128', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dri/renderD128', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/dri/renderD128', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dri/renderD128', 0x800, 0x0) 243.457651ms ago: executing program 1 (id=168): eventfd2(0x0, 0x0) 142.929289ms ago: executing program 0 (id=169): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/infiniband/rdma_cm', 0x2, 0x0) 142.769418ms ago: executing program 1 (id=170): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/audio1', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/audio1', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/audio1', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/audio1', 0x800, 0x0) 0s ago: executing program 0 (id=171): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/kvm', 0x800, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:34464' (ED25519) to the list of known hosts. [ 127.145331][ T30] audit: type=1400 audit(126.950:46): avc: denied { name_bind } for pid=3311 comm="sshd-session" src=30003 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:tcs_port_t tclass=tcp_socket permissive=1 [ 127.408406][ T30] audit: type=1400 audit(127.220:47): avc: denied { execute } for pid=3312 comm="sh" name="syz-executor" dev="vda" ino=1867 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 127.417277][ T30] audit: type=1400 audit(127.220:48): avc: denied { execute_no_trans } for pid=3312 comm="sh" path="/syz-executor" dev="vda" ino=1867 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 130.838825][ T30] audit: type=1400 audit(130.650:49): avc: denied { mounton } for pid=3312 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1868 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 130.846233][ T30] audit: type=1400 audit(130.650:50): avc: denied { mount } for pid=3312 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 130.869312][ T3312] cgroup: Unknown subsys name 'net' [ 130.885372][ T30] audit: type=1400 audit(130.700:51): avc: denied { unmount } for pid=3312 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 131.069732][ T3312] cgroup: Unknown subsys name 'cpuset' [ 131.108582][ T3312] cgroup: Unknown subsys name 'rlimit' [ 131.300016][ T30] audit: type=1400 audit(131.110:52): avc: denied { setattr } for pid=3312 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=703 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 131.307402][ T30] audit: type=1400 audit(131.110:53): avc: denied { create } for pid=3312 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 131.308427][ T30] audit: type=1400 audit(131.120:54): avc: denied { write } for pid=3312 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 131.317912][ T30] audit: type=1400 audit(131.120:55): avc: denied { module_request } for pid=3312 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 131.848723][ T3315] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). Setting up swapspace version 1, size = 127995904 bytes [ 131.942056][ T3312] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 140.614689][ T30] kauditd_printk_skb: 7 callbacks suppressed [ 140.615301][ T30] audit: type=1400 audit(140.420:63): avc: denied { execmem } for pid=3316 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 140.657441][ T30] audit: type=1400 audit(140.470:64): avc: denied { read } for pid=3318 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 140.660384][ T30] audit: type=1400 audit(140.470:65): avc: denied { open } for pid=3318 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 140.676066][ T30] audit: type=1400 audit(140.490:66): avc: denied { mounton } for pid=3318 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 141.295054][ T30] audit: type=1400 audit(141.100:67): avc: denied { mount } for pid=3318 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 141.303276][ T30] audit: type=1400 audit(141.110:68): avc: denied { mounton } for pid=3318 comm="syz-executor" path="/syzkaller.0uehwf/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 141.314315][ T30] audit: type=1400 audit(141.120:69): avc: denied { mount } for pid=3318 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 141.335952][ T30] audit: type=1400 audit(141.150:70): avc: denied { mounton } for pid=3318 comm="syz-executor" path="/syzkaller.0uehwf/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 141.343378][ T30] audit: type=1400 audit(141.150:71): avc: denied { mounton } for pid=3318 comm="syz-executor" path="/syzkaller.0uehwf/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=3232 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 141.361657][ T30] audit: type=1400 audit(141.170:72): avc: denied { unmount } for pid=3318 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 144.200858][ T3347] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 146.202904][ T30] kauditd_printk_skb: 22 callbacks suppressed [ 146.203439][ T30] audit: type=1400 audit(146.010:95): avc: denied { create } for pid=3371 comm="syz.0.48" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=xdp_socket permissive=1 [ 146.631301][ T30] audit: type=1400 audit(146.440:96): avc: denied { read } for pid=3377 comm="syz.0.53" name="card0" dev="devtmpfs" ino=617 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1 [ 146.638297][ T30] audit: type=1400 audit(146.450:97): avc: denied { open } for pid=3377 comm="syz.0.53" path="/dev/dri/card0" dev="devtmpfs" ino=617 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1 [ 146.660829][ T30] audit: type=1400 audit(146.470:98): avc: denied { write } for pid=3377 comm="syz.0.53" name="card0" dev="devtmpfs" ino=617 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1 [ 147.081717][ T30] audit: type=1400 audit(146.890:99): avc: denied { create } for pid=3381 comm="syz.1.57" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rxrpc_socket permissive=1 [ 147.637492][ T30] audit: type=1400 audit(147.450:100): avc: denied { create } for pid=3389 comm="syz.1.62" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=can_socket permissive=1 [ 147.844603][ T30] audit: type=1400 audit(147.640:101): avc: denied { write } for pid=3391 comm="syz.0.64" name="urandom" dev="devtmpfs" ino=9 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:urandom_device_t tclass=chr_file permissive=1 [ 148.183827][ T30] audit: type=1400 audit(147.990:102): avc: denied { create } for pid=3396 comm="syz.0.69" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=caif_socket permissive=1 [ 148.861025][ T30] audit: type=1400 audit(148.640:103): avc: denied { write } for pid=3403 comm="syz.0.75" name="random" dev="devtmpfs" ino=8 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:random_device_t tclass=chr_file permissive=1 [ 148.893577][ T30] audit: type=1400 audit(148.700:104): avc: denied { sys_module } for pid=3404 comm="syz.1.76" capability=16 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability permissive=1 [ 152.765776][ T30] kauditd_printk_skb: 4 callbacks suppressed [ 152.766314][ T30] audit: type=1400 audit(152.580:109): avc: denied { create } for pid=3453 comm="syz.1.125" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 152.985145][ T30] audit: type=1400 audit(152.790:110): avc: denied { create } for pid=3456 comm="syz.0.127" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=pppox_socket permissive=1 [ 153.229156][ T30] audit: type=1400 audit(153.040:111): avc: denied { read } for pid=3458 comm="syz.1.128" name="loop-control" dev="devtmpfs" ino=636 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:loop_control_device_t tclass=chr_file permissive=1 [ 153.232413][ T30] audit: type=1400 audit(153.040:112): avc: denied { open } for pid=3458 comm="syz.1.128" path="/dev/loop-control" dev="devtmpfs" ino=636 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:loop_control_device_t tclass=chr_file permissive=1 [ 153.237311][ T30] audit: type=1400 audit(153.040:113): avc: denied { write } for pid=3458 comm="syz.1.128" name="loop-control" dev="devtmpfs" ino=636 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:loop_control_device_t tclass=chr_file permissive=1 [ 153.462784][ T30] audit: type=1400 audit(153.270:114): avc: denied { read } for pid=3461 comm="syz.1.131" name="autofs" dev="devtmpfs" ino=91 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:autofs_device_t tclass=chr_file permissive=1 [ 153.465465][ T30] audit: type=1400 audit(153.270:115): avc: denied { open } for pid=3461 comm="syz.1.131" path="/dev/autofs" dev="devtmpfs" ino=91 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:autofs_device_t tclass=chr_file permissive=1 [ 153.471873][ T30] audit: type=1400 audit(153.280:116): avc: denied { write } for pid=3461 comm="syz.1.131" name="autofs" dev="devtmpfs" ino=91 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:autofs_device_t tclass=chr_file permissive=1 [ 155.053566][ T3481] mmap: syz.1.150 (3481) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst. [ 155.697181][ T30] audit: type=1400 audit(155.510:117): avc: denied { create } for pid=3489 comm="syz.0.158" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=tipc_socket permissive=1 [ 156.320077][ T30] audit: type=1400 audit(156.130:118): avc: denied { create } for pid=3497 comm="syz.1.165" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=icmp_socket permissive=1 [ 157.608766][ T3319] ================================================================== [ 157.609548][ T3319] BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x2ac/0x2b4 [ 157.610435][ T3319] Write of size 8 at addr ffff00001b1f2408 by task syz-executor/3319 [ 157.610529][ T3319] [ 157.611308][ T3319] CPU: 1 UID: 0 PID: 3319 Comm: syz-executor Not tainted 6.15.0-syzkaller-11061-g7f9039c524a3 #0 PREEMPT [ 157.611516][ T3319] Hardware name: linux,dummy-virt (DT) [ 157.611813][ T3319] Call trace: [ 157.612011][ T3319] show_stack+0x18/0x24 (C) [ 157.612155][ T3319] dump_stack_lvl+0xa4/0xf4 [ 157.612258][ T3319] print_report+0xf4/0x60c [ 157.612343][ T3319] kasan_report+0xc8/0x108 [ 157.612409][ T3319] __asan_report_store8_noabort+0x20/0x2c [ 157.612450][ T3319] binderfs_evict_inode+0x2ac/0x2b4 [ 157.612490][ T3319] evict+0x2c0/0x67c [ 157.612533][ T3319] iput+0x3b0/0x6b4 [ 157.612570][ T3319] dentry_unlink_inode+0x208/0x46c [ 157.612605][ T3319] __dentry_kill+0x150/0x52c [ 157.612640][ T3319] shrink_dentry_list+0x114/0x3ac [ 157.612677][ T3319] shrink_dcache_parent+0x158/0x354 [ 157.612731][ T3319] shrink_dcache_for_umount+0x88/0x304 [ 157.612800][ T3319] generic_shutdown_super+0x60/0x2e8 [ 157.612842][ T3319] kill_litter_super+0x68/0xa4 [ 157.612879][ T3319] binderfs_kill_super+0x38/0x88 [ 157.612915][ T3319] deactivate_locked_super+0x98/0x17c [ 157.612960][ T3319] deactivate_super+0xb0/0xd4 [ 157.612998][ T3319] cleanup_mnt+0x198/0x424 [ 157.613035][ T3319] __cleanup_mnt+0x14/0x20 [ 157.613070][ T3319] task_work_run+0x128/0x210 [ 157.613109][ T3319] do_exit+0x5e8/0x1f6c [ 157.613147][ T3319] do_group_exit+0xa4/0x208 [ 157.613184][ T3319] get_signal+0x1b04/0x1bac [ 157.613224][ T3319] do_signal+0x160/0x6a8 [ 157.613259][ T3319] do_notify_resume+0x198/0x264 [ 157.613297][ T3319] el0_svc+0x118/0x198 [ 157.613337][ T3319] el0t_64_sync_handler+0x10c/0x138 [ 157.613383][ T3319] el0t_64_sync+0x198/0x19c [ 157.613581][ T3319] [ 157.614461][ T3319] Allocated by task 3318: [ 157.614711][ T3319] kasan_save_stack+0x3c/0x64 [ 157.614823][ T3319] kasan_save_track+0x20/0x3c [ 157.614904][ T3319] kasan_save_alloc_info+0x40/0x54 [ 157.614993][ T3319] __kasan_kmalloc+0xb8/0xbc [ 157.615069][ T3319] __kmalloc_cache_noprof+0x1b0/0x3cc [ 157.615151][ T3319] binderfs_binder_device_create.isra.0+0x150/0xa28 [ 157.615230][ T3319] binderfs_fill_super+0x69c/0xed4 [ 157.615306][ T3319] get_tree_nodev+0xac/0x148 [ 157.615381][ T3319] binderfs_fs_context_get_tree+0x18/0x24 [ 157.615457][ T3319] vfs_get_tree+0x74/0x280 [ 157.615532][ T3319] path_mount+0xe54/0x1834 [ 157.615607][ T3319] __arm64_sys_mount+0x304/0x3dc [ 157.615682][ T3319] invoke_syscall+0x6c/0x258 [ 157.615760][ T3319] el0_svc_common.constprop.0+0xac/0x230 [ 157.615835][ T3319] do_el0_svc+0x40/0x58 [ 157.615908][ T3319] el0_svc+0x50/0x198 [ 157.615993][ T3319] el0t_64_sync_handler+0x10c/0x138 [ 157.616073][ T3319] el0t_64_sync+0x198/0x19c [ 157.616176][ T3319] [ 157.616258][ T3319] Freed by task 3318: [ 157.616343][ T3319] kasan_save_stack+0x3c/0x64 [ 157.616423][ T3319] kasan_save_track+0x20/0x3c [ 157.616498][ T3319] kasan_save_free_info+0x4c/0x74 [ 157.616575][ T3319] __kasan_slab_free+0x50/0x6c [ 157.616650][ T3319] kfree+0x1bc/0x444 [ 157.616726][ T3319] binderfs_evict_inode+0x238/0x2b4 [ 157.616802][ T3319] evict+0x2c0/0x67c [ 157.616877][ T3319] iput+0x3b0/0x6b4 [ 157.616959][ T3319] dentry_unlink_inode+0x208/0x46c [ 157.617034][ T3319] __dentry_kill+0x150/0x52c [ 157.617107][ T3319] shrink_dentry_list+0x114/0x3ac [ 157.617180][ T3319] shrink_dcache_parent+0x158/0x354 [ 157.617255][ T3319] shrink_dcache_for_umount+0x88/0x304 [ 157.617329][ T3319] generic_shutdown_super+0x60/0x2e8 [ 157.617404][ T3319] kill_litter_super+0x68/0xa4 [ 157.617479][ T3319] binderfs_kill_super+0x38/0x88 [ 157.617553][ T3319] deactivate_locked_super+0x98/0x17c [ 157.617628][ T3319] deactivate_super+0xb0/0xd4 [ 157.617704][ T3319] cleanup_mnt+0x198/0x424 [ 157.617777][ T3319] __cleanup_mnt+0x14/0x20 [ 157.617851][ T3319] task_work_run+0x128/0x210 [ 157.617925][ T3319] do_exit+0x5e8/0x1f6c [ 157.618040][ T3319] do_group_exit+0xa4/0x208 [ 157.618118][ T3319] get_signal+0x1b04/0x1bac [ 157.618195][ T3319] do_signal+0x160/0x6a8 [ 157.618270][ T3319] do_notify_resume+0x198/0x264 [ 157.618347][ T3319] el0_svc+0x118/0x198 [ 157.618424][ T3319] el0t_64_sync_handler+0x10c/0x138 [ 157.618502][ T3319] el0t_64_sync+0x198/0x19c [ 157.618588][ T3319] [ 157.618707][ T3319] The buggy address belongs to the object at ffff00001b1f2400 [ 157.618707][ T3319] which belongs to the cache kmalloc-512 of size 512 [ 157.618848][ T3319] The buggy address is located 8 bytes inside of [ 157.618848][ T3319] freed 512-byte region [ffff00001b1f2400, ffff00001b1f2600) [ 157.618937][ T3319] [ 157.619076][ T3319] The buggy address belongs to the physical page: [ 157.619451][ T3319] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff00001b1f3c00 pfn:0x5b1f0 [ 157.619989][ T3319] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 157.620143][ T3319] flags: 0x1ffc00000000240(workingset|head|node=0|zone=0|lastcpupid=0x7ff) [ 157.620585][ T3319] page_type: f5(slab) [ 157.620972][ T3319] raw: 01ffc00000000240 ffff00000dc01c80 fffffdffc04f7610 fffffdffc0609110 [ 157.621076][ T3319] raw: ffff00001b1f3c00 0000000000100003 00000000f5000000 0000000000000000 [ 157.621218][ T3319] head: 01ffc00000000240 ffff00000dc01c80 fffffdffc04f7610 fffffdffc0609110 [ 157.621296][ T3319] head: ffff00001b1f3c00 0000000000100003 00000000f5000000 0000000000000000 [ 157.621369][ T3319] head: 01ffc00000000002 fffffdffc06c7c01 00000000ffffffff 00000000ffffffff [ 157.621444][ T3319] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 157.621556][ T3319] page dumped because: kasan: bad access detected [ 157.621638][ T3319] [ 157.621710][ T3319] Memory state around the buggy address: [ 157.622064][ T3319] ffff00001b1f2300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 157.622192][ T3319] ffff00001b1f2380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 157.622298][ T3319] >ffff00001b1f2400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 157.622468][ T3319] ^ [ 157.622611][ T3319] ffff00001b1f2480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 157.622683][ T3319] ffff00001b1f2500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 157.622877][ T3319] ================================================================== [ 157.639599][ T3319] Disabling lock debugging due to kernel taint SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) VM DIAGNOSIS: 21:25:30 Registers: info registers vcpu 0 CPU#0 PC=ffff800084a7819c X00=ffff8000800368b8 X01=0000000000000000 X02=1ffff00010e29bef X03=1fffe0000d413115 X04=0000000000000001 X05=0000000000040000 X06=ffff00000e95c800 X07=7735a49fdf4d53df X08=0000000000000000 X09=ffff8000897d9000 X10=ffff00000e95c710 X11=1ffff00010000cc4 X12=ffff700010000cc5 X13=0000000000000000 X14=1fffe00002468c65 X15=18500d639cc85a54 X16=0d260000f9b3ffff X17=a3a5fedd4ac5f672 X18=ffff00001b1dedc0 X19=0000000000000002 X20=ffff00000e95bc80 X21=ffff800084a790ac X22=ffff00000e95bc80 X23=dfff800000000000 X24=ffff00001b24c988 X25=ffff00000efdc9e0 X26=ffff00001b24c990 X27=0000000000000000 X28=ffff00000efdc800 X29=ffff800080006740 X30=ffff800084a783cc SP=ffff800080006740 PSTATE=10000005 ---V EL1h FPCR=00000000 FPSR=00000000 Q00=0000000000000000:0000000000000000 Q01=0000000000000000:0000000000000000 Q02=0000000000000000:0000000000000000 Q03=0000000000000000:0000000000000000 Q04=0000000000000000:0000000000000000 Q05=0000000000000000:0000000000000000 Q06=0000000000000000:0000000000000000 Q07=0000000000000000:0000000000000000 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000000000000000:0000000000000000 Q17=0000000000000000:0000000000000000 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff8000800322d8 X00=0000000000000000 X01=000000000000000d X02=0000000000000018 X03=ffff80008001076c X04=ffff8000a0ec8000 X05=0000000000000001 X06=ffff00001855bc80 X07=ffff80008001159c X08=0000000000000070 X09=ffff00001922a890 X10=ffff7000141d8ef8 X11=1ffff000141d8ef8 X12=ffff7000141d8ef9 X13=0000000000000000 X14=00000000f1f1f1f1 X15=0000000000000000 X16=0000000000000000 X17=0000000000000000 X18=0000000000000000 X19=ffff8000800368b8 X20=ffff8000a0ec7a20 X21=0000000000000000 X22=0000000000000000 X23=ffff8000800369e8 X24=0000000000112110 X25=0000000000000000 X26=0000000000000000 X27=0000000000000000 X28=ffff00001855bc80 X29=ffff8000a0ec7ab0 X30=ffff80008054fee0 SP=ffff8000a0ec7a30 PSTATE=80000005 N--- EL1h FPCR=00000000 FPSR=00000000 Q00=0000000000000000:0000000000000000 Q01=31706f6f6c2f6b63:6f6c622f6c617574 Q02=0000000000000371:000000302f716d00 Q03=0000000000000000:00000000ff000000 Q04=3303330333033303:3303330333033303 Q05=bcbcbc00bcc030fc:bcbcbc00bcc030fc Q06=0000000000000073:0000aaaae9e6f3e0 Q07=0000000000000074:0000aaaae9e6c620 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000ffffd3e23e70:0000ffffd3e23e70 Q17=ffffff80ffffffd0:0000ffffd3e23e40 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000