last executing test programs:

1.413575836s ago: executing program 1 (id=269):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ndctl0', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ndctl0', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ndctl0', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ndctl0', 0x800, 0x0)

1.345190411s ago: executing program 1 (id=271):
lsm_list_modules(&(0x7f0000000000), &(0x7f0000000000), 0x0)

1.214353978s ago: executing program 1 (id=273):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/selinux/commit_pending_bools', 0x1, 0x0)

1.126488414s ago: executing program 1 (id=275):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dsp', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dsp', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/dsp', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp', 0x800, 0x0)

1.126216684s ago: executing program 0 (id=276):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/fs/smackfs/logging', 0x2, 0x0)

1.01007171s ago: executing program 0 (id=277):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/fs/smackfs/load', 0x2, 0x0)

1.00968811s ago: executing program 1 (id=278):
socket$pppl2tp(0x18, 0x1, 0x1)

915.202716ms ago: executing program 0 (id=279):
delete_module(&(0x7f0000000000), 0x0)

834.366421ms ago: executing program 0 (id=280):
open_by_handle_at(0xffffffffffffffff, &(0x7f0000000000), 0x0)

715.826708ms ago: executing program 0 (id=282):
fchmod(0xffffffffffffffff, 0x0)

645.929792ms ago: executing program 0 (id=283):
rt_sigreturn()

0s ago: executing program 1 (id=281):
mmap(&(0x7efffffff000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000000000/0x1000000)=nil, 0x1000000, 0x7, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0001000000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)

kernel console output (not intermixed with test programs):

Warning: Permanently added '[localhost]:31323' (ED25519) to the list of known hosts.
syzkaller login: [ 71.696135][ T3287] cgroup: Unknown subsys name 'net'
[ 72.042551][ T3287] cgroup: Unknown subsys name 'cpuset'
[ 72.071237][ T3287] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 72.739020][ T3287] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 81.830966][ T3384] mmap: syz.1.79 (3384) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst.
[ 91.891121][ T3603] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[ 92.319357][ T3300] ==================================================================
[ 92.324569][ T3300] BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0xe8/0x114
[ 92.325545][ T3300] Write at addr f6f000000a0cfd88 by task syz-executor/3300
[ 92.325847][ T3300] Pointer tag: [f6], memory tag: [f2]
[ 92.326012][ T3300]
[ 92.326740][ T3300] CPU: 1 UID: 0 PID: 3300 Comm: syz-executor Not tainted 6.15.0-rc5-syzkaller-00204-g0e1329d4045c #0 PREEMPT
[ 92.327089][ T3300] Hardware name: linux,dummy-virt (DT)
[ 92.327335][ T3300] Call trace:
[ 92.327517][ T3300] show_stack+0x18/0x24 (C)
[ 92.327786][ T3300] dump_stack_lvl+0x78/0x90
[ 92.327951][ T3300] print_report+0x108/0x630
[ 92.328071][ T3300] kasan_report+0x88/0xac
[ 92.328186][ T3300] __do_kernel_fault+0x170/0x1c8
[ 92.328310][ T3300] do_tag_check_fault+0x78/0x8c
[ 92.328427][ T3300] do_mem_abort+0x44/0x94
[ 92.328543][ T3300] el1_abort+0x40/0x60
[ 92.328660][ T3300] el1h_64_sync_handler+0xa4/0x120
[ 92.328777][ T3300] el1h_64_sync+0x6c/0x70
[ 92.328987][ T3300] binderfs_evict_inode+0xe8/0x114 (P)
[ 92.329111][ T3300] evict+0xec/0x240
[ 92.329227][ T3300] iput+0xfc/0x1b8
[ 92.329341][ T3300] dentry_unlink_inode+0xc0/0x188
[ 92.329459][ T3300] __dentry_kill+0x7c/0x1d4
[ 92.329575][ T3300] shrink_dentry_list+0x74/0xe4
[ 92.329691][ T3300] shrink_dcache_parent+0xcc/0x14c
[ 92.329825][ T3300] shrink_dcache_for_umount+0x3c/0x1c8
[ 92.329949][ T3300] generic_shutdown_super+0x24/0x100
[ 92.330068][ T3300] kill_anon_super+0x20/0x90
[ 92.330186][ T3300] kill_litter_super+0x28/0x38
[ 92.330303][ T3300] binderfs_kill_super+0x18/0x40
[ 92.330420][ T3300] deactivate_locked_super+0x50/0x12c
[ 92.330534][ T3300] deactivate_super+0x84/0x9c
[ 92.330651][ T3300] cleanup_mnt+0xf4/0x184
[ 92.330769][ T3300] __cleanup_mnt+0x14/0x20
[ 92.330891][ T3300] task_work_run+0x78/0xd4
[ 92.331008][ T3300] do_exit+0x2c8/0x944
[ 92.331124][ T3300] do_group_exit+0x34/0x90
[ 92.331239][ T3300] copy_siginfo_to_user+0x0/0xec
[ 92.331356][ T3300] do_signal+0xf0/0x360
[ 92.331473][ T3300] do_notify_resume+0xd8/0x164
[ 92.331589][ T3300] el0_svc+0xc0/0xe0
[ 92.331706][ T3300] el0t_64_sync_handler+0x10c/0x138
[ 92.331823][ T3300] el0t_64_sync+0x1a4/0x1a8
[ 92.332073][ T3300]
[ 92.334161][ T3300] Freed by task 3301:
[ 92.334426][ T3300] kasan_save_stack+0x3c/0x64
[ 92.334680][ T3300] save_stack_info+0x40/0x158
[ 92.334846][ T3300] kasan_save_free_info+0x18/0x24
[ 92.335014][ T3300] __kasan_slab_free+0x74/0x8c
[ 92.335173][ T3300] kfree+0xfc/0x30c
[ 92.335336][ T3300] binderfs_evict_inode+0x100/0x114
[ 92.335500][ T3300] evict+0xec/0x240
[ 92.335660][ T3300] iput+0xfc/0x1b8
[ 92.335818][ T3300] dentry_unlink_inode+0xc0/0x188
[ 92.335985][ T3300] __dentry_kill+0x7c/0x1d4
[ 92.336216][ T3300] shrink_dentry_list+0x74/0xe4
[ 92.336380][ T3300] shrink_dcache_parent+0xcc/0x14c
[ 92.336544][ T3300] shrink_dcache_for_umount+0x3c/0x1c8
[ 92.336705][ T3300] generic_shutdown_super+0x24/0x100
[ 92.336906][ T3300] kill_anon_super+0x20/0x90
[ 92.337072][ T3300] kill_litter_super+0x28/0x38
[ 92.337234][ T3300] binderfs_kill_super+0x18/0x40
[ 92.337396][ T3300] deactivate_locked_super+0x50/0x12c
[ 92.337554][ T3300] deactivate_super+0x84/0x9c
[ 92.337755][ T3300] cleanup_mnt+0xf4/0x184
[ 92.337925][ T3300] __cleanup_mnt+0x14/0x20
[ 92.338088][ T3300] task_work_run+0x78/0xd4
[ 92.338250][ T3300] do_exit+0x2c8/0x944
[ 92.338410][ T3300] do_group_exit+0x34/0x90
[ 92.338568][ T3300] copy_siginfo_to_user+0x0/0xec
[ 92.338729][ T3300] do_signal+0x94/0x360
[ 92.338895][ T3300] do_notify_resume+0xd8/0x164
[ 92.339057][ T3300] el0_svc+0xc0/0xe0
[ 92.339221][ T3300] el0t_64_sync_handler+0x10c/0x138
[ 92.339382][ T3300] el0t_64_sync+0x1a4/0x1a8
[ 92.339572][ T3300]
[ 92.339710][ T3300] The buggy address belongs to the object at fff000000a0cfd80
[ 92.339710][ T3300] which belongs to the cache kmalloc-192 of size 192
[ 92.339918][ T3300] The buggy address is located 8 bytes inside of
[ 92.339918][ T3300] 144-byte region [fff000000a0cfd80, fff000000a0cfe10)
[ 92.340101][ T3300]
[ 92.340355][ T3300] The buggy address belongs to the physical page:
[ 92.340613][ T3300] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4a0cf
[ 92.341045][ T3300] flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
[ 92.341472][ T3300] page_type: f5(slab)
[ 92.341917][ T3300] raw: 01ffc00000000000 f4f0000003001300 ffffc1ffc00c6c00 0000000000000002
[ 92.342111][ T3300] raw: 0000000000000000 0000000000150015 00000000f5000000 0000000000000000
SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[ 92.342314][ T3300] page dumped because: kasan: bad access detected
[ 92.342459][ T3300]
[ 92.342589][ T3300] Memory state around the buggy address:
[ 92.342879][ T3300] fff000000a0cfb00: fd fd fd fd fb fb fb fb fb fb fb fb fb fb fb fb
[ 92.343082][ T3300] fff000000a0cfc00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 fe fd fd fd fd
[ 92.343254][ T3300] >fff000000a0cfd00: fd fd fd fd fd fe fe fe f2 f2 f2 f2 f2 f2 f2 f2
[ 92.343420][ T3300] ^
[ 92.343611][ T3300] fff000000a0cfe00: f2 fe fe fe fb fb fb fb fb fb fb fb fb fb fb fe
[ 92.343764][ T3300] fff000000a0cff00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 fe fe fe fe
[ 92.343946][ T3300] ==================================================================
[ 92.345016][ T3300] Disabling lock debugging
due to kernel taint

VM DIAGNOSIS:
21:59:26 Registers: