last executing test programs: 1.810903781s ago: executing program 0 (id=200): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/cdrom', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/cdrom', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/cdrom', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/cdrom', 0x800, 0x0) 1.550348531s ago: executing program 1 (id=201): get_mempolicy(&(0x7f0000000000), &(0x7f0000000000), 0x0, 0x0, 0x0) 1.283193851s ago: executing program 0 (id=202): sched_rr_get_interval(0x0, &(0x7f0000000000)) 1.282823801s ago: executing program 1 (id=203): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/vsock', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/vsock', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/vsock', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/vsock', 0x800, 0x0) 1.159054611s ago: executing program 0 (id=204): socket$inet6_dccp(0xa, 0x6, 0x0) 1.029246851s ago: executing program 1 (id=205): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ptmx', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ptmx', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ptmx', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ptmx', 0x800, 0x0) 533.033419ms ago: executing program 1 (id=206): listen(0xffffffffffffffff, 0x0) 421.829788ms ago: executing program 1 (id=207): times(&(0x7f0000000000)) 319.695015ms ago: executing program 0 (id=208): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/video0', 0x2, 0x0) 220.162753ms ago: executing program 1 (id=209): openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/devices/platform/vhci_hcd.0/attach', 0x1, 0x0) 143.407199ms ago: executing program 0 (id=210): fchown(0xffffffffffffffff, 0x0, 0x0) 0s ago: executing program 0 (id=211): socket$alg(0x26, 0x5, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:18021' (ED25519) to the list of known hosts. [ 171.027783][ T30] audit: type=1400 audit(170.580:48): avc: denied { name_bind } for pid=3306 comm="sshd-session" src=30003 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:tcs_port_t tclass=tcp_socket permissive=1 [ 171.410558][ T30] audit: type=1400 audit(170.960:49): avc: denied { execute } for pid=3307 comm="sh" name="syz-executor" dev="vda" ino=1867 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 171.417736][ T30] audit: type=1400 audit(170.970:50): avc: denied { execute_no_trans } for pid=3307 comm="sh" path="/syz-executor" dev="vda" ino=1867 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 175.396168][ T30] audit: type=1400 audit(174.930:51): avc: denied { mounton } for pid=3307 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1868 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 175.401651][ T30] audit: type=1400 audit(174.940:52): avc: denied { mount } for pid=3307 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 175.419620][ T3307] cgroup: Unknown subsys name 'net' [ 175.437856][ T30] audit: type=1400 audit(174.990:53): avc: denied { unmount } for pid=3307 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 175.827597][ T3307] cgroup: Unknown subsys name 'cpuset' [ 175.871662][ T3307] cgroup: Unknown subsys name 'rlimit' [ 176.330591][ T30] audit: type=1400 audit(175.880:54): avc: denied { setattr } for pid=3307 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 176.356157][ T30] audit: type=1400 audit(175.900:55): avc: denied { create } for pid=3307 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 176.357558][ T30] audit: type=1400 audit(175.900:56): avc: denied { write } for pid=3307 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 176.358115][ T30] audit: type=1400 audit(175.900:57): avc: denied { module_request } for pid=3307 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 176.622564][ T30] audit: type=1400 audit(176.170:58): avc: denied { read } for pid=3307 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 176.639079][ T30] audit: type=1400 audit(176.190:59): avc: denied { mounton } for pid=3307 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 176.647704][ T30] audit: type=1400 audit(176.200:60): avc: denied { mount } for pid=3307 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 177.020311][ T3310] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 177.031088][ T30] audit: type=1400 audit(176.580:61): avc: denied { relabelto } for pid=3310 comm="mkswap" name="swap-file" dev="vda" ino=1871 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 177.037105][ T30] audit: type=1400 audit(176.580:62): avc: denied { write } for pid=3310 comm="mkswap" path="/swap-file" dev="vda" ino=1871 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" Setting up swapspace version 1, size = 127995904 bytes [ 177.127129][ T30] audit: type=1400 audit(176.680:63): avc: denied { read } for pid=3307 comm="syz-executor" name="swap-file" dev="vda" ino=1871 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 177.149205][ T3307] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 192.282666][ T30] kauditd_printk_skb: 1 callbacks suppressed [ 192.287435][ T30] audit: type=1400 audit(191.830:65): avc: denied { execmem } for pid=3312 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 192.342613][ T30] audit: type=1400 audit(191.890:66): avc: denied { read } for pid=3314 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 192.354623][ T30] audit: type=1400 audit(191.900:67): avc: denied { open } for pid=3314 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 192.358211][ T30] audit: type=1400 audit(191.910:68): avc: denied { mounton } for pid=3314 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 193.151498][ T30] audit: type=1400 audit(192.700:69): avc: denied { mount } for pid=3314 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 193.154342][ T30] audit: type=1400 audit(192.700:70): avc: denied { mount } for pid=3313 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 193.167783][ T30] audit: type=1400 audit(192.720:71): avc: denied { mounton } for pid=3313 comm="syz-executor" path="/syzkaller.jG8k4m/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 193.188245][ T30] audit: type=1400 audit(192.740:72): avc: denied { mount } for pid=3313 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 193.260026][ T30] audit: type=1400 audit(192.780:73): avc: denied { mounton } for pid=3314 comm="syz-executor" path="/syzkaller.DQdzUn/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 193.261314][ T30] audit: type=1400 audit(192.780:74): avc: denied { mounton } for pid=3314 comm="syz-executor" path="/syzkaller.DQdzUn/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=3377 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 198.606713][ T30] kauditd_printk_skb: 13 callbacks suppressed [ 198.607982][ T30] audit: type=1400 audit(198.160:88): avc: denied { create } for pid=3368 comm="syz.0.51" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=dccp_socket permissive=1 [ 200.791684][ T30] audit: type=1400 audit(200.340:89): avc: denied { read } for pid=3391 comm="syz.1.72" name="snapshot" dev="devtmpfs" ino=85 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:acpi_bios_t tclass=chr_file permissive=1 [ 200.815628][ T30] audit: type=1400 audit(200.370:90): avc: denied { open } for pid=3391 comm="syz.1.72" path="/dev/snapshot" dev="devtmpfs" ino=85 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:acpi_bios_t tclass=chr_file permissive=1 [ 200.950196][ T30] audit: type=1400 audit(200.500:91): avc: denied { write } for pid=3391 comm="syz.1.72" name="snapshot" dev="devtmpfs" ino=85 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:acpi_bios_t tclass=chr_file permissive=1 [ 201.700160][ T30] audit: type=1400 audit(201.250:92): avc: denied { create } for pid=3399 comm="syz.1.80" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=icmp_socket permissive=1 [ 202.114415][ T30] audit: type=1400 audit(201.650:93): avc: denied { create } for pid=3404 comm="syz.1.85" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=ieee802154_socket permissive=1 [ 202.136465][ T30] audit: type=1400 audit(201.690:94): avc: denied { write } for pid=3405 comm="syz.0.86" name="random" dev="devtmpfs" ino=8 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:random_device_t tclass=chr_file permissive=1 [ 202.529385][ T30] audit: type=1400 audit(202.080:95): avc: denied { read } for pid=3408 comm="syz.0.88" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 202.533084][ T30] audit: type=1400 audit(202.080:96): avc: denied { open } for pid=3408 comm="syz.0.88" path="/dev/raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 202.540761][ T30] audit: type=1400 audit(202.090:97): avc: denied { write } for pid=3408 comm="syz.0.88" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 203.626396][ T3420] mmap: syz.1.98 (3420) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst. [ 203.872582][ T30] kauditd_printk_skb: 5 callbacks suppressed [ 203.873717][ T30] audit: type=1400 audit(203.420:103): avc: denied { read } for pid=3422 comm="syz.1.100" name="fb0" dev="devtmpfs" ino=619 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:framebuf_device_t tclass=chr_file permissive=1 [ 203.881037][ T30] audit: type=1400 audit(203.430:104): avc: denied { create } for pid=3423 comm="syz.0.101" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 203.885614][ T30] audit: type=1400 audit(203.440:105): avc: denied { open } for pid=3422 comm="syz.1.100" path="/dev/fb0" dev="devtmpfs" ino=619 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:framebuf_device_t tclass=chr_file permissive=1 [ 203.898507][ T30] audit: type=1400 audit(203.450:106): avc: denied { write } for pid=3422 comm="syz.1.100" name="fb0" dev="devtmpfs" ino=619 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:framebuf_device_t tclass=chr_file permissive=1 [ 204.805282][ T30] audit: type=1400 audit(204.360:107): avc: denied { create } for pid=3430 comm="syz.1.107" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rawip_socket permissive=1 [ 205.055400][ T30] audit: type=1400 audit(204.600:108): avc: denied { create } for pid=3433 comm="syz.0.110" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=kcm_socket permissive=1 [ 205.619728][ T30] audit: type=1400 audit(205.160:109): avc: denied { create } for pid=3438 comm="syz.0.115" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=caif_socket permissive=1 [ 205.779014][ T3440] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 207.108184][ T30] audit: type=1400 audit(206.660:110): avc: denied { sys_module } for pid=3454 comm="syz.0.130" capability=16 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability permissive=1 [ 207.914207][ T30] audit: type=1400 audit(207.460:111): avc: denied { create } for pid=3463 comm="syz.1.139" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=tipc_socket permissive=1 [ 208.689045][ T30] audit: type=1400 audit(208.240:112): avc: denied { kexec_image_load } for pid=3471 comm="syz.1.145" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=system permissive=1 [ 210.108610][ T30] audit: type=1400 audit(209.660:113): avc: denied { read } for pid=3485 comm="syz.0.160" name="vga_arbiter" dev="devtmpfs" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file permissive=1 [ 210.116310][ T30] audit: type=1400 audit(209.670:114): avc: denied { open } for pid=3485 comm="syz.0.160" path="/dev/vga_arbiter" dev="devtmpfs" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file permissive=1 [ 210.124952][ T30] audit: type=1400 audit(209.670:115): avc: denied { write } for pid=3485 comm="syz.0.160" name="vga_arbiter" dev="devtmpfs" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file permissive=1 [ 211.974015][ T30] audit: type=1400 audit(211.520:116): avc: denied { read } for pid=3504 comm="syz.0.176" name="rtc0" dev="devtmpfs" ino=707 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:clock_device_t tclass=chr_file permissive=1 [ 211.974667][ T30] audit: type=1400 audit(211.520:117): avc: denied { open } for pid=3504 comm="syz.0.176" path="/dev/rtc0" dev="devtmpfs" ino=707 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:clock_device_t tclass=chr_file permissive=1 [ 211.975261][ T30] audit: type=1400 audit(211.520:118): avc: denied { write } for pid=3504 comm="syz.0.176" name="rtc0" dev="devtmpfs" ino=707 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:clock_device_t tclass=chr_file permissive=1 [ 212.733945][ T30] audit: type=1400 audit(212.280:119): avc: denied { create } for pid=3512 comm="syz.0.185" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rxrpc_socket permissive=1 [ 214.874245][ T30] audit: type=1400 audit(214.380:120): avc: denied { write } for pid=3525 comm="syz.1.195" name="pfkey" dev="proc" ino=4026532766 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_net_t tclass=file permissive=1 [ 217.438249][ T30] audit: type=1400 audit(216.990:121): avc: denied { create } for pid=3543 comm="syz.0.211" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=alg_socket permissive=1 [ 217.994574][ T3314] ================================================================== [ 217.995385][ T3314] BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x2ac/0x2b4 [ 217.996336][ T3314] Write of size 8 at addr ffff0000182df008 by task syz-executor/3314 [ 217.996443][ T3314] [ 217.997313][ T3314] CPU: 1 UID: 0 PID: 3314 Comm: syz-executor Not tainted 6.15.0-syzkaller-01972-g914873bc7df9 #0 PREEMPT [ 217.997527][ T3314] Hardware name: linux,dummy-virt (DT) [ 217.997883][ T3314] Call trace: [ 217.998061][ T3314] show_stack+0x18/0x24 (C) [ 217.998205][ T3314] dump_stack_lvl+0xa4/0xf4 [ 217.998273][ T3314] print_report+0xf4/0x60c [ 217.998321][ T3314] kasan_report+0xc8/0x108 [ 217.998363][ T3314] __asan_report_store8_noabort+0x20/0x2c [ 217.998401][ T3314] binderfs_evict_inode+0x2ac/0x2b4 [ 217.998443][ T3314] evict+0x2c0/0x67c [ 217.998488][ T3314] iput+0x3b0/0x6b4 [ 217.998528][ T3314] dentry_unlink_inode+0x208/0x46c [ 217.998567][ T3314] __dentry_kill+0x150/0x52c [ 217.998606][ T3314] shrink_dentry_list+0x114/0x3ac [ 217.998645][ T3314] shrink_dcache_parent+0x158/0x354 [ 217.998685][ T3314] shrink_dcache_for_umount+0x88/0x304 [ 217.998725][ T3314] generic_shutdown_super+0x60/0x2e8 [ 217.998776][ T3314] kill_litter_super+0x68/0xa4 [ 217.998865][ T3314] binderfs_kill_super+0x38/0x88 [ 217.998927][ T3314] deactivate_locked_super+0x98/0x17c [ 217.998973][ T3314] deactivate_super+0xb0/0xd4 [ 217.999014][ T3314] cleanup_mnt+0x198/0x424 [ 217.999060][ T3314] __cleanup_mnt+0x14/0x20 [ 217.999101][ T3314] task_work_run+0x128/0x210 [ 217.999145][ T3314] do_exit+0x7b4/0x1f68 [ 217.999185][ T3314] do_group_exit+0xa4/0x208 [ 217.999222][ T3314] get_signal+0x1b04/0x1bac [ 217.999263][ T3314] do_signal+0x160/0x620 [ 217.999300][ T3314] do_notify_resume+0x18c/0x258 [ 217.999382][ T3314] el0_svc+0x100/0x180 [ 217.999435][ T3314] el0t_64_sync_handler+0x10c/0x138 [ 217.999475][ T3314] el0t_64_sync+0x198/0x19c [ 217.999676][ T3314] [ 218.000569][ T3314] Allocated by task 3313: [ 218.000909][ T3314] kasan_save_stack+0x3c/0x64 [ 218.001050][ T3314] kasan_save_track+0x20/0x3c [ 218.001185][ T3314] kasan_save_alloc_info+0x40/0x54 [ 218.001271][ T3314] __kasan_kmalloc+0xb8/0xbc [ 218.001353][ T3314] __kmalloc_cache_noprof+0x1b0/0x3cc [ 218.001437][ T3314] binderfs_binder_device_create.isra.0+0x150/0xa28 [ 218.001521][ T3314] binderfs_fill_super+0x69c/0xed4 [ 218.001603][ T3314] get_tree_nodev+0xac/0x148 [ 218.001683][ T3314] binderfs_fs_context_get_tree+0x18/0x24 [ 218.001767][ T3314] vfs_get_tree+0x74/0x280 [ 218.001923][ T3314] path_mount+0xe54/0x1830 [ 218.002007][ T3314] __arm64_sys_mount+0x304/0x3dc [ 218.002096][ T3314] invoke_syscall+0x6c/0x258 [ 218.002235][ T3314] el0_svc_common.constprop.0+0xac/0x230 [ 218.002369][ T3314] do_el0_svc+0x40/0x58 [ 218.002450][ T3314] el0_svc+0x50/0x180 [ 218.002526][ T3314] el0t_64_sync_handler+0x10c/0x138 [ 218.002605][ T3314] el0t_64_sync+0x198/0x19c [ 218.002808][ T3314] [ 218.002962][ T3314] Freed by task 3313: [ 218.003055][ T3314] kasan_save_stack+0x3c/0x64 [ 218.003148][ T3314] kasan_save_track+0x20/0x3c [ 218.003316][ T3314] kasan_save_free_info+0x4c/0x74 [ 218.003401][ T3314] __kasan_slab_free+0x50/0x6c [ 218.003482][ T3314] kfree+0x1bc/0x444 [ 218.003558][ T3314] binderfs_evict_inode+0x238/0x2b4 [ 218.003640][ T3314] evict+0x2c0/0x67c [ 218.003720][ T3314] iput+0x3b0/0x6b4 [ 218.003830][ T3314] dentry_unlink_inode+0x208/0x46c [ 218.003929][ T3314] __dentry_kill+0x150/0x52c [ 218.004015][ T3314] shrink_dentry_list+0x114/0x3ac [ 218.004096][ T3314] shrink_dcache_parent+0x158/0x354 [ 218.004176][ T3314] shrink_dcache_for_umount+0x88/0x304 [ 218.004257][ T3314] generic_shutdown_super+0x60/0x2e8 [ 218.004340][ T3314] kill_litter_super+0x68/0xa4 [ 218.004423][ T3314] binderfs_kill_super+0x38/0x88 [ 218.004504][ T3314] deactivate_locked_super+0x98/0x17c [ 218.004586][ T3314] deactivate_super+0xb0/0xd4 [ 218.004669][ T3314] cleanup_mnt+0x198/0x424 [ 218.004748][ T3314] __cleanup_mnt+0x14/0x20 [ 218.004839][ T3314] task_work_run+0x128/0x210 [ 218.004922][ T3314] do_exit+0x7b4/0x1f68 [ 218.004999][ T3314] do_group_exit+0xa4/0x208 [ 218.005076][ T3314] get_signal+0x1b04/0x1bac [ 218.005155][ T3314] do_signal+0x160/0x620 [ 218.005232][ T3314] do_notify_resume+0x18c/0x258 [ 218.005311][ T3314] el0_svc+0x100/0x180 [ 218.005394][ T3314] el0t_64_sync_handler+0x10c/0x138 [ 218.005473][ T3314] el0t_64_sync+0x198/0x19c [ 218.005571][ T3314] [ 218.005747][ T3314] The buggy address belongs to the object at ffff0000182df000 [ 218.005747][ T3314] which belongs to the cache kmalloc-512 of size 512 [ 218.005940][ T3314] The buggy address is located 8 bytes inside of [ 218.005940][ T3314] freed 512-byte region [ffff0000182df000, ffff0000182df200) [ 218.006094][ T3314] [ 218.006236][ T3314] The buggy address belongs to the physical page: [ 218.006704][ T3314] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x582dc [ 218.007310][ T3314] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 218.007461][ T3314] flags: 0x1ffc00000000040(head|node=0|zone=0|lastcpupid=0x7ff) [ 218.007916][ T3314] page_type: f5(slab) [ 218.008302][ T3314] raw: 01ffc00000000040 ffff00000dc01c80 fffffdffc0495f00 dead000000000002 [ 218.008406][ T3314] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 218.008551][ T3314] head: 01ffc00000000040 ffff00000dc01c80 fffffdffc0495f00 dead000000000002 [ 218.008658][ T3314] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 [ 218.008735][ T3314] head: 01ffc00000000002 fffffdffc060b701 00000000ffffffff 00000000ffffffff [ 218.008819][ T3314] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 218.008935][ T3314] page dumped because: kasan: bad access detected [ 218.009021][ T3314] [ 218.009093][ T3314] Memory state around the buggy address: [ 218.009417][ T3314] ffff0000182def00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 218.009532][ T3314] ffff0000182def80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 218.009627][ T3314] >ffff0000182df000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 218.009727][ T3314] ^ [ 218.009925][ T3314] ffff0000182df080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 218.010006][ T3314] ffff0000182df100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 218.010156][ T3314] ================================================================== SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 218.151687][ T3314] Disabling lock debugging due to kernel taint [ 220.938708][ T3546] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 220.960455][ T3546] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 223.025617][ T3546] hsr_slave_0: entered promiscuous mode [ 223.037534][ T3546] hsr_slave_1: entered promiscuous mode [ 223.908816][ T3546] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 223.927201][ T3546] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 223.945615][ T3546] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 223.961485][ T3546] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 225.092572][ T3546] 8021q: adding VLAN 0 to HW filter on device bond0 [ 228.770019][ T3546] veth0_vlan: entered promiscuous mode [ 228.839000][ T3546] veth1_vlan: entered promiscuous mode [ 228.976247][ T3546] veth0_macvtap: entered promiscuous mode [ 229.003792][ T3546] veth1_macvtap: entered promiscuous mode [ 229.142262][ T3546] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 229.146439][ T3546] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 229.147006][ T3546] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 229.147346][ T3546] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 229.370161][ T30] audit: type=1400 audit(228.920:122): avc: denied { mounton } for pid=3546 comm="syz-executor" path="/syzkaller.lQfs61/syz-tmp" dev="vda" ino=1874 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 229.400130][ T30] audit: type=1400 audit(228.950:123): avc: denied { mounton } for pid=3546 comm="syz-executor" path="/syzkaller.lQfs61/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 229.409764][ T30] audit: type=1400 audit(228.960:124): avc: denied { mount } for pid=3546 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 229.447806][ T30] audit: type=1400 audit(229.000:125): avc: denied { mounton } for pid=3546 comm="syz-executor" path="/dev/gadgetfs" dev="devtmpfs" ino=1545 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:device_t tclass=dir permissive=1 [ 229.601506][ T3546] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 230.270221][ T40] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 230.417026][ T40] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 230.702525][ T40] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 231.028309][ T40] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 231.348432][ T30] audit: type=1400 audit(230.900:126): avc: denied { read } for pid=3157 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=1 [ 233.637524][ T40] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 233.715742][ T40] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 233.776764][ T40] bond0 (unregistering): Released all slaves [ 233.902162][ T40] hsr_slave_0: left promiscuous mode [ 233.908075][ T40] hsr_slave_1: left promiscuous mode [ 233.950482][ T40] veth1_macvtap: left promiscuous mode [ 233.951299][ T40] veth0_macvtap: left promiscuous mode [ 233.951887][ T40] veth1_vlan: left promiscuous mode [ 233.964673][ T40] veth0_vlan: left promiscuous mode VM DIAGNOSIS: 13:25:57 Registers: info registers vcpu 0 CPU#0 PC=ffff8000803df304 X00=ffff0000692624d0 X01=ffff000019630000 X02=0000000000000000 X03=1fffe000032c600f X04=00000000ffffffff X05=0000000000000040 X06=ffff6000032c6005 X07=0000000000000000 X08=0000000000000000 X09=0000003d00000000 X10=0000000100000000 X11=0000000000000000 X12=0000000000000000 X13=00ca00d800ec0008 X14=1fffe00002f40c65 X15=185072b1e158b683 X16=cc2900001ef8ffff X17=1ce72aca1dea7e82 X18=ffff0000131f8dc0 X19=ffff00000fc74940 X20=ffff0000172b8198 X21=1fffe000032c601a X22=ffff000019630b40 X23=0000000000000000 X24=ffff000019630080 X25=0000000000000036 X26=ffff000019630000 X27=ffff000017d5adca X28=ffff00000fc74000 X29=ffff8000800060d0 X30=ffff800084f19488 SP=ffff8000800060b0 PSTATE=20000005 --C- EL1h FPCR=00000000 FPSR=00000000 Q00=0000000000000000:0000000000000000 Q01=0000000000000000:0000000000000000 Q02=0000000000000000:0000000000000000 Q03=0000000000000000:0000000000000000 Q04=0000000000000000:0000000000000000 Q05=0000000000000000:0000000000000000 Q06=0000000000000000:0000000000000000 Q07=0000000000000000:0000000000000000 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000000000000000:0000000000000000 Q17=0000000000000000:0000000000000000 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff80008545ce5c X00=ffff80008545ce58 X01=0000000000000000 X02=0000000000000000 X03=1fffe0000276a791 X04=00000000d40ef12f X05=0000000000040000 X06=ffff000013b54760 X07=ba5f27cc0da4b2c2 X08=0000000000000000 X09=ffff800089723000 X10=ffff000013b54710 X11=0000000000000000 X12=000000000000009e X13=0000000000000000 X14=ffff00006a09f5b0 X15=0000000000000000 X16=ffff80008705efc0 X17=ffff80008705efc0 X18=ffff80008d43787c X19=ffff8000872eea70 X20=ffff000013b53c80 X21=0000000000000003 X22=0000000000000028 X23=dfff800000000000 X24=ffff8000872eea40 X25=0000000000000000 X26=0000000000000004 X27=ffff8000872eea70 X28=ffff00006a0c2580 X29=ffff80008d437810 X30=ffff80008041fbf4 SP=ffff80008d437810 PSTATE=100000c5 ---V EL1h FPCR=00000000 FPSR=00000000 Q00=0000000000000000:0000000000000000 Q01=31706f6f6c2f6b63:6f6c622f6c617574 Q02=00000000000000e1:0000000000000000 Q03=000000000000ff00:00000000ff0000ff Q04=3303330333033303:3303330333033303 Q05=c000003000003003:c000003000003003 Q06=0000000000000073:0000aaaad5c033e0 Q07=0000000000000074:0000aaaad5c00620 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000ffffd666b660:0000ffffd666b660 Q17=ffffff80ffffffd8:0000ffffd666b630 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000