last executing test programs:

565.933566ms ago: executing program 0 (id=195):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/pmem0', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/pmem0', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/pmem0', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/pmem0', 0x800, 0x0)

429.798686ms ago: executing program 0 (id=198):
setregid(0x0, 0x0)

367.480411ms ago: executing program 1 (id=199):
syz_init_net_socket$bt_cmtp(0x1f, 0x3, 0x5)

367.378922ms ago: executing program 0 (id=200):
syz_init_net_socket$bt_rfcomm(0x1f, 0x1, 0x3)

201.228164ms ago: executing program 1 (id=201):
getpid()

200.685564ms ago: executing program 0 (id=202):
splice(0xffffffffffffffff, &(0x7f0000000000), 0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0)

139.884429ms ago: executing program 1 (id=203):
exit_group(0x0)

76.898774ms ago: executing program 1 (id=204):
setrlimit(0x0, &(0x7f0000000000))

76.669233ms ago: executing program 0 (id=205):
lgetxattr(&(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000), 0x0)

76.526013ms ago: executing program 1 (id=206):
mq_timedreceive(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0, 0x0)

131.94µs ago: executing program 1 (id=207):
getcwd(&(0x7f0000000000), 0x0)

0s ago: executing program 0 (id=208):
syz_open_dev$admmidi(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$admmidi(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$admmidi(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$admmidi(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$admmidi(&(0x7f0000000140), 0x1, 0x0)
syz_open_dev$admmidi(&(0x7f0000000180), 0x1, 0x1)
syz_open_dev$admmidi(&(0x7f00000001c0), 0x1, 0x2)
syz_open_dev$admmidi(&(0x7f0000000200), 0x1, 0x800)
syz_open_dev$admmidi(&(0x7f0000000240), 0x2, 0x0)
syz_open_dev$admmidi(&(0x7f0000000280), 0x2, 0x1)
syz_open_dev$admmidi(&(0x7f00000002c0), 0x2, 0x2)
syz_open_dev$admmidi(&(0x7f0000000300), 0x2, 0x800)
syz_open_dev$admmidi(&(0x7f0000000340), 0x3, 0x0)
syz_open_dev$admmidi(&(0x7f0000000380), 0x3, 0x1)
syz_open_dev$admmidi(&(0x7f00000003c0), 0x3, 0x2)
syz_open_dev$admmidi(&(0x7f0000000400), 0x3, 0x800)
syz_open_dev$admmidi(&(0x7f0000000440), 0x4, 0x0)
syz_open_dev$admmidi(&(0x7f0000000480), 0x4, 0x1)
syz_open_dev$admmidi(&(0x7f00000004c0), 0x4, 0x2)
syz_open_dev$admmidi(&(0x7f0000000500), 0x4, 0x800)

kernel console output (not intermixed with test programs):

Warning: Permanently added '[localhost]:49910' (ED25519) to the list of known hosts.
syzkaller login: [ 74.585882][ T3295] cgroup: Unknown subsys name 'net'
[ 74.882237][ T3295] cgroup: Unknown subsys name 'cpuset'
[ 74.901672][ T3295] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 75.553644][ T3295] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 86.096668][ T3421] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 89.991663][ T3301] ==================================================================
[ 89.996626][ T3301] BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0xe8/0x114
[ 89.997631][ T3301] Write at addr fcf00000075b60c8 by task syz-executor/3301
[ 89.997949][ T3301] Pointer tag: [fc], memory tag: [fe]
[ 89.998102][ T3301]
[ 89.998685][ T3301] CPU: 0 UID: 0 PID: 3301 Comm: syz-executor Not tainted 6.15.0-rc7-syzkaller-00099-g94305e83eccb #0 PREEMPT
[ 89.999021][ T3301] Hardware name: linux,dummy-virt (DT)
[ 89.999230][ T3301] Call trace:
[ 89.999411][ T3301] show_stack+0x18/0x24 (C)
[ 89.999706][ T3301] dump_stack_lvl+0x78/0x90
[ 89.999865][ T3301] print_report+0x108/0x630
[ 89.999986][ T3301] kasan_report+0x88/0xac
[ 90.000102][ T3301] __do_kernel_fault+0x170/0x1c8
[ 90.000221][ T3301] do_tag_check_fault+0x78/0x8c
[ 90.000338][ T3301] do_mem_abort+0x44/0x94
[ 90.000471][ T3301] el1_abort+0x40/0x60
[ 90.000591][ T3301] el1h_64_sync_handler+0xa4/0x120
[ 90.000714][ T3301] el1h_64_sync+0x6c/0x70
[ 90.000897][ T3301] binderfs_evict_inode+0xe8/0x114 (P)
[ 90.001021][ T3301] evict+0xec/0x240
[ 90.001139][ T3301] iput+0xfc/0x1b8
[ 90.001254][ T3301] dentry_unlink_inode+0xc0/0x188
[ 90.001372][ T3301] __dentry_kill+0x7c/0x1d4
[ 90.001489][ T3301] shrink_dentry_list+0x74/0xe4
[ 90.001611][ T3301] shrink_dcache_parent+0xcc/0x14c
[ 90.001745][ T3301] shrink_dcache_for_umount+0x3c/0x1c8
[ 90.001866][ T3301] generic_shutdown_super+0x24/0x100
[ 90.001986][ T3301] kill_anon_super+0x20/0x90
[ 90.002104][ T3301] kill_litter_super+0x28/0x38
[ 90.002219][ T3301] binderfs_kill_super+0x18/0x40
[ 90.002338][ T3301] deactivate_locked_super+0x50/0x12c
[ 90.002454][ T3301] deactivate_super+0x84/0x9c
[ 90.002570][ T3301] cleanup_mnt+0xf4/0x184
[ 90.002695][ T3301] __cleanup_mnt+0x14/0x20
[ 90.002813][ T3301] task_work_run+0x78/0xd4
[ 90.002931][ T3301] do_exit+0x2c8/0x944
[ 90.003048][ T3301] do_group_exit+0x34/0x90
[ 90.003190][ T3301] copy_siginfo_to_user+0x0/0xec
[ 90.003311][ T3301] do_signal+0x94/0x360
[ 90.003429][ T3301] do_notify_resume+0xd8/0x164
[ 90.003546][ T3301] el0_svc+0xc0/0xe0
[ 90.003669][ T3301] el0t_64_sync_handler+0x10c/0x138
[ 90.003787][ T3301] el0t_64_sync+0x1a4/0x1a8
[ 90.004034][ T3301]
[ 90.006026][ T3301] Freed by task 3302:
[ 90.006266][ T3301] kasan_save_stack+0x3c/0x64
[ 90.006514][ T3301] save_stack_info+0x40/0x158
[ 90.006684][ T3301] kasan_save_free_info+0x18/0x24
[ 90.006886][ T3301] __kasan_slab_free+0x74/0x8c
[ 90.007102][ T3301] kfree+0xfc/0x30c
[ 90.007270][ T3301] binderfs_evict_inode+0x100/0x114
[ 90.007433][ T3301] evict+0xec/0x240
[ 90.007593][ T3301] iput+0xfc/0x1b8
[ 90.007758][ T3301] dentry_unlink_inode+0xc0/0x188
[ 90.007921][ T3301] __dentry_kill+0x7c/0x1d4
[ 90.008082][ T3301] shrink_dentry_list+0x74/0xe4
[ 90.008244][ T3301] shrink_dcache_parent+0xcc/0x14c
[ 90.008407][ T3301] shrink_dcache_for_umount+0x3c/0x1c8
[ 90.008569][ T3301] generic_shutdown_super+0x24/0x100
[ 90.008738][ T3301] kill_anon_super+0x20/0x90
[ 90.008901][ T3301] kill_litter_super+0x28/0x38
[ 90.009060][ T3301] binderfs_kill_super+0x18/0x40
[ 90.009222][ T3301] deactivate_locked_super+0x50/0x12c
[ 90.009382][ T3301] deactivate_super+0x84/0x9c
[ 90.009542][ T3301] cleanup_mnt+0xf4/0x184
[ 90.009708][ T3301] __cleanup_mnt+0x14/0x20
[ 90.009886][ T3301] task_work_run+0x78/0xd4
[ 90.010047][ T3301] do_exit+0x2c8/0x944
[ 90.010207][ T3301] do_group_exit+0x34/0x90
[ 90.010367][ T3301] copy_siginfo_to_user+0x0/0xec
[ 90.010528][ T3301] do_signal+0xf0/0x360
[ 90.010695][ T3301] do_notify_resume+0xd8/0x164
[ 90.010856][ T3301] el0_svc+0xc0/0xe0
[ 90.011018][ T3301] el0t_64_sync_handler+0x10c/0x138
[ 90.011180][ T3301] el0t_64_sync+0x1a4/0x1a8
[ 90.011371][ T3301]
[ 90.011507][ T3301] The buggy address belongs to the object at fff00000075b60c0
[ 90.011507][ T3301] which belongs to the cache kmalloc-192 of size 192
[ 90.011717][ T3301] The buggy address is located 8 bytes inside of
[ 90.011717][ T3301] 192-byte region [fff00000075b60c0, fff00000075b6180)
[ 90.011899][ T3301]
[ 90.012137][ T3301] The buggy address belongs to the physical page:
SYZFAIL: failed to recv rpc
[ 90.012369][ T3301] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xfdf00000075b6000 pfn:0x475b6
[ 90.012725][ T3301] flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
[ 90.013135][ T3301] page_type: f5(slab)
[ 90.013564][ T3301] raw: 01ffc00000000000 f3f0000003001300 dead000000000122 0000000000000000
[ 90.013781][ T3301] raw: fdf00000075b6000 0000000080150012 00000000f5000000 0000000000000000
[ 90.013988][ T3301] page dumped because: kasan: bad access detected
[ 90.014133][ T3301]
[ 90.014269][ T3301] Memory state around the buggy address:
[ 90.014545][ T3301] fff00000075b5e00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[ 90.014746][ T3301] fff00000075b5f00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[ 90.014918][ T3301] >fff00000075b6000: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[ 90.015082][ T3301] ^
[ 90.015274][ T3301] fff00000075b6100: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[ 90.015427][ T3301] fff00000075b6200: fe fe fe fe f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
[ 90.015622][ T3301] ==================================================================
[ 90.017214][ T3301] Disabling lock debugging due to kernel taint
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)

VM DIAGNOSIS:
11:00:48 Registers: