last executing test programs: 1.419012409s ago: executing program 0 (id=161): socket$inet6_mptcp(0xa, 0x1, 0x106) 1.278927177s ago: executing program 0 (id=163): syz_open_dev$dri(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$dri(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$dri(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$dri(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$dri(&(0x7f0000000140), 0x1, 0x0) syz_open_dev$dri(&(0x7f0000000180), 0x1, 0x1) syz_open_dev$dri(&(0x7f00000001c0), 0x1, 0x2) syz_open_dev$dri(&(0x7f0000000200), 0x1, 0x800) syz_open_dev$dri(&(0x7f0000000240), 0x2, 0x0) syz_open_dev$dri(&(0x7f0000000280), 0x2, 0x1) syz_open_dev$dri(&(0x7f00000002c0), 0x2, 0x2) syz_open_dev$dri(&(0x7f0000000300), 0x2, 0x800) syz_open_dev$dri(&(0x7f0000000340), 0x3, 0x0) syz_open_dev$dri(&(0x7f0000000380), 0x3, 0x1) syz_open_dev$dri(&(0x7f00000003c0), 0x3, 0x2) syz_open_dev$dri(&(0x7f0000000400), 0x3, 0x800) syz_open_dev$dri(&(0x7f0000000440), 0x4, 0x0) syz_open_dev$dri(&(0x7f0000000480), 0x4, 0x1) syz_open_dev$dri(&(0x7f00000004c0), 0x4, 0x2) syz_open_dev$dri(&(0x7f0000000500), 0x4, 0x800) 1.108835867s ago: executing program 0 (id=165): socket$unix(0x1, 0x1, 0x0) 968.718105ms ago: executing program 0 (id=167): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/tlk_device', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/tlk_device', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/tlk_device', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/tlk_device', 0x800, 0x0) 968.275435ms ago: executing program 1 (id=168): pselect6(0x0, &(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000)) 867.152261ms ago: executing program 0 (id=169): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hwrng', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/hwrng', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/hwrng', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/hwrng', 0x800, 0x0) 855.244721ms ago: executing program 1 (id=170): openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/fs/smackfs/ambient', 0x2, 0x0) 718.147779ms ago: executing program 0 (id=171): name_to_handle_at(0xffffffffffffffff, &(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000), 0x0) 639.863234ms ago: executing program 1 (id=172): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dlm-monitor', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dlm-monitor', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/dlm-monitor', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dlm-monitor', 0x800, 0x0) 427.722956ms ago: executing program 1 (id=174): faccessat2(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0) 228.994177ms ago: executing program 1 (id=175): openat(0xffffffffffffff9c, &(0x7f0000000040)='/selinux/mls', 0x0, 0x0) 0s ago: executing program 1 (id=176): request_key(&(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000), 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:34006' (ED25519) to the list of known hosts. [ 125.000424][ T30] audit: type=1400 audit(124.790:48): avc: denied { name_bind } for pid=3302 comm="sshd-session" src=30003 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:tcs_port_t tclass=tcp_socket permissive=1 [ 125.345165][ T30] audit: type=1400 audit(125.130:49): avc: denied { execute } for pid=3303 comm="sh" name="syz-executor" dev="vda" ino=1867 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 125.348613][ T30] audit: type=1400 audit(125.140:50): avc: denied { execute_no_trans } for pid=3303 comm="sh" path="/syz-executor" dev="vda" ino=1867 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 128.928148][ T30] audit: type=1400 audit(128.720:51): avc: denied { mounton } for pid=3303 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1868 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 128.937780][ T30] audit: type=1400 audit(128.730:52): avc: denied { mount } for pid=3303 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 128.966903][ T3303] cgroup: Unknown subsys name 'net' [ 128.986366][ T30] audit: type=1400 audit(128.780:53): avc: denied { unmount } for pid=3303 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 129.410913][ T3303] cgroup: Unknown subsys name 'cpuset' [ 129.440348][ T3303] cgroup: Unknown subsys name 'rlimit' [ 129.859258][ T30] audit: type=1400 audit(129.650:54): avc: denied { setattr } for pid=3303 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 129.864270][ T30] audit: type=1400 audit(129.650:55): avc: denied { create } for pid=3303 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 129.870595][ T30] audit: type=1400 audit(129.660:56): avc: denied { write } for pid=3303 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 129.876275][ T30] audit: type=1400 audit(129.670:57): avc: denied { module_request } for pid=3303 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 130.016046][ T30] audit: type=1400 audit(129.810:58): avc: denied { read } for pid=3303 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 130.032357][ T30] audit: type=1400 audit(129.820:59): avc: denied { mounton } for pid=3303 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 130.041871][ T30] audit: type=1400 audit(129.830:60): avc: denied { mount } for pid=3303 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 130.424460][ T3306] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 130.428153][ T30] audit: type=1400 audit(130.220:61): avc: denied { relabelto } for pid=3306 comm="mkswap" name="swap-file" dev="vda" ino=1871 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 130.431582][ T30] audit: type=1400 audit(130.220:62): avc: denied { write } for pid=3306 comm="mkswap" path="/swap-file" dev="vda" ino=1871 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" Setting up swapspace version 1, size = 127995904 bytes [ 130.502034][ T30] audit: type=1400 audit(130.290:63): avc: denied { read } for pid=3303 comm="syz-executor" name="swap-file" dev="vda" ino=1871 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 130.506927][ T30] audit: type=1400 audit(130.290:64): avc: denied { open } for pid=3303 comm="syz-executor" path="/swap-file" dev="vda" ino=1871 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 130.522854][ T3303] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 140.316475][ T30] audit: type=1400 audit(140.110:65): avc: denied { execmem } for pid=3307 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 140.457212][ T30] audit: type=1400 audit(140.250:66): avc: denied { read } for pid=3309 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 140.464571][ T30] audit: type=1400 audit(140.250:67): avc: denied { open } for pid=3309 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 140.476783][ T30] audit: type=1400 audit(140.270:68): avc: denied { mounton } for pid=3309 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 141.112752][ T30] audit: type=1400 audit(140.900:69): avc: denied { mount } for pid=3309 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 141.120060][ T30] audit: type=1400 audit(140.910:70): avc: denied { mounton } for pid=3309 comm="syz-executor" path="/syzkaller.tUOkKa/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 141.133987][ T30] audit: type=1400 audit(140.920:71): avc: denied { mount } for pid=3309 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 141.152946][ T30] audit: type=1400 audit(140.940:72): avc: denied { mounton } for pid=3309 comm="syz-executor" path="/syzkaller.tUOkKa/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 141.162458][ T30] audit: type=1400 audit(140.950:73): avc: denied { mounton } for pid=3309 comm="syz-executor" path="/syzkaller.tUOkKa/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=3189 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 141.184329][ T30] audit: type=1400 audit(140.970:74): avc: denied { unmount } for pid=3309 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 145.370660][ T30] kauditd_printk_skb: 17 callbacks suppressed [ 145.373599][ T30] audit: type=1400 audit(145.160:92): avc: denied { create } for pid=3356 comm="syz.0.42" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=ieee802154_socket permissive=1 [ 145.734546][ T30] audit: type=1400 audit(145.520:93): avc: denied { create } for pid=3358 comm="syz.0.44" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=tipc_socket permissive=1 [ 145.796010][ T30] audit: type=1400 audit(145.590:94): avc: denied { create } for pid=3360 comm="syz.1.45" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rose_socket permissive=1 [ 147.781508][ T30] audit: type=1400 audit(147.570:95): avc: denied { create } for pid=3382 comm="syz.1.66" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=pppox_socket permissive=1 [ 148.695524][ T30] audit: type=1400 audit(148.480:96): avc: denied { create } for pid=3392 comm="syz.1.75" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rds_socket permissive=1 [ 149.631646][ T30] audit: type=1400 audit(149.420:97): avc: denied { create } for pid=3404 comm="syz.0.87" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rawip_socket permissive=1 [ 150.332975][ T30] audit: type=1400 audit(150.120:98): avc: denied { read } for pid=3413 comm="syz.1.96" name="uhid" dev="devtmpfs" ino=712 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:uhid_device_t tclass=chr_file permissive=1 [ 150.357243][ T30] audit: type=1400 audit(150.150:99): avc: denied { open } for pid=3413 comm="syz.1.96" path="/dev/uhid" dev="devtmpfs" ino=712 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:uhid_device_t tclass=chr_file permissive=1 [ 150.362310][ T30] audit: type=1400 audit(150.150:100): avc: denied { write } for pid=3413 comm="syz.1.96" name="uhid" dev="devtmpfs" ino=712 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:uhid_device_t tclass=chr_file permissive=1 [ 150.460360][ T30] audit: type=1400 audit(150.250:101): avc: denied { allowed } for pid=3414 comm="syz.0.97" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=io_uring permissive=1 [ 150.924723][ T3420] mmap: syz.1.103 (3420) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst. [ 152.577069][ T30] audit: type=1400 audit(152.370:102): avc: denied { read } for pid=3442 comm="syz.0.125" name="kvm" dev="devtmpfs" ino=84 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 152.579099][ T30] audit: type=1400 audit(152.370:103): avc: denied { open } for pid=3442 comm="syz.0.125" path="/dev/kvm" dev="devtmpfs" ino=84 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 152.595137][ T30] audit: type=1400 audit(152.380:104): avc: denied { write } for pid=3442 comm="syz.0.125" name="kvm" dev="devtmpfs" ino=84 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=1 [ 152.821449][ T30] audit: type=1400 audit(152.610:105): avc: denied { create } for pid=3444 comm="syz.0.128" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=caif_socket permissive=1 [ 152.928820][ T30] audit: type=1400 audit(152.720:106): avc: denied { read } for pid=3447 comm="syz.1.129" name="event0" dev="devtmpfs" ino=747 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 [ 152.930741][ T30] audit: type=1400 audit(152.720:107): avc: denied { open } for pid=3447 comm="syz.1.129" path="/dev/input/event0" dev="devtmpfs" ino=747 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 [ 152.932839][ T30] audit: type=1400 audit(152.720:108): avc: denied { write } for pid=3447 comm="syz.1.129" name="event0" dev="devtmpfs" ino=747 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 [ 153.532889][ T30] audit: type=1400 audit(153.320:109): avc: denied { read } for pid=3452 comm="syz.0.134" name="loop-control" dev="devtmpfs" ino=636 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:loop_control_device_t tclass=chr_file permissive=1 [ 153.535812][ T30] audit: type=1400 audit(153.320:110): avc: denied { open } for pid=3452 comm="syz.0.134" path="/dev/loop-control" dev="devtmpfs" ino=636 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:loop_control_device_t tclass=chr_file permissive=1 [ 156.728961][ T30] kauditd_printk_skb: 1 callbacks suppressed [ 156.731355][ T30] audit: type=1400 audit(156.520:112): avc: denied { sys_module } for pid=3475 comm="syz.1.156" capability=16 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=capability permissive=1 [ 157.252167][ T30] audit: type=1400 audit(157.040:113): avc: denied { read } for pid=3482 comm="syz.0.163" name="card0" dev="devtmpfs" ino=617 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1 [ 157.257709][ T30] audit: type=1400 audit(157.040:114): avc: denied { open } for pid=3482 comm="syz.0.163" path="/dev/dri/card0" dev="devtmpfs" ino=617 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1 [ 157.266864][ T30] audit: type=1400 audit(157.060:115): avc: denied { write } for pid=3482 comm="syz.0.163" name="card0" dev="devtmpfs" ino=617 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1 [ 157.710271][ T30] audit: type=1400 audit(157.500:116): avc: denied { write } for pid=3488 comm="syz.0.169" name="hwrng" dev="devtmpfs" ino=83 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:random_device_t tclass=chr_file permissive=1 [ 158.818538][ T3310] ================================================================== [ 158.819309][ T3310] BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x2ac/0x2b4 [ 158.820159][ T3310] Write of size 8 at addr ffff000019145c08 by task syz-executor/3310 [ 158.820258][ T3310] [ 158.821005][ T3310] CPU: 1 UID: 0 PID: 3310 Comm: syz-executor Not tainted 6.15.0-rc5-syzkaller-00204-g0e1329d4045c #0 PREEMPT [ 158.821101][ T3310] Hardware name: linux,dummy-virt (DT) [ 158.821397][ T3310] Call trace: [ 158.821572][ T3310] show_stack+0x18/0x24 (C) [ 158.821713][ T3310] dump_stack_lvl+0xa4/0xf4 [ 158.821777][ T3310] print_report+0xf4/0x60c [ 158.821826][ T3310] kasan_report+0xc8/0x108 [ 158.821866][ T3310] __asan_report_store8_noabort+0x20/0x2c [ 158.821910][ T3310] binderfs_evict_inode+0x2ac/0x2b4 [ 158.821951][ T3310] evict+0x2c0/0x67c [ 158.821990][ T3310] iput+0x3b0/0x6b4 [ 158.822024][ T3310] dentry_unlink_inode+0x208/0x46c [ 158.822063][ T3310] __dentry_kill+0x150/0x52c [ 158.822099][ T3310] shrink_dentry_list+0x114/0x3a4 [ 158.822137][ T3310] shrink_dcache_parent+0x158/0x354 [ 158.822174][ T3310] shrink_dcache_for_umount+0x88/0x304 [ 158.822212][ T3310] generic_shutdown_super+0x60/0x2e8 [ 158.822253][ T3310] kill_litter_super+0x68/0xa4 [ 158.822292][ T3310] binderfs_kill_super+0x38/0x88 [ 158.822330][ T3310] deactivate_locked_super+0x98/0x17c [ 158.822369][ T3310] deactivate_super+0xb0/0xd4 [ 158.822408][ T3310] cleanup_mnt+0x198/0x424 [ 158.822446][ T3310] __cleanup_mnt+0x14/0x20 [ 158.822484][ T3310] task_work_run+0x128/0x210 [ 158.822521][ T3310] do_exit+0x7ac/0x1f68 [ 158.822559][ T3310] do_group_exit+0xa4/0x208 [ 158.822594][ T3310] get_signal+0x1b00/0x1ba8 [ 158.822634][ T3310] do_signal+0x160/0x620 [ 158.822669][ T3310] do_notify_resume+0x18c/0x258 [ 158.822707][ T3310] el0_svc+0x100/0x180 [ 158.822742][ T3310] el0t_64_sync_handler+0x10c/0x138 [ 158.822776][ T3310] el0t_64_sync+0x198/0x19c [ 158.822958][ T3310] [ 158.823901][ T3310] Allocated by task 3309: [ 158.824152][ T3310] kasan_save_stack+0x3c/0x64 [ 158.824266][ T3310] kasan_save_track+0x20/0x3c [ 158.824350][ T3310] kasan_save_alloc_info+0x40/0x54 [ 158.824426][ T3310] __kasan_kmalloc+0xb8/0xbc [ 158.824504][ T3310] __kmalloc_cache_noprof+0x1b0/0x3cc [ 158.824584][ T3310] binderfs_binder_device_create.isra.0+0x140/0x9a0 [ 158.824665][ T3310] binderfs_fill_super+0x69c/0xed4 [ 158.824745][ T3310] get_tree_nodev+0xac/0x148 [ 158.824821][ T3310] binderfs_fs_context_get_tree+0x18/0x24 [ 158.824909][ T3310] vfs_get_tree+0x74/0x280 [ 158.824990][ T3310] path_mount+0xe54/0x1808 [ 158.825070][ T3310] __arm64_sys_mount+0x304/0x3dc [ 158.825149][ T3310] invoke_syscall+0x6c/0x258 [ 158.825257][ T3310] el0_svc_common.constprop.0+0xac/0x230 [ 158.825335][ T3310] do_el0_svc+0x40/0x58 [ 158.825429][ T3310] el0_svc+0x50/0x180 [ 158.825508][ T3310] el0t_64_sync_handler+0x10c/0x138 [ 158.825589][ T3310] el0t_64_sync+0x198/0x19c [ 158.825698][ T3310] [ 158.825782][ T3310] Freed by task 3309: [ 158.825868][ T3310] kasan_save_stack+0x3c/0x64 [ 158.825963][ T3310] kasan_save_track+0x20/0x3c [ 158.826042][ T3310] kasan_save_free_info+0x4c/0x74 [ 158.826117][ T3310] __kasan_slab_free+0x50/0x6c [ 158.826196][ T3310] kfree+0x1bc/0x444 [ 158.826270][ T3310] binderfs_evict_inode+0x238/0x2b4 [ 158.826350][ T3310] evict+0x2c0/0x67c [ 158.826424][ T3310] iput+0x3b0/0x6b4 [ 158.826496][ T3310] dentry_unlink_inode+0x208/0x46c [ 158.826574][ T3310] __dentry_kill+0x150/0x52c [ 158.826650][ T3310] shrink_dentry_list+0x114/0x3a4 [ 158.826727][ T3310] shrink_dcache_parent+0x158/0x354 [ 158.826811][ T3310] shrink_dcache_for_umount+0x88/0x304 [ 158.826895][ T3310] generic_shutdown_super+0x60/0x2e8 [ 158.826976][ T3310] kill_litter_super+0x68/0xa4 [ 158.827078][ T3310] binderfs_kill_super+0x38/0x88 [ 158.827159][ T3310] deactivate_locked_super+0x98/0x17c [ 158.827238][ T3310] deactivate_super+0xb0/0xd4 [ 158.827316][ T3310] cleanup_mnt+0x198/0x424 [ 158.827393][ T3310] __cleanup_mnt+0x14/0x20 [ 158.827472][ T3310] task_work_run+0x128/0x210 [ 158.827547][ T3310] do_exit+0x7ac/0x1f68 [ 158.827623][ T3310] do_group_exit+0xa4/0x208 [ 158.827698][ T3310] get_signal+0x1b00/0x1ba8 [ 158.827777][ T3310] do_signal+0x160/0x620 [ 158.827850][ T3310] do_notify_resume+0x18c/0x258 [ 158.827935][ T3310] el0_svc+0x100/0x180 [ 158.828008][ T3310] el0t_64_sync_handler+0x10c/0x138 [ 158.828083][ T3310] el0t_64_sync+0x198/0x19c [ 158.828169][ T3310] [ 158.828286][ T3310] The buggy address belongs to the object at ffff000019145c00 [ 158.828286][ T3310] which belongs to the cache kmalloc-512 of size 512 [ 158.828436][ T3310] The buggy address is located 8 bytes inside of [ 158.828436][ T3310] freed 512-byte region [ffff000019145c00, ffff000019145e00) [ 158.828530][ T3310] [ 158.828662][ T3310] The buggy address belongs to the physical page: [ 158.829065][ T3310] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff000019147400 pfn:0x59144 [ 158.829572][ T3310] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 158.829721][ T3310] flags: 0x1ffc00000000240(workingset|head|node=0|zone=0|lastcpupid=0x7ff) [ 158.830176][ T3310] page_type: f5(slab) [ 158.830579][ T3310] raw: 01ffc00000000240 ffff00000dc01c80 fffffdffc03d7d10 fffffdffc0521710 [ 158.830681][ T3310] raw: ffff000019147400 0000000000100005 00000000f5000000 0000000000000000 [ 158.830823][ T3310] head: 01ffc00000000240 ffff00000dc01c80 fffffdffc03d7d10 fffffdffc0521710 [ 158.830914][ T3310] head: ffff000019147400 0000000000100005 00000000f5000000 0000000000000000 [ 158.830990][ T3310] head: 01ffc00000000002 fffffdffc0645101 00000000ffffffff 00000000ffffffff [ 158.831093][ T3310] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 158.831211][ T3310] page dumped because: kasan: bad access detected [ 158.831296][ T3310] [ 158.831367][ T3310] Memory state around the buggy address: [ 158.831693][ T3310] ffff000019145b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 158.831815][ T3310] ffff000019145b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 158.831921][ T3310] >ffff000019145c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 158.832018][ T3310] ^ [ 158.832153][ T3310] ffff000019145c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 158.832226][ T3310] ffff000019145d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 158.832358][ T3310] ================================================================== SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 158.975124][ T3310] Disabling lock debugging due to kernel taint [ 159.109306][ T30] audit: type=1400 audit(158.900:117): avc: denied { create } for pid=3497 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=user_namespace permissive=1 [ 159.127020][ T30] audit: type=1400 audit(158.920:118): avc: denied { sys_admin } for pid=3497 comm="syz-executor" capability=21 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=cap_userns permissive=1 [ 159.537805][ T30] audit: type=1400 audit(159.330:119): avc: denied { mounton } for pid=3498 comm="syz-executor" path="/syzkaller.9gWBcx/syz-tmp" dev="vda" ino=1872 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 159.547288][ T30] audit: type=1400 audit(159.340:120): avc: denied { mount } for pid=3498 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 159.578117][ T30] audit: type=1400 audit(159.370:121): avc: denied { sys_chroot } for pid=3498 comm="syz-executor" capability=18 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=cap_userns permissive=1 [ 159.671819][ T3498] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. VM DIAGNOSIS: 21:43:34 Registers: info registers vcpu 0 CPU#0 PC=ffff800081a93d20 X00=ffff80008d50d004 X01=0000000000000000 X02=1fffe00002a9f447 X03=1fffe00002a9f445 X04=1fffe00001f43d18 X05=0000000000000000 X06=ffff00000e8866b8 X07=0000000000000000 X08=0000000000000000 X09=ffff800089734000 X10=ffff00000e886550 X11=0000000000000002 X12=000000000000000d X13=0000000000000000 X14=1fffe000037faacd X15=1850db880ef4a29f X16=850d00005895ffff X17=c3ac010b99b8e97c X18=ffff00000f8f8280 X19=ffff0000154fa200 X20=0000000000000001 X21=1fffe00002a9f448 X22=0000000000000003 X23=ffff000013567b40 X24=1fffe00002e65000 X25=ffff00000fa1e8c4 X26=0000000000000040 X27=0000000000000000 X28=0000000000a4d0f4 X29=ffff8000800061a0 X30=ffff800081a77aa8 SP=ffff8000800061a0 PSTATE=10000005 ---V EL1h FPCR=00000000 FPSR=00000000 Q00=0000000000000000:0000000000000000 Q01=0000000000000000:0000000000000000 Q02=0000000000000000:0000000000000000 Q03=0000000000000000:0000000000000000 Q04=0000000000000000:0000000000000000 Q05=0000000000000000:0000000000000000 Q06=0000000000000000:0000000000000000 Q07=0000000000000000:0000000000000000 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000000000000000:0000000000000000 Q17=0000000000000000:0000000000000000 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff8000803109c0 X00=ffff80008039a240 X01=ffff80008705a348 X02=0000000000000001 X03=ffff800080c77074 X04=ffff60000251f01f X05=ffff0000128f80f0 X06=ffff600001c2c71c X07=0000000000000001 X08=ffff00000e1638e7 X09=dfff800000000000 X10=ffff600001c2c71b X11=1fffe00001c2c71b X12=ffff600001c2c71c X13=0000000000000000 X14=3d3d3d3d3d3d3d3d X15=3d3d3d3d3d3d3d3d X16=3d3d3d3d3d3d3d3d X17=3d3d3d3d3d3d3d3d X18=00000000000005ca X19=ffff00000e333c80 X20=ffff8000872bd9e0 X21=ffff8000872bd9e0 X22=0000000000000000 X23=ffff800086445de0 X24=ffff00001779cb20 X25=00000000ffffffff X26=0000000000000000 X27=ffff00000e333c80 X28=dfff800000000000 X29=ffff80008d6674a0 X30=ffff800085462628 SP=ffff80008d6674e0 PSTATE=400000c5 -Z-- EL1h FPCR=00000000 FPSR=00000000 Q00=5f7463656a626f3a:755f6d6574737973 Q01=00745f6563697665:643a725f7463656a Q02=0000000000000000:00000f0000000000 Q03=0000000000000000:ffffffffffffffff Q04=ffffffffffffffff:00000000ffffffff Q05=ffffffffffffffff:0000000000000000 Q06=63627c2a6476787c:2a64767c2a72737c Q07=7361647c2a737369:63637c2a65686361 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000ffffe0ebfd60:0000ffffe0ebfd60 Q17=ffffff80ffffffd0:0000ffffe0ebfd30 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000