last executing test programs: 1.144100245s ago: executing program 1 (id=165): rt_sigaction(0x0, &(0x7f0000000000), 0x0, 0x0, &(0x7f0000000000)) 997.953234ms ago: executing program 0 (id=167): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/cdrom', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/cdrom', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/cdrom', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/cdrom', 0x800, 0x0) 997.707494ms ago: executing program 1 (id=168): futex(&(0x7f0000000000), 0x0, 0x0, &(0x7f0000000000), &(0x7f0000000000), 0x0) 871.306411ms ago: executing program 0 (id=169): capget(&(0x7f0000000000), &(0x7f0000000000)) 767.288957ms ago: executing program 1 (id=170): syz_open_dev$loop(&(0x7f0000000040), 0x0, 0x0) syz_open_dev$loop(&(0x7f0000000080), 0x0, 0x1) syz_open_dev$loop(&(0x7f00000000c0), 0x0, 0x2) syz_open_dev$loop(&(0x7f0000000100), 0x0, 0x800) syz_open_dev$loop(&(0x7f0000000140), 0x1, 0x0) syz_open_dev$loop(&(0x7f0000000180), 0x1, 0x1) syz_open_dev$loop(&(0x7f00000001c0), 0x1, 0x2) syz_open_dev$loop(&(0x7f0000000200), 0x1, 0x800) syz_open_dev$loop(&(0x7f0000000240), 0x2, 0x0) syz_open_dev$loop(&(0x7f0000000280), 0x2, 0x1) syz_open_dev$loop(&(0x7f00000002c0), 0x2, 0x2) syz_open_dev$loop(&(0x7f0000000300), 0x2, 0x800) syz_open_dev$loop(&(0x7f0000000340), 0x3, 0x0) syz_open_dev$loop(&(0x7f0000000380), 0x3, 0x1) syz_open_dev$loop(&(0x7f00000003c0), 0x3, 0x2) syz_open_dev$loop(&(0x7f0000000400), 0x3, 0x800) syz_open_dev$loop(&(0x7f0000000440), 0x4, 0x0) syz_open_dev$loop(&(0x7f0000000480), 0x4, 0x1) syz_open_dev$loop(&(0x7f00000004c0), 0x4, 0x2) syz_open_dev$loop(&(0x7f0000000500), 0x4, 0x800) 667.393272ms ago: executing program 0 (id=171): setresuid(0x0, 0x0, 0x0) 577.656068ms ago: executing program 1 (id=172): stat(&(0x7f0000000000), &(0x7f0000000000)) 497.282512ms ago: executing program 0 (id=173): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/uinput', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/uinput', 0x800, 0x0) 417.144046ms ago: executing program 1 (id=174): splice(0xffffffffffffffff, &(0x7f0000000000), 0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0) 317.847632ms ago: executing program 0 (id=175): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/random', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/random', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/random', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/random', 0x800, 0x0) 317.652012ms ago: executing program 1 (id=176): pkey_free(0xffffffffffffffff) 0s ago: executing program 0 (id=178): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/v4l/by-path/platform-soc@0:qcom_cam-req-mgr-video-index0', 0x2, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:52084' (ED25519) to the list of known hosts. [ 126.721714][ T30] audit: type=1400 audit(126.460:58): avc: denied { name_bind } for pid=3297 comm="sshd" src=30005 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=1 [ 127.031900][ T30] audit: type=1400 audit(126.770:59): avc: denied { execute } for pid=3299 comm="sh" name="syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 127.038273][ T30] audit: type=1400 audit(126.780:60): avc: denied { execute_no_trans } for pid=3299 comm="sh" path="/syz-executor" dev="vda" ino=1735 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 130.811696][ T30] audit: type=1400 audit(130.550:61): avc: denied { mounton } for pid=3299 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1736 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 130.821848][ T30] audit: type=1400 audit(130.560:62): avc: denied { mount } for pid=3299 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 130.849922][ T3299] cgroup: Unknown subsys name 'net' [ 130.867058][ T30] audit: type=1400 audit(130.600:63): avc: denied { unmount } for pid=3299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 131.278339][ T3299] cgroup: Unknown subsys name 'cpuset' [ 131.310678][ T3299] cgroup: Unknown subsys name 'rlimit' [ 131.676780][ T30] audit: type=1400 audit(131.420:64): avc: denied { setattr } for pid=3299 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 131.680691][ T30] audit: type=1400 audit(131.420:65): avc: denied { create } for pid=3299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 131.683387][ T30] audit: type=1400 audit(131.420:66): avc: denied { write } for pid=3299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 131.687761][ T30] audit: type=1400 audit(131.420:67): avc: denied { module_request } for pid=3299 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 131.805356][ T30] audit: type=1400 audit(131.540:68): avc: denied { read } for pid=3299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 131.817904][ T30] audit: type=1400 audit(131.560:69): avc: denied { mounton } for pid=3299 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1 [ 131.819821][ T30] audit: type=1400 audit(131.560:70): avc: denied { mount } for pid=3299 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1 [ 132.091150][ T3302] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 132.097489][ T30] audit: type=1400 audit(131.830:71): avc: denied { relabelto } for pid=3302 comm="mkswap" name="swap-file" dev="vda" ino=1739 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 132.103356][ T30] audit: type=1400 audit(131.840:72): avc: denied { write } for pid=3302 comm="mkswap" path="/swap-file" dev="vda" ino=1739 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" Setting up swapspace version 1, size = 127995904 bytes [ 132.160117][ T30] audit: type=1400 audit(131.900:73): avc: denied { read } for pid=3299 comm="syz-executor" name="swap-file" dev="vda" ino=1739 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 132.161970][ T30] audit: type=1400 audit(131.900:74): avc: denied { open } for pid=3299 comm="syz-executor" path="/swap-file" dev="vda" ino=1739 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 132.172387][ T3299] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 137.661880][ T30] audit: type=1400 audit(137.400:75): avc: denied { execmem } for pid=3303 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 137.743945][ T30] audit: type=1400 audit(137.480:76): avc: denied { read } for pid=3305 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 137.748094][ T30] audit: type=1400 audit(137.480:77): avc: denied { open } for pid=3305 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 137.762354][ T30] audit: type=1400 audit(137.500:78): avc: denied { mounton } for pid=3305 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 138.445498][ T30] audit: type=1400 audit(138.180:79): avc: denied { mount } for pid=3306 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 138.453183][ T30] audit: type=1400 audit(138.190:80): avc: denied { mounton } for pid=3306 comm="syz-executor" path="/syzkaller.ean3mZ/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 138.465851][ T30] audit: type=1400 audit(138.200:81): avc: denied { mount } for pid=3306 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 138.489318][ T30] audit: type=1400 audit(138.230:82): avc: denied { mounton } for pid=3305 comm="syz-executor" path="/syzkaller.wtEeS1/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 138.496746][ T30] audit: type=1400 audit(138.240:83): avc: denied { mounton } for pid=3305 comm="syz-executor" path="/syzkaller.wtEeS1/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=611 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 138.513814][ T30] audit: type=1400 audit(138.250:84): avc: denied { unmount } for pid=3305 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 142.950677][ T30] kauditd_printk_skb: 21 callbacks suppressed [ 142.951936][ T30] audit: type=1400 audit(142.690:106): avc: denied { create } for pid=3365 comm="syz.1.53" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rxrpc_socket permissive=1 [ 144.299168][ T30] audit: type=1400 audit(144.040:107): avc: denied { read } for pid=3382 comm="syz.1.68" name="snapshot" dev="devtmpfs" ino=85 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:acpi_bios_t tclass=chr_file permissive=1 [ 144.301274][ T30] audit: type=1400 audit(144.040:108): avc: denied { open } for pid=3382 comm="syz.1.68" path="/dev/snapshot" dev="devtmpfs" ino=85 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:acpi_bios_t tclass=chr_file permissive=1 [ 144.361796][ T30] audit: type=1400 audit(144.100:109): avc: denied { write } for pid=3382 comm="syz.1.68" name="snapshot" dev="devtmpfs" ino=85 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:acpi_bios_t tclass=chr_file permissive=1 [ 144.774600][ T30] audit: type=1400 audit(144.510:110): avc: denied { create } for pid=3388 comm="syz.0.74" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=icmp_socket permissive=1 [ 145.290481][ T30] audit: type=1400 audit(145.030:111): avc: denied { read } for pid=3393 comm="syz.0.79" name="loop-control" dev="devtmpfs" ino=636 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:loop_control_device_t tclass=chr_file permissive=1 [ 145.292538][ T30] audit: type=1400 audit(145.030:112): avc: denied { open } for pid=3393 comm="syz.0.79" path="/dev/loop-control" dev="devtmpfs" ino=636 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:loop_control_device_t tclass=chr_file permissive=1 [ 145.294458][ T30] audit: type=1400 audit(145.030:113): avc: denied { write } for pid=3393 comm="syz.0.79" name="loop-control" dev="devtmpfs" ino=636 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:loop_control_device_t tclass=chr_file permissive=1 [ 146.489060][ T30] audit: type=1400 audit(146.230:114): avc: denied { create } for pid=3406 comm="syz.0.91" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_rdma_socket permissive=1 [ 146.716214][ T30] audit: type=1400 audit(146.450:115): avc: denied { create } for pid=3408 comm="syz.0.93" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_tcpdiag_socket permissive=1 [ 152.988656][ T30] kauditd_printk_skb: 1 callbacks suppressed [ 152.995435][ T30] audit: type=1400 audit(152.730:117): avc: denied { kexec_image_load } for pid=3453 comm="syz.0.137" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=system permissive=1 [ 154.042565][ T30] audit: type=1400 audit(153.780:118): avc: denied { create } for pid=3464 comm="syz.0.148" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=dccp_socket permissive=1 [ 155.243878][ T30] audit: type=1400 audit(154.980:119): avc: denied { create } for pid=3474 comm="syz.1.156" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=can_socket permissive=1 [ 155.360481][ T3475] mmap: syz.0.157 (3475) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst. [ 156.755893][ T30] audit: type=1400 audit(156.490:120): avc: denied { read } for pid=3491 comm="syz.0.173" name="uinput" dev="devtmpfs" ino=706 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 [ 156.756450][ T30] audit: type=1400 audit(156.490:121): avc: denied { open } for pid=3491 comm="syz.0.173" path="/dev/uinput" dev="devtmpfs" ino=706 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 [ 156.756907][ T30] audit: type=1400 audit(156.490:122): avc: denied { write } for pid=3491 comm="syz.0.173" name="uinput" dev="devtmpfs" ino=706 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:event_device_t tclass=chr_file permissive=1 [ 156.951060][ T30] audit: type=1400 audit(156.690:123): avc: denied { write } for pid=3493 comm="syz.0.175" name="random" dev="devtmpfs" ino=8 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:random_device_t tclass=chr_file permissive=1 [ 157.472199][ T3305] ================================================================== [ 157.473024][ T3305] BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x2ac/0x2b4 [ 157.473862][ T3305] Write of size 8 at addr ffff000019989c08 by task syz-executor/3305 [ 157.473965][ T3305] [ 157.474653][ T3305] CPU: 1 UID: 0 PID: 3305 Comm: syz-executor Not tainted 6.15.0-rc4-syzkaller-00256-g95d3481af6dc #0 PREEMPT [ 157.474909][ T3305] Hardware name: linux,dummy-virt (DT) [ 157.475219][ T3305] Call trace: [ 157.475455][ T3305] show_stack+0x18/0x24 (C) [ 157.475603][ T3305] dump_stack_lvl+0xa4/0xf4 [ 157.475670][ T3305] print_report+0xf4/0x60c [ 157.475721][ T3305] kasan_report+0xc8/0x108 [ 157.475764][ T3305] __asan_report_store8_noabort+0x20/0x2c [ 157.475817][ T3305] binderfs_evict_inode+0x2ac/0x2b4 [ 157.475865][ T3305] evict+0x2c0/0x67c [ 157.475906][ T3305] iput+0x3b0/0x6b4 [ 157.475942][ T3305] dentry_unlink_inode+0x208/0x46c [ 157.475986][ T3305] __dentry_kill+0x150/0x52c [ 157.476031][ T3305] shrink_dentry_list+0x114/0x3a4 [ 157.476072][ T3305] shrink_dcache_parent+0x158/0x354 [ 157.476113][ T3305] shrink_dcache_for_umount+0x88/0x304 [ 157.476154][ T3305] generic_shutdown_super+0x60/0x2e8 [ 157.476199][ T3305] kill_litter_super+0x68/0xa4 [ 157.476241][ T3305] binderfs_kill_super+0x38/0x88 [ 157.476281][ T3305] deactivate_locked_super+0x98/0x17c [ 157.476324][ T3305] deactivate_super+0xb0/0xd4 [ 157.476365][ T3305] cleanup_mnt+0x198/0x424 [ 157.476406][ T3305] __cleanup_mnt+0x14/0x20 [ 157.476446][ T3305] task_work_run+0x128/0x210 [ 157.476485][ T3305] do_exit+0x7ac/0x1f68 [ 157.476526][ T3305] do_group_exit+0xa4/0x208 [ 157.476564][ T3305] get_signal+0x1b00/0x1ba8 [ 157.476607][ T3305] do_signal+0x1f4/0x620 [ 157.476644][ T3305] do_notify_resume+0x18c/0x258 [ 157.476685][ T3305] el0_svc_compat+0xfc/0x17c [ 157.476724][ T3305] el0t_32_sync_handler+0x98/0x13c [ 157.476762][ T3305] el0t_32_sync+0x19c/0x1a0 [ 157.476982][ T3305] [ 157.477840][ T3305] Allocated by task 3306: [ 157.478086][ T3305] kasan_save_stack+0x3c/0x64 [ 157.478204][ T3305] kasan_save_track+0x20/0x3c [ 157.478291][ T3305] kasan_save_alloc_info+0x40/0x54 [ 157.478370][ T3305] __kasan_kmalloc+0xb8/0xbc [ 157.478453][ T3305] __kmalloc_cache_noprof+0x1b0/0x3cc [ 157.478537][ T3305] binderfs_binder_device_create.isra.0+0x140/0x9a0 [ 157.478622][ T3305] binderfs_fill_super+0x69c/0xed4 [ 157.478704][ T3305] get_tree_nodev+0xac/0x148 [ 157.478792][ T3305] binderfs_fs_context_get_tree+0x18/0x24 [ 157.478876][ T3305] vfs_get_tree+0x74/0x280 [ 157.478957][ T3305] path_mount+0xe54/0x1808 [ 157.479039][ T3305] __arm64_sys_mount+0x304/0x3dc [ 157.479122][ T3305] invoke_syscall+0x6c/0x258 [ 157.479202][ T3305] el0_svc_common.constprop.0+0xac/0x230 [ 157.479281][ T3305] do_el0_svc_compat+0x40/0x68 [ 157.479359][ T3305] el0_svc_compat+0x4c/0x17c [ 157.479436][ T3305] el0t_32_sync_handler+0x98/0x13c [ 157.479514][ T3305] el0t_32_sync+0x19c/0x1a0 [ 157.479618][ T3305] [ 157.479703][ T3305] Freed by task 3306: [ 157.479802][ T3305] kasan_save_stack+0x3c/0x64 [ 157.479891][ T3305] kasan_save_track+0x20/0x3c [ 157.479973][ T3305] kasan_save_free_info+0x4c/0x74 [ 157.480051][ T3305] __kasan_slab_free+0x50/0x6c [ 157.480132][ T3305] kfree+0x1bc/0x444 [ 157.480211][ T3305] binderfs_evict_inode+0x238/0x2b4 [ 157.480293][ T3305] evict+0x2c0/0x67c [ 157.480369][ T3305] iput+0x3b0/0x6b4 [ 157.480447][ T3305] dentry_unlink_inode+0x208/0x46c [ 157.480527][ T3305] __dentry_kill+0x150/0x52c [ 157.480608][ T3305] shrink_dentry_list+0x114/0x3a4 [ 157.480689][ T3305] shrink_dcache_parent+0x158/0x354 [ 157.480773][ T3305] shrink_dcache_for_umount+0x88/0x304 [ 157.480872][ T3305] generic_shutdown_super+0x60/0x2e8 [ 157.480994][ T3305] kill_litter_super+0x68/0xa4 [ 157.481082][ T3305] binderfs_kill_super+0x38/0x88 [ 157.481163][ T3305] deactivate_locked_super+0x98/0x17c [ 157.481246][ T3305] deactivate_super+0xb0/0xd4 [ 157.481329][ T3305] cleanup_mnt+0x198/0x424 [ 157.481418][ T3305] __cleanup_mnt+0x14/0x20 [ 157.481502][ T3305] task_work_run+0x128/0x210 [ 157.481583][ T3305] do_exit+0x7ac/0x1f68 [ 157.481663][ T3305] do_group_exit+0xa4/0x208 [ 157.481742][ T3305] get_signal+0x1b00/0x1ba8 [ 157.481839][ T3305] do_signal+0x160/0x620 [ 157.481919][ T3305] do_notify_resume+0x18c/0x258 [ 157.481999][ T3305] el0_svc_compat+0xfc/0x17c [ 157.482076][ T3305] el0t_32_sync_handler+0x98/0x13c [ 157.482155][ T3305] el0t_32_sync+0x19c/0x1a0 [ 157.482248][ T3305] [ 157.482372][ T3305] The buggy address belongs to the object at ffff000019989c00 [ 157.482372][ T3305] which belongs to the cache kmalloc-512 of size 512 [ 157.482523][ T3305] The buggy address is located 8 bytes inside of [ 157.482523][ T3305] freed 512-byte region [ffff000019989c00, ffff000019989e00) [ 157.482618][ T3305] [ 157.482748][ T3305] The buggy address belongs to the physical page: [ 157.483150][ T3305] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff00001998ac00 pfn:0x59988 [ 157.483668][ T3305] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 157.483830][ T3305] flags: 0x1ffc00000000240(workingset|head|node=0|zone=0|lastcpupid=0x7ff) [ 157.484281][ T3305] page_type: f5(slab) [ 157.484666][ T3305] raw: 01ffc00000000240 ffff00000dc01c80 fffffdffc04b1d10 fffffdffc04ba110 [ 157.484816][ T3305] raw: ffff00001998ac00 000000000010000f 00000000f5000000 0000000000000000 [ 157.485050][ T3305] head: 01ffc00000000240 ffff00000dc01c80 fffffdffc04b1d10 fffffdffc04ba110 [ 157.485143][ T3305] head: ffff00001998ac00 000000000010000f 00000000f5000000 0000000000000000 [ 157.485223][ T3305] head: 01ffc00000000002 fffffdffc0666201 00000000ffffffff 00000000ffffffff [ 157.485300][ T3305] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 157.485460][ T3305] page dumped because: kasan: bad access detected [ 157.485549][ T3305] [ 157.485626][ T3305] Memory state around the buggy address: [ 157.485964][ T3305] ffff000019989b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 157.486085][ T3305] ffff000019989b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 157.486183][ T3305] >ffff000019989c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 157.486287][ T3305] ^ [ 157.486423][ T3305] ffff000019989c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 157.486499][ T3305] ffff000019989d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 157.486633][ T3305] ================================================================== [ 157.573670][ T3305] Disabling lock debugging due to kernel taint SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) VM DIAGNOSIS: 07:14:02 Registers: info registers vcpu 0 CPU#0 PC=ffff800081b690f8 X00=0000000000000002 X01=0000000000000000 X02=0000000000000002 X03=dfff800000000000 X04=0000000000000030 X05=ffff800087a17000 X06=ffff700010f42e00 X07=0000000000000001 X08=ffff800087a17000 X09=dfff800000000000 X10=ffff700010f42e00 X11=1ffff00010f42e00 X12=ffff700010f42e01 X13=0000000000008000 X14=7475636578652d7a X15=7420746f4e20726f X16=36206465746e6961 X17=63722d302e35312e X18=0000000000000000 X19=ffff00000f716080 X20=ffff80008d43b030 X21=ffff800087a92820 X22=1fffe00001ee2c5b X23=0000000000000000 X24=ffff80008d947da8 X25=1ffff00011b28fb5 X26=0000000000000000 X27=1fffe00001ee2c5a X28=ffff00000f7162d0 X29=ffff80008d947a10 X30=ffff800081b69950 SP=ffff80008d947a10 PSTATE=800000c5 N--- EL1h FPCR=00000000 FPSR=00000000 Q00=6f732e78756e696c:657362696c00322e Q01=0000000000000000:00000000000f0000 Q02=f00ff00ff00ff00f:f00ff00ff00ff00f Q03=0000000000000f00:0000000000000f00 Q04=3003300330033003:3003300330033003 Q05=f00ff00ff00ff00f:f00ff00ff00ff00f Q06=0000000000000c00:0000000000000c00 Q07=0000000000000000:0000000000000000 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000000000000000:0000000000000000 Q17=0000000000000000:0000000000000000 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff80008038d034 X00=0000000000000000 X01=ffff8000872bda60 X02=0000000000000000 X03=1fffe00001d143c9 X04=000000001a81dbe5 X05=0000000000000000 X06=ffff00000e8a2998 X07=9344a1795eadf0e9 X08=0000000000000000 X09=ffff800089733000 X10=ffff00000e8a28d0 X11=0000000000000002 X12=0000000000000006 X13=0000000000000000 X14=3d3d3d3d3d3d3d3d X15=3d3d3d3d3d3d3d3d X16=3d3d3d3d3d3d3d3d X17=3d3d3d3d3d3d3d3d X18=00000000000005c3 X19=ffff80008705a648 X20=ffff800089733c38 X21=ffff80008d0ee000 X22=0000000000000005 X23=ffff800086445b20 X24=ffff000018d7ab20 X25=ffff00000f880000 X26=ffff000018d7aaf8 X27=ffff00000f8800b0 X28=dfff800000000000 X29=ffff80008d667490 X30=ffff800080376488 SP=ffff80008d667430 PSTATE=10000005 ---V EL1h FPCR=00000000 FPSR=00000000 Q00=0000000000000000:0000000000000000 Q01=0000000000000000:0000000000000000 Q02=0000000000000000:0000000000000000 Q03=0000000000000000:0000000000000000 Q04=0000000000000000:0000000000000000 Q05=0000000000000000:0000000000000000 Q06=0000000000000000:0000000000000000 Q07=0000000000000000:0000000000000000 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000000000000000:0000000000000000 Q17=0000000000000000:0000000000000000 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000