last executing test programs:

869.8348ms ago: executing program 0 (id=203):
syz_open_dev$admmidi(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$admmidi(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$admmidi(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$admmidi(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$admmidi(&(0x7f0000000140), 0x1, 0x0)
syz_open_dev$admmidi(&(0x7f0000000180), 0x1, 0x1)
syz_open_dev$admmidi(&(0x7f00000001c0), 0x1, 0x2)
syz_open_dev$admmidi(&(0x7f0000000200), 0x1, 0x800)
syz_open_dev$admmidi(&(0x7f0000000240), 0x2, 0x0)
syz_open_dev$admmidi(&(0x7f0000000280), 0x2, 0x1)
syz_open_dev$admmidi(&(0x7f00000002c0), 0x2, 0x2)
syz_open_dev$admmidi(&(0x7f0000000300), 0x2, 0x800)
syz_open_dev$admmidi(&(0x7f0000000340), 0x3, 0x0)
syz_open_dev$admmidi(&(0x7f0000000380), 0x3, 0x1)
syz_open_dev$admmidi(&(0x7f00000003c0), 0x3, 0x2)
syz_open_dev$admmidi(&(0x7f0000000400), 0x3, 0x800)
syz_open_dev$admmidi(&(0x7f0000000440), 0x4, 0x0)
syz_open_dev$admmidi(&(0x7f0000000480), 0x4, 0x1)
syz_open_dev$admmidi(&(0x7f00000004c0), 0x4, 0x2)
syz_open_dev$admmidi(&(0x7f0000000500), 0x4, 0x800)

779.179716ms ago: executing program 0 (id=204):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/fuse', 0x2, 0x0)

778.970986ms ago: executing program 0 (id=205):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/kernel/debug/bluetooth/6lowpan_enable', 0x2, 0x0)

709.457161ms ago: executing program 0 (id=207):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/kernel/debug/bluetooth/6lowpan_control', 0x2, 0x0)

630.209467ms ago: executing program 0 (id=208):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/fs/smackfs/onlycap', 0x2, 0x0)

549.868302ms ago: executing program 0 (id=210):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/dsp1', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/dsp1', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/dsp1', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/dsp1', 0x800, 0x0)

549.612502ms ago: executing program 1 (id=211):
syz_open_dev$sg(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$sg(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$sg(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$sg(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$sg(&(0x7f0000000140), 0x1, 0x0)
syz_open_dev$sg(&(0x7f0000000180), 0x1, 0x1)
syz_open_dev$sg(&(0x7f00000001c0), 0x1, 0x2)
syz_open_dev$sg(&(0x7f0000000200), 0x1, 0x800)
syz_open_dev$sg(&(0x7f0000000240), 0x2, 0x0)
syz_open_dev$sg(&(0x7f0000000280), 0x2, 0x1)
syz_open_dev$sg(&(0x7f00000002c0), 0x2, 0x2)
syz_open_dev$sg(&(0x7f0000000300), 0x2, 0x800)
syz_open_dev$sg(&(0x7f0000000340), 0x3, 0x0)
syz_open_dev$sg(&(0x7f0000000380), 0x3, 0x1)
syz_open_dev$sg(&(0x7f00000003c0), 0x3, 0x2)
syz_open_dev$sg(&(0x7f0000000400), 0x3, 0x800)
syz_open_dev$sg(&(0x7f0000000440), 0x4, 0x0)
syz_open_dev$sg(&(0x7f0000000480), 0x4, 0x1)
syz_open_dev$sg(&(0x7f00000004c0), 0x4, 0x2)
syz_open_dev$sg(&(0x7f0000000500), 0x4, 0x800)

409.658772ms ago: executing program 1 (id=212):
sigaltstack(&(0x7f0000000000), 0x0)

315.068068ms ago: executing program 1 (id=213):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/video2', 0x2, 0x0)

170.068008ms ago: executing program 1 (id=215):
getrlimit(0x0, &(0x7f0000000000))

89.692024ms ago: executing program 1 (id=216):
truncate(&(0x7f0000000000), 0x0)

0s ago: executing program 1 (id=217):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/fb1', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/fb1', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/fb1', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/fb1', 0x800, 0x0)

kernel console output (not intermixed with test programs):

Warning: Permanently added '[localhost]:6045' (ED25519) to the list of known hosts.
syzkaller login: [   69.748273][ T3294] cgroup: Unknown subsys name 'net'
[   70.064412][ T3294] cgroup: Unknown subsys name 'cpuset'
[   70.083391][ T3294] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   70.733244][ T3294] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   81.136147][ T3381] mmap: syz.1.68 (3381) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst.
[   82.157420][ T3405] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[   85.606054][ T3499] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[   87.233996][ T3303] ==================================================================
[   87.239624][ T3303] BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0xe8/0x114
[   87.240616][ T3303] Write at addr f5f0000009e86e48 by task syz-executor/3303
[   87.240940][ T3303] Pointer tag: [f5], memory tag: [fe]
[   87.241101][ T3303] 
[   87.241828][ T3303] CPU: 0 UID: 0 PID: 3303 Comm: syz-executor Not tainted 6.15.0-rc7-syzkaller-00142-g4856ebd99715 #0 PREEMPT 
[   87.242186][ T3303] Hardware name: linux,dummy-virt (DT)
[   87.242416][ T3303] Call trace:
[   87.242611][ T3303]  show_stack+0x18/0x24 (C)
[   87.242904][ T3303]  dump_stack_lvl+0x78/0x90
[   87.243070][ T3303]  print_report+0x108/0x630
[   87.243193][ T3303]  kasan_report+0x88/0xac
[   87.243315][ T3303]  __do_kernel_fault+0x170/0x1c8
[   87.243445][ T3303]  do_tag_check_fault+0x78/0x8c
[   87.243567][ T3303]  do_mem_abort+0x44/0x94
[   87.243691][ T3303]  el1_abort+0x40/0x60
[   87.243815][ T3303]  el1h_64_sync_handler+0xa4/0x120
[   87.243936][ T3303]  el1h_64_sync+0x6c/0x70
[   87.244122][ T3303]  binderfs_evict_inode+0xe8/0x114 (P)
[   87.244248][ T3303]  evict+0xec/0x240
[   87.244367][ T3303]  iput+0xfc/0x1b8
[   87.244503][ T3303]  dentry_unlink_inode+0xc0/0x188
[   87.244629][ T3303]  __dentry_kill+0x7c/0x1d4
[   87.244747][ T3303]  shrink_dentry_list+0x74/0xe4
[   87.244865][ T3303]  shrink_dcache_parent+0xcc/0x14c
[   87.244984][ T3303]  shrink_dcache_for_umount+0x3c/0x1c8
[   87.245103][ T3303]  generic_shutdown_super+0x24/0x100
[   87.245224][ T3303]  kill_anon_super+0x20/0x90
[   87.245343][ T3303]  kill_litter_super+0x28/0x38
[   87.245463][ T3303]  binderfs_kill_super+0x18/0x40
[   87.245585][ T3303]  deactivate_locked_super+0x50/0x12c
[   87.245705][ T3303]  deactivate_super+0x84/0x9c
[   87.245825][ T3303]  cleanup_mnt+0xf4/0x184
[   87.245948][ T3303]  __cleanup_mnt+0x14/0x20
[   87.246067][ T3303]  task_work_run+0x78/0xd4
[   87.246190][ T3303]  do_exit+0x2c8/0x944
[   87.246321][ T3303]  do_group_exit+0x34/0x90
[   87.246445][ T3303]  copy_siginfo_to_user+0x0/0xec
[   87.246567][ T3303]  do_signal+0xf0/0x360
[   87.246686][ T3303]  do_notify_resume+0xd8/0x164
[   87.246807][ T3303]  el0_svc+0xc0/0xe0
[   87.246936][ T3303]  el0t_64_sync_handler+0x10c/0x138
[   87.247059][ T3303]  el0t_64_sync+0x1a4/0x1a8
[   87.247308][ T3303] 
[   87.249378][ T3303] Freed by task 3302:
[   87.249648][ T3303]  kasan_save_stack+0x3c/0x64
[   87.249902][ T3303]  save_stack_info+0x40/0x158
[   87.250068][ T3303]  kasan_save_free_info+0x18/0x24
[   87.250235][ T3303]  __kasan_slab_free+0x74/0x8c
[   87.250406][ T3303]  kfree+0xfc/0x30c
[   87.250573][ T3303]  binderfs_evict_inode+0x100/0x114
[   87.250742][ T3303]  evict+0xec/0x240
[   87.250905][ T3303]  iput+0xfc/0x1b8
[   87.251068][ T3303]  dentry_unlink_inode+0xc0/0x188
[   87.251231][ T3303]  __dentry_kill+0x7c/0x1d4
[   87.251431][ T3303]  shrink_dentry_list+0x74/0xe4
[   87.251616][ T3303]  shrink_dcache_parent+0xcc/0x14c
[   87.251785][ T3303]  shrink_dcache_for_umount+0x3c/0x1c8
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[   87.251954][ T3303]  generic_shutdown_super+0x24/0x100
[   87.252121][ T3303]  kill_anon_super+0x20/0x90
[   87.252289][ T3303]  kill_litter_super+0x28/0x38
[   87.252461][ T3303]  binderfs_kill_super+0x18/0x40
[   87.252649][ T3303]  deactivate_locked_super+0x50/0x12c
[   87.252815][ T3303]  deactivate_super+0x84/0x9c
[   87.252979][ T3303]  cleanup_mnt+0xf4/0x184
[   87.253145][ T3303]  __cleanup_mnt+0x14/0x20
[   87.253312][ T3303]  task_work_run+0x78/0xd4
[   87.253485][ T3303]  do_exit+0x2c8/0x944
[   87.253651][ T3303]  do_group_exit+0x34/0x90
[   87.253822][ T3303]  copy_siginfo_to_user+0x0/0xec
[   87.253988][ T3303]  do_signal+0xf0/0x360
[   87.254158][ T3303]  do_notify_resume+0xd8/0x164
[   87.254326][ T3303]  el0_svc+0xc0/0xe0
[   87.254499][ T3303]  el0t_64_sync_handler+0x10c/0x138
[   87.254665][ T3303]  el0t_64_sync+0x1a4/0x1a8
[   87.254863][ T3303] 
[   87.255007][ T3303] The buggy address belongs to the object at fff0000009e86e40
[   87.255007][ T3303]  which belongs to the cache kmalloc-192 of size 192
[   87.255215][ T3303] The buggy address is located 8 bytes inside of
[   87.255215][ T3303]  192-byte region [fff0000009e86e40, fff0000009e86f00)
[   87.255405][ T3303] 
[   87.255653][ T3303] The buggy address belongs to the physical page:
[   87.255894][ T3303] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xfaf0000009e86000 pfn:0x49e86
[   87.256283][ T3303] anon flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff|kasantag=0x0)
[   87.256773][ T3303] page_type: f5(slab)
[   87.257221][ T3303] raw: 01ffc00000000000 f5f0000003001300 0000000000000000 0000000000000001
[   87.257422][ T3303] raw: faf0000009e86000 000000000015000c 00000000f5000000 0000000000000000
[   87.257628][ T3303] page dumped because: kasan: bad access detected
[   87.257775][ T3303] 
[   87.257907][ T3303] Memory state around the buggy address:
[   87.258189][ T3303]  fff0000009e86c00: f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 f0 fe fe fe fe
[   87.258414][ T3303]  fff0000009e86d00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[   87.258628][ T3303] >fff0000009e86e00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[   87.258803][ T3303]                                ^
[   87.259004][ T3303]  fff0000009e86f00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[   87.259157][ T3303]  fff0000009e87000: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
[   87.259335][ T3303] ==================================================================
[   87.260765][ T3303] Disabling lock debugging due to kernel taint

VM DIAGNOSIS:
23:02:21  Registers:
info registers vcpu 0

CPU#0
 PC=ffff800081b14ebc X00=ffff800081b14eb8 X01=f7f00000032b36c0
X02=0000000000000000 X03=0000000000000004 X04=0000000000000001
X05=ffff8000828d4480 X06=0000000000155cc0 X07=fbf00000030db800
X08=0000000e59bd5c8e X09=fffffffffff0b515 X10=0000000000155cc0
X11=fff000007f8d4b00 X12=0000000000000000 X13=0000000000000001
X14=000000000000016e X15=ffff800081b610e0 X16=ffff800080000000
X17=fff07ffffd022000 X18=00000000ffffffff X19=0000000000000000
X20=ffff8000829e2e08 X21=ffff8000829e2e00 X22=0000000000000000
X23=0000000000000004 X24=ffff8000829e2e08 X25=0000000000000028
X26=ffff8000828ff530 X27=ffff8000828a84c0 X28=0000000000000000
X29=ffff8000800034a0 X30=ffff80008017b624  SP=ffff8000800034a0
PSTATE=604020c9 -ZC- EL2h  SVCR=00000000 --  BTYPE=0     FPCR=00000000 FPSR=00000000
P00=0000000000000000 P01=0000000000000000 P02=0000000000000000
P03=0000000000000000 P04=0000000000000000 P05=0000000000000000
P06=0000000000000000 P07=0000000000000000 P08=0000000000000000
P09=0000000000000000 P10=0000000000000000 P11=0000000000000000
P12=0000000000000000 P13=0000000000000000 P14=0000000000000000
P15=0000000000000000 FFR=0000000000000000
Z00=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffff9b5f2a90:0000ff006b736964
Z01=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffff000000000000:ffff00ff00000000
Z02=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ff000000ff0f0000
Z03=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffffffffff00ff
Z04=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:00000000ffffff0f
Z05=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:00000000cccccc00
Z06=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000073:0000aaaaf0589cb0
Z07=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000074:0000aaaaf0586f90
Z08=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z09=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z10=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z11=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z12=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z13=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z14=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z15=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z16=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000ffffdd7d2370:0000ffffdd7d2370
Z17=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:ffffff80ffffffd8:0000ffffdd7d2340
Z18=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z19=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z20=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z21=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z22=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z23=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z24=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z25=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z26=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z27=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z28=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z29=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z30=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
Z31=0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000:0000000000000000
info registers vcpu 1

CPU#1
 PC=0000ffffbb76e328 X00=0000000000000000 X01=0000aaaadccde950
X02=00000000000000ff X03=0000000000000000 X04=0000000000000000
X05=0000000000000000 X06=0000000000000000 X07=0000000000000001
X08=000000000000003f X09=0000000000000000 X10=000000000000000a
X11=00000000ffffffd0 X12=2ce33e6c02ce33e7 X13=8f5c28f5c28f5c29
X14=0000000000000000 X15=028f5c28f5c28f5c X16=0000ffffbb951be8
X17=0000ffffbb7c7340 X18=000000000000000a X19=0000ffffbb637128
X20=0000aaaadccde910 X21=0000aaaadccde950 X22=0000000000000000
X23=0000ffffbb952000 X24=0000ffffbb952000 X25=0000aaaadccde956
X26=0000ffffbb9528d4 X27=0000aaaaca508d70 X28=0000000000000000
X29=0000ffffd8118db0 X30=0000ffffbb76e34c  SP=0000ffffd8118db0
PSTATE=80001000 N--- EL0t  SVCR=00000000 --  BTYPE=0     FPCR=00000000 FPSR=00000000
Q00=2525252525252525:2525252525252525 Q01=65642f000a732520:7325207334362e25
Q02=316c6520205d3330:333354205b5d3139 Q03=000000ff0000ff00:00ff0000000000ff
Q04=0000000000000000:000f00f00f00000f Q05=2820747269762d79:6d6d75642c78756e
Q06=752d62616c73203a:4e4153414b203a47 Q07=6e6920656572662d:72657466612d6573
Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000
Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000
Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000
Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000
Q16=0000ffffd8118ce0:0000ffffd8118ce0 Q17=ffffff80ffffffd0:0000ffffd8118cb0
Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000
Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000
Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000
Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000
Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000
Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000
Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000