last executing test programs:
432.174479ms ago: executing program 0 (id=45):
prlimit64(0x0, 0x0, 0x0, 0x0)
358.970247ms ago: executing program 0 (id=49):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/devices/platform/vhci_hcd.0/attach', 0x1, 0x0)
358.42823ms ago: executing program 0 (id=52):
sched_yield()
303.987025ms ago: executing program 0 (id=59):
fgetxattr(0xffffffffffffffff, &(0x7f0000000000), &(0x7f0000000000), 0x0)
303.595667ms ago: executing program 3 (id=62):
socket$hf(0x13, 0x2, 0x0)
295.651097ms ago: executing program 0 (id=63):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/hpet', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/hpet', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/hpet', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/hpet', 0x800, 0x0)
236.343814ms ago: executing program 0 (id=67):
syz_open_dev$audion(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$audion(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$audion(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$audion(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$audion(&(0x7f0000000140), 0x1, 0x0)
syz_open_dev$audion(&(0x7f0000000180), 0x1, 0x1)
syz_open_dev$audion(&(0x7f00000001c0), 0x1, 0x2)
syz_open_dev$audion(&(0x7f0000000200), 0x1, 0x800)
syz_open_dev$audion(&(0x7f0000000240), 0x2, 0x0)
syz_open_dev$audion(&(0x7f0000000280), 0x2, 0x1)
syz_open_dev$audion(&(0x7f00000002c0), 0x2, 0x2)
syz_open_dev$audion(&(0x7f0000000300), 0x2, 0x800)
syz_open_dev$audion(&(0x7f0000000340), 0x3, 0x0)
syz_open_dev$audion(&(0x7f0000000380), 0x3, 0x1)
syz_open_dev$audion(&(0x7f00000003c0), 0x3, 0x2)
syz_open_dev$audion(&(0x7f0000000400), 0x3, 0x800)
syz_open_dev$audion(&(0x7f0000000440), 0x4, 0x0)
syz_open_dev$audion(&(0x7f0000000480), 0x4, 0x1)
syz_open_dev$audion(&(0x7f00000004c0), 0x4, 0x2)
syz_open_dev$audion(&(0x7f0000000500), 0x4, 0x800)
235.804626ms ago: executing program 4 (id=70):
syz_open_dev$hiddev(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$hiddev(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$hiddev(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$hiddev(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$hiddev(&(0x7f0000000140), 0x1, 0x0)
syz_open_dev$hiddev(&(0x7f0000000180), 0x1, 0x1)
syz_open_dev$hiddev(&(0x7f00000001c0), 0x1, 0x2)
syz_open_dev$hiddev(&(0x7f0000000200), 0x1, 0x800)
syz_open_dev$hiddev(&(0x7f0000000240), 0x2, 0x0)
syz_open_dev$hiddev(&(0x7f0000000280), 0x2, 0x1)
syz_open_dev$hiddev(&(0x7f00000002c0), 0x2, 0x2)
syz_open_dev$hiddev(&(0x7f0000000300), 0x2, 0x800)
syz_open_dev$hiddev(&(0x7f0000000340), 0x3, 0x0)
syz_open_dev$hiddev(&(0x7f0000000380), 0x3, 0x1)
syz_open_dev$hiddev(&(0x7f00000003c0), 0x3, 0x2)
syz_open_dev$hiddev(&(0x7f0000000400), 0x3, 0x800)
syz_open_dev$hiddev(&(0x7f0000000440), 0x4, 0x0)
syz_open_dev$hiddev(&(0x7f0000000480), 0x4, 0x1)
syz_open_dev$hiddev(&(0x7f00000004c0), 0x4, 0x2)
syz_open_dev$hiddev(&(0x7f0000000500), 0x4, 0x800)
172.116552ms ago: executing program 4 (id=74):
munlockall()
171.786089ms ago: executing program 3 (id=77):
syz_open_dev$sndctrl(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$sndctrl(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$sndctrl(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$sndctrl(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$sndctrl(&(0x7f0000000140), 0x1, 0x0)
syz_open_dev$sndctrl(&(0x7f0000000180), 0x1, 0x1)
syz_open_dev$sndctrl(&(0x7f00000001c0), 0x1, 0x2)
syz_open_dev$sndctrl(&(0x7f0000000200), 0x1, 0x800)
syz_open_dev$sndctrl(&(0x7f0000000240), 0x2, 0x0)
syz_open_dev$sndctrl(&(0x7f0000000280), 0x2, 0x1)
syz_open_dev$sndctrl(&(0x7f00000002c0), 0x2, 0x2)
syz_open_dev$sndctrl(&(0x7f0000000300), 0x2, 0x800)
syz_open_dev$sndctrl(&(0x7f0000000340), 0x3, 0x0)
syz_open_dev$sndctrl(&(0x7f0000000380), 0x3, 0x1)
syz_open_dev$sndctrl(&(0x7f00000003c0), 0x3, 0x2)
syz_open_dev$sndctrl(&(0x7f0000000400), 0x3, 0x800)
syz_open_dev$sndctrl(&(0x7f0000000440), 0x4, 0x0)
syz_open_dev$sndctrl(&(0x7f0000000480), 0x4, 0x1)
syz_open_dev$sndctrl(&(0x7f00000004c0), 0x4, 0x2)
syz_open_dev$sndctrl(&(0x7f0000000500), 0x4, 0x800)
171.718698ms ago: executing program 2 (id=78):
preadv2(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0, 0x0, 0x0)
171.561302ms ago: executing program 1 (id=79):
syz_open_dev$sndhw(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$sndhw(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$sndhw(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$sndhw(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$sndhw(&(0x7f0000000140), 0xa, 0x0)
syz_open_dev$sndhw(&(0x7f0000000180), 0xa, 0x1)
syz_open_dev$sndhw(&(0x7f00000001c0), 0xa, 0x2)
syz_open_dev$sndhw(&(0x7f0000000200), 0xa, 0x800)
syz_open_dev$sndhw(&(0x7f0000000240), 0x14, 0x0)
syz_open_dev$sndhw(&(0x7f0000000280), 0x14, 0x1)
syz_open_dev$sndhw(&(0x7f00000002c0), 0x14, 0x2)
syz_open_dev$sndhw(&(0x7f0000000300), 0x14, 0x800)
syz_open_dev$sndhw(&(0x7f0000000340), 0x1e, 0x0)
syz_open_dev$sndhw(&(0x7f0000000380), 0x1e, 0x1)
syz_open_dev$sndhw(&(0x7f00000003c0), 0x1e, 0x2)
syz_open_dev$sndhw(&(0x7f0000000400), 0x1e, 0x800)
syz_open_dev$sndhw(&(0x7f0000000440), 0x28, 0x0)
syz_open_dev$sndhw(&(0x7f0000000480), 0x28, 0x1)
syz_open_dev$sndhw(&(0x7f00000004c0), 0x28, 0x2)
syz_open_dev$sndhw(&(0x7f0000000500), 0x28, 0x800)
129.319893ms ago: executing program 4 (id=80):
syz_open_dev$vbi(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$vbi(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$vbi(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$vbi(&(0x7f0000000100), 0x0, 0x800)
129.102129ms ago: executing program 2 (id=81):
geteuid()
128.917232ms ago: executing program 1 (id=82):
open_by_handle_at(0xffffffffffffffff, &(0x7f0000000000), 0x0)
128.72046ms ago: executing program 3 (id=83):
pipe(&(0x7f0000000000))
128.643347ms ago: executing program 2 (id=84):
syz_init_net_socket$nfc_llcp(0x27, 0x1, 0x1)
80.641021ms ago: executing program 1 (id=85):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/kernel/debug/damon/init_regions', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/sys/kernel/debug/damon/init_regions', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/kernel/debug/damon/init_regions', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/sys/kernel/debug/damon/init_regions', 0x800, 0x0)
80.479536ms ago: executing program 2 (id=86):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/selinux/enforce', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/selinux/enforce', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/selinux/enforce', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/selinux/enforce', 0x800, 0x0)
80.357144ms ago: executing program 4 (id=87):
pread64(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0)
80.266114ms ago: executing program 3 (id=88):
syz_open_dev$loop(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$loop(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$loop(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$loop(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$loop(&(0x7f0000000140), 0x1, 0x0)
syz_open_dev$loop(&(0x7f0000000180), 0x1, 0x1)
syz_open_dev$loop(&(0x7f00000001c0), 0x1, 0x2)
syz_open_dev$loop(&(0x7f0000000200), 0x1, 0x800)
syz_open_dev$loop(&(0x7f0000000240), 0x2, 0x0)
syz_open_dev$loop(&(0x7f0000000280), 0x2, 0x1)
syz_open_dev$loop(&(0x7f00000002c0), 0x2, 0x2)
syz_open_dev$loop(&(0x7f0000000300), 0x2, 0x800)
syz_open_dev$loop(&(0x7f0000000340), 0x3, 0x0)
syz_open_dev$loop(&(0x7f0000000380), 0x3, 0x1)
syz_open_dev$loop(&(0x7f00000003c0), 0x3, 0x2)
syz_open_dev$loop(&(0x7f0000000400), 0x3, 0x800)
syz_open_dev$loop(&(0x7f0000000440), 0x4, 0x0)
syz_open_dev$loop(&(0x7f0000000480), 0x4, 0x1)
syz_open_dev$loop(&(0x7f00000004c0), 0x4, 0x2)
syz_open_dev$loop(&(0x7f0000000500), 0x4, 0x800)
80.214327ms ago: executing program 4 (id=89):
symlink(&(0x7f0000000000), &(0x7f0000000000))
80.144335ms ago: executing program 1 (id=90):
sched_setaffinity(0x0, 0x0, &(0x7f0000000000))
64.520566ms ago: executing program 2 (id=91):
io_uring_enter(0xffffffffffffffff, 0x0, 0x0, 0x0, &(0x7f0000000000), 0x0)
55.832075ms ago: executing program 1 (id=92):
wait4(0x0, 0x0, 0x0, 0x0)
55.714388ms ago: executing program 4 (id=93):
fstatfs(0xffffffffffffffff, &(0x7f0000000000))
54.952267ms ago: executing program 3 (id=94):
userfaultfd(0x0)
78.539µs ago: executing program 2 (id=95):
syslog(0x0, 0x0, 0x0)
30.816µs ago: executing program 1 (id=96):
select(0x0, &(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000))
0s ago: executing program 3 (id=98):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/selinux/validatetrans', 0x1, 0x0)
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.0.29' (ED25519) to the list of known hosts.
[ 64.417031][ T30] audit: type=1400 audit(1748337744.130:65): avc: denied { mounton } for pid=5796 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2022 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 64.421773][ T5796] cgroup: Unknown subsys name 'net'
[ 64.439830][ T30] audit: type=1400 audit(1748337744.130:66): avc: denied { mount } for pid=5796 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 64.470180][ T30] audit: type=1400 audit(1748337744.190:67): avc: denied { unmount } for pid=5796 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 64.615861][ T5796] cgroup: Unknown subsys name 'cpuset'
[ 64.624228][ T5796] cgroup: Unknown subsys name 'rlimit'
[ 64.754352][ T30] audit: type=1400 audit(1748337744.470:68): avc: denied { setattr } for pid=5796 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=820 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 64.787331][ T30] audit: type=1400 audit(1748337744.470:69): avc: denied { create } for pid=5796 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 64.810320][ T30] audit: type=1400 audit(1748337744.470:70): avc: denied { write } for pid=5796 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 64.835976][ T30] audit: type=1400 audit(1748337744.470:71): avc: denied { read } for pid=5796 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 64.856818][ T30] audit: type=1400 audit(1748337744.480:72): avc: denied { mounton } for pid=5796 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 64.874752][ T5798] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
Setting up swapspace version 1, size = 127995904 bytes
[ 64.881830][ T30] audit: type=1400 audit(1748337744.480:73): avc: denied { mount } for pid=5796 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 64.913563][ T30] audit: type=1400 audit(1748337744.520:74): avc: denied { read } for pid=5477 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t tcontext=system_u:system_r:dhcpc_t tclass=netlink_kobject_uevent_socket permissive=1
[ 65.850189][ T5796] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 67.863399][ T5825] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 68.617334][ T5808] ==================================================================
[ 68.625430][ T5808] BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x335/0x340
[ 68.633601][ T5808] Write of size 8 at addr ffff8881417f2408 by task syz-executor/5808
[ 68.641670][ T5808]
[ 68.644009][ T5808] CPU: 0 UID: 0 PID: 5808 Comm: syz-executor Not tainted 6.15.0-syzkaller-01972-g914873bc7df9 #0 PREEMPT(full)
[ 68.644035][ T5808] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 68.644050][ T5808] Call Trace:
[ 68.644056][ T5808] <TASK>
[ 68.644064][ T5808] dump_stack_lvl+0x116/0x1f0
[ 68.644094][ T5808] print_report+0xcd/0x680
[ 68.644113][ T5808] ? __virt_addr_valid+0x81/0x610
[ 68.644132][ T5808] ? __phys_addr+0xe8/0x180
[ 68.644150][ T5808] ? binderfs_evict_inode+0x335/0x340
[ 68.644176][ T5808] kasan_report+0xe0/0x110
[ 68.644194][ T5808] ? binderfs_evict_inode+0x335/0x340
[ 68.644222][ T5808] ? __pfx_binderfs_evict_inode+0x10/0x10
[ 68.644248][ T5808] binderfs_evict_inode+0x335/0x340
[ 68.644275][ T5808] evict+0x3e6/0x920
[ 68.644295][ T5808] ? __pfx_evict+0x10/0x10
[ 68.644317][ T5808] ? iput+0x519/0x880
[ 68.644340][ T5808] iput+0x521/0x880
[ 68.644361][ T5808] dentry_unlink_inode+0x29c/0x480
[ 68.644382][ T5808] __dentry_kill+0x1d0/0x600
[ 68.644402][ T5808] ? shrink_dentry_list+0x11a/0x5d0
[ 68.644427][ T5808] shrink_dentry_list+0x140/0x5d0
[ 68.644450][ T5808] ? shrink_dcache_parent+0x22/0x530
[ 68.644473][ T5808] shrink_dcache_parent+0xe1/0x530
[ 68.644495][ T5808] ? __pfx_shrink_dcache_parent+0x10/0x10
[ 68.644524][ T5808] ? d_walk+0x44c/0xa60
[ 68.644548][ T5808] shrink_dcache_for_umount+0xa5/0x3e0
[ 68.644574][ T5808] generic_shutdown_super+0x6c/0x390
[ 68.644599][ T5808] kill_litter_super+0x70/0xa0
[ 68.644621][ T5808] binderfs_kill_super+0x3b/0xa0
[ 68.644645][ T5808] deactivate_locked_super+0xc1/0x1a0
[ 68.644669][ T5808] deactivate_super+0xde/0x100
[ 68.644693][ T5808] cleanup_mnt+0x225/0x450
[ 68.644720][ T5808] task_work_run+0x14d/0x240
[ 68.644747][ T5808] ? __pfx_task_work_run+0x10/0x10
[ 68.644773][ T5808] ? __put_net+0x61/0x70
[ 68.644794][ T5808] do_exit+0xae2/0x2c70
[ 68.644818][ T5808] ? __pfx_do_exit+0x10/0x10
[ 68.644839][ T5808] ? do_raw_spin_lock+0x12c/0x2b0
[ 68.644866][ T5808] ? find_held_lock+0x2b/0x80
[ 68.644886][ T5808] do_group_exit+0xd3/0x2a0
[ 68.644910][ T5808] get_signal+0x2673/0x26d0
[ 68.644934][ T5808] ? __pfx_get_signal+0x10/0x10
[ 68.644957][ T5808] arch_do_signal_or_restart+0x8f/0x7d0
[ 68.644987][ T5808] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 68.645018][ T5808] ? ksys_read+0x1ac/0x250
[ 68.645043][ T5808] ? __pfx_ksys_read+0x10/0x10
[ 68.645071][ T5808] syscall_exit_to_user_mode+0x13b/0x290
[ 68.645097][ T5808] do_syscall_64+0xda/0x260
[ 68.645122][ T5808] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 68.645142][ T5808] RIP: 0033:0x7f3c42b8d33d
[ 68.645156][ T5808] Code: Unable to access opcode bytes at 0x7f3c42b8d313.
[ 68.645165][ T5808] RSP: 002b:00007ffc6fae6b88 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 68.645183][ T5808] RAX: fffffffffffffe00 RBX: 0000000000000003 RCX: 00007f3c42b8d33d
[ 68.645196][ T5808] RDX: 0000000000000030 RSI: 00007ffc6fae6c20 RDI: 00000000000000f9
[ 68.645208][ T5808] RBP: 00007ffc6fae6bcc R08: 000000000000000a R09: 00007ffc6fae68d7
[ 68.645220][ T5808] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000016
[ 68.645231][ T5808] R13: 00000000000927c0 R14: 0000000000010b92 R15: 00007ffc6fae6c20
[ 68.645250][ T5808] </TASK>
[ 68.645256][ T5808]
[ 68.958507][ T5808] Allocated by task 5810:
[ 68.962832][ T5808] kasan_save_stack+0x33/0x60
[ 68.967519][ T5808] kasan_save_track+0x14/0x30
[ 68.972203][ T5808] __kasan_kmalloc+0xaa/0xb0
[ 68.976803][ T5808] binderfs_binder_device_create.isra.0+0x189/0xc30
[ 68.983401][ T5808] binderfs_fill_super+0x8d4/0x1360
[ 68.988605][ T5808] get_tree_nodev+0xdd/0x190
[ 68.993198][ T5808] vfs_get_tree+0x8e/0x340
[ 68.997605][ T5808] path_mount+0x14d4/0x1f70
[ 69.002100][ T5808] __x64_sys_mount+0x28d/0x310
[ 69.006853][ T5808] do_syscall_64+0xcd/0x260
[ 69.011357][ T5808] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.017233][ T5808]
[ 69.019538][ T5808] Freed by task 5810:
[ 69.023504][ T5808] kasan_save_stack+0x33/0x60
[ 69.028173][ T5808] kasan_save_track+0x14/0x30
[ 69.032861][ T5808] kasan_save_free_info+0x3b/0x60
[ 69.037874][ T5808] __kasan_slab_free+0x51/0x70
[ 69.042620][ T5808] kfree+0x2b4/0x4d0
[ 69.046504][ T5808] binderfs_evict_inode+0x29f/0x340
[ 69.051692][ T5808] evict+0x3e6/0x920
[ 69.055572][ T5808] iput+0x521/0x880
[ 69.059365][ T5808] dentry_unlink_inode+0x29c/0x480
[ 69.064474][ T5808] __dentry_kill+0x1d0/0x600
[ 69.069054][ T5808] shrink_dentry_list+0x140/0x5d0
[ 69.074068][ T5808] shrink_dcache_parent+0xe1/0x530
[ 69.079167][ T5808] shrink_dcache_for_umount+0xa5/0x3e0
[ 69.084613][ T5808] generic_shutdown_super+0x6c/0x390
[ 69.089894][ T5808] kill_litter_super+0x70/0xa0
[ 69.094674][ T5808] binderfs_kill_super+0x3b/0xa0
[ 69.099604][ T5808] deactivate_locked_super+0xc1/0x1a0
[ 69.104966][ T5808] deactivate_super+0xde/0x100
[ 69.109717][ T5808] cleanup_mnt+0x225/0x450
[ 69.114128][ T5808] task_work_run+0x14d/0x240
[ 69.118708][ T5808] do_exit+0xae2/0x2c70
[ 69.122852][ T5808] do_group_exit+0xd3/0x2a0
[ 69.127341][ T5808] get_signal+0x2673/0x26d0
[ 69.131829][ T5808] arch_do_signal_or_restart+0x8f/0x7d0
[ 69.137373][ T5808] syscall_exit_to_user_mode+0x13b/0x290
[ 69.143006][ T5808] do_syscall_64+0xda/0x260
[ 69.147536][ T5808] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.153415][ T5808]
[ 69.155720][ T5808] The buggy address belongs to the object at ffff8881417f2400
[ 69.155720][ T5808] which belongs to the cache kmalloc-512 of size 512
[ 69.169760][ T5808] The buggy address is located 8 bytes inside of
[ 69.169760][ T5808] freed 512-byte region [ffff8881417f2400, ffff8881417f2600)
[ 69.183363][ T5808]
[ 69.185677][ T5808] The buggy address belongs to the physical page:
[ 69.192075][ T5808] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1417f0
[ 69.200908][ T5808] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 69.209388][ T5808] flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
[ 69.217008][ T5808] page_type: f5(slab)
[ 69.220971][ T5808] raw: 057ff00000000040 ffff88801b441c80 dead000000000100 dead000000000122
[ 69.229550][ T5808] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 69.238120][ T5808] head: 057ff00000000040 ffff88801b441c80 dead000000000100 dead000000000122
[ 69.246773][ T5808] head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 69.255426][ T5808] head: 057ff00000000002 ffffea000505fc01 00000000ffffffff 00000000ffffffff
[ 69.264084][ T5808] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
[ 69.272731][ T5808] page dumped because: kasan: bad access detected
[ 69.279129][ T5808] page_owner tracks the page as allocated
[ 69.284824][ T5808] page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd2000(__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 7446305366, free_ts 0
[ 69.302865][ T5808] post_alloc_hook+0x1c0/0x230
[ 69.307622][ T5808] get_page_from_freelist+0x135c/0x3950
[ 69.313157][ T5808] __alloc_frozen_pages_noprof+0x261/0x23f0
[ 69.319040][ T5808] alloc_pages_mpol+0x1fb/0x550
[ 69.323873][ T5808] new_slab+0x23b/0x330
[ 69.328027][ T5808] ___slab_alloc+0xd9c/0x1940
[ 69.332691][ T5808] __slab_alloc.constprop.0+0x56/0xb0
[ 69.338052][ T5808] __kmalloc_cache_noprof+0xfb/0x3e0
[ 69.343327][ T5808] device_add+0xccc/0x1a70
[ 69.347728][ T5808] __add_disk+0x457/0xf00
[ 69.352049][ T5808] add_disk_fwnode+0x13f/0x5d0
[ 69.356802][ T5808] loop_add+0x90f/0xb70
[ 69.360942][ T5808] loop_init+0x164/0x270
[ 69.365170][ T5808] do_one_initcall+0x120/0x6e0
[ 69.369916][ T5808] kernel_init_freeable+0x5c2/0x900
[ 69.375101][ T5808] kernel_init+0x1c/0x2b0
[ 69.379414][ T5808] page_owner free stack trace missing
[ 69.384760][ T5808]
[ 69.387066][ T5808] Memory state around the buggy address:
[ 69.392682][ T5808] ffff8881417f2300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 69.400724][ T5808] ffff8881417f2380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 69.408768][ T5808] >ffff8881417f2400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[ 69.416807][ T5808] ^
[ 69.421114][ T5808] ffff8881417f2480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.429157][ T5808] ffff8881417f2500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.437205][ T5808] ==================================================================
[ 69.740723][ T30] kauditd_printk_skb: 61 callbacks suppressed
[ 69.740739][ T30] audit: type=1400 audit(1748337749.450:136): avc: denied { read } for pid=5164 comm="syslogd" name="log" dev="sda1" ino=2010 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:var_t tclass=lnk_file permissive=1
[ 69.869020][ T30] audit: type=1400 audit(1748337749.450:137): avc: denied { search } for pid=5164 comm="syslogd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[ 69.898334][ T30] audit: type=1400 audit(1748337749.450:138): avc: denied { write } for pid=5164 comm="syslogd" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1
[ 69.906534][ T5808] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 69.906552][ T5808] CPU: 0 UID: 0 PID: 5808 Comm: syz-executor Not tainted 6.15.0-syzkaller-01972-g914873bc7df9 #0 PREEMPT(full)
[ 69.906577][ T5808] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 69.906588][ T5808] Call Trace:
[ 69.906594][ T5808] <TASK>
[ 69.906602][ T5808] dump_stack_lvl+0x3d/0x1f0
[ 69.906631][ T5808] panic+0x71c/0x800
[ 69.906655][ T5808] ? __pfx_panic+0x10/0x10
[ 69.906677][ T5808] ? irqentry_exit+0x3b/0x90
[ 69.906700][ T5808] ? lockdep_hardirqs_on+0x7c/0x110
[ 69.906722][ T5808] ? preempt_schedule_thunk+0x16/0x30
[ 69.906744][ T5808] ? binderfs_evict_inode+0x335/0x340
[ 69.906770][ T5808] ? preempt_schedule_common+0x44/0xc0
[ 69.906793][ T5808] ? check_panic_on_warn+0x1f/0xb0
[ 69.906818][ T5808] ? binderfs_evict_inode+0x335/0x340
[ 69.906844][ T5808] check_panic_on_warn+0xab/0xb0
[ 69.906868][ T5808] end_report+0x107/0x170
[ 69.906886][ T5808] kasan_report+0xee/0x110
[ 69.906905][ T5808] ? binderfs_evict_inode+0x335/0x340
[ 69.906933][ T5808] ? __pfx_binderfs_evict_inode+0x10/0x10
[ 69.906959][ T5808] binderfs_evict_inode+0x335/0x340
[ 69.906985][ T5808] evict+0x3e6/0x920
[ 69.907006][ T5808] ? __pfx_evict+0x10/0x10
[ 69.907028][ T5808] ? iput+0x519/0x880
[ 69.907050][ T5808] iput+0x521/0x880
[ 69.907072][ T5808] dentry_unlink_inode+0x29c/0x480
[ 69.907093][ T5808] __dentry_kill+0x1d0/0x600
[ 69.907113][ T5808] ? shrink_dentry_list+0x11a/0x5d0
[ 69.907137][ T5808] shrink_dentry_list+0x140/0x5d0
[ 69.907161][ T5808] ? shrink_dcache_parent+0x22/0x530
[ 69.907184][ T5808] shrink_dcache_parent+0xe1/0x530
[ 69.907208][ T5808] ? __pfx_shrink_dcache_parent+0x10/0x10
[ 69.907251][ T5808] ? d_walk+0x44c/0xa60
[ 69.907274][ T5808] shrink_dcache_for_umount+0xa5/0x3e0
[ 69.907300][ T5808] generic_shutdown_super+0x6c/0x390
[ 69.907324][ T5808] kill_litter_super+0x70/0xa0
[ 69.907348][ T5808] binderfs_kill_super+0x3b/0xa0
[ 69.907372][ T5808] deactivate_locked_super+0xc1/0x1a0
[ 69.907398][ T5808] deactivate_super+0xde/0x100
[ 69.907423][ T5808] cleanup_mnt+0x225/0x450
[ 69.907449][ T5808] task_work_run+0x14d/0x240
[ 69.907481][ T5808] ? __pfx_task_work_run+0x10/0x10
[ 69.907507][ T5808] ? __put_net+0x61/0x70
[ 69.907528][ T5808] do_exit+0xae2/0x2c70
[ 69.907553][ T5808] ? __pfx_do_exit+0x10/0x10
[ 69.907575][ T5808] ? do_raw_spin_lock+0x12c/0x2b0
[ 69.907601][ T5808] ? find_held_lock+0x2b/0x80
[ 69.907621][ T5808] do_group_exit+0xd3/0x2a0
[ 69.907644][ T5808] get_signal+0x2673/0x26d0
[ 69.907668][ T5808] ? __pfx_get_signal+0x10/0x10
[ 69.907690][ T5808] arch_do_signal_or_restart+0x8f/0x7d0
[ 69.907720][ T5808] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 69.907751][ T5808] ? ksys_read+0x1ac/0x250
[ 69.907775][ T5808] ? __pfx_ksys_read+0x10/0x10
[ 69.907803][ T5808] syscall_exit_to_user_mode+0x13b/0x290
[ 69.907828][ T5808] do_syscall_64+0xda/0x260
[ 69.907853][ T5808] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.907872][ T5808] RIP: 0033:0x7f3c42b8d33d
[ 69.907886][ T5808] Code: Unable to access opcode bytes at 0x7f3c42b8d313.
[ 69.907895][ T5808] RSP: 002b:00007ffc6fae6b88 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 69.907913][ T5808] RAX: fffffffffffffe00 RBX: 0000000000000003 RCX: 00007f3c42b8d33d
[ 69.907926][ T5808] RDX: 0000000000000030 RSI: 00007ffc6fae6c20 RDI: 00000000000000f9
[ 69.907938][ T5808] RBP: 00007ffc6fae6bcc R08: 000000000000000a R09: 00007ffc6fae68d7
[ 69.907950][ T5808] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000016
[ 69.907961][ T5808] R13: 00000000000927c0 R14: 0000000000010b92 R15: 00007ffc6fae6c20
[ 69.907980][ T5808] </TASK>
[ 69.919983][ T5808] Kernel Offset: disabled