last executing test programs: 1.135086561s ago: executing program 0 (id=143): syz_init_net_socket$ax25(0x3, 0x2, 0x0) 868.515512ms ago: executing program 1 (id=145): openat(0xffffffffffffff9c, &(0x7f0000000040)='/proc/asound/card0/oss_mixer', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/proc/asound/card0/oss_mixer', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/proc/asound/card0/oss_mixer', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/proc/asound/card0/oss_mixer', 0x800, 0x0) 779.986839ms ago: executing program 0 (id=146): gettid() 690.815036ms ago: executing program 0 (id=147): pselect6(0x0, &(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000)) 592.638804ms ago: executing program 1 (id=148): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/uinput', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/uinput', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/uinput', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/uinput', 0x800, 0x0) 592.513694ms ago: executing program 0 (id=149): execve(&(0x7f0000000000), &(0x7f0000000000), &(0x7f0000000000)) 431.596586ms ago: executing program 1 (id=150): fstat(0xffffffffffffffff, &(0x7f0000000000)) 431.398686ms ago: executing program 0 (id=151): kexec_load(0x0, 0x0, &(0x7f0000000000), 0x0) 351.429762ms ago: executing program 1 (id=152): capset(&(0x7f0000000000), &(0x7f0000000000)) 256.26777ms ago: executing program 1 (id=153): socket$inet_sctp(0x2, 0x1, 0x84) 255.97136ms ago: executing program 0 (id=154): mbind(0x0, 0x0, 0x0, &(0x7f0000000000), 0x0, 0x0) 0s ago: executing program 1 (id=156): openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/btrfs-control', 0x0, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/btrfs-control', 0x1, 0x0) openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/btrfs-control', 0x2, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/btrfs-control', 0x800, 0x0) kernel console output (not intermixed with test programs): Warning: Permanently added '[localhost]:57002' (ED25519) to the list of known hosts. [ 132.070183][ T30] audit: type=1400 audit(131.890:48): avc: denied { name_bind } for pid=3302 comm="sshd-session" src=30003 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:tcs_port_t tclass=tcp_socket permissive=1 [ 132.345048][ T30] audit: type=1400 audit(132.160:49): avc: denied { execute } for pid=3303 comm="sh" name="syz-executor" dev="vda" ino=1867 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 132.350028][ T30] audit: type=1400 audit(132.170:50): avc: denied { execute_no_trans } for pid=3303 comm="sh" path="/syz-executor" dev="vda" ino=1867 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:etc_runtime_t tclass=file permissive=1 [ 136.106169][ T30] audit: type=1400 audit(135.920:51): avc: denied { mounton } for pid=3303 comm="syz-executor" path="/syzcgroup/unified" dev="vda" ino=1868 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1 [ 136.114572][ T30] audit: type=1400 audit(135.930:52): avc: denied { mount } for pid=3303 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 136.143454][ T3303] cgroup: Unknown subsys name 'net' [ 136.162367][ T30] audit: type=1400 audit(135.980:53): avc: denied { unmount } for pid=3303 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1 [ 136.505713][ T3303] cgroup: Unknown subsys name 'cpuset' [ 136.533432][ T3303] cgroup: Unknown subsys name 'rlimit' [ 136.842069][ T30] audit: type=1400 audit(136.660:54): avc: denied { setattr } for pid=3303 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=701 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1 [ 136.848094][ T30] audit: type=1400 audit(136.670:55): avc: denied { create } for pid=3303 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 136.850003][ T30] audit: type=1400 audit(136.670:56): avc: denied { write } for pid=3303 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1 [ 136.853487][ T30] audit: type=1400 audit(136.670:57): avc: denied { module_request } for pid=3303 comm="syz-executor" kmod="net-pf-16-proto-16-family-nl802154" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 [ 137.342181][ T3307] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped). [ 137.348675][ T30] kauditd_printk_skb: 3 callbacks suppressed [ 137.349779][ T30] audit: type=1400 audit(137.160:61): avc: denied { relabelto } for pid=3307 comm="mkswap" name="swap-file" dev="vda" ino=1871 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 137.351855][ T30] audit: type=1400 audit(137.170:62): avc: denied { write } for pid=3307 comm="mkswap" path="/swap-file" dev="vda" ino=1871 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" Setting up swapspace version 1, size = 127995904 bytes [ 137.412862][ T30] audit: type=1400 audit(137.230:63): avc: denied { read } for pid=3303 comm="syz-executor" name="swap-file" dev="vda" ino=1871 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 137.415650][ T30] audit: type=1400 audit(137.230:64): avc: denied { open } for pid=3303 comm="syz-executor" path="/swap-file" dev="vda" ino=1871 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t" [ 137.426604][ T3303] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 145.068963][ T30] audit: type=1400 audit(144.890:65): avc: denied { execmem } for pid=3308 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 145.113136][ T30] audit: type=1400 audit(144.930:66): avc: denied { read } for pid=3310 comm="syz-executor" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 145.117921][ T30] audit: type=1400 audit(144.940:67): avc: denied { open } for pid=3310 comm="syz-executor" path="net:[4026531840]" dev="nsfs" ino=4026531840 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1 [ 145.131282][ T30] audit: type=1400 audit(144.950:68): avc: denied { mounton } for pid=3310 comm="syz-executor" path="/" dev="vda" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1 [ 145.737979][ T30] audit: type=1400 audit(145.560:69): avc: denied { mount } for pid=3310 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1 [ 145.747321][ T30] audit: type=1400 audit(145.570:70): avc: denied { mounton } for pid=3310 comm="syz-executor" path="/syzkaller.T8xw3r/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1 [ 145.757070][ T30] audit: type=1400 audit(145.580:71): avc: denied { mount } for pid=3310 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1 [ 145.773874][ T30] audit: type=1400 audit(145.590:72): avc: denied { mounton } for pid=3310 comm="syz-executor" path="/syzkaller.T8xw3r/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1 [ 145.781745][ T30] audit: type=1400 audit(145.600:73): avc: denied { mounton } for pid=3310 comm="syz-executor" path="/syzkaller.T8xw3r/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=3090 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1 [ 145.797506][ T30] audit: type=1400 audit(145.620:74): avc: denied { unmount } for pid=3310 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:fs_t tclass=filesystem permissive=1 [ 150.262617][ T30] kauditd_printk_skb: 17 callbacks suppressed [ 150.273923][ T30] audit: type=1400 audit(150.080:92): avc: denied { create } for pid=3349 comm="syz.0.34" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=icmp_socket permissive=1 [ 151.165853][ T30] audit: type=1400 audit(150.970:93): avc: denied { read } for pid=3357 comm="syz.1.42" name="rtc0" dev="devtmpfs" ino=707 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:clock_device_t tclass=chr_file permissive=1 [ 151.166500][ T30] audit: type=1400 audit(150.980:94): avc: denied { open } for pid=3357 comm="syz.1.42" path="/dev/rtc0" dev="devtmpfs" ino=707 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:clock_device_t tclass=chr_file permissive=1 [ 151.167223][ T30] audit: type=1400 audit(150.980:95): avc: denied { write } for pid=3357 comm="syz.1.42" name="rtc0" dev="devtmpfs" ino=707 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:clock_device_t tclass=chr_file permissive=1 [ 151.590499][ T30] audit: type=1400 audit(151.410:96): avc: denied { create } for pid=3361 comm="syz.1.46" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=can_socket permissive=1 [ 151.966732][ T30] audit: type=1400 audit(151.760:97): avc: denied { create } for pid=3366 comm="syz.0.50" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rawip_socket permissive=1 [ 152.061631][ T30] audit: type=1400 audit(151.880:98): avc: denied { create } for pid=3367 comm="syz.1.52" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=llc_socket permissive=1 [ 152.413863][ T30] audit: type=1400 audit(152.230:99): avc: denied { read } for pid=3372 comm="syz.0.57" name="autofs" dev="devtmpfs" ino=91 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:autofs_device_t tclass=chr_file permissive=1 [ 152.429174][ T30] audit: type=1400 audit(152.250:100): avc: denied { open } for pid=3372 comm="syz.0.57" path="/dev/autofs" dev="devtmpfs" ino=91 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:autofs_device_t tclass=chr_file permissive=1 [ 152.433475][ T30] audit: type=1400 audit(152.250:101): avc: denied { write } for pid=3372 comm="syz.0.57" name="autofs" dev="devtmpfs" ino=91 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:autofs_device_t tclass=chr_file permissive=1 [ 155.573534][ T3411] mmap: syz.1.94 (3411) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst. [ 156.511994][ T30] kauditd_printk_skb: 3 callbacks suppressed [ 156.513205][ T30] audit: type=1400 audit(156.330:105): avc: denied { create } for pid=3424 comm="syz.1.106" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=tipc_socket permissive=1 [ 157.163295][ T30] audit: type=1400 audit(156.980:106): avc: denied { create } for pid=3433 comm="syz.0.115" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=bluetooth_socket permissive=1 [ 157.225948][ T30] audit: type=1400 audit(157.040:107): avc: denied { read } for pid=3434 comm="syz.1.116" name="vga_arbiter" dev="devtmpfs" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file permissive=1 [ 157.228230][ T30] audit: type=1400 audit(157.040:108): avc: denied { open } for pid=3434 comm="syz.1.116" path="/dev/vga_arbiter" dev="devtmpfs" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file permissive=1 [ 157.241646][ T30] audit: type=1400 audit(157.060:109): avc: denied { write } for pid=3434 comm="syz.1.116" name="vga_arbiter" dev="devtmpfs" ino=4 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:xserver_misc_device_t tclass=chr_file permissive=1 [ 157.528203][ T30] audit: type=1400 audit(157.340:110): avc: denied { read } for pid=3438 comm="syz.0.119" name="usbmon0" dev="devtmpfs" ino=695 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbmon_device_t tclass=chr_file permissive=1 [ 157.528782][ T30] audit: type=1400 audit(157.340:111): avc: denied { open } for pid=3438 comm="syz.0.119" path="/dev/usbmon0" dev="devtmpfs" ino=695 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbmon_device_t tclass=chr_file permissive=1 [ 157.554464][ T30] audit: type=1400 audit(157.350:112): avc: denied { write } for pid=3438 comm="syz.0.119" name="usbmon0" dev="devtmpfs" ino=695 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:usbmon_device_t tclass=chr_file permissive=1 [ 157.740609][ T30] audit: type=1400 audit(157.560:113): avc: denied { read } for pid=3440 comm="syz.1.120" name="fb0" dev="devtmpfs" ino=619 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:framebuf_device_t tclass=chr_file permissive=1 [ 157.743937][ T30] audit: type=1400 audit(157.560:114): avc: denied { open } for pid=3440 comm="syz.1.120" path="/dev/fb0" dev="devtmpfs" ino=619 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:framebuf_device_t tclass=chr_file permissive=1 [ 161.227454][ T3311] ================================================================== [ 161.228196][ T3311] BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x2ac/0x2b4 [ 161.229505][ T3311] Write of size 8 at addr ffff0000190ba008 by task syz-executor/3311 [ 161.229637][ T3311] [ 161.230429][ T3311] CPU: 1 UID: 0 PID: 3311 Comm: syz-executor Not tainted 6.15.0-rc7-syzkaller-00014-gd608703fcdd9 #0 PREEMPT [ 161.230641][ T3311] Hardware name: linux,dummy-virt (DT) [ 161.230940][ T3311] Call trace: [ 161.231112][ T3311] show_stack+0x18/0x24 (C) [ 161.231257][ T3311] dump_stack_lvl+0xa4/0xf4 [ 161.231337][ T3311] print_report+0xf4/0x60c [ 161.231431][ T3311] kasan_report+0xc8/0x108 [ 161.231479][ T3311] __asan_report_store8_noabort+0x20/0x2c [ 161.231520][ T3311] binderfs_evict_inode+0x2ac/0x2b4 [ 161.231568][ T3311] evict+0x2c0/0x67c [ 161.231609][ T3311] iput+0x3b0/0x6b4 [ 161.231645][ T3311] dentry_unlink_inode+0x208/0x46c [ 161.231687][ T3311] __dentry_kill+0x150/0x52c [ 161.231727][ T3311] shrink_dentry_list+0x114/0x3a4 [ 161.231768][ T3311] shrink_dcache_parent+0x158/0x354 [ 161.231809][ T3311] shrink_dcache_for_umount+0x88/0x304 [ 161.231850][ T3311] generic_shutdown_super+0x60/0x2e8 [ 161.231895][ T3311] kill_litter_super+0x68/0xa4 [ 161.231937][ T3311] binderfs_kill_super+0x38/0x88 [ 161.231978][ T3311] deactivate_locked_super+0x98/0x17c [ 161.232020][ T3311] deactivate_super+0xb0/0xd4 [ 161.232062][ T3311] cleanup_mnt+0x198/0x424 [ 161.232103][ T3311] __cleanup_mnt+0x14/0x20 [ 161.232144][ T3311] task_work_run+0x128/0x210 [ 161.232187][ T3311] do_exit+0x7ac/0x1f68 [ 161.232228][ T3311] do_group_exit+0xa4/0x208 [ 161.232267][ T3311] get_signal+0x1b00/0x1ba8 [ 161.232317][ T3311] do_signal+0x160/0x620 [ 161.232356][ T3311] do_notify_resume+0x18c/0x258 [ 161.232397][ T3311] el0_svc+0x100/0x180 [ 161.232436][ T3311] el0t_64_sync_handler+0x10c/0x138 [ 161.232474][ T3311] el0t_64_sync+0x198/0x19c [ 161.232664][ T3311] [ 161.233503][ T3311] Allocated by task 3310: [ 161.233749][ T3311] kasan_save_stack+0x3c/0x64 [ 161.233870][ T3311] kasan_save_track+0x20/0x3c [ 161.233961][ T3311] kasan_save_alloc_info+0x40/0x54 [ 161.234042][ T3311] __kasan_kmalloc+0xb8/0xbc [ 161.234124][ T3311] __kmalloc_cache_noprof+0x1b0/0x3cc [ 161.234208][ T3311] binderfs_binder_device_create.isra.0+0x140/0x9a0 [ 161.234301][ T3311] binderfs_fill_super+0x69c/0xed4 [ 161.234386][ T3311] get_tree_nodev+0xac/0x148 [ 161.234464][ T3311] binderfs_fs_context_get_tree+0x18/0x24 [ 161.234547][ T3311] vfs_get_tree+0x74/0x280 [ 161.234675][ T3311] path_mount+0xe54/0x1808 [ 161.234788][ T3311] __arm64_sys_mount+0x304/0x3dc [ 161.234874][ T3311] invoke_syscall+0x6c/0x258 [ 161.234957][ T3311] el0_svc_common.constprop.0+0xac/0x230 [ 161.235037][ T3311] do_el0_svc+0x40/0x58 [ 161.235115][ T3311] el0_svc+0x50/0x180 [ 161.235193][ T3311] el0t_64_sync_handler+0x10c/0x138 [ 161.235279][ T3311] el0t_64_sync+0x198/0x19c [ 161.235430][ T3311] [ 161.235526][ T3311] Freed by task 3310: [ 161.235617][ T3311] kasan_save_stack+0x3c/0x64 [ 161.235712][ T3311] kasan_save_track+0x20/0x3c [ 161.235797][ T3311] kasan_save_free_info+0x4c/0x74 [ 161.235877][ T3311] __kasan_slab_free+0x50/0x6c [ 161.235960][ T3311] kfree+0x1bc/0x444 [ 161.236038][ T3311] binderfs_evict_inode+0x238/0x2b4 [ 161.236122][ T3311] evict+0x2c0/0x67c [ 161.236199][ T3311] iput+0x3b0/0x6b4 [ 161.236283][ T3311] dentry_unlink_inode+0x208/0x46c [ 161.236367][ T3311] __dentry_kill+0x150/0x52c [ 161.236448][ T3311] shrink_dentry_list+0x114/0x3a4 [ 161.236530][ T3311] shrink_dcache_parent+0x158/0x354 [ 161.236613][ T3311] shrink_dcache_for_umount+0x88/0x304 [ 161.236696][ T3311] generic_shutdown_super+0x60/0x2e8 [ 161.236780][ T3311] kill_litter_super+0x68/0xa4 [ 161.236863][ T3311] binderfs_kill_super+0x38/0x88 [ 161.236945][ T3311] deactivate_locked_super+0x98/0x17c [ 161.237029][ T3311] deactivate_super+0xb0/0xd4 [ 161.237112][ T3311] cleanup_mnt+0x198/0x424 [ 161.237194][ T3311] __cleanup_mnt+0x14/0x20 [ 161.237283][ T3311] task_work_run+0x128/0x210 [ 161.237365][ T3311] do_exit+0x7ac/0x1f68 [ 161.237445][ T3311] do_group_exit+0xa4/0x208 [ 161.237525][ T3311] get_signal+0x1b00/0x1ba8 [ 161.237607][ T3311] do_signal+0x160/0x620 [ 161.237685][ T3311] do_notify_resume+0x18c/0x258 [ 161.237767][ T3311] el0_svc+0x100/0x180 [ 161.237845][ T3311] el0t_64_sync_handler+0x10c/0x138 [ 161.237927][ T3311] el0t_64_sync+0x198/0x19c [ 161.238021][ T3311] [ 161.238140][ T3311] The buggy address belongs to the object at ffff0000190ba000 [ 161.238140][ T3311] which belongs to the cache kmalloc-512 of size 512 [ 161.238293][ T3311] The buggy address is located 8 bytes inside of [ 161.238293][ T3311] freed 512-byte region [ffff0000190ba000, ffff0000190ba200) [ 161.238389][ T3311] [ 161.238521][ T3311] The buggy address belongs to the physical page: [ 161.238890][ T3311] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff0000190bbc00 pfn:0x590b8 [ 161.239465][ T3311] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 161.239627][ T3311] flags: 0x1ffc00000000240(workingset|head|node=0|zone=0|lastcpupid=0x7ff) [ 161.240074][ T3311] page_type: f5(slab) [ 161.240457][ T3311] raw: 01ffc00000000240 ffff00000dc01c80 fffffdffc05ea510 fffffdffc0513210 [ 161.240562][ T3311] raw: ffff0000190bbc00 0000000000100008 00000000f5000000 0000000000000000 [ 161.240710][ T3311] head: 01ffc00000000240 ffff00000dc01c80 fffffdffc05ea510 fffffdffc0513210 [ 161.240795][ T3311] head: ffff0000190bbc00 0000000000100008 00000000f5000000 0000000000000000 [ 161.240886][ T3311] head: 01ffc00000000002 fffffdffc0642e01 00000000ffffffff 00000000ffffffff [ 161.240967][ T3311] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 [ 161.241084][ T3311] page dumped because: kasan: bad access detected [ 161.241172][ T3311] [ 161.241247][ T3311] Memory state around the buggy address: [ 161.241584][ T3311] ffff0000190b9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 161.241704][ T3311] ffff0000190b9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 161.241803][ T3311] >ffff0000190ba000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 161.241901][ T3311] ^ [ 161.242037][ T3311] ffff0000190ba080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 161.242112][ T3311] ffff0000190ba100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 161.242248][ T3311] ================================================================== SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 161.345989][ T3311] Disabling lock debugging due to kernel taint VM DIAGNOSIS: 09:07:25 Registers: info registers vcpu 0 CPU#0 PC=ffff800081a96d20 X00=ffff80008d50d004 X01=0000000000000000 X02=1fffe00002a39d87 X03=1fffe00002a39d85 X04=1fffe00001d1b798 X05=0000000000000000 X06=ffff000012ec2a10 X07=0000000000000000 X08=0000000000000000 X09=ffff800089734000 X10=ffff000012ec28d0 X11=0000000000000002 X12=000000000000000d X13=0000000000000000 X14=1fffe0000326ec65 X15=1850a9a4504bbe37 X16=baab0000b28fffff X17=bf75ec9b1252b66f X18=ffff000018ed5140 X19=ffff0000151cec00 X20=0000000000000001 X21=1fffe00002a39d88 X22=0000000000000003 X23=ffff00001b3ae280 X24=1fffe00002eff000 X25=ffff00000e8dbcc4 X26=0000000000000040 X27=0000000000000000 X28=0000000000a51dbf X29=ffff8000800061a0 X30=ffff800081a7aaa8 SP=ffff8000800061a0 PSTATE=10000005 ---V EL1h FPCR=00000000 FPSR=00000000 Q00=2525252525252525:2525252525252525 Q01=65642f000a732520:7325207334362e25 Q02=745f6d6461737973:3a725f6d64617379 Q03=000000ff0000ff00:00ff0000000000ff Q04=0000000000000000:000f00f00f00000f Q05=79733d747865746e:6f637420745f6d64 Q06=2f2e206e6f207061:7773206b36393934 Q07=6f69725020202e65:6c69662d70617773 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000ffffd46071d0:0000ffffd46071d0 Q17=ffffff80ffffffd0:0000ffffd46071a0 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000 info registers vcpu 1 CPU#1 PC=ffff800081b6ae38 X00=0000000000000002 X01=0000000000000000 X02=0000000000000002 X03=dfff800000000000 X04=0000000000000018 X05=ffff80008d9479e0 X06=ffff700011b28f3c X07=0000000000000001 X08=0000000000000003 X09=dfff800000000000 X10=ffff700011b28f3c X11=1ffff00011b28f3c X12=ffff700011b28f3d X13=0000000000008000 X14=0000000000000000 X15=0000000000000000 X16=0000000000000000 X17=0000000000000000 X18=0000000000000000 X19=ffff00000f712080 X20=ffff80008d43b018 X21=ffff800087a92720 X22=000000000000006c X23=dfff800000000000 X24=ffff00000f72001b X25=0000000000000002 X26=0000000000000f01 X27=1fffe00001ee245a X28=ffff00000f7122d0 X29=ffff80008d947990 X30=ffff800081b6b0c4 SP=ffff80008d947990 PSTATE=800000c5 N--- EL1h FPCR=00000000 FPSR=00000000 Q00=0000000000000000:0000000000000000 Q01=000000000069256e:0075253a75256325 Q02=0000000000000000:ffffffffffffff00 Q03=ffffffffff00ff00:ff00ff0000ff00ff Q04=0000000000000000:fffff0f0f0f00f0f Q05=0000000000000000:30000000cccccccc Q06=63627c2a6476787c:2a64767c2a72737c Q07=7361647c2a737369:63637c2a65686361 Q08=0000000000000000:0000000000000000 Q09=0000000000000000:0000000000000000 Q10=0000000000000000:0000000000000000 Q11=0000000000000000:0000000000000000 Q12=0000000000000000:0000000000000000 Q13=0000000000000000:0000000000000000 Q14=0000000000000000:0000000000000000 Q15=0000000000000000:0000000000000000 Q16=0000fffff9574120:0000fffff9574120 Q17=ffffff80ffffffd0:0000fffff95740f0 Q18=0000000000000000:0000000000000000 Q19=0000000000000000:0000000000000000 Q20=0000000000000000:0000000000000000 Q21=0000000000000000:0000000000000000 Q22=0000000000000000:0000000000000000 Q23=0000000000000000:0000000000000000 Q24=0000000000000000:0000000000000000 Q25=0000000000000000:0000000000000000 Q26=0000000000000000:0000000000000000 Q27=0000000000000000:0000000000000000 Q28=0000000000000000:0000000000000000 Q29=0000000000000000:0000000000000000 Q30=0000000000000000:0000000000000000 Q31=0000000000000000:0000000000000000