syzbot

==================================================================
BUG: KASAN: use-after-free in __list_del_entry_valid+0x2f/0x120 lib/list_debug.c:46
Read of size 8 at addr ffff88811ebaa308 by task kworker/1:1/39

CPU: 1 PID: 39 Comm: kworker/1:1 Not tainted 5.15.161-syzkaller-00463-g8e36931104ac #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: events binder_deferred_func

Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x151/0x1c0 lib/dump_stack.c:106
 print_address_description+0x87/0x3b0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:427 [inline]
 kasan_report+0x179/0x1c0 mm/kasan/report.c:444
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:309
 __list_del_entry_valid+0x2f/0x120 lib/list_debug.c:46
 __list_del_entry include/linux/list.h:132 [inline]
 list_del_init include/linux/list.h:204 [inline]
 binder_dequeue_work_head_ilocked drivers/android/binder.c:515 [inline]
 binder_release_work+0xcd/0x680 drivers/android/binder.c:5185
 binder_deferred_release drivers/android/binder.c:6341 [inline]
 binder_deferred_func+0x1847/0x1bc0 drivers/android/binder.c:6376
 process_one_work+0x6bb/0xc10 kernel/workqueue.c:2325
 worker_thread+0xad5/0x12a0 kernel/workqueue.c:2472
 kthread+0x421/0x510 kernel/kthread.c:337
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:300
 </TASK>

Allocated by task 335:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:433 [inline]
 ____kasan_kmalloc+0xdb/0x110 mm/kasan/common.c:512
 __kasan_kmalloc+0x9/0x10 mm/kasan/common.c:521
 kasan_kmalloc include/linux/kasan.h:227 [inline]
 kmem_cache_alloc_trace+0x115/0x210 mm/slub.c:3267
 kmalloc include/linux/slab.h:603 [inline]
 kzalloc include/linux/slab.h:733 [inline]
 binder_request_freeze_notification drivers/android/binder.c:3897 [inline]
 binder_thread_write+0x9f5/0x6ec0 drivers/android/binder.c:4537
 binder_ioctl_write_read+0x1ba/0xd00 drivers/android/binder.c:5472
 binder_ioctl+0x371/0x2640 drivers/android/binder.c:5789
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl+0x114/0x190 fs/ioctl.c:860
 __x64_sys_ioctl+0x7b/0x90 fs/ioctl.c:860
 x64_sys_call+0x98/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:17
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Freed by task 39:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:45
 kasan_set_free_info+0x23/0x40 mm/kasan/generic.c:370
 ____kasan_slab_free+0x126/0x160 mm/kasan/common.c:365
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:373
 kasan_slab_free include/linux/kasan.h:193 [inline]
 slab_free_hook mm/slub.c:1723 [inline]
 slab_free_freelist_hook+0xbd/0x190 mm/slub.c:1749
 slab_free mm/slub.c:3519 [inline]
 kfree+0xc8/0x220 mm/slub.c:4579
 binder_free_ref+0x128/0x260 drivers/android/binder.c:1467
 binder_deferred_release drivers/android/binder.c:6336 [inline]
 binder_deferred_func+0x171c/0x1bc0 drivers/android/binder.c:6376
 process_one_work+0x6bb/0xc10 kernel/workqueue.c:2325
 worker_thread+0xad5/0x12a0 kernel/workqueue.c:2472
 kthread+0x421/0x510 kernel/kthread.c:337
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:300

The buggy address belongs to the object at ffff88811ebaa300
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 8 bytes inside of
 64-byte region [ffff88811ebaa300, ffff88811ebaa340)
The buggy address belongs to the page:
page:ffffea00047aea80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11ebaa
flags: 0x4000000000000200(slab|zone=1)
raw: 4000000000000200 0000000000000000 dead000000000122 ffff888100042780
raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 334, ts 64755460672, free_ts 64755056436
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x1a3/0x1b0 mm/page_alloc.c:2605
 prep_new_page+0x1b/0x110 mm/page_alloc.c:2611
 get_page_from_freelist+0x3550/0x35d0 mm/page_alloc.c:4485
 __alloc_pages+0x27e/0x8f0 mm/page_alloc.c:5779
 allocate_slab mm/slub.c:1932 [inline]
 new_slab+0x9a/0x4e0 mm/slub.c:1995
 ___slab_alloc+0x39e/0x830 mm/slub.c:3028
 __slab_alloc+0x4a/0x90 mm/slub.c:3115
 slab_alloc_node mm/slub.c:3206 [inline]
 slab_alloc mm/slub.c:3248 [inline]
 kmem_cache_alloc_trace+0x142/0x210 mm/slub.c:3265
 kmalloc include/linux/slab.h:603 [inline]
 get_mountpoint+0x212/0x450 fs/namespace.c:751
 attach_recursive_mnt+0x16d/0x1560 fs/namespace.c:2170
 graft_tree fs/namespace.c:2293 [inline]
 do_add_mount fs/namespace.c:2908 [inline]
 do_new_mount_fc fs/namespace.c:2947 [inline]
 do_new_mount+0x7f2/0xb30 fs/namespace.c:3007
 path_mount+0x671/0x1070 fs/namespace.c:3335
 do_mount fs/namespace.c:3348 [inline]
 __do_sys_mount fs/namespace.c:3556 [inline]
 __se_sys_mount+0x2c4/0x3b0 fs/namespace.c:3533
 __x64_sys_mount+0xbf/0xd0 fs/namespace.c:3533
 x64_sys_call+0x49d/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:166
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:26 [inline]
 free_pages_prepare mm/page_alloc.c:1472 [inline]
 free_pcp_prepare mm/page_alloc.c:1544 [inline]
 free_unref_page_prepare+0x7c8/0x7d0 mm/page_alloc.c:3534
 free_unref_page+0xe8/0x750 mm/page_alloc.c:3616
 free_the_page mm/page_alloc.c:805 [inline]
 __free_pages+0x61/0xf0 mm/page_alloc.c:5855
 free_pages+0x7c/0x90 mm/page_alloc.c:5866
 selinux_genfs_get_sid+0x24d/0x2a0 security/selinux/hooks.c:1375
 inode_doinit_with_dentry+0x8d2/0x1070 security/selinux/hooks.c:1570
 sb_finish_set_opts+0x8b8/0xa90 security/selinux/hooks.c:589
 selinux_set_mnt_opts+0x1622/0x20d0 security/selinux/hooks.c:862
 security_sb_set_mnt_opts+0x74/0xe0 security/security.c:996
 vfs_get_tree+0x156/0x290 fs/super.c:1542
 do_new_mount+0x2ba/0xb30 fs/namespace.c:3005
 path_mount+0x671/0x1070 fs/namespace.c:3335
 do_mount fs/namespace.c:3348 [inline]
 __do_sys_mount fs/namespace.c:3556 [inline]
 __se_sys_mount+0x2c4/0x3b0 fs/namespace.c:3533
 __x64_sys_mount+0xbf/0xd0 fs/namespace.c:3533
 x64_sys_call+0x49d/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:166
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80

Memory state around the buggy address:
 ffff88811ebaa200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88811ebaa280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88811ebaa300: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                      ^
 ffff88811ebaa380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88811ebaa400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
general protection fault, probably for non-canonical address 0xfa33fc2160000004: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range [0xd1a0010b00000020-0xd1a0010b00000027]
CPU: 1 PID: 39 Comm: kworker/1:1 Tainted: G    B             5.15.161-syzkaller-00463-g8e36931104ac #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: events binder_deferred_func
RIP: 0010:__list_del_entry_valid+0x75/0x120 lib/list_debug.c:59
Code: 1e 48 85 db 74 68 4d 85 ff 74 74 48 ba 00 01 00 00 00 00 ad de 48 39 d3 74 76 48 83 c2 22 49 39 d7 74 7e 4c 89 f8 48 c1 e8 03 <42> 80 3c 20 00 74 08 4c 89 ff e8 3c b4 48 ff 49 8b 17 4c 39 f2 75
RSP: 0018:ffffc9000028fc00 EFLAGS: 00010a03
RAX: 1a34002160000004 RBX: ffff8881073dde00 RCX: ffffffff8269fff9
RDX: dead000000000122 RSI: 0000000000000282 RDI: ffff88811ebaa300
RBP: ffffc9000028fc20 R08: ffffffff814194db R09: 0000000000000003
R10: fffffbfff0e99e4c R11: dffffc0000000001 R12: dffffc0000000000
R13: ffff88811ebaa300 R14: ffff88811ebaa300 R15: d1a0010b00000027
FS:  0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f23265d00e0 CR3: 000000011ebba000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __list_del_entry include/linux/list.h:132 [inline]
 list_del_init include/linux/list.h:204 [inline]
 binder_dequeue_work_head_ilocked drivers/android/binder.c:515 [inline]
 binder_release_work+0xcd/0x680 drivers/android/binder.c:5185
 binder_deferred_release drivers/android/binder.c:6341 [inline]
 binder_deferred_func+0x1847/0x1bc0 drivers/android/binder.c:6376
 process_one_work+0x6bb/0xc10 kernel/workqueue.c:2325
 worker_thread+0xad5/0x12a0 kernel/workqueue.c:2472
 kthread+0x421/0x510 kernel/kthread.c:337
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:300
 </TASK>
Modules linked in:
---[ end trace 0e057a23bce586ed ]---
RIP: 0010:__list_del_entry_valid+0x75/0x120 lib/list_debug.c:59
Code: 1e 48 85 db 74 68 4d 85 ff 74 74 48 ba 00 01 00 00 00 00 ad de 48 39 d3 74 76 48 83 c2 22 49 39 d7 74 7e 4c 89 f8 48 c1 e8 03 <42> 80 3c 20 00 74 08 4c 89 ff e8 3c b4 48 ff 49 8b 17 4c 39 f2 75
RSP: 0018:ffffc9000028fc00 EFLAGS: 00010a03
RAX: 1a34002160000004 RBX: ffff8881073dde00 RCX: ffffffff8269fff9
RDX: dead000000000122 RSI: 0000000000000282 RDI: ffff88811ebaa300
RBP: ffffc9000028fc20 R08: ffffffff814194db R09: 0000000000000003
R10: fffffbfff0e99e4c R11: dffffc0000000001 R12: dffffc0000000000
R13: ffff88811ebaa300 R14: ffff88811ebaa300 R15: d1a0010b00000027
FS:  0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f23265d00e0 CR3: 0000000006a0f000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	48 85 db             	test   %rbx,%rbx
   3:	74 68                	je     0x6d
   5:	4d 85 ff             	test   %r15,%r15
   8:	74 74                	je     0x7e
   a:	48 ba 00 01 00 00 00 	movabs $0xdead000000000100,%rdx
  11:	00 ad de
  14:	48 39 d3             	cmp    %rdx,%rbx
  17:	74 76                	je     0x8f
  19:	48 83 c2 22          	add    $0x22,%rdx
  1d:	49 39 d7             	cmp    %rdx,%r15
  20:	74 7e                	je     0xa0
  22:	4c 89 f8             	mov    %r15,%rax
  25:	48 c1 e8 03          	shr    $0x3,%rax
* 29:	42 80 3c 20 00       	cmpb   $0x0,(%rax,%r12,1) <-- trapping instruction
  2e:	74 08                	je     0x38
  30:	4c 89 ff             	mov    %r15,%rdi
  33:	e8 3c b4 48 ff       	call   0xff48b474
  38:	49 8b 17             	mov    (%r15),%rdx
  3b:	4c 39 f2             	cmp    %r14,%rdx
  3e:	75                   	.byte 0x75