program:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x40046207, 0x0) (async, rerun: 32)
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000100)='./binderfs/binder0\x00', 0x1802, 0x0) (rerun: 32)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000000)={0x8, 0x0, &(0x7f00000003c0)=[@increfs], 0x0, 0x0, 0x0})
r2 = dup3(r1, r0, 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000240)={0x10, 0x0, &(0x7f00000002c0)=[@request_death={0x400c6313}], 0x0, 0x0, 0x0})
syz_usb_connect(0x0, 0x2d, &(0x7f0000000180)=ANY=[@ANYBLOB="1201fb0019030320d812010079de01ec020109021b0001000003000904000001785ecc00090585020004"], 0x0)
syz_open_dev$char_usb(0xc, 0xb4, 0x0)
r3 = syz_open_dev$usbfs(&(0x7f0000000080), 0xf, 0x8041)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r3, 0x8108551b, &(0x7f0000000300)={0x0, 0x2, "4cf90fba85c830e42a3ca4b10f01bbcb15f3806c4853e7c44a6974759d9f643905a56baa4195fb396d9bfa306999f1586e5d1ca49add100a36b751a7d9fe0b182ebf2c8a0e66f72c1c08260030752f07cd4089473e52885a3c85bacf3ccfac5bb9435fe036dcfccd7254bbd8bce90e2284d29e1f17d6652270fd0abcb8729f16ff602b438bd122a9e09984e2799d0dbfef7533d1a930ea4f4b57605ace45f5815450693650ae000034aa0c5ca5e793516d156e5a5b34d6c17c40d753426a3d8e15e726d0f2622e873e0cbe63751bb62c68594d4cb0a21b92ad2e80f24a9b290a9eee6779022a0b7f5223e4e8c9f53f501ec8c439724078fdc076a51d50760566"})
[ 79.870947][ T5321] Bluetooth: hci0: command tx timeout
[ 79.876394][ T1307] ieee802154 phy0 wpan0: encryption failed: -22
[ 79.879033][ T1307] ieee802154 phy1 wpan1: encryption failed: -22
[ 79.985715][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 79.988126][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 79.996443][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.002618][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.011205][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.013459][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.016916][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.027959][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.031842][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.034206][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.036745][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.039018][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.042110][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.044376][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.046829][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.048991][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.052926][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.055303][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.057861][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.060772][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.063358][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.065713][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.068460][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.073974][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.076694][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.079044][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.082052][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.084355][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.086833][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.090288][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.092668][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.095339][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.098446][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.101868][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.104411][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.106742][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.111832][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.114138][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.116688][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.119113][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.123138][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.125518][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.128046][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.131649][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.134174][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.136502][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.139000][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.142086][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.144529][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.146710][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.149032][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.153512][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.156037][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.158481][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.161623][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.164169][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.166772][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.169110][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.173281][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.176010][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.178545][ T5335] binder: BINDER_SET_CONTEXT_MGR already set
[ 80.181350][ T5335] binder: 5334:5335 ioctl 40046207 0 returned -16
[ 80.187849][ T56] ==================================================================
[ 80.190807][ T56] BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x2f/0x140
[ 80.194257][ T56] Read of size 8 at addr ffff88803f02e108 by task kworker/0:2/56
[ 80.197203][ T56]
[ 80.198152][ T56] CPU: 0 UID: 0 PID: 56 Comm: kworker/0:2 Not tainted 6.12.0-syzkaller-10689-g7af08b57bcb9 #0
[ 80.201992][ T56] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 80.206004][ T56] Workqueue: events binder_deferred_func
[ 80.208114][ T56] Call Trace:
[ 80.209448][ T56]
[ 80.210636][ T56] dump_stack_lvl+0x241/0x360
[ 80.212414][ T56] ? __pfx_dump_stack_lvl+0x10/0x10
[ 80.214331][ T56] ? __pfx__printk+0x10/0x10
[ 80.216079][ T56] ? _printk+0xd5/0x120
[ 80.217623][ T56] ? __virt_addr_valid+0x183/0x530
[ 80.219494][ T56] ? __virt_addr_valid+0x183/0x530
[ 80.221407][ T56] print_report+0x169/0x550
[ 80.223182][ T56] ? __virt_addr_valid+0x183/0x530
[ 80.225243][ T56] ? __virt_addr_valid+0x183/0x530
[ 80.227024][ T56] ? __virt_addr_valid+0x45f/0x530
[ 80.228835][ T56] ? __phys_addr+0xba/0x170
[ 80.230555][ T56] ? __list_del_entry_valid_or_report+0x2f/0x140
[ 80.232955][ T56] kasan_report+0x143/0x180
[ 80.234842][ T56] ? __list_del_entry_valid_or_report+0x2f/0x140
[ 80.237042][ T56] __list_del_entry_valid_or_report+0x2f/0x140
[ 80.239351][ T56] binder_release_work+0xc7/0x480
[ 80.241370][ T56] binder_deferred_func+0x1275/0x1460
[ 80.243497][ T56] ? process_scheduled_works+0x976/0x1840
[ 80.245792][ T56] process_scheduled_works+0xa66/0x1840
[ 80.247935][ T56] ? __pfx_process_scheduled_works+0x10/0x10
[ 80.250244][ T56] ? assign_work+0x364/0x3d0
[ 80.251996][ T56] worker_thread+0x870/0xd30
[ 80.253684][ T56] ? __kthread_parkme+0x169/0x1d0
[ 80.255599][ T56] ? __pfx_worker_thread+0x10/0x10
[ 80.257497][ T56] kthread+0x2f0/0x390
[ 80.259070][ T56] ? __pfx_worker_thread+0x10/0x10
[ 80.260890][ T56] ? __pfx_kthread+0x10/0x10
[ 80.262462][ T56] ret_from_fork+0x4b/0x80
[ 80.263972][ T56] ? __pfx_kthread+0x10/0x10
[ 80.265569][ T56] ret_from_fork_asm+0x1a/0x30
[ 80.267239][ T56]
[ 80.268457][ T56]
[ 80.269414][ T56] Allocated by task 5336:
[ 80.271110][ T56] kasan_save_track+0x3f/0x80
[ 80.272940][ T56] __kasan_kmalloc+0x98/0xb0
[ 80.274712][ T56] __kmalloc_cache_noprof+0x243/0x390
[ 80.276785][ T56] binder_ioctl_write_read+0xe7f/0xb570
[ 80.278897][ T56] binder_ioctl+0x436/0x1cb0
[ 80.280734][ T56] __se_sys_ioctl+0xf5/0x170
[ 80.282445][ T56] do_syscall_64+0xf3/0x230
[ 80.284199][ T56] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 80.286427][ T56]
[ 80.287388][ T56] Freed by task 56:
[ 80.288878][ T56] kasan_save_track+0x3f/0x80
[ 80.290727][ T56] kasan_save_free_info+0x40/0x50
[ 80.292714][ T56] __kasan_slab_free+0x59/0x70
[ 80.294564][ T56] kfree+0x196/0x430
[ 80.296154][ T56] binder_deferred_func+0x11df/0x1460
[ 80.298292][ T56] process_scheduled_works+0xa66/0x1840
[ 80.300403][ T56] worker_thread+0x870/0xd30
[ 80.302202][ T56] kthread+0x2f0/0x390
[ 80.303773][ T56] ret_from_fork+0x4b/0x80
[ 80.305524][ T56] ret_from_fork_asm+0x1a/0x30
[ 80.307431][ T56]
[ 80.308374][ T56] The buggy address belongs to the object at ffff88803f02e100
[ 80.308374][ T56] which belongs to the cache kmalloc-64 of size 64
[ 80.313604][ T56] The buggy address is located 8 bytes inside of
[ 80.313604][ T56] freed 64-byte region [ffff88803f02e100, ffff88803f02e140)
[ 80.318729][ T56]
[ 80.319695][ T56] The buggy address belongs to the physical page:
[ 80.322130][ T56] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3f02e
[ 80.325475][ T56] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[ 80.328243][ T56] page_type: f5(slab)
[ 80.329806][ T56] raw: 04fff00000000000 ffff88801ac418c0 dead000000000100 dead000000000122
[ 80.333111][ T56] raw: 0000000000000000 0000000000200020 00000001f5000000 0000000000000000
[ 80.336333][ T56] page dumped because: kasan: bad access detected
[ 80.338782][ T56] page_owner tracks the page as allocated
[ 80.340931][ T56] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 73, tgid 73 (kworker/u4:4), ts 18277832771, free_ts 0
[ 80.347793][ T56] post_alloc_hook+0x1f3/0x230
[ 80.349674][ T56] get_page_from_freelist+0x365c/0x37a0
[ 80.351831][ T56] __alloc_pages_noprof+0x292/0x710
[ 80.353813][ T56] alloc_pages_mpol_noprof+0x3e8/0x680
[ 80.355882][ T56] alloc_slab_page+0x6a/0x140
[ 80.357673][ T56] allocate_slab+0x5a/0x2f0
[ 80.359459][ T56] ___slab_alloc+0xcd1/0x14b0
[ 80.361344][ T56] __slab_alloc+0x58/0xa0
[ 80.362998][ T56] __kmalloc_noprof+0x2e6/0x4c0
[ 80.364804][ T56] security_task_alloc+0x4a/0x340
[ 80.366650][ T56] copy_process+0x166c/0x3d50
[ 80.368339][ T56] kernel_clone+0x226/0x8e0
[ 80.369986][ T56] user_mode_thread+0x132/0x1a0
[ 80.371762][ T56] call_usermodehelper_exec_work+0x5c/0x230
[ 80.373895][ T56] process_scheduled_works+0xa66/0x1840
[ 80.375816][ T56] worker_thread+0x870/0xd30
[ 80.377501][ T56] page_owner free stack trace missing
[ 80.379426][ T56]
[ 80.380338][ T56] Memory state around the buggy address:
[ 80.382489][ T56] ffff88803f02e000: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 80.385487][ T56] ffff88803f02e080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 80.388552][ T56] >ffff88803f02e100: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 80.391538][ T56] ^
[ 80.393166][ T56] ffff88803f02e180: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 80.396206][ T56] ffff88803f02e200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 80.399172][ T56] ==================================================================
[ 80.402697][ T56] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 80.405445][ T56] CPU: 0 UID: 0 PID: 56 Comm: kworker/0:2 Not tainted 6.12.0-syzkaller-10689-g7af08b57bcb9 #0
[ 80.409169][ T56] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 80.413271][ T56] Workqueue: events binder_deferred_func
[ 80.415365][ T56] Call Trace:
[ 80.416616][ T56]
[ 80.417740][ T56] dump_stack_lvl+0x241/0x360
[ 80.419490][ T56] ? __pfx_dump_stack_lvl+0x10/0x10
[ 80.421482][ T56] ? __pfx__printk+0x10/0x10
[ 80.423298][ T56] ? lock_release+0xbf/0xa30
[ 80.425111][ T56] ? vscnprintf+0x5d/0x90
[ 80.426783][ T56] panic+0x349/0x880
[ 80.428302][ T56] ? check_panic_on_warn+0x21/0xb0
[ 80.430240][ T56] ? __pfx_panic+0x10/0x10
[ 80.431947][ T56] ? mark_lock+0x9a/0x360
[ 80.433650][ T56] ? _raw_spin_unlock_irqrestore+0xd8/0x140
[ 80.435878][ T56] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 80.438156][ T56] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 80.440560][ T56] ? print_report+0x502/0x550
[ 80.442352][ T56] check_panic_on_warn+0x86/0xb0
[ 80.444182][ T56] ? __list_del_entry_valid_or_report+0x2f/0x140
[ 80.446567][ T56] end_report+0x77/0x160
[ 80.448368][ T56] kasan_report+0x154/0x180
[ 80.450278][ T56] ? __list_del_entry_valid_or_report+0x2f/0x140
[ 80.452616][ T56] __list_del_entry_valid_or_report+0x2f/0x140
[ 80.454910][ T56] binder_release_work+0xc7/0x480
[ 80.456999][ T56] binder_deferred_func+0x1275/0x1460
[ 80.458893][ T56] ? process_scheduled_works+0x976/0x1840
[ 80.460726][ T56] process_scheduled_works+0xa66/0x1840
[ 80.462817][ T56] ? __pfx_process_scheduled_works+0x10/0x10
[ 80.464829][ T56] ? assign_work+0x364/0x3d0
[ 80.466356][ T56] worker_thread+0x870/0xd30
[ 80.468068][ T56] ? __kthread_parkme+0x169/0x1d0
[ 80.470378][ T56] ? __pfx_worker_thread+0x10/0x10
[ 80.472445][ T56] kthread+0x2f0/0x390
[ 80.474050][ T56] ? __pfx_worker_thread+0x10/0x10
[ 80.475983][ T56] ? __pfx_kthread+0x10/0x10
[ 80.477808][ T56] ret_from_fork+0x4b/0x80
[ 80.479532][ T56] ? __pfx_kthread+0x10/0x10
[ 80.481316][ T56] ret_from_fork_asm+0x1a/0x30
[ 80.483231][ T56]
[ 80.484655][ T56] Kernel Offset: disabled
[ 80.486302][ T56] Rebooting in 86400 seconds..