program:
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000340)={<r0=>0xffffffffffffffff})
ioctl$sock_SIOCETHTOOL(r0, 0x8946, &(0x7f00000000c0)={'bridge_slave_1\x00', &(0x7f0000000000)=@ethtool_ts_info})
r1 = openat$sndseq(0xffffffffffffff9c, &(0x7f0000000040), 0x42002)
ioctl$SNDRV_SEQ_IOCTL_CREATE_QUEUE(r1, 0xc08c5332, &(0x7f00000001c0)={0x0, 0x0, 0x0, 'queue1\x00'})
write$sndseq(r1, &(0x7f0000000000)=[{0x84, 0x77, 0x0, 0x0, @tick, {}, {0x2}, @raw32}], 0x1c)
r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r2, 0x40046207, 0x0)
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='memory.events\x00', 0x26e1, 0x0)
r3 = socket$inet6(0xa, 0x1, 0x84)
getsockopt$bt_hci(r3, 0x84, 0x6d, 0x0, &(0x7f0000000040))
pipe(&(0x7f0000000000)={<r4=>0xffffffffffffffff, <r5=>0xffffffffffffffff})
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000140)='memory.events\x00', 0x7a05, 0x1700)
splice(r4, 0x0, r4, 0x0, 0x88040cc, 0x4)
fcntl$setpipe(r5, 0x407, 0x100004)
write$eventfd(r5, &(0x7f0000000240), 0xffffff14)
r6 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000100)='./binderfs/binder0\x00', 0x1802, 0x0)
r7 = bpf$PROG_LOAD(0x5, &(0x7f0000000040)={0x2, 0x4, &(0x7f0000000200)=ANY=[], &(0x7f0000000180)='GPL\x00', 0x4, 0x0, 0x0, 0x100, 0x70, '\x00', 0x0, @fallback, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000300)={r7, 0x0, 0x38, 0x2, @val=@tcx={@void, @value}}, 0x40)
syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r6, 0xc0306201, &(0x7f0000000000)={0x8, 0x0, &(0x7f00000003c0)=[@increfs], 0x0, 0x0, 0x0})
r8 = dup3(r6, r2, 0x0)
ioctl$BINDER_WRITE_READ(r8, 0xc0306201, &(0x7f0000000240)={0x10, 0x0, &(0x7f00000002c0)=[@request_death={0x400c6313}], 0x0, 0x0, 0x0})
ioctl$AUTOFS_DEV_IOCTL_READY(r4, 0xc0189376, &(0x7f0000000380)={{0x1, 0x1, 0x18, <r9=>r3, {0x9}}, './file0\x00'})
sendmsg$RDMA_NLDEV_CMD_PORT_GET(r9, &(0x7f00000004c0)={&(0x7f0000000400)={0x10, 0x0, 0x0, 0x10000000}, 0xc, &(0x7f0000000480)={&(0x7f0000000440)={0x40, 0x1405, 0x4, 0x70bd2a, 0x25dfdbfd, "", [{{0x8, 0x1, 0x1}, {0x8, 0x3, 0x3}}, {{0x8}, {0x8, 0x3, 0x3}}, {{0x8}, {0x8, 0x3, 0x1}}]}, 0x40}, 0x1, 0x0, 0x0, 0x4814}, 0x4011)

[   68.660616][ T4682] Bluetooth: hci0: command tx timeout
[   69.561917][ T5333] ==================================================================
[   69.565045][ T5333] BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x2f/0x140
[   69.568696][ T5333] Read of size 8 at addr ffff8880123a9a08 by task kworker/0:5/5333
[   69.571830][ T5333] 
[   69.572769][ T5333] CPU: 0 UID: 0 PID: 5333 Comm: kworker/0:5 Not tainted 6.12.0-syzkaller-10689-g7af08b57bcb9 #0
[   69.576852][ T5333] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   69.580932][ T5333] Workqueue: events binder_deferred_func
[   69.588404][ T5333] Call Trace:
[   69.589662][ T5333]  <TASK>
[   69.590942][ T5333]  dump_stack_lvl+0x241/0x360
[   69.592999][ T5333]  ? __pfx_dump_stack_lvl+0x10/0x10
[   69.595000][ T5333]  ? __pfx__printk+0x10/0x10
[   69.596789][ T5333]  ? _printk+0xd5/0x120
[   69.598458][ T5333]  ? __virt_addr_valid+0x183/0x530
[   69.600618][ T5333]  ? __virt_addr_valid+0x183/0x530
[   69.602597][ T5333]  print_report+0x169/0x550
[   69.604404][ T5333]  ? __virt_addr_valid+0x183/0x530
[   69.606446][ T5333]  ? __virt_addr_valid+0x183/0x530
[   69.608392][ T5333]  ? __virt_addr_valid+0x45f/0x530
[   69.610313][ T5333]  ? __phys_addr+0xba/0x170
[   69.612006][ T5333]  ? __list_del_entry_valid_or_report+0x2f/0x140
[   69.614295][ T5333]  kasan_report+0x143/0x180
[   69.615997][ T5333]  ? __list_del_entry_valid_or_report+0x2f/0x140
[   69.618326][ T5333]  __list_del_entry_valid_or_report+0x2f/0x140
[   69.620581][ T5333]  binder_release_work+0xc7/0x480
[   69.622439][ T5333]  binder_deferred_func+0x1275/0x1460
[   69.624441][ T5333]  ? process_scheduled_works+0x976/0x1840
[   69.626558][ T5333]  process_scheduled_works+0xa66/0x1840
[   69.628624][ T5333]  ? __pfx_process_scheduled_works+0x10/0x10
[   69.630813][ T5333]  ? assign_work+0x364/0x3d0
[   69.632509][ T5333]  worker_thread+0x870/0xd30
[   69.634214][ T5333]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   69.636473][ T5333]  ? __kthread_parkme+0x169/0x1d0
[   69.638342][ T5333]  ? __pfx_worker_thread+0x10/0x10
[   69.640267][ T5333]  kthread+0x2f0/0x390
[   69.641784][ T5333]  ? __pfx_worker_thread+0x10/0x10
[   69.643696][ T5333]  ? __pfx_kthread+0x10/0x10
[   69.645454][ T5333]  ret_from_fork+0x4b/0x80
[   69.647067][ T5333]  ? __pfx_kthread+0x10/0x10
[   69.648786][ T5333]  ret_from_fork_asm+0x1a/0x30
[   69.650567][ T5333]  </TASK>
[   69.651736][ T5333] 
[   69.652634][ T5333] Allocated by task 5336:
[   69.654263][ T5333]  kasan_save_track+0x3f/0x80
[   69.656016][ T5333]  __kasan_kmalloc+0x98/0xb0
[   69.657725][ T5333]  __kmalloc_cache_noprof+0x243/0x390
[   69.659728][ T5333]  binder_ioctl_write_read+0xe7f/0xb570
[   69.661773][ T5333]  binder_ioctl+0x436/0x1cb0
[   69.663482][ T5333]  __se_sys_ioctl+0xf5/0x170
[   69.665221][ T5333]  do_syscall_64+0xf3/0x230
[   69.666896][ T5333]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   69.668888][ T5333] 
[   69.669688][ T5333] Freed by task 5333:
[   69.671033][ T5333]  kasan_save_track+0x3f/0x80
[   69.672713][ T5333]  kasan_save_free_info+0x40/0x50
[   69.674574][ T5333]  __kasan_slab_free+0x59/0x70
[   69.679992][ T5333]  kfree+0x196/0x430
[   69.681464][ T5333]  binder_deferred_func+0x11df/0x1460
[   69.683436][ T5333]  process_scheduled_works+0xa66/0x1840
[   69.685505][ T5333]  worker_thread+0x870/0xd30
[   69.687221][ T5333]  kthread+0x2f0/0x390
[   69.688706][ T5333]  ret_from_fork+0x4b/0x80
[   69.690507][ T5333]  ret_from_fork_asm+0x1a/0x30
[   69.692278][ T5333] 
[   69.693148][ T5333] The buggy address belongs to the object at ffff8880123a9a00
[   69.693148][ T5333]  which belongs to the cache kmalloc-64 of size 64
[   69.698142][ T5333] The buggy address is located 8 bytes inside of
[   69.698142][ T5333]  freed 64-byte region [ffff8880123a9a00, ffff8880123a9a40)
[   69.702997][ T5333] 
[   69.703897][ T5333] The buggy address belongs to the physical page:
[   69.706234][ T5333] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x123a9
[   69.709411][ T5333] anon flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   69.712168][ T5333] page_type: f5(slab)
[   69.713634][ T5333] raw: 00fff00000000000 ffff88801ac418c0 ffffea00007c1580 dead000000000005
[   69.716733][ T5333] raw: 0000000000000000 0000000000200020 00000001f5000000 0000000000000000
[   69.719829][ T5333] page dumped because: kasan: bad access detected
[   69.722116][ T5333] page_owner tracks the page as allocated
[   69.724161][ T5333] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4744, tgid 4744 (udevd), ts 23373260416, free_ts 23141478075
[   69.730689][ T5333]  post_alloc_hook+0x1f3/0x230
[   69.732439][ T5333]  get_page_from_freelist+0x365c/0x37a0
[   69.734446][ T5333]  __alloc_pages_noprof+0x292/0x710
[   69.736358][ T5333]  alloc_pages_mpol_noprof+0x3e8/0x680
[   69.738353][ T5333]  alloc_slab_page+0x6a/0x140
[   69.740059][ T5333]  allocate_slab+0x5a/0x2f0
[   69.741676][ T5333]  ___slab_alloc+0xcd1/0x14b0
[   69.743363][ T5333]  __slab_alloc+0x58/0xa0
[   69.744900][ T5333]  __kmalloc_noprof+0x2e6/0x4c0
[   69.746687][ T5333]  tomoyo_encode+0x26f/0x540
[   69.748402][ T5333]  tomoyo_realpath_from_path+0x59e/0x5e0
[   69.750493][ T5333]  tomoyo_check_open_permission+0x258/0x4f0
[   69.752524][ T5333]  security_file_open+0xac/0x250
[   69.754259][ T5333]  do_dentry_open+0x328/0x1b70
[   69.756164][ T5333]  vfs_open+0x3e/0x330
[   69.757715][ T5333]  path_openat+0x2c84/0x3590
[   69.759412][ T5333] page last free pid 4745 tgid 4745 stack trace:
[   69.761784][ T5333]  free_unref_page+0xdef/0x1130
[   69.763739][ T5333]  __put_partials+0xeb/0x130
[   69.765596][ T5333]  put_cpu_partial+0x17c/0x250
[   69.767489][ T5333]  __slab_free+0x2ea/0x3d0
[   69.769219][ T5333]  qlist_free_all+0x9a/0x140
[   69.771069][ T5333]  kasan_quarantine_reduce+0x14f/0x170
[   69.773163][ T5333]  __kasan_slab_alloc+0x23/0x80
[   69.775084][ T5333]  kmem_cache_alloc_noprof+0x1d9/0x380
[   69.777200][ T5333]  getname_flags+0xb7/0x540
[   69.778949][ T5333]  do_readlinkat+0xd8/0x3a0
[   69.780696][ T5333]  __x64_sys_readlink+0x7f/0x90
[   69.782590][ T5333]  do_syscall_64+0xf3/0x230
[   69.784379][ T5333]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   69.786805][ T5333] 
[   69.787776][ T5333] Memory state around the buggy address:
[   69.789932][ T5333]  ffff8880123a9900: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[   69.793064][ T5333]  ffff8880123a9980: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   69.796181][ T5333] >ffff8880123a9a00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   69.799236][ T5333]                       ^
[   69.800859][ T5333]  ffff8880123a9a80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   69.803936][ T5333]  ffff8880123a9b00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[   69.807062][ T5333] ==================================================================
[   69.811492][ T5333] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   69.814280][ T5333] CPU: 0 UID: 0 PID: 5333 Comm: kworker/0:5 Not tainted 6.12.0-syzkaller-10689-g7af08b57bcb9 #0
[   69.818339][ T5333] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   69.822450][ T5333] Workqueue: events binder_deferred_func
[   69.824631][ T5333] Call Trace:
[   69.825966][ T5333]  <TASK>
[   69.827705][ T5333]  dump_stack_lvl+0x241/0x360
[   69.829895][ T5333]  ? __pfx_dump_stack_lvl+0x10/0x10
[   69.831907][ T5333]  ? __pfx__printk+0x10/0x10
[   69.833744][ T5333]  ? lock_release+0xbf/0xa30
[   69.835589][ T5333]  ? vscnprintf+0x5d/0x90
[   69.837240][ T5333]  panic+0x349/0x880
[   69.838751][ T5333]  ? check_panic_on_warn+0x21/0xb0
[   69.840756][ T5333]  ? __pfx_panic+0x10/0x10
[   69.842471][ T5333]  ? mark_lock+0x9a/0x360
[   69.844167][ T5333]  ? _raw_spin_unlock_irqrestore+0xd8/0x140
[   69.846472][ T5333]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   69.848835][ T5333]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   69.851307][ T5333]  ? print_report+0x502/0x550
[   69.853184][ T5333]  check_panic_on_warn+0x86/0xb0
[   69.855278][ T5333]  ? __list_del_entry_valid_or_report+0x2f/0x140
[   69.857617][ T5333]  end_report+0x77/0x160
[   69.859266][ T5333]  kasan_report+0x154/0x180
[   69.860971][ T5333]  ? __list_del_entry_valid_or_report+0x2f/0x140
[   69.863359][ T5333]  __list_del_entry_valid_or_report+0x2f/0x140
[   69.865780][ T5333]  binder_release_work+0xc7/0x480
[   69.867714][ T5333]  binder_deferred_func+0x1275/0x1460
[   69.869750][ T5333]  ? process_scheduled_works+0x976/0x1840
[   69.871927][ T5333]  process_scheduled_works+0xa66/0x1840
[   69.874055][ T5333]  ? __pfx_process_scheduled_works+0x10/0x10
[   69.876364][ T5333]  ? assign_work+0x364/0x3d0
[   69.878113][ T5333]  worker_thread+0x870/0xd30
[   69.879957][ T5333]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   69.882149][ T5333]  ? __kthread_parkme+0x169/0x1d0
[   69.884086][ T5333]  ? __pfx_worker_thread+0x10/0x10
[   69.886188][ T5333]  kthread+0x2f0/0x390
[   69.887749][ T5333]  ? __pfx_worker_thread+0x10/0x10
[   69.889684][ T5333]  ? __pfx_kthread+0x10/0x10
[   69.891477][ T5333]  ret_from_fork+0x4b/0x80
[   69.893197][ T5333]  ? __pfx_kthread+0x10/0x10
[   69.895069][ T5333]  ret_from_fork_asm+0x1a/0x30
[   69.896881][ T5333]  </TASK>
[   69.898331][ T5333] Kernel Offset: disabled
[   69.899994][ T5333] Rebooting in 86400 seconds..