program:
# syzkaller reproducer (syzlang program) -- not assembly despite the file
# label. One syscall per line; rN is a returned fd reused by later lines.
# "(async)" marks calls the executor issues without waiting for completion,
# so they can race the calls that follow. The KASAN slab-use-after-free
# report printed after this program (binder_release_work, worker
# binder_deferred_func) was produced by this sequence.
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
# r0: first open of binder0, flags 0x0 (O_RDONLY). Its fd number is closed
# again by the dup3 further down.
r1 = syz_open_procfs(0xffffffffffffffff, &(0x7f0000000100)='net\x00') (async)
# r1: procfs "net" entry via the syz_open_procfs pseudo-call (pid argument
# -1; how the executor maps that to a /proc path is its own convention,
# not the kernel's). Only used by the two getdents below.
seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0xa, &(0x7f0000000040)={0x3, &(0x7f00000000c0)=[{0x0, 0x0, 0x1, 0x6}, {}, {0x6}]})
# Installs a 3-instruction seccomp filter (op 0x1 = SECCOMP_SET_MODE_FILTER,
# flags 0xa). The audit line later in the log (sig=31 i.e. SIGSYS,
# syscall=202, comm="syz.0.0") is most likely this filter killing the
# process; it is noise relative to the binder UAF.
getdents(r1, 0x0, 0x0) (async)
getdents(r1, 0x0, 0x0)
# Two getdents on r1 with a NULL buffer and size 0 -- filler calls.
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x40046207, 0x0) (async)
# Async ioctl on r0 with a NULL arg. The cmd value 0x40046207 decodes to
# ioctl group 'b', nr 7, 4-byte arg, which matches BINDER_SET_CONTEXT_MGR
# rather than the _EXT variant the syzkaller template name suggests --
# confirm against include/uapi/linux/android/binder.h.
r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000100)='./binderfs/binder0\x00', 0x1802, 0x0)
# r2: second open of binder0 (a separate open file, hence separate binder
# process context), flags 0x1802 (O_RDWR|O_NONBLOCK|O_DSYNC on x86-64).
syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)
# clone() with flags 0x11: exit signal SIGCHLD (17), no CLONE_* bits, so a
# fork-like child with its own copy of the fd table.
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000000)={0x8, 0x0, &(0x7f00000003c0)=[@increfs], 0x0, 0x0, 0x0})
# BINDER_WRITE_READ (0xc0306201 = 'b', nr 1, 48-byte struct) on r2:
# write_size 8 carrying a single BC_INCREFS, read_size 0. The report's
# "Allocated by task 5342: ... binder_ioctl_write_read" attributes the
# later-freed kmalloc-64 object to one of the two BINDER_WRITE_READ calls
# (this one or the next); which one is not visible from the log alone.
r3 = dup3(r2, r0, 0x0)
# dup3 closes the fd number held by r0 and makes r3 another fd for r2's
# open file. Closing a binder fd is what schedules the deferred release
# work; the report's "Workqueue: events binder_deferred_func" and
# "Freed by task 5335: ... binder_deferred_func" show that worker doing
# the free -- presumably as a consequence of this close.
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f0000000240)={0x10, 0x0, &(0x7f00000002c0)=[@request_death={0x400c6313}], 0x0, 0x0, 0x0}) (async)
# Async BINDER_WRITE_READ through r3 (same open file as r2): write_size
# 0x10, read_size 0. Note the @request_death arm's command field is
# overridden to 0x400c6313 (group 'c', nr 19, 12-byte arg); on this
# 6.12-era kernel nr 19 is BC_REQUEST_FREEZE_NOTIFICATION, not
# BC_REQUEST_DEATH_NOTIFICATION -- confirm against binder.h. Being async,
# it overlaps the deferred release kicked off by the dup3 above, which is
# consistent with binder_release_work dereferencing an already-freed
# work entry in the report (__list_del_entry_valid_or_report).
syz_mount_image$ext4(&(0x7f0000000040)='ext4\x00', &(0x7f0000000080)='./mnt\x00', 0x50, &(0x7f00000000c0)={[{@init_itable_val={'init_itable', 0x3d, 0x5}}]}, 0x0, 0x25e, &(0x7f0000000640)="$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")
# Mounts a constructed ext4 image (image bytes elided by the corpus). The
# "mand mount option" and EXT4-fs warnings in the log come from this call
# and are independent of the binder use-after-free.
[ 69.914437][ T5328] Bluetooth: hci0: command tx timeout
[ 69.983630][ T24] audit: type=1326 audit(1732824404.542:2): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=5341 comm="syz.0.0" exe="/syz-executor" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f2b72380809 code=0x0
[ 70.099409][ T5345] loop0: detected capacity change from 0 to 128
[ 70.107597][ T5345] =======================================================
[ 70.107597][ T5345] WARNING: The mand mount option has been deprecated and
[ 70.107597][ T5345] and is ignored by this kernel. Remove the mand
[ 70.107597][ T5345] option from the mount to silence this warning.
[ 70.107597][ T5345] =======================================================
[ 70.133612][ T5345] EXT4-fs warning (device loop0): ext4_init_metadata_csum:4626: metadata_csum and uninit_bg are redundant flags; please run fsck.
[ 70.152652][ T5345] EXT4-fs (loop0): filesystem is read-only
[ 70.155083][ T5345] EXT4-fs (loop0): bad geometry: first data block is 0 with a 1k block and cluster size
[ 70.799965][ T5335] ==================================================================
[ 70.803028][ T5335] BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x2f/0x140
[ 70.806575][ T5335] Read of size 8 at addr ffff88804295d988 by task kworker/0:4/5335
[ 70.809572][ T5335]
[ 70.810529][ T5335] CPU: 0 UID: 0 PID: 5335 Comm: kworker/0:4 Not tainted 6.12.0-syzkaller-10681-g65ae975e97d5 #0
[ 70.814370][ T5335] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 70.818448][ T5335] Workqueue: events binder_deferred_func
[ 70.820498][ T5335] Call Trace:
[ 70.821747][ T5335]
[ 70.822887][ T5335] dump_stack_lvl+0x241/0x360
[ 70.824412][ T5335] ? __pfx_dump_stack_lvl+0x10/0x10
[ 70.826233][ T5335] ? __pfx__printk+0x10/0x10
[ 70.828054][ T5335] ? _printk+0xd5/0x120
[ 70.829650][ T5335] ? __virt_addr_valid+0x183/0x530
[ 70.831443][ T5335] ? __virt_addr_valid+0x183/0x530
[ 70.833296][ T5335] print_report+0x169/0x550
[ 70.835100][ T5335] ? __virt_addr_valid+0x183/0x530
[ 70.837035][ T5335] ? __virt_addr_valid+0x183/0x530
[ 70.838866][ T5335] ? __virt_addr_valid+0x45f/0x530
[ 70.840749][ T5335] ? __phys_addr+0xba/0x170
[ 70.842499][ T5335] ? __list_del_entry_valid_or_report+0x2f/0x140
[ 70.844784][ T5335] kasan_report+0x143/0x180
[ 70.846506][ T5335] ? __list_del_entry_valid_or_report+0x2f/0x140
[ 70.848950][ T5335] __list_del_entry_valid_or_report+0x2f/0x140
[ 70.851196][ T5335] binder_release_work+0xc7/0x480
[ 70.853026][ T5335] binder_deferred_func+0x1275/0x1460
[ 70.855065][ T5335] ? process_scheduled_works+0x976/0x1850
[ 70.857085][ T5335] process_scheduled_works+0xa63/0x1850
[ 70.859150][ T5335] ? __pfx_process_scheduled_works+0x10/0x10
[ 70.861375][ T5335] ? assign_work+0x364/0x3d0
[ 70.863183][ T5335] worker_thread+0x870/0xd30
[ 70.864960][ T5335] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 70.867184][ T5335] ? __kthread_parkme+0x169/0x1d0
[ 70.868963][ T5335] ? __pfx_worker_thread+0x10/0x10
[ 70.870514][ T5335] kthread+0x2f0/0x390
[ 70.871888][ T5335] ? __pfx_worker_thread+0x10/0x10
[ 70.873670][ T5335] ? __pfx_kthread+0x10/0x10
[ 70.875320][ T5335] ret_from_fork+0x4b/0x80
[ 70.876910][ T5335] ? __pfx_kthread+0x10/0x10
[ 70.878487][ T5335] ret_from_fork_asm+0x1a/0x30
[ 70.880159][ T5335]
[ 70.881251][ T5335]
[ 70.882117][ T5335] Allocated by task 5342:
[ 70.883771][ T5335] kasan_save_track+0x3f/0x80
[ 70.885555][ T5335] __kasan_kmalloc+0x98/0xb0
[ 70.887156][ T5335] __kmalloc_cache_noprof+0x243/0x390
[ 70.889094][ T5335] binder_ioctl_write_read+0xe7f/0xb560
[ 70.891191][ T5335] binder_ioctl+0x436/0x1cc0
[ 70.892783][ T5335] __se_sys_ioctl+0xf5/0x170
[ 70.894428][ T5335] do_syscall_64+0xf3/0x230
[ 70.896173][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.898375][ T5335]
[ 70.899262][ T5335] Freed by task 5335:
[ 70.900682][ T5335] kasan_save_track+0x3f/0x80
[ 70.902443][ T5335] kasan_save_free_info+0x40/0x50
[ 70.904262][ T5335] __kasan_slab_free+0x59/0x70
[ 70.905967][ T5335] kfree+0x196/0x420
[ 70.907401][ T5335] binder_deferred_func+0x11df/0x1460
[ 70.909459][ T5335] process_scheduled_works+0xa63/0x1850
[ 70.911603][ T5335] worker_thread+0x870/0xd30
[ 70.913320][ T5335] kthread+0x2f0/0x390
[ 70.914833][ T5335] ret_from_fork+0x4b/0x80
[ 70.916509][ T5335] ret_from_fork_asm+0x1a/0x30
[ 70.918226][ T5335]
[ 70.919199][ T5335] The buggy address belongs to the object at ffff88804295d980
[ 70.919199][ T5335] which belongs to the cache kmalloc-64 of size 64
[ 70.924547][ T5335] The buggy address is located 8 bytes inside of
[ 70.924547][ T5335] freed 64-byte region [ffff88804295d980, ffff88804295d9c0)
[ 70.929569][ T5335]
[ 70.930504][ T5335] The buggy address belongs to the physical page:
[ 70.932963][ T5335] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4295d
[ 70.936293][ T5335] anon flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[ 70.939093][ T5335] page_type: f5(slab)
[ 70.940650][ T5335] raw: 04fff00000000000 ffff88801ac418c0 ffffea0000fbcb40 0000000000000005
[ 70.944152][ T5335] raw: 0000000000000000 0000000000200020 00000001f5000000 0000000000000000
[ 70.947963][ T5335] page dumped because: kasan: bad access detected
[ 70.950549][ T5335] page_owner tracks the page as allocated
[ 70.952821][ T5335] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4865, tgid 4865 (kworker/0:3), ts 60247366369, free_ts 58610899760
[ 70.960036][ T5335] post_alloc_hook+0x1f3/0x230
[ 70.961875][ T5335] get_page_from_freelist+0x3649/0x3790
[ 70.963953][ T5335] __alloc_pages_noprof+0x292/0x710
[ 70.965899][ T5335] alloc_pages_mpol_noprof+0x3e8/0x680
[ 70.967921][ T5335] alloc_slab_page+0x6a/0x140
[ 70.969701][ T5335] allocate_slab+0x5a/0x2f0
[ 70.971411][ T5335] ___slab_alloc+0xcd1/0x14b0
[ 70.973141][ T5335] __slab_alloc+0x58/0xa0
[ 70.974851][ T5335] __kmalloc_noprof+0x2e6/0x4c0
[ 70.976714][ T5335] virtqueue_add+0x545/0x4770
[ 70.978512][ T5335] virtqueue_add_sgs+0xfe/0x120
[ 70.980329][ T5335] virtio_gpu_queue_fenced_ctrl_buffer+0xa88/0xff0
[ 70.982726][ T5335] virtio_gpu_primary_plane_update+0x44a/0x1590
[ 70.985101][ T5335] drm_atomic_helper_commit_planes+0x5ee/0xe00
[ 70.987496][ T5335] drm_atomic_helper_commit_tail+0x5e/0x500
[ 70.989751][ T5335] commit_tail+0x2c1/0x3c0
[ 70.991498][ T5335] page last free pid 5321 tgid 5321 stack trace:
[ 70.993944][ T5335] free_unref_page+0xdf9/0x1140
[ 70.995811][ T5335] tlb_finish_mmu+0x11f/0x200
[ 70.997411][ T5335] exit_mmap+0x496/0xc40
[ 70.998937][ T5335] __mmput+0x115/0x3c0
[ 71.000394][ T5335] exit_mm+0x220/0x310
[ 71.001942][ T5335] do_exit+0x9b2/0x28e0
[ 71.003546][ T5335] do_group_exit+0x207/0x2c0
[ 71.005212][ T5335] __x64_sys_exit_group+0x3f/0x40
[ 71.007195][ T5335] x64_sys_call+0x26a8/0x26b0
[ 71.008735][ T5335] do_syscall_64+0xf3/0x230
[ 71.010212][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 71.012200][ T5335]
[ 71.012949][ T5335] Memory state around the buggy address:
[ 71.014910][ T5335] ffff88804295d880: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 71.017679][ T5335] ffff88804295d900: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 71.020717][ T5335] >ffff88804295d980: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 71.023803][ T5335] ^
[ 71.025231][ T5335] ffff88804295da00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 71.027999][ T5335] ffff88804295da80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 71.030758][ T5335] ==================================================================
[ 71.034464][ T5335] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 71.036928][ T5335] CPU: 0 UID: 0 PID: 5335 Comm: kworker/0:4 Not tainted 6.12.0-syzkaller-10681-g65ae975e97d5 #0
[ 71.040622][ T5335] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 71.044630][ T5335] Workqueue: events binder_deferred_func
[ 71.046787][ T5335] Call Trace:
[ 71.048108][ T5335]
[ 71.049240][ T5335] dump_stack_lvl+0x241/0x360
[ 71.051006][ T5335] ? __pfx_dump_stack_lvl+0x10/0x10
[ 71.052865][ T5335] ? __pfx__printk+0x10/0x10
[ 71.054492][ T5335] ? lock_release+0xbf/0xa30
[ 71.056185][ T5335] ? vscnprintf+0x5d/0x90
[ 71.057895][ T5335] panic+0x349/0x880
[ 71.059465][ T5335] ? check_panic_on_warn+0x21/0xb0
[ 71.061158][ T5335] ? __pfx_panic+0x10/0x10
[ 71.062839][ T5335] ? mark_lock+0x9a/0x360
[ 71.064421][ T5335] ? _raw_spin_unlock_irqrestore+0xd8/0x140
[ 71.066541][ T5335] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 71.068779][ T5335] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 71.070999][ T5335] ? print_report+0x502/0x550
[ 71.072716][ T5335] check_panic_on_warn+0x86/0xb0
[ 71.074558][ T5335] ? __list_del_entry_valid_or_report+0x2f/0x140
[ 71.076943][ T5335] end_report+0x77/0x160
[ 71.078610][ T5335] kasan_report+0x154/0x180
[ 71.080450][ T5335] ? __list_del_entry_valid_or_report+0x2f/0x140
[ 71.082942][ T5335] __list_del_entry_valid_or_report+0x2f/0x140
[ 71.085275][ T5335] binder_release_work+0xc7/0x480
[ 71.087212][ T5335] binder_deferred_func+0x1275/0x1460
[ 71.089165][ T5335] ? process_scheduled_works+0x976/0x1850
[ 71.091342][ T5335] process_scheduled_works+0xa63/0x1850
[ 71.093293][ T5335] ? __pfx_process_scheduled_works+0x10/0x10
[ 71.095556][ T5335] ? assign_work+0x364/0x3d0
[ 71.097288][ T5335] worker_thread+0x870/0xd30
[ 71.099087][ T5335] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 71.101364][ T5335] ? __kthread_parkme+0x169/0x1d0
[ 71.103284][ T5335] ? __pfx_worker_thread+0x10/0x10
[ 71.105223][ T5335] kthread+0x2f0/0x390
[ 71.106762][ T5335] ? __pfx_worker_thread+0x10/0x10
[ 71.108700][ T5335] ? __pfx_kthread+0x10/0x10
[ 71.110463][ T5335] ret_from_fork+0x4b/0x80
[ 71.112136][ T5335] ? __pfx_kthread+0x10/0x10
[ 71.113902][ T5335] ret_from_fork_asm+0x1a/0x30
[ 71.115740][ T5335]
[ 71.117151][ T5335] Kernel Offset: disabled
[ 71.118787][ T5335] Rebooting in 86400 seconds..