program:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000300)) (async)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000300))
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000000)={0x8, 0x0, &(0x7f00000003c0)=[@increfs], 0x0, 0x0, 0x0}) (async)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000000)={0x8, 0x0, &(0x7f00000003c0)=[@increfs], 0x0, 0x0, 0x0})
r3 = dup3(r2, r1, 0x0)
ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f0000000580)={0x10, 0x0, &(0x7f0000000700)=[@request_death={0x400c6313, 0x0, 0xffffff7f00000000}], 0x0, 0x1000000000000, 0x0})

[   61.633534][ T5318] Bluetooth: hci0: command tx timeout
[   61.722989][ T5333] binder: BINDER_SET_CONTEXT_MGR already set
[   61.727011][ T5333] binder: 5332:5333 ioctl 4018620d 20000300 returned -16
[   61.733559][    T9] ==================================================================
[   61.736897][    T9] BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x2f/0x140
[   61.740345][    T9] Read of size 8 at addr ffff888040635a08 by task kworker/0:1/9
[   61.743251][    T9] 
[   61.744194][    T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.12.0-syzkaller-10681-g65ae975e97d5 #0
[   61.748117][    T9] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   61.751947][    T9] Workqueue: events binder_deferred_func
[   61.754116][    T9] Call Trace:
[   61.755423][    T9]  <TASK>
[   61.756617][    T9]  dump_stack_lvl+0x241/0x360
[   61.758352][    T9]  ? __pfx_dump_stack_lvl+0x10/0x10
[   61.760386][    T9]  ? __pfx__printk+0x10/0x10
[   61.762227][    T9]  ? _printk+0xd5/0x120
[   61.763835][    T9]  ? __virt_addr_valid+0x183/0x530
[   61.765625][    T9]  ? __virt_addr_valid+0x183/0x530
[   61.767459][    T9]  print_report+0x169/0x550
[   61.769250][    T9]  ? __virt_addr_valid+0x183/0x530
[   61.771253][    T9]  ? __virt_addr_valid+0x183/0x530
[   61.773306][    T9]  ? __virt_addr_valid+0x45f/0x530
[   61.775303][    T9]  ? __phys_addr+0xba/0x170
[   61.777001][    T9]  ? __list_del_entry_valid_or_report+0x2f/0x140
[   61.779402][    T9]  kasan_report+0x143/0x180
[   61.781175][    T9]  ? __list_del_entry_valid_or_report+0x2f/0x140
[   61.783476][    T9]  __list_del_entry_valid_or_report+0x2f/0x140
[   61.785753][    T9]  binder_release_work+0xc7/0x480
[   61.787666][    T9]  binder_deferred_func+0x1275/0x1460
[   61.789648][    T9]  ? process_scheduled_works+0x976/0x1850
[   61.791811][    T9]  process_scheduled_works+0xa63/0x1850
[   61.793699][    T9]  ? __pfx_process_scheduled_works+0x10/0x10
[   61.796012][    T9]  ? assign_work+0x364/0x3d0
[   61.797802][    T9]  worker_thread+0x870/0xd30
[   61.799530][    T9]  ? __kthread_parkme+0x169/0x1d0
[   61.801383][    T9]  ? __pfx_worker_thread+0x10/0x10
[   61.803015][    T9]  kthread+0x2f0/0x390
[   61.804525][    T9]  ? __pfx_worker_thread+0x10/0x10
[   61.806207][    T9]  ? __pfx_kthread+0x10/0x10
[   61.807816][    T9]  ret_from_fork+0x4b/0x80
[   61.809563][    T9]  ? __pfx_kthread+0x10/0x10
[   61.811292][    T9]  ret_from_fork_asm+0x1a/0x30
[   61.813141][    T9]  </TASK>
[   61.814344][    T9] 
[   61.815278][    T9] Allocated by task 5333:
[   61.816855][    T9]  kasan_save_track+0x3f/0x80
[   61.818705][    T9]  __kasan_kmalloc+0x98/0xb0
[   61.820477][    T9]  __kmalloc_cache_noprof+0x243/0x390
[   61.822604][    T9]  binder_ioctl_write_read+0xe7f/0xb560
[   61.824639][    T9]  binder_ioctl+0x436/0x1cc0
[   61.826266][    T9]  __se_sys_ioctl+0xf5/0x170
[   61.827925][    T9]  do_syscall_64+0xf3/0x230
[   61.829722][    T9]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   61.831766][    T9] 
[   61.832631][    T9] Freed by task 9:
[   61.834037][    T9]  kasan_save_track+0x3f/0x80
[   61.835811][    T9]  kasan_save_free_info+0x40/0x50
[   61.837918][    T9]  __kasan_slab_free+0x59/0x70
[   61.839764][    T9]  kfree+0x196/0x420
[   61.841209][    T9]  binder_deferred_func+0x11df/0x1460
[   61.843262][    T9]  process_scheduled_works+0xa63/0x1850
[   61.845350][    T9]  worker_thread+0x870/0xd30
[   61.846988][    T9]  kthread+0x2f0/0x390
[   61.848423][    T9]  ret_from_fork+0x4b/0x80
[   61.849979][    T9]  ret_from_fork_asm+0x1a/0x30
[   61.851680][    T9] 
[   61.852588][    T9] The buggy address belongs to the object at ffff888040635a00
[   61.852588][    T9]  which belongs to the cache kmalloc-64 of size 64
[   61.857297][    T9] The buggy address is located 8 bytes inside of
[   61.857297][    T9]  freed 64-byte region [ffff888040635a00, ffff888040635a40)
[   61.862064][    T9] 
[   61.862926][    T9] The buggy address belongs to the physical page:
[   61.865594][    T9] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x40635
[   61.868788][    T9] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[   61.871170][    T9] page_type: f5(slab)
[   61.872643][    T9] raw: 04fff00000000000 ffff88801ac418c0 ffffea000101f840 0000000000000006
[   61.875602][    T9] raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000
[   61.878757][    T9] page dumped because: kasan: bad access detected
[   61.880953][    T9] page_owner tracks the page as allocated
[   61.882879][    T9] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4743, tgid 4743 (udevd), ts 57175914360, free_ts 57136534443
[   61.889129][    T9]  post_alloc_hook+0x1f3/0x230
[   61.890805][    T9]  get_page_from_freelist+0x3649/0x3790
[   61.892770][    T9]  __alloc_pages_noprof+0x292/0x710
[   61.894306][    T9]  alloc_pages_mpol_noprof+0x3e8/0x680
[   61.895931][    T9]  alloc_slab_page+0x6a/0x140
[   61.897586][    T9]  allocate_slab+0x5a/0x2f0
[   61.899263][    T9]  ___slab_alloc+0xcd1/0x14b0
[   61.900934][    T9]  __slab_alloc+0x58/0xa0
[   61.902521][    T9]  __kmalloc_noprof+0x2e6/0x4c0
[   61.904253][    T9]  security_inode_init_security+0x126/0x480
[   61.906424][    T9]  shmem_mknod+0x1ff/0x3d0
[   61.908198][    T9]  path_openat+0x1c03/0x3590
[   61.909736][    T9]  do_filp_open+0x27f/0x4e0
[   61.911346][    T9]  do_sys_openat2+0x13e/0x1d0
[   61.913274][    T9]  __x64_sys_openat+0x247/0x2a0
[   61.914939][    T9]  do_syscall_64+0xf3/0x230
[   61.916538][    T9] page last free pid 5300 tgid 5300 stack trace:
[   61.918810][    T9]  free_unref_page+0xdf9/0x1140
[   61.920550][    T9]  vfree+0x186/0x2e0
[   61.921994][    T9]  kcov_close+0x28/0x50
[   61.923619][    T9]  __fput+0x23c/0xa50
[   61.925284][    T9]  __x64_sys_close+0x7f/0x110
[   61.927281][    T9]  do_syscall_64+0xf3/0x230
[   61.929359][    T9]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   61.931984][    T9] 
[   61.933048][    T9] Memory state around the buggy address:
[   61.935478][    T9]  ffff888040635900: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   61.938971][    T9]  ffff888040635980: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[   61.942009][    T9] >ffff888040635a00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   61.945100][    T9]                       ^
[   61.946807][    T9]  ffff888040635a80: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   61.949479][    T9]  ffff888040635b00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   61.952421][    T9] ==================================================================
[   61.955955][    T9] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   61.958697][    T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.12.0-syzkaller-10681-g65ae975e97d5 #0
[   61.962293][    T9] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   61.966161][    T9] Workqueue: events binder_deferred_func
[   61.968047][    T9] Call Trace:
[   61.969210][    T9]  <TASK>
[   61.970248][    T9]  dump_stack_lvl+0x241/0x360
[   61.971934][    T9]  ? __pfx_dump_stack_lvl+0x10/0x10
[   61.973785][    T9]  ? __pfx__printk+0x10/0x10
[   61.975435][    T9]  ? lock_release+0xbf/0xa30
[   61.977161][    T9]  ? vscnprintf+0x5d/0x90
[   61.978729][    T9]  panic+0x349/0x880
[   61.980276][    T9]  ? check_panic_on_warn+0x21/0xb0
[   61.982202][    T9]  ? __pfx_panic+0x10/0x10
[   61.983960][    T9]  ? mark_lock+0x9a/0x360
[   61.985698][    T9]  ? _raw_spin_unlock_irqrestore+0xd8/0x140
[   61.987897][    T9]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   61.990082][    T9]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   61.992410][    T9]  ? print_report+0x502/0x550
[   61.993921][    T9]  check_panic_on_warn+0x86/0xb0
[   61.995750][    T9]  ? __list_del_entry_valid_or_report+0x2f/0x140
[   61.998096][    T9]  end_report+0x77/0x160
[   61.999517][    T9]  kasan_report+0x154/0x180
[   62.001032][    T9]  ? __list_del_entry_valid_or_report+0x2f/0x140
[   62.003250][    T9]  __list_del_entry_valid_or_report+0x2f/0x140
[   62.005526][    T9]  binder_release_work+0xc7/0x480
[   62.007372][    T9]  binder_deferred_func+0x1275/0x1460
[   62.009267][    T9]  ? process_scheduled_works+0x976/0x1850
[   62.011174][    T9]  process_scheduled_works+0xa63/0x1850
[   62.013329][    T9]  ? __pfx_process_scheduled_works+0x10/0x10
[   62.015654][    T9]  ? assign_work+0x364/0x3d0
[   62.017493][    T9]  worker_thread+0x870/0xd30
[   62.019376][    T9]  ? __kthread_parkme+0x169/0x1d0
[   62.021258][    T9]  ? __pfx_worker_thread+0x10/0x10
[   62.023282][    T9]  kthread+0x2f0/0x390
[   62.024933][    T9]  ? __pfx_worker_thread+0x10/0x10
[   62.026910][    T9]  ? __pfx_kthread+0x10/0x10
[   62.028915][    T9]  ret_from_fork+0x4b/0x80
[   62.030789][    T9]  ? __pfx_kthread+0x10/0x10
[   62.032403][    T9]  ret_from_fork_asm+0x1a/0x30
[   62.034092][    T9]  </TASK>
[   62.035481][    T9] Kernel Offset: disabled
[   62.037215][    T9] Rebooting in 86400 seconds..