program: r0 = openat$cuse(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r1, 0x40046207, 0x0) r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000100)='./binderfs/binder0\x00', 0x1802, 0x0) syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000000)={0x8, 0x0, &(0x7f00000003c0)=[@increfs], 0x0, 0x0, 0x0}) r3 = openat$sw_sync(0xffffffffffffff9c, &(0x7f0000000ac0), 0x0, 0x0) ioctl$SW_SYNC_IOC_CREATE_FENCE(r3, 0xc0285700, &(0x7f0000000b00)={0x4, "abacd211119ca94c63377526aeb5ab2c7b9ca5fa07558139ede6dc06270ee042", 0xffffffffffffffff}) ioctl$SYNC_IOC_MERGE(r4, 0xc0303e03, &(0x7f0000000a00)={"d1ed39d88b014976ab94c1fb10628c46d2e61e0df12c5e00", r3}) r5 = dup3(r2, r1, 0x0) ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000240)={0x10, 0x0, &(0x7f00000002c0)=[@request_death={0x400c6313}], 0x0, 0x0, 0x0}) r6 = openat$fuse(0xffffffffffffff9c, &(0x7f00000000c0), 0x2, 0x0) syz_mount_image$fuse(&(0x7f0000000040), &(0x7f0000000000)='./file0\x00', 0x0, &(0x7f0000002300)=ANY=[@ANYBLOB='fd=', @ANYRESHEX=r6, @ANYBLOB=',rootmode=00000000000000000040000,user_id=', @ANYRESDEC=0x0, @ANYBLOB=',group_id=', @ANYRESDEC=0x0], 0x0, 0x0, 0x0) read$FUSE(r6, &(0x7f0000006340)={0x2020, 0x0, 0x0}, 0x2058) write$FUSE_INIT(r6, &(0x7f0000002200)={0x50, 0x0, r7, {0x7, 0x27, 0x0, 0x1dd880}}, 0x50) write$FUSE_OPEN(r0, &(0x7f0000000100)={0x20, 0x8000000000000007, r7, {0x0, 0xa}}, 0x20) migrate_pages(0x0, 0x3, &(0x7f0000000300)=0x3, &(0x7f0000000340)=0x101) [ 58.684149][ T5320] Bluetooth: hci0: command tx timeout [ 59.386065][ T5329] ================================================================== [ 59.389482][ T5329] BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x2f/0x140 [ 59.393343][ T5329] Read of size 8 at addr ffff88803d476908 by task kworker/0:4/5329 [ 59.396698][ T5329] [ 59.397707][ T5329] CPU: 0 UID: 0 PID: 5329 Comm: kworker/0:4 Not tainted 6.12.0-syzkaller-10689-g7af08b57bcb9 #0 [ 59.401920][ T5329] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 59.406246][ T5329] Workqueue: events binder_deferred_func [ 59.408720][ T5329] Call Trace: [ 59.410167][ T5329] [ 59.411499][ T5329] dump_stack_lvl+0x241/0x360 [ 59.413465][ T5329] ? __pfx_dump_stack_lvl+0x10/0x10 [ 59.415704][ T5329] ? __pfx__printk+0x10/0x10 [ 59.417500][ T5329] ? _printk+0xd5/0x120 [ 59.419246][ T5329] ? __virt_addr_valid+0x183/0x530 [ 59.421118][ T5329] ? __virt_addr_valid+0x183/0x530 [ 59.423095][ T5329] print_report+0x169/0x550 [ 59.424657][ T5329] ? __virt_addr_valid+0x183/0x530 [ 59.426508][ T5329] ? __virt_addr_valid+0x183/0x530 [ 59.428487][ T5329] ? __virt_addr_valid+0x45f/0x530 [ 59.430435][ T5329] ? __phys_addr+0xba/0x170 [ 59.432091][ T5329] ? __list_del_entry_valid_or_report+0x2f/0x140 [ 59.434388][ T5329] kasan_report+0x143/0x180 [ 59.436073][ T5329] ? __list_del_entry_valid_or_report+0x2f/0x140 [ 59.438417][ T5329] __list_del_entry_valid_or_report+0x2f/0x140 [ 59.440697][ T5329] binder_release_work+0xc7/0x480 [ 59.442421][ T5329] binder_deferred_func+0x1275/0x1460 [ 59.444207][ T5329] ? process_scheduled_works+0x976/0x1840 [ 59.446292][ T5329] process_scheduled_works+0xa66/0x1840 [ 59.448483][ T5329] ? __pfx_process_scheduled_works+0x10/0x10 [ 59.450863][ T5329] ? assign_work+0x364/0x3d0 [ 59.452659][ T5329] worker_thread+0x870/0xd30 [ 59.454406][ T5329] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 59.456457][ T5329] ? __kthread_parkme+0x169/0x1d0 [ 59.458147][ T5329] ? __pfx_worker_thread+0x10/0x10 [ 59.460010][ T5329] kthread+0x2f0/0x390 [ 59.461501][ T5329] ? __pfx_worker_thread+0x10/0x10 [ 59.463361][ T5329] ? __pfx_kthread+0x10/0x10 [ 59.465035][ T5329] ret_from_fork+0x4b/0x80 [ 59.466653][ T5329] ? __pfx_kthread+0x10/0x10 [ 59.468344][ T5329] ret_from_fork_asm+0x1a/0x30 [ 59.470054][ T5329] [ 59.471205][ T5329] [ 59.472052][ T5329] Allocated by task 5337: [ 59.473691][ T5329] kasan_save_track+0x3f/0x80 [ 59.475418][ T5329] __kasan_kmalloc+0x98/0xb0 [ 59.477093][ T5329] __kmalloc_cache_noprof+0x243/0x390 [ 59.479030][ T5329] binder_ioctl_write_read+0xe7f/0xb570 [ 59.481102][ T5329] binder_ioctl+0x436/0x1cb0 [ 59.482878][ T5329] __se_sys_ioctl+0xf5/0x170 [ 59.484574][ T5329] do_syscall_64+0xf3/0x230 [ 59.486189][ T5329] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 59.488408][ T5329] [ 59.489312][ T5329] Freed by task 5329: [ 59.490802][ T5329] kasan_save_track+0x3f/0x80 [ 59.492591][ T5329] kasan_save_free_info+0x40/0x50 [ 59.494452][ T5329] __kasan_slab_free+0x59/0x70 [ 59.496260][ T5329] kfree+0x196/0x430 [ 59.497734][ T5329] binder_deferred_func+0x11df/0x1460 [ 59.499800][ T5329] process_scheduled_works+0xa66/0x1840 [ 59.501860][ T5329] worker_thread+0x870/0xd30 [ 59.503606][ T5329] kthread+0x2f0/0x390 [ 59.505128][ T5329] ret_from_fork+0x4b/0x80 [ 59.506759][ T5329] ret_from_fork_asm+0x1a/0x30 [ 59.508521][ T5329] [ 59.509384][ T5329] The buggy address belongs to the object at ffff88803d476900 [ 59.509384][ T5329] which belongs to the cache kmalloc-64 of size 64 [ 59.514271][ T5329] The buggy address is located 8 bytes inside of [ 59.514271][ T5329] freed 64-byte region [ffff88803d476900, ffff88803d476940) [ 59.519054][ T5329] [ 59.519951][ T5329] The buggy address belongs to the physical page: [ 59.522191][ T5329] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3d476 [ 59.525316][ T5329] anon flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 59.528185][ T5329] page_type: f5(slab) [ 59.529660][ T5329] raw: 04fff00000000000 ffff88801ac418c0 0000000000000000 dead000000000001 [ 59.532693][ T5329] raw: 0000000000000000 0000000000200020 00000001f5000000 0000000000000000 [ 59.535863][ T5329] page dumped because: kasan: bad access detected [ 59.538121][ T5329] page_owner tracks the page as allocated [ 59.540425][ T5329] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4751, tgid 4751 (udevd), ts 24389938910, free_ts 24319756885 [ 59.546969][ T5329] post_alloc_hook+0x1f3/0x230 [ 59.548688][ T5329] get_page_from_freelist+0x365c/0x37a0 [ 59.550698][ T5329] __alloc_pages_noprof+0x292/0x710 [ 59.552523][ T5329] alloc_pages_mpol_noprof+0x3e8/0x680 [ 59.554602][ T5329] alloc_slab_page+0x6a/0x140 [ 59.556253][ T5329] allocate_slab+0x5a/0x2f0 [ 59.557955][ T5329] ___slab_alloc+0xcd1/0x14b0 [ 59.559644][ T5329] __slab_alloc+0x58/0xa0 [ 59.561209][ T5329] __kmalloc_noprof+0x2e6/0x4c0 [ 59.563023][ T5329] tomoyo_encode+0x26f/0x540 [ 59.564720][ T5329] tomoyo_realpath_from_path+0x59e/0x5e0 [ 59.566733][ T5329] tomoyo_path_perm+0x2b7/0x740 [ 59.568535][ T5329] security_inode_getattr+0x130/0x330 [ 59.570484][ T5329] vfs_getattr+0x2a/0x3b0 [ 59.572087][ T5329] vfs_fstatat+0xa8/0x130 [ 59.573743][ T5329] __x64_sys_newfstatat+0x11d/0x1a0 [ 59.575826][ T5329] page last free pid 4744 tgid 4744 stack trace: [ 59.578142][ T5329] free_unref_page+0xdef/0x1130 [ 59.579957][ T5329] __put_partials+0xeb/0x130 [ 59.581677][ T5329] put_cpu_partial+0x17c/0x250 [ 59.583434][ T5329] __slab_free+0x2ea/0x3d0 [ 59.585081][ T5329] qlist_free_all+0x9a/0x140 [ 59.586805][ T5329] kasan_quarantine_reduce+0x14f/0x170 [ 59.588901][ T5329] __kasan_slab_alloc+0x23/0x80 [ 59.590720][ T5329] kmem_cache_alloc_noprof+0x1d9/0x380 [ 59.592711][ T5329] getname_flags+0xb7/0x540 [ 59.594440][ T5329] do_sys_openat2+0xd2/0x1d0 [ 59.596124][ T5329] __x64_sys_openat+0x247/0x2a0 [ 59.597863][ T5329] do_syscall_64+0xf3/0x230 [ 59.599551][ T5329] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 59.601721][ T5329] [ 59.602666][ T5329] Memory state around the buggy address: [ 59.604730][ T5329] ffff88803d476800: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 59.607693][ T5329] ffff88803d476880: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc [ 59.610740][ T5329] >ffff88803d476900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 59.613779][ T5329] ^ [ 59.615431][ T5329] ffff88803d476980: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 59.618462][ T5329] ffff88803d476a00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 59.621407][ T5329] ================================================================== [ 59.625134][ T5329] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 59.627849][ T5329] CPU: 0 UID: 0 PID: 5329 Comm: kworker/0:4 Not tainted 6.12.0-syzkaller-10689-g7af08b57bcb9 #0 [ 59.631530][ T5329] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 59.635601][ T5329] Workqueue: events binder_deferred_func [ 59.637686][ T5329] Call Trace: [ 59.638886][ T5329] [ 59.640024][ T5329] dump_stack_lvl+0x241/0x360 [ 59.641903][ T5329] ? __pfx_dump_stack_lvl+0x10/0x10 [ 59.643865][ T5329] ? __pfx__printk+0x10/0x10 [ 59.645566][ T5329] ? lock_release+0xbf/0xa30 [ 59.647411][ T5329] ? vscnprintf+0x5d/0x90 [ 59.649033][ T5329] panic+0x349/0x880 [ 59.650570][ T5329] ? check_panic_on_warn+0x21/0xb0 [ 59.652495][ T5329] ? __pfx_panic+0x10/0x10 [ 59.654221][ T5329] ? mark_lock+0x9a/0x360 [ 59.655935][ T5329] ? _raw_spin_unlock_irqrestore+0xd8/0x140 [ 59.658183][ T5329] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 59.660552][ T5329] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 59.662820][ T5329] ? print_report+0x502/0x550 [ 59.664616][ T5329] check_panic_on_warn+0x86/0xb0 [ 59.666518][ T5329] ? __list_del_entry_valid_or_report+0x2f/0x140 [ 59.668957][ T5329] end_report+0x77/0x160 [ 59.670576][ T5329] kasan_report+0x154/0x180 [ 59.672263][ T5329] ? __list_del_entry_valid_or_report+0x2f/0x140 [ 59.674564][ T5329] __list_del_entry_valid_or_report+0x2f/0x140 [ 59.676799][ T5329] binder_release_work+0xc7/0x480 [ 59.678643][ T5329] binder_deferred_func+0x1275/0x1460 [ 59.680689][ T5329] ? process_scheduled_works+0x976/0x1840 [ 59.682752][ T5329] process_scheduled_works+0xa66/0x1840 [ 59.684834][ T5329] ? __pfx_process_scheduled_works+0x10/0x10 [ 59.687076][ T5329] ? assign_work+0x364/0x3d0 [ 59.688822][ T5329] worker_thread+0x870/0xd30 [ 59.690610][ T5329] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 59.692869][ T5329] ? __kthread_parkme+0x169/0x1d0 [ 59.694789][ T5329] ? __pfx_worker_thread+0x10/0x10 [ 59.696638][ T5329] kthread+0x2f0/0x390 [ 59.698186][ T5329] ? __pfx_worker_thread+0x10/0x10 [ 59.700129][ T5329] ? __pfx_kthread+0x10/0x10 [ 59.701887][ T5329] ret_from_fork+0x4b/0x80 [ 59.703514][ T5329] ? __pfx_kthread+0x10/0x10 [ 59.705272][ T5329] ret_from_fork_asm+0x1a/0x30 [ 59.707070][ T5329] [ 59.708451][ T5329] Kernel Offset: disabled [ 59.710028][ T5329] Rebooting in 86400 seconds..