program: socket$netlink(0x10, 0x3, 0x0) (async) r0 = socket$netlink(0x10, 0x3, 0x0) bind$netlink(r0, &(0x7f0000514ff4)={0x10, 0x0, 0x0, 0x2ffffffff}, 0xc) r1 = socket(0x2a, 0x2, 0x0) r2 = socket$rxrpc(0x21, 0x2, 0x2) bind$rxrpc(r2, &(0x7f0000000140)=@in4={0x21, 0x3, 0x2, 0x10, {0x2, 0x0, @local}}, 0x24) (async) bind$rxrpc(r2, &(0x7f0000000140)=@in4={0x21, 0x3, 0x2, 0x10, {0x2, 0x0, @local}}, 0x24) r3 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r3, 0x40046207, 0x0) (async) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r3, 0x40046207, 0x0) openat$binderfs(0xffffffffffffff9c, &(0x7f0000000140)='./binderfs/binder0\x00', 0x0, 0x0) (async) r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000140)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000000)={0x8, 0x0, &(0x7f00000003c0)=[@increfs], 0x0, 0x0, 0x0}) (async) ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000000)={0x8, 0x0, &(0x7f00000003c0)=[@increfs], 0x0, 0x0, 0x0}) dup3(r4, r3, 0x0) ioctl$BINDER_WRITE_READ(r3, 0xc0306201, &(0x7f0000000180)={0xc, 0x0, &(0x7f0000000400)=[@dead_binder_done={0x400c6313}], 0x0, 0x0, 0x0}) bind$rxrpc(r2, &(0x7f0000000100)=@in4={0x21, 0x3, 0x2, 0x10, {0x2, 0x0, @multicast2}}, 0x24) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000005c0)=@newqdisc={0x24}, 0x24}}, 0x0) getsockname$packet(r1, &(0x7f0000000200)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000040)=0x14) seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000002180)={0x1, &(0x7f0000000380)=[{0x6}]}) (async) r6 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000002180)={0x1, &(0x7f0000000380)=[{0x6}]}) socket$nl_netfilter(0x10, 0x3, 0xc) (async) socket$nl_netfilter(0x10, 0x3, 0xc) r7 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0) ioctl$TIOCSETD(r7, 0x5423, &(0x7f0000000140)=0x15) (async) ioctl$TIOCSETD(r7, 0x5423, &(0x7f0000000140)=0x15) r8 = syz_open_dev$ttys(0xc, 0x2, 0x1) ioctl$TIOCSETD(r8, 0x5423, &(0x7f0000000000)=0x15) close_range(r6, 0xffffffffffffffff, 0x0) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000440)=@newqdisc={0x44, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x0, r5, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_hfsc={{0x9}, {0x14, 0x2, @TCA_HFSC_FSC={0x10, 0x2, {0x9, 0x1}}}}]}, 0x44}}, 0x0) sendmsg$nl_route_sched(r1, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000100)={&(0x7f00000010c0)=@newtfilter={0x44, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r5, {0x0, 0x9}, {}, {0x1c, 0xfff1}}, [@filter_kind_options=@f_flow={{0x9}, {0x14, 0x2, [@TCA_FLOW_MODE={0x8, 0x2, 0x1}, @TCA_FLOW_KEYS={0x8, 0x1, 0x8c30}]}}]}, 0x44}}, 0x0) (async) sendmsg$nl_route_sched(r1, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000100)={&(0x7f00000010c0)=@newtfilter={0x44, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r5, {0x0, 0x9}, {}, {0x1c, 0xfff1}}, [@filter_kind_options=@f_flow={{0x9}, {0x14, 0x2, [@TCA_FLOW_MODE={0x8, 0x2, 0x1}, @TCA_FLOW_KEYS={0x8, 0x1, 0x8c30}]}}]}, 0x44}}, 0x0) r9 = socket$nl_route(0x10, 0x3, 0x0) socket$inet6_icmp_raw(0xa, 0x3, 0x3a) (async) r10 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a) ioctl$sock_SIOCGIFINDEX(r10, 0x8933, &(0x7f0000000000)={'bridge0\x00', 0x0}) sendmsg$nl_route(r9, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000580)={&(0x7f0000000740)=@newlink={0x50, 0x10, 0x403, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x2a005}, [@IFLA_LINKINFO={0x28, 0x12, 0x0, 0x1, @vlan={{0x9}, {0x18, 0x2, 0x0, 0x1, [@IFLA_VLAN_FLAGS={0xc, 0x2, {0xa54, 0x18}}, @IFLA_VLAN_ID={0x6, 0x1, 0x1}]}}}, @IFLA_LINK={0x8, 0x5, r11}]}, 0x50}, 0x1, 0xba01}, 0x0) r12 = socket$netlink(0x10, 0x3, 0x0) sendmsg$NL80211_CMD_NEW_KEY(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000000)={0x14, 0x0, 0x0, 0x0, 0x0, {{}, {@void, @void}}}, 0x14}}, 0x4000080) ioctl$sock_SIOCBRDELBR(r12, 0x89a2, &(0x7f0000000000)='bridge0\x00') [ 73.325986][ T48] Bluetooth: hci0: command tx timeout [ 74.243062][ T5112] binder: BINDER_SET_CONTEXT_MGR already set [ 74.248617][ T24] audit: type=1326 audit(1727691923.199:2): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=5111 comm="syz.0.0" exe="/syz-executor" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7fe8f0f7dff9 code=0x0 [ 74.263528][ T5112] binder: 5111:5112 ioctl 40046207 0 returned -16 [ 74.266802][ T24] audit: type=1326 audit(1727691923.209:3): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined pid=5111 comm="syz.0.0" exe="/syz-executor" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7fe8f0f7dff9 code=0x0 [ 74.414149][ T9] ================================================================== [ 74.417173][ T9] BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x2f/0x140 [ 74.421498][ T9] Read of size 8 at addr ffff88803dea1188 by task kworker/0:1/9 [ 74.424815][ T9] [ 74.425790][ T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.12.0-rc1-syzkaller #0 [ 74.429144][ T9] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 74.433505][ T9] Workqueue: events binder_deferred_func [ 74.435996][ T9] Call Trace: [ 74.437586][ T9] [ 74.439008][ T9] dump_stack_lvl+0x241/0x360 [ 74.441077][ T9] ? __pfx_dump_stack_lvl+0x10/0x10 [ 74.443126][ T9] ? __pfx__printk+0x10/0x10 [ 74.444855][ T9] ? _printk+0xd5/0x120 [ 74.446482][ T9] ? __virt_addr_valid+0x183/0x530 [ 74.448499][ T9] ? __virt_addr_valid+0x183/0x530 [ 74.450621][ T9] print_report+0x169/0x550 [ 74.452591][ T9] ? __virt_addr_valid+0x183/0x530 [ 74.454936][ T9] ? __virt_addr_valid+0x183/0x530 [ 74.457219][ T9] ? __virt_addr_valid+0x45f/0x530 [ 74.459252][ T9] ? __phys_addr+0xba/0x170 [ 74.461069][ T9] ? __list_del_entry_valid_or_report+0x2f/0x140 [ 74.463468][ T9] kasan_report+0x143/0x180 [ 74.465145][ T9] ? __list_del_entry_valid_or_report+0x2f/0x140 [ 74.467701][ T9] __list_del_entry_valid_or_report+0x2f/0x140 [ 74.470345][ T9] binder_release_work+0xc7/0x480 [ 74.472510][ T9] binder_deferred_func+0x1275/0x1460 [ 74.474626][ T9] ? process_scheduled_works+0x976/0x1850 [ 74.476797][ T9] process_scheduled_works+0xa63/0x1850 [ 74.479237][ T9] ? __pfx_process_scheduled_works+0x10/0x10 [ 74.482007][ T9] ? assign_work+0x364/0x3d0 [ 74.484478][ T9] worker_thread+0x870/0xd30 [ 74.486771][ T9] ? __kthread_parkme+0x169/0x1d0 [ 74.488932][ T9] ? __pfx_worker_thread+0x10/0x10 [ 74.490980][ T9] kthread+0x2f0/0x390 [ 74.492368][ T9] ? __pfx_worker_thread+0x10/0x10 [ 74.494254][ T9] ? __pfx_kthread+0x10/0x10 [ 74.495968][ T9] ret_from_fork+0x4b/0x80 [ 74.497542][ T9] ? __pfx_kthread+0x10/0x10 [ 74.499325][ T9] ret_from_fork_asm+0x1a/0x30 [ 74.501152][ T9] [ 74.502140][ T9] [ 74.502946][ T9] Allocated by task 5113: [ 74.504391][ T9] kasan_save_track+0x3f/0x80 [ 74.506474][ T9] __kasan_kmalloc+0x98/0xb0 [ 74.508678][ T9] __kmalloc_cache_noprof+0x19c/0x2c0 [ 74.511403][ T9] binder_ioctl_write_read+0xe7f/0xb560 [ 74.514083][ T9] binder_ioctl+0x436/0x1cc0 [ 74.516119][ T9] __se_sys_ioctl+0xf9/0x170 [ 74.518349][ T9] do_syscall_64+0xf3/0x230 [ 74.520035][ T9] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.522365][ T9] [ 74.523343][ T9] Freed by task 9: [ 74.525116][ T9] kasan_save_track+0x3f/0x80 [ 74.527147][ T9] kasan_save_free_info+0x40/0x50 [ 74.529471][ T9] __kasan_slab_free+0x59/0x70 [ 74.531473][ T9] kfree+0x1a0/0x440 [ 74.532833][ T9] binder_deferred_func+0x11df/0x1460 [ 74.534790][ T9] process_scheduled_works+0xa63/0x1850 [ 74.536776][ T9] worker_thread+0x870/0xd30 [ 74.538540][ T9] kthread+0x2f0/0x390 [ 74.540132][ T9] ret_from_fork+0x4b/0x80 [ 74.541891][ T9] ret_from_fork_asm+0x1a/0x30 [ 74.543954][ T9] [ 74.544976][ T9] The buggy address belongs to the object at ffff88803dea1180 [ 74.544976][ T9] which belongs to the cache kmalloc-64 of size 64 [ 74.550683][ T9] The buggy address is located 8 bytes inside of [ 74.550683][ T9] freed 64-byte region [ffff88803dea1180, ffff88803dea11c0) [ 74.555729][ T9] [ 74.556715][ T9] The buggy address belongs to the physical page: [ 74.559303][ T9] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3dea1 [ 74.563352][ T9] ksm flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 74.566550][ T9] page_type: f5(slab) [ 74.568327][ T9] raw: 04fff00000000000 ffff88801ac418c0 ffffea000001ba40 dead000000000003 [ 74.571585][ T9] raw: 0000000000000000 0000000000200020 00000001f5000000 0000000000000000 [ 74.574884][ T9] page dumped because: kasan: bad access detected [ 74.577652][ T9] page_owner tracks the page as allocated [ 74.580312][ T9] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4814, tgid 4814 (dhcpcd), ts 43389777972, free_ts 43367585254 [ 74.587465][ T9] post_alloc_hook+0x1f3/0x230 [ 74.589283][ T9] get_page_from_freelist+0x3045/0x3190 [ 74.591488][ T9] __alloc_pages_noprof+0x256/0x6c0 [ 74.593721][ T9] alloc_pages_mpol_noprof+0x3e8/0x680 [ 74.596424][ T9] alloc_slab_page+0x6a/0x120 [ 74.598534][ T9] allocate_slab+0x5a/0x2f0 [ 74.600328][ T9] ___slab_alloc+0xcd1/0x14b0 [ 74.602157][ T9] __slab_alloc+0x58/0xa0 [ 74.603693][ T9] __kmalloc_cache_noprof+0x1d5/0x2c0 [ 74.605712][ T9] register_netdevice+0x59c/0x1b00 [ 74.607898][ T9] bpq_device_event+0x49b/0x8b0 [ 74.610058][ T9] notifier_call_chain+0x19f/0x3e0 [ 74.612378][ T9] __dev_notify_flags+0x207/0x400 [ 74.614345][ T9] dev_change_flags+0xf0/0x1a0 [ 74.616301][ T9] devinet_ioctl+0xa4e/0x1aa0 [ 74.618063][ T9] inet_ioctl+0x3d7/0x4f0 [ 74.619751][ T9] page last free pid 4611 tgid 4611 stack trace: [ 74.622247][ T9] free_unref_page+0xcfb/0xf20 [ 74.624355][ T9] __slab_free+0x31b/0x3d0 [ 74.626287][ T9] qlist_free_all+0x9a/0x140 [ 74.628550][ T9] kasan_quarantine_reduce+0x14f/0x170 [ 74.630947][ T9] __kasan_slab_alloc+0x23/0x80 [ 74.632818][ T9] kmem_cache_alloc_node_noprof+0x16b/0x320 [ 74.635035][ T9] __alloc_skb+0x1c3/0x440 [ 74.636725][ T9] netlink_sendmsg+0x638/0xcb0 [ 74.638626][ T9] __sock_sendmsg+0x221/0x270 [ 74.640666][ T9] ____sys_sendmsg+0x52a/0x7e0 [ 74.643026][ T9] __sys_sendmsg+0x292/0x380 [ 74.644984][ T9] do_syscall_64+0xf3/0x230 [ 74.646944][ T9] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.649208][ T9] [ 74.650148][ T9] Memory state around the buggy address: [ 74.652316][ T9] ffff88803dea1080: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 74.655366][ T9] ffff88803dea1100: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 74.658454][ T9] >ffff88803dea1180: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 74.661720][ T9] ^ [ 74.663598][ T9] ffff88803dea1200: 00 00 00 00 04 fc fc fc fc fc fc fc fc fc fc fc [ 74.666731][ T9] ffff88803dea1280: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 74.669679][ T9] ================================================================== [ 74.674165][ T9] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 74.677279][ T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Not tainted 6.12.0-rc1-syzkaller #0 [ 74.680803][ T9] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 74.684691][ T9] Workqueue: events binder_deferred_func [ 74.686898][ T9] Call Trace: [ 74.688401][ T9] [ 74.689818][ T9] dump_stack_lvl+0x241/0x360 [ 74.691949][ T9] ? __pfx_dump_stack_lvl+0x10/0x10 [ 74.693928][ T9] ? __pfx__printk+0x10/0x10 [ 74.695673][ T9] ? lock_release+0xbf/0xa30 [ 74.697435][ T9] ? vscnprintf+0x5d/0x90 [ 74.699282][ T9] panic+0x349/0x880 [ 74.701061][ T9] ? check_panic_on_warn+0x21/0xb0 [ 74.703352][ T9] ? __pfx_panic+0x10/0x10 [ 74.705320][ T9] ? mark_lock+0x9a/0x360 [ 74.706977][ T9] ? _raw_spin_unlock_irqrestore+0xd8/0x140 [ 74.709160][ T9] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 74.711670][ T9] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 74.714063][ T9] ? print_report+0x502/0x550 [ 74.715768][ T9] check_panic_on_warn+0x86/0xb0 [ 74.717659][ T9] ? __list_del_entry_valid_or_report+0x2f/0x140 [ 74.720101][ T9] end_report+0x77/0x160 [ 74.721693][ T9] kasan_report+0x154/0x180 [ 74.723544][ T9] ? __list_del_entry_valid_or_report+0x2f/0x140 [ 74.726753][ T9] __list_del_entry_valid_or_report+0x2f/0x140 [ 74.729632][ T9] binder_release_work+0xc7/0x480 [ 74.731643][ T9] binder_deferred_func+0x1275/0x1460 [ 74.733585][ T9] ? process_scheduled_works+0x976/0x1850 [ 74.735887][ T9] process_scheduled_works+0xa63/0x1850 [ 74.737993][ T9] ? __pfx_process_scheduled_works+0x10/0x10 [ 74.740209][ T9] ? assign_work+0x364/0x3d0 [ 74.741942][ T9] worker_thread+0x870/0xd30 [ 74.743755][ T9] ? __kthread_parkme+0x169/0x1d0 [ 74.745962][ T9] ? __pfx_worker_thread+0x10/0x10 [ 74.748358][ T9] kthread+0x2f0/0x390 [ 74.750142][ T9] ? __pfx_worker_thread+0x10/0x10 [ 74.752532][ T9] ? __pfx_kthread+0x10/0x10 [ 74.754631][ T9] ret_from_fork+0x4b/0x80 [ 74.756379][ T9] ? __pfx_kthread+0x10/0x10 [ 74.758140][ T9] ret_from_fork_asm+0x1a/0x30 [ 74.760033][ T9] [ 74.761561][ T9] Kernel Offset: disabled [ 74.763189][ T9] Rebooting in 86400 seconds..