program:
r0 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$netlink(r0, &(0x7f0000001f80)={0x0, 0x0, &(0x7f0000001f00)=[{&(0x7f0000000c40)=ANY=[@ANYBLOB="1401000027000100000000000000000001"], 0x114}], 0x1}, 0x240880c0)
r1 = socket$inet_udp(0x2, 0x2, 0x0)
setsockopt$EBT_SO_SET_ENTRIES(r1, 0x0, 0x80, &(0x7f00000003c0)=@filter={'filter\x00', 0xe, 0x2, 0x250, [0x0, 0x20000100, 0x20000130, 0x20000280], 0x0, 0x0, &(0x7f0000000100)=ANY=[@ANYBLOB="00000000000000000000000000000000000000100000000000000000000000000000002000000000ffffffff0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0100000003000000000000000000697036677265300000000000000000007465616d30000000000000000000000076657468305f746f5f626f6e6400000076657468305f746f5f626f6e64000000aaaaaaaaaa0000000000000024ffffffffff0000000000000000f0000000f0000000200100006c696d697400000000000000000000000000000000000000000000000000000020000000000000000000f4bd5979a5172e0700000000000000000000000000000000000000000000636c757374657200006db693c555d12b0101000000000000000000000000000010000000000000000000000000000000000000000000000041554449540000000000000000000000000000000000000000000000000000000800000000000000004493000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000feffffff0100000011000000000000000000766c616e3000000000000000000000006c6f0000000000000000000000000000726f736530000000000000000000000062726964676530000000000000000000ffffffffffff000000000000aaaaaaaaaa0000000000000000007000000070000000a000000041554449540000000000000000000000000000000000000000000000000000000800"/592]}, 0x2c8)
r2 = socket$netlink(0x10, 0x3, 0xc)
bind$netlink(r2, &(0x7f0000514ff4)={0x10, 0x0, 0x0, 0x2ffffffff}, 0xc)
r3 = socket$inet6_sctp(0xa, 0x5, 0x84)
bind$inet6(r3, &(0x7f00004b8fe4)={0xa, 0x4e23, 0x0, @loopback}, 0x1c)
sendto$inet6(r3, &(0x7f0000847fff)='X', 0x34000, 0x0, &(0x7f000005ffe4)={0xa, 0x4e23, 0x0, @loopback}, 0x1c)
setsockopt$inet_sctp6_SCTP_PEER_ADDR_PARAMS(r3, 0x84, 0x9, &(0x7f0000000a00)={0x0, @in6={{0xa, 0x4e23, 0x0, @loopback}}, 0x0, 0x0, 0x0, 0x0, 0x54}, 0x9c)
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r4, 0x40046207, 0x0)
r5 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f0000000440)={0x15, 0x6, &(0x7f0000000000)=@framed={{0x5, 0x0, 0x0, 0x0, 0x0, 0x69, 0x11, 0x1e}, [@func={0x85, 0x0, 0x1, 0x0, 0x2}, @call={0x85, 0x0, 0x0, 0xa0}, @exit], {0x95, 0x0, 0x5a5}}, &(0x7f0000000080)='GPL\x00', 0x5, 0x29e, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @sk_reuseport, 0xffffffffffffffff, 0x6, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x70)
ptrace(0x10, r5)
ptrace$cont(0x1f, r5, 0x0, 0x0)
r6 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r6, 0xc0306201, &(0x7f0000000000)={0x8, 0x0, &(0x7f00000003c0)=[@increfs], 0x0, 0x0, 0x0})
dup3(r6, r4, 0x0)
socket$nl_sock_diag(0x10, 0x3, 0x4)
ioctl$BINDER_WRITE_READ(r4, 0xc0306201, &(0x7f0000000240)={0x10, 0x0, &(0x7f00000002c0)=[@request_death={0x400c6313}], 0x0, 0x0, 0x0})
[ 79.679547][ T5092] Bluetooth: hci0: command tx timeout
[ 80.525978][ T5106] netlink: 256 bytes leftover after parsing attributes in process `syz.0.0'.
[ 80.529940][ T5106] unsupported nlmsg_type 40
[ 81.359622][ T5091] ==================================================================
[ 81.363180][ T5091] BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x2f/0x140
[ 81.366964][ T5091] Read of size 8 at addr ffff8880123a7088 by task kworker/0:3/5091
[ 81.370102][ T5091]
[ 81.371224][ T5091] CPU: 0 UID: 0 PID: 5091 Comm: kworker/0:3 Not tainted 6.12.0-rc1-syzkaller-00046-g7ec462100ef9 #0
[ 81.376903][ T5091] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 81.381202][ T5091] Workqueue: events binder_deferred_func
[ 81.383365][ T5091] Call Trace:
[ 81.384645][ T5091]
[ 81.385730][ T5091] dump_stack_lvl+0x241/0x360
[ 81.387494][ T5091] ? __pfx_dump_stack_lvl+0x10/0x10
[ 81.389419][ T5091] ? __pfx__printk+0x10/0x10
[ 81.391182][ T5091] ? _printk+0xd5/0x120
[ 81.392888][ T5091] ? __virt_addr_valid+0x183/0x530
[ 81.395088][ T5091] ? __virt_addr_valid+0x183/0x530
[ 81.397902][ T5091] print_report+0x169/0x550
[ 81.400664][ T5091] ? __virt_addr_valid+0x183/0x530
[ 81.403428][ T5091] ? __virt_addr_valid+0x183/0x530
[ 81.405657][ T5091] ? __virt_addr_valid+0x45f/0x530
[ 81.407522][ T5091] ? __phys_addr+0xba/0x170
[ 81.409214][ T5091] ? __list_del_entry_valid_or_report+0x2f/0x140
[ 81.411516][ T5091] kasan_report+0x143/0x180
[ 81.413249][ T5091] ? __list_del_entry_valid_or_report+0x2f/0x140
[ 81.415626][ T5091] __list_del_entry_valid_or_report+0x2f/0x140
[ 81.418004][ T5091] binder_release_work+0xc7/0x480
[ 81.420113][ T5091] binder_deferred_func+0x1275/0x1460
[ 81.422706][ T5091] ? process_scheduled_works+0x976/0x1850
[ 81.425519][ T5091] process_scheduled_works+0xa63/0x1850
[ 81.428030][ T5091] ? __pfx_process_scheduled_works+0x10/0x10
[ 81.430447][ T5091] ? assign_work+0x364/0x3d0
[ 81.432321][ T5091] worker_thread+0x870/0xd30
[ 81.434192][ T5091] ? __kthread_parkme+0x169/0x1d0
[ 81.436449][ T5091] ? __pfx_worker_thread+0x10/0x10
[ 81.438887][ T5091] kthread+0x2f0/0x390
[ 81.440986][ T5091] ? __pfx_worker_thread+0x10/0x10
[ 81.443299][ T5091] ? __pfx_kthread+0x10/0x10
[ 81.445252][ T5091] ret_from_fork+0x4b/0x80
[ 81.447042][ T5091] ? __pfx_kthread+0x10/0x10
[ 81.448895][ T5091] ret_from_fork_asm+0x1a/0x30
[ 81.450805][ T5091]
[ 81.452278][ T5091]
[ 81.453236][ T5091] Allocated by task 5107:
[ 81.455024][ T5091] kasan_save_track+0x3f/0x80
[ 81.456913][ T5091] __kasan_kmalloc+0x98/0xb0
[ 81.458728][ T5091] __kmalloc_cache_noprof+0x19c/0x2c0
[ 81.460906][ T5091] binder_ioctl_write_read+0xe7f/0xb560
[ 81.463119][ T5091] binder_ioctl+0x436/0x1cc0
[ 81.465012][ T5091] __se_sys_ioctl+0xf9/0x170
[ 81.466887][ T5091] do_syscall_64+0xf3/0x230
[ 81.468753][ T5091] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 81.471109][ T5091]
[ 81.472075][ T5091] Freed by task 5091:
[ 81.473686][ T5091] kasan_save_track+0x3f/0x80
[ 81.475567][ T5091] kasan_save_free_info+0x40/0x50
[ 81.477592][ T5091] __kasan_slab_free+0x59/0x70
[ 81.479536][ T5091] kfree+0x1a0/0x440
[ 81.481103][ T5091] binder_deferred_func+0x11df/0x1460
[ 81.483233][ T5091] process_scheduled_works+0xa63/0x1850
[ 81.485504][ T5091] worker_thread+0x870/0xd30
[ 81.487351][ T5091] kthread+0x2f0/0x390
[ 81.489025][ T5091] ret_from_fork+0x4b/0x80
[ 81.490795][ T5091] ret_from_fork_asm+0x1a/0x30
[ 81.492738][ T5091]
[ 81.493625][ T5091] The buggy address belongs to the object at ffff8880123a7080
[ 81.493625][ T5091] which belongs to the cache kmalloc-64 of size 64
[ 81.498964][ T5091] The buggy address is located 8 bytes inside of
[ 81.498964][ T5091] freed 64-byte region [ffff8880123a7080, ffff8880123a70c0)
[ 81.504412][ T5091]
[ 81.505396][ T5091] The buggy address belongs to the physical page:
[ 81.507960][ T5091] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x123a7
[ 81.511853][ T5091] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 81.515092][ T5091] page_type: f5(slab)
[ 81.516877][ T5091] raw: 00fff00000000000 ffff88801ac418c0 dead000000000100 dead000000000122
[ 81.520114][ T5091] raw: 0000000000000000 0000000000200020 00000001f5000000 0000000000000000
[ 81.523509][ T5091] page dumped because: kasan: bad access detected
[ 81.526268][ T5091] page_owner tracks the page as allocated
[ 81.528790][ T5091] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5089, tgid 5089 (sh), ts 74356188753, free_ts 72295173526
[ 81.535975][ T5091] post_alloc_hook+0x1f3/0x230
[ 81.537926][ T5091] get_page_from_freelist+0x3045/0x3190
[ 81.540117][ T5091] __alloc_pages_noprof+0x256/0x6c0
[ 81.542223][ T5091] alloc_pages_mpol_noprof+0x3e8/0x680
[ 81.544375][ T5091] alloc_slab_page+0x6a/0x120
[ 81.546271][ T5091] allocate_slab+0x5a/0x2f0
[ 81.548133][ T5091] ___slab_alloc+0xcd1/0x14b0
[ 81.550042][ T5091] __slab_alloc+0x58/0xa0
[ 81.551771][ T5091] __kmalloc_noprof+0x25a/0x400
[ 81.553665][ T5091] tomoyo_commit_ok+0x29/0x1d0
[ 81.555599][ T5091] tomoyo_update_domain+0x557/0x8b0
[ 81.557643][ T5091] tomoyo_write_file+0x397/0xe50
[ 81.559638][ T5091] tomoyo_write_domain2+0x1e0/0x250
[ 81.561741][ T5091] tomoyo_supervisor+0xf09/0x11f0
[ 81.563714][ T5091] tomoyo_path_permission+0x243/0x360
[ 81.565887][ T5091] tomoyo_path_perm+0x480/0x740
[ 81.567844][ T5091] page last free pid 5085 tgid 5085 stack trace:
[ 81.570365][ T5091] free_unref_page+0xcfb/0xf20
[ 81.572267][ T5091] __slab_free+0x31b/0x3d0
[ 81.574037][ T5091] qlist_free_all+0x9a/0x140
[ 81.576037][ T5091] kasan_quarantine_reduce+0x14f/0x170
[ 81.578182][ T5091] __kasan_slab_alloc+0x23/0x80
[ 81.580083][ T5091] kmem_cache_alloc_noprof+0x135/0x2a0
[ 81.581996][ T5091] vm_area_alloc+0x24/0x1d0
[ 81.583594][ T5091] mmap_region+0x1132/0x2990
[ 81.585273][ T5091] do_mmap+0x8f0/0x1000
[ 81.586744][ T5091] vm_mmap_pgoff+0x1dd/0x3d0
[ 81.588393][ T5091] ksys_mmap_pgoff+0x4eb/0x720
[ 81.590089][ T5091] do_syscall_64+0xf3/0x230
[ 81.591687][ T5091] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 81.593774][ T5091]
[ 81.594658][ T5091] Memory state around the buggy address:
[ 81.596855][ T5091] ffff8880123a6f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 81.599947][ T5091] ffff8880123a7000: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 81.603019][ T5091] >ffff8880123a7080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 81.606182][ T5091] ^
[ 81.607916][ T5091] ffff8880123a7100: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 81.610933][ T5091] ffff8880123a7180: 00 00 00 00 00 00 05 fc fc fc fc fc fc fc fc fc
[ 81.613846][ T5091] ==================================================================
[ 81.617887][ T5091] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 81.620757][ T5091] CPU: 0 UID: 0 PID: 5091 Comm: kworker/0:3 Not tainted 6.12.0-rc1-syzkaller-00046-g7ec462100ef9 #0
[ 81.624885][ T5091] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 81.628933][ T5091] Workqueue: events binder_deferred_func
[ 81.631103][ T5091] Call Trace:
[ 81.632455][ T5091]
[ 81.633628][ T5091] dump_stack_lvl+0x241/0x360
[ 81.635500][ T5091] ? __pfx_dump_stack_lvl+0x10/0x10
[ 81.637585][ T5091] ? __pfx__printk+0x10/0x10
[ 81.639447][ T5091] ? lock_release+0xbf/0xa30
[ 81.641320][ T5091] ? vscnprintf+0x5d/0x90
[ 81.643043][ T5091] panic+0x349/0x880
[ 81.644616][ T5091] ? check_panic_on_warn+0x21/0xb0
[ 81.646687][ T5091] ? __pfx_panic+0x10/0x10
[ 81.648490][ T5091] ? mark_lock+0x9a/0x360
[ 81.650255][ T5091] ? _raw_spin_unlock_irqrestore+0xd8/0x140
[ 81.652645][ T5091] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 81.655025][ T5091] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 81.657549][ T5091] ? print_report+0x502/0x550
[ 81.659412][ T5091] check_panic_on_warn+0x86/0xb0
[ 81.661370][ T5091] ? __list_del_entry_valid_or_report+0x2f/0x140
[ 81.663874][ T5091] end_report+0x77/0x160
[ 81.665613][ T5091] kasan_report+0x154/0x180
[ 81.667430][ T5091] ? __list_del_entry_valid_or_report+0x2f/0x140
[ 81.670169][ T5091] __list_del_entry_valid_or_report+0x2f/0x140
[ 81.672564][ T5091] binder_release_work+0xc7/0x480
[ 81.674091][ T5091] binder_deferred_func+0x1275/0x1460
[ 81.675950][ T5091] ? process_scheduled_works+0x976/0x1850
[ 81.677976][ T5091] process_scheduled_works+0xa63/0x1850
[ 81.680058][ T5091] ? __pfx_process_scheduled_works+0x10/0x10
[ 81.682916][ T5091] ? assign_work+0x364/0x3d0
[ 81.685188][ T5091] worker_thread+0x870/0xd30
[ 81.687554][ T5091] ? __kthread_parkme+0x169/0x1d0
[ 81.689930][ T5091] ? __pfx_worker_thread+0x10/0x10
[ 81.691835][ T5091] kthread+0x2f0/0x390
[ 81.693483][ T5091] ? __pfx_worker_thread+0x10/0x10
[ 81.695651][ T5091] ? __pfx_kthread+0x10/0x10
[ 81.697617][ T5091] ret_from_fork+0x4b/0x80
[ 81.699446][ T5091] ? __pfx_kthread+0x10/0x10
[ 81.701395][ T5091] ret_from_fork_asm+0x1a/0x30
[ 81.703282][ T5091]
[ 81.704730][ T5091] Kernel Offset: disabled
[ 81.706380][ T5091] Rebooting in 86400 seconds..