# Reviewer annotation for this syzkaller reproducer + KASAN report
# (kernel 6.12.0-rc1-syzkaller-00031-ge32cde8d2bd7, QEMU Q35 guest).
#
# What the reproducer does, as far as the visible syscalls show:
#   - r0, r1, r3 are three separate opens of the same binderfs node './binderfs/binder0'.
#   - BINDER_SET_CONTEXT_MGR_EXT is issued twice, first on r0 and later on r3. The log
#     does not show whether the second call succeeds (binder normally allows a single
#     context manager per context - confirm against the driver before relying on it).
#   - r2 = dup3(r1, r0, 0): by dup3 semantics the descriptor number of r0 is closed and
#     re-pointed at r1's open file, so every later BINDER_WRITE_READ on r0 or r2 acts on
#     the same binder_proc as r1. Closing the original r0 file is presumably what queues
#     the deferred binder teardown that later runs on the workqueue - TODO confirm.
#   - Only r3 is mmap'ed (0x2000 bytes, PROT_READ, MAP_SHARED|MAP_FIXED flags 0x11).
#   - The iommufd open / IOMMU_IOAS_ALLOC on r4 touch no binder state and look like
#     fuzzer noise rather than part of the trigger.
#   - The final BINDER_WRITE_READ on r2 (write buffer 0xe8 bytes at 0x...840) queues
#     increfs / clear_death / request_death / clear_death / increfs / acquire, then a
#     @transaction carrying a @ptr, a @handle and an @fd object for r0, a @reply carrying
#     an @fd object for r3 and two @ptr objects, then release and clear_death. The
#     'binder: 5110:5111 unknown command 0' and 'ioctl c0306201 20000840 returned -22'
#     lines come from this call (the buffer offset 0x...840 matches), which suggests the
#     command stream was rejected part-way with -EINVAL after some commands had already
#     been processed.
#
# What KASAN reports:
#   - slab-use-after-free: an 8-byte read at ffff88801f104088, i.e. 8 bytes into a freed
#     64-byte kmalloc-64 object, from __list_del_entry_valid_or_report called by
#     binder_release_work <- binder_deferred_func on the 'events' workqueue
#     (kworker/0:3, pid 4672).
#   - The object was allocated by task 5111 - the reproducer thread, per the
#     '5110:5111' log lines - inside binder_ioctl_write_read, and freed by the same
#     kworker (task 4672) at an earlier point of binder_deferred_func
#     (+0x11df vs. the faulting +0x1275). Read together this looks like the deferred
#     teardown freeing an item that is still linked on a work list it then walks; the
#     object's type is not printed, so treat that as a hypothesis to confirm in source.
#   - The machine panics only because panic_on_warn is set in this syzkaller config; the
#     defect is the UAF itself. Nothing in this log establishes whether the freed object
#     is attacker-controllable, so exploitability is not demonstrated here.
#
# The 'Bluetooth: hci0: command tx timeout' line appears unrelated to the binder issue.
program: r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000300)) r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000180)='./binderfs/binder0\x00', 0x0, 0x0) ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0}) r2 = dup3(r1, r0, 0x0) r3 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000040)='./binderfs/binder0\x00', 0x0, 0x0) mmap$binder(&(0x7f0000ffc000/0x2000)=nil, 0x2000, 0x1, 0x11, r3, 0x0) ioctl$BINDER_SET_CONTEXT_MGR_EXT(r3, 0x4018620d, &(0x7f0000000040)) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0x8, 0x0, &(0x7f0000000000)=[@acquire], 0x0, 0x0, 0x0}) ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000002c0)={0x4c, 0x0, &(0x7f0000000340)=[@transaction_sg={0x40486311, {0x1, 0x0, 0x0, 0x0, 0x30, 0x0, 0x0, 0x0, 0x18, 0x0, &(0x7f0000000280)={0x30, 0x30, 0x30}}, 0x1000}], 0x50, 0x0, &(0x7f0000000440)="e5c0ca304a2a7b53a10a2beba492b547df36c0926c71357304fb53ff71c4381e3c952221a37fd23596966b13d4b104fa4b53ec30653382d39d2a7688b4b0b6a647f7b5234ae93f414418636de2e52987"}) r4 = openat$iommufd(0xffffffffffffff9c, &(0x7f0000000000), 0x10180, 0x0) ioctl$IOMMU_IOAS_ALLOC(r4, 0x3b81, &(0x7f0000000080)={0xc}) ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000840)={0xe8, 0x0, &(0x7f0000000700)=[@increfs={0x40046304, 0x2}, @clear_death={0x400c630f, 0x1}, @request_death={0x400c630e, 0x3}, @clear_death={0x400c630f, 0x1}, @increfs={0x40046304, 0x1}, @acquire={0x40046305, 0x1}, @transaction={0x400c6313, {0x1, 0x0, 0x0, 0x0, 0x11, 0x0, 0x0, 0x58, 0x18, &(0x7f0000000100)={@ptr={0x70742a85, 0x0, &(0x7f00000001c0)=""/177, 0xb1, 0x1, 0x17}, @flat=@handle={0x73682a85, 0x1, 0x3}, @fd={0x66642a85, 0x0, r0}}, &(0x7f00000004c0)={0x0, 0x28, 0x40}}}, @reply={0x40406301, {0x3, 0x0, 0x0, 0x0, 0x10, 0x0, 0x0, 0x68, 0x18, &(0x7f0000000640)={@fd={0x66642a85, 0x0, r3}, @ptr={0x70742a85, 0x0, &(0x7f0000000540)=""/33, 
0x21, 0x1, 0x2a}, @ptr={0x70742a85, 0x1, &(0x7f0000000600), 0x0, 0x2, 0x3c}}, &(0x7f00000006c0)={0x0, 0x18, 0x40}}}, @release={0x40046306, 0x1}, @clear_death={0x400c630f, 0x3}], 0x0, 0x0, &(0x7f0000000800)}) [ 80.366707][ T5096] Bluetooth: hci0: command tx timeout [ 81.488054][ T5111] binder: 5110:5111 unknown command 0 [ 81.489966][ T5111] binder: 5110:5111 ioctl c0306201 20000840 returned -22 [ 81.492751][ T4672] ================================================================== [ 81.495613][ T4672] BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x2f/0x140 [ 81.498859][ T4672] Read of size 8 at addr ffff88801f104088 by task kworker/0:3/4672 [ 81.501538][ T4672] [ 81.502423][ T4672] CPU: 0 UID: 0 PID: 4672 Comm: kworker/0:3 Not tainted 6.12.0-rc1-syzkaller-00031-ge32cde8d2bd7 #0 [ 81.506243][ T4672] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 81.510110][ T4672] Workqueue: events binder_deferred_func [ 81.513111][ T4672] Call Trace: [ 81.514336][ T4672] [ 81.515492][ T4672] dump_stack_lvl+0x241/0x360 [ 81.517221][ T4672] ? __pfx_dump_stack_lvl+0x10/0x10 [ 81.518977][ T4672] ? __pfx__printk+0x10/0x10 [ 81.520593][ T4672] ? _printk+0xd5/0x120 [ 81.522201][ T4672] ? __virt_addr_valid+0x183/0x530 [ 81.524045][ T4672] ? __virt_addr_valid+0x183/0x530 [ 81.525825][ T4672] print_report+0x169/0x550 [ 81.527585][ T4672] ? __virt_addr_valid+0x183/0x530 [ 81.529528][ T4672] ? __virt_addr_valid+0x183/0x530 [ 81.531099][ T4672] ? __virt_addr_valid+0x45f/0x530 [ 81.532897][ T4672] ? __phys_addr+0xba/0x170 [ 81.534624][ T4672] ? __list_del_entry_valid_or_report+0x2f/0x140 [ 81.537039][ T4672] kasan_report+0x143/0x180 [ 81.538763][ T4672] ? __list_del_entry_valid_or_report+0x2f/0x140 [ 81.541131][ T4672] __list_del_entry_valid_or_report+0x2f/0x140 [ 81.543232][ T4672] binder_release_work+0xc7/0x480 [ 81.545056][ T4672] binder_deferred_func+0x1275/0x1460 [ 81.546941][ T4672] ? 
process_scheduled_works+0x976/0x1850 [ 81.549386][ T4672] process_scheduled_works+0xa63/0x1850 [ 81.551690][ T4672] ? __pfx_process_scheduled_works+0x10/0x10 [ 81.553922][ T4672] ? assign_work+0x364/0x3d0 [ 81.555531][ T4672] worker_thread+0x870/0xd30 [ 81.557153][ T4672] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 81.559290][ T4672] ? __kthread_parkme+0x169/0x1d0 [ 81.561347][ T4672] ? __pfx_worker_thread+0x10/0x10 [ 81.563258][ T4672] kthread+0x2f0/0x390 [ 81.564673][ T4672] ? __pfx_worker_thread+0x10/0x10 [ 81.566337][ T4672] ? __pfx_kthread+0x10/0x10 [ 81.568098][ T4672] ret_from_fork+0x4b/0x80 [ 81.569828][ T4672] ? __pfx_kthread+0x10/0x10 [ 81.571636][ T4672] ret_from_fork_asm+0x1a/0x30 [ 81.573323][ T4672] [ 81.574383][ T4672] [ 81.575318][ T4672] Allocated by task 5111: [ 81.576903][ T4672] kasan_save_track+0x3f/0x80 [ 81.578646][ T4672] __kasan_kmalloc+0x98/0xb0 [ 81.580425][ T4672] __kmalloc_cache_noprof+0x19c/0x2c0 [ 81.582348][ T4672] binder_ioctl_write_read+0xe7f/0xb560 [ 81.584388][ T4672] binder_ioctl+0x436/0x1cc0 [ 81.586173][ T4672] __se_sys_ioctl+0xf9/0x170 [ 81.587983][ T4672] do_syscall_64+0xf3/0x230 [ 81.589653][ T4672] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 81.591861][ T4672] [ 81.592718][ T4672] Freed by task 4672: [ 81.594145][ T4672] kasan_save_track+0x3f/0x80 [ 81.595664][ T4672] kasan_save_free_info+0x40/0x50 [ 81.597504][ T4672] __kasan_slab_free+0x59/0x70 [ 81.599263][ T4672] kfree+0x1a0/0x440 [ 81.600741][ T4672] binder_deferred_func+0x11df/0x1460 [ 81.602690][ T4672] process_scheduled_works+0xa63/0x1850 [ 81.604738][ T4672] worker_thread+0x870/0xd30 [ 81.606500][ T4672] kthread+0x2f0/0x390 [ 81.607999][ T4672] ret_from_fork+0x4b/0x80 [ 81.609650][ T4672] ret_from_fork_asm+0x1a/0x30 [ 81.611463][ T4672] [ 81.612338][ T4672] The buggy address belongs to the object at ffff88801f104080 [ 81.612338][ T4672] which belongs to the cache kmalloc-64 of size 64 [ 81.617313][ T4672] The buggy address is located 8 bytes inside of [ 81.617313][ 
T4672] freed 64-byte region [ffff88801f104080, ffff88801f1040c0) [ 81.622126][ T4672] [ 81.622990][ T4672] The buggy address belongs to the physical page: [ 81.625255][ T4672] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f104 [ 81.628207][ T4672] anon flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 81.630870][ T4672] page_type: f5(slab) [ 81.632268][ T4672] raw: 00fff00000000000 ffff88801ac418c0 0000000000000000 0000000000000001 [ 81.635230][ T4672] raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000 [ 81.638398][ T4672] page dumped because: kasan: bad access detected [ 81.640905][ T4672] page_owner tracks the page as allocated [ 81.643017][ T4672] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5095, tgid 5095 (syz-executor), ts 76840137306, free_ts 76835750351 [ 81.650118][ T4672] post_alloc_hook+0x1f3/0x230 [ 81.651992][ T4672] get_page_from_freelist+0x3045/0x3190 [ 81.654097][ T4672] __alloc_pages_noprof+0x256/0x6c0 [ 81.656091][ T4672] alloc_pages_mpol_noprof+0x3e8/0x680 [ 81.658160][ T4672] alloc_slab_page+0x6a/0x120 [ 81.659899][ T4672] allocate_slab+0x5a/0x2f0 [ 81.661591][ T4672] ___slab_alloc+0xcd1/0x14b0 [ 81.663211][ T4672] __slab_alloc+0x58/0xa0 [ 81.664805][ T4672] __kmalloc_cache_noprof+0x1d5/0x2c0 [ 81.666726][ T4672] __alloc_workqueue+0x174/0x1f20 [ 81.668613][ T4672] alloc_workqueue+0xd6/0x210 [ 81.670383][ T4672] tipc_topsrv_init_net+0x303/0x9d0 [ 81.672266][ T4672] ops_init+0x31e/0x590 [ 81.673853][ T4672] setup_net+0x287/0x9e0 [ 81.675527][ T4672] copy_net_ns+0x33f/0x570 [ 81.677259][ T4672] create_new_namespaces+0x425/0x7b0 [ 81.679227][ T4672] page last free pid 79 tgid 79 stack trace: [ 81.681555][ T4672] free_unref_folios+0xf12/0x18d0 [ 81.683520][ T4672] shrink_folio_list+0x2d3d/0x8cc0 [ 81.685525][ T4672] evict_folios+0x549b/0x7b50 [ 81.687331][ T4672] try_to_shrink_lruvec+0x9ab/0xbb0 [ 81.689347][ T4672] 
shrink_one+0x3b9/0x850 [ 81.691011][ T4672] shrink_node+0x3799/0x3de0 [ 81.692821][ T4672] kswapd+0x1ca3/0x3700 [ 81.694394][ T4672] kthread+0x2f0/0x390 [ 81.695952][ T4672] ret_from_fork+0x4b/0x80 [ 81.697666][ T4672] ret_from_fork_asm+0x1a/0x30 [ 81.699518][ T4672] [ 81.700430][ T4672] Memory state around the buggy address: [ 81.702595][ T4672] ffff88801f103f80: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc [ 81.705583][ T4672] ffff88801f104000: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc [ 81.708556][ T4672] >ffff88801f104080: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 81.711450][ T4672] ^ [ 81.713054][ T4672] ffff88801f104100: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 81.716054][ T4672] ffff88801f104180: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc [ 81.719102][ T4672] ================================================================== [ 81.722758][ T4672] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 81.725594][ T4672] CPU: 0 UID: 0 PID: 4672 Comm: kworker/0:3 Not tainted 6.12.0-rc1-syzkaller-00031-ge32cde8d2bd7 #0 [ 81.729707][ T4672] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 81.733706][ T4672] Workqueue: events binder_deferred_func [ 81.735759][ T4672] Call Trace: [ 81.737041][ T4672] [ 81.738111][ T4672] dump_stack_lvl+0x241/0x360 [ 81.739845][ T4672] ? __pfx_dump_stack_lvl+0x10/0x10 [ 81.741800][ T4672] ? __pfx__printk+0x10/0x10 [ 81.743580][ T4672] ? lock_release+0xbf/0xa30 [ 81.745390][ T4672] ? vscnprintf+0x5d/0x90 [ 81.747047][ T4672] panic+0x349/0x880 [ 81.748535][ T4672] ? check_panic_on_warn+0x21/0xb0 [ 81.750525][ T4672] ? __pfx_panic+0x10/0x10 [ 81.752232][ T4672] ? mark_lock+0x9a/0x360 [ 81.753913][ T4672] ? _raw_spin_unlock_irqrestore+0xd8/0x140 [ 81.756183][ T4672] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 81.758430][ T4672] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 81.760881][ T4672] ? 
print_report+0x502/0x550 [ 81.762675][ T4672] check_panic_on_warn+0x86/0xb0 [ 81.764586][ T4672] ? __list_del_entry_valid_or_report+0x2f/0x140 [ 81.766982][ T4672] end_report+0x77/0x160 [ 81.768652][ T4672] kasan_report+0x154/0x180 [ 81.770400][ T4672] ? __list_del_entry_valid_or_report+0x2f/0x140 [ 81.772892][ T4672] __list_del_entry_valid_or_report+0x2f/0x140 [ 81.775244][ T4672] binder_release_work+0xc7/0x480 [ 81.777253][ T4672] binder_deferred_func+0x1275/0x1460 [ 81.779294][ T4672] ? process_scheduled_works+0x976/0x1850 [ 81.781488][ T4672] process_scheduled_works+0xa63/0x1850 [ 81.783593][ T4672] ? __pfx_process_scheduled_works+0x10/0x10 [ 81.785861][ T4672] ? assign_work+0x364/0x3d0 [ 81.787643][ T4672] worker_thread+0x870/0xd30 [ 81.789463][ T4672] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 81.791829][ T4672] ? __kthread_parkme+0x169/0x1d0 [ 81.793861][ T4672] ? __pfx_worker_thread+0x10/0x10 [ 81.795865][ T4672] kthread+0x2f0/0x390 [ 81.797380][ T4672] ? __pfx_worker_thread+0x10/0x10 [ 81.799357][ T4672] ? __pfx_kthread+0x10/0x10 [ 81.801206][ T4672] ret_from_fork+0x4b/0x80 [ 81.802977][ T4672] ? __pfx_kthread+0x10/0x10 [ 81.804500][ T4672] ret_from_fork_asm+0x1a/0x30 [ 81.806693][ T4672] [ 81.808171][ T4672] Kernel Offset: disabled [ 81.809999][ T4672] Rebooting in 86400 seconds..