program:
# syzkaller reproducer (syzlang), laid out one call per line. "rN = call(...)" and
# "<rN=>" bind a result (here: file descriptors) that later calls reuse.
#
# Triage context, taken from the kernel log that follows this program: KASAN reports
# a slab-use-after-free read in binder_release_work(), reached from
# binder_deferred_func() on the "events" workqueue. The 64-byte object was allocated
# in binder_ioctl_write_read() and freed earlier inside binder_deferred_func().
# The binder calls below are therefore the ones to read first.
# NOTE(review): the perf, netlink, MPTCP, loop-control and usbfs calls look unrelated
# to the binder stack in the report; no minimised reproducer is shown here to confirm that.

# perf_event_attr with type 0x2 and size 0x80; pid 0, cpu -1, group_fd -1, flags 0x9.
perf_event_open(&(0x7f0000000500)={0x2, 0x80, 0x72, 0x1, 0x0, 0x0, 0x0, 0x7fed, 0x180, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x107b7b, 0x1, @perf_bp={0x0, 0x4}, 0x2200, 0x2e, 0xfffffbff, 0x2, 0x2, 0x0, 0x6, 0x0, 0x0, 0x0, 0x2003}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x9)
# r0 / r1 = read / write end of a new pipe.
pipe(&(0x7f00000000c0)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
# r2 = netlink socket: family 0x10 (AF_NETLINK), type 0x3 (SOCK_RAW), protocol 0.
r2 = socket$netlink(0x10, 0x3, 0x0)
# Splice up to 0x84ffe0 bytes from the pipe read end into the netlink socket.
splice(r0, 0x0, r2, 0x0, 0x84ffe0, 0x0)
# NOTE(review): r0 is the pipe read end, not a socket, so this bind presumably fails;
# typical fuzzer descriptor reuse. Confirm with strace if it matters.
bind$netlink(r0, &(0x7f0000000080)={0x10, 0x0, 0x25dfdbff, 0x10000}, 0xc)
# r3 = MPTCP socket: family 0xa (AF_INET6), type 0x1 (SOCK_STREAM), protocol 0x106 (IPPROTO_MPTCP).
r3 = socket$inet6_mptcp(0xa, 0x1, 0x106)
# Bind r3 to the IPv6 loopback address, port field 0x3.
bind$inet6(r3, &(0x7f0000000000)={0xa, 0x3, 0x0, @loopback}, 0x1c)
# r4 = first open of ./binderfs/binder0; dirfd 0xffffffffffffff9c is -100 (AT_FDCWD), flags 0.
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
# Context-manager registration on r4 with a NULL argument pointer.
# NOTE(review): request 0x40046207 decodes as _IOW('b', 7, 4-byte arg), which looks like
# BINDER_SET_CONTEXT_MGR rather than the _EXT variant named by the syzkaller call;
# confirm against include/uapi/linux/android/binder.h.
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r4, 0x40046207, 0x0)
# r5 = second, separate open of the same binder device, flags 0x1802.
r5 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000100)='./binderfs/binder0\x00', 0x1802, 0x0)
# syzkaller pseudo-syscall around clone(), flags 0x11, every other argument zero.
# What the child executes is decided by the syzkaller executor and is not visible here.
syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)
# BINDER_WRITE_READ on r5: write_size 0x8, write buffer holds one command, @increfs,
# printed with default arguments; the read-side fields are all zero.
ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000000)={0x8, 0x0, &(0x7f00000003c0)=[@increfs], 0x0, 0x0, 0x0})
# dup3 makes descriptor number r4 refer to r5's open file; the caller's previous r4
# descriptor is closed as part of that. r6 is the same number as r4.
# NOTE(review): binder_deferred_func in the report is deferred work, which would fit a
# binder file being released around here, but the log does not say which file.
r6 = dup3(r5, r4, 0x0)
# BINDER_WRITE_READ on r6: write_size 0x10, one command built from syzkaller's
# @request_death template with command word 0x400c6313.
# NOTE(review): 0x400c6313 decodes as _IOW('c', 0x13, 12-byte arg). Death notification
# is nr 0x0e; nr 0x13 appears to be BC_REQUEST_FREEZE_NOTIFICATION in current binder
# UAPI. Confirm against the header before matching this report to an upstream fix.
ioctl$BINDER_WRITE_READ(r6, 0xc0306201, &(0x7f0000000240)={0x10, 0x0, &(0x7f00000002c0)=[@request_death={0x400c6313}], 0x0, 0x0, 0x0})
# LOOP_CTL_ADD (0x4c80) issued on the pipe ends r0 and r1 rather than on a loop-control
# device; r7 is whatever the first ioctl returned. Presumably both fail (unverified).
r7 = ioctl$LOOP_CTL_ADD(r0, 0x4c80, 0xc)
ioctl$LOOP_CTL_ADD(r1, 0x4c80, r7)
# Connect the MPTCP socket to the address it was bound to (loopback, port field 0x3).
connect$inet6(r3, &(0x7f0000000040)={0xa, 0x3, 0x0, @loopback}, 0x1c)
# Set a 4-byte integer option (level 0x29 = IPPROTO_IPV6, optname 0x2) to 0x8 on r3.
setsockopt$inet6_int(r3, 0x29, 0x2, &(0x7f0000000380)=0x8, 0x4)
# syzkaller pseudo-syscall that opens a usbfs device node; the result is unused.
syz_open_dev$usbfs(&(0x7f0000000e40), 0xb, 0x101301)
[ 58.355446][ T5325] Bluetooth: hci0: command tx timeout [ 58.917053][ T8] ================================================================== [ 58.920193][ T8] BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x2f/0x140 [ 58.923545][ T8] Read of size 8 at addr ffff8880400ebc08 by task kworker/0:0/8 [ 58.926127][ T8] [ 58.926983][ T8] CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 
Not tainted 6.12.0-syzkaller-10689-g7af08b57bcb9 #0 [ 58.930218][ T8] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 58.933806][ T8] Workqueue: events binder_deferred_func [ 58.935814][ T8] Call Trace: [ 58.937137][ T8] <TASK> [ 58.938455][ T8] dump_stack_lvl+0x241/0x360 [ 58.940282][ T8] ? __pfx_dump_stack_lvl+0x10/0x10 [ 58.942180][ T8] ? __pfx__printk+0x10/0x10 [ 58.943895][ T8] ? _printk+0xd5/0x120 [ 58.945338][ T8] ? __virt_addr_valid+0x183/0x530 [ 58.947142][ T8] ? __virt_addr_valid+0x183/0x530 [ 58.949024][ T8] print_report+0x169/0x550 [ 58.950725][ T8] ? __virt_addr_valid+0x183/0x530 [ 58.952754][ T8] ? __virt_addr_valid+0x183/0x530 [ 58.954968][ T8] ? __virt_addr_valid+0x45f/0x530 [ 58.956885][ T8] ? __phys_addr+0xba/0x170 [ 58.958615][ T8] ? __list_del_entry_valid_or_report+0x2f/0x140 [ 58.961111][ T8] kasan_report+0x143/0x180 [ 58.962713][ T8] ? __list_del_entry_valid_or_report+0x2f/0x140 [ 58.965100][ T8] __list_del_entry_valid_or_report+0x2f/0x140 [ 58.967368][ T8] binder_release_work+0xc7/0x480 [ 58.969184][ T8] binder_deferred_func+0x1275/0x1460 [ 58.971228][ T8] ? process_scheduled_works+0x976/0x1840 [ 58.973361][ T8] process_scheduled_works+0xa66/0x1840 [ 58.975284][ T8] ? __pfx_process_scheduled_works+0x10/0x10 [ 58.977560][ T8] ? assign_work+0x364/0x3d0 [ 58.979250][ T8] worker_thread+0x870/0xd30 [ 58.980947][ T8] ? __kthread_parkme+0x169/0x1d0 [ 58.982794][ T8] ? __pfx_worker_thread+0x10/0x10 [ 58.984770][ T8] kthread+0x2f0/0x390 [ 58.986155][ T8] ? __pfx_worker_thread+0x10/0x10 [ 58.987994][ T8] ? __pfx_kthread+0x10/0x10 [ 58.989703][ T8] ret_from_fork+0x4b/0x80 [ 58.991319][ T8] ? 
__pfx_kthread+0x10/0x10 [ 58.993016][ T8] ret_from_fork_asm+0x1a/0x30 [ 58.994744][ T8] </TASK> [ 58.995910][ T8] [ 58.996820][ T8] Allocated by task 5340: [ 58.998400][ T8] kasan_save_track+0x3f/0x80 [ 59.000078][ T8] __kasan_kmalloc+0x98/0xb0 [ 59.001830][ T8] __kmalloc_cache_noprof+0x243/0x390 [ 59.003785][ T8] binder_ioctl_write_read+0xe7f/0xb570 [ 59.005797][ T8] binder_ioctl+0x436/0x1cb0 [ 59.007587][ T8] __se_sys_ioctl+0xf5/0x170 [ 59.009131][ T8] do_syscall_64+0xf3/0x230 [ 59.010775][ T8] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 59.012922][ T8] [ 59.013792][ T8] Freed by task 8: [ 59.015162][ T8] kasan_save_track+0x3f/0x80 [ 59.016895][ T8] kasan_save_free_info+0x40/0x50 [ 59.018694][ T8] __kasan_slab_free+0x59/0x70 [ 59.020360][ T8] kfree+0x196/0x430 [ 59.021789][ T8] binder_deferred_func+0x11df/0x1460 [ 59.023711][ T8] process_scheduled_works+0xa66/0x1840 [ 59.025758][ T8] worker_thread+0x870/0xd30 [ 59.027525][ T8] kthread+0x2f0/0x390 [ 59.029097][ T8] ret_from_fork+0x4b/0x80 [ 59.030660][ T8] ret_from_fork_asm+0x1a/0x30 [ 59.032441][ T8] [ 59.033343][ T8] The buggy address belongs to the object at ffff8880400ebc00 [ 59.033343][ T8] which belongs to the cache kmalloc-64 of size 64 [ 59.038232][ T8] The buggy address is located 8 bytes inside of [ 59.038232][ T8] freed 64-byte region [ffff8880400ebc00, ffff8880400ebc40) [ 59.043610][ T8] [ 59.044547][ T8] The buggy address belongs to the physical page: [ 59.046785][ T8] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x400eb [ 59.050326][ T8] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 59.053715][ T8] page_type: f5(slab) [ 59.055196][ T8] raw: 04fff00000000000 ffff88801ac418c0 ffffea0000cfd140 dead000000000002 [ 59.058457][ T8] raw: 0000000000000000 0000000000200020 00000001f5000000 0000000000000000 [ 59.061521][ T8] page dumped because: kasan: bad access detected [ 59.063781][ T8] page_owner tracks the page as allocated [ 59.065913][ T8] page last allocated via order 
0, migratetype Unmovable, gfp_mask 0x52c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5235, tgid 5235 (sshd), ts 43699374557, free_ts 43695100919 [ 59.073921][ T8] post_alloc_hook+0x1f3/0x230 [ 59.076082][ T8] get_page_from_freelist+0x365c/0x37a0 [ 59.078598][ T8] __alloc_pages_noprof+0x292/0x710 [ 59.081011][ T8] alloc_pages_mpol_noprof+0x3e8/0x680 [ 59.083664][ T8] alloc_slab_page+0x6a/0x140 [ 59.085755][ T8] allocate_slab+0x5a/0x2f0 [ 59.087903][ T8] ___slab_alloc+0xcd1/0x14b0 [ 59.090158][ T8] __slab_alloc+0x58/0xa0 [ 59.092262][ T8] __kmalloc_noprof+0x2e6/0x4c0 [ 59.094317][ T8] tomoyo_encode+0x26f/0x540 [ 59.096238][ T8] tomoyo_realpath_from_path+0x59e/0x5e0 [ 59.098123][ T8] tomoyo_path_perm+0x2b7/0x740 [ 59.099628][ T8] security_inode_getattr+0x130/0x330 [ 59.101576][ T8] vfs_getattr+0x2a/0x3b0 [ 59.103285][ T8] vfs_fstatat+0xa8/0x130 [ 59.104924][ T8] __x64_sys_newfstatat+0x11d/0x1a0 [ 59.106669][ T8] page last free pid 16 tgid 16 stack trace: [ 59.108771][ T8] free_unref_page+0xdef/0x1130 [ 59.110513][ T8] rcu_core+0xaaa/0x17a0 [ 59.111987][ T8] handle_softirqs+0x2d4/0x9b0 [ 59.113751][ T8] run_ksoftirqd+0xca/0x130 [ 59.115355][ T8] smpboot_thread_fn+0x544/0xa30 [ 59.117147][ T8] kthread+0x2f0/0x390 [ 59.118665][ T8] ret_from_fork+0x4b/0x80 [ 59.120237][ T8] ret_from_fork_asm+0x1a/0x30 [ 59.121924][ T8] [ 59.122749][ T8] Memory state around the buggy address: [ 59.124686][ T8] ffff8880400ebb00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 59.127493][ T8] ffff8880400ebb80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 59.130421][ T8] >ffff8880400ebc00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 59.132950][ T8] ^ [ 59.134439][ T8] ffff8880400ebc80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc [ 59.137478][ T8] ffff8880400ebd00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 59.140263][ T8] ================================================================== [ 59.143829][ T8] Kernel panic - not syncing: KASAN: panic_on_warn set 
... [ 59.146625][ T8] CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.12.0-syzkaller-10689-g7af08b57bcb9 #0 [ 59.150267][ T8] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 59.154388][ T8] Workqueue: events binder_deferred_func [ 59.156495][ T8] Call Trace: [ 59.157739][ T8] <TASK> [ 59.158856][ T8] dump_stack_lvl+0x241/0x360 [ 59.160418][ T8] ? __pfx_dump_stack_lvl+0x10/0x10 [ 59.162096][ T8] ? __pfx__printk+0x10/0x10 [ 59.163724][ T8] ? lock_release+0xbf/0xa30 [ 59.165396][ T8] ? vscnprintf+0x5d/0x90 [ 59.167261][ T8] panic+0x349/0x880 [ 59.169175][ T8] ? check_panic_on_warn+0x21/0xb0 [ 59.171595][ T8] ? __pfx_panic+0x10/0x10 [ 59.173654][ T8] ? mark_lock+0x9a/0x360 [ 59.175171][ T8] ? _raw_spin_unlock_irqrestore+0xd8/0x140 [ 59.177356][ T8] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 59.179577][ T8] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 59.182727][ T8] ? print_report+0x502/0x550 [ 59.185250][ T8] check_panic_on_warn+0x86/0xb0 [ 59.187721][ T8] ? __list_del_entry_valid_or_report+0x2f/0x140 [ 59.190917][ T8] end_report+0x77/0x160 [ 59.193138][ T8] kasan_report+0x154/0x180 [ 59.195417][ T8] ? __list_del_entry_valid_or_report+0x2f/0x140 [ 59.198464][ T8] __list_del_entry_valid_or_report+0x2f/0x140 [ 59.201428][ T8] binder_release_work+0xc7/0x480 [ 59.203868][ T8] binder_deferred_func+0x1275/0x1460 [ 59.206461][ T8] ? process_scheduled_works+0x976/0x1840 [ 59.208947][ T8] process_scheduled_works+0xa66/0x1840 [ 59.210929][ T8] ? __pfx_process_scheduled_works+0x10/0x10 [ 59.213131][ T8] ? assign_work+0x364/0x3d0 [ 59.214884][ T8] worker_thread+0x870/0xd30 [ 59.216531][ T8] ? __kthread_parkme+0x169/0x1d0 [ 59.218691][ T8] ? __pfx_worker_thread+0x10/0x10 [ 59.220694][ T8] kthread+0x2f0/0x390 [ 59.222240][ T8] ? __pfx_worker_thread+0x10/0x10 [ 59.224129][ T8] ? __pfx_kthread+0x10/0x10 [ 59.225766][ T8] ret_from_fork+0x4b/0x80 [ 59.227269][ T8] ? 
__pfx_kthread+0x10/0x10 [ 59.228923][ T8] ret_from_fork_asm+0x1a/0x30 [ 59.230714][ T8] </TASK> [ 59.232144][ T8] Kernel Offset: disabled [ 59.233779][ T8] Rebooting in 86400 seconds..