program:
# Fuzzer-generated reproducer (syzkaller program syntax). The calls are listed
# in program order and the kernel console output of the run follows the program.
# Only the calls made on the two ./binderfs/binder0 descriptors go through the
# binder driver that the KASAN report names; the remaining calls look like
# unrelated fuzzer noise - confirm by minimising before relying on that.
#
# perf_event_open(attr, pid=0x0, cpu=-1, group_fd=-1, flags=0x9). The attr
# struct is given as positional fields; the returned fd is not bound to a
# result variable and no later call refers to it.
perf_event_open(&(0x7f0000000500)={0x2, 0x80, 0x72, 0x1, 0x0, 0x0, 0x0, 0x7fed, 0x180, 0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x107b7b, 0x1, @perf_bp={0x0, 0x4}, 0x2200, 0x2e, 0xfffffbff, 0x2, 0x2, 0x0, 0x6, 0x0, 0x0, 0x0, 0x2003}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x9)
# pipe(): r0 is bound to the first fd (read end), r1 to the second (write end).
pipe(&(0x7f00000000c0)={<r0=>0xffffffffffffffff, <r1=>0xffffffffffffffff})
# r2: AF_NETLINK (0x10) socket, type 0x3, protocol 0x0.
r2 = socket$netlink(0x10, 0x3, 0x0)
# Splice from the pipe read end into the netlink socket, length 0x84ffe0.
# Nothing in this program has written to r1 at this point.
splice(r0, 0x0, r2, 0x0, 0x84ffe0, 0x0)
# NOTE(review): r0 is the pipe read end, not a socket, so this bind is expected
# to fail - looks like a fuzzer fd mix-up rather than part of the trigger.
bind$netlink(r0, &(0x7f0000000080)={0x10, 0x0, 0x25dfdbff, 0x10000}, 0xc)
# r3: AF_INET6 (0xa) stream socket with protocol 0x106 (IPPROTO_MPTCP), bound
# to the IPv6 loopback address with port field 0x3.
r3 = socket$inet6_mptcp(0xa, 0x1, 0x106)
bind$inet6(r3, &(0x7f0000000000)={0xa, 0x3, 0x0, @loopback}, 0x1c)
# Binder portion of the reproducer. The report that follows shows a kmalloc-64
# object allocated in binder_ioctl_write_read(), freed in binder_deferred_func()
# and then read again by binder_release_work() called from that same work
# function, so triage should start from the BINDER_WRITE_READ calls here.
#
# r4: first open of the binder device (flags 0x0).
r4 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
# Context-manager ioctl issued with a NULL (0x0) argument pointer.
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r4, 0x40046207, 0x0)
# r5: second, separate open of the same device (flags 0x1802).
r5 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000100)='./binderfs/binder0\x00', 0x1802, 0x0)
# syz_clone is a syzkaller pseudo-syscall; flags 0x11 is SIGCHLD with no
# CLONE_* bits, i.e. a fork-like child.
syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)
# BINDER_WRITE_READ with an 8-byte write buffer holding one @increfs command;
# read_size is 0, so nothing is read back.
ioctl$BINDER_WRITE_READ(r5, 0xc0306201, &(0x7f0000000000)={0x8, 0x0, &(0x7f00000003c0)=[@increfs], 0x0, 0x0, 0x0})
# dup3 onto r4 replaces that descriptor with a duplicate of r5, dropping the
# fd-table reference to the first open file.
# NOTE(review): presumably related to the deferred release work seen in the
# report; the child created by syz_clone may still hold its own reference -
# confirm when minimising.
r6 = dup3(r5, r4, 0x0)
# 16-byte write buffer: 4-byte command word plus a 12-byte payload left at its
# default. The command word is overridden to 0x400c6313, which decodes as
# _IOW('c', 0x13, 12 bytes) - not the death-notification command the
# @request_death arm is named after.
# NOTE(review): nr 0x13 looks like BC_REQUEST_FREEZE_NOTIFICATION; confirm
# against the uapi binder.h of the tested tree.
ioctl$BINDER_WRITE_READ(r6, 0xc0306201, &(0x7f0000000240)={0x10, 0x0, &(0x7f00000002c0)=[@request_death={0x400c6313}], 0x0, 0x0, 0x0})
# NOTE(review): r0 and r1 are the pipe ends, not a loop-control device, so
# these two ioctls are expected to fail; r7 only feeds the first call's result
# into the second. Likely fuzzer noise.
r7 = ioctl$LOOP_CTL_ADD(r0, 0x4c80, 0xc)
ioctl$LOOP_CTL_ADD(r1, 0x4c80, r7)
# Connect the MPTCP socket to the loopback address and port field it was bound
# to, then set an int option on it (level 0x29 = IPPROTO_IPV6, optname 0x2,
# value 0x8).
connect$inet6(r3, &(0x7f0000000040)={0xa, 0x3, 0x0, @loopback}, 0x1c)
setsockopt$inet6_int(r3, 0x29, 0x2, &(0x7f0000000380)=0x8, 0x4)
# syzkaller pseudo-syscall that opens a device node from a path template; the
# template bytes at 0x7f0000000e40 are not shown and the result is unused.
syz_open_dev$usbfs(&(0x7f0000000e40), 0xb, 0x101301)

[   58.355446][ T5325] Bluetooth: hci0: command tx timeout
[   58.917053][    T8] ==================================================================
[   58.920193][    T8] BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x2f/0x140
[   58.923545][    T8] Read of size 8 at addr ffff8880400ebc08 by task kworker/0:0/8
[   58.926127][    T8] 
[   58.926983][    T8] CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.12.0-syzkaller-10689-g7af08b57bcb9 #0
[   58.930218][    T8] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   58.933806][    T8] Workqueue: events binder_deferred_func
[   58.935814][    T8] Call Trace:
[   58.937137][    T8]  <TASK>
[   58.938455][    T8]  dump_stack_lvl+0x241/0x360
[   58.940282][    T8]  ? __pfx_dump_stack_lvl+0x10/0x10
[   58.942180][    T8]  ? __pfx__printk+0x10/0x10
[   58.943895][    T8]  ? _printk+0xd5/0x120
[   58.945338][    T8]  ? __virt_addr_valid+0x183/0x530
[   58.947142][    T8]  ? __virt_addr_valid+0x183/0x530
[   58.949024][    T8]  print_report+0x169/0x550
[   58.950725][    T8]  ? __virt_addr_valid+0x183/0x530
[   58.952754][    T8]  ? __virt_addr_valid+0x183/0x530
[   58.954968][    T8]  ? __virt_addr_valid+0x45f/0x530
[   58.956885][    T8]  ? __phys_addr+0xba/0x170
[   58.958615][    T8]  ? __list_del_entry_valid_or_report+0x2f/0x140
[   58.961111][    T8]  kasan_report+0x143/0x180
[   58.962713][    T8]  ? __list_del_entry_valid_or_report+0x2f/0x140
[   58.965100][    T8]  __list_del_entry_valid_or_report+0x2f/0x140
[   58.967368][    T8]  binder_release_work+0xc7/0x480
[   58.969184][    T8]  binder_deferred_func+0x1275/0x1460
[   58.971228][    T8]  ? process_scheduled_works+0x976/0x1840
[   58.973361][    T8]  process_scheduled_works+0xa66/0x1840
[   58.975284][    T8]  ? __pfx_process_scheduled_works+0x10/0x10
[   58.977560][    T8]  ? assign_work+0x364/0x3d0
[   58.979250][    T8]  worker_thread+0x870/0xd30
[   58.980947][    T8]  ? __kthread_parkme+0x169/0x1d0
[   58.982794][    T8]  ? __pfx_worker_thread+0x10/0x10
[   58.984770][    T8]  kthread+0x2f0/0x390
[   58.986155][    T8]  ? __pfx_worker_thread+0x10/0x10
[   58.987994][    T8]  ? __pfx_kthread+0x10/0x10
[   58.989703][    T8]  ret_from_fork+0x4b/0x80
[   58.991319][    T8]  ? __pfx_kthread+0x10/0x10
[   58.993016][    T8]  ret_from_fork_asm+0x1a/0x30
[   58.994744][    T8]  </TASK>
[   58.995910][    T8] 
[   58.996820][    T8] Allocated by task 5340:
[   58.998400][    T8]  kasan_save_track+0x3f/0x80
[   59.000078][    T8]  __kasan_kmalloc+0x98/0xb0
[   59.001830][    T8]  __kmalloc_cache_noprof+0x243/0x390
[   59.003785][    T8]  binder_ioctl_write_read+0xe7f/0xb570
[   59.005797][    T8]  binder_ioctl+0x436/0x1cb0
[   59.007587][    T8]  __se_sys_ioctl+0xf5/0x170
[   59.009131][    T8]  do_syscall_64+0xf3/0x230
[   59.010775][    T8]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   59.012922][    T8] 
[   59.013792][    T8] Freed by task 8:
[   59.015162][    T8]  kasan_save_track+0x3f/0x80
[   59.016895][    T8]  kasan_save_free_info+0x40/0x50
[   59.018694][    T8]  __kasan_slab_free+0x59/0x70
[   59.020360][    T8]  kfree+0x196/0x430
[   59.021789][    T8]  binder_deferred_func+0x11df/0x1460
[   59.023711][    T8]  process_scheduled_works+0xa66/0x1840
[   59.025758][    T8]  worker_thread+0x870/0xd30
[   59.027525][    T8]  kthread+0x2f0/0x390
[   59.029097][    T8]  ret_from_fork+0x4b/0x80
[   59.030660][    T8]  ret_from_fork_asm+0x1a/0x30
[   59.032441][    T8] 
[   59.033343][    T8] The buggy address belongs to the object at ffff8880400ebc00
[   59.033343][    T8]  which belongs to the cache kmalloc-64 of size 64
[   59.038232][    T8] The buggy address is located 8 bytes inside of
[   59.038232][    T8]  freed 64-byte region [ffff8880400ebc00, ffff8880400ebc40)
[   59.043610][    T8] 
[   59.044547][    T8] The buggy address belongs to the physical page:
[   59.046785][    T8] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x400eb
[   59.050326][    T8] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[   59.053715][    T8] page_type: f5(slab)
[   59.055196][    T8] raw: 04fff00000000000 ffff88801ac418c0 ffffea0000cfd140 dead000000000002
[   59.058457][    T8] raw: 0000000000000000 0000000000200020 00000001f5000000 0000000000000000
[   59.061521][    T8] page dumped because: kasan: bad access detected
[   59.063781][    T8] page_owner tracks the page as allocated
[   59.065913][    T8] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c40(GFP_NOFS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5235, tgid 5235 (sshd), ts 43699374557, free_ts 43695100919
[   59.073921][    T8]  post_alloc_hook+0x1f3/0x230
[   59.076082][    T8]  get_page_from_freelist+0x365c/0x37a0
[   59.078598][    T8]  __alloc_pages_noprof+0x292/0x710
[   59.081011][    T8]  alloc_pages_mpol_noprof+0x3e8/0x680
[   59.083664][    T8]  alloc_slab_page+0x6a/0x140
[   59.085755][    T8]  allocate_slab+0x5a/0x2f0
[   59.087903][    T8]  ___slab_alloc+0xcd1/0x14b0
[   59.090158][    T8]  __slab_alloc+0x58/0xa0
[   59.092262][    T8]  __kmalloc_noprof+0x2e6/0x4c0
[   59.094317][    T8]  tomoyo_encode+0x26f/0x540
[   59.096238][    T8]  tomoyo_realpath_from_path+0x59e/0x5e0
[   59.098123][    T8]  tomoyo_path_perm+0x2b7/0x740
[   59.099628][    T8]  security_inode_getattr+0x130/0x330
[   59.101576][    T8]  vfs_getattr+0x2a/0x3b0
[   59.103285][    T8]  vfs_fstatat+0xa8/0x130
[   59.104924][    T8]  __x64_sys_newfstatat+0x11d/0x1a0
[   59.106669][    T8] page last free pid 16 tgid 16 stack trace:
[   59.108771][    T8]  free_unref_page+0xdef/0x1130
[   59.110513][    T8]  rcu_core+0xaaa/0x17a0
[   59.111987][    T8]  handle_softirqs+0x2d4/0x9b0
[   59.113751][    T8]  run_ksoftirqd+0xca/0x130
[   59.115355][    T8]  smpboot_thread_fn+0x544/0xa30
[   59.117147][    T8]  kthread+0x2f0/0x390
[   59.118665][    T8]  ret_from_fork+0x4b/0x80
[   59.120237][    T8]  ret_from_fork_asm+0x1a/0x30
[   59.121924][    T8] 
[   59.122749][    T8] Memory state around the buggy address:
[   59.124686][    T8]  ffff8880400ebb00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   59.127493][    T8]  ffff8880400ebb80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[   59.130421][    T8] >ffff8880400ebc00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   59.132950][    T8]                       ^
[   59.134439][    T8]  ffff8880400ebc80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   59.137478][    T8]  ffff8880400ebd00: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   59.140263][    T8] ==================================================================
[   59.143829][    T8] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   59.146625][    T8] CPU: 0 UID: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.12.0-syzkaller-10689-g7af08b57bcb9 #0
[   59.150267][    T8] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   59.154388][    T8] Workqueue: events binder_deferred_func
[   59.156495][    T8] Call Trace:
[   59.157739][    T8]  <TASK>
[   59.158856][    T8]  dump_stack_lvl+0x241/0x360
[   59.160418][    T8]  ? __pfx_dump_stack_lvl+0x10/0x10
[   59.162096][    T8]  ? __pfx__printk+0x10/0x10
[   59.163724][    T8]  ? lock_release+0xbf/0xa30
[   59.165396][    T8]  ? vscnprintf+0x5d/0x90
[   59.167261][    T8]  panic+0x349/0x880
[   59.169175][    T8]  ? check_panic_on_warn+0x21/0xb0
[   59.171595][    T8]  ? __pfx_panic+0x10/0x10
[   59.173654][    T8]  ? mark_lock+0x9a/0x360
[   59.175171][    T8]  ? _raw_spin_unlock_irqrestore+0xd8/0x140
[   59.177356][    T8]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   59.179577][    T8]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   59.182727][    T8]  ? print_report+0x502/0x550
[   59.185250][    T8]  check_panic_on_warn+0x86/0xb0
[   59.187721][    T8]  ? __list_del_entry_valid_or_report+0x2f/0x140
[   59.190917][    T8]  end_report+0x77/0x160
[   59.193138][    T8]  kasan_report+0x154/0x180
[   59.195417][    T8]  ? __list_del_entry_valid_or_report+0x2f/0x140
[   59.198464][    T8]  __list_del_entry_valid_or_report+0x2f/0x140
[   59.201428][    T8]  binder_release_work+0xc7/0x480
[   59.203868][    T8]  binder_deferred_func+0x1275/0x1460
[   59.206461][    T8]  ? process_scheduled_works+0x976/0x1840
[   59.208947][    T8]  process_scheduled_works+0xa66/0x1840
[   59.210929][    T8]  ? __pfx_process_scheduled_works+0x10/0x10
[   59.213131][    T8]  ? assign_work+0x364/0x3d0
[   59.214884][    T8]  worker_thread+0x870/0xd30
[   59.216531][    T8]  ? __kthread_parkme+0x169/0x1d0
[   59.218691][    T8]  ? __pfx_worker_thread+0x10/0x10
[   59.220694][    T8]  kthread+0x2f0/0x390
[   59.222240][    T8]  ? __pfx_worker_thread+0x10/0x10
[   59.224129][    T8]  ? __pfx_kthread+0x10/0x10
[   59.225766][    T8]  ret_from_fork+0x4b/0x80
[   59.227269][    T8]  ? __pfx_kthread+0x10/0x10
[   59.228923][    T8]  ret_from_fork_asm+0x1a/0x30
[   59.230714][    T8]  </TASK>
[   59.232144][    T8] Kernel Offset: disabled
[   59.233779][    T8] Rebooting in 86400 seconds..