program:
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000100))
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000180)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000080)={0x8, 0x0, &(0x7f0000000400)=[@increfs], 0x0, 0x0, 0x0})
r2 = dup3(r1, r0, 0x0)
r3 = openat$binderfs(0xffffffffffffff9c, &(0x7f0000000040)='./binderfs/binder0\x00', 0x0, 0x0)
mmap$binder(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x1, 0x11, r3, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r3, 0x4018620d, &(0x7f0000000040))
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f00000003c0)={0x10, 0x0, &(0x7f0000000240)=[@acquire, @decrefs], 0x0, 0x0, 0x0})
ioctl$BINDER_WRITE_READ(r0, 0xc0306201, &(0x7f00000001c0)={0x4c, 0x0, &(0x7f0000000300)=[@transaction_sg={0x400c6313, {0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x48, 0x18, &(0x7f0000000540)={@flat=@handle, @flat=@weak_binder={0x73682a85}, @flat=@weak_handle}, &(0x7f0000000200)={0x0, 0x18, 0x30}}}], 0x0, 0x0, 0x0})

[ 89.213927][ T5103] Bluetooth: hci0: command tx timeout
[ 90.243537][ T5120] binder: 5119:5120 unknown command 0
[ 90.252966][ T5120] binder: 5119:5120 ioctl c0306201 200001c0 returned -22
[ 90.256185][ T785] ==================================================================
[ 90.259127][ T785] BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x2f/0x140
[ 90.262548][ T785] Read of size 8 at addr ffff8880007d3308 by task kworker/0:2/785
[ 90.265688][ T785]
[ 90.266683][ T785] CPU: 0 UID: 0 PID: 785 Comm: kworker/0:2 Not tainted 6.12.0-rc1-syzkaller-00125-g0c559323bbaa #0
[ 90.270951][ T785] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 90.275325][ T785] Workqueue: events binder_deferred_func
[ 90.277641][ T785] Call Trace:
[ 90.279051][ T785]  <TASK>
[ 90.280229][ T785]  dump_stack_lvl+0x241/0x360
[ 90.282129][ T785]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 90.284332][ T785]  ? __pfx__printk+0x10/0x10
[ 90.286328][ T785]  ? _printk+0xd5/0x120
[ 90.287991][ T785]  ? __virt_addr_valid+0x183/0x530
[ 90.290161][ T785]  ? __virt_addr_valid+0x183/0x530
[ 90.292276][ T785]  print_report+0x169/0x550
[ 90.293939][ T785]  ? __virt_addr_valid+0x183/0x530
[ 90.295845][ T785]  ? __virt_addr_valid+0x183/0x530
[ 90.298043][ T785]  ? __virt_addr_valid+0x45f/0x530
[ 90.300594][ T785]  ? __phys_addr+0xba/0x170
[ 90.302722][ T785]  ? __list_del_entry_valid_or_report+0x2f/0x140
[ 90.305098][ T785]  kasan_report+0x143/0x180
[ 90.307016][ T785]  ? __list_del_entry_valid_or_report+0x2f/0x140
[ 90.309512][ T785]  __list_del_entry_valid_or_report+0x2f/0x140
[ 90.311926][ T785]  binder_release_work+0xc7/0x480
[ 90.313822][ T785]  binder_deferred_func+0x1275/0x1460
[ 90.316714][ T785]  ? process_scheduled_works+0x976/0x1850
[ 90.320342][ T785]  process_scheduled_works+0xa63/0x1850
[ 90.322863][ T785]  ? __pfx_process_scheduled_works+0x10/0x10
[ 90.325210][ T785]  ? assign_work+0x364/0x3d0
[ 90.326979][ T785]  worker_thread+0x870/0xd30
[ 90.328736][ T785]  ? __kthread_parkme+0x169/0x1d0
[ 90.330474][ T785]  ? __pfx_worker_thread+0x10/0x10
[ 90.332412][ T785]  kthread+0x2f0/0x390
[ 90.333899][ T785]  ? __pfx_worker_thread+0x10/0x10
[ 90.335704][ T785]  ? __pfx_kthread+0x10/0x10
[ 90.337525][ T785]  ret_from_fork+0x4b/0x80
[ 90.339343][ T785]  ? __pfx_kthread+0x10/0x10
[ 90.341385][ T785]  ret_from_fork_asm+0x1a/0x30
[ 90.343511][ T785]  </TASK>
[ 90.345046][ T785]
[ 90.346257][ T785] Allocated by task 5120:
[ 90.348135][ T785]  kasan_save_track+0x3f/0x80
[ 90.350083][ T785]  __kasan_kmalloc+0x98/0xb0
[ 90.351880][ T785]  __kmalloc_cache_noprof+0x19c/0x2c0
[ 90.354037][ T785]  binder_ioctl_write_read+0xe7f/0xb560
[ 90.356328][ T785]  binder_ioctl+0x436/0x1cc0
[ 90.358098][ T785]  __se_sys_ioctl+0xf9/0x170
[ 90.360219][ T785]  do_syscall_64+0xf3/0x230
[ 90.362515][ T785]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 90.365237][ T785]
[ 90.366434][ T785] Freed by task 785:
[ 90.368000][ T785]  kasan_save_track+0x3f/0x80
[ 90.370028][ T785]  kasan_save_free_info+0x40/0x50
[ 90.372048][ T785]  __kasan_slab_free+0x59/0x70
[ 90.373935][ T785]  kfree+0x1a0/0x440
[ 90.375791][ T785]  binder_deferred_func+0x11df/0x1460
[ 90.377839][ T785]  process_scheduled_works+0xa63/0x1850
[ 90.379936][ T785]  worker_thread+0x870/0xd30
[ 90.381849][ T785]  kthread+0x2f0/0x390
[ 90.383583][ T785]  ret_from_fork+0x4b/0x80
[ 90.385355][ T785]  ret_from_fork_asm+0x1a/0x30
[ 90.387034][ T785]
[ 90.387860][ T785] The buggy address belongs to the object at ffff8880007d3300
[ 90.387860][ T785]  which belongs to the cache kmalloc-64 of size 64
[ 90.392607][ T785] The buggy address is located 8 bytes inside of
[ 90.392607][ T785]  freed 64-byte region [ffff8880007d3300, ffff8880007d3340)
[ 90.398779][ T785]
[ 90.399882][ T785] The buggy address belongs to the physical page:
[ 90.402647][ T785] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7d3
[ 90.406027][ T785] ksm flags: 0x7ff00000000000(node=0|zone=0|lastcpupid=0x7ff)
[ 90.408912][ T785] page_type: f5(slab)
[ 90.410507][ T785] raw: 007ff00000000000 ffff88801ac418c0 ffffea0000739480 dead000000000003
[ 90.413778][ T785] raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000
[ 90.417670][ T785] page dumped because: kasan: bad access detected
[ 90.420783][ T785] page_owner tracks the page as allocated
[ 90.423201][ T785] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4813, tgid 4813 (dhcpcd), ts 52434106215, free_ts 52420469835
[ 90.430149][ T785]  post_alloc_hook+0x1f3/0x230
[ 90.432092][ T785]  get_page_from_freelist+0x3045/0x3190
[ 90.434142][ T785]  __alloc_pages_noprof+0x256/0x6c0
[ 90.436560][ T785]  alloc_pages_mpol_noprof+0x3e8/0x680
[ 90.439011][ T785]  alloc_slab_page+0x6a/0x120
[ 90.440580][ T785]  allocate_slab+0x5a/0x2f0
[ 90.442311][ T785]  ___slab_alloc+0xcd1/0x14b0
[ 90.444110][ T785]  __slab_alloc+0x58/0xa0
[ 90.445989][ T785]  __kmalloc_cache_noprof+0x1d5/0x2c0
[ 90.448515][ T785]  register_netdevice+0x59c/0x1b00
[ 90.451193][ T785]  lapbeth_device_event+0x770/0xa00
[ 90.453322][ T785]  notifier_call_chain+0x19f/0x3e0
[ 90.455326][ T785]  __dev_notify_flags+0x207/0x400
[ 90.457196][ T785]  dev_change_flags+0xf0/0x1a0
[ 90.458975][ T785]  devinet_ioctl+0xa4e/0x1aa0
[ 90.460767][ T785]  inet_ioctl+0x3d7/0x4f0
[ 90.462527][ T785] page last free pid 4894 tgid 4894 stack trace:
[ 90.465398][ T785]  free_unref_folios+0xf12/0x18d0
[ 90.467716][ T785]  folios_put_refs+0x76c/0x860
[ 90.469920][ T785]  free_pages_and_swap_cache+0x5c8/0x690
[ 90.472179][ T785]  tlb_flush_mmu+0x3a3/0x680
[ 90.473907][ T785]  tlb_finish_mmu+0xd4/0x200
[ 90.475738][ T785]  relocate_vma_down+0x527/0x630
[ 90.477718][ T785]  setup_arg_pages+0x668/0xc10
[ 90.480064][ T785]  load_elf_binary+0xb7d/0x2710
[ 90.482690][ T785]  bprm_execve+0xaf8/0x1770
[ 90.484843][ T785]  do_execveat_common+0x55f/0x6f0
[ 90.487084][ T785]  __x64_sys_execve+0x92/0xb0
[ 90.488839][ T785]  do_syscall_64+0xf3/0x230
[ 90.490531][ T785]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 90.492833][ T785]
[ 90.493782][ T785] Memory state around the buggy address:
[ 90.495895][ T785]  ffff8880007d3200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 90.498977][ T785]  ffff8880007d3280: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 90.502528][ T785] >ffff8880007d3300: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 90.506260][ T785]                       ^
[ 90.508056][ T785]  ffff8880007d3380: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 90.511113][ T785]  ffff8880007d3400: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 90.514182][ T785] ==================================================================
[ 90.518667][ T785] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 90.521925][ T785] CPU: 0 UID: 0 PID: 785 Comm: kworker/0:2 Not tainted 6.12.0-rc1-syzkaller-00125-g0c559323bbaa #0
[ 90.525934][ T785] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 90.529912][ T785] Workqueue: events binder_deferred_func
[ 90.532062][ T785] Call Trace:
[ 90.533496][ T785]  <TASK>
[ 90.534901][ T785]  dump_stack_lvl+0x241/0x360
[ 90.537233][ T785]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 90.539839][ T785]  ? __pfx__printk+0x10/0x10
[ 90.541961][ T785]  ? lock_release+0xbf/0xa30
[ 90.543762][ T785]  ? vscnprintf+0x5d/0x90
[ 90.545309][ T785]  panic+0x349/0x880
[ 90.546926][ T785]  ? check_panic_on_warn+0x21/0xb0
[ 90.548888][ T785]  ? __pfx_panic+0x10/0x10
[ 90.550590][ T785]  ? mark_lock+0x9a/0x360
[ 90.552147][ T785]  ? _raw_spin_unlock_irqrestore+0xd8/0x140
[ 90.554424][ T785]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 90.556772][ T785]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 90.559554][ T785]  ? print_report+0x502/0x550
[ 90.561796][ T785]  check_panic_on_warn+0x86/0xb0
[ 90.564550][ T785]  ? __list_del_entry_valid_or_report+0x2f/0x140
[ 90.567135][ T785]  end_report+0x77/0x160
[ 90.568769][ T785]  kasan_report+0x154/0x180
[ 90.570587][ T785]  ? __list_del_entry_valid_or_report+0x2f/0x140
[ 90.572920][ T785]  __list_del_entry_valid_or_report+0x2f/0x140
[ 90.575422][ T785]  binder_release_work+0xc7/0x480
[ 90.577646][ T785]  binder_deferred_func+0x1275/0x1460
[ 90.580116][ T785]  ? process_scheduled_works+0x976/0x1850
[ 90.582801][ T785]  process_scheduled_works+0xa63/0x1850
[ 90.585061][ T785]  ? __pfx_process_scheduled_works+0x10/0x10
[ 90.587324][ T785]  ? assign_work+0x364/0x3d0
[ 90.589087][ T785]  worker_thread+0x870/0xd30
[ 90.590883][ T785]  ? __kthread_parkme+0x169/0x1d0
[ 90.592818][ T785]  ? __pfx_worker_thread+0x10/0x10
[ 90.594996][ T785]  kthread+0x2f0/0x390
[ 90.597140][ T785]  ? __pfx_worker_thread+0x10/0x10
[ 90.599992][ T785]  ? __pfx_kthread+0x10/0x10
[ 90.601816][ T785]  ret_from_fork+0x4b/0x80
[ 90.603340][ T785]  ? __pfx_kthread+0x10/0x10
[ 90.605047][ T785]  ret_from_fork_asm+0x1a/0x30
[ 90.607321][ T785]  </TASK>
[ 90.609136][ T785] Kernel Offset: disabled
[ 90.611099][ T785] Rebooting in 86400 seconds..
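Reading the report against the program: the freed object is a kmalloc-64 allocation made by the program's own thread (task 5120) inside binder_ioctl_write_read, i.e. while parsing a BINDER_WRITE_READ write buffer; it is freed by the kworker in binder_deferred_func when the process is torn down, and then read again 8 bytes into the object by __list_del_entry_valid_or_report, called from binder_release_work. Offset 8 of an object that starts with a struct list_head is its prev pointer, which is the first field that helper reads, so something that was kfree()d is still linked on a binder work list when the proc's pending work is drained. The first check a practitioner should make is what the hex command words in the program actually are, because syzkaller's labels are not authoritative once a value has been mutated: the decoder below is an added example for this page (not syzkaller, syzbot or kernel code) that unpacks the Linux _IOC() encoding and maps the result to binder names. It shows that 0xc0306201 is _IOWR('b', 1, 48) = BINDER_WRITE_READ and 0x4018620d is _IOW('b', 13, 24) = BINDER_SET_CONTEXT_MGR_EXT, matching their labels, but the word labelled @transaction_sg, 0x400c6313, is _IOW('c', 19, 12): not BC_TRANSACTION_SG (_IOW('c', 17, 72)) but nr 19 with a 12-byte argument, which in my reading of include/uapi/linux/android/binder.h for this kernel cycle is BC_REQUEST_FREEZE_NOTIFICATION taking a packed struct binder_handle_cookie. The BC_* names for nr 19..21 are an assumption to verify against the tree at the commit named in the report; the rest of the tables and the bit layout are the long-standing UAPI.

```c
/*
 * Decoder for the ioctl request words and BC_* command words that appear in
 * a syzkaller binder program. Added example for this report; it is not code
 * from syzkaller, syzbot or the kernel. The name tables are my transcription
 * of include/uapi/linux/android/binder.h; entries 19..21 of the BC_* table
 * (freeze-notification commands) are an assumption to verify against the tree.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bit layout of _IOC(dir, type, nr, size) from asm-generic/ioctl.h. */
#define IOC_NRSHIFT    0
#define IOC_TYPESHIFT  8
#define IOC_SIZESHIFT 16
#define IOC_DIRSHIFT  30
#define IOC_NRMASK    0xffu
#define IOC_TYPEMASK  0xffu
#define IOC_SIZEMASK  0x3fffu
#define IOC_DIRMASK   0x3u
enum { IOC_NONE = 0, IOC_WRITE = 1, IOC_READ = 2 };

struct ioc_fields {
    unsigned dir;   /* IOC_WRITE | IOC_READ, from user space's point of view */
    char     type;  /* magic: 'b' for binder ioctls, 'c' for BC_* write commands */
    unsigned nr;
    unsigned size;  /* sizeof() of the argument the UAPI declares, 14 bits */
};

struct ioc_fields ioc_decode(uint32_t cmd)
{
    struct ioc_fields f;
    f.dir  = (cmd >> IOC_DIRSHIFT)  & IOC_DIRMASK;
    f.type = (char)((cmd >> IOC_TYPESHIFT) & IOC_TYPEMASK);
    f.nr   = (cmd >> IOC_NRSHIFT)   & IOC_NRMASK;
    f.size = (cmd >> IOC_SIZESHIFT) & IOC_SIZEMASK;
    return f;
}

/* Inverse of ioc_decode(); handy for computing what a label should have been. */
uint32_t ioc_encode(unsigned dir, char type, unsigned nr, unsigned size)
{
    return ((dir & IOC_DIRMASK) << IOC_DIRSHIFT) |
           (((uint32_t)(unsigned char)type & IOC_TYPEMASK) << IOC_TYPESHIFT) |
           ((nr & IOC_NRMASK) << IOC_NRSHIFT) |
           ((size & IOC_SIZEMASK) << IOC_SIZESHIFT);
}

/* ioctl numbers on the binder device, magic 'b'. */
static const struct { unsigned nr; const char *name; } binder_ioctls[] = {
    {  1, "BINDER_WRITE_READ" },          /* _IOWR, struct binder_write_read, 48 bytes on 64-bit */
    {  3, "BINDER_SET_IDLE_TIMEOUT" },    {  5, "BINDER_SET_MAX_THREADS" },
    {  6, "BINDER_SET_IDLE_PRIORITY" },   {  7, "BINDER_SET_CONTEXT_MGR" },
    {  8, "BINDER_THREAD_EXIT" },         {  9, "BINDER_VERSION" },
    { 11, "BINDER_GET_NODE_DEBUG_INFO" }, { 12, "BINDER_GET_NODE_INFO_FOR_REF" },
    { 13, "BINDER_SET_CONTEXT_MGR_EXT" }, /* _IOW, struct flat_binder_object, 24 bytes */
    { 14, "BINDER_FREEZE" },              { 15, "BINDER_GET_FROZEN_INFO" },
    { 16, "BINDER_ENABLE_ONEWAY_SPAM_DETECTION" }, { 17, "BINDER_GET_EXTENDED_ERROR" },
};

/* Write-buffer commands parsed by binder_thread_write(), magic 'c', indexed by nr. */
static const char *const bc_names[] = {
    "BC_TRANSACTION", "BC_REPLY", "BC_ACQUIRE_RESULT", "BC_FREE_BUFFER",
    "BC_INCREFS", "BC_ACQUIRE", "BC_RELEASE", "BC_DECREFS",
    "BC_INCREFS_DONE", "BC_ACQUIRE_DONE", "BC_ATTEMPT_ACQUIRE",
    "BC_REGISTER_LOOPER", "BC_ENTER_LOOPER", "BC_EXIT_LOOPER",
    "BC_REQUEST_DEATH_NOTIFICATION", "BC_CLEAR_DEATH_NOTIFICATION",
    "BC_DEAD_BINDER_DONE", "BC_TRANSACTION_SG", "BC_REPLY_SG",
    /* assumption: freeze-notification commands, 12-byte packed struct binder_handle_cookie */
    "BC_REQUEST_FREEZE_NOTIFICATION", "BC_CLEAR_FREEZE_NOTIFICATION",
    "BC_FREEZE_NOTIFICATION_DONE",
};

const char *binder_ioctl_name(uint32_t cmd)
{
    struct ioc_fields f = ioc_decode(cmd);
    if (f.type != 'b')
        return NULL;
    for (size_t i = 0; i < sizeof binder_ioctls / sizeof binder_ioctls[0]; i++)
        if (binder_ioctls[i].nr == f.nr)
            return binder_ioctls[i].name;
    return NULL;
}

const char *binder_bc_name(uint32_t cmd)
{
    struct ioc_fields f = ioc_decode(cmd);
    if (f.type != 'c' || f.nr >= sizeof bc_names / sizeof bc_names[0])
        return NULL;
    return bc_names[f.nr];
}

/* Render a word as the _IOx('m', nr, size) macro a header would use, plus its name. */
int ioc_describe(uint32_t cmd, char *buf, size_t len)
{
    static const char *const dirs[] = { "_IO", "_IOW", "_IOR", "_IOWR" };
    struct ioc_fields f = ioc_decode(cmd);
    const char *name = binder_ioctl_name(cmd);
    if (!name)
        name = binder_bc_name(cmd);
    return snprintf(buf, len, "0x%08x = %s('%c', %u, %u) %s", cmd, dirs[f.dir],
                    f.type, f.nr, f.size, name ? name : "<unknown>");
}

int main(void)
{
    /* The three command words that appear in the program above. */
    const uint32_t words[] = { 0xc0306201u, 0x4018620du, 0x400c6313u };
    char buf[128];
    for (size_t i = 0; i < sizeof words / sizeof words[0]; i++) {
        ioc_describe(words[i], buf, sizeof buf);
        puts(buf);
    }
    return 0;
}
```

One caveat when using the size field to reason about how many bytes binder_thread_write() consumes: it only reflects what the UAPI macro declares, and the four reference-counting commands BC_INCREFS/BC_ACQUIRE/BC_RELEASE/BC_DECREFS are declared with _IO (size 0) yet are followed by a 4-byte target handle in the buffer, so always confirm against the parser rather than the macro alone.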