last executing test programs:

0s ago: executing program 3 (id=4):
r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_SET_CONTEXT_MGR_EXT(r0, 0x4018620d, &(0x7f0000000080)={0x73622a85, 0x280b})
r1 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
r2 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0)
ioctl$BINDER_WRITE_READ(r2, 0xc0306201, &(0x7f0000000000)={0x8, 0x0, &(0x7f00000003c0)=[@increfs], 0x0, 0x0, 0x0})
dup3(r2, r1, 0x0)
ioctl$BINDER_WRITE_READ(r1, 0xc0306201, &(0x7f0000000580)={0x10, 0x0, &(0x7f0000000040)=[@request_death={0x400c6313, 0x0, 0xffffff7f00000000}], 0x0, 0x1000000000000, 0x0})
r3 = openat$binder_debug(0xffffffffffffff9c, &(0x7f00000002c0)='/sys/kernel/debug/binder/state\x00', 0x0, 0x0)
lseek(r3, 0x851, 0x0)

kernel console output (not intermixed with test programs):

[   12.338709][   T24] audit: type=1400 audit(1733042261.439:62): avc:  denied  { noatsecure } for  pid=219 comm="sshd" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[   12.341744][   T24] audit: type=1400 audit(1733042261.439:63): avc:  denied  { write } for  pid=219 comm="sh" path="pipe:[1849]" dev="pipefs" ino=1849 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:sshd_t tclass=fifo_file permissive=1
[   12.345060][   T24] audit: type=1400 audit(1733042261.439:64): avc:  denied  { rlimitinh } for  pid=219 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[   12.348060][   T24] audit: type=1400 audit(1733042261.439:65): avc:  denied  { siginh } for  pid=219 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
Warning: Permanently added '10.128.10.6' (ED25519) to the list of known hosts.
[   18.961796][   T24] audit: type=1400 audit(1733042268.069:66): avc:  denied  { mounton } for  pid=273 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1925 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[   18.962791][  T273] cgroup: Unknown subsys name 'net'
[   18.964892][   T24] audit: type=1400 audit(1733042268.069:67): avc:  denied  { mount } for  pid=273 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[   18.968593][   T24] audit: type=1400 audit(1733042268.079:68): avc:  denied  { unmount } for  pid=273 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[   18.968729][  T273] cgroup: Unknown subsys name 'devices'
[   19.057418][  T273] cgroup: Unknown subsys name 'hugetlb'
[   19.062812][  T273] cgroup: Unknown subsys name 'rlimit'
[   19.290087][   T24] audit: type=1400 audit(1733042268.399:69): avc:  denied  { setattr } for  pid=273 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=249 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[   19.313091][   T24] audit: type=1400 audit(1733042268.399:70): avc:  denied  { mounton } for  pid=273 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[   19.318220][  T276] SELinux:  Context root:object_r:swapfile_t is not valid (left unmapped).
[   19.337546][   T24] audit: type=1400 audit(1733042268.399:71): avc:  denied  { mount } for  pid=273 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
Setting up swapspace version 1, size = 127995904 bytes
[   19.368876][   T24] audit: type=1400 audit(1733042268.449:72): avc:  denied  { relabelto } for  pid=276 comm="mkswap" name="swap-file" dev="sda1" ino=1928 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[   19.394157][   T24] audit: type=1400 audit(1733042268.449:73): avc:  denied  { write } for  pid=276 comm="mkswap" path="/root/swap-file" dev="sda1" ino=1928 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[   19.422379][   T24] audit: type=1400 audit(1733042268.529:74): avc:  denied  { read } for  pid=273 comm="syz-executor" name="swap-file" dev="sda1" ino=1928 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[   19.447688][   T24] audit: type=1400 audit(1733042268.529:75): avc:  denied  { open } for  pid=273 comm="syz-executor" path="/root/swap-file" dev="sda1" ino=1928 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:unlabeled_t tclass=file permissive=1 trawcon="root:object_r:swapfile_t"
[   19.473595][  T273] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   20.422896][  T283] bridge0: port 1(bridge_slave_0) entered blocking state
[   20.429783][  T283] bridge0: port 1(bridge_slave_0) entered disabled state
[   20.437048][  T283] device bridge_slave_0 entered promiscuous mode
[   20.443665][  T283] bridge0: port 2(bridge_slave_1) entered blocking state
[   20.450676][  T283] bridge0: port 2(bridge_slave_1) entered disabled state
[   20.457870][  T283] device bridge_slave_1 entered promiscuous mode
[   20.470909][  T284] bridge0: port 1(bridge_slave_0) entered blocking state
[   20.477787][  T284] bridge0: port 1(bridge_slave_0) entered disabled state
[   20.484820][  T284] device bridge_slave_0 entered promiscuous mode
[   20.491561][  T284] bridge0: port 2(bridge_slave_1) entered blocking state
[   20.498453][  T284] bridge0: port 2(bridge_slave_1) entered disabled state
[   20.505588][  T284] device bridge_slave_1 entered promiscuous mode
[   20.544654][  T287] bridge0: port 1(bridge_slave_0) entered blocking state
[   20.551513][  T287] bridge0: port 1(bridge_slave_0) entered disabled state
[   20.558745][  T287] device bridge_slave_0 entered promiscuous mode
[   20.565107][  T285] bridge0: port 1(bridge_slave_0) entered blocking state
[   20.571942][  T285] bridge0: port 1(bridge_slave_0) entered disabled state
[   20.579119][  T285] device bridge_slave_0 entered promiscuous mode
[   20.585722][  T285] bridge0: port 2(bridge_slave_1) entered blocking state
[   20.592589][  T285] bridge0: port 2(bridge_slave_1) entered disabled state
[   20.599791][  T285] device bridge_slave_1 entered promiscuous mode
[   20.612078][  T287] bridge0: port 2(bridge_slave_1) entered blocking state
[   20.619072][  T287] bridge0: port 2(bridge_slave_1) entered disabled state
[   20.626398][  T287] device bridge_slave_1 entered promiscuous mode
[   20.666385][  T286] bridge0: port 1(bridge_slave_0) entered blocking state
[   20.673224][  T286] bridge0: port 1(bridge_slave_0) entered disabled state
[   20.680580][  T286] device bridge_slave_0 entered promiscuous mode
[   20.687327][  T286] bridge0: port 2(bridge_slave_1) entered blocking state
[   20.694155][  T286] bridge0: port 2(bridge_slave_1) entered disabled state
[   20.701397][  T286] device bridge_slave_1 entered promiscuous mode
[   20.791837][  T283] bridge0: port 2(bridge_slave_1) entered blocking state
[   20.798715][  T283] bridge0: port 2(bridge_slave_1) entered forwarding state
[   20.805798][  T283] bridge0: port 1(bridge_slave_0) entered blocking state
[   20.812592][  T283] bridge0: port 1(bridge_slave_0) entered forwarding state
[   20.847286][  T287] bridge0: port 2(bridge_slave_1) entered blocking state
[   20.854139][  T287] bridge0: port 2(bridge_slave_1) entered forwarding state
[   20.861225][  T287] bridge0: port 1(bridge_slave_0) entered blocking state
[   20.868024][  T287] bridge0: port 1(bridge_slave_0) entered forwarding state
[   20.877951][  T286] bridge0: port 2(bridge_slave_1) entered blocking state
[   20.884778][  T286] bridge0: port 2(bridge_slave_1) entered forwarding state
[   20.891885][  T286] bridge0: port 1(bridge_slave_0) entered blocking state
[   20.898685][  T286] bridge0: port 1(bridge_slave_0) entered forwarding state
[   20.917877][  T284] bridge0: port 2(bridge_slave_1) entered blocking state
[   20.924713][  T284] bridge0: port 2(bridge_slave_1) entered forwarding state
[   20.932279][  T284] bridge0: port 1(bridge_slave_0) entered blocking state
[   20.939049][  T284] bridge0: port 1(bridge_slave_0) entered forwarding state
[   20.947405][  T285] bridge0: port 2(bridge_slave_1) entered blocking state
[   20.954231][  T285] bridge0: port 2(bridge_slave_1) entered forwarding state
[   20.961342][  T285] bridge0: port 1(bridge_slave_0) entered blocking state
[   20.968132][  T285] bridge0: port 1(bridge_slave_0) entered forwarding state
[   20.993028][   T49] bridge0: port 1(bridge_slave_0) entered disabled state
[   21.000076][   T49] bridge0: port 2(bridge_slave_1) entered disabled state
[   21.007205][   T49] bridge0: port 1(bridge_slave_0) entered disabled state
[   21.014125][   T49] bridge0: port 2(bridge_slave_1) entered disabled state
[   21.021255][   T49] bridge0: port 1(bridge_slave_0) entered disabled state
[   21.028212][   T49] bridge0: port 2(bridge_slave_1) entered disabled state
[   21.035024][   T49] bridge0: port 1(bridge_slave_0) entered disabled state
[   21.042522][   T49] bridge0: port 2(bridge_slave_1) entered disabled state
[   21.049549][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   21.056959][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   21.065147][   T49] bridge0: port 2(bridge_slave_1) entered disabled state
[   21.072708][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   21.079856][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   21.098755][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   21.106430][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   21.114337][   T49] bridge0: port 1(bridge_slave_0) entered blocking state
[   21.121099][   T49] bridge0: port 1(bridge_slave_0) entered forwarding state
[   21.128789][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   21.137500][   T49] bridge0: port 2(bridge_slave_1) entered blocking state
[   21.144313][   T49] bridge0: port 2(bridge_slave_1) entered forwarding state
[   21.151506][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   21.159522][   T49] bridge0: port 2(bridge_slave_1) entered blocking state
[   21.166356][   T49] bridge0: port 2(bridge_slave_1) entered forwarding state
[   21.174548][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   21.182637][   T49] bridge0: port 1(bridge_slave_0) entered blocking state
[   21.189485][   T49] bridge0: port 1(bridge_slave_0) entered forwarding state
[   21.213275][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   21.221127][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   21.228936][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   21.237374][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   21.249864][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   21.258164][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   21.266390][   T49] bridge0: port 2(bridge_slave_1) entered blocking state
[   21.273206][   T49] bridge0: port 2(bridge_slave_1) entered forwarding state
[   21.288735][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   21.296249][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   21.304322][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   21.313031][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   21.321091][   T49] bridge0: port 1(bridge_slave_0) entered blocking state
[   21.327932][   T49] bridge0: port 1(bridge_slave_0) entered forwarding state
[   21.335130][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   21.343269][   T49] bridge0: port 1(bridge_slave_0) entered blocking state
[   21.350119][   T49] bridge0: port 1(bridge_slave_0) entered forwarding state
[   21.360010][  T286] device veth0_vlan entered promiscuous mode
[   21.371676][  T287] device veth0_vlan entered promiscuous mode
[   21.378476][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   21.386556][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   21.393736][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   21.401153][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   21.409405][   T49] bridge0: port 2(bridge_slave_1) entered blocking state
[   21.416786][   T49] bridge0: port 2(bridge_slave_1) entered forwarding state
[   21.424077][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   21.431877][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   21.439836][   T49] bridge0: port 2(bridge_slave_1) entered blocking state
[   21.446676][   T49] bridge0: port 2(bridge_slave_1) entered forwarding state
[   21.456812][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   21.463984][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   21.482721][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[   21.491238][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   21.499174][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[   21.507564][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   21.515222][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[   21.523234][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   21.532110][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[   21.540177][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   21.549336][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[   21.557211][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   21.565503][  T286] device veth1_macvtap entered promiscuous mode
[   21.575546][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[   21.583356][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[   21.591659][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   21.599989][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[   21.608161][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   21.616648][  T287] device veth1_macvtap entered promiscuous mode
[   21.624625][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[   21.632263][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[   21.640262][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   21.661268][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[   21.669224][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   21.677123][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[   21.684944][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   21.692991][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[   21.701268][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   21.709408][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[   21.717349][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[   21.725354][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[   21.733114][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   21.740885][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[   21.749093][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[   21.757317][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   21.764531][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   21.776766][  T283] device veth0_vlan entered promiscuous mode
[   21.786882][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[   21.795040][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   21.803144][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[   21.811300][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   21.819313][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   21.826636][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   21.834952][  T284] device veth0_vlan entered promiscuous mode
[   21.847038][  T283] device veth1_macvtap entered promiscuous mode
[   21.857083][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[   21.864935][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   21.874007][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[   21.884053][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[   21.892421][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   21.906911][  T285] device veth0_vlan entered promiscuous mode
[   21.912891][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[   21.921667][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   21.930016][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[   21.938703][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[   21.947087][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[   21.954694][   T49] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   21.963075][  T286] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[   21.967011][  T284] device veth1_macvtap entered promiscuous mode
[   21.989544][  T307] ==================================================================
[   21.994905][  T285] device veth1_macvtap entered promiscuous mode
[   21.997436][  T307] BUG: KASAN: use-after-free in __list_del_entry_valid+0x2f/0x120
[   21.997445][  T307] Read of size 8 at addr ffff88810e278708 by task kworker/1:3/307
[   21.997456][  T307] 
[   22.020955][  T307] CPU: 1 PID: 307 Comm: kworker/1:3 Not tainted 5.10.226-syzkaller-00184-g139a6bb26d9d #0
[   22.030659][  T307] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[   22.040562][  T307] Workqueue: events binder_deferred_func
[   22.046022][  T307] Call Trace:
[   22.049150][  T307]  dump_stack_lvl+0x1e2/0x24b
[   22.053657][  T307]  ? bfq_pos_tree_add_move+0x43b/0x43b
[   22.058952][  T307]  ? panic+0x812/0x812
[   22.062860][  T307]  print_address_description+0x81/0x3b0
[   22.068250][  T307]  ? ____kasan_slab_free+0x12c/0x160
[   22.073360][  T307]  kasan_report+0x179/0x1c0
[   22.077701][  T307]  ? __list_del_entry_valid+0x2f/0x120
[   22.082994][  T307]  ? __list_del_entry_valid+0x2f/0x120
[   22.088289][  T307]  __asan_report_load8_noabort+0x14/0x20
[   22.093756][  T307]  __list_del_entry_valid+0x2f/0x120
[   22.098878][  T307]  binder_release_work+0xcd/0x680
[   22.103737][  T307]  binder_deferred_func+0x1847/0x1bc0
[   22.108949][  T307]  ? read_word_at_a_time+0x12/0x20
[   22.113894][  T307]  process_one_work+0x6dc/0xbd0
[   22.118595][  T307]  worker_thread+0xaea/0x1510
[   22.123092][  T307]  ? _raw_spin_lock+0x1b0/0x1b0
[   22.127783][  T307]  ? __kasan_check_read+0x11/0x20
[   22.132641][  T307]  kthread+0x34b/0x3d0
[   22.136545][  T307]  ? worker_clr_flags+0x180/0x180
[   22.141406][  T307]  ? kthread_blkcg+0xd0/0xd0
[   22.145830][  T307]  ret_from_fork+0x1f/0x30
[   22.150087][  T307] 
[   22.152253][  T307] Allocated by task 309:
[   22.156334][  T307]  ____kasan_kmalloc+0xdb/0x110
[   22.161019][  T307]  __kasan_kmalloc+0x9/0x10
[   22.165361][  T307]  kmem_cache_alloc_trace+0x18a/0x2e0
[   22.170568][  T307]  binder_thread_write+0x9ce/0x6c70
[   22.175599][  T307]  binder_ioctl_write_read+0x216/0x6a80
[   22.180981][  T307]  binder_ioctl+0x314/0x1e00
[   22.185410][  T307]  __se_sys_ioctl+0x114/0x190
[   22.189921][  T307]  __x64_sys_ioctl+0x7b/0x90
[   22.194347][  T307]  do_syscall_64+0x34/0x70
[   22.198602][  T307]  entry_SYSCALL_64_after_hwframe+0x61/0xcb
[   22.204323][  T307] 
[   22.206494][  T307] Freed by task 307:
[   22.210235][  T307]  kasan_set_track+0x4b/0x70
[   22.214656][  T307]  kasan_set_free_info+0x23/0x40
[   22.219950][  T307]  ____kasan_slab_free+0x121/0x160
[   22.224905][  T307]  __kasan_slab_free+0x11/0x20
[   22.229591][  T307]  slab_free_freelist_hook+0xc0/0x190
[   22.234799][  T307]  kfree+0xc3/0x270
[   22.238447][  T307]  binder_free_ref+0x128/0x260
[   22.243050][  T307]  binder_deferred_func+0x171c/0x1bc0
[   22.248255][  T307]  process_one_work+0x6dc/0xbd0
[   22.252938][  T307]  worker_thread+0xaea/0x1510
[   22.257454][  T307]  kthread+0x34b/0x3d0
[   22.261366][  T307]  ret_from_fork+0x1f/0x30
[   22.265604][  T307] 
[   22.267781][  T307] The buggy address belongs to the object at ffff88810e278700
[   22.267781][  T307]  which belongs to the cache kmalloc-64 of size 64
[   22.281498][  T307] The buggy address is located 8 bytes inside of
[   22.281498][  T307]  64-byte region [ffff88810e278700, ffff88810e278740)
[   22.294341][  T307] The buggy address belongs to the page:
[   22.299819][  T307] page:ffffea0004389e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10e278
[   22.309962][  T307] flags: 0x4000000000000200(slab)
[   22.315177][  T307] raw: 4000000000000200 dead000000000100 dead000000000122 ffff888100043800
[   22.323599][  T307] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[   22.332003][  T307] page dumped because: kasan: bad access detected
[   22.338265][  T307] page_owner tracks the page as allocated
[   22.343813][  T307] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 286, ts 21981172341, free_ts 21981114239
[   22.359527][  T307]  prep_new_page+0x166/0x180
[   22.363943][  T307]  get_page_from_freelist+0x2d8c/0x2f30
[   22.369328][  T307]  __alloc_pages_nodemask+0x435/0xaf0
[   22.374535][  T307]  new_slab+0x80/0x400
[   22.378441][  T307]  ___slab_alloc+0x302/0x4b0
[   22.382863][  T307]  __slab_alloc+0x63/0xa0
[   22.387032][  T307]  kmem_cache_alloc_trace+0x1bd/0x2e0
[   22.392240][  T307]  __request_module+0x28c/0x8d0
[   22.396927][  T307]  xt_request_find_table_lock+0x91/0xf0
[   22.402306][  T307]  do_ip6t_get_ctl+0x86c/0x1890
[   22.407003][  T307]  nf_getsockopt+0x26c/0x290
[   22.411421][  T307]  ipv6_getsockopt+0x1dc1/0x3010
[   22.416204][  T307]  tcp_getsockopt+0x216/0x4a10
[   22.420795][  T307]  sock_common_getsockopt+0x99/0xb0
[   22.425829][  T307]  __sys_getsockopt+0x298/0x470
[   22.430519][  T307]  __x64_sys_getsockopt+0xbf/0xd0
[   22.435371][  T307] page last free stack trace:
[   22.439891][  T307]  free_unref_page_prepare+0x2ae/0x2d0
[   22.445181][  T307]  free_the_page+0x9e/0x370
[   22.449523][  T307]  __free_pages+0x67/0xc0
[   22.453689][  T307]  __vunmap+0x7bc/0x8f0
[   22.457678][  T307]  vfree+0x5c/0x80
[   22.461237][  T307]  do_ip6t_get_ctl+0x11da/0x1890
[   22.466012][  T307]  nf_getsockopt+0x26c/0x290
[   22.470438][  T307]  ipv6_getsockopt+0x1dc1/0x3010
[   22.475214][  T307]  tcp_getsockopt+0x216/0x4a10
[   22.479814][  T307]  sock_common_getsockopt+0x99/0xb0
[   22.484845][  T307]  __sys_getsockopt+0x298/0x470
[   22.489535][  T307]  __x64_sys_getsockopt+0xbf/0xd0
[   22.494439][  T307]  do_syscall_64+0x34/0x70
[   22.498645][  T307]  entry_SYSCALL_64_after_hwframe+0x61/0xcb
[   22.504369][  T307] 
[   22.506551][  T307] Memory state around the buggy address:
[   22.512011][  T307]  ffff88810e278600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   22.519999][  T307]  ffff88810e278680: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[   22.527906][  T307] >ffff88810e278700: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   22.535788][  T307]                       ^
[   22.539957][  T307]  ffff88810e278780: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[   22.547948][  T307]  ffff88810e278800: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   22.555839][  T307] ==================================================================
[   22.563737][  T307] Disabling lock debugging due to kernel taint
[   22.571235][  T307] general protection fault, probably for non-canonical address 0xf9f7fc2220000026: 0000 [#1] PREEMPT SMP KASAN
[   22.582747][  T307] KASAN: maybe wild-memory-access in range [0xcfc0011100000130-0xcfc0011100000137]
[   22.591862][  T307] CPU: 1 PID: 307 Comm: kworker/1:3 Tainted: G    B             5.10.226-syzkaller-00184-g139a6bb26d9d #0
[   22.602965][  T307] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[   22.612866][  T307] Workqueue: events binder_deferred_func
[   22.618335][  T307] RIP: 0010:__list_del_entry_valid+0x75/0x120
[   22.624230][  T307] Code: 1e 48 85 db 74 68 4d 85 ff 74 74 48 ba 00 01 00 00 00 00 ad de 48 39 d3 74 76 48 83 c2 22 49 39 d7 74 7e 4c 89 f8 48 c1 e8 03 <42> 80 3c 20 00 74 08 4c 89 ff e8 1c 97 51 ff 49 8b 17 4c 39 f2 75
[   22.643669][  T307] RSP: 0018:ffffc90000d57c20 EFLAGS: 00010a02
[   22.649582][  T307] RAX: 19f8002220000026 RBX: ffff8881085cf100 RCX: ffffffff8256bf49
[   22.657385][  T307] RDX: dead000000000122 RSI: 0000000000000286 RDI: ffff88810e278700
[   22.665196][  T307] RBP: ffffc90000d57c40 R08: ffffffff813e2a7b R09: 0000000000000003
[   22.673012][  T307] R10: fffffbfff0e10e48 R11: dffffc0000000001 R12: dffffc0000000000
[   22.680821][  T307] R13: ffff88810e278700 R14: ffff88810e278700 R15: cfc0011100000133
[   22.688715][  T307] FS:  0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
[   22.697480][  T307] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   22.703903][  T307] CR2: 0000001b2d81fffc CR3: 000000000660f000 CR4: 00000000003506a0
[   22.711721][  T307] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   22.719526][  T307] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   22.727333][  T307] Call Trace:
[   22.730470][  T307]  ? __die_body+0x62/0xb0
[   22.734629][  T307]  ? die_addr+0x9f/0xd0
[   22.738635][  T307]  ? exc_general_protection+0x3ff/0x490
[   22.744005][  T307]  ? check_panic_on_warn+0x65/0xb0
[   22.748951][  T307]  ? asm_exc_general_protection+0x1e/0x30
[   22.754508][  T307]  ? check_panic_on_warn+0x5b/0xb0
[   22.759454][  T307]  ? __list_del_entry_valid+0x49/0x120
[   22.764756][  T307]  ? __list_del_entry_valid+0x75/0x120
[   22.770059][  T307]  binder_release_work+0xcd/0x680
[   22.774916][  T307]  binder_deferred_func+0x1847/0x1bc0
[   22.780117][  T307]  ? read_word_at_a_time+0x12/0x20
[   22.785057][  T307]  process_one_work+0x6dc/0xbd0
[   22.789745][  T307]  worker_thread+0xaea/0x1510
[   22.794260][  T307]  ? _raw_spin_lock+0x1b0/0x1b0
[   22.798944][  T307]  ? __kasan_check_read+0x11/0x20
[   22.803802][  T307]  kthread+0x34b/0x3d0
[   22.807709][  T307]  ? worker_clr_flags+0x180/0x180
[   22.812569][  T307]  ? kthread_blkcg+0xd0/0xd0
[   22.816997][  T307]  ret_from_fork+0x1f/0x30
[   22.821245][  T307] Modules linked in:
[   22.825715][  T307] ---[ end trace e13c6563ed378aa9 ]---
[   22.831510][  T307] RIP: 0010:__list_del_entry_valid+0x75/0x120
[   22.837555][  T307] Code: 1e 48 85 db 74 68 4d 85 ff 74 74 48 ba 00 01 00 00 00 00 ad de 48 39 d3 74 76 48 83 c2 22 49 39 d7 74 7e 4c 89 f8 48 c1 e8 03 <42> 80 3c 20 00 74 08 4c 89 ff e8 1c 97 51 ff 49 8b 17 4c 39 f2 75
[   22.856975][  T307] RSP: 0018:ffffc90000d57c20 EFLAGS: 00010a02
[   22.862857][  T307] RAX: 19f8002220000026 RBX: ffff8881085cf100 RCX: ffffffff8256bf49
[   22.870700][  T307] RDX: dead000000000122 RSI: 0000000000000286 RDI: ffff88810e278700
[   22.878497][  T307] RBP: ffffc90000d57c40 R08: ffffffff813e2a7b R09: 0000000000000003
[   22.886324][  T307] R10: fffffbfff0e10e48 R11: dffffc0000000001 R12: dffffc0000000000
[   22.894109][  T307] R13: ffff88810e278700 R14: ffff88810e278700 R15: cfc0011100000133
[   22.901962][  T307] FS:  0000000000000000(0000) GS:ffff8881f7100000(0000) knlGS:0000000000000000
[   22.910745][  T307] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   22.917126][  T307] CR2: 0000001b2d81fffc CR3: 000000000660f000 CR4: 00000000003506a0
[   22.924922][  T307] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   22.932749][  T307] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   22.940547][  T307] Kernel panic - not syncing: Fatal exception
[   22.946628][  T307] Kernel Offset: disabled
[   22.950751][  T307] Rebooting in 86400 seconds..