================================================================== BUG: KFENCE: use-after-free read in __list_del_entry_valid_or_report+0x2d/0x1c0 lib/list_debug.c:50 Use-after-free read at 0xffff88807ec0e008 (in kfence-#6): __list_del_entry_valid_or_report+0x2d/0x1c0 lib/list_debug.c:50 __list_del_entry_valid include/linux/list.h:124 [inline] __list_del_entry include/linux/list.h:215 [inline] list_del_init include/linux/list.h:287 [inline] binder_dequeue_work_head_ilocked drivers/android/binder.c:540 [inline] binder_release_work+0x9b/0x490 drivers/android/binder.c:5110 binder_deferred_release drivers/android/binder.c:6261 [inline] binder_deferred_func+0xe6e/0x12e0 drivers/android/binder.c:6296 process_one_work+0x958/0x1b30 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 kfence-#6: 0xffff88807ec0e000-0xffff88807ec0e027, size=40, cache=kmalloc-64 allocated by task 19246 on cpu 3 at 890.683468s (0.030610s ago): kmalloc_noprof include/linux/slab.h:878 [inline] kzalloc_noprof include/linux/slab.h:1014 [inline] binder_request_freeze_notification drivers/android/binder.c:3855 [inline] binder_thread_write+0xe19/0x4c60 drivers/android/binder.c:4485 binder_ioctl_write_read drivers/android/binder.c:5387 [inline] binder_ioctl+0x268b/0x7050 drivers/android/binder.c:5718 compat_ptr_ioctl+0x6b/0xa0 fs/ioctl.c:946 __do_compat_sys_ioctl+0x259/0x2b0 fs/ioctl.c:1007 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0x73/0x120 arch/x86/entry/common.c:386 do_fast_syscall_32+0x32/0x80 arch/x86/entry/common.c:411 entry_SYSENTER_compat_after_hwframe+0x84/0x8e freed by task 17248 on cpu 3 at 890.690122s (0.036148s ago): binder_free_ref drivers/android/binder.c:1355 [inline] binder_deferred_release drivers/android/binder.c:6256 [inline] binder_deferred_func+0xdd7/0x12e0 drivers/android/binder.c:6296 process_one_work+0x958/0x1b30 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 CPU: 3 UID: 0 PID: 17248 Comm: kworker/3:6 Not tainted 6.12.0-rc6-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: events binder_deferred_func RIP: 0010:__list_del_entry_valid_or_report+0x2d/0x1c0 lib/list_debug.c:49 Code: fa 48 89 fe 48 83 c7 08 48 83 ec 18 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 19 01 00 00 48 89 f2 <48> 8b 4e 08 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 RSP: 0018:ffffc90007b77be0 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff88807ec0e000 RCX: ffffffff816a98dd RDX: ffff88807ec0e000 RSI: ffff88807ec0e000 RDI: ffff88807ec0e008 RBP: 0000000000000001 R08: 0000000000000001 R09: fffff52000f6ef72 R10: 0000000000000003 R11: 0000000000000000 R12: dffffc0000000000 R13: ffff88802398a2d0 R14: ffff88802398a0d8 R15: ffff88807ec0e008 FS: 0000000000000000(0000) GS:ffff88802b700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff88807ec0e008 CR3: 0000000012202000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000400 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Call Trace: __list_del_entry_valid include/linux/list.h:124 [inline] __list_del_entry include/linux/list.h:215 [inline] list_del_init include/linux/list.h:287 [inline] binder_dequeue_work_head_ilocked drivers/android/binder.c:540 [inline] binder_release_work+0x9b/0x490 drivers/android/binder.c:5110 binder_deferred_release drivers/android/binder.c:6261 [inline] binder_deferred_func+0xe6e/0x12e0 drivers/android/binder.c:6296 process_one_work+0x958/0x1b30 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 ================================================================== ---------------- Code disassembly (best guess): 0: fa cli 1: 48 89 fe mov %rdi,%rsi 4: 48 83 c7 08 add $0x8,%rdi 8: 48 83 ec 18 sub $0x18,%rsp c: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 13: fc ff df 16: 48 89 fa mov %rdi,%rdx 19: 48 c1 ea 03 shr $0x3,%rdx 1d: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) 21: 0f 85 19 01 00 00 jne 0x140 27: 48 89 f2 mov %rsi,%rdx * 2a: 48 8b 4e 08 mov 0x8(%rsi),%rcx <-- trapping instruction 2e: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 35: fc ff df 38: 48 c1 ea 03 shr $0x3,%rdx 3c: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)