------------[ cut here ]------------ kernel BUG at drivers/android/binder.c:1173! Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM Modules linked in: CPU: 1 UID: 0 PID: 15278 Comm: syz.1.2795 Not tainted 6.11.0-rc2-syzkaller #0 Hardware name: ARM-Versatile Express PC is at binder_get_ref_for_node_olocked drivers/android/binder.c:1173 [inline] PC is at binder_inc_ref_for_node+0x524/0x580 drivers/android/binder.c:1476 LR is at binder_get_ref_for_node_olocked drivers/android/binder.c:1160 [inline] LR is at binder_inc_ref_for_node+0x1e0/0x580 drivers/android/binder.c:1476 pc : [<81322920>] lr : [<813225dc>] psr: 60000013 sp : eb161d20 ip : eb161d20 fp : eb161d64 r10: 82cb481c r9 : 00000000 r8 : 844ed994 r7 : 00000000 r6 : 00000001 r5 : 844ed800 r4 : 85404200 r3 : 82cb4810 r2 : 00000000 r1 : 844ed814 r0 : 8495da1c Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none Control: 30c5387d Table: 84845380 DAC: 00000000 Register r0 information: slab kmalloc-64 start 8495da00 pointer offset 28 size 64 Register r1 information: slab kmalloc-512 start 844ed800 pointer offset 20 size 512 Register r2 information: NULL pointer Register r3 information: slab kmalloc-64 start 82cb4800 pointer offset 16 size 64 Register r4 information: slab kmalloc-128 start 85404200 pointer offset 0 size 128 Register r5 information: slab kmalloc-512 start 844ed800 pointer offset 0 size 512 Register r6 information: non-paged memory Register r7 information: NULL pointer Register r8 information: slab kmalloc-512 start 844ed800 pointer offset 404 size 512 Register r9 information: NULL pointer Register r10 information: slab kmalloc-64 start 82cb4800 pointer offset 28 size 64 Register r11 information: 2-page vmalloc region starting at 0xeb160000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2781 Register r12 information: 2-page vmalloc region starting at 0xeb160000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2781 Process syz.1.2795 (pid: 15278, stack limit = 0xeb160000) Stack: (0xeb161d20 to 0xeb162000) 1d20: 00000003 00000060 844ed814 82cb4820 844ed810 8495da00 eb161d8c 00000001 1d40: 00000001 00000000 20000588 eb161eb8 844ede00 844ed800 eb161e54 eb161d68 1d60: 81327c7c 81322408 eb161dc8 00000001 00000000 17f934e5 00000060 0000000b 1d80: eb161dac eb161d90 8020c014 8020cff0 00000000 00000001 84b3bfb0 83e56000 1da0: eb161dec 84b3bfb4 20000580 200005cc 40086303 40106309 b5003500 b5403587 1dc0: 83e56000 ffbfff78 00000000 00000000 00000000 00000000 00000000 83e56000 1de0: eb161e14 eb161df0 8027cfbc 802acb1c 00000000 00000000 00000000 844ed990 1e00: 00000000 00000000 00000000 17f934e5 eb161e2c eb161e20 8197e948 c0306201 1e20: 8290bd54 17f934e5 00000000 0000004c 00000000 c0306201 83e56000 eb161eb0 1e40: 844ed800 85572900 eb161f14 eb161e58 8132ba74 81327774 0000004c eb161eb8 1e60: 20000580 00000000 00000000 00000000 00000000 00000000 00000062 85572900 1e80: 00000003 83e56000 eb161ee4 844ede00 20000480 844ed800 8290bd54 00000001 1ea0: eb161eb4 00000000 84bc1550 833f03b8 0000004c 00000000 00000000 00000000 1ec0: 20000580 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1ee0: 806f6bb8 17f934e5 eb161f14 c0306201 00000000 85572901 20000480 85572900 1f00: 00000003 83e56000 eb161fa4 eb161f18 8051a1d0 8132a708 83e56000 00000001 1f20: ecac8b10 83e56000 eb161f44 eb161f38 81972e70 81972d40 eb161f5c eb161f48 1f40: 8024bb50 8027b53c 40000000 eb161fb0 eb161f84 eb161f60 80202dd8 8024bb0c 1f60: 8261c9cc eb161fb0 0014cc30 ecac8b10 80202cc0 17f934e5 eb161fac 00000000 1f80: 00000000 002662e8 00000036 8020029c 83e56000 00000036 00000000 eb161fa8 1fa0: 80200060 8051a0a8 00000000 00000000 00000003 c0306201 20000480 00000000 1fc0: 00000000 00000000 002662e8 00000036 00000000 00006364 003d0f00 76b6a0bc 1fe0: 76b69ec0 76b69eb0 000188c0 00132780 60000010 00000003 00000000 00000000 Call trace: [<813223fc>] (binder_inc_ref_for_node) from [<81327c7c>] (binder_thread_write+0x514/0x1560 drivers/android/binder.c:3944) r10:844ed800 r9:844ede00 r8:eb161eb8 r7:20000588 r6:00000000 r5:00000001 r4:00000001 [<81327768>] (binder_thread_write) from [<8132ba74>] (binder_ioctl_write_read drivers/android/binder.c:5161 [inline]) [<81327768>] (binder_thread_write) from [<8132ba74>] (binder_ioctl+0x1378/0x1884 drivers/android/binder.c:5447) r10:85572900 r9:844ed800 r8:eb161eb0 r7:83e56000 r6:c0306201 r5:00000000 r4:0000004c [<8132a6fc>] (binder_ioctl) from [<8051a1d0>] (vfs_ioctl fs/ioctl.c:51 [inline]) [<8132a6fc>] (binder_ioctl) from [<8051a1d0>] (do_vfs_ioctl fs/ioctl.c:861 [inline]) [<8132a6fc>] (binder_ioctl) from [<8051a1d0>] (__do_sys_ioctl fs/ioctl.c:905 [inline]) [<8132a6fc>] (binder_ioctl) from [<8051a1d0>] (sys_ioctl+0x134/0xda4 fs/ioctl.c:893) r10:83e56000 r9:00000003 r8:85572900 r7:20000480 r6:85572901 r5:00000000 r4:c0306201 [<8051a09c>] (sys_ioctl) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67) Exception stack(0xeb161fa8 to 0xeb161ff0) 1fa0: 00000000 00000000 00000003 c0306201 20000480 00000000 1fc0: 00000000 00000000 002662e8 00000036 00000000 00006364 003d0f00 76b6a0bc 1fe0: 76b69ec0 76b69eb0 000188c0 00132780 r10:00000036 r9:83e56000 r8:8020029c r7:00000036 r6:002662e8 r5:00000000 r4:00000000 Code: eafffef1 e1a0000a ebc666bf eafffeee (e7f001f2) ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: eafffef1 b 0xfffffbcc 4: e1a0000a mov r0, sl 8: ebc666bf bl 0xff199b0c c: eafffeee b 0xfffffbcc * 10: e7f001f2 udf #18 <-- trapping instruction