------------[ cut here ]------------
kernel BUG at drivers/android/binder.c:1173!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 1 UID: 0 PID: 9697 Comm: syz.0.1896 Not tainted 6.11.0-rc2-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at binder_get_ref_for_node_olocked drivers/android/binder.c:1173 [inline]
PC is at binder_inc_ref_for_node+0x524/0x580 drivers/android/binder.c:1476
LR is at binder_get_ref_for_node_olocked drivers/android/binder.c:1160 [inline]
LR is at binder_inc_ref_for_node+0x1e0/0x580 drivers/android/binder.c:1476
pc : [<81322920>]    lr : [<813225dc>]    psr: 60000013
sp : dfb21d20  ip : dfb21d20  fp : dfb21d64
r10: 850982dc  r9 : 00000000  r8 : 84cea794
r7 : 00000000  r6 : 00000001  r5 : 84cea600  r4 : 844c0700
r3 : 850982d0  r2 : 00000000  r1 : 84cea614  r0 : 844b19dc
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 30c5387d  Table: 8532c240  DAC: 00000000
Register r0 information: slab kmalloc-64 start 844b19c0 pointer offset 28 size 64
Register r1 information: slab kmalloc-512 start 84cea600 pointer offset 20 size 512
Register r2 information: NULL pointer
Register r3 information: slab kmalloc-64 start 850982c0 pointer offset 16 size 64
Register r4 information: slab kmalloc-128 start 844c0700 pointer offset 0 size 128
Register r5 information: slab kmalloc-512 start 84cea600 pointer offset 0 size 512
Register r6 information: non-paged memory
Register r7 information: NULL pointer
Register r8 information: slab kmalloc-512 start 84cea600 pointer offset 404 size 512
Register r9 information: NULL pointer
Register r10 information: slab kmalloc-64 start 850982c0 pointer offset 28 size 64
Register r11 information: 2-page vmalloc region starting at 0xdfb20000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2781
Register r12 information: 2-page vmalloc region starting at 0xdfb20000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2781
Process syz.0.1896 (pid: 9697, stack limit = 0xdfb20000)
Stack: (0xdfb21d20 to 0xdfb22000)
1d20: 20000013 828d19d4 84cea614 850982e4 84cea610 844b19c0 00000000 00000001
1d40: 00000001 00000000 20000308 dfb21eb8 8457f400 84cea600 dfb21e54 dfb21d68
1d60: 81327c7c 81322408 dfb21dc8 dfb21d78 804bc5b4 80826fd4 00000000 00000000
1d80: dfb21dac dfb21d90 8020c014 8020cff0 00000000 00000001 84eefc30 82f0ec00
1da0: dfb21dec 84eefc34 20000300 20000308 40086303 40106309 b5003500 b5403587
1dc0: 82f0ec00 ffbfff78 00000000 00000000 00000000 00000000 00000000 82f0ec00
1de0: dfb21e14 dfb21df0 8027cfbc 802acb1c 00000000 00000000 00000000 84cea790
1e00: 00000000 00000000 00000000 e2d2131c dfb21e2c dfb21e20 8197e948 c0306201
1e20: 8290bd54 e2d2131c 00000000 00000008 00000000 c0306201 82f0ec00 dfb21eb0
1e40: 84cea600 852bbd80 dfb21f14 dfb21e58 8132ba74 81327774 00000008 dfb21eb8
1e60: 20000300 00000000 00000000 00000000 00000000 00000000 00000062 852bbd80
1e80: 00000007 82f0ec00 dfb21ee4 8457f400 200003c0 84cea600 8290bd54 00000001
1ea0: dfb21eb4 00000000 852b3250 83321330 00000008 00000000 00000000 00000000
1ec0: 20000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1ee0: 806f6bb8 e2d2131c dfb21f14 c0306201 00000000 852bbd81 200003c0 852bbd80
1f00: 00000007 82f0ec00 dfb21fa4 dfb21f18 8051a1d0 8132a708 82f0ec00 00000001
1f20: ecac8b10 82f0ec00 dfb21f44 dfb21f38 81972e70 81972d40 dfb21f5c dfb21f48
1f40: 8024bb50 8027b53c 40000000 dfb21fb0 dfb21f84 dfb21f60 80202dd8 8024bb0c
1f60: 8261c9cc dfb21fb0 0014cc30 ecac8b10 80202cc0 e2d2131c dfb21fac 00000000
1f80: 00000000 00266408 00000036 8020029c 82f0ec00 00000036 00000000 dfb21fa8
1fa0: 80200060 8051a0a8 00000000 00000000 00000007 c0306201 200003c0 00000000
1fc0: 00000000 00000000 00266408 00000036 00000000 00006364 003d0f00 76b960bc
1fe0: 76b95ec0 76b95eb0 000188c0 00132780 60000010 00000007 00000000 00000000
Call trace: 
[<813223fc>] (binder_inc_ref_for_node) from [<81327c7c>] (binder_thread_write+0x514/0x1560 drivers/android/binder.c:3944)
 r10:84cea600 r9:8457f400 r8:dfb21eb8 r7:20000308 r6:00000000 r5:00000001
 r4:00000001
[<81327768>] (binder_thread_write) from [<8132ba74>] (binder_ioctl_write_read drivers/android/binder.c:5161 [inline])
[<81327768>] (binder_thread_write) from [<8132ba74>] (binder_ioctl+0x1378/0x1884 drivers/android/binder.c:5447)
 r10:852bbd80 r9:84cea600 r8:dfb21eb0 r7:82f0ec00 r6:c0306201 r5:00000000
 r4:00000008
[<8132a6fc>] (binder_ioctl) from [<8051a1d0>] (vfs_ioctl fs/ioctl.c:51 [inline])
[<8132a6fc>] (binder_ioctl) from [<8051a1d0>] (do_vfs_ioctl fs/ioctl.c:861 [inline])
[<8132a6fc>] (binder_ioctl) from [<8051a1d0>] (__do_sys_ioctl fs/ioctl.c:905 [inline])
[<8132a6fc>] (binder_ioctl) from [<8051a1d0>] (sys_ioctl+0x134/0xda4 fs/ioctl.c:893)
 r10:82f0ec00 r9:00000007 r8:852bbd80 r7:200003c0 r6:852bbd81 r5:00000000
 r4:c0306201
[<8051a09c>] (sys_ioctl) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
Exception stack(0xdfb21fa8 to 0xdfb21ff0)
1fa0:                   00000000 00000000 00000007 c0306201 200003c0 00000000
1fc0: 00000000 00000000 00266408 00000036 00000000 00006364 003d0f00 76b960bc
1fe0: 76b95ec0 76b95eb0 000188c0 00132780
 r10:00000036 r9:82f0ec00 r8:8020029c r7:00000036 r6:00266408 r5:00000000
 r4:00000000
Code: eafffef1 e1a0000a ebc666bf eafffeee (e7f001f2) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	eafffef1 	b	0xfffffbcc
   4:	e1a0000a 	mov	r0, sl
   8:	ebc666bf 	bl	0xff199b0c
   c:	eafffeee 	b	0xfffffbcc
* 10:	e7f001f2 	udf	#18 <-- trapping instruction