------------[ cut here ]------------
kernel BUG at drivers/android/binder.c:1173!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 1 UID: 0 PID: 32619 Comm: syz.0.6669 Not tainted 6.11.0-rc2-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at binder_get_ref_for_node_olocked drivers/android/binder.c:1173 [inline]
PC is at binder_inc_ref_for_node+0x524/0x580 drivers/android/binder.c:1476
LR is at binder_get_ref_for_node_olocked drivers/android/binder.c:1160 [inline]
LR is at binder_inc_ref_for_node+0x1e0/0x580 drivers/android/binder.c:1476
pc : [<81322920>] lr : [<813225dc>] psr: 60000013
sp : dffc9d20 ip : dffc9d20 fp : dffc9d64
r10: 8503e61c r9 : 00000000 r8 : 8536c594
r7 : 00000000 r6 : 00000001 r5 : 8536c400 r4 : 859ee880
r3 : 8503e610 r2 : 00000000 r1 : 8536c414 r0 : 85039d9c
Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
Control: 30c5387d Table: 8503e4c0 DAC: 00000000
Register r0 information: slab kmalloc-64 start 85039d80 pointer offset 28 size 64
Register r1 information: slab kmalloc-512 start 8536c400 pointer offset 20 size 512
Register r2 information: NULL pointer
Register r3 information: slab kmalloc-64 start 8503e600 pointer offset 16 size 64
Register r4 information: slab kmalloc-128 start 859ee880 pointer offset 0 size 128
Register r5 information: slab kmalloc-512 start 8536c400 pointer offset 0 size 512
Register r6 information: non-paged memory
Register r7 information: NULL pointer
Register r8 information: slab kmalloc-512 start 8536c400 pointer offset 404 size 512
Register r9 information: NULL pointer
Register r10 information: slab kmalloc-64 start 8503e600 pointer offset 28 size 64
Register r11 information: 2-page vmalloc region starting at 0xdffc8000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2781
Register r12 information: 2-page vmalloc region starting at 0xdffc8000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2781
Process syz.0.6669 (pid: 32619, stack limit = 0xdffc8000)
Stack:
(0xdffc9d20 to 0xdffca000)
9d20: 00000003 00000060 8536c414 8503e620 8536c410 85039d80 dffc9d8c 00000001
9d40: 00000001 00000000 20000588 dffc9eb8 8536c600 8536c400 dffc9e54 dffc9d68
9d60: 81327c7c 81322408 dffc9dc8 00000001 00000000 58dbc680 00000060 0000000b
9d80: dffc9dac dffc9d90 8020c014 8020cff0 00000000 00000001 84747a30 841eec00
9da0: dffc9dec 84747a34 20000580 200005cc 40086303 40106309 b5003500 b5403587
9dc0: 841eec00 ffbfff78 00000000 00000000 00000000 00000000 00000000 841eec00
9de0: dffc9e14 dffc9df0 8027cfbc 802acb1c 00000000 00000000 00000000 8536c590
9e00: 00000000 00000000 00000000 58dbc680 dffc9e2c dffc9e20 8197e948 c0306201
9e20: 8290bd54 58dbc680 00000000 0000004c 00000000 c0306201 841eec00 dffc9eb0
9e40: 8536c400 8444e780 dffc9f14 dffc9e58 8132ba74 81327774 0000004c dffc9eb8
9e60: 20000580 00000000 00000000 00000000 00000000 00000000 00000062 8444e780
9e80: 00000003 841eec00 dffc9ee4 8536c600 20000480 8536c400 8290bd54 00000001
9ea0: dffc9eb4 00000000 84740910 83239cc0 0000004c 00000000 00000000 00000000
9ec0: 20000580 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9ee0: 806f6bb8 58dbc680 dffc9f14 c0306201 00000000 8444e781 20000480 8444e780
9f00: 00000003 841eec00 dffc9fa4 dffc9f18 8051a1d0 8132a708 841eec00 00000001
9f20: ecac8b10 841eec00 dffc9f44 dffc9f38 81972e70 81972d40 dffc9f5c dffc9f48
9f40: 8024bb50 8027b53c 40000000 dffc9fb0 dffc9f84 dffc9f60 80202dd8 8024bb0c
9f60: 8261c9cc dffc9fb0 0014cc30 ecac8b10 80202cc0 58dbc680 dffc9fac 00000000
9f80: 00000000 002662e8 00000036 8020029c 841eec00 00000036 00000000 dffc9fa8
9fa0: 80200060 8051a0a8 00000000 00000000 00000003 c0306201 20000480 00000000
9fc0: 00000000 00000000 002662e8 00000036 00000000 00006364 003d0f00 76b510bc
9fe0: 76b50ec0 76b50eb0 000188c0 00132780 60000010 00000003 00000000 00000000
Call trace:
[<813223fc>] (binder_inc_ref_for_node) from [<81327c7c>] (binder_thread_write+0x514/0x1560 drivers/android/binder.c:3944)
 r10:8536c400 r9:8536c600 r8:dffc9eb8 r7:20000588 r6:00000000 r5:00000001 r4:00000001
[<81327768>] (binder_thread_write) from [<8132ba74>] (binder_ioctl_write_read drivers/android/binder.c:5161 [inline])
[<81327768>] (binder_thread_write) from [<8132ba74>] (binder_ioctl+0x1378/0x1884 drivers/android/binder.c:5447)
 r10:8444e780 r9:8536c400 r8:dffc9eb0 r7:841eec00 r6:c0306201 r5:00000000 r4:0000004c
[<8132a6fc>] (binder_ioctl) from [<8051a1d0>] (vfs_ioctl fs/ioctl.c:51 [inline])
[<8132a6fc>] (binder_ioctl) from [<8051a1d0>] (do_vfs_ioctl fs/ioctl.c:861 [inline])
[<8132a6fc>] (binder_ioctl) from [<8051a1d0>] (__do_sys_ioctl fs/ioctl.c:905 [inline])
[<8132a6fc>] (binder_ioctl) from [<8051a1d0>] (sys_ioctl+0x134/0xda4 fs/ioctl.c:893)
 r10:841eec00 r9:00000003 r8:8444e780 r7:20000480 r6:8444e781 r5:00000000 r4:c0306201
[<8051a09c>] (sys_ioctl) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
Exception stack(0xdffc9fa8 to 0xdffc9ff0)
9fa0: 00000000 00000000 00000003 c0306201 20000480 00000000
9fc0: 00000000 00000000 002662e8 00000036 00000000 00006364 003d0f00 76b510bc
9fe0: 76b50ec0 76b50eb0 000188c0 00132780
 r10:00000036 r9:841eec00 r8:8020029c r7:00000036 r6:002662e8 r5:00000000 r4:00000000
Code: eafffef1 e1a0000a ebc666bf eafffeee (e7f001f2)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0: eafffef1  b    0xfffffbcc
   4: e1a0000a  mov  r0, sl
   8: ebc666bf  bl   0xff199b0c
   c: eafffeee  b    0xfffffbcc
* 10: e7f001f2  udf  #18    <-- trapping instruction