------------[ cut here ]------------
kernel BUG at drivers/android/binder.c:1173!
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
Modules linked in:
CPU: 0 UID: 0 PID: 6014 Comm: syz.0.301 Not tainted 6.11.0-rc2-syzkaller #0
Hardware name: ARM-Versatile Express
PC is at binder_get_ref_for_node_olocked drivers/android/binder.c:1173 [inline]
PC is at binder_inc_ref_for_node+0x524/0x580 drivers/android/binder.c:1476
LR is at binder_get_ref_for_node_olocked drivers/android/binder.c:1160 [inline]
LR is at binder_inc_ref_for_node+0x1e0/0x580 drivers/android/binder.c:1476
pc : [<81322920>]    lr : [<813225dc>]    psr: 60000013
sp : dfc65d20  ip : dfc65d20  fp : dfc65d64
r10: 85becd1c  r9 : 00000000  r8 : 841cb994
r7 : 00000000  r6 : 00000001  r5 : 841cb800  r4 : 85987980
r3 : 85becd10  r2 : 00000000  r1 : 841cb814  r0 : 85bec29c
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 30c5387d  Table: 852c31c0  DAC: fffffffd
Register r0 information: slab kmalloc-64 start 85bec280 pointer offset 28 size 64
Register r1 information: slab kmalloc-512 start 841cb800 pointer offset 20 size 512
Register r2 information: NULL pointer
Register r3 information: slab kmalloc-64 start 85becd00 pointer offset 16 size 64
Register r4 information: slab kmalloc-128 start 85987980 pointer offset 0 size 128
Register r5 information: slab kmalloc-512 start 841cb800 pointer offset 0 size 512
Register r6 information: non-paged memory
Register r7 information: NULL pointer
Register r8 information: slab kmalloc-512 start 841cb800 pointer offset 404 size 512
Register r9 information: NULL pointer
Register r10 information: slab kmalloc-64 start 85becd00 pointer offset 28 size 64
Register r11 information: 2-page vmalloc region starting at 0xdfc64000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2781
Register r12 information: 2-page vmalloc region starting at 0xdfc64000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2781
Process syz.0.301 (pid: 6014, stack limit = 0xdfc64000)
Stack: (0xdfc65d20 to 0xdfc66000)
5d20: 00000013 828e3464 841cb814 85becd20 841cb810 85bec280 00000dc0 00000001
5d40: 00000001 00000000 20000208 dfc65eb8 841cba00 841cb800 dfc65e54 dfc65d68
5d60: 81327c7c 81322408 dfc65dc8 00000000 00000000 00000000 824bc5a8 dddd35a8
5d80: dfc65dac dfc65d90 8020c014 8020cff0 00000000 00000001 855082b0 836ab000
5da0: dfc65dec 855082b4 20000200 2000024c 40086303 40106309 b5003500 b5403587
5dc0: 836ab000 ffbfff78 00000000 00000000 00000000 00000000 0000014c 836ab000
5de0: dfc65e14 dfc65df0 8027cfbc 802acb1c 00000000 00000000 841cba00 841cb990
5e00: 00000000 00000000 00000000 de0cd519 dfc65e2c dfc65e20 8197e948 c0306201
5e20: 8290bd54 de0cd519 00000000 0000004c 00000000 c0306201 836ab000 dfc65eb0
5e40: 841cb800 837199c0 dfc65f14 dfc65e58 8132ba74 81327774 0000004c dfc65eb8
5e60: 20000200 00000000 00000000 00000000 00000000 00000000 00000062 837199c0
5e80: 00000004 836ab000 dfc65ee4 841cba00 20000480 841cb800 8290bd54 00000001
5ea0: dfc65eb4 00000000 854abb50 83351440 0000004c 00000000 00000000 00000000
5ec0: 20000200 00000000 00000000 00000000 00000000 00000000 00000000 00000000
5ee0: 806f6bb8 de0cd519 dfc65f14 c0306201 00000000 837199c1 20000480 837199c0
5f00: 00000004 836ab000 dfc65fa4 dfc65f18 8051a1d0 8132a708 dfc65f3c dfc65f28
5f20: 80256c9c 8197e9c4 836ab000 00000000 dfc65f64 dfc65f40 80256e00 80256c68
5f40: 00000000 00000000 00000008 de0cd519 b5403587 76ae4a74 dfc65fa4 dfc65f68
5f60: 80257030 80256d68 0014cc30 fffbfeff ffffffff de0cd519 00000000 00000000
5f80: 00000000 00266378 00000036 8020029c 836ab000 00000036 00000000 dfc65fa8
5fa0: 80200060 8051a0a8 00000000 00000000 00000004 c0306201 20000480 00000000
5fc0: 00000000 00000000 00266378 00000036 00000000 00006364 003d0f00 76ae40bc
5fe0: 76ae3ec0 76ae3eb0 000188c0 00132780 60000010 00000004 00000000 00000000
Call trace: 
[<813223fc>] (binder_inc_ref_for_node) from [<81327c7c>] (binder_thread_write+0x514/0x1560 drivers/android/binder.c:3944)
 r10:841cb800 r9:841cba00 r8:dfc65eb8 r7:20000208 r6:00000000 r5:00000001
 r4:00000001
[<81327768>] (binder_thread_write) from [<8132ba74>] (binder_ioctl_write_read drivers/android/binder.c:5161 [inline])
[<81327768>] (binder_thread_write) from [<8132ba74>] (binder_ioctl+0x1378/0x1884 drivers/android/binder.c:5447)
 r10:837199c0 r9:841cb800 r8:dfc65eb0 r7:836ab000 r6:c0306201 r5:00000000
 r4:0000004c
[<8132a6fc>] (binder_ioctl) from [<8051a1d0>] (vfs_ioctl fs/ioctl.c:51 [inline])
[<8132a6fc>] (binder_ioctl) from [<8051a1d0>] (do_vfs_ioctl fs/ioctl.c:861 [inline])
[<8132a6fc>] (binder_ioctl) from [<8051a1d0>] (__do_sys_ioctl fs/ioctl.c:905 [inline])
[<8132a6fc>] (binder_ioctl) from [<8051a1d0>] (sys_ioctl+0x134/0xda4 fs/ioctl.c:893)
 r10:836ab000 r9:00000004 r8:837199c0 r7:20000480 r6:837199c1 r5:00000000
 r4:c0306201
[<8051a09c>] (sys_ioctl) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67)
Exception stack(0xdfc65fa8 to 0xdfc65ff0)
5fa0:                   00000000 00000000 00000004 c0306201 20000480 00000000
5fc0: 00000000 00000000 00266378 00000036 00000000 00006364 003d0f00 76ae40bc
5fe0: 76ae3ec0 76ae3eb0 000188c0 00132780
 r10:00000036 r9:836ab000 r8:8020029c r7:00000036 r6:00266378 r5:00000000
 r4:00000000
Code: eafffef1 e1a0000a ebc666bf eafffeee (e7f001f2) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	eafffef1 	b	0xfffffbcc
   4:	e1a0000a 	mov	r0, sl
   8:	ebc666bf 	bl	0xff199b0c
   c:	eafffeee 	b	0xfffffbcc
* 10:	e7f001f2 	udf	#18 <-- trapping instruction