==================================================================
BUG: KASAN: slab-use-after-free in hlist_add_head include/linux/list.h:1026 [inline]
BUG: KASAN: slab-use-after-free in binder_add_device+0x64/0xac drivers/android/binder.c:6932
Write of size 8 at addr ffff0000ddb1c008 by task syz-executor/6698

CPU: 1 UID: 0 PID: 6698 Comm: syz-executor Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x254 mm/kasan/report.c:408
 print_report+0x68/0x84 mm/kasan/report.c:521
 kasan_report+0xb0/0x110 mm/kasan/report.c:634
 __asan_report_store8_noabort+0x20/0x2c mm/kasan/report_generic.c:386
 hlist_add_head include/linux/list.h:1026 [inline]
 binder_add_device+0x64/0xac drivers/android/binder.c:6932
 binderfs_binder_device_create+0x7d0/0x9d0 drivers/android/binderfs.c:210
 binderfs_fill_super+0x7c8/0xc54 drivers/android/binderfs.c:730
 vfs_get_super fs/super.c:1280 [inline]
 get_tree_nodev+0xb4/0x144 fs/super.c:1299
 binderfs_fs_context_get_tree+0x28/0x38 drivers/android/binderfs.c:750
 vfs_get_tree+0x90/0x28c fs/super.c:1759
 do_new_mount+0x228/0x814 fs/namespace.c:3881
 path_mount+0x5b4/0xde0 fs/namespace.c:4208
 do_mount fs/namespace.c:4221 [inline]
 __do_sys_mount fs/namespace.c:4432 [inline]
 __se_sys_mount fs/namespace.c:4409 [inline]
 __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4409
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767
 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Allocated by task 6703:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __kmalloc_cache_noprof+0x2a4/0x3fc mm/slub.c:4358
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 mld_add_delrec net/ipv6/mcast.c:746 [inline]
 igmp6_leave_group net/ipv6/mcast.c:2676 [inline]
 igmp6_group_dropped+0x2d8/0xc9c net/ipv6/mcast.c:726
 __ipv6_dev_mc_dec+0x29c/0x348 net/ipv6/mcast.c:1018
 addrconf_leave_solict net/ipv6/addrconf.c:2254 [inline]
 __ipv6_ifa_notify+0x3c0/0x988 net/ipv6/addrconf.c:6302
 addrconf_ifdown+0xbf4/0x148c net/ipv6/addrconf.c:3981
 addrconf_notify+0x2f4/0xcdc net/ipv6/addrconf.c:-1
 notifier_call_chain+0x1b8/0x4e4 kernel/notifier.c:85
 raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:453
 call_netdevice_notifiers_info net/core/dev.c:2176 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:2214 [inline]
 call_netdevice_notifiers net/core/dev.c:2228 [inline]
 dev_close_many+0x2d4/0x448 net/core/dev.c:1731
 unregister_netdevice_many_notify+0x664/0x1fbc net/core/dev.c:11942
 unregister_netdevice_many net/core/dev.c:12036 [inline]
 default_device_exit_batch+0x838/0x8b4 net/core/dev.c:12530
 ops_exit_list net/core/net_namespace.c:177 [inline]
 cleanup_net+0x650/0x9c0 net/core/net_namespace.c:654
 process_one_work+0x7e8/0x156c kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x958/0xed8 kernel/workqueue.c:3400
 kthread+0x5fc/0x75c kernel/kthread.c:464
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847

Freed by task 12:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x68/0x88 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2380 [inline]
 slab_free_freelist_hook mm/slub.c:2409 [inline]
 slab_free_bulk mm/slub.c:4666 [inline]
 kmem_cache_free_bulk+0x2e0/0x51c mm/slub.c:5243
 kfree_bulk include/linux/slab.h:794 [inline]
 kvfree_rcu_bulk+0xfc/0x1f0 mm/slab_common.c:1516
 kfree_rcu_work+0xb8/0x140 mm/slab_common.c:1594
 process_one_work+0x7e8/0x156c kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x958/0xed8 kernel/workqueue.c:3400
 kthread+0x5fc/0x75c kernel/kthread.c:464
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847

Last potentially related work creation:
 kasan_save_stack+0x40/0x6c mm/kasan/common.c:47
 kasan_record_aux_stack+0xb0/0xc8 mm/kasan/generic.c:548
 kvfree_call_rcu+0xa4/0x3f0 mm/slab_common.c:1962
 mld_clear_delrec+0x190/0x5f4 net/ipv6/mcast.c:828
 ipv6_mc_destroy_dev+0x50/0x510 net/ipv6/mcast.c:2842
 addrconf_ifdown+0x103c/0x148c net/ipv6/addrconf.c:4000
 addrconf_notify+0x2f4/0xcdc net/ipv6/addrconf.c:-1
 notifier_call_chain+0x1b8/0x4e4 kernel/notifier.c:85
 raw_notifier_call_chain+0x3c/0x50 kernel/notifier.c:453
 call_netdevice_notifiers_info net/core/dev.c:2176 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:2214 [inline]
 call_netdevice_notifiers net/core/dev.c:2228 [inline]
 unregister_netdevice_many_notify+0x125c/0x1fbc net/core/dev.c:11972
 unregister_netdevice_many net/core/dev.c:12036 [inline]
 default_device_exit_batch+0x838/0x8b4 net/core/dev.c:12530
 ops_exit_list net/core/net_namespace.c:177 [inline]
 cleanup_net+0x650/0x9c0 net/core/net_namespace.c:654
 process_one_work+0x7e8/0x156c kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x958/0xed8 kernel/workqueue.c:3400
 kthread+0x5fc/0x75c kernel/kthread.c:464
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847

The buggy address belongs to the object at ffff0000ddb1c000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 8 bytes inside of
 freed 512-byte region [ffff0000ddb1c000, ffff0000ddb1c200)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff0000ddb1e400 pfn:0x11db1c
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000240(workingset|head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000240 ffff0000c0001c80 fffffdffc3c43710 fffffdffc366ee10
raw: ffff0000ddb1e400 000000000010000f 00000000f5000000 0000000000000000
head: 05ffc00000000240 ffff0000c0001c80 fffffdffc3c43710 fffffdffc366ee10
head: ffff0000ddb1e400 000000000010000f 00000000f5000000 0000000000000000
head: 05ffc00000000002 fffffdffc376c701 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000ddb1bf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000ddb1bf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000ddb1c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff0000ddb1c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000ddb1c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
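A triage helper for the report above, added here as an example; it is not part of the syzbot report or of the kernel tree. It pulls out the fields an analyst reads first (bug kind, access type and size, slab cache, offset into the object), cross-checks that the faulting address really lies at the printed offset inside the freed region, and names the first frames in each stack that belong to the code owning the object rather than to KASAN or the slab allocator. Because this object was released through kfree_rcu, the "Freed by" stack is just the RCU worker (kfree_rcu_work), so the helper falls back to the "Last potentially related work creation" stack to find who dropped it. The embedded REPORT is an abridged copy of the report above with most frames trimmed; INFRA_PREFIXES is this example's own assumption about which source paths count as allocator and sanitizer plumbing.

```python
import re
from dataclasses import dataclass, field

# Abridged copy of the syzbot report above (stack frames trimmed to the ones the
# triage logic needs). Blank lines delimit sections, as in real KASAN output.
REPORT = """\
==================================================================
BUG: KASAN: slab-use-after-free in hlist_add_head include/linux/list.h:1026 [inline]
Write of size 8 at addr ffff0000ddb1c008 by task syz-executor/6698

Call trace:
 __asan_report_store8_noabort+0x20/0x2c mm/kasan/report_generic.c:386
 hlist_add_head include/linux/list.h:1026 [inline]
 binder_add_device+0x64/0xac drivers/android/binder.c:6932
 binderfs_binder_device_create+0x7d0/0x9d0 drivers/android/binderfs.c:210

Allocated by task 6703:
 __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:394
 __kmalloc_cache_noprof+0x2a4/0x3fc mm/slub.c:4358
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 mld_add_delrec net/ipv6/mcast.c:746 [inline]
 igmp6_leave_group net/ipv6/mcast.c:2676 [inline]

Freed by task 12:
 __kasan_slab_free+0x68/0x88 mm/kasan/common.c:264
 kmem_cache_free_bulk+0x2e0/0x51c mm/slub.c:5243
 kvfree_rcu_bulk+0xfc/0x1f0 mm/slab_common.c:1516
 kfree_rcu_work+0xb8/0x140 mm/slab_common.c:1594
 process_one_work+0x7e8/0x156c kernel/workqueue.c:3238

Last potentially related work creation:
 kasan_save_stack+0x40/0x6c mm/kasan/common.c:47
 kasan_record_aux_stack+0xb0/0xc8 mm/kasan/generic.c:548
 kvfree_call_rcu+0xa4/0x3f0 mm/slab_common.c:1962
 mld_clear_delrec+0x190/0x5f4 net/ipv6/mcast.c:828
 ipv6_mc_destroy_dev+0x50/0x510 net/ipv6/mcast.c:2842

The buggy address belongs to the object at ffff0000ddb1c000
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 8 bytes inside of
 freed 512-byte region [ffff0000ddb1c000, ffff0000ddb1c200)
"""

# Source paths treated as allocator/sanitizer plumbing (assumption; extend as needed).
INFRA_PREFIXES = ("mm/kasan/", "include/linux/kasan.h", "mm/slub.c",
                  "include/linux/slab.h", "mm/slab_common.c")
SECTIONS = {"Call trace:": "access", "Allocated by task": "alloc",
            "Freed by task": "free", "Last potentially related work": "work"}
# "func+0xoff/0xlen path:line" or, for inlined frames, "func path:line [inline]"
FRAME_RE = re.compile(r"^(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(?P<loc>\S+:-?\d+)")


@dataclass
class KasanReport:
    kind: str            # e.g. slab-use-after-free
    access: str          # Read or Write
    size: int
    addr: int
    cache: str
    offset: int          # bytes into the object, as printed by KASAN
    region: tuple        # [start, end) of the slab object
    stacks: dict = field(default_factory=dict)  # section -> [(func, file:line)]


def parse_kasan_report(text: str) -> KasanReport:
    head = re.search(r"BUG: KASAN: (?P<kind>[\w-]+) in ", text)
    acc = re.search(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)", text)
    cache = re.search(r"belongs to the cache (?P<cache>\S+) of size", text)
    reg = re.search(r"located (?P<off>\d+) bytes inside of\s+(?:freed\s+)?\d+-byte region "
                    r"\[(?P<lo>[0-9a-f]+), (?P<hi>[0-9a-f]+)\)", text)
    if not (head and acc and cache and reg):
        raise ValueError("not a KASAN slab report")
    stacks, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line:
            section = None          # blank line ends the current stack
            continue
        hit = [s for k, s in SECTIONS.items() if line.startswith(k)]
        if hit:
            section = hit[0]
        elif section and (m := FRAME_RE.match(line)):
            stacks.setdefault(section, []).append((m["func"], m["loc"]))
    return KasanReport(head["kind"], acc["rw"], int(acc["size"]), int(acc["addr"], 16),
                       cache["cache"], int(reg["off"]),
                       (int(reg["lo"], 16), int(reg["hi"], 16)), stacks)


def origin_frames(frames, n=2):
    """Frames after the last KASAN frame, minus allocator plumbing: the code
    that actually owns the object. Returns at most n 'func file:line' strings."""
    last_kasan = max((i for i, (_, loc) in enumerate(frames)
                      if loc.startswith("mm/kasan/")), default=-1)
    owners = [f"{fn} {loc}" for fn, loc in frames[last_kasan + 1:]
              if not loc.startswith(INFRA_PREFIXES)]
    return owners[:n]


def triage(r: KasanReport) -> dict:
    # A kfree_rcu'd object is released from the RCU worker, so the "Freed by"
    # stack says nothing about who dropped it; use the work-creation stack instead.
    rcu = any(fn == "kfree_rcu_work" for fn, _ in r.stacks.get("free", []))
    return {
        "kind": r.kind,
        "write_to_freed": r.access == "Write" and "use-after-free" in r.kind,
        "inside_object": r.region[0] <= r.addr < r.region[1],
        "offset_consistent": r.addr - r.region[0] == r.offset,
        "faulting": origin_frames(r.stacks.get("access", [])),
        "alloc_origin": origin_frames(r.stacks.get("alloc", [])),
        "rcu_deferred_free": rcu,
        "free_origin": origin_frames(r.stacks.get("work" if rcu else "free", [])),
    }


if __name__ == "__main__":
    for key, val in triage(parse_kasan_report(REPORT)).items():
        print(f"{key:18} {val}")
```

On this report the helper flags an 8-byte write into a freed kmalloc-512 object, allocated by the IPv6 MLD code (mld_add_delrec) and released via kfree_rcu from mld_clear_delrec, while the writer is binder_add_device linking a node with hlist_add_head; the two subsystems sharing one slab object is the usual signature of a stale pointer into a kmalloc cache that has since been recycled.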