==================================================================
BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x154/0x198 lib/list_debug.c:49
Read of size 8 at addr ffff000017af7908 by task kworker/0:1/8244

CPU: 0 UID: 0 PID: 8244 Comm: kworker/0:1 Not tainted 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0
Hardware name: linux,dummy-virt (DT)
Workqueue: events binder_deferred_func
Call trace:
 dump_backtrace+0x9c/0x11c arch/arm64/kernel/stacktrace.c:319
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:326
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xa4/0xf4 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xf4/0x5a4 mm/kasan/report.c:488
 kasan_report+0xc8/0x108 mm/kasan/report.c:601
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 __list_del_entry_valid_or_report+0x154/0x198 lib/list_debug.c:49
 __list_del_entry_valid include/linux/list.h:124 [inline]
 __list_del_entry include/linux/list.h:215 [inline]
 list_del_init include/linux/list.h:287 [inline]
 binder_dequeue_work_head_ilocked drivers/android/binder.c:540 [inline]
 binder_release_work+0x94/0x414 drivers/android/binder.c:5110
 binder_deferred_release drivers/android/binder.c:6261 [inline]
 binder_deferred_func+0xbac/0x10d0 drivers/android/binder.c:6296
 process_one_work+0x7b8/0x189c kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x730/0xb74 kernel/workqueue.c:3391
 kthread+0x27c/0x300 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860

Allocated by task 9220:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:47
 kasan_save_track+0x20/0x3c mm/kasan/common.c:68
 kasan_save_alloc_info+0x40/0x54 mm/kasan/generic.c:565
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xb8/0xbc mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:257 [inline]
 __kmalloc_cache_noprof+0x188/0x2f8 mm/slub.c:4295
 kmalloc_noprof include/linux/slab.h:878 [inline]
 kzalloc_noprof include/linux/slab.h:1014 [inline]
 binder_request_freeze_notification drivers/android/binder.c:3855 [inline]
 binder_thread_write+0xd60/0x4b48 drivers/android/binder.c:4485
 binder_ioctl_write_read drivers/android/binder.c:5387 [inline]
 binder_ioctl+0x1d78/0x2f04 drivers/android/binder.c:5718
 compat_ptr_ioctl+0x5c/0xa4 fs/ioctl.c:946
 __do_compat_sys_ioctl fs/ioctl.c:1007 [inline]
 __se_compat_sys_ioctl fs/ioctl.c:950 [inline]
 __arm64_compat_sys_ioctl+0x1d4/0x21c fs/ioctl.c:950
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:49
 el0_svc_common.constprop.0+0xac/0x230 arch/arm64/kernel/syscall.c:132
 do_el0_svc_compat+0x40/0x68 arch/arm64/kernel/syscall.c:157
 el0_svc_compat+0x4c/0x17c arch/arm64/kernel/entry-common.c:852
 el0t_32_sync_handler+0x98/0x13c arch/arm64/kernel/entry-common.c:862
 el0t_32_sync+0x194/0x198 arch/arm64/kernel/entry.S:603

Freed by task 8244:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:47
 kasan_save_track+0x20/0x3c mm/kasan/common.c:68
 kasan_save_free_info+0x4c/0x74 mm/kasan/generic.c:579
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x50/0x6c mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:2342 [inline]
 slab_free mm/slub.c:4579 [inline]
 kfree+0x130/0x460 mm/slub.c:4727
 binder_free_ref drivers/android/binder.c:1355 [inline]
 binder_deferred_release drivers/android/binder.c:6256 [inline]
 binder_deferred_func+0xb3c/0x10d0 drivers/android/binder.c:6296
 process_one_work+0x7b8/0x189c kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x730/0xb74 kernel/workqueue.c:3391
 kthread+0x27c/0x300 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860

The buggy address belongs to the object at ffff000017af7900
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 8 bytes inside of
 freed 64-byte region [ffff000017af7900, ffff000017af7940)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x57af7
flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 01ffc00000000000 ffff00000d4018c0 fffffdffc060e9c0 dead000000000002
raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff000017af7800: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff000017af7880: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
>ffff000017af7900: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                      ^
 ffff000017af7980: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
 ffff000017af7a00: 00 00 00 00 00 00 00 05 fc fc fc fc fc fc fc fc
==================================================================
Unable to handle kernel paging request at virtual address e08a006300000406
KASAN: maybe wild-memory-access in range [0x0454031800002030-0x0454031800002037]
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[e08a006300000406] address between user and kernel address ranges
Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 UID: 0 PID: 8244 Comm: kworker/0:1 Tainted: G B 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0
Tainted: [B]=BAD_PAGE
Hardware name: linux,dummy-virt (DT)
Workqueue: events binder_deferred_func
pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __list_del_entry_valid_or_report+0x7c/0x198 lib/list_debug.c:62
lr : __list_del_entry_valid_or_report+0x168/0x198 lib/list_debug.c:50
sp : ffff80008db279b0
x29: ffff80008db279b0 x28: ffff800085de1e60 x27: ffff800085de1ea0
x26: 0000000000000001 x25: 1fffe00002c17c1b x24: ffff0000160be2d0
x23: ffff0000160be0d8 x22: ffff800085de3fe0 x21: ffff800085de1de0
x20: dfff800000000000 x19: ffff0000252eff00 x18: 00000000966a1e90
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000000 x13: 205d343432385420 x12: ffff700011b64f34
x11: 1ffff00011b64f33 x10: ffff700011b64f33 x9 : dfff800000000000
x8 : ffff80008db279a0 x7 : 0000000000000000 x6 : ffff700011b64f28
x5 : ffff80008db27940 x4 : 0000000000000000 x3 : 0454031800002034
x2 : 008a806300000406 x1 : ffff000017af7900 x0 : dfff800000000000
Call trace:
 __list_del_entry_valid_or_report+0x7c/0x198 lib/list_debug.c:62
 __list_del_entry_valid include/linux/list.h:124 [inline]
 __list_del_entry include/linux/list.h:215 [inline]
 list_del_init include/linux/list.h:287 [inline]
 binder_dequeue_work_head_ilocked drivers/android/binder.c:540 [inline]
 binder_release_work+0x94/0x414 drivers/android/binder.c:5110
 binder_deferred_release drivers/android/binder.c:6261 [inline]
 binder_deferred_func+0xbac/0x10d0 drivers/android/binder.c:6296
 process_one_work+0x7b8/0x189c kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x730/0xb74 kernel/workqueue.c:3391
 kthread+0x27c/0x300 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Code: 540004e0 d343fc62 d2d00000 f2fbffe0 (38e06840)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	540004e0 	b.eq	0x9c  // b.none
   4:	d343fc62 	lsr	x2, x3, #3
   8:	d2d00000 	mov	x0, #0x800000000000	// #140737488355328
   c:	f2fbffe0 	movk	x0, #0xdfff, lsl #48
* 10:	38e06840 	ldrsb	w0, [x2, x0] <-- trapping instruction