------------[ cut here ]------------
kernel BUG at drivers/android/binder.c:1173!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 UID: 0 PID: 4558 Comm: syz.1.468 Not tainted 6.11.0-rc2-syzkaller-00239-g34ac1e82e5a7 #0
Hardware name: linux,dummy-virt (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : binder_get_ref_for_node_olocked drivers/android/binder.c:1173 [inline]
pc : binder_inc_ref_for_node+0xdcc/0xe6c drivers/android/binder.c:1476
lr : binder_get_ref_for_node_olocked drivers/android/binder.c:1160 [inline]
lr : binder_inc_ref_for_node+0x500/0xe6c drivers/android/binder.c:1476
sp : ffff80008c2677b0
x29: ffff80008c2677b0 x28: ffff000012eeea00 x27: ffff000014499f10
x26: ffff000014499f20 x25: 0000000000000000 x24: ffff0000157822e0
x23: ffff000014499d04 x22: ffff800085d35b20 x21: ffff800085d36c20
x20: ffff80008c2679e0 x19: ffff000015782000 x18: 000000002eac1b30
x17: ffff00000bfb3c00 x16: 0000000000000000 x15: ffff00000bfb4680
x14: 1fffe000017f68cf x13: 1fffe000017f68d9 x12: ffff700011345935
x11: 1ffff00011345934 x10: ffff700011345934 x9 : dfff800000000000
x8 : 0000000000000003 x7 : 0000000000000001 x6 : ffff700011345934
x5 : ffff800089a2c9a0 x4 : 1fffe000028933ab x3 : dfff800000000000
x2 : 0000000000000000 x1 : 0000000000000007 x0 : 0000000000000000
Call trace:
 get_ref_desc_olocked drivers/android/binder.c:1078 [inline]
 binder_get_ref_for_node_olocked drivers/android/binder.c:1152 [inline]
 binder_inc_ref_for_node+0xdcc/0xe6c drivers/android/binder.c:1476
 binder_thread_write+0xa64/0x39f4 drivers/android/binder.c:3944
 binder_ioctl_write_read drivers/android/binder.c:5161 [inline]
 binder_ioctl+0x1d8c/0x2ef8 drivers/android/binder.c:5447
 compat_ptr_ioctl+0x5c/0xa4 fs/ioctl.c:946
 __do_compat_sys_ioctl fs/ioctl.c:1007 [inline]
 __se_compat_sys_ioctl fs/ioctl.c:950 [inline]
 __arm64_compat_sys_ioctl+0x1d4/0x21c fs/ioctl.c:950
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:49
 el0_svc_common.constprop.0+0xac/0x230 arch/arm64/kernel/syscall.c:132
 do_el0_svc_compat+0x40/0x68 arch/arm64/kernel/syscall.c:157
 el0_svc_compat+0x4c/0x17c arch/arm64/kernel/entry-common.c:852
 el0t_32_sync_handler+0x98/0x13c arch/arm64/kernel/entry-common.c:862
 el0t_32_sync+0x194/0x198 arch/arm64/kernel/entry.S:603
Code: d2d00004 f94043e0 f2fbffe4 17fffd36 (d4210000)
---[ end trace 0000000000000000 ]---