------------[ cut here ]------------
kernel BUG at drivers/android/binder.c:1173!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 UID: 0 PID: 3715 Comm: syz.0.122 Not tainted 6.11.0-rc2-syzkaller-00257-g5189dafa4cf9 #0
Hardware name: linux,dummy-virt (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : binder_get_ref_for_node_olocked drivers/android/binder.c:1173 [inline]
pc : binder_inc_ref_for_node+0xdcc/0xe6c drivers/android/binder.c:1476
lr : binder_get_ref_for_node_olocked drivers/android/binder.c:1160 [inline]
lr : binder_inc_ref_for_node+0x500/0xe6c drivers/android/binder.c:1476
sp : ffff80008ec877f0
x29: ffff80008ec877f0 x28: ffff00000e4a3900 x27: ffff000011636010
x26: ffff000011636020 x25: 0000000000000000 x24: ffff000014725ae0
x23: ffff000011636e04 x22: ffff800085d35b20 x21: ffff800085d36c20
x20: ffff80008ec87a20 x19: ffff000014725800 x18: 00000000cf7dd805
x17: ffff0000115c0000 x16: 0000000000000000 x15: ffff0000115c0a80
x14: 1fffe000022b814f x13: 1fffe000022b8159 x12: ffff700011345935
x11: 1ffff00011345934 x10: ffff700011345934 x9 : dfff800000000000
x8 : 0000000000000003 x7 : 0000000000000001 x6 : ffff700011345934
x5 : ffff800089a2c9a0 x4 : 1fffe000022c6dcb x3 : dfff800000000000
x2 : 0000000000000000 x1 : 0000000000000007 x0 : 0000000000000000
Call trace:
 get_ref_desc_olocked drivers/android/binder.c:1078 [inline]
 binder_get_ref_for_node_olocked drivers/android/binder.c:1152 [inline]
 binder_inc_ref_for_node+0xdcc/0xe6c drivers/android/binder.c:1476
 binder_thread_write+0xa64/0x39f4 drivers/android/binder.c:3944
 binder_ioctl_write_read drivers/android/binder.c:5161 [inline]
 binder_ioctl+0x1d8c/0x2ef8 drivers/android/binder.c:5447
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl fs/ioctl.c:893 [inline]
 __arm64_sys_ioctl+0x124/0x190 fs/ioctl.c:893
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:49
 el0_svc_common.constprop.0+0xac/0x230 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x40/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x50/0x180 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
Code: d2d00004 f94043e0 f2fbffe4 17fffd36 (d4210000)
---[ end trace 0000000000000000 ]---