==================================================================
BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x154/0x198 lib/list_debug.c:49
Read of size 8 at addr ffff000016037408 by task kworker/0:1/7762

CPU: 0 UID: 0 PID: 7762 Comm: kworker/0:1 Not tainted 6.12.0-rc7-syzkaller-00070-g0a9b9d17f3a7 #0
Hardware name: linux,dummy-virt (DT)
Workqueue: events binder_deferred_func
Call trace:
 dump_backtrace+0x9c/0x11c arch/arm64/kernel/stacktrace.c:319
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:326
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xa4/0xf4 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xf4/0x5a4 mm/kasan/report.c:488
 kasan_report+0xc8/0x108 mm/kasan/report.c:601
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 __list_del_entry_valid_or_report+0x154/0x198 lib/list_debug.c:49
 __list_del_entry_valid include/linux/list.h:124 [inline]
 __list_del_entry include/linux/list.h:215 [inline]
 list_del_init include/linux/list.h:287 [inline]
 binder_dequeue_work_head_ilocked drivers/android/binder.c:540 [inline]
 binder_release_work+0x94/0x414 drivers/android/binder.c:5110
 binder_deferred_release drivers/android/binder.c:6261 [inline]
 binder_deferred_func+0xbac/0x10d0 drivers/android/binder.c:6296
 process_one_work+0x7b8/0x189c kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x730/0xb74 kernel/workqueue.c:3391
 kthread+0x27c/0x300 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860

Allocated by task 9598:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:47
 kasan_save_track+0x20/0x3c mm/kasan/common.c:68
 kasan_save_alloc_info+0x40/0x54 mm/kasan/generic.c:565
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xb8/0xbc mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:257 [inline]
 __kmalloc_cache_noprof+0x188/0x2f8 mm/slub.c:4295
 kmalloc_noprof include/linux/slab.h:878 [inline]
 kzalloc_noprof include/linux/slab.h:1014 [inline]
 binder_request_freeze_notification drivers/android/binder.c:3855 [inline]
 binder_thread_write+0xd60/0x4b40 drivers/android/binder.c:4485
 binder_ioctl_write_read drivers/android/binder.c:5387 [inline]
 binder_ioctl+0x2120/0x2f64 drivers/android/binder.c:5718
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl fs/ioctl.c:893 [inline]
 __arm64_sys_ioctl+0x124/0x190 fs/ioctl.c:893
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x6c/0x258 arch/arm64/kernel/syscall.c:49
 el0_svc_common.constprop.0+0xac/0x230 arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x40/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x50/0x180 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x100/0x12c arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

Freed by task 7762:
 kasan_save_stack+0x3c/0x64 mm/kasan/common.c:47
 kasan_save_track+0x20/0x3c mm/kasan/common.c:68
 kasan_save_free_info+0x4c/0x74 mm/kasan/generic.c:579
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x50/0x6c mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:2342 [inline]
 slab_free mm/slub.c:4579 [inline]
 kfree+0x130/0x460 mm/slub.c:4727
 binder_free_ref drivers/android/binder.c:1355 [inline]
 binder_deferred_release drivers/android/binder.c:6256 [inline]
 binder_deferred_func+0xb3c/0x10d0 drivers/android/binder.c:6296
 process_one_work+0x7b8/0x189c kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x730/0xb74 kernel/workqueue.c:3391
 kthread+0x27c/0x300 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860

The buggy address belongs to the object at ffff000016037400
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 8 bytes inside of
 freed 64-byte region [ffff000016037400, ffff000016037440)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x56037
flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 01ffc00000000000 ffff00000d4018c0 fffffdffc05947c0 dead000000000002
raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff000016037300: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
 ffff000016037380: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff000016037400: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                   ^
 ffff000016037480: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
 ffff000016037500: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
==================================================================
Unable to handle kernel paging request at virtual address e0e1c066000003ca
KASAN: maybe wild-memory-access in range [0x0712033000001e50-0x0712033000001e57]
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[e0e1c066000003ca] address between user and kernel address ranges
Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 UID: 0 PID: 7762 Comm: kworker/0:1 Tainted: G    B              6.12.0-rc7-syzkaller-00070-g0a9b9d17f3a7 #0
Tainted: [B]=BAD_PAGE
Hardware name: linux,dummy-virt (DT)
Workqueue: events binder_deferred_func
pstate: 00000005 (nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __list_del_entry_valid_or_report+0x7c/0x198 lib/list_debug.c:62
lr : __list_del_entry_valid_or_report+0x168/0x198 lib/list_debug.c:50
sp : ffff8000a1c579b0
x29: ffff8000a1c579b0 x28: ffff800085de12a0 x27: ffff800085de12e0
x26: 0000000000000002 x25: 1fffe00002e0391b x24: ffff00001701cad0
x23: ffff00001701c8d8 x22: ffff800085de3420 x21: ffff800085de1220
x20: dfff800000000000 x19: ffff000012347f00 x18: 00000000397b8e18
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000000 x13: 205d323637375420 x12: ffff70001438af34
x11: 1ffff0001438af33 x10: ffff70001438af33 x9 : dfff800000000000
x8 : ffff8000a1c579a0 x7 : 0000000000000000 x6 : ffff70001438af28
x5 : ffff8000a1c57940 x4 : 0000000000000000 x3 : 0712033000001e52
x2 : 00e24066000003ca x1 : ffff000016037400 x0 : dfff800000000000
Call trace:
 __list_del_entry_valid_or_report+0x7c/0x198 lib/list_debug.c:62
 __list_del_entry_valid include/linux/list.h:124 [inline]
 __list_del_entry include/linux/list.h:215 [inline]
 list_del_init include/linux/list.h:287 [inline]
 binder_dequeue_work_head_ilocked drivers/android/binder.c:540 [inline]
 binder_release_work+0x94/0x414 drivers/android/binder.c:5110
 binder_deferred_release drivers/android/binder.c:6261 [inline]
 binder_deferred_func+0xbac/0x10d0 drivers/android/binder.c:6296
 process_one_work+0x7b8/0x189c kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x730/0xb74 kernel/workqueue.c:3391
 kthread+0x27c/0x300 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Code: 540004e0 d343fc62 d2d00000 f2fbffe0 (38e06840)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	540004e0 	b.eq	0x9c  // b.none
   4:	d343fc62 	lsr	x2, x3, #3
   8:	d2d00000 	mov	x0, #0x800000000000           	// #140737488355328
   c:	f2fbffe0 	movk	x0, #0xdfff, lsl #48
* 10:	38e06840 	ldrsb	w0, [x2, x0] <-- trapping instruction