==================================================================
BUG: KASAN: global-out-of-bounds in ref_tracker_free+0x570/0x694 lib/ref_tracker.c:244
Read of size 1 at addr ffff8000974c08b0 by task ksoftirqd/0/15

CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x254 mm/kasan/report.c:408
 print_report+0x68/0x84 mm/kasan/report.c:521
 kasan_report+0xb0/0x110 mm/kasan/report.c:634
 __asan_report_load1_noabort+0x20/0x2c mm/kasan/report_generic.c:378
 ref_tracker_free+0x570/0x694 lib/ref_tracker.c:244
 netdev_tracker_free include/linux/netdevice.h:4351 [inline]
 netdev_put include/linux/netdevice.h:4368 [inline]
 in_dev_finish_destroy+0x94/0x1a4 net/ipv4/devinet.c:258
 in_dev_put include/linux/inetdevice.h:290 [inline]
 inet_rcu_free_ifa+0x84/0xf4 net/ipv4/devinet.c:228
 rcu_do_batch kernel/rcu/tree.c:2568 [inline]
 rcu_core+0x848/0x17a4 kernel/rcu/tree.c:2824
 rcu_core_si+0x10/0x1c kernel/rcu/tree.c:2841
 handle_softirqs+0x328/0xc88 kernel/softirq.c:579
 run_ksoftirqd+0x70/0xc0 kernel/softirq.c:968
 smpboot_thread_fn+0x4d8/0x9cc kernel/smpboot.c:164
 kthread+0x5fc/0x75c kernel/kthread.c:464
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847

The buggy address belongs to the variable:
 binder_devices+0x10/0x20

The buggy address belongs to the virtual mapping at
 [ffff80008f290000, ffff800097531000) created by:
 declare_kernel_vmas+0xa8/0xb8 arch/arm64/mm/mmu.c:774

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2100c0
flags: 0x5ffc00000002000(reserved|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000002000 fffffdffc7403008 fffffdffc7403008 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8000974c0780: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
 ffff8000974c0800: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
>ffff8000974c0880: f9 f9 f9 f9 00 f9 f9 f9 00 00 f9 f9 00 00 00 00
                                     ^
 ffff8000974c0900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8000974c0980: 00 00 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9
==================================================================
list_del corruption, ffff8000974c08a0->prev is NULL
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:55!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
Modules linked in:
CPU: 0 UID: 0 PID: 15 Comm: ksoftirqd/0 Tainted: G B 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
pstate: 604000c5 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __list_del_entry_valid_or_report+0xfc/0x1b4 lib/list_debug.c:54
lr : __list_del_entry_valid_or_report+0xfc/0x1b4 lib/list_debug.c:54
sp : ffff800097687860
x29: ffff800097687860 x28: ffff800089947078 x27: 000000000000000a
x26: dfff800000000000 x25: ffff700012ed0f18 x24: 1ffff00012e98116
x23: ffff8000974c08b0 x22: dfff800000000000 x21: 0000000000000000
x20: ffff0000d5b25000 x19: ffff8000974c08a0 x18: 1fffe0003386aa76
x17: 0000000000000000 x16: ffff80008adbe9e4 x15: 0000000000000001
x14: 1fffe0003386aae2 x13: 0000000000000000 x12: 0000000000000000
x11: ffff60003386aae3 x10: 0000000000ff0100 x9 : 5496030a5a49a600
x8 : 5496030a5a49a600 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff8000976871f8 x4 : ffff80008f415ba0 x3 : ffff8000807b4b68
x2 : 0000000000000001 x1 : 0000000100000101 x0 : 0000000000000033
Call trace:
 __list_del_entry_valid_or_report+0xfc/0x1b4 lib/list_debug.c:54 (P)
 __list_del_entry_valid include/linux/list.h:124 [inline]
 __list_del_entry include/linux/list.h:215 [inline]
 list_move_tail include/linux/list.h:310 [inline]
 ref_tracker_free+0x148/0x694 lib/ref_tracker.c:262
 netdev_tracker_free include/linux/netdevice.h:4351 [inline]
 netdev_put include/linux/netdevice.h:4368 [inline]
 in_dev_finish_destroy+0x94/0x1a4 net/ipv4/devinet.c:258
 in_dev_put include/linux/inetdevice.h:290 [inline]
 inet_rcu_free_ifa+0x84/0xf4 net/ipv4/devinet.c:228
 rcu_do_batch kernel/rcu/tree.c:2568 [inline]
 rcu_core+0x848/0x17a4 kernel/rcu/tree.c:2824
 rcu_core_si+0x10/0x1c kernel/rcu/tree.c:2841
 handle_softirqs+0x328/0xc88 kernel/softirq.c:579
 run_ksoftirqd+0x70/0xc0 kernel/softirq.c:968
 smpboot_thread_fn+0x4d8/0x9cc kernel/smpboot.c:164
 kthread+0x5fc/0x75c kernel/kthread.c:464
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847
Code: b0041e60 913e8000 aa1303e1 97438d92 (d4210000)
---[ end trace 0000000000000000 ]---