==================================================================
BUG: KASAN: global-out-of-bounds in ref_tracker_free+0x5e8/0x69c lib/ref_tracker.c:244
Read of size 1 at addr ffff80008d3c9df0 by task kworker/u8:1/26

CPU: 0 UID: 0 PID: 26 Comm: kworker/u8:1 Not tainted 6.15.0-rc4-syzkaller-00291-g2a239ffbebb5 #0 PREEMPT
Hardware name: linux,dummy-virt (DT)
Workqueue: netns cleanup_net
Call trace:
 show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xa4/0xf4 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xf4/0x60c mm/kasan/report.c:521
 kasan_report+0xc8/0x108 mm/kasan/report.c:634
 __asan_report_load1_noabort+0x20/0x2c mm/kasan/report_generic.c:378
 ref_tracker_free+0x5e8/0x69c lib/ref_tracker.c:244
 netdev_tracker_free include/linux/netdevice.h:4351 [inline]
 netdev_put include/linux/netdevice.h:4368 [inline]
 netdev_put include/linux/netdevice.h:4364 [inline]
 in_dev_finish_destroy+0x80/0x180 net/ipv4/devinet.c:258
 in_dev_put include/linux/inetdevice.h:290 [inline]
 inet_rcu_free_ifa+0xac/0xfc net/ipv4/devinet.c:228
 rcu_do_batch kernel/rcu/tree.c:2568 [inline]
 rcu_core+0x910/0x1ab8 kernel/rcu/tree.c:2824
 rcu_core_si+0x10/0x1c kernel/rcu/tree.c:2841
 handle_softirqs+0x2d8/0xdb4 kernel/softirq.c:579
 __do_softirq+0x14/0x20 kernel/softirq.c:613
 ____do_softirq+0x10/0x1c arch/arm64/kernel/irq.c:81
 call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:891
 do_softirq_own_stack+0x1c/0x2c arch/arm64/kernel/irq.c:86
 invoke_softirq kernel/softirq.c:460 [inline]
 __irq_exit_rcu+0x3f8/0x554 kernel/softirq.c:680
 irq_exit_rcu+0x14/0x80 kernel/softirq.c:696
 __el1_irq arch/arm64/kernel/entry-common.c:561 [inline]
 el1_interrupt+0x38/0x54 arch/arm64/kernel/entry-common.c:575
 el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:580
 el1h_64_irq+0x6c/0x70 arch/arm64/kernel/entry.S:596
 __daif_local_irq_restore arch/arm64/include/asm/irqflags.h:175 [inline] (P)
 arch_local_irq_restore arch/arm64/include/asm/irqflags.h:195 [inline] (P)
 lockdep_unregister_key+0xdc/0x148 kernel/locking/lockdep.c:6611 (P)
 __qdisc_destroy+0xd8/0x408 net/sched/sch_generic.c:1080
 qdisc_put+0xc0/0xdc net/sched/sch_generic.c:1106
 shutdown_scheduler_queue+0x74/0xdc net/sched/sch_generic.c:1159
 netdev_for_each_tx_queue include/linux/netdevice.h:2650 [inline]
 dev_shutdown+0xa4/0x3f4 net/sched/sch_generic.c:1491
 unregister_netdevice_many_notify+0x824/0x1be8 net/core/dev.c:11969
 unregister_netdevice_many net/core/dev.c:12046 [inline]
 default_device_exit_batch+0x614/0x88c net/core/dev.c:12538
 ops_exit_list+0xf0/0x140 net/core/net_namespace.c:177
 cleanup_net+0x438/0x93c net/core/net_namespace.c:654
 process_one_work+0x7cc/0x18d4 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x734/0xb84 kernel/workqueue.c:3400
 kthread+0x348/0x5fc kernel/kthread.c:464
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862

The buggy address belongs to the variable:
 binder_devices+0x10/0x40

The buggy address belongs to the virtual mapping at
 [ffff800087080000, ffff80008d431000) created by:
 declare_kernel_vmas arch/arm64/mm/mmu.c:774 [inline]
 paging_init+0x3d4/0x564 arch/arm64/mm/mmu.c:815

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4d5c9
flags: 0x1ffc00000002000(reserved|node=0|zone=0|lastcpupid=0x7ff)
raw: 01ffc00000002000 fffffdffc0357248 fffffdffc0357248 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff80008d3c9c80: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 f9 f9
 ffff80008d3c9d00: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
>ffff80008d3c9d80: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
                                                             ^
 ffff80008d3c9e00: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
 ffff80008d3c9e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
list_del corruption, ffff80008d3c9de0->prev is NULL
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:54!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
Modules linked in:
CPU: 0 UID: 0 PID: 26 Comm: kworker/u8:1 Tainted: G B 6.15.0-rc4-syzkaller-00291-g2a239ffbebb5 #0 PREEMPT
Tainted: [B]=BAD_PAGE
Hardware name: linux,dummy-virt (DT)
Workqueue: netns cleanup_net
pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __list_del_entry_valid_or_report+0xfc/0x1fc lib/list_debug.c:54
lr : __list_del_entry_valid_or_report+0xfc/0x1fc lib/list_debug.c:54
sp : ffff800080007b70
x29: ffff800080007b70 x28: 0000000000000003 x27: 1fffe000027d8565
x26: ffff00000e881e40 x25: ffff000013ec2b20 x24: ffff000013018648
x23: 0000000001fc0237 x22: 0000000000000000 x21: 0000000000000000
x20: ffff00001784d400 x19: ffff80008d3c9de0 x18: ffff80008000787c
x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
x14: 0000000000000000 x13: 0000000000000001 x12: ffff60000d413ad3
x11: 1fffe0000d413ad2 x10: ffff60000d413ad2 x9 : dfff800000000000
x8 : ffff00006a09d693 x7 : 0000000000000001 x6 : ffff60000d413ad2
x5 : ffff00006a09d690 x4 : 1fffe00001d103c9 x3 : 0000000000000000
x2 : 0000000000000000 x1 : ffff00000e881e40 x0 : 0000000000000033
Call trace:
 __list_del_entry_valid_or_report+0xfc/0x1fc lib/list_debug.c:54 (P)
 __list_del_entry_valid include/linux/list.h:124 [inline]
 __list_del_entry include/linux/list.h:215 [inline]
 list_move_tail include/linux/list.h:310 [inline]
 ref_tracker_free+0x164/0x69c lib/ref_tracker.c:262
 netdev_tracker_free include/linux/netdevice.h:4351 [inline]
 netdev_put include/linux/netdevice.h:4368 [inline]
 netdev_put include/linux/netdevice.h:4364 [inline]
 in_dev_finish_destroy+0x80/0x180 net/ipv4/devinet.c:258
 in_dev_put include/linux/inetdevice.h:290 [inline]
 inet_rcu_free_ifa+0xac/0xfc net/ipv4/devinet.c:228
 rcu_do_batch kernel/rcu/tree.c:2568 [inline]
 rcu_core+0x910/0x1ab8 kernel/rcu/tree.c:2824
 rcu_core_si+0x10/0x1c kernel/rcu/tree.c:2841
 handle_softirqs+0x2d8/0xdb4 kernel/softirq.c:579
 __do_softirq+0x14/0x20 kernel/softirq.c:613
 ____do_softirq+0x10/0x1c arch/arm64/kernel/irq.c:81
 call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:891
 do_softirq_own_stack+0x1c/0x2c arch/arm64/kernel/irq.c:86
 invoke_softirq kernel/softirq.c:460 [inline]
 __irq_exit_rcu+0x3f8/0x554 kernel/softirq.c:680
 irq_exit_rcu+0x14/0x80 kernel/softirq.c:696
 __el1_irq arch/arm64/kernel/entry-common.c:561 [inline]
 el1_interrupt+0x38/0x54 arch/arm64/kernel/entry-common.c:575
 el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:580
 el1h_64_irq+0x6c/0x70 arch/arm64/kernel/entry.S:596
 __daif_local_irq_restore arch/arm64/include/asm/irqflags.h:175 [inline] (P)
 arch_local_irq_restore arch/arm64/include/asm/irqflags.h:195 [inline] (P)
 lockdep_unregister_key+0xdc/0x148 kernel/locking/lockdep.c:6611 (P)
 __qdisc_destroy+0xd8/0x408 net/sched/sch_generic.c:1080
 qdisc_put+0xc0/0xdc net/sched/sch_generic.c:1106
 shutdown_scheduler_queue+0x74/0xdc net/sched/sch_generic.c:1159
 netdev_for_each_tx_queue include/linux/netdevice.h:2650 [inline]
 dev_shutdown+0xa4/0x3f4 net/sched/sch_generic.c:1491
 unregister_netdevice_many_notify+0x824/0x1be8 net/core/dev.c:11969
 unregister_netdevice_many net/core/dev.c:12046 [inline]
 default_device_exit_batch+0x614/0x88c net/core/dev.c:12538
 ops_exit_list+0xf0/0x140 net/core/net_namespace.c:177
 cleanup_net+0x438/0x93c net/core/net_namespace.c:654
 process_one_work+0x7cc/0x18d4 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x734/0xb84 kernel/workqueue.c:3400
 kthread+0x348/0x5fc kernel/kthread.c:464
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862
Code: 911f0000 aa1303e1 910a0000 97bbefa8 (d4210000)
---[ end trace 0000000000000000 ]---