syzbot

==================================================================
BUG: KASAN: slab-out-of-bounds in __list_del_entry_valid+0x80/0x120 lib/list_debug.c:59
Read of size 8 at addr ffff88806248f520 by task syz-executor/4184

CPU: 1 PID: 4184 Comm: syz-executor Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
 print_address_description+0x60/0x2d0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xdf/0x130 mm/kasan/report.c:451
 __list_del_entry_valid+0x80/0x120 lib/list_debug.c:59
 __list_del_entry include/linux/list.h:132 [inline]
 list_del_init include/linux/list.h:204 [inline]
 bt_accept_unlink+0x35/0x230 net/bluetooth/af_bluetooth.c:209
 l2cap_sock_teardown_cb+0x1af/0x380 net/bluetooth/l2cap_sock.c:1591
 l2cap_chan_del+0xab/0x620 net/bluetooth/l2cap_core.c:655
 l2cap_conn_del+0x3c1/0x6a0 net/bluetooth/l2cap_core.c:1930
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1520 [inline]
 hci_conn_hash_flush+0x107/0x220 net/bluetooth/hci_conn.c:1622
 hci_dev_do_close+0x991/0x1030 net/bluetooth/hci_core.c:1795
 hci_unregister_dev+0x2d7/0x580 net/bluetooth/hci_core.c:4040
 vhci_release+0x73/0xc0 drivers/bluetooth/hci_vhci.c:345
 __fput+0x234/0x930 fs/file_table.c:311
 task_work_run+0x125/0x1a0 kernel/task_work.c:188
 exit_task_work include/linux/task_work.h:33 [inline]
 do_exit+0x61e/0x20a0 kernel/exit.c:883
 do_group_exit+0x12e/0x300 kernel/exit.c:997
 get_signal+0x6ca/0x12c0 kernel/signal.c:2900
 arch_do_signal_or_restart+0xc1/0x1300 arch/x86/kernel/signal.c:867
 handle_signal_work kernel/entry/common.c:154 [inline]
 exit_to_user_mode_loop+0x9e/0x130 kernel/entry/common.c:178
 exit_to_user_mode_prepare+0xee/0x180 kernel/entry/common.c:214
 __syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline]
 syscall_exit_to_user_mode+0x16/0x40 kernel/entry/common.c:307
 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f45cbb268dc
Code: Unable to access opcode bytes at RIP 0x7f45cbb268b2.
RSP: 002b:00007ffcd46ff7d0 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: fffffffffffffe00 RBX: 00000000ffffffff RCX: 00007f45cbb268dc
RDX: 0000000000000030 RSI: 00007ffcd46ff890 RDI: 00000000000000f9
RBP: 00007ffcd46ff83c R08: 0000000000000000 R09: 0079746972756365
R10: 00007f45cbd4d800 R11: 0000000000000246 R12: 0000000000000258
R13: 0000000000000000 R14: 00000000000f9672 R15: 00007ffcd46ff890
 </TASK>

Allocated by task 4968:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 __kasan_kmalloc+0xb5/0xf0 mm/kasan/common.c:522
 kmalloc_reserve net/core/skbuff.c:356 [inline]
 __alloc_skb+0x22c/0x750 net/core/skbuff.c:427
 alloc_skb include/linux/skbuff.h:1162 [inline]
 nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:664 [inline]
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:721 [inline]
 nsim_dev_trap_report_work+0x2a1/0xb40 drivers/net/netdevsim/dev.c:762
 process_one_work+0x863/0x1000 kernel/workqueue.c:2310
 worker_thread+0xaa8/0x12a0 kernel/workqueue.c:2457
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

Freed by task 4968:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:46
 kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
 ____kasan_slab_free+0xd5/0x110 mm/kasan/common.c:366
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1710 [inline]
 slab_free_freelist_hook+0xea/0x170 mm/slub.c:1736
 slab_free mm/slub.c:3504 [inline]
 kfree+0xef/0x2a0 mm/slub.c:4564
 skb_free_head net/core/skbuff.c:655 [inline]
 skb_release_data+0x6fe/0x850 net/core/skbuff.c:677
 skb_release_all net/core/skbuff.c:742 [inline]
 __kfree_skb net/core/skbuff.c:756 [inline]
 consume_skb+0xa2/0x100 net/core/skbuff.c:914
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:737 [inline]
 nsim_dev_trap_report_work+0x7cb/0xb40 drivers/net/netdevsim/dev.c:762
 process_one_work+0x863/0x1000 kernel/workqueue.c:2310
 worker_thread+0xaa8/0x12a0 kernel/workqueue.c:2457
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

The buggy address belongs to the object at ffff88806248e000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 1312 bytes to the right of
 4096-byte region [ffff88806248e000, ffff88806248f000)
The buggy address belongs to the page:
page:ffffea0001892200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x62488
head:ffffea0001892200 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888016842140
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 4968, ts 1021456979052, free_ts 1017669431337
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x1b77/0x1c60 mm/page_alloc.c:4192
 __alloc_pages+0x1e1/0x470 mm/page_alloc.c:5487
 alloc_slab_page mm/slub.c:1780 [inline]
 allocate_slab mm/slub.c:1917 [inline]
 new_slab+0xc0/0x4b0 mm/slub.c:1980
 ___slab_alloc+0x81e/0xdf0 mm/slub.c:3013
 __slab_alloc mm/slub.c:3100 [inline]
 slab_alloc_node mm/slub.c:3191 [inline]
 __kmalloc_node_track_caller+0x1fc/0x3a0 mm/slub.c:4963
 kmalloc_reserve net/core/skbuff.c:356 [inline]
 __alloc_skb+0x22c/0x750 net/core/skbuff.c:427
 alloc_skb include/linux/skbuff.h:1162 [inline]
 nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:664 [inline]
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:721 [inline]
 nsim_dev_trap_report_work+0x2a1/0xb40 drivers/net/netdevsim/dev.c:762
 process_one_work+0x863/0x1000 kernel/workqueue.c:2310
 worker_thread+0xaa8/0x12a0 kernel/workqueue.c:2457
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0x637/0x6c0 mm/page_alloc.c:3317
 free_unref_page+0x94/0x280 mm/page_alloc.c:3396
 __vunmap+0x8ab/0xa40 mm/vmalloc.c:2628
 kcov_mmap+0x89/0x120 kernel/kcov.c:498
 call_mmap include/linux/fs.h:2177 [inline]
 mmap_file+0x5d/0xb0 mm/util.c:1092
 __mmap_region mm/mmap.c:1796 [inline]
 mmap_region+0xf8f/0x1660 mm/mmap.c:2933
 do_mmap+0x81f/0xea0 mm/mmap.c:1586
 vm_mmap_pgoff+0x1b2/0x2b0 mm/util.c:551
 ksys_mmap_pgoff+0x542/0x780 mm/mmap.c:1635
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Memory state around the buggy address:
 ffff88806248f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88806248f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88806248f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                               ^
 ffff88806248f580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88806248f600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================