syzbot

BUG: sleeping function called from invalid context at net/core/sock.c:3545
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5232, name: kworker/u9:4
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
6 locks held by kworker/u9:4/5232:
 #0: ffff888022682948 ((wq_completion)hci4#2){+.+.}-{0:0}, at: process_one_work+0x1277/0x1b40 kernel/workqueue.c:3206
 #1: ffffc900032afd80 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1b40 kernel/workqueue.c:3207
 #2: ffff88802cb98078 (&hdev->lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0x118/0xa10 net/bluetooth/hci_event.c:4926
 #3: ffffffff8fc880e8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1962 [inline]
 #3: ffffffff8fc880e8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0x336/0xa10 net/bluetooth/hci_event.c:5009
 #4: ffff8880217dfa20 (&conn->lock#2){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
 #4: ffff8880217dfa20 (&conn->lock#2){+.+.}-{2:2}, at: sco_conn_ready net/bluetooth/sco.c:1277 [inline]
 #4: ffff8880217dfa20 (&conn->lock#2){+.+.}-{2:2}, at: sco_connect_cfm+0x2d1/0xc10 net/bluetooth/sco.c:1362
 #5: ffff88807e735258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1607 [inline]
 #5: ffff88807e735258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_conn_ready net/bluetooth/sco.c:1290 [inline]
 #5: ffff88807e735258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x3ee/0xc10 net/bluetooth/sco.c:1362
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 0 UID: 0 PID: 5232 Comm: kworker/u9:4 Not tainted 6.11.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci4 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:119
 __might_resched+0x3c0/0x5e0 kernel/sched/core.c:8463
 lock_sock_nested+0x4b/0xf0 net/core/sock.c:3545
 lock_sock include/net/sock.h:1607 [inline]
 sco_conn_ready net/bluetooth/sco.c:1290 [inline]
 sco_connect_cfm+0x3ee/0xc10 net/bluetooth/sco.c:1362
 hci_connect_cfm include/net/bluetooth/hci_core.h:1965 [inline]
 hci_sync_conn_complete_evt+0x3a1/0xa10 net/bluetooth/hci_event.c:5009
 hci_event_func net/bluetooth/hci_event.c:7446 [inline]
 hci_event_packet+0x9eb/0x1180 net/bluetooth/hci_event.c:7498
 hci_rx_work+0x2c6/0x1610 net/bluetooth/hci_core.c:4017
 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
==================================================================
BUG: KASAN: slab-use-after-free in __lock_acquire+0x2de0/0x3cb0 kernel/locking/lockdep.c:5007
Read of size 8 at addr ffff88807e7351d8 by task kworker/u9:4/5232

CPU: 0 UID: 0 PID: 5232 Comm: kworker/u9:4 Tainted: G        W          6.11.0-rc5-syzkaller #0
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci4 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 __lock_acquire+0x2de0/0x3cb0 kernel/locking/lockdep.c:5007
 lock_acquire kernel/locking/lockdep.c:5759 [inline]
 lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5724
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
 _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178
 spin_lock_bh include/linux/spinlock.h:356 [inline]
 lock_sock_nested+0x5f/0xf0 net/core/sock.c:3546
 lock_sock include/net/sock.h:1607 [inline]
 sco_conn_ready net/bluetooth/sco.c:1290 [inline]
 sco_connect_cfm+0x3ee/0xc10 net/bluetooth/sco.c:1362
 hci_connect_cfm include/net/bluetooth/hci_core.h:1965 [inline]
 hci_sync_conn_complete_evt+0x3a1/0xa10 net/bluetooth/hci_event.c:5009
 hci_event_func net/bluetooth/hci_event.c:7446 [inline]
 hci_event_packet+0x9eb/0x1180 net/bluetooth/hci_event.c:7498
 hci_rx_work+0x2c6/0x1610 net/bluetooth/hci_core.c:4017
 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 5246:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slub.c:4158 [inline]
 __kmalloc_noprof+0x1e8/0x400 mm/slub.c:4170
 kmalloc_noprof include/linux/slab.h:685 [inline]
 sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2096
 sk_alloc+0x36/0xb90 net/core/sock.c:2149
 bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:148
 sco_sock_alloc net/bluetooth/sco.c:500 [inline]
 sco_sock_create+0xe3/0x3c0 net/bluetooth/sco.c:531
 bt_sock_create+0x182/0x350 net/bluetooth/af_bluetooth.c:132
 __sock_create+0x32e/0x800 net/socket.c:1571
 sock_create net/socket.c:1622 [inline]
 __sys_socket_create net/socket.c:1659 [inline]
 __sys_socket+0x14f/0x260 net/socket.c:1706
 __do_sys_socket net/socket.c:1720 [inline]
 __se_sys_socket net/socket.c:1718 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1718
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5246:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
 poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
 __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2252 [inline]
 slab_free mm/slub.c:4473 [inline]
 kfree+0x12a/0x3b0 mm/slub.c:4594
 sk_prot_free net/core/sock.c:2132 [inline]
 __sk_destruct+0x5eb/0x720 net/core/sock.c:2224
 sk_destruct+0xc2/0xf0 net/core/sock.c:2239
 __sk_free+0xf4/0x3e0 net/core/sock.c:2250
 sk_free+0x6a/0x90 net/core/sock.c:2261
 sock_put include/net/sock.h:1884 [inline]
 sco_sock_kill net/bluetooth/sco.c:431 [inline]
 sco_sock_kill+0x11a/0x1c0 net/bluetooth/sco.c:421
 sco_sock_release+0x154/0x2d0 net/bluetooth/sco.c:1259
 __sock_release+0xb0/0x270 net/socket.c:659
 sock_close+0x1c/0x30 net/socket.c:1421
 __fput+0x408/0xbb0 fs/file_table.c:422
 __fput_sync+0x47/0x50 fs/file_table.c:507
 __do_sys_close fs/open.c:1566 [inline]
 __se_sys_close fs/open.c:1551 [inline]
 __x64_sys_close+0x86/0x100 fs/open.c:1551
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88807e735000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 472 bytes inside of
 freed 2048-byte region [ffff88807e735000, ffff88807e735800)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7e730
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xfdffffff(slab)
raw: 00fff00000000040 ffff888015842000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000080008 00000001fdffffff 0000000000000000
head: 00fff00000000040 ffff888015842000 dead000000000122 0000000000000000
head: 0000000000000000 0000000000080008 00000001fdffffff 0000000000000000
head: 00fff00000000003 ffffea0001f9cc01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5210, tgid 5210 (strace-static-x), ts 79502271719, free_ts 79437350591
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1493
 prep_new_page mm/page_alloc.c:1501 [inline]
 get_page_from_freelist+0x1351/0x2e50 mm/page_alloc.c:3439
 __alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4695
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 alloc_slab_page+0x4e/0xf0 mm/slub.c:2321
 allocate_slab mm/slub.c:2484 [inline]
 new_slab+0x84/0x260 mm/slub.c:2537
 ___slab_alloc+0xdac/0x1870 mm/slub.c:3723
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3813
 __slab_alloc_node mm/slub.c:3866 [inline]
 slab_alloc_node mm/slub.c:4025 [inline]
 __do_kmalloc_node mm/slub.c:4157 [inline]
 __kmalloc_noprof+0x367/0x400 mm/slub.c:4170
 kmalloc_noprof include/linux/slab.h:685 [inline]
 sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2096
 sk_alloc+0x36/0xb90 net/core/sock.c:2149
 __netlink_create+0x5e/0x2c0 net/netlink/af_netlink.c:646
 netlink_create+0x3a4/0x630 net/netlink/af_netlink.c:704
 __sock_create+0x32e/0x800 net/socket.c:1571
 sock_create net/socket.c:1622 [inline]
 __sys_socket_create net/socket.c:1659 [inline]
 __sys_socket+0x14f/0x260 net/socket.c:1706
 __do_sys_socket net/socket.c:1720 [inline]
 __se_sys_socket net/socket.c:1718 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1718
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
page last free pid 5210 tgid 5210 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1094 [inline]
 free_unref_page+0x64a/0xe40 mm/page_alloc.c:2612
 __put_partials+0x14c/0x170 mm/slub.c:3051
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3988 [inline]
 slab_alloc_node mm/slub.c:4037 [inline]
 kmem_cache_alloc_noprof+0x121/0x2f0 mm/slub.c:4044
 getname_flags.part.0+0x4c/0x550 fs/namei.c:139
 getname_flags+0x93/0xf0 include/linux/audit.h:322
 user_path_at+0x24/0x60 fs/namei.c:3001
 path_getxattr+0x9d/0x1a0 fs/xattr.c:785
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88807e735080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807e735100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807e735180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff88807e735200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807e735280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================