syzbot

==================================================================
BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x1d4/0x200 lib/list_debug.c:62
Read of size 8 at addr ffff88805ea58558 by task syz.0.694/8928

CPU: 1 UID: 0 PID: 8928 Comm: syz.0.694 Not tainted 6.16.0-rc2-syzkaller-00269-g11313e2f7812 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xcd/0x680 mm/kasan/report.c:521
 kasan_report+0xe0/0x110 mm/kasan/report.c:634
 __list_del_entry_valid_or_report+0x1d4/0x200 lib/list_debug.c:62
 __list_del_entry_valid include/linux/list.h:124 [inline]
 __list_del_entry include/linux/list.h:215 [inline]
 list_del_init include/linux/list.h:287 [inline]
 bt_accept_unlink+0x34/0x2e0 net/bluetooth/af_bluetooth.c:259
 l2cap_sock_teardown_cb+0x1a3/0x3c0 net/bluetooth/l2cap_sock.c:1613
 l2cap_chan_del+0xbd/0x8f0 net/bluetooth/l2cap_core.c:655
 l2cap_conn_del+0x37a/0x730 net/bluetooth/l2cap_core.c:1787
 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:7302 [inline]
 l2cap_disconn_cfm+0x96/0xd0 net/bluetooth/l2cap_core.c:7295
 hci_disconn_cfm include/net/bluetooth/hci_core.h:2069 [inline]
 hci_conn_hash_flush+0x10e/0x260 net/bluetooth/hci_conn.c:2560
 hci_dev_close_sync+0x602/0x11d0 net/bluetooth/hci_sync.c:5250
 hci_dev_do_close+0x2e/0x90 net/bluetooth/hci_core.c:483
 hci_unregister_dev+0x213/0x620 net/bluetooth/hci_core.c:2691
 vhci_release+0x79/0xf0 drivers/bluetooth/hci_vhci.c:665
 __fput+0x3ff/0xb70 fs/file_table.c:465
 task_work_run+0x150/0x240 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x864/0x2bd0 kernel/exit.c:955
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1104
 get_signal+0x2673/0x26d0 kernel/signal.c:3034
 arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
 irqentry_exit_to_user_mode+0x12a/0x270 kernel/entry/common.c:184
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0033:0x7f7935c67d90
Code: Unable to access opcode bytes at 0x7f7935c67d66.
RSP: 002b:00007ffc25ccbec0 EFLAGS: 00000212
RAX: 00007f7935488ad0 RBX: 00007f793546d0b0 RCX: ffffffff81600f88
RDX: ffffffff81600f88 RSI: ffffffff81600f88 RDI: 00007f7935489020
RBP: 00007f793546cb60 R08: 00007f793547adb8 R09: 00007f7935fa2000
R10: 00007f79353ff008 R11: 000000000000000d R12: 00007f793546cb58
R13: 000000000000001d R14: 00007ffc25ccbfe8 R15: 00007f79353ff008
 </TASK>

Allocated by task 8464:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4328 [inline]
 __kmalloc_noprof+0x223/0x510 mm/slub.c:4340
 kmalloc_noprof include/linux/slab.h:909 [inline]
 sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2247
 sk_alloc+0x36/0xc20 net/core/sock.c:2303
 bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:151
 l2cap_sock_alloc.constprop.0+0x33/0x1d0 net/bluetooth/l2cap_sock.c:1891
 l2cap_sock_create+0x123/0x1f0 net/bluetooth/l2cap_sock.c:1933
 bt_sock_create+0x182/0x350 net/bluetooth/af_bluetooth.c:135
 __sock_create+0x335/0x8d0 net/socket.c:1541
 sock_create net/socket.c:1599 [inline]
 __sys_socket_create net/socket.c:1636 [inline]
 __sys_socket+0x14d/0x260 net/socket.c:1683
 __do_sys_socket net/socket.c:1697 [inline]
 __se_sys_socket net/socket.c:1695 [inline]
 __x64_sys_socket+0x72/0xb0 net/socket.c:1695
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 8462:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2381 [inline]
 slab_free mm/slub.c:4643 [inline]
 kfree+0x2b4/0x4d0 mm/slub.c:4842
 sk_prot_free net/core/sock.c:2286 [inline]
 __sk_destruct+0x740/0x980 net/core/sock.c:2381
 sk_destruct+0xc2/0xf0 net/core/sock.c:2409
 __sk_free+0xf4/0x3e0 net/core/sock.c:2420
 sk_free+0x6a/0x90 net/core/sock.c:2431
 sock_put include/net/sock.h:1960 [inline]
 l2cap_sock_kill net/bluetooth/l2cap_sock.c:1265 [inline]
 l2cap_sock_kill+0x171/0x2d0 net/bluetooth/l2cap_sock.c:1250
 l2cap_sock_release+0x189/0x210 net/bluetooth/l2cap_sock.c:1435
 __sock_release+0xb0/0x270 net/socket.c:647
 sock_close+0x1c/0x30 net/socket.c:1391
 __fput+0x3ff/0xb70 fs/file_table.c:465
 task_work_run+0x150/0x240 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop+0xeb/0x110 kernel/entry/common.c:114
 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
 do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88805ea58000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1368 bytes inside of
 freed 2048-byte region [ffff88805ea58000, ffff88805ea58800)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88805ea5b000 pfn:0x5ea58
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000240(workingset|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000240 ffff88801b842000 ffffea00015c3610 ffffea0000dac010
raw: ffff88805ea5b000 0000000000080003 00000000f5000000 0000000000000000
head: 00fff00000000240 ffff88801b842000 ffffea00015c3610 ffffea0000dac010
head: ffff88805ea5b000 0000000000080003 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea00017a9601 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5811, tgid 5811 (syz-executor), ts 64053826853, free_ts 50864812015
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x1321/0x3890 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:4959
 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2419
 alloc_slab_page mm/slub.c:2451 [inline]
 allocate_slab mm/slub.c:2619 [inline]
 new_slab+0x23b/0x330 mm/slub.c:2673
 ___slab_alloc+0xd9c/0x1940 mm/slub.c:3859
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3949
 __slab_alloc_node mm/slub.c:4024 [inline]
 slab_alloc_node mm/slub.c:4185 [inline]
 __do_kmalloc_node mm/slub.c:4327 [inline]
 __kmalloc_node_track_caller_noprof+0x2ee/0x510 mm/slub.c:4347
 kmalloc_reserve+0xef/0x2c0 net/core/skbuff.c:601
 __alloc_skb+0x166/0x380 net/core/skbuff.c:670
 alloc_skb include/linux/skbuff.h:1336 [inline]
 nlmsg_new include/net/netlink.h:1041 [inline]
 rtmsg_ifinfo_build_skb+0x81/0x280 net/core/rtnetlink.c:4390
 rtmsg_ifinfo_event net/core/rtnetlink.c:4432 [inline]
 rtmsg_ifinfo_event net/core/rtnetlink.c:4422 [inline]
 rtmsg_ifinfo+0x9f/0x1a0 net/core/rtnetlink.c:4441
 __dev_notify_flags+0x24c/0x2e0 net/core/dev.c:9493
 rtnl_configure_link+0x1b5/0x280 net/core/rtnetlink.c:3589
 rtnl_newlink_create net/core/rtnetlink.c:3833 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3940 [inline]
 rtnl_newlink+0xcd9/0x2000 net/core/rtnetlink.c:4055
 rtnetlink_rcv_msg+0x95e/0xe90 net/core/rtnetlink.c:6944
page last free pid 5697 tgid 5697 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 __free_frozen_pages+0x7fe/0x1180 mm/page_alloc.c:2706
 discard_slab mm/slub.c:2717 [inline]
 __put_partials+0x16d/0x1c0 mm/slub.c:3186
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4d/0x120 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4148 [inline]
 slab_alloc_node mm/slub.c:4197 [inline]
 __do_kmalloc_node mm/slub.c:4327 [inline]
 __kmalloc_noprof+0x1d4/0x510 mm/slub.c:4340
 kmalloc_noprof include/linux/slab.h:909 [inline]
 tomoyo_realpath_from_path+0xc2/0x6e0 security/tomoyo/realpath.c:251
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x274/0x460 security/tomoyo/file.c:822
 security_inode_getattr+0x116/0x290 security/security.c:2377
 vfs_getattr fs/stat.c:259 [inline]
 vfs_fstat+0x4b/0xe0 fs/stat.c:281
 __do_sys_newfstat+0x87/0x100 fs/stat.c:555
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88805ea58400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88805ea58480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88805ea58500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff88805ea58580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88805ea58600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================