==================================================================
BUG: KASAN: slab-out-of-bounds in __list_del_entry_valid+0xcc/0xf0 lib/list_debug.c:42
Read of size 8 at addr ffff88801ecd50b8 by task kworker/u16:5/3888

CPU: 3 PID: 3888 Comm: kworker/u16:5 Not tainted 5.18.0-syzkaller-12007-g17d8e3d90b69 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Workqueue: netns cleanup_net
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xeb/0x467 mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
 __list_del_entry_valid+0xcc/0xf0 lib/list_debug.c:42
 __list_del_entry include/linux/list.h:134 [inline]
 list_del include/linux/list.h:148 [inline]
 cttimeout_net_exit+0x211/0x540 net/netfilter/nfnetlink_cttimeout.c:617
 ops_exit_list+0xb0/0x170 net/core/net_namespace.c:162
 cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:594
 process_one_work+0x996/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
 </TASK>

Allocated by task 7528:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524
 kasan_kmalloc include/linux/kasan.h:234 [inline]
 __do_kmalloc mm/slab.c:3696 [inline]
 __kmalloc+0x209/0x4d0 mm/slab.c:3705
 kmalloc include/linux/slab.h:605 [inline]
 kzalloc include/linux/slab.h:733 [inline]
 cttimeout_new_timeout+0x51f/0xa50 net/netfilter/nfnetlink_cttimeout.c:156
 nfnetlink_rcv_msg+0xbcd/0x13f0 net/netfilter/nfnetlink.c:297
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2501
 nfnetlink_rcv+0x1ac/0x420 net/netfilter/nfnetlink.c:655
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x917/0xe10 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:734
 ____sys_sendmsg+0x6eb/0x810 net/socket.c:2492
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2546
 __sys_sendmsg net/socket.c:2575 [inline]
 __do_sys_sendmsg net/socket.c:2584 [inline]
 __se_sys_sendmsg net/socket.c:2582 [inline]
 __x64_sys_sendmsg+0x132/0x220 net/socket.c:2582
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

The buggy address belongs to the object at ffff88801ecd5000
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 56 bytes to the right of
 128-byte region [ffff88801ecd5000, ffff88801ecd5080)

The buggy address belongs to the physical page:
page:ffffea00007b3540 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801ecd5b00 pfn:0x1ecd5
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea000069e708 ffffea00006c1ac8 ffff888010c40400
raw: ffff88801ecd5b00 ffff88801ecd5000 000000010000000d 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x242220(__GFP_HIGH|__GFP_ATOMIC|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 5931, tgid 5929 (syz-executor.3), ts 214986674972, free_ts 206286789442
 prep_new_page mm/page_alloc.c:2456 [inline]
 get_page_from_freelist+0x1290/0x3b70 mm/page_alloc.c:4198
 __alloc_pages_slowpath.constprop.0+0x2e9/0x2160 mm/page_alloc.c:4973
 __alloc_pages+0x436/0x510 mm/page_alloc.c:5439
 __alloc_pages_node include/linux/gfp.h:587 [inline]
 kmem_getpages mm/slab.c:1363 [inline]
 cache_grow_begin+0x75/0x350 mm/slab.c:2569
 cache_alloc_refill+0x27f/0x380 mm/slab.c:2942
 ____cache_alloc mm/slab.c:3024 [inline]
 ____cache_alloc mm/slab.c:3007 [inline]
 __do_cache_alloc mm/slab.c:3253 [inline]
 slab_alloc mm/slab.c:3295 [inline]
 __do_kmalloc mm/slab.c:3694 [inline]
 __kmalloc_track_caller+0x3b0/0x4d0 mm/slab.c:3711
 __do_krealloc mm/slab_common.c:1185 [inline]
 krealloc+0x87/0xf0 mm/slab_common.c:1218
 nf_ct_ext_add+0x19f/0x3d0 net/netfilter/nf_conntrack_extend.c:117
 nf_ct_labels_ext_add include/net/netfilter/nf_conntrack_labels.h:45 [inline]
 init_conntrack.constprop.0+0x563/0x1270 net/netfilter/nf_conntrack_core.c:1734
 resolve_normal_ct net/netfilter/nf_conntrack_core.c:1830 [inline]
 nf_conntrack_in+0xc86/0x1790 net/netfilter/nf_conntrack_core.c:1985
 ipv4_conntrack_local+0x113/0x260 net/netfilter/nf_conntrack_proto.c:213
 nf_hook_entry_hookfn include/linux/netfilter.h:142 [inline]
 nf_hook_slow+0xc5/0x1f0 net/netfilter/core.c:620
 nf_hook+0x1cb/0x5b0 include/linux/netfilter.h:262
 __ip_local_out+0x262/0x520 net/ipv4/ip_output.c:115
 ip_local_out net/ipv4/ip_output.c:124 [inline]
 __ip_queue_xmit+0x853/0x1be0 net/ipv4/ip_output.c:532
 dccp_transmit_skb+0x7e9/0x1420 net/dccp/output.c:138
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1371 [inline]
 free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1421
 free_unref_page_prepare mm/page_alloc.c:3343 [inline]
 free_unref_page+0x19/0x6a0 mm/page_alloc.c:3438
 slab_destroy mm/slab.c:1615 [inline]
 slabs_destroy+0x89/0xc0 mm/slab.c:1635
 cache_flusharray mm/slab.c:3397 [inline]
 ___cache_free+0x34e/0x670 mm/slab.c:3460
 qlink_free mm/kasan/quarantine.c:168 [inline]
 qlist_free_all+0x4f/0x1b0 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294
 ____kasan_kmalloc mm/kasan/common.c:481 [inline]
 __kasan_kmalloc+0xba/0xd0 mm/kasan/common.c:524
 kasan_kmalloc include/linux/kasan.h:234 [inline]
 __do_kmalloc mm/slab.c:3696 [inline]
 __kmalloc+0x209/0x4d0 mm/slab.c:3705
 kmalloc include/linux/slab.h:605 [inline]
 kzalloc include/linux/slab.h:733 [inline]
 tomoyo_encode2.part.0+0xe9/0x3a0 security/tomoyo/realpath.c:45
 tomoyo_encode2 security/tomoyo/realpath.c:31 [inline]
 tomoyo_encode+0x28/0x50 security/tomoyo/realpath.c:80
 tomoyo_path_perm+0x368/0x400 security/tomoyo/file.c:831
 tomoyo_path_symlink+0x94/0xe0 security/tomoyo/tomoyo.c:199
 security_path_symlink+0xdf/0x150 security/security.c:1182
 do_symlinkat+0x106/0x2e0 fs/namei.c:4372
 __do_sys_symlinkat fs/namei.c:4394 [inline]
 __se_sys_symlinkat fs/namei.c:4391 [inline]
 __x64_sys_symlinkat+0x93/0xc0 fs/namei.c:4391
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80

Memory state around the buggy address:
 ffff88801ecd4f80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff88801ecd5000: 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fc fc
>ffff88801ecd5080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                        ^
 ffff88801ecd5100: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
 ffff88801ecd5180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================