[ 446.651298][ T5406] ==================================================================
[ 446.659405][ T5406] BUG: KASAN: slab-use-after-free in sco_conn_del+0xa5/0x310
[ 446.666795][ T5406] Write of size 4 at addr ffff88807bd72080 by task syz-executor.0/5406
[ 446.675026][ T5406]
[ 446.677344][ T5406] CPU: 0 UID: 0 PID: 5406 Comm: syz-executor.0 Not tainted 6.12.0-rc4-syzkaller-gc2ee9f594da8-dirty #0
[ 446.688371][ T5406] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 446.698420][ T5406] Call Trace:
[ 446.701705][ T5406]
[ 446.704629][ T5406] dump_stack_lvl+0x241/0x360
[ 446.709309][ T5406] ? __pfx_dump_stack_lvl+0x10/0x10
[ 446.714506][ T5406] ? __pfx__printk+0x10/0x10
[ 446.719097][ T5406] ? srso_alias_return_thunk+0x5/0xfbef5
[ 446.724750][ T5406] ? _printk+0xd5/0x120
[ 446.728912][ T5406] ? __virt_addr_valid+0x183/0x530
[ 446.734022][ T5406] ? srso_alias_return_thunk+0x5/0xfbef5
[ 446.739660][ T5406] print_report+0x169/0x550
[ 446.744163][ T5406] ? __virt_addr_valid+0x183/0x530
[ 446.749273][ T5406] ? srso_alias_return_thunk+0x5/0xfbef5
[ 446.754912][ T5406] ? __virt_addr_valid+0x45f/0x530
[ 446.760017][ T5406] ? srso_alias_return_thunk+0x5/0xfbef5
[ 446.765776][ T5406] ? __phys_addr+0xba/0x170
[ 446.770286][ T5406] ? sco_conn_del+0xa5/0x310
[ 446.774892][ T5406] kasan_report+0x143/0x180
[ 446.779411][ T5406] ? sco_conn_del+0xa5/0x310
[ 446.784008][ T5406] kasan_check_range+0x282/0x290
[ 446.788950][ T5406] sco_conn_del+0xa5/0x310
[ 446.793364][ T5406] ? srso_alias_return_thunk+0x5/0xfbef5
[ 446.799006][ T5406] ? __pfx_sco_disconn_cfm+0x10/0x10
[ 446.804287][ T5406] hci_conn_hash_flush+0x101/0x240
[ 446.809403][ T5406] hci_dev_close_sync+0x9ef/0x11a0
[ 446.814509][ T5406] hci_unregister_dev+0x20b/0x510
[ 446.819524][ T5406] vhci_release+0x80/0xd0
[ 446.823879][ T5406] ? __pfx_vhci_release+0x10/0x10
[ 446.828894][ T5406] __fput+0x241/0x880
[ 446.832873][ T5406] task_work_run+0x251/0x310
[ 446.837458][ T5406] ? kasan_quarantine_put+0xdc/0x230
[ 446.842759][ T5406] ? __pfx_task_work_run+0x10/0x10
[ 446.847863][ T5406] ? do_exit+0xa2a/0x28e0
[ 446.852187][ T5406] ? srso_alias_return_thunk+0x5/0xfbef5
[ 446.857846][ T5406] ? kmem_cache_free+0x1a2/0x420
[ 446.862785][ T5406] ? do_exit+0xa2a/0x28e0
[ 446.867110][ T5406] do_exit+0xa2f/0x28e0
[ 446.871260][ T5406] ? __pfx_do_exit+0x10/0x10
[ 446.875847][ T5406] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 446.881836][ T5406] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 446.888167][ T5406] ? _raw_spin_unlock_irq+0x23/0x50
[ 446.893356][ T5406] ? srso_alias_return_thunk+0x5/0xfbef5
[ 446.899105][ T5406] ? lockdep_hardirqs_on+0x99/0x150
[ 446.904317][ T5406] do_group_exit+0x207/0x2c0
[ 446.908902][ T5406] __x64_sys_exit_group+0x3f/0x40
[ 446.913947][ T5406] x64_sys_call+0x2634/0x2640
[ 446.918627][ T5406] do_syscall_64+0xf3/0x230
[ 446.923133][ T5406] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 446.929022][ T5406] RIP: 0033:0x7f018087de69
[ 446.933427][ T5406] Code: Unable to access opcode bytes at 0x7f018087de3f.
[ 446.940427][ T5406] RSP: 002b:00007fffa31fb468 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 446.948835][ T5406] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f018087de69
[ 446.956822][ T5406] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000043
[ 446.964786][ T5406] RBP: 00007f01808ca45b R08: 00007fffa31f9207 R09: 000000000006d03d
[ 446.972753][ T5406] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
[ 446.980713][ T5406] R13: 000000000006d03d R14: 000000000006ccf5 R15: 0000000000000004
[ 446.988684][ T5406]
[ 446.991691][ T5406]
[ 446.994002][ T5406] Allocated by task 5400:
[ 446.998312][ T5406] kasan_save_track+0x3f/0x80
[ 447.002983][ T5406] __kasan_slab_alloc+0x66/0x80
[ 447.007828][ T5406] kmem_cache_alloc_noprof+0x135/0x2a0
[ 447.013281][ T5406] getname_flags+0xb7/0x540
[ 447.017803][ T5406] __x64_sys_unlink+0x3a/0x50
[ 447.022479][ T5406] do_syscall_64+0xf3/0x230
[ 447.026976][ T5406] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 447.032863][ T5406]
[ 447.035171][ T5406] Freed by task 5400:
[ 447.039154][ T5406] kasan_save_track+0x3f/0x80
[ 447.043830][ T5406] kasan_save_free_info+0x40/0x50
[ 447.048964][ T5406] __kasan_slab_free+0x59/0x70
[ 447.053742][ T5406] kmem_cache_free+0x1a2/0x420
[ 447.058525][ T5406] do_unlinkat+0x7b0/0x830
[ 447.062937][ T5406] __x64_sys_unlink+0x47/0x50
[ 447.067607][ T5406] do_syscall_64+0xf3/0x230
[ 447.072106][ T5406] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 447.078002][ T5406]
[ 447.080309][ T5406] The buggy address belongs to the object at ffff88807bd71100
[ 447.080309][ T5406] which belongs to the cache names_cache of size 4096
[ 447.094436][ T5406] The buggy address is located 3968 bytes inside of
[ 447.094436][ T5406] freed 4096-byte region [ffff88807bd71100, ffff88807bd72100)
[ 447.108482][ T5406]
[ 447.110790][ T5406] The buggy address belongs to the physical page:
[ 447.117183][ T5406] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7bd70
[ 447.125956][ T5406] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 447.134476][ T5406] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 447.142184][ T5406] page_type: f5(slab)
[ 447.146159][ T5406] raw: 00fff00000000040 ffff8880162f4780 dead000000000122 0000000000000000
[ 447.154731][ T5406] raw: 0000000000000000 0000000000070007 00000001f5000000 0000000000000000
[ 447.163311][ T5406] head: 00fff00000000040 ffff8880162f4780 dead000000000122 0000000000000000
[ 447.171993][ T5406] head: 0000000000000000 0000000000070007 00000001f5000000 0000000000000000
[ 447.180662][ T5406] head: 00fff00000000003 ffffea0001ef5c01 ffffffffffffffff 0000000000000000
[ 447.189323][ T5406] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 447.197976][ T5406] page dumped because: kasan: bad access detected
[ 447.204376][ T5406] page_owner tracks the page as allocated
[ 447.210077][ T5406] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5400, tgid 5400 (udevd), ts 432009536360, free_ts 431999575653
[ 447.230998][ T5406] post_alloc_hook+0x1f3/0x230
[ 447.235770][ T5406] get_page_from_freelist+0x3045/0x3190
[ 447.241310][ T5406] __alloc_pages_noprof+0x292/0x710
[ 447.246502][ T5406] alloc_pages_mpol_noprof+0x3e8/0x680
[ 447.251961][ T5406] alloc_slab_page+0x6a/0x120
[ 447.256631][ T5406] allocate_slab+0x5a/0x2f0
[ 447.261150][ T5406] ___slab_alloc+0xcd1/0x14b0
[ 447.265850][ T5406] __slab_alloc+0x58/0xa0
[ 447.270185][ T5406] kmem_cache_alloc_noprof+0x1c1/0x2a0
[ 447.275649][ T5406] getname_flags+0xb7/0x540
[ 447.280159][ T5406] vfs_fstatat+0x12c/0x190
[ 447.284579][ T5406] __x64_sys_newfstatat+0x11d/0x1a0
[ 447.289876][ T5406] do_syscall_64+0xf3/0x230
[ 447.294385][ T5406] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 447.300312][ T5406] page last free pid 4552 tgid 4552 stack trace:
[ 447.306645][ T5406] free_unref_page+0xcfb/0xf20
[ 447.311496][ T5406] __put_partials+0xeb/0x130
[ 447.316086][ T5406] put_cpu_partial+0x17c/0x250
[ 447.320845][ T5406] __slab_free+0x2ea/0x3d0
[ 447.325252][ T5406] qlist_free_all+0x9a/0x140
[ 447.329829][ T5406] kasan_quarantine_reduce+0x14f/0x170
[ 447.335280][ T5406] __kasan_slab_alloc+0x23/0x80
[ 447.340124][ T5406] __kmalloc_noprof+0x1a6/0x400
[ 447.344973][ T5406] tomoyo_realpath_from_path+0xcf/0x5e0
[ 447.350525][ T5406] tomoyo_path_perm+0x2b7/0x740
[ 447.355387][ T5406] security_inode_getattr+0x130/0x330
[ 447.360755][ T5406] vfs_getattr+0x45/0x430
[ 447.365094][ T5406] vfs_fstatat+0xe4/0x190
[ 447.369424][ T5406] __x64_sys_newfstatat+0x11d/0x1a0
[ 447.374622][ T5406] do_syscall_64+0xf3/0x230
[ 447.379119][ T5406] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 447.385011][ T5406]
[ 447.387319][ T5406] Memory state around the buggy address:
[ 447.392933][ T5406] ffff88807bd71f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 447.400978][ T5406] ffff88807bd72000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 447.409024][ T5406] >ffff88807bd72080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 447.417076][ T5406] ^
[ 447.421126][ T5406] ffff88807bd72100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 447.429174][ T5406] ffff88807bd72180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 447.437218][ T5406] ==================================================================
[ 447.445663][ T5406] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 447.452868][ T5406] CPU: 0 UID: 0 PID: 5406 Comm: syz-executor.0 Not tainted 6.12.0-rc4-syzkaller-gc2ee9f594da8-dirty #0
[ 447.463911][ T5406] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[ 447.473981][ T5406] Call Trace:
[ 447.477258][ T5406]
[ 447.480185][ T5406] dump_stack_lvl+0x241/0x360
[ 447.484884][ T5406] ? __pfx_dump_stack_lvl+0x10/0x10
[ 447.490269][ T5406] ? __pfx__printk+0x10/0x10
[ 447.494870][ T5406] ? srso_alias_return_thunk+0x5/0xfbef5
[ 447.500520][ T5406] ? vscnprintf+0x5d/0x90
[ 447.504866][ T5406] panic+0x349/0x880
[ 447.508767][ T5406] ? check_panic_on_warn+0x21/0xb0
[ 447.513885][ T5406] ? __pfx_panic+0x10/0x10
[ 447.518314][ T5406] ? mark_lock+0x9a/0x360
[ 447.522648][ T5406] ? _raw_spin_unlock_irqrestore+0xd8/0x140
[ 447.528545][ T5406] ? srso_alias_return_thunk+0x5/0xfbef5
[ 447.534195][ T5406] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 447.540096][ T5406] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 447.546424][ T5406] ? print_report+0x502/0x550
[ 447.551113][ T5406] check_panic_on_warn+0x86/0xb0
[ 447.556058][ T5406] ? sco_conn_del+0xa5/0x310
[ 447.560653][ T5406] end_report+0x77/0x160
[ 447.564905][ T5406] kasan_report+0x154/0x180
[ 447.569421][ T5406] ? sco_conn_del+0xa5/0x310
[ 447.574019][ T5406] kasan_check_range+0x282/0x290
[ 447.578970][ T5406] sco_conn_del+0xa5/0x310
[ 447.583389][ T5406] ? srso_alias_return_thunk+0x5/0xfbef5
[ 447.589036][ T5406] ? __pfx_sco_disconn_cfm+0x10/0x10
[ 447.594328][ T5406] hci_conn_hash_flush+0x101/0x240
[ 447.599458][ T5406] hci_dev_close_sync+0x9ef/0x11a0
[ 447.604575][ T5406] hci_unregister_dev+0x20b/0x510
[ 447.609603][ T5406] vhci_release+0x80/0xd0
[ 447.613936][ T5406] ? __pfx_vhci_release+0x10/0x10
[ 447.618960][ T5406] __fput+0x241/0x880
[ 447.622950][ T5406] task_work_run+0x251/0x310
[ 447.627546][ T5406] ? kasan_quarantine_put+0xdc/0x230
[ 447.632837][ T5406] ? __pfx_task_work_run+0x10/0x10
[ 447.637952][ T5406] ? do_exit+0xa2a/0x28e0
[ 447.642284][ T5406] ? srso_alias_return_thunk+0x5/0xfbef5
[ 447.647931][ T5406] ? kmem_cache_free+0x1a2/0x420
[ 447.652881][ T5406] ? do_exit+0xa2a/0x28e0
[ 447.657217][ T5406] do_exit+0xa2f/0x28e0
[ 447.661379][ T5406] ? __pfx_do_exit+0x10/0x10
[ 447.665971][ T5406] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 447.671974][ T5406] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[ 447.678354][ T5406] ? _raw_spin_unlock_irq+0x23/0x50
[ 447.683571][ T5406] ? srso_alias_return_thunk+0x5/0xfbef5
[ 447.689250][ T5406] ? lockdep_hardirqs_on+0x99/0x150
[ 447.694481][ T5406] do_group_exit+0x207/0x2c0
[ 447.699090][ T5406] __x64_sys_exit_group+0x3f/0x40
[ 447.704124][ T5406] x64_sys_call+0x2634/0x2640
[ 447.708818][ T5406] do_syscall_64+0xf3/0x230
[ 447.713405][ T5406] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 447.719370][ T5406] RIP: 0033:0x7f018087de69
[ 447.723789][ T5406] Code: Unable to access opcode bytes at 0x7f018087de3f.
[ 447.730816][ T5406] RSP: 002b:00007fffa31fb468 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 447.739249][ T5406] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f018087de69
[ 447.747251][ T5406] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000043
[ 447.755253][ T5406] RBP: 00007f01808ca45b R08: 00007fffa31f9207 R09: 000000000006d03d
[ 447.763241][ T5406] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
[ 447.771212][ T5406] R13: 000000000006d03d R14: 000000000006ccf5 R15: 0000000000000004
[ 447.779193][ T5406]
[ 447.782457][ T5406] Kernel Offset: disabled
[ 447.786772][ T5406] Rebooting in 86400 seconds..
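The report above is raw KASAN output. What a triage engineer pulls from it is the bug class, the faulting frame and its callers (minus KASAN's own reporting frames and the unreliable "? " entries), the owner stacks and cache of the freed slab object, the page_owner timestamps, and the shadow byte under the access. The parser below does that extraction for a syzbot-style dump. It is an example added here, not part of the syzbot report or of the kernel tree; SAMPLE is an abridged, constructed copy of the lines above, and the field names, SHADOW_MEANING and faulting_chain are this example's own choices.

```python
"""Parse a syzbot-style KASAN report into triage fields.

Added example for this page; not part of the syzbot report or of the kernel tree.
"""
import re

# dmesg prefix "[  446.659405][ T5406] " that syzbot keeps on every line
_PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*[TC]\d+\]\s?")
# frames that KASAN's own reporting path puts above the faulting function
_REPORT_HELPERS = ("dump_stack", "print_report", "kasan_", "end_report")
# generic-KASAN shadow values (mm/kasan/kasan.h); one shadow byte per 8-byte granule
SHADOW_MEANING = {"00": "accessible", "fa": "freed slab object (free track)",
                  "fb": "freed slab object", "fc": "slab redzone",
                  "fe": "page redzone", "ff": "freed page"}

# Abridged copy of the report above (constructed test input; most frames trimmed).
SAMPLE = """\
[  446.651298][ T5406] ==================================================================
[  446.659405][ T5406] BUG: KASAN: slab-use-after-free in sco_conn_del+0xa5/0x310
[  446.666795][ T5406] Write of size 4 at addr ffff88807bd72080 by task syz-executor.0/5406
[  446.698420][ T5406] Call Trace:
[  446.701705][ T5406]
[  446.704629][ T5406]  dump_stack_lvl+0x241/0x360
[  446.774892][ T5406]  kasan_report+0x143/0x180
[  446.784008][ T5406]  kasan_check_range+0x282/0x290
[  446.788950][ T5406]  sco_conn_del+0xa5/0x310
[  446.799006][ T5406]  ? __pfx_sco_disconn_cfm+0x10/0x10
[  446.804287][ T5406]  hci_conn_hash_flush+0x101/0x240
[  446.809403][ T5406]  hci_dev_close_sync+0x9ef/0x11a0
[  446.814509][ T5406]  hci_unregister_dev+0x20b/0x510
[  446.819524][ T5406]  vhci_release+0x80/0xd0
[  446.929022][ T5406] RIP: 0033:0x7f018087de69
[  446.994002][ T5406] Allocated by task 5400:
[  447.017803][ T5406]  getname_flags+0xb7/0x540
[  447.032863][ T5406]
[  447.035171][ T5406] Freed by task 5400:
[  447.058525][ T5406]  do_unlinkat+0x7b0/0x830
[  447.078002][ T5406]
[  447.080309][ T5406]  which belongs to the cache names_cache of size 4096
[  447.094436][ T5406] The buggy address is located 3968 bytes inside of
[  447.094436][ T5406]  freed 4096-byte region [ffff88807bd71100, ffff88807bd72100)
[  447.210077][ T5406] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO), pid 5400, tgid 5400 (udevd), ts 432009536360, free_ts 431999575653
[  447.409024][ T5406] >ffff88807bd72080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  447.417076][ T5406]                    ^
[  447.437218][ T5406] ==================================================================
[  447.445663][ T5406] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[  447.473981][ T5406] Call Trace:
[  447.504866][ T5406]  panic+0x349/0x880
"""


def parse_kasan_report(text):
    r = {"bug_type": "", "function": "", "access": "", "size": 0, "addr": 0,
         "task": "", "pid": 0, "call_trace": [], "alloc_pid": 0, "alloc_trace": [],
         "free_pid": 0, "free_trace": [], "cache": "", "object_size": 0, "offset": 0,
         "region": (0, 0), "page_comm": "", "page_alloc_ts": 0, "page_free_ts": 0,
         "shadow": ""}
    section, rules = None, 0
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw).strip()
        if line.startswith("====="):
            rules += 1
            if rules == 2:          # closing rule; the panic re-dump after it is a duplicate
                break
        elif m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            r["bug_type"], r["function"] = m[1], m[2].split("+")[0]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line):
            r.update(access=m[1], size=int(m[2]), addr=int(m[3], 16), task=m[4], pid=int(m[5]))
        elif line == "Call Trace:":
            section = r["call_trace"]
        elif m := re.match(r"Allocated by task (\d+):", line):
            r["alloc_pid"], section = int(m[1]), r["alloc_trace"]
        elif m := re.match(r"Freed by task (\d+):", line):
            r["free_pid"], section = int(m[1]), r["free_trace"]
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["object_size"] = m[1], int(m[2])
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r["offset"] = int(m[1])
        elif m := re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            r["region"] = (int(m[1], 16), int(m[2], 16))
        elif m := re.search(r"tgid \d+ \((\S+)\), ts (\d+), free_ts (\d+)", line):
            r.update(page_comm=m[1], page_alloc_ts=int(m[2]), page_free_ts=int(m[3]))
        elif m := re.match(r">([0-9a-f]+): ((?:[0-9a-f]{2}\s*)+)$", line):
            # The "^" marker under this row loses its column when whitespace is
            # collapsed (as on this page), so pick the granule from the address.
            granules, idx = m[2].split(), (r["addr"] - int(m[1], 16)) // 8
            if 0 <= idx < len(granules):
                r["shadow"] = granules[idx]
        elif section is not None:
            if line.startswith("RIP:") or (not line and section):
                section = None                      # end of this stack dump
            elif line and not line.startswith(("?", "<")):
                section.append(line.split("+")[0])  # "? frame" = stale stack word, skipped
    return r


def faulting_chain(report, depth=4):
    """Drop KASAN's reporting frames; return the faulting function and its callers."""
    frames = [f for f in report["call_trace"] if not f.startswith(_REPORT_HELPERS)]
    return frames[:depth]
```

On this report the parsed fields deserve a second look. The freed region belongs to names_cache and the owner stacks are getname_flags and do_unlinkat from udevd (pid 5400): a pathname buffer, not a Bluetooth object. page_owner shows the slab page was freed (free_ts) and reallocated (ts) before the access, so the "Allocated by" and "Freed by" stacks describe a later occupant of the memory. The allocation and free of the original SCO connection object are not in this report; the place to look for the stale pointer is the call chain the parser returns, sco_conn_del reached from hci_conn_hash_flush while hci_unregister_dev runs on vhci release during process exit. The shadow byte fb under the access, with fc redzone bytes following the region, is consistent with a write into a freed slab object.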