================================================================== BUG: KASAN: use-after-free in __list_del_entry_valid+0x88/0x158 lib/list_debug.c:59 Read of size 8 at addr ffff0000cec0c518 by task syz.4.121/4725 CPU: 0 PID: 4725 Comm: syz.4.121 Not tainted syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026 Call trace: dump_backtrace+0x1c0/0x1ec arch/arm64/kernel/stacktrace.c:158 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165 __dump_stack+0x30/0x40 lib/dump_stack.c:88 dump_stack_lvl+0xf4/0x15c lib/dump_stack.c:106 print_address_description+0x88/0x218 mm/kasan/report.c:316 print_report+0x50/0x68 mm/kasan/report.c:420 kasan_report+0xa8/0xfc mm/kasan/report.c:524 __asan_report_load8_noabort+0x2c/0x38 mm/kasan/report_generic.c:351 __list_del_entry_valid+0x88/0x158 lib/list_debug.c:59 __list_del_entry include/linux/list.h:134 [inline] list_del_init include/linux/list.h:206 [inline] bt_accept_unlink+0x40/0x240 net/bluetooth/af_bluetooth.c:232 l2cap_sock_teardown_cb+0x148/0x35c net/bluetooth/l2cap_sock.c:1643 l2cap_chan_del+0xbc/0x558 net/bluetooth/l2cap_core.c:680 l2cap_conn_del+0x324/0x608 net/bluetooth/l2cap_core.c:1955 l2cap_disconn_cfm+0x90/0xdc net/bluetooth/l2cap_core.c:8459 hci_disconn_cfm include/net/bluetooth/hci_core.h:1832 [inline] hci_conn_hash_flush+0x108/0x26c net/bluetooth/hci_conn.c:2504 hci_dev_close_sync+0x7e0/0xee8 net/bluetooth/hci_sync.c:5247 hci_dev_do_close net/bluetooth/hci_core.c:528 [inline] hci_unregister_dev+0x214/0x4c0 net/bluetooth/hci_core.c:2731 vhci_release+0x7c/0xcc drivers/bluetooth/hci_vhci.c:573 __fput+0x1bc/0x7b8 fs/file_table.c:320 ____fput+0x20/0x30 fs/file_table.c:348 task_work_run+0x1ec/0x278 kernel/task_work.c:203 exit_task_work include/linux/task_work.h:39 [inline] do_exit+0x550/0x19b0 kernel/exit.c:880 do_group_exit+0x194/0x22c kernel/exit.c:1022 get_signal+0x11cc/0x1304 kernel/signal.c:2871 do_signal arch/arm64/kernel/signal.c:1095 [inline] do_notify_resume+0x33c/0x2aa4 arch/arm64/kernel/signal.c:1148 prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline] exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline] el0_svc+0x98/0x128 arch/arm64/kernel/entry-common.c:638 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585 Allocated by task 5772: kasan_save_stack mm/kasan/common.c:46 [inline] kasan_set_track+0x4c/0x80 mm/kasan/common.c:53 kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505 ____kasan_kmalloc mm/kasan/common.c:375 [inline] __kasan_kmalloc+0xa0/0xb8 mm/kasan/common.c:384 kasan_kmalloc include/linux/kasan.h:211 [inline] __do_kmalloc_node mm/slab_common.c:936 [inline] __kmalloc_node_track_caller+0xe0/0x16c mm/slab_common.c:956 kmalloc_reserve net/core/skbuff.c:446 [inline] pskb_expand_head+0x190/0x1030 net/core/skbuff.c:1848 netlink_trim+0x160/0x204 net/netlink/af_netlink.c:1299 netlink_broadcast+0x70/0x1058 net/netlink/af_netlink.c:1500 nlmsg_multicast include/net/netlink.h:1078 [inline] nlmsg_notify+0xf4/0x1d4 net/netlink/af_netlink.c:2554 rtnl_notify net/core/rtnetlink.c:799 [inline] rtmsg_ifinfo_send net/core/rtnetlink.c:3996 [inline] rtmsg_ifinfo_event net/core/rtnetlink.c:4012 [inline] rtmsg_ifinfo+0x160/0x1d4 net/core/rtnetlink.c:4018 __dev_notify_flags+0xe8/0x490 net/core/dev.c:8711 __dev_set_promiscuity+0x168/0x510 net/core/dev.c:8487 dev_set_promiscuity+0x60/0xf4 net/core/dev.c:8507 hsr_portdev_setup net/hsr/hsr_slave.c:144 [inline] hsr_add_port+0x3b0/0x624 net/hsr/hsr_slave.c:197 hsr_dev_finalize+0x53c/0x748 net/hsr/hsr_device.c:694 hsr_newlink+0x4b4/0x54c net/hsr/hsr_netlink.c:102 rtnl_newlink_create net/core/rtnetlink.c:3427 [inline] __rtnl_newlink net/core/rtnetlink.c:3647 [inline] rtnl_newlink+0x1050/0x1a54 net/core/rtnetlink.c:3660 rtnetlink_rcv_msg+0x698/0xcdc net/core/rtnetlink.c:6157 netlink_rcv_skb+0x218/0x3e8 net/netlink/af_netlink.c:2511 rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6175 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x60c/0x814 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x6f4/0x9c0 net/netlink/af_netlink.c:1872 sock_sendmsg_nosec net/socket.c:718 [inline] __sock_sendmsg net/socket.c:730 [inline] __sys_sendto+0x324/0x440 net/socket.c:2152 __do_sys_sendto net/socket.c:2164 [inline] __se_sys_sendto net/socket.c:2160 [inline] __arm64_sys_sendto+0xd8/0xf8 net/socket.c:2160 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2b4 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140 do_el0_svc+0x58/0x130 arch/arm64/kernel/syscall.c:204 el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585 Freed by task 5772: kasan_save_stack mm/kasan/common.c:46 [inline] kasan_set_track+0x4c/0x80 mm/kasan/common.c:53 kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:516 ____kasan_slab_free+0x148/0x1b0 mm/kasan/common.c:237 __kasan_slab_free+0x18/0x28 mm/kasan/common.c:245 kasan_slab_free include/linux/kasan.h:177 [inline] slab_free_hook mm/slub.c:1729 [inline] slab_free_freelist_hook+0x16c/0x1e8 mm/slub.c:1755 slab_free mm/slub.c:3687 [inline] __kmem_cache_free+0xbc/0x218 mm/slub.c:3700 kfree+0xd0/0x1a8 mm/slab_common.c:988 skb_free_head net/core/skbuff.c:762 [inline] skb_release_data+0x434/0x63c net/core/skbuff.c:791 skb_release_all net/core/skbuff.c:856 [inline] __kfree_skb net/core/skbuff.c:870 [inline] consume_skb+0xa0/0x104 net/core/skbuff.c:1035 netlink_broadcast+0xf04/0x1058 net/netlink/af_netlink.c:1521 nlmsg_multicast include/net/netlink.h:1078 [inline] nlmsg_notify+0xf4/0x1d4 net/netlink/af_netlink.c:2554 rtnl_notify net/core/rtnetlink.c:799 [inline] rtmsg_ifinfo_send net/core/rtnetlink.c:3996 [inline] rtmsg_ifinfo_event net/core/rtnetlink.c:4012 [inline] rtmsg_ifinfo+0x160/0x1d4 net/core/rtnetlink.c:4018 __dev_notify_flags+0xe8/0x490 net/core/dev.c:8711 __dev_set_promiscuity+0x168/0x510 net/core/dev.c:8487 dev_set_promiscuity+0x60/0xf4 net/core/dev.c:8507 hsr_portdev_setup net/hsr/hsr_slave.c:144 [inline] hsr_add_port+0x3b0/0x624 net/hsr/hsr_slave.c:197 hsr_dev_finalize+0x53c/0x748 net/hsr/hsr_device.c:694 hsr_newlink+0x4b4/0x54c net/hsr/hsr_netlink.c:102 rtnl_newlink_create net/core/rtnetlink.c:3427 [inline] __rtnl_newlink net/core/rtnetlink.c:3647 [inline] rtnl_newlink+0x1050/0x1a54 net/core/rtnetlink.c:3660 rtnetlink_rcv_msg+0x698/0xcdc net/core/rtnetlink.c:6157 netlink_rcv_skb+0x218/0x3e8 net/netlink/af_netlink.c:2511 rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6175 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x60c/0x814 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x6f4/0x9c0 net/netlink/af_netlink.c:1872 sock_sendmsg_nosec net/socket.c:718 [inline] __sock_sendmsg net/socket.c:730 [inline] __sys_sendto+0x324/0x440 net/socket.c:2152 __do_sys_sendto net/socket.c:2164 [inline] __se_sys_sendto net/socket.c:2160 [inline] __arm64_sys_sendto+0xd8/0xf8 net/socket.c:2160 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2b4 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140 do_el0_svc+0x58/0x130 arch/arm64/kernel/syscall.c:204 el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585 Last potentially related work creation: kasan_save_stack+0x40/0x70 mm/kasan/common.c:46 __kasan_record_aux_stack+0xc0/0xdc mm/kasan/generic.c:486 kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:496 kvfree_call_rcu+0xb4/0x6e8 kernel/rcu/tree.c:3405 tcf_block_destroy net/sched/cls_api.c:429 [inline] __tcf_block_put+0x2f0/0x3b8 net/sched/cls_api.c:1196 tcf_block_put_ext net/sched/cls_api.c:1403 [inline] tcf_block_put+0x164/0x260 net/sched/cls_api.c:1413 qfq_destroy_qdisc+0x50/0x40c net/sched/sch_qfq.c:1503 __qdisc_destroy+0x12c/0x4f8 net/sched/sch_generic.c:1079 qdisc_put net/sched/sch_generic.c:1107 [inline] dev_shutdown+0x35c/0x478 net/sched/sch_generic.c:1468 unregister_netdevice_many_notify+0x9a4/0x1834 net/core/dev.c:11014 unregister_netdevice_many net/core/dev.c:11077 [inline] unregister_netdevice_queue+0x2b8/0x30c net/core/dev.c:10960 unregister_netdevice include/linux/netdevice.h:3075 [inline] __tun_detach+0xb04/0x1224 drivers/net/tun.c:685 tun_detach drivers/net/tun.c:701 [inline] tun_chr_close+0x118/0x1f4 drivers/net/tun.c:3492 __fput+0x1bc/0x7b8 fs/file_table.c:320 ____fput+0x20/0x30 fs/file_table.c:348 task_work_run+0x1ec/0x278 kernel/task_work.c:203 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] do_notify_resume+0x1fa0/0x2aa4 arch/arm64/kernel/signal.c:1151 prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline] exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline] el0_svc+0x98/0x128 arch/arm64/kernel/entry-common.c:638 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585 Second to last potentially related work creation: kasan_save_stack+0x40/0x70 mm/kasan/common.c:46 __kasan_record_aux_stack+0xc0/0xdc mm/kasan/generic.c:486 kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:496 call_rcu+0x100/0x94c kernel/rcu/tree.c:2849 sk_destruct net/core/sock.c:2190 [inline] __sk_free+0x338/0x430 net/core/sock.c:2203 sk_free+0x60/0xc4 net/core/sock.c:2214 sock_put include/net/sock.h:2085 [inline] j1939_sk_release+0x49c/0x5dc net/can/j1939/socket.c:661 __sock_release net/socket.c:654 [inline] sock_close+0xb4/0x1f8 net/socket.c:1399 __fput+0x1bc/0x7b8 fs/file_table.c:320 ____fput+0x20/0x30 fs/file_table.c:348 task_work_run+0x1ec/0x278 kernel/task_work.c:203 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] do_notify_resume+0x1fa0/0x2aa4 arch/arm64/kernel/signal.c:1151 prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline] exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline] el0_svc+0x98/0x128 arch/arm64/kernel/entry-common.c:638 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585 The buggy address belongs to the object at ffff0000cec0c000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1304 bytes inside of 2048-byte region [ffff0000cec0c000, ffff0000cec0c800) The buggy address belongs to the physical page: page:000000000e495f53 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10ec08 head:000000000e495f53 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff) raw: 05ffc00000010200 dead000000000100 dead000000000122 ffff0000c0002900 raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000cec0c400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff0000cec0c480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff0000cec0c500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff0000cec0c580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff0000cec0c600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== list_del corruption. prev->next should be ffff0000cab4d518, but was 0000000000000000. (prev=ffff0000cec0c518) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:61! Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP Modules linked in: CPU: 1 PID: 4725 Comm: syz.4.121 Tainted: G B syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026 pstate: 62400005 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--) pc : __list_del_entry_valid+0x13c/0x158 lib/list_debug.c:59 lr : __list_del_entry_valid+0x13c/0x158 lib/list_debug.c:59 sp : ffff800021317490 x29: ffff800021317490 x28: 0000000000000003 x27: ffff0000d20ac01c x26: ffff0000d20ac000 x25: 1fffe0001a415804 x24: dfff800000000000 x23: dfff800000000000 x22: dfff800000000000 x21: ffff0000cec0c518 x20: ffff0000cec0c518 x19: ffff0000cab4d518 x18: ffff800011b9bf60 x17: 20747562202c3831 x16: ffff80000804309c x15: 0000000000000000 x14: 0000000000000001 x13: 1fffe00033eaa5a3 x12: 0000000000ff0100 x11: ff00800008311668 x10: 0000000000000000 x9 : b0e83c22e9d79a00 x8 : b0e83c22e9d79a00 x7 : 0000000000000001 x6 : 0000000000000001 x5 : ffff800021316f58 x4 : ffff800015304cc0 x3 : ffff8000085388c8 x2 : 0000000000000001 x1 : 0000000100000000 x0 : 000000000000006d Call trace: __list_del_entry_valid+0x13c/0x158 lib/list_debug.c:59 __list_del_entry include/linux/list.h:134 [inline] list_del_init include/linux/list.h:206 [inline] bt_accept_unlink+0x40/0x240 net/bluetooth/af_bluetooth.c:232 l2cap_sock_teardown_cb+0x148/0x35c net/bluetooth/l2cap_sock.c:1643 l2cap_chan_del+0xbc/0x558 net/bluetooth/l2cap_core.c:680 l2cap_conn_del+0x324/0x608 net/bluetooth/l2cap_core.c:1955 l2cap_disconn_cfm+0x90/0xdc net/bluetooth/l2cap_core.c:8459 hci_disconn_cfm include/net/bluetooth/hci_core.h:1832 [inline] hci_conn_hash_flush+0x108/0x26c net/bluetooth/hci_conn.c:2504 hci_dev_close_sync+0x7e0/0xee8 net/bluetooth/hci_sync.c:5247 hci_dev_do_close net/bluetooth/hci_core.c:528 [inline] hci_unregister_dev+0x214/0x4c0 net/bluetooth/hci_core.c:2731 vhci_release+0x7c/0xcc drivers/bluetooth/hci_vhci.c:573 __fput+0x1bc/0x7b8 fs/file_table.c:320 ____fput+0x20/0x30 fs/file_table.c:348 task_work_run+0x1ec/0x278 kernel/task_work.c:203 exit_task_work include/linux/task_work.h:39 [inline] do_exit+0x550/0x19b0 kernel/exit.c:880 do_group_exit+0x194/0x22c kernel/exit.c:1022 get_signal+0x11cc/0x1304 kernel/signal.c:2871 do_signal arch/arm64/kernel/signal.c:1095 [inline] do_notify_resume+0x33c/0x2aa4 arch/arm64/kernel/signal.c:1148 prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline] exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline] el0_svc+0x98/0x128 arch/arm64/kernel/entry-common.c:638 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585 Code: 91040000 aa1303e1 aa1503e3 95c1f8cf (d4210000) ---[ end trace 0000000000000000 ]---