==================================================================
BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x8c/0x1b4 lib/list_debug.c:62
Read of size 8 at addr ffff0000d312f578 by task kworker/u9:2/6576

CPU: 1 UID: 0 PID: 6576 Comm: kworker/u9:2 Tainted: G L syzkaller #0 PREEMPT
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
Workqueue: hci3 hci_error_reset
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x238 mm/kasan/report.c:378
 print_report+0x68/0x84 mm/kasan/report.c:482
 kasan_report+0xb0/0x110 mm/kasan/report.c:595
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 __list_del_entry_valid_or_report+0x8c/0x1b4 lib/list_debug.c:62
 __list_del_entry_valid include/linux/list.h:132 [inline]
 __list_del_entry include/linux/list.h:223 [inline]
 list_del_init include/linux/list.h:295 [inline]
 bt_accept_unlink+0x40/0x26c net/bluetooth/af_bluetooth.c:259
 l2cap_sock_teardown_cb+0x148/0x388 net/bluetooth/l2cap_sock.c:1616
 l2cap_chan_del+0xb8/0x498 net/bluetooth/l2cap_core.c:656
 l2cap_conn_del+0x2b8/0x53c net/bluetooth/l2cap_core.c:1788
 l2cap_disconn_cfm+0x90/0x104 net/bluetooth/l2cap_core.c:7326
 hci_disconn_cfm include/net/bluetooth/hci_core.h:2146 [inline]
 hci_conn_hash_flush+0x108/0x23c net/bluetooth/hci_conn.c:2637
 hci_dev_close_sync+0x65c/0xfd0 net/bluetooth/hci_sync.c:5326
 hci_dev_do_close net/bluetooth/hci_core.c:501 [inline]
 hci_error_reset+0xfc/0x40c net/bluetooth/hci_core.c:1034
 process_one_work+0x7c0/0x1558 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x958/0xed8 kernel/workqueue.c:3421
 kthread+0x5fc/0x75c kernel/kthread.c:463
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844

Allocated by task 8408:
 kasan_save_stack mm/kasan/common.c:56 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:77
 kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:570
 poison_kmalloc_redzone mm/kasan/common.c:397 [inline]
 __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:414
 kasan_kmalloc include/linux/kasan.h:262 [inline]
 __do_kmalloc_node mm/slub.c:5657 [inline]
 __kmalloc_node_track_caller_noprof+0x510/0x778 mm/slub.c:5764
 kmalloc_reserve+0x124/0x268 net/core/skbuff.c:608
 __alloc_skb+0x208/0x3b0 net/core/skbuff.c:690
 alloc_skb include/linux/skbuff.h:1383 [inline]
 alloc_skb_with_frags+0xb8/0x678 net/core/skbuff.c:6712
 sock_alloc_send_pskb+0x758/0x874 net/core/sock.c:2995
 sock_alloc_send_skb include/net/sock.h:1885 [inline]
 __ip6_append_data+0x2584/0x3664 net/ipv6/ip6_output.c:1675
 ip6_append_data+0x178/0x314 net/ipv6/ip6_output.c:1870
 icmp6_send+0xe1c/0x1528 net/ipv6/icmp.c:819
 __icmpv6_send include/linux/icmpv6.h:28 [inline]
 icmpv6_send include/linux/icmpv6.h:49 [inline]
 ip6_link_failure+0x44/0x4a8 net/ipv6/route.c:2843
 dst_link_failure include/net/dst.h:432 [inline]
 ndisc_error_report+0x11c/0x170 net/ipv6/ndisc.c:732
 neigh_invalidate+0x29c/0x4b0 net/core/neighbour.c:1081
 neigh_timer_handler+0x80c/0xe90 net/core/neighbour.c:1172
 call_timer_fn+0x19c/0x814 kernel/time/timer.c:1748
 expire_timers kernel/time/timer.c:1799 [inline]
 __run_timers kernel/time/timer.c:2373 [inline]
 __run_timer_base+0x51c/0x76c kernel/time/timer.c:2385
 run_timer_base kernel/time/timer.c:2394 [inline]
 run_timer_softirq+0xcc/0x194 kernel/time/timer.c:2404
 handle_softirqs+0x31c/0xc88 kernel/softirq.c:622
 __do_softirq+0x14/0x20 kernel/softirq.c:656

Freed by task 23:
 kasan_save_stack mm/kasan/common.c:56 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:77
 kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:252 [inline]
 __kasan_slab_free+0x74/0xa4 mm/kasan/common.c:284
 kasan_slab_free include/linux/kasan.h:234 [inline]
 slab_free_hook mm/slub.c:2540 [inline]
 slab_free mm/slub.c:6668 [inline]
 kfree+0x1c4/0x5fc mm/slub.c:6876
 skb_kfree_head net/core/skbuff.c:1068 [inline]
 skb_free_head+0xe4/0x198 net/core/skbuff.c:1080
 skb_release_data+0x4d4/0x664 net/core/skbuff.c:1107
 skb_release_all net/core/skbuff.c:1182 [inline]
 __kfree_skb net/core/skbuff.c:1196 [inline]
 sk_skb_reason_drop+0x148/0x1b0 net/core/skbuff.c:1234
 kfree_skb_reason include/linux/skbuff.h:1322 [inline]
 icmpv6_rcv+0x1154/0x1888 net/ipv6/icmp.c:-1
 ip6_protocol_deliver_rcu+0x9a4/0x12d4 net/ipv6/ip6_input.c:438
 ip6_input_finish+0x154/0x350 net/ipv6/ip6_input.c:489
 NF_HOOK+0x2c4/0x358 include/linux/netfilter.h:318
 ip6_input+0x15c/0x270 net/ipv6/ip6_input.c:500
 dst_input include/net/dst.h:474 [inline]
 ip6_rcv_finish+0x1f0/0x21c net/ipv6/ip6_input.c:79
 NF_HOOK+0x2c4/0x358 include/linux/netfilter.h:318
 ipv6_rcv+0x9c/0xbc net/ipv6/ip6_input.c:311
 __netif_receive_skb_one_core net/core/dev.c:6137 [inline]
 __netif_receive_skb+0xcc/0x2a8 net/core/dev.c:6250
 process_backlog+0x608/0x10e8 net/core/dev.c:6602
 __napi_poll+0xb0/0x310 net/core/dev.c:7666
 napi_poll net/core/dev.c:7729 [inline]
 net_rx_action+0x548/0xcf0 net/core/dev.c:7881
 handle_softirqs+0x31c/0xc88 kernel/softirq.c:622
 run_ksoftirqd+0x70/0xc0 kernel/softirq.c:1063
 smpboot_thread_fn+0x4d8/0x9cc kernel/smpboot.c:160
 kthread+0x5fc/0x75c kernel/kthread.c:463
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844

The buggy address belongs to the object at ffff0000d312f000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1400 bytes inside of
 freed 2048-byte region [ffff0000d312f000, ffff0000d312f800)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff0000d312b000 pfn:0x113128
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000240(workingset|head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000240 ffff0000c0002000 fffffdffc3181210 fffffdffc3893010
raw: ffff0000d312b000 0000000000080006 00000000f5000000 0000000000000000
head: 05ffc00000000240 ffff0000c0002000 fffffdffc3181210 fffffdffc3893010
head: ffff0000d312b000 0000000000080006 00000000f5000000 0000000000000000
head: 05ffc00000000003 fffffdffc34c4a01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000d312f400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000d312f480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000d312f500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                ^
 ffff0000d312f580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000d312f600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
slab kmalloc-2k start ffff0000d312f000 pointer offset 1400 size 2048
list_del corruption. prev->next should be ffff0000c6925578, but was 0000000000000000. (prev=ffff0000d312f578)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:64!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
Modules linked in:
CPU: 1 UID: 0 PID: 6576 Comm: kworker/u9:2 Tainted: G B L syzkaller #0 PREEMPT
Tainted: [B]=BAD_PAGE, [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
Workqueue: hci3 hci_error_reset
pstate: 63400005 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : __list_del_entry_valid_or_report+0x17c/0x1b4 lib/list_debug.c:62
lr : __list_del_entry_valid_or_report+0x17c/0x1b4 lib/list_debug.c:62
sp : ffff8000a4b67750
x29: ffff8000a4b67750 x28: ffff0000e0dddac0 x27: dfff800000000000
x26: ffff0000cb2a300c x25: 1fffe00019654602 x24: dfff800000000000
x23: 1fffe0001a625eaf x22: dfff800000000000 x21: ffff0000d312f578
x20: ffff0000d312f578 x19: ffff0000c6925578 x18: 1fffe00033781890
x17: 20747562202c3837 x16: ffff800082e5c71c x15: 0000000000000001
x14: 1ffff0001496ce28 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000001498 x10: 0000000000ff0100 x9 : 646b84a818f69e00
x8 : 646b84a818f69e00 x7 : 0000000000000001 x6 : ffff800080575c38
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000002
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 000000000000006d
Call trace:
 __list_del_entry_valid_or_report+0x17c/0x1b4 lib/list_debug.c:62 (P)
 __list_del_entry_valid include/linux/list.h:132 [inline]
 __list_del_entry include/linux/list.h:223 [inline]
 list_del_init include/linux/list.h:295 [inline]
 bt_accept_unlink+0x40/0x26c net/bluetooth/af_bluetooth.c:259
 l2cap_sock_teardown_cb+0x148/0x388 net/bluetooth/l2cap_sock.c:1616
 l2cap_chan_del+0xb8/0x498 net/bluetooth/l2cap_core.c:656
 l2cap_conn_del+0x2b8/0x53c net/bluetooth/l2cap_core.c:1788
 l2cap_disconn_cfm+0x90/0x104 net/bluetooth/l2cap_core.c:7326
 hci_disconn_cfm include/net/bluetooth/hci_core.h:2146 [inline]
 hci_conn_hash_flush+0x108/0x23c net/bluetooth/hci_conn.c:2637
 hci_dev_close_sync+0x65c/0xfd0 net/bluetooth/hci_sync.c:5326
 hci_dev_do_close net/bluetooth/hci_core.c:501 [inline]
 hci_error_reset+0xfc/0x40c net/bluetooth/hci_core.c:1034
 process_one_work+0x7c0/0x1558 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x958/0xed8 kernel/workqueue.c:3421
 kthread+0x5fc/0x75c kernel/kthread.c:463
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844
Code: 91018000 aa1303e1 aa1503e3 974a9f9f (d4210000)
---[ end trace 0000000000000000 ]---