syzbot

Bluetooth: hci1: Opcode 0x0406 failed: -4
Bluetooth: hci1: Opcode 0x0406 failed: -4
Bluetooth: hci2: Opcode 0x0c1a failed: -4
Bluetooth: hci2: Opcode 0x0406 failed: -4
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 10541 at lib/refcount.c:28 refcount_warn_saturate+0x15a/0x1d0 lib/refcount.c:28
Modules linked in:
CPU: 0 UID: 0 PID: 10541 Comm: syz.2.1919 Not tainted 6.12.0-syzkaller-09073-g9f16d5e6f220 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:refcount_warn_saturate+0x15a/0x1d0 lib/refcount.c:28
Code: e0 64 5f 8c e8 17 33 a9 fc 90 0f 0b 90 90 eb 99 e8 8b 8d e8 fc c6 05 d6 15 59 0b 01 90 48 c7 c7 40 65 5f 8c e8 f7 32 a9 fc 90 <0f> 0b 90 90 e9 76 ff ff ff e8 68 8d e8 fc c6 05 b0 15 59 0b 01 90
RSP: 0018:ffffc9000489ef38 EFLAGS: 00010246
RAX: dbe0113176482a00 RBX: ffff88801cbab078 RCX: 0000000000080000
RDX: ffffc9000bfea000 RSI: 000000000006023b RDI: 000000000006023c
RBP: 0000000000000003 R08: ffffffff815687d2 R09: fffffbfff1cfa8a0
R10: dffffc0000000000 R11: fffffbfff1cfa8a0 R12: ffff88801cbab060
R13: ffffffff85ee3a30 R14: 1ffff1100397560c R15: ffff88801cbab060
FS:  00007f4534f846c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe194e1ef7e CR3: 000000006ccf4000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __refcount_sub_and_test include/linux/refcount.h:275 [inline]
 __refcount_dec_and_test include/linux/refcount.h:307 [inline]
 refcount_dec_and_test include/linux/refcount.h:325 [inline]
 kref_put include/linux/kref.h:64 [inline]
 klist_dec_and_del+0x3ec/0x3f0 lib/klist.c:206
 klist_put lib/klist.c:217 [inline]
 klist_del lib/klist.c:230 [inline]
 klist_remove+0x25e/0x480 lib/klist.c:249
 device_move+0x1b4/0x710 drivers/base/core.c:4643
 hci_conn_del_sysfs+0xac/0x160 net/bluetooth/hci_sysfs.c:75
 hci_conn_cleanup net/bluetooth/hci_conn.c:174 [inline]
 hci_conn_del+0x8c4/0xc40 net/bluetooth/hci_conn.c:1164
 hci_abort_conn_sync+0x583/0xe00 net/bluetooth/hci_sync.c:5603
 hci_disconnect_all_sync+0x264/0x460 net/bluetooth/hci_sync.c:5626
 hci_suspend_sync+0x41a/0xca0 net/bluetooth/hci_sync.c:6103
 hci_suspend_dev+0x203/0x3e0 net/bluetooth/hci_core.c:2832
 hci_suspend_notifier+0xf2/0x2b0 net/bluetooth/hci_core.c:2412
 notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93
 notifier_call_chain_robust kernel/notifier.c:128 [inline]
 blocking_notifier_call_chain_robust+0xe8/0x1e0 kernel/notifier.c:353
 pm_notifier_call_chain_robust+0x2c/0x60 kernel/power/main.c:102
 snapshot_open+0x19b/0x280 kernel/power/user.c:77
 misc_open+0x2cc/0x340 drivers/char/misc.c:165
 chrdev_open+0x521/0x600 fs/char_dev.c:414
 do_dentry_open+0xbe1/0x1b70 fs/open.c:945
 vfs_open+0x3e/0x330 fs/open.c:1075
 do_open fs/namei.c:3828 [inline]
 path_openat+0x2c84/0x3590 fs/namei.c:3987
 do_filp_open+0x27f/0x4e0 fs/namei.c:4014
 do_sys_openat2+0x13e/0x1d0 fs/open.c:1402
 do_sys_open fs/open.c:1417 [inline]
 __do_sys_openat fs/open.c:1433 [inline]
 __se_sys_openat fs/open.c:1428 [inline]
 __x64_sys_openat+0x247/0x2a0 fs/open.c:1428
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f453417e819
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4534f84038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f4534335fa0 RCX: 00007f453417e819
RDX: 0000000000004000 RSI: 00000000200002c0 RDI: ffffffffffffff9c
RBP: 00007f45341f175e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f4534335fa0 R15: 00007ffc9eec0e38
 </TASK>