| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [bluetooth?] [bcachefs?] KASAN: slab-use-after-free Read in hci_uart_write_work | 3 (9) | 2025/07/22 02:07 |
syzbot |
sign-in | mailing list | source | docs |
| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [bluetooth?] [bcachefs?] KASAN: slab-use-after-free Read in hci_uart_write_work | 3 (9) | 2025/07/22 02:07 |
| Kernel | Title | Rank 🛈 | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| android-6-12 | KASAN: slab-use-after-free Read in hci_uart_write_work | 19 | 1 | 83d | 83d | 0/1 | premoderation: reported on 2025/09/11 04:00 | |||
| android-5-15 | KASAN: use-after-free Read in hci_uart_write_work | 19 | 1 | 68d | 68d | 0/2 | premoderation: reported on 2025/09/26 00:52 | |||
| android-6-1 | KASAN: use-after-free Read in hci_uart_write_work | 19 | 7 | 66d | 86d | 0/2 | premoderation: reported on 2025/09/08 09:39 | |||
| android-5-10 | KASAN: use-after-free Read in hci_uart_write_work | 19 | 2 | 34d | 47d | 0/2 | premoderation: reported on 2025/10/16 23:25 |
| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2025/11/07 03:22 | 19m | retest repro | upstream | report log | |
| 2025/10/17 03:42 | 20m | retest repro | upstream | report log | |
| 2025/07/27 13:44 | 19m | retest repro | upstream | report log | |
| 2025/07/22 02:07 | 21m | ipravdin.official@gmail.com | git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git master | report log | |
| 2025/07/15 08:32 | 20m | hdanton@sina.com | patch | upstream | OK log |
| 2025/07/15 04:30 | 20m | hdanton@sina.com | patch | upstream | report log |
| 2025/07/15 01:09 | 20m | hdanton@sina.com | patch | upstream | report log |
================================================================== BUG: KASAN: slab-use-after-free in hci_uart_write_work+0x2ca/0x550 drivers/bluetooth/hci_ldisc.c:165 Read of size 8 at addr ffff888023cf7358 by task kworker/0:0/9 CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: events hci_uart_write_work Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 hci_uart_write_work+0x2ca/0x550 drivers/bluetooth/hci_ldisc.c:165 process_one_work kernel/workqueue.c:3263 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 52: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 unpoison_slab_object mm/kasan/common.c:342 [inline] __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:368 kasan_slab_alloc include/linux/kasan.h:252 [inline] slab_post_alloc_hook mm/slub.c:4978 [inline] slab_alloc_node mm/slub.c:5288 [inline] kmem_cache_alloc_node_noprof+0x433/0x710 mm/slub.c:5340 __alloc_skb+0x112/0x2d0 net/core/skbuff.c:660 alloc_skb include/linux/skbuff.h:1383 [inline] bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline] hci_cmd_sync_alloc+0x3d/0x380 net/bluetooth/hci_sync.c:58 hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline] __hci_cmd_sync_sk+0x1a7/0xbc0 net/bluetooth/hci_sync.c:168 __hci_cmd_sync_status_sk net/bluetooth/hci_sync.c:263 [inline] __hci_cmd_sync_status net/bluetooth/hci_sync.c:287 [inline] hci_read_local_features_sync net/bluetooth/hci_sync.c:3708 [inline] hci_init_stage_sync net/bluetooth/hci_sync.c:3623 [inline] hci_init1_sync net/bluetooth/hci_sync.c:3755 [inline] hci_init_sync net/bluetooth/hci_sync.c:4867 [inline] hci_dev_init_sync net/bluetooth/hci_sync.c:5059 [inline] hci_dev_open_sync+0x14be/0x2b60 net/bluetooth/hci_sync.c:5137 hci_dev_do_open net/bluetooth/hci_core.c:430 [inline] hci_power_on+0x1b4/0x680 net/bluetooth/hci_core.c:959 process_one_work kernel/workqueue.c:3263 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Freed by task 6337: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 __kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587 kasan_save_free_info mm/kasan/kasan.h:406 [inline] poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2543 [inline] slab_free mm/slub.c:6642 [inline] kmem_cache_free+0x19b/0x690 mm/slub.c:6752 kfree_skb_reason include/linux/skbuff.h:1322 [inline] kfree_skb include/linux/skbuff.h:1331 [inline] hci_uart_flush+0x9d/0x1b0 drivers/bluetooth/hci_ldisc.c:235 hci_uart_close drivers/bluetooth/hci_ldisc.c:268 [inline] hci_uart_tty_close+0x99/0x290 drivers/bluetooth/hci_ldisc.c:545 tty_ldisc_kill+0xa3/0x1a0 drivers/tty/tty_ldisc.c:613 tty_ldisc_hangup+0x3a2/0x4b0 drivers/tty/tty_ldisc.c:729 __tty_hangup+0x40c/0x680 drivers/tty/tty_io.c:621 tty_vhangup drivers/tty/tty_io.c:691 [inline] tty_ioctl+0x757/0xde0 drivers/tty/tty_io.c:2732 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888023cf7280 which belongs to the cache skbuff_head_cache of size 240 The buggy address is located 216 bytes inside of freed 240-byte region [ffff888023cf7280, ffff888023cf7370) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888023cf7780 pfn:0x23cf7 flags: 0xfff00000000200(workingset|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000200 ffff88801ded18c0 ffffea0001779550 ffffea0000c4fad0 raw: ffff888023cf7780 00000000000c000b 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5194, tgid 5194 (udevadm), ts 32838646103, free_ts 32588892773 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x234/0x290 mm/page_alloc.c:1845 prep_new_page mm/page_alloc.c:1853 [inline] get_page_from_freelist+0x2365/0x2440 mm/page_alloc.c:3879 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5178 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416 alloc_slab_page mm/slub.c:3059 [inline] allocate_slab+0x96/0x350 mm/slub.c:3232 new_slab mm/slub.c:3286 [inline] ___slab_alloc+0xf56/0x1990 mm/slub.c:4655 __slab_alloc+0x65/0x100 mm/slub.c:4778 __slab_alloc_node mm/slub.c:4854 [inline] slab_alloc_node mm/slub.c:5276 [inline] kmem_cache_alloc_noprof+0x3f9/0x6e0 mm/slub.c:5295 skb_clone+0x212/0x3a0 net/core/skbuff.c:2050 do_one_broadcast net/netlink/af_netlink.c:1457 [inline] netlink_broadcast_filtered+0x6ae/0x1000 net/netlink/af_netlink.c:1535 netlink_broadcast+0x37/0x50 net/netlink/af_netlink.c:1559 uevent_net_broadcast_untagged lib/kobject_uevent.c:331 [inline] kobject_uevent_net_broadcast+0x378/0x560 lib/kobject_uevent.c:410 kobject_uevent_env+0x55b/0x8c0 lib/kobject_uevent.c:608 kobject_synth_uevent+0x527/0xb00 lib/kobject_uevent.c:207 bus_uevent_store+0x115/0x170 drivers/base/bus.c:832 kernfs_fop_write_iter+0x3af/0x540 fs/kernfs/file.c:352 page last free pid 5198 tgid 5198 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1394 [inline] __free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2901 discard_slab mm/slub.c:3330 [inline] __put_partials+0x146/0x170 mm/slub.c:3876 put_cpu_partial+0x1f2/0x2e0 mm/slub.c:3951 __slab_free+0x2b9/0x390 mm/slub.c:5929 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:352 kasan_slab_alloc include/linux/kasan.h:252 [inline] slab_post_alloc_hook mm/slub.c:4978 [inline] slab_alloc_node mm/slub.c:5288 [inline] kmem_cache_alloc_noprof+0x367/0x6e0 mm/slub.c:5295 getname_flags+0xb8/0x540 fs/namei.c:146 getname include/linux/fs.h:2924 [inline] do_sys_openat2+0xbc/0x1c0 fs/open.c:1431 do_sys_open fs/open.c:1452 [inline] __do_sys_openat fs/open.c:1468 [inline] __se_sys_openat fs/open.c:1463 [inline] __x64_sys_openat+0x138/0x170 fs/open.c:1463 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff888023cf7200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc ffff888023cf7280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888023cf7300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc ^ ffff888023cf7380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888023cf7400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2025/11/24 03:54 | upstream | d13f3ac64efb | 4fb8ef37 | .config | console log | report | syz / log | [disk image] [vmlinux] [kernel image] [mounted in repro #1] [mounted in repro #2 (clean fs)] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in hci_uart_write_work | ||
| 2025/10/24 03:10 | upstream | ab431bc39741 | c0460fcd | .config | console log | report | syz / log | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: slab-use-after-free Read in hci_uart_write_work | ||
| 2025/07/13 13:35 | upstream | 3f31a806a62e | 3cda49cf | .config | console log | report | syz / log | [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro] | ci-snapshot-upstream-root | KASAN: slab-use-after-free Read in hci_uart_write_work | ||
| 2025/11/24 01:28 | upstream | d13f3ac64efb | 4fb8ef37 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in hci_uart_write_work | ||
| 2025/11/24 01:20 | upstream | d13f3ac64efb | 4fb8ef37 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in hci_uart_write_work | ||
| 2025/11/24 00:33 | upstream | d13f3ac64efb | 4fb8ef37 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in hci_uart_write_work | ||
| 2025/09/24 03:13 | upstream | cec1e6e5d1ab | 0abd0691 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in hci_uart_write_work | ||
| 2025/09/22 01:37 | upstream | 07e27ad16399 | 67c37560 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in hci_uart_write_work | ||
| 2025/11/25 05:47 | upstream | ac3fd01e4c1e | bf6fe8fe | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: slab-use-after-free Read in hci_uart_write_work | |||
| 2025/10/23 23:45 | upstream | ab431bc39741 | c0460fcd | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: slab-use-after-free Read in hci_uart_write_work | |||
| 2025/10/03 03:11 | upstream | f79e772258df | 49379ee0 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Read in hci_uart_write_work | ||
| 2025/10/02 02:02 | upstream | d3479214c05d | 267f56c6 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Read in hci_uart_write_work | ||
| 2025/10/01 12:57 | upstream | 50c19e20ed2e | 3af39644 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Read in hci_uart_write_work | ||
| 2025/07/13 08:56 | upstream | 3f31a806a62e | 3cda49cf | .config | console log | report | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-snapshot-upstream-root | KASAN: slab-use-after-free Read in hci_uart_write_work | |||
| 2025/12/03 09:42 | linux-next | b2c27842ba85 | d6526ea3 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in hci_uart_write_work |