Warning: Permanently added '10.128.0.34' (ECDSA) to the list of known hosts.
syzkaller login: [ 34.655324][ T3036] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
executing program
[ 34.657604][ T3038] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 34.659684][ T3038] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 34.662420][ T3038] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 34.664620][ T3038] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 34.666462][ T3038] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 34.687911][ T44] Bluetooth: hci0: hardware error 0xff
[ 34.782684][ T44]
[ 34.783345][ T44] =========================
[ 34.784497][ T44] WARNING: held lock freed!
[ 34.785567][ T44] 6.0.0-rc6-syzkaller-17742-gc194837ebb57 #0 Not tainted
[ 34.787263][ T44] -------------------------
[ 34.788152][ T44] kworker/u5:0/44 is freeing memory ffff0000cb1fc800-ffff0000cb1fcfff, with a lock still held there!
[ 34.790807][ T44] ffff0000cb1fcd20 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_conn_del+0x1a4/0x38c
[ 34.793031][ T44] 7 locks held by kworker/u5:0/44:
[ 34.794126][ T44] #0: ffff0000c7bdf938 ((wq_completion)hci0){+.+.}-{0:0}, at: process_one_work+0x270/0x504
[ 34.796654][ T44] #1: ffff80000f653d80 ((work_completion)(&hdev->error_reset)){+.+.}-{0:0}, at: process_one_work+0x29c/0x504
[ 34.799697][ T44] #2: ffff0000c7132fd0 (&hdev->req_lock){+.+.}-{3:3}, at: hci_error_reset+0xa4/0x154
[ 34.802110][ T44] #3: ffff0000c7132078 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_close_sync+0x200/0x9e0
[ 34.804609][ T44] #4: ffff80000d832b18 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0x64/0x148
[ 34.807111][ T44] #5: ffff0000c7bed2d8 (&conn->chan_lock){+.+.}-{3:3}, at: l2cap_conn_del+0x130/0x38c
[ 34.809562][ T44] #6: ffff0000cb1fcd20 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_conn_del+0x1a4/0x38c
[ 34.811840][ T44]
[ 34.811840][ T44] stack backtrace:
[ 34.813178][ T44] CPU: 0 PID: 44 Comm: kworker/u5:0 Not tainted 6.0.0-rc6-syzkaller-17742-gc194837ebb57 #0
[ 34.815734][ T44] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 34.818325][ T44] Workqueue: hci0 hci_error_reset
[ 34.819619][ T44] Call trace:
[ 34.820471][ T44] dump_backtrace+0x1c4/0x1f0
[ 34.821741][ T44] show_stack+0x2c/0x54
[ 34.822746][ T44] dump_stack_lvl+0x104/0x16c
[ 34.824011][ T44] dump_stack+0x1c/0x58
[ 34.825047][ T44] debug_check_no_locks_freed+0x184/0x19c
[ 34.826540][ T44] kfree+0x138/0x348
[ 34.827534][ T44] l2cap_chan_put+0xcc/0x160
[ 34.828693][ T44] a2mp_chan_close_cb+0x20/0x30
[ 34.829972][ T44] l2cap_conn_del+0x1c0/0x38c
[ 34.831142][ T44] l2cap_disconn_cfm+0x68/0xac
[ 34.832339][ T44] hci_conn_hash_flush+0x88/0x148
[ 34.833602][ T44] hci_dev_close_sync+0x48c/0x9e0
[ 34.834871][ T44] hci_error_reset+0xac/0x154
[ 34.836060][ T44] process_one_work+0x2d8/0x504
[ 34.837344][ T44] worker_thread+0x340/0x610
[ 34.838318][ T44] kthread+0x12c/0x158
[ 34.839338][ T44] ret_from_fork+0x10/0x20
[ 34.840813][ T44] ------------[ cut here ]------------
[ 34.842165][ T44] refcount_t: underflow; use-after-free.
[ 34.843681][ T44] WARNING: CPU: 0 PID: 44 at lib/refcount.c:28 refcount_warn_saturate+0x1a0/0x1c8
[ 34.845968][ T44] Modules linked in:
[ 34.846900][ T44] CPU: 0 PID: 44 Comm: kworker/u5:0 Not tainted 6.0.0-rc6-syzkaller-17742-gc194837ebb57 #0
[ 34.849341][ T44] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 34.851792][ T44] Workqueue: hci0 hci_error_reset
[ 34.853062][ T44] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 34.855107][ T44] pc : refcount_warn_saturate+0x1a0/0x1c8
[ 34.856563][ T44] lr : refcount_warn_saturate+0x1a0/0x1c8
[ 34.858021][ T44] sp : ffff80000f653bb0
[ 34.859036][ T44] x29: ffff80000f653bb0 x28: ffff0000c7bed260 x27: 0000000000000003
[ 34.861072][ T44] x26: ffff0000cb1fccb8 x25: ffff0000cb1fc800 x24: ffff0000cb1fcc88
[ 34.863128][ T44] x23: 0000000000000001 x22: ffff0000c7bed270 x21: 0000000000000067
[ 34.865120][ T44] x20: 0000000000000003 x19: ffff80000d8c8000 x18: 00000000000000c0
[ 34.867190][ T44] x17: 6e69676e45206574 x16: 0000000000000001 x15: 0000000000000000
[ 34.869190][ T44] x14: 0000000000000000 x13: 205d343454202020 x12: 5b5d353631323438
[ 34.871201][ T44] x11: ff808000081c1630 x10: 0000000000000000 x9 : 20cab974b89e3800
[ 34.873313][ T44] x8 : 20cab974b89e3800 x7 : 205b5d3536313234 x6 : ffff800008195d30
[ 34.875166][ T44] x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
[ 34.877229][ T44] x2 : 0000000000000000 x1 : 0000000100000000 x0 : 0000000000000026
[ 34.879258][ T44] Call trace:
[ 34.880062][ T44] refcount_warn_saturate+0x1a0/0x1c8
[ 34.881426][ T44] l2cap_chan_put+0xec/0x160
[ 34.882633][ T44] l2cap_conn_del+0x1d0/0x38c
[ 34.883896][ T44] l2cap_disconn_cfm+0x68/0xac
[ 34.885132][ T44] hci_conn_hash_flush+0x88/0x148
[ 34.886428][ T44] hci_dev_close_sync+0x48c/0x9e0
[ 34.887741][ T44] hci_error_reset+0xac/0x154
[ 34.888921][ T44] process_one_work+0x2d8/0x504
[ 34.890190][ T44] worker_thread+0x340/0x610
[ 34.891362][ T44] kthread+0x12c/0x158
[ 34.892382][ T44] ret_from_fork+0x10/0x20
[ 34.893459][ T44] irq event stamp: 731
[ 34.894505][ T44] hardirqs last enabled at (731): [] _raw_spin_unlock_irqrestore+0x48/0x8c
[ 34.897165][ T44] hardirqs last disabled at (730): [] _raw_spin_lock_irqsave+0xa4/0xb4
[ 34.899796][ T44] softirqs last enabled at (0): [] copy_process+0x948/0x171c
[ 34.902052][ T44] softirqs last disabled at (0): [<0000000000000000>] 0x0
[ 34.903915][ T44] ---[ end trace 0000000000000000 ]---