Warning: Permanently added '10.128.1.243' (ED25519) to the list of known hosts.
executing program
[ 54.018443][ T4025]
[ 54.019098][ T4025] =====================================
[ 54.020498][ T4025] WARNING: bad unlock balance detected!
[ 54.021921][ T4025] 5.15.167-syzkaller #0 Not tainted
[ 54.023312][ T4025] -------------------------------------
[ 54.024764][ T4025] kworker/u5:2/4025 is trying to release lock (&chan->lock) at:
[ 54.026771][ T4025] [] l2cap_recv_frame+0xf60/0x6c28
[ 54.028595][ T4025] but there are no more locks to release!
[ 54.030176][ T4025]
[ 54.030176][ T4025] other info that might help us debug this:
[ 54.032333][ T4025] 2 locks held by kworker/u5:2/4025:
[ 54.033798][ T4025]  #0: ffff0000cbe5e138 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x66c/0x11b8
[ 54.036637][ T4025]  #1: ffff80001ff57c00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x6ac/0x11b8
[ 54.039647][ T4025]
[ 54.039647][ T4025] stack backtrace:
[ 54.041280][ T4025] CPU: 1 PID: 4025 Comm: kworker/u5:2 Not tainted 5.15.167-syzkaller #0
[ 54.043399][ T4025] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
[ 54.046045][ T4025] Workqueue: hci0 hci_rx_work
[ 54.047260][ T4025] Call trace:
[ 54.048189][ T4025]  dump_backtrace+0x0/0x530
[ 54.049376][ T4025]  show_stack+0x2c/0x3c
[ 54.050444][ T4025]  dump_stack_lvl+0x108/0x170
[ 54.051688][ T4025]  dump_stack+0x1c/0x58
[ 54.052760][ T4025]  print_unlock_imbalance_bug+0x250/0x2a4
[ 54.054261][ T4025]  lock_release+0x4b8/0xa1c
[ 54.055470][ T4025]  __mutex_unlock_slowpath+0xe0/0x6d4
[ 54.056881][ T4025]  mutex_unlock+0x8c/0xe0
[ 54.058054][ T4025]  l2cap_recv_frame+0xf60/0x6c28
[ 54.059402][ T4025]  l2cap_recv_acldata+0x4f4/0x163c
[ 54.060849][ T4025]  hci_rx_work+0x3a0/0x7c4
[ 54.062054][ T4025]  process_one_work+0x790/0x11b8
[ 54.063331][ T4025]  worker_thread+0x910/0x1034
[ 54.064606][ T4025]  kthread+0x37c/0x45c
[ 54.065673][ T4025]  ret_from_fork+0x10/0x20
[ 56.026802][ T7] Bluetooth: hci0: command 0x0409 tx timeout
[ 56.687177][ T4025] ==================================================================
[ 56.689318][ T4025] BUG: KASAN: use-after-free in do_raw_spin_lock+0x244/0x35c
[ 56.691074][ T4025] Read of size 4 at addr ffff0000d8e0a08c by task kworker/u5:2/4025
[ 56.693071][ T4025]
[ 56.693579][ T4025] CPU: 1 PID: 4025 Comm: kworker/u5:2 Not tainted 5.15.167-syzkaller #0
[ 56.695732][ T4025] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
[ 56.698367][ T4025] Workqueue: hci0 hci_rx_work
[ 56.699702][ T4025] Call trace:
[ 56.700362][ T4025]  dump_backtrace+0x0/0x530
[ 56.701532][ T4025]  show_stack+0x2c/0x3c
[ 56.702601][ T4025]  dump_stack_lvl+0x108/0x170
[ 56.703756][ T4025]  print_address_description+0x7c/0x3f0
[ 56.705120][ T4025]  kasan_report+0x174/0x1e4
[ 56.706264][ T4025]  __asan_report_load4_noabort+0x44/0x50
[ 56.707663][ T4025]  do_raw_spin_lock+0x244/0x35c
[ 56.708899][ T4025]  _raw_spin_lock_bh+0x12c/0x1c4
[ 56.710203][ T4025]  __lock_sock+0x170/0x2d4
[ 56.711383][ T4025]  lock_sock_nested+0x138/0x1ec
[ 56.712678][ T4025]  l2cap_sock_recv_cb+0x5c/0x1c0
[ 56.713924][ T4025]  l2cap_recv_frame+0xeb4/0x6c28
[ 56.715251][ T4025]  l2cap_recv_acldata+0x4f4/0x163c
[ 56.716642][ T4025]  hci_rx_work+0x3a0/0x7c4
[ 56.717733][ T4025]  process_one_work+0x790/0x11b8
[ 56.718906][ T4025]  worker_thread+0x910/0x1034
[ 56.719973][ T4025]  kthread+0x37c/0x45c
[ 56.721043][ T4025]  ret_from_fork+0x10/0x20
[ 56.722243][ T4025]
[ 56.722838][ T4025] Allocated by task 4266:
[ 56.723863][ T4025]  ____kasan_kmalloc+0xbc/0xfc
[ 56.725098][ T4025]  __kasan_kmalloc+0x10/0x1c
[ 56.726262][ T4025]  __kmalloc+0x29c/0x4c8
[ 56.727435][ T4025]  sk_prot_alloc+0xc4/0x1f0
[ 56.728535][ T4025]  sk_alloc+0x40/0x3e0
[ 56.729652][ T4025]  l2cap_sock_create+0x140/0x33c
[ 56.730796][ T4025]  bt_sock_create+0x14c/0x248
[ 56.732080][ T4025]  __sock_create+0x43c/0x884
[ 56.733286][ T4025]  __sys_socket+0x168/0x310
[ 56.734483][ T4025]  __arm64_sys_socket+0x7c/0x94
[ 56.735786][ T4025]  invoke_syscall+0x98/0x2b8
[ 56.736916][ T4025]  el0_svc_common+0x138/0x258
[ 56.738128][ T4025]  do_el0_svc+0x58/0x14c
[ 56.739317][ T4025]  el0_svc+0x7c/0x1f0
[ 56.740404][ T4025]  el0t_64_sync_handler+0x84/0xe4
[ 56.741704][ T4025]  el0t_64_sync+0x1a0/0x1a4
[ 56.742753][ T4025]
[ 56.743381][ T4025] Freed by task 4266:
[ 56.744456][ T4025]  kasan_set_track+0x4c/0x84
[ 56.745709][ T4025]  kasan_set_free_info+0x28/0x4c
[ 56.746958][ T4025]  ____kasan_slab_free+0x118/0x164
[ 56.748301][ T4025]  __kasan_slab_free+0x18/0x28
[ 56.749568][ T4025]  slab_free_freelist_hook+0x128/0x1ec
[ 56.751009][ T4025]  kfree+0x178/0x410
[ 56.752010][ T4025]  __sk_destruct+0x418/0x600
[ 56.753195][ T4025]  __sk_free+0x37c/0x4e8
[ 56.754346][ T4025]  sk_free+0x68/0xdc
[ 56.755349][ T4025]  l2cap_sock_kill+0x114/0x228
[ 56.756510][ T4025]  l2cap_sock_release+0x138/0x1b4
[ 56.757840][ T4025]  sock_close+0xb8/0x1fc
[ 56.759005][ T4025]  __fput+0x1c4/0x800
[ 56.759964][ T4025]  ____fput+0x20/0x30
[ 56.760997][ T4025]  task_work_run+0x130/0x1e4
[ 56.762216][ T4025]  do_notify_resume+0x262c/0x32b8
[ 56.763358][ T4025]  el0_svc+0xfc/0x1f0
[ 56.764461][ T4025]  el0t_64_sync_handler+0x84/0xe4
[ 56.765740][ T4025]  el0t_64_sync+0x1a0/0x1a4
[ 56.766837][ T4025]
[ 56.767414][ T4025] The buggy address belongs to the object at ffff0000d8e0a000
[ 56.767414][ T4025]  which belongs to the cache kmalloc-2k of size 2048
[ 56.771044][ T4025] The buggy address is located 140 bytes inside of
[ 56.771044][ T4025]  2048-byte region [ffff0000d8e0a000, ffff0000d8e0a800)
[ 56.774414][ T4025] The buggy address belongs to the page:
[ 56.775828][ T4025] page:00000000ab999386 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x118e08
[ 56.778478][ T4025] head:00000000ab999386 order:3 compound_mapcount:0 compound_pincount:0
[ 56.780695][ T4025] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 56.782630][ T4025] raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002900
[ 56.784928][ T4025] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 56.787309][ T4025] page dumped because: kasan: bad access detected
[ 56.788951][ T4025]
[ 56.789570][ T4025] Memory state around the buggy address:
[ 56.790820][ T4025]  ffff0000d8e09f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 56.792973][ T4025]  ffff0000d8e0a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.795107][ T4025] >ffff0000d8e0a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.797092][ T4025]                                        ^
[ 56.798240][ T4025]  ffff0000d8e0a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.800208][ T4025]  ffff0000d8e0a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.802370][ T4025] ==================================================================
[ 58.106895][ T1533] Bluetooth: hci0: command 0x041b tx timeout
[ 60.186864][ T1533] Bluetooth: hci0: command 0x040f tx timeout
[ 62.266861][ T1533] Bluetooth: hci0: command 0x0419 tx timeout