Warning: Permanently added '10.128.1.75' (ED25519) to the list of known hosts.
[ 35.882055][ T6017] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 35.884618][ T6017] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 35.887668][ T6017] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 35.890539][ T6017] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 35.892900][ T6017] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 35.894982][ T6017] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 37.986123][ T5585] Bluetooth: hci0: command 0x0409 tx timeout
executing program
executing program
executing program
executing program
[ 40.057042][ T5585] Bluetooth: hci0: command 0x041b tx timeout
[ 40.216198][ T5815] ==================================================================
[ 40.218481][ T5815] BUG: KASAN: slab-use-after-free in hci_send_acl+0x54/0xb54
[ 40.220487][ T5815] Read of size 8 at addr ffff0000c2c3db18 by task kworker/0:3/5815
[ 40.222639][ T5815]
[ 40.223290][ T5815] CPU: 0 PID: 5815 Comm: kworker/0:3 Not tainted 6.6.0-rc3-syzkaller-g2e530aeb342b #0
[ 40.225781][ T5815] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
[ 40.228477][ T5815] Workqueue: events l2cap_info_timeout
[ 40.230000][ T5815] Call trace:
[ 40.230885][ T5815]  dump_backtrace+0x1b8/0x1e4
[ 40.232175][ T5815]  show_stack+0x2c/0x44
[ 40.233252][ T5815]  dump_stack_lvl+0xd0/0x124
[ 40.234446][ T5815]  print_report+0x174/0x514
[ 40.235641][ T5815]  kasan_report+0xd8/0x138
[ 40.236892][ T5815]  __asan_report_load8_noabort+0x20/0x2c
[ 40.238414][ T5815]  hci_send_acl+0x54/0xb54
[ 40.239552][ T5815]  l2cap_send_cmd+0x52c/0x76c
[ 40.240793][ T5815]  l2cap_send_conn_req+0x188/0x2c4
[ 40.242141][ T5815]  l2cap_start_connection+0x118/0x2fc
[ 40.243581][ T5815]  l2cap_conn_start+0x928/0xd8c
[ 40.244856][ T5815]  l2cap_info_timeout+0x68/0xb8
[ 40.246183][ T5815]  process_one_work+0x694/0x1204
[ 40.247517][ T5815]  worker_thread+0x938/0xef4
[ 40.248739][ T5815]  kthread+0x288/0x310
[ 40.249853][ T5815]  ret_from_fork+0x10/0x20
[ 40.251045][ T5815]
[ 40.251641][ T5815] Allocated by task 6021:
[ 40.252785][ T5815]  kasan_set_track+0x4c/0x7c
[ 40.254007][ T5815]  kasan_save_alloc_info+0x24/0x30
[ 40.255370][ T5815]  __kasan_kmalloc+0xac/0xc4
[ 40.256622][ T5815]  kmalloc_trace+0x70/0x88
[ 40.257834][ T5815]  hci_chan_create+0xb0/0x298
[ 40.259054][ T5815]  l2cap_conn_add+0x78/0x998
[ 40.260283][ T5815]  l2cap_chan_connect+0x5bc/0xcc8
[ 40.261590][ T5815]  lowpan_control_write+0x4e8/0x824
[ 40.263004][ T5815]  full_proxy_write+0x110/0x1f8
[ 40.264280][ T5815]  vfs_write+0x2a0/0x93c
[ 40.265409][ T5815]  ksys_write+0x15c/0x26c
[ 40.266560][ T5815]  __arm64_sys_write+0x7c/0x90
[ 40.267857][ T5815]  invoke_syscall+0x98/0x2b8
[ 40.269107][ T5815]  el0_svc_common+0x130/0x23c
[ 40.270365][ T5815]  do_el0_svc+0x48/0x58
[ 40.271540][ T5815]  el0_svc+0x58/0x16c
[ 40.272591][ T5815]  el0t_64_sync_handler+0x84/0xfc
[ 40.273932][ T5815]  el0t_64_sync+0x190/0x194
[ 40.275164][ T5815]
[ 40.275818][ T5815] Freed by task 5585:
[ 40.277014][ T5815]  kasan_set_track+0x4c/0x7c
[ 40.278268][ T5815]  kasan_save_free_info+0x38/0x5c
[ 40.279631][ T5815]  ____kasan_slab_free+0x144/0x1c0
[ 40.281070][ T5815]  __kasan_slab_free+0x18/0x28
[ 40.282342][ T5815]  __kmem_cache_free+0x2ac/0x480
[ 40.283739][ T5815]  kfree+0xb8/0x19c
[ 40.284744][ T5815]  hci_chan_del+0x148/0x1ac
[ 40.285950][ T5815]  hci_conn_del+0x3cc/0xa90
[ 40.287177][ T5815]  hci_conn_failed+0x204/0x2a4
[ 40.288461][ T5815]  hci_abort_conn_sync+0x8a8/0xd90
[ 40.289879][ T5815]  abort_conn_sync+0x5c/0x8c
[ 40.291129][ T5815]  hci_cmd_sync_work+0x1d8/0x30c
[ 40.292441][ T5815]  process_one_work+0x694/0x1204
[ 40.293772][ T5815]  worker_thread+0x938/0xef4
[ 40.295016][ T5815]  kthread+0x288/0x310
[ 40.296120][ T5815]  ret_from_fork+0x10/0x20
[ 40.297359][ T5815]
[ 40.297997][ T5815] Last potentially related work creation:
[ 40.299501][ T5815]  kasan_save_stack+0x40/0x6c
[ 40.300740][ T5815]  __kasan_record_aux_stack+0xcc/0xe8
[ 40.302149][ T5815]  kasan_record_aux_stack_noalloc+0x14/0x20
[ 40.303796][ T5815]  kvfree_call_rcu+0xac/0x674
[ 40.305127][ T5815]  kernfs_unlink_open_file+0x398/0x448
[ 40.306561][ T5815]  kernfs_fop_release+0x130/0x198
[ 40.307903][ T5815]  __fput+0x324/0x7f8
[ 40.308975][ T5815]  __fput_sync+0x60/0x9c
[ 40.310164][ T5815]  __arm64_sys_close+0x150/0x1e0
[ 40.311505][ T5815]  invoke_syscall+0x98/0x2b8
[ 40.312732][ T5815]  el0_svc_common+0x130/0x23c
[ 40.314008][ T5815]  do_el0_svc+0x48/0x58
[ 40.315092][ T5815]  el0_svc+0x58/0x16c
[ 40.316144][ T5815]  el0t_64_sync_handler+0x84/0xfc
[ 40.317499][ T5815]  el0t_64_sync+0x190/0x194
[ 40.318715][ T5815]
[ 40.319328][ T5815] Second to last potentially related work creation:
[ 40.321107][ T5815]  kasan_save_stack+0x40/0x6c
[ 40.322390][ T5815]  __kasan_record_aux_stack+0xcc/0xe8
[ 40.323805][ T5815]  kasan_record_aux_stack_noalloc+0x14/0x20
[ 40.325387][ T5815]  kvfree_call_rcu+0xac/0x674
[ 40.326617][ T5815]  kernfs_unlink_open_file+0x398/0x448
[ 40.328125][ T5815]  kernfs_fop_release+0x130/0x198
[ 40.329486][ T5815]  __fput+0x324/0x7f8
[ 40.330578][ T5815]  __fput_sync+0x60/0x9c
[ 40.331722][ T5815]  __arm64_sys_close+0x150/0x1e0
[ 40.333024][ T5815]  invoke_syscall+0x98/0x2b8
[ 40.334211][ T5815]  el0_svc_common+0x130/0x23c
[ 40.335468][ T5815]  do_el0_svc+0x48/0x58
[ 40.336618][ T5815]  el0_svc+0x58/0x16c
[ 40.337749][ T5815]  el0t_64_sync_handler+0x84/0xfc
[ 40.339143][ T5815]  el0t_64_sync+0x190/0x194
[ 40.340338][ T5815]
[ 40.340944][ T5815] The buggy address belongs to the object at ffff0000c2c3db00
[ 40.340944][ T5815]  which belongs to the cache kmalloc-128 of size 128
[ 40.344671][ T5815] The buggy address is located 24 bytes inside of
[ 40.344671][ T5815]  freed 128-byte region [ffff0000c2c3db00, ffff0000c2c3db80)
[ 40.348411][ T5815]
[ 40.349044][ T5815] The buggy address belongs to the physical page:
[ 40.350761][ T5815] page:000000008dd779ee refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c3d
[ 40.353526][ T5815] flags: 0x5ffc00000000800(slab|node=0|zone=2|lastcpupid=0x7ff)
[ 40.355561][ T5815] page_type: 0xffffffff()
[ 40.356784][ T5815] raw: 05ffc00000000800 ffff0000c00018c0 fffffc00032ed580 dead000000000004
[ 40.359100][ T5815] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 40.361417][ T5815] page dumped because: kasan: bad access detected
[ 40.363111][ T5815]
[ 40.363733][ T5815] Memory state around the buggy address:
[ 40.365230][ T5815]  ffff0000c2c3da00: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
[ 40.367446][ T5815]  ffff0000c2c3da80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.369561][ T5815] >ffff0000c2c3db00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.371733][ T5815]                    ^
[ 40.373102][ T5815]  ffff0000c2c3db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.375253][ T5815]  ffff0000c2c3dc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.377440][ T5815] ==================================================================
[ 40.379893][ T5815] Disabling lock debugging due to kernel taint
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 42.135775][ T5585] Bluetooth: hci0: command 0x040f tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 44.215700][ T5585] Bluetooth: hci0: command 0x0419 tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 46.295715][ T5585] Bluetooth: hci0: command 0x0405 tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 48.375779][ T5585] Bluetooth: hci0: command 0x0405 tx timeout
executing program
executing program
executing program
executing program
executing program
executing program