Warning: Permanently added '10.128.1.228' (ED25519) to the list of known hosts.
[ 37.979192][ T4014] cgroup: Unknown subsys name 'net'
[ 38.224937][ T4014] cgroup: Unknown subsys name 'rlimit'
executing program
[ 38.555357][ T4020]
[ 38.555905][ T4020] =====================================
[ 38.556993][ T4020] WARNING: bad unlock balance detected!
[ 38.558067][ T4020] 5.15.166-syzkaller #0 Not tainted
[ 38.559114][ T4020] -------------------------------------
[ 38.560193][ T4020] kworker/u5:2/4020 is trying to release lock (&chan->lock) at:
[ 38.561760][ T4020] [] l2cap_recv_frame+0xf60/0x6c28
[ 38.563093][ T4020] but there are no more locks to release!
[ 38.564235][ T4020]
[ 38.564235][ T4020] other info that might help us debug this:
[ 38.565913][ T4020] 2 locks held by kworker/u5:2/4020:
[ 38.567003][ T4020] #0: ffff0000da77a138 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x66c/0x11b8
[ 38.569070][ T4020] #1: ffff80001dbd7c00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x6ac/0x11b8
[ 38.571359][ T4020]
[ 38.571359][ T4020] stack backtrace:
[ 38.572539][ T4020] CPU: 1 PID: 4020 Comm: kworker/u5:2 Not tainted 5.15.166-syzkaller #0
[ 38.574269][ T4020] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
[ 38.576204][ T4020] Workqueue: hci0 hci_rx_work
[ 38.577137][ T4020] Call trace:
[ 38.577739][ T4020]  dump_backtrace+0x0/0x530
[ 38.578620][ T4020]  show_stack+0x2c/0x3c
[ 38.579453][ T4020]  dump_stack_lvl+0x108/0x170
[ 38.580421][ T4020]  dump_stack+0x1c/0x58
[ 38.581283][ T4020]  print_unlock_imbalance_bug+0x250/0x2a4
[ 38.582478][ T4020]  lock_release+0x4b8/0xa1c
[ 38.583378][ T4020]  __mutex_unlock_slowpath+0xe0/0x6d4
[ 38.584575][ T4020]  mutex_unlock+0x8c/0xe0
[ 38.585454][ T4020]  l2cap_recv_frame+0xf60/0x6c28
[ 38.586508][ T4020]  l2cap_recv_acldata+0x4f4/0x163c
[ 38.587640][ T4020]  hci_rx_work+0x3a0/0x7c4
[ 38.588516][ T4020]  process_one_work+0x790/0x11b8
[ 38.589443][ T4020]  worker_thread+0x910/0x1034
[ 38.590368][ T4020]  kthread+0x37c/0x45c
[ 38.591142][ T4020]  ret_from_fork+0x10/0x20
executing program
[ 40.229241][ T4020] ==================================================================
[ 40.230937][ T4020] BUG: KASAN: use-after-free in do_raw_spin_lock+0x244/0x35c
[ 40.232396][ T4020] Read of size 4 at addr ffff0000d0a0b08c by task kworker/u5:2/4020
[ 40.234011][ T4020]
[ 40.234438][ T4020] CPU: 0 PID: 4020 Comm: kworker/u5:2 Not tainted 5.15.166-syzkaller #0
[ 40.236057][ T4020] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
[ 40.238088][ T4020] Workqueue: hci0 hci_rx_work
[ 40.238980][ T4020] Call trace:
[ 40.239730][ T4020]  dump_backtrace+0x0/0x530
[ 40.240641][ T4020]  show_stack+0x2c/0x3c
[ 40.241543][ T4020]  dump_stack_lvl+0x108/0x170
[ 40.242494][ T4020]  print_address_description+0x7c/0x3f0
[ 40.243671][ T4020]  kasan_report+0x174/0x1e4
[ 40.244797][ T4020]  __asan_report_load4_noabort+0x44/0x50
[ 40.245982][ T4020]  do_raw_spin_lock+0x244/0x35c
[ 40.247084][ T4020]  _raw_spin_lock_bh+0x12c/0x1c4
[ 40.248224][ T4020]  __lock_sock+0x170/0x2d4
[ 40.249161][ T4020]  lock_sock_nested+0x138/0x1ec
[ 40.250194][ T4020]  l2cap_sock_recv_cb+0x5c/0x1c0
[ 40.251277][ T4020]  l2cap_recv_frame+0xeb4/0x6c28
[ 40.252360][ T4020]  l2cap_recv_acldata+0x4f4/0x163c
[ 40.253452][ T4020]  hci_rx_work+0x3a0/0x7c4
[ 40.254455][ T4020]  process_one_work+0x790/0x11b8
[ 40.255449][ T4020]  worker_thread+0x910/0x1034
[ 40.256396][ T4020]  kthread+0x37c/0x45c
[ 40.257306][ T4020]  ret_from_fork+0x10/0x20
[ 40.258281][ T4020]
[ 40.258744][ T4020] Allocated by task 4153:
[ 40.259610][ T4020]  ____kasan_kmalloc+0xbc/0xfc
[ 40.260623][ T4020]  __kasan_kmalloc+0x10/0x1c
[ 40.261592][ T4020]  __kmalloc+0x29c/0x4c8
[ 40.262397][ T4020]  sk_prot_alloc+0xc4/0x1f0
[ 40.263421][ T4020]  sk_alloc+0x40/0x3e0
[ 40.264288][ T4020]  l2cap_sock_create+0x140/0x33c
[ 40.265371][ T4020]  bt_sock_create+0x14c/0x248
[ 40.266421][ T4020]  __sock_create+0x43c/0x884
[ 40.267514][ T4020]  __sys_socket+0x168/0x310
[ 40.268436][ T4020]  __arm64_sys_socket+0x7c/0x94
[ 40.269445][ T4020]  invoke_syscall+0x98/0x2b8
[ 40.270495][ T4020]  el0_svc_common+0x138/0x258
[ 40.271463][ T4020]  do_el0_svc+0x58/0x14c
[ 40.272350][ T4020]  el0_svc+0x7c/0x1f0
[ 40.273225][ T4020]  el0t_64_sync_handler+0x84/0xe4
[ 40.274229][ T4020]  el0t_64_sync+0x1a0/0x1a4
[ 40.275180][ T4020]
[ 40.275693][ T4020] Freed by task 4153:
[ 40.276488][ T4020]  kasan_set_track+0x4c/0x84
[ 40.277446][ T4020]  kasan_set_free_info+0x28/0x4c
[ 40.278620][ T4020]  ____kasan_slab_free+0x118/0x164
[ 40.279722][ T4020]  __kasan_slab_free+0x18/0x28
[ 40.280770][ T4020]  slab_free_freelist_hook+0x128/0x1ec
[ 40.281879][ T4020]  kfree+0x178/0x410
[ 40.282733][ T4020]  __sk_destruct+0x418/0x600
[ 40.283697][ T4020]  __sk_free+0x37c/0x4e8
[ 40.284561][ T4020]  sk_free+0x68/0xdc
[ 40.285444][ T4020]  l2cap_sock_kill+0x114/0x228
[ 40.286394][ T4020]  l2cap_sock_release+0x138/0x1b4
[ 40.287478][ T4020]  sock_close+0xb8/0x1fc
[ 40.288452][ T4020]  __fput+0x1c4/0x800
[ 40.289294][ T4020]  ____fput+0x20/0x30
[ 40.290189][ T4020]  task_work_run+0x130/0x1e4
[ 40.291214][ T4020]  do_notify_resume+0x262c/0x32b8
[ 40.292269][ T4020]  el0_svc+0xfc/0x1f0
[ 40.293105][ T4020]  el0t_64_sync_handler+0x84/0xe4
[ 40.294220][ T4020]  el0t_64_sync+0x1a0/0x1a4
[ 40.295205][ T4020]
[ 40.295664][ T4020] The buggy address belongs to the object at ffff0000d0a0b000
[ 40.295664][ T4020] which belongs to the cache kmalloc-2k of size 2048
[ 40.298480][ T4020] The buggy address is located 140 bytes inside of
[ 40.298480][ T4020] 2048-byte region [ffff0000d0a0b000, ffff0000d0a0b800)
[ 40.301352][ T4020] The buggy address belongs to the page:
[ 40.302597][ T4020] page:000000006a4a2dfd refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x110a08
[ 40.304702][ T4020] head:000000006a4a2dfd order:3 compound_mapcount:0 compound_pincount:0
[ 40.306327][ T4020] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 40.308003][ T4020] raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002900
[ 40.309695][ T4020] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 40.311593][ T4020] page dumped because: kasan: bad access detected
[ 40.312985][ T4020]
[ 40.313469][ T4020] Memory state around the buggy address:
[ 40.314617][ T4020] ffff0000d0a0af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.316329][ T4020] ffff0000d0a0b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.318169][ T4020] >ffff0000d0a0b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.319970][ T4020] ^
[ 40.320823][ T4020] ffff0000d0a0b100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.322380][ T4020] ffff0000d0a0b180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.324088][ T4020] ==================================================================
executing program
[ 40.508896][ T4015] Bluetooth: hci0: command 0x0409 tx timeout
executing program
[ 42.588934][ T4015] Bluetooth: hci0: command 0x041b tx timeout
executing program
[ 44.668927][ T4015] Bluetooth: hci0: command 0x040f tx timeout
executing program
[ 46.748863][ T4015] Bluetooth: hci0: command 0x0419 tx timeout
executing program