==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:182 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:239 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:256 [inline]
BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:760 [inline]
BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x64/0x25c net/bluetooth/sco.c:88
Write of size 4 at addr ffff0001437dc080 by task kworker/0:7/8867

CPU: 0 PID: 8867 Comm: kworker/0:7 Tainted: G B 6.8.0-rc5-syzkaller-g9abbc24128bc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Workqueue: events sco_sock_timeout
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x178/0x518 mm/kasan/report.c:488
 kasan_report+0xd8/0x138 mm/kasan/report.c:601
 kasan_check_range+0x254/0x294 mm/kasan/generic.c:189
 __kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
 __refcount_add include/linux/refcount.h:182 [inline]
 __refcount_inc include/linux/refcount.h:239 [inline]
 refcount_inc include/linux/refcount.h:256 [inline]
 sock_hold include/net/sock.h:760 [inline]
 sco_sock_timeout+0x64/0x25c net/bluetooth/sco.c:88
 process_one_work+0x694/0x1204 kernel/workqueue.c:2633
 process_scheduled_works kernel/workqueue.c:2706 [inline]
 worker_thread+0x938/0xef4 kernel/workqueue.c:2787
 kthread+0x288/0x310 kernel/kthread.c:388
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860

The buggy address belongs to the object at ffff0001437dc000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
 freed 2048-byte region [ffff0001437dc000, ffff0001437dc800)

The buggy address belongs to the physical page:
page:00000000549b2e02 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0001437dc000 pfn:0x1837d8
head:00000000549b2e02 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000a40(workingset|slab|head|node=0|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 05ffc00000000a40 ffff0000c0002000 fffffdffc4fa3a10 fffffdffc4be8c10
raw: ffff0001437dc000 0000000000080006 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0001437dbf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0001437dc000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0001437dc080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff0001437dc100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0001437dc180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 8867 at lib/refcount.c:25 refcount_warn_saturate+0x1a8/0x20c lib/refcount.c:25
Modules linked in:
CPU: 0 PID: 8867 Comm: kworker/0:7 Tainted: G B 6.8.0-rc5-syzkaller-g9abbc24128bc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Workqueue: events sco_sock_timeout
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x1a8/0x20c lib/refcount.c:25
lr : refcount_warn_saturate+0x1a8/0x20c lib/refcount.c:25
sp : ffff8000983f7af0
x29: ffff8000983f7af0 x28: 1fffe0001b25ef8a x27: dfff800000000000
x26: ffff0000c1058008 x25: ffff0000d92f7c50 x24: ffff0001b4015700
x23: dfff800000000000 x22: 0000000000000000 x21: 0000000000000002
x20: ffff0001437dc080 x19: ffff800091cb1000 x18: dfff800000000000
x17: 3d3d3d3d3d3d3d3d x16: ffff80008ad5bbdc x15: 0000000000000001
x14: 1fffe00036800402 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000003 x10: 0000000000ff0100 x9 : f1fa31f989f50a00
x8 : f1fa31f989f50a00 x7 : 69646461203a745f x6 : ffff80008035fe88
x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff8000805b98b4
x2 : 0000000000000001 x1 : 0000000100000001 x0 : 0000000000000000
Call trace:
 refcount_warn_saturate+0x1a8/0x20c lib/refcount.c:25
 __refcount_inc include/linux/refcount.h:239 [inline]
 refcount_inc include/linux/refcount.h:256 [inline]
 sock_hold include/net/sock.h:760 [inline]
 sco_sock_timeout+0x19c/0x25c net/bluetooth/sco.c:88
 process_one_work+0x694/0x1204 kernel/workqueue.c:2633
 process_scheduled_works kernel/workqueue.c:2706 [inline]
 worker_thread+0x938/0xef4 kernel/workqueue.c:2787
 kthread+0x288/0x310 kernel/kthread.c:388
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
irq event stamp: 0
hardirqs last enabled at (0): [<0000000000000000>] 0x0
hardirqs last disabled at (0): [] copy_process+0x1318/0x3478 kernel/fork.c:2441
softirqs last enabled at (0): [] copy_process+0x1340/0x3478 kernel/fork.c:2442
softirqs last disabled at (0): [<0000000000000000>] 0x0
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 8867 at lib/refcount.c:28 refcount_warn_saturate+0x1c8/0x20c lib/refcount.c:28
Modules linked in:
CPU: 0 PID: 8867 Comm: kworker/0:7 Tainted: G B W 6.8.0-rc5-syzkaller-g9abbc24128bc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
Workqueue: events sco_sock_timeout
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x1c8/0x20c lib/refcount.c:28
lr : refcount_warn_saturate+0x1c8/0x20c lib/refcount.c:28
sp : ffff8000983f7af0
x29: ffff8000983f7af0 x28: 1fffe0001b25ef8a x27: dfff800000000000
x26: ffff0000c1058008 x25: ffff0000d92f7c50 x24: ffff0001b4015700
x23: dfff800000000000 x22: 0000000000000000 x21: 0000000000000003
x20: ffff0001437dc080 x19: ffff800091cb1000 x18: dfff800000000000
x17: 3d3d3d3d3d3d3d3d x16: ffff80008ad5bbdc x15: 0000000000000001
x14: 1fffe00036800402 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000002 x10: 0000000000ff0100 x9 : f1fa31f989f50a00
x8 : f1fa31f989f50a00 x7 : 65646e75203a745f x6 : ffff80008035fe88
x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff8000805b98b4
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000000
Call trace:
 refcount_warn_saturate+0x1c8/0x20c lib/refcount.c:28
 __refcount_sub_and_test include/linux/refcount.h:272 [inline]
 __refcount_dec_and_test include/linux/refcount.h:304 [inline]
 refcount_dec_and_test include/linux/refcount.h:322 [inline]
 sock_put include/net/sock.h:1960 [inline]
 sco_sock_timeout+0x1b0/0x25c net/bluetooth/sco.c:100
 process_one_work+0x694/0x1204 kernel/workqueue.c:2633
 process_scheduled_works kernel/workqueue.c:2706 [inline]
 worker_thread+0x938/0xef4 kernel/workqueue.c:2787
 kthread+0x288/0x310 kernel/kthread.c:388
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
irq event stamp: 0
hardirqs last enabled at (0): [<0000000000000000>] 0x0
hardirqs last disabled at (0): [] copy_process+0x1318/0x3478 kernel/fork.c:2441
softirqs last enabled at (0): [] copy_process+0x1340/0x3478 kernel/fork.c:2442
softirqs last disabled at (0): [<0000000000000000>] 0x0
---[ end trace 0000000000000000 ]---