Bluetooth: Unknown BR/EDR signaling command 0x0d
Bluetooth: Wrong link type (-22)
Bluetooth: Unknown BR/EDR signaling command 0x0f
Bluetooth: Wrong link type (-22)
Bluetooth: Unknown BR/EDR signaling command 0x11
Bluetooth: Wrong link type (-22)
==================================================================
BUG: KASAN: slab-use-after-free in l2cap_build_cmd net/bluetooth/l2cap_core.c:2951 [inline]
BUG: KASAN: slab-use-after-free in l2cap_send_cmd+0x788/0x920 net/bluetooth/l2cap_core.c:954
Read of size 4 at addr ffff888060453810 by task kworker/u9:0/20749
CPU: 1 UID: 0 PID: 20749 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-00308-gb31c44928842 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci6 hci_rx_work
Call Trace:
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
l2cap_build_cmd net/bluetooth/l2cap_core.c:2951 [inline]
l2cap_send_cmd+0x788/0x920 net/bluetooth/l2cap_core.c:954
l2cap_sig_send_rej net/bluetooth/l2cap_core.c:5510 [inline]
l2cap_sig_channel net/bluetooth/l2cap_core.c:5546 [inline]
l2cap_recv_frame+0x2360/0x8eb0 net/bluetooth/l2cap_core.c:6825
l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514
hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline]
hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028
process_one_work+0x9c8/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Allocated by task 22788:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
kmalloc_noprof include/linux/slab.h:681 [inline]
kzalloc_noprof include/linux/slab.h:807 [inline]
l2cap_conn_add.part.0+0x60/0xa60 net/bluetooth/l2cap_core.c:6868
l2cap_conn_add net/bluetooth/l2cap_core.c:69 [inline]
l2cap_connect_cfm+0x428/0xf80 net/bluetooth/l2cap_core.c:7245
hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
hci_remote_features_evt+0x54b/0x9e0 net/bluetooth/hci_event.c:3721
hci_event_func net/bluetooth/hci_event.c:7446 [inline]
hci_event_packet+0x9ee/0x1180 net/bluetooth/hci_event.c:7498
hci_rx_work+0x2c6/0x1610 net/bluetooth/hci_core.c:4023
process_one_work+0x9c8/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Freed by task 22788:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
__kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2256 [inline]
slab_free mm/slub.c:4477 [inline]
kfree+0x12a/0x3b0 mm/slub.c:4598
l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline]
kref_put include/linux/kref.h:65 [inline]
l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline]
l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802
l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241
hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
hci_conn_failed+0x1c6/0x370 net/bluetooth/hci_conn.c:1265
hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583
abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917
hci_cmd_sync_work+0x1a7/0x410 net/bluetooth/hci_sync.c:328
process_one_work+0x9c8/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Last potentially related work creation:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
__kasan_record_aux_stack+0xba/0xd0 mm/kasan/generic.c:541
insert_work+0x36/0x230 kernel/workqueue.c:2185
__queue_work+0x97e/0x1070 kernel/workqueue.c:2341
call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792
expire_timers kernel/time/timer.c:1838 [inline]
__run_timers+0x567/0xaf0 kernel/time/timer.c:2417
__run_timer_base kernel/time/timer.c:2428 [inline]
__run_timer_base kernel/time/timer.c:2421 [inline]
run_timer_base+0x111/0x190 kernel/time/timer.c:2437
run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2447
handle_softirqs+0x219/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
Second to last potentially related work creation:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
__kasan_record_aux_stack+0xba/0xd0 mm/kasan/generic.c:541
insert_work+0x36/0x230 kernel/workqueue.c:2185
__queue_work+0x3f8/0x1070 kernel/workqueue.c:2345
queue_work_on+0x11a/0x140 kernel/workqueue.c:2392
queue_work include/linux/workqueue.h:621 [inline]
l2cap_conn_ready net/bluetooth/l2cap_core.c:1640 [inline]
l2cap_connect_cfm+0x9c9/0xf80 net/bluetooth/l2cap_core.c:7286
hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
hci_remote_features_evt+0x54b/0x9e0 net/bluetooth/hci_event.c:3721
hci_event_func net/bluetooth/hci_event.c:7446 [inline]
hci_event_packet+0x9ee/0x1180 net/bluetooth/hci_event.c:7498
hci_rx_work+0x2c6/0x1610 net/bluetooth/hci_core.c:4023
process_one_work+0x9c8/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
The buggy address belongs to the object at ffff888060453800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 16 bytes inside of
freed 1024-byte region [ffff888060453800, ffff888060453c00)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x60450
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xfdffffff(slab)
raw: 00fff00000000040 ffff88801ac41dc0 ffffea0001e32400 dead000000000002
raw: 0000000000000000 0000000000100010 00000001fdffffff 0000000000000000
head: 00fff00000000040 ffff88801ac41dc0 ffffea0001e32400 dead000000000002
head: 0000000000000000 0000000000100010 00000001fdffffff 0000000000000000
head: 00fff00000000003 ffffea0001811401 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 11007, tgid 11004 (syz.2.586), ts 1166299455698, free_ts 1166073021186
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1500
prep_new_page mm/page_alloc.c:1508 [inline]
get_page_from_freelist+0x1351/0x2e50 mm/page_alloc.c:3446
__alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4702
__alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
alloc_slab_page+0x4e/0xf0 mm/slub.c:2325
allocate_slab mm/slub.c:2488 [inline]
new_slab+0x84/0x260 mm/slub.c:2541
___slab_alloc+0xdac/0x1870 mm/slub.c:3727
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3817
__slab_alloc_node mm/slub.c:3870 [inline]
slab_alloc_node mm/slub.c:4029 [inline]
__do_kmalloc_node mm/slub.c:4161 [inline]
__kmalloc_node_track_caller_noprof+0x355/0x430 mm/slub.c:4181
kmalloc_reserve+0xef/0x2c0 net/core/skbuff.c:605
__alloc_skb+0x164/0x380 net/core/skbuff.c:674
skb_copy+0x17a/0x340 net/core/skbuff.c:2143
mac80211_hwsim_tx_frame_no_nl.isra.0+0xb7f/0x12f0 drivers/net/wireless/virtual/mac80211_hwsim.c:1866
mac80211_hwsim_tx+0x7a2/0x25d0 drivers/net/wireless/virtual/mac80211_hwsim.c:2084
drv_tx net/mac80211/driver-ops.h:37 [inline]
wake_tx_push_queue net/mac80211/util.c:298 [inline]
ieee80211_handle_wake_tx_queue+0x18d/0x260 net/mac80211/util.c:315
drv_wake_tx_queue net/mac80211/driver-ops.h:1362 [inline]
schedule_and_wake_txq net/mac80211/driver-ops.h:1369 [inline]
ieee80211_queue_skb+0x12b8/0x2010 net/mac80211/tx.c:1664
__ieee80211_xmit_fast+0x69d/0x2ba0 net/mac80211/tx.c:3732
page last free pid 11007 tgid 11004 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1101 [inline]
free_unref_page+0x64a/0xe40 mm/page_alloc.c:2619
__put_partials+0x14c/0x170 mm/slub.c:3055
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3992 [inline]
slab_alloc_node mm/slub.c:4041 [inline]
kmem_cache_alloc_node_noprof+0x153/0x310 mm/slub.c:4084
kmalloc_reserve+0x18b/0x2c0 net/core/skbuff.c:583
__alloc_skb+0x164/0x380 net/core/skbuff.c:674
alloc_skb include/linux/skbuff.h:1320 [inline]
sock_wmalloc+0xd4/0x120 net/core/sock.c:2664
l2tp_ip_sendmsg+0x1ae/0x14e0 net/l2tp/l2tp_ip.c:439
inet_sendmsg+0x11c/0x140 net/ipv4/af_inet.c:853
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x992/0xc90 net/socket.c:2597
___sys_sendmsg+0x135/0x1e0 net/socket.c:2651
__sys_sendmmsg+0x1a1/0x450 net/socket.c:2737
__do_sys_sendmmsg net/socket.c:2766 [inline]
__se_sys_sendmmsg net/socket.c:2763 [inline]
__x64_sys_sendmmsg+0x9c/0x100 net/socket.c:2763
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
Memory state around the buggy address:
ffff888060453700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888060453780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888060453800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888060453880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888060453900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: slab-use-after-free in l2cap_build_cmd net/bluetooth/l2cap_core.c:2964 [inline]
BUG: KASAN: slab-use-after-free in l2cap_send_cmd+0x882/0x920 net/bluetooth/l2cap_core.c:954
Read of size 8 at addr ffff888060453800 by task kworker/u9:0/20749
CPU: 1 UID: 0 PID: 20749 Comm: kworker/u9:0 Tainted: G B 6.11.0-rc6-syzkaller-00308-gb31c44928842 #0
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci6 hci_rx_work
Call Trace:
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
l2cap_build_cmd net/bluetooth/l2cap_core.c:2964 [inline]
l2cap_send_cmd+0x882/0x920 net/bluetooth/l2cap_core.c:954
l2cap_sig_send_rej net/bluetooth/l2cap_core.c:5510 [inline]
l2cap_sig_channel net/bluetooth/l2cap_core.c:5546 [inline]
l2cap_recv_frame+0x2360/0x8eb0 net/bluetooth/l2cap_core.c:6825
l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514
hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline]
hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028
process_one_work+0x9c8/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Allocated by task 22788:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
kmalloc_noprof include/linux/slab.h:681 [inline]
kzalloc_noprof include/linux/slab.h:807 [inline]
l2cap_conn_add.part.0+0x60/0xa60 net/bluetooth/l2cap_core.c:6868
l2cap_conn_add net/bluetooth/l2cap_core.c:69 [inline]
l2cap_connect_cfm+0x428/0xf80 net/bluetooth/l2cap_core.c:7245
hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
hci_remote_features_evt+0x54b/0x9e0 net/bluetooth/hci_event.c:3721
hci_event_func net/bluetooth/hci_event.c:7446 [inline]
hci_event_packet+0x9ee/0x1180 net/bluetooth/hci_event.c:7498
hci_rx_work+0x2c6/0x1610 net/bluetooth/hci_core.c:4023
process_one_work+0x9c8/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Freed by task 22788:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
__kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2256 [inline]
slab_free mm/slub.c:4477 [inline]
kfree+0x12a/0x3b0 mm/slub.c:4598
l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline]
kref_put include/linux/kref.h:65 [inline]
l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline]
l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802
l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241
hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
hci_conn_failed+0x1c6/0x370 net/bluetooth/hci_conn.c:1265
hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583
abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917
hci_cmd_sync_work+0x1a7/0x410 net/bluetooth/hci_sync.c:328
process_one_work+0x9c8/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Last potentially related work creation:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
__kasan_record_aux_stack+0xba/0xd0 mm/kasan/generic.c:541
insert_work+0x36/0x230 kernel/workqueue.c:2185
__queue_work+0x97e/0x1070 kernel/workqueue.c:2341
call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792
expire_timers kernel/time/timer.c:1838 [inline]
__run_timers+0x567/0xaf0 kernel/time/timer.c:2417
__run_timer_base kernel/time/timer.c:2428 [inline]
__run_timer_base kernel/time/timer.c:2421 [inline]
run_timer_base+0x111/0x190 kernel/time/timer.c:2437
run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2447
handle_softirqs+0x219/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
Second to last potentially related work creation:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
__kasan_record_aux_stack+0xba/0xd0 mm/kasan/generic.c:541
insert_work+0x36/0x230 kernel/workqueue.c:2185
__queue_work+0x3f8/0x1070 kernel/workqueue.c:2345
queue_work_on+0x11a/0x140 kernel/workqueue.c:2392
queue_work include/linux/workqueue.h:621 [inline]
l2cap_conn_ready net/bluetooth/l2cap_core.c:1640 [inline]
l2cap_connect_cfm+0x9c9/0xf80 net/bluetooth/l2cap_core.c:7286
hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
hci_remote_features_evt+0x54b/0x9e0 net/bluetooth/hci_event.c:3721
hci_event_func net/bluetooth/hci_event.c:7446 [inline]
hci_event_packet+0x9ee/0x1180 net/bluetooth/hci_event.c:7498
hci_rx_work+0x2c6/0x1610 net/bluetooth/hci_core.c:4023
process_one_work+0x9c8/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
The buggy address belongs to the object at ffff888060453800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 0 bytes inside of
freed 1024-byte region [ffff888060453800, ffff888060453c00)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x60450
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xfdffffff(slab)
raw: 00fff00000000040 ffff88801ac41dc0 ffffea0001e32400 dead000000000002
raw: 0000000000000000 0000000000100010 00000001fdffffff 0000000000000000
head: 00fff00000000040 ffff88801ac41dc0 ffffea0001e32400 dead000000000002
head: 0000000000000000 0000000000100010 00000001fdffffff 0000000000000000
head: 00fff00000000003 ffffea0001811401 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 11007, tgid 11004 (syz.2.586), ts 1166299455698, free_ts 1166073021186
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1500
prep_new_page mm/page_alloc.c:1508 [inline]
get_page_from_freelist+0x1351/0x2e50 mm/page_alloc.c:3446
__alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4702
__alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
alloc_slab_page+0x4e/0xf0 mm/slub.c:2325
allocate_slab mm/slub.c:2488 [inline]
new_slab+0x84/0x260 mm/slub.c:2541
___slab_alloc+0xdac/0x1870 mm/slub.c:3727
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3817
__slab_alloc_node mm/slub.c:3870 [inline]
slab_alloc_node mm/slub.c:4029 [inline]
__do_kmalloc_node mm/slub.c:4161 [inline]
__kmalloc_node_track_caller_noprof+0x355/0x430 mm/slub.c:4181
kmalloc_reserve+0xef/0x2c0 net/core/skbuff.c:605
__alloc_skb+0x164/0x380 net/core/skbuff.c:674
skb_copy+0x17a/0x340 net/core/skbuff.c:2143
mac80211_hwsim_tx_frame_no_nl.isra.0+0xb7f/0x12f0 drivers/net/wireless/virtual/mac80211_hwsim.c:1866
mac80211_hwsim_tx+0x7a2/0x25d0 drivers/net/wireless/virtual/mac80211_hwsim.c:2084
drv_tx net/mac80211/driver-ops.h:37 [inline]
wake_tx_push_queue net/mac80211/util.c:298 [inline]
ieee80211_handle_wake_tx_queue+0x18d/0x260 net/mac80211/util.c:315
drv_wake_tx_queue net/mac80211/driver-ops.h:1362 [inline]
schedule_and_wake_txq net/mac80211/driver-ops.h:1369 [inline]
ieee80211_queue_skb+0x12b8/0x2010 net/mac80211/tx.c:1664
__ieee80211_xmit_fast+0x69d/0x2ba0 net/mac80211/tx.c:3732
page last free pid 11007 tgid 11004 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1101 [inline]
free_unref_page+0x64a/0xe40 mm/page_alloc.c:2619
__put_partials+0x14c/0x170 mm/slub.c:3055
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3992 [inline]
slab_alloc_node mm/slub.c:4041 [inline]
kmem_cache_alloc_node_noprof+0x153/0x310 mm/slub.c:4084
kmalloc_reserve+0x18b/0x2c0 net/core/skbuff.c:583
__alloc_skb+0x164/0x380 net/core/skbuff.c:674
alloc_skb include/linux/skbuff.h:1320 [inline]
sock_wmalloc+0xd4/0x120 net/core/sock.c:2664
l2tp_ip_sendmsg+0x1ae/0x14e0 net/l2tp/l2tp_ip.c:439
inet_sendmsg+0x11c/0x140 net/ipv4/af_inet.c:853
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x992/0xc90 net/socket.c:2597
___sys_sendmsg+0x135/0x1e0 net/socket.c:2651
__sys_sendmmsg+0x1a1/0x450 net/socket.c:2737
__do_sys_sendmmsg net/socket.c:2766 [inline]
__se_sys_sendmmsg net/socket.c:2763 [inline]
__x64_sys_sendmmsg+0x9c/0x100 net/socket.c:2763
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
Memory state around the buggy address:
ffff888060453700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888060453780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888060453800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888060453880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888060453900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: slab-use-after-free in l2cap_build_cmd net/bluetooth/l2cap_core.c:2964 [inline]
BUG: KASAN: slab-use-after-free in l2cap_send_cmd+0x7c7/0x920 net/bluetooth/l2cap_core.c:954
Read of size 1 at addr ffff888029d678fb by task kworker/u9:0/20749
CPU: 1 UID: 0 PID: 20749 Comm: kworker/u9:0 Tainted: G B 6.11.0-rc6-syzkaller-00308-gb31c44928842 #0
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci6 hci_rx_work
Call Trace:
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
l2cap_build_cmd net/bluetooth/l2cap_core.c:2964 [inline]
l2cap_send_cmd+0x7c7/0x920 net/bluetooth/l2cap_core.c:954
l2cap_sig_send_rej net/bluetooth/l2cap_core.c:5510 [inline]
l2cap_sig_channel net/bluetooth/l2cap_core.c:5546 [inline]
l2cap_recv_frame+0x2360/0x8eb0 net/bluetooth/l2cap_core.c:6825
l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514
hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline]
hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028
process_one_work+0x9c8/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Allocated by task 20749:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:312 [inline]
__kasan_slab_alloc+0x89/0x90 mm/kasan/common.c:338
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3992 [inline]
slab_alloc_node mm/slub.c:4041 [inline]
kmem_cache_alloc_node_noprof+0x153/0x310 mm/slub.c:4084
__alloc_skb+0x2b1/0x380 net/core/skbuff.c:664
__netdev_alloc_skb+0x76/0x900 net/core/skbuff.c:738
netdev_alloc_skb include/linux/skbuff.h:3348 [inline]
dev_alloc_skb include/linux/skbuff.h:3361 [inline]
hsr_init_skb+0x11c/0x520 net/hsr/hsr_device.c:261
send_hsr_supervision_frame+0xbe/0x9f0 net/hsr/hsr_device.c:306
hsr_announce+0x16a/0x3e0 net/hsr/hsr_device.c:408
call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792
expire_timers kernel/time/timer.c:1843 [inline]
__run_timers+0x74b/0xaf0 kernel/time/timer.c:2417
__run_timer_base kernel/time/timer.c:2428 [inline]
__run_timer_base kernel/time/timer.c:2421 [inline]
run_timer_base+0x111/0x190 kernel/time/timer.c:2437
run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2447
handle_softirqs+0x219/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
Freed by task 20749:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
__kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2256 [inline]
slab_free mm/slub.c:4477 [inline]
kmem_cache_free+0x12f/0x3a0 mm/slub.c:4552
kfree_skbmem+0x1a4/0x1f0 net/core/skbuff.c:1146
__kfree_skb net/core/skbuff.c:1203 [inline]
sk_skb_reason_drop+0x140/0x200 net/core/skbuff.c:1240
kfree_skb_reason include/linux/skbuff.h:1260 [inline]
kfree_skb include/linux/skbuff.h:1269 [inline]
hsr_forward_skb+0x1446/0x25d0 net/hsr/hsr_forward.c:729
send_hsr_supervision_frame+0x4bb/0x9f0 net/hsr/hsr_device.c:351
hsr_announce+0x16a/0x3e0 net/hsr/hsr_device.c:408
call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792
expire_timers kernel/time/timer.c:1843 [inline]
__run_timers+0x74b/0xaf0 kernel/time/timer.c:2417
__run_timer_base kernel/time/timer.c:2428 [inline]
__run_timer_base kernel/time/timer.c:2421 [inline]
run_timer_base+0x111/0x190 kernel/time/timer.c:2437
run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2447
handle_softirqs+0x219/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
The buggy address belongs to the object at ffff888029d678c0
which belongs to the cache skbuff_head_cache of size 240
The buggy address is located 59 bytes inside of
freed 240-byte region [ffff888029d678c0, ffff888029d679b0)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x29d67
ksm flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xfdffffff(slab)
raw: 00fff00000000000 ffff88801e6e6780 ffffea00012aac40 0000000000000003
raw: 0000000000000000 00000000000c000c 00000001fdffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x152820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 938, tgid 938 (kworker/1:2), ts 3476803666671, free_ts 3383737363998
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1500
prep_new_page mm/page_alloc.c:1508 [inline]
get_page_from_freelist+0x1351/0x2e50 mm/page_alloc.c:3446
__alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4702
__alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
alloc_slab_page+0x4e/0xf0 mm/slub.c:2325
allocate_slab mm/slub.c:2488 [inline]
new_slab+0x84/0x260 mm/slub.c:2541
___slab_alloc+0xdac/0x1870 mm/slub.c:3727
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3817
__slab_alloc_node mm/slub.c:3870 [inline]
slab_alloc_node mm/slub.c:4029 [inline]
kmem_cache_alloc_node_noprof+0xed/0x310 mm/slub.c:4084
__alloc_skb+0x2b1/0x380 net/core/skbuff.c:664
alloc_skb include/linux/skbuff.h:1320 [inline]
nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:748 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:805 [inline]
nsim_dev_trap_report_work+0x2a4/0xc80 drivers/net/netdevsim/dev.c:850
process_one_work+0x9c8/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
page last free pid 23145 tgid 23145 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1101 [inline]
free_unref_page+0x64a/0xe40 mm/page_alloc.c:2619
vfree+0x181/0x7a0 mm/vmalloc.c:3367
kcov_put kernel/kcov.c:438 [inline]
kcov_put+0x2a/0x40 kernel/kcov.c:434
kcov_close+0x10/0x20 kernel/kcov.c:534
__fput+0x40b/0xbb0 fs/file_table.c:422
task_work_run+0x151/0x250 kernel/task_work.c:228
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xaa3/0x2bb0 kernel/exit.c:882
do_group_exit+0xd3/0x2a0 kernel/exit.c:1031
get_signal+0x25fb/0x2770 kernel/signal.c:2917
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff888029d67780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888029d67800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
>ffff888029d67880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
^
ffff888029d67900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888029d67980: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: slab-use-after-free in l2cap_send_cmd+0x90a/0x920 net/bluetooth/l2cap_core.c:964
Read of size 8 at addr ffff888060453800 by task kworker/u9:0/20749
CPU: 1 UID: 0 PID: 20749 Comm: kworker/u9:0 Tainted: G B 6.11.0-rc6-syzkaller-00308-gb31c44928842 #0
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci6 hci_rx_work
Call Trace:
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
l2cap_send_cmd+0x90a/0x920 net/bluetooth/l2cap_core.c:964
l2cap_sig_send_rej net/bluetooth/l2cap_core.c:5510 [inline]
l2cap_sig_channel net/bluetooth/l2cap_core.c:5546 [inline]
l2cap_recv_frame+0x2360/0x8eb0 net/bluetooth/l2cap_core.c:6825
l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514
hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline]
hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028
process_one_work+0x9c8/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Allocated by task 22788:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:387
kmalloc_noprof include/linux/slab.h:681 [inline]
kzalloc_noprof include/linux/slab.h:807 [inline]
l2cap_conn_add.part.0+0x60/0xa60 net/bluetooth/l2cap_core.c:6868
l2cap_conn_add net/bluetooth/l2cap_core.c:69 [inline]
l2cap_connect_cfm+0x428/0xf80 net/bluetooth/l2cap_core.c:7245
hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
hci_remote_features_evt+0x54b/0x9e0 net/bluetooth/hci_event.c:3721
hci_event_func net/bluetooth/hci_event.c:7446 [inline]
hci_event_packet+0x9ee/0x1180 net/bluetooth/hci_event.c:7498
hci_rx_work+0x2c6/0x1610 net/bluetooth/hci_core.c:4023
process_one_work+0x9c8/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Freed by task 22788:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
__kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2256 [inline]
slab_free mm/slub.c:4477 [inline]
kfree+0x12a/0x3b0 mm/slub.c:4598
l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline]
kref_put include/linux/kref.h:65 [inline]
l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline]
l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802
l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241
hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
hci_conn_failed+0x1c6/0x370 net/bluetooth/hci_conn.c:1265
hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583
abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917
hci_cmd_sync_work+0x1a7/0x410 net/bluetooth/hci_sync.c:328
process_one_work+0x9c8/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Last potentially related work creation:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
__kasan_record_aux_stack+0xba/0xd0 mm/kasan/generic.c:541
insert_work+0x36/0x230 kernel/workqueue.c:2185
__queue_work+0x97e/0x1070 kernel/workqueue.c:2341
call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792
expire_timers kernel/time/timer.c:1838 [inline]
__run_timers+0x567/0xaf0 kernel/time/timer.c:2417
__run_timer_base kernel/time/timer.c:2428 [inline]
__run_timer_base kernel/time/timer.c:2421 [inline]
run_timer_base+0x111/0x190 kernel/time/timer.c:2437
run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2447
handle_softirqs+0x219/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
Second to last potentially related work creation:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
__kasan_record_aux_stack+0xba/0xd0 mm/kasan/generic.c:541
insert_work+0x36/0x230 kernel/workqueue.c:2185
__queue_work+0x3f8/0x1070 kernel/workqueue.c:2345
queue_work_on+0x11a/0x140 kernel/workqueue.c:2392
queue_work include/linux/workqueue.h:621 [inline]
l2cap_conn_ready net/bluetooth/l2cap_core.c:1640 [inline]
l2cap_connect_cfm+0x9c9/0xf80 net/bluetooth/l2cap_core.c:7286
hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
hci_remote_features_evt+0x54b/0x9e0 net/bluetooth/hci_event.c:3721
hci_event_func net/bluetooth/hci_event.c:7446 [inline]
hci_event_packet+0x9ee/0x1180 net/bluetooth/hci_event.c:7498
hci_rx_work+0x2c6/0x1610 net/bluetooth/hci_core.c:4023
process_one_work+0x9c8/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
The buggy address belongs to the object at ffff888060453800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 0 bytes inside of
freed 1024-byte region [ffff888060453800, ffff888060453c00)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x60450
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xfdffffff(slab)
raw: 00fff00000000040 ffff88801ac41dc0 ffffea0001e32400 dead000000000002
raw: 0000000000000000 0000000000100010 00000001fdffffff 0000000000000000
head: 00fff00000000040 ffff88801ac41dc0 ffffea0001e32400 dead000000000002
head: 0000000000000000 0000000000100010 00000001fdffffff 0000000000000000
head: 00fff00000000003 ffffea0001811401 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 11007, tgid 11004 (syz.2.586), ts 1166299455698, free_ts 1166073021186
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1500
prep_new_page mm/page_alloc.c:1508 [inline]
get_page_from_freelist+0x1351/0x2e50 mm/page_alloc.c:3446
__alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4702
__alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
alloc_slab_page+0x4e/0xf0 mm/slub.c:2325
allocate_slab mm/slub.c:2488 [inline]
new_slab+0x84/0x260 mm/slub.c:2541
___slab_alloc+0xdac/0x1870 mm/slub.c:3727
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3817
__slab_alloc_node mm/slub.c:3870 [inline]
slab_alloc_node mm/slub.c:4029 [inline]
__do_kmalloc_node mm/slub.c:4161 [inline]
__kmalloc_node_track_caller_noprof+0x355/0x430 mm/slub.c:4181
kmalloc_reserve+0xef/0x2c0 net/core/skbuff.c:605
__alloc_skb+0x164/0x380 net/core/skbuff.c:674
skb_copy+0x17a/0x340 net/core/skbuff.c:2143
mac80211_hwsim_tx_frame_no_nl.isra.0+0xb7f/0x12f0 drivers/net/wireless/virtual/mac80211_hwsim.c:1866
mac80211_hwsim_tx+0x7a2/0x25d0 drivers/net/wireless/virtual/mac80211_hwsim.c:2084
drv_tx net/mac80211/driver-ops.h:37 [inline]
wake_tx_push_queue net/mac80211/util.c:298 [inline]
ieee80211_handle_wake_tx_queue+0x18d/0x260 net/mac80211/util.c:315
drv_wake_tx_queue net/mac80211/driver-ops.h:1362 [inline]
schedule_and_wake_txq net/mac80211/driver-ops.h:1369 [inline]
ieee80211_queue_skb+0x12b8/0x2010 net/mac80211/tx.c:1664
__ieee80211_xmit_fast+0x69d/0x2ba0 net/mac80211/tx.c:3732
page last free pid 11007 tgid 11004 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1101 [inline]
free_unref_page+0x64a/0xe40 mm/page_alloc.c:2619
__put_partials+0x14c/0x170 mm/slub.c:3055
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:322
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slub.c:3992 [inline]
slab_alloc_node mm/slub.c:4041 [inline]
kmem_cache_alloc_node_noprof+0x153/0x310 mm/slub.c:4084
kmalloc_reserve+0x18b/0x2c0 net/core/skbuff.c:583
__alloc_skb+0x164/0x380 net/core/skbuff.c:674
alloc_skb include/linux/skbuff.h:1320 [inline]
sock_wmalloc+0xd4/0x120 net/core/sock.c:2664
l2tp_ip_sendmsg+0x1ae/0x14e0 net/l2tp/l2tp_ip.c:439
inet_sendmsg+0x11c/0x140 net/ipv4/af_inet.c:853
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x992/0xc90 net/socket.c:2597
___sys_sendmsg+0x135/0x1e0 net/socket.c:2651
__sys_sendmmsg+0x1a1/0x450 net/socket.c:2737
__do_sys_sendmmsg net/socket.c:2766 [inline]
__se_sys_sendmmsg net/socket.c:2763 [inline]
__x64_sys_sendmmsg+0x9c/0x100 net/socket.c:2763
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
Memory state around the buggy address:
ffff888060453700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888060453780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888060453800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888060453880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888060453900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in l2cap_send_cmd+0x8b7/0x920 net/bluetooth/l2cap_core.c:964
Read of size 8 at addr ffff888029d688a0 by task kworker/u9:0/20749
CPU: 1 UID: 0 PID: 20749 Comm: kworker/u9:0 Tainted: G B 6.11.0-rc6-syzkaller-00308-gb31c44928842 #0
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci6 hci_rx_work
Call Trace:
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
l2cap_send_cmd+0x8b7/0x920 net/bluetooth/l2cap_core.c:964
l2cap_sig_send_rej net/bluetooth/l2cap_core.c:5510 [inline]
l2cap_sig_channel net/bluetooth/l2cap_core.c:5546 [inline]
l2cap_recv_frame+0x2360/0x8eb0 net/bluetooth/l2cap_core.c:6825
l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514
hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline]
hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028
process_one_work+0x9c8/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888029d68000 pfn:0x29d68
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xbfffffff(buddy)
raw: 00fff00000000000 ffffea0001693f08 ffffea0000a26108 0000000000000000
raw: ffff888029d68000 0000000000000002 00000000bfffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x540dc0(GFP_USER|__GFP_COMP|__GFP_ZERO|__GFP_ACCOUNT), pid 23627, tgid 23627 (syz-executor), ts 3369766185319, free_ts 3383420912839
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1500
prep_new_page mm/page_alloc.c:1508 [inline]
get_page_from_freelist+0x1351/0x2e50 mm/page_alloc.c:3446
__alloc_pages_noprof+0x22b/0x2460 mm/page_alloc.c:4702
alloc_pages_mpol_noprof+0x275/0x610 mm/mempolicy.c:2263
pagetable_alloc_noprof include/linux/mm.h:2872 [inline]
__pte_alloc_one_noprof include/asm-generic/pgalloc.h:70 [inline]
pte_alloc_one+0x20/0x370 arch/x86/mm/pgtable.c:33
do_fault_around mm/memory.c:5013 [inline]
do_read_fault mm/memory.c:5052 [inline]
do_fault mm/memory.c:5191 [inline]
do_pte_missing mm/memory.c:3947 [inline]
handle_pte_fault mm/memory.c:5521 [inline]
__handle_mm_fault+0x3be6/0x5660 mm/memory.c:5664
handle_mm_fault+0x498/0xa60 mm/memory.c:5832
do_user_addr_fault+0x60d/0x13f0 arch/x86/mm/fault.c:1338
handle_page_fault arch/x86/mm/fault.c:1481 [inline]
exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1539
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
page last free pid 23632 tgid 23627 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1101 [inline]
free_unref_folios+0x9e9/0x1390 mm/page_alloc.c:2667
folios_put_refs+0x560/0x760 mm/swap.c:1039
free_pages_and_swap_cache+0x45f/0x510 mm/swap_state.c:335
__tlb_batch_free_encoded_pages+0xf9/0x290 mm/mmu_gather.c:136
tlb_batch_pages_flush mm/mmu_gather.c:149 [inline]
tlb_flush_mmu_free mm/mmu_gather.c:366 [inline]
tlb_flush_mmu mm/mmu_gather.c:373 [inline]
tlb_finish_mmu+0x168/0x7b0 mm/mmu_gather.c:465
exit_mmap+0x3d1/0xb20 mm/mmap.c:3425
__mmput+0x12a/0x480 kernel/fork.c:1345
mmput+0x62/0x70 kernel/fork.c:1367
exit_mm kernel/exit.c:571 [inline]
do_exit+0x9bf/0x2bb0 kernel/exit.c:869
do_group_exit+0xd3/0x2a0 kernel/exit.c:1031
get_signal+0x25fb/0x2770 kernel/signal.c:2917
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff888029d68780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888029d68800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888029d68880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888029d68900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888029d68980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000064: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000320-0x0000000000000327]
CPU: 0 UID: 0 PID: 20749 Comm: kworker/u9:0 Tainted: G B 6.11.0-rc6-syzkaller-00308-gb31c44928842 #0
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci6 hci_rx_work
RIP: 0010:l2cap_send_cmd+0x5d0/0x920 net/bluetooth/l2cap_core.c:964
Code: 80 3c 02 00 0f 85 02 03 00 00 49 8b ac 24 e0 0f 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bd 22 03 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 ea 02 00 00
RSP: 0018:ffffc9000468f998 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: ffff88802f250780 RCX: ffffc900104c1000
RDX: 0000000000000064 RSI: ffffffff81e995ce RDI: 0000000000000322
RBP: 0000000000000000 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 3d3d3d3d3d3d3d3d R12: ffff888029d678c0
R13: ffff88806556ee48 R14: ffffc9000468fae8 R15: ffff888060453800
FS: 0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c31a605 CR3: 000000000db7c000 CR4: 0000000000350ef0
Call Trace:
l2cap_sig_send_rej net/bluetooth/l2cap_core.c:5510 [inline]
l2cap_sig_channel net/bluetooth/l2cap_core.c:5546 [inline]
l2cap_recv_frame+0x2360/0x8eb0 net/bluetooth/l2cap_core.c:6825
l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514
hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline]
hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028
process_one_work+0x9c8/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:l2cap_send_cmd+0x5d0/0x920 net/bluetooth/l2cap_core.c:964
Code: 80 3c 02 00 0f 85 02 03 00 00 49 8b ac 24 e0 0f 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bd 22 03 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 ea 02 00 00
RSP: 0018:ffffc9000468f998 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: ffff88802f250780 RCX: ffffc900104c1000
RDX: 0000000000000064 RSI: ffffffff81e995ce RDI: 0000000000000322
RBP: 0000000000000000 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 3d3d3d3d3d3d3d3d R12: ffff888029d678c0
R13: ffff88806556ee48 R14: ffffc9000468fae8 R15: ffff888060453800
FS: 0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f97258fbab8 CR3: 000000005e9c8000 CR4: 0000000000350ef0
----------------
Code disassembly (best guess):
0: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
4: 0f 85 02 03 00 00 jne 0x30c
a: 49 8b ac 24 e0 0f 00 mov 0xfe0(%r12),%rbp
11: 00
12: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
19: fc ff df
1c: 48 8d bd 22 03 00 00 lea 0x322(%rbp),%rdi
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax <-- trapping instruction
2e: 48 89 fa mov %rdi,%rdx
31: 83 e2 07 and $0x7,%edx
34: 38 d0 cmp %dl,%al
36: 7f 08 jg 0x40
38: 84 c0 test %al,%al
3a: 0f 85 ea 02 00 00 jne 0x32a