Bluetooth: hci3: hardware error 0x00 ================================================================== BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline] BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline] BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:193 [inline] BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:250 [inline] BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:267 [inline] BUG: KASAN: slab-use-after-free in sock_hold include/net/sock.h:777 [inline] BUG: KASAN: slab-use-after-free in sco_conn_del+0xb9/0x2d0 net/bluetooth/sco.c:193 Write of size 4 at addr ffff88802c8fb080 by task kworker/u5:3/15715 CPU: 0 PID: 15715 Comm: kworker/u5:3 Not tainted 6.5.0-rc1-syzkaller-00201-g2772d7df3c93 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023 Workqueue: hci3 hci_error_reset Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0xc4/0x620 mm/kasan/report.c:475 kasan_report+0xda/0x110 mm/kasan/report.c:588 check_region_inline mm/kasan/generic.c:181 [inline] kasan_check_range+0xef/0x190 mm/kasan/generic.c:187 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline] __refcount_add include/linux/refcount.h:193 [inline] __refcount_inc include/linux/refcount.h:250 [inline] refcount_inc include/linux/refcount.h:267 [inline] sock_hold include/net/sock.h:777 [inline] sco_conn_del+0xb9/0x2d0 net/bluetooth/sco.c:193 sco_disconn_cfm+0x76/0xb0 net/bluetooth/sco.c:1392 hci_disconn_cfm include/net/bluetooth/hci_core.h:1836 [inline] hci_conn_hash_flush+0x114/0x230 net/bluetooth/hci_conn.c:2517 hci_dev_close_sync+0x643/0x11d0 net/bluetooth/hci_sync.c:4944 hci_dev_do_close+0x2e/0x70 net/bluetooth/hci_core.c:554 hci_error_reset+0xa2/0x140 net/bluetooth/hci_core.c:1059 process_one_work+0xaa2/0x16f0 kernel/workqueue.c:2597 worker_thread+0x687/0x1110 kernel/workqueue.c:2748 kthread+0x33a/0x430 kernel/kthread.c:389 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 Allocated by task 21899: kasan_save_stack+0x33/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:374 [inline] __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:383 kmalloc include/linux/slab.h:582 [inline] kzalloc include/linux/slab.h:703 [inline] __check_func_call+0x3b1/0x16f0 kernel/bpf/verifier.c:8758 check_func_call kernel/bpf/verifier.c:8858 [inline] do_check kernel/bpf/verifier.c:16400 [inline] do_check_common+0x80c7/0xd2a0 kernel/bpf/verifier.c:18799 do_check_main kernel/bpf/verifier.c:18862 [inline] bpf_check+0x84b8/0xb160 kernel/bpf/verifier.c:19486 bpf_prog_load+0x153a/0x2260 kernel/bpf/syscall.c:2707 __sys_bpf+0xb8a/0x4e10 kernel/bpf/syscall.c:5137 __do_sys_bpf kernel/bpf/syscall.c:5241 [inline] __se_sys_bpf kernel/bpf/syscall.c:5239 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5239 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 21899: kasan_save_stack+0x33/0x50 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 kasan_save_free_info+0x28/0x40 mm/kasan/generic.c:522 ____kasan_slab_free mm/kasan/common.c:236 [inline] ____kasan_slab_free+0x13f/0x190 mm/kasan/common.c:200 kasan_slab_free include/linux/kasan.h:162 [inline] __cache_free mm/slab.c:3370 [inline] __do_kmem_cache_free mm/slab.c:3557 [inline] __kmem_cache_free+0xcc/0x2d0 mm/slab.c:3564 free_func_state kernel/bpf/verifier.c:1697 [inline] free_func_state kernel/bpf/verifier.c:1691 [inline] prepare_func_exit kernel/bpf/verifier.c:9109 [inline] do_check kernel/bpf/verifier.c:16455 [inline] do_check_common+0x895c/0xd2a0 kernel/bpf/verifier.c:18799 do_check_main kernel/bpf/verifier.c:18862 [inline] bpf_check+0x84b8/0xb160 kernel/bpf/verifier.c:19486 bpf_prog_load+0x153a/0x2260 kernel/bpf/syscall.c:2707 __sys_bpf+0xb8a/0x4e10 kernel/bpf/syscall.c:5137 __do_sys_bpf kernel/bpf/syscall.c:5241 [inline] __se_sys_bpf kernel/bpf/syscall.c:5239 [inline] __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:5239 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Last potentially related work creation: kasan_save_stack+0x33/0x50 mm/kasan/common.c:45 __kasan_record_aux_stack+0x78/0x80 mm/kasan/generic.c:492 insert_work+0x4a/0x330 kernel/workqueue.c:1553 __queue_work+0x5f5/0x1040 kernel/workqueue.c:1714 queue_work_on+0xed/0x110 kernel/workqueue.c:1744 queue_work include/linux/workqueue.h:506 [inline] rpm_suspend+0x121d/0x16f0 drivers/base/power/runtime.c:660 rpm_idle+0x579/0x6f0 drivers/base/power/runtime.c:534 __pm_runtime_idle+0xbe/0x160 drivers/base/power/runtime.c:1102 pm_runtime_put include/linux/pm_runtime.h:462 [inline] hub_configure drivers/usb/core/hub.c:1673 [inline] hub_probe+0x1f38/0x3050 drivers/usb/core/hub.c:1899 usb_probe_interface+0x307/0x930 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x234/0xc90 drivers/base/dd.c:658 __driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:798 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:828 __device_attach_driver+0x1d4/0x300 drivers/base/dd.c:956 bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1028 proc_ioctl+0x585/0x6a0 drivers/usb/core/devio.c:2365 proc_ioctl_default drivers/usb/core/devio.c:2400 [inline] usbdev_do_ioctl drivers/usb/core/devio.c:2756 [inline] usbdev_ioctl+0x16fe/0x3eb0 drivers/usb/core/devio.c:2816 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl fs/ioctl.c:856 [inline] __x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd The buggy address belongs to the object at ffff88802c8fb000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 128 bytes inside of freed 2048-byte region [ffff88802c8fb000, ffff88802c8fb800) The buggy address belongs to the physical page: page:ffffea0000b23ec0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2c8fb flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) page_type: 0x1() raw: 00fff00000000200 ffff888012840800 ffffea0000f883d0 ffffea0001cbaa50 raw: 0000000000000000 ffff88802c8fb000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x3d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL|__GFP_THISNODE), pid 20602, tgid 20592 (syz-executor.1), ts 1742521189853, free_ts 1742494225395 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x2d2/0x350 mm/page_alloc.c:1570 prep_new_page mm/page_alloc.c:1577 [inline] get_page_from_freelist+0x10a9/0x31e0 mm/page_alloc.c:3221 __alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4477 __alloc_pages_node include/linux/gfp.h:237 [inline] kmem_getpages mm/slab.c:1356 [inline] cache_grow_begin+0x99/0x3a0 mm/slab.c:2550 cache_alloc_refill+0x294/0x3a0 mm/slab.c:2923 ____cache_alloc mm/slab.c:2999 [inline] ____cache_alloc mm/slab.c:2982 [inline] __do_cache_alloc mm/slab.c:3182 [inline] slab_alloc_node mm/slab.c:3230 [inline] __kmem_cache_alloc_node+0x3c9/0x470 mm/slab.c:3521 __do_kmalloc_node mm/slab_common.c:984 [inline] __kmalloc_node_track_caller+0x4d/0x100 mm/slab_common.c:1005 kmalloc_reserve+0xef/0x270 net/core/skbuff.c:575 pskb_expand_head+0x236/0x1170 net/core/skbuff.c:2042 netlink_trim+0x1eb/0x240 net/netlink/af_netlink.c:1321 netlink_broadcast+0xb5/0xea0 net/netlink/af_netlink.c:1517 nlmsg_multicast include/net/netlink.h:1083 [inline] nlmsg_notify+0x99/0x210 net/netlink/af_netlink.c:2592 qdisc_notify.isra.0+0x1cd/0x330 net/sched/sch_api.c:1030 notify_and_destroy net/sched/sch_api.c:1044 [inline] qdisc_graft+0xd0e/0x1680 net/sched/sch_api.c:1144 tc_modify_qdisc+0xcd2/0x1bf0 net/sched/sch_api.c:1731 rtnetlink_rcv_msg+0x439/0xd30 net/core/rtnetlink.c:6424 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1161 [inline] free_unref_page_prepare+0x508/0xb90 mm/page_alloc.c:2348 free_unref_page_list+0xe6/0xb30 mm/page_alloc.c:2489 release_pages+0x32a/0x14e0 mm/swap.c:1042 __folio_batch_release+0x77/0xe0 mm/swap.c:1062 folio_batch_release include/linux/pagevec.h:83 [inline] truncate_inode_pages_range+0x33e/0xfb0 mm/truncate.c:372 kill_bdev block/bdev.c:76 [inline] blkdev_flush_mapping+0x156/0x320 block/bdev.c:647 blkdev_put_whole+0xb9/0xe0 block/bdev.c:678 blkdev_put+0x40f/0x8e0 block/bdev.c:915 deactivate_locked_super+0x9a/0x170 fs/super.c:330 deactivate_super+0xde/0x100 fs/super.c:361 cleanup_mnt+0x222/0x3d0 fs/namespace.c:1254 task_work_run+0x14d/0x240 kernel/task_work.c:179 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x210/0x240 kernel/entry/common.c:204 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline] syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:297 do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x63/0xcd Memory state around the buggy address: ffff88802c8faf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88802c8fb000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88802c8fb080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88802c8fb100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802c8fb180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================