================================================================== BUG: KASAN: slab-use-after-free in __mutex_waiter_is_first kernel/locking/mutex.c:197 [inline] BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:681 [inline] BUG: KASAN: slab-use-after-free in __mutex_lock+0x6cb/0xcc0 kernel/locking/mutex.c:747 Read of size 8 at addr ffff88807c9d40a0 by task khidpd_16bf5505/17840 CPU: 0 PID: 17840 Comm: khidpd_16bf5505 Not tainted syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/14/2025 Call Trace: dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0xac/0x220 mm/kasan/report.c:468 kasan_report+0x117/0x150 mm/kasan/report.c:581 __mutex_waiter_is_first kernel/locking/mutex.c:197 [inline] __mutex_lock_common kernel/locking/mutex.c:681 [inline] __mutex_lock+0x6cb/0xcc0 kernel/locking/mutex.c:747 l2cap_unregister_user+0x6a/0x1a0 net/bluetooth/l2cap_core.c:1728 hidp_session_thread+0x3c8/0x410 net/bluetooth/hidp/core.c:1304 kthread+0x2fa/0x390 kernel/kthread.c:388 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293 Allocated by task 17662: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4e/0x70 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:374 [inline] __kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:383 kasan_kmalloc include/linux/kasan.h:198 [inline] __do_kmalloc_node mm/slab_common.c:1007 [inline] __kmalloc+0xb4/0x240 mm/slab_common.c:1020 kmalloc include/linux/slab.h:604 [inline] kzalloc include/linux/slab.h:721 [inline] hci_alloc_dev_priv+0x28/0x2040 net/bluetooth/hci_core.c:2441 hci_alloc_dev include/net/bluetooth/hci_core.h:1629 [inline] __vhci_create_device drivers/bluetooth/hci_vhci.c:399 [inline] vhci_create_device+0x11b/0x6e0 drivers/bluetooth/hci_vhci.c:472 vhci_get_user drivers/bluetooth/hci_vhci.c:529 [inline] vhci_write+0x3b5/0x470 drivers/bluetooth/hci_vhci.c:609 call_write_iter include/linux/fs.h:2018 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x43b/0x940 fs/read_write.c:584 ksys_write+0x147/0x250 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Freed by task 20673: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4e/0x70 mm/kasan/common.c:52 kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:522 ____kasan_slab_free+0x126/0x1e0 mm/kasan/common.c:236 kasan_slab_free include/linux/kasan.h:164 [inline] slab_free_hook mm/slub.c:1806 [inline] slab_free_freelist_hook+0x130/0x1b0 mm/slub.c:1832 slab_free mm/slub.c:3816 [inline] __kmem_cache_free+0xba/0x1f0 mm/slub.c:3829 bt_host_release+0x82/0x90 net/bluetooth/hci_sysfs.c:87 device_release+0x96/0x1c0 drivers/base/core.c:-1 kobject_cleanup lib/kobject.c:689 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x221/0x470 lib/kobject.c:737 vhci_release+0x8b/0xd0 drivers/bluetooth/hci_vhci.c:667 __fput+0x234/0x970 fs/file_table.c:384 task_work_run+0x1ce/0x250 kernel/task_work.c:239 exit_task_work include/linux/task_work.h:43 [inline] do_exit+0x90b/0x23c0 kernel/exit.c:883 do_group_exit+0x21b/0x2d0 kernel/exit.c:1024 get_signal+0x12fc/0x1400 kernel/signal.c:2902 arch_do_signal_or_restart+0x96/0x780 arch/x86/kernel/signal.c:310 exit_to_user_mode_loop+0x70/0x110 kernel/entry/common.c:174 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:210 irqentry_exit_to_user_mode+0x9/0x40 kernel/entry/common.c:315 exc_page_fault+0x8f/0x110 arch/x86/mm/fault.c:1524 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:608 Last potentially related work creation: kasan_save_stack+0x3e/0x60 mm/kasan/common.c:45 __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:492 insert_work+0x3d/0x310 kernel/workqueue.c:1651 __queue_work+0xc39/0x1020 kernel/workqueue.c:1800 queue_work_on+0x121/0x1e0 kernel/workqueue.c:1835 l2cap_chan_send+0x3a3/0x2580 net/bluetooth/l2cap_core.c:-1 l2cap_sock_sendmsg+0x1ae/0x2c0 net/bluetooth/l2cap_sock.c:1127 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] sock_sendmsg+0x225/0x370 net/socket.c:768 hidp_send_frame net/bluetooth/hidp/core.c:627 [inline] hidp_process_transmit+0x190/0x380 net/bluetooth/hidp/core.c:641 hidp_session_run+0x138b/0x1490 net/bluetooth/hidp/core.c:1234 hidp_session_thread+0x28d/0x410 net/bluetooth/hidp/core.c:1288 kthread+0x2fa/0x390 kernel/kthread.c:388 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293 Second to last potentially related work creation: kasan_save_stack+0x3e/0x60 mm/kasan/common.c:45 __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:492 insert_work+0x3d/0x310 kernel/workqueue.c:1651 __queue_work+0xc39/0x1020 kernel/workqueue.c:1800 queue_work_on+0x121/0x1e0 kernel/workqueue.c:1835 l2cap_chan_send+0x3a3/0x2580 net/bluetooth/l2cap_core.c:-1 l2cap_sock_sendmsg+0x1ae/0x2c0 net/bluetooth/l2cap_sock.c:1127 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg net/socket.c:745 [inline] sock_sendmsg+0x225/0x370 net/socket.c:768 hidp_send_frame net/bluetooth/hidp/core.c:627 [inline] hidp_process_transmit+0x190/0x380 net/bluetooth/hidp/core.c:641 hidp_session_run+0x138b/0x1490 net/bluetooth/hidp/core.c:1234 hidp_session_thread+0x28d/0x410 net/bluetooth/hidp/core.c:1288 kthread+0x2fa/0x390 kernel/kthread.c:388 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293 The buggy address belongs to the object at ffff88807c9d4000 which belongs to the cache kmalloc-8k of size 8192 The buggy address is located 160 bytes inside of freed 8192-byte region [ffff88807c9d4000, ffff88807c9d6000) The buggy address belongs to the physical page: page:ffffea0001f27400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7c9d0 head:ffffea0001f27400 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 anon flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 00fff00000000840 ffff888017842280 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000020002 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 15913, tgid 15912 (syz.2.3621), ts 689430848679, free_ts 668912898693 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x1cd/0x210 mm/page_alloc.c:1554 prep_new_page mm/page_alloc.c:1561 [inline] get_page_from_freelist+0x195c/0x19f0 mm/page_alloc.c:3191 __alloc_pages+0x1e3/0x460 mm/page_alloc.c:4457 alloc_slab_page+0x5d/0x170 mm/slub.c:1876 allocate_slab mm/slub.c:2023 [inline] new_slab+0x87/0x2e0 mm/slub.c:2076 ___slab_alloc+0xc6d/0x12f0 mm/slub.c:3230 __slab_alloc mm/slub.c:3329 [inline] __slab_alloc_node mm/slub.c:3382 [inline] slab_alloc_node mm/slub.c:3475 [inline] __kmem_cache_alloc_node+0x1a2/0x260 mm/slub.c:3524 __do_kmalloc_node mm/slab_common.c:1006 [inline] __kmalloc_node_track_caller+0xa2/0x230 mm/slab_common.c:1027 kmalloc_reserve+0x117/0x260 net/core/skbuff.c:581 pskb_expand_head+0x185/0x1230 net/core/skbuff.c:2099 __skb_cow include/linux/skbuff.h:3649 [inline] skb_cow_head include/linux/skbuff.h:3683 [inline] ip_tunnel_xmit+0x1a9c/0x2360 net/ipv4/ip_tunnel.c:849 __gre_xmit net/ipv4/ip_gre.c:478 [inline] ipgre_xmit+0x7a6/0xb20 net/ipv4/ip_gre.c:674 __netdev_start_xmit include/linux/netdevice.h:4943 [inline] netdev_start_xmit include/linux/netdevice.h:4957 [inline] xmit_one net/core/dev.c:3619 [inline] dev_hard_start_xmit+0x246/0x740 net/core/dev.c:3635 __dev_queue_xmit+0x1a64/0x35a0 net/core/dev.c:4425 dev_queue_xmit include/linux/netdevice.h:3113 [inline] __bpf_tx_skb+0x189/0x250 net/core/filter.c:2145 ____bpf_clone_redirect net/core/filter.c:2471 [inline] bpf_clone_redirect+0x270/0x3d0 net/core/filter.c:2441 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1154 [inline] free_unref_page_prepare+0x7ce/0x8e0 mm/page_alloc.c:2336 free_unref_page+0x32/0x2e0 mm/page_alloc.c:2429 discard_slab mm/slub.c:2122 [inline] __unfreeze_partials+0x1cf/0x210 mm/slub.c:2662 put_cpu_partial+0x17c/0x250 mm/slub.c:2738 __slab_free+0x31d/0x410 mm/slub.c:3686 qlink_free mm/kasan/quarantine.c:166 [inline] qlist_free_all+0x75/0xe0 mm/kasan/quarantine.c:185 kasan_quarantine_reduce+0x143/0x160 mm/kasan/quarantine.c:292 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:305 kasan_slab_alloc include/linux/kasan.h:188 [inline] slab_post_alloc_hook+0x6e/0x4d0 mm/slab.h:767 slab_alloc_node mm/slub.c:3485 [inline] __kmem_cache_alloc_node+0x13e/0x260 mm/slub.c:3524 kmalloc_trace+0x2a/0xe0 mm/slab_common.c:1098 kmalloc include/linux/slab.h:600 [inline] usb_control_msg+0x74/0x3e0 drivers/usb/core/message.c:144 get_bMaxPacketSize0 drivers/usb/core/hub.c:4813 [inline] hub_port_init+0xbf3/0x2760 drivers/usb/core/hub.c:5009 hub_port_connect drivers/usb/core/hub.c:5458 [inline] hub_port_connect_change drivers/usb/core/hub.c:5669 [inline] port_event drivers/usb/core/hub.c:5833 [inline] hub_event+0x251d/0x49c0 drivers/usb/core/hub.c:5915 process_one_work kernel/workqueue.c:2634 [inline] process_scheduled_works+0xa45/0x15b0 kernel/workqueue.c:2711 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792 Memory state around the buggy address: ffff88807c9d3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88807c9d4000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88807c9d4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88807c9d4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807c9d4180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================