=========================
WARNING: held lock freed!
6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0 Not tainted
-------------------------
kworker/u5:2/3073 is freeing memory ffff0000fbb35000-ffff0000fbb357ff, with a lock still held there!
ffff0000fbb35520 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_chan_lock include/net/bluetooth/l2cap.h:855 [inline]
ffff0000fbb35520 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_conn_del+0x1a4/0x38c net/bluetooth/l2cap_core.c:1920
7 locks held by kworker/u5:2/3073:
 #0: ffff0000c7cabd38 ((wq_completion)hci4){+.+.}-{0:0}, at: process_one_work+0x270/0x504 kernel/workqueue.c:2262
 #1: ffff800012c83d80 ((work_completion)(&hdev->error_reset)){+.+.}-{0:0}, at: process_one_work+0x29c/0x504 kernel/workqueue.c:2264
 #2: ffff00010d6e2fd0 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close net/bluetooth/hci_core.c:552 [inline]
 #2: ffff00010d6e2fd0 (&hdev->req_lock){+.+.}-{3:3}, at: hci_error_reset+0xa4/0x154 net/bluetooth/hci_core.c:1050
 #3: ffff00010d6e2078 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_close_sync+0x200/0x9e0 net/bluetooth/hci_sync.c:4463
 #4: ffff80000d832b98 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:1776 [inline]
 #4: ffff80000d832b98 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0x64/0x148 net/bluetooth/hci_conn.c:2366
 #5: ffff0000c7cbb6d8 (&conn->chan_lock){+.+.}-{3:3}, at: l2cap_conn_del+0x130/0x38c net/bluetooth/l2cap_core.c:1915
 #6: ffff0000fbb35520 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_chan_lock include/net/bluetooth/l2cap.h:855 [inline]
 #6: ffff0000fbb35520 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_conn_del+0x1a4/0x38c net/bluetooth/l2cap_core.c:1920

stack backtrace:
CPU: 1 PID: 3073 Comm: kworker/u5:2 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
Workqueue: hci4 hci_error_reset
Call trace:
 dump_backtrace+0x1c4/0x1f0 arch/arm64/kernel/stacktrace.c:156
 show_stack+0x2c/0x54 arch/arm64/kernel/stacktrace.c:163
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x104/0x16c lib/dump_stack.c:106
 dump_stack+0x1c/0x58 lib/dump_stack.c:113
 print_freed_lock_bug kernel/locking/lockdep.c:6422 [inline]
 debug_check_no_locks_freed+0x184/0x19c kernel/locking/lockdep.c:6455
 slab_free_hook mm/slub.c:1731 [inline]
 slab_free_freelist_hook mm/slub.c:1785 [inline]
 slab_free mm/slub.c:3539 [inline]
 kfree+0x138/0x348 mm/slub.c:4567
 l2cap_chan_destroy net/bluetooth/l2cap_core.c:503 [inline]
 kref_put include/linux/kref.h:65 [inline]
 l2cap_chan_put+0xcc/0x160 net/bluetooth/l2cap_core.c:527
 a2mp_chan_close_cb+0x20/0x30 net/bluetooth/a2mp.c:713
 l2cap_conn_del+0x1c0/0x38c net/bluetooth/l2cap_core.c:1924
 l2cap_disconn_cfm+0x68/0xac net/bluetooth/l2cap_core.c:8212
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1779 [inline]
 hci_conn_hash_flush+0x88/0x148 net/bluetooth/hci_conn.c:2366
 hci_dev_close_sync+0x48c/0x9e0 net/bluetooth/hci_sync.c:4476
 hci_dev_do_close net/bluetooth/hci_core.c:554 [inline]
 hci_error_reset+0xac/0x154 net/bluetooth/hci_core.c:1050
 process_one_work+0x2d8/0x504 kernel/workqueue.c:2289
 worker_thread+0x340/0x610 kernel/workqueue.c:2436
 kthread+0x12c/0x158 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 3073 at lib/refcount.c:28 refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
Modules linked in:
CPU: 1 PID: 3073 Comm: kworker/u5:2 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
Workqueue: hci4 hci_error_reset
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
lr : refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
sp : ffff800012c83bb0
x29: ffff800012c83bb0 x28: ffff0000c7cbb660 x27: 0000000000000003
x26: ffff0000fbb354b8 x25: ffff0000fbb35000 x24: ffff0000fbb35488
x23: 0000000000000001 x22: ffff0000c7cbb670 x21: 0000000000000067
x20: 0000000000000003 x19: ffff80000d8c8000 x18: 00000000000000c0
x17: 6020737365636f72 x16: 0000000000000001 x15: 0000000000000000
x14: 0000000000000000 x13: 205d333730335420 x12: 5b5d383938393037
x11: ff808000081c0d5c x10: 0000000000000000 x9 : 15c5db896f369500
x8 : 15c5db896f369500 x7 : 205b5d3839383930 x6 : ffff80000819545c
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000100000000 x0 : 0000000000000026
Call trace:
 refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
 __refcount_sub_and_test include/linux/refcount.h:283 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 kref_put include/linux/kref.h:64 [inline]
 l2cap_chan_put+0xec/0x160 net/bluetooth/l2cap_core.c:527
 l2cap_conn_del+0x1d0/0x38c net/bluetooth/l2cap_core.c:1927
 l2cap_disconn_cfm+0x68/0xac net/bluetooth/l2cap_core.c:8212
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1779 [inline]
 hci_conn_hash_flush+0x88/0x148 net/bluetooth/hci_conn.c:2366
 hci_dev_close_sync+0x48c/0x9e0 net/bluetooth/hci_sync.c:4476
 hci_dev_do_close net/bluetooth/hci_core.c:554 [inline]
 hci_error_reset+0xac/0x154 net/bluetooth/hci_core.c:1050
 process_one_work+0x2d8/0x504 kernel/workqueue.c:2289
 worker_thread+0x340/0x610 kernel/workqueue.c:2436
 kthread+0x12c/0x158 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
irq event stamp: 95845
hardirqs last enabled at (95845): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last enabled at (95845): [] _raw_spin_unlock_irqrestore+0x48/0x8c kernel/locking/spinlock.c:194
hardirqs last disabled at (95844): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (95844): [] _raw_spin_lock_irqsave+0xa4/0xb4 kernel/locking/spinlock.c:162
softirqs last enabled at (86280): [] _stext+0x2e4/0x37c
softirqs last disabled at (86097): [] ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79
---[ end trace 0000000000000000 ]---
Bluetooth: hci4: Opcode 0x c03 failed: -110
Bluetooth: hci5: unexpected event 0x48 length: 15 > 3
Bluetooth: hci5: wrong event for mode 0
Bluetooth: hci5: unexpected event 0x48 length: 15 > 3
Bluetooth: hci5: wrong event for mode 0
Bluetooth: hci5: unexpected event 0x48 length: 15 > 3
Bluetooth: hci5: wrong event for mode 0
------------[ cut here ]------------
WARNING: CPU: 1 PID: 3073 at net/bluetooth/hci_conn.c:582 hci_conn_timeout+0x118/0x180 net/bluetooth/hci_conn.c:582
Modules linked in:
CPU: 1 PID: 3073 Comm: kworker/u5:2 Tainted: G W 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
Workqueue: hci5 hci_conn_timeout
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : hci_conn_timeout+0x118/0x180 net/bluetooth/hci_conn.c:582
lr : hci_conn_timeout+0x118/0x180 net/bluetooth/hci_conn.c:582
sp : ffff800012c83d50
x29: ffff800012c83d50 x28: ffff80000d28b000 x27: ffff0000c6d23605
x26: ffff000108cd3210 x25: 0000000000000005 x24: ffff0000c6d23605
x23: ffff00010d8f1250 x22: ffff0000c0f33000 x21: 0000000000000000
x20: 00000000ffffffff x19: ffff00010d8f1000 x18: 000000000000021c
x17: ffff80000bffd6bc x16: 0000000000000082 x15: 0000000000000001
x14: 0000000000000010 x13: 0000000000000010 x12: ffff0000c0dbcc10
x11: ff8080000b92c444 x10: 0000000000000000 x9 : ffff80000b92c444
x8 : ffff0000c68d3500 x7 : 2e2e2f2e2e2f2e2e x6 : ffff800008136cf4
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 00000000ffffffff x0 : 0000000000000000
Call trace:
 hci_conn_timeout+0x118/0x180 net/bluetooth/hci_conn.c:582
 process_one_work+0x2d8/0x504 kernel/workqueue.c:2289
 worker_thread+0x340/0x610 kernel/workqueue.c:2436
 kthread+0x12c/0x158 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
irq event stamp: 95845
hardirqs last enabled at (95845): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last enabled at (95845): [] _raw_spin_unlock_irqrestore+0x48/0x8c kernel/locking/spinlock.c:194
hardirqs last disabled at (95844): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (95844): [] _raw_spin_lock_irqsave+0xa4/0xb4 kernel/locking/spinlock.c:162
softirqs last enabled at (86280): [] _stext+0x2e4/0x37c
softirqs last disabled at (86097): [] ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79
---[ end trace 0000000000000000 ]---