================================================================== BUG: KFENCE: use-after-free read in sco_chan_del+0xd0/0x4b0 net/bluetooth/sco.c:174 Use-after-free read at 0xffff88823be6cf00 (in kfence-#53): sco_chan_del+0xd0/0x4b0 net/bluetooth/sco.c:174 __sco_sock_close+0xf2/0x640 net/bluetooth/sco.c:459 sco_sock_shutdown+0x1b0/0x350 net/bluetooth/sco.c:1225 __sys_shutdown_sock net/socket.c:2448 [inline] __sys_shutdown_sock net/socket.c:2442 [inline] __sys_shutdown+0x102/0x1c0 net/socket.c:2460 __do_sys_shutdown net/socket.c:2468 [inline] __se_sys_shutdown net/socket.c:2466 [inline] __x64_sys_shutdown+0x53/0x80 net/socket.c:2466 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f kfence-#53: 0xffff88823be6cf00-0xffff88823be6cfff, size=256, cache=kmalloc-256 allocated by task 12973 on cpu 0 at 1145.489360s (0.171321s ago): kmalloc_noprof include/linux/slab.h:878 [inline] kzalloc_noprof include/linux/slab.h:1014 [inline] sco_conn_add.part.0+0x43/0x2d0 net/bluetooth/sco.c:137 sco_conn_add net/bluetooth/sco.c:266 [inline] sco_connect net/bluetooth/sco.c:278 [inline] sco_sock_connect+0x6c9/0xb00 net/bluetooth/sco.c:596 __sys_connect_file+0x150/0x190 net/socket.c:2071 __sys_connect+0x147/0x180 net/socket.c:2088 __do_sys_connect net/socket.c:2098 [inline] __se_sys_connect net/socket.c:2095 [inline] __x64_sys_connect+0x72/0xb0 net/socket.c:2095 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f freed by task 12917 on cpu 0 at 1145.586088s (0.119850s ago): sco_conn_del+0x1d4/0x2a0 net/bluetooth/sco.c:214 sco_connect_cfm+0x257/0xc10 net/bluetooth/sco.c:1364 hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline] hci_conn_failed+0x1c6/0x340 net/bluetooth/hci_conn.c:1265 hci_conn_cleanup_child net/bluetooth/hci_conn.c:1075 [inline] hci_conn_unlink+0x727/0xa00 net/bluetooth/hci_conn.c:1102 hci_conn_del+0x61/0xdb0 net/bluetooth/hci_conn.c:1128 hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5586 hci_disconnect_all_sync.constprop.0+0x104/0x3c0 net/bluetooth/hci_sync.c:5609 hci_suspend_sync+0x772/0xab0 net/bluetooth/hci_sync.c:6086 hci_suspend_dev+0x2ac/0x480 net/bluetooth/hci_core.c:2826 hci_suspend_notifier+0x28d/0x2f0 net/bluetooth/hci_core.c:2412 notifier_call_chain+0xbc/0x410 kernel/notifier.c:93 notifier_call_chain_robust kernel/notifier.c:128 [inline] blocking_notifier_call_chain_robust kernel/notifier.c:353 [inline] blocking_notifier_call_chain_robust+0xc9/0x170 kernel/notifier.c:341 pm_notifier_call_chain_robust+0x27/0x60 kernel/power/main.c:102 snapshot_open+0x189/0x2b0 kernel/power/user.c:77 misc_open+0x35d/0x420 drivers/char/misc.c:165 chrdev_open+0x23a/0x6a0 fs/char_dev.c:414 do_dentry_open+0x6cd/0x1530 fs/open.c:958 vfs_open+0x82/0x3f0 fs/open.c:1088 do_open fs/namei.c:3774 [inline] path_openat+0x1e6a/0x2d60 fs/namei.c:3933 do_filp_open+0x1dc/0x430 fs/namei.c:3960 do_sys_openat2+0x17a/0x1e0 fs/open.c:1415 do_sys_open fs/open.c:1430 [inline] __do_sys_openat fs/open.c:1446 [inline] __se_sys_openat fs/open.c:1441 [inline] __x64_sys_openat+0x175/0x210 fs/open.c:1441 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 0 UID: 0 PID: 12972 Comm: syz.3.1199 Not tainted 6.12.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:sco_chan_del+0xd0/0x4b0 net/bluetooth/sco.c:174 Code: 05 00 00 00 00 00 00 4c 89 f7 e8 cb bf fe 00 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 88 03 00 00 <48> 8b 6d 00 48 85 ed 0f 84 11 01 00 00 e8 7e 66 69 f7 0f 1f 44 00 RSP: 0018:ffffc90003ecfdd0 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff88805c16e000 RCX: 0000000000000000 RDX: 1ffff110477cd9e0 RSI: 0000000000000004 RDI: 0000000000000001 RBP: ffff88823be6cf00 R08: 0000000000000000 R09: ffffed10477cd9e1 R10: ffff88823be6cf0b R11: 0000000000000019 R12: 0000000000000068 R13: ffff88805c16e5a0 R14: ffff88823be6cf08 R15: 0000000000000000 FS: 00007f20af9406c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff88823be6cf00 CR3: 0000000052446000 CR4: 0000000000350ef0 Call Trace: __sco_sock_close+0xf2/0x640 net/bluetooth/sco.c:459 sco_sock_shutdown+0x1b0/0x350 net/bluetooth/sco.c:1225 __sys_shutdown_sock net/socket.c:2448 [inline] __sys_shutdown_sock net/socket.c:2442 [inline] __sys_shutdown+0x102/0x1c0 net/socket.c:2460 __do_sys_shutdown net/socket.c:2468 [inline] __se_sys_shutdown net/socket.c:2466 [inline] __x64_sys_shutdown+0x53/0x80 net/socket.c:2466 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f20aeb7dff9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f20af940038 EFLAGS: 00000246 ORIG_RAX: 0000000000000030 RAX: ffffffffffffffda RBX: 00007f20aed36058 RCX: 00007f20aeb7dff9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004 RBP: 00007f20aebf0296 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f20aed36058 R15: 00007ffd97bedbc8 ================================================================== ---------------- Code disassembly (best guess): 0: 05 00 00 00 00 add $0x0,%eax 5: 00 00 add %al,(%rax) 7: 4c 89 f7 mov %r14,%rdi a: e8 cb bf fe 00 call 0xfebfda f: 48 89 ea mov %rbp,%rdx 12: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 19: fc ff df 1c: 48 c1 ea 03 shr $0x3,%rdx 20: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) 24: 0f 85 88 03 00 00 jne 0x3b2 * 2a: 48 8b 6d 00 mov 0x0(%rbp),%rbp <-- trapping instruction 2e: 48 85 ed test %rbp,%rbp 31: 0f 84 11 01 00 00 je 0x148 37: e8 7e 66 69 f7 call 0xf76966ba 3c: 0f .byte 0xf 3d: 1f (bad) 3e: 44 rex.R