Bluetooth: hci2: hardware error 0x00
=========================
WARNING: held lock freed!
6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0 Not tainted
-------------------------
kworker/u5:1/3071 is freeing memory ffff000101a61800-ffff000101a61fff, with a lock still held there!
ffff000101a61d20 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_chan_lock include/net/bluetooth/l2cap.h:855 [inline]
ffff000101a61d20 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_conn_del+0x1a4/0x38c net/bluetooth/l2cap_core.c:1920
7 locks held by kworker/u5:1/3071:
 #0: ffff0000c9820d38 ((wq_completion)hci2){+.+.}-{0:0}, at: process_one_work+0x270/0x504 kernel/workqueue.c:2262
 #1: ffff800012833d80 ((work_completion)(&hdev->error_reset)){+.+.}-{0:0}, at: process_one_work+0x29c/0x504 kernel/workqueue.c:2264
 #2: ffff0000cafecfd0 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close net/bluetooth/hci_core.c:552 [inline]
 #2: ffff0000cafecfd0 (&hdev->req_lock){+.+.}-{3:3}, at: hci_error_reset+0xa4/0x154 net/bluetooth/hci_core.c:1050
 #3: ffff0000cafec078 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_close_sync+0x200/0x9e0 net/bluetooth/hci_sync.c:4463
 #4: ffff80000d832b98 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:1776 [inline]
 #4: ffff80000d832b98 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0x64/0x148 net/bluetooth/hci_conn.c:2366
 #5: ffff0000c98272d8 (&conn->chan_lock){+.+.}-{3:3}, at: l2cap_conn_del+0x130/0x38c net/bluetooth/l2cap_core.c:1915
 #6: ffff000101a61d20 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_chan_lock include/net/bluetooth/l2cap.h:855 [inline]
 #6: ffff000101a61d20 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_conn_del+0x1a4/0x38c net/bluetooth/l2cap_core.c:1920

stack backtrace:
CPU: 0 PID: 3071 Comm: kworker/u5:1 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
Workqueue: hci2 hci_error_reset
Call trace:
 dump_backtrace+0x1c4/0x1f0 arch/arm64/kernel/stacktrace.c:156
 show_stack+0x2c/0x54 arch/arm64/kernel/stacktrace.c:163
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x104/0x16c lib/dump_stack.c:106
 dump_stack+0x1c/0x58 lib/dump_stack.c:113
 print_freed_lock_bug kernel/locking/lockdep.c:6422 [inline]
 debug_check_no_locks_freed+0x184/0x19c kernel/locking/lockdep.c:6455
 slab_free_hook mm/slub.c:1731 [inline]
 slab_free_freelist_hook mm/slub.c:1785 [inline]
 slab_free mm/slub.c:3539 [inline]
 kfree+0x138/0x348 mm/slub.c:4567
 l2cap_chan_destroy net/bluetooth/l2cap_core.c:503 [inline]
 kref_put include/linux/kref.h:65 [inline]
 l2cap_chan_put+0xcc/0x160 net/bluetooth/l2cap_core.c:527
 a2mp_chan_close_cb+0x20/0x30 net/bluetooth/a2mp.c:713
 l2cap_conn_del+0x1c0/0x38c net/bluetooth/l2cap_core.c:1924
 l2cap_disconn_cfm+0x68/0xac net/bluetooth/l2cap_core.c:8212
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1779 [inline]
 hci_conn_hash_flush+0x88/0x148 net/bluetooth/hci_conn.c:2366
 hci_dev_close_sync+0x48c/0x9e0 net/bluetooth/hci_sync.c:4476
 hci_dev_do_close net/bluetooth/hci_core.c:554 [inline]
 hci_error_reset+0xac/0x154 net/bluetooth/hci_core.c:1050
 process_one_work+0x2d8/0x504 kernel/workqueue.c:2289
 worker_thread+0x340/0x610 kernel/workqueue.c:2436
 kthread+0x12c/0x158 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 3071 at lib/refcount.c:28 refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
Modules linked in:
CPU: 0 PID: 3071 Comm: kworker/u5:1 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
Workqueue: hci2 hci_error_reset
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
lr : refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
sp : ffff800012833bb0
x29: ffff800012833bb0 x28: ffff0000c9827260 x27: 0000000000000003
x26: ffff000101a61cb8 x25: ffff000101a61800 x24: ffff000101a61c88
x23: 0000000000000001 x22: ffff0000c9827270 x21: 0000000000000067
x20: 0000000000000003 x19: ffff80000d8c8000 x18: 00000000000000c0
x17: 6e69676e45206574 x16: 0000000000000001 x15: 0000000000000000
x14: 0000000000000000 x13: 205d313730335420 x12: 5b5d393533393939
x11: ff808000081c0d5c x10: 0000000000000000 x9 : da07e1372a5dfc00
x8 : da07e1372a5dfc00 x7 : 205b5d3935333939 x6 : ffff80000819545c
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
x2 : ffff0001fefbecd0 x1 : 0000000100000000 x0 : 0000000000000026
Call trace:
 refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
 __refcount_sub_and_test include/linux/refcount.h:283 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 kref_put include/linux/kref.h:64 [inline]
 l2cap_chan_put+0xec/0x160 net/bluetooth/l2cap_core.c:527
 l2cap_conn_del+0x1d0/0x38c net/bluetooth/l2cap_core.c:1927
 l2cap_disconn_cfm+0x68/0xac net/bluetooth/l2cap_core.c:8212
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1779 [inline]
 hci_conn_hash_flush+0x88/0x148 net/bluetooth/hci_conn.c:2366
 hci_dev_close_sync+0x48c/0x9e0 net/bluetooth/hci_sync.c:4476
 hci_dev_do_close net/bluetooth/hci_core.c:554 [inline]
 hci_error_reset+0xac/0x154 net/bluetooth/hci_core.c:1050
 process_one_work+0x2d8/0x504 kernel/workqueue.c:2289
 worker_thread+0x340/0x610 kernel/workqueue.c:2436
 kthread+0x12c/0x158 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
irq event stamp: 2409
hardirqs last  enabled at (2409): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last  enabled at (2409): [] _raw_spin_unlock_irqrestore+0x48/0x8c kernel/locking/spinlock.c:194
hardirqs last disabled at (2408): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (2408): [] _raw_spin_lock_irqsave+0xa4/0xb4 kernel/locking/spinlock.c:162
softirqs last  enabled at (2144): [] _stext+0x2e4/0x37c
softirqs last disabled at (2109): [] ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:79
---[ end trace 0000000000000000 ]---
Bluetooth: hci2: Opcode 0x c03 failed: -110