Bluetooth: hci0: hardware error 0xff
=========================
WARNING: held lock freed!
6.0.0-rc6-syzkaller-17742-gc194837ebb57 #0 Not tainted
-------------------------
kworker/u5:0/44 is freeing memory ffff0000cb1fc800-ffff0000cb1fcfff, with a lock still held there!
ffff0000cb1fcd20 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_chan_lock include/net/bluetooth/l2cap.h:855 [inline]
ffff0000cb1fcd20 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_conn_del+0x1a4/0x38c net/bluetooth/l2cap_core.c:1920
7 locks held by kworker/u5:0/44:
 #0: ffff0000c7bdf938 ((wq_completion)hci0){+.+.}-{0:0}, at: process_one_work+0x270/0x504 kernel/workqueue.c:2262
 #1: ffff80000f653d80 ((work_completion)(&hdev->error_reset)){+.+.}-{0:0}, at: process_one_work+0x29c/0x504 kernel/workqueue.c:2264
 #2: ffff0000c7132fd0 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close net/bluetooth/hci_core.c:552 [inline]
 #2: ffff0000c7132fd0 (&hdev->req_lock){+.+.}-{3:3}, at: hci_error_reset+0xa4/0x154 net/bluetooth/hci_core.c:1050
 #3: ffff0000c7132078 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_close_sync+0x200/0x9e0 net/bluetooth/hci_sync.c:4463
 #4: ffff80000d832b18 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:1776 [inline]
 #4: ffff80000d832b18 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0x64/0x148 net/bluetooth/hci_conn.c:2366
 #5: ffff0000c7bed2d8 (&conn->chan_lock){+.+.}-{3:3}, at: l2cap_conn_del+0x130/0x38c net/bluetooth/l2cap_core.c:1915
 #6: ffff0000cb1fcd20 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_chan_lock include/net/bluetooth/l2cap.h:855 [inline]
 #6: ffff0000cb1fcd20 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_conn_del+0x1a4/0x38c net/bluetooth/l2cap_core.c:1920

stack backtrace:
CPU: 0 PID: 44 Comm: kworker/u5:0 Not tainted 6.0.0-rc6-syzkaller-17742-gc194837ebb57 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Workqueue: hci0 hci_error_reset
Call trace:
 dump_backtrace+0x1c4/0x1f0 arch/arm64/kernel/stacktrace.c:156
 show_stack+0x2c/0x54 arch/arm64/kernel/stacktrace.c:163
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x104/0x16c lib/dump_stack.c:106
 dump_stack+0x1c/0x58 lib/dump_stack.c:113
 print_freed_lock_bug kernel/locking/lockdep.c:6422 [inline]
 debug_check_no_locks_freed+0x184/0x19c kernel/locking/lockdep.c:6455
 slab_free_hook mm/slub.c:1726 [inline]
 slab_free_freelist_hook mm/slub.c:1780 [inline]
 slab_free mm/slub.c:3534 [inline]
 kfree+0x138/0x348 mm/slub.c:4562
 l2cap_chan_destroy net/bluetooth/l2cap_core.c:503 [inline]
 kref_put include/linux/kref.h:65 [inline]
 l2cap_chan_put+0xcc/0x160 net/bluetooth/l2cap_core.c:527
 a2mp_chan_close_cb+0x20/0x30 net/bluetooth/a2mp.c:713
 l2cap_conn_del+0x1c0/0x38c net/bluetooth/l2cap_core.c:1924
 l2cap_disconn_cfm+0x68/0xac net/bluetooth/l2cap_core.c:8212
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1779 [inline]
 hci_conn_hash_flush+0x88/0x148 net/bluetooth/hci_conn.c:2366
 hci_dev_close_sync+0x48c/0x9e0 net/bluetooth/hci_sync.c:4476
 hci_dev_do_close net/bluetooth/hci_core.c:554 [inline]
 hci_error_reset+0xac/0x154 net/bluetooth/hci_core.c:1050
 process_one_work+0x2d8/0x504 kernel/workqueue.c:2289
 worker_thread+0x340/0x610 kernel/workqueue.c:2436
 kthread+0x12c/0x158 kernel/kthread.c:376
 ret_from_fork+0x10/0x20
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 44 at lib/refcount.c:28 refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
Modules linked in:
CPU: 0 PID: 44 Comm: kworker/u5:0 Not tainted 6.0.0-rc6-syzkaller-17742-gc194837ebb57 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Workqueue: hci0 hci_error_reset
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
lr : refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
sp : ffff80000f653bb0
x29: ffff80000f653bb0 x28: ffff0000c7bed260 x27: 0000000000000003
x26: ffff0000cb1fccb8 x25: ffff0000cb1fc800 x24: ffff0000cb1fcc88
x23: 0000000000000001 x22: ffff0000c7bed270 x21: 0000000000000067
x20: 0000000000000003 x19: ffff80000d8c8000 x18: 00000000000000c0
x17: 6e69676e45206574 x16: 0000000000000001 x15: 0000000000000000
x14: 0000000000000000 x13: 205d343454202020 x12: 5b5d353631323438
x11: ff808000081c1630 x10: 0000000000000000 x9 : 20cab974b89e3800
x8 : 20cab974b89e3800 x7 : 205b5d3536313234 x6 : ffff800008195d30
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000100000000 x0 : 0000000000000026
Call trace:
 refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
 __refcount_sub_and_test include/linux/refcount.h:283 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 kref_put include/linux/kref.h:64 [inline]
 l2cap_chan_put+0xec/0x160 net/bluetooth/l2cap_core.c:527
 l2cap_conn_del+0x1d0/0x38c net/bluetooth/l2cap_core.c:1927
 l2cap_disconn_cfm+0x68/0xac net/bluetooth/l2cap_core.c:8212
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1779 [inline]
 hci_conn_hash_flush+0x88/0x148 net/bluetooth/hci_conn.c:2366
 hci_dev_close_sync+0x48c/0x9e0 net/bluetooth/hci_sync.c:4476
 hci_dev_do_close net/bluetooth/hci_core.c:554 [inline]
 hci_error_reset+0xac/0x154 net/bluetooth/hci_core.c:1050
 process_one_work+0x2d8/0x504 kernel/workqueue.c:2289
 worker_thread+0x340/0x610 kernel/workqueue.c:2436
 kthread+0x12c/0x158 kernel/kthread.c:376
 ret_from_fork+0x10/0x20
irq event stamp: 731
hardirqs last enabled at (731): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last enabled at (731): [] _raw_spin_unlock_irqrestore+0x48/0x8c kernel/locking/spinlock.c:194
hardirqs last disabled at (730): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (730): [] _raw_spin_lock_irqsave+0xa4/0xb4 kernel/locking/spinlock.c:162
softirqs last enabled at (0): [] copy_process+0x948/0x171c kernel/fork.c:2202
softirqs last disabled at (0): [<0000000000000000>] 0x0
---[ end trace 0000000000000000 ]---