QAT: Invalid ioctl Bluetooth: hci0 command 0x1001 tx timeout Bluetooth: hci0 sending frame failed (-49) Bluetooth: hci0 command 0x1009 tx timeout ================================================================== BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:183 [inline] BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:27 [inline] BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:42 [inline] BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:952 [inline] BUG: KASAN: use-after-free in kfree_skb+0x2e9/0x340 net/core/skbuff.c:659 Read of size 4 at addr ffff88809f7e4e24 by task syz-executor.5/8287 CPU: 1 PID: 8287 Comm: syz-executor.5 Not tainted 4.14.152 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x138/0x197 lib/dump_stack.c:53 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report mm/kasan/report.c:409 [inline] kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429 __read_once_size include/linux/compiler.h:183 [inline] atomic_read arch/x86/include/asm/atomic.h:27 [inline] refcount_read include/linux/refcount.h:42 [inline] skb_unref include/linux/skbuff.h:952 [inline] kfree_skb+0x2e9/0x340 net/core/skbuff.c:659 bcsp_close+0xc7/0x130 drivers/bluetooth/hci_bcsp.c:761 hci_uart_tty_close+0x1cb/0x230 drivers/bluetooth/hci_ldisc.c:551 tty_ldisc_close.isra.0+0x99/0xd0 drivers/tty/tty_ldisc.c:498 tty_ldisc_kill+0x4b/0xc0 drivers/tty/tty_ldisc.c:644 tty_ldisc_release+0xb6/0x230 drivers/tty/tty_ldisc.c:811 tty_release_struct+0x1b/0x50 drivers/tty/tty_io.c:1603 tty_release+0xaa3/0xd60 drivers/tty/tty_io.c:1776 __fput+0x275/0x7a0 fs/file_table.c:210 ____fput+0x16/0x20 fs/file_table.c:244 task_work_run+0x114/0x190 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:191 [inline] exit_to_usermode_loop+0x1da/0x220 arch/x86/entry/common.c:164 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline] syscall_return_slowpath arch/x86/entry/common.c:270 [inline] do_syscall_64+0x4bc/0x640 arch/x86/entry/common.c:297 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x413db1 RSP: 002b:00007ffc22b5c000 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000413db1 RDX: 0000000000000000 RSI: 0000000000000989 RDI: 0000000000000005 RBP: 0000000000000001 R08: 000000006f7aa989 R09: 000000006f7aa98d R10: 00007ffc22b5c0e0 R11: 0000000000000293 R12: 000000000075c9a0 R13: 000000000075c9a0 R14: 00000000007608d0 R15: 000000000075c07c Allocated by task 2244: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x45/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc mm/kasan/kasan.c:551 [inline] kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489 kmem_cache_alloc_node+0x144/0x780 mm/slab.c:3642 __alloc_skb+0x9c/0x500 net/core/skbuff.c:193 alloc_skb include/linux/skbuff.h:980 [inline] bt_skb_alloc include/net/bluetooth/bluetooth.h:336 [inline] bcsp_recv+0x38a/0x1450 drivers/bluetooth/hci_bcsp.c:684 hci_uart_tty_receive+0x1f4/0x4d0 drivers/bluetooth/hci_ldisc.c:616 tty_ldisc_receive_buf+0x14d/0x1a0 drivers/tty/tty_buffer.c:459 tty_port_default_receive_buf+0x73/0xa0 drivers/tty/tty_port.c:37 receive_buf drivers/tty/tty_buffer.c:475 [inline] flush_to_ldisc+0x1ec/0x400 drivers/tty/tty_buffer.c:527 process_one_work+0x863/0x1600 kernel/workqueue.c:2114 worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248 kthread+0x319/0x430 kernel/kthread.c:232 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404 Freed by task 2244: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x45/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3496 [inline] kmem_cache_free+0x83/0x2b0 mm/slab.c:3758 kfree_skbmem net/core/skbuff.c:586 [inline] kfree_skbmem+0xac/0x120 net/core/skbuff.c:580 __kfree_skb net/core/skbuff.c:646 [inline] kfree_skb+0xbd/0x340 net/core/skbuff.c:663 bcsp_recv+0x28c/0x1450 drivers/bluetooth/hci_bcsp.c:622 hci_uart_tty_receive+0x1f4/0x4d0 drivers/bluetooth/hci_ldisc.c:616 tty_ldisc_receive_buf+0x14d/0x1a0 drivers/tty/tty_buffer.c:459 tty_port_default_receive_buf+0x73/0xa0 drivers/tty/tty_port.c:37 receive_buf drivers/tty/tty_buffer.c:475 [inline] flush_to_ldisc+0x1ec/0x400 drivers/tty/tty_buffer.c:527 process_one_work+0x863/0x1600 kernel/workqueue.c:2114 worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248 kthread+0x319/0x430 kernel/kthread.c:232 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404 The buggy address belongs to the object at ffff88809f7e4d40 which belongs to the cache skbuff_head_cache of size 232 The buggy address is located 228 bytes inside of 232-byte region [ffff88809f7e4d40, ffff88809f7e4e28) The buggy address belongs to the page: page:ffffea00027df900 count:1 mapcount:0 mapping:ffff88809f7e40c0 index:0xffff88809f7e4c00 flags: 0x1fffc0000000100(slab) raw: 01fffc0000000100 ffff88809f7e40c0 ffff88809f7e4c00 0000000100000003 raw: ffffea00027e8e20 ffffea00029235e0 ffff88821b7203c0 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88809f7e4d00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff88809f7e4d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88809f7e4e00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc ^ ffff88809f7e4e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88809f7e4f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ==================================================================