==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]
BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2a4 include/net/bluetooth/hci_core.h:1688
Write of size 4 at addr ffff0000ed28c010 by task kworker/u9:0/53

CPU: 0 UID: 0 PID: 53 Comm: kworker/u9:0 Tainted: G L syzkaller #0 PREEMPT
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
Workqueue: hci2 hci_cmd_sync_work
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x238 mm/kasan/report.c:378
 print_report+0x68/0x84 mm/kasan/report.c:482
 kasan_report+0xb0/0x110 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:200
 __kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 atomic_dec_and_test include/linux/atomic/atomic-instrumented.h:1383 [inline]
 hci_conn_drop+0x34/0x2a4 include/net/bluetooth/hci_core.h:1688
 le_read_features_complete+0x54/0xec net/bluetooth/hci_sync.c:7344
 hci_cmd_sync_work+0x204/0x38c net/bluetooth/hci_sync.c:334
 process_one_work+0x7c0/0x1558 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x958/0xed8 kernel/workqueue.c:3421
 kthread+0x5fc/0x75c kernel/kthread.c:463
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844

Allocated by task 6569:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:78
 kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:570
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __kmalloc_cache_noprof+0x3b8/0x698 mm/slub.c:5776
 kmalloc_noprof include/linux/slab.h:957 [inline]
 kzalloc_noprof include/linux/slab.h:1094 [inline]
 __hci_conn_add+0x2f8/0x1630 net/bluetooth/hci_conn.c:963
 hci_conn_add_unset+0x80/0x128 net/bluetooth/hci_conn.c:1084
 le_conn_complete_evt+0x5fc/0x1064 net/bluetooth/hci_event.c:5714
 hci_le_conn_complete_evt+0x114/0x410 net/bluetooth/hci_event.c:5847
 hci_le_meta_evt+0x2dc/0x500 net/bluetooth/hci_event.c:7408
 hci_event_func net/bluetooth/hci_event.c:7716 [inline]
 hci_event_packet+0x6bc/0xf50 net/bluetooth/hci_event.c:7773
 hci_rx_work+0x300/0xd80 net/bluetooth/hci_core.c:4076
 process_one_work+0x7c0/0x1558 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x958/0xed8 kernel/workqueue.c:3421
 kthread+0x5fc/0x75c kernel/kthread.c:463
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844

Freed by task 6569:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:78
 kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x74/0xa4 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2540 [inline]
 slab_free mm/slub.c:6670 [inline]
 kfree+0x1c4/0x5fc mm/slub.c:6878
 bt_link_release+0x20/0x30 net/bluetooth/hci_sysfs.c:16
 device_release+0x8c/0x1ac drivers/base/core.c:-1
 kobject_cleanup lib/kobject.c:689 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x2c8/0x4f4 lib/kobject.c:737
 put_device drivers/base/core.c:3797 [inline]
 device_unregister+0x3c/0xf4 drivers/base/core.c:3920
 hci_conn_del_sysfs+0xf0/0x198 net/bluetooth/hci_sysfs.c:79
 hci_conn_cleanup net/bluetooth/hci_conn.c:173 [inline]
 hci_conn_del+0xa40/0xfb0 net/bluetooth/hci_conn.c:1234
 hci_disconn_complete_evt+0x548/0x858 net/bluetooth/hci_event.c:3451
 hci_event_func net/bluetooth/hci_event.c:7719 [inline]
 hci_event_packet+0x704/0xf50 net/bluetooth/hci_event.c:7773
 hci_rx_work+0x300/0xd80 net/bluetooth/hci_core.c:4076
 process_one_work+0x7c0/0x1558 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x958/0xed8 kernel/workqueue.c:3421
 kthread+0x5fc/0x75c kernel/kthread.c:463
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844

The buggy address belongs to the object at ffff0000ed28c000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 16 bytes inside of
 freed 8192-byte region [ffff0000ed28c000, ffff0000ed28e000)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12d288
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000040 ffff0000c0002280 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
head: 05ffc00000000040 ffff0000c0002280 dead000000000122 0000000000000000
head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
head: 05ffc00000000003 fffffdffc3b4a201 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000ed28bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000ed28bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000ed28c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff0000ed28c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000ed28c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
------------[ cut here ]------------
ODEBUG: assert_init not available (active state 0) object: 000000000fdee488 object type: timer_list hint: hci_conn_idle+0x0/0x47c net/bluetooth/hci_conn.c:624
WARNING: lib/debugobjects.c:615 at debug_print_object+0x168/0x1e0 lib/debugobjects.c:612, CPU#0: kworker/u9:0/53
Modules linked in:
CPU: 0 UID: 0 PID: 53 Comm: kworker/u9:0 Tainted: G B L syzkaller #0 PREEMPT
Tainted: [B]=BAD_PAGE, [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
Workqueue: hci2 hci_cmd_sync_work
pstate: 634000c5 (nZCv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : debug_print_object+0x168/0x1e0 lib/debugobjects.c:612
lr : debug_print_object+0x168/0x1e0 lib/debugobjects.c:612
sp : ffff800099467750
x29: ffff800099467750 x28: dfff800000000000 x27: 0000000000000000
x26: ffff80008f871000 x25: dfff800000000000 x24: ffff0000ed28cbd8
x23: ffff80008b5aa820 x22: ffff80008a193b48 x21: ffff80008b079660
x20: 0000000000000000 x19: ffff80008b5aa300 x18: 00000000ffffffff
x17: 3d3d3d3d3d3d3d3d x16: ffff800082e5e68c x15: 0000000000000001
x14: 1fffe0003377d0fa x13: 0000000000000000 x12: 0000000000000000
x11: ffff60003377d0fb x10: 0000000000ff0100 x9 : b61907e19fe3c700
x8 : b61907e19fe3c700 x7 : 0000000000000001 x6 : ffff8000805761f8
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000807f1034
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000000
Call trace:
 debug_print_object+0x168/0x1e0 lib/debugobjects.c:612 (P)
 debug_object_assert_init+0x250/0x2c8 lib/debugobjects.c:1020
 debug_timer_assert_init kernel/time/timer.c:803 [inline]
 debug_assert_init kernel/time/timer.c:848 [inline]
 __timer_delete+0x48/0x354 kernel/time/timer.c:1366
 timer_delete+0x24/0x34 kernel/time/timer.c:1406
 try_to_grab_pending kernel/workqueue.c:2061 [inline]
 work_grab_pending+0xc0/0x830 kernel/workqueue.c:2154
 __cancel_work+0x50/0x218 kernel/workqueue.c:4368
 cancel_delayed_work+0x24/0x38 kernel/workqueue.c:4456
 hci_conn_drop+0xb0/0x2a4 include/net/bluetooth/hci_core.h:1694
 le_read_features_complete+0x54/0xec net/bluetooth/hci_sync.c:7344
 hci_cmd_sync_work+0x204/0x38c net/bluetooth/hci_sync.c:334
 process_one_work+0x7c0/0x1558 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x958/0xed8 kernel/workqueue.c:3421
 kthread+0x5fc/0x75c kernel/kthread.c:463
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844
irq event stamp: 12421
hardirqs last enabled at (12421): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last enabled at (12421): [] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194
hardirqs last disabled at (12420): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (12420): [] _raw_spin_lock_irqsave+0x2c/0x7c kernel/locking/spinlock.c:162
softirqs last enabled at (12386): [] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
softirqs last disabled at (12384): [] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
ODEBUG: assert_init not available (active state 0) object: 000000007798428b object type: timer_list hint: hci_le_big_terminate net/bluetooth/hci_conn.c:-1 [inline]
ODEBUG: assert_init not available (active state 0) object: 000000007798428b object type: timer_list hint: hci_conn_timeout+0x0/0x210 net/bluetooth/hci_conn.c:860
WARNING: lib/debugobjects.c:615 at debug_print_object+0x168/0x1e0 lib/debugobjects.c:612, CPU#0: kworker/u9:0/53
Modules linked in:
CPU: 0 UID: 0 PID: 53 Comm: kworker/u9:0 Tainted: G B W L syzkaller #0 PREEMPT
Tainted: [B]=BAD_PAGE, [W]=WARN, [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
Workqueue: hci2 hci_cmd_sync_work
pstate: 634000c5 (nZCv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : debug_print_object+0x168/0x1e0 lib/debugobjects.c:612
lr : debug_print_object+0x168/0x1e0 lib/debugobjects.c:612
sp : ffff800099467750
x29: ffff800099467750 x28: dfff800000000000 x27: 0000000000000001
x26: ffff80008f871000 x25: dfff800000000000 x24: ffff0000ed28ca88
x23: ffff80008b5aa820 x22: ffff80008a1938e0 x21: ffff80008b079660
x20: 0000000000000000 x19: ffff80008b5aa300 x18: 00000000ffffffff
x17: 3d3d3d3d3d3d3d3d x16: ffff800082e5e68c x15: 0000000000000001
x14: 1ffff0001328ce20 x13: 0000000000000000 x12: 0000000000000000
x11: 00000000000015c5 x10: 0000000000ff0100 x9 : b61907e19fe3c700
x8 : b61907e19fe3c700 x7 : 0000000000000001 x6 : ffff8000805761f8
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000002
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000000
Call trace:
 debug_print_object+0x168/0x1e0 lib/debugobjects.c:612 (P)
 debug_object_assert_init+0x250/0x2c8 lib/debugobjects.c:1020
 debug_timer_assert_init kernel/time/timer.c:803 [inline]
 debug_assert_init kernel/time/timer.c:848 [inline]
 __timer_delete+0x48/0x354 kernel/time/timer.c:1366
 timer_delete+0x24/0x34 kernel/time/timer.c:1406
 try_to_grab_pending kernel/workqueue.c:2061 [inline]
 work_grab_pending+0xc0/0x830 kernel/workqueue.c:2154
 __cancel_work+0x50/0x218 kernel/workqueue.c:4368
 cancel_delayed_work+0x24/0x38 kernel/workqueue.c:4456
 hci_conn_drop+0x128/0x2a4 include/net/bluetooth/hci_core.h:1709
 le_read_features_complete+0x54/0xec net/bluetooth/hci_sync.c:7344
 hci_cmd_sync_work+0x204/0x38c net/bluetooth/hci_sync.c:334
 process_one_work+0x7c0/0x1558 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x958/0xed8 kernel/workqueue.c:3421
 kthread+0x5fc/0x75c kernel/kthread.c:463
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844
irq event stamp: 12421
hardirqs last enabled at (12421): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last enabled at (12421): [] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194
hardirqs last disabled at (12420): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (12420): [] _raw_spin_lock_irqsave+0x2c/0x7c kernel/locking/spinlock.c:162
softirqs last enabled at (12386): [] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
softirqs last disabled at (12384): [] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
---[ end trace 0000000000000000 ]---
Bluetooth: hci1: command tx timeout
Bluetooth: hci4: command tx timeout
Bluetooth: hci1: command tx timeout
Bluetooth: hci4: command tx timeout
Bluetooth: hci1: command tx timeout
Bluetooth: hci4: command tx timeout
Bluetooth: hci1: command tx timeout