Bluetooth: hci4: Entering manufacturer mode failed (-110)
Bluetooth: hci5: Entering manufacturer mode failed (-110)
Bluetooth: hci3: Entering manufacturer mode failed (-110)
Bluetooth: hci4: command tx timeout
==================================================================
BUG: KASAN: use-after-free in hci_cmd_timeout+0x1b8/0x1c0 net/bluetooth/hci_core.c:2573
Read of size 8 at addr ffff88808c044858 by task kworker/1:3/7266

CPU: 1 PID: 7266 Comm: kworker/1:3 Not tainted 4.19.131-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events hci_cmd_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
 hci_cmd_timeout+0x1b8/0x1c0 net/bluetooth/hci_core.c:2573
 process_one_work+0x864/0x1570 kernel/workqueue.c:2155
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2298
 kthread+0x30b/0x410 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 7744:
 kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
 skb_clone+0x151/0x3d0 net/core/skbuff.c:1284
 hci_cmd_work+0xdc/0x2a0 net/bluetooth/hci_core.c:4395
 process_one_work+0x864/0x1570 kernel/workqueue.c:2155
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2298
 kthread+0x30b/0x410 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Freed by task 7801:
 __cache_free mm/slab.c:3503 [inline]
 kmem_cache_free+0x7f/0x260 mm/slab.c:3765
 kfree_skbmem+0xc1/0x140 net/core/skbuff.c:586
 __kfree_skb net/core/skbuff.c:646 [inline]
 kfree_skb+0x127/0x3d0 net/core/skbuff.c:663
 hci_dev_do_open+0xa3b/0x12b0 net/bluetooth/hci_core.c:1509
 hci_power_on+0x101/0x4f0 net/bluetooth/hci_core.c:2130
 process_one_work+0x864/0x1570 kernel/workqueue.c:2155
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2298
 kthread+0x30b/0x410 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

The buggy address belongs to the object at ffff88808c044780
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 216 bytes inside of
 232-byte region [ffff88808c044780, ffff88808c044868)
The buggy address belongs to the page:
page:ffffea0002301100 count:1 mapcount:0 mapping:ffff88821b685cc0 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea0002314188 ffffea0002313f88 ffff88821b685cc0
raw: 0000000000000000 ffff88808c044000 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808c044700: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
 ffff88808c044780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88808c044800: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
                                                    ^
 ffff88808c044880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff88808c044900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================