==================================================================
BUG: KASAN: slab-use-after-free in hci_send_acl+0xd43/0x1150 net/bluetooth/hci_core.c:3228
Read of size 8 at addr ffff88810da4d618 by task kworker/1:2/421

CPU: 1 PID: 421 Comm: kworker/1:2 Not tainted 6.5.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Workqueue: events l2cap_info_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x3d/0x60 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:475
 kasan_report+0xda/0x110 mm/kasan/report.c:588
 hci_send_acl+0xd43/0x1150 net/bluetooth/hci_core.c:3228
 l2cap_send_conn_req+0x1c5/0x240 net/bluetooth/l2cap_core.c:1286
 l2cap_conn_start+0x615/0x870 net/bluetooth/l2cap_core.c:1661
 process_one_work+0x922/0x1370 kernel/workqueue.c:2600
 worker_thread+0xfb/0xe40 kernel/workqueue.c:2751
 kthread+0x278/0x330 kernel/kthread.c:389
 ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:145
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

Allocated by task 2322:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0xa2/0xb0 mm/kasan/common.c:383
 kmalloc include/linux/slab.h:582 [inline]
 kzalloc include/linux/slab.h:703 [inline]
 hci_chan_create+0x88/0x360 net/bluetooth/hci_conn.c:2683
 l2cap_conn_add.part.0+0x12/0xd10 net/bluetooth/l2cap_core.c:7841
 l2cap_conn_add include/net/bluetooth/hci_core.h:1495 [inline]
 l2cap_chan_connect+0x11eb/0x1b10 net/bluetooth/l2cap_core.c:8053
 bt_6lowpan_connect net/bluetooth/6lowpan.c:894 [inline]
 lowpan_control_write+0x33b/0x600 net/bluetooth/6lowpan.c:1129
 full_proxy_write+0xf1/0x150 fs/debugfs/file.c:236
 vfs_write+0x208/0xc80 fs/read_write.c:582
 ksys_write+0xf6/0x1d0 fs/read_write.c:637
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 1404:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free+0x15e/0x1b0 mm/kasan/common.c:200
 kasan_slab_free include/linux/kasan.h:162 [inline]
 slab_free_hook mm/slub.c:1792 [inline]
 slab_free_freelist_hook+0x10b/0x1e0 mm/slub.c:1818
 slab_free mm/slub.c:3801 [inline]
 __kmem_cache_free+0xba/0x340 mm/slub.c:3814
 hci_chan_list_flush+0x6d/0xd0 net/bluetooth/hci_conn.c:2723
 hci_conn_cleanup net/bluetooth/hci_conn.c:152 [inline]
 hci_conn_del+0x181/0xb70 net/bluetooth/hci_conn.c:1135
 hci_abort_conn_sync+0x351/0x870 net/bluetooth/hci_sync.c:5417
 hci_cmd_sync_work+0x173/0x340 net/bluetooth/hci_sync.c:306
 process_one_work+0x922/0x1370 kernel/workqueue.c:2600
 worker_thread+0xfb/0xe40 kernel/workqueue.c:2751
 kthread+0x278/0x330 kernel/kthread.c:389
 ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:145
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

Last potentially related work creation:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:492
 kvfree_call_rcu+0x63/0x970 kernel/rcu/tree.c:3368
 kernfs_unlink_open_file+0x2b4/0x380 fs/kernfs/file.c:633
 kernfs_fop_release+0xce/0x1c0 fs/kernfs/file.c:805
 __fput+0x339/0xa20 fs/file_table.c:384
 task_work_run+0x114/0x1f0 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x13f/0x150 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
 syscall_exit_to_user_mode+0x16/0x30 kernel/entry/common.c:297
 do_syscall_64+0x44/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff88810da4d600
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 24 bytes inside of
 freed 128-byte region [ffff88810da4d600, ffff88810da4d680)

The buggy address belongs to the physical page:
page:ffffea0004369340 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10da4d
flags: 0x100000000000200(slab|node=0|zone=2)
page_type: 0xffffffff()
raw: 0100000000000200 ffff8881000418c0 ffffea0004369280 dead000000000004
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, tgid 1 (swapper/0), ts 2575840749, free_ts 2563289409
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x281/0x2f0 mm/page_alloc.c:1570
 prep_new_page mm/page_alloc.c:1577 [inline]
 get_page_from_freelist+0x1131/0x3d90 mm/page_alloc.c:3221
 __alloc_pages+0x1d0/0x470 mm/page_alloc.c:4477
 alloc_page_interleave+0xf/0x200 mm/mempolicy.c:2125
 alloc_slab_page mm/slub.c:1862 [inline]
 allocate_slab+0x24e/0x360 mm/slub.c:2009
 new_slab mm/slub.c:2062 [inline]
 ___slab_alloc+0x7a7/0x1000 mm/slub.c:3215
 __slab_alloc.constprop.0+0x4d/0x90 mm/slub.c:3314
 __slab_alloc_node mm/slub.c:3367 [inline]
 slab_alloc_node mm/slub.c:3460 [inline]
 __kmem_cache_alloc_node+0x143/0x390 mm/slub.c:3509
 kmalloc_trace+0x25/0xb0 mm/slab_common.c:1076
 kmalloc include/linux/slab.h:582 [inline]
 kzalloc include/linux/slab.h:703 [inline]
 acpi_device_add+0x46d/0xae0 drivers/acpi/scan.c:697
 acpi_add_single_object+0xa15/0x1810 drivers/acpi/scan.c:1854
 acpi_bus_check_add+0x1a6/0x490 drivers/acpi/scan.c:2080
 acpi_bus_scan+0x8d/0x400 drivers/acpi/scan.c:2484
 acpi_scan_init+0x1ea/0x630 drivers/acpi/scan.c:2652
 acpi_init+0x380/0x870 drivers/acpi/bus.c:1394
 do_one_initcall+0xcd/0x3c0 init/main.c:1232
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1161 [inline]
 free_unref_page_prepare+0x5ac/0xcf0 mm/page_alloc.c:2348
 free_unref_page+0x33/0x350 mm/page_alloc.c:2443
 __unfreeze_partials+0x1f1/0x210 mm/slub.c:2647
 qlink_free mm/kasan/quarantine.c:166 [inline]
 qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:185
 kasan_quarantine_remove_cache+0xe7/0x170 mm/kasan/quarantine.c:370
 kmem_cache_shrink+0xd/0x20 mm/slab_common.c:519
 acpi_os_purge_cache+0x9/0x10 drivers/acpi/osl.c:1580
 acpi_purge_cached_objects+0xa8/0xf0 drivers/acpi/acpica/utxface.c:240
 acpi_initialize_objects+0x1c/0x70 drivers/acpi/acpica/utxfinit.c:250
 acpi_bus_init drivers/acpi/bus.c:1293 [inline]
 acpi_init+0x12f/0x870 drivers/acpi/bus.c:1381
 do_one_initcall+0xcd/0x3c0 init/main.c:1232
 do_initcall_level init/main.c:1294 [inline]
 do_initcalls init/main.c:1310 [inline]
 do_basic_setup init/main.c:1329 [inline]
 kernel_init_freeable+0x504/0x840 init/main.c:1546
 kernel_init+0x1a/0x1c0 init/main.c:1437
 ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:145
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

Memory state around the buggy address:
 ffff88810da4d500: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
 ffff88810da4d580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88810da4d600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff88810da4d680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88810da4d700: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
==================================================================