ffff888013199000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888013199080: 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00 ================================================================== Disabling lock debugging due to kernel taint ------------[ cut here ]------------ kobject: '“JŠ˙˙˙˙¤' (00000000eb8bb199): is not initialized, yet kobject_put() is being called. WARNING: CPU: 0 PID: 8833 at lib/kobject.c:750 kobject_put+0x22b/0x540 lib/kobject.c:750 Modules linked in: CPU: 0 PID: 8833 Comm: syz-executor.5 Tainted: G B 5.12.0-rc8-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:kobject_put+0x22b/0x540 lib/kobject.c:750 Code: e8 aa ad 94 fd 48 89 e8 48 c1 e8 03 42 80 3c 20 00 0f 85 97 02 00 00 48 8b 75 00 48 89 ea 48 c7 c7 40 09 e3 89 e8 88 74 f6 04 <0f> 0b e9 32 fe ff ff e8 79 ad 94 fd 4d 89 f9 48 89 e9 4c 89 f2 49 RSP: 0018:ffffc900018df7d8 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff888025efb580 RSI: ffffffff815bf005 RDI: fffff5200031beed RBP: ffff888013199340 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815bd3bb R11: 0000000000000000 R12: dffffc0000000000 R13: ffff88801319937c R14: ffffffff8fc41f00 R15: 0000000000000067 FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000561a16ba7160 CR3: 0000000013381000 CR4: 0000000000350ef0 Call Trace: put_device+0x1b/0x30 drivers/base/core.c:3341 hci_conn_put include/net/bluetooth/hci_core.h:1139 [inline] hci_chan_del+0x144/0x200 net/bluetooth/hci_conn.c:1781 l2cap_conn_del+0x478/0x7b0 net/bluetooth/l2cap_core.c:1906 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:8168 [inline] l2cap_disconn_cfm+0x98/0xd0 net/bluetooth/l2cap_core.c:8161 hci_disconn_cfm include/net/bluetooth/hci_core.h:1486 [inline] hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1598 hci_dev_do_close+0x569/0x1140 net/bluetooth/hci_core.c:1778 hci_unregister_dev+0x263/0x1150 net/bluetooth/hci_core.c:3989 vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340 __fput+0x288/0x920 fs/file_table.c:280 task_work_run+0xdd/0x1a0 kernel/task_work.c:140 exit_task_work include/linux/task_work.h:30 [inline] do_exit+0xbfc/0x2a80 kernel/exit.c:825 do_group_exit+0x125/0x310 kernel/exit.c:922 get_signal+0x47f/0x2210 kernel/signal.c:2781 arch_do_signal_or_restart+0x2a8/0x1eb0 arch/x86/kernel/signal.c:789 handle_signal_work kernel/entry/common.c:147 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x124/0x200 kernel/entry/common.c:208 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline] syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:301 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x4651c7 Code: Unable to access opcode bytes at RIP 0x46519d. RSP: 002b:00007ffea71497a8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000004651c7 RDX: 00007ffea71497e0 RSI: 00007ffea71497e0 RDI: 00007ffea7149870 RBP: 00007ffea7149870 R08: 0000000000000001 R09: 00007ffea7149640 R10: 0000000001aa5853 R11: 0000000000000206 R12: 00000000004ae4e9 R13: 00007ffea714a920 R14: 0000000001aa5810 R15: 0000000000000003 irq event stamp: 14256590 hardirqs last enabled at (14256589): [] __free_object+0x638/0xde0 lib/debugobjects.c:421 hardirqs last disabled at (14256590): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] hardirqs last disabled at (14256590): [] _raw_spin_lock_irqsave+0x4e/0x50 kernel/locking/spinlock.c:159 softirqs last enabled at (14253698): [] invoke_softirq kernel/softirq.c:221 [inline] softirqs last enabled at (14253698): [] __irq_exit_rcu+0x17f/0x200 kernel/softirq.c:422 softirqs last disabled at (14253615): [] invoke_softirq kernel/softirq.c:221 [inline] softirqs last disabled at (14253615): [] __irq_exit_rcu+0x17f/0x200 kernel/softirq.c:422 ---[ end trace 2f79cd434fc308af ]--- ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 0 PID: 8833 at lib/refcount.c:28 refcount_warn_saturate+0x286/0x290 lib/refcount.c:28 Modules linked in: CPU: 0 PID: 8833 Comm: syz-executor.5 Tainted: G B W 5.12.0-rc8-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:refcount_warn_saturate+0x286/0x290 lib/refcount.c:28 Code: e9 43 fe ff ff 48 89 df e8 87 98 f2 fd e9 d5 fd ff ff e8 0d e2 ad fd 48 c7 c7 80 aa df 89 c6 05 59 38 c7 09 01 e8 fd a8 0f 05 <0f> 0b e9 17 fe ff ff 0f 1f 00 41 56 41 55 41 54 55 48 bd 00 00 00 RSP: 0018:ffffc900018df7c0 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff888025efb580 RSI: ffffffff815bf005 RDI: fffff5200031beea RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815bd3bb R11: 0000000000000000 R12: dffffc0000000000 R13: ffff88801319937c R14: ffff888013199378 R15: 0000000000000067 FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000561a16ba7160 CR3: 0000000013381000 CR4: 0000000000350ef0 Call Trace: __refcount_sub_and_test include/linux/refcount.h:283 [inline] __refcount_dec_and_test include/linux/refcount.h:315 [inline] refcount_dec_and_test include/linux/refcount.h:333 [inline] kref_put include/linux/kref.h:64 [inline] kobject_put+0x2f6/0x540 lib/kobject.c:753 put_device+0x1b/0x30 drivers/base/core.c:3341 hci_conn_put include/net/bluetooth/hci_core.h:1139 [inline] hci_chan_del+0x144/0x200 net/bluetooth/hci_conn.c:1781 l2cap_conn_del+0x478/0x7b0 net/bluetooth/l2cap_core.c:1906 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:8168 [inline] l2cap_disconn_cfm+0x98/0xd0 net/bluetooth/l2cap_core.c:8161 hci_disconn_cfm include/net/bluetooth/hci_core.h:1486 [inline] hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1598 hci_dev_do_close+0x569/0x1140 net/bluetooth/hci_core.c:1778 hci_unregister_dev+0x263/0x1150 net/bluetooth/hci_core.c:3989 vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340 __fput+0x288/0x920 fs/file_table.c:280 task_work_run+0xdd/0x1a0 kernel/task_work.c:140 exit_task_work include/linux/task_work.h:30 [inline] do_exit+0xbfc/0x2a80 kernel/exit.c:825 do_group_exit+0x125/0x310 kernel/exit.c:922 get_signal+0x47f/0x2210 kernel/signal.c:2781 arch_do_signal_or_restart+0x2a8/0x1eb0 arch/x86/kernel/signal.c:789 handle_signal_work kernel/entry/common.c:147 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x124/0x200 kernel/entry/common.c:208 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline] syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:301 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x4651c7 Code: Unable to access opcode bytes at RIP 0x46519d. RSP: 002b:00007ffea71497a8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000004651c7 RDX: 00007ffea71497e0 RSI: 00007ffea71497e0 RDI: 00007ffea7149870 RBP: 00007ffea7149870 R08: 0000000000000001 R09: 00007ffea7149640 R10: 0000000001aa5853 R11: 0000000000000206 R12: 00000000004ae4e9 R13: 00007ffea714a920 R14: 0000000001aa5810 R15: 0000000000000003 irq event stamp: 14256590 hardirqs last enabled at (14256589): [] __free_object+0x638/0xde0 lib/debugobjects.c:421 hardirqs last disabled at (14256590): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] hardirqs last disabled at (14256590): [] _raw_spin_lock_irqsave+0x4e/0x50 kernel/locking/spinlock.c:159 softirqs last enabled at (14253698): [] invoke_softirq kernel/softirq.c:221 [inline] softirqs last enabled at (14253698): [] __irq_exit_rcu+0x17f/0x200 kernel/softirq.c:422 softirqs last disabled at (14253615): [] invoke_softirq kernel/softirq.c:221 [inline] softirqs last disabled at (14253615): [] __irq_exit_rcu+0x17f/0x200 kernel/softirq.c:422 ---[ end trace 2f79cd434fc308b0 ]--- ================================================================================ UBSAN: array-index-out-of-bounds in kernel/locking/qspinlock.c:130:9 index 7451 is out of range for type 'long unsigned int [8]' CPU: 1 PID: 8833 Comm: syz-executor.5 Tainted: G B W 5.12.0-rc8-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0xfa/0x151 lib/dump_stack.c:120 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 __ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:288 decode_tail kernel/locking/qspinlock.c:130 [inline] __pv_queued_spin_lock_slowpath+0xa3f/0xb40 kernel/locking/qspinlock.c:468 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:554 [inline] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:51 [inline] queued_spin_lock include/asm-generic/qspinlock.h:85 [inline] do_raw_spin_lock+0x200/0x2b0 kernel/locking/spinlock_debug.c:113 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline] _raw_spin_lock_irqsave+0x41/0x50 kernel/locking/spinlock.c:159 skb_dequeue+0x1c/0x180 net/core/skbuff.c:3094 skb_queue_purge+0x21/0x30 net/core/skbuff.c:3132 hci_chan_del+0x14d/0x200 net/bluetooth/hci_conn.c:1783 l2cap_conn_del+0x478/0x7b0 net/bluetooth/l2cap_core.c:1906 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:8168 [inline] l2cap_disconn_cfm+0x98/0xd0 net/bluetooth/l2cap_core.c:8161 hci_disconn_cfm include/net/bluetooth/hci_core.h:1486 [inline] hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1598 hci_dev_do_close+0x569/0x1140 net/bluetooth/hci_core.c:1778 hci_unregister_dev+0x263/0x1150 net/bluetooth/hci_core.c:3989 vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340 __fput+0x288/0x920 fs/file_table.c:280 task_work_run+0xdd/0x1a0 kernel/task_work.c:140 exit_task_work include/linux/task_work.h:30 [inline] do_exit+0xbfc/0x2a80 kernel/exit.c:825 do_group_exit+0x125/0x310 kernel/exit.c:922 get_signal+0x47f/0x2210 kernel/signal.c:2781 arch_do_signal_or_restart+0x2a8/0x1eb0 arch/x86/kernel/signal.c:789 handle_signal_work kernel/entry/common.c:147 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x124/0x200 kernel/entry/common.c:208 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline] syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:301 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x4651c7 Code: Unable to access opcode bytes at RIP 0x46519d. RSP: 002b:00007ffea71497a8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000004651c7 RDX: 00007ffea71497e0 RSI: 00007ffea71497e0 RDI: 00007ffea7149870 RBP: 00007ffea7149870 R08: 0000000000000001 R09: 00007ffea7149640 R10: 0000000001aa5853 R11: 0000000000000206 R12: 00000000004ae4e9 R13: 00007ffea714a920 R14: 0000000001aa5810 R15: 0000000000000003 ================================================================================ general protection fault, probably for non-canonical address 0xdffffc00004bc32a: 0000 [#1] PREEMPT SMP KASAN KASAN: probably user-memory-access in range [0x00000000025e1950-0x00000000025e1957] CPU: 1 PID: 8833 Comm: syz-executor.5 Tainted: G B W 5.12.0-rc8-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__pv_queued_spin_lock_slowpath+0x55a/0xb40 kernel/locking/qspinlock.c:471 Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 e5 04 00 00 4a 03 1c e5 e0 26 32 8b 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 b5 04 00 00 4c 8d 6b 14 48 89 6c 24 08 48 8b 2c RSP: 0018:ffffc900018df648 EFLAGS: 00010012 RAX: dffffc0000000000 RBX: 00000000025e1950 RCX: 0000000000000000 RDX: 00000000004bc32a RSI: ffffffff8159aa9f RDI: ffffffff8b330fb8 RBP: ffff888013198f38 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff88e7ec30 R11: 0000000000000000 R12: 0000000000001d1b R13: 0000000000000001 R14: 0000000000080000 R15: ffff8880b9d35f40 FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fdeda98d000 CR3: 0000000013381000 CR4: 0000000000350ee0 Call Trace: pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:554 [inline] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:51 [inline] queued_spin_lock include/asm-generic/qspinlock.h:85 [inline] do_raw_spin_lock+0x200/0x2b0 kernel/locking/spinlock_debug.c:113 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline] _raw_spin_lock_irqsave+0x41/0x50 kernel/locking/spinlock.c:159 skb_dequeue+0x1c/0x180 net/core/skbuff.c:3094 skb_queue_purge+0x21/0x30 net/core/skbuff.c:3132 hci_chan_del+0x14d/0x200 net/bluetooth/hci_conn.c:1783 l2cap_conn_del+0x478/0x7b0 net/bluetooth/l2cap_core.c:1906 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:8168 [inline] l2cap_disconn_cfm+0x98/0xd0 net/bluetooth/l2cap_core.c:8161 hci_disconn_cfm include/net/bluetooth/hci_core.h:1486 [inline] hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1598 hci_dev_do_close+0x569/0x1140 net/bluetooth/hci_core.c:1778 hci_unregister_dev+0x263/0x1150 net/bluetooth/hci_core.c:3989 vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340 __fput+0x288/0x920 fs/file_table.c:280 task_work_run+0xdd/0x1a0 kernel/task_work.c:140 exit_task_work include/linux/task_work.h:30 [inline] do_exit+0xbfc/0x2a80 kernel/exit.c:825 do_group_exit+0x125/0x310 kernel/exit.c:922 get_signal+0x47f/0x2210 kernel/signal.c:2781 arch_do_signal_or_restart+0x2a8/0x1eb0 arch/x86/kernel/signal.c:789 handle_signal_work kernel/entry/common.c:147 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x124/0x200 kernel/entry/common.c:208 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline] syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:301 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x4651c7 Code: Unable to access opcode bytes at RIP 0x46519d. RSP: 002b:00007ffea71497a8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000004651c7 RDX: 00007ffea71497e0 RSI: 00007ffea71497e0 RDI: 00007ffea7149870 RBP: 00007ffea7149870 R08: 0000000000000001 R09: 00007ffea7149640 R10: 0000000001aa5853 R11: 0000000000000206 R12: 00000000004ae4e9 R13: 00007ffea714a920 R14: 0000000001aa5810 R15: 0000000000000003 Modules linked in: ---[ end trace 2f79cd434fc308b1 ]--- RIP: 0010:__pv_queued_spin_lock_slowpath+0x55a/0xb40 kernel/locking/qspinlock.c:471 Code: 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 e5 04 00 00 4a 03 1c e5 e0 26 32 8b 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 b5 04 00 00 4c 8d 6b 14 48 89 6c 24 08 48 8b 2c RSP: 0018:ffffc900018df648 EFLAGS: 00010012 RAX: dffffc0000000000 RBX: 00000000025e1950 RCX: 0000000000000000 RDX: 00000000004bc32a RSI: ffffffff8159aa9f RDI: ffffffff8b330fb8 RBP: ffff888013198f38 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff88e7ec30 R11: 0000000000000000 R12: 0000000000001d1b R13: 0000000000000001 R14: 0000000000080000 R15: ffff8880b9d35f40 FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fdeda98d000 CR3: 0000000013381000 CR4: 0000000000350ee0