Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
==================================================================
BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
Read of size 2 at addr ffff88816ca6c338 by task kworker/u11:0/56

CPU: 0 UID: 0 PID: 56 Comm: kworker/u11:0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Workqueue: hci0 hci_cmd_work
Call Trace:
 dump_stack_lvl+0x189/0x250
 print_report+0xca/0x240
 kasan_report+0x118/0x150
 hci_cmd_work+0x5d0/0x7b0
 process_one_work+0x93a/0x15e0
 worker_thread+0x9b0/0xee0
 kthread+0x711/0x8a0
 ret_from_fork+0x599/0xb30
 ret_from_fork_asm+0x1a/0x30

Allocated by task 6001:
 kasan_save_track+0x3e/0x80
 __kasan_slab_alloc+0x6c/0x80
 kmem_cache_alloc_node_noprof+0x43c/0x710
 __alloc_skb+0x112/0x2d0
 hci_cmd_sync_alloc+0x3d/0x3b0
 __hci_cmd_sync_sk+0x1a7/0xc70
 hci_cmd_sync_status+0x4d/0x150
 hci_dev_cmd+0x431/0x7d0
 sock_do_ioctl+0xdc/0x300
 sock_ioctl+0x576/0x790
 __se_sys_ioctl+0xfc/0x170
 do_syscall_64+0xfa/0xfa0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 6003:
 kasan_save_track+0x3e/0x80
 kasan_save_free_info+0x46/0x50
 __kasan_slab_free+0x5c/0x80
 kmem_cache_free+0x197/0x640
 vhci_read+0x49a/0x5b0
 vfs_read+0x200/0xa30
 ksys_read+0x145/0x250
 do_syscall_64+0xfa/0xfa0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88816ca6c300
 which belongs to the cache skbuff_head_cache of size 240
The buggy address is located 56 bytes inside of
 freed 240-byte region [ffff88816ca6c300, ffff88816ca6c3f0)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x16ca6c
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000040 ffff8881616a78c0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000150015 00000000f5000000 0000000000000000
head: 057ff00000000040 ffff8881616a78c0 0000000000000000 dead000000000001
head: 0000000000000000 0000000000150015 00000000f5000000 0000000000000000
head: 057ff00000000001 ffffea0005b29b01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5291, tgid 5291 (udevd), ts 33642680595, free_ts 13452841945
 post_alloc_hook+0x240/0x2a0
 get_page_from_freelist+0x2365/0x2440
 __alloc_frozen_pages_noprof+0x181/0x370
 alloc_pages_mpol+0x232/0x4a0
 allocate_slab+0x86/0x3b0
 ___slab_alloc+0xf56/0x1990
 __slab_alloc+0x65/0x100
 kmem_cache_alloc_node_noprof+0x4ce/0x710
 __alloc_skb+0x112/0x2d0
 netlink_sendmsg+0x5c6/0xb30
 __sock_sendmsg+0x21c/0x270
 ____sys_sendmsg+0x505/0x870
 ___sys_sendmsg+0x21f/0x2a0
 __x64_sys_sendmsg+0x19b/0x260
 do_syscall_64+0xfa/0xfa0
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 9 tgid 9 stack trace:
 __free_frozen_pages+0xbc8/0xd30
 vfree+0x25a/0x400
 delayed_vfree_work+0x55/0x80
 process_one_work+0x93a/0x15e0
 worker_thread+0x9b0/0xee0
 kthread+0x711/0x8a0
 ret_from_fork+0x599/0xb30
 ret_from_fork_asm+0x1a/0x30

Memory state around the buggy address:
 ffff88816ca6c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
 ffff88816ca6c280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88816ca6c300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff88816ca6c380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
 ffff88816ca6c400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================