program:
syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="0200300c000800"], 0x11)
sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000240)=ANY=[@ANYBLOB="140000001000f0ffffff00000000000080000000000000001100010000000000000000000000000a"], 0x28}}, 0x0)
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
getsockopt$sock_cred(r0, 0x1, 0x11, &(0x7f0000000240)={0x0, 0x0}, &(0x7f0000000280)=0x5)
setuid(r2)
setpriority(0x2, 0xff, 0x0)
ioctl$FS_IOC_SET_ENCRYPTION_POLICY(0xffffffffffffffff, 0x40086602, 0x0)
timer_create(0x2, &(0x7f00000000c0)={0x0, 0x14, 0x2, @tid=r1}, &(0x7f0000000100)=0x0)
timer_settime(r3, 0x0, &(0x7f00000001c0)={{0x77359400}, {0x0, 0x3938700}}, &(0x7f0000000200))
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000000))
syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7)
syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi={{0x22, 0x55}, {0x6, [{@fixed={'\xaa\xaa\xaa\xaa\xaa', 0x12}, 0x6, 0x1, "b05988", 0x3, 0x1}, {@none, 0x5, 0xf4, "7ccc48", 0x77, 0x3}, {@any, 0x4, 0x1, "2b8834", 0xfffc, 0x1}, {@any, 0x81, 0x1, "613085", 0x4, 0x6}, {@none, 0xff, 0x4, "3fcfa7", 0x7, 0x5}, {@any, 0x8, 0x8, "feb2b0", 0x4}]}}}, 0x58)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)

[  102.227379][ T5304] Bluetooth: hci0: command tx timeout
[  102.350716][ T5323] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[  104.263856][ T4666] Bluetooth: hci0: command tx timeout
[  104.423511][ T5304] ==================================================================
[  104.427759][ T5304] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2a0
[  104.431223][ T5304] Write of size 4 at addr ffff88801fce8010 by task kworker/u5:2/5304
[  104.434573][ T5304]
[  104.435604][ T5304] CPU: 0 UID: 0 PID: 5304 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full)
[  104.435617][ T5304] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  104.435624][ T5304] Workqueue: hci0 hci_cmd_sync_work
[  104.435638][ T5304] Call Trace:
[  104.435643][ T5304]
[  104.435647][ T5304]  dump_stack_lvl+0xe8/0x150
[  104.435660][ T5304]  print_report+0xba/0x230
[  104.435671][ T5304]  ? hci_conn_drop+0x34/0x2a0
[  104.435680][ T5304]  kasan_report+0x117/0x150
[  104.435689][ T5304]  ? hci_conn_drop+0x34/0x2a0
[  104.435699][ T5304]  kasan_check_range+0x264/0x2c0
[  104.435708][ T5304]  hci_conn_drop+0x34/0x2a0
[  104.435717][ T5304]  ? __pfx_le_read_features_complete+0x10/0x10
[  104.435730][ T5304]  hci_cmd_sync_work+0x262/0x400
[  104.435742][ T5304]  ? process_scheduled_works+0xa8d/0x18c0
[  104.435758][ T5304]  process_scheduled_works+0xb6e/0x18c0
[  104.435778][ T5304]  ? __pfx_process_scheduled_works+0x10/0x10
[  104.435794][ T5304]  ? assign_work+0x3d5/0x5e0
[  104.435807][ T5304]  worker_thread+0xa53/0xfc0
[  104.435823][ T5304]  kthread+0x388/0x470
[  104.435831][ T5304]  ? __pfx_worker_thread+0x10/0x10
[  104.435842][ T5304]  ? __pfx_kthread+0x10/0x10
[  104.435849][ T5304]  ret_from_fork+0x51e/0xb90
[  104.435861][ T5304]  ? __pfx_ret_from_fork+0x10/0x10
[  104.435871][ T5304]  ? __switch_to+0xc7d/0x1450
[  104.435880][ T5304]  ? __pfx_kthread+0x10/0x10
[  104.435887][ T5304]  ret_from_fork_asm+0x1a/0x30
[  104.435902][ T5304]
[  104.435905][ T5304]
[  104.502297][ T5304] Allocated by task 5304:
[  104.504442][ T5304]  kasan_save_track+0x3e/0x80
[  104.506972][ T5304]  __kasan_kmalloc+0x93/0xb0
[  104.509211][ T5304]  __kmalloc_cache_noprof+0x31c/0x660
[  104.511617][ T5304]  __hci_conn_add+0x3c4/0x1e00
[  104.513952][ T5304]  le_conn_complete_evt+0x706/0x1430
[  104.516410][ T5304]  hci_le_enh_conn_complete_evt+0x189/0x490
[  104.519093][ T5304]  hci_event_packet+0x7af/0x12c0
[  104.521345][ T5304]  hci_rx_work+0x3ee/0x1030
[  104.523607][ T5304]  process_scheduled_works+0xb6e/0x18c0
[  104.526707][ T5304]  worker_thread+0xa53/0xfc0
[  104.529388][ T5304]  kthread+0x388/0x470
[  104.531323][ T5304]  ret_from_fork+0x51e/0xb90
[  104.533399][ T5304]  ret_from_fork_asm+0x1a/0x30
[  104.535516][ T5304]
[  104.536602][ T5304] Freed by task 4666:
[  104.538439][ T5304]  kasan_save_track+0x3e/0x80
[  104.540714][ T5304]  kasan_save_free_info+0x46/0x50
[  104.543048][ T5304]  __kasan_slab_free+0x5c/0x80
[  104.545703][ T5304]  kfree+0x1c1/0x630
[  104.547955][ T5304]  device_release+0x9e/0x1d0
[  104.550558][ T5304]  kobject_put+0x228/0x560
[  104.552655][ T5304]  hci_conn_del+0xc36/0x1230
[  104.554676][ T5304]  hci_disconn_complete_evt+0x64e/0x950
[  104.557204][ T5304]  hci_event_packet+0x805/0x12c0
[  104.559489][ T5304]  hci_rx_work+0x3ee/0x1030
[  104.561555][ T5304]  process_scheduled_works+0xb6e/0x18c0
[  104.564448][ T5304]  worker_thread+0xa53/0xfc0
[  104.567733][ T5304]  kthread+0x388/0x470
[  104.570437][ T5304]  ret_from_fork+0x51e/0xb90
[  104.572589][ T5304]  ret_from_fork_asm+0x1a/0x30
[  104.574815][ T5304]
[  104.575948][ T5304] The buggy address belongs to the object at ffff88801fce8000
[  104.575948][ T5304]  which belongs to the cache kmalloc-8k of size 8192
[  104.582342][ T5304] The buggy address is located 16 bytes inside of
[  104.582342][ T5304]  freed 8192-byte region [ffff88801fce8000, ffff88801fcea000)
[  104.588422][ T5304]
[  104.589831][ T5304] The buggy address belongs to the physical page:
[  104.594094][ T5304] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1fce8
[  104.598522][ T5304] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  104.602385][ T5304] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[  104.605839][ T5304] page_type: f5(slab)
[  104.607620][ T5304] raw: 00fff00000000040 ffff88801ac42280 dead000000000122 0000000000000000
[  104.611224][ T5304] raw: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000
[  104.615288][ T5304] head: 00fff00000000040 ffff88801ac42280 dead000000000122 0000000000000000
[  104.620085][ T5304] head: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000
[  104.624146][ T5304] head: 00fff00000000003 ffffea00007f3a01 00000000ffffffff 00000000ffffffff
[  104.628015][ T5304] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[  104.632469][ T5304] page dumped because: kasan: bad access detected
[  104.636711][ T5304] page_owner tracks the page as allocated
[  104.639751][ T5304] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1138, tgid 1138 (kworker/u4:10), ts 99774301804, free_ts 98852599918
[  104.649517][ T5304]  post_alloc_hook+0x231/0x280
[  104.652065][ T5304]  get_page_from_freelist+0x24dc/0x2580
[  104.654716][ T5304]  __alloc_frozen_pages_noprof+0x18d/0x380
[  104.657444][ T5304]  allocate_slab+0x77/0x660
[  104.659625][ T5304]  refill_objects+0x331/0x3c0
[  104.661849][ T5304]  __pcs_replace_empty_main+0x2e6/0x730
[  104.664452][ T5304]  __kmalloc_noprof+0x474/0x760
[  104.666752][ T5304]  __sta_info_alloc+0x93/0x2630
[  104.669054][ T5304]  ieee80211_ibss_add_sta+0x5b7/0x870
[  104.671547][ T5304]  ieee80211_ibss_rx_queued_mgmt+0x155e/0x2cd0
[  104.674269][ T5304]  ieee80211_iface_work+0x84e/0x1340
[  104.676624][ T5304]  cfg80211_wiphy_work+0x2ab/0x4a0
[  104.678981][ T5304]  process_scheduled_works+0xb6e/0x18c0
[  104.681498][ T5304]  worker_thread+0xa53/0xfc0
[  104.683608][ T5304]  kthread+0x388/0x470
[  104.685496][ T5304]  ret_from_fork+0x51e/0xb90
[  104.687557][ T5304] page last free pid 72 tgid 72 stack trace:
[  104.690284][ T5304]  free_unref_folios+0xed5/0x16d0
[  104.692540][ T5304]  shrink_folio_list+0x2a0f/0x5290
[  104.695036][ T5304]  evict_folios+0x4795/0x5880
[  104.697372][ T5304]  try_to_shrink_lruvec+0xb62/0xfa0
[  104.700120][ T5304]  shrink_one+0x25c/0x710
[  104.702569][ T5304]  shrink_node+0x3197/0x3a90
[  104.705057][ T5304]  kswapd+0x1742/0x2e10
[  104.707143][ T5304]  kthread+0x388/0x470
[  104.709058][ T5304]  ret_from_fork+0x51e/0xb90
[  104.711157][ T5304]  ret_from_fork_asm+0x1a/0x30
[  104.713391][ T5304]
[  104.714559][ T5304] Memory state around the buggy address:
[  104.717996][ T5304]  ffff88801fce7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  104.722064][ T5304]  ffff88801fce7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  104.725648][ T5304] >ffff88801fce8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  104.729364][ T5304]                    ^
[  104.731665][ T5304]  ffff88801fce8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  104.735958][ T5304]  ffff88801fce8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  104.739861][ T5304] ==================================================================
[  104.745059][ T5304] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[  104.748350][ T5304] CPU: 0 UID: 0 PID: 5304 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full)
[  104.753402][ T5304] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  104.758838][ T5304] Workqueue: hci0 hci_cmd_sync_work
[  104.761306][ T5304] Call Trace:
[  104.762794][ T5304]
[  104.764151][ T5304]  vpanic+0x56c/0xa60
[  104.765915][ T5304]  ? __pfx_vpanic+0x10/0x10
[  104.767866][ T5304]  panic+0xc5/0xd0
[  104.769583][ T5304]  ? __pfx_panic+0x10/0x10
[  104.771588][ T5304]  ? preempt_schedule_thunk+0x16/0x30
[  104.774215][ T5304]  ? preempt_schedule_thunk+0x16/0x30
[  104.777422][ T5304]  ? hci_conn_drop+0x34/0x2a0
[  104.780245][ T5304]  check_panic_on_warn+0x89/0xb0
[  104.782489][ T5304]  ? hci_conn_drop+0x34/0x2a0
[  104.784573][ T5304]  end_report+0x73/0x180
[  104.786465][ T5304]  ? hci_conn_drop+0x34/0x2a0
[  104.788562][ T5304]  kasan_report+0x128/0x150
[  104.790593][ T5304]  ? hci_conn_drop+0x34/0x2a0
[  104.792745][ T5304]  kasan_check_range+0x264/0x2c0
[  104.795307][ T5304]  hci_conn_drop+0x34/0x2a0
[  104.797731][ T5304]  ? __pfx_le_read_features_complete+0x10/0x10
[  104.801010][ T5304]  hci_cmd_sync_work+0x262/0x400
[  104.803242][ T5304]  ? process_scheduled_works+0xa8d/0x18c0
[  104.805635][ T5304]  process_scheduled_works+0xb6e/0x18c0
[  104.808076][ T5304]  ? __pfx_process_scheduled_works+0x10/0x10
[  104.810826][ T5304]  ? assign_work+0x3d5/0x5e0
[  104.813251][ T5304]  worker_thread+0xa53/0xfc0
[  104.815770][ T5304]  kthread+0x388/0x470
[  104.817866][ T5304]  ? __pfx_worker_thread+0x10/0x10
[  104.820299][ T5304]  ? __pfx_kthread+0x10/0x10
[  104.822280][ T5304]  ret_from_fork+0x51e/0xb90
[  104.824295][ T5304]  ? __pfx_ret_from_fork+0x10/0x10
[  104.826497][ T5304]  ? __switch_to+0xc7d/0x1450
[  104.828663][ T5304]  ? __pfx_kthread+0x10/0x10
[  104.831257][ T5304]  ret_from_fork_asm+0x1a/0x30
[  104.833740][ T5304]
[  104.835565][ T5304] Kernel Offset: disabled
[  104.837446][ T5304] Rebooting in 86400 seconds..