Bluetooth: hci6: unexpected cc 0x1001 length: 249 > 9 Bluetooth: hci6: unexpected cc 0x0c23 length: 249 > 4 Bluetooth: hci6: unexpected cc 0x0c38 length: 249 > 2 ================================================================== BUG: KASAN: slab-use-after-free in hci_cmd_work+0x66d/0x6d0 Read of size 2 at addr ffff88800d88c7b8 by task kworker/u11:6/305 CPU: 1 UID: 0 PID: 305 Comm: kworker/u11:6 Not tainted 6.18.0-rc5-next-20251114 #1 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 Workqueue: hci6 hci_cmd_work Call Trace: dump_stack_lvl+0xca/0x120 print_report+0xcb/0x610 kasan_report+0xca/0x100 hci_cmd_work+0x66d/0x6d0 process_one_work+0x8e1/0x19c0 worker_thread+0x67e/0xe90 kthread+0x3c8/0x740 ret_from_fork+0x67a/0x7a0 ret_from_fork_asm+0x1a/0x30 Allocated by task 296: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 __kasan_slab_alloc+0x59/0x70 kmem_cache_alloc_node_noprof+0x228/0x6b0 __alloc_skb+0x2ab/0x370 hci_cmd_sync_alloc+0x34/0x300 __hci_cmd_sync_sk+0xf7/0x5c0 hci_write_ca_timeout_sync+0x8f/0x1e0 hci_dev_open_sync+0x1874/0x1f60 hci_power_on+0xdb/0x5d0 process_one_work+0x8e1/0x19c0 worker_thread+0x67e/0xe90 kthread+0x3c8/0x740 ret_from_fork+0x67a/0x7a0 ret_from_fork_asm+0x1a/0x30 Freed by task 4567: kasan_save_stack+0x24/0x50 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3a/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0x26f/0x500 kfree_skbmem+0x18a/0x1f0 sk_skb_reason_drop+0x10e/0x1b0 vhci_read+0x3d5/0x5d0 vfs_read+0x1eb/0xc70 ksys_read+0x121/0x240 do_syscall_64+0xbf/0x430 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88800d88c780 which belongs to the cache skbuff_head_cache of size 232 The buggy address is located 56 bytes inside of freed 232-byte region [ffff88800d88c780, ffff88800d88c868) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xd88c anon flags: 0x100000000000000(node=0|zone=1) page_type: f5(slab) raw: 0100000000000000 ffff8880096c78c0 ffffea000037d880 0000000000000003 raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88800d88c680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88800d88c700: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc >ffff88800d88c780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88800d88c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ffff88800d88c880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== scsi_io_completion_action: 93 callbacks suppressed sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current] sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 00 00 00 00 40 00 blk_print_req_error: 92 callbacks suppressed I/O error, dev sr0, sector 0 op 0x0:(READ) flags 0x84700 phys_seg 32 prio class 2 sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current] sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 00 40 00 00 40 00 I/O error, dev sr0, sector 256 op 0x0:(READ) flags 0x84700 phys_seg 32 prio class 2 sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current] sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 00 80 00 00 40 00 I/O error, dev sr0, sector 512 op 0x0:(READ) flags 0x84700 phys_seg 32 prio class 2 sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current] sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 00 c0 00 00 40 00 I/O error, dev sr0, sector 768 op 0x0:(READ) flags 0x84700 phys_seg 32 prio class 2 sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current] sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 01 00 00 00 40 00 I/O error, dev sr0, sector 1024 op 0x0:(READ) flags 0x84700 phys_seg 32 prio class 2 sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current] sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 01 40 00 00 40 00 I/O error, dev sr0, sector 1280 op 0x0:(READ) flags 0x84700 phys_seg 32 prio class 2 sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current] sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 01 80 00 00 40 00 I/O error, dev sr0, sector 1536 op 0x0:(READ) flags 0x84700 phys_seg 32 prio class 2 sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current] sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 01 c0 00 00 40 00 I/O error, dev sr0, sector 1792 op 0x0:(READ) flags 0x80700 phys_seg 32 prio class 2 sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current] sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 02 00 00 00 40 00 I/O error, dev sr0, sector 2048 op 0x0:(READ) flags 0x84700 phys_seg 32 prio class 2 sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current] sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 02 40 00 00 40 00 I/O error, dev sr0, sector 2304 op 0x0:(READ) flags 0x84700 phys_seg 32 prio class 2 Bluetooth: hci6: command tx timeout Bluetooth: hci6: command tx timeout Bluetooth: hci6: command tx timeout scsi_io_completion_action: 361 callbacks suppressed sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current] sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 5b b0 00 00 40 00 blk_print_req_error: 361 callbacks suppressed I/O error, dev sr0, sector 93888 op 0x0:(READ) flags 0x84700 phys_seg 3 prio class 2 sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current] sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 5b f0 00 00 40 00 I/O error, dev sr0, sector 94144 op 0x0:(READ) flags 0x84700 phys_seg 3 prio class 2 sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current] sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 5c 30 00 00 40 00 I/O error, dev sr0, sector 94400 op 0x0:(READ) flags 0x84700 phys_seg 3 prio class 2 sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current] sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 5c 70 00 00 40 00 I/O error, dev sr0, sector 94656 op 0x0:(READ) flags 0x84700 phys_seg 3 prio class 2 sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current] sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 5c b0 00 00 40 00 I/O error, dev sr0, sector 94912 op 0x0:(READ) flags 0x84700 phys_seg 3 prio class 2 sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current] sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 5c f0 00 00 40 00 I/O error, dev sr0, sector 95168 op 0x0:(READ) flags 0x84700 phys_seg 3 prio class 2 sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current] sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 5d 30 00 00 40 00 I/O error, dev sr0, sector 95424 op 0x0:(READ) flags 0x84700 phys_seg 3 prio class 2 sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current] sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 5d 70 00 00 40 00 I/O error, dev sr0, sector 95680 op 0x0:(READ) flags 0x84700 phys_seg 3 prio class 2 sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current] sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 5d b0 00 00 40 00 I/O error, dev sr0, sector 95936 op 0x0:(READ) flags 0x84700 phys_seg 3 prio class 2 sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current] sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 5d f0 00 00 40 00 I/O error, dev sr0, sector 96192 op 0x0:(READ) flags 0x84700 phys_seg 3 prio class 2 Bluetooth: hci6: command tx timeout