==================================================================
BUG: KASAN: slab-use-after-free in hci_cmd_work+0x66d/0x6d0
Read of size 2 at addr ffff88802079f678 by task kworker/u11:8/307

CPU: 1 UID: 0 PID: 307 Comm: kworker/u11:8 Not tainted 6.18.0-rc5-next-20251114 #1 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Workqueue: hci0 hci_cmd_work
Call Trace:
 dump_stack_lvl+0xca/0x120
 print_report+0xcb/0x610
 kasan_report+0xca/0x100
 hci_cmd_work+0x66d/0x6d0
 process_one_work+0x8e1/0x19c0
 worker_thread+0x67e/0xe90
 kthread+0x3c8/0x740
 ret_from_fork+0x67a/0x7a0
 ret_from_fork_asm+0x1a/0x30

Allocated by task 4821:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 __kasan_slab_alloc+0x59/0x70
 kmem_cache_alloc_node_noprof+0x228/0x6b0
 __alloc_skb+0x2ab/0x370
 hci_cmd_sync_alloc+0x34/0x300
 __hci_cmd_sync_sk+0xf7/0x5c0
 __hci_cmd_sync_status_sk+0x4d/0x1a0
 hci_cmd_sync_status+0x4c/0x70
 hci_dev_cmd+0x695/0x980
 hci_sock_ioctl+0x493/0x810
 sock_do_ioctl+0xd1/0x240
 sock_ioctl+0x40d/0x630
 __x64_sys_ioctl+0x18f/0x210
 do_syscall_64+0xbf/0x430
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 307:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3a/0x60
 __kasan_slab_free+0x43/0x70
 kmem_cache_free+0x26f/0x500
 kfree_skbmem+0x18a/0x1f0
 sk_skb_reason_drop+0x10e/0x1b0
 hci_send_frame+0x3a1/0x420
 hci_cmd_work+0x281/0x6d0
 process_one_work+0x8e1/0x19c0
 worker_thread+0x67e/0xe90
 kthread+0x3c8/0x740
 ret_from_fork+0x67a/0x7a0
 ret_from_fork_asm+0x1a/0x30

The buggy address belongs to the object at ffff88802079f640
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 56 bytes inside of
 freed 232-byte region [ffff88802079f640, ffff88802079f728)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2079f
memcg:ffff88801babbb01
flags: 0x100000000000000(node=0|zone=1)
page_type: f5(slab)
raw: 0100000000000000 ffff8880096c78c0 ffffea000034fc80 dead000000000004
raw: 0000000000000000 00000000800c000c 00000000f5000000 ffff88801babbb01
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88802079f500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88802079f580: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
>ffff88802079f600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
                                                                ^
 ffff88802079f680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802079f700: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
==================================================================
Bluetooth: hci0: Opcode 0x080f failed: -22
audit: type=1326 audit(1763296316.927:17): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=4825 comm="syz-executor.7" exe="/syz-executor.7" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f2e82108b19 code=0x0
audit: type=1326 audit(1763296317.753:18): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=4825 comm="syz-executor.7" exe="/syz-executor.7" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f2e82108b19 code=0x0
Bluetooth: hci0: command tx timeout
audit: type=1326 audit(1763296325.525:19): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=4849 comm="syz-executor.7" exe="/syz-executor.7" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f2e82108b19 code=0x0
audit: type=1400 audit(1763296325.560:20): avc: denied { watch_reads } for pid=4854 comm="syz-executor.4" path="/syzkaller-testdir821626568/syzkaller.I72Cu3/28/file0" dev="tmpfs" ino=1 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
sr 1:0:0:0: [sr0] tag#0 unaligned transfer
I/O error, dev sr0, sector 0 op 0x1:(WRITE) flags 0x800 phys_seg 3 prio class 2
Buffer I/O error on dev sr0, logical block 0, lost async page write
Buffer I/O error on dev sr0, logical block 1, lost async page write
Buffer I/O error on dev sr0, logical block 2, lost async page write