==================================================================
Bluetooth: hci0: Opcode 0x0c20 failed: -22
BUG: KASAN: slab-use-after-free in hci_cmd_work+0x66d/0x6d0
Read of size 2 at addr ffff8880556dd038 by task kworker/u11:1/291

CPU: 1 UID: 0 PID: 291 Comm: kworker/u11:1 Not tainted 6.18.0-rc5-next-20251114 #1 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Workqueue: hci0 hci_cmd_work
Call Trace:
 dump_stack_lvl+0xca/0x120
 print_report+0xcb/0x610
 kasan_report+0xca/0x100
 hci_cmd_work+0x66d/0x6d0
 process_one_work+0x8e1/0x19c0
 worker_thread+0x67e/0xe90
 kthread+0x3c8/0x740
 ret_from_fork+0x67a/0x7a0
 ret_from_fork_asm+0x1a/0x30
Bluetooth: hci0: Opcode 0x0c20 failed: -4

Allocated by task 61223:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 __kasan_slab_alloc+0x59/0x70
 kmem_cache_alloc_node_noprof+0x228/0x6b0
 __alloc_skb+0x2ab/0x370
 hci_cmd_sync_alloc+0x34/0x300
 __hci_cmd_sync_sk+0xf7/0x5c0
 __hci_cmd_sync_status_sk+0x4d/0x1a0
 hci_cmd_sync_status+0x4c/0x70
 hci_dev_cmd+0x3c1/0x980
 hci_sock_ioctl+0x493/0x810
 sock_do_ioctl+0xd1/0x240
 sock_ioctl+0x40d/0x630
 __x64_sys_ioctl+0x18f/0x210
 do_syscall_64+0xbf/0x430
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 291:
 kasan_save_stack+0x24/0x50
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3a/0x60
 __kasan_slab_free+0x43/0x70
 kmem_cache_free+0x26f/0x500
 kfree_skbmem+0x18a/0x1f0
 sk_skb_reason_drop+0x10e/0x1b0
 hci_send_frame+0x3a1/0x420
 hci_cmd_work+0x281/0x6d0
 process_one_work+0x8e1/0x19c0
 worker_thread+0x67e/0xe90
 kthread+0x3c8/0x740
 ret_from_fork+0x67a/0x7a0
 ret_from_fork_asm+0x1a/0x30

The buggy address belongs to the object at ffff8880556dd000
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 56 bytes inside of
 freed 232-byte region [ffff8880556dd000, ffff8880556dd0e8)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x556dd
flags: 0x100000000000000(node=0|zone=1)
page_type: f5(slab)
raw: 0100000000000000 ffff8880096c78c0 ffffea00002a9d00 dead000000000008
raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880556dcf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880556dcf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880556dd000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff8880556dd080: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
 ffff8880556dd100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
==================================================================
Bluetooth: hci0: Opcode 0x0c20 failed: -22
Bluetooth: hci0: Opcode 0x0c20 failed: -22
Bluetooth: hci0: Opcode 0x0c20 failed: -22
Bluetooth: hci0: command tx timeout
audit: type=1326 audit(1763108188.245:186): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=61826 comm="syz-executor.6" exe="/syz-executor.6" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f989661eb19 code=0x0
audit: type=1326 audit(1763108189.069:187): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=61826 comm="syz-executor.6" exe="/syz-executor.6" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f989661eb19 code=0x0
audit: type=1326 audit(1763108189.187:188): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=62194 comm="syz-executor.6" exe="/syz-executor.6" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f989661eb19 code=0x0
audit: type=1326 audit(1763108190.125:189): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=62501 comm="syz-executor.6" exe="/syz-executor.6" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f989661eb19 code=0x0
Bluetooth: MGMT ver 1.23
loop4: detected capacity change from 0 to 264192
audit: type=1326 audit(1763108191.054:190): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=63041 comm="syz-executor.6" exe="/syz-executor.6" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f989661eb19 code=0x0
loop4: detected capacity change from 0 to 264192
loop2: detected capacity change from 0 to 264192
loop2: detected capacity change from 0 to 264192
tmpfs: Invalid gid '0x00000000ffffffff'
loop2: detected capacity change from 0 to 264192
tmpfs: Invalid gid '0x00000000ffffffff'
tmpfs: Invalid gid '0x00000000ffffffff'
tmpfs: Invalid gid '0x00000000ffffffff'
tmpfs: Invalid gid '0x00000000ffffffff'
tmpfs: Invalid gid '0x00000000ffffffff'
tmpfs: Invalid gid '0x00000000ffffffff'
tmpfs: Invalid gid '0x00000000ffffffff'
tmpfs: Invalid gid '0x00000000ffffffff'
tmpfs: Invalid gid '0x00000000ffffffff'
tmpfs: Invalid gid '0x00000000ffffffff'
tmpfs: Invalid gid '0x00000000ffffffff'
tmpfs: Invalid gid '0x00000000ffffffff'
tmpfs: Invalid gid '0x00000000ffffffff'
tmpfs: Invalid gid '0x00000000ffffffff'
tmpfs: Invalid gid '0x00000000ffffffff'
cgroup2: Unknown parameter 'rlimit'
loop2: detected capacity change from 0 to 128
loop3: detected capacity change from 0 to 128
loop2: detected capacity change from 0 to 128
loop3: detected capacity change from 0 to 128
loop2: detected capacity change from 0 to 128
loop1: detected capacity change from 0 to 128
loop3: detected capacity change from 0 to 128
loop1: detected capacity change from 0 to 128
loop1: detected capacity change from 0 to 128
sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s
sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current]
sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present
sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 00 00 00 00 06 00
blk_print_req_error: 14 callbacks suppressed
I/O error, dev sr0, sector 0 op 0x0:(READ) flags 0x200000 phys_seg 3 prio class 2
sr 1:0:0:0: [sr0] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_OK cmd_age=0s
sr 1:0:0:0: [sr0] tag#0 Sense Key : Not Ready [current]
sr 1:0:0:0: [sr0] tag#0 Add. Sense: Medium not present
sr 1:0:0:0: [sr0] tag#0 CDB: Read(10) 28 00 00 00 00 00 00 00 06 00
I/O error, dev sr0, sector 0 op 0x0:(READ) flags 0x200000 phys_seg 2 prio class 2