==================================================================
BUG: KASAN: slab-use-after-free in __mutex_waiter_is_first kernel/locking/mutex.c:199 [inline]
BUG: KASAN: slab-use-after-free in __mutex_lock_common+0xd18/0x2678 kernel/locking/mutex.c:694
Read of size 8 at addr ffff0000dc6280a8 by task khidpd_15c25886/6784

CPU: 0 UID: 0 PID: 6784 Comm: khidpd_15c25886 Tainted: G L syzkaller #0 PREEMPT
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x238 mm/kasan/report.c:378
 print_report+0x68/0x84 mm/kasan/report.c:482
 kasan_report+0xb0/0x110 mm/kasan/report.c:595
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 __mutex_waiter_is_first kernel/locking/mutex.c:199 [inline]
 __mutex_lock_common+0xd18/0x2678 kernel/locking/mutex.c:694
 __mutex_lock kernel/locking/mutex.c:776 [inline]
 mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:828
 l2cap_unregister_user+0x74/0x190 net/bluetooth/l2cap_core.c:1729
 hidp_session_thread+0x3d0/0x490 net/bluetooth/hidp/core.c:1304
 kthread+0x5fc/0x75c kernel/kthread.c:463
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844

Allocated by task 6563:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:78
 kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:570
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __do_kmalloc_node mm/slub.c:5657 [inline]
 __kmalloc_node_track_caller_noprof+0x510/0x778 mm/slub.c:5764
 kmalloc_reserve+0x124/0x268 net/core/skbuff.c:608
 __alloc_skb+0x208/0x3b0 net/core/skbuff.c:690
 alloc_skb include/linux/skbuff.h:1383 [inline]
 alloc_skb_with_frags+0xb8/0x678 net/core/skbuff.c:6712
 sock_alloc_send_pskb+0x758/0x874 net/core/sock.c:2995
 unix_dgram_sendmsg+0x39c/0x132c net/unix/af_unix.c:2130
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg net/socket.c:742 [inline]
 sock_write_iter+0x298/0x3d0 net/socket.c:1195
 new_sync_write fs/read_write.c:593 [inline]
 vfs_write+0x540/0xa3c fs/read_write.c:686
 ksys_write+0x120/0x210 fs/read_write.c:738
 __do_sys_write fs/read_write.c:749 [inline]
 __se_sys_write fs/read_write.c:746 [inline]
 __arm64_sys_write+0x7c/0x90 fs/read_write.c:746
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x254 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x5c/0x26c arch/arm64/kernel/entry-common.c:724
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:743
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596

Freed by task 6210:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:78
 kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x74/0xa4 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2540 [inline]
 slab_free mm/slub.c:6670 [inline]
 kfree+0x1c4/0x5fc mm/slub.c:6878
 skb_kfree_head net/core/skbuff.c:1068 [inline]
 skb_free_head+0xe4/0x198 net/core/skbuff.c:1080
 skb_release_data+0x4d4/0x664 net/core/skbuff.c:1107
 skb_release_all net/core/skbuff.c:1182 [inline]
 __kfree_skb net/core/skbuff.c:1196 [inline]
 consume_skb+0xb0/0x130 net/core/skbuff.c:1428
 skb_free_datagram+0x20/0x30 net/core/datagram.c:324
 __unix_dgram_recvmsg+0x7ec/0xb7c net/unix/af_unix.c:2658
 unix_dgram_recvmsg+0xd0/0xe8 net/unix/af_unix.c:2675
 sock_recvmsg_nosec net/socket.c:1078 [inline]
 sock_recvmsg net/socket.c:1100 [inline]
 ____sys_recvmsg+0x24c/0x744 net/socket.c:2812
 ___sys_recvmsg+0x188/0x45c net/socket.c:2854
 __sys_recvmsg net/socket.c:2887 [inline]
 __do_sys_recvmsg net/socket.c:2893 [inline]
 __se_sys_recvmsg net/socket.c:2890 [inline]
 __arm64_sys_recvmsg+0x180/0x234 net/socket.c:2890
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x254 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x5c/0x26c arch/arm64/kernel/entry-common.c:724
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:743
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596

The buggy address belongs to the object at ffff0000dc628000
 which belongs to the cache kmalloc-cg-512 of size 512
The buggy address is located 168 bytes inside of
 freed 512-byte region [ffff0000dc628000, ffff0000dc628200)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11c628
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff0000e9cfad01
flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000040 ffff0000c000b140 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080100010 00000000f5000000 ffff0000e9cfad01
head: 05ffc00000000040 ffff0000c000b140 dead000000000122 0000000000000000
head: 0000000000000000 0000000080100010 00000000f5000000 ffff0000e9cfad01
head: 05ffc00000000002 fffffdffc3718a01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000dc627f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000dc628000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000dc628080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff0000dc628100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000dc628180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
slab kmalloc-cg-512 start ffff0000dc628000 pointer offset 168 size 512
list_del corruption. prev->next should be ffff8000a10e7ba0, but was 0000000000000000. (prev=ffff0000dc6280a8)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:64!
Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
Modules linked in:
CPU: 0 UID: 0 PID: 6784 Comm: khidpd_15c25886 Tainted: G B L syzkaller #0 PREEMPT
Tainted: [B]=BAD_PAGE, [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
pstate: 634000c5 (nZCv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : __list_del_entry_valid_or_report+0x17c/0x1b4 lib/list_debug.c:62
lr : __list_del_entry_valid_or_report+0x17c/0x1b4 lib/list_debug.c:62
sp : ffff8000a10e7a00
x29: ffff8000a10e7a00 x28: ffff8000a10e7ba0 x27: ffff8000a10e7b80
x26: ffff0000cb8026d8 x25: 0000000000000000 x24: dfff800000000000
x23: 1fffe0001b8c5015 x22: dfff800000000000 x21: ffff0000dc6280a8
x20: ffff0000dc6280a8 x19: ffff8000a10e7ba0 x18: 1fffe0003377d090
x17: 20747562202c3061 x16: ffff800082e5e68c x15: 0000000000000001
x14: 1ffff0001229b888 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000871 x10: 0000000000ff0100 x9 : a182f5e9975e7100
x8 : a182f5e9975e7100 x7 : 0000000000000001 x6 : ffff8000805761f8
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000807f1034
x2 : 0000000000000001 x1 : 0000000100000002 x0 : 000000000000006d
Call trace:
 __list_del_entry_valid_or_report+0x17c/0x1b4 lib/list_debug.c:62 (P)
 __list_del_entry_valid include/linux/list.h:132 [inline]
 __list_del_entry include/linux/list.h:223 [inline]
 list_del include/linux/list.h:237 [inline]
 __mutex_remove_waiter kernel/locking/mutex.c:221 [inline]
 __mutex_lock_common+0x114c/0x2678 kernel/locking/mutex.c:742
 __mutex_lock kernel/locking/mutex.c:776 [inline]
 mutex_lock_nested+0x2c/0x38 kernel/locking/mutex.c:828
 l2cap_unregister_user+0x74/0x190 net/bluetooth/l2cap_core.c:1729
 hidp_session_thread+0x3d0/0x490 net/bluetooth/hidp/core.c:1304
 kthread+0x5fc/0x75c kernel/kthread.c:463
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844
Code: 91058000 aa1303e1 aa1503e3 974a97c3 (d4210000)
---[ end trace 0000000000000000 ]---