Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
==================================================================
BUG: KFENCE: use-after-free read in hci_cmd_work+0x33d/0x7b0 net/bluetooth/hci_core.c:4174

Use-after-free read at 0xffff88823be86f38 (in kfence-#66):
 hci_cmd_work+0x33d/0x7b0 net/bluetooth/hci_core.c:4174
 process_one_work+0x93a/0x15e0 kernel/workqueue.c:3261
 process_scheduled_works kernel/workqueue.c:3344 [inline]
 worker_thread+0x9b0/0xee0 kernel/workqueue.c:3425
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x599/0xb30 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

kfence-#66: 0xffff88823be86f00-0xffff88823be86fef, size=240, cache=skbuff_head_cache

allocated by task 5841 on cpu 0 at 102.001449s (0.075459s ago):
 __alloc_skb+0x112/0x2d0 net/core/skbuff.c:664
 alloc_skb include/linux/skbuff.h:1383 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
 hci_cmd_sync_alloc+0x3d/0x3b0 net/bluetooth/hci_sync.c:58
 hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
 __hci_cmd_sync_sk+0x1a7/0xc70 net/bluetooth/hci_sync.c:168
 __hci_cmd_sync_status_sk net/bluetooth/hci_sync.c:263 [inline]
 __hci_cmd_sync_status net/bluetooth/hci_sync.c:287 [inline]
 hci_read_dev_class_sync+0x2c/0x120 net/bluetooth/hci_sync.c:3768
 hci_init_stage_sync net/bluetooth/hci_sync.c:3623 [inline]
 hci_init2_sync net/bluetooth/hci_sync.c:4047 [inline]
 hci_init_sync net/bluetooth/hci_sync.c:4881 [inline]
 hci_dev_init_sync net/bluetooth/hci_sync.c:5066 [inline]
 hci_dev_open_sync+0x227c/0x2dc0 net/bluetooth/hci_sync.c:5144
 hci_dev_do_open net/bluetooth/hci_core.c:430 [inline]
 hci_power_on+0x1b4/0x720 net/bluetooth/hci_core.c:959
 process_one_work+0x93a/0x15e0 kernel/workqueue.c:3261
 process_scheduled_works kernel/workqueue.c:3344 [inline]
 worker_thread+0x9b0/0xee0 kernel/workqueue.c:3425
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x599/0xb30 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

freed by task 5840 on cpu 1 at 102.001762s (0.137767s ago):
 kfree_skb_reason include/linux/skbuff.h:1322 [inline]
 kfree_skb include/linux/skbuff.h:1331 [inline]
 vhci_read+0x49a/0x5b0 drivers/bluetooth/hci_vhci.c:593
 vfs_read+0x200/0xa30 fs/read_write.c:570
 ksys_read+0x145/0x250 fs/read_write.c:715
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 UID: 0 PID: 5842 Comm: kworker/u9:4 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: hci3 hci_cmd_work
RIP: 0010:hci_cmd_work+0x33d/0x7b0 net/bluetooth/hci_core.c:4174
Code: f7 4d 89 27 4c 8b 2c 24 49 bc 00 00 00 00 00 fc ff df 49 83 c6 38 4c 89 f0 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 7b 02 00 00 <41> 0f b7 2e 31 ff 89 ee e8 56 9a 6c f7 85 ed 74 51 e8 0d 36 53 f7
RSP: 0018:ffffc9000412fa38 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff110065649ab RCX: ffffffff8931f833
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff8880604d5860
RBP: 0000000000000001 R08: ffff8880604d5863 R09: 1ffff1100c09ab0c
R10: dffffc0000000000 R11: ffffed100c09ab0d R12: dffffc0000000000
R13: ffff888032b24b18 R14: ffff88823be86f38 R15: ffff888032b24e50
FS: 0000000000000000(0000) GS:ffff888125dbb000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823be86f38 CR3: 000000006748a000 CR4: 00000000003526f0
Call Trace:
 process_one_work+0x93a/0x15e0 kernel/workqueue.c:3261
 process_scheduled_works kernel/workqueue.c:3344 [inline]
 worker_thread+0x9b0/0xee0 kernel/workqueue.c:3425
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x599/0xb30 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
==================================================================
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:   4d 89 27                mov    %r12,(%r15)
   3:   4c 8b 2c 24             mov    (%rsp),%r13
   7:   49 bc 00 00 00 00 00    movabs $0xdffffc0000000000,%r12
   e:   fc ff df
  11:   49 83 c6 38             add    $0x38,%r14
  15:   4c 89 f0                mov    %r14,%rax
  18:   48 c1 e8 03             shr    $0x3,%rax
  1c:   42 0f b6 04 20          movzbl (%rax,%r12,1),%eax
  21:   84 c0                   test   %al,%al
  23:   0f 85 7b 02 00 00       jne    0x2a4
* 29:   41 0f b7 2e             movzwl (%r14),%ebp              <-- trapping instruction
  2d:   31 ff                   xor    %edi,%edi
  2f:   89 ee                   mov    %ebp,%esi
  31:   e8 56 9a 6c f7          call   0xf76c9a8c
  36:   85 ed                   test   %ebp,%ebp
  38:   74 51                   je     0x8b
  3a:   e8 0d 36 53 f7          call   0xf753364c