================================================================== BUG: KASAN: slab-use-after-free in hci_uart_write_work+0x81c/0x950 drivers/bluetooth/hci_ldisc.c:165 Read of size 4 at addr ffff88808087be30 by task kworker/0:3/5805 CPU: 0 UID: 0 PID: 5805 Comm: kworker/0:3 Tainted: G L syzkaller #0 PREEMPT(full) Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026 Workqueue: events hci_uart_write_work Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x156/0x4c9 mm/kasan/report.c:482 kasan_report+0xdf/0x1a0 mm/kasan/report.c:595 hci_uart_write_work+0x81c/0x950 drivers/bluetooth/hci_ldisc.c:165 process_one_work+0x9c2/0x1840 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x5da/0xe40 kernel/workqueue.c:3421 kthread+0x3b3/0x730 kernel/kthread.c:463 ret_from_fork+0x754/0xaf0 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 Allocated by task 5805: kasan_save_stack+0x30/0x50 mm/kasan/common.c:57 kasan_save_track+0x14/0x30 mm/kasan/common.c:78 unpoison_slab_object mm/kasan/common.c:340 [inline] __kasan_slab_alloc+0x89/0x90 mm/kasan/common.c:366 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4953 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_node_noprof+0x303/0x880 mm/slub.c:5315 __alloc_skb+0x156/0x410 net/core/skbuff.c:679 alloc_skb include/linux/skbuff.h:1383 [inline] bcsp_prepare_pkt+0xe0/0xa90 drivers/bluetooth/hci_bcsp.c:218 bcsp_dequeue+0x237/0x4b0 drivers/bluetooth/hci_bcsp.c:308 hci_uart_dequeue drivers/bluetooth/hci_ldisc.c:107 [inline] hci_uart_write_work+0x4d9/0x950 drivers/bluetooth/hci_ldisc.c:161 process_one_work+0x9c2/0x1840 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x5da/0xe40 kernel/workqueue.c:3421 kthread+0x3b3/0x730 kernel/kthread.c:463 ret_from_fork+0x754/0xaf0 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 The buggy address belongs to the object at ffff88808087bdc0 which belongs to the cache skbuff_head_cache of size 240 The buggy address is located 112 bytes inside of freed 240-byte region [ffff88808087bdc0, ffff88808087beb0) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8087b memcg:ffff888053d4af01 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000000 ffff88801da9f8c0 ffffea0002022940 dead000000000004 raw: 0000000000000000 00000000000c000c 00000000f5000000 ffff888053d4af01 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5484, tgid 5484 (dhcpcd), ts 939172685770, free_ts 939114137040 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1e1/0x250 mm/page_alloc.c:1884 prep_new_page mm/page_alloc.c:1892 [inline] get_page_from_freelist+0xe3d/0x2e10 mm/page_alloc.c:3945 __alloc_frozen_pages_noprof+0x26c/0x2410 mm/page_alloc.c:5240 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2486 alloc_slab_page mm/slub.c:3075 [inline] allocate_slab mm/slub.c:3248 [inline] new_slab+0x2c4/0x440 mm/slub.c:3302 ___slab_alloc+0xda3/0x1ca0 mm/slub.c:4656 __slab_alloc.isra.0+0x63/0x110 mm/slub.c:4779 __slab_alloc_node mm/slub.c:4855 [inline] slab_alloc_node mm/slub.c:5251 [inline] kmem_cache_alloc_node_noprof+0x51e/0x880 mm/slub.c:5315 __alloc_skb+0x156/0x410 net/core/skbuff.c:679 alloc_skb include/linux/skbuff.h:1383 [inline] alloc_skb_with_frags+0xe0/0x810 net/core/skbuff.c:6715 sock_alloc_send_pskb+0x801/0x980 net/core/sock.c:2995 unix_dgram_sendmsg+0x3c7/0x1820 net/unix/af_unix.c:2130 unix_seqpacket_sendmsg+0x12a/0x1d0 net/unix/af_unix.c:2531 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg net/socket.c:742 [inline] sock_write_iter+0x566/0x610 net/socket.c:1195 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x6ac/0x1070 fs/read_write.c:686 ksys_write+0x1f8/0x250 fs/read_write.c:738 page last free pid 5818 tgid 5818 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1433 [inline] __free_frozen_pages+0x822/0x1130 mm/page_alloc.c:2973 __pagetable_free include/linux/mm.h:3204 [inline] pagetable_free include/linux/mm.h:3228 [inline] pagetable_dtor_free include/linux/mm.h:3332 [inline] __pgd_free include/asm-generic/pgalloc.h:303 [inline] _pgd_free arch/x86/mm/pgtable.c:319 [inline] pgd_free+0x3f4/0x560 arch/x86/mm/pgtable.c:381 mm_free_pgd kernel/fork.c:584 [inline] __mmdrop+0xe5/0x750 kernel/fork.c:726 mmdrop include/linux/sched/mm.h:55 [inline] mmdrop_sched include/linux/sched/mm.h:83 [inline] mmdrop_lazy_tlb_sched include/linux/sched/mm.h:110 [inline] finish_task_switch.isra.0+0x76e/0xb70 kernel/sched/core.c:5143 context_switch kernel/sched/core.c:5263 [inline] __schedule+0xfec/0x5e10 kernel/sched/core.c:6867 __schedule_loop kernel/sched/core.c:6949 [inline] schedule+0xdd/0x390 kernel/sched/core.c:6964 do_nanosleep+0x206/0x560 kernel/time/hrtimer.c:2116 hrtimer_nanosleep+0x156/0x360 kernel/time/hrtimer.c:2163 common_nsleep+0xa1/0xd0 kernel/time/posix-timers.c:1352 __do_sys_clock_nanosleep kernel/time/posix-timers.c:1398 [inline] __se_sys_clock_nanosleep kernel/time/posix-timers.c:1375 [inline] __x64_sys_clock_nanosleep+0x336/0x480 kernel/time/posix-timers.c:1375 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc9/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff88808087bd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc ffff88808087bd80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb >ffff88808087be00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88808087be80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc ffff88808087bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================