================================================================== BUG: KASAN: use-after-free in __mutex_waiter_is_first kernel/locking/mutex.c:197 [inline] BUG: KASAN: use-after-free in __mutex_lock_common+0xb10/0x1f60 kernel/locking/mutex.c:681 Read of size 8 at addr ffff0000f67b0060 by task khidpd_16bf5505/5962 CPU: 0 PID: 5962 Comm: khidpd_16bf5505 Not tainted syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025 Call trace: dump_backtrace+0x1c0/0x1ec arch/arm64/kernel/stacktrace.c:158 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165 __dump_stack+0x30/0x40 lib/dump_stack.c:88 dump_stack_lvl+0xf4/0x15c lib/dump_stack.c:106 print_address_description+0x88/0x218 mm/kasan/report.c:316 print_report+0x50/0x68 mm/kasan/report.c:420 kasan_report+0xa8/0xfc mm/kasan/report.c:524 __asan_report_load8_noabort+0x2c/0x38 mm/kasan/report_generic.c:351 __mutex_waiter_is_first kernel/locking/mutex.c:197 [inline] __mutex_lock_common+0xb10/0x1f60 kernel/locking/mutex.c:681 __mutex_lock kernel/locking/mutex.c:747 [inline] mutex_lock_nested+0x38/0x44 kernel/locking/mutex.c:799 l2cap_unregister_user+0x70/0x18c net/bluetooth/l2cap_core.c:1895 hidp_session_thread+0x3e8/0x478 net/bluetooth/hidp/core.c:1305 kthread+0x250/0x2d8 kernel/kthread.c:376 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:850 The buggy address belongs to the physical page: page:0000000054ab392b refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1367b0 flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff) raw: 05ffc00000000000 fffffc0003b5f308 ffff00019f56eeb0 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000f67aff00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff0000f67aff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff0000f67b0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff0000f67b0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff0000f67b0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== ================================================================================ UBSAN: array-index-out-of-bounds in kernel/locking/qspinlock.c:131:9 index 5831 is out of range for type 'unsigned long[8]' CPU: 0 PID: 5962 Comm: khidpd_16bf5505 Tainted: G B syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025 Call trace: dump_backtrace+0x1c0/0x1ec arch/arm64/kernel/stacktrace.c:158 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165 __dump_stack+0x30/0x40 lib/dump_stack.c:88 dump_stack_lvl+0xf4/0x15c lib/dump_stack.c:106 dump_stack+0x1c/0x5c lib/dump_stack.c:113 ubsan_epilogue+0x14/0x48 lib/ubsan.c:151 __ubsan_handle_out_of_bounds+0xd0/0xf8 lib/ubsan.c:282 decode_tail kernel/locking/qspinlock.c:131 [inline] queued_spin_lock_slowpath+0x8a8/0xc18 kernel/locking/qspinlock.c:471 queued_spin_lock include/asm-generic/qspinlock.h:114 [inline] do_raw_spin_lock+0x2f4/0x2f8 kernel/locking/spinlock_debug.c:115 __raw_spin_lock include/linux/spinlock_api_smp.h:134 [inline] _raw_spin_lock+0x5c/0x6c kernel/locking/spinlock.c:154 __mutex_unlock_slowpath+0x2e4/0x5dc kernel/locking/mutex.c:932 mutex_unlock+0x24/0x30 kernel/locking/mutex.c:543 l2cap_unregister_user+0x170/0x18c net/bluetooth/l2cap_core.c:1904 hidp_session_thread+0x3e8/0x478 net/bluetooth/hidp/core.c:1305 kthread+0x250/0x2d8 kernel/kthread.c:376 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:850 ================================================================================