From: Philipp Weber To: syzbot+d06554f43a8fb48030b0@syzkaller.appspotmail.com Cc: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com Subject: Re: [syzbot] [bluetooth?] [usb?] KASAN: slab-use-after-free Read in skb_dequeue (2) Date: Tue, 19 May 2026 17:35:00 +0200 Message-ID: <20260519153500.12948-1-kernel@phwe.de> X-Mailer: git-send-email 2.53.0 In-Reply-To: <6a0c3fc4.a00a0220.2ee31e.0002.GAE@google.com> References: <6a0c3fc4.a00a0220.2ee31e.0002.GAE@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-PPP-Message-ID: <177920492186.3415773.5980961259216995636@mxe95c.netcup.net> X-NC-CID: 6V9nxoB1oKXHgns1Mo6tPyvrU19tXU+7RxXyFgxsHQ== #syz test Drain rx_work in btusb_disconnect() before kfree(data) so that any work item rescheduled by a late URB completion callback during btusb_close() is waited for before the backing data is freed. --- drivers/bluetooth/btusb.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c index 7f5fce93d984..5d4ea44cd3c9 100644 --- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -4462,6 +4462,15 @@ static void btusb_disconnect(struct usb_interface *intf) usb_driver_release_interface(&btusb_driver, data->intf); } + /* + * rx_work is scheduled from URB completion handlers; btusb_close() + * (called via hci_unregister_dev) uses a non-sync cancel, so a work + * item may still be queued or executing when we reach this point. + * Wait for it before freeing data, otherwise the worker dereferences + * freed memory through skb_dequeue(&data->acl_q). + */ + cancel_delayed_work_sync(&data->rx_work); + hci_free_dev(hdev); kfree(data); } -- 2.53.0
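Review bot: the new cancel_delayed_work_sync(&data->rx_work) only closes the race if nothing can re-queue rx_work after it returns; the added comment says the work is scheduled from URB completion handlers, so the commit message (or the comment block) should state that every URB able to complete into rx_work has already been killed by the time control reaches this point after usb_driver_release_interface(), otherwise a completion landing between the sync cancel and kfree(data) re-arms the work against freed memory. Since the comment attributes the root cause to btusb_close() using a non-sync cancel, also say why the fix is placed in btusb_disconnect() rather than switching btusb_close() to the sync variant, so that reasoning is on record when the non-test version of this patch is reviewed.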