Date: Sun, 16 Jun 2024 13:49:07 -0400
From: Shuangpeng Bai <shuangpengbai@...il.com>
To: marcel@...tmann.org,
 johan.hedberg@...il.com,
 luiz.dentz@...il.com
Cc: linux-bluetooth@...r.kernel.org,
 linux-kernel@...r.kernel.org,
 syzkaller@...glegroups.com
Subject: KASAN: slab-use-after-free in _raw_spin_lock_bh (freed
 from l2cap_sock_release)

Hi Kernel Maintainers,

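Our tool found a kernel bug, KASAN: slab-use-after-free in _raw_spin_lock_bh (l2cap_sock_release related). Per the report below, l2cap_sock_recv_cb (reached from hci_rx_work) calls lock_sock_nested on a socket that had already been freed through close() -> l2cap_sock_release -> l2cap_sock_kill -> sk_free. Please see the details below.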

Kernel commit: v6.9 (Commits on May 12, 2024)
Kernel config: attachment
C/Syz reproducer: attachment

Please let me know if there is anything I can help with.

Best,
Shuangpeng


[  796.198988][ T8206] ==================================================================
[ 796.201978][ T8206] BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh (./include/linux/instrumented.h:96 ./include/linux/atomic/atomic-instrumented.h:1301 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:127 kernel/locking/spinlock.c:178) 
[  796.205018][ T8206] Write of size 4 at addr ffff888021f53940 by task kworker/u11:4/8206
[  796.206698][ T8206]
[  796.207173][ T8206] CPU: 1 PID: 8206 Comm: kworker/u11:4 Not tainted 6.9.0 #8
[  796.208636][ T8206] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[  796.210619][ T8206] Workqueue: hci0 hci_rx_work
[  796.213141][ T8206] Call Trace:
[  796.213903][ T8206]  <TASK>
[ 796.214662][ T8206] dump_stack_lvl (lib/dump_stack.c:117) 
[ 796.215808][ T8206] print_report (mm/kasan/report.c:378 mm/kasan/report.c:488) 
[ 796.216926][ T8206] ? __phys_addr (arch/x86/mm/physaddr.c:32 (discriminator 4)) 
[ 796.217916][ T8206] ? _raw_spin_lock_bh (./include/linux/instrumented.h:96 ./include/linux/atomic/atomic-instrumented.h:1301 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:127 kernel/locking/spinlock.c:178) 
[ 796.219097][ T8206] kasan_report (mm/kasan/report.c:603) 
[ 796.220057][ T8206] ? _raw_spin_lock_bh (./include/linux/instrumented.h:96 ./include/linux/atomic/atomic-instrumented.h:1301 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:127 kernel/locking/spinlock.c:178) 
[ 796.221115][ T8206] kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189) 
[ 796.222265][ T8206] _raw_spin_lock_bh (./include/linux/instrumented.h:96 ./include/linux/atomic/atomic-instrumented.h:1301 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:127 kernel/locking/spinlock.c:178) 
[ 796.223319][ T8206] ? __pfx__raw_spin_lock_bh (kernel/locking/spinlock.c:177) 
[ 796.224445][ T8206] ? kthread_data (kernel/kthread.c:77 kernel/kthread.c:244) 
[ 796.225455][ T8206] __lock_sock (./include/net/sock.h:1774 net/core/sock.c:2962) 
[ 796.226551][ T8206] ? __pfx___lock_sock (net/core/sock.c:2953) 
[ 796.227765][ T8206] ? _raw_read_unlock (./arch/x86/include/asm/preempt.h:103 ./include/linux/rwlock_api_smp.h:233 kernel/locking/spinlock.c:260) 
[ 796.228924][ T8206] ? __pfx_autoremove_wake_function (kernel/sched/wait.c:383) 
[ 796.230327][ T8206] ? __pfx__raw_spin_lock_bh (kernel/locking/spinlock.c:177) 
[ 796.231483][ T8206] ? __pfx_l2cap_global_chan_by_psm (net/bluetooth/l2cap_core.c:1811) 
[ 796.232820][ T8206] lock_sock_nested (net/core/sock.c:3540) 
[ 796.233925][ T8206] l2cap_sock_recv_cb (net/bluetooth/l2cap_sock.c:1456) 
[ 796.235096][ T8206] l2cap_recv_frame (net/bluetooth/l2cap_core.c:6748 net/bluetooth/l2cap_core.c:6801) 
[ 796.236187][ T8206] ? kvm_sched_clock_read (arch/x86/kernel/kvmclock.c:91) 
[ 796.237445][ T8206] ? sched_clock (arch/x86/kernel/tsc.c:286 (discriminator 3)) 
[ 796.238509][ T8206] ? sched_clock_cpu (kernel/sched/clock.c:394) 
[ 796.239634][ T8206] ? __pfx_l2cap_recv_frame (net/bluetooth/l2cap_core.c:6760) 
[ 796.240967][ T8206] ? mm_cid_get (kernel/sched/sched.h:3408) 
[ 796.242084][ T8206] ? _raw_spin_lock_irqsave (./arch/x86/include/asm/atomic.h:115 ./include/linux/atomic/atomic-arch-fallback.h:2170 ./include/linux/atomic/atomic-instrumented.h:1302 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) 
[ 796.243354][ T8206] ? __switch_to (arch/x86/kernel/process_64.c:713 (discriminator 1)) 
[ 796.244417][ T8206] ? _raw_spin_lock (./arch/x86/include/asm/atomic.h:115 ./include/linux/atomic/atomic-arch-fallback.h:2170 ./include/linux/atomic/atomic-instrumented.h:1302 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154) 
[ 796.245536][ T8206] ? __pfx__raw_spin_lock (kernel/locking/spinlock.c:153) 
[ 796.246820][ T8206] ? hci_conn_enter_active_mode (net/bluetooth/hci_conn.c:2529) 
[ 796.248205][ T8206] ? __pfx_hci_conn_enter_active_mode (net/bluetooth/hci_conn.c:2529) 
[ 796.249752][ T8206] l2cap_recv_acldata (net/bluetooth/l2cap_core.c:7503) 
[ 796.250981][ T8206] hci_rx_work (net/bluetooth/hci_core.c:3939 net/bluetooth/hci_core.c:4175) 
[ 796.252029][ T8206] process_one_work (kernel/workqueue.c:3272) 
[ 796.253146][ T8206] ? kthread_data (kernel/kthread.c:77 kernel/kthread.c:244) 
[ 796.254134][ T8206] worker_thread (kernel/workqueue.c:3342 kernel/workqueue.c:3429) 
[ 796.255228][ T8206] ? __pfx_worker_thread (kernel/workqueue.c:3375) 
[ 796.256388][ T8206] kthread (kernel/kthread.c:388) 
[ 796.257418][ T8206] ? __pfx_kthread (kernel/kthread.c:341) 
[ 796.258498][ T8206] ret_from_fork (arch/x86/kernel/process.c:153) 
[ 796.259395][ T8206] ? __pfx_kthread (kernel/kthread.c:341) 
[ 796.260256][ T8206] ret_from_fork_asm (arch/x86/entry/entry_64.S:257) 
[  796.261404][ T8206]  </TASK>
[  796.262148][ T8206]
[  796.262718][ T8206] Allocated by task 8942:
[ 796.263688][ T8206] kasan_save_stack (mm/kasan/common.c:48) 
[ 796.264717][ T8206] kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) 
[ 796.265758][ T8206] __kasan_kmalloc (mm/kasan/common.c:391) 
[ 796.266766][ T8206] __kmalloc (./include/linux/kasan.h:211 mm/slub.c:3972 mm/slub.c:3985) 
[ 796.267687][ T8206] sk_prot_alloc (net/core/sock.c:2082) 
[ 796.268723][ T8206] sk_alloc (net/core/sock.c:2134) 
[ 796.269685][ T8206] bt_sock_alloc (net/bluetooth/af_bluetooth.c:149) 
[ 796.270788][ T8206] l2cap_sock_create (net/bluetooth/l2cap_sock.c:1817 net/bluetooth/l2cap_sock.c:1854) 
[ 796.271994][ T8206] bt_sock_create (net/bluetooth/af_bluetooth.c:133) 
[ 796.273058][ T8206] __sock_create (net/socket.c:1572) 
[ 796.274082][ T8206] __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706) 
[ 796.275085][ T8206] __x64_sys_socket (net/socket.c:1718) 
[ 796.276066][ T8206] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 796.277117][ T8206] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[  796.278518][ T8206]
[  796.279036][ T8206] Freed by task 8940:
[ 796.279983][ T8206] kasan_save_stack (mm/kasan/common.c:48) 
[ 796.281054][ T8206] kasan_save_track (./arch/x86/include/asm/current.h:49 mm/kasan/common.c:60 mm/kasan/common.c:69) 
[ 796.282176][ T8206] kasan_save_free_info (mm/kasan/generic.c:582) 
[ 796.283310][ T8206] __kasan_slab_free (mm/kasan/common.c:274) 
[ 796.284371][ T8206] kfree (mm/slub.c:4286 mm/slub.c:4396) 
[ 796.285212][ T8206] __sk_destruct (net/core/sock.c:2116 net/core/sock.c:2208) 
[ 796.286233][ T8206] sk_destruct (net/core/sock.c:2224) 
[ 796.287248][ T8206] __sk_free (net/core/sock.c:2235) 
[ 796.288162][ T8206] sk_free (net/core/sock.c:2246) 
[ 796.289015][ T8206] l2cap_sock_kill (./include/net/sock.h:1950 net/bluetooth/l2cap_sock.c:1213 net/bluetooth/l2cap_sock.c:1202) 
[ 796.290126][ T8206] l2cap_sock_release (./include/net/bluetooth/l2cap.h:818 net/bluetooth/l2cap_sock.c:1386) 
[ 796.291306][ T8206] __sock_release (net/socket.c:660) 
[ 796.292382][ T8206] sock_close (net/socket.c:1423) 
[ 796.293314][ T8206] __fput (fs/file_table.c:423) 
[ 796.294203][ T8206] __fput_sync (fs/file_table.c:508) 
[ 796.295105][ T8206] __x64_sys_close (fs/open.c:1559 fs/open.c:1541 fs/open.c:1541) 
[ 796.296196][ T8206] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 796.297269][ T8206] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[  796.298567][ T8206]
[  796.299075][ T8206] The buggy address belongs to the object at ffff888021f53800
[  796.299075][ T8206]  which belongs to the cache kmalloc-1k of size 1024
[  796.302366][ T8206] The buggy address is located 320 bytes inside of
[  796.302366][ T8206]  freed 1024-byte region [ffff888021f53800, ffff888021f53c00)
[  796.305330][ T8206]
[  796.305832][ T8206] The buggy address belongs to the physical page:
[  796.307258][ T8206] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21f50
[  796.309174][ T8206] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  796.310906][ T8206] flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[  796.312684][ T8206] page_type: 0xffffffff()
[  796.313578][ T8206] raw: 00fff00000000840 ffff888011c41dc0 dead000000000122 0000000000000000
[  796.315421][ T8206] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[  796.317278][ T8206] head: 00fff00000000840 ffff888011c41dc0 dead000000000122 0000000000000000
[  796.319058][ T8206] head: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[  796.320915][ T8206] head: 00fff00000000003 ffffea000087d401 ffffea000087d448 00000000ffffffff
[  796.322884][ T8206] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
[  796.324774][ T8206] page dumped because: kasan: bad access detected
[  796.326166][ T8206] page_owner tracks the page as allocated
[  796.327426][ T8206] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 8911, tgid 8909 (a.out), ts 796139165485, fr9
[ 796.331744][ T8206] post_alloc_hook (./include/linux/page_owner.h:32 mm/page_alloc.c:1534) 
[ 796.332693][ T8206] get_page_from_freelist (mm/page_alloc.c:1543 mm/page_alloc.c:3317) 
[ 796.333805][ T8206] __alloc_pages (mm/page_alloc.c:4576) 
[ 796.334742][ T8206] allocate_slab (mm/slub.c:2181 mm/slub.c:2343) 
[ 796.335657][ T8206] ___slab_alloc (mm/slub.c:3531) 
[ 796.336620][ T8206] __slab_alloc.constprop.0 (mm/slub.c:3615) 
[ 796.337786][ T8206] kmalloc_trace (mm/slub.c:3668 mm/slub.c:3841 mm/slub.c:3998) 
[ 796.338760][ T8206] l2cap_chan_create (net/bluetooth/l2cap_core.c:450) 
[ 796.339798][ T8206] l2cap_sock_create (net/bluetooth/l2cap_sock.c:1824 net/bluetooth/l2cap_sock.c:1854) 
[ 796.340909][ T8206] bt_sock_create (net/bluetooth/af_bluetooth.c:133) 
[ 796.341934][ T8206] __sock_create (net/socket.c:1572) 
[ 796.342728][ T8206] __sys_socket (net/socket.c:1660 net/socket.c:1644 net/socket.c:1706) 
[ 796.343184][ T8206] __x64_sys_socket (net/socket.c:1718) 
[ 796.343639][ T8206] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 796.344114][ T8206] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[  796.344836][ T8206] page last free pid 8863 tgid 8863 stack trace:
[ 796.345527][ T8206] free_unref_page_prepare (./include/linux/page_owner.h:25 mm/page_alloc.c:1141 mm/page_alloc.c:2347) 
[ 796.346121][ T8206] free_unref_page (mm/page_alloc.c:2487) 
[ 796.346643][ T8206] __put_partials (mm/slub.c:2906) 
[ 796.347185][ T8206] qlist_free_all (mm/kasan/quarantine.c:174) 
[ 796.347734][ T8206] kasan_quarantine_reduce (./include/linux/srcu.h:285 mm/kasan/quarantine.c:287) 
[ 796.348300][ T8206] __kasan_slab_alloc (mm/kasan/common.c:322) 
[ 796.348830][ T8206] kmem_cache_alloc (mm/slub.c:3805 mm/slub.c:3851 mm/slub.c:3858) 
[ 796.349360][ T8206] vm_area_alloc (kernel/fork.c:468) 
[ 796.350239][ T8206] mmap_region (mm/mmap.c:2808) 
[ 796.351186][ T8206] do_mmap (mm/mmap.c:1386) 
[ 796.352075][ T8206] vm_mmap_pgoff (mm/util.c:573) 
[ 796.353035][ T8206] ksys_mmap_pgoff (mm/mmap.c:1431) 
[ 796.354062][ T8206] __x64_sys_mmap (arch/x86/kernel/sys_x86_64.c:86 arch/x86/kernel/sys_x86_64.c:79 arch/x86/kernel/sys_x86_64.c:79) 
[ 796.355081][ T8206] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) 
[ 796.356066][ T8206] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[  796.357347][ T8206]
[  796.357856][ T8206] Memory state around the buggy address:
[  796.359093][ T8206]  ffff888021f53800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  796.360751][ T8206]  ffff888021f53880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  796.362469][ T8206] >ffff888021f53900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  796.364018][ T8206]                                            ^
[  796.365218][ T8206]  ffff888021f53980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  796.366799][ T8206]  ffff888021f53a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  796.368351][ T8206] ==================================================================
[  796.370005][ T8206] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[  796.371406][ T8206] CPU: 1 PID: 8206 Comm: kworker/u11:4 Not tainted 6.9.0 #8
[  796.372891][ T8206] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[  796.374810][ T8206] Workqueue: hci0 hci_rx_work
[  796.375995][ T8206] Call Trace:
[  796.376735][ T8206]  <TASK>
[ 796.377392][ T8206] dump_stack_lvl (lib/dump_stack.c:118 (discriminator 4)) 
[ 796.378853][ T8206] panic (kernel/panic.c:348) 
[ 796.379765][ T8206] ? snprintf (lib/vsprintf.c:2954) 
[ 796.380687][ T8206] ? __pfx_panic (kernel/panic.c:282) 

[ 796.381639][ T8206] ? asm_sysvec_apic_timer_interrupt+0x1a/0x20 
[ 796.382852][ T8206] ? _raw_spin_lock_bh (./include/linux/instrumented.h:96 ./include/linux/atomic/atomic-instrumented.h:1301 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:127 kernel/locking/spinlock.c:178) 
[ 796.383421][ T8206] ? check_panic_on_warn+0x1f/0xc0 
[ 796.384368][ T8206] ? _raw_spin_lock_bh (./include/linux/instrumented.h:96 ./include/linux/atomic/atomic-instrumented.h:1301 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:127 kernel/locking/spinlock.c:178) 
[ 796.385500][ T8206] check_panic_on_warn (kernel/panic.c:241) 
[ 796.386618][ T8206] end_report (mm/kasan/report.c:226) 
[ 796.387516][ T8206] kasan_report (./arch/x86/include/asm/smap.h:56 mm/kasan/report.c:606) 
[ 796.388471][ T8206] ? _raw_spin_lock_bh (./include/linux/instrumented.h:96 ./include/linux/atomic/atomic-instrumented.h:1301 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:127 kernel/locking/spinlock.c:178) 
[ 796.389594][ T8206] kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189) 
[ 796.390648][ T8206] _raw_spin_lock_bh (./include/linux/instrumented.h:96 ./include/linux/atomic/atomic-instrumented.h:1301 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:127 kernel/locking/spinlock.c:178) 
[ 796.391701][ T8206] ? __pfx__raw_spin_lock_bh (kernel/locking/spinlock.c:177) 
[ 796.392809][ T8206] ? kthread_data (kernel/kthread.c:77 kernel/kthread.c:244) 
[ 796.393803][ T8206] __lock_sock (./include/net/sock.h:1774 net/core/sock.c:2962) 
[ 796.394777][ T8206] ? __pfx___lock_sock (net/core/sock.c:2953) 
[ 796.395875][ T8206] ? _raw_read_unlock (./arch/x86/include/asm/preempt.h:103 ./include/linux/rwlock_api_smp.h:233 kernel/locking/spinlock.c:260) 
[ 796.396892][ T8206] ? __pfx_autoremove_wake_function (kernel/sched/wait.c:383) 
[ 796.398202][ T8206] ? __pfx__raw_spin_lock_bh (kernel/locking/spinlock.c:177) 
[ 796.399323][ T8206] ? __pfx_l2cap_global_chan_by_psm (net/bluetooth/l2cap_core.c:1811) 
[ 796.400645][ T8206] lock_sock_nested (net/core/sock.c:3540) 
[ 796.401690][ T8206] l2cap_sock_recv_cb (net/bluetooth/l2cap_sock.c:1456) 
[ 796.402741][ T8206] l2cap_recv_frame (net/bluetooth/l2cap_core.c:6748 net/bluetooth/l2cap_core.c:6801) 
[ 796.403830][ T8206] ? kvm_sched_clock_read (arch/x86/kernel/kvmclock.c:91) 
[ 796.404930][ T8206] ? sched_clock (arch/x86/kernel/tsc.c:286 (discriminator 3)) 
[ 796.405869][ T8206] ? sched_clock_cpu (kernel/sched/clock.c:394) 
[ 796.406909][ T8206] ? __pfx_l2cap_recv_frame (net/bluetooth/l2cap_core.c:6760) 
[ 796.408080][ T8206] ? mm_cid_get (kernel/sched/sched.h:3408) 
[ 796.409047][ T8206] ? _raw_spin_lock_irqsave (./arch/x86/include/asm/atomic.h:115 ./include/linux/atomic/atomic-arch-fallback.h:2170 ./include/linux/atomic/atomic-instrumented.h:1302 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162) 
[ 796.410251][ T8206] ? __switch_to (arch/x86/kernel/process_64.c:713 (discriminator 1)) 
[ 796.411287][ T8206] ? _raw_spin_lock (./arch/x86/include/asm/atomic.h:115 ./include/linux/atomic/atomic-arch-fallback.h:2170 ./include/linux/atomic/atomic-instrumented.h:1302 ./include/asm-generic/qspinlock.h:111 ./include/linux/spinlock.h:187 ./include/linux/spinlock_api_smp.h:134 kernel/locking/spinlock.c:154) 
[ 796.412326][ T8206] ? __pfx__raw_spin_lock (kernel/locking/spinlock.c:153) 
[ 796.413413][ T8206] ? hci_conn_enter_active_mode (net/bluetooth/hci_conn.c:2529) 
[ 796.414710][ T8206] ? __pfx_hci_conn_enter_active_mode (net/bluetooth/hci_conn.c:2529) 
[ 796.415993][ T8206] l2cap_recv_acldata (net/bluetooth/l2cap_core.c:7503) 
[ 796.417068][ T8206] hci_rx_work (net/bluetooth/hci_core.c:3939 net/bluetooth/hci_core.c:4175) 
[ 796.417962][ T8206] process_one_work (kernel/workqueue.c:3272) 
[ 796.419021][ T8206] ? kthread_data (kernel/kthread.c:77 kernel/kthread.c:244) 
[ 796.419941][ T8206] worker_thread (kernel/workqueue.c:3342 kernel/workqueue.c:3429) 
[ 796.420888][ T8206] ? __pfx_worker_thread (kernel/workqueue.c:3375) 
[ 796.421932][ T8206] kthread (kernel/kthread.c:388) 
[ 796.422811][ T8206] ? __pfx_kthread (kernel/kthread.c:341) 
[ 796.423777][ T8206] ret_from_fork (arch/x86/kernel/process.c:153) 
[ 796.424744][ T8206] ? __pfx_kthread (kernel/kthread.c:341) 
[ 796.425694][ T8206] ret_from_fork_asm (arch/x86/entry/entry_64.S:257) 
[  796.426720][ T8206]  </TASK>
[  796.427522][ T8206] Kernel Offset: disabled
[  796.428432][ T8206] Rebooting in 86400 seconds..


Download attachment "repro.c" of type "application/octet-stream" (19095 bytes)

Download attachment ".config" of type "application/octet-stream" (247339 bytes)
