[BUG] KASAN: slab-use-after-free in rfcomm_security_cfm
From: Bai, Shuangpeng
Date: Sat Jun 06 2026 - 20:56:59 EST
Hi Kernel Maintainers,
I hit the following KASAN report while testing the current upstream kernel:
KASAN: slab-use-after-free in rfcomm_security_cfm
on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)
To help trigger the bug more reliably, we applied a minimal diagnostic patch
that only adds delays and print statements.
The reproducer and .config files are here:
https://gist.github.com/shuangpengbai/ab3bd255f7f73a6b2bcf64de5c834c10
I’m happy to test debug patches or provide additional information.
Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx>
[ 102.584461][ T4448] ==================================================================
[ 102.585392][ T4448] BUG: KASAN: slab-use-after-free in rfcomm_security_cfm (./include/linux/instrumented.h:112 ./include/asm-generic/bitops/instrumented-atomic.h:85 net/bluetooth/rfcomm/core.c:2161)
[ 102.586293][ T4448] Write of size 8 at addr ffff88811b6b4678 by task kworker/u11:1/4448
[ 102.587178][ T4448]
[ 102.587488][ T4448] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 102.587493][ T4448] Workqueue: hci0 hci_rx_work
[ 102.587527][ T4448] Call Trace:
[ 102.587536][ T4448] <TASK>
[ 102.587542][ T4448] dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
[ 102.587559][ T4448] print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
[ 102.587589][ T4448] kasan_report (mm/kasan/report.c:595)
[ 102.587599][ T4448] kasan_check_range (mm/kasan/generic.c:? mm/kasan/generic.c:200)
[ 102.587604][ T4448] rfcomm_security_cfm (./include/linux/instrumented.h:112 ./include/asm-generic/bitops/instrumented-atomic.h:85 net/bluetooth/rfcomm/core.c:2161)
[ 102.587660][ T4448] hci_encrypt_cfm (./include/net/bluetooth/hci_core.h:2215)
[ 102.587671][ T4448] hci_encrypt_change_evt (net/bluetooth/hci_event.c:3689)
[ 102.587679][ T4448] hci_event_packet (net/bluetooth/hci_event.c:7796 net/bluetooth/hci_event.c:7847)
[ 102.587716][ T4448] hci_rx_work (net/bluetooth/hci_core.c:4077)
[ 102.587721][ T4448] process_scheduled_works (kernel/workqueue.c:3314 kernel/workqueue.c:3397)
[ 102.587734][ T4448] worker_thread (kernel/workqueue.c:3478)
[ 102.587745][ T4448] kthread (kernel/kthread.c:436)
[ 102.587767][ T4448] ret_from_fork (arch/x86/kernel/process.c:158)
[ 102.587789][ T4448] ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
[ 102.587795][ T4448] </TASK>
[ 102.587797][ T4448]
[ 102.610751][ T4448] Freed by task 2678 on cpu 1 at 102.524678s:
[ 102.611389][ T4448] kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78)
[ 102.611908][ T4448] kasan_save_free_info (mm/kasan/generic.c:584)
[ 102.612458][ T4448] __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
[ 102.612968][ T4448] kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
[ 102.613403][ T4448] __rfcomm_dlc_close (net/bluetooth/rfcomm/core.c:329 ./include/net/bluetooth/rfcomm.h:257 net/bluetooth/rfcomm/core.c:350 net/bluetooth/rfcomm/core.c:498)
[ 102.613919][ T4448] rfcomm_run (net/bluetooth/rfcomm/core.c:? net/bluetooth/rfcomm/core.c:2048 net/bluetooth/rfcomm/core.c:2131)
[ 102.614395][ T4448] kthread (kernel/kthread.c:436)
[ 102.614402][ T4448] ret_from_fork (arch/x86/kernel/process.c:158)
[ 102.614407][ T4448] ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
[ 102.614412][ T4448]
[ 102.614414][ T4448] The buggy address belongs to the object at ffff88811b6b4600
[ 102.614414][ T4448] which belongs to the cache kmalloc-256 of size 256
[ 102.617515][ T4448] The buggy address is located 120 bytes inside of
[ 102.617515][ T4448] freed 256-byte region [ffff88811b6b4600, ffff88811b6b4700)
Best,
Shuangpeng