program: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000040)=@delneigh={0x30, 0x20, 0x2f70e4bbd079cd81, 0x70bd25, 0x25dfdbfe, {0x2, 0x0, 0x0, 0x0, 0x0, 0x73, 0x3}, [@NDA_CACHEINFO={0x14, 0x3, {0x0, 0xfffffffa, 0x5}}]}, 0x30}, 0x1, 0x0, 0x0, 0x20000800}, 0x20000000) r1 = socket$netlink(0x10, 0x3, 0xc) bind$netlink(r1, &(0x7f0000514ff4)={0x10, 0x0, 0x0, 0x2ffffffff}, 0xc) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0x6, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff00000000b7"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="043e751d"], 0x24) syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="043e1f1b"], 0x22) r2 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r2, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000940)={{0x14}, [@NFT_MSG_NEWTABLE={0x20, 0x0, 0xa, 0x301, 0x0, 0x0, {0x1}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz0\x00'}]}], {0x14}}, 0x48}}, 0x0) r3 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r3, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000100)={{0x14}, [@NFT_MSG_NEWCHAIN={0x2c, 0x3, 0xa, 0x201, 0x0, 0x0, {0x1}, [@NFTA_CHAIN_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_CHAIN_NAME={0x9, 0x3, 'syz1\x00'}]}, @NFT_MSG_NEWRULE={0x64, 0x6, 0xa, 0x401, 0x0, 0x0, {0x1}, [@NFTA_RULE_CHAIN_ID={0x8}, @NFTA_RULE_EXPRESSIONS={0x3c, 0x4, 0x0, 0x1, [{0x38, 0x1, 0x0, 0x1, @immediate={{0xe}, @val={0x24, 0x2, 0x0, 0x1, [@NFTA_IMMEDIATE_DREG={0x8}, @NFTA_IMMEDIATE_DATA={0x18, 0x2, 0x0, 0x1, [@NFTA_DATA_VERDICT={0x14, 0x2, 0x0, 0x1, [@NFTA_VERDICT_CHAIN_ID={0x8}, @NFTA_VERDICT_CODE={0x8, 0x1, 0x0, 0x1, 0xfffffffffffffffd}]}]}]}}}]}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}]}], {0x14}}, 0xb8}}, 0x0) r4 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCBRDELBR(r2, 0x89a1, &(0x7f0000000000)='wg2\x00') r5 = syz_genetlink_get_family_id$nl802154(&(0x7f0000001440), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_802154(r4, 0x8933, &(0x7f00000017c0)={'wpan0\x00', 0x0}) r7 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r8 = msgget$private(0x0, 0x0) msgsnd(r8, &(0x7f0000000380)={0xa3df54513196af36, "b2257fb3c8f04104f37407b0df713943663d95be6acce1c7290d93fa7d8525304b0bdd8921014dce17f6d40dfc9cab19dcba41efe6a19ee39bca25c6"}, 0x44, 0x0) msgsnd(r8, &(0x7f0000000340)=ANY=[@ANYBLOB="0200"], 0x8, 0x0) msgrcv(r8, &(0x7f0000000240)={0x0, ""/190}, 0xc6, 0x1, 0x4800) sendmsg$NL802154_CMD_DEL_SEC_LEVEL(r7, &(0x7f0000001b40)={0x0, 0x0, &(0x7f0000001b00)={&(0x7f0000001a40)={0x40, r5, 0x1, 0x0, 0x0, {}, [@NL802154_ATTR_IFINDEX={0x8, 0x3, r6}, @NL802154_ATTR_SEC_LEVEL={0x24, 0x2d, 0x0, 0x1, [@NL802154_SECLEVEL_ATTR_LEVELS={0x5}, @NL802154_SECLEVEL_ATTR_DEV_OVERRIDE={0x5}, @NL802154_SECLEVEL_ATTR_FRAME={0x8, 0x2, 0x3}, @NL802154_SECLEVEL_ATTR_CMD_FRAME={0x8, 0x3, 0xef}]}]}, 0x40}}, 0x0) r9 = socket$igmp(0x2, 0x3, 0x2) r10 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r10, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000200)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a010300000000000000000100fffd0900010073797a300000000040000000030a01020000000000000000010000000900030073797a3200000000140004800800024032658aeb08000140000000010900010073797a300000000044000000060a010400000000000001040100000008000b40000000000900010073797a30000000001c000480180001800d00010073796e70726f7879000000000400028014000000110001"], 0xcc}}, 0x0) syz_emit_ethernet(0x3a, &(0x7f0000000140)={@local, @broadcast, @void, {@ipv4={0x800, @tcp={{0x5, 0x4, 0x0, 0x0, 0x2c, 0x0, 0x0, 0x0, 0x6, 0x0, @empty, @empty}, {{0x0, 0x4e26, 0x41424344, 0x41424344, 0x0, 0x0, 0x6, 0x10, 0x1, 0x0, 0x0, {[@fastopen={0x22, 0x2}, @fastopen={0x22, 0x2}]}}}}}}}, 0x0) setsockopt$MRT_ADD_VIF(r9, 0x0, 0xca, &(0x7f0000000040)={0x9, 0x1, 0xb, 0x4, @vifc_lcl_addr=@multicast2, @private=0xa010101}, 0x10) [ 81.981474][ T5091] Bluetooth: hci0: command tx timeout [ 83.065671][ T5091] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585 [ 83.069109][ T5091] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5091, name: kworker/u5:2 [ 83.074488][ T5091] preempt_count: 0, expected: 0 [ 83.077332][ T5091] RCU nest depth: 1, expected: 0 [ 83.079253][ T5091] 4 locks held by kworker/u5:2/5091: [ 83.083128][ T5091] #0: ffff88803bd50148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 [ 83.087401][ T5091] #1: ffffc90002ddfd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 [ 83.092170][ T5091] #2: ffff888035bd4078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xcf/0xae0 [ 83.096893][ T5091] #3: ffffffff8e937de0 (rcu_read_lock){....}-{1:2}, at: hci_le_create_big_complete_evt+0xdb/0xae0 [ 83.101751][ T5091] CPU: 0 UID: 0 PID: 5091 Comm: kworker/u5:2 Not tainted 6.12.0-rc1-syzkaller-00306-g27cc6fdf7201 #0 [ 83.105841][ T5091] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 83.109756][ T5091] Workqueue: hci0 hci_rx_work [ 83.111553][ T5091] Call Trace: [ 83.112851][ T5091] [ 83.113988][ T5091] dump_stack_lvl+0x241/0x360 [ 83.115805][ T5091] ? __pfx_dump_stack_lvl+0x10/0x10 [ 83.117738][ T5091] ? __pfx__printk+0x10/0x10 [ 83.119594][ T5091] __might_resched+0x5d4/0x780 [ 83.121413][ T5091] ? __mutex_lock+0x112/0xd70 [ 83.123270][ T5091] ? __pfx___might_resched+0x10/0x10 [ 83.125305][ T5091] __mutex_lock+0xc1/0xd70 [ 83.126993][ T5091] ? __pfx_lock_acquire+0x10/0x10 [ 83.128868][ T5091] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 83.131174][ T5091] ? __pfx_lock_release+0x10/0x10 [ 83.133064][ T5091] ? __pfx___mutex_lock+0x10/0x10 [ 83.134918][ T5091] ? trace_contention_end+0x3c/0x120 [ 83.137041][ T5091] ? skb_pull_data+0x112/0x230 [ 83.138929][ T5091] ? hci_conn_set_handle+0x9a/0x270 [ 83.141138][ T5091] hci_le_create_big_complete_evt+0x3d9/0xae0 [ 83.144149][ T5091] ? __copy_skb_header+0x437/0x5b0 [ 83.146445][ T5091] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 83.148869][ T5091] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 83.151351][ T5091] ? hci_le_meta_evt+0x366/0x580 [ 83.153340][ T5091] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 83.156350][ T5091] hci_event_packet+0xa55/0x1540 [ 83.158392][ T5091] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 83.160489][ T5091] ? __pfx_hci_event_packet+0x10/0x10 [ 83.162469][ T5091] ? set_advertising_complete+0x600/0x6f0 [ 83.164555][ T5091] ? kcov_remote_start+0x97/0x7d0 [ 83.166415][ T5091] hci_rx_work+0x3fe/0xd80 [ 83.168135][ T5091] ? process_scheduled_works+0x976/0x1850 [ 83.170266][ T5091] process_scheduled_works+0xa63/0x1850 [ 83.172782][ T5091] ? __pfx_process_scheduled_works+0x10/0x10 [ 83.175614][ T5091] ? assign_work+0x364/0x3d0 [ 83.177521][ T5091] worker_thread+0x870/0xd30 [ 83.179324][ T5091] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 83.181189][ T5091] ? __kthread_parkme+0x169/0x1d0 [ 83.182754][ T5091] ? __pfx_worker_thread+0x10/0x10 [ 83.184892][ T5091] kthread+0x2f0/0x390 [ 83.187561][ T5091] ? __pfx_worker_thread+0x10/0x10 [ 83.190524][ T5091] ? __pfx_kthread+0x10/0x10 [ 83.192286][ T5091] ret_from_fork+0x4b/0x80 [ 83.193897][ T5091] ? __pfx_kthread+0x10/0x10 [ 83.195640][ T5091] ret_from_fork_asm+0x1a/0x30 [ 83.197326][ T5091] [ 83.206057][ T5091] [ 83.207228][ T5091] ============================= [ 83.209201][ T5091] [ BUG: Invalid wait context ] [ 83.211071][ T5091] 6.12.0-rc1-syzkaller-00306-g27cc6fdf7201 #0 Tainted: G W [ 83.213968][ T5091] ----------------------------- [ 83.215911][ T5091] kworker/u5:2/5091 is trying to lock: [ 83.218394][ T5091] ffffffff8fe3e2e8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0x3d9/0xae0 [ 83.223092][ T5091] other info that might help us debug this: [ 83.225307][ T5091] context-{4:4} [ 83.226617][ T5091] 4 locks held by kworker/u5:2/5091: [ 83.228565][ T5091] #0: ffff88803bd50148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 [ 83.232398][ T5091] #1: ffffc90002ddfd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 [ 83.237523][ T5091] #2: ffff888035bd4078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xcf/0xae0 [ 83.241574][ T5091] #3: ffffffff8e937de0 (rcu_read_lock){....}-{1:2}, at: hci_le_create_big_complete_evt+0xdb/0xae0 [ 83.245418][ T5091] stack backtrace: [ 83.246861][ T5091] CPU: 0 UID: 0 PID: 5091 Comm: kworker/u5:2 Tainted: G W 6.12.0-rc1-syzkaller-00306-g27cc6fdf7201 #0 [ 83.251954][ T5091] Tainted: [W]=WARN [ 83.253973][ T5091] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 83.258340][ T5091] Workqueue: hci0 hci_rx_work [ 83.260054][ T5091] Call Trace: [ 83.261321][ T5091] [ 83.262413][ T5091] dump_stack_lvl+0x241/0x360 [ 83.264196][ T5091] ? __pfx_dump_stack_lvl+0x10/0x10 [ 83.266207][ T5091] ? __pfx__printk+0x10/0x10 [ 83.268116][ T5091] __lock_acquire+0x154a/0x2050 [ 83.270281][ T5091] lock_acquire+0x1ed/0x550 [ 83.272700][ T5091] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 83.275390][ T5091] ? __pfx_lock_acquire+0x10/0x10 [ 83.277349][ T5091] ? __mutex_lock+0x112/0xd70 [ 83.279206][ T5091] ? __pfx___might_resched+0x10/0x10 [ 83.281157][ T5091] __mutex_lock+0x136/0xd70 [ 83.282799][ T5091] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 83.285318][ T5091] ? __pfx_lock_acquire+0x10/0x10 [ 83.287648][ T5091] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 83.290372][ T5091] ? __pfx_lock_release+0x10/0x10 [ 83.292598][ T5091] ? __pfx___mutex_lock+0x10/0x10 [ 83.294545][ T5091] ? trace_contention_end+0x3c/0x120 [ 83.296451][ T5091] ? skb_pull_data+0x112/0x230 [ 83.298087][ T5091] ? hci_conn_set_handle+0x9a/0x270 [ 83.299935][ T5091] hci_le_create_big_complete_evt+0x3d9/0xae0 [ 83.302468][ T5091] ? __copy_skb_header+0x437/0x5b0 [ 83.304750][ T5091] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 83.307549][ T5091] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 83.309990][ T5091] ? hci_le_meta_evt+0x366/0x580 [ 83.311844][ T5091] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 83.314382][ T5091] hci_event_packet+0xa55/0x1540 [ 83.316335][ T5091] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 83.318380][ T5091] ? __pfx_hci_event_packet+0x10/0x10 [ 83.320533][ T5091] ? set_advertising_complete+0x600/0x6f0 [ 83.324198][ T5091] ? kcov_remote_start+0x97/0x7d0 [ 83.326226][ T5091] hci_rx_work+0x3fe/0xd80 [ 83.327632][ T5091] ? process_scheduled_works+0x976/0x1850 [ 83.329356][ T5091] process_scheduled_works+0xa63/0x1850 [ 83.331185][ T5091] ? __pfx_process_scheduled_works+0x10/0x10 [ 83.333195][ T5091] ? assign_work+0x364/0x3d0 [ 83.334638][ T5091] worker_thread+0x870/0xd30 [ 83.336362][ T5091] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 83.338639][ T5091] ? __kthread_parkme+0x169/0x1d0 [ 83.340590][ T5091] ? __pfx_worker_thread+0x10/0x10 [ 83.342544][ T5091] kthread+0x2f0/0x390 [ 83.344285][ T5091] ? __pfx_worker_thread+0x10/0x10 [ 83.346579][ T5091] ? __pfx_kthread+0x10/0x10 [ 83.348920][ T5091] ret_from_fork+0x4b/0x80 [ 83.351434][ T5091] ? __pfx_kthread+0x10/0x10 [ 83.353301][ T5091] ret_from_fork_asm+0x1a/0x30 [ 83.355202][ T5091] [ 83.373069][ T5091] ================================================================== [ 83.376178][ T5091] BUG: KASAN: slab-use-after-free in hci_le_create_big_complete_evt+0x383/0xae0 [ 83.379658][ T5091] Read of size 8 at addr ffff88803f704000 by task kworker/u5:2/5091 [ 83.383156][ T5091] [ 83.384437][ T5091] CPU: 0 UID: 0 PID: 5091 Comm: kworker/u5:2 Tainted: G W 6.12.0-rc1-syzkaller-00306-g27cc6fdf7201 #0 [ 83.389837][ T5091] Tainted: [W]=WARN [ 83.391277][ T5091] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 83.395688][ T5091] Workqueue: hci0 hci_rx_work [ 83.397675][ T5091] Call Trace: [ 83.399074][ T5091] [ 83.400333][ T5091] dump_stack_lvl+0x241/0x360 [ 83.402421][ T5091] ? __pfx_dump_stack_lvl+0x10/0x10 [ 83.404487][ T5091] ? __pfx__printk+0x10/0x10 [ 83.405998][ T5091] ? _printk+0xd5/0x120 [ 83.407427][ T5091] ? __virt_addr_valid+0x183/0x530 [ 83.409502][ T5091] ? __virt_addr_valid+0x183/0x530 [ 83.411685][ T5091] print_report+0x169/0x550 [ 83.413687][ T5091] ? __virt_addr_valid+0x183/0x530 [ 83.415925][ T5091] ? __virt_addr_valid+0x183/0x530 [ 83.417966][ T5091] ? __virt_addr_valid+0x45f/0x530 [ 83.419895][ T5091] ? __phys_addr+0xba/0x170 [ 83.421856][ T5091] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 83.424350][ T5091] kasan_report+0x143/0x180 [ 83.426130][ T5091] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 83.428675][ T5091] hci_le_create_big_complete_evt+0x383/0xae0 [ 83.430989][ T5091] ? __copy_skb_header+0x437/0x5b0 [ 83.433567][ T5091] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 83.436630][ T5091] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 83.439215][ T5091] ? hci_le_meta_evt+0x366/0x580 [ 83.441107][ T5091] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 83.443559][ T5091] hci_event_packet+0xa55/0x1540 [ 83.445518][ T5091] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 83.447798][ T5091] ? __pfx_hci_event_packet+0x10/0x10 [ 83.450103][ T5091] ? set_advertising_complete+0x600/0x6f0 [ 83.452401][ T5091] ? kcov_remote_start+0x97/0x7d0 [ 83.454141][ T5091] hci_rx_work+0x3fe/0xd80 [ 83.455820][ T5091] ? process_scheduled_works+0x976/0x1850 [ 83.458129][ T5091] process_scheduled_works+0xa63/0x1850 [ 83.460457][ T5091] ? __pfx_process_scheduled_works+0x10/0x10 [ 83.462818][ T5091] ? assign_work+0x364/0x3d0 [ 83.464770][ T5091] worker_thread+0x870/0xd30 [ 83.466607][ T5091] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 83.469101][ T5091] ? __kthread_parkme+0x169/0x1d0 [ 83.471496][ T5091] ? __pfx_worker_thread+0x10/0x10 [ 83.473773][ T5091] kthread+0x2f0/0x390 [ 83.475422][ T5091] ? __pfx_worker_thread+0x10/0x10 [ 83.477351][ T5091] ? __pfx_kthread+0x10/0x10 [ 83.479113][ T5091] ret_from_fork+0x4b/0x80 [ 83.480906][ T5091] ? __pfx_kthread+0x10/0x10 [ 83.482623][ T5091] ret_from_fork_asm+0x1a/0x30 [ 83.484451][ T5091] [ 83.485661][ T5091] [ 83.486586][ T5091] Allocated by task 5091: [ 83.488238][ T5091] kasan_save_track+0x3f/0x80 [ 83.490154][ T5091] __kasan_kmalloc+0x98/0xb0 [ 83.492104][ T5091] __kmalloc_cache_noprof+0x19c/0x2c0 [ 83.494323][ T5091] __hci_conn_add+0x2f9/0x1850 [ 83.496345][ T5091] hci_le_big_sync_established_evt+0x414/0xc20 [ 83.498559][ T5091] hci_event_packet+0xa55/0x1540 [ 83.500499][ T5091] hci_rx_work+0x3fe/0xd80 [ 83.502307][ T5091] process_scheduled_works+0xa63/0x1850 [ 83.504489][ T5091] worker_thread+0x870/0xd30 [ 83.506171][ T5091] kthread+0x2f0/0x390 [ 83.507786][ T5091] ret_from_fork+0x4b/0x80 [ 83.509570][ T5091] ret_from_fork_asm+0x1a/0x30 [ 83.511537][ T5091] [ 83.512480][ T5091] Freed by task 5091: [ 83.514068][ T5091] kasan_save_track+0x3f/0x80 [ 83.515943][ T5091] kasan_save_free_info+0x40/0x50 [ 83.517932][ T5091] __kasan_slab_free+0x59/0x70 [ 83.519776][ T5091] kfree+0x1a0/0x440 [ 83.521261][ T5091] device_release+0x99/0x1c0 [ 83.523143][ T5091] kobject_put+0x22f/0x480 [ 83.524874][ T5091] hci_conn_del+0x8c4/0xc40 [ 83.526624][ T5091] hci_le_create_big_complete_evt+0x619/0xae0 [ 83.528952][ T5091] hci_event_packet+0xa55/0x1540 [ 83.530826][ T5091] hci_rx_work+0x3fe/0xd80 [ 83.532586][ T5091] process_scheduled_works+0xa63/0x1850 [ 83.534650][ T5091] worker_thread+0x870/0xd30 [ 83.536467][ T5091] kthread+0x2f0/0x390 [ 83.537992][ T5091] ret_from_fork+0x4b/0x80 [ 83.539468][ T5091] ret_from_fork_asm+0x1a/0x30 [ 83.541155][ T5091] [ 83.541983][ T5091] The buggy address belongs to the object at ffff88803f704000 [ 83.541983][ T5091] which belongs to the cache kmalloc-8k of size 8192 [ 83.547714][ T5091] The buggy address is located 0 bytes inside of [ 83.547714][ T5091] freed 8192-byte region [ffff88803f704000, ffff88803f706000) [ 83.556486][ T5091] [ 83.557345][ T5091] The buggy address belongs to the physical page: [ 83.559695][ T5091] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3f700 [ 83.562995][ T5091] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 83.566143][ T5091] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) [ 83.569170][ T5091] page_type: f5(slab) [ 83.570943][ T5091] raw: 04fff00000000040 ffff88801ac42280 ffffea0000fd8e00 0000000000000002 [ 83.574624][ T5091] raw: 0000000000000000 0000000000020002 00000001f5000000 0000000000000000 [ 83.578433][ T5091] head: 04fff00000000040 ffff88801ac42280 ffffea0000fd8e00 0000000000000002 [ 83.582239][ T5091] head: 0000000000000000 0000000000020002 00000001f5000000 0000000000000000 [ 83.585806][ T5091] head: 04fff00000000003 ffffea0000fdc001 ffffffffffffffff 0000000000000000 [ 83.589081][ T5091] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 83.592868][ T5091] page dumped because: kasan: bad access detected [ 83.596958][ T5091] page_owner tracks the page as allocated [ 83.599275][ T5091] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5087, tgid 5087 (syz-executor), ts 75693162595, free_ts 75659798289 [ 83.607067][ T5091] post_alloc_hook+0x1f3/0x230 [ 83.608936][ T5091] get_page_from_freelist+0x3045/0x3190 [ 83.611166][ T5091] __alloc_pages_noprof+0x256/0x6c0 [ 83.613370][ T5091] alloc_pages_mpol_noprof+0x3e8/0x680 [ 83.615721][ T5091] alloc_slab_page+0x6a/0x120 [ 83.617825][ T5091] allocate_slab+0x5a/0x2f0 [ 83.619611][ T5091] ___slab_alloc+0xcd1/0x14b0 [ 83.621390][ T5091] __slab_alloc+0x58/0xa0 [ 83.623084][ T5091] __kmalloc_cache_noprof+0x1d5/0x2c0 [ 83.625093][ T5091] tomoyo_init_log+0x11cd/0x2050 [ 83.627051][ T5091] tomoyo_supervisor+0x38a/0x11f0 [ 83.629050][ T5091] tomoyo_env_perm+0x178/0x210 [ 83.631474][ T5091] tomoyo_find_next_domain+0x146e/0x1d40 [ 83.634193][ T5091] tomoyo_bprm_check_security+0x114/0x180 [ 83.636241][ T5091] security_bprm_check+0x86/0x250 [ 83.637873][ T5091] bprm_execve+0xa56/0x1770 [ 83.639468][ T5091] page last free pid 5086 tgid 5086 stack trace: [ 83.641668][ T5091] free_unref_page+0xcfb/0xf20 [ 83.643389][ T5091] vfree+0x186/0x2e0 [ 83.644750][ T5091] kcov_close+0x28/0x50 [ 83.646242][ T5091] __fput+0x23f/0x880 [ 83.647773][ T5091] __x64_sys_close+0x7f/0x110 [ 83.649542][ T5091] do_syscall_64+0xf3/0x230 [ 83.651699][ T5091] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 83.654390][ T5091] [ 83.655533][ T5091] Memory state around the buggy address: [ 83.658146][ T5091] ffff88803f703f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 83.661217][ T5091] ffff88803f703f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 83.664109][ T5091] >ffff88803f704000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 83.666537][ T5091] ^ [ 83.667940][ T5091] ffff88803f704080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 83.670884][ T5091] ffff88803f704100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 83.674424][ T5091] ================================================================== [ 83.690536][ T5091] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 83.693472][ T5091] CPU: 0 UID: 0 PID: 5091 Comm: kworker/u5:2 Tainted: G W 6.12.0-rc1-syzkaller-00306-g27cc6fdf7201 #0 [ 83.698245][ T5091] Tainted: [W]=WARN [ 83.699765][ T5091] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 83.704386][ T5091] Workqueue: hci0 hci_rx_work [ 83.706495][ T5091] Call Trace: [ 83.708092][ T5091] [ 83.709416][ T5091] dump_stack_lvl+0x241/0x360 [ 83.711468][ T5091] ? __pfx_dump_stack_lvl+0x10/0x10 [ 83.713567][ T5091] ? __pfx__printk+0x10/0x10 [ 83.715565][ T5091] ? rcu_is_watching+0x15/0xb0 [ 83.717439][ T5091] ? preempt_schedule+0xe1/0xf0 [ 83.719407][ T5091] ? vscnprintf+0x5d/0x90 [ 83.721955][ T5091] panic+0x349/0x880 [ 83.724403][ T5091] ? check_panic_on_warn+0x21/0xb0 [ 83.726406][ T5091] ? __pfx_panic+0x10/0x10 [ 83.728274][ T5091] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 83.730669][ T5091] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 83.732703][ T5091] ? print_report+0x502/0x550 [ 83.734315][ T5091] check_panic_on_warn+0x86/0xb0 [ 83.735977][ T5091] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 83.738060][ T5091] end_report+0x77/0x160 [ 83.739605][ T5091] kasan_report+0x154/0x180 [ 83.741645][ T5091] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 83.744578][ T5091] hci_le_create_big_complete_evt+0x383/0xae0 [ 83.746651][ T5091] ? __copy_skb_header+0x437/0x5b0 [ 83.748264][ T5091] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 83.750537][ T5091] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 83.753160][ T5091] ? hci_le_meta_evt+0x366/0x580 [ 83.755278][ T5091] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 83.758377][ T5091] hci_event_packet+0xa55/0x1540 [ 83.761059][ T5091] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 83.763788][ T5091] ? __pfx_hci_event_packet+0x10/0x10 [ 83.765923][ T5091] ? set_advertising_complete+0x600/0x6f0 [ 83.767675][ T5091] ? kcov_remote_start+0x97/0x7d0 [ 83.769203][ T5091] hci_rx_work+0x3fe/0xd80 [ 83.770688][ T5091] ? process_scheduled_works+0x976/0x1850 [ 83.772683][ T5091] process_scheduled_works+0xa63/0x1850 [ 83.774822][ T5091] ? __pfx_process_scheduled_works+0x10/0x10 [ 83.776982][ T5091] ? assign_work+0x364/0x3d0 [ 83.778667][ T5091] worker_thread+0x870/0xd30 [ 83.780553][ T5091] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 83.783119][ T5091] ? __kthread_parkme+0x169/0x1d0 [ 83.785407][ T5091] ? __pfx_worker_thread+0x10/0x10 [ 83.787658][ T5091] kthread+0x2f0/0x390 [ 83.789381][ T5091] ? __pfx_worker_thread+0x10/0x10 [ 83.791293][ T5091] ? __pfx_kthread+0x10/0x10 [ 83.793037][ T5091] ret_from_fork+0x4b/0x80 [ 83.794875][ T5091] ? __pfx_kthread+0x10/0x10 [ 83.796883][ T5091] ret_from_fork_asm+0x1a/0x30 [ 83.799111][ T5091] [ 83.801177][ T5091] Kernel Offset: disabled [ 83.803283][ T5091] Rebooting in 86400 seconds..