program: r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_802154(0xffffffffffffffff, 0x8933, 0x0) sendmsg$IEEE802154_LLSEC_ADD_DEV(r0, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x4, 0x700000000000000}, 0x0) write$binfmt_elf32(0xffffffffffffffff, 0x0, 0xfffffffffffffc7e) r1 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000080)={0x6, 0x4, &(0x7f0000013d40)=ANY=[@ANYBLOB="18000000000000000000000000000000b5000000087c950095"], &(0x7f0000000140)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r2 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'bond0\x00', 0x0}) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000040)={r1, r3, 0x25, 0x2, @void}, 0x10) r4 = socket$inet6_udp(0xa, 0x2, 0x0) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f00000001c0)={'bond_slave_0\x00', 0x0}) r6 = perf_event_open(&(0x7f0000002080)={0x2, 0x80, 0xfe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}, 0x20, 0x0, 0x0, 0x6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5}, 0x0, 0x0, 0xffffffffffffffff, 0x0) ioctl$PERF_EVENT_IOC_SET_FILTER(r6, 0x40082406, &(0x7f0000000100)=')\x00') bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r5, 0x25, 0x0, @void}, 0x10) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0x6, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b708"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="043e751d"], 0x24) syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="043e1f1b"], 0x22) syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) (async) ioctl$sock_SIOCGIFINDEX_802154(0xffffffffffffffff, 0x8933, 0x0) (async) sendmsg$IEEE802154_LLSEC_ADD_DEV(r0, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x4, 0x700000000000000}, 0x0) (async) write$binfmt_elf32(0xffffffffffffffff, 0x0, 0xfffffffffffffc7e) (async) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000080)={0x6, 0x4, &(0x7f0000013d40)=ANY=[@ANYBLOB="18000000000000000000000000000000b5000000087c950095"], &(0x7f0000000140)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) (async) socket$packet(0x11, 0x2, 0x300) (async) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'bond0\x00'}) (async) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000040)={r1, r3, 0x25, 0x2, @void}, 0x10) (async) socket$inet6_udp(0xa, 0x2, 0x0) (async) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f00000001c0)={'bond_slave_0\x00'}) (async) perf_event_open(&(0x7f0000002080)={0x2, 0x80, 0xfe, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}, 0x20, 0x0, 0x0, 0x6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5}, 0x0, 0x0, 0xffffffffffffffff, 0x0) (async) ioctl$PERF_EVENT_IOC_SET_FILTER(r6, 0x40082406, &(0x7f0000000100)=')\x00') (async) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000000)={r1, r5, 0x25, 0x0, @void}, 0x10) (async) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0x6, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b708"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) (async) syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="043e751d"], 0x24) (async) syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="043e1f1b"], 0x22) (async) [ 74.721656][ T5310] Bluetooth: hci0: command tx timeout [ 74.860566][ T5310] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585 [ 74.865112][ T5310] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5310, name: kworker/u5:2 [ 74.868660][ T5310] preempt_count: 0, expected: 0 [ 74.870639][ T5310] RCU nest depth: 1, expected: 0 [ 74.872624][ T5310] 4 locks held by kworker/u5:2/5310: [ 74.875992][ T5310] #0: ffff888040b56148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 [ 74.880414][ T5310] #1: ffffc9000cfefd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 [ 74.885283][ T5310] #2: ffff88804e268078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xcf/0xae0 [ 74.889278][ T5310] #3: ffffffff8e939f20 (rcu_read_lock){....}-{1:2}, at: hci_le_create_big_complete_evt+0xdb/0xae0 [ 74.893256][ T5310] CPU: 0 UID: 0 PID: 5310 Comm: kworker/u5:2 Not tainted 6.12.0-syzkaller-00233-g9fb2cfa4635a #0 [ 74.897071][ T5310] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 74.900447][ T5310] Workqueue: hci0 hci_rx_work [ 74.901885][ T5310] Call Trace: [ 74.902963][ T5310] [ 74.903934][ T5310] dump_stack_lvl+0x241/0x360 [ 74.905452][ T5310] ? __pfx_dump_stack_lvl+0x10/0x10 [ 74.906997][ T5310] ? __pfx__printk+0x10/0x10 [ 74.908686][ T5310] __might_resched+0x5d4/0x780 [ 74.910568][ T5310] ? __mutex_lock+0x112/0xd70 [ 74.912435][ T5310] ? __pfx___might_resched+0x10/0x10 [ 74.914439][ T5310] __mutex_lock+0xc1/0xd70 [ 74.916146][ T5310] ? __pfx_lock_acquire+0x10/0x10 [ 74.918082][ T5310] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 74.920458][ T5310] ? __pfx_lock_release+0x10/0x10 [ 74.922429][ T5310] ? __pfx___mutex_lock+0x10/0x10 [ 74.924377][ T5310] ? trace_contention_end+0x3c/0x120 [ 74.926431][ T5310] ? skb_pull_data+0x112/0x230 [ 74.928299][ T5310] ? hci_conn_set_handle+0x9a/0x270 [ 74.930302][ T5310] hci_le_create_big_complete_evt+0x3d9/0xae0 [ 74.932443][ T5310] ? __copy_skb_header+0x437/0x5b0 [ 74.934374][ T5310] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 74.936488][ T5310] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 74.938813][ T5310] ? hci_le_meta_evt+0x366/0x580 [ 74.940617][ T5310] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 74.942957][ T5310] hci_event_packet+0xa55/0x1540 [ 74.944904][ T5310] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 74.946889][ T5310] ? __pfx_hci_event_packet+0x10/0x10 [ 74.948951][ T5310] ? do_raw_spin_unlock+0x58/0x8b0 [ 74.950948][ T5310] ? hci_send_to_monitor+0xd8/0x7f0 [ 74.952912][ T5310] ? kcov_remote_start+0x97/0x7d0 [ 74.954813][ T5310] hci_rx_work+0x3e8/0xca0 [ 74.956356][ T5310] ? process_scheduled_works+0x976/0x1850 [ 74.958489][ T5310] process_scheduled_works+0xa63/0x1850 [ 74.960576][ T5310] ? __pfx_process_scheduled_works+0x10/0x10 [ 74.962846][ T5310] ? assign_work+0x364/0x3d0 [ 74.964508][ T5310] worker_thread+0x870/0xd30 [ 74.966174][ T5310] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 74.968056][ T5310] ? __kthread_parkme+0x169/0x1d0 [ 74.969805][ T5310] ? __pfx_worker_thread+0x10/0x10 [ 74.971671][ T5310] kthread+0x2f0/0x390 [ 74.973273][ T5310] ? __pfx_worker_thread+0x10/0x10 [ 74.975170][ T5310] ? __pfx_kthread+0x10/0x10 [ 74.976846][ T5310] ret_from_fork+0x4b/0x80 [ 74.979071][ T5310] ? __pfx_kthread+0x10/0x10 [ 74.980574][ T5310] ret_from_fork_asm+0x1a/0x30 [ 74.982388][ T5310] [ 74.991367][ T5310] [ 74.992346][ T5310] ============================= [ 74.994265][ T5310] [ BUG: Invalid wait context ] [ 74.996180][ T5310] 6.12.0-syzkaller-00233-g9fb2cfa4635a #0 Tainted: G W [ 74.999395][ T5310] ----------------------------- [ 75.001265][ T5310] kworker/u5:2/5310 is trying to lock: [ 75.003169][ T5310] ffffffff8fe450a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0x3d9/0xae0 [ 75.006941][ T5310] other info that might help us debug this: [ 75.009079][ T5310] context-{4:4} [ 75.010317][ T5310] 4 locks held by kworker/u5:2/5310: [ 75.012151][ T5310] #0: ffff888040b56148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 [ 75.015878][ T5310] #1: ffffc9000cfefd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 [ 75.020199][ T5310] #2: ffff88804e268078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xcf/0xae0 [ 75.024375][ T5310] #3: ffffffff8e939f20 (rcu_read_lock){....}-{1:2}, at: hci_le_create_big_complete_evt+0xdb/0xae0 [ 75.028523][ T5310] stack backtrace: [ 75.029872][ T5310] CPU: 0 UID: 0 PID: 5310 Comm: kworker/u5:2 Tainted: G W 6.12.0-syzkaller-00233-g9fb2cfa4635a #0 [ 75.034264][ T5310] Tainted: [W]=WARN [ 75.035739][ T5310] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.039870][ T5310] Workqueue: hci0 hci_rx_work [ 75.041690][ T5310] Call Trace: [ 75.042989][ T5310] [ 75.044163][ T5310] dump_stack_lvl+0x241/0x360 [ 75.045930][ T5310] ? __pfx_dump_stack_lvl+0x10/0x10 [ 75.047909][ T5310] ? __pfx__printk+0x10/0x10 [ 75.049708][ T5310] __lock_acquire+0x154a/0x2050 [ 75.051604][ T5310] lock_acquire+0x1ed/0x550 [ 75.053378][ T5310] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 75.055751][ T5310] ? __pfx_lock_acquire+0x10/0x10 [ 75.057712][ T5310] ? __mutex_lock+0x112/0xd70 [ 75.059497][ T5310] ? __pfx___might_resched+0x10/0x10 [ 75.061487][ T5310] __mutex_lock+0x136/0xd70 [ 75.063270][ T5310] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 75.065699][ T5310] ? __pfx_lock_acquire+0x10/0x10 [ 75.067558][ T5310] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 75.069750][ T5310] ? __pfx_lock_release+0x10/0x10 [ 75.071504][ T5310] ? __pfx___mutex_lock+0x10/0x10 [ 75.073312][ T5310] ? trace_contention_end+0x3c/0x120 [ 75.075233][ T5310] ? skb_pull_data+0x112/0x230 [ 75.076962][ T5310] ? hci_conn_set_handle+0x9a/0x270 [ 75.078837][ T5310] hci_le_create_big_complete_evt+0x3d9/0xae0 [ 75.081194][ T5310] ? __copy_skb_header+0x437/0x5b0 [ 75.083151][ T5310] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 75.085393][ T5310] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 75.087706][ T5310] ? hci_le_meta_evt+0x366/0x580 [ 75.089512][ T5310] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 75.091897][ T5310] hci_event_packet+0xa55/0x1540 [ 75.093727][ T5310] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 75.095768][ T5310] ? __pfx_hci_event_packet+0x10/0x10 [ 75.097840][ T5310] ? do_raw_spin_unlock+0x58/0x8b0 [ 75.099864][ T5310] ? hci_send_to_monitor+0xd8/0x7f0 [ 75.102033][ T5310] ? kcov_remote_start+0x97/0x7d0 [ 75.103826][ T5310] hci_rx_work+0x3e8/0xca0 [ 75.105320][ T5310] ? process_scheduled_works+0x976/0x1850 [ 75.107464][ T5310] process_scheduled_works+0xa63/0x1850 [ 75.109663][ T5310] ? __pfx_process_scheduled_works+0x10/0x10 [ 75.112026][ T5310] ? assign_work+0x364/0x3d0 [ 75.113889][ T5310] worker_thread+0x870/0xd30 [ 75.115720][ T5310] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 75.118043][ T5310] ? __kthread_parkme+0x169/0x1d0 [ 75.119983][ T5310] ? __pfx_worker_thread+0x10/0x10 [ 75.121966][ T5310] kthread+0x2f0/0x390 [ 75.123484][ T5310] ? __pfx_worker_thread+0x10/0x10 [ 75.125483][ T5310] ? __pfx_kthread+0x10/0x10 [ 75.127273][ T5310] ret_from_fork+0x4b/0x80 [ 75.129010][ T5310] ? __pfx_kthread+0x10/0x10 [ 75.130794][ T5310] ret_from_fork_asm+0x1a/0x30 [ 75.132697][ T5310] [ 75.139750][ T5310] ================================================================== [ 75.142881][ T5310] BUG: KASAN: slab-use-after-free in hci_le_create_big_complete_evt+0x383/0xae0 [ 75.146236][ T5310] Read of size 8 at addr ffff88804343c000 by task kworker/u5:2/5310 [ 75.149307][ T5310] [ 75.150259][ T5310] CPU: 0 UID: 0 PID: 5310 Comm: kworker/u5:2 Tainted: G W 6.12.0-syzkaller-00233-g9fb2cfa4635a #0 [ 75.154864][ T5310] Tainted: [W]=WARN [ 75.156328][ T5310] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.160609][ T5310] Workqueue: hci0 hci_rx_work [ 75.162496][ T5310] Call Trace: [ 75.163857][ T5310] [ 75.165065][ T5310] dump_stack_lvl+0x241/0x360 [ 75.166915][ T5310] ? __pfx_dump_stack_lvl+0x10/0x10 [ 75.169046][ T5310] ? __pfx__printk+0x10/0x10 [ 75.170818][ T5310] ? _printk+0xd5/0x120 [ 75.172445][ T5310] ? __virt_addr_valid+0x183/0x530 [ 75.174519][ T5310] ? __virt_addr_valid+0x183/0x530 [ 75.176665][ T5310] print_report+0x169/0x550 [ 75.178523][ T5310] ? __virt_addr_valid+0x183/0x530 [ 75.180523][ T5310] ? __virt_addr_valid+0x183/0x530 [ 75.182474][ T5310] ? __virt_addr_valid+0x45f/0x530 [ 75.184383][ T5310] ? __phys_addr+0xba/0x170 [ 75.186125][ T5310] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 75.188509][ T5310] kasan_report+0x143/0x180 [ 75.190229][ T5310] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 75.192665][ T5310] hci_le_create_big_complete_evt+0x383/0xae0 [ 75.195017][ T5310] ? __copy_skb_header+0x437/0x5b0 [ 75.196623][ T5310] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 75.198860][ T5310] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 75.201412][ T5310] ? hci_le_meta_evt+0x366/0x580 [ 75.203312][ T5310] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 75.205922][ T5310] hci_event_packet+0xa55/0x1540 [ 75.207844][ T5310] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 75.209891][ T5310] ? __pfx_hci_event_packet+0x10/0x10 [ 75.211884][ T5310] ? do_raw_spin_unlock+0x58/0x8b0 [ 75.213886][ T5310] ? hci_send_to_monitor+0xd8/0x7f0 [ 75.215909][ T5310] ? kcov_remote_start+0x97/0x7d0 [ 75.217924][ T5310] hci_rx_work+0x3e8/0xca0 [ 75.219668][ T5310] ? process_scheduled_works+0x976/0x1850 [ 75.222171][ T5310] process_scheduled_works+0xa63/0x1850 [ 75.224354][ T5310] ? __pfx_process_scheduled_works+0x10/0x10 [ 75.227477][ T5310] ? assign_work+0x364/0x3d0 [ 75.229387][ T5310] worker_thread+0x870/0xd30 [ 75.231163][ T5310] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 75.233384][ T5310] ? __kthread_parkme+0x169/0x1d0 [ 75.235260][ T5310] ? __pfx_worker_thread+0x10/0x10 [ 75.237052][ T5310] kthread+0x2f0/0x390 [ 75.238515][ T5310] ? __pfx_worker_thread+0x10/0x10 [ 75.240530][ T5310] ? __pfx_kthread+0x10/0x10 [ 75.242253][ T5310] ret_from_fork+0x4b/0x80 [ 75.243943][ T5310] ? __pfx_kthread+0x10/0x10 [ 75.245622][ T5310] ret_from_fork_asm+0x1a/0x30 [ 75.247601][ T5310] [ 75.248681][ T5310] [ 75.249588][ T5310] Allocated by task 5310: [ 75.251248][ T5310] kasan_save_track+0x3f/0x80 [ 75.253067][ T5310] __kasan_kmalloc+0x98/0xb0 [ 75.254933][ T5310] __kmalloc_cache_noprof+0x19c/0x2c0 [ 75.256996][ T5310] __hci_conn_add+0x2f9/0x1850 [ 75.259025][ T5310] hci_le_big_sync_established_evt+0x414/0xc20 [ 75.261501][ T5310] hci_event_packet+0xa55/0x1540 [ 75.263323][ T5310] hci_rx_work+0x3e8/0xca0 [ 75.264971][ T5310] process_scheduled_works+0xa63/0x1850 [ 75.266970][ T5310] worker_thread+0x870/0xd30 [ 75.268769][ T5310] kthread+0x2f0/0x390 [ 75.270128][ T5310] ret_from_fork+0x4b/0x80 [ 75.271731][ T5310] ret_from_fork_asm+0x1a/0x30 [ 75.273484][ T5310] [ 75.274379][ T5310] Freed by task 5310: [ 75.275800][ T5310] kasan_save_track+0x3f/0x80 [ 75.277454][ T5310] kasan_save_free_info+0x40/0x50 [ 75.279375][ T5310] __kasan_slab_free+0x59/0x70 [ 75.281300][ T5310] kfree+0x1a0/0x440 [ 75.282760][ T5310] device_release+0x99/0x1c0 [ 75.284387][ T5310] kobject_put+0x22f/0x480 [ 75.286072][ T5310] hci_conn_del+0x8c4/0xc40 [ 75.287786][ T5310] hci_le_create_big_complete_evt+0x619/0xae0 [ 75.290135][ T5310] hci_event_packet+0xa55/0x1540 [ 75.291968][ T5310] hci_rx_work+0x3e8/0xca0 [ 75.293684][ T5310] process_scheduled_works+0xa63/0x1850 [ 75.295793][ T5310] worker_thread+0x870/0xd30 [ 75.297510][ T5310] kthread+0x2f0/0x390 [ 75.299064][ T5310] ret_from_fork+0x4b/0x80 [ 75.300792][ T5310] ret_from_fork_asm+0x1a/0x30 [ 75.302630][ T5310] [ 75.303574][ T5310] The buggy address belongs to the object at ffff88804343c000 [ 75.303574][ T5310] which belongs to the cache kmalloc-8k of size 8192 [ 75.308782][ T5310] The buggy address is located 0 bytes inside of [ 75.308782][ T5310] freed 8192-byte region [ffff88804343c000, ffff88804343e000) [ 75.313719][ T5310] [ 75.314663][ T5310] The buggy address belongs to the physical page: [ 75.317139][ T5310] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x43438 [ 75.320485][ T5310] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 75.323669][ T5310] ksm flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) [ 75.326754][ T5310] page_type: f5(slab) [ 75.328259][ T5310] raw: 04fff00000000040 ffff88801ac42280 ffffea0000d82400 0000000000000003 [ 75.331585][ T5310] raw: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000 [ 75.334910][ T5310] head: 04fff00000000040 ffff88801ac42280 ffffea0000d82400 0000000000000003 [ 75.338187][ T5310] head: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000 [ 75.341288][ T5310] head: 04fff00000000003 ffffea00010d0e01 ffffffffffffffff 0000000000000000 [ 75.344458][ T5310] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 75.347419][ T5310] page dumped because: kasan: bad access detected [ 75.349817][ T5310] page_owner tracks the page as allocated [ 75.351792][ T5310] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5305, tgid 5305 (syz-executor), ts 64297400855, free_ts 64297160885 [ 75.358747][ T5310] post_alloc_hook+0x1f3/0x230 [ 75.360407][ T5310] get_page_from_freelist+0x3649/0x3790 [ 75.362301][ T5310] __alloc_pages_noprof+0x292/0x710 [ 75.363935][ T5310] alloc_pages_mpol_noprof+0x3e8/0x680 [ 75.365855][ T5310] alloc_slab_page+0x6a/0x140 [ 75.367707][ T5310] allocate_slab+0x5a/0x2f0 [ 75.369404][ T5310] ___slab_alloc+0xcd1/0x14b0 [ 75.371261][ T5310] __slab_alloc+0x58/0xa0 [ 75.372966][ T5310] __kmalloc_cache_noprof+0x1d5/0x2c0 [ 75.375083][ T5310] tomoyo_init_log+0x11cd/0x2050 [ 75.377044][ T5310] tomoyo_supervisor+0x38a/0x11f0 [ 75.379782][ T5310] tomoyo_env_perm+0x178/0x210 [ 75.381635][ T5310] tomoyo_find_next_domain+0x146e/0x1d40 [ 75.383745][ T5310] tomoyo_bprm_check_security+0x114/0x180 [ 75.385709][ T5310] security_bprm_check+0x86/0x250 [ 75.387464][ T5310] bprm_execve+0xa56/0x1770 [ 75.388950][ T5310] page last free pid 5305 tgid 5305 stack trace: [ 75.391010][ T5310] free_unref_page+0xdf9/0x1140 [ 75.392854][ T5310] __slab_free+0x31b/0x3d0 [ 75.394628][ T5310] qlist_free_all+0x9a/0x140 [ 75.396404][ T5310] kasan_quarantine_reduce+0x14f/0x170 [ 75.398440][ T5310] __kasan_slab_alloc+0x23/0x80 [ 75.400257][ T5310] __kmalloc_cache_noprof+0x132/0x2c0 [ 75.402163][ T5310] tomoyo_init_log+0x11cd/0x2050 [ 75.403975][ T5310] tomoyo_supervisor+0x38a/0x11f0 [ 75.405928][ T5310] tomoyo_env_perm+0x178/0x210 [ 75.407725][ T5310] tomoyo_find_next_domain+0x146e/0x1d40 [ 75.409914][ T5310] tomoyo_bprm_check_security+0x114/0x180 [ 75.412110][ T5310] security_bprm_check+0x86/0x250 [ 75.413994][ T5310] bprm_execve+0xa56/0x1770 [ 75.415730][ T5310] do_execveat_common+0x55f/0x6f0 [ 75.417732][ T5310] __x64_sys_execve+0x92/0xb0 [ 75.419576][ T5310] do_syscall_64+0xf3/0x230 [ 75.421318][ T5310] [ 75.422233][ T5310] Memory state around the buggy address: [ 75.424301][ T5310] ffff88804343bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.427165][ T5310] ffff88804343bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.429983][ T5310] >ffff88804343c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.432875][ T5310] ^ [ 75.434371][ T5310] ffff88804343c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.437609][ T5310] ffff88804343c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.440673][ T5310] ================================================================== [ 75.459803][ T5310] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 75.462563][ T5310] CPU: 0 UID: 0 PID: 5310 Comm: kworker/u5:2 Tainted: G W 6.12.0-syzkaller-00233-g9fb2cfa4635a #0 [ 75.467033][ T5310] Tainted: [W]=WARN [ 75.468420][ T5310] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.472241][ T5310] Workqueue: hci0 hci_rx_work [ 75.474120][ T5310] Call Trace: [ 75.475514][ T5310] [ 75.476659][ T5310] dump_stack_lvl+0x241/0x360 [ 75.479471][ T5310] ? __pfx_dump_stack_lvl+0x10/0x10 [ 75.481544][ T5310] ? __pfx__printk+0x10/0x10 [ 75.483371][ T5310] ? rcu_is_watching+0x15/0xb0 [ 75.485252][ T5310] ? preempt_schedule+0xe1/0xf0 [ 75.487101][ T5310] ? vscnprintf+0x5d/0x90 [ 75.488710][ T5310] panic+0x349/0x880 [ 75.490190][ T5310] ? check_panic_on_warn+0x21/0xb0 [ 75.492231][ T5310] ? __pfx_panic+0x10/0x10 [ 75.494045][ T5310] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 75.496363][ T5310] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 75.498787][ T5310] ? print_report+0x502/0x550 [ 75.500606][ T5310] check_panic_on_warn+0x86/0xb0 [ 75.502381][ T5310] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 75.504809][ T5310] end_report+0x77/0x160 [ 75.506452][ T5310] kasan_report+0x154/0x180 [ 75.508016][ T5310] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 75.510090][ T5310] hci_le_create_big_complete_evt+0x383/0xae0 [ 75.511957][ T5310] ? __copy_skb_header+0x437/0x5b0 [ 75.513539][ T5310] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 75.515584][ T5310] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 75.517670][ T5310] ? hci_le_meta_evt+0x366/0x580 [ 75.519310][ T5310] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 75.521539][ T5310] hci_event_packet+0xa55/0x1540 [ 75.523343][ T5310] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 75.525362][ T5310] ? __pfx_hci_event_packet+0x10/0x10 [ 75.527353][ T5310] ? do_raw_spin_unlock+0x58/0x8b0 [ 75.529424][ T5310] ? hci_send_to_monitor+0xd8/0x7f0 [ 75.531534][ T5310] ? kcov_remote_start+0x97/0x7d0 [ 75.533467][ T5310] hci_rx_work+0x3e8/0xca0 [ 75.535194][ T5310] ? process_scheduled_works+0x976/0x1850 [ 75.537423][ T5310] process_scheduled_works+0xa63/0x1850 [ 75.539484][ T5310] ? __pfx_process_scheduled_works+0x10/0x10 [ 75.541903][ T5310] ? assign_work+0x364/0x3d0 [ 75.543696][ T5310] worker_thread+0x870/0xd30 [ 75.545476][ T5310] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 75.547773][ T5310] ? __kthread_parkme+0x169/0x1d0 [ 75.549724][ T5310] ? __pfx_worker_thread+0x10/0x10 [ 75.551672][ T5310] kthread+0x2f0/0x390 [ 75.553312][ T5310] ? __pfx_worker_thread+0x10/0x10 [ 75.555280][ T5310] ? __pfx_kthread+0x10/0x10 [ 75.557052][ T5310] ret_from_fork+0x4b/0x80 [ 75.558764][ T5310] ? __pfx_kthread+0x10/0x10 [ 75.560477][ T5310] ret_from_fork_asm+0x1a/0x30 [ 75.562331][ T5310] [ 75.563768][ T5310] Kernel Offset: disabled [ 75.565478][ T5310] Rebooting in 86400 seconds..