program: r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$sock_bt_hci(r0, 0x400448cb, 0x0) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0x6, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b708"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="043e751d"], 0x24) syz_emit_vhci(&(0x7f0000000140)=@HCI_EVENT_PKT={0x4, @hci_ev_key_refresh_complete={{0x30, 0x3}, {0x7, 0xc8}}}, 0x6) r1 = socket$packet(0x11, 0x3, 0x300) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f00000000c0)={'bridge0\x00', 0x0}) r3 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r3, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000100)=@newlink={0x20, 0x10, 0x40d, 0x70bd2b, 0x0, {0x0, 0x0, 0x0, r2, 0xa000}}, 0x20}}, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f00000001c0)={'bridge0\x00', 0x0}) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000240)=ANY=[@ANYBLOB="3800000055002f03020000000000000007000000", @ANYRES32=r5, @ANYBLOB="200001"], 0x38}}, 0x0) r6 = socket$nl_generic(0x10, 0x3, 0x10) r7 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r6, 0x8933, &(0x7f00000000c0)={'wlan0\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r6, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r7, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r8}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x3}]}, 0x24}}, 0x0) r9 = socket$nl_route(0x10, 0x3, 0x0) ioctl$sock_ipv4_tunnel_SIOCDELTUNNEL(0xffffffffffffffff, 0x89f2, 0x0) ioctl$sock_SIOCGIFINDEX_80211(0xffffffffffffffff, 0x8933, &(0x7f0000000040)={'wlan0\x00'}) ioctl(r9, 0x8b1a, &(0x7f0000000040)) r10 = socket(0x10, 0x3, 0x0) sendmmsg(r10, &(0x7f0000000000), 0x4000000000001f2, 0x0) syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="043e1f1b"], 0x22) openat$snapshot(0xffffffffffffff9c, &(0x7f00000002c0), 0x40040, 0x0) syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="040e0402030c"], 0x7) [ 58.768485][ T5322] bridge0: port 2(bridge_slave_1) entered disabled state [ 58.771878][ T5322] bridge0: port 1(bridge_slave_0) entered disabled state [ 58.791156][ T5322] warning: `syz.0.0' uses wireless extensions which will stop working for Wi-Fi 7 hardware; use nl80211 [ 58.795724][ T5322] Zero length message leads to an empty skb [ 58.799534][ T5308] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585 [ 58.803335][ T5308] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5308, name: kworker/u5:2 [ 58.807018][ T5308] preempt_count: 0, expected: 0 [ 58.809782][ T5308] RCU nest depth: 1, expected: 0 [ 58.811771][ T5308] 4 locks held by kworker/u5:2/5308: [ 58.813921][ T5308] #0: ffff888042849148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 [ 58.818533][ T5308] #1: ffffc9000d437d00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 [ 58.823124][ T5308] #2: ffff888041e34078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xcf/0xae0 [ 58.827158][ T5308] #3: ffffffff8e939f60 (rcu_read_lock){....}-{1:2}, at: hci_le_create_big_complete_evt+0xdb/0xae0 [ 58.832723][ T5308] CPU: 0 UID: 0 PID: 5308 Comm: kworker/u5:2 Not tainted 6.12.0-syzkaller-00971-g158f238aa69d #0 [ 58.836760][ T5308] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 58.840524][ T5308] Workqueue: hci0 hci_rx_work [ 58.842070][ T5308] Call Trace: [ 58.843131][ T5308] [ 58.844134][ T5308] dump_stack_lvl+0x241/0x360 [ 58.845906][ T5308] ? __pfx_dump_stack_lvl+0x10/0x10 [ 58.847912][ T5308] ? __pfx__printk+0x10/0x10 [ 58.849661][ T5308] __might_resched+0x5d4/0x780 [ 58.851527][ T5308] ? __mutex_lock+0x112/0xd70 [ 58.853405][ T5308] ? __pfx___might_resched+0x10/0x10 [ 58.855406][ T5308] __mutex_lock+0xc1/0xd70 [ 58.857098][ T5308] ? __pfx_lock_acquire+0x10/0x10 [ 58.859086][ T5308] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 58.861494][ T5308] ? __pfx_lock_release+0x10/0x10 [ 58.863427][ T5308] ? __pfx___mutex_lock+0x10/0x10 [ 58.865427][ T5308] ? trace_contention_end+0x3c/0x120 [ 58.867385][ T5308] ? skb_pull_data+0x112/0x230 [ 58.869056][ T5308] ? hci_conn_set_handle+0x9a/0x270 [ 58.871005][ T5308] hci_le_create_big_complete_evt+0x3d9/0xae0 [ 58.873272][ T5308] ? __copy_skb_header+0x437/0x5b0 [ 58.875283][ T5308] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 58.877796][ T5308] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 58.880435][ T5308] ? hci_le_meta_evt+0x366/0x580 [ 58.882331][ T5308] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 58.884855][ T5308] hci_event_packet+0xa55/0x1540 [ 58.886754][ T5308] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 58.888706][ T5308] ? __pfx_hci_event_packet+0x10/0x10 [ 58.890726][ T5308] ? do_raw_spin_unlock+0x58/0x8b0 [ 58.892589][ T5308] ? hci_send_to_monitor+0xd8/0x7f0 [ 58.894435][ T5308] ? kcov_remote_start+0x97/0x7d0 [ 58.896362][ T5308] hci_rx_work+0x3e8/0xca0 [ 58.898024][ T5308] ? process_scheduled_works+0x976/0x1850 [ 58.900146][ T5308] process_scheduled_works+0xa63/0x1850 [ 58.902313][ T5308] ? __pfx_process_scheduled_works+0x10/0x10 [ 58.904543][ T5308] ? assign_work+0x364/0x3d0 [ 58.906269][ T5308] worker_thread+0x870/0xd30 [ 58.907957][ T5308] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 58.910229][ T5308] ? __kthread_parkme+0x169/0x1d0 [ 58.912142][ T5308] ? __pfx_worker_thread+0x10/0x10 [ 58.914032][ T5308] kthread+0x2f0/0x390 [ 58.915557][ T5308] ? __pfx_worker_thread+0x10/0x10 [ 58.917461][ T5308] ? __pfx_kthread+0x10/0x10 [ 58.919190][ T5308] ret_from_fork+0x4b/0x80 [ 58.920854][ T5308] ? __pfx_kthread+0x10/0x10 [ 58.922464][ T5308] ret_from_fork_asm+0x1a/0x30 [ 58.924368][ T5308] [ 58.932012][ T5308] [ 58.933024][ T5308] ============================= [ 58.934865][ T5308] [ BUG: Invalid wait context ] [ 58.936741][ T5308] 6.12.0-syzkaller-00971-g158f238aa69d #0 Tainted: G W [ 58.939647][ T5308] ----------------------------- [ 58.941641][ T5308] kworker/u5:2/5308 is trying to lock: [ 58.943759][ T5308] ffffffff8fe472a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0x3d9/0xae0 [ 58.947667][ T5308] other info that might help us debug this: [ 58.949831][ T5308] context-{4:4} [ 58.951196][ T5308] 4 locks held by kworker/u5:2/5308: [ 58.953220][ T5308] #0: ffff888042849148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 [ 58.957451][ T5308] #1: ffffc9000d437d00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 [ 58.961960][ T5308] #2: ffff888041e34078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xcf/0xae0 [ 58.965737][ T5308] #3: ffffffff8e939f60 (rcu_read_lock){....}-{1:2}, at: hci_le_create_big_complete_evt+0xdb/0xae0 [ 58.969371][ T5308] stack backtrace: [ 58.970749][ T5308] CPU: 0 UID: 0 PID: 5308 Comm: kworker/u5:2 Tainted: G W 6.12.0-syzkaller-00971-g158f238aa69d #0 [ 58.975134][ T5308] Tainted: [W]=WARN [ 58.976601][ T5308] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 58.980582][ T5308] Workqueue: hci0 hci_rx_work [ 58.982453][ T5308] Call Trace: [ 58.983792][ T5308] [ 58.984959][ T5308] dump_stack_lvl+0x241/0x360 [ 58.986813][ T5308] ? __pfx_dump_stack_lvl+0x10/0x10 [ 58.988760][ T5308] ? __pfx__printk+0x10/0x10 [ 58.990482][ T5308] __lock_acquire+0x154a/0x2050 [ 58.992219][ T5308] lock_acquire+0x1ed/0x550 [ 58.993821][ T5308] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 58.996167][ T5308] ? __pfx_lock_acquire+0x10/0x10 [ 58.998012][ T5308] ? __mutex_lock+0x112/0xd70 [ 58.999965][ T5308] ? __pfx___might_resched+0x10/0x10 [ 59.002050][ T5308] __mutex_lock+0x136/0xd70 [ 59.003899][ T5308] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 59.006299][ T5308] ? __pfx_lock_acquire+0x10/0x10 [ 59.008186][ T5308] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 59.010470][ T5308] ? __pfx_lock_release+0x10/0x10 [ 59.012234][ T5308] ? __pfx___mutex_lock+0x10/0x10 [ 59.014101][ T5308] ? trace_contention_end+0x3c/0x120 [ 59.015873][ T5308] ? skb_pull_data+0x112/0x230 [ 59.017650][ T5308] ? hci_conn_set_handle+0x9a/0x270 [ 59.019628][ T5308] hci_le_create_big_complete_evt+0x3d9/0xae0 [ 59.021965][ T5308] ? __copy_skb_header+0x437/0x5b0 [ 59.023866][ T5308] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 59.026135][ T5308] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 59.028654][ T5308] ? hci_le_meta_evt+0x366/0x580 [ 59.030389][ T5308] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 59.032680][ T5308] hci_event_packet+0xa55/0x1540 [ 59.034441][ T5308] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 59.036512][ T5308] ? __pfx_hci_event_packet+0x10/0x10 [ 59.038585][ T5308] ? do_raw_spin_unlock+0x58/0x8b0 [ 59.040590][ T5308] ? hci_send_to_monitor+0xd8/0x7f0 [ 59.042544][ T5308] ? kcov_remote_start+0x97/0x7d0 [ 59.044422][ T5308] hci_rx_work+0x3e8/0xca0 [ 59.046080][ T5308] ? process_scheduled_works+0x976/0x1850 [ 59.048312][ T5308] process_scheduled_works+0xa63/0x1850 [ 59.050408][ T5308] ? __pfx_process_scheduled_works+0x10/0x10 [ 59.052653][ T5308] ? assign_work+0x364/0x3d0 [ 59.054380][ T5308] worker_thread+0x870/0xd30 [ 59.056050][ T5308] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 59.058201][ T5308] ? __kthread_parkme+0x169/0x1d0 [ 59.060111][ T5308] ? __pfx_worker_thread+0x10/0x10 [ 59.062015][ T5308] kthread+0x2f0/0x390 [ 59.063549][ T5308] ? __pfx_worker_thread+0x10/0x10 [ 59.065455][ T5308] ? __pfx_kthread+0x10/0x10 [ 59.067131][ T5308] ret_from_fork+0x4b/0x80 [ 59.068813][ T5308] ? __pfx_kthread+0x10/0x10 [ 59.070452][ T5308] ret_from_fork_asm+0x1a/0x30 [ 59.072238][ T5308] [ 59.082138][ T5308] ================================================================== [ 59.084994][ T5308] BUG: KASAN: slab-use-after-free in hci_le_create_big_complete_evt+0x383/0xae0 [ 59.088215][ T5308] Read of size 8 at addr ffff88801faa4000 by task kworker/u5:2/5308 [ 59.091127][ T5308] [ 59.092045][ T5308] CPU: 0 UID: 0 PID: 5308 Comm: kworker/u5:2 Tainted: G W 6.12.0-syzkaller-00971-g158f238aa69d #0 [ 59.096609][ T5308] Tainted: [W]=WARN [ 59.098157][ T5308] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 59.102176][ T5308] Workqueue: hci0 hci_rx_work [ 59.104019][ T5308] Call Trace: [ 59.105293][ T5308] [ 59.106426][ T5308] dump_stack_lvl+0x241/0x360 [ 59.108279][ T5308] ? __pfx_dump_stack_lvl+0x10/0x10 [ 59.110202][ T5308] ? __pfx__printk+0x10/0x10 [ 59.112029][ T5308] ? _printk+0xd5/0x120 [ 59.113667][ T5308] ? __virt_addr_valid+0x183/0x530 [ 59.115626][ T5308] ? __virt_addr_valid+0x183/0x530 [ 59.117609][ T5308] print_report+0x169/0x550 [ 59.119381][ T5308] ? __virt_addr_valid+0x183/0x530 [ 59.121414][ T5308] ? __virt_addr_valid+0x183/0x530 [ 59.123435][ T5308] ? __virt_addr_valid+0x45f/0x530 [ 59.125339][ T5308] ? __phys_addr+0xba/0x170 [ 59.127052][ T5308] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 59.129436][ T5308] kasan_report+0x143/0x180 [ 59.131101][ T5308] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 59.133318][ T5308] hci_le_create_big_complete_evt+0x383/0xae0 [ 59.135521][ T5308] ? __copy_skb_header+0x437/0x5b0 [ 59.137393][ T5308] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 59.139657][ T5308] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 59.142130][ T5308] ? hci_le_meta_evt+0x366/0x580 [ 59.144011][ T5308] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 59.146507][ T5308] hci_event_packet+0xa55/0x1540 [ 59.148463][ T5308] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 59.150477][ T5308] ? __pfx_hci_event_packet+0x10/0x10 [ 59.152572][ T5308] ? do_raw_spin_unlock+0x58/0x8b0 [ 59.154465][ T5308] ? hci_send_to_monitor+0xd8/0x7f0 [ 59.156408][ T5308] ? kcov_remote_start+0x97/0x7d0 [ 59.158472][ T5308] hci_rx_work+0x3e8/0xca0 [ 59.160110][ T5308] ? process_scheduled_works+0x976/0x1850 [ 59.162365][ T5308] process_scheduled_works+0xa63/0x1850 [ 59.164497][ T5308] ? __pfx_process_scheduled_works+0x10/0x10 [ 59.166874][ T5308] ? assign_work+0x364/0x3d0 [ 59.168660][ T5308] worker_thread+0x870/0xd30 [ 59.170446][ T5308] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 59.172709][ T5308] ? __kthread_parkme+0x169/0x1d0 [ 59.174610][ T5308] ? __pfx_worker_thread+0x10/0x10 [ 59.176499][ T5308] kthread+0x2f0/0x390 [ 59.178129][ T5308] ? __pfx_worker_thread+0x10/0x10 [ 59.179975][ T5308] ? __pfx_kthread+0x10/0x10 [ 59.181643][ T5308] ret_from_fork+0x4b/0x80 [ 59.183316][ T5308] ? __pfx_kthread+0x10/0x10 [ 59.185090][ T5308] ret_from_fork_asm+0x1a/0x30 [ 59.186817][ T5308] [ 59.187872][ T5308] [ 59.188699][ T5308] Allocated by task 5308: [ 59.190269][ T5308] kasan_save_track+0x3f/0x80 [ 59.192133][ T5308] __kasan_kmalloc+0x98/0xb0 [ 59.193927][ T5308] __kmalloc_cache_noprof+0x19c/0x2c0 [ 59.196106][ T5308] __hci_conn_add+0x2f9/0x1850 [ 59.197998][ T5308] hci_le_big_sync_established_evt+0x414/0xc20 [ 59.200337][ T5308] hci_event_packet+0xa55/0x1540 [ 59.202255][ T5308] hci_rx_work+0x3e8/0xca0 [ 59.203922][ T5308] process_scheduled_works+0xa63/0x1850 [ 59.205957][ T5308] worker_thread+0x870/0xd30 [ 59.207709][ T5308] kthread+0x2f0/0x390 [ 59.209245][ T5308] ret_from_fork+0x4b/0x80 [ 59.210994][ T5308] ret_from_fork_asm+0x1a/0x30 [ 59.212795][ T5308] [ 59.213676][ T5308] Freed by task 5308: [ 59.215173][ T5308] kasan_save_track+0x3f/0x80 [ 59.216930][ T5308] kasan_save_free_info+0x40/0x50 [ 59.218894][ T5308] __kasan_slab_free+0x59/0x70 [ 59.220747][ T5308] kfree+0x1a0/0x440 [ 59.222198][ T5308] device_release+0x99/0x1c0 [ 59.224006][ T5308] kobject_put+0x22f/0x480 [ 59.225677][ T5308] hci_conn_del+0x8c4/0xc40 [ 59.227397][ T5308] hci_le_create_big_complete_evt+0x619/0xae0 [ 59.229796][ T5308] hci_event_packet+0xa55/0x1540 [ 59.231624][ T5308] hci_rx_work+0x3e8/0xca0 [ 59.233346][ T5308] process_scheduled_works+0xa63/0x1850 [ 59.235448][ T5308] worker_thread+0x870/0xd30 [ 59.237240][ T5308] kthread+0x2f0/0x390 [ 59.238794][ T5308] ret_from_fork+0x4b/0x80 [ 59.240507][ T5308] ret_from_fork_asm+0x1a/0x30 [ 59.242320][ T5308] [ 59.243237][ T5308] The buggy address belongs to the object at ffff88801faa4000 [ 59.243237][ T5308] which belongs to the cache kmalloc-8k of size 8192 [ 59.248405][ T5308] The buggy address is located 0 bytes inside of [ 59.248405][ T5308] freed 8192-byte region [ffff88801faa4000, ffff88801faa6000) [ 59.253545][ T5308] [ 59.254476][ T5308] The buggy address belongs to the physical page: [ 59.256562][ T5308] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1faa0 [ 59.259552][ T5308] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 59.262415][ T5308] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 59.265059][ T5308] page_type: f5(slab) [ 59.266575][ T5308] raw: 00fff00000000040 ffff88801ac42280 ffffea0000470800 dead000000000002 [ 59.269733][ T5308] raw: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000 [ 59.272922][ T5308] head: 00fff00000000040 ffff88801ac42280 ffffea0000470800 dead000000000002 [ 59.276074][ T5308] head: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000 [ 59.279365][ T5308] head: 00fff00000000003 ffffea00007ea801 ffffffffffffffff 0000000000000000 [ 59.282606][ T5308] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 59.285667][ T5308] page dumped because: kasan: bad access detected [ 59.288023][ T5308] page_owner tracks the page as allocated [ 59.290104][ T5308] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5105, tgid 5105 (S50sshd), ts 36232589223, free_ts 35991541340 [ 59.297297][ T5308] post_alloc_hook+0x1f3/0x230 [ 59.299111][ T5308] get_page_from_freelist+0x3649/0x3790 [ 59.301120][ T5308] __alloc_pages_noprof+0x292/0x710 [ 59.302910][ T5308] alloc_pages_mpol_noprof+0x3e8/0x680 [ 59.304942][ T5308] alloc_slab_page+0x6a/0x140 [ 59.306665][ T5308] allocate_slab+0x5a/0x2f0 [ 59.308330][ T5308] ___slab_alloc+0xcd1/0x14b0 [ 59.310097][ T5308] __slab_alloc+0x58/0xa0 [ 59.311759][ T5308] __kmalloc_cache_noprof+0x1d5/0x2c0 [ 59.313746][ T5308] tomoyo_init_log+0x11cd/0x2050 [ 59.315516][ T5308] tomoyo_supervisor+0x38a/0x11f0 [ 59.317337][ T5308] tomoyo_env_perm+0x178/0x210 [ 59.319039][ T5308] tomoyo_find_next_domain+0x146e/0x1d40 [ 59.321162][ T5308] tomoyo_bprm_check_security+0x114/0x180 [ 59.323247][ T5308] security_bprm_check+0x86/0x250 [ 59.325139][ T5308] bprm_execve+0xa56/0x1770 [ 59.326956][ T5308] page last free pid 5094 tgid 5094 stack trace: [ 59.329257][ T5308] free_unref_page+0xdf9/0x1140 [ 59.331063][ T5308] __put_partials+0xeb/0x130 [ 59.332869][ T5308] put_cpu_partial+0x17c/0x250 [ 59.334671][ T5308] __slab_free+0x2ea/0x3d0 [ 59.336301][ T5308] qlist_free_all+0x9a/0x140 [ 59.338014][ T5308] kasan_quarantine_reduce+0x14f/0x170 [ 59.340020][ T5308] __kasan_slab_alloc+0x23/0x80 [ 59.341812][ T5308] __kmalloc_node_noprof+0x1d2/0x440 [ 59.343765][ T5308] __kvmalloc_node_noprof+0x72/0x190 [ 59.345709][ T5308] seq_read_iter+0x20c/0xd70 [ 59.347435][ T5308] proc_reg_read_iter+0x1c2/0x290 [ 59.349324][ T5308] vfs_read+0x991/0xb70 [ 59.350898][ T5308] ksys_read+0x18f/0x2b0 [ 59.352551][ T5308] do_syscall_64+0xf3/0x230 [ 59.354212][ T5308] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 59.356462][ T5308] [ 59.357387][ T5308] Memory state around the buggy address: [ 59.359443][ T5308] ffff88801faa3f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 59.362331][ T5308] ffff88801faa3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 59.365303][ T5308] >ffff88801faa4000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.368316][ T5308] ^ [ 59.369871][ T5308] ffff88801faa4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.372837][ T5308] ffff88801faa4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.375720][ T5308] ================================================================== [ 59.382183][ T5308] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 59.384568][ T5308] CPU: 0 UID: 0 PID: 5308 Comm: kworker/u5:2 Tainted: G W 6.12.0-syzkaller-00971-g158f238aa69d #0 [ 59.388910][ T5308] Tainted: [W]=WARN [ 59.390371][ T5308] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 59.394425][ T5308] Workqueue: hci0 hci_rx_work [ 59.396302][ T5308] Call Trace: [ 59.397572][ T5308] [ 59.398641][ T5308] dump_stack_lvl+0x241/0x360 [ 59.400332][ T5308] ? __pfx_dump_stack_lvl+0x10/0x10 [ 59.402257][ T5308] ? __pfx__printk+0x10/0x10 [ 59.404166][ T5308] ? rcu_is_watching+0x15/0xb0 [ 59.406030][ T5308] ? preempt_schedule+0xe1/0xf0 [ 59.407954][ T5308] ? vscnprintf+0x5d/0x90 [ 59.409610][ T5308] panic+0x349/0x880 [ 59.411091][ T5308] ? check_panic_on_warn+0x21/0xb0 [ 59.413033][ T5308] ? __pfx_panic+0x10/0x10 [ 59.414778][ T5308] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 59.417086][ T5308] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 59.419551][ T5308] ? print_report+0x502/0x550 [ 59.421402][ T5308] check_panic_on_warn+0x86/0xb0 [ 59.423213][ T5308] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 59.425348][ T5308] end_report+0x77/0x160 [ 59.426735][ T5308] kasan_report+0x154/0x180 [ 59.428196][ T5308] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 59.430501][ T5308] hci_le_create_big_complete_evt+0x383/0xae0 [ 59.432896][ T5308] ? __copy_skb_header+0x437/0x5b0 [ 59.434852][ T5308] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 59.437051][ T5308] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 59.439531][ T5308] ? hci_le_meta_evt+0x366/0x580 [ 59.441407][ T5308] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 59.443794][ T5308] hci_event_packet+0xa55/0x1540 [ 59.445558][ T5308] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 59.447412][ T5308] ? __pfx_hci_event_packet+0x10/0x10 [ 59.449305][ T5308] ? do_raw_spin_unlock+0x58/0x8b0 [ 59.451065][ T5308] ? hci_send_to_monitor+0xd8/0x7f0 [ 59.452928][ T5308] ? kcov_remote_start+0x97/0x7d0 [ 59.454745][ T5308] hci_rx_work+0x3e8/0xca0 [ 59.456357][ T5308] ? process_scheduled_works+0x976/0x1850 [ 59.458406][ T5308] process_scheduled_works+0xa63/0x1850 [ 59.460347][ T5308] ? __pfx_process_scheduled_works+0x10/0x10 [ 59.462656][ T5308] ? assign_work+0x364/0x3d0 [ 59.464437][ T5308] worker_thread+0x870/0xd30 [ 59.466087][ T5308] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 59.468164][ T5308] ? __kthread_parkme+0x169/0x1d0 [ 59.469974][ T5308] ? __pfx_worker_thread+0x10/0x10 [ 59.471767][ T5308] kthread+0x2f0/0x390 [ 59.473189][ T5308] ? __pfx_worker_thread+0x10/0x10 [ 59.474962][ T5308] ? __pfx_kthread+0x10/0x10 [ 59.476700][ T5308] ret_from_fork+0x4b/0x80 [ 59.478445][ T5308] ? __pfx_kthread+0x10/0x10 [ 59.480207][ T5308] ret_from_fork_asm+0x1a/0x30 [ 59.482002][ T5308] [ 59.483481][ T5308] Kernel Offset: disabled [ 59.485111][ T5308] Rebooting in 86400 seconds..