program: r0 = epoll_create(0x7) (async) r1 = epoll_create1(0x0) (async) r2 = epoll_create(0x7) epoll_ctl$EPOLL_CTL_ADD(r1, 0x1, r0, &(0x7f0000000180)) (async) epoll_ctl$EPOLL_CTL_ADD(r2, 0x1, r1, &(0x7f00000000c0)) r3 = epoll_create1(0x0) r4 = epoll_create(0xfff7effe) epoll_ctl$EPOLL_CTL_ADD(r4, 0x1, r3, &(0x7f00000000c0)) (async, rerun: 64) epoll_ctl$EPOLL_CTL_ADD(r3, 0x1, r2, &(0x7f0000000100)) (rerun: 64) socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}) (async) r6 = epoll_create1(0x0) epoll_ctl$EPOLL_CTL_ADD(r0, 0x1, r6, &(0x7f0000000080)) (async) r7 = bpf$MAP_CREATE(0x0, &(0x7f00000003c0)=ANY=[@ANYBLOB="010000000400000003000000a400000000000000", @ANYRES32=0x1, @ANYBLOB='\x00'/20, @ANYRES32=0x0, @ANYRES32, @ANYBLOB="00000000000000000000000000000000000000000000000000000000f1eac4f326e8053ed5dc92a40cd7f7bbd843be065b9c0234847e5f74fe0da284118fa85abe8b67a8683c5154345bf9c86b48fbea4db6e804d2298fa270354ec6f18d5305cd43130aee62fec2b9c41825cf8aede5a1384961223291c8917b51be9c4fa24ea0a299a2bfef6ed95b734b4b7d28e7841424454c1399bbed73a6dc4ab36d3d9c343fc919ec03af0ce89f31ad2c6176e2cebf84e469bfee9327df065e1baa0433350dee9cc74f5807469c689c088170bf984d3f6e4ffc31697b"], 0x48) bpf$MAP_UPDATE_BATCH(0x1a, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, r7, 0x4}, 0x38) epoll_ctl$EPOLL_CTL_ADD(r6, 0x1, r5, &(0x7f0000000200)) (async) r8 = socket$nl_route(0x10, 0x3, 0x0) (async, rerun: 32) bpf$PROG_LOAD(0x5, &(0x7f0000000500)={0x4, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b708"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x52, '\x00', 0x0, @fallback=0x9, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) (async, rerun: 32) sendmsg$IPSET_CMD_CREATE(0xffffffffffffffff, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000640)=ANY=[@ANYBLOB="141b000000000011000000000000000000000000a4e642d96bd8e9a7116809c6721d65368cd5c342655ffc94f2377626fa00aba20a323bb5d2c00347a23cf71dc02cd620b6c1736f54007cd5907e0c8794cc894d14475fd106f9363f390ae12d09f553bb554347cf9cc4101a5bfe2fc8001730ba35ec401d0b50d747359a3020666164c519f0701e63c66125a95a236b85da8e7439e666d39bd314c1145bf297208af59fe2f0eaed8f07afce8aa5bfcc81df8d4e61a5c9cc6fc336a377973a18cb2a9a021c09f83770daab2021e83d5a86519032f60fae78e05275fd519736ebc1fa925899fe817bb5b333c6550d94123c56e00930535b0e6ee3e05efb4587b8b0f295d8b86dd7888bad33ec80d3196b47873914b3d138b27d4e99ad1c3949cd79320c93dab5997878cb9eee789aa484cac24802c9028f005197e8088be25fe96d7e37e4321c1ff6ce6e53a7ca34de8dcb7321b5c0ff9686670d36052c11a793ff49abe23b7e0fe673d115cc4a76"], 0x14}}, 0x0) (async) syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="043e751d"], 0x24) syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="043e1f1b"], 0x22) (async) ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r8, 0x8933, &(0x7f0000000200)={'batadv_slave_0\x00', 0x0}) (async) r10 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r10, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000600)=ANY=[@ANYRESOCT=r3, @ANYRES32=r9, @ANYBLOB="06001500070000000800170000000000"], 0x34}}, 0x0) socket$inet6_sctp(0xa, 0x1, 0x84) (async) r11 = socket$packet(0x11, 0x2, 0x300) setsockopt$packet_int(r11, 0x107, 0xa, &(0x7f0000000080)=0x2, 0x4) setsockopt$packet_rx_ring(r11, 0x107, 0x5, &(0x7f0000000040)=@req3={0x1000, 0x3a, 0x1000, 0x3a, 0x9, 0x0, 0xffffffff}, 0x1c) (async) socket$packet(0x11, 0x2, 0x300) (async) r12 = socket$rxrpc(0x21, 0x2, 0x2) setsockopt$RXRPC_SECURITY_KEYRING(r12, 0x110, 0x2, &(0x7f0000000140)='-}\x81f\x00', 0x5) [ 75.415487][ T4672] Bluetooth: hci0: command tx timeout [ 75.420357][ T1304] ieee802154 phy0 wpan0: encryption failed: -22 [ 75.422915][ T1304] ieee802154 phy1 wpan1: encryption failed: -22 [ 75.522500][ T4672] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585 [ 75.526249][ T4672] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 4672, name: kworker/u5:1 [ 75.533789][ T4672] preempt_count: 0, expected: 0 [ 75.535704][ T4672] RCU nest depth: 1, expected: 0 [ 75.538078][ T4672] 4 locks held by kworker/u5:1/4672: [ 75.540113][ T4672] #0: ffff888043592948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 [ 75.544397][ T4672] #1: ffffc9000d6f7d00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 [ 75.550149][ T4672] #2: ffff888040b84078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xcf/0xae0 [ 75.561848][ T4672] #3: ffffffff8e937da0 (rcu_read_lock){....}-{1:2}, at: hci_le_create_big_complete_evt+0xdb/0xae0 [ 75.565786][ T4672] CPU: 0 UID: 0 PID: 4672 Comm: kworker/u5:1 Not tainted 6.12.0-rc6-syzkaller-00279-gde2f378f2b77 #0 [ 75.569629][ T4672] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.573655][ T4672] Workqueue: hci0 hci_rx_work [ 75.575458][ T4672] Call Trace: [ 75.576715][ T4672] [ 75.577854][ T4672] dump_stack_lvl+0x241/0x360 [ 75.579646][ T4672] ? __pfx_dump_stack_lvl+0x10/0x10 [ 75.581402][ T4672] ? __pfx__printk+0x10/0x10 [ 75.583115][ T4672] __might_resched+0x5d4/0x780 [ 75.584911][ T4672] ? __mutex_lock+0x112/0xd70 [ 75.586665][ T4672] ? __pfx___might_resched+0x10/0x10 [ 75.588681][ T4672] __mutex_lock+0xc1/0xd70 [ 75.590364][ T4672] ? __pfx_lock_acquire+0x10/0x10 [ 75.592136][ T4672] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 75.594280][ T4672] ? __pfx_lock_release+0x10/0x10 [ 75.596082][ T4672] ? __pfx___mutex_lock+0x10/0x10 [ 75.597897][ T4672] ? trace_contention_end+0x3c/0x120 [ 75.599800][ T4672] ? skb_pull_data+0x112/0x230 [ 75.601533][ T4672] ? hci_conn_set_handle+0x9a/0x270 [ 75.603377][ T4672] hci_le_create_big_complete_evt+0x3d9/0xae0 [ 75.605621][ T4672] ? __copy_skb_header+0x437/0x5b0 [ 75.607646][ T4672] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 75.609878][ T4672] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 75.612232][ T4672] ? hci_le_meta_evt+0x366/0x580 [ 75.613999][ T4672] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 75.616340][ T4672] hci_event_packet+0xa55/0x1540 [ 75.618071][ T4672] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 75.619894][ T4672] ? __pfx_hci_event_packet+0x10/0x10 [ 75.621892][ T4672] ? set_secure_conn_complete+0x5c0/0x630 [ 75.624070][ T4672] ? kcov_remote_start+0x97/0x7d0 [ 75.625915][ T4672] hci_rx_work+0x3fe/0xd80 [ 75.627650][ T4672] ? process_scheduled_works+0x976/0x1850 [ 75.629787][ T4672] process_scheduled_works+0xa63/0x1850 [ 75.631834][ T4672] ? __pfx_process_scheduled_works+0x10/0x10 [ 75.634006][ T4672] ? assign_work+0x364/0x3d0 [ 75.635736][ T4672] worker_thread+0x870/0xd30 [ 75.637434][ T4672] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 75.639560][ T4672] ? __kthread_parkme+0x169/0x1d0 [ 75.641398][ T4672] ? __pfx_worker_thread+0x10/0x10 [ 75.643275][ T4672] kthread+0x2f0/0x390 [ 75.644762][ T4672] ? __pfx_worker_thread+0x10/0x10 [ 75.646550][ T4672] ? __pfx_kthread+0x10/0x10 [ 75.648261][ T4672] ret_from_fork+0x4b/0x80 [ 75.649920][ T4672] ? __pfx_kthread+0x10/0x10 [ 75.651700][ T4672] ret_from_fork_asm+0x1a/0x30 [ 75.653452][ T4672] [ 75.660380][ T4672] [ 75.661327][ T4672] ============================= [ 75.663143][ T4672] [ BUG: Invalid wait context ] [ 75.664996][ T4672] 6.12.0-rc6-syzkaller-00279-gde2f378f2b77 #0 Tainted: G W [ 75.668084][ T4672] ----------------------------- [ 75.669905][ T4672] kworker/u5:1/4672 is trying to lock: [ 75.671924][ T4672] ffffffff8fe402a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0x3d9/0xae0 [ 75.675857][ T4672] other info that might help us debug this: [ 75.677997][ T4672] context-{4:4} [ 75.679276][ T4672] 4 locks held by kworker/u5:1/4672: [ 75.681329][ T4672] #0: ffff888043592948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 [ 75.685295][ T4672] #1: ffffc9000d6f7d00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 [ 75.689671][ T4672] #2: ffff888040b84078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xcf/0xae0 [ 75.693457][ T4672] #3: ffffffff8e937da0 (rcu_read_lock){....}-{1:2}, at: hci_le_create_big_complete_evt+0xdb/0xae0 [ 75.697430][ T4672] stack backtrace: [ 75.698809][ T4672] CPU: 0 UID: 0 PID: 4672 Comm: kworker/u5:1 Tainted: G W 6.12.0-rc6-syzkaller-00279-gde2f378f2b77 #0 [ 75.703278][ T4672] Tainted: [W]=WARN [ 75.704736][ T4672] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.708735][ T4672] Workqueue: hci0 hci_rx_work [ 75.710471][ T4672] Call Trace: [ 75.711789][ T4672] [ 75.712934][ T4672] dump_stack_lvl+0x241/0x360 [ 75.714686][ T4672] ? __pfx_dump_stack_lvl+0x10/0x10 [ 75.716656][ T4672] ? __pfx__printk+0x10/0x10 [ 75.718365][ T4672] __lock_acquire+0x154a/0x2050 [ 75.720186][ T4672] lock_acquire+0x1ed/0x550 [ 75.721893][ T4672] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 75.724178][ T4672] ? __pfx_lock_acquire+0x10/0x10 [ 75.725971][ T4672] ? __mutex_lock+0x112/0xd70 [ 75.727770][ T4672] ? __pfx___might_resched+0x10/0x10 [ 75.729699][ T4672] __mutex_lock+0x136/0xd70 [ 75.731369][ T4672] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 75.733709][ T4672] ? __pfx_lock_acquire+0x10/0x10 [ 75.735613][ T4672] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 75.737837][ T4672] ? __pfx_lock_release+0x10/0x10 [ 75.739823][ T4672] ? __pfx___mutex_lock+0x10/0x10 [ 75.741783][ T4672] ? trace_contention_end+0x3c/0x120 [ 75.743715][ T4672] ? skb_pull_data+0x112/0x230 [ 75.745521][ T4672] ? hci_conn_set_handle+0x9a/0x270 [ 75.747496][ T4672] hci_le_create_big_complete_evt+0x3d9/0xae0 [ 75.749753][ T4672] ? __copy_skb_header+0x437/0x5b0 [ 75.751936][ T4672] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 75.754280][ T4672] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 75.756637][ T4672] ? hci_le_meta_evt+0x366/0x580 [ 75.758444][ T4672] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 75.761021][ T4672] hci_event_packet+0xa55/0x1540 [ 75.762900][ T4672] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 75.764789][ T4672] ? __pfx_hci_event_packet+0x10/0x10 [ 75.766805][ T4672] ? set_secure_conn_complete+0x5c0/0x630 [ 75.768887][ T4672] ? kcov_remote_start+0x97/0x7d0 [ 75.770767][ T4672] hci_rx_work+0x3fe/0xd80 [ 75.772862][ T4672] ? process_scheduled_works+0x976/0x1850 [ 75.775390][ T4672] process_scheduled_works+0xa63/0x1850 [ 75.777838][ T4672] ? __pfx_process_scheduled_works+0x10/0x10 [ 75.780218][ T4672] ? assign_work+0x364/0x3d0 [ 75.781943][ T4672] worker_thread+0x870/0xd30 [ 75.783703][ T4672] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 75.785795][ T4672] ? __kthread_parkme+0x169/0x1d0 [ 75.787682][ T4672] ? __pfx_worker_thread+0x10/0x10 [ 75.789561][ T4672] kthread+0x2f0/0x390 [ 75.791086][ T4672] ? __pfx_worker_thread+0x10/0x10 [ 75.793242][ T4672] ? __pfx_kthread+0x10/0x10 [ 75.795026][ T4672] ret_from_fork+0x4b/0x80 [ 75.796846][ T4672] ? __pfx_kthread+0x10/0x10 [ 75.798593][ T4672] ret_from_fork_asm+0x1a/0x30 [ 75.800392][ T4672] [ 75.806223][ T4672] ================================================================== [ 75.809250][ T4672] BUG: KASAN: slab-use-after-free in hci_le_create_big_complete_evt+0x383/0xae0 [ 75.812580][ T4672] Read of size 8 at addr ffff888040b80000 by task kworker/u5:1/4672 [ 75.815305][ T4672] [ 75.816244][ T4672] CPU: 0 UID: 0 PID: 4672 Comm: kworker/u5:1 Tainted: G W 6.12.0-rc6-syzkaller-00279-gde2f378f2b77 #0 [ 75.820627][ T4672] Tainted: [W]=WARN [ 75.822015][ T4672] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.826051][ T4672] Workqueue: hci0 hci_rx_work [ 75.827800][ T4672] Call Trace: [ 75.829076][ T4672] [ 75.830197][ T4672] dump_stack_lvl+0x241/0x360 [ 75.831973][ T4672] ? __pfx_dump_stack_lvl+0x10/0x10 [ 75.833855][ T4672] ? __pfx__printk+0x10/0x10 [ 75.835438][ T4672] ? _printk+0xd5/0x120 [ 75.837041][ T4672] ? __virt_addr_valid+0x183/0x530 [ 75.838932][ T4672] ? __virt_addr_valid+0x183/0x530 [ 75.840878][ T4672] print_report+0x169/0x550 [ 75.842631][ T4672] ? __virt_addr_valid+0x183/0x530 [ 75.844825][ T4672] ? __virt_addr_valid+0x183/0x530 [ 75.846720][ T4672] ? __virt_addr_valid+0x45f/0x530 [ 75.848564][ T4672] ? __phys_addr+0xba/0x170 [ 75.850049][ T4672] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 75.852439][ T4672] kasan_report+0x143/0x180 [ 75.854158][ T4672] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 75.856423][ T4672] hci_le_create_big_complete_evt+0x383/0xae0 [ 75.858666][ T4672] ? __copy_skb_header+0x437/0x5b0 [ 75.860494][ T4672] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 75.862796][ T4672] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 75.865272][ T4672] ? hci_le_meta_evt+0x366/0x580 [ 75.867120][ T4672] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 75.869597][ T4672] hci_event_packet+0xa55/0x1540 [ 75.871454][ T4672] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 75.873355][ T4672] ? __pfx_hci_event_packet+0x10/0x10 [ 75.875449][ T4672] ? set_secure_conn_complete+0x5c0/0x630 [ 75.877594][ T4672] ? kcov_remote_start+0x97/0x7d0 [ 75.879475][ T4672] hci_rx_work+0x3fe/0xd80 [ 75.881090][ T4672] ? process_scheduled_works+0x976/0x1850 [ 75.883241][ T4672] process_scheduled_works+0xa63/0x1850 [ 75.885249][ T4672] ? __pfx_process_scheduled_works+0x10/0x10 [ 75.887505][ T4672] ? assign_work+0x364/0x3d0 [ 75.889297][ T4672] worker_thread+0x870/0xd30 [ 75.891017][ T4672] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 75.893271][ T4672] ? __kthread_parkme+0x169/0x1d0 [ 75.895154][ T4672] ? __pfx_worker_thread+0x10/0x10 [ 75.897094][ T4672] kthread+0x2f0/0x390 [ 75.898664][ T4672] ? __pfx_worker_thread+0x10/0x10 [ 75.901584][ T4672] ? __pfx_kthread+0x10/0x10 [ 75.903451][ T4672] ret_from_fork+0x4b/0x80 [ 75.905167][ T4672] ? __pfx_kthread+0x10/0x10 [ 75.906907][ T4672] ret_from_fork_asm+0x1a/0x30 [ 75.908721][ T4672] [ 75.909904][ T4672] [ 75.910812][ T4672] Allocated by task 4672: [ 75.912449][ T4672] kasan_save_track+0x3f/0x80 [ 75.914140][ T4672] __kasan_kmalloc+0x98/0xb0 [ 75.915907][ T4672] __kmalloc_cache_noprof+0x19c/0x2c0 [ 75.917908][ T4672] __hci_conn_add+0x2f9/0x1850 [ 75.919715][ T4672] hci_le_big_sync_established_evt+0x414/0xc20 [ 75.921999][ T4672] hci_event_packet+0xa55/0x1540 [ 75.923751][ T4672] hci_rx_work+0x3fe/0xd80 [ 75.925446][ T4672] process_scheduled_works+0xa63/0x1850 [ 75.927506][ T4672] worker_thread+0x870/0xd30 [ 75.929314][ T4672] kthread+0x2f0/0x390 [ 75.930895][ T4672] ret_from_fork+0x4b/0x80 [ 75.932600][ T4672] ret_from_fork_asm+0x1a/0x30 [ 75.934359][ T4672] [ 75.935231][ T4672] Freed by task 4672: [ 75.936763][ T4672] kasan_save_track+0x3f/0x80 [ 75.938561][ T4672] kasan_save_free_info+0x40/0x50 [ 75.940479][ T4672] __kasan_slab_free+0x59/0x70 [ 75.942287][ T4672] kfree+0x1a0/0x440 [ 75.943809][ T4672] device_release+0x99/0x1c0 [ 75.945609][ T4672] kobject_put+0x22f/0x480 [ 75.947284][ T4672] hci_conn_del+0x8c4/0xc40 [ 75.948968][ T4672] hci_le_create_big_complete_evt+0x619/0xae0 [ 75.951183][ T4672] hci_event_packet+0xa55/0x1540 [ 75.953068][ T4672] hci_rx_work+0x3fe/0xd80 [ 75.954751][ T4672] process_scheduled_works+0xa63/0x1850 [ 75.956968][ T4672] worker_thread+0x870/0xd30 [ 75.958711][ T4672] kthread+0x2f0/0x390 [ 75.960266][ T4672] ret_from_fork+0x4b/0x80 [ 75.961936][ T4672] ret_from_fork_asm+0x1a/0x30 [ 75.963706][ T4672] [ 75.964592][ T4672] The buggy address belongs to the object at ffff888040b80000 [ 75.964592][ T4672] which belongs to the cache kmalloc-8k of size 8192 [ 75.969637][ T4672] The buggy address is located 0 bytes inside of [ 75.969637][ T4672] freed 8192-byte region [ffff888040b80000, ffff888040b82000) [ 75.974575][ T4672] [ 75.975495][ T4672] The buggy address belongs to the physical page: [ 75.977867][ T4672] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x40b80 [ 75.981058][ T4672] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 75.984113][ T4672] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) [ 75.986894][ T4672] page_type: f5(slab) [ 75.988394][ T4672] raw: 04fff00000000040 ffff88801ac42280 ffffea000101a800 0000000000000004 [ 75.991454][ T4672] raw: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000 [ 75.994636][ T4672] head: 04fff00000000040 ffff88801ac42280 ffffea000101a800 0000000000000004 [ 75.997718][ T4672] head: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000 [ 76.000946][ T4672] head: 04fff00000000003 ffffea000102e001 ffffffffffffffff 0000000000000000 [ 76.004090][ T4672] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 76.007123][ T4672] page dumped because: kasan: bad access detected [ 76.009385][ T4672] page_owner tracks the page as allocated [ 76.011677][ T4672] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5306, tgid 5306 (sh), ts 64434458964, free_ts 64406012846 [ 76.018994][ T4672] post_alloc_hook+0x1f3/0x230 [ 76.020808][ T4672] get_page_from_freelist+0x303f/0x3190 [ 76.022830][ T4672] __alloc_pages_noprof+0x292/0x710 [ 76.024853][ T4672] alloc_pages_mpol_noprof+0x3e8/0x680 [ 76.026960][ T4672] alloc_slab_page+0x6a/0x140 [ 76.028725][ T4672] allocate_slab+0x5a/0x2f0 [ 76.030439][ T4672] ___slab_alloc+0xcd1/0x14b0 [ 76.032154][ T4672] __slab_alloc+0x58/0xa0 [ 76.033796][ T4672] __kmalloc_cache_noprof+0x1d5/0x2c0 [ 76.035863][ T4672] tomoyo_init_log+0x11cd/0x2050 [ 76.037746][ T4672] tomoyo_supervisor+0x38a/0x11f0 [ 76.039669][ T4672] tomoyo_env_perm+0x178/0x210 [ 76.041494][ T4672] tomoyo_find_next_domain+0x146e/0x1d40 [ 76.043545][ T4672] tomoyo_bprm_check_security+0x114/0x180 [ 76.045639][ T4672] security_bprm_check+0x86/0x250 [ 76.047476][ T4672] bprm_execve+0xa56/0x1770 [ 76.049143][ T4672] page last free pid 5028 tgid 5028 stack trace: [ 76.051516][ T4672] free_unref_page+0xcfb/0xf20 [ 76.053292][ T4672] __put_partials+0xeb/0x130 [ 76.055064][ T4672] put_cpu_partial+0x17c/0x250 [ 76.056893][ T4672] __slab_free+0x2ea/0x3d0 [ 76.058551][ T4672] qlist_free_all+0x9a/0x140 [ 76.060290][ T4672] kasan_quarantine_reduce+0x14f/0x170 [ 76.062276][ T4672] __kasan_slab_alloc+0x23/0x80 [ 76.064091][ T4672] kmem_cache_alloc_node_noprof+0x16b/0x320 [ 76.066167][ T4672] __alloc_skb+0x1c3/0x440 [ 76.067767][ T4672] netlink_sendmsg+0x638/0xcb0 [ 76.069479][ T4672] __sock_sendmsg+0x221/0x270 [ 76.071276][ T4672] __sys_sendto+0x39b/0x4f0 [ 76.072952][ T4672] __x64_sys_sendto+0xde/0x100 [ 76.074785][ T4672] do_syscall_64+0xf3/0x230 [ 76.076549][ T4672] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.078756][ T4672] [ 76.079683][ T4672] Memory state around the buggy address: [ 76.081814][ T4672] ffff888040b7ff00: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 76.084999][ T4672] ffff888040b7ff80: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe [ 76.088037][ T4672] >ffff888040b80000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.090948][ T4672] ^ [ 76.092421][ T4672] ffff888040b80080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.095457][ T4672] ffff888040b80100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.098416][ T4672] ================================================================== [ 76.121429][ T4672] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 76.124111][ T4672] CPU: 0 UID: 0 PID: 4672 Comm: kworker/u5:1 Tainted: G W 6.12.0-rc6-syzkaller-00279-gde2f378f2b77 #0 [ 76.128721][ T4672] Tainted: [W]=WARN [ 76.130193][ T4672] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 76.134237][ T4672] Workqueue: hci0 hci_rx_work [ 76.135895][ T4672] Call Trace: [ 76.137173][ T4672] [ 76.138329][ T4672] dump_stack_lvl+0x241/0x360 [ 76.140241][ T4672] ? __pfx_dump_stack_lvl+0x10/0x10 [ 76.142217][ T4672] ? __pfx__printk+0x10/0x10 [ 76.143908][ T4672] ? rcu_is_watching+0x15/0xb0 [ 76.145681][ T4672] ? preempt_schedule+0xe1/0xf0 [ 76.147557][ T4672] ? vscnprintf+0x5d/0x90 [ 76.149288][ T4672] panic+0x349/0x880 [ 76.150893][ T4672] ? check_panic_on_warn+0x21/0xb0 [ 76.152754][ T4672] ? __pfx_panic+0x10/0x10 [ 76.154525][ T4672] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 76.156743][ T4672] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 76.158811][ T4672] ? print_report+0x502/0x550 [ 76.160531][ T4672] check_panic_on_warn+0x86/0xb0 [ 76.162529][ T4672] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 76.164886][ T4672] end_report+0x77/0x160 [ 76.166437][ T4672] kasan_report+0x154/0x180 [ 76.168181][ T4672] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 76.170554][ T4672] hci_le_create_big_complete_evt+0x383/0xae0 [ 76.172875][ T4672] ? __copy_skb_header+0x437/0x5b0 [ 76.175023][ T4672] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 76.177325][ T4672] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 76.179915][ T4672] ? hci_le_meta_evt+0x366/0x580 [ 76.181757][ T4672] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 76.184219][ T4672] hci_event_packet+0xa55/0x1540 [ 76.186108][ T4672] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 76.188116][ T4672] ? __pfx_hci_event_packet+0x10/0x10 [ 76.190123][ T4672] ? set_secure_conn_complete+0x5c0/0x630 [ 76.192272][ T4672] ? kcov_remote_start+0x97/0x7d0 [ 76.194137][ T4672] hci_rx_work+0x3fe/0xd80 [ 76.195838][ T4672] ? process_scheduled_works+0x976/0x1850 [ 76.197929][ T4672] process_scheduled_works+0xa63/0x1850 [ 76.200048][ T4672] ? __pfx_process_scheduled_works+0x10/0x10 [ 76.202350][ T4672] ? assign_work+0x364/0x3d0 [ 76.204160][ T4672] worker_thread+0x870/0xd30 [ 76.206178][ T4672] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 76.208422][ T4672] ? __kthread_parkme+0x169/0x1d0 [ 76.210304][ T4672] ? __pfx_worker_thread+0x10/0x10 [ 76.212218][ T4672] kthread+0x2f0/0x390 [ 76.213777][ T4672] ? __pfx_worker_thread+0x10/0x10 [ 76.215690][ T4672] ? __pfx_kthread+0x10/0x10 [ 76.217465][ T4672] ret_from_fork+0x4b/0x80 [ 76.219208][ T4672] ? __pfx_kthread+0x10/0x10 [ 76.220952][ T4672] ret_from_fork_asm+0x1a/0x30 [ 76.222824][ T4672] [ 76.224323][ T4672] Kernel Offset: disabled [ 76.226036][ T4672] Rebooting in 86400 seconds..