program: r0 = userfaultfd(0x801) ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f0000000080)={0xaa, 0x1}) ioctl$UFFDIO_ZEROPAGE(r0, 0xc020aa04, &(0x7f0000000000)={{&(0x7f0000ff2000/0x3000)=nil, 0x30fe}, 0x1}) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000740)={0x10, 0x4, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000000000000000000000000061104400000000009500000000000000405bae196e975a155a73e30ebf135712a120e292a87601e34f91ea243068695cb96c09b03f9d57a3441afec49589301dfa9cddda9316aae1a34d49c2d471ec821f50e2ac36d82c198724b847efd83dece19d5f30825e250c0fec1913d92480d6564bc4fbeb8e5413b86e0f660cb45c178c36dc22e6928034d9d1177c8c8f5c45c6224215c360c22c265f9232b19f"], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r1 = socket$inet(0x2, 0x4000000000000001, 0x0) bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000580)={0x2, 0xd, &(0x7f0000000000)=ANY=[@ANYBLOB="180200000000000000000000001000008510000001000000950000000000000018000000001af8ff00000000bd21ffff0000000007010000f8ffffffb502020008000000b70300000000000085000000ae000000a700000000000000"], &(0x7f0000000080)='GPL\x00', 0x2, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) setsockopt$sock_int(r1, 0x1, 0xa, &(0x7f0000000100)=0x4c, 0x4) ioctl$sock_inet_tcp_SIOCINQ(r1, 0x541b, &(0x7f0000000000)) preadv2(r1, &(0x7f0000000100)=[{&(0x7f000000a3c0)=""/129, 0x81}, {&(0x7f000000a0c0)=""/209, 0xd1}, {&(0x7f0000000080)=""/59, 0x3b}, {&(0x7f000000a1c0)=""/200, 0xc8}, {&(0x7f000000a2c0)=""/255, 0xff}], 0x5, 0x854f, 0x5d, 0x10) r2 = socket$pppoe(0x18, 0x1, 0x0) connect$pppoe(r2, &(0x7f0000000400)={0x18, 0x0, {0x2, @dev={'\xaa\xaa\xaa\xaa\xaa', 0xa}, 'lo\x00'}}, 0x1e) r3 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) ioctl$PPPIOCNEWUNIT(r3, 0xc004743e, &(0x7f00000000c0)) bpf$PROG_LOAD(0x5, 
&(0x7f0000000180)={0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x78) r4 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0) r5 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$sock_bt_hci(r5, 0x400448cb, 0x0) syz_mount_image$ext4(&(0x7f00000001c0)='ext4\x00', &(0x7f0000000040)='./bus\x00', 0x4400, &(0x7f0000000640), 0x1, 0x75e, &(0x7f0000001100)="$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") chdir(&(0x7f0000000440)='./file0\x00') r6 = openat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x0, 0x0) ioctl$FS_IOC_ENABLE_VERITY(r6, 0x40806685, &(0x7f00000002c0)={0x1, 0x2, 0x1000, 0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$FS_IOC_READ_VERITY_METADATA(r6, 0xc0046686, &(0x7f0000000100)={0x0, 0x0, 0x0, 0x0}) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0x6, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b708"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="043e751d"], 0x24) syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="043e1f1b"], 0x22) openat$snapshot(0xffffffffffffff9c, &(0x7f00000002c0), 0x40040, 0x0) syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="040e0402030c"], 0x7) ioctl$EVIOCGPROP(r4, 0x40047438, &(0x7f0000000180)=""/246) ioctl$PPPIOCSMAXCID(r3, 0x40047451, &(0x7f0000000680)=0x2) ioctl$PPPIOCSFLAGS1(r4, 0x4004743a, &(0x7f0000000300)) [ 69.504419][ T48] Bluetooth: hci0: command tx timeout [ 69.645919][ T5334] loop0: detected capacity change from 0 to 2048 [ 69.679230][ T5334] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. 
[ 69.685415][ T5334] ext4 filesystem being mounted at /0/bus supports timestamps until 2038-01-19 (0x7fffffff) [ 69.693270][ T5334] fs-verity: sha512 using implementation "sha512-avx2" [ 69.701470][ T48] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:562 [ 69.706716][ T48] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 48, name: kworker/u5:0 [ 69.709959][ T48] preempt_count: 0, expected: 0 [ 69.712123][ T48] RCU nest depth: 1, expected: 0 [ 69.714455][ T48] 4 locks held by kworker/u5:0/48: [ 69.716358][ T48] #0: ffff888011e92148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 [ 69.722051][ T48] #1: ffffc9000062fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 [ 69.727847][ T48] #2: ffff888051548078 (&hdev->lock){+.+.}-{4:4}, at: hci_le_create_big_complete_evt+0xcf/0xae0 [ 69.731998][ T48] #3: ffffffff8e93c820 (rcu_read_lock){....}-{1:3}, at: hci_le_create_big_complete_evt+0xdb/0xae0 [ 69.736486][ T48] CPU: 0 UID: 0 PID: 48 Comm: kworker/u5:0 Not tainted 6.12.0-syzkaller-03657-g43fb83c17ba2 #0 [ 69.740475][ T48] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 69.744746][ T48] Workqueue: hci0 hci_rx_work [ 69.746479][ T48] Call Trace: [ 69.747738][ T48] [ 69.748873][ T48] dump_stack_lvl+0x241/0x360 [ 69.750603][ T48] ? __pfx_dump_stack_lvl+0x10/0x10 [ 69.752665][ T48] ? __pfx__printk+0x10/0x10 [ 69.754506][ T48] __might_resched+0x5d4/0x780 [ 69.756712][ T48] ? __mutex_lock+0x187/0xee0 [ 69.758843][ T48] ? __pfx___might_resched+0x10/0x10 [ 69.760959][ T48] ? __lock_acquire+0x1397/0x2100 [ 69.763084][ T48] __mutex_lock+0x131/0xee0 [ 69.764933][ T48] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 69.767398][ T48] ? __pfx___mutex_lock+0x10/0x10 [ 69.769399][ T48] ? rcu_is_watching+0x15/0xb0 [ 69.771221][ T48] ? trace_contention_end+0x3c/0x120 [ 69.773265][ T48] ? 
skb_pull_data+0x112/0x230 [ 69.775083][ T48] ? hci_conn_set_handle+0x9a/0x270 [ 69.777132][ T48] hci_le_create_big_complete_evt+0x3d9/0xae0 [ 69.779488][ T48] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 69.781785][ T48] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 69.784329][ T48] ? hci_le_meta_evt+0x366/0x580 [ 69.786261][ T48] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 69.788826][ T48] hci_event_packet+0xa55/0x1540 [ 69.790822][ T48] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 69.792876][ T48] ? __pfx_hci_event_packet+0x10/0x10 [ 69.794829][ T48] ? do_raw_spin_unlock+0x58/0x8b0 [ 69.796863][ T48] ? hci_send_to_monitor+0xd8/0x7f0 [ 69.798906][ T48] ? kcov_remote_start+0x97/0x7d0 [ 69.800924][ T48] hci_rx_work+0x3e8/0xca0 [ 69.802640][ T48] ? process_scheduled_works+0x976/0x1850 [ 69.804834][ T48] process_scheduled_works+0xa63/0x1850 [ 69.806757][ T48] ? __pfx_process_scheduled_works+0x10/0x10 [ 69.808978][ T48] ? assign_work+0x364/0x3d0 [ 69.810799][ T48] worker_thread+0x870/0xd30 [ 69.812538][ T48] ? __kthread_parkme+0x169/0x1d0 [ 69.814441][ T48] ? __pfx_worker_thread+0x10/0x10 [ 69.816441][ T48] kthread+0x2f0/0x390 [ 69.817996][ T48] ? __pfx_worker_thread+0x10/0x10 [ 69.819766][ T48] ? __pfx_kthread+0x10/0x10 [ 69.821416][ T48] ret_from_fork+0x4b/0x80 [ 69.822969][ T48] ? 
__pfx_kthread+0x10/0x10 [ 69.824542][ T48] ret_from_fork_asm+0x1a/0x30 [ 69.826268][ T48] [ 69.830682][ T48] [ 69.831544][ T48] ============================= [ 69.833086][ T48] [ BUG: Invalid wait context ] [ 69.834773][ T48] 6.12.0-syzkaller-03657-g43fb83c17ba2 #0 Tainted: G W [ 69.837740][ T48] ----------------------------- [ 69.839481][ T48] kworker/u5:0/48 is trying to lock: [ 69.841250][ T48] ffffffff8fe4d568 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_le_create_big_complete_evt+0x3d9/0xae0 [ 69.844787][ T48] other info that might help us debug this: [ 69.846756][ T48] context-{5:5} [ 69.848130][ T48] 4 locks held by kworker/u5:0/48: [ 69.850066][ T48] #0: ffff888011e92148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 [ 69.854130][ T48] #1: ffffc9000062fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 [ 69.858613][ T48] #2: ffff888051548078 (&hdev->lock){+.+.}-{4:4}, at: hci_le_create_big_complete_evt+0xcf/0xae0 [ 69.862448][ T48] #3: ffffffff8e93c820 (rcu_read_lock){....}-{1:3}, at: hci_le_create_big_complete_evt+0xdb/0xae0 [ 69.866314][ T48] stack backtrace: [ 69.867700][ T48] CPU: 0 UID: 0 PID: 48 Comm: kworker/u5:0 Tainted: G W 6.12.0-syzkaller-03657-g43fb83c17ba2 #0 [ 69.871963][ T48] Tainted: [W]=WARN [ 69.873434][ T48] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 69.877453][ T48] Workqueue: hci0 hci_rx_work [ 69.879207][ T48] Call Trace: [ 69.880593][ T48] [ 69.881721][ T48] dump_stack_lvl+0x241/0x360 [ 69.883485][ T48] ? __pfx_dump_stack_lvl+0x10/0x10 [ 69.885415][ T48] ? __pfx__printk+0x10/0x10 [ 69.887034][ T48] __lock_acquire+0x15a8/0x2100 [ 69.888848][ T48] lock_acquire+0x1ed/0x550 [ 69.890559][ T48] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 69.892882][ T48] ? __pfx_lock_acquire+0x10/0x10 [ 69.894744][ T48] ? __mutex_lock+0x187/0xee0 [ 69.896508][ T48] ? __pfx___might_resched+0x10/0x10 [ 69.898452][ T48] ? 
__lock_acquire+0x1397/0x2100 [ 69.900409][ T48] __mutex_lock+0x1ac/0xee0 [ 69.902127][ T48] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 69.904352][ T48] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 69.906551][ T48] ? __pfx___mutex_lock+0x10/0x10 [ 69.908548][ T48] ? rcu_is_watching+0x15/0xb0 [ 69.910581][ T48] ? trace_contention_end+0x3c/0x120 [ 69.912824][ T48] ? skb_pull_data+0x112/0x230 [ 69.914802][ T48] ? hci_conn_set_handle+0x9a/0x270 [ 69.916896][ T48] hci_le_create_big_complete_evt+0x3d9/0xae0 [ 69.919307][ T48] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 69.921690][ T48] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 69.924212][ T48] ? hci_le_meta_evt+0x366/0x580 [ 69.926172][ T48] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 69.929000][ T48] hci_event_packet+0xa55/0x1540 [ 69.931191][ T48] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 69.933674][ T48] ? __pfx_hci_event_packet+0x10/0x10 [ 69.935921][ T48] ? do_raw_spin_unlock+0x58/0x8b0 [ 69.937913][ T48] ? hci_send_to_monitor+0xd8/0x7f0 [ 69.939894][ T48] ? kcov_remote_start+0x97/0x7d0 [ 69.941887][ T48] hci_rx_work+0x3e8/0xca0 [ 69.943654][ T48] ? process_scheduled_works+0x976/0x1850 [ 69.945873][ T48] process_scheduled_works+0xa63/0x1850 [ 69.947882][ T48] ? __pfx_process_scheduled_works+0x10/0x10 [ 69.950167][ T48] ? assign_work+0x364/0x3d0 [ 69.951912][ T48] worker_thread+0x870/0xd30 [ 69.953620][ T48] ? __kthread_parkme+0x169/0x1d0 [ 69.955489][ T48] ? __pfx_worker_thread+0x10/0x10 [ 69.957480][ T48] kthread+0x2f0/0x390 [ 69.959028][ T48] ? __pfx_worker_thread+0x10/0x10 [ 69.960996][ T48] ? __pfx_kthread+0x10/0x10 [ 69.962747][ T48] ret_from_fork+0x4b/0x80 [ 69.964524][ T48] ? 
__pfx_kthread+0x10/0x10
[ 69.966226][ T48] ret_from_fork_asm+0x1a/0x30
[ 69.968378][ T48]
[ 69.982122][ T48] ==================================================================
[ 69.985124][ T48] BUG: KASAN: slab-use-after-free in hci_le_create_big_complete_evt+0x383/0xae0
[ 69.988526][ T48] Read of size 8 at addr ffff888043808000 by task kworker/u5:0/48
[ 69.991348][ T48]
[ 69.992267][ T48] CPU: 0 UID: 0 PID: 48 Comm: kworker/u5:0 Tainted: G W 6.12.0-syzkaller-03657-g43fb83c17ba2 #0
[ 69.996655][ T48] Tainted: [W]=WARN
[ 69.998149][ T48] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 70.002236][ T48] Workqueue: hci0 hci_rx_work
[ 70.004024][ T48] Call Trace:
[ 70.005287][ T48]
[ 70.006387][ T48] dump_stack_lvl+0x241/0x360
[ 70.008019][ T48] ? __pfx_dump_stack_lvl+0x10/0x10
[ 70.009893][ T48] ? __pfx__printk+0x10/0x10
[ 70.011630][ T48] ? _printk+0xd5/0x120
[ 70.013218][ T48] ? __virt_addr_valid+0x183/0x530
[ 70.015107][ T48] ? __virt_addr_valid+0x183/0x530
[ 70.017063][ T48] print_report+0x169/0x550
[ 70.018861][ T48] ? __virt_addr_valid+0x183/0x530
[ 70.020869][ T48] ? __virt_addr_valid+0x183/0x530
[ 70.022822][ T48] ? __virt_addr_valid+0x45f/0x530
[ 70.024781][ T48] ? __phys_addr+0xba/0x170
[ 70.026440][ T48] ? hci_le_create_big_complete_evt+0x383/0xae0
[ 70.028810][ T48] kasan_report+0x143/0x180
[ 70.030553][ T48] ? hci_le_create_big_complete_evt+0x383/0xae0
[ 70.032925][ T48] hci_le_create_big_complete_evt+0x383/0xae0
[ 70.035246][ T48] ? hci_le_create_big_complete_evt+0xdb/0xae0
[ 70.037531][ T48] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10
[ 70.040006][ T48] ? hci_le_meta_evt+0x366/0x580
[ 70.041855][ T48] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10
[ 70.044336][ T48] hci_event_packet+0xa55/0x1540
[ 70.046225][ T48] ? __pfx_hci_le_meta_evt+0x10/0x10
[ 70.048202][ T48] ? __pfx_hci_event_packet+0x10/0x10
[ 70.050171][ T48] ? do_raw_spin_unlock+0x58/0x8b0
[ 70.052130][ T48] ? hci_send_to_monitor+0xd8/0x7f0
[ 70.054107][ T48] ? kcov_remote_start+0x97/0x7d0
[ 70.056010][ T48] hci_rx_work+0x3e8/0xca0
[ 70.057785][ T48] ? process_scheduled_works+0x976/0x1850
[ 70.060024][ T48] process_scheduled_works+0xa63/0x1850
[ 70.062094][ T48] ? __pfx_process_scheduled_works+0x10/0x10
[ 70.064228][ T48] ? assign_work+0x364/0x3d0
[ 70.065999][ T48] worker_thread+0x870/0xd30
[ 70.067741][ T48] ? __kthread_parkme+0x169/0x1d0
[ 70.069622][ T48] ? __pfx_worker_thread+0x10/0x10
[ 70.071550][ T48] kthread+0x2f0/0x390
[ 70.073083][ T48] ? __pfx_worker_thread+0x10/0x10
[ 70.075188][ T48] ? __pfx_kthread+0x10/0x10
[ 70.077246][ T48] ret_from_fork+0x4b/0x80
[ 70.079255][ T48] ? __pfx_kthread+0x10/0x10
[ 70.081307][ T48] ret_from_fork_asm+0x1a/0x30
[ 70.083347][ T48]
[ 70.084699][ T48]
[ 70.085639][ T48] Allocated by task 48:
[ 70.087149][ T48] kasan_save_track+0x3f/0x80
[ 70.088950][ T48] __kasan_kmalloc+0x98/0xb0
[ 70.090776][ T48] __kmalloc_cache_noprof+0x19c/0x2c0
[ 70.092867][ T48] __hci_conn_add+0x2f9/0x1850
[ 70.094665][ T48] hci_le_big_sync_established_evt+0x414/0xc20
[ 70.096845][ T48] hci_event_packet+0xa55/0x1540
[ 70.098793][ T48] hci_rx_work+0x3e8/0xca0
[ 70.100512][ T48] process_scheduled_works+0xa63/0x1850
[ 70.102552][ T48] worker_thread+0x870/0xd30
[ 70.104287][ T48] kthread+0x2f0/0x390
[ 70.105805][ T48] ret_from_fork+0x4b/0x80
[ 70.107526][ T48] ret_from_fork_asm+0x1a/0x30
[ 70.109282][ T48]
[ 70.110151][ T48] Freed by task 48:
[ 70.111597][ T48] kasan_save_track+0x3f/0x80
[ 70.113360][ T48] kasan_save_free_info+0x40/0x50
[ 70.115191][ T48] __kasan_slab_free+0x59/0x70
[ 70.117003][ T48] kfree+0x1a0/0x440
[ 70.118487][ T48] device_release+0x99/0x1c0
[ 70.120239][ T48] kobject_put+0x22f/0x480
[ 70.121963][ T48] hci_conn_del+0x8c4/0xc40
[ 70.123720][ T48] hci_le_create_big_complete_evt+0x619/0xae0
[ 70.126043][ T48] hci_event_packet+0xa55/0x1540
[ 70.127899][ T48] hci_rx_work+0x3e8/0xca0
[ 70.129684][ T48] process_scheduled_works+0xa63/0x1850 [ 
70.131832][ T48] worker_thread+0x870/0xd30 [ 70.133616][ T48] kthread+0x2f0/0x390 [ 70.135209][ T48] ret_from_fork+0x4b/0x80 [ 70.136933][ T48] ret_from_fork_asm+0x1a/0x30 [ 70.138789][ T48] [ 70.139726][ T48] The buggy address belongs to the object at ffff888043808000 [ 70.139726][ T48] which belongs to the cache kmalloc-8k of size 8192 [ 70.144872][ T48] The buggy address is located 0 bytes inside of [ 70.144872][ T48] freed 8192-byte region [ffff888043808000, ffff88804380a000) [ 70.149912][ T48] [ 70.150856][ T48] The buggy address belongs to the physical page: [ 70.153250][ T48] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x43808 [ 70.156572][ T48] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 70.159749][ T48] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) [ 70.162706][ T48] page_type: f5(slab) [ 70.164258][ T48] raw: 04fff00000000040 ffff88801ac42280 ffffea00010d1e00 0000000000000004 [ 70.167502][ T48] raw: 0000000000000000 0000000000020002 00000001f5000000 0000000000000000 [ 70.170703][ T48] head: 04fff00000000040 ffff88801ac42280 ffffea00010d1e00 0000000000000004 [ 70.173926][ T48] head: 0000000000000000 0000000000020002 00000001f5000000 0000000000000000 [ 70.177154][ T48] head: 04fff00000000003 ffffea00010e0201 ffffffffffffffff 0000000000000000 [ 70.180361][ T48] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 70.183853][ T48] page dumped because: kasan: bad access detected [ 70.186235][ T48] page_owner tracks the page as allocated [ 70.188369][ T48] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5316, tgid 5316 (sh), ts 65364651856, free_ts 65363571970 [ 70.195378][ T48] post_alloc_hook+0x1f3/0x230 [ 70.197406][ T48] get_page_from_freelist+0x3649/0x3790 [ 70.199490][ T48] __alloc_pages_noprof+0x292/0x710 [ 70.201547][ T48] alloc_pages_mpol_noprof+0x3e8/0x680 [ 
70.203570][ T48] alloc_slab_page+0x6a/0x140 [ 70.205400][ T48] allocate_slab+0x5a/0x2f0 [ 70.207094][ T48] ___slab_alloc+0xcd1/0x14b0 [ 70.208882][ T48] __slab_alloc+0x58/0xa0 [ 70.210495][ T48] __kmalloc_cache_noprof+0x1d5/0x2c0 [ 70.212486][ T48] tomoyo_init_log+0x11cd/0x2050 [ 70.214274][ T48] tomoyo_supervisor+0x38a/0x11f0 [ 70.216076][ T48] tomoyo_env_perm+0x178/0x210 [ 70.217912][ T48] tomoyo_find_next_domain+0x146e/0x1d40 [ 70.220023][ T48] tomoyo_bprm_check_security+0x117/0x180 [ 70.222190][ T48] security_bprm_check+0x86/0x250 [ 70.224075][ T48] bprm_execve+0xa56/0x1770 [ 70.225777][ T48] page last free pid 5316 tgid 5316 stack trace: [ 70.228028][ T48] free_unref_page+0xdf9/0x1140 [ 70.229852][ T48] __put_partials+0xeb/0x130 [ 70.231516][ T48] put_cpu_partial+0x17c/0x250 [ 70.233353][ T48] __slab_free+0x2ea/0x3d0 [ 70.235050][ T48] qlist_free_all+0x9a/0x140 [ 70.236825][ T48] kasan_quarantine_reduce+0x14f/0x170 [ 70.238926][ T48] __kasan_slab_alloc+0x23/0x80 [ 70.240733][ T48] __kmalloc_noprof+0x1a6/0x400 [ 70.242501][ T48] tomoyo_supervisor+0xe0d/0x11f0 [ 70.244468][ T48] tomoyo_env_perm+0x178/0x210 [ 70.246314][ T48] tomoyo_find_next_domain+0x146e/0x1d40 [ 70.248471][ T48] tomoyo_bprm_check_security+0x117/0x180 [ 70.250584][ T48] security_bprm_check+0x86/0x250 [ 70.252524][ T48] bprm_execve+0xa56/0x1770 [ 70.254124][ T48] do_execveat_common+0x55f/0x6f0 [ 70.256001][ T48] __x64_sys_execve+0x92/0xb0 [ 70.257912][ T48] [ 70.258855][ T48] Memory state around the buggy address: [ 70.260963][ T48] ffff888043807f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 70.263932][ T48] ffff888043807f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 70.266743][ T48] >ffff888043808000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 70.269869][ T48] ^ [ 70.271610][ T48] ffff888043808080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 70.274753][ T48] ffff888043808100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 70.277693][ T48] 
================================================================== [ 70.296187][ T48] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 70.299443][ T48] CPU: 0 UID: 0 PID: 48 Comm: kworker/u5:0 Tainted: G W 6.12.0-syzkaller-03657-g43fb83c17ba2 #0 [ 70.303838][ T48] Tainted: [W]=WARN [ 70.305294][ T48] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 70.309158][ T48] Workqueue: hci0 hci_rx_work [ 70.310964][ T48] Call Trace: [ 70.312278][ T48] [ 70.313470][ T48] dump_stack_lvl+0x241/0x360 [ 70.315313][ T48] ? __pfx_dump_stack_lvl+0x10/0x10 [ 70.317255][ T48] ? __pfx__printk+0x10/0x10 [ 70.319041][ T48] ? rcu_is_watching+0x15/0xb0 [ 70.320907][ T48] ? preempt_schedule+0xe1/0xf0 [ 70.322668][ T48] ? vscnprintf+0x5d/0x90 [ 70.324292][ T48] panic+0x349/0x880 [ 70.325752][ T48] ? check_panic_on_warn+0x21/0xb0 [ 70.327603][ T48] ? __pfx_panic+0x10/0x10 [ 70.329266][ T48] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 70.331308][ T48] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 70.333499][ T48] ? print_report+0x502/0x550 [ 70.335120][ T48] check_panic_on_warn+0x86/0xb0 [ 70.336863][ T48] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 70.339024][ T48] end_report+0x77/0x160 [ 70.340521][ T48] kasan_report+0x154/0x180 [ 70.342132][ T48] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 70.344381][ T48] hci_le_create_big_complete_evt+0x383/0xae0 [ 70.346756][ T48] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 70.349124][ T48] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 70.351663][ T48] ? hci_le_meta_evt+0x366/0x580 [ 70.353462][ T48] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 70.356013][ T48] hci_event_packet+0xa55/0x1540 [ 70.357972][ T48] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 70.359986][ T48] ? __pfx_hci_event_packet+0x10/0x10 [ 70.362087][ T48] ? do_raw_spin_unlock+0x58/0x8b0 [ 70.364056][ T48] ? hci_send_to_monitor+0xd8/0x7f0 [ 70.366282][ T48] ? 
kcov_remote_start+0x97/0x7d0 [ 70.368168][ T48] hci_rx_work+0x3e8/0xca0 [ 70.372699][ T48] ? process_scheduled_works+0x976/0x1850 [ 70.374850][ T48] process_scheduled_works+0xa63/0x1850 [ 70.376980][ T48] ? __pfx_process_scheduled_works+0x10/0x10 [ 70.379316][ T48] ? assign_work+0x364/0x3d0 [ 70.380972][ T48] worker_thread+0x870/0xd30 [ 70.382767][ T48] ? __kthread_parkme+0x169/0x1d0 [ 70.384780][ T48] ? __pfx_worker_thread+0x10/0x10 [ 70.386728][ T48] kthread+0x2f0/0x390 [ 70.388290][ T48] ? __pfx_worker_thread+0x10/0x10 [ 70.390277][ T48] ? __pfx_kthread+0x10/0x10 [ 70.392156][ T48] ret_from_fork+0x4b/0x80 [ 70.394149][ T48] ? __pfx_kthread+0x10/0x10 [ 70.396030][ T48] ret_from_fork_asm+0x1a/0x30 [ 70.397946][ T48] [ 70.399403][ T48] Kernel Offset: disabled [ 70.401076][ T48] Rebooting in 86400 seconds..