program:
# syzkaller reproducer (syzlang), as dumped by syzbot alongside the KASAN
# report that follows it. A trailing "(async)" marks a call that is issued
# without waiting for it to return, so each duplicated async/sync pair below
# races against itself; all other calls run in program order. The
# &(0x7f00000000xx) arguments are fixed offsets into syzkaller's mmap'd data
# region — do not renumber them, the program must stay byte-identical to
# remain a faithful repro.
openat$snapshot(0xffffffffffffff9c, &(0x7f0000000000), 0x4000, 0x0) (async)
r0 = openat$snapshot(0xffffffffffffff9c, &(0x7f0000000000), 0x4000, 0x0)
# Injected HCI ACL data packet on connection handle 0xc9, addressed to the
# L2CAP LE signaling channel. Payload: an Enhanced Credit Based (ECRED)
# Connection Request, command header {code 0x17, ident 0x10, len 0x1a}.
# len 0x1a = 26 = 8-byte fixed part {psm 0xc, mtu 0, mps 1, credits 1} plus
# NINE 16-bit source CIDs; the lengths are self-consistent (L2CAP len 0x1e =
# 4 + 26, ACL dlen 0x22 = 4 + 4 + 26, 0x27 bytes emitted in total).
# The KASAN splat below is a 26-byte memcpy read in l2cap_send_cmd from
# 'pdu_u', an 18-byte object in l2cap_recv_frame's stack frame
# ("[128, 146) 'pdu_u.i.i.i'"). 26 == this request's length, so the
# response appears to be sized from the request's SCID count rather than
# from the fixed-size response buffer. NOTE(review): inferred from the sizes
# alone — confirm against the kernel's ECRED connection-request handler.
syz_emit_vhci(&(0x7f0000000040)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x2, 0x0, 0x22}, @l2cap_cid_le_signaling={{0x1e}, @l2cap_ecred_conn_req={{0x17, 0x10, 0x1a}, {0xc, 0x0, 0x1, 0x1, [0x9, 0xb7, 0x7, 0x800, 0x8, 0x28, 0x3, 0x3, 0x8]}}}}, 0x27)
# HCI event 0x13 (Number Of Completed Packets) reporting completions for
# handles 0xc8 and 0xc9.
syz_emit_vhci(&(0x7f0000000080)=@HCI_EVENT_PKT={0x4, @hci_ev_num_comp_pkts={{0x13, 0xd}, {0x3, [{0xc8, 0x1}, {0xc9, 0x7}, {0xc8, 0x8}]}}}, 0x10)
# Two-byte vendor-specific HCI packet (type 0xff).
syz_emit_vhci(&(0x7f00000000c0)=@HCI_VENDOR_PKT={0xff, 0x81}, 0x2)
ioctl$SNAPSHOT_UNFREEZE(r0, 0x3302)
# ACL frame on handle 0xc8, LE signaling channel: an unsolicited ECRED
# Connection *Response* (code 0x18, ident 0x7, len 0x10) carrying four DCIDs,
# delivered as if sent by the remote peer.
syz_emit_vhci(&(0x7f0000000100)=@HCI_ACLDATA_PKT={0x2, {0xc8, 0x2, 0x1, 0x18}, @l2cap_cid_le_signaling={{0x14}, @l2cap_ecred_conn_rsp={{0x18, 0x7, 0x10}, {0x1, 0x9, 0x3, 0x0, [0x1, 0xb, 0x3, 0x2]}}}}, 0x1d)
# Unminimised fuzzer residue starts here. The fd 0xffffffffffffffff is -1,
# so this netlink sendmsg fails with EBADF and is inert.
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000240)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x8000}, 0xc, &(0x7f0000000200)={&(0x7f0000000180)=@gettfilter={0x6c, 0x2e, 0x8, 0x70bd29, 0x25dfdbff, {0x0, 0x0, 0x0, 0x0, {0x1, 0x2}, {0x7, 0xffe0}, {0x3, 0x2}}, [{0x8, 0xb, 0x9}, {0x8, 0xb, 0xc0}, {0x8, 0xb, 0x100}, {0x8, 0xb, 0x7fffffff}, {0x8, 0xb, 0x101}, {0x8, 0xb, 0xd8}, {0x8, 0xb, 0xfffffc00}, {0x8, 0xb, 0x3}, {0x8, 0xb, 0x3}]}, 0x6c}, 0x1, 0x0, 0x0, 0x20488c0}, 0x4840)
listxattr(&(0x7f0000000280)='./file0\x00', &(0x7f00000002c0)=""/193, 0xc1)
# ACL frame on handle 0xc9, this time on the classic (BR/EDR) signaling
# channel: a Move Channel Request (code 0x0e) followed by a Configure
# Response (code 0x05) whose option list carries two RFC options, a flush
# timeout and an EFS option.
syz_emit_vhci(&(0x7f00000003c0)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x2, 0x3, 0x41}, @l2cap_cid_signaling={{0x3d}, [@l2cap_move_chan_req={{0xe, 0x4, 0x3}, {0x200, 0x8}}, @l2cap_conf_rsp={{0x5, 0x8, 0x32}, {0x5, 0x9, 0x1, [@l2cap_conf_rfc={0x4, 0x9, {0x4, 0x2, 0x8, 0x1, 0x1719}}, @l2cap_conf_rfc={0x4, 0x9, {0x1, 0x3, 0x8, 0x5, 0xc, 0x40}}, @l2cap_conf_flushto={0x2, 0x2, 0xc2bb}, @l2cap_conf_efs={0x6, 0x10, {0xf, 0x1, 0x4, 0x400, 0xffffff00, 0x7fff}}]}}]}}, 0x46)
# HCI event 0xfd (stack-internal) with 0xc6 bytes of opaque payload, emitted
# twice (async, then blocking) from the same buffer.
syz_emit_vhci(&(0x7f0000000440)=@HCI_EVENT_PKT={0x4, @hci_ev_stack_internal={{0xfd, 0xc6}, {0xaa00, "c2e648c798abbab896642e4f71f1aa6dd6f08cd2a8a9203deeb58b08c38ad0f36f8ae0a83916799b3044723e3686474d25082368ad01f169e817063b2e1dc8fb2ae21ee87ce14fef6c3403fe306b1990fc62f1683bf57fb1c588254d3a3b9df9bcfb7ae04c768d266cd067263157334aecaa2febe7368fab1853477db4287866b2ffc9622c29d056ad203c2121deb6bb886ad2535922b169643c92f055fcd6c014e8f3a0d69c3bd7700d53cc1ac0ad3e9a3350bf0366c49454a4599842bb2a7049dd857c"}}}, 0xc9) (async)
syz_emit_vhci(&(0x7f0000000440)=@HCI_EVENT_PKT={0x4, @hci_ev_stack_internal={{0xfd, 0xc6}, {0xaa00, "c2e648c798abbab896642e4f71f1aa6dd6f08cd2a8a9203deeb58b08c38ad0f36f8ae0a83916799b3044723e3686474d25082368ad01f169e817063b2e1dc8fb2ae21ee87ce14fef6c3403fe306b1990fc62f1683bf57fb1c588254d3a3b9df9bcfb7ae04c768d266cd067263157334aecaa2febe7368fab1853477db4287866b2ffc9622c29d056ad203c2121deb6bb886ad2535922b169643c92f055fcd6c014e8f3a0d69c3bd7700d53cc1ac0ad3e9a3350bf0366c49454a4599842bb2a7049dd857c"}}}, 0xc9)
# Remaining calls touch unrelated devices (userio, ndctl0, vcs, a KVM vcpu
# ioctl on fd -1 so r1 is -1 too, an epoll instance) and issue socket calls
# on non-socket fds. None of them involve the HCI/L2CAP path that crashes;
# they are very likely inert for this bug — TODO confirm with a minimised
# repro that keeps only the syz_emit_vhci calls.
openat$userio(0xffffffffffffff9c, &(0x7f0000000540), 0x8000, 0x0)
ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x1) (async)
r1 = ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x1)
ioctl$KVM_GET_ONE_REG(r1, 0x4010aeab, &(0x7f00000005c0)=@riscv64_f={0x8020000005000006, &(0x7f0000000580)=0xac})
r2 = openat$ndctl0(0xffffffffffffff9c, &(0x7f0000000600), 0x80100, 0x0)
connect$vsock_stream(r2, &(0x7f0000000640)={0x28, 0x0, 0x2711, @local}, 0x10)
ioctl$SIOCX25SCUDMATCHLEN(r2, 0x89e7, &(0x7f0000000680)={0x61})
sendmsg$IPSET_CMD_CREATE(r2, &(0x7f0000000780)={&(0x7f00000006c0), 0xc, &(0x7f0000000740)={&(0x7f0000000700)={0x30, 0x2, 0x6, 0x301, 0x0, 0x0, {0x0, 0x0, 0x5}, [@IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_REVISION={0x5}, @IPSET_ATTR_DATA={0xc, 0x7, 0x0, 0x1, [@IPSET_ATTR_PORT_TO={0x6, 0x5, 0x1, 0x0, 0x4e22}]}]}, 0x30}, 0x1, 0x0, 0x0, 0x4040081}, 0x8001) (async)
sendmsg$IPSET_CMD_CREATE(r2, &(0x7f0000000780)={&(0x7f00000006c0), 0xc, &(0x7f0000000740)={&(0x7f0000000700)={0x30, 0x2, 0x6, 0x301, 0x0, 0x0, {0x0, 0x0, 0x5}, [@IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_REVISION={0x5}, @IPSET_ATTR_DATA={0xc, 0x7, 0x0, 0x1, [@IPSET_ATTR_PORT_TO={0x6, 0x5, 0x1, 0x0, 0x4e22}]}]}, 0x30}, 0x1, 0x0, 0x0, 0x4040081}, 0x8001)
write$FUSE_INIT(r2, &(0x7f00000007c0)={0x50, 0x0, 0x0, {0x7, 0x2d, 0x8, 0x80, 0x9, 0xfff9, 0x1, 0xfff, 0x0, 0x0, 0x80, 0x6}}, 0x50)
ioctl$FS_IOC_GETFSUUID(r1, 0x80111500, &(0x7f0000000840))
mmap(&(0x7f0000ffd000/0x3000)=nil, 0x3000, 0x200000b, 0x110, r1, 0x93bb0000)
ioctl$XFS_IOC_BULKSTAT(r2, 0x8040587f, &(0x7f0000000b80)={{0x1, 0x0, 0x1000, 0x539, 0x1}, &(0x7f0000000880)=[{}, {}, {}, {}]}) (async)
ioctl$XFS_IOC_BULKSTAT(r2, 0x8040587f, &(0x7f0000000b80)={{0x1, 0x0, 0x1000, 0x539, 0x1}, &(0x7f0000000880)=[{}, {}, {}, {}]})
r3 = openat$vcs(0xffffffffffffff9c, &(0x7f0000000c00), 0x1002, 0x0)
read(r3, &(0x7f0000000c40)=""/6, 0x6)
# HCIINQUIRY is issued on the ndctl fd (r2), not on an HCI socket, so it does
# not reach the Bluetooth core.
ioctl$HCIINQUIRY(r2, 0x800448f0, &(0x7f0000000c80)={0xffffffffffffffff, 0x401, "022eac", 0x8a, 0x7}) (async)
ioctl$HCIINQUIRY(r2, 0x800448f0, &(0x7f0000000c80)={0xffffffffffffffff, 0x401, "022eac", 0x8a, 0x7})
sendmsg$IPSET_CMD_LIST(r3, &(0x7f0000000d80)={&(0x7f0000000cc0)={0x10, 0x0, 0x0, 0x1000}, 0xc, &(0x7f0000000d40)={&(0x7f0000000d00)={0x3c, 0x7, 0x6, 0x101, 0x0, 0x0, {0x2, 0x0, 0x4}, [@IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz1\x00'}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz2\x00'}, @IPSET_ATTR_FLAGS={0x8, 0x6, 0x1, 0x0, 0x2}]}, 0x3c}, 0x1, 0x0, 0x0, 0xc000}, 0x10) (async)
sendmsg$IPSET_CMD_LIST(r3, &(0x7f0000000d80)={&(0x7f0000000cc0)={0x10, 0x0, 0x0, 0x1000}, 0xc, &(0x7f0000000d40)={&(0x7f0000000d00)={0x3c, 0x7, 0x6, 0x101, 0x0, 0x0, {0x2, 0x0, 0x4}, [@IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz1\x00'}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz2\x00'}, @IPSET_ATTR_FLAGS={0x8, 0x6, 0x1, 0x0, 0x2}]}, 0x3c}, 0x1, 0x0, 0x0, 0xc000}, 0x10)
# bind$bt_hci on the vcs fd (r3): not a socket, so also inert.
bind$bt_hci(r3, &(0x7f0000000dc0)={0x1f, 0x4, 0x1}, 0x6)
epoll_create(0x5) (async)
r4 = epoll_create(0x5)
epoll_wait(r4, &(0x7f0000000e00)=[{}], 0x1, 0x8) (async)
epoll_wait(r4, &(0x7f0000000e00)=[{}], 0x1, 0x8)
r5 = accept4$llc(r2, &(0x7f0000000e40)={0x1a, 0x0, 0x0, 0x0, 0x0, 0x0, @random}, &(0x7f0000000e80)=0x10, 0x48cf2cc955714d7e)
getsockname$llc(r5, &(0x7f0000000ec0), &(0x7f0000000f00)=0x10) (async)
getsockname$llc(r5, &(0x7f0000000ec0), &(0x7f0000000f00)=0x10)
[ 85.488021][ T4663] Bluetooth: hci0: command tx timeout
[ 85.672591][ T4663] ==================================================================
[ 85.677201][ T4663] BUG: KASAN: stack-out-of-bounds in l2cap_send_cmd+0x2a3/0xb90
[ 85.681227][ T4663] Read of size 26 at addr ffffc900032df500 by task kworker/u5:1/4663
[ 85.685309][ T4663]
[ 85.686752][ T4663] CPU: 0 UID: 0 PID: 4663 Comm: kworker/u5:1 Not tainted syzkaller #0 PREEMPT(full)
[ 85.686774][ T4663] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 85.686785][ T4663] Workqueue: hci0 hci_rx_work
[ 85.686815][ T4663] Call Trace:
[ 85.686823][ T4663] <TASK>
[ 85.686830][ T4663] dump_stack_lvl+0xe8/0x150
[ 85.686851][ T4663] print_report+0xba/0x230
[ 85.686867][ T4663] ? l2cap_send_cmd+0x2a3/0xb90
[ 85.686891][ T4663] kasan_report+0x117/0x150
[ 85.686906][ T4663] ? trace_kmem_cache_alloc+0x29/0xf0
[ 85.686924][ T4663] ? l2cap_send_cmd+0x2a3/0xb90
[ 85.686944][ T4663] kasan_check_range+0x264/0x2c0
[ 85.686960][ T4663] ? l2cap_send_cmd+0x2a3/0xb90
[ 85.686976][ T4663] __asan_memcpy+0x29/0x70
[ 85.686991][ T4663] l2cap_send_cmd+0x2a3/0xb90
[ 85.687010][ T4663] l2cap_recv_frame+0xc032/0x10240
[ 85.687023][ T4663] ? lock_release+0x4b/0x3d0
[ 85.687039][ T4663] ? ret_from_fork_asm+0x1a/0x30
[ 85.687059][ T4663] ? unwind_next_frame+0xa5/0x23c0
[ 85.687080][ T4663] ? rcu_is_watching+0x15/0xb0
[ 85.687101][ T4663] ? lock_release+0x4b/0x3d0
[ 85.687113][ T4663] ? unwind_next_frame+0x1aaf/0x23c0
[ 85.687133][ T4663] ? unwind_next_frame+0xa5/0x23c0
[ 85.687149][ T4663] ? unwind_next_frame+0x1aaf/0x23c0
[ 85.687168][ T4663] ? __pfx_l2cap_recv_frame+0x10/0x10
[ 85.687181][ T4663] ? ret_from_fork_asm+0x1a/0x30
[ 85.687195][ T4663] ? ret_from_fork_asm+0x1a/0x30
[ 85.687211][ T4663] ? __pfx_stack_trace_consume_entry+0x10/0x10
[ 85.687227][ T4663] ? ret_from_fork_asm+0x1a/0x30
[ 85.687259][ T4663] ? stack_trace_save+0xa9/0x100
[ 85.687273][ T4663] ? __pfx_stack_trace_save+0x10/0x10
[ 85.687287][ T4663] ? check_path+0x21/0x40
[ 85.687306][ T4663] ? check_noncircular+0xda/0x150
[ 85.687324][ T4663] ? add_lock_to_list+0xc7/0x100
[ 85.687335][ T4663] ? lockdep_unlock+0x5d/0xd0
[ 85.687343][ T4663] ? __lock_acquire+0x146e/0x2cf0
[ 85.687357][ T4663] ? __mutex_trylock_common+0x158/0x260
[ 85.687370][ T4663] ? __pfx___mutex_trylock_common+0x10/0x10
[ 85.687381][ T4663] ? rcu_is_watching+0x15/0xb0
[ 85.687394][ T4663] ? trace_contention_end+0x3d/0x150
[ 85.687410][ T4663] ? __mutex_lock+0x319/0x1300
[ 85.687427][ T4663] ? l2cap_recv_acldata+0x2e3/0x13e0
[ 85.687440][ T4663] ? l2cap_recv_acldata+0x30b/0x13e0
[ 85.687451][ T4663] ? __mutex_unlock_slowpath+0x1bd/0x7d0
[ 85.687469][ T4663] ? __pfx___mutex_lock+0x10/0x10
[ 85.687486][ T4663] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 85.687503][ T4663] ? l2cap_conn_hold_unless_zero+0x179/0x2b0
[ 85.687517][ T4663] ? __pfx_l2cap_conn_hold_unless_zero+0x10/0x10
[ 85.687531][ T4663] ? l2cap_recv_acldata+0x41/0x13e0
[ 85.687544][ T4663] l2cap_recv_acldata+0x7e9/0x13e0
[ 85.687559][ T4663] hci_rx_work+0x4f9/0x1030
[ 85.687579][ T4663] ? process_scheduled_works+0xa25/0x1830
[ 85.687596][ T4663] process_scheduled_works+0xb02/0x1830
[ 85.687619][ T4663] ? __pfx_process_scheduled_works+0x10/0x10
[ 85.687636][ T4663] ? assign_work+0x3d5/0x5e0
[ 85.687652][ T4663] worker_thread+0xa50/0xfc0
[ 85.687674][ T4663] kthread+0x388/0x470
[ 85.687686][ T4663] ? __pfx_worker_thread+0x10/0x10
[ 85.687700][ T4663] ? __pfx_kthread+0x10/0x10
[ 85.687712][ T4663] ret_from_fork+0x51e/0xb90
[ 85.687729][ T4663] ? __pfx_ret_from_fork+0x10/0x10
[ 85.687743][ T4663] ? __switch_to+0xc7d/0x1450
[ 85.687758][ T4663] ? __pfx_kthread+0x10/0x10
[ 85.687769][ T4663] ret_from_fork_asm+0x1a/0x30
[ 85.687791][ T4663] </TASK>
[ 85.687796][ T4663]
[ 85.851184][ T4663] The buggy address belongs to stack of task kworker/u5:1/4663
[ 85.855133][ T4663] and is located at offset 128 in frame:
[ 85.857637][ T4663] l2cap_recv_frame+0x0/0x10240
[ 85.860129][ T4663]
[ 85.861256][ T4663] This frame has 26 objects:
[ 85.863273][ T4663] [32, 34) 'rsp.i241.i.i'
[ 85.863288][ T4663] [48, 88) 'chan.i.i.i'
[ 85.865548][ T4663] [128, 146) 'pdu_u.i.i.i'
[ 85.867551][ T4663] [192, 202) 'rsp.i94.i.i'
[ 85.869815][ T4663] [224, 226) 'rsp.i.i.i111'
[ 85.871994][ T4663] [240, 242) 'rej.i'
[ 85.874297][ T4663] [256, 258) 'rej.i145.i'
[ 85.876165][ T4663] [272, 274) 'rej.i143.i'
[ 85.878338][ T4663] [288, 290) 'req.i229.i.i'
[ 85.880407][ T4663] [304, 312) 'buf.i222.i.i'
[ 85.882603][ T4663] [336, 348) 'buf29.i.i.i'
[ 85.884760][ T4663] [368, 372) 'rsp49.i.i.i'
[ 85.886765][ T4663] [384, 393) 'rfc.i.i118.i.i'
[ 85.888779][ T4663] [416, 480) 'buf.i119.i.i'
[ 85.890938][ T4663] [512, 576) 'req.i120.i.i'
[ 85.892948][ T4663] [608, 617) 'rfc.i.i.i.i'
[ 85.894880][ T4663] [640, 656) 'efs.i.i.i.i'
[ 85.896626][ T4663] [672, 678) 'rej.i371.i.i.i'
[ 85.898601][ T4663] [704, 710) 'rej.i.i.i.i'
[ 85.900775][ T4663] [736, 800) 'rsp.i.i.i'
[ 85.903102][ T4663] [832, 896) 'buf.i.i.i'
[ 85.905550][ T4663] [928, 1056) 'req.i.i.i'
[ 85.908323][ T4663] [1088, 1096) 'rsp.i.i.i.i'
[ 85.910981][ T4663] [1120, 1122) 'info.i.i.i.i'
[ 85.913279][ T4663] [1136, 1264) 'buf.i.i.i.i'
[ 85.915482][ T4663] [1296, 1298) 'rej.i.i'
[ 85.917708][ T4663]
[ 85.920802][ T4663] The buggy address belongs to a 8-page vmalloc region starting at 0xffffc900032d8000 allocated at copy_process+0x508/0x3cf0
[ 85.928133][ T4663] The buggy address belongs to the physical page:
[ 85.931060][ T4663] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x415a7
[ 85.935076][ T4663] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[ 85.938614][ T4663] raw: 04fff00000000000 0000000000000000 ffffea00010569c8 0000000000000000
[ 85.942705][ T4663] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 85.947593][ T4663] page dumped because: kasan: bad access detected
[ 85.950505][ T4663] page_owner tracks the page as allocated
[ 85.952905][ T4663] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x29c2(GFP_NOWAIT|__GFP_HIGHMEM|__GFP_IO|__GFP_FS|__GFP_ZERO), pid 2, tgid 2 (kthreadd), ts 30500618985, free_ts 29917479054
[ 85.962023][ T4663] post_alloc_hook+0x231/0x280
[ 85.965397][ T4663] get_page_from_freelist+0x24dc/0x2580
[ 85.968512][ T4663] __alloc_frozen_pages_noprof+0x18d/0x380
[ 85.971797][ T4663] __alloc_pages_noprof+0xa/0x30
[ 85.974433][ T4663] __vmalloc_node_range_noprof+0x7be/0x1730
[ 85.977727][ T4663] __vmalloc_node_noprof+0xc2/0x100
[ 85.980404][ T4663] dup_task_struct+0x228/0x9a0
[ 85.983030][ T4663] copy_process+0x508/0x3cf0
[ 85.985422][ T4663] kernel_clone+0x248/0x8e0
[ 85.987675][ T4663] kernel_thread+0x13f/0x1b0
[ 85.989919][ T4663] kthreadd+0x4ec/0x6e0
[ 85.991908][ T4663] ret_from_fork+0x51e/0xb90
[ 85.994338][ T4663] ret_from_fork_asm+0x1a/0x30
[ 85.997157][ T4663] page last free pid 1 tgid 1 stack trace:
[ 86.001330][ T4663] __free_frozen_pages+0xc2b/0xdb0
[ 86.003841][ T4663] __slab_free+0x263/0x2b0
[ 86.005905][ T4663] qlist_free_all+0x97/0x100
[ 86.008179][ T4663] kasan_quarantine_reduce+0x148/0x160
[ 86.010892][ T4663] __kasan_krealloc+0x1f/0x110
[ 86.013398][ T4663] krealloc_node_align_noprof+0x238/0x390
[ 86.016293][ T4663] add_sysfs_param+0xd4/0xb80
[ 86.018674][ T4663] kernel_add_sysfs_param+0x7f/0xe0
[ 86.021418][ T4663] param_sysfs_builtin+0x199/0x250
[ 86.023854][ T4663] param_sysfs_builtin_init+0x23/0x30
[ 86.026117][ T4663] do_one_initcall+0x250/0x8d0
[ 86.028572][ T4663] do_initcall_level+0x104/0x190
[ 86.030843][ T4663] do_initcalls+0x59/0xa0
[ 86.033007][ T4663] kernel_init_freeable+0x2a6/0x3e0
[ 86.035294][ T4663] kernel_init+0x1d/0x1d0
[ 86.037407][ T4663] ret_from_fork+0x51e/0xb90
[ 86.039565][ T4663]
[ 86.040719][ T4663] Memory state around the buggy address:
[ 86.044151][ T4663] ffffc900032df400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 86.048956][ T4663] ffffc900032df480: f1 f1 f1 f1 f8 f2 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2
[ 86.053820][ T4663] >ffffc900032df500: 00 00 02 f2 f2 f2 f2 f2 f8 f8 f2 f2 f8 f2 f8 f2
[ 86.058294][ T4663]                          ^
[ 86.060624][ T4663] ffffc900032df580: f8 f2 f8 f2 f8 f2 f8 f2 f2 f2 f8 f8 f2 f2 f8 f2
[ 86.064259][ T4663] ffffc900032df600: f8 f8 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2
[ 86.067710][ T4663] ==================================================================
[ 86.090536][ T4663] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 86.093915][ T4663] CPU: 0 UID: 0 PID: 4663 Comm: kworker/u5:1 Not tainted syzkaller #0 PREEMPT(full)
[ 86.098802][ T4663] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 86.103094][ T4663] Workqueue: hci0 hci_rx_work
[ 86.105224][ T4663] Call Trace:
[ 86.106746][ T4663] <TASK>
[ 86.108071][ T4663] vpanic+0x56c/0xa60
[ 86.109931][ T4663] ? __pfx_vpanic+0x10/0x10
[ 86.111908][ T4663] panic+0xc5/0xd0
[ 86.113734][ T4663] ? __pfx_panic+0x10/0x10
[ 86.116217][ T4663] ? preempt_schedule_thunk+0x16/0x30
[ 86.119607][ T4663] ? preempt_schedule_thunk+0x16/0x30
[ 86.122613][ T4663] ? l2cap_send_cmd+0x2a3/0xb90
[ 86.124906][ T4663] check_panic_on_warn+0x89/0xb0
[ 86.127195][ T4663] ? l2cap_send_cmd+0x2a3/0xb90
[ 86.129363][ T4663] end_report+0x73/0x180
[ 86.131379][ T4663] ? l2cap_send_cmd+0x2a3/0xb90
[ 86.133411][ T4663] kasan_report+0x128/0x150
[ 86.135258][ T4663] ? trace_kmem_cache_alloc+0x29/0xf0
[ 86.137581][ T4663] ? l2cap_send_cmd+0x2a3/0xb90
[ 86.139994][ T4663] kasan_check_range+0x264/0x2c0
[ 86.142442][ T4663] ? l2cap_send_cmd+0x2a3/0xb90
[ 86.144522][ T4663] __asan_memcpy+0x29/0x70
[ 86.146447][ T4663] l2cap_send_cmd+0x2a3/0xb90
[ 86.148766][ T4663] l2cap_recv_frame+0xc032/0x10240
[ 86.151250][ T4663] ? lock_release+0x4b/0x3d0
[ 86.153811][ T4663] ? ret_from_fork_asm+0x1a/0x30
[ 86.156531][ T4663] ? unwind_next_frame+0xa5/0x23c0
[ 86.158957][ T4663] ? rcu_is_watching+0x15/0xb0
[ 86.161234][ T4663] ? lock_release+0x4b/0x3d0
[ 86.163412][ T4663] ? unwind_next_frame+0x1aaf/0x23c0
[ 86.165799][ T4663] ? unwind_next_frame+0xa5/0x23c0
[ 86.167876][ T4663] ? unwind_next_frame+0x1aaf/0x23c0
[ 86.170222][ T4663] ? __pfx_l2cap_recv_frame+0x10/0x10
[ 86.172440][ T4663] ? ret_from_fork_asm+0x1a/0x30
[ 86.174797][ T4663] ? ret_from_fork_asm+0x1a/0x30
[ 86.177038][ T4663] ? __pfx_stack_trace_consume_entry+0x10/0x10
[ 86.179964][ T4663] ? ret_from_fork_asm+0x1a/0x30
[ 86.182061][ T4663] ? stack_trace_save+0xa9/0x100
[ 86.184247][ T4663] ? __pfx_stack_trace_save+0x10/0x10
[ 86.187198][ T4663] ? check_path+0x21/0x40
[ 86.189268][ T4663] ? check_noncircular+0xda/0x150
[ 86.191931][ T4663] ? add_lock_to_list+0xc7/0x100
[ 86.194183][ T4663] ? lockdep_unlock+0x5d/0xd0
[ 86.196377][ T4663] ? __lock_acquire+0x146e/0x2cf0
[ 86.198718][ T4663] ? __mutex_trylock_common+0x158/0x260
[ 86.201247][ T4663] ? __pfx___mutex_trylock_common+0x10/0x10
[ 86.204172][ T4663] ? rcu_is_watching+0x15/0xb0
[ 86.206530][ T4663] ? trace_contention_end+0x3d/0x150
[ 86.209587][ T4663] ? __mutex_lock+0x319/0x1300
[ 86.212031][ T4663] ? l2cap_recv_acldata+0x2e3/0x13e0
[ 86.214525][ T4663] ? l2cap_recv_acldata+0x30b/0x13e0
[ 86.216982][ T4663] ? __mutex_unlock_slowpath+0x1bd/0x7d0
[ 86.219633][ T4663] ? __pfx___mutex_lock+0x10/0x10
[ 86.222468][ T4663] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 86.226026][ T4663] ? l2cap_conn_hold_unless_zero+0x179/0x2b0
[ 86.229406][ T4663] ? __pfx_l2cap_conn_hold_unless_zero+0x10/0x10
[ 86.232625][ T4663] ? l2cap_recv_acldata+0x41/0x13e0
[ 86.235037][ T4663] l2cap_recv_acldata+0x7e9/0x13e0
[ 86.237572][ T4663] hci_rx_work+0x4f9/0x1030
[ 86.239916][ T4663] ? process_scheduled_works+0xa25/0x1830
[ 86.242770][ T4663] process_scheduled_works+0xb02/0x1830
[ 86.245398][ T4663] ? __pfx_process_scheduled_works+0x10/0x10
[ 86.248245][ T4663] ? assign_work+0x3d5/0x5e0
[ 86.250331][ T4663] worker_thread+0xa50/0xfc0
[ 86.252563][ T4663] kthread+0x388/0x470
[ 86.254681][ T4663] ? __pfx_worker_thread+0x10/0x10
[ 86.258335][ T4663] ? __pfx_kthread+0x10/0x10
[ 86.260985][ T4663] ret_from_fork+0x51e/0xb90
[ 86.263047][ T4663] ? __pfx_ret_from_fork+0x10/0x10
[ 86.265297][ T4663] ? __switch_to+0xc7d/0x1450
[ 86.267399][ T4663] ? __pfx_kthread+0x10/0x10
[ 86.269501][ T4663] ret_from_fork_asm+0x1a/0x30
[ 86.271836][ T4663] </TASK>
[ 86.273933][ T4663] Kernel Offset: disabled
[ 86.276534][ T4663] Rebooting in 86400 seconds..