program: madvise(&(0x7f0000ffc000/0x2000)=nil, 0x2000, 0x17) prctl$PR_SET_SECUREBITS(0x1c, 0x1c) (async) prctl$PR_SET_SECUREBITS(0x1c, 0x1c) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff}) r1 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) fsync(r1) mmap$IORING_OFF_SQ_RING(&(0x7f0000ffd000/0x1000)=nil, 0x1000, 0x0, 0x10, r1, 0x0) bind$unix(r0, &(0x7f0000000140)=@file={0x1, './file0\x00'}, 0x6e) faccessat2(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x0, 0x0) (async) faccessat2(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x0, 0x0) syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0) (async) r2 = syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0) ptrace(0x10, r2) ptrace$PTRACE_SECCOMP_GET_METADATA(0x420d, r2, 0xffffffffffffffa8, &(0x7f0000000040)={0x1}) (async) ptrace$PTRACE_SECCOMP_GET_METADATA(0x420d, r2, 0xffffffffffffffa8, &(0x7f0000000040)={0x1}) r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) connect$bt_sco(r3, &(0x7f0000000000)={0x1f, @none}, 0x8) r4 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0) connect$bt_l2cap(r4, &(0x7f0000000000)={0x1f, 0x8eb}, 0xe) syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="0418"], 0x1a) (async) syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="0418"], 0x1a) perf_event_open(&(0x7f00000004c0)={0x1, 0x80, 0x2, 0x20, 0xff, 0x0, 0x0, 0x0, 0x24eaf, 0x9, 0x0, 0x1, 0x1, 0x1, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x1, 0x0, 0x1, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x1, 0x1, 0x1, 0x1, 0x1, 0x0, 0x1, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x6, 0x2, @perf_bp={0x0, 0x8}, 0x90, 0xa4, 0x3, 0x1, 0xa1, 0x9b9b, 0x8, 0x0, 0x9, 0x0, 0x8}, r2, 0xffffffffffffffff, 0xffffffffffffffff, 0x1) (async) perf_event_open(&(0x7f00000004c0)={0x1, 0x80, 0x2, 0x20, 0xff, 0x0, 0x0, 0x0, 0x24eaf, 0x9, 0x0, 0x1, 0x1, 0x1, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x1, 0x0, 0x1, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x0, 0x1, 0x1, 0x1, 0x1, 0x1, 0x0, 0x1, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x6, 0x2, @perf_bp={0x0, 0x8}, 0x90, 0xa4, 0x3, 0x1, 0xa1, 0x9b9b, 0x8, 0x0, 0x9, 0x0, 0x8}, r2, 0xffffffffffffffff, 0xffffffffffffffff, 0x1) r5 = socket(0x10, 0x2, 0x0) close_range(0xffffffffffffffff, r5, 0x2) getsockopt$sock_cred(r5, 0x1, 0x11, &(0x7f0000caaffb), &(0x7f0000cab000)=0xc) syz_clone(0x28280000, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffc) (async) syz_clone(0x28280000, 0x0, 0x0, 0x0, 0x0, 0xfffffffffffffffc) munlockall() [ 156.142754][ T4684] Bluetooth: hci0: command tx timeout [ 156.234020][ T44] ------------[ cut here ]------------ [ 156.238523][ T44] refcnt < 0 [ 156.238541][ T44] WARNING: net/bluetooth/hci_conn.c:567 at hci_conn_timeout+0xff/0x2c0, CPU#0: kworker/u5:0/44 [ 156.244850][ T44] Modules linked in: [ 156.247489][ T44] CPU: 0 UID: 0 PID: 44 Comm: kworker/u5:0 Not tainted syzkaller #0 PREEMPT(full) [ 156.251808][ T44] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 156.256541][ T44] Workqueue: hci0 hci_conn_timeout [ 156.258888][ T44] RIP: 0010:hci_conn_timeout+0xff/0x2c0 [ 156.261445][ T44] Code: 48 89 df e8 f3 b0 09 00 eb 07 e8 bc 98 19 f7 b0 13 0f b6 f0 48 89 df 5b 41 5c 41 5e 41 5f 5d e9 77 a8 fe ff e8 a2 98 19 f7 90 <0f> 0b 90 eb 8c 44 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 31 ff ff ff [ 156.269182][ T44] RSP: 0018:ffffc90000467ab0 EFLAGS: 00010293 [ 156.271866][ T44] RAX: ffffffff8aac484e RBX: ffff88803f518000 RCX: ffff88801fa54a00 [ 156.275260][ T44] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000000 [ 156.278559][ T44] RBP: 00000000ffffffff R08: ffff88803f518013 R09: 1ffff11007ea3002 [ 156.282112][ T44] R10: dffffc0000000000 R11: ffffed1007ea3003 R12: dffffc0000000000 [ 156.285729][ T44] R13: ffff88803f518a40 R14: ffff88803f518a40 R15: ffff88803f518010 [ 156.289596][ T44] FS: 0000000000000000(0000) GS:ffff88808c809000(0000) knlGS:0000000000000000 [ 156.293600][ T44] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 156.296715][ T44] CR2: 0000200000caaffb CR3: 00000000441f5000 CR4: 0000000000352ef0 [ 156.301567][ T44] Call Trace: [ 156.303535][ T44] [ 156.305200][ T44] ? process_scheduled_works+0xa70/0x1860 [ 156.308227][ T44] process_scheduled_works+0xb5d/0x1860 [ 156.310726][ T44] ? __pfx_process_scheduled_works+0x10/0x10 [ 156.313296][ T44] ? assign_work+0x3d5/0x5e0 [ 156.315258][ T44] worker_thread+0xa53/0xfc0 [ 156.317326][ T44] kthread+0x388/0x470 [ 156.319135][ T44] ? __pfx_worker_thread+0x10/0x10 [ 156.323266][ T44] ? __pfx_kthread+0x10/0x10 [ 156.325338][ T44] ret_from_fork+0x514/0xb70 [ 156.327297][ T44] ? __pfx_ret_from_fork+0x10/0x10 [ 156.329378][ T44] ? __switch_to+0xc79/0x1410 [ 156.331765][ T44] ? __pfx_kthread+0x10/0x10 [ 156.333716][ T44] ret_from_fork_asm+0x1a/0x30 [ 156.335847][ T44] [ 156.337183][ T44] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 156.340457][ T44] CPU: 0 UID: 0 PID: 44 Comm: kworker/u5:0 Not tainted syzkaller #0 PREEMPT(full) [ 156.344973][ T44] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 156.350185][ T44] Workqueue: hci0 hci_conn_timeout [ 156.352507][ T44] Call Trace: [ 156.353997][ T44] [ 156.355381][ T44] vpanic+0x56c/0xa60 [ 156.357204][ T44] ? __pfx__printk+0x10/0x10 [ 156.359665][ T44] ? __pfx_vpanic+0x10/0x10 [ 156.362211][ T44] ? is_bpf_text_address+0x292/0x2b0 [ 156.364590][ T44] ? is_bpf_text_address+0x26/0x2b0 [ 156.366752][ T44] panic+0xc5/0xd0 [ 156.368475][ T44] ? __pfx_panic+0x10/0x10 [ 156.370469][ T44] ? ret_from_fork_asm+0x1a/0x30 [ 156.373390][ T44] __warn+0x315/0x4c0 [ 156.375604][ T44] ? hci_conn_timeout+0xff/0x2c0 [ 156.378399][ T44] ? hci_conn_timeout+0xff/0x2c0 [ 156.380903][ T44] __report_bug+0x29a/0x540 [ 156.382903][ T44] ? hci_conn_timeout+0xff/0x2c0 [ 156.385086][ T44] ? __pfx___report_bug+0x10/0x10 [ 156.387322][ T44] ? __lock_acquire+0x6b5/0x2cf0 [ 156.389510][ T44] ? hci_conn_timeout+0xff/0x2c0 [ 156.391829][ T44] report_bug+0x16a/0x220 [ 156.394173][ T44] ? hci_conn_timeout+0xff/0x2c0 [ 156.396856][ T44] ? hci_conn_timeout+0x101/0x2c0 [ 156.399195][ T44] handle_bug+0x9c/0x200 [ 156.401139][ T44] exc_invalid_op+0x1a/0x50 [ 156.403179][ T44] asm_exc_invalid_op+0x1a/0x20 [ 156.405443][ T44] RIP: 0010:hci_conn_timeout+0xff/0x2c0 [ 156.408103][ T44] Code: 48 89 df e8 f3 b0 09 00 eb 07 e8 bc 98 19 f7 b0 13 0f b6 f0 48 89 df 5b 41 5c 41 5e 41 5f 5d e9 77 a8 fe ff e8 a2 98 19 f7 90 <0f> 0b 90 eb 8c 44 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 31 ff ff ff [ 156.417427][ T44] RSP: 0018:ffffc90000467ab0 EFLAGS: 00010293 [ 156.420478][ T44] RAX: ffffffff8aac484e RBX: ffff88803f518000 RCX: ffff88801fa54a00 [ 156.424095][ T44] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000000 [ 156.427343][ T44] RBP: 00000000ffffffff R08: ffff88803f518013 R09: 1ffff11007ea3002 [ 156.430844][ T44] R10: dffffc0000000000 R11: ffffed1007ea3003 R12: dffffc0000000000 [ 156.434355][ T44] R13: ffff88803f518a40 R14: ffff88803f518a40 R15: ffff88803f518010 [ 156.437897][ T44] ? hci_conn_timeout+0xfe/0x2c0 [ 156.439779][ T44] ? process_scheduled_works+0xa70/0x1860 [ 156.442259][ T44] process_scheduled_works+0xb5d/0x1860 [ 156.444490][ T44] ? __pfx_process_scheduled_works+0x10/0x10 [ 156.447110][ T44] ? assign_work+0x3d5/0x5e0 [ 156.449068][ T44] worker_thread+0xa53/0xfc0 [ 156.451047][ T44] kthread+0x388/0x470 [ 156.452798][ T44] ? __pfx_worker_thread+0x10/0x10 [ 156.454918][ T44] ? __pfx_kthread+0x10/0x10 [ 156.457155][ T44] ret_from_fork+0x514/0xb70 [ 156.459147][ T44] ? __pfx_ret_from_fork+0x10/0x10 [ 156.461409][ T44] ? __switch_to+0xc79/0x1410 [ 156.463594][ T44] ? __pfx_kthread+0x10/0x10 [ 156.465626][ T44] ret_from_fork_asm+0x1a/0x30 [ 156.467605][ T44] [ 156.469206][ T44] Kernel Offset: disabled [ 156.471064][ T44] Rebooting in 86400 seconds..