program:
# syzkaller reproducer for the three reports that follow in the log (kernel
# 6.12.0-rc7-syzkaller, QEMU guest). All three come from the same HCI rx worker
# (kworker/u5:2, Workqueue: hci0 hci_rx_work) while processing the two HCI
# events injected below through /dev/vhci:
#
#  1. "BUG: sleeping function called from invalid context": the handler
#     hci_le_create_big_complete_evt acquires the mutex hci_cb_list_lock
#     (lock class {3:3}, via __mutex_lock) while rcu_read_lock is still held
#     (lock #3 taken at +0xdb; "RCU nest depth: 1, expected: 0"). Sleeping
#     inside an RCU read-side critical section is never valid.
#  2. lockdep "[ BUG: Invalid wait context ]" for that same mutex acquisition.
#  3. KASAN slab-use-after-free (8 byte read at +0x383): the hci_conn object was
#     allocated by hci_le_big_sync_established_evt -> __hci_conn_add, then freed
#     by hci_le_create_big_complete_evt(+0x619) -> hci_conn_del -> kobject_put ->
#     device_release -> kfree, and is read again by the same handler afterwards.
#     This is consistent with the handler deleting a connection while still
#     walking the list that contains it (presumably the RCU list walk
#     mentioned above) -- not proven by the trace alone, but the alloc/free/use
#     stacks all sit inside one invocation of the same function.
#
# Exposure: the trigger is controller->host HCI event traffic. syz_emit_vhci
# needs /dev/vhci, which is normally root-only, so by itself this is not an
# unprivileged local primitive. The same LE Meta events are, however, the
# kind of data a malicious or compromised Bluetooth controller/firmware could
# deliver over the real transport; that path is plausible but not shown here.
#
# Fix direction (reviewer suggestion, not verified against upstream): do not
# call hci_conn_del()/the hci_cb callback path from inside the rcu_read_lock
# walk in hci_le_create_big_complete_evt; collect the affected connections
# first, or iterate under hdev->lock with a list walk that is safe against
# deletion, and take hci_cb_list_lock only after leaving the RCU section.
#
# NOTE on the non-Bluetooth calls: the rtnetlink/bpf/ioctl/ipset lines look
# unrelated, but the rtnetlink message is built at 0x7f0000000040 and the bpf
# instruction blob at 0x7f0000000000 -- the same scratch addresses the two
# syz_emit_vhci() buffers are read from. Only the first four bytes of each
# HCI packet are spelled out, so the remaining event payload is most likely
# whatever those earlier calls left in memory. Treat them as payload setup
# rather than dead residue when minimising.

# AF_NETLINK (0x10), SOCK_RAW (0x3), NETLINK_ROUTE (0x0); r0 only feeds the next call.
r0 = socket$nl_route(0x10, 0x3, 0x0)
# RTM_NEWLINK (0x10) carrying IFLA_LINKINFO for an ipip6 tunnel with
# IFLA_IPTUN_ENCAP_TYPE = 3. Written at 0x7f0000000040 (see NOTE above).
sendmsg$nl_route(r0, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000680)={&(0x7f0000000040)=@newlink={0x3c, 0x10, 0x40d, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x1c, 0x12, 0x0, 0x1, @ipip6={{0xb}, {0xc, 0x2, 0x0, 0x1, [@IFLA_IPTUN_ENCAP_TYPE={0x6, 0xf, 0x3}]}}}]}, 0x3c}}, 0x0)
# BPF_PROG_LOAD (cmd 0x5) of a program of type 0x6 (@xdp); r1 is the prog fd.
# The instruction blob lives at 0x7f0000000000 (see NOTE above).
r1 = bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0x6, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b7080000000000007b8af8ff00000000b7"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
# fscrypt nonce ioctl on a bpf prog fd: expected to fail; no visible effect on the crash.
ioctl$FS_IOC_GET_ENCRYPTION_NONCE(r1, 0x8010661b, &(0x7f0000000080))
# fd -1 with a NULL msghdr: fails immediately (EBADF); no visible effect on the crash.
sendmsg$IPSET_CMD_CREATE(0xffffffffffffffff, 0x0, 0x0)
# Packet 1: 0x04 = HCI event, 0x3e = LE Meta event, plen 0x75, subevent 0x1d
# (LE BIG Sync Established -- matches hci_le_big_sync_established_evt in the
# KASAN "Allocated by" stack, which creates the hci_conn). Only 0x24 bytes are
# emitted although plen says 0x75; how the parser treats the short payload is
# not analysed here. Bytes 4.. come from the bpf blob left at the same address.
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="043e751d"], 0x24)
# Packet 2: LE Meta subevent 0x1b (LE Create BIG Complete), plen 0x1f, total
# 0x22 = 3 + 0x1f, so sizes are consistent. Handled by
# hci_le_create_big_complete_evt, which frees the conn created by packet 1
# (hci_conn_del) and then reads it again -> KASAN UAF, plus the mutex-under-RCU
# reports. Bytes 4.. come from the rtnetlink message left at 0x7f0000000040.
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="043e1f1b"], 0x22)
[ 59.351599][ T5310] Bluetooth: hci0: command tx timeout
[ 59.371542][ T5310] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585
[ 59.388319][ T5310] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5310, name: kworker/u5:2
[ 59.420231][ T5310] preempt_count: 0, expected: 0
[ 59.424039][ T5310] RCU nest depth: 1, expected: 0
[ 59.436974][ T5310] 4 locks held by kworker/u5:2/5310:
[ 59.439620][ T5310] #0: ffff888043fe2148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850
[ 59.444350][ T5310] #1: ffffc9000d40fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850
[ 59.481067][ T5310] #2: ffff888043cec078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xcf/0xae0
[ 59.486831][ T5310] #3: ffffffff8e937da0 (rcu_read_lock){....}-{1:2}, at: hci_le_create_big_complete_evt+0xdb/0xae0
[ 59.490683][ T5310] CPU: 0 UID: 0 PID: 5310 Comm: kworker/u5:2 Not tainted 6.12.0-rc7-syzkaller-00070-g0a9b9d17f3a7 #0
[ 59.494552][ T5310] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 59.522677][ T5310] Workqueue: hci0 hci_rx_work
[ 59.524647][ T5310] Call Trace:
[ 59.526094][ T5310]
[ 59.527393][ T5310] dump_stack_lvl+0x241/0x360
[ 59.529404][ T5310] ? __pfx_dump_stack_lvl+0x10/0x10
[ 59.531529][ T5310] ? __pfx__printk+0x10/0x10
[ 59.552540][ T5310] __might_resched+0x5d4/0x780
[ 59.554364][ T5310] ? __mutex_lock+0x112/0xd70
[ 59.556114][ T5310] ? __pfx___might_resched+0x10/0x10
[ 59.558226][ T5310] __mutex_lock+0xc1/0xd70
[ 59.560152][ T5310] ? __pfx_lock_acquire+0x10/0x10
[ 59.582112][ T5310] ? hci_le_create_big_complete_evt+0x3d9/0xae0
[ 59.595733][ T5310] ? __pfx_lock_release+0x10/0x10
[ 59.597588][ T5310] ? __pfx___mutex_lock+0x10/0x10
[ 59.599338][ T5310] ? trace_contention_end+0x3c/0x120
[ 59.602801][ T5310] ? skb_pull_data+0x112/0x230
[ 59.622790][ T5310] ? hci_conn_set_handle+0x9a/0x270
[ 59.624728][ T5310] hci_le_create_big_complete_evt+0x3d9/0xae0
[ 59.644688][ T5310] ? __copy_skb_header+0x437/0x5b0
[ 59.661831][ T5310] ? hci_le_create_big_complete_evt+0xdb/0xae0
[ 59.664327][ T5310] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10
[ 59.666999][ T5310] ? hci_le_meta_evt+0x366/0x580
[ 59.668986][ T5310] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10
[ 59.671581][ T5310] hci_event_packet+0xa55/0x1540
[ 59.696168][ T5310] ? __pfx_hci_le_meta_evt+0x10/0x10
[ 59.698156][ T5310] ? __pfx_hci_event_packet+0x10/0x10
[ 59.700123][ T5310] ? hci_send_to_sock+0x170/0x810
[ 59.701993][ T5310] ? kcov_remote_start+0x97/0x7d0
[ 59.703842][ T5310] hci_rx_work+0x3fe/0xd80
[ 59.733773][ T5310] ? process_scheduled_works+0x976/0x1850
[ 59.736070][ T5310] process_scheduled_works+0xa63/0x1850
[ 59.738460][ T5310] ? __pfx_process_scheduled_works+0x10/0x10
[ 59.741021][ T5310] ? assign_work+0x364/0x3d0
[ 59.756176][ T5310] worker_thread+0x870/0xd30
[ 59.780951][ T5310] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 59.783793][ T5310] ? __kthread_parkme+0x169/0x1d0
[ 59.785606][ T5310] ? __pfx_worker_thread+0x10/0x10
[ 59.787514][ T5310] kthread+0x2f0/0x390
[ 59.789011][ T5310] ? __pfx_worker_thread+0x10/0x10
[ 59.798139][ T5310] ? __pfx_kthread+0x10/0x10
[ 59.800632][ T5310] ret_from_fork+0x4b/0x80
[ 59.817969][ T5310] ? __pfx_kthread+0x10/0x10
[ 59.820816][ T5310] ret_from_fork_asm+0x1a/0x30
[ 59.823854][ T5310]
[ 59.835369][ T5310]
[ 59.836339][ T5310] =============================
[ 59.838101][ T5310] [ BUG: Invalid wait context ]
[ 59.839832][ T5310] 6.12.0-rc7-syzkaller-00070-g0a9b9d17f3a7 #0 Tainted: G W
[ 59.867371][ T5310] -----------------------------
[ 59.869372][ T5310] kworker/u5:2/5310 is trying to lock:
[ 59.871439][ T5310] ffffffff8fe40368 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0x3d9/0xae0
[ 59.875778][ T5310] other info that might help us debug this:
[ 59.898172][ T5310] context-{4:4}
[ 59.899459][ T5310] 4 locks held by kworker/u5:2/5310:
[ 59.901397][ T5310] #0: ffff888043fe2148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850
[ 59.905651][ T5310] #1: ffffc9000d40fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850
[ 59.946978][ T5310] #2: ffff888043cec078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xcf/0xae0
[ 59.952408][ T5310] #3: ffffffff8e937da0 (rcu_read_lock){....}-{1:2}, at: hci_le_create_big_complete_evt+0xdb/0xae0
[ 59.958090][ T5310] stack backtrace:
[ 59.962953][ T5310] CPU: 0 UID: 0 PID: 5310 Comm: kworker/u5:2 Tainted: G W 6.12.0-rc7-syzkaller-00070-g0a9b9d17f3a7 #0
[ 59.983950][ T5310] Tainted: [W]=WARN
[ 59.985473][ T5310] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 60.001118][ T5310] Workqueue: hci0 hci_rx_work
[ 60.003007][ T5310] Call Trace:
[ 60.004256][ T5310]
[ 60.005305][ T5310] dump_stack_lvl+0x241/0x360
[ 60.007038][ T5310] ? __pfx_dump_stack_lvl+0x10/0x10
[ 60.008865][ T5310] ? __pfx__printk+0x10/0x10
[ 60.034893][ T5310] __lock_acquire+0x154a/0x2050
[ 60.036794][ T5310] lock_acquire+0x1ed/0x550
[ 60.038440][ T5310] ? hci_le_create_big_complete_evt+0x3d9/0xae0
[ 60.040604][ T5310] ? __pfx_lock_acquire+0x10/0x10
[ 60.042458][ T5310] ? __mutex_lock+0x112/0xd70
[ 60.044141][ T5310] ? __pfx___might_resched+0x10/0x10
[ 60.062879][ T5310] __mutex_lock+0x136/0xd70
[ 60.078000][ T5310] ? hci_le_create_big_complete_evt+0x3d9/0xae0
[ 60.080304][ T5310] ? __pfx_lock_acquire+0x10/0x10
[ 60.084145][ T5310] ? hci_le_create_big_complete_evt+0x3d9/0xae0
[ 60.089191][ T5310] ? __pfx_lock_release+0x10/0x10
[ 60.100740][ T5310] ? __pfx___mutex_lock+0x10/0x10
[ 60.102651][ T5310] ? trace_contention_end+0x3c/0x120
[ 60.104506][ T5310] ? skb_pull_data+0x112/0x230
[ 60.115048][ T5310] ? hci_conn_set_handle+0x9a/0x270
[ 60.117166][ T5310] hci_le_create_big_complete_evt+0x3d9/0xae0
[ 60.119651][ T5310] ? __copy_skb_header+0x437/0x5b0
[ 60.121690][ T5310] ? hci_le_create_big_complete_evt+0xdb/0xae0
[ 60.124132][ T5310] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10
[ 60.155202][ T5310] ? hci_le_meta_evt+0x366/0x580
[ 60.166379][ T5310] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10
[ 60.168924][ T5310] hci_event_packet+0xa55/0x1540
[ 60.170935][ T5310] ? __pfx_hci_le_meta_evt+0x10/0x10
[ 60.173024][ T5310] ? __pfx_hci_event_packet+0x10/0x10
[ 60.175179][ T5310] ? hci_send_to_sock+0x170/0x810
[ 60.177286][ T5310] ? kcov_remote_start+0x97/0x7d0
[ 60.179253][ T5310] hci_rx_work+0x3fe/0xd80
[ 60.180988][ T5310] ? process_scheduled_works+0x976/0x1850
[ 60.195155][ T5310] process_scheduled_works+0xa63/0x1850
[ 60.197180][ T5310] ? __pfx_process_scheduled_works+0x10/0x10
[ 60.199301][ T5310] ? assign_work+0x364/0x3d0
[ 60.200950][ T5310] worker_thread+0x870/0xd30
[ 60.202631][ T5310] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 60.204752][ T5310] ? __kthread_parkme+0x169/0x1d0
[ 60.237566][ T5310] ? __pfx_worker_thread+0x10/0x10
[ 60.239450][ T5310] kthread+0x2f0/0x390
[ 60.240942][ T5310] ? __pfx_worker_thread+0x10/0x10
[ 60.250759][ T5310] ? __pfx_kthread+0x10/0x10
[ 60.253939][ T5310] ret_from_fork+0x4b/0x80
[ 60.259342][ T5310] ? __pfx_kthread+0x10/0x10
[ 60.274185][ T5310] ret_from_fork_asm+0x1a/0x30
[ 60.276196][ T5310]
[ 60.312161][ T5310] ==================================================================
[ 60.322421][ T5310] BUG: KASAN: slab-use-after-free in hci_le_create_big_complete_evt+0x383/0xae0
[ 60.335058][ T5310] Read of size 8 at addr ffff88801efe0000 by task kworker/u5:2/5310
[ 60.342763][ T5310]
[ 60.344102][ T5310] CPU: 0 UID: 0 PID: 5310 Comm: kworker/u5:2 Tainted: G W 6.12.0-rc7-syzkaller-00070-g0a9b9d17f3a7 #0
[ 60.350037][ T5310] Tainted: [W]=WARN
[ 60.351950][ T5310] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 60.360436][ T5310] Workqueue: hci0 hci_rx_work
[ 60.364473][ T5310] Call Trace:
[ 60.378684][ T5310]
[ 60.379850][ T5310] dump_stack_lvl+0x241/0x360
[ 60.381957][ T5310] ? __pfx_dump_stack_lvl+0x10/0x10
[ 60.383791][ T5310] ? __pfx__printk+0x10/0x10
[ 60.385430][ T5310] ? _printk+0xd5/0x120
[ 60.386951][ T5310] ? __virt_addr_valid+0x183/0x530
[ 60.388783][ T5310] ? __virt_addr_valid+0x183/0x530
[ 60.390699][ T5310] print_report+0x169/0x550
[ 60.392381][ T5310] ? __virt_addr_valid+0x183/0x530
[ 60.394295][ T5310] ? __virt_addr_valid+0x183/0x530
[ 60.430261][ T5310] ? __virt_addr_valid+0x45f/0x530
[ 60.432082][ T5310] ? __phys_addr+0xba/0x170
[ 60.433774][ T5310] ? hci_le_create_big_complete_evt+0x383/0xae0
[ 60.436096][ T5310] kasan_report+0x143/0x180
[ 60.465992][ T5310] ? hci_le_create_big_complete_evt+0x383/0xae0
[ 60.468377][ T5310] hci_le_create_big_complete_evt+0x383/0xae0
[ 60.470636][ T5310] ? __copy_skb_header+0x437/0x5b0
[ 60.472646][ T5310] ? hci_le_create_big_complete_evt+0xdb/0xae0
[ 60.488251][ T5310] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10
[ 60.490897][ T5310] ? hci_le_meta_evt+0x366/0x580
[ 60.505949][ T5310] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10
[ 60.508480][ T5310] hci_event_packet+0xa55/0x1540
[ 60.510463][ T5310] ? __pfx_hci_le_meta_evt+0x10/0x10
[ 60.512453][ T5310] ? __pfx_hci_event_packet+0x10/0x10
[ 60.514331][ T5310] ? hci_send_to_sock+0x170/0x810
[ 60.516068][ T5310] ? kcov_remote_start+0x97/0x7d0
[ 60.517846][ T5310] hci_rx_work+0x3fe/0xd80
[ 60.519474][ T5310] ? process_scheduled_works+0x976/0x1850
[ 60.521622][ T5310] process_scheduled_works+0xa63/0x1850
[ 60.523805][ T5310] ? __pfx_process_scheduled_works+0x10/0x10
[ 60.542361][ T5310] ? assign_work+0x364/0x3d0
[ 60.544208][ T5310] worker_thread+0x870/0xd30
[ 60.546516][ T5310] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 60.549685][ T5310] ? __kthread_parkme+0x169/0x1d0
[ 60.555000][ T5310] ? __pfx_worker_thread+0x10/0x10
[ 60.572030][ T5310] kthread+0x2f0/0x390
[ 60.574962][ T5310] ? __pfx_worker_thread+0x10/0x10
[ 60.577519][ T5310] ? __pfx_kthread+0x10/0x10
[ 60.579196][ T5310] ret_from_fork+0x4b/0x80
[ 60.580828][ T5310] ? __pfx_kthread+0x10/0x10
[ 60.582522][ T5310] ret_from_fork_asm+0x1a/0x30
[ 60.584278][ T5310]
[ 60.585490][ T5310]
[ 60.586504][ T5310] Allocated by task 5310:
[ 60.602577][ T5310] kasan_save_track+0x3f/0x80
[ 60.604622][ T5310] __kasan_kmalloc+0x98/0xb0
[ 60.606589][ T5310] __kmalloc_cache_noprof+0x19c/0x2c0
[ 60.608801][ T5310] __hci_conn_add+0x2f9/0x1850
[ 60.610810][ T5310] hci_le_big_sync_established_evt+0x414/0xc20
[ 60.613329][ T5310] hci_event_packet+0xa55/0x1540
[ 60.615279][ T5310] hci_rx_work+0x3fe/0xd80
[ 60.617077][ T5310] process_scheduled_works+0xa63/0x1850
[ 60.634947][ T5310] worker_thread+0x870/0xd30
[ 60.636774][ T5310] kthread+0x2f0/0x390
[ 60.638313][ T5310] ret_from_fork+0x4b/0x80
[ 60.640137][ T5310] ret_from_fork_asm+0x1a/0x30
[ 60.642061][ T5310]
[ 60.643597][ T5310] Freed by task 5310:
[ 60.645210][ T5310] kasan_save_track+0x3f/0x80
[ 60.663005][ T5310] kasan_save_free_info+0x40/0x50
[ 60.664925][ T5310] __kasan_slab_free+0x59/0x70
[ 60.666716][ T5310] kfree+0x1a0/0x440
[ 60.668313][ T5310] device_release+0x99/0x1c0
[ 60.670239][ T5310] kobject_put+0x22f/0x480
[ 60.672019][ T5310] hci_conn_del+0x8c4/0xc40
[ 60.673893][ T5310] hci_le_create_big_complete_evt+0x619/0xae0
[ 60.676299][ T5310] hci_event_packet+0xa55/0x1540
[ 60.686503][ T5310] hci_rx_work+0x3fe/0xd80
[ 60.688150][ T5310] process_scheduled_works+0xa63/0x1850
[ 60.690278][ T5310] worker_thread+0x870/0xd30
[ 60.692185][ T5310] kthread+0x2f0/0x390
[ 60.693885][ T5310] ret_from_fork+0x4b/0x80
[ 60.695646][ T5310] ret_from_fork_asm+0x1a/0x30
[ 60.713599][ T5310]
[ 60.714643][ T5310] The buggy address belongs to the object at ffff88801efe0000
[ 60.714643][ T5310] which belongs to the cache kmalloc-8k of size 8192
[ 60.720525][ T5310] The buggy address is located 0 bytes inside of
[ 60.720525][ T5310] freed 8192-byte region [ffff88801efe0000, ffff88801efe2000)
[ 60.730281][ T5310]
[ 60.732335][ T5310] The buggy address belongs to the physical page:
[ 60.735832][ T5310] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1efe0
[ 60.739467][ T5310] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 60.743212][ T5310] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 60.745797][ T5310] page_type: f5(slab)
[ 60.747470][ T5310] raw: 00fff00000000040 ffff88801ac42280 ffffea0000498200 dead000000000002
[ 60.752547][ T5310] raw: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
[ 60.755962][ T5310] head: 00fff00000000040 ffff88801ac42280 ffffea0000498200 dead000000000002
[ 60.759214][ T5310] head: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000
[ 60.762360][ T5310] head: 00fff00000000003 ffffea00007bf801 ffffffffffffffff 0000000000000000
[ 60.765470][ T5310] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 60.768691][ T5310] page dumped because: kasan: bad access detected
[ 60.775498][ T5310] page_owner tracks the page as allocated
[ 60.779103][ T5310] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5112, tgid 5112 (init), ts 35275341166, free_ts 34666820005
[ 60.837121][ T5310] post_alloc_hook+0x1f3/0x230
[ 60.839265][ T5310] get_page_from_freelist+0x3649/0x3790
[ 60.841278][ T5310] __alloc_pages_noprof+0x292/0x710
[ 60.843206][ T5310] alloc_pages_mpol_noprof+0x3e8/0x680
[ 60.845377][ T5310] alloc_slab_page+0x6a/0x140
[ 60.847271][ T5310] allocate_slab+0x5a/0x2f0
[ 60.849076][ T5310] ___slab_alloc+0xcd1/0x14b0
[ 60.867082][ T5310] __slab_alloc+0x58/0xa0
[ 60.868791][ T5310] __kmalloc_cache_noprof+0x1d5/0x2c0
[ 60.900880][ T5310] tomoyo_init_log+0x11cd/0x2050
[ 60.907702][ T5310] tomoyo_supervisor+0x38a/0x11f0
[ 60.910814][ T5310] tomoyo_env_perm+0x178/0x210
[ 60.912569][ T5310] tomoyo_find_next_domain+0x146e/0x1d40
[ 60.925321][ T5310] tomoyo_bprm_check_security+0x114/0x180
[ 60.935113][ T5310] security_bprm_check+0x86/0x250
[ 60.938585][ T5310] bprm_execve+0xa56/0x1770
[ 60.940388][ T5310] page last free pid 5081 tgid 5081 stack trace:
[ 60.942921][ T5310] free_unref_page+0xdf9/0x1140
[ 60.944690][ T5310] __put_partials+0xeb/0x130
[ 60.946382][ T5310] put_cpu_partial+0x17c/0x250
[ 60.948075][ T5310] __slab_free+0x2ea/0x3d0
[ 60.974017][ T5310] qlist_free_all+0x9a/0x140
[ 60.976130][ T5310] kasan_quarantine_reduce+0x14f/0x170
[ 60.980581][ T5310] __kasan_slab_alloc+0x23/0x80
[ 60.995410][ T5310] __kmalloc_noprof+0x1a6/0x400
[ 60.997699][ T5310] tomoyo_realpath_from_path+0xcf/0x5e0
[ 61.000238][ T5310] tomoyo_path_perm+0x2b7/0x740
[ 61.002449][ T5310] security_inode_getattr+0x130/0x330
[ 61.004888][ T5310] vfs_getattr+0x45/0x430
[ 61.006923][ T5310] vfs_fstatat+0xe4/0x190
[ 61.008953][ T5310] __x64_sys_newfstatat+0x11d/0x1a0
[ 61.020271][ T5310] do_syscall_64+0xf3/0x230
[ 61.021975][ T5310] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 61.024136][ T5310]
[ 61.025006][ T5310] Memory state around the buggy address:
[ 61.027172][ T5310] ffff88801efdff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.046686][ T5310] ffff88801efdff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.062639][ T5310] >ffff88801efe0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.066610][ T5310] ^
[ 61.068502][ T5310] ffff88801efe0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.072207][ T5310] ffff88801efe0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.075714][ T5310] ==================================================================