program: perf_event_open(&(0x7f0000000040)={0x2, 0x80, 0xc3, 0x1, 0x0, 0x0, 0x0, 0x1, 0x4, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext={0x80000000, 0x8}, 0x0, 0x80, 0x8000001, 0x4, 0x0, 0x1000000, 0x0, 0x0, 0x0, 0x0, 0x3}, 0x0, 0x0, 0xffffffffffffffff, 0x9) userfaultfd(0x80001) (async) r0 = userfaultfd(0x80001) ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0)={0xaa, 0x749}) socket$packet(0x11, 0x2, 0x300) (async) r1 = socket$packet(0x11, 0x2, 0x300) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000140)={'syz_tun\x00'}) (async) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000140)={'syz_tun\x00', 0x0}) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000780)={0x6, 0x4, &(0x7f00000004c0)=ANY=[@ANYBLOB="18020000000000000000000000000000850000001700000095"], &(0x7f00000005c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) (async) r3 = bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000780)={0x6, 0x4, &(0x7f00000004c0)=ANY=[@ANYBLOB="18020000000000000000000000000000850000001700000095"], &(0x7f00000005c0)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000340)={r3, r2, 0x25, 0x2, @val=@tracing={0x0, 0xc5c}}, 0x40) (async) bpf$BPF_LINK_CREATE_XDP(0x1c, &(0x7f0000000340)={r3, r2, 0x25, 0x2, @val=@tracing={0x0, 0xc5c}}, 0x40) r4 = bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000400)={&(0x7f0000000900)=ANY=[@ANYBLOB="9feb010018000000000000004800000048000000060000000d000000010000930b000000050000000900000009000000000000000000000b030000000b0000000000000a050000000a000000000000080200000003000000000000c41a000000002e00302e003a0ab6f993d79e75b4d91e300bc7dc6287edf7e480d93cb16e04cf6956"], &(0x7f00000003c0)=""/44, 0x66, 0x2c, 0x1, 0x2, 0x0, @void, @value}, 0x28) bpf$BPF_BTF_GET_NEXT_ID(0x17, &(0x7f0000000000)={0x0, 0x0}, 0x8) bpf$BPF_BTF_GET_FD_BY_ID(0x13, &(0x7f0000000080)=r5, 0x2) r6 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000006c0)={0x11, 0x7, &(0x7f0000000580)=ANY=[@ANYBLOB="180000000800000000000000750900001800000002000000000000000200000018130000", @ANYRES32, @ANYBLOB="00000057ac00512b05bc23c9cd7c3400"], &(0x7f00000005c0)='GPL\x00', 0x4, 0x0, 0x0, 0x41100, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, &(0x7f0000000600)={0x6, 0x2}, 0x8, 0x10, &(0x7f0000000640)={0x0, 0x9, 0x1, 0xd095}, 0x10, 0x0, 0x0, 0x4, 0x0, &(0x7f0000000680)=[{0x4, 0x1, 0x5, 0xc}, {0x0, 0x1, 0x8}, {0x1, 0x3, 0x2, 0x7}, {0x5, 0x4, 0xe, 0x4}], 0x10, 0x6, @void, @value}, 0x94) r7 = openat$nvme_fabrics(0xffffffffffffff9c, &(0x7f0000000780), 0x103002, 0x0) bpf$PROG_LOAD(0x5, &(0x7f0000000840)={0x0, 0xd, &(0x7f0000000140)=ANY=[@ANYBLOB="18000000030000000000000003000000810a0000ffffffff2fa60c000100000018010000756c6c258e5876b1002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b7030000ffff000085000000060000009500000000000000"], &(0x7f00000001c0)='syzkaller\x00', 0xfd0, 0xb5, &(0x7f0000000300)=""/181, 0x41100, 0xc, '\x00', r2, @fallback=0x1f, r4, 0x8, &(0x7f0000000440)={0x1, 0x4}, 0x8, 0x10, &(0x7f0000000480)={0x2, 0xa, 0x0, 0xda}, 0x10, r5, r6, 0x1, &(0x7f00000007c0)=[r7, 0xffffffffffffffff], &(0x7f0000000800)=[{0x4, 0x5, 0xa, 0x9}], 0x10, 0x5cb3, @void, @value}, 0x94) (async) bpf$PROG_LOAD(0x5, &(0x7f0000000840)={0x0, 0xd, &(0x7f0000000140)=ANY=[@ANYBLOB="18000000030000000000000003000000810a0000ffffffff2fa60c000100000018010000756c6c258e5876b1002020207b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b7030000ffff000085000000060000009500000000000000"], &(0x7f00000001c0)='syzkaller\x00', 0xfd0, 0xb5, &(0x7f0000000300)=""/181, 0x41100, 0xc, '\x00', r2, @fallback=0x1f, r4, 0x8, &(0x7f0000000440)={0x1, 0x4}, 0x8, 0x10, &(0x7f0000000480)={0x2, 0xa, 0x0, 0xda}, 0x10, r5, r6, 0x1, &(0x7f00000007c0)=[r7, 0xffffffffffffffff], &(0x7f0000000800)=[{0x4, 0x5, 0xa, 0x9}], 0x10, 0x5cb3, @void, @value}, 0x94) r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) syz_emit_ethernet(0x15e, &(0x7f00000003c0)={@random="e33110495bfd", @dev, @void, {@ipv6={0x86dd, @icmpv6={0x0, 0x6, "cb653e", 0x128, 0x3a, 0xff, @dev, @mcast2, {[], @ndisc_redir={0x89, 0x0, 0x0, '\x00', @rand_addr=' \x01\x00', @private1, [{0x4, 0x20, "9595f429ae08a565c9a41d413270a44d2e6f790a3872d50bb14d25344dc5b3a281f175f5ee04aab21301b94d966c72c15a143c69205625466855101cf44d89d9f6ee47d77c0d4e53e34b67c542fc6f6f6c60139c43b78286f5bb8f4f11d164af24e2633a45bf4ed944b0ef6a7b7167f73cf54e78686ac09402659c29eb0ce380654c1bb0f61d255b1556b7a311096b7aab867396997ffab76abca01185b08d1e29ee14d8fe61245487104b1c5205c6adc794ba413b92d2d208b86f40983c4819c33b59c1abe2a4b0aa661fcb54e0855d6bb5dd267878ff59bcfc6079e7a5e0135118be22dc6c97e730f7053d6ec34ca11b5c7c3830af6b26868600f042ff"}]}}}}}}, 0x0) ioctl$sock_bt_hci(r8, 0x400448cb, 0x0) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0x6, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b708"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="043e751d"], 0x24) syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="043e1f1b"], 0x22) openat$snapshot(0xffffffffffffff9c, &(0x7f00000002c0), 0x40040, 0x0) syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="040e0402030c"], 0x7) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000200)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1}) (async) ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000200)={{&(0x7f00000e2000/0xc00000)=nil, 0xc00000}, 0x1}) madvise(&(0x7f00008d7000/0x1000)=nil, 0x1000, 0x4) readv(r0, &(0x7f0000000040)=[{&(0x7f0000000100)=""/64, 0x40}], 0x5) (async) readv(r0, &(0x7f0000000040)=[{&(0x7f0000000100)=""/64, 0x40}], 0x5) [ 58.901274][ T5310] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:562 [ 58.904656][ T5310] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5310, name: kworker/u5:2 [ 58.907723][ T5310] preempt_count: 0, expected: 0 [ 58.909998][ T5310] RCU nest depth: 1, expected: 0 [ 58.911670][ T5310] 4 locks held by kworker/u5:2/5310: [ 58.913551][ T5310] #0: ffff8880434cf148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 [ 58.917344][ T5310] #1: ffffc9000d1cfd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 [ 58.922016][ T5310] #2: ffff888043788078 (&hdev->lock){+.+.}-{4:4}, at: hci_le_create_big_complete_evt+0xcf/0xae0 [ 58.925651][ T5310] #3: ffffffff8e93c7e0 (rcu_read_lock){....}-{1:3}, at: hci_le_create_big_complete_evt+0xdb/0xae0 [ 58.929528][ T5310] CPU: 0 UID: 0 PID: 5310 Comm: kworker/u5:2 Not tainted 6.12.0-syzkaller-01782-gbf9aa14fc523 #0 [ 58.933448][ T5310] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 58.937323][ T5310] Workqueue: hci0 hci_rx_work [ 58.939085][ T5310] Call Trace: [ 58.940300][ T5310] [ 58.941413][ T5310] dump_stack_lvl+0x241/0x360 [ 58.943139][ T5310] ? __pfx_dump_stack_lvl+0x10/0x10 [ 58.944934][ T5310] ? __pfx__printk+0x10/0x10 [ 58.946571][ T5310] __might_resched+0x5d4/0x780 [ 58.948305][ T5310] ? __mutex_lock+0x187/0xee0 [ 58.949918][ T5310] ? __pfx___might_resched+0x10/0x10 [ 58.951670][ T5310] ? __lock_acquire+0x1397/0x2100 [ 58.953238][ T5310] __mutex_lock+0x131/0xee0 [ 58.954723][ T5310] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 58.956650][ T5310] ? __pfx___mutex_lock+0x10/0x10 [ 58.958473][ T5310] ? rcu_is_watching+0x15/0xb0 [ 58.960178][ T5310] ? trace_contention_end+0x3c/0x120 [ 58.962002][ T5310] ? skb_pull_data+0x112/0x230 [ 58.963566][ T5310] ? hci_conn_set_handle+0x9a/0x270 [ 58.965348][ T5310] hci_le_create_big_complete_evt+0x3d9/0xae0 [ 58.967455][ T5310] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 58.969849][ T5310] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 58.972371][ T5310] ? hci_le_meta_evt+0x366/0x580 [ 58.974082][ T5310] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 58.976183][ T5310] hci_event_packet+0xa55/0x1540 [ 58.977966][ T5310] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 58.979947][ T5310] ? __pfx_hci_event_packet+0x10/0x10 [ 58.982183][ T5310] ? do_raw_spin_unlock+0x58/0x8b0 [ 58.984424][ T5310] ? hci_send_to_monitor+0xd8/0x7f0 [ 58.986845][ T5310] ? kcov_remote_start+0x97/0x7d0 [ 58.989005][ T5310] hci_rx_work+0x3e8/0xca0 [ 58.990814][ T5310] ? process_scheduled_works+0x976/0x1850 [ 58.993134][ T5310] process_scheduled_works+0xa63/0x1850 [ 58.995103][ T5310] ? __pfx_process_scheduled_works+0x10/0x10 [ 58.997222][ T5310] ? assign_work+0x364/0x3d0 [ 58.998846][ T5310] worker_thread+0x870/0xd30 [ 59.000509][ T5310] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 59.002624][ T5310] ? __kthread_parkme+0x169/0x1d0 [ 59.004274][ T5310] ? __pfx_worker_thread+0x10/0x10 [ 59.006072][ T5310] kthread+0x2f0/0x390 [ 59.007535][ T5310] ? __pfx_worker_thread+0x10/0x10 [ 59.009249][ T5310] ? __pfx_kthread+0x10/0x10 [ 59.010823][ T5310] ret_from_fork+0x4b/0x80 [ 59.012221][ T5310] ? __pfx_kthread+0x10/0x10 [ 59.013781][ T5310] ret_from_fork_asm+0x1a/0x30 [ 59.015427][ T5310] [ 59.023643][ T5310] [ 59.024703][ T5310] ============================= [ 59.026288][ T5310] [ BUG: Invalid wait context ] [ 59.028063][ T5310] 6.12.0-syzkaller-01782-gbf9aa14fc523 #0 Tainted: G W [ 59.030987][ T5310] ----------------------------- [ 59.032779][ T5310] kworker/u5:2/5310 is trying to lock: [ 59.034718][ T5310] ffffffff8fe4a168 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_le_create_big_complete_evt+0x3d9/0xae0 [ 59.038545][ T5310] other info that might help us debug this: [ 59.040678][ T5310] context-{5:5} [ 59.042033][ T5310] 4 locks held by kworker/u5:2/5310: [ 59.043994][ T5310] #0: ffff8880434cf148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 [ 59.048061][ T5310] #1: ffffc9000d1cfd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 [ 59.052544][ T5310] #2: ffff888043788078 (&hdev->lock){+.+.}-{4:4}, at: hci_le_create_big_complete_evt+0xcf/0xae0 [ 59.056544][ T5310] #3: ffffffff8e93c7e0 (rcu_read_lock){....}-{1:3}, at: hci_le_create_big_complete_evt+0xdb/0xae0 [ 59.060476][ T5310] stack backtrace: [ 59.061677][ T5310] CPU: 0 UID: 0 PID: 5310 Comm: kworker/u5:2 Tainted: G W 6.12.0-syzkaller-01782-gbf9aa14fc523 #0 [ 59.065517][ T5310] Tainted: [W]=WARN [ 59.066825][ T5310] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 59.070660][ T5310] Workqueue: hci0 hci_rx_work [ 59.072388][ T5310] Call Trace: [ 59.073652][ T5310] [ 59.074738][ T5310] dump_stack_lvl+0x241/0x360 [ 59.076522][ T5310] ? __pfx_dump_stack_lvl+0x10/0x10 [ 59.078470][ T5310] ? __pfx__printk+0x10/0x10 [ 59.080188][ T5310] __lock_acquire+0x15a8/0x2100 [ 59.082029][ T5310] lock_acquire+0x1ed/0x550 [ 59.083728][ T5310] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 59.085994][ T5310] ? __pfx_lock_acquire+0x10/0x10 [ 59.087861][ T5310] ? __mutex_lock+0x187/0xee0 [ 59.089615][ T5310] ? __pfx___might_resched+0x10/0x10 [ 59.091676][ T5310] ? __lock_acquire+0x1397/0x2100 [ 59.093641][ T5310] __mutex_lock+0x1ac/0xee0 [ 59.095353][ T5310] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 59.097751][ T5310] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 59.100201][ T5310] ? __pfx___mutex_lock+0x10/0x10 [ 59.102145][ T5310] ? rcu_is_watching+0x15/0xb0 [ 59.103913][ T5310] ? trace_contention_end+0x3c/0x120 [ 59.105982][ T5310] ? skb_pull_data+0x112/0x230 [ 59.107816][ T5310] ? hci_conn_set_handle+0x9a/0x270 [ 59.109824][ T5310] hci_le_create_big_complete_evt+0x3d9/0xae0 [ 59.112195][ T5310] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 59.114443][ T5310] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 59.116705][ T5310] ? hci_le_meta_evt+0x366/0x580 [ 59.118602][ T5310] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 59.120993][ T5310] hci_event_packet+0xa55/0x1540 [ 59.122761][ T5310] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 59.124693][ T5310] ? __pfx_hci_event_packet+0x10/0x10 [ 59.126650][ T5310] ? do_raw_spin_unlock+0x58/0x8b0 [ 59.128552][ T5310] ? hci_send_to_monitor+0xd8/0x7f0 [ 59.130493][ T5310] ? kcov_remote_start+0x97/0x7d0 [ 59.132317][ T5310] hci_rx_work+0x3e8/0xca0 [ 59.133946][ T5310] ? process_scheduled_works+0x976/0x1850 [ 59.135927][ T5310] process_scheduled_works+0xa63/0x1850 [ 59.138016][ T5310] ? __pfx_process_scheduled_works+0x10/0x10 [ 59.140267][ T5310] ? assign_work+0x364/0x3d0 [ 59.141897][ T5310] worker_thread+0x870/0xd30 [ 59.143421][ T5310] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 59.145206][ T5310] ? __kthread_parkme+0x169/0x1d0 [ 59.147106][ T5310] ? __pfx_worker_thread+0x10/0x10 [ 59.149011][ T5310] kthread+0x2f0/0x390 [ 59.150332][ T5310] ? __pfx_worker_thread+0x10/0x10 [ 59.151934][ T5310] ? __pfx_kthread+0x10/0x10 [ 59.153655][ T5310] ret_from_fork+0x4b/0x80 [ 59.155285][ T5310] ? __pfx_kthread+0x10/0x10 [ 59.157044][ T5310] ret_from_fork_asm+0x1a/0x30 [ 59.158848][ T5310] [ 59.163721][ T5310] ================================================================== [ 59.166749][ T5310] BUG: KASAN: slab-use-after-free in hci_le_create_big_complete_evt+0x383/0xae0 [ 59.170102][ T5310] Read of size 8 at addr ffff888043734000 by task kworker/u5:2/5310 [ 59.173022][ T5310] [ 59.173857][ T5310] CPU: 0 UID: 0 PID: 5310 Comm: kworker/u5:2 Tainted: G W 6.12.0-syzkaller-01782-gbf9aa14fc523 #0 [ 59.178117][ T5310] Tainted: [W]=WARN [ 59.179547][ T5310] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 59.183399][ T5310] Workqueue: hci0 hci_rx_work [ 59.185242][ T5310] Call Trace: [ 59.186497][ T5310] [ 59.187604][ T5310] dump_stack_lvl+0x241/0x360 [ 59.189304][ T5310] ? __pfx_dump_stack_lvl+0x10/0x10 [ 59.191156][ T5310] ? __pfx__printk+0x10/0x10 [ 59.192887][ T5310] ? _printk+0xd5/0x120 [ 59.194369][ T5310] ? __virt_addr_valid+0x183/0x530 [ 59.196055][ T5310] ? __virt_addr_valid+0x183/0x530 [ 59.197941][ T5310] print_report+0x169/0x550 [ 59.199567][ T5310] ? __virt_addr_valid+0x183/0x530 [ 59.201422][ T5310] ? __virt_addr_valid+0x183/0x530 [ 59.203252][ T5310] ? __virt_addr_valid+0x45f/0x530 [ 59.205256][ T5310] ? __phys_addr+0xba/0x170 [ 59.206914][ T5310] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 59.209104][ T5310] kasan_report+0x143/0x180 [ 59.210750][ T5310] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 59.213017][ T5310] hci_le_create_big_complete_evt+0x383/0xae0 [ 59.215207][ T5310] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 59.217454][ T5310] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 59.219795][ T5310] ? hci_le_meta_evt+0x366/0x580 [ 59.221640][ T5310] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 59.223886][ T5310] hci_event_packet+0xa55/0x1540 [ 59.225675][ T5310] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 59.227580][ T5310] ? __pfx_hci_event_packet+0x10/0x10 [ 59.229512][ T5310] ? do_raw_spin_unlock+0x58/0x8b0 [ 59.231322][ T5310] ? hci_send_to_monitor+0xd8/0x7f0 [ 59.233147][ T5310] ? kcov_remote_start+0x97/0x7d0 [ 59.234856][ T5310] hci_rx_work+0x3e8/0xca0 [ 59.236439][ T5310] ? process_scheduled_works+0x976/0x1850 [ 59.238688][ T5310] process_scheduled_works+0xa63/0x1850 [ 59.240859][ T5310] ? __pfx_process_scheduled_works+0x10/0x10 [ 59.243062][ T5310] ? assign_work+0x364/0x3d0 [ 59.244706][ T5310] worker_thread+0x870/0xd30 [ 59.246529][ T5310] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 59.248911][ T5310] ? __kthread_parkme+0x169/0x1d0 [ 59.250878][ T5310] ? __pfx_worker_thread+0x10/0x10 [ 59.252853][ T5310] kthread+0x2f0/0x390 [ 59.254363][ T5310] ? __pfx_worker_thread+0x10/0x10 [ 59.256267][ T5310] ? __pfx_kthread+0x10/0x10 [ 59.257983][ T5310] ret_from_fork+0x4b/0x80 [ 59.259733][ T5310] ? __pfx_kthread+0x10/0x10 [ 59.261513][ T5310] ret_from_fork_asm+0x1a/0x30 [ 59.263390][ T5310] [ 59.264586][ T5310] [ 59.265529][ T5310] Allocated by task 5310: [ 59.267094][ T5310] kasan_save_track+0x3f/0x80 [ 59.268712][ T5310] __kasan_kmalloc+0x98/0xb0 [ 59.270112][ T5310] __kmalloc_cache_noprof+0x19c/0x2c0 [ 59.272094][ T5310] __hci_conn_add+0x2f9/0x1850 [ 59.273841][ T5310] hci_le_big_sync_established_evt+0x414/0xc20 [ 59.275936][ T5310] hci_event_packet+0xa55/0x1540 [ 59.277786][ T5310] hci_rx_work+0x3e8/0xca0 [ 59.279225][ T5310] process_scheduled_works+0xa63/0x1850 [ 59.281004][ T5310] worker_thread+0x870/0xd30 [ 59.282672][ T5310] kthread+0x2f0/0x390 [ 59.283986][ T5310] ret_from_fork+0x4b/0x80 [ 59.285581][ T5310] ret_from_fork_asm+0x1a/0x30 [ 59.287517][ T5310] [ 59.288591][ T5310] Freed by task 5310: [ 59.290297][ T5310] kasan_save_track+0x3f/0x80 [ 59.292394][ T5310] kasan_save_free_info+0x40/0x50 [ 59.294368][ T5310] __kasan_slab_free+0x59/0x70 [ 59.296060][ T5310] kfree+0x1a0/0x440 [ 59.297405][ T5310] device_release+0x99/0x1c0 [ 59.299127][ T5310] kobject_put+0x22f/0x480 [ 59.300912][ T5310] hci_conn_del+0x8c4/0xc40 [ 59.302589][ T5310] hci_le_create_big_complete_evt+0x619/0xae0 [ 59.304695][ T5310] hci_event_packet+0xa55/0x1540 [ 59.306356][ T5310] hci_rx_work+0x3e8/0xca0 [ 59.307812][ T5310] process_scheduled_works+0xa63/0x1850 [ 59.309640][ T5310] worker_thread+0x870/0xd30 [ 59.311283][ T5310] kthread+0x2f0/0x390 [ 59.312579][ T5310] ret_from_fork+0x4b/0x80 [ 59.314061][ T5310] ret_from_fork_asm+0x1a/0x30 [ 59.315773][ T5310] [ 59.316633][ T5310] The buggy address belongs to the object at ffff888043734000 [ 59.316633][ T5310] which belongs to the cache kmalloc-8k of size 8192 [ 59.321452][ T5310] The buggy address is located 0 bytes inside of [ 59.321452][ T5310] freed 8192-byte region [ffff888043734000, ffff888043736000) [ 59.326476][ T5310] [ 59.327412][ T5310] The buggy address belongs to the physical page: [ 59.329907][ T5310] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x43730 [ 59.333274][ T5310] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 59.336502][ T5310] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) [ 59.339457][ T5310] page_type: f5(slab) [ 59.341031][ T5310] raw: 04fff00000000040 ffff88801ac42280 dead000000000122 0000000000000000 [ 59.344246][ T5310] raw: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000 [ 59.347547][ T5310] head: 04fff00000000040 ffff88801ac42280 dead000000000122 0000000000000000 [ 59.350794][ T5310] head: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000 [ 59.353794][ T5310] head: 04fff00000000003 ffffea00010dcc01 ffffffffffffffff 0000000000000000 [ 59.357018][ T5310] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 59.360085][ T5310] page dumped because: kasan: bad access detected [ 59.362537][ T5310] page_owner tracks the page as allocated [ 59.364543][ T5310] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1029, tgid 1029 (kworker/u4:7), ts 57528021710, free_ts 57507959506 [ 59.371767][ T5310] post_alloc_hook+0x1f3/0x230 [ 59.373502][ T5310] get_page_from_freelist+0x3649/0x3790 [ 59.375498][ T5310] __alloc_pages_noprof+0x292/0x710 [ 59.377322][ T5310] alloc_pages_mpol_noprof+0x3e8/0x680 [ 59.379349][ T5310] alloc_slab_page+0x6a/0x140 [ 59.381123][ T5310] allocate_slab+0x5a/0x2f0 [ 59.382773][ T5310] ___slab_alloc+0xcd1/0x14b0 [ 59.384479][ T5310] __slab_alloc+0x58/0xa0 [ 59.386031][ T5310] __kmalloc_noprof+0x25a/0x400 [ 59.387799][ T5310] __sta_info_alloc+0xbcb/0x1ea0 [ 59.389634][ T5310] ieee80211_ibss_add_sta+0x5ad/0x860 [ 59.391539][ T5310] ieee80211_ibss_rx_queued_mgmt+0x15c0/0x2d70 [ 59.393794][ T5310] ieee80211_iface_work+0x8a5/0xf20 [ 59.395670][ T5310] cfg80211_wiphy_work+0x2db/0x490 [ 59.397410][ T5310] process_scheduled_works+0xa63/0x1850 [ 59.399332][ T5310] worker_thread+0x870/0xd30 [ 59.400964][ T5310] page last free pid 4736 tgid 4736 stack trace: [ 59.403106][ T5310] free_unref_page+0xdf9/0x1140 [ 59.404724][ T5310] __slab_free+0x31b/0x3d0 [ 59.406139][ T5310] qlist_free_all+0x9a/0x140 [ 59.407798][ T5310] kasan_quarantine_reduce+0x14f/0x170 [ 59.409759][ T5310] __kasan_slab_alloc+0x23/0x80 [ 59.411346][ T5310] kmem_cache_alloc_lru_noprof+0x139/0x2b0 [ 59.413548][ T5310] shmem_alloc_inode+0x28/0x40 [ 59.415378][ T5310] alloc_inode+0x65/0x1a0 [ 59.417064][ T5310] new_inode+0x22/0x1d0 [ 59.418669][ T5310] shmem_get_inode+0x322/0xe00 [ 59.420406][ T5310] shmem_mknod+0x191/0x3d0 [ 59.422059][ T5310] path_openat+0x1c03/0x3590 [ 59.423734][ T5310] do_filp_open+0x27f/0x4e0 [ 59.425350][ T5310] do_sys_openat2+0x13e/0x1d0 [ 59.427188][ T5310] __x64_sys_openat+0x247/0x2a0 [ 59.429212][ T5310] do_syscall_64+0xf3/0x230 [ 59.431018][ T5310] [ 59.431762][ T5310] Memory state around the buggy address: [ 59.433596][ T5310] ffff888043733f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 59.436294][ T5310] ffff888043733f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 59.439047][ T5310] >ffff888043734000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.441746][ T5310] ^ [ 59.443212][ T5310] ffff888043734080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.446110][ T5310] ffff888043734100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.449024][ T5310] ================================================================== [ 59.459491][ T5310] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 59.462100][ T5310] CPU: 0 UID: 0 PID: 5310 Comm: kworker/u5:2 Tainted: G W 6.12.0-syzkaller-01782-gbf9aa14fc523 #0 [ 59.466427][ T5310] Tainted: [W]=WARN [ 59.467864][ T5310] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 59.471758][ T5310] Workqueue: hci0 hci_rx_work [ 59.473523][ T5310] Call Trace: [ 59.474645][ T5310] [ 59.475875][ T5310] dump_stack_lvl+0x241/0x360 [ 59.477568][ T5310] ? __pfx_dump_stack_lvl+0x10/0x10 [ 59.479163][ T5310] ? __pfx__printk+0x10/0x10 [ 59.480698][ T5310] ? rcu_is_watching+0x15/0xb0 [ 59.482317][ T5310] ? preempt_schedule+0xe1/0xf0 [ 59.484061][ T5310] ? vscnprintf+0x5d/0x90 [ 59.485532][ T5310] panic+0x349/0x880 [ 59.486855][ T5310] ? check_panic_on_warn+0x21/0xb0 [ 59.488416][ T5310] ? __pfx_panic+0x10/0x10 [ 59.490053][ T5310] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 59.492119][ T5310] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 59.494291][ T5310] ? print_report+0x502/0x550 [ 59.495996][ T5310] check_panic_on_warn+0x86/0xb0 [ 59.497871][ T5310] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 59.500076][ T5310] end_report+0x77/0x160 [ 59.501560][ T5310] kasan_report+0x154/0x180 [ 59.503154][ T5310] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 59.505368][ T5310] hci_le_create_big_complete_evt+0x383/0xae0 [ 59.507556][ T5310] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 59.509758][ T5310] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 59.512053][ T5310] ? hci_le_meta_evt+0x366/0x580 [ 59.513850][ T5310] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 59.516168][ T5310] hci_event_packet+0xa55/0x1540 [ 59.518160][ T5310] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 59.519937][ T5310] ? __pfx_hci_event_packet+0x10/0x10 [ 59.521797][ T5310] ? do_raw_spin_unlock+0x58/0x8b0 [ 59.523652][ T5310] ? hci_send_to_monitor+0xd8/0x7f0 [ 59.525534][ T5310] ? kcov_remote_start+0x97/0x7d0 [ 59.527424][ T5310] hci_rx_work+0x3e8/0xca0 [ 59.529133][ T5310] ? process_scheduled_works+0x976/0x1850 [ 59.531187][ T5310] process_scheduled_works+0xa63/0x1850 [ 59.533222][ T5310] ? __pfx_process_scheduled_works+0x10/0x10 [ 59.535461][ T5310] ? assign_work+0x364/0x3d0 [ 59.537164][ T5310] worker_thread+0x870/0xd30 [ 59.538854][ T5310] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 59.540952][ T5310] ? __kthread_parkme+0x169/0x1d0 [ 59.542720][ T5310] ? __pfx_worker_thread+0x10/0x10 [ 59.544424][ T5310] kthread+0x2f0/0x390 [ 59.545775][ T5310] ? __pfx_worker_thread+0x10/0x10 [ 59.547453][ T5310] ? __pfx_kthread+0x10/0x10 [ 59.549044][ T5310] ret_from_fork+0x4b/0x80 [ 59.550560][ T5310] ? __pfx_kthread+0x10/0x10 [ 59.552113][ T5310] ret_from_fork_asm+0x1a/0x30 [ 59.553733][ T5310] [ 59.554996][ T5310] Kernel Offset: disabled [ 59.556419][ T5310] Rebooting in 86400 seconds..