program:
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
read$msr(0xffffffffffffffff, &(0x7f0000001a40)=""/102392, 0x18ff8)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$tipc2(&(0x7f0000000400), 0xffffffffffffffff)
sendmsg$TIPC_NL_BEARER_ENABLE(r0, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000002c0)={0x0, 0x18}, 0x1, 0x0, 0x0, 0x20}, 0x0)
add_key$user(&(0x7f00000003c0), 0x0, 0x0, 0x0, 0xfffffffffffffffd)
r1 = socket$vsock_stream(0x28, 0x1, 0x0)
sendmsg$NL80211_CMD_SET_PMKSA(r0, 0x0, 0x800)
getsockopt$bt_sco_SCO_CONNINFO(r1, 0x11, 0x2, 0x0, 0x0)
ioctl$KVM_GET_DEVICE_ATTR(0xffffffffffffffff, 0x4018aee2, 0x0)
r2 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r2, &(0x7f0000000000)={0x1f, 0x0, @any, 0x4, 0x1}, 0xe)
listen(r2, 0x90004)
syz_emit_vhci(&(0x7f0000000140)=ANY=[@ANYBLOB="043e130100c90001"], 0x16)
ppoll(&(0x7f00000000c0)=[{r2, 0x60}], 0x1, 0x0, 0x0, 0x0)

[   86.131137][ T5322] sysfs: cannot create duplicate filename '/devices/virtual/bluetooth/hci0/hci0:201'
[   86.139748][ T5322] CPU: 0 UID: 0 PID: 5322 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) 
[   86.139771][ T5322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   86.139781][ T5322] Workqueue: hci0 hci_rx_work
[   86.139977][ T5322] Call Trace:
[   86.139985][ T5322]  <TASK>
[   86.139992][ T5322]  dump_stack_lvl+0x189/0x250
[   86.140018][ T5322]  ? __pfx_dump_stack_lvl+0x10/0x10
[   86.140032][ T5322]  ? __pfx__printk+0x10/0x10
[   86.140058][ T5322]  ? kernfs_path_from_node+0x250/0x290
[   86.140126][ T5322]  ? kernfs_path_from_node+0x2f/0x290
[   86.140146][ T5322]  sysfs_create_dir_ns+0x259/0x280
[   86.140165][ T5322]  ? __pfx_sysfs_create_dir_ns+0x10/0x10
[   86.140181][ T5322]  ? do_raw_spin_unlock+0x4d/0x240
[   86.140203][ T5322]  kobject_add_internal+0x6a8/0xca0
[   86.140229][ T5322]  kobject_add+0x155/0x220
[   86.140251][ T5322]  ? __pfx_kobject_add+0x10/0x10
[   86.140272][ T5322]  ? _raw_spin_unlock+0x28/0x50
[   86.140345][ T5322]  ? get_device_parent+0x366/0x3a0
[   86.140367][ T5322]  device_add+0x408/0xb50
[   86.140386][ T5322]  hci_conn_add_sysfs+0xd5/0x1e0
[   86.140407][ T5322]  le_conn_complete_evt+0xf1d/0x1420
[   86.140429][ T5322]  ? __pfx_le_conn_complete_evt+0x10/0x10
[   86.140442][ T5322]  ? __mutex_unlock_slowpath+0x1a1/0x730
[   86.140458][ T5322]  ? __asan_memcpy+0x40/0x70
[   86.140477][ T5322]  ? __pfx___mutex_unlock_slowpath+0x10/0x10
[   86.140493][ T5322]  ? skb_pull_data+0xfb/0x200
[   86.140509][ T5322]  hci_le_conn_complete_evt+0x187/0x450
[   86.140534][ T5322]  hci_event_packet+0x78f/0x1200
[   86.140553][ T5322]  ? __pfx_hci_le_meta_evt+0x10/0x10
[   86.140574][ T5322]  ? __pfx_hci_event_packet+0x10/0x10
[   86.140594][ T5322]  ? kcov_remote_start+0x4d3/0x7d0
[   86.140611][ T5322]  ? do_machine_check+0x5d0/0x710
[   86.140627][ T5322]  ? hci_send_to_monitor+0xe2/0x570
[   86.140644][ T5322]  hci_rx_work+0x42b/0xf20
[   86.140665][ T5322]  ? process_scheduled_works+0x9ef/0x1770
[   86.140680][ T5322]  process_scheduled_works+0xad1/0x1770
[   86.140728][ T5322]  ? __pfx_process_scheduled_works+0x10/0x10
[   86.140754][ T5322]  worker_thread+0x8a0/0xda0
[   86.140778][ T5322]  ? __kthread_parkme+0x7b/0x200
[   86.140799][ T5322]  kthread+0x711/0x8a0
[   86.140818][ T5322]  ? __pfx_worker_thread+0x10/0x10
[   86.140831][ T5322]  ? __pfx_kthread+0x10/0x10
[   86.140849][ T5322]  ? _raw_spin_unlock_irq+0x23/0x50
[   86.140864][ T5322]  ? lockdep_hardirqs_on+0x98/0x140
[   86.140879][ T5322]  ? __pfx_kthread+0x10/0x10
[   86.140896][ T5322]  ret_from_fork+0x599/0xb30
[   86.140911][ T5322]  ? __pfx_ret_from_fork+0x10/0x10
[   86.140930][ T5322]  ? __pfx_kthread+0x10/0x10
[   86.140947][ T5322]  ret_from_fork_asm+0x1a/0x30
[   86.140976][ T5322]  </TASK>
[   86.141003][ T5322] kobject: kobject_add_internal failed for hci0:201 with -EEXIST, don't try to register things with the same name in the same directory.
[   86.282815][ T5322] Bluetooth: hci0: failed to register connection device
[   86.290842][ T5322] ==================================================================
[   86.294498][ T5322] BUG: KASAN: slab-use-after-free in l2cap_connect_cfm+0x6e4/0x1060
[   86.298039][ T5322] Read of size 8 at addr ffff888042e15480 by task kworker/u5:2/5322
[   86.301533][ T5322] 
[   86.302809][ T5322] CPU: 0 UID: 0 PID: 5322 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) 
[   86.302832][ T5322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   86.302842][ T5322] Workqueue: hci0 hci_rx_work
[   86.302866][ T5322] Call Trace:
[   86.302876][ T5322]  <TASK>
[   86.302883][ T5322]  dump_stack_lvl+0x189/0x250
[   86.302900][ T5322]  ? __kasan_check_byte+0x12/0x40
[   86.302920][ T5322]  ? __pfx_dump_stack_lvl+0x10/0x10
[   86.302933][ T5322]  ? lock_release+0x4b/0x3b0
[   86.302946][ T5322]  ? __virt_addr_valid+0x4a5/0x5c0
[   86.302963][ T5322]  print_report+0xca/0x240
[   86.302975][ T5322]  ? l2cap_connect_cfm+0x6e4/0x1060
[   86.302988][ T5322]  kasan_report+0x118/0x150
[   86.303004][ T5322]  ? l2cap_connect_cfm+0x6e4/0x1060
[   86.303019][ T5322]  l2cap_connect_cfm+0x6e4/0x1060
[   86.303037][ T5322]  ? __pfx_l2cap_connect_cfm+0x10/0x10
[   86.303052][ T5322]  ? __pfx_l2cap_connect_cfm+0x10/0x10
[   86.303063][ T5322]  hci_connect_cfm+0x95/0x140
[   86.303076][ T5322]  le_conn_complete_evt+0xf65/0x1420
[   86.303090][ T5322]  ? __pfx_le_conn_complete_evt+0x10/0x10
[   86.303098][ T5322]  ? __mutex_unlock_slowpath+0x1a1/0x730
[   86.303114][ T5322]  ? __asan_memcpy+0x40/0x70
[   86.303126][ T5322]  ? __pfx___mutex_unlock_slowpath+0x10/0x10
[   86.303144][ T5322]  ? skb_pull_data+0xfb/0x200
[   86.303157][ T5322]  hci_le_conn_complete_evt+0x187/0x450
[   86.303177][ T5322]  hci_event_packet+0x78f/0x1200
[   86.303194][ T5322]  ? __pfx_hci_le_meta_evt+0x10/0x10
[   86.303212][ T5322]  ? __pfx_hci_event_packet+0x10/0x10
[   86.303228][ T5322]  ? kcov_remote_start+0x4d3/0x7d0
[   86.303243][ T5322]  ? do_machine_check+0x5d0/0x710
[   86.303257][ T5322]  ? hci_send_to_monitor+0xe2/0x570
[   86.303272][ T5322]  hci_rx_work+0x42b/0xf20
[   86.303289][ T5322]  ? process_scheduled_works+0x9ef/0x1770
[   86.303303][ T5322]  process_scheduled_works+0xad1/0x1770
[   86.303320][ T5322]  ? __pfx_process_scheduled_works+0x10/0x10
[   86.303338][ T5322]  worker_thread+0x8a0/0xda0
[   86.303355][ T5322]  ? __kthread_parkme+0x7b/0x200
[   86.303369][ T5322]  kthread+0x711/0x8a0
[   86.303385][ T5322]  ? __pfx_worker_thread+0x10/0x10
[   86.303397][ T5322]  ? __pfx_kthread+0x10/0x10
[   86.303412][ T5322]  ? _raw_spin_unlock_irq+0x23/0x50
[   86.303424][ T5322]  ? lockdep_hardirqs_on+0x98/0x140
[   86.303436][ T5322]  ? __pfx_kthread+0x10/0x10
[   86.303451][ T5322]  ret_from_fork+0x599/0xb30
[   86.303464][ T5322]  ? __pfx_ret_from_fork+0x10/0x10
[   86.303477][ T5322]  ? __pfx_kthread+0x10/0x10
[   86.303491][ T5322]  ret_from_fork_asm+0x1a/0x30
[   86.303509][ T5322]  </TASK>
[   86.303514][ T5322] 
[   86.418524][ T5322] Allocated by task 5322:
[   86.420823][ T5322]  kasan_save_track+0x3e/0x80
[   86.422930][ T5322]  __kasan_kmalloc+0x93/0xb0
[   86.425068][ T5322]  __kmalloc_cache_noprof+0x3d5/0x6f0
[   86.427470][ T5322]  l2cap_chan_create+0x50/0x760
[   86.429657][ T5322]  l2cap_sock_new_connection_cb+0x182/0x2b0
[   86.432285][ T5322]  l2cap_connect_cfm+0x37a/0x1060
[   86.434676][ T5322]  hci_connect_cfm+0x95/0x140
[   86.436803][ T5322]  le_conn_complete_evt+0xf65/0x1420
[   86.439331][ T5322]  hci_le_conn_complete_evt+0x187/0x450
[   86.441968][ T5322]  hci_event_packet+0x78f/0x1200
[   86.444415][ T5322]  hci_rx_work+0x42b/0xf20
[   86.446503][ T5322]  process_scheduled_works+0xad1/0x1770
[   86.448933][ T5322]  worker_thread+0x8a0/0xda0
[   86.450959][ T5322]  kthread+0x711/0x8a0
[   86.452716][ T5322]  ret_from_fork+0x599/0xb30
[   86.454731][ T5322]  ret_from_fork_asm+0x1a/0x30
[   86.456878][ T5322] 
[   86.457948][ T5322] Freed by task 5344:
[   86.459720][ T5322]  kasan_save_track+0x3e/0x80
[   86.461813][ T5322]  __kasan_save_free_info+0x46/0x50
[   86.464204][ T5322]  __kasan_slab_free+0x5c/0x80
[   86.466403][ T5322]  kfree+0x1c0/0x660
[   86.468240][ T5322]  l2cap_sock_cleanup_listen+0xea/0x3e0
[   86.470712][ T5322]  l2cap_sock_release+0x6a/0x210
[   86.472852][ T5322]  sock_close+0xc3/0x240
[   86.474653][ T5322]  __fput+0x44c/0xa70
[   86.476519][ T5322]  task_work_run+0x1d4/0x260
[   86.478601][ T5322]  exit_to_user_mode_loop+0xff/0x4f0
[   86.480931][ T5322]  do_syscall_64+0x2e3/0xf80
[   86.483007][ T5322]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.485614][ T5322] 
[   86.486730][ T5322] The buggy address belongs to the object at ffff888042e15000
[   86.486730][ T5322]  which belongs to the cache kmalloc-2k of size 2048
[   86.492931][ T5322] The buggy address is located 1152 bytes inside of
[   86.492931][ T5322]  freed 2048-byte region [ffff888042e15000, ffff888042e15800)
[   86.499387][ T5322] 
[   86.500524][ T5322] The buggy address belongs to the physical page:
[   86.503285][ T5322] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x42e10
[   86.507109][ T5322] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   86.510804][ T5322] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
[   86.514292][ T5322] page_type: f5(slab)
[   86.516238][ T5322] raw: 04fff00000000040 ffff88801a042000 dead000000000122 0000000000000000
[   86.520366][ T5322] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
[   86.524230][ T5322] head: 04fff00000000040 ffff88801a042000 dead000000000122 0000000000000000
[   86.528034][ T5322] head: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
[   86.531768][ T5322] head: 04fff00000000003 ffffea00010b8401 00000000ffffffff 00000000ffffffff
[   86.535567][ T5322] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[   86.539410][ T5322] page dumped because: kasan: bad access detected
[   86.542349][ T5322] page_owner tracks the page as allocated
[   86.544943][ T5322] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4725, tgid 4725 (klogd), ts 86278205740, free_ts 86104710127
[   86.553609][ T5322]  post_alloc_hook+0x234/0x290
[   86.555606][ T5322]  get_page_from_freelist+0x2365/0x2440
[   86.557800][ T5322]  __alloc_frozen_pages_noprof+0x181/0x370
[   86.560135][ T5322]  alloc_pages_mpol+0x232/0x4a0
[   86.562164][ T5322]  allocate_slab+0x86/0x3b0
[   86.564097][ T5322]  ___slab_alloc+0xf2b/0x1960
[   86.566217][ T5322]  __slab_alloc+0x65/0x100
[   86.568297][ T5322]  __kmalloc_cache_noprof+0x411/0x6f0
[   86.571220][ T5322]  syslog_print+0xd2/0x590
[   86.573642][ T5322]  do_syslog+0x544/0x760
[   86.576061][ T5322]  __x64_sys_syslog+0x7c/0x90
[   86.579001][ T5322]  do_syscall_64+0xfa/0xf80
[   86.581843][ T5322]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.585404][ T5322] page last free pid 5033 tgid 5033 stack trace:
[   86.589414][ T5322]  __free_frozen_pages+0xbc4/0xd30
[   86.591661][ T5322]  __slab_free+0x21b/0x2a0
[   86.593741][ T5322]  qlist_free_all+0x97/0x100
[   86.595838][ T5322]  kasan_quarantine_reduce+0x148/0x160
[   86.598475][ T5322]  __kasan_slab_alloc+0x22/0x80
[   86.600630][ T5322]  kmem_cache_alloc_node_noprof+0x433/0x710
[   86.603249][ T5322]  __alloc_skb+0x255/0x430
[   86.605411][ T5322]  alloc_skb_with_frags+0xca/0x890
[   86.607748][ T5322]  sock_alloc_send_pskb+0x84d/0x980
[   86.610158][ T5322]  unix_dgram_sendmsg+0x501/0x18c0
[   86.612569][ T5322]  __sock_sendmsg+0x21c/0x270
[   86.614729][ T5322]  __sys_sendto+0x3bd/0x520
[   86.616732][ T5322]  __x64_sys_sendto+0xde/0x100
[   86.618855][ T5322]  do_syscall_64+0xfa/0xf80
[   86.620976][ T5322]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.623679][ T5322] 
[   86.624800][ T5322] Memory state around the buggy address:
[   86.627376][ T5322]  ffff888042e15380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   86.631126][ T5322]  ffff888042e15400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   86.634615][ T5322] >ffff888042e15480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   86.638195][ T5322]                    ^
[   86.640148][ T5322]  ffff888042e15500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   86.644020][ T5322]  ffff888042e15580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   86.647735][ T5322] ==================================================================
[   86.686138][ T5322] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   86.690823][ T5322] CPU: 0 UID: 0 PID: 5322 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) 
[   86.695039][ T5322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   86.699769][ T5322] Workqueue: hci0 hci_rx_work
[   86.702285][ T5322] Call Trace:
[   86.704304][ T5322]  <TASK>
[   86.705913][ T5322]  dump_stack_lvl+0x99/0x250
[   86.708099][ T5322]  ? __asan_memcpy+0x40/0x70
[   86.710326][ T5322]  ? __pfx_dump_stack_lvl+0x10/0x10
[   86.712605][ T5322]  ? __pfx__printk+0x10/0x10
[   86.714734][ T5322]  vpanic+0x237/0x6d0
[   86.716555][ T5322]  ? __pfx_vpanic+0x10/0x10
[   86.718642][ T5322]  ? preempt_schedule+0xae/0xc0
[   86.721083][ T5322]  ? __pfx_preempt_schedule+0x10/0x10
[   86.723742][ T5322]  panic+0xb9/0xc0
[   86.725640][ T5322]  ? __pfx_panic+0x10/0x10
[   86.727804][ T5322]  ? _raw_spin_unlock_irqrestore+0xfd/0x110
[   86.730498][ T5322]  ? l2cap_connect_cfm+0x6e4/0x1060
[   86.732963][ T5322]  check_panic_on_warn+0x89/0xb0
[   86.735287][ T5322]  ? l2cap_connect_cfm+0x6e4/0x1060
[   86.737691][ T5322]  end_report+0x6f/0x140
[   86.739617][ T5322]  kasan_report+0x129/0x150
[   86.741632][ T5322]  ? l2cap_connect_cfm+0x6e4/0x1060
[   86.743981][ T5322]  l2cap_connect_cfm+0x6e4/0x1060
[   86.746245][ T5322]  ? __pfx_l2cap_connect_cfm+0x10/0x10
[   86.748955][ T5322]  ? __pfx_l2cap_connect_cfm+0x10/0x10
[   86.751443][ T5322]  hci_connect_cfm+0x95/0x140
[   86.753666][ T5322]  le_conn_complete_evt+0xf65/0x1420
[   86.756375][ T5322]  ? __pfx_le_conn_complete_evt+0x10/0x10
[   86.759058][ T5322]  ? __mutex_unlock_slowpath+0x1a1/0x730
[   86.761601][ T5322]  ? __asan_memcpy+0x40/0x70
[   86.763845][ T5322]  ? __pfx___mutex_unlock_slowpath+0x10/0x10
[   86.766702][ T5322]  ? skb_pull_data+0xfb/0x200
[   86.768869][ T5322]  hci_le_conn_complete_evt+0x187/0x450
[   86.771437][ T5322]  hci_event_packet+0x78f/0x1200
[   86.773730][ T5322]  ? __pfx_hci_le_meta_evt+0x10/0x10
[   86.775917][ T5322]  ? __pfx_hci_event_packet+0x10/0x10
[   86.778174][ T5322]  ? kcov_remote_start+0x4d3/0x7d0
[   86.780391][ T5322]  ? do_machine_check+0x5d0/0x710
[   86.782690][ T5322]  ? hci_send_to_monitor+0xe2/0x570
[   86.785045][ T5322]  hci_rx_work+0x42b/0xf20
[   86.787097][ T5322]  ? process_scheduled_works+0x9ef/0x1770
[   86.789576][ T5322]  process_scheduled_works+0xad1/0x1770
[   86.792075][ T5322]  ? __pfx_process_scheduled_works+0x10/0x10
[   86.795334][ T5322]  worker_thread+0x8a0/0xda0
[   86.797612][ T5322]  ? __kthread_parkme+0x7b/0x200
[   86.799928][ T5322]  kthread+0x711/0x8a0
[   86.801813][ T5322]  ? __pfx_worker_thread+0x10/0x10
[   86.804185][ T5322]  ? __pfx_kthread+0x10/0x10
[   86.806366][ T5322]  ? _raw_spin_unlock_irq+0x23/0x50
[   86.808704][ T5322]  ? lockdep_hardirqs_on+0x98/0x140
[   86.811077][ T5322]  ? __pfx_kthread+0x10/0x10
[   86.813247][ T5322]  ret_from_fork+0x599/0xb30
[   86.815380][ T5322]  ? __pfx_ret_from_fork+0x10/0x10
[   86.817742][ T5322]  ? __pfx_kthread+0x10/0x10
[   86.820257][ T5322]  ret_from_fork_asm+0x1a/0x30
[   86.822824][ T5322]  </TASK>
[   86.824620][ T5322] Kernel Offset: disabled
[   86.826531][ T5322] Rebooting in 86400 seconds..