program: syz_mount_image$ext4(&(0x7f0000000040)='ext4\x00', &(0x7f0000000180)='./bus\x00', 0xe, &(0x7f00000004c0)={[{@resuid}, {@init_itable}, {@minixdf}, {@noblock_validity}]}, 0x3, 0x451, &(0x7f0000000f80)="$eJzs3M2PU1UbAPDn3k6HlxdwRsQPPtRRNE78mGEAlYULNZq4wMREF7qczAwEKYxhxkQIUTAGV8aYuDcu/Rdc6cYYVyZudW9IiGEDuKq57b1MW9rCdFqq098vuXDOvedyztNzT3vuPS0BjKyp7I8kYntE/B4RE/Vsc4Gp+l/Xr55fuHH1/EIS1erbfyW1cteunl8oihbnbcsz02lE+lkSe9vUu3L23Mn5SmXpTJ6fXT31wezK2XPPnTg1f3zp+NLpg0eOHD409+ILB5/vS5xZm67t+Xh53+433vvqzaNfNMXfEkefTHU7+GS12ufqhmtHQzoZG2JDWJdSRGTdVa6N/4koxVrnTcTrnw61ccBAVavV6rbOhy9UgU0siea8IQ+jovigz+5/i611EvDy4KYfQ3fllfoNUBb39XyrHxmLNC9Tbrm/7aepiHj3wt/fZFsM5jkEAECTH7L5z7Pt5n9pPNBQ7p58bWgyIu6NiJ0RcV9E7IqI+yNqZR+MiIfWWX/rIsmt85/0ck+B3aFs/vdSvrbVPP8rZn8xWcpzO2rxl5NjJypLB/LXZDrKW7L8XJc6fnztty87HWuc/2VbVn8xF8zbcXlsS/M5i/Or8xuJudGVixF7xtrFn9xcCUgiYndE7OmxjhNPf7ev07Hbx99FH9aZqt9GPFXv/wvREn8h6b4+Ofu/qCwdmC2uilv98uultzrVv6H4+yDr//+3vf5vxj+ZNK7Xrqy/jkt/fN7xnqbX6388eaeWHs/3fTS/unpmLmI8OVpvdOP+g2vnFvmifBb/9P72439nrL0SeyMiu4gfjohHIuLRvO2PRcTjEbG/S/w/v/rE+73HP1hZ/Ivr6v+1xHi07mmfKJ386fumSidvif9G9/4/XEtN53vu5P3vTtrV29UMAAAA/z1pRGyPJJ25mU7TmZn69+V3RaSV5ZXVZ44tf3h6sf4bgckop8WTromG56Fz+W19PX8xIupfLSiOH8qfG39d2lrLzywsVxaHHTyMuG0dxn/mz9KwWwcMnN9rwegy/mF0Gf8wuox/GF1txv/WYbQDuPvaff5/MoR2AHdfy/i37AcjxP0/jK6O438z/88/QI3PfxhJK1vj9j+S75oo/qUeT9+0iSj/K5qx8UQ1adu5kQ67YRKDTAz3fQkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAKBf/gkAAP//qmHgTw==") r0 = syz_mount_image$fuse(0x0, &(0x7f0000000180)='./file2\x00', 0x0, 0x0, 0x0, 0x0, 0x0) mount$overlay(0x0, &(0x7f0000000080)='./file0\x00', &(0x7f0000000000), 0x0, &(0x7f0000000140)={[{@workdir={'workdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, '.'}}, {@upperdir={'upperdir', 0x3d, './file2'}}], [], 0x2c}) setxattr$security_capability(&(0x7f0000000280)='./file1\x00', &(0x7f00000002c0), 0x0, 0x0, 0x0) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000240)={0x11, 0x4, &(0x7f00000000c0)=ANY=[@ANYBLOB="1800000000070000000000000000000085000000230000009500000000000000"], &(0x7f00000001c0)='GPL\x00', 0x4, 0x8f, &(0x7f00000002c0)=""/143, 0x0, 0x0, '\x00', 0x0, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000180)={&(0x7f0000000140)='kmem_cache_free\x00', r1}, 0x10) chdir(&(0x7f00000001c0)='./file0\x00') bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0x6, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b708"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) sendmsg$IPSET_CMD_CREATE(0xffffffffffffffff, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)={0x14, 0x2, 0x6, 0x5}, 0x14}}, 0x0) r2 = add_key$keyring(&(0x7f0000000200), &(0x7f0000000240)={'syz', 0x1}, 0x0, 0x0, 0xfffffffffffffffb) pipe2$watch_queue(&(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}, 0x80) keyctl$KEYCTL_WATCH_KEY(0x20, r2, r3, 0x0) r4 = add_key$fscrypt_v1(&(0x7f0000000080), &(0x7f0000000280), &(0x7f0000000180)={0x0, "de8d0d27ca969fa15f8b3b7bae39c1b3327d4332f8c149d2d65a347d67f6db7eb90dfdad3cdebaaf421412f812305c9da91699b5a02c1295596f0fd9ec78f2fd"}, 0x48, r2) keyctl$KEYCTL_MOVE(0x9, r4, r2, 0x0, 0x0) ioctl$FS_IOC_ADD_ENCRYPTION_KEY(r0, 0xc0506617, &(0x7f0000000580)={@id={0x2, 0x0, @c}, 0x40, r4, '\x00', @a}) syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="043e751d"], 0x24) syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="043e1f1b"], 0x22) r5 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x3f, 0x0) ioctl$VIDIOC_SUBDEV_ENUM_DV_TIMINGS(r5, 0xc0945662, &(0x7f0000000380)={0x8, 0x0, '\x00', {0x0, @reserved}}) [ 59.627104][ T5319] loop0: detected capacity change from 0 to 512 [ 59.640500][ T5319] EXT4-fs: Warning: mounting with data=journal disables delayed allocation, dioread_nolock, O_DIRECT and fast_commit support! [ 59.653214][ T5319] EXT4-fs (loop0): encrypted files will use data=ordered instead of data journaling mode [ 59.662181][ T5319] EXT4-fs (loop0): 1 truncate cleaned up [ 59.666468][ T5319] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. [ 59.689454][ T5306] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585 [ 59.693238][ T5306] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5306, name: kworker/u5:2 [ 59.697932][ T5306] preempt_count: 0, expected: 0 [ 59.699760][ T5306] RCU nest depth: 1, expected: 0 [ 59.701677][ T5306] 4 locks held by kworker/u5:2/5306: [ 59.705147][ T5306] #0: ffff888035e5b148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 [ 59.709310][ T5306] #1: ffffc9000d3e7d00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 [ 59.715432][ T5306] #2: ffff88804410c078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xcf/0xae0 [ 59.719398][ T5306] #3: ffffffff8e937da0 (rcu_read_lock){....}-{1:2}, at: hci_le_create_big_complete_evt+0xdb/0xae0 [ 59.724592][ T5306] CPU: 0 UID: 0 PID: 5306 Comm: kworker/u5:2 Not tainted 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 [ 59.728637][ T5306] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 59.732692][ T5306] Workqueue: hci0 hci_rx_work [ 59.734220][ T5306] Call Trace: [ 59.735243][ T5306] [ 59.736193][ T5306] dump_stack_lvl+0x241/0x360 [ 59.737736][ T5306] ? __pfx_dump_stack_lvl+0x10/0x10 [ 59.739601][ T5306] ? __pfx__printk+0x10/0x10 [ 59.741243][ T5306] __might_resched+0x5d4/0x780 [ 59.742710][ T5306] ? __mutex_lock+0x112/0xd70 [ 59.744278][ T5306] ? __pfx___might_resched+0x10/0x10 [ 59.745987][ T5306] __mutex_lock+0xc1/0xd70 [ 59.747644][ T5306] ? __pfx_lock_acquire+0x10/0x10 [ 59.749445][ T5306] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 59.751855][ T5306] ? __pfx_lock_release+0x10/0x10 [ 59.753724][ T5306] ? __pfx___mutex_lock+0x10/0x10 [ 59.755643][ T5306] ? trace_contention_end+0x3c/0x120 [ 59.757632][ T5306] ? skb_pull_data+0x112/0x230 [ 59.759209][ T5306] ? hci_conn_set_handle+0x9a/0x270 [ 59.760910][ T5306] hci_le_create_big_complete_evt+0x3d9/0xae0 [ 59.763091][ T5306] ? __copy_skb_header+0x437/0x5b0 [ 59.765091][ T5306] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 59.767422][ T5306] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 59.769872][ T5306] ? hci_le_meta_evt+0x366/0x580 [ 59.771845][ T5306] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 59.774361][ T5306] hci_event_packet+0xa55/0x1540 [ 59.776300][ T5306] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 59.778414][ T5306] ? __pfx_hci_event_packet+0x10/0x10 [ 59.780581][ T5306] ? do_raw_spin_unlock+0x58/0x8b0 [ 59.782585][ T5306] ? hci_send_to_monitor+0xd8/0x7f0 [ 59.784645][ T5306] ? kcov_remote_start+0x97/0x7d0 [ 59.786621][ T5306] hci_rx_work+0x3e8/0xca0 [ 59.788192][ T5306] ? process_scheduled_works+0x976/0x1850 [ 59.790167][ T5306] process_scheduled_works+0xa63/0x1850 [ 59.792100][ T5306] ? __pfx_process_scheduled_works+0x10/0x10 [ 59.794453][ T5306] ? assign_work+0x364/0x3d0 [ 59.796214][ T5306] worker_thread+0x870/0xd30 [ 59.797948][ T5306] ? __kthread_parkme+0x169/0x1d0 [ 59.799587][ T5306] ? __pfx_worker_thread+0x10/0x10 [ 59.801470][ T5306] kthread+0x2f0/0x390 [ 59.802981][ T5306] ? __pfx_worker_thread+0x10/0x10 [ 59.804722][ T5306] ? __pfx_kthread+0x10/0x10 [ 59.806210][ T5306] ret_from_fork+0x4b/0x80 [ 59.807856][ T5306] ? __pfx_kthread+0x10/0x10 [ 59.809525][ T5306] ret_from_fork_asm+0x1a/0x30 [ 59.811263][ T5306] [ 59.822088][ T24] audit: type=1800 audit(1731814859.030:2): pid=5319 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed comm="syz.0.0" name="file1" dev="overlay" ino=15 res=0 errno=0 [ 59.828779][ T5306] [ 59.829627][ T5306] ============================= [ 59.831351][ T5306] [ BUG: Invalid wait context ] [ 59.832969][ T5306] 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 Tainted: G W [ 59.835878][ T5306] ----------------------------- [ 59.837629][ T5306] kworker/u5:2/5306 is trying to lock: [ 59.839621][ T5306] ffffffff8fe40568 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0x3d9/0xae0 [ 59.843484][ T5306] other info that might help us debug this: [ 59.845607][ T5306] context-{4:4} [ 59.846934][ T5306] 4 locks held by kworker/u5:2/5306: [ 59.848857][ T5306] #0: ffff888035e5b148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 [ 59.852849][ T5306] #1: ffffc9000d3e7d00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 [ 59.857279][ T5306] #2: ffff88804410c078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xcf/0xae0 [ 59.861028][ T5306] #3: ffffffff8e937da0 (rcu_read_lock){....}-{1:2}, at: hci_le_create_big_complete_evt+0xdb/0xae0 [ 59.864866][ T5306] stack backtrace: [ 59.866163][ T5306] CPU: 0 UID: 0 PID: 5306 Comm: kworker/u5:2 Tainted: G W 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 [ 59.870901][ T5306] Tainted: [W]=WARN [ 59.872471][ T5306] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 59.876383][ T5306] Workqueue: hci0 hci_rx_work [ 59.878204][ T5306] Call Trace: [ 59.879485][ T5306] [ 59.880681][ T5306] dump_stack_lvl+0x241/0x360 [ 59.882560][ T5306] ? __pfx_dump_stack_lvl+0x10/0x10 [ 59.884541][ T5306] ? __pfx__printk+0x10/0x10 [ 59.886307][ T5306] __lock_acquire+0x154a/0x2050 [ 59.888235][ T5306] lock_acquire+0x1ed/0x550 [ 59.889986][ T5306] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 59.892359][ T5306] ? __pfx_lock_acquire+0x10/0x10 [ 59.894328][ T5306] ? __mutex_lock+0x112/0xd70 [ 59.896290][ T5306] ? __pfx___might_resched+0x10/0x10 [ 59.898310][ T5306] __mutex_lock+0x136/0xd70 [ 59.900212][ T5306] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 59.902627][ T5306] ? __pfx_lock_acquire+0x10/0x10 [ 59.904553][ T5306] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 59.906831][ T5306] ? __pfx_lock_release+0x10/0x10 [ 59.908666][ T5306] ? __pfx___mutex_lock+0x10/0x10 [ 59.910489][ T5306] ? trace_contention_end+0x3c/0x120 [ 59.912480][ T5306] ? skb_pull_data+0x112/0x230 [ 59.914386][ T5306] ? hci_conn_set_handle+0x9a/0x270 [ 59.916406][ T5306] hci_le_create_big_complete_evt+0x3d9/0xae0 [ 59.918650][ T5306] ? __copy_skb_header+0x437/0x5b0 [ 59.920614][ T5306] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 59.923014][ T5306] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 59.925447][ T5306] ? hci_le_meta_evt+0x366/0x580 [ 59.927298][ T5306] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 59.929846][ T5306] hci_event_packet+0xa55/0x1540 [ 59.931778][ T5306] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 59.933691][ T5306] ? __pfx_hci_event_packet+0x10/0x10 [ 59.935720][ T5306] ? do_raw_spin_unlock+0x58/0x8b0 [ 59.937638][ T5306] ? hci_send_to_monitor+0xd8/0x7f0 [ 59.939598][ T5306] ? kcov_remote_start+0x97/0x7d0 [ 59.941473][ T5306] hci_rx_work+0x3e8/0xca0 [ 59.943240][ T5306] ? process_scheduled_works+0x976/0x1850 [ 59.945308][ T5306] process_scheduled_works+0xa63/0x1850 [ 59.947381][ T5306] ? __pfx_process_scheduled_works+0x10/0x10 [ 59.949571][ T5306] ? assign_work+0x364/0x3d0 [ 59.951349][ T5306] worker_thread+0x870/0xd30 [ 59.953077][ T5306] ? __kthread_parkme+0x169/0x1d0 [ 59.955001][ T5306] ? __pfx_worker_thread+0x10/0x10 [ 59.956908][ T5306] kthread+0x2f0/0x390 [ 59.958456][ T5306] ? __pfx_worker_thread+0x10/0x10 [ 59.960405][ T5306] ? __pfx_kthread+0x10/0x10 [ 59.962190][ T5306] ret_from_fork+0x4b/0x80 [ 59.963952][ T5306] ? __pfx_kthread+0x10/0x10 [ 59.965770][ T5306] ret_from_fork_asm+0x1a/0x30 [ 59.967494][ T5306] [ 59.972664][ T5306] ================================================================== [ 59.975446][ T5306] BUG: KASAN: slab-use-after-free in hci_le_create_big_complete_evt+0x383/0xae0 [ 59.978436][ T5306] Read of size 8 at addr ffff88803c410000 by task kworker/u5:2/5306 [ 59.981141][ T5306] [ 59.981899][ T5306] CPU: 0 UID: 0 PID: 5306 Comm: kworker/u5:2 Tainted: G W 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 [ 59.985998][ T5306] Tainted: [W]=WARN [ 59.987487][ T5306] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 59.991562][ T5306] Workqueue: hci0 hci_rx_work [ 59.993329][ T5306] Call Trace: [ 59.994606][ T5306] [ 59.995779][ T5306] dump_stack_lvl+0x241/0x360 [ 59.997633][ T5306] ? __pfx_dump_stack_lvl+0x10/0x10 [ 59.999683][ T5306] ? __pfx__printk+0x10/0x10 [ 60.001468][ T5306] ? _printk+0xd5/0x120 [ 60.003130][ T5306] ? __virt_addr_valid+0x183/0x530 [ 60.005055][ T5306] ? __virt_addr_valid+0x183/0x530 [ 60.007098][ T5306] print_report+0x169/0x550 [ 60.008746][ T5306] ? __virt_addr_valid+0x183/0x530 [ 60.010637][ T5306] ? __virt_addr_valid+0x183/0x530 [ 60.012586][ T5306] ? __virt_addr_valid+0x45f/0x530 [ 60.014426][ T5306] ? __phys_addr+0xba/0x170 [ 60.016090][ T5306] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 60.018346][ T5306] kasan_report+0x143/0x180 [ 60.019881][ T5306] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 60.022059][ T5306] hci_le_create_big_complete_evt+0x383/0xae0 [ 60.024409][ T5306] ? __copy_skb_header+0x437/0x5b0 [ 60.026240][ T5306] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 60.028567][ T5306] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 60.031022][ T5306] ? hci_le_meta_evt+0x366/0x580 [ 60.032988][ T5306] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 60.035527][ T5306] hci_event_packet+0xa55/0x1540 [ 60.037392][ T5306] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 60.039408][ T5306] ? __pfx_hci_event_packet+0x10/0x10 [ 60.041415][ T5306] ? do_raw_spin_unlock+0x58/0x8b0 [ 60.043366][ T5306] ? hci_send_to_monitor+0xd8/0x7f0 [ 60.045323][ T5306] ? kcov_remote_start+0x97/0x7d0 [ 60.047255][ T5306] hci_rx_work+0x3e8/0xca0 [ 60.048957][ T5306] ? process_scheduled_works+0x976/0x1850 [ 60.051022][ T5306] process_scheduled_works+0xa63/0x1850 [ 60.053080][ T5306] ? __pfx_process_scheduled_works+0x10/0x10 [ 60.055234][ T5306] ? assign_work+0x364/0x3d0 [ 60.056928][ T5306] worker_thread+0x870/0xd30 [ 60.058710][ T5306] ? __kthread_parkme+0x169/0x1d0 [ 60.060668][ T5306] ? __pfx_worker_thread+0x10/0x10 [ 60.062354][ T5306] kthread+0x2f0/0x390 [ 60.063902][ T5306] ? __pfx_worker_thread+0x10/0x10 [ 60.065860][ T5306] ? __pfx_kthread+0x10/0x10 [ 60.067630][ T5306] ret_from_fork+0x4b/0x80 [ 60.069357][ T5306] ? __pfx_kthread+0x10/0x10 [ 60.071132][ T5306] ret_from_fork_asm+0x1a/0x30 [ 60.073001][ T5306] [ 60.074090][ T5306] [ 60.075007][ T5306] Allocated by task 5306: [ 60.076518][ T5306] kasan_save_track+0x3f/0x80 [ 60.078233][ T5306] __kasan_kmalloc+0x98/0xb0 [ 60.079846][ T5306] __kmalloc_cache_noprof+0x19c/0x2c0 [ 60.081925][ T5306] __hci_conn_add+0x2f9/0x1850 [ 60.083596][ T5306] hci_le_big_sync_established_evt+0x414/0xc20 [ 60.085954][ T5306] hci_event_packet+0xa55/0x1540 [ 60.087819][ T5306] hci_rx_work+0x3e8/0xca0 [ 60.089556][ T5306] process_scheduled_works+0xa63/0x1850 [ 60.091579][ T5306] worker_thread+0x870/0xd30 [ 60.093314][ T5306] kthread+0x2f0/0x390 [ 60.094835][ T5306] ret_from_fork+0x4b/0x80 [ 60.096463][ T5306] ret_from_fork_asm+0x1a/0x30 [ 60.098315][ T5306] [ 60.099300][ T5306] Freed by task 5306: [ 60.100868][ T5306] kasan_save_track+0x3f/0x80 [ 60.102562][ T5306] kasan_save_free_info+0x40/0x50 [ 60.104534][ T5306] __kasan_slab_free+0x59/0x70 [ 60.106290][ T5306] kfree+0x1a0/0x440 [ 60.107813][ T5306] device_release+0x99/0x1c0 [ 60.109647][ T5306] kobject_put+0x22f/0x480 [ 60.111393][ T5306] hci_conn_del+0x8c4/0xc40 [ 60.113113][ T5306] hci_le_create_big_complete_evt+0x619/0xae0 [ 60.115474][ T5306] hci_event_packet+0xa55/0x1540 [ 60.117393][ T5306] hci_rx_work+0x3e8/0xca0 [ 60.119079][ T5306] process_scheduled_works+0xa63/0x1850 [ 60.121210][ T5306] worker_thread+0x870/0xd30 [ 60.122897][ T5306] kthread+0x2f0/0x390 [ 60.124436][ T5306] ret_from_fork+0x4b/0x80 [ 60.126161][ T5306] ret_from_fork_asm+0x1a/0x30 [ 60.127950][ T5306] [ 60.128828][ T5306] The buggy address belongs to the object at ffff88803c410000 [ 60.128828][ T5306] which belongs to the cache kmalloc-8k of size 8192 [ 60.133598][ T5306] The buggy address is located 0 bytes inside of [ 60.133598][ T5306] freed 8192-byte region [ffff88803c410000, ffff88803c412000) [ 60.138554][ T5306] [ 60.139456][ T5306] The buggy address belongs to the physical page: [ 60.141737][ T5306] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3c410 [ 60.144855][ T5306] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 60.147790][ T5306] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) [ 60.150521][ T5306] page_type: f5(slab) [ 60.152066][ T5306] raw: 04fff00000000040 ffff88801ac42280 ffffea00010be000 0000000000000002 [ 60.155265][ T5306] raw: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000 [ 60.158430][ T5306] head: 04fff00000000040 ffff88801ac42280 ffffea00010be000 0000000000000002 [ 60.161639][ T5306] head: 0000000000000000 0000000080020002 00000001f5000000 0000000000000000 [ 60.164817][ T5306] head: 04fff00000000003 ffffea0000f10401 ffffffffffffffff 0000000000000000 [ 60.167725][ T5306] head: ffff888000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 60.170655][ T5306] page dumped because: kasan: bad access detected [ 60.173095][ T5306] page_owner tracks the page as allocated [ 60.175094][ T5306] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5299, tgid 5299 (sh), ts 56662609251, free_ts 56655554939 [ 60.181898][ T5306] post_alloc_hook+0x1f3/0x230 [ 60.183712][ T5306] get_page_from_freelist+0x3649/0x3790 [ 60.185610][ T5306] __alloc_pages_noprof+0x292/0x710 [ 60.187639][ T5306] alloc_pages_mpol_noprof+0x3e8/0x680 [ 60.189731][ T5306] alloc_slab_page+0x6a/0x140 [ 60.191590][ T5306] allocate_slab+0x5a/0x2f0 [ 60.193327][ T5306] ___slab_alloc+0xcd1/0x14b0 [ 60.195152][ T5306] __slab_alloc+0x58/0xa0 [ 60.196753][ T5306] __kmalloc_cache_noprof+0x1d5/0x2c0 [ 60.198660][ T5306] tomoyo_init_log+0x11cd/0x2050 [ 60.200501][ T5306] tomoyo_supervisor+0x38a/0x11f0 [ 60.202384][ T5306] tomoyo_env_perm+0x178/0x210 [ 60.204208][ T5306] tomoyo_find_next_domain+0x146e/0x1d40 [ 60.206375][ T5306] tomoyo_bprm_check_security+0x114/0x180 [ 60.208549][ T5306] security_bprm_check+0x86/0x250 [ 60.210407][ T5306] bprm_execve+0xa56/0x1770 [ 60.212124][ T5306] page last free pid 5300 tgid 5300 stack trace: [ 60.214435][ T5306] free_unref_page+0xdf9/0x1140 [ 60.216213][ T5306] __put_partials+0xeb/0x130 [ 60.217895][ T5306] put_cpu_partial+0x17c/0x250 [ 60.219648][ T5306] __slab_free+0x2ea/0x3d0 [ 60.221273][ T5306] qlist_free_all+0x9a/0x140 [ 60.222799][ T5306] kasan_quarantine_reduce+0x14f/0x170 [ 60.224803][ T5306] __kasan_slab_alloc+0x23/0x80 [ 60.226614][ T5306] __kmalloc_noprof+0x1a6/0x400 [ 60.228586][ T5306] tomoyo_realpath_from_path+0xcf/0x5e0 [ 60.230532][ T5306] tomoyo_path_perm+0x2b7/0x740 [ 60.232286][ T5306] security_file_truncate+0xac/0x250 [ 60.234129][ T5306] path_openat+0x2dc2/0x3590 [ 60.235776][ T5306] do_filp_open+0x235/0x490 [ 60.237373][ T5306] do_sys_openat2+0x13e/0x1d0 [ 60.239026][ T5306] __x64_sys_openat+0x247/0x2a0 [ 60.240762][ T5306] do_syscall_64+0xf3/0x230 [ 60.242410][ T5306] [ 60.243327][ T5306] Memory state around the buggy address: [ 60.245363][ T5306] ffff88803c40ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 60.248224][ T5306] ffff88803c40ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 60.250876][ T5306] >ffff88803c410000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 60.253883][ T5306] ^ [ 60.255468][ T5306] ffff88803c410080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 60.258363][ T5306] ffff88803c410100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 60.261473][ T5306] ================================================================== [ 60.275393][ T5306] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 60.278134][ T5306] CPU: 0 UID: 0 PID: 5306 Comm: kworker/u5:2 Tainted: G W 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 [ 60.282884][ T5306] Tainted: [W]=WARN [ 60.284225][ T5306] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 60.288185][ T5306] Workqueue: hci0 hci_rx_work [ 60.289746][ T5306] Call Trace: [ 60.290889][ T5306] [ 60.291995][ T5306] dump_stack_lvl+0x241/0x360 [ 60.293912][ T5306] ? __pfx_dump_stack_lvl+0x10/0x10 [ 60.295890][ T5306] ? __pfx__printk+0x10/0x10 [ 60.297608][ T5306] ? rcu_is_watching+0x15/0xb0 [ 60.299313][ T5306] ? preempt_schedule+0xe1/0xf0 [ 60.301110][ T5306] ? vscnprintf+0x5d/0x90 [ 60.302735][ T5306] panic+0x349/0x880 [ 60.304309][ T5306] ? check_panic_on_warn+0x21/0xb0 [ 60.306169][ T5306] ? __pfx_panic+0x10/0x10 [ 60.307907][ T5306] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 60.310114][ T5306] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 60.312401][ T5306] ? print_report+0x502/0x550 [ 60.314037][ T5306] check_panic_on_warn+0x86/0xb0 [ 60.315810][ T5306] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 60.318008][ T5306] end_report+0x77/0x160 [ 60.319352][ T5306] kasan_report+0x154/0x180 [ 60.320990][ T5306] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 60.323234][ T5306] hci_le_create_big_complete_evt+0x383/0xae0 [ 60.325428][ T5306] ? __copy_skb_header+0x437/0x5b0 [ 60.327227][ T5306] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 60.329280][ T5306] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 60.331723][ T5306] ? hci_le_meta_evt+0x366/0x580 [ 60.333430][ T5306] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 60.335661][ T5306] hci_event_packet+0xa55/0x1540 [ 60.337399][ T5306] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 60.339401][ T5306] ? __pfx_hci_event_packet+0x10/0x10 [ 60.341263][ T5306] ? do_raw_spin_unlock+0x58/0x8b0 [ 60.343181][ T5306] ? hci_send_to_monitor+0xd8/0x7f0 [ 60.345136][ T5306] ? kcov_remote_start+0x97/0x7d0 [ 60.347024][ T5306] hci_rx_work+0x3e8/0xca0 [ 60.348649][ T5306] ? process_scheduled_works+0x976/0x1850 [ 60.350730][ T5306] process_scheduled_works+0xa63/0x1850 [ 60.352799][ T5306] ? __pfx_process_scheduled_works+0x10/0x10 [ 60.354986][ T5306] ? assign_work+0x364/0x3d0 [ 60.356738][ T5306] worker_thread+0x870/0xd30 [ 60.358522][ T5306] ? __kthread_parkme+0x169/0x1d0 [ 60.360375][ T5306] ? __pfx_worker_thread+0x10/0x10 [ 60.362282][ T5306] kthread+0x2f0/0x390 [ 60.363739][ T5306] ? __pfx_worker_thread+0x10/0x10 [ 60.365574][ T5306] ? __pfx_kthread+0x10/0x10 [ 60.367305][ T5306] ret_from_fork+0x4b/0x80 [ 60.368882][ T5306] ? __pfx_kthread+0x10/0x10 [ 60.370265][ T5306] ret_from_fork_asm+0x1a/0x30 [ 60.371919][ T5306] [ 60.373288][ T5306] Kernel Offset: disabled [ 60.374778][ T5306] Rebooting in 86400 seconds..