program: syz_mount_image$ext4(&(0x7f0000000180)='ext4\x00', &(0x7f0000000080)='./file0\x00', 0x22000406, &(0x7f0000000900)={[{@dioread_lock}, {@noblock_validity}, {@data_err_abort}, {@init_itable}, {@auto_da_alloc}, {@grpjquota, 0x2e}, {@nouid32}, {@errors_remount}, {@jqfmt_vfsv1}, {@grpid}], [], 0x2c}, 0x84, 0x4c2, &(0x7f0000000980)="$eJzs3M1vG0UbAPBnN02afibtW73QD6ihICIKSZMW6IEDIJB6ASHBoRxDGqrStEVNkGhV0YBQOSL+AuCIhMSJCyeQEAIugLjCHSFVqJcWDsho7d3EbmzHTpqY1r+ftPbM7uzOPrM79nrHdgA9q5Q9JBFbI+LXiBiqZusLlKpPN65dmvrr2qWpJMrll/5MKuWuX7s0VRQt1tuSZ0bSiPS9JPY2qHf2wsXTkzMz0+fz/NjcmTfGZi9cfPTUmcmT0yenz04cPXrk8PgTj0881lYcl5dZnsV1fc/b5/btPvbKh89PlePV7z/L9ndrvrw2jqrhtuptpRSlKOcW5w5UHh9c9db/W7bVpJMNXdwROtIXEdnh6q/0/6Hoi8WDNxTPvbuQ+aZLOwismey9aceSuX35c7rw/gXciRJ9HHpU8Y6fff4tpvW8/ui2q09nj9OV+G/k048vVNsmzT7LDlc/sfc1Wf//DeYNLibLQ8vUvzUijs///VE2RcP7EC0kbZcEAFjwVXb980ij67+07tpmez6GMhwRByNiZ0T8LyJ2RbpQ5q6IuLvD+ks35Zde//y8qcNNdiS7/nsyH9sqpuqSIq5kIbetEn9/8tqpmelDeZuMRP/GLD/eoo6vn/3lg2bLSjXXf9mU1V9cC+b78ceGjfXrnJicm1xFyHWuvhOxZ0Oj+JOFkYCsBXZHxJ4VbD9rs1MPf7ovS2/fsnT58vG3cAvGmcqfRDxUPf7zcVP8haRaU7PxybHBmJk+NFacFUv98NOVF2vz/TXpuvgH24tpcKXBNpAd/80Nz/88/qIbFOO1s53XceW395t+pll6/JM4Pl9bIj//Ny02W3b+DyQvV9ID+by3Jufmzo9HDOQz6uZPLG6tyBfls/hHDjTu/zsj/vk4X29vRGQn8T0RcW9E7M/3/b6IuD8iDrSI/7tnHni9dQut8Py/BbL4T7Q6/hHDSe14/QoSfae//bJZ/e29/h2ppEbyOe28/rW7g6tpOwAAALhdpJUx6CQdLdI1N6d2xeZ05tzs3MFSvHn2RHWsejj60+JO11DN/dDx/N5wkZ+4KX84InZUvmm0qZIfnTo3s62bgQOV3+rU9f9I09HR6rLfm33pBbhzdDSOVvuls8+/uPU7A6wrv9eE3qX/Q+/S/6F36f/Quxr1/8sRN7qwK8A68/4PvUv/h96l/0Pv0v+hJy39SXzxdysr+aX/YmLnsVWtvuaJ8tCabHm+87X61ijSqP3TjqaJJCJWVkWkrcsMtFF71xLpsmWeWq5Z+lf1nxhZYn+e2BgR7a51ed1atXiFSPzLJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcFv7NwAA//8Aq+SG") r0 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000480)={0x1c, 0x34, &(0x7f00000001c0)=@ringbuf={{0x18, 0x0, 0x0, 0x0, 0xe9, 0x0, 0x0, 0x0, 0x80000}, {{0x18, 0x1, 0x1, 0x0, r0}}, {}, [@ringbuf_output={{0x18, 0x1, 0x1, 0x0, r0}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0xb}}, @generic={0x7f, 0xc, 0x2, 0x1, 0x66f3}, @map_val={0x18, 0x3, 0x2, 0x0, r0, 0x0, 0x0, 0x0, 0x80000000}, @snprintf={{}, {}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x1}, {}, {}, {}, {}, {}, {}, {0x18, 0x3, 0x2, 0x0, r0}}, @jmp={0x5, 0x1, 0x0, 0x8, 0x8, 0xfffffffffffffffe}, @tail_call={{0x18, 0x2, 0x1, 0x0, r0}}, @btf_id={0x18, 0x7, 0x3, 0x0, 0x2}, @map_fd={0x18, 0x5, 0x1, 0x0, r0}, @initr0={0x18, 0x0, 0x0, 0x0, 0x7, 0x0, 0x0, 0x0, 0x8}], {{}, {0x7, 0x0, 0xb, 0x2, 0x0, 0x0, 0x1}, {0x85, 0x0, 0x0, 0x85}}}, &(0x7f0000000000)='syzkaller\x00', 0x7, 0x5f, &(0x7f0000000100)=""/95, 0x41000, 0xf, '\x00', 0x0, @fallback=0x2b, r0, 0x8, &(0x7f0000000040)={0xa, 0x4}, 0x8, 0x10, &(0x7f0000000380)={0x3, 0xd, 0x2}, 0x10, 0x0, 0xffffffffffffffff, 0x8, &(0x7f00000003c0)=[r0, r0, r0, r0, r0, r0, r0], &(0x7f0000000400)=[{0x2, 0x5, 0x6, 0x4}, {0x0, 0x2, 0x6, 0x2}, {0x1, 0x4, 0x10, 0x7}, {0x0, 0x2, 0xc, 0x5}, {0x5, 0x5, 0xa}, {0x5, 0x4, 0x10}, {0x2, 0x3, 0x0, 0x9}, {0x1, 0x5, 0x5, 0x3}], 0x10, 0x9, @void, @value}, 0x94) r2 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_802154(0xffffffffffffffff, 0x8933, 0x0) r3 = socket(0x11, 0x800000003, 0x0) ioctl$ifreq_SIOCGIFINDEX_team(r3, 0x8933, &(0x7f0000000600)={'team0\x00', 0x0}) r5 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r5, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000780)={&(0x7f00000003c0)=@newqdisc={0x78, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x12, r4, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_netem={{0xa}, {0x48, 0x2, {{}, [@TCA_NETEM_SLOT={0x2c}]}}}]}, 0x78}}, 0x0) sendmsg$IEEE802154_LLSEC_ADD_DEV(r2, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x4, 0x700000000000000}, 0x0) write$binfmt_elf32(0xffffffffffffffff, 0x0, 0xfffffffffffffc7e) bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0x6, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b708"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="043e751d"], 0x24) syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="043e1f1b"], 0x22) close_range(r1, r0, 0x2) getdents(r0, 0x0, 0x0) [ 58.515698][ T5320] loop0: detected capacity change from 0 to 512 [ 58.538725][ T5304] Bluetooth: hci0: command tx timeout [ 58.541503][ T5320] EXT4-fs warning (device loop0): dx_probe:878: Directory (ino: 2) htree depth 0x0002 exceedsupported value [ 58.545986][ T5320] EXT4-fs warning (device loop0): dx_probe:881: Enable large directory feature to access it [ 58.567929][ T5320] EXT4-fs warning (device loop0): dx_probe:966: inode #2: comm syz.0.0: Corrupt directory, running e2fsck is recommended [ 58.574145][ T5320] EXT4-fs (loop0): Cannot turn on journaled quota: type 1: error -117 [ 58.578367][ T5320] EXT4-fs error (device loop0): ext4_xattr_ibody_find:2240: inode #15: comm syz.0.0: corrupted in-inode xattr: invalid ea_ino [ 58.583957][ T5320] EXT4-fs (loop0): Remounting filesystem read-only [ 58.588297][ T5320] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback. [ 58.650676][ T5304] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585 [ 58.654158][ T5304] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5304, name: kworker/u5:2 [ 58.658196][ T5304] preempt_count: 0, expected: 0 [ 58.659943][ T5304] RCU nest depth: 1, expected: 0 [ 58.661663][ T5304] 4 locks held by kworker/u5:2/5304: [ 58.663571][ T5304] #0: ffff888043e06948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 [ 58.667711][ T5304] #1: ffffc9000d15fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 [ 58.672091][ T5304] #2: ffff88804ec78078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xcf/0xae0 [ 58.676130][ T5304] #3: ffffffff8e939f60 (rcu_read_lock){....}-{1:2}, at: hci_le_create_big_complete_evt+0xdb/0xae0 [ 58.681209][ T5304] CPU: 0 UID: 0 PID: 5304 Comm: kworker/u5:2 Not tainted 6.12.0-syzkaller-00971-g158f238aa69d #0 [ 58.685348][ T5304] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 58.689404][ T5304] Workqueue: hci0 hci_rx_work [ 58.691205][ T5304] Call Trace: [ 58.692471][ T5304] [ 58.693663][ T5304] dump_stack_lvl+0x241/0x360 [ 58.695471][ T5304] ? __pfx_dump_stack_lvl+0x10/0x10 [ 58.697405][ T5304] ? __pfx__printk+0x10/0x10 [ 58.699167][ T5304] __might_resched+0x5d4/0x780 [ 58.701035][ T5304] ? __mutex_lock+0x112/0xd70 [ 58.702777][ T5304] ? __pfx___might_resched+0x10/0x10 [ 58.704812][ T5304] __mutex_lock+0xc1/0xd70 [ 58.706615][ T5304] ? __pfx_lock_acquire+0x10/0x10 [ 58.708891][ T5304] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 58.711358][ T5304] ? __pfx_lock_release+0x10/0x10 [ 58.713368][ T5304] ? __pfx___mutex_lock+0x10/0x10 [ 58.715324][ T5304] ? trace_contention_end+0x3c/0x120 [ 58.717273][ T5304] ? skb_pull_data+0x112/0x230 [ 58.719122][ T5304] ? hci_conn_set_handle+0x9a/0x270 [ 58.721162][ T5304] hci_le_create_big_complete_evt+0x3d9/0xae0 [ 58.723553][ T5304] ? __copy_skb_header+0x437/0x5b0 [ 58.725516][ T5304] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 58.727946][ T5304] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 58.730469][ T5304] ? hci_le_meta_evt+0x366/0x580 [ 58.732380][ T5304] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 58.734939][ T5304] hci_event_packet+0xa55/0x1540 [ 58.736993][ T5304] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 58.739048][ T5304] ? __pfx_hci_event_packet+0x10/0x10 [ 58.741135][ T5304] ? do_raw_spin_unlock+0x58/0x8b0 [ 58.743097][ T5304] ? hci_send_to_monitor+0xd8/0x7f0 [ 58.745169][ T5304] ? kcov_remote_start+0x97/0x7d0 [ 58.747116][ T5304] hci_rx_work+0x3e8/0xca0 [ 58.748871][ T5304] ? process_scheduled_works+0x976/0x1850 [ 58.751060][ T5304] process_scheduled_works+0xa63/0x1850 [ 58.753193][ T5304] ? __pfx_process_scheduled_works+0x10/0x10 [ 58.755344][ T5304] ? assign_work+0x364/0x3d0 [ 58.757142][ T5304] worker_thread+0x870/0xd30 [ 58.758749][ T5304] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 58.760816][ T5304] ? __kthread_parkme+0x169/0x1d0 [ 58.762615][ T5304] ? __pfx_worker_thread+0x10/0x10 [ 58.764644][ T5304] kthread+0x2f0/0x390 [ 58.766178][ T5304] ? __pfx_worker_thread+0x10/0x10 [ 58.768134][ T5304] ? __pfx_kthread+0x10/0x10 [ 58.769915][ T5304] ret_from_fork+0x4b/0x80 [ 58.771689][ T5304] ? __pfx_kthread+0x10/0x10 [ 58.773508][ T5304] ret_from_fork_asm+0x1a/0x30 [ 58.775412][ T5304] [ 58.781499][ T5304] [ 58.782478][ T5304] ============================= [ 58.784335][ T5304] [ BUG: Invalid wait context ] [ 58.786214][ T5304] 6.12.0-syzkaller-00971-g158f238aa69d #0 Tainted: G W [ 58.789323][ T5304] ----------------------------- [ 58.791083][ T5304] kworker/u5:2/5304 is trying to lock: [ 58.793179][ T5304] ffffffff8fe472a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0x3d9/0xae0 [ 58.797277][ T5304] other info that might help us debug this: [ 58.799485][ T5304] context-{4:4} [ 58.800826][ T5304] 4 locks held by kworker/u5:2/5304: [ 58.802765][ T5304] #0: ffff888043e06948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 [ 58.806718][ T5304] #1: ffffc9000d15fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 [ 58.811031][ T5304] #2: ffff88804ec78078 (&hdev->lock){+.+.}-{3:3}, at: hci_le_create_big_complete_evt+0xcf/0xae0 [ 58.814985][ T5304] #3: ffffffff8e939f60 (rcu_read_lock){....}-{1:2}, at: hci_le_create_big_complete_evt+0xdb/0xae0 [ 58.818898][ T5304] stack backtrace: [ 58.820366][ T5304] CPU: 0 UID: 0 PID: 5304 Comm: kworker/u5:2 Tainted: G W 6.12.0-syzkaller-00971-g158f238aa69d #0 [ 58.824816][ T5304] Tainted: [W]=WARN [ 58.826306][ T5304] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 58.830211][ T5304] Workqueue: hci0 hci_rx_work [ 58.832008][ T5304] Call Trace: [ 58.833248][ T5304] [ 58.834362][ T5304] dump_stack_lvl+0x241/0x360 [ 58.836126][ T5304] ? __pfx_dump_stack_lvl+0x10/0x10 [ 58.837991][ T5304] ? __pfx__printk+0x10/0x10 [ 58.839572][ T5304] __lock_acquire+0x154a/0x2050 [ 58.841403][ T5304] lock_acquire+0x1ed/0x550 [ 58.843257][ T5304] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 58.846035][ T5304] ? __pfx_lock_acquire+0x10/0x10 [ 58.848030][ T5304] ? __mutex_lock+0x112/0xd70 [ 58.849863][ T5304] ? __pfx___might_resched+0x10/0x10 [ 58.851953][ T5304] __mutex_lock+0x136/0xd70 [ 58.853575][ T5304] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 58.855917][ T5304] ? __pfx_lock_acquire+0x10/0x10 [ 58.857758][ T5304] ? hci_le_create_big_complete_evt+0x3d9/0xae0 [ 58.860145][ T5304] ? __pfx_lock_release+0x10/0x10 [ 58.861999][ T5304] ? __pfx___mutex_lock+0x10/0x10 [ 58.863940][ T5304] ? trace_contention_end+0x3c/0x120 [ 58.865950][ T5304] ? skb_pull_data+0x112/0x230 [ 58.867743][ T5304] ? hci_conn_set_handle+0x9a/0x270 [ 58.869693][ T5304] hci_le_create_big_complete_evt+0x3d9/0xae0 [ 58.872083][ T5304] ? __copy_skb_header+0x437/0x5b0 [ 58.874075][ T5304] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 58.876481][ T5304] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 58.878925][ T5304] ? hci_le_meta_evt+0x366/0x580 [ 58.880837][ T5304] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 58.883368][ T5304] hci_event_packet+0xa55/0x1540 [ 58.885592][ T5304] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 58.888170][ T5304] ? __pfx_hci_event_packet+0x10/0x10 [ 58.890423][ T5304] ? do_raw_spin_unlock+0x58/0x8b0 [ 58.892367][ T5304] ? hci_send_to_monitor+0xd8/0x7f0 [ 58.894412][ T5304] ? kcov_remote_start+0x97/0x7d0 [ 58.896485][ T5304] hci_rx_work+0x3e8/0xca0 [ 58.898217][ T5304] ? process_scheduled_works+0x976/0x1850 [ 58.900463][ T5304] process_scheduled_works+0xa63/0x1850 [ 58.902592][ T5304] ? __pfx_process_scheduled_works+0x10/0x10 [ 58.904945][ T5304] ? assign_work+0x364/0x3d0 [ 58.906730][ T5304] worker_thread+0x870/0xd30 [ 58.908526][ T5304] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 58.910847][ T5304] ? __kthread_parkme+0x169/0x1d0 [ 58.912781][ T5304] ? __pfx_worker_thread+0x10/0x10 [ 58.914698][ T5304] kthread+0x2f0/0x390 [ 58.916356][ T5304] ? __pfx_worker_thread+0x10/0x10 [ 58.918302][ T5304] ? __pfx_kthread+0x10/0x10 [ 58.920120][ T5304] ret_from_fork+0x4b/0x80 [ 58.921895][ T5304] ? __pfx_kthread+0x10/0x10 [ 58.923765][ T5304] ret_from_fork_asm+0x1a/0x30 [ 58.925677][ T5304] [ 58.934278][ T5304] ================================================================== [ 58.937506][ T5304] BUG: KASAN: slab-use-after-free in hci_le_create_big_complete_evt+0x383/0xae0 [ 58.941069][ T5304] Read of size 8 at addr ffff888043e28000 by task kworker/u5:2/5304 [ 58.944075][ T5304] [ 58.945058][ T5304] CPU: 0 UID: 0 PID: 5304 Comm: kworker/u5:2 Tainted: G W 6.12.0-syzkaller-00971-g158f238aa69d #0 [ 58.949800][ T5304] Tainted: [W]=WARN [ 58.951383][ T5304] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 58.955414][ T5304] Workqueue: hci0 hci_rx_work [ 58.957260][ T5304] Call Trace: [ 58.958635][ T5304] [ 58.959848][ T5304] dump_stack_lvl+0x241/0x360 [ 58.961781][ T5304] ? __pfx_dump_stack_lvl+0x10/0x10 [ 58.964929][ T5304] ? __pfx__printk+0x10/0x10 [ 58.966791][ T5304] ? _printk+0xd5/0x120 [ 58.968452][ T5304] ? __virt_addr_valid+0x183/0x530 [ 58.970471][ T5304] ? __virt_addr_valid+0x183/0x530 [ 58.972469][ T5304] print_report+0x169/0x550 [ 58.974223][ T5304] ? __virt_addr_valid+0x183/0x530 [ 58.976262][ T5304] ? __virt_addr_valid+0x183/0x530 [ 58.978156][ T5304] ? __virt_addr_valid+0x45f/0x530 [ 58.980130][ T5304] ? __phys_addr+0xba/0x170 [ 58.981822][ T5304] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 58.984211][ T5304] kasan_report+0x143/0x180 [ 58.985966][ T5304] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 58.988324][ T5304] hci_le_create_big_complete_evt+0x383/0xae0 [ 58.990749][ T5304] ? __copy_skb_header+0x437/0x5b0 [ 58.992583][ T5304] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 58.994883][ T5304] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 58.997379][ T5304] ? hci_le_meta_evt+0x366/0x580 [ 58.999229][ T5304] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 59.001751][ T5304] hci_event_packet+0xa55/0x1540 [ 59.003649][ T5304] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 59.005641][ T5304] ? __pfx_hci_event_packet+0x10/0x10 [ 59.008021][ T5304] ? do_raw_spin_unlock+0x58/0x8b0 [ 59.009924][ T5304] ? hci_send_to_monitor+0xd8/0x7f0 [ 59.011895][ T5304] ? kcov_remote_start+0x97/0x7d0 [ 59.013812][ T5304] hci_rx_work+0x3e8/0xca0 [ 59.015536][ T5304] ? process_scheduled_works+0x976/0x1850 [ 59.017699][ T5304] process_scheduled_works+0xa63/0x1850 [ 59.019833][ T5304] ? __pfx_process_scheduled_works+0x10/0x10 [ 59.022152][ T5304] ? assign_work+0x364/0x3d0 [ 59.023939][ T5304] worker_thread+0x870/0xd30 [ 59.025690][ T5304] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 59.027907][ T5304] ? __kthread_parkme+0x169/0x1d0 [ 59.029775][ T5304] ? __pfx_worker_thread+0x10/0x10 [ 59.031783][ T5304] kthread+0x2f0/0x390 [ 59.033381][ T5304] ? __pfx_worker_thread+0x10/0x10 [ 59.035319][ T5304] ? __pfx_kthread+0x10/0x10 [ 59.037076][ T5304] ret_from_fork+0x4b/0x80 [ 59.038721][ T5304] ? __pfx_kthread+0x10/0x10 [ 59.040386][ T5304] ret_from_fork_asm+0x1a/0x30 [ 59.042136][ T5304] [ 59.043264][ T5304] [ 59.044173][ T5304] Allocated by task 5304: [ 59.045810][ T5304] kasan_save_track+0x3f/0x80 [ 59.047544][ T5304] __kasan_kmalloc+0x98/0xb0 [ 59.049237][ T5304] __kmalloc_cache_noprof+0x19c/0x2c0 [ 59.051174][ T5304] __hci_conn_add+0x2f9/0x1850 [ 59.052964][ T5304] hci_le_big_sync_established_evt+0x414/0xc20 [ 59.055379][ T5304] hci_event_packet+0xa55/0x1540 [ 59.057298][ T5304] hci_rx_work+0x3e8/0xca0 [ 59.059013][ T5304] process_scheduled_works+0xa63/0x1850 [ 59.061161][ T5304] worker_thread+0x870/0xd30 [ 59.063026][ T5304] kthread+0x2f0/0x390 [ 59.064900][ T5304] ret_from_fork+0x4b/0x80 [ 59.066937][ T5304] ret_from_fork_asm+0x1a/0x30 [ 59.069055][ T5304] [ 59.070106][ T5304] Freed by task 5304: [ 59.071870][ T5304] kasan_save_track+0x3f/0x80 [ 59.073801][ T5304] kasan_save_free_info+0x40/0x50 [ 59.075733][ T5304] __kasan_slab_free+0x59/0x70 [ 59.077510][ T5304] kfree+0x1a0/0x440 [ 59.078923][ T5304] device_release+0x99/0x1c0 [ 59.080611][ T5304] kobject_put+0x22f/0x480 [ 59.082096][ T5304] hci_conn_del+0x8c4/0xc40 [ 59.083687][ T5304] hci_le_create_big_complete_evt+0x619/0xae0 [ 59.085756][ T5304] hci_event_packet+0xa55/0x1540 [ 59.087550][ T5304] hci_rx_work+0x3e8/0xca0 [ 59.089213][ T5304] process_scheduled_works+0xa63/0x1850 [ 59.091315][ T5304] worker_thread+0x870/0xd30 [ 59.092993][ T5304] kthread+0x2f0/0x390 [ 59.094606][ T5304] ret_from_fork+0x4b/0x80 [ 59.096409][ T5304] ret_from_fork_asm+0x1a/0x30 [ 59.098267][ T5304] [ 59.099302][ T5304] The buggy address belongs to the object at ffff888043e28000 [ 59.099302][ T5304] which belongs to the cache kmalloc-8k of size 8192 [ 59.104503][ T5304] The buggy address is located 0 bytes inside of [ 59.104503][ T5304] freed 8192-byte region [ffff888043e28000, ffff888043e2a000) [ 59.109517][ T5304] [ 59.110402][ T5304] The buggy address belongs to the physical page: [ 59.112917][ T5304] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x43e28 [ 59.116402][ T5304] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 59.119634][ T5304] anon flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) [ 59.122580][ T5304] page_type: f5(slab) [ 59.124079][ T5304] raw: 04fff00000000040 ffff88801ac42280 0000000000000000 0000000000000001 [ 59.127305][ T5304] raw: 0000000000000000 0000000000020002 00000001f5000000 0000000000000000 [ 59.130104][ T5304] head: 04fff00000000040 ffff88801ac42280 0000000000000000 0000000000000001 [ 59.132930][ T5304] head: 0000000000000000 0000000000020002 00000001f5000000 0000000000000000 [ 59.135831][ T5304] head: 04fff00000000003 ffffea00010f8a01 ffffffffffffffff 0000000000000000 [ 59.138736][ T5304] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 [ 59.141777][ T5304] page dumped because: kasan: bad access detected [ 59.144267][ T5304] page_owner tracks the page as allocated [ 59.146269][ T5304] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5299, tgid 5299 (sh), ts 55519835313, free_ts 55517827472 [ 59.153640][ T5304] post_alloc_hook+0x1f3/0x230 [ 59.155511][ T5304] get_page_from_freelist+0x3649/0x3790 [ 59.157663][ T5304] __alloc_pages_noprof+0x292/0x710 [ 59.159641][ T5304] alloc_pages_mpol_noprof+0x3e8/0x680 [ 59.161756][ T5304] alloc_slab_page+0x6a/0x140 [ 59.163609][ T5304] allocate_slab+0x5a/0x2f0 [ 59.165370][ T5304] ___slab_alloc+0xcd1/0x14b0 [ 59.167203][ T5304] __slab_alloc+0x58/0xa0 [ 59.168877][ T5304] __kmalloc_cache_noprof+0x1d5/0x2c0 [ 59.170888][ T5304] tomoyo_init_log+0x11cd/0x2050 [ 59.172817][ T5304] tomoyo_supervisor+0x38a/0x11f0 [ 59.174764][ T5304] tomoyo_env_perm+0x178/0x210 [ 59.176492][ T5304] tomoyo_find_next_domain+0x146e/0x1d40 [ 59.178632][ T5304] tomoyo_bprm_check_security+0x114/0x180 [ 59.180836][ T5304] security_bprm_check+0x86/0x250 [ 59.182634][ T5304] bprm_execve+0xa56/0x1770 [ 59.184448][ T5304] page last free pid 5299 tgid 5299 stack trace: [ 59.186815][ T5304] free_unref_page+0xdf9/0x1140 [ 59.188587][ T5304] __put_partials+0xeb/0x130 [ 59.190326][ T5304] put_cpu_partial+0x17c/0x250 [ 59.192087][ T5304] __slab_free+0x2ea/0x3d0 [ 59.193783][ T5304] qlist_free_all+0x9a/0x140 [ 59.195486][ T5304] kasan_quarantine_reduce+0x14f/0x170 [ 59.197581][ T5304] __kasan_slab_alloc+0x23/0x80 [ 59.199432][ T5304] kmem_cache_alloc_noprof+0x135/0x2a0 [ 59.201539][ T5304] __se_sys_getcwd+0xb3/0x890 [ 59.203569][ T5304] do_syscall_64+0xf3/0x230 [ 59.205343][ T5304] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 59.207663][ T5304] [ 59.208723][ T5304] Memory state around the buggy address: [ 59.210742][ T5304] ffff888043e27f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 59.213630][ T5304] ffff888043e27f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 59.216399][ T5304] >ffff888043e28000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.219047][ T5304] ^ [ 59.220608][ T5304] ffff888043e28080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.223618][ T5304] ffff888043e28100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.226411][ T5304] ================================================================== [ 59.232978][ T5326] EXT4-fs warning (device loop0): dx_probe:878: Directory (ino: 2) htree depth 0x0002 exceedsupported value [ 59.244448][ T5304] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 59.247289][ T5304] CPU: 0 UID: 0 PID: 5304 Comm: kworker/u5:2 Tainted: G W 6.12.0-syzkaller-00971-g158f238aa69d #0 [ 59.251435][ T5304] Tainted: [W]=WARN [ 59.252811][ T5304] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 59.256853][ T5304] Workqueue: hci0 hci_rx_work [ 59.258656][ T5304] Call Trace: [ 59.259940][ T5304] [ 59.261038][ T5304] dump_stack_lvl+0x241/0x360 [ 59.262789][ T5304] ? __pfx_dump_stack_lvl+0x10/0x10 [ 59.264725][ T5304] ? __pfx__printk+0x10/0x10 [ 59.266418][ T5304] ? rcu_is_watching+0x15/0xb0 [ 59.268276][ T5304] ? preempt_schedule+0xe1/0xf0 [ 59.270019][ T5304] ? vscnprintf+0x5d/0x90 [ 59.271656][ T5304] panic+0x349/0x880 [ 59.273106][ T5304] ? check_panic_on_warn+0x21/0xb0 [ 59.275009][ T5304] ? __pfx_panic+0x10/0x10 [ 59.276658][ T5304] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 59.278798][ T5304] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 59.281100][ T5304] ? print_report+0x502/0x550 [ 59.282792][ T5304] check_panic_on_warn+0x86/0xb0 [ 59.284653][ T5304] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 59.287044][ T5304] end_report+0x77/0x160 [ 59.288633][ T5304] kasan_report+0x154/0x180 [ 59.290452][ T5304] ? hci_le_create_big_complete_evt+0x383/0xae0 [ 59.292848][ T5304] hci_le_create_big_complete_evt+0x383/0xae0 [ 59.295370][ T5304] ? __copy_skb_header+0x437/0x5b0 [ 59.297391][ T5304] ? hci_le_create_big_complete_evt+0xdb/0xae0 [ 59.299747][ T5304] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 59.302289][ T5304] ? hci_le_meta_evt+0x366/0x580 [ 59.304142][ T5304] ? __pfx_hci_le_create_big_complete_evt+0x10/0x10 [ 59.306597][ T5304] hci_event_packet+0xa55/0x1540 [ 59.308456][ T5304] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 59.310458][ T5304] ? __pfx_hci_event_packet+0x10/0x10 [ 59.312436][ T5304] ? do_raw_spin_unlock+0x58/0x8b0 [ 59.314352][ T5304] ? hci_send_to_monitor+0xd8/0x7f0 [ 59.316300][ T5304] ? kcov_remote_start+0x97/0x7d0 [ 59.318193][ T5304] hci_rx_work+0x3e8/0xca0 [ 59.319900][ T5304] ? process_scheduled_works+0x976/0x1850 [ 59.321966][ T5304] process_scheduled_works+0xa63/0x1850 [ 59.324022][ T5304] ? __pfx_process_scheduled_works+0x10/0x10 [ 59.326280][ T5304] ? assign_work+0x364/0x3d0 [ 59.328022][ T5304] worker_thread+0x870/0xd30 [ 59.329800][ T5304] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 59.332026][ T5304] ? __kthread_parkme+0x169/0x1d0 [ 59.333985][ T5304] ? __pfx_worker_thread+0x10/0x10 [ 59.336097][ T5304] kthread+0x2f0/0x390 [ 59.337687][ T5304] ? __pfx_worker_thread+0x10/0x10 [ 59.339561][ T5304] ? __pfx_kthread+0x10/0x10 [ 59.341158][ T5304] ret_from_fork+0x4b/0x80 [ 59.342842][ T5304] ? __pfx_kthread+0x10/0x10 [ 59.344539][ T5304] ret_from_fork_asm+0x1a/0x30 [ 59.346417][ T5304] [ 59.347867][ T5304] Kernel Offset: disabled [ 59.349438][ T5304] Rebooting in 86400 seconds..