program: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000580)={&(0x7f0000000000)=ANY=[@ANYBLOB="3c00000010000304007f00"/20, @ANYRES32=0x0, @ANYBLOB="09000000004000001c00128009000100626f6e64000000000c00028008001300feffffff"], 0x3c}, 0x1, 0xba01, 0x0, 0x4000}, 0x0) r1 = accept4$unix(0xffffffffffffffff, &(0x7f0000000340), &(0x7f00000003c0)=0x6e, 0x800) r2 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0) connect$bt_l2cap(r2, &(0x7f0000000080)={0x1f, 0x5, @any, 0x0, 0x1}, 0xe) bind$bt_l2cap(r2, &(0x7f0000000000)={0x1f, 0x0, @any, 0x4, 0x1}, 0xe) listen(r2, 0x3) syz_emit_vhci(&(0x7f0000000100)=ANY=[@ANYBLOB="043e130100c90001"], 0x16) recvmmsg$unix(r1, &(0x7f0000006480)=[{{&(0x7f0000000400), 0x6e, &(0x7f0000000780)=[{&(0x7f0000000480)=""/160, 0xa0}, {&(0x7f0000000540)=""/10, 0xa}, {&(0x7f00000005c0)=""/132, 0x84}, {&(0x7f0000000680)=""/241, 0xf1}], 0x4, &(0x7f00000007c0)=[@rights={{0x28, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x28, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}], 0x90}}, {{&(0x7f0000000880), 0x6e, &(0x7f0000000940)=[{&(0x7f0000000900)=""/55, 0x37}], 0x1}}, {{&(0x7f0000000980), 0x6e, &(0x7f0000001c00)=[{&(0x7f0000000a00)=""/72, 0x48}, {&(0x7f0000000a80)=""/162, 0xa2}, {&(0x7f0000000b40)=""/4096, 0x1000}, {&(0x7f0000001b40)=""/1, 0x1}, {&(0x7f0000001b80)=""/70, 0x46}], 0x5, &(0x7f0000001c80)=[@cred={{0x1c}}, @rights={{0x2c, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}], 0x50}}, {{&(0x7f0000001d00)=@abs, 0x6e, &(0x7f0000001f80)=[{&(0x7f0000001d80)=""/128, 0x80}, {&(0x7f0000001e00)=""/144, 0x90}, {&(0x7f0000001ec0)=""/142, 0x8e}], 0x3, &(0x7f0000001fc0)=[@rights={{0x18, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}], 0xd0}}, {{&(0x7f00000020c0), 0x6e, &(0x7f0000002280)=[{&(0x7f0000002140)=""/233, 0xe9}, {&(0x7f0000002240)}], 0x2, &(0x7f00000022c0)=[@rights={{0x20, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x34, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x24, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}], 0x100}}, {{&(0x7f00000023c0), 0x6e, &(0x7f00000037c0)=[{&(0x7f0000002440)=""/154, 0x9a}, {&(0x7f0000002500)=""/35, 0x23}, {&(0x7f0000002540)=""/4096, 0x1000}, {&(0x7f0000003540)=""/75, 0x4b}, {&(0x7f00000035c0)=""/171, 0xab}, {&(0x7f0000003680)}, {&(0x7f00000036c0)=""/146, 0x92}, {&(0x7f0000003780)=""/44, 0x2c}], 0x8, &(0x7f0000003840)=[@cred={{0x1c}}, @cred={{0x1c}}, @cred={{0x1c}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x30, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @cred={{0x1c}}, @rights={{0x1c, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}], 0x110}}, {{&(0x7f0000003980), 0x6e, &(0x7f0000003b40)=[{&(0x7f0000003a00)=""/186, 0xba}, {&(0x7f0000003ac0)=""/103, 0x67}], 0x2}}, {{&(0x7f0000003b80), 0x6e, &(0x7f0000004f40)=[{&(0x7f0000003c00)=""/4096, 0x1000}, {&(0x7f0000004c00)=""/124, 0x7c}, {&(0x7f0000004c80)=""/163, 0xa3}, {&(0x7f0000004d40)=""/182, 0xb6}, {&(0x7f0000004e00)=""/2, 0x2}, {&(0x7f0000004e40)=""/197, 0xc5}], 0x6, &(0x7f0000004fc0)=[@cred={{0x1c}}], 0x20}}, {{&(0x7f0000005000), 0x6e, &(0x7f0000006280)=[{&(0x7f0000005080)=""/65, 0x41}, {&(0x7f0000005100)=""/4096, 0x1000}, {&(0x7f0000006100)=""/220, 0xdc}, {&(0x7f0000006200)=""/98, 0x62}], 0x4, &(0x7f00000062c0)=[@rights={{0x34, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x20, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}], 0x58}}, {{&(0x7f0000006340)=@abs, 0x6e, &(0x7f00000063c0), 0x0, &(0x7f0000006400)=[@rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @rights={{0x28, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x18, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff]}}, @rights={{0x24, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}], 0x80}}], 0xa, 0x40, 0x0) sendmsg$nl_route(r0, &(0x7f0000000140)={&(0x7f0000000040)={0x10, 0x0, 0x0, 0x80000000}, 0xc, &(0x7f0000000100)={&(0x7f0000006700)=ANY=[@ANYBLOB="80000000200000012bbd7000fbdbdf250a80207ec90000000900010014000100fe880000000000000000000000000101080018004e244e2005001300fc00000005001600ff000000140001000000000000000000000000000000000108000f00ff0300001400020000000000000000000000ffff64010101080018004e234e249189e0871da64be4519a609b117ccfa804f574bc82a3844b5257d70fcfa4093ab0a32330f47223a309b9c85ac4392fc1abc45a9132a32d214d09cc9b274efc67935b1bf5df9918cad0abc51571b289ddc51e6b16af1156c2e073c8ad2c054a331e0d863c79a593c4aa5a08e4e8"], 0x80}, 0x1, 0x0, 0x0, 0xc000}, 0x810) ioctl$AUTOFS_DEV_IOCTL_READY(0xffffffffffffffff, 0xc0189376, &(0x7f00000002c0)={{0x1, 0x1, 0x18, r0, {0x8}}, './file0\x00'}) ioctl$DRM_IOCTL_WAIT_VBLANK(r4, 0xc018643a, &(0x7f0000000300)={0x1, 0x40, 0x3}) write(r3, &(0x7f0000002240)="72d6d5f4e9e284dddc672d2a740c1bca471d8f2d408e9e5119456cd033f50a68fa", 0x21) r5 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$NL80211_CMD_GET_COALESCE(r5, &(0x7f0000000240)={&(0x7f0000000180)={0x10, 0x0, 0x0, 0x40}, 0xc, &(0x7f0000000200)={&(0x7f00000001c0)={0x20, 0x0, 0x4, 0x70bd26, 0x25dfdbff, {{}, {@void, @void, @val={0xc, 0x99, {0xb, 0x6a}}}}, ["", "", ""]}, 0x20}, 0x1, 0x0, 0x0, 0x40840}, 0x4004800) [ 75.074028][ T46] Bluetooth: hci0: command tx timeout [ 75.150016][ T5342] bond1: option lp_interval: invalid value (18446744073709551614) [ 75.153763][ T5342] bond1: option lp_interval: allowed values 1 - 2147483647 [ 75.170574][ T5342] bond1 (unregistering): Released all slaves [ 75.201284][ T46] sysfs: cannot create duplicate filename '/devices/virtual/bluetooth/hci0/hci0:201' [ 75.208094][ T46] CPU: 0 UID: 0 PID: 46 Comm: kworker/u5:0 Not tainted syzkaller #0 PREEMPT(full) [ 75.208113][ T46] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.208121][ T46] Workqueue: hci0 hci_rx_work [ 75.208260][ T46] Call Trace: [ 75.208266][ T46] [ 75.208272][ T46] dump_stack_lvl+0xe8/0x150 [ 75.208290][ T46] sysfs_create_dir_ns+0x259/0x280 [ 75.208336][ T46] ? __pfx_sysfs_create_dir_ns+0x10/0x10 [ 75.208353][ T46] ? do_raw_spin_unlock+0x4d/0x240 [ 75.208371][ T46] kobject_add_internal+0x6ab/0xcc0 [ 75.208416][ T46] kobject_add+0x155/0x220 [ 75.208431][ T46] ? __pfx_kobject_add+0x10/0x10 [ 75.208444][ T46] ? _raw_spin_unlock+0x28/0x50 [ 75.208478][ T46] ? get_device_parent+0x366/0x3a0 [ 75.208497][ T46] device_add+0x408/0xb80 [ 75.208522][ T46] hci_conn_add_sysfs+0xd5/0x210 [ 75.208543][ T46] le_conn_complete_evt+0xf1d/0x1420 [ 75.208563][ T46] ? __pfx_le_conn_complete_evt+0x10/0x10 [ 75.208575][ T46] ? __mutex_unlock_slowpath+0x1a1/0x730 [ 75.208585][ T46] ? __asan_memcpy+0x40/0x70 [ 75.208601][ T46] ? __pfx___mutex_unlock_slowpath+0x10/0x10 [ 75.208611][ T46] ? skb_pull_data+0xfb/0x200 [ 75.208627][ T46] hci_le_conn_complete_evt+0x187/0x480 [ 75.208644][ T46] hci_event_packet+0x78f/0x1260 [ 75.208657][ T46] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 75.208670][ T46] ? __pfx_hci_event_packet+0x10/0x10 [ 75.208687][ T46] ? hci_send_to_monitor+0xe2/0x590 [ 75.208703][ T46] hci_rx_work+0x3ee/0x1060 [ 75.208718][ T46] ? process_scheduled_works+0x9ef/0x1770 [ 75.208732][ T46] process_scheduled_works+0xad1/0x1770 [ 75.208760][ T46] ? __pfx_process_scheduled_works+0x10/0x10 [ 75.208769][ T46] ? do_raw_spin_lock+0x121/0x290 [ 75.208794][ T46] worker_thread+0x8a0/0xda0 [ 75.208819][ T46] kthread+0x711/0x8a0 [ 75.208834][ T46] ? __pfx_worker_thread+0x10/0x10 [ 75.208845][ T46] ? __pfx_kthread+0x10/0x10 [ 75.208860][ T46] ? _raw_spin_unlock_irq+0x23/0x50 [ 75.208873][ T46] ? __pfx_kthread+0x10/0x10 [ 75.208911][ T46] ret_from_fork+0x510/0xa50 [ 75.208926][ T46] ? __pfx_ret_from_fork+0x10/0x10 [ 75.208935][ T46] ? __switch_to+0xc9e/0x1480 [ 75.208954][ T46] ? __pfx_kthread+0x10/0x10 [ 75.208969][ T46] ret_from_fork_asm+0x1a/0x30 [ 75.208993][ T46] [ 75.209099][ T46] kobject: kobject_add_internal failed for hci0:201 with -EEXIST, don't try to register things with the same name in the same directory. [ 75.319888][ T46] Bluetooth: hci0: failed to register connection device [ 75.345536][ T46] ================================================================== [ 75.348849][ T46] BUG: KASAN: slab-use-after-free in l2cap_connect_cfm+0x6d0/0x10e0 [ 75.352258][ T46] Read of size 8 at addr ffff88803ac53480 by task kworker/u5:0/46 [ 75.355318][ T46] [ 75.356424][ T46] CPU: 0 UID: 0 PID: 46 Comm: kworker/u5:0 Not tainted syzkaller #0 PREEMPT(full) [ 75.356438][ T46] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.356448][ T46] Workqueue: hci0 hci_rx_work [ 75.356464][ T46] Call Trace: [ 75.356470][ T46] [ 75.356474][ T46] dump_stack_lvl+0xe8/0x150 [ 75.356486][ T46] print_report+0xca/0x240 [ 75.356495][ T46] ? l2cap_connect_cfm+0x6d0/0x10e0 [ 75.356510][ T46] kasan_report+0x118/0x150 [ 75.356523][ T46] ? l2cap_connect_cfm+0x6d0/0x10e0 [ 75.356545][ T46] l2cap_connect_cfm+0x6d0/0x10e0 [ 75.356561][ T46] ? __pfx_l2cap_connect_cfm+0x10/0x10 [ 75.356575][ T46] ? __pfx_l2cap_connect_cfm+0x10/0x10 [ 75.356589][ T46] hci_connect_cfm+0x95/0x140 [ 75.356601][ T46] le_conn_complete_evt+0xf65/0x1420 [ 75.356616][ T46] ? __pfx_le_conn_complete_evt+0x10/0x10 [ 75.356628][ T46] ? __mutex_unlock_slowpath+0x1a1/0x730 [ 75.356638][ T46] ? __asan_memcpy+0x40/0x70 [ 75.356651][ T46] ? __pfx___mutex_unlock_slowpath+0x10/0x10 [ 75.356660][ T46] ? skb_pull_data+0xfb/0x200 [ 75.356675][ T46] hci_le_conn_complete_evt+0x187/0x480 [ 75.356689][ T46] hci_event_packet+0x78f/0x1260 [ 75.356700][ T46] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 75.356712][ T46] ? __pfx_hci_event_packet+0x10/0x10 [ 75.356722][ T46] ? hci_send_to_monitor+0xe2/0x590 [ 75.356731][ T46] hci_rx_work+0x3ee/0x1060 [ 75.356739][ T46] ? process_scheduled_works+0x9ef/0x1770 [ 75.356746][ T46] process_scheduled_works+0xad1/0x1770 [ 75.356756][ T46] ? __pfx_process_scheduled_works+0x10/0x10 [ 75.356762][ T46] ? do_raw_spin_lock+0x121/0x290 [ 75.356773][ T46] worker_thread+0x8a0/0xda0 [ 75.356788][ T46] kthread+0x711/0x8a0 [ 75.356800][ T46] ? __pfx_worker_thread+0x10/0x10 [ 75.356810][ T46] ? __pfx_kthread+0x10/0x10 [ 75.356824][ T46] ? _raw_spin_unlock_irq+0x23/0x50 [ 75.356839][ T46] ? __pfx_kthread+0x10/0x10 [ 75.356853][ T46] ret_from_fork+0x510/0xa50 [ 75.356864][ T46] ? __pfx_ret_from_fork+0x10/0x10 [ 75.356873][ T46] ? __switch_to+0xc9e/0x1480 [ 75.356914][ T46] ? __pfx_kthread+0x10/0x10 [ 75.356929][ T46] ret_from_fork_asm+0x1a/0x30 [ 75.356949][ T46] [ 75.356953][ T46] [ 75.449316][ T46] Allocated by task 46: [ 75.450997][ T46] kasan_save_track+0x3e/0x80 [ 75.453106][ T46] __kasan_kmalloc+0x93/0xb0 [ 75.455035][ T46] __kmalloc_cache_noprof+0x3e2/0x700 [ 75.457210][ T46] l2cap_chan_create+0x51/0x790 [ 75.459232][ T46] l2cap_sock_new_connection_cb+0x182/0x2e0 [ 75.461754][ T46] l2cap_connect_cfm+0x367/0x10e0 [ 75.463767][ T46] hci_connect_cfm+0x95/0x140 [ 75.465740][ T46] le_conn_complete_evt+0xf65/0x1420 [ 75.467938][ T46] hci_le_conn_complete_evt+0x187/0x480 [ 75.470170][ T46] hci_event_packet+0x78f/0x1260 [ 75.472337][ T46] hci_rx_work+0x3ee/0x1060 [ 75.474302][ T46] process_scheduled_works+0xad1/0x1770 [ 75.476716][ T46] worker_thread+0x8a0/0xda0 [ 75.478812][ T46] kthread+0x711/0x8a0 [ 75.480632][ T46] ret_from_fork+0x510/0xa50 [ 75.483062][ T46] ret_from_fork_asm+0x1a/0x30 [ 75.485134][ T46] [ 75.486096][ T46] Freed by task 5341: [ 75.487812][ T46] kasan_save_track+0x3e/0x80 [ 75.489771][ T46] kasan_save_free_info+0x46/0x50 [ 75.491956][ T46] __kasan_slab_free+0x5c/0x80 [ 75.493925][ T46] kfree+0x1c0/0x660 [ 75.495632][ T46] l2cap_sock_cleanup_listen+0xf0/0x450 [ 75.497998][ T46] l2cap_sock_release+0x6a/0x230 [ 75.500174][ T46] sock_close+0xc3/0x240 [ 75.502010][ T46] __fput+0x44c/0xa70 [ 75.503650][ T46] task_work_run+0x1d4/0x260 [ 75.505841][ T46] exit_to_user_mode_loop+0xef/0x4e0 [ 75.508597][ T46] do_syscall_64+0x2b7/0xf80 [ 75.510592][ T46] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.513269][ T46] [ 75.514337][ T46] The buggy address belongs to the object at ffff88803ac53000 [ 75.514337][ T46] which belongs to the cache kmalloc-2k of size 2048 [ 75.520165][ T46] The buggy address is located 1152 bytes inside of [ 75.520165][ T46] freed 2048-byte region [ffff88803ac53000, ffff88803ac53800) [ 75.525835][ T46] [ 75.526872][ T46] The buggy address belongs to the physical page: [ 75.529550][ T46] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3ac50 [ 75.532976][ T46] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 75.536399][ T46] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) [ 75.539493][ T46] page_type: f5(slab) [ 75.541180][ T46] raw: 04fff00000000040 ffff88801a442000 dead000000000122 0000000000000000 [ 75.544617][ T46] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000 [ 75.548126][ T46] head: 04fff00000000040 ffff88801a442000 dead000000000122 0000000000000000 [ 75.551630][ T46] head: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000 [ 75.554975][ T46] head: 04fff00000000003 ffffea0000eb1401 00000000ffffffff 00000000ffffffff [ 75.558489][ T46] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 75.562304][ T46] page dumped because: kasan: bad access detected [ 75.565113][ T46] page_owner tracks the page as allocated [ 75.567529][ T46] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4727, tgid 4727 (klogd), ts 75316117239, free_ts 75164195989 [ 75.576031][ T46] post_alloc_hook+0x234/0x290 [ 75.578027][ T46] get_page_from_freelist+0x24e0/0x2580 [ 75.580250][ T46] __alloc_frozen_pages_noprof+0x181/0x370 [ 75.582933][ T46] alloc_pages_mpol+0x232/0x4a0 [ 75.585003][ T46] allocate_slab+0x86/0x3b0 [ 75.587041][ T46] ___slab_alloc+0xe53/0x1820 [ 75.589221][ T46] __slab_alloc+0x65/0x100 [ 75.591079][ T46] __kmalloc_cache_noprof+0x41e/0x700 [ 75.593481][ T46] syslog_print+0xd2/0x590 [ 75.595451][ T46] do_syslog+0x544/0x760 [ 75.597287][ T46] __x64_sys_syslog+0x7c/0x90 [ 75.599359][ T46] do_syscall_64+0xec/0xf80 [ 75.601322][ T46] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.603770][ T46] page last free pid 5344 tgid 5344 stack trace: [ 75.606360][ T46] __free_frozen_pages+0xbc8/0xd30 [ 75.608446][ T46] __put_partials+0x146/0x170 [ 75.610389][ T46] __slab_free+0x294/0x320 [ 75.612210][ T46] qlist_free_all+0x97/0x100 [ 75.614455][ T46] kasan_quarantine_reduce+0x148/0x160 [ 75.616710][ T46] __kasan_slab_alloc+0x22/0x80 [ 75.618700][ T46] kmem_cache_alloc_node_noprof+0x43c/0x720 [ 75.621048][ T46] __alloc_skb+0x1dc/0x3a0 [ 75.622970][ T46] alloc_skb_with_frags+0xca/0x890 [ 75.624971][ T46] sock_alloc_send_pskb+0x84d/0x980 [ 75.627045][ T46] unix_dgram_sendmsg+0x501/0x18c0 [ 75.629163][ T46] __sock_sendmsg+0x21c/0x270 [ 75.630949][ T46] sock_write_iter+0x279/0x360 [ 75.632845][ T46] vfs_write+0x5c9/0xb30 [ 75.634576][ T46] ksys_write+0x145/0x250 [ 75.636235][ T46] do_syscall_64+0xec/0xf80 [ 75.638023][ T46] [ 75.638980][ T46] Memory state around the buggy address: [ 75.641092][ T46] ffff88803ac53380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.644074][ T46] ffff88803ac53400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.646993][ T46] >ffff88803ac53480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.650333][ T46] ^ [ 75.652137][ T46] ffff88803ac53500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.655572][ T46] ffff88803ac53580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.658979][ T46] ================================================================== [ 75.685555][ T46] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 75.688422][ T46] CPU: 0 UID: 0 PID: 46 Comm: kworker/u5:0 Not tainted syzkaller #0 PREEMPT(full) [ 75.692235][ T46] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.696722][ T46] Workqueue: hci0 hci_rx_work [ 75.698966][ T46] Call Trace: [ 75.700479][ T46] [ 75.701779][ T46] vpanic+0x1e0/0x670 [ 75.703555][ T46] panic+0xb9/0xc0 [ 75.705168][ T46] ? __pfx_panic+0x10/0x10 [ 75.707057][ T46] ? preempt_schedule_thunk+0x16/0x30 [ 75.709143][ T46] ? l2cap_connect_cfm+0x6d0/0x10e0 [ 75.711588][ T46] check_panic_on_warn+0x89/0xb0 [ 75.713846][ T46] ? l2cap_connect_cfm+0x6d0/0x10e0 [ 75.716044][ T46] end_report+0x6f/0x140 [ 75.717904][ T46] kasan_report+0x129/0x150 [ 75.719893][ T46] ? l2cap_connect_cfm+0x6d0/0x10e0 [ 75.722093][ T46] l2cap_connect_cfm+0x6d0/0x10e0 [ 75.724127][ T46] ? __pfx_l2cap_connect_cfm+0x10/0x10 [ 75.726423][ T46] ? __pfx_l2cap_connect_cfm+0x10/0x10 [ 75.728756][ T46] hci_connect_cfm+0x95/0x140 [ 75.730839][ T46] le_conn_complete_evt+0xf65/0x1420 [ 75.733542][ T46] ? __pfx_le_conn_complete_evt+0x10/0x10 [ 75.736214][ T46] ? __mutex_unlock_slowpath+0x1a1/0x730 [ 75.738650][ T46] ? __asan_memcpy+0x40/0x70 [ 75.740625][ T46] ? __pfx___mutex_unlock_slowpath+0x10/0x10 [ 75.743164][ T46] ? skb_pull_data+0xfb/0x200 [ 75.745235][ T46] hci_le_conn_complete_evt+0x187/0x480 [ 75.747735][ T46] hci_event_packet+0x78f/0x1260 [ 75.749755][ T46] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 75.752022][ T46] ? __pfx_hci_event_packet+0x10/0x10 [ 75.754287][ T46] ? hci_send_to_monitor+0xe2/0x590 [ 75.756511][ T46] hci_rx_work+0x3ee/0x1060 [ 75.758480][ T46] ? process_scheduled_works+0x9ef/0x1770 [ 75.760863][ T46] process_scheduled_works+0xad1/0x1770 [ 75.763229][ T46] ? __pfx_process_scheduled_works+0x10/0x10 [ 75.765795][ T46] ? do_raw_spin_lock+0x121/0x290 [ 75.767955][ T46] worker_thread+0x8a0/0xda0 [ 75.769969][ T46] kthread+0x711/0x8a0 [ 75.771754][ T46] ? __pfx_worker_thread+0x10/0x10 [ 75.774019][ T46] ? __pfx_kthread+0x10/0x10 [ 75.776073][ T46] ? _raw_spin_unlock_irq+0x23/0x50 [ 75.778354][ T46] ? __pfx_kthread+0x10/0x10 [ 75.780352][ T46] ret_from_fork+0x510/0xa50 [ 75.782393][ T46] ? __pfx_ret_from_fork+0x10/0x10 [ 75.784561][ T46] ? __switch_to+0xc9e/0x1480 [ 75.786609][ T46] ? __pfx_kthread+0x10/0x10 [ 75.788653][ T46] ret_from_fork_asm+0x1a/0x30 [ 75.790845][ T46] [ 75.792624][ T46] Kernel Offset: disabled [ 75.794542][ T46] Rebooting in 86400 seconds..