Out of memory: Kill process 13714 (syz-executor.4) score 1005 or sacrifice child
Killed process 13714 (syz-executor.4) total-vm:93412kB, anon-rss:2224kB, file-rss:34816kB, shmem-rss:0kB
oom_reaper: reaped process 13714 (syz-executor.4), now anon-rss:0kB, file-rss:34816kB, shmem-rss:0kB
==================================================================
BUG: KASAN: use-after-free in constant_test_bit arch/x86/include/asm/bitops.h:317 [inline]
BUG: KASAN: use-after-free in sock_flag include/net/sock.h:839 [inline]
BUG: KASAN: use-after-free in l2cap_sock_kill net/bluetooth/l2cap_sock.c:1046 [inline]
BUG: KASAN: use-after-free in l2cap_sock_close_cb+0xbd/0xd0 net/bluetooth/l2cap_sock.c:1311
Read of size 8 at addr ffff88804809f320 by task kworker/1:0/19

CPU: 1 PID: 19 Comm: kworker/1:0 Not tainted 4.19.143-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
 constant_test_bit arch/x86/include/asm/bitops.h:317 [inline]
 sock_flag include/net/sock.h:839 [inline]
 l2cap_sock_kill net/bluetooth/l2cap_sock.c:1046 [inline]
 l2cap_sock_close_cb+0xbd/0xd0 net/bluetooth/l2cap_sock.c:1311
 l2cap_chan_timeout+0x1bb/0x210 net/bluetooth/l2cap_core.c:431
 process_one_work+0x864/0x1570 kernel/workqueue.c:2155
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2298
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 13874:
 __do_kmalloc mm/slab.c:3727 [inline]
 __kmalloc+0x15a/0x3c0 mm/slab.c:3736
 kmalloc include/linux/slab.h:520 [inline]
 sk_prot_alloc+0x1e2/0x2d0 net/core/sock.c:1466
 sk_alloc+0x36/0xec0 net/core/sock.c:1520
 l2cap_sock_alloc.constprop.0+0x31/0x210 net/bluetooth/l2cap_sock.c:1590
 l2cap_sock_create+0x110/0x1b0 net/bluetooth/l2cap_sock.c:1636
 bt_sock_create+0x154/0x2a0 net/bluetooth/af_bluetooth.c:130
 __sock_create+0x3d8/0x740 net/socket.c:1276
 rfcomm_l2sock_create net/bluetooth/rfcomm/core.c:203 [inline]
 rfcomm_session_create net/bluetooth/rfcomm/core.c:738 [inline]
 __rfcomm_dlc_open net/bluetooth/rfcomm/core.c:388 [inline]
 rfcomm_dlc_open+0x6e2/0xcb0 net/bluetooth/rfcomm/core.c:431
 rfcomm_sock_connect+0x317/0x420 net/bluetooth/rfcomm/sock.c:416
 __sys_connect+0x265/0x2c0 net/socket.c:1663
 __do_sys_connect net/socket.c:1674 [inline]
 __se_sys_connect net/socket.c:1671 [inline]
 __x64_sys_connect+0x6f/0xb0 net/socket.c:1671
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 3597:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 sk_prot_free net/core/sock.c:1503 [inline]
 __sk_destruct+0x5ff/0x810 net/core/sock.c:1584
 sk_destruct net/core/sock.c:1599 [inline]
 __sk_free+0x165/0x3b0 net/core/sock.c:1610
 sk_free+0x3b/0x50 net/core/sock.c:1621
 sock_put include/net/sock.h:1711 [inline]
 l2cap_sock_kill.part.0+0x6b/0x80 net/bluetooth/l2cap_sock.c:1055
 l2cap_sock_kill net/bluetooth/l2cap_sock.c:1206 [inline]
 l2cap_sock_release+0x158/0x190 net/bluetooth/l2cap_sock.c:1204
 __sock_release net/socket.c:579 [inline]
 sock_release+0x87/0x1d0 net/socket.c:599
 rfcomm_session_del+0x15a/0x1f0 net/bluetooth/rfcomm/core.c:684
 rfcomm_session_close net/bluetooth/rfcomm/core.c:723 [inline]
 rfcomm_process_rx net/bluetooth/rfcomm/core.c:1916 [inline]
 rfcomm_process_sessions net/bluetooth/rfcomm/core.c:2000 [inline]
 rfcomm_run+0x12ed/0x4250 net/bluetooth/rfcomm/core.c:2087
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

The buggy address belongs to the object at ffff88804809f2c0
 which belongs to the cache kmalloc-2048 of size 2048
syz-executor.0: vmalloc: allocation failure, allocated 1464160256 of 3319955456 bytes, mode:0x6080c0(GFP_KERNEL|__GFP_ZERO), nodemask=(null)
The buggy address is located 96 bytes inside of
 2048-byte region [ffff88804809f2c0, ffff88804809fac0)
The buggy address belongs to the page:
page:ffffea0001202780 count:1 mapcount:0 mapping:ffff88812c39cc40 index:0xffff88804809ea40 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea000129b788 ffffea00027f5808 ffff88812c39cc40
raw: ffff88804809ea40 ffff88804809e1c0 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
syz-executor.0 cpuset=/ mems_allowed=0-1
 ffff88804809f200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88804809f280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff88804809f300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff88804809f380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88804809f400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
CPU: 0 PID: 14801 Comm: syz-executor.0 Not tainted 4.19.143-syzkaller #0
==================================================================
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
 warn_alloc.cold+0x7b/0x18f mm/page_alloc.c:3456
 __vmalloc_area_node+0x4fd/0x780 mm/vmalloc.c:1712
 __vmalloc_node_range+0xed/0x180 mm/vmalloc.c:1753
 __vmalloc_node mm/vmalloc.c:1804 [inline]
 vmalloc_user+0x70/0xe0 mm/vmalloc.c:1874
 vb2_vmalloc_alloc+0xb3/0x290 drivers/media/common/videobuf2/videobuf2-vmalloc.c:48
 __vb2_buf_mem_alloc drivers/media/common/videobuf2/videobuf2-core.c:214 [inline]
 __vb2_queue_alloc+0x472/0xe60 drivers/media/common/videobuf2/videobuf2-core.c:367
 vb2_core_create_bufs+0x273/0x7e0 drivers/media/common/videobuf2/videobuf2-core.c:838
 vb2_create_bufs+0x332/0x620 drivers/media/common/videobuf2/videobuf2-v4l2.c:557
 vb2_ioctl_create_bufs+0x20d/0x360 drivers/media/common/videobuf2/videobuf2-v4l2.c:748
 v4l_create_bufs drivers/media/v4l2-core/v4l2-ioctl.c:1930 [inline]
 v4l_create_bufs+0xb2/0x160 drivers/media/v4l2-core/v4l2-ioctl.c:1917
 __video_do_ioctl+0x49a/0xcd0 drivers/media/v4l2-core/v4l2-ioctl.c:2838
 video_usercopy+0x13c/0x1000 drivers/media/v4l2-core/v4l2-ioctl.c:3018
 v4l2_ioctl+0x147/0x1a0 drivers/media/v4l2-core/v4l2-dev.c:364
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45d5b9
Code: Bad RIP value.
RSP: 002b:00007f9495135c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000001b640 RCX: 000000000045d5b9
RDX: 00000000200000c0 RSI: 00000000c100565c RDI: 0000000000000003
RBP: 000000000118cf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007fff2b4511bf R14: 00007f94951369c0 R15: 000000000118cf4c
Mem-Info:
active_anon:191822 inactive_anon:4107 isolated_anon:0
 active_file:43 inactive_file:11 isolated_file:0
 unevictable:0 dirty:0 writeback:0 unstable:0
 slab_reclaimable:14504 slab_unreclaimable:122328
 mapped:53069 shmem:4295 pagetables:2403 bounce:0
 free:13707 free_pcp:420 free_cma:0