ci2 starts bisection 2025-11-06 08:24:45.032455765 +0000 UTC m=+93580.570221413
bisecting fixing commit since 43bb85222e53926decace01ce6584ca88e09a0a9
building syzkaller on 0abd06914a0618dff2f4b80e8d3c0bfb50121eb1
ensuring issue is reproducible on original commit 43bb85222e53926decace01ce6584ca88e09a0a9

testing commit 43bb85222e53926decace01ce6584ca88e09a0a9
gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 77f570036dbcf1d0e56269638807a89d0731deccdf2c465ee6119f1e88fb0f83
run #0: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #1: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #2: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #3: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #4: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #5: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #6: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #7: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #8: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #9: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #10: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #11: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #12: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #13: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #14: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #15: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #16: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #17: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #18: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #19: OK
representative crash: KASAN: use-after-free Read in l2cap_connect_cfm, types: [KASAN-USE-AFTER-FREE-READ]
check whether we can drop unnecessary instrumentation
disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed

testing commit 43bb85222e53926decace01ce6584ca88e09a0a9
gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e5ab928f35ef5b34f1a87d4dfd28c30339d0b76d4b1762622c501fd9c02a7f94
run #0: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #1: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #2: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #3: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #4: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #5: crashed: KASAN: wild-memory-access Read in l2cap_connect_cfm
run #6: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #7: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #8: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #9: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
representative crash: KASAN: use-after-free Read in l2cap_connect_cfm, types: [KASAN-USE-AFTER-FREE-READ]
the bug reproduces without the instrumentation
disabling configs for [atomic_sleep hang memleak ubsan bug_or_warning locking], they are not needed
kconfig minimization: base=3707 full=7424 leaves diff=2100
split chunks (needed=false): <2100>
split chunk #0 of len 2100 into 5 parts

testing without sub-chunk 1/5
disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed
testing commit 43bb85222e53926decace01ce6584ca88e09a0a9
gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: d907f55fe952fc15aee41092100708f239d6502be2acde518b54a0cf0bd575c0
all runs: OK
false negative chance: 0.000

testing without sub-chunk 2/5
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed
testing commit 43bb85222e53926decace01ce6584ca88e09a0a9
gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 424d68420d26982e57f8c77cfff727b866ff966481d05b416d8c50f2136ea158
run #0: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #1: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #2: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #3: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #4: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #5: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #6: crashed: KASAN: wild-memory-access Read in l2cap_connect_cfm
run #7: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #8: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #9: crashed: KASAN: wild-memory-access Read in l2cap_connect_cfm
representative crash: KASAN: use-after-free Read in l2cap_connect_cfm, types: [KASAN-USE-AFTER-FREE-READ]
the chunk can be dropped

testing without sub-chunk 3/5
disabling configs for [bug_or_warning locking atomic_sleep hang memleak ubsan], they are not needed
testing commit 43bb85222e53926decace01ce6584ca88e09a0a9
gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c25481c1acaa975d1ff177e9b73c1d624b27608617b6831dee45dc3bea7d1eb5
run #0: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #1: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #2: crashed: KASAN: wild-memory-access Read in l2cap_connect_cfm
run #3: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #4: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #5: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #6: crashed: KASAN: wild-memory-access Read in l2cap_connect_cfm
run #7: crashed: KASAN: wild-memory-access Read in l2cap_connect_cfm
run #8: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #9: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
representative crash: KASAN: use-after-free Read in l2cap_connect_cfm, types: [KASAN-USE-AFTER-FREE-READ KASAN-READ]
the chunk can be 
dropped

testing without sub-chunk 4/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 43bb85222e53926decace01ce6584ca88e09a0a9
gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e227c49a67e3adc7b84b84c95beddb434760636dcfa417b511c16db41483b458
all runs: OK
false negative chance: 0.000

testing without sub-chunk 5/5
disabling configs for [locking atomic_sleep hang memleak ubsan bug_or_warning], they are not needed
testing commit 43bb85222e53926decace01ce6584ca88e09a0a9
gcc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: aca17bde9ace3ee223bc7806aaeb9ff9aedad8e993b79b2336d041ffd3e18878
run #0: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #1: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #2: crashed: KASAN: wild-memory-access Read in l2cap_connect_cfm
run #3: crashed: KASAN: wild-memory-access Read in l2cap_connect_cfm
run #4: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #5: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #6: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #7: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #8: crashed: KASAN: wild-memory-access Read in l2cap_connect_cfm
run #9: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
representative crash: KASAN: use-after-free Read in l2cap_connect_cfm, types: [KASAN-USE-AFTER-FREE-READ KASAN-READ]
the chunk can be dropped
minimized to 840 configs
disabling configs for [hang memleak ubsan bug_or_warning locking atomic_sleep], they are not needed

testing current HEAD cc5ec87693063acebb60f587e8a019ba9b94ae0e
testing commit cc5ec87693063acebb60f587e8a019ba9b94ae0e
gcc compiler: gcc (GCC) 
10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 70fec14697942c43329e52379fb1a2a84364475b1bcd3e07a61ecec4b210885f
run #0: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #1: crashed: KASAN: wild-memory-access Read in l2cap_connect_cfm
run #2: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #3: crashed: KASAN: wild-memory-access Read in l2cap_connect_cfm
run #4: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #5: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #6: crashed: KASAN: wild-memory-access Read in l2cap_connect_cfm
run #7: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #8: crashed: KASAN: use-after-free Read in l2cap_connect_cfm
run #9: crashed: KASAN: wild-memory-access Read in l2cap_connect_cfm
representative crash: KASAN: use-after-free Read in l2cap_connect_cfm, types: [KASAN-USE-AFTER-FREE-READ KASAN-READ]
crash still not fixed/happens on the oldest tested release
revisions tested: 8, total time: 2h17m0.955129153s (build: 41m15.038485814s, test: 1h33m49.306509106s)
crash still not fixed or there were kernel test errors
commit msg: Linux 5.15.196
crash: KASAN: use-after-free Read in l2cap_connect_cfm

kobject_add_internal failed for hci0:201 with -EEXIST, don't try to register things with the same name in the same directory.
Bluetooth: hci0: failed to register connection device
==================================================================
BUG: KASAN: use-after-free in l2cap_conn_ready net/bluetooth/l2cap_core.c:1758 [inline]
BUG: KASAN: use-after-free in l2cap_connect_cfm+0xb3a/0xd50 net/bluetooth/l2cap_core.c:8320
Read of size 8 at addr ffff8880707e7488 by task kworker/u5:2/1998

CPU: 0 PID: 1998 Comm: kworker/u5:2 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Workqueue: hci0 hci_rx_work
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x41/0x5e lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:451
 l2cap_conn_ready net/bluetooth/l2cap_core.c:1758 [inline]
 l2cap_connect_cfm+0xb3a/0xd50 net/bluetooth/l2cap_core.c:8320
 hci_connect_cfm include/net/bluetooth/hci_core.h:1505 [inline]
 le_conn_complete_evt+0x11f0/0x1ab0 net/bluetooth/hci_event.c:5439
 hci_le_conn_complete_evt net/bluetooth/hci_event.c:5464 [inline]
 hci_le_meta_evt+0x71b/0x3c90 net/bluetooth/hci_event.c:6186
 hci_event_packet+0x4c5/0x8420 net/bluetooth/hci_event.c:6535
 hci_rx_work+0x3e8/0xab0 net/bluetooth/hci_core.c:5160
 process_one_work+0x800/0x11d0 kernel/workqueue.c:2310
 worker_thread+0x4a0/0xdd0 kernel/workqueue.c:2457
 kthread+0x31b/0x3e0 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

Allocated by task 1998:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 __kasan_kmalloc+0x7c/0x90 mm/kasan/common.c:522
 kmalloc include/linux/slab.h:607 [inline]
 kzalloc include/linux/slab.h:738 [inline]
 l2cap_chan_create+0x39/0x8f0 net/bluetooth/l2cap_core.c:469
 l2cap_sock_alloc.constprop.0+0x177/0x250 net/bluetooth/l2cap_sock.c:1882
 l2cap_sock_new_connection_cb+0xd5/0x1e0 net/bluetooth/l2cap_sock.c:1479
 l2cap_connect_cfm+0x3d6/0xd50 net/bluetooth/l2cap_core.c:8303
 hci_connect_cfm include/net/bluetooth/hci_core.h:1505 [inline]
 le_conn_complete_evt+0x11f0/0x1ab0 net/bluetooth/hci_event.c:5439
 hci_le_conn_complete_evt net/bluetooth/hci_event.c:5464 [inline]
 hci_le_meta_evt+0x71b/0x3c90 net/bluetooth/hci_event.c:6186
 hci_event_packet+0x4c5/0x8420 net/bluetooth/hci_event.c:6535
 hci_rx_work+0x3e8/0xab0 net/bluetooth/hci_core.c:5160
 process_one_work+0x800/0x11d0 kernel/workqueue.c:2310
 worker_thread+0x4a0/0xdd0 kernel/workqueue.c:2457
 kthread+0x31b/0x3e0 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

Freed by task 6428:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xe0/0x110 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1710 [inline]
 slab_free_freelist_hook mm/slub.c:1736 [inline]
 slab_free mm/slub.c:3504 [inline]
 kfree+0xd0/0x4e0 mm/slub.c:4564
 l2cap_sock_cleanup_listen+0x45/0x230 net/bluetooth/l2cap_sock.c:1462
 l2cap_sock_release+0x56/0x200 net/bluetooth/l2cap_sock.c:1420
 __sock_release+0xbb/0x270 net/socket.c:651
 sock_close+0xf/0x20 net/socket.c:1346
 __fput+0x1f2/0x9a0 fs/file_table.c:311
 task_work_run+0xb8/0x140 kernel/task_work.c:188
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:181 [inline]
 exit_to_user_mode_prepare+0x1a2/0x1b0 kernel/entry/common.c:214
 __syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline]
 syscall_exit_to_user_mode+0x12/0x30 kernel/entry/common.c:307
 do_syscall_64+0x40/0x80 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

The buggy address belongs to the object at ffff8880707e7000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1160 bytes inside of
 2048-byte region [ffff8880707e7000, ffff8880707e7800)
The buggy address belongs to the page:
page:ffffea0001c1f800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x707e0
head:ffffea0001c1f800 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 0000000000000000 dead000000000122 ffff88800e042000
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x152a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 6426, ts 420863283705, free_ts 420516940080
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0x13cc/0x3270 mm/page_alloc.c:4192
 __alloc_pages+0x1b2/0x440 mm/page_alloc.c:5487
 alloc_slab_page mm/slub.c:1780 [inline]
 allocate_slab+0x2eb/0x430 mm/slub.c:1917
 new_slab mm/slub.c:1980 [inline]
 ___slab_alloc+0xc94/0x10f0 mm/slub.c:3013
 __slab_alloc.constprop.0+0x45/0x80 mm/slub.c:3100
 slab_alloc_node mm/slub.c:3191 [inline]
 slab_alloc mm/slub.c:3233 [inline]
 __kmalloc+0x386/0x3c0 mm/slub.c:4408
 kmalloc include/linux/slab.h:612 [inline]
 sk_prot_alloc+0xee/0x200 net/core/sock.c:1866
 sk_alloc+0x27/0x570 net/core/sock.c:1922
 l2cap_sock_alloc.constprop.0+0x24/0x250 net/bluetooth/l2cap_sock.c:1867
 l2cap_sock_create+0xc8/0x160 net/bluetooth/l2cap_sock.c:1915
 bt_sock_create+0x11a/0x250 net/bluetooth/af_bluetooth.c:130
 __sock_create+0x20f/0x4f0 net/socket.c:1496
 sock_create net/socket.c:1552 [inline]
 __sys_socket+0xd6/0x1a0 net/socket.c:1594
 __do_sys_socket net/socket.c:1603 [inline]
 __se_sys_socket net/socket.c:1601 [inline]
 __x64_sys_socket+0x6a/0xb0 net/socket.c:1601
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x33/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare+0x379/0x850 mm/page_alloc.c:1391
 free_unref_page_prepare mm/page_alloc.c:3317 [inline]
 free_unref_page+0x19/0x510 mm/page_alloc.c:3396
 __unfreeze_partials+0x30b/0x320 mm/slub.c:2512
 qlink_free mm/kasan/quarantine.c:157 [inline]
 qlist_free_all+0x68/0x110 mm/kasan/quarantine.c:176
 kasan_quarantine_reduce+0x180/0x1f0 mm/kasan/quarantine.c:283
 __kasan_slab_alloc+0x73/0x80 mm/kasan/common.c:444
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook mm/slab.h:519 [inline]
 slab_alloc_node mm/slub.c:3225 [inline]
 slab_alloc mm/slub.c:3233 [inline]
 kmem_cache_alloc_trace+0x224/0x350 mm/slub.c:3250
 kmalloc include/linux/slab.h:607 [inline]
 tomoyo_print_header security/tomoyo/audit.c:156 [inline]
 tomoyo_init_log+0x180/0x1df0 security/tomoyo/audit.c:255
 tomoyo_supervisor+0x2ea/0xea0 security/tomoyo/common.c:2097
 tomoyo_audit_path_number_log security/tomoyo/file.c:235 [inline]
 tomoyo_path_number_perm+0x34c/0x420 security/tomoyo/file.c:734
 tomoyo_path_mkdir+0x81/0xd0 security/tomoyo/tomoyo.c:166
 security_path_mkdir+0xc0/0x130 security/security.c:1155
 do_mkdirat+0x109/0x280 fs/namei.c:4093
 __do_sys_mkdir fs/namei.c:4118 [inline]
 __se_sys_mkdir fs/namei.c:4116 [inline]
 __x64_sys_mkdir+0xd0/0x120 fs/namei.c:4116
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x33/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0

Memory state around the buggy address:
 ffff8880707e7380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880707e7400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880707e7480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff8880707e7500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880707e7580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================