Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] CPU: 1 UID: 0 PID: 7269 Comm: kworker/u9:8 Not tainted 6.11.0-rc6-syzkaller-00326-gd1f2d51b711a-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Workqueue: hci2 hci_rx_work RIP: 0010:hci_send_acl+0x35/0xd30 net/bluetooth/hci_core.c:3230 Code: 41 55 41 54 55 49 8d 6f 18 53 48 89 f3 48 83 ec 70 89 14 24 e8 1c 18 83 f7 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 bc 0b 00 00 49 8b 47 18 48 8d b8 e0 0f 00 00 48 RSP: 0018:ffffc9000ae676e0 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: ffff888030adc500 RCX: ffffffff8a1303d4 RDX: 0000000000000003 RSI: ffffffff8a08b834 RDI: 0000000000000000 RBP: 0000000000000018 R08: 0000000000000001 R09: 0000000000000080 R10: 0000000000000001 R11: 0000000000000000 R12: ffff888011da0000 R13: 0000000000000002 R14: ffffc9000ae67880 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 00000000781ba000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: l2cap_send_cmd+0x6e5/0x920 net/bluetooth/l2cap_core.c:973 l2cap_connect.constprop.0+0x6f7/0x1270 net/bluetooth/l2cap_core.c:4038 l2cap_connect_req net/bluetooth/l2cap_core.c:4084 [inline] l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4776 [inline] l2cap_sig_channel net/bluetooth/l2cap_core.c:5547 [inline] l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6829 l2cap_recv_acldata+0xd58/0xfd0 net/bluetooth/l2cap_core.c:7528 hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline] hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231 process_scheduled_works kernel/workqueue.c:3312 [inline] worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:hci_send_acl+0x35/0xd30 net/bluetooth/hci_core.c:3230 Code: 41 55 41 54 55 49 8d 6f 18 53 48 89 f3 48 83 ec 70 89 14 24 e8 1c 18 83 f7 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 bc 0b 00 00 49 8b 47 18 48 8d b8 e0 0f 00 00 48 RSP: 0018:ffffc9000ae676e0 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: ffff888030adc500 RCX: ffffffff8a1303d4 RDX: 0000000000000003 RSI: ffffffff8a08b834 RDI: 0000000000000000 RBP: 0000000000000018 R08: 0000000000000001 R09: 0000000000000080 R10: 0000000000000001 R11: 0000000000000000 R12: ffff888011da0000 R13: 0000000000000002 R14: ffffc9000ae67880 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 00000000781ba000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: 41 55 push %r13 2: 41 54 push %r12 4: 55 push %rbp 5: 49 8d 6f 18 lea 0x18(%r15),%rbp 9: 53 push %rbx a: 48 89 f3 mov %rsi,%rbx d: 48 83 ec 70 sub $0x70,%rsp 11: 89 14 24 mov %edx,(%rsp) 14: e8 1c 18 83 f7 call 0xf7831835 19: 48 89 ea mov %rbp,%rdx 1c: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 23: fc ff df 26: 48 c1 ea 03 shr $0x3,%rdx * 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction 2e: 0f 85 bc 0b 00 00 jne 0xbf0 34: 49 8b 47 18 mov 0x18(%r15),%rax 38: 48 8d b8 e0 0f 00 00 lea 0xfe0(%rax),%rdi 3f: 48 rex.W