syzbot

 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
kobject: kobject_add_internal failed for hci5:201 with -EEXIST, don't try to register things with the same name in the same directory.
Bluetooth: hci5: failed to register connection device
==================================================================
BUG: KASAN: slab-use-after-free in l2cap_sock_new_connection_cb+0x1f9/0x2b0 net/bluetooth/l2cap_sock.c:1497
Read of size 8 at addr ffff888029e7b790 by task kworker/u9:2/9455

CPU: 0 UID: 0 PID: 9455 Comm: kworker/u9:2 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Workqueue: hci5 hci_rx_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 l2cap_sock_new_connection_cb+0x1f9/0x2b0 net/bluetooth/l2cap_sock.c:1497
 l2cap_connect_cfm+0x377/0x1040 net/bluetooth/l2cap_core.c:7287
 hci_connect_cfm+0x92/0x140 include/net/bluetooth/hci_core.h:2082
 le_conn_complete_evt+0xcd3/0x1220 net/bluetooth/hci_event.c:5755
 hci_le_conn_complete_evt+0x187/0x450 net/bluetooth/hci_event.c:5781
 hci_event_func net/bluetooth/hci_event.c:7521 [inline]
 hci_event_packet+0x78c/0x1200 net/bluetooth/hci_event.c:7578
 hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4071
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 9455:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4365 [inline]
 __kmalloc_noprof+0x1ef/0x430 mm/slub.c:4377
 kmalloc_noprof include/linux/slab.h:909 [inline]
 sk_prot_alloc+0xe7/0x220 net/core/sock.c:2239
 sk_alloc+0x3a/0x370 net/core/sock.c:2295
 bt_sock_alloc+0x3b/0x310 net/bluetooth/af_bluetooth.c:151
 l2cap_sock_alloc net/bluetooth/l2cap_sock.c:1894 [inline]
 l2cap_sock_new_connection_cb+0xe2/0x2b0 net/bluetooth/l2cap_sock.c:1482
 l2cap_connect_cfm+0x377/0x1040 net/bluetooth/l2cap_core.c:7287
 hci_connect_cfm+0x92/0x140 include/net/bluetooth/hci_core.h:2082
 le_conn_complete_evt+0xcd3/0x1220 net/bluetooth/hci_event.c:5755
 hci_le_conn_complete_evt+0x187/0x450 net/bluetooth/hci_event.c:5781
 hci_event_func net/bluetooth/hci_event.c:7521 [inline]
 hci_event_packet+0x78c/0x1200 net/bluetooth/hci_event.c:7578
 hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4071
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 11150:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:243 [inline]
 __kasan_slab_free+0x5b/0x80 mm/kasan/common.c:275
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2417 [inline]
 slab_free mm/slub.c:4680 [inline]
 kfree+0x195/0x550 mm/slub.c:4879
 sk_prot_free net/core/sock.c:2278 [inline]
 __sk_destruct+0x4e4/0x670 net/core/sock.c:2373
 l2cap_sock_cleanup_listen+0xda/0x3e0 net/bluetooth/l2cap_sock.c:1462
 l2cap_sock_release+0x5e/0x200 net/bluetooth/l2cap_sock.c:1425
 __sock_release net/socket.c:649 [inline]
 sock_close+0xc3/0x240 net/socket.c:1439
 __fput+0x45b/0xa80 fs/file_table.c:468
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:43
 exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
 do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888029e7b000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1936 bytes inside of
 freed 2048-byte region [ffff888029e7b000, ffff888029e7b800)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x29e78
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff888019842000 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 0080000000000040 ffff888019842000 dead000000000100 dead000000000122
head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 0080000000000003 ffffea0000a79e01 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5850, tgid 5850 (syz-executor), ts 99857352707, free_ts 99780275454
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
 prep_new_page mm/page_alloc.c:1859 [inline]
 get_page_from_freelist+0x2119/0x21b0 mm/page_alloc.c:3858
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
 alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2416
 alloc_slab_page mm/slub.c:2487 [inline]
 allocate_slab+0x8a/0x370 mm/slub.c:2655
 new_slab mm/slub.c:2709 [inline]
 ___slab_alloc+0x8d1/0xdd0 mm/slub.c:3891
 __slab_alloc mm/slub.c:3981 [inline]
 __slab_alloc_node mm/slub.c:4056 [inline]
 slab_alloc_node mm/slub.c:4217 [inline]
 __do_kmalloc_node mm/slub.c:4364 [inline]
 __kmalloc_node_track_caller_noprof+0x14c/0x450 mm/slub.c:4384
 kmalloc_reserve+0x136/0x290 net/core/skbuff.c:600
 pskb_expand_head+0x18e/0x1150 net/core/skbuff.c:2240
 netlink_trim+0x1d5/0x2e0 net/netlink/af_netlink.c:1301
 netlink_broadcast_filtered+0xd6/0x12c0 net/netlink/af_netlink.c:1514
 nlmsg_multicast_filtered include/net/netlink.h:1165 [inline]
 nlmsg_multicast include/net/netlink.h:1184 [inline]
 nlmsg_notify+0xf0/0x1a0 net/netlink/af_netlink.c:2595
 __dev_notify_flags+0xf4/0x2e0 net/core/dev.c:9584
 netif_change_flags+0xe8/0x1a0 net/core/dev.c:9617
 do_setlink+0xc55/0x41c0 net/core/rtnetlink.c:3143
 rtnl_changelink net/core/rtnetlink.c:3761 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3920 [inline]
 rtnl_newlink+0x160b/0x1c70 net/core/rtnetlink.c:4057
page last free pid 5847 tgid 5847 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0xb59/0xce0 mm/page_alloc.c:2895
 __slab_free+0x2db/0x390 mm/slub.c:4591
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:340
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4180 [inline]
 slab_alloc_node mm/slub.c:4229 [inline]
 __do_kmalloc_node mm/slub.c:4364 [inline]
 __kmalloc_node_track_caller_noprof+0x1ab/0x450 mm/slub.c:4384
 __kmemdup_nul mm/util.c:64 [inline]
 kstrdup+0x42/0x100 mm/util.c:84
 __kernfs_new_node+0x9c/0x690 fs/kernfs/dir.c:633
 kernfs_new_node+0x102/0x210 fs/kernfs/dir.c:713
 kernfs_create_link+0xa7/0x200 fs/kernfs/symlink.c:39
 sysfs_do_create_link_sd+0x83/0x110 fs/sysfs/symlink.c:44
 driver_sysfs_add+0x89/0x210 drivers/base/dd.c:442
 device_bind_driver+0x17/0x60 drivers/base/dd.c:500
 mac80211_hwsim_new_radio+0x484/0x4e30 drivers/net/wireless/virtual/mac80211_hwsim.c:5223
 hwsim_new_radio_nl+0xea4/0x1b10 drivers/net/wireless/virtual/mac80211_hwsim.c:6252
 genl_family_rcv_msg_doit+0x212/0x300 net/netlink/genetlink.c:1115

Memory state around the buggy address:
 ffff888029e7b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888029e7b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888029e7b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff888029e7b800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888029e7b880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================