program:
# syzkaller reproducer for the KASAN slab-use-after-free in l2cap_connect_cfm
# reported in the kernel log that follows (Read of size 8, task kworker/u5:0,
# "Workqueue: hci0 hci_rx_work").
#
# Shape of the bug as the log shows it:
#   - Allocated by task 47 (the hci0 RX worker): l2cap_chan_create via
#     l2cap_sock_new_connection_cb <- l2cap_connect_cfm, i.e. the listening
#     L2CAP socket created below spawned a child channel while the injected
#     LE Connection Complete event was being processed.
#   - Freed by task 5335: l2cap_sock_cleanup_listen <- l2cap_sock_release <-
#     sock_close <- __fput on a syscall's return-to-user path. No explicit
#     close() appears in this program, so presumably the release comes from
#     process teardown once the program finishes (TODO confirm).
#   - The RX worker then reads the freed channel in l2cap_connect_cfm.
# The earlier "sysfs: cannot create duplicate filename .../hci0:201" and
# "failed to register connection device" lines are on the same RX path
# (hci_conn_add_sysfs) and precede the UAF in the same event.

# CPU affinity setup; with a zero-length/NULL mask this presumably has no
# bearing on the bug itself.
sched_setaffinity(0x0, 0x0, 0x0)

# r0 = Bluetooth L2CAP socket in the init net namespace
# (AF_BLUETOOTH = 0x1f, SOCK_SEQPACKET = 0x5).
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)

# sockaddr_l2 {family 0x1f, psm 0, bdaddr @any, cid 0x4, bdaddr_type 0x1}.
# cid 0x4 is the L2CAP ATT fixed channel and bdaddr_type 0x1 is an LE address
# type, which is consistent with the LE connection path in the trace.
bind$bt_l2cap(r0, &(0x7f0000000000)={0x1f, 0x0, @any, 0x4, 0x1}, 0xe)

# Put r0 into listening state; this is the socket whose cleanup
# (l2cap_sock_cleanup_listen) frees the channel in the "Freed by" trace.
# The large backlog value is presumably clamped by the kernel.
listen(r0, 0x90004)

# Inject a raw HCI packet through the virtual HCI (vhci) device into hci0.
# Declared length 0x16 = 22 bytes; only the first 8 are given here, the rest
# are whatever the runtime fills in (presumably zero).  Decoding the blob:
#   04       HCI event packet type
#   3e       LE Meta Event
#   13       parameter length (19) -> 3 + 19 = 22 bytes, matching 0x16
#   01       subevent: LE Connection Complete
#   00       status = success
#   c9 00    connection handle 0x00c9 = 201 -- the "hci0:201" in the sysfs
#            duplicate-name error at the top of the log
#   01       role
syz_emit_vhci(&(0x7f0000000140)=ANY=[@ANYBLOB="043e130100c90001"], 0x16)

# Wait on r0 (NULL timeout, so presumably blocks until an event fires).
# Meanwhile hci_rx_work processes the injected event on the kworker.
ppoll(&(0x7f00000000c0)=[{r0, 0x260}], 0x1, 0x0, 0x0, 0x0)
[ 88.778484][ T47] Bluetooth: hci0: command tx timeout
[ 88.914939][ T47] sysfs: cannot create duplicate filename '/devices/virtual/bluetooth/hci0/hci0:201'
[ 88.918951][ T47] CPU: 0 UID: 0 PID: 47 Comm: kworker/u5:0 Not tainted syzkaller #0 PREEMPT(full)
[ 88.918968][ T47] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 88.918974][ T47] Workqueue: hci0 hci_rx_work
[ 88.919093][ T47] Call Trace:
[ 88.919099][ T47]
[ 88.919105][ T47] dump_stack_lvl+0x189/0x250
[ 88.919123][ T47] ? __pfx_dump_stack_lvl+0x10/0x10
[ 88.919137][ T47] ? __pfx__printk+0x10/0x10
[ 88.919153][ T47] ? kernfs_path_from_node+0x250/0x290
[ 88.919193][ T47] ? kernfs_path_from_node+0x2f/0x290
[ 88.919205][ T47] sysfs_create_dir_ns+0x259/0x280
[ 88.919216][ T47] ? __pfx_sysfs_create_dir_ns+0x10/0x10
[ 88.919227][ T47] ? do_raw_spin_unlock+0x4d/0x240
[ 88.919239][ T47] kobject_add_internal+0x6ab/0xcc0
[ 88.919281][ T47] kobject_add+0x155/0x220
[ 88.919299][ T47] ? __pfx_kobject_add+0x10/0x10
[ 88.919313][ T47] ? _raw_spin_unlock+0x28/0x50
[ 88.919327][ T47] ? get_device_parent+0x366/0x3a0
[ 88.919343][ T47] device_add+0x408/0xb80
[ 88.919358][ T47] hci_conn_add_sysfs+0xd5/0x210
[ 88.919374][ T47] le_conn_complete_evt+0xf1d/0x1420
[ 88.919386][ T47] ? __pfx_le_conn_complete_evt+0x10/0x10
[ 88.919393][ T47] ? __mutex_unlock_slowpath+0x1a1/0x730
[ 88.919403][ T47] ? __asan_memcpy+0x40/0x70
[ 88.919414][ T47] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 88.919423][ T47] ? skb_pull_data+0xfb/0x200
[ 88.919434][ T47] hci_le_conn_complete_evt+0x187/0x480
[ 88.919447][ T47] hci_event_packet+0x78f/0x1260
[ 88.919457][ T47] ? __pfx_hci_le_meta_evt+0x10/0x10
[ 88.919468][ T47] ? __pfx_hci_event_packet+0x10/0x10
[ 88.919477][ T47] ? kcov_remote_start+0x4d3/0x7f0
[ 88.919486][ T47] ? lockdep_hardirqs_on+0x98/0x140
[ 88.919495][ T47] ? hci_send_to_monitor+0xe2/0x590
[ 88.919505][ T47] hci_rx_work+0x3ee/0x1060
[ 88.919521][ T47] ? process_scheduled_works+0x9ef/0x1770
[ 88.919533][ T47] process_scheduled_works+0xad1/0x1770
[ 88.919562][ T47] ? __pfx_process_scheduled_works+0x10/0x10
[ 88.919584][ T47] worker_thread+0x8a0/0xda0
[ 88.919613][ T47] kthread+0x711/0x8a0
[ 88.919624][ T47] ? __pfx_worker_thread+0x10/0x10
[ 88.919631][ T47] ? __pfx_kthread+0x10/0x10
[ 88.919640][ T47] ? _raw_spin_unlock_irq+0x23/0x50
[ 88.919647][ T47] ? lockdep_hardirqs_on+0x98/0x140
[ 88.919654][ T47] ? __pfx_kthread+0x10/0x10
[ 88.919663][ T47] ret_from_fork+0x599/0xb30
[ 88.919671][ T47] ? __pfx_ret_from_fork+0x10/0x10
[ 88.919683][ T47] ? __pfx_kthread+0x10/0x10
[ 88.919691][ T47] ret_from_fork_asm+0x1a/0x30
[ 88.919707][ T47]
[ 88.919722][ T47] kobject: kobject_add_internal failed for hci0:201 with -EEXIST, don't try to register things with the same name in the same directory.
[ 89.051382][ T47] Bluetooth: hci0: failed to register connection device
[ 89.057094][ T47] ==================================================================
[ 89.060398][ T47] BUG: KASAN: slab-use-after-free in l2cap_connect_cfm+0x6d0/0x10e0
[ 89.063330][ T47] Read of size 8 at addr ffff8880399c8480 by task kworker/u5:0/47
[ 89.066491][ T47]
[ 89.067432][ T47] CPU: 0 UID: 0 PID: 47 Comm: kworker/u5:0 Not tainted syzkaller #0 PREEMPT(full)
[ 89.067447][ T47] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 89.067453][ T47] Workqueue: hci0 hci_rx_work
[ 89.067467][ T47] Call Trace:
[ 89.067472][ T47]
[ 89.067477][ T47] dump_stack_lvl+0x189/0x250
[ 89.067488][ T47] ? __kasan_check_byte+0x12/0x40
[ 89.067497][ T47] ? __pfx_dump_stack_lvl+0x10/0x10
[ 89.067507][ T47] ? lock_release+0x4b/0x3b0
[ 89.067515][ T47] ? __virt_addr_valid+0x4a5/0x5c0
[ 89.067526][ T47] print_report+0xca/0x240
[ 89.067534][ T47] ? l2cap_connect_cfm+0x6d0/0x10e0
[ 89.067541][ T47] kasan_report+0x118/0x150
[ 89.067549][ T47] ? l2cap_connect_cfm+0x6d0/0x10e0
[ 89.067557][ T47] l2cap_connect_cfm+0x6d0/0x10e0
[ 89.067566][ T47] ? __pfx_l2cap_connect_cfm+0x10/0x10
[ 89.067574][ T47] ? __pfx_l2cap_connect_cfm+0x10/0x10
[ 89.067581][ T47] hci_connect_cfm+0x95/0x140
[ 89.067591][ T47] le_conn_complete_evt+0xf65/0x1420
[ 89.067599][ T47] ? __pfx_le_conn_complete_evt+0x10/0x10
[ 89.067605][ T47] ? __mutex_unlock_slowpath+0x1a1/0x730
[ 89.067614][ T47] ? __asan_memcpy+0x40/0x70
[ 89.067623][ T47] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 89.067631][ T47] ? skb_pull_data+0xfb/0x200
[ 89.067642][ T47] hci_le_conn_complete_evt+0x187/0x480
[ 89.067652][ T47] hci_event_packet+0x78f/0x1260
[ 89.067661][ T47] ? __pfx_hci_le_meta_evt+0x10/0x10
[ 89.067672][ T47] ? __pfx_hci_event_packet+0x10/0x10
[ 89.067680][ T47] ? kcov_remote_start+0x4d3/0x7f0
[ 89.067691][ T47] ? lockdep_hardirqs_on+0x98/0x140
[ 89.067699][ T47] ? hci_send_to_monitor+0xe2/0x590
[ 89.067707][ T47] hci_rx_work+0x3ee/0x1060
[ 89.067716][ T47] ? process_scheduled_works+0x9ef/0x1770
[ 89.067724][ T47] process_scheduled_works+0xad1/0x1770
[ 89.067735][ T47] ? __pfx_process_scheduled_works+0x10/0x10
[ 89.067743][ T47] worker_thread+0x8a0/0xda0
[ 89.067754][ T47] kthread+0x711/0x8a0
[ 89.067764][ T47] ? __pfx_worker_thread+0x10/0x10
[ 89.067770][ T47] ? __pfx_kthread+0x10/0x10
[ 89.067780][ T47] ? _raw_spin_unlock_irq+0x23/0x50
[ 89.067790][ T47] ? lockdep_hardirqs_on+0x98/0x140
[ 89.067800][ T47] ? __pfx_kthread+0x10/0x10
[ 89.067812][ T47] ret_from_fork+0x599/0xb30
[ 89.067822][ T47] ? __pfx_ret_from_fork+0x10/0x10
[ 89.067834][ T47] ? __pfx_kthread+0x10/0x10
[ 89.067845][ T47] ret_from_fork_asm+0x1a/0x30
[ 89.067858][ T47]
[ 89.067861][ T47]
[ 89.176224][ T47] Allocated by task 47:
[ 89.177991][ T47] kasan_save_track+0x3e/0x80
[ 89.180013][ T47] __kasan_kmalloc+0x93/0xb0
[ 89.182049][ T47] __kmalloc_cache_noprof+0x3e2/0x700
[ 89.184539][ T47] l2cap_chan_create+0x51/0x790
[ 89.186810][ T47] l2cap_sock_new_connection_cb+0x182/0x2e0
[ 89.189365][ T47] l2cap_connect_cfm+0x367/0x10e0
[ 89.191538][ T47] hci_connect_cfm+0x95/0x140
[ 89.193590][ T47] le_conn_complete_evt+0xf65/0x1420
[ 89.195744][ T47] hci_le_conn_complete_evt+0x187/0x480
[ 89.198141][ T47] hci_event_packet+0x78f/0x1260
[ 89.200337][ T47] hci_rx_work+0x3ee/0x1060
[ 89.202330][ T47] process_scheduled_works+0xad1/0x1770
[ 89.204704][ T47] worker_thread+0x8a0/0xda0
[ 89.206705][ T47] kthread+0x711/0x8a0
[ 89.208446][ T47] ret_from_fork+0x599/0xb30
[ 89.210427][ T47] ret_from_fork_asm+0x1a/0x30
[ 89.212546][ T47]
[ 89.213611][ T47] Freed by task 5335:
[ 89.215351][ T47] kasan_save_track+0x3e/0x80
[ 89.217366][ T47] kasan_save_free_info+0x46/0x50
[ 89.219490][ T47] __kasan_slab_free+0x5c/0x80
[ 89.221548][ T47] kfree+0x1c0/0x660
[ 89.223244][ T47] l2cap_sock_cleanup_listen+0xf0/0x450
[ 89.225628][ T47] l2cap_sock_release+0x6a/0x230
[ 89.227830][ T47] sock_close+0xc3/0x240
[ 89.229616][ T47] __fput+0x44c/0xa70
[ 89.231282][ T47] task_work_run+0x1d4/0x260
[ 89.233238][ T47] exit_to_user_mode_loop+0xff/0x4f0
[ 89.235518][ T47] do_syscall_64+0x2e3/0xf80
[ 89.237559][ T47] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 89.240193][ T47]
[ 89.241226][ T47] The buggy address belongs to the object at ffff8880399c8000
[ 89.241226][ T47] which belongs to the cache kmalloc-2k of size 2048
[ 89.247107][ T47] The buggy address is located 1152 bytes inside of
[ 89.247107][ T47] freed 2048-byte region [ffff8880399c8000, ffff8880399c8800)
[ 89.252934][ T47]
[ 89.254189][ T47] The buggy address belongs to the physical page:
[ 89.256783][ T47] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x399c8
[ 89.260445][ T47] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 89.263994][ T47] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
[ 89.267247][ T47] page_type: f5(slab)
[ 89.269024][ T47] raw: 04fff00000000040 ffff88801a442000 ffffea000110bc00 dead000000000002
[ 89.272332][ T47] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
[ 89.275971][ T47] head: 04fff00000000040 ffff88801a442000 ffffea000110bc00 dead000000000002
[ 89.279706][ T47] head: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
[ 89.283125][ T47] head: 04fff00000000003 ffffea0000e67201 00000000ffffffff 00000000ffffffff
[ 89.286912][ T47] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 89.290731][ T47] page dumped because: kasan: bad access detected
[ 89.293498][ T47] page_owner tracks the page as allocated
[ 89.296065][ T47] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5176, tgid 5176 (dhcpcd), ts 57643703430, free_ts 56303757476
[ 89.304885][ T47] post_alloc_hook+0x234/0x290
[ 89.306903][ T47] get_page_from_freelist+0x2365/0x2440
[ 89.309286][ T47] __alloc_frozen_pages_noprof+0x181/0x370
[ 89.311836][ T47] alloc_pages_mpol+0x232/0x4a0
[ 89.313968][ T47] allocate_slab+0x86/0x3b0
[ 89.316035][ T47] ___slab_alloc+0xf2b/0x1960
[ 89.318159][ T47] __slab_alloc+0x65/0x100
[ 89.320158][ T47] __kmalloc_node_track_caller_noprof+0x5d4/0x820
[ 89.322683][ T47] kmemdup_array+0x3f/0x80
[ 89.324625][ T47] bpf_prepare_filter+0xd67/0x12c0
[ 89.326956][ T47] bpf_prog_create_from_user+0x2c8/0x440
[ 89.329469][ T47] do_seccomp+0x7b1/0xd90
[ 89.331394][ T47] __se_sys_prctl+0xc3c/0x1830
[ 89.333388][ T47] do_syscall_64+0xfa/0xf80
[ 89.335504][ T47] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 89.338057][ T47] page last free pid 5143 tgid 5143 stack trace:
[ 89.340789][ T47] __free_frozen_pages+0xbc8/0xd30
[ 89.343045][ T47] __put_partials+0x146/0x170
[ 89.344990][ T47] put_cpu_partial+0x1f2/0x2d0
[ 89.346963][ T47] __slab_free+0x288/0x2a0
[ 89.348766][ T47] qlist_free_all+0x97/0x100
[ 89.350614][ T47] kasan_quarantine_reduce+0x148/0x160
[ 89.352840][ T47] __kasan_slab_alloc+0x22/0x80
[ 89.354801][ T47] kmem_cache_alloc_noprof+0x37d/0x710
[ 89.357009][ T47] __anon_vma_prepare+0xcb/0x4a0
[ 89.359157][ T47] do_pte_missing+0x2e38/0x3330
[ 89.361395][ T47] handle_mm_fault+0x1b26/0x32b0
[ 89.363571][ T47] do_user_addr_fault+0xa7c/0x1380
[ 89.365773][ T47] exc_page_fault+0x82/0x100
[ 89.367811][ T47] asm_exc_page_fault+0x26/0x30
[ 89.369855][ T47]
[ 89.370965][ T47] Memory state around the buggy address:
[ 89.373534][ T47] ffff8880399c8380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 89.377067][ T47] ffff8880399c8400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 89.380462][ T47] >ffff8880399c8480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 89.383870][ T47] ^
[ 89.385706][ T47] ffff8880399c8500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 89.389431][ T47] ffff8880399c8580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 89.392958][ T47] ==================================================================
[ 89.432187][ T47] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 89.435562][ T47] CPU: 0 UID: 0 PID: 47 Comm: kworker/u5:0 Not tainted syzkaller #0 PREEMPT(full)
[ 89.439529][ T47] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 89.444061][ T47] Workqueue: hci0 hci_rx_work
[ 89.446240][ T47] Call Trace:
[ 89.447715][ T47]
[ 89.448976][ T47] dump_stack_lvl+0x99/0x250
[ 89.451228][ T47] ? __asan_memcpy+0x40/0x70
[ 89.453350][ T47] ? __pfx_dump_stack_lvl+0x10/0x10
[ 89.455657][ T47] ? __pfx__printk+0x10/0x10
[ 89.458005][ T47] vpanic+0x237/0x6d0
[ 89.459807][ T47] ? __pfx_vpanic+0x10/0x10
[ 89.461774][ T47] ? preempt_schedule+0xae/0xc0
[ 89.463915][ T47] ? __pfx_preempt_schedule+0x10/0x10
[ 89.466197][ T47] panic+0xb9/0xc0
[ 89.467728][ T47] ? __pfx_panic+0x10/0x10
[ 89.469531][ T47] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 89.472091][ T47] ? l2cap_connect_cfm+0x6d0/0x10e0
[ 89.474817][ T47] check_panic_on_warn+0x89/0xb0
[ 89.477382][ T47] ? l2cap_connect_cfm+0x6d0/0x10e0
[ 89.479462][ T47] end_report+0x6f/0x140
[ 89.481444][ T47] kasan_report+0x129/0x150
[ 89.483446][ T47] ? l2cap_connect_cfm+0x6d0/0x10e0
[ 89.485640][ T47] l2cap_connect_cfm+0x6d0/0x10e0
[ 89.487904][ T47] ? __pfx_l2cap_connect_cfm+0x10/0x10
[ 89.490202][ T47] ? __pfx_l2cap_connect_cfm+0x10/0x10
[ 89.492560][ T47] hci_connect_cfm+0x95/0x140
[ 89.494598][ T47] le_conn_complete_evt+0xf65/0x1420
[ 89.496905][ T47] ? __pfx_le_conn_complete_evt+0x10/0x10
[ 89.499535][ T47] ? __mutex_unlock_slowpath+0x1a1/0x730
[ 89.501969][ T47] ? __asan_memcpy+0x40/0x70
[ 89.504141][ T47] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 89.506909][ T47] ? skb_pull_data+0xfb/0x200
[ 89.508999][ T47] hci_le_conn_complete_evt+0x187/0x480
[ 89.512106][ T47] hci_event_packet+0x78f/0x1260
[ 89.514390][ T47] ? __pfx_hci_le_meta_evt+0x10/0x10
[ 89.516664][ T47] ? __pfx_hci_event_packet+0x10/0x10
[ 89.519129][ T47] ? kcov_remote_start+0x4d3/0x7f0
[ 89.521407][ T47] ? lockdep_hardirqs_on+0x98/0x140
[ 89.523663][ T47] ? hci_send_to_monitor+0xe2/0x590
[ 89.525935][ T47] hci_rx_work+0x3ee/0x1060
[ 89.527945][ T47] ? process_scheduled_works+0x9ef/0x1770
[ 89.530350][ T47] process_scheduled_works+0xad1/0x1770
[ 89.532788][ T47] ? __pfx_process_scheduled_works+0x10/0x10
[ 89.535184][ T47] worker_thread+0x8a0/0xda0
[ 89.537124][ T47] kthread+0x711/0x8a0
[ 89.538797][ T47] ? __pfx_worker_thread+0x10/0x10
[ 89.541040][ T47] ? __pfx_kthread+0x10/0x10
[ 89.543103][ T47] ? _raw_spin_unlock_irq+0x23/0x50
[ 89.545500][ T47] ? lockdep_hardirqs_on+0x98/0x140
[ 89.547697][ T47] ? __pfx_kthread+0x10/0x10
[ 89.549782][ T47] ret_from_fork+0x599/0xb30
[ 89.551929][ T47] ? __pfx_ret_from_fork+0x10/0x10
[ 89.553993][ T47] ? __pfx_kthread+0x10/0x10
[ 89.555855][ T47] ret_from_fork_asm+0x1a/0x30
[ 89.557981][ T47]
[ 89.559620][ T47] Kernel Offset: disabled
[ 89.561590][ T47] Rebooting in 86400 seconds..