program: syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) (async) syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="0200300c000800"], 0x11) ioctl$FS_IOC_SET_ENCRYPTION_POLICY(0xffffffffffffffff, 0x40086602, 0x0) (async) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) (async) syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_role_change={{0x12, 0x8}}}, 0xb) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) (async) socketpair$tipc(0x1e, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$inet(r0, &(0x7f0000000f80)={0x0, 0x0, &(0x7f0000000f40)=[{&(0x7f00000042c0)="86", 0xff0f}], 0x1}, 0x0) (async) socket$nl_generic(0x10, 0x3, 0x10) syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5) r1 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r1, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000004c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01010000000000000000020000000900010073797a300000000040000000030a09020000000000000000020000000900010073797a30000000000900030073797a3200000000140004800800014000000000080002400000000014000000110001"], 0x88}}, 0x0) (async) r2 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000180)={{0x14, 0x10, 0x1, 0x0, 0x0, {0x2}}, [], {0x14, 0x11, 0x1, 0x0, 0x0, {0x1}}}, 0x5c}, 0x1, 0x0, 0x0, 0x40040}, 0x0) (async) r3 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100), 0x40241, 0x0) ioctl$TUNSETIFF(r3, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201}) (async) r4 = socket$kcm(0x2, 0x3, 0x2) ioctl$SIOCSIFHWADDR(r4, 0x8914, &(0x7f0000000040)={'syzkaller1\x00', @broadcast}) (async) write$tun(r3, &(0x7f0000000580)={@val={0x8, 0x800}, @val={0x1, 0x0, 0x0, 0x0, 0x14}, @ipv4=@tcp={{0x5, 0x4, 0x0, 0x0, 0x28, 0x80, 0x0, 0x8, 0x2f, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}, @empty}, {{0x4e20, 0x22eb, 0x41424344, 0x41424344, 0x0, 0x0, 0x5, 0x0, 0x1}}}}, 0x36) close(0x4) (async) syz_open_procfs$namespace(0x0, &(0x7f0000000040)='ns/cgroup\x00') (async) syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000000000001000000000904000000030100000021000000012200000905810300"/54], 0x0) (async) r5 = socket(0x14, 0x2, 0x0) (async) syz_mount_image$nilfs2(&(0x7f0000000dc0), &(0x7f00000000c0)='./file0\x00', 0x10, &(0x7f0000000240)={[{@norecovery}, {@snapshot}, {@nobarrier}, {@nobarrier}, {@nodiscard}]}, 0x3, 0xd99, &(0x7f0000000e80)="$eJzs3UtvXNUdAPBzx544LxqHmMZN09glpbiP2CRYpbsaKV2gSqgSnwClgYYa+ghdgIKUsOi2kRAfoIh9F31mgRSxSsWmVb8AYtVNipBoG1UCI9vnjMf/zOjOOLbH4/n9pDtn7v2fe88587hz575OAkZWY+1xcXG6SuntW29dvDcz/r/VKTOtHLNrj+N5bCml1GzNl9JkWN7SxHr62SfXLrWnn+e0ShdSlarW9PTs3da8R1JK19Nsup0m03Mfn7z50gfPLL934saJi2/M3dmZ1gMAwGi596N3f/m3x3947fj/f39mKU20ppft86U8fjRv9y9V6+M5af0PqNrSqm28OBDyjeehEfKNdcjXXk4z5BvvUv6BsNxml3wTNeWPtU3r1G4YZhv/46vG/KbxRmN+fv0/+aoPxw5U869cWX7h6oAqCmy7T2fyLj6DwTByw8qxQa+BANbF44b3uR73LDyY1tLGeyv/7tONzvPDNtjtz7/yh6v8d29Y47B99uunqbSrfI+O5vF4HGE8zNfv978sLx6PaPZYz27HEYbl+EK3eo7tcj22qlv94+div/paTsvrcCbE278/8T0dlvcY6Oye/f8Gw8gOK4NeAQF7VjxvbiUr8XheX4xP1MQP1sQP1cQP18SP1MRhlP3h1d+mm9XG//z4n77f/WFlP9tDOf1Sn/WJ+yP7LT+e99uvBy0/nk8Me9rcf09/+uvbf4/n/38ezv8/m39LJ/MKouwvjPvVW+f+hwuDG13yPRyq81CH/GvPpzbnq6Y2lpPa1jP31WN683zHuuU7vTnfZMh3OG+LHAz1jdsnh8N8ZfujrFfL6zUe2tsM7TgQ6lHemeM5PRjac7xbu8KO7AMhXzMPJ0K7pkK7HgnzfTm0q5re3K64/7zU52SYHo+TlHzhbbvvdym+F/G6jEdz+mZO38np+zn9qEO5o6h8Hrud/18+n9OpWb1wZfnyE3m8fE7vjDUnVqef3+V6Aw+u1+t/ptPm63+OtqY3G+3rhWMb06v29cJkmH6hy/Qn83j5Pfvp2KG16fOXfr78k+1uPIy4q6+9/rPnl5cv/8oTTzzxpPVk0GsmYKctvPryLxauvvb6uSsvP//i5Rcvv3L+ie9/78mnnlpcWNuqX2jftgf2l40f/UHXBAAAAAAAAAAAAOhZdajz5JzW3d+2XE9erk+P18czHMr7Vj4N5T4G5frPbvd1KddvHt+FOrL9duNyokG3Eejs3+7/azCM7LCy4i7+wN4w6P7/yn0PS3r03D+Prw4l292nN68v4/0L4UHs9f7nlL+/+v9r9X/V8/ov9Jg1ubVy/3jv0D/aik2nei0/tr/cB3aqv/L/lMsvrXks9Vb+yu9C+fFGpT36cyj/cI/l39f+01sr/y+5/PKyzZ3ttfz1GleNzfWI+43LfQDjfuPir6H95d5+fbd/ix213crlwygbln4m+zUs/X92U5Zb1oN59dw6Tlfuvx37O+i3/uW+3+V34JGw/Krm903/n8Otrv/P8vlb0P8n7DsfOv5nMIzssLKyMtCuT0a135W9YtCv/6C3IQdd/qBf/zqx/8/4fyn2/xnjsf/PGI/9f8Z47F8rxmP/n/H1jP1/xvjJsNzYP+h0TfwrNfFTNfGv1sRP18Tj/7cYn62Jn6mJz9TEH66JP1oTP1sT/0ZN/LGa+OM18bma+H739ZyOavthlMV+I33/YXSU4z/dvv9TNXFgeMV+neP3+5s1cWB4lfM8fL9hBFWd79gR97eX/bhv5vSdnL6f0492rILshm/l9Ns5/U5Ov5vTczmdz+lCTvUNOdx+869TZ25WG+f5HQvxXs8njdcDxPvEnO+xPvH4XL/ns57ssZydKn+Ll4MAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADI3G2uPi4nSV0tu33rr4n6kf/Hh1ykwrx+za43geW0opNVNKVR4fD8u7PrGefvbJtUud0ipdWHss4+nZu615j6zOn2bT7TSZnvv45M2XPnhm+b0TN05cfGPuzs60HgAAAEbDFwEAAP//ManlwQ==") (async) r6 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file1\x00', 0x345800, 0x82) ioctl$FS_IOC_FSSETXATTR(r6, 0x40086602, &(0x7f0000000140)={0x180, 0xfdfffffe}) ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x40106183, 0x0) io_setup(0x7, &(0x7f0000000280)) openat$sysfs(0xffffff9c, &(0x7f0000000400)='/sys/power/pm_print_times', 0x42, 0x0) (async) socket$nl_generic(0x10, 0x3, 0x10) [ 84.908861][ T45] Bluetooth: hci0: command tx timeout [ 85.350383][ T5318] syzkaller1: entered promiscuous mode [ 85.357094][ T5318] syzkaller1: entered allmulticast mode [ 86.922339][ T5296] Bluetooth: hci0: command tx timeout [ 86.998400][ T45] ================================================================== [ 87.002766][ T45] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2a0 [ 87.006370][ T45] Write of size 4 at addr ffff888043024010 by task kworker/u5:0/45 [ 87.009887][ T45] [ 87.011029][ T45] CPU: 0 UID: 0 PID: 45 Comm: kworker/u5:0 Not tainted syzkaller #0 PREEMPT(full) [ 87.011068][ T45] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 87.011077][ T45] Workqueue: hci0 hci_cmd_sync_work [ 87.011102][ T45] Call Trace: [ 87.011127][ T45] [ 87.011150][ T45] dump_stack_lvl+0xe8/0x150 [ 87.011194][ T45] print_report+0xba/0x230 [ 87.011208][ T45] ? hci_conn_drop+0x34/0x2a0 [ 87.011221][ T45] kasan_report+0x117/0x150 [ 87.011233][ T45] ? hci_conn_drop+0x34/0x2a0 [ 87.011245][ T45] kasan_check_range+0x264/0x2c0 [ 87.011257][ T45] hci_conn_drop+0x34/0x2a0 [ 87.011268][ T45] ? __pfx_le_read_features_complete+0x10/0x10 [ 87.011284][ T45] hci_cmd_sync_work+0x262/0x400 [ 87.011300][ T45] ? process_scheduled_works+0xa25/0x1830 [ 87.011316][ T45] process_scheduled_works+0xb02/0x1830 [ 87.011334][ T45] ? __pfx_process_scheduled_works+0x10/0x10 [ 87.011350][ T45] ? assign_work+0x3d5/0x5e0 [ 87.011364][ T45] worker_thread+0xa50/0xfc0 [ 87.011383][ T45] kthread+0x388/0x470 [ 87.011395][ T45] ? __pfx_worker_thread+0x10/0x10 [ 87.011408][ T45] ? __pfx_kthread+0x10/0x10 [ 87.011418][ T45] ret_from_fork+0x51e/0xb90 [ 87.011434][ T45] ? __pfx_ret_from_fork+0x10/0x10 [ 87.011448][ T45] ? __switch_to+0xc7d/0x1450 [ 87.011460][ T45] ? __pfx_kthread+0x10/0x10 [ 87.011469][ T45] ret_from_fork_asm+0x1a/0x30 [ 87.011495][ T45] [ 87.011513][ T45] [ 87.086207][ T45] Allocated by task 45: [ 87.088621][ T45] kasan_save_track+0x3e/0x80 [ 87.091376][ T45] __kasan_kmalloc+0x93/0xb0 [ 87.093999][ T45] __kmalloc_cache_noprof+0x31c/0x660 [ 87.096681][ T45] __hci_conn_add+0x3c4/0x1e00 [ 87.099400][ T45] le_conn_complete_evt+0x706/0x1430 [ 87.102910][ T45] hci_le_enh_conn_complete_evt+0x189/0x490 [ 87.107410][ T45] hci_event_packet+0x7af/0x12c0 [ 87.110115][ T45] hci_rx_work+0x3ee/0x1030 [ 87.112264][ T45] process_scheduled_works+0xb02/0x1830 [ 87.114822][ T45] worker_thread+0xa50/0xfc0 [ 87.117479][ T45] kthread+0x388/0x470 [ 87.120051][ T45] ret_from_fork+0x51e/0xb90 [ 87.123048][ T45] ret_from_fork_asm+0x1a/0x30 [ 87.126243][ T45] [ 87.127678][ T45] Freed by task 5296: [ 87.129488][ T45] kasan_save_track+0x3e/0x80 [ 87.131438][ T45] kasan_save_free_info+0x46/0x50 [ 87.133765][ T45] __kasan_slab_free+0x5c/0x80 [ 87.135933][ T45] kfree+0x1c1/0x630 [ 87.137595][ T45] device_release+0x9e/0x1d0 [ 87.140816][ T45] kobject_put+0x228/0x560 [ 87.143881][ T45] hci_conn_del+0xc36/0x1230 [ 87.146290][ T45] hci_disconn_complete_evt+0x64e/0x950 [ 87.148851][ T45] hci_event_packet+0x805/0x12c0 [ 87.151075][ T45] hci_rx_work+0x3ee/0x1030 [ 87.153218][ T45] process_scheduled_works+0xb02/0x1830 [ 87.155731][ T45] worker_thread+0xa50/0xfc0 [ 87.157832][ T45] kthread+0x388/0x470 [ 87.159886][ T45] ret_from_fork+0x51e/0xb90 [ 87.162256][ T45] ret_from_fork_asm+0x1a/0x30 [ 87.164794][ T45] [ 87.166201][ T45] The buggy address belongs to the object at ffff888043024000 [ 87.166201][ T45] which belongs to the cache kmalloc-8k of size 8192 [ 87.173099][ T45] The buggy address is located 16 bytes inside of [ 87.173099][ T45] freed 8192-byte region [ffff888043024000, ffff888043026000) [ 87.179212][ T45] [ 87.180255][ T45] The buggy address belongs to the physical page: [ 87.183506][ T45] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x43020 [ 87.188132][ T45] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 87.191927][ T45] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) [ 87.195696][ T45] page_type: f5(slab) [ 87.197861][ T45] raw: 04fff00000000040 ffff88801ac42280 dead000000000100 dead000000000122 [ 87.202441][ T45] raw: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000 [ 87.206217][ T45] head: 04fff00000000040 ffff88801ac42280 dead000000000100 dead000000000122 [ 87.210125][ T45] head: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000 [ 87.214429][ T45] head: 04fff00000000003 ffffea00010c0801 00000000ffffffff 00000000ffffffff [ 87.218819][ T45] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 87.223115][ T45] page dumped because: kasan: bad access detected [ 87.225950][ T45] page_owner tracks the page as allocated [ 87.228549][ T45] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5295, tgid 5295 (syz-executor), ts 81528772792, free_ts 29112895851 [ 87.237826][ T45] post_alloc_hook+0x231/0x280 [ 87.240798][ T45] get_page_from_freelist+0x24dc/0x2580 [ 87.243599][ T45] __alloc_frozen_pages_noprof+0x18d/0x380 [ 87.246212][ T45] alloc_pages_mpol+0x232/0x4a0 [ 87.248237][ T45] allocate_slab+0x83/0x660 [ 87.250256][ T45] ___slab_alloc+0x150/0x6b0 [ 87.252797][ T45] __kmalloc_noprof+0x18a/0x760 [ 87.255431][ T45] batadv_hash_new+0x7b/0x290 [ 87.257761][ T45] batadv_tt_init+0x54/0x2a0 [ 87.259772][ T45] batadv_mesh_init+0x3a6/0x6a0 [ 87.262002][ T45] batadv_meshif_init_late+0xa38/0xee0 [ 87.264402][ T45] register_netdevice+0x6d1/0x1cf0 [ 87.266659][ T45] rtnl_newlink_create+0x329/0xb70 [ 87.269040][ T45] rtnl_newlink+0x1666/0x1be0 [ 87.271191][ T45] rtnetlink_rcv_msg+0x7d5/0xbe0 [ 87.273629][ T45] netlink_rcv_skb+0x232/0x4b0 [ 87.275919][ T45] page last free pid 1237 tgid 1237 stack trace: [ 87.278839][ T45] __free_frozen_pages+0xc2b/0xdb0 [ 87.281205][ T45] vfree+0x25a/0x400 [ 87.282983][ T45] delayed_vfree_work+0x55/0x80 [ 87.285144][ T45] process_scheduled_works+0xb02/0x1830 [ 87.287719][ T45] worker_thread+0xa50/0xfc0 [ 87.290155][ T45] kthread+0x388/0x470 [ 87.292797][ T45] ret_from_fork+0x51e/0xb90 [ 87.295461][ T45] ret_from_fork_asm+0x1a/0x30 [ 87.297710][ T45] [ 87.298761][ T45] Memory state around the buggy address: [ 87.301234][ T45] ffff888043023f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 87.304835][ T45] ffff888043023f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 87.308598][ T45] >ffff888043024000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 87.312675][ T45] ^ [ 87.315133][ T45] ffff888043024080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 87.319098][ T45] ffff888043024100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 87.322909][ T45] ================================================================== [ 87.327847][ T45] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 87.331266][ T45] CPU: 0 UID: 0 PID: 45 Comm: kworker/u5:0 Not tainted syzkaller #0 PREEMPT(full) [ 87.335344][ T45] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 87.339844][ T45] Workqueue: hci0 hci_cmd_sync_work [ 87.342365][ T45] Call Trace: [ 87.343830][ T45] [ 87.345258][ T45] vpanic+0x56c/0xa60 [ 87.347056][ T45] ? __pfx_vpanic+0x10/0x10 [ 87.349040][ T45] panic+0xc5/0xd0 [ 87.350751][ T45] ? __pfx_panic+0x10/0x10 [ 87.352840][ T45] ? preempt_schedule_thunk+0x16/0x30 [ 87.355723][ T45] ? preempt_schedule_thunk+0x16/0x30 [ 87.358582][ T45] ? hci_conn_drop+0x34/0x2a0 [ 87.360882][ T45] check_panic_on_warn+0x89/0xb0 [ 87.363285][ T45] ? hci_conn_drop+0x34/0x2a0 [ 87.365435][ T45] end_report+0x73/0x180 [ 87.367371][ T45] ? hci_conn_drop+0x34/0x2a0 [ 87.369432][ T45] kasan_report+0x128/0x150 [ 87.372145][ T45] ? hci_conn_drop+0x34/0x2a0 [ 87.375923][ T45] kasan_check_range+0x264/0x2c0 [ 87.378704][ T45] hci_conn_drop+0x34/0x2a0 [ 87.380761][ T45] ? __pfx_le_read_features_complete+0x10/0x10 [ 87.383645][ T45] hci_cmd_sync_work+0x262/0x400 [ 87.385966][ T45] ? process_scheduled_works+0xa25/0x1830 [ 87.388620][ T45] process_scheduled_works+0xb02/0x1830 [ 87.391285][ T45] ? __pfx_process_scheduled_works+0x10/0x10 [ 87.394233][ T45] ? assign_work+0x3d5/0x5e0 [ 87.397046][ T45] worker_thread+0xa50/0xfc0 [ 87.399534][ T45] kthread+0x388/0x470 [ 87.401519][ T45] ? __pfx_worker_thread+0x10/0x10 [ 87.404136][ T45] ? __pfx_kthread+0x10/0x10 [ 87.406358][ T45] ret_from_fork+0x51e/0xb90 [ 87.408660][ T45] ? __pfx_ret_from_fork+0x10/0x10 [ 87.410982][ T45] ? __switch_to+0xc7d/0x1450 [ 87.413288][ T45] ? __pfx_kthread+0x10/0x10 [ 87.415597][ T45] ret_from_fork_asm+0x1a/0x30 [ 87.417957][ T45] [ 87.419928][ T45] Kernel Offset: disabled [ 87.422218][ T45] Rebooting in 86400 seconds..