program:
# syzkaller reproducer (syzlang). Calls marked "(async)" are issued without
# waiting for the previous one to complete, so several of them run concurrently.
#
# Step 1: arm a periodic per-thread timer. sigevent = {value 0, signo 0x21 (33),
# notify 0x800000000004 whose low 32 bits are 4 = SIGEV_THREAD_ID, target thread
# r0}; both interval and initial expiry are 0x989680 ns = 10 ms. The "Freed by"
# stack in the report below runs get_signal -> task_work_run -> __fput ->
# sock_close -> sco_sock_release, i.e. the deferred socket close is flushed on
# signal delivery, which is what this timer keeps triggering.
r0 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc)) (async)
timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
# Step 2: create SCO sockets (0x1f = AF_BLUETOOTH, 0x5 = SOCK_SEQPACKET,
# 0x2 = BTPROTO_SCO) and start two connect()s on r1 at the same time, one to a
# fixed bdaddr and one to the all-zero (@none) address. "Allocated by task 5319"
# below shows the socket object coming from sco_sock_create (kmalloc-2k).
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) (async)
connect$bt_sco(r1, &(0x7f0000000000)={0x1f, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0x8) (async)
connect$bt_sco(r1, &(0x7f0000000080)={0x1f, @none}, 0x8) (async)
# Step 3: open the hibernation snapshot device (0xffffff9c = AT_FDCWD). Per the
# call trace below this goes snapshot_open -> pm_notifier_call_chain_robust ->
# hci_suspend_notifier -> hci_suspend_sync -> hci_disconnect_all_sync ->
# hci_abort_conn_sync -> hci_conn_failed -> sco_connect_cfm -> sco_conn_put,
# which writes 8 bytes into the sock that sco_sock_release already freed
# (KASAN slab-use-after-free, 1440 bytes into the 2048-byte object). The SCO
# conn evidently still points at the sock after the socket was torn down.
openat$snapshot(0xffffff9c, &(0x7f0000000880), 0x20840, 0x0)
[ 73.489941][ T5303] Bluetooth: hci0: command tx timeout
[ 74.422977][ T5321] Bluetooth: hci0: Opcode 0x0c1a failed: -4
[ 74.428316][ T5321] Bluetooth: hci0: Opcode 0x0406 failed: -4
[ 74.435965][ T5321] ==================================================================
[ 74.439655][ T5321] BUG: KASAN: slab-use-after-free in sco_conn_put+0xad/0x210
[ 74.442531][ T5321] Write of size 8 at addr ffff8880532535a0 by task syz.0.0/5321
[ 74.445247][ T5321]
[ 74.446180][ T5321] CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted 6.14.0-rc2-syzkaller-00056-gab68d7eb7b1a #0
[ 74.446193][ T5321] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 74.446200][ T5321] Call Trace:
[ 74.446207][ T5321]
[ 74.446213][ T5321] dump_stack_lvl+0x241/0x360
[ 74.446229][ T5321] ? __pfx_dump_stack_lvl+0x10/0x10
[ 74.446238][ T5321] ? __pfx__printk+0x10/0x10
[ 74.446254][ T5321] ? _printk+0xd5/0x120
[ 74.446268][ T5321] ? __virt_addr_valid+0x183/0x530
[ 74.446283][ T5321] ? __virt_addr_valid+0x183/0x530
[ 74.446296][ T5321] print_report+0x169/0x550
[ 74.446313][ T5321] ? __virt_addr_valid+0x183/0x530
[ 74.446325][ T5321] ? __virt_addr_valid+0x183/0x530
[ 74.446338][ T5321] ? __virt_addr_valid+0x45f/0x530
[ 74.446351][ T5321] ? __phys_addr+0xba/0x170
[ 74.446365][ T5321] ? sco_conn_put+0xad/0x210
[ 74.446375][ T5321] kasan_report+0x143/0x180
[ 74.446388][ T5321] ? sco_conn_put+0xad/0x210
[ 74.446399][ T5321] sco_conn_put+0xad/0x210
[ 74.446409][ T5321] sco_connect_cfm+0xa7/0xae0
[ 74.446418][ T5321] ? __kasan_kmalloc+0x98/0xb0
[ 74.446431][ T5321] ? hci_cb_lookup+0x1b3/0x3c0
[ 74.446446][ T5321] ? __pfx_sco_connect_cfm+0x10/0x10
[ 74.446457][ T5321] ? hci_cb_lookup+0x3a0/0x3c0
[ 74.446471][ T5321] ? __pfx_sco_connect_cfm+0x10/0x10
[ 74.446481][ T5321] hci_conn_failed+0x287/0x400
[ 74.446494][ T5321] ? __pfx_hci_conn_failed+0x10/0x10
[ 74.446507][ T5321] ? hci_conn_unlink+0x57a/0x630
[ 74.446520][ T5321] hci_conn_unlink+0x41d/0x630
[ 74.446533][ T5321] hci_conn_del+0x61/0xc40
[ 74.446545][ T5321] ? kfree+0x196/0x430
[ 74.446555][ T5321] ? hci_conn_failed+0x298/0x400
[ 74.446567][ T5321] hci_conn_failed+0x319/0x400
[ 74.446580][ T5321] ? __pfx_hci_conn_failed+0x10/0x10
[ 74.446594][ T5321] ? hci_abort_conn_sync+0x1f0/0x11f0
[ 74.446606][ T5321] hci_abort_conn_sync+0x56c/0x11f0
[ 74.446618][ T5321] ? hci_abort_conn_sync+0x1f0/0x11f0
[ 74.446629][ T5321] ? __pfx_hci_abort_conn_sync+0x10/0x10
[ 74.446639][ T5321] ? hci_disconnect_all_sync+0x8e/0x460
[ 74.446646][ T5321] ? __pfx_lock_release+0x10/0x10
[ 74.446656][ T5321] ? hci_disconnect_all_sync+0x8e/0x460
[ 74.446663][ T5321] hci_disconnect_all_sync+0x264/0x460
[ 74.446679][ T5321] ? __pfx_bt_err+0x10/0x10
[ 74.446689][ T5321] ? hci_disconnect_all_sync+0x8e/0x460
[ 74.446700][ T5321] ? __pfx_hci_disconnect_all_sync+0x10/0x10
[ 74.446711][ T5321] ? __mutex_lock+0x397/0x1010
[ 74.446727][ T5321] hci_suspend_sync+0x41a/0xca0
[ 74.446739][ T5321] ? hci_suspend_dev+0x1fb/0x3e0
[ 74.446751][ T5321] ? __pfx_hci_suspend_sync+0x10/0x10
[ 74.446762][ T5321] ? autoremove_wake_function+0x37/0x110
[ 74.446775][ T5321] ? __wake_up_common_lock+0x18c/0x1e0
[ 74.446788][ T5321] hci_suspend_dev+0x203/0x3e0
[ 74.446799][ T5321] hci_suspend_notifier+0xf2/0x2b0
[ 74.446811][ T5321] notifier_call_chain+0x1a5/0x3f0
[ 74.446827][ T5321] blocking_notifier_call_chain_robust+0xe8/0x1e0
[ 74.446841][ T5321] ? __pfx_blocking_notifier_call_chain_robust+0x10/0x10
[ 74.446854][ T5321] ? chrdev_open+0x36e/0x600
[ 74.446865][ T5321] pm_notifier_call_chain_robust+0x2c/0x60
[ 74.446880][ T5321] snapshot_open+0x19b/0x280
[ 74.446893][ T5321] ? __pfx_snapshot_open+0x10/0x10
[ 74.446906][ T5321] misc_open+0x2cc/0x340
[ 74.446963][ T5321] chrdev_open+0x521/0x600
[ 74.446975][ T5321] ? __pfx_chrdev_open+0x10/0x10
[ 74.446985][ T5321] ? file_set_fsnotify_mode_from_watchers+0x123/0x640
[ 74.447003][ T5321] ? __pfx_chrdev_open+0x10/0x10
[ 74.447011][ T5321] do_dentry_open+0xdec/0x1960
[ 74.447023][ T5321] ? vfs_open+0x31/0x370
[ 74.447029][ T5321] vfs_open+0x3b/0x370
[ 74.447035][ T5321] path_openat+0x2c81/0x3590
[ 74.447047][ T5321] ? __pfx_path_openat+0x10/0x10
[ 74.447057][ T5321] do_filp_open+0x27f/0x4e0
[ 74.447065][ T5321] ? __pfx_do_filp_open+0x10/0x10
[ 74.447076][ T5321] ? do_raw_spin_lock+0x14f/0x370
[ 74.447094][ T5321] do_sys_openat2+0x13e/0x1d0
[ 74.447105][ T5321] ? __pfx_do_sys_openat2+0x10/0x10
[ 74.447117][ T5321] __x64_sys_openat+0x247/0x2a0
[ 74.447128][ T5321] ? __pfx___x64_sys_openat+0x10/0x10
[ 74.447139][ T5321] ? exc_page_fault+0x590/0x8b0
[ 74.447153][ T5321] ? do_syscall_64+0xb6/0x230
[ 74.447167][ T5321] do_syscall_64+0xf3/0x230
[ 74.447179][ T5321] ? clear_bhb_loop+0x35/0x90
[ 74.447195][ T5321] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.447209][ T5321] RIP: 0033:0x7f3f2298cde9
[ 74.447220][ T5321] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 74.447229][ T5321] RSP: 002b:00007f3f23823038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 74.447242][ T5321] RAX: ffffffffffffffda RBX: 00007f3f22ba6160 RCX: 00007f3f2298cde9
[ 74.447249][ T5321] RDX: 0000000000020840 RSI: 0000400000000880 RDI: 00000000ffffff9c
[ 74.447256][ T5321] RBP: 00007f3f22a0e2a0 R08: 0000000000000000 R09: 0000000000000000
[ 74.447262][ T5321] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 74.447268][ T5321] R13: 0000000000000001 R14: 00007f3f22ba6160 R15: 00007ffd651eef58
[ 74.447279][ T5321]
[ 74.447282][ T5321]
[ 74.656662][ T5321] Allocated by task 5319:
[ 74.658304][ T5321] kasan_save_track+0x3f/0x80
[ 74.660132][ T5321] __kasan_kmalloc+0x98/0xb0
[ 74.661948][ T5321] __kmalloc_noprof+0x285/0x4c0
[ 74.663862][ T5321] sk_prot_alloc+0xe0/0x210
[ 74.666037][ T5321] sk_alloc+0x38/0x370
[ 74.668084][ T5321] bt_sock_alloc+0x3c/0x340
[ 74.670214][ T5321] sco_sock_create+0xbb/0x390
[ 74.672264][ T5321] bt_sock_create+0x161/0x230
[ 74.674137][ T5321] __sock_create+0x4c0/0xa30
[ 74.675970][ T5321] __sys_socket+0x150/0x3c0
[ 74.677745][ T5321] __x64_sys_socket+0x7a/0x90
[ 74.679627][ T5321] do_syscall_64+0xf3/0x230
[ 74.681564][ T5321] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.684027][ T5321]
[ 74.684989][ T5321] Freed by task 5320:
[ 74.686808][ T5321] kasan_save_track+0x3f/0x80
[ 74.689094][ T5321] kasan_save_free_info+0x40/0x50
[ 74.691490][ T5321] __kasan_slab_free+0x59/0x70
[ 74.693342][ T5321] kfree+0x196/0x430
[ 74.694919][ T5321] __sk_destruct+0x479/0x5f0
[ 74.696614][ T5321] sco_sock_release+0x25e/0x320
[ 74.698446][ T5321] sock_close+0xbc/0x240
[ 74.700277][ T5321] __fput+0x3e9/0x9f0
[ 74.701950][ T5321] task_work_run+0x24f/0x310
[ 74.703791][ T5321] get_signal+0x15f7/0x1750
[ 74.705960][ T5321] arch_do_signal_or_restart+0x96/0x860
[ 74.708746][ T5321] syscall_exit_to_user_mode+0xce/0x340
[ 74.711650][ T5321] do_syscall_64+0x100/0x230
[ 74.713431][ T5321] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.715750][ T5321]
[ 74.716614][ T5321] The buggy address belongs to the object at ffff888053253000
[ 74.716614][ T5321] which belongs to the cache kmalloc-2k of size 2048
[ 74.721558][ T5321] The buggy address is located 1440 bytes inside of
[ 74.721558][ T5321] freed 2048-byte region [ffff888053253000, ffff888053253800)
[ 74.727749][ T5321]
[ 74.728868][ T5321] The buggy address belongs to the physical page:
[ 74.731312][ T5321] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x53250
[ 74.734604][ T5321] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 74.738029][ T5321] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
[ 74.740962][ T5321] page_type: f5(slab)
[ 74.742645][ T5321] raw: 04fff00000000040 ffff88801ac42000 dead000000000122 0000000000000000
[ 74.746500][ T5321] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[ 74.750418][ T5321] head: 04fff00000000040 ffff88801ac42000 dead000000000122 0000000000000000
[ 74.753869][ T5321] head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[ 74.757051][ T5321] head: 04fff00000000003 ffffea00014c9401 ffffffffffffffff 0000000000000000
[ 74.760242][ T5321] head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
[ 74.763839][ T5321] page dumped because: kasan: bad access detected
[ 74.766449][ T5321] page_owner tracks the page as allocated
[ 74.768992][ T5321] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5311, tgid 5311 (kworker/0:4), ts 73576696684, free_ts 0
[ 74.777326][ T5321] post_alloc_hook+0x1f4/0x240
[ 74.779689][ T5321] get_page_from_freelist+0x365c/0x37a0
[ 74.782352][ T5321] __alloc_frozen_pages_noprof+0x292/0x710
[ 74.784947][ T5321] alloc_pages_mpol+0x311/0x660
[ 74.786872][ T5321] allocate_slab+0x8f/0x3a0
[ 74.788793][ T5321] ___slab_alloc+0xc27/0x14a0
[ 74.790716][ T5321] __slab_alloc+0x58/0xa0
[ 74.792384][ T5321] __kmalloc_node_track_caller_noprof+0x2e9/0x4c0
[ 74.794919][ T5321] kmalloc_reserve+0x111/0x2a0
[ 74.796806][ T5321] __alloc_skb+0x1f3/0x440
[ 74.798662][ T5321] alloc_skb_with_frags+0xc3/0x820
[ 74.800734][ T5321] sock_alloc_send_pskb+0x91a/0xa60
[ 74.803068][ T5321] mld_newpack+0x1c3/0xaf0
[ 74.805166][ T5321] add_grec+0x1492/0x19a0
[ 74.807142][ T5321] mld_ifc_work+0x691/0xd90
[ 74.809242][ T5321] process_scheduled_works+0xa66/0x1840
[ 74.811422][ T5321] page_owner free stack trace missing
[ 74.813294][ T5321]
[ 74.814157][ T5321] Memory state around the buggy address:
[ 74.816284][ T5321] ffff888053253480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.819498][ T5321] ffff888053253500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.824425][ T5321] >ffff888053253580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.828059][ T5321] ^
[ 74.829965][ T5321] ffff888053253600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.832967][ T5321] ffff888053253680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.836149][ T5321] ==================================================================
[ 74.865086][ T5321] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 74.868256][ T5321] CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted 6.14.0-rc2-syzkaller-00056-gab68d7eb7b1a #0
[ 74.873136][ T5321] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 74.877659][ T5321] Call Trace:
[ 74.878946][ T5321]
[ 74.879990][ T5321] dump_stack_lvl+0x241/0x360
[ 74.881860][ T5321] ? __pfx_dump_stack_lvl+0x10/0x10
[ 74.883832][ T5321] ? __pfx__printk+0x10/0x10
[ 74.885615][ T5321] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 74.888338][ T5321] ? vscnprintf+0x5d/0x90
[ 74.890558][ T5321] panic+0x349/0x880
[ 74.892497][ T5321] ? check_panic_on_warn+0x21/0xb0
[ 74.894436][ T5321] ? __pfx_panic+0x10/0x10
[ 74.896076][ T5321] ? _raw_spin_unlock_irqrestore+0x130/0x140
[ 74.898360][ T5321] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 74.900730][ T5321] check_panic_on_warn+0x86/0xb0
[ 74.902638][ T5321] ? sco_conn_put+0xad/0x210
[ 74.904606][ T5321] end_report+0x77/0x160
[ 74.906700][ T5321] kasan_report+0x154/0x180
[ 74.908871][ T5321] ? sco_conn_put+0xad/0x210
[ 74.911117][ T5321] sco_conn_put+0xad/0x210
[ 74.913156][ T5321] sco_connect_cfm+0xa7/0xae0
[ 74.915114][ T5321] ? __kasan_kmalloc+0x98/0xb0
[ 74.916874][ T5321] ? hci_cb_lookup+0x1b3/0x3c0
[ 74.918680][ T5321] ? __pfx_sco_connect_cfm+0x10/0x10
[ 74.920995][ T5321] ? hci_cb_lookup+0x3a0/0x3c0
[ 74.922857][ T5321] ? __pfx_sco_connect_cfm+0x10/0x10
[ 74.924898][ T5321] hci_conn_failed+0x287/0x400
[ 74.926921][ T5321] ? __pfx_hci_conn_failed+0x10/0x10
[ 74.929310][ T5321] ? hci_conn_unlink+0x57a/0x630
[ 74.931863][ T5321] hci_conn_unlink+0x41d/0x630
[ 74.934073][ T5321] hci_conn_del+0x61/0xc40
[ 74.935875][ T5321] ? kfree+0x196/0x430
[ 74.937403][ T5321] ? hci_conn_failed+0x298/0x400
[ 74.939178][ T5321] hci_conn_failed+0x319/0x400
[ 74.941044][ T5321] ? __pfx_hci_conn_failed+0x10/0x10
[ 74.943024][ T5321] ? hci_abort_conn_sync+0x1f0/0x11f0
[ 74.945085][ T5321] hci_abort_conn_sync+0x56c/0x11f0
[ 74.947587][ T5321] ? hci_abort_conn_sync+0x1f0/0x11f0
[ 74.950120][ T5321] ? __pfx_hci_abort_conn_sync+0x10/0x10
[ 74.952649][ T5321] ? hci_disconnect_all_sync+0x8e/0x460
[ 74.954843][ T5321] ? __pfx_lock_release+0x10/0x10
[ 74.956782][ T5321] ? hci_disconnect_all_sync+0x8e/0x460
[ 74.959365][ T5321] hci_disconnect_all_sync+0x264/0x460
[ 74.961624][ T5321] ? __pfx_bt_err+0x10/0x10
[ 74.963763][ T5321] ? hci_disconnect_all_sync+0x8e/0x460
[ 74.966544][ T5321] ? __pfx_hci_disconnect_all_sync+0x10/0x10
[ 74.969314][ T5321] ? __mutex_lock+0x397/0x1010
[ 74.971156][ T5321] hci_suspend_sync+0x41a/0xca0
[ 74.972999][ T5321] ? hci_suspend_dev+0x1fb/0x3e0
[ 74.974657][ T5321] ? __pfx_hci_suspend_sync+0x10/0x10
[ 74.977011][ T5321] ? autoremove_wake_function+0x37/0x110
[ 74.979272][ T5321] ? __wake_up_common_lock+0x18c/0x1e0
[ 74.981662][ T5321] hci_suspend_dev+0x203/0x3e0
[ 74.983740][ T5321] hci_suspend_notifier+0xf2/0x2b0
[ 74.985724][ T5321] notifier_call_chain+0x1a5/0x3f0
[ 74.987898][ T5321] blocking_notifier_call_chain_robust+0xe8/0x1e0
[ 74.990234][ T5321] ? __pfx_blocking_notifier_call_chain_robust+0x10/0x10
[ 74.992698][ T5321] ? chrdev_open+0x36e/0x600
[ 74.994565][ T5321] pm_notifier_call_chain_robust+0x2c/0x60
[ 74.997098][ T5321] snapshot_open+0x19b/0x280
[ 74.999929][ T5321] ? __pfx_snapshot_open+0x10/0x10
[ 75.002922][ T5321] misc_open+0x2cc/0x340
[ 75.004471][ T5321] chrdev_open+0x521/0x600
[ 75.006150][ T5321] ? __pfx_chrdev_open+0x10/0x10
[ 75.008056][ T5321] ? file_set_fsnotify_mode_from_watchers+0x123/0x640
[ 75.010645][ T5321] ? __pfx_chrdev_open+0x10/0x10
[ 75.012597][ T5321] do_dentry_open+0xdec/0x1960
[ 75.014422][ T5321] ? vfs_open+0x31/0x370
[ 75.016243][ T5321] vfs_open+0x3b/0x370
[ 75.018318][ T5321] path_openat+0x2c81/0x3590
[ 75.020192][ T5321] ? __pfx_path_openat+0x10/0x10
[ 75.022964][ T5321] do_filp_open+0x27f/0x4e0
[ 75.025554][ T5321] ? __pfx_do_filp_open+0x10/0x10
[ 75.027970][ T5321] ? do_raw_spin_lock+0x14f/0x370
[ 75.029481][ T5321] do_sys_openat2+0x13e/0x1d0
[ 75.031339][ T5321] ? __pfx_do_sys_openat2+0x10/0x10
[ 75.033478][ T5321] __x64_sys_openat+0x247/0x2a0
[ 75.035481][ T5321] ? __pfx___x64_sys_openat+0x10/0x10
[ 75.037638][ T5321] ? exc_page_fault+0x590/0x8b0
[ 75.039495][ T5321] ? do_syscall_64+0xb6/0x230
[ 75.041319][ T5321] do_syscall_64+0xf3/0x230
[ 75.043160][ T5321] ? clear_bhb_loop+0x35/0x90
[ 75.044915][ T5321] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.047602][ T5321] RIP: 0033:0x7f3f2298cde9
[ 75.050590][ T5321] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 75.059317][ T5321] RSP: 002b:00007f3f23823038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 75.062336][ T5321] RAX: ffffffffffffffda RBX: 00007f3f22ba6160 RCX: 00007f3f2298cde9
[ 75.065207][ T5321] RDX: 0000000000020840 RSI: 0000400000000880 RDI: 00000000ffffff9c
[ 75.068206][ T5321] RBP: 00007f3f22a0e2a0 R08: 0000000000000000 R09: 0000000000000000
[ 75.071319][ T5321] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 75.074340][ T5321] R13: 0000000000000001 R14: 00007f3f22ba6160 R15: 00007ffd651eef58
[ 75.077300][ T5321]
[ 75.078814][ T5321] Kernel Offset: disabled
[ 75.080523][ T5321] Rebooting in 86400 seconds..