program:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
bind$bt_l2cap(r0, &(0x7f0000000000)={0x1f, 0x0, @any, 0x4, 0x1}, 0xe)
listen(r0, 0x90004)
syz_emit_vhci(&(0x7f0000000140)=ANY=[@ANYBLOB="043e130100c90001"], 0x16)
ppoll(&(0x7f00000000c0)=[{r0, 0x60}], 0x1, 0x0, 0x0, 0x0)
[ 84.290678][ T5289] Bluetooth: hci0: command tx timeout
[ 84.295038][ T5289] sysfs: cannot create duplicate filename '/devices/virtual/bluetooth/hci0/hci0:201'
[ 84.300031][ T5289] CPU: 0 UID: 0 PID: 5289 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full)
[ 84.300049][ T5289] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 84.300057][ T5289] Workqueue: hci0 hci_rx_work
[ 84.300416][ T5289] Call Trace:
[ 84.300422][ T5289]
[ 84.300428][ T5289] dump_stack_lvl+0xe8/0x150
[ 84.300445][ T5289] sysfs_create_dir_ns+0x271/0x2a0
[ 84.300460][ T5289] ? __pfx_sysfs_create_dir_ns+0x10/0x10
[ 84.300475][ T5289] ? do_raw_spin_unlock+0x4d/0x210
[ 84.300495][ T5289] kobject_add_internal+0x62b/0xd00
[ 84.300514][ T5289] kobject_add+0x163/0x240
[ 84.300535][ T5289] ? __pfx_kobject_add+0x10/0x10
[ 84.300552][ T5289] ? _raw_spin_unlock+0x28/0x50
[ 84.300570][ T5289] ? get_device_parent+0x366/0x3a0
[ 84.300617][ T5289] device_add+0x408/0xbb0
[ 84.300633][ T5289] hci_conn_add_sysfs+0xd5/0x210
[ 84.300652][ T5289] le_conn_complete_evt+0x10e6/0x16b0
[ 84.300670][ T5289] ? __pfx_le_conn_complete_evt+0x10/0x10
[ 84.300680][ T5289] ? __mutex_unlock_slowpath+0x1be/0x6f0
[ 84.300696][ T5289] ? __asan_memcpy+0x40/0x70
[ 84.300718][ T5289] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 84.300733][ T5289] ? skb_pull_data+0xfb/0x200
[ 84.300752][ T5289] hci_le_conn_complete_evt+0x187/0x470
[ 84.300770][ T5289] hci_event_packet+0x659/0xef0
[ 84.300786][ T5289] ? trace_irq_disable+0x3b/0x140
[ 84.300805][ T5289] ? __pfx_hci_le_meta_evt+0x10/0x10
[ 84.300817][ T5289] ? __pfx_hci_event_packet+0x10/0x10
[ 84.300839][ T5289] ? hci_send_to_monitor+0xe2/0x590
[ 84.300855][ T5289] hci_rx_work+0x3ee/0x1040
[ 84.300877][ T5289] ? process_scheduled_works+0xa70/0x1860
[ 84.300890][ T5289] process_scheduled_works+0xb5d/0x1860
[ 84.300920][ T5289] ? __pfx_process_scheduled_works+0x10/0x10
[ 84.300936][ T5289] ? assign_work+0x3d5/0x5e0
[ 84.300950][ T5289] worker_thread+0xa53/0xfc0
[ 84.300975][ T5289] kthread+0x389/0x470
[ 84.300988][ T5289] ? __pfx_worker_thread+0x10/0x10
[ 84.300999][ T5289] ? __pfx_kthread+0x10/0x10
[ 84.301014][ T5289] ret_from_fork+0x514/0xb70
[ 84.301028][ T5289] ? __pfx_ret_from_fork+0x10/0x10
[ 84.301039][ T5289] ? __switch_to+0xc79/0x1410
[ 84.301059][ T5289] ? __pfx_kthread+0x10/0x10
[ 84.301073][ T5289] ret_from_fork_asm+0x1a/0x30
[ 84.301096][ T5289]
[ 84.301173][ T5289] kobject: kobject_add_internal failed for hci0:201 with -EEXIST, don't try to register things with the same name in the same directory.
[ 84.418250][ T5289] Bluetooth: hci0: failed to register connection device
[ 84.426693][ T5289] ==================================================================
[ 84.430288][ T5289] BUG: KASAN: slab-use-after-free in l2cap_connect_cfm+0x902/0x1560
[ 84.433813][ T5289] Read of size 8 at addr ffff888041246480 by task kworker/u5:2/5289
[ 84.437275][ T5289]
[ 84.438460][ T5289] CPU: 0 UID: 0 PID: 5289 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full)
[ 84.438478][ T5289] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 84.438486][ T5289] Workqueue: hci0 hci_rx_work
[ 84.438508][ T5289] Call Trace:
[ 84.438517][ T5289]
[ 84.438524][ T5289] dump_stack_lvl+0xe8/0x150
[ 84.438539][ T5289] print_address_description+0x55/0x1e0
[ 84.438558][ T5289] ? l2cap_connect_cfm+0x902/0x1560
[ 84.438572][ T5289] print_report+0x58/0x70
[ 84.438582][ T5289] kasan_report+0x117/0x150
[ 84.438600][ T5289] ? l2cap_connect_cfm+0x902/0x1560
[ 84.438615][ T5289] l2cap_connect_cfm+0x902/0x1560
[ 84.438631][ T5289] ? __pfx_l2cap_connect_cfm+0x10/0x10
[ 84.438645][ T5289] ? __pfx_bt_err+0x10/0x10
[ 84.438661][ T5289] ? __pfx_l2cap_connect_cfm+0x10/0x10
[ 84.438673][ T5289] hci_connect_cfm+0x95/0x140
[ 84.438684][ T5289] le_conn_complete_evt+0x1134/0x16b0
[ 84.438698][ T5289] ? __pfx_le_conn_complete_evt+0x10/0x10
[ 84.438709][ T5289] ? __mutex_unlock_slowpath+0x1be/0x6f0
[ 84.438724][ T5289] ? __asan_memcpy+0x40/0x70
[ 84.438735][ T5289] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 84.438749][ T5289] ? skb_pull_data+0xfb/0x200
[ 84.438765][ T5289] hci_le_conn_complete_evt+0x187/0x470
[ 84.438778][ T5289] hci_event_packet+0x659/0xef0
[ 84.438792][ T5289] ? trace_irq_disable+0x3b/0x140
[ 84.438808][ T5289] ? __pfx_hci_le_meta_evt+0x10/0x10
[ 84.438818][ T5289] ? __pfx_hci_event_packet+0x10/0x10
[ 84.438835][ T5289] ? hci_send_to_monitor+0xe2/0x590
[ 84.438849][ T5289] hci_rx_work+0x3ee/0x1040
[ 84.438866][ T5289] ? process_scheduled_works+0xa70/0x1860
[ 84.438877][ T5289] process_scheduled_works+0xb5d/0x1860
[ 84.438895][ T5289] ? __pfx_process_scheduled_works+0x10/0x10
[ 84.438908][ T5289] ? assign_work+0x3d5/0x5e0
[ 84.438924][ T5289] worker_thread+0xa53/0xfc0
[ 84.438941][ T5289] kthread+0x389/0x470
[ 84.438961][ T5289] ? __pfx_worker_thread+0x10/0x10
[ 84.438971][ T5289] ? __pfx_kthread+0x10/0x10
[ 84.438985][ T5289] ret_from_fork+0x514/0xb70
[ 84.438997][ T5289] ? __pfx_ret_from_fork+0x10/0x10
[ 84.439008][ T5289] ? __switch_to+0xc79/0x1410
[ 84.439023][ T5289] ? __pfx_kthread+0x10/0x10
[ 84.439036][ T5289] ret_from_fork_asm+0x1a/0x30
[ 84.439052][ T5289]
[ 84.439086][ T5289]
[ 84.533223][ T5289] Allocated by task 5289:
[ 84.535115][ T5289] kasan_save_track+0x3e/0x80
[ 84.537110][ T5289] __kasan_kmalloc+0x93/0xb0
[ 84.539203][ T5289] __kmalloc_cache_noprof+0x31c/0x660
[ 84.541508][ T5289] l2cap_chan_create+0x51/0x790
[ 84.543581][ T5289] l2cap_sock_new_connection_cb+0x191/0x2f0
[ 84.546209][ T5289] l2cap_connect_cfm+0x368/0x1560
[ 84.548378][ T5289] hci_connect_cfm+0x95/0x140
[ 84.550215][ T5289] le_conn_complete_evt+0x1134/0x16b0
[ 84.552425][ T5289] hci_le_conn_complete_evt+0x187/0x470
[ 84.554703][ T5289] hci_event_packet+0x659/0xef0
[ 84.556962][ T5289] hci_rx_work+0x3ee/0x1040
[ 84.559385][ T5289] process_scheduled_works+0xb5d/0x1860
[ 84.561965][ T5289] worker_thread+0xa53/0xfc0
[ 84.563905][ T5289] kthread+0x389/0x470
[ 84.565805][ T5289] ret_from_fork+0x514/0xb70
[ 84.567994][ T5289] ret_from_fork_asm+0x1a/0x30
[ 84.570056][ T5289]
[ 84.571020][ T5289] Freed by task 5326:
[ 84.572703][ T5289] kasan_save_track+0x3e/0x80
[ 84.574742][ T5289] kasan_save_free_info+0x46/0x50
[ 84.576977][ T5289] __kasan_slab_free+0x5c/0x80
[ 84.579177][ T5289] kfree+0x1c5/0x640
[ 84.580943][ T5289] l2cap_sock_cleanup_listen+0xf0/0x440
[ 84.583337][ T5289] l2cap_sock_release+0x6a/0x230
[ 84.585311][ T5289] sock_close+0xc3/0x240
[ 84.587082][ T5289] __fput+0x44f/0xa60
[ 84.588791][ T5289] task_work_run+0x1d9/0x270
[ 84.590714][ T5289] exit_to_user_mode_loop+0xf3/0x4d0
[ 84.593113][ T5289] do_syscall_64+0x33e/0xf80
[ 84.595117][ T5289] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.597474][ T5289]
[ 84.598507][ T5289] The buggy address belongs to the object at ffff888041246000
[ 84.598507][ T5289] which belongs to the cache kmalloc-2k of size 2048
[ 84.603745][ T5289] The buggy address is located 1152 bytes inside of
[ 84.603745][ T5289] freed 2048-byte region [ffff888041246000, ffff888041246800)
[ 84.609283][ T5289]
[ 84.610356][ T5289] The buggy address belongs to the physical page:
[ 84.613017][ T5289] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x41240
[ 84.616798][ T5289] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 84.620771][ T5289] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
[ 84.623939][ T5289] page_type: f5(slab)
[ 84.625670][ T5289] raw: 04fff00000000040 ffff88801ac42000 dead000000000100 dead000000000122
[ 84.629516][ T5289] raw: 0000000000000000 0000000800080008 00000000f5000000 0000000000000000
[ 84.633134][ T5289] head: 04fff00000000040 ffff88801ac42000 dead000000000100 dead000000000122
[ 84.636840][ T5289] head: 0000000000000000 0000000800080008 00000000f5000000 0000000000000000
[ 84.640224][ T5289] head: 04fff00000000003 fffffffffffffe01 00000000ffffffff 00000000ffffffff
[ 84.643868][ T5289] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 84.647097][ T5289] page dumped because: kasan: bad access detected
[ 84.649708][ T5289] page_owner tracks the page as allocated
[ 84.651984][ T5289] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5001, tgid 5001 (dhcpcd), ts 84273483967, free_ts 81921527683
[ 84.659945][ T5289] post_alloc_hook+0x231/0x280
[ 84.661883][ T5289] get_page_from_freelist+0x24ba/0x2540
[ 84.664410][ T5289] __alloc_frozen_pages_noprof+0x18d/0x380
[ 84.666653][ T5289] allocate_slab+0x77/0x660
[ 84.668458][ T5289] refill_objects+0x339/0x3d0
[ 84.670473][ T5289] __pcs_replace_empty_main+0x321/0x720
[ 84.672938][ T5289] __kmalloc_node_track_caller_noprof+0x572/0x7b0
[ 84.675738][ T5289] __alloc_skb+0x2c1/0x7d0
[ 84.677655][ T5289] igmpv3_newpack+0x164/0x11e0
[ 84.679809][ T5289] add_grhead+0x70/0x340
[ 84.681601][ T5289] add_grec+0x1122/0x13e0
[ 84.683404][ T5289] igmp_ifc_timer_expire+0x925/0x10d0
[ 84.685582][ T5289] call_timer_fn+0x192/0x5e0
[ 84.687531][ T5289] __run_timer_base+0x652/0x8b0
[ 84.689727][ T5289] run_timer_softirq+0xb7/0x170
[ 84.691959][ T5289] handle_softirqs+0x22a/0x840
[ 84.693961][ T5289] page last free pid 5288 tgid 5288 stack trace:
[ 84.696475][ T5289] __free_frozen_pages+0xbc7/0xd30
[ 84.698651][ T5289] __slab_free+0x274/0x2c0
[ 84.700403][ T5289] qlist_free_all+0x99/0x100
[ 84.702139][ T5289] kasan_quarantine_reduce+0x148/0x160
[ 84.704825][ T5289] __kasan_slab_alloc+0x22/0x80
[ 84.707397][ T5289] kmem_cache_alloc_lru_noprof+0x2b8/0x640
[ 84.709919][ T5289] sock_alloc_inode+0x2c/0x190
[ 84.711996][ T5289] alloc_inode+0x6a/0x1b0
[ 84.713811][ T5289] __sock_create+0x12d/0x9d0
[ 84.715807][ T5289] __sys_socket+0xd6/0x1b0
[ 84.717665][ T5289] __x64_sys_socket+0x7a/0x90
[ 84.719674][ T5289] do_syscall_64+0x15f/0xf80
[ 84.721449][ T5289] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.724062][ T5289]
[ 84.725106][ T5289] Memory state around the buggy address:
[ 84.727376][ T5289] ffff888041246380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 84.730655][ T5289] ffff888041246400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 84.733972][ T5289] >ffff888041246480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 84.737385][ T5289] ^
[ 84.739121][ T5289] ffff888041246500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 84.742418][ T5289] ffff888041246580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 84.745702][ T5289] ==================================================================
[ 84.760884][ T5289] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 84.764120][ T5289] CPU: 0 UID: 0 PID: 5289 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full)
[ 84.767603][ T5289] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 84.771857][ T5289] Workqueue: hci0 hci_rx_work
[ 84.773795][ T5289] Call Trace:
[ 84.775172][ T5289]
[ 84.776449][ T5289] vpanic+0x56c/0xa60
[ 84.778143][ T5289] ? __pfx_vpanic+0x10/0x10
[ 84.780107][ T5289] panic+0xc5/0xd0
[ 84.781682][ T5289] ? __pfx_panic+0x10/0x10
[ 84.783497][ T5289] ? preempt_schedule_thunk+0x16/0x30
[ 84.785577][ T5289] ? l2cap_connect_cfm+0x902/0x1560
[ 84.787631][ T5289] ? preempt_schedule_thunk+0x16/0x30
[ 84.790296][ T5289] ? l2cap_connect_cfm+0x902/0x1560
[ 84.792776][ T5289] check_panic_on_warn+0x89/0xb0
[ 84.794846][ T5289] ? l2cap_connect_cfm+0x902/0x1560
[ 84.797086][ T5289] end_report+0x73/0x170
[ 84.798836][ T5289] ? l2cap_connect_cfm+0x902/0x1560
[ 84.801116][ T5289] kasan_report+0x128/0x150
[ 84.803148][ T5289] ? l2cap_connect_cfm+0x902/0x1560
[ 84.805346][ T5289] l2cap_connect_cfm+0x902/0x1560
[ 84.807488][ T5289] ? __pfx_l2cap_connect_cfm+0x10/0x10
[ 84.809750][ T5289] ? __pfx_bt_err+0x10/0x10
[ 84.811696][ T5289] ? __pfx_l2cap_connect_cfm+0x10/0x10
[ 84.813985][ T5289] hci_connect_cfm+0x95/0x140
[ 84.815967][ T5289] le_conn_complete_evt+0x1134/0x16b0
[ 84.818133][ T5289] ? __pfx_le_conn_complete_evt+0x10/0x10
[ 84.820613][ T5289] ? __mutex_unlock_slowpath+0x1be/0x6f0
[ 84.822990][ T5289] ? __asan_memcpy+0x40/0x70
[ 84.824936][ T5289] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 84.827440][ T5289] ? skb_pull_data+0xfb/0x200
[ 84.829475][ T5289] hci_le_conn_complete_evt+0x187/0x470
[ 84.831837][ T5289] hci_event_packet+0x659/0xef0
[ 84.833986][ T5289] ? trace_irq_disable+0x3b/0x140
[ 84.836130][ T5289] ? __pfx_hci_le_meta_evt+0x10/0x10
[ 84.838273][ T5289] ? __pfx_hci_event_packet+0x10/0x10
[ 84.840560][ T5289] ? hci_send_to_monitor+0xe2/0x590
[ 84.842781][ T5289] hci_rx_work+0x3ee/0x1040
[ 84.844792][ T5289] ? process_scheduled_works+0xa70/0x1860
[ 84.847207][ T5289] process_scheduled_works+0xb5d/0x1860
[ 84.849541][ T5289] ? __pfx_process_scheduled_works+0x10/0x10
[ 84.852167][ T5289] ? assign_work+0x3d5/0x5e0
[ 84.854155][ T5289] worker_thread+0xa53/0xfc0
[ 84.855821][ T5289] kthread+0x389/0x470
[ 84.857522][ T5289] ? __pfx_worker_thread+0x10/0x10
[ 84.859733][ T5289] ? __pfx_kthread+0x10/0x10
[ 84.861639][ T5289] ret_from_fork+0x514/0xb70
[ 84.863767][ T5289] ? __pfx_ret_from_fork+0x10/0x10
[ 84.865971][ T5289] ? __switch_to+0xc79/0x1410
[ 84.867955][ T5289] ? __pfx_kthread+0x10/0x10
[ 84.870039][ T5289] ret_from_fork_asm+0x1a/0x30
[ 84.872589][ T5289]
[ 84.874418][ T5289] Kernel Offset: disabled
[ 84.876555][ T5289] Rebooting in 86400 seconds..