program: prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x88}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000240)=0x7) getpid() sched_setscheduler(0x0, 0x5, &(0x7f0000000200)=0x7) r0 = socket(0x40000000015, 0x5, 0x0) connect$inet(r0, &(0x7f0000000040)={0x2, 0x4e20, @loopback}, 0x10) (async) connect$inet(r0, &(0x7f0000000040)={0x2, 0x4e20, @loopback}, 0x10) bind$inet(r0, &(0x7f0000000340)={0x2, 0x4e20, @loopback}, 0x57) (async) bind$inet(r0, &(0x7f0000000340)={0x2, 0x4e20, @loopback}, 0x57) sendmsg$NL80211_CMD_JOIN_MESH(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000002c0)=ANY=[], 0x1a000}}, 0x0) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000500)={&(0x7f0000000000)=@newtfilter={0x34, 0x2c, 0x6f14cf9ac61f9c9b, 0x70bd2a, 0x3, {0x0, 0x0, 0x0, 0x0, {0xfffa}, {0xb}, {0x1c, 0xfff9}}, [@filter_kind_options=@f_flower={{0xb}, {0x4}}]}, 0x34}}, 0x24000000) r1 = syz_usb_connect(0x2, 0x2d, &(0x7f0000000000)=ANY=[@ANYBLOB="120100000cb768405e0483020b990102030109021b0001000000000904000001012920000905"], 0x0) syz_usb_control_io$hid(r1, 0x0, 0x0) (async) syz_usb_control_io$hid(r1, 0x0, 0x0) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) (async) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="0200300c000800"], 0x11) ioctl$FS_IOC_SET_ENCRYPTION_POLICY(0xffffffffffffffff, 0x40086602, 0x0) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_role_change={{0x12, 0x8}}}, 0xb) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) (async) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) syz_open_dev$audion(&(0x7f00000011c0), 0x3, 0x8c4201) (async) syz_open_dev$audion(&(0x7f00000011c0), 0x3, 0x8c4201) r2 = socket$can_raw(0x1d, 0x3, 0x1) r3 = socket$phonet(0x23, 0x2, 0x1) setsockopt(r2, 0x65, 0x1, 
&(0x7f0000000080), 0x1d0) bind$can_raw(r2, &(0x7f0000000000), 0x10) ioctl$ifreq_SIOCGIFINDEX_vcan(r3, 0x8933, &(0x7f0000000080)={'vxcan1\x00'}) (async) ioctl$ifreq_SIOCGIFINDEX_vcan(r3, 0x8933, &(0x7f0000000080)={'vxcan1\x00', <r4=>0x0}) bind$can_raw(r2, &(0x7f00000000c0)={0x1d, r4}, 0x10) (async) bind$can_raw(r2, &(0x7f00000000c0)={0x1d, r4}, 0x10) sendmsg$rds(r0, &(0x7f0000001180)={0x0, 0x0, 0x0, 0x0, 0x0, 0x2, 0x10}, 0x0) r5 = socket(0x15, 0x5, 0x0) getsockopt(r5, 0x200000000114, 0x2711, &(0x7f0000032580)=""/102400, &(0x7f0000000000)=0x19000) (async) getsockopt(r5, 0x200000000114, 0x2711, &(0x7f0000032580)=""/102400, &(0x7f0000000000)=0x19000) [ 84.440547][ T5304] Bluetooth: hci0: command tx timeout [ 84.729386][ T5315] usb 5-1: new full-speed USB device number 2 using dummy_hcd [ 84.884697][ T5315] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x1 has invalid maxpacket 27750, setting to 64 [ 84.894461][ T5315] usb 5-1: New USB device found, idVendor=045e, idProduct=0283, bcdDevice=99.0b [ 84.899086][ T5315] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 84.903530][ T5315] usb 5-1: Product: syz [ 84.905441][ T5315] usb 5-1: Manufacturer: syz [ 84.907272][ T5315] usb 5-1: SerialNumber: syz [ 84.921654][ T5315] usb 5-1: config 0 descriptor?? [ 85.485790][ T4669] sysfs: cannot create duplicate filename '/devices/virtual/bluetooth/hci0/hci0:0' [ 85.490420][ T4669] CPU: 0 UID: 0 PID: 4669 Comm: kworker/u5:1 Not tainted syzkaller #0 PREEMPT(full) [ 85.490441][ T4669] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 85.490452][ T4669] Workqueue: hci0 hci_rx_work [ 85.490689][ T4669] Call Trace: [ 85.490697][ T4669] <TASK> [ 85.490706][ T4669] dump_stack_lvl+0xe8/0x150 [ 85.490735][ T4669] sysfs_create_dir_ns+0x271/0x2a0 [ 85.490758][ T4669] ? __pfx_sysfs_create_dir_ns+0x10/0x10 [ 85.490779][ T4669] ? 
do_raw_spin_unlock+0x4d/0x210 [ 85.490798][ T4669] kobject_add_internal+0x62b/0xd00 [ 85.490823][ T4669] kobject_add+0x163/0x240 [ 85.490843][ T4669] ? __pfx_kobject_add+0x10/0x10 [ 85.490860][ T4669] ? _raw_spin_unlock+0x28/0x50 [ 85.490883][ T4669] ? get_device_parent+0x366/0x3a0 [ 85.490959][ T4669] device_add+0x408/0xb70 [ 85.490978][ T4669] hci_conn_add_sysfs+0xd5/0x210 [ 85.491011][ T4669] le_conn_complete_evt+0xf1d/0x1430 [ 85.491039][ T4669] ? __pfx_le_conn_complete_evt+0x10/0x10 [ 85.491056][ T4669] ? __mutex_unlock_slowpath+0x1bd/0x7d0 [ 85.491074][ T4669] ? __pfx___mutex_lock+0x10/0x10 [ 85.491090][ T4669] ? __pfx___mutex_unlock_slowpath+0x10/0x10 [ 85.491102][ T4669] ? skb_pull_data+0xfb/0x200 [ 85.491120][ T4669] hci_le_enh_conn_complete_evt+0x189/0x490 [ 85.491140][ T4669] ? __pfx_hci_le_enh_conn_complete_evt+0x10/0x10 [ 85.491161][ T4669] hci_event_packet+0x7af/0x12c0 [ 85.491182][ T4669] ? __pfx_hci_le_meta_evt+0x10/0x10 [ 85.491199][ T4669] ? __pfx_hci_event_packet+0x10/0x10 [ 85.491218][ T4669] ? kcov_remote_start+0x49a/0x7a0 [ 85.491244][ T4669] ? hci_send_to_monitor+0xe2/0x590 [ 85.491269][ T4669] hci_rx_work+0x3ee/0x1030 [ 85.491290][ T4669] ? process_scheduled_works+0xa8d/0x18c0 [ 85.491312][ T4669] process_scheduled_works+0xb6e/0x18c0 [ 85.491371][ T4669] ? __pfx_process_scheduled_works+0x10/0x10 [ 85.491398][ T4669] ? assign_work+0x3d5/0x5e0 [ 85.491422][ T4669] worker_thread+0xa53/0xfc0 [ 85.491459][ T4669] kthread+0x388/0x470 [ 85.491476][ T4669] ? __pfx_worker_thread+0x10/0x10 [ 85.491494][ T4669] ? __pfx_kthread+0x10/0x10 [ 85.491509][ T4669] ret_from_fork+0x51e/0xb90 [ 85.491531][ T4669] ? __pfx_ret_from_fork+0x10/0x10 [ 85.491550][ T4669] ? __switch_to+0xc7d/0x1450 [ 85.491570][ T4669] ? __pfx_kthread+0x10/0x10 [ 85.491585][ T4669] ret_from_fork_asm+0x1a/0x30 [ 85.491619][ T4669] [ 85.491655][ T4669] kobject: kobject_add_internal failed for hci0:0 with -EEXIST, don't try to register things with the same name in the same directory. 
[ 85.624814][ T4669] Bluetooth: hci0: failed to register connection device [ 86.490368][ T4669] Bluetooth: hci0: command tx timeout [ 87.499806][ T5315] usb 5-1: USB disconnect, device number 2 [ 87.529617][ T5304] ================================================================== [ 87.532933][ T5304] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2a0 [ 87.535991][ T5304] Write of size 4 at addr ffff888036944010 by task kworker/u5:2/5304 [ 87.539520][ T5304] [ 87.540754][ T5304] CPU: 0 UID: 0 PID: 5304 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) [ 87.540768][ T5304] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 87.540776][ T5304] Workqueue: hci0 hci_cmd_sync_work [ 87.540792][ T5304] Call Trace: [ 87.540798][ T5304] [ 87.540805][ T5304] dump_stack_lvl+0xe8/0x150 [ 87.540825][ T5304] print_report+0xba/0x230 [ 87.540841][ T5304] ? hci_conn_drop+0x34/0x2a0 [ 87.540857][ T5304] kasan_report+0x117/0x150 [ 87.540873][ T5304] ? hci_conn_drop+0x34/0x2a0 [ 87.540891][ T5304] kasan_check_range+0x264/0x2c0 [ 87.540907][ T5304] hci_conn_drop+0x34/0x2a0 [ 87.540918][ T5304] ? __pfx_le_read_features_complete+0x10/0x10 [ 87.540935][ T5304] hci_cmd_sync_work+0x262/0x400 [ 87.540949][ T5304] ? process_scheduled_works+0xa8d/0x18c0 [ 87.540968][ T5304] process_scheduled_works+0xb6e/0x18c0 [ 87.540990][ T5304] ? __pfx_process_scheduled_works+0x10/0x10 [ 87.541011][ T5304] ? assign_work+0x3d5/0x5e0 [ 87.541028][ T5304] worker_thread+0xa53/0xfc0 [ 87.541055][ T5304] kthread+0x388/0x470 [ 87.541071][ T5304] ? __pfx_worker_thread+0x10/0x10 [ 87.541087][ T5304] ? __pfx_kthread+0x10/0x10 [ 87.541103][ T5304] ret_from_fork+0x51e/0xb90 [ 87.541122][ T5304] ? __pfx_ret_from_fork+0x10/0x10 [ 87.541150][ T5304] ? __switch_to+0xc7d/0x1450 [ 87.541167][ T5304] ? 
__pfx_kthread+0x10/0x10 [ 87.541180][ T5304] ret_from_fork_asm+0x1a/0x30 [ 87.541203][ T5304] [ 87.541208][ T5304] [ 87.609018][ T5304] Allocated by task 5304: [ 87.610780][ T5304] kasan_save_track+0x3e/0x80 [ 87.612563][ T5304] __kasan_kmalloc+0x93/0xb0 [ 87.614821][ T5304] __kmalloc_cache_noprof+0x31c/0x660 [ 87.617456][ T5304] __hci_conn_add+0x3c4/0x1e00 [ 87.620243][ T5304] le_conn_complete_evt+0x706/0x1430 [ 87.623000][ T5304] hci_le_enh_conn_complete_evt+0x189/0x490 [ 87.625731][ T5304] hci_event_packet+0x7af/0x12c0 [ 87.628253][ T5304] hci_rx_work+0x3ee/0x1030 [ 87.630327][ T5304] process_scheduled_works+0xb6e/0x18c0 [ 87.632956][ T5304] worker_thread+0xa53/0xfc0 [ 87.635682][ T5304] kthread+0x388/0x470 [ 87.638106][ T5304] ret_from_fork+0x51e/0xb90 [ 87.640233][ T5304] ret_from_fork_asm+0x1a/0x30 [ 87.642314][ T5304] [ 87.643351][ T5304] Freed by task 4669: [ 87.645201][ T5304] kasan_save_track+0x3e/0x80 [ 87.647433][ T5304] kasan_save_free_info+0x46/0x50 [ 87.650375][ T5304] __kasan_slab_free+0x5c/0x80 [ 87.653298][ T5304] kfree+0x1c1/0x630 [ 87.655549][ T5304] device_release+0x9e/0x1d0 [ 87.657590][ T5304] kobject_put+0x228/0x560 [ 87.659595][ T5304] hci_conn_del+0xc36/0x1230 [ 87.661654][ T5304] hci_disconn_complete_evt+0x64e/0x950 [ 87.664172][ T5304] hci_event_packet+0x805/0x12c0 [ 87.666501][ T5304] hci_rx_work+0x3ee/0x1030 [ 87.668576][ T5304] process_scheduled_works+0xb6e/0x18c0 [ 87.671232][ T5304] worker_thread+0xa53/0xfc0 [ 87.673530][ T5304] kthread+0x388/0x470 [ 87.675642][ T5304] ret_from_fork+0x51e/0xb90 [ 87.677974][ T5304] ret_from_fork_asm+0x1a/0x30 [ 87.680164][ T5304] [ 87.681137][ T5304] The buggy address belongs to the object at ffff888036944000 [ 87.681137][ T5304] which belongs to the cache kmalloc-8k of size 8192 [ 87.687174][ T5304] The buggy address is located 16 bytes inside of [ 87.687174][ T5304] freed 8192-byte region [ffff888036944000, ffff888036946000) [ 87.692922][ T5304] [ 87.694042][ T5304] The buggy address belongs to 
the physical page: [ 87.697013][ T5304] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36940 [ 87.701174][ T5304] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 87.705336][ T5304] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) [ 87.708753][ T5304] page_type: f5(slab) [ 87.710585][ T5304] raw: 04fff00000000040 ffff88801ac42280 dead000000000122 0000000000000000 [ 87.714867][ T5304] raw: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000 [ 87.719471][ T5304] head: 04fff00000000040 ffff88801ac42280 dead000000000122 0000000000000000 [ 87.723390][ T5304] head: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000 [ 87.727480][ T5304] head: 04fff00000000003 ffffea0000da5001 00000000ffffffff 00000000ffffffff [ 87.731614][ T5304] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 87.736242][ T5304] page dumped because: kasan: bad access detected [ 87.739431][ T5304] page_owner tracks the page as allocated [ 87.741955][ T5304] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5315, tgid 5315 (kworker/0:4), ts 84943257164, free_ts 84520018217 [ 87.752159][ T5304] post_alloc_hook+0x231/0x280 [ 87.754502][ T5304] get_page_from_freelist+0x24dc/0x2580 [ 87.756959][ T5304] __alloc_frozen_pages_noprof+0x18d/0x380 [ 87.759677][ T5304] allocate_slab+0x77/0x660 [ 87.761831][ T5304] refill_objects+0x331/0x3c0 [ 87.764066][ T5304] __pcs_replace_empty_main+0x2e6/0x730 [ 87.767358][ T5304] __kmalloc_cache_noprof+0x392/0x660 [ 87.770892][ T5304] snd_usb_add_endpoint+0xea/0x460 [ 87.773521][ T5304] create_fixed_stream_quirk+0x546/0xa30 [ 87.776086][ T5304] create_composite_quirk+0x1f6/0x4f0 [ 87.778709][ T5304] usb_audio_probe+0x11e4/0x2330 [ 87.780791][ T5304] usb_probe_interface+0x668/0xc90 [ 87.782951][ T5304] really_probe+0x267/0xaf0 [ 87.785353][ T5304] 
__driver_probe_device+0x18c/0x320 [ 87.788212][ T5304] driver_probe_device+0x4f/0x240 [ 87.791452][ T5304] __device_attach_driver+0x279/0x430 [ 87.794193][ T5304] page last free pid 24 tgid 24 stack trace: [ 87.797375][ T5304] __free_frozen_pages+0xc2b/0xdb0 [ 87.799829][ T5304] __slab_free+0x263/0x2b0 [ 87.802040][ T5304] qlist_free_all+0x97/0x100 [ 87.804646][ T5304] kasan_quarantine_reduce+0x148/0x160 [ 87.807927][ T5304] __kasan_slab_alloc+0x22/0x80 [ 87.810145][ T5304] kmem_cache_alloc_node_noprof+0x384/0x690 [ 87.812704][ T5304] __alloc_skb+0x1d0/0x7d0 [ 87.814720][ T5304] mld_newpack+0x14c/0xc90 [ 87.816747][ T5304] add_grhead+0x5a/0x2a0 [ 87.819028][ T5304] add_grec+0x1452/0x1740 [ 87.821722][ T5304] mld_send_initial_cr+0x288/0x550 [ 87.823983][ T5304] ipv6_mc_dad_complete+0x88/0x540 [ 87.826558][ T5304] addrconf_dad_completed+0x8a7/0xe60 [ 87.829057][ T5304] addrconf_dad_work+0xc5e/0x14c0 [ 87.831566][ T5304] process_scheduled_works+0xb6e/0x18c0 [ 87.834433][ T5304] worker_thread+0xa53/0xfc0 [ 87.836769][ T5304] [ 87.838108][ T5304] Memory state around the buggy address: [ 87.840766][ T5304] ffff888036943f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 87.844519][ T5304] ffff888036943f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 87.847868][ T5304] >ffff888036944000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 87.851375][ T5304] ^ [ 87.853902][ T5304] ffff888036944080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 87.857653][ T5304] ffff888036944100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 87.861054][ T5304] ================================================================== [ 87.868567][ T5304] Kernel panic - not syncing: KASAN: panic_on_warn set ... 
[ 87.872100][ T5304] CPU: 0 UID: 0 PID: 5304 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) [ 87.876226][ T5304] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 87.880844][ T5304] Workqueue: hci0 hci_cmd_sync_work [ 87.883734][ T5304] Call Trace: [ 87.885655][ T5304] [ 87.887169][ T5304] vpanic+0x56c/0xa60 [ 87.888977][ T5304] ? __pfx_vpanic+0x10/0x10 [ 87.890891][ T5304] panic+0xc5/0xd0 [ 87.892484][ T5304] ? __pfx_panic+0x10/0x10 [ 87.894468][ T5304] ? preempt_schedule_thunk+0x16/0x30 [ 87.896859][ T5304] ? preempt_schedule_thunk+0x16/0x30 [ 87.899483][ T5304] ? hci_conn_drop+0x34/0x2a0 [ 87.901914][ T5304] check_panic_on_warn+0x89/0xb0 [ 87.903898][ T5304] ? hci_conn_drop+0x34/0x2a0 [ 87.906057][ T5304] end_report+0x73/0x180 [ 87.907866][ T5304] ? hci_conn_drop+0x34/0x2a0 [ 87.909930][ T5304] kasan_report+0x128/0x150 [ 87.912165][ T5304] ? hci_conn_drop+0x34/0x2a0 [ 87.914644][ T5304] kasan_check_range+0x264/0x2c0 [ 87.917106][ T5304] hci_conn_drop+0x34/0x2a0 [ 87.919138][ T5304] ? __pfx_le_read_features_complete+0x10/0x10 [ 87.921726][ T5304] hci_cmd_sync_work+0x262/0x400 [ 87.923528][ T5304] ? process_scheduled_works+0xa8d/0x18c0 [ 87.925929][ T5304] process_scheduled_works+0xb6e/0x18c0 [ 87.928305][ T5304] ? __pfx_process_scheduled_works+0x10/0x10 [ 87.931186][ T5304] ? assign_work+0x3d5/0x5e0 [ 87.934126][ T5304] worker_thread+0xa53/0xfc0 [ 87.936582][ T5304] kthread+0x388/0x470 [ 87.938308][ T5304] ? __pfx_worker_thread+0x10/0x10 [ 87.940394][ T5304] ? __pfx_kthread+0x10/0x10 [ 87.942437][ T5304] ret_from_fork+0x51e/0xb90 [ 87.944163][ T5304] ? __pfx_ret_from_fork+0x10/0x10 [ 87.946254][ T5304] ? __switch_to+0xc7d/0x1450 [ 87.948148][ T5304] ? __pfx_kthread+0x10/0x10 [ 87.950069][ T5304] ret_from_fork_asm+0x1a/0x30 [ 87.952202][ T5304] [ 87.953914][ T5304] Kernel Offset: disabled [ 87.955908][ T5304] Rebooting in 86400 seconds..