program:
# Reproducer for the "KASAN: slab-use-after-free in l2cap_connect_cfm" report in the
# console log that follows this program.
#
# Triage summary, taken from the stacks in that log:
#   - Allocation: l2cap_chan_create, reached from l2cap_connect_cfm through
#     l2cap_sock_new_connection_cb, on the hci0 hci_rx_work worker (task 4654).
#   - Free: kfree in l2cap_sock_cleanup_listen, reached from l2cap_sock_release /
#     sock_close, on a different task (5326).
#   - Faulting read: 8 bytes at offset 1152 of the freed kmalloc-2k object, again in
#     l2cap_connect_cfm on task 4654.
# NOTE(review): this looks like the listening socket being torn down while the RX
# worker is still using the child channel it just created, i.e. a missing
# reference or lock across that window. Confirm against the L2CAP source.
# The close of r0 is not part of the program text; presumably it comes from the
# executor closing descriptors. Confirm.
# The "cannot create duplicate filename .../hci0:201" warning earlier in the log
# shows a connection with handle 201 was already registered, so the event on the
# syz_emit_vhci line was presumably delivered more than once (repeated runs). Confirm.

# AF_BLUETOOTH (0x1f), SOCK_SEQPACKET (0x5), BTPROTO_L2CAP (0x0) socket.
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x5, 0x0)
# sockaddr_l2 fields in order: family 0x1f, psm 0x0, bdaddr any, cid 0x4,
# bdaddr_type 0x1; length 0xe. CID 0x4 is the ATT fixed channel and address
# type 0x1 is LE public, so this binds an LE fixed-channel listener.
bind$bt_l2cap(r0, &(0x7f0000000000)={0x1f, 0x0, @any, 0x4, 0x1}, 0xe)
# Put the socket into the listening state; 0x90004 is the backlog value as given.
listen(r0, 0x90004)
# Feed raw HCI bytes to the virtual controller. Decoded blob: 0x04 = HCI event
# packet, 0x3e = LE Meta event, 0x13 = parameter length, 0x01 = LE Connection
# Complete subevent, 0x00 = status success, 0x00c9 = connection handle (201,
# matching "hci0:201" in the log), 0x01 = role. Only 8 bytes are spelled out for
# a 0x16-byte length; the remainder is presumably zero-filled. Confirm.
syz_emit_vhci(&(0x7f0000000140)=ANY=[@ANYBLOB="043e130100c90001"], 0x16)
# Poll the listening socket (event mask 0x60) with a null timeout and signal mask.
ppoll(&(0x7f00000000c0)=[{r0, 0x60}], 0x1, 0x0, 0x0, 0x0)
[ T4654] Bluetooth: hci0: command tx timeout
[ 86.062195][ T4654] sysfs: cannot create duplicate filename '/devices/virtual/bluetooth/hci0/hci0:201'
[ 86.067859][ T4654] CPU: 0 UID: 0 PID: 4654 Comm: kworker/u5:1 Not tainted syzkaller #0 PREEMPT(full)
[ 86.067878][ T4654] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 86.067887][ T4654] Workqueue: hci0 hci_rx_work
[ 86.068008][ T4654] Call Trace:
[ 86.068014][ T4654]
[ 86.068020][ T4654] dump_stack_lvl+0xe8/0x150
[ 86.068037][ T4654] sysfs_create_dir_ns+0x271/0x2a0
[ 86.068054][ T4654] ? __pfx_sysfs_create_dir_ns+0x10/0x10
[ 86.068068][ T4654] ? do_raw_spin_unlock+0x4d/0x210
[ 86.068107][ T4654] kobject_add_internal+0x62b/0xd00
[ 86.068132][ T4654] kobject_add+0x163/0x240
[ 86.068160][ T4654] ? __pfx_kobject_add+0x10/0x10
[ 86.068180][ T4654] ? _raw_spin_unlock+0x28/0x50
[ 86.068198][ T4654] ? get_device_parent+0x366/0x3a0
[ 86.068246][ T4654] device_add+0x408/0xbb0
[ 86.068269][ T4654] hci_conn_add_sysfs+0xd5/0x210
[ 86.068289][ T4654] le_conn_complete_evt+0x10e6/0x16b0
[ 86.068310][ T4654] ? __pfx_le_conn_complete_evt+0x10/0x10
[ 86.068322][ T4654] ? __mutex_unlock_slowpath+0x1be/0x6f0
[ 86.068339][ T4654] ? __asan_memcpy+0x40/0x70
[ 86.068354][ T4654] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 86.068370][ T4654] ? skb_pull_data+0xfb/0x200
[ 86.068390][ T4654] hci_le_conn_complete_evt+0x187/0x470
[ 86.068406][ T4654] hci_event_packet+0x659/0xef0
[ 86.068428][ T4654] ? __pfx_hci_le_meta_evt+0x10/0x10
[ 86.068440][ T4654] ? __pfx_hci_event_packet+0x10/0x10
[ 86.068460][ T4654] ? kcov_remote_start+0x49a/0x7a0
[ 86.068478][ T4654] ? hci_send_to_monitor+0xe2/0x590
[ 86.068494][ T4654] hci_rx_work+0x3ee/0x1040
[ 86.068514][ T4654] ? process_scheduled_works+0xa70/0x1860
[ 86.068529][ T4654] process_scheduled_works+0xb5d/0x1860
[ 86.068557][ T4654] ? __pfx_process_scheduled_works+0x10/0x10
[ 86.068573][ T4654] ? assign_work+0x3d5/0x5e0
[ 86.068589][ T4654] worker_thread+0xa53/0xfc0
[ 86.068617][ T4654] kthread+0x388/0x470
[ 86.068632][ T4654] ? __pfx_worker_thread+0x10/0x10
[ 86.068642][ T4654] ? __pfx_kthread+0x10/0x10
[ 86.068657][ T4654] ret_from_fork+0x514/0xb70
[ 86.068671][ T4654] ? __pfx_ret_from_fork+0x10/0x10
[ 86.068683][ T4654] ? __switch_to+0xc79/0x1410
[ 86.068701][ T4654] ? __pfx_kthread+0x10/0x10
[ 86.068716][ T4654] ret_from_fork_asm+0x1a/0x30
[ 86.068741][ T4654]
[ 86.068765][ T4654] kobject: kobject_add_internal failed for hci0:201 with -EEXIST, don't try to register things with the same name in the same directory.
[ 86.186948][ T4654] Bluetooth: hci0: failed to register connection device
[ 86.204004][ T4654] ==================================================================
[ 86.207587][ T4654] BUG: KASAN: slab-use-after-free in l2cap_connect_cfm+0x902/0x1560
[ 86.210990][ T4654] Read of size 8 at addr ffff888037fd8480 by task kworker/u5:1/4654
[ 86.214414][ T4654]
[ 86.215492][ T4654] CPU: 0 UID: 0 PID: 4654 Comm: kworker/u5:1 Not tainted syzkaller #0 PREEMPT(full)
[ 86.215509][ T4654] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 86.215518][ T4654] Workqueue: hci0 hci_rx_work
[ 86.215542][ T4654] Call Trace:
[ 86.215549][ T4654]
[ 86.215556][ T4654] dump_stack_lvl+0xe8/0x150
[ 86.215572][ T4654] print_address_description+0x55/0x1e0
[ 86.215586][ T4654] ? l2cap_connect_cfm+0x902/0x1560
[ 86.215600][ T4654] print_report+0x58/0x70
[ 86.215611][ T4654] kasan_report+0x117/0x150
[ 86.215627][ T4654] ? l2cap_connect_cfm+0x902/0x1560
[ 86.215642][ T4654] l2cap_connect_cfm+0x902/0x1560
[ 86.215659][ T4654] ? __pfx_l2cap_connect_cfm+0x10/0x10
[ 86.215671][ T4654] ? __pfx_bt_err+0x10/0x10
[ 86.215689][ T4654] ? __pfx_l2cap_connect_cfm+0x10/0x10
[ 86.215701][ T4654] hci_connect_cfm+0x95/0x140
[ 86.215712][ T4654] le_conn_complete_evt+0x1134/0x16b0
[ 86.215726][ T4654] ? __pfx_le_conn_complete_evt+0x10/0x10
[ 86.215737][ T4654] ? __mutex_unlock_slowpath+0x1be/0x6f0
[ 86.215754][ T4654] ? __asan_memcpy+0x40/0x70
[ 86.215766][ T4654] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 86.215781][ T4654] ? skb_pull_data+0xfb/0x200
[ 86.215797][ T4654] hci_le_conn_complete_evt+0x187/0x470
[ 86.215809][ T4654] hci_event_packet+0x659/0xef0
[ 86.215825][ T4654] ? __pfx_hci_le_meta_evt+0x10/0x10
[ 86.215834][ T4654] ? __pfx_hci_event_packet+0x10/0x10
[ 86.215849][ T4654] ? kcov_remote_start+0x49a/0x7a0
[ 86.215866][ T4654] ? hci_send_to_monitor+0xe2/0x590
[ 86.215880][ T4654] hci_rx_work+0x3ee/0x1040
[ 86.215896][ T4654] ? process_scheduled_works+0xa70/0x1860
[ 86.215908][ T4654] process_scheduled_works+0xb5d/0x1860
[ 86.215927][ T4654] ? __pfx_process_scheduled_works+0x10/0x10
[ 86.215939][ T4654] ? assign_work+0x3d5/0x5e0
[ 86.215949][ T4654] worker_thread+0xa53/0xfc0
[ 86.215966][ T4654] kthread+0x388/0x470
[ 86.215980][ T4654] ? __pfx_worker_thread+0x10/0x10
[ 86.215992][ T4654] ? __pfx_kthread+0x10/0x10
[ 86.216004][ T4654] ret_from_fork+0x514/0xb70
[ 86.216017][ T4654] ? __pfx_ret_from_fork+0x10/0x10
[ 86.216028][ T4654] ? __switch_to+0xc79/0x1410
[ 86.216045][ T4654] ? __pfx_kthread+0x10/0x10
[ 86.216058][ T4654] ret_from_fork_asm+0x1a/0x30
[ 86.216076][ T4654]
[ 86.216079][ T4654]
[ 86.314105][ T4654] Allocated by task 4654:
[ 86.316313][ T4654] kasan_save_track+0x3e/0x80
[ 86.318366][ T4654] __kasan_kmalloc+0x93/0xb0
[ 86.320421][ T4654] __kmalloc_cache_noprof+0x31c/0x660
[ 86.322806][ T4654] l2cap_chan_create+0x51/0x790
[ 86.324968][ T4654] l2cap_sock_new_connection_cb+0x191/0x2f0
[ 86.327445][ T4654] l2cap_connect_cfm+0x368/0x1560
[ 86.329629][ T4654] hci_connect_cfm+0x95/0x140
[ 86.331881][ T4654] le_conn_complete_evt+0x1134/0x16b0
[ 86.334437][ T4654] hci_le_conn_complete_evt+0x187/0x470
[ 86.336874][ T4654] hci_event_packet+0x659/0xef0
[ 86.339067][ T4654] hci_rx_work+0x3ee/0x1040
[ 86.341124][ T4654] process_scheduled_works+0xb5d/0x1860
[ 86.343669][ T4654] worker_thread+0xa53/0xfc0
[ 86.345613][ T4654] kthread+0x388/0x470
[ 86.347379][ T4654] ret_from_fork+0x514/0xb70
[ 86.349438][ T4654] ret_from_fork_asm+0x1a/0x30
[ 86.351519][ T4654]
[ 86.352619][ T4654] Freed by task 5326:
[ 86.354399][ T4654] kasan_save_track+0x3e/0x80
[ 86.356460][ T4654] kasan_save_free_info+0x46/0x50
[ 86.358568][ T4654] __kasan_slab_free+0x5c/0x80
[ 86.360583][ T4654] kfree+0x1c5/0x640
[ 86.362242][ T4654] l2cap_sock_cleanup_listen+0xf0/0x440
[ 86.364654][ T4654] l2cap_sock_release+0x6a/0x230
[ 86.366762][ T4654] sock_close+0xc3/0x240
[ 86.368575][ T4654] __fput+0x44f/0xa60
[ 86.370331][ T4654] task_work_run+0x1d9/0x270
[ 86.372350][ T4654] exit_to_user_mode_loop+0xf3/0x4d0
[ 86.374595][ T4654] do_syscall_64+0x33e/0xf80
[ 86.376419][ T4654] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.378674][ T4654]
[ 86.379671][ T4654] The buggy address belongs to the object at ffff888037fd8000
[ 86.379671][ T4654] which belongs to the cache kmalloc-2k of size 2048
[ 86.385161][ T4654] The buggy address is located 1152 bytes inside of
[ 86.385161][ T4654] freed 2048-byte region [ffff888037fd8000, ffff888037fd8800)
[ 86.391418][ T4654]
[ 86.392465][ T4654] The buggy address belongs to the physical page:
[ 86.395241][ T4654] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888037fdc000 pfn:0x37fd8
[ 86.399486][ T4654] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 86.403199][ T4654] flags: 0x4fff00000000240(workingset|head|node=1|zone=1|lastcpupid=0x7ff)
[ 86.406958][ T4654] page_type: f5(slab)
[ 86.408670][ T4654] raw: 04fff00000000240 ffff88801ac42000 ffffea0000d9ca10 ffff888030400948
[ 86.412416][ T4654] raw: ffff888037fdc000 0000000800080004 00000000f5000000 0000000000000000
[ 86.416168][ T4654] head: 04fff00000000240 ffff88801ac42000 ffffea0000d9ca10 ffff888030400948
[ 86.419902][ T4654] head: ffff888037fdc000 0000000800080004 00000000f5000000 0000000000000000
[ 86.423535][ T4654] head: 04fff00000000003 fffffffffffffe01 00000000ffffffff 00000000ffffffff
[ 86.427099][ T4654] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 86.430711][ T4654] page dumped because: kasan: bad access detected
[ 86.433426][ T4654] page_owner tracks the page as allocated
[ 86.435838][ T4654] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 802, tgid 802 (kworker/0:2), ts 86182411394, free_ts 82704548490
[ 86.444629][ T4654] post_alloc_hook+0x231/0x280
[ 86.446641][ T4654] get_page_from_freelist+0x24ba/0x2540
[ 86.448908][ T4654] __alloc_frozen_pages_noprof+0x18d/0x380
[ 86.451597][ T4654] allocate_slab+0x77/0x660
[ 86.453957][ T4654] refill_objects+0x339/0x3d0
[ 86.456060][ T4654] __pcs_replace_empty_main+0x321/0x720
[ 86.458500][ T4654] __kmalloc_node_track_caller_noprof+0x572/0x7b0
[ 86.461385][ T4654] __alloc_skb+0x2c1/0x7d0
[ 86.463317][ T4654] mld_newpack+0x14c/0xc90
[ 86.465301][ T4654] add_grhead+0x5a/0x2a0
[ 86.467174][ T4654] add_grec+0x1452/0x1740
[ 86.469167][ T4654] mld_ifc_work+0x6e6/0xe70
[ 86.471194][ T4654] process_scheduled_works+0xb5d/0x1860
[ 86.473722][ T4654] worker_thread+0xa53/0xfc0
[ 86.475801][ T4654] kthread+0x388/0x470
[ 86.477584][ T4654] ret_from_fork+0x514/0xb70
[ 86.479602][ T4654] page last free pid 10 tgid 10 stack trace:
[ 86.482311][ T4654] __free_frozen_pages+0xbc7/0xd30
[ 86.484602][ T4654] __slab_free+0x274/0x2c0
[ 86.486535][ T4654] qlist_free_all+0x99/0x100
[ 86.488514][ T4654] kasan_quarantine_reduce+0x148/0x160
[ 86.490793][ T4654] __kasan_slab_alloc+0x22/0x80
[ 86.492971][ T4654] kmem_cache_alloc_node_noprof+0x384/0x690
[ 86.495611][ T4654] __alloc_skb+0x1d0/0x7d0
[ 86.497522][ T4654] mld_newpack+0x14c/0xc90
[ 86.499422][ T4654] add_grhead+0x5a/0x2a0
[ 86.501360][ T4654] add_grec+0x1452/0x1740
[ 86.503276][ T4654] mld_ifc_work+0x6e6/0xe70
[ 86.505311][ T4654] process_scheduled_works+0xb5d/0x1860
[ 86.507816][ T4654] worker_thread+0xa53/0xfc0
[ 86.509948][ T4654] kthread+0x388/0x470
[ 86.511828][ T4654] ret_from_fork+0x514/0xb70
[ 86.513954][ T4654] ret_from_fork_asm+0x1a/0x30
[ 86.516089][ T4654]
[ 86.517252][ T4654] Memory state around the buggy address:
[ 86.519724][ T4654] ffff888037fd8380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.523329][ T4654] ffff888037fd8400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.526932][ T4654] >ffff888037fd8480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.530489][ T4654] ^
[ 86.532220][ T4654] ffff888037fd8500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.535764][ T4654] ffff888037fd8580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.539152][ T4654] ==================================================================
[ 86.563940][ T4654] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 86.566879][ T4654] CPU: 0 UID: 0 PID: 4654 Comm: kworker/u5:1 Not tainted syzkaller #0 PREEMPT(full)
[ 86.570986][ T4654] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 86.575356][ T4654] Workqueue: hci0 hci_rx_work
[ 86.577449][ T4654] Call Trace:
[ 86.578943][ T4654]
[ 86.580220][ T4654] vpanic+0x56c/0xa60
[ 86.582025][ T4654] ? __pfx_vpanic+0x10/0x10
[ 86.583999][ T4654] panic+0xc5/0xd0
[ 86.585611][ T4654] ? __pfx_panic+0x10/0x10
[ 86.587412][ T4654] ? preempt_schedule_thunk+0x16/0x30
[ 86.589598][ T4654] ? l2cap_connect_cfm+0x902/0x1560
[ 86.591934][ T4654] ? preempt_schedule_thunk+0x16/0x30
[ 86.594303][ T4654] ? l2cap_connect_cfm+0x902/0x1560
[ 86.596630][ T4654] check_panic_on_warn+0x89/0xb0
[ 86.598829][ T4654] ? l2cap_connect_cfm+0x902/0x1560
[ 86.600878][ T4654] end_report+0x73/0x170
[ 86.602500][ T4654] ? l2cap_connect_cfm+0x902/0x1560
[ 86.604597][ T4654] kasan_report+0x128/0x150
[ 86.606563][ T4654] ? l2cap_connect_cfm+0x902/0x1560
[ 86.608880][ T4654] l2cap_connect_cfm+0x902/0x1560
[ 86.611169][ T4654] ? __pfx_l2cap_connect_cfm+0x10/0x10
[ 86.613765][ T4654] ? __pfx_bt_err+0x10/0x10
[ 86.615817][ T4654] ? __pfx_l2cap_connect_cfm+0x10/0x10
[ 86.618209][ T4654] hci_connect_cfm+0x95/0x140
[ 86.620319][ T4654] le_conn_complete_evt+0x1134/0x16b0
[ 86.622718][ T4654] ? __pfx_le_conn_complete_evt+0x10/0x10
[ 86.625223][ T4654] ? __mutex_unlock_slowpath+0x1be/0x6f0
[ 86.627564][ T4654] ? __asan_memcpy+0x40/0x70
[ 86.629622][ T4654] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 86.632463][ T4654] ? skb_pull_data+0xfb/0x200
[ 86.634684][ T4654] hci_le_conn_complete_evt+0x187/0x470
[ 86.637213][ T4654] hci_event_packet+0x659/0xef0
[ 86.639386][ T4654] ? __pfx_hci_le_meta_evt+0x10/0x10
[ 86.641780][ T4654] ? __pfx_hci_event_packet+0x10/0x10
[ 86.644180][ T4654] ? kcov_remote_start+0x49a/0x7a0
[ 86.646576][ T4654] ? hci_send_to_monitor+0xe2/0x590
[ 86.648758][ T4654] hci_rx_work+0x3ee/0x1040
[ 86.650670][ T4654] ? process_scheduled_works+0xa70/0x1860
[ 86.653176][ T4654] process_scheduled_works+0xb5d/0x1860
[ 86.655474][ T4654] ? __pfx_process_scheduled_works+0x10/0x10
[ 86.658087][ T4654] ? assign_work+0x3d5/0x5e0
[ 86.660105][ T4654] worker_thread+0xa53/0xfc0
[ 86.662166][ T4654] kthread+0x388/0x470
[ 86.663951][ T4654] ? __pfx_worker_thread+0x10/0x10
[ 86.666193][ T4654] ? __pfx_kthread+0x10/0x10
[ 86.668257][ T4654] ret_from_fork+0x514/0xb70
[ 86.670334][ T4654] ? __pfx_ret_from_fork+0x10/0x10
[ 86.672578][ T4654] ? __switch_to+0xc79/0x1410
[ 86.674601][ T4654] ? __pfx_kthread+0x10/0x10
[ 86.676680][ T4654] ret_from_fork_asm+0x1a/0x30
[ 86.678797][ T4654]
[ 86.680523][ T4654] Kernel Offset: disabled
[ 86.682624][ T4654] Rebooting in 86400 seconds..