program: r0 = syz_open_dev$vcsa(&(0x7f0000000000), 0x9, 0x50040) ioctl$SIOCGETMIFCNT_IN6(r0, 0x89e0, &(0x7f0000000040)) syz_emit_vhci(&(0x7f0000000080)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x3, 0x0, 0x1e}, @l2cap_cid_le_signaling={{0x1a}, @l2cap_ecred_conn_req={{0x17, 0x1, 0x16}, {0x4, 0xf317, 0x4, 0x7, [0x2, 0x2, 0x97, 0x5, 0xd7, 0x7, 0x7]}}}}, 0x23) ioctl$NILFS_IOCTL_DELETE_CHECKPOINT(r0, 0x40086e81, &(0x7f00000000c0)=0x5) r1 = syz_clone(0x40200000, &(0x7f0000000100)="97a05deba9fe583633843c5bf2b64ef178466474158e0a9e4ce78e0495804d37bb2d6e7d500533ae75a4850a3eaa2f82cfc2227241d3b4b622a6a2e9706a6b6c50963a11a573fa4ccf94200da7edeab212766cc3dc947b10c50770bafd5591a591bd77b8460602fc35bc8f0996cbae637ed9e02461bd5bef32b94bc07706cccdd21569329bb0de23b61b3e35a2180411af51fbe095dbefc538897869da848eef7dae196c0d999fe2f1cae7753b473470bf107bf2069e545ae4dc87316cbe599e22752609e916fc0721d3269e850bda8d3435aad775769c9427da2f7886d29b9e596b", 0xe2, &(0x7f0000000200), &(0x7f0000000240), &(0x7f0000000280)) syz_emit_vhci(&(0x7f00000002c0)=@HCI_EVENT_PKT={0x4, @hci_ev_cmd_complete={{0xe, 0x4}, @HCI_OP_WRITE_CLASS_OF_DEV={{0x4}, 0x2c}}}, 0x7) recvmsg$unix(r0, &(0x7f0000000740)={&(0x7f0000000300), 0x6e, &(0x7f0000000680)=[{&(0x7f0000000380)=""/87, 0x57}, {&(0x7f0000000400)=""/222, 0xde}, {&(0x7f0000000500)=""/27, 0x1b}, {&(0x7f0000000540)=""/29, 0x1d}, {&(0x7f0000000580)=""/71, 0x47}, {&(0x7f0000000600)=""/124, 0x7c}], 0x6, &(0x7f0000000700)=[@rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @cred={{0x1c, 0x1, 0x2, {0x0}}}], 0x38}, 0x40) syz_emit_vhci(&(0x7f0000000780)=@HCI_VENDOR_PKT={0xff, 0x40}, 0x2) open$dir(&(0x7f00000007c0)='./file0\x00', 0x80400, 0x21) exit(0x8001) prlimit64(r1, 0x6, 0x0, &(0x7f0000000800)) r4 = syz_open_procfs(r3, &(0x7f0000000840)='wchan\x00') r5 = accept4$rose(r0, &(0x7f0000000880)=@short={0xb, @remote, @remote, 0x1, @bcast}, &(0x7f00000008c0)=0x1c, 0x0) ioctl$sock_SIOCGIFINDEX(r5, 0x8933, &(0x7f0000000900)={'veth0_to_team\x00'}) ioctl$SIOCAX25GETINFOOLD(r2, 0x89e9, &(0x7f0000000940)) r6 = openat$tun(0xffffffffffffff9c, &(0x7f0000000980), 0xa000, 0x0) mmap(&(0x7f0000ffe000/0x2000)=nil, 0x2000, 0x200000c, 0x100010, r6, 0xc91bd000) ioctl$AUTOFS_DEV_IOCTL_CATATONIC(r4, 0xc0189379, &(0x7f00000009c0)={{0x1, 0x1, 0x18, r0}, './file1\x00'}) ioctl$BTRFS_IOC_SUBVOL_CREATE(r7, 0x5000940e, &(0x7f0000000a00)={{r4}, "0f17f8f7137eaa63c64031eb0e1da86d2a4999a757950a4572661b4c066fd34d7c2f25fc9a5969b3c2fd027b9f4a1d84527fc53b3374efd3c17c24377370be01a6a46cc181b0dc30c845a26c188391f6bc8365e74cb99c48e9e086087b7195c6efead371023110ba34f22611a6b86247b0eab88f0ccfbcae528fabd1c6584661f47191c6d437f444e809c4d713f8b277218b2e68497e726b3101b6d37d217fdbea8549f11745e171bed436b0a3b53edf46a20e83c7d4ca835bc7c891833bd5943a7122b649cf071fa518dbe293db0368775048f897b7191b66e398e3d571fe51b7b26f5126230ae67d2a7422cdde2ee244ad434c7aa36205f052a62ba3e268e6b3d2622bcf197115b4f842d25c576f072701e1e06d4ec6ded48650adde14bbfdc70f2621d9c45363e394db4256f086d0559d034c9b1f654440f732ad5214c1ba187a59f5b3ba478a711ae704e07f1beb7b1408af02681c12a68cfe39e7daa41d1688277dc1f71aa65bf94323cbff252ea40a5521c9406aeff25e0e6aebc3e2a08eaf4f3462942b690146811213dad28e7ce43a6b39cbf624bb1e40de82126adb1f48310f978d1a3a674d33f7f40ce267485da95bb422973cf8728f4515912ef5139953eb8a2635e1e8c9190a49db91fb3e7141c429407f55b60eae838fd64e19f25a8f88c0d2664b1017ee7890fda562f405e044c82c758e87f3bb84edb3d8015ca7677129134d17561512046dbd0b1401f96134dd5c19f7341ed3d7d0c3d38a93908e022eda512c9ed73860eed3dc3bb3cd75d225f474abc29c2f1fc05a107ef863e304959cfe089870ba7e3a4a015b93cbe098e23a7ec21f2a0b32db48c42a03740c1b2eaccbe352d8780c568f47cf67b0307e12cb3c8c0d774549929f4da25eca07f07b33f32cecf5daadb40947351f54eb82a95168ece6267df583d1dc7833e9a6bc1b16fcbf695d8b58621408265e85307dc834d6041bed56af698ad2d1511ccfac8cc4ddcc2f1e8335fd77d8dee0cb2960ba47d58870949adf63903c856dd03716fc1e84685e7be5c27c414e6fa521c3d906333d974dc6eb6c9910d990e73ef7f789a99d3463bea45e392b921ea46b2a2e45f397a9de1fa796404251458524afaa03e47cbf10100167b2d42c4bdadb8825ba47f6b80f37ba0ed1ed2593ee231f9cf630dbf1d536bffcfeee3d542c3cb05da7f7a1ee5a3e9b5e61a230b42df5f7afb1535033bb61fc678a4a50ec2be5547969f58ba069a2865720128d0fdf8dd20a43662f1f20e9b99b39196fa2406116a20fe07734231fa32dc176c360b078499f3cf0dcda07ce2b5d749ebd578d3b99a9243728a34c6796723307311faf8602f174e2db31fd5e1022af8eb977dba73e99ecf6b3cf2a3d896ff9df17678e2f008bf5e5b0d7cef2a6adba351fb96aa83b71e1f3423f879e5968d5e61d6db8d6305b67216ea5e481bee0787b7722ee9199ab1a20e696a6f203b9f06720a6b7f856b4557bd58072f829f171d23e8fb7c7e9d9ea833932cdbe93903e00ed1ea56a6349f8209206d0feb04a0b774f1999cf68e7c86cbf63e491bbadafd7f09afb94add971f50ef8046d43091b6cb631ad8f2ad40ccb4b84528f38cd2b5dd5e37db9e88254bb212977a203742afd4d41dc545ff8feb712f2bc4f0979f64a9868062365ac3f0de810a5de9edd77c2d1562c90112bdabbb2fb04120006a639c8c0cb9a56c755f01a7b7bc574ed027bd799d0df0515bdb16fe8a943a8a3c1fc311741e298b9cce023a0c505ea3e78411536bb79b2aadd5dd196fd4be72a7f96ad52a211645688ddb3ab9c12f7bc7cdd0d7cf3e854f88f3d2589933b30276b4a4dc93ebd3d266ff7ec15b52a280130c9460172e15910fc2a0345140cd88c81ad58ab5fefdde5f86fec97adb3810fd28c6f933f6943697c36b7e0cdbc6a4a5ae507375890c6f19166a0222188f0f4d842f5940526c2f3cd099eed17ac03844b6cb23c565d3a2eb8888a5b9453f6eba157a8afbe05dfa2ca4a74316131b0d5614f913c64fcf05628daa8e7287c4c0768339ec4a4b6810da3e1fc434e413dff80a777ff4c233fc27f2aee6d5d017a8a50f725f4a62013bfbde190841d021c95ff8f8bb626a3e9487bedd190d262dfe2bd309e72795885a799441546bf6832acb43ca1c5af0519ef9aba37d96528a95cc83ced3b8e3bba888db180001333842bc3aefdbd02f6dac9db6a6f22e8a35ddfb624c128717c56291d23c717533e9922e14830d430736c4ef5ac02d138bbba92c2a166c2539a60bed93aae7336071b56f6effa276970c4ab8aebdb9c618c9ce3c6d207f5c8f13ce11278fc47152542e05cf9e9ad8c5bdb186ea28910e5419d74568afc69033f3724b1f2ba581a28e334eb8f764e1a224fd7c35c51442f117cbc4cb1692a0bcde4b9c2e73d8d79e429fcde58cd9a585290f202b2d900b0914a586c37d9248f76f84b8ecaaf40fd96cea5e825daa2ad8ea3687bde0b0826217647924cd0670a869be8ff8ddf8ddfdcdcd52c5599a596df04c4b48254ba255d46a96f8692cd55c131f3ab4db53ceb652e509691fdb9d5e4031078a72cfcc5872087a69a47ce9c070b977a4a53186690471edce83c030b0935230a40c38d1c3e7c1263f67feb4ee31d49acc743ff1c20e53a2870f309d4b7f0e99b8de54b862dc39834046bed10be6954e9af746ed791b4072d139c46b30518acd8fe8eb1713e2772a9a2fa5c8ee66cd74372e89e1dbdce1f21af355c59e1252f939e8a680b9b38b6c05a22b5b75d8bcb0d7a3c1e019a5bd7a154e8c1bbd2be751f620a5e1669d8023ed4edd3c11b455dfca1a0f1acb41696c51e732f82c9a4b1d319254394f3816ffc90d599a88c316db3ef0f6c39d7f6d89724893564fbdcc3c2a875080a2ce34409cb193d5b17eca8a6b0c6a2fb625cc651e686def19484b01d99ba133d65f07f47bb85a3dae9a4c0f1092c4afee11d1f1631506e71864f87844bdb267b4573044f7b5ab55b90b0cf671f8782f54fea304e04bb2ff167d2b803e4a0a828c67dae7616ab81448e407e9a1c8df97e0b58874632c16ee3ea8744bf58d25d1235716b2bef3c0dc20a2f35cfa016e1ef0b6008bbda772bcffb35628445432159d84f90c0887189f7b99ffe694211c06f27f22ea6bb828c267c0916b6e9179eab9d7d21aaa94ab0b3f7b3d0ee1caa1f84584934fb2882792f9c34b40085b285334a286d20c288776fb9ee56a38e713f6c78286dfe72deefbbf764f4ca04343f7eb693428a004e940248b49fab0036efec3428c29dd766728fec0aef5b80b1773445bbc8fd2b0a1554e9e0127accdab8aa0b0bd8a5215e33327d511f9ffd11536b7529b06ce6995bf40c6f4f1563d9ba02571ba059e820f19460556552bbd9ace03cf959b7e0d210f0225a7d05b9208c0e5716134074cf8166489eb926c61852819f92fe228e005d75ef81018f127138ee5a534d5467f24717f82d3a75932d331f6b1ec3ff3ac6c50eed45e129c84560413f137700b4924540e8a23b8b4f8d97ed33bf273211a8924a8fd1f2c62b58ef2f5fa5ab3546effdb6cba38ccf7ccd1c5dabcbf3d7f68411609b737826e824d043016a4a1c551ee15894e981f42df67ddba42ee9c82028964d47c3726f072335d9da8e359772c20a66c1bed401b55f4c58c43667978aab278ed5490690fb715e2b4bdc81e7715b8ddff99ab42ba0106fab2c7a07697bba06c064eb050fae694b2a614dc0d4f51cfd57d1d032f88b6be3e7e69c256b73267c088109fb15195ed50f3c024a3f3dbfc4a574d27817c0cd5ef1ffd65dcfc618aa6a0a0890c2521116349ebfa83072fc71e4c576064c6a39ec7d615ea2c8af1d4ed8c8c89559fd162382099c6dc8ba6ab72de1a649c6ca706d26beee898dac36d6d481663d5719490ca245ba0659f3808c7cd1d4904a99886b24a1cbd19a7154b208e601732ce65dbd28beb486cd4e21540c95fdf8bd6a0a7ea892912ad38edf169bf89253c406ee66a5ced2d4a44aac4f13565e7a5b87a5ced356fb38dee12376021a91acf0acd5e3a4a2f932901904dac3c28a498c4281a4a854b8fc436fe9ca46cd503e429ddf7ce7d399797a486a76fe2558b60943eee702bda4d7c1238a1e460c707c322e7a571810a83afdd1e5b5681370647bc790931bca0400764a5214ae85874c44f2787769fcd87b7e2df94b28bc2aa78dd4a57c8b5e4e2c8fcacef07e53158c6a25253b449901b88be9a0b2af2e2d1a5033a9f65f7b63534e9bcb5ad9885fab03e7567fc53cd22efe5d2d9c1f733a8d04706bcaac3544dc945a51f57bfed264a3bcd177c578ef1f398db96baa352077065a197c294681b3c193143042527727c003cb4bbdbb0a92df65d41ffe3e331ea2519edb9964f505e64cddf7dee44824a6b476d52e7801317ecedfda41a6a66128bec8328f6f95d028152a6475373ab132b012c4a6129ed4526251415e304f456c391abb2015bc6199a3dfb8bdc297c8bd2d78c7c190f33c4a832df1df04e07231917bd31c4f783fc4a8f9738bb2190160ed25bcdef74bec72d1d7320e493ab3ed546124a4e40441f63934baaf13c13956f720cfded91e2322abc826c24e850d17d6090d21e1be6d2bb165a833b8294334af08b93261c6a2900d5f70cfac00766bd045487f9b99a1f5160797a72703fddf1586a0696bdd754f90cb36bbf2051fcfdca84fd8241bb7ce56dc913372ca7a741d7d9c86c5b34a6d2b4b4211e89b3df23171f10aac45983e153ca8a1657b8b37ec5e4121546b4ef866d95ac8b37593bd2f1f9b76f9499ca2d280e7c14319d348867bf0f043f6631f4a6937f97330f81b3d2fbb57383d72633178ec3af183134c5a9fc089f2ea61ac46f3f20f1b3cf34f63fc4c1ebdc8d21d6ef9300b71b1d11e0775207515810859c982bd3615fba644e192cd1196f38e5b5b9c1eff5e877c50cdd148f73d5d7f8961b033df08caca7d44df228d83b1df46acca0e3232cbb83c922e211dca1cbb3f1167cdbba41ca50ac442248337623cece3210df656f94469e448af45571718cfef613053d2cf91d2859212feb8976d3f1e814a89d07e6f44f418ede9dadda6a06e088bbf618d1bad1e13dc17e91901e5398624ca71939f2549b1362edddb43f66cb25b1cdbf27ffba3b60a766631ffa84a5c54599b1718508fa6e5136618822a5c3d2b1de1ba202d6103a43772f6b7f7347aac8a709af0fbe688ed7762ca1dd73751772a6d102665ea3639247ff8d0ae8a3ed1d65840e2a7c6382bc420ef46a0fd483bd6b2d3da8fe73904900be6aa1d842df8f470c62e5757a538e0af6b46f1ac9dfb4e4ea4f3b66b88f15eb49ff723681a6ef577d087f8f60ca1b280bffc63749da91313a4fd4ab8654a70960ae0643885f27fd5a67c932f81201bce23d40ec4152f56300ae699cb08ec934a980e5204a91043140c2688f25570ec1ddbb918074443990fde96464e023acfa747095706163b43e9a4c1cab6d7453ede8caa0e44a956d1cae7ff6f6b9130d1c87ed05afe035a8320d9d19482441f7553db8190748017465ebae6f5f8df7f0a2e1de6d806ed719ee75c2e3eabfd896aeabc63e343778c9526ae8d216cd89399bdfb093213e0f2dca6f94812c32b578e8fcdf03787e406844cecfe11c762af240dbc921921e50a7ff0861b600bd82a47866f06f587bc276b2568e26b8613fd701e22ce776999d7ecd162f04e562b12e448164c3e165b298a316a20ebf4422a5f7b53dd6a5da4a91ac4e4c304bfd8da"}) socket(0x0, 0xa, 0xb0) syz_emit_vhci(&(0x7f0000001a00)=@HCI_VENDOR_PKT, 0x2) getsockopt$packet_int(r4, 0x107, 0xf, &(0x7f0000001a40), &(0x7f0000001a80)=0x4) mount$pvfs2(&(0x7f0000001ac0), &(0x7f0000001b00)='./file1\x00', &(0x7f0000001b40), 0x202800, &(0x7f0000001b80)={[{}, {'wchan\x00'}, {'\''}, {'/dev/net/tun\x00'}], [{@dont_measure}, {@obj_role={'obj_role', 0x3d, '-}'}}, {@dont_appraise}, {@appraise_type}, {@fsmagic={'fsmagic', 0x3d, 0xc982}}, {@audit}]}) exit(0xffffffff) ioctl$DRM_IOCTL_SYNCOBJ_FD_TO_HANDLE_FD(r4, 0xc01864c2, &(0x7f0000001c00)={0x0, 0x0, r0}) ioctl$DRM_IOCTL_SYNCOBJ_TIMELINE_WAIT(r4, 0xc03064ca, &(0x7f0000001cc0)={&(0x7f0000001c40)=[r8], &(0x7f0000001c80)=[0x80, 0x2, 0x31cc], 0x5, 0x1, 0x7}) ioctl$SECCOMP_IOCTL_NOTIF_RECV(r4, 0xc0502100, &(0x7f0000001d00)) bind$inet6(r0, &(0x7f0000001d80)={0xa, 0x4e21, 0x4, @dev={0xfe, 0x80, '\x00', 0xc}, 0x2ec}, 0x1c) fsetxattr$security_capability(r4, &(0x7f0000001dc0), &(0x7f0000001e00)=@v1={0x1000000, [{0x0, 0x7}]}, 0xc, 0x3) syz_emit_vhci(&(0x7f0000001e40)=@HCI_EVENT_PKT={0x4, @hci_ev_pscan_rep_mode={{0x20, 0x7}, {@none, 0x9a}}}, 0xa) [ 84.578413][ T5304] Bluetooth: hci0: command tx timeout [ 84.675423][ T5304] ================================================================== [ 84.680048][ T5304] BUG: KASAN: stack-out-of-bounds in l2cap_send_cmd+0x2a3/0xb90 [ 84.683698][ T5304] Read of size 22 at addr ffffc9000eea74e0 by task kworker/u5:2/5304 [ 84.687864][ T5304] [ 84.689462][ T5304] CPU: 0 UID: 0 PID: 5304 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) [ 84.689484][ T5304] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 84.689496][ T5304] Workqueue: hci0 hci_rx_work [ 84.689521][ T5304] Call Trace: [ 84.689531][ T5304] [ 84.689538][ T5304] dump_stack_lvl+0xe8/0x150 [ 84.689569][ T5304] print_report+0xba/0x230 [ 84.689588][ T5304] ? l2cap_send_cmd+0x2a3/0xb90 [ 84.689614][ T5304] kasan_report+0x117/0x150 [ 84.689630][ T5304] ? trace_kmem_cache_alloc+0x29/0xf0 [ 84.689649][ T5304] ? l2cap_send_cmd+0x2a3/0xb90 [ 84.689664][ T5304] kasan_check_range+0x264/0x2c0 [ 84.689681][ T5304] ? l2cap_send_cmd+0x2a3/0xb90 [ 84.689696][ T5304] __asan_memcpy+0x29/0x70 [ 84.689714][ T5304] l2cap_send_cmd+0x2a3/0xb90 [ 84.689731][ T5304] l2cap_recv_frame+0xc576/0x10580 [ 84.689750][ T5304] ? __lock_acquire+0x6b5/0x2cf0 [ 84.689767][ T5304] ? ret_from_fork_asm+0x1a/0x30 [ 84.689785][ T5304] ? unwind_next_frame+0xa5/0x23c0 [ 84.689805][ T5304] ? rcu_is_watching+0x15/0xb0 [ 84.689823][ T5304] ? lock_release+0x4b/0x3d0 [ 84.689838][ T5304] ? unwind_next_frame+0x1aaf/0x23c0 [ 84.689858][ T5304] ? unwind_next_frame+0xa5/0x23c0 [ 84.689875][ T5304] ? unwind_next_frame+0x1aaf/0x23c0 [ 84.689897][ T5304] ? __pfx_l2cap_recv_frame+0x10/0x10 [ 84.689912][ T5304] ? ret_from_fork_asm+0x1a/0x30 [ 84.689930][ T5304] ? ret_from_fork_asm+0x1a/0x30 [ 84.689949][ T5304] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 84.689965][ T5304] ? ret_from_fork_asm+0x1a/0x30 [ 84.689985][ T5304] ? stack_trace_save+0xa9/0x100 [ 84.689998][ T5304] ? __pfx_stack_trace_save+0x10/0x10 [ 84.690012][ T5304] ? check_path+0x21/0x40 [ 84.690029][ T5304] ? check_noncircular+0xda/0x150 [ 84.690048][ T5304] ? add_lock_to_list+0xc7/0x100 [ 84.690066][ T5304] ? lockdep_unlock+0x5d/0xd0 [ 84.690080][ T5304] ? __lock_acquire+0x146e/0x2cf0 [ 84.690100][ T5304] ? __mutex_trylock_common+0x158/0x260 [ 84.690120][ T5304] ? __pfx___mutex_trylock_common+0x10/0x10 [ 84.690140][ T5304] ? rcu_is_watching+0x15/0xb0 [ 84.690159][ T5304] ? trace_contention_end+0x3d/0x150 [ 84.690171][ T5304] ? __mutex_lock+0x319/0x1300 [ 84.690188][ T5304] ? l2cap_recv_acldata+0x2e3/0x13e0 [ 84.690205][ T5304] ? l2cap_recv_acldata+0x30b/0x13e0 [ 84.690221][ T5304] ? __mutex_unlock_slowpath+0x1bd/0x7d0 [ 84.690236][ T5304] ? __pfx___mutex_lock+0x10/0x10 [ 84.690249][ T5304] ? __pfx___mutex_unlock_slowpath+0x10/0x10 [ 84.690263][ T5304] ? l2cap_conn_hold_unless_zero+0x179/0x2b0 [ 84.690280][ T5304] ? __pfx_l2cap_conn_hold_unless_zero+0x10/0x10 [ 84.690299][ T5304] ? l2cap_recv_acldata+0x41/0x13e0 [ 84.690315][ T5304] l2cap_recv_acldata+0x7e9/0x13e0 [ 84.690333][ T5304] hci_rx_work+0x4f9/0x1030 [ 84.690349][ T5304] ? process_scheduled_works+0xa8d/0x18c0 [ 84.690366][ T5304] process_scheduled_works+0xb6e/0x18c0 [ 84.690392][ T5304] ? __pfx_process_scheduled_works+0x10/0x10 [ 84.690410][ T5304] ? assign_work+0x3d5/0x5e0 [ 84.690427][ T5304] worker_thread+0xa53/0xfc0 [ 84.690451][ T5304] kthread+0x388/0x470 [ 84.690464][ T5304] ? __pfx_worker_thread+0x10/0x10 [ 84.690481][ T5304] ? __pfx_kthread+0x10/0x10 [ 84.690493][ T5304] ret_from_fork+0x51e/0xb90 [ 84.690510][ T5304] ? __pfx_ret_from_fork+0x10/0x10 [ 84.690526][ T5304] ? __switch_to+0xc7d/0x1450 [ 84.690543][ T5304] ? __pfx_kthread+0x10/0x10 [ 84.690556][ T5304] ret_from_fork_asm+0x1a/0x30 [ 84.690579][ T5304] [ 84.690585][ T5304] [ 84.855007][ T5304] The buggy address belongs to stack of task kworker/u5:2/5304 [ 84.858242][ T5304] and is located at offset 128 in frame: [ 84.860726][ T5304] l2cap_recv_frame+0x0/0x10580 [ 84.862894][ T5304] [ 84.864179][ T5304] This frame has 26 objects: [ 84.866726][ T5304] [32, 34) 'rsp.i244.i.i' [ 84.866743][ T5304] [48, 88) 'chan.i.i.i' [ 84.869256][ T5304] [128, 146) 'pdu_u.i.i.i' [ 84.871572][ T5304] [192, 202) 'rsp.i94.i.i' [ 84.873635][ T5304] [224, 226) 'rsp.i.i.i110' [ 84.875699][ T5304] [240, 242) 'rej.i' [ 84.877792][ T5304] [256, 258) 'rej.i145.i' [ 84.879502][ T5304] [272, 274) 'rej.i143.i' [ 84.881495][ T5304] [288, 290) 'req.i229.i.i' [ 84.883455][ T5304] [304, 312) 'buf.i222.i.i' [ 84.885734][ T5304] [336, 348) 'buf29.i.i.i' [ 84.888179][ T5304] [368, 372) 'rsp49.i.i.i' [ 84.890457][ T5304] [384, 393) 'rfc.i.i118.i.i' [ 84.892264][ T5304] [416, 480) 'buf.i119.i.i' [ 84.894393][ T5304] [512, 576) 'req.i120.i.i' [ 84.896473][ T5304] [608, 617) 'rfc.i.i.i.i' [ 84.898510][ T5304] [640, 656) 'efs.i.i.i.i' [ 84.900468][ T5304] [672, 678) 'rej.i371.i.i.i' [ 84.902631][ T5304] [704, 710) 'rej.i.i.i.i' [ 84.904943][ T5304] [736, 800) 'rsp.i.i.i' [ 84.907306][ T5304] [832, 896) 'buf.i.i.i' [ 84.909587][ T5304] [928, 1056) 'req.i.i.i' [ 84.911628][ T5304] [1088, 1096) 'rsp.i.i.i.i' [ 84.913621][ T5304] [1120, 1122) 'info.i.i.i.i' [ 84.915756][ T5304] [1136, 1264) 'buf.i.i.i.i' [ 84.917858][ T5304] [1296, 1298) 'rej.i.i' [ 84.920341][ T5304] [ 84.923684][ T5304] The buggy address belongs to a 8-page vmalloc region starting at 0xffffc9000eea0000 allocated at copy_process+0x508/0x3cd0 [ 84.929439][ T5304] The buggy address belongs to the physical page: [ 84.932371][ T5304] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11f27 [ 84.936731][ T5304] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 84.940000][ T5304] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 84.944412][ T5304] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 84.949226][ T5304] page dumped because: kasan: bad access detected [ 84.952100][ T5304] page_owner tracks the page as allocated [ 84.954839][ T5304] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x29c2(GFP_NOWAIT|__GFP_HIGHMEM|__GFP_IO|__GFP_FS|__GFP_ZERO), pid 2, tgid 2 (kthreadd), ts 81315833566, free_ts 54048499955 [ 84.963368][ T5304] post_alloc_hook+0x231/0x280 [ 84.965843][ T5304] get_page_from_freelist+0x24dc/0x2580 [ 84.968563][ T5304] __alloc_frozen_pages_noprof+0x18d/0x380 [ 84.971455][ T5304] __alloc_pages_noprof+0xa/0x30 [ 84.973766][ T5304] __vmalloc_node_range_noprof+0x7be/0x1730 [ 84.976654][ T5304] __vmalloc_node_noprof+0xc2/0x100 [ 84.979505][ T5304] dup_task_struct+0x275/0x9a0 [ 84.982243][ T5304] copy_process+0x508/0x3cd0 [ 84.984581][ T5304] kernel_clone+0x248/0x8e0 [ 84.986573][ T5304] kernel_thread+0x13f/0x1b0 [ 84.988556][ T5304] kthreadd+0x4ec/0x6e0 [ 84.990368][ T5304] ret_from_fork+0x51e/0xb90 [ 84.992447][ T5304] ret_from_fork_asm+0x1a/0x30 [ 84.994551][ T5304] page last free pid 5153 tgid 5153 stack trace: [ 84.997757][ T5304] __free_frozen_pages+0xc2b/0xdb0 [ 85.000364][ T5304] __slab_free+0x263/0x2b0 [ 85.002515][ T5304] qlist_free_all+0x97/0x100 [ 85.004558][ T5304] kasan_quarantine_reduce+0x148/0x160 [ 85.006864][ T5304] __kasan_slab_alloc+0x22/0x80 [ 85.008991][ T5304] kmem_cache_alloc_noprof+0x2bc/0x650 [ 85.011719][ T5304] alloc_empty_file+0x55/0x1d0 [ 85.014308][ T5304] path_openat+0x10f/0x3860 [ 85.016586][ T5304] do_file_open+0x23e/0x4a0 [ 85.018463][ T5304] do_sys_openat2+0x113/0x200 [ 85.020479][ T5304] __x64_sys_openat+0x138/0x170 [ 85.022678][ T5304] do_syscall_64+0x14d/0xf80 [ 85.024711][ T5304] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.027685][ T5304] [ 85.028974][ T5304] Memory state around the buggy address: [ 85.032157][ T5304] ffffc9000eea7380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 85.035567][ T5304] ffffc9000eea7400: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 [ 85.039071][ T5304] >ffffc9000eea7480: f8 f2 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 00 00 02 f2 [ 85.042515][ T5304] ^ [ 85.045931][ T5304] ffffc9000eea7500: f2 f2 f2 f2 f8 f8 f2 f2 f8 f2 f8 f2 f8 f2 f8 f2 [ 85.050283][ T5304] ffffc9000eea7580: f8 f2 f8 f2 f2 f2 f8 f8 f2 f2 f8 f2 f8 f8 f2 f2 [ 85.054210][ T5304] ================================================================== [ 85.081751][ T5304] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 85.085635][ T5304] CPU: 0 UID: 0 PID: 5304 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) [ 85.090135][ T5304] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 85.094294][ T5304] Workqueue: hci0 hci_rx_work [ 85.096213][ T5304] Call Trace: [ 85.097692][ T5304] [ 85.098972][ T5304] vpanic+0x56c/0xa60 [ 85.100771][ T5304] ? __pfx_vpanic+0x10/0x10 [ 85.102791][ T5304] panic+0xc5/0xd0 [ 85.104582][ T5304] ? __pfx_panic+0x10/0x10 [ 85.106710][ T5304] ? preempt_schedule_thunk+0x16/0x30 [ 85.109256][ T5304] ? preempt_schedule_thunk+0x16/0x30 [ 85.111658][ T5304] ? l2cap_send_cmd+0x2a3/0xb90 [ 85.113862][ T5304] check_panic_on_warn+0x89/0xb0 [ 85.116013][ T5304] ? l2cap_send_cmd+0x2a3/0xb90 [ 85.118217][ T5304] end_report+0x73/0x180 [ 85.120318][ T5304] ? l2cap_send_cmd+0x2a3/0xb90 [ 85.123179][ T5304] kasan_report+0x128/0x150 [ 85.125458][ T5304] ? trace_kmem_cache_alloc+0x29/0xf0 [ 85.128083][ T5304] ? l2cap_send_cmd+0x2a3/0xb90 [ 85.130058][ T5304] kasan_check_range+0x264/0x2c0 [ 85.132254][ T5304] ? l2cap_send_cmd+0x2a3/0xb90 [ 85.134521][ T5304] __asan_memcpy+0x29/0x70 [ 85.136671][ T5304] l2cap_send_cmd+0x2a3/0xb90 [ 85.139042][ T5304] l2cap_recv_frame+0xc576/0x10580 [ 85.141591][ T5304] ? __lock_acquire+0x6b5/0x2cf0 [ 85.143863][ T5304] ? ret_from_fork_asm+0x1a/0x30 [ 85.145956][ T5304] ? unwind_next_frame+0xa5/0x23c0 [ 85.148210][ T5304] ? rcu_is_watching+0x15/0xb0 [ 85.150259][ T5304] ? lock_release+0x4b/0x3d0 [ 85.152423][ T5304] ? unwind_next_frame+0x1aaf/0x23c0 [ 85.155296][ T5304] ? unwind_next_frame+0xa5/0x23c0 [ 85.158049][ T5304] ? unwind_next_frame+0x1aaf/0x23c0 [ 85.160369][ T5304] ? __pfx_l2cap_recv_frame+0x10/0x10 [ 85.162691][ T5304] ? ret_from_fork_asm+0x1a/0x30 [ 85.164719][ T5304] ? ret_from_fork_asm+0x1a/0x30 [ 85.166801][ T5304] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 85.169380][ T5304] ? ret_from_fork_asm+0x1a/0x30 [ 85.171757][ T5304] ? stack_trace_save+0xa9/0x100 [ 85.174202][ T5304] ? __pfx_stack_trace_save+0x10/0x10 [ 85.177181][ T5304] ? check_path+0x21/0x40 [ 85.179281][ T5304] ? check_noncircular+0xda/0x150 [ 85.181540][ T5304] ? add_lock_to_list+0xc7/0x100 [ 85.183711][ T5304] ? lockdep_unlock+0x5d/0xd0 [ 85.185721][ T5304] ? __lock_acquire+0x146e/0x2cf0 [ 85.188091][ T5304] ? __mutex_trylock_common+0x158/0x260 [ 85.190768][ T5304] ? __pfx___mutex_trylock_common+0x10/0x10 [ 85.193812][ T5304] ? rcu_is_watching+0x15/0xb0 [ 85.196262][ T5304] ? trace_contention_end+0x3d/0x150 [ 85.198756][ T5304] ? __mutex_lock+0x319/0x1300 [ 85.200893][ T5304] ? l2cap_recv_acldata+0x2e3/0x13e0 [ 85.203181][ T5304] ? l2cap_recv_acldata+0x30b/0x13e0 [ 85.205456][ T5304] ? __mutex_unlock_slowpath+0x1bd/0x7d0 [ 85.207954][ T5304] ? __pfx___mutex_lock+0x10/0x10 [ 85.210319][ T5304] ? __pfx___mutex_unlock_slowpath+0x10/0x10 [ 85.213550][ T5304] ? l2cap_conn_hold_unless_zero+0x179/0x2b0 [ 85.216848][ T5304] ? __pfx_l2cap_conn_hold_unless_zero+0x10/0x10 [ 85.219621][ T5304] ? l2cap_recv_acldata+0x41/0x13e0 [ 85.221922][ T5304] l2cap_recv_acldata+0x7e9/0x13e0 [ 85.224156][ T5304] hci_rx_work+0x4f9/0x1030 [ 85.226180][ T5304] ? process_scheduled_works+0xa8d/0x18c0 [ 85.229001][ T5304] process_scheduled_works+0xb6e/0x18c0 [ 85.232144][ T5304] ? __pfx_process_scheduled_works+0x10/0x10 [ 85.235392][ T5304] ? assign_work+0x3d5/0x5e0 [ 85.237532][ T5304] worker_thread+0xa53/0xfc0 [ 85.239622][ T5304] kthread+0x388/0x470 [ 85.241461][ T5304] ? __pfx_worker_thread+0x10/0x10 [ 85.243878][ T5304] ? __pfx_kthread+0x10/0x10 [ 85.246073][ T5304] ret_from_fork+0x51e/0xb90 [ 85.248250][ T5304] ? __pfx_ret_from_fork+0x10/0x10 [ 85.250657][ T5304] ? __switch_to+0xc7d/0x1450 [ 85.253312][ T5304] ? __pfx_kthread+0x10/0x10 [ 85.255492][ T5304] ret_from_fork_asm+0x1a/0x30 [ 85.257762][ T5304] [ 85.259508][ T5304] Kernel Offset: disabled [ 85.261573][ T5304] Rebooting in 86400 seconds..