program:
syz_emit_vhci(&(0x7f0000004000)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x0, 0x1c}, @l2cap_cid_le_signaling={{0x18}, @l2cap_ecred_conn_req={{0x17, 0x3, 0x14}, {0x4, 0x6, 0x5, 0x2, [0x3ff, 0x0, 0x1b, 0x9, 0x7, 0x6]}}}}, 0x21)

[  109.090356][ T5309] Bluetooth: hci0: command tx timeout
[  109.244095][ T5309] ==================================================================
[  109.247929][ T5309] BUG: KASAN: stack-out-of-bounds in l2cap_send_cmd+0x2a3/0xb90
[  109.251230][ T5309] Read of size 20 at addr ffffc9000e0774e0 by task kworker/u5:2/5309
[  109.255464][ T5309] 
[  109.256633][ T5309] CPU: 0 UID: 0 PID: 5309 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) 
[  109.256652][ T5309] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  109.256662][ T5309] Workqueue: hci0 hci_rx_work
[  109.256688][ T5309] Call Trace:
[  109.256700][ T5309]  <TASK>
[  109.256707][ T5309]  dump_stack_lvl+0xe8/0x150
[  109.256754][ T5309]  print_report+0xba/0x230
[  109.256795][ T5309]  ? l2cap_send_cmd+0x2a3/0xb90
[  109.256810][ T5309]  kasan_report+0x117/0x150
[  109.256847][ T5309]  ? trace_kmem_cache_alloc+0x29/0xf0
[  109.256870][ T5309]  ? l2cap_send_cmd+0x2a3/0xb90
[  109.256885][ T5309]  kasan_check_range+0x264/0x2c0
[  109.256896][ T5309]  ? l2cap_send_cmd+0x2a3/0xb90
[  109.256908][ T5309]  __asan_memcpy+0x29/0x70
[  109.256946][ T5309]  l2cap_send_cmd+0x2a3/0xb90
[  109.256963][ T5309]  l2cap_recv_frame+0xc576/0x10580
[  109.256987][ T5309]  ? kvm_sched_clock_read+0x11/0x20
[  109.257000][ T5309]  ? sched_clock+0x3f/0x60
[  109.257062][ T5309]  ? sched_clock_cpu+0x74/0x440
[  109.257106][ T5309]  ? __pfx_l2cap_recv_frame+0x10/0x10
[  109.257125][ T5309]  ? finish_task_switch+0x240/0x920
[  109.257141][ T5309]  ? lockdep_hardirqs_on+0x7a/0x110
[  109.257154][ T5309]  ? rcu_is_watching+0x15/0xb0
[  109.257195][ T5309]  ? trace_sched_exit_tp+0x3a/0x150
[  109.257207][ T5309]  ? __schedule+0x15f3/0x52d0
[  109.257219][ T5309]  ? lockdep_unlock+0x5d/0xd0
[  109.257232][ T5309]  ? irqentry_exit+0x59e/0x620
[  109.257241][ T5309]  ? lockdep_hardirqs_on+0x7a/0x110
[  109.257250][ T5309]  ? __pfx___schedule+0x10/0x10
[  109.257261][ T5309]  ? __mutex_trylock_common+0x158/0x260
[  109.257278][ T5309]  ? preempt_schedule_thunk+0x16/0x30
[  109.257291][ T5309]  ? preempt_schedule_common+0x82/0xd0
[  109.257300][ T5309]  ? preempt_schedule_thunk+0x16/0x30
[  109.257313][ T5309]  ? __mutex_lock+0x32d/0x1300
[  109.257325][ T5309]  ? l2cap_recv_acldata+0x2e3/0x13e0
[  109.257338][ T5309]  ? l2cap_recv_acldata+0x30b/0x13e0
[  109.257351][ T5309]  ? __mutex_unlock_slowpath+0x1bd/0x7d0
[  109.257362][ T5309]  ? __pfx___mutex_lock+0x10/0x10
[  109.257373][ T5309]  ? __pfx___mutex_unlock_slowpath+0x10/0x10
[  109.257383][ T5309]  ? l2cap_conn_hold_unless_zero+0x179/0x2b0
[  109.257398][ T5309]  ? __pfx_l2cap_conn_hold_unless_zero+0x10/0x10
[  109.257410][ T5309]  ? l2cap_recv_acldata+0x41/0x13e0
[  109.257422][ T5309]  l2cap_recv_acldata+0x7e9/0x13e0
[  109.257435][ T5309]  hci_rx_work+0x4f9/0x1030
[  109.257448][ T5309]  ? process_scheduled_works+0xa8d/0x18c0
[  109.257487][ T5309]  process_scheduled_works+0xb6e/0x18c0
[  109.257511][ T5309]  ? __pfx_process_scheduled_works+0x10/0x10
[  109.257527][ T5309]  ? assign_work+0x3d5/0x5e0
[  109.257541][ T5309]  worker_thread+0xa53/0xfc0
[  109.257562][ T5309]  kthread+0x388/0x470
[  109.257574][ T5309]  ? __pfx_worker_thread+0x10/0x10
[  109.257587][ T5309]  ? __pfx_kthread+0x10/0x10
[  109.257597][ T5309]  ret_from_fork+0x51e/0xb90
[  109.257610][ T5309]  ? __pfx_ret_from_fork+0x10/0x10
[  109.257623][ T5309]  ? __switch_to+0xc7d/0x1450
[  109.257635][ T5309]  ? __pfx_kthread+0x10/0x10
[  109.257645][ T5309]  ret_from_fork_asm+0x1a/0x30
[  109.257663][ T5309]  </TASK>
[  109.257668][ T5309] 
[  109.398859][ T5309] The buggy address belongs to stack of task kworker/u5:2/5309
[  109.402140][ T5309]  and is located at offset 128 in frame:
[  109.404524][ T5309]  l2cap_recv_frame+0x0/0x10580
[  109.406741][ T5309] 
[  109.407883][ T5309] This frame has 26 objects:
[  109.410186][ T5309]  [32, 34) 'rsp.i244.i.i'
[  109.410199][ T5309]  [48, 88) 'chan.i.i.i'
[  109.412573][ T5309]  [128, 146) 'pdu_u.i.i.i'
[  109.414637][ T5309]  [192, 202) 'rsp.i94.i.i'
[  109.416598][ T5309]  [224, 226) 'rsp.i.i.i110'
[  109.418535][ T5309]  [240, 242) 'rej.i'
[  109.421011][ T5309]  [256, 258) 'rej.i145.i'
[  109.423356][ T5309]  [272, 274) 'rej.i143.i'
[  109.425713][ T5309]  [288, 290) 'req.i229.i.i'
[  109.427814][ T5309]  [304, 312) 'buf.i222.i.i'
[  109.430106][ T5309]  [336, 348) 'buf29.i.i.i'
[  109.432437][ T5309]  [368, 372) 'rsp49.i.i.i'
[  109.435087][ T5309]  [384, 393) 'rfc.i.i118.i.i'
[  109.437335][ T5309]  [416, 480) 'buf.i119.i.i'
[  109.439506][ T5309]  [512, 576) 'req.i120.i.i'
[  109.441540][ T5309]  [608, 617) 'rfc.i.i.i.i'
[  109.443735][ T5309]  [640, 656) 'efs.i.i.i.i'
[  109.446073][ T5309]  [672, 678) 'rej.i371.i.i.i'
[  109.448307][ T5309]  [704, 710) 'rej.i.i.i.i'
[  109.450629][ T5309]  [736, 800) 'rsp.i.i.i'
[  109.452763][ T5309]  [832, 896) 'buf.i.i.i'
[  109.455195][ T5309]  [928, 1056) 'req.i.i.i'
[  109.457451][ T5309]  [1088, 1096) 'rsp.i.i.i.i'
[  109.459725][ T5309]  [1120, 1122) 'info.i.i.i.i'
[  109.461912][ T5309]  [1136, 1264) 'buf.i.i.i.i'
[  109.464023][ T5309]  [1296, 1298) 'rej.i.i'
[  109.466094][ T5309] 
[  109.469565][ T5309] The buggy address belongs to a 8-page vmalloc region starting at 0xffffc9000e070000 allocated at copy_process+0x508/0x3cd0
[  109.476165][ T5309] The buggy address belongs to the physical page:
[  109.478933][ T5309] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12147
[  109.482399][ T5309] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[  109.485408][ T5309] raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
[  109.489870][ T5309] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[  109.493734][ T5309] page dumped because: kasan: bad access detected
[  109.496685][ T5309] page_owner tracks the page as allocated
[  109.499133][ T5309] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x29c2(GFP_NOWAIT|__GFP_HIGHMEM|__GFP_IO|__GFP_FS|__GFP_ZERO), pid 2, tgid 2 (kthreadd), ts 104477464106, free_ts 76885688762
[  109.508527][ T5309]  post_alloc_hook+0x231/0x280
[  109.510694][ T5309]  get_page_from_freelist+0x24dc/0x2580
[  109.513502][ T5309]  __alloc_frozen_pages_noprof+0x18d/0x380
[  109.516686][ T5309]  __alloc_pages_noprof+0xa/0x30
[  109.519043][ T5309]  __vmalloc_node_range_noprof+0x7be/0x1730
[  109.521677][ T5309]  __vmalloc_node_noprof+0xc2/0x100
[  109.524084][ T5309]  dup_task_struct+0x275/0x9a0
[  109.526635][ T5309]  copy_process+0x508/0x3cd0
[  109.529159][ T5309]  kernel_clone+0x248/0x8e0
[  109.531537][ T5309]  kernel_thread+0x13f/0x1b0
[  109.533836][ T5309]  kthreadd+0x4ec/0x6e0
[  109.536031][ T5309]  ret_from_fork+0x51e/0xb90
[  109.538146][ T5309]  ret_from_fork_asm+0x1a/0x30
[  109.540283][ T5309] page last free pid 5150 tgid 5150 stack trace:
[  109.543493][ T5309]  __free_frozen_pages+0xc2b/0xdb0
[  109.546308][ T5309]  __slab_free+0x263/0x2b0
[  109.548398][ T5309]  qlist_free_all+0x97/0x100
[  109.550403][ T5309]  kasan_quarantine_reduce+0x148/0x160
[  109.552974][ T5309]  __kasan_slab_alloc+0x22/0x80
[  109.555789][ T5309]  __kmalloc_noprof+0x316/0x760
[  109.558498][ T5309]  tomoyo_realpath_from_path+0xe3/0x5d0
[  109.561109][ T5309]  tomoyo_path_perm+0x283/0x560
[  109.563302][ T5309]  security_inode_getattr+0x12b/0x310
[  109.565844][ T5309]  __x64_sys_newfstat+0x13b/0x270
[  109.568371][ T5309]  do_syscall_64+0x14d/0xf80
[  109.570842][ T5309]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  109.573572][ T5309] 
[  109.574675][ T5309] Memory state around the buggy address:
[  109.577396][ T5309]  ffffc9000e077380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  109.581664][ T5309]  ffffc9000e077400: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
[  109.585086][ T5309] >ffffc9000e077480: f8 f2 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 00 00 02 f2
[  109.588329][ T5309]                                                              ^
[  109.592415][ T5309]  ffffc9000e077500: f2 f2 f2 f2 f8 f8 f2 f2 f8 f2 f8 f2 f8 f2 f8 f2
[  109.596055][ T5309]  ffffc9000e077580: f8 f2 f8 f2 f2 f2 f8 f8 f2 f2 f8 f2 f8 f8 f2 f2
[  109.599691][ T5309] ==================================================================
[  109.622591][ T5309] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[  109.625951][ T5309] CPU: 0 UID: 0 PID: 5309 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) 
[  109.630778][ T5309] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  109.635833][ T5309] Workqueue: hci0 hci_rx_work
[  109.638024][ T5309] Call Trace:
[  109.639573][ T5309]  <TASK>
[  109.640917][ T5309]  vpanic+0x56c/0xa60
[  109.642718][ T5309]  ? __pfx_vpanic+0x10/0x10
[  109.644800][ T5309]  panic+0xc5/0xd0
[  109.646486][ T5309]  ? __pfx_panic+0x10/0x10
[  109.648433][ T5309]  ? preempt_schedule_thunk+0x16/0x30
[  109.650716][ T5309]  ? preempt_schedule_thunk+0x16/0x30
[  109.653138][ T5309]  ? l2cap_send_cmd+0x2a3/0xb90
[  109.655363][ T5309]  check_panic_on_warn+0x89/0xb0
[  109.657570][ T5309]  ? l2cap_send_cmd+0x2a3/0xb90
[  109.659719][ T5309]  end_report+0x73/0x180
[  109.661563][ T5309]  ? l2cap_send_cmd+0x2a3/0xb90
[  109.663881][ T5309]  kasan_report+0x128/0x150
[  109.666339][ T5309]  ? trace_kmem_cache_alloc+0x29/0xf0
[  109.669085][ T5309]  ? l2cap_send_cmd+0x2a3/0xb90
[  109.671555][ T5309]  kasan_check_range+0x264/0x2c0
[  109.674019][ T5309]  ? l2cap_send_cmd+0x2a3/0xb90
[  109.676681][ T5309]  __asan_memcpy+0x29/0x70
[  109.678676][ T5309]  l2cap_send_cmd+0x2a3/0xb90
[  109.680785][ T5309]  l2cap_recv_frame+0xc576/0x10580
[  109.683178][ T5309]  ? kvm_sched_clock_read+0x11/0x20
[  109.685619][ T5309]  ? sched_clock+0x3f/0x60
[  109.688000][ T5309]  ? sched_clock_cpu+0x74/0x440
[  109.690537][ T5309]  ? __pfx_l2cap_recv_frame+0x10/0x10
[  109.693291][ T5309]  ? finish_task_switch+0x240/0x920
[  109.695773][ T5309]  ? lockdep_hardirqs_on+0x7a/0x110
[  109.698259][ T5309]  ? rcu_is_watching+0x15/0xb0
[  109.700798][ T5309]  ? trace_sched_exit_tp+0x3a/0x150
[  109.703320][ T5309]  ? __schedule+0x15f3/0x52d0
[  109.705705][ T5309]  ? lockdep_unlock+0x5d/0xd0
[  109.707988][ T5309]  ? irqentry_exit+0x59e/0x620
[  109.710483][ T5309]  ? lockdep_hardirqs_on+0x7a/0x110
[  109.713532][ T5309]  ? __pfx___schedule+0x10/0x10
[  109.715951][ T5309]  ? __mutex_trylock_common+0x158/0x260
[  109.718358][ T5309]  ? preempt_schedule_thunk+0x16/0x30
[  109.720770][ T5309]  ? preempt_schedule_common+0x82/0xd0
[  109.723392][ T5309]  ? preempt_schedule_thunk+0x16/0x30
[  109.726085][ T5309]  ? __mutex_lock+0x32d/0x1300
[  109.728475][ T5309]  ? l2cap_recv_acldata+0x2e3/0x13e0
[  109.731308][ T5309]  ? l2cap_recv_acldata+0x30b/0x13e0
[  109.733799][ T5309]  ? __mutex_unlock_slowpath+0x1bd/0x7d0
[  109.736499][ T5309]  ? __pfx___mutex_lock+0x10/0x10
[  109.739036][ T5309]  ? __pfx___mutex_unlock_slowpath+0x10/0x10
[  109.742437][ T5309]  ? l2cap_conn_hold_unless_zero+0x179/0x2b0
[  109.745412][ T5309]  ? __pfx_l2cap_conn_hold_unless_zero+0x10/0x10
[  109.747982][ T5309]  ? l2cap_recv_acldata+0x41/0x13e0
[  109.750240][ T5309]  l2cap_recv_acldata+0x7e9/0x13e0
[  109.752648][ T5309]  hci_rx_work+0x4f9/0x1030
[  109.754864][ T5309]  ? process_scheduled_works+0xa8d/0x18c0
[  109.757326][ T5309]  process_scheduled_works+0xb6e/0x18c0
[  109.759733][ T5309]  ? __pfx_process_scheduled_works+0x10/0x10
[  109.762436][ T5309]  ? assign_work+0x3d5/0x5e0
[  109.764848][ T5309]  worker_thread+0xa53/0xfc0
[  109.767268][ T5309]  kthread+0x388/0x470
[  109.769212][ T5309]  ? __pfx_worker_thread+0x10/0x10
[  109.771506][ T5309]  ? __pfx_kthread+0x10/0x10
[  109.773622][ T5309]  ret_from_fork+0x51e/0xb90
[  109.775882][ T5309]  ? __pfx_ret_from_fork+0x10/0x10
[  109.778478][ T5309]  ? __switch_to+0xc7d/0x1450
[  109.780962][ T5309]  ? __pfx_kthread+0x10/0x10
[  109.783076][ T5309]  ret_from_fork_asm+0x1a/0x30
[  109.785305][ T5309]  </TASK>
[  109.787041][ T5309] Kernel Offset: disabled
[  109.789273][ T5309] Rebooting in 86400 seconds..