program:
# Syzkaller reproducer program, followed by the guest console log it produced.
# The log reports "KASAN: stack-out-of-bounds in l2cap_send_cmd": a 26-byte read
# that starts at offset 128 of the l2cap_recv_frame stack frame, where the log
# lists the 18-byte object [128, 146) 'pdu_u.i.i.i', so the copy runs 8 bytes
# past that object. The fault is raised in the hci0 receive worker
# (hci_rx_work -> l2cap_recv_acldata -> l2cap_recv_frame -> l2cap_send_cmd ->
# __asan_memcpy), i.e. while an incoming ACL frame is being handled, and
# panic_on_warn turns the report into a kernel panic.
#
# NOTE(review): r1, r2, r5, r7 and r9 are used below but no assignment to them is
# visible in this listing; the output-argument markers were presumably lost when
# the program was printed. Confirm against the original reproducer.
# NOTE(review): r0 is passed as the descriptor to nearly every later call, whatever
# descriptor type the call names. None of those calls appears in the faulting
# trace, which runs entirely in a kworker; they are presumably unrelated fuzzer
# noise. Confirm by minimizing the reproducer.

# HCI event and vendor packets emitted through syz_emit_vhci.
syz_emit_vhci(&(0x7f0000000000)=@HCI_EVENT_PKT={0x4, @hci_ev_clock_offset={{0x1c, 0x5}, {0x6, 0xc8, 0xbdf}}}, 0x8)
syz_emit_vhci(&(0x7f0000000040)=@HCI_VENDOR_PKT={0xff, 0x80}, 0x2)
# r0: descriptor reused by most of the calls that follow.
r0 = openat$dlm_monitor(0xffffffffffffff9c, &(0x7f0000000080), 0x145000, 0x0)
ioctl$IOMMU_IOAS_ALLOC(r0, 0x3b81, &(0x7f00000000c0)={0xc, 0x0, 0x0})
syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_simple_pair_complete={{0x36, 0x7}, {0x94}}}, 0xa)
ioctl$IOMMU_TEST_OP_MOCK_DOMAIN(r0, 0x3ba0, &(0x7f0000000140)={0x48, 0x2, r1, 0x0, 0x0, 0x0, 0x0})
ioctl$IOMMU_HWPT_ALLOC$TEST(r0, 0x3b89, &(0x7f0000000200)={0x28, 0x1, r2, r1, 0x0, 0x0, 0xdead, 0x4, &(0x7f00000001c0)})
# ACL data packet on the LE signaling CID carrying an l2cap_ecred_conn_req whose
# trailing array has 9 entries.
# NOTE(review): this and the later l2cap_move_chan_rsp packet are the only two ACL
# frames in the program; the log does not say which one was being processed.
# The sizes in the report would be consistent with a response built for 9
# channels (presumably 8 + 9*2 = 26 bytes) being copied out of an 18-byte
# on-stack buffer. This is an inference; confirm against the L2CAP handler
# source and check whether the tested kernel bounds the channel count before
# the response is sized.
syz_emit_vhci(&(0x7f0000000240)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x2, 0x0, 0x22}, @l2cap_cid_le_signaling={{0x1e}, @l2cap_ecred_conn_req={{0x17, 0xb6, 0x1a}, {0xdab3, 0x4, 0xf7, 0xfffe, [0x1, 0x9, 0x1, 0x5, 0x2f7b, 0xa, 0x8, 0x7, 0x8]}}}}, 0x27)
r3 = openat$binfmt_format(0xffffffffffffff9c, &(0x7f0000000280)='/proc/sys/fs/binfmt_misc/syz1\x00', 0x2, 0x0)
write$binfmt_format(r3, &(0x7f00000002c0)='1\x00', 0x2)
# r4 comes from accept4 on r0; it is used by bind below and by one SIOCGIFINDEX call.
r4 = accept4$bt_l2cap(r0, &(0x7f0000000300), &(0x7f0000000340)=0xe, 0x800)
bind$bt_l2cap(r4, &(0x7f0000000380)={0x1f, 0x4, @any, 0x6, 0x2}, 0xe)
ioctl$USBDEVFS_FREE_STREAMS(r0, 0x8008551d, &(0x7f00000003c0)={0xe1e2, 0x19, [{0x0, 0x1}, {0x4, 0x1}, {}, {0x8, 0x1}, {0x1, 0x1}, {0xc}, {0xc}, {0x3, 0x1}, {0xe}, {0xa, 0x1}, {0x5}, {0x2}, {0xa}, {0x8, 0x1}, {0x2}, {0x2, 0x1}, {0xd}, {0x1}, {0xf, 0x1}, {0xe, 0x1}, {0x2, 0x1}, {0x9, 0x1}, {0x7}, {0xc}, {0x1}]})
ioctl$sock_ipv4_tunnel_SIOCDELTUNNEL(r0, 0x89f2, &(0x7f00000005c0)={'syztnl0\x00', &(0x7f0000000540)={'syztnl1\x00', 0x0, 0x10, 0x10, 0xfffeffff, 0x3, {{0x11, 0x4, 0x0, 0x9, 0x44, 0x67, 0x0, 0x4, 0x4, 0x0, @local, @multicast1, {[@cipso={0x86, 0x2f, 0x3, [{0x5, 0x3, '\n'}, {0x2, 0x9, "70d13a441bea11"}, {0x0, 0xf, "9b5a02c765c0417986e0347f28"}, {0x2, 0x6, "1d9aaca0"}, {0x1, 0x8, "3207beeb3dc3"}]}]}}}}})
# r6: result of the BPF program load; only fcntl$notify uses it later.
r6 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000740)={0x11, 0xf, &(0x7f0000000400)=@raw=[@map_idx_val={0x18, 0x3, 0x6, 0x0, 0xc, 0x0, 0x0, 0x0, 0x8}, @alu={0x0, 0x0, 0x8, 0x3, 0x8, 0xffffffffffffffe0, 0x4}, @cb_func={0x18, 0xb, 0x4, 0x0, 0x7}, @ringbuf_output={{0x18, 0x1, 0x1, 0x0, r0}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x101}, {}, {}, {}, {}, {0x7, 0x0, 0xb, 0x4, 0x0, 0x0, 0x1}}, @kfunc={0x85, 0x0, 0x2, 0x0, 0x3}], &(0x7f0000000480)='syzkaller\x00', 0x4, 0x7c, &(0x7f00000004c0)=""/124, 0x41100, 0x2, '\x00', r5, 0x0, r0, 0x8, &(0x7f0000000600)={0x4, 0x1}, 0x8, 0x10, &(0x7f0000000640)={0x2, 0xb, 0x81, 0x1}, 0x10, 0x0, 0x0, 0x5, &(0x7f0000000680)=[r0, r0], &(0x7f00000006c0)=[{0x1, 0x2, 0x9, 0x3}, {0x3, 0x3, 0x3, 0x7}, {0x5, 0x3, 0x8, 0xa}, {0x4, 0x2, 0x1}, {0x4, 0x4, 0x3, 0x8}], 0x10, 0xb}, 0x94)
syz_emit_vhci(&(0x7f0000000800)=@HCI_EVENT_PKT={0x4, @hci_ev_link_key_req={{0x17, 0x6}, {@fixed={'\xaa\xaa\xaa\xaa\xaa', 0x11}}}}, 0x9)
ioctl$SIOCPNGETOBJECT(r0, 0x89e0, &(0x7f0000000840)=0xa57)
shutdown(r0, 0x0)
write$6lowpan_control(r0, &(0x7f0000000880)='connect aa:aa:aa:aa:aa:10 1', 0x1b)
ioctl$IOMMU_OPTION$IOMMU_OPTION_RLIMIT_MODE(r0, 0x3b87, &(0x7f00000008c0)={0x18, 0x0, 0x0, 0x0, 0x0, 0x1ff})
execveat(r0, &(0x7f0000000900)='./file0\x00', &(0x7f0000000b00)={[&(0x7f0000000940)='%])\x00', &(0x7f0000000980)='%.\x9a}*\x00', &(0x7f00000009c0)='\xaa\xaa\xaa\xaa\xaa', &(0x7f0000000a00)='/proc/sys/fs/binfmt_misc/syz1\x00', &(0x7f0000000a40)=')%\x00', &(0x7f0000000a80)='^@}}\x00', &(0x7f0000000ac0)='$\x00']}, &(0x7f0000000c80)={[&(0x7f0000000b40)='1\x00', &(0x7f0000000b80)='/proc/sys/fs/binfmt_misc/syz1\x00', &(0x7f0000000bc0)='/dev/dlm-monitor\x00', &(0x7f0000000c00)='\x00', &(0x7f0000000c40)='&\xfe\x00']}, 0x400)
fcntl$notify(r6, 0x402, 0x80000000)
fchmodat(r0, &(0x7f0000000cc0)='./file0\x00', 0x8)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000d40)={'wlan1\x00', 0x0})
sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f0000000e40)={&(0x7f0000000d00)={0x10, 0x0, 0x0, 0xfd4888dddc7d45f0}, 0xc, &(0x7f0000000e00)={&(0x7f0000000d80)={0x5c, 0x0, 0x0, 0x70bd2c, 0x25dfdbff, {{}, {@val={0x8, 0x3, r7}, @void}}, [@NL80211_ATTR_BSS_SELECT={0x20, 0xe3, 0x0, 0x1, {0x1c, 0x0, [@NL80211_BSS_SELECT_ATTR_BAND_PREF={0x8, 0x2, 0x6}, @NL80211_BSS_SELECT_ATTR_RSSI={0x4}, @NL80211_BSS_SELECT_ATTR_RSSI={0x4}, @NL80211_BSS_SELECT_ATTR_BAND_PREF={0x8, 0x2, 0x6e09}]}}, @NL80211_ATTR_VHT_CAPABILITY_MASK={0x10, 0xb0, {0x20000000, {0x1, 0x34f, 0x8, 0x4}}}, @NL80211_ATTR_SOCKET_OWNER={0x4}, @NL80211_ATTR_MAC={0xa, 0x6, @random="5445a0457274"}]}, 0x5c}, 0x1, 0x0, 0x0, 0x1}, 0x4000800)
recvfrom$llc(r0, &(0x7f0000000e80)=""/33, 0x21, 0x101, &(0x7f0000000ec0)={0x1a, 0x1, 0x0, 0x8, 0x6a, 0x81, @random="79d1352618c5"}, 0x10)
# Second ACL data packet, this one on the classic signaling CID with an
# l2cap_move_chan_rsp command.
syz_emit_vhci(&(0x7f0000000f00)=@HCI_ACLDATA_PKT={0x2, {0x6bb625a403cd845, 0x3, 0x0, 0xc}, @l2cap_cid_signaling={{0x8}, [@l2cap_move_chan_rsp={{0xf, 0x4, 0x4}, {0xe, 0x84}}]}}, 0x11)
# r8: nl80211 generic-netlink family id, used as the message type in SET_MESH_CONFIG below.
r8 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000f80), r0)
ioctl$sock_SIOCGIFINDEX_80211(r4, 0x8933, &(0x7f0000000fc0)={'wlan1\x00', 0x0})
sendmsg$NL80211_CMD_SET_MESH_CONFIG(r0, &(0x7f0000001100)={&(0x7f0000000f40)={0x10, 0x0, 0x0, 0x9000000}, 0xc, &(0x7f00000010c0)={&(0x7f0000001000)={0xc0, r8, 0x400, 0x70bd27, 0x25dfdbfc, {{}, {@val={0x8, 0x3, r7}, @val={0xc, 0x99, {0x9, 0x60}}}}, [@NL80211_ATTR_WIPHY={0x8, 0x1, 0x3e}, @NL80211_ATTR_WDEV={0xc, 0x99, {0x1, 0x8}}, @NL80211_ATTR_MESH_CONFIG={0x14, 0x23, 0x0, 0x1, [@NL80211_MESHCONF_RSSI_THRESHOLD={0x8, 0x14, 0xffffffffffffff8b}, @NL80211_MESHCONF_RSSI_THRESHOLD={0x8, 0x14, 0xffffffffffffff37}]}, @NL80211_ATTR_IFINDEX={0x8, 0x3, r9}, @NL80211_ATTR_WDEV={0xc, 0x99, {0xeac5, 0x5e}}, @NL80211_ATTR_WDEV={0xc, 0x99, {0x1, 0x56}}, @NL80211_ATTR_MESH_CONFIG={0x24, 0x23, 0x0, 0x1, [@NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL={0x6, 0x19, 0x5}, @NL80211_MESHCONF_HWMP_MAX_PREQ_RETRIES={0x5, 0x8, 0x6}, @NL80211_MESHCONF_HWMP_PERR_MIN_INTERVAL={0x6, 0x12, 0x5}, @NL80211_MESHCONF_HWMP_ROOTMODE={0x5, 0xe, 0x3}]}, @NL80211_ATTR_WIPHY={0x8, 0x1, 0x6}, @NL80211_ATTR_MESH_CONFIG={0x24, 0x23, 0x0, 0x1, [@NL80211_MESHCONF_HOLDING_TIMEOUT={0x6, 0x3, 0x21}, @NL80211_MESHCONF_GATE_ANNOUNCEMENTS={0x5, 0x11, 0x1}, @NL80211_MESHCONF_HWMP_CONFIRMATION_INTERVAL={0x6, 0x19, 0x8}, @NL80211_MESHCONF_HWMP_PATH_TO_ROOT_TIMEOUT={0x8, 0x17, 0x1}]}]}, 0xc0}, 0x1, 0x0, 0x0, 0x4000048}, 0x88c5)
# End of program. The guest console log follows, kept verbatim on one line as it appears on the page.
[ 80.724963][ T5305] Bluetooth: hci0: command tx timeout [ 80.797011][ T5305] ================================================================== [ 80.800711][ T5305] BUG: KASAN: stack-out-of-bounds in l2cap_send_cmd+0x2a3/0xb90 [ 80.805124][ T5305] Read of size 26 at addr ffffc9000dbd74e0 by task kworker/u5:2/5305 [ 80.809551][ T5305] [ 80.810817][ T5305] CPU: 0 UID: 0 PID: 5305 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) [ 80.810850][ T5305] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 80.810861][ T5305] Workqueue: hci0 hci_rx_work [ 80.810883][ T5305] Call Trace: [ 80.810915][ T5305] [ 80.810963][ T5305] dump_stack_lvl+0xe8/0x150 [ 80.810983][ T5305] print_report+0xba/0x230 [ 80.810998][ T5305] ? l2cap_send_cmd+0x2a3/0xb90 [ 80.811013][ T5305] kasan_report+0x117/0x150 [ 80.811027][ T5305] ? trace_kmem_cache_alloc+0x29/0xf0 [ 80.811044][ T5305] ? l2cap_send_cmd+0x2a3/0xb90 [ 80.811057][ T5305] kasan_check_range+0x264/0x2c0 [ 80.811070][ T5305] ? l2cap_send_cmd+0x2a3/0xb90 [ 80.811085][ T5305] __asan_memcpy+0x29/0x70 [ 80.811103][ T5305] l2cap_send_cmd+0x2a3/0xb90 [ 80.811117][ T5305] l2cap_recv_frame+0xc576/0x10580 [ 80.811132][ T5305] ? ret_from_fork_asm+0x1a/0x30 [ 80.811145][ T5305] ? unwind_next_frame+0xa5/0x23c0 [ 80.811160][ T5305] ? rcu_is_watching+0x15/0xb0 [ 80.811173][ T5305] ? lock_release+0x4b/0x3d0 [ 80.811185][ T5305] ? unwind_next_frame+0x1aaf/0x23c0 [ 80.811202][ T5305] ? unwind_next_frame+0xa5/0x23c0 [ 80.811216][ T5305] ? unwind_next_frame+0x1aaf/0x23c0 [ 80.811231][ T5305] ? __pfx_l2cap_recv_frame+0x10/0x10 [ 80.811242][ T5305] ? 
ret_from_fork_asm+0x1a/0x30 [ 80.811254][ T5305] ? ret_from_fork_asm+0x1a/0x30 [ 80.811267][ T5305] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 80.811280][ T5305] ? ret_from_fork_asm+0x1a/0x30 [ 80.811296][ T5305] ? stack_trace_save+0xa9/0x100 [ 80.811306][ T5305] ? __pfx_stack_trace_save+0x10/0x10 [ 80.811317][ T5305] ? check_path+0x21/0x40 [ 80.811329][ T5305] ? check_noncircular+0xda/0x150 [ 80.811339][ T5305] ? add_lock_to_list+0xc7/0x100 [ 80.811348][ T5305] ? lockdep_unlock+0x5d/0xd0 [ 80.811354][ T5305] ? __lock_acquire+0x146e/0x2cf0 [ 80.811366][ T5305] ? __mutex_trylock_common+0x158/0x260 [ 80.811376][ T5305] ? __pfx___mutex_trylock_common+0x10/0x10 [ 80.811385][ T5305] ? rcu_is_watching+0x15/0xb0 [ 80.811394][ T5305] ? trace_contention_end+0x3d/0x150 [ 80.811404][ T5305] ? __mutex_lock+0x319/0x1300 [ 80.811413][ T5305] ? l2cap_recv_acldata+0x2e3/0x13e0 [ 80.811421][ T5305] ? l2cap_recv_acldata+0x30b/0x13e0 [ 80.811429][ T5305] ? __mutex_unlock_slowpath+0x1bd/0x7d0 [ 80.811436][ T5305] ? __pfx___mutex_lock+0x10/0x10 [ 80.811443][ T5305] ? __pfx___mutex_unlock_slowpath+0x10/0x10 [ 80.811450][ T5305] ? l2cap_conn_hold_unless_zero+0x179/0x2b0 [ 80.811458][ T5305] ? __pfx_l2cap_conn_hold_unless_zero+0x10/0x10 [ 80.811469][ T5305] ? l2cap_recv_acldata+0x41/0x13e0 [ 80.811477][ T5305] l2cap_recv_acldata+0x7e9/0x13e0 [ 80.811486][ T5305] hci_rx_work+0x4f9/0x1030 [ 80.811494][ T5305] ? process_scheduled_works+0xa8d/0x18c0 [ 80.811503][ T5305] process_scheduled_works+0xb6e/0x18c0 [ 80.811515][ T5305] ? __pfx_process_scheduled_works+0x10/0x10 [ 80.811524][ T5305] ? assign_work+0x3d5/0x5e0 [ 80.811532][ T5305] worker_thread+0xa53/0xfc0 [ 80.811545][ T5305] kthread+0x388/0x470 [ 80.811551][ T5305] ? __pfx_worker_thread+0x10/0x10 [ 80.811559][ T5305] ? __pfx_kthread+0x10/0x10 [ 80.811565][ T5305] ret_from_fork+0x51e/0xb90 [ 80.811574][ T5305] ? __pfx_ret_from_fork+0x10/0x10 [ 80.811583][ T5305] ? __switch_to+0xc7d/0x1450 [ 80.811594][ T5305] ? 
__pfx_kthread+0x10/0x10 [ 80.811601][ T5305] ret_from_fork_asm+0x1a/0x30 [ 80.811614][ T5305] [ 80.811618][ T5305] [ 80.964279][ T5305] The buggy address belongs to stack of task kworker/u5:2/5305 [ 80.967700][ T5305] and is located at offset 128 in frame: [ 80.970855][ T5305] l2cap_recv_frame+0x0/0x10580 [ 80.973765][ T5305] [ 80.975203][ T5305] This frame has 26 objects: [ 80.977439][ T5305] [32, 34) 'rsp.i244.i.i' [ 80.977452][ T5305] [48, 88) 'chan.i.i.i' [ 80.979418][ T5305] [128, 146) 'pdu_u.i.i.i' [ 80.981707][ T5305] [192, 202) 'rsp.i94.i.i' [ 80.984038][ T5305] [224, 226) 'rsp.i.i.i110' [ 80.986313][ T5305] [240, 242) 'rej.i' [ 80.988563][ T5305] [256, 258) 'rej.i145.i' [ 80.990475][ T5305] [272, 274) 'rej.i143.i' [ 80.992519][ T5305] [288, 290) 'req.i229.i.i' [ 80.994696][ T5305] [304, 312) 'buf.i222.i.i' [ 80.997220][ T5305] [336, 348) 'buf29.i.i.i' [ 80.999637][ T5305] [368, 372) 'rsp49.i.i.i' [ 81.001627][ T5305] [384, 393) 'rfc.i.i118.i.i' [ 81.003359][ T5305] [416, 480) 'buf.i119.i.i' [ 81.005201][ T5305] [512, 576) 'req.i120.i.i' [ 81.007294][ T5305] [608, 617) 'rfc.i.i.i.i' [ 81.009673][ T5305] [640, 656) 'efs.i.i.i.i' [ 81.012123][ T5305] [672, 678) 'rej.i371.i.i.i' [ 81.014400][ T5305] [704, 710) 'rej.i.i.i.i' [ 81.016576][ T5305] [736, 800) 'rsp.i.i.i' [ 81.018609][ T5305] [832, 896) 'buf.i.i.i' [ 81.021104][ T5305] [928, 1056) 'req.i.i.i' [ 81.023703][ T5305] [1088, 1096) 'rsp.i.i.i.i' [ 81.025768][ T5305] [1120, 1122) 'info.i.i.i.i' [ 81.027954][ T5305] [1136, 1264) 'buf.i.i.i.i' [ 81.030178][ T5305] [1296, 1298) 'rej.i.i' [ 81.032147][ T5305] [ 81.035552][ T5305] The buggy address belongs to a 8-page vmalloc region starting at 0xffffc9000dbd0000 allocated at copy_process+0x508/0x3cd0 [ 81.042082][ T5305] The buggy address belongs to the physical page: [ 81.045018][ T5305] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f587 [ 81.049188][ T5305] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 81.052527][ T5305] 
raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000 [ 81.056184][ T5305] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 81.059665][ T5305] page dumped because: kasan: bad access detected [ 81.063038][ T5305] page_owner tracks the page as allocated [ 81.066153][ T5305] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x29c2(GFP_NOWAIT|__GFP_HIGHMEM|__GFP_IO|__GFP_FS|__GFP_ZERO), pid 2, tgid 2 (kthreadd), ts 75736752426, free_ts 46840928731 [ 81.074760][ T5305] post_alloc_hook+0x231/0x280 [ 81.077583][ T5305] get_page_from_freelist+0x24dc/0x2580 [ 81.081054][ T5305] __alloc_frozen_pages_noprof+0x18d/0x380 [ 81.084166][ T5305] __alloc_pages_noprof+0xa/0x30 [ 81.087057][ T5305] __vmalloc_node_range_noprof+0x7be/0x1730 [ 81.090531][ T5305] __vmalloc_node_noprof+0xc2/0x100 [ 81.093127][ T5305] dup_task_struct+0x275/0x9a0 [ 81.095738][ T5305] copy_process+0x508/0x3cd0 [ 81.098169][ T5305] kernel_clone+0x248/0x8e0 [ 81.100695][ T5305] kernel_thread+0x13f/0x1b0 [ 81.103087][ T5305] kthreadd+0x4ec/0x6e0 [ 81.105021][ T5305] ret_from_fork+0x51e/0xb90 [ 81.107185][ T5305] ret_from_fork_asm+0x1a/0x30 [ 81.110100][ T5305] page last free pid 5119 tgid 5119 stack trace: [ 81.114192][ T5305] __free_frozen_pages+0xc2b/0xdb0 [ 81.116862][ T5305] __slab_free+0x263/0x2b0 [ 81.119344][ T5305] qlist_free_all+0x97/0x100 [ 81.122045][ T5305] kasan_quarantine_reduce+0x148/0x160 [ 81.125431][ T5305] __kasan_slab_alloc+0x22/0x80 [ 81.128444][ T5305] kmem_cache_alloc_noprof+0x2bc/0x650 [ 81.132125][ T5305] do_getname+0x2e/0x250 [ 81.134237][ T5305] vfs_fstatat+0x45/0x170 [ 81.136082][ T5305] __x64_sys_newfstatat+0x151/0x200 [ 81.138453][ T5305] do_syscall_64+0x14d/0xf80 [ 81.140542][ T5305] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 81.143246][ T5305] [ 81.144366][ T5305] Memory state around the buggy address: [ 81.146863][ T5305] ffffc9000dbd7380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 81.151291][ T5305] 
ffffc9000dbd7400: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 [ 81.155029][ T5305] >ffffc9000dbd7480: f8 f2 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 00 00 02 f2 [ 81.158512][ T5305] ^ [ 81.161918][ T5305] ffffc9000dbd7500: f2 f2 f2 f2 f8 f8 f2 f2 f8 f2 f8 f2 f8 f2 f8 f2 [ 81.166116][ T5305] ffffc9000dbd7580: f8 f2 f8 f2 f2 f2 f8 f8 f2 f2 f8 f2 f8 f8 f2 f2 [ 81.169639][ T5305] ================================================================== [ 81.191666][ T5305] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 81.195011][ T5305] CPU: 0 UID: 0 PID: 5305 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) [ 81.199021][ T5305] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 81.204079][ T5305] Workqueue: hci0 hci_rx_work [ 81.206703][ T5305] Call Trace: [ 81.208320][ T5305] [ 81.209660][ T5305] vpanic+0x56c/0xa60 [ 81.211402][ T5305] ? __pfx_vpanic+0x10/0x10 [ 81.213465][ T5305] panic+0xc5/0xd0 [ 81.215297][ T5305] ? __pfx_panic+0x10/0x10 [ 81.217502][ T5305] ? preempt_schedule_thunk+0x16/0x30 [ 81.220174][ T5305] ? preempt_schedule_thunk+0x16/0x30 [ 81.222471][ T5305] ? l2cap_send_cmd+0x2a3/0xb90 [ 81.224697][ T5305] check_panic_on_warn+0x89/0xb0 [ 81.227087][ T5305] ? l2cap_send_cmd+0x2a3/0xb90 [ 81.229717][ T5305] end_report+0x73/0x180 [ 81.232393][ T5305] ? l2cap_send_cmd+0x2a3/0xb90 [ 81.234640][ T5305] kasan_report+0x128/0x150 [ 81.236759][ T5305] ? trace_kmem_cache_alloc+0x29/0xf0 [ 81.239037][ T5305] ? l2cap_send_cmd+0x2a3/0xb90 [ 81.241161][ T5305] kasan_check_range+0x264/0x2c0 [ 81.243999][ T5305] ? l2cap_send_cmd+0x2a3/0xb90 [ 81.246614][ T5305] __asan_memcpy+0x29/0x70 [ 81.248516][ T5305] l2cap_send_cmd+0x2a3/0xb90 [ 81.250548][ T5305] l2cap_recv_frame+0xc576/0x10580 [ 81.252818][ T5305] ? ret_from_fork_asm+0x1a/0x30 [ 81.255068][ T5305] ? unwind_next_frame+0xa5/0x23c0 [ 81.257398][ T5305] ? rcu_is_watching+0x15/0xb0 [ 81.259909][ T5305] ? lock_release+0x4b/0x3d0 [ 81.262337][ T5305] ? 
unwind_next_frame+0x1aaf/0x23c0 [ 81.264843][ T5305] ? unwind_next_frame+0xa5/0x23c0 [ 81.267102][ T5305] ? unwind_next_frame+0x1aaf/0x23c0 [ 81.269433][ T5305] ? __pfx_l2cap_recv_frame+0x10/0x10 [ 81.272311][ T5305] ? ret_from_fork_asm+0x1a/0x30 [ 81.275078][ T5305] ? ret_from_fork_asm+0x1a/0x30 [ 81.277445][ T5305] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 81.280200][ T5305] ? ret_from_fork_asm+0x1a/0x30 [ 81.282374][ T5305] ? stack_trace_save+0xa9/0x100 [ 81.284448][ T5305] ? __pfx_stack_trace_save+0x10/0x10 [ 81.287065][ T5305] ? check_path+0x21/0x40 [ 81.289228][ T5305] ? check_noncircular+0xda/0x150 [ 81.291339][ T5305] ? add_lock_to_list+0xc7/0x100 [ 81.293335][ T5305] ? lockdep_unlock+0x5d/0xd0 [ 81.295394][ T5305] ? __lock_acquire+0x146e/0x2cf0 [ 81.297863][ T5305] ? __mutex_trylock_common+0x158/0x260 [ 81.300799][ T5305] ? __pfx___mutex_trylock_common+0x10/0x10 [ 81.303926][ T5305] ? rcu_is_watching+0x15/0xb0 [ 81.306050][ T5305] ? trace_contention_end+0x3d/0x150 [ 81.308487][ T5305] ? __mutex_lock+0x319/0x1300 [ 81.310744][ T5305] ? l2cap_recv_acldata+0x2e3/0x13e0 [ 81.313782][ T5305] ? l2cap_recv_acldata+0x30b/0x13e0 [ 81.316482][ T5305] ? __mutex_unlock_slowpath+0x1bd/0x7d0 [ 81.319189][ T5305] ? __pfx___mutex_lock+0x10/0x10 [ 81.321955][ T5305] ? __pfx___mutex_unlock_slowpath+0x10/0x10 [ 81.325087][ T5305] ? l2cap_conn_hold_unless_zero+0x179/0x2b0 [ 81.328340][ T5305] ? __pfx_l2cap_conn_hold_unless_zero+0x10/0x10 [ 81.331070][ T5305] ? l2cap_recv_acldata+0x41/0x13e0 [ 81.333364][ T5305] l2cap_recv_acldata+0x7e9/0x13e0 [ 81.335772][ T5305] hci_rx_work+0x4f9/0x1030 [ 81.338072][ T5305] ? process_scheduled_works+0xa8d/0x18c0 [ 81.340600][ T5305] process_scheduled_works+0xb6e/0x18c0 [ 81.342879][ T5305] ? __pfx_process_scheduled_works+0x10/0x10 [ 81.345532][ T5305] ? assign_work+0x3d5/0x5e0 [ 81.347802][ T5305] worker_thread+0xa53/0xfc0 [ 81.350353][ T5305] kthread+0x388/0x470 [ 81.352502][ T5305] ? __pfx_worker_thread+0x10/0x10 [ 81.354934][ T5305] ? 
__pfx_kthread+0x10/0x10 [ 81.357006][ T5305] ret_from_fork+0x51e/0xb90 [ 81.359197][ T5305] ? __pfx_ret_from_fork+0x10/0x10 [ 81.361901][ T5305] ? __switch_to+0xc7d/0x1450 [ 81.364826][ T5305] ? __pfx_kthread+0x10/0x10 [ 81.367580][ T5305] ret_from_fork_asm+0x1a/0x30 [ 81.369883][ T5305] [ 81.371715][ T5305] Kernel Offset: disabled [ 81.373688][ T5305] Rebooting in 86400 seconds..