==================================================================
BUG: KASAN: stack-out-of-bounds in l2cap_send_cmd+0x8ea/0xbb0
Read of size 26 at addr ffff888054a8fa28 by task kworker/u11:3/13902

CPU: 0 UID: 0 PID: 13902 Comm: kworker/u11:3 Not tainted 6.19.0-next-20260213 #1 PREEMPT(lazy) 
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Workqueue: hci2 hci_rx_work
Call Trace:
 <TASK>
 dump_stack_lvl+0xca/0x120
 print_report+0xcb/0x610
 kasan_report+0xca/0x100
 kasan_check_range+0x39/0x1b0
 __asan_memcpy+0x24/0x60
 l2cap_send_cmd+0x8ea/0xbb0
 l2cap_recv_frame+0x6e53/0x9530
 l2cap_recv_acldata+0xf07/0x10d0
 hci_rx_work+0x416/0x8b0
 process_one_work+0x8e1/0x1a40
 worker_thread+0x67e/0xe90
 kthread+0x385/0x490
 ret_from_fork+0x67a/0xab0
 ret_from_fork_asm+0x1a/0x30
 </TASK>

The buggy address belongs to stack of task kworker/u11:3/13902
 and is located at offset 96 in frame:
 l2cap_recv_frame+0x0/0x9530

This frame has 8 objects:
 [32, 34) 'rsp'
 [48, 58) 'rsp'
 [80, 84) 'rsp'
 [96, 114) 'pdu_u'
 [160, 200) 'chan'
 [240, 244) 'rx_func_to_event'
 [256, 264) 'buf'
 [288, 300) 'buf'

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x54a8f
flags: 0x100000000000000(node=0|zone=1)
raw: 0100000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888054a8f900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888054a8f980: 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00
>ffff888054a8fa00: 02 f2 f2 04 f2 00 00 02 f2 f2 f2 f2 f2 00 00 00
                                        ^
 ffff888054a8fa80: 00 00 f2 f2 f2 f2 f2 04 f2 00 f2 f2 f2 00 04 f3
 ffff888054a8fb00: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Bluetooth: hci4: SCO packet for unknown connection handle 261
debugfs: '0' already exists in 'hci4'
sysfs: cannot create duplicate filename '/devices/virtual/bluetooth/hci4/hci4:0'
CPU: 0 UID: 0 PID: 6537 Comm: kworker/u11:0 Tainted: G    B               6.19.0-next-20260213 #1 PREEMPT(lazy) 
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Workqueue: hci4 hci_rx_work
Call Trace:
 <TASK>
 dump_stack_lvl+0xfa/0x120
 sysfs_warn_dup+0x80/0xa0
 sysfs_create_dir_ns+0x23b/0x2a0
 kobject_add_internal+0x24c/0x9a0
 kobject_add+0x157/0x240
 device_add+0x32d/0x1830
 hci_conn_add_sysfs+0x117/0x1c0
 le_conn_complete_evt+0x1246/0x1e40
 hci_le_enh_conn_complete_evt+0x22f/0x2e0
 hci_le_meta_evt+0x34b/0x530
 hci_event_packet+0x66c/0x10e0
 hci_rx_work+0x65b/0x8b0
 process_one_work+0x8e1/0x1a40
 worker_thread+0x67e/0xe90
 kthread+0x385/0x490
 ret_from_fork+0x67a/0xab0
 ret_from_fork_asm+0x1a/0x30
 </TASK>
kobject: kobject_add_internal failed for hci4:0 with -EEXIST, don't try to register things with the same name in the same directory.
Bluetooth: hci4: failed to register connection device
Bluetooth: hci4: SCO packet for unknown connection handle 261
Bluetooth: hci4: command 0x0406 tx timeout
Bluetooth: hci4: command 0x0406 tx timeout
Bluetooth: hci4: command 0x0406 tx timeout
Bluetooth: hci4: command 0x0406 tx timeout