program: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) r1 = openat$nci(0xffffffffffffff9c, &(0x7f0000000240), 0x2, 0x0) recvmmsg(r0, &(0x7f0000006240)=[{{0x0, 0x0, &(0x7f0000001780)=[{&(0x7f0000000500)=""/248, 0xf8}, {&(0x7f0000000340)=""/96, 0x60}, {&(0x7f0000000000)=""/42, 0x2a}, {&(0x7f0000000600)=""/172, 0xac}, {&(0x7f0000000140)=""/8, 0x8}, {&(0x7f00000006c0)=""/4096, 0x1000}, {&(0x7f00000016c0)=""/134, 0x86}, {&(0x7f00000001c0)=""/38, 0x26}], 0x8, &(0x7f0000001800)=""/17, 0x11}, 0x8}, {{&(0x7f0000001840)=@caif=@rfm, 0x80, &(0x7f0000002a40)=[{&(0x7f00000018c0)=""/94, 0x5e}, {&(0x7f0000001940)=""/55, 0x37}, {&(0x7f0000001980)}, {&(0x7f00000019c0)=""/4096, 0x1000}, {&(0x7f00000029c0)=""/99, 0x63}], 0x5, &(0x7f0000002ac0)=""/96, 0x60}, 0x6}, {{&(0x7f0000002b40)=@qipcrtr, 0x80, &(0x7f0000002f80)=[{&(0x7f0000002bc0)=""/167, 0xa7}, {&(0x7f0000002c80)=""/128, 0x80}, {&(0x7f0000002d00)=""/6, 0x6}, {&(0x7f0000002d40)=""/234, 0xea}, {&(0x7f0000001980)=""/34, 0x22}, {&(0x7f0000002e80)=""/98, 0x62}, {&(0x7f0000002f00)=""/105, 0x69}], 0x7, &(0x7f0000003000)=""/108, 0x6c}, 0x800}, {{&(0x7f0000003080)=@l2tp={0x2, 0x0, @multicast1}, 0x80, &(0x7f00000034c0)=[{&(0x7f0000003100)=""/160, 0xa0}, {&(0x7f00000031c0)=""/200, 0xc8}, {&(0x7f00000032c0)=""/118, 0x76}, {&(0x7f0000003340)=""/194, 0xc2}, {&(0x7f0000006000)=""/86, 0x56}], 0x5, &(0x7f0000002e40)=""/11, 0xb}, 0x50}, {{&(0x7f0000003580)=@caif=@dgm, 0x80, &(0x7f0000004b40)=[{&(0x7f0000003600)=""/170, 0xaa}, {&(0x7f00000036c0)=""/4096, 0x1000}, {&(0x7f00000046c0)=""/146, 0x92}, {&(0x7f0000004780)=""/209, 0xd1}, {&(0x7f0000004880)=""/49, 0x31}, {&(0x7f00000048c0)=""/184, 0xb8}, {&(0x7f0000004980)=""/214, 0xd6}, {&(0x7f0000004a80)=""/149, 0x95}], 0x8}, 0x6}, {{0x0, 0x0, &(0x7f0000004c80)=[{&(0x7f0000004bc0)=""/150, 0x96}], 0x1, &(0x7f0000004cc0)=""/252, 0xfc}, 0x3}, {{&(0x7f0000004dc0)=@x25={0x9, @remote}, 0x80, &(0x7f0000006100)=[{&(0x7f0000004e40)=""/167, 0xa7}, {&(0x7f0000004f00)=""/4096, 0x1000}, {&(0x7f0000005f00)=""/240, 0xf0}, {&(0x7f0000006440)=""/206, 0xce}], 0x4, &(0x7f0000006140)=""/211, 0xd3}, 0x1}], 0x7, 0x1, &(0x7f0000006400)={0x77359400}) r2 = openat$sndtimer(0xffffffffffffff9c, &(0x7f0000003440), 0x80040) ioctl$SNDRV_TIMER_IOCTL_CREATE(r2, 0xc02054a5, &(0x7f0000006080)={0x7b, r0, 'id0\x00'}) r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="0200300c000800"], 0x11) ioctl$FS_IOC_SET_ENCRYPTION_POLICY(0xffffffffffffffff, 0x40086602, 0x0) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_role_change={{0x12, 0x8}}}, 0xb) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) r4 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r5 = syz_genetlink_get_family_id$nfc(&(0x7f0000000080), r4) mount(0x0, 0x0, 0x0, 0x2, 0x0) ioctl$IOCTL_GET_NCIDEV_IDX(r1, 0x0, &(0x7f00000000c0)=0x0) sendmsg$NFC_CMD_DEV_UP(r3, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000002c0)=ANY=[@ANYBLOB="1c000000", @ANYRES16=r5, @ANYBLOB="010026bd7000fcdbdf250200000008000100", @ANYRES32=r6], 0x1c}}, 0x840) r7 = socket$inet6(0xa, 0x1, 0x0) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r7, 0x29, 0x20, &(0x7f0000000200)={@private0, 0x800, 0x0, 0xff, 0x1}, 0x20) r8 = socket$inet6(0xa, 0x1, 0x0) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r8, 0x29, 0x20, &(0x7f0000000200)={@private0, 0x800, 0x0, 0xff, 0x2}, 0x20) write$nci(r1, &(0x7f0000000300)=@NCI_OP_RF_INTF_ACTIVATED_NTF={0x1, 0x0, 0x3, 0x5, 0x7, @a={0x2, 0x3, 0x0, 0x0, 0x0, 0x7, 0xe, {0x5, 0x2, "8cee", 0x7, 0x10}, 0x40, 0xb, 0xc8, 0x3, 0x3, "5710c7"}}, 0x18) sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f00000003c0)=ANY=[@ANYBLOB="140000001000000000000000000400000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0) sendmsg$NFT_BATCH(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000440)={{0x14, 0x10, 0x1, 0x0, 0x0, {0x5}}, [@NFT_MSG_NEWRULE={0x64, 0x6, 0xa, 0x40b, 0x0, 0x0, {0x2}, [@NFTA_RULE_EXPRESSIONS={0x38, 0x4, 0x0, 0x1, [{0x34, 0x1, 0x0, 0x1, @target={{0xb}, @val={0x24, 0x2, 0x0, 0x1, [@NFTA_TARGET_NAME={0xc, 0x1, 'NFQUEUE\x00'}, @NFTA_TARGET_INFO={0xa, 0x3, "02b51112d439"}, @NFTA_TARGET_REV={0x8, 0x2, 0x1, 0x0, 0x2}]}}}]}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_CHAIN={0x9, 0x2, 'syz2\x00'}]}], {0x14}}, 0x8c}}, 0x0) [ 84.256923][ T4667] Bluetooth: hci0: command tx timeout [ 86.316432][ T45] Bluetooth: hci0: command tx timeout [ 86.397164][ T4667] ================================================================== [ 86.401555][ T4667] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2a0 [ 86.405234][ T4667] Write of size 4 at addr ffff88801ed14010 by task kworker/u5:1/4667 [ 86.408708][ T4667] [ 86.409792][ T4667] CPU: 0 UID: 0 PID: 4667 Comm: kworker/u5:1 Not tainted syzkaller #0 PREEMPT(full) [ 86.409806][ T4667] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 86.409815][ T4667] Workqueue: hci0 hci_cmd_sync_work [ 86.409836][ T4667] Call Trace: [ 86.409843][ T4667] [ 86.409850][ T4667] dump_stack_lvl+0xe8/0x150 [ 86.409869][ T4667] print_report+0xba/0x230 [ 86.409882][ T4667] ? hci_conn_drop+0x34/0x2a0 [ 86.409898][ T4667] kasan_report+0x117/0x150 [ 86.409913][ T4667] ? hci_conn_drop+0x34/0x2a0 [ 86.409928][ T4667] kasan_check_range+0x264/0x2c0 [ 86.409944][ T4667] hci_conn_drop+0x34/0x2a0 [ 86.409958][ T4667] ? __pfx_le_read_features_complete+0x10/0x10 [ 86.409981][ T4667] hci_cmd_sync_work+0x262/0x400 [ 86.409994][ T4667] ? process_scheduled_works+0xa8d/0x18c0 [ 86.410013][ T4667] process_scheduled_works+0xb6e/0x18c0 [ 86.410036][ T4667] ? __pfx_process_scheduled_works+0x10/0x10 [ 86.410055][ T4667] ? assign_work+0x3d5/0x5e0 [ 86.410072][ T4667] worker_thread+0xa53/0xfc0 [ 86.410097][ T4667] kthread+0x388/0x470 [ 86.410111][ T4667] ? __pfx_worker_thread+0x10/0x10 [ 86.410126][ T4667] ? __pfx_kthread+0x10/0x10 [ 86.410140][ T4667] ret_from_fork+0x51e/0xb90 [ 86.410159][ T4667] ? __pfx_ret_from_fork+0x10/0x10 [ 86.410174][ T4667] ? __switch_to+0xc7d/0x1450 [ 86.410192][ T4667] ? __pfx_kthread+0x10/0x10 [ 86.410203][ T4667] ret_from_fork_asm+0x1a/0x30 [ 86.410233][ T4667] [ 86.410239][ T4667] [ 86.481459][ T4667] Allocated by task 4667: [ 86.483440][ T4667] kasan_save_track+0x3e/0x80 [ 86.485626][ T4667] __kasan_kmalloc+0x93/0xb0 [ 86.487708][ T4667] __kmalloc_cache_noprof+0x31c/0x660 [ 86.490333][ T4667] __hci_conn_add+0x3c4/0x1e00 [ 86.492921][ T4667] le_conn_complete_evt+0x706/0x1430 [ 86.495257][ T4667] hci_le_enh_conn_complete_evt+0x189/0x490 [ 86.497698][ T4667] hci_event_packet+0x7af/0x12c0 [ 86.499889][ T4667] hci_rx_work+0x3ee/0x1030 [ 86.502369][ T4667] process_scheduled_works+0xb6e/0x18c0 [ 86.505507][ T4667] worker_thread+0xa53/0xfc0 [ 86.507534][ T4667] kthread+0x388/0x470 [ 86.509320][ T4667] ret_from_fork+0x51e/0xb90 [ 86.511265][ T4667] ret_from_fork_asm+0x1a/0x30 [ 86.513280][ T4667] [ 86.514451][ T4667] Freed by task 45: [ 86.516308][ T4667] kasan_save_track+0x3e/0x80 [ 86.518951][ T4667] kasan_save_free_info+0x46/0x50 [ 86.521489][ T4667] __kasan_slab_free+0x5c/0x80 [ 86.523642][ T4667] kfree+0x1c1/0x630 [ 86.525322][ T4667] device_release+0x9e/0x1d0 [ 86.527366][ T4667] kobject_put+0x228/0x560 [ 86.529419][ T4667] hci_conn_del+0xc36/0x1230 [ 86.532157][ T4667] hci_disconn_complete_evt+0x64e/0x950 [ 86.535326][ T4667] hci_event_packet+0x805/0x12c0 [ 86.537618][ T4667] hci_rx_work+0x3ee/0x1030 [ 86.539660][ T4667] process_scheduled_works+0xb6e/0x18c0 [ 86.542064][ T4667] worker_thread+0xa53/0xfc0 [ 86.544086][ T4667] kthread+0x388/0x470 [ 86.546080][ T4667] ret_from_fork+0x51e/0xb90 [ 86.548459][ T4667] ret_from_fork_asm+0x1a/0x30 [ 86.550835][ T4667] [ 86.551924][ T4667] The buggy address belongs to the object at ffff88801ed14000 [ 86.551924][ T4667] which belongs to the cache kmalloc-8k of size 8192 [ 86.558185][ T4667] The buggy address is located 16 bytes inside of [ 86.558185][ T4667] freed 8192-byte region [ffff88801ed14000, ffff88801ed16000) [ 86.565119][ T4667] [ 86.566275][ T4667] The buggy address belongs to the physical page: [ 86.569220][ T4667] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1ed10 [ 86.573795][ T4667] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 86.578279][ T4667] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 86.581438][ T4667] page_type: f5(slab) [ 86.583175][ T4667] raw: 00fff00000000040 ffff88801ac42280 dead000000000122 0000000000000000 [ 86.587484][ T4667] raw: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000 [ 86.591728][ T4667] head: 00fff00000000040 ffff88801ac42280 dead000000000122 0000000000000000 [ 86.595979][ T4667] head: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000 [ 86.599810][ T4667] head: 00fff00000000003 ffffea00007b4401 00000000ffffffff 00000000ffffffff [ 86.604278][ T4667] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 86.608721][ T4667] page dumped because: kasan: bad access detected [ 86.611598][ T4667] page_owner tracks the page as allocated [ 86.614137][ T4667] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4667, tgid 4667 (kworker/u5:1), ts 84380752693, free_ts 84370489345 [ 86.624669][ T4667] post_alloc_hook+0x231/0x280 [ 86.626853][ T4667] get_page_from_freelist+0x24dc/0x2580 [ 86.629443][ T4667] __alloc_frozen_pages_noprof+0x18d/0x380 [ 86.632106][ T4667] allocate_slab+0x77/0x660 [ 86.634245][ T4667] refill_objects+0x331/0x3c0 [ 86.636364][ T4667] __pcs_replace_empty_main+0x2e6/0x730 [ 86.639059][ T4667] __kmalloc_cache_noprof+0x392/0x660 [ 86.641470][ T4667] __hci_conn_add+0x3c4/0x1e00 [ 86.643267][ T4667] le_conn_complete_evt+0x706/0x1430 [ 86.645376][ T4667] hci_le_enh_conn_complete_evt+0x189/0x490 [ 86.648195][ T4667] hci_event_packet+0x7af/0x12c0 [ 86.650892][ T4667] hci_rx_work+0x3ee/0x1030 [ 86.653439][ T4667] process_scheduled_works+0xb6e/0x18c0 [ 86.656035][ T4667] worker_thread+0xa53/0xfc0 [ 86.658180][ T4667] kthread+0x388/0x470 [ 86.660008][ T4667] ret_from_fork+0x51e/0xb90 [ 86.662114][ T4667] page last free pid 5294 tgid 5294 stack trace: [ 86.665524][ T4667] __free_frozen_pages+0xc2b/0xdb0 [ 86.668101][ T4667] __slab_free+0x263/0x2b0 [ 86.670213][ T4667] qlist_free_all+0x97/0x100 [ 86.672221][ T4667] kasan_quarantine_reduce+0x148/0x160 [ 86.674544][ T4667] __kasan_slab_alloc+0x22/0x80 [ 86.677141][ T4667] __kmalloc_cache_noprof+0x2ba/0x660 [ 86.680067][ T4667] kernfs_fop_open+0x397/0xca0 [ 86.682205][ T4667] do_dentry_open+0x785/0x14e0 [ 86.684279][ T4667] vfs_open+0x3b/0x340 [ 86.686238][ T4667] path_openat+0x2e08/0x3860 [ 86.688208][ T4667] do_file_open+0x23e/0x4a0 [ 86.690934][ T4667] do_sys_openat2+0x113/0x200 [ 86.693770][ T4667] __x64_sys_openat+0x138/0x170 [ 86.695947][ T4667] do_syscall_64+0x14d/0xf80 [ 86.698152][ T4667] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.701179][ T4667] [ 86.702492][ T4667] Memory state around the buggy address: [ 86.706198][ T4667] ffff88801ed13f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 86.711000][ T4667] ffff88801ed13f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 86.714261][ T4667] >ffff88801ed14000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 86.717584][ T4667] ^ [ 86.720488][ T4667] ffff88801ed14080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 86.723939][ T4667] ffff88801ed14100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 86.727396][ T4667] ================================================================== [ 86.739646][ T4667] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 86.743188][ T4667] CPU: 0 UID: 0 PID: 4667 Comm: kworker/u5:1 Not tainted syzkaller #0 PREEMPT(full) [ 86.748239][ T4667] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 86.753609][ T4667] Workqueue: hci0 hci_cmd_sync_work [ 86.756196][ T4667] Call Trace: [ 86.758279][ T4667] [ 86.759933][ T4667] vpanic+0x56c/0xa60 [ 86.762085][ T4667] ? __pfx_vpanic+0x10/0x10 [ 86.764069][ T4667] panic+0xc5/0xd0 [ 86.765720][ T4667] ? __pfx_panic+0x10/0x10 [ 86.767803][ T4667] ? preempt_schedule_thunk+0x16/0x30 [ 86.770369][ T4667] ? preempt_schedule_thunk+0x16/0x30 [ 86.773056][ T4667] ? hci_conn_drop+0x34/0x2a0 [ 86.775267][ T4667] check_panic_on_warn+0x89/0xb0 [ 86.777582][ T4667] ? hci_conn_drop+0x34/0x2a0 [ 86.779859][ T4667] end_report+0x73/0x180 [ 86.781857][ T4667] ? hci_conn_drop+0x34/0x2a0 [ 86.784184][ T4667] kasan_report+0x128/0x150 [ 86.786660][ T4667] ? hci_conn_drop+0x34/0x2a0 [ 86.788964][ T4667] kasan_check_range+0x264/0x2c0 [ 86.791262][ T4667] hci_conn_drop+0x34/0x2a0 [ 86.793283][ T4667] ? __pfx_le_read_features_complete+0x10/0x10 [ 86.795837][ T4667] hci_cmd_sync_work+0x262/0x400 [ 86.798359][ T4667] ? process_scheduled_works+0xa8d/0x18c0 [ 86.801816][ T4667] process_scheduled_works+0xb6e/0x18c0 [ 86.804441][ T4667] ? __pfx_process_scheduled_works+0x10/0x10 [ 86.807175][ T4667] ? assign_work+0x3d5/0x5e0 [ 86.809305][ T4667] worker_thread+0xa53/0xfc0 [ 86.811603][ T4667] kthread+0x388/0x470 [ 86.814027][ T4667] ? __pfx_worker_thread+0x10/0x10 [ 86.816881][ T4667] ? __pfx_kthread+0x10/0x10 [ 86.819397][ T4667] ret_from_fork+0x51e/0xb90 [ 86.821636][ T4667] ? __pfx_ret_from_fork+0x10/0x10 [ 86.824522][ T4667] ? __switch_to+0xc7d/0x1450 [ 86.826776][ T4667] ? __pfx_kthread+0x10/0x10 [ 86.828936][ T4667] ret_from_fork_asm+0x1a/0x30 [ 86.831010][ T4667] [ 86.832855][ T4667] Kernel Offset: disabled [ 86.834832][ T4667] Rebooting in 86400 seconds..