program: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000280), 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x4, 0x0, 0x100000, 0x1000, &(0x7f0000004000/0x1000)=nil}) r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x1) syz_kvm_setup_cpu$x86(r1, r2, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000600)=[@text64={0x40, 0x0}], 0x1, 0x10, 0x0, 0x0) r3 = socket(0x840000000002, 0x3, 0xfa) ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000000)={0x1fd, 0x0, 0x60000, 0x1000, &(0x7f0000aae000/0x1000)=nil}) connect$inet(r3, &(0x7f0000000140)={0x2, 0x0, @remote}, 0x10) syz_usb_connect$cdc_ecm(0x2, 0x0, 0x0, 0x0) r4 = socket(0x2a, 0x2, 0x0) getsockname$packet(r4, &(0x7f0000000200)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000001480)=0x14) sendmsg$nl_route_sched(r3, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000180)=@gettfilter={0x0, 0x2e, 0x8, 0x70bd26, 0x25dfdbfc, {0x0, 0x0, 0x0, 0x0, {0x0, 0xffff}, {0x9, 0x2}, {0xb, 0x3}}, [{0x0, 0xb, 0x5}, {0x0, 0xb, 0xd07}, {0x0, 0xb, 0x74e}]}, 0x3f}}, 0x80) sendmsg$IPCTNL_MSG_CT_NEW(0xffffffffffffffff, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000000c0)={0x0}}, 0x0) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000340)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000380)=@newtfilter={0x44, 0x2c, 0xd27, 0x70bd2d, 0x0, {0x0, 0x0, 0x0, r5, {0xe}, {}, {0x8, 0xffe0}}, [@filter_kind_options=@f_flow={{0x9}, {0x14, 0x2, [@TCA_FLOW_MODE={0x8, 0x2, 0x1}, @TCA_FLOW_KEYS={0x8, 0x1, 0x15864}]}}]}, 0x44}}, 0x4000) r6 = socket$netlink(0x10, 0x3, 0x0) sendmsg$IPCTNL_MSG_TIMEOUT_DEFAULT_SET(0xffffffffffffffff, &(0x7f0000000480)={0x0, 0x0, &(0x7f0000000440)={&(0x7f00000003c0)=ANY=[@ANYBLOB="1c0002"], 0x1c}, 0x1, 0x0, 0x0, 0x4010}, 0x4) sendmmsg(r6, &(0x7f00000002c0), 0x40000000000009f, 0x0) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="0200300c000800"], 0x11) ioctl$FS_IOC_SET_ENCRYPTION_POLICY(0xffffffffffffffff, 0x40086602, 0x0) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_role_change={{0x12, 0x8}}}, 0xb) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) sendmmsg$inet(r3, &(0x7f0000005240), 0x4000095, 0x0) ioctl$KVM_RUN(r2, 0xae80, 0x0) [ 104.526529][ T5306] Bluetooth: hci0: command tx timeout [ 106.615579][ T4670] Bluetooth: hci0: command tx timeout [ 106.846606][ T5306] ================================================================== [ 106.850717][ T5306] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2a0 [ 106.854619][ T5306] Write of size 4 at addr ffff888012380010 by task kworker/u5:2/5306 [ 106.871454][ T5306] [ 106.872922][ T5306] CPU: 0 UID: 0 PID: 5306 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) [ 106.872948][ T5306] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 106.872960][ T5306] Workqueue: hci0 hci_cmd_sync_work [ 106.872993][ T5306] Call Trace: [ 106.873003][ T5306] [ 106.873010][ T5306] dump_stack_lvl+0xe8/0x150 [ 106.873033][ T5306] print_report+0xba/0x230 [ 106.873049][ T5306] ? hci_conn_drop+0x34/0x2a0 [ 106.873064][ T5306] kasan_report+0x117/0x150 [ 106.873082][ T5306] ? hci_conn_drop+0x34/0x2a0 [ 106.873099][ T5306] kasan_check_range+0x264/0x2c0 [ 106.873115][ T5306] hci_conn_drop+0x34/0x2a0 [ 106.873130][ T5306] ? __pfx_le_read_features_complete+0x10/0x10 [ 106.873151][ T5306] hci_cmd_sync_work+0x262/0x400 [ 106.873172][ T5306] ? process_scheduled_works+0xa25/0x1830 [ 106.873191][ T5306] process_scheduled_works+0xb02/0x1830 [ 106.873217][ T5306] ? __pfx_process_scheduled_works+0x10/0x10 [ 106.873238][ T5306] ? assign_work+0x3d5/0x5e0 [ 106.873257][ T5306] worker_thread+0xa50/0xfc0 [ 106.873296][ T5306] kthread+0x388/0x470 [ 106.873310][ T5306] ? __pfx_worker_thread+0x10/0x10 [ 106.873326][ T5306] ? __pfx_kthread+0x10/0x10 [ 106.873339][ T5306] ret_from_fork+0x51e/0xb90 [ 106.873359][ T5306] ? __pfx_ret_from_fork+0x10/0x10 [ 106.873376][ T5306] ? __switch_to+0xc7d/0x1450 [ 106.873396][ T5306] ? __pfx_kthread+0x10/0x10 [ 106.873410][ T5306] ret_from_fork_asm+0x1a/0x30 [ 106.873438][ T5306] [ 106.873443][ T5306] [ 106.988781][ T5306] Allocated by task 5306: [ 106.990602][ T5306] kasan_save_track+0x3e/0x80 [ 106.994390][ T5306] __kasan_kmalloc+0x93/0xb0 [ 107.000749][ T5306] __kmalloc_cache_noprof+0x31c/0x660 [ 107.004551][ T5306] __hci_conn_add+0x3c4/0x1e00 [ 107.007450][ T5306] le_conn_complete_evt+0x706/0x1430 [ 107.010775][ T5306] hci_le_enh_conn_complete_evt+0x189/0x490 [ 107.014248][ T5306] hci_event_packet+0x7af/0x12c0 [ 107.017322][ T5306] hci_rx_work+0x3ee/0x1030 [ 107.021902][ T5306] process_scheduled_works+0xb02/0x1830 [ 107.028932][ T5306] worker_thread+0xa50/0xfc0 [ 107.033897][ T5306] kthread+0x388/0x470 [ 107.039095][ T5306] ret_from_fork+0x51e/0xb90 [ 107.043029][ T5306] ret_from_fork_asm+0x1a/0x30 [ 107.050243][ T5306] [ 107.053601][ T5306] Freed by task 4670: [ 107.059352][ T5306] kasan_save_track+0x3e/0x80 [ 107.061678][ T5306] kasan_save_free_info+0x46/0x50 [ 107.069419][ T5306] __kasan_slab_free+0x5c/0x80 [ 107.075761][ T5306] kfree+0x1c1/0x630 [ 107.077965][ T5306] device_release+0x9e/0x1d0 [ 107.086602][ T5306] kobject_put+0x228/0x560 [ 107.089247][ T5306] hci_conn_del+0xc36/0x1230 [ 107.091678][ T5306] hci_disconn_complete_evt+0x64e/0x950 [ 107.094405][ T5306] hci_event_packet+0x805/0x12c0 [ 107.107036][ T5306] hci_rx_work+0x3ee/0x1030 [ 107.109417][ T5306] process_scheduled_works+0xb02/0x1830 [ 107.112713][ T5306] worker_thread+0xa50/0xfc0 [ 107.121861][ T5306] kthread+0x388/0x470 [ 107.123641][ T5306] ret_from_fork+0x51e/0xb90 [ 107.136374][ T5306] ret_from_fork_asm+0x1a/0x30 [ 107.138798][ T5306] [ 107.139924][ T5306] The buggy address belongs to the object at ffff888012380000 [ 107.139924][ T5306] which belongs to the cache kmalloc-8k of size 8192 [ 107.157026][ T5306] The buggy address is located 16 bytes inside of [ 107.157026][ T5306] freed 8192-byte region [ffff888012380000, ffff888012382000) [ 107.165994][ T5306] [ 107.167242][ T5306] The buggy address belongs to the physical page: [ 107.179770][ T5306] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12380 [ 107.183658][ T5306] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 107.198021][ T5306] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 107.201694][ T5306] page_type: f5(slab) [ 107.206529][ T5306] raw: 00fff00000000040 ffff88801ac42280 dead000000000100 dead000000000122 [ 107.219939][ T5306] raw: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000 [ 107.223826][ T5306] head: 00fff00000000040 ffff88801ac42280 dead000000000100 dead000000000122 [ 107.238269][ T5306] head: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000 [ 107.243210][ T5306] head: 00fff00000000003 ffffea000048e001 00000000ffffffff 00000000ffffffff [ 107.258590][ T5306] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 107.263359][ T5306] page dumped because: kasan: bad access detected [ 107.267527][ T5306] page_owner tracks the page as allocated [ 107.270338][ T5306] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4696, tgid 4696 (init), ts 37861307074, free_ts 37053818140 [ 107.296961][ T5306] post_alloc_hook+0x231/0x280 [ 107.306304][ T5306] get_page_from_freelist+0x24dc/0x2580 [ 107.316886][ T5306] __alloc_frozen_pages_noprof+0x18d/0x380 [ 107.321585][ T5306] allocate_slab+0x77/0x660 [ 107.325657][ T5306] refill_objects+0x331/0x3c0 [ 107.337550][ T5306] __pcs_replace_empty_main+0x2f9/0x5e0 [ 107.341339][ T5306] __kmalloc_cache_noprof+0x392/0x660 [ 107.344166][ T5306] tomoyo_init_log+0x112e/0x1fb0 [ 107.357540][ T5306] tomoyo_supervisor+0x353/0x1570 [ 107.360154][ T5306] tomoyo_env_perm+0x151/0x1f0 [ 107.362926][ T5306] tomoyo_find_next_domain+0x15cb/0x1aa0 [ 107.376800][ T5306] tomoyo_bprm_check_security+0x11b/0x180 [ 107.380637][ T5306] security_bprm_check+0x85/0x240 [ 107.383447][ T5306] bprm_execve+0x896/0x1460 [ 107.396000][ T5306] do_execveat_common+0x50d/0x690 [ 107.398884][ T5306] __x64_sys_execve+0x97/0xc0 [ 107.401787][ T5306] page last free pid 1 tgid 1 stack trace: [ 107.406132][ T5306] __free_frozen_pages+0xc2b/0xdb0 [ 107.408827][ T5306] free_reserved_page+0xce/0x120 [ 107.411767][ T5306] free_reserved_area+0x90/0x190 [ 107.426542][ T5306] free_kernel_image_pages+0xa2/0x100 [ 107.428884][ T5306] kernel_init+0x31/0x1d0 [ 107.436623][ T5306] ret_from_fork+0x51e/0xb90 [ 107.439099][ T5306] ret_from_fork_asm+0x1a/0x30 [ 107.441398][ T5306] [ 107.442650][ T5306] Memory state around the buggy address: [ 107.456017][ T5306] ffff88801237ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 107.460747][ T5306] ffff88801237ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 107.475294][ T5306] >ffff888012380000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 107.479596][ T5306] ^ [ 107.485766][ T5306] ffff888012380080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 107.489538][ T5306] ffff888012380100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 107.505733][ T5306] ================================================================== [ 107.550553][ T5306] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 107.558362][ T5306] CPU: 0 UID: 0 PID: 5306 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) [ 107.568706][ T5306] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 107.586185][ T5306] Workqueue: hci0 hci_cmd_sync_work [ 107.589430][ T5306] Call Trace: [ 107.591643][ T5306] [ 107.596028][ T5306] vpanic+0x56c/0xa60 [ 107.597993][ T5306] ? __pfx_vpanic+0x10/0x10 [ 107.600175][ T5306] panic+0xc5/0xd0 [ 107.606884][ T5306] ? __pfx_panic+0x10/0x10 [ 107.617079][ T5306] ? preempt_schedule_thunk+0x16/0x30 [ 107.619782][ T5306] ? preempt_schedule_thunk+0x16/0x30 [ 107.622476][ T5306] ? hci_conn_drop+0x34/0x2a0 [ 107.636554][ T5306] check_panic_on_warn+0x89/0xb0 [ 107.639367][ T5306] ? hci_conn_drop+0x34/0x2a0 [ 107.642404][ T5306] end_report+0x73/0x180 [ 107.645136][ T5306] ? hci_conn_drop+0x34/0x2a0 [ 107.655901][ T5306] kasan_report+0x128/0x150 [ 107.658520][ T5306] ? hci_conn_drop+0x34/0x2a0 [ 107.660808][ T5306] kasan_check_range+0x264/0x2c0 [ 107.665888][ T5306] hci_conn_drop+0x34/0x2a0 [ 107.676272][ T5306] ? __pfx_le_read_features_complete+0x10/0x10 [ 107.679962][ T5306] hci_cmd_sync_work+0x262/0x400 [ 107.686138][ T5306] ? process_scheduled_works+0xa25/0x1830 [ 107.688944][ T5306] process_scheduled_works+0xb02/0x1830 [ 107.692718][ T5306] ? __pfx_process_scheduled_works+0x10/0x10 [ 107.708018][ T5306] ? assign_work+0x3d5/0x5e0 [ 107.710430][ T5306] worker_thread+0xa50/0xfc0 [ 107.715965][ T5306] kthread+0x388/0x470 [ 107.718305][ T5306] ? __pfx_worker_thread+0x10/0x10 [ 107.721071][ T5306] ? __pfx_kthread+0x10/0x10 [ 107.736281][ T5306] ret_from_fork+0x51e/0xb90 [ 107.738813][ T5306] ? __pfx_ret_from_fork+0x10/0x10 [ 107.741669][ T5306] ? __switch_to+0xc7d/0x1450 [ 107.744329][ T5306] ? __pfx_kthread+0x10/0x10 [ 107.757976][ T5306] ret_from_fork_asm+0x1a/0x30 [ 107.760755][ T5306] [ 107.762735][ T5306] Kernel Offset: disabled [ 107.775953][ T5306] Rebooting in 86400 seconds..