program:
syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22)
r0 = socket$packet(0x11, 0x3, 0x300)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000880)={'macvlan1\x00', <r1=>0x0})
sendto$packet(r0, &(0x7f00000002c0)="0503d6fcd3fc0300137347888808", 0xe, 0x0, &(0x7f0000000140)={0x11, 0x0, r1, 0x1, 0x0, 0x6, @local}, 0x14)
r2 = semget$private(0x0, 0x6, 0x0)
semtimedop(r2, &(0x7f00000003c0)=[{0x2, 0x4, 0x1800}], 0x1, 0x0)
semop(r2, &(0x7f00000000c0)=[{0x4}, {0x2}], 0x2)
syz_emit_vhci(&(0x7f00000001c0)=ANY=[@ANYRESHEX=r2], 0x11)
syz_emit_vhci(&(0x7f0000000000)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x0, 0x2, 0x1a}, @l2cap_cid_le_signaling={{0x16}, @l2cap_ecred_conn_rsp={{0x18, 0x40, 0x12}, {0x4, 0x9, 0x2, 0x0, [0x8, 0xc, 0x101, 0xcc, 0x9]}}}}, 0x1f)
syz_mount_image$ext4(&(0x7f0000000040)='ext4\x00', &(0x7f0000000200)='./file1\x00', 0x408e, &(0x7f0000000240)={[{@debug_want_extra_isize={'debug_want_extra_isize', 0x3d, 0x2e}}, {@nombcache}, {@inode_readahead_blks={'inode_readahead_blks', 0x3d, 0x2}}, {@stripe={'stripe', 0x3d, 0x2004000}}, {@max_batch_time={'max_batch_time', 0x3d, 0x2}}, {@max_batch_time={'max_batch_time', 0x3d, 0x4}}]}, 0x3, 0x43a, &(0x7f0000000780)="$eJzs28tvG0UYAPBv13FKXySU8ugDCBRExCNp0gI9cAGBxAEkJDiUY0jSqtRtUBMkWlUQECpHVIk74ojEX8AJLgg4IXGFO6pUoVxaOBmtvZs4jp0mwY5L/ftJm8zsjjPzeXbs2Z1sAH1rJPuRROyJiN8jYqieXV1gpP7r5tLl6b+XLk8nUa2+9VdSK3dj6fJ0UbR43e48M5pGpJ8lcahFvfMXL52dqlRmL+T58YVz74/PX7z07JlzU6dnT8+enzxx4vixiReen3yuI3Fmbbpx8KO5wwdee+fqG9Mnr77787dJEX9THB0yst7BJ6rVDlfXW3sb0slADxvCppQiIuuucm38D0UpVjpvKF79tKeNA7qqWq1Wd7c/vFgF7mBJbLTk2fzzArgzFF/02fVvsW3T1OO2cP2l+gVQFvfNfKsfGYg0L1Nuur7tpJGIOLn4z1fZFt25DwEAsMr32fznmVbzvzTubyh3d742NBwR90TEvoi4NyL2R8R9EbWyD0TEg5usv3mRZO38J722pcA2KJv/vZivba2e/xWzvxgu5bm9tfjLyakzldmj+XsyGuUdWX5inTp+eOW3L9oda5z/ZVtWfzEXzNtxbWDH6tfMTC1M/ZeYG13/JOLgQKv4k+WVgCQiDkTEwS3Wceapbw63O9Yu/vJG/nAH1pmqX0c8We//xWiKv5Csvz45fldUZo+OF2fFWr/8euXNdvXfuv+7K+v/XS3P/+X4h5PG9dr5zddx5Y/P217TbPX8H0zerqUH830fTi0sXJiIGExerze6cf/kymuLfFE+i3/0SOvxvy9W3olDEZGdxA9FxMMR8Uje9kcj4rGIOLJO/D+9/Ph7W4+/u7L4ZzbV/yuJwWje0zpROvvjd6sqHd5M/Fn/H6+lRvM9G/n820i7tnY2AwAAwP9PGhF7IknHltNpOjZW/3/5/bErrczNLzx9au6D8zP1ZwSGo5wWd7qGGu6HTuSX9UV+sil/LL9v/GVpZy0/Nj1Xmel18NDndrcZ/5k/S71uHdB1nteC/mX8Q/8y/qF/Gf/Qv1qM/529aAew/Vp9/3/cg3YA269p/Fv2gz7i+h/6l/EP/cv4h740vzNu/ZC8hMSaRKS3RTMkupTo9ScTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAZ/wbAAD//9E940M=")
mkdir(&(0x7f0000000300)='./bus\x00', 0x0)
chdir(&(0x7f00000003c0)='./bus\x00')
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000140)='cpuset.memory_pressure\x00', 0x275a, 0x0)
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='hugetlb.2MB.usage_in_bytes\x00', 0x275a, 0x0)
ioctl$FS_IOC_SET_ENCRYPTION_POLICY(0xffffffffffffffff, 0x40086602, 0x0)
perf_event_open(&(0x7f0000000040)={0x2, 0x80, 0xd2, 0x1, 0x0, 0x0, 0x0, 0x4, 0x14100, 0x19, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3b, 0x4, @perf_bp={0x0, 0xd}, 0x11fd61, 0x2, 0x3fffffe, 0x7, 0x0, 0xfffffe, 0x1000, 0x0, 0x0, 0x0, 0x9}, 0x0, 0x0, 0xffffffffffffffff, 0xa)
perf_event_open(&(0x7f0000000040)={0x2, 0x80, 0xc0, 0x1, 0x0, 0x0, 0x0, 0x1, 0x40, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0, 0x1}, 0x0, 0x53, 0x2, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2000000}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
mlock(&(0x7f0000000000/0x800000)=nil, 0x800000)
madvise(&(0x7f0000000000/0x400000)=nil, 0x400000, 0xc)
r3 = openat$sysctl(0xffffffffffffff9c, &(0x7f0000000080)='/sys/kernel/mm/ksm/run\x00', 0x1, 0x0)
write$sysctl(r3, &(0x7f0000000580)='1\x00', 0x2)
syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000080)=ANY=[@ANYBLOB="12010000000000406a0563000000000000010902"], 0x0)
write$sysctl(r3, &(0x7f00000000c0)='2\x00', 0x2)
r4 = openat$6lowpan_control(0xffffffffffffff9c, &(0x7f0000000180), 0x2, 0x0)
write$6lowpan_control(r4, &(0x7f0000000140)='disconnect aa:aa:aa:aa:aa:10 0', 0x1e)
semctl$IPC_RMID(0x0, 0x0, 0x0)
syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="04230d05c800cb063adb1f6d0572f7b9"], 0x10)
syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_role_change={{0x12, 0x8}}}, 0xb)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)

[   83.246622][ T5307] Bluetooth: hci0: command tx timeout
[   83.251207][ T1315] ieee802154 phy0 wpan0: encryption failed: -22
[   83.265430][ T1315] ieee802154 phy1 wpan1: encryption failed: -22
[   83.444822][ T5331] loop0: detected capacity change from 0 to 512
[   83.467888][ T5331] EXT4-fs: Warning: mounting with data=journal disables delayed allocation, dioread_nolock, O_DIRECT and fast_commit support!
[   83.485976][ T5331] EXT4-fs (loop0): encrypted files will use data=ordered instead of data journaling mode
[   83.510409][ T5331] EXT4-fs (loop0): 1 truncate cleaned up
[   83.524521][ T5331] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
[   83.914486][ T4721] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[   84.067959][ T4721] usb 5-1: config index 0 descriptor too short (expected 28277, got 36)
[   84.072525][ T4721] usb 5-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config
[   84.077495][ T4721] usb 5-1: config 0 has no interfaces?
[   84.080232][ T4721] usb 5-1: New USB device found, idVendor=056a, idProduct=0063, bcdDevice= 0.00
[   84.088634][ T4721] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[   84.104052][ T4721] usb 5-1: config 0 descriptor??
[   84.828772][ T4721] usb 5-1: string descriptor 0 read error: -71
[   84.866201][ T4721] usb 5-1: USB disconnect, device number 2
[   85.305566][ T4673] Bluetooth: hci0: command tx timeout
[   85.385314][ T5307] ==================================================================
[   85.388391][ T5307] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2a0
[   85.391964][ T5307] Write of size 4 at addr ffff88801260c010 by task kworker/u5:2/5307
[   85.396573][ T5307] 
[   85.397857][ T5307] CPU: 0 UID: 0 PID: 5307 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) 
[   85.397876][ T5307] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   85.397887][ T5307] Workqueue: hci0 hci_cmd_sync_work
[   85.397911][ T5307] Call Trace:
[   85.397919][ T5307]  <TASK>
[   85.397926][ T5307]  dump_stack_lvl+0xe8/0x150
[   85.397947][ T5307]  print_report+0xba/0x230
[   85.397962][ T5307]  ? hci_conn_drop+0x34/0x2a0
[   85.397975][ T5307]  kasan_report+0x117/0x150
[   85.397989][ T5307]  ? hci_conn_drop+0x34/0x2a0
[   85.398003][ T5307]  kasan_check_range+0x264/0x2c0
[   85.398016][ T5307]  hci_conn_drop+0x34/0x2a0
[   85.398030][ T5307]  ? __pfx_le_read_features_complete+0x10/0x10
[   85.398042][ T5307]  hci_cmd_sync_work+0x262/0x400
[   85.398056][ T5307]  ? process_scheduled_works+0xa8d/0x18c0
[   85.398073][ T5307]  process_scheduled_works+0xb6e/0x18c0
[   85.398094][ T5307]  ? __pfx_process_scheduled_works+0x10/0x10
[   85.398108][ T5307]  ? assign_work+0x3d5/0x5e0
[   85.398121][ T5307]  worker_thread+0xa53/0xfc0
[   85.398141][ T5307]  kthread+0x388/0x470
[   85.398153][ T5307]  ? __pfx_worker_thread+0x10/0x10
[   85.398167][ T5307]  ? __pfx_kthread+0x10/0x10
[   85.398177][ T5307]  ret_from_fork+0x51e/0xb90
[   85.398195][ T5307]  ? __pfx_ret_from_fork+0x10/0x10
[   85.398208][ T5307]  ? __switch_to+0xc7d/0x1450
[   85.398240][ T5307]  ? __pfx_kthread+0x10/0x10
[   85.398250][ T5307]  ret_from_fork_asm+0x1a/0x30
[   85.398270][ T5307]  </TASK>
[   85.398275][ T5307] 
[   85.468305][ T5307] Allocated by task 5307:
[   85.470453][ T5307]  kasan_save_track+0x3e/0x80
[   85.473011][ T5307]  __kasan_kmalloc+0x93/0xb0
[   85.475487][ T5307]  __kmalloc_cache_noprof+0x31c/0x660
[   85.477926][ T5307]  __hci_conn_add+0x3c4/0x1e00
[   85.480065][ T5307]  le_conn_complete_evt+0x706/0x1430
[   85.482472][ T5307]  hci_le_enh_conn_complete_evt+0x189/0x490
[   85.485397][ T5307]  hci_event_packet+0x7af/0x12c0
[   85.487744][ T5307]  hci_rx_work+0x3ee/0x1030
[   85.489893][ T5307]  process_scheduled_works+0xb6e/0x18c0
[   85.492494][ T5307]  worker_thread+0xa53/0xfc0
[   85.494489][ T5307]  kthread+0x388/0x470
[   85.496244][ T5307]  ret_from_fork+0x51e/0xb90
[   85.498608][ T5307]  ret_from_fork_asm+0x1a/0x30
[   85.501083][ T5307] 
[   85.502255][ T5307] Freed by task 4673:
[   85.503932][ T5307]  kasan_save_track+0x3e/0x80
[   85.506103][ T5307]  kasan_save_free_info+0x46/0x50
[   85.508418][ T5307]  __kasan_slab_free+0x5c/0x80
[   85.510976][ T5307]  kfree+0x1c1/0x630
[   85.513467][ T5307]  device_release+0x9e/0x1d0
[   85.516707][ T5307]  kobject_put+0x228/0x560
[   85.518911][ T5307]  hci_conn_del+0xc36/0x1230
[   85.521133][ T5307]  hci_disconn_complete_evt+0x64e/0x950
[   85.523464][ T5307]  hci_event_packet+0x805/0x12c0
[   85.525642][ T5307]  hci_rx_work+0x3ee/0x1030
[   85.527565][ T5307]  process_scheduled_works+0xb6e/0x18c0
[   85.529984][ T5307]  worker_thread+0xa53/0xfc0
[   85.531995][ T5307]  kthread+0x388/0x470
[   85.533941][ T5307]  ret_from_fork+0x51e/0xb90
[   85.536164][ T5307]  ret_from_fork_asm+0x1a/0x30
[   85.538389][ T5307] 
[   85.539496][ T5307] The buggy address belongs to the object at ffff88801260c000
[   85.539496][ T5307]  which belongs to the cache kmalloc-8k of size 8192
[   85.545588][ T5307] The buggy address is located 16 bytes inside of
[   85.545588][ T5307]  freed 8192-byte region [ffff88801260c000, ffff88801260e000)
[   85.552185][ T5307] 
[   85.553295][ T5307] The buggy address belongs to the physical page:
[   85.556569][ T5307] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12608
[   85.560674][ T5307] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   85.564548][ T5307] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[   85.568667][ T5307] page_type: f5(slab)
[   85.570947][ T5307] raw: 00fff00000000040 ffff88801ac42280 dead000000000100 dead000000000122
[   85.575120][ T5307] raw: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000
[   85.578975][ T5307] head: 00fff00000000040 ffff88801ac42280 dead000000000100 dead000000000122
[   85.583404][ T5307] head: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000
[   85.587639][ T5307] head: 00fff00000000003 ffffea0000498201 00000000ffffffff 00000000ffffffff
[   85.591739][ T5307] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[   85.595435][ T5307] page dumped because: kasan: bad access detected
[   85.599192][ T5307] page_owner tracks the page as allocated
[   85.602222][ T5307] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4694, tgid 4694 (init), ts 29650046122, free_ts 29225348370
[   85.611617][ T5307]  post_alloc_hook+0x231/0x280
[   85.614095][ T5307]  get_page_from_freelist+0x24dc/0x2580
[   85.617119][ T5307]  __alloc_frozen_pages_noprof+0x18d/0x380
[   85.620007][ T5307]  allocate_slab+0x77/0x660
[   85.622018][ T5307]  refill_objects+0x331/0x3c0
[   85.624221][ T5307]  __pcs_replace_empty_main+0x2e6/0x730
[   85.626558][ T5307]  __kmalloc_cache_noprof+0x392/0x660
[   85.629177][ T5307]  tomoyo_init_log+0x112e/0x1fb0
[   85.631773][ T5307]  tomoyo_supervisor+0x353/0x1570
[   85.634149][ T5307]  tomoyo_env_perm+0x151/0x1f0
[   85.636781][ T5307]  tomoyo_find_next_domain+0x15cb/0x1aa0
[   85.639460][ T5307]  tomoyo_bprm_check_security+0x11b/0x180
[   85.642365][ T5307]  security_bprm_check+0x85/0x240
[   85.644640][ T5307]  bprm_execve+0x896/0x1460
[   85.647150][ T5307]  do_execveat_common+0x50d/0x690
[   85.649670][ T5307]  __x64_sys_execve+0x97/0xc0
[   85.652800][ T5307] page last free pid 1 tgid 1 stack trace:
[   85.655452][ T5307]  __free_frozen_pages+0xc2b/0xdb0
[   85.657707][ T5307]  free_reserved_page+0xce/0x120
[   85.660257][ T5307]  free_reserved_area+0x90/0x190
[   85.662432][ T5307]  free_kernel_image_pages+0xa2/0x100
[   85.665348][ T5307]  kernel_init+0x31/0x1d0
[   85.667615][ T5307]  ret_from_fork+0x51e/0xb90
[   85.669926][ T5307]  ret_from_fork_asm+0x1a/0x30
[   85.671997][ T5307] 
[   85.673048][ T5307] Memory state around the buggy address:
[   85.675496][ T5307]  ffff88801260bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   85.679216][ T5307]  ffff88801260bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   85.682761][ T5307] >ffff88801260c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   85.686077][ T5307]                          ^
[   85.687940][ T5307]  ffff88801260c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   85.691706][ T5307]  ffff88801260c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   85.695513][ T5307] ==================================================================
[   85.703677][ T5307] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   85.706865][ T5307] CPU: 0 UID: 0 PID: 5307 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) 
[   85.710786][ T5307] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   85.715170][ T5307] Workqueue: hci0 hci_cmd_sync_work
[   85.717919][ T5307] Call Trace:
[   85.719831][ T5307]  <TASK>
[   85.721233][ T5307]  vpanic+0x56c/0xa60
[   85.723093][ T5307]  ? __pfx_vpanic+0x10/0x10
[   85.724987][ T5307]  panic+0xc5/0xd0
[   85.726762][ T5307]  ? __pfx_panic+0x10/0x10
[   85.729374][ T5307]  ? preempt_schedule_thunk+0x16/0x30
[   85.732493][ T5307]  ? preempt_schedule_thunk+0x16/0x30
[   85.734978][ T5307]  ? hci_conn_drop+0x34/0x2a0
[   85.736974][ T5307]  check_panic_on_warn+0x89/0xb0
[   85.739236][ T5307]  ? hci_conn_drop+0x34/0x2a0
[   85.741487][ T5307]  end_report+0x73/0x180
[   85.743482][ T5307]  ? hci_conn_drop+0x34/0x2a0
[   85.746291][ T5307]  kasan_report+0x128/0x150
[   85.748743][ T5307]  ? hci_conn_drop+0x34/0x2a0
[   85.750822][ T5307]  kasan_check_range+0x264/0x2c0
[   85.753261][ T5307]  hci_conn_drop+0x34/0x2a0
[   85.755703][ T5307]  ? __pfx_le_read_features_complete+0x10/0x10
[   85.759233][ T5307]  hci_cmd_sync_work+0x262/0x400
[   85.762337][ T5307]  ? process_scheduled_works+0xa8d/0x18c0
[   85.764887][ T5307]  process_scheduled_works+0xb6e/0x18c0
[   85.767439][ T5307]  ? __pfx_process_scheduled_works+0x10/0x10
[   85.770199][ T5307]  ? assign_work+0x3d5/0x5e0
[   85.772341][ T5307]  worker_thread+0xa53/0xfc0
[   85.774602][ T5307]  kthread+0x388/0x470
[   85.776905][ T5307]  ? __pfx_worker_thread+0x10/0x10
[   85.779809][ T5307]  ? __pfx_kthread+0x10/0x10
[   85.781980][ T5307]  ret_from_fork+0x51e/0xb90
[   85.784016][ T5307]  ? __pfx_ret_from_fork+0x10/0x10
[   85.786345][ T5307]  ? __switch_to+0xc7d/0x1450
[   85.788489][ T5307]  ? __pfx_kthread+0x10/0x10
[   85.790609][ T5307]  ret_from_fork_asm+0x1a/0x30
[   85.792968][ T5307]  </TASK>
[   85.795040][ T5307] Kernel Offset: disabled
[   85.797242][ T5307] Rebooting in 86400 seconds..