program:
r0 = socket(0x10, 0x3, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r0, 0x10e, 0xc, &(0x7f00000001c0)={0x5813}, 0x10)
syz_usb_connect(0x0, 0x36, &(0x7f00000000c0)=ANY=[@ANYBLOB="1a0100005c6b4408070a64006e40010203030902240001a82300000904000002ca744d00090503034d00ff99090805", @ANYRES32], &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, 0x1, [{0x0, 0x0}]})
r1 = syz_open_dev$char_usb(0xc, 0xb4, 0x0)
writev(r1, &(0x7f0000001680)=[{&(0x7f0000000040)="cb", 0x1}, {&(0x7f0000000240)="12", 0x1}], 0x2)
r2 = syz_open_dev$I2C(&(0x7f00000002c0), 0x9, 0x80100)
ioctl$I2C_SMBUS(r2, 0x720, &(0x7f0000000340)={0x1, 0x58, 0x1, &(0x7f0000000300)={0x1e, "5890e1922216634e861bd0fa9a188e224669c67ef87ed3699f3b88b3807209f208"}})
socket(0x2a, 0x6, 0x5)
r3 = openat$ttynull(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TCSETAW(r3, 0x5407, 0x0)
r4 = socket$packet(0x11, 0x3, 0x300)
r5 = syz_open_procfs$namespace(0x0, &(0x7f0000001380)='ns/cgroup\x00')
open_by_handle_at(r5, &(0x7f0000000040)=ANY=[@ANYBLOB="20000000f1000100", @ANYRES64=r4], 0x0)
sendmsg$nl_route(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000080)=ANY=[@ANYBLOB="1c0000001e008d2a00000000000000f009000000507349aa69696a34f6ff405ec2ff3fb9ec6306fb40d9903a17dbf99314c12ac0311f78b1102e2fb9c8a2c4c25956f465d577e80e55fee612e6b647a7bd22f6b5ffe797f9332e0a7a3f2209813b2d2d5ace5931d6a9b343bad24d14de2f77befc87ec1c8c4a5ca9e66a94159d542d281b266970853579cb9c161af620a8f617b0bd74a03321664f44caeb672f2866b0014d0ff07ab74da4207696cddc016093e9d9a93f2d6e5a718638bd52f292942ce7db59ff94e5019b0fceb9ddde824b111869fcff374f7490944c00fe2865f5cba2c52fa5be093a498a71c929f3ae71745ead60fd356ec5663646", @ANYRES32=0x0, @ANYBLOB="04000000"], 0x1c}}, 0x4008800)
setsockopt$netlink_NETLINK_TX_RING(r0, 0x10e, 0x7, &(0x7f0000000280)={0x7fb, 0x1, 0x4, 0x1}, 0x10)
syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="0200300c000800"], 0x11)
ioctl$FS_IOC_SET_ENCRYPTION_POLICY(0xffffffffffffffff, 0x40086602, 0x0)
r6 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r6, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000005c0)={0x2c, 0x3e, 0x107, 0x70bd2b, 0x0, {0x1, 0x7c}, [@nested={0x4, 0xfc}, @nested={0xc, 0x1, 0x0, 0x1, [@typed={0x10, 0x6, 0x0, 0x0, @pid}]}, @nested={0x8, 0x2, 0x0, 0x1, [@generic="7235ab62"]}]}, 0x2c}, 0x1, 0x0, 0x0, 0xc000}, 0x4040)
r7 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r7, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000980)=ANY=[@ANYBLOB="240000003e0007172dbd7000fcdbdf2503"], 0x24}}, 0x0)
read(r7, &(0x7f00000009c0)=""/4096, 0x1000)
syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7)
syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_role_change={{0x12, 0x8}}}, 0xb)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
r8 = syz_open_dev$tty20(0xc, 0x4, 0x0)
pselect6(0x40, &(0x7f0000000400)={0x9c, 0x4, 0x8260, 0xffffffff, 0xcffe, 0x8, 0x1, 0x80000001}, &(0x7f0000000440)={0x8d, 0x5a9, 0x2, 0xa, 0x5, 0x0, 0x4d6b, 0x5}, &(0x7f0000000480)={0xffab, 0x100000001, 0x0, 0x3, 0x6, 0x4, 0x4c78cbff, 0x5}, &(0x7f00000004c0)={0x77359400}, &(0x7f0000000580)={&(0x7f0000000500)={[0xffffffff00000001]}, 0x8})
ioctl$GIO_SCRNMAP(r8, 0x4b40, &(0x7f0000000380)=""/55)
syz_open_dev$dri(&(0x7f0000000040), 0x8, 0x240000)
[ 93.181301][ T9] cfg80211: failed to load regulatory.db
[ 93.189339][ T5296] Bluetooth: hci0: command tx timeout
[ 93.721820][ T5304] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 93.872066][ T5304] usb 5-1: Using ep0 maxpacket: 8
[ 93.877671][ T5304] usb 5-1: config 168 descriptor has 1 excess byte, ignoring
[ 93.882240][ T5304] usb 5-1: config 168 interface 0 altsetting 0 endpoint 0x3 has an invalid bInterval 255, changing to 11
[ 93.888679][ T5304] usb 5-1: config 168 interface 0 altsetting 0 has an endpoint descriptor with address 0xFF, changing to 0x8F
[ 93.894250][ T5304] usb 5-1: config 168 interface 0 altsetting 0 endpoint 0x8F has an invalid bInterval 0, changing to 7
[ 93.898235][ T5304] usb 5-1: config 168 interface 0 altsetting 0 endpoint 0x8F has invalid maxpacket 59391, setting to 1024
[ 93.905086][ T5304] usb 5-1: config 168 descriptor has 1 excess byte, ignoring
[ 93.908300][ T5304] usb 5-1: config 168 interface 0 altsetting 0 endpoint 0x3 has an invalid bInterval 255, changing to 11
[ 93.913486][ T5304] usb 5-1: config 168 interface 0 altsetting 0 has an endpoint descriptor with address 0xFF, changing to 0x8F
[ 93.918812][ T5304] usb 5-1: config 168 interface 0 altsetting 0 endpoint 0x8F has an invalid bInterval 0, changing to 7
[ 93.925216][ T5304] usb 5-1: config 168 interface 0 altsetting 0 endpoint 0x8F has invalid maxpacket 59391, setting to 1024
[ 93.931398][ T5304] usb 5-1: config 168 descriptor has 1 excess byte, ignoring
[ 93.935346][ T5304] usb 5-1: config 168 interface 0 altsetting 0 endpoint 0x3 has an invalid bInterval 255, changing to 11
[ 93.940100][ T5304] usb 5-1: config 168 interface 0 altsetting 0 has an endpoint descriptor with address 0xFF, changing to 0x8F
[ 93.945536][ T5304] usb 5-1: config 168 interface 0 altsetting 0 endpoint 0x8F has an invalid bInterval 0, changing to 7
[ 93.950265][ T5304] usb 5-1: config 168 interface 0 altsetting 0 endpoint 0x8F has invalid maxpacket 59391, setting to 1024
[ 93.958878][ T5304] usb 5-1: string descriptor 0 read error: -22
[ 93.961457][ T5304] usb 5-1: New USB device found, idVendor=0a07, idProduct=0064, bcdDevice=40.6e
[ 93.965596][ T5304] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 93.995637][ T5304] adutux 5-1:168.0: ADU100 now attached to /dev/usb/adutux0
[ 94.254501][ T5318] �: entered promiscuous mode
[ 95.211754][ T4663] Bluetooth: hci0: command tx timeout
[ 96.251655][ T5296] ==================================================================
[ 96.255201][ T5296] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2a0
[ 96.258581][ T5296] Write of size 4 at addr ffff888012554010 by task kworker/u5:2/5296
[ 96.262021][ T5296]
[ 96.263088][ T5296] CPU: 0 UID: 0 PID: 5296 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full)
[ 96.263115][ T5296] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 96.263123][ T5296] Workqueue: hci0 hci_cmd_sync_work
[ 96.263147][ T5296] Call Trace:
[ 96.263161][ T5296]
[ 96.263178][ T5296] dump_stack_lvl+0xe8/0x150
[ 96.263235][ T5296] print_report+0xba/0x230
[ 96.263251][ T5296] ? hci_conn_drop+0x34/0x2a0
[ 96.263262][ T5296] kasan_report+0x117/0x150
[ 96.263309][ T5296] ? hci_conn_drop+0x34/0x2a0
[ 96.263322][ T5296] kasan_check_range+0x264/0x2c0
[ 96.263334][ T5296] hci_conn_drop+0x34/0x2a0
[ 96.263344][ T5296] ? __pfx_le_read_features_complete+0x10/0x10
[ 96.263361][ T5296] hci_cmd_sync_work+0x262/0x400
[ 96.263377][ T5296] ? process_scheduled_works+0xa25/0x1830
[ 96.263417][ T5296] process_scheduled_works+0xb02/0x1830
[ 96.263437][ T5296] ? __pfx_process_scheduled_works+0x10/0x10
[ 96.263452][ T5296] ? assign_work+0x3d5/0x5e0
[ 96.263465][ T5296] worker_thread+0xa50/0xfc0
[ 96.263484][ T5296] kthread+0x388/0x470
[ 96.263496][ T5296] ? __pfx_worker_thread+0x10/0x10
[ 96.263509][ T5296] ? __pfx_kthread+0x10/0x10
[ 96.263518][ T5296] ret_from_fork+0x51e/0xb90
[ 96.263534][ T5296] ? __pfx_ret_from_fork+0x10/0x10
[ 96.263546][ T5296] ? __switch_to+0xc7d/0x1450
[ 96.263560][ T5296] ? __pfx_kthread+0x10/0x10
[ 96.263569][ T5296] ret_from_fork_asm+0x1a/0x30
[ 96.263589][ T5296]
[ 96.263603][ T5296]
[ 96.325704][ T5296] Allocated by task 4663:
[ 96.327631][ T5296] kasan_save_track+0x3e/0x80
[ 96.329652][ T5296] __kasan_kmalloc+0x93/0xb0
[ 96.331604][ T5296] __kmalloc_cache_noprof+0x31c/0x660
[ 96.333964][ T5296] __hci_conn_add+0x3c4/0x1e00
[ 96.336066][ T5296] le_conn_complete_evt+0x706/0x1430
[ 96.338324][ T5296] hci_le_enh_conn_complete_evt+0x189/0x490
[ 96.340882][ T5296] hci_event_packet+0x7af/0x12c0
[ 96.343027][ T5296] hci_rx_work+0x3ee/0x1030
[ 96.344919][ T5296] process_scheduled_works+0xb02/0x1830
[ 96.347271][ T5296] worker_thread+0xa50/0xfc0
[ 96.349224][ T5296] kthread+0x388/0x470
[ 96.351070][ T5296] ret_from_fork+0x51e/0xb90
[ 96.353101][ T5296] ret_from_fork_asm+0x1a/0x30
[ 96.355157][ T5296]
[ 96.356181][ T5296] Freed by task 4663:
[ 96.357886][ T5296] kasan_save_track+0x3e/0x80
[ 96.359893][ T5296] kasan_save_free_info+0x46/0x50
[ 96.362046][ T5296] __kasan_slab_free+0x5c/0x80
[ 96.364139][ T5296] kfree+0x1c1/0x630
[ 96.365916][ T5296] device_release+0x9e/0x1d0
[ 96.368046][ T5296] kobject_put+0x228/0x560
[ 96.369832][ T5296] hci_conn_del+0xc36/0x1230
[ 96.371927][ T5296] hci_disconn_complete_evt+0x64e/0x950
[ 96.374331][ T5296] hci_event_packet+0x805/0x12c0
[ 96.376561][ T5296] hci_rx_work+0x3ee/0x1030
[ 96.378527][ T5296] process_scheduled_works+0xb02/0x1830
[ 96.380852][ T5296] worker_thread+0xa50/0xfc0
[ 96.382773][ T5296] kthread+0x388/0x470
[ 96.384529][ T5296] ret_from_fork+0x51e/0xb90
[ 96.386500][ T5296] ret_from_fork_asm+0x1a/0x30
[ 96.388709][ T5296]
[ 96.389776][ T5296] The buggy address belongs to the object at ffff888012554000
[ 96.389776][ T5296] which belongs to the cache kmalloc-8k of size 8192
[ 96.395774][ T5296] The buggy address is located 16 bytes inside of
[ 96.395774][ T5296] freed 8192-byte region [ffff888012554000, ffff888012556000)
[ 96.401716][ T5296]
[ 96.402971][ T5296] The buggy address belongs to the physical page:
[ 96.405778][ T5296] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12550
[ 96.409524][ T5296] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 96.413148][ T5296] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 96.416461][ T5296] page_type: f5(slab)
[ 96.418230][ T5296] raw: 00fff00000000040 ffff88801ac42280 dead000000000100 dead000000000122
[ 96.421971][ T5296] raw: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000
[ 96.425813][ T5296] head: 00fff00000000040 ffff88801ac42280 dead000000000100 dead000000000122
[ 96.429582][ T5296] head: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000
[ 96.433276][ T5296] head: 00fff00000000003 ffffea0000495401 00000000ffffffff 00000000ffffffff
[ 96.436932][ T5296] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 96.440648][ T5296] page dumped because: kasan: bad access detected
[ 96.443354][ T5296] page_owner tracks the page as allocated
[ 96.445707][ T5296] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4685, tgid 4685 (init), ts 30855556834, free_ts 30236850778
[ 96.453957][ T5296] post_alloc_hook+0x231/0x280
[ 96.456112][ T5296] get_page_from_freelist+0x24dc/0x2580
[ 96.458497][ T5296] __alloc_frozen_pages_noprof+0x18d/0x380
[ 96.460983][ T5296] allocate_slab+0x77/0x660
[ 96.462930][ T5296] refill_objects+0x331/0x3c0
[ 96.464889][ T5296] __pcs_replace_empty_main+0x2b9/0x620
[ 96.467235][ T5296] __kmalloc_cache_noprof+0x392/0x660
[ 96.469483][ T5296] tomoyo_init_log+0x112e/0x1fb0
[ 96.471670][ T5296] tomoyo_supervisor+0x353/0x1570
[ 96.473929][ T5296] tomoyo_env_perm+0x151/0x1f0
[ 96.476120][ T5296] tomoyo_find_next_domain+0x15cb/0x1aa0
[ 96.478630][ T5296] tomoyo_bprm_check_security+0x11b/0x180
[ 96.480995][ T5296] security_bprm_check+0x85/0x240
[ 96.483201][ T5296] bprm_execve+0x896/0x1460
[ 96.485164][ T5296] do_execveat_common+0x50d/0x690
[ 96.487390][ T5296] __x64_sys_execve+0x97/0xc0
[ 96.489421][ T5296] page last free pid 1 tgid 1 stack trace:
[ 96.491990][ T5296] __free_frozen_pages+0xc2b/0xdb0
[ 96.494097][ T5296] free_reserved_page+0xce/0x120
[ 96.496183][ T5296] free_reserved_area+0x90/0x190
[ 96.498302][ T5296] free_kernel_image_pages+0xa2/0x100
[ 96.500604][ T5296] kernel_init+0x31/0x1d0
[ 96.502482][ T5296] ret_from_fork+0x51e/0xb90
[ 96.504535][ T5296] ret_from_fork_asm+0x1a/0x30
[ 96.506593][ T5296]
[ 96.507670][ T5296] Memory state around the buggy address:
[ 96.509999][ T5296] ffff888012553f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 96.513428][ T5296] ffff888012553f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 96.516843][ T5296] >ffff888012554000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.520301][ T5296] ^
[ 96.522314][ T5296] ffff888012554080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.525748][ T5296] ffff888012554100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.529122][ T5296] ==================================================================
[ 96.533163][ T5296] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 96.536372][ T5296] CPU: 0 UID: 0 PID: 5296 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full)
[ 96.540479][ T5296] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 96.545479][ T5296] Workqueue: hci0 hci_cmd_sync_work
[ 96.547795][ T5296] Call Trace:
[ 96.549260][ T5296]
[ 96.550582][ T5296] vpanic+0x56c/0xa60
[ 96.552323][ T5296] ? __pfx_vpanic+0x10/0x10
[ 96.554320][ T5296] panic+0xc5/0xd0
[ 96.555926][ T5296] ? __pfx_panic+0x10/0x10
[ 96.557854][ T5296] ? preempt_schedule_thunk+0x16/0x30
[ 96.559969][ T5296] ? preempt_schedule_thunk+0x16/0x30
[ 96.562243][ T5296] ? hci_conn_drop+0x34/0x2a0
[ 96.564384][ T5296] check_panic_on_warn+0x89/0xb0
[ 96.566567][ T5296] ? hci_conn_drop+0x34/0x2a0
[ 96.568524][ T5296] end_report+0x73/0x180
[ 96.570298][ T5296] ? hci_conn_drop+0x34/0x2a0
[ 96.572347][ T5296] kasan_report+0x128/0x150
[ 96.574265][ T5296] ? hci_conn_drop+0x34/0x2a0
[ 96.576366][ T5296] kasan_check_range+0x264/0x2c0
[ 96.578787][ T5296] hci_conn_drop+0x34/0x2a0
[ 96.581354][ T5296] ? __pfx_le_read_features_complete+0x10/0x10
[ 96.584768][ T5296] hci_cmd_sync_work+0x262/0x400
[ 96.587097][ T5296] ? process_scheduled_works+0xa25/0x1830
[ 96.589607][ T5296] process_scheduled_works+0xb02/0x1830
[ 96.591975][ T5296] ? __pfx_process_scheduled_works+0x10/0x10
[ 96.594468][ T5296] ? assign_work+0x3d5/0x5e0
[ 96.596529][ T5296] worker_thread+0xa50/0xfc0
[ 96.598563][ T5296] kthread+0x388/0x470
[ 96.600352][ T5296] ? __pfx_worker_thread+0x10/0x10
[ 96.602503][ T5296] ? __pfx_kthread+0x10/0x10
[ 96.604585][ T5296] ret_from_fork+0x51e/0xb90
[ 96.606602][ T5296] ? __pfx_ret_from_fork+0x10/0x10
[ 96.608846][ T5296] ? __switch_to+0xc7d/0x1450
[ 96.610838][ T5296] ? __pfx_kthread+0x10/0x10
[ 96.612860][ T5296] ret_from_fork_asm+0x1a/0x30
[ 96.615074][ T5296]
[ 96.616821][ T5296] Kernel Offset: disabled
[ 96.618745][ T5296] Rebooting in 86400 seconds..