program:
syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="0200300c000800"], 0x11)
ioctl$FS_IOC_SET_ENCRYPTION_POLICY(0xffffffffffffffff, 0x40086602, 0x0)
syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7)
syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_role_change={{0x12, 0x8}}}, 0xb)
r0 = syz_usb_connect$printer(0x0, 0x2d, &(0x7f0000000200)={{0x12, 0x1, 0x0, 0x0, 0x0, 0x0, 0x40, 0x525, 0xa4a8, 0x40, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x1b, 0x1, 0x1, 0x0, 0x0, 0x0, [{{0x9, 0x4, 0x0, 0x0, 0x2, 0x7, 0x1, 0x1}}]}}]}}, 0x0)
syz_usb_control_io$printer(r0, 0x0, &(0x7f00000011c0)={0x34, 0x0, 0x0, 0x0, 0x0, 0x0, &(0x7f0000001180)={0x20, 0x0, 0x1}})
r1 = syz_open_dev$char_usb(0xc, 0xb4, 0x0)
ioctl$EVIOCGMASK(r1, 0x60b, 0x0)
r2 = io_uring_setup(0x1581, &(0x7f0000000380)={0x0, 0x1b6f, 0x40, 0x0, 0x3bd})
close_range(r2, 0xffffffffffffffff, 0x0)
write$char_usb(r1, 0x0, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)

[ 85.802009][ T5295] Bluetooth: hci0: command tx timeout
[ 86.108351][ T5311] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 86.260981][ T5311] usb 5-1: config 1 interface 0 altsetting 0 endpoint 0x1 has invalid wMaxPacketSize 0
[ 86.264655][ T5311] usb 5-1: config 1 interface 0 altsetting 0 bulk endpoint 0x1 has invalid maxpacket 0
[ 86.268991][ T5311] usb 5-1: config 1 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 2
[ 86.277417][ T5311] usb 5-1: New USB device found, idVendor=0525, idProduct=a4a8, bcdDevice= 0.40
[ 86.281361][ T5311] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 86.284515][ T5311] usb 5-1: Product: syz
[ 86.286189][ T5311] usb 5-1: Manufacturer: syz
[ 86.288001][ T5311] usb 5-1: SerialNumber: syz
[ 86.507274][ T5311] usblp 5-1:1.0: usblp0: USB Unidirectional printer dev 2 if 0 alt 0 proto 1 vid 0x0525 pid 0xA4A8
[ 87.858977][ T4662] Bluetooth: hci0: command tx timeout
[ 87.939000][ T5295] ==================================================================
[ 87.942350][ T5295] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2a0
[ 87.945853][ T5295] Write of size 4 at addr ffff888038fc4010 by task kworker/u5:2/5295
[ 87.949277][ T5295]
[ 87.950262][ T5295] CPU: 0 UID: 0 PID: 5295 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full)
[ 87.950277][ T5295] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 87.950283][ T5295] Workqueue: hci0 hci_cmd_sync_work
[ 87.950300][ T5295] Call Trace:
[ 87.950305][ T5295]
[ 87.950309][ T5295] dump_stack_lvl+0xe8/0x150
[ 87.950351][ T5295] print_report+0xba/0x230
[ 87.950365][ T5295] ? hci_conn_drop+0x34/0x2a0
[ 87.950375][ T5295] kasan_report+0x117/0x150
[ 87.950404][ T5295] ? hci_conn_drop+0x34/0x2a0
[ 87.950416][ T5295] kasan_check_range+0x264/0x2c0
[ 87.950427][ T5295] hci_conn_drop+0x34/0x2a0
[ 87.950437][ T5295] ? __pfx_le_read_features_complete+0x10/0x10
[ 87.950452][ T5295] hci_cmd_sync_work+0x262/0x400
[ 87.950466][ T5295] ? process_scheduled_works+0xa25/0x1830
[ 87.950499][ T5295] process_scheduled_works+0xb02/0x1830
[ 87.950518][ T5295] ? __pfx_process_scheduled_works+0x10/0x10
[ 87.950532][ T5295] ? assign_work+0x3d5/0x5e0
[ 87.950546][ T5295] worker_thread+0xa50/0xfc0
[ 87.950566][ T5295] kthread+0x388/0x470
[ 87.950577][ T5295] ? __pfx_worker_thread+0x10/0x10
[ 87.950586][ T5295] ? __pfx_kthread+0x10/0x10
[ 87.950592][ T5295] ret_from_fork+0x51e/0xb90
[ 87.950607][ T5295] ? __pfx_ret_from_fork+0x10/0x10
[ 87.950618][ T5295] ? __switch_to+0xc7d/0x1450
[ 87.950629][ T5295] ? __pfx_kthread+0x10/0x10
[ 87.950638][ T5295] ret_from_fork_asm+0x1a/0x30
[ 87.950657][ T5295]
[ 87.950661][ T5295]
[ 88.017908][ T5295] Allocated by task 5295:
[ 88.019836][ T5295] kasan_save_track+0x3e/0x80
[ 88.021891][ T5295] __kasan_kmalloc+0x93/0xb0
[ 88.023913][ T5295] __kmalloc_cache_noprof+0x31c/0x660
[ 88.026301][ T5295] __hci_conn_add+0x3c4/0x1e00
[ 88.028435][ T5295] le_conn_complete_evt+0x706/0x1430
[ 88.030772][ T5295] hci_le_enh_conn_complete_evt+0x189/0x490
[ 88.033316][ T5295] hci_event_packet+0x7af/0x12c0
[ 88.035361][ T5295] hci_rx_work+0x3ee/0x1030
[ 88.037333][ T5295] process_scheduled_works+0xb02/0x1830
[ 88.039609][ T5295] worker_thread+0xa50/0xfc0
[ 88.041466][ T5295] kthread+0x388/0x470
[ 88.042990][ T5295] ret_from_fork+0x51e/0xb90
[ 88.044853][ T5295] ret_from_fork_asm+0x1a/0x30
[ 88.046678][ T5295]
[ 88.047668][ T5295] Freed by task 4662:
[ 88.049296][ T5295] kasan_save_track+0x3e/0x80
[ 88.051057][ T5295] kasan_save_free_info+0x46/0x50
[ 88.053062][ T5295] __kasan_slab_free+0x5c/0x80
[ 88.055157][ T5295] kfree+0x1c1/0x630
[ 88.056887][ T5295] device_release+0x9e/0x1d0
[ 88.059180][ T5295] kobject_put+0x228/0x560
[ 88.061206][ T5295] hci_conn_del+0xc36/0x1230
[ 88.063277][ T5295] hci_disconn_complete_evt+0x64e/0x950
[ 88.065826][ T5295] hci_event_packet+0x805/0x12c0
[ 88.067951][ T5295] hci_rx_work+0x3ee/0x1030
[ 88.069931][ T5295] process_scheduled_works+0xb02/0x1830
[ 88.072263][ T5295] worker_thread+0xa50/0xfc0
[ 88.074178][ T5295] kthread+0x388/0x470
[ 88.076062][ T5295] ret_from_fork+0x51e/0xb90
[ 88.078489][ T5295] ret_from_fork_asm+0x1a/0x30
[ 88.080723][ T5295]
[ 88.082027][ T5295] The buggy address belongs to the object at ffff888038fc4000
[ 88.082027][ T5295] which belongs to the cache kmalloc-8k of size 8192
[ 88.088088][ T5295] The buggy address is located 16 bytes inside of
[ 88.088088][ T5295] freed 8192-byte region [ffff888038fc4000, ffff888038fc6000)
[ 88.093651][ T5295]
[ 88.094728][ T5295] The buggy address belongs to the physical page:
[ 88.097388][ T5295] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x38fc0
[ 88.100931][ T5295] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 88.104517][ T5295] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
[ 88.107804][ T5295] page_type: f5(slab)
[ 88.109451][ T5295] raw: 04fff00000000040 ffff88801a842280 dead000000000122 0000000000000000
[ 88.112829][ T5295] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 88.116094][ T5295] head: 04fff00000000040 ffff88801a842280 dead000000000122 0000000000000000
[ 88.119365][ T5295] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 88.122817][ T5295] head: 04fff00000000003 ffffea0000e3f001 00000000ffffffff 00000000ffffffff
[ 88.126452][ T5295] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 88.130227][ T5295] page dumped because: kasan: bad access detected
[ 88.132899][ T5295] page_owner tracks the page as allocated
[ 88.135247][ T5295] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5295, tgid 5295 (kworker/u5:2), ts 85862219863, free_ts 83001476953
[ 88.144420][ T5295] post_alloc_hook+0x231/0x280
[ 88.146606][ T5295] get_page_from_freelist+0x24dc/0x2580
[ 88.149162][ T5295] __alloc_frozen_pages_noprof+0x18d/0x380
[ 88.151620][ T5295] allocate_slab+0x77/0x660
[ 88.153684][ T5295] refill_objects+0x331/0x3c0
[ 88.155812][ T5295] __pcs_replace_empty_main+0x2b9/0x620
[ 88.158347][ T5295] __kmalloc_cache_noprof+0x392/0x660
[ 88.160659][ T5295] __hci_conn_add+0x3c4/0x1e00
[ 88.162742][ T5295] le_conn_complete_evt+0x706/0x1430
[ 88.165187][ T5295] hci_le_enh_conn_complete_evt+0x189/0x490
[ 88.167746][ T5295] hci_event_packet+0x7af/0x12c0
[ 88.169917][ T5295] hci_rx_work+0x3ee/0x1030
[ 88.171918][ T5295] process_scheduled_works+0xb02/0x1830
[ 88.174373][ T5295] worker_thread+0xa50/0xfc0
[ 88.176359][ T5295] kthread+0x388/0x470
[ 88.178188][ T5295] ret_from_fork+0x51e/0xb90
[ 88.180306][ T5295] page last free pid 5294 tgid 5294 stack trace:
[ 88.183074][ T5295] __free_frozen_pages+0xc2b/0xdb0
[ 88.185242][ T5295] __slab_free+0x263/0x2b0
[ 88.187221][ T5295] qlist_free_all+0x97/0x100
[ 88.189442][ T5295] kasan_quarantine_reduce+0x148/0x160
[ 88.191711][ T5295] __kasan_slab_alloc+0x22/0x80
[ 88.193713][ T5295] __kmalloc_noprof+0x316/0x760
[ 88.195852][ T5295] tomoyo_encode+0x28b/0x550
[ 88.197866][ T5295] tomoyo_realpath_from_path+0x58d/0x5d0
[ 88.199954][ T5295] tomoyo_path_number_perm+0x246/0x630
[ 88.202077][ T5295] security_file_ioctl+0xc3/0x2a0
[ 88.204198][ T5295] __se_sys_ioctl+0x47/0x170
[ 88.206162][ T5295] do_syscall_64+0x14d/0xf80
[ 88.208133][ T5295] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 88.210842][ T5295]
[ 88.211934][ T5295] Memory state around the buggy address:
[ 88.214409][ T5295] ffff888038fc3f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 88.217792][ T5295] ffff888038fc3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 88.221058][ T5295] >ffff888038fc4000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 88.224213][ T5295] ^
[ 88.226184][ T5295] ffff888038fc4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 88.229308][ T5295] ffff888038fc4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 88.232603][ T5295] ==================================================================
[ 88.241201][ T5295] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 88.244252][ T5295] CPU: 0 UID: 0 PID: 5295 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full)
[ 88.248252][ T5295] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 88.252398][ T5295] Workqueue: hci0 hci_cmd_sync_work
[ 88.254687][ T5295] Call Trace:
[ 88.256208][ T5295]
[ 88.257564][ T5295] vpanic+0x56c/0xa60
[ 88.259436][ T5295] ? __pfx_vpanic+0x10/0x10
[ 88.261337][ T5295] panic+0xc5/0xd0
[ 88.263022][ T5295] ? __pfx_panic+0x10/0x10
[ 88.265056][ T5295] ? preempt_schedule_thunk+0x16/0x30
[ 88.267303][ T5295] ? preempt_schedule_thunk+0x16/0x30
[ 88.269640][ T5295] ? hci_conn_drop+0x34/0x2a0
[ 88.271681][ T5295] check_panic_on_warn+0x89/0xb0
[ 88.273905][ T5295] ? hci_conn_drop+0x34/0x2a0
[ 88.275967][ T5295] end_report+0x73/0x180
[ 88.277864][ T5295] ? hci_conn_drop+0x34/0x2a0
[ 88.279963][ T5295] kasan_report+0x128/0x150
[ 88.282123][ T5295] ? hci_conn_drop+0x34/0x2a0
[ 88.284178][ T5295] kasan_check_range+0x264/0x2c0
[ 88.286529][ T5295] hci_conn_drop+0x34/0x2a0
[ 88.288723][ T5295] ? __pfx_le_read_features_complete+0x10/0x10
[ 88.291646][ T5295] hci_cmd_sync_work+0x262/0x400
[ 88.293795][ T5295] ? process_scheduled_works+0xa25/0x1830
[ 88.296221][ T5295] process_scheduled_works+0xb02/0x1830
[ 88.298476][ T5295] ? __pfx_process_scheduled_works+0x10/0x10
[ 88.300936][ T5295] ? assign_work+0x3d5/0x5e0
[ 88.302973][ T5295] worker_thread+0xa50/0xfc0
[ 88.304846][ T5295] kthread+0x388/0x470
[ 88.306470][ T5295] ? __pfx_worker_thread+0x10/0x10
[ 88.308539][ T5295] ? __pfx_kthread+0x10/0x10
[ 88.310568][ T5295] ret_from_fork+0x51e/0xb90
[ 88.312649][ T5295] ? __pfx_ret_from_fork+0x10/0x10
[ 88.314914][ T5295] ? __switch_to+0xc7d/0x1450
[ 88.316929][ T5295] ? __pfx_kthread+0x10/0x10
[ 88.319085][ T5295] ret_from_fork_asm+0x1a/0x30
[ 88.321148][ T5295]
[ 88.322462][ T5295] Kernel Offset: disabled
[ 88.324215][ T5295] Rebooting in 86400 seconds..