program: syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) (async) syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="0200300c000800"], 0x11) (async) ioctl$FS_IOC_SET_ENCRYPTION_POLICY(0xffffffffffffffff, 0x40086602, 0x0) (async) r0 = openat$vimc2(0xffffffffffffff9c, &(0x7f0000000200), 0x2, 0x0) ioctl$VIDIOC_EXPBUF(r0, 0xc0405626, &(0x7f0000000240)={0x9, 0xfffffffe, 0x8}) (async) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) (async) r1 = openat$tun(0xffffffffffffff9c, &(0x7f0000000240), 0x0, 0x0) ioctl$TUNSETIFF(r1, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x7101}) (async) socket$nl_route(0x10, 0x3, 0x0) (async) r2 = socket$unix(0x1, 0x1, 0x0) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', 0x0}) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000740)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000500)=@getchain={0x64, 0x66, 0x10, 0x70bd2a, 0x25dfdbfc, {0x0, 0x0, 0x0, r3, {0x4, 0xfff1}, {0xd, 0x8}, {0xfff1, 0xffe0}}, [{0x8, 0xb, 0x2}, {0x8, 0xb, 0x7}, {0xffe0, 0xb, 0x6}, {0x8, 0xb, 0x4}, {0x8, 0xb, 0x80000000}, {0x8, 0xb, 0x1000}, {0x8, 0xb, 0xffffffff}, {0x8}]}, 0x64}, 0x1, 0x0, 0x0, 0x24008040}, 0x20040084) r4 = socket$unix(0x1, 0x1, 0x0) (async) r5 = socket$kcm(0x11, 0x3, 0x0) (async) r6 = openat$tun(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0) close(r6) socket$inet_smc(0x2b, 0x1, 0x0) (async) ioctl$SIOCSIFHWADDR(r6, 0x8914, &(0x7f0000002280)={'syzkaller0\x00', @multicast}) (async) r7 = socket(0x400000000010, 0x3, 0x0) (async) r8 = socket$unix(0x1, 0x1, 0x0) ioctl$VIDIOC_S_CTRL(r0, 0xc008561c, &(0x7f0000000000)={0x8, 0xffff}) (async) ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', 0x0}) sendmsg$nl_route_sched(r7, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000140)=@newtfilter={0x3c, 0x2c, 0xd27, 0x30bd29, 0x25dfdc00, {0x0, 0x0, 0x0, r9, {0x0, 0xfff1}, {0x7, 0xfff2}, {0x8, 0xf}}, [@filter_kind_options=@f_matchall={{0xd}, {0x8, 0x2, [@TCA_MATCHALL_ACT={0x4}]}}]}, 0x3c}, 0x1, 0x0, 0x0, 0x20000810}, 0x20000000) r10 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_CREATE(r10, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000580)=ANY=[@ANYBLOB="600000000206050000000000000000000000000033000780080011400000000005001540406311fc0130e7f3250000000500012006000000050004000100100005000400000000000900020073797a310000000013000300686173683a6e65742c69666163650000f1a49cc9e8e8b72f5c67bc9cc11aea63afbb982589787d57a9996b9942bc8b88d08efd57bd328bd67e904669c115f4371bd5b408fcb8da10849193d32a7116c00a14db9387c0efc8b37c65ab58704dbe82752bdc42aa38ca4826702f4730b19c8bf6701d671d002a8a0ed4dc4dd4feee7fbf9b506fb5312aad10d52b57ce08a48fd7a5ed"], 0x60}}, 0x0) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000100)={'syzkaller0\x00', 0x0}) setsockopt$sock_attach_bpf(r8, 0x107, 0xf, &(0x7f0000000340), 0x4) (async) sendmsg$kcm(r5, &(0x7f0000000280)={&(0x7f0000000380)=@xdp={0x2c, 0x0, r11, 0x3e}, 0x80, &(0x7f00000001c0)=[{&(0x7f0000000180)="27030200000214000e00002fb96dffff1144ee163cddcb000000800000827600000000000000", 0x26}, {&(0x7f00000004c0)="f058050000007f8f", 0x300}], 0x2}, 0x5) syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="0412080000110000000000c578744a2c29e428c349a26b83e0311cb13e0390b7047ff510d67948ecf4"], 0xb) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) [ 74.743881][ T4663] Bluetooth: hci0: command tx timeout [ 74.999487][ T5316] syzkaller0: default qdisc (pfifo_fast) fail, fallback to noqueue [ 75.016114][ T5316] syzkaller0: entered promiscuous mode [ 75.018360][ T5316] syzkaller0: entered allmulticast mode [ 76.814337][ T5295] Bluetooth: hci0: command tx timeout [ 76.893557][ T4663] ================================================================== [ 76.897405][ T4663] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2a0 [ 76.900971][ T4663] Write of size 4 at addr ffff88801249c010 by task kworker/u5:1/4663 [ 76.904414][ T4663] [ 76.905479][ T4663] CPU: 0 UID: 0 PID: 4663 Comm: kworker/u5:1 Not tainted syzkaller #0 PREEMPT(full) [ 76.905493][ T4663] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 76.905502][ T4663] Workqueue: hci0 hci_cmd_sync_work [ 76.905522][ T4663] Call Trace: [ 76.905529][ T4663] [ 76.905534][ T4663] dump_stack_lvl+0xe8/0x150 [ 76.905551][ T4663] print_report+0xba/0x230 [ 76.905563][ T4663] ? hci_conn_drop+0x34/0x2a0 [ 76.905572][ T4663] kasan_report+0x117/0x150 [ 76.905583][ T4663] ? hci_conn_drop+0x34/0x2a0 [ 76.905595][ T4663] kasan_check_range+0x264/0x2c0 [ 76.905606][ T4663] hci_conn_drop+0x34/0x2a0 [ 76.905616][ T4663] ? __pfx_le_read_features_complete+0x10/0x10 [ 76.905631][ T4663] hci_cmd_sync_work+0x262/0x400 [ 76.905675][ T4663] ? process_scheduled_works+0xa25/0x1830 [ 76.905691][ T4663] process_scheduled_works+0xb02/0x1830 [ 76.905710][ T4663] ? __pfx_process_scheduled_works+0x10/0x10 [ 76.905725][ T4663] ? assign_work+0x3d5/0x5e0 [ 76.905738][ T4663] worker_thread+0xa50/0xfc0 [ 76.905757][ T4663] kthread+0x388/0x470 [ 76.905767][ T4663] ? __pfx_worker_thread+0x10/0x10 [ 76.905780][ T4663] ? __pfx_kthread+0x10/0x10 [ 76.905789][ T4663] ret_from_fork+0x51e/0xb90 [ 76.905804][ T4663] ? __pfx_ret_from_fork+0x10/0x10 [ 76.905817][ T4663] ? __switch_to+0xc7d/0x1450 [ 76.905829][ T4663] ? __pfx_kthread+0x10/0x10 [ 76.905839][ T4663] ret_from_fork_asm+0x1a/0x30 [ 76.905858][ T4663] [ 76.905862][ T4663] [ 76.967629][ T4663] Allocated by task 4663: [ 76.969439][ T4663] kasan_save_track+0x3e/0x80 [ 76.971399][ T4663] __kasan_kmalloc+0x93/0xb0 [ 76.973444][ T4663] __kmalloc_cache_noprof+0x31c/0x660 [ 76.975801][ T4663] __hci_conn_add+0x3c4/0x1e00 [ 76.978130][ T4663] le_conn_complete_evt+0x706/0x1430 [ 76.980486][ T4663] hci_le_enh_conn_complete_evt+0x189/0x490 [ 76.983160][ T4663] hci_event_packet+0x7af/0x12c0 [ 76.985420][ T4663] hci_rx_work+0x3ee/0x1030 [ 76.987399][ T4663] process_scheduled_works+0xb02/0x1830 [ 76.989826][ T4663] worker_thread+0xa50/0xfc0 [ 76.991863][ T4663] kthread+0x388/0x470 [ 76.993701][ T4663] ret_from_fork+0x51e/0xb90 [ 76.995743][ T4663] ret_from_fork_asm+0x1a/0x30 [ 76.997737][ T4663] [ 76.998776][ T4663] Freed by task 5295: [ 77.000424][ T4663] kasan_save_track+0x3e/0x80 [ 77.002578][ T4663] kasan_save_free_info+0x46/0x50 [ 77.004899][ T4663] __kasan_slab_free+0x5c/0x80 [ 77.007067][ T4663] kfree+0x1c1/0x630 [ 77.008795][ T4663] device_release+0x9e/0x1d0 [ 77.010875][ T4663] kobject_put+0x228/0x560 [ 77.012840][ T4663] hci_conn_del+0xc36/0x1230 [ 77.014876][ T4663] hci_disconn_complete_evt+0x64e/0x950 [ 77.017386][ T4663] hci_event_packet+0x805/0x12c0 [ 77.019682][ T4663] hci_rx_work+0x3ee/0x1030 [ 77.021628][ T4663] process_scheduled_works+0xb02/0x1830 [ 77.024086][ T4663] worker_thread+0xa50/0xfc0 [ 77.026112][ T4663] kthread+0x388/0x470 [ 77.028100][ T4663] ret_from_fork+0x51e/0xb90 [ 77.030225][ T4663] ret_from_fork_asm+0x1a/0x30 [ 77.032298][ T4663] [ 77.033327][ T4663] The buggy address belongs to the object at ffff88801249c000 [ 77.033327][ T4663] which belongs to the cache kmalloc-8k of size 8192 [ 77.039183][ T4663] The buggy address is located 16 bytes inside of [ 77.039183][ T4663] freed 8192-byte region [ffff88801249c000, ffff88801249e000) [ 77.045259][ T4663] [ 77.046316][ T4663] The buggy address belongs to the physical page: [ 77.049049][ T4663] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12498 [ 77.052949][ T4663] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 77.056742][ T4663] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 77.060242][ T4663] page_type: f5(slab) [ 77.062058][ T4663] raw: 00fff00000000040 ffff88801a842280 dead000000000100 dead000000000122 [ 77.065844][ T4663] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000 [ 77.069836][ T4663] head: 00fff00000000040 ffff88801a842280 dead000000000100 dead000000000122 [ 77.073974][ T4663] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000 [ 77.077847][ T4663] head: 00fff00000000003 ffffea0000492601 00000000ffffffff 00000000ffffffff [ 77.081531][ T4663] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 77.085113][ T4663] page dumped because: kasan: bad access detected [ 77.087821][ T4663] page_owner tracks the page as allocated [ 77.090201][ T4663] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4684, tgid 4684 (init), ts 29178095307, free_ts 28658866736 [ 77.098593][ T4663] post_alloc_hook+0x231/0x280 [ 77.100768][ T4663] get_page_from_freelist+0x24dc/0x2580 [ 77.103292][ T4663] __alloc_frozen_pages_noprof+0x18d/0x380 [ 77.105867][ T4663] allocate_slab+0x77/0x660 [ 77.108011][ T4663] refill_objects+0x331/0x3c0 [ 77.110080][ T4663] __pcs_replace_empty_main+0x2b9/0x620 [ 77.112355][ T4663] __kmalloc_cache_noprof+0x392/0x660 [ 77.114719][ T4663] tomoyo_init_log+0x112e/0x1fb0 [ 77.116938][ T4663] tomoyo_supervisor+0x353/0x1570 [ 77.119141][ T4663] tomoyo_env_perm+0x151/0x1f0 [ 77.121106][ T4663] tomoyo_find_next_domain+0x15cb/0x1aa0 [ 77.123393][ T4663] tomoyo_bprm_check_security+0x11b/0x180 [ 77.125938][ T4663] security_bprm_check+0x85/0x240 [ 77.128171][ T4663] bprm_execve+0x896/0x1460 [ 77.130233][ T4663] do_execveat_common+0x50d/0x690 [ 77.132443][ T4663] __x64_sys_execve+0x97/0xc0 [ 77.134419][ T4663] page last free pid 1 tgid 1 stack trace: [ 77.137130][ T4663] __free_frozen_pages+0xc2b/0xdb0 [ 77.139447][ T4663] free_reserved_page+0xce/0x120 [ 77.141707][ T4663] free_reserved_area+0x90/0x190 [ 77.143987][ T4663] free_kernel_image_pages+0xa2/0x100 [ 77.146482][ T4663] kernel_init+0x31/0x1d0 [ 77.148480][ T4663] ret_from_fork+0x51e/0xb90 [ 77.150535][ T4663] ret_from_fork_asm+0x1a/0x30 [ 77.152696][ T4663] [ 77.153821][ T4663] Memory state around the buggy address: [ 77.156469][ T4663] ffff88801249bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 77.160079][ T4663] ffff88801249bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 77.163666][ T4663] >ffff88801249c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 77.167389][ T4663] ^ [ 77.169456][ T4663] ffff88801249c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 77.172923][ T4663] ffff88801249c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 77.176384][ T4663] ================================================================== [ 77.182923][ T4663] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 77.185986][ T4663] CPU: 0 UID: 0 PID: 4663 Comm: kworker/u5:1 Not tainted syzkaller #0 PREEMPT(full) [ 77.190185][ T4663] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 77.194764][ T4663] Workqueue: hci0 hci_cmd_sync_work [ 77.197209][ T4663] Call Trace: [ 77.198617][ T4663] [ 77.199852][ T4663] vpanic+0x56c/0xa60 [ 77.201489][ T4663] ? __pfx_vpanic+0x10/0x10 [ 77.203334][ T4663] panic+0xc5/0xd0 [ 77.204900][ T4663] ? __pfx_panic+0x10/0x10 [ 77.206807][ T4663] ? preempt_schedule_thunk+0x16/0x30 [ 77.208977][ T4663] ? preempt_schedule_thunk+0x16/0x30 [ 77.211211][ T4663] ? hci_conn_drop+0x34/0x2a0 [ 77.213105][ T4663] check_panic_on_warn+0x89/0xb0 [ 77.215104][ T4663] ? hci_conn_drop+0x34/0x2a0 [ 77.217040][ T4663] end_report+0x73/0x180 [ 77.218773][ T4663] ? hci_conn_drop+0x34/0x2a0 [ 77.220690][ T4663] kasan_report+0x128/0x150 [ 77.222624][ T4663] ? hci_conn_drop+0x34/0x2a0 [ 77.224579][ T4663] kasan_check_range+0x264/0x2c0 [ 77.226598][ T4663] hci_conn_drop+0x34/0x2a0 [ 77.228479][ T4663] ? __pfx_le_read_features_complete+0x10/0x10 [ 77.231044][ T4663] hci_cmd_sync_work+0x262/0x400 [ 77.233132][ T4663] ? process_scheduled_works+0xa25/0x1830 [ 77.235481][ T4663] process_scheduled_works+0xb02/0x1830 [ 77.237824][ T4663] ? __pfx_process_scheduled_works+0x10/0x10 [ 77.240359][ T4663] ? assign_work+0x3d5/0x5e0 [ 77.242347][ T4663] worker_thread+0xa50/0xfc0 [ 77.244318][ T4663] kthread+0x388/0x470 [ 77.246039][ T4663] ? __pfx_worker_thread+0x10/0x10 [ 77.248154][ T4663] ? __pfx_kthread+0x10/0x10 [ 77.250110][ T4663] ret_from_fork+0x51e/0xb90 [ 77.251963][ T4663] ? __pfx_ret_from_fork+0x10/0x10 [ 77.254096][ T4663] ? __switch_to+0xc7d/0x1450 [ 77.256082][ T4663] ? __pfx_kthread+0x10/0x10 [ 77.258279][ T4663] ret_from_fork_asm+0x1a/0x30 [ 77.260371][ T4663] [ 77.262132][ T4663] Kernel Offset: disabled [ 77.264057][ T4663] Rebooting in 86400 seconds..