program:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6)
write(r3, &(0x7f0000000040)="05000000010000", 0x7)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r4, &(0x7f0000000040)="05000000010001", 0x7)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r5 = openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0)
write$rfkill(r5, &(0x7f0000000340)={0xfffffff7, 0x0, 0x3}, 0x8)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x30, r1, 0x1, 0x70bd2d, 0x25dfdbfe, {}, [@WGDEVICE_A_IFNAME={0x14, 0x2, 'wg0\x00'}, @WGDEVICE_A_LISTEN_PORT={0x6, 0x6, 0x214e}]}, 0x30}, 0x1, 0x0, 0x0, 0x2004c000}, 0x0)
socket$nl_generic(0x10, 0x3, 0x10) (async)
syz_genetlink_get_family_id$wireguard(&(0x7f00000001c0), 0xffffffffffffffff) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
bind$bt_hci(r3, &(0x7f0000000340)={0x1f, 0xffff, 0x3}, 0x6) (async)
write(r3, &(0x7f0000000040)="05000000010000", 0x7) (async)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async)
bind$bt_hci(r4, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6) (async)
write(r4, &(0x7f0000000040)="05000000010001", 0x7) (async)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6) (async)
openat$rfkill(0xffffffffffffff9c, &(0x7f00000004c0), 0x81, 0x0) (async)
write$rfkill(r5, &(0x7f0000000340)={0xfffffff7, 0x0, 0x3}, 0x8) (async)
sendmsg$WG_CMD_SET_DEVICE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)={0x30, r1, 0x1, 0x70bd2d, 0x25dfdbfe, {}, [@WGDEVICE_A_IFNAME={0x14, 0x2, 'wg0\x00'}, @WGDEVICE_A_LISTEN_PORT={0x6, 0x6, 0x214e}]}, 0x30}, 0x1, 0x0, 0x0, 0x2004c000}, 0x0) (async)

[   77.465388][ T4670] Bluetooth: hci0: command tx timeout
[   77.475078][ T1303] ieee802154 phy0 wpan0: encryption failed: -22
[   77.477358][ T1303] ieee802154 phy1 wpan1: encryption failed: -22
[   77.610961][ T5324] Bluetooth: MGMT ver 1.23
[   77.617504][ T5324] ==================================================================
[   77.619898][ T5324] BUG: KASAN: slab-use-after-free in cmd_complete_rsp+0x67/0x180
[   77.622873][ T5324] Read of size 8 at addr ffff88804027fdc0 by task syz.0.0/5324
[   77.626060][ T5324] 
[   77.627012][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.12.0-rc5-syzkaller-00322-gb9021de3ec2f #0
[   77.631334][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   77.635547][ T5324] Call Trace:
[   77.636812][ T5324]  <TASK>
[   77.637935][ T5324]  dump_stack_lvl+0x241/0x360
[   77.639597][ T5324]  ? __pfx_dump_stack_lvl+0x10/0x10
[   77.641545][ T5324]  ? __pfx__printk+0x10/0x10
[   77.643476][ T5324]  ? _printk+0xd5/0x120
[   77.645217][ T5324]  ? __virt_addr_valid+0x183/0x530
[   77.647249][ T5324]  ? __virt_addr_valid+0x183/0x530
[   77.649256][ T5324]  print_report+0x169/0x550
[   77.650991][ T5324]  ? __virt_addr_valid+0x183/0x530
[   77.652853][ T5324]  ? __virt_addr_valid+0x183/0x530
[   77.654614][ T5324]  ? __virt_addr_valid+0x45f/0x530
[   77.656430][ T5324]  ? __phys_addr+0xba/0x170
[   77.658039][ T5324]  ? cmd_complete_rsp+0x67/0x180
[   77.659799][ T5324]  kasan_report+0x143/0x180
[   77.661372][ T5324]  ? cmd_complete_rsp+0x67/0x180
[   77.663296][ T5324]  cmd_complete_rsp+0x67/0x180
[   77.665265][ T5324]  mgmt_pending_foreach+0xd1/0x130
[   77.667218][ T5324]  ? __pfx_cmd_complete_rsp+0x10/0x10
[   77.669112][ T5324]  mgmt_index_removed+0x133/0x390
[   77.670910][ T5324]  ? __pfx_mgmt_index_removed+0x10/0x10
[   77.672920][ T5324]  ? apparmor_capable+0x13b/0x1b0
[   77.674914][ T5324]  ? _raw_read_unlock+0x28/0x50
[   77.676847][ T5324]  hci_sock_bind+0xcce/0x1150
[   77.678583][ T5324]  ? __pfx_hci_sock_bind+0x10/0x10
[   77.680585][ T5324]  __sys_bind+0x22d/0x2d0
[   77.681919][ T5324]  ? __pfx___sys_bind+0x10/0x10
[   77.683663][ T5324]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[   77.686111][ T5324]  ? do_syscall_64+0x100/0x230
[   77.688070][ T5324]  __x64_sys_bind+0x7a/0x90
[   77.689689][ T5324]  do_syscall_64+0xf3/0x230
[   77.691498][ T5324]  ? clear_bhb_loop+0x35/0x90
[   77.693407][ T5324]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   77.695595][ T5324] RIP: 0033:0x7f432057e719
[   77.697302][ T5324] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   77.704825][ T5324] RSP: 002b:00007f4321365038 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
[   77.708026][ T5324] RAX: ffffffffffffffda RBX: 00007f4320735f80 RCX: 00007f432057e719
[   77.710796][ T5324] RDX: 0000000000000006 RSI: 0000000020000040 RDI: 0000000000000005
[   77.713328][ T5324] RBP: 00007f43205f132e R08: 0000000000000000 R09: 0000000000000000
[   77.716254][ T5324] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   77.719293][ T5324] R13: 0000000000000000 R14: 00007f4320735f80 R15: 00007ffc894cfa68
[   77.722155][ T5324]  </TASK>
[   77.723081][ T5324] 
[   77.723992][ T5324] Allocated by task 5324:
[   77.725599][ T5324]  kasan_save_track+0x3f/0x80
[   77.727275][ T5324]  __kasan_kmalloc+0x98/0xb0
[   77.728998][ T5324]  __kmalloc_cache_noprof+0x19c/0x2c0
[   77.730989][ T5324]  mgmt_pending_new+0x65/0x250
[   77.732796][ T5324]  mgmt_pending_add+0x36/0x120
[   77.734383][ T5324]  set_powered+0x3cd/0x5e0
[   77.735943][ T5324]  hci_mgmt_cmd+0xc47/0x11d0
[   77.737652][ T5324]  hci_sock_sendmsg+0x7b8/0x11c0
[   77.739590][ T5324]  __sock_sendmsg+0x221/0x270
[   77.741276][ T5324]  sock_write_iter+0x2d7/0x3f0
[   77.743049][ T5324]  vfs_write+0xaeb/0xd30
[   77.744630][ T5324]  ksys_write+0x183/0x2b0
[   77.745962][ T5324]  do_syscall_64+0xf3/0x230
[   77.747811][ T5324]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   77.749953][ T5324] 
[   77.750812][ T5324] Freed by task 5324:
[   77.752213][ T5324]  kasan_save_track+0x3f/0x80
[   77.754024][ T5324]  kasan_save_free_info+0x40/0x50
[   77.755923][ T5324]  __kasan_slab_free+0x59/0x70
[   77.757751][ T5324]  kfree+0x1a0/0x440
[   77.759288][ T5324]  mgmt_set_powered_complete+0x4c5/0x6c0
[   77.761456][ T5324]  hci_cmd_sync_dequeue+0x22b/0x3d0
[   77.763420][ T5324]  cmd_complete_rsp+0x4c/0x180
[   77.765252][ T5324]  mgmt_pending_foreach+0xd1/0x130
[   77.767124][ T5324]  mgmt_index_removed+0x133/0x390
[   77.768822][ T5324]  hci_sock_bind+0xcce/0x1150
[   77.770389][ T5324]  __sys_bind+0x22d/0x2d0
[   77.771858][ T5324]  __x64_sys_bind+0x7a/0x90
[   77.773392][ T5324]  do_syscall_64+0xf3/0x230
[   77.774980][ T5324]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   77.777169][ T5324] 
[   77.778075][ T5324] The buggy address belongs to the object at ffff88804027fd80
[   77.778075][ T5324]  which belongs to the cache kmalloc-96 of size 96
[   77.783363][ T5324] The buggy address is located 64 bytes inside of
[   77.783363][ T5324]  freed 96-byte region [ffff88804027fd80, ffff88804027fde0)
[   77.788635][ T5324] 
[   77.789581][ T5324] The buggy address belongs to the physical page:
[   77.792050][ T5324] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4027f
[   77.795371][ T5324] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[   77.798067][ T5324] page_type: f5(slab)
[   77.799686][ T5324] raw: 04fff00000000000 ffff88801ac41280 dead000000000122 0000000000000000
[   77.803021][ T5324] raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000
[   77.806307][ T5324] page dumped because: kasan: bad access detected
[   77.808806][ T5324] page_owner tracks the page as allocated
[   77.810968][ T5324] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1026, tgid 1026 (kworker/u4:5), ts 77564621394, free_ts 77550643406
[   77.818114][ T5324]  post_alloc_hook+0x1f3/0x230
[   77.819712][ T5324]  get_page_from_freelist+0x303f/0x3190
[   77.821561][ T5324]  __alloc_pages_noprof+0x292/0x710
[   77.823426][ T5324]  alloc_pages_mpol_noprof+0x3e8/0x680
[   77.825096][ T5324]  alloc_slab_page+0x6a/0x120
[   77.826684][ T5324]  allocate_slab+0x5a/0x2f0
[   77.828257][ T5324]  ___slab_alloc+0xcd1/0x14b0
[   77.829831][ T5324]  __slab_alloc+0x58/0xa0
[   77.831326][ T5324]  __kmalloc_cache_noprof+0x1d5/0x2c0
[   77.833273][ T5324]  dst_cow_metrics_generic+0x56/0x1c0
[   77.835170][ T5324]  icmp6_dst_alloc+0x270/0x420
[   77.836991][ T5324]  mld_sendpack+0x6a3/0xdb0
[   77.838658][ T5324]  ipv6_mc_dad_complete+0x88/0x490
[   77.840584][ T5324]  addrconf_dad_completed+0x712/0xcd0
[   77.842653][ T5324]  addrconf_dad_work+0xdc2/0x16f0
[   77.844523][ T5324]  process_scheduled_works+0xa63/0x1850
[   77.846448][ T5324] page last free pid 5307 tgid 5307 stack trace:
[   77.848850][ T5324]  free_unref_folios+0xf12/0x18d0
[   77.850662][ T5324]  folios_put_refs+0x76c/0x860
[   77.852499][ T5324]  free_pages_and_swap_cache+0x2ea/0x690
[   77.854601][ T5324]  tlb_flush_mmu+0x3a3/0x680
[   77.856407][ T5324]  tlb_finish_mmu+0xd4/0x200
[   77.858005][ T5324]  exit_mmap+0x496/0xc40
[   77.859600][ T5324]  __mmput+0x115/0x390
[   77.861038][ T5324]  exit_mm+0x220/0x310
[   77.862500][ T5324]  do_exit+0x9b2/0x28e0
[   77.863980][ T5324]  do_group_exit+0x207/0x2c0
[   77.865660][ T5324]  __x64_sys_exit_group+0x3f/0x40
[   77.867532][ T5324]  x64_sys_call+0x2634/0x2640
[   77.869273][ T5324]  do_syscall_64+0xf3/0x230
[   77.870991][ T5324]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   77.873189][ T5324] 
[   77.874008][ T5324] Memory state around the buggy address:
[   77.875980][ T5324]  ffff88804027fc80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[   77.878638][ T5324]  ffff88804027fd00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[   77.881464][ T5324] >ffff88804027fd80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   77.884363][ T5324]                                            ^
[   77.886374][ T5324]  ffff88804027fe00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   77.889219][ T5324]  ffff88804027fe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   77.892110][ T5324] ==================================================================
[   77.912724][ T5324] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   77.915576][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.12.0-rc5-syzkaller-00322-gb9021de3ec2f #0
[   77.919589][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   77.923760][ T5324] Call Trace:
[   77.925065][ T5324]  <TASK>
[   77.926235][ T5324]  dump_stack_lvl+0x241/0x360
[   77.928117][ T5324]  ? __pfx_dump_stack_lvl+0x10/0x10
[   77.930002][ T5324]  ? __pfx__printk+0x10/0x10
[   77.931769][ T5324]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   77.933825][ T5324]  ? vscnprintf+0x5d/0x90
[   77.935499][ T5324]  panic+0x349/0x880
[   77.936905][ T5324]  ? check_panic_on_warn+0x21/0xb0
[   77.938832][ T5324]  ? __pfx_panic+0x10/0x10
[   77.940520][ T5324]  ? _raw_spin_unlock_irqrestore+0x130/0x140
[   77.942883][ T5324]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   77.945342][ T5324]  check_panic_on_warn+0x86/0xb0
[   77.947275][ T5324]  ? cmd_complete_rsp+0x67/0x180
[   77.949152][ T5324]  end_report+0x77/0x160
[   77.950763][ T5324]  kasan_report+0x154/0x180
[   77.952510][ T5324]  ? cmd_complete_rsp+0x67/0x180
[   77.954217][ T5324]  cmd_complete_rsp+0x67/0x180
[   77.956072][ T5324]  mgmt_pending_foreach+0xd1/0x130
[   77.957908][ T5324]  ? __pfx_cmd_complete_rsp+0x10/0x10
[   77.959733][ T5324]  mgmt_index_removed+0x133/0x390
[   77.961433][ T5324]  ? __pfx_mgmt_index_removed+0x10/0x10
[   77.963380][ T5324]  ? apparmor_capable+0x13b/0x1b0
[   77.965128][ T5324]  ? _raw_read_unlock+0x28/0x50
[   77.966758][ T5324]  hci_sock_bind+0xcce/0x1150
[   77.968439][ T5324]  ? __pfx_hci_sock_bind+0x10/0x10
[   77.970207][ T5324]  __sys_bind+0x22d/0x2d0
[   77.971869][ T5324]  ? __pfx___sys_bind+0x10/0x10
[   77.973804][ T5324]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[   77.976063][ T5324]  ? do_syscall_64+0x100/0x230
[   77.977899][ T5324]  __x64_sys_bind+0x7a/0x90
[   77.979654][ T5324]  do_syscall_64+0xf3/0x230
[   77.981315][ T5324]  ? clear_bhb_loop+0x35/0x90
[   77.983078][ T5324]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   77.985332][ T5324] RIP: 0033:0x7f432057e719
[   77.986878][ T5324] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   77.993895][ T5324] RSP: 002b:00007f4321365038 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
[   77.996949][ T5324] RAX: ffffffffffffffda RBX: 00007f4320735f80 RCX: 00007f432057e719
[   77.999925][ T5324] RDX: 0000000000000006 RSI: 0000000020000040 RDI: 0000000000000005
[   78.002578][ T5324] RBP: 00007f43205f132e R08: 0000000000000000 R09: 0000000000000000
[   78.005546][ T5324] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   78.008462][ T5324] R13: 0000000000000000 R14: 00007f4320735f80 R15: 00007ffc894cfa68
[   78.011225][ T5324]  </TASK>
[   78.012625][ T5324] Kernel Offset: disabled
[   78.014180][ T5324] Rebooting in 86400 seconds..