program:
# Fuzzer-generated syzkaller program, followed by the console log of the run.
# Triage summary, taken from the log that follows: KASAN reports a
# slab-use-after-free write in hci_conn_drop, reached from hci_cmd_sync_work on
# the hci0 workqueue. The object was allocated in __hci_conn_add and freed via
# hci_conn_del, both from hci_rx_work.
# NOTE(review): only the syz_emit_vhci calls feed the Bluetooth stack. The
# NFC/NCI, NBD, xfrm, rtnetlink, binfmt_misc and fscrypt calls are presumably
# unrelated fuzzer noise - confirm by minimizing the reproducer before triage.
# NOTE(review): r0, r1 and r6 are used below but no assignment is visible in
# this listing; presumably the result markers on pipe() and
# IOCTL_GET_NCIDEV_IDX were lost in extraction - confirm against the original.
pipe(&(0x7f0000000380)={0xffffffffffffffff, 0xffffffffffffffff})
r2 = socket$inet_udp(0x2, 0x2, 0x0)
# r2 is closed here yet passed to splice() at the end of the program.
close(r2)
# Virtual NCI device plus generic-netlink NFC family lookup and NFC_CMD_DEV_UP.
r3 = openat$nci(0xffffffffffffff9c, &(0x7f0000000240), 0x2, 0x0)
r4 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r5 = syz_genetlink_get_family_id$nfc(&(0x7f0000000100), r4)
ioctl$IOCTL_GET_NCIDEV_IDX(r3, 0x0, &(0x7f00000000c0)=0x0)
sendmsg$NFC_CMD_DEV_UP(r4, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000002c0)=ANY=[@ANYBLOB="1c000000", @ANYRES16=r5, @ANYBLOB="010026bd7000fcdbdf250200000008000100", @ANYRES32=r6], 0x1c}}, 0x840)
write$nci(r3, &(0x7f00000003c0)=@NCI_OP_CORE_INTF_ERROR_NTF={0x0, 0x1, 0x3, 0x8, 0x1, {0x1}}, 0x5)
socket$nl_xfrm(0x10, 0x3, 0x6)
# fd argument is -1 (0xffffffffffffffff).
sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000000)=ANY=[@ANYBLOB="4808000010001f"], 0x3}}, 0x0)
# NBD generic-netlink CONNECT / RECONFIGURE requests.
r7 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r8 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r9 = syz_genetlink_get_family_id$nbd(&(0x7f0000000040), 0xffffffffffffffff)
sendmsg$NBD_CMD_CONNECT(r8, &(0x7f0000001ac0)={0x0, 0x0, &(0x7f0000001a80)={&(0x7f0000001a00)={0x30, r9, 0x1, 0x0, 0x0, {}, [@NBD_ATTR_CLIENT_FLAGS={0xc, 0x6, 0x1}, @NBD_ATTR_SIZE_BYTES={0xc}, @NBD_ATTR_SOCKETS={0x4}]}, 0x30}}, 0x0)
sendmsg$NBD_CMD_RECONFIGURE(r7, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000200)={0x1c, r9, 0x181, 0x0, 0x0, {}, [@NBD_ATTR_INDEX={0x8, 0x1, 0x0}]}, 0x1c}}, 0x0)
write$binfmt_misc(r1, &(0x7f0000000000), 0xfffffecc)
# Packets injected through the virtual HCI controller. A leading 0x04 byte is
# the same packet type the typed HCI_EVENT_PKT form below uses.
# Presumably the LE enhanced-connection-complete event seen in the
# "Allocated by" stack (hci_le_enh_conn_complete_evt) - confirm.
syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="0200300c000800"], 0x11)
# fd argument is -1.
ioctl$FS_IOC_SET_ENCRYPTION_POLICY(0xffffffffffffffff, 0x40086602, 0x0)
# Presumably the disconnect-complete event seen in the "Freed by" stack
# (hci_disconn_complete_evt -> hci_conn_del) - confirm.
syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7)
syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_role_change={{0x12, 0x8}}}, 0xb)
# Family 0x10 is the same value the nl_* sockets above use, despite the $kcm
# variant name.
r10 = socket$kcm(0x10, 0x2, 0x4)
sendmsg$inet(r10, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000300)="5c0000001200c97458cee3d86e6c1d0000147ea60864160af36504b68675f8001d000a00a0e69ee517d34460bc24eab556a705251e6182949a36c23d3b48dfd8cdbf9367b4fa51f60a64c9f408000368060100000800030006010000", 0x5c}], 0x1, 0x0, 0x0, 0x1f00c00e}, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
r11 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r11, &(0x7f0000000640)={0x0, 0x0, &(0x7f0000000500)={&(0x7f0000000680)=ANY=[@ANYBLOB="dc010000160011040000000000000000ffff6d436a4217a64f9ed960ffff00000000000028000000640101020000000000000000000000000000f8fe4e22000000000000010400000000caf14017c8e3802e5b3dc5c2376757e3e4f992d4ea0a2781d77285f3cfe188d6d039936773022fd322741ea8681feaec1778f6aee08d7c420ba4e304558b129f98aa4ab4ff4af7533b68c30dcc2cf4a14680300b80a27d32a702c92d2d6c1d28e0d2ae904b875d4945bcb534023a0492f1a51b8a99a63a93b70ea6c07dc9a7322295f3af4ee9d0", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="000000000000000000000000000000000000000033000000ac1e00010000000000000000000000000400000000000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff002000000000000000000000000000000000000000000000fefefffde4002000fe880000000000000000000000000101000000000000000000000000000000004e2000004e2300000a00a08030000000", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB="e0000001000000000000000000000000000004d53c000000ffffffff00000000000000000000000000000000000000800000000000000000c9000000000000003d080000000000007802000000000000000000000000000001010000000000000100000000000000ffffffff0000000001000000000000000400000000000000050000000000000008000000000000000700000028bd7000073580000200030c0000000000000000"], 0x1dc}}, 0x0)
splice(r0, 0x0, r2, 0x0, 0x4ffe2, 0x0)
[ 84.275314][ T45] Bluetooth: hci0: command tx timeout
[ 84.758598][ T5334] netlink: 228 bytes leftover after parsing attributes in process
`syz.0.0'. [ 86.292293][ T45] Bluetooth: hci0: command tx timeout [ 86.693944][ T4669] ================================================================== [ 86.697768][ T4669] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2a0 [ 86.702067][ T4669] Write of size 4 at addr ffff888012758010 by task kworker/u5:1/4669 [ 86.706481][ T4669] [ 86.707686][ T4669] CPU: 0 UID: 0 PID: 4669 Comm: kworker/u5:1 Not tainted syzkaller #0 PREEMPT(full) [ 86.707703][ T4669] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 86.707712][ T4669] Workqueue: hci0 hci_cmd_sync_work [ 86.707732][ T4669] Call Trace: [ 86.707741][ T4669] [ 86.707747][ T4669] dump_stack_lvl+0xe8/0x150 [ 86.707765][ T4669] print_report+0xba/0x230 [ 86.707778][ T4669] ? hci_conn_drop+0x34/0x2a0 [ 86.707792][ T4669] kasan_report+0x117/0x150 [ 86.707804][ T4669] ? hci_conn_drop+0x34/0x2a0 [ 86.707817][ T4669] kasan_check_range+0x264/0x2c0 [ 86.707828][ T4669] hci_conn_drop+0x34/0x2a0 [ 86.707841][ T4669] ? __pfx_le_read_features_complete+0x10/0x10 [ 86.707851][ T4669] hci_cmd_sync_work+0x262/0x400 [ 86.707862][ T4669] ? process_scheduled_works+0xa8d/0x18c0 [ 86.707876][ T4669] process_scheduled_works+0xb6e/0x18c0 [ 86.707895][ T4669] ? __pfx_process_scheduled_works+0x10/0x10 [ 86.707909][ T4669] ? assign_work+0x3d5/0x5e0 [ 86.707923][ T4669] worker_thread+0xa53/0xfc0 [ 86.707942][ T4669] kthread+0x388/0x470 [ 86.707952][ T4669] ? __pfx_worker_thread+0x10/0x10 [ 86.707965][ T4669] ? __pfx_kthread+0x10/0x10 [ 86.707974][ T4669] ret_from_fork+0x51e/0xb90 [ 86.707987][ T4669] ? __pfx_ret_from_fork+0x10/0x10 [ 86.707999][ T4669] ? __switch_to+0xc7d/0x1450 [ 86.708011][ T4669] ? 
__pfx_kthread+0x10/0x10 [ 86.708021][ T4669] ret_from_fork_asm+0x1a/0x30 [ 86.708039][ T4669] [ 86.708042][ T4669] [ 86.775123][ T4669] Allocated by task 45: [ 86.777172][ T4669] kasan_save_track+0x3e/0x80 [ 86.779639][ T4669] __kasan_kmalloc+0x93/0xb0 [ 86.782021][ T4669] __kmalloc_cache_noprof+0x31c/0x660 [ 86.784456][ T4669] __hci_conn_add+0x3c4/0x1e00 [ 86.786649][ T4669] le_conn_complete_evt+0x706/0x1430 [ 86.789065][ T4669] hci_le_enh_conn_complete_evt+0x189/0x490 [ 86.792280][ T4669] hci_event_packet+0x7af/0x12c0 [ 86.794972][ T4669] hci_rx_work+0x3ee/0x1030 [ 86.796976][ T4669] process_scheduled_works+0xb6e/0x18c0 [ 86.799425][ T4669] worker_thread+0xa53/0xfc0 [ 86.801567][ T4669] kthread+0x388/0x470 [ 86.803778][ T4669] ret_from_fork+0x51e/0xb90 [ 86.806009][ T4669] ret_from_fork_asm+0x1a/0x30 [ 86.808127][ T4669] [ 86.809155][ T4669] Freed by task 45: [ 86.810857][ T4669] kasan_save_track+0x3e/0x80 [ 86.812927][ T4669] kasan_save_free_info+0x46/0x50 [ 86.815385][ T4669] __kasan_slab_free+0x5c/0x80 [ 86.818100][ T4669] kfree+0x1c1/0x630 [ 86.820214][ T4669] device_release+0xc4/0x1f0 [ 86.822564][ T4669] kobject_put+0x228/0x560 [ 86.824441][ T4669] hci_conn_del+0xc36/0x1230 [ 86.826382][ T4669] hci_disconn_complete_evt+0x64e/0x950 [ 86.828721][ T4669] hci_event_packet+0x805/0x12c0 [ 86.830887][ T4669] hci_rx_work+0x3ee/0x1030 [ 86.833127][ T4669] process_scheduled_works+0xb6e/0x18c0 [ 86.836191][ T4669] worker_thread+0xa53/0xfc0 [ 86.838863][ T4669] kthread+0x388/0x470 [ 86.840944][ T4669] ret_from_fork+0x51e/0xb90 [ 86.843385][ T4669] ret_from_fork_asm+0x1a/0x30 [ 86.845179][ T4669] [ 86.846303][ T4669] The buggy address belongs to the object at ffff888012758000 [ 86.846303][ T4669] which belongs to the cache kmalloc-8k of size 8192 [ 86.852249][ T4669] The buggy address is located 16 bytes inside of [ 86.852249][ T4669] freed 8192-byte region [ffff888012758000, ffff88801275a000) [ 86.859673][ T4669] [ 86.860849][ T4669] The buggy address belongs to the 
physical page: [ 86.863536][ T4669] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12758 [ 86.867332][ T4669] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 86.871309][ T4669] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 86.874547][ T4669] page_type: f5(slab) [ 86.876467][ T4669] raw: 00fff00000000040 ffff88801ac42280 dead000000000100 dead000000000122 [ 86.880226][ T4669] raw: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000 [ 86.883484][ T4669] head: 00fff00000000040 ffff88801ac42280 dead000000000100 dead000000000122 [ 86.887315][ T4669] head: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000 [ 86.892728][ T4669] head: 00fff00000000003 ffffea000049d601 00000000ffffffff 00000000ffffffff [ 86.897039][ T4669] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 86.901769][ T4669] page dumped because: kasan: bad access detected [ 86.906228][ T4669] page_owner tracks the page as allocated [ 86.909415][ T4669] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4690, tgid 4690 (init), ts 29728391388, free_ts 29309570415 [ 86.918363][ T4669] post_alloc_hook+0x231/0x280 [ 86.920615][ T4669] get_page_from_freelist+0x24dc/0x2580 [ 86.923774][ T4669] __alloc_frozen_pages_noprof+0x18d/0x380 [ 86.927300][ T4669] allocate_slab+0x77/0x660 [ 86.929826][ T4669] refill_objects+0x331/0x3c0 [ 86.932400][ T4669] __pcs_replace_empty_main+0x2e6/0x730 [ 86.935342][ T4669] __kmalloc_cache_noprof+0x392/0x660 [ 86.938259][ T4669] tomoyo_init_log+0x112e/0x1fb0 [ 86.940754][ T4669] tomoyo_supervisor+0x353/0x1570 [ 86.943843][ T4669] tomoyo_env_perm+0x151/0x1f0 [ 86.946294][ T4669] tomoyo_find_next_domain+0x15cb/0x1aa0 [ 86.949032][ T4669] tomoyo_bprm_check_security+0x11b/0x180 [ 86.952650][ T4669] security_bprm_check+0x85/0x240 [ 86.955320][ T4669] bprm_execve+0x896/0x1460 [ 
86.957427][ T4669] do_execveat_common+0x50d/0x690 [ 86.959700][ T4669] __x64_sys_execve+0x97/0xc0 [ 86.962366][ T4669] page last free pid 1 tgid 1 stack trace: [ 86.965761][ T4669] __free_frozen_pages+0xc2b/0xdb0 [ 86.968319][ T4669] free_reserved_page+0xce/0x120 [ 86.970544][ T4669] free_reserved_area+0x90/0x190 [ 86.972858][ T4669] free_kernel_image_pages+0xa2/0x100 [ 86.975469][ T4669] kernel_init+0x31/0x1d0 [ 86.977801][ T4669] ret_from_fork+0x51e/0xb90 [ 86.980213][ T4669] ret_from_fork_asm+0x1a/0x30 [ 86.982721][ T4669] [ 86.983893][ T4669] Memory state around the buggy address: [ 86.986495][ T4669] ffff888012757f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 86.990112][ T4669] ffff888012757f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 86.994415][ T4669] >ffff888012758000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 86.998161][ T4669] ^ [ 87.000218][ T4669] ffff888012758080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 87.004568][ T4669] ffff888012758100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 87.008788][ T4669] ================================================================== [ 87.014804][ T4669] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 87.018210][ T4669] CPU: 0 UID: 0 PID: 4669 Comm: kworker/u5:1 Not tainted syzkaller #0 PREEMPT(full) [ 87.023126][ T4669] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 87.027725][ T4669] Workqueue: hci0 hci_cmd_sync_work [ 87.030304][ T4669] Call Trace: [ 87.032152][ T4669] [ 87.033902][ T4669] vpanic+0x56c/0xa60 [ 87.036012][ T4669] ? __pfx_vpanic+0x10/0x10 [ 87.038130][ T4669] panic+0xc5/0xd0 [ 87.039845][ T4669] ? __pfx_panic+0x10/0x10 [ 87.041828][ T4669] ? preempt_schedule_thunk+0x16/0x30 [ 87.044306][ T4669] ? preempt_schedule_thunk+0x16/0x30 [ 87.047114][ T4669] ? hci_conn_drop+0x34/0x2a0 [ 87.049585][ T4669] check_panic_on_warn+0x89/0xb0 [ 87.051988][ T4669] ? 
hci_conn_drop+0x34/0x2a0 [ 87.054021][ T4669] end_report+0x73/0x180 [ 87.055968][ T4669] ? hci_conn_drop+0x34/0x2a0 [ 87.058449][ T4669] kasan_report+0x128/0x150 [ 87.061553][ T4669] ? hci_conn_drop+0x34/0x2a0 [ 87.064162][ T4669] kasan_check_range+0x264/0x2c0 [ 87.066342][ T4669] hci_conn_drop+0x34/0x2a0 [ 87.068336][ T4669] ? __pfx_le_read_features_complete+0x10/0x10 [ 87.070985][ T4669] hci_cmd_sync_work+0x262/0x400 [ 87.073123][ T4669] ? process_scheduled_works+0xa8d/0x18c0 [ 87.075715][ T4669] process_scheduled_works+0xb6e/0x18c0 [ 87.078833][ T4669] ? __pfx_process_scheduled_works+0x10/0x10 [ 87.082095][ T4669] ? assign_work+0x3d5/0x5e0 [ 87.084195][ T4669] worker_thread+0xa53/0xfc0 [ 87.086254][ T4669] kthread+0x388/0x470 [ 87.088115][ T4669] ? __pfx_worker_thread+0x10/0x10 [ 87.090485][ T4669] ? __pfx_kthread+0x10/0x10 [ 87.092647][ T4669] ret_from_fork+0x51e/0xb90 [ 87.095159][ T4669] ? __pfx_ret_from_fork+0x10/0x10 [ 87.097730][ T4669] ? __switch_to+0xc7d/0x1450 [ 87.099743][ T4669] ? __pfx_kthread+0x10/0x10 [ 87.101664][ T4669] ret_from_fork_asm+0x1a/0x30 [ 87.103663][ T4669] [ 87.105286][ T4669] Kernel Offset: disabled [ 87.107330][ T4669] Rebooting in 86400 seconds..