program:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0) (async)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f00000000c0)={0x1f, 0xffff, 0x3}, 0x6) (async)
write(r1, &(0x7f0000000000)="0a000000010001", 0x7)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)

[   67.841451][ T5310] Bluetooth: hci0: command tx timeout
[   67.877676][ T5327] Bluetooth: MGMT ver 1.23
[   67.907278][ T5326] ==================================================================
[   67.911080][ T5326] BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x31/0x190
[   67.914599][ T5326] Read of size 8 at addr ffff88801d078088 by task syz.0.0/5326
[   67.917431][ T5326] 
[   67.918346][ T5326] CPU: 0 UID: 0 PID: 5326 Comm: syz.0.0 Not tainted 6.14.0-syzkaller-13443-g56f944529ec2 #0 PREEMPT(full) 
[   67.918360][ T5326] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   67.918367][ T5326] Call Trace:
[   67.918373][ T5326]  <TASK>
[   67.918378][ T5326]  dump_stack_lvl+0x241/0x360
[   67.918396][ T5326]  ? __pfx_dump_stack_lvl+0x10/0x10
[   67.918409][ T5326]  ? rcu_is_watching+0x15/0xb0
[   67.918421][ T5326]  ? __virt_addr_valid+0x183/0x530
[   67.918435][ T5326]  ? lock_release+0x4e/0x3e0
[   67.918443][ T5326]  ? __virt_addr_valid+0x183/0x530
[   67.918452][ T5326]  ? __virt_addr_valid+0x183/0x530
[   67.918465][ T5326]  print_report+0x16e/0x5b0
[   67.918473][ T5326]  ? __virt_addr_valid+0x183/0x530
[   67.918483][ T5326]  ? __virt_addr_valid+0x183/0x530
[   67.918494][ T5326]  ? __virt_addr_valid+0x45f/0x530
[   67.918505][ T5326]  ? __phys_addr+0xba/0x170
[   67.918517][ T5326]  ? __list_del_entry_valid_or_report+0x31/0x190
[   67.918533][ T5326]  kasan_report+0x143/0x180
[   67.918545][ T5326]  ? __list_del_entry_valid_or_report+0x31/0x190
[   67.918560][ T5326]  __list_del_entry_valid_or_report+0x31/0x190
[   67.918576][ T5326]  mgmt_pending_remove+0x26/0x1a0
[   67.918630][ T5326]  mgmt_pending_foreach+0xd1/0x130
[   67.918641][ T5326]  ? __pfx_cmd_complete_rsp+0x10/0x10
[   67.918654][ T5326]  __mgmt_power_off+0x18b/0x440
[   67.918666][ T5326]  ? __pfx___mgmt_power_off+0x10/0x10
[   67.918675][ T5326]  ? __lock_acquire+0xad5/0xd80
[   67.918685][ T5326]  ? __mutex_trylock_common+0x184/0x2e0
[   67.918698][ T5326]  ? __pfx___mutex_trylock_common+0x10/0x10
[   67.918711][ T5326]  ? rcu_is_watching+0x15/0xb0
[   67.918722][ T5326]  ? trace_contention_end+0x3c/0x120
[   67.918733][ T5326]  ? __mutex_lock+0x380/0x10c0
[   67.918746][ T5326]  ? __mutex_unlock_slowpath+0x229/0x800
[   67.918757][ T5326]  ? hci_dev_close_sync+0x60f/0x1260
[   67.918769][ T5326]  ? __pfx___mutex_lock+0x10/0x10
[   67.918780][ T5326]  ? __pfx___mutex_unlock_slowpath+0x10/0x10
[   67.918793][ T5326]  ? _raw_spin_unlock_irq+0x2e/0x50
[   67.918803][ T5326]  ? drain_workqueue+0x2d3/0x3a0
[   67.918816][ T5326]  ? hci_discovery_set_state+0x57/0x180
[   67.918828][ T5326]  hci_dev_close_sync+0x701/0x1260
[   67.918839][ T5326]  ? __pfx_enable_work+0x10/0x10
[   67.918851][ T5326]  ? __pfx_hci_dev_close_sync+0x10/0x10
[   67.918861][ T5326]  ? hci_dev_get+0xdc/0x1a0
[   67.918873][ T5326]  hci_dev_close+0x112/0x210
[   67.918884][ T5326]  sock_do_ioctl+0x15a/0x490
[   67.918899][ T5326]  ? __pfx_sock_do_ioctl+0x10/0x10
[   67.918911][ T5326]  ? __lock_acquire+0xad5/0xd80
[   67.918923][ T5326]  sock_ioctl+0x644/0x900
[   67.918934][ T5326]  ? __pfx_sock_ioctl+0x10/0x10
[   67.918944][ T5326]  ? __fget_files+0x2a/0x420
[   67.918953][ T5326]  ? __fget_files+0x2a/0x420
[   67.918961][ T5326]  ? __fget_files+0x2a/0x420
[   67.918971][ T5326]  ? __pfx_sock_ioctl+0x10/0x10
[   67.918982][ T5326]  __se_sys_ioctl+0xf1/0x160
[   67.918994][ T5326]  do_syscall_64+0xf3/0x230
[   67.919005][ T5326]  ? clear_bhb_loop+0x45/0xa0
[   67.919016][ T5326]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   67.919027][ T5326] RIP: 0033:0x7eff7978d169
[   67.919038][ T5326] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   67.919046][ T5326] RSP: 002b:00007eff7a6b1038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   67.919058][ T5326] RAX: ffffffffffffffda RBX: 00007eff799a5fa0 RCX: 00007eff7978d169
[   67.919065][ T5326] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000004
[   67.919071][ T5326] RBP: 00007eff7980e2a0 R08: 0000000000000000 R09: 0000000000000000
[   67.919077][ T5326] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   67.919083][ T5326] R13: 0000000000000000 R14: 00007eff799a5fa0 R15: 00007ffd6f1fa468
[   67.919094][ T5326]  </TASK>
[   67.919098][ T5326] 
[   68.062696][ T5326] Allocated by task 5327:
[   68.064499][ T5326]  kasan_save_track+0x3f/0x80
[   68.066324][ T5326]  __kasan_kmalloc+0x9d/0xb0
[   68.068177][ T5326]  __kmalloc_cache_noprof+0x236/0x370
[   68.070259][ T5326]  mgmt_pending_new+0x65/0x250
[   68.072211][ T5326]  mgmt_pending_add+0x36/0x120
[   68.074085][ T5326]  set_link_security+0x61e/0x860
[   68.076075][ T5326]  hci_mgmt_cmd+0xa2e/0xf20
[   68.077929][ T5326]  hci_sock_sendmsg+0x7b8/0x11f0
[   68.079942][ T5326]  __sock_sendmsg+0x221/0x270
[   68.081829][ T5326]  sock_write_iter+0x2d9/0x3f0
[   68.083716][ T5326]  vfs_write+0x70f/0xd10
[   68.085336][ T5326]  ksys_write+0x19d/0x2d0
[   68.086984][ T5326]  do_syscall_64+0xf3/0x230
[   68.088805][ T5326]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   68.091067][ T5326] 
[   68.091996][ T5326] Freed by task 5327:
[   68.093572][ T5326]  kasan_save_track+0x3f/0x80
[   68.095474][ T5326]  kasan_save_free_info+0x40/0x50
[   68.097447][ T5326]  __kasan_slab_free+0x59/0x70
[   68.099407][ T5326]  kfree+0x198/0x430
[   68.101143][ T5326]  mgmt_pending_foreach+0xd1/0x130
[   68.103228][ T5326]  mgmt_index_removed+0x135/0x3a0
[   68.105329][ T5326]  hci_sock_bind+0xd74/0x12d0
[   68.107198][ T5326]  __sys_bind+0x1de/0x290
[   68.108970][ T5326]  __x64_sys_bind+0x7a/0x90
[   68.110762][ T5326]  do_syscall_64+0xf3/0x230
[   68.112624][ T5326]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   68.115036][ T5326] 
[   68.116005][ T5326] The buggy address belongs to the object at ffff88801d078080
[   68.116005][ T5326]  which belongs to the cache kmalloc-96 of size 96
[   68.121415][ T5326] The buggy address is located 8 bytes inside of
[   68.121415][ T5326]  freed 96-byte region [ffff88801d078080, ffff88801d0780e0)
[   68.126692][ T5326] 
[   68.127682][ T5326] The buggy address belongs to the physical page:
[   68.130171][ T5326] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d078
[   68.133645][ T5326] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   68.136423][ T5326] page_type: f5(slab)
[   68.138048][ T5326] raw: 00fff00000000000 ffff88801b041280 dead000000000100 dead000000000122
[   68.141381][ T5326] raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
[   68.144746][ T5326] page dumped because: kasan: bad access detected
[   68.147193][ T5326] page_owner tracks the page as allocated
[   68.149487][ T5326] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 5327, tgid 5325 (syz.0.0), ts 67877257445, free_ts 66182794905
[   68.156762][ T5326]  post_alloc_hook+0x1f4/0x240
[   68.158652][ T5326]  get_page_from_freelist+0x352b/0x36c0
[   68.160936][ T5326]  __alloc_pages_slowpath+0x436/0x1080
[   68.163133][ T5326]  __alloc_frozen_pages_noprof+0x40d/0x5b0
[   68.165498][ T5326]  allocate_slab+0x66/0x3a0
[   68.167329][ T5326]  ___slab_alloc+0xc3b/0x1500
[   68.169246][ T5326]  __slab_alloc+0x58/0xa0
[   68.170977][ T5326]  __kmalloc_node_noprof+0x2f4/0x4d0
[   68.173075][ T5326]  alloc_slab_obj_exts+0x3a/0xa0
[   68.175059][ T5326]  __memcg_slab_post_alloc_hook+0x31c/0x7e0
[   68.177356][ T5326]  kmem_cache_alloc_noprof+0x28f/0x390
[   68.179516][ T5326]  alloc_empty_file+0x56/0x1d0
[   68.181589][ T5326]  alloc_file_pseudo+0x206/0x320
[   68.183598][ T5326]  sock_alloc_file+0xb7/0x2e0
[   68.185444][ T5326]  __sys_socket+0x1dc/0x3c0
[   68.187169][ T5326]  __x64_sys_socket+0x7a/0x90
[   68.188798][ T5326] page last free pid 1050 tgid 1050 stack trace:
[   68.191036][ T5326]  __free_frozen_pages+0xde8/0x10a0
[   68.193147][ T5326]  rcu_core+0xaac/0x17a0
[   68.194736][ T5326]  handle_softirqs+0x2d6/0x9b0
[   68.196704][ T5326]  do_softirq+0x11f/0x1e0
[   68.198476][ T5326]  __local_bh_enable_ip+0x1be/0x200
[   68.200510][ T5326]  batadv_nc_purge_paths+0x312/0x3b0
[   68.202618][ T5326]  batadv_nc_worker+0x328/0x610
[   68.204633][ T5326]  process_scheduled_works+0xac3/0x18e0
[   68.206797][ T5326]  worker_thread+0x870/0xd50
[   68.208642][ T5326]  kthread+0x7b7/0x940
[   68.210257][ T5326]  ret_from_fork+0x4b/0x80
[   68.212018][ T5326]  ret_from_fork_asm+0x1a/0x30
[   68.213949][ T5326] 
[   68.214952][ T5326] Memory state around the buggy address:
[   68.217146][ T5326]  ffff88801d077f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   68.220330][ T5326]  ffff88801d078000: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[   68.223400][ T5326] >ffff88801d078080: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   68.226551][ T5326]                       ^
[   68.228266][ T5326]  ffff88801d078100: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   68.231437][ T5326]  ffff88801d078180: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[   68.234555][ T5326] ==================================================================
[   68.265228][ T5326] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   68.268166][ T5326] CPU: 0 UID: 0 PID: 5326 Comm: syz.0.0 Not tainted 6.14.0-syzkaller-13443-g56f944529ec2 #0 PREEMPT(full) 
[   68.272558][ T5326] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   68.276718][ T5326] Call Trace:
[   68.278100][ T5326]  <TASK>
[   68.279279][ T5326]  dump_stack_lvl+0x241/0x360
[   68.281176][ T5326]  ? __pfx_dump_stack_lvl+0x10/0x10
[   68.283317][ T5326]  ? __pfx__printk+0x10/0x10
[   68.285219][ T5326]  ? vscnprintf+0x5d/0x90
[   68.286983][ T5326]  panic+0x349/0x880
[   68.288722][ T5326]  ? check_panic_on_warn+0x21/0xb0
[   68.290821][ T5326]  ? __pfx_panic+0x10/0x10
[   68.292634][ T5326]  ? _raw_spin_unlock_irqrestore+0x134/0x140
[   68.294954][ T5326]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   68.297469][ T5326]  ? print_report+0x519/0x5b0
[   68.299428][ T5326]  check_panic_on_warn+0x86/0xb0
[   68.301436][ T5326]  ? __list_del_entry_valid_or_report+0x31/0x190
[   68.304088][ T5326]  end_report+0x77/0x160
[   68.305817][ T5326]  kasan_report+0x154/0x180
[   68.307654][ T5326]  ? __list_del_entry_valid_or_report+0x31/0x190
[   68.310188][ T5326]  __list_del_entry_valid_or_report+0x31/0x190
[   68.312840][ T5326]  mgmt_pending_remove+0x26/0x1a0
[   68.314857][ T5326]  mgmt_pending_foreach+0xd1/0x130
[   68.316812][ T5326]  ? __pfx_cmd_complete_rsp+0x10/0x10
[   68.318690][ T5326]  __mgmt_power_off+0x18b/0x440
[   68.320418][ T5326]  ? __pfx___mgmt_power_off+0x10/0x10
[   68.322480][ T5326]  ? __lock_acquire+0xad5/0xd80
[   68.324352][ T5326]  ? __mutex_trylock_common+0x184/0x2e0
[   68.326464][ T5326]  ? __pfx___mutex_trylock_common+0x10/0x10
[   68.328771][ T5326]  ? rcu_is_watching+0x15/0xb0
[   68.330753][ T5326]  ? trace_contention_end+0x3c/0x120
[   68.332908][ T5326]  ? __mutex_lock+0x380/0x10c0
[   68.334900][ T5326]  ? __mutex_unlock_slowpath+0x229/0x800
[   68.337214][ T5326]  ? hci_dev_close_sync+0x60f/0x1260
[   68.339154][ T5326]  ? __pfx___mutex_lock+0x10/0x10
[   68.341133][ T5326]  ? __pfx___mutex_unlock_slowpath+0x10/0x10
[   68.343327][ T5326]  ? _raw_spin_unlock_irq+0x2e/0x50
[   68.345235][ T5326]  ? drain_workqueue+0x2d3/0x3a0
[   68.347080][ T5326]  ? hci_discovery_set_state+0x57/0x180
[   68.349219][ T5326]  hci_dev_close_sync+0x701/0x1260
[   68.351119][ T5326]  ? __pfx_enable_work+0x10/0x10
[   68.353113][ T5326]  ? __pfx_hci_dev_close_sync+0x10/0x10
[   68.355275][ T5326]  ? hci_dev_get+0xdc/0x1a0
[   68.357123][ T5326]  hci_dev_close+0x112/0x210
[   68.358938][ T5326]  sock_do_ioctl+0x15a/0x490
[   68.360809][ T5326]  ? __pfx_sock_do_ioctl+0x10/0x10
[   68.362924][ T5326]  ? __lock_acquire+0xad5/0xd80
[   68.364958][ T5326]  sock_ioctl+0x644/0x900
[   68.366719][ T5326]  ? __pfx_sock_ioctl+0x10/0x10
[   68.368653][ T5326]  ? __fget_files+0x2a/0x420
[   68.370524][ T5326]  ? __fget_files+0x2a/0x420
[   68.372473][ T5326]  ? __fget_files+0x2a/0x420
[   68.374371][ T5326]  ? __pfx_sock_ioctl+0x10/0x10
[   68.376455][ T5326]  __se_sys_ioctl+0xf1/0x160
[   68.378430][ T5326]  do_syscall_64+0xf3/0x230
[   68.380372][ T5326]  ? clear_bhb_loop+0x45/0xa0
[   68.382280][ T5326]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   68.384634][ T5326] RIP: 0033:0x7eff7978d169
[   68.386577][ T5326] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   68.394158][ T5326] RSP: 002b:00007eff7a6b1038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   68.397588][ T5326] RAX: ffffffffffffffda RBX: 00007eff799a5fa0 RCX: 00007eff7978d169
[   68.400773][ T5326] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000004
[   68.403902][ T5326] RBP: 00007eff7980e2a0 R08: 0000000000000000 R09: 0000000000000000
[   68.406942][ T5326] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   68.410225][ T5326] R13: 0000000000000000 R14: 00007eff799a5fa0 R15: 00007ffd6f1fa468
[   68.413730][ T5326]  </TASK>
[   68.415344][ T5326] Kernel Offset: disabled
[   68.417119][ T5326] Rebooting in 86400 seconds..