program:
r0 = socket$kcm(0x2, 0x200000000000001, 0x106)
r1 = openat$iommufd(0xffffffffffffff9c, 0x0, 0x0, 0x0)
ioctl$IOMMU_IOAS_ALLOC(r1, 0x3b81, &(0x7f0000000340)={0xc, 0x0, <r2=>0x0})
ioctl$IOMMU_TEST_OP_MOCK_DOMAIN_FLAGS(r1, 0x3ba0, &(0x7f0000000200)={0x48, 0x2, r2, 0x0, 0x0, 0x0, <r3=>0x0})
ioctl$IOMMU_IOAS_ALLOC(r1, 0x3b81, &(0x7f0000000040)={0xc, 0x0, <r4=>0x0})
ioctl$IOMMU_HWPT_ALLOC$TEST(r1, 0x3b89, &(0x7f00000002c0)={0x28, 0x3, r3, r4, <r5=>0x0, 0x0, 0xdead, 0x0, 0x0})
ioctl$IOMMU_HWPT_GET_DIRTY_BITMAP(r1, 0x3b8c, &(0x7f0000000100)={0x30, r5, 0x0, 0x0, 0x0, 0x0, 0x1000, 0x0})
r6 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
ioctl$TIOCSETD(r6, 0x5423, &(0x7f0000000080)=0xf)
ioctl$TCXONC(r6, 0x540a, 0x0)
ioctl$TCFLSH(r6, 0x400455c8, 0x4)
ioctl$TIOCVHANGUP(r6, 0x5437, 0x0)
syz_usb_connect(0x0, 0x3f, 0x0, 0x0)
sendmsg$inet(r0, &(0x7f0000000080)={&(0x7f0000000000)={0x2, 0x4001, @local}, 0x10, 0x0}, 0x30004001)
futex(0x0, 0x80, 0x2, 0x0, 0x0, 0x1)
sendmsg(r0, &(0x7f0000000880)={0x0, 0x0, &(0x7f0000000840)=[{&(0x7f0000000780)="a9", 0xfffffdef}], 0x1}, 0x0)
ioctl$TIOCVHANGUP(r6, 0x5437, 0x0)

[   75.800955][ T4668] Bluetooth: hci0: command tx timeout
[   75.922743][ T5317] ==================================================================
[   75.926149][ T5317] BUG: KASAN: slab-use-after-free in hci_uart_write_work+0x2ca/0x550
[   75.929541][ T5317] Read of size 8 at addr ffff888051915e98 by task kworker/0:5/5317
[   75.932908][ T5317] 
[   75.934063][ T5317] CPU: 0 UID: 0 PID: 5317 Comm: kworker/0:5 Not tainted syzkaller #0 PREEMPT(full) 
[   75.934077][ T5317] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   75.934085][ T5317] Workqueue: events hci_uart_write_work
[   75.934104][ T5317] Call Trace:
[   75.934112][ T5317]  <TASK>
[   75.934117][ T5317]  dump_stack_lvl+0x189/0x250
[   75.934132][ T5317]  ? __virt_addr_valid+0x1c8/0x5c0
[   75.934148][ T5317]  ? rcu_is_watching+0x15/0xb0
[   75.934160][ T5317]  ? __pfx_dump_stack_lvl+0x10/0x10
[   75.934173][ T5317]  ? rcu_is_watching+0x15/0xb0
[   75.934183][ T5317]  ? lock_release+0x4b/0x3e0
[   75.934193][ T5317]  ? _raw_spin_lock_irqsave+0xb3/0xf0
[   75.934204][ T5317]  ? __virt_addr_valid+0x1c8/0x5c0
[   75.934217][ T5317]  ? __virt_addr_valid+0x4a5/0x5c0
[   75.934230][ T5317]  print_report+0xca/0x240
[   75.934242][ T5317]  ? hci_uart_write_work+0x2ca/0x550
[   75.934255][ T5317]  kasan_report+0x118/0x150
[   75.934270][ T5317]  ? hci_uart_write_work+0x2ca/0x550
[   75.934284][ T5317]  ? __pfx_pty_write+0x10/0x10
[   75.934338][ T5317]  hci_uart_write_work+0x2ca/0x550
[   75.934357][ T5317]  ? process_scheduled_works+0x9ef/0x17b0
[   75.934369][ T5317]  process_scheduled_works+0xae1/0x17b0
[   75.934386][ T5317]  ? __pfx_process_scheduled_works+0x10/0x10
[   75.934399][ T5317]  worker_thread+0x8a0/0xda0
[   75.934417][ T5317]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   75.934429][ T5317]  ? __kthread_parkme+0x7b/0x200
[   75.934443][ T5317]  kthread+0x711/0x8a0
[   75.934456][ T5317]  ? __pfx_worker_thread+0x10/0x10
[   75.934466][ T5317]  ? __pfx_kthread+0x10/0x10
[   75.934479][ T5317]  ? _raw_spin_unlock_irq+0x23/0x50
[   75.934488][ T5317]  ? lockdep_hardirqs_on+0x9c/0x150
[   75.934500][ T5317]  ? __pfx_kthread+0x10/0x10
[   75.934512][ T5317]  ret_from_fork+0x4bc/0x870
[   75.934523][ T5317]  ? __pfx_ret_from_fork+0x10/0x10
[   75.934534][ T5317]  ? __pfx_kthread+0x10/0x10
[   75.934547][ T5317]  ret_from_fork_asm+0x1a/0x30
[   75.934559][ T5317]  </TASK>
[   75.934563][ T5317] 
[   76.011544][ T5317] Allocated by task 4668:
[   76.013365][ T5317]  kasan_save_track+0x3e/0x80
[   76.015297][ T5317]  __kasan_slab_alloc+0x6c/0x80
[   76.017198][ T5317]  kmem_cache_alloc_node_noprof+0x433/0x710
[   76.019468][ T5317]  __alloc_skb+0x112/0x2d0
[   76.021265][ T5317]  hci_cmd_sync_alloc+0x3d/0x380
[   76.023223][ T5317]  __hci_cmd_sync_sk+0x1a7/0xbc0
[   76.025248][ T5317]  hci_dev_open_sync+0x14be/0x2b60
[   76.027524][ T5317]  hci_power_on+0x1b4/0x680
[   76.029552][ T5317]  process_scheduled_works+0xae1/0x17b0
[   76.031933][ T5317]  worker_thread+0x8a0/0xda0
[   76.034214][ T5317]  kthread+0x711/0x8a0
[   76.036094][ T5317]  ret_from_fork+0x4bc/0x870
[   76.037951][ T5317]  ret_from_fork_asm+0x1a/0x30
[   76.040176][ T5317] 
[   76.041229][ T5317] The buggy address belongs to the object at ffff888051915dc0
[   76.041229][ T5317]  which belongs to the cache skbuff_head_cache of size 240
[   76.046976][ T5317] The buggy address is located 216 bytes inside of
[   76.046976][ T5317]  freed 240-byte region [ffff888051915dc0, ffff888051915eb0)
[   76.052825][ T5317] 
[   76.053845][ T5317] The buggy address belongs to the physical page:
[   76.056247][ T5317] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x51915
[   76.059091][ T5317] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[   76.061731][ T5317] page_type: f5(slab)
[   76.063270][ T5317] raw: 04fff00000000000 ffff8880304dcc80 dead000000000122 0000000000000000
[   76.066563][ T5317] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
[   76.070073][ T5317] page dumped because: kasan: bad access detected
[   76.072979][ T5317] page_owner tracks the page as allocated
[   76.075230][ T5317] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 12, tgid 12 (kworker/u4:0), ts 75912288364, free_ts 0
[   76.082672][ T5317]  post_alloc_hook+0x240/0x2a0
[   76.084774][ T5317]  get_page_from_freelist+0x2365/0x2440
[   76.087008][ T5317]  __alloc_frozen_pages_noprof+0x181/0x370
[   76.089480][ T5317]  alloc_pages_mpol+0x232/0x4a0
[   76.091484][ T5317]  allocate_slab+0x96/0x3a0
[   76.093474][ T5317]  ___slab_alloc+0xe94/0x18a0
[   76.095547][ T5317]  __slab_alloc+0x65/0x100
[   76.097394][ T5317]  kmem_cache_alloc_node_noprof+0x4c5/0x710
[   76.099950][ T5317]  __alloc_skb+0x112/0x2d0
[   76.101836][ T5317]  nsim_dev_trap_report_work+0x29a/0xb80
[   76.104188][ T5317]  process_scheduled_works+0xae1/0x17b0
[   76.106421][ T5317]  worker_thread+0x8a0/0xda0
[   76.108399][ T5317]  kthread+0x711/0x8a0
[   76.110028][ T5317]  ret_from_fork+0x4bc/0x870
[   76.111923][ T5317]  ret_from_fork_asm+0x1a/0x30
[   76.113835][ T5317] page_owner free stack trace missing
[   76.116165][ T5317] 
[   76.117169][ T5317] Memory state around the buggy address:
[   76.119350][ T5317]  ffff888051915d80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   76.122705][ T5317]  ffff888051915e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   76.126169][ T5317] >ffff888051915e80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[   76.129557][ T5317]                             ^
[   76.131681][ T5317]  ffff888051915f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   76.135041][ T5317]  ffff888051915f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   76.138478][ T5317] ==================================================================
[   76.236176][ T5317] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   76.239457][ T5317] CPU: 0 UID: 0 PID: 5317 Comm: kworker/0:5 Not tainted syzkaller #0 PREEMPT(full) 
[   76.243558][ T5317] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   76.248396][ T5317] Workqueue: events hci_uart_write_work
[   76.250866][ T5317] Call Trace:
[   76.252375][ T5317]  <TASK>
[   76.253678][ T5317]  dump_stack_lvl+0x99/0x250
[   76.255739][ T5317]  ? __asan_memcpy+0x40/0x70
[   76.257825][ T5317]  ? __pfx_dump_stack_lvl+0x10/0x10
[   76.260243][ T5317]  ? __pfx__printk+0x10/0x10
[   76.262253][ T5317]  vpanic+0x237/0x6d0
[   76.264022][ T5317]  ? __pfx_vpanic+0x10/0x10
[   76.265993][ T5317]  ? preempt_schedule+0xae/0xc0
[   76.268064][ T5317]  ? __pfx_preempt_schedule+0x10/0x10
[   76.270448][ T5317]  panic+0xb9/0xc0
[   76.272160][ T5317]  ? __pfx_panic+0x10/0x10
[   76.274176][ T5317]  ? _raw_spin_unlock_irqrestore+0xfd/0x110
[   76.276783][ T5317]  ? is_module_address+0x17/0xf0
[   76.278999][ T5317]  ? hci_uart_write_work+0x2ca/0x550
[   76.281333][ T5317]  check_panic_on_warn+0x89/0xb0
[   76.283492][ T5317]  ? hci_uart_write_work+0x2ca/0x550
[   76.285903][ T5317]  end_report+0x78/0x160
[   76.287879][ T5317]  kasan_report+0x129/0x150
[   76.289925][ T5317]  ? hci_uart_write_work+0x2ca/0x550
[   76.292278][ T5317]  ? __pfx_pty_write+0x10/0x10
[   76.294375][ T5317]  hci_uart_write_work+0x2ca/0x550
[   76.296654][ T5317]  ? process_scheduled_works+0x9ef/0x17b0
[   76.298945][ T5317]  process_scheduled_works+0xae1/0x17b0
[   76.301155][ T5317]  ? __pfx_process_scheduled_works+0x10/0x10
[   76.303582][ T5317]  worker_thread+0x8a0/0xda0
[   76.305511][ T5317]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   76.308069][ T5317]  ? __kthread_parkme+0x7b/0x200
[   76.310064][ T5317]  kthread+0x711/0x8a0
[   76.311747][ T5317]  ? __pfx_worker_thread+0x10/0x10
[   76.314031][ T5317]  ? __pfx_kthread+0x10/0x10
[   76.316143][ T5317]  ? _raw_spin_unlock_irq+0x23/0x50
[   76.318391][ T5317]  ? lockdep_hardirqs_on+0x9c/0x150
[   76.320689][ T5317]  ? __pfx_kthread+0x10/0x10
[   76.322746][ T5317]  ret_from_fork+0x4bc/0x870
[   76.324774][ T5317]  ? __pfx_ret_from_fork+0x10/0x10
[   76.327044][ T5317]  ? __pfx_kthread+0x10/0x10
[   76.329096][ T5317]  ret_from_fork_asm+0x1a/0x30
[   76.331193][ T5317]  </TASK>
[   76.332974][ T5317] Kernel Offset: disabled
[   76.334720][ T5317] Rebooting in 86400 seconds..