program: syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) r0 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCETHTOOL(r0, 0x8946, &(0x7f0000000040)={'netdevsim0\x00', &(0x7f0000000180)=@ethtool_pauseparam={0x16}}) syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="0200300c000800"], 0x11) ioctl$FS_IOC_SET_ENCRYPTION_POLICY(0xffffffffffffffff, 0x40086602, 0x0) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_role_change={{0x12, 0x8}}}, 0xb) r1 = socket$nl_xfrm(0x10, 0x3, 0x6) sendmsg$nl_xfrm(r1, &(0x7f0000000540)={0x0, 0x0, &(0x7f0000000500)={&(0x7f0000005fc0)=@newsa={0x140, 0x10, 0x1, 0x0, 0x0, {{@in=@multicast2, @in6=@empty, 0x0, 0x0, 0x4e24}, {@in=@broadcast, 0x0, 0x33}, @in6=@remote, {0x0, 0x0, 0x0, 0x1}, {}, {}, 0x0, 0x0, 0xa}, [@algo_auth={0x48, 0x1, {{'sha256\x00'}}}, @etimer_thresh={0x8, 0xc, 0x7}]}, 0x140}}, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) r2 = socket$l2tp6(0xa, 0x2, 0x73) r3 = socket$nl_route(0x10, 0x3, 0x0) perf_event_open(&(0x7f0000000040)={0x2, 0x80, 0x3, 0x1, 0x0, 0x0, 0x0, 0xf, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, @perf_bp={0x0, 0x6}, 0xa10, 0x4, 0x0, 0x0, 0x0, 0x401}, 0x0, 0x0, 0xffffffffffffffff, 0x9) r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) bpf$MAP_CREATE(0x0, &(0x7f0000000400)=@base={0x12, 0x4, 0x4, 0x12}, 0x48) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000140)={@ifindex, 0xffffffffffffffff, 0x5}, 0x20) ioctl$sock_ifreq(r4, 0x8910, &(0x7f0000000000)={'vlan0\x00', @ifru_ivalue=0x8}) r5 = openat$comedi(0xffffff9c, &(0x7f0000000040)='/dev/comedi3\x00', 0x2000, 0x0) ioctl$COMEDI_DEVCONFIG(r5, 0x40946400, &(0x7f0000000080)={'ni_at_a2150\x00', [0x3c2, 0x10, 0x3, 0x8001, 0x0, 0xfffffffd, 0x6, 0x2, 0x8, 0x7ffe, 0x3, 0x4000723, 0x400, 0x3, 0x13, 0x102, 0xffffffa7, 0x405, 0x34d, 0x1, 0x49, 0x9, 0x1ff, 0x4, 0x80000001, 0x1, 0x3, 0x7ffffffd, 0x7, 0xf58, 0x6]}) syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000)) ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f00000000c0)={'batadv0\x00', 0x0}) sendmsg$L2TP_CMD_TUNNEL_CREATE(0xffffffffffffffff, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000300)={0x1c, 0x0, 0x917, 0x0, 0x0, {}, [@L2TP_ATTR_PROTO_VERSION={0x5}]}, 0x1c}}, 0x0) sendmsg$inet(0xffffffffffffffff, &(0x7f0000007940)={0x0, 0x0, 0x0, 0x0, &(0x7f0000000300)=ANY=[@ANYBLOB="2400000000000000000000000700000001441009"], 0x28}, 0x0) r7 = socket(0xb, 0x3, 0x100) connect$inet(r7, &(0x7f00000005c0)={0x2, 0x0, @remote}, 0x10) r8 = socket$caif_stream(0x25, 0x1, 0x0) connect(r8, &(0x7f0000000080)=@l2tp={0x25, 0x0, @private}, 0x80) sendmmsg$inet(r7, &(0x7f0000005240)=[{{0x0, 0xfffffdef, 0x0, 0x0, 0x0, 0x0, 0x10}, 0xfffffdef}], 0x4000095, 0x401eb94) sendmsg$nl_route(r3, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000100)={&(0x7f00000003c0)=ANY=[@ANYBLOB="030000001000010400"/20, @ANYRES32=0x0, @ANYBLOB="000000000000000014a5f020e03b1a0baa68107b0012800c0001006d6163766c337128a4567cd7b8d6f96ae1509bb9402013f001c88939276a8d974830453d3f9ce9551449a299030bfa6324fed9bb18c8fe53e203f28ef9e0ee6cef9ab0e1a118bd166218c9c9756bc0461598ac1923b09150e071d05b4e4033c03957cfdcbd", @ANYRES32=r6, @ANYBLOB='\b\x00\n\x00', @ANYRES32=0x0, @ANYBLOB], 0x44}}, 0x0) [ 138.089663][ T5308] Bluetooth: hci0: command tx timeout [ 138.861987][ T5335] e1000e 0000:00:02.0 eth1: NIC Link is Down [ 140.166450][ T4662] Bluetooth: hci0: command tx timeout [ 140.239170][ T5308] ================================================================== [ 140.242575][ T5308] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2a0 [ 140.245866][ T5308] Write of size 4 at addr ffff8880124f4010 by task kworker/u5:2/5308 [ 140.249157][ T5308] [ 140.250306][ T5308] CPU: 0 UID: 0 PID: 5308 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) [ 140.250320][ T5308] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 140.250327][ T5308] Workqueue: hci0 hci_cmd_sync_work [ 140.250343][ T5308] Call Trace: [ 140.250359][ T5308] [ 140.250365][ T5308] dump_stack_lvl+0xe8/0x150 [ 140.250462][ T5308] print_report+0xba/0x230 [ 140.250474][ T5308] ? hci_conn_drop+0x34/0x2a0 [ 140.250485][ T5308] kasan_report+0x117/0x150 [ 140.250550][ T5308] ? hci_conn_drop+0x34/0x2a0 [ 140.250564][ T5308] kasan_check_range+0x264/0x2c0 [ 140.250579][ T5308] hci_conn_drop+0x34/0x2a0 [ 140.250590][ T5308] ? __pfx_le_read_features_complete+0x10/0x10 [ 140.250606][ T5308] hci_cmd_sync_work+0x262/0x400 [ 140.250616][ T5308] ? process_scheduled_works+0xa25/0x1830 [ 140.250680][ T5308] process_scheduled_works+0xb02/0x1830 [ 140.250696][ T5308] ? __pfx_process_scheduled_works+0x10/0x10 [ 140.250709][ T5308] ? assign_work+0x3d5/0x5e0 [ 140.250722][ T5308] worker_thread+0xa50/0xfc0 [ 140.250738][ T5308] kthread+0x388/0x470 [ 140.250749][ T5308] ? __pfx_worker_thread+0x10/0x10 [ 140.250761][ T5308] ? __pfx_kthread+0x10/0x10 [ 140.250770][ T5308] ret_from_fork+0x51e/0xb90 [ 140.250784][ T5308] ? __pfx_ret_from_fork+0x10/0x10 [ 140.250796][ T5308] ? __switch_to+0xc7d/0x1450 [ 140.250806][ T5308] ? __pfx_kthread+0x10/0x10 [ 140.250814][ T5308] ret_from_fork_asm+0x1a/0x30 [ 140.250830][ T5308] [ 140.250834][ T5308] [ 140.312211][ T5308] Allocated by task 5308: [ 140.314197][ T5308] kasan_save_track+0x3e/0x80 [ 140.316251][ T5308] __kasan_kmalloc+0x93/0xb0 [ 140.318317][ T5308] __kmalloc_cache_noprof+0x31c/0x660 [ 140.320762][ T5308] __hci_conn_add+0x3c4/0x1e00 [ 140.322935][ T5308] le_conn_complete_evt+0x706/0x1430 [ 140.325316][ T5308] hci_le_enh_conn_complete_evt+0x189/0x490 [ 140.327870][ T5308] hci_event_packet+0x7af/0x12c0 [ 140.330119][ T5308] hci_rx_work+0x3ee/0x1030 [ 140.332219][ T5308] process_scheduled_works+0xb02/0x1830 [ 140.334724][ T5308] worker_thread+0xa50/0xfc0 [ 140.336746][ T5308] kthread+0x388/0x470 [ 140.338430][ T5308] ret_from_fork+0x51e/0xb90 [ 140.340261][ T5308] ret_from_fork_asm+0x1a/0x30 [ 140.342331][ T5308] [ 140.343439][ T5308] Freed by task 4662: [ 140.345182][ T5308] kasan_save_track+0x3e/0x80 [ 140.347322][ T5308] kasan_save_free_info+0x46/0x50 [ 140.349604][ T5308] __kasan_slab_free+0x5c/0x80 [ 140.351762][ T5308] kfree+0x1c1/0x630 [ 140.353553][ T5308] device_release+0x9e/0x1d0 [ 140.355860][ T5308] kobject_put+0x228/0x560 [ 140.357883][ T5308] hci_conn_del+0xc36/0x1230 [ 140.359936][ T5308] hci_disconn_complete_evt+0x64e/0x950 [ 140.362470][ T5308] hci_event_packet+0x805/0x12c0 [ 140.364655][ T5308] hci_rx_work+0x3ee/0x1030 [ 140.366642][ T5308] process_scheduled_works+0xb02/0x1830 [ 140.369093][ T5308] worker_thread+0xa50/0xfc0 [ 140.371158][ T5308] kthread+0x388/0x470 [ 140.373053][ T5308] ret_from_fork+0x51e/0xb90 [ 140.375087][ T5308] ret_from_fork_asm+0x1a/0x30 [ 140.377268][ T5308] [ 140.378426][ T5308] The buggy address belongs to the object at ffff8880124f4000 [ 140.378426][ T5308] which belongs to the cache kmalloc-8k of size 8192 [ 140.384494][ T5308] The buggy address is located 16 bytes inside of [ 140.384494][ T5308] freed 8192-byte region [ffff8880124f4000, ffff8880124f6000) [ 140.390063][ T5308] [ 140.391078][ T5308] The buggy address belongs to the physical page: [ 140.393662][ T5308] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x124f0 [ 140.397371][ T5308] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 140.401175][ T5308] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) [ 140.404647][ T5308] page_type: f5(slab) [ 140.406196][ T5308] raw: 00fff00000000040 ffff88801a842280 dead000000000122 0000000000000000 [ 140.410224][ T5308] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000 [ 140.414861][ T5308] head: 00fff00000000040 ffff88801a842280 dead000000000122 0000000000000000 [ 140.418958][ T5308] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000 [ 140.422689][ T5308] head: 00fff00000000003 ffffea0000493c01 00000000ffffffff 00000000ffffffff [ 140.426383][ T5308] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 140.430002][ T5308] page dumped because: kasan: bad access detected [ 140.432807][ T5308] page_owner tracks the page as allocated [ 140.435402][ T5308] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5308, tgid 5308 (kworker/u5:2), ts 138210719957, free_ts 56612932258 [ 140.444073][ T5308] post_alloc_hook+0x231/0x280 [ 140.446042][ T5308] get_page_from_freelist+0x24dc/0x2580 [ 140.448204][ T5308] __alloc_frozen_pages_noprof+0x18d/0x380 [ 140.450089][ T5308] allocate_slab+0x77/0x660 [ 140.451671][ T5308] refill_objects+0x331/0x3c0 [ 140.453268][ T5308] __pcs_replace_empty_main+0x2b9/0x620 [ 140.455362][ T5308] __kmalloc_cache_noprof+0x392/0x660 [ 140.457493][ T5308] __hci_conn_add+0x3c4/0x1e00 [ 140.459494][ T5308] le_conn_complete_evt+0x706/0x1430 [ 140.461669][ T5308] hci_le_enh_conn_complete_evt+0x189/0x490 [ 140.464273][ T5308] hci_event_packet+0x7af/0x12c0 [ 140.466347][ T5308] hci_rx_work+0x3ee/0x1030 [ 140.468091][ T5308] process_scheduled_works+0xb02/0x1830 [ 140.470064][ T5308] worker_thread+0xa50/0xfc0 [ 140.471826][ T5308] kthread+0x388/0x470 [ 140.473387][ T5308] ret_from_fork+0x51e/0xb90 [ 140.475436][ T5308] page last free pid 4716 tgid 4716 stack trace: [ 140.478823][ T5308] __free_frozen_pages+0xc00/0xd90 [ 140.481540][ T5308] __slab_free+0x263/0x2b0 [ 140.483140][ T5308] qlist_free_all+0x97/0x100 [ 140.484735][ T5308] kasan_quarantine_reduce+0x148/0x160 [ 140.486708][ T5308] __kasan_slab_alloc+0x22/0x80 [ 140.488355][ T5308] __kmalloc_noprof+0x316/0x760 [ 140.490034][ T5308] tomoyo_realpath_from_path+0xe3/0x5d0 [ 140.492091][ T5308] tomoyo_path_perm+0x283/0x560 [ 140.494183][ T5308] security_file_truncate+0xa9/0x240 [ 140.496430][ T5308] path_openat+0x2f32/0x3860 [ 140.498496][ T5308] do_file_open+0x23e/0x4a0 [ 140.500710][ T5308] do_sys_openat2+0x113/0x200 [ 140.502892][ T5308] __x64_sys_openat+0x138/0x170 [ 140.504944][ T5308] do_syscall_64+0x14d/0xf80 [ 140.506764][ T5308] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 140.509184][ T5308] [ 140.510199][ T5308] Memory state around the buggy address: [ 140.512332][ T5308] ffff8880124f3f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 140.515417][ T5308] ffff8880124f3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 140.518688][ T5308] >ffff8880124f4000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 140.521994][ T5308] ^ [ 140.523857][ T5308] ffff8880124f4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 140.527324][ T5308] ffff8880124f4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 140.530603][ T5308] ================================================================== [ 140.535662][ T5308] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 140.538720][ T5308] CPU: 0 UID: 0 PID: 5308 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) [ 140.542733][ T5308] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 140.547053][ T5308] Workqueue: hci0 hci_cmd_sync_work [ 140.549216][ T5308] Call Trace: [ 140.550738][ T5308] [ 140.552078][ T5308] vpanic+0x56c/0xa60 [ 140.553990][ T5308] ? __pfx_vpanic+0x10/0x10 [ 140.555856][ T5308] panic+0xc5/0xd0 [ 140.557333][ T5308] ? __pfx_panic+0x10/0x10 [ 140.559035][ T5308] ? preempt_schedule_thunk+0x16/0x30 [ 140.561385][ T5308] ? preempt_schedule_thunk+0x16/0x30 [ 140.563825][ T5308] ? hci_conn_drop+0x34/0x2a0 [ 140.565575][ T5308] check_panic_on_warn+0x89/0xb0 [ 140.567623][ T5308] ? hci_conn_drop+0x34/0x2a0 [ 140.569382][ T5308] end_report+0x73/0x180 [ 140.571136][ T5308] ? hci_conn_drop+0x34/0x2a0 [ 140.573155][ T5308] kasan_report+0x128/0x150 [ 140.574983][ T5308] ? hci_conn_drop+0x34/0x2a0 [ 140.576839][ T5308] kasan_check_range+0x264/0x2c0 [ 140.578876][ T5308] hci_conn_drop+0x34/0x2a0 [ 140.581009][ T5308] ? __pfx_le_read_features_complete+0x10/0x10 [ 140.583782][ T5308] hci_cmd_sync_work+0x262/0x400 [ 140.585856][ T5308] ? process_scheduled_works+0xa25/0x1830 [ 140.588395][ T5308] process_scheduled_works+0xb02/0x1830 [ 140.590867][ T5308] ? __pfx_process_scheduled_works+0x10/0x10 [ 140.593375][ T5308] ? assign_work+0x3d5/0x5e0 [ 140.595482][ T5308] worker_thread+0xa50/0xfc0 [ 140.597425][ T5308] kthread+0x388/0x470 [ 140.599186][ T5308] ? __pfx_worker_thread+0x10/0x10 [ 140.601285][ T5308] ? __pfx_kthread+0x10/0x10 [ 140.603293][ T5308] ret_from_fork+0x51e/0xb90 [ 140.605261][ T5308] ? __pfx_ret_from_fork+0x10/0x10 [ 140.607353][ T5308] ? __switch_to+0xc7d/0x1450 [ 140.609308][ T5308] ? __pfx_kthread+0x10/0x10 [ 140.611444][ T5308] ret_from_fork_asm+0x1a/0x30 [ 140.613575][ T5308] [ 140.615421][ T5308] Kernel Offset: disabled [ 140.617371][ T5308] Rebooting in 86400 seconds..