program (syzkaller reproducer):
# Reproducer for the KASAN slab-use-after-free reported below in
# cfusbl_device_notify (reached from register_netdev <- bnep_add_connection).
# Comment lines are skipped by the syzkaller program parser; the syscall
# lines are unchanged.
#
# Create an L2CAP socket (family 0x1f = AF_BLUETOOTH) and connect it.
# The bdaddr is a fixed value and the peer is the emulated vhci controller
# (the "page last allocated" stack shows vhci_create_device); the hci_conn
# that is later freed was allocated from hci_conn_request_evt on a worker
# thread (task 5305, "Allocated by" stack).
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000000)={0x1f, 0x8ef, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
# BNEP socket (proto 0x4 = BTPROTO_BNEP). BNEPCONNADD takes the L2CAP
# socket r0 and registers a new netdev; the netdev notifier chain then runs
# cfusbl_device_notify, which is where the 8-byte read of freed memory
# happens (see the "Call Trace" of the report).
r1 = syz_init_net_socket$bt_bnep(0x1f, 0x3, 0x4)
ioctl$sock_bt_bnep_BNEPCONNADD(r1, 0x400442c8, &(0x7f00000001c0)={r0, 0x1, 0x2})
# Raw HCI socket (proto 0x1 = BTPROTO_HCI). Request 0x400448ca matches
# HCIDEVDOWN on hci0; the "Freed by" stack is hci_dev_close ->
# hci_conn_hash_flush -> hci_conn_del, i.e. this call tears down the
# hci_conn still referenced by the BNEP netdev being registered.
# NOTE(review): the free is attributed to task 5329 while the read is in
# task 5328, so the executor presumably runs this ioctl concurrently with
# BNEPCONNADD rather than strictly after it as listed; the defect is a
# hci_conn lifetime issue relative to bnep netdev registration — confirm
# against the kernel source before relying on that reading.
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r2, 0x400448ca, 0x0)
[ 86.184829][ T5305] Bluetooth: hci0: command tx timeout
[ 86.330851][ T5328] ==================================================================
[ 86.334306][ T5328] BUG: KASAN: slab-use-after-free in cfusbl_device_notify+0x150/0x6a0
[ 86.337941][ T5328] Read of size 8 at addr ffff888033a34c50 by task syz.0.0/5328
[ 86.341141][ T5328]
[ 86.342192][ T5328] CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full)
[ 86.342213][ T5328] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 86.342223][ T5328] Call Trace:
[ 86.342231][ T5328]
[ 86.342238][ T5328] dump_stack_lvl+0x189/0x250
[ 86.342261][ T5328] ? __virt_addr_valid+0x1c8/0x5c0
[ 86.342273][ T5328] ? rcu_is_watching+0x15/0xb0
[ 86.342290][ T5328] ? __kasan_check_byte+0x12/0x40
[ 86.342346][ T5328] ? __pfx_dump_stack_lvl+0x10/0x10
[ 86.342366][ T5328] ? rcu_is_watching+0x15/0xb0
[ 86.342387][ T5328] ? lock_release+0x4b/0x3e0
[ 86.342404][ T5328] ? __virt_addr_valid+0x1c8/0x5c0
[ 86.342414][ T5328] ? __virt_addr_valid+0x4a5/0x5c0
[ 86.342423][ T5328] print_report+0xd2/0x2b0
[ 86.342434][ T5328] ? cfusbl_device_notify+0x150/0x6a0
[ 86.342443][ T5328] kasan_report+0x118/0x150
[ 86.342455][ T5328] ? cfusbl_device_notify+0x150/0x6a0
[ 86.342468][ T5328] cfusbl_device_notify+0x150/0x6a0
[ 86.342481][ T5328] ? net_generic+0x1e/0x240
[ 86.342493][ T5328] ? __pfx_cfusbl_device_notify+0x10/0x10
[ 86.342517][ T5328] ? caif_device_notify+0x250/0xfc0
[ 86.342531][ T5328] ? smc_pnet_netdev_event+0x3b5/0x6c0
[ 86.342546][ T5328] notifier_call_chain+0x1b3/0x3e0
[ 86.342567][ T5328] register_netdevice+0x121c/0x1ae0
[ 86.342583][ T5328] ? __mutex_lock+0x51b/0xe80
[ 86.342647][ T5328] ? __pfx_register_netdevice+0x10/0x10
[ 86.342664][ T5328] ? __asan_memset+0x22/0x50
[ 86.342681][ T5328] ? dev_addr_mod+0x2ce/0x3d0
[ 86.342695][ T5328] register_netdev+0x40/0x60
[ 86.342710][ T5328] bnep_add_connection+0x6bf/0xbf0
[ 86.342733][ T5328] ? __pfx_bnep_add_connection+0x10/0x10
[ 86.342751][ T5328] ? __fget_files+0x3a0/0x420
[ 86.342769][ T5328] do_bnep_sock_ioctl+0x40e/0x640
[ 86.342786][ T5328] ? __pfx_do_bnep_sock_ioctl+0x10/0x10
[ 86.342805][ T5328] ? tomoyo_path_number_perm+0x1bc/0x5a0
[ 86.342819][ T5328] ? tomoyo_path_number_perm+0x4e2/0x5a0
[ 86.342834][ T5328] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 86.342850][ T5328] sock_do_ioctl+0xd9/0x300
[ 86.342869][ T5328] ? __pfx_sock_do_ioctl+0x10/0x10
[ 86.342883][ T5328] ? __lock_acquire+0xab9/0xd20
[ 86.342902][ T5328] sock_ioctl+0x576/0x790
[ 86.342916][ T5328] ? __pfx_sock_ioctl+0x10/0x10
[ 86.342931][ T5328] ? __fget_files+0x2a/0x420
[ 86.342944][ T5328] ? __fget_files+0x3a0/0x420
[ 86.342955][ T5328] ? __fget_files+0x2a/0x420
[ 86.342967][ T5328] ? bpf_lsm_file_ioctl+0x9/0x20
[ 86.342984][ T5328] ? __pfx_sock_ioctl+0x10/0x10
[ 86.342998][ T5328] __se_sys_ioctl+0xf9/0x170
[ 86.343015][ T5328] do_syscall_64+0xfa/0x3b0
[ 86.343032][ T5328] ? lockdep_hardirqs_on+0x9c/0x150
[ 86.343047][ T5328] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.343058][ T5328] ? clear_bhb_loop+0x60/0xb0
[ 86.343072][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.343086][ T5328] RIP: 0033:0x7f065e98e929
[ 86.343099][ T5328] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 86.343109][ T5328] RSP: 002b:00007f065adf5038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 86.343126][ T5328] RAX: ffffffffffffffda RBX: 00007f065ebb5fa0 RCX: 00007f065e98e929
[ 86.343135][ T5328] RDX: 00002000000001c0 RSI: 00000000400442c8 RDI: 0000000000000005
[ 86.343146][ T5328] RBP: 00007f065ea10b39 R08: 0000000000000000 R09: 0000000000000000
[ 86.343154][ T5328] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 86.343161][ T5328] R13: 0000000000000000 R14: 00007f065ebb5fa0 R15: 00007ffc8adce2a8
[ 86.343173][ T5328]
[ 86.343177][ T5328]
[ 86.494316][ T5328] Allocated by task 5305:
[ 86.496285][ T5328] kasan_save_track+0x3e/0x80
[ 86.498461][ T5328] __kasan_kmalloc+0x93/0xb0
[ 86.500574][ T5328] __kmalloc_cache_noprof+0x230/0x3d0
[ 86.502951][ T5328] __hci_conn_add+0x233/0x1b30
[ 86.505110][ T5328] hci_conn_request_evt+0x53e/0xb60
[ 86.507454][ T5328] hci_event_packet+0x7e0/0x1200
[ 86.509770][ T5328] hci_rx_work+0x46a/0xe80
[ 86.512168][ T5328] process_scheduled_works+0xade/0x17b0
[ 86.514851][ T5328] worker_thread+0x8a0/0xda0
[ 86.516882][ T5328] kthread+0x70e/0x8a0
[ 86.518916][ T5328] ret_from_fork+0x3fc/0x770
[ 86.520965][ T5328] ret_from_fork_asm+0x1a/0x30
[ 86.523115][ T5328]
[ 86.524193][ T5328] Freed by task 5329:
[ 86.525958][ T5328] kasan_save_track+0x3e/0x80
[ 86.528046][ T5328] kasan_save_free_info+0x46/0x50
[ 86.530266][ T5328] __kasan_slab_free+0x62/0x70
[ 86.532567][ T5328] kfree+0x18e/0x440
[ 86.534396][ T5328] device_release+0x99/0x1c0
[ 86.536595][ T5328] kobject_put+0x22b/0x480
[ 86.538330][ T5328] hci_conn_del+0x8ff/0xcb0
[ 86.540583][ T5328] hci_conn_hash_flush+0x191/0x230
[ 86.542977][ T5328] hci_dev_close_sync+0xaef/0x1330
[ 86.545019][ T5328] hci_dev_close+0x108/0x200
[ 86.547342][ T5328] sock_do_ioctl+0xd9/0x300
[ 86.549474][ T5328] sock_ioctl+0x576/0x790
[ 86.551573][ T5328] __se_sys_ioctl+0xf9/0x170
[ 86.553613][ T5328] do_syscall_64+0xfa/0x3b0
[ 86.555552][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.558239][ T5328]
[ 86.559328][ T5328] Last potentially related work creation:
[ 86.561940][ T5328] kasan_save_stack+0x3e/0x60
[ 86.564073][ T5328] kasan_record_aux_stack+0xbd/0xd0
[ 86.566440][ T5328] insert_work+0x3d/0x330
[ 86.568384][ T5328] __queue_work+0xcfc/0xfe0
[ 86.570478][ T5328] queue_delayed_work_on+0x18b/0x280
[ 86.572815][ T5328] l2cap_chan_del+0x285/0x5e0
[ 86.575026][ T5328] l2cap_conn_del+0x388/0x680
[ 86.577306][ T5328] hci_conn_hash_flush+0x10d/0x230
[ 86.579714][ T5328] hci_dev_close_sync+0xaef/0x1330
[ 86.581993][ T5328] hci_dev_close+0x108/0x200
[ 86.584117][ T5328] sock_do_ioctl+0xd9/0x300
[ 86.586179][ T5328] sock_ioctl+0x576/0x790
[ 86.588207][ T5328] __se_sys_ioctl+0xf9/0x170
[ 86.590389][ T5328] do_syscall_64+0xfa/0x3b0
[ 86.592536][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.595316][ T5328]
[ 86.596256][ T5328] The buggy address belongs to the object at ffff888033a34000
[ 86.596256][ T5328] which belongs to the cache kmalloc-8k of size 8192
[ 86.602577][ T5328] The buggy address is located 3152 bytes inside of
[ 86.602577][ T5328] freed 8192-byte region [ffff888033a34000, ffff888033a36000)
[ 86.608478][ T5328]
[ 86.609546][ T5328] The buggy address belongs to the physical page:
[ 86.612316][ T5328] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33a30
[ 86.616167][ T5328] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 86.619920][ T5328] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
[ 86.623161][ T5328] page_type: f5(slab)
[ 86.624844][ T5328] raw: 04fff00000000040 ffff88801a442280 dead000000000122 0000000000000000
[ 86.628578][ T5328] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 86.632345][ T5328] head: 04fff00000000040 ffff88801a442280 dead000000000122 0000000000000000
[ 86.635932][ T5328] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 86.639672][ T5328] head: 04fff00000000003 ffffea0000ce8c01 00000000ffffffff 00000000ffffffff
[ 86.643347][ T5328] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 86.647050][ T5328] page dumped because: kasan: bad access detected
[ 86.649778][ T5328] page_owner tracks the page as allocated
[ 86.652337][ T5328] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5304, tgid 5304 (syz-executor), ts 82348937606, free_ts 80292762976
[ 86.661890][ T5328] post_alloc_hook+0x240/0x2a0
[ 86.664074][ T5328] get_page_from_freelist+0x21e4/0x22c0
[ 86.666561][ T5328] __alloc_frozen_pages_noprof+0x181/0x370
[ 86.669318][ T5328] alloc_pages_mpol+0x232/0x4a0
[ 86.671586][ T5328] allocate_slab+0x8a/0x3b0
[ 86.673723][ T5328] ___slab_alloc+0xbfc/0x1480
[ 86.675828][ T5328] __kmalloc_noprof+0x305/0x4f0
[ 86.678091][ T5328] hci_alloc_dev_priv+0x28/0x2040
[ 86.680388][ T5328] vhci_create_device+0x120/0x6e0
[ 86.682774][ T5328] vhci_write+0x3ce/0x4a0
[ 86.684793][ T5328] vfs_write+0x54b/0xa90
[ 86.686794][ T5328] ksys_write+0x145/0x250
[ 86.688814][ T5328] do_syscall_64+0xfa/0x3b0
[ 86.690892][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.693507][ T5328] page last free pid 5302 tgid 5302 stack trace:
[ 86.696275][ T5328] __free_frozen_pages+0xc71/0xe70
[ 86.698479][ T5328] __slab_free+0x326/0x400
[ 86.700426][ T5328] qlist_free_all+0x97/0x140
[ 86.702447][ T5328] kasan_quarantine_reduce+0x148/0x160
[ 86.704794][ T5328] __kasan_slab_alloc+0x22/0x80
[ 86.706942][ T5328] kmem_cache_alloc_noprof+0x1c1/0x3c0
[ 86.709314][ T5328] getname_flags+0xb8/0x540
[ 86.711295][ T5328] user_path_at+0x24/0x60
[ 86.713167][ T5328] user_statfs+0x94/0x170
[ 86.715024][ T5328] __x64_sys_statfs+0xe0/0x1b0
[ 86.717094][ T5328] do_syscall_64+0xfa/0x3b0
[ 86.719045][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.721610][ T5328]
[ 86.722640][ T5328] Memory state around the buggy address:
[ 86.725015][ T5328] ffff888033a34b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.728415][ T5328] ffff888033a34b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.731804][ T5328] >ffff888033a34c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.735132][ T5328] ^
[ 86.738060][ T5328] ffff888033a34c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.741521][ T5328] ffff888033a34d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 86.744837][ T5328] ==================================================================
[ 86.767324][ T5328] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 86.770614][ T5328] CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full)
[ 86.774877][ T5328] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 86.779315][ T5328] Call Trace:
[ 86.780778][ T5328]
[ 86.782084][ T5328] dump_stack_lvl+0x99/0x250
[ 86.784062][ T5328] ? __asan_memcpy+0x40/0x70
[ 86.786104][ T5328] ? __pfx_dump_stack_lvl+0x10/0x10
[ 86.788381][ T5328] ? __pfx__printk+0x10/0x10
[ 86.790439][ T5328] panic+0x2db/0x790
[ 86.792181][ T5328] ? __pfx_panic+0x10/0x10
[ 86.794103][ T5328] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 86.796777][ T5328] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 86.800009][ T5328] ? print_memory_metadata+0x314/0x400
[ 86.803004][ T5328] ? cfusbl_device_notify+0x150/0x6a0
[ 86.805873][ T5328] check_panic_on_warn+0x89/0xb0
[ 86.808083][ T5328] ? cfusbl_device_notify+0x150/0x6a0
[ 86.810421][ T5328] end_report+0x78/0x160
[ 86.812299][ T5328] kasan_report+0x129/0x150
[ 86.814348][ T5328] ? cfusbl_device_notify+0x150/0x6a0
[ 86.816613][ T5328] cfusbl_device_notify+0x150/0x6a0
[ 86.818942][ T5328] ? net_generic+0x1e/0x240
[ 86.820908][ T5328] ? __pfx_cfusbl_device_notify+0x10/0x10
[ 86.823475][ T5328] ? caif_device_notify+0x250/0xfc0
[ 86.825746][ T5328] ? smc_pnet_netdev_event+0x3b5/0x6c0
[ 86.828088][ T5328] notifier_call_chain+0x1b3/0x3e0
[ 86.830330][ T5328] register_netdevice+0x121c/0x1ae0
[ 86.832721][ T5328] ? __mutex_lock+0x51b/0xe80
[ 86.834826][ T5328] ? __pfx_register_netdevice+0x10/0x10
[ 86.837368][ T5328] ? __asan_memset+0x22/0x50
[ 86.839475][ T5328] ? dev_addr_mod+0x2ce/0x3d0
[ 86.841621][ T5328] register_netdev+0x40/0x60
[ 86.843685][ T5328] bnep_add_connection+0x6bf/0xbf0
[ 86.846014][ T5328] ? __pfx_bnep_add_connection+0x10/0x10
[ 86.848509][ T5328] ? __fget_files+0x3a0/0x420
[ 86.850598][ T5328] do_bnep_sock_ioctl+0x40e/0x640
[ 86.852958][ T5328] ? __pfx_do_bnep_sock_ioctl+0x10/0x10
[ 86.856204][ T5328] ? tomoyo_path_number_perm+0x1bc/0x5a0
[ 86.859331][ T5328] ? tomoyo_path_number_perm+0x4e2/0x5a0
[ 86.862008][ T5328] ? __pfx_tomoyo_path_number_perm+0x10/0x10
[ 86.864528][ T5328] sock_do_ioctl+0xd9/0x300
[ 86.866458][ T5328] ? __pfx_sock_do_ioctl+0x10/0x10
[ 86.868685][ T5328] ? __lock_acquire+0xab9/0xd20
[ 86.870803][ T5328] sock_ioctl+0x576/0x790
[ 86.872690][ T5328] ? __pfx_sock_ioctl+0x10/0x10
[ 86.874742][ T5328] ? __fget_files+0x2a/0x420
[ 86.876653][ T5328] ? __fget_files+0x3a0/0x420
[ 86.878696][ T5328] ? __fget_files+0x2a/0x420
[ 86.880681][ T5328] ? bpf_lsm_file_ioctl+0x9/0x20
[ 86.882824][ T5328] ? __pfx_sock_ioctl+0x10/0x10
[ 86.884839][ T5328] __se_sys_ioctl+0xf9/0x170
[ 86.886869][ T5328] do_syscall_64+0xfa/0x3b0
[ 86.888869][ T5328] ? lockdep_hardirqs_on+0x9c/0x150
[ 86.891189][ T5328] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.893928][ T5328] ? clear_bhb_loop+0x60/0xb0
[ 86.896030][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.898668][ T5328] RIP: 0033:0x7f065e98e929
[ 86.900683][ T5328] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 86.908707][ T5328] RSP: 002b:00007f065adf5038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 86.912105][ T5328] RAX: ffffffffffffffda RBX: 00007f065ebb5fa0 RCX: 00007f065e98e929
[ 86.915453][ T5328] RDX: 00002000000001c0 RSI: 00000000400442c8 RDI: 0000000000000005
[ 86.918854][ T5328] RBP: 00007f065ea10b39 R08: 0000000000000000 R09: 0000000000000000
[ 86.922246][ T5328] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 86.925561][ T5328] R13: 0000000000000000 R14: 00007f065ebb5fa0 R15: 00007ffc8adce2a8
[ 86.929045][ T5328]
[ 86.930730][ T5328] Kernel Offset: disabled
[ 86.932551][ T5328] Rebooting in 86400 seconds..