program:
r0 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$EVIOCGPROP(r0, 0x40047438, &(0x7f0000000180)=""/246) (async)
r1 = dup(r0)
ioctl$PPPIOCCONNECT(r1, 0x40047435, &(0x7f00000002c0)=0x2) (async)
r2 = syz_genetlink_get_family_id$tipc(&(0x7f0000000140), 0xffffffffffffffff)
sendmsg$TIPC_CMD_GET_MAX_PORTS(r1, &(0x7f0000000380)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x200}, 0xc, &(0x7f0000000340)={&(0x7f0000000180)={0x1c, r2, 0x400, 0x70bd29, 0x25dfdbfb, {}, ["", "", "", ""]}, 0x1c}, 0x1, 0x0, 0x0, 0xf9a36949c43de024}, 0x8010) (async)
mkdir(&(0x7f0000000300)='./bus\x00', 0x0)
syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) (async)
r3 = socket$inet6_mptcp(0xa, 0x1, 0x106)
setsockopt$sock_int(r3, 0x1, 0xb, 0x0, 0x0)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="0200300c000800"], 0x11) (async)
ioctl$FS_IOC_SET_ENCRYPTION_POLICY(0xffffffffffffffff, 0x40086602, 0x0) (async)
syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7)
syz_emit_vhci(&(0x7f0000000100)=ANY=[@ANYBLOB="0412080000603d13f40000"], 0xb) (async)
r4 = syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000700)=ANY=[@ANYBLOB="12010000000000408c0d220000000000000109022400010000000009040000010300000009210000000122050009058103"], 0x0)
syz_usb_control_io$hid(r4, 0x0, 0x0) (async)
syz_usb_control_io(r4, &(0x7f0000000740)={0x2c, &(0x7f0000000980)=ANY=[@ANYBLOB="00000001"], 0x0, 0x0, 0x0, 0x0}, 0x0) (async)
r5 = syz_open_dev$usbfs(&(0x7f0000000080), 0xf, 0x8041)
ioctl$USBDEVFS_DISCONNECT_CLAIM(r5, 0x8108551b, &(0x7f00000001c0)={0x0, 0x2, "4cf90fba85c830e42a3ca4b10f01bbcb15f3806c4853e7c44a6974759d9f643905a56baa4195fb396d9bfa306999f1586e5d1ca49add100a36b751a7d9fe0b182ebf2c8a0e66f72c1c08260030752f07cd4089473e52885a3c85bacf3ccfac5bb9435fe036dcfccd7254bbd8bce90e2284d29e1f17d6652270fd0abcb8729f16ff602b438bd122a9e09984e2799d0dbfef7533d1a930ea4f4b57605ace45f5815450693650ae122d34aa0c5ca5e793516d156e5a5b34d6c17c40d753426a3d8e15e726d0f2622e873e0cbe63751bb62c68594d4cb0a21b92ad2e80f24a9b290a87ee6779022a0b7f5223e4e8c9f53f501ec8c439724078fdc076a51d50760566"}) (async, rerun: 32)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) (async, rerun: 32)
mount(&(0x7f0000000000)=@nullb, &(0x7f0000000040)='./bus\x00', &(0x7f0000000080)='squashfs\x00', 0x18642, 0x0)
[ 139.452763][ T5308] Bluetooth: hci0: command tx timeout
[ 139.701089][ T1104] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 139.854466][ T1104] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x81 has an invalid bInterval 0, changing to 7
[ 139.858869][ T1104] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0
[ 139.863305][ T1104] usb 5-1: New USB device found, idVendor=0d8c, idProduct=0022, bcdDevice= 0.00
[ 139.867215][ T1104] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[ 139.878073][ T1104] usb 5-1: config 0 descriptor??
[ 141.451746][ T4664] ==================================================================
[ 141.455141][ T4664] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2a0
[ 141.458506][ T4664] Write of size 4 at addr ffff888012164010 by task kworker/u5:1/4664
[ 141.461820][ T4664]
[ 141.462883][ T4664] CPU: 0 UID: 0 PID: 4664 Comm: kworker/u5:1 Not tainted syzkaller #0 PREEMPT(full)
[ 141.462896][ T4664] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 141.462904][ T4664] Workqueue: hci0 hci_cmd_sync_work
[ 141.462917][ T4664] Call Trace:
[ 141.462921][ T4664]
[ 141.462925][ T4664] dump_stack_lvl+0xe8/0x150
[ 141.462936][ T4664] print_report+0xba/0x230
[ 141.462946][ T4664] ? hci_conn_drop+0x34/0x2a0
[ 141.462953][ T4664] kasan_report+0x117/0x150
[ 141.462964][ T4664] ? hci_conn_drop+0x34/0x2a0
[ 141.462972][ T4664] kasan_check_range+0x264/0x2c0
[ 141.462981][ T4664] hci_conn_drop+0x34/0x2a0
[ 141.462988][ T4664] ? __pfx_le_read_features_complete+0x10/0x10
[ 141.462998][ T4664] hci_cmd_sync_work+0x262/0x400
[ 141.463005][ T4664] ? process_scheduled_works+0xa25/0x1830
[ 141.463013][ T4664] process_scheduled_works+0xb02/0x1830
[ 141.463024][ T4664] ? __pfx_process_scheduled_works+0x10/0x10
[ 141.463033][ T4664] ? assign_work+0x3d5/0x5e0
[ 141.463040][ T4664] worker_thread+0xa50/0xfc0
[ 141.463052][ T4664] kthread+0x388/0x470
[ 141.463058][ T4664] ? __pfx_worker_thread+0x10/0x10
[ 141.463066][ T4664] ? __pfx_kthread+0x10/0x10
[ 141.463071][ T4664] ret_from_fork+0x51e/0xb90
[ 141.463080][ T4664] ? __pfx_ret_from_fork+0x10/0x10
[ 141.463088][ T4664] ? __switch_to+0xc7d/0x1450
[ 141.463095][ T4664] ? __pfx_kthread+0x10/0x10
[ 141.463101][ T4664] ret_from_fork_asm+0x1a/0x30
[ 141.463112][ T4664]
[ 141.463114][ T4664]
[ 141.524174][ T4664] Allocated by task 4664:
[ 141.526086][ T4664] kasan_save_track+0x3e/0x80
[ 141.528217][ T4664] __kasan_kmalloc+0x93/0xb0
[ 141.530265][ T4664] __kmalloc_cache_noprof+0x31c/0x660
[ 141.532599][ T4664] __hci_conn_add+0x3c4/0x1e00
[ 141.534595][ T4664] le_conn_complete_evt+0x706/0x1430
[ 141.536832][ T4664] hci_le_enh_conn_complete_evt+0x189/0x490
[ 141.539626][ T4664] hci_event_packet+0x7af/0x12c0
[ 141.541645][ T4664] hci_rx_work+0x3ee/0x1030
[ 141.543467][ T4664] process_scheduled_works+0xb02/0x1830
[ 141.545790][ T4664] worker_thread+0xa50/0xfc0
[ 141.547890][ T4664] kthread+0x388/0x470
[ 141.549717][ T4664] ret_from_fork+0x51e/0xb90
[ 141.551890][ T4664] ret_from_fork_asm+0x1a/0x30
[ 141.554646][ T4664]
[ 141.555926][ T4664] Freed by task 5308:
[ 141.557636][ T4664] kasan_save_track+0x3e/0x80
[ 141.559261][ T4664] kasan_save_free_info+0x46/0x50
[ 141.561230][ T4664] __kasan_slab_free+0x5c/0x80
[ 141.563144][ T4664] kfree+0x1c1/0x630
[ 141.564725][ T4664] device_release+0x9e/0x1d0
[ 141.566766][ T4664] kobject_put+0x228/0x560
[ 141.568701][ T4664] hci_conn_del+0xc36/0x1230
[ 141.570713][ T4664] hci_disconn_complete_evt+0x64e/0x950
[ 141.573119][ T4664] hci_event_packet+0x805/0x12c0
[ 141.575304][ T4664] hci_rx_work+0x3ee/0x1030
[ 141.577425][ T4664] process_scheduled_works+0xb02/0x1830
[ 141.579709][ T4664] worker_thread+0xa50/0xfc0
[ 141.581686][ T4664] kthread+0x388/0x470
[ 141.583369][ T4664] ret_from_fork+0x51e/0xb90
[ 141.585295][ T4664] ret_from_fork_asm+0x1a/0x30
[ 141.587364][ T4664]
[ 141.588470][ T4664] The buggy address belongs to the object at ffff888012164000
[ 141.588470][ T4664] which belongs to the cache kmalloc-8k of size 8192
[ 141.594233][ T4664] The buggy address is located 16 bytes inside of
[ 141.594233][ T4664] freed 8192-byte region [ffff888012164000, ffff888012166000)
[ 141.599699][ T4664]
[ 141.600742][ T4664] The buggy address belongs to the physical page:
[ 141.603319][ T4664] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12160
[ 141.607079][ T4664] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 141.610537][ T4664] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 141.613532][ T4664] page_type: f5(slab)
[ 141.615324][ T4664] raw: 00fff00000000040 ffff88801a842280 dead000000000100 dead000000000122
[ 141.619022][ T4664] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 141.622722][ T4664] head: 00fff00000000040 ffff88801a842280 dead000000000100 dead000000000122
[ 141.626357][ T4664] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 141.629987][ T4664] head: 00fff00000000003 ffffea0000485801 00000000ffffffff 00000000ffffffff
[ 141.633701][ T4664] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 141.637668][ T4664] page dumped because: kasan: bad access detected
[ 141.640451][ T4664] page_owner tracks the page as allocated
[ 141.642874][ T4664] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5000, tgid 5000 (S40network), ts 99191829509, free_ts 70791259008
[ 141.651704][ T4664] post_alloc_hook+0x231/0x280
[ 141.653897][ T4664] get_page_from_freelist+0x24dc/0x2580
[ 141.656076][ T4664] __alloc_frozen_pages_noprof+0x18d/0x380
[ 141.658524][ T4664] allocate_slab+0x77/0x660
[ 141.660541][ T4664] refill_objects+0x331/0x3c0
[ 141.662502][ T4664] __pcs_replace_empty_main+0x2b9/0x620
[ 141.664997][ T4664] __kmalloc_cache_noprof+0x392/0x660
[ 141.667453][ T4664] tomoyo_init_log+0x112e/0x1fb0
[ 141.669569][ T4664] tomoyo_supervisor+0x353/0x1570
[ 141.671683][ T4664] tomoyo_env_perm+0x151/0x1f0
[ 141.673523][ T4664] tomoyo_find_next_domain+0x15cb/0x1aa0
[ 141.675874][ T4664] tomoyo_bprm_check_security+0x11b/0x180
[ 141.678404][ T4664] security_bprm_check+0x85/0x240
[ 141.680439][ T4664] bprm_execve+0x896/0x1460
[ 141.682282][ T4664] do_execveat_common+0x50d/0x690
[ 141.684334][ T4664] __x64_sys_execve+0x97/0xc0
[ 141.686303][ T4664] page last free pid 4725 tgid 4725 stack trace:
[ 141.688980][ T4664] __free_frozen_pages+0xc00/0xd90
[ 141.691109][ T4664] __slab_free+0x263/0x2b0
[ 141.693093][ T4664] qlist_free_all+0x97/0x100
[ 141.695069][ T4664] kasan_quarantine_reduce+0x148/0x160
[ 141.697427][ T4664] __kasan_slab_alloc+0x22/0x80
[ 141.699380][ T4664] kmem_cache_alloc_noprof+0x2bc/0x650
[ 141.701453][ T4664] do_getname+0x2e/0x250
[ 141.703081][ T4664] do_sys_openat2+0xca/0x200
[ 141.704790][ T4664] __x64_sys_openat+0x138/0x170
[ 141.706752][ T4664] do_syscall_64+0x14d/0xf80
[ 141.708834][ T4664] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 141.711173][ T4664]
[ 141.712262][ T4664] Memory state around the buggy address:
[ 141.714670][ T4664] ffff888012163f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 141.718199][ T4664] ffff888012163f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 141.721566][ T4664] >ffff888012164000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 141.725008][ T4664] ^
[ 141.726878][ T4664] ffff888012164080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 141.730205][ T4664] ffff888012164100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 141.733573][ T4664] ==================================================================
[ 141.741041][ T5308] Bluetooth: hci0: command 0x040f tx timeout
[ 141.751463][ T4664] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 141.754628][ T4664] CPU: 0 UID: 0 PID: 4664 Comm: kworker/u5:1 Not tainted syzkaller #0 PREEMPT(full)
[ 141.758674][ T4664] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 141.762970][ T4664] Workqueue: hci0 hci_cmd_sync_work
[ 141.765262][ T4664] Call Trace:
[ 141.766737][ T4664]
[ 141.768003][ T4664] vpanic+0x56c/0xa60
[ 141.769759][ T4664] ? __pfx_vpanic+0x10/0x10
[ 141.771645][ T4664] panic+0xc5/0xd0
[ 141.773162][ T4664] ? __pfx_panic+0x10/0x10
[ 141.775163][ T4664] ? preempt_schedule_thunk+0x16/0x30
[ 141.777564][ T4664] ? preempt_schedule_thunk+0x16/0x30
[ 141.779717][ T4664] ? hci_conn_drop+0x34/0x2a0
[ 141.781610][ T4664] check_panic_on_warn+0x89/0xb0
[ 141.783547][ T4664] ? hci_conn_drop+0x34/0x2a0
[ 141.785414][ T4664] end_report+0x73/0x180
[ 141.787159][ T4664] ? hci_conn_drop+0x34/0x2a0
[ 141.789044][ T4664] kasan_report+0x128/0x150
[ 141.790815][ T4664] ? hci_conn_drop+0x34/0x2a0
[ 141.792884][ T4664] kasan_check_range+0x264/0x2c0
[ 141.795116][ T4664] hci_conn_drop+0x34/0x2a0
[ 141.797266][ T4664] ? __pfx_le_read_features_complete+0x10/0x10
[ 141.799868][ T4664] hci_cmd_sync_work+0x262/0x400
[ 141.801930][ T4664] ? process_scheduled_works+0xa25/0x1830
[ 141.804413][ T4664] process_scheduled_works+0xb02/0x1830
[ 141.806777][ T4664] ? __pfx_process_scheduled_works+0x10/0x10
[ 141.809319][ T4664] ? assign_work+0x3d5/0x5e0
[ 141.811337][ T4664] worker_thread+0xa50/0xfc0
[ 141.813346][ T4664] kthread+0x388/0x470
[ 141.815014][ T4664] ? __pfx_worker_thread+0x10/0x10
[ 141.817377][ T4664] ? __pfx_kthread+0x10/0x10
[ 141.819405][ T4664] ret_from_fork+0x51e/0xb90
[ 141.821356][ T4664] ? __pfx_ret_from_fork+0x10/0x10
[ 141.823655][ T4664] ? __switch_to+0xc7d/0x1450
[ 141.825789][ T4664] ? __pfx_kthread+0x10/0x10
[ 141.827870][ T4664] ret_from_fork_asm+0x1a/0x30
[ 141.830027][ T4664]
[ 141.831747][ T4664] Kernel Offset: disabled
[ 141.833628][ T4664] Rebooting in 86400 seconds..