program:
r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0)
ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000040)={'syzkaller0\x00', 0x2})
r1 = openat$tun(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
close(r1)
socket$nl_generic(0x10, 0x3, 0x10)
ioctl$SIOCSIFHWADDR(r1, 0x8914, &(0x7f0000002280)={'syzkaller0\x00', @multicast})
connect$inet6(0xffffffffffffffff, &(0x7f00000005c0)={0xa, 0x4e22, 0x7f, @dev={0xfe, 0x80, '\x00', 0xe}}, 0x1c)
syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="0200300c000800"], 0x11)
openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
socket$inet_udp(0x2, 0x2, 0x0)
prctl$PR_SET_MM_MAP(0x23, 0xe, &(0x7f0000000080)={&(0x7f0000ff7000/0x1000)=nil, &(0x7f0000ff1000/0xf000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000ffc000/0x3000)=nil, &(0x7f0000ffa000/0x4000)=nil, &(0x7f0000ff8000/0x3000)=nil, &(0x7f0000ff1000/0x3000)=nil, &(0x7f0000ff3000/0x3000)=nil, &(0x7f0000ff6000/0x1000)=nil, &(0x7f0000ffa000/0x1000)=nil, &(0x7f0000ffa000/0x2000)=nil, 0x0}, 0x68)
sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, 0x0}, 0x24004045)
r2 = io_uring_setup(0x1b7b, &(0x7f0000000040)={0x0, 0xc89f, 0xc000, 0x2, 0x20002f7})
r3 = io_uring_setup(0x7, &(0x7f0000000040)={0x0, 0xc8a1, 0xc000, 0x8, 0xc1})
bpf$MAP_CREATE(0x0, &(0x7f0000000000)=@base={0x1d, 0x4, 0x1, 0xbf22, 0x0, 0xffffffffffffffff, 0x2, '\x00', 0x0, 0xffffffffffffffff, 0x200002, 0x1}, 0x50)
io_uring_enter(r3, 0x2219, 0x7721, 0x16, 0x0, 0x0)
fchmodat(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0xfffffffb)
io_uring_enter(r2, 0x2219, 0x7721, 0x16, 0x0, 0x0)
ioctl$FS_IOC_SET_ENCRYPTION_POLICY(0xffffffffffffffff, 0x40086602, 0x0)
syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7)
bpf$BPF_BTF_LOAD(0x12, &(0x7f00000000c0)={&(0x7f0000000200)={{0xeb9f, 0x1, 0x0, 0x18, 0x0, 0x24, 0x24, 0x6, [@array={0x0, 0x0, 0x0, 0x3, 0x0, {0x2, 0x4, 0x5}}, @volatile={0x2, 0x0, 0x0, 0x9, 0x4}]}, {0x0, [0x4121e1e9150296b9, 0x0, 0x5f, 0x2e]}}, &(0x7f00000002c0)=""/101, 0x42, 0x65, 0x1, 0x9}, 0x28)
syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_role_change={{0x12, 0x8}}}, 0xb)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
r4 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000100)={'syzkaller0\x00'})
r5 = socket$inet(0x2, 0x1, 0x0)
syz_emit_ethernet(0x2a, &(0x7f0000000000)={@random="8580f83288e1", @dev={'\xaa\xaa\xaa\xaa\xaa', 0x1c}, @void, {@ipv4={0x800, @igmp={{0x5, 0x4, 0x1, 0x5, 0x1c, 0x67, 0x0, 0x0, 0x2, 0x0, @private=0xa010102, @multicast1}, {0x11, 0x81, 0x0, @empty}}}}}, 0x0)
setsockopt$inet_mreqn(r5, 0x0, 0x27, &(0x7f0000000100)={@multicast2, @local}, 0xc)
syz_emit_ethernet(0x36, &(0x7f0000000440)=ANY=[@ANYBLOB="0180c2000059aaaaaab35cc472bd8c7bd6e81999ae512ca270b8aa000800450000280000040000029078000000f3e000000211009078e00000020000001905000000000003eb20a5877bb204adb064c79d7903327dc20395c672e392444111a5ab88f0cd325ace46bc7f49b2a49afcb46839687c0442a5b5152187b9fa59aaaf59f0b746dae4aab5397dee0869976b9ed425573090aaa0bcee6ced02d34a10f6057edfedbda2b7ed8bbe367e2016b125224e91a9f6706edab7eda2ddbbfae948f84c2184b9bbcfc1f87c8ab187a91ad39e5cf523bbbbab"], 0x0)

[   84.225814][ T5301] Bluetooth: hci0: command tx timeout
[   84.310562][ T5325] syzkaller0: entered promiscuous mode
[   84.314825][ T5325] syzkaller0: entered allmulticast mode
[   86.292596][ T4666] Bluetooth: hci0: command tx timeout
[   86.374585][ T5301] ==================================================================
[   86.378310][ T5301] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2a0
[   86.381781][ T5301] Write of size 4 at addr ffff88803a89c010 by task kworker/u5:2/5301
[   86.385505][ T5301] 
[   86.386743][ T5301] CPU: 0 UID: 0 PID: 5301 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) 
[   86.386761][ T5301] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   86.386771][ T5301] Workqueue: hci0 hci_cmd_sync_work
[   86.386796][ T5301] Call Trace:
[   86.386805][ T5301]  <TASK>
[   86.386811][ T5301]  dump_stack_lvl+0xe8/0x150
[   86.386831][ T5301]  print_report+0xba/0x230
[   86.386846][ T5301]  ? hci_conn_drop+0x34/0x2a0
[   86.386862][ T5301]  kasan_report+0x117/0x150
[   86.386878][ T5301]  ? hci_conn_drop+0x34/0x2a0
[   86.386895][ T5301]  kasan_check_range+0x264/0x2c0
[   86.386910][ T5301]  hci_conn_drop+0x34/0x2a0
[   86.386926][ T5301]  ? __pfx_le_read_features_complete+0x10/0x10
[   86.386939][ T5301]  hci_cmd_sync_work+0x262/0x400
[   86.386954][ T5301]  ? process_scheduled_works+0xa8d/0x18c0
[   86.386970][ T5301]  process_scheduled_works+0xb6e/0x18c0
[   86.386995][ T5301]  ? __pfx_process_scheduled_works+0x10/0x10
[   86.387010][ T5301]  ? assign_work+0x3d5/0x5e0
[   86.387027][ T5301]  worker_thread+0xa53/0xfc0
[   86.387051][ T5301]  kthread+0x388/0x470
[   86.387064][ T5301]  ? __pfx_worker_thread+0x10/0x10
[   86.387081][ T5301]  ? __pfx_kthread+0x10/0x10
[   86.387093][ T5301]  ret_from_fork+0x51e/0xb90
[   86.387111][ T5301]  ? __pfx_ret_from_fork+0x10/0x10
[   86.387125][ T5301]  ? __switch_to+0xc7d/0x1450
[   86.387141][ T5301]  ? __pfx_kthread+0x10/0x10
[   86.387153][ T5301]  ret_from_fork_asm+0x1a/0x30
[   86.387176][ T5301]  </TASK>
[   86.387180][ T5301] 
[   86.455145][ T5301] Allocated by task 5301:
[   86.457335][ T5301]  kasan_save_track+0x3e/0x80
[   86.459207][ T5301]  __kasan_kmalloc+0x93/0xb0
[   86.461260][ T5301]  __kmalloc_cache_noprof+0x31c/0x660
[   86.463818][ T5301]  __hci_conn_add+0x3c4/0x1e00
[   86.465982][ T5301]  le_conn_complete_evt+0x706/0x1430
[   86.468849][ T5301]  hci_le_enh_conn_complete_evt+0x189/0x490
[   86.472150][ T5301]  hci_event_packet+0x7af/0x12c0
[   86.474422][ T5301]  hci_rx_work+0x3ee/0x1030
[   86.476483][ T5301]  process_scheduled_works+0xb6e/0x18c0
[   86.478938][ T5301]  worker_thread+0xa53/0xfc0
[   86.481222][ T5301]  kthread+0x388/0x470
[   86.483447][ T5301]  ret_from_fork+0x51e/0xb90
[   86.485787][ T5301]  ret_from_fork_asm+0x1a/0x30
[   86.488260][ T5301] 
[   86.489369][ T5301] Freed by task 4666:
[   86.491180][ T5301]  kasan_save_track+0x3e/0x80
[   86.493422][ T5301]  kasan_save_free_info+0x46/0x50
[   86.496311][ T5301]  __kasan_slab_free+0x5c/0x80
[   86.499262][ T5301]  kfree+0x1c1/0x630
[   86.501609][ T5301]  device_release+0xc4/0x1f0
[   86.504415][ T5301]  kobject_put+0x228/0x560
[   86.507238][ T5301]  hci_conn_del+0xc36/0x1230
[   86.510055][ T5301]  hci_disconn_complete_evt+0x64e/0x950
[   86.513396][ T5301]  hci_event_packet+0x805/0x12c0
[   86.516328][ T5301]  hci_rx_work+0x3ee/0x1030
[   86.519232][ T5301]  process_scheduled_works+0xb6e/0x18c0
[   86.522959][ T5301]  worker_thread+0xa53/0xfc0
[   86.525359][ T5301]  kthread+0x388/0x470
[   86.527235][ T5301]  ret_from_fork+0x51e/0xb90
[   86.529252][ T5301]  ret_from_fork_asm+0x1a/0x30
[   86.531184][ T5301] 
[   86.532402][ T5301] The buggy address belongs to the object at ffff88803a89c000
[   86.532402][ T5301]  which belongs to the cache kmalloc-8k of size 8192
[   86.539678][ T5301] The buggy address is located 16 bytes inside of
[   86.539678][ T5301]  freed 8192-byte region [ffff88803a89c000, ffff88803a89e000)
[   86.545895][ T5301] 
[   86.547085][ T5301] The buggy address belongs to the physical page:
[   86.550550][ T5301] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3a898
[   86.555268][ T5301] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   86.558896][ T5301] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
[   86.562328][ T5301] page_type: f5(slab)
[   86.564025][ T5301] raw: 04fff00000000040 ffff88801ac42280 dead000000000100 dead000000000122
[   86.567824][ T5301] raw: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000
[   86.572782][ T5301] head: 04fff00000000040 ffff88801ac42280 dead000000000100 dead000000000122
[   86.577514][ T5301] head: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000
[   86.582179][ T5301] head: 04fff00000000003 ffffea0000ea2601 00000000ffffffff 00000000ffffffff
[   86.586854][ T5301] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[   86.590620][ T5301] page dumped because: kasan: bad access detected
[   86.593470][ T5301] page_owner tracks the page as allocated
[   86.596070][ T5301] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5088, tgid 5088 (S50crond), ts 51275572535, free_ts 51272297935
[   86.605777][ T5301]  post_alloc_hook+0x231/0x280
[   86.607948][ T5301]  get_page_from_freelist+0x24dc/0x2580
[   86.610340][ T5301]  __alloc_frozen_pages_noprof+0x18d/0x380
[   86.613440][ T5301]  allocate_slab+0x77/0x660
[   86.616053][ T5301]  refill_objects+0x331/0x3c0
[   86.618258][ T5301]  __pcs_replace_empty_main+0x2e6/0x730
[   86.620761][ T5301]  __kmalloc_cache_noprof+0x392/0x660
[   86.623460][ T5301]  tomoyo_init_log+0x112e/0x1fb0
[   86.626222][ T5301]  tomoyo_supervisor+0x353/0x1570
[   86.629065][ T5301]  tomoyo_env_perm+0x151/0x1f0
[   86.631480][ T5301]  tomoyo_find_next_domain+0x15cb/0x1aa0
[   86.633976][ T5301]  tomoyo_bprm_check_security+0x11b/0x180
[   86.636393][ T5301]  security_bprm_check+0x85/0x240
[   86.638631][ T5301]  bprm_execve+0x896/0x1460
[   86.640919][ T5301]  do_execveat_common+0x50d/0x690
[   86.643729][ T5301]  __x64_sys_execve+0x97/0xc0
[   86.645948][ T5301] page last free pid 4714 tgid 4714 stack trace:
[   86.648642][ T5301]  __free_frozen_pages+0xc2b/0xdb0
[   86.650769][ T5301]  __slab_free+0x263/0x2b0
[   86.652912][ T5301]  qlist_free_all+0x97/0x100
[   86.655530][ T5301]  kasan_quarantine_reduce+0x148/0x160
[   86.658395][ T5301]  __kasan_slab_alloc+0x22/0x80
[   86.660642][ T5301]  kmem_cache_alloc_noprof+0x2bc/0x650
[   86.663145][ T5301]  do_getname+0x2e/0x250
[   86.665165][ T5301]  do_sys_openat2+0xca/0x200
[   86.667341][ T5301]  __x64_sys_openat+0x138/0x170
[   86.670009][ T5301]  do_syscall_64+0x14d/0xf80
[   86.672482][ T5301]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.675144][ T5301] 
[   86.676271][ T5301] Memory state around the buggy address:
[   86.678808][ T5301]  ffff88803a89bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   86.682346][ T5301]  ffff88803a89bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   86.685460][ T5301] >ffff88803a89c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   86.689112][ T5301]                          ^
[   86.691298][ T5301]  ffff88803a89c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   86.694634][ T5301]  ffff88803a89c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   86.697643][ T5301] ==================================================================
[   86.706104][ T5301] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   86.709410][ T5301] CPU: 0 UID: 0 PID: 5301 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) 
[   86.713623][ T5301] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   86.718290][ T5301] Workqueue: hci0 hci_cmd_sync_work
[   86.721208][ T5301] Call Trace:
[   86.722817][ T5301]  <TASK>
[   86.724118][ T5301]  vpanic+0x56c/0xa60
[   86.725815][ T5301]  ? __pfx_vpanic+0x10/0x10
[   86.728047][ T5301]  panic+0xc5/0xd0
[   86.730314][ T5301]  ? __pfx_panic+0x10/0x10
[   86.733059][ T5301]  ? preempt_schedule_thunk+0x16/0x30
[   86.735745][ T5301]  ? preempt_schedule_thunk+0x16/0x30
[   86.738100][ T5301]  ? hci_conn_drop+0x34/0x2a0
[   86.740120][ T5301]  check_panic_on_warn+0x89/0xb0
[   86.742261][ T5301]  ? hci_conn_drop+0x34/0x2a0
[   86.744428][ T5301]  end_report+0x73/0x180
[   86.746714][ T5301]  ? hci_conn_drop+0x34/0x2a0
[   86.749247][ T5301]  kasan_report+0x128/0x150
[   86.751579][ T5301]  ? hci_conn_drop+0x34/0x2a0
[   86.753808][ T5301]  kasan_check_range+0x264/0x2c0
[   86.755966][ T5301]  hci_conn_drop+0x34/0x2a0
[   86.757835][ T5301]  ? __pfx_le_read_features_complete+0x10/0x10
[   86.760482][ T5301]  hci_cmd_sync_work+0x262/0x400
[   86.762590][ T5301]  ? process_scheduled_works+0xa8d/0x18c0
[   86.764973][ T5301]  process_scheduled_works+0xb6e/0x18c0
[   86.767961][ T5301]  ? __pfx_process_scheduled_works+0x10/0x10
[   86.771528][ T5301]  ? assign_work+0x3d5/0x5e0
[   86.774016][ T5301]  worker_thread+0xa53/0xfc0
[   86.776195][ T5301]  kthread+0x388/0x470
[   86.777946][ T5301]  ? __pfx_worker_thread+0x10/0x10
[   86.780156][ T5301]  ? __pfx_kthread+0x10/0x10
[   86.782341][ T5301]  ret_from_fork+0x51e/0xb90
[   86.784535][ T5301]  ? __pfx_ret_from_fork+0x10/0x10
[   86.787511][ T5301]  ? __switch_to+0xc7d/0x1450
[   86.790474][ T5301]  ? __pfx_kthread+0x10/0x10
[   86.793031][ T5301]  ret_from_fork_asm+0x1a/0x30
[   86.795470][ T5301]  </TASK>
[   86.797330][ T5301] Kernel Offset: disabled
[   86.799323][ T5301] Rebooting in 86400 seconds..