program:
syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="0200300c000800"], 0x11) (async)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="0200300c000800"], 0x11)
syz_emit_vhci(&(0x7f0000000500)=@HCI_ACLDATA_PKT={0x2, {0x1, 0x2, 0x3, 0x1a}, @l2cap_cid_le_signaling={{0x16}, @l2cap_ecred_conn_rsp={{0x18, 0xc, 0x12}, {0x66d, 0x4, 0xe89f, 0xfffa, [0x7, 0x2, 0xde, 0x2, 0x0]}}}}, 0x1f)
ioctl$FS_IOC_SET_ENCRYPTION_POLICY(0xffffffffffffffff, 0x40086602, 0x0)
syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7)
syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_role_change={{0x12, 0x8}}}, 0xb)
syz_usb_connect$hid(0x1, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="120100025b0000000e0bffff400001020301090224000101092005090400400203010201092108000801221908090581031000020605"], &(0x7f00000004c0)={0xa, &(0x7f00000000c0)={0xa, 0x6, 0x200, 0x5, 0x8, 0x2, 0x8, 0x4}, 0x201, &(0x7f0000000140)={0x5, 0xf, 0x201, 0x5, [@ssp_cap={0x1c, 0x10, 0xa, 0x0, 0x4, 0x7fffff8, 0xf00, 0x9, [0x30, 0x60f0, 0x0, 0xc0]}, @generic={0x9a, 0x10, 0x3, "6beeb2e1f0f1730ecde67afc948522e845613b3c8ffdbf58ca2eb19709c00e5c102eeb03f30c4e25e806841c3b09f13e9336363dec7ce6657ef85d157858b57f6c51c1fc266eb18b3628f72b5e60ad07147d18cd66c57f4e11fd70a30dd560d037fafa3d4bebf7794fb3b4d7c41f2e41bede0116f6b4d9e369bbf09973b4e35a0627aa560b0313acbbbc3094aa09753c643843d5693add"}, @wireless={0xb, 0x10, 0x1, 0xc, 0x1, 0x0, 0x99, 0x1, 0x26}, @generic={0x9a, 0x10, 0x1, "250f73b0da0487b05656f240846b9376a1f6623f8d6d75b858eda3678ff11c90eb9d2784fddfdbfc769f7dca6cab52a2693a007994ccb888d4d028e963463c0fb3e3f2cdd0228d822ae2f9f388597cbc7089004aeb88529164833f29969cb427cfaf740955a49147ce24773487cad2d48d3862b26580d8e7bf041704b4e781f6385a2ef01a4dec12dd345a877d36e0b790b4424c980618"}, @generic={0xa1, 0x10, 0x2, "9410e7ef3fdc6e38f2b9479ffe9fd84d67426eeee4780588225359a59b9570e2a9b4541cd88a3072ccdaddb60df613ddc4722376c067a93ae5cc4ceaf0c9a7c93d5099157e0b3f603a0bb58afc85eb11c9459f1b82ed416fbb003a89b8acc1ad193ab07cd8d6d3f492f075c7037fa241d82e82d0020709153ff0170cabfdd283511a073c2dcfd1544a9c6d53806b1e7882c03a854ae1dfd9a801b02c3100"}]}, 0x3, [{0x4, &(0x7f0000000380)=@lang_id={0x4, 0x3, 0x457}}, {0xa6, &(0x7f00000003c0)=@string={0xa6, 0x3, "18dee9b3cfce0ecd2b9da83c625c92916062a5063313516d65297597c00b5e73862fc44a89e54ac0812104b4ff12a1913cfc7ac399b44c8082c313b024dcf6ca2b23cc7b0bbbffadc62b25f62d5f89f4de25bc00e924939880a6b65a65ec928465c4e57eeb5338d0a0e5ae97a69de98ac207ae5aaf06396a367a3d0a600c0c3e8f6296d929a619e6a0d1033e0928d0e152356b8c62659fc09992274b9ed232102aac97f8"}}, {0x4, &(0x7f0000000480)=@lang_id={0x4, 0x3, 0x80c}}]})
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) (async)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)

[   84.144002][   T45] Bluetooth: hci0: command tx timeout
[   84.190132][ T4669] Bluetooth: hci0: ACL packet for unknown connection handle 1
[   84.436073][    T9] usb 5-1: new low-speed USB device number 2 using dummy_hcd
[   84.565940][    T9] usb 5-1: device descriptor read/64, error -71
[   84.805883][    T9] usb 5-1: new low-speed USB device number 3 using dummy_hcd
[   84.935896][    T9] usb 5-1: device descriptor read/64, error -71
[   85.046249][    T9] usb usb5-port1: attempt power cycle
[   85.385893][    T9] usb 5-1: new low-speed USB device number 4 using dummy_hcd
[   85.406583][    T9] usb 5-1: device descriptor read/8, error -71
[   85.645946][    T9] usb 5-1: new low-speed USB device number 5 using dummy_hcd
[   85.666481][    T9] usb 5-1: device descriptor read/8, error -71
[   85.776099][    T9] usb usb5-port1: unable to enumerate USB device
[   86.186729][ T4669] Bluetooth: hci0: command tx timeout
[   86.189461][   T45] ==================================================================
[   86.193006][   T45] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2a0
[   86.196639][   T45] Write of size 4 at addr ffff88801f618010 by task kworker/u5:0/45
[   86.200221][   T45] 
[   86.201302][   T45] CPU: 0 UID: 0 PID: 45 Comm: kworker/u5:0 Not tainted syzkaller #0 PREEMPT(full) 
[   86.201317][   T45] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   86.201325][   T45] Workqueue: hci0 hci_cmd_sync_work
[   86.201342][   T45] Call Trace:
[   86.201350][   T45]  <TASK>
[   86.201356][   T45]  dump_stack_lvl+0xe8/0x150
[   86.201373][   T45]  print_report+0xba/0x230
[   86.201386][   T45]  ? hci_conn_drop+0x34/0x2a0
[   86.201398][   T45]  kasan_report+0x117/0x150
[   86.201410][   T45]  ? hci_conn_drop+0x34/0x2a0
[   86.201422][   T45]  kasan_check_range+0x264/0x2c0
[   86.201433][   T45]  hci_conn_drop+0x34/0x2a0
[   86.201445][   T45]  ? __pfx_le_read_features_complete+0x10/0x10
[   86.201456][   T45]  hci_cmd_sync_work+0x262/0x400
[   86.201467][   T45]  ? process_scheduled_works+0xa8d/0x18c0
[   86.201481][   T45]  process_scheduled_works+0xb6e/0x18c0
[   86.201498][   T45]  ? __pfx_process_scheduled_works+0x10/0x10
[   86.201510][   T45]  ? assign_work+0x3d5/0x5e0
[   86.201523][   T45]  worker_thread+0xa53/0xfc0
[   86.201542][   T45]  kthread+0x388/0x470
[   86.201552][   T45]  ? __pfx_worker_thread+0x10/0x10
[   86.201564][   T45]  ? __pfx_kthread+0x10/0x10
[   86.201574][   T45]  ret_from_fork+0x51e/0xb90
[   86.201588][   T45]  ? __pfx_ret_from_fork+0x10/0x10
[   86.201600][   T45]  ? __switch_to+0xc7d/0x1450
[   86.201613][   T45]  ? __pfx_kthread+0x10/0x10
[   86.201622][   T45]  ret_from_fork_asm+0x1a/0x30
[   86.201635][   T45]  </TASK>
[   86.201638][   T45] 
[   86.273942][   T45] Allocated by task 45:
[   86.275845][   T45]  kasan_save_track+0x3e/0x80
[   86.277979][   T45]  __kasan_kmalloc+0x93/0xb0
[   86.280024][   T45]  __kmalloc_cache_noprof+0x31c/0x660
[   86.282819][   T45]  __hci_conn_add+0x3c4/0x1e00
[   86.285842][   T45]  le_conn_complete_evt+0x706/0x1430
[   86.288714][   T45]  hci_le_enh_conn_complete_evt+0x189/0x490
[   86.292021][   T45]  hci_event_packet+0x7af/0x12c0
[   86.294604][   T45]  hci_rx_work+0x3ee/0x1030
[   86.296697][   T45]  process_scheduled_works+0xb6e/0x18c0
[   86.299173][   T45]  worker_thread+0xa53/0xfc0
[   86.301052][   T45]  kthread+0x388/0x470
[   86.302908][   T45]  ret_from_fork+0x51e/0xb90
[   86.305269][   T45]  ret_from_fork_asm+0x1a/0x30
[   86.308453][   T45] 
[   86.309863][   T45] Freed by task 4669:
[   86.311723][   T45]  kasan_save_track+0x3e/0x80
[   86.313708][   T45]  kasan_save_free_info+0x46/0x50
[   86.315924][   T45]  __kasan_slab_free+0x5c/0x80
[   86.317910][   T45]  kfree+0x1c1/0x630
[   86.319665][   T45]  device_release+0xc4/0x1f0
[   86.321769][   T45]  kobject_put+0x228/0x560
[   86.324182][   T45]  hci_conn_del+0xc36/0x1230
[   86.327171][   T45]  hci_disconn_complete_evt+0x64e/0x950
[   86.329837][   T45]  hci_event_packet+0x805/0x12c0
[   86.331920][   T45]  hci_rx_work+0x3ee/0x1030
[   86.333946][   T45]  process_scheduled_works+0xb6e/0x18c0
[   86.336322][   T45]  worker_thread+0xa53/0xfc0
[   86.338291][   T45]  kthread+0x388/0x470
[   86.340360][   T45]  ret_from_fork+0x51e/0xb90
[   86.342496][   T45]  ret_from_fork_asm+0x1a/0x30
[   86.344998][   T45] 
[   86.346213][   T45] The buggy address belongs to the object at ffff88801f618000
[   86.346213][   T45]  which belongs to the cache kmalloc-8k of size 8192
[   86.352129][   T45] The buggy address is located 16 bytes inside of
[   86.352129][   T45]  freed 8192-byte region [ffff88801f618000, ffff88801f61a000)
[   86.357893][   T45] 
[   86.359136][   T45] The buggy address belongs to the physical page:
[   86.362514][   T45] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f618
[   86.366836][   T45] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   86.370296][   T45] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[   86.373649][   T45] page_type: f5(slab)
[   86.375495][   T45] raw: 00fff00000000040 ffff88801ac42280 dead000000000100 dead000000000122
[   86.379411][   T45] raw: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000
[   86.383169][   T45] head: 00fff00000000040 ffff88801ac42280 dead000000000100 dead000000000122
[   86.387155][   T45] head: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000
[   86.391330][   T45] head: 00fff00000000003 ffffea00007d8601 00000000ffffffff 00000000ffffffff
[   86.395562][   T45] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[   86.399001][   T45] page dumped because: kasan: bad access detected
[   86.401616][   T45] page_owner tracks the page as allocated
[   86.404175][   T45] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5099, tgid 5099 (init), ts 56351653614, free_ts 54959284691
[   86.413791][   T45]  post_alloc_hook+0x231/0x280
[   86.415840][   T45]  get_page_from_freelist+0x24dc/0x2580
[   86.417793][   T45]  __alloc_frozen_pages_noprof+0x18d/0x380
[   86.420303][   T45]  allocate_slab+0x77/0x660
[   86.422239][   T45]  refill_objects+0x331/0x3c0
[   86.424677][   T45]  __pcs_replace_empty_main+0x2e6/0x730
[   86.428180][   T45]  __kmalloc_cache_noprof+0x392/0x660
[   86.431275][   T45]  tomoyo_init_log+0x112e/0x1fb0
[   86.434057][   T45]  tomoyo_supervisor+0x353/0x1570
[   86.436373][   T45]  tomoyo_env_perm+0x151/0x1f0
[   86.438581][   T45]  tomoyo_find_next_domain+0x15cb/0x1aa0
[   86.441156][   T45]  tomoyo_bprm_check_security+0x11b/0x180
[   86.443705][   T45]  security_bprm_check+0x85/0x240
[   86.446220][   T45]  bprm_execve+0x896/0x1460
[   86.448571][   T45]  do_execveat_common+0x50d/0x690
[   86.451066][   T45]  __x64_sys_execve+0x97/0xc0
[   86.453182][   T45] page last free pid 5033 tgid 5033 stack trace:
[   86.455909][   T45]  __free_frozen_pages+0xc2b/0xdb0
[   86.458194][   T45]  __slab_free+0x263/0x2b0
[   86.460307][   T45]  qlist_free_all+0x97/0x100
[   86.462863][   T45]  kasan_quarantine_reduce+0x148/0x160
[   86.467180][   T45]  __kasan_slab_alloc+0x22/0x80
[   86.470320][   T45]  __kmalloc_noprof+0x316/0x760
[   86.472468][   T45]  tomoyo_realpath_from_path+0xe3/0x5d0
[   86.474966][   T45]  tomoyo_path_perm+0x283/0x560
[   86.477062][   T45]  security_inode_getattr+0x12b/0x310
[   86.479509][   T45]  __x64_sys_newfstat+0x13b/0x270
[   86.481841][   T45]  do_syscall_64+0x14d/0xf80
[   86.484168][   T45]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.487604][   T45] 
[   86.489100][   T45] Memory state around the buggy address:
[   86.492216][   T45]  ffff88801f617f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   86.496143][   T45]  ffff88801f617f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   86.499380][   T45] >ffff88801f618000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   86.502595][   T45]                          ^
[   86.504837][   T45]  ffff88801f618080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   86.508857][   T45]  ffff88801f618100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   86.512379][   T45] ==================================================================
[   86.525946][   T45] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   86.529756][   T45] CPU: 0 UID: 0 PID: 45 Comm: kworker/u5:0 Not tainted syzkaller #0 PREEMPT(full) 
[   86.534033][   T45] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   86.538899][   T45] Workqueue: hci0 hci_cmd_sync_work
[   86.542033][   T45] Call Trace:
[   86.544035][   T45]  <TASK>
[   86.545569][   T45]  vpanic+0x56c/0xa60
[   86.547446][   T45]  ? __pfx_vpanic+0x10/0x10
[   86.549527][   T45]  panic+0xc5/0xd0
[   86.551309][   T45]  ? __pfx_panic+0x10/0x10
[   86.553437][   T45]  ? preempt_schedule_thunk+0x16/0x30
[   86.556074][   T45]  ? preempt_schedule_thunk+0x16/0x30
[   86.559162][   T45]  ? hci_conn_drop+0x34/0x2a0
[   86.562283][   T45]  check_panic_on_warn+0x89/0xb0
[   86.564650][   T45]  ? hci_conn_drop+0x34/0x2a0
[   86.566784][   T45]  end_report+0x73/0x180
[   86.568807][   T45]  ? hci_conn_drop+0x34/0x2a0
[   86.570986][   T45]  kasan_report+0x128/0x150
[   86.573185][   T45]  ? hci_conn_drop+0x34/0x2a0
[   86.575879][   T45]  kasan_check_range+0x264/0x2c0
[   86.578741][   T45]  hci_conn_drop+0x34/0x2a0
[   86.581179][   T45]  ? __pfx_le_read_features_complete+0x10/0x10
[   86.584010][   T45]  hci_cmd_sync_work+0x262/0x400
[   86.586248][   T45]  ? process_scheduled_works+0xa8d/0x18c0
[   86.588836][   T45]  process_scheduled_works+0xb6e/0x18c0
[   86.591568][   T45]  ? __pfx_process_scheduled_works+0x10/0x10
[   86.594941][   T45]  ? assign_work+0x3d5/0x5e0
[   86.597283][   T45]  worker_thread+0xa53/0xfc0
[   86.599418][   T45]  kthread+0x388/0x470
[   86.601365][   T45]  ? __pfx_worker_thread+0x10/0x10
[   86.603699][   T45]  ? __pfx_kthread+0x10/0x10
[   86.605867][   T45]  ret_from_fork+0x51e/0xb90
[   86.608177][   T45]  ? __pfx_ret_from_fork+0x10/0x10
[   86.611012][   T45]  ? __switch_to+0xc7d/0x1450
[   86.613141][   T45]  ? __pfx_kthread+0x10/0x10
[   86.615254][   T45]  ret_from_fork_asm+0x1a/0x30
[   86.617576][   T45]  </TASK>
[   86.619516][   T45] Kernel Offset: disabled
[   86.621530][   T45] Rebooting in 86400 seconds..