program:
# Reproducer in syzkaller program format, one call per line, followed by the
# guest kernel console log. The calls that line up with the KASAN
# slab-use-after-free report in that log are the Bluetooth ones (L2CAP connect,
# BNEPCONNADD and the HCI device ioctls). Whether the netlink/bridge/ipset
# traffic is needed to hit the bug is not visible from this page -- confirm by
# minimizing the program.

# Netfilter netlink socket; reused at the end for IPSET_CMD_CREATE.
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
# getsockopt on fd -1 (0xffffffffffffffff) with a null buffer.
getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0)
r1 = socket$nl_route(0x10, 0x3, 0x0)
r2 = socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
# Looks up the interface index of 'bridge0'.
# NOTE(review): r3 is used by IFLA_LINK in the next call but is never assigned
# on this page; the `<r3=>` result marker on the ifindex field was presumably
# stripped as an HTML tag during extraction -- confirm against the raw log.
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'bridge0\x00', 0x0})
# @newlink request of 0x3cc bytes: asks for a vlan link (IFLA_LINKINFO @vlan,
# IFLA_VLAN_ID 0x1) on top of r3 and carries a large IFLA_VFINFO_LIST payload.
sendmsg$nl_route(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000580)={&(0x7f0000000e00)=@newlink={0x3cc, 0x10, 0x403, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x2a005}, [@IFLA_LINK={0x8, 0x5, r3}, @IFLA_LINKINFO={0x28, 0x12, 0x0, 0x1, @vlan={{0x9}, {0x18, 0x2, 0x0, 0x1, [@IFLA_VLAN_FLAGS={0xc, 0x2, {0xa54, 0x18}}, @IFLA_VLAN_ID={0x6, 0x1, 0x1}]}}}, @IFLA_VFINFO_LIST={0x37c, 0x16, 0x0, 0x1, [{0x14, 0x1, 0x0, 0x1, [@IFLA_VF_RATE={0x10, 0x6, {0x0, 0x10000, 0x3}}]}, {0xa0, 0x1, 0x0, 0x1, [@IFLA_VF_SPOOFCHK={0xc, 0x4, {0x8001, 0x3}}, @IFLA_VF_VLAN={0x10, 0x2, {0x80, 0xf73, 0xfff}}, @IFLA_VF_IB_PORT_GUID={0x14, 0xb, {0xffffffff, 0x1}}, @IFLA_VF_SPOOFCHK={0xc, 0x4, {0x4, 0x5dd}}, @IFLA_VF_IB_PORT_GUID={0x14, 0xb, {0xfffffff8, 0x8}}, @IFLA_VF_LINK_STATE={0xc, 0x5, {0x400, 0x6}}, @IFLA_VF_VLAN_LIST={0x40, 0xc, 0x0, 0x1, [{0x14, 0x1, {0x9, 0x8b0, 0x8, 0x88a8}}, {0x14, 0x1, {0x8, 0xbe4, 0x5, 0x88a8}}, {0x14, 0x1, {0x4, 0xdd9, 0x20d8, 0x8100}}]}]}, {0x14, 0x1, 0x0, 0x1, [@IFLA_VF_VLAN={0x10, 0x2, {0xfffffff8, 0x6c7, 0x2}}]}, {0x50, 0x1, 0x0, 0x1, [@IFLA_VF_TX_RATE={0xc, 0x3, {0x9, 0x8}}, @IFLA_VF_IB_PORT_GUID={0x14, 0xb, {0x80000001, 0xc140}}, @IFLA_VF_VLAN={0x10, 0x2, {0x0, 0xea2, 0x8e22}}, @IFLA_VF_TRUST={0xc, 0x9, {0x2, 0x89}}, @IFLA_VF_VLAN={0x10, 0x2, {0x2, 0xb86, 0x983}}]}, {0x18, 0x1, 0x0, 0x1, [@IFLA_VF_IB_NODE_GUID={0x14, 0xa, {0x0, 0x7}}]}, {0x20, 0x1, 0x0, 0x1, [@IFLA_VF_RATE={0x10, 0x6, {0x7, 0x800, 0x5}}, @IFLA_VF_LINK_STATE={0xc, 0x5, {0x4, 0x7}}]}, {0x44, 0x1, 0x0, 0x1, [@IFLA_VF_TX_RATE={0xc, 0x3, {0x9, 0x1}}, @IFLA_VF_VLAN={0x10, 0x2, {0xffff, 0xbdf}}, @IFLA_VF_TRUST={0xc, 0x9, {0xb35, 0x1}}, @IFLA_VF_TRUST={0xc, 0x9, {0x4e6, 0x6}}, @IFLA_VF_SPOOFCHK={0xc, 0x4, {0x9, 0x7}}]}, {0x1c4, 0x1, 0x0, 0x1, [@IFLA_VF_VLAN_LIST={0x18, 0xc, 0x0, 0x1, [{0x14, 0x1, {0x7, 0x819, 0x0, 0x8100}}]}, @IFLA_VF_TRUST={0xc, 0x9, {0x7, 0x6}}, @IFLA_VF_TX_RATE={0xc, 0x3, {0x7, 0xfc}}, @IFLA_VF_RATE={0x10, 0x6, {0x4b6d, 0x2, 0x101}}, @IFLA_VF_VLAN_LIST={0x2c, 0xc, 0x0, 0x1, [{0x14, 0x1, {0x7fffffff, 0x194, 0x4, 0x8100}}, {0x14, 0x1, {0x8, 0x70d, 0x6, 0x8100}}]}, @IFLA_VF_RATE={0x10, 0x6, {0x7, 0x9, 0x200}}, @IFLA_VF_SPOOFCHK={0xc, 0x4, {0xef0, 0x5551}}, @IFLA_VF_VLAN_LIST={0xa4, 0xc, 0x0, 0x1, [{0x14, 0x1, {0x2, 0x851, 0x2, 0x88a8}}, {0x14, 0x1, {0x0, 0x233, 0x101, 0x8100}}, {0x14, 0x1, {0x3, 0x17d, 0x1, 0x88a8}}, {0x14, 0x1, {0x9, 0xee4, 0xd279, 0x88a8}}, {0x14, 0x1, {0x2, 0x221, 0x3, 0x8100}}, {0x14, 0x1, {0x10000, 0x9e9, 0x6, 0x88a8}}, {0x14, 0x1, {0x8, 0x42, 0xcd0, 0x88a8}}, {0x14, 0x1, {0x7, 0x2c8, 0x2, 0x8100}}]}, @IFLA_VF_SPOOFCHK={0xc, 0x4, {0x10, 0x6}}, @IFLA_VF_SPOOFCHK={0xc, 0x4, {0x3, 0x8}}, @IFLA_VF_VLAN_LIST={0x7c, 0xc, 0x0, 0x1, [{0x14, 0x1, {0x7, 0x8f8, 0x1ff, 0x8100}}, {0x14, 0x1, {0x6, 0x20, 0xfff, 0x8100}}, {0x14, 0x1, {0xfffffffa, 0x6eb, 0x10000, 0x88a8}}, {0x14, 0x1, {0x0, 0x725, 0x9, 0x88a8}}, {0x14, 0x1, {0x6, 0x89d, 0x3, 0x8100}}, {0x14, 0x1, {0x5, 0xc0a, 0x8000, 0x8100}}]}]}, {0x10, 0x1, 0x0, 0x1, [@IFLA_VF_TX_RATE={0xc, 0x3, {0x9, 0x1d8e}}]}, {0x10, 0x1, 0x0, 0x1, [@IFLA_VF_TRUST={0xc, 0x9, {0x7ff, 0x7fffffff}}]}]}]}, 0x3cc}, 0x1, 0xba01}, 0x0)
r4 = socket$nl_route(0x10, 0x3, 0x0)
# Second @newlink request (0x28 bytes) carrying only an empty IFLA_GROUP attribute.
sendmsg$nl_route(r4, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000009c0)=@newlink={0x28, 0x10, 0xc362e63b3f31ba5f, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x20080, 0x80e1}, [@IFLA_GROUP={0x8}]}, 0x28}, 0x1, 0x0, 0x0, 0x10}, 0x0)
r5 = socket$netlink(0x10, 0x3, 0x0)
# Sent on fd -1, so this call cannot reach a socket.
sendmsg$NL80211_CMD_NEW_KEY(0xffffffffffffffff, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000000)={0x14, 0x0, 0x0, 0x0, 0x0, {{}, {@void, @void}}}, 0x14}}, 0x4000080)
# Deletes the bridge named 'bridge0'.
ioctl$sock_SIOCBRDELBR(r5, 0x89a2, &(0x7f0000000000)='bridge0\x00')
# Despite the $kcm variant name, the socket family is 0x10, the same family
# value as the netlink sockets above. The 0x2e-byte blob contains an attribute
# header 0e00 0a00 (length 0xe, type 0xa); the console line "netlink: 'syz.0.0':
# attribute type 10 has an invalid length." is presumably the kernel's reaction
# to it -- confirm.
r6 = socket$kcm(0x10, 0x2, 0x0)
sendmsg$kcm(r6, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000300)="2e00000010008188040f80ec59acbc0413a181000b00000001010000000000000e000a000f000000028002002d1f", 0x2e}], 0x1}, 0x0)
setresgid(0x0, 0x0, 0xee01)
# L2CAP socket connected to a fixed peer address. r7 is the fd handed to
# BNEPCONNADD below.
r7 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r7, &(0x7f0000000000)={0x1f, 0x8ef, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
r8 = syz_init_net_socket$bt_bnep(0x1f, 0x3, 0x4)
# This is the call the KASAN report blames: request 0x400442c8 matches RSI in
# the report's register dump, and the faulting stack is do_bnep_sock_ioctl ->
# bnep_add_connection -> register_netdev -> notifier_call_chain ->
# cfusbl_device_notify. The read lands 3152 bytes into a kmalloc-8k object
# allocated in __hci_conn_add. Presumably the netdev registered here still
# points at the Bluetooth connection object that a concurrent HCI device close
# already freed -- confirm against the bnep and caif_usb sources.
ioctl$sock_bt_bnep_BNEPCONNADD(r8, 0x400442c8, &(0x7f00000001c0)={r7, 0x1, 0x2})
ioctl$sock_bt_bnep_BNEPCONNDEL(r8, 0x400442c9, 0x0)
syz_init_net_socket$nl_rdma(0x10, 0x3, 0x10)
r9 = syz_init_net_socket$802154_dgram(0x24, 0x2, 0x0)
getsockopt$WPAN_SECURITY_LEVEL(r9, 0x0, 0x2, 0x0, &(0x7f0000000a40))
# Two raw HCI sockets, each issuing one device ioctl on device index 0.
# 0x400448ca looks like HCIDEVDOWN and 0x400448c9 like HCIDEVUP -- confirm
# against the HCI ioctl definitions. The "Freed by task 5323" stack in the
# report (hci_dev_close -> hci_dev_close_sync -> hci_conn_hash_flush ->
# hci_conn_del -> kobject_put -> device_release -> kfree) is reached through
# sock_ioctl, which is consistent with the first of these two ioctls.
r10 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r10, 0x400448ca, 0x0)
r11 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r11, 0x400448c9, 0x0)
syz_emit_vhci(0x0, 0x22)
# ipset create/add over the netfilter sockets. The blobs carry the set name
# "syz1" (73797a31) and, in the create message, the type name "hash:net"
# (686173683a6e6574) as ASCII.
sendmsg$IPSET_CMD_CREATE(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000044c0)={&(0x7f0000000080)=ANY=[@ANYBLOB="54000000020601080000000000000006000000000c000780080008400000000c0500010006000000050005000a00000005000400000000000900020073797a31000000000d000300686173683a6e657400000000"], 0x54}}, 0x0)
r12 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_ADD(r12, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000340)=ANY=[@ANYBLOB="44000000090601020000000000000000000000000900020073797a310000000005000100070000021c0007801800018014715e572169e100024000"/74], 0x44}, 0x1, 0x0, 0x0, 0x10000047}, 0x4000084)
[ 74.452169][ T4679] Bluetooth: hci0: command tx timeout [ 74.552882][ T5323] bridge0: port 2(bridge_slave_1) entered disabled state [ 74.556492][ T5323] bridge0: port 1(bridge_slave_0) entered disabled state [ 74.616925][ T5323] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 74.627250][ T5323] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 74.637618][ T5325] netlink: 'syz.0.0': attribute type 10 has an invalid length. 
[ 74.702736][ T5323] netdevsim netdevsim0 netdevsim0: unset [1, 0] type 2 family 0 port 6081 - 0 [ 74.706545][ T5323] netdevsim netdevsim0 netdevsim1: unset [1, 0] type 2 family 0 port 6081 - 0 [ 74.710411][ T5323] netdevsim netdevsim0 netdevsim2: unset [1, 0] type 2 family 0 port 6081 - 0 [ 74.714532][ T5323] netdevsim netdevsim0 netdevsim3: unset [1, 0] type 2 family 0 port 6081 - 0 [ 74.746410][ T5324] bridge0: port 3(syz_tun) entered blocking state [ 74.749397][ T5324] bridge0: port 3(syz_tun) entered disabled state [ 74.759425][ T5324] syz_tun: entered allmulticast mode [ 74.766050][ T5324] syz_tun: entered promiscuous mode [ 74.775719][ T5325] syz_tun: left allmulticast mode [ 74.777977][ T5325] bridge0: port 3(syz_tun) entered disabled state [ 74.799333][ T5326] ================================================================== [ 74.802674][ T5326] BUG: KASAN: slab-use-after-free in cfusbl_device_notify+0x150/0x6a0 [ 74.806136][ T5326] Read of size 8 at addr ffff888040638c50 by task syz.0.0/5326 [ 74.809277][ T5326] [ 74.810363][ T5326] CPU: 0 UID: 0 PID: 5326 Comm: syz.0.0 Not tainted 6.15.0-syzkaller-11796-g5abc7438f1e9 #0 PREEMPT(full) [ 74.810379][ T5326] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 74.810387][ T5326] Call Trace: [ 74.810395][ T5326] <TASK> [ 74.810401][ T5326] dump_stack_lvl+0x189/0x250 [ 74.810423][ T5326] ? __virt_addr_valid+0x1c8/0x5c0 [ 74.810435][ T5326] ? rcu_is_watching+0x15/0xb0 [ 74.810446][ T5326] ? __kasan_check_byte+0x12/0x40 [ 74.810497][ T5326] ? __pfx_dump_stack_lvl+0x10/0x10 [ 74.810514][ T5326] ? rcu_is_watching+0x15/0xb0 [ 74.810523][ T5326] ? lock_release+0x4b/0x3e0 [ 74.810539][ T5326] ? __virt_addr_valid+0x1c8/0x5c0 [ 74.810551][ T5326] ? __virt_addr_valid+0x4a5/0x5c0 [ 74.810562][ T5326] print_report+0xd2/0x2b0 [ 74.810578][ T5326] ? cfusbl_device_notify+0x150/0x6a0 [ 74.810590][ T5326] kasan_report+0x118/0x150 [ 74.810601][ T5326] ? 
cfusbl_device_notify+0x150/0x6a0 [ 74.810614][ T5326] cfusbl_device_notify+0x150/0x6a0 [ 74.810627][ T5326] ? net_generic+0x1e/0x240 [ 74.810638][ T5326] ? __pfx_cfusbl_device_notify+0x10/0x10 [ 74.810651][ T5326] ? caif_device_notify+0x250/0xfc0 [ 74.810663][ T5326] ? smc_pnet_netdev_event+0x3b5/0x6c0 [ 74.810677][ T5326] notifier_call_chain+0x1b6/0x3e0 [ 74.810689][ T5326] register_netdevice+0x121c/0x1ae0 [ 74.810703][ T5326] ? __mutex_lock+0x51b/0xe80 [ 74.810756][ T5326] ? __pfx_register_netdevice+0x10/0x10 [ 74.810773][ T5326] ? __asan_memset+0x22/0x50 [ 74.810790][ T5326] ? dev_addr_mod+0x2ce/0x3d0 [ 74.810805][ T5326] register_netdev+0x40/0x60 [ 74.810819][ T5326] bnep_add_connection+0x6bf/0xbf0 [ 74.810837][ T5326] ? __pfx_bnep_add_connection+0x10/0x10 [ 74.810850][ T5326] ? __fget_files+0x3a0/0x420 [ 74.810866][ T5326] do_bnep_sock_ioctl+0x40e/0x640 [ 74.810881][ T5326] ? __pfx_do_bnep_sock_ioctl+0x10/0x10 [ 74.810896][ T5326] ? tomoyo_path_number_perm+0x1bc/0x5a0 [ 74.810912][ T5326] ? tomoyo_path_number_perm+0x4e2/0x5a0 [ 74.810925][ T5326] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 74.810941][ T5326] sock_do_ioctl+0xd9/0x300 [ 74.810957][ T5326] ? __pfx_sock_do_ioctl+0x10/0x10 [ 74.810972][ T5326] ? __lock_acquire+0xab9/0xd20 [ 74.810990][ T5326] sock_ioctl+0x576/0x790 [ 74.811004][ T5326] ? __pfx_sock_ioctl+0x10/0x10 [ 74.811015][ T5326] ? __fget_files+0x2a/0x420 [ 74.811023][ T5326] ? __fget_files+0x3a0/0x420 [ 74.811034][ T5326] ? __fget_files+0x2a/0x420 [ 74.811045][ T5326] ? bpf_lsm_file_ioctl+0x9/0x20 [ 74.811060][ T5326] ? __pfx_sock_ioctl+0x10/0x10 [ 74.811074][ T5326] __se_sys_ioctl+0xfc/0x170 [ 74.811099][ T5326] do_syscall_64+0xfa/0x3b0 [ 74.811117][ T5326] ? lockdep_hardirqs_on+0x9c/0x150 [ 74.811133][ T5326] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.811144][ T5326] ? 
clear_bhb_loop+0x60/0xb0 [ 74.811156][ T5326] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.811167][ T5326] RIP: 0033:0x7f5bf138e969 [ 74.811180][ T5326] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 74.811189][ T5326] RSP: 002b:00007f5bf225b038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 74.811202][ T5326] RAX: ffffffffffffffda RBX: 00007f5bf15b6240 RCX: 00007f5bf138e969 [ 74.811210][ T5326] RDX: 00002000000001c0 RSI: 00000000400442c8 RDI: 000000000000000b [ 74.811217][ T5326] RBP: 00007f5bf1410ab1 R08: 0000000000000000 R09: 0000000000000000 [ 74.811225][ T5326] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 74.811232][ T5326] R13: 0000000000000000 R14: 00007f5bf15b6240 R15: 00007ffe72e88a18 [ 74.811245][ T5326] </TASK> [ 74.811249][ T5326] [ 74.958547][ T5326] Allocated by task 5309: [ 74.960538][ T5326] kasan_save_track+0x3e/0x80 [ 74.962505][ T5326] __kasan_kmalloc+0x93/0xb0 [ 74.964579][ T5326] __kmalloc_cache_noprof+0x230/0x3d0 [ 74.967156][ T5326] __hci_conn_add+0x233/0x1b30 [ 74.969273][ T5326] hci_conn_request_evt+0x53e/0xb60 [ 74.971443][ T5326] hci_event_packet+0x7e3/0x1200 [ 74.973508][ T5326] hci_rx_work+0x46a/0xe80 [ 74.975410][ T5326] process_scheduled_works+0xade/0x17b0 [ 74.977798][ T5326] worker_thread+0x8a0/0xda0 [ 74.979698][ T5326] kthread+0x711/0x8a0 [ 74.981457][ T5326] ret_from_fork+0x3f9/0x770 [ 74.983447][ T5326] ret_from_fork_asm+0x1a/0x30 [ 74.985498][ T5326] [ 74.986484][ T5326] Freed by task 5323: [ 74.988185][ T5326] kasan_save_track+0x3e/0x80 [ 74.990164][ T5326] kasan_save_free_info+0x46/0x50 [ 74.992304][ T5326] __kasan_slab_free+0x62/0x70 [ 74.994295][ T5326] kfree+0x18e/0x440 [ 74.996111][ T5326] device_release+0x9c/0x1c0 [ 74.998170][ T5326] kobject_put+0x22b/0x480 [ 75.000056][ T5326] hci_conn_del+0x8ff/0xcb0 [ 75.001964][ T5326] 
hci_conn_hash_flush+0x191/0x230 [ 75.004156][ T5326] hci_dev_close_sync+0xaef/0x1330 [ 75.006383][ T5326] hci_dev_close+0x106/0x200 [ 75.008376][ T5326] sock_do_ioctl+0xd9/0x300 [ 75.010307][ T5326] sock_ioctl+0x576/0x790 [ 75.012153][ T5326] __se_sys_ioctl+0xfc/0x170 [ 75.014105][ T5326] do_syscall_64+0xfa/0x3b0 [ 75.015945][ T5326] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.018290][ T5326] [ 75.019244][ T5326] Last potentially related work creation: [ 75.021429][ T5326] kasan_save_stack+0x3e/0x60 [ 75.023291][ T5326] kasan_record_aux_stack+0xbd/0xd0 [ 75.025340][ T5326] insert_work+0x3d/0x330 [ 75.027062][ T5326] __queue_work+0xcfc/0xfe0 [ 75.028690][ T5326] queue_delayed_work_on+0x18b/0x280 [ 75.030663][ T5326] l2cap_chan_del+0x285/0x5e0 [ 75.032627][ T5326] l2cap_conn_del+0x388/0x680 [ 75.034648][ T5326] hci_conn_hash_flush+0x10a/0x230 [ 75.036962][ T5326] hci_dev_close_sync+0xaef/0x1330 [ 75.039167][ T5326] hci_dev_close+0x106/0x200 [ 75.041213][ T5326] sock_do_ioctl+0xd9/0x300 [ 75.043153][ T5326] sock_ioctl+0x576/0x790 [ 75.044972][ T5326] __se_sys_ioctl+0xfc/0x170 [ 75.046761][ T5326] do_syscall_64+0xfa/0x3b0 [ 75.048723][ T5326] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.051207][ T5326] [ 75.052226][ T5326] The buggy address belongs to the object at ffff888040638000 [ 75.052226][ T5326] which belongs to the cache kmalloc-8k of size 8192 [ 75.057995][ T5326] The buggy address is located 3152 bytes inside of [ 75.057995][ T5326] freed 8192-byte region [ffff888040638000, ffff88804063a000) [ 75.063732][ T5326] [ 75.064815][ T5326] The buggy address belongs to the physical page: [ 75.067647][ T5326] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x40638 [ 75.071368][ T5326] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 75.074645][ T5326] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) [ 75.078037][ T5326] page_type: f5(slab) [ 75.079752][ T5326] raw: 04fff00000000040 ffff88801a442280 
dead000000000122 0000000000000000 [ 75.083302][ T5326] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000 [ 75.086888][ T5326] head: 04fff00000000040 ffff88801a442280 dead000000000122 0000000000000000 [ 75.090629][ T5326] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000 [ 75.094312][ T5326] head: 04fff00000000003 ffffea0001018e01 00000000ffffffff 00000000ffffffff [ 75.097979][ T5326] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 75.101650][ T5326] page dumped because: kasan: bad access detected [ 75.104271][ T5326] page_owner tracks the page as allocated [ 75.106572][ T5326] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5309, tgid 5309 (kworker/u5:2), ts 72171297606, free_ts 64443437358 [ 75.114933][ T5326] post_alloc_hook+0x240/0x2a0 [ 75.116980][ T5326] get_page_from_freelist+0x21e4/0x22c0 [ 75.119270][ T5326] __alloc_frozen_pages_noprof+0x181/0x370 [ 75.121653][ T5326] alloc_pages_mpol+0x232/0x4a0 [ 75.123673][ T5326] allocate_slab+0x8a/0x3b0 [ 75.125611][ T5326] ___slab_alloc+0xbfc/0x1480 [ 75.127633][ T5326] __kmalloc_cache_noprof+0x296/0x3d0 [ 75.129988][ T5326] __hci_conn_add+0x233/0x1b30 [ 75.132253][ T5326] hci_conn_request_evt+0x53e/0xb60 [ 75.134502][ T5326] hci_event_packet+0x7e3/0x1200 [ 75.136709][ T5326] hci_rx_work+0x46a/0xe80 [ 75.138718][ T5326] process_scheduled_works+0xade/0x17b0 [ 75.141162][ T5326] worker_thread+0x8a0/0xda0 [ 75.143215][ T5326] kthread+0x711/0x8a0 [ 75.144928][ T5326] ret_from_fork+0x3f9/0x770 [ 75.146883][ T5326] ret_from_fork_asm+0x1a/0x30 [ 75.148857][ T5326] page last free pid 5290 tgid 5290 stack trace: [ 75.151428][ T5326] __free_frozen_pages+0xc71/0xe70 [ 75.153536][ T5326] __put_partials+0x161/0x1c0 [ 75.155483][ T5326] put_cpu_partial+0x17c/0x250 [ 75.157526][ T5326] __slab_free+0x2f7/0x400 [ 75.159496][ T5326] qlist_free_all+0x97/0x140 [ 
75.161500][ T5326] kasan_quarantine_reduce+0x148/0x160 [ 75.163826][ T5326] __kasan_slab_alloc+0x22/0x80 [ 75.165764][ T5326] kmem_cache_alloc_noprof+0x1c1/0x3c0 [ 75.168103][ T5326] getname_flags+0xb8/0x540 [ 75.170006][ T5326] do_sys_openat2+0xbc/0x1c0 [ 75.171951][ T5326] __x64_sys_openat+0x138/0x170 [ 75.173972][ T5326] do_syscall_64+0xfa/0x3b0 [ 75.175970][ T5326] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.178619][ T5326] [ 75.179695][ T5326] Memory state around the buggy address: [ 75.182266][ T5326] ffff888040638b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.185711][ T5326] ffff888040638b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.189185][ T5326] >ffff888040638c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.192428][ T5326] ^ [ 75.195137][ T5326] ffff888040638c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.198411][ T5326] ffff888040638d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.201290][ T5326] ================================================================== [ 75.219010][ T5326] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 75.222141][ T5326] CPU: 0 UID: 0 PID: 5326 Comm: syz.0.0 Not tainted 6.15.0-syzkaller-11796-g5abc7438f1e9 #0 PREEMPT(full) [ 75.226979][ T5326] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.231481][ T5326] Call Trace: [ 75.232873][ T5326] <TASK> [ 75.234137][ T5326] dump_stack_lvl+0x99/0x250 [ 75.236282][ T5326] ? __asan_memcpy+0x40/0x70 [ 75.238363][ T5326] ? __pfx_dump_stack_lvl+0x10/0x10 [ 75.240605][ T5326] ? __pfx__printk+0x10/0x10 [ 75.242524][ T5326] panic+0x2db/0x790 [ 75.244201][ T5326] ? __pfx_panic+0x10/0x10 [ 75.246099][ T5326] ? _raw_spin_unlock_irqrestore+0xfd/0x110 [ 75.248755][ T5326] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 75.251359][ T5326] ? print_memory_metadata+0x314/0x400 [ 75.253666][ T5326] ? 
cfusbl_device_notify+0x150/0x6a0 [ 75.255987][ T5326] check_panic_on_warn+0x89/0xb0 [ 75.258068][ T5326] ? cfusbl_device_notify+0x150/0x6a0 [ 75.260278][ T5326] end_report+0x78/0x160 [ 75.262079][ T5326] kasan_report+0x129/0x150 [ 75.263977][ T5326] ? cfusbl_device_notify+0x150/0x6a0 [ 75.266337][ T5326] cfusbl_device_notify+0x150/0x6a0 [ 75.268600][ T5326] ? net_generic+0x1e/0x240 [ 75.270628][ T5326] ? __pfx_cfusbl_device_notify+0x10/0x10 [ 75.273176][ T5326] ? caif_device_notify+0x250/0xfc0 [ 75.275379][ T5326] ? smc_pnet_netdev_event+0x3b5/0x6c0 [ 75.277529][ T5326] notifier_call_chain+0x1b6/0x3e0 [ 75.279591][ T5326] register_netdevice+0x121c/0x1ae0 [ 75.281861][ T5326] ? __mutex_lock+0x51b/0xe80 [ 75.283901][ T5326] ? __pfx_register_netdevice+0x10/0x10 [ 75.286297][ T5326] ? __asan_memset+0x22/0x50 [ 75.288169][ T5326] ? dev_addr_mod+0x2ce/0x3d0 [ 75.290138][ T5326] register_netdev+0x40/0x60 [ 75.292103][ T5326] bnep_add_connection+0x6bf/0xbf0 [ 75.294123][ T5326] ? __pfx_bnep_add_connection+0x10/0x10 [ 75.296470][ T5326] ? __fget_files+0x3a0/0x420 [ 75.298529][ T5326] do_bnep_sock_ioctl+0x40e/0x640 [ 75.300746][ T5326] ? __pfx_do_bnep_sock_ioctl+0x10/0x10 [ 75.302926][ T5326] ? tomoyo_path_number_perm+0x1bc/0x5a0 [ 75.305268][ T5326] ? tomoyo_path_number_perm+0x4e2/0x5a0 [ 75.307562][ T5326] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 75.310141][ T5326] sock_do_ioctl+0xd9/0x300 [ 75.312042][ T5326] ? __pfx_sock_do_ioctl+0x10/0x10 [ 75.314295][ T5326] ? __lock_acquire+0xab9/0xd20 [ 75.316485][ T5326] sock_ioctl+0x576/0x790 [ 75.318411][ T5326] ? __pfx_sock_ioctl+0x10/0x10 [ 75.320542][ T5326] ? __fget_files+0x2a/0x420 [ 75.322528][ T5326] ? __fget_files+0x3a0/0x420 [ 75.324584][ T5326] ? __fget_files+0x2a/0x420 [ 75.326680][ T5326] ? bpf_lsm_file_ioctl+0x9/0x20 [ 75.328863][ T5326] ? __pfx_sock_ioctl+0x10/0x10 [ 75.330972][ T5326] __se_sys_ioctl+0xfc/0x170 [ 75.333025][ T5326] do_syscall_64+0xfa/0x3b0 [ 75.335048][ T5326] ? 
lockdep_hardirqs_on+0x9c/0x150 [ 75.337449][ T5326] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.340073][ T5326] ? clear_bhb_loop+0x60/0xb0 [ 75.342106][ T5326] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.344730][ T5326] RIP: 0033:0x7f5bf138e969 [ 75.346743][ T5326] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 75.354662][ T5326] RSP: 002b:00007f5bf225b038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 75.358134][ T5326] RAX: ffffffffffffffda RBX: 00007f5bf15b6240 RCX: 00007f5bf138e969 [ 75.361400][ T5326] RDX: 00002000000001c0 RSI: 00000000400442c8 RDI: 000000000000000b [ 75.364615][ T5326] RBP: 00007f5bf1410ab1 R08: 0000000000000000 R09: 0000000000000000 [ 75.368069][ T5326] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 75.371346][ T5326] R13: 0000000000000000 R14: 00007f5bf15b6240 R15: 00007ffe72e88a18 [ 75.374614][ T5326] </TASK> [ 75.376309][ T5326] Kernel Offset: disabled [ 75.378120][ T5326] Rebooting in 86400 seconds..