program:
# syzkaller reproducer (syzlang; "(async)" lets a call run concurrently with
# the next one). Read it together with the KASAN report below it: the crash is
# a slab-use-after-free of an hci_conn object, written by hci_conn_drop() from
# the hci0 hci_cmd_sync_work workqueue. Only the syz_emit_vhci lines sit on the
# alloc/free stacks the report names; the USB and AF_ALG lines are presumably
# fuzzer filler (this program is not confirmed to be minimal).
# Raw packet into the virtual HCI controller (hci0 in the log). Byte 0x04 is
# HCI_EVENT_PKT (cf. the explicit @HCI_EVENT_PKT={0x4,...} further down);
# 0x3e/0x0a look like an LE Meta / LE Enhanced Connection Complete event, which
# matches the "Allocated by" stack (hci_le_enh_conn_complete_evt ->
# le_conn_complete_evt -> __hci_conn_add). Runs async.
syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) (async)
# Second raw packet; leading 0x02 is an ACL data packet header.
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="0200300c000800"], 0x11)
# Emulated USB device (dummy_hcd in the log); it enumerates as idVendor=0a07
# idProduct=00d0 and binds to adutux. Not on the UAF path as far as the
# report shows.
r0 = syz_usb_connect(0x0, 0x36, &(0x7f0000001180)=ANY=[@ANYBLOB="12010000226aa140070ad0001310010203010902240001000000000904000002bd22f00009050303000000000009058aff30"], 0x0)
syz_usb_control_io$cdc_ecm(r0, &(0x7f00000005c0)={0x14, 0x0, &(0x7f0000000580)={0x0, 0x3, 0x1a, {0x1a}}}, 0x0)
r1 = syz_open_dev$char_usb(0xc, 0xb4, 0x0)
pread64(r1, &(0x7f00000061c0)=""/4126, 0x101e, 0x1000060000003) (async)
# fd is -1, so this ioctl fails with EBADF; presumably inert.
ioctl$FS_IOC_SET_ENCRYPTION_POLICY(0xffffffffffffffff, 0x40086602, 0x0)
# 0x04 0x05 = HCI Disconnection Complete event. This matches the "Freed by"
# stack (hci_disconn_complete_evt -> hci_conn_del -> kobject_put -> kfree);
# the report then shows hci_cmd_sync_work calling hci_conn_drop on that
# already-freed hci_conn (write of size 4 at offset 16).
syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7)
# AF_ALG (0x26) skcipher socket, ecb(serpent); unrelated to the Bluetooth path.
r2 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r2, &(0x7f0000000000)={0x26, 'skcipher\x00', 0x0, 0x0, 'ecb(serpent)\x00'}, 0x58) (async)
setsockopt$ALG_SET_KEY(r2, 0x117, 0x1, 0x0, 0x0) (async)
r3 = accept4(r2, 0x0, 0x0, 0x0)
sendmmsg(r3, &(0x7f0000000600)=[{{0x0, 0x0, 0x0}}, {{0x0, 0x0, 0x0, 0x0, &(0x7f0000000100)=[{0x18, 0x117, 0x3, "959acd9a"}], 0x18}}], 0x2, 0x4008000) (async)
# Structured HCI event: Role Change (0x12) on the virtual controller.
syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_role_change={{0x12, 0x8}}}, 0xb)
# Trailing mmap with a garbage prot value; presumably fuzzer filler.
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
[ 74.359689][ T5303] Bluetooth: hci0: command tx timeout
[ 74.649089][ T5311] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 74.801804][ T5311] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x3 has an invalid bInterval 0, changing to 7
[ 74.806646][ T5311] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x3 has invalid wMaxPacketSize 0
[ 74.811205][ T5311] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x8A has an invalid bInterval 0, changing to 7
[ 74.822110][ T5311] usb 5-1: New USB device found, idVendor=0a07, idProduct=00d0, bcdDevice=10.13
[ 74.826820][ T5311] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 74.831254][ T5311] usb 5-1: Product: syz
[ 74.833157][ T5311] usb 5-1: Manufacturer: syz
[ 74.835220][ T5311] usb 5-1: SerialNumber: syz
[ 74.848886][ T5311] usb 5-1: config 0 descriptor??
[ 75.074702][ T5311] adutux 5-1:0.0: ADU208 4242424 now attached to /dev/usb/adutux0
[ 76.379573][ T4673] Bluetooth: hci0: command tx timeout
[ 76.459858][ T5303] ==================================================================
[ 76.463562][ T5303] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2a0
[ 76.466903][ T5303] Write of size 4 at addr ffff88804099c010 by task kworker/u5:2/5303
[ 76.470304][ T5303]
[ 76.471449][ T5303] CPU: 0 UID: 0 PID: 5303 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full)
[ 76.471481][ T5303] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 76.471490][ T5303] Workqueue: hci0 hci_cmd_sync_work
[ 76.471527][ T5303] Call Trace:
[ 76.471596][ T5303]
[ 76.471628][ T5303] dump_stack_lvl+0xe8/0x150
[ 76.471714][ T5303] print_report+0xba/0x230
[ 76.471726][ T5303] ? hci_conn_drop+0x34/0x2a0
[ 76.471741][ T5303] kasan_report+0x117/0x150
[ 76.471804][ T5303] ? hci_conn_drop+0x34/0x2a0
[ 76.471819][ T5303] kasan_check_range+0x264/0x2c0
[ 76.471829][ T5303] hci_conn_drop+0x34/0x2a0
[ 76.471844][ T5303] ? __pfx_le_read_features_complete+0x10/0x10
[ 76.471857][ T5303] hci_cmd_sync_work+0x262/0x400
[ 76.471871][ T5303] ? process_scheduled_works+0xa0f/0x17a0
[ 76.471928][ T5303] process_scheduled_works+0xaec/0x17a0
[ 76.471949][ T5303] ? __pfx_process_scheduled_works+0x10/0x10
[ 76.471965][ T5303] ? do_raw_spin_lock+0x12b/0x2f0
[ 76.471979][ T5303] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 76.471991][ T5303] ? schedule+0x90/0x360
[ 76.472008][ T5303] worker_thread+0xda6/0x1360
[ 76.472021][ T5303] ? __kthread_parkme+0x19c/0x1f0
[ 76.472034][ T5303] kthread+0x726/0x8b0
[ 76.472046][ T5303] ? __pfx_worker_thread+0x10/0x10
[ 76.472056][ T5303] ? __pfx_kthread+0x10/0x10
[ 76.472068][ T5303] ? _raw_spin_unlock_irq+0x23/0x50
[ 76.472082][ T5303] ? __pfx_kthread+0x10/0x10
[ 76.472093][ T5303] ret_from_fork+0x51b/0xa40
[ 76.472105][ T5303] ? __pfx_ret_from_fork+0x10/0x10
[ 76.472114][ T5303] ? __switch_to+0xc82/0x1410
[ 76.472130][ T5303] ? __pfx_kthread+0x10/0x10
[ 76.472142][ T5303] ret_from_fork_asm+0x1a/0x30
[ 76.472160][ T5303]
[ 76.472182][ T5303]
[ 76.548224][ T5303] Allocated by task 5303:
[ 76.550012][ T5303] kasan_save_track+0x3e/0x80
[ 76.552059][ T5303] __kasan_kmalloc+0x93/0xb0
[ 76.554061][ T5303] __kmalloc_cache_noprof+0x3d1/0x6e0
[ 76.556361][ T5303] __hci_conn_add+0x3c5/0x1b30
[ 76.558374][ T5303] le_conn_complete_evt+0x706/0x1430
[ 76.560635][ T5303] hci_le_enh_conn_complete_evt+0x189/0x490
[ 76.563191][ T5303] hci_event_packet+0x7af/0x12c0
[ 76.565349][ T5303] hci_rx_work+0x3ee/0x1030
[ 76.567393][ T5303] process_scheduled_works+0xaec/0x17a0
[ 76.569807][ T5303] worker_thread+0xda6/0x1360
[ 76.571872][ T5303] kthread+0x726/0x8b0
[ 76.573683][ T5303] ret_from_fork+0x51b/0xa40
[ 76.575703][ T5303] ret_from_fork_asm+0x1a/0x30
[ 76.577808][ T5303]
[ 76.578915][ T5303] Freed by task 4673:
[ 76.580639][ T5303] kasan_save_track+0x3e/0x80
[ 76.582649][ T5303] kasan_save_free_info+0x46/0x50
[ 76.584802][ T5303] __kasan_slab_free+0x5c/0x80
[ 76.586853][ T5303] kfree+0x1be/0x650
[ 76.588546][ T5303] device_release+0x9e/0x1d0
[ 76.590616][ T5303] kobject_put+0x228/0x560
[ 76.592531][ T5303] hci_conn_del+0xc36/0x1230
[ 76.594464][ T5303] hci_disconn_complete_evt+0x64e/0x950
[ 76.596735][ T5303] hci_event_packet+0x805/0x12c0
[ 76.598771][ T5303] hci_rx_work+0x3ee/0x1030
[ 76.600680][ T5303] process_scheduled_works+0xaec/0x17a0
[ 76.602975][ T5303] worker_thread+0xda6/0x1360
[ 76.604920][ T5303] kthread+0x726/0x8b0
[ 76.606614][ T5303] ret_from_fork+0x51b/0xa40
[ 76.608493][ T5303] ret_from_fork_asm+0x1a/0x30
[ 76.610484][ T5303]
[ 76.611485][ T5303] The buggy address belongs to the object at ffff88804099c000
[ 76.611485][ T5303] which belongs to the cache kmalloc-8k of size 8192
[ 76.617019][ T5303] The buggy address is located 16 bytes inside of
[ 76.617019][ T5303] freed 8192-byte region [ffff88804099c000, ffff88804099e000)
[ 76.622456][ T5303]
[ 76.623497][ T5303] The buggy address belongs to the physical page:
[ 76.626114][ T5303] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x40998
[ 76.629520][ T5303] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 76.632687][ T5303] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
[ 76.635803][ T5303] page_type: f5(slab)
[ 76.637505][ T5303] raw: 04fff00000000040 ffff88801a842280 dead000000000122 0000000000000000
[ 76.640909][ T5303] raw: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
[ 76.645368][ T5303] head: 04fff00000000040 ffff88801a842280 dead000000000122 0000000000000000
[ 76.649925][ T5303] head: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
[ 76.660904][ T5303] head: 04fff00000000003 ffffea0001026601 00000000ffffffff 00000000ffffffff
[ 76.664418][ T5303] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 76.667969][ T5303] page dumped because: kasan: bad access detected
[ 76.670523][ T5303] page_owner tracks the page as allocated
[ 76.672786][ T5303] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 50, tgid 50 (kworker/u4:4), ts 72761344004, free_ts 72751399728
[ 76.679859][ T5303] post_alloc_hook+0x228/0x280
[ 76.681867][ T5303] get_page_from_freelist+0x24dc/0x2580
[ 76.683944][ T5303] __alloc_frozen_pages_noprof+0x18d/0x380
[ 76.686204][ T5303] alloc_pages_mpol+0x232/0x4a0
[ 76.688408][ T5303] allocate_slab+0x86/0x3a0
[ 76.690358][ T5303] ___slab_alloc+0xd82/0x1760
[ 76.692466][ T5303] __slab_alloc+0x65/0x100
[ 76.694322][ T5303] __kmalloc_noprof+0x46c/0x7e0
[ 76.696449][ T5303] __sta_info_alloc+0xce5/0x2630
[ 76.698403][ T5303] ieee80211_ibss_rx_no_sta+0x3e1/0x730
[ 76.700771][ T5303] ieee80211_prepare_and_rx_handle+0x3aca/0x67e0
[ 76.703463][ T5303] ieee80211_rx_list+0x266e/0x3050
[ 76.705621][ T5303] ieee80211_rx_napi+0x1b1/0x3e0
[ 76.707751][ T5303] ieee80211_handle_queued_frames+0xe8/0x1e0
[ 76.710254][ T5303] tasklet_action_common+0x2da/0x4b0
[ 76.712561][ T5303] handle_softirqs+0x22a/0x7c0
[ 76.714389][ T5303] page last free pid 5302 tgid 5302 stack trace:
[ 76.717447][ T5303] __free_frozen_pages+0xbf8/0xd70
[ 76.719709][ T5303] __slab_free+0x2ce/0x320
[ 76.721868][ T5303] qlist_free_all+0x97/0x100
[ 76.723868][ T5303] kasan_quarantine_reduce+0x148/0x160
[ 76.726144][ T5303] __kasan_slab_alloc+0x22/0x80
[ 76.728304][ T5303] kmem_cache_alloc_lru_noprof+0x35f/0x6c0
[ 76.730775][ T5303] sock_alloc_inode+0x28/0xc0
[ 76.732792][ T5303] alloc_inode+0x6a/0x1b0
[ 76.734509][ T5303] __sock_create+0x12d/0x9d0
[ 76.736461][ T5303] __sys_socket+0xd6/0x1b0
[ 76.738247][ T5303] __x64_sys_socket+0x7a/0x90
[ 76.740247][ T5303] do_syscall_64+0xe2/0xf80
[ 76.742259][ T5303] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 76.744855][ T5303]
[ 76.745886][ T5303] Memory state around the buggy address:
[ 76.748337][ T5303] ffff88804099bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.751577][ T5303] ffff88804099bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.754927][ T5303] >ffff88804099c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.758298][ T5303] ^
[ 76.760293][ T5303] ffff88804099c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.763799][ T5303] ffff88804099c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.767760][ T5303] ==================================================================
[ 76.779800][ T5303] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 76.782755][ T5303] CPU: 0 UID: 0 PID: 5303 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full)
[ 76.786313][ T5303] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 76.790937][ T5303] Workqueue: hci0 hci_cmd_sync_work
[ 76.793475][ T5303] Call Trace:
[ 76.794947][ T5303]
[ 76.796238][ T5303] vpanic+0x1e0/0x670
[ 76.797874][ T5303] panic+0xc5/0xd0
[ 76.799488][ T5303] ? __pfx_panic+0x10/0x10
[ 76.801510][ T5303] ? preempt_schedule_common+0x82/0xd0
[ 76.803896][ T5303] ? hci_conn_drop+0x34/0x2a0
[ 76.805967][ T5303] check_panic_on_warn+0x89/0xb0
[ 76.808211][ T5303] ? hci_conn_drop+0x34/0x2a0
[ 76.810847][ T5303] end_report+0x6f/0x140
[ 76.813154][ T5303] kasan_report+0x128/0x150
[ 76.815668][ T5303] ? hci_conn_drop+0x34/0x2a0
[ 76.817897][ T5303] kasan_check_range+0x264/0x2c0
[ 76.820165][ T5303] hci_conn_drop+0x34/0x2a0
[ 76.822309][ T5303] ? __pfx_le_read_features_complete+0x10/0x10
[ 76.825148][ T5303] hci_cmd_sync_work+0x262/0x400
[ 76.827295][ T5303] ? process_scheduled_works+0xa0f/0x17a0
[ 76.829901][ T5303] process_scheduled_works+0xaec/0x17a0
[ 76.832433][ T5303] ? __pfx_process_scheduled_works+0x10/0x10
[ 76.835172][ T5303] ? do_raw_spin_lock+0x12b/0x2f0
[ 76.837438][ T5303] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 76.839921][ T5303] ? schedule+0x90/0x360
[ 76.841865][ T5303] worker_thread+0xda6/0x1360
[ 76.843857][ T5303] ? __kthread_parkme+0x19c/0x1f0
[ 76.845914][ T5303] kthread+0x726/0x8b0
[ 76.848026][ T5303] ? __pfx_worker_thread+0x10/0x10
[ 76.850151][ T5303] ? __pfx_kthread+0x10/0x10
[ 76.852129][ T5303] ? _raw_spin_unlock_irq+0x23/0x50
[ 76.854320][ T5303] ? __pfx_kthread+0x10/0x10
[ 76.856282][ T5303] ret_from_fork+0x51b/0xa40
[ 76.858389][ T5303] ? __pfx_ret_from_fork+0x10/0x10
[ 76.860581][ T5303] ? __switch_to+0xc82/0x1410
[ 76.862651][ T5303] ? __pfx_kthread+0x10/0x10
[ 76.864582][ T5303] ret_from_fork_asm+0x1a/0x30
[ 76.866645][ T5303]
[ 76.868635][ T5303] Kernel Offset: disabled
[ 76.870762][ T5303] Rebooting in 86400 seconds..