program: r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000040), 0x41, 0x0) write$binfmt_aout(r0, &(0x7f0000000180)=ANY=[], 0xff2e) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="0200300c000800"], 0x11) ioctl$FS_IOC_SET_ENCRYPTION_POLICY(0xffffffffffffffff, 0x40086602, 0x0) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7) syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_role_change={{0x12, 0x8}}}, 0xb) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) ioctl$TCSETS(r0, 0x40045431, &(0x7f0000000dc0)={0x0, 0x0, 0x0, 0x0, 0x0, "0062ba7d82000000000000000000f7ffffff00"}) syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000010c410cf8a0000000000010902"], 0x0) r1 = syz_open_pts(r0, 0x0) r2 = dup3(r1, r0, 0x0) ioctl$TIOCSTI(r2, 0x5412, &(0x7f0000000000)=0x11) r3 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0) r4 = openat$rfkill(0xffffffffffffff9c, &(0x7f0000000040), 0x801, 0x0) write$rfkill(r4, &(0x7f0000000080)={0x0, 0x0, 0x3, 0x1}, 0x8) r5 = socket$nl_generic(0x10, 0x3, 0x10) r6 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r5, 0x8933, &(0x7f0000000700)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r5, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000000)=ANY=[@ANYBLOB='$\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="050000000000000000000600000008000300", @ANYRES32=r7, @ANYBLOB="0800050002"], 0x24}}, 0x0) r8 = socket$nl_generic(0x10, 0x3, 0x10) r9 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r8, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_CONNECT(r8, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000180)={0x38, r9, 0x5, 0x0, 0x25dfdbfb, {{}, {@val={0x8, 0x3, r10}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}], @NL80211_ATTR_USE_MFP={0x8, 0x42, 0x1}]}, 0x38}}, 0x0) syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f0000000100)=@mgmt_frame=@probe_response={{{}, {}, @device_b, @device_a, @from_mac}, 0x0, @random=0x101, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val={0x1, 0x1, [{0x2, 0x1}]}, @void, @void, @void, @void, @void, @val={0x71, 0x7, {0x0, 0x0, 0x1, 0x0, 0x1, 0x8, 0x1}}}, 0x38) nanosleep(&(0x7f0000000340)={0x0, 0x2faf080}, 0x0) syz_80211_inject_frame(&(0x7f00000003c0)=@device_b, &(0x7f0000000400)=@mgmt_frame=@auth={{{}, {}, @device_b, @device_a, @from_mac, {0x0, 0x1}}, 0x0, 0x2, 0x0, @void}, 0x1e) syz_80211_inject_frame(&(0x7f00000004c0)=@device_b, &(0x7f0000000380)=@mgmt_frame=@assoc_resp={{{}, {}, @device_b, @device_a, @from_mac, {0x0, 0x2}}, 0x1, 0x0, @default, @val, @void}, 0x20) syz_usb_connect(0x0, 0xfffffe88, 0x0, 0x0) ioctl$TIOCSETD(r3, 0x5423, &(0x7f0000000000)=0x15) [ 85.171169][ T4664] Bluetooth: hci0: command tx timeout [ 85.330685][ T5323] usb 5-1: new high-speed USB device number 2 using dummy_hcd [ 85.480682][ T5323] usb 5-1: Using ep0 maxpacket: 16 [ 85.486784][ T5323] usb 5-1: config 0 has no interfaces? [ 85.489190][ T5323] usb 5-1: New USB device found, idVendor=10c4, idProduct=8acf, bcdDevice= 0.00 [ 85.493708][ T5323] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 85.500339][ T5323] usb 5-1: config 0 descriptor?? [ 85.918454][ T5317] wlan1: authenticate with 08:02:11:00:00:00 (local address=08:02:11:00:00:01) [ 85.923813][ T5327] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 85.937017][ T5317] wlan1: send auth to 08:02:11:00:00:00 (try 1/3) [ 86.045437][ T3025] wlan1: authenticated [ 86.047573][ T5325] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 86.055998][ T3025] wlan1: RX AssocResp from 08:02:11:00:00:00 (capab=0x1 status=0 aid=1) [ 86.063183][ T3025] wlan1: associated [ 86.066799][ T5325] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 87.012847][ T5303] ================================================================== [ 87.016492][ T5303] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2a0 [ 87.019792][ T5303] Write of size 4 at addr ffff888032e94010 by task kworker/u5:2/5303 [ 87.023303][ T5303] [ 87.024327][ T5303] CPU: 0 UID: 0 PID: 5303 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) [ 87.024340][ T5303] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 87.024348][ T5303] Workqueue: hci0 hci_cmd_sync_work [ 87.024369][ T5303] Call Trace: [ 87.024376][ T5303] [ 87.024381][ T5303] dump_stack_lvl+0xe8/0x150 [ 87.024397][ T5303] print_report+0xba/0x230 [ 87.024410][ T5303] ? hci_conn_drop+0x34/0x2a0 [ 87.024425][ T5303] kasan_report+0x117/0x150 [ 87.024436][ T5303] ? hci_conn_drop+0x34/0x2a0 [ 87.024448][ T5303] kasan_check_range+0x264/0x2c0 [ 87.024459][ T5303] hci_conn_drop+0x34/0x2a0 [ 87.024468][ T5303] ? __pfx_le_read_features_complete+0x10/0x10 [ 87.024482][ T5303] hci_cmd_sync_work+0x262/0x400 [ 87.024496][ T5303] ? process_scheduled_works+0xa25/0x1830 [ 87.024510][ T5303] process_scheduled_works+0xb02/0x1830 [ 87.024529][ T5303] ? __pfx_process_scheduled_works+0x10/0x10 [ 87.024542][ T5303] ? assign_work+0x3d5/0x5e0 [ 87.024555][ T5303] worker_thread+0xa50/0xfc0 [ 87.024573][ T5303] kthread+0x388/0x470 [ 87.024583][ T5303] ? __pfx_worker_thread+0x10/0x10 [ 87.024595][ T5303] ? __pfx_kthread+0x10/0x10 [ 87.024604][ T5303] ret_from_fork+0x51e/0xb90 [ 87.024618][ T5303] ? __pfx_ret_from_fork+0x10/0x10 [ 87.024629][ T5303] ? __switch_to+0xc7d/0x1450 [ 87.024641][ T5303] ? __pfx_kthread+0x10/0x10 [ 87.024650][ T5303] ret_from_fork_asm+0x1a/0x30 [ 87.024669][ T5303] [ 87.024673][ T5303] [ 87.088779][ T5303] Allocated by task 5303: [ 87.090761][ T5303] kasan_save_track+0x3e/0x80 [ 87.092759][ T5303] __kasan_kmalloc+0x93/0xb0 [ 87.094739][ T5303] __kmalloc_cache_noprof+0x31c/0x660 [ 87.097023][ T5303] __hci_conn_add+0x3c4/0x1e00 [ 87.099089][ T5303] le_conn_complete_evt+0x706/0x1430 [ 87.101617][ T5303] hci_le_enh_conn_complete_evt+0x189/0x490 [ 87.104126][ T5303] hci_event_packet+0x7af/0x12c0 [ 87.106225][ T5303] hci_rx_work+0x3ee/0x1030 [ 87.108147][ T5303] process_scheduled_works+0xb02/0x1830 [ 87.110513][ T5303] worker_thread+0xa50/0xfc0 [ 87.112588][ T5303] kthread+0x388/0x470 [ 87.114370][ T5303] ret_from_fork+0x51e/0xb90 [ 87.116414][ T5303] ret_from_fork_asm+0x1a/0x30 [ 87.118536][ T5303] [ 87.119566][ T5303] Freed by task 4664: [ 87.121290][ T5303] kasan_save_track+0x3e/0x80 [ 87.123295][ T5303] kasan_save_free_info+0x46/0x50 [ 87.125478][ T5303] __kasan_slab_free+0x5c/0x80 [ 87.127662][ T5303] kfree+0x1c1/0x630 [ 87.129460][ T5303] device_release+0x9e/0x1d0 [ 87.131636][ T5303] kobject_put+0x228/0x560 [ 87.133611][ T5303] hci_conn_del+0xc36/0x1230 [ 87.135722][ T5303] hci_disconn_complete_evt+0x64e/0x950 [ 87.138173][ T5303] hci_event_packet+0x805/0x12c0 [ 87.140324][ T5303] hci_rx_work+0x3ee/0x1030 [ 87.142385][ T5303] process_scheduled_works+0xb02/0x1830 [ 87.144869][ T5303] worker_thread+0xa50/0xfc0 [ 87.146946][ T5303] kthread+0x388/0x470 [ 87.148830][ T5303] ret_from_fork+0x51e/0xb90 [ 87.150817][ T5303] ret_from_fork_asm+0x1a/0x30 [ 87.152863][ T5303] [ 87.153952][ T5303] The buggy address belongs to the object at ffff888032e94000 [ 87.153952][ T5303] which belongs to the cache kmalloc-8k of size 8192 [ 87.159836][ T5303] The buggy address is located 16 bytes inside of [ 87.159836][ T5303] freed 8192-byte region [ffff888032e94000, ffff888032e96000) [ 87.165693][ T5303] [ 87.166793][ T5303] The buggy address belongs to the physical page: [ 87.169548][ T5303] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x32e90 [ 87.173096][ T5303] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 87.176402][ T5303] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) [ 87.179357][ T5303] page_type: f5(slab) [ 87.181212][ T5303] raw: 04fff00000000040 ffff88801ac42280 dead000000000100 dead000000000122 [ 87.185083][ T5303] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000 [ 87.188679][ T5303] head: 04fff00000000040 ffff88801ac42280 dead000000000100 dead000000000122 [ 87.192404][ T5303] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000 [ 87.196019][ T5303] head: 04fff00000000003 ffffea0000cba401 00000000ffffffff 00000000ffffffff [ 87.199890][ T5303] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 87.203554][ T5303] page dumped because: kasan: bad access detected [ 87.206009][ T5303] page_owner tracks the page as allocated [ 87.208470][ T5303] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 9318978548, free_ts 0 [ 87.216576][ T5303] post_alloc_hook+0x231/0x280 [ 87.218707][ T5303] get_page_from_freelist+0x24dc/0x2580 [ 87.221167][ T5303] __alloc_frozen_pages_noprof+0x18d/0x380 [ 87.223597][ T5303] allocate_slab+0x77/0x660 [ 87.225475][ T5303] refill_objects+0x331/0x3c0 [ 87.227471][ T5303] __pcs_replace_empty_main+0x2b9/0x620 [ 87.229797][ T5303] __kmalloc_noprof+0x474/0x760 [ 87.231919][ T5303] acpi_ut_initialize_buffer+0xd2/0x180 [ 87.234224][ T5303] acpi_rs_create_pci_routing_table+0x1c0/0xd90 [ 87.236806][ T5303] acpi_rs_get_prt_method_data+0xdf/0x150 [ 87.239183][ T5303] acpi_get_irq_routing_table+0x98/0xe0 [ 87.241492][ T5303] acpi_pci_irq_find_prt_entry+0x163/0x1090 [ 87.243973][ T5303] acpi_pci_irq_lookup+0x45/0x690 [ 87.246101][ T5303] acpi_pci_irq_enable+0x1ee/0x790 [ 87.248261][ T5303] do_pci_enable_device+0x28a/0x4a0 [ 87.250578][ T5303] pci_enable_device_flags+0x5a9/0x6d0 [ 87.253022][ T5303] page_owner free stack trace missing [ 87.255368][ T5303] [ 87.256438][ T5303] Memory state around the buggy address: [ 87.258755][ T5303] ffff888032e93f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 87.262212][ T5303] ffff888032e93f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 87.265754][ T5303] >ffff888032e94000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 87.269261][ T5303] ^ [ 87.271473][ T5303] ffff888032e94080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 87.275079][ T5303] ffff888032e94100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 87.278826][ T5303] ================================================================== [ 87.289014][ T4664] Bluetooth: hci0: command 0x040f tx timeout [ 87.293325][ T5303] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 87.296404][ T5303] CPU: 0 UID: 0 PID: 5303 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) [ 87.300605][ T5303] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 87.305326][ T5303] Workqueue: hci0 hci_cmd_sync_work [ 87.307654][ T5303] Call Trace: [ 87.309118][ T5303] [ 87.310409][ T5303] vpanic+0x56c/0xa60 [ 87.312793][ T5303] ? __pfx_vpanic+0x10/0x10 [ 87.315400][ T5303] panic+0xc5/0xd0 [ 87.317628][ T5303] ? __pfx_panic+0x10/0x10 [ 87.320233][ T5303] ? preempt_schedule_thunk+0x16/0x30 [ 87.323424][ T5303] ? preempt_schedule_thunk+0x16/0x30 [ 87.326377][ T5303] ? hci_conn_drop+0x34/0x2a0 [ 87.328799][ T5303] check_panic_on_warn+0x89/0xb0 [ 87.330698][ T5303] ? hci_conn_drop+0x34/0x2a0 [ 87.332638][ T5303] end_report+0x73/0x180 [ 87.334302][ T5303] ? hci_conn_drop+0x34/0x2a0 [ 87.336188][ T5303] kasan_report+0x128/0x150 [ 87.337961][ T5303] ? hci_conn_drop+0x34/0x2a0 [ 87.339800][ T5303] kasan_check_range+0x264/0x2c0 [ 87.342017][ T5303] hci_conn_drop+0x34/0x2a0 [ 87.343833][ T5303] ? __pfx_le_read_features_complete+0x10/0x10 [ 87.346435][ T5303] hci_cmd_sync_work+0x262/0x400 [ 87.348674][ T5303] ? process_scheduled_works+0xa25/0x1830 [ 87.351018][ T5303] process_scheduled_works+0xb02/0x1830 [ 87.353082][ T5303] ? __pfx_process_scheduled_works+0x10/0x10 [ 87.355461][ T5303] ? assign_work+0x3d5/0x5e0 [ 87.357312][ T5303] worker_thread+0xa50/0xfc0 [ 87.358957][ T5303] kthread+0x388/0x470 [ 87.360704][ T5303] ? __pfx_worker_thread+0x10/0x10 [ 87.362936][ T5303] ? __pfx_kthread+0x10/0x10 [ 87.364972][ T5303] ret_from_fork+0x51e/0xb90 [ 87.366797][ T5303] ? __pfx_ret_from_fork+0x10/0x10 [ 87.368881][ T5303] ? __switch_to+0xc7d/0x1450 [ 87.370698][ T5303] ? __pfx_kthread+0x10/0x10 [ 87.372507][ T5303] ret_from_fork_asm+0x1a/0x30 [ 87.374440][ T5303] [ 87.375982][ T5303] Kernel Offset: disabled [ 87.377695][ T5303] Rebooting in 86400 seconds..