program:
# Reproducer for the KASAN slab-use-after-free in hci_conn_drop reported below.
# What the report itself shows: the hci_conn object (kmalloc-8k) is allocated by
# __hci_conn_add from an LE enhanced-connection-complete event on an hci_rx_work
# worker, freed by hci_conn_del from a disconnect-complete event on a different
# hci_rx_work worker, and then written (4 bytes, 16 bytes into the freed object)
# by hci_conn_drop running from hci_cmd_sync_work. Two workers touching the same
# conn points at a lifetime/refcount race between event processing and a pending
# sync command; the "? __pfx_le_read_features_complete" frame hints at the LE
# read-features completion path but is a heuristic stack entry, so treat it as a
# lead, not a finding. Both the allocating and the freeing paths are fed by HCI
# packets injected through the emulated controller (syz_emit_vhci); the two
# "command tx timeout" lines before the splat indicate the emulated controller
# never answered a command, which is presumably what keeps the sync-command work
# pending long enough to race (unverified).
# Note: the ifindex resource marker on the SIOCGIFINDEX call had been stripped by
# HTML rendering; r6 is consumed twice below, so it is restored as <r6=>.
syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="0200300c000800"], 0x11)
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_CREATE(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000044c0)={&(0x7f0000000440)={0x50, 0x2, 0x6, 0x101, 0x0, 0x0, {0x0, 0x0, 0x1}, [@IPSET_ATTR_FAMILY={0x5, 0x5, 0x2}, @IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_REVISION={0x5, 0x4, 0x3}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz1\x00'}, @IPSET_ATTR_TYPENAME={0x15, 0x3, 'hash:ip,port,net\x00'}]}, 0x50}, 0x1, 0x0, 0x0, 0x4040000}, 0x800)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_ADD(r1, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000300)={0x60, 0x9, 0x6, 0x3, 0x0, 0x0, {0x5}, [@IPSET_ATTR_SETNAME={0x9, 0x2, 'syz1\x00'}, @IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_DATA={0x38, 0x7, 0x0, 0x1, [@IPSET_ATTR_PORT={0x6, 0x4, 0x1, 0x0, 0x4e21}, @IPSET_ATTR_PROTO={0x5, 0x7, 0x6}, @IPSET_ATTR_IP={0xc, 0x1, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV4={0x8, 0x1, 0x1, 0x0, @private=0xa010101}}, @IPSET_ATTR_IP_TO={0xc, 0x2, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV4={0x8, 0x1, 0x1, 0x0, @empty=0x20000000}}, @IPSET_ATTR_IP2={0xc, 0x14, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV4={0x8, 0x1, 0x1, 0x0, @broadcast}}]}]}, 0x60}, 0x1, 0x0, 0x0, 0x10004893}, 0x80)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_ADD(r2, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000300)={0x60, 0x9, 0x6, 0x3, 0x0, 0x0, {0x5}, [@IPSET_ATTR_SETNAME={0x9, 0x2, 'syz1\x00'}, @IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_DATA={0x38, 0x7, 0x0, 0x1, [@IPSET_ATTR_PORT={0x6, 0x4, 0x1, 0x0, 0x4e21}, @IPSET_ATTR_PROTO={0x5, 0x7, 0xff}, @IPSET_ATTR_IP={0xc, 0x1, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV4={0x8, 0x1, 0x1, 0x0, @private=0xa010101}}, @IPSET_ATTR_IP_TO={0xc, 0x2, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV4={0x8, 0x1, 0x1, 0x0, @multicast2}}, @IPSET_ATTR_IP2={0xc, 0x14, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV4={0x8, 0x1, 0x1, 0x0, @broadcast}}]}]}, 0x60}, 0x1, 0x0, 0x0, 0x10004893}, 0x80)
syz_usb_connect$hid(0x0, 0x0, 0x0, 0x0)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
setresuid(0x0, 0x0, 0x0)
quotactl$Q_GETQUOTA(0x0, 0x0, 0x0, 0x0)
syz_emit_vhci(&(0x7f00000000c0)=@HCI_ACLDATA_PKT={0x2, {0xc9, 0x2, 0x3, 0xa}, @l2cap_cid_le_signaling={{0x6}, @l2cap_conn_param_update_rsp={{0x13, 0x9, 0x2}, {0xdb8}}}}, 0xf)
ioctl$FS_IOC_SET_ENCRYPTION_POLICY(0xffffffffffffffff, 0x40086602, 0x0)
syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7)
syz_emit_vhci(&(0x7f0000000100)=ANY=[@ANYBLOB="0412080000000100000000"], 0xb)
syz_emit_vhci(&(0x7f0000000140)=@HCI_SCODATA_PKT={0x3, {0xc9, 0xc0}, "50e475fd0aa623a37febe6475748bc80a50e1263518f1c0ee1bc277f5177a2b9f84124950b421ece6003dc977c9c0470ac77d917d5ae3713ce18c79735f3b199c42f42e86c2c34f96e2a971293dee2e9e21445c8a3e2e413161aded2e911461d584f72998aef205a87b6f8ac9ddf3b11ca5cd437bd598f552d9fa43f151ad642cc0dd226fd63f76064f78693272637eb385b1259a320a2ca130813e16eb72f0e9eb905f9eb05b6f8fc3ad164f29346bbe3c3b4676fc69df37f33fffc60b562e2"}, 0xc4)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r4 = syz_genetlink_get_family_id$nl80211(&(0x7f00000003c0), 0xffffffffffffffff)
r5 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r5, 0x8933, &(0x7f0000000040)={'wlan0\x00', <r6=>0x0})
r7 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000000), 0xffffffffffffffff)
sendmsg$NL80211_CMD_TRIGGER_SCAN(r5, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000001440)={0x1c, r7, 0x1, 0x0, 0x0, {{0x8}, {@val={0x8, 0x3, r6}, @void}}}, 0x1c}, 0x1, 0x0, 0x0, 0x4000}, 0x0)
sendmsg$NL80211_CMD_UNEXPECTED_FRAME(0xffffffffffffffff, &(0x7f0000000500)={&(0x7f0000000280)={0x10, 0x0, 0x0, 0x8}, 0xc, &(0x7f00000004c0)={&(0x7f0000000400)={0x1c, r4, 0x1, 0x2, 0x25dfdbfe, {{}, {@val={0x8, 0x3, r6}, @void}}, [""]}, 0x1c}, 0x1, 0x0, 0x0, 0x4000040}, 0x4048801)
bind$bt_hci(r3, &(0x7f0000000000)={0x1f, 0x0, 0x4}, 0x6)
[ 102.000730][ 
T5302] Bluetooth: hci0: command tx timeout [ 104.097094][ T4668] Bluetooth: hci0: command tx timeout [ 104.184744][ T5302] ================================================================== [ 104.188207][ T5302] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2a0 [ 104.191557][ T5302] Write of size 4 at addr ffff888036e58010 by task kworker/u5:2/5302 [ 104.196218][ T5302] [ 104.197433][ T5302] CPU: 0 UID: 0 PID: 5302 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) [ 104.197446][ T5302] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 104.197453][ T5302] Workqueue: hci0 hci_cmd_sync_work [ 104.197470][ T5302] Call Trace: [ 104.197476][ T5302] [ 104.197481][ T5302] dump_stack_lvl+0xe8/0x150 [ 104.197496][ T5302] print_report+0xba/0x230 [ 104.197506][ T5302] ? hci_conn_drop+0x34/0x2a0 [ 104.197518][ T5302] kasan_report+0x117/0x150 [ 104.197528][ T5302] ? hci_conn_drop+0x34/0x2a0 [ 104.197540][ T5302] kasan_check_range+0x264/0x2c0 [ 104.197549][ T5302] hci_conn_drop+0x34/0x2a0 [ 104.197560][ T5302] ? __pfx_le_read_features_complete+0x10/0x10 [ 104.197569][ T5302] hci_cmd_sync_work+0x262/0x400 [ 104.197579][ T5302] ? process_scheduled_works+0xa8d/0x18c0 [ 104.197591][ T5302] process_scheduled_works+0xb6e/0x18c0 [ 104.197612][ T5302] ? __pfx_process_scheduled_works+0x10/0x10 [ 104.197628][ T5302] ? assign_work+0x3d5/0x5e0 [ 104.197642][ T5302] worker_thread+0xa53/0xfc0 [ 104.197658][ T5302] kthread+0x388/0x470 [ 104.197667][ T5302] ? __pfx_worker_thread+0x10/0x10 [ 104.197677][ T5302] ? __pfx_kthread+0x10/0x10 [ 104.197684][ T5302] ret_from_fork+0x51e/0xb90 [ 104.197697][ T5302] ? __pfx_ret_from_fork+0x10/0x10 [ 104.197710][ T5302] ? __switch_to+0xc7d/0x1450 [ 104.197724][ T5302] ? 
__pfx_kthread+0x10/0x10 [ 104.197736][ T5302] ret_from_fork_asm+0x1a/0x30 [ 104.197760][ T5302] [ 104.197763][ T5302] [ 104.265249][ T5302] Allocated by task 5302: [ 104.267657][ T5302] kasan_save_track+0x3e/0x80 [ 104.270211][ T5302] __kasan_kmalloc+0x93/0xb0 [ 104.272296][ T5302] __kmalloc_cache_noprof+0x31c/0x660 [ 104.274789][ T5302] __hci_conn_add+0x3c4/0x1e00 [ 104.276972][ T5302] le_conn_complete_evt+0x706/0x1430 [ 104.279168][ T5302] hci_le_enh_conn_complete_evt+0x189/0x490 [ 104.281535][ T5302] hci_event_packet+0x7af/0x12c0 [ 104.283995][ T5302] hci_rx_work+0x3ee/0x1030 [ 104.286964][ T5302] process_scheduled_works+0xb6e/0x18c0 [ 104.291586][ T5302] worker_thread+0xa53/0xfc0 [ 104.294090][ T5302] kthread+0x388/0x470 [ 104.296167][ T5302] ret_from_fork+0x51e/0xb90 [ 104.298609][ T5302] ret_from_fork_asm+0x1a/0x30 [ 104.300849][ T5302] [ 104.302022][ T5302] Freed by task 4668: [ 104.303942][ T5302] kasan_save_track+0x3e/0x80 [ 104.306149][ T5302] kasan_save_free_info+0x46/0x50 [ 104.308965][ T5302] __kasan_slab_free+0x5c/0x80 [ 104.311470][ T5302] kfree+0x1c1/0x630 [ 104.313348][ T5302] device_release+0xc4/0x1f0 [ 104.315554][ T5302] kobject_put+0x228/0x560 [ 104.317587][ T5302] hci_conn_del+0xc36/0x1230 [ 104.319581][ T5302] hci_disconn_complete_evt+0x64e/0x950 [ 104.321957][ T5302] hci_event_packet+0x805/0x12c0 [ 104.324240][ T5302] hci_rx_work+0x3ee/0x1030 [ 104.326393][ T5302] process_scheduled_works+0xb6e/0x18c0 [ 104.329629][ T5302] worker_thread+0xa53/0xfc0 [ 104.332151][ T5302] kthread+0x388/0x470 [ 104.333757][ T5302] ret_from_fork+0x51e/0xb90 [ 104.335717][ T5302] ret_from_fork_asm+0x1a/0x30 [ 104.337720][ T5302] [ 104.338779][ T5302] The buggy address belongs to the object at ffff888036e58000 [ 104.338779][ T5302] which belongs to the cache kmalloc-8k of size 8192 [ 104.344872][ T5302] The buggy address is located 16 bytes inside of [ 104.344872][ T5302] freed 8192-byte region [ffff888036e58000, ffff888036e5a000) [ 104.351448][ T5302] [ 
104.352581][ T5302] The buggy address belongs to the physical page: [ 104.355489][ T5302] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36e58 [ 104.359597][ T5302] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 104.363827][ T5302] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) [ 104.367668][ T5302] page_type: f5(slab) [ 104.369333][ T5302] raw: 04fff00000000040 ffff88801ac42280 dead000000000100 dead000000000122 [ 104.373024][ T5302] raw: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000 [ 104.376701][ T5302] head: 04fff00000000040 ffff88801ac42280 dead000000000100 dead000000000122 [ 104.380406][ T5302] head: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000 [ 104.384846][ T5302] head: 04fff00000000003 ffffea0000db9601 00000000ffffffff 00000000ffffffff [ 104.390958][ T5302] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 [ 104.395275][ T5302] page dumped because: kasan: bad access detected [ 104.398216][ T5302] page_owner tracks the page as allocated [ 104.401059][ T5302] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd28c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5012, tgid 5012 (dhcpcd), ts 68663432262, free_ts 68643536526 [ 104.410342][ T5302] post_alloc_hook+0x231/0x280 [ 104.412693][ T5302] get_page_from_freelist+0x24dc/0x2580 [ 104.415075][ T5302] __alloc_frozen_pages_noprof+0x18d/0x380 [ 104.417748][ T5302] allocate_slab+0x77/0x660 [ 104.419743][ T5302] refill_objects+0x331/0x3c0 [ 104.421750][ T5302] __pcs_replace_empty_main+0x2e6/0x730 [ 104.424227][ T5302] __kvmalloc_node_noprof+0x657/0x8a0 [ 104.426954][ T5302] pfifo_fast_init+0x112/0x6c0 [ 104.429381][ T5302] qdisc_create_dflt+0x13b/0x510 [ 104.431566][ T5302] dev_activate+0x378/0x1150 [ 104.433734][ T5302] __dev_open+0x67a/0x830 [ 104.435590][ T5302] __dev_change_flags+0x1f7/0x690 [ 104.437783][ T5302] 
netif_change_flags+0x88/0x1a0 [ 104.440326][ T5302] dev_change_flags+0x130/0x260 [ 104.442901][ T5302] devinet_ioctl+0x9f2/0x1b30 [ 104.445249][ T5302] inet_ioctl+0x42a/0x560 [ 104.447069][ T5302] page last free pid 5090 tgid 5090 stack trace: [ 104.449625][ T5302] __free_frozen_pages+0xc2b/0xdb0 [ 104.451646][ T5302] __slab_free+0x263/0x2b0 [ 104.453405][ T5302] qlist_free_all+0x97/0x100 [ 104.455390][ T5302] kasan_quarantine_reduce+0x148/0x160 [ 104.458297][ T5302] __kasan_slab_alloc+0x22/0x80 [ 104.461466][ T5302] __kmalloc_cache_noprof+0x2ba/0x660 [ 104.464830][ T5302] tomoyo_init_log+0x195/0x1fb0 [ 104.467042][ T5302] tomoyo_supervisor+0x353/0x1570 [ 104.469143][ T5302] tomoyo_path_permission+0x25a/0x380 [ 104.471392][ T5302] tomoyo_path_perm+0x3f3/0x560 [ 104.473543][ T5302] security_inode_getattr+0x12b/0x310 [ 104.475901][ T5302] __x64_sys_newfstat+0x13b/0x270 [ 104.478323][ T5302] do_syscall_64+0x14d/0xf80 [ 104.480350][ T5302] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 104.482901][ T5302] [ 104.484139][ T5302] Memory state around the buggy address: [ 104.488006][ T5302] ffff888036e57f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 104.492749][ T5302] ffff888036e57f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 104.496403][ T5302] >ffff888036e58000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 104.500038][ T5302] ^ [ 104.502163][ T5302] ffff888036e58080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 104.505795][ T5302] ffff888036e58100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 104.509814][ T5302] ================================================================== [ 104.527527][ T5302] Kernel panic - not syncing: KASAN: panic_on_warn set ... 
[ 104.532156][ T5302] CPU: 0 UID: 0 PID: 5302 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) [ 104.536805][ T5302] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 104.541411][ T5302] Workqueue: hci0 hci_cmd_sync_work [ 104.543791][ T5302] Call Trace: [ 104.545231][ T5302] [ 104.546462][ T5302] vpanic+0x56c/0xa60 [ 104.548156][ T5302] ? __pfx_vpanic+0x10/0x10 [ 104.550287][ T5302] panic+0xc5/0xd0 [ 104.552462][ T5302] ? __pfx_panic+0x10/0x10 [ 104.555315][ T5302] ? preempt_schedule_thunk+0x16/0x30 [ 104.558306][ T5302] ? preempt_schedule_thunk+0x16/0x30 [ 104.560688][ T5302] ? hci_conn_drop+0x34/0x2a0 [ 104.562589][ T5302] check_panic_on_warn+0x89/0xb0 [ 104.564667][ T5302] ? hci_conn_drop+0x34/0x2a0 [ 104.566885][ T5302] end_report+0x73/0x180 [ 104.568861][ T5302] ? hci_conn_drop+0x34/0x2a0 [ 104.571102][ T5302] kasan_report+0x128/0x150 [ 104.573175][ T5302] ? hci_conn_drop+0x34/0x2a0 [ 104.575408][ T5302] kasan_check_range+0x264/0x2c0 [ 104.577846][ T5302] hci_conn_drop+0x34/0x2a0 [ 104.580146][ T5302] ? __pfx_le_read_features_complete+0x10/0x10 [ 104.583286][ T5302] hci_cmd_sync_work+0x262/0x400 [ 104.585540][ T5302] ? process_scheduled_works+0xa8d/0x18c0 [ 104.588108][ T5302] process_scheduled_works+0xb6e/0x18c0 [ 104.590617][ T5302] ? __pfx_process_scheduled_works+0x10/0x10 [ 104.593255][ T5302] ? assign_work+0x3d5/0x5e0 [ 104.595326][ T5302] worker_thread+0xa53/0xfc0 [ 104.597995][ T5302] kthread+0x388/0x470 [ 104.600379][ T5302] ? __pfx_worker_thread+0x10/0x10 [ 104.603125][ T5302] ? __pfx_kthread+0x10/0x10 [ 104.605296][ T5302] ret_from_fork+0x51e/0xb90 [ 104.607648][ T5302] ? __pfx_ret_from_fork+0x10/0x10 [ 104.609959][ T5302] ? __switch_to+0xc7d/0x1450 [ 104.612245][ T5302] ? __pfx_kthread+0x10/0x10 [ 104.614331][ T5302] ret_from_fork_asm+0x1a/0x30 [ 104.616165][ T5302] [ 104.617985][ T5302] Kernel Offset: disabled [ 104.620082][ T5302] Rebooting in 86400 seconds..