program:
syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22)
r0 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
getsockopt$netrom_NETROM_T4(r0, 0x103, 0x6, 0x0, &(0x7f00000017c0))
syz_emit_vhci(&(0x7f00000000c0)=ANY=[], 0x11)
ioctl$FS_IOC_SET_ENCRYPTION_POLICY(0xffffffffffffffff, 0x40086602, 0x0)
syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0405"], 0x7)
r1 = socket$inet_sctp(0x2, 0x1, 0x84)
setsockopt$IP_VS_SO_SET_ADD(r1, 0x0, 0x482, &(0x7f0000000040)={0x84, @dev={0xac, 0x14, 0x14, 0xd}, 0x15, 0x80003, 'sh\x00', 0x1, 0x4, 0x72}, 0x2c)
r2 = socket$inet_tcp(0x2, 0x1, 0x0)
setsockopt$IP_VS_SO_SET_FLUSH(r2, 0x0, 0x485, 0x0, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000000640)='mnt/encrypted_dir\x00', 0x0)
r3 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='mnt/encrypted_dir\x00', 0x800, 0x44)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r5 = socket$nl_audit(0x10, 0x3, 0x9)
sendmsg$AUDIT_USER(r5, &(0x7f0000000600)={0x0, 0x0, &(0x7f00000005c0)={&(0x7f00000004c0)={0x10, 0x3ed, 0x4, 0x70bd2c, 0x25dfdbfe}, 0x10}, 0x1, 0x0, 0x0, 0x40001}, 0x20000840)
ioctl$sock_bt_hci(r4, 0x400448cb, 0x0)
syz_emit_vhci(&(0x7f00000007c0)=ANY=[@ANYBLOB="040e06006220"], 0x9)
ioctl$FS_IOC_SET_ENCRYPTION_POLICY(r3, 0x800c6613, &(0x7f00000006c0)=@v1={0x0, @adiantum, 0x2, @desc4})
chdir(&(0x7f0000000e40)='mnt/encrypted_dir\x00')
symlink(&(0x7f0000000540)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', &(0x7f0000000800)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00')
syz_emit_vhci(&(0x7f0000000100)=@HCI_EVENT_PKT={0x4, @hci_ev_role_change={{0x12, 0x8}}}, 0xb)
r6 = openat$uinput(0xffffff9c, &(0x7f0000000180), 0x0, 0x0)
ioctl$UI_DEV_SETUP(r6, 0x405c5503, &(0x7f0000000000)={{}, 'syz1\x00'})
ioctl$UI_SET_EVBIT(r6, 0x40045564, 0x1e)
ioctl$UI_DEV_CREATE(r6, 0x5501)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)

[   75.234214][ T5294] Bluetooth: hci0: command tx timeout
[   75.383228][ T5307] IPVS: starting estimator thread 0...
[   75.441631][ T4662] Bluetooth: hci0: unexpected Set CIG Parameters response data
[   75.469327][ T5316] IPVS: using max 61 ests per chain, 146400 per kthread
[   75.472719][ T5315] input: syz1 as /devices/virtual/input/input5
[   76.663057][ T1312] ieee802154 phy0 wpan0: encryption failed: -22
[   76.666046][ T1312] ieee802154 phy1 wpan1: encryption failed: -22
[   77.378419][ T5294] ==================================================================
[   77.384655][ T5294] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2a0
[   77.388126][ T5294] Write of size 4 at addr ffff888012b30010 by task kworker/u5:2/5294
[   77.391729][ T5294] 
[   77.392906][ T5294] CPU: 0 UID: 0 PID: 5294 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) 
[   77.392922][ T5294] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   77.393060][ T5294] Workqueue: hci0 hci_cmd_sync_work
[   77.394782][ T5294] Call Trace:
[   77.394968][ T5294]  <TASK>
[   77.395004][ T5294]  dump_stack_lvl+0xe8/0x150
[   77.395073][ T5294]  print_report+0xba/0x230
[   77.395088][ T5294]  ? hci_conn_drop+0x34/0x2a0
[   77.395103][ T5294]  kasan_report+0x117/0x150
[   77.395184][ T5294]  ? hci_conn_drop+0x34/0x2a0
[   77.395195][ T5294]  kasan_check_range+0x264/0x2c0
[   77.395206][ T5294]  hci_conn_drop+0x34/0x2a0
[   77.395365][ T5294]  ? __pfx_le_read_features_complete+0x10/0x10
[   77.395381][ T5294]  hci_cmd_sync_work+0x262/0x400
[   77.395396][ T5294]  ? process_scheduled_works+0xa25/0x1830
[   77.395411][ T5294]  process_scheduled_works+0xb02/0x1830
[   77.395450][ T5294]  ? __pfx_process_scheduled_works+0x10/0x10
[   77.395466][ T5294]  ? assign_work+0x3d5/0x5e0
[   77.395480][ T5294]  worker_thread+0xa50/0xfc0
[   77.395500][ T5294]  kthread+0x388/0x470
[   77.395512][ T5294]  ? __pfx_worker_thread+0x10/0x10
[   77.395526][ T5294]  ? __pfx_kthread+0x10/0x10
[   77.395537][ T5294]  ret_from_fork+0x51e/0xb90
[   77.395587][ T5294]  ? __pfx_ret_from_fork+0x10/0x10
[   77.395602][ T5294]  ? __switch_to+0xc7d/0x1450
[   77.395615][ T5294]  ? __pfx_kthread+0x10/0x10
[   77.395626][ T5294]  ret_from_fork_asm+0x1a/0x30
[   77.395647][ T5294]  </TASK>
[   77.395652][ T5294] 
[   77.458376][ T5294] Allocated by task 5294:
[   77.461596][ T5294]  kasan_save_track+0x3e/0x80
[   77.463732][ T5294]  __kasan_kmalloc+0x93/0xb0
[   77.465797][ T5294]  __kmalloc_cache_noprof+0x31c/0x660
[   77.468144][ T5294]  __hci_conn_add+0x3c4/0x1e00
[   77.470338][ T5294]  le_conn_complete_evt+0x706/0x1430
[   77.472726][ T5294]  hci_le_enh_conn_complete_evt+0x189/0x490
[   77.475338][ T5294]  hci_event_packet+0x7af/0x12c0
[   77.477363][ T5294]  hci_rx_work+0x3ee/0x1030
[   77.479317][ T5294]  process_scheduled_works+0xb02/0x1830
[   77.481792][ T5294]  worker_thread+0xa50/0xfc0
[   77.483849][ T5294]  kthread+0x388/0x470
[   77.485675][ T5294]  ret_from_fork+0x51e/0xb90
[   77.487812][ T5294]  ret_from_fork_asm+0x1a/0x30
[   77.489992][ T5294] 
[   77.491109][ T5294] Freed by task 4662:
[   77.492913][ T5294]  kasan_save_track+0x3e/0x80
[   77.494993][ T5294]  kasan_save_free_info+0x46/0x50
[   77.497181][ T5294]  __kasan_slab_free+0x5c/0x80
[   77.499330][ T5294]  kfree+0x1c1/0x630
[   77.501143][ T5294]  device_release+0x9e/0x1d0
[   77.503335][ T5294]  kobject_put+0x228/0x560
[   77.505430][ T5294]  hci_conn_del+0xc36/0x1230
[   77.507473][ T5294]  hci_disconn_complete_evt+0x64e/0x950
[   77.509926][ T5294]  hci_event_packet+0x805/0x12c0
[   77.512167][ T5294]  hci_rx_work+0x3ee/0x1030
[   77.514181][ T5294]  process_scheduled_works+0xb02/0x1830
[   77.516719][ T5294]  worker_thread+0xa50/0xfc0
[   77.518818][ T5294]  kthread+0x388/0x470
[   77.520651][ T5294]  ret_from_fork+0x51e/0xb90
[   77.522717][ T5294]  ret_from_fork_asm+0x1a/0x30
[   77.524855][ T5294] 
[   77.525946][ T5294] The buggy address belongs to the object at ffff888012b30000
[   77.525946][ T5294]  which belongs to the cache kmalloc-8k of size 8192
[   77.531912][ T5294] The buggy address is located 16 bytes inside of
[   77.531912][ T5294]  freed 8192-byte region [ffff888012b30000, ffff888012b32000)
[   77.537889][ T5294] 
[   77.538998][ T5294] The buggy address belongs to the physical page:
[   77.541929][ T5294] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12b30
[   77.545620][ T5294] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   77.549247][ T5294] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[   77.552541][ T5294] page_type: f5(slab)
[   77.554277][ T5294] raw: 00fff00000000040 ffff88801a842280 dead000000000100 dead000000000122
[   77.557903][ T5294] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[   77.561408][ T5294] head: 00fff00000000040 ffff88801a842280 dead000000000100 dead000000000122
[   77.564905][ T5294] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[   77.568383][ T5294] head: 00fff00000000003 ffffea00004acc01 00000000ffffffff 00000000ffffffff
[   77.571958][ T5294] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[   77.575658][ T5294] page dumped because: kasan: bad access detected
[   77.578583][ T5294] page_owner tracks the page as allocated
[   77.581108][ T5294] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4681, tgid 4681 (kworker/u4:0), ts 29735808631, free_ts 29252609233
[   77.589254][ T5294]  post_alloc_hook+0x231/0x280
[   77.591299][ T5294]  get_page_from_freelist+0x24dc/0x2580
[   77.593738][ T5294]  __alloc_frozen_pages_noprof+0x18d/0x380
[   77.596274][ T5294]  allocate_slab+0x77/0x660
[   77.598271][ T5294]  refill_objects+0x331/0x3c0
[   77.600372][ T5294]  __pcs_replace_empty_main+0x2b9/0x620
[   77.602860][ T5294]  __kmalloc_cache_noprof+0x392/0x660
[   77.605273][ T5294]  tomoyo_init_log+0x112e/0x1fb0
[   77.607457][ T5294]  tomoyo_supervisor+0x353/0x1570
[   77.609788][ T5294]  tomoyo_env_perm+0x151/0x1f0
[   77.611950][ T5294]  tomoyo_find_next_domain+0x15cb/0x1aa0
[   77.614469][ T5294]  tomoyo_bprm_check_security+0x11b/0x180
[   77.616959][ T5294]  security_bprm_check+0x85/0x240
[   77.619112][ T5294]  bprm_execve+0x896/0x1460
[   77.621246][ T5294]  kernel_execve+0x844/0x930
[   77.623244][ T5294]  call_usermodehelper_exec_async+0x20f/0x360
[   77.625830][ T5294] page last free pid 1 tgid 1 stack trace:
[   77.628335][ T5294]  __free_frozen_pages+0xc2b/0xdb0
[   77.630508][ T5294]  free_reserved_page+0xce/0x120
[   77.632728][ T5294]  free_reserved_area+0x90/0x190
[   77.634725][ T5294]  free_kernel_image_pages+0xa2/0x100
[   77.636865][ T5294]  kernel_init+0x31/0x1d0
[   77.638577][ T5294]  ret_from_fork+0x51e/0xb90
[   77.640476][ T5294]  ret_from_fork_asm+0x1a/0x30
[   77.642368][ T5294] 
[   77.643362][ T5294] Memory state around the buggy address:
[   77.645574][ T5294]  ffff888012b2ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   77.648812][ T5294]  ffff888012b2ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   77.652180][ T5294] >ffff888012b30000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.655497][ T5294]                          ^
[   77.657437][ T5294]  ffff888012b30080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.660829][ T5294]  ffff888012b30100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.664248][ T5294] ==================================================================
[   77.678093][ T5294] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   77.681277][ T5294] CPU: 0 UID: 0 PID: 5294 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) 
[   77.685068][ T5294] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   77.689057][ T5294] Workqueue: hci0 hci_cmd_sync_work
[   77.691370][ T5294] Call Trace:
[   77.692838][ T5294]  <TASK>
[   77.694071][ T5294]  vpanic+0x56c/0xa60
[   77.695825][ T5294]  ? __pfx_vpanic+0x10/0x10
[   77.697800][ T5294]  panic+0xc5/0xd0
[   77.699400][ T5294]  ? __pfx_panic+0x10/0x10
[   77.701266][ T5294]  ? preempt_schedule_thunk+0x16/0x30
[   77.703436][ T5294]  ? preempt_schedule_thunk+0x16/0x30
[   77.705693][ T5294]  ? hci_conn_drop+0x34/0x2a0
[   77.707622][ T5294]  check_panic_on_warn+0x89/0xb0
[   77.709880][ T5294]  ? hci_conn_drop+0x34/0x2a0
[   77.711954][ T5294]  end_report+0x73/0x180
[   77.713657][ T5294]  ? hci_conn_drop+0x34/0x2a0
[   77.715702][ T5294]  kasan_report+0x128/0x150
[   77.717728][ T5294]  ? hci_conn_drop+0x34/0x2a0
[   77.719895][ T5294]  kasan_check_range+0x264/0x2c0
[   77.721904][ T5294]  hci_conn_drop+0x34/0x2a0
[   77.723903][ T5294]  ? __pfx_le_read_features_complete+0x10/0x10
[   77.726407][ T5294]  hci_cmd_sync_work+0x262/0x400
[   77.728531][ T5294]  ? process_scheduled_works+0xa25/0x1830
[   77.731051][ T5294]  process_scheduled_works+0xb02/0x1830
[   77.733467][ T5294]  ? __pfx_process_scheduled_works+0x10/0x10
[   77.735889][ T5294]  ? assign_work+0x3d5/0x5e0
[   77.737903][ T5294]  worker_thread+0xa50/0xfc0
[   77.739879][ T5294]  kthread+0x388/0x470
[   77.741622][ T5294]  ? __pfx_worker_thread+0x10/0x10
[   77.743810][ T5294]  ? __pfx_kthread+0x10/0x10
[   77.745729][ T5294]  ret_from_fork+0x51e/0xb90
[   77.747676][ T5294]  ? __pfx_ret_from_fork+0x10/0x10
[   77.749713][ T5294]  ? __switch_to+0xc7d/0x1450
[   77.751621][ T5294]  ? __pfx_kthread+0x10/0x10
[   77.753435][ T5294]  ret_from_fork_asm+0x1a/0x30
[   77.755408][ T5294]  </TASK>
[   77.757064][ T5294] Kernel Offset: disabled
[   77.758745][ T5294] Rebooting in 86400 seconds..