program:
r0 = socket$alg(0x26, 0x5, 0x0) (async)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
accept$alg(r0, 0x0, 0x0)
ioctl$sock_bt_hci(r1, 0x400448ca, 0x0) (async)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r2, &(0x7f0000000040)="05000000010001", 0x7)
bind$alg(r0, &(0x7f0000000080)={0x26, 'rng\x00', 0x0, 0x0, 'drbg_pr_sha512\x00'}, 0x58) (async, rerun: 64)
accept$alg(r0, 0x0, 0x0) (async, rerun: 64)
bind$alg(r0, &(0x7f00000003c0)={0x26, 'aead\x00', 0x0, 0x0, 'rfc4309(aegis128)\x00'}, 0x6e)
r3 = openat$vmci(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0)
ioctl$IOCTL_VMCI_CTX_ADD_NOTIFICATION(r3, 0x7af, &(0x7f0000000180)={@hyper, 0x4}) (async)
r4 = socket$inet6_sctp(0xa, 0x1, 0x84)
getsockopt$inet6_mtu(r4, 0x29, 0x17, &(0x7f0000000100), &(0x7f0000000140)=0x4)

[   98.046221][    T9] cfg80211: failed to load regulatory.db
[   98.166265][ T5115] Bluetooth: MGMT ver 1.23
[   98.170982][ T5100] Bluetooth: hci0: command tx timeout
[   98.206966][ T5100] ==================================================================
[   98.210230][ T5100] BUG: KASAN: slab-use-after-free in set_powered_sync+0x3a/0xc0
[   98.213356][ T5100] Read of size 8 at addr ffff888011c70098 by task kworker/u5:2/5100
[   98.216659][ T5100] 
[   98.217770][ T5100] CPU: 0 UID: 0 PID: 5100 Comm: kworker/u5:2 Not tainted 6.12.0-rc3-syzkaller-00087-gc964ced77262 #0
[   98.222065][ T5100] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   98.226871][ T5100] Workqueue: hci0 hci_cmd_sync_work
[   98.229624][ T5100] Call Trace:
[   98.231268][ T5100]  <TASK>
[   98.232466][ T5100]  dump_stack_lvl+0x241/0x360
[   98.234353][ T5100]  ? __pfx_dump_stack_lvl+0x10/0x10
[   98.236383][ T5100]  ? __pfx__printk+0x10/0x10
[   98.238249][ T5100]  ? _printk+0xd5/0x120
[   98.240012][ T5100]  ? __virt_addr_valid+0x183/0x530
[   98.242574][ T5100]  ? __virt_addr_valid+0x183/0x530
[   98.245253][ T5100]  print_report+0x169/0x550
[   98.247163][ T5100]  ? __virt_addr_valid+0x183/0x530
[   98.249189][ T5100]  ? __virt_addr_valid+0x183/0x530
[   98.251311][ T5100]  ? __virt_addr_valid+0x45f/0x530
[   98.253592][ T5100]  ? __phys_addr+0xba/0x170
[   98.255807][ T5100]  ? set_powered_sync+0x3a/0xc0
[   98.258139][ T5100]  kasan_report+0x143/0x180
[   98.260052][ T5100]  ? set_powered_sync+0x3a/0xc0
[   98.261976][ T5100]  set_powered_sync+0x3a/0xc0
[   98.263835][ T5100]  ? __pfx_set_powered_sync+0x10/0x10
[   98.266305][ T5100]  hci_cmd_sync_work+0x22b/0x400
[   98.269086][ T5100]  ? process_scheduled_works+0x976/0x1850
[   98.271951][ T5100]  process_scheduled_works+0xa63/0x1850
[   98.274382][ T5100]  ? __pfx_process_scheduled_works+0x10/0x10
[   98.276768][ T5100]  ? assign_work+0x364/0x3d0
[   98.278707][ T5100]  worker_thread+0x870/0xd30
[   98.280585][ T5100]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   98.283025][ T5100]  ? __kthread_parkme+0x169/0x1d0
[   98.285291][ T5100]  ? __pfx_worker_thread+0x10/0x10
[   98.287600][ T5100]  kthread+0x2f0/0x390
[   98.289609][ T5100]  ? __pfx_worker_thread+0x10/0x10
[   98.291993][ T5100]  ? __pfx_kthread+0x10/0x10
[   98.294057][ T5100]  ret_from_fork+0x4b/0x80
[   98.295905][ T5100]  ? __pfx_kthread+0x10/0x10
[   98.297757][ T5100]  ret_from_fork_asm+0x1a/0x30
[   98.300608][ T5100]  </TASK>
[   98.302061][ T5100] 
[   98.303192][ T5100] Allocated by task 5115:
[   98.305255][ T5100]  kasan_save_track+0x3f/0x80
[   98.307422][ T5100]  __kasan_kmalloc+0x98/0xb0
[   98.309306][ T5100]  __kmalloc_cache_noprof+0x19c/0x2c0
[   98.311470][ T5100]  mgmt_pending_new+0x65/0x250
[   98.313414][ T5100]  mgmt_pending_add+0x36/0x120
[   98.315313][ T5100]  set_powered+0x3cd/0x5e0
[   98.317058][ T5100]  hci_mgmt_cmd+0xc47/0x11d0
[   98.319114][ T5100]  hci_sock_sendmsg+0x7b8/0x11c0
[   98.321521][ T5100]  __sock_sendmsg+0x221/0x270
[   98.323823][ T5100]  sock_write_iter+0x2d7/0x3f0
[   98.325806][ T5100]  vfs_write+0xa6d/0xc90
[   98.327495][ T5100]  ksys_write+0x183/0x2b0
[   98.329197][ T5100]  do_syscall_64+0xf3/0x230
[   98.330987][ T5100]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   98.333332][ T5100] 
[   98.334476][ T5100] Freed by task 5114:
[   98.336554][ T5100]  kasan_save_track+0x3f/0x80
[   98.339000][ T5100]  kasan_save_free_info+0x40/0x50
[   98.341396][ T5100]  __kasan_slab_free+0x59/0x70
[   98.343644][ T5100]  kfree+0x1a0/0x440
[   98.345373][ T5100]  settings_rsp+0x2bc/0x390
[   98.347165][ T5100]  mgmt_pending_foreach+0xd1/0x130
[   98.349040][ T5100]  __mgmt_power_off+0x106/0x430
[   98.350856][ T5100]  hci_dev_close_sync+0x665/0x11a0
[   98.352737][ T5100]  hci_dev_close+0x112/0x210
[   98.354473][ T5100]  sock_do_ioctl+0x158/0x460
[   98.356472][ T5100]  sock_ioctl+0x626/0x8e0
[   98.358508][ T5100]  __se_sys_ioctl+0xf9/0x170
[   98.360741][ T5100]  do_syscall_64+0xf3/0x230
[   98.362926][ T5100]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   98.365188][ T5100] 
[   98.366075][ T5100] The buggy address belongs to the object at ffff888011c70080
[   98.366075][ T5100]  which belongs to the cache kmalloc-96 of size 96
[   98.371024][ T5100] The buggy address is located 24 bytes inside of
[   98.371024][ T5100]  freed 96-byte region [ffff888011c70080, ffff888011c700e0)
[   98.377199][ T5100] 
[   98.378551][ T5100] The buggy address belongs to the physical page:
[   98.381633][ T5100] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11c70
[   98.385080][ T5100] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   98.387824][ T5100] page_type: f5(slab)
[   98.389384][ T5100] raw: 00fff00000000000 ffff88801ac41280 dead000000000100 dead000000000122
[   98.393096][ T5100] raw: 0000000000000000 0000000080200020 00000001f5000000 0000000000000000
[   98.397153][ T5100] page dumped because: kasan: bad access detected
[   98.399932][ T5100] page_owner tracks the page as allocated
[   98.402059][ T5100] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 785, tgid 785 (kworker/0:2), ts 98154810359, free_ts 95012631346
[   98.410033][ T5100]  post_alloc_hook+0x1f3/0x230
[   98.412440][ T5100]  get_page_from_freelist+0x3045/0x3190
[   98.414826][ T5100]  __alloc_pages_noprof+0x292/0x710
[   98.416896][ T5100]  alloc_pages_mpol_noprof+0x3e8/0x680
[   98.418957][ T5100]  alloc_slab_page+0x6a/0x120
[   98.420606][ T5100]  allocate_slab+0x5a/0x2f0
[   98.422281][ T5100]  ___slab_alloc+0xcd1/0x14b0
[   98.424123][ T5100]  __slab_alloc+0x58/0xa0
[   98.426056][ T5100]  __kmalloc_noprof+0x25a/0x400
[   98.428209][ T5100]  cfg80211_inform_single_bss_data+0xb2d/0x2090
[   98.430806][ T5100]  cfg80211_inform_bss_data+0x3ce/0x5e70
[   98.432899][ T5100]  cfg80211_inform_bss_frame_data+0x3b8/0x720
[   98.435189][ T5100]  ieee80211_bss_info_update+0x8a7/0xbc0
[   98.437609][ T5100]  ieee80211_scan_rx+0x526/0x9c0
[   98.440281][ T5100]  ieee80211_rx_list+0x2b02/0x3780
[   98.442789][ T5100]  ieee80211_rx_napi+0x18a/0x3c0
[   98.445060][ T5100] page last free pid 5097 tgid 5097 stack trace:
[   98.447253][ T5100]  free_unref_page+0xcfb/0xf20
[   98.448982][ T5100]  __slab_free+0x31b/0x3d0
[   98.450680][ T5100]  qlist_free_all+0x9a/0x140
[   98.452483][ T5100]  kasan_quarantine_reduce+0x14f/0x170
[   98.454940][ T5100]  __kasan_slab_alloc+0x23/0x80
[   98.457488][ T5100]  __kmalloc_cache_noprof+0x132/0x2c0
[   98.460501][ T5100]  ____ip_mc_inc_group+0x31d/0xbf0
[   98.462981][ T5100]  ip_mc_up+0x124/0x300
[   98.464758][ T5100]  inetdev_event+0xfaa/0x1550
[   98.466589][ T5100]  notifier_call_chain+0x19f/0x3e0
[   98.468614][ T5100]  __dev_notify_flags+0x207/0x400
[   98.470591][ T5100]  dev_change_flags+0xf0/0x1a0
[   98.472361][ T5100]  do_setlink+0xcd0/0x41f0
[   98.474250][ T5100]  rtnl_newlink+0x180d/0x20a0
[   98.476320][ T5100]  rtnetlink_rcv_msg+0x73f/0xcf0
[   98.479209][ T5100]  netlink_rcv_skb+0x1e3/0x430
[   98.481651][ T5100] 
[   98.482736][ T5100] Memory state around the buggy address:
[   98.485055][ T5100]  ffff888011c6ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   98.488151][ T5100]  ffff888011c70000: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[   98.491416][ T5100] >ffff888011c70080: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   98.495024][ T5100]                             ^
[   98.497703][ T5100]  ffff888011c70100: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   98.500842][ T5100]  ffff888011c70180: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[   98.503768][ T5100] ==================================================================
[   98.526365][ T5100] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   98.530263][ T5100] CPU: 0 UID: 0 PID: 5100 Comm: kworker/u5:2 Not tainted 6.12.0-rc3-syzkaller-00087-gc964ced77262 #0
[   98.535658][ T5100] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   98.539763][ T5100] Workqueue: hci0 hci_cmd_sync_work
[   98.542219][ T5100] Call Trace:
[   98.543572][ T5100]  <TASK>
[   98.544762][ T5100]  dump_stack_lvl+0x241/0x360
[   98.546763][ T5100]  ? __pfx_dump_stack_lvl+0x10/0x10
[   98.548954][ T5100]  ? __pfx__printk+0x10/0x10
[   98.551185][ T5100]  ? preempt_schedule+0xe1/0xf0
[   98.553278][ T5100]  ? vscnprintf+0x5d/0x90
[   98.555091][ T5100]  panic+0x349/0x880
[   98.556647][ T5100]  ? check_panic_on_warn+0x21/0xb0
[   98.558664][ T5100]  ? __pfx_panic+0x10/0x10
[   98.560679][ T5100]  ? _raw_spin_unlock_irqrestore+0x130/0x140
[   98.563670][ T5100]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   98.566467][ T5100]  ? print_report+0x502/0x550
[   98.568447][ T5100]  check_panic_on_warn+0x86/0xb0
[   98.570488][ T5100]  ? set_powered_sync+0x3a/0xc0
[   98.572352][ T5100]  end_report+0x77/0x160
[   98.574052][ T5100]  kasan_report+0x154/0x180
[   98.575877][ T5100]  ? set_powered_sync+0x3a/0xc0
[   98.578038][ T5100]  set_powered_sync+0x3a/0xc0
[   98.580344][ T5100]  ? __pfx_set_powered_sync+0x10/0x10
[   98.583139][ T5100]  hci_cmd_sync_work+0x22b/0x400
[   98.585410][ T5100]  ? process_scheduled_works+0x976/0x1850
[   98.587523][ T5100]  process_scheduled_works+0xa63/0x1850
[   98.589432][ T5100]  ? __pfx_process_scheduled_works+0x10/0x10
[   98.591834][ T5100]  ? assign_work+0x364/0x3d0
[   98.593645][ T5100]  worker_thread+0x870/0xd30
[   98.595476][ T5100]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   98.598034][ T5100]  ? __kthread_parkme+0x169/0x1d0
[   98.600308][ T5100]  ? __pfx_worker_thread+0x10/0x10
[   98.602938][ T5100]  kthread+0x2f0/0x390
[   98.604886][ T5100]  ? __pfx_worker_thread+0x10/0x10
[   98.607318][ T5100]  ? __pfx_kthread+0x10/0x10
[   98.609114][ T5100]  ret_from_fork+0x4b/0x80
[   98.610843][ T5100]  ? __pfx_kthread+0x10/0x10
[   98.612700][ T5100]  ret_from_fork_asm+0x1a/0x30
[   98.614625][ T5100]  </TASK>
[   98.616219][ T5100] Kernel Offset: disabled
[   98.618123][ T5100] Rebooting in 86400 seconds..