program:
getsockopt$sock_cred(0xffffffffffffffff, 0x1, 0x11, 0x0, 0x0)
setresgid(0x0, 0x0, 0x0)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000000)={0x1f, 0x8ef, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
r1 = syz_init_net_socket$bt_bnep(0x1f, 0x3, 0x4)
ioctl$sock_bt_bnep_BNEPCONNADD(r1, 0x400442c8, &(0x7f00000001c0)={r0, 0x1, 0x2})
ioctl$sock_bt_bnep_BNEPCONNDEL(r1, 0x400442c9, 0x0)
syz_init_net_socket$nl_rdma(0x10, 0x3, 0x10)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r2, 0x400448ca, 0x0) (fail_nth: 4)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r3, 0x400448c9, 0x0)
syz_emit_vhci(0x0, 0x22)

[   79.575227][ T4669] Bluetooth: hci0: command tx timeout
[   79.580855][ T1313] ieee802154 phy0 wpan0: encryption failed: -22
[   79.592225][ T1313] ieee802154 phy1 wpan1: encryption failed: -22
[   79.824463][ T5316] ==================================================================
[   79.827916][ T5316] BUG: KASAN: slab-use-after-free in cfusbl_device_notify+0x150/0x6a0
[   79.831540][ T5316] Read of size 8 at addr ffff88803677cc50 by task syz.0.0/5316
[   79.834710][ T5316] 
[   79.835757][ T5316] CPU: 0 UID: 0 PID: 5316 Comm: syz.0.0 Not tainted 6.15.0-syzkaller-10820-gcd2e103d57e5 #0 PREEMPT(full) 
[   79.835771][ T5316] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   79.835777][ T5316] Call Trace:
[   79.835784][ T5316]  <TASK>
[   79.835790][ T5316]  dump_stack_lvl+0x189/0x250
[   79.835809][ T5316]  ? __virt_addr_valid+0x1c8/0x5c0
[   79.835825][ T5316]  ? rcu_is_watching+0x15/0xb0
[   79.835840][ T5316]  ? __kasan_check_byte+0x12/0x40
[   79.835889][ T5316]  ? __pfx_dump_stack_lvl+0x10/0x10
[   79.835903][ T5316]  ? rcu_is_watching+0x15/0xb0
[   79.835915][ T5316]  ? lock_release+0x4b/0x3e0
[   79.835930][ T5316]  ? __virt_addr_valid+0x1c8/0x5c0
[   79.835943][ T5316]  ? __virt_addr_valid+0x4a5/0x5c0
[   79.835957][ T5316]  print_report+0xd2/0x2b0
[   79.835969][ T5316]  ? cfusbl_device_notify+0x150/0x6a0
[   79.835983][ T5316]  kasan_report+0x118/0x150
[   79.835998][ T5316]  ? cfusbl_device_notify+0x150/0x6a0
[   79.836013][ T5316]  cfusbl_device_notify+0x150/0x6a0
[   79.836026][ T5316]  ? net_generic+0x1e/0x240
[   79.836038][ T5316]  ? __pfx_cfusbl_device_notify+0x10/0x10
[   79.836051][ T5316]  ? caif_device_notify+0x250/0xfc0
[   79.836064][ T5316]  ? smc_pnet_netdev_event+0x3b5/0x6c0
[   79.836081][ T5316]  notifier_call_chain+0x1b6/0x3e0
[   79.836098][ T5316]  register_netdevice+0x121c/0x1ae0
[   79.836112][ T5316]  ? __mutex_lock+0x51b/0xe80
[   79.836157][ T5316]  ? __pfx_register_netdevice+0x10/0x10
[   79.836170][ T5316]  ? __asan_memset+0x22/0x50
[   79.836182][ T5316]  ? dev_addr_mod+0x2ce/0x3d0
[   79.836194][ T5316]  register_netdev+0x40/0x60
[   79.836205][ T5316]  bnep_add_connection+0x6bf/0xbf0
[   79.836221][ T5316]  ? __pfx_bnep_add_connection+0x10/0x10
[   79.836232][ T5316]  ? __fget_files+0x3a0/0x420
[   79.836247][ T5316]  do_bnep_sock_ioctl+0x40e/0x640
[   79.836259][ T5316]  ? __pfx_do_bnep_sock_ioctl+0x10/0x10
[   79.836273][ T5316]  ? tomoyo_path_number_perm+0x1bc/0x5a0
[   79.836287][ T5316]  ? tomoyo_path_number_perm+0x4e2/0x5a0
[   79.836298][ T5316]  ? __pfx_tomoyo_path_number_perm+0x10/0x10
[   79.836312][ T5316]  sock_do_ioctl+0xd9/0x300
[   79.836326][ T5316]  ? __pfx_sock_do_ioctl+0x10/0x10
[   79.836339][ T5316]  ? __lock_acquire+0xab9/0xd20
[   79.836353][ T5316]  sock_ioctl+0x576/0x790
[   79.836366][ T5316]  ? __pfx_sock_ioctl+0x10/0x10
[   79.836378][ T5316]  ? __fget_files+0x2a/0x420
[   79.836387][ T5316]  ? __fget_files+0x3a0/0x420
[   79.836395][ T5316]  ? __fget_files+0x2a/0x420
[   79.836405][ T5316]  ? bpf_lsm_file_ioctl+0x9/0x20
[   79.836418][ T5316]  ? __pfx_sock_ioctl+0x10/0x10
[   79.836431][ T5316]  __se_sys_ioctl+0xfc/0x170
[   79.836443][ T5316]  do_syscall_64+0xfa/0x3b0
[   79.836457][ T5316]  ? lockdep_hardirqs_on+0x9c/0x150
[   79.836468][ T5316]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   79.836480][ T5316]  ? clear_bhb_loop+0x60/0xb0
[   79.836491][ T5316]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   79.836501][ T5316] RIP: 0033:0x7f13b218e969
[   79.836514][ T5316] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   79.836524][ T5316] RSP: 002b:00007f13b2fb7038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   79.836535][ T5316] RAX: ffffffffffffffda RBX: 00007f13b23b5fa0 RCX: 00007f13b218e969
[   79.836543][ T5316] RDX: 00002000000001c0 RSI: 00000000400442c8 RDI: 0000000000000005
[   79.836550][ T5316] RBP: 00007f13b2210ab1 R08: 0000000000000000 R09: 0000000000000000
[   79.836557][ T5316] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   79.836564][ T5316] R13: 0000000000000000 R14: 00007f13b23b5fa0 R15: 00007ffc71c76508
[   79.836575][ T5316]  </TASK>
[   79.836578][ T5316] 
[   79.982510][ T5316] Allocated by task 4669:
[   79.984343][ T5316]  kasan_save_track+0x3e/0x80
[   79.986573][ T5316]  __kasan_kmalloc+0x93/0xb0
[   79.988446][ T5316]  __kmalloc_cache_noprof+0x230/0x3d0
[   79.990752][ T5316]  __hci_conn_add+0x233/0x1b30
[   79.992797][ T5316]  hci_conn_request_evt+0x53e/0xb60
[   79.995022][ T5316]  hci_event_packet+0x7e3/0x1200
[   79.997097][ T5316]  hci_rx_work+0x46a/0xe80
[   79.998954][ T5316]  process_scheduled_works+0xade/0x17b0
[   80.001226][ T5316]  worker_thread+0x8a0/0xda0
[   80.003163][ T5316]  kthread+0x711/0x8a0
[   80.004816][ T5316]  ret_from_fork+0x3fc/0x770
[   80.006740][ T5316]  ret_from_fork_asm+0x1a/0x30
[   80.008754][ T5316] 
[   80.009778][ T5316] Freed by task 5317:
[   80.011417][ T5316]  kasan_save_track+0x3e/0x80
[   80.018783][ T5316]  kasan_save_free_info+0x46/0x50
[   80.021011][ T5316]  __kasan_slab_free+0x62/0x70
[   80.022968][ T5316]  kfree+0x18e/0x440
[   80.024662][ T5316]  device_release+0x9c/0x1c0
[   80.026668][ T5316]  kobject_put+0x22b/0x480
[   80.028938][ T5316]  hci_conn_del+0x8ff/0xcb0
[   80.031319][ T5316]  hci_conn_hash_flush+0x191/0x230
[   80.033942][ T5316]  hci_dev_close_sync+0xaef/0x1330
[   80.036228][ T5316]  hci_dev_close+0x106/0x200
[   80.038312][ T5316]  sock_do_ioctl+0xd9/0x300
[   80.040253][ T5316]  sock_ioctl+0x576/0x790
[   80.042115][ T5316]  __se_sys_ioctl+0xfc/0x170
[   80.044030][ T5316]  do_syscall_64+0xfa/0x3b0
[   80.045898][ T5316]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   80.048299][ T5316] 
[   80.049450][ T5316] Last potentially related work creation:
[   80.051830][ T5316]  kasan_save_stack+0x3e/0x60
[   80.053864][ T5316]  kasan_record_aux_stack+0xbd/0xd0
[   80.056016][ T5316]  insert_work+0x3d/0x330
[   80.057759][ T5316]  __queue_work+0xcfc/0xfe0
[   80.059600][ T5316]  queue_delayed_work_on+0x18b/0x280
[   80.061766][ T5316]  l2cap_chan_del+0x285/0x5e0
[   80.063805][ T5316]  l2cap_conn_del+0x388/0x680
[   80.065599][ T5316]  hci_conn_hash_flush+0x10a/0x230
[   80.067481][ T5316]  hci_dev_close_sync+0xaef/0x1330
[   80.069586][ T5316]  hci_dev_close+0x106/0x200
[   80.071325][ T5316]  sock_do_ioctl+0xd9/0x300
[   80.073144][ T5316]  sock_ioctl+0x576/0x790
[   80.074798][ T5316]  __se_sys_ioctl+0xfc/0x170
[   80.076709][ T5316]  do_syscall_64+0xfa/0x3b0
[   80.078579][ T5316]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   80.080888][ T5316] 
[   80.081909][ T5316] The buggy address belongs to the object at ffff88803677c000
[   80.081909][ T5316]  which belongs to the cache kmalloc-8k of size 8192
[   80.087333][ T5316] The buggy address is located 3152 bytes inside of
[   80.087333][ T5316]  freed 8192-byte region [ffff88803677c000, ffff88803677e000)
[   80.092701][ T5316] 
[   80.093801][ T5316] The buggy address belongs to the physical page:
[   80.096381][ T5316] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36778
[   80.099979][ T5316] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   80.103470][ T5316] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
[   80.106678][ T5316] page_type: f5(slab)
[   80.108355][ T5316] raw: 04fff00000000040 ffff88801a442280 dead000000000122 0000000000000000
[   80.111667][ T5316] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[   80.115057][ T5316] head: 04fff00000000040 ffff88801a442280 dead000000000122 0000000000000000
[   80.118561][ T5316] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[   80.122179][ T5316] head: 04fff00000000003 ffffea0000d9de01 00000000ffffffff 00000000ffffffff
[   80.125830][ T5316] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[   80.129371][ T5316] page dumped because: kasan: bad access detected
[   80.131977][ T5316] page_owner tracks the page as allocated
[   80.134374][ T5316] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5299, tgid 5299 (syz-executor), ts 72696367433, free_ts 60157193226
[   80.143015][ T5316]  post_alloc_hook+0x240/0x2a0
[   80.145148][ T5316]  get_page_from_freelist+0x21e4/0x22c0
[   80.147566][ T5316]  __alloc_frozen_pages_noprof+0x181/0x370
[   80.150012][ T5316]  alloc_pages_mpol+0x232/0x4a0
[   80.152150][ T5316]  allocate_slab+0x8a/0x3b0
[   80.154047][ T5316]  ___slab_alloc+0xbfc/0x1480
[   80.156080][ T5316]  __kmalloc_noprof+0x305/0x4f0
[   80.158229][ T5316]  hci_alloc_dev_priv+0x27/0x1ff0
[   80.160428][ T5316]  vhci_create_device+0x120/0x6e0
[   80.162581][ T5316]  vhci_write+0x3ce/0x4a0
[   80.164492][ T5316]  vfs_write+0x54b/0xa90
[   80.166375][ T5316]  ksys_write+0x145/0x250
[   80.168235][ T5316]  do_syscall_64+0xfa/0x3b0
[   80.170203][ T5316]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   80.172737][ T5316] page last free pid 5260 tgid 5260 stack trace:
[   80.175464][ T5316]  __free_frozen_pages+0xc71/0xe70
[   80.177635][ T5316]  skb_release_data+0x62d/0x7c0
[   80.179684][ T5316]  skb_attempt_defer_free+0x422/0x5c0
[   80.182010][ T5316]  tcp_recvmsg_locked+0x249d/0x3660
[   80.184239][ T5316]  tcp_recvmsg+0x216/0x810
[   80.186154][ T5316]  inet_recvmsg+0x147/0x250
[   80.188135][ T5316]  sock_recvmsg+0x1a8/0x270
[   80.190099][ T5316]  sock_read_iter+0x231/0x2f0
[   80.192037][ T5316]  vfs_read+0x4d0/0x980
[   80.193915][ T5316]  ksys_read+0x145/0x250
[   80.195789][ T5316]  do_syscall_64+0xfa/0x3b0
[   80.197767][ T5316]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   80.200318][ T5316] 
[   80.201386][ T5316] Memory state around the buggy address:
[   80.203911][ T5316]  ffff88803677cb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   80.207316][ T5316]  ffff88803677cb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   80.210619][ T5316] >ffff88803677cc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   80.213846][ T5316]                                                  ^
[   80.216512][ T5316]  ffff88803677cc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   80.219799][ T5316]  ffff88803677cd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   80.223166][ T5316] ==================================================================
[   80.255952][ T5316] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   80.258950][ T5316] CPU: 0 UID: 0 PID: 5316 Comm: syz.0.0 Not tainted 6.15.0-syzkaller-10820-gcd2e103d57e5 #0 PREEMPT(full) 
[   80.263577][ T5316] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   80.268082][ T5316] Call Trace:
[   80.269552][ T5316]  <TASK>
[   80.270819][ T5316]  dump_stack_lvl+0x99/0x250
[   80.272856][ T5316]  ? __asan_memcpy+0x40/0x70
[   80.274804][ T5316]  ? __pfx_dump_stack_lvl+0x10/0x10
[   80.276886][ T5316]  ? __pfx__printk+0x10/0x10
[   80.278774][ T5316]  panic+0x2db/0x790
[   80.280602][ T5316]  ? __pfx_panic+0x10/0x10
[   80.282638][ T5316]  ? _raw_spin_unlock_irqrestore+0xfd/0x110
[   80.285520][ T5316]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   80.288292][ T5316]  ? print_memory_metadata+0x314/0x400
[   80.290510][ T5316]  ? cfusbl_device_notify+0x150/0x6a0
[   80.292810][ T5316]  check_panic_on_warn+0x89/0xb0
[   80.295035][ T5316]  ? cfusbl_device_notify+0x150/0x6a0
[   80.297246][ T5316]  end_report+0x78/0x160
[   80.299070][ T5316]  kasan_report+0x129/0x150
[   80.301287][ T5316]  ? cfusbl_device_notify+0x150/0x6a0
[   80.303718][ T5316]  cfusbl_device_notify+0x150/0x6a0
[   80.305981][ T5316]  ? net_generic+0x1e/0x240
[   80.307978][ T5316]  ? __pfx_cfusbl_device_notify+0x10/0x10
[   80.310297][ T5316]  ? caif_device_notify+0x250/0xfc0
[   80.312261][ T5316]  ? smc_pnet_netdev_event+0x3b5/0x6c0
[   80.314667][ T5316]  notifier_call_chain+0x1b6/0x3e0
[   80.316827][ T5316]  register_netdevice+0x121c/0x1ae0
[   80.318960][ T5316]  ? __mutex_lock+0x51b/0xe80
[   80.321068][ T5316]  ? __pfx_register_netdevice+0x10/0x10
[   80.323433][ T5316]  ? __asan_memset+0x22/0x50
[   80.325389][ T5316]  ? dev_addr_mod+0x2ce/0x3d0
[   80.327392][ T5316]  register_netdev+0x40/0x60
[   80.329383][ T5316]  bnep_add_connection+0x6bf/0xbf0
[   80.331599][ T5316]  ? __pfx_bnep_add_connection+0x10/0x10
[   80.334001][ T5316]  ? __fget_files+0x3a0/0x420
[   80.336022][ T5316]  do_bnep_sock_ioctl+0x40e/0x640
[   80.338134][ T5316]  ? __pfx_do_bnep_sock_ioctl+0x10/0x10
[   80.340496][ T5316]  ? tomoyo_path_number_perm+0x1bc/0x5a0
[   80.342768][ T5316]  ? tomoyo_path_number_perm+0x4e2/0x5a0
[   80.345181][ T5316]  ? __pfx_tomoyo_path_number_perm+0x10/0x10
[   80.347679][ T5316]  sock_do_ioctl+0xd9/0x300
[   80.349665][ T5316]  ? __pfx_sock_do_ioctl+0x10/0x10
[   80.351783][ T5316]  ? __lock_acquire+0xab9/0xd20
[   80.353974][ T5316]  sock_ioctl+0x576/0x790
[   80.355897][ T5316]  ? __pfx_sock_ioctl+0x10/0x10
[   80.358021][ T5316]  ? __fget_files+0x2a/0x420
[   80.360006][ T5316]  ? __fget_files+0x3a0/0x420
[   80.362134][ T5316]  ? __fget_files+0x2a/0x420
[   80.364095][ T5316]  ? bpf_lsm_file_ioctl+0x9/0x20
[   80.366206][ T5316]  ? __pfx_sock_ioctl+0x10/0x10
[   80.368325][ T5316]  __se_sys_ioctl+0xfc/0x170
[   80.370291][ T5316]  do_syscall_64+0xfa/0x3b0
[   80.372258][ T5316]  ? lockdep_hardirqs_on+0x9c/0x150
[   80.374458][ T5316]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   80.376959][ T5316]  ? clear_bhb_loop+0x60/0xb0
[   80.378956][ T5316]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   80.381411][ T5316] RIP: 0033:0x7f13b218e969
[   80.383324][ T5316] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   80.390975][ T5316] RSP: 002b:00007f13b2fb7038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   80.394395][ T5316] RAX: ffffffffffffffda RBX: 00007f13b23b5fa0 RCX: 00007f13b218e969
[   80.397936][ T5316] RDX: 00002000000001c0 RSI: 00000000400442c8 RDI: 0000000000000005
[   80.401751][ T5316] RBP: 00007f13b2210ab1 R08: 0000000000000000 R09: 0000000000000000
[   80.405834][ T5316] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   80.409486][ T5316] R13: 0000000000000000 R14: 00007f13b23b5fa0 R15: 00007ffc71c76508
[   80.412784][ T5316]  </TASK>
[   80.414482][ T5316] Kernel Offset: disabled
[   80.416302][ T5316] Rebooting in 86400 seconds..