program:
socket$inet6_sctp(0xa, 0x1, 0x84)
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000000)={0x1f, 0x8ef, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
r1 = syz_init_net_socket$bt_bnep(0x1f, 0x3, 0x4)
ioctl$sock_bt_bnep_BNEPCONNADD(r1, 0x400442c8, &(0x7f00000001c0)={r0, 0x1, 0x2}) (async)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r2, 0x400448cb, 0x0)
syz_emit_vhci(&(0x7f0000000100)=ANY=[@ANYBLOB="c85c8d15030c47d44e9fe32b6425efa51a778d37f2d16d0c8ec0d2a37d531c3536a8422e0341cd4c0158c21370c2f7d37a88557f33fdbc8d1e4d06f84d875d93c9497fde435b3f89f3c4da59dc93bdf544369182aa570d6d5c11c69be60e00000000", @ANYRESDEC], 0xffffff9f)
[ 68.702381][ T4669] Bluetooth: hci0: command tx timeout
[ 68.781691][ T5320] ==================================================================
[ 68.785013][ T5320] BUG: KASAN: slab-use-after-free in cfusbl_device_notify+0x150/0x6a0
[ 68.788691][ T5320] Read of size 8 at addr ffff8880435e0c50 by task syz.0.0/5320
[ 68.791635][ T5320]
[ 68.792518][ T5320] CPU: 0 UID: 0 PID: 5320 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 68.792528][ T5320] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 68.792532][ T5320] Call Trace:
[ 68.792538][ T5320]
[ 68.792542][ T5320] dump_stack_lvl+0x189/0x250
[ 68.792553][ T5320] ? __kasan_check_byte+0x12/0x40
[ 68.792598][ T5320] ? __pfx_dump_stack_lvl+0x10/0x10
[ 68.792607][ T5320] ? lock_release+0x4b/0x3e0
[ 68.792623][ T5320] ? __virt_addr_valid+0x4a5/0x5c0
[ 68.792641][ T5320] print_report+0xca/0x240
[ 68.792652][ T5320] ? cfusbl_device_notify+0x150/0x6a0
[ 68.792661][ T5320] kasan_report+0x118/0x150
[ 68.792672][ T5320] ? cfusbl_device_notify+0x150/0x6a0
[ 68.792683][ T5320] cfusbl_device_notify+0x150/0x6a0
[ 68.792693][ T5320] ? net_generic+0x1e/0x240
[ 68.792702][ T5320] ? __pfx_cfusbl_device_notify+0x10/0x10
[ 68.792712][ T5320] ? caif_device_notify+0x250/0xfc0
[ 68.792723][ T5320] ? smc_pnet_netdev_event+0x3b5/0x6c0
[ 68.792735][ T5320] notifier_call_chain+0x1b6/0x3e0
[ 68.792752][ T5320] register_netdevice+0x121c/0x1ae0
[ 68.792786][ T5320] ? __mutex_lock+0x5bb/0x1350
[ 68.792800][ T5320] ? __pfx_register_netdevice+0x10/0x10
[ 68.792811][ T5320] ? __asan_memset+0x22/0x50
[ 68.792826][ T5320] ? dev_addr_mod+0x2ce/0x3d0
[ 68.792836][ T5320] register_netdev+0x40/0x60
[ 68.792846][ T5320] bnep_add_connection+0x6bf/0xbf0
[ 68.792860][ T5320] ? __pfx_bnep_add_connection+0x10/0x10
[ 68.792871][ T5320] ? __fget_files+0x3a0/0x420
[ 68.792885][ T5320] do_bnep_sock_ioctl+0x40e/0x640
[ 68.792897][ T5320] ? kasan_quarantine_put+0xdd/0x220
[ 68.792907][ T5320] ? __pfx_do_bnep_sock_ioctl+0x10/0x10
[ 68.792915][ T5320] ? tomoyo_path_number_perm+0x1bc/0x5a0
[ 68.792927][ T5320] ? tomoyo_path_number_perm+0x1bc/0x5a0
[ 68.792940][ T5320] sock_do_ioctl+0xdc/0x300
[ 68.792952][ T5320] ? __pfx_sock_do_ioctl+0x10/0x10
[ 68.792967][ T5320] sock_ioctl+0x576/0x790
[ 68.792978][ T5320] ? __pfx_sock_ioctl+0x10/0x10
[ 68.792989][ T5320] ? __fget_files+0x3a0/0x420
[ 68.792999][ T5320] ? __fget_files+0x2a/0x420
[ 68.793008][ T5320] ? bpf_lsm_file_ioctl+0x9/0x20
[ 68.793020][ T5320] ? __pfx_sock_ioctl+0x10/0x10
[ 68.793030][ T5320] __se_sys_ioctl+0xfc/0x170
[ 68.793044][ T5320] do_syscall_64+0xfa/0xfa0
[ 68.793058][ T5320] ? lockdep_hardirqs_on+0x9c/0x150
[ 68.793071][ T5320] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 68.793081][ T5320] ? clear_bhb_loop+0x60/0xb0
[ 68.793092][ T5320] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 68.793102][ T5320] RIP: 0033:0x7ff83398efc9
[ 68.793112][ T5320] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 68.793117][ T5320] RSP: 002b:00007ff8347c4038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 68.793127][ T5320] RAX: ffffffffffffffda RBX: 00007ff833be5fa0 RCX: 00007ff83398efc9
[ 68.793132][ T5320] RDX: 00002000000001c0 RSI: 00000000400442c8 RDI: 0000000000000006
[ 68.793138][ T5320] RBP: 00007ff833a11f91 R08: 0000000000000000 R09: 0000000000000000
[ 68.793144][ T5320] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 68.793150][ T5320] R13: 00007ff833be6038 R14: 00007ff833be5fa0 R15: 00007ffc2a68e2a8
[ 68.793160][ T5320]
[ 68.793164][ T5320]
[ 68.927498][ T5320] Allocated by task 5300:
[ 68.929249][ T5320] kasan_save_track+0x3e/0x80
[ 68.931308][ T5320] __kasan_kmalloc+0x93/0xb0
[ 68.933257][ T5320] __kmalloc_cache_noprof+0x3d5/0x6f0
[ 68.935581][ T5320] __hci_conn_add+0x2b9/0x1b10
[ 68.937545][ T5320] hci_conn_request_evt+0x54b/0xb70
[ 68.939558][ T5320] hci_event_packet+0x7e3/0x1200
[ 68.941648][ T5320] hci_rx_work+0x46a/0xe80
[ 68.943764][ T5320] process_scheduled_works+0xae1/0x17b0
[ 68.946252][ T5320] worker_thread+0x8a0/0xda0
[ 68.948434][ T5320] kthread+0x711/0x8a0
[ 68.950271][ T5320] ret_from_fork+0x4bc/0x870
[ 68.952317][ T5320] ret_from_fork_asm+0x1a/0x30
[ 68.954312][ T5320]
[ 68.955350][ T5320] Freed by task 5321:
[ 68.956922][ T5320] kasan_save_track+0x3e/0x80
[ 68.958793][ T5320] __kasan_save_free_info+0x46/0x50
[ 68.960888][ T5320] __kasan_slab_free+0x5c/0x80
[ 68.962912][ T5320] kfree+0x19a/0x6d0
[ 68.964608][ T5320] device_release+0x9c/0x1c0
[ 68.966529][ T5320] kobject_put+0x22b/0x480
[ 68.968515][ T5320] hci_conn_del+0xc33/0x11b0
[ 68.970580][ T5320] hci_conn_hash_flush+0x191/0x230
[ 68.972800][ T5320] hci_dev_reset+0x44b/0x6b0
[ 68.974855][ T5320] sock_do_ioctl+0xdc/0x300
[ 68.977006][ T5320] sock_ioctl+0x576/0x790
[ 68.978959][ T5320] __se_sys_ioctl+0xfc/0x170
[ 68.980873][ T5320] do_syscall_64+0xfa/0xfa0
[ 68.982820][ T5320] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 68.985317][ T5320]
[ 68.986400][ T5320] Last potentially related work creation:
[ 68.988759][ T5320] kasan_save_stack+0x3e/0x60
[ 68.990738][ T5320] kasan_record_aux_stack+0xbd/0xd0
[ 68.993016][ T5320] insert_work+0x3d/0x330
[ 68.994839][ T5320] __queue_work+0xcd2/0xfb0
[ 68.996744][ T5320] queue_delayed_work_on+0x18b/0x280
[ 68.999192][ T5320] l2cap_chan_del+0x285/0x5e0
[ 69.001421][ T5320] l2cap_conn_del+0x388/0x680
[ 69.003627][ T5320] hci_conn_hash_flush+0x10d/0x230
[ 69.005907][ T5320] hci_dev_reset+0x44b/0x6b0
[ 69.007985][ T5320] sock_do_ioctl+0xdc/0x300
[ 69.009941][ T5320] sock_ioctl+0x576/0x790
[ 69.011784][ T5320] __se_sys_ioctl+0xfc/0x170
[ 69.013589][ T5320] do_syscall_64+0xfa/0xfa0
[ 69.015453][ T5320] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.017988][ T5320]
[ 69.019007][ T5320] The buggy address belongs to the object at ffff8880435e0000
[ 69.019007][ T5320] which belongs to the cache kmalloc-8k of size 8192
[ 69.024416][ T5320] The buggy address is located 3152 bytes inside of
[ 69.024416][ T5320] freed 8192-byte region [ffff8880435e0000, ffff8880435e2000)
[ 69.030340][ T5320]
[ 69.031473][ T5320] The buggy address belongs to the physical page:
[ 69.034888][ T5320] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x435e0
[ 69.038982][ T5320] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 69.042524][ T5320] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
[ 69.045741][ T5320] page_type: f5(slab)
[ 69.047418][ T5320] raw: 04fff00000000040 ffff88801a442280 dead000000000122 0000000000000000
[ 69.050763][ T5320] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 69.054177][ T5320] head: 04fff00000000040 ffff88801a442280 dead000000000122 0000000000000000
[ 69.057514][ T5320] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 69.060794][ T5320] head: 04fff00000000003 ffffea00010d7801 00000000ffffffff 00000000ffffffff
[ 69.064413][ T5320] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 69.069312][ T5320] page dumped because: kasan: bad access detected
[ 69.072449][ T5320] page_owner tracks the page as allocated
[ 69.074975][ T5320] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5300, tgid 5300 (kworker/u5:2), ts 66508616498, free_ts 65253225255
[ 69.083645][ T5320] post_alloc_hook+0x240/0x2a0
[ 69.085696][ T5320] get_page_from_freelist+0x2365/0x2440
[ 69.088121][ T5320] __alloc_frozen_pages_noprof+0x181/0x370
[ 69.090821][ T5320] alloc_pages_mpol+0x232/0x4a0
[ 69.093074][ T5320] allocate_slab+0x96/0x3a0
[ 69.094885][ T5320] ___slab_alloc+0xe94/0x18a0
[ 69.096612][ T5320] __slab_alloc+0x65/0x100
[ 69.098266][ T5320] __kmalloc_cache_noprof+0x411/0x6f0
[ 69.100235][ T5320] __hci_conn_add+0x2b9/0x1b10
[ 69.102209][ T5320] hci_conn_request_evt+0x54b/0xb70
[ 69.104340][ T5320] hci_event_packet+0x7e3/0x1200
[ 69.106426][ T5320] hci_rx_work+0x46a/0xe80
[ 69.108197][ T5320] process_scheduled_works+0xae1/0x17b0
[ 69.110437][ T5320] worker_thread+0x8a0/0xda0
[ 69.112644][ T5320] kthread+0x711/0x8a0
[ 69.114554][ T5320] ret_from_fork+0x4bc/0x870
[ 69.116586][ T5320] page last free pid 9 tgid 9 stack trace:
[ 69.118904][ T5320] __free_frozen_pages+0xbc4/0xd30
[ 69.120928][ T5320] __put_partials+0x146/0x170
[ 69.122856][ T5320] put_cpu_partial+0x1f2/0x2e0
[ 69.124816][ T5320] __slab_free+0x2b9/0x390
[ 69.126637][ T5320] qlist_free_all+0x97/0x140
[ 69.128394][ T5320] kasan_quarantine_reduce+0x148/0x160
[ 69.130700][ T5320] __kasan_slab_alloc+0x22/0x80
[ 69.132510][ T5320] __kmalloc_cache_noprof+0x36f/0x6f0
[ 69.134675][ T5320] drm_atomic_state_alloc+0xa9/0x100
[ 69.136905][ T5320] drm_atomic_helper_dirtyfb+0xed/0xee0
[ 69.139212][ T5320] drm_fbdev_shmem_helper_fb_dirty+0x160/0x2f0
[ 69.141825][ T5320] drm_fb_helper_damage_work+0x224/0x710
[ 69.144342][ T5320] process_scheduled_works+0xae1/0x17b0
[ 69.147207][ T5320] worker_thread+0x8a0/0xda0
[ 69.149257][ T5320] kthread+0x711/0x8a0
[ 69.151102][ T5320] ret_from_fork+0x4bc/0x870
[ 69.153188][ T5320]
[ 69.154331][ T5320] Memory state around the buggy address:
[ 69.156785][ T5320] ffff8880435e0b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.160378][ T5320] ffff8880435e0b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.163908][ T5320] >ffff8880435e0c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.167185][ T5320] ^
[ 69.170126][ T5320] ffff8880435e0c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.173487][ T5320] ffff8880435e0d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.177115][ T5320] ==================================================================
[ 69.218649][ T5320] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 69.221720][ T5320] CPU: 0 UID: 0 PID: 5320 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 69.225580][ T5320] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 69.230205][ T5320] Call Trace:
[ 69.231640][ T5320]
[ 69.232993][ T5320] dump_stack_lvl+0x99/0x250
[ 69.235036][ T5320] ? __asan_memcpy+0x40/0x70
[ 69.236924][ T5320] ? __pfx_dump_stack_lvl+0x10/0x10
[ 69.239196][ T5320] ? __pfx__printk+0x10/0x10
[ 69.241076][ T5320] vpanic+0x237/0x6d0
[ 69.242724][ T5320] ? __pfx_vpanic+0x10/0x10
[ 69.244655][ T5320] ? preempt_schedule+0xae/0xc0
[ 69.246705][ T5320] ? __pfx_preempt_schedule+0x10/0x10
[ 69.248981][ T5320] panic+0xb9/0xc0
[ 69.250581][ T5320] ? __pfx_panic+0x10/0x10
[ 69.252479][ T5320] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 69.254892][ T5320] ? cfusbl_device_notify+0x150/0x6a0
[ 69.257267][ T5320] check_panic_on_warn+0x89/0xb0
[ 69.259399][ T5320] ? cfusbl_device_notify+0x150/0x6a0
[ 69.261694][ T5320] end_report+0x78/0x160
[ 69.263574][ T5320] kasan_report+0x129/0x150
[ 69.265478][ T5320] ? cfusbl_device_notify+0x150/0x6a0
[ 69.267760][ T5320] cfusbl_device_notify+0x150/0x6a0
[ 69.270062][ T5320] ? net_generic+0x1e/0x240
[ 69.272029][ T5320] ? __pfx_cfusbl_device_notify+0x10/0x10
[ 69.274333][ T5320] ? caif_device_notify+0x250/0xfc0
[ 69.276268][ T5320] ? smc_pnet_netdev_event+0x3b5/0x6c0
[ 69.278566][ T5320] notifier_call_chain+0x1b6/0x3e0
[ 69.280651][ T5320] register_netdevice+0x121c/0x1ae0
[ 69.282958][ T5320] ? __mutex_lock+0x5bb/0x1350
[ 69.285122][ T5320] ? __pfx_register_netdevice+0x10/0x10
[ 69.287582][ T5320] ? __asan_memset+0x22/0x50
[ 69.289624][ T5320] ? dev_addr_mod+0x2ce/0x3d0
[ 69.291864][ T5320] register_netdev+0x40/0x60
[ 69.293990][ T5320] bnep_add_connection+0x6bf/0xbf0
[ 69.296148][ T5320] ? __pfx_bnep_add_connection+0x10/0x10
[ 69.298585][ T5320] ? __fget_files+0x3a0/0x420
[ 69.300654][ T5320] do_bnep_sock_ioctl+0x40e/0x640
[ 69.302906][ T5320] ? kasan_quarantine_put+0xdd/0x220
[ 69.305267][ T5320] ? __pfx_do_bnep_sock_ioctl+0x10/0x10
[ 69.307622][ T5320] ? tomoyo_path_number_perm+0x1bc/0x5a0
[ 69.310134][ T5320] ? tomoyo_path_number_perm+0x1bc/0x5a0
[ 69.312476][ T5320] sock_do_ioctl+0xdc/0x300
[ 69.314538][ T5320] ? __pfx_sock_do_ioctl+0x10/0x10
[ 69.316588][ T5320] sock_ioctl+0x576/0x790
[ 69.318557][ T5320] ? __pfx_sock_ioctl+0x10/0x10
[ 69.320531][ T5320] ? __fget_files+0x3a0/0x420
[ 69.322449][ T5320] ? __fget_files+0x2a/0x420
[ 69.324486][ T5320] ? bpf_lsm_file_ioctl+0x9/0x20
[ 69.326596][ T5320] ? __pfx_sock_ioctl+0x10/0x10
[ 69.328642][ T5320] __se_sys_ioctl+0xfc/0x170
[ 69.330432][ T5320] do_syscall_64+0xfa/0xfa0
[ 69.332287][ T5320] ? lockdep_hardirqs_on+0x9c/0x150
[ 69.334498][ T5320] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.337004][ T5320] ? clear_bhb_loop+0x60/0xb0
[ 69.339134][ T5320] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.341558][ T5320] RIP: 0033:0x7ff83398efc9
[ 69.343525][ T5320] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 69.351911][ T5320] RSP: 002b:00007ff8347c4038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 69.355467][ T5320] RAX: ffffffffffffffda RBX: 00007ff833be5fa0 RCX: 00007ff83398efc9
[ 69.358988][ T5320] RDX: 00002000000001c0 RSI: 00000000400442c8 RDI: 0000000000000006
[ 69.362283][ T5320] RBP: 00007ff833a11f91 R08: 0000000000000000 R09: 0000000000000000
[ 69.365928][ T5320] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 69.369083][ T5320] R13: 00007ff833be6038 R14: 00007ff833be5fa0 R15: 00007ffc2a68e2a8
[ 69.372746][ T5320]
[ 69.374492][ T5320] Kernel Offset: disabled
[ 69.376346][ T5320] Rebooting in 86400 seconds..