program:
# syzkaller reproducer (syz program text; whole-line '#' comments are ignored by
# the parser). It is followed on this page by the KASAN report it produced.
#
# Triage context taken from that report: the splat is a slab-use-after-free read
# in hci_uart_write_work (Workqueue: events hci_uart_write_work), the freed object
# is a 240-byte skbuff_head_cache entry, and it was allocated from
# hci_cmd_sync_alloc <- __hci_cmd_sync_sk <- hci_dev_open_sync <- hci_power_on by
# task 5302 -- the same task that logs "Bluetooth: hci0: command tx timeout"
# just before the splat. The frames also show pty_write on the stack.
# The pty / line-discipline calls on r7 below are therefore the part most likely
# relevant to the crash; the netlink, sound, bpf/cgroup, inet6, USB and ipset
# calls look like fuzzer noise, but this has not been confirmed by minimisation.
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = syz_open_dev$sndctrl(&(0x7f0000001440), 0x0, 0x0)
ioctl$SNDRV_CTL_IOCTL_PCM_PREFER_SUBDEVICE(r1, 0x40045532, &(0x7f0000000100))
r2 = openat$audio(0xffffffffffffff9c, &(0x7f00000000c0), 0x18b782, 0x0)
ioctl$SNDCTL_DSP_GETODELAY(r2, 0x80045017, 0x0)
r3 = syz_open_dev$sndpcmp(&(0x7f00000001c0), 0x0, 0xa2c65)
ioctl$SNDRV_PCM_IOCTL_CHANNEL_INFO(r3, 0x80184132, &(0x7f0000000500))
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x12, 0x4, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000000000000000000000000071180a000000000095"], &(0x7f00000000c0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @cgroup_sock_addr=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
r5 = openat(0xffffffffffffff9c, &(0x7f0000000280)='./cgroup\x00', 0x40000, 0x6)
bpf$BPF_LINK_CREATE(0x1c, &(0x7f0000000040)={r4, r5, 0xb, 0x0, @void}, 0x10)
r6 = socket$inet6(0xa, 0x2, 0x0)
bind$inet6(r6, &(0x7f0000000580)={0xa, 0xe22, 0x0, @mcast1, 0x2}, 0x1c)
connect$inet6(r6, &(0x7f0000000600)={0x2, 0x4e23, 0x0, @ipv4={'\x00', '\xff\xff', @loopback}}, 0x1c)
# r7: pty master (openat$ptmx variant; the path string at 0x7f0000000000 is not
# shown in this listing).
r7 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
# TIOCSETD (0x5423) with ldisc 0xf = N_HCI: attaches the hci_uart line discipline
# to the pty. This is what brings hci_uart_write_work into play for r7.
ioctl$TIOCSETD(r7, 0x5423, &(0x7f0000000080)=0xf)
# Flow-control / flush requests on the same pty, then TIOCVHANGUP (0x5437), which
# hangs up the tty. The report's write work touching an already-freed command skb
# suggests, but does not prove, a tty-teardown-vs-queued-work ordering problem;
# confirm against the hci_uart ldisc close/hangup path in the driver source.
ioctl$TCXONC(r7, 0x540a, 0x0)
ioctl$TCFLSH(r7, 0x400455c8, 0x4)
ioctl$TIOCVHANGUP(r7, 0x5437, 0x0)
# syz_usb_connect is a syzkaller pseudo-syscall (emulated USB device attach); no
# link to the HCI UAF is visible in the report.
syz_usb_connect(0x0, 0x3f, 0x0, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000040)=ANY=[@ANYBLOB="2400000020000103000000000000ff0f0000000000000000000000000800060000000000"], 0x24}}, 0x0)
r8 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_CREATE(r8, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000600)={&(0x7f0000000080)={0x54, 0x2, 0x6, 0x201, 0x0, 0x0, {0x6}, [@IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz0\x00'}, @IPSET_ATTR_FAMILY={0x5, 0x5, 0x2}, @IPSET_ATTR_DATA={0xc, 0x7, 0x0, 0x1, [@IPSET_ATTR_HASHSIZE={0x8}]}, @IPSET_ATTR_REVISION={0x5}, @IPSET_ATTR_TYPENAME={0x10, 0x3, 'hash:ip,mac\x00'}]}, 0x54}}, 0x8000)
sendmsg$IPSET_CMD_SAVE(r8, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000001c0)={0x1c, 0x8, 0x6, 0x401, 0x0, 0x0, {0x5}, [@IPSET_ATTR_PROTOCOL={0x5}]}, 0x1c}, 0x1, 0x0, 0x0, 0x4000}, 0x40000)
socket$nl_route(0x10, 0x3, 0x0)
r9 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r9, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000000c0)=@ipv4_newrule={0x1c, 0x20, 0x301, 0x0, 0x0, {0x2, 0x0, 0x0, 0x0, 0x1}}, 0x1c}, 0x1, 0x0, 0x0, 0x4000040}, 0x4000850)
[ 75.999252][ T5302] Bluetooth: hci0: command tx timeout
[ 76.102221][ T5309] ==================================================================
[ 76.105713][ T5309] BUG: KASAN: slab-use-after-free in hci_uart_write_work+0x2ca/0x550
[ 76.109442][ T5309] Read of size 8 at addr ffff888051032218 by task kworker/0:4/5309
[ 76.112856][ T5309]
[ 76.113966][ T5309] CPU: 0 UID: 0 PID: 5309 Comm: kworker/0:4 Not tainted syzkaller #0 PREEMPT(full)
[ 76.113984][ T5309] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 76.113992][ T5309] Workqueue: events hci_uart_write_work
[ 76.114008][ T5309] Call Trace:
[ 76.114014][ T5309]
[ 76.114019][ T5309] dump_stack_lvl+0x189/0x250
[ 76.114037][ T5309] ? __virt_addr_valid+0x1c8/0x5c0
[ 76.114051][ T5309] ? rcu_is_watching+0x15/0xb0
[ 76.114062][ T5309] ? __pfx_dump_stack_lvl+0x10/0x10
[ 76.114074][ T5309] ? rcu_is_watching+0x15/0xb0
[ 76.114084][ T5309] ? lock_release+0x4b/0x3e0
[ 76.114099][ T5309] ? _raw_spin_lock_irqsave+0xb3/0xf0
[ 76.114113][ T5309] ? __virt_addr_valid+0x1c8/0x5c0
[ 76.114125][ T5309] ? __virt_addr_valid+0x4a5/0x5c0
[ 76.114139][ T5309] print_report+0xca/0x240
[ 76.114152][ T5309] ? hci_uart_write_work+0x2ca/0x550
[ 76.114160][ T5309] kasan_report+0x118/0x150
[ 76.114175][ T5309] ? hci_uart_write_work+0x2ca/0x550
[ 76.114185][ T5309] ? __pfx_pty_write+0x10/0x10
[ 76.114238][ T5309] hci_uart_write_work+0x2ca/0x550
[ 76.114251][ T5309] ? process_scheduled_works+0x9ef/0x17b0
[ 76.114263][ T5309] process_scheduled_works+0xae1/0x17b0
[ 76.114281][ T5309] ? __pfx_process_scheduled_works+0x10/0x10
[ 76.114294][ T5309] worker_thread+0x8a0/0xda0
[ 76.114311][ T5309] kthread+0x711/0x8a0
[ 76.114324][ T5309] ? __pfx_worker_thread+0x10/0x10
[ 76.114334][ T5309] ? __pfx_kthread+0x10/0x10
[ 76.114347][ T5309] ? _raw_spin_unlock_irq+0x23/0x50
[ 76.114358][ T5309] ? lockdep_hardirqs_on+0x9c/0x150
[ 76.114371][ T5309] ? __pfx_kthread+0x10/0x10
[ 76.114384][ T5309] ret_from_fork+0x4bc/0x870
[ 76.114395][ T5309] ? __pfx_ret_from_fork+0x10/0x10
[ 76.114406][ T5309] ? __pfx_kthread+0x10/0x10
[ 76.114419][ T5309] ret_from_fork_asm+0x1a/0x30
[ 76.114431][ T5309]
[ 76.114435][ T5309]
[ 76.192192][ T5309] Allocated by task 5302:
[ 76.194075][ T5309] kasan_save_track+0x3e/0x80
[ 76.196059][ T5309] __kasan_slab_alloc+0x6c/0x80
[ 76.198089][ T5309] kmem_cache_alloc_node_noprof+0x433/0x710
[ 76.200648][ T5309] __alloc_skb+0x112/0x2d0
[ 76.202536][ T5309] hci_cmd_sync_alloc+0x3d/0x380
[ 76.204641][ T5309] __hci_cmd_sync_sk+0x1a7/0xbc0
[ 76.206699][ T5309] hci_dev_open_sync+0x14be/0x2b60
[ 76.208932][ T5309] hci_power_on+0x1b4/0x680
[ 76.210849][ T5309] process_scheduled_works+0xae1/0x17b0
[ 76.213193][ T5309] worker_thread+0x8a0/0xda0
[ 76.215176][ T5309] kthread+0x711/0x8a0
[ 76.216990][ T5309] ret_from_fork+0x4bc/0x870
[ 76.219129][ T5309] ret_from_fork_asm+0x1a/0x30
[ 76.221258][ T5309]
[ 76.222323][ T5309] The buggy address belongs to the object at ffff888051032140
[ 76.222323][ T5309] which belongs to the cache skbuff_head_cache of size 240
[ 76.228259][ T5309] The buggy address is located 216 bytes inside of
[ 76.228259][ T5309] freed 240-byte region [ffff888051032140, ffff888051032230)
[ 76.234119][ T5309]
[ 76.235104][ T5309] The buggy address belongs to the physical page:
[ 76.237931][ T5309] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x51032
[ 76.241628][ T5309] ksm flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[ 76.244865][ T5309] page_type: f5(slab)
[ 76.246614][ T5309] raw: 04fff00000000000 ffff8880304cfc80 ffffea00010b9a80 0000000000000003
[ 76.250281][ T5309] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
[ 76.254000][ T5309] page dumped because: kasan: bad access detected
[ 76.256760][ T5309] page_owner tracks the page as allocated
[ 76.259287][ T5309] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5300, tgid 5300 (syz-executor), ts 72944481945, free_ts 0
[ 76.267008][ T5309] post_alloc_hook+0x234/0x290
[ 76.269180][ T5309] get_page_from_freelist+0x2365/0x2440
[ 76.271581][ T5309] __alloc_frozen_pages_noprof+0x181/0x370
[ 76.274141][ T5309] alloc_pages_mpol+0x232/0x4a0
[ 76.276265][ T5309] allocate_slab+0x96/0x350
[ 76.278334][ T5309] ___slab_alloc+0xf56/0x1990
[ 76.280406][ T5309] __slab_alloc+0x65/0x100
[ 76.282342][ T5309] kmem_cache_alloc_node_noprof+0x4c5/0x710
[ 76.284824][ T5309] __alloc_skb+0x112/0x2d0
[ 76.286785][ T5309] alloc_uevent_skb+0x7d/0x230
[ 76.288798][ T5309] kobject_uevent_net_broadcast+0x184/0x560
[ 76.291345][ T5309] kobject_uevent_env+0x55b/0x8c0
[ 76.293548][ T5309] device_add+0x557/0xb50
[ 76.295476][ T5309] netdev_register_kobject+0x178/0x310
[ 76.297720][ T5309] register_netdevice+0x126c/0x1ae0
[ 76.299811][ T5309] __ip_tunnel_create+0x3e7/0x560
[ 76.301828][ T5309] page_owner free stack trace missing
[ 76.303874][ T5309]
[ 76.304836][ T5309] Memory state around the buggy address:
[ 76.307054][ T5309] ffff888051032100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 76.310280][ T5309] ffff888051032180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.313426][ T5309] >ffff888051032200: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 76.316812][ T5309] ^
[ 76.318954][ T5309] ffff888051032280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.322324][ T5309] ffff888051032300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 76.325618][ T5309] ==================================================================
[ 76.376173][ T1313] ieee802154 phy0 wpan0: encryption failed: -22
[ 76.378975][ T1313] ieee802154 phy1 wpan1: encryption failed: -22
[ 76.488673][ T5309] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 76.491589][ T5309] CPU: 0 UID: 0 PID: 5309 Comm: kworker/0:4 Not tainted syzkaller #0 PREEMPT(full)
[ 76.495263][ T5309] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 76.499913][ T5309] Workqueue: events hci_uart_write_work
[ 76.502294][ T5309] Call Trace:
[ 76.503743][ T5309]
[ 76.505046][ T5309] dump_stack_lvl+0x99/0x250
[ 76.507933][ T5309] ? __asan_memcpy+0x40/0x70
[ 76.510036][ T5309] ? __pfx_dump_stack_lvl+0x10/0x10
[ 76.512402][ T5309] ? __pfx__printk+0x10/0x10
[ 76.514384][ T5309] vpanic+0x237/0x6d0
[ 76.516147][ T5309] ? __pfx_vpanic+0x10/0x10
[ 76.518183][ T5309] ? preempt_schedule+0xae/0xc0
[ 76.520343][ T5309] ? __pfx_preempt_schedule+0x10/0x10
[ 76.522575][ T5309] panic+0xb9/0xc0
[ 76.524327][ T5309] ? __pfx_panic+0x10/0x10
[ 76.526223][ T5309] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 76.528741][ T5309] ? is_module_address+0x17/0xf0
[ 76.530890][ T5309] ? hci_uart_write_work+0x2ca/0x550
[ 76.532894][ T5309] check_panic_on_warn+0x89/0xb0
[ 76.535016][ T5309] ? hci_uart_write_work+0x2ca/0x550
[ 76.537312][ T5309] end_report+0x78/0x160
[ 76.539195][ T5309] kasan_report+0x129/0x150
[ 76.541183][ T5309] ? hci_uart_write_work+0x2ca/0x550
[ 76.543426][ T5309] ? __pfx_pty_write+0x10/0x10
[ 76.545453][ T5309] hci_uart_write_work+0x2ca/0x550
[ 76.547639][ T5309] ? process_scheduled_works+0x9ef/0x17b0
[ 76.550055][ T5309] process_scheduled_works+0xae1/0x17b0
[ 76.552473][ T5309] ? __pfx_process_scheduled_works+0x10/0x10
[ 76.555066][ T5309] worker_thread+0x8a0/0xda0
[ 76.557116][ T5309] kthread+0x711/0x8a0
[ 76.558811][ T5309] ? __pfx_worker_thread+0x10/0x10
[ 76.560989][ T5309] ? __pfx_kthread+0x10/0x10
[ 76.562999][ T5309] ? _raw_spin_unlock_irq+0x23/0x50
[ 76.565265][ T5309] ? lockdep_hardirqs_on+0x9c/0x150
[ 76.567489][ T5309] ? __pfx_kthread+0x10/0x10
[ 76.569467][ T5309] ret_from_fork+0x4bc/0x870
[ 76.571489][ T5309] ? __pfx_ret_from_fork+0x10/0x10
[ 76.573639][ T5309] ? __pfx_kthread+0x10/0x10
[ 76.575647][ T5309] ret_from_fork_asm+0x1a/0x30
[ 76.577808][ T5309]
[ 76.579497][ T5309] Kernel Offset: disabled
[ 76.581424][ T5309] Rebooting in 86400 seconds..