program:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0) (async)
r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r1, &(0x7f0000000040)={0x1f, 0x0, @fixed}, 0xe) (async, rerun: 64)
shutdown(r1, 0x1) (async, rerun: 64)
syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) (async)
syz_emit_vhci(&(0x7f0000000140)=ANY=[@ANYBLOB="040500"], 0xf) (async, rerun: 64)
connect$bt_l2cap(r0, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x803}, 0xe) (async, rerun: 64)
r2 = syz_open_dev$tty1(0xc, 0x4, 0x1)
ioctl$TIOCL_BLANKSCREEN(r2, 0x5608, &(0x7f0000000000)) (async)
syz_emit_vhci(&(0x7f0000000340)=ANY=[@ANYBLOB="02c82028002400010007d3040007c4faff020c04000300d3"], 0x2d) (async)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async, rerun: 32)
r4 = openat$kvm(0xffffffffffffff9c, &(0x7f0000001040), 0x0, 0x0) (rerun: 32)
r5 = ioctl$KVM_CREATE_VM(r4, 0xae01, 0x0)
r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0)
ioctl$KVM_X86_SETUP_MCE(r6, 0x4008ae9c, &(0x7f00000011c0)={0xa, 0x5, 0xfd})
ioctl$KVM_X86_SET_MCE(r6, 0x4040ae9e, &(0x7f0000000000)={0xbc00000000000000}) (async)
ioctl$HCIINQUIRY(r3, 0x400448ca, 0x0)

[   85.417909][ T4680] Bluetooth: hci0: unexpected event 0x05 length: 12 > 4
[   85.430675][ T4680] Bluetooth: hci0: unexpected event 0x05 length: 12 > 4
[   85.433984][ T4680] Bluetooth: hci0: unexpected event 0x05 length: 12 > 4
[   85.439169][ T4680] Bluetooth: hci0: unexpected event 0x05 length: 12 > 4
[   85.442639][ T4680] Bluetooth: hci0: unexpected event 0x05 length: 12 > 4
[   85.445554][ T4680] Bluetooth: hci0: unexpected event 0x05 length: 12 > 4
[   85.449649][ T4680] Bluetooth: hci0: unexpected event 0x05 length: 12 > 4
[   85.452524][ T4680] Bluetooth: hci0: unexpected event 0x05 length: 12 > 4
[   85.455495][ T4680] Bluetooth: hci0: unexpected event 0x05 length: 12 > 4
[   85.458966][ T4680] Bluetooth: hci0: unexpected event 0x05 length: 12 > 4
[   85.647321][ T4680] Bluetooth: hci0: command tx timeout
[   87.488240][   T47] ==================================================================
[   87.491842][   T47] BUG: KASAN: slab-use-after-free in hci_conn_drop+0x34/0x2a0
[   87.495420][   T47] Write of size 4 at addr ffff888034014010 by task kworker/u5:0/47
[   87.498837][   T47] 
[   87.499915][   T47] CPU: 0 UID: 0 PID: 47 Comm: kworker/u5:0 Not tainted syzkaller #0 PREEMPT(full) 
[   87.499928][   T47] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   87.499936][   T47] Workqueue: hci0 hci_cmd_sync_work
[   87.499956][   T47] Call Trace:
[   87.499963][   T47]  <TASK>
[   87.499969][   T47]  dump_stack_lvl+0xe8/0x150
[   87.499984][   T47]  print_report+0xba/0x230
[   87.499994][   T47]  ? hci_conn_drop+0x34/0x2a0
[   87.500003][   T47]  kasan_report+0x117/0x150
[   87.500013][   T47]  ? hci_conn_valid+0x21/0x230
[   87.500023][   T47]  ? hci_conn_drop+0x34/0x2a0
[   87.500033][   T47]  kasan_check_range+0x264/0x2c0
[   87.500044][   T47]  hci_conn_drop+0x34/0x2a0
[   87.500052][   T47]  ? __pfx_le_read_features_complete+0x10/0x10
[   87.500067][   T47]  hci_cmd_sync_work+0x262/0x400
[   87.500080][   T47]  ? process_scheduled_works+0xa0f/0x17a0
[   87.500092][   T47]  process_scheduled_works+0xaec/0x17a0
[   87.500108][   T47]  ? __pfx_process_scheduled_works+0x10/0x10
[   87.500117][   T47]  ? do_raw_spin_lock+0x12b/0x2f0
[   87.500132][   T47]  ? assign_work+0x3d3/0x440
[   87.500142][   T47]  worker_thread+0x89f/0xd90
[   87.500158][   T47]  kthread+0x726/0x8b0
[   87.500172][   T47]  ? __pfx_worker_thread+0x10/0x10
[   87.500182][   T47]  ? __pfx_kthread+0x10/0x10
[   87.500194][   T47]  ? _raw_spin_unlock_irq+0x23/0x50
[   87.500205][   T47]  ? __pfx_kthread+0x10/0x10
[   87.500213][   T47]  ret_from_fork+0x51b/0xa40
[   87.500221][   T47]  ? __pfx_ret_from_fork+0x10/0x10
[   87.500229][   T47]  ? __switch_to+0xc82/0x1410
[   87.500243][   T47]  ? __pfx_kthread+0x10/0x10
[   87.500254][   T47]  ret_from_fork_asm+0x1a/0x30
[   87.500271][   T47]  </TASK>
[   87.500275][   T47] 
[   87.571872][   T47] Allocated by task 4680:
[   87.573761][   T47]  kasan_save_track+0x3e/0x80
[   87.575862][   T47]  __kasan_kmalloc+0x93/0xb0
[   87.577956][   T47]  __kmalloc_cache_noprof+0x3d1/0x6e0
[   87.580329][   T47]  __hci_conn_add+0x3c5/0x1b30
[   87.582501][   T47]  le_conn_complete_evt+0x706/0x1430
[   87.584907][   T47]  hci_le_enh_conn_complete_evt+0x189/0x490
[   87.587617][   T47]  hci_event_packet+0x7af/0x12c0
[   87.589800][   T47]  hci_rx_work+0x3ee/0x1030
[   87.591919][   T47]  process_scheduled_works+0xaec/0x17a0
[   87.594439][   T47]  worker_thread+0x89f/0xd90
[   87.596425][   T47]  kthread+0x726/0x8b0
[   87.598149][   T47]  ret_from_fork+0x51b/0xa40
[   87.600248][   T47]  ret_from_fork_asm+0x1a/0x30
[   87.602634][   T47] 
[   87.603734][   T47] Freed by task 4680:
[   87.605569][   T47]  kasan_save_track+0x3e/0x80
[   87.607698][   T47]  kasan_save_free_info+0x46/0x50
[   87.610047][   T47]  __kasan_slab_free+0x5c/0x80
[   87.612180][   T47]  kfree+0x1be/0x650
[   87.613889][   T47]  device_release+0x9e/0x1d0
[   87.616035][   T47]  kobject_put+0x228/0x560
[   87.618132][   T47]  hci_conn_del+0xc36/0x1230
[   87.620124][   T47]  hci_disconn_complete_evt+0x64e/0x950
[   87.622505][   T47]  hci_event_packet+0x805/0x12c0
[   87.624644][   T47]  hci_rx_work+0x3ee/0x1030
[   87.626666][   T47]  process_scheduled_works+0xaec/0x17a0
[   87.628974][   T47]  worker_thread+0x89f/0xd90
[   87.631080][   T47]  kthread+0x726/0x8b0
[   87.632935][   T47]  ret_from_fork+0x51b/0xa40
[   87.635091][   T47]  ret_from_fork_asm+0x1a/0x30
[   87.637098][   T47] 
[   87.638223][   T47] The buggy address belongs to the object at ffff888034014000
[   87.638223][   T47]  which belongs to the cache kmalloc-8k of size 8192
[   87.644503][   T47] The buggy address is located 16 bytes inside of
[   87.644503][   T47]  freed 8192-byte region [ffff888034014000, ffff888034016000)
[   87.650569][   T47] 
[   87.651678][   T47] The buggy address belongs to the physical page:
[   87.654719][   T47] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x34010
[   87.658430][   T47] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   87.661988][   T47] anon flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
[   87.665686][   T47] page_type: f5(slab)
[   87.667747][   T47] raw: 04fff00000000040 ffff88801a842280 0000000000000000 0000000000000001
[   87.672081][   T47] raw: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
[   87.675801][   T47] head: 04fff00000000040 ffff88801a842280 0000000000000000 0000000000000001
[   87.680064][   T47] head: 0000000000000000 0000000080020002 00000000f5000000 0000000000000000
[   87.683798][   T47] head: 04fff00000000003 ffffea0000d00401 00000000ffffffff 00000000ffffffff
[   87.687855][   T47] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[   87.691974][   T47] page dumped because: kasan: bad access detected
[   87.695004][   T47] page_owner tracks the page as allocated
[   87.697418][   T47] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5309, tgid 5309 (sh), ts 79932579143, free_ts 68216205967
[   87.706322][   T47]  post_alloc_hook+0x228/0x280
[   87.708566][   T47]  get_page_from_freelist+0x24dc/0x2580
[   87.711128][   T47]  __alloc_frozen_pages_noprof+0x18d/0x380
[   87.713741][   T47]  alloc_pages_mpol+0x232/0x4a0
[   87.715779][   T47]  allocate_slab+0x86/0x3a0
[   87.717902][   T47]  ___slab_alloc+0xd82/0x1760
[   87.720060][   T47]  __slab_alloc+0x65/0x100
[   87.722084][   T47]  __kmalloc_cache_noprof+0x40d/0x6e0
[   87.724512][   T47]  tomoyo_init_log+0x112e/0x1fb0
[   87.726797][   T47]  tomoyo_supervisor+0x353/0x1570
[   87.729099][   T47]  tomoyo_env_perm+0x151/0x1f0
[   87.731347][   T47]  tomoyo_find_next_domain+0x15cb/0x1aa0
[   87.733953][   T47]  tomoyo_bprm_check_security+0x11b/0x180
[   87.736566][   T47]  security_bprm_check+0x85/0x240
[   87.738897][   T47]  bprm_execve+0x896/0x1410
[   87.741001][   T47]  do_execveat_common+0x50f/0x690
[   87.743376][   T47] page last free pid 5297 tgid 5297 stack trace:
[   87.746283][   T47]  __free_frozen_pages+0xbb0/0xd10
[   87.748514][   T47]  skb_release_data+0x62d/0x7c0
[   87.750741][   T47]  skb_attempt_defer_free+0x4ff/0x6f0
[   87.753144][   T47]  tcp_recvmsg_locked+0x2373/0x35b0
[   87.755742][   T47]  tcp_recvmsg+0x213/0x7f0
[   87.757848][   T47]  inet_recvmsg+0x157/0x270
[   87.760062][   T47]  sock_recvmsg+0x1a8/0x270
[   87.762184][   T47]  sock_read_iter+0x251/0x320
[   87.764327][   T47]  vfs_read+0x582/0xa70
[   87.766204][   T47]  ksys_read+0x150/0x270
[   87.768157][   T47]  do_syscall_64+0xe2/0xf80
[   87.770289][   T47]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   87.772920][   T47] 
[   87.774276][   T47] Memory state around the buggy address:
[   87.777594][   T47]  ffff888034013f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   87.781395][   T47]  ffff888034013f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   87.784867][   T47] >ffff888034014000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   87.788381][   T47]                          ^
[   87.790496][   T47]  ffff888034014080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   87.794097][   T47]  ffff888034014100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   87.797616][   T47] ==================================================================
[   87.807585][ T4680] Bluetooth: hci0: command 0x040f tx timeout
[   87.810520][   T47] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   87.813693][   T47] CPU: 0 UID: 0 PID: 47 Comm: kworker/u5:0 Not tainted syzkaller #0 PREEMPT(full) 
[   87.817844][   T47] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   87.822126][   T47] Workqueue: hci0 hci_cmd_sync_work
[   87.824362][   T47] Call Trace:
[   87.825885][   T47]  <TASK>
[   87.827179][   T47]  vpanic+0x1e0/0x670
[   87.828961][   T47]  panic+0xc5/0xd0
[   87.830637][   T47]  ? __pfx_panic+0x10/0x10
[   87.832586][   T47]  ? preempt_schedule_common+0x82/0xd0
[   87.834994][   T47]  ? hci_conn_drop+0x34/0x2a0
[   87.836795][   T47]  check_panic_on_warn+0x89/0xb0
[   87.838881][   T47]  ? hci_conn_drop+0x34/0x2a0
[   87.841067][   T47]  end_report+0x6f/0x140
[   87.842979][   T47]  kasan_report+0x128/0x150
[   87.845102][   T47]  ? hci_conn_valid+0x21/0x230
[   87.847234][   T47]  ? hci_conn_drop+0x34/0x2a0
[   87.849245][   T47]  kasan_check_range+0x264/0x2c0
[   87.851326][   T47]  hci_conn_drop+0x34/0x2a0
[   87.853188][   T47]  ? __pfx_le_read_features_complete+0x10/0x10
[   87.855795][   T47]  hci_cmd_sync_work+0x262/0x400
[   87.858015][   T47]  ? process_scheduled_works+0xa0f/0x17a0
[   87.860492][   T47]  process_scheduled_works+0xaec/0x17a0
[   87.862993][   T47]  ? __pfx_process_scheduled_works+0x10/0x10
[   87.865738][   T47]  ? do_raw_spin_lock+0x12b/0x2f0
[   87.868077][   T47]  ? assign_work+0x3d3/0x440
[   87.869998][   T47]  worker_thread+0x89f/0xd90
[   87.871916][   T47]  kthread+0x726/0x8b0
[   87.873553][   T47]  ? __pfx_worker_thread+0x10/0x10
[   87.875701][   T47]  ? __pfx_kthread+0x10/0x10
[   87.877587][   T47]  ? _raw_spin_unlock_irq+0x23/0x50
[   87.879481][   T47]  ? __pfx_kthread+0x10/0x10
[   87.881287][   T47]  ret_from_fork+0x51b/0xa40
[   87.883189][   T47]  ? __pfx_ret_from_fork+0x10/0x10
[   87.885376][   T47]  ? __switch_to+0xc82/0x1410
[   87.887452][   T47]  ? __pfx_kthread+0x10/0x10
[   87.889546][   T47]  ret_from_fork_asm+0x1a/0x30
[   87.891702][   T47]  </TASK>
[   87.893325][   T47] Kernel Offset: disabled
[   87.895063][   T47] Rebooting in 86400 seconds..