program:
r0 = syz_open_dev$ttys(0xc, 0x2, 0x0)
fanotify_init(0x200, 0x0)
setxattr$trusted_overlay_upper(0x0, 0x0, 0x0, 0x835, 0x0)
setxattr$trusted_overlay_upper(0x0, 0x0, 0x0, 0x835, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
syz_emit_vhci(&(0x7f0000000140)=ANY=[@ANYBLOB="040e0109220c"], 0x7)
socket$nl_route(0x10, 0x3, 0x0)
ioctl$TIOCGPTPEER(r0, 0x5441, 0xfffffffffffffff8)
ioctl$TIOCSETD(r0, 0x5423, &(0x7f00000001c0)=0x14)
r1 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r1}, &(0x7f0000bbdffc))
r2 = accept4$packet(0xffffffffffffffff, 0x0, &(0x7f00000000c0), 0x80800)
ioctl$sock_SIOCGIFINDEX_80211(r2, 0x8933, &(0x7f0000000100)={'wlan0\x00'})
timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
r3 = syz_open_dev$usbfs(&(0x7f0000000040), 0x400000001ff, 0x101301)
r4 = openat$sr(0xffffffffffffff9c, &(0x7f0000000180), 0x400000, 0x0)
ioctl$COMEDI_UNLOCK(r4, 0x6406)
r5 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
r6 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
ioctl$sock_ifreq(r6, 0x8910, &(0x7f0000000000)={'veth0_vlan\x00', @ifru_ivalue=0x7})
ioctl$sock_netdev_private(r6, 0x8947, &(0x7f0000000000))
ioctl$sock_netdev_private(r5, 0x8914, &(0x7f0000000000))
r7 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
ioctl$sock_netdev_private(r7, 0x8949, &(0x7f0000000000))
ioctl$USBDEVFS_SUBMITURB(r3, 0x8038550a, &(0x7f0000000000)=@urb_type_control={0x2, {}, 0xfffffff8, 0x40, &(0x7f0000000080)={0x4b5a9da54893e123, 0x3, 0x10, 0xfffd}, 0x8, 0x0, 0x0, 0x0, 0x0, 0x20004, 0x0})
futex_waitv(&(0x7f0000001080)=[{0x3, &(0x7f0000001040)=0x3, 0x82}], 0x1, 0x0, 0x0, 0x1)
prctl$PR_MCE_KILL(0x4e, 0x1, 0x2)
r8 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000004b40), 0x402, 0x0)
ioctl$TIOCSETD(r8, 0x5423, &(0x7f0000004b80)=0x14)

[   75.341672][ T4667] Bluetooth: hci0: command tx timeout
[   75.552425][ T5321] usb usb5: Requested nonsensical USBDEVFS_URB_ZERO_PACKET.
[   76.253607][ T1314] ieee802154 phy0 wpan0: encryption failed: -22
[   76.256690][ T1314] ieee802154 phy1 wpan1: encryption failed: -22
[   76.260381][ T1314] ==================================================================
[   76.263706][ T1314] BUG: KASAN: slab-use-after-free in tty_write_room+0x35/0x90
[   76.267099][ T1314] Read of size 8 at addr ffff888011462020 by task aoe_tx0/1314
[   76.270394][ T1314] 
[   76.271391][ T1314] CPU: 0 UID: 0 PID: 1314 Comm: aoe_tx0 Not tainted syzkaller #0 PREEMPT(full) 
[   76.271405][ T1314] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   76.271413][ T1314] Call Trace:
[   76.271420][ T1314]  <TASK>
[   76.271426][ T1314]  dump_stack_lvl+0x189/0x250
[   76.271444][ T1314]  ? __virt_addr_valid+0x1c8/0x5c0
[   76.271464][ T1314]  ? rcu_is_watching+0x15/0xb0
[   76.271477][ T1314]  ? __pfx_dump_stack_lvl+0x10/0x10
[   76.271491][ T1314]  ? rcu_is_watching+0x15/0xb0
[   76.271503][ T1314]  ? lock_release+0x4b/0x3e0
[   76.271513][ T1314]  ? _raw_spin_lock_irqsave+0xb3/0xf0
[   76.271564][ T1314]  ? __virt_addr_valid+0x1c8/0x5c0
[   76.271578][ T1314]  ? __virt_addr_valid+0x4a5/0x5c0
[   76.271593][ T1314]  print_report+0xca/0x240
[   76.271606][ T1314]  ? tty_write_room+0x35/0x90
[   76.271616][ T1314]  kasan_report+0x118/0x150
[   76.271633][ T1314]  ? tty_write_room+0x35/0x90
[   76.271645][ T1314]  tty_write_room+0x35/0x90
[   76.271656][ T1314]  handle_tx+0x163/0x610
[   76.271675][ T1314]  dev_hard_start_xmit+0x2d7/0x830
[   76.271690][ T1314]  __dev_queue_xmit+0x1b8d/0x3b50
[   76.271703][ T1314]  ? __dev_queue_xmit+0x27b/0x3b50
[   76.271714][ T1314]  ? rcu_is_watching+0x15/0xb0
[   76.271725][ T1314]  ? trace_sched_exit_tp+0x36/0x110
[   76.271743][ T1314]  ? __pfx___dev_queue_xmit+0x10/0x10
[   76.271755][ T1314]  ? do_raw_spin_lock+0x121/0x290
[   76.271771][ T1314]  ? do_raw_spin_unlock+0x4d/0x240
[   76.271785][ T1314]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   76.271799][ T1314]  ? _raw_spin_unlock_irq+0x23/0x50
[   76.271811][ T1314]  ? lockdep_hardirqs_on+0x9c/0x150
[   76.271825][ T1314]  tx+0x6b/0x190
[   76.271838][ T1314]  ? __pfx_tx+0x10/0x10
[   76.271851][ T1314]  kthread+0x1d0/0x3e0
[   76.271864][ T1314]  ? __pfx_kthread+0x10/0x10
[   76.271875][ T1314]  ? __pfx_default_wake_function+0x10/0x10
[   76.271886][ T1314]  ? __kthread_parkme+0x7b/0x200
[   76.271898][ T1314]  ? __kthread_parkme+0x1a1/0x200
[   76.271912][ T1314]  kthread+0x711/0x8a0
[   76.271925][ T1314]  ? __pfx_kthread+0x10/0x10
[   76.271937][ T1314]  ? __pfx_kthread+0x10/0x10
[   76.271950][ T1314]  ? _raw_spin_unlock_irq+0x23/0x50
[   76.271961][ T1314]  ? lockdep_hardirqs_on+0x9c/0x150
[   76.271972][ T1314]  ? __pfx_kthread+0x10/0x10
[   76.271986][ T1314]  ret_from_fork+0x4bc/0x870
[   76.271997][ T1314]  ? __pfx_ret_from_fork+0x10/0x10
[   76.272010][ T1314]  ? __pfx_kthread+0x10/0x10
[   76.272023][ T1314]  ret_from_fork_asm+0x1a/0x30
[   76.272037][ T1314]  </TASK>
[   76.272041][ T1314] 
[   76.381848][ T1314] Allocated by task 5318:
[   76.383785][ T1314]  kasan_save_track+0x3e/0x80
[   76.385883][ T1314]  __kasan_kmalloc+0x93/0xb0
[   76.387883][ T1314]  __kmalloc_cache_noprof+0x3d5/0x6f0
[   76.390241][ T1314]  alloc_tty_struct+0xa6/0x780
[   76.392347][ T1314]  tty_init_dev+0x59/0x4d0
[   76.394253][ T1314]  tty_open+0x5a6/0xd10
[   76.395919][ T1314]  chrdev_open+0x4cc/0x5e0
[   76.397828][ T1314]  do_dentry_open+0x953/0x13f0
[   76.399829][ T1314]  vfs_open+0x3b/0x340
[   76.401604][ T1314]  path_openat+0x2ee5/0x3830
[   76.403622][ T1314]  do_filp_open+0x1fa/0x410
[   76.405695][ T1314]  do_sys_openat2+0x121/0x1c0
[   76.407755][ T1314]  __x64_sys_openat+0x138/0x170
[   76.409804][ T1314]  do_syscall_64+0xfa/0xfa0
[   76.411741][ T1314]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.414483][ T1314] 
[   76.415580][ T1314] Freed by task 5304:
[   76.417380][ T1314]  kasan_save_track+0x3e/0x80
[   76.419427][ T1314]  __kasan_save_free_info+0x46/0x50
[   76.421700][ T1314]  __kasan_slab_free+0x5c/0x80
[   76.423801][ T1314]  kfree+0x19a/0x6d0
[   76.425468][ T1314]  process_scheduled_works+0xae1/0x17b0
[   76.427902][ T1314]  worker_thread+0x8a0/0xda0
[   76.429831][ T1314]  kthread+0x711/0x8a0
[   76.431573][ T1314]  ret_from_fork+0x4bc/0x870
[   76.433609][ T1314]  ret_from_fork_asm+0x1a/0x30
[   76.435411][ T1314] 
[   76.436352][ T1314] Last potentially related work creation:
[   76.438758][ T1314]  kasan_save_stack+0x3e/0x60
[   76.440796][ T1314]  kasan_record_aux_stack+0xbd/0xd0
[   76.442989][ T1314]  insert_work+0x3d/0x330
[   76.444783][ T1314]  __queue_work+0xcd2/0xfb0
[   76.446667][ T1314]  queue_work_on+0x181/0x270
[   76.448579][ T1314]  tty_release_struct+0xb8/0xd0
[   76.450835][ T1314]  tty_release+0xcb0/0x1640
[   76.452869][ T1314]  __fput+0x44c/0xa70
[   76.454657][ T1314]  task_work_run+0x1d4/0x260
[   76.456694][ T1314]  exit_to_user_mode_loop+0xe9/0x130
[   76.458985][ T1314]  do_syscall_64+0x2bd/0xfa0
[   76.461078][ T1314]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.463723][ T1314] 
[   76.464777][ T1314] The buggy address belongs to the object at ffff888011462000
[   76.464777][ T1314]  which belongs to the cache kmalloc-cg-2k of size 2048
[   76.470854][ T1314] The buggy address is located 32 bytes inside of
[   76.470854][ T1314]  freed 2048-byte region [ffff888011462000, ffff888011462800)
[   76.476611][ T1314] 
[   76.477808][ T1314] The buggy address belongs to the physical page:
[   76.480844][ T1314] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11460
[   76.484598][ T1314] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   76.487968][ T1314] memcg:ffff888011aab001
[   76.489826][ T1314] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[   76.493124][ T1314] page_type: f5(slab)
[   76.494814][ T1314] raw: 00fff00000000040 ffff88801a04b3c0 dead000000000122 0000000000000000
[   76.498383][ T1314] raw: 0000000000000000 0000000000080008 00000000f5000000 ffff888011aab001
[   76.502325][ T1314] head: 00fff00000000040 ffff88801a04b3c0 dead000000000122 0000000000000000
[   76.506103][ T1314] head: 0000000000000000 0000000000080008 00000000f5000000 ffff888011aab001
[   76.509862][ T1314] head: 00fff00000000003 ffffea0000451801 00000000ffffffff 00000000ffffffff
[   76.513677][ T1314] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[   76.517122][ T1314] page dumped because: kasan: bad access detected
[   76.519832][ T1314] page_owner tracks the page as allocated
[   76.522284][ T1314] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5295, tgid 5295 (syz-executor), ts 73814497946, free_ts 73544993679
[   76.531279][ T1314]  post_alloc_hook+0x240/0x2a0
[   76.533372][ T1314]  get_page_from_freelist+0x2365/0x2440
[   76.535627][ T1314]  __alloc_frozen_pages_noprof+0x181/0x370
[   76.538223][ T1314]  alloc_pages_mpol+0x232/0x4a0
[   76.540420][ T1314]  allocate_slab+0x96/0x350
[   76.542502][ T1314]  ___slab_alloc+0xe94/0x18a0
[   76.544632][ T1314]  __slab_alloc+0x65/0x100
[   76.546680][ T1314]  __kvmalloc_node_noprof+0x6ba/0x910
[   76.548993][ T1314]  xt_alloc_table_info+0x40/0xb0
[   76.550976][ T1314]  do_ip6t_set_ctl+0x88a/0xce0
[   76.552990][ T1314]  nf_setsockopt+0x26f/0x290
[   76.554918][ T1314]  do_sock_setsockopt+0x25a/0x3e0
[   76.557014][ T1314]  __x64_sys_setsockopt+0x18b/0x220
[   76.559165][ T1314]  do_syscall_64+0xfa/0xfa0
[   76.561028][ T1314]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.564756][ T1314] page last free pid 5295 tgid 5295 stack trace:
[   76.567166][ T1314]  __free_frozen_pages+0xbc4/0xd30
[   76.569107][ T1314]  __slab_free+0x2e7/0x390
[   76.571272][ T1314]  qlist_free_all+0x97/0x140
[   76.573294][ T1314]  kasan_quarantine_reduce+0x148/0x160
[   76.575530][ T1314]  __kasan_slab_alloc+0x22/0x80
[   76.577635][ T1314]  kmem_cache_alloc_node_noprof+0x433/0x710
[   76.580203][ T1314]  __alloc_skb+0x112/0x2d0
[   76.582119][ T1314]  netlink_sendmsg+0x5c6/0xb30
[   76.584159][ T1314]  __sock_sendmsg+0x21c/0x270
[   76.585967][ T1314]  __sys_sendto+0x3bd/0x520
[   76.587826][ T1314]  __x64_sys_sendto+0xde/0x100
[   76.589772][ T1314]  do_syscall_64+0xfa/0xfa0
[   76.591594][ T1314]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.594247][ T1314] 
[   76.595324][ T1314] Memory state around the buggy address:
[   76.597795][ T1314]  ffff888011461f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   76.601291][ T1314]  ffff888011461f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   76.604770][ T1314] >ffff888011462000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   76.608183][ T1314]                                ^
[   76.610416][ T1314]  ffff888011462080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   76.613799][ T1314]  ffff888011462100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   76.617151][ T1314] ==================================================================
[   76.620814][ T1314] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   76.623978][ T1314] CPU: 0 UID: 0 PID: 1314 Comm: aoe_tx0 Not tainted syzkaller #0 PREEMPT(full) 
[   76.627910][ T1314] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   76.632755][ T1314] Call Trace:
[   76.634306][ T1314]  <TASK>
[   76.635590][ T1314]  dump_stack_lvl+0x99/0x250
[   76.637664][ T1314]  ? __asan_memcpy+0x40/0x70
[   76.639682][ T1314]  ? __pfx_dump_stack_lvl+0x10/0x10
[   76.641946][ T1314]  ? __pfx__printk+0x10/0x10
[   76.644023][ T1314]  vpanic+0x237/0x6d0
[   76.645777][ T1314]  ? __pfx_vpanic+0x10/0x10
[   76.647773][ T1314]  panic+0xb9/0xc0
[   76.649478][ T1314]  ? __pfx_panic+0x10/0x10
[   76.651560][ T1314]  ? _raw_spin_unlock_irqrestore+0xa8/0x110
[   76.654244][ T1314]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   76.656791][ T1314]  ? is_module_address+0x17/0xf0
[   76.658971][ T1314]  ? tty_write_room+0x35/0x90
[   76.660974][ T1314]  check_panic_on_warn+0x89/0xb0
[   76.663146][ T1314]  ? tty_write_room+0x35/0x90
[   76.665158][ T1314]  end_report+0x78/0x160
[   76.667061][ T1314]  kasan_report+0x129/0x150
[   76.669105][ T1314]  ? tty_write_room+0x35/0x90
[   76.671103][ T1314]  tty_write_room+0x35/0x90
[   76.673107][ T1314]  handle_tx+0x163/0x610
[   76.674973][ T1314]  dev_hard_start_xmit+0x2d7/0x830
[   76.677170][ T1314]  __dev_queue_xmit+0x1b8d/0x3b50
[   76.679491][ T1314]  ? __dev_queue_xmit+0x27b/0x3b50
[   76.681793][ T1314]  ? rcu_is_watching+0x15/0xb0
[   76.683948][ T1314]  ? trace_sched_exit_tp+0x36/0x110
[   76.686279][ T1314]  ? __pfx___dev_queue_xmit+0x10/0x10
[   76.688695][ T1314]  ? do_raw_spin_lock+0x121/0x290
[   76.690985][ T1314]  ? do_raw_spin_unlock+0x4d/0x240
[   76.693322][ T1314]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   76.695938][ T1314]  ? _raw_spin_unlock_irq+0x23/0x50
[   76.698328][ T1314]  ? lockdep_hardirqs_on+0x9c/0x150
[   76.700733][ T1314]  tx+0x6b/0x190
[   76.702376][ T1314]  ? __pfx_tx+0x10/0x10
[   76.704328][ T1314]  kthread+0x1d0/0x3e0
[   76.706200][ T1314]  ? __pfx_kthread+0x10/0x10
[   76.708278][ T1314]  ? __pfx_default_wake_function+0x10/0x10
[   76.710887][ T1314]  ? __kthread_parkme+0x7b/0x200
[   76.713082][ T1314]  ? __kthread_parkme+0x1a1/0x200
[   76.715284][ T1314]  kthread+0x711/0x8a0
[   76.716952][ T1314]  ? __pfx_kthread+0x10/0x10
[   76.718953][ T1314]  ? __pfx_kthread+0x10/0x10
[   76.720941][ T1314]  ? _raw_spin_unlock_irq+0x23/0x50
[   76.723232][ T1314]  ? lockdep_hardirqs_on+0x9c/0x150
[   76.725397][ T1314]  ? __pfx_kthread+0x10/0x10
[   76.727287][ T1314]  ret_from_fork+0x4bc/0x870
[   76.729213][ T1314]  ? __pfx_ret_from_fork+0x10/0x10
[   76.731537][ T1314]  ? __pfx_kthread+0x10/0x10
[   76.733671][ T1314]  ret_from_fork_asm+0x1a/0x30
[   76.735755][ T1314]  </TASK>
[   76.737546][ T1314] Kernel Offset: disabled
[   76.739538][ T1314] Rebooting in 86400 seconds..