program:
r0 = syz_open_dev$ttys(0xc, 0x2, 0x0)
ioctl$TIOCSETD(r0, 0x5423, &(0x7f00000001c0)=0x14)
r1 = openat$ttyprintk(0xffffffffffffff9c, &(0x7f0000004b40), 0x402, 0x0)
ioctl$TIOCSETD(r1, 0x5423, &(0x7f0000004b80)=0x14)
socket$nl_route(0x10, 0x3, 0x0)
syz_open_procfs(0x0, &(0x7f00000001c0)='maps\x00')
syz_usb_connect$cdc_ncm(0x0, 0x6e, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000009000008250200000000000000010902"], 0x0)
r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0)
ioctl$KVM_CREATE_IRQCHIP(r3, 0xae60)
ioctl$KVM_CREATE_IRQCHIP(r3, 0xae60)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
r5 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r5, 0x400448cb, 0x0)
openat$snapshot(0xffffffffffffff9c, &(0x7f00000002c0), 0x40040, 0x0)
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="040e0402030c", @ANYRES32=r4], 0x7)

[   75.394865][ T5298] Bluetooth: hci0: command tx timeout
[   75.785117][ T5312] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[   75.936816][ T5312] usb 5-1: Using ep0 maxpacket: 8
[   75.942304][ T5312] usb 5-1: config 0 has no interfaces?
[   75.947056][ T5312] usb 5-1: New USB device found, idVendor=0225, idProduct=0000, bcdDevice= 0.00
[   75.950909][ T5312] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[   75.963880][ T5312] usb 5-1: config 0 descriptor??
[   76.307942][ T5319] Bluetooth: hci0: Opcode 0x0c03 failed: -112
[   76.347922][ T5320] Bluetooth: hci0: Opcode 0x0c1a failed: -31
[   76.415170][ T5312] usb 5-1: USB disconnect, device number 2
[   76.455752][ T1314] ieee802154 phy0 wpan0: encryption failed: -22
[   76.458913][ T1314] ieee802154 phy1 wpan1: encryption failed: -22
[   76.462530][ T1314] ==================================================================
[   76.466045][ T1314] BUG: KASAN: slab-use-after-free in tty_write_room+0x35/0x90
[   76.469344][ T1314] Read of size 8 at addr ffff88803ffe2020 by task aoe_tx0/1314
[   76.472747][ T1314] 
[   76.473942][ T1314] CPU: 0 UID: 0 PID: 1314 Comm: aoe_tx0 Not tainted syzkaller #0 PREEMPT(full) 
[   76.473956][ T1314] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   76.473962][ T1314] Call Trace:
[   76.473970][ T1314]  <TASK>
[   76.473976][ T1314]  dump_stack_lvl+0x189/0x250
[   76.473992][ T1314]  ? __virt_addr_valid+0x1c8/0x5c0
[   76.474003][ T1314]  ? rcu_is_watching+0x15/0xb0
[   76.474018][ T1314]  ? __pfx_dump_stack_lvl+0x10/0x10
[   76.474027][ T1314]  ? rcu_is_watching+0x15/0xb0
[   76.474042][ T1314]  ? lock_release+0x4b/0x3e0
[   76.474054][ T1314]  ? _raw_spin_lock_irqsave+0xb3/0xf0
[   76.474121][ T1314]  ? __virt_addr_valid+0x1c8/0x5c0
[   76.474130][ T1314]  ? __virt_addr_valid+0x4a5/0x5c0
[   76.474141][ T1314]  print_report+0xca/0x240
[   76.474154][ T1314]  ? tty_write_room+0x35/0x90
[   76.474164][ T1314]  kasan_report+0x118/0x150
[   76.474177][ T1314]  ? tty_write_room+0x35/0x90
[   76.474188][ T1314]  tty_write_room+0x35/0x90
[   76.474198][ T1314]  handle_tx+0x163/0x610
[   76.474258][ T1314]  dev_hard_start_xmit+0x2d7/0x830
[   76.474278][ T1314]  __dev_queue_xmit+0x1b8d/0x3b50
[   76.474294][ T1314]  ? __dev_queue_xmit+0x27b/0x3b50
[   76.474309][ T1314]  ? rcu_is_watching+0x15/0xb0
[   76.474323][ T1314]  ? trace_sched_exit_tp+0x36/0x110
[   76.474335][ T1314]  ? __pfx___dev_queue_xmit+0x10/0x10
[   76.474352][ T1314]  ? do_raw_spin_lock+0x121/0x290
[   76.474365][ T1314]  ? do_raw_spin_unlock+0x4d/0x240
[   76.474376][ T1314]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   76.474392][ T1314]  ? _raw_spin_unlock_irq+0x23/0x50
[   76.474406][ T1314]  ? lockdep_hardirqs_on+0x9c/0x150
[   76.474423][ T1314]  tx+0x6b/0x190
[   76.474435][ T1314]  ? __pfx_tx+0x10/0x10
[   76.474447][ T1314]  kthread+0x1d0/0x3e0
[   76.474460][ T1314]  ? __pfx_kthread+0x10/0x10
[   76.474471][ T1314]  ? __pfx_default_wake_function+0x10/0x10
[   76.474482][ T1314]  ? __kthread_parkme+0x7b/0x200
[   76.474495][ T1314]  ? __kthread_parkme+0x1a1/0x200
[   76.474509][ T1314]  kthread+0x711/0x8a0
[   76.474520][ T1314]  ? __pfx_kthread+0x10/0x10
[   76.474530][ T1314]  ? __pfx_kthread+0x10/0x10
[   76.474539][ T1314]  ? _raw_spin_unlock_irq+0x23/0x50
[   76.474551][ T1314]  ? lockdep_hardirqs_on+0x9c/0x150
[   76.474565][ T1314]  ? __pfx_kthread+0x10/0x10
[   76.474574][ T1314]  ret_from_fork+0x4bc/0x870
[   76.474595][ T1314]  ? __pfx_ret_from_fork+0x10/0x10
[   76.474609][ T1314]  ? __pfx_kthread+0x10/0x10
[   76.474618][ T1314]  ret_from_fork_asm+0x1a/0x30
[   76.474634][ T1314]  </TASK>
[   76.474637][ T1314] 
[   76.579200][ T1314] Allocated by task 5319:
[   76.581114][ T1314]  kasan_save_track+0x3e/0x80
[   76.583180][ T1314]  __kasan_kmalloc+0x93/0xb0
[   76.585210][ T1314]  __kmalloc_cache_noprof+0x3d5/0x6f0
[   76.587482][ T1314]  alloc_tty_struct+0xa6/0x780
[   76.589643][ T1314]  tty_init_dev+0x59/0x4d0
[   76.591437][ T1314]  tty_open+0x5a6/0xd10
[   76.593163][ T1314]  chrdev_open+0x4cc/0x5e0
[   76.595176][ T1314]  do_dentry_open+0x953/0x13f0
[   76.597689][ T1314]  vfs_open+0x3b/0x340
[   76.599708][ T1314]  path_openat+0x2ee5/0x3830
[   76.601654][ T1314]  do_filp_open+0x1fa/0x410
[   76.603451][ T1314]  do_sys_openat2+0x121/0x1c0
[   76.605328][ T1314]  __x64_sys_openat+0x138/0x170
[   76.607380][ T1314]  do_syscall_64+0xfa/0xfa0
[   76.609336][ T1314]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.611803][ T1314] 
[   76.612798][ T1314] Freed by task 5297:
[   76.614422][ T1314]  kasan_save_track+0x3e/0x80
[   76.616369][ T1314]  __kasan_save_free_info+0x46/0x50
[   76.618487][ T1314]  __kasan_slab_free+0x5c/0x80
[   76.620664][ T1314]  kfree+0x19a/0x6d0
[   76.622561][ T1314]  process_scheduled_works+0xae1/0x17b0
[   76.625558][ T1314]  worker_thread+0x8a0/0xda0
[   76.628027][ T1314]  kthread+0x711/0x8a0
[   76.630224][ T1314]  ret_from_fork+0x4bc/0x870
[   76.632747][ T1314]  ret_from_fork_asm+0x1a/0x30
[   76.635348][ T1314] 
[   76.636754][ T1314] Last potentially related work creation:
[   76.639476][ T1314]  kasan_save_stack+0x3e/0x60
[   76.641212][ T1314]  kasan_record_aux_stack+0xbd/0xd0
[   76.643425][ T1314]  insert_work+0x3d/0x330
[   76.645307][ T1314]  __queue_work+0xcd2/0xfb0
[   76.647317][ T1314]  queue_work_on+0x181/0x270
[   76.649336][ T1314]  tty_release_struct+0xb8/0xd0
[   76.651547][ T1314]  tty_release+0xcb0/0x1640
[   76.653614][ T1314]  __fput+0x44c/0xa70
[   76.655254][ T1314]  task_work_run+0x1d4/0x260
[   76.657259][ T1314]  exit_to_user_mode_loop+0xe9/0x130
[   76.659363][ T1314]  do_syscall_64+0x2bd/0xfa0
[   76.661236][ T1314]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.663473][ T1314] 
[   76.664507][ T1314] The buggy address belongs to the object at ffff88803ffe2000
[   76.664507][ T1314]  which belongs to the cache kmalloc-cg-2k of size 2048
[   76.669970][ T1314] The buggy address is located 32 bytes inside of
[   76.669970][ T1314]  freed 2048-byte region [ffff88803ffe2000, ffff88803ffe2800)
[   76.675460][ T1314] 
[   76.676488][ T1314] The buggy address belongs to the physical page:
[   76.679298][ T1314] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3ffe0
[   76.682919][ T1314] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[   76.686735][ T1314] memcg:ffff8880426f0f81
[   76.688696][ T1314] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
[   76.692197][ T1314] page_type: f5(slab)
[   76.694055][ T1314] raw: 04fff00000000040 ffff88801a44b3c0 dead000000000122 0000000000000000
[   76.697542][ T1314] raw: 0000000000000000 0000000000080008 00000000f5000000 ffff8880426f0f81
[   76.701436][ T1314] head: 04fff00000000040 ffff88801a44b3c0 dead000000000122 0000000000000000
[   76.704728][ T1314] head: 0000000000000000 0000000000080008 00000000f5000000 ffff8880426f0f81
[   76.708550][ T1314] head: 04fff00000000003 ffffea0000fff801 00000000ffffffff 00000000ffffffff
[   76.712097][ T1314] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[   76.715833][ T1314] page dumped because: kasan: bad access detected
[   76.718458][ T1314] page_owner tracks the page as allocated
[   76.720997][ T1314] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5296, tgid 5296 (syz-executor), ts 73840703418, free_ts 73832212721
[   76.730018][ T1314]  post_alloc_hook+0x240/0x2a0
[   76.732110][ T1314]  get_page_from_freelist+0x2365/0x2440
[   76.734483][ T1314]  __alloc_frozen_pages_noprof+0x181/0x370
[   76.737101][ T1314]  alloc_pages_mpol+0x232/0x4a0
[   76.739243][ T1314]  allocate_slab+0x96/0x3a0
[   76.741128][ T1314]  ___slab_alloc+0xe94/0x18a0
[   76.743092][ T1314]  __slab_alloc+0x65/0x100
[   76.744904][ T1314]  __kvmalloc_node_noprof+0x6ba/0x910
[   76.747612][ T1314]  xt_alloc_table_info+0x40/0xb0
[   76.749785][ T1314]  do_ip6t_set_ctl+0x88a/0xce0
[   76.752191][ T1314]  nf_setsockopt+0x26f/0x290
[   76.754148][ T1314]  do_sock_setsockopt+0x25a/0x3e0
[   76.756456][ T1314]  __x64_sys_setsockopt+0x18b/0x220
[   76.758782][ T1314]  do_syscall_64+0xfa/0xfa0
[   76.760648][ T1314]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.763146][ T1314] page last free pid 73 tgid 73 stack trace:
[   76.765781][ T1314]  __free_frozen_pages+0xbc4/0xd30
[   76.767922][ T1314]  __slab_free+0x2e7/0x390
[   76.769929][ T1314]  qlist_free_all+0x97/0x140
[   76.771965][ T1314]  kasan_quarantine_reduce+0x148/0x160
[   76.774347][ T1314]  __kasan_slab_alloc+0x22/0x80
[   76.776587][ T1314]  kmem_cache_alloc_node_noprof+0x433/0x710
[   76.779211][ T1314]  zswap_store+0xbc8/0x1f40
[   76.781331][ T1314]  swap_writeout+0x710/0xd70
[   76.783504][ T1314]  shrink_folio_list+0x3011/0x4c70
[   76.785794][ T1314]  evict_folios+0x471e/0x57c0
[   76.787909][ T1314]  try_to_shrink_lruvec+0x8a3/0xb50
[   76.790277][ T1314]  shrink_one+0x21b/0x7c0
[   76.792203][ T1314]  shrink_node+0x315d/0x3780
[   76.794285][ T1314]  kswapd+0x147c/0x2800
[   76.796136][ T1314]  kthread+0x711/0x8a0
[   76.797922][ T1314]  ret_from_fork+0x4bc/0x870
[   76.800029][ T1314] 
[   76.801115][ T1314] Memory state around the buggy address:
[   76.803513][ T1314]  ffff88803ffe1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   76.807005][ T1314]  ffff88803ffe1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   76.810306][ T1314] >ffff88803ffe2000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   76.813656][ T1314]                                ^
[   76.815777][ T1314]  ffff88803ffe2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   76.819210][ T1314]  ffff88803ffe2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   76.822670][ T1314] ==================================================================
[   76.826555][ T1314] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   76.829645][ T1314] CPU: 0 UID: 0 PID: 1314 Comm: aoe_tx0 Not tainted syzkaller #0 PREEMPT(full) 
[   76.833441][ T1314] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   76.838088][ T1314] Call Trace:
[   76.839534][ T1314]  <TASK>
[   76.840825][ T1314]  dump_stack_lvl+0x99/0x250
[   76.842863][ T1314]  ? __asan_memcpy+0x40/0x70
[   76.844948][ T1314]  ? __pfx_dump_stack_lvl+0x10/0x10
[   76.847311][ T1314]  ? __pfx__printk+0x10/0x10
[   76.849393][ T1314]  vpanic+0x237/0x6d0
[   76.851110][ T1314]  ? __pfx_vpanic+0x10/0x10
[   76.853130][ T1314]  panic+0xb9/0xc0
[   76.854728][ T1314]  ? __pfx_panic+0x10/0x10
[   76.856679][ T1314]  ? _raw_spin_unlock_irqrestore+0xa8/0x110
[   76.859058][ T1314]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   76.861333][ T1314]  ? is_module_address+0x17/0xf0
[   76.863187][ T1314]  ? tty_write_room+0x35/0x90
[   76.865032][ T1314]  check_panic_on_warn+0x89/0xb0
[   76.866810][ T1314]  ? tty_write_room+0x35/0x90
[   76.868615][ T1314]  end_report+0x78/0x160
[   76.870196][ T1314]  kasan_report+0x129/0x150
[   76.871902][ T1314]  ? tty_write_room+0x35/0x90
[   76.873702][ T1314]  tty_write_room+0x35/0x90
[   76.875383][ T1314]  handle_tx+0x163/0x610
[   76.877084][ T1314]  dev_hard_start_xmit+0x2d7/0x830
[   76.879047][ T1314]  __dev_queue_xmit+0x1b8d/0x3b50
[   76.881067][ T1314]  ? __dev_queue_xmit+0x27b/0x3b50
[   76.883118][ T1314]  ? rcu_is_watching+0x15/0xb0
[   76.885035][ T1314]  ? trace_sched_exit_tp+0x36/0x110
[   76.887269][ T1314]  ? __pfx___dev_queue_xmit+0x10/0x10
[   76.889893][ T1314]  ? do_raw_spin_lock+0x121/0x290
[   76.892349][ T1314]  ? do_raw_spin_unlock+0x4d/0x240
[   76.894436][ T1314]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   76.896848][ T1314]  ? _raw_spin_unlock_irq+0x23/0x50
[   76.898870][ T1314]  ? lockdep_hardirqs_on+0x9c/0x150
[   76.900837][ T1314]  tx+0x6b/0x190
[   76.902302][ T1314]  ? __pfx_tx+0x10/0x10
[   76.903913][ T1314]  kthread+0x1d0/0x3e0
[   76.905566][ T1314]  ? __pfx_kthread+0x10/0x10
[   76.907334][ T1314]  ? __pfx_default_wake_function+0x10/0x10
[   76.909861][ T1314]  ? __kthread_parkme+0x7b/0x200
[   76.912007][ T1314]  ? __kthread_parkme+0x1a1/0x200
[   76.914204][ T1314]  kthread+0x711/0x8a0
[   76.915999][ T1314]  ? __pfx_kthread+0x10/0x10
[   76.917958][ T1314]  ? __pfx_kthread+0x10/0x10
[   76.919933][ T1314]  ? _raw_spin_unlock_irq+0x23/0x50
[   76.922197][ T1314]  ? lockdep_hardirqs_on+0x9c/0x150
[   76.924434][ T1314]  ? __pfx_kthread+0x10/0x10
[   76.926603][ T1314]  ret_from_fork+0x4bc/0x870
[   76.928677][ T1314]  ? __pfx_ret_from_fork+0x10/0x10
[   76.930882][ T1314]  ? __pfx_kthread+0x10/0x10
[   76.932925][ T1314]  ret_from_fork_asm+0x1a/0x30
[   76.934961][ T1314]  </TASK>
[   76.936730][ T1314] Kernel Offset: disabled
[   76.938657][ T1314] Rebooting in 86400 seconds..