program:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000000)={0x1f, 0x8ef, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
r1 = syz_init_net_socket$bt_bnep(0x1f, 0x3, 0x4)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
ioctl$sock_bt_bnep_BNEPCONNADD(r1, 0x400442c8, &(0x7f00000001c0)=ANY=[@ANYRES32=r0])
openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x275a, 0x0)
mmap(&(0x7f0000212000/0x3000)=nil, 0x3000, 0x4, 0x4000010, 0xffffffffffffffff, 0xaed88000)
sendmmsg(0xffffffffffffffff, 0x0, 0x0, 0x9da9e16286660ba3)
syz_emit_vhci(&(0x7f0000000040)=@HCI_EVENT_PKT={0x4, @hci_ev_disconn_complete={{0x5, 0x4}, {0x0, 0xc8, 0x9}}}, 0x7)
bind$inet(0xffffffffffffffff, &(0x7f0000000200)={0x2, 0x4, @dev={0xac, 0x14, 0x14, 0xb3}}, 0x10)
[ 74.761105][ T46] Bluetooth: hci0: command tx timeout
[ 74.836500][ T5333] ==================================================================
[ 74.839728][ T5333] BUG: KASAN: slab-use-after-free in cfusbl_device_notify+0x140/0x6b0
[ 74.842984][ T5333] Read of size 8 at addr ffff888011ae0d48 by task syz.0.0/5333
[ 74.846148][ T5333]
[ 74.847267][ T5333] CPU: 0 UID: 0 PID: 5333 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 74.847288][ T5333] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 74.847296][ T5333] Call Trace:
[ 74.847303][ T5333]
[ 74.847309][ T5333] dump_stack_lvl+0xe8/0x150
[ 74.847329][ T5333] print_report+0xca/0x240
[ 74.847341][ T5333] ? cfusbl_device_notify+0x140/0x6b0
[ 74.847361][ T5333] kasan_report+0x118/0x150
[ 74.847411][ T5333] ? net_generic+0x1e/0x240
[ 74.847428][ T5333] ? cfusbl_device_notify+0x140/0x6b0
[ 74.847442][ T5333] cfusbl_device_notify+0x140/0x6b0
[ 74.847454][ T5333] ? net_generic+0x1e/0x240
[ 74.847466][ T5333] ? __pfx_cfusbl_device_notify+0x10/0x10
[ 74.847487][ T5333] ? caif_device_notify+0x250/0xfc0
[ 74.847510][ T5333] notifier_call_chain+0x19d/0x3a0
[ 74.847535][ T5333] register_netdevice+0x11f3/0x1a70
[ 74.847556][ T5333] ? __mutex_lock+0x5bb/0x1350
[ 74.847626][ T5333] ? __pfx_register_netdevice+0x10/0x10
[ 74.847649][ T5333] ? __asan_memset+0x22/0x50
[ 74.847672][ T5333] ? dev_addr_mod+0x2ce/0x3d0
[ 74.847692][ T5333] register_netdev+0x40/0x60
[ 74.847712][ T5333] bnep_add_connection+0x6c6/0xc70
[ 74.847735][ T5333] ? __pfx_bnep_add_connection+0x10/0x10
[ 74.847747][ T5333] ? __fget_files+0x3a0/0x420
[ 74.847760][ T5333] do_bnep_sock_ioctl+0x40e/0x670
[ 74.847772][ T5333] ? kasan_quarantine_put+0xbb/0x1f0
[ 74.847788][ T5333] ? __pfx_do_bnep_sock_ioctl+0x10/0x10
[ 74.847801][ T5333] ? tomoyo_path_number_perm+0x1bc/0x5a0
[ 74.847823][ T5333] sock_do_ioctl+0xdc/0x300
[ 74.847838][ T5333] ? __pfx_sock_do_ioctl+0x10/0x10
[ 74.847849][ T5333] ? do_futex+0x395/0x420
[ 74.847867][ T5333] sock_ioctl+0x576/0x790
[ 74.847879][ T5333] ? __pfx_sock_ioctl+0x10/0x10
[ 74.847891][ T5333] ? __fget_files+0x2a/0x420
[ 74.847902][ T5333] ? __fget_files+0x3a0/0x420
[ 74.847912][ T5333] ? __fget_files+0x2a/0x420
[ 74.847923][ T5333] ? bpf_lsm_file_ioctl+0x9/0x20
[ 74.847938][ T5333] ? __pfx_sock_ioctl+0x10/0x10
[ 74.847955][ T5333] __se_sys_ioctl+0xfc/0x170
[ 74.847969][ T5333] do_syscall_64+0xec/0xf80
[ 74.847979][ T5333] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.847988][ T5333] ? trace_irq_disable+0x37/0x100
[ 74.848005][ T5333] ? clear_bhb_loop+0x60/0xb0
[ 74.848017][ T5333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.848028][ T5333] RIP: 0033:0x7f7edeb8f7c9
[ 74.848039][ T5333] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 74.848050][ T5333] RSP: 002b:00007f7edfa7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 74.848062][ T5333] RAX: ffffffffffffffda RBX: 00007f7edede5fa0 RCX: 00007f7edeb8f7c9
[ 74.848070][ T5333] RDX: 00002000000001c0 RSI: 00000000400442c8 RDI: 0000000000000005
[ 74.848075][ T5333] RBP: 00007f7edec13f91 R08: 0000000000000000 R09: 0000000000000000
[ 74.848081][ T5333] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 74.848087][ T5333] R13: 00007f7edede6038 R14: 00007f7edede5fa0 R15: 00007ffda74b9408
[ 74.848098][ T5333]
[ 74.848103][ T5333]
[ 74.980287][ T5333] Allocated by task 4679:
[ 74.982345][ T5333] kasan_save_track+0x3e/0x80
[ 74.984384][ T5333] __kasan_kmalloc+0x93/0xb0
[ 74.986364][ T5333] __kmalloc_cache_noprof+0x3e2/0x700
[ 74.988493][ T5333] __hci_conn_add+0x3c5/0x1b30
[ 74.990413][ T5333] hci_conn_request_evt+0x576/0xbe0
[ 74.992493][ T5333] hci_event_packet+0x7e3/0x1260
[ 74.994443][ T5333] hci_rx_work+0x3ee/0x1060
[ 74.996232][ T5333] process_scheduled_works+0xad1/0x1770
[ 74.998418][ T5333] worker_thread+0x8a0/0xda0
[ 75.000473][ T5333] kthread+0x711/0x8a0
[ 75.002275][ T5333] ret_from_fork+0x510/0xa50
[ 75.004311][ T5333] ret_from_fork_asm+0x1a/0x30
[ 75.006387][ T5333]
[ 75.007466][ T5333] Freed by task 46:
[ 75.009132][ T5333] kasan_save_track+0x3e/0x80
[ 75.011189][ T5333] kasan_save_free_info+0x46/0x50
[ 75.013399][ T5333] __kasan_slab_free+0x5c/0x80
[ 75.015485][ T5333] kfree+0x1c0/0x660
[ 75.017032][ T5333] device_release+0x9e/0x1d0
[ 75.018940][ T5333] kobject_put+0x228/0x570
[ 75.020920][ T5333] hci_conn_del+0xc36/0x1240
[ 75.022928][ T5333] hci_disconn_complete_evt+0x64e/0x950
[ 75.025294][ T5333] hci_event_packet+0x7e3/0x1260
[ 75.027397][ T5333] hci_rx_work+0x3ee/0x1060
[ 75.029359][ T5333] process_scheduled_works+0xad1/0x1770
[ 75.031772][ T5333] worker_thread+0x8a0/0xda0
[ 75.033817][ T5333] kthread+0x711/0x8a0
[ 75.035601][ T5333] ret_from_fork+0x510/0xa50
[ 75.037243][ T5333] ret_from_fork_asm+0x1a/0x30
[ 75.039143][ T5333]
[ 75.040066][ T5333] Last potentially related work creation:
[ 75.042537][ T5333] kasan_save_stack+0x3e/0x60
[ 75.044613][ T5333] kasan_record_aux_stack+0xbd/0xd0
[ 75.046803][ T5333] insert_work+0x3d/0x330
[ 75.048706][ T5333] __queue_work+0xbae/0xf90
[ 75.050736][ T5333] queue_delayed_work_on+0x11a/0x1d0
[ 75.052775][ T5333] l2cap_chan_del+0x285/0x620
[ 75.054775][ T5333] l2cap_conn_del+0x326/0x5b0
[ 75.056730][ T5333] hci_disconn_complete_evt+0x501/0x950
[ 75.059430][ T5333] hci_event_packet+0x7e3/0x1260
[ 75.061487][ T5333] hci_rx_work+0x3ee/0x1060
[ 75.063443][ T5333] process_scheduled_works+0xad1/0x1770
[ 75.065541][ T5333] worker_thread+0x8a0/0xda0
[ 75.067450][ T5333] kthread+0x711/0x8a0
[ 75.069413][ T5333] ret_from_fork+0x510/0xa50
[ 75.071496][ T5333] ret_from_fork_asm+0x1a/0x30
[ 75.073469][ T5333]
[ 75.074534][ T5333] The buggy address belongs to the object at ffff888011ae0000
[ 75.074534][ T5333] which belongs to the cache kmalloc-8k of size 8192
[ 75.080388][ T5333] The buggy address is located 3400 bytes inside of
[ 75.080388][ T5333] freed 8192-byte region [ffff888011ae0000, ffff888011ae2000)
[ 75.086481][ T5333]
[ 75.087525][ T5333] The buggy address belongs to the physical page:
[ 75.090421][ T5333] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11ae0
[ 75.094257][ T5333] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 75.097729][ T5333] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 75.100614][ T5333] page_type: f5(slab)
[ 75.102070][ T5333] raw: 00fff00000000040 ffff88801a442280 dead000000000122 0000000000000000
[ 75.105140][ T5333] raw: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 75.108261][ T5333] head: 00fff00000000040 ffff88801a442280 dead000000000122 0000000000000000
[ 75.112013][ T5333] head: 0000000000000000 0000000000020002 00000000f5000000 0000000000000000
[ 75.115710][ T5333] head: 00fff00000000003 ffffea000046b801 00000000ffffffff 00000000ffffffff
[ 75.119423][ T5333] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 75.123162][ T5333] page dumped because: kasan: bad access detected
[ 75.125868][ T5333] page_owner tracks the page as allocated
[ 75.128322][ T5333] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4679, tgid 4679 (kworker/u5:1), ts 72319594209, free_ts 61017297025
[ 75.137673][ T5333] post_alloc_hook+0x234/0x290
[ 75.140085][ T5333] get_page_from_freelist+0x24e0/0x2580
[ 75.142500][ T5333] __alloc_frozen_pages_noprof+0x181/0x370
[ 75.145165][ T5333] alloc_pages_mpol+0x232/0x4a0
[ 75.147425][ T5333] allocate_slab+0x86/0x3b0
[ 75.149313][ T5333] ___slab_alloc+0xe53/0x1820
[ 75.151266][ T5333] __slab_alloc+0x65/0x100
[ 75.153020][ T5333] __kmalloc_cache_noprof+0x41e/0x700
[ 75.155304][ T5333] __hci_conn_add+0x3c5/0x1b30
[ 75.157462][ T5333] hci_conn_request_evt+0x576/0xbe0
[ 75.159831][ T5333] hci_event_packet+0x7e3/0x1260
[ 75.161992][ T5333] hci_rx_work+0x3ee/0x1060
[ 75.163980][ T5333] process_scheduled_works+0xad1/0x1770
[ 75.166333][ T5333] worker_thread+0x8a0/0xda0
[ 75.168370][ T5333] kthread+0x711/0x8a0
[ 75.170129][ T5333] ret_from_fork+0x510/0xa50
[ 75.172189][ T5333] page last free pid 5297 tgid 5297 stack trace:
[ 75.174984][ T5333] __free_frozen_pages+0xbc8/0xd30
[ 75.177255][ T5333] __slab_free+0x2ce/0x320
[ 75.179216][ T5333] qlist_free_all+0x97/0x100
[ 75.181303][ T5333] kasan_quarantine_reduce+0x148/0x160
[ 75.183719][ T5333] __kasan_slab_alloc+0x22/0x80
[ 75.185884][ T5333] __kmalloc_cache_noprof+0x37c/0x700
[ 75.188278][ T5333] tomoyo_init_log+0x183/0x1f70
[ 75.190502][ T5333] tomoyo_supervisor+0x340/0x1480
[ 75.192822][ T5333] tomoyo_path_permission+0x25a/0x380
[ 75.195193][ T5333] tomoyo_check_open_permission+0x24d/0x3b0
[ 75.197935][ T5333] security_file_open+0xb1/0x270
[ 75.200218][ T5333] do_dentry_open+0x34e/0x1420
[ 75.202375][ T5333] vfs_open+0x3b/0x340
[ 75.204246][ T5333] path_openat+0x340e/0x3dd0
[ 75.206198][ T5333] do_filp_open+0x1fa/0x410
[ 75.208410][ T5333] do_sys_openat2+0x121/0x200
[ 75.210502][ T5333]
[ 75.211610][ T5333] Memory state around the buggy address:
[ 75.214070][ T5333] ffff888011ae0c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.217527][ T5333] ffff888011ae0c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.221122][ T5333] >ffff888011ae0d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.224583][ T5333] ^
[ 75.227357][ T5333] ffff888011ae0d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.230899][ T5333] ffff888011ae0e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.234359][ T5333] ==================================================================
[ 75.376419][ T5333] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 75.380423][ T5333] CPU: 0 UID: 0 PID: 5333 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 75.384329][ T5333] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 75.389062][ T5333] Call Trace:
[ 75.390679][ T5333]
[ 75.391938][ T5333] vpanic+0x1e0/0x670
[ 75.393759][ T5333] panic+0xb9/0xc0
[ 75.395504][ T5333] ? __pfx_panic+0x10/0x10
[ 75.397434][ T5333] ? preempt_schedule_thunk+0x16/0x30
[ 75.399828][ T5333] ? cfusbl_device_notify+0x140/0x6b0
[ 75.402317][ T5333] check_panic_on_warn+0x89/0xb0
[ 75.404446][ T5333] ? cfusbl_device_notify+0x140/0x6b0
[ 75.406872][ T5333] end_report+0x6f/0x140
[ 75.408748][ T5333] kasan_report+0x129/0x150
[ 75.410810][ T5333] ? net_generic+0x1e/0x240
[ 75.412813][ T5333] ? cfusbl_device_notify+0x140/0x6b0
[ 75.415276][ T5333] cfusbl_device_notify+0x140/0x6b0
[ 75.417652][ T5333] ? net_generic+0x1e/0x240
[ 75.419739][ T5333] ? __pfx_cfusbl_device_notify+0x10/0x10
[ 75.422313][ T5333] ? caif_device_notify+0x250/0xfc0
[ 75.424641][ T5333] notifier_call_chain+0x19d/0x3a0
[ 75.426879][ T5333] register_netdevice+0x11f3/0x1a70
[ 75.429078][ T5333] ? __mutex_lock+0x5bb/0x1350
[ 75.431261][ T5333] ? __pfx_register_netdevice+0x10/0x10
[ 75.433891][ T5333] ? __asan_memset+0x22/0x50
[ 75.436077][ T5333] ? dev_addr_mod+0x2ce/0x3d0
[ 75.438328][ T5333] register_netdev+0x40/0x60
[ 75.440688][ T5333] bnep_add_connection+0x6c6/0xc70
[ 75.443213][ T5333] ? __pfx_bnep_add_connection+0x10/0x10
[ 75.445696][ T5333] ? __fget_files+0x3a0/0x420
[ 75.447758][ T5333] do_bnep_sock_ioctl+0x40e/0x670
[ 75.449939][ T5333] ? kasan_quarantine_put+0xbb/0x1f0
[ 75.452440][ T5333] ? __pfx_do_bnep_sock_ioctl+0x10/0x10
[ 75.455559][ T5333] ? tomoyo_path_number_perm+0x1bc/0x5a0
[ 75.458018][ T5333] sock_do_ioctl+0xdc/0x300
[ 75.460000][ T5333] ? __pfx_sock_do_ioctl+0x10/0x10
[ 75.462249][ T5333] ? do_futex+0x395/0x420
[ 75.464191][ T5333] sock_ioctl+0x576/0x790
[ 75.465990][ T5333] ? __pfx_sock_ioctl+0x10/0x10
[ 75.468104][ T5333] ? __fget_files+0x2a/0x420
[ 75.470130][ T5333] ? __fget_files+0x3a0/0x420
[ 75.472161][ T5333] ? __fget_files+0x2a/0x420
[ 75.474100][ T5333] ? bpf_lsm_file_ioctl+0x9/0x20
[ 75.476210][ T5333] ? __pfx_sock_ioctl+0x10/0x10
[ 75.478274][ T5333] __se_sys_ioctl+0xfc/0x170
[ 75.480351][ T5333] do_syscall_64+0xec/0xf80
[ 75.482103][ T5333] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.484626][ T5333] ? trace_irq_disable+0x37/0x100
[ 75.486769][ T5333] ? clear_bhb_loop+0x60/0xb0
[ 75.488731][ T5333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.491201][ T5333] RIP: 0033:0x7f7edeb8f7c9
[ 75.493116][ T5333] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 75.501126][ T5333] RSP: 002b:00007f7edfa7f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 75.504373][ T5333] RAX: ffffffffffffffda RBX: 00007f7edede5fa0 RCX: 00007f7edeb8f7c9
[ 75.507611][ T5333] RDX: 00002000000001c0 RSI: 00000000400442c8 RDI: 0000000000000005
[ 75.511019][ T5333] RBP: 00007f7edec13f91 R08: 0000000000000000 R09: 0000000000000000
[ 75.514526][ T5333] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 75.518323][ T5333] R13: 00007f7edede6038 R14: 00007f7edede5fa0 R15: 00007ffda74b9408
[ 75.521980][ T5333]
[ 75.523725][ T5333] Kernel Offset: disabled
[ 75.525569][ T5333] Rebooting in 86400 seconds..