==================================================================
BUG: KASAN: slab-use-after-free in __mutex_lock+0x80d/0x1550
Read of size 8 at addr ffff88810a5ee2e8 by task kworker/1:7/7759

CPU: 1 UID: 0 PID: 7759 Comm: kworker/1:7 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Workqueue: events l2cap_chan_timeout
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150
 print_address_description+0x55/0x1e0
 print_report+0x58/0x70
 kasan_report+0x117/0x150
 __mutex_lock+0x80d/0x1550
 l2cap_chan_timeout+0x63/0x3b0
 process_scheduled_works+0xb5d/0x1860
 worker_thread+0xa53/0xfc0
 kthread+0x388/0x470
 ret_from_fork+0x514/0xb70
 ret_from_fork_asm+0x1a/0x30
 </TASK>

Allocated by task 5610:
 kasan_save_track+0x3e/0x80
 __kasan_kmalloc+0x93/0xb0
 __kmalloc_cache_noprof+0x31c/0x660
 l2cap_conn_add+0xaa/0x960
 l2cap_connect_cfm+0x142/0x1560
 hci_remote_features_evt+0x5b9/0x950
 hci_event_packet+0x6ab/0xef0
 hci_rx_work+0x3ee/0x1040
 process_scheduled_works+0xb5d/0x1860
 worker_thread+0xa53/0xfc0
 kthread+0x388/0x470
 ret_from_fork+0x514/0xb70
 ret_from_fork_asm+0x1a/0x30

Freed by task 5617:
 kasan_save_track+0x3e/0x80
 kasan_save_free_info+0x46/0x50
 __kasan_slab_free+0x5c/0x80
 kfree+0x1c5/0x640
 hci_conn_hash_flush+0x10d/0x260
 hci_dev_close_sync+0x821/0x10e0
 hci_unregister_dev+0x21a/0x5a0
 vhci_release+0x152/0x1a0
 __fput+0x44f/0xa60
 task_work_run+0x1d9/0x270
 do_exit+0x70f/0x22c0
 do_group_exit+0x21b/0x2d0
 get_signal+0x1284/0x1330
 arch_do_signal_or_restart+0xbc/0x830
 irqentry_exit+0x284/0x730
 asm_exc_page_fault+0x26/0x30

Last potentially related work creation:
 kasan_save_stack+0x3e/0x60
 kasan_record_aux_stack+0xbd/0xd0
 insert_work+0x3d/0x330
 __queue_work+0xccf/0xfc0
 call_timer_fn+0x192/0x5e0
 __run_timer_base+0x67e/0x8b0
 run_timer_softirq+0xb7/0x170
 handle_softirqs+0x22a/0x840
 __irq_exit_rcu+0xca/0x220
 irq_exit_rcu+0x9/0x30
 sysvec_apic_timer_interrupt+0xa6/0xc0
 asm_sysvec_apic_timer_interrupt+0x1a/0x20

Second to last potentially related work creation:
 kasan_save_stack+0x3e/0x60
 kasan_record_aux_stack+0xbd/0xd0
 insert_work+0x3d/0x330
 __queue_work+0xbad/0xfc0
 queue_work_on+0x106/0x1d0
 l2cap_connect_cfm+0x10f5/0x1560
 hci_remote_features_evt+0x5b9/0x950
 hci_event_packet+0x6ab/0xef0
 hci_rx_work+0x3ee/0x1040
 process_scheduled_works+0xb5d/0x1860
 worker_thread+0xa53/0xfc0
 kthread+0x388/0x470
 ret_from_fork+0x514/0xb70
 ret_from_fork_asm+0x1a/0x30

The buggy address belongs to the object at ffff88810a5ee000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 744 bytes inside of
 freed 1024-byte region [ffff88810a5ee000, ffff88810a5ee400)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88810a5ed800 pfn:0x10a5e8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x17ff00000000240(workingset|head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 017ff00000000240 ffff888100041dc0 ffffea0000882210 ffffea00044aa810
raw: ffff88810a5ed800 000000080010000b 00000000f5000000 0000000000000000
head: 017ff00000000240 ffff888100041dc0 ffffea0000882210 ffffea00044aa810
head: ffff88810a5ed800 000000080010000b 00000000f5000000 0000000000000000
head: 017ff00000000003 fffffffffffffe01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5604, tgid 5604 (sshd), ts 60391644899, free_ts 60390832434
 post_alloc_hook+0x231/0x280
 get_page_from_freelist+0x24ba/0x2540
 __alloc_frozen_pages_noprof+0x18d/0x380
 allocate_slab+0x77/0x660
 refill_objects+0x339/0x3d0
 __pcs_replace_empty_main+0x321/0x720
 __kmalloc_noprof+0x474/0x760
 load_elf_phdrs+0x13e/0x240
 load_elf_binary+0xa0f/0x2980
 bprm_execve+0x94a/0x1440
 do_execveat_common+0x50d/0x690
 __x64_sys_execve+0x97/0xc0
 do_syscall_64+0x15f/0xf80
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 15 tgid 15 stack trace:
 __free_frozen_pages+0xbc7/0xd30
 __folio_put+0x4a2/0x580
 skb_release_data+0x544/0xa60
 napi_consume_skb+0x1e7/0x2a0
 skb_defer_free_flush+0x191/0x260
 net_rx_action+0x455/0xf70
 handle_softirqs+0x22a/0x840
 run_ksoftirqd+0x36/0x60
 smpboot_thread_fn+0x541/0xa50
 kthread+0x388/0x470
 ret_from_fork+0x514/0xb70
 ret_from_fork_asm+0x1a/0x30

Memory state around the buggy address:
 ffff88810a5ee180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88810a5ee200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88810a5ee280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                          ^
 ffff88810a5ee300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88810a5ee380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
