syzbot

==================================================================
BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:43 [inline]
BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:1010 [inline]
BUG: KASAN: use-after-free in kfree_skb+0x2a/0xb0 net/core/skbuff.c:693
Read of size 4 at addr ffff8880a0ee3c54 by task syz-executor933/7994

CPU: 1 PID: 7994 Comm: syz-executor933 Not tainted 5.4.0-rc6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x2f8 lib/dump_stack.c:113
 print_address_description+0x75/0x5c0 mm/kasan/report.c:374
 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506
 kasan_report+0x26/0x50 mm/kasan/common.c:634
 check_memory_region_inline mm/kasan/generic.c:182 [inline]
 check_memory_region+0x2cf/0x2e0 mm/kasan/generic.c:192
 __kasan_check_read+0x11/0x20 mm/kasan/common.c:92
 atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
 refcount_read include/linux/refcount.h:43 [inline]
 skb_unref include/linux/skbuff.h:1010 [inline]
 kfree_skb+0x2a/0xb0 net/core/skbuff.c:693
 bcsp_close+0xb1/0xf0 drivers/bluetooth/hci_bcsp.c:748
 hci_uart_tty_close+0x201/0x240 drivers/bluetooth/hci_ldisc.c:548
 tty_ldisc_close+0x126/0x180 drivers/tty/tty_ldisc.c:494
 tty_ldisc_kill drivers/tty/tty_ldisc.c:642 [inline]
 tty_ldisc_release+0x248/0x5a0 drivers/tty/tty_ldisc.c:814
 tty_release_struct+0x2a/0xe0 drivers/tty/tty_io.c:1612
 tty_release+0xce9/0xfa0 drivers/tty/tty_io.c:1785
 __fput+0x2e4/0x740 fs/file_table.c:280
 ____fput+0x15/0x20 fs/file_table.c:313
 task_work_run+0x17e/0x1b0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop arch/x86/entry/common.c:163 [inline]
 prepare_exit_to_usermode+0x459/0x580 arch/x86/entry/common.c:194
 syscall_return_slowpath+0x113/0x4a0 arch/x86/entry/common.c:274
 do_syscall_64+0x11f/0x1c0 arch/x86/entry/common.c:300
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4076d1
Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 24 1a 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007ffe59a19680 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00000000004076d1
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00000000006dec4c R08: 00000000004b1469 R09: 00000000004b1469
R10: 00007ffe59a196a0 R11: 0000000000000293 R12: 00000000006dec50
R13: 0000000000000000 R14: 20c49ba5e353f7cf R15: 0000000000000009

Allocated by task 7:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:510
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:518
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slab.c:3262 [inline]
 kmem_cache_alloc_node+0x235/0x280 mm/slab.c:3574
 __alloc_skb+0x9f/0x500 net/core/skbuff.c:197
 alloc_skb include/linux/skbuff.h:1049 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:339 [inline]
 bcsp_recv+0x12e7/0x1720 drivers/bluetooth/hci_bcsp.c:670
 hci_uart_tty_receive+0x16b/0x470 drivers/bluetooth/hci_ldisc.c:613
 tty_ldisc_receive_buf+0x12e/0x170 drivers/tty/tty_buffer.c:465
 tty_port_default_receive_buf+0x82/0xb0 drivers/tty/tty_port.c:38
 receive_buf drivers/tty/tty_buffer.c:481 [inline]
 flush_to_ldisc+0x328/0x550 drivers/tty/tty_buffer.c:533
 process_one_work+0x7ef/0x10e0 kernel/workqueue.c:2269
 worker_thread+0xc01/0x1630 kernel/workqueue.c:2415
 kthread+0x332/0x350 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 7:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 kasan_set_free_info mm/kasan/common.c:332 [inline]
 __kasan_slab_free+0x12a/0x1e0 mm/kasan/common.c:471
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:480
 __cache_free mm/slab.c:3425 [inline]
 kmem_cache_free+0x81/0xf0 mm/slab.c:3693
 kfree_skbmem net/core/skbuff.c:644 [inline]
 __kfree_skb+0x118/0x170 net/core/skbuff.c:680
 kfree_skb+0x6f/0xb0 net/core/skbuff.c:697
 bcsp_recv+0x99c/0x1720 drivers/bluetooth/hci_bcsp.c:608
 hci_uart_tty_receive+0x16b/0x470 drivers/bluetooth/hci_ldisc.c:613
 tty_ldisc_receive_buf+0x12e/0x170 drivers/tty/tty_buffer.c:465
 tty_port_default_receive_buf+0x82/0xb0 drivers/tty/tty_port.c:38
 receive_buf drivers/tty/tty_buffer.c:481 [inline]
 flush_to_ldisc+0x328/0x550 drivers/tty/tty_buffer.c:533
 process_one_work+0x7ef/0x10e0 kernel/workqueue.c:2269
 worker_thread+0xc01/0x1630 kernel/workqueue.c:2415
 kthread+0x332/0x350 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff8880a0ee3b80
 which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 212 bytes inside of
 224-byte region [ffff8880a0ee3b80, ffff8880a0ee3c60)
The buggy address belongs to the page:
page:ffffea000283b8c0 refcount:1 mapcount:0 mapping:ffff8880a99baa80 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea0002284008 ffffea0002299d48 ffff8880a99baa80
raw: 0000000000000000 ffff8880a0ee3040 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a0ee3b00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a0ee3b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880a0ee3c00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                                                 ^
 ffff8880a0ee3c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8880a0ee3d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================