Bluetooth: hci3: unexpected event 0x01 length: 4 > 1
Bluetooth: Unexpected start frame (len 26)
==================================================================
BUG: KASAN: use-after-free in skb_zcopy include/linux/skbuff.h:1700 [inline]
BUG: KASAN: use-after-free in skb_release_data+0x7a5/0x880 net/core/skbuff.c:1093
Read of size 1 at addr ffff88806c6afec0 by task kworker/u9:6/5111

CPU: 0 PID: 5111 Comm: kworker/u9:6 Not tainted 6.10.0-rc7-syzkaller-00256-gd0d0cd380055 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Workqueue: hci3 hci_rx_work
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 skb_zcopy include/linux/skbuff.h:1700 [inline]
 skb_release_data+0x7a5/0x880 net/core/skbuff.c:1093
 skb_release_all net/core/skbuff.c:1173 [inline]
 __kfree_skb net/core/skbuff.c:1187 [inline]
 kfree_skb_reason+0x1a3/0x3b0 net/core/skbuff.c:1223
 kfree_skb include/linux/skbuff.h:1257 [inline]
 l2cap_recv_reset net/bluetooth/l2cap_core.c:7472 [inline]
 l2cap_recv_acldata+0x333/0x1550 net/bluetooth/l2cap_core.c:7496
 hci_acldata_packet net/bluetooth/hci_core.c:3810 [inline]
 hci_rx_work+0x50f/0xca0 net/bluetooth/hci_core.c:4047
 process_one_work kernel/workqueue.c:3248 [inline]
 process_scheduled_works+0xa2e/0x1830 kernel/workqueue.c:3329
 worker_thread+0x86d/0xd50 kernel/workqueue.c:3409
 kthread+0x2f2/0x390 kernel/kthread.c:389
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6c6af
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 4, migratetype Unmovable, gfp_mask 0x1c2cc0(GFP_USER|__GFP_NOWARN|__GFP_COMP|__GFP_NOMEMALLOC), pid 5102, tgid 5102 (kworker/u9:3), ts 1276535520413, free_ts 1296915846684
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1473
 prep_new_page mm/page_alloc.c:1481 [inline]
 get_page_from_freelist+0x2e4c/0x2f10 mm/page_alloc.c:3425
 __alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4683
 __alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
 __kmalloc_large_node+0x8b/0x1d0 mm/slub.c:4068
 __do_kmalloc_node mm/slub.c:4111 [inline]
 kmalloc_node_track_caller_noprof+0x2cd/0x440 mm/slub.c:4143
 kmalloc_reserve+0x111/0x2a0 net/core/skbuff.c:597
 __alloc_skb+0x1f3/0x440 net/core/skbuff.c:666
 alloc_skb include/linux/skbuff.h:1308 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:489 [inline]
 l2cap_recv_frag net/bluetooth/l2cap_core.c:7419 [inline]
 l2cap_recv_acldata+0x7f6/0x1550 net/bluetooth/l2cap_core.c:7527
 hci_acldata_packet net/bluetooth/hci_core.c:3810 [inline]
 hci_rx_work+0x50f/0xca0 net/bluetooth/hci_core.c:4047
 process_one_work kernel/workqueue.c:3248 [inline]
 process_scheduled_works+0xa2e/0x1830 kernel/workqueue.c:3329
 worker_thread+0x86d/0xd50 kernel/workqueue.c:3409
 kthread+0x2f2/0x390 kernel/kthread.c:389
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
page last free pid 5102 tgid 5102 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1093 [inline]
 __free_pages_ok+0xb4e/0xcc0 mm/page_alloc.c:1213
 __folio_put+0x3b9/0x620 mm/swap.c:129
 folio_put include/linux/mm.h:1513 [inline]
 free_large_kmalloc+0x105/0x1c0 mm/slub.c:4530
 kfree+0x1c4/0x360 mm/slub.c:4553
 skb_kfree_head net/core/skbuff.c:1069 [inline]
 skb_free_head net/core/skbuff.c:1081 [inline]
 skb_release_data+0x676/0x880 net/core/skbuff.c:1108
 skb_release_all net/core/skbuff.c:1173 [inline]
 __kfree_skb net/core/skbuff.c:1187 [inline]
 kfree_skb_reason+0x1a3/0x3b0 net/core/skbuff.c:1223
 kfree_skb include/linux/skbuff.h:1257 [inline]
 l2cap_conn_del+0x8c/0x680 net/bluetooth/l2cap_core.c:1760
 l2cap_connect_cfm+0x11f/0x1220 net/bluetooth/l2cap_core.c:7240
 hci_connect_cfm include/net/bluetooth/hci_core.h:1970 [inline]
 hci_conn_failed+0x1f8/0x340 net/bluetooth/hci_conn.c:1266
 hci_abort_conn_sync+0x583/0xde0 net/bluetooth/hci_sync.c:5463
 hci_cmd_sync_work+0x22d/0x400 net/bluetooth/hci_sync.c:323
 process_one_work kernel/workqueue.c:3248 [inline]
 process_scheduled_works+0xa2e/0x1830 kernel/workqueue.c:3329
 worker_thread+0x86d/0xd50 kernel/workqueue.c:3409
 kthread+0x2f2/0x390 kernel/kthread.c:389
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Memory state around the buggy address:
 ffff88806c6afd80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88806c6afe00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88806c6afe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                           ^
 ffff88806c6aff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88806c6aff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================