INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
CPU: 0 PID: 14434 Comm: kworker/0:14 Not tainted 5.9.0-rc1-next-20200817-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 assign_lock_key kernel/locking/lockdep.c:894 [inline]
 register_lock_class+0x157d/0x1630 kernel/locking/lockdep.c:1206
 __lock_acquire+0xf9/0x5640 kernel/locking/lockdep.c:4305
 lock_acquire+0x1f1/0xad0 kernel/locking/lockdep.c:5005
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:175
 spin_lock_bh include/linux/spinlock.h:359 [inline]
 lock_sock_nested+0x3b/0x110 net/core/sock.c:3048
 l2cap_sock_teardown_cb+0x88/0x400 net/bluetooth/l2cap_sock.c:1520
 l2cap_chan_del+0xad/0x1300 net/bluetooth/l2cap_core.c:618
 l2cap_chan_close+0x118/0xb10 net/bluetooth/l2cap_core.c:823
 l2cap_chan_timeout+0x173/0x450 net/bluetooth/l2cap_core.c:436
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
==================================================================
BUG: KASAN: use-after-free in l2cap_sock_teardown_cb+0x3d9/0x400 net/bluetooth/l2cap_sock.c:1522
Read of size 8 at addr ffff88805e1864c8 by task kworker/0:14/14434

CPU: 0 PID: 14434 Comm: kworker/0:14 Not tainted 5.9.0-rc1-next-20200817-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 l2cap_sock_teardown_cb+0x3d9/0x400 net/bluetooth/l2cap_sock.c:1522
 l2cap_chan_del+0xad/0x1300 net/bluetooth/l2cap_core.c:618
 l2cap_chan_close+0x118/0xb10 net/bluetooth/l2cap_core.c:823
 l2cap_chan_timeout+0x173/0x450 net/bluetooth/l2cap_core.c:436
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Allocated by task 3468:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
 __do_kmalloc mm/slab.c:3655 [inline]
 __kmalloc+0x1a8/0x320 mm/slab.c:3664
 kmalloc include/linux/slab.h:559 [inline]
 kzalloc include/linux/slab.h:666 [inline]
 alloc_ts_config include/linux/textsearch.h:167 [inline]
 kmp_init+0x46/0x7b0 lib/ts_kmp.c:100
 textsearch_prepare lib/textsearch.c:289 [inline]
 textsearch_prepare+0x95/0x180 lib/textsearch.c:263
 string_mt_check+0x1ca/0x280 net/netfilter/xt_string.c:56
 xt_check_match+0x275/0x650 net/netfilter/x_tables.c:501
 check_match net/ipv4/netfilter/ip_tables.c:472 [inline]
 find_check_match net/ipv4/netfilter/ip_tables.c:488 [inline]
 find_check_entry.constprop.0+0x31a/0x9a0 net/ipv4/netfilter/ip_tables.c:538
 translate_table+0xbe1/0x1600 net/ipv4/netfilter/ip_tables.c:717
 do_replace net/ipv4/netfilter/ip_tables.c:1135 [inline]
 do_ipt_set_ctl+0x56e/0xb61 net/ipv4/netfilter/ip_tables.c:1627
 nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101
 ip_setsockopt+0x3c3/0x39d0 net/ipv4/ip_sockglue.c:1436
 tcp_setsockopt+0x136/0x24a0 net/ipv4/tcp.c:3333
 __sys_setsockopt+0x2db/0x610 net/socket.c:2132
 __do_sys_setsockopt net/socket.c:2143 [inline]
 __se_sys_setsockopt net/socket.c:2140 [inline]
 __x64_sys_setsockopt+0xba/0x150 net/socket.c:2140
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff88805e186400
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 200 bytes inside of
 256-byte region [ffff88805e186400, ffff88805e186500)
The buggy address belongs to the page:
page:000000001ce0db7e refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5e186
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea000175ea08 ffffea00029786c8 ffff8880aa040500
raw: 0000000000000000 ffff88805e186000 0000000100000008 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88805e186380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88805e186400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88805e186480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff88805e186500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88805e186580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================