BUG: spinlock bad magic on CPU#0, syz-executor.5/11726 lock: 0xffff88801bed5088, .magic: ffff8880, .owner: /-1, .owner_cpu: 659261856 CPU: 0 PID: 11726 Comm: syz-executor.5 Not tainted 5.11.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:120 debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] do_raw_spin_lock+0x216/0x2b0 kernel/locking/spinlock_debug.c:112 spin_lock_bh include/linux/spinlock.h:359 [inline] lock_sock_nested+0x3b/0x110 net/core/sock.c:3049 l2cap_sock_teardown_cb+0xa1/0x660 net/bluetooth/l2cap_sock.c:1520 l2cap_chan_del+0xbc/0xa80 net/bluetooth/l2cap_core.c:618 l2cap_conn_del+0x3c0/0x7b0 net/bluetooth/l2cap_core.c:1896 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:8167 [inline] l2cap_disconn_cfm+0x98/0xd0 net/bluetooth/l2cap_core.c:8160 hci_disconn_cfm include/net/bluetooth/hci_core.h:1462 [inline] hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1565 hci_dev_do_close+0x569/0x1110 net/bluetooth/hci_core.c:1776 hci_unregister_dev+0x223/0xfe0 net/bluetooth/hci_core.c:3872 vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340 __fput+0x283/0x920 fs/file_table.c:280 task_work_run+0xdd/0x190 kernel/task_work.c:140 exit_task_work include/linux/task_work.h:30 [inline] do_exit+0xc5c/0x2ae0 kernel/exit.c:825 do_group_exit+0x125/0x310 kernel/exit.c:922 get_signal+0x427/0x20f0 kernel/signal.c:2773 arch_do_signal_or_restart+0x2a8/0x1eb0 arch/x86/kernel/signal.c:811 handle_signal_work kernel/entry/common.c:147 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x148/0x250 kernel/entry/common.c:201 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x465d99 Code: Unable to access opcode bytes at RIP 0x465d6f. RSP: 002b:00007f3ef4e60218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: fffffffffffffe00 RBX: 000000000056c010 RCX: 0000000000465d99 RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000056c010 RBP: 000000000056c008 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c014 R13: 00007fffb023529f R14: 00007f3ef4e60300 R15: 0000000000022000 ================================================================================ UBSAN: array-index-out-of-bounds in kernel/locking/qspinlock.c:130:9 index 2478 is out of range for type 'long unsigned int [8]' CPU: 0 PID: 11726 Comm: syz-executor.5 Not tainted 5.11.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:120 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 __ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:356 decode_tail kernel/locking/qspinlock.c:130 [inline] __pv_queued_spin_lock_slowpath+0xa3f/0xb40 kernel/locking/qspinlock.c:468 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:554 [inline] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:51 [inline] queued_spin_lock include/asm-generic/qspinlock.h:85 [inline] do_raw_spin_lock+0x200/0x2b0 kernel/locking/spinlock_debug.c:113 spin_lock_bh include/linux/spinlock.h:359 [inline] lock_sock_nested+0x3b/0x110 net/core/sock.c:3049 l2cap_sock_teardown_cb+0xa1/0x660 net/bluetooth/l2cap_sock.c:1520 l2cap_chan_del+0xbc/0xa80 net/bluetooth/l2cap_core.c:618 l2cap_conn_del+0x3c0/0x7b0 net/bluetooth/l2cap_core.c:1896 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:8167 [inline] l2cap_disconn_cfm+0x98/0xd0 net/bluetooth/l2cap_core.c:8160 hci_disconn_cfm include/net/bluetooth/hci_core.h:1462 [inline] hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1565 hci_dev_do_close+0x569/0x1110 net/bluetooth/hci_core.c:1776 hci_unregister_dev+0x223/0xfe0 net/bluetooth/hci_core.c:3872 vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340 __fput+0x283/0x920 fs/file_table.c:280 task_work_run+0xdd/0x190 kernel/task_work.c:140 exit_task_work include/linux/task_work.h:30 [inline] do_exit+0xc5c/0x2ae0 kernel/exit.c:825 do_group_exit+0x125/0x310 kernel/exit.c:922 get_signal+0x427/0x20f0 kernel/signal.c:2773 arch_do_signal_or_restart+0x2a8/0x1eb0 arch/x86/kernel/signal.c:811 handle_signal_work kernel/entry/common.c:147 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0x148/0x250 kernel/entry/common.c:201 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline] syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x465d99 Code: Unable to access opcode bytes at RIP 0x465d6f. RSP: 002b:00007f3ef4e60218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: fffffffffffffe00 RBX: 000000000056c010 RCX: 0000000000465d99 RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000056c010 RBP: 000000000056c008 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c014 R13: 00007fffb023529f R14: 00007f3ef4e60300 R15: 0000000000022000 ================================================================================