==================================================================
BUG: KASAN: use-after-free in hci_cmd_timeout+0x239/0x250 net/bluetooth/hci_core.c:1494
Read of size 8 at addr ffff888027543b98 by task kworker/u5:0/47

CPU: 0 PID: 47 Comm: kworker/u5:0 Not tainted 6.1.0-rc1-syzkaller-00134-ge35184f32151 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
Workqueue: hci6 hci_cmd_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15e/0x461 mm/kasan/report.c:395
 kasan_report+0xbb/0x1f0 mm/kasan/report.c:495
 hci_cmd_timeout+0x239/0x250 net/bluetooth/hci_core.c:1494
 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

Allocated by task 3648:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
 kasan_set_track+0x21/0x30 mm/kasan/common.c:52
 __kasan_slab_alloc+0x7b/0x80 mm/kasan/common.c:325
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slab.h:737 [inline]
 slab_alloc_node mm/slab.c:3257 [inline]
 slab_alloc mm/slab.c:3265 [inline]
 __kmem_cache_alloc_lru mm/slab.c:3442 [inline]
 kmem_cache_alloc+0x218/0x450 mm/slab.c:3461
 skb_clone+0x16e/0x3c0 net/core/skbuff.c:1650
 hci_cmd_work+0x191/0x570 net/bluetooth/hci_core.c:4080
 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

Freed by task 3647:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:45
 kasan_set_track+0x21/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:511
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free+0x13b/0x1a0 mm/kasan/common.c:200
 kasan_slab_free include/linux/kasan.h:177 [inline]
 __cache_free mm/slab.c:3389 [inline]
 __do_kmem_cache_free mm/slab.c:3585 [inline]
 kmem_cache_free mm/slab.c:3610 [inline]
 kmem_cache_free+0x104/0x4b0 mm/slab.c:3603
 kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:812
 __kfree_skb net/core/skbuff.c:869 [inline]
 kfree_skb_reason+0x193/0x4b0 net/core/skbuff.c:891
 kfree_skb include/linux/skbuff.h:1216 [inline]
 hci_dev_open_sync+0xbec/0x21a0 net/bluetooth/hci_sync.c:4699
 hci_dev_do_open+0x2d/0x70 net/bluetooth/hci_core.c:483
 hci_power_on+0xda/0x620 net/bluetooth/hci_core.c:984
 process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

The buggy address belongs to the object at ffff888027543ac0
 which belongs to the cache skbuff_head_cache of size 240
The buggy address is located 216 bytes inside of
 240-byte region [ffff888027543ac0, ffff888027543bb0)

The buggy address belongs to the physical page:
page:ffffea00009d50c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888027543480 pfn:0x27543
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea000095d088 ffffea0001e79608 ffff888016eddd00
raw: ffff888027543480 ffff8880275430c0 0000000100000005 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x242220(__GFP_HIGH|__GFP_ATOMIC|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 20, tgid 20 (ksoftirqd/1), ts 123194518577, free_ts 122478805697
 prep_new_page mm/page_alloc.c:2538 [inline]
 get_page_from_freelist+0x10b5/0x2d50 mm/page_alloc.c:4287
 __alloc_pages+0x1c7/0x5a0 mm/page_alloc.c:5554
 __alloc_pages_node include/linux/gfp.h:223 [inline]
 kmem_getpages mm/slab.c:1363 [inline]
 cache_grow_begin+0x75/0x360 mm/slab.c:2570
 cache_alloc_refill+0x27f/0x380 mm/slab.c:2943
 ____cache_alloc mm/slab.c:3019 [inline]
 ____cache_alloc mm/slab.c:3002 [inline]
 __do_cache_alloc mm/slab.c:3202 [inline]
 slab_alloc_node mm/slab.c:3250 [inline]
 slab_alloc mm/slab.c:3265 [inline]
 __kmem_cache_alloc_lru mm/slab.c:3442 [inline]
 kmem_cache_alloc+0x35c/0x450 mm/slab.c:3461
 __build_skb+0x21/0x60 net/core/skbuff.c:322
 build_skb+0x1e/0x280 net/core/skbuff.c:339
 page_to_skb+0x621/0xc60 drivers/net/virtio_net.c:485
 receive_mergeable drivers/net/virtio_net.c:1122 [inline]
 receive_buf+0xe02/0x5570 drivers/net/virtio_net.c:1261
 virtnet_receive drivers/net/virtio_net.c:1556 [inline]
 virtnet_poll+0x700/0x1300 drivers/net/virtio_net.c:1674
 __napi_poll+0xb8/0x770 net/core/dev.c:6498
 napi_poll net/core/dev.c:6565 [inline]
 net_rx_action+0x9fc/0xde0 net/core/dev.c:6676
 __do_softirq+0x1f7/0xad8 kernel/softirq.c:571
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1458 [inline]
 free_pcp_prepare+0x65c/0xd90 mm/page_alloc.c:1508
 free_unref_page_prepare mm/page_alloc.c:3386 [inline]
 free_unref_page+0x19/0x4d0 mm/page_alloc.c:3482
 slab_destroy mm/slab.c:1615 [inline]
 slabs_destroy+0x85/0xc0 mm/slab.c:1635
 cache_flusharray mm/slab.c:3360 [inline]
 ___cache_free+0x2a8/0x3d0 mm/slab.c:3423
 qlink_free mm/kasan/quarantine.c:168 [inline]
 qlist_free_all+0x4f/0x1a0 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0x5f/0x80 mm/kasan/common.c:302
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slab.h:737 [inline]
 slab_alloc_node mm/slab.c:3257 [inline]
 slab_alloc mm/slab.c:3265 [inline]
 __kmem_cache_alloc_lru mm/slab.c:3442 [inline]
 kmem_cache_alloc+0x218/0x450 mm/slab.c:3461
 mt_alloc_one lib/maple_tree.c:152 [inline]
 mas_alloc_nodes+0x429/0x810 lib/maple_tree.c:1231
 mas_node_count_gfp lib/maple_tree.c:1316 [inline]
 mas_preallocate+0x1b7/0x360 lib/maple_tree.c:5719
 do_mas_align_munmap+0x11c/0xee0 mm/mmap.c:2313
 do_mas_munmap+0x26a/0x2b0 mm/mmap.c:2501
 mmap_region+0x219/0x1bf0 mm/mmap.c:2549
 do_mmap+0x825/0xf50 mm/mmap.c:1411
 vm_mmap_pgoff+0x1ab/0x270 mm/util.c:520
 ksys_mmap_pgoff+0x79/0x5a0 mm/mmap.c:1457

Memory state around the buggy address:
 ffff888027543a80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
 ffff888027543b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888027543b80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
                           ^
 ffff888027543c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888027543c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
==================================================================