==================================================================
BUG: KASAN: use-after-free in rt_spin_lock+0x83/0x400 kernel/locking/spinlock_rt.c:56
Read of size 1 at addr ffff88805e8387e8 by task syz-executor/13352

CPU: 0 UID: 0 PID: 13352 Comm: syz-executor Tainted: G L syzkaller #0 PREEMPT_{RT,(full)}
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description+0x55/0x1e0 mm/kasan/report.c:378
 print_report+0x58/0x70 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:574
 kasan_check_byte include/linux/kasan.h:402 [inline]
 lock_acquire+0x84/0x350 kernel/locking/lockdep.c:5842
 rt_spin_lock+0x83/0x400 kernel/locking/spinlock_rt.c:56
 spin_lock_bh include/linux/spinlock_rt.h:90 [inline]
 bt_accept_unlink+0x7d/0x2f0 net/bluetooth/af_bluetooth.c:262
 l2cap_sock_teardown_cb+0x17e/0x490 net/bluetooth/l2cap_sock.c:1692
 l2cap_chan_del+0x98/0x600 net/bluetooth/l2cap_core.c:659
 l2cap_conn_del+0x343/0x570 net/bluetooth/l2cap_core.c:1803
 hci_disconn_cfm include/net/bluetooth/hci_core.h:2151 [inline]
 hci_conn_hash_flush+0x105/0x260 net/bluetooth/hci_conn.c:2733
 hci_dev_close_sync+0x7fc/0x10a0 net/bluetooth/hci_sync.c:5405
 hci_dev_do_close net/bluetooth/hci_core.c:499 [inline]
 hci_unregister_dev+0x232/0x5b0 net/bluetooth/hci_core.c:2678
 vhci_release+0x170/0x1c0 drivers/bluetooth/hci_vhci.c:700
 __fput+0x42a/0xa80 fs/file_table.c:512
 task_work_run+0x1d9/0x270 kernel/task_work.c:233
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x73a/0x2360 kernel/exit.c:1004
 get_signal+0x121b/0x12c0 kernel/signal.c:3038
 arch_do_signal_or_restart+0xbb/0x860 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:66 [inline]
 exit_to_user_mode_loop+0x104/0x730 kernel/entry/common.c:101
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:230 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
 do_syscall_64+0x353/0x580 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb777f1d68e
Code: Unable to access opcode bytes at 0x7fb777f1d664.
RSP: 002b:00007ffe3c455738 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: fffffffffffffe00 RBX: 00005555861d1500 RCX: 00007fb777f1d68e
RDX: 0000000000000030 RSI: 00007ffe3c455830 RDI: 00000000000000f9
RBP: 00007ffe3c4557dc R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000267
R13: 00000000000927c0 R14: 000000000013ba4a R15: 00007ffe3c455830

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88805e83c000 pfn:0x5e838
flags: 0x80000000000000(node=0|zone=1)
raw: 0080000000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff88805e83c000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 4, migratetype Unmovable, gfp_mask 0x4429c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_ZERO|__GFP_COMP|__GFP_ACCOUNT), pid 20725, tgid 20724 (syz.1.4837), ts 1208568708778, free_ts 1208569013956
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1f9/0x250 mm/page_alloc.c:1859
 prep_new_page mm/page_alloc.c:1867 [inline]
 get_page_from_freelist+0x262a/0x26a0 mm/page_alloc.c:3946
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5304
 alloc_pages_mpol+0xce/0x280 mm/mempolicy.c:2490
 ___kmalloc_large_node+0x4c/0x120 mm/slub.c:5302
 __kmalloc_large_node_noprof+0x18/0x90 mm/slub.c:5333
 __do_kmalloc_node mm/slub.c:5350 [inline]
 __kvmalloc_node_noprof+0x93/0x8a0 mm/slub.c:6933
 bpf_check+0xb9/0x5320 kernel/bpf/verifier.c:19729
 bpf_prog_load+0x1577/0x1c00 kernel/bpf/syscall.c:3197
 __sys_bpf+0xd0d/0xd90 kernel/bpf/syscall.c:6418
 __do_sys_bpf kernel/bpf/syscall.c:6537 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6534 [inline]
 __x64_sys_bpf+0xba/0xd0 kernel/bpf/syscall.c:6534
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 20725 tgid 20724 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1406 [inline]
 __free_pages_ok+0xa8e/0xb80 mm/page_alloc.c:1584
 __free_frozen_pages+0x121/0x11c0 mm/page_alloc.c:2946
 bpf_check+0x3eee/0x5320 kernel/bpf/verifier.c:20004
 bpf_prog_load+0x1577/0x1c00 kernel/bpf/syscall.c:3197
 __sys_bpf+0xd0d/0xd90 kernel/bpf/syscall.c:6418
 __do_sys_bpf kernel/bpf/syscall.c:6537 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6534 [inline]
 __x64_sys_bpf+0xba/0xd0 kernel/bpf/syscall.c:6534
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88805e838680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88805e838700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88805e838780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                          ^
 ffff88805e838800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88805e838880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================