------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 8217 at lib/refcount.c:25 refcount_warn_saturate+0x80/0xe0 lib/refcount.c:25
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 8217 Comm: kworker/u5:2 Not tainted 5.9.0-rc8-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci3 hci_rx_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xa3/0xcc lib/dump_stack.c:118
 panic+0x135/0x31a kernel/panic.c:231
 __warn.cold.13+0x20/0x25 kernel/panic.c:600
 report_bug+0xc0/0xf0 lib/bug.c:198
 handle_bug+0x35/0x90 arch/x86/kernel/traps.c:234
 exc_invalid_op+0x13/0x60 arch/x86/kernel/traps.c:254
 asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536
RIP: 0010:refcount_warn_saturate+0x80/0xe0 lib/refcount.c:25
Code: 05 51 47 91 02 01 e8 aa 84 4f ff 0f 0b c3 80 3d 41 47 91 02 00 75 b8 48 c7 c7 48 54 f1 83 c6 05 31 47 91 02 01 e8 8b 84 4f ff <0f> 0b c3 80 3d 24 47 91 02 00 75 99 48 c7 c7 20 54 f1 83 c6 05 14
RSP: 0018:ffffc90002e77cc8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000002
RDX: 0000000080000002 RSI: ffffffff8401c171 RDI: 00000000ffffffff
RBP: ffff888111274000 R08: 0000000000000001 R09: 0000000000000001
R10: ffff8881105c62c0 R11: 9bbde7cf1f2cc717 R12: 0000000000000000
R13: 0000000000000001 R14: ffffffff8455b548 R15: 0000000000000000
 refcount_add include/linux/refcount.h:204 [inline]
 refcount_inc include/linux/refcount.h:241 [inline]
 kref_get include/linux/kref.h:45 [inline]
 l2cap_chan_hold net/bluetooth/l2cap_core.c:495 [inline]
 l2cap_global_chan_by_psm+0x1f8/0x220 net/bluetooth/l2cap_core.c:1978
 l2cap_conless_channel net/bluetooth/l2cap_core.c:7595 [inline]
 l2cap_recv_frame+0x532/0x2b70 net/bluetooth/l2cap_core.c:7665
 hci_acldata_packet net/bluetooth/hci_core.c:4703 [inline]
 hci_rx_work+0x1d3/0x500 net/bluetooth/hci_core.c:4894
 process_one_work+0x26a/0x5f0 kernel/workqueue.c:2269
 worker_thread+0x38/0x380 kernel/workqueue.c:2415
 kthread+0x148/0x170 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Kernel Offset: disabled
Rebooting in 86400 seconds..