==================================================================
BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x3db6/0x54f0 kernel/locking/lockdep.c:4702
Read of size 8 at addr ffff88801181c0a0 by task kworker/0:1/7

CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.11.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:230
 __kasan_report mm/kasan/report.c:396 [inline]
 kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
 __lock_acquire+0x3db6/0x54f0 kernel/locking/lockdep.c:4702
 lock_acquire kernel/locking/lockdep.c:5442 [inline]
 lock_acquire+0x1a8/0x720 kernel/locking/lockdep.c:5407
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:175
 spin_lock_bh include/linux/spinlock.h:359 [inline]
 lock_sock_nested+0x3b/0x110 net/core/sock.c:3049
 l2cap_sock_teardown_cb+0xa1/0x660 net/bluetooth/l2cap_sock.c:1520
 l2cap_chan_del+0xbc/0xa80 net/bluetooth/l2cap_core.c:618
 l2cap_chan_close+0x1bc/0xaf0 net/bluetooth/l2cap_core.c:823
 l2cap_chan_timeout+0x17e/0x2f0 net/bluetooth/l2cap_core.c:436
 process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296

Allocated by task 24122:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:401 [inline]
 ____kasan_kmalloc.constprop.0+0x7f/0xa0 mm/kasan/common.c:429
 kasan_slab_alloc include/linux/kasan.h:209 [inline]
 slab_post_alloc_hook mm/slab.h:512 [inline]
 slab_alloc mm/slab.c:3315 [inline]
 kmem_cache_alloc+0x1ab/0x4c0 mm/slab.c:3486
 mempool_alloc+0x146/0x350 mm/mempool.c:391
 bio_alloc_bioset+0x37b/0x5d0 block/bio.c:486
 bio_clone_fast+0x21/0x1c0 block/bio.c:710
 bio_split+0xc7/0x2b0 block/bio.c:1480
 blk_bio_segment_split block/blk-merge.c:290 [inline]
 __blk_queue_split+0x1005/0x1510 block/blk-merge.c:340
 blk_mq_submit_bio+0x1a2/0x1750 block/blk-mq.c:2146
 __submit_bio_noacct_mq block/blk-core.c:1028 [inline]
 submit_bio_noacct+0xa03/0xe10 block/blk-core.c:1061
 submit_bio+0x263/0x5a0 block/blk-core.c:1131
 iomap_dio_submit_bio+0x28d/0x350 fs/iomap/direct-io.c:76
 iomap_dio_bio_actor+0x4f9/0xf60 fs/iomap/direct-io.c:312
 iomap_dio_actor+0x89/0x550 fs/iomap/direct-io.c:389
 iomap_apply+0x2a3/0xb50 fs/iomap/apply.c:84
 __iomap_dio_rw+0x6cd/0x1220 fs/iomap/direct-io.c:517
 iomap_dio_rw+0x31/0x90 fs/iomap/direct-io.c:605
 ext4_dio_write_iter fs/ext4/file.c:552 [inline]
 ext4_file_write_iter+0xe53/0x14d0 fs/ext4/file.c:662
 call_write_iter include/linux/fs.h:1901 [inline]
 new_sync_write+0x426/0x650 fs/read_write.c:518
 vfs_write+0x791/0xa30 fs/read_write.c:605
 ksys_write+0x12d/0x250 fs/read_write.c:658
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 8472:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:356
 ____kasan_slab_free+0xb0/0xe0 mm/kasan/common.c:362
 kasan_slab_free include/linux/kasan.h:192 [inline]
 __cache_free mm/slab.c:3424 [inline]
 kmem_cache_free+0x58/0x1c0 mm/slab.c:3697
 mempool_free+0xe3/0x3b0 mm/mempool.c:500
 bio_free+0xe8/0x140 block/bio.c:266
 bio_put block/bio.c:650 [inline]
 __bio_chain_endio block/bio.c:318 [inline]
 bio_endio+0x2d5/0x790 block/bio.c:1437
 req_bio_endio block/blk-core.c:264 [inline]
 blk_update_request+0x68b/0x1480 block/blk-core.c:1462
 scsi_end_request+0x7a/0x800 drivers/scsi/scsi_lib.c:570
 scsi_io_completion+0x1df/0x1170 drivers/scsi/scsi_lib.c:969
 scsi_softirq_done+0x12f/0x270 drivers/scsi/scsi_lib.c:1449
 blk_done_softirq+0x294/0x3e0 block/blk-mq.c:588
 __do_softirq+0x29b/0x9f6 kernel/softirq.c:343

The buggy address belongs to the object at ffff88801181c0c0
 which belongs to the cache bio-0 of size 200
The buggy address is located 32 bytes to the left of
 200-byte region [ffff88801181c0c0, ffff88801181c188)
The buggy address belongs to the page:
page:00000000a55f92cb refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1181c
flags: 0xfff00000000200(slab)
raw: 00fff00000000200 ffffea0000517dc8 ffffea0000b0dc08 ffff888140ca2300
raw: 0000000000000000 ffff88801181c0c0 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88801181bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801181c000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88801181c080: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
                               ^
 ffff88801181c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801181c180: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================