==================================================================
BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x3c88/0x5230 kernel/locking/lockdep.c:4772
Read of size 8 at addr ffff8880826910a0 by task kworker/1:7/9718

CPU: 1 PID: 9718 Comm: kworker/1:7 Not tainted 5.12.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:436
 __lock_acquire+0x3c88/0x5230 kernel/locking/lockdep.c:4772
 lock_acquire kernel/locking/lockdep.c:5512 [inline]
 lock_acquire+0x1ab/0x740 kernel/locking/lockdep.c:5477
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:175
 spin_lock_bh include/linux/spinlock.h:359 [inline]
 lock_sock_nested+0x40/0x120 net/core/sock.c:3057
 l2cap_sock_teardown_cb+0xa1/0x660 net/bluetooth/l2cap_sock.c:1520
 l2cap_chan_del+0xbc/0xa80 net/bluetooth/l2cap_core.c:618
 l2cap_chan_close+0x1bc/0xaf0 net/bluetooth/l2cap_core.c:823
 l2cap_chan_timeout+0x17e/0x2f0 net/bluetooth/l2cap_core.c:436
 process_one_work+0x98d/0x1600 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Allocated by task 23824:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:427 [inline]
 ____kasan_kmalloc mm/kasan/common.c:506 [inline]
 ____kasan_kmalloc mm/kasan/common.c:465 [inline]
 __kasan_kmalloc+0x96/0xc0 mm/kasan/common.c:515
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 __alloc_skb+0xde/0x340 net/core/skbuff.c:425
 alloc_skb include/linux/skbuff.h:1103 [inline]
 nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:513 [inline]
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:570 [inline]
 nsim_dev_trap_report_work+0x2ac/0xbd0 drivers/net/netdevsim/dev.c:611
 process_one_work+0x98d/0x1600 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Freed by task 23824:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:357
 ____kasan_slab_free mm/kasan/common.c:360 [inline]
 ____kasan_slab_free mm/kasan/common.c:325 [inline]
 __kasan_slab_free+0xc7/0x100 mm/kasan/common.c:367
 kasan_slab_free include/linux/kasan.h:199 [inline]
 __cache_free mm/slab.c:3440 [inline]
 kfree+0x104/0x2b0 mm/slab.c:3798
 skb_free_head net/core/skbuff.c:651 [inline]
 skb_release_data+0x622/0x750 net/core/skbuff.c:672
 skb_release_all net/core/skbuff.c:726 [inline]
 __kfree_skb net/core/skbuff.c:740 [inline]
 consume_skb net/core/skbuff.c:896 [inline]
 consume_skb+0xc2/0x160 net/core/skbuff.c:890
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:586 [inline]
 nsim_dev_trap_report_work+0x86f/0xbd0 drivers/net/netdevsim/dev.c:611
 process_one_work+0x98d/0x1600 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

The buggy address belongs to the object at ffff888082690000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 160 bytes to the right of
 4096-byte region [ffff888082690000, ffff888082691000)
The buggy address belongs to the page:
page:ffffea000209a400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x82690
head:ffffea000209a400 order:1 compound_mapcount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea0000b28a08 ffffea000235d708 ffff888011040900
raw: 0000000000000000 ffff888082690000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888082690f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888082691000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888082691080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                               ^
 ffff888082691100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888082691180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================