bisecting cause commit starting from 47ec5303d73ea344e84f46660fff693c57641386
building syzkaller on 1f122f880fe2064d038c0152fbdc763974580f15
testing commit 47ec5303d73ea344e84f46660fff693c57641386 with gcc (GCC) 8.1.0
kernel signature: bb58e4ac541b63e18a90266c5954ba378e1e5d570d7b284b0d231bab5cd28472
run #0: crashed: WARNING: ODEBUG bug in __queue_work
run #1: crashed: WARNING: ODEBUG bug in hci_conn_del
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: 91e0f6fbd8df9b00bc767acbac77ecfa6e20d0d7bb996d2851341519276ef051
run #0: crashed: WARNING: ODEBUG bug in __queue_work
run #1: crashed: WARNING: ODEBUG bug in hci_conn_del
run #2: crashed: WARNING: ODEBUG bug in hci_conn_del
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0
kernel signature: 4a1dccbf437d2e8dd4426e2a2ad504266f1ce55a3eaeb2c333940cf3a2f484d6
run #0: crashed: WARNING: ODEBUG bug in hci_conn_del
run #1: crashed: WARNING: ODEBUG bug in hci_conn_del
run #2: crashed: KASAN: use-after-free Read in sco_chan_del
run #3: crashed: WARNING: ODEBUG bug in hci_conn_del
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: 180d105b1f4afccf3648bb92073f68d482fe57c2f419c0514e464ec10018085c
run #0: crashed: WARNING: ODEBUG bug in hci_conn_del
run #1: crashed: KASAN: use-after-free Read in sco_chan_del
run #2: crashed: WARNING: ODEBUG bug in hci_conn_del
run #3: crashed: KASAN: use-after-free Read in sco_chan_del
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0
kernel signature: e816756695beab705fc70a2b236578d67bbd048420a558c0a7623a837f34722f
run #0: crashed: KASAN: use-after-free Read in sco_chan_del
run #1: crashed: WARNING: ODEBUG bug in hci_conn_del
run #2: crashed: WARNING: ODEBUG bug in hci_conn_del
run #3: crashed: KASAN: use-after-free Read in sco_chan_del
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 19e60c242a6471a1b9e86bad70c15fe03de51b8912550f152e8f94e61b2dd1e2
run #0: crashed: WARNING: ODEBUG bug in hci_conn_del
run #1: crashed: WARNING: ODEBUG bug in hci_conn_del
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: 456ef61d855d9e9493432dd151aa953da75f5e3cb8528fedaec642ad6603e134
all runs: OK
# git bisect start 219d54332a09e8d8741c1e1982f5eae56099de85 4d856f72c10ecb060868ed10ff1b1453943fc6c8
Bisecting: 7882 revisions left to test after this (roughly 13 steps)
[a9f8b38a071b468276a243ea3ea5a0636e848cf2] Merge tag 'for-linus-5.4-1' of git://github.com/cminyard/linux-ipmi
testing commit a9f8b38a071b468276a243ea3ea5a0636e848cf2 with gcc (GCC) 8.1.0
kernel signature: 6ec38f27625099e514a3a9473575232789c30f68f44b37924d22c99e9f1717c7
run #0: crashed: WARNING: ODEBUG bug in bt_link_release
run #1: crashed: WARNING: ODEBUG bug in bt_link_release
run #2: crashed: KASAN: use-after-free Read in sco_chan_del
run #3: crashed: KASAN: use-after-free Read in sco_chan_del
run #4: crashed: WARNING: ODEBUG bug in bt_link_release
run #5: crashed: WARNING: ODEBUG bug in bt_link_release
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad a9f8b38a071b468276a243ea3ea5a0636e848cf2
Bisecting: 3920 revisions left to test after this (roughly 12 steps)
[fe38bd6862074c0a2b9be7f31f043aaa70b2af5f] Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
testing commit fe38bd6862074c0a2b9be7f31f043aaa70b2af5f with gcc (GCC) 8.1.0
kernel signature: ebe79e42f8cfabeeb1aeaa5799fd14da96a2f23d13687ffd421693a9d1bc7b3d
run #0: crashed: KASAN: use-after-free Read in sco_chan_del
run #1: crashed: KASAN: use-after-free Read in sco_chan_del
run #2: crashed: WARNING: ODEBUG bug in bt_link_release
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad fe38bd6862074c0a2b9be7f31f043aaa70b2af5f
Bisecting: 1970 revisions left to test after this (roughly 11 steps)
[fc6fd1392a8f3d5f3d722ad9c92314477c1a2a35] Merge branch 'x86-build-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit fc6fd1392a8f3d5f3d722ad9c92314477c1a2a35 with gcc (GCC) 8.1.0
kernel signature: d1e420c0085c6a7f47e827926ce7e8a5930282f50601450172ff7cfeaba41e94
run #0: crashed: WARNING: ODEBUG bug in bt_link_release
run #1: crashed: WARNING: ODEBUG bug in bt_link_release
run #2: crashed: KASAN: use-after-free Read in sco_chan_del
run #3: crashed: WARNING: ODEBUG bug in bt_link_release
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad fc6fd1392a8f3d5f3d722ad9c92314477c1a2a35
Bisecting: 1024 revisions left to test after this (roughly 10 steps)
[d47ebd684229f0048be5def6027bfcfbfe2db0d6] Merge tag 'armsoc-defconfig' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc
testing commit d47ebd684229f0048be5def6027bfcfbfe2db0d6 with gcc (GCC) 8.1.0
kernel signature: 89cb69448ac03753e4db09cc067d0701f8f413f2fc40ae6b60040208856f723b
run #0: crashed: KASAN: use-after-free Read in sco_chan_del
run #1: crashed: KASAN: use-after-free Read in sco_chan_del
run #2: crashed: KASAN: use-after-free Read in sco_chan_del
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad d47ebd684229f0048be5def6027bfcfbfe2db0d6
Bisecting: 459 revisions left to test after this (roughly 9 steps)
[52a5525214d0d612160154d902956eca0558b7c0] Merge tag 'iommu-updates-v5.4' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu
testing commit 52a5525214d0d612160154d902956eca0558b7c0 with gcc (GCC) 8.1.0
kernel signature: 7ceb34233dab21d994c7d06832eb954a6a21320a8b43e60fdcf4cb8f37045d99
run #0: crashed: KASAN: use-after-free Read in sco_chan_del
run #1: crashed: KASAN: use-after-free Read in sco_chan_del
run #2: crashed: KASAN: use-after-free Read in sco_chan_del
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 52a5525214d0d612160154d902956eca0558b7c0
Bisecting: 211 revisions left to test after this (roughly 8 steps)
[aa62325dc38de2be8b1c27eb180ad3751b3f58ec] Merge tag 'spi-v5.4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
testing commit aa62325dc38de2be8b1c27eb180ad3751b3f58ec with gcc (GCC) 8.1.0
kernel signature: 02b39e42994b2ed4822c8485516c2095124c3fcef6f08d7298eb59f02ce67812
run #0: crashed: WARNING: ODEBUG bug in bt_link_release
run #1: crashed: WARNING: ODEBUG bug in bt_link_release
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad aa62325dc38de2be8b1c27eb180ad3751b3f58ec
Bisecting: 105 revisions left to test after this (roughly 7 steps)
[c4d11ccb2b5cec6cdef7aeeb0017473d23031d96] Merge tag 'regulator-v5.4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
testing commit c4d11ccb2b5cec6cdef7aeeb0017473d23031d96 with gcc (GCC) 8.1.0
kernel signature: a0036bfc7fbfb71cdf4d103e19ba9a91551e3449633ec59a00b651ce171f16b0
run #0: crashed: KASAN: use-after-free Read in sco_chan_del
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad c4d11ccb2b5cec6cdef7aeeb0017473d23031d96
Bisecting: 60 revisions left to test after this (roughly 6 steps)
[6729fb666a3b5a9a5ffa1bb6589127f7e4d35c38] Merge tag 'hwmon-for-v5.4' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
testing commit 6729fb666a3b5a9a5ffa1bb6589127f7e4d35c38 with gcc (GCC) 8.1.0
kernel signature: 5be418011ff530dcee3c15857520ce491debd708f015b9ec15d1680805f529f0
run #0: crashed: KASAN: use-after-free Read in sco_chan_del
run #1: crashed: WARNING: ODEBUG bug in bt_link_release
run #2: crashed: KASAN: use-after-free Read in sco_chan_del
run #3: crashed: WARNING: ODEBUG bug in bt_link_release
run #4: crashed: KASAN: use-after-free Read in sco_chan_del
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 6729fb666a3b5a9a5ffa1bb6589127f7e4d35c38
Bisecting: 42 revisions left to test after this (roughly 6 steps)
[35cd180485425dcab3f587fd67f21552505939ac] hwmon: (lm75) Aproximate sample times to data-sheet values
testing commit 35cd180485425dcab3f587fd67f21552505939ac with gcc (GCC) 8.1.0
kernel signature: 1eee76f33436c8c5ce4e419c9e584d5a9ea39443a3bd0090bc2ff0c37f60daf4
run #0: crashed: KASAN: use-after-free Read in sco_chan_del
run #1: crashed: KASAN: use-after-free Read in sco_chan_del
run #2: crashed: KASAN: use-after-free Read in sco_chan_del
run #3: crashed: KASAN: use-after-free Read in sco_chan_del
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 35cd180485425dcab3f587fd67f21552505939ac
Bisecting: 21 revisions left to test after this (roughly 5 steps)
[dcb12653875e7cd969a6a18346bc1ed24ffb893b] hwmon: (lm75) Create structure to save all the configuration parameters.
testing commit dcb12653875e7cd969a6a18346bc1ed24ffb893b with gcc (GCC) 8.1.0
kernel signature: 45a96c3a979ce5193d529e939de88371011d5a3daed2b965b5c3c0a9490f8548
run #0: crashed: KASAN: use-after-free Read in sco_chan_del
run #1: crashed: WARNING: ODEBUG bug in bt_link_release
run #2: crashed: KASAN: use-after-free Read in sco_chan_del
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad dcb12653875e7cd969a6a18346bc1ed24ffb893b
Bisecting: 10 revisions left to test after this (roughly 3 steps)
[af4e1c5eca95bed1192d8dc45c8ed63aea2209e8] x86/amd_nb: Add PCI device IDs for family 17h, model 70h
testing commit af4e1c5eca95bed1192d8dc45c8ed63aea2209e8 with gcc (GCC) 8.1.0
kernel signature: 22ac907ce8869f6c342c2b6cd2b27672a22b305edfeebe11371e6ce63a16520e
run #0: crashed: WARNING: ODEBUG bug in bt_link_release
run #1: crashed: KASAN: use-after-free Read in sco_chan_del
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad af4e1c5eca95bed1192d8dc45c8ed63aea2209e8
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[5ac6badc5aa057ceb1d50c93326a81db6e89ad2f] device-tree: bindinds: add NXP PCT2075 as compatible device to LM75
testing commit 5ac6badc5aa057ceb1d50c93326a81db6e89ad2f with gcc (GCC) 8.1.0
kernel signature: 3391dee09995e6ed0db5463908886e19a64430e94522e5331803beedfc153c26
run #0: crashed: WARNING: ODEBUG bug in bt_link_release
run #1: OK
run #2: OK
run #3: OK
run #4: crashed: WARNING: ODEBUG bug in bt_link_release
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 5ac6badc5aa057ceb1d50c93326a81db6e89ad2f
Bisecting: 2 revisions left to test after this (roughly 1 step)
[7d82fcc9d9e81241778aaa22fda7be753e237d86] hwmon: (lm75) Fix write operations for negative temperatures
testing commit 7d82fcc9d9e81241778aaa22fda7be753e237d86 with gcc (GCC) 8.1.0
kernel signature: f6018cdd39f953fa179ecbea907744d78810d0c2fd71c102af922e20054f21a2
run #0: crashed: WARNING: ODEBUG bug in bt_link_release
run #1: crashed: KASAN: use-after-free Read in sco_chan_del
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 7d82fcc9d9e81241778aaa22fda7be753e237d86
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[6f8c8f3c31015808100ee54fc471ff5dffdf1734] hwmon: pmbus: ucd9000: remove unneeded include
testing commit 6f8c8f3c31015808100ee54fc471ff5dffdf1734 with gcc (GCC) 8.1.0
kernel signature: 132fc29b67b8cef9c0ee7005bd427d16eabe79d01ee440f339d586ee69b9942c
run #0: crashed: KASAN: use-after-free Read in sco_chan_del
run #1: crashed: KASAN: use-after-free Read in sco_chan_del
run #2: crashed: KASAN: use-after-free Read in sco_chan_del
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 6f8c8f3c31015808100ee54fc471ff5dffdf1734
6f8c8f3c31015808100ee54fc471ff5dffdf1734 is the first bad commit
commit 6f8c8f3c31015808100ee54fc471ff5dffdf1734
Author: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Date:   Thu Aug 8 10:01:44 2019 +0200

    hwmon: pmbus: ucd9000: remove unneeded include
    
    Build bot reports the following build issue after commit 9091373ab7ea
    ("gpio: remove less important #ifdef around declarations):
    
       In file included from drivers/hwmon/pmbus/ucd9000.c:19:0:
    >> include/linux/gpio/driver.h:576:1: error: redefinition of 'gpiochip_add_pin_range'
        gpiochip_add_pin_range(struct gpio_chip *chip, const char *pinctl_name,
        ^~~~~~~~~~~~~~~~~~~~~~
       In file included from drivers/hwmon/pmbus/ucd9000.c:18:0:
       include/linux/gpio.h:245:1: note: previous definition of 'gpiochip_add_pin_range' was here
        gpiochip_add_pin_range(struct gpio_chip *chip, const char *pinctl_name,
        ^~~~~~~~~~~~~~~~~~~~~~
       In file included from drivers/hwmon/pmbus/ucd9000.c:19:0:
    >> include/linux/gpio/driver.h:583:1: error: redefinition of 'gpiochip_add_pingroup_range'
        gpiochip_add_pingroup_range(struct gpio_chip *chip,
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~
       In file included from drivers/hwmon/pmbus/ucd9000.c:18:0:
       include/linux/gpio.h:254:1: note: previous definition of 'gpiochip_add_pingroup_range' was here
        gpiochip_add_pingroup_range(struct gpio_chip *chip,
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~
       In file included from drivers/hwmon/pmbus/ucd9000.c:19:0:
    >> include/linux/gpio/driver.h:591:1: error: redefinition of 'gpiochip_remove_pin_ranges'
        gpiochip_remove_pin_ranges(struct gpio_chip *chip)
        ^~~~~~~~~~~~~~~~~~~~~~~~~~
       In file included from drivers/hwmon/pmbus/ucd9000.c:18:0:
       include/linux/gpio.h:263:1: note: previous definition of 'gpiochip_remove_pin_ranges' was here
        gpiochip_remove_pin_ranges(struct gpio_chip *chip)
    
    This is caused by conflicting defines from linux/gpio.h and
    linux/gpio/driver.h. Drivers should not include both the legacy and
    the new API headers. This driver doesn't even use linux/gpio.h so
    remove it.
    
    Reported-by: kbuild test robot <lkp@intel.com>
    Cc: Linus Walleij <linus.walleij@linaro.org>
    Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
    Link: https://lore.kernel.org/r/20190808080144.6183-1-brgl@bgdev.pl
    Signed-off-by: Guenter Roeck <linux@roeck-us.net>

 drivers/hwmon/pmbus/ucd9000.c | 1 -
 1 file changed, 1 deletion(-)
parent commit a55aa89aab90fae7c815b0551b07be37db359d76 wasn't tested
testing commit a55aa89aab90fae7c815b0551b07be37db359d76 with gcc (GCC) 8.1.0
kernel signature: 1e5628ecb5201e7fcfc22d2a68f8023a95718bb6e76361d9e3de34bcf3ca05f5
culprit signature: 132fc29b67b8cef9c0ee7005bd427d16eabe79d01ee440f339d586ee69b9942c
parent  signature: 1e5628ecb5201e7fcfc22d2a68f8023a95718bb6e76361d9e3de34bcf3ca05f5
revisions tested: 21, total time: 5h42m49.521913803s (build: 2h14m3.49306975s, test: 3h26m36.275288693s)
first bad commit: 6f8c8f3c31015808100ee54fc471ff5dffdf1734 hwmon: pmbus: ucd9000: remove unneeded include
recipients (to): ["bgolaszewski@baylibre.com" "jdelvare@suse.com" "linux-hwmon@vger.kernel.org" "linux@roeck-us.net" "linux@roeck-us.net"]
recipients (cc): ["linux-kernel@vger.kernel.org"]
crash: KASAN: use-after-free Read in sco_chan_del
==================================================================
BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
BUG: KASAN: use-after-free in do_raw_spin_lock+0x279/0x2d0 kernel/locking/spinlock_debug.c:112
Read of size 4 at addr ffff888096482f0c by task syz-executor.4/16013

CPU: 1 PID: 16013 Comm: syz-executor.4 Not tainted 5.3.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x165/0x21a lib/dump_stack.c:113
 print_address_description.cold.4+0x9/0x327 mm/kasan/report.c:351
 __kasan_report.cold.5+0x1b/0x40 mm/kasan/report.c:482
 kasan_report+0x12/0x17 mm/kasan/common.c:618
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
 debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
 do_raw_spin_lock+0x279/0x2d0 kernel/locking/spinlock_debug.c:112
 __raw_spin_lock include/linux/spinlock_api_smp.h:143 [inline]
 _raw_spin_lock+0x35/0x40 kernel/locking/spinlock.c:151
 spin_lock include/linux/spinlock.h:338 [inline]
 sco_chan_del+0x52/0x3e0 net/bluetooth/sco.c:142
 __sco_sock_close+0x145/0x520 net/bluetooth/sco.c:433
 sco_sock_close+0x26/0x40 net/bluetooth/sco.c:447
 sco_sock_release+0x49/0x240 net/bluetooth/sco.c:1008
 __sock_release+0xc2/0x270 net/socket.c:590
 sock_close+0x13/0x20 net/socket.c:1268
 __fput+0x25a/0x780 fs/file_table.c:280
 ____fput+0x9/0x10 fs/file_table.c:313
 task_work_run+0x108/0x180 kernel/task_work.c:113
 get_signal+0x150d/0x1d00 kernel/signal.c:2528
 do_signal+0x87/0x1620 arch/x86/kernel/signal.c:815
 exit_to_usermode_loop+0x114/0x2e0 arch/x86/entry/common.c:159
 prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
 do_syscall_64+0x462/0x540 arch/x86/entry/common.c:299
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45ccd9
Code: 2d b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f9b3abe8c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: fffffffffffffffc RBX: 0000000000002140 RCX: 000000000045ccd9
RDX: 0000000000000008 RSI: 0000000020000140 RDI: 0000000000000004
RBP: 000000000078bf40 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000078bf0c
R13: 00007ffea5e8885f R14: 00007f9b3abe99c0 R15: 000000000078bf0c

Allocated by task 16013:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc.part.0+0x44/0xc0 mm/kasan/common.c:493
 __kasan_kmalloc.constprop.1+0xb1/0xc0 mm/kasan/common.c:474
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:507
 kmem_cache_alloc_trace+0x162/0x410 mm/slab.c:3550
 kmalloc include/linux/slab.h:552 [inline]
 kzalloc include/linux/slab.h:748 [inline]
 sco_conn_add+0xaa/0x210 net/bluetooth/sco.c:112
 sco_connect net/bluetooth/sco.c:247 [inline]
 sco_sock_connect+0x2ce/0x820 net/bluetooth/sco.c:576
 __sys_connect+0x20d/0x2d0 net/socket.c:1828
 __do_sys_connect net/socket.c:1839 [inline]
 __se_sys_connect net/socket.c:1836 [inline]
 __x64_sys_connect+0x6e/0xb0 net/socket.c:1836
 do_syscall_64+0xd0/0x540 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8325:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_slab_free+0x11a/0x1e0 mm/kasan/common.c:455
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:463
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x104/0x2d0 mm/slab.c:3756
 sco_conn_del.isra.0+0xf6/0x130 net/bluetooth/sco.c:184
 sco_connect_cfm+0x1b3/0x700 net/bluetooth/sco.c:1123
 hci_connect_cfm include/net/bluetooth/hci_core.h:1267 [inline]
 hci_sco_setup+0x2f8/0x400 net/bluetooth/hci_conn.c:391
 hci_conn_complete_evt.isra.52+0xbab/0x1560 net/bluetooth/hci_event.c:2545
 hci_event_packet+0x3c7b/0x7a22 net/bluetooth/hci_event.c:5870
 hci_rx_work+0x4c6/0x900 net/bluetooth/hci_core.c:4462
 process_one_work+0x7d2/0x1560 kernel/workqueue.c:2269
 worker_thread+0x85/0xb60 kernel/workqueue.c:2415
 kthread+0x331/0x3f0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff888096482f00
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 12 bytes inside of
 96-byte region [ffff888096482f00, ffff888096482f60)
The buggy address belongs to the page:
page:ffffea0002592080 refcount:1 mapcount:0 mapping:ffff8880aa400540 index:0xffff888096482e00
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00025e8308 ffffea0002632888 ffff8880aa400540
raw: ffff888096482e00 ffff888096482000 000000010000001f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888096482e00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff888096482e80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
>ffff888096482f00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                      ^
 ffff888096482f80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
 ffff888096483000: 00 00 00 00 04 fc fc fc fc fc fc fc fc fc fc fc
==================================================================