bisecting fixing commit since 961f830af0658ef5ef8a7708786d634a6115f16b
building syzkaller on ff51e5229e0ee846d2fd687cb0dbca13de758c66
testing commit 961f830af0658ef5ef8a7708786d634a6115f16b with gcc (GCC) 8.4.1 20210217
kernel signature: 55366f5152df8134fe9f0cb7887916aaefe7b39d58ca7b04a7bf4d91ac004d69
run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_chan_put
run #1: crashed: KASAN: use-after-free Read in lock_sock_nested
run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_chan_put
run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_chan_put
run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_chan_put
run #5: crashed: KASAN: use-after-free Read in lock_sock_nested
run #6: crashed: KASAN: use-after-free Read in lock_sock_nested
run #7: crashed: KASAN: use-after-free Read in lock_sock_nested
run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_chan_put
run #9: crashed: KASAN: use-after-free Read in lock_sock_nested
run #10: crashed: KASAN: use-after-free Read in lock_sock_nested
run #11: crashed: KASAN: use-after-free Read in lock_sock_nested
run #12: crashed: KASAN: use-after-free Read in lock_sock_nested
run #13: crashed: KASAN: use-after-free Read in lock_sock_nested
run #14: crashed: KASAN: use-after-free Read in lock_sock_nested
run #15: crashed: KASAN: use-after-free Read in lock_sock_nested
run #16: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_chan_put
run #17: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_chan_put
run #18: crashed: KASAN: use-after-free Read in lock_sock_nested
run #19: crashed: KASAN: use-after-free Read in lock_sock_nested
testing current HEAD 2d19be4653f5e74ed95560b69f94eb6791d49af3
testing commit 2d19be4653f5e74ed95560b69f94eb6791d49af3 with gcc (GCC) 8.4.1 20210217
kernel signature: c0b1b03e6f48be9df66d456747f6a6fa3b8263ced2af4731d429085e4d2c1f39
run #0: crashed: KASAN: use-after-free Read in lock_sock_nested
run #1: crashed: KASAN: use-after-free Read in lock_sock_nested
run #2: crashed: KASAN: use-after-free Read in lock_sock_nested
run #3: crashed: KASAN: use-after-free Read in lock_sock_nested
run #4: crashed: KASAN: use-after-free Read in lock_sock_nested
run #5: crashed: KASAN: use-after-free Read in lock_sock_nested
run #6: crashed: KASAN: use-after-free Read in lock_sock_nested
run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in l2cap_chan_put
run #8: crashed: KASAN: use-after-free Read in lock_sock_nested
run #9: crashed: KASAN: use-after-free Read in lock_sock_nested
revisions tested: 2, total time: 26m45.700414513s (build: 16m59.169241978s, test: 8m51.39364012s)
the crash still happens on HEAD
commit msg: Linux 4.19.177
crash: KASAN: use-after-free Read in lock_sock_nested
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x31e7/0x47c0 kernel/locking/lockdep.c:3294
Read of size 8 at addr ffff8881e783c960 by task kworker/1:2/3154

CPU: 1 PID: 3154 Comm: kworker/1:2 Not tainted 4.19.177-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x17c/0x226 lib/dump_stack.c:118
 print_address_description.cold.6+0x9/0x211 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:396
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 __lock_acquire+0x31e7/0x47c0 kernel/locking/lockdep.c:3294
 lock_acquire+0x180/0x3a0 kernel/locking/lockdep.c:3907
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
 spin_lock_bh include/linux/spinlock.h:334 [inline]
 lock_sock_nested+0x3a/0x100 net/core/sock.c:2864
 l2cap_sock_teardown_cb+0x87/0x400 net/bluetooth/l2cap_sock.c:1340
 l2cap_chan_close+0x3ef/0x830 net/bluetooth/l2cap_core.c:761
 l2cap_chan_timeout+0x11d/0x1c0 net/bluetooth/l2cap_core.c:430
 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2152
 worker_thread+0x85/0xb60 kernel/workqueue.c:2295
 kthread+0x347/0x410 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 5900:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:553
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:538
 __do_kmalloc_node mm/slab.c:3689 [inline]
 __kmalloc_node+0x50/0x70 mm/slab.c:3696
 kmalloc_node include/linux/slab.h:557 [inline]
 kvmalloc_node+0x68/0x70 mm/util.c:423
 kvmalloc include/linux/mm.h:577 [inline]
 xt_alloc_table_info+0x29/0x80 net/netfilter/x_tables.c:1181
 do_replace net/ipv6/netfilter/ip6_tables.c:1145 [inline]
 do_ip6t_set_ctl+0x1d1/0x3f0 net/ipv6/netfilter/ip6_tables.c:1684
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x5c/0xb0 net/netfilter/nf_sockopt.c:115
 ipv6_setsockopt+0x95/0xf0 net/ipv6/ipv6_sockglue.c:945
 tcp_setsockopt net/ipv4/tcp.c:3097 [inline]
 tcp_setsockopt+0x6a/0xd0 net/ipv4/tcp.c:3091
 sock_common_setsockopt+0x73/0xf0 net/core/sock.c:3072
 __sys_setsockopt+0x13e/0x210 net/socket.c:1901
 __do_sys_setsockopt net/socket.c:1912 [inline]
 __se_sys_setsockopt net/socket.c:1909 [inline]
 __x64_sys_setsockopt+0xb9/0x150 net/socket.c:1909
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 5900:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x13c/0x220 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcf/0x220 mm/slab.c:3822
 kvfree+0x2c/0x30 mm/util.c:452
 xt_free_table_info+0xf8/0x160 net/netfilter/x_tables.c:1201
 __do_replace+0x644/0x9b0 net/ipv6/netfilter/ip6_tables.c:1107
 do_replace net/ipv6/netfilter/ip6_tables.c:1160 [inline]
 do_ip6t_set_ctl+0x27e/0x3f0 net/ipv6/netfilter/ip6_tables.c:1684
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x5c/0xb0 net/netfilter/nf_sockopt.c:115
 ipv6_setsockopt+0x95/0xf0 net/ipv6/ipv6_sockglue.c:945
 tcp_setsockopt net/ipv4/tcp.c:3097 [inline]
 tcp_setsockopt+0x6a/0xd0 net/ipv4/tcp.c:3091
 sock_common_setsockopt+0x73/0xf0 net/core/sock.c:3072
 __sys_setsockopt+0x13e/0x210 net/socket.c:1901
 __do_sys_setsockopt net/socket.c:1912 [inline]
 __se_sys_setsockopt net/socket.c:1909 [inline]
 __x64_sys_setsockopt+0xb9/0x150 net/socket.c:1909
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881e783c8c0
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 160 bytes inside of
 2048-byte region [ffff8881e783c8c0, ffff8881e783d0c0)
The buggy address belongs to the page:
page:ffffea00079e0f00 count:1 mapcount:0 mapping:ffff8881f6400c40 index:0x0 compound_mapcount: 0
flags: 0x17ffe0000008100(slab|head)
raw: 017ffe0000008100 ffffea0007a01a08 ffffea00079a9608 ffff8881f6400c40
raw: 0000000000000000 ffff8881e783c040 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881e783c800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881e783c880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8881e783c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff8881e783c980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881e783ca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================