Bluetooth: hci5: command 0x0405 tx timeout
==================================================================
BUG: KASAN: use-after-free in __queue_work+0xb52/0xee0 kernel/workqueue.c:1414
Read of size 4 at addr ffff888095483e40 by task kworker/1:62/2600

CPU: 1 PID: 2600 Comm: kworker/1:62 Not tainted 5.3.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events hci_cmd_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x165/0x21a lib/dump_stack.c:113
 print_address_description.cold.4+0x9/0x327 mm/kasan/report.c:351
 __kasan_report.cold.5+0x1b/0x40 mm/kasan/report.c:482
 kasan_report+0x12/0x17 mm/kasan/common.c:612
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
 __queue_work+0xb52/0xee0 kernel/workqueue.c:1414
 queue_work_on+0x150/0x190 kernel/workqueue.c:1518
 queue_work include/linux/workqueue.h:490 [inline]
 hci_cmd_timeout+0x196/0x200 net/bluetooth/hci_core.c:2626
 process_one_work+0x7d2/0x1560 kernel/workqueue.c:2269
 worker_thread+0x85/0xb60 kernel/workqueue.c:2415
 kthread+0x331/0x3f0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 6939:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_kmalloc.part.0+0x44/0xc0 mm/kasan/common.c:487
 __kasan_kmalloc.constprop.1+0xb1/0xc0 mm/kasan/common.c:468
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:501
 __do_kmalloc mm/slab.c:3655 [inline]
 __kmalloc+0x16b/0x410 mm/slab.c:3664
 kmalloc include/linux/slab.h:557 [inline]
 kzalloc include/linux/slab.h:748 [inline]
 alloc_workqueue+0x10b/0xca0 kernel/workqueue.c:4238
 hci_register_dev+0x177/0x7d0 net/bluetooth/hci_core.c:3288
 __vhci_create_device+0x265/0x530 drivers/bluetooth/hci_vhci.c:124
 vhci_create_device drivers/bluetooth/hci_vhci.c:148 [inline]
 vhci_open_timeout+0x34/0x50 drivers/bluetooth/hci_vhci.c:304
 process_one_work+0x7d2/0x1560 kernel/workqueue.c:2269
 worker_thread+0x85/0xb60 kernel/workqueue.c:2415
 kthread+0x331/0x3f0 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 17198:
 save_stack mm/kasan/common.c:69 [inline]
 set_track mm/kasan/common.c:77 [inline]
 __kasan_slab_free+0x11a/0x1e0 mm/kasan/common.c:449
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:457
 __cache_free mm/slab.c:3425 [inline]
 kfree+0x104/0x2d0 mm/slab.c:3756
 rcu_free_wq+0xd6/0x130 kernel/workqueue.c:3490
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch kernel/rcu/tree.c:2114 [inline]
 rcu_core+0x66e/0x14d0 kernel/rcu/tree.c:2314
 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2323
 __do_softirq+0x264/0x9a6 kernel/softirq.c:292

The buggy address belongs to the object at ffff888095483cc0
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 384 bytes inside of
 512-byte region [ffff888095483cc0, ffff888095483ec0)
The buggy address belongs to the page:
page:ffffea00025520c0 refcount:1 mapcount:0 mapping:ffff8880aa400a80 index:0xffff888095483a40
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea000227d808 ffffea00024fa488 ffff8880aa400a80
raw: ffff888095483a40 ffff888095483040 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888095483d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888095483d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888095483e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff888095483e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888095483f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================