==================================================================
BUG: KFENCE: use-after-free write in skb_release_data+0x6c0/0x880 net/core/skbuff.c:1119

Use-after-free write at 0xffff88823bc0cf7e (in kfence-#5):
skb_release_data+0x6c0/0x880 net/core/skbuff.c:1119
skb_release_all net/core/skbuff.c:1173 [inline]
__kfree_skb net/core/skbuff.c:1187 [inline]
kfree_skb_reason+0x1a3/0x3b0 net/core/skbuff.c:1223
kfree_skb include/linux/skbuff.h:1263 [inline]
__hci_req_sync+0x62f/0x950 net/bluetooth/hci_request.c:184
hci_req_sync+0xa9/0xd0 net/bluetooth/hci_request.c:206
hci_dev_cmd+0x4c5/0xa50 net/bluetooth/hci_core.c:787
sock_do_ioctl+0x158/0x460 net/socket.c:1222
sock_ioctl+0x629/0x8e0 net/socket.c:1341
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

kfence-#5: 0xffff88823bc0cf00-0xffff88823bc0cfef, size=240, cache=skbuff_head_cache

allocated by task 4492 on cpu 1 at 373.109181s:
skb_clone+0x20c/0x390 net/core/skbuff.c:2052
hci_send_cmd_sync net/bluetooth/hci_core.c:4123 [inline]
hci_cmd_work+0x29e/0x670 net/bluetooth/hci_core.c:4143
process_one_work kernel/workqueue.c:3231 [inline]
process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

freed by task 5125 on cpu 0 at 373.109326s:
kfree_skb include/linux/skbuff.h:1263 [inline]
hci_req_sync_complete+0xe7/0x290 net/bluetooth/hci_request.c:109
hci_event_packet+0xc71/0x1540 net/bluetooth/hci_event.c:7479
hci_rx_work+0x3e8/0xca0 net/bluetooth/hci_core.c:4074
process_one_work kernel/workqueue.c:3231 [inline]
process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

CPU: 1 PID: 8194 Comm: syz-executor.2 Not tainted 6.10.0-rc2-syzkaller-00761-g3ec8d7572a69 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
RIP: 0010:skb_release_data+0x6c0/0x880 net/core/skbuff.c:1119
Code: 26 c6 ff ff 84 c0 74 07 e8 9d 17 45 f8 eb 0d e8 96 17 45 f8 4c 89 f7 e8 3e 69 9e f8 48 8b 44 24 38 42 0f b6 04 38 84 c0 75 66 <41> 80 24 24 7f 48 83 c4 58 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc
RSP: 0018:ffffc900032ef918 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000140 RCX: ffffffff8172d78a
RDX: dffffc0000000000 RSI: ffffffff8bcabb80 RDI: ffffffff8c1ff680
RBP: ffff888063a9f440 R08: ffffffff92fb5657 R09: 1ffffffff25f6aca
R10: dffffc0000000000 R11: fffffbfff25f6acb R12: ffff88823bc0cf7e
R13: ffff888063a9f442 R14: ffff888063a9f300 R15: dffffc0000000000
FS: 000055558fafb480(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823bc0cf7e CR3: 000000007e096000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
skb_release_all net/core/skbuff.c:1173 [inline]
__kfree_skb net/core/skbuff.c:1187 [inline]
kfree_skb_reason+0x1a3/0x3b0 net/core/skbuff.c:1223
kfree_skb include/linux/skbuff.h:1263 [inline]
__hci_req_sync+0x62f/0x950 net/bluetooth/hci_request.c:184
hci_req_sync+0xa9/0xd0 net/bluetooth/hci_request.c:206
hci_dev_cmd+0x4c5/0xa50 net/bluetooth/hci_core.c:787
sock_do_ioctl+0x158/0x460 net/socket.c:1222
sock_ioctl+0x629/0x8e0 net/socket.c:1341
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc7d667cc0b
Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
RSP: 002b:00007fff8a0dec30 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc7d667cc0b
RDX: 00007fff8a0deca8 RSI: 00000000400448dd RDI: 0000000000000003
RBP: 000055558fafb430 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000002
R13: 0000000000000002 R14: 0000000000000003 R15: 000000000000000c
==================================================================
----------------
Code disassembly (best guess), 4 bytes skipped:
   0: 84 c0                test %al,%al
   2: 74 07                je 0xb
   4: e8 9d 17 45 f8       call 0xf84517a6
   9: eb 0d                jmp 0x18
   b: e8 96 17 45 f8       call 0xf84517a6
  10: 4c 89 f7             mov %r14,%rdi
  13: e8 3e 69 9e f8       call 0xf89e6956
  18: 48 8b 44 24 38       mov 0x38(%rsp),%rax
  1d: 42 0f b6 04 38       movzbl (%rax,%r15,1),%eax
  22: 84 c0                test %al,%al
  24: 75 66                jne 0x8c
* 26: 41 80 24 24 7f       andb $0x7f,(%r12)    <-- trapping instruction
  2b: 48 83 c4 58          add $0x58,%rsp
  2f: 5b                   pop %rbx
  30: 41 5c                pop %r12
  32: 41 5d                pop %r13
  34: 41 5e                pop %r14
  36: 41 5f                pop %r15
  38: 5d                   pop %rbp
  39: c3                   ret
  3a: cc                   int3
  3b: cc                   int3