=========================
WARNING: held lock freed!
6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0 Not tainted
-------------------------
syz-executor.4/4339 is freeing memory ffff00010b41d000-ffff00010b41d7ff, with a lock still held there!
ffff00010b41d520 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_chan_lock include/net/bluetooth/l2cap.h:855 [inline]
ffff00010b41d520 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_conn_del+0x1a4/0x38c net/bluetooth/l2cap_core.c:1920
6 locks held by syz-executor.4/4339:
 #0: ffff80000d893400 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0x18c/0x3f8 net/rfkill/core.c:1278
 #1: ffff000109700fd0 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close net/bluetooth/hci_core.c:552 [inline]
 #1: ffff000109700fd0 (&hdev->req_lock){+.+.}-{3:3}, at: hci_rfkill_set_block+0x90/0x198 net/bluetooth/hci_core.c:947
 #2: ffff000109700078 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_close_sync+0x200/0x9e0 net/bluetooth/hci_sync.c:4463
 #3: ffff80000d832b98 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:1776 [inline]
 #3: ffff80000d832b98 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0x64/0x148 net/bluetooth/hci_conn.c:2366
 #4: ffff0000cb0b4ed8 (&conn->chan_lock){+.+.}-{3:3}, at: l2cap_conn_del+0x130/0x38c net/bluetooth/l2cap_core.c:1915
 #5: ffff00010b41d520 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_chan_lock include/net/bluetooth/l2cap.h:855 [inline]
 #5: ffff00010b41d520 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_conn_del+0x1a4/0x38c net/bluetooth/l2cap_core.c:1920

stack backtrace:
CPU: 1 PID: 4339 Comm: syz-executor.4 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
Call trace:
 dump_backtrace+0x1c4/0x1f0 arch/arm64/kernel/stacktrace.c:156
 show_stack+0x2c/0x54 arch/arm64/kernel/stacktrace.c:163
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x104/0x16c lib/dump_stack.c:106
 dump_stack+0x1c/0x58 lib/dump_stack.c:113
 print_freed_lock_bug kernel/locking/lockdep.c:6422 [inline]
 debug_check_no_locks_freed+0x184/0x19c kernel/locking/lockdep.c:6455
 slab_free_hook mm/slub.c:1731 [inline]
 slab_free_freelist_hook mm/slub.c:1785 [inline]
 slab_free mm/slub.c:3539 [inline]
 kfree+0x138/0x348 mm/slub.c:4567
 l2cap_chan_destroy net/bluetooth/l2cap_core.c:503 [inline]
 kref_put include/linux/kref.h:65 [inline]
 l2cap_chan_put+0xcc/0x160 net/bluetooth/l2cap_core.c:527
 a2mp_chan_close_cb+0x20/0x30 net/bluetooth/a2mp.c:713
 l2cap_conn_del+0x1c0/0x38c net/bluetooth/l2cap_core.c:1924
 l2cap_disconn_cfm+0x68/0xac net/bluetooth/l2cap_core.c:8212
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1779 [inline]
 hci_conn_hash_flush+0x88/0x148 net/bluetooth/hci_conn.c:2366
 hci_dev_close_sync+0x48c/0x9e0 net/bluetooth/hci_sync.c:4476
 hci_dev_do_close net/bluetooth/hci_core.c:554 [inline]
 hci_rfkill_set_block+0x98/0x198 net/bluetooth/hci_core.c:947
 rfkill_set_block+0xb4/0x1f8 net/rfkill/core.c:345
 rfkill_fop_write+0x358/0x3f8 net/rfkill/core.c:1286
 vfs_write+0x1a4/0x46c fs/read_write.c:576
 ksys_write+0xb4/0x160 fs/read_write.c:631
 __do_sys_write fs/read_write.c:643 [inline]
 __se_sys_write fs/read_write.c:640 [inline]
 __arm64_sys_write+0x24/0x34 fs/read_write.c:640
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
 el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 4339 at lib/refcount.c:28 refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
Modules linked in:
CPU: 1 PID: 4339 Comm: syz-executor.4 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
lr : refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
sp : ffff800013b0ba60
x29: ffff800013b0ba60 x28: ffff0000cb0b4e60 x27: 0000000000000003
x26: ffff00010b41d4b8 x25: ffff00010b41d000 x24: ffff00010b41d488
x23: 0000000000000001 x22: ffff0000cb0b4e70 x21: 0000000000000067
x20: 0000000000000003 x19: ffff80000d8c8000 x18: 00000000000001a0
x17: ffff80000bffd6bc x16: 0000000000000001 x15: 0000000000000000
x14: 0000000000000000 x13: 205d393333345420 x12: 0000000000040000
x11: 000000000003ffff x10: ffff800018181000 x9 : f1413a911afd0b00
x8 : f1413a911afd0b00 x7 : 205b5d3530303732 x6 : ffff80000819545c
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000100000000 x0 : 0000000000000026
Call trace:
 refcount_warn_saturate+0x1a0/0x1c8 lib/refcount.c:28
 __refcount_sub_and_test include/linux/refcount.h:283 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 kref_put include/linux/kref.h:64 [inline]
 l2cap_chan_put+0xec/0x160 net/bluetooth/l2cap_core.c:527
 l2cap_conn_del+0x1d0/0x38c net/bluetooth/l2cap_core.c:1927
 l2cap_disconn_cfm+0x68/0xac net/bluetooth/l2cap_core.c:8212
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1779 [inline]
 hci_conn_hash_flush+0x88/0x148 net/bluetooth/hci_conn.c:2366
 hci_dev_close_sync+0x48c/0x9e0 net/bluetooth/hci_sync.c:4476
 hci_dev_do_close net/bluetooth/hci_core.c:554 [inline]
 hci_rfkill_set_block+0x98/0x198 net/bluetooth/hci_core.c:947
 rfkill_set_block+0xb4/0x1f8 net/rfkill/core.c:345
 rfkill_fop_write+0x358/0x3f8 net/rfkill/core.c:1286
 vfs_write+0x1a4/0x46c fs/read_write.c:576
 ksys_write+0xb4/0x160 fs/read_write.c:631
 __do_sys_write fs/read_write.c:643 [inline]
 __se_sys_write fs/read_write.c:640 [inline]
 __arm64_sys_write+0x24/0x34 fs/read_write.c:640
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall arch/arm64/kernel/syscall.c:52 [inline]
 el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206
 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581
irq event stamp: 5289
hardirqs last  enabled at (5289): [<ffff80000bfc89b4>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last  enabled at (5289): [<ffff80000bfc89b4>] _raw_spin_unlock_irqrestore+0x48/0x8c kernel/locking/spinlock.c:194
hardirqs last disabled at (5288): [<ffff80000bfc87f0>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (5288): [<ffff80000bfc87f0>] _raw_spin_lock_irqsave+0xa4/0xb4 kernel/locking/spinlock.c:162
softirqs last  enabled at (4040): [<ffff80000b777c7c>] spin_unlock_bh include/linux/spinlock.h:394 [inline]
softirqs last  enabled at (4040): [<ffff80000b777c7c>] fib6_run_gc+0x108/0x154 net/ipv6/ip6_fib.c:2341
softirqs last disabled at (4024): [<ffff80000b777bcc>] spin_trylock_bh include/linux/spinlock.h:409 [inline]
softirqs last disabled at (4024): [<ffff80000b777bcc>] fib6_run_gc+0x58/0x154 net/ipv6/ip6_fib.c:2323
---[ end trace 0000000000000000 ]---