Bluetooth: hci3: command 0x0419 tx timeout
Bluetooth: hci6: command 0x0419 tx timeout
Bluetooth: hci2: command 0x041b tx timeout
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x42c9/0x5e70
Read of size 8 at addr ffff88800ed3e888 by task kmemleak/55

CPU: 0 PID: 55 Comm: kmemleak Not tainted 6.0.0-rc7-next-20220929 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x8b/0xb3
 print_report+0x172/0x475
 kasan_report+0xbb/0x1c0
 __lock_acquire+0x42c9/0x5e70
 lock_acquire+0x1a2/0x530
 _raw_spin_lock_irq+0x32/0x50
 kmemleak_scan+0x21d/0x16d0
 kmemleak_scan_thread+0x8f/0xb1
 kthread+0x2ed/0x3a0
 ret_from_fork+0x22/0x30
 </TASK>

Allocated by task 181:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 __kasan_slab_alloc+0x58/0x70
 kmem_cache_alloc+0x1a9/0x3e0
 __create_object+0x3d/0xc10
 kmemleak_alloc_percpu+0xa1/0x140
 pcpu_alloc+0x7f4/0x10a0
 __percpu_counter_init+0x10d/0x2e0
 wb_init+0x607/0x810
 wb_get_create+0x23a/0x1180
 __inode_attach_wb+0x2e6/0x880
 __mark_inode_dirty+0x9b2/0xf00
 touch_atime+0x644/0x700
 filemap_read+0x999/0xb60
 generic_file_read_iter+0x3cd/0x530
 ext4_file_read_iter+0x182/0x490
 __kernel_read+0x2cb/0x7d0
 kernel_read+0xbf/0x1c0
 bprm_execve+0x70e/0x1920
 do_execveat_common+0x72c/0x890
 __x64_sys_execve+0x8f/0xc0
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 13:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_save_free_info+0x2a/0x50
 __kasan_slab_free+0x106/0x190
 kmem_cache_free+0xf7/0x610
 rcu_core+0x7e2/0x2080
 __do_softirq+0x1c3/0x8f5

Last potentially related work creation:
 kasan_save_stack+0x1e/0x40
 __kasan_record_aux_stack+0x95/0xb0
 call_rcu+0x6a/0xa30
 kmemleak_free_percpu+0x9a/0x120
 free_percpu+0x2c/0xec0
 percpu_counter_destroy+0x11a/0x1c0
 wb_exit+0x6a/0xb0
 cgwb_release_workfn+0x25d/0x3f0
 process_one_work+0xa17/0x16a0
 worker_thread+0x637/0x1260
 kthread+0x2ed/0x3a0
 ret_from_fork+0x22/0x30

Second to last potentially related work creation:
 kasan_save_stack+0x1e/0x40
 __kasan_record_aux_stack+0x95/0xb0
 call_rcu+0x6a/0xa30
 kmem_cache_free+0xbd/0x610
 unlink_anon_vmas+0x116/0x710
 free_pgtables+0x24d/0x420
 exit_mmap+0x1b4/0x680
 mmput+0xd1/0x390
 begin_new_exec+0xf9e/0x2e80
 load_elf_binary+0x17ff/0x4ef0
 bprm_execve+0x7f5/0x1920
 do_execveat_common+0x72c/0x890
 __x64_sys_execve+0x8f/0xc0
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff88800ed3e870
 which belongs to the cache kmemleak_object of size 368
The buggy address is located 24 bytes inside of
 368-byte region [ffff88800ed3e870, ffff88800ed3e9e0)

The buggy address belongs to the physical page:
page:00000000aa6eed2a refcount:1 mapcount:0 mapping:0000000000000000 index:0xdead000000000100 pfn:0xed3e
head:00000000aa6eed2a order:1 compound_mapcount:0 compound_pincount:0
flags: 0x100000000010200(slab|head|node=0|zone=1)
raw: 0100000000010200 ffff888007c4f780 dead000000120012 0000000000000000
raw: dead000000000100 dead000000000122 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88800ed3e780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88800ed3e800: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fa fb
>ffff88800ed3e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88800ed3e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88800ed3e980: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
==================================================================
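Added example, not part of the log above and not kernel or kmemleak code: a Python triage helper that reads the header, object and "Memory state" lines of a generic-KASAN slab report and re-derives the figures the report prints. For this report it recomputes the 24-byte offset of the faulting address ffff88800ed3e888 inside the 368-byte kmemleak_object at ffff88800ed3e870 and decodes the shadow byte under the caret (0xfb, KASAN_SLAB_FREE in mm/kasan/kasan.h for 6.0-era kernels), which is what makes the report's use-after-free classification checkable rather than taken on faith. The REPORT string is copied from the report above; the shadow-byte table is the generic KASAN one; all function and field names are the example's own.

```python
"""Triage helper for a generic-KASAN slab report (added example, not kernel code)."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Shadow-byte values of generic KASAN, named as in mm/kasan/kasan.h for
# 6.0-era kernels. 0x00 means all 8 bytes of the granule are accessible;
# 0x01..0x07 mean only the first N bytes are.
SHADOW_MEANING = {
    0xfa: "KASAN_SLAB_FREETRACK (freed object; granule holds the free track)",
    0xfb: "KASAN_SLAB_FREE (freed slab object)",
    0xfc: "KASAN_SLAB_REDZONE (slab redzone)",
    0xfe: "KASAN_PAGE_REDZONE (redzone of a large kmalloc allocation)",
    0xff: "KASAN_PAGE_FREE (freed page)",
}
FREED_SHADOW = {0xfa, 0xfb}

# Lines copied from the report above (header, object and memory-state sections);
# the call traces are not needed for this arithmetic check.
REPORT = """\
BUG: KASAN: use-after-free in __lock_acquire+0x42c9/0x5e70
Read of size 8 at addr ffff88800ed3e888 by task kmemleak/55

The buggy address belongs to the object at ffff88800ed3e870
 which belongs to the cache kmemleak_object of size 368
The buggy address is located 24 bytes inside of
 368-byte region [ffff88800ed3e870, ffff88800ed3e9e0)

Memory state around the buggy address:
 ffff88800ed3e780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88800ed3e800: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fa fb
>ffff88800ed3e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff88800ed3e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88800ed3e980: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
"""


@dataclass
class KasanReport:
    bug_type: str
    func: str
    access: str               # "Read" or "Write"
    size: int
    addr: int
    task: str
    cache: str
    obj_base: int
    obj_size: int
    stated_offset: int        # the "located N bytes inside" figure as printed
    shadow: Dict[int, int]    # granule address -> shadow byte


def shadow_meaning(b: Optional[int]) -> str:
    if b is None:
        return "granule not in dump"
    if b == 0:
        return "8 bytes accessible"
    if 1 <= b <= 7:
        return f"first {b} of 8 bytes accessible"
    return SHADOW_MEANING.get(b, "unknown")


def parse_shadow(text: str) -> Dict[int, int]:
    """Map every 8-byte granule in the 'Memory state' dump to its shadow byte.
    Each row covers 16 granules (128 bytes); '>' marks the row holding the caret."""
    granules: Dict[int, int] = {}
    row = re.compile(r"^[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})\s*$")
    for line in text.splitlines():
        m = row.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, byte in enumerate(m.group(2).split()):
            granules[base + 8 * i] = int(byte, 16)
    return granules


def parse_kasan_report(text: str) -> KasanReport:
    m = re.search(r"BUG: KASAN: ([\w-]+) in (\S+)", text)
    bug_type, func = m.group(1), m.group(2)
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", text)
    access, size, addr, task = m.group(1), int(m.group(2)), int(m.group(3), 16), m.group(4)
    m = re.search(r"belongs to the object at ([0-9a-f]+)\s+which belongs to the cache (\S+) of size (\d+)", text)
    obj_base, cache, obj_size = int(m.group(1), 16), m.group(2), int(m.group(3))
    stated_offset = int(re.search(r"located (\d+) bytes inside of", text).group(1))
    return KasanReport(bug_type, func, access, size, addr, task, cache,
                       obj_base, obj_size, stated_offset, parse_shadow(text))


def triage(r: KasanReport) -> dict:
    """Cross-check the report's own figures and classify the faulting granule."""
    offset = r.addr - r.obj_base
    shadow_at_addr = r.shadow.get(r.addr & ~7)
    return {
        "offset_in_object": offset,
        "offset_matches_report": offset == r.stated_offset,
        "access_within_object": 0 <= offset and offset + r.size <= r.obj_size,
        "shadow_at_addr": shadow_at_addr,
        "shadow_at_addr_meaning": shadow_meaning(shadow_at_addr),
        "shadow_at_object_base": r.shadow.get(r.obj_base & ~7),
        # A use-after-free report should point at a granule KASAN marked freed.
        "consistent_with_uaf": r.bug_type == "use-after-free" and shadow_at_addr in FREED_SHADOW,
    }


if __name__ == "__main__":
    rep = parse_kasan_report(REPORT)
    print(f"{rep.bug_type}: {rep.access.lower()} of {rep.size} bytes in {rep.func} by {rep.task}")
    for k, v in triage(rep).items():
        if k.startswith("shadow_at") and isinstance(v, int):
            v = f"{v:#04x}"
        print(f"  {k}: {v}")
```

Running it on the report above yields offset 24 (matching the printed "24 bytes inside"), shadow 0xfb under the caret and 0xfa at the object base, i.e. the whole 368-byte kmemleak_object is in the freed state when kmemleak_scan reads its lock word; the 0xfc bytes on either side are the slab redzones of the 384-byte slot. Rows that are missing from a truncated dump simply come back as "granule not in dump" rather than a misleading classification.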