KASAN: slab-out-of-bounds Read in lock_sock

KASAN: slab-out-of-bounds Read in lock_sock_nested
Status: upstream: reported on 2020/08/11 16:59
Reported-by: syzbot+9a0875bc1b2ca466b484@syzkaller.appspotmail.com
First crash: 38d, last: 7d00h

Sample crash report:

==================================================================
BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x41d0/0x5640 kernel/locking/lockdep.c:4296
Read of size 8 at addr ffff88803b0210a0 by task kworker/1:20/6034

CPU: 1 PID: 6034 Comm: kworker/1:20 Not tainted 5.9.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x18f/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 __lock_acquire+0x41d0/0x5640 kernel/locking/lockdep.c:4296
 lock_acquire+0x1f1/0xad0 kernel/locking/lockdep.c:5005
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:175
 spin_lock_bh include/linux/spinlock.h:359 [inline]
 lock_sock_nested+0x3b/0x110 net/core/sock.c:3048
 l2cap_sock_teardown_cb+0x88/0x400 net/bluetooth/l2cap_sock.c:1520
 l2cap_chan_del+0xad/0x1300 net/bluetooth/l2cap_core.c:618
 l2cap_chan_close+0x118/0xb10 net/bluetooth/l2cap_core.c:823
 l2cap_chan_timeout+0x173/0x450 net/bluetooth/l2cap_core.c:436
 process_one_work+0x94c/0x1670 kernel/workqueue.c:2269
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2415
 kthread+0x3b5/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Allocated by task 0:
(stack is not available)

The buggy address belongs to the object at ffff88803b021080
 which belongs to the cache sgpool-16 of size 512
The buggy address is located 32 bytes inside of
 512-byte region [ffff88803b021080, ffff88803b021280)
The buggy address belongs to the page:
page:000000002f6c9333 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3b021
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00027eb0c8 ffff8880a32e8d50 ffff888218f37c00
raw: 0000000000000000 ffff88803b021080 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88803b020f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88803b021000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88803b021080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                               ^
 ffff88803b021100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88803b021180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (6):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Maintainers
ci-upstream-net-this-kasan-gce	2020/08/31 16:01	net	c8146fe2	d5a3ae1f	.config	log	report	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-net-this-kasan-gce	2020/08/13 09:44	net	06a7a37b	bc15f7db	.config	log	report	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-net-this-kasan-gce	2020/08/12 02:33	net	633f5b6b	bb3e5fe6	.config	log	report	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-net-kasan-gce	2020/09/11 08:09	net-next	9984c0bb	adfb8b4e	.config	log	report	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-net-kasan-gce	2020/08/13 02:48	net-next	bfdd5aaa	bc15f7db	.config	log	report	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org
ci-upstream-net-kasan-gce	2020/08/10 18:04	net-next	bfdd5aaa	7adc7b65	.config	log	report	davem@davemloft.net, johan.hedberg@gmail.com, kuba@kernel.org, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, marcel@holtmann.org, netdev@vger.kernel.org