Warning: Permanently added '10.128.0.8' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [  215.105780] IPVS: ftp: loaded support on port[0] = 21
[  217.143985] Bluetooth: hci0 command 0x0409 tx timeout
[  219.223459] Bluetooth: hci0 command 0x041b tx timeout
executing program
[  221.303444] Bluetooth: hci0 command 0x040f tx timeout
[  223.383442] Bluetooth: hci0 command 0x0419 tx timeout
executing program
[  225.463450] Bluetooth: hci0 command 0x0405 tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
[  255.783928] ==================================================================
[  255.791452] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[  255.798118] Read of size 8 at addr ffff8880b2c6e4e0 by task kworker/0:2/3623
[  255.805303]
[  255.806933] CPU: 0 PID: 3623 Comm: kworker/0:2 Not tainted 4.14.224-syzkaller #0
[  255.814546] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  255.823895] Workqueue: events l2cap_chan_timeout
[  255.829713] Call Trace:
[  255.832313]  dump_stack+0x1b2/0x281
[  255.835947]  print_address_description.cold+0x54/0x1d3
[  255.841248]  kasan_report_error.cold+0x8a/0x191
[  255.845924]  ? __lock_acquire+0x2c57/0x3f20
[  255.850245]  __asan_report_load8_noabort+0x68/0x70
[  255.855172]  ? __lock_acquire+0x2c57/0x3f20
[  255.859769]  __lock_acquire+0x2c57/0x3f20
[  255.864259]  ? lock_acquire+0x170/0x3f0
[  255.868472]  ? lock_downgrade+0x740/0x740
[  255.872623]  ? trace_hardirqs_on+0x10/0x10
[  255.876886]  ? debug_object_assert_init+0x22d/0x2d0
[  255.881952]  ? debug_object_active_state+0x330/0x330
[  255.887057]  ? ret_from_fork+0x24/0x30
[  255.891803]  ? add_lock_to_list.constprop.0+0x17d/0x330
[  255.897178]  ? save_trace+0xd6/0x290
[  255.900913]  lock_acquire+0x170/0x3f0
[  255.904719]  ? lock_sock_nested+0x39/0x100
[  255.908960]  _raw_spin_lock_bh+0x2f/0x40
[  255.913016]  ? lock_sock_nested+0x39/0x100
[  255.918659]  lock_sock_nested+0x39/0x100
[  255.922795]  l2cap_sock_teardown_cb+0x93/0x650
[  255.927911]  l2cap_chan_del+0xaf/0x950
[  255.932251]  l2cap_chan_close+0x103/0x870
[  255.936600]  ? __set_monitor_timer+0x1d0/0x1d0
[  255.941180]  ? lock_acquire+0x170/0x3f0
[  255.945159]  l2cap_chan_timeout+0x143/0x2a0
[  255.949473]  process_one_work+0x793/0x14a0
[  255.953698]  ? work_busy+0x320/0x320
[  255.957423]  ? worker_thread+0x158/0xff0
[  255.961494]  ? _raw_spin_unlock_irq+0x24/0x80
[  255.965990]  worker_thread+0x5cc/0xff0
[  255.969982]  ? rescuer_thread+0xc80/0xc80
[  255.974161]  kthread+0x30d/0x420
[  255.977606]  ? kthread_create_on_node+0xd0/0xd0
[  255.982374]  ret_from_fork+0x24/0x30
[  255.987807]
[  255.989440] Allocated by task 7986:
[  255.993060]  kasan_kmalloc+0xeb/0x160
[  255.996849]  __kmalloc+0x15a/0x400
[  256.000378]  sk_prot_alloc+0x1ba/0x290
[  256.004528]  sk_alloc+0x36/0xcd0
[  256.007880]  l2cap_sock_alloc.constprop.0+0x31/0x210
[  256.012983]  l2cap_sock_create+0xf0/0x1a0
[  256.017132]  bt_sock_create+0x13b/0x280
[  256.021098]  __sock_create+0x303/0x620
[  256.025202]  SyS_socket+0xd1/0x1b0
[  256.028739]  do_syscall_64+0x1d5/0x640
[  256.032615]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[  256.037804]
[  256.039429] Freed by task 7986:
[  256.042696]  kasan_slab_free+0xc3/0x1a0
[  256.046658]  kfree+0xc9/0x250
[  256.049751]  __sk_destruct+0x5e3/0x760
[  256.053913]  __sk_free+0xd9/0x2d0
[  256.057455]  sk_free+0x2b/0x40
[  256.060655]  l2cap_sock_kill.part.0+0x106/0x130
[  256.065341]  l2cap_sock_release+0x1cd/0x280
[  256.069666]  __sock_release+0xcd/0x2b0
[  256.073559]  sock_close+0x15/0x20
[  256.077023]  __fput+0x25f/0x7a0
[  256.081275]  task_work_run+0x11f/0x190
[  256.085415]  do_exit+0xa44/0x2850
[  256.089662]  do_group_exit+0x100/0x2e0
[  256.093541]  get_signal+0x38d/0x1ca0
[  256.097260]  do_signal+0x7c/0x1550
[  256.100791]  exit_to_usermode_loop+0x160/0x200
[  256.105513]  do_syscall_64+0x4a3/0x640
[  256.109408]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[  256.114750]
[  256.116358] The buggy address belongs to the object at ffff8880b2c6e440
[  256.116358]  which belongs to the cache kmalloc-2048 of size 2048
[  256.130143] The buggy address is located 160 bytes inside of
[  256.130143]  2048-byte region [ffff8880b2c6e440, ffff8880b2c6ec40)
[  256.142458] The buggy address belongs to the page:
[  256.147378] page:ffffea0002cb1b80 count:1 mapcount:0 mapping:ffff8880b2c6e440 index:0x0 compound_mapcount: 0
[  256.157433] flags: 0xfff00000008100(slab|head)
[  256.162145] raw: 00fff00000008100 ffff8880b2c6e440 0000000000000000 0000000100000003
[  256.170026] raw: ffffea0002552e20 ffffea0002cb99a0 ffff88813fe80c40 0000000000000000
[  256.177907] page dumped because: kasan: bad access detected
[  256.183612]
[  256.185350] Memory state around the buggy address:
[  256.190373]  ffff8880b2c6e380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  256.198333]  ffff8880b2c6e400: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[  256.205884] >ffff8880b2c6e480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  256.213407]                                                        ^
[  256.219974]  ffff8880b2c6e500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  256.229585]  ffff8880b2c6e580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  256.238342] ==================================================================
[  256.246185] Disabling lock debugging due to kernel taint
[  256.252373] Kernel panic - not syncing: panic_on_warn set ...
[  256.252373]
[  256.259989] CPU: 0 PID: 3623 Comm: kworker/0:2 Tainted: G    B   4.14.224-syzkaller #0
[  256.269976] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  256.279414] Workqueue: events l2cap_chan_timeout
[  256.284377] Call Trace:
[  256.287091]  dump_stack+0x1b2/0x281
[  256.290722]  panic+0x1f9/0x42d
[  256.293998]  ? add_taint.cold+0x16/0x16
[  256.297962]  ? lock_downgrade+0x740/0x740
[  256.302379]  kasan_end_report+0x43/0x49
[  256.306421]  kasan_report_error.cold+0xa7/0x191
[  256.311075]  ? __lock_acquire+0x2c57/0x3f20
[  256.315398]  __asan_report_load8_noabort+0x68/0x70
[  256.320319]  ? __lock_acquire+0x2c57/0x3f20
[  256.324641]  __lock_acquire+0x2c57/0x3f20
[  256.328781]  ? lock_acquire+0x170/0x3f0
[  256.332882]  ? lock_downgrade+0x740/0x740
[  256.337037]  ? trace_hardirqs_on+0x10/0x10
[  256.341259]  ? debug_object_assert_init+0x22d/0x2d0
[  256.346301]  ? debug_object_active_state+0x330/0x330
[  256.351400]  ? ret_from_fork+0x24/0x30
[  256.355270]  ? add_lock_to_list.constprop.0+0x17d/0x330
[  256.360725]  ? save_trace+0xd6/0x290
[  256.364430]  lock_acquire+0x170/0x3f0
[  256.368214]  ? lock_sock_nested+0x39/0x100
[  256.372449]  _raw_spin_lock_bh+0x2f/0x40
[  256.376517]  ? lock_sock_nested+0x39/0x100
[  256.380731]  lock_sock_nested+0x39/0x100
[  256.384773]  l2cap_sock_teardown_cb+0x93/0x650
[  256.389336]  l2cap_chan_del+0xaf/0x950
[  256.393205]  l2cap_chan_close+0x103/0x870
[  256.397344]  ? __set_monitor_timer+0x1d0/0x1d0
[  256.401908]  ? lock_acquire+0x170/0x3f0
[  256.405875]  l2cap_chan_timeout+0x143/0x2a0
[  256.410194]  process_one_work+0x793/0x14a0
[  256.414425]  ? work_busy+0x320/0x320
[  256.418126]  ? worker_thread+0x158/0xff0
[  256.422166]  ? _raw_spin_unlock_irq+0x24/0x80
[  256.426644]  worker_thread+0x5cc/0xff0
[  256.430523]  ? rescuer_thread+0xc80/0xc80
[  256.434831]  kthread+0x30d/0x420
[  256.438193]  ? kthread_create_on_node+0xd0/0xd0
[  256.442930]  ret_from_fork+0x24/0x30
[  256.447248] Kernel Offset: disabled
[  256.450871] Rebooting in 86400 seconds..
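The report above has everything needed to classify the bug before opening a single source file: the object is a kmalloc-2048 allocation made by sk_alloc from a socket(2) call in task 7986, it was freed by that same task's close()-on-exit path (l2cap_sock_release -> l2cap_sock_kill -> sk_free), and it was then touched 160 bytes in, by lock_sock_nested, from a workqueue running l2cap_chan_timeout. The following is an added example, not part of the syzkaller log or of any kernel tooling: a small Python parser that pulls those triage fields out of a KASAN report in this format, recomputes the in-object offset from the addresses instead of trusting the report's prose, and decodes the shadow byte under the faulting address (the 0xfb / 0xfc meanings are KASAN's slab markers in the 4.14-era tree; REPORT is an abridged excerpt of the report on this page, constructed here as sample input).

```python
# Added example: KASAN report triage parser. Not part of syzkaller or the kernel.
import re

SHADOW_LABELS = {                       # shadow byte -> KASAN's meaning for slab memory (assumed from 4.14-era kasan.h)
    0x00: "accessible",
    0xfa: "global redzone",
    0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
    0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)",
    0xfe: "page redzone",
    0xff: "freed page",
}
TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")                              # "[  255.791452] " prefix
FRAME_RE = re.compile(r"^(\?\s+)?([\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)$")   # "? " marks an unreliable frame
SHADOW_ROW_RE = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})$")

def parse_kasan(log):
    """Return the triage-relevant fields of the first KASAN report in `log`."""
    r = {"access_stack": [], "alloc_stack": [], "free_stack": [], "shadow_rows": {}}
    in_report, section = False, None
    for raw in log.splitlines():
        line = TS_RE.sub("", raw).strip()
        if line.startswith("===="):                 # report delimiter: first opens, second closes
            if in_report:
                break
            in_report = True
            continue
        if not in_report:
            continue
        if not line:                                # a blank line ends a stack section
            section = None
        elif (m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line)):
            r["bug"], r["location"] = m.group(1), m.group(2)
        elif (m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line)):
            r["access"], r["size"] = m.group(1).lower(), int(m.group(2))
            r["addr"], r["task"], r["pid"] = int(m.group(3), 16), m.group(4), int(m.group(5))
        elif (m := re.match(r"Workqueue: \S+ (\S+)", line)):
            r["workqueue"] = m.group(1)
        elif line == "Call Trace:":                 # only the first trace belongs to the bad access
            section = "access_stack" if not r["access_stack"] else None
        elif (m := re.match(r"Allocated by task (\d+):", line)):
            r["alloc_pid"], section = int(m.group(1)), "alloc_stack"
        elif (m := re.match(r"Freed by task (\d+):", line)):
            r["free_pid"], section = int(m.group(1)), "free_stack"
        elif (m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line)):
            r["object"] = int(m.group(1), 16)
        elif (m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line)):
            r["cache"], r["object_size"] = m.group(1), int(m.group(2))
        elif (m := re.match(r"The buggy address is located (\d+) bytes inside of", line)):
            r["reported_offset"] = int(m.group(1))
        elif (m := SHADOW_ROW_RE.match(line)):
            r["shadow_rows"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        elif section and (m := FRAME_RE.match(line)) and not m.group(1):
            r[section].append(m.group(2))           # keep reliable frames only
    if "object" in r and "addr" in r:
        r["offset"] = r["addr"] - r["object"]       # recomputed, to cross-check the report's own text
    return r

def shadow_state(r):
    """Shadow byte covering the faulting address, and what it means."""
    row = r["addr"] & ~0x7f                 # a printed row is 16 shadow bytes = 128 bytes of memory
    idx = (r["addr"] - row) >> 3            # one shadow byte per 8-byte granule
    byte = r["shadow_rows"][row][idx]
    return byte, SHADOW_LABELS.get(byte, "partial/unknown")

# Abridged excerpt of the report on this page, constructed as sample input.
REPORT = """\
[  255.783928] ==================================================================
[  255.791452] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[  255.798118] Read of size 8 at addr ffff8880b2c6e4e0 by task kworker/0:2/3623
[  255.805303]
[  255.823895] Workqueue: events l2cap_chan_timeout
[  255.829713] Call Trace:
[  255.832313]  dump_stack+0x1b2/0x281
[  255.845924]  ? __lock_acquire+0x2c57/0x3f20
[  255.859769]  __lock_acquire+0x2c57/0x3f20
[  255.918659]  lock_sock_nested+0x39/0x100
[  255.922795]  l2cap_sock_teardown_cb+0x93/0x650
[  255.945159]  l2cap_chan_timeout+0x143/0x2a0
[  255.949473]  process_one_work+0x793/0x14a0
[  255.987807]
[  255.989440] Allocated by task 7986:
[  256.004528]  sk_alloc+0x36/0xcd0
[  256.007880]  l2cap_sock_alloc.constprop.0+0x31/0x210
[  256.025202]  SyS_socket+0xd1/0x1b0
[  256.037804]
[  256.039429] Freed by task 7986:
[  256.046658]  kfree+0xc9/0x250
[  256.053913]  __sk_free+0xd9/0x2d0
[  256.060655]  l2cap_sock_kill.part.0+0x106/0x130
[  256.065341]  l2cap_sock_release+0x1cd/0x280
[  256.077023]  sock_close+0x15/0x20
[  256.114750]
[  256.116358] The buggy address belongs to the object at ffff8880b2c6e440
[  256.116358]  which belongs to the cache kmalloc-2048 of size 2048
[  256.130143] The buggy address is located 160 bytes inside of
[  256.185350] Memory state around the buggy address:
[  256.198333]  ffff8880b2c6e400: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[  256.205884] >ffff8880b2c6e480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  256.213407]                                                        ^
[  256.238342] ==================================================================
"""

if __name__ == "__main__":
    rep = parse_kasan(REPORT)
    print(rep["bug"], "in", rep["location"], "| offset", rep["offset"], "| shadow", shadow_state(rep))
```

Two of the derived values are what settle the classification. The shadow byte under ffff8880b2c6e4e0 is 0xfb, a freed slab object, rather than 0xfc, which would have meant an out-of-bounds read into a redzone; so the first trace really is a stale pointer, not a length bug. And the alloc and free stacks carry the same PID while the access comes from a kworker, which is the usual shape of a lifetime race: the socket was released on the task's exit path, but the delayed work for the L2CAP channel still held a pointer to it when l2cap_chan_timeout fired. Dropping the "? " frames matters for the same reason: the unreliable __lock_acquire entries above the real one would otherwise suggest recursion that is not there.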