Warning: Permanently added '10.128.0.89' (ECDSA) to the list of known hosts.
syzkaller login: [ 609.313628] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 611.355073] Bluetooth: hci0 command 0x0409 tx timeout
[ 613.434796] Bluetooth: hci0 command 0x041b tx timeout
executing program
[ 615.514403] Bluetooth: hci0 command 0x040f tx timeout
[ 617.594231] Bluetooth: hci0 command 0x0419 tx timeout
executing program
[ 619.674062] Bluetooth: hci0 command 0x0405 tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
[ 649.992274] ==================================================================
[ 649.999644] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[ 650.006285] Read of size 8 at addr ffff88809563e560 by task kworker/0:0/7995
[ 650.013446]
[ 650.015055] CPU: 0 PID: 7995 Comm: kworker/0:0 Not tainted 4.14.212-syzkaller #0
[ 650.022556] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 650.031887] Workqueue: events l2cap_chan_timeout
[ 650.036721] Call Trace:
[ 650.039281] dump_stack+0x1b2/0x283
[ 650.042883] print_address_description.cold+0x54/0x1d3
[ 650.048135] kasan_report_error.cold+0x8a/0x194
[ 650.052777] ? __lock_acquire+0x2c57/0x3f20
[ 650.057071] __asan_report_load8_noabort+0x68/0x70
[ 650.061971] ? __lock_acquire+0x2c57/0x3f20
[ 650.066286] __lock_acquire+0x2c57/0x3f20
[ 650.070408] ? lock_acquire+0x170/0x3f0
[ 650.074351] ? lock_downgrade+0x740/0x740
[ 650.078472] ? trace_hardirqs_on+0x10/0x10
[ 650.082682] ? debug_object_assert_init+0x22d/0x2d0
[ 650.087672] ? debug_object_active_state+0x330/0x330
[ 650.092758] ? ret_from_fork+0x24/0x30
[ 650.096623] ? add_lock_to_list.constprop.0+0x17d/0x330
[ 650.101987] ? save_trace+0xd6/0x290
[ 650.105675] lock_acquire+0x170/0x3f0
[ 650.109451] ? lock_sock_nested+0x39/0x100
[ 650.113661] _raw_spin_lock_bh+0x2f/0x40
[ 650.117699] ? lock_sock_nested+0x39/0x100
[ 650.121961] lock_sock_nested+0x39/0x100
[ 650.126096] l2cap_sock_teardown_cb+0x93/0x650
[ 650.130659] l2cap_chan_del+0xaf/0x950
[ 650.134651] l2cap_chan_close+0x103/0x870
[ 650.138774] ? __set_monitor_timer+0x1d0/0x1d0
[ 650.143332] ? lock_acquire+0x170/0x3f0
[ 650.147278] l2cap_chan_timeout+0x143/0x2a0
[ 650.151586] process_one_work+0x793/0x14a0
[ 650.155799] ? work_busy+0x320/0x320
[ 650.159484] ? worker_thread+0x158/0xff0
[ 650.163538] ? _raw_spin_unlock_irq+0x24/0x80
[ 650.168047] worker_thread+0x5cc/0xff0
[ 650.171909] ? rescuer_thread+0xc80/0xc80
[ 650.176028] kthread+0x30d/0x420
[ 650.179367] ? kthread_create_on_node+0xd0/0xd0
[ 650.184008] ret_from_fork+0x24/0x30
[ 650.187693]
[ 650.189292] Allocated by task 8035:
[ 650.192891] kasan_kmalloc+0xeb/0x160
[ 650.196678] __kmalloc+0x15a/0x400
[ 650.200191] sk_prot_alloc+0x1ba/0x290
[ 650.204051] sk_alloc+0x36/0xcd0
[ 650.207390] l2cap_sock_alloc.constprop.0+0x31/0x210
[ 650.212468] l2cap_sock_create+0xf0/0x1a0
[ 650.216627] bt_sock_create+0x13b/0x280
[ 650.220578] __sock_create+0x303/0x620
[ 650.224447] SyS_socket+0xd1/0x1b0
[ 650.228002] do_syscall_64+0x1d5/0x640
[ 650.231877] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 650.237033]
[ 650.238632] Freed by task 8035:
[ 650.241882] kasan_slab_free+0xc3/0x1a0
[ 650.245826] kfree+0xc9/0x250
[ 650.248902] __sk_destruct+0x5e3/0x760
[ 650.252782] __sk_free+0xd9/0x2d0
[ 650.256206] sk_free+0x2b/0x40
[ 650.259378] l2cap_sock_kill.part.0+0x106/0x130
[ 650.264022] l2cap_sock_release+0x1cd/0x280
[ 650.268330] __sock_release+0xcd/0x2b0
[ 650.272188] sock_close+0x15/0x20
[ 650.275612] __fput+0x25f/0x7a0
[ 650.278862] task_work_run+0x11f/0x190
[ 650.282722] do_exit+0xa44/0x2850
[ 650.286145] do_group_exit+0x100/0x2e0
[ 650.290016] get_signal+0x38d/0x1ca0
[ 650.293701] do_signal+0x7c/0x1550
[ 650.297217] exit_to_usermode_loop+0x160/0x200
[ 650.301768] do_syscall_64+0x4a3/0x640
[ 650.305628] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 650.310786]
[ 650.312386] The buggy address belongs to the object at ffff88809563e4c0
[ 650.312386] which belongs to the cache kmalloc-2048 of size 2048
[ 650.325192] The buggy address is located 160 bytes inside of
[ 650.325192] 2048-byte region [ffff88809563e4c0, ffff88809563ecc0)
[ 650.337153] The buggy address belongs to the page:
[ 650.342056] page:ffffea0002558f80 count:1 mapcount:0 mapping:ffff88809563e4c0 index:0x0 compound_mapcount: 0
[ 650.351998] flags: 0xfff00000008100(slab|head)
[ 650.356560] raw: 00fff00000008100 ffff88809563e4c0 0000000000000000 0000000100000003
[ 650.364466] raw: ffffea000256a2a0 ffffea0002c67220 ffff88813fe80c40 0000000000000000
[ 650.372317] page dumped because: kasan: bad access detected
[ 650.377997]
[ 650.379597] Memory state around the buggy address:
[ 650.384497] ffff88809563e400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 650.391826] ffff88809563e480: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 650.399157] >ffff88809563e500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 650.406487] ^
[ 650.412949] ffff88809563e580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 650.420279] ffff88809563e600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 650.427620] ==================================================================
[ 650.434950] Disabling lock debugging due to kernel taint
[ 650.440370] Kernel panic - not syncing: panic_on_warn set ...
[ 650.440370]
[ 650.447732] CPU: 0 PID: 7995 Comm: kworker/0:0 Tainted: G B 4.14.212-syzkaller #0
[ 650.456449] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 650.465795] Workqueue: events l2cap_chan_timeout
[ 650.470522] Call Trace:
[ 650.473085] dump_stack+0x1b2/0x283
[ 650.476690] panic+0x1f9/0x42d
[ 650.479856] ? add_taint.cold+0x16/0x16
[ 650.483802] ? lock_downgrade+0x740/0x740
[ 650.487936] kasan_end_report+0x43/0x49
[ 650.491883] kasan_report_error.cold+0xa7/0x194
[ 650.496527] ? __lock_acquire+0x2c57/0x3f20
[ 650.500822] __asan_report_load8_noabort+0x68/0x70
[ 650.505724] ? __lock_acquire+0x2c57/0x3f20
[ 650.510016] __lock_acquire+0x2c57/0x3f20
[ 650.514135] ? lock_acquire+0x170/0x3f0
[ 650.518086] ? lock_downgrade+0x740/0x740
[ 650.522230] ? trace_hardirqs_on+0x10/0x10
[ 650.526440] ? debug_object_assert_init+0x22d/0x2d0
[ 650.531428] ? debug_object_active_state+0x330/0x330
[ 650.536504] ? ret_from_fork+0x24/0x30
[ 650.540362] ? add_lock_to_list.constprop.0+0x17d/0x330
[ 650.545698] ? save_trace+0xd6/0x290
[ 650.549388] lock_acquire+0x170/0x3f0
[ 650.553168] ? lock_sock_nested+0x39/0x100
[ 650.557388] _raw_spin_lock_bh+0x2f/0x40
[ 650.561421] ? lock_sock_nested+0x39/0x100
[ 650.565629] lock_sock_nested+0x39/0x100
[ 650.569662] l2cap_sock_teardown_cb+0x93/0x650
[ 650.574224] l2cap_chan_del+0xaf/0x950
[ 650.578093] l2cap_chan_close+0x103/0x870
[ 650.582226] ? __set_monitor_timer+0x1d0/0x1d0
[ 650.586783] ? lock_acquire+0x170/0x3f0
[ 650.590730] l2cap_chan_timeout+0x143/0x2a0
[ 650.595024] process_one_work+0x793/0x14a0
[ 650.599233] ? work_busy+0x320/0x320
[ 650.602916] ? worker_thread+0x158/0xff0
[ 650.606949] ? _raw_spin_unlock_irq+0x24/0x80
[ 650.611429] worker_thread+0x5cc/0xff0
[ 650.615295] ? rescuer_thread+0xc80/0xc80
[ 650.619416] kthread+0x30d/0x420
[ 650.622754] ? kthread_create_on_node+0xd0/0xd0
[ 650.627409] ret_from_fork+0x24/0x30
[ 650.631734] Kernel Offset: disabled
[ 650.635340] Rebooting in 86400 seconds..