Warning: Permanently added '10.128.0.169' (ECDSA) to the list of known hosts.
syzkaller login: [ 607.315228] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 609.365181] Bluetooth: hci0 command 0x0409 tx timeout
[ 611.444837] Bluetooth: hci0 command 0x041b tx timeout
executing program
[ 613.524493] Bluetooth: hci0 command 0x040f tx timeout
[ 615.604323] Bluetooth: hci0 command 0x0419 tx timeout
executing program
[ 617.684142] Bluetooth: hci0 command 0x0405 tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
[ 647.442303] ==================================================================
[ 647.449780] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[ 647.456425] Read of size 8 at addr ffff8880b2e97320 by task kworker/1:1/7965
[ 647.463582]
[ 647.465206] CPU: 1 PID: 7965 Comm: kworker/1:1 Not tainted 4.14.218-syzkaller #0
[ 647.472730] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 647.482078] Workqueue: events l2cap_chan_timeout
[ 647.486807] Call Trace:
[ 647.489375]  dump_stack+0x1b2/0x281
[ 647.492984]  print_address_description.cold+0x54/0x1d3
[ 647.498245]  kasan_report_error.cold+0x8a/0x191
[ 647.502891]  ? __lock_acquire+0x2c57/0x3f20
[ 647.507196]  __asan_report_load8_noabort+0x68/0x70
[ 647.512098]  ? __lock_acquire+0x2c57/0x3f20
[ 647.516392]  __lock_acquire+0x2c57/0x3f20
[ 647.520512]  ? lock_acquire+0x170/0x3f0
[ 647.524501]  ? lock_downgrade+0x740/0x740
[ 647.528640]  ? trace_hardirqs_on+0x10/0x10
[ 647.532867]  ? debug_object_assert_init+0x22d/0x2d0
[ 647.537861]  ? debug_object_active_state+0x330/0x330
[ 647.542940]  ? ret_from_fork+0x24/0x30
[ 647.546820]  ? add_lock_to_list.constprop.0+0x17d/0x330
[ 647.552158]  ? save_trace+0xd6/0x290
[ 647.555850]  lock_acquire+0x170/0x3f0
[ 647.559628]  ? lock_sock_nested+0x39/0x100
[ 647.563855]  _raw_spin_lock_bh+0x2f/0x40
[ 647.567890]  ? lock_sock_nested+0x39/0x100
[ 647.572098]  lock_sock_nested+0x39/0x100
[ 647.576135]  l2cap_sock_teardown_cb+0x93/0x650
[ 647.580715]  l2cap_chan_del+0xaf/0x950
[ 647.584579]  l2cap_chan_close+0x103/0x870
[ 647.588702]  ? __set_monitor_timer+0x1d0/0x1d0
[ 647.593290]  ? lock_acquire+0x170/0x3f0
[ 647.597241]  l2cap_chan_timeout+0x143/0x2a0
[ 647.601720]  process_one_work+0x793/0x14a0
[ 647.605945]  ? work_busy+0x320/0x320
[ 647.609630]  ? worker_thread+0x158/0xff0
[ 647.613673]  ? _raw_spin_unlock_irq+0x24/0x80
[ 647.618157]  worker_thread+0x5cc/0xff0
[ 647.622021]  ? rescuer_thread+0xc80/0xc80
[ 647.626143]  kthread+0x30d/0x420
[ 647.629484]  ? kthread_create_on_node+0xd0/0xd0
[ 647.634139]  ret_from_fork+0x24/0x30
[ 647.637825]
[ 647.639428] Allocated by task 7986:
[ 647.643044]  kasan_kmalloc+0xeb/0x160
[ 647.646821]  __kmalloc+0x15a/0x400
[ 647.650335]  sk_prot_alloc+0x1ba/0x290
[ 647.654209]  sk_alloc+0x36/0xcd0
[ 647.657548]  l2cap_sock_alloc.constprop.0+0x31/0x210
[ 647.662624]  l2cap_sock_create+0xf0/0x1a0
[ 647.666745]  bt_sock_create+0x13b/0x280
[ 647.670693]  __sock_create+0x303/0x620
[ 647.674569]  SyS_socket+0xd1/0x1b0
[ 647.678086]  do_syscall_64+0x1d5/0x640
[ 647.681968]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 647.687141]
[ 647.688795] Freed by task 7986:
[ 647.692049]  kasan_slab_free+0xc3/0x1a0
[ 647.696006]  kfree+0xc9/0x250
[ 647.699089]  __sk_destruct+0x5e3/0x760
[ 647.702951]  __sk_free+0xd9/0x2d0
[ 647.706378]  sk_free+0x2b/0x40
[ 647.709553]  l2cap_sock_kill.part.0+0x106/0x130
[ 647.714209]  l2cap_sock_release+0x1cd/0x280
[ 647.718521]  __sock_release+0xcd/0x2b0
[ 647.722381]  sock_close+0x15/0x20
[ 647.725808]  __fput+0x25f/0x7a0
[ 647.729059]  task_work_run+0x11f/0x190
[ 647.732930]  do_exit+0xa44/0x2850
[ 647.736364]  do_group_exit+0x100/0x2e0
[ 647.740226]  get_signal+0x38d/0x1ca0
[ 647.743924]  do_signal+0x7c/0x1550
[ 647.747439]  exit_to_usermode_loop+0x160/0x200
[ 647.752012]  do_syscall_64+0x4a3/0x640
[ 647.755876]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 647.761050]
[ 647.762654] The buggy address belongs to the object at ffff8880b2e97280
[ 647.762654]  which belongs to the cache kmalloc-2048 of size 2048
[ 647.775458] The buggy address is located 160 bytes inside of
[ 647.775458]  2048-byte region [ffff8880b2e97280, ffff8880b2e97a80)
[ 647.787752] The buggy address belongs to the page:
[ 647.793086] page:ffffea0002cba580 count:1 mapcount:0 mapping:ffff8880b2e96180 index:0x0 compound_mapcount: 0
[ 647.803034] flags: 0xfff00000008100(slab|head)
[ 647.807603] raw: 00fff00000008100 ffff8880b2e96180 0000000000000000 0000000100000003
[ 647.815462] raw: ffffea000256c5a0 ffffea0002cba4a0 ffff88813fe80c40 0000000000000000
[ 647.823342] page dumped because: kasan: bad access detected
[ 647.829026]
[ 647.830627] Memory state around the buggy address:
[ 647.835543]  ffff8880b2e97200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 647.842881]  ffff8880b2e97280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 647.850254] >ffff8880b2e97300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 647.857594]                                ^
[ 647.861979]  ffff8880b2e97380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 647.869401]  ffff8880b2e97400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 647.876737] ==================================================================
[ 647.884183] Disabling lock debugging due to kernel taint
[ 647.889609] Kernel panic - not syncing: panic_on_warn set ...
[ 647.889609]
[ 647.896945] CPU: 1 PID: 7965 Comm: kworker/1:1 Tainted: G B 4.14.218-syzkaller #0
[ 647.905668] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 647.915010] Workqueue: events l2cap_chan_timeout
[ 647.919749] Call Trace:
[ 647.922331]  dump_stack+0x1b2/0x281
[ 647.925949]  panic+0x1f9/0x42d
[ 647.929115]  ? add_taint.cold+0x16/0x16
[ 647.933067]  ? lock_downgrade+0x740/0x740
[ 647.937190]  kasan_end_report+0x43/0x49
[ 647.941147]  kasan_report_error.cold+0xa7/0x191
[ 647.945792]  ? __lock_acquire+0x2c57/0x3f20
[ 647.950086]  __asan_report_load8_noabort+0x68/0x70
[ 647.955007]  ? __lock_acquire+0x2c57/0x3f20
[ 647.959303]  __lock_acquire+0x2c57/0x3f20
[ 647.963443]  ? lock_acquire+0x170/0x3f0
[ 647.967399]  ? lock_downgrade+0x740/0x740
[ 647.971529]  ? trace_hardirqs_on+0x10/0x10
[ 647.975743]  ? debug_object_assert_init+0x22d/0x2d0
[ 647.980734]  ? debug_object_active_state+0x330/0x330
[ 647.985815]  ? ret_from_fork+0x24/0x30
[ 647.989678]  ? add_lock_to_list.constprop.0+0x17d/0x330
[ 647.995014]  ? save_trace+0xd6/0x290
[ 647.998713]  lock_acquire+0x170/0x3f0
[ 648.002491]  ? lock_sock_nested+0x39/0x100
[ 648.006703]  _raw_spin_lock_bh+0x2f/0x40
[ 648.010738]  ? lock_sock_nested+0x39/0x100
[ 648.014956]  lock_sock_nested+0x39/0x100
[ 648.018998]  l2cap_sock_teardown_cb+0x93/0x650
[ 648.023792]  l2cap_chan_del+0xaf/0x950
[ 648.029660]  l2cap_chan_close+0x103/0x870
[ 648.033791]  ? __set_monitor_timer+0x1d0/0x1d0
[ 648.038353]  ? lock_acquire+0x170/0x3f0
[ 648.042310]  l2cap_chan_timeout+0x143/0x2a0
[ 648.046610]  process_one_work+0x793/0x14a0
[ 648.050823]  ? work_busy+0x320/0x320
[ 648.054530]  ? worker_thread+0x158/0xff0
[ 648.058568]  ? _raw_spin_unlock_irq+0x24/0x80
[ 648.063174]  worker_thread+0x5cc/0xff0
[ 648.067045]  ? rescuer_thread+0xc80/0xc80
[ 648.071166]  kthread+0x30d/0x420
[ 648.074508]  ? kthread_create_on_node+0xd0/0xd0
[ 648.079261]  ret_from_fork+0x24/0x30
[ 648.083718] Kernel Offset: disabled
[ 648.087331] Rebooting in 86400 seconds..