Warning: Permanently added '10.128.10.58' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 216.637368] IPVS: ftp: loaded support on port[0] = 21
[ 218.673892] Bluetooth: hci0 command 0x0409 tx timeout
[ 220.753125] Bluetooth: hci0 command 0x041b tx timeout
executing program
[ 222.832829] Bluetooth: hci0 command 0x040f tx timeout
[ 224.912548] Bluetooth: hci0 command 0x0419 tx timeout
executing program
[ 226.992367] Bluetooth: hci0 command 0x0405 tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
[ 257.069284] ==================================================================
[ 257.076830] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[ 257.083473] Read of size 8 at addr ffff8880957232e0 by task kworker/0:2/4311
[ 257.090643]
[ 257.092250] CPU: 0 PID: 4311 Comm: kworker/0:2 Not tainted 4.14.218-syzkaller #0
[ 257.099842] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 257.109240] Workqueue: events l2cap_chan_timeout
[ 257.113969] Call Trace:
[ 257.116549]  dump_stack+0x1b2/0x281
[ 257.120172]  print_address_description.cold+0x54/0x1d3
[ 257.125425]  kasan_report_error.cold+0x8a/0x191
[ 257.130069]  ? __lock_acquire+0x2c57/0x3f20
[ 257.134399]  __asan_report_load8_noabort+0x68/0x70
[ 257.139309]  ? __lock_acquire+0x2c57/0x3f20
[ 257.143611]  __lock_acquire+0x2c57/0x3f20
[ 257.147732]  ? lock_acquire+0x170/0x3f0
[ 257.151694]  ? lock_downgrade+0x740/0x740
[ 257.155816]  ? trace_hardirqs_on+0x10/0x10
[ 257.160061]  ? debug_object_assert_init+0x22d/0x2d0
[ 257.165054]  ? debug_object_active_state+0x330/0x330
[ 257.170157]  ? ret_from_fork+0x24/0x30
[ 257.174019]  ? add_lock_to_list.constprop.0+0x17d/0x330
[ 257.179367]  ? save_trace+0xd6/0x290
[ 257.183075]  lock_acquire+0x170/0x3f0
[ 257.186903]  ? lock_sock_nested+0x39/0x100
[ 257.191114]  _raw_spin_lock_bh+0x2f/0x40
[ 257.195160]  ? lock_sock_nested+0x39/0x100
[ 257.199378]  lock_sock_nested+0x39/0x100
[ 257.204458]  l2cap_sock_teardown_cb+0x93/0x650
[ 257.209052]  l2cap_chan_del+0xaf/0x950
[ 257.212918]  l2cap_chan_close+0x103/0x870
[ 257.217054]  ? __set_monitor_timer+0x1d0/0x1d0
[ 257.221609]  ? lock_acquire+0x170/0x3f0
[ 257.225555]  l2cap_chan_timeout+0x143/0x2a0
[ 257.229898]  process_one_work+0x793/0x14a0
[ 257.234544]  ? work_busy+0x320/0x320
[ 257.238229]  ? worker_thread+0x158/0xff0
[ 257.242265]  ? _raw_spin_unlock_irq+0x24/0x80
[ 257.246732]  worker_thread+0x5cc/0xff0
[ 257.250597]  ? rescuer_thread+0xc80/0xc80
[ 257.254717]  kthread+0x30d/0x420
[ 257.258054]  ? kthread_create_on_node+0xd0/0xd0
[ 257.262696]  ret_from_fork+0x24/0x30
[ 257.266393]
[ 257.267994] Allocated by task 8020:
[ 257.271596]  kasan_kmalloc+0xeb/0x160
[ 257.275400]  __kmalloc+0x15a/0x400
[ 257.278913]  sk_prot_alloc+0x1ba/0x290
[ 257.282772]  sk_alloc+0x36/0xcd0
[ 257.286124]  l2cap_sock_alloc.constprop.0+0x31/0x210
[ 257.291200]  l2cap_sock_create+0xf0/0x1a0
[ 257.295349]  bt_sock_create+0x13b/0x280
[ 257.299307]  __sock_create+0x303/0x620
[ 257.303166]  SyS_socket+0xd1/0x1b0
[ 257.306689]  do_syscall_64+0x1d5/0x640
[ 257.310549]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 257.315795]
[ 257.317402] Freed by task 8020:
[ 257.320654]  kasan_slab_free+0xc3/0x1a0
[ 257.324601]  kfree+0xc9/0x250
[ 257.327691]  __sk_destruct+0x5e3/0x760
[ 257.331563]  __sk_free+0xd9/0x2d0
[ 257.334989]  sk_free+0x2b/0x40
[ 257.338167]  l2cap_sock_kill.part.0+0x106/0x130
[ 257.342820]  l2cap_sock_release+0x1cd/0x280
[ 257.347112]  __sock_release+0xcd/0x2b0
[ 257.350986]  sock_close+0x15/0x20
[ 257.354444]  __fput+0x25f/0x7a0
[ 257.357695]  task_work_run+0x11f/0x190
[ 257.361587]  do_exit+0xa44/0x2850
[ 257.365013]  do_group_exit+0x100/0x2e0
[ 257.368871]  get_signal+0x38d/0x1ca0
[ 257.372601]  do_signal+0x7c/0x1550
[ 257.376118]  exit_to_usermode_loop+0x160/0x200
[ 257.380683]  do_syscall_64+0x4a3/0x640
[ 257.384553]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 257.389722]
[ 257.391324] The buggy address belongs to the object at ffff888095723240
[ 257.391324]  which belongs to the cache kmalloc-2048 of size 2048
[ 257.404137] The buggy address is located 160 bytes inside of
[ 257.404137]  2048-byte region [ffff888095723240, ffff888095723a40)
[ 257.416066] The buggy address belongs to the page:
[ 257.420980] page:ffffea000255c880 count:1 mapcount:0 mapping:ffff888095722140 index:0x0 compound_mapcount: 0
[ 257.431017] flags: 0xfff00000008100(slab|head)
[ 257.435583] raw: 00fff00000008100 ffff888095722140 0000000000000000 0000000100000003
[ 257.443446] raw: ffffea0002ca6ea0 ffffea000240e2a0 ffff88813fe80c40 0000000000000000
[ 257.451295] page dumped because: kasan: bad access detected
[ 257.456975]
[ 257.458574] Memory state around the buggy address:
[ 257.463474]  ffff888095723180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 257.470802]  ffff888095723200: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 257.478132] >ffff888095723280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 257.485460]                                                        ^
[ 257.491921]  ffff888095723300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 257.499251]  ffff888095723380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 257.506758] ==================================================================
[ 257.514142] Disabling lock debugging due to kernel taint
[ 257.519563] Kernel panic - not syncing: panic_on_warn set ...
[ 257.519563]
[ 257.526938] CPU: 0 PID: 4311 Comm: kworker/0:2 Tainted: G B 4.14.218-syzkaller #0
[ 257.535659] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 257.544995] Workqueue: events l2cap_chan_timeout
[ 257.549724] Call Trace:
[ 257.552288]  dump_stack+0x1b2/0x281
[ 257.555928]  panic+0x1f9/0x42d
[ 257.559112]  ? add_taint.cold+0x16/0x16
[ 257.563073]  ? lock_downgrade+0x740/0x740
[ 257.567200]  kasan_end_report+0x43/0x49
[ 257.571149]  kasan_report_error.cold+0xa7/0x191
[ 257.575793]  ? __lock_acquire+0x2c57/0x3f20
[ 257.580087]  __asan_report_load8_noabort+0x68/0x70
[ 257.584993]  ? __lock_acquire+0x2c57/0x3f20
[ 257.589287]  __lock_acquire+0x2c57/0x3f20
[ 257.593410]  ? lock_acquire+0x170/0x3f0
[ 257.597357]  ? lock_downgrade+0x740/0x740
[ 257.601478]  ? trace_hardirqs_on+0x10/0x10
[ 257.605699]  ? debug_object_assert_init+0x22d/0x2d0
[ 257.610701]  ? debug_object_active_state+0x330/0x330
[ 257.615776]  ? ret_from_fork+0x24/0x30
[ 257.619649]  ? add_lock_to_list.constprop.0+0x17d/0x330
[ 257.625011]  ? save_trace+0xd6/0x290
[ 257.628696]  lock_acquire+0x170/0x3f0
[ 257.632476]  ? lock_sock_nested+0x39/0x100
[ 257.636682]  _raw_spin_lock_bh+0x2f/0x40
[ 257.640717]  ? lock_sock_nested+0x39/0x100
[ 257.644926]  lock_sock_nested+0x39/0x100
[ 257.648963]  l2cap_sock_teardown_cb+0x93/0x650
[ 257.653521]  l2cap_chan_del+0xaf/0x950
[ 257.657468]  l2cap_chan_close+0x103/0x870
[ 257.661587]  ? __set_monitor_timer+0x1d0/0x1d0
[ 257.666156]  ? lock_acquire+0x170/0x3f0
[ 257.670102]  l2cap_chan_timeout+0x143/0x2a0
[ 257.674397]  process_one_work+0x793/0x14a0
[ 257.678618]  ? work_busy+0x320/0x320
[ 257.682303]  ? worker_thread+0x158/0xff0
[ 257.686337]  ? _raw_spin_unlock_irq+0x24/0x80
[ 257.690804]  worker_thread+0x5cc/0xff0
[ 257.694673]  ? rescuer_thread+0xc80/0xc80
[ 257.698797]  kthread+0x30d/0x420
[ 257.702148]  ? kthread_create_on_node+0xd0/0xd0
[ 257.706830]  ret_from_fork+0x24/0x30
[ 257.711078] Kernel Offset: disabled
[ 257.714688] Rebooting in 86400 seconds..