==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x3c3c/0x52b0 kernel/locking/lockdep.c:4885
Read of size 8 at addr ffff8881077f2120 by task kworker/1:4/6483

CPU: 1 PID: 6483 Comm: kworker/1:4 Not tainted 5.15.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xbd/0xe2 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x6c/0x2d6 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 __lock_acquire+0x3c3c/0x52b0 kernel/locking/lockdep.c:4885
 lock_acquire kernel/locking/lockdep.c:5625 [inline]
 lock_acquire+0x212/0x5d0 kernel/locking/lockdep.c:5590
 lock_sock_nested+0x2b/0xd0 net/core/sock.c:3183
 l2cap_sock_teardown_cb+0x83/0x3a0 net/bluetooth/l2cap_sock.c:1528
 l2cap_chan_del+0x96/0x1010 net/bluetooth/l2cap_core.c:622
 l2cap_chan_close+0xe2/0x9d0 net/bluetooth/l2cap_core.c:825
 l2cap_chan_timeout+0x122/0x3a0 net/bluetooth/l2cap_core.c:436
 process_one_work+0x87f/0x1450 kernel/workqueue.c:2297
 worker_thread+0x598/0x1040 kernel/workqueue.c:2444
 kthread+0x38b/0x460 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Allocated by task 8391:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 __kasan_kmalloc+0x7a/0x90 mm/kasan/common.c:522
 kasan_kmalloc include/linux/kasan.h:264 [inline]
 __do_kmalloc mm/slab.c:3702 [inline]
 __kmalloc+0x213/0x470 mm/slab.c:3711
 kmalloc include/linux/slab.h:596 [inline]
 sk_prot_alloc+0xee/0x200 net/core/sock.c:1822
 sk_alloc+0x27/0x810 net/core/sock.c:1875
 __netlink_create+0x58/0x2a0 net/netlink/af_netlink.c:640
 netlink_create+0x305/0x540 net/netlink/af_netlink.c:703
 __sock_create+0x22a/0x550 net/socket.c:1464
 sock_create net/socket.c:1515 [inline]
 __sys_socket+0xd6/0x1a0 net/socket.c:1557
 __do_sys_socket net/socket.c:1566 [inline]
 __se_sys_socket net/socket.c:1564 [inline]
 __x64_sys_socket+0x6a/0xb0 net/socket.c:1564
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 12:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:360
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free mm/kasan/common.c:328 [inline]
 __kasan_slab_free+0xb2/0xe0 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:230 [inline]
 __cache_free mm/slab.c:3445 [inline]
 kfree+0x111/0x2d0 mm/slab.c:3803
 sk_prot_free net/core/sock.c:1858 [inline]
 __sk_destruct+0x55b/0x6c0 net/core/sock.c:1943
 rcu_do_batch kernel/rcu/tree.c:2508 [inline]
 rcu_core+0x777/0x16b0 kernel/rcu/tree.c:2743
 __do_softirq+0x206/0xa19 kernel/softirq.c:558

Last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0x87/0xb0 mm/kasan/generic.c:348
 __call_rcu kernel/rcu/tree.c:2987 [inline]
 call_rcu+0x118/0x7e0 kernel/rcu/tree.c:3067
 netlink_release+0xb08/0x17e0 net/netlink/af_netlink.c:812
 __sock_release+0xbb/0x270 net/socket.c:649
 sock_close+0xf/0x20 net/socket.c:1314
 __fput+0x206/0x8d0 fs/file_table.c:280
 task_work_run+0xc0/0x160 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
 exit_to_user_mode_prepare+0x278/0x280 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x40/0x70 kernel/entry/common.c:300
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Second to last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0x87/0xb0 mm/kasan/generic.c:348
 __call_rcu kernel/rcu/tree.c:2987 [inline]
 call_rcu+0x118/0x7e0 kernel/rcu/tree.c:3067
 netlink_release+0xb08/0x17e0 net/netlink/af_netlink.c:812
 __sock_release+0xbb/0x270 net/socket.c:649
 sock_close+0xf/0x20 net/socket.c:1314
 __fput+0x206/0x8d0 fs/file_table.c:280
 task_work_run+0xc0/0x160 kernel/task_work.c:164
 exit_task_work include/linux/task_work.h:32 [inline]
 do_exit+0xa7a/0x2570 kernel/exit.c:825
 do_group_exit+0xe7/0x290 kernel/exit.c:922
 __do_sys_exit_group kernel/exit.c:933 [inline]
 __se_sys_exit_group kernel/exit.c:931 [inline]
 __x64_sys_exit_group+0x35/0x40 kernel/exit.c:931
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff8881077f2000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 288 bytes inside of
 2048-byte region [ffff8881077f2000, ffff8881077f2800)
The buggy address belongs to the page:
page:000000000a2e0d27 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1077f2
flags: 0x17ffe0000000200(slab|node=0|zone=2|lastcpupid=0x3fff)
raw: 017ffe0000000200 ffffea0005cf6208 ffffea00058d9bc8 ffff888100040800
raw: 0000000000000000 ffff8881077f2000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881077f2000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881077f2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881077f2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff8881077f2180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881077f2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
stack segment: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 6483 Comm: kworker/1:4 Tainted: G B 5.15.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
RIP: 0010:arch_atomic_fetch_sub arch/x86/include/asm/atomic.h:190 [inline]
RIP: 0010:atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:168 [inline]
RIP: 0010:__refcount_sub_and_test include/linux/refcount.h:272 [inline]
RIP: 0010:__refcount_dec_and_test include/linux/refcount.h:315 [inline]
RIP: 0010:refcount_dec_and_test include/linux/refcount.h:333 [inline]
RIP: 0010:kref_put include/linux/kref.h:64 [inline]
RIP: 0010:l2cap_chan_put+0x21/0x1c0 net/bluetooth/l2cap_core.c:504
Code: 75 fb f9 fa eb ad 0f 1f 00 41 56 be 04 00 00 00 41 55 41 54 4c 8d 67 18 55 48 89 fd 4c 89 e7 53 e8 d4 fe f9 fa b8 ff ff ff ff <f0> 0f c1 45 18 83 f8 01 74 11 85 c0 0f 8e 2b 01 00 00 5b 5d 41 5c
RSP: 0018:ffffc900078c7ca0 EFLAGS: 00010202
RAX: 00000000ffffffff RBX: ffff888173d88110 RCX: ffffffff86aef07c
RDX: 0000000000000001 RSI: 0000000000000004 RDI: dead4ead00000018
RBP: dead4ead00000000 R08: 0000000000000001 R09: dead4ead0000001c
R10: ffffed1020efe40c R11: 6e696c6261736944 R12: dead4ead00000018
R13: ffff888173d884b8 R14: ffffffff88ad08c0 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8881f6500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff8b4eb558 CR3: 000000010d0ac000 CR4: 0000000000350ee0
Call Trace:
 l2cap_sock_kill+0x95/0x110 net/bluetooth/l2cap_sock.c:1225
 l2cap_chan_timeout+0x171/0x3a0 net/bluetooth/l2cap_core.c:438
 process_one_work+0x87f/0x1450 kernel/workqueue.c:2297
 worker_thread+0x598/0x1040 kernel/workqueue.c:2444
 kthread+0x38b/0x460 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Modules linked in:
---[ end trace 367d3377f8e15113 ]---
RIP: 0010:arch_atomic_fetch_sub arch/x86/include/asm/atomic.h:190 [inline]
RIP: 0010:atomic_fetch_sub_release include/linux/atomic/atomic-instrumented.h:168 [inline]
RIP: 0010:__refcount_sub_and_test include/linux/refcount.h:272 [inline]
RIP: 0010:__refcount_dec_and_test include/linux/refcount.h:315 [inline]
RIP: 0010:refcount_dec_and_test include/linux/refcount.h:333 [inline]
RIP: 0010:kref_put include/linux/kref.h:64 [inline]
RIP: 0010:l2cap_chan_put+0x21/0x1c0 net/bluetooth/l2cap_core.c:504
Code: 75 fb f9 fa eb ad 0f 1f 00 41 56 be 04 00 00 00 41 55 41 54 4c 8d 67 18 55 48 89 fd 4c 89 e7 53 e8 d4 fe f9 fa b8 ff ff ff ff <f0> 0f c1 45 18 83 f8 01 74 11 85 c0 0f 8e 2b 01 00 00 5b 5d 41 5c
RSP: 0018:ffffc900078c7ca0 EFLAGS: 00010202
RAX: 00000000ffffffff RBX: ffff888173d88110 RCX: ffffffff86aef07c
RDX: 0000000000000001 RSI: 0000000000000004 RDI: dead4ead00000018
RBP: dead4ead00000000 R08: 0000000000000001 R09: dead4ead0000001c
R10: ffffed1020efe40c R11: 6e696c6261736944 R12: dead4ead00000018
R13: ffff888173d884b8 R14: ffffffff88ad08c0 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8881f6500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff8b4eb558 CR3: 00000001095eb000 CR4: 0000000000350ee0
----------------
Code disassembly (best guess):
   0:   75 fb                   jne    0xfffffffd
   2:   f9                      stc
   3:   fa                      cli
   4:   eb ad                   jmp    0xffffffb3
   6:   0f 1f 00                nopl   (%rax)
   9:   41 56                   push   %r14
   b:   be 04 00 00 00          mov    $0x4,%esi
  10:   41 55                   push   %r13
  12:   41 54                   push   %r12
  14:   4c 8d 67 18             lea    0x18(%rdi),%r12
  18:   55                      push   %rbp
  19:   48 89 fd                mov    %rdi,%rbp
  1c:   4c 89 e7                mov    %r12,%rdi
  1f:   53                      push   %rbx
  20:   e8 d4 fe f9 fa          callq  0xfaf9fef9
  25:   b8 ff ff ff ff          mov    $0xffffffff,%eax
* 2a:   f0 0f c1 45 18          lock xadd %eax,0x18(%rbp)        <-- trapping instruction
  2f:   83 f8 01                cmp    $0x1,%eax
  32:   74 11                   je     0x45
  34:   85 c0                   test   %eax,%eax
  36:   0f 8e 2b 01 00 00       jle    0x167
  3c:   5b                      pop    %rbx
  3d:   5d                      pop    %rbp
  3e:   41 5c                   pop    %r12