==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20 kernel/locking/lockdep.c:3369
Read of size 8 at addr ffff8880452053a0 by task kworker/0:1/25

CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 4.14.232-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
 __lock_acquire+0x2c57/0x3f20 kernel/locking/lockdep.c:3369
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:176
 spin_lock_bh include/linux/spinlock.h:322 [inline]
 lock_sock_nested+0x39/0x100 net/core/sock.c:2788
 l2cap_sock_teardown_cb+0x93/0x650 net/bluetooth/l2cap_sock.c:1341
 l2cap_chan_del+0xaf/0x950 net/bluetooth/l2cap_core.c:599
 l2cap_chan_close+0x103/0x870 net/bluetooth/l2cap_core.c:757
 l2cap_chan_timeout+0x143/0x2a0 net/bluetooth/l2cap_core.c:430
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2116
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Allocated by task 13322:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 __do_kmalloc_node mm/slab.c:3682 [inline]
 __kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3696
 __kmalloc_reserve net/core/skbuff.c:137 [inline]
 pskb_expand_head+0x128/0xd30 net/core/skbuff.c:1471
 skb_ensure_writable+0x217/0x2b0 net/core/skbuff.c:5118
 __bpf_try_make_writable net/core/filter.c:1403 [inline]
 bpf_try_make_writable net/core/filter.c:1409 [inline]
 bpf_try_make_head_writable net/core/filter.c:1417 [inline]
 ____bpf_clone_redirect net/core/filter.c:1781 [inline]
 bpf_clone_redirect+0x120/0x2c0 net/core/filter.c:1759
 ___bpf_prog_run+0x252b/0x5a70 kernel/bpf/core.c:1086

Freed by task 13322:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xc9/0x250 mm/slab.c:3815
 skb_free_head net/core/skbuff.c:563 [inline]
 pskb_expand_head+0x895/0xd30 net/core/skbuff.c:1504
 __skb_cow include/linux/skbuff.h:2964 [inline]
 skb_cow_head include/linux/skbuff.h:2998 [inline]
 ipgre_xmit+0x3e6/0x6d0 net/ipv4/ip_gre.c:649
 __netdev_start_xmit include/linux/netdevice.h:4051 [inline]
 netdev_start_xmit include/linux/netdevice.h:4060 [inline]
 xmit_one net/core/dev.c:3005 [inline]
 dev_hard_start_xmit+0x188/0x890 net/core/dev.c:3021
 __dev_queue_xmit+0x1d7f/0x2480 net/core/dev.c:3521
 __bpf_tx_skb net/core/filter.c:1708 [inline]
 __bpf_redirect_common net/core/filter.c:1747 [inline]
 __bpf_redirect+0x5cf/0x9c0 net/core/filter.c:1754
 ____bpf_clone_redirect net/core/filter.c:1787 [inline]
 bpf_clone_redirect+0x1e1/0x2c0 net/core/filter.c:1759
 ___bpf_prog_run+0x252b/0x5a70 kernel/bpf/core.c:1086

The buggy address belongs to the object at ffff888045205300
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 160 bytes inside of
 2048-byte region [ffff888045205300, ffff888045205b00)
The buggy address belongs to the page:
page:ffffea0001148100 count:1 mapcount:0 mapping:ffff888045204200 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffff888045204200 0000000000000000 0000000100000003
raw: ffffea0001155a20 ffffea0001150ea0 ffff88813fe80c40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888045205280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888045205300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888045205380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff888045205400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888045205480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================