==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20 kernel/locking/lockdep.c:3369
Read of size 8 at addr ffff8880452053a0 by task kworker/0:1/25

CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 4.14.232-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
 __lock_acquire+0x2c57/0x3f20 kernel/locking/lockdep.c:3369
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:176
 spin_lock_bh include/linux/spinlock.h:322 [inline]
 lock_sock_nested+0x39/0x100 net/core/sock.c:2788
 l2cap_sock_teardown_cb+0x93/0x650 net/bluetooth/l2cap_sock.c:1341
 l2cap_chan_del+0xaf/0x950 net/bluetooth/l2cap_core.c:599
 l2cap_chan_close+0x103/0x870 net/bluetooth/l2cap_core.c:757
 l2cap_chan_timeout+0x143/0x2a0 net/bluetooth/l2cap_core.c:430
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2116
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Allocated by task 13322:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 __do_kmalloc_node mm/slab.c:3682 [inline]
 __kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3696
 __kmalloc_reserve net/core/skbuff.c:137 [inline]
 pskb_expand_head+0x128/0xd30 net/core/skbuff.c:1471
 skb_ensure_writable+0x217/0x2b0 net/core/skbuff.c:5118
 __bpf_try_make_writable net/core/filter.c:1403 [inline]
 bpf_try_make_writable net/core/filter.c:1409 [inline]
 bpf_try_make_head_writable net/core/filter.c:1417 [inline]
 ____bpf_clone_redirect net/core/filter.c:1781 [inline]
 bpf_clone_redirect+0x120/0x2c0 net/core/filter.c:1759
 ___bpf_prog_run+0x252b/0x5a70 kernel/bpf/core.c:1086

Freed by task 13322:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xc9/0x250 mm/slab.c:3815
 skb_free_head net/core/skbuff.c:563 [inline]
 pskb_expand_head+0x895/0xd30 net/core/skbuff.c:1504
 __skb_cow include/linux/skbuff.h:2964 [inline]
 skb_cow_head include/linux/skbuff.h:2998 [inline]
 ipgre_xmit+0x3e6/0x6d0 net/ipv4/ip_gre.c:649
 __netdev_start_xmit include/linux/netdevice.h:4051 [inline]
 netdev_start_xmit include/linux/netdevice.h:4060 [inline]
 xmit_one net/core/dev.c:3005 [inline]
 dev_hard_start_xmit+0x188/0x890 net/core/dev.c:3021
 __dev_queue_xmit+0x1d7f/0x2480 net/core/dev.c:3521
 __bpf_tx_skb net/core/filter.c:1708 [inline]
 __bpf_redirect_common net/core/filter.c:1747 [inline]
 __bpf_redirect+0x5cf/0x9c0 net/core/filter.c:1754
 ____bpf_clone_redirect net/core/filter.c:1787 [inline]
 bpf_clone_redirect+0x1e1/0x2c0 net/core/filter.c:1759
 ___bpf_prog_run+0x252b/0x5a70 kernel/bpf/core.c:1086

The buggy address belongs to the object at ffff888045205300
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 160 bytes inside of
 2048-byte region [ffff888045205300, ffff888045205b00)
The buggy address belongs to the page:
page:ffffea0001148100 count:1 mapcount:0 mapping:ffff888045204200 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffff888045204200 0000000000000000 0000000100000003
raw: ffffea0001155a20 ffffea0001150ea0 ffff88813fe80c40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888045205280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888045205300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888045205380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff888045205400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888045205480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================