INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe
you didn't initialize this object before use?
turning off the locking correctness validator.
CPU: 0 PID: 28571 Comm: kworker/0:1 Not tainted 4.19.203-syzkaller #0
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 assign_lock_key kernel/locking/lockdep.c:728 [inline]
 register_lock_class+0xe82/0x11c0 kernel/locking/lockdep.c:754
 __lock_acquire+0x17d/0x3ff0 kernel/locking/lockdep.c:3304
 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:168
 spin_lock_bh include/linux/spinlock.h:334 [inline]
 lock_sock_nested+0x3b/0x110 net/core/sock.c:2864
 l2cap_sock_teardown_cb+0xa0/0x6d0 net/bluetooth/l2cap_sock.c:1348
 l2cap_chan_del+0xbc/0xa50 net/bluetooth/l2cap_core.c:603
 l2cap_chan_close+0x1b5/0x950 net/bluetooth/l2cap_core.c:761
 l2cap_chan_timeout+0x17e/0x2f0 net/bluetooth/l2cap_core.c:430
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
audit: type=1804 audit(1629011145.129:298): pid=14571 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.5" name="/root/syzkaller-testdir480913705/syzkaller.Ogohj1/4329/bus" dev="sda1" ino=14153 res=1
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
connect: ipv4 mapped
connect: ipv4 mapped
sd 0:0:1:0: [sg0] tag#7578 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#7578 CDB: Verify(6)
sd 0:0:1:0: [sg0] tag#7578 CDB[00]: 13 9e 6e b3 04 d5 f8 21 a9 be 1f 0a a0 17 a2 57
sd 0:0:1:0: [sg0] tag#7578 CDB[10]: 2a ef da 0b 61 a8 54 51 46 73 ab fe 44 d5 dd ee
sd 0:0:1:0: [sg0] tag#7578 CDB[20]: b3 80 ce 94 f9 04 b6 80 fe 11 37 d7 4d f4 ae 77
sd 0:0:1:0: [sg0] tag#7578 CDB[30]: 88 fb 57 e3 fa 38 50 b1 0d 12 b5 13 ef 35 72 b0
sd 0:0:1:0: [sg0] tag#7578 CDB[40]: e0 91 51 f7 12 b6 5d 90 28 66 13 4a 28 ca f6 d1
sd 0:0:1:0: [sg0] tag#7578 CDB[50]: fb f9 0a 9d ea 3f 7e 6a 33 1c 4b 76 44 c0 0b bf
sd 0:0:1:0: [sg0] tag#7578 CDB[60]: 1e 30 80 a2 36 c5 3a 53 60 14 2b 78 2a 33 66 5e
sd 0:0:1:0: [sg0] tag#7578 CDB[70]: f7 0f 00 40 a7 ce bc 62 05 f0 89 b1 5a fb 9b 55
sd 0:0:1:0: [sg0] tag#7578 CDB[80]: f0 a0 c8 c0 5d 33 7d b9 f0 d7 8a 1f 2a 7e 7c 59
sd 0:0:1:0: [sg0] tag#7578 CDB[90]: fc 95 ee ea dd e9 f6
sd 0:0:1:0: [sg0] tag#7578 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#7578 CDB: Verify(6)
sd 0:0:1:0: [sg0] tag#7578 CDB[00]: 13 9e 6e b3 04 d5 f8 21 a9 be 1f 0a a0 17 a2 57
sd 0:0:1:0: [sg0] tag#7578 CDB[10]: 2a ef da 0b 61 a8 54 51 46 73 ab fe 44 d5 dd ee
sd 0:0:1:0: [sg0] tag#7578 CDB[20]: b3 80 ce 94 f9 04 b6 80 fe 11 37 d7 4d f4 ae 77
sd 0:0:1:0: [sg0] tag#7578 CDB[30]: 88 fb 57 e3 fa 38 50 b1 0d 12 b5 13 ef 35 72 b0
sd 0:0:1:0: [sg0] tag#7578 CDB[40]: e0 91 51 f7 12 b6 5d 90 28 66 13 4a 28 ca f6 d1
sd 0:0:1:0: [sg0] tag#7578 CDB[50]: fb f9 0a 9d ea 3f 7e 6a 33 1c 4b 76 44 c0 0b bf
sd 0:0:1:0: [sg0] tag#7578 CDB[60]: 1e 30 80 a2 36 c5 3a 53 60 14 2b 78 2a 33 66 5e
sd 0:0:1:0: [sg0] tag#7578 CDB[70]: f7 0f 00 40 a7 ce bc 62 05 f0 89 b1 5a fb 9b 55
sd 0:0:1:0: [sg0] tag#7578 CDB[80]: f0 a0 c8 c0 5d 33 7d b9 f0 d7 8a 1f 2a 7e 7c 59
sd 0:0:1:0: [sg0] tag#7578 CDB[90]: fc 95 ee ea dd e9 f6
x_tables: duplicate underflow at hook 2
audit: type=1804 audit(1629011145.519:299): pid=14592 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.5" name="/root/syzkaller-testdir480913705/syzkaller.Ogohj1/4330/bus" dev="sda1" ino=14153 res=1
sd 0:0:1:0: [sg0] tag#7562 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#7562 CDB: Verify(6)
sd 0:0:1:0: [sg0] tag#7562 CDB[00]: 13 9e 6e b3 04 d5 f8 21 a9 be 1f 0a a0 17 a2 57
sd 0:0:1:0: [sg0] tag#7562 CDB[10]: 2a ef da 0b 61 a8 54 51 46 73 ab fe 44 d5 dd ee
sd 0:0:1:0: [sg0] tag#7562 CDB[20]: b3 80 ce 94 f9 04 b6 80 fe 11 37 d7 4d f4 ae 77
sd 0:0:1:0: [sg0] tag#7562 CDB[30]: 88 fb 57 e3 fa 38 50 b1 0d 12 b5 13 ef 35 72 b0
sd 0:0:1:0: [sg0] tag#7562 CDB[40]: e0 91 51 f7 12 b6 5d 90 28 66 13 4a 28 ca f6 d1
x_tables: arp_tables: CLASSIFY target: used from hooks INPUT, but only usable from FORWARD/OUTPUT
sd 0:0:1:0: [sg0] tag#7562 CDB[50]: fb f9 0a 9d ea 3f 7e 6a 33 1c 4b 76 44 c0 0b bf
sd 0:0:1:0: [sg0] tag#7562 CDB[60]: 1e 30 80 a2 36 c5 3a 53 60 14 2b 78 2a 33 66 5e
sd 0:0:1:0: [sg0] tag#7562 CDB[70]: f7 0f 00 40 a7 ce bc 62 05 f0 89 b1 5a fb 9b 55
sd 0:0:1:0: [sg0] tag#7562 CDB[80]: f0 a0 c8 c0 5d 33 7d b9 f0 d7 8a 1f 2a 7e 7c 59
sd 0:0:1:0: [sg0] tag#7562 CDB[90]: fc 95 ee ea dd e9 f6
==================================================================
BUG: KASAN: slab-out-of-bounds in l2cap_sock_teardown_cb+0x628/0x6d0 net/bluetooth/l2cap_sock.c:1350
Read of size 8 at addr ffff8880470a04e8 by task kworker/0:1/28571

CPU: 0 PID: 28571 Comm: kworker/0:1 Not tainted 4.19.203-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354
 kasan_report mm/kasan/report.c:412 [inline]
 __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433
 l2cap_sock_teardown_cb+0x628/0x6d0 net/bluetooth/l2cap_sock.c:1350
 l2cap_chan_del+0xbc/0xa50 net/bluetooth/l2cap_core.c:603
 l2cap_chan_close+0x1b5/0x950 net/bluetooth/l2cap_core.c:761
 l2cap_chan_timeout+0x17e/0x2f0 net/bluetooth/l2cap_core.c:430
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 13870:
 __do_kmalloc mm/slab.c:3727 [inline]
 __kmalloc+0x15a/0x3c0 mm/slab.c:3736
 kmalloc include/linux/slab.h:520 [inline]
 kzalloc include/linux/slab.h:709 [inline]
 ops_init+0xfe/0x410 net/core/net_namespace.c:119
 setup_net+0x2c2/0x720 net/core/net_namespace.c:315
 copy_net_ns+0x1f7/0x340 net/core/net_namespace.c:438
 create_new_namespaces+0x3f6/0x7b0 kernel/nsproxy.c:107
 copy_namespaces+0x325/0x3c0 kernel/nsproxy.c:165
 copy_process.part.0+0x3a59/0x8260 kernel/fork.c:1915
 copy_process kernel/fork.c:1709 [inline]
 _do_fork+0x22f/0xf30 kernel/fork.c:2218
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 12318:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 sk_prot_free net/core/sock.c:1503 [inline]
 __sk_destruct+0x684/0x8a0 net/core/sock.c:1584
 sk_destruct net/core/sock.c:1599 [inline]
 __sk_free+0x165/0x3b0 net/core/sock.c:1610
 sk_free+0x3b/0x50 net/core/sock.c:1621
 sock_put include/net/sock.h:1711 [inline]
 l2cap_sock_kill.part.0+0x124/0x150 net/bluetooth/l2cap_sock.c:1063
 l2cap_sock_kill net/bluetooth/l2cap_sock.c:1054 [inline]
 l2cap_sock_release+0x1e6/0x290 net/bluetooth/l2cap_sock.c:1217
 __sock_release+0xcd/0x2a0 net/socket.c:599
 sock_close+0x15/0x20 net/socket.c:1212
 __fput+0x2ce/0x890 fs/file_table.c:278
 task_work_run+0x148/0x1c0 kernel/task_work.c:113
 get_signal+0x1b64/0x1f70 kernel/signal.c:2400
 do_signal+0x8f/0x1670 arch/x86/kernel/signal.c:799
 exit_to_usermode_loop+0x204/0x2a0 arch/x86/entry/common.c:163
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880470a0080
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1128 bytes inside of
 2048-byte region [ffff8880470a0080, ffff8880470a0880)
The buggy address belongs to the page:
page:ffffea00011c2800 count:1 mapcount:0 mapping:ffff88813bff0c40 index:0xffff8880470a0900 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffffea00011d0708 ffffea0000e15788 ffff88813bff0c40
raw: ffff8880470a0900 ffff8880470a0080 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880470a0380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880470a0400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880470a0480: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
                                                          ^
 ffff8880470a0500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880470a0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
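The shadow dump at the end of the report is where the triage actually happens, so here is an added example (not part of the syzbot report or of the kernel) that decodes it. It embeds the five "Memory state" lines and the three addresses exactly as printed above, maps the faulting address to its shadow byte, and works out how large the live allocation in that slab slot really is. The shadow-byte meanings are the ones in the 4.19 kernel's mm/kasan/kasan.h; the one assumption, stated in the code, is that the shadow below the printed window (0x...0080 up to 0x...0380) is addressable, which is what the 00 bytes at the top of the window imply for a contiguous kmalloc object.

```c
/*
 * Decode the KASAN "Memory state around the buggy address" dump from the
 * l2cap_sock_teardown_cb report. Added example, not kernel or syzbot code.
 * Shadow lines and addresses are copied from the report; the rest is ours.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_GRANULE         8   /* one shadow byte covers 8 bytes of memory */
#define SHADOW_BYTES_PER_LINE 16

/* Shadow lines as printed (leading ' ' / '>' markers dropped). */
static const char *const shadow_lines[] = {
    "ffff8880470a0380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "ffff8880470a0400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "ffff8880470a0480: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc",
    "ffff8880470a0500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    "ffff8880470a0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
};
#define NLINES (sizeof shadow_lines / sizeof shadow_lines[0])

static const uint64_t bug_addr  = 0xffff8880470a04e8ULL; /* "Read of size 8 at addr" */
static const uint64_t obj_start = 0xffff8880470a0080ULL; /* "object at" */
static const uint64_t obj_end   = 0xffff8880470a0880ULL; /* end of the 2048-byte region */

static uint8_t  shadow[NLINES * SHADOW_BYTES_PER_LINE];
static uint64_t win_start;  /* address covered by shadow[0] */
static size_t   nshadow;    /* valid bytes in shadow[] (0 = not parsed yet) */

/* Parse the dump once; returns 0 if a line is malformed or not contiguous. */
static int parse_shadow(void)
{
    size_t n = 0;
    if (nshadow) return 1;
    for (size_t i = 0; i < NLINES; i++) {
        char *end;
        uint64_t base = strtoull(shadow_lines[i], &end, 16);
        if (*end != ':') return 0;
        if (i == 0) win_start = base;
        else if (base != win_start + n * KASAN_GRANULE) return 0;
        const char *p = end + 1;
        for (int k = 0; k < SHADOW_BYTES_PER_LINE; k++) {
            unsigned long v = strtoul(p, &end, 16);
            if (end == p || v > 0xff) return 0;
            shadow[n++] = (uint8_t)v;
            p = end;
        }
    }
    nshadow = n;
    return 1;
}

/* Shadow byte governing addr, or -1 if addr lies outside the dumped window. */
static int shadow_at(uint64_t addr)
{
    if (!parse_shadow() || addr < win_start ||
        addr >= win_start + nshadow * KASAN_GRANULE)
        return -1;
    return shadow[(addr - win_start) / KASAN_GRANULE];
}

/* Meaning of a shadow byte (4.19 mm/kasan/kasan.h encoding). */
static const char *shadow_meaning(int s)
{
    if (s == 0x00) return "addressable";
    if (s > 0 && s < KASAN_GRANULE) return "partially addressable (low bytes only)";
    switch (s) {
    case 0xfc: return "kmalloc redzone (past the end of a live allocation)";
    case 0xfb: return "freed kmalloc object (use-after-free)";
    case 0xfa: return "global redzone";
    case 0xfe: return "page redzone";
    case 0xff: return "freed page";
    case 0xf1: case 0xf2: case 0xf3: case 0xf4: return "stack redzone";
    default:   return "unknown or outside the dumped window";
    }
}

/* Lowest poisoned address in the window, or 0 if every granule is addressable. */
static uint64_t first_poisoned(void)
{
    if (!parse_shadow()) return 0;
    for (size_t i = 0; i < nshadow; i++)
        if (shadow[i] != 0) return win_start + i * KASAN_GRANULE;
    return 0;
}

/*
 * Bytes actually handed out for the object now occupying the slot. A kmalloc
 * object is addressable from its start to the requested size and redzoned from
 * there to the slab size, so the first 0xfc granule marks its end. ASSUMPTION:
 * the shadow below the printed window (not in the report) is all addressable.
 */
static uint64_t live_alloc_size(void)
{
    uint64_t p = first_poisoned();
    return p ? p - obj_start : obj_end - obj_start;
}

int main(void)
{
    int s = shadow_at(bug_addr);
    printf("read at %#llx: %llu bytes into the slot, shadow %02x = %s\n",
           (unsigned long long)bug_addr, (unsigned long long)(bug_addr - obj_start),
           s, shadow_meaning(s));
    printf("live allocation in this slot: %llu bytes, redzone from %#llx\n",
           (unsigned long long)live_alloc_size(), (unsigned long long)first_poisoned());
    return 0;
}
```

Run stand-alone it reports the 8-byte read landing 1128 bytes into the slot on a 0xfc (kmalloc redzone) granule, with the redzone starting at ffff8880470a04a0, i.e. the object now living in that kmalloc-2048 slot is only 1056 bytes long. Put next to the two stacks above, that is the whole story: the slot's last free was the L2CAP socket (l2cap_sock_kill -> sock_put -> sk_free) and its current owner is per-netns data from ops_init/setup_net, while the reader is l2cap_sock_teardown_cb running from the l2cap_chan_timeout work item. The channel's socket pointer outlived the socket, so although KASAN classifies the access as slab-out-of-bounds (because the slot has already been recycled to a smaller object), it should be triaged as a use-after-free of the socket behind the L2CAP channel.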