team0 (unregistering): Port device team_slave_0 removed
bond0 (unregistering): Releasing backup interface bond_slave_1
bond0 (unregistering): Releasing backup interface bond_slave_0
bond0 (unregistering): Released all slaves
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20 kernel/locking/lockdep.c:3369
Read of size 8 at addr ffff888046b031e0 by task kworker/0:0/3

CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.14.232-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
 __lock_acquire+0x2c57/0x3f20 kernel/locking/lockdep.c:3369
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:176
 spin_lock_bh include/linux/spinlock.h:322 [inline]
 lock_sock_nested+0x39/0x100 net/core/sock.c:2788
 l2cap_sock_teardown_cb+0x93/0x650 net/bluetooth/l2cap_sock.c:1341
 l2cap_chan_del+0xaf/0x950 net/bluetooth/l2cap_core.c:599
 l2cap_chan_close+0x103/0x870 net/bluetooth/l2cap_core.c:757
 l2cap_chan_timeout+0x143/0x2a0 net/bluetooth/l2cap_core.c:430
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2116
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404

Allocated by task 25616:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 __do_kmalloc_node mm/slab.c:3682 [inline]
 __kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3696
 __kmalloc_reserve net/core/skbuff.c:137 [inline]
 pskb_expand_head+0x128/0xd30 net/core/skbuff.c:1471
 __skb_cow include/linux/skbuff.h:2964 [inline]
 skb_cow_head include/linux/skbuff.h:2998 [inline]
 ip_tunnel_xmit+0xe3e/0x33a0 net/ipv4/ip_tunnel.c:792
 ipgre_xmit+0x398/0x6d0 net/ipv4/ip_gre.c:670
 __netdev_start_xmit include/linux/netdevice.h:4051 [inline]
 netdev_start_xmit include/linux/netdevice.h:4060 [inline]
 xmit_one net/core/dev.c:3005 [inline]
 dev_hard_start_xmit+0x188/0x890 net/core/dev.c:3021
 __dev_queue_xmit+0x1d7f/0x2480 net/core/dev.c:3521
 __bpf_tx_skb net/core/filter.c:1708 [inline]
 __bpf_redirect_common net/core/filter.c:1747 [inline]
 __bpf_redirect+0x5cf/0x9c0 net/core/filter.c:1754
 ____bpf_clone_redirect net/core/filter.c:1787 [inline]
 bpf_clone_redirect+0x1e1/0x2c0 net/core/filter.c:1759
 ___bpf_prog_run+0x252b/0x5a70 kernel/bpf/core.c:1086

Freed by task 25616:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xc9/0x250 mm/slab.c:3815
 skb_free_head net/core/skbuff.c:563 [inline]
 skb_release_data+0x5f6/0x820 net/core/skbuff.c:583
 skb_release_all net/core/skbuff.c:640 [inline]
 __kfree_skb net/core/skbuff.c:654 [inline]
 kfree_skb+0xe7/0x390 net/core/skbuff.c:672
 geneve_rx drivers/net/geneve.c:304 [inline]
 geneve_udp_encap_recv+0x26c/0x2340 drivers/net/geneve.c:377
 udp_queue_rcv_skb+0x75f/0x1730 net/ipv4/udp.c:1882
 udp_unicast_rcv_skb+0xa0/0x310 net/ipv4/udp.c:2095
 __udp4_lib_rcv+0x18e4/0x2af0 net/ipv4/udp.c:2162
 ip_local_deliver_finish+0x3f2/0xab0 net/ipv4/ip_input.c:216
 NF_HOOK include/linux/netfilter.h:250 [inline]
 ip_local_deliver+0x167/0x460 net/ipv4/ip_input.c:257
 dst_input include/net/dst.h:476 [inline]
 ip_rcv_finish+0x6e3/0x19f0 net/ipv4/ip_input.c:396
 NF_HOOK include/linux/netfilter.h:250 [inline]
 ip_rcv+0x8a7/0xf10 net/ipv4/ip_input.c:493
 __netif_receive_skb_core+0x15ee/0x2a30 net/core/dev.c:4474
 __netif_receive_skb+0x27/0x1a0 net/core/dev.c:4512
 process_backlog+0x218/0x6f0 net/core/dev.c:5194
 napi_poll net/core/dev.c:5596 [inline]
 net_rx_action+0x466/0xfd0 net/core/dev.c:5662
 __do_softirq+0x24d/0x9ff kernel/softirq.c:288

The buggy address belongs to the object at ffff888046b03140
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 160 bytes inside of
 2048-byte region [ffff888046b03140, ffff888046b03940)
The buggy address belongs to the page:
page:ffffea00011ac080 count:1 mapcount:0 mapping:ffff888046b02040 index:0x0 compound_mapcount: 0
flags: 0xfff00000008100(slab|head)
raw: 00fff00000008100 ffff888046b02040 0000000000000000 0000000100000003
raw: ffffea00010b1520 ffffea00026b93a0 ffff88813fe80c40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888046b03080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888046b03100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff888046b03180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff888046b03200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888046b03280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================