==================================================================
BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x3e6f/0x54c0 kernel/locking/lockdep.c:4771
Read of size 8 at addr ffff888012c970a0 by task syz-executor.0/17041

CPU: 2 PID: 17041 Comm: syz-executor.0 Not tainted 5.12.0-rc8-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:232
 __kasan_report mm/kasan/report.c:399 [inline]
 kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
 __lock_acquire+0x3e6f/0x54c0 kernel/locking/lockdep.c:4771
 lock_acquire kernel/locking/lockdep.c:5511 [inline]
 lock_acquire+0x1ab/0x740 kernel/locking/lockdep.c:5476
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:175
 spin_lock_bh include/linux/spinlock.h:359 [inline]
 lock_sock_nested+0x40/0x120 net/core/sock.c:3057
 l2cap_sock_teardown_cb+0xa1/0x660 net/bluetooth/l2cap_sock.c:1520
 l2cap_chan_del+0xbc/0xa80 net/bluetooth/l2cap_core.c:618
 l2cap_conn_del+0x3c0/0x7b0 net/bluetooth/l2cap_core.c:1896
 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:8168 [inline]
 l2cap_disconn_cfm+0x98/0xd0 net/bluetooth/l2cap_core.c:8161
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1486 [inline]
 hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1598
 hci_dev_do_close+0x569/0x1110 net/bluetooth/hci_core.c:1778
 hci_rfkill_set_block+0x19c/0x1d0 net/bluetooth/hci_core.c:2217
 rfkill_set_block+0x1f9/0x540 net/rfkill/core.c:344
 rfkill_fop_write+0x267/0x500 net/rfkill/core.c:1268
 vfs_write+0x28e/0xa30 fs/read_write.c:603
 ksys_write+0x1ee/0x250 fs/read_write.c:658
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665f9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fbad2f32188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 00000000004665f9
RDX: 0000000000000008 RSI: 0000000020000100 RDI: 0000000000000003
RBP: 00000000004bfce1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007fffc64fa85f R14: 00007fbad2f32300 R15: 0000000000022000

Allocated by task 8933:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:427 [inline]
 ____kasan_kmalloc mm/kasan/common.c:506 [inline]
 ____kasan_kmalloc mm/kasan/common.c:465 [inline]
 __kasan_krealloc+0x108/0x160 mm/kasan/common.c:574
 kasan_krealloc include/linux/kasan.h:253 [inline]
 __do_krealloc mm/slab_common.c:1149 [inline]
 krealloc+0x54/0xf0 mm/slab_common.c:1186
 nf_ct_ext_add+0x2d3/0x6b0 net/netfilter/nf_conntrack_extend.c:73
 nf_ct_ecache_ext_add include/net/netfilter/nf_conntrack_ecache.h:55 [inline]
 init_conntrack.constprop.0+0x5db/0x1150 net/netfilter/nf_conntrack_core.c:1598
 resolve_normal_ct net/netfilter/nf_conntrack_core.c:1675 [inline]
 nf_conntrack_in+0x9d2/0x1330 net/netfilter/nf_conntrack_core.c:1830
 ipv4_conntrack_local+0x11c/0x220 net/netfilter/nf_conntrack_proto.c:200
 nf_hook_entry_hookfn include/linux/netfilter.h:136 [inline]
 nf_hook_slow+0xc5/0x1e0 net/netfilter/core.c:589
 nf_hook+0x2cf/0x5a0 include/linux/netfilter.h:256
 __ip_local_out+0x26e/0x530 net/ipv4/ip_output.c:115
 ip_local_out net/ipv4/ip_output.c:124 [inline]
 __ip_queue_xmit+0x85d/0x1a00 net/ipv4/ip_output.c:533
 __tcp_transmit_skb+0x188c/0x38f0 net/ipv4/tcp_output.c:1405
 tcp_transmit_skb net/ipv4/tcp_output.c:1423 [inline]
 tcp_connect+0x2b62/0x4110 net/ipv4/tcp_output.c:3856
 tcp_v4_connect+0x1522/0x1c40 net/ipv4/tcp_ipv4.c:312
 __inet_stream_connect+0x8cf/0xed0 net/ipv4/af_inet.c:664
 inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:728
 rds_tcp_conn_path_connect+0x61c/0x880 net/rds/tcp_connect.c:172
 rds_connect_worker+0x1a5/0x2c0 net/rds/threads.c:176
 process_one_work+0x98d/0x1600 kernel/workqueue.c:2275
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421
 kthread+0x3b1/0x4a0 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

The buggy address belongs to the object at ffff888012c97000
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 32 bytes to the right of
 128-byte region [ffff888012c97000, ffff888012c97080)
The buggy address belongs to the page:
page:ffffea00004b25c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888012c97f00 pfn:0x12c97
flags: 0xfff00000000200(slab)
raw: 00fff00000000200 ffffea00009774c8 ffffea00006c2888 ffff888010840400
raw: ffff888012c97f00 ffff888012c97000 000000010000000f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888012c96f80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff888012c97000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888012c97080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                               ^
 ffff888012c97100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888012c97180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================