==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x4e7a/0x50c0 kernel/locking/lockdep.c:3224 at addr ffff8801209b7760
Read of size 8 by task kworker/1:0/18
CPU: 1 PID: 18 Comm: kworker/1:0 Not tainted 4.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0x136/0x1d4 lib/dump_stack.c:51
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:162
 print_address_description mm/kasan/report.c:200 [inline]
 kasan_report_error mm/kasan/report.c:289 [inline]
 kasan_report.part.1+0x1c9/0x480 mm/kasan/report.c:311
 kasan_report mm/kasan/report.c:332 [inline]
 __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:332
 __lock_acquire+0x4e7a/0x50c0 kernel/locking/lockdep.c:3224
 lock_acquire+0x197/0x4b0 kernel/locking/lockdep.c:3753
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:137 [inline]
 _raw_spin_lock_bh+0x3a/0x50 kernel/locking/spinlock.c:175
 spin_lock_bh include/linux/spinlock.h:307 [inline]
 lock_sock_nested+0x3e/0x100 net/core/sock.c:2523
 l2cap_sock_teardown_cb+0x82/0x3e0 net/bluetooth/l2cap_sock.c:1327
 l2cap_chan_close+0x3c1/0x7e0 net/bluetooth/l2cap_core.c:758
 l2cap_chan_timeout+0xdc/0x1d0 net/bluetooth/l2cap_core.c:427
 process_one_work+0x685/0x1660 kernel/workqueue.c:2098
 worker_thread+0xe1/0x1110 kernel/workqueue.c:2232
 kthread+0x2c9/0x3d0 kernel/kthread.c:227
 ret_from_fork+0x31/0x40 arch/x86/entry/entry_64.S:430
Object at ffff8801209b76c0, in cache kmalloc-2048 size: 2048
Allocated:
PID = 23203
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:502 [inline]
 set_track mm/kasan/kasan.c:514 [inline]
 kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:605
 __do_kmalloc mm/slab.c:3724 [inline]
 __kmalloc+0x162/0x440 mm/slab.c:3733
 kmalloc include/linux/slab.h:495 [inline]
 sk_prot_alloc+0xda/0x260 net/core/sock.c:1340
 sk_alloc+0x31/0x9f0 net/core/sock.c:1396
 l2cap_sock_alloc.constprop.4+0x28/0x1e0 net/bluetooth/l2cap_sock.c:1589
 l2cap_sock_create+0xb6/0x180 net/bluetooth/l2cap_sock.c:1635
 bt_sock_create+0x13f/0x250 net/bluetooth/af_bluetooth.c:128
 __sock_create+0x2f2/0x580 net/socket.c:1199
 sock_create net/socket.c:1239 [inline]
 SYSC_socket net/socket.c:1269 [inline]
 SyS_socket+0xd9/0x1e0 net/socket.c:1249
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 23202
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:502 [inline]
 set_track mm/kasan/kasan.c:514 [inline]
 kasan_slab_free+0xad/0x180 mm/kasan/kasan.c:578
 __cache_free mm/slab.c:3502 [inline]
 kfree+0xd4/0x2d0 mm/slab.c:3819
 sk_prot_free net/core/sock.c:1379 [inline]
 __sk_destruct+0x356/0x400 net/core/sock.c:1452
 sk_destruct+0x3a/0x60 net/core/sock.c:1460
 __sk_free+0x4f/0x1f0 net/core/sock.c:1468
 sk_free+0x13/0x20 net/core/sock.c:1479
 sock_put include/net/sock.h:1638 [inline]
 l2cap_sock_kill.part.2+0x4b/0x60 net/bluetooth/l2cap_sock.c:1054
 l2cap_sock_kill net/bluetooth/l2cap_sock.c:1205 [inline]
 l2cap_sock_release+0x166/0x1b0 net/bluetooth/l2cap_sock.c:1203
 sock_release+0x83/0x1a0 net/socket.c:599
 sock_close+0xd/0x20 net/socket.c:1063
 __fput+0x232/0x740 fs/file_table.c:208
 ____fput+0x9/0x10 fs/file_table.c:244
 task_work_run+0xd9/0x150 kernel/task_work.c:116
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x131/0x170 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x251/0x2d0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801209b7600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801209b7680: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801209b7700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff8801209b7780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801209b7800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
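What the report records is a lifecycle race between two contexts. Task 23202 closed the L2CAP socket (l2cap_sock_release -> l2cap_sock_kill -> sock_put -> __sk_free -> kfree), but the channel's timeout work was still queued on the events workqueue. When kworker/1:0 later ran l2cap_chan_timeout -> l2cap_chan_close -> l2cap_sock_teardown_cb, it called lock_sock_nested() on the freed struct sock, the kmalloc-2048 object at ffff8801209b76c0; the flagged 8-byte read at ffff8801209b7760 (0xa0 into the object) is lockdep looking at sk->sk_lock, which lock_sock_nested() spin-locks. In the shadow dump, fb marks freed slab memory and fc the redzone, so the whole object was already released when the worker touched it. The general rule this violates: a deferred work item that dereferences an object must either own a reference on that object for as long as it can run, or be cancelled synchronously before the last reference is dropped.

The C program below is an added example, not kernel code and not taken from this report or from any upstream fix. It is a userspace model of the same ordering: a one-slot stand-in for the workqueue, a refcounted socket model, and a per-object liveness byte playing the role of KASAN's shadow so the stale access is detected instead of being undefined behaviour. Every *_model symbol and the mode numbering are this example's own assumptions; the comments name the kernel function each piece stands in for.

```c
#include <stdio.h>

/* Constructed model, not kernel code. Every *_model symbol is this example's own
 * and stands in for the kernel function named in the comment beside it. */
enum { SLOT_FREE = 0, SLOT_LIVE = 1 };

struct sock_model {                 /* struct sock, the kmalloc-2048 object */
    int state;                      /* the model's "shadow byte": live or freed */
    int refcnt;                     /* sk->sk_refcnt */
};
struct chan_model {                 /* struct l2cap_chan */
    struct sock_model *sk;          /* chan->data: a raw pointer, no reference held */
};
struct work_model {                 /* one-slot stand-in for the "events" workqueue */
    void (*fn)(struct chan_model *);
    struct chan_model *chan;
    int pending;
};

static struct sock_model sock_pool[1]; /* static storage: a stale access is detectable, not UB */
static struct work_model work;
static int kasan_reports;

static struct sock_model *sk_alloc_model(void)          /* sk_alloc() */
{
    sock_pool[0].state = SLOT_LIVE;
    sock_pool[0].refcnt = 1;
    return &sock_pool[0];
}
static void sock_hold_model(struct sock_model *sk) { sk->refcnt++; }
static void sock_put_model(struct sock_model *sk)       /* sock_put() -> __sk_free() -> kfree() */
{
    if (--sk->refcnt == 0)
        sk->state = SLOT_FREE;
}
/* lock_sock_nested(): the first touch of the socket, where KASAN flagged the report.
 * The model checks its shadow the way KASAN checks the real one. */
static int lock_sock_model(struct sock_model *sk)
{
    if (sk->state == SLOT_LIVE)
        return 0;
    kasan_reports++;                /* would be "BUG: KASAN: use-after-free" */
    return -1;
}
/* l2cap_chan_timeout() -> l2cap_chan_close() -> l2cap_sock_teardown_cb() */
static void chan_timeout_raw(struct chan_model *chan) { lock_sock_model(chan->sk); }
/* Same callback when the queued work owns a reference on the socket. */
static void chan_timeout_held(struct chan_model *chan)
{
    lock_sock_model(chan->sk);
    sock_put_model(chan->sk);       /* drop the reference taken when it was queued */
}
static void schedule_timeout_model(struct chan_model *chan, int hold_ref)
{
    if (hold_ref)
        sock_hold_model(chan->sk);
    work.fn = hold_ref ? chan_timeout_held : chan_timeout_raw;
    work.chan = chan;
    work.pending = 1;
}
static int cancel_work_sync_model(void)                /* cancel_delayed_work_sync() */
{
    int was_pending = work.pending;
    work.pending = 0;
    return was_pending;
}
static void run_workqueue_model(void)                  /* the kworker picking up the item */
{
    if (!work.pending)
        return;
    work.pending = 0;
    work.fn(work.chan);
}
/* One release/timeout race; returns the number of KASAN-style reports.
 *  mode 0: the report's ordering. close() drops the socket's last reference
 *          (l2cap_sock_release -> l2cap_sock_kill -> sock_put) with the timeout
 *          still queued; the kworker then runs it against freed memory.
 *  mode 1: the queued work holds its own reference, so the socket outlives it.
 *  mode 2: release cancels the work synchronously before the final put. */
static int run_scenario_model(int mode)
{
    struct chan_model chan;

    kasan_reports = 0;
    chan.sk = sk_alloc_model();
    schedule_timeout_model(&chan, mode == 1);
    if (mode == 2)
        cancel_work_sync_model();
    sock_put_model(chan.sk);
    run_workqueue_model();
    return kasan_reports;
}

int main(void)
{
    printf("raw pointer, no cancel: %d report(s)\n", run_scenario_model(0));
    printf("work holds a reference: %d report(s)\n", run_scenario_model(1));
    printf("cancel before last put: %d report(s)\n", run_scenario_model(2));
    return 0;
}
```

Build with any C compiler (cc -Wall uaf_model.c) and run it: mode 0 reports one stale access, modes 1 and 2 report none. Mode 1 is the usual kernel remedy when the work must still run after the owner is gone (hold a reference when queueing, put it at the end of the callback); mode 2 fits when the releaser can afford to wait, but only if it is never called from the work item itself, since cancel_delayed_work_sync() waiting on its own work would deadlock. Which approach the upstream fix took is not stated in the report and is not claimed here.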