================================================================== BUG: KASAN: use-after-free in perf_trace_lock_acquire+0x400/0x550 include/trace/events/lock.h:13 Read of size 8 at addr ffff88808a3af138 by task syz-executor.5/27752 CPU: 0 PID: 27752 Comm: syz-executor.5 Not tainted 5.15.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x6c/0x2d6 mm/kasan/report.c:256 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 perf_trace_lock_acquire+0x400/0x550 include/trace/events/lock.h:13 trace_lock_acquire include/trace/events/lock.h:13 [inline] lock_acquire+0x416/0x510 kernel/locking/lockdep.c:5596 lock_sock_nested+0x2f/0xf0 net/core/sock.c:3203 l2cap_sock_teardown_cb+0xa1/0x660 net/bluetooth/l2cap_sock.c:1528 l2cap_chan_del+0xbc/0xa80 net/bluetooth/l2cap_core.c:622 l2cap_conn_del+0x3c0/0x7b0 net/bluetooth/l2cap_core.c:1898 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:8177 [inline] l2cap_disconn_cfm+0x95/0xd0 net/bluetooth/l2cap_core.c:8170 hci_disconn_cfm include/net/bluetooth/hci_core.h:1518 [inline] hci_conn_hash_flush+0x127/0x260 net/bluetooth/hci_conn.c:1608 hci_dev_do_close+0x57d/0x1130 net/bluetooth/hci_core.c:1793 hci_unregister_dev+0x1c0/0x5a0 net/bluetooth/hci_core.c:4029 vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:340 __fput+0x288/0x9f0 fs/file_table.c:280 task_work_run+0xdd/0x1a0 kernel/task_work.c:164 exit_task_work include/linux/task_work.h:32 [inline] do_exit+0xbae/0x2a30 kernel/exit.c:825 do_group_exit+0x125/0x310 kernel/exit.c:922 get_signal+0x47f/0x2160 kernel/signal.c:2868 arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:865 handle_signal_work kernel/entry/common.c:148 [inline] exit_to_user_mode_loop kernel/entry/common.c:172 [inline] exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f4f31471a39 Code: Unable to access opcode bytes at RIP 0x7f4f31471a0f. RSP: 002b:00007f4f2e9e7218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: fffffffffffffe00 RBX: 00007f4f31574f68 RCX: 00007f4f31471a39 RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f4f31574f68 RBP: 00007f4f31574f60 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4f31574f6c R13: 00007ffec94575af R14: 00007f4f2e9e7300 R15: 0000000000022000 The buggy address belongs to the page: page:ffffea000228ebc0 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x8a3af flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 ffffea00027cbb08 ffffea00022b9cc8 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffff7f 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Unmovable, gfp_mask 0x400dc0(GFP_KERNEL_ACCOUNT|__GFP_ZERO), pid 27502, ts 968993675135, free_ts 969235553408 prep_new_page mm/page_alloc.c:2424 [inline] get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4153 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5375 alloc_pages+0x1a7/0x300 mm/mempolicy.c:2191 __pte_alloc_one include/asm-generic/pgalloc.h:63 [inline] pte_alloc_one+0x16/0x230 arch/x86/mm/pgtable.c:33 __pte_alloc+0x1f/0x2d0 mm/memory.c:439 copy_pte_range mm/memory.c:1021 [inline] copy_pmd_range mm/memory.c:1156 [inline] copy_pud_range mm/memory.c:1193 [inline] copy_p4d_range mm/memory.c:1217 [inline] copy_page_range+0x1789/0x4420 mm/memory.c:1290 dup_mmap kernel/fork.c:610 [inline] dup_mm+0xa4e/0x13e0 kernel/fork.c:1453 copy_mm kernel/fork.c:1505 [inline] copy_process+0x6fdf/0x7590 kernel/fork.c:2194 kernel_clone+0xe7/0xac0 kernel/fork.c:2584 __do_sys_clone+0xc8/0x110 kernel/fork.c:2701 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1338 [inline] free_pcp_prepare+0x2c5/0x780 mm/page_alloc.c:1389 free_unref_page_prepare mm/page_alloc.c:3315 [inline] free_unref_page_list+0x1a9/0xfa0 mm/page_alloc.c:3431 release_pages+0x830/0x20b0 mm/swap.c:963 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline] tlb_flush_mmu_free mm/mmu_gather.c:242 [inline] tlb_flush_mmu mm/mmu_gather.c:249 [inline] tlb_finish_mmu+0x165/0x8c0 mm/mmu_gather.c:340 exit_mmap+0x1ea/0x630 mm/mmap.c:3173 __mmput+0x122/0x4b0 kernel/fork.c:1115 mmput+0x58/0x60 kernel/fork.c:1136 exit_mm kernel/exit.c:501 [inline] do_exit+0xabc/0x2a30 kernel/exit.c:812 do_group_exit+0x125/0x310 kernel/exit.c:922 get_signal+0x47f/0x2160 kernel/signal.c:2868 arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:865 handle_signal_work kernel/entry/common.c:148 [inline] exit_to_user_mode_loop kernel/entry/common.c:172 [inline] exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207 irqentry_exit_to_user_mode+0x5/0x40 kernel/entry/common.c:313 asm_exc_general_protection+0x1e/0x30 arch/x86/include/asm/idtentry.h:562 Memory state around the buggy address: ffff88808a3af000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88808a3af080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff88808a3af100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88808a3af180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88808a3af200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================