==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x4e7a/0x50c0 kernel/locking/lockdep.c:3224 at addr ffff880110abc9a0
Read of size 8 by task kworker/1:0/18
CPU: 1 PID: 18 Comm: kworker/1:0 Not tainted 4.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0x136/0x1d4 lib/dump_stack.c:51
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:162
 print_address_description mm/kasan/report.c:200 [inline]
 kasan_report_error mm/kasan/report.c:289 [inline]
 kasan_report.part.1+0x1c9/0x480 mm/kasan/report.c:311
 kasan_report mm/kasan/report.c:332 [inline]
 __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:332
 __lock_acquire+0x4e7a/0x50c0 kernel/locking/lockdep.c:3224
 lock_acquire+0x197/0x4b0 kernel/locking/lockdep.c:3753
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:137 [inline]
 _raw_spin_lock_bh+0x3a/0x50 kernel/locking/spinlock.c:175
 spin_lock_bh include/linux/spinlock.h:307 [inline]
 lock_sock_nested+0x3e/0x100 net/core/sock.c:2523
 l2cap_sock_teardown_cb+0x82/0x3e0 net/bluetooth/l2cap_sock.c:1327
 l2cap_chan_del+0x9b/0x7b0 net/bluetooth/l2cap_core.c:596
 l2cap_chan_close+0x33b/0x7e0 net/bluetooth/l2cap_core.c:754
 l2cap_chan_timeout+0xdc/0x1d0 net/bluetooth/l2cap_core.c:427
 process_one_work+0x685/0x1660 kernel/workqueue.c:2098
 worker_thread+0xe1/0x1110 kernel/workqueue.c:2232
 kthread+0x2c9/0x3d0 kernel/kthread.c:227
 ret_from_fork+0x31/0x40 arch/x86/entry/entry_64.S:430
Object at ffff880110abc900, in cache kmalloc-2048 size: 2048
Allocated:
PID = 6158
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:502 [inline]
 set_track mm/kasan/kasan.c:514 [inline]
 kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:605
 __do_kmalloc mm/slab.c:3724 [inline]
 __kmalloc+0x162/0x440 mm/slab.c:3733
 kmalloc include/linux/slab.h:495 [inline]
 alloc_fdmem+0x1b/0x40 fs/file.c:40
 alloc_fdtable+0xb4/0x240 fs/file.c:134
 dup_fd+0x5aa/0xba0 fs/file.c:328
 copy_files kernel/fork.c:1241 [inline]
 copy_process.part.7+0x1844/0x6040 kernel/fork.c:1649
 copy_process kernel/fork.c:1486 [inline]
 _do_fork+0x148/0xbb0 kernel/fork.c:1942
 SYSC_clone kernel/fork.c:2052 [inline]
 SyS_clone+0x14/0x20 kernel/fork.c:2046
 do_syscall_64+0x1ba/0x5b0 arch/x86/entry/common.c:280
 return_from_SYSCALL_64+0x0/0x7a
Freed:
PID = 9185
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:502 [inline]
 set_track mm/kasan/kasan.c:514 [inline]
 kasan_slab_free+0xad/0x180 mm/kasan/kasan.c:578
 __cache_free mm/slab.c:3502 [inline]
 kfree+0xd4/0x2d0 mm/slab.c:3819
 kvfree+0x25/0x30 mm/util.c:332
 __free_fdtable+0x2c/0x70 fs/file.c:50
 put_files_struct+0x186/0x220 fs/file.c:438
 exit_files+0x79/0xa0 fs/file.c:463
 do_exit+0x70e/0x2ed0 kernel/exit.c:834
 do_group_exit+0xf2/0x2d0 kernel/exit.c:943
 get_signal+0x49a/0x1390 kernel/signal.c:2313
 do_signal+0x7f/0x1950 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0x112/0x170 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x251/0x2d0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff880110abc880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff880110abc900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff880110abc980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff880110abca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880110abca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================