NOHZ: local_softirq_pending 08
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x4e7a/0x50c0 kernel/locking/lockdep.c:3224 at addr ffff88011ceccb20
Read of size 8 by task kworker/0:0/3
CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0x136/0x1d4 lib/dump_stack.c:51
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:162
 print_address_description mm/kasan/report.c:200 [inline]
 kasan_report_error mm/kasan/report.c:289 [inline]
 kasan_report.part.1+0x1c9/0x480 mm/kasan/report.c:311
 kasan_report mm/kasan/report.c:332 [inline]
 __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:332
 __lock_acquire+0x4e7a/0x50c0 kernel/locking/lockdep.c:3224
 lock_acquire+0x197/0x4b0 kernel/locking/lockdep.c:3753
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:137 [inline]
 _raw_spin_lock_bh+0x3a/0x50 kernel/locking/spinlock.c:175
 spin_lock_bh include/linux/spinlock.h:307 [inline]
 lock_sock_nested+0x3e/0x100 net/core/sock.c:2523
 l2cap_sock_teardown_cb+0x86/0x5d0 net/bluetooth/l2cap_sock.c:1327
 l2cap_chan_del+0xa0/0x8d0 net/bluetooth/l2cap_core.c:596
 l2cap_chan_close+0x307/0x8a0 net/bluetooth/l2cap_core.c:754
 l2cap_chan_timeout+0xe5/0x270 net/bluetooth/l2cap_core.c:427
 process_one_work+0x685/0x1660 kernel/workqueue.c:2098
 worker_thread+0xe1/0x1110 kernel/workqueue.c:2232
 kthread+0x2c9/0x3d0 kernel/kthread.c:227
 ret_from_fork+0x31/0x40 arch/x86/entry/entry_64.S:430
Object at ffff88011cecca80, in cache kmalloc-2048 size: 2048
Allocated:
PID = 10534
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:502 [inline]
 set_track mm/kasan/kasan.c:514 [inline]
 kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:605
 __do_kmalloc mm/slab.c:3724 [inline]
 __kmalloc+0x162/0x440 mm/slab.c:3733
 kmalloc include/linux/slab.h:495 [inline]
 sk_prot_alloc+0xda/0x260 net/core/sock.c:1340
 sk_alloc+0x31/0x9f0 net/core/sock.c:1396
 l2cap_sock_alloc.constprop.4+0x28/0x1e0 net/bluetooth/l2cap_sock.c:1589
 l2cap_sock_create+0xcb/0x180 net/bluetooth/l2cap_sock.c:1635
 bt_sock_create+0x13f/0x250 net/bluetooth/af_bluetooth.c:128
 __sock_create+0x2f2/0x580 net/socket.c:1199
 sock_create net/socket.c:1239 [inline]
 SYSC_socket net/socket.c:1269 [inline]
 SyS_socket+0xd9/0x1e0 net/socket.c:1249
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 10534
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:502 [inline]
 set_track mm/kasan/kasan.c:514 [inline]
 kasan_slab_free+0xad/0x180 mm/kasan/kasan.c:578
 __cache_free mm/slab.c:3502 [inline]
 kfree+0xd4/0x2d0 mm/slab.c:3819
 sk_prot_free net/core/sock.c:1379 [inline]
 __sk_destruct+0x3b2/0x470 net/core/sock.c:1452
 sk_destruct+0x3a/0x60 net/core/sock.c:1460
 __sk_free+0x4f/0x1f0 net/core/sock.c:1468
 sk_free+0x13/0x20 net/core/sock.c:1479
 sock_put include/net/sock.h:1638 [inline]
 l2cap_sock_kill.part.2+0xdb/0x100 net/bluetooth/l2cap_sock.c:1054
 l2cap_sock_kill net/bluetooth/l2cap_sock.c:1193 [inline]
 l2cap_sock_release+0x189/0x1d0 net/bluetooth/l2cap_sock.c:1203
 sock_release+0x83/0x1a0 net/socket.c:599
 sock_close+0xd/0x20 net/socket.c:1063
 __fput+0x232/0x740 fs/file_table.c:208
 ____fput+0x9/0x10 fs/file_table.c:244
 task_work_run+0xd9/0x150 kernel/task_work.c:116
 get_signal+0x1132/0x1390 kernel/signal.c:2143
 do_signal+0x7f/0x1950 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0x112/0x170 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x251/0x2d0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff88011cecca00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88011cecca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88011ceccb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff88011ceccb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88011ceccc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================