EXT4-fs (loop2): ext4_check_descriptors: Inode bitmap for group 0 not in group (block 2449473539)!
EXT4-fs (loop2): group descriptors corrupted!
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x41b3/0x5b60 kernel/locking/lockdep.c:4820
Read of size 8 at addr ffff8880427d50a0 by task kworker/1:1/5504

CPU: 1 PID: 5504 Comm: kworker/1:1 Not tainted 5.10.60 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 print_address_description.constprop.0+0x1c/0x210 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x37/0x7c mm/kasan/report.c:562
 __lock_acquire+0x41b3/0x5b60 kernel/locking/lockdep.c:4820
 lock_acquire kernel/locking/lockdep.c:5560 [inline]
 lock_acquire+0x197/0x490 kernel/locking/lockdep.c:5525
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:175
 spin_lock_bh include/linux/spinlock.h:359 [inline]
 lock_sock_nested+0x40/0x120 net/core/sock.c:3038
 l2cap_sock_teardown_cb+0x89/0x420 net/bluetooth/l2cap_sock.c:1528
 l2cap_chan_del+0xad/0xf30 net/bluetooth/l2cap_core.c:622
 l2cap_chan_close+0xf8/0xb40 net/bluetooth/l2cap_core.c:827
 l2cap_chan_timeout+0x16d/0x3a0 net/bluetooth/l2cap_core.c:436
 process_one_work+0x9ac/0x1580 kernel/workqueue.c:2270
 worker_thread+0x61d/0x1310 kernel/workqueue.c:2416
 kthread+0x38f/0x470 kernel/kthread.c:292
 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:296

Allocated by task 7216:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461
 kmalloc include/linux/slab.h:557 [inline]
 sk_prot_alloc+0x1a4/0x2d0 net/core/sock.c:1674
 sk_alloc+0x30/0x340 net/core/sock.c:1728
 l2cap_sock_alloc.constprop.0+0x31/0x230 net/bluetooth/l2cap_sock.c:1813
 l2cap_sock_create+0x110/0x1b0 net/bluetooth/l2cap_sock.c:1859
 bt_sock_create+0x159/0x2b0 net/bluetooth/af_bluetooth.c:130
 __sock_create+0x355/0x760 net/socket.c:1414
 sock_create net/socket.c:1465 [inline]
 __sys_socket+0xef/0x200 net/socket.c:1507
 __do_sys_socket net/socket.c:1516 [inline]
 __se_sys_socket net/socket.c:1514 [inline]
 __x64_sys_socket+0x6e/0xb0 net/socket.c:1514
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 7214:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0x111/0x150 mm/kasan/common.c:422
 slab_free_hook mm/slub.c:1542 [inline]
 slab_free_freelist_hook+0x64/0x150 mm/slub.c:1575
 slab_free mm/slub.c:3140 [inline]
 kfree+0xca/0x360 mm/slub.c:4116
 sk_prot_free net/core/sock.c:1711 [inline]
 __sk_destruct+0x5d3/0x720 net/core/sock.c:1796
 sk_destruct+0xbd/0xe0 net/core/sock.c:1811
 __sk_free+0xed/0x3d0 net/core/sock.c:1822
 sk_free+0x78/0xa0 net/core/sock.c:1833
 sock_put include/net/sock.h:1779 [inline]
 l2cap_sock_kill+0x14e/0x180 net/bluetooth/l2cap_sock.c:1227
 l2cap_sock_release+0x175/0x1d0 net/bluetooth/l2cap_sock.c:1397
 __sock_release+0xd2/0x290 net/socket.c:596
 sock_close+0x18/0x20 net/socket.c:1264
 __fput+0x285/0x970 fs/file_table.c:281
 task_work_run+0xe2/0x1a0 kernel/task_work.c:151
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:164 [inline]
 exit_to_user_mode_prepare+0x155/0x160 kernel/entry/common.c:191
 syscall_exit_to_user_mode+0x38/0x230 kernel/entry/common.c:266
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Last call_rcu():
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_record_aux_stack+0xa0/0xb0 mm/kasan/generic.c:346
 __call_rcu kernel/rcu/tree.c:2960 [inline]
 call_rcu+0x8a/0x9d0 kernel/rcu/tree.c:3034
 netlink_release+0xd73/0x1c70 net/netlink/af_netlink.c:804
 __sock_release+0xd2/0x290 net/socket.c:596
 sock_close+0x18/0x20 net/socket.c:1264
 __fput+0x285/0x970 fs/file_table.c:281
 task_work_run+0xe2/0x1a0 kernel/task_work.c:151
 exit_task_work include/linux/task_work.h:30 [inline]
 do_exit+0xc0f/0x2770 kernel/exit.c:811
 do_group_exit+0x125/0x310 kernel/exit.c:908
 __do_sys_exit_group kernel/exit.c:919 [inline]
 __se_sys_exit_group kernel/exit.c:917 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:917
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Second to last call_rcu():
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_record_aux_stack+0xa0/0xb0 mm/kasan/generic.c:346
 __call_rcu kernel/rcu/tree.c:2960 [inline]
 call_rcu+0x8a/0x9d0 kernel/rcu/tree.c:3034
 netlink_release+0xd73/0x1c70 net/netlink/af_netlink.c:804
 __sock_release+0xd2/0x290 net/socket.c:596
 sock_close+0x18/0x20 net/socket.c:1264
 __fput+0x285/0x970 fs/file_table.c:281
 task_work_run+0xe2/0x1a0 kernel/task_work.c:151
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:164 [inline]
 exit_to_user_mode_prepare+0x155/0x160 kernel/entry/common.c:191
 syscall_exit_to_user_mode+0x38/0x230 kernel/entry/common.c:266
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff8880427d5000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 160 bytes inside of
 2048-byte region [ffff8880427d5000, ffff8880427d5800)
The buggy address belongs to the page:
page:00000000a74668e3 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x427d0
head:00000000a74668e3 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x100000000010200(slab|head)
raw: 0100000000010200 dead000000000100 dead000000000122 ffff888007c42000
raw: 0000000000000000 0000000000080008 00000001ffffffff ffff88800e442e81
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff88800e442e81

Memory state around the buggy address:
 ffff8880427d4f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880427d5000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880427d5080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff8880427d5100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880427d5180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 5504 at lib/refcount.c:28 refcount_warn_saturate+0x103/0x1f0 lib/refcount.c:28
Modules linked in:
CPU: 1 PID: 5504 Comm: kworker/1:1 Tainted: G    B             5.10.60 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: events l2cap_chan_timeout
RIP: 0010:refcount_warn_saturate+0x103/0x1f0 lib/refcount.c:28
Code: 1d 26 54 56 03 31 ff 89 de e8 f9 c7 50 ff 84 db 75 a3 e8 b0 ce 50 ff 48 c7 c7 40 41 3b 84 c6 05 06 54 56 03 01 e8 bc e6 dc 01 <0f> 0b eb 87 e8 94 ce 50 ff 0f b6 1d ef 53 56 03 31 ff 89 de e8 c4
RSP: 0018:ffff88801addfca0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff888008e7cbc0 RSI: ffffffff812912c3 RDI: ffffed10035bbf86
RBP: ffff8880427d0018 R08: 0000000000000001 R09: ffff88806cf2fb4f
R10: 0000000000000000 R11: 0000000000000001 R12: ffff8880427d0018
R13: ffff888042bbd000 R14: ffff888042bbd4b8 R15: ffff888009098500
FS:  0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0c9ba85344 CR3: 0000000041d3c000 CR4: 0000000000350ee0
Call Trace:
 __refcount_sub_and_test include/linux/refcount.h:283 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 kref_put include/linux/kref.h:64 [inline]
 l2cap_chan_put+0x15a/0x190 net/bluetooth/l2cap_core.c:504
 l2cap_sock_kill+0xbd/0x180 net/bluetooth/l2cap_sock.c:1225
 l2cap_chan_timeout+0x1c6/0x3a0 net/bluetooth/l2cap_core.c:438
 process_one_work+0x9ac/0x1580 kernel/workqueue.c:2270
 worker_thread+0x61d/0x1310 kernel/workqueue.c:2416
 kthread+0x38f/0x470 kernel/kthread.c:292
 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:296
irq event stamp: 580986
hardirqs last  enabled at (580985): [] __cancel_work kernel/workqueue.c:3229 [inline]
hardirqs last  enabled at (580985): [] cancel_delayed_work+0x249/0x2b0 kernel/workqueue.c:3251
hardirqs last disabled at (580984): [] try_to_grab_pending+0xb7/0xd0 kernel/workqueue.c:1242
softirqs last  enabled at (580192): [] srcu_invoke_callbacks+0x1db/0x380 kernel/rcu/srcutree.c:1191
softirqs last disabled at (580986): [] spin_lock_bh include/linux/spinlock.h:359 [inline]
softirqs last disabled at (580986): [] lock_sock_nested+0x40/0x120 net/core/sock.c:3038
---[ end trace c63a520adc75bf4f ]---
kmemleak: 10 new suspected memory leaks (see /sys/kernel/debug/kmemleak)