================================================================== BUG: KASAN: use-after-free in perf_trace_lock_acquire+0x3d8/0x4f0 include/trace/events/lock.h:13 Read of size 8 at addr ffff88804c5e10b8 by task kworker/0:5/15029 CPU: 0 PID: 15029 Comm: kworker/0:5 Not tainted 5.10.60 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Workqueue: events l2cap_chan_timeout Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:118 print_address_description.constprop.0+0x1c/0x210 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c:545 [inline] kasan_report.cold+0x37/0x7c mm/kasan/report.c:562 perf_trace_lock_acquire+0x3d8/0x4f0 include/trace/events/lock.h:13 trace_lock_acquire include/trace/events/lock.h:13 [inline] lock_acquire+0x3d8/0x490 kernel/locking/lockdep.c:5531 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:175 spin_lock_bh include/linux/spinlock.h:359 [inline] lock_sock_nested+0x40/0x120 net/core/sock.c:3038 l2cap_sock_teardown_cb+0x89/0x420 net/bluetooth/l2cap_sock.c:1528 l2cap_chan_del+0xad/0xf30 net/bluetooth/l2cap_core.c:622 l2cap_chan_close+0xf8/0xb40 net/bluetooth/l2cap_core.c:827 l2cap_chan_timeout+0x16d/0x3a0 net/bluetooth/l2cap_core.c:436 process_one_work+0x9ac/0x1580 kernel/workqueue.c:2270 worker_thread+0x61d/0x1310 kernel/workqueue.c:2416 kthread+0x38f/0x470 kernel/kthread.c:292 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:296 Allocated by task 287: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461 kmalloc_node include/linux/slab.h:575 [inline] kvmalloc_node+0x61/0xf0 mm/util.c:575 kvmalloc include/linux/mm.h:765 [inline] kvmalloc_array include/linux/mm.h:783 [inline] alloc_fdtable+0xcd/0x280 fs/file.c:118 dup_fd+0x71a/0xc50 fs/file.c:323 copy_files kernel/fork.c:1472 [inline] copy_process+0x18a3/0x64e0 kernel/fork.c:2092 kernel_clone+0xe7/0xa20 kernel/fork.c:2465 __do_sys_clone+0xc8/0x110 kernel/fork.c:2582 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 25224: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355 __kasan_slab_free+0x111/0x150 mm/kasan/common.c:422 slab_free_hook mm/slub.c:1542 [inline] slab_free_freelist_hook+0x64/0x150 mm/slub.c:1575 slab_free mm/slub.c:3140 [inline] kfree+0xca/0x360 mm/slub.c:4116 kvfree+0x42/0x50 mm/util.c:604 __free_fdtable fs/file.c:34 [inline] put_files_struct fs/file.c:433 [inline] put_files_struct+0x270/0x350 fs/file.c:426 exit_files+0x7e/0xa0 fs/file.c:458 do_exit+0xbd5/0x2770 kernel/exit.c:806 do_group_exit+0x125/0x310 kernel/exit.c:908 get_signal+0x469/0x2210 kernel/signal.c:2758 arch_do_signal+0x88/0x1b00 arch/x86/kernel/signal.c:805 exit_to_user_mode_loop kernel/entry/common.c:161 [inline] exit_to_user_mode_prepare+0xf7/0x160 kernel/entry/common.c:191 syscall_exit_to_user_mode+0x38/0x230 kernel/entry/common.c:266 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Last call_rcu(): kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_record_aux_stack+0xa0/0xb0 mm/kasan/generic.c:346 __call_rcu kernel/rcu/tree.c:2960 [inline] call_rcu+0x8a/0x9d0 kernel/rcu/tree.c:3034 put_event kernel/events/core.c:4981 [inline] perf_event_release_kernel+0x899/0xc20 kernel/events/core.c:5096 perf_release+0x33/0x40 kernel/events/core.c:5106 __fput+0x285/0x970 fs/file_table.c:281 task_work_run+0xe2/0x1a0 kernel/task_work.c:151 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_user_mode_loop kernel/entry/common.c:164 [inline] exit_to_user_mode_prepare+0x155/0x160 kernel/entry/common.c:191 syscall_exit_to_user_mode+0x38/0x230 kernel/entry/common.c:266 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Second to last call_rcu(): kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_record_aux_stack+0xa0/0xb0 mm/kasan/generic.c:346 __call_rcu kernel/rcu/tree.c:2960 [inline] call_rcu+0x8a/0x9d0 kernel/rcu/tree.c:3034 netlink_release+0xd73/0x1c70 net/netlink/af_netlink.c:804 __sock_release net/socket.c:596 [inline] sock_release+0x8d/0x1b0 net/socket.c:624 netlink_kernel_release+0x4b/0x60 net/netlink/af_netlink.c:2109 uevent_net_exit+0xbb/0x210 lib/kobject_uevent.c:799 ops_exit_list+0xb3/0x160 net/core/net_namespace.c:187 cleanup_net+0x484/0x8e0 net/core/net_namespace.c:604 process_one_work+0x9ac/0x1580 kernel/workqueue.c:2270 worker_thread+0x61d/0x1310 kernel/workqueue.c:2416 kthread+0x38f/0x470 kernel/kthread.c:292 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:296 The buggy address belongs to the object at ffff88804c5e1000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 184 bytes inside of 2048-byte region [ffff88804c5e1000, ffff88804c5e1800) The buggy address belongs to the page: page:00000000d0e88ba8 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88804c5e5000 pfn:0x4c5e0 head:00000000d0e88ba8 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x100000000010200(slab|head) raw: 0100000000010200 ffffea0001361008 ffffea0000f9ee08 ffff888007c42000 raw: ffff88804c5e5000 0000000000080005 00000001ffffffff ffff88804899fe81 page dumped because: kasan: bad access detected page->mem_cgroup:ffff88804899fe81 Memory state around the buggy address: ffff88804c5e0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88804c5e1000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88804c5e1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88804c5e1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88804c5e1180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor instruction fetch in kernel mode #PF: error_code(0x0010) - not-present page PGD 45fab067 P4D 45fab067 PUD 4f83f067 PMD 0 Oops: 0010 [#1] SMP KASAN NOPTI CPU: 0 PID: 15029 Comm: kworker/0:5 Tainted: G B 5.10.60 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Workqueue: events l2cap_chan_timeout RIP: 0010:0x0 Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. RSP: 0018:ffff88800fc97b90 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88804c5e1000 RCX: ffffffff837f0c54 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88804c5e1000 RBP: 0000000000000005 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000009 R11: 0000000000000001 R12: 000000000000006f R13: ffff88804f507000 R14: 0000000000000000 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 000000004f556000 CR4: 0000000000350ef0 Call Trace: l2cap_sock_teardown_cb+0x386/0x420 net/bluetooth/l2cap_sock.c:1553 l2cap_chan_del+0xad/0xf30 net/bluetooth/l2cap_core.c:622 l2cap_chan_close+0xf8/0xb40 net/bluetooth/l2cap_core.c:827 l2cap_chan_timeout+0x16d/0x3a0 net/bluetooth/l2cap_core.c:436 process_one_work+0x9ac/0x1580 kernel/workqueue.c:2270 worker_thread+0x61d/0x1310 kernel/workqueue.c:2416 kthread+0x38f/0x470 kernel/kthread.c:292 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:296 Modules linked in: CR2: 0000000000000000 ---[ end trace 59994d92008cdeab ]--- RIP: 0010:0x0 Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. RSP: 0018:ffff88800fc97b90 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88804c5e1000 RCX: ffffffff837f0c54 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88804c5e1000 RBP: 0000000000000005 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000009 R11: 0000000000000001 R12: 000000000000006f R13: ffff88804f507000 R14: 0000000000000000 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 000000004f556000 CR4: 0000000000350ef0 BUG: sleeping function called from invalid context at include/linux/percpu-rwsem.h:49 in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 15029, name: kworker/0:5 INFO: lockdep is turned off. irq event stamp: 116317 hardirqs last enabled at (116316): [] asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635 hardirqs last disabled at (116317): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] hardirqs last disabled at (116317): [] _raw_spin_lock_irqsave+0x4b/0x50 kernel/locking/spinlock.c:159 softirqs last enabled at (115990): [] asm_call_irq_on_stack+0x12/0x20 softirqs last disabled at (116314): [] spin_lock_bh include/linux/spinlock.h:359 [inline] softirqs last disabled at (116314): [] lock_sock_nested+0x40/0x120 net/core/sock.c:3038 CPU: 0 PID: 15029 Comm: kworker/0:5 Tainted: G B D 5.10.60 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Workqueue: events l2cap_chan_timeout Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:118 ___might_sleep.cold+0x141/0x16f kernel/sched/core.c:7277 percpu_down_read include/linux/percpu-rwsem.h:49 [inline] cgroup_threadgroup_change_begin include/linux/cgroup-defs.h:733 [inline] exit_signals+0x23/0x850 kernel/signal.c:2843 do_exit+0x30a/0x2770 kernel/exit.c:767 rewind_stack_do_exit+0x17/0x20 arch/x86/entry/entry_64.S:1483 RIP: 0000:0x0 Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. RSP: 0000:0000000000000000 EFLAGS: 00000000 ORIG_RAX: 0000000000000000 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 netlink: 56 bytes leftover after parsing attributes in process `syz-executor.6'. mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium