================================================================== BUG: KASAN: use-after-free in perf_trace_lock_acquire+0x3d8/0x4f0 include/trace/events/lock.h:13 Read of size 8 at addr ffff8880425830b8 by task kworker/0:2/71 CPU: 0 PID: 71 Comm: kworker/0:2 Not tainted 5.10.60 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Workqueue: events l2cap_chan_timeout Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:118 print_address_description.constprop.0+0x1c/0x210 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c:545 [inline] kasan_report.cold+0x37/0x7c mm/kasan/report.c:562 perf_trace_lock_acquire+0x3d8/0x4f0 include/trace/events/lock.h:13 trace_lock_acquire include/trace/events/lock.h:13 [inline] lock_acquire+0x3d8/0x490 kernel/locking/lockdep.c:5531 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:175 spin_lock_bh include/linux/spinlock.h:359 [inline] lock_sock_nested+0x40/0x120 net/core/sock.c:3038 l2cap_sock_teardown_cb+0x89/0x420 net/bluetooth/l2cap_sock.c:1528 l2cap_chan_del+0xad/0xf30 net/bluetooth/l2cap_core.c:622 l2cap_chan_close+0xf8/0xb40 net/bluetooth/l2cap_core.c:827 l2cap_chan_timeout+0x16d/0x3a0 net/bluetooth/l2cap_core.c:436 process_one_work+0x9ac/0x1580 kernel/workqueue.c:2270 worker_thread+0x61d/0x1310 kernel/workqueue.c:2416 kthread+0x38f/0x470 kernel/kthread.c:292 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:296 Allocated by task 289: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461 kmalloc_node include/linux/slab.h:575 [inline] kvmalloc_node+0x61/0xf0 mm/util.c:575 kvmalloc include/linux/mm.h:765 [inline] kvmalloc_array include/linux/mm.h:783 [inline] alloc_fdtable+0xcd/0x280 fs/file.c:118 dup_fd+0x71a/0xc50 fs/file.c:323 copy_files kernel/fork.c:1472 [inline] copy_process+0x18a3/0x64e0 kernel/fork.c:2092 kernel_clone+0xe7/0xa20 kernel/fork.c:2465 __do_sys_clone+0xc8/0x110 kernel/fork.c:2582 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 11538: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355 __kasan_slab_free+0x111/0x150 mm/kasan/common.c:422 slab_free_hook mm/slub.c:1542 [inline] slab_free_freelist_hook+0x64/0x150 mm/slub.c:1575 slab_free mm/slub.c:3140 [inline] kfree+0xca/0x360 mm/slub.c:4116 kvfree+0x42/0x50 mm/util.c:604 __free_fdtable fs/file.c:34 [inline] put_files_struct fs/file.c:433 [inline] put_files_struct+0x270/0x350 fs/file.c:426 exit_files+0x7e/0xa0 fs/file.c:458 do_exit+0xbd5/0x2770 kernel/exit.c:806 do_group_exit+0x125/0x310 kernel/exit.c:908 get_signal+0x469/0x2210 kernel/signal.c:2758 arch_do_signal+0x88/0x1b00 arch/x86/kernel/signal.c:805 exit_to_user_mode_loop kernel/entry/common.c:161 [inline] exit_to_user_mode_prepare+0xf7/0x160 kernel/entry/common.c:191 syscall_exit_to_user_mode+0x38/0x230 kernel/entry/common.c:266 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Last call_rcu(): kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_record_aux_stack+0xa0/0xb0 mm/kasan/generic.c:346 __call_rcu kernel/rcu/tree.c:2960 [inline] call_rcu+0x8a/0x9d0 kernel/rcu/tree.c:3034 netlink_release+0xd73/0x1c70 net/netlink/af_netlink.c:804 __sock_release+0xd2/0x290 net/socket.c:596 sock_close+0x18/0x20 net/socket.c:1264 __fput+0x285/0x970 fs/file_table.c:281 task_work_run+0xe2/0x1a0 kernel/task_work.c:151 exit_task_work include/linux/task_work.h:30 [inline] do_exit+0xc0f/0x2770 kernel/exit.c:811 do_group_exit+0x125/0x310 kernel/exit.c:908 __do_sys_exit_group kernel/exit.c:919 [inline] __se_sys_exit_group kernel/exit.c:917 [inline] __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:917 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Second to last call_rcu(): kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_record_aux_stack+0xa0/0xb0 mm/kasan/generic.c:346 __call_rcu kernel/rcu/tree.c:2960 [inline] call_rcu+0x8a/0x9d0 kernel/rcu/tree.c:3034 netlink_release+0xd73/0x1c70 net/netlink/af_netlink.c:804 __sock_release+0xd2/0x290 net/socket.c:596 sock_close+0x18/0x20 net/socket.c:1264 __fput+0x285/0x970 fs/file_table.c:281 task_work_run+0xe2/0x1a0 kernel/task_work.c:151 tracehook_notify_resume include/linux/tracehook.h:188 [inline] exit_to_user_mode_loop kernel/entry/common.c:164 [inline] exit_to_user_mode_prepare+0x155/0x160 kernel/entry/common.c:191 syscall_exit_to_user_mode+0x38/0x230 kernel/entry/common.c:266 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff888042583000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 184 bytes inside of 2048-byte region [ffff888042583000, ffff888042583800) The buggy address belongs to the page: page:0000000042e7dd48 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x42580 head:0000000042e7dd48 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x100000000010200(slab|head) raw: 0100000000010200 0000000000000000 0000000100000001 ffff888007c42000 raw: 0000000000000000 0000000000080008 00000001ffffffff ffff888017a6c801 page dumped because: kasan: bad access detected page->mem_cgroup:ffff888017a6c801 Memory state around the buggy address: ffff888042582f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888042583000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888042583080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888042583100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888042583180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor instruction fetch in kernel mode #PF: error_code(0x0010) - not-present page PGD 0 P4D 0 Oops: 0010 [#1] SMP KASAN NOPTI CPU: 0 PID: 71 Comm: kworker/0:2 Tainted: G B 5.10.60 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Workqueue: events l2cap_chan_timeout RIP: 0010:0x0 Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. RSP: 0018:ffff888008b5fb90 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff888042583000 RCX: ffffffff837f0c54 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff888042583000 RBP: 0000000000000005 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000009 R11: 0000000000000001 R12: 000000000000006f R13: ffff88804198a000 R14: 0000000000000000 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 0000000004c26000 CR4: 0000000000350ef0 Call Trace: l2cap_sock_teardown_cb+0x386/0x420 net/bluetooth/l2cap_sock.c:1553 l2cap_chan_del+0xad/0xf30 net/bluetooth/l2cap_core.c:622 l2cap_chan_close+0xf8/0xb40 net/bluetooth/l2cap_core.c:827 l2cap_chan_timeout+0x16d/0x3a0 net/bluetooth/l2cap_core.c:436 process_one_work+0x9ac/0x1580 kernel/workqueue.c:2270 worker_thread+0x61d/0x1310 kernel/workqueue.c:2416 kthread+0x38f/0x470 kernel/kthread.c:292 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:296 Modules linked in: CR2: 0000000000000000 ---[ end trace 7fe5c5a311135c5a ]--- RIP: 0010:0x0 Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. RSP: 0018:ffff888008b5fb90 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff888042583000 RCX: ffffffff837f0c54 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff888042583000 RBP: 0000000000000005 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000009 R11: 0000000000000001 R12: 000000000000006f R13: ffff88804198a000 R14: 0000000000000000 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 0000000004c26000 CR4: 0000000000350ef0 BUG: sleeping function called from invalid context at include/linux/percpu-rwsem.h:49 in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 71, name: kworker/0:2 INFO: lockdep is turned off. irq event stamp: 157499 hardirqs last enabled at (157497): [] __cancel_work kernel/workqueue.c:3229 [inline] hardirqs last enabled at (157497): [] cancel_delayed_work+0x249/0x2b0 kernel/workqueue.c:3251 hardirqs last disabled at (157499): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] hardirqs last disabled at (157499): [] _raw_spin_lock_irqsave+0x4b/0x50 kernel/locking/spinlock.c:159 softirqs last enabled at (157478): [] asm_call_irq_on_stack+0x12/0x20 softirqs last disabled at (157498): [] spin_lock_bh include/linux/spinlock.h:359 [inline] softirqs last disabled at (157498): [] lock_sock_nested+0x40/0x120 net/core/sock.c:3038 CPU: 0 PID: 71 Comm: kworker/0:2 Tainted: G B D 5.10.60 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Workqueue: events l2cap_chan_timeout Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:118 ___might_sleep.cold+0x141/0x16f kernel/sched/core.c:7277 percpu_down_read include/linux/percpu-rwsem.h:49 [inline] cgroup_threadgroup_change_begin include/linux/cgroup-defs.h:733 [inline] exit_signals+0x23/0x850 kernel/signal.c:2843 do_exit+0x30a/0x2770 kernel/exit.c:767 rewind_stack_do_exit+0x17/0x20 arch/x86/entry/entry_64.S:1483 RIP: 0000:0x0 Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. RSP: 0000:0000000000000000 EFLAGS: 00000000 ORIG_RAX: 0000000000000000 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000