EXT4-fs (loop5): mounted filesystem without journal. Opts: ,errors=continue
EXT4-fs (loop7): mounted filesystem without journal. Opts: ,errors=continue
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x41b3/0x5b60 kernel/locking/lockdep.c:4820
Read of size 8 at addr ffff8880424450a0 by task kworker/0:1/12

CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.10.60 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: events l2cap_chan_timeout
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 print_address_description.constprop.0+0x1c/0x210 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x37/0x7c mm/kasan/report.c:562
 __lock_acquire+0x41b3/0x5b60 kernel/locking/lockdep.c:4820
 lock_acquire kernel/locking/lockdep.c:5560 [inline]
 lock_acquire+0x197/0x490 kernel/locking/lockdep.c:5525
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
 _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:175
 spin_lock_bh include/linux/spinlock.h:359 [inline]
 lock_sock_nested+0x40/0x120 net/core/sock.c:3038
 l2cap_sock_teardown_cb+0x89/0x420 net/bluetooth/l2cap_sock.c:1528
 l2cap_chan_del+0xad/0xf30 net/bluetooth/l2cap_core.c:622
 l2cap_chan_close+0xf8/0xb40 net/bluetooth/l2cap_core.c:827
 l2cap_chan_timeout+0x16d/0x3a0 net/bluetooth/l2cap_core.c:436
 process_one_work+0x9ac/0x1580 kernel/workqueue.c:2270
 worker_thread+0x61d/0x1310 kernel/workqueue.c:2416
 kthread+0x38f/0x470 kernel/kthread.c:292
 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:296

Allocated by task 117:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461
 kmalloc include/linux/slab.h:557 [inline]
 sk_prot_alloc+0x1a4/0x2d0 net/core/sock.c:1674
 sk_alloc+0x30/0x340 net/core/sock.c:1728
 __netlink_create+0x63/0x300 net/netlink/af_netlink.c:632
 netlink_create+0x3ac/0x5e0 net/netlink/af_netlink.c:695
 __sock_create+0x355/0x760 net/socket.c:1414
 sock_create net/socket.c:1465 [inline]
 __sys_socket+0xef/0x200 net/socket.c:1507
 __do_sys_socket net/socket.c:1516 [inline]
 __se_sys_socket net/socket.c:1514 [inline]
 __x64_sys_socket+0x6e/0xb0 net/socket.c:1514
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 16:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0x111/0x150 mm/kasan/common.c:422
 slab_free_hook mm/slub.c:1542 [inline]
 slab_free_freelist_hook+0x64/0x150 mm/slub.c:1575
 slab_free mm/slub.c:3140 [inline]
 kfree+0xca/0x360 mm/slub.c:4116
 sk_prot_free net/core/sock.c:1711 [inline]
 __sk_destruct+0x5d3/0x720 net/core/sock.c:1796
 sk_destruct+0xbd/0xe0 net/core/sock.c:1811
 __sk_free+0xed/0x3d0 net/core/sock.c:1822
 sk_free+0x78/0xa0 net/core/sock.c:1833
 deferred_put_nlk_sk+0x151/0x2e0 net/netlink/af_netlink.c:732
 rcu_do_batch kernel/rcu/tree.c:2484 [inline]
 rcu_core+0x504/0xfd0 kernel/rcu/tree.c:2719
 __do_softirq+0x1b6/0x86a kernel/softirq.c:298

Last call_rcu():
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_record_aux_stack+0xa0/0xb0 mm/kasan/generic.c:346
 __call_rcu kernel/rcu/tree.c:2960 [inline]
 call_rcu+0x8a/0x9d0 kernel/rcu/tree.c:3034
 netlink_release+0xd73/0x1c70 net/netlink/af_netlink.c:804
 __sock_release+0xd2/0x290 net/socket.c:596
 sock_close+0x18/0x20 net/socket.c:1264
 __fput+0x285/0x970 fs/file_table.c:281
 task_work_run+0xe2/0x1a0 kernel/task_work.c:151
 exit_task_work include/linux/task_work.h:30 [inline]
 do_exit+0xc0f/0x2770 kernel/exit.c:811
 do_group_exit+0x125/0x310 kernel/exit.c:908
 __do_sys_exit_group kernel/exit.c:919 [inline]
 __se_sys_exit_group kernel/exit.c:917 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:917
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Second to last call_rcu():
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_record_aux_stack+0xa0/0xb0 mm/kasan/generic.c:346
 __call_rcu kernel/rcu/tree.c:2960 [inline]
 call_rcu+0x8a/0x9d0 kernel/rcu/tree.c:3034
 netlink_release+0xd73/0x1c70 net/netlink/af_netlink.c:804
 __sock_release+0xd2/0x290 net/socket.c:596
 sock_close+0x18/0x20 net/socket.c:1264
 __fput+0x285/0x970 fs/file_table.c:281
 task_work_run+0xe2/0x1a0 kernel/task_work.c:151
 exit_task_work include/linux/task_work.h:30 [inline]
 do_exit+0xc0f/0x2770 kernel/exit.c:811
 do_group_exit+0x125/0x310 kernel/exit.c:908
 __do_sys_exit_group kernel/exit.c:919 [inline]
 __se_sys_exit_group kernel/exit.c:917 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:917
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff888042445000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 160 bytes inside of
 2048-byte region [ffff888042445000, ffff888042445800)
The buggy address belongs to the page:
page:000000006bf3a6cf refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x42440
head:000000006bf3a6cf order:3 compound_mapcount:0 compound_pincount:0
flags: 0x100000000010200(slab|head)
raw: 0100000000010200 0000000000000000 0000000500000001 ffff888007c42000
raw: 0000000000000000 0000000000080008 00000001ffffffff ffff888041c53c01
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff888041c53c01

Memory state around the buggy address:
 ffff888042444f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888042445000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888042445080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff888042445100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888042445180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
stack segment: 0000 [#1] SMP KASAN NOPTI
CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G B 5.10.60 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: events l2cap_chan_timeout
RIP: 0010:arch_atomic_fetch_sub arch/x86/include/asm/atomic.h:190 [inline]
RIP: 0010:atomic_fetch_sub_release include/asm-generic/atomic-instrumented.h:221 [inline]
RIP: 0010:__refcount_sub_and_test include/linux/refcount.h:272 [inline]
RIP: 0010:__refcount_dec_and_test include/linux/refcount.h:315 [inline]
RIP: 0010:refcount_dec_and_test include/linux/refcount.h:333 [inline]
RIP: 0010:kref_put include/linux/kref.h:64 [inline]
RIP: 0010:l2cap_chan_put+0x22/0x190 net/bluetooth/l2cap_core.c:504
Code: 84 00 00 00 00 00 66 90 41 54 55 48 89 fd 53 4c 8d 65 18 bb ff ff ff ff e8 eb bb c3 fd be 04 00 00 00 4c 89 e7 e8 fe 86 ee fd 0f c1 5d 18 bf 01 00 00 00 89 de e8 4d b5 c3 fd 83 fb 01 74 35
RSP: 0018:ffff88800856fcb8 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 00000000ffffffff RCX: ffffffff837ba2d2
RDX: 0000000000000001 RSI: 0000000000000004 RDI: dead4ead00000018
RBP: dead4ead00000000 R08: 0000000000000001 R09: dead4ead0000001c
R10: 0000000000000000 R11: 0000000000000001 R12: dead4ead00000018
R13: ffff888042446000 R14: ffff8880424464b8 R15: ffff888007fc6d00
FS:  0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055ee973c5678 CR3: 0000000018394000 CR4: 0000000000350ef0
Call Trace:
 l2cap_sock_kill+0xbd/0x180 net/bluetooth/l2cap_sock.c:1225
 l2cap_chan_timeout+0x1c6/0x3a0 net/bluetooth/l2cap_core.c:438
 process_one_work+0x9ac/0x1580 kernel/workqueue.c:2270
 worker_thread+0x61d/0x1310 kernel/workqueue.c:2416
 kthread+0x38f/0x470 kernel/kthread.c:292
 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
---[ end trace 46a6b7f002e220fb ]---
RIP: 0010:arch_atomic_fetch_sub arch/x86/include/asm/atomic.h:190 [inline]
RIP: 0010:atomic_fetch_sub_release include/asm-generic/atomic-instrumented.h:221 [inline]
RIP: 0010:__refcount_sub_and_test include/linux/refcount.h:272 [inline]
RIP: 0010:__refcount_dec_and_test include/linux/refcount.h:315 [inline]
RIP: 0010:refcount_dec_and_test include/linux/refcount.h:333 [inline]
RIP: 0010:kref_put include/linux/kref.h:64 [inline]
RIP: 0010:l2cap_chan_put+0x22/0x190 net/bluetooth/l2cap_core.c:504
Code: 84 00 00 00 00 00 66 90 41 54 55 48 89 fd 53 4c 8d 65 18 bb ff ff ff ff e8 eb bb c3 fd be 04 00 00 00 4c 89 e7 e8 fe 86 ee fd 0f c1 5d 18 bf 01 00 00 00 89 de e8 4d b5 c3 fd 83 fb 01 74 35
RSP: 0018:ffff88800856fcb8 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 00000000ffffffff RCX: ffffffff837ba2d2
RDX: 0000000000000001 RSI: 0000000000000004 RDI: dead4ead00000018
RBP: dead4ead00000000 R08: 0000000000000001 R09: dead4ead0000001c
R10: 0000000000000000 R11: 0000000000000001 R12: dead4ead00000018
R13: ffff888042446000 R14: ffff8880424464b8 R15: ffff888007fc6d00
FS:  0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055ee973c5678 CR3: 0000000018394000 CR4: 0000000000350ef0
kmemleak: 43 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
kmemleak: 4 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
EXT4-fs (loop2): mounted filesystem without journal. Opts: ,errors=continue