[v5.15] BUG: corrupted list in bt_accept_unlink

syzbot

Apr 8, 2025, 8:51:31 PM
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 0c935c049b5c Linux 5.15.179
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=104e0398580000
kernel config: https://syzkaller.appspot.com/x/.config?x=98c228fbc016eb3a
dashboard link: https://syzkaller.appspot.com/bug?extid=3436a290be33b556e9e7
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d5477072f336/disk-0c935c04.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/77d15907ffb3/vmlinux-0c935c04.xz
kernel image: https://storage.googleapis.com/syzbot-assets/efe5d79cb16a/Image-0c935c04.gz.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3436a2...@syzkaller.appspotmail.com

list_del corruption. prev->next should be ffff0000d6cfa518, but was ffff0000ce426518
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:61!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 8097 Comm: syz.8.913 Not tainted 5.15.179-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __list_del_entry_valid+0x138/0x150 lib/list_debug.c:59
lr : __list_del_entry_valid+0x138/0x150 lib/list_debug.c:59
sp : ffff800020597440
x29: ffff800020597440 x28: dfff800000000000 x27: ffff0000d6cfd01c
x26: ffff0000d6cfd488 x25: 1fffe0001ad9fa04 x24: dfff800000000000
x23: dfff800000000000 x22: ffff0000ce426518 x21: dfff800000000000
x20: ffff0000ce426518 x19: ffff0000d6cfa518 x18: 1fffe0003682e78e
x17: 1fffe0003682e78e x16: ffff800011b5ac80 x15: ffff800014c0f2a0
x14: 1ffff0000296e06c x13: dfff800000000000 x12: 0000000000000001
x11: 0000000000000000 x10: 0000000000000000 x9 : 1be0c985f38c7700
x8 : 1be0c985f38c7700 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000000 x3 : ffff80000aa1313c
x2 : ffff0001b4173d10 x1 : 0000000100000000 x0 : 0000000000000054
Call trace:
__list_del_entry_valid+0x138/0x150 lib/list_debug.c:59
__list_del_entry include/linux/list.h:132 [inline]
list_del_init include/linux/list.h:204 [inline]
bt_accept_unlink+0x40/0x26c net/bluetooth/af_bluetooth.c:187
l2cap_sock_teardown_cb+0x194/0x37c net/bluetooth/l2cap_sock.c:1588
l2cap_chan_del+0xbc/0x560 net/bluetooth/l2cap_core.c:655
l2cap_conn_del+0x2e8/0x554 net/bluetooth/l2cap_core.c:1929
l2cap_disconn_cfm+0x90/0xe0 net/bluetooth/l2cap_core.c:8315
hci_disconn_cfm include/net/bluetooth/hci_core.h:1520 [inline]
hci_conn_hash_flush+0x104/0x220 net/bluetooth/hci_conn.c:1622
hci_dev_do_close+0x7e4/0x1060 net/bluetooth/hci_core.c:1795
hci_unregister_dev+0x248/0x4d4 net/bluetooth/hci_core.c:4040
vhci_release+0x74/0xc4 drivers/bluetooth/hci_vhci.c:345
__fput+0x1c4/0x800 fs/file_table.c:311
____fput+0x20/0x30 fs/file_table.c:339
task_work_run+0x130/0x1e4 kernel/task_work.c:188
exit_task_work include/linux/task_work.h:33 [inline]
do_exit+0x670/0x20bc kernel/exit.c:874
do_group_exit+0x110/0x268 kernel/exit.c:996
get_signal+0x634/0x1550 kernel/signal.c:2900
do_signal arch/arm64/kernel/signal.c:890 [inline]
do_notify_resume+0x3d0/0x32b8 arch/arm64/kernel/signal.c:943
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:133 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:138 [inline]
asm_exit_to_user_mode+0x9c/0xf0 arch/arm64/kernel/entry-common.c:145
ret_from_fork+0x1c/0x20 arch/arm64/kernel/entry.S:873
Code: f003b800 91198000 aa1303e1 95c38cb4 (d4210000)
---[ end trace 2839c0191bf4a812 ]---

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Aug 27, 2025, 1:34:19 PM
to syzkaller...@googlegroups.com
Auto-closing this bug as obsolete.
Crashes did not happen for a while, no reproducer and no activity.