[syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_sock_new_connection_cb


syzbot

Oct 21, 2024, 4:46:30 AM
to johan....@gmail.com, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, luiz....@gmail.com, mar...@holtmann.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 4d939780b705 Merge tag 'mm-hotfixes-stable-2024-10-17-16-0..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17712240580000
kernel config: https://syzkaller.appspot.com/x/.config?x=4c9b3fd66df7ebb7
dashboard link: https://syzkaller.appspot.com/bug?extid=cdae834448ec8c3602fe
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/4d54d8e0d6d3/disk-4d939780.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a28782ce0f67/vmlinux-4d939780.xz
kernel image: https://storage.googleapis.com/syzbot-assets/66ae027c044c/bzImage-4d939780.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cdae83...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in l2cap_sock_new_connection_cb+0x22a/0x240 net/bluetooth/l2cap_sock.c:1483
Read of size 8 at addr ffff888051b0d580 by task kworker/u9:5/5235

CPU: 1 UID: 0 PID: 5235 Comm: kworker/u9:5 Not tainted 6.12.0-rc3-syzkaller-00217-g4d939780b705 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: hci5 hci_rx_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
l2cap_sock_new_connection_cb+0x22a/0x240 net/bluetooth/l2cap_sock.c:1483
l2cap_connect_cfm+0x4c9/0xf80 net/bluetooth/l2cap_core.c:7261
hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
le_conn_complete_evt+0x1662/0x1d80 net/bluetooth/hci_event.c:5758
hci_le_conn_complete_evt+0x23c/0x370 net/bluetooth/hci_event.c:5784
hci_le_meta_evt+0x2e2/0x5d0 net/bluetooth/hci_event.c:7132
hci_event_func net/bluetooth/hci_event.c:7440 [inline]
hci_event_packet+0x666/0x1180 net/bluetooth/hci_event.c:7495
hci_rx_work+0x2c6/0x16c0 net/bluetooth/hci_core.c:4025
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>

Allocated by task 5235:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_noprof+0x1e8/0x400 mm/slub.c:4276
kmalloc_noprof include/linux/slab.h:882 [inline]
sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2164
sk_alloc+0x36/0xb90 net/core/sock.c:2217
bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:148
l2cap_sock_alloc.constprop.0+0x35/0x180 net/bluetooth/l2cap_sock.c:1877
l2cap_sock_new_connection_cb+0x101/0x240 net/bluetooth/l2cap_sock.c:1468
l2cap_connect_cfm+0x4c9/0xf80 net/bluetooth/l2cap_core.c:7261
hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
le_conn_complete_evt+0x1662/0x1d80 net/bluetooth/hci_event.c:5758
hci_le_conn_complete_evt+0x23c/0x370 net/bluetooth/hci_event.c:5784
hci_le_meta_evt+0x2e2/0x5d0 net/bluetooth/hci_event.c:7132
hci_event_func net/bluetooth/hci_event.c:7440 [inline]
hci_event_packet+0x666/0x1180 net/bluetooth/hci_event.c:7495
hci_rx_work+0x2c6/0x16c0 net/bluetooth/hci_core.c:4025
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 12523:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2342 [inline]
slab_free mm/slub.c:4579 [inline]
kfree+0x14f/0x4b0 mm/slub.c:4727
sk_prot_free net/core/sock.c:2200 [inline]
__sk_destruct+0x5eb/0x720 net/core/sock.c:2292
sk_destruct+0xc2/0xf0 net/core/sock.c:2307
__sk_free+0xf4/0x3e0 net/core/sock.c:2318
sk_free+0x6a/0x90 net/core/sock.c:2329
sock_put include/net/sock.h:1888 [inline]
l2cap_sock_kill net/bluetooth/l2cap_sock.c:1250 [inline]
l2cap_sock_kill+0x171/0x2d0 net/bluetooth/l2cap_sock.c:1235
l2cap_sock_cleanup_listen+0x3d/0x2a0 net/bluetooth/l2cap_sock.c:1448
l2cap_sock_release+0x5c/0x210 net/bluetooth/l2cap_sock.c:1411
__sock_release+0xb0/0x270 net/socket.c:658
sock_close+0x1c/0x30 net/socket.c:1426
__fput+0x3f6/0xb60 fs/file_table.c:431
task_work_run+0x14e/0x250 kernel/task_work.c:228
get_signal+0x1ca/0x2770 kernel/signal.c:2690
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888051b0d000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1408 bytes inside of
freed 2048-byte region [ffff888051b0d000, ffff888051b0d800)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x51b08
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b042000 ffffea0001e8d600 dead000000000002
raw: 0000000000000000 0000000080080008 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801b042000 ffffea0001e8d600 dead000000000002
head: 0000000000000000 0000000080080008 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea000146c201 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 8071, tgid 8071 (syz-executor), ts 364335009732, free_ts 364003293789
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x101e/0x3070 mm/page_alloc.c:3457
__alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2265
alloc_slab_page mm/slub.c:2412 [inline]
allocate_slab mm/slub.c:2578 [inline]
new_slab+0x2ba/0x3f0 mm/slub.c:2631
___slab_alloc+0xdac/0x1880 mm/slub.c:3818
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3908
__slab_alloc_node mm/slub.c:3961 [inline]
slab_alloc_node mm/slub.c:4122 [inline]
__kmalloc_cache_noprof+0x2b4/0x300 mm/slub.c:4290
kmalloc_noprof include/linux/slab.h:878 [inline]
rtnl_newlink+0x49/0xa0 net/core/rtnetlink.c:3768
rtnetlink_rcv_msg+0x3c7/0xea0 net/core/rtnetlink.c:6675
netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2551
netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1357
netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:729 [inline]
__sock_sendmsg net/socket.c:744 [inline]
__sys_sendto+0x479/0x4d0 net/socket.c:2214
__do_sys_sendto net/socket.c:2226 [inline]
__se_sys_sendto net/socket.c:2222 [inline]
__x64_sys_sendto+0xe0/0x1c0 net/socket.c:2222
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
page last free pid 8 tgid 8 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4085 [inline]
slab_alloc_node mm/slub.c:4134 [inline]
kmem_cache_alloc_node_noprof+0x153/0x310 mm/slub.c:4186
__alloc_skb+0x2b1/0x380 net/core/skbuff.c:668
alloc_skb include/linux/skbuff.h:1322 [inline]
alloc_skb_with_frags+0xe4/0x850 net/core/skbuff.c:6612
sock_alloc_send_pskb+0x7f1/0x980 net/core/sock.c:2883
sock_alloc_send_skb include/net/sock.h:1782 [inline]
mld_newpack.isra.0+0x1ed/0x790 net/ipv6/mcast.c:1747
add_grhead+0x299/0x340 net/ipv6/mcast.c:1850
add_grec+0x111e/0x1670 net/ipv6/mcast.c:1988
mld_send_cr net/ipv6/mcast.c:2114 [inline]
mld_ifc_work+0x41f/0xca0 net/ipv6/mcast.c:2651
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147

Memory state around the buggy address:
ffff888051b0d480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888051b0d500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888051b0d580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888051b0d600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888051b0d680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Nov 23, 2025, 11:01:30 PM
to johan....@gmail.com, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, luiz....@gmail.com, mar...@holtmann.org, syzkall...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: d0e88704d96c Merge tag 'clk-fixes-for-linus' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1263ce92580000
kernel config: https://syzkaller.appspot.com/x/.config?x=38a0c4cddc846161
dashboard link: https://syzkaller.appspot.com/bug?extid=cdae834448ec8c3602fe
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15bc797c580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/711231d3cfaf/disk-d0e88704.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d60243774d7d/vmlinux-d0e88704.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3604850a56dd/bzImage-d0e88704.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+cdae83...@syzkaller.appspotmail.com

</TASK>
kobject: kobject_add_internal failed for hci3:201 with -EEXIST, don't try to register things with the same name in the same directory.
Bluetooth: hci3: failed to register connection device
==================================================================
BUG: KASAN: slab-use-after-free in l2cap_sock_new_connection_cb+0x1f9/0x2b0 net/bluetooth/l2cap_sock.c:1500
Read of size 8 at addr ffff888034df07a8 by task kworker/u9:3/5924

CPU: 1 UID: 0 PID: 5924 Comm: kworker/u9:3 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: hci3 hci_rx_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
l2cap_sock_new_connection_cb+0x1f9/0x2b0 net/bluetooth/l2cap_sock.c:1500
l2cap_connect_cfm+0x37a/0x1040 net/bluetooth/l2cap_core.c:7288
hci_connect_cfm+0x95/0x140 include/net/bluetooth/hci_core.h:2107
le_conn_complete_evt+0xfb8/0x1500 net/bluetooth/hci_event.c:5799
hci_le_conn_complete_evt+0x187/0x450 net/bluetooth/hci_event.c:5825
hci_event_func net/bluetooth/hci_event.c:7586 [inline]
hci_event_packet+0x78f/0x1200 net/bluetooth/hci_event.c:7643
hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4099
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>

Allocated by task 5924:
kasan_save_stack mm/kasan/common.c:56 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417
kasan_kmalloc include/linux/kasan.h:262 [inline]
__do_kmalloc_node mm/slub.c:5650 [inline]
__kmalloc_noprof+0x233/0x7d0 mm/slub.c:5662
kmalloc_noprof include/linux/slab.h:961 [inline]
sk_prot_alloc+0xe7/0x220 net/core/sock.c:2239
sk_alloc+0x3a/0x370 net/core/sock.c:2295
bt_sock_alloc+0x3b/0x310 net/bluetooth/af_bluetooth.c:151
l2cap_sock_alloc net/bluetooth/l2cap_sock.c:1897 [inline]
l2cap_sock_new_connection_cb+0xe2/0x2b0 net/bluetooth/l2cap_sock.c:1485
l2cap_connect_cfm+0x37a/0x1040 net/bluetooth/l2cap_core.c:7288
hci_connect_cfm+0x95/0x140 include/net/bluetooth/hci_core.h:2107
le_conn_complete_evt+0xfb8/0x1500 net/bluetooth/hci_event.c:5799
hci_le_conn_complete_evt+0x187/0x450 net/bluetooth/hci_event.c:5825
hci_event_func net/bluetooth/hci_event.c:7586 [inline]
hci_event_packet+0x78f/0x1200 net/bluetooth/hci_event.c:7643
hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4099
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 6561:
kasan_save_stack mm/kasan/common.c:56 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
__kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587
kasan_save_free_info mm/kasan/kasan.h:406 [inline]
poison_slab_object mm/kasan/common.c:252 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284
kasan_slab_free include/linux/kasan.h:234 [inline]
slab_free_hook mm/slub.c:2543 [inline]
slab_free mm/slub.c:6642 [inline]
kfree+0x197/0x950 mm/slub.c:6849
sk_prot_free net/core/sock.c:2278 [inline]
__sk_destruct+0x4e4/0x670 net/core/sock.c:2373
l2cap_sock_cleanup_listen+0xda/0x3e0 net/bluetooth/l2cap_sock.c:1465
l2cap_sock_release+0x6a/0x230 net/bluetooth/l2cap_sock.c:1426
__sock_release net/socket.c:662 [inline]
sock_close+0xc3/0x240 net/socket.c:1455
__fput+0x45b/0xa80 fs/file_table.c:468
task_work_run+0x1d4/0x260 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888034df0000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1960 bytes inside of
freed 2048-byte region [ffff888034df0000, ffff888034df0800)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x34df0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff88813ff27000 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 0080000000000040 ffff88813ff27000 dead000000000100 dead000000000122
head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
head: 0080000000000003 ffffea0000d37c01 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5829, tgid 5829 (syz-executor), ts 105983598332, free_ts 105930998295
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x234/0x290 mm/page_alloc.c:1845
prep_new_page mm/page_alloc.c:1853 [inline]
get_page_from_freelist+0x28c0/0x2960 mm/page_alloc.c:3879
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5178
alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:3059 [inline]
allocate_slab+0x96/0x350 mm/slub.c:3232
new_slab mm/slub.c:3286 [inline]
___slab_alloc+0xb10/0x1400 mm/slub.c:4655
__slab_alloc+0xc6/0x1f0 mm/slub.c:4778
__slab_alloc_node mm/slub.c:4854 [inline]
slab_alloc_node mm/slub.c:5276 [inline]
__do_kmalloc_node mm/slub.c:5649 [inline]
__kmalloc_node_track_caller_noprof+0x2a8/0x7e0 mm/slub.c:5759
kmalloc_reserve+0x136/0x290 net/core/skbuff.c:601
__alloc_skb+0x142/0x2d0 net/core/skbuff.c:670
alloc_skb include/linux/skbuff.h:1383 [inline]
nlmsg_new include/net/netlink.h:1055 [inline]
rtmsg_ifinfo_build_skb+0x84/0x260 net/core/rtnetlink.c:4400
rtmsg_ifinfo_event net/core/rtnetlink.c:4442 [inline]
rtmsg_ifinfo+0x8c/0x1a0 net/core/rtnetlink.c:4451
register_netdevice+0x1746/0x1b10 net/core/dev.c:11346
__ip_tunnel_create+0x3e7/0x560 net/ipv4/ip_tunnel.c:268
ip_tunnel_init_net+0x2ba/0x800 net/ipv4/ip_tunnel.c:1147
vti_init_net+0x2f/0x100 net/ipv4/ip_vti.c:517
page last free pid 5832 tgid 5832 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1394 [inline]
__free_frozen_pages+0xfb6/0x1140 mm/page_alloc.c:2901
discard_slab mm/slub.c:3330 [inline]
__put_partials+0x149/0x170 mm/slub.c:3876
__slab_free+0x29e/0x370 mm/slub.c:5929
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:352
kasan_slab_alloc include/linux/kasan.h:252 [inline]
slab_post_alloc_hook mm/slub.c:4978 [inline]
slab_alloc_node mm/slub.c:5288 [inline]
__kmalloc_cache_noprof+0x181/0x6c0 mm/slub.c:5766
kmalloc_noprof include/linux/slab.h:957 [inline]
kzalloc_noprof include/linux/slab.h:1094 [inline]
kset_create lib/kobject.c:965 [inline]
kset_create_and_add+0x5a/0x180 lib/kobject.c:1008
register_queue_kobjects net/core/net-sysfs.c:2106 [inline]
netdev_register_kobject+0x1a2/0x310 net/core/net-sysfs.c:2362
register_netdevice+0x12a0/0x1b10 net/core/dev.c:11294
__ip_tunnel_create+0x3e7/0x560 net/ipv4/ip_tunnel.c:268
ip_tunnel_init_net+0x2ba/0x800 net/ipv4/ip_tunnel.c:1147
ops_init+0x35c/0x5c0 net/core/net_namespace.c:137
setup_net+0xfe/0x320 net/core/net_namespace.c:445
copy_net_ns+0x34e/0x4e0 net/core/net_namespace.c:580
create_new_namespaces+0x3f3/0x720 kernel/nsproxy.c:110

Memory state around the buggy address:
ffff888034df0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888034df0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888034df0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888034df0800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888034df0880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

Edward Adam Davis

Nov 25, 2025, 7:14:06 AM
to syzbot+cdae83...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test

diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 814fb8610ac4..6f2740d55dc0 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1422,7 +1422,7 @@ static int l2cap_sock_release(struct socket *sock)
if (!sk)
return 0;

- lock_sock_nested(sk, L2CAP_NESTING_PARENT);
+ lock_sock(sk);
l2cap_sock_cleanup_listen(sk);
release_sock(sk);
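Review bot: replacing lock_sock_nested(sk, L2CAP_NESTING_PARENT) with lock_sock(sk) only drops the lockdep subclass annotation; both calls take the same sk lock, so the hunk cannot serialize anything the original did not, and the allocate/free/use chain from the KASAN report (child sock allocated in l2cap_sock_new_connection_cb, freed from l2cap_sock_cleanup_listen via l2cap_sock_release, then read again at l2cap_sock.c:1500) is left as it was. The subclass exists because l2cap_sock_cleanup_listen goes on to lock the accept-queue children, which are in the same sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP class as the parent, so without it lockdep reports a recursive acquisition. Keep the nested annotation and instead close the window between the parent's cleanup and the in-flight callback, for example by holding a reference on the new child sock for the remainder of l2cap_sock_new_connection_cb.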


syzbot

Nov 25, 2025, 7:50:05 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
possible deadlock in bt_accept_dequeue

============================================
WARNING: possible recursive locking detected
syzkaller #0 Not tainted
--------------------------------------------
syz.3.20/6474 is trying to acquire lock:
ffff888028ff2358 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1679 [inline]
ffff888028ff2358 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: bt_accept_dequeue+0x100/0x5b0 net/bluetooth/af_bluetooth.c:279

but task is already holding lock:
ffff88803b4e8358 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1679 [inline]
ffff88803b4e8358 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: l2cap_sock_release+0x5f/0x230 net/bluetooth/l2cap_sock.c:1425

other info that might help us debug this:
Possible unsafe locking scenario:

CPU0
----
lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP);
lock(sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP);

*** DEADLOCK ***

May be due to missing lock nesting notation

2 locks held by syz.3.20/6474:
#0: ffff88803d4c70f8 (&sb->s_type->i_mutex_key#10){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:980 [inline]
#0: ffff88803d4c70f8 (&sb->s_type->i_mutex_key#10){+.+.}-{4:4}, at: __sock_release net/socket.c:661 [inline]
#0: ffff88803d4c70f8 (&sb->s_type->i_mutex_key#10){+.+.}-{4:4}, at: sock_close+0x9b/0x240 net/socket.c:1455
#1: ffff88803b4e8358 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1679 [inline]
#1: ffff88803b4e8358 (sk_lock-AF_BLUETOOTH-BTPROTO_L2CAP){+.+.}-{0:0}, at: l2cap_sock_release+0x5f/0x230 net/bluetooth/l2cap_sock.c:1425

stack backtrace:
CPU: 0 UID: 0 PID: 6474 Comm: syz.3.20 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_deadlock_bug+0x28b/0x2a0 kernel/locking/lockdep.c:3041
check_deadlock kernel/locking/lockdep.c:3093 [inline]
validate_chain+0x1a3f/0x2140 kernel/locking/lockdep.c:3895
__lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
lock_sock_nested+0x3e/0x130 net/core/sock.c:3720
lock_sock include/net/sock.h:1679 [inline]
bt_accept_dequeue+0x100/0x5b0 net/bluetooth/af_bluetooth.c:279
l2cap_sock_cleanup_listen+0x2f/0x3e0 net/bluetooth/l2cap_sock.c:1454
l2cap_sock_release+0x67/0x230 net/bluetooth/l2cap_sock.c:1426
__sock_release net/socket.c:662 [inline]
sock_close+0xc3/0x240 net/socket.c:1455
__fput+0x45b/0xa80 fs/file_table.c:468
task_work_run+0x1d4/0x260 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe17a36f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff3eea6588 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007fe17a5c7da0 RCX: 00007fe17a36f749
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007fe17a5c7da0 R08: 0000000000000000 R09: 000000143eea687f
R10: 000000000003fd20 R11: 0000000000000246 R12: 000000000002a91f
R13: 00007fff3eea6680 R14: ffffffffffffffff R15: 00007fff3eea66a0
</TASK>


Tested on:

commit: ac3fd01e Linux 6.18-rc7
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12c97612580000
kernel config: https://syzkaller.appspot.com/x/.config?x=38a0c4cddc846161
dashboard link: https://syzkaller.appspot.com/bug?extid=cdae834448ec8c3602fe
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=100f4f42580000

Edward Adam Davis

Nov 25, 2025, 8:08:09 AM
to syzbot+cdae83...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test

diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 814fb8610ac4..20939ab32b13 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1411,6 +1411,8 @@ static int l2cap_sock_shutdown(struct socket *sock, int how)
return err;
}

+static DEFINE_MUTEX(ra_lock);
+
static int l2cap_sock_release(struct socket *sock)
{
struct sock *sk = sock->sk;
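Review bot: ra_lock needs a comment stating what it protects and from which contexts it is taken; as a file-scope mutex it serializes the release of every L2CAP socket in the system against every incoming connection callback on every adapter, far wider than the one listener/child pair the report involves. If a mutex is the intended fix, scope it to the listening socket (or its l2cap_chan) rather than making it global.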
@@ -1422,9 +1424,8 @@ static int l2cap_sock_release(struct socket *sock)
if (!sk)
return 0;

- lock_sock_nested(sk, L2CAP_NESTING_PARENT);
+ guard(mutex)(&ra_lock);
l2cap_sock_cleanup_listen(sk);
- release_sock(sk);

bt_sock_unlink(&l2cap_sk_list, sk);
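Review bot: with guard(mutex)(&ra_lock) replacing lock_sock_nested() and the release_sock(sk) line removed, l2cap_sock_cleanup_listen(sk) now runs without the socket lock held at all, so the listener's accept queue is no longer protected from other socket-lock holders, and ra_lock does not substitute for that because nothing else touching the listener takes it. The guard also keeps ra_lock held until l2cap_sock_release returns, i.e. across the later l2cap_sock_shutdown() call and its l2cap_chan_lock(), which establishes the ordering ra_lock -> &chan->lock. Keep the lock_sock_nested()/release_sock() pair around the cleanup and, if ra_lock stays, drop it before the shutdown path with scoped_guard() or an explicit mutex_lock()/mutex_unlock().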

@@ -1473,6 +1474,7 @@ static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
{
struct sock *sk, *parent = chan->data;

+ guard(mutex)(&ra_lock);
lock_sock(parent);

/* Check for backlog size */
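Review bot: taking ra_lock at the top of l2cap_sock_new_connection_cb inverts the order created in l2cap_sock_release: this callback is reached from l2cap_connect_cfm under hci_rx_work with the channel lock already held (&chan->lock -> ra_lock), while release holds ra_lock while calling into l2cap_sock_shutdown()/l2cap_chan_lock() (ra_lock -> &chan->lock), a textbook AB/BA inversion that lockdep reports as a circular dependency. The guard also pins a global mutex for the whole callback from the HCI RX worker, so a slow socket release stalls event processing for every adapter. If serialization against release is needed here, use a lock ordered after &chan->lock, or have the callback detect that the parent is being released (its sk state, checked under the existing lock_sock(parent)) and bail out instead of blocking.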

syzbot

Nov 25, 2025, 8:46:04 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
possible deadlock in l2cap_sock_shutdown

======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
syz.2.19/6669 is trying to acquire lock:
ffff88803a345588 (&chan->lock/2){+.+.}-{4:4}, at: l2cap_chan_lock include/net/bluetooth/l2cap.h:827 [inline]
ffff88803a345588 (&chan->lock/2){+.+.}-{4:4}, at: l2cap_sock_shutdown+0x9f3/0x1130 net/bluetooth/l2cap_sock.c:1374

but task is already holding lock:
ffffffff8e9e3238 (ra_lock){+.+.}-{4:4}, at: class_mutex_constructor include/linux/mutex.h:228 [inline]
ffffffff8e9e3238 (ra_lock){+.+.}-{4:4}, at: l2cap_sock_release+0x5e/0x260 net/bluetooth/l2cap_sock.c:1427

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (ra_lock){+.+.}-{4:4}:
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
__mutex_lock_common kernel/locking/rtmutex_api.c:535 [inline]
mutex_lock_nested+0x5a/0x1d0 kernel/locking/rtmutex_api.c:547
class_mutex_constructor include/linux/mutex.h:228 [inline]
l2cap_sock_new_connection_cb+0x4e/0x300 net/bluetooth/l2cap_sock.c:1477
l2cap_connect_cfm+0x37a/0x1040 net/bluetooth/l2cap_core.c:7288
hci_connect_cfm+0x95/0x140 include/net/bluetooth/hci_core.h:2107
le_conn_complete_evt+0xfb8/0x1500 net/bluetooth/hci_event.c:5799
hci_le_conn_complete_evt+0x187/0x450 net/bluetooth/hci_event.c:5825
hci_event_func net/bluetooth/hci_event.c:7586 [inline]
hci_event_packet+0x78f/0x1200 net/bluetooth/hci_event.c:7643
hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4099
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

-> #0 (&chan->lock/2){+.+.}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908
__lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
__mutex_lock_common kernel/locking/rtmutex_api.c:535 [inline]
mutex_lock_nested+0x5a/0x1d0 kernel/locking/rtmutex_api.c:547
l2cap_chan_lock include/net/bluetooth/l2cap.h:827 [inline]
l2cap_sock_shutdown+0x9f3/0x1130 net/bluetooth/l2cap_sock.c:1374
l2cap_sock_release+0x82/0x260 net/bluetooth/l2cap_sock.c:1432
__sock_release net/socket.c:662 [inline]
sock_close+0xc3/0x240 net/socket.c:1455
__fput+0x45b/0xa80 fs/file_table.c:468
task_work_run+0x1d4/0x260 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

Possible unsafe locking scenario:

CPU0                          CPU1
----                          ----
lock(ra_lock);
                              lock(&chan->lock/2);
                              lock(ra_lock);
lock(&chan->lock/2);

*** DEADLOCK ***

2 locks held by syz.2.19/6669:
#0: ffff8880480cd6f8 (&sb->s_type->i_mutex_key#10){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:980 [inline]
#0: ffff8880480cd6f8 (&sb->s_type->i_mutex_key#10){+.+.}-{4:4}, at: __sock_release net/socket.c:661 [inline]
#0: ffff8880480cd6f8 (&sb->s_type->i_mutex_key#10){+.+.}-{4:4}, at: sock_close+0x9b/0x240 net/socket.c:1455
#1: ffffffff8e9e3238 (ra_lock){+.+.}-{4:4}, at: class_mutex_constructor include/linux/mutex.h:228 [inline]
#1: ffffffff8e9e3238 (ra_lock){+.+.}-{4:4}, at: l2cap_sock_release+0x5e/0x260 net/bluetooth/l2cap_sock.c:1427

stack backtrace:
CPU: 1 UID: 0 PID: 6669 Comm: syz.2.19 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_circular_bug+0x2ee/0x310 kernel/locking/lockdep.c:2043
check_noncircular+0x134/0x160 kernel/locking/lockdep.c:2175
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain+0xb9b/0x2140 kernel/locking/lockdep.c:3908
__lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
__mutex_lock_common kernel/locking/rtmutex_api.c:535 [inline]
mutex_lock_nested+0x5a/0x1d0 kernel/locking/rtmutex_api.c:547
l2cap_chan_lock include/net/bluetooth/l2cap.h:827 [inline]
l2cap_sock_shutdown+0x9f3/0x1130 net/bluetooth/l2cap_sock.c:1374
l2cap_sock_release+0x82/0x260 net/bluetooth/l2cap_sock.c:1432
__sock_release net/socket.c:662 [inline]
sock_close+0xc3/0x240 net/socket.c:1455
__fput+0x45b/0xa80 fs/file_table.c:468
task_work_run+0x1d4/0x260 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc22a98f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff1d93f9c8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007fc22abe7da0 RCX: 00007fc22a98f749
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007fc22abe7da0 R08: 0000000000000000 R09: 000000141d93fcbf
R10: 000000000003fd20 R11: 0000000000000246 R12: 000000000002b06f
R13: 00007fff1d93fac0 R14: ffffffffffffffff R15: 00007fff1d93fae0
</TASK>


Tested on:

commit: ac3fd01e Linux 6.18-rc7
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=155ec57c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=38a0c4cddc846161
dashboard link: https://syzkaller.appspot.com/bug?extid=cdae834448ec8c3602fe
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1280cf42580000
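For readers less used to lockdep output: the "Possible unsafe locking scenario" table in the report above is the pair of acquisition orders that closes a cycle in lockdep's lock-class dependency graph, which is what `check_noncircular()` in the backtrace rejects. The block below is an added example, not code from syzbot, from the patch or from the kernel: a toy lock-order graph that records "acquired B while holding A" edges and refuses the acquisition that would close a cycle, replayed over the two orderings from that table. The lock-class names are the report's; the numbering, the task labels and the single-process model are assumptions of the example.

```c
/* Added example, not from syzbot, the patch or the kernel: a toy
 * lock-order graph modelled on lockdep's check_noncircular().
 * It records "acquired B while holding A" edges between lock classes
 * and rejects an acquisition that would add an edge closing a cycle.
 * Lock class names come from the report; the numbering is ours. */
#include <stdio.h>
#include <string.h>

enum lock_class { RA_LOCK = 0, CHAN_LOCK = 1, NR_LOCKS = 2 };
static const char *const lock_name[NR_LOCKS] = { "ra_lock", "&chan->lock/2" };

/* edge[a][b] != 0 means some task acquired b while holding a. */
static int edge[NR_LOCKS][NR_LOCKS];

static void reset_graph(void)
{
    memset(edge, 0, sizeof(edge));
}

/* Depth-first search: can 'to' be reached from 'from' along recorded edges? */
static int reachable(enum lock_class from, enum lock_class to, int *seen)
{
    if (from == to)
        return 1;
    seen[from] = 1;
    for (int next = 0; next < NR_LOCKS; next++)
        if (edge[from][next] && !seen[next] && reachable(next, to, seen))
            return 1;
    return 0;
}

/* Replay one task's acquisitions in order, with no releases in between,
 * which is the situation the lockdep table describes. Returns the index
 * of the first acquisition that would create a circular dependency, or
 * -1 if the whole sequence is consistent with every order seen so far. */
static int trace_task(const char *task, const enum lock_class *acq, int n)
{
    enum lock_class held[NR_LOCKS];
    int nheld = 0;

    for (int i = 0; i < n; i++) {
        enum lock_class b = acq[i];

        for (int h = 0; h < nheld; h++) {
            enum lock_class a = held[h];
            int seen[NR_LOCKS] = { 0 };

            /* Adding a -> b closes a cycle iff b already reaches a. */
            if (reachable(b, a, seen)) {
                printf("%s: lock(%s) while holding %s: circular dependency\n",
                       task, lock_name[b], lock_name[a]);
                return i;
            }
            edge[a][b] = 1;
        }
        if (nheld < NR_LOCKS)
            held[nheld++] = b;
    }
    return -1;
}

/* The two orderings from the "Possible unsafe locking scenario" table:
 * CPU0 takes ra_lock then &chan->lock/2, CPU1 takes them the other way. */
static int replay_report(void)
{
    static const enum lock_class cpu0[] = { RA_LOCK, CHAN_LOCK };
    static const enum lock_class cpu1[] = { CHAN_LOCK, RA_LOCK };

    reset_graph();
    if (trace_task("CPU0", cpu0, 2) != -1)
        return -2;      /* the first ordering alone can never conflict */
    return trace_task("CPU1", cpu1, 2);
}

/* Control case: both CPUs use the same order, so no cycle can form. */
static int replay_consistent(void)
{
    static const enum lock_class order[] = { RA_LOCK, CHAN_LOCK };

    reset_graph();
    if (trace_task("CPU0", order, 2) != -1)
        return -2;
    return trace_task("CPU1", order, 2);
}

int main(void)
{
    printf("report ordering: cycle at CPU1 acquisition %d\n", replay_report());
    printf("consistent ordering: %d (-1 means no cycle)\n", replay_consistent());
    return 0;
}
```

Running it prints the CPU1 `lock(ra_lock)` acquisition as the one that closes the cycle, exactly the step lockdep flags in the splat; the control case returns -1. Real lockdep also tracks nesting subclasses (the `/2` in `&chan->lock/2`), IRQ state and many more classes, but the cycle test is the same idea.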

Edward Adam Davis

Nov 25, 2025, 8:55:55 AM
to syzbot+cdae83...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test

diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 814fb8610ac4..6532f11e3e17 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1411,6 +1411,8 @@ static int l2cap_sock_shutdown(struct socket *sock, int how)
return err;
}

+static DEFINE_MUTEX(ra_lock);
+
static int l2cap_sock_release(struct socket *sock)
{
struct sock *sk = sock->sk;
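Review bot: `ra_lock` is introduced as a file-scope mutex with no comment saying what it protects, which paths must hold it, or how it orders against `chan->lock` and the socket lock, and the lockdep splat earlier in this thread is precisely a `ra_lock` / `&chan->lock/2` inversion (ra_lock then chan->lock on one CPU, chan->lock then ra_lock on the other). Put a comment above `static DEFINE_MUTEX(ra_lock);` stating the rule (for example that it serialises `l2cap_sock_cleanup_listen()` against the HCI RX callbacks and must never be acquired with `chan->lock` held), and note that one global mutex serialises the release of every L2CAP socket in the system, not just a listener and its pending children.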
@@ -1422,9 +1424,9 @@ static int l2cap_sock_release(struct socket *sock)
if (!sk)
return 0;

- lock_sock_nested(sk, L2CAP_NESTING_PARENT);
+ mutex_lock(&ra_lock);
l2cap_sock_cleanup_listen(sk);
- release_sock(sk);
+ mutex_unlock(&ra_lock);

bt_sock_unlink(&l2cap_sk_list, sk);

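Review bot: the `lock_sock_nested(sk, L2CAP_NESTING_PARENT)` / `release_sock(sk)` pair is replaced rather than supplemented, so `l2cap_sock_cleanup_listen(sk)` now runs with no socket lock held at all, while the paths it races with (the `hci_rx_work` callbacks in both reports on this thread, `l2cap_sock_new_connection_cb` and `l2cap_sock_ready_cb`) still synchronise through `lock_sock` and take `ra_lock` nowhere visible in this diff, so the mutex orders nothing against them. Keep the socket lock and take `ra_lock` in addition, e.g. `mutex_lock(&ra_lock); lock_sock_nested(sk, L2CAP_NESTING_PARENT);` around the cleanup with the matching unlocks in reverse order, and make the callback-side acquisition explicit. syzbot's result on this patch, a near-NULL `sk` (null-ptr-deref in the 0x358 range) inside `lock_sock_nested` from `l2cap_sock_ready_cb`, is consistent with a callback observing a channel whose socket is already gone.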
@@ -1473,6 +1475,7 @@ static struct l2cap_chan *l2cap_sock_new_connection_cb(struct l2cap_chan *chan)
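Review bot: the body of this hunk is not on the page, so the change to `l2cap_sock_new_connection_cb()` cannot be reviewed here; that is the function the original KASAN slab-use-after-free report points at (l2cap_sock.c:1483) and the place where a release-side `ra_lock` needs a matching acquisition for the serialisation to mean anything. Please include the complete hunk when resending.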

syzbot

Nov 25, 2025, 9:54:05 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lock_sock_nested

</TASK>
kobject: kobject_add_internal failed for hci3:201 with -EEXIST, don't try to register things with the same name in the same directory.
Bluetooth: hci3: failed to register connection device
Oops: general protection fault, probably for non-canonical address 0xdffffc000000006b: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000358-0x000000000000035f]
CPU: 1 UID: 0 PID: 5116 Comm: kworker/u9:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: hci3 hci_rx_work
RIP: 0010:kasan_byte_accessible+0x12/0x30 mm/kasan/generic.c:210
Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cc cc cc cc 66 66 66 66 66 66 2e
RSP: 0018:ffffc900106072e8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffff889d1fbe RCX: 562ba08c8e500400
RDX: 0000000000000000 RSI: ffffffff889d1fbe RDI: 000000000000006b
RBP: ffffffff89ca6065 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffffff89ca6020 R12: 0000000000000000
R13: 0000000000000358 R14: 0000000000000358 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff888126ef4000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555572fa15c8 CR3: 000000000d3a6000 CR4: 00000000003526f0
Call Trace:
<TASK>
__kasan_check_byte+0x12/0x40 mm/kasan/common.c:579
kasan_check_byte include/linux/kasan.h:401 [inline]
lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842
lock_sock_nested+0x3e/0x130 net/core/sock.c:3720
lock_sock include/net/sock.h:1679 [inline]
l2cap_sock_ready_cb+0x45/0x140 net/bluetooth/l2cap_sock.c:1680
l2cap_chan_ready net/bluetooth/l2cap_core.c:1264 [inline]
l2cap_le_start+0xb0d/0x13b0 net/bluetooth/l2cap_core.c:1376
l2cap_conn_ready net/bluetooth/l2cap_core.c:1629 [inline]
l2cap_connect_cfm+0x6be/0x1040 net/bluetooth/l2cap_core.c:7305
hci_connect_cfm+0x95/0x140 include/net/bluetooth/hci_core.h:2107
le_conn_complete_evt+0xfb8/0x1500 net/bluetooth/hci_event.c:5799
hci_le_conn_complete_evt+0x187/0x450 net/bluetooth/hci_event.c:5825
hci_event_func net/bluetooth/hci_event.c:7586 [inline]
hci_event_packet+0x78f/0x1200 net/bluetooth/hci_event.c:7643
hci_rx_work+0x46a/0xe80 net/bluetooth/hci_core.c:4099
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:kasan_byte_accessible+0x12/0x30 mm/kasan/generic.c:210
Code: 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 c1 ef 03 48 b8 00 00 00 00 00 fc ff df <0f> b6 04 07 3c 08 0f 92 c0 c3 cc cc cc cc cc 66 66 66 66 66 66 2e
RSP: 0018:ffffc900106072e8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffffff889d1fbe RCX: 562ba08c8e500400
RDX: 0000000000000000 RSI: ffffffff889d1fbe RDI: 000000000000006b
RBP: ffffffff89ca6065 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffffff89ca6020 R12: 0000000000000000
R13: 0000000000000358 R14: 0000000000000358 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff888126ef4000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555572fa15c8 CR3: 000000000d3a6000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
0: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1)
7: 00
8: 90 nop
9: 90 nop
a: 90 nop
b: 90 nop
c: 90 nop
d: 90 nop
e: 90 nop
f: 90 nop
10: 90 nop
11: 90 nop
12: 90 nop
13: 90 nop
14: 90 nop
15: 90 nop
16: 90 nop
17: 90 nop
18: 0f 1f 40 d6 nopl -0x2a(%rax)
1c: 48 c1 ef 03 shr $0x3,%rdi
20: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
27: fc ff df
* 2a: 0f b6 04 07 movzbl (%rdi,%rax,1),%eax <-- trapping instruction
2e: 3c 08 cmp $0x8,%al
30: 0f 92 c0 setb %al
33: c3 ret
34: cc int3
35: cc int3
36: cc int3
37: cc int3
38: cc int3
39: 66 data16
3a: 66 data16
3b: 66 data16
3c: 66 data16
3d: 66 data16
3e: 66 data16
3f: 2e cs


Tested on:

commit: ac3fd01e Linux 6.18-rc7
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10f578b4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=38a0c4cddc846161
dashboard link: https://syzkaller.appspot.com/bug?extid=cdae834448ec8c3602fe
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=11e46e92580000
