[syzbot] [bluetooth?] BUG: corrupted list in _hci_cmd_sync_cancel_entry

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: a430d95c5efa Merge tag 'lsm-pr-20240911' of git://git.kern..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=136ba607980000
kernel config: https://syzkaller.appspot.com/x/.config?x=44d46e514184cd24
dashboard link: https://syzkaller.appspot.com/bug?extid=01fdb2cc3f0b4ddcfcf1
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/bdf130384fad/disk-a430d95c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c62ff195641a/vmlinux-a430d95c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4069702199e2/bzImage-a430d95c.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+01fdb2...@syzkaller.appspotmail.com

list_del corruption, ffff88801febb580->next is LIST_POISON1 (dead000000000100)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:56!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 8278 Comm: kworker/u9:2 Not tainted 6.11.0-syzkaller-02574-ga430d95c5efa #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci2 hci_conn_timeout
RIP: 0010:__list_del_entry_valid_or_report+0x108/0x1c0 lib/list_debug.c:56
Code: c7 c7 80 1b b1 8b e8 c7 c6 dd fc 90 0f 0b 48 c7 c7 e0 1b b1 8b e8 b8 c6 dd fc 90 0f 0b 48 c7 c7 40 1c b1 8b e8 a9 c6 dd fc 90 <0f> 0b 48 89 ca 48 c7 c7 a0 1c b1 8b e8 97 c6 dd fc 90 0f 0b 48 89
RSP: 0018:ffffc90003a1fbe0 EFLAGS: 00010286
RAX: 000000000000004e RBX: ffff88801febb580 RCX: ffffffff816c6699
RDX: 0000000000000000 RSI: ffffffff816cf7b6 RDI: 0000000000000005
RBP: ffff88805f5a8000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff88801febb588
R13: dffffc0000000000 R14: ffff88805f5a8618 R15: ffff88801febb580
FS: 0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000202f5000 CR3: 0000000060a82000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:124 [inline]
__list_del_entry include/linux/list.h:215 [inline]
list_del include/linux/list.h:229 [inline]
_hci_cmd_sync_cancel_entry.constprop.0+0x80/0x1d0 net/bluetooth/hci_sync.c:643
hci_cmd_sync_cancel_entry net/bluetooth/hci_sync.c:847 [inline]
hci_cmd_sync_dequeue_once net/bluetooth/hci_sync.c:866 [inline]
hci_cancel_connect_sync+0x103/0x2c0 net/bluetooth/hci_sync.c:6844
hci_abort_conn+0x163/0x340 net/bluetooth/hci_conn.c:2948
hci_conn_timeout+0x1ab/0x220 net/bluetooth/hci_conn.c:576
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3393
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0x108/0x1c0 lib/list_debug.c:56
Code: c7 c7 80 1b b1 8b e8 c7 c6 dd fc 90 0f 0b 48 c7 c7 e0 1b b1 8b e8 b8 c6 dd fc 90 0f 0b 48 c7 c7 40 1c b1 8b e8 a9 c6 dd fc 90 <0f> 0b 48 89 ca 48 c7 c7 a0 1c b1 8b e8 97 c6 dd fc 90 0f 0b 48 89
RSP: 0018:ffffc90003a1fbe0 EFLAGS: 00010286
RAX: 000000000000004e RBX: ffff88801febb580 RCX: ffffffff816c6699
RDX: 0000000000000000 RSI: ffffffff816cf7b6 RDI: 0000000000000005
RBP: ffff88805f5a8000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff88801febb588
R13: dffffc0000000000 R14: ffff88805f5a8618 R15: ffff88801febb580
FS: 0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000202f5000 CR3: 0000000060a82000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit: 7595b66ae9de Merge tag 'selinux-pr-20250624' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10ed4f0c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=641bc01f4fbdccd4

dashboard link: https://syzkaller.appspot.com/bug?extid=01fdb2cc3f0b4ddcfcf1
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14bc9b70580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/86576f060f6f/disk-7595b66a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/051ad595d63b/vmlinux-7595b66a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e72740ea313a/bzImage-7595b66a.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+01fdb2...@syzkaller.appspotmail.com

Bluetooth: hci4: command 0x0406 tx timeout
non-paged memory
list_del corruption, ffff88802932b700->next is LIST_POISON1 (dead000000000100)

------------[ cut here ]------------
kernel BUG at lib/list_debug.c:56!

Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 1 UID: 0 PID: 51 Comm: kworker/u9:0 Not tainted 6.16.0-rc3-syzkaller-00044-g7595b66ae9de #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: hci4 hci_conn_timeout
RIP: 0010:__list_del_entry_valid_or_report+0x121/0x200 lib/list_debug.c:56
Code: 48 c7 c7 e0 7e 15 8c e8 1d 41 b9 fc 90 0f 0b 4c 89 e7 e8 02 f3 1d fd 4c 89 e2 48 89 de 48 c7 c7 40 7f 15 8c e8 00 41 b9 fc 90 <0f> 0b 48 89 ef e8 e5 f2 1d fd 48 89 ea 48 89 de 48 c7 c7 a0 7f 15
RSP: 0018:ffffc90000bb7b78 EFLAGS: 00010282
RAX: 000000000000004e RBX: ffff88802932b700 RCX: ffffffff819b00b9
RDX: 0000000000000000 RSI: ffffffff819b7f46 RDI: 0000000000000005
RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: dead000000000100
R13: dffffc0000000000 R14: ffff88802f118618 R15: ffff88802932b700
FS: 0000000000000000(0000) GS:ffff888124852000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 000000c007642020 CR3: 000000007e2b4000 CR4: 00000000003526f0

DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:124 [inline]
__list_del_entry include/linux/list.h:215 [inline]
list_del include/linux/list.h:229 [inline]

_hci_cmd_sync_cancel_entry.constprop.0+0x80/0x1d0 net/bluetooth/hci_sync.c:647
hci_cmd_sync_cancel_entry net/bluetooth/hci_sync.c:851 [inline]
hci_cmd_sync_dequeue_once net/bluetooth/hci_sync.c:870 [inline]
hci_cancel_connect_sync+0xfa/0x2b0 net/bluetooth/hci_sync.c:6903
hci_abort_conn+0x15a/0x340 net/bluetooth/hci_conn.c:2919
hci_conn_timeout+0x1a2/0x210 net/bluetooth/hci_conn.c:580
process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
process_scheduled_works kernel/workqueue.c:3321 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402
kthread+0x3c2/0x780 kernel/kthread.c:464
ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---

RIP: 0010:__list_del_entry_valid_or_report+0x121/0x200 lib/list_debug.c:56
Code: 48 c7 c7 e0 7e 15 8c e8 1d 41 b9 fc 90 0f 0b 4c 89 e7 e8 02 f3 1d fd 4c 89 e2 48 89 de 48 c7 c7 40 7f 15 8c e8 00 41 b9 fc 90 <0f> 0b 48 89 ef e8 e5 f2 1d fd 48 89 ea 48 89 de 48 c7 c7 a0 7f 15
RSP: 0018:ffffc90000bb7b78 EFLAGS: 00010282
RAX: 000000000000004e RBX: ffff88802932b700 RCX: ffffffff819b00b9
RDX: 0000000000000000 RSI: ffffffff819b7f46 RDI: 0000000000000005
RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: dead000000000100
R13: dffffc0000000000 R14: ffff88802f118618 R15: ffff88802932b700
FS: 0000000000000000(0000) GS:ffff888124852000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 00007fd6f9b7e2d8 CR3: 000000007b2b4000 CR4: 00000000003526f0

DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

[Hillf Danton]

> Date: Wed, 25 Jun 2025 10:14:27 -0700

> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 7595b66ae9de Merge tag 'selinux-pr-20250624' of git://git...
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10ed4f0c580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=641bc01f4fbdccd4
> dashboard link: https://syzkaller.appspot.com/bug?extid=01fdb2cc3f0b4ddcfcf1
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14bc9b70580000

#syz test

--- x/net/bluetooth/hci_sync.c
+++ y/net/bluetooth/hci_sync.c
@@ -862,14 +862,17 @@ bool hci_cmd_sync_dequeue_once(struct hc
void *data, hci_cmd_sync_work_destroy_t destroy)
{
struct hci_cmd_sync_work_entry *entry;
+ bool ret = false;

- entry = hci_cmd_sync_lookup_entry(hdev, func, data, destroy);
- if (!entry)
- return false;
+ mutex_lock(&hdev->cmd_sync_work_lock);
+ entry = _hci_cmd_sync_lookup_entry(hdev, func, data, destroy);
+ if (entry) {
+ _hci_cmd_sync_cancel_entry(hdev, entry, -ECANCELED);
+ ret = true;
+ }
+ mutex_unlock(&hdev->cmd_sync_work_lock);

- hci_cmd_sync_cancel_entry(hdev, entry);
-
- return true;
+ return ret;
}
EXPORT_SYMBOL(hci_cmd_sync_dequeue_once);

--

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+01fdb2...@syzkaller.appspotmail.com
Tested-by: syzbot+01fdb2...@syzkaller.appspotmail.com

Tested on:

commit: c4dce0c0 Merge tag 'spi-fix-v6.16-rc3' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=165ef70c580000

kernel config: https://syzkaller.appspot.com/x/.config?x=641bc01f4fbdccd4
dashboard link: https://syzkaller.appspot.com/bug?extid=01fdb2cc3f0b4ddcfcf1
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=175a3f0c580000

Note: testing is done by a robot and is best-effort only.

[syzbot]

Auto-closing this bug as obsolete.
No recent activity, existing reproducers are no longer triggering the issue.