syzbot

 sign-in | mailing list | source | docs
🐞 Open [717]
🐞 Fixed [181]
🐞 Invalid [640]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

BUG: corrupted list in l2cap_chan_put

Status: upstream: reported C repro on 2020/08/06 18:58
Reported-by: syzbot+2392badbf2130e71eac1@syzkaller.appspotmail.com
First crash: 2026d, last: 1089d
Similar bugs (1)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 BUG: corrupted list in l2cap_chan_put 8 C error 6 1618d 2027d 0/1 upstream: reported C repro on 2020/08/05 14:55
Fix bisection attempts (25)
Created Duration User Patch Repo Result
2023/03/01 10:10 56m bisect fix linux-4.14.y OK (0) job log log
2023/01/28 00:06 41m bisect fix linux-4.14.y OK (0) job log log
2022/11/19 09:19 27m bisect fix linux-4.14.y OK (0) job log log
2022/10/20 08:48 30m bisect fix linux-4.14.y OK (0) job log log
2022/09/15 17:46 28m bisect fix linux-4.14.y OK (0) job log log
2022/08/16 17:00 26m bisect fix linux-4.14.y OK (0) job log log
2022/07/17 16:09 32m bisect fix linux-4.14.y OK (0) job log log
2022/06/17 15:35 34m bisect fix linux-4.14.y OK (0) job log log
2022/05/18 15:00 34m bisect fix linux-4.14.y OK (0) job log log
2022/04/18 14:28 32m bisect fix linux-4.14.y OK (0) job log log
2022/03/19 13:36 38m bisect fix linux-4.14.y OK (0) job log log
2022/02/17 00:52 29m bisect fix linux-4.14.y OK (0) job log log
2022/01/17 20:48 30m bisect fix linux-4.14.y OK (0) job log log
2021/12/18 20:18 29m bisect fix linux-4.14.y OK (0) job log log
2021/11/18 19:50 28m bisect fix linux-4.14.y OK (0) job log log
2021/10/19 19:21 28m bisect fix linux-4.14.y OK (0) job log log
2021/09/19 18:48 33m bisect fix linux-4.14.y OK (0) job log log
2021/08/20 18:13 34m bisect fix linux-4.14.y OK (0) job log log
2021/07/21 17:40 33m bisect fix linux-4.14.y OK (0) job log log
2021/06/21 17:10 29m bisect fix linux-4.14.y OK (0) job log log
2021/05/22 00:22 34m bisect fix linux-4.14.y OK (0) job log log
2021/04/21 23:46 35m bisect fix linux-4.14.y OK (0) job log log
2021/03/22 22:44 34m bisect fix linux-4.14.y OK (0) job log log
2021/02/20 22:09 34m bisect fix linux-4.14.y OK (0) job log log
2021/02/18 00:22 19m bisect fix linux-4.14.y error job log

Sample crash report:
audit: type=1400 audit(1596869424.502:8): avc:  denied  { execmem } for  pid=6356 comm="syz-executor774" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
IPVS: ftp: loaded support on port[0] = 21
list_del corruption, ffff88809b5268a8->next is LIST_POISON1 (dead000000000100)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:45!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 6384 Comm: kworker/u5:2 Not tainted 4.14.193-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci0 hci_rx_work
task: ffff88809ebf0580 task.stack: ffff888097ba0000
RIP: 0010:__list_del_entry_valid.cold+0x23/0x55 lib/list_debug.c:45
RSP: 0018:ffff888097ba79b8 EFLAGS: 00010282
RAX: 000000000000004e RBX: ffff8880870600c0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff86ac0dc0 RDI: ffffed1012f74f2d
RBP: ffff88809b5268a8 R08: 000000000000004e R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: dead000000000200
R13: dead000000000100 R14: ffff88809b526440 R15: ffff88808cce8c40
FS:  0000000000000000(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000561ddc1090ba CR3: 0000000099c68000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __list_del_entry include/linux/list.h:117 [inline]
 list_del include/linux/list.h:125 [inline]
 l2cap_chan_destroy net/bluetooth/l2cap_core.c:476 [inline]
 kref_put include/linux/kref.h:70 [inline]
 l2cap_chan_put+0x50/0x1b0 net/bluetooth/l2cap_core.c:493
 l2cap_conless_channel net/bluetooth/l2cap_core.c:6976 [inline]
 l2cap_recv_frame+0xb9a/0x95c0 net/bluetooth/l2cap_core.c:7023
 l2cap_recv_acldata+0x7a6/0x8b0 net/bluetooth/l2cap_core.c:7588
 hci_acldata_packet net/bluetooth/hci_core.c:4066 [inline]
 hci_rx_work+0x3d1/0x970 net/bluetooth/hci_core.c:4249
 process_one_work+0x793/0x14a0 kernel/workqueue.c:2116
 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Code: e6 e8 a8 ae 44 fe 0f 0b 48 89 ee 48 c7 c7 60 5e e4 86 e8 97 ae 44 fe 0f 0b 4c 89 ea 48 89 ee 48 c7 c7 a0 5d e4 86 e8 83 ae 44 fe <0f> 0b 4c 89 e2 48 89 ee 48 c7 c7 00 5e e4 86 e8 6f ae 44 fe 0f 
RIP: __list_del_entry_valid.cold+0x23/0x55 lib/list_debug.c:45 RSP: ffff888097ba79b8
---[ end trace 080e6e2953b0c5f9 ]---

Crashes (6):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/08/08 06:52 linux-4.14.y 14b58326976d ff51e522 .config console log report syz C ci2-linux-4-14
2020/08/07 03:44 linux-4.14.y ca4f2c56d416 cb436c69 .config console log report syz C ci2-linux-4-14
2020/08/07 03:14 linux-4.14.y ca4f2c56d416 cb436c69 .config console log report syz C ci2-linux-4-14
2020/08/07 02:43 linux-4.14.y ca4f2c56d416 cb436c69 .config console log report syz C ci2-linux-4-14
2020/08/07 02:08 linux-4.14.y ca4f2c56d416 cb436c69 .config console log report syz C ci2-linux-4-14
2020/08/06 18:58 linux-4.14.y ca4f2c56d416 4ca1c0ea .config console log report syz C ci2-linux-4-14
* Struck through repros no longer work on HEAD.