| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in bt_accept_unlink | 0 (1) | 2024/10/21 08:47 |
syzbot |
sign-in | mailing list | source | docs |
| Title | Replies (including bot) | Last reply |
|---|---|---|
| [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in bt_accept_unlink | 0 (1) | 2024/10/21 08:47 |
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| linux-5.15 | BUG: corrupted list in bt_accept_unlink | 3 | 4d10h | 45d | 0/3 | upstream: reported on 2025/04/09 00:51 | |||
| upstream | general protection fault in bt_accept_unlink (2) bluetooth | 1 | 1542d | 1538d | 0/28 | auto-closed as invalid on 2021/07/01 06:33 | |||
| upstream | BUG: corrupted list in bt_accept_unlink bluetooth | syz | error | error | 1 | 1743d | 1743d | 0/28 | auto-obsoleted due to no activity on 2022/09/07 16:27 |
| linux-4.14 | BUG: corrupted list in bt_accept_unlink | syz | unreliable | 1 | 1628d | 1748d | 0/1 | upstream: reported syz repro on 2020/08/09 08:38 |
================================================================== BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x1d4/0x200 lib/list_debug.c:62 Read of size 8 at addr ffff88807d682558 by task syz.4.1097/13438 CPU: 1 UID: 0 PID: 13438 Comm: syz.4.1097 Not tainted 6.15.0-rc7-syzkaller-00002-gb36ddb9210e6 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 __list_del_entry_valid_or_report+0x1d4/0x200 lib/list_debug.c:62 __list_del_entry_valid include/linux/list.h:124 [inline] __list_del_entry include/linux/list.h:215 [inline] list_del_init include/linux/list.h:287 [inline] bt_accept_unlink+0x34/0x2e0 net/bluetooth/af_bluetooth.c:256 l2cap_sock_teardown_cb+0x1a3/0x3c0 net/bluetooth/l2cap_sock.c:1613 l2cap_chan_del+0xbd/0x8f0 net/bluetooth/l2cap_core.c:655 l2cap_conn_del+0x37a/0x730 net/bluetooth/l2cap_core.c:1786 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:7300 [inline] l2cap_disconn_cfm+0x96/0xd0 net/bluetooth/l2cap_core.c:7293 hci_disconn_cfm include/net/bluetooth/hci_core.h:2068 [inline] hci_conn_hash_flush+0x10e/0x260 net/bluetooth/hci_conn.c:2534 hci_dev_close_sync+0x602/0x11d0 net/bluetooth/hci_sync.c:5225 hci_dev_do_close+0x2e/0x90 net/bluetooth/hci_core.c:483 hci_unregister_dev+0x213/0x620 net/bluetooth/hci_core.c:2678 vhci_release+0x79/0xf0 drivers/bluetooth/hci_vhci.c:665 __fput+0x402/0xb70 fs/file_table.c:465 task_work_run+0x150/0x240 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0xafb/0x2c30 kernel/exit.c:953 do_group_exit+0xd3/0x2a0 kernel/exit.c:1102 get_signal+0x2673/0x26d0 kernel/signal.c:3034 arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218 do_syscall_64+0xda/0x260 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f8fb21907fc Code: Unable to access opcode bytes at 0x7f8fb21907d2. RSP: 002b:00007f8fb305bec0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c RAX: 0000000000000020 RBX: 00007f8fb305bfc0 RCX: 00007f8fb21907fc RDX: 0000000000000020 RSI: 00007f8fb305c010 RDI: 0000000000000007 RBP: 0000000000000000 R08: 00007f8fb305bf14 R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000007 R13: 00007f8fb305bf68 R14: 00007f8fb305c010 R15: 0000000000000000 </TASK> Allocated by task 13083: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4327 [inline] __kmalloc_noprof+0x223/0x510 mm/slub.c:4339 kmalloc_noprof include/linux/slab.h:909 [inline] sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2198 sk_alloc+0x36/0xc20 net/core/sock.c:2254 bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:148 l2cap_sock_alloc.constprop.0+0x33/0x1d0 net/bluetooth/l2cap_sock.c:1891 l2cap_sock_create+0x123/0x1f0 net/bluetooth/l2cap_sock.c:1933 bt_sock_create+0x185/0x350 net/bluetooth/af_bluetooth.c:132 __sock_create+0x338/0x8d0 net/socket.c:1541 sock_create net/socket.c:1599 [inline] __sys_socket_create net/socket.c:1636 [inline] __sys_socket+0x14d/0x260 net/socket.c:1683 __do_sys_socket net/socket.c:1697 [inline] __se_sys_socket net/socket.c:1695 [inline] __x64_sys_socket+0x72/0xb0 net/socket.c:1695 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 13083: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2380 [inline] slab_free mm/slub.c:4642 [inline] kfree+0x2b6/0x4d0 mm/slub.c:4841 sk_prot_free net/core/sock.c:2237 [inline] __sk_destruct+0x740/0x980 net/core/sock.c:2332 sk_destruct+0xc2/0xf0 net/core/sock.c:2360 __sk_free+0xf4/0x3e0 net/core/sock.c:2371 sk_free+0x6a/0x90 net/core/sock.c:2382 sock_put include/net/sock.h:1944 [inline] l2cap_sock_kill net/bluetooth/l2cap_sock.c:1265 [inline] l2cap_sock_kill+0x171/0x2d0 net/bluetooth/l2cap_sock.c:1250 l2cap_sock_release+0x189/0x210 net/bluetooth/l2cap_sock.c:1435 __sock_release+0xb3/0x270 net/socket.c:647 sock_close+0x1c/0x30 net/socket.c:1391 __fput+0x402/0xb70 fs/file_table.c:465 task_work_run+0x150/0x240 kernel/task_work.c:227 get_signal+0x1d1/0x26d0 kernel/signal.c:2807 arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218 do_syscall_64+0xda/0x260 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88807d682000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1368 bytes inside of freed 2048-byte region [ffff88807d682000, ffff88807d682800) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88807d682000 pfn:0x7d680 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000240(workingset|head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000240 ffff88801b442000 ffffea0001644610 ffffea0001546010 raw: ffff88807d682000 0000000000080002 00000000f5000000 0000000000000000 head: 00fff00000000240 ffff88801b442000 ffffea0001644610 ffffea0001546010 head: ffff88807d682000 0000000000080002 00000000f5000000 0000000000000000 head: 00fff00000000003 ffffea0001f5a001 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3503, tgid 3503 (kworker/u8:10), ts 124288038087, free_ts 124217847342 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1714 prep_new_page mm/page_alloc.c:1722 [inline] get_page_from_freelist+0x135c/0x3920 mm/page_alloc.c:3684 __alloc_frozen_pages_noprof+0x263/0x23a0 mm/page_alloc.c:4966 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2301 alloc_slab_page mm/slub.c:2450 [inline] allocate_slab mm/slub.c:2618 [inline] new_slab+0x244/0x340 mm/slub.c:2672 ___slab_alloc+0xd9c/0x1940 mm/slub.c:3858 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3948 __slab_alloc_node mm/slub.c:4023 [inline] slab_alloc_node mm/slub.c:4184 [inline] __do_kmalloc_node mm/slub.c:4326 [inline] __kmalloc_node_track_caller_noprof+0x2ee/0x510 mm/slub.c:4346 kmalloc_reserve+0xef/0x2c0 net/core/skbuff.c:599 __alloc_skb+0x166/0x380 net/core/skbuff.c:668 alloc_skb include/linux/skbuff.h:1340 [inline] mld_newpack.isra.0+0x18e/0xa20 net/ipv6/mcast.c:1788 add_grhead+0x299/0x340 net/ipv6/mcast.c:1899 add_grec+0x112a/0x1680 net/ipv6/mcast.c:2037 mld_send_initial_cr.part.0+0xe2/0x260 net/ipv6/mcast.c:2282 mld_send_initial_cr include/linux/refcount.h:291 [inline] ipv6_mc_dad_complete+0x22c/0x2b0 net/ipv6/mcast.c:2293 addrconf_dad_completed+0xd8a/0x10d0 net/ipv6/addrconf.c:4344 page last free pid 5856 tgid 5856 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1258 [inline] __free_frozen_pages+0x69d/0xff0 mm/page_alloc.c:2721 discard_slab mm/slub.c:2716 [inline] __put_partials+0x16d/0x1c0 mm/slub.c:3185 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4147 [inline] slab_alloc_node mm/slub.c:4196 [inline] __do_kmalloc_node mm/slub.c:4326 [inline] __kmalloc_noprof+0x1d4/0x510 mm/slub.c:4339 kmalloc_noprof include/linux/slab.h:909 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] tomoyo_encode2+0x100/0x3e0 security/tomoyo/realpath.c:45 tomoyo_encode+0x29/0x50 security/tomoyo/realpath.c:80 tomoyo_realpath_from_path+0x18f/0x6e0 security/tomoyo/realpath.c:283 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x274/0x460 security/tomoyo/file.c:822 tomoyo_path_rmdir+0x91/0xe0 security/tomoyo/tomoyo.c:195 security_path_rmdir+0x145/0x2b0 security/security.c:1949 do_rmdir+0x27b/0x3c0 fs/namei.c:4506 __do_sys_rmdir fs/namei.c:4528 [inline] __se_sys_rmdir fs/namei.c:4526 [inline] __x64_sys_rmdir+0xc5/0x110 fs/namei.c:4526 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff88807d682400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807d682480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88807d682500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88807d682580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807d682600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x1e1/0x200 lib/list_debug.c:65 Read of size 8 at addr ffff88807d682560 by task syz.4.1097/13438 CPU: 1 UID: 0 PID: 13438 Comm: syz.4.1097 Tainted: G B 6.15.0-rc7-syzkaller-00002-gb36ddb9210e6 #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 __list_del_entry_valid_or_report+0x1e1/0x200 lib/list_debug.c:65 __list_del_entry_valid include/linux/list.h:124 [inline] __list_del_entry include/linux/list.h:215 [inline] list_del_init include/linux/list.h:287 [inline] bt_accept_unlink+0x34/0x2e0 net/bluetooth/af_bluetooth.c:256 l2cap_sock_teardown_cb+0x1a3/0x3c0 net/bluetooth/l2cap_sock.c:1613 l2cap_chan_del+0xbd/0x8f0 net/bluetooth/l2cap_core.c:655 l2cap_conn_del+0x37a/0x730 net/bluetooth/l2cap_core.c:1786 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:7300 [inline] l2cap_disconn_cfm+0x96/0xd0 net/bluetooth/l2cap_core.c:7293 hci_disconn_cfm include/net/bluetooth/hci_core.h:2068 [inline] hci_conn_hash_flush+0x10e/0x260 net/bluetooth/hci_conn.c:2534 hci_dev_close_sync+0x602/0x11d0 net/bluetooth/hci_sync.c:5225 hci_dev_do_close+0x2e/0x90 net/bluetooth/hci_core.c:483 hci_unregister_dev+0x213/0x620 net/bluetooth/hci_core.c:2678 vhci_release+0x79/0xf0 drivers/bluetooth/hci_vhci.c:665 __fput+0x402/0xb70 fs/file_table.c:465 task_work_run+0x150/0x240 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0xafb/0x2c30 kernel/exit.c:953 do_group_exit+0xd3/0x2a0 kernel/exit.c:1102 get_signal+0x2673/0x26d0 kernel/signal.c:3034 arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218 do_syscall_64+0xda/0x260 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f8fb21907fc Code: Unable to access opcode bytes at 0x7f8fb21907d2. RSP: 002b:00007f8fb305bec0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c RAX: 0000000000000020 RBX: 00007f8fb305bfc0 RCX: 00007f8fb21907fc RDX: 0000000000000020 RSI: 00007f8fb305c010 RDI: 0000000000000007 RBP: 0000000000000000 R08: 00007f8fb305bf14 R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000007 R13: 00007f8fb305bf68 R14: 00007f8fb305c010 R15: 0000000000000000 </TASK> Allocated by task 13083: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4327 [inline] __kmalloc_noprof+0x223/0x510 mm/slub.c:4339 kmalloc_noprof include/linux/slab.h:909 [inline] sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2198 sk_alloc+0x36/0xc20 net/core/sock.c:2254 bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:148 l2cap_sock_alloc.constprop.0+0x33/0x1d0 net/bluetooth/l2cap_sock.c:1891 l2cap_sock_create+0x123/0x1f0 net/bluetooth/l2cap_sock.c:1933 bt_sock_create+0x185/0x350 net/bluetooth/af_bluetooth.c:132 __sock_create+0x338/0x8d0 net/socket.c:1541 sock_create net/socket.c:1599 [inline] __sys_socket_create net/socket.c:1636 [inline] __sys_socket+0x14d/0x260 net/socket.c:1683 __do_sys_socket net/socket.c:1697 [inline] __se_sys_socket net/socket.c:1695 [inline] __x64_sys_socket+0x72/0xb0 net/socket.c:1695 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 13083: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2380 [inline] slab_free mm/slub.c:4642 [inline] kfree+0x2b6/0x4d0 mm/slub.c:4841 sk_prot_free net/core/sock.c:2237 [inline] __sk_destruct+0x740/0x980 net/core/sock.c:2332 sk_destruct+0xc2/0xf0 net/core/sock.c:2360 __sk_free+0xf4/0x3e0 net/core/sock.c:2371 sk_free+0x6a/0x90 net/core/sock.c:2382 sock_put include/net/sock.h:1944 [inline] l2cap_sock_kill net/bluetooth/l2cap_sock.c:1265 [inline] l2cap_sock_kill+0x171/0x2d0 net/bluetooth/l2cap_sock.c:1250 l2cap_sock_release+0x189/0x210 net/bluetooth/l2cap_sock.c:1435 __sock_release+0xb3/0x270 net/socket.c:647 sock_close+0x1c/0x30 net/socket.c:1391 __fput+0x402/0xb70 fs/file_table.c:465 task_work_run+0x150/0x240 kernel/task_work.c:227 get_signal+0x1d1/0x26d0 kernel/signal.c:2807 arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218 do_syscall_64+0xda/0x260 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88807d682000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1376 bytes inside of freed 2048-byte region [ffff88807d682000, ffff88807d682800) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88807d682000 pfn:0x7d680 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000240(workingset|head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000240 ffff88801b442000 ffffea0001644610 ffffea0001546010 raw: ffff88807d682000 0000000000080002 00000000f5000000 0000000000000000 head: 00fff00000000240 ffff88801b442000 ffffea0001644610 ffffea0001546010 head: ffff88807d682000 0000000000080002 00000000f5000000 0000000000000000 head: 00fff00000000003 ffffea0001f5a001 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3503, tgid 3503 (kworker/u8:10), ts 124288038087, free_ts 124217847342 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1714 prep_new_page mm/page_alloc.c:1722 [inline] get_page_from_freelist+0x135c/0x3920 mm/page_alloc.c:3684 __alloc_frozen_pages_noprof+0x263/0x23a0 mm/page_alloc.c:4966 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2301 alloc_slab_page mm/slub.c:2450 [inline] allocate_slab mm/slub.c:2618 [inline] new_slab+0x244/0x340 mm/slub.c:2672 ___slab_alloc+0xd9c/0x1940 mm/slub.c:3858 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3948 __slab_alloc_node mm/slub.c:4023 [inline] slab_alloc_node mm/slub.c:4184 [inline] __do_kmalloc_node mm/slub.c:4326 [inline] __kmalloc_node_track_caller_noprof+0x2ee/0x510 mm/slub.c:4346 kmalloc_reserve+0xef/0x2c0 net/core/skbuff.c:599 __alloc_skb+0x166/0x380 net/core/skbuff.c:668 alloc_skb include/linux/skbuff.h:1340 [inline] mld_newpack.isra.0+0x18e/0xa20 net/ipv6/mcast.c:1788 add_grhead+0x299/0x340 net/ipv6/mcast.c:1899 add_grec+0x112a/0x1680 net/ipv6/mcast.c:2037 mld_send_initial_cr.part.0+0xe2/0x260 net/ipv6/mcast.c:2282 mld_send_initial_cr include/linux/refcount.h:291 [inline] ipv6_mc_dad_complete+0x22c/0x2b0 net/ipv6/mcast.c:2293 addrconf_dad_completed+0xd8a/0x10d0 net/ipv6/addrconf.c:4344 page last free pid 5856 tgid 5856 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1258 [inline] __free_frozen_pages+0x69d/0xff0 mm/page_alloc.c:2721 discard_slab mm/slub.c:2716 [inline] __put_partials+0x16d/0x1c0 mm/slub.c:3185 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4147 [inline] slab_alloc_node mm/slub.c:4196 [inline] __do_kmalloc_node mm/slub.c:4326 [inline] __kmalloc_noprof+0x1d4/0x510 mm/slub.c:4339 kmalloc_noprof include/linux/slab.h:909 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] tomoyo_encode2+0x100/0x3e0 security/tomoyo/realpath.c:45 tomoyo_encode+0x29/0x50 security/tomoyo/realpath.c:80 tomoyo_realpath_from_path+0x18f/0x6e0 security/tomoyo/realpath.c:283 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x274/0x460 security/tomoyo/file.c:822 tomoyo_path_rmdir+0x91/0xe0 security/tomoyo/tomoyo.c:195 security_path_rmdir+0x145/0x2b0 security/security.c:1949 do_rmdir+0x27b/0x3c0 fs/namei.c:4506 __do_sys_rmdir fs/namei.c:4528 [inline] __se_sys_rmdir fs/namei.c:4526 [inline] __x64_sys_rmdir+0xc5/0x110 fs/namei.c:4526 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff88807d682400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807d682480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88807d682500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88807d682580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807d682600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in __list_del include/linux/list.h:195 [inline] BUG: KASAN: slab-use-after-free in __list_del_entry include/linux/list.h:218 [inline] BUG: KASAN: slab-use-after-free in list_del_init include/linux/list.h:287 [inline] BUG: KASAN: slab-use-after-free in bt_accept_unlink+0x2c5/0x2e0 net/bluetooth/af_bluetooth.c:256 Write of size 8 at addr ffff88807d682560 by task syz.4.1097/13438 CPU: 0 UID: 0 PID: 13438 Comm: syz.4.1097 Tainted: G B 6.15.0-rc7-syzkaller-00002-gb36ddb9210e6 #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 __list_del include/linux/list.h:195 [inline] __list_del_entry include/linux/list.h:218 [inline] list_del_init include/linux/list.h:287 [inline] bt_accept_unlink+0x2c5/0x2e0 net/bluetooth/af_bluetooth.c:256 l2cap_sock_teardown_cb+0x1a3/0x3c0 net/bluetooth/l2cap_sock.c:1613 l2cap_chan_del+0xbd/0x8f0 net/bluetooth/l2cap_core.c:655 l2cap_conn_del+0x37a/0x730 net/bluetooth/l2cap_core.c:1786 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:7300 [inline] l2cap_disconn_cfm+0x96/0xd0 net/bluetooth/l2cap_core.c:7293 hci_disconn_cfm include/net/bluetooth/hci_core.h:2068 [inline] hci_conn_hash_flush+0x10e/0x260 net/bluetooth/hci_conn.c:2534 hci_dev_close_sync+0x602/0x11d0 net/bluetooth/hci_sync.c:5225 hci_dev_do_close+0x2e/0x90 net/bluetooth/hci_core.c:483 hci_unregister_dev+0x213/0x620 net/bluetooth/hci_core.c:2678 vhci_release+0x79/0xf0 drivers/bluetooth/hci_vhci.c:665 __fput+0x402/0xb70 fs/file_table.c:465 task_work_run+0x150/0x240 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0xafb/0x2c30 kernel/exit.c:953 do_group_exit+0xd3/0x2a0 kernel/exit.c:1102 get_signal+0x2673/0x26d0 kernel/signal.c:3034 arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218 do_syscall_64+0xda/0x260 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f8fb21907fc Code: Unable to access opcode bytes at 0x7f8fb21907d2. RSP: 002b:00007f8fb305bec0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c RAX: 0000000000000020 RBX: 00007f8fb305bfc0 RCX: 00007f8fb21907fc RDX: 0000000000000020 RSI: 00007f8fb305c010 RDI: 0000000000000007 RBP: 0000000000000000 R08: 00007f8fb305bf14 R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000007 R13: 00007f8fb305bf68 R14: 00007f8fb305c010 R15: 0000000000000000 </TASK> Allocated by task 13083: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4327 [inline] __kmalloc_noprof+0x223/0x510 mm/slub.c:4339 kmalloc_noprof include/linux/slab.h:909 [inline] sk_prot_alloc+0x1a8/0x2a0 net/core/sock.c:2198 sk_alloc+0x36/0xc20 net/core/sock.c:2254 bt_sock_alloc+0x3b/0x3a0 net/bluetooth/af_bluetooth.c:148 l2cap_sock_alloc.constprop.0+0x33/0x1d0 net/bluetooth/l2cap_sock.c:1891 l2cap_sock_create+0x123/0x1f0 net/bluetooth/l2cap_sock.c:1933 bt_sock_create+0x185/0x350 net/bluetooth/af_bluetooth.c:132 __sock_create+0x338/0x8d0 net/socket.c:1541 sock_create net/socket.c:1599 [inline] __sys_socket_create net/socket.c:1636 [inline] __sys_socket+0x14d/0x260 net/socket.c:1683 __do_sys_socket net/socket.c:1697 [inline] __se_sys_socket net/socket.c:1695 [inline] __x64_sys_socket+0x72/0xb0 net/socket.c:1695 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 13083: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2380 [inline] slab_free mm/slub.c:4642 [inline] kfree+0x2b6/0x4d0 mm/slub.c:4841 sk_prot_free net/core/sock.c:2237 [inline] __sk_destruct+0x740/0x980 net/core/sock.c:2332 sk_destruct+0xc2/0xf0 net/core/sock.c:2360 __sk_free+0xf4/0x3e0 net/core/sock.c:2371 sk_free+0x6a/0x90 net/core/sock.c:2382 sock_put include/net/sock.h:1944 [inline] l2cap_sock_kill net/bluetooth/l2cap_sock.c:1265 [inline] l2cap_sock_kill+0x171/0x2d0 net/bluetooth/l2cap_sock.c:1250 l2cap_sock_release+0x189/0x210 net/bluetooth/l2cap_sock.c:1435 __sock_release+0xb3/0x270 net/socket.c:647 sock_close+0x1c/0x30 net/socket.c:1391 __fput+0x402/0xb70 fs/file_table.c:465 task_work_run+0x150/0x240 kernel/task_work.c:227 get_signal+0x1d1/0x26d0 kernel/signal.c:2807 arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218 do_syscall_64+0xda/0x260 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88807d682000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1376 bytes inside of freed 2048-byte region [ffff88807d682000, ffff88807d682800) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88807d682000 pfn:0x7d680 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000240(workingset|head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000240 ffff88801b442000 ffffea0001644610 ffffea0001546010 raw: ffff88807d682000 0000000000080002 00000000f5000000 0000000000000000 head: 00fff00000000240 ffff88801b442000 ffffea0001644610 ffffea0001546010 head: ffff88807d682000 0000000000080002 00000000f5000000 0000000000000000 head: 00fff00000000003 ffffea0001f5a001 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3503, tgid 3503 (kworker/u8:10), ts 124288038087, free_ts 124217847342 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1714 prep_new_page mm/page_alloc.c:1722 [inline] get_page_from_freelist+0x135c/0x3920 mm/page_alloc.c:3684 __alloc_frozen_pages_noprof+0x263/0x23a0 mm/page_alloc.c:4966 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2301 alloc_slab_page mm/slub.c:2450 [inline] allocate_slab mm/slub.c:2618 [inline] new_slab+0x244/0x340 mm/slub.c:2672 ___slab_alloc+0xd9c/0x1940 mm/slub.c:3858 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3948 __slab_alloc_node mm/slub.c:4023 [inline] slab_alloc_node mm/slub.c:4184 [inline] __do_kmalloc_node mm/slub.c:4326 [inline] __kmalloc_node_track_caller_noprof+0x2ee/0x510 mm/slub.c:4346 kmalloc_reserve+0xef/0x2c0 net/core/skbuff.c:599 __alloc_skb+0x166/0x380 net/core/skbuff.c:668 alloc_skb include/linux/skbuff.h:1340 [inline] mld_newpack.isra.0+0x18e/0xa20 net/ipv6/mcast.c:1788 add_grhead+0x299/0x340 net/ipv6/mcast.c:1899 add_grec+0x112a/0x1680 net/ipv6/mcast.c:2037 mld_send_initial_cr.part.0+0xe2/0x260 net/ipv6/mcast.c:2282 mld_send_initial_cr include/linux/refcount.h:291 [inline] ipv6_mc_dad_complete+0x22c/0x2b0 net/ipv6/mcast.c:2293 addrconf_dad_completed+0xd8a/0x10d0 net/ipv6/addrconf.c:4344 page last free pid 5856 tgid 5856 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1258 [inline] __free_frozen_pages+0x69d/0xff0 mm/page_alloc.c:2721 discard_slab mm/slub.c:2716 [inline] __put_partials+0x16d/0x1c0 mm/slub.c:3185 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4147 [inline] slab_alloc_node mm/slub.c:4196 [inline] __do_kmalloc_node mm/slub.c:4326 [inline] __kmalloc_noprof+0x1d4/0x510 mm/slub.c:4339 kmalloc_noprof include/linux/slab.h:909 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] tomoyo_encode2+0x100/0x3e0 security/tomoyo/realpath.c:45 tomoyo_encode+0x29/0x50 security/tomoyo/realpath.c:80 tomoyo_realpath_from_path+0x18f/0x6e0 security/tomoyo/realpath.c:283 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x274/0x460 security/tomoyo/file.c:822 tomoyo_path_rmdir+0x91/0xe0 security/tomoyo/tomoyo.c:195 security_path_rmdir+0x145/0x2b0 security/security.c:1949 do_rmdir+0x27b/0x3c0 fs/namei.c:4506 __do_sys_rmdir fs/namei.c:4528 [inline] __se_sys_rmdir fs/namei.c:4526 [inline] __x64_sys_rmdir+0xc5/0x110 fs/namei.c:4526 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff88807d682400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807d682480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88807d682500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88807d682580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88807d682600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2025/05/20 23:45 | upstream | b36ddb9210e6 | 8f9cf946 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-badwrites-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/05/20 00:04 | upstream | a5806cd506af | 8f9cf946 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-badwrites-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/05/19 01:22 | upstream | a5806cd506af | f41472b0 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/05/19 00:37 | upstream | a5806cd506af | f41472b0 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/05/18 21:32 | upstream | 5723cc3450bc | f41472b0 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/05/17 15:38 | upstream | 172a9d94339c | f41472b0 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/05/16 05:41 | upstream | fee3e843b309 | cfde8269 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/05/16 02:36 | upstream | fee3e843b309 | cfde8269 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/04/23 11:14 | upstream | bc3372351d0c | 53a8b9bd | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/04/13 13:18 | upstream | 7cdabafc0012 | 0bd6db41 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/04/08 18:07 | upstream | 0af2f6be1b42 | a775275d | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/02/17 17:43 | upstream | 0ad2507d5d93 | 9be4ace3 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/02/08 00:03 | upstream | 7ee983c850b4 | a4f327c2 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/01/16 05:15 | upstream | 619f0b6fad52 | 968edaf4 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/04/03 08:36 | upstream | a1b5bd45d4ee | 996a9618 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/03/01 04:22 | upstream | 276f98efb64a | 67cf5345 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/01/16 22:26 | upstream | ce69b4019001 | f9e07a6e | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2024/10/27 14:44 | upstream | 850925a8133c | 65e8686b | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2024/10/10 10:49 | upstream | d3d1556696c1 | a156c552 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2024/10/01 18:11 | upstream | e32cde8d2bd7 | e9f6e118 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/02/15 02:47 | upstream | 04f41cbf03ec | 40a34ec9 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/02/11 19:48 | upstream | febbc555cf0f | f2baddf5 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/01/28 17:15 | upstream | 805ba04cb7cc | ac37c1f8 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/02/15 19:38 | linux-next | 0ae0fa3bf0b4 | 40a34ec9 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/02/11 22:13 | linux-next | df5d6180169a | f2baddf5 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2024/12/07 21:44 | linux-next | af2ea8ab7a54 | 9ac0fdc6 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2024/11/22 18:55 | linux-next | cfba9f07a1d6 | 68da6d95 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/04/09 05:51 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 0af2f6be1b42 | b133e63a | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2024/11/21 22:47 | git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci | 7b1d1d4cfac0 | 4b25d554 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-gce-arm64 | KASAN: slab-use-after-free Read in bt_accept_unlink | ||
| 2025/05/19 03:37 | upstream | a5806cd506af | f41472b0 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-badwrites-root | KASAN: slab-out-of-bounds Read in bt_accept_unlink | ||
| 2025/05/18 00:44 | upstream | 5723cc3450bc | f41472b0 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: use-after-free Read in bt_accept_unlink | ||
| 2025/05/16 02:35 | upstream | fee3e843b309 | cfde8269 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | BUG: corrupted list in bt_accept_unlink | ||
| 2025/05/15 18:55 | upstream | 546bce579204 | d6b2ee52 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-smack-root | KASAN: slab-out-of-bounds Read in bt_accept_unlink | ||
| 2025/04/08 20:25 | upstream | 0af2f6be1b42 | a775275d | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | BUG: corrupted list in bt_accept_unlink | ||
| 2024/11/14 00:56 | upstream | f1b785f4c787 | a8c99394 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci-upstream-kasan-gce-selinux-root | KASAN: slab-out-of-bounds Read in bt_accept_unlink | ||
| 2025/04/07 11:24 | upstream | 0af2f6be1b42 | 2f0c9720 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream | KASAN: slab-out-of-bounds Read in bt_accept_unlink | ||
| 2025/04/07 05:28 | upstream | 16cd1c265776 | 1c65791e | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | KASAN: slab-out-of-bounds Read in bt_accept_unlink | ||
| 2025/02/05 02:52 | upstream | d009de7d5428 | 44c01590 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | KASAN: slab-out-of-bounds Read in bt_accept_unlink | ||
| 2025/01/21 14:39 | upstream | 3d3a9c8b89d4 | 6e87cfa2 | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | KASAN: slab-out-of-bounds Read in bt_accept_unlink | ||
| 2024/12/21 04:48 | upstream | e9b8ffafd20a | d7f584ee | .config | console log | report | info | [disk image (non-bootable)] [vmlinux] [kernel image] | ci-qemu-upstream-386 | BUG: corrupted list in bt_accept_unlink |