syzbot

general protection fault in l2cap_conn_del (2)

Status: moderation: reported on 2026/03/27 12:22
Subsystems: bluetooth
Reported-by: syzbot+ba95575894f00ef7ff71@syzkaller.appspotmail.com
First crash: 10d, last: 10d
Similar bugs (3)

| Kernel | Title | Subsystems | Rank | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|
| upstream | general protection fault in l2cap_conn_del | bluetooth | 2 | | | | 2 | 462d | 477d | 0/29 | auto-obsoleted due to no activity on 2025/04/06 10:01 |
| upstream | KASAN: use-after-free Read in l2cap_conn_del | bluetooth | 19 | C | error | | 12 | 1254d | 1284d | 0/29 | auto-obsoleted due to no activity on 2023/04/21 10:14 |
| upstream | BUG: unable to handle kernel paging request in l2cap_conn_del | bluetooth | 8 | | | | 1 | 198d | 194d | 0/29 | auto-obsoleted due to no activity on 2025/12/25 16:00 |

Sample crash report:
Oops: general protection fault, probably for non-canonical address 0xfbd59c0000000020: 0000 [#1] SMP KASAN PTI
KASAN: maybe wild-memory-access in range [0xdead000000000100-0xdead000000000107]
CPU: 1 UID: 0 PID: 10553 Comm: syz-executor Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:l2cap_conn_del+0x2cc/0x5c0 net/bluetooth/l2cap_core.c:1797
Code: 00 4c 89 e0 48 c1 e8 03 80 3c 18 00 74 08 4c 89 e7 e8 48 77 7f f7 4d 8b 2c 24 4d 39 e5 0f 84 f8 00 00 00 4c 89 e8 48 c1 e8 03 <80> 3c 18 00 74 08 4c 89 ef e8 26 77 7f f7 49 8b 6d 00 4d 8d bd 80
RSP: 0018:ffffc90005edf9f0 EFLAGS: 00010a02
RAX: 1bd5a00000000020 RBX: dffffc0000000000 RCX: ffff8880316f5b80
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000001
RBP: dead000000000100 R08: ffff88802c3af00b R09: 1ffff11005875e01
R10: dffffc0000000000 R11: ffffed1005875e02 R12: ffff888078b52288
R13: dead000000000100 R14: ffff88802c3af4b0 R15: ffff88802c3af000
FS:  0000000000000000(0000) GS:ffff888125548000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0216c19000 CR3: 000000005ac48000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 hci_disconn_cfm include/net/bluetooth/hci_core.h:2154 [inline]
 hci_conn_hash_flush+0x10d/0x260 net/bluetooth/hci_conn.c:2644
 hci_dev_close_sync+0x821/0x10e0 net/bluetooth/hci_sync.c:5358
 hci_dev_do_close net/bluetooth/hci_core.c:502 [inline]
 hci_unregister_dev+0x21a/0x5a0 net/bluetooth/hci_core.c:2716
 vhci_release+0x152/0x1a0 drivers/bluetooth/hci_vhci.c:690
 __fput+0x451/0x8c0 fs/file_table.c:500
 task_work_run+0x1d9/0x270 kernel/task_work.c:233
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x926/0x2490 kernel/exit.c:974
 do_group_exit+0x21b/0x2d0 kernel/exit.c:1116
 __do_sys_exit_group kernel/exit.c:1127 [inline]
 __se_sys_exit_group kernel/exit.c:1125 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1125
 x64_sys_call+0x221a/0x2240 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1f0a59c799
Code: Unable to access opcode bytes at 0x7f1f0a59c76f.
RSP: 002b:00007fff5c951ea8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f1f0a632075 RCX: 00007f1f0a59c799
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000005 R08: 0000000000000000 R09: 00007f1f0a632050
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff5c953160
R13: 00007f1f0a632050 R14: 00000000000a8875 R15: 00007fff5c955320
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:l2cap_conn_del+0x2cc/0x5c0 net/bluetooth/l2cap_core.c:1797
Code: 00 4c 89 e0 48 c1 e8 03 80 3c 18 00 74 08 4c 89 e7 e8 48 77 7f f7 4d 8b 2c 24 4d 39 e5 0f 84 f8 00 00 00 4c 89 e8 48 c1 e8 03 <80> 3c 18 00 74 08 4c 89 ef e8 26 77 7f f7 49 8b 6d 00 4d 8d bd 80
RSP: 0018:ffffc90005edf9f0 EFLAGS: 00010a02
RAX: 1bd5a00000000020 RBX: dffffc0000000000 RCX: ffff8880316f5b80
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000001
RBP: dead000000000100 R08: ffff88802c3af00b R09: 1ffff11005875e01
R10: dffffc0000000000 R11: ffffed1005875e02 R12: ffff888078b52288
R13: dead000000000100 R14: ffff88802c3af4b0 R15: ffff88802c3af000
FS:  0000000000000000(0000) GS:ffff888125448000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f00e95d7e9c CR3: 000000006a556000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	00 4c 89 e0          	add    %cl,-0x20(%rcx,%rcx,4)
   4:	48 c1 e8 03          	shr    $0x3,%rax
   8:	80 3c 18 00          	cmpb   $0x0,(%rax,%rbx,1)
   c:	74 08                	je     0x16
   e:	4c 89 e7             	mov    %r12,%rdi
  11:	e8 48 77 7f f7       	call   0xf77f775e
  16:	4d 8b 2c 24          	mov    (%r12),%r13
  1a:	4d 39 e5             	cmp    %r12,%r13
  1d:	0f 84 f8 00 00 00    	je     0x11b
  23:	4c 89 e8             	mov    %r13,%rax
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	80 3c 18 00          	cmpb   $0x0,(%rax,%rbx,1) <-- trapping instruction
  2e:	74 08                	je     0x38
  30:	4c 89 ef             	mov    %r13,%rdi
  33:	e8 26 77 7f f7       	call   0xf77f775e
  38:	49 8b 6d 00          	mov    0x0(%r13),%rbp
  3c:	4d                   	rex.WRB
  3d:	8d                   	.byte 0x8d
  3e:	bd                   	.byte 0xbd
  3f:	80                   	.byte 0x80

Crashes (1):

| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2026/03/23 12:12 | linux-next | 785f0eb2f85d | 5e3db351 | .config | console log | report | | | info | disk image, vmlinux, kernel image | ci-upstream-linux-next-kasan-gce-root | general protection fault in l2cap_conn_del |