list_add corruption. prev->next should be next (85e02600), but was 836c2400. (prev=827d6f4c). ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:30! Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM Modules linked in: CPU: 0 PID: 30180 Comm: syz-executor.0 Not tainted 6.4.0-rc4-syzkaller #0 Hardware name: ARM-Versatile Express PC is at __list_add_valid+0x8c/0xb4 lib/list_debug.c:30 LR is at __wake_up_klogd.part.0+0x7c/0xac kernel/printk/printk.c:3798 pc : [<807d4f88>] lr : [<802b2a40>] psr: 60000013 sp : eb0b5c58 ip : eb0b5b98 fp : eb0b5c64 r10: 81b4b9d4 r9 : 84209650 r8 : 85e02600 r7 : 827d6f4c r6 : 827d6f48 r5 : 00000000 r4 : 85c41e00 r3 : 00000000 r2 : 00000000 r1 : 81f9d7bc r0 : 0000005d Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 30c5387d Table: 85dc63c0 DAC: fffffffd Register r0 information: non-paged memory Register r1 information: non-slab/vmalloc memory Register r2 information: NULL pointer Register r3 information: NULL pointer Register r4 information: slab kmalloc-512 start 85c41e00 pointer offset 0 size 512 Register r5 information: NULL pointer Register r6 information: non-slab/vmalloc memory Register r7 information: non-slab/vmalloc memory Register r8 information: slab kmalloc-512 start 85e02600 pointer offset 0 size 512 Register r9 information: slab shmem_inode_cache start 84209600 pointer offset 80 size 504 Register r10 information: non-slab/vmalloc memory Register r11 information: 2-page vmalloc region starting at 0xeb0b4000 allocated at kernel_clone+0x9c/0x3dc kernel/fork.c:2915 Register r12 information: 2-page vmalloc region starting at 0xeb0b4000 allocated at kernel_clone+0x9c/0x3dc kernel/fork.c:2915 Process syz-executor.0 (pid: 30180, stack limit = 0xeb0b4000) Stack: (0xeb0b5c58 to 0xeb0b6000) 5c40: eb0b5c94 eb0b5c68 5c60: 8175f4c8 807d4f08 00000000 85cbc000 00000000 85cbc000 00000000 85cbc018 5c80: 8274dc94 8274dc80 eb0b5cbc eb0b5c98 81756c2c 8175f30c 84f34000 00000000 5ca0: 00000077 84f34000 00000000 00000077 eb0b5d04 eb0b5cc0 81763578 81756bd4 5cc0: 00000000 81b4b988 000000de 3263666e 69636e5f 5f78745f 00007177 81768754 5ce0: 85dc6c80 86b703c0 00000077 d5a0ebb2 85dc6c80 86b703c0 eb0b5d1c eb0b5d08 5d00: 80a6910c 81763358 827554bc 86b703c0 eb0b5d4c eb0b5d20 809689b4 80a69080 5d20: 80968880 832bdd40 84209650 81b284c4 804d3a7c 86b703c0 eb0b5e48 86b703c0 5d40: eb0b5d84 eb0b5d50 804d3b4c 8096888c 806e4ce0 d5a0ebb2 00000000 86b703c0 5d60: 84209650 00000000 804d3a7c 86b703c8 eb0b5e48 86b703c0 eb0b5dac eb0b5d88 5d80: 804c956c 804d3a88 00000002 00000000 eb0b5f20 00000000 00000000 eb0b5e48 5da0: eb0b5dbc eb0b5db0 804cb418 804c9420 eb0b5e44 eb0b5dc0 804e0164 804cb3f0 5dc0: eb0b5e34 eb0b5dd0 817fa5d4 80277f20 00000002 ffffd000 81fb8508 fffff000 5de0: 00000000 00000041 8446e530 8260c960 00000009 8446de00 81a02a74 00000000 5e00: 00000000 82714268 ddde5640 8446de00 8309b9c0 d5a0ebb2 eb0b5e44 eb0b5f58 5e20: eb0b5f20 8446de00 00000001 eb0b5e48 8446de00 00000142 eb0b5f0c eb0b5e48 5e40: 804e2018 804dfc4c 844de790 83d35908 69ae3a65 0000000b 835a3015 80277e50 5e60: 00000000 83e0db28 84209650 00000101 00000000 00000000 00000000 00002c24 5e80: 0000321e 00000000 00000000 00000000 eb0b5e94 8340ad40 8340ad00 d5a0ebb2 5ea0: 00000003 8340ad00 eb0b5ec4 eb0b5eb8 81803548 80276a30 eb0b5efc eb0b5ec8 5ec0: 804f24b8 835a3000 00000000 00000002 ffffff9c 00000000 835a41ed 00000000 5ee0: ffffff9c d5a0ebb2 8446de00 eb0b5f58 835a3000 00000003 ffffff9c 80200288 5f00: eb0b5f54 eb0b5f10 804cb6f8 804e1fa0 8446de00 000000f0 eb0b5f4c eb0b5f28 5f20: 00000002 80300000 00000006 00000100 00000001 d5a0ebb2 ffffff9c 20000080 5f40: 0014c2bc 00000142 eb0b5fa4 eb0b5f58 804cbba8 804cb65c 00000002 00000000 5f60: 00000000 00000000 00000000 00000000 00000002 00000000 00000000 00000000 5f80: 00000000 00000000 eb0b5fac d5a0ebb2 00000000 00000000 00000000 eb0b5fa8 5fa0: 80200060 804cbb10 00000000 00000000 ffffff9c 20000080 00000002 00000000 5fc0: 00000000 00000000 0014c2bc 00000142 7e9ef3c2 76b3f6d0 7e9ef534 76b3f20c 5fe0: 76b3f020 76b3f010 00017004 0004dfb0 60000010 ffffff9c 00000000 00000000 Backtrace: [<807d4efc>] (__list_add_valid) from [<8175f4c8>] (__list_add include/linux/list.h:69 [inline]) [<807d4efc>] (__list_add_valid) from [<8175f4c8>] (list_add include/linux/list.h:88 [inline]) [<807d4efc>] (__list_add_valid) from [<8175f4c8>] (nfc_llcp_register_device+0x1c8/0x1f4 net/nfc/llcp_core.c:1604) [<8175f300>] (nfc_llcp_register_device) from [<81756c2c>] (nfc_register_device+0x64/0x170 net/nfc/core.c:1124) r8:8274dc80 r7:8274dc94 r6:85cbc018 r5:00000000 r4:85cbc000 [<81756bc8>] (nfc_register_device) from [<81763578>] (nci_register_device+0x22c/0x294 net/nfc/nci/core.c:1257) r6:00000077 r5:00000000 r4:84f34000 [<8176334c>] (nci_register_device) from [<80a6910c>] (virtual_ncidev_open+0x98/0xdc drivers/nfc/virtual_ncidev.c:148) r5:86b703c0 r4:85dc6c80 [<80a69074>] (virtual_ncidev_open) from [<809689b4>] (misc_open+0x134/0x168 drivers/char/misc.c:165) r5:86b703c0 r4:827554bc [<80968880>] (misc_open) from [<804d3b4c>] (chrdev_open+0xd0/0x244 fs/char_dev.c:414) r10:86b703c0 r9:eb0b5e48 r8:86b703c0 r7:804d3a7c r6:81b284c4 r5:84209650 r4:832bdd40 r3:80968880 [<804d3a7c>] (chrdev_open) from [<804c956c>] (do_dentry_open+0x158/0x48c fs/open.c:920) r10:86b703c0 r9:eb0b5e48 r8:86b703c8 r7:804d3a7c r6:00000000 r5:84209650 r4:86b703c0 [<804c9414>] (do_dentry_open) from [<804cb418>] (vfs_open+0x34/0x38 fs/open.c:1051) r9:eb0b5e48 r8:00000000 r7:00000000 r6:eb0b5f20 r5:00000000 r4:00000002 [<804cb3e4>] (vfs_open) from [<804e0164>] (do_open fs/namei.c:3636 [inline]) [<804cb3e4>] (vfs_open) from [<804e0164>] (path_openat+0x524/0x101c fs/namei.c:3791) [<804dfc40>] (path_openat) from [<804e2018>] (do_filp_open+0x84/0x124 fs/namei.c:3818) r10:00000142 r9:8446de00 r8:eb0b5e48 r7:00000001 r6:8446de00 r5:eb0b5f20 r4:eb0b5f58 [<804e1f94>] (do_filp_open) from [<804cb6f8>] (do_sys_openat2+0xa8/0x16c fs/open.c:1356) r8:80200288 r7:ffffff9c r6:00000003 r5:835a3000 r4:eb0b5f58 [<804cb650>] (do_sys_openat2) from [<804cbba8>] (do_sys_open fs/open.c:1372 [inline]) [<804cb650>] (do_sys_openat2) from [<804cbba8>] (__do_sys_openat fs/open.c:1388 [inline]) [<804cb650>] (do_sys_openat2) from [<804cbba8>] (sys_openat+0xa4/0xcc fs/open.c:1383) r7:00000142 r6:0014c2bc r5:20000080 r4:ffffff9c [<804cbb04>] (sys_openat) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:66) Exception stack(0xeb0b5fa8 to 0xeb0b5ff0) 5fa0: 00000000 00000000 ffffff9c 20000080 00000002 00000000 5fc0: 00000000 00000000 0014c2bc 00000142 7e9ef3c2 76b3f6d0 7e9ef534 76b3f20c 5fe0: 76b3f020 76b3f010 00017004 0004dfb0 r5:00000000 r4:00000000 Code: e34801fe e1a02001 e1a0100c eb401f4a (e7f001f2) ---[ end trace 0000000000000000 ]--- ---------------- Code disassembly (best guess): 0: e34801fe movt r0, #33278 ; 0x81fe 4: e1a02001 mov r2, r1 8: e1a0100c mov r1, ip c: eb401f4a bl 0x1007d3c * 10: e7f001f2 udf #18 <-- trapping instruction