non-slab/vmalloc memory list_del corruption. prev->next should be ffff888028a1e558, but was 0000000000000000. (prev=ffff88807cca6558) ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:62! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5846 Comm: syz-executor Not tainted 6.16.0-rc6-syzkaller-00037-ge2291551827f #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 RIP: 0010:__list_del_entry_valid_or_report+0x17a/0x200 lib/list_debug.c:62 Code: 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 8d 00 00 00 48 8b 55 00 48 89 e9 48 89 de 48 c7 c7 00 80 15 8c e8 47 a9 bb fc 90 <0f> 0b 4c 89 e7 e8 ac 2d 1f fd 48 89 ea 48 b8 00 00 00 00 00 fc ff RSP: 0018:ffffc900032977e8 EFLAGS: 00010282 RAX: 000000000000006d RBX: ffff888028a1e558 RCX: ffffffff819b0e09 RDX: 0000000000000000 RSI: ffffffff819b8c96 RDI: 0000000000000005 RBP: ffff88807cca6558 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000080000000 R11: 0000000000000001 R12: ffff88807cca6558 R13: ffff888028a1e560 R14: ffff88807cca6000 R15: ffff88807e08e010 FS: 0000000000000000(0000) GS:ffff88812471a000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000020000000b0cd CR3: 00000000599e1000 CR4: 0000000000350ef0 Call Trace: __list_del_entry_valid include/linux/list.h:124 [inline] __list_del_entry include/linux/list.h:215 [inline] list_del_init include/linux/list.h:287 [inline] bt_accept_unlink+0x34/0x2e0 net/bluetooth/af_bluetooth.c:259 l2cap_sock_teardown_cb+0x1a3/0x3c0 net/bluetooth/l2cap_sock.c:1613 l2cap_chan_del+0xbd/0x8f0 net/bluetooth/l2cap_core.c:655 l2cap_conn_del+0x37a/0x730 net/bluetooth/l2cap_core.c:1787 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:7309 [inline] l2cap_disconn_cfm+0x96/0xd0 net/bluetooth/l2cap_core.c:7302 hci_disconn_cfm include/net/bluetooth/hci_core.h:2070 [inline] hci_conn_hash_flush+0x10e/0x260 net/bluetooth/hci_conn.c:2560 hci_dev_close_sync+0x602/0x11d0 net/bluetooth/hci_sync.c:5294 hci_dev_do_close+0x2e/0x90 net/bluetooth/hci_core.c:501 hci_unregister_dev+0x227/0x640 net/bluetooth/hci_core.c:2717 vhci_release+0x79/0xf0 drivers/bluetooth/hci_vhci.c:665 __fput+0x402/0xb70 fs/file_table.c:465 task_work_run+0x150/0x240 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0x86c/0x2bd0 kernel/exit.c:964 do_group_exit+0xd3/0x2a0 kernel/exit.c:1105 get_signal+0x2673/0x26d0 kernel/signal.c:3034 arch_do_signal_or_restart+0x8f/0x7d0 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop+0x84/0x110 kernel/entry/common.c:111 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline] do_syscall_64+0x3f6/0x4c0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f485a784b97 Code: Unable to access opcode bytes at 0x7f485a784b6d. RSP: 002b:00007ffef835fb50 EFLAGS: 00000293 ORIG_RAX: 000000000000003d RAX: fffffffffffffe00 RBX: 0000000000000103 RCX: 00007f485a784b97 RDX: 0000000040000000 RSI: 00007ffef835fbbc RDI: 00000000ffffffff RBP: 00007ffef835fbbc R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000003b R13: 00005555774ad590 R14: 0000000000054a0e R15: 00007ffef835fc10 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:__list_del_entry_valid_or_report+0x17a/0x200 lib/list_debug.c:62 Code: 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 8d 00 00 00 48 8b 55 00 48 89 e9 48 89 de 48 c7 c7 00 80 15 8c e8 47 a9 bb fc 90 <0f> 0b 4c 89 e7 e8 ac 2d 1f fd 48 89 ea 48 b8 00 00 00 00 00 fc ff RSP: 0018:ffffc900032977e8 EFLAGS: 00010282 RAX: 000000000000006d RBX: ffff888028a1e558 RCX: ffffffff819b0e09 RDX: 0000000000000000 RSI: ffffffff819b8c96 RDI: 0000000000000005 RBP: ffff88807cca6558 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000080000000 R11: 0000000000000001 R12: ffff88807cca6558 R13: ffff888028a1e560 R14: ffff88807cca6000 R15: ffff88807e08e010 FS: 0000000000000000(0000) GS:ffff88812481a000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fdec6fee000 CR3: 0000000069925000 CR4: 0000000000350ef0