syzbot

 sign-in | mailing list | source | docs | 🏰
🐞 Open [1320]
Subsystems
🐞 Fixed [7175]
🐞 Invalid [18950]
Missing Backports [221]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
✨ AI
💬 Send us feedback

Applied filters: Label=subsystems:bluetooth (drop)
Extra filters: [With Repro]
Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Closed Patch
KASAN: invalid-free in hci_req_sync_complete bluetooth 24 syz 179 714d 788d 1/29 never Bluetooth: Fix double free in hci_req_sync_complete
memory leak in init_srcu_struct_fields bluetooth prio:low 3 C 11 18d 19d 9/29 never 37b3009bf597 Bluetooth: fix memory leak in error path of hci_alloc_dev()
general protection fault in h4_recv prio:normal bluetooth 2 C error 4 74d 71d 10/29 never 902fe40bce70 Bluetooth: hci_uart: Fix NULL deref in recv callbacks when priv is uninitialized
KASAN: slab-use-after-free Write in le_read_features_complete bluetooth 22 C error 505 87d 193d 29/29 29d 035c25007c9e Bluetooth: hci_sync: Fix UAF in le_read_features_complete
KASAN: slab-use-after-free Read in l2cap_unregister_user bluetooth 22 C done 46133 43d 594d 29/29 29d 752a6c9596dd Bluetooth: L2CAP: Fix use-after-free in l2cap_unregister_user
KASAN: stack-out-of-bounds Read in l2cap_send_cmd bluetooth prio:high 17 C 174 84d 97d 29/29 29d 9d87cb22195b Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req
memory leak in skb_clone (3) bluetooth batman 3 C 4 46d 162d 29/29 43d 21e4271e6509 Bluetooth: purge error queues in socket destructors
memory leak in __skb_tstamp_tx bluetooth 3 C 1 162d 162d 29/29 43d 21e4271e6509 Bluetooth: purge error queues in socket destructors
KMSAN: uninit-value in hci_cmd_complete_evt bluetooth 7 C 37 227d 579d 29/29 162d 5c5f1f64681c Bluetooth: hci_event: validate skb length for unknown CC opcode
KASAN: slab-use-after-free Read in l2cap_recv_acldata (2) bluetooth 19 3 242d 281d 29/29 162d 79a2d4678ba9 Bluetooth: hci_core: lookup hci_conn on RX path on protocol side
KASAN: slab-use-after-free Read in mgmt_pending_remove bluetooth 19 syz 2 218d 215d 29/29 162d 89bb613511cc Bluetooth: hci_sock: Prevent race in socket write iter and sock bind
KASAN: slab-use-after-free Read in btusb_disconnect usb bluetooth 19 C 5 264d 350d 29/29 162d 23d22f2f7176 Bluetooth: btusb: reorder cleanup in btusb_disconnect to avoid UAF
general protection fault in bcsp_recv bluetooth 8 C error 1003 241d 488d 29/29 232d ca94b2b036c2 Bluetooth: bcsp: receive data only if registered
KASAN: slab-use-after-free Read in release_sock (2) bluetooth 19 1 301d 295d 29/29 232d 862c62810856 Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
KASAN: null-ptr-deref Write in l2cap_sock_resume_cb (4) bluetooth 12 C 8 347d 346d 29/29 287d a0075accbf0d Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb()
KASAN: slab-use-after-free Read in skb_queue_purge_reason (3) bluetooth 19 5 359d 367d 29/29 287d 1d6123102e9f Bluetooth: hci_core: Fix use-after-free in vhci_flush()
KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump bluetooth 17 C 1512 323d 444d 29/29 287d 7af4d7b53502 Bluetooth: hci_devcd_dump: fix out-of-bounds via dev_coredumpv
BUG: corrupted list in mgmt_pending_remove bluetooth 19 C error 44 384d 655d 29/29 316d 6fe26f694c82 Bluetooth: MGMT: Protect mgmt_pending list with its own lock
KASAN: slab-use-after-free Read in mgmt_remove_adv_monitor_complete (3) bluetooth 19 C 5 377d 401d 29/29 316d e6ed54e86aae Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete
KASAN: slab-use-after-free Read in hci_sock_get_channel bluetooth 19 syz 1 394d 390d 29/29 316d 6fe26f694c82 Bluetooth: MGMT: Protect mgmt_pending list with its own lock
KASAN: slab-out-of-bounds Read in hci_cmd_sync_alloc bluetooth 17 C 4 400d 411d 29/29 322d 03f1700b9b4d Bluetooth: MGMT: reject malformed HCI_CMD_SYNC commands
general protection fault in lookup_or_create_module_kobject bluetooth usb 2 C 266 405d 410d 29/29 346d a6aeb739974e module: ensure that kobject_put() is safe for module type kobjects
KASAN: slab-use-after-free Read in skb_queue_purge_reason (2) bluetooth 19 C done 132 378d 762d 28/29 373d 5df5dafc171b Bluetooth: hci_uart: Fix another race during initialization
KASAN: slab-use-after-free Read in l2cap_send_cmd bluetooth 19 C done 34 513d 843d 28/29 373d b4f82f9ed43a Bluetooth: L2CAP: Fix slab-use-after-free Read in l2cap_send_cmd
BUG: corrupted list in hci_chan_del (2) bluetooth 19 C done 502 494d 497d 28/29 373d ab4eedb790ca Bluetooth: L2CAP: Fix corrupted list in hci_chan_del
KASAN: slab-use-after-free Read in sco_sock_connect bluetooth 19 syz 1 572d 570d 28/29 408d ed9588554943 Bluetooth: SCO: remove the redundant sco_conn_put
BUG: sleeping function called from invalid context in hci_le_create_big_complete_evt bluetooth 5 C done 380 560d 802d 28/29 408d 4d94f0555827 Bluetooth: hci_core: Fix sleeping function called from invalid context
KASAN: slab-use-after-free Read in set_powered_sync bluetooth 19 C done 153 568d 703d 28/29 408d 0b882940665c Bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync
KASAN: slab-use-after-free Read in mgmt_remove_adv_monitor_sync bluetooth 19 syz 40 522d 694d 28/29 408d 26fbd3494a7d Bluetooth: MGMT: Fix slab-use-after-free Read in mgmt_remove_adv_monitor_sync
KMSAN: uninit-value in hci_rx_work bluetooth 7 C 29 576d 695d 28/29 549d 3fe288a8214e Bluetooth: hci_core: Fix not checking skb length on hci_acldata_packet
WARNING in hci_conn_timeout bluetooth -1 C done 6022 550d 2147d 28/29 549d 2b0f2fc9ed62 Bluetooth: hci_conn: Use disable_delayed_work_sync
KASAN: slab-use-after-free Write in sco_sock_timeout bluetooth 22 C done 275 601d 945d 28/29 569d 1bf4470a3939 Bluetooth: SCO: Fix UAF on sco_sock_timeout
possible deadlock in rfcomm_sk_state_change bluetooth 4 C done 22650 612d 1740d 28/29 583d 08d1914293da Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change
KASAN: slab-use-after-free Read in l2cap_connect (2) bluetooth 19 C done 8 635d 724d 28/29 583d 333b4fd11e89 Bluetooth: L2CAP: Fix uaf in l2cap_connect
BUG: workqueue leaked atomic, lock or RCU: kworker/u33:NUM[NUM] bluetooth -1 C 13 679d 692d 28/29 623d c531e63871c0 Bluetooth: l2cap: always unlock channel in l2cap_conless_channel()
WARNING in __hci_cmd_sync_sk bluetooth -1 syz 36 694d 710d 27/29 670d f1a8f402f13f Bluetooth: L2CAP: Fix deadlock
WARNING in btusb_submit_intr_urb/usb_submit_urb bluetooth usb -1 C error 2 712d 723d 27/29 674d a368ecde8a50 USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor
general protection fault in l2cap_sock_recv_cb bluetooth 8 C inconclusive 8 715d 742d 26/29 681d 89e856e124f9 bluetooth/l2cap: sync sock recv cb and release
possible deadlock in __flush_workqueue bluetooth 4 1456 684d 883d 26/29 681d 0d151a103775 Bluetooth: hci_core: cancel all works upon hci_unregister_dev()
WARNING in hci_conn_del bluetooth -1 C done 10497 710d 842d 26/29 681d 015d79c96d62 Bluetooth: Ignore too large handle values in BIG 1cc18c2ab2e8 bluetooth/hci: disallow setting handle bigger than HCI_CONN_HANDLE_MAX
BUG: soft lockup in hci_cmd_timeout bluetooth usb 1 C 1 741d 737d 26/29 709d 22f008128625 USB: class: cdc-wdm: Fix CPU lockup caused by excessive log messages
general protection fault in btintel_read_version bluetooth 2 C error 5 872d 883d 25/29 800d b79e04091010 Bluetooth: btintel: Fix null ptr deref in btintel_read_version
KASAN: slab-use-after-free Write in __hci_acl_create_connection_sync bluetooth 22 C done 87 850d 861d 25/29 800d 5f641f03abcc Bluetooth: hci_conn: Fix UAF Write in __hci_acl_create_connection_sync
memory leak in corrupted bluetooth 3 syz 536 812d 884d 25/29 812d 0a186b49bba5 batman-adv: mcast: fix memory leak on deleting a batman-adv interface
KASAN: null-ptr-deref Read in ida_free (4) bluetooth 11 C done done 29 908d 947d 25/29 855d af73483f4e8b ida: Fix crash in ida_free when the bitmap is empty
possible deadlock in hci_rfkill_set_block bluetooth 4 C done 3391 896d 969d 25/29 864d 769bf60e17ee Bluetooth: Fix deadlock in vhci_send_frame
KASAN: slab-out-of-bounds Read in create_monitor_event bluetooth 17 C done 952 969d 983d 25/29 911d 18f547f3fc07 Bluetooth: hci_sock: fix slab oob read in create_monitor_event
BUG: sleeping function called from invalid context in __hci_cmd_sync_sk bluetooth 5 C done 34 980d 1097d 25/29 911d acab8ff29a2a Bluetooth: ISO: Fix invalid context error
general protection fault in sco_conn_add bluetooth 2 C done 4 1066d 1076d 23/29 980d b4066eb04bb6 Bluetooth: hci_conn: return ERR_PTR instead of NULL when there is no link
KASAN: slab-use-after-free Write in sco_chan_del bluetooth 22 C done 19 996d 1130d 23/29 980d 3344d318337d Bluetooth: hci_conn: fail SCO/ISO via hci_conn_failed if ACL gone early
INFO: rcu detected stall in hci_cmd_timeout bluetooth 1 1 1043d 1043d 23/29 980d 8c21ab1bae94 net/sched: fq_pie: avoid stalls in fq_pie_timer()
KASAN: slab-use-after-free Read in hci_conn_del bluetooth 19 7 1120d 1144d 22/29 1083d ca1fd42e7dbf Bluetooth: Fix potential double free caused by hci_conn_unlink
possible deadlock in sco_conn_del bluetooth 4 C done done 279 1130d 1533d 22/29 1083d a2ac591cb4d8 Bluetooth: Fix UAF in hci_conn_hash_flush again
KASAN: slab-use-after-free Read in hci_conn_hash_flush bluetooth 22 C error 3511 1109d 1203d 22/29 1083d a2ac591cb4d8 Bluetooth: Fix UAF in hci_conn_hash_flush again ca1fd42e7dbf Bluetooth: Fix potential double free caused by hci_conn_unlink
INFO: task hung in rfcomm_process_sessions (2) bluetooth 1 C error done 14 1268d 1542d 22/29 1106d 1d80d57ffcb5 Bluetooth: Fix possible deadlock in rfcomm_sk_state_change
WARNING: bad unlock balance in l2cap_recv_frame bluetooth 4 75 1149d 1160d 22/29 1106d 25e97f7b1866 Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp
KASAN: use-after-free Read in mgmt_pending_remove bluetooth 19 C unreliable 9 1382d 1401d 22/29 1210d 3cfbc6ac22d6 Bluetooth: hci_sync: fix double mgmt_pending_free() in remove_adv_monitor() Bluetooth: hci_sync: fix double mgmt_pending_free() in remove_adv_monitor()
WARNING: ODEBUG bug in mgmt_index_removed bluetooth -1 1 1384d 1379d 22/29 1210d f74ca25d6d66 Bluetooth: avoid hci_dev_test_and_set_flag() in mgmt_init_hdev()
KASAN: use-after-free Write in sco_sock_timeout bluetooth 22 C done 272 1485d 1757d 22/29 1210d 7aa1e7d15f8a Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout
INFO: task hung in hci_dev_close_sync bluetooth 1 C unreliable 2366 1352d 1507d 22/29 1210d e36bea6e78ab Bluetooth: core: Fix deadlock on hci_power_on_sync.
BUG: corrupted list in hci_conn_add_sysfs bluetooth 19 C error done 9 1365d 1364d 22/29 1210d 448a496f7606 Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times
WARNING: ODEBUG bug in __cancel_work bluetooth -1 C inconclusive 1 1404d 1400d 22/29 1210d 2d2cb3066f2c Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create()
upstream test error: WARNING: ODEBUG bug in mgmt_index_removed bluetooth -1 551 1407d 1414d 22/29 1210d 3f2893d3c142 Bluetooth: don't try to cancel uninitialized works at mgmt_index_removed()
memory leak in vhci_write bluetooth 3 C 1 1402d 1398d 22/29 1210d 7c9524d92964 Bluetooth: L2CAP: Fix memory leak in vhci_write
INFO: trying to register non-static key in hci_uart_flush (2) bluetooth -1 syz error error 37 1338d 2480d 22/29 1210d 3124d320c22f Bluetooth: hci_{ldisc,serdev}: check percpu_init_rwsem() failure
WARNING: ODEBUG bug in bt_host_release bluetooth -1 syz done done 7 1893d 2146d 22/29 1368d e2cb6b891ad2 bluetooth: eliminate the potential race condition when removing the HCI controller
general protection fault in hci_inquiry_result_with_rssi_evt bluetooth 2 C done 17 1624d 1649d 20/29 1491d 72279d17df54 Bluetooth: hci_event: Rework hci_inquiry_result_with_rssi_evt
KASAN: slab-out-of-bounds Read in add_adv_patterns_monitor bluetooth 17 C error done 5 1947d 1967d 20/29 1498d b4a221ea8a1f Bluetooth: advmon offload MSFT add rssi support
INFO: trying to register non-static key in l2cap_sock_teardown_cb bluetooth -1 C done done 88 1691d 1994d 20/29 1563d 1bff51ea59a9 Bluetooth: fix use-after-free error in lock_sock_nested()
KASAN: null-ptr-deref Write in l2cap_chan_put bluetooth 21 syz done done 7 1695d 2140d 20/29 1563d 1bff51ea59a9 Bluetooth: fix use-after-free error in lock_sock_nested()
memory leak in mgmt_cmd_complete bluetooth 3 C 3 1759d 1858d 20/29 1563d 709fca500067 Bluetooth: hci_sock: purge socket queues in the destruct() callback
KASAN: slab-out-of-bounds Read in hci_le_meta_evt (2) bluetooth 17 C inconclusive 2 1691d 1691d 20/29 1563d 3a56ef719f0b Bluetooth: stop proccessing malicious adv data
BUG: sleeping function called from invalid context in lock_sock_nested (2) bluetooth 5 C done error 19391 1773d 2308d 20/29 1681d e04480920d1e Bluetooth: defer cleanup of resources in hci_unregister_dev() Bluetooth: defer cleanup of resources in hci_unregister_dev()
INFO: trying to register non-static key in l2cap_chan_del bluetooth -1 syz inconclusive 73 1925d 2143d 20/29 1682d 3af70b39fa2d Bluetooth: check for zapped sk before connecting
inconsistent lock state in sco_sock_timeout bluetooth 4 C done 16 1787d 2131d 20/29 1682d ba316be1b6a0 Bluetooth: schedule SCO timeouts with delayed_work
general protection fault in hci_release_dev bluetooth 2 C done 41 1761d 1782d 20/29 1682d e04480920d1e Bluetooth: defer cleanup of resources in hci_unregister_dev()
INFO: trying to register non-static key in skb_dequeue bluetooth -1 C error 28951 1867d 2148d 20/29 1682d be8597239379 Bluetooth: initialize skb_queue_head at l2cap_chan_create()
BUG: corrupted list in kobject_add_internal (3) bluetooth 8 C inconclusive 3 1718d 1822d 20/29 1682d 92fe24a7db75 Bluetooth: skip invalid hci_sync_conn_complete_evt
KASAN: use-after-free Read in hci_send_acl bluetooth 19 C done 2 1936d 2146d 20/29 1682d 5c4c8c954409 Bluetooth: verify AMP hci_chan before amp_destroy
INFO: task hung in hci_req_sync bluetooth 1 C inconclusive 1 1776d 1772d 20/29 1682d f41a4b2b5eb7 Bluetooth: add timeout sanity check to hci_inquiry
KASAN: null-ptr-deref Write in amp_read_loc_assoc_final_data bluetooth 12 C done 185 1947d 2148d 20/29 1896d e8bd76ede155 Bluetooth: Fix null pointer dereference in amp_read_loc_assoc_final_data
KASAN: slab-out-of-bounds Read in hci_le_meta_evt bluetooth 17 C error error 45 2024d 2145d 19/29 1927d f7e0e8b2f1b0 Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt()
memory leak in h5_rx_pkt_start bluetooth 3 C 5 2124d 2467d 19/29 1927d 70f259a3f427 Bluetooth: hci_h5: close serdev device and free hu in h5_close 855af2d74c87 Bluetooth: hci_h5: fix memory leak in h5_close
KASAN: use-after-free Write in __sco_sock_close bluetooth 22 C done done 10 2048d 2146d 19/29 1927d 6dfccd13db2f Bluetooth: Fix null pointer dereference in hci_event_packet()
general protection fault in hci_event_packet bluetooth 2 C done 25 2093d 2146d 19/29 1927d 6dfccd13db2f Bluetooth: Fix null pointer dereference in hci_event_packet()
BUG: corrupted list in kobject_add_internal bluetooth 8 C done done 9 2078d 2141d 15/29 2040d a46b7ed4d52d Bluetooth: Fix auto-creation of hci_conn at Conn Complete event
WARNING: refcount bug in do_enable_set bluetooth 13 C inconclusive done 8 2142d 2253d 15/29 2040d b83764f9220a Bluetooth: Fix kernel oops triggered by hci_adv_monitors_clear()
KASAN: use-after-free Write in refcount_warn_saturate bluetooth 22 C inconclusive done 2 2144d 2303d 15/29 2040d b83764f9220a Bluetooth: Fix kernel oops triggered by hci_adv_monitors_clear()
memory leak in read_adv_mon_features bluetooth 3 C 2 2110d 2133d 15/29 2040d cafd472a10ff Bluetooth: Fix memory leak in read_adv_mon_features()
KASAN: slab-out-of-bounds Read in hci_extended_inquiry_result_evt bluetooth 17 C 16 2144d 2172d 15/29 2101d 51c19bf3d5cf Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
KASAN: slab-out-of-bounds Read in hci_inquiry_result_with_rssi_evt bluetooth 17 C error 9 2146d 2166d 15/29 2101d 629b49c848ee Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()
WARNING: ODEBUG bug in rfcomm_dev_ioctl bluetooth -1 1 2295d 2295d 15/29 2230d 71811cac8532 Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl
linux-next test error: KASAN: use-after-free Read in l2cap_sock_release bluetooth -1 12 2325d 2327d 15/29 2230d 2a154903cec2 Bluetooth: prefetch channel before killing sock
KASAN: use-after-free Write in hci_sock_bind bluetooth 22 4 2314d 2347d 15/29 2312d 11eb85ec42dc Bluetooth: Fix race condition in hci_release_sock()
KMSAN: use-after-free in kfree_skb bluetooth 18 syz 34 2397d 2445d 15/29 2380d cf94da6f502d Bluetooth: Fix invalid-free in bcsp_close()
KMSAN: use-after-free in skb_dequeue bluetooth 18 C 1 2440d 2440d 15/29 2380d cf94da6f502d Bluetooth: Fix invalid-free in bcsp_close()
KASAN: invalid-free in skb_free_head bluetooth 24 C done 1 2421d 2421d 15/29 2380d cf94da6f502d Bluetooth: Fix invalid-free in bcsp_close()
general protection fault in qca_setup arm-msm bluetooth 2 C done done 6 2684d 2684d 13/29 2413d b36a1552d731 Bluetooth: hci_uart: check for missing tty operations
BUG: unable to handle kernel NULL pointer dereference in hci_uart_set_flow_control bluetooth 10 C done 7 2646d 2646d 12/29 2501d b36a1552d731 Bluetooth: hci_uart: check for missing tty operations
memory leak in bcsp_recv bluetooth 3 C 3 2554d 2581d 12/29 2509d 4ce9146e0370 Bluetooth: hci_bcsp: Fix memory leak in rx_skb
WARNING in lockdep_unregister_key bluetooth -1 C done 214 2642d 2656d 11/29 2635d 82efcab3b9f3 workqueue: Only unregister a registered lockdep key
general protection fault in hci_uart_write_work bluetooth 2 C 84 2663d 2712d 11/29 2639d 32a7b4cbe93b Bluetooth: hci_ldisc: Initialize hci_dev before open()
KASAN: use-after-free Read in h5_reset_rx bluetooth 19 2 2670d 2676d 11/29 2639d 56897b217a1d Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto()
BUG: unable to handle kernel paging request in h4_recv_buf bluetooth 8 C 203 2663d 2724d 11/29 2639d 1dc2d785156c Bluetooth: hci_uart: Check if socket buffer is ERR_PTR in h4_recv_buf()