From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mail-oo1-f70.google.com (mail-oo1-f70.google.com [209.85.161.70])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2685D33A71A
	for ; Fri, 23 Jan 2026 06:57:02 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.161.70
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1769151425; cv=none;
	b=UoLDSH4s5vwOm4YcIW1Ks3gIz/wEsyjEbLCI1dPl8DrDD8dsuGzFuPeW+V2ImbmsC2sEylYSFaECv10JaYE2fpcL/4l6Yzv7ZspI0wKynNqVnck52pu35i2VqTsgw0ENkjW1eb0MGskFXCEX51SQW/zzbTHwIwJywyOD3VpmiBo=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1769151425; c=relaxed/simple;
	bh=c+EcVg8Itr5evJkyg2sesLYhxBP2n5Zl0mIq41bC7IQ=;
	h=MIME-Version:Date:In-Reply-To:Message-ID:Subject:From:To:Content-Type;
	b=TdvtI5xa3YsEqkzMwlxC9xboZvnrRjz/OAQWq5MmSvFE9RDeRjqvdz9SIwqplcwJobhKLmvvbFz6pwdBLxQgOdz2Kb8354XgX7d8CF3bTlskK/5BCFyMKhYZCLi4Fukm2Z602Ed/csf+hp+bt6A4Laby+BrX5g5nfI1mDCVMMMs=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com; arc=none smtp.client-ip=209.85.161.70
Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com
Received: by mail-oo1-f70.google.com with SMTP id 006d021491bc7-662c684f983so3470007eaf.2
	for ; Thu, 22 Jan 2026 22:57:02 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20230601; t=1769151422; x=1769756222;
	h=to:from:subject:message-id:in-reply-to:date:mime-version
	 :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
	bh=eG7L5QyfS3tJ4kQRpWVtxgHmAh6DXfEiz8ePdP6pspQ=;
	b=bUCWDQjS+hN29AQyOzF0ZGo/KIxMaTQQtojSJJQgH263CyxedXklIJXcJ8YNUcNv3n
	 a6FK9gbJC0dAYMwF5hHTP++PTQfi4om4km4cC+Kg3EqExU4UKY/QByYkWrLDSWav6ika
	 TS4H7lDSj9XoqtixrbIfG9syaU8MxBPD+lprmD5EqQCuwLBrPHPHSaHGQaNGHZzNYgOt
	 NiCQ5IeLoaFmcPuzK9IxUj5/JyNpX23pJyVkzcIU19rqZSGxVskNOUFhtTWbCT8aMhrT
	 awjmUDa4oT2pVsG/oHQ55JubRfsTaOeptg4yEMKVP0g3VnT9ITFIDrp5vRiopJrjieEN
	 OBPA==
X-Forwarded-Encrypted: i=1; AJvYcCUsB2cyjDSQPSnQb8jF5ir3670A/kR1d6dk3TCweLbz0PyQcd/1ZI40GiG9J31zt2WXzWifA1VZ0Mix7+4=@vger.kernel.org
X-Gm-Message-State: AOJu0YwbPzcOm2Esc6U+YLFRgbDjhK0miK/L0qwq1w1Dcdy51ToqC5GV
	HHZ+dwiAbBGaaxRCnG3ml/SPJ3zaDGNNQ0FzFvvccdYElwJbwKKp568ooENmmtUXl5KKfwt11vs
	N5XoJB8Kh6zVrQ9dkANSqsol/bhaygkMv2V1qnQFE/59YnXrpa++UgMjLOVk=
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
X-Received: by 2002:a05:6820:1689:b0:662:c0e7:571a with SMTP id 006d021491bc7-662caaed765mr1130593eaf.20.1769151421714;
	Thu, 22 Jan 2026 22:57:01 -0800 (PST)
Date: Thu, 22 Jan 2026 22:57:01 -0800
In-Reply-To: <20260123063814.2286-1-hdanton@sina.com>
X-Google-Appengine-App-Id: s~syzkaller
X-Google-Appengine-App-Id-Alias: syzkaller
Message-ID: <69731bbd.050a0220.1ad174.0336.GAE@google.com>
Subject: Re: [syzbot] [bluetooth?] KASAN: slab-use-after-free Read in l2cap_sock_ready_cb (2)
From: syzbot
To: hdanton@sina.com, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Type: text/plain; charset="UTF-8"

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
general protection fault in lock_sock_nested

Oops: general protection fault, probably for non-canonical address 0xdffffc000000004c: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000260-0x0000000000000267]
CPU: 1 UID: 0 PID: 6371 Comm: kworker/u33:6 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: hci0 hci_rx_work
RIP: 0010:kasan_byte_accessible+0x15/0x30 mm/kasan/generic.c:210
Code: 00 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 b8 00 00 00 00 00 fc ff df 48 c1 ef 03 48 01 c7 <0f> b6 07 3c 07 0f 96 c0 e9 ce 86 08 09 66 66 2e 0f 1f 84 00 00 00
RSP: 0018:ffffc900036c77d8 EFLAGS: 00010282
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff89422bb1 RDI: dffffc000000004c
RBP: 0000000000000260 R08: 0000000000000001 R09: 0000000000000000
R10: ffffc900036c78c8 R11: 00000000000075a9 R12: ffffffff89422bb1
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880d66dc000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f01e4fde2f8 CR3: 000000000e392000 CR4: 0000000000352ef0
Call Trace:
 __kasan_check_byte+0x13/0x50 mm/kasan/common.c:573
 kasan_check_byte include/linux/kasan.h:402 [inline]
 lock_acquire kernel/locking/lockdep.c:5842 [inline]
 lock_acquire+0xf5/0x330 kernel/locking/lockdep.c:5825
 lock_sock_nested+0x41/0xf0 net/core/sock.c:3780
 lock_sock include/net/sock.h:1700 [inline]
 l2cap_sock_new_connection_cb+0x4c/0x260 net/bluetooth/l2cap_sock.c:1476
 l2cap_connect_cfm+0x4e2/0x1010 net/bluetooth/l2cap_core.c:7288
 hci_connect_cfm include/net/bluetooth/hci_core.h:2131 [inline]
 hci_remote_features_evt+0x4f4/0x9b0 net/bluetooth/hci_event.c:3729
 hci_event_func net/bluetooth/hci_event.c:7719 [inline]
 hci_event_packet+0xa86/0x11c0 net/bluetooth/hci_event.c:7773
 hci_rx_work+0x451/0xfc0 net/bluetooth/hci_core.c:4076
 process_one_work+0x9c2/0x1840 kernel/workqueue.c:3257
 process_scheduled_works kernel/workqueue.c:3340 [inline]
 worker_thread+0x5da/0xe40 kernel/workqueue.c:3421
 kthread+0x3b3/0x730 kernel/kthread.c:463
 ret_from_fork+0x754/0xaf0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:kasan_byte_accessible+0x15/0x30 mm/kasan/generic.c:210
Code: 00 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 48 b8 00 00 00 00 00 fc ff df 48 c1 ef 03 48 01 c7 <0f> b6 07 3c 07 0f 96 c0 e9 ce 86 08 09 66 66 2e 0f 1f 84 00 00 00
RSP: 0018:ffffc900036c77d8 EFLAGS: 00010282
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff89422bb1 RDI: dffffc000000004c
RBP: 0000000000000260 R08: 0000000000000001 R09: 0000000000000000
R10: ffffc900036c78c8 R11: 00000000000075a9 R12: ffffffff89422bb1
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8880d66dc000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f01e4fde2f8 CR3: 000000003084d000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	0f 1f 00             	nopl   (%rax)
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	90                   	nop
   9:	90                   	nop
   a:	90                   	nop
   b:	90                   	nop
   c:	90                   	nop
   d:	90                   	nop
   e:	90                   	nop
   f:	90                   	nop
  10:	90                   	nop
  11:	90                   	nop
  12:	90                   	nop
  13:	90                   	nop
  14:	90                   	nop
  15:	0f 1f 40 d6          	nopl   -0x2a(%rax)
  19:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  20:	fc ff df
  23:	48 c1 ef 03          	shr    $0x3,%rdi
  27:	48 01 c7             	add    %rax,%rdi
* 2a:	0f b6 07             	movzbl (%rdi),%eax		<-- trapping instruction
  2d:	3c 07                	cmp    $0x7,%al
  2f:	0f 96 c0             	setbe  %al
  32:	e9 ce 86 08 09       	jmp    0x9088705
  37:	66                   	data16
  38:	66                   	data16
  39:	2e                   	cs
  3a:	0f                   	.byte 0xf
  3b:	1f                   	(bad)
  3c:	84 00                	test   %al,(%rax)


Tested on:

commit:         c072629f Merge tag 'v6.19-p4' of git://git.kernel.org/..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10c95f9a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f1fac0919970b671
dashboard link: https://syzkaller.appspot.com/bug?extid=9265e754091c2d27ea29
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch:          https://syzkaller.appspot.com/x/patch.diff?x=16ec813a580000