[syzbot] [bluetooth?] BUG: corrupted list in _hci_cmd_sync_cancel_entry

[syzbot] [bluetooth?] BUG: corrupted list in _hci_cmd_sync_cancel_entry

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    a430d95c5efa Merge tag 'lsm-pr-20240911' of git://git.kern..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=136ba607980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=44d46e514184cd24
dashboard link: https://syzkaller.appspot.com/bug?extid=01fdb2cc3f0b4ddcfcf1
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/bdf130384fad/disk-a430d95c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c62ff195641a/vmlinux-a430d95c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/4069702199e2/bzImage-a430d95c.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+01fdb2cc3f0b4ddcfcf1@syzkaller.appspotmail.com

list_del corruption, ffff88801febb580->next is LIST_POISON1 (dead000000000100)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:56!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 8278 Comm: kworker/u9:2 Not tainted 6.11.0-syzkaller-02574-ga430d95c5efa #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci2 hci_conn_timeout
RIP: 0010:__list_del_entry_valid_or_report+0x108/0x1c0 lib/list_debug.c:56
Code: c7 c7 80 1b b1 8b e8 c7 c6 dd fc 90 0f 0b 48 c7 c7 e0 1b b1 8b e8 b8 c6 dd fc 90 0f 0b 48 c7 c7 40 1c b1 8b e8 a9 c6 dd fc 90 <0f> 0b 48 89 ca 48 c7 c7 a0 1c b1 8b e8 97 c6 dd fc 90 0f 0b 48 89
RSP: 0018:ffffc90003a1fbe0 EFLAGS: 00010286
RAX: 000000000000004e RBX: ffff88801febb580 RCX: ffffffff816c6699
RDX: 0000000000000000 RSI: ffffffff816cf7b6 RDI: 0000000000000005
RBP: ffff88805f5a8000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff88801febb588
R13: dffffc0000000000 R14: ffff88805f5a8618 R15: ffff88801febb580
FS:  0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000202f5000 CR3: 0000000060a82000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __list_del_entry_valid include/linux/list.h:124 [inline]
 __list_del_entry include/linux/list.h:215 [inline]
 list_del include/linux/list.h:229 [inline]
 _hci_cmd_sync_cancel_entry.constprop.0+0x80/0x1d0 net/bluetooth/hci_sync.c:643
 hci_cmd_sync_cancel_entry net/bluetooth/hci_sync.c:847 [inline]
 hci_cmd_sync_dequeue_once net/bluetooth/hci_sync.c:866 [inline]
 hci_cancel_connect_sync+0x103/0x2c0 net/bluetooth/hci_sync.c:6844
 hci_abort_conn+0x163/0x340 net/bluetooth/hci_conn.c:2948
 hci_conn_timeout+0x1ab/0x220 net/bluetooth/hci_conn.c:576
 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3393
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0x108/0x1c0 lib/list_debug.c:56
Code: c7 c7 80 1b b1 8b e8 c7 c6 dd fc 90 0f 0b 48 c7 c7 e0 1b b1 8b e8 b8 c6 dd fc 90 0f 0b 48 c7 c7 40 1c b1 8b e8 a9 c6 dd fc 90 <0f> 0b 48 89 ca 48 c7 c7 a0 1c b1 8b e8 97 c6 dd fc 90 0f 0b 48 89
RSP: 0018:ffffc90003a1fbe0 EFLAGS: 00010286
RAX: 000000000000004e RBX: ffff88801febb580 RCX: ffffffff816c6699
RDX: 0000000000000000 RSI: ffffffff816cf7b6 RDI: 0000000000000005
RBP: ffff88805f5a8000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff88801febb588
R13: dffffc0000000000 R14: ffff88805f5a8618 R15: ffff88801febb580
FS:  0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000202f5000 CR3: 0000000060a82000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [bluetooth?] BUG: corrupted list in _hci_cmd_sync_cancel_entry

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit:    7595b66ae9de Merge tag 'selinux-pr-20250624' of git://git...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10ed4f0c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=641bc01f4fbdccd4
dashboard link: https://syzkaller.appspot.com/bug?extid=01fdb2cc3f0b4ddcfcf1
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14bc9b70580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/86576f060f6f/disk-7595b66a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/051ad595d63b/vmlinux-7595b66a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e72740ea313a/bzImage-7595b66a.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+01fdb2cc3f0b4ddcfcf1@syzkaller.appspotmail.com

Bluetooth: hci4: command 0x0406 tx timeout
 non-paged memory
list_del corruption, ffff88802932b700->next is LIST_POISON1 (dead000000000100)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:56!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 1 UID: 0 PID: 51 Comm: kworker/u9:0 Not tainted 6.16.0-rc3-syzkaller-00044-g7595b66ae9de #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: hci4 hci_conn_timeout
RIP: 0010:__list_del_entry_valid_or_report+0x121/0x200 lib/list_debug.c:56
Code: 48 c7 c7 e0 7e 15 8c e8 1d 41 b9 fc 90 0f 0b 4c 89 e7 e8 02 f3 1d fd 4c 89 e2 48 89 de 48 c7 c7 40 7f 15 8c e8 00 41 b9 fc 90 <0f> 0b 48 89 ef e8 e5 f2 1d fd 48 89 ea 48 89 de 48 c7 c7 a0 7f 15
RSP: 0018:ffffc90000bb7b78 EFLAGS: 00010282
RAX: 000000000000004e RBX: ffff88802932b700 RCX: ffffffff819b00b9
RDX: 0000000000000000 RSI: ffffffff819b7f46 RDI: 0000000000000005
RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: dead000000000100
R13: dffffc0000000000 R14: ffff88802f118618 R15: ffff88802932b700
FS:  0000000000000000(0000) GS:ffff888124852000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c007642020 CR3: 000000007e2b4000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __list_del_entry_valid include/linux/list.h:124 [inline]
 __list_del_entry include/linux/list.h:215 [inline]
 list_del include/linux/list.h:229 [inline]
 _hci_cmd_sync_cancel_entry.constprop.0+0x80/0x1d0 net/bluetooth/hci_sync.c:647
 hci_cmd_sync_cancel_entry net/bluetooth/hci_sync.c:851 [inline]
 hci_cmd_sync_dequeue_once net/bluetooth/hci_sync.c:870 [inline]
 hci_cancel_connect_sync+0xfa/0x2b0 net/bluetooth/hci_sync.c:6903
 hci_abort_conn+0x15a/0x340 net/bluetooth/hci_conn.c:2919
 hci_conn_timeout+0x1a2/0x210 net/bluetooth/hci_conn.c:580
 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3321 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402
 kthread+0x3c2/0x780 kernel/kthread.c:464
 ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0x121/0x200 lib/list_debug.c:56
Code: 48 c7 c7 e0 7e 15 8c e8 1d 41 b9 fc 90 0f 0b 4c 89 e7 e8 02 f3 1d fd 4c 89 e2 48 89 de 48 c7 c7 40 7f 15 8c e8 00 41 b9 fc 90 <0f> 0b 48 89 ef e8 e5 f2 1d fd 48 89 ea 48 89 de 48 c7 c7 a0 7f 15
RSP: 0018:ffffc90000bb7b78 EFLAGS: 00010282
RAX: 000000000000004e RBX: ffff88802932b700 RCX: ffffffff819b00b9
RDX: 0000000000000000 RSI: ffffffff819b7f46 RDI: 0000000000000005
RBP: dead000000000122 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: dead000000000100
R13: dffffc0000000000 R14: ffff88802f118618 R15: ffff88802932b700
FS:  0000000000000000(0000) GS:ffff888124852000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd6f9b7e2d8 CR3: 000000007b2b4000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.