syzbot


BUG: corrupted list in __hw_addr_del_entry

Status: upstream: reported on 2025/05/22 10:00
Subsystems: net
Reported-by: syzbot+30468d31a80c716b0152@syzkaller.appspotmail.com
First crash: 21d, last: 3d23h
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [net?] BUG: corrupted list in __hw_addr_del_entry 0 (1) 2025/05/22 10:00

Sample crash report:
veth0_vlan: left promiscuous mode
 slab kmalloc-128 start 85497900 pointer offset 0 size 128
list_del corruption. next->prev should be 85787680, but was 00000122. (next=85497900)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:65!
Internal error: Oops - BUG: 0 [#1] SMP ARM
Modules linked in:
CPU: 0 UID: 0 PID: 12035 Comm: kworker/u8:0 Not tainted 6.15.0-syzkaller #0 PREEMPT 
Hardware name: ARM-Versatile Express
Workqueue: netns cleanup_net
PC is at __list_del_entry_valid_or_report+0x8c/0x108 lib/list_debug.c:65
LR is at __wake_up_klogd.part.0+0x7c/0xac kernel/printk/printk.c:4556
pc : [<808d02f4>]    lr : [<802e2b20>]    psr: 60090013
sp : eb911ab8  ip : eb911a00  fp : eb911ad4
r10: 00000000  r9 : 85787688  r8 : 85505a4c
r7 : 85787680  r6 : 85787680  r5 : 85505a4c  r4 : 85497900
r3 : 84870000  r2 : 00000000  r1 : 00000000  r0 : 00000055
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 30c5387d  Table: 8472e800  DAC: fffffffd
Register r0 information: non-paged memory
Register r1 information: NULL pointer
Register r2 information: NULL pointer
Register r3 information: slab task_struct start 84870000 pointer offset 0 size 3072
Register r4 information: slab kmalloc-128 start 85497900 pointer offset 0 size 128
Register r5 information: slab kmalloc-cg-2k start 85505800 pointer offset 588 size 2048
Register r6 information: slab kmalloc-128 start 85787680 pointer offset 0 size 128
Register r7 information: slab kmalloc-128 start 85787680 pointer offset 0 size 128
Register r8 information: slab kmalloc-cg-2k start 85505800 pointer offset 588 size 2048
Register r9 information: slab kmalloc-128 start 85787680 pointer offset 8 size 128
Register r10 information: NULL pointer
Register r11 information: 2-page vmalloc region starting at 0xeb910000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2599
Register r12 information: 2-page vmalloc region starting at 0xeb910000 allocated at kernel_clone+0xac/0x3e4 kernel/fork.c:2599
Process kworker/u8:0 (pid: 12035, stack limit = 0xeb910000)
Stack: (0xeb911ab8 to 0xeb912000)
Call trace: 
[<808d0268>] (__list_del_entry_valid_or_report) from [<8156abe4>] (__list_del_entry_valid include/linux/list.h:124 [inline])
[<808d0268>] (__list_del_entry_valid_or_report) from [<8156abe4>] (__list_del_entry include/linux/list.h:215 [inline])
[<808d0268>] (__list_del_entry_valid_or_report) from [<8156abe4>] (list_del_rcu include/linux/rculist.h:168 [inline])
[<808d0268>] (__list_del_entry_valid_or_report) from [<8156abe4>] (__hw_addr_del_entry+0x84/0xe0 net/core/dev_addr_lists.c:160)
 r7:00000004 r6:00000001 r5:85505a4c r4:85787680
[<8156ab60>] (__hw_addr_del_entry) from [<8156ace8>] (__hw_addr_del_ex+0xa8/0xb0 net/core/dev_addr_lists.c:200)
 r5:00000006 r4:eb911b54
[<8156ac40>] (__hw_addr_del_ex) from [<8156b7f0>] (__dev_mc_del net/core/dev_addr_lists.c:909 [inline])
[<8156ac40>] (__hw_addr_del_ex) from [<8156b7f0>] (dev_mc_del+0x4c/0x74 net/core/dev_addr_lists.c:927)
 r10:00000000 r9:850d93e4 r8:80000010 r7:00000100 r6:85505a38 r5:eb911b54
 r4:85505800
[<8156b7a4>] (dev_mc_del) from [<81848ca8>] (igmp6_group_dropped+0x110/0x238 net/ipv6/mcast.c:719)
 r6:84bd2130 r5:85505800 r4:85787980
[<81848b98>] (igmp6_group_dropped) from [<8184bb90>] (ipv6_mc_down+0x30/0x1cc net/ipv6/mcast.c:2768)
 r6:84bd2130 r5:84bd2000 r4:85787980
[<8184bb60>] (ipv6_mc_down) from [<81819494>] (addrconf_ifdown+0x75c/0x76c net/ipv6/addrconf.c:4002)
 r7:00000100 r6:84bd2000 r5:00000000 r4:84bd2000
[<81818d38>] (addrconf_ifdown) from [<8181f5fc>] (addrconf_notify+0x98/0x770 net/ipv6/addrconf.c:3780)
 r10:eb911cfc r9:00000000 r8:8181f564 r7:00000002 r6:855344c0 r5:84bd2000
 r4:85505800
[<8181f564>] (addrconf_notify) from [<8028953c>] (notifier_call_chain+0x60/0x1b4 kernel/notifier.c:85)
 r10:eb911cfc r9:00000000 r8:8181f564 r7:00000000 r6:ffffffd1 r5:829e4b8c
 r4:829e59e4
[<802894dc>] (notifier_call_chain) from [<80289774>] (raw_notifier_call_chain+0x20/0x28 kernel/notifier.c:453)
 r10:8242418c r9:00000000 r8:85505800 r7:00000001 r6:855344c0 r5:00000002
 r4:eb911cfc
[<80289754>] (raw_notifier_call_chain) from [<8155c69c>] (call_netdevice_notifiers_info+0x54/0xa0 net/core/dev.c:2230)
[<8155c648>] (call_netdevice_notifiers_info) from [<8155ccac>] (call_netdevice_notifiers_extack net/core/dev.c:2268 [inline])
[<8155c648>] (call_netdevice_notifiers_info) from [<8155ccac>] (call_netdevice_notifiers net/core/dev.c:2282 [inline])
[<8155c648>] (call_netdevice_notifiers_info) from [<8155ccac>] (dev_close_many+0xfc/0x150 net/core/dev.c:1785)
 r6:eb911d70 r5:85298800 r4:85505914
[<8155cbb0>] (dev_close_many) from [<81567c74>] (unregister_netdevice_many_notify+0x1e8/0xbc0 net/core/dev.c:12046)
 r9:00000001 r8:eb911d70 r7:eb911df0 r6:85512914 r5:84a44114 r4:eb911ce4
[<81567a8c>] (unregister_netdevice_many_notify) from [<815693ac>] (unregister_netdevice_many net/core/dev.c:12139 [inline])
[<81567a8c>] (unregister_netdevice_many_notify) from [<815693ac>] (default_device_exit_batch+0x304/0x384 net/core/dev.c:12643)
 r10:eb911e78 r9:00000001 r8:eb911e98 r7:82c1f700 r6:eb911e78 r5:855345b8
 r4:855344bc
[<815690a8>] (default_device_exit_batch) from [<8154a740>] (ops_exit_list net/core/net_namespace.c:206 [inline])
[<815690a8>] (default_device_exit_batch) from [<8154a740>] (ops_undo_list+0x10c/0x238 net/core/net_namespace.c:253)
 r10:00000001 r9:00000001 r8:829d1c40 r7:829d224c r6:829d1c40 r5:eb911e78
 r4:eb911e98
[<8154a634>] (ops_undo_list) from [<8154c94c>] (cleanup_net+0x20c/0x384 net/core/net_namespace.c:686)
 r10:00000000 r9:ffffffd4 r8:85548dc0 r7:829d1b68 r6:829d1b40 r5:82c1f6c0
 r4:855344e0
[<8154c740>] (cleanup_net) from [<8027e2a8>] (process_one_work+0x1b4/0x4f4 kernel/workqueue.c:3238)
 r10:8300f070 r9:8301bc15 r8:84870000 r7:8300e600 r6:8301bc00 r5:829d1b58
 r4:840fc600
[<8027e0f4>] (process_one_work) from [<8027eef0>] (process_scheduled_works kernel/workqueue.c:3321 [inline])
[<8027e0f4>] (process_one_work) from [<8027eef0>] (worker_thread+0x1fc/0x3d8 kernel/workqueue.c:3402)
 r10:61c88647 r9:84870000 r8:840fc62c r7:82804d40 r6:8300e600 r5:8300e620
 r4:840fc600
[<8027ecf4>] (worker_thread) from [<80285f1c>] (kthread+0x12c/0x280 kernel/kthread.c:464)
 r10:00000000 r9:840fc600 r8:8027ecf4 r7:dfab1e60 r6:8421d980 r5:84870000
 r4:00000001
[<80285df0>] (kthread) from [<80200114>] (ret_from_fork+0x14/0x20 arch/arm/kernel/entry-common.S:137)
Exception stack(0xeb911fb0 to 0xeb911ff8)
1fa0:                                     00000000 00000000 00000000 00000000
1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
 r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:80285df0
 r4:85d13c00
Code: e1a01006 e3040f24 e348022b ebe4d1be (e7f001f2) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	e1a01006 	mov	r1, r6
   4:	e3040f24 	movw	r0, #20260	@ 0x4f24
   8:	e348022b 	movt	r0, #33323	@ 0x822b
   c:	ebe4d1be 	bl	0xff93470c
* 10:	e7f001f2 	udf	#18 <-- trapping instruction

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2025/06/05 04:43 upstream 16b70698aa3a 6b6b5f21 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: corrupted list in __hw_addr_del_entry
2025/05/30 01:09 upstream 9d230d500b0e 3d2f584d .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: corrupted list in __hw_addr_del_entry
2025/05/18 09:35 upstream 5723cc3450bc f41472b0 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu2-arm32 BUG: corrupted list in __hw_addr_del_entry
* Struck through repros no longer work on HEAD.