Dear Linux Developer,

Recently, when using our tool to fuzz the kernel, the following crash was triggered:

HEAD commit: 64570fbc14f8 Linux 5.15-rc5
git tree: upstream
compiler: gcc 8.0.1
console output: https://drive.google.com/file/d/1G71Ww97u1liwpZv8zvSqphYPTtn9HnOO/view?usp=share_link
kernel config: https://drive.google.com/file/d/1uDOeEYgJDcLiSOrx9W8v2bqZ6uOA_55t/view?usp=share_link

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: Wei Chen <harperchen1110@xxxxxxxxx>

stack segment: 0000 [#1] PREEMPT SMP
CPU: 1 PID: 12694 Comm: kworker/1:11 Not tainted 5.15.0-rc5 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
Workqueue: events l2cap_chan_timeout
RIP: 0010:l2cap_chan_put+0x21/0x160
Code: 5d 41 5c e9 91 0d 04 fd 90 41 54 55 48 89 fd 53 e8 84 0d 04 fd 66 90 e8 7d 0d 04 fd e8 78 0d 04 fd 4c 8d 65 18 bb ff ff ff ff <f0> 0f c1 5d 18 bf 01 00 00 00 89 de e8 5e 0e 04 fd 83 fb 01 74 55
RSP: 0018:ffffc90000d73dc0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000ffffffff RCX: ffff888111e39b80
RDX: 0000000000000000 RSI: ffff888111e39b80 RDI: 0000000000000002
RBP: dead4ead00000000 R08: ffffffff843965e8 R09: 0000000000000000
R10: 0000000000000007 R11: 0000000000000001 R12: dead4ead00000018
R13: ffff88810d814000 R14: ffff88810d8144b8 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2e423000 CR3: 0000000111e00000 CR4: 00000000003506e0
Call Trace:
 l2cap_sock_kill.part.11+0x24/0x110
 l2cap_sock_close_cb+0x4e/0x60
 l2cap_chan_timeout+0xdc/0x160
 process_one_work+0x3fa/0x9f0
 worker_thread+0x42/0x5c0
 kthread+0x1a6/0x1e0
 ret_from_fork+0x1f/0x30
Modules linked in:
---[ end trace 9e8a9c7204ba3d85 ]---
RIP: 0010:l2cap_chan_put+0x21/0x160
Code: 5d 41 5c e9 91 0d 04 fd 90 41 54 55 48 89 fd 53 e8 84 0d 04 fd 66 90 e8 7d 0d 04 fd e8 78 0d 04 fd 4c 8d 65 18 bb ff ff ff ff <f0> 0f c1 5d 18 bf 01 00 00 00 89 de e8 5e 0e 04 fd 83 fb 01 74 55
RSP: 0018:ffffc90000d73dc0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000ffffffff RCX: ffff888111e39b80
RDX: 0000000000000000 RSI: ffff888111e39b80 RDI: 0000000000000002
RBP: dead4ead00000000 R08: ffffffff843965e8 R09: 0000000000000000
R10: 0000000000000007 R11: 0000000000000001 R12: dead4ead00000018
R13: ffff88810d814000 R14: ffff88810d8144b8 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2e423000 CR3: 0000000012e7a000 CR4: 00000000003506e0
----------------
Code disassembly (best guess):
   0:   5d                      pop    %rbp
   1:   41 5c                   pop    %r12
   3:   e9 91 0d 04 fd          jmpq   0xfd040d99
   8:   90                      nop
   9:   41 54                   push   %r12
   b:   55                      push   %rbp
   c:   48 89 fd                mov    %rdi,%rbp
   f:   53                      push   %rbx
  10:   e8 84 0d 04 fd          callq  0xfd040d99
  15:   66 90                   xchg   %ax,%ax
  17:   e8 7d 0d 04 fd          callq  0xfd040d99
  1c:   e8 78 0d 04 fd          callq  0xfd040d99
  21:   4c 8d 65 18             lea    0x18(%rbp),%r12
  25:   bb ff ff ff ff          mov    $0xffffffff,%ebx
* 2a:   f0 0f c1 5d 18          lock xadd %ebx,0x18(%rbp)    <-- trapping instruction
  2f:   bf 01 00 00 00          mov    $0x1,%edi
  34:   89 de                   mov    %ebx,%esi
  36:   e8 5e 0e 04 fd          callq  0xfd040e99
  3b:   83 fb 01                cmp    $0x1,%ebx
  3e:   74 55                   je     0x95

Best,
Wei
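The register dump above carries most of what a first triage pass needs, and the following C program is an added worked example of that pass; it is not part of Wei's report and not kernel code. The trapping instruction is lock xadd %ebx,0x18(%rbp) with %ebx = 0xffffffff, i.e. an atomic fetch-and-add of -1 on a 32-bit counter at offset 0x18 of the object whose address is in %rbp, followed by cmp $0x1,%ebx: the shape of refcount_dec_and_test() as used by kref_put(), which is what l2cap_chan_put() performs on the channel's kref. The object pointer in %rbp is 0xdead4ead00000000, whose upper half is the CONFIG_DEBUG_SPINLOCK marker SPINLOCK_MAGIC (0xdead4ead from include/linux/spinlock_types.h), so the "pointer" was read from memory that no longer holds a pointer, which is consistent with the channel having been freed or overwritten before the timeout work ran. Because the operand uses %rbp as base, the access goes through the SS segment and a non-canonical address raises #SS, which is why the oops is headed "stack segment" instead of a page fault, and why CR2 is unrelated to this fault. The code recomputes the effective address, checks canonicality, cross-checks it against the lea result left in %r12, and matches the pointer against a small table of kernel poison values; the register values are copied from the report and the table entries come from upstream headers (ILLEGAL_POINTER_VALUE is 0xdead000000000000 on x86-64).

```c
/*
 * Added triage helper for the l2cap_chan_put oops above (example code,
 * not from the report or the kernel). It recomputes the effective
 * address of the trapping instruction
 *     lock xadd %ebx,0x18(%rbp)
 * from the register dump, checks whether that address is canonical on
 * x86-64 (4-level paging, 48-bit virtual addresses), verifies it against
 * the lea result in %r12, and looks for well-known kernel poison values.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register state at the trap, copied from the oops lines. */
struct oops_regs {
    uint64_t rbp;
    uint64_t r12;
    uint64_t cr2;
};

static const struct oops_regs report_regs = {
    .rbp = 0xdead4ead00000000ULL,
    .r12 = 0xdead4ead00000018ULL,
    .cr2 = 0x0000001b2e423000ULL,
};

/* Displacement of the memory operand in "lock xadd %ebx,0x18(%rbp)". */
#define XADD_DISP 0x18ULL

/* Effective address of a disp(%base) operand. */
uint64_t effective_address(uint64_t base, uint64_t disp)
{
    return base + disp;
}

/*
 * A 48-bit virtual address is canonical when bits 63..47 all equal bit 47.
 * Anything else traps (#GP, or #SS when the base is %rbp/%rsp) before any
 * page walk, so CR2 is never updated for such a fault.
 */
bool is_canonical(uint64_t addr)
{
    uint64_t high = addr >> 47;
    return high == 0 || high == 0x1ffffULL;
}

/*
 * Poison/magic values from upstream headers:
 *   SPINLOCK_MAGIC 0xdead4ead   (include/linux/spinlock_types.h)
 *   LIST_POISON1   ILLEGAL_POINTER_VALUE + 0x100  (include/linux/poison.h)
 *   LIST_POISON2   ILLEGAL_POINTER_VALUE + 0x122
 */
const char *identify_poison(uint64_t ptr)
{
    if ((ptr >> 32) == 0xdead4eadULL)
        return "SPINLOCK_MAGIC";
    if (ptr == 0xdead000000000100ULL)
        return "LIST_POISON1";
    if (ptr == 0xdead000000000122ULL)
        return "LIST_POISON2";
    return NULL;
}

struct triage {
    uint64_t fault_addr;    /* operand address the xadd touched */
    bool canonical;         /* false => #GP/#SS, not a page fault */
    bool matches_r12;       /* lea 0x18(%rbp),%r12 ran just before the xadd */
    const char *poison;     /* what the object pointer in %rbp looks like */
};

struct triage triage_oops(const struct oops_regs *r)
{
    struct triage t;
    t.fault_addr = effective_address(r->rbp, XADD_DISP);
    t.canonical = is_canonical(t.fault_addr);
    t.matches_r12 = (t.fault_addr == r->r12);
    t.poison = identify_poison(r->rbp);
    return t;
}

int main(void)
{
    struct triage t = triage_oops(&report_regs);

    printf("xadd operand:      0x%016llx (%s)\n",
           (unsigned long long)t.fault_addr,
           t.canonical ? "canonical" : "non-canonical -> #SS, not a page fault");
    printf("matches lea in R12: %s\n", t.matches_r12 ? "yes" : "no");
    printf("object ptr in RBP:  %s\n", t.poison ? t.poison : "no known poison");
    printf("CR2 0x%016llx is stale; #SS does not update it\n",
           (unsigned long long)report_regs.cr2);
    return 0;
}
```

The same routine works on any x86-64 oops whose trapping instruction has a disp(%base) operand: substitute the base register's value and the displacement from the "Code disassembly" section, and the canonicality and poison checks tell you whether you are looking at a dangling or corrupted object pointer rather than a genuine unmapped page.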