syzbot

 sign-in | mailing list | source | docs
🐞 Open [1409]
Subsystems
🐞 Fixed [6990]
🐞 Invalid [18233]
Missing Backports [223]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
✨ AI
💬 Send us feedback

BUG: corrupted list in flow_block_cb_setup_simple

Status: upstream: reported C repro on 2025/09/12 07:06
Subsystems: net
[Documentation on labels]
Reported-by: syzbot+5a66db916cdde0dbcc1c@syzkaller.appspotmail.com
First crash: 186d, last: 12d
✨ AI Jobs (3)
ID Workflow Result Correct Bug Created Started Finished Revision Error
2327301e-d6c7-405e-888d-ecf2d52e3332 patching 💥 BUG: corrupted list in flow_block_cb_setup_simple 2026/01/24 13:53 2026/01/24 13:53 2026/01/24 14:10 a58905e33a29d2b09d4334a5f5ca7ea75c4353dd tool codeexpert failed: error: Error 400, Message: The input token count exceeds the maximum number of tokens allowed 1048576., Status: INVALID_ARGUMENT, Details: [map[@type:type.googleapis.com/google.rpc.DebugInfo detail:No endpoint config found for the given token count: 1048576; input token count: 1116657]] args: map[Question:grep for flow_block_cb_setup_simple in the kernel tree to find all callers.]
31471d05-db8c-4cc1-a6df-b38fe9b21176 patching 💥 BUG: corrupted list in flow_block_cb_setup_simple 2026/01/24 07:59 2026/01/24 08:20 2026/01/24 08:28 40acda8acc843b8f5cc068eaad3b6b217e5a9de6 tool codeexpert failed: error: Error 429, Message: You exceeded your current quota, please check your plan and billing details. For more information on this error, head to: https://ai.google.dev/gemini-api/docs/rate-limits. To monitor your current usage, head to: https://ai.dev/rate-limit. * Quota exceeded for metric: generativelanguage.googleapis.com/generate_content_paid_tier_input_token_count, limit: 1000000, model: gemini-3-flash Please retry in 24.180878813s., Status: RESOURCE_EXHAUSTED, Details: [map[@type:type.googleapis.com/google.rpc.Help links:[map[description:Learn more about Gemini API quotas url:https://ai.google.dev/gemini-api/docs/rate-limits]]] map[@type:type.googleapis.com/google.rpc.QuotaFailure violations:[map[quotaDimensions:map[location:global model:gemini-3-flash] quotaId:GenerateContentPaidTierInputTokensPerModelPerMinute quotaMetric:generativelanguage.googleapis.com/generate_content_paid_tier_input_token_count quotaValue:1000000]]] map[@type:type.googleapis.com/google.rpc.RetryInfo retryDelay:24s] map[@type:type.googleapis.com/google.rpc.DebugInfo detail:[ORIGINAL ERROR] generic::resource_exhausted: You exceeded your current quota, please check your plan and billing details. For more information on this error, head to: https://ai.google.dev/gemini-api/docs/rate-limits. To monitor your current usage, head to: https://ai.dev/rate-limit. * Quota exceeded for metric: generativelanguage.googleapis.com/generate_content_paid_tier_input_token_count, limit: 1000000, model: gemini-3-flash Please retry in 24.180878813s. [google.rpc.error_details_ext] { message: "You exceeded your current quota, please check your plan and billing details. For more information on this error, head to: https://ai.google.dev/gemini-api/docs/rate-limits. To monitor your current usage, head to: https://ai.dev/rate-limit. \n* Quota exceeded for metric: generativelanguage.googleapis.com/generate_content_paid_tier_input_token_count, limit: 1000000, model: gemini-3-flash\nPlease retry in 24.180878813s." details { type_url: "type.googleapis.com/language_labs.genai.debug.GeminiApiDebugInfo" value: "R\214\001\n\211\001\nNgenerativelanguage.googleapis.com/generate_content_paid_tier_input_token_count\022\022\n\010location\022\006global\022\027\n\005model\022\016gemini-3-flash\030\300\204=\"\006\010\314\205\322\313\006" } details { [type.googleapis.com/google.rpc.Help] { links { description: "Learn more about Gemini API quotas" url: "https://ai.google.dev/gemini-api/docs/rate-limits" } } } details { [type.googleapis.com/google.rpc.QuotaFailure] { violations { quota_metric: "generativelanguage.googleapis.com/generate_content_paid_tier_input_token_count" quota_id: "GenerateContentPaidTierInputTokensPerModelPerMinute" quota_dimensions { key: "location" value: "global" } quota_dimensions { key: "model" value: "gemini-3-flash" } quota_value: 1000000 } } } details { [type.googleapis.com/google.rpc.RetryInfo] { retry_delay { seconds: 24 } } } }]] args: map[Question:grep for flow_block_cb_setup_simple in the kernel tree to find all callers.]
27ff3d90-6a2a-41bb-96b3-22d5777a1838 patching 🏃 BUG: corrupted list in flow_block_cb_setup_simple 2026/01/23 14:58 2026/01/23 14:59 7ee46ad36cdaae818f74dea493b5ec30df3fe31b
Cause bisection: failed (error log, bisect log)
  
Discussions (2)
Title Replies (including bot) Last reply
[PATCH net] net: flow_offload: protect driver_block_list in flow_block_cb_setup_simple() 8 (8) 2026/02/17 22:05
[syzbot] [net?] BUG: corrupted list in flow_block_cb_setup_simple 1 (4) 2026/02/06 18:28
Similar bugs (1)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 BUG: corrupted list in flow_block_cb_setup_simple 19 2 138d 230d 0/3 auto-obsoleted due to no activity on 2026/02/06 21:04
Last patch testing requests (12)
Created Duration User Patch Repo Result
2026/02/16 00:51 32m retest repro linux-next report log
2026/02/16 00:51 54m retest repro linux-next report log
2026/02/16 00:51 49m retest repro linux-next report log
2026/02/16 00:51 34m retest repro linux-next report log
2026/02/06 18:28 1h12m syoshida@redhat.com patch net OK log
2026/02/01 23:51 31m retest repro bpf report log
2026/02/01 23:51 18m retest repro bpf report log
2026/01/18 21:03 21m retest repro net report log
2025/12/31 20:20 1h11m retest repro bpf report log
2025/12/31 20:20 3h00m retest repro bpf report log
2025/12/31 20:20 2h29m retest repro bpf report log
2025/09/12 09:30 3h13m hdanton@sina.com patch upstream OK log

Sample crash report:
list_del corruption. prev->next should be ffff88802b0a5300, but was ffff88802b1e1b00. (prev=ffffffff8f43d660)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:64!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 6205 Comm: syz.0.146 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:__list_del_entry_valid_or_report+0x15a/0x190 lib/list_debug.c:62
Code: e8 1b 99 54 fd 43 80 3c 2c 00 74 08 4c 89 ff e8 7c 93 77 fd 49 8b 17 48 c7 c7 c0 ae 27 8c 48 89 de 4c 89 f9 e8 57 9c 6f fc 90 <0f> 0b 4c 89 f7 e8 ec 98 54 fd 43 80 3c 2c 00 74 08 4c 89 ff e8 4d
RSP: 0018:ffffc90004a76700 EFLAGS: 00010246
RAX: 000000000000006d RBX: ffff88802b0a5300 RCX: cc441111bdb3b700
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 1ffff9200094ed32 R08: ffffc90004a76487 R09: 1ffff9200094ec90
R10: dffffc0000000000 R11: fffff5200094ec91 R12: 1ffffffff1e87acc
R13: dffffc0000000000 R14: ffffffff8f43d660 R15: ffffffff8f43d660
FS:  00005555667d4500(0000) GS:ffff888125464000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc3ee94da08 CR3: 00000000323dc000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __list_del_entry_valid include/linux/list.h:132 [inline]
 __list_del_entry include/linux/list.h:223 [inline]
 list_del include/linux/list.h:237 [inline]
 flow_block_cb_setup_simple+0x62d/0x740 net/core/flow_offload.c:367
 nft_block_offload_cmd net/netfilter/nf_tables_offload.c:397 [inline]
 nft_chain_offload_cmd+0x2d8/0x6e0 net/netfilter/nf_tables_offload.c:451
 nft_flow_block_chain net/netfilter/nf_tables_offload.c:471 [inline]
 nft_flow_offload_chain net/netfilter/nf_tables_offload.c:513 [inline]
 nft_flow_rule_offload_commit+0x485/0x1ce0 net/netfilter/nf_tables_offload.c:592
 nf_tables_commit+0x80d/0xa400 net/netfilter/nf_tables_api.c:10841
 nfnetlink_rcv_batch net/netfilter/nfnetlink.c:576 [inline]
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:649 [inline]
 nfnetlink_rcv+0x1c1b/0x27b0 net/netfilter/nfnetlink.c:667
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg net/socket.c:742 [inline]
 ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592
 ___sys_sendmsg+0x2a5/0x360 net/socket.c:2646
 __sys_sendmsg net/socket.c:2678 [inline]
 __do_sys_sendmsg net/socket.c:2683 [inline]
 __se_sys_sendmsg net/socket.c:2681 [inline]
 __x64_sys_sendmsg+0x1bd/0x2a0 net/socket.c:2681
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f42b259c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd292400e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f42b2815fa0 RCX: 00007f42b259c799
RDX: 000000000000c050 RSI: 0000200000000cc0 RDI: 0000000000000003
RBP: 00007f42b2632bd9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f42b2815fac R14: 00007f42b2815fa0 R15: 00007f42b2815fa0
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0x15a/0x190 lib/list_debug.c:62
Code: e8 1b 99 54 fd 43 80 3c 2c 00 74 08 4c 89 ff e8 7c 93 77 fd 49 8b 17 48 c7 c7 c0 ae 27 8c 48 89 de 4c 89 f9 e8 57 9c 6f fc 90 <0f> 0b 4c 89 f7 e8 ec 98 54 fd 43 80 3c 2c 00 74 08 4c 89 ff e8 4d
RSP: 0018:ffffc90004a76700 EFLAGS: 00010246

RAX: 000000000000006d RBX: ffff88802b0a5300 RCX: cc441111bdb3b700
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 1ffff9200094ed32 R08: ffffc90004a76487 R09: 1ffff9200094ec90
R10: dffffc0000000000 R11: fffff5200094ec91 R12: 1ffffffff1e87acc
R13: dffffc0000000000 R14: ffffffff8f43d660 R15: ffffffff8f43d660

Crashes (28):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/03/02 18:26 net 9439a661c2e8 b9dd6534 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce BUG: corrupted list in flow_block_cb_setup_simple
2026/03/02 14:36 net 9439a661c2e8 b9dd6534 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce BUG: corrupted list in flow_block_cb_setup_simple
2025/10/05 21:42 net 1b54b0756f05 49379ee0 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce BUG: corrupted list in flow_block_cb_setup_simple
2025/09/12 07:54 bpf e59a039119c3 e2beed91 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce BUG: corrupted list in flow_block_cb_setup_simple
2025/09/12 06:27 bpf e59a039119c3 e2beed91 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce BUG: corrupted list in flow_block_cb_setup_simple
2025/09/12 05:00 bpf e59a039119c3 e2beed91 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce BUG: corrupted list in flow_block_cb_setup_simple
2025/09/12 03:29 bpf e59a039119c3 e2beed91 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce BUG: corrupted list in flow_block_cb_setup_simple
2025/09/11 23:17 bpf e59a039119c3 e2beed91 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce BUG: corrupted list in flow_block_cb_setup_simple
2025/10/22 09:22 bpf-next e7586577b75f 252fbbad .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce BUG: corrupted list in flow_block_cb_setup_simple
2025/09/29 09:40 bpf-next 4ef77dd584cf 001c9061 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce BUG: corrupted list in flow_block_cb_setup_simple
2025/09/28 22:46 bpf-next 4ef77dd584cf 001c9061 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce BUG: corrupted list in flow_block_cb_setup_simple
2025/10/06 03:31 linux-next 47a8d4b89844 49379ee0 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce BUG: corrupted list in flow_block_cb_setup_simple
2025/09/13 16:29 linux-next 590b221ed425 e2beed91 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce BUG: corrupted list in flow_block_cb_setup_simple
2025/09/13 15:02 linux-next 590b221ed425 e2beed91 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce BUG: corrupted list in flow_block_cb_setup_simple
2025/09/13 12:49 linux-next 590b221ed425 e2beed91 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce BUG: corrupted list in flow_block_cb_setup_simple
2025/09/13 09:27 linux-next 590b221ed425 e2beed91 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce BUG: corrupted list in flow_block_cb_setup_simple
2026/03/02 17:09 net 9439a661c2e8 b9dd6534 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce KASAN: slab-use-after-free Read in flow_block_cb_setup_simple
2025/10/12 05:11 bpf 67029a49db6c ff1712fe .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce KASAN: slab-use-after-free Read in flow_block_cb_setup_simple
2025/09/12 00:57 bpf e59a039119c3 e2beed91 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce KASAN: slab-use-after-free Read in flow_block_cb_setup_simple
2025/09/29 08:37 bpf-next 4ef77dd584cf 001c9061 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce KASAN: slab-use-after-free Read in flow_block_cb_setup_simple
2025/09/29 05:27 bpf-next 4ef77dd584cf 001c9061 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce general protection fault in flow_block_cb_setup_simple
2025/09/29 04:01 bpf-next 4ef77dd584cf 001c9061 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-bpf-next-kasan-gce KASAN: slab-use-after-free Read in flow_block_cb_setup_simple
2025/09/13 11:45 linux-next 590b221ed425 e2beed91 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce general protection fault in flow_block_cb_setup_simple
2026/03/02 20:15 net 9439a661c2e8 b9dd6534 .config console log report syz / log [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce BUG: corrupted list in flow_block_cb_setup_simple
2026/03/04 13:31 upstream 0031c06807cf e6b6b96b .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 BUG: corrupted list in flow_block_cb_setup_simple
2026/02/27 17:31 upstream a75cb869a8cc 2cf092b8 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 BUG: corrupted list in flow_block_cb_setup_simple
2026/01/04 21:02 upstream 54e82e93ca93 d1b870e1 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 BUG: corrupted list in flow_block_cb_setup_simple
2025/09/11 21:41 bpf e59a039119c3 e2beed91 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce BUG: corrupted list in flow_block_cb_setup_simple
* Struck through repros no longer work on HEAD.