[syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump

[syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    4e82c87058f4 Merge tag 'rust-6.15' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17454e4c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f51da9763f36e4c7
dashboard link: https://syzkaller.appspot.com/bug?extid=ac3c79181f6aecc5120c
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a9052db6d173/disk-4e82c870.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9398a2c8040b/vmlinux-4e82c870.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8589baa292f3/bzImage-4e82c870.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ac3c79181f6aecc5120c@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in skb_put_data include/linux/skbuff.h:2752 [inline]
BUG: KASAN: vmalloc-out-of-bounds in hci_devcd_dump+0x142/0x240 net/bluetooth/coredump.c:258
Read of size 140 at addr ffffc90004ed5000 by task kworker/u9:2/5844

CPU: 1 UID: 0 PID: 5844 Comm: kworker/u9:2 Not tainted 6.14.0-syzkaller-10892-g4e82c87058f4 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: hci0 hci_devcd_timeout
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xc3/0x670 mm/kasan/report.c:521
 kasan_report+0xe0/0x110 mm/kasan/report.c:634
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
 __asan_memcpy+0x23/0x60 mm/kasan/shadow.c:105
 skb_put_data include/linux/skbuff.h:2752 [inline]
 hci_devcd_dump+0x142/0x240 net/bluetooth/coredump.c:258
 hci_devcd_timeout+0xb5/0x2e0 net/bluetooth/coredump.c:413
 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
 kthread+0x3c2/0x780 kernel/kthread.c:464
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address ffffc90004ed5000 belongs to a vmalloc virtual mapping
Memory state around the buggy address:
 ffffc90004ed4f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90004ed4f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90004ed5000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc90004ed5080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90004ed5100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit:    a1b5bd45d4ee Merge tag 'usb-6.15-rc1' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1709494c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=44bfe55da7676adc
dashboard link: https://syzkaller.appspot.com/bug?extid=ac3c79181f6aecc5120c
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13e60be4580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10c5cfb0580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9096ac93f836/disk-a1b5bd45.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/83a88633dd9d/vmlinux-a1b5bd45.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7353859863a8/bzImage-a1b5bd45.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ac3c79181f6aecc5120c@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in skb_put_data include/linux/skbuff.h:2752 [inline]
BUG: KASAN: vmalloc-out-of-bounds in hci_devcd_dump+0x142/0x240 net/bluetooth/coredump.c:258
Read of size 140 at addr ffffc90000ace000 by task kworker/u9:1/5151

CPU: 0 UID: 0 PID: 5151 Comm: kworker/u9:1 Not tainted 6.14.0-syzkaller-12886-ga1b5bd45d4ee #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: hci0 hci_devcd_timeout
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xc3/0x670 mm/kasan/report.c:521
 kasan_report+0xe0/0x110 mm/kasan/report.c:634
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
 __asan_memcpy+0x23/0x60 mm/kasan/shadow.c:105
 skb_put_data include/linux/skbuff.h:2752 [inline]
 hci_devcd_dump+0x142/0x240 net/bluetooth/coredump.c:258
 hci_devcd_timeout+0xb5/0x2e0 net/bluetooth/coredump.c:413
 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
 kthread+0x3c2/0x780 kernel/kthread.c:464
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address ffffc90000ace000 belongs to a vmalloc virtual mapping
Memory state around the buggy address:
 ffffc90000acdf00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90000acdf80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90000ace000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc90000ace080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90000ace100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

syz test

[Arnaud Lecomte]

#syz test

--- a/net/bluetooth/coredump.c
+++ b/net/bluetooth/coredump.c
@@ -249,6 +249,11 @@ static void hci_devcd_dump(struct hci_dev *hdev)
 
        size = hdev->dump.tail - hdev->dump.head;
 
+       if (size >SKB_MAX_ALLOC) {
+               bt_dev_err(hdev, "Dump too large (%u bytes)", size);
+               return;
+       }
+
        /* Emit a devcoredump with the available data */
        dev_coredumpv(&hdev->dev, hdev->dump.head, size, GFP_KERNEL);

--

RE: syz test

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 550 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: net/bluetooth/coredump.c:249
error: net/bluetooth/coredump.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.


---
Regards,
Linux Bluetooth

Re: [syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in force_devcd_write

==================================================================
BUG: KASAN: slab-use-after-free in force_devcd_write+0x312/0x340 drivers/bluetooth/hci_vhci.c:327
Read of size 8 at addr ffff888028448800 by task syz.0.616/8068

CPU: 0 UID: 0 PID: 8068 Comm: syz.0.616 Not tainted 6.15.0-rc3-syzkaller-gbc3372351d0c-dirty #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xc3/0x670 mm/kasan/report.c:521
 kasan_report+0xe0/0x110 mm/kasan/report.c:634
 force_devcd_write+0x312/0x340 drivers/bluetooth/hci_vhci.c:327
 full_proxy_write+0x13c/0x200 fs/debugfs/file.c:398
 vfs_write+0x25c/0x1180 fs/read_write.c:682
 ksys_write+0x12a/0x240 fs/read_write.c:736
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x230 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1dc558e169
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1dc47fe038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f1dc57b5fa0 RCX: 00007f1dc558e169
RDX: 000000000000000e RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f1dc5610a68 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f1dc57b5fa0 R15: 00007ffc66674788
 </TASK>

Allocated by task 6607:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 vhci_open+0x4c/0x430 drivers/bluetooth/hci_vhci.c:635
 misc_open+0x35a/0x420 drivers/char/misc.c:179
 chrdev_open+0x231/0x6a0 fs/char_dev.c:414
 do_dentry_open+0x741/0x1c10 fs/open.c:956
 vfs_open+0x82/0x3f0 fs/open.c:1086
 do_open fs/namei.c:3880 [inline]
 path_openat+0x1e5e/0x2d40 fs/namei.c:4039
 do_filp_open+0x20b/0x470 fs/namei.c:4066
 do_sys_openat2+0x11b/0x1d0 fs/open.c:1429
 do_sys_open fs/open.c:1444 [inline]
 __do_sys_openat fs/open.c:1460 [inline]
 __se_sys_openat fs/open.c:1455 [inline]
 __x64_sys_openat+0x174/0x210 fs/open.c:1455
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x230 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 6607:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2398 [inline]
 slab_free mm/slub.c:4656 [inline]
 kfree+0x2b6/0x4d0 mm/slub.c:4855
 vhci_release+0xbb/0xf0 drivers/bluetooth/hci_vhci.c:671
 __fput+0x3ff/0xb70 fs/file_table.c:465
 task_work_run+0x14d/0x240 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0xafb/0x2c30 kernel/exit.c:953
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
 get_signal+0x2673/0x26d0 kernel/signal.c:3034
 arch_do_signal_or_restart+0x8f/0x7a0 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
 do_syscall_64+0xda/0x230 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888028448800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 0 bytes inside of
 freed 1024-byte region [ffff888028448800, ffff888028448c00)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28448
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b441dc0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801b441dc0 0000000000000000 dead000000000001
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0000a11201 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5928, tgid 5928 (kworker/u8:2), ts 88342641017, free_ts 88224139595
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1718
 prep_new_page mm/page_alloc.c:1726 [inline]
 get_page_from_freelist+0x135c/0x3920 mm/page_alloc.c:3688
 __alloc_frozen_pages_noprof+0x263/0x23a0 mm/page_alloc.c:4970
 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2301
 alloc_slab_page mm/slub.c:2468 [inline]
 allocate_slab mm/slub.c:2632 [inline]
 new_slab+0x244/0x340 mm/slub.c:2686
 ___slab_alloc+0xd9c/0x1940 mm/slub.c:3872
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3962
 __slab_alloc_node mm/slub.c:4037 [inline]
 slab_alloc_node mm/slub.c:4198 [inline]
 __do_kmalloc_node mm/slub.c:4340 [inline]
 __kmalloc_noprof+0x2f2/0x510 mm/slub.c:4353
 kmalloc_noprof include/linux/slab.h:909 [inline]
 load_elf_phdrs+0x102/0x210 fs/binfmt_elf.c:532
 load_elf_binary+0x14b3/0x4f80 fs/binfmt_elf.c:960
 search_binary_handler fs/exec.c:1778 [inline]
 exec_binprm fs/exec.c:1810 [inline]
 bprm_execve fs/exec.c:1862 [inline]
 bprm_execve+0x8c0/0x1650 fs/exec.c:1838
 kernel_execve+0x2ef/0x3b0 fs/exec.c:2028
 call_usermodehelper_exec_async+0x255/0x4c0 kernel/umh.c:109
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
page last free pid 5903 tgid 5903 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1262 [inline]
 __free_frozen_pages+0x69d/0xff0 mm/page_alloc.c:2725
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4161 [inline]
 slab_alloc_node mm/slub.c:4210 [inline]
 kmem_cache_alloc_noprof+0x1cb/0x3b0 mm/slub.c:4217
 getname_flags.part.0+0x4c/0x550 fs/namei.c:146
 getname_flags+0x93/0xf0 include/linux/audit.h:322
 getname include/linux/fs.h:2852 [inline]
 do_sys_openat2+0xb8/0x1d0 fs/open.c:1423
 do_sys_open fs/open.c:1444 [inline]
 __do_sys_openat fs/open.c:1460 [inline]
 __se_sys_openat fs/open.c:1455 [inline]
 __x64_sys_openat+0x174/0x210 fs/open.c:1455
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x230 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888028448700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888028448780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888028448800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888028448880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888028448900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit:         bc337235 Merge tag 'for-6.15-rc3-tag' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11a91014580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f65c1740d8e72188
dashboard link: https://syzkaller.appspot.com/bug?extid=ac3c79181f6aecc5120c
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11fdbacc580000

Re: [syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump

[Ivan Pravdin]

[-- Attachment #1: Type: text/plain, Size: 25 bytes --]

#syz test

	Ivan Pravdin

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 3549 bytes --]

diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index f7d8c3c00655..2fef08254d78 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -380,6 +380,28 @@ static const struct file_operations force_devcoredump_fops = {
 	.write		= force_devcd_write,
 };
 
+static void vhci_debugfs_init(struct vhci_data *data)
+{
+	struct hci_dev *hdev = data->hdev;
+
+	debugfs_create_file("force_suspend", 0644, hdev->debugfs, data,
+			    &force_suspend_fops);
+
+	debugfs_create_file("force_wakeup", 0644, hdev->debugfs, data,
+			    &force_wakeup_fops);
+
+	if (IS_ENABLED(CONFIG_BT_MSFTEXT))
+		debugfs_create_file("msft_opcode", 0644, hdev->debugfs, data,
+				    &msft_opcode_fops);
+
+	if (IS_ENABLED(CONFIG_BT_AOSPEXT))
+		debugfs_create_file("aosp_capable", 0644, hdev->debugfs, data,
+				    &aosp_capable_fops);
+
+	debugfs_create_file("force_devcoredump", 0644, hdev->debugfs, data,
+			    &force_devcoredump_fops);
+}
+
 static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
 {
 	struct hci_dev *hdev;
@@ -434,22 +456,8 @@ static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
 		return -EBUSY;
 	}
 
-	debugfs_create_file("force_suspend", 0644, hdev->debugfs, data,
-			    &force_suspend_fops);
-
-	debugfs_create_file("force_wakeup", 0644, hdev->debugfs, data,
-			    &force_wakeup_fops);
-
-	if (IS_ENABLED(CONFIG_BT_MSFTEXT))
-		debugfs_create_file("msft_opcode", 0644, hdev->debugfs, data,
-				    &msft_opcode_fops);
-
-	if (IS_ENABLED(CONFIG_BT_AOSPEXT))
-		debugfs_create_file("aosp_capable", 0644, hdev->debugfs, data,
-				    &aosp_capable_fops);
-
-	debugfs_create_file("force_devcoredump", 0644, hdev->debugfs, data,
-			    &force_devcoredump_fops);
+	if (!IS_ERR_OR_NULL(hdev->debugfs))
+		vhci_debugfs_init(data);
 
 	hci_skb_pkt_type(skb) = HCI_VENDOR_PKT;
 
@@ -651,6 +659,21 @@ static int vhci_open(struct inode *inode, struct file *file)
 	return 0;
 }
 
+static void vhci_debugfs_remove(struct hci_dev *hdev)
+{
+	debugfs_lookup_and_remove("force_suspend", hdev->debugfs);
+
+	debugfs_lookup_and_remove("force_wakeup", hdev->debugfs);
+
+	if (IS_ENABLED(CONFIG_BT_MSFTEXT))
+		debugfs_lookup_and_remove("msft_opcode", hdev->debugfs);
+
+	if (IS_ENABLED(CONFIG_BT_AOSPEXT))
+		debugfs_lookup_and_remove("aosp_capable", hdev->debugfs);
+
+	debugfs_lookup_and_remove("force_devcoredump", hdev->debugfs);
+}
+
 static int vhci_release(struct inode *inode, struct file *file)
 {
 	struct vhci_data *data = file->private_data;
@@ -662,6 +685,8 @@ static int vhci_release(struct inode *inode, struct file *file)
 	hdev = data->hdev;
 
 	if (hdev) {
+		if (!IS_ERR_OR_NULL(hdev->debugfs))
+			vhci_debugfs_remove(hdev);
 		hci_unregister_dev(hdev);
 		hci_free_dev(hdev);
 	}
diff --git a/net/bluetooth/coredump.c b/net/bluetooth/coredump.c
index 819eacb38762..720cb79adf96 100644
--- a/net/bluetooth/coredump.c
+++ b/net/bluetooth/coredump.c
@@ -249,15 +249,15 @@ static void hci_devcd_dump(struct hci_dev *hdev)
 
 	size = hdev->dump.tail - hdev->dump.head;
 
-	/* Emit a devcoredump with the available data */
-	dev_coredumpv(&hdev->dev, hdev->dump.head, size, GFP_KERNEL);
-
 	/* Send a copy to monitor as a diagnostic packet */
 	skb = bt_skb_alloc(size, GFP_ATOMIC);
 	if (skb) {
 		skb_put_data(skb, hdev->dump.head, size);
 		hci_recv_diag(hdev, skb);
 	}
+
+	/* Emit a devcoredump with the available data */
+	dev_coredumpv(&hdev->dev, hdev->dump.head, size, GFP_KERNEL);
 }
 
 static void hci_devcd_handle_pkt_complete(struct hci_dev *hdev,

Re: [syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+ac3c79181f6aecc5120c@syzkaller.appspotmail.com
Tested-by: syzbot+ac3c79181f6aecc5120c@syzkaller.appspotmail.com

Tested on:

commit:         e2291551 Merge tag 'probes-fixes-v6.16-rc6' of git://g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=103bc58c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=693e2f5eea496864
dashboard link: https://syzkaller.appspot.com/bug?extid=ac3c79181f6aecc5120c
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1672e382580000

Note: testing is done by a robot and is best-effort only.

Re: [syzbot] Re: [syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump
Author: ipravdin.official@gmail.com

#syz test

diff --git a/net/bluetooth/coredump.c b/net/bluetooth/coredump.c
index 819eacb38762..720cb79adf96 100644
--- a/net/bluetooth/coredump.c
+++ b/net/bluetooth/coredump.c
@@ -249,15 +249,15 @@ static void hci_devcd_dump(struct hci_dev *hdev)
 
        size = hdev->dump.tail - hdev->dump.head;
 
-       /* Emit a devcoredump with the available data */
-       dev_coredumpv(&hdev->dev, hdev->dump.head, size, GFP_KERNEL);
-
        /* Send a copy to monitor as a diagnostic packet */
        skb = bt_skb_alloc(size, GFP_ATOMIC);
        if (skb) {
                skb_put_data(skb, hdev->dump.head, size);
                hci_recv_diag(hdev, skb);
        }
+
+       /* Emit a devcoredump with the available data */
+       dev_coredumpv(&hdev->dev, hdev->dump.head, size, GFP_KERNEL);
 }

Ivan Pravdin

Re: [syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump

[Ivan Pravdin]

#syz test

diff --git a/net/bluetooth/coredump.c b/net/bluetooth/coredump.c
index 819eacb38762..1232c9a94f95 100644
--- a/net/bluetooth/coredump.c
+++ b/net/bluetooth/coredump.c
@@ -243,6 +243,7 @@ static void hci_devcd_handle_pkt_pattern(struct hci_dev *hdev,
 static void hci_devcd_dump(struct hci_dev *hdev)
 {
        struct sk_buff *skb;
+       char *coredump;
        u32 size;
 
        bt_dev_dbg(hdev, "state %d", hdev->dump.state);
@@ -250,7 +251,11 @@ static void hci_devcd_dump(struct hci_dev *hdev)
        size = hdev->dump.tail - hdev->dump.head;
 
        /* Emit a devcoredump with the available data */
-       dev_coredumpv(&hdev->dev, hdev->dump.head, size, GFP_KERNEL);
+       coredump = vmalloc(size);
+       if (coredump) {
+               memcpy(coredump, hdev->dump.head, size);
+               dev_coredumpv(&hdev->dev, coredump, size, GFP_KERNEL);
+       }
 
        /* Send a copy to monitor as a diagnostic packet */
        skb = bt_skb_alloc(size, GFP_ATOMIC);

Ivan Pravdin

Re: [syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in force_devcd_write

==================================================================
BUG: KASAN: slab-use-after-free in force_devcd_write+0x312/0x340 drivers/bluetooth/hci_vhci.c:327
Read of size 8 at addr ffff88807b5f6000 by task syz.0.616/7999

CPU: 0 UID: 0 PID: 7999 Comm: syz.0.616 Not tainted 6.15.0-syzkaller-13804-g939f15e640f1-dirty #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xcd/0x680 mm/kasan/report.c:521
 kasan_report+0xe0/0x110 mm/kasan/report.c:634
 force_devcd_write+0x312/0x340 drivers/bluetooth/hci_vhci.c:327
 full_proxy_write+0x13f/0x200 fs/debugfs/file.c:398
 vfs_write+0x29d/0x1150 fs/read_write.c:684
 ksys_write+0x12a/0x250 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3210d8e969
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3211b9b038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f3210fb5fa0 RCX: 00007f3210d8e969
RDX: 000000000000000e RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f3210e10ab1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f3210fb5fa0 R15: 00007fff9eb91938
 </TASK>

Allocated by task 6438:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 vhci_open+0x4c/0x430 drivers/bluetooth/hci_vhci.c:635
 misc_open+0x35d/0x420 drivers/char/misc.c:161
 chrdev_open+0x231/0x6a0 fs/char_dev.c:414
 do_dentry_open+0x744/0x1c10 fs/open.c:964
 vfs_open+0x82/0x3f0 fs/open.c:1094
 do_open fs/namei.c:3887 [inline]
 path_openat+0x1de4/0x2cb0 fs/namei.c:4046
 do_filp_open+0x20b/0x470 fs/namei.c:4073
 do_sys_openat2+0x11b/0x1d0 fs/open.c:1437
 do_sys_open fs/open.c:1452 [inline]
 __do_sys_openat fs/open.c:1468 [inline]
 __se_sys_openat fs/open.c:1463 [inline]
 __x64_sys_openat+0x174/0x210 fs/open.c:1463
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 6438:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2381 [inline]
 slab_free mm/slub.c:4643 [inline]
 kfree+0x2b4/0x4d0 mm/slub.c:4842
 vhci_release+0xbb/0xf0 drivers/bluetooth/hci_vhci.c:671
 __fput+0x402/0xb70 fs/file_table.c:465
 task_work_run+0x150/0x240 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x864/0x2bd0 kernel/exit.c:955
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1104
 get_signal+0x2673/0x26d0 kernel/signal.c:3034
 arch_do_signal_or_restart+0x8f/0x790 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop+0x84/0x110 kernel/entry/common.c:111
 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
 do_syscall_64+0x3f6/0x490 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88807b5f6000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 0 bytes inside of
 freed 1024-byte region [ffff88807b5f6000, ffff88807b5f6400)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7b5f0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b441dc0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801b441dc0 dead000000000100 dead000000000122
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0001ed7c01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5498, tgid 5498 (S41dhcpcd), ts 56157746693, free_ts 56113477136
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x1321/0x3890 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:4959
 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2419
 alloc_slab_page mm/slub.c:2451 [inline]
 allocate_slab mm/slub.c:2619 [inline]
 new_slab+0x23b/0x330 mm/slub.c:2673
 ___slab_alloc+0xd9c/0x1940 mm/slub.c:3859
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3949
 __slab_alloc_node mm/slub.c:4024 [inline]
 slab_alloc_node mm/slub.c:4185 [inline]
 __do_kmalloc_node mm/slub.c:4327 [inline]
 __kmalloc_noprof+0x2f2/0x510 mm/slub.c:4340
 kmalloc_noprof include/linux/slab.h:909 [inline]
 load_elf_phdrs+0x102/0x210 fs/binfmt_elf.c:525
 load_elf_binary+0x1fa/0x4f00 fs/binfmt_elf.c:854
 search_binary_handler fs/exec.c:1665 [inline]
 exec_binprm fs/exec.c:1697 [inline]
 bprm_execve fs/exec.c:1749 [inline]
 bprm_execve+0x8c3/0x1650 fs/exec.c:1725
 do_execveat_common.isra.0+0x4a5/0x610 fs/exec.c:1855
 do_execve fs/exec.c:1929 [inline]
 __do_sys_execve fs/exec.c:2005 [inline]
 __se_sys_execve fs/exec.c:2000 [inline]
 __x64_sys_execve+0x8e/0xb0 fs/exec.c:2000
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5184 tgid 5184 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 __free_frozen_pages+0x7fe/0x1180 mm/page_alloc.c:2706
 discard_slab mm/slub.c:2717 [inline]
 __put_partials+0x16d/0x1c0 mm/slub.c:3186
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4d/0x120 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4148 [inline]
 slab_alloc_node mm/slub.c:4197 [inline]
 kmem_cache_alloc_lru_noprof+0x1d0/0x3b0 mm/slub.c:4216
 __d_alloc+0x31/0xaa0 fs/dcache.c:1690
 d_alloc+0x4a/0x1e0 fs/dcache.c:1769
 d_alloc_parallel+0xe3/0x12e0 fs/dcache.c:2533
 __lookup_slow+0x193/0x460 fs/namei.c:1802
 lookup_slow fs/namei.c:1834 [inline]
 walk_component+0x353/0x5b0 fs/namei.c:2138
 lookup_last fs/namei.c:2639 [inline]
 path_lookupat+0x142/0x6d0 fs/namei.c:2663
 filename_lookup+0x224/0x5f0 fs/namei.c:2692
 vfs_statx+0x101/0x3e0 fs/stat.c:353
 vfs_fstatat+0x7b/0xf0 fs/stat.c:375
 __do_sys_newfstatat+0x97/0x120 fs/stat.c:542

Memory state around the buggy address:
 ffff88807b5f5f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88807b5f5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807b5f6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88807b5f6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807b5f6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit:         939f15e6 Merge tag 'turbostat-2025.06.08' of git://git..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15698a82580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6678e7c8a50af095
dashboard link: https://syzkaller.appspot.com/bug?extid=ac3c79181f6aecc5120c
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15c18a82580000

Re: [syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump

[Ivan Pravdin]

#syz test

diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index 59f4d7bdffdc..493d704c0dfb 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -661,6 +661,8 @@ static int vhci_release(struct inode *inode, struct file *file)
 
 	hdev = data->hdev;
 
+	debugfs_remove_recursive(hdev->debugfs);
+
 	if (hdev) {
 		hci_unregister_dev(hdev);
 		hci_free_dev(hdev);
diff --git a/net/bluetooth/coredump.c b/net/bluetooth/coredump.c
index 819eacb38762..1232c9a94f95 100644
--- a/net/bluetooth/coredump.c
+++ b/net/bluetooth/coredump.c
@@ -243,6 +243,7 @@ static void hci_devcd_handle_pkt_pattern(struct hci_dev *hdev,
 static void hci_devcd_dump(struct hci_dev *hdev)
 {
 	struct sk_buff *skb;
+	char *coredump;
 	u32 size;
 
 	bt_dev_dbg(hdev, "state %d", hdev->dump.state);
@@ -250,7 +251,11 @@ static void hci_devcd_dump(struct hci_dev *hdev)
 	size = hdev->dump.tail - hdev->dump.head;
 
 	/* Emit a devcoredump with the available data */
-	dev_coredumpv(&hdev->dev, hdev->dump.head, size, GFP_KERNEL);
+	coredump = vmalloc(size);
+	if (coredump) {
+		memcpy(coredump, hdev->dump.head, size);
+		dev_coredumpv(&hdev->dev, coredump, size, GFP_KERNEL);
+	}
 
 	/* Send a copy to monitor as a diagnostic packet */
 	skb = bt_skb_alloc(size, GFP_ATOMIC);

Ivan Pravdin

Re: [syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

cquire+0xfc/0x350
[  109.325603][ T5869]  _raw_spin_lock+0x2e/0x40
[  109.325629][ T5869]  ? lockref_get+0x15/0x50
[  109.325659][ T5869]  lockref_get+0x15/0x50
[  109.325688][ T5869]  simple_recursive_removal+0x3b/0x690
[  109.325717][ T5869]  ? do_raw_spin_unlock+0x172/0x230
[  109.325747][ T5869]  ? __pfx_remove_one+0x10/0x10
[  109.325771][ T5869]  ? mntput+0x10/0x90
[  109.325796][ T5869]  debugfs_remove+0x5d/0x80
[  109.325821][ T5869]  hci_release_dev+0x8c/0x600
[  109.325852][ T5869]  ? __pfx_hci_release_dev+0x10/0x10
[  109.325882][ T5869]  ? rcu_is_watching+0x12/0xc0
[  109.325903][ T5869]  ? kfree+0x24f/0x4d0
[  109.325931][ T5869]  bt_host_release+0x6a/0xb0
[  109.325952][ T5869]  ? __pfx_bt_host_release+0x10/0x10
[  109.325973][ T5869]  device_release+0xa1/0x240
[  109.325999][ T5869]  kobject_put+0x1e7/0x5a0
[  109.326020][ T5869]  ? __pfx_vhci_release+0x10/0x10
[  109.326052][ T5869]  put_device+0x1f/0x30
[  109.326076][ T5869]  vhci_release+0xb5/0x130
[  109.326108][ T5869]  __fput+0x402/0xb70
[  109.326132][ T5869]  task_work_run+0x150/0x240
[  109.326164][ T5869]  ? __pfx_task_work_run+0x10/0x10
[  109.326199][ T5869]  do_exit+0x864/0x2bd0
[  109.326230][ T5869]  ? __pfx_do_exit+0x10/0x10
[  109.326256][ T5869]  ? do_raw_spin_lock+0x12c/0x2b0
[  109.326286][ T5869]  ? find_held_lock+0x2b/0x80
[  109.326308][ T5869]  do_group_exit+0xd3/0x2a0
[  109.326336][ T5869]  get_signal+0x2673/0x26d0
[  109.326363][ T5869]  ? __pfx_get_signal+0x10/0x10
[  109.326385][ T5869]  ? kmem_cache_free+0x16d/0x4d0
[  109.326413][ T5869]  ? __fput+0x68d/0xb70
[  109.326434][ T5869]  arch_do_signal_or_restart+0x8f/0x790
[  109.326457][ T5869]  ? __fput+0x68d/0xb70
[  109.326476][ T5869]  ? __pfx_arch_do_signal_or_restart+0x10/0x10
[  109.326503][ T5869]  ? __pfx_fput_close_sync+0x10/0x10
[  109.326524][ T5869]  ? dnotify_flush+0x79/0x4c0
[  109.326566][ T5869]  exit_to_user_mode_loop+0x84/0x110
[  109.326600][ T5869]  do_syscall_64+0x3f6/0x490
[  109.326621][ T5869]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  109.326644][ T5869] RIP: 0033:0x7f6845b8d5ca
[  109.326661][ T5869] Code: Unable to access opcode bytes at 0x7f6845b8d5a0.
[  109.326671][ T5869] RSP: 002b:00007ffefac60c40 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[  109.326693][ T5869] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007f6845b8d5ca
[  109.326706][ T5869] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[  109.326719][ T5869] RBP: 00007ffefac60c9c R08: 0000000000000000 R09: 00007ffefac609a7
[  109.326732][ T5869] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[  109.326745][ T5869] R13: 00000000000927c0 R14: 000000000001aa36 R15: 00007ffefac60cf0
[  109.326765][ T5869]  </TASK>
[  109.326772][ T5869] 
[  109.662463][ T5869] Allocated by task 5869:
[  109.666812][ T5869]  kasan_save_stack+0x33/0x60
[  109.671613][ T5869]  kasan_save_track+0x14/0x30
[  109.676325][ T5869]  __kasan_slab_alloc+0x89/0x90
[  109.681256][ T5869]  kmem_cache_alloc_lru_noprof+0x1d0/0x3b0
[  109.687349][ T5869]  __d_alloc+0x31/0xaa0
[  109.691619][ T5869]  d_alloc+0x4a/0x1e0
[  109.695718][ T5869]  d_alloc_parallel+0xe3/0x12e0
[  109.700963][ T5869]  __lookup_slow+0x193/0x460
[  109.705774][ T5869]  lookup_noperm+0xe1/0x110
[  109.710312][ T5869]  start_creating.part.0+0x15a/0x3e0
[  109.716005][ T5869]  debugfs_create_dir+0x6c/0x5f0
[  109.721340][ T5869]  hci_register_dev+0x2f2/0xc60
[  109.726328][ T5869]  __vhci_create_device+0x357/0x7f0
[  109.731716][ T5869]  vhci_write+0x2c0/0x480
[  109.736252][ T5869]  vfs_write+0x6c4/0x1150
[  109.740904][ T5869]  ksys_write+0x12a/0x250
[  109.745448][ T5869]  do_syscall_64+0xcd/0x490
[  109.750065][ T5869]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  109.755993][ T5869] 
[  109.758349][ T5869] Freed by task 15:
[  109.762424][ T5869]  kasan_save_stack+0x33/0x60
[  109.767369][ T5869]  kasan_save_track+0x14/0x30
[  109.772423][ T5869]  kasan_save_free_info+0x3b/0x60
[  109.777663][ T5869]  __kasan_slab_free+0x51/0x70
[  109.782576][ T5869]  kmem_cache_free+0x2d1/0x4d0
[  109.787495][ T5869]  rcu_core+0x79c/0x14e0
[  109.791784][ T5869]  handle_softirqs+0x219/0x8e0
[  109.796774][ T5869]  run_ksoftirqd+0x3a/0x60
[  109.801340][ T5869]  smpboot_thread_fn+0x3f7/0xae0
[  109.806423][ T5869]  kthread+0x3c2/0x780
[  109.810589][ T5869]  ret_from_fork+0x5d4/0x6f0
[  109.815482][ T5869]  ret_from_fork_asm+0x1a/0x30
[  109.820362][ T5869] 
[  109.823072][ T5869] Last potentially related work creation:
[  109.828904][ T5869]  kasan_save_stack+0x33/0x60
[  109.833815][ T5869]  kasan_record_aux_stack+0xa7/0xc0
[  109.839064][ T5869]  __call_rcu_common.constprop.0+0x9a/0x9f0
[  109.846303][ T5869]  dentry_free+0xc2/0x160
[  109.850666][ T5869]  __dentry_kill+0x498/0x600
[  109.855291][ T5869]  dput.part.0+0x4b1/0x9b0
[  109.859830][ T5869]  dput+0x1f/0x30
[  109.863586][ T5869]  debugfs_remove+0x5d/0x80
[  109.868127][ T5869]  vhci_release+0x9b/0x130
[  109.872572][ T5869]  __fput+0x402/0xb70
[  109.876663][ T5869]  task_work_run+0x150/0x240
[  109.881510][ T5869]  do_exit+0x864/0x2bd0
[  109.885964][ T5869]  do_group_exit+0xd3/0x2a0
[  109.890524][ T5869]  get_signal+0x2673/0x26d0
[  109.895159][ T5869]  arch_do_signal_or_restart+0x8f/0x790
[  109.900906][ T5869]  exit_to_user_mode_loop+0x84/0x110
[  109.906326][ T5869]  do_syscall_64+0x3f6/0x490
[  109.911128][ T5869]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  109.917311][ T5869] 
[  109.919935][ T5869] The buggy address belongs to the object at ffff888071891a70
[  109.919935][ T5869]  which belongs to the cache dentry of size 312
[  109.934312][ T5869] The buggy address is located 208 bytes inside of
[  109.934312][ T5869]  freed 312-byte region [ffff888071891a70, ffff888071891ba8)
[  109.949195][ T5869] 
[  109.951537][ T5869] The buggy address belongs to the physical page:
[  109.957976][ T5869] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x71890
[  109.967572][ T5869] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  109.976151][ T5869] memcg:ffff88802919ed01
[  109.980496][ T5869] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[  109.988514][ T5869] page_type: f5(slab)
[  109.993050][ T5869] raw: 00fff00000000040 ffff88801ca94780 dead000000000122 0000000000000000
[  110.001676][ T5869] raw: 0000000000000000 0000000000150015 00000000f5000000 ffff88802919ed01
[  110.010388][ T5869] head: 00fff00000000040 ffff88801ca94780 dead000000000122 0000000000000000
[  110.019449][ T5869] head: 0000000000000000 0000000000150015 00000000f5000000 ffff88802919ed01
[  110.028182][ T5869] head: 00fff00000000001 ffffea0001c62401 00000000ffffffff 00000000ffffffff
[  110.037080][ T5869] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[  110.045949][ T5869] page dumped because: kasan: bad access detected
[  110.052725][ T5869] page_owner tracks the page as allocated
[  110.058670][ T5869] page last allocated via order 1, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_RECLAIMABLE|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5864, tgid 5864 (syz-executor), ts 108825522753, free_ts 35108082918
[  110.083404][ T5869]  post_alloc_hook+0x1c0/0x230
[  110.089384][ T5869]  get_page_from_freelist+0x1321/0x3890
[  110.095163][ T5869]  __alloc_frozen_pages_noprof+0x261/0x23f0
[  110.102661][ T5869]  alloc_pages_mpol+0x1fb/0x550
[  110.108098][ T5869]  new_slab+0x23b/0x330
[  110.112837][ T5869]  ___slab_alloc+0xd9c/0x1940
[  110.117802][ T5869]  __slab_alloc.constprop.0+0x56/0xb0
[  110.123659][ T5869]  kmem_cache_alloc_lru_noprof+0xf4/0x3b0
[  110.129789][ T5869]  __d_alloc+0x31/0xaa0
[  110.134352][ T5869]  d_alloc_pseudo+0x1c/0xc0
[  110.139204][ T5869]  alloc_file_pseudo+0xcf/0x230
[  110.144507][ T5869]  sock_alloc_file+0x50/0x210
[  110.149791][ T5869]  __sys_socket+0x1c0/0x260
[  110.154768][ T5869]  __x64_sys_socket+0x72/0xb0
[  110.159903][ T5869]  do_syscall_64+0xcd/0x490
[  110.164705][ T5869]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  110.171259][ T5869] page last free pid 1 tgid 1 stack trace:
[  110.177345][ T5869]  __free_frozen_pages+0x7fe/0x1180
[  110.182956][ T5869]  free_contig_range+0x183/0x4b0
[  110.188039][ T5869]  destroy_args+0x7f6/0xa60
[  110.192847][ T5869]  debug_vm_pgtable+0x13b8/0x2d00
[  110.198193][ T5869]  do_one_initcall+0x120/0x6e0
[  110.203286][ T5869]  kernel_init_freeable+0x5c2/0x900
[  110.208731][ T5869]  kernel_init+0x1c/0x2b0
[  110.213105][ T5869]  ret_from_fork+0x5d4/0x6f0
[  110.217918][ T5869]  ret_from_fork_asm+0x1a/0x30
[  110.222812][ T5869] 
[  110.225370][ T5869] Memory state around the buggy address:
[  110.231468][ T5869]  ffff888071891a00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fa fb
[  110.240145][ T5869]  ffff888071891a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  110.248590][ T5869] >ffff888071891b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  110.257376][ T5869]                                            ^
[  110.263723][ T5869]  ffff888071891b80: fb fb fb fb fb fc fc fc fc fc fc fc fc fa fb fb
[  110.272360][ T5869]  ffff888071891c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  110.280656][ T5869] ==================================================================
[  110.290650][ T5869] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[  110.298787][ T5869] CPU: 1 UID: 0 PID: 5869 Comm: syz-executor Not tainted 6.16.0-rc1-syzkaller-g19272b37aa4f-dirty #0 PREEMPT(full) 
[  110.311806][ T5869] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[  110.321979][ T5869] Call Trace:
[  110.325949][ T5869]  <TASK>
[  110.329265][ T5869]  dump_stack_lvl+0x3d/0x1f0
[  110.334799][ T5869]  panic+0x71c/0x800
[  110.338998][ T5869]  ? __pfx_panic+0x10/0x10
[  110.343613][ T5869]  ? rcu_is_watching+0x12/0xc0
[  110.348630][ T5869]  ? irqentry_exit+0x3b/0x90
[  110.353343][ T5869]  ? lockdep_hardirqs_on+0x7c/0x110
[  110.358844][ T5869]  ? _raw_spin_lock+0x2e/0x40
[  110.363634][ T5869]  ? check_panic_on_warn+0x1f/0xb0
[  110.368878][ T5869]  ? _raw_spin_lock+0x2e/0x40
[  110.373779][ T5869]  check_panic_on_warn+0xab/0xb0
[  110.378848][ T5869]  end_report+0x107/0x170
[  110.383308][ T5869]  kasan_report+0xee/0x110
[  110.387745][ T5869]  ? _raw_spin_lock+0x2e/0x40
[  110.392640][ T5869]  ? _raw_spin_lock+0x2e/0x40
[  110.397603][ T5869]  __kasan_check_byte+0x36/0x50
[  110.402600][ T5869]  lock_acquire+0xfc/0x350
[  110.407153][ T5869]  _raw_spin_lock+0x2e/0x40
[  110.411773][ T5869]  ? lockref_get+0x15/0x50
[  110.416402][ T5869]  lockref_get+0x15/0x50
[  110.420955][ T5869]  simple_recursive_removal+0x3b/0x690
[  110.426702][ T5869]  ? do_raw_spin_unlock+0x172/0x230
[  110.431959][ T5869]  ? __pfx_remove_one+0x10/0x10
[  110.436933][ T5869]  ? mntput+0x10/0x90
[  110.441117][ T5869]  debugfs_remove+0x5d/0x80
[  110.446166][ T5869]  hci_release_dev+0x8c/0x600
[  110.450960][ T5869]  ? __pfx_hci_release_dev+0x10/0x10
[  110.456565][ T5869]  ? rcu_is_watching+0x12/0xc0
[  110.461363][ T5869]  ? kfree+0x24f/0x4d0
[  110.465635][ T5869]  bt_host_release+0x6a/0xb0
[  110.470427][ T5869]  ? __pfx_bt_host_release+0x10/0x10
[  110.475842][ T5869]  device_release+0xa1/0x240
[  110.480576][ T5869]  kobject_put+0x1e7/0x5a0
[  110.485098][ T5869]  ? __pfx_vhci_release+0x10/0x10
[  110.490263][ T5869]  put_device+0x1f/0x30
[  110.494492][ T5869]  vhci_release+0xb5/0x130
[  110.499490][ T5869]  __fput+0x402/0xb70
[  110.503813][ T5869]  task_work_run+0x150/0x240
[  110.508637][ T5869]  ? __pfx_task_work_run+0x10/0x10
[  110.514088][ T5869]  do_exit+0x864/0x2bd0
[  110.518757][ T5869]  ? __pfx_do_exit+0x10/0x10
[  110.523385][ T5869]  ? do_raw_spin_lock+0x12c/0x2b0
[  110.528713][ T5869]  ? find_held_lock+0x2b/0x80
[  110.533506][ T5869]  do_group_exit+0xd3/0x2a0
[  110.538221][ T5869]  get_signal+0x2673/0x26d0
[  110.542932][ T5869]  ? __pfx_get_signal+0x10/0x10
[  110.548742][ T5869]  ? kmem_cache_free+0x16d/0x4d0
[  110.553909][ T5869]  ? __fput+0x68d/0xb70
[  110.558187][ T5869]  arch_do_signal_or_restart+0x8f/0x790
[  110.564061][ T5869]  ? __fput+0x68d/0xb70
[  110.568918][ T5869]  ? __pfx_arch_do_signal_or_restart+0x10/0x10
[  110.575472][ T5869]  ? __pfx_fput_close_sync+0x10/0x10
[  110.580949][ T5869]  ? dnotify_flush+0x79/0x4c0
[  110.585856][ T5869]  exit_to_user_mode_loop+0x84/0x110
[  110.591259][ T5869]  do_syscall_64+0x3f6/0x490
[  110.595889][ T5869]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  110.602107][ T5869] RIP: 0033:0x7f6845b8d5ca
[  110.606681][ T5869] Code: Unable to access opcode bytes at 0x7f6845b8d5a0.
[  110.613977][ T5869] RSP: 002b:00007ffefac60c40 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[  110.622786][ T5869] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007f6845b8d5ca
[  110.630784][ T5869] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[  110.638860][ T5869] RBP: 00007ffefac60c9c R08: 0000000000000000 R09: 00007ffefac609a7
[  110.647030][ T5869] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[  110.655018][ T5869] R13: 00000000000927c0 R14: 000000000001aa36 R15: 00007ffefac60cf0
[  110.663275][ T5869]  </TASK>
[  110.667034][ T5869] Kernel Offset: disabled
[  110.671574][ T5869] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/syzkaller/jobs/linux/gopath/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.7.linux-amd64'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/syzkaller/jobs/linux/gopath/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.7.linux-amd64/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.7'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3640950295=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at 3d2f584dd
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=3d2f584ddab119da50e8a8d26765aa98d3b33c02 -X github.com/google/syzkaller/prog.gitRevisionDate=20250528-144826"  -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"3d2f584ddab119da50e8a8d26765aa98d3b33c02\"
/usr/bin/ld: /tmp/ccd8Gt78.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=12b67570580000


Tested on:

commit:         19272b37 Linux 6.16-rc1
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=c4c8362784bb7796
dashboard link: https://syzkaller.appspot.com/bug?extid=ac3c79181f6aecc5120c
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=130d8a0c580000

Re: [syzbot] Re: [syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: Re: [syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump
Author: ipravdin.official@gmail.com

#syz test

diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index 59f4d7bdffdc..82a1088cd662 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -380,6 +380,31 @@ static const struct file_operations force_devcoredump_fops = {
 	.write		= force_devcd_write,
 };
 
+static void vhci_debugfs_init(struct vhci_data *data)
+{
+	struct hci_dev *hdev = data->hdev;
+
+	if (!hdev->debugfs)
+		return;
+
+	debugfs_create_file("force_suspend", 0644, hdev->debugfs, data,
+			    &force_suspend_fops);
+
+	debugfs_create_file("force_wakeup", 0644, hdev->debugfs, data,
+			    &force_wakeup_fops);
+
+	if (IS_ENABLED(CONFIG_BT_MSFTEXT))
+		debugfs_create_file("msft_opcode", 0644, hdev->debugfs, data,
+				    &msft_opcode_fops);
+
+	if (IS_ENABLED(CONFIG_BT_AOSPEXT))
+		debugfs_create_file("aosp_capable", 0644, hdev->debugfs, data,
+				    &aosp_capable_fops);
+
+	debugfs_create_file("force_devcoredump", 0644, hdev->debugfs, data,
+			    &force_devcoredump_fops);
+}
+
 static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
 {
 	struct hci_dev *hdev;
@@ -434,22 +459,9 @@ static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
 		return -EBUSY;
 	}
 
-	debugfs_create_file("force_suspend", 0644, hdev->debugfs, data,
-			    &force_suspend_fops);
-
-	debugfs_create_file("force_wakeup", 0644, hdev->debugfs, data,
-			    &force_wakeup_fops);
-
-	if (IS_ENABLED(CONFIG_BT_MSFTEXT))
-		debugfs_create_file("msft_opcode", 0644, hdev->debugfs, data,
-				    &msft_opcode_fops);
-
-	if (IS_ENABLED(CONFIG_BT_AOSPEXT))
-		debugfs_create_file("aosp_capable", 0644, hdev->debugfs, data,
-				    &aosp_capable_fops);
-
-	debugfs_create_file("force_devcoredump", 0644, hdev->debugfs, data,
-			    &force_devcoredump_fops);
+#ifdef CONFIG_DEBUG_FS
+	vhci_debugfs_init(data);
+#endif
 
 	hci_skb_pkt_type(skb) = HCI_VENDOR_PKT;
 
@@ -651,6 +663,26 @@ static int vhci_open(struct inode *inode, struct file *file)
 	return 0;
 }
 
+static void vhci_debugfs_remove(struct vhci_data *data)
+{
+	struct hci_dev *hdev = data->hdev;
+
+	if (!hdev->debugfs)
+		return;
+
+	debugfs_lookup_and_remove("force_suspend", hdev->debugfs);
+
+	debugfs_lookup_and_remove("force_wakeup", hdev->debugfs);
+
+	if (IS_ENABLED(CONFIG_BT_MSFTEXT))
+		debugfs_lookup_and_remove("msft_opcode", hdev->debugfs);
+
+	if (IS_ENABLED(CONFIG_BT_AOSPEXT))
+		debugfs_lookup_and_remove("aosp_capable", hdev->debugfs);
+
+	debugfs_lookup_and_remove("force_devcoredump", hdev->debugfs);
+}
+
 static int vhci_release(struct inode *inode, struct file *file)
 {
 	struct vhci_data *data = file->private_data;
@@ -661,6 +693,10 @@ static int vhci_release(struct inode *inode, struct file *file)
 
 	hdev = data->hdev;
 
+#ifdef CONFIG_DEBUG_FS
+	vhci_debugfs_remove(data);
+#endif
+
 	if (hdev) {
 		hci_unregister_dev(hdev);
 		hci_free_dev(hdev);
diff --git a/net/bluetooth/coredump.c b/net/bluetooth/coredump.c
index 819eacb38762..908ad0d242c3 100644
--- a/net/bluetooth/coredump.c
+++ b/net/bluetooth/coredump.c
@@ -243,6 +243,7 @@ static void hci_devcd_handle_pkt_pattern(struct hci_dev *hdev,
 static void hci_devcd_dump(struct hci_dev *hdev)
 {
 	struct sk_buff *skb;
+	char* coredump;
 	u32 size;
 
 	bt_dev_dbg(hdev, "state %d", hdev->dump.state);
@@ -250,7 +251,11 @@ static void hci_devcd_dump(struct hci_dev *hdev)
 	size = hdev->dump.tail - hdev->dump.head;
 
 	/* Emit a devcoredump with the available data */
-	dev_coredumpv(&hdev->dev, hdev->dump.head, size, GFP_KERNEL);
+	coredump = vmalloc(size);
+	if (coredump) {
+		memcpy(coredump, hdev->dump.head, size);
+		dev_coredumpv(&hdev->dev, coredump, size, GFP_KERNEL);
+	}
 
 	/* Send a copy to monitor as a diagnostic packet */
 	skb = bt_skb_alloc(size, GFP_ATOMIC);

Ivan Pravdin

[syzbot] [hfs?] KMSAN: uninit-value in hfs_brec_keylen

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    8ffd015db85f Linux 6.15-rc2
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=104d20cc580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e30b69a28cc940e1
dashboard link: https://syzkaller.appspot.com/bug?extid=5405d1265a66aa313343
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1790ea3f980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17e17398580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b099795f8c63/disk-8ffd015d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a10b15dc31a5/vmlinux-8ffd015d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/24a20f2e33c6/bzImage-8ffd015d.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/acf63dfb20d0/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5405d1265a66aa313343@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 64
=====================================================
BUG: KMSAN: uninit-value in hfs_brec_keylen+0x423/0x610 fs/hfs/brec.c:46
 hfs_brec_keylen+0x423/0x610 fs/hfs/brec.c:46
 __hfs_brec_find+0x111/0x830 fs/hfs/bfind.c:69
 hfs_brec_find+0x436/0x980 fs/hfs/bfind.c:138
 hfs_cat_move+0x116d/0x12e0 fs/hfs/catalog.c:372
 hfs_rename+0x344/0x500 fs/hfs/dir.c:299
 vfs_rename+0x1d9d/0x2280 fs/namei.c:5086
 do_renameat2+0x1577/0x1b80 fs/namei.c:5235
 __do_sys_rename fs/namei.c:5282 [inline]
 __se_sys_rename fs/namei.c:5280 [inline]
 __x64_sys_rename+0xe8/0x140 fs/namei.c:5280
 x64_sys_call+0x3a1e/0x3c80 arch/x86/include/generated/asm/syscalls_64.h:83
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Local variable data created at:
 hfs_bnode_read_u16+0x3d/0x90 fs/hfs/bnode.c:-1
 hfs_brec_keylen+0x23e/0x610 fs/hfs/brec.c:45

CPU: 0 UID: 0 PID: 5794 Comm: syz-executor252 Not tainted 6.15.0-rc2-syzkaller #0 PREEMPT(undef) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
=====================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syz test

[Arnaud Lecomte]

#syz test
diff --git a/fs/hfs/bnode.c b/fs/hfs/bnode.c
index 6add6ebfef89..e8d7431ce178 100644
--- a/fs/hfs/bnode.c
+++ b/fs/hfs/bnode.c
@@ -15,7 +15,7 @@
 
 #include "btree.h"
 
-void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
+int hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
 {
 	struct page *page;
 	int pagenum;
@@ -37,13 +37,16 @@ void hfs_bnode_read(struct hfs_bnode *node, void *buf, int off, int len)
 		pagenum++;
 		off = 0; /* page offset only applies to the first page */
 	}
+
+	return bytes_to_read;
 }
 
 u16 hfs_bnode_read_u16(struct hfs_bnode *node, int off)
 {
-	__be16 data;
+	__be16 data = 0;
 	// optimize later...
-	hfs_bnode_read(node, &data, off, 2);
+	if(hfs_bnode_read(node, &data, off, 2) < sizeof(u16))
+		return 0;
 	return be16_to_cpu(data);
 }
 
diff --git a/fs/hfs/btree.h b/fs/hfs/btree.h
index 0e6baee93245..54f310c52643 100644
--- a/fs/hfs/btree.h
+++ b/fs/hfs/btree.h
@@ -94,7 +94,7 @@ extern struct hfs_bnode * hfs_bmap_alloc(struct hfs_btree *);
 extern void hfs_bmap_free(struct hfs_bnode *node);
 
 /* bnode.c */
-extern void hfs_bnode_read(struct hfs_bnode *, void *, int, int);
+extern int hfs_bnode_read(struct hfs_bnode *, void *, int, int);
 extern u16 hfs_bnode_read_u16(struct hfs_bnode *, int);
 extern u8 hfs_bnode_read_u8(struct hfs_bnode *, int);
 extern void hfs_bnode_read_key(struct hfs_bnode *, void *, int);
-- 

[syzbot] [media?] BUG: corrupted list in az6007_i2c_xfer

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    ac71fabf1567 gcc-15: work around sequence-point warning
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=10b4cc70580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=7a7c679f880028f0
dashboard link: https://syzkaller.appspot.com/bug?extid=0192952caa411a3be209
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16fedb98580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10edf4cc580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d368be8878a6/disk-ac71fabf.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/cc783efdaf4c/vmlinux-ac71fabf.xz
kernel image: https://storage.googleapis.com/syzbot-assets/d04c29c82c67/bzImage-ac71fabf.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0192952caa411a3be209@syzkaller.appspotmail.com

usb read operation failed. (-71)
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in drivers/media/usb/dvb-usb-v2/az6007.c:821:30
index 4096 is out of range for type 'unsigned char [4096]'
CPU: 1 UID: 0 PID: 5832 Comm: syz-executor328 Not tainted 6.15.0-rc2-syzkaller-00493-gac71fabf1567 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_out_of_bounds+0x11c/0x160 lib/ubsan.c:453
 az6007_i2c_xfer+0x549/0xc30 drivers/media/usb/dvb-usb-v2/az6007.c:821
 __i2c_transfer+0x6b3/0x2190 drivers/i2c/i2c-core-base.c:2259
 i2c_transfer drivers/i2c/i2c-core-base.c:2315 [inline]
 i2c_transfer+0x1da/0x380 drivers/i2c/i2c-core-base.c:2291
 i2c_transfer_buffer_flags+0x10c/0x190 drivers/i2c/i2c-core-base.c:2343
 i2c_master_recv include/linux/i2c.h:79 [inline]
 i2cdev_read+0x111/0x280 drivers/i2c/i2c-dev.c:155
 do_loop_readv_writev fs/read_write.c:845 [inline]
 do_loop_readv_writev fs/read_write.c:833 [inline]
 vfs_readv+0x6bc/0x8a0 fs/read_write.c:1018
 do_preadv+0x1af/0x270 fs/read_write.c:1130
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x260 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4d458f3929
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe002f51e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
RAX: ffffffffffffffda RBX: 00007ffe002f5230 RCX: 00007f4d458f3929
RDX: 0000000000000001 RSI: 00002000000025c0 RDI: 0000000000000004
RBP: 0000000000000000 R08: 000000000000007e R09: 00007ffe002f5230
R10: 0000000000000002 R11: 0000000000000246 R12: 00000000000f4240
R13: 00007ffe002f54b8 R14: 00007ffe002f521c R15: 00007ffe002f5220
 </TASK>
---[ end trace ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syz test

[Arnaud Lecomte]

#syz test
diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
index 65ef045b74ca..784cba9c15ef 100644
--- a/drivers/media/usb/dvb-usb-v2/az6007.c
+++ b/drivers/media/usb/dvb-usb-v2/az6007.c
@@ -751,6 +751,9 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
 	int length;
 	u8 req, addr;
 
+	if (!usb_trylock_device(d->udev))
+		return -EBUSY;
+
 	if (mutex_lock_interruptible(&st->mutex) < 0) {
+		usb_unlock_device(d->udev);
 		return -EAGAIN;
 	}
 
@@ -757,6 +760,10 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
 
 	for (i = 0; i < num; i++) {
 		addr = msgs[i].addr << 1;
+		if (msgs[i].len < 1 || msgs[i].len >= sizeof(st->data) - 6) {
+			ret = -EIO;
+			goto err;
+		}
 		if (((i + 1) < num)
 		    && (msgs[i].len == 1)
 		    && ((msgs[i].flags & I2C_M_RD) != I2C_M_RD)
@@ -821,6 +828,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
 	}
 err:
 	mutex_unlock(&st->mutex);
+	usb_unlock_device(d->udev);
 	if (ret < 0) {
 		pr_info("%s ERROR: %i\n", __func__, ret);
 		return ret;

syz test

[Arnaud Lecomte]

#syz test
diff --git a/drivers/media/usb/dvb-usb-v2/az6007.c b/drivers/media/usb/dvb-usb-v2/az6007.c
index 65ef045b74ca..784cba9c15ef 100644
--- a/drivers/media/usb/dvb-usb-v2/az6007.c
+++ b/drivers/media/usb/dvb-usb-v2/az6007.c
@@ -752,11 +752,18 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
        int length;
        u8 req, addr;

+       if(!usb_trylock_device(d->udev))
+               return -EBUSY;
+
        if (mutex_lock_interruptible(&st->mutex) < 0)
                return -EAGAIN;

        for (i = 0; i < num; i++) {
                addr = msgs[i].addr << 1;
+               if (msgs[i].len < 1 || msgs[i].len >= sizeof(st->data) - 6) {
+                       ret = -EIO;
+                       goto err;
+               }
                if (((i + 1) < num)
                    && (msgs[i].len == 1)
                    && ((msgs[i].flags & I2C_M_RD) != I2C_M_RD)
@@ -788,10 +795,6 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
                        if (az6007_xfer_debug)
                                printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n",
                                       addr, msgs[i].len);
-                       if (msgs[i].len < 1) {
-                               ret = -EIO;
-                               goto err;
-                       }
                        req = AZ6007_I2C_WR;
                        index = msgs[i].buf[0];
                        value = addr | (1 << 8);
@@ -806,10 +809,6 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
                        if (az6007_xfer_debug)
                                printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n",
                                       addr, msgs[i].len);
-                       if (msgs[i].len < 1) {
-                               ret = -EIO;
-                               goto err;
-                       }
                        req = AZ6007_I2C_RD;
                        index = msgs[i].buf[0];
                        value = addr;
@@ -825,7 +824,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
        }
 err:
        mutex_unlock(&st->mutex);
-
+       usb_unlock_device(d->udev);
        if (ret < 0) {
                pr_info("%s ERROR: %i\n", __func__, ret);
                return ret;

syz test

[Arnaud Lecomte]

#syz test

--- a/drivers/media/usb/dvb-usb-v2/az6007.c
+++ b/drivers/media/usb/dvb-usb-v2/az6007.c
@@ -752,11 +752,18 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
        int length;
        u8 req, addr;
 
+       if(!usb_trylock_device(d->udev))
+               return -EBUSY;
+
        if (mutex_lock_interruptible(&st->mutex) < 0)
                return -EAGAIN;
 
        for (i = 0; i < num; i++) {
                addr = msgs[i].addr << 1;
+               if (msgs[i].len < 1 || msgs[i].len >= sizeof(st->data) - 6) {
+                       ret = -EIO;
+                       goto err;
+               }
                if (((i + 1) < num)
                    && (msgs[i].len == 1)
                    && ((msgs[i].flags & I2C_M_RD) != I2C_M_RD)
@@ -788,10 +795,6 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
                        if (az6007_xfer_debug)
                                printk(KERN_DEBUG "az6007: I2C W addr=0x%x len=%d\n",
                                       addr, msgs[i].len);
-                       if (msgs[i].len < 1) {
-                               ret = -EIO;
-                               goto err;
-                       }
                        req = AZ6007_I2C_WR;
                        index = msgs[i].buf[0];
                        value = addr | (1 << 8);
@@ -806,10 +809,6 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
                        if (az6007_xfer_debug)
                                printk(KERN_DEBUG "az6007: I2C R addr=0x%x len=%d\n",
                                       addr, msgs[i].len);
-                       if (msgs[i].len < 1) {
-                               ret = -EIO;
-                               goto err;
-                       }
                        req = AZ6007_I2C_RD;
                        index = msgs[i].buf[0];
                        value = addr;
@@ -825,7 +824,7 @@ static int az6007_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
        }
 err:
        mutex_unlock(&st->mutex);
-
+       usb_unlock_device(d->udev);
        if (ret < 0) {
                pr_info("%s ERROR: %i\n", __func__, ret);
                return ret;
--

Re: [syzbot] [bpf?] KASAN: slab-out-of-bounds Write in __bpf_get_stackid

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit:    5b4c54ac49af bpf: Fix various typos in verifier.c comments
git tree:       bpf-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=17441782580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=934611ae034ab218
dashboard link: https://syzkaller.appspot.com/bug?extid=c9b724fbb41cf2538b7b
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16f294a2580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=14349034580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5a5cfac28d08/disk-5b4c54ac.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bb5b9f9f1b33/vmlinux-5b4c54ac.xz
kernel image: https://storage.googleapis.com/syzbot-assets/14b928da2760/bzImage-5b4c54ac.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c9b724fbb41cf2538b7b@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-out-of-bounds in __bpf_get_stackid+0x677/0xcf0 kernel/bpf/stackmap.c:265
Write of size 8 at addr ffff8880439aa258 by task syz-executor265/6114

CPU: 1 UID: 0 PID: 6114 Comm: syz-executor265 Not tainted 6.16.0-rc6-syzkaller-g5b4c54ac49af #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <IRQ>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x230 mm/kasan/report.c:480
 kasan_report+0x118/0x150 mm/kasan/report.c:593
 __bpf_get_stackid+0x677/0xcf0 kernel/bpf/stackmap.c:265
 ____bpf_get_stackid_raw_tp kernel/trace/bpf_trace.c:1810 [inline]
 bpf_get_stackid_raw_tp+0x196/0x210 kernel/trace/bpf_trace.c:1799
 bpf_prog_b724608cae728045+0x27/0x2f
 bpf_dispatcher_nop_func include/linux/bpf.h:1322 [inline]
 __bpf_prog_run include/linux/filter.h:718 [inline]
 bpf_prog_run include/linux/filter.h:725 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2257 [inline]
 bpf_trace_run2+0x284/0x4b0 kernel/trace/bpf_trace.c:2298
 __do_trace_kfree include/trace/events/kmem.h:94 [inline]
 trace_kfree include/trace/events/kmem.h:94 [inline]
 kfree+0x3a0/0x440 mm/slub.c:4829
 slab_free_after_rcu_debug+0x60/0x2a0 mm/slub.c:4680
 rcu_do_batch kernel/rcu/tree.c:2576 [inline]
 rcu_core+0xca8/0x1710 kernel/rcu/tree.c:2832
 handle_softirqs+0x283/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:xas_load+0xd9/0x5b0 lib/xarray.c:244
Code: 42 0f b6 04 28 84 c0 0f 85 3a 04 00 00 49 8d 5e fe 48 8b 44 24 08 0f b6 28 48 89 d8 48 c1 e8 03 48 89 44 24 20 42 0f b6 04 28 <84> c0 0f 85 34 04 00 00 44 0f b6 23 44 0f b6 fd 44 89 ff 44 89 e6
RSP: 0000:ffffc9000459f898 EFLAGS: 00000a02
RAX: 0000000000000000 RBX: ffff888025438840 RCX: ffff88807c050000
RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000002
RBP: 0000000000000000 R08: ffff88807c050000 R09: 0000000000000002
R10: 0000000000000003 R11: 0000000000000000 R12: ffffc9000459fb32
R13: dffffc0000000000 R14: ffff888025438842 R15: 0000000000000002
 xas_find+0x157/0x990 lib/xarray.c:1406
 next_uptodate_folio+0x32/0x5d0 mm/filemap.c:3562
 filemap_map_pages+0x21f/0x1740 mm/filemap.c:3714
 do_fault_around mm/memory.c:5548 [inline]
 do_read_fault mm/memory.c:5581 [inline]
 do_fault mm/memory.c:5724 [inline]
 do_pte_missing mm/memory.c:4251 [inline]
 handle_pte_fault mm/memory.c:6069 [inline]
 __handle_mm_fault+0x3687/0x5620 mm/memory.c:6212
 handle_mm_fault+0x40a/0x8e0 mm/memory.c:6381
 do_user_addr_fault+0xa81/0x1390 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x76/0xf0 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7f3d52e29438
Code: Unable to access opcode bytes at 0x7f3d52e2940e.
RSP: 002b:00007fff46c399c8 EFLAGS: 00010206
RAX: 00007f3d52e59ad8 RBX: 0000000000000000 RCX: 0000000000000004
RDX: 00007f3d52e5ad00 RSI: 0000000000000000 RDI: 00007f3d52e59ad8
RBP: 00007f3d52e58118 R08: 00007fff46c39a3c R09: 00007fff46c39a3c
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3d52e5ace8
R13: 0000000000000000 R14: 00007f3d52e5ad00 R15: 00007f3d52db0290
 </TASK>

Allocated by task 6114:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:260 [inline]
 __do_kmalloc_node mm/slub.c:4328 [inline]
 __kmalloc_node_noprof+0x276/0x4e0 mm/slub.c:4334
 kmalloc_node_noprof include/linux/slab.h:932 [inline]
 __bpf_map_area_alloc kernel/bpf/syscall.c:391 [inline]
 bpf_map_area_alloc+0x64/0x180 kernel/bpf/syscall.c:404
 prealloc_elems_and_freelist+0x86/0x1d0 kernel/bpf/stackmap.c:51
 stack_map_alloc+0x33f/0x4c0 kernel/bpf/stackmap.c:114
 map_create+0xaa0/0x1310 kernel/bpf/syscall.c:1477
 __sys_bpf+0x60f/0x870 kernel/bpf/syscall.c:6004
 __do_sys_bpf kernel/bpf/syscall.c:6132 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6130 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6130
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff8880439aa000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 24 bytes to the right of
 allocated 576-byte region [ffff8880439aa000, ffff8880439aa240)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x439a8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801a441dc0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801a441dc0 0000000000000000 dead000000000001
head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea00010e6a01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5514, tgid 5514 (dhcpcd), ts 48384102667, free_ts 48383277611
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4959
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2419
 alloc_slab_page mm/slub.c:2451 [inline]
 allocate_slab+0x8a/0x3b0 mm/slub.c:2619
 new_slab mm/slub.c:2673 [inline]
 ___slab_alloc+0xbfc/0x1480 mm/slub.c:3859
 __slab_alloc mm/slub.c:3949 [inline]
 __slab_alloc_node mm/slub.c:4024 [inline]
 slab_alloc_node mm/slub.c:4185 [inline]
 __do_kmalloc_node mm/slub.c:4327 [inline]
 __kmalloc_noprof+0x305/0x4f0 mm/slub.c:4340
 kmalloc_noprof include/linux/slab.h:909 [inline]
 load_elf_phdrs fs/binfmt_elf.c:525 [inline]
 load_elf_binary+0x2cd/0x2790 fs/binfmt_elf.c:854
 search_binary_handler fs/exec.c:1670 [inline]
 exec_binprm fs/exec.c:1702 [inline]
 bprm_execve+0x999/0x1450 fs/exec.c:1754
 do_execveat_common+0x510/0x6a0 fs/exec.c:1860
 do_execve fs/exec.c:1934 [inline]
 __do_sys_execve fs/exec.c:2010 [inline]
 __se_sys_execve fs/exec.c:2005 [inline]
 __x64_sys_execve+0x94/0xb0 fs/exec.c:2005
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5514 tgid 5514 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 __free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706
 discard_slab mm/slub.c:2717 [inline]
 __put_partials+0x161/0x1c0 mm/slub.c:3186
 put_cpu_partial+0x17c/0x250 mm/slub.c:3261
 __slab_free+0x2f7/0x400 mm/slub.c:4513
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4148 [inline]
 slab_alloc_node mm/slub.c:4197 [inline]
 __do_kmalloc_node mm/slub.c:4327 [inline]
 __kmalloc_noprof+0x224/0x4f0 mm/slub.c:4340
 kmalloc_noprof include/linux/slab.h:909 [inline]
 tomoyo_add_entry security/tomoyo/common.c:2132 [inline]
 tomoyo_supervisor+0xbd5/0x1480 security/tomoyo/common.c:2204
 tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
 tomoyo_env_perm+0x149/0x1e0 security/tomoyo/environ.c:63
 tomoyo_environ security/tomoyo/domain.c:672 [inline]
 tomoyo_find_next_domain+0x15cf/0x1aa0 security/tomoyo/domain.c:888
 tomoyo_bprm_check_security+0x11c/0x180 security/tomoyo/tomoyo.c:102
 security_bprm_check+0x89/0x270 security/security.c:1302
 search_binary_handler fs/exec.c:1660 [inline]
 exec_binprm fs/exec.c:1702 [inline]
 bprm_execve+0x8ee/0x1450 fs/exec.c:1754
 do_execveat_common+0x510/0x6a0 fs/exec.c:1860
 do_execve fs/exec.c:1934 [inline]
 __do_sys_execve fs/exec.c:2010 [inline]
 __se_sys_execve fs/exec.c:2005 [inline]
 __x64_sys_execve+0x94/0xb0 fs/exec.c:2005

Memory state around the buggy address:
 ffff8880439aa100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880439aa180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880439aa200: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                                                    ^
 ffff8880439aa280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880439aa300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess):
   0:	42 0f b6 04 28       	movzbl (%rax,%r13,1),%eax
   5:	84 c0                	test   %al,%al
   7:	0f 85 3a 04 00 00    	jne    0x447
   d:	49 8d 5e fe          	lea    -0x2(%r14),%rbx
  11:	48 8b 44 24 08       	mov    0x8(%rsp),%rax
  16:	0f b6 28             	movzbl (%rax),%ebp
  19:	48 89 d8             	mov    %rbx,%rax
  1c:	48 c1 e8 03          	shr    $0x3,%rax
  20:	48 89 44 24 20       	mov    %rax,0x20(%rsp)
  25:	42 0f b6 04 28       	movzbl (%rax,%r13,1),%eax
* 2a:	84 c0                	test   %al,%al <-- trapping instruction
  2c:	0f 85 34 04 00 00    	jne    0x466
  32:	44 0f b6 23          	movzbl (%rbx),%r12d
  36:	44 0f b6 fd          	movzbl %bpl,%r15d
  3a:	44 89 ff             	mov    %r15d,%edi
  3d:	44 89 e6             	mov    %r12d,%esi


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

Syz Test

[Arnaud lecomte]

#syz test

diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
index 3615c06b7dfa..c0ee51db8eed 100644
--- a/kernel/bpf/stackmap.c
+++ b/kernel/bpf/stackmap.c
@@ -42,6 +42,28 @@ static inline int stack_map_data_size(struct bpf_map *map)
                sizeof(struct bpf_stack_build_id) : sizeof(u64);
 }

+/**
+ * stack_map_calculate_max_depth - Calculate maximum allowed stack trace depth
+ * @size:  Size of the buffer/map value in bytes
+ * @elem_size:  Size of each stack trace element
+ * @flags:  BPF stack trace flags (BPF_F_USER_STACK, BPF_F_USER_BUILD_ID, ...)
+ *
+ * Return: Maximum number of stack trace entries that can be safely stored
+ */
+static u32 stack_map_calculate_max_depth(u32 size, u32 elem_size, u64 flags)
+{
+       u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
+       u32 max_depth;
+       u32 curr_sysctl_max_stack = READ_ONCE(sysctl_perf_event_max_stack);
+
+       max_depth = size / elem_size;
+       max_depth += skip;
+       if (max_depth > curr_sysctl_max_stack)
+               return curr_sysctl_max_stack;
+
+       return max_depth;
+}
+
 static int prealloc_elems_and_freelist(struct bpf_stack_map *smap)
 {
        u64 elem_size = sizeof(struct stack_map_bucket) +
@@ -251,8 +273,8 @@ static long __bpf_get_stackid(struct bpf_map *map,
 {
        struct bpf_stack_map *smap = container_of(map, struct bpf_stack_map, map);
        struct stack_map_bucket *bucket, *new_bucket, *old_bucket;
+       u32 hash, id, trace_nr, trace_len, i, max_depth;
        u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
-       u32 hash, id, trace_nr, trace_len, i;
        bool user = flags & BPF_F_USER_STACK;
        u64 *ips;
        bool hash_matches;
@@ -261,7 +283,8 @@ static long __bpf_get_stackid(struct bpf_map *map,
                /* skipping more than usable stack trace */
                return -EFAULT;

-       trace_nr = trace->nr - skip;
+       max_depth = stack_map_calculate_max_depth(map->value_size, stack_map_data_size(map), flags);
+       trace_nr = min_t(u32, trace->nr - skip, max_depth - skip);
        trace_len = trace_nr * sizeof(u64);
        ips = trace->ip + skip;
        hash = jhash2((u32 *)ips, trace_len / sizeof(u32), 0);
@@ -300,20 +323,17 @@ static long __bpf_get_stackid(struct bpf_map *map,
 BPF_CALL_3(bpf_get_stackid, struct pt_regs *, regs, struct bpf_map *, map,
           u64, flags)
 {
-       u32 max_depth = map->value_size / stack_map_data_size(map);
-       u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
+       u32 elem_size = stack_map_data_size(map);
        bool user = flags & BPF_F_USER_STACK;
        struct perf_callchain_entry *trace;
        bool kernel = !user;
+       u32 max_depth;

        if (unlikely(flags & ~(BPF_F_SKIP_FIELD_MASK | BPF_F_USER_STACK |
                               BPF_F_FAST_STACK_CMP | BPF_F_REUSE_STACKID)))
                return -EINVAL;

-       max_depth += skip;
-       if (max_depth > sysctl_perf_event_max_stack)
-               max_depth = sysctl_perf_event_max_stack;
-
+       max_depth = stack_map_calculate_max_depth(map->value_size, elem_size, flags);
        trace = get_perf_callchain(regs, 0, kernel, user, max_depth,
                                   false, false);

@@ -390,15 +410,11 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
                return -EFAULT;

        nr_kernel = count_kernel_ip(trace);
+       __u64 nr = trace->nr; /* save original */

        if (kernel) {
-               __u64 nr = trace->nr;
-
                trace->nr = nr_kernel;
                ret = __bpf_get_stackid(map, trace, flags);
-
-               /* restore nr */
-               trace->nr = nr;
        } else { /* user */
                u64 skip = flags & BPF_F_SKIP_FIELD_MASK;

@@ -409,6 +425,10 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
                flags = (flags & ~BPF_F_SKIP_FIELD_MASK) | skip;
                ret = __bpf_get_stackid(map, trace, flags);
        }
+
+       /* restore nr */
+       trace->nr = nr;
+
        return ret;
 }

@@ -426,7 +446,7 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
                            struct perf_callchain_entry *trace_in,
                            void *buf, u32 size, u64 flags, bool may_fault)
 {
-       u32 trace_nr, copy_len, elem_size, num_elem, max_depth;
+       u32 trace_nr, copy_len, elem_size, max_depth;
        bool user_build_id = flags & BPF_F_USER_BUILD_ID;
        bool crosstask = task && task != current;
        u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
@@ -458,21 +478,20 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
                goto clear;
        }

-       num_elem = size / elem_size;
-       max_depth = num_elem + skip;
-       if (sysctl_perf_event_max_stack < max_depth)
-               max_depth = sysctl_perf_event_max_stack;
+       max_depth = stack_map_calculate_max_depth(size, elem_size, flags);

        if (may_fault)
                rcu_read_lock(); /* need RCU for perf's callchain below */

-       if (trace_in)
+       if (trace_in) {
                trace = trace_in;
-       else if (kernel && task)
+               trace->nr = min_t(u32, trace->nr, max_depth);
+       } else if (kernel && task) {
                trace = get_callchain_entry_for_task(task, max_depth);
-       else
+       } else {
                trace = get_perf_callchain(regs, 0, kernel, user, max_depth,
                                           crosstask, false);
+       }

        if (unlikely(!trace) || trace->nr < skip) {
                if (may_fault)
@@ -481,7 +500,6 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
        }

        trace_nr = trace->nr - skip;
-       trace_nr = (trace_nr <= num_elem) ? trace_nr : num_elem;
        copy_len = trace_nr * elem_size;

        ips = trace->ip + skip;
--
2.47.3

syz test

[Arnaud lecomte]

#syz test

diff --git a/kernel/bpf/stackmap.c b/kernel/bpf/stackmap.c
index 3615c06b7dfa..c0ee51db8eed 100644
--- a/kernel/bpf/stackmap.c
+++ b/kernel/bpf/stackmap.c
@@ -42,6 +42,28 @@ static inline int stack_map_data_size(struct bpf_map *map)
 		sizeof(struct bpf_stack_build_id) : sizeof(u64);
 }

+/**
+ * stack_map_calculate_max_depth - Calculate maximum allowed stack trace depth
+ * @size:  Size of the buffer/map value in bytes
+ * @elem_size:  Size of each stack trace element
+ * @flags:  BPF stack trace flags (BPF_F_USER_STACK, BPF_F_USER_BUILD_ID, ...)
+ *
+ * Return: Maximum number of stack trace entries that can be safely stored
+ */
+static u32 stack_map_calculate_max_depth(u32 size, u32 elem_size, u64 flags)
+{
+	u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
+	u32 max_depth;
+	u32 curr_sysctl_max_stack = READ_ONCE(sysctl_perf_event_max_stack);
+
+	max_depth = size / elem_size;
+	max_depth += skip;
+	if (max_depth > curr_sysctl_max_stack)
+		return curr_sysctl_max_stack;
+
+	return max_depth;
+}
+
 static int prealloc_elems_and_freelist(struct bpf_stack_map *smap)
 {
 	u64 elem_size = sizeof(struct stack_map_bucket) +
@@ -229,8 +251,8 @@ static long __bpf_get_stackid(struct bpf_map *map,
 {
 	struct bpf_stack_map *smap = container_of(map, struct bpf_stack_map, map);
 	struct stack_map_bucket *bucket, *new_bucket, *old_bucket;
+	u32 hash, id, trace_nr, trace_len, i, max_depth;
 	u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
-	u32 hash, id, trace_nr, trace_len, i;
 	bool user = flags & BPF_F_USER_STACK;
 	u64 *ips;
 	bool hash_matches;
@@ -239,7 +261,8 @@ static long __bpf_get_stackid(struct bpf_map *map,
 		/* skipping more than usable stack trace */
 		return -EFAULT;

-	trace_nr = trace->nr - skip;
+	max_depth = stack_map_calculate_max_depth(map->value_size, stack_map_data_size(map), flags);
+	trace_nr = min_t(u32, trace->nr - skip, max_depth - skip);
 	trace_len = trace_nr * sizeof(u64);
 	ips = trace->ip + skip;
 	hash = jhash2((u32 *)ips, trace_len / sizeof(u32), 0);
@@ -300,20 +323,17 @@ static long __bpf_get_stackid(struct bpf_map *map,
 BPF_CALL_3(bpf_get_stackid, struct pt_regs *, regs, struct bpf_map *, map,
 	   u64, flags)
 {
-	u32 max_depth = map->value_size / stack_map_data_size(map);
-	u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
+	u32 elem_size = stack_map_data_size(map);
 	bool user = flags & BPF_F_USER_STACK;
 	struct perf_callchain_entry *trace;
 	bool kernel = !user;
+	u32 max_depth;

 	if (unlikely(flags & ~(BPF_F_SKIP_FIELD_MASK | BPF_F_USER_STACK |
 			       BPF_F_FAST_STACK_CMP | BPF_F_REUSE_STACKID)))
 		return -EINVAL;

-	max_depth += skip;
-	if (max_depth > sysctl_perf_event_max_stack)
-		max_depth = sysctl_perf_event_max_stack;
-
+	max_depth = stack_map_calculate_max_depth(map->value_size, elem_size, flags);
 	trace = get_perf_callchain(regs, 0, kernel, user, max_depth,
 				   false, false);

@@ -371,15 +391,11 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
 		return -EFAULT;

 	nr_kernel = count_kernel_ip(trace);
+	__u64 nr = trace->nr; /* save original */

 	if (kernel) {
-		__u64 nr = trace->nr;
-
 		trace->nr = nr_kernel;
 		ret = __bpf_get_stackid(map, trace, flags);
-
-		/* restore nr */
-		trace->nr = nr;
 	} else { /* user */
 		u64 skip = flags & BPF_F_SKIP_FIELD_MASK;

@@ -390,6 +406,10 @@ BPF_CALL_3(bpf_get_stackid_pe, struct bpf_perf_event_data_kern *, ctx,
 		flags = (flags & ~BPF_F_SKIP_FIELD_MASK) | skip;
 		ret = __bpf_get_stackid(map, trace, flags);
 	}
+
+	/* restore nr */
+	trace->nr = nr;
+
 	return ret;
 }

@@ -406,7 +426,7 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
 			    struct perf_callchain_entry *trace_in,
 			    void *buf, u32 size, u64 flags, bool may_fault)
 {
-	u32 trace_nr, copy_len, elem_size, num_elem, max_depth;
+	u32 trace_nr, copy_len, elem_size, max_depth;
 	bool user_build_id = flags & BPF_F_USER_BUILD_ID;
 	bool crosstask = task && task != current;
 	u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
@@ -438,21 +458,20 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
 		goto clear;
 	}

-	num_elem = size / elem_size;
-	max_depth = num_elem + skip;
-	if (sysctl_perf_event_max_stack < max_depth)
-		max_depth = sysctl_perf_event_max_stack;
+	max_depth = stack_map_calculate_max_depth(size, elem_size, flags);

 	if (may_fault)
 		rcu_read_lock(); /* need RCU for perf's callchain below */

-	if (trace_in)
+	if (trace_in) {
 		trace = trace_in;
-	else if (kernel && task)
+		trace->nr = min_t(u32, trace->nr, max_depth);
+	} else if (kernel && task) {
 		trace = get_callchain_entry_for_task(task, max_depth);
-	else
+	} else {
 		trace = get_perf_callchain(regs, 0, kernel, user, max_depth,
 					   crosstask, false);
+	}

 	if (unlikely(!trace) || trace->nr < skip) {
 		if (may_fault)
@@ -461,7 +480,6 @@ static long __bpf_get_stack(struct pt_regs *regs, struct task_struct *task,
 	}

 	trace_nr = trace->nr - skip;
-	trace_nr = (trace_nr <= num_elem) ? trace_nr : num_elem;
 	copy_len = trace_nr * elem_size;

 	ips = trace->ip + skip;
--
2.47.3