From: syzbot <syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com>
To: kartikey406@gmail.com, kbreddy.rpbc@gmail.com,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bluetooth?] memory leak in init_srcu_struct_fields
Date: Sun, 31 May 2026 08:27:02 -0700
Message-ID: <6a1c5346.b111c304.35cd64.0024.GAE@google.com>
In-Reply-To: <20260531144117.98430-1-kbreddy.rpbc@gmail.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in hci_release_dev
BUG: kernel NULL pointer dereference, address: 00000000000000b0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 800000012a7b5067 P4D 800000012a7b5067 PUD 0
Oops: Oops: 0000 [#1] SMP PTI
CPU: 1 UID: 0 PID: 6583 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
RIP: 0010:workqueue_sysfs_unregister kernel/workqueue.c:7607 [inline]
RIP: 0010:destroy_workqueue+0x1a/0x430 kernel/workqueue.c:6020
Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 41 57 41 56 41 55 49 89 fd 41 54 55 53 48 83 ec 08 e8 06 d2 15 00 <49> 8b 9d b0 00 00 00 48 85 db 74 19 e8 f5 d1 15 00 48 8d 7b 08 49
RSP: 0018:ffffc90002aafc78 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8881141e0000 RCX: ffffffff81a266cc
RDX: ffff88810a6311c0 RSI: ffffffff816e6f0a RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000000
R10: ffffffff85600000 R11: 0000000000000001 R12: ffff8881141e1390
R13: 0000000000000000 R14: ffff8881141e0030 R15: 0000000000000000
FS: 000055559230a500(0000) GS:ffff8881b23ec000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000b0 CR3: 000000012983e000 CR4: 00000000003526f0
Call Trace:
<TASK>
hci_release_dev+0x62/0x250 net/bluetooth/hci_core.c:2749
bt_host_release+0x19/0x30 net/bluetooth/hci_sysfs.c:86
device_release+0x4d/0xd0 drivers/base/core.c:2566
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0xe4/0x1d0 lib/kobject.c:737
put_device+0x1f/0x30 drivers/base/core.c:3814
hci_uart_tty_close+0xf7/0x120 drivers/bluetooth/hci_ldisc.c:558
tty_ldisc_close+0x51/0x70 drivers/tty/tty_ldisc.c:455
tty_ldisc_kill drivers/tty/tty_ldisc.c:613 [inline]
tty_ldisc_release+0xd5/0x2d0 drivers/tty/tty_ldisc.c:781
tty_release_struct+0x1a/0x90 drivers/tty/tty_io.c:1681
tty_release+0x6b0/0x6c0 drivers/tty/tty_io.c:1852
__fput+0x1b5/0x500 fs/file_table.c:510
task_work_run+0x95/0xf0 kernel/task_work.c:233
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
__exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
exit_to_user_mode_loop+0xcf/0x440 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
do_syscall_64+0x485/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f57d6b9cdd9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff37ccc228 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007fff37ccc310 RCX: 00007f57d6b9cdd9
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 000000000001baba R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b31820000 R11: 0000000000000246 R12: 00007fff37ccc350
R13: 00007f57d6e15fac R14: 000000000001baed R15: 00007f57d6e15fa0
</TASK>
Modules linked in:
CR2: 00000000000000b0
---[ end trace 0000000000000000 ]---
RIP: 0010:workqueue_sysfs_unregister kernel/workqueue.c:7607 [inline]
RIP: 0010:destroy_workqueue+0x1a/0x430 kernel/workqueue.c:6020
Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 41 57 41 56 41 55 49 89 fd 41 54 55 53 48 83 ec 08 e8 06 d2 15 00 <49> 8b 9d b0 00 00 00 48 85 db 74 19 e8 f5 d1 15 00 48 8d 7b 08 49
RSP: 0018:ffffc90002aafc78 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8881141e0000 RCX: ffffffff81a266cc
RDX: ffff88810a6311c0 RSI: ffffffff816e6f0a RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000000
R10: ffffffff85600000 R11: 0000000000000001 R12: ffff8881141e1390
R13: 0000000000000000 R14: ffff8881141e0030 R15: 0000000000000000
FS: 000055559230a500(0000) GS:ffff8881b23ec000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000b0 CR3: 000000012983e000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
0: 90 nop
1: 90 nop
2: 90 nop
3: 90 nop
4: 90 nop
5: 90 nop
6: 90 nop
7: 90 nop
8: 90 nop
9: 90 nop
a: 90 nop
b: 90 nop
c: 90 nop
d: 90 nop
e: 90 nop
f: 90 nop
10: f3 0f 1e fa endbr64
14: 41 57 push %r15
16: 41 56 push %r14
18: 41 55 push %r13
1a: 49 89 fd mov %rdi,%r13
1d: 41 54 push %r12
1f: 55 push %rbp
20: 53 push %rbx
21: 48 83 ec 08 sub $0x8,%rsp
25: e8 06 d2 15 00 call 0x15d230
* 2a: 49 8b 9d b0 00 00 00 mov 0xb0(%r13),%rbx <-- trapping instruction
31: 48 85 db test %rbx,%rbx
34: 74 19 je 0x4f
36: e8 f5 d1 15 00 call 0x15d230
3b: 48 8d 7b 08 lea 0x8(%rbx),%rdi
3f: 49 rex.WB
Tested on:
commit: f377d002 Merge tag 'sh-for-v7.1-tag2' of git://git.ker..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14789d7e580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9645c21cfd1d3e8f
dashboard link: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=10392ab6580000