[syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump

[syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    4e82c87058f4 Merge tag 'rust-6.15' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17454e4c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f51da9763f36e4c7
dashboard link: https://syzkaller.appspot.com/bug?extid=ac3c79181f6aecc5120c
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a9052db6d173/disk-4e82c870.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9398a2c8040b/vmlinux-4e82c870.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8589baa292f3/bzImage-4e82c870.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ac3c79181f6aecc5120c@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in skb_put_data include/linux/skbuff.h:2752 [inline]
BUG: KASAN: vmalloc-out-of-bounds in hci_devcd_dump+0x142/0x240 net/bluetooth/coredump.c:258
Read of size 140 at addr ffffc90004ed5000 by task kworker/u9:2/5844

CPU: 1 UID: 0 PID: 5844 Comm: kworker/u9:2 Not tainted 6.14.0-syzkaller-10892-g4e82c87058f4 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: hci0 hci_devcd_timeout
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xc3/0x670 mm/kasan/report.c:521
 kasan_report+0xe0/0x110 mm/kasan/report.c:634
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
 __asan_memcpy+0x23/0x60 mm/kasan/shadow.c:105
 skb_put_data include/linux/skbuff.h:2752 [inline]
 hci_devcd_dump+0x142/0x240 net/bluetooth/coredump.c:258
 hci_devcd_timeout+0xb5/0x2e0 net/bluetooth/coredump.c:413
 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
 kthread+0x3c2/0x780 kernel/kthread.c:464
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address ffffc90004ed5000 belongs to a vmalloc virtual mapping
Memory state around the buggy address:
 ffffc90004ed4f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90004ed4f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90004ed5000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc90004ed5080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90004ed5100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit:    a1b5bd45d4ee Merge tag 'usb-6.15-rc1' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1709494c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=44bfe55da7676adc
dashboard link: https://syzkaller.appspot.com/bug?extid=ac3c79181f6aecc5120c
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13e60be4580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10c5cfb0580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9096ac93f836/disk-a1b5bd45.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/83a88633dd9d/vmlinux-a1b5bd45.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7353859863a8/bzImage-a1b5bd45.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ac3c79181f6aecc5120c@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in skb_put_data include/linux/skbuff.h:2752 [inline]
BUG: KASAN: vmalloc-out-of-bounds in hci_devcd_dump+0x142/0x240 net/bluetooth/coredump.c:258
Read of size 140 at addr ffffc90000ace000 by task kworker/u9:1/5151

CPU: 0 UID: 0 PID: 5151 Comm: kworker/u9:1 Not tainted 6.14.0-syzkaller-12886-ga1b5bd45d4ee #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: hci0 hci_devcd_timeout
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xc3/0x670 mm/kasan/report.c:521
 kasan_report+0xe0/0x110 mm/kasan/report.c:634
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
 __asan_memcpy+0x23/0x60 mm/kasan/shadow.c:105
 skb_put_data include/linux/skbuff.h:2752 [inline]
 hci_devcd_dump+0x142/0x240 net/bluetooth/coredump.c:258
 hci_devcd_timeout+0xb5/0x2e0 net/bluetooth/coredump.c:413
 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
 kthread+0x3c2/0x780 kernel/kthread.c:464
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address ffffc90000ace000 belongs to a vmalloc virtual mapping
Memory state around the buggy address:
 ffffc90000acdf00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90000acdf80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90000ace000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc90000ace080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90000ace100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

syz test

[Arnaud Lecomte]

#syz test

--- a/net/bluetooth/coredump.c
+++ b/net/bluetooth/coredump.c
@@ -249,6 +249,11 @@ static void hci_devcd_dump(struct hci_dev *hdev)
 
        size = hdev->dump.tail - hdev->dump.head;
 
+       if (size >SKB_MAX_ALLOC) {
+               bt_dev_err(hdev, "Dump too large (%u bytes)", size);
+               return;
+       }
+
        /* Emit a devcoredump with the available data */
        dev_coredumpv(&hdev->dev, hdev->dump.head, size, GFP_KERNEL);

--

RE: syz test

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 550 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: net/bluetooth/coredump.c:249
error: net/bluetooth/coredump.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.


---
Regards,
Linux Bluetooth

Re: [syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in force_devcd_write

==================================================================
BUG: KASAN: slab-use-after-free in force_devcd_write+0x312/0x340 drivers/bluetooth/hci_vhci.c:327
Read of size 8 at addr ffff888028448800 by task syz.0.616/8068

CPU: 0 UID: 0 PID: 8068 Comm: syz.0.616 Not tainted 6.15.0-rc3-syzkaller-gbc3372351d0c-dirty #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xc3/0x670 mm/kasan/report.c:521
 kasan_report+0xe0/0x110 mm/kasan/report.c:634
 force_devcd_write+0x312/0x340 drivers/bluetooth/hci_vhci.c:327
 full_proxy_write+0x13c/0x200 fs/debugfs/file.c:398
 vfs_write+0x25c/0x1180 fs/read_write.c:682
 ksys_write+0x12a/0x240 fs/read_write.c:736
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x230 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1dc558e169
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1dc47fe038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f1dc57b5fa0 RCX: 00007f1dc558e169
RDX: 000000000000000e RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f1dc5610a68 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f1dc57b5fa0 R15: 00007ffc66674788
 </TASK>

Allocated by task 6607:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 vhci_open+0x4c/0x430 drivers/bluetooth/hci_vhci.c:635
 misc_open+0x35a/0x420 drivers/char/misc.c:179
 chrdev_open+0x231/0x6a0 fs/char_dev.c:414
 do_dentry_open+0x741/0x1c10 fs/open.c:956
 vfs_open+0x82/0x3f0 fs/open.c:1086
 do_open fs/namei.c:3880 [inline]
 path_openat+0x1e5e/0x2d40 fs/namei.c:4039
 do_filp_open+0x20b/0x470 fs/namei.c:4066
 do_sys_openat2+0x11b/0x1d0 fs/open.c:1429
 do_sys_open fs/open.c:1444 [inline]
 __do_sys_openat fs/open.c:1460 [inline]
 __se_sys_openat fs/open.c:1455 [inline]
 __x64_sys_openat+0x174/0x210 fs/open.c:1455
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x230 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 6607:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2398 [inline]
 slab_free mm/slub.c:4656 [inline]
 kfree+0x2b6/0x4d0 mm/slub.c:4855
 vhci_release+0xbb/0xf0 drivers/bluetooth/hci_vhci.c:671
 __fput+0x3ff/0xb70 fs/file_table.c:465
 task_work_run+0x14d/0x240 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0xafb/0x2c30 kernel/exit.c:953
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
 get_signal+0x2673/0x26d0 kernel/signal.c:3034
 arch_do_signal_or_restart+0x8f/0x7a0 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
 do_syscall_64+0xda/0x230 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888028448800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 0 bytes inside of
 freed 1024-byte region [ffff888028448800, ffff888028448c00)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28448
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b441dc0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801b441dc0 0000000000000000 dead000000000001
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0000a11201 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5928, tgid 5928 (kworker/u8:2), ts 88342641017, free_ts 88224139595
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1718
 prep_new_page mm/page_alloc.c:1726 [inline]
 get_page_from_freelist+0x135c/0x3920 mm/page_alloc.c:3688
 __alloc_frozen_pages_noprof+0x263/0x23a0 mm/page_alloc.c:4970
 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2301
 alloc_slab_page mm/slub.c:2468 [inline]
 allocate_slab mm/slub.c:2632 [inline]
 new_slab+0x244/0x340 mm/slub.c:2686
 ___slab_alloc+0xd9c/0x1940 mm/slub.c:3872
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3962
 __slab_alloc_node mm/slub.c:4037 [inline]
 slab_alloc_node mm/slub.c:4198 [inline]
 __do_kmalloc_node mm/slub.c:4340 [inline]
 __kmalloc_noprof+0x2f2/0x510 mm/slub.c:4353
 kmalloc_noprof include/linux/slab.h:909 [inline]
 load_elf_phdrs+0x102/0x210 fs/binfmt_elf.c:532
 load_elf_binary+0x14b3/0x4f80 fs/binfmt_elf.c:960
 search_binary_handler fs/exec.c:1778 [inline]
 exec_binprm fs/exec.c:1810 [inline]
 bprm_execve fs/exec.c:1862 [inline]
 bprm_execve+0x8c0/0x1650 fs/exec.c:1838
 kernel_execve+0x2ef/0x3b0 fs/exec.c:2028
 call_usermodehelper_exec_async+0x255/0x4c0 kernel/umh.c:109
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
page last free pid 5903 tgid 5903 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1262 [inline]
 __free_frozen_pages+0x69d/0xff0 mm/page_alloc.c:2725
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4161 [inline]
 slab_alloc_node mm/slub.c:4210 [inline]
 kmem_cache_alloc_noprof+0x1cb/0x3b0 mm/slub.c:4217
 getname_flags.part.0+0x4c/0x550 fs/namei.c:146
 getname_flags+0x93/0xf0 include/linux/audit.h:322
 getname include/linux/fs.h:2852 [inline]
 do_sys_openat2+0xb8/0x1d0 fs/open.c:1423
 do_sys_open fs/open.c:1444 [inline]
 __do_sys_openat fs/open.c:1460 [inline]
 __se_sys_openat fs/open.c:1455 [inline]
 __x64_sys_openat+0x174/0x210 fs/open.c:1455
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x230 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888028448700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888028448780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888028448800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888028448880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888028448900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit:         bc337235 Merge tag 'for-6.15-rc3-tag' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11a91014580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f65c1740d8e72188
dashboard link: https://syzkaller.appspot.com/bug?extid=ac3c79181f6aecc5120c
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11fdbacc580000

Re: [syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump

[Ivan Pravdin]

[-- Attachment #1: Type: text/plain, Size: 25 bytes --]

#syz test

	Ivan Pravdin

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 3549 bytes --]

diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index f7d8c3c00655..2fef08254d78 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -380,6 +380,28 @@ static const struct file_operations force_devcoredump_fops = {
 	.write		= force_devcd_write,
 };
 
+static void vhci_debugfs_init(struct vhci_data *data)
+{
+	struct hci_dev *hdev = data->hdev;
+
+	debugfs_create_file("force_suspend", 0644, hdev->debugfs, data,
+			    &force_suspend_fops);
+
+	debugfs_create_file("force_wakeup", 0644, hdev->debugfs, data,
+			    &force_wakeup_fops);
+
+	if (IS_ENABLED(CONFIG_BT_MSFTEXT))
+		debugfs_create_file("msft_opcode", 0644, hdev->debugfs, data,
+				    &msft_opcode_fops);
+
+	if (IS_ENABLED(CONFIG_BT_AOSPEXT))
+		debugfs_create_file("aosp_capable", 0644, hdev->debugfs, data,
+				    &aosp_capable_fops);
+
+	debugfs_create_file("force_devcoredump", 0644, hdev->debugfs, data,
+			    &force_devcoredump_fops);
+}
+
 static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
 {
 	struct hci_dev *hdev;
@@ -434,22 +456,8 @@ static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
 		return -EBUSY;
 	}
 
-	debugfs_create_file("force_suspend", 0644, hdev->debugfs, data,
-			    &force_suspend_fops);
-
-	debugfs_create_file("force_wakeup", 0644, hdev->debugfs, data,
-			    &force_wakeup_fops);
-
-	if (IS_ENABLED(CONFIG_BT_MSFTEXT))
-		debugfs_create_file("msft_opcode", 0644, hdev->debugfs, data,
-				    &msft_opcode_fops);
-
-	if (IS_ENABLED(CONFIG_BT_AOSPEXT))
-		debugfs_create_file("aosp_capable", 0644, hdev->debugfs, data,
-				    &aosp_capable_fops);
-
-	debugfs_create_file("force_devcoredump", 0644, hdev->debugfs, data,
-			    &force_devcoredump_fops);
+	if (!IS_ERR_OR_NULL(hdev->debugfs))
+		vhci_debugfs_init(data);
 
 	hci_skb_pkt_type(skb) = HCI_VENDOR_PKT;
 
@@ -651,6 +659,21 @@ static int vhci_open(struct inode *inode, struct file *file)
 	return 0;
 }
 
+static void vhci_debugfs_remove(struct hci_dev *hdev)
+{
+	debugfs_lookup_and_remove("force_suspend", hdev->debugfs);
+
+	debugfs_lookup_and_remove("force_wakeup", hdev->debugfs);
+
+	if (IS_ENABLED(CONFIG_BT_MSFTEXT))
+		debugfs_lookup_and_remove("msft_opcode", hdev->debugfs);
+
+	if (IS_ENABLED(CONFIG_BT_AOSPEXT))
+		debugfs_lookup_and_remove("aosp_capable", hdev->debugfs);
+
+	debugfs_lookup_and_remove("force_devcoredump", hdev->debugfs);
+}
+
 static int vhci_release(struct inode *inode, struct file *file)
 {
 	struct vhci_data *data = file->private_data;
@@ -662,6 +685,8 @@ static int vhci_release(struct inode *inode, struct file *file)
 	hdev = data->hdev;
 
 	if (hdev) {
+		if (!IS_ERR_OR_NULL(hdev->debugfs))
+			vhci_debugfs_remove(hdev);
 		hci_unregister_dev(hdev);
 		hci_free_dev(hdev);
 	}
diff --git a/net/bluetooth/coredump.c b/net/bluetooth/coredump.c
index 819eacb38762..720cb79adf96 100644
--- a/net/bluetooth/coredump.c
+++ b/net/bluetooth/coredump.c
@@ -249,15 +249,15 @@ static void hci_devcd_dump(struct hci_dev *hdev)
 
 	size = hdev->dump.tail - hdev->dump.head;
 
-	/* Emit a devcoredump with the available data */
-	dev_coredumpv(&hdev->dev, hdev->dump.head, size, GFP_KERNEL);
-
 	/* Send a copy to monitor as a diagnostic packet */
 	skb = bt_skb_alloc(size, GFP_ATOMIC);
 	if (skb) {
 		skb_put_data(skb, hdev->dump.head, size);
 		hci_recv_diag(hdev, skb);
 	}
+
+	/* Emit a devcoredump with the available data */
+	dev_coredumpv(&hdev->dev, hdev->dump.head, size, GFP_KERNEL);
 }
 
 static void hci_devcd_handle_pkt_complete(struct hci_dev *hdev,

Re: [syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+ac3c79181f6aecc5120c@syzkaller.appspotmail.com
Tested-by: syzbot+ac3c79181f6aecc5120c@syzkaller.appspotmail.com

Tested on:

commit:         e2291551 Merge tag 'probes-fixes-v6.16-rc6' of git://g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=103bc58c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=693e2f5eea496864
dashboard link: https://syzkaller.appspot.com/bug?extid=ac3c79181f6aecc5120c
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1672e382580000

Note: testing is done by a robot and is best-effort only.

Re: [syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump

[Ivan Pravdin]

#syz test

diff --git a/net/bluetooth/coredump.c b/net/bluetooth/coredump.c
index 819eacb38762..1232c9a94f95 100644
--- a/net/bluetooth/coredump.c
+++ b/net/bluetooth/coredump.c
@@ -243,6 +243,7 @@ static void hci_devcd_handle_pkt_pattern(struct hci_dev *hdev,
 static void hci_devcd_dump(struct hci_dev *hdev)
 {
        struct sk_buff *skb;
+       char *coredump;
        u32 size;
 
        bt_dev_dbg(hdev, "state %d", hdev->dump.state);
@@ -250,7 +251,11 @@ static void hci_devcd_dump(struct hci_dev *hdev)
        size = hdev->dump.tail - hdev->dump.head;
 
        /* Emit a devcoredump with the available data */
-       dev_coredumpv(&hdev->dev, hdev->dump.head, size, GFP_KERNEL);
+       coredump = vmalloc(size);
+       if (coredump) {
+               memcpy(coredump, hdev->dump.head, size);
+               dev_coredumpv(&hdev->dev, coredump, size, GFP_KERNEL);
+       }
 
        /* Send a copy to monitor as a diagnostic packet */
        skb = bt_skb_alloc(size, GFP_ATOMIC);

Ivan Pravdin

Re: [syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in force_devcd_write

==================================================================
BUG: KASAN: slab-use-after-free in force_devcd_write+0x312/0x340 drivers/bluetooth/hci_vhci.c:327
Read of size 8 at addr ffff88807b5f6000 by task syz.0.616/7999

CPU: 0 UID: 0 PID: 7999 Comm: syz.0.616 Not tainted 6.15.0-syzkaller-13804-g939f15e640f1-dirty #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xcd/0x680 mm/kasan/report.c:521
 kasan_report+0xe0/0x110 mm/kasan/report.c:634
 force_devcd_write+0x312/0x340 drivers/bluetooth/hci_vhci.c:327
 full_proxy_write+0x13f/0x200 fs/debugfs/file.c:398
 vfs_write+0x29d/0x1150 fs/read_write.c:684
 ksys_write+0x12a/0x250 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3210d8e969
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3211b9b038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f3210fb5fa0 RCX: 00007f3210d8e969
RDX: 000000000000000e RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f3210e10ab1 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f3210fb5fa0 R15: 00007fff9eb91938
 </TASK>

Allocated by task 6438:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 vhci_open+0x4c/0x430 drivers/bluetooth/hci_vhci.c:635
 misc_open+0x35d/0x420 drivers/char/misc.c:161
 chrdev_open+0x231/0x6a0 fs/char_dev.c:414
 do_dentry_open+0x744/0x1c10 fs/open.c:964
 vfs_open+0x82/0x3f0 fs/open.c:1094
 do_open fs/namei.c:3887 [inline]
 path_openat+0x1de4/0x2cb0 fs/namei.c:4046
 do_filp_open+0x20b/0x470 fs/namei.c:4073
 do_sys_openat2+0x11b/0x1d0 fs/open.c:1437
 do_sys_open fs/open.c:1452 [inline]
 __do_sys_openat fs/open.c:1468 [inline]
 __se_sys_openat fs/open.c:1463 [inline]
 __x64_sys_openat+0x174/0x210 fs/open.c:1463
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 6438:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2381 [inline]
 slab_free mm/slub.c:4643 [inline]
 kfree+0x2b4/0x4d0 mm/slub.c:4842
 vhci_release+0xbb/0xf0 drivers/bluetooth/hci_vhci.c:671
 __fput+0x402/0xb70 fs/file_table.c:465
 task_work_run+0x150/0x240 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x864/0x2bd0 kernel/exit.c:955
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1104
 get_signal+0x2673/0x26d0 kernel/signal.c:3034
 arch_do_signal_or_restart+0x8f/0x790 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop+0x84/0x110 kernel/entry/common.c:111
 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
 do_syscall_64+0x3f6/0x490 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88807b5f6000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 0 bytes inside of
 freed 1024-byte region [ffff88807b5f6000, ffff88807b5f6400)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7b5f0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b441dc0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801b441dc0 dead000000000100 dead000000000122
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0001ed7c01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5498, tgid 5498 (S41dhcpcd), ts 56157746693, free_ts 56113477136
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x1321/0x3890 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:4959
 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2419
 alloc_slab_page mm/slub.c:2451 [inline]
 allocate_slab mm/slub.c:2619 [inline]
 new_slab+0x23b/0x330 mm/slub.c:2673
 ___slab_alloc+0xd9c/0x1940 mm/slub.c:3859
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3949
 __slab_alloc_node mm/slub.c:4024 [inline]
 slab_alloc_node mm/slub.c:4185 [inline]
 __do_kmalloc_node mm/slub.c:4327 [inline]
 __kmalloc_noprof+0x2f2/0x510 mm/slub.c:4340
 kmalloc_noprof include/linux/slab.h:909 [inline]
 load_elf_phdrs+0x102/0x210 fs/binfmt_elf.c:525
 load_elf_binary+0x1fa/0x4f00 fs/binfmt_elf.c:854
 search_binary_handler fs/exec.c:1665 [inline]
 exec_binprm fs/exec.c:1697 [inline]
 bprm_execve fs/exec.c:1749 [inline]
 bprm_execve+0x8c3/0x1650 fs/exec.c:1725
 do_execveat_common.isra.0+0x4a5/0x610 fs/exec.c:1855
 do_execve fs/exec.c:1929 [inline]
 __do_sys_execve fs/exec.c:2005 [inline]
 __se_sys_execve fs/exec.c:2000 [inline]
 __x64_sys_execve+0x8e/0xb0 fs/exec.c:2000
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 5184 tgid 5184 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 __free_frozen_pages+0x7fe/0x1180 mm/page_alloc.c:2706
 discard_slab mm/slub.c:2717 [inline]
 __put_partials+0x16d/0x1c0 mm/slub.c:3186
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4d/0x120 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4148 [inline]
 slab_alloc_node mm/slub.c:4197 [inline]
 kmem_cache_alloc_lru_noprof+0x1d0/0x3b0 mm/slub.c:4216
 __d_alloc+0x31/0xaa0 fs/dcache.c:1690
 d_alloc+0x4a/0x1e0 fs/dcache.c:1769
 d_alloc_parallel+0xe3/0x12e0 fs/dcache.c:2533
 __lookup_slow+0x193/0x460 fs/namei.c:1802
 lookup_slow fs/namei.c:1834 [inline]
 walk_component+0x353/0x5b0 fs/namei.c:2138
 lookup_last fs/namei.c:2639 [inline]
 path_lookupat+0x142/0x6d0 fs/namei.c:2663
 filename_lookup+0x224/0x5f0 fs/namei.c:2692
 vfs_statx+0x101/0x3e0 fs/stat.c:353
 vfs_fstatat+0x7b/0xf0 fs/stat.c:375
 __do_sys_newfstatat+0x97/0x120 fs/stat.c:542

Memory state around the buggy address:
 ffff88807b5f5f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88807b5f5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807b5f6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88807b5f6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88807b5f6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit:         939f15e6 Merge tag 'turbostat-2025.06.08' of git://git..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15698a82580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6678e7c8a50af095
dashboard link: https://syzkaller.appspot.com/bug?extid=ac3c79181f6aecc5120c
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15c18a82580000

Re: [syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump

[Ivan Pravdin]

#syz test

diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index 59f4d7bdffdc..493d704c0dfb 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -661,6 +661,8 @@ static int vhci_release(struct inode *inode, struct file *file)
 
 	hdev = data->hdev;
 
+	debugfs_remove_recursive(hdev->debugfs);
+
 	if (hdev) {
 		hci_unregister_dev(hdev);
 		hci_free_dev(hdev);
diff --git a/net/bluetooth/coredump.c b/net/bluetooth/coredump.c
index 819eacb38762..1232c9a94f95 100644
--- a/net/bluetooth/coredump.c
+++ b/net/bluetooth/coredump.c
@@ -243,6 +243,7 @@ static void hci_devcd_handle_pkt_pattern(struct hci_dev *hdev,
 static void hci_devcd_dump(struct hci_dev *hdev)
 {
 	struct sk_buff *skb;
+	char *coredump;
 	u32 size;
 
 	bt_dev_dbg(hdev, "state %d", hdev->dump.state);
@@ -250,7 +251,11 @@ static void hci_devcd_dump(struct hci_dev *hdev)
 	size = hdev->dump.tail - hdev->dump.head;
 
 	/* Emit a devcoredump with the available data */
-	dev_coredumpv(&hdev->dev, hdev->dump.head, size, GFP_KERNEL);
+	coredump = vmalloc(size);
+	if (coredump) {
+		memcpy(coredump, hdev->dump.head, size);
+		dev_coredumpv(&hdev->dev, coredump, size, GFP_KERNEL);
+	}
 
 	/* Send a copy to monitor as a diagnostic packet */
 	skb = bt_skb_alloc(size, GFP_ATOMIC);

Ivan Pravdin

Re: [syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

cquire+0xfc/0x350
[  109.325603][ T5869]  _raw_spin_lock+0x2e/0x40
[  109.325629][ T5869]  ? lockref_get+0x15/0x50
[  109.325659][ T5869]  lockref_get+0x15/0x50
[  109.325688][ T5869]  simple_recursive_removal+0x3b/0x690
[  109.325717][ T5869]  ? do_raw_spin_unlock+0x172/0x230
[  109.325747][ T5869]  ? __pfx_remove_one+0x10/0x10
[  109.325771][ T5869]  ? mntput+0x10/0x90
[  109.325796][ T5869]  debugfs_remove+0x5d/0x80
[  109.325821][ T5869]  hci_release_dev+0x8c/0x600
[  109.325852][ T5869]  ? __pfx_hci_release_dev+0x10/0x10
[  109.325882][ T5869]  ? rcu_is_watching+0x12/0xc0
[  109.325903][ T5869]  ? kfree+0x24f/0x4d0
[  109.325931][ T5869]  bt_host_release+0x6a/0xb0
[  109.325952][ T5869]  ? __pfx_bt_host_release+0x10/0x10
[  109.325973][ T5869]  device_release+0xa1/0x240
[  109.325999][ T5869]  kobject_put+0x1e7/0x5a0
[  109.326020][ T5869]  ? __pfx_vhci_release+0x10/0x10
[  109.326052][ T5869]  put_device+0x1f/0x30
[  109.326076][ T5869]  vhci_release+0xb5/0x130
[  109.326108][ T5869]  __fput+0x402/0xb70
[  109.326132][ T5869]  task_work_run+0x150/0x240
[  109.326164][ T5869]  ? __pfx_task_work_run+0x10/0x10
[  109.326199][ T5869]  do_exit+0x864/0x2bd0
[  109.326230][ T5869]  ? __pfx_do_exit+0x10/0x10
[  109.326256][ T5869]  ? do_raw_spin_lock+0x12c/0x2b0
[  109.326286][ T5869]  ? find_held_lock+0x2b/0x80
[  109.326308][ T5869]  do_group_exit+0xd3/0x2a0
[  109.326336][ T5869]  get_signal+0x2673/0x26d0
[  109.326363][ T5869]  ? __pfx_get_signal+0x10/0x10
[  109.326385][ T5869]  ? kmem_cache_free+0x16d/0x4d0
[  109.326413][ T5869]  ? __fput+0x68d/0xb70
[  109.326434][ T5869]  arch_do_signal_or_restart+0x8f/0x790
[  109.326457][ T5869]  ? __fput+0x68d/0xb70
[  109.326476][ T5869]  ? __pfx_arch_do_signal_or_restart+0x10/0x10
[  109.326503][ T5869]  ? __pfx_fput_close_sync+0x10/0x10
[  109.326524][ T5869]  ? dnotify_flush+0x79/0x4c0
[  109.326566][ T5869]  exit_to_user_mode_loop+0x84/0x110
[  109.326600][ T5869]  do_syscall_64+0x3f6/0x490
[  109.326621][ T5869]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  109.326644][ T5869] RIP: 0033:0x7f6845b8d5ca
[  109.326661][ T5869] Code: Unable to access opcode bytes at 0x7f6845b8d5a0.
[  109.326671][ T5869] RSP: 002b:00007ffefac60c40 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[  109.326693][ T5869] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007f6845b8d5ca
[  109.326706][ T5869] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[  109.326719][ T5869] RBP: 00007ffefac60c9c R08: 0000000000000000 R09: 00007ffefac609a7
[  109.326732][ T5869] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[  109.326745][ T5869] R13: 00000000000927c0 R14: 000000000001aa36 R15: 00007ffefac60cf0
[  109.326765][ T5869]  </TASK>
[  109.326772][ T5869] 
[  109.662463][ T5869] Allocated by task 5869:
[  109.666812][ T5869]  kasan_save_stack+0x33/0x60
[  109.671613][ T5869]  kasan_save_track+0x14/0x30
[  109.676325][ T5869]  __kasan_slab_alloc+0x89/0x90
[  109.681256][ T5869]  kmem_cache_alloc_lru_noprof+0x1d0/0x3b0
[  109.687349][ T5869]  __d_alloc+0x31/0xaa0
[  109.691619][ T5869]  d_alloc+0x4a/0x1e0
[  109.695718][ T5869]  d_alloc_parallel+0xe3/0x12e0
[  109.700963][ T5869]  __lookup_slow+0x193/0x460
[  109.705774][ T5869]  lookup_noperm+0xe1/0x110
[  109.710312][ T5869]  start_creating.part.0+0x15a/0x3e0
[  109.716005][ T5869]  debugfs_create_dir+0x6c/0x5f0
[  109.721340][ T5869]  hci_register_dev+0x2f2/0xc60
[  109.726328][ T5869]  __vhci_create_device+0x357/0x7f0
[  109.731716][ T5869]  vhci_write+0x2c0/0x480
[  109.736252][ T5869]  vfs_write+0x6c4/0x1150
[  109.740904][ T5869]  ksys_write+0x12a/0x250
[  109.745448][ T5869]  do_syscall_64+0xcd/0x490
[  109.750065][ T5869]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  109.755993][ T5869] 
[  109.758349][ T5869] Freed by task 15:
[  109.762424][ T5869]  kasan_save_stack+0x33/0x60
[  109.767369][ T5869]  kasan_save_track+0x14/0x30
[  109.772423][ T5869]  kasan_save_free_info+0x3b/0x60
[  109.777663][ T5869]  __kasan_slab_free+0x51/0x70
[  109.782576][ T5869]  kmem_cache_free+0x2d1/0x4d0
[  109.787495][ T5869]  rcu_core+0x79c/0x14e0
[  109.791784][ T5869]  handle_softirqs+0x219/0x8e0
[  109.796774][ T5869]  run_ksoftirqd+0x3a/0x60
[  109.801340][ T5869]  smpboot_thread_fn+0x3f7/0xae0
[  109.806423][ T5869]  kthread+0x3c2/0x780
[  109.810589][ T5869]  ret_from_fork+0x5d4/0x6f0
[  109.815482][ T5869]  ret_from_fork_asm+0x1a/0x30
[  109.820362][ T5869] 
[  109.823072][ T5869] Last potentially related work creation:
[  109.828904][ T5869]  kasan_save_stack+0x33/0x60
[  109.833815][ T5869]  kasan_record_aux_stack+0xa7/0xc0
[  109.839064][ T5869]  __call_rcu_common.constprop.0+0x9a/0x9f0
[  109.846303][ T5869]  dentry_free+0xc2/0x160
[  109.850666][ T5869]  __dentry_kill+0x498/0x600
[  109.855291][ T5869]  dput.part.0+0x4b1/0x9b0
[  109.859830][ T5869]  dput+0x1f/0x30
[  109.863586][ T5869]  debugfs_remove+0x5d/0x80
[  109.868127][ T5869]  vhci_release+0x9b/0x130
[  109.872572][ T5869]  __fput+0x402/0xb70
[  109.876663][ T5869]  task_work_run+0x150/0x240
[  109.881510][ T5869]  do_exit+0x864/0x2bd0
[  109.885964][ T5869]  do_group_exit+0xd3/0x2a0
[  109.890524][ T5869]  get_signal+0x2673/0x26d0
[  109.895159][ T5869]  arch_do_signal_or_restart+0x8f/0x790
[  109.900906][ T5869]  exit_to_user_mode_loop+0x84/0x110
[  109.906326][ T5869]  do_syscall_64+0x3f6/0x490
[  109.911128][ T5869]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  109.917311][ T5869] 
[  109.919935][ T5869] The buggy address belongs to the object at ffff888071891a70
[  109.919935][ T5869]  which belongs to the cache dentry of size 312
[  109.934312][ T5869] The buggy address is located 208 bytes inside of
[  109.934312][ T5869]  freed 312-byte region [ffff888071891a70, ffff888071891ba8)
[  109.949195][ T5869] 
[  109.951537][ T5869] The buggy address belongs to the physical page:
[  109.957976][ T5869] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x71890
[  109.967572][ T5869] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[  109.976151][ T5869] memcg:ffff88802919ed01
[  109.980496][ T5869] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[  109.988514][ T5869] page_type: f5(slab)
[  109.993050][ T5869] raw: 00fff00000000040 ffff88801ca94780 dead000000000122 0000000000000000
[  110.001676][ T5869] raw: 0000000000000000 0000000000150015 00000000f5000000 ffff88802919ed01
[  110.010388][ T5869] head: 00fff00000000040 ffff88801ca94780 dead000000000122 0000000000000000
[  110.019449][ T5869] head: 0000000000000000 0000000000150015 00000000f5000000 ffff88802919ed01
[  110.028182][ T5869] head: 00fff00000000001 ffffea0001c62401 00000000ffffffff 00000000ffffffff
[  110.037080][ T5869] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[  110.045949][ T5869] page dumped because: kasan: bad access detected
[  110.052725][ T5869] page_owner tracks the page as allocated
[  110.058670][ T5869] page last allocated via order 1, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_RECLAIMABLE|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5864, tgid 5864 (syz-executor), ts 108825522753, free_ts 35108082918
[  110.083404][ T5869]  post_alloc_hook+0x1c0/0x230
[  110.089384][ T5869]  get_page_from_freelist+0x1321/0x3890
[  110.095163][ T5869]  __alloc_frozen_pages_noprof+0x261/0x23f0
[  110.102661][ T5869]  alloc_pages_mpol+0x1fb/0x550
[  110.108098][ T5869]  new_slab+0x23b/0x330
[  110.112837][ T5869]  ___slab_alloc+0xd9c/0x1940
[  110.117802][ T5869]  __slab_alloc.constprop.0+0x56/0xb0
[  110.123659][ T5869]  kmem_cache_alloc_lru_noprof+0xf4/0x3b0
[  110.129789][ T5869]  __d_alloc+0x31/0xaa0
[  110.134352][ T5869]  d_alloc_pseudo+0x1c/0xc0
[  110.139204][ T5869]  alloc_file_pseudo+0xcf/0x230
[  110.144507][ T5869]  sock_alloc_file+0x50/0x210
[  110.149791][ T5869]  __sys_socket+0x1c0/0x260
[  110.154768][ T5869]  __x64_sys_socket+0x72/0xb0
[  110.159903][ T5869]  do_syscall_64+0xcd/0x490
[  110.164705][ T5869]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  110.171259][ T5869] page last free pid 1 tgid 1 stack trace:
[  110.177345][ T5869]  __free_frozen_pages+0x7fe/0x1180
[  110.182956][ T5869]  free_contig_range+0x183/0x4b0
[  110.188039][ T5869]  destroy_args+0x7f6/0xa60
[  110.192847][ T5869]  debug_vm_pgtable+0x13b8/0x2d00
[  110.198193][ T5869]  do_one_initcall+0x120/0x6e0
[  110.203286][ T5869]  kernel_init_freeable+0x5c2/0x900
[  110.208731][ T5869]  kernel_init+0x1c/0x2b0
[  110.213105][ T5869]  ret_from_fork+0x5d4/0x6f0
[  110.217918][ T5869]  ret_from_fork_asm+0x1a/0x30
[  110.222812][ T5869] 
[  110.225370][ T5869] Memory state around the buggy address:
[  110.231468][ T5869]  ffff888071891a00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fa fb
[  110.240145][ T5869]  ffff888071891a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  110.248590][ T5869] >ffff888071891b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  110.257376][ T5869]                                            ^
[  110.263723][ T5869]  ffff888071891b80: fb fb fb fb fb fc fc fc fc fc fc fc fc fa fb fb
[  110.272360][ T5869]  ffff888071891c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  110.280656][ T5869] ==================================================================
[  110.290650][ T5869] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[  110.298787][ T5869] CPU: 1 UID: 0 PID: 5869 Comm: syz-executor Not tainted 6.16.0-rc1-syzkaller-g19272b37aa4f-dirty #0 PREEMPT(full) 
[  110.311806][ T5869] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[  110.321979][ T5869] Call Trace:
[  110.325949][ T5869]  <TASK>
[  110.329265][ T5869]  dump_stack_lvl+0x3d/0x1f0
[  110.334799][ T5869]  panic+0x71c/0x800
[  110.338998][ T5869]  ? __pfx_panic+0x10/0x10
[  110.343613][ T5869]  ? rcu_is_watching+0x12/0xc0
[  110.348630][ T5869]  ? irqentry_exit+0x3b/0x90
[  110.353343][ T5869]  ? lockdep_hardirqs_on+0x7c/0x110
[  110.358844][ T5869]  ? _raw_spin_lock+0x2e/0x40
[  110.363634][ T5869]  ? check_panic_on_warn+0x1f/0xb0
[  110.368878][ T5869]  ? _raw_spin_lock+0x2e/0x40
[  110.373779][ T5869]  check_panic_on_warn+0xab/0xb0
[  110.378848][ T5869]  end_report+0x107/0x170
[  110.383308][ T5869]  kasan_report+0xee/0x110
[  110.387745][ T5869]  ? _raw_spin_lock+0x2e/0x40
[  110.392640][ T5869]  ? _raw_spin_lock+0x2e/0x40
[  110.397603][ T5869]  __kasan_check_byte+0x36/0x50
[  110.402600][ T5869]  lock_acquire+0xfc/0x350
[  110.407153][ T5869]  _raw_spin_lock+0x2e/0x40
[  110.411773][ T5869]  ? lockref_get+0x15/0x50
[  110.416402][ T5869]  lockref_get+0x15/0x50
[  110.420955][ T5869]  simple_recursive_removal+0x3b/0x690
[  110.426702][ T5869]  ? do_raw_spin_unlock+0x172/0x230
[  110.431959][ T5869]  ? __pfx_remove_one+0x10/0x10
[  110.436933][ T5869]  ? mntput+0x10/0x90
[  110.441117][ T5869]  debugfs_remove+0x5d/0x80
[  110.446166][ T5869]  hci_release_dev+0x8c/0x600
[  110.450960][ T5869]  ? __pfx_hci_release_dev+0x10/0x10
[  110.456565][ T5869]  ? rcu_is_watching+0x12/0xc0
[  110.461363][ T5869]  ? kfree+0x24f/0x4d0
[  110.465635][ T5869]  bt_host_release+0x6a/0xb0
[  110.470427][ T5869]  ? __pfx_bt_host_release+0x10/0x10
[  110.475842][ T5869]  device_release+0xa1/0x240
[  110.480576][ T5869]  kobject_put+0x1e7/0x5a0
[  110.485098][ T5869]  ? __pfx_vhci_release+0x10/0x10
[  110.490263][ T5869]  put_device+0x1f/0x30
[  110.494492][ T5869]  vhci_release+0xb5/0x130
[  110.499490][ T5869]  __fput+0x402/0xb70
[  110.503813][ T5869]  task_work_run+0x150/0x240
[  110.508637][ T5869]  ? __pfx_task_work_run+0x10/0x10
[  110.514088][ T5869]  do_exit+0x864/0x2bd0
[  110.518757][ T5869]  ? __pfx_do_exit+0x10/0x10
[  110.523385][ T5869]  ? do_raw_spin_lock+0x12c/0x2b0
[  110.528713][ T5869]  ? find_held_lock+0x2b/0x80
[  110.533506][ T5869]  do_group_exit+0xd3/0x2a0
[  110.538221][ T5869]  get_signal+0x2673/0x26d0
[  110.542932][ T5869]  ? __pfx_get_signal+0x10/0x10
[  110.548742][ T5869]  ? kmem_cache_free+0x16d/0x4d0
[  110.553909][ T5869]  ? __fput+0x68d/0xb70
[  110.558187][ T5869]  arch_do_signal_or_restart+0x8f/0x790
[  110.564061][ T5869]  ? __fput+0x68d/0xb70
[  110.568918][ T5869]  ? __pfx_arch_do_signal_or_restart+0x10/0x10
[  110.575472][ T5869]  ? __pfx_fput_close_sync+0x10/0x10
[  110.580949][ T5869]  ? dnotify_flush+0x79/0x4c0
[  110.585856][ T5869]  exit_to_user_mode_loop+0x84/0x110
[  110.591259][ T5869]  do_syscall_64+0x3f6/0x490
[  110.595889][ T5869]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  110.602107][ T5869] RIP: 0033:0x7f6845b8d5ca
[  110.606681][ T5869] Code: Unable to access opcode bytes at 0x7f6845b8d5a0.
[  110.613977][ T5869] RSP: 002b:00007ffefac60c40 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[  110.622786][ T5869] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007f6845b8d5ca
[  110.630784][ T5869] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[  110.638860][ T5869] RBP: 00007ffefac60c9c R08: 0000000000000000 R09: 00007ffefac609a7
[  110.647030][ T5869] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[  110.655018][ T5869] R13: 00000000000927c0 R14: 000000000001aa36 R15: 00007ffefac60cf0
[  110.663275][ T5869]  </TASK>
[  110.667034][ T5869] Kernel Offset: disabled
[  110.671574][ T5869] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/syzkaller/jobs/linux/gopath/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.7.linux-amd64'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/syzkaller/jobs/linux/gopath/pkg/mod/golang.org/toolchain@v0.0.1-go1.23.7.linux-amd64/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.7'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3640950295=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at 3d2f584dd
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=3d2f584ddab119da50e8a8d26765aa98d3b33c02 -X github.com/google/syzkaller/prog.gitRevisionDate=20250528-144826"  -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"3d2f584ddab119da50e8a8d26765aa98d3b33c02\"
/usr/bin/ld: /tmp/ccd8Gt78.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=12b67570580000


Tested on:

commit:         19272b37 Linux 6.16-rc1
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=c4c8362784bb7796
dashboard link: https://syzkaller.appspot.com/bug?extid=ac3c79181f6aecc5120c
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=130d8a0c580000