[syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    e927c520e1ba Merge tag 'loongarch-fixes-6.18-1' of git://g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10158d32580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=cb128cd5cb439809
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1782c914580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10a5f0b4580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b755c257d71b/disk-e927c520.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b906cb4856d7/vmlinux-e927c520.xz
kernel image: https://storage.googleapis.com/syzbot-assets/bb3525aba146/bzImage-e927c520.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f098d64cc684b8dbaf65@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff888112c22900 (size 240):
  comm "kworker/u9:1", pid 5133, jiffies 4294947154
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 6c5ee80a):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:250
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:332
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810b0ee3c0 (size 704):
  comm "kworker/u9:1", pid 5133, jiffies 4294947154
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4e765d9f):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    kmalloc_reserve+0xe6/0x180 net/core/skbuff.c:579
    __alloc_skb+0xd4/0x240 net/core/skbuff.c:670
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:250
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:332
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888112c22b00 (size 240):
  comm "kworker/u9:1", pid 5133, jiffies 4294947360
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc a204b710):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:250
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:332
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810b0edb80 (size 704):
  comm "kworker/u9:1", pid 5133, jiffies 4294947360
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4e765d9f):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    kmalloc_reserve+0xe6/0x180 net/core/skbuff.c:579
    __alloc_skb+0xd4/0x240 net/core/skbuff.c:670
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:250
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:332
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[Edward Adam Davis]

#syz test

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..553cfc4f7886 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -177,8 +177,11 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 					       hdev->req_status != HCI_REQ_PEND,
 					       timeout);
 
-	if (err == -ERESTARTSYS)
+	if (err == -ERESTARTSYS) {
+		flush_work(&hdev->cmd_work);
+		skb_queue_purge(&req.cmd_q);
 		return ERR_PTR(-EINTR);
+	}
 
 	switch (hdev->req_status) {
 	case HCI_REQ_DONE:

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __hci_cmd_sync_sk

BUG: memory leak
unreferenced object 0xffff888109a2de00 (size 240):
  comm "kworker/u9:3", pid 6352, jiffies 4294946920
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc ee2326c6):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x85/0x530 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:253
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:335
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit:         e7c375b1 Merge tag 'vfs-6.18-rc7.fixes' of gitolite.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1078e212580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1412f212580000

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[Edward Adam Davis]

#syz test

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..81fb553ceb56 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -201,7 +201,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	bt_dev_dbg(hdev, "end: err %d", err);
 
-	if (err < 0) {
+	if (err <= 0) {
 		kfree_skb(skb);
 		return ERR_PTR(err);
 	}

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

BUG: unable to handle kernel NULL pointer dereference in __hci_cmd_sync_status_sk

BUG: kernel NULL pointer dereference, address: 00000000000000d8
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0 
Oops: Oops: 0000 [#1] SMP PTI
CPU: 1 UID: 0 PID: 5134 Comm: kworker/u9:1 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: hci0 hci_power_on
RIP: 0010:__hci_cmd_sync_status_sk+0x7e/0x100 net/bluetooth/hci_sync.c:276
Code: 7b 78 fc 48 89 de 48 c7 c7 00 f0 ff ff e8 3a 74 78 fc 48 81 fb 00 f0 ff ff 77 3c e8 8c 7b 78 fc ba 02 00 00 00 48 89 de 31 ff <48> 8b 83 d8 00 00 00 0f b6 28 e8 83 74 87 ff e8 6e 7b 78 fc 89 e8
RSP: 0018:ffffc9000c087d58 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff84e919d6
RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000c03 R08: 0000000000000007 R09: fffffffffffff000
R10: 0000000000000000 R11: ffff88810c72bf00 R12: 0000000000000000
R13: ffff88810e0be000 R14: 0000000000000090 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8881b26c2000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000d8 CR3: 00000001198b4000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __hci_cmd_sync_status net/bluetooth/hci_sync.c:287 [inline]
 hci_reset_sync net/bluetooth/hci_sync.c:3664 [inline]
 hci_init1_sync net/bluetooth/hci_sync.c:3750 [inline]
 hci_init_sync net/bluetooth/hci_sync.c:4867 [inline]
 hci_dev_init_sync net/bluetooth/hci_sync.c:5059 [inline]
 hci_dev_open_sync+0x5aa/0x1080 net/bluetooth/hci_sync.c:5137
 hci_dev_do_open net/bluetooth/hci_core.c:430 [inline]
 hci_power_on+0x87/0x330 net/bluetooth/hci_core.c:959
 process_one_work+0x26b/0x620 kernel/workqueue.c:3263
 process_scheduled_works kernel/workqueue.c:3346 [inline]
 worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
 kthread+0x15b/0x310 kernel/kthread.c:463
 ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
CR2: 00000000000000d8
---[ end trace 0000000000000000 ]---
RIP: 0010:__hci_cmd_sync_status_sk+0x7e/0x100 net/bluetooth/hci_sync.c:276
Code: 7b 78 fc 48 89 de 48 c7 c7 00 f0 ff ff e8 3a 74 78 fc 48 81 fb 00 f0 ff ff 77 3c e8 8c 7b 78 fc ba 02 00 00 00 48 89 de 31 ff <48> 8b 83 d8 00 00 00 0f b6 28 e8 83 74 87 ff e8 6e 7b 78 fc 89 e8
RSP: 0018:ffffc9000c087d58 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff84e919d6
RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000c03 R08: 0000000000000007 R09: fffffffffffff000
R10: 0000000000000000 R11: ffff88810c72bf00 R12: 0000000000000000
R13: ffff88810e0be000 R14: 0000000000000090 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8881b26c2000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000d8 CR3: 00000001198b4000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	7b 78                	jnp    0x7a
   2:	fc                   	cld
   3:	48 89 de             	mov    %rbx,%rsi
   6:	48 c7 c7 00 f0 ff ff 	mov    $0xfffffffffffff000,%rdi
   d:	e8 3a 74 78 fc       	call   0xfc78744c
  12:	48 81 fb 00 f0 ff ff 	cmp    $0xfffffffffffff000,%rbx
  19:	77 3c                	ja     0x57
  1b:	e8 8c 7b 78 fc       	call   0xfc787bac
  20:	ba 02 00 00 00       	mov    $0x2,%edx
  25:	48 89 de             	mov    %rbx,%rsi
  28:	31 ff                	xor    %edi,%edi
* 2a:	48 8b 83 d8 00 00 00 	mov    0xd8(%rbx),%rax <-- trapping instruction
  31:	0f b6 28             	movzbl (%rax),%ebp
  34:	e8 83 74 87 ff       	call   0xff8774bc
  39:	e8 6e 7b 78 fc       	call   0xfc787bac
  3e:	89 e8                	mov    %ebp,%eax


Warning: Permanently added '10.128.1.249' (ED25519) to the list of known hosts.
2025/11/18 03:52:43 parsed 1 programs
[   39.605035][ T5812] cgroup: Unknown subsys name 'net'
[   39.718206][ T5812] cgroup: Unknown subsys name 'cpuset'
[   39.725182][ T5812] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   47.625088][ T5812] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   48.821383][ T5824] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[   48.930584][ T5829] chnl_net:caif_netlink_parms(): no params data found
[   48.949691][ T5829] bridge0: port 1(bridge_slave_0) entered blocking state
[   48.956768][ T5829] bridge0: port 1(bridge_slave_0) entered disabled state
[   48.964113][ T5829] bridge_slave_0: entered allmulticast mode
[   48.970539][ T5829] bridge_slave_0: entered promiscuous mode
[   48.976864][ T5829] bridge0: port 2(bridge_slave_1) entered blocking state
[   48.984045][ T5829] bridge0: port 2(bridge_slave_1) entered disabled state
[   48.991247][ T5829] bridge_slave_1: entered allmulticast mode
[   48.997453][ T5829] bridge_slave_1: entered promiscuous mode
[   49.008461][ T5829] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   49.018458][ T5829] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   49.033238][ T5829] team0: Port device team_slave_0 added
[   49.039522][ T5829] team0: Port device team_slave_1 added
[   49.049010][ T5829] batman_adv: batadv0: Adding interface: batadv_slave_0
[   49.056032][ T5829] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[   49.082173][ T5829] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   49.093168][ T5829] batman_adv: batadv0: Adding interface: batadv_slave_1
[   49.100231][ T5829] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[   49.126190][ T5829] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   49.143192][ T5829] hsr_slave_0: entered promiscuous mode
[   49.149035][ T5829] hsr_slave_1: entered promiscuous mode
[   49.176213][ T5829] netdevsim netdevsim0 netdevsim0: renamed from eth0
[   49.184012][ T5829] netdevsim netdevsim0 netdevsim1: renamed from eth1
[   49.191721][ T5829] netdevsim netdevsim0 netdevsim2: renamed from eth2
[   49.199377][ T5829] netdevsim netdevsim0 netdevsim3: renamed from eth3
[   49.210938][ T5829] bridge0: port 2(bridge_slave_1) entered blocking state
[   49.217991][ T5829] bridge0: port 2(bridge_slave_1) entered forwarding state
[   49.225334][ T5829] bridge0: port 1(bridge_slave_0) entered blocking state
[   49.232427][ T5829] bridge0: port 1(bridge_slave_0) entered forwarding state
[   49.249559][ T5829] 8021q: adding VLAN 0 to HW filter on device bond0
[   49.259076][ T1811] bridge0: port 1(bridge_slave_0) entered disabled state
[   49.266510][ T1811] bridge0: port 2(bridge_slave_1) entered disabled state
[   49.276312][ T5829] 8021q: adding VLAN 0 to HW filter on device team0
[   49.285041][   T35] bridge0: port 1(bridge_slave_0) entered blocking state
[   49.292228][   T35] bridge0: port 1(bridge_slave_0) entered forwarding state
[   49.301049][ T1811] bridge0: port 2(bridge_slave_1) entered blocking state
[   49.308132][ T1811] bridge0: port 2(bridge_slave_1) entered forwarding state
[   49.346750][ T5829] 8021q: adding VLAN 0 to HW filter on device batadv0
[   49.361904][ T5829] veth0_vlan: entered promiscuous mode
[   49.368744][ T5829] veth1_vlan: entered promiscuous mode
[   49.379509][ T5829] veth0_macvtap: entered promiscuous mode
[   49.386208][ T5829] veth1_macvtap: entered promiscuous mode
[   49.395078][ T5829] batman_adv: batadv0: Interface activated: batadv_slave_0
[   49.404897][ T5829] batman_adv: batadv0: Interface activated: batadv_slave_1
[   49.414036][ T1811] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[   49.422836][ T1811] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[   49.431714][ T1811] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[   49.440751][ T1811] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[   49.511385][ T1037] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[   49.548614][ T1037] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[   49.598642][ T1037] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[   49.619824][ T5868] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   49.626860][ T5134] BUG: kernel NULL pointer dereference, address: 00000000000000d8
[   49.634660][ T5134] #PF: supervisor read access in kernel mode
[   49.640614][ T5134] #PF: error_code(0x0000) - not-present page
[   49.646656][ T5134] PGD 0 P4D 0 
[   49.650092][ T5134] Oops: Oops: 0000 [#1] SMP PTI
[   49.654923][ T5134] CPU: 1 UID: 0 PID: 5134 Comm: kworker/u9:1 Not tainted syzkaller #0 PREEMPT(full) 
[   49.664549][ T5134] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[   49.674941][ T5134] Workqueue: hci0 hci_power_on
[   49.679690][ T5134] RIP: 0010:__hci_cmd_sync_status_sk+0x7e/0x100
[   49.686004][ T5134] Code: 7b 78 fc 48 89 de 48 c7 c7 00 f0 ff ff e8 3a 74 78 fc 48 81 fb 00 f0 ff ff 77 3c e8 8c 7b 78 fc ba 02 00 00 00 48 89 de 31 ff <48> 8b 83 d8 00 00 00 0f b6 28 e8 83 74 87 ff e8 6e 7b 78 fc 89 e8
[   49.706025][ T5134] RSP: 0018:ffffc9000c087d58 EFLAGS: 00010246
[   49.712243][ T5134] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff84e919d6
[   49.720299][ T5134] RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000
[   49.728434][ T5134] RBP: 0000000000000c03 R08: 0000000000000007 R09: fffffffffffff000
[   49.736819][ T5134] R10: 0000000000000000 R11: ffff88810c72bf00 R12: 0000000000000000
[   49.744762][ T5134] R13: ffff88810e0be000 R14: 0000000000000090 R15: 0000000000000000
[   49.752713][ T5134] FS:  0000000000000000(0000) GS:ffff8881b26c2000(0000) knlGS:0000000000000000
[   49.761620][ T5134] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   49.768180][ T5134] CR2: 00000000000000d8 CR3: 00000001198b4000 CR4: 00000000003526f0
[   49.776129][ T5134] Call Trace:
[   49.779402][ T5134]  <TASK>
[   49.782334][ T5134]  hci_dev_open_sync+0x5aa/0x1080
[   49.787364][ T5134]  ? __schedule+0x4c2/0x1990
[   49.792031][ T5134]  hci_power_on+0x87/0x330
[   49.796517][ T5134]  ? pwq_dec_nr_in_flight+0x78/0x560
[   49.801872][ T5134]  process_one_work+0x26b/0x620
[   49.806804][ T5134]  worker_thread+0x2c4/0x4f0
[   49.811464][ T5134]  ? __pfx_worker_thread+0x10/0x10
[   49.816550][ T5134]  kthread+0x15b/0x310
[   49.820623][ T5134]  ? finish_task_switch.isra.0+0x86/0x280
[   49.826410][ T5134]  ? __pfx_kthread+0x10/0x10
[   49.831068][ T5134]  ? __pfx_kthread+0x10/0x10
[   49.835908][ T5134]  ret_from_fork+0x210/0x240
[   49.840494][ T5134]  ? __pfx_kthread+0x10/0x10
[   49.845100][ T5134]  ret_from_fork_asm+0x1a/0x30
[   49.849853][ T5134]  </TASK>
[   49.852851][ T5134] Modules linked in:
[   49.856737][ T5134] CR2: 00000000000000d8
[   49.861042][ T5134] ---[ end trace 0000000000000000 ]---
[   49.866474][ T5134] RIP: 0010:__hci_cmd_sync_status_sk+0x7e/0x100
[   49.872872][ T5134] Code: 7b 78 fc 48 89 de 48 c7 c7 00 f0 ff ff e8 3a 74 78 fc 48 81 fb 00 f0 ff ff 77 3c e8 8c 7b 78 fc ba 02 00 00 00 48 89 de 31 ff <48> 8b 83 d8 00 00 00 0f b6 28 e8 83 74 87 ff e8 6e 7b 78 fc 89 e8
[   49.892482][ T5134] RSP: 0018:ffffc9000c087d58 EFLAGS: 00010246
[   49.898531][ T5134] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff84e919d6
[   49.906576][ T5134] RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000
[   49.914714][ T5134] RBP: 0000000000000c03 R08: 0000000000000007 R09: fffffffffffff000
[   49.922748][ T5134] R10: 0000000000000000 R11: ffff88810c72bf00 R12: 0000000000000000
[   49.930873][ T5134] R13: ffff88810e0be000 R14: 0000000000000090 R15: 0000000000000000
[   49.938834][ T5134] FS:  0000000000000000(0000) GS:ffff8881b26c2000(0000) knlGS:0000000000000000
[   49.948057][ T5134] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   49.954712][ T5134] CR2: 00000000000000d8 CR3: 00000001198b4000 CR4: 00000000003526f0
[   49.962685][ T5134] Kernel panic - not syncing: Fatal exception
[   49.969347][ T5134] Kernel Offset: disabled
[   49.973668][ T5134] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build379651147=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at 07e030dea
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=07e030dea6e6d9ca88b75bb3be2810f47083b328 -X github.com/google/syzkaller/prog.gitRevisionDate=20251112-115923"  ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=07e030dea6e6d9ca88b75bb3be2810f47083b328 -X github.com/google/syzkaller/prog.gitRevisionDate=20251112-115923"  ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=07e030dea6e6d9ca88b75bb3be2810f47083b328 -X github.com/google/syzkaller/prog.gitRevisionDate=20251112-115923"  -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"07e030dea6e6d9ca88b75bb3be2810f47083b328\"
/usr/bin/ld: /tmp/cccfp96C.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null



Tested on:

commit:         e7c375b1 Merge tag 'vfs-6.18-rc7.fixes' of gitolite.ke..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13e18e0a580000

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[Edward Adam Davis]

#syz test

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..b04bd6e357e0 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -180,6 +180,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 	if (err == -ERESTARTSYS)
 		return ERR_PTR(-EINTR);
 
+	printk("err: %d, status: %u, result: %u, %s\n", err, hdev->req_status, hdev->req_result, __func__);
 	switch (hdev->req_status) {
 	case HCI_REQ_DONE:
 		err = -bt_to_errno(hdev->req_result);
@@ -201,8 +202,10 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	bt_dev_dbg(hdev, "end: err %d", err);
 
-	if (err < 0) {
+	if (err <= 0) {
 		kfree_skb(skb);
+		if (!err)
+			err = -ETIMEDOUT;
 		return ERR_PTR(err);
 	}
 

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+f098d64cc684b8dbaf65@syzkaller.appspotmail.com
Tested-by: syzbot+f098d64cc684b8dbaf65@syzkaller.appspotmail.com

Tested on:

commit:         e7c375b1 Merge tag 'vfs-6.18-rc7.fixes' of gitolite.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15f18e0a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12b5b884580000

Note: testing is done by a robot and is best-effort only.

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[shaurya]

[-- Attachment #1: Type: text/html, Size: 240 bytes --]

[-- Attachment #2: 0001-Bluetooth-hci_sync-fix-memory-leak-in-__hci_cmd_sync.patch --]
[-- Type: text/x-patch, Size: 2002 bytes --]

From da73ec851aa5ec19b429c4cf8b9e2cd6a42e6e1e Mon Sep 17 00:00:00 2001
From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
Date: Wed, 19 Nov 2025 08:01:33 +0530
Subject: [PATCH] Bluetooth: hci_sync: fix memory leak in __hci_cmd_sync_sk

Fix a memory leak in __hci_cmd_sync_sk where allocated request command
SKBs are not properly cleaned up when the function fails.

The issue occurs when hci_cmd_sync_alloc() successfully allocates an SKB
and it gets queued via hci_cmd_sync_add(), but then __hci_cmd_sync_sk()
fails due to timeout, interruption, or cancellation. In these error
paths, the req_skb that was cloned and stored in hdev->req_skb is not
freed, leading to memory leaks.

The memory leak can be reproduced when __hci_cmd_sync_sk() allocates
and queues an HCI command SKB, and hci_req_sync_run() transfers this
SKB to hdev->cmd_q and clones it to hdev->req_skb. If the subsequent
wait_event_interruptible_timeout() call fails (due to timeout or
interruption), the function returns an error without hdev->req_skb
ever being cleaned up.

The fix ensures that when __hci_cmd_sync_sk() returns an error, any
pending request command SKB in hdev->req_skb is properly freed before
returning. This matches the cleanup pattern used elsewhere in the HCI
sync code.

Reported-by: syzbot+f098d64cc684b8dbaf65@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
---
 net/bluetooth/hci_sync.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..fbaa5749ad7b 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -203,6 +203,11 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	if (err < 0) {
 		kfree_skb(skb);
+		/* Clean up any pending request command */
+		if (hdev->req_skb) {
+			kfree_skb(hdev->req_skb);
+			hdev->req_skb = NULL;
+		}
 		return ERR_PTR(err);
 	}
 
-- 
2.34.1

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[Edward Adam Davis]

#syz test

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..84a57a79a025 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -177,8 +177,17 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 					       hdev->req_status != HCI_REQ_PEND,
 					       timeout);
 
-	if (err == -ERESTARTSYS)
-		return ERR_PTR(-EINTR);
+	if (err == -ERESTARTSYS || !err) {
+		if (err)
+			err = -EINTR;
+		else
+			err = -ETIMEDOUT;
+
+		flush_work(&hdev->cmd_work);
+		skb_queue_purge(&hdev->cmd_q);
+
+		return ERR_PTR(err);
+	}
 
 	switch (hdev->req_status) {
 	case HCI_REQ_DONE:

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __hci_cmd_sync_sk

BUG: memory leak
unreferenced object 0xffff8881195a5a00 (size 240):
  comm "kworker/u9:1", pid 5135, jiffies 4294947360
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 5842d197):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:259
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:341
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff8881099e1e40 (size 704):
  comm "kworker/u9:1", pid 5135, jiffies 4294947360
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4e765d9f):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    kmalloc_reserve+0xe6/0x180 net/core/skbuff.c:579
    __alloc_skb+0xd4/0x240 net/core/skbuff.c:670
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:259
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:341
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810c1c2d00 (size 240):
  comm "kworker/u9:3", pid 6291, jiffies 4294947641
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 310fcca):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:259
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:341
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888108e61080 (size 704):
  comm "kworker/u9:3", pid 6291, jiffies 4294947641
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4e765d9f):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    kmalloc_reserve+0xe6/0x180 net/core/skbuff.c:579
    __alloc_skb+0xd4/0x240 net/core/skbuff.c:670
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:259
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:341
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810c1c2300 (size 240):
  comm "kworker/u9:3", pid 6291, jiffies 4294947776
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 6674b3fb):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:259
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:341
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit:         8b690556 Merge tag 'for-linus' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15e54e0a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12ede692580000

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[shaurya]

[-- Attachment #1: Type: text/plain, Size: 83 bytes --]

#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

[-- Attachment #2: 0001-Bluetooth-hci_sync-fix-memory-leak-in-__hci_cmd_sync.patch --]
[-- Type: text/x-patch, Size: 2002 bytes --]

From 31c93fbc37d699e498cf51f7dc17e69cb210faaf Mon Sep 17 00:00:00 2001
From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
Date: Thu, 20 Nov 2025 00:11:40 +0530
Subject: [PATCH] Bluetooth: hci_sync: fix memory leak in __hci_cmd_sync_sk

Fix a memory leak in __hci_cmd_sync_sk where allocated request command
SKBs are not properly cleaned up when the function fails.

The issue occurs when hci_cmd_sync_alloc() successfully allocates an SKB
and it gets queued via hci_cmd_sync_add(), but then __hci_cmd_sync_sk()
fails due to timeout, interruption, or cancellation. In these error
paths, the req_skb that was cloned and stored in hdev->req_skb is not
freed, leading to memory leaks.

The memory leak can be reproduced when __hci_cmd_sync_sk() allocates
and queues an HCI command SKB, and hci_req_sync_run() transfers this
SKB to hdev->cmd_q and clones it to hdev->req_skb. If the subsequent
wait_event_interruptible_timeout() call fails (due to timeout or
interruption), the function returns an error without hdev->req_skb
ever being cleaned up.

The fix ensures that when __hci_cmd_sync_sk() returns an error, any
pending request command SKB in hdev->req_skb is properly freed before
returning. This matches the cleanup pattern used elsewhere in the HCI
sync code.

Reported-by: syzbot+f098d64cc684b8dbaf65@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
---
 net/bluetooth/hci_sync.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..fbaa5749ad7b 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -203,6 +203,11 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	if (err < 0) {
 		kfree_skb(skb);
+		/* Clean up any pending request command */
+		if (hdev->req_skb) {
+			kfree_skb(hdev->req_skb);
+			hdev->req_skb = NULL;
+		}
 		return ERR_PTR(err);
 	}
 
-- 
2.34.1

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __hci_cmd_sync_sk

2025/11/19 19:30:48 executed programs: 47
2025/11/19 19:30:56 executed programs: 49
2025/11/19 19:31:03 executed programs: 51
2025/11/19 19:31:11 executed programs: 53
BUG: memory leak
unreferenced object 0xffff888111aec700 (size 240):
  comm "kworker/u9:1", pid 5135, jiffies 4294955520
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc d1edf5a3):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:255
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:337
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810a34a680 (size 704):
  comm "kworker/u9:1", pid 5135, jiffies 4294955520
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4e765d9f):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    kmalloc_reserve+0xe6/0x180 net/core/skbuff.c:579
    __alloc_skb+0xd4/0x240 net/core/skbuff.c:670
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:255
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:337
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit:         23cb64fb Merge tag 'soc-fixes-6.18-3' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13e81a12580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10d6f332580000

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[Edward Adam Davis]

#syz test

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 3418d7b964a1..62469dba9e63 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1466,7 +1466,7 @@ static void hci_cmd_timeout(struct work_struct *work)
 	if (hdev->req_skb) {
 		u16 opcode = hci_skb_opcode(hdev->req_skb);
 
-		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
+		bt_dev_err(hdev, "command 0x%4.4x skb: %p tx timeout", opcode, hdev->req_skb);
 
 		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
 	} else {
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..881da7b16257 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -133,6 +133,8 @@ static int hci_req_sync_run(struct hci_request *req)
 		return -ENODATA;
 
 	skb = skb_peek_tail(&req->cmd_q);
+	printk("status: %u, result: %u, skb: %p, %s\n",
+		hdev->req_status, hdev->req_result, hdev->req_rsp, __func__);
 	bt_cb(skb)->hci.req_complete_skb = hci_cmd_sync_complete;
 	bt_cb(skb)->hci.req_flags |= HCI_REQ_SKB;
 
@@ -203,6 +205,9 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	if (err < 0) {
 		kfree_skb(skb);
+		flush_work(&hdev->cmd_work);
+		skb_queue_purge(&hdev->cmd_q);
+
 		return ERR_PTR(err);
 	}
 

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __hci_cmd_sync_sk

BUG: memory leak
unreferenced object 0xffff888126f9ea00 (size 240):
  comm "kworker/u9:2", pid 5907, jiffies 4294947048
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 9de8d0c7):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x7d/0x2a0 net/bluetooth/hci_sync.c:170
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:255
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:337
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810c7b3180 (size 704):
  comm "kworker/u9:2", pid 5907, jiffies 4294947048
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4e765d9f):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    kmalloc_reserve+0xe6/0x180 net/core/skbuff.c:579
    __alloc_skb+0xd4/0x240 net/core/skbuff.c:670
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x7d/0x2a0 net/bluetooth/hci_sync.c:170
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:255
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:337
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit:         23cb64fb Merge tag 'soc-fixes-6.18-3' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14b71a12580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12202a12580000

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[Edward Adam Davis]

#syz test


diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 3418d7b964a1..62469dba9e63 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1466,7 +1466,7 @@ static void hci_cmd_timeout(struct work_struct *work)
 	if (hdev->req_skb) {
 		u16 opcode = hci_skb_opcode(hdev->req_skb);
 
-		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
+		bt_dev_err(hdev, "command 0x%4.4x skb: %p tx timeout", opcode, hdev->req_skb);
 
 		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
 	} else {
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..0a0ce2a9b822 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -133,6 +133,8 @@ static int hci_req_sync_run(struct hci_request *req)
 		return -ENODATA;
 
 	skb = skb_peek_tail(&req->cmd_q);
+	printk("status: %u, result: %u, skb: %p, %s\n",
+		hdev->req_status, hdev->req_result, skb, __func__);
 	bt_cb(skb)->hci.req_complete_skb = hci_cmd_sync_complete;
 	bt_cb(skb)->hci.req_flags |= HCI_REQ_SKB;
 
@@ -201,6 +203,8 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	bt_dev_dbg(hdev, "end: err %d", err);
 
+	printk("err: %d, status: %u, result: %u, skb: %p, %s\n",
+		err, hdev->req_status, hdev->req_result, skb, __func__);
 	if (err < 0) {
 		kfree_skb(skb);
 		return ERR_PTR(err);
@@ -209,8 +213,12 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 	/* If command return a status event skb will be set to NULL as there are
 	 * no parameters.
 	 */
-	if (!skb)
+	if (!skb) {
+		flush_work(&hdev->cmd_work);
+		skb_queue_purge(&hdev->cmd_q);
+
 		return ERR_PTR(-ENODATA);
+	}
 
 	return skb;
 }

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __hci_cmd_sync_sk

BUG: memory leak
unreferenced object 0xffff888126d95d00 (size 240):
  comm "kworker/u9:1", pid 5136, jiffies 4294947597
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc d70d2c13):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x7d/0x2a0 net/bluetooth/hci_sync.c:170
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:258
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:340
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810c145080 (size 704):
  comm "kworker/u9:1", pid 5136, jiffies 4294947597
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4e765d9f):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    kmalloc_reserve+0xe6/0x180 net/core/skbuff.c:579
    __alloc_skb+0xd4/0x240 net/core/skbuff.c:670
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x7d/0x2a0 net/bluetooth/hci_sync.c:170
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:258
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:340
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff8881095f8b00 (size 240):
  comm "kworker/u9:1", pid 5136, jiffies 4294948345
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 84342eda):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x7d/0x2a0 net/bluetooth/hci_sync.c:170
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:258
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:340
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit:         23cb64fb Merge tag 'soc-fixes-6.18-3' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14d4be0a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=16e8d658580000

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[Edward Adam Davis]

#syz test

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 3418d7b964a1..62469dba9e63 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1466,7 +1466,7 @@ static void hci_cmd_timeout(struct work_struct *work)
 	if (hdev->req_skb) {
 		u16 opcode = hci_skb_opcode(hdev->req_skb);
 
-		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
+		bt_dev_err(hdev, "command 0x%4.4x skb: %p tx timeout", opcode, hdev->req_skb);
 
 		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
 	} else {
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..3d9c94a46c62 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -133,6 +133,8 @@ static int hci_req_sync_run(struct hci_request *req)
 		return -ENODATA;
 
 	skb = skb_peek_tail(&req->cmd_q);
+	printk("status: %u, result: %u, skb: %p, %s\n",
+		hdev->req_status, hdev->req_result, skb, __func__);
 	bt_cb(skb)->hci.req_complete_skb = hci_cmd_sync_complete;
 	bt_cb(skb)->hci.req_flags |= HCI_REQ_SKB;
 
@@ -201,18 +203,30 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	bt_dev_dbg(hdev, "end: err %d", err);
 
+	printk("err: %d, status: %u, result: %u, skb: %p, %s\n",
+		err, hdev->req_status, hdev->req_result, skb, __func__);
 	if (err < 0) {
 		kfree_skb(skb);
-		return ERR_PTR(err);
+
+		goto out;
 	}
 
 	/* If command return a status event skb will be set to NULL as there are
 	 * no parameters.
 	 */
-	if (!skb)
-		return ERR_PTR(-ENODATA);
+	if (!skb) {
+		err = -ENODATA;
+		goto out;
+	}
 
 	return skb;
+
+out:
+	flush_work(&hdev->cmd_work);
+	skb_queue_purge(&hdev->cmd_q);
+
+	return ERR_PTR(err);
+
 }
 EXPORT_SYMBOL(__hci_cmd_sync_sk);
 

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __hci_cmd_sync_sk

BUG: memory leak
unreferenced object 0xffff88810c843f00 (size 240):
  comm "kworker/u9:1", pid 5136, jiffies 4294947634
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 9f24a45a):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x7d/0x2a0 net/bluetooth/hci_sync.c:170
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:264
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:346
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888109e3d8c0 (size 704):
  comm "kworker/u9:1", pid 5136, jiffies 4294947634
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4e765d9f):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    kmalloc_reserve+0xe6/0x180 net/core/skbuff.c:579
    __alloc_skb+0xd4/0x240 net/core/skbuff.c:670
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x7d/0x2a0 net/bluetooth/hci_sync.c:170
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:264
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:346
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit:         23cb64fb Merge tag 'soc-fixes-6.18-3' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=177f1a12580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14148c2a580000

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[Edward Adam Davis]

#syz test

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 3418d7b964a1..62469dba9e63 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1466,7 +1466,7 @@ static void hci_cmd_timeout(struct work_struct *work)
 	if (hdev->req_skb) {
 		u16 opcode = hci_skb_opcode(hdev->req_skb);
 
-		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
+		bt_dev_err(hdev, "command 0x%4.4x skb: %p tx timeout", opcode, hdev->req_skb);
 
 		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
 	} else {
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..cfa3e799a212 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -133,6 +133,8 @@ static int hci_req_sync_run(struct hci_request *req)
 		return -ENODATA;
 
 	skb = skb_peek_tail(&req->cmd_q);
+	printk("status: %u, result: %u, skb: %p, %s\n",
+		hdev->req_status, hdev->req_result, skb, __func__);
 	bt_cb(skb)->hci.req_complete_skb = hci_cmd_sync_complete;
 	bt_cb(skb)->hci.req_flags |= HCI_REQ_SKB;
 
@@ -160,6 +162,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 	struct hci_request req;
 	struct sk_buff *skb;
 	int err = 0;
+	unsigned long flags;
 
 	bt_dev_dbg(hdev, "Opcode 0x%4.4x", opcode);
 
@@ -201,18 +204,33 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	bt_dev_dbg(hdev, "end: err %d", err);
 
+	printk("err: %d, status: %u, result: %u, skb: %p, %s\n",
+		err, hdev->req_status, hdev->req_result, skb, __func__);
 	if (err < 0) {
 		kfree_skb(skb);
-		return ERR_PTR(err);
+
+		goto out;
 	}
 
 	/* If command return a status event skb will be set to NULL as there are
 	 * no parameters.
 	 */
-	if (!skb)
-		return ERR_PTR(-ENODATA);
+	if (!skb) {
+		err = -ENODATA;
+		goto out;
+	}
 
 	return skb;
+
+out:
+	spin_lock_irqsave(&hdev->cmd_q.lock, flags);
+	skb = __skb_dequeue_tail(&hdev->cmd_q);
+	spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
+	printk("remove skb: %p, %s\n", skb, __func__);
+	kfree_skb(skb);
+
+	return ERR_PTR(err);
+
 }
 EXPORT_SYMBOL(__hci_cmd_sync_sk);
 

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __hci_cmd_sync_sk

BUG: memory leak
unreferenced object 0xffff88811034aa00 (size 240):
  comm "kworker/u9:0", pid 50, jiffies 4294947386
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 56103f7b):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x7d/0x2a0 net/bluetooth/hci_sync.c:171
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:268
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:350
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810905e680 (size 704):
  comm "kworker/u9:0", pid 50, jiffies 4294947386
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4e765d9f):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    kmalloc_reserve+0xe6/0x180 net/core/skbuff.c:579
    __alloc_skb+0xd4/0x240 net/core/skbuff.c:670
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x7d/0x2a0 net/bluetooth/hci_sync.c:171
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:268
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:350
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit:         fd95357f Merge tag 'sched_ext-for-6.18-rc6-fixes-2' of..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=141c7a12580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=177c4484580000

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[Edward Adam Davis]

#syz test

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 3418d7b964a1..62469dba9e63 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1466,7 +1466,7 @@ static void hci_cmd_timeout(struct work_struct *work)
 	if (hdev->req_skb) {
 		u16 opcode = hci_skb_opcode(hdev->req_skb);
 
-		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
+		bt_dev_err(hdev, "command 0x%4.4x skb: %p tx timeout", opcode, hdev->req_skb);
 
 		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
 	} else {
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..cfcc8bde77e2 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -133,6 +133,8 @@ static int hci_req_sync_run(struct hci_request *req)
 		return -ENODATA;
 
 	skb = skb_peek_tail(&req->cmd_q);
+	printk("status: %u, result: %u, skb: %p, %s\n",
+		hdev->req_status, hdev->req_result, skb, __func__);
 	bt_cb(skb)->hci.req_complete_skb = hci_cmd_sync_complete;
 	bt_cb(skb)->hci.req_flags |= HCI_REQ_SKB;
 
@@ -158,8 +160,9 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 				  struct sock *sk)
 {
 	struct hci_request req;
-	struct sk_buff *skb;
+	struct sk_buff *skb, *skb_tail;
 	int err = 0;
+	unsigned long flags;
 
 	bt_dev_dbg(hdev, "Opcode 0x%4.4x", opcode);
 
@@ -169,6 +172,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	hdev->req_status = HCI_REQ_PEND;
 
+	skb_tail = skb_peek_tail(&req.cmd_q);
 	err = hci_req_sync_run(&req);
 	if (err < 0)
 		return ERR_PTR(err);
@@ -201,18 +205,35 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	bt_dev_dbg(hdev, "end: err %d", err);
 
+	printk("err: %d, status: %u, result: %u, skb: %p, %s\n",
+		err, hdev->req_status, hdev->req_result, skb, __func__);
 	if (err < 0) {
 		kfree_skb(skb);
-		return ERR_PTR(err);
+		goto out;
 	}
 
 	/* If command return a status event skb will be set to NULL as there are
 	 * no parameters.
 	 */
-	if (!skb)
-		return ERR_PTR(-ENODATA);
+	if (!skb) {
+		err = -ENODATA;
+		goto out;
+	}
 
 	return skb;
+
+out:
+	if (!skb_queue_empty(&hdev->cmd_q)) {
+		spin_lock_irqsave(&hdev->cmd_q.lock, flags);
+		skb = __skb_dequeue_tail(&req.cmd_q);
+		spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
+	} else
+		skb = skb_tail;
+
+	printk("remove skb: %p, %s\n", skb,  __func__);
+	kfree_skb(skb);
+
+	return ERR_PTR(err);
 }
 EXPORT_SYMBOL(__hci_cmd_sync_sk);
 

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

 T963] bridge0: port 1(bridge_slave_0) entered blocking state
[   54.863787][  T963] bridge0: port 1(bridge_slave_0) entered forwarding state
[   54.879703][ T5857] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[   54.890172][ T5857] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   54.902050][  T963] bridge0: port 2(bridge_slave_1) entered blocking state
[   54.909213][  T963] bridge0: port 2(bridge_slave_1) entered forwarding state
[   54.946146][ T5857] 8021q: adding VLAN 0 to HW filter on device batadv0
[   54.961658][ T5857] veth0_vlan: entered promiscuous mode
[   54.969001][ T5857] veth1_vlan: entered promiscuous mode
[   54.980257][ T5857] veth0_macvtap: entered promiscuous mode
[   54.987071][ T5857] veth1_macvtap: entered promiscuous mode
[   54.996621][ T5857] batman_adv: batadv0: Interface activated: batadv_slave_0
[   55.005891][ T5857] batman_adv: batadv0: Interface activated: batadv_slave_1
[   55.014967][   T58] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[   55.023937][   T58] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[   55.033652][  T963] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[   55.042495][  T963] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[   55.073892][  T963] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[   55.079530][ T5133] status: 1, result: 0, skb: ffff8881096d8d00, hci_req_sync_run
[   55.092713][ T5881] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   55.099745][ T5133] err: 0, status: 0, result: 0, skb: ffff8881096d8400, __hci_cmd_sync_sk
[   55.108270][ T5133] status: 1, result: 0, skb: ffff8881096d8400, hci_req_sync_run
[   55.116623][ T5881] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   55.123986][ T5133] err: 0, status: 0, result: 0, skb: ffff88810b665b00, __hci_cmd_sync_sk
[   55.132666][ T5133] status: 1, result: 0, skb: ffff8881096d8400, hci_req_sync_run
[   55.140570][ T5881] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   55.147706][ T5133] err: 0, status: 0, result: 0, skb: ffff8881096d8c00, __hci_cmd_sync_sk
[   55.148040][  T963] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[   55.156450][ T5133] status: 1, result: 0, skb: ffff88810b665600, hci_req_sync_run
[   55.174919][ T5133] err: 0, status: 0, result: 0, skb: ffff8881096d8300, __hci_cmd_sync_sk
[   55.183427][ T5133] status: 1, result: 0, skb: ffff88810b665f00, hci_req_sync_run
[   55.191574][ T5133] err: 0, status: 0, result: 0, skb: ffff8881096d8600, __hci_cmd_sync_sk
[   55.200321][ T5133] status: 1, result: 0, skb: ffff8881096d8600, hci_req_sync_run
[   55.208489][ T5881] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   55.215495][ T5133] err: 0, status: 0, result: 0, skb: ffff8881096d8c00, __hci_cmd_sync_sk
[   55.224042][ T5133] status: 1, result: 0, skb: ffff8881096d8c00, hci_req_sync_run
[   55.224309][  T963] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[   55.242574][ T5133] err: 0, status: 0, result: 0, skb: ffff88810b665b00, __hci_cmd_sync_sk
[   55.251372][ T5133] status: 1, result: 0, skb: ffff88810b665b00, hci_req_sync_run
[   55.259297][ T5881] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   55.266291][ T5133] err: 0, status: 0, result: 0, skb: ffff88810b665600, __hci_cmd_sync_sk
[   55.274851][ T5133] status: 1, result: 0, skb: ffff8881096d8900, hci_req_sync_run
[   55.282869][ T5133] err: 0, status: 0, result: 0, skb: ffff88810b665800, __hci_cmd_sync_sk
[   55.291445][ T5133] status: 1, result: 0, skb: ffff8881096d8400, hci_req_sync_run
[   55.299616][ T5133] err: 0, status: 0, result: 0, skb: ffff88810b665e00, __hci_cmd_sync_sk
[   55.308388][ T5879] status: 1, result: 0, skb: ffff88810b665e00, hci_req_sync_run
[   55.308680][  T963] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[   55.316426][ T5879] err: 0, status: 0, result: 0, skb: ffff88810b665c00, __hci_cmd_sync_sk
[   55.471749][   T31] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   55.482577][   T31] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   55.492949][   T31] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   55.500995][   T31] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
2025/11/21 02:13:12 executed programs: 0
[   58.484071][  T963] bridge_slave_1: left allmulticast mode
[   58.490260][  T963] bridge_slave_1: left promiscuous mode
[   58.495913][  T963] bridge0: port 2(bridge_slave_1) entered disabled state
[   58.503645][  T963] bridge_slave_0: left allmulticast mode
[   58.509735][  T963] bridge_slave_0: left promiscuous mode
[   58.515477][  T963] bridge0: port 1(bridge_slave_0) entered disabled state
[   58.570565][  T963] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[   58.580440][  T963] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[   58.589654][  T963] bond0 (unregistering): Released all slaves
[   58.679635][  T963] hsr_slave_0: left promiscuous mode
[   58.685086][  T963] hsr_slave_1: left promiscuous mode
[   58.690722][  T963] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[   58.698155][  T963] batman_adv: batadv0: Removing interface: batadv_slave_0
[   58.705568][  T963] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[   58.713414][  T963] batman_adv: batadv0: Removing interface: batadv_slave_1
[   58.722265][  T963] veth1_macvtap: left promiscuous mode
[   58.727853][  T963] veth0_macvtap: left promiscuous mode
[   58.733590][  T963] veth1_vlan: left promiscuous mode
[   58.738984][  T963] veth0_vlan: left promiscuous mode
[   58.766479][  T963] team0 (unregistering): Port device team_slave_1 removed
[   58.775081][  T963] team0 (unregistering): Port device team_slave_0 removed
[   61.612519][ T5881] status: 1, result: 0, skb: ffff88810b665300, hci_req_sync_run
[   61.620398][ T5133] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   61.627387][ T5881] err: 0, status: 0, result: 0, skb: ffff88810c2cc400, __hci_cmd_sync_sk
[   61.635853][ T5881] status: 1, result: 0, skb: ffff88810b665100, hci_req_sync_run
[   61.643705][ T5133] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   61.650762][ T5881] err: 0, status: 0, result: 0, skb: ffff88810c2cc400, __hci_cmd_sync_sk
[   61.659428][ T5881] status: 1, result: 0, skb: ffff88810b665000, hci_req_sync_run
[   61.667360][ T5133] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   61.674379][ T5881] err: 0, status: 0, result: 0, skb: ffff88810c2cc600, __hci_cmd_sync_sk
[   61.682854][ T5881] status: 1, result: 0, skb: ffff88810b665900, hci_req_sync_run
[   61.690701][ T5881] err: 0, status: 0, result: 0, skb: ffff88810b665000, __hci_cmd_sync_sk
[   61.699176][ T5881] status: 1, result: 0, skb: ffff88810c2cc300, hci_req_sync_run
[   61.707050][ T5881] err: 0, status: 0, result: 0, skb: ffff88810b665100, __hci_cmd_sync_sk
[   61.715684][ T5881] status: 1, result: 0, skb: ffff88810c2ccf00, hci_req_sync_run
[   61.723809][ T5133] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   61.730976][ T5881] err: 0, status: 0, result: 0, skb: ffff88810b665700, __hci_cmd_sync_sk
[   61.739518][ T5881] status: 1, result: 0, skb: ffff88810b665700, hci_req_sync_run
[   61.747387][ T5881] err: 0, status: 0, result: 0, skb: ffff88810b665c00, __hci_cmd_sync_sk
[   61.756040][ T5881] status: 1, result: 0, skb: ffff88810b665c00, hci_req_sync_run
[   61.763760][ T5133] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   61.770775][ T5881] err: 0, status: 0, result: 0, skb: ffff88810b665300, __hci_cmd_sync_sk
[   61.779318][ T5881] status: 1, result: 0, skb: ffff88810c2cc500, hci_req_sync_run
[   61.787324][ T5881] err: 0, status: 0, result: 0, skb: ffff88810b665500, __hci_cmd_sync_sk
[   61.795790][ T5881] status: 1, result: 0, skb: ffff88810b665500, hci_req_sync_run
[   61.803688][ T5881] err: 0, status: 0, result: 0, skb: ffff88810b665700, __hci_cmd_sync_sk
[   61.812416][ T5984] status: 1, result: 0, skb: ffff88810c2cca00, hci_req_sync_run
[   61.820325][ T5984] err: 0, status: 0, result: 0, skb: ffff88810b665c00, __hci_cmd_sync_sk
[   61.859290][ T5984] chnl_net:caif_netlink_parms(): no params data found
[   61.878670][ T5984] bridge0: port 1(bridge_slave_0) entered blocking state
[   61.885774][ T5984] bridge0: port 1(bridge_slave_0) entered disabled state
[   61.892945][ T5984] bridge_slave_0: entered allmulticast mode
[   61.899197][ T5984] bridge_slave_0: entered promiscuous mode
[   61.905544][ T5984] bridge0: port 2(bridge_slave_1) entered blocking state
[   61.912766][ T5984] bridge0: port 2(bridge_slave_1) entered disabled state
[   61.919996][ T5984] bridge_slave_1: entered allmulticast mode
[   61.926246][ T5984] bridge_slave_1: entered promiscuous mode
[   61.937375][ T5984] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   61.947329][ T5984] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   61.960948][ T5984] team0: Port device team_slave_0 added
[   61.967027][ T5984] team0: Port device team_slave_1 added
[   61.976764][ T5984] batman_adv: batadv0: Adding interface: batadv_slave_0
[   61.983799][ T5984] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[   62.009932][ T5984] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   62.021051][ T5984] batman_adv: batadv0: Adding interface: batadv_slave_1
[   62.028128][ T5984] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[   62.054130][ T5984] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   62.071263][ T5984] hsr_slave_0: entered promiscuous mode
[   62.077016][ T5984] hsr_slave_1: entered promiscuous mode
[   62.271932][ T5984] netdevsim netdevsim0 netdevsim0: renamed from eth0
[   62.280361][ T5984] netdevsim netdevsim0 netdevsim1: renamed from eth1
[   62.288477][ T5984] netdevsim netdevsim0 netdevsim2: renamed from eth2
[   62.296339][ T5984] netdevsim netdevsim0 netdevsim3: renamed from eth3
[   62.311184][ T5984] bridge0: port 2(bridge_slave_1) entered blocking state
[   62.318287][ T5984] bridge0: port 2(bridge_slave_1) entered forwarding state
[   62.325560][ T5984] bridge0: port 1(bridge_slave_0) entered blocking state
[   62.332651][ T5984] bridge0: port 1(bridge_slave_0) entered forwarding state
[   62.355503][ T5984] 8021q: adding VLAN 0 to HW filter on device bond0
[   62.366090][   T31] bridge0: port 1(bridge_slave_0) entered disabled state
[   62.374243][   T31] bridge0: port 2(bridge_slave_1) entered disabled state
[   62.384604][ T5984] 8021q: adding VLAN 0 to HW filter on device team0
[   62.393780][   T31] bridge0: port 1(bridge_slave_0) entered blocking state
[   62.400982][   T31] bridge0: port 1(bridge_slave_0) entered forwarding state
[   62.418689][   T31] bridge0: port 2(bridge_slave_1) entered blocking state
[   62.425883][   T31] bridge0: port 2(bridge_slave_1) entered forwarding state
[   62.480242][ T5984] 8021q: adding VLAN 0 to HW filter on device batadv0
[   62.500226][ T5984] veth0_vlan: entered promiscuous mode
[   62.508283][ T5984] veth1_vlan: entered promiscuous mode
[   62.522303][ T5984] veth0_macvtap: entered promiscuous mode
[   62.529936][ T5984] veth1_macvtap: entered promiscuous mode
[   62.540982][ T5984] batman_adv: batadv0: Interface activated: batadv_slave_0
[   62.551573][ T5984] batman_adv: batadv0: Interface activated: batadv_slave_1
[   62.561530][   T58] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[   62.570414][   T58] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[   62.579387][   T58] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[   62.588536][  T963] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[   62.615632][   T58] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[   62.628006][   T58] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   62.640413][  T963] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   62.649321][  T963] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50


syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3389552490=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at 07e030dea
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=07e030dea6e6d9ca88b75bb3be2810f47083b328 -X github.com/google/syzkaller/prog.gitRevisionDate=20251112-115923"  ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=07e030dea6e6d9ca88b75bb3be2810f47083b328 -X github.com/google/syzkaller/prog.gitRevisionDate=20251112-115923"  ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=07e030dea6e6d9ca88b75bb3be2810f47083b328 -X github.com/google/syzkaller/prog.gitRevisionDate=20251112-115923"  -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"07e030dea6e6d9ca88b75bb3be2810f47083b328\"
/usr/bin/ld: /tmp/ccx4Jar1.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=10758c2a580000


Tested on:

commit:         fd95357f Merge tag 'sched_ext-for-6.18-rc6-fixes-2' of..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1623f692580000

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[Edward Adam Davis]

#syz test

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 3418d7b964a1..62469dba9e63 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1466,7 +1466,7 @@ static void hci_cmd_timeout(struct work_struct *work)
 	if (hdev->req_skb) {
 		u16 opcode = hci_skb_opcode(hdev->req_skb);
 
-		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
+		bt_dev_err(hdev, "command 0x%4.4x skb: %p tx timeout", opcode, hdev->req_skb);
 
 		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
 	} else {
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..7fc79b7ee4b9 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -133,6 +133,8 @@ static int hci_req_sync_run(struct hci_request *req)
 		return -ENODATA;
 
 	skb = skb_peek_tail(&req->cmd_q);
+	printk("status: %u, result: %u, skb: %p, %s\n",
+		hdev->req_status, hdev->req_result, skb, __func__);
 	bt_cb(skb)->hci.req_complete_skb = hci_cmd_sync_complete;
 	bt_cb(skb)->hci.req_flags |= HCI_REQ_SKB;
 
@@ -158,8 +160,9 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 				  struct sock *sk)
 {
 	struct hci_request req;
-	struct sk_buff *skb;
+	struct sk_buff *skb, *skb_tail;
 	int err = 0;
+	unsigned long flags;
 
 	bt_dev_dbg(hdev, "Opcode 0x%4.4x", opcode);
 
@@ -169,6 +172,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	hdev->req_status = HCI_REQ_PEND;
 
+	skb_tail = skb_peek_tail(&req.cmd_q);
 	err = hci_req_sync_run(&req);
 	if (err < 0)
 		return ERR_PTR(err);
@@ -201,18 +205,35 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	bt_dev_dbg(hdev, "end: err %d", err);
 
+	printk("err: %d, status: %u, result: %u, skb: %p, %s\n",
+		err, hdev->req_status, hdev->req_result, skb, __func__);
 	if (err < 0) {
 		kfree_skb(skb);
-		return ERR_PTR(err);
+		goto out;
 	}
 
 	/* If command return a status event skb will be set to NULL as there are
 	 * no parameters.
 	 */
-	if (!skb)
-		return ERR_PTR(-ENODATA);
+	if (!skb) {
+		err = -ENODATA;
+		goto out;
+	}
 
 	return skb;
+
+out:
+	if (!skb_queue_empty(&hdev->cmd_q)) {
+		spin_lock_irqsave(&hdev->cmd_q.lock, flags);
+		skb = __skb_dequeue_tail(&hdev->cmd_q);
+		spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
+	} else
+		skb = skb_tail;
+
+	printk("remove skb: %p, %s\n", skb,  __func__);
+	kfree_skb(skb);
+
+	return ERR_PTR(err);
 }
 EXPORT_SYMBOL(__hci_cmd_sync_sk);
 

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+f098d64cc684b8dbaf65@syzkaller.appspotmail.com
Tested-by: syzbot+f098d64cc684b8dbaf65@syzkaller.appspotmail.com

Tested on:

commit:         fd95357f Merge tag 'sched_ext-for-6.18-rc6-fixes-2' of..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1425d658580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1485be0a580000

Note: testing is done by a robot and is best-effort only.

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[Edward Adam Davis]

#syz test

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 3418d7b964a1..34887a154700 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1466,7 +1466,7 @@ static void hci_cmd_timeout(struct work_struct *work)
 	if (hdev->req_skb) {
 		u16 opcode = hci_skb_opcode(hdev->req_skb);
 
-		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
+		bt_dev_err(hdev, "command 0x%4.4x skb: %p tx timeout hdev: %p", opcode, hdev->req_skb, hdev);
 
 		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
 	} else {
@@ -4162,7 +4162,11 @@ static void hci_cmd_work(struct work_struct *work)
 
 	/* Send queued commands */
 	if (atomic_read(&hdev->cmd_cnt)) {
+		unsigned long flags;
+
+		spin_lock_irqsave(&hdev->cmd_q.lock, flags);
 		skb = skb_dequeue(&hdev->cmd_q);
+		spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
 		if (!skb)
 			return;
 
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..c16ab9089b5b 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -133,6 +133,8 @@ static int hci_req_sync_run(struct hci_request *req)
 		return -ENODATA;
 
 	skb = skb_peek_tail(&req->cmd_q);
+	printk("status: %u, result: %u, skb: %p, %s\n",
+		hdev->req_status, hdev->req_result, skb, __func__);
 	bt_cb(skb)->hci.req_complete_skb = hci_cmd_sync_complete;
 	bt_cb(skb)->hci.req_flags |= HCI_REQ_SKB;
 
@@ -158,8 +160,9 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 				  struct sock *sk)
 {
 	struct hci_request req;
-	struct sk_buff *skb;
+	struct sk_buff *skb, *skb_tail;
 	int err = 0;
+	unsigned long flags;
 
 	bt_dev_dbg(hdev, "Opcode 0x%4.4x", opcode);
 
@@ -169,6 +172,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	hdev->req_status = HCI_REQ_PEND;
 
+	skb_tail = skb_peek_tail(&req.cmd_q);
 	err = hci_req_sync_run(&req);
 	if (err < 0)
 		return ERR_PTR(err);
@@ -201,18 +205,36 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	bt_dev_dbg(hdev, "end: err %d", err);
 
+	printk("err: %d, status: %u, result: %u, skb: %p, hdev: %p, %s\n",
+		err, hdev->req_status, hdev->req_result, skb, hdev, __func__);
 	if (err < 0) {
 		kfree_skb(skb);
-		return ERR_PTR(err);
+		goto out;
 	}
 
 	/* If command return a status event skb will be set to NULL as there are
 	 * no parameters.
 	 */
-	if (!skb)
-		return ERR_PTR(-ENODATA);
+	if (!skb) {
+		err = -ENODATA;
+		goto out;
+	}
 
 	return skb;
+
+out:
+	if (!skb_queue_empty(&hdev->cmd_q)) {
+		spin_lock_irqsave(&hdev->cmd_q.lock, flags);
+		skb = __skb_dequeue_tail(&hdev->cmd_q);
+		spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
+		skb_tail = NULL;
+	} else
+		skb = skb_tail;
+
+	printk("remove skb: %p, tskb: %p, hdev: %p, %s\n", skb, skb_tail, hdev, __func__);
+	kfree_skb(skb);
+
+	return ERR_PTR(err);
 }
 EXPORT_SYMBOL(__hci_cmd_sync_sk);
 

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

no output from test machine



Warning: Permanently added '10.128.0.161' (ED25519) to the list of known hosts.
2025/11/21 08:02:08 parsed 1 programs
[   45.306274][ T5813] cgroup: Unknown subsys name 'net'
[   45.467142][ T5813] cgroup: Unknown subsys name 'cpuset'
[   45.473545][ T5813] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   53.932725][ T5813] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   55.379423][ T5825] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[   55.449909][ T5134] status: 1, result: 0, skb: ffff88810c4f6a00, hci_req_sync_run
[   57.505885][ T5134] err: -110, status: 0, result: 0, skb: 0000000000000000, hdev: ffff88810dac6000, __hci_cmd_sync_sk


syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3711822464=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at 07e030dea
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=07e030dea6e6d9ca88b75bb3be2810f47083b328 -X github.com/google/syzkaller/prog.gitRevisionDate=20251112-115923"  ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=07e030dea6e6d9ca88b75bb3be2810f47083b328 -X github.com/google/syzkaller/prog.gitRevisionDate=20251112-115923"  ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=07e030dea6e6d9ca88b75bb3be2810f47083b328 -X github.com/google/syzkaller/prog.gitRevisionDate=20251112-115923"  -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"07e030dea6e6d9ca88b75bb3be2810f47083b328\"
/usr/bin/ld: /tmp/ccYeCkBk.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null



Tested on:

commit:         fd95357f Merge tag 'sched_ext-for-6.18-rc6-fixes-2' of..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17b3d658580000

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[Edward Adam Davis]

#syz test

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 3418d7b964a1..34887a154700 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1466,7 +1466,7 @@ static void hci_cmd_timeout(struct work_struct *work)
 	if (hdev->req_skb) {
 		u16 opcode = hci_skb_opcode(hdev->req_skb);
 
-		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
+		bt_dev_err(hdev, "command 0x%4.4x skb: %p tx timeout hdev: %p", opcode, hdev->req_skb, hdev);
 
 		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
 	} else {
@@ -4162,7 +4162,11 @@ static void hci_cmd_work(struct work_struct *work)
 
 	/* Send queued commands */
 	if (atomic_read(&hdev->cmd_cnt)) {
+		unsigned long flags;
+
+		spin_lock_irqsave(&hdev->cmd_q.lock, flags);
 		skb = skb_dequeue(&hdev->cmd_q);
+		spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
 		if (!skb)
 			return;
 
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..c16ab9089b5b 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -133,6 +133,8 @@ static int hci_req_sync_run(struct hci_request *req)
 		return -ENODATA;
 
 	skb = skb_peek_tail(&req->cmd_q);
+	printk("status: %u, result: %u, skb: %p, %s\n",
+		hdev->req_status, hdev->req_result, skb, __func__);
 	bt_cb(skb)->hci.req_complete_skb = hci_cmd_sync_complete;
 	bt_cb(skb)->hci.req_flags |= HCI_REQ_SKB;
 
@@ -158,8 +160,9 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 				  struct sock *sk)
 {
 	struct hci_request req;
-	struct sk_buff *skb;
+	struct sk_buff *skb, *skb_tail;
 	int err = 0;
+	unsigned long flags;
 
 	bt_dev_dbg(hdev, "Opcode 0x%4.4x", opcode);
 
@@ -169,6 +172,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	hdev->req_status = HCI_REQ_PEND;
 
+	skb_tail = skb_peek_tail(&req.cmd_q);
 	err = hci_req_sync_run(&req);
 	if (err < 0)
 		return ERR_PTR(err);
@@ -201,18 +205,36 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	bt_dev_dbg(hdev, "end: err %d", err);
 
+	printk("err: %d, status: %u, result: %u, skb: %p, hdev: %p, %s\n",
+		err, hdev->req_status, hdev->req_result, skb, hdev, __func__);
 	if (err < 0) {
 		kfree_skb(skb);
-		return ERR_PTR(err);
+		goto out;
 	}
 
 	/* If command return a status event skb will be set to NULL as there are
 	 * no parameters.
 	 */
-	if (!skb)
-		return ERR_PTR(-ENODATA);
+	if (!skb) {
+		err = -ENODATA;
+		goto out;
+	}
 
 	return skb;
+
+out:
+	if (!skb_queue_empty(&hdev->cmd_q)) {
+		spin_lock_irqsave(&hdev->cmd_q.lock, flags);
+		skb = __skb_dequeue_tail(&hdev->cmd_q);
+		spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
+		skb_tail = NULL;
+	} else
+		skb = skb_tail;
+
+	printk("remove skb: %p, tskb: %p, hdev: %p, %s\n", skb, skb_tail, hdev, __func__);
+	kfree_skb(skb);
+
+	return ERR_PTR(err);
 }
 EXPORT_SYMBOL(__hci_cmd_sync_sk);
 

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

no output from test machine



Warning: Permanently added '10.128.1.191' (ED25519) to the list of known hosts.
2025/11/21 14:30:15 parsed 1 programs
[   43.487666][ T5813] cgroup: Unknown subsys name 'net'
[   43.613650][ T5813] cgroup: Unknown subsys name 'cpuset'
[   43.619980][ T5813] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   51.571131][ T5813] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   52.853944][ T5833] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[   52.930032][ T5135] status: 1, result: 0, skb: ffff88810139c900, hci_req_sync_run
[   55.032580][ T5135] err: -110, status: 0, result: 0, skb: 0000000000000000, hdev: ffff888111b34000, __hci_cmd_sync_sk


syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1251597850=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at 07e030dea
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=07e030dea6e6d9ca88b75bb3be2810f47083b328 -X github.com/google/syzkaller/prog.gitRevisionDate=20251112-115923"  ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=07e030dea6e6d9ca88b75bb3be2810f47083b328 -X github.com/google/syzkaller/prog.gitRevisionDate=20251112-115923"  ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=07e030dea6e6d9ca88b75bb3be2810f47083b328 -X github.com/google/syzkaller/prog.gitRevisionDate=20251112-115923"  -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"07e030dea6e6d9ca88b75bb3be2810f47083b328\"
/usr/bin/ld: /tmp/ccwV2Y1O.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null



Tested on:

commit:         fd95357f Merge tag 'sched_ext-for-6.18-rc6-fixes-2' of..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=108fd658580000

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[Edward Adam Davis]

#syz test

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 3418d7b964a1..187dda1e5950 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1466,7 +1466,7 @@ static void hci_cmd_timeout(struct work_struct *work)
 	if (hdev->req_skb) {
 		u16 opcode = hci_skb_opcode(hdev->req_skb);
 
-		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
+		bt_dev_err(hdev, "command 0x%4.4x skb: %p tx timeout hdev: %p", opcode, hdev->req_skb, hdev);
 
 		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
 	} else {
@@ -4138,6 +4138,7 @@ static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
 
 	if (hci_skb_opcode(skb) != HCI_OP_NOP) {
 		err = hci_send_frame(hdev, skb);
+		printk("err: %d, skb: %p, %s\n", err, skb, __func__);
 		if (err < 0) {
 			hci_cmd_sync_cancel_sync(hdev, -err);
 			return;
@@ -4163,6 +4164,7 @@ static void hci_cmd_work(struct work_struct *work)
 	/* Send queued commands */
 	if (atomic_read(&hdev->cmd_cnt)) {
 		skb = skb_dequeue(&hdev->cmd_q);
+		printk("dequeue skb:%p, hdev: %p, %s\n", skb, hdev, __func__);
 		if (!skb)
 			return;
 
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..4bf39cd402be 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -158,8 +158,9 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 				  struct sock *sk)
 {
 	struct hci_request req;
-	struct sk_buff *skb;
+	struct sk_buff *skb, *new_skb;
 	int err = 0;
+	unsigned long flags;
 
 	bt_dev_dbg(hdev, "Opcode 0x%4.4x", opcode);
 
@@ -169,6 +170,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	hdev->req_status = HCI_REQ_PEND;
 
+	new_skb = skb_peek_tail(&req.cmd_q);
 	err = hci_req_sync_run(&req);
 	if (err < 0)
 		return ERR_PTR(err);
@@ -203,16 +205,33 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	if (err < 0) {
 		kfree_skb(skb);
-		return ERR_PTR(err);
+		goto out;
 	}
 
 	/* If command return a status event skb will be set to NULL as there are
 	 * no parameters.
 	 */
-	if (!skb)
-		return ERR_PTR(-ENODATA);
+	if (!skb) {
+		err = -ENODATA;
+		goto out;
+	}
 
 	return skb;
+
+out:
+	if (!skb_queue_empty(&hdev->cmd_q)) {
+		spin_lock_irqsave(&hdev->cmd_q.lock, flags);
+		skb = __skb_dequeue_tail(&hdev->cmd_q);
+		spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
+	} else {
+		printk("!!!!!!!!! skb: %p, nskb: %p, %s\n", skb, new_skb, __func__);
+		skb = new_skb;
+	}
+
+	printk(">>>>> remove skb: %p, tskb: %p, hdev: %p, %s\n", skb, new_skb, hdev, __func__);
+	kfree_skb(skb);
+
+	return ERR_PTR(err);
 }
 EXPORT_SYMBOL(__hci_cmd_sync_sk);
 

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+f098d64cc684b8dbaf65@syzkaller.appspotmail.com
Tested-by: syzbot+f098d64cc684b8dbaf65@syzkaller.appspotmail.com

Tested on:

commit:         2eba5e05 Merge tag 'loongarch-fixes-6.18-2' of git://g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=150bd97c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=145faa12580000

Note: testing is done by a robot and is best-effort only.

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[Edward Adam Davis]

#syz test

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __hci_cmd_sync_sk

BUG: memory leak
unreferenced object 0xffff8881226e0100 (size 240):
  comm "kworker/u9:1", pid 5136, jiffies 4294947304
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc f9cb4e51):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:250
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:332
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810d21f440 (size 704):
  comm "kworker/u9:1", pid 5136, jiffies 4294947304
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4e765d9f):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    kmalloc_reserve+0xe6/0x180 net/core/skbuff.c:579
    __alloc_skb+0xd4/0x240 net/core/skbuff.c:670
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:250
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:332
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit:         2eba5e05 Merge tag 'loongarch-fixes-6.18-2' of git://g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14080612580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[Edward Adam Davis]

#syz test

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..4db9360732c5 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -172,7 +172,9 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 	err = hci_req_sync_run(&req);
 	if (err < 0)
 		return ERR_PTR(err);
+	skb = skb_peek_tail(&req.cmd_q);
 
+retry:
 	err = wait_event_interruptible_timeout(hdev->req_wait_q,
 					       hdev->req_status != HCI_REQ_PEND,
 					       timeout);
@@ -186,6 +188,11 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 		break;
 
 	case HCI_REQ_CANCELED:
+		if (hdev->req_skb != skb) {
+			atomic_set(&hdev->cmd_cnt, 1);
+			queue_work(hdev->workqueue, &hdev->cmd_work);
+			goto retry;
+		}
 		err = -hdev->req_result;
 		break;
 
diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index 2fef08254d78..2e12615f539e 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -75,6 +75,10 @@ static int vhci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
 {
 	struct vhci_data *data = hci_get_drvdata(hdev);
 
+	printk("skb: %p refcnt: %u,  data inited: %d, %s\n",
+		skb, refcount_read(&skb->users),
+		atomic_read(&data->initialized),
+		__func__);
 	memcpy(skb_push(skb, 1), &hci_skb_pkt_type(skb), 1);
 
 	skb_queue_tail(&data->readq, skb);
@@ -587,6 +591,8 @@ static ssize_t vhci_read(struct file *file,
 		skb = skb_dequeue(&data->readq);
 		if (skb) {
 			ret = vhci_put_user(data, skb, buf, count);
+			printk("skb: %p refcnt: %u len: %u, data: %p, ret: %ld, count: %lu, %s\n",
+				skb, refcount_read(&skb->users), skb->len, skb->data, ret, count, __func__);
 			if (ret < 0)
 				skb_queue_head(&data->readq, skb);
 			else

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+f098d64cc684b8dbaf65@syzkaller.appspotmail.com
Tested-by: syzbot+f098d64cc684b8dbaf65@syzkaller.appspotmail.com

Tested on:

commit:         d13f3ac6 Merge tag 'mips-fixes_6.18_1' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=168cd8b4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11a6b97c580000

Note: testing is done by a robot and is best-effort only.

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[Edward Adam Davis]

#syz test

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..f3898f8b007e 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -173,6 +173,8 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 	if (err < 0)
 		return ERR_PTR(err);
 
+	skb = skb_peek_tail(&req.cmd_q);
+retry:
 	err = wait_event_interruptible_timeout(hdev->req_wait_q,
 					       hdev->req_status != HCI_REQ_PEND,
 					       timeout);
@@ -186,6 +188,11 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 		break;
 
 	case HCI_REQ_CANCELED:
+		if (!skb_queue_empty(&hdev->cmd_q) && hdev->req_skb != skb) {
+			atomic_set(&hdev->cmd_cnt, 1);
+			queue_work(hdev->workqueue, &hdev->cmd_work);
+			goto retry;
+		}
 		err = -hdev->req_result;
 		break;
 
diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index 2fef08254d78..2e12615f539e 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -75,6 +75,10 @@ static int vhci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
 {
 	struct vhci_data *data = hci_get_drvdata(hdev);
 
+	printk("skb: %p refcnt: %u,  data inited: %d, %s\n",
+		skb, refcount_read(&skb->users),
+		atomic_read(&data->initialized),
+		__func__);
 	memcpy(skb_push(skb, 1), &hci_skb_pkt_type(skb), 1);
 
 	skb_queue_tail(&data->readq, skb);
@@ -587,6 +591,8 @@ static ssize_t vhci_read(struct file *file,
 		skb = skb_dequeue(&data->readq);
 		if (skb) {
 			ret = vhci_put_user(data, skb, buf, count);
+			printk("skb: %p refcnt: %u len: %u, data: %p, ret: %ld, count: %lu, %s\n",
+				skb, refcount_read(&skb->users), skb->len, skb->data, ret, count, __func__);
 			if (ret < 0)
 				skb_queue_head(&data->readq, skb);
 			else

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __hci_cmd_sync_sk

BUG: memory leak
unreferenced object 0xffff88810d55d200 (size 240):
  comm "kworker/u9:2", pid 5892, jiffies 4294947408
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc d5cb7eed):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x87/0x590 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:257
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:339
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810d41ac00 (size 704):
  comm "kworker/u9:2", pid 5892, jiffies 4294947408
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4e765d9f):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    kmalloc_reserve+0xe6/0x180 net/core/skbuff.c:579
    __alloc_skb+0xd4/0x240 net/core/skbuff.c:670
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x87/0x590 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:257
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:339
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit:         d13f3ac6 Merge tag 'mips-fixes_6.18_1' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1170ce92580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=132f4e92580000

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[Edward Adam Davis]

#syz test

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..1fce1a8c79ee 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -173,6 +173,8 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 	if (err < 0)
 		return ERR_PTR(err);
 
+	skb = skb_peek_tail(&req.cmd_q);
+retry:
 	err = wait_event_interruptible_timeout(hdev->req_wait_q,
 					       hdev->req_status != HCI_REQ_PEND,
 					       timeout);
@@ -186,6 +188,12 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 		break;
 
 	case HCI_REQ_CANCELED:
+		if (!skb_queue_empty(&hdev->cmd_q) && hdev->req_skb != skb) {
+			hdev->req_status = HCI_REQ_PEND;
+			atomic_set(&hdev->cmd_cnt, 1);
+			queue_work(hdev->workqueue, &hdev->cmd_work);
+			goto retry;
+		}
 		err = -hdev->req_result;
 		break;
 
diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index 2fef08254d78..2e12615f539e 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -75,6 +75,10 @@ static int vhci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
 {
 	struct vhci_data *data = hci_get_drvdata(hdev);
 
+	printk("skb: %p refcnt: %u,  data inited: %d, %s\n",
+		skb, refcount_read(&skb->users),
+		atomic_read(&data->initialized),
+		__func__);
 	memcpy(skb_push(skb, 1), &hci_skb_pkt_type(skb), 1);
 
 	skb_queue_tail(&data->readq, skb);
@@ -587,6 +591,8 @@ static ssize_t vhci_read(struct file *file,
 		skb = skb_dequeue(&data->readq);
 		if (skb) {
 			ret = vhci_put_user(data, skb, buf, count);
+			printk("skb: %p refcnt: %u len: %u, data: %p, ret: %ld, count: %lu, %s\n",
+				skb, refcount_read(&skb->users), skb->len, skb->data, ret, count, __func__);
 			if (ret < 0)
 				skb_queue_head(&data->readq, skb);
 			else

Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __hci_cmd_sync_sk

BUG: memory leak
unreferenced object 0xffff888109d1e300 (size 240):
  comm "kworker/u9:1", pid 5135, jiffies 4294951173
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4072963):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x87/0x590 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:258
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:340
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888124def900 (size 240):
  comm "kworker/u9:1", pid 5135, jiffies 4294951376
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc bee89128):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x87/0x590 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:258
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:340
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit:         d13f3ac6 Merge tag 'mips-fixes_6.18_1' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15d1b97c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1653ea12580000