public inbox for linux-kernel@vger.kernel.org
* [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
@ 2025-11-17 14:24 syzbot
  2025-11-18  2:53 ` Edward Adam Davis
                   ` (18 more replies)
  0 siblings, 19 replies; 38+ messages in thread
From: syzbot @ 2025-11-17 14:24 UTC (permalink / raw)
  To: johan.hedberg, linux-bluetooth, linux-kernel, linux-usb,
	luiz.dentz, marcel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    e927c520e1ba Merge tag 'loongarch-fixes-6.18-1' of git://g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10158d32580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=cb128cd5cb439809
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1782c914580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10a5f0b4580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b755c257d71b/disk-e927c520.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b906cb4856d7/vmlinux-e927c520.xz
kernel image: https://storage.googleapis.com/syzbot-assets/bb3525aba146/bzImage-e927c520.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f098d64cc684b8dbaf65@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff888112c22900 (size 240):
  comm "kworker/u9:1", pid 5133, jiffies 4294947154
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 6c5ee80a):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:250
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:332
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810b0ee3c0 (size 704):
  comm "kworker/u9:1", pid 5133, jiffies 4294947154
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4e765d9f):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    kmalloc_reserve+0xe6/0x180 net/core/skbuff.c:579
    __alloc_skb+0xd4/0x240 net/core/skbuff.c:670
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:250
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:332
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888112c22b00 (size 240):
  comm "kworker/u9:1", pid 5133, jiffies 4294947360
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc a204b710):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:250
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:332
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810b0edb80 (size 704):
  comm "kworker/u9:1", pid 5133, jiffies 4294947360
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4e765d9f):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    kmalloc_reserve+0xe6/0x180 net/core/skbuff.c:579
    __alloc_skb+0xd4/0x240 net/core/skbuff.c:670
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:250
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:332
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

^ permalink raw reply	[flat|nested] 38+ messages in thread

* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-17 14:24 [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk syzbot
@ 2025-11-18  2:53 ` Edward Adam Davis
  2025-11-18  3:24   ` syzbot
  2025-11-18  3:40 ` Edward Adam Davis
                   ` (17 subsequent siblings)
  18 siblings, 1 reply; 38+ messages in thread
From: Edward Adam Davis @ 2025-11-18  2:53 UTC (permalink / raw)
  To: syzbot+f098d64cc684b8dbaf65; +Cc: linux-kernel, syzkaller-bugs

#syz test

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..553cfc4f7886 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -177,8 +177,11 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 					       hdev->req_status != HCI_REQ_PEND,
 					       timeout);
 
-	if (err == -ERESTARTSYS)
+	if (err == -ERESTARTSYS) {
+		flush_work(&hdev->cmd_work);
+		skb_queue_purge(&req.cmd_q);
 		return ERR_PTR(-EINTR);
+	}
 
 	switch (hdev->req_status) {
 	case HCI_REQ_DONE:
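Review bot: the new cleanup only runs on the -ERESTARTSYS branch, while the wait whose tail is visible above (`hdev->req_status != HCI_REQ_PEND, timeout);`) also returns 0 when it times out, and that case still falls through into `switch (hdev->req_status)` with nothing freed; syzbot's retest of this patch (next message) still reports the leak. Handle `err == 0` next to the -ERESTARTSYS check as well, and double-check that `skb_queue_purge(&req.cmd_q)` can still find the command skb at this point: the preceding flush_work(&hdev->cmd_work) implies the command may already have been handed to the device's work, in which case purging the local queue frees nothing and the skb has to be dropped from wherever it now sits.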



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-18  2:53 ` Edward Adam Davis
@ 2025-11-18  3:24   ` syzbot
  0 siblings, 0 replies; 38+ messages in thread
From: syzbot @ 2025-11-18  3:24 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __hci_cmd_sync_sk

BUG: memory leak
unreferenced object 0xffff888109a2de00 (size 240):
  comm "kworker/u9:3", pid 6352, jiffies 4294946920
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc ee2326c6):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x85/0x530 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:253
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:335
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit:         e7c375b1 Merge tag 'vfs-6.18-rc7.fixes' of gitolite.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1078e212580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1412f212580000



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-17 14:24 [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk syzbot
  2025-11-18  2:53 ` Edward Adam Davis
@ 2025-11-18  3:40 ` Edward Adam Davis
  2025-11-18  3:54   ` syzbot
  2025-11-18  3:56 ` Edward Adam Davis
                   ` (16 subsequent siblings)
  18 siblings, 1 reply; 38+ messages in thread
From: Edward Adam Davis @ 2025-11-18  3:40 UTC (permalink / raw)
  To: syzbot+f098d64cc684b8dbaf65; +Cc: linux-kernel, syzkaller-bugs

#syz test

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..81fb553ceb56 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -201,7 +201,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	bt_dev_dbg(hdev, "end: err %d", err);
 
-	if (err < 0) {
+	if (err <= 0) {
 		kfree_skb(skb);
 		return ERR_PTR(err);
 	}
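Review bot: with `err <= 0` the timeout case returns ERR_PTR(0), which is NULL, so callers that only check IS_ERR() treat it as a valid skb and dereference it; that is the oops syzbot hit in __hci_cmd_sync_status_sk when testing this patch (next message: RBX is 0, the IS_ERR compare against 0xfffffffffffff000 passes, and the trapping instruction is the load at 0xd8(%rbx)). Convert a zero err to a real errno such as -ETIMEDOUT before `return ERR_PTR(err);`, or keep `err < 0` and handle the timeout explicitly.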



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-18  3:40 ` Edward Adam Davis
@ 2025-11-18  3:54   ` syzbot
  0 siblings, 0 replies; 38+ messages in thread
From: syzbot @ 2025-11-18  3:54 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

BUG: unable to handle kernel NULL pointer dereference in __hci_cmd_sync_status_sk

BUG: kernel NULL pointer dereference, address: 00000000000000d8
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0 
Oops: Oops: 0000 [#1] SMP PTI
CPU: 1 UID: 0 PID: 5134 Comm: kworker/u9:1 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: hci0 hci_power_on
RIP: 0010:__hci_cmd_sync_status_sk+0x7e/0x100 net/bluetooth/hci_sync.c:276
Code: 7b 78 fc 48 89 de 48 c7 c7 00 f0 ff ff e8 3a 74 78 fc 48 81 fb 00 f0 ff ff 77 3c e8 8c 7b 78 fc ba 02 00 00 00 48 89 de 31 ff <48> 8b 83 d8 00 00 00 0f b6 28 e8 83 74 87 ff e8 6e 7b 78 fc 89 e8
RSP: 0018:ffffc9000c087d58 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff84e919d6
RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000c03 R08: 0000000000000007 R09: fffffffffffff000
R10: 0000000000000000 R11: ffff88810c72bf00 R12: 0000000000000000
R13: ffff88810e0be000 R14: 0000000000000090 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8881b26c2000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000d8 CR3: 00000001198b4000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __hci_cmd_sync_status net/bluetooth/hci_sync.c:287 [inline]
 hci_reset_sync net/bluetooth/hci_sync.c:3664 [inline]
 hci_init1_sync net/bluetooth/hci_sync.c:3750 [inline]
 hci_init_sync net/bluetooth/hci_sync.c:4867 [inline]
 hci_dev_init_sync net/bluetooth/hci_sync.c:5059 [inline]
 hci_dev_open_sync+0x5aa/0x1080 net/bluetooth/hci_sync.c:5137
 hci_dev_do_open net/bluetooth/hci_core.c:430 [inline]
 hci_power_on+0x87/0x330 net/bluetooth/hci_core.c:959
 process_one_work+0x26b/0x620 kernel/workqueue.c:3263
 process_scheduled_works kernel/workqueue.c:3346 [inline]
 worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
 kthread+0x15b/0x310 kernel/kthread.c:463
 ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Modules linked in:
CR2: 00000000000000d8
---[ end trace 0000000000000000 ]---
RIP: 0010:__hci_cmd_sync_status_sk+0x7e/0x100 net/bluetooth/hci_sync.c:276
Code: 7b 78 fc 48 89 de 48 c7 c7 00 f0 ff ff e8 3a 74 78 fc 48 81 fb 00 f0 ff ff 77 3c e8 8c 7b 78 fc ba 02 00 00 00 48 89 de 31 ff <48> 8b 83 d8 00 00 00 0f b6 28 e8 83 74 87 ff e8 6e 7b 78 fc 89 e8
RSP: 0018:ffffc9000c087d58 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff84e919d6
RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000c03 R08: 0000000000000007 R09: fffffffffffff000
R10: 0000000000000000 R11: ffff88810c72bf00 R12: 0000000000000000
R13: ffff88810e0be000 R14: 0000000000000090 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8881b26c2000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000d8 CR3: 00000001198b4000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	7b 78                	jnp    0x7a
   2:	fc                   	cld
   3:	48 89 de             	mov    %rbx,%rsi
   6:	48 c7 c7 00 f0 ff ff 	mov    $0xfffffffffffff000,%rdi
   d:	e8 3a 74 78 fc       	call   0xfc78744c
  12:	48 81 fb 00 f0 ff ff 	cmp    $0xfffffffffffff000,%rbx
  19:	77 3c                	ja     0x57
  1b:	e8 8c 7b 78 fc       	call   0xfc787bac
  20:	ba 02 00 00 00       	mov    $0x2,%edx
  25:	48 89 de             	mov    %rbx,%rsi
  28:	31 ff                	xor    %edi,%edi
* 2a:	48 8b 83 d8 00 00 00 	mov    0xd8(%rbx),%rax <-- trapping instruction
  31:	0f b6 28             	movzbl (%rax),%ebp
  34:	e8 83 74 87 ff       	call   0xff8774bc
  39:	e8 6e 7b 78 fc       	call   0xfc787bac
  3e:	89 e8                	mov    %ebp,%eax


Warning: Permanently added '10.128.1.249' (ED25519) to the list of known hosts.
2025/11/18 03:52:43 parsed 1 programs
[   39.605035][ T5812] cgroup: Unknown subsys name 'net'
[   39.718206][ T5812] cgroup: Unknown subsys name 'cpuset'
[   39.725182][ T5812] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   47.625088][ T5812] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   48.821383][ T5824] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[   48.930584][ T5829] chnl_net:caif_netlink_parms(): no params data found
[   48.949691][ T5829] bridge0: port 1(bridge_slave_0) entered blocking state
[   48.956768][ T5829] bridge0: port 1(bridge_slave_0) entered disabled state
[   48.964113][ T5829] bridge_slave_0: entered allmulticast mode
[   48.970539][ T5829] bridge_slave_0: entered promiscuous mode
[   48.976864][ T5829] bridge0: port 2(bridge_slave_1) entered blocking state
[   48.984045][ T5829] bridge0: port 2(bridge_slave_1) entered disabled state
[   48.991247][ T5829] bridge_slave_1: entered allmulticast mode
[   48.997453][ T5829] bridge_slave_1: entered promiscuous mode
[   49.008461][ T5829] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   49.018458][ T5829] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   49.033238][ T5829] team0: Port device team_slave_0 added
[   49.039522][ T5829] team0: Port device team_slave_1 added
[   49.049010][ T5829] batman_adv: batadv0: Adding interface: batadv_slave_0
[   49.056032][ T5829] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[   49.082173][ T5829] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   49.093168][ T5829] batman_adv: batadv0: Adding interface: batadv_slave_1
[   49.100231][ T5829] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[   49.126190][ T5829] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   49.143192][ T5829] hsr_slave_0: entered promiscuous mode
[   49.149035][ T5829] hsr_slave_1: entered promiscuous mode
[   49.176213][ T5829] netdevsim netdevsim0 netdevsim0: renamed from eth0
[   49.184012][ T5829] netdevsim netdevsim0 netdevsim1: renamed from eth1
[   49.191721][ T5829] netdevsim netdevsim0 netdevsim2: renamed from eth2
[   49.199377][ T5829] netdevsim netdevsim0 netdevsim3: renamed from eth3
[   49.210938][ T5829] bridge0: port 2(bridge_slave_1) entered blocking state
[   49.217991][ T5829] bridge0: port 2(bridge_slave_1) entered forwarding state
[   49.225334][ T5829] bridge0: port 1(bridge_slave_0) entered blocking state
[   49.232427][ T5829] bridge0: port 1(bridge_slave_0) entered forwarding state
[   49.249559][ T5829] 8021q: adding VLAN 0 to HW filter on device bond0
[   49.259076][ T1811] bridge0: port 1(bridge_slave_0) entered disabled state
[   49.266510][ T1811] bridge0: port 2(bridge_slave_1) entered disabled state
[   49.276312][ T5829] 8021q: adding VLAN 0 to HW filter on device team0
[   49.285041][   T35] bridge0: port 1(bridge_slave_0) entered blocking state
[   49.292228][   T35] bridge0: port 1(bridge_slave_0) entered forwarding state
[   49.301049][ T1811] bridge0: port 2(bridge_slave_1) entered blocking state
[   49.308132][ T1811] bridge0: port 2(bridge_slave_1) entered forwarding state
[   49.346750][ T5829] 8021q: adding VLAN 0 to HW filter on device batadv0
[   49.361904][ T5829] veth0_vlan: entered promiscuous mode
[   49.368744][ T5829] veth1_vlan: entered promiscuous mode
[   49.379509][ T5829] veth0_macvtap: entered promiscuous mode
[   49.386208][ T5829] veth1_macvtap: entered promiscuous mode
[   49.395078][ T5829] batman_adv: batadv0: Interface activated: batadv_slave_0
[   49.404897][ T5829] batman_adv: batadv0: Interface activated: batadv_slave_1
[   49.414036][ T1811] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[   49.422836][ T1811] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[   49.431714][ T1811] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[   49.440751][ T1811] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[   49.511385][ T1037] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[   49.548614][ T1037] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[   49.598642][ T1037] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[   49.619824][ T5868] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   49.626860][ T5134] BUG: kernel NULL pointer dereference, address: 00000000000000d8
[   49.634660][ T5134] #PF: supervisor read access in kernel mode
[   49.640614][ T5134] #PF: error_code(0x0000) - not-present page
[   49.646656][ T5134] PGD 0 P4D 0 
[   49.650092][ T5134] Oops: Oops: 0000 [#1] SMP PTI
[   49.654923][ T5134] CPU: 1 UID: 0 PID: 5134 Comm: kworker/u9:1 Not tainted syzkaller #0 PREEMPT(full) 
[   49.664549][ T5134] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[   49.674941][ T5134] Workqueue: hci0 hci_power_on
[   49.679690][ T5134] RIP: 0010:__hci_cmd_sync_status_sk+0x7e/0x100
[   49.686004][ T5134] Code: 7b 78 fc 48 89 de 48 c7 c7 00 f0 ff ff e8 3a 74 78 fc 48 81 fb 00 f0 ff ff 77 3c e8 8c 7b 78 fc ba 02 00 00 00 48 89 de 31 ff <48> 8b 83 d8 00 00 00 0f b6 28 e8 83 74 87 ff e8 6e 7b 78 fc 89 e8
[   49.706025][ T5134] RSP: 0018:ffffc9000c087d58 EFLAGS: 00010246
[   49.712243][ T5134] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff84e919d6
[   49.720299][ T5134] RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000
[   49.728434][ T5134] RBP: 0000000000000c03 R08: 0000000000000007 R09: fffffffffffff000
[   49.736819][ T5134] R10: 0000000000000000 R11: ffff88810c72bf00 R12: 0000000000000000
[   49.744762][ T5134] R13: ffff88810e0be000 R14: 0000000000000090 R15: 0000000000000000
[   49.752713][ T5134] FS:  0000000000000000(0000) GS:ffff8881b26c2000(0000) knlGS:0000000000000000
[   49.761620][ T5134] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   49.768180][ T5134] CR2: 00000000000000d8 CR3: 00000001198b4000 CR4: 00000000003526f0
[   49.776129][ T5134] Call Trace:
[   49.779402][ T5134]  <TASK>
[   49.782334][ T5134]  hci_dev_open_sync+0x5aa/0x1080
[   49.787364][ T5134]  ? __schedule+0x4c2/0x1990
[   49.792031][ T5134]  hci_power_on+0x87/0x330
[   49.796517][ T5134]  ? pwq_dec_nr_in_flight+0x78/0x560
[   49.801872][ T5134]  process_one_work+0x26b/0x620
[   49.806804][ T5134]  worker_thread+0x2c4/0x4f0
[   49.811464][ T5134]  ? __pfx_worker_thread+0x10/0x10
[   49.816550][ T5134]  kthread+0x15b/0x310
[   49.820623][ T5134]  ? finish_task_switch.isra.0+0x86/0x280
[   49.826410][ T5134]  ? __pfx_kthread+0x10/0x10
[   49.831068][ T5134]  ? __pfx_kthread+0x10/0x10
[   49.835908][ T5134]  ret_from_fork+0x210/0x240
[   49.840494][ T5134]  ? __pfx_kthread+0x10/0x10
[   49.845100][ T5134]  ret_from_fork_asm+0x1a/0x30
[   49.849853][ T5134]  </TASK>
[   49.852851][ T5134] Modules linked in:
[   49.856737][ T5134] CR2: 00000000000000d8
[   49.861042][ T5134] ---[ end trace 0000000000000000 ]---
[   49.866474][ T5134] RIP: 0010:__hci_cmd_sync_status_sk+0x7e/0x100
[   49.872872][ T5134] Code: 7b 78 fc 48 89 de 48 c7 c7 00 f0 ff ff e8 3a 74 78 fc 48 81 fb 00 f0 ff ff 77 3c e8 8c 7b 78 fc ba 02 00 00 00 48 89 de 31 ff <48> 8b 83 d8 00 00 00 0f b6 28 e8 83 74 87 ff e8 6e 7b 78 fc 89 e8
[   49.892482][ T5134] RSP: 0018:ffffc9000c087d58 EFLAGS: 00010246
[   49.898531][ T5134] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff84e919d6
[   49.906576][ T5134] RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000
[   49.914714][ T5134] RBP: 0000000000000c03 R08: 0000000000000007 R09: fffffffffffff000
[   49.922748][ T5134] R10: 0000000000000000 R11: ffff88810c72bf00 R12: 0000000000000000
[   49.930873][ T5134] R13: ffff88810e0be000 R14: 0000000000000090 R15: 0000000000000000
[   49.938834][ T5134] FS:  0000000000000000(0000) GS:ffff8881b26c2000(0000) knlGS:0000000000000000
[   49.948057][ T5134] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   49.954712][ T5134] CR2: 00000000000000d8 CR3: 00000001198b4000 CR4: 00000000003526f0
[   49.962685][ T5134] Kernel panic - not syncing: Fatal exception
[   49.969347][ T5134] Kernel Offset: disabled
[   49.973668][ T5134] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build379651147=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at 07e030dea
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=07e030dea6e6d9ca88b75bb3be2810f47083b328 -X github.com/google/syzkaller/prog.gitRevisionDate=20251112-115923"  ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=07e030dea6e6d9ca88b75bb3be2810f47083b328 -X github.com/google/syzkaller/prog.gitRevisionDate=20251112-115923"  ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=07e030dea6e6d9ca88b75bb3be2810f47083b328 -X github.com/google/syzkaller/prog.gitRevisionDate=20251112-115923"  -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"07e030dea6e6d9ca88b75bb3be2810f47083b328\"
/usr/bin/ld: /tmp/cccfp96C.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null



Tested on:

commit:         e7c375b1 Merge tag 'vfs-6.18-rc7.fixes' of gitolite.ke..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13e18e0a580000


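The `err <= 0` experiment above and the NULL dereference syzbot got back illustrate a general kernel pitfall worth seeing in isolation: ERR_PTR(0) is NULL, so a function that maps a zero result through ERR_PTR() hands its callers a pointer that passes IS_ERR() and is then dereferenced. The following is an added userspace model, not code from this thread, from syzbot or from the kernel tree; it reimplements the ERR_PTR()/IS_ERR() semantics of include/linux/err.h and reduces the epilogue of __hci_cmd_sync_sk() to the integer the wait returns (positive for a reply, 0 for timeout, negative when interrupted). fake_skb, finish_cmd, caller_status, observed_status and skbs_freed_by are hypothetical names, and the status byte 0x0c in the constructed reply is made up for the demonstration.

```c
/*
 * Added example, not code from this thread or from the kernel tree: a
 * userspace model of ERR_PTR()/IS_ERR() (include/linux/err.h semantics
 * reimplemented here) and of the epilogue of __hci_cmd_sync_sk() as
 * changed by the two "#syz test" patches.  wait_ret mimics what
 * wait_event_interruptible_timeout() returns: >0 reply arrived, 0 timed
 * out, <0 interrupted.  All names below are hypothetical.
 * Build: cc -std=c11 -Wall -o err_ptr_model err_ptr_model.c
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO 4095	/* same bound as include/linux/err.h */

static inline void *ERR_PTR(long error)
{
	return (void *)(intptr_t)error;	/* ERR_PTR(0) is NULL */
}

static inline long PTR_ERR(const void *ptr)
{
	return (long)(intptr_t)ptr;
}

static inline int IS_ERR(const void *ptr)
{
	/* only the top MAX_ERRNO addresses are error codes; NULL is not */
	return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

static inline int IS_ERR_OR_NULL(const void *ptr)
{
	return !ptr || IS_ERR(ptr);
}

/* Stand-in for the command-complete skb; data[0] is the HCI status byte. */
struct fake_skb {
	unsigned char data[4];
};

static int freed_skbs;	/* counts kfree_skb() calls made by the model */

static void fake_kfree_skb(struct fake_skb *skb)
{
	if (skb)
		freed_skbs++;
}

enum variant {
	PATCH_LE_ZERO,		/* "if (err <= 0) { kfree_skb(skb); return ERR_PTR(err); }" */
	PATCH_LE_ZERO_MAPPED,	/* same, plus "if (!err) err = -ETIMEDOUT;" */
};

/* Model of the function epilogue for the two patch versions in this thread. */
static struct fake_skb *finish_cmd(enum variant v, int wait_ret, struct fake_skb *skb)
{
	int err = wait_ret;

	if (err <= 0) {
		fake_kfree_skb(skb);
		if (v == PATCH_LE_ZERO_MAPPED && !err)
			err = -ETIMEDOUT;	/* timeout must become a real errno */
		return ERR_PTR(err);		/* with err == 0 this is NULL */
	}
	return skb;
}

/*
 * Model of a caller such as __hci_cmd_sync_status_sk(): it trusts IS_ERR()
 * and then reads the status byte.  Returns the status byte, the negative
 * errno, or the sentinel -1 where the real kernel code dereferences NULL
 * (the oops syzbot reported while testing the "err <= 0" patch).
 */
static int caller_status(struct fake_skb *skb)
{
	if (IS_ERR(skb))
		return (int)PTR_ERR(skb);
	if (!skb)
		return -1;	/* kernel: NULL pointer dereference at skb->data */
	return skb->data[0];
}

/* Run one scenario end to end; returns what the caller observes. */
static int observed_status(enum variant v, int wait_ret)
{
	/* constructed reply carrying HCI status 0x0c (Command Disallowed) */
	static struct fake_skb reply = { { 0x0c, 0, 0, 0 } };

	return caller_status(finish_cmd(v, wait_ret, &reply));
}

/* Number of skbs the model frees for one scenario. */
static int skbs_freed_by(enum variant v, int wait_ret)
{
	static struct fake_skb reply = { { 0x00, 0, 0, 0 } };

	freed_skbs = 0;
	finish_cmd(v, wait_ret, &reply);
	return freed_skbs;
}

int main(void)
{
	const char *names[] = { "err <= 0", "err <= 0 + ETIMEDOUT map" };
	int waits[] = { 5, 0, -EINTR };
	size_t i, j;

	for (i = 0; i < 2; i++)
		for (j = 0; j < 3; j++)
			printf("%-26s wait_ret=%-5d caller sees %d (freed %d)\n",
			       names[i], waits[j],
			       observed_status((enum variant)i, waits[j]),
			       skbs_freed_by((enum variant)i, waits[j]));
	printf("IS_ERR(ERR_PTR(0)) = %d, IS_ERR_OR_NULL(ERR_PTR(0)) = %d\n",
	       IS_ERR(ERR_PTR(0)), IS_ERR_OR_NULL(ERR_PTR(0)));
	return 0;
}
```

Run it and the `err <= 0` row with wait_ret=0 shows the caller reading -1 (the model's stand-in for the oops), while the mapped variant returns -ETIMEDOUT, which IS_ERR() catches. On the caller side IS_ERR_OR_NULL() is the defensive check when a helper may legitimately return NULL, but the fix belongs in the producer: never pass a value that can be zero through ERR_PTR().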

* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-17 14:24 [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk syzbot
  2025-11-18  2:53 ` Edward Adam Davis
  2025-11-18  3:40 ` Edward Adam Davis
@ 2025-11-18  3:56 ` Edward Adam Davis
  2025-11-18  4:24   ` syzbot
  2025-11-19  2:46 ` shaurya
                   ` (15 subsequent siblings)
  18 siblings, 1 reply; 38+ messages in thread
From: Edward Adam Davis @ 2025-11-18  3:56 UTC (permalink / raw)
  To: syzbot+f098d64cc684b8dbaf65; +Cc: linux-kernel, syzkaller-bugs

#syz test

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..b04bd6e357e0 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -180,6 +180,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 	if (err == -ERESTARTSYS)
 		return ERR_PTR(-EINTR);
 
+	printk("err: %d, status: %u, result: %u, %s\n", err, hdev->req_status, hdev->req_result, __func__);
 	switch (hdev->req_status) {
 	case HCI_REQ_DONE:
 		err = -bt_to_errno(hdev->req_result);
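Review bot: the added printk() is debugging output (no log level, emitted for every synchronous command, outside the Bluetooth debug helpers) and must not be in the version submitted for merging; drop it, or use bt_dev_dbg(hdev, ...) as the function already does for `bt_dev_dbg(hdev, "end: err %d", err);` in the next hunk.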
@@ -201,8 +202,10 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	bt_dev_dbg(hdev, "end: err %d", err);
 
-	if (err < 0) {
+	if (err <= 0) {
 		kfree_skb(skb);
+		if (!err)
+			err = -ETIMEDOUT;
 		return ERR_PTR(err);
 	}
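Review bot: `if (!err) err = -ETIMEDOUT;` repairs the ERR_PTR(0) == NULL return that the previous `err <= 0` attempt crashed on, but it is applied after `switch (hdev->req_status)` and after `bt_dev_dbg(hdev, "end: err %d", err);`, so the debug line still logs 0 and nothing states why err can be 0 here (the wait timing out). Convert at the point the wait returns, next to the existing `if (err == -ERESTARTSYS)` check, with a one-line comment, so every later use of err sees the real errno; a final submission also needs a commit message explaining which skb was leaked on this path and why freeing it here is safe.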
 



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-18  3:56 ` Edward Adam Davis
@ 2025-11-18  4:24   ` syzbot
  0 siblings, 0 replies; 38+ messages in thread
From: syzbot @ 2025-11-18  4:24 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+f098d64cc684b8dbaf65@syzkaller.appspotmail.com
Tested-by: syzbot+f098d64cc684b8dbaf65@syzkaller.appspotmail.com

Tested on:

commit:         e7c375b1 Merge tag 'vfs-6.18-rc7.fixes' of gitolite.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15f18e0a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12b5b884580000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-17 14:24 [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk syzbot
                   ` (2 preceding siblings ...)
  2025-11-18  3:56 ` Edward Adam Davis
@ 2025-11-19  2:46 ` shaurya
  2025-11-19  3:22 ` Edward Adam Davis
                   ` (14 subsequent siblings)
  18 siblings, 0 replies; 38+ messages in thread
From: shaurya @ 2025-11-19  2:46 UTC (permalink / raw)
  To: syzbot+f098d64cc684b8dbaf65
  Cc: linux-bluetooth, linux-kernel, linux-usb, syzkaller-bugs

[-- Attachment #1: Type: text/html, Size: 240 bytes --]

[-- Attachment #2: 0001-Bluetooth-hci_sync-fix-memory-leak-in-__hci_cmd_sync.patch --]
[-- Type: text/x-patch, Size: 2002 bytes --]

From da73ec851aa5ec19b429c4cf8b9e2cd6a42e6e1e Mon Sep 17 00:00:00 2001
From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
Date: Wed, 19 Nov 2025 08:01:33 +0530
Subject: [PATCH] Bluetooth: hci_sync: fix memory leak in __hci_cmd_sync_sk

Fix a memory leak in __hci_cmd_sync_sk where allocated request command
SKBs are not properly cleaned up when the function fails.

The issue occurs when hci_cmd_sync_alloc() successfully allocates an SKB
and it gets queued via hci_cmd_sync_add(), but then __hci_cmd_sync_sk()
fails due to timeout, interruption, or cancellation. In these error
paths, the req_skb that was cloned and stored in hdev->req_skb is not
freed, leading to memory leaks.

The memory leak can be reproduced when __hci_cmd_sync_sk() allocates
and queues an HCI command SKB, and hci_req_sync_run() transfers this
SKB to hdev->cmd_q and clones it to hdev->req_skb. If the subsequent
wait_event_interruptible_timeout() call fails (due to timeout or
interruption), the function returns an error without hdev->req_skb
ever being cleaned up.

The fix ensures that when __hci_cmd_sync_sk() returns an error, any
pending request command SKB in hdev->req_skb is properly freed before
returning. This matches the cleanup pattern used elsewhere in the HCI
sync code.

Reported-by: syzbot+f098d64cc684b8dbaf65@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
---
 net/bluetooth/hci_sync.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..fbaa5749ad7b 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -203,6 +203,11 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	if (err < 0) {
 		kfree_skb(skb);
+		/* Clean up any pending request command */
+		if (hdev->req_skb) {
+			kfree_skb(hdev->req_skb);
+			hdev->req_skb = NULL;
+		}
 		return ERR_PTR(err);
 	}
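Review bot: this frees the wrong object, and does so without any locking. The leaked 240-byte object in syzbot's report is allocated by __alloc_skb() inside hci_cmd_sync_alloc(), called from hci_cmd_sync_add() in __hci_cmd_sync_sk(); that is the command skb that was queued. The commit message says hdev->req_skb holds a clone of it, and a clone's struct sk_buff comes from skb_clone(), which would show up as a different allocation site, so `kfree_skb(hdev->req_skb);` cannot release the reported object; syzbot's retest of this patch still leaking is consistent with that. Separately, hdev->req_skb is dereferenced from other contexts (hci_cmd_timeout() in hci_core.c reads it), so clearing it here with no lock held races with them. If req_skb ownership really is the problem, the release belongs in the completion or cancel path that already serialises access to it.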
 
-- 
2.34.1



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-17 14:24 [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk syzbot
                   ` (3 preceding siblings ...)
  2025-11-19  2:46 ` shaurya
@ 2025-11-19  3:22 ` Edward Adam Davis
  2025-11-19  3:47   ` syzbot
  2025-11-19 18:45 ` shaurya
                   ` (13 subsequent siblings)
  18 siblings, 1 reply; 38+ messages in thread
From: Edward Adam Davis @ 2025-11-19  3:22 UTC (permalink / raw)
  To: syzbot+f098d64cc684b8dbaf65; +Cc: linux-kernel, syzkaller-bugs

#syz test

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..84a57a79a025 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -177,8 +177,17 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 					       hdev->req_status != HCI_REQ_PEND,
 					       timeout);
 
-	if (err == -ERESTARTSYS)
-		return ERR_PTR(-EINTR);
+	if (err == -ERESTARTSYS || !err) {
+		if (err)
+			err = -EINTR;
+		else
+			err = -ETIMEDOUT;
+
+		flush_work(&hdev->cmd_work);
+		skb_queue_purge(&hdev->cmd_q);
+
+		return ERR_PTR(err);
+	}
 
 	switch (hdev->req_status) {
 	case HCI_REQ_DONE:
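Review bot: `skb_queue_purge(&hdev->cmd_q);` is device-wide. hdev->cmd_q holds every command queued for the controller, not only the one this request added, so a timeout or a pending signal in one caller silently discards other callers' commands. The early return also bypasses the switch on hdev->req_status, so a request that completed in the window between the wait returning and this check is reported as -ETIMEDOUT or -EINTR although it succeeded. syzbot's run of this patch still shows the hci_cmd_sync_add() skb leaking, which says the object is no longer in cmd_q when this code runs: the command worker that flush_work(&hdev->cmd_work) waits for has already dequeued it, and the reference keeping it alive is held somewhere else.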



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-19  3:22 ` Edward Adam Davis
@ 2025-11-19  3:47   ` syzbot
  0 siblings, 0 replies; 38+ messages in thread
From: syzbot @ 2025-11-19  3:47 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __hci_cmd_sync_sk

BUG: memory leak
unreferenced object 0xffff8881195a5a00 (size 240):
  comm "kworker/u9:1", pid 5135, jiffies 4294947360
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 5842d197):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:259
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:341
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff8881099e1e40 (size 704):
  comm "kworker/u9:1", pid 5135, jiffies 4294947360
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4e765d9f):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    kmalloc_reserve+0xe6/0x180 net/core/skbuff.c:579
    __alloc_skb+0xd4/0x240 net/core/skbuff.c:670
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:259
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:341
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810c1c2d00 (size 240):
  comm "kworker/u9:3", pid 6291, jiffies 4294947641
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 310fcca):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:259
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:341
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888108e61080 (size 704):
  comm "kworker/u9:3", pid 6291, jiffies 4294947641
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4e765d9f):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    kmalloc_reserve+0xe6/0x180 net/core/skbuff.c:579
    __alloc_skb+0xd4/0x240 net/core/skbuff.c:670
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:259
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:341
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810c1c2300 (size 240):
  comm "kworker/u9:3", pid 6291, jiffies 4294947776
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 6674b3fb):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:259
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:341
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit:         8b690556 Merge tag 'for-linus' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15e54e0a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12ede692580000


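Reading the kmemleak blocks in syzbot's replies above by hand gets error-prone once a run produces several of them. The following is an added example for this thread, not code from the kernel tree or from anyone in the discussion: it parses the "unreferenced object" blocks out of a console log, names the first frame outside the allocator and skb plumbing as the owning call site, and groups objects that share comm, pid and jiffies as one allocation event. The NOISE_PATHS list is a heuristic chosen here, and reading a 240-byte and a 704-byte object with the same pid and jiffies as one skb (struct sk_buff from __alloc_skb plus its data buffer from kmalloc_reserve) is an interpretation of the backtraces in the reports, not something syzbot states. SAMPLE is constructed by trimming three of the reports quoted above.

```python
"""Triage kmemleak reports quoted in syzbot replies: group leaked objects by
the owning backtrace frame and by allocation event (comm, pid, jiffies)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Allocator and generic skb plumbing frames are noise for triage; the first frame
# outside these paths is taken as the owning site (heuristic, not a kmemleak option).
NOISE_PATHS = ("include/linux/kmemleak.h", "mm/", "net/core/skbuff.c",
               "include/linux/skbuff.h", "include/net/bluetooth/bluetooth.h")

RE_OBJ = re.compile(r"^unreferenced object 0x([0-9a-f]+) \(size (\d+)\):")
RE_COMM = re.compile(r'^\s+comm "([^"]*)", pid (\d+), jiffies (\d+)')
RE_BT = re.compile(r"^\s+backtrace \(crc [0-9a-f]+\):")
RE_FRAME = re.compile(
    r"^\s+(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(\S+:\d+)(?:\s+\[inline\])?\s*$")

@dataclass
class Leak:
    addr: int
    size: int
    comm: str = ""
    pid: int = 0
    jiffies: int = 0
    frames: list = field(default_factory=list)  # (symbol, file:line)

def parse_kmemleak(text):
    """Parse every 'unreferenced object' block found in a console log."""
    leaks, in_bt = [], False
    for line in text.splitlines():
        if m := RE_OBJ.match(line):
            leaks.append(Leak(int(m.group(1), 16), int(m.group(2))))
            in_bt = False
        elif not leaks:
            continue  # text before the first report
        elif m := RE_COMM.match(line):
            leaks[-1].comm, leaks[-1].pid = m.group(1), int(m.group(2))
            leaks[-1].jiffies = int(m.group(3))
        elif RE_BT.match(line):
            in_bt = True
        elif in_bt and (m := RE_FRAME.match(line)):
            leaks[-1].frames.append((m.group(1), m.group(2)))
        else:
            in_bt = False  # blank line or unrelated text ends the trace
    return leaks

def allocation_site(leak):
    """First backtrace frame that is neither allocator nor skb plumbing."""
    for sym, loc in leak.frames:
        if not loc.startswith(NOISE_PATHS):
            return f"{sym} {loc}"
    return "<unknown>"

def summarize(text):
    """Objects per site, plus bytes per event: objects sharing comm, pid and
    jiffies came from one allocation call (an skb is header + data buffer)."""
    leaks = parse_kmemleak(text)
    events = {}
    for lk in leaks:
        events.setdefault((lk.comm, lk.pid, lk.jiffies), []).append(lk)
    return {
        "objects": len(leaks),
        "bytes": sum(lk.size for lk in leaks),
        "sites": Counter(allocation_site(lk) for lk in leaks),
        "bytes_per_event": sorted(sum(lk.size for lk in v) for v in events.values()),
    }

# Constructed sample: three reports trimmed from the syzbot replies in this thread.
SAMPLE = """\
BUG: memory leak
unreferenced object 0xffff888111aec700 (size 240):
  comm "kworker/u9:1", pid 5135, jiffies 4294955520
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc d1edf5a3):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168

BUG: memory leak
unreferenced object 0xffff88810a34a680 (size 704):
  comm "kworker/u9:1", pid 5135, jiffies 4294955520
  backtrace (crc 4e765d9f):
    kmalloc_reserve+0xe6/0x180 net/core/skbuff.c:579
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168

BUG: memory leak
unreferenced object 0xffff88810c1c2300 (size 240):
  comm "kworker/u9:3", pid 6291, jiffies 4294947776
  backtrace (crc 6674b3fb):
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample this reports three objects, all owned by hci_cmd_sync_alloc net/bluetooth/hci_sync.c:58, 1184 bytes in two events of 944 and 240 bytes, which is the shape of every report in this thread: each leaked command shows up as the queued skb and its data buffer, attributed to the hci_cmd_sync_add() call in __hci_cmd_sync_sk(). The parsed addr is the value to compare against a %px print from a debug patch; %p output is hashed per boot and will not match kmemleak's addresses.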

* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-17 14:24 [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk syzbot
                   ` (4 preceding siblings ...)
  2025-11-19  3:22 ` Edward Adam Davis
@ 2025-11-19 18:45 ` shaurya
  2025-11-19 19:32   ` syzbot
  2025-11-20 13:27 ` Edward Adam Davis
                   ` (12 subsequent siblings)
  18 siblings, 1 reply; 38+ messages in thread
From: shaurya @ 2025-11-19 18:45 UTC (permalink / raw)
  To: syzbot+f098d64cc684b8dbaf65; +Cc: linux-bluetooth, linux-kernel, syzkaller-bugs

[-- Attachment #1: Type: text/plain, Size: 83 bytes --]

#syz test:
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

[-- Attachment #2: 0001-Bluetooth-hci_sync-fix-memory-leak-in-__hci_cmd_sync.patch --]
[-- Type: text/x-patch, Size: 2002 bytes --]

From 31c93fbc37d699e498cf51f7dc17e69cb210faaf Mon Sep 17 00:00:00 2001
From: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
Date: Thu, 20 Nov 2025 00:11:40 +0530
Subject: [PATCH] Bluetooth: hci_sync: fix memory leak in __hci_cmd_sync_sk

Fix a memory leak in __hci_cmd_sync_sk where allocated request command
SKBs are not properly cleaned up when the function fails.

The issue occurs when hci_cmd_sync_alloc() successfully allocates an SKB
and it gets queued via hci_cmd_sync_add(), but then __hci_cmd_sync_sk()
fails due to timeout, interruption, or cancellation. In these error
paths, the req_skb that was cloned and stored in hdev->req_skb is not
freed, leading to memory leaks.

The memory leak can be reproduced when __hci_cmd_sync_sk() allocates
and queues an HCI command SKB, and hci_req_sync_run() transfers this
SKB to hdev->cmd_q and clones it to hdev->req_skb. If the subsequent
wait_event_interruptible_timeout() call fails (due to timeout or
interruption), the function returns an error without hdev->req_skb
ever being cleaned up.

The fix ensures that when __hci_cmd_sync_sk() returns an error, any
pending request command SKB in hdev->req_skb is properly freed before
returning. This matches the cleanup pattern used elsewhere in the HCI
sync code.

Reported-by: syzbot+f098d64cc684b8dbaf65@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
Signed-off-by: Shaurya Rane <ssrane_b23@ee.vjti.ac.in>
---
 net/bluetooth/hci_sync.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..fbaa5749ad7b 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -203,6 +203,11 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	if (err < 0) {
 		kfree_skb(skb);
+		/* Clean up any pending request command */
+		if (hdev->req_skb) {
+			kfree_skb(hdev->req_skb);
+			hdev->req_skb = NULL;
+		}
 		return ERR_PTR(err);
 	}
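Review bot: the cleanup is not restricted to the paths where the command never completed. err < 0 here also results from the HCI_REQ_DONE case, `err = -bt_to_errno(hdev->req_result);`, i.e. a command the controller answered with a non-zero status, so `kfree_skb(hdev->req_skb);` runs after a normal completion as well as after a timeout or cancel, without consulting what the completion path already did with req_skb. Gate the release on the actual timeout/cancel outcome (the req_status seen in the switch above) rather than on the sign of err. This resend is byte-identical to the earlier version, and syzbot's run against master below still reports the leak.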
 
-- 
2.34.1



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-19 18:45 ` shaurya
@ 2025-11-19 19:32   ` syzbot
  0 siblings, 0 replies; 38+ messages in thread
From: syzbot @ 2025-11-19 19:32 UTC (permalink / raw)
  To: linux-bluetooth, linux-kernel, ssranevjti, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __hci_cmd_sync_sk

2025/11/19 19:30:48 executed programs: 47
2025/11/19 19:30:56 executed programs: 49
2025/11/19 19:31:03 executed programs: 51
2025/11/19 19:31:11 executed programs: 53
BUG: memory leak
unreferenced object 0xffff888111aec700 (size 240):
  comm "kworker/u9:1", pid 5135, jiffies 4294955520
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc d1edf5a3):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:255
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:337
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810a34a680 (size 704):
  comm "kworker/u9:1", pid 5135, jiffies 4294955520
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4e765d9f):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    kmalloc_reserve+0xe6/0x180 net/core/skbuff.c:579
    __alloc_skb+0xd4/0x240 net/core/skbuff.c:670
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:255
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:337
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit:         23cb64fb Merge tag 'soc-fixes-6.18-3' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13e81a12580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10d6f332580000



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-17 14:24 [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk syzbot
                   ` (5 preceding siblings ...)
  2025-11-19 18:45 ` shaurya
@ 2025-11-20 13:27 ` Edward Adam Davis
  2025-11-20 13:59   ` syzbot
  2025-11-20 14:11 ` Edward Adam Davis
                   ` (11 subsequent siblings)
  18 siblings, 1 reply; 38+ messages in thread
From: Edward Adam Davis @ 2025-11-20 13:27 UTC (permalink / raw)
  To: syzbot+f098d64cc684b8dbaf65; +Cc: linux-kernel, syzkaller-bugs

#syz test

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 3418d7b964a1..62469dba9e63 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1466,7 +1466,7 @@ static void hci_cmd_timeout(struct work_struct *work)
 	if (hdev->req_skb) {
 		u16 opcode = hci_skb_opcode(hdev->req_skb);
 
-		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
+		bt_dev_err(hdev, "command 0x%4.4x skb: %p tx timeout", opcode, hdev->req_skb);
 
 		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
 	} else {
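Review bot: `%p` is not usable for matching against kmemleak. printk hashes %p values per boot, whereas kmemleak's "unreferenced object 0x..." lines print real addresses, so this bt_dev_err() will never show the address that appears in the leak report. Use %px in a throwaway debug patch (or boot with no_hash_pointers) if the intent is to tie the timed-out hdev->req_skb to a leaked object; either way the change must not go beyond the #syz test.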
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..881da7b16257 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -133,6 +133,8 @@ static int hci_req_sync_run(struct hci_request *req)
 		return -ENODATA;
 
 	skb = skb_peek_tail(&req->cmd_q);
+	printk("status: %u, result: %u, skb: %p, %s\n",
+		hdev->req_status, hdev->req_result, hdev->req_rsp, __func__);
 	bt_cb(skb)->hci.req_complete_skb = hci_cmd_sync_complete;
 	bt_cb(skb)->hci.req_flags |= HCI_REQ_SKB;
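Review bot: the format string labels the value `skb: %p` but the argument is hdev->req_rsp, not the skb just obtained with skb_peek_tail(&req->cmd_q), so the line logs the previous response pointer (if any) rather than the command being submitted. Pass `skb` here, and use %px rather than %p if the address is meant to be compared with kmemleak's output.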
 
@@ -203,6 +205,9 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	if (err < 0) {
 		kfree_skb(skb);
+		flush_work(&hdev->cmd_work);
+		skb_queue_purge(&hdev->cmd_q);
+
 		return ERR_PTR(err);
 	}
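Review bot: as with the flush_work()/skb_queue_purge() pair in the earlier #syz test, purging hdev->cmd_q drops unrelated queued commands, and this placement widens the blast radius: the `if (err < 0)` branch runs after the switch, so it also covers HCI_REQ_DONE with a non-zero controller status (`err = -bt_to_errno(hdev->req_result);`), where the command completed and left nothing behind in the queue. syzbot's run of this patch still reports the same hci_cmd_sync_add() allocation, so the leaked skb is not in cmd_q at this point and the purge cannot reach it.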
 



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-20 13:27 ` Edward Adam Davis
@ 2025-11-20 13:59   ` syzbot
  0 siblings, 0 replies; 38+ messages in thread
From: syzbot @ 2025-11-20 13:59 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __hci_cmd_sync_sk

BUG: memory leak
unreferenced object 0xffff888126f9ea00 (size 240):
  comm "kworker/u9:2", pid 5907, jiffies 4294947048
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 9de8d0c7):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x7d/0x2a0 net/bluetooth/hci_sync.c:170
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:255
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:337
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810c7b3180 (size 704):
  comm "kworker/u9:2", pid 5907, jiffies 4294947048
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4e765d9f):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    kmalloc_reserve+0xe6/0x180 net/core/skbuff.c:579
    __alloc_skb+0xd4/0x240 net/core/skbuff.c:670
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x7d/0x2a0 net/bluetooth/hci_sync.c:170
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:255
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:337
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit:         23cb64fb Merge tag 'soc-fixes-6.18-3' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14b71a12580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12202a12580000



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-17 14:24 [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk syzbot
                   ` (6 preceding siblings ...)
  2025-11-20 13:27 ` Edward Adam Davis
@ 2025-11-20 14:11 ` Edward Adam Davis
  2025-11-20 14:45   ` syzbot
  2025-11-20 14:54 ` Edward Adam Davis
                   ` (10 subsequent siblings)
  18 siblings, 1 reply; 38+ messages in thread
From: Edward Adam Davis @ 2025-11-20 14:11 UTC (permalink / raw)
  To: syzbot+f098d64cc684b8dbaf65; +Cc: linux-kernel, syzkaller-bugs

#syz test


diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 3418d7b964a1..62469dba9e63 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1466,7 +1466,7 @@ static void hci_cmd_timeout(struct work_struct *work)
 	if (hdev->req_skb) {
 		u16 opcode = hci_skb_opcode(hdev->req_skb);
 
-		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
+		bt_dev_err(hdev, "command 0x%4.4x skb: %p tx timeout", opcode, hdev->req_skb);
 
 		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
 	} else {
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..0a0ce2a9b822 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -133,6 +133,8 @@ static int hci_req_sync_run(struct hci_request *req)
 		return -ENODATA;
 
 	skb = skb_peek_tail(&req->cmd_q);
+	printk("status: %u, result: %u, skb: %p, %s\n",
+		hdev->req_status, hdev->req_result, skb, __func__);
 	bt_cb(skb)->hci.req_complete_skb = hci_cmd_sync_complete;
 	bt_cb(skb)->hci.req_flags |= HCI_REQ_SKB;
 
@@ -201,6 +203,8 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	bt_dev_dbg(hdev, "end: err %d", err);
 
+	printk("err: %d, status: %u, result: %u, skb: %p, %s\n",
+		err, hdev->req_status, hdev->req_result, skb, __func__);
 	if (err < 0) {
 		kfree_skb(skb);
 		return ERR_PTR(err);
@@ -209,8 +213,12 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 	/* If command return a status event skb will be set to NULL as there are
 	 * no parameters.
 	 */
-	if (!skb)
+	if (!skb) {
+		flush_work(&hdev->cmd_work);
+		skb_queue_purge(&hdev->cmd_q);
+
 		return ERR_PTR(-ENODATA);
+	}
 
 	return skb;
 }
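Review bot: this purge sits on the success path. The comment kept in context explains that `skb` is NULL when the command completed with a status event and no parameters, which is the normal outcome for many commands, so this flushes cmd_work and empties hdev->cmd_q on every such completion and discards whatever other commands were queued behind it. syzbot's run of this patch still reports the same hci_cmd_sync_add() allocation leaking, so the reference is not held in cmd_q here either; the remaining holder has to be found before any queue manipulation is justified.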



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-20 14:11 ` Edward Adam Davis
@ 2025-11-20 14:45   ` syzbot
  0 siblings, 0 replies; 38+ messages in thread
From: syzbot @ 2025-11-20 14:45 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __hci_cmd_sync_sk

BUG: memory leak
unreferenced object 0xffff888126d95d00 (size 240):
  comm "kworker/u9:1", pid 5136, jiffies 4294947597
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc d70d2c13):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x7d/0x2a0 net/bluetooth/hci_sync.c:170
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:258
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:340
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810c145080 (size 704):
  comm "kworker/u9:1", pid 5136, jiffies 4294947597
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4e765d9f):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    kmalloc_reserve+0xe6/0x180 net/core/skbuff.c:579
    __alloc_skb+0xd4/0x240 net/core/skbuff.c:670
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x7d/0x2a0 net/bluetooth/hci_sync.c:170
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:258
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:340
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff8881095f8b00 (size 240):
  comm "kworker/u9:1", pid 5136, jiffies 4294948345
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 84342eda):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x7d/0x2a0 net/bluetooth/hci_sync.c:170
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:258
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:340
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit:         23cb64fb Merge tag 'soc-fixes-6.18-3' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14d4be0a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=16e8d658580000



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-17 14:24 [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk syzbot
                   ` (7 preceding siblings ...)
  2025-11-20 14:11 ` Edward Adam Davis
@ 2025-11-20 14:54 ` Edward Adam Davis
  2025-11-20 15:27   ` syzbot
  2025-11-21  0:05 ` Edward Adam Davis
                   ` (9 subsequent siblings)
  18 siblings, 1 reply; 38+ messages in thread
From: Edward Adam Davis @ 2025-11-20 14:54 UTC (permalink / raw)
  To: syzbot+f098d64cc684b8dbaf65; +Cc: linux-kernel, syzkaller-bugs

#syz test

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 3418d7b964a1..62469dba9e63 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1466,7 +1466,7 @@ static void hci_cmd_timeout(struct work_struct *work)
 	if (hdev->req_skb) {
 		u16 opcode = hci_skb_opcode(hdev->req_skb);
 
-		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
+		bt_dev_err(hdev, "command 0x%4.4x skb: %p tx timeout", opcode, hdev->req_skb);
 
 		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
 	} else {
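Review bot: the `%p` added to the bt_dev_err format is tracing for this #syz test run and should not survive into a submittable patch; in-kernel `%p` prints a hashed value, which is enough to correlate this line with the "skb: %p" printk lines added in hci_sync.c, but it is not an address a reader can match against the kmemleak "unreferenced object" reports above.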
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..3d9c94a46c62 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -133,6 +133,8 @@ static int hci_req_sync_run(struct hci_request *req)
 		return -ENODATA;
 
 	skb = skb_peek_tail(&req->cmd_q);
+	printk("status: %u, result: %u, skb: %p, %s\n",
+		hdev->req_status, hdev->req_result, skb, __func__);
 	bt_cb(skb)->hci.req_complete_skb = hci_cmd_sync_complete;
 	bt_cb(skb)->hci.req_flags |= HCI_REQ_SKB;
 
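Review bot: the new printk carries no KERN_<level> prefix and bypasses the bt_dev_dbg helper this file already uses (see `bt_dev_dbg(hdev, "end: err %d", err)` in the next hunk), so it fires at the default console level for every synchronous command; that is fine for a one-off #syz test, but it should become bt_dev_dbg with the hdev prefix, or be dropped, before anything is submitted.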
@@ -201,18 +203,30 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	bt_dev_dbg(hdev, "end: err %d", err);
 
+	printk("err: %d, status: %u, result: %u, skb: %p, %s\n",
+		err, hdev->req_status, hdev->req_result, skb, __func__);
 	if (err < 0) {
 		kfree_skb(skb);
-		return ERR_PTR(err);
+
+		goto out;
 	}
 
 	/* If command return a status event skb will be set to NULL as there are
 	 * no parameters.
 	 */
-	if (!skb)
-		return ERR_PTR(-ENODATA);
+	if (!skb) {
+		err = -ENODATA;
+		goto out;
+	}
 
 	return skb;
+
+out:
+	flush_work(&hdev->cmd_work);
+	skb_queue_purge(&hdev->cmd_q);
+
+	return ERR_PTR(err);
+
 }
 EXPORT_SYMBOL(__hci_cmd_sync_sk);
 
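Review bot: the `out:` path purges the whole hdev->cmd_q, which is shared by every caller, so an error in this one request silently discards any unrelated commands still queued; the kmemleak backtraces in this thread show the missing object is the command skb allocated in hci_cmd_sync_add() from __hci_cmd_sync_sk(), so the fix has to release that specific skb (or make sure the completion path consumes it) rather than drain the device queue. The label is also reached on the `!skb` branch, which the comment right above it describes as a command that returned a status event, i.e. one that completed, so purging there is wrong even in principle, and flush_work(&hdev->cmd_work) from inside the sync path can stall on a controller that never answers. Drop the stray blank line between `return ERR_PTR(err);` and the closing brace.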



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-20 14:54 ` Edward Adam Davis
@ 2025-11-20 15:27   ` syzbot
  0 siblings, 0 replies; 38+ messages in thread
From: syzbot @ 2025-11-20 15:27 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __hci_cmd_sync_sk

BUG: memory leak
unreferenced object 0xffff88810c843f00 (size 240):
  comm "kworker/u9:1", pid 5136, jiffies 4294947634
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 9f24a45a):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x7d/0x2a0 net/bluetooth/hci_sync.c:170
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:264
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:346
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888109e3d8c0 (size 704):
  comm "kworker/u9:1", pid 5136, jiffies 4294947634
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4e765d9f):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    kmalloc_reserve+0xe6/0x180 net/core/skbuff.c:579
    __alloc_skb+0xd4/0x240 net/core/skbuff.c:670
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x7d/0x2a0 net/bluetooth/hci_sync.c:170
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:264
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:346
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit:         23cb64fb Merge tag 'soc-fixes-6.18-3' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=177f1a12580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14148c2a580000



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-17 14:24 [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk syzbot
                   ` (8 preceding siblings ...)
  2025-11-20 14:54 ` Edward Adam Davis
@ 2025-11-21  0:05 ` Edward Adam Davis
  2025-11-21  0:34   ` syzbot
  2025-11-21  0:55 ` Edward Adam Davis
                   ` (8 subsequent siblings)
  18 siblings, 1 reply; 38+ messages in thread
From: Edward Adam Davis @ 2025-11-21  0:05 UTC (permalink / raw)
  To: syzbot+f098d64cc684b8dbaf65; +Cc: linux-kernel, syzkaller-bugs

#syz test

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 3418d7b964a1..62469dba9e63 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1466,7 +1466,7 @@ static void hci_cmd_timeout(struct work_struct *work)
 	if (hdev->req_skb) {
 		u16 opcode = hci_skb_opcode(hdev->req_skb);
 
-		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
+		bt_dev_err(hdev, "command 0x%4.4x skb: %p tx timeout", opcode, hdev->req_skb);
 
 		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
 	} else {
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..cfa3e799a212 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -133,6 +133,8 @@ static int hci_req_sync_run(struct hci_request *req)
 		return -ENODATA;
 
 	skb = skb_peek_tail(&req->cmd_q);
+	printk("status: %u, result: %u, skb: %p, %s\n",
+		hdev->req_status, hdev->req_result, skb, __func__);
 	bt_cb(skb)->hci.req_complete_skb = hci_cmd_sync_complete;
 	bt_cb(skb)->hci.req_flags |= HCI_REQ_SKB;
 
@@ -160,6 +162,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 	struct hci_request req;
 	struct sk_buff *skb;
 	int err = 0;
+	unsigned long flags;
 
 	bt_dev_dbg(hdev, "Opcode 0x%4.4x", opcode);
 
@@ -201,18 +204,33 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	bt_dev_dbg(hdev, "end: err %d", err);
 
+	printk("err: %d, status: %u, result: %u, skb: %p, %s\n",
+		err, hdev->req_status, hdev->req_result, skb, __func__);
 	if (err < 0) {
 		kfree_skb(skb);
-		return ERR_PTR(err);
+
+		goto out;
 	}
 
 	/* If command return a status event skb will be set to NULL as there are
 	 * no parameters.
 	 */
-	if (!skb)
-		return ERR_PTR(-ENODATA);
+	if (!skb) {
+		err = -ENODATA;
+		goto out;
+	}
 
 	return skb;
+
+out:
+	spin_lock_irqsave(&hdev->cmd_q.lock, flags);
+	skb = __skb_dequeue_tail(&hdev->cmd_q);
+	spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
+	printk("remove skb: %p, %s\n", skb, __func__);
+	kfree_skb(skb);
+
+	return ERR_PTR(err);
+
 }
 EXPORT_SYMBOL(__hci_cmd_sync_sk);
 
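Review bot: __skb_dequeue_tail(&hdev->cmd_q) takes whatever is last on the device-wide queue, which is this request's command only if nobody else queued one in the meantime; on a busy hdev it frees another caller's command skb while this one still leaks. When the queue is empty the call returns NULL and kfree_skb(NULL) is a no-op, so on the -ENODATA branch (a completed command, per the comment above the `!skb` check) nothing happens at all, and when it is not empty the dequeue is unconditional. A pointer to the exact skb captured when it was queued, with a reference held on it, is what this path needs. The printk with `%p` and the blank line before the closing brace are leftovers to remove.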



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-21  0:05 ` Edward Adam Davis
@ 2025-11-21  0:34   ` syzbot
  0 siblings, 0 replies; 38+ messages in thread
From: syzbot @ 2025-11-21  0:34 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __hci_cmd_sync_sk

BUG: memory leak
unreferenced object 0xffff88811034aa00 (size 240):
  comm "kworker/u9:0", pid 50, jiffies 4294947386
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 56103f7b):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x7d/0x2a0 net/bluetooth/hci_sync.c:171
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:268
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:350
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810905e680 (size 704):
  comm "kworker/u9:0", pid 50, jiffies 4294947386
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4e765d9f):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    kmalloc_reserve+0xe6/0x180 net/core/skbuff.c:579
    __alloc_skb+0xd4/0x240 net/core/skbuff.c:670
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x7d/0x2a0 net/bluetooth/hci_sync.c:171
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:268
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:350
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit:         fd95357f Merge tag 'sched_ext-for-6.18-rc6-fixes-2' of..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=141c7a12580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=177c4484580000



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-17 14:24 [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk syzbot
                   ` (9 preceding siblings ...)
  2025-11-21  0:05 ` Edward Adam Davis
@ 2025-11-21  0:55 ` Edward Adam Davis
  2025-11-21  2:14   ` syzbot
  2025-11-21  0:57 ` Edward Adam Davis
                   ` (7 subsequent siblings)
  18 siblings, 1 reply; 38+ messages in thread
From: Edward Adam Davis @ 2025-11-21  0:55 UTC (permalink / raw)
  To: syzbot+f098d64cc684b8dbaf65; +Cc: linux-kernel, syzkaller-bugs

#syz test

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 3418d7b964a1..62469dba9e63 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1466,7 +1466,7 @@ static void hci_cmd_timeout(struct work_struct *work)
 	if (hdev->req_skb) {
 		u16 opcode = hci_skb_opcode(hdev->req_skb);
 
-		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
+		bt_dev_err(hdev, "command 0x%4.4x skb: %p tx timeout", opcode, hdev->req_skb);
 
 		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
 	} else {
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..cfcc8bde77e2 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -133,6 +133,8 @@ static int hci_req_sync_run(struct hci_request *req)
 		return -ENODATA;
 
 	skb = skb_peek_tail(&req->cmd_q);
+	printk("status: %u, result: %u, skb: %p, %s\n",
+		hdev->req_status, hdev->req_result, skb, __func__);
 	bt_cb(skb)->hci.req_complete_skb = hci_cmd_sync_complete;
 	bt_cb(skb)->hci.req_flags |= HCI_REQ_SKB;
 
@@ -158,8 +160,9 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 				  struct sock *sk)
 {
 	struct hci_request req;
-	struct sk_buff *skb;
+	struct sk_buff *skb, *skb_tail;
 	int err = 0;
+	unsigned long flags;
 
 	bt_dev_dbg(hdev, "Opcode 0x%4.4x", opcode);
 
@@ -169,6 +172,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	hdev->req_status = HCI_REQ_PEND;
 
+	skb_tail = skb_peek_tail(&req.cmd_q);
 	err = hci_req_sync_run(&req);
 	if (err < 0)
 		return ERR_PTR(err);
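Review bot: skb_tail is a raw pointer taken before hci_req_sync_run() hands the request off, and nothing here takes a reference (skb_get()) on it, so by the time the `out:` label calls kfree_skb(skb_tail) the command worker may already have consumed and freed that buffer, turning the leak into a double free or use-after-free. Either hold a reference across the wait, or have the completion path account for the skb instead of freeing it from here by pointer.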
@@ -201,18 +205,35 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	bt_dev_dbg(hdev, "end: err %d", err);
 
+	printk("err: %d, status: %u, result: %u, skb: %p, %s\n",
+		err, hdev->req_status, hdev->req_result, skb, __func__);
 	if (err < 0) {
 		kfree_skb(skb);
-		return ERR_PTR(err);
+		goto out;
 	}
 
 	/* If command return a status event skb will be set to NULL as there are
 	 * no parameters.
 	 */
-	if (!skb)
-		return ERR_PTR(-ENODATA);
+	if (!skb) {
+		err = -ENODATA;
+		goto out;
+	}
 
 	return skb;
+
+out:
+	if (!skb_queue_empty(&hdev->cmd_q)) {
+		spin_lock_irqsave(&hdev->cmd_q.lock, flags);
+		skb = __skb_dequeue_tail(&req.cmd_q);
+		spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
+	} else
+		skb = skb_tail;
+
+	printk("remove skb: %p, %s\n", skb,  __func__);
+	kfree_skb(skb);
+
+	return ERR_PTR(err);
 }
 EXPORT_SYMBOL(__hci_cmd_sync_sk);
 
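Review bot: the queue and the lock do not match in the `out:` block: the empty check is on hdev->cmd_q and the lock taken is hdev->cmd_q.lock, but the dequeue is from req.cmd_q, the stack-local queue that hci_req_sync_run() has already moved onto the device queue, so the protected dequeue returns NULL and kfree_skb(NULL) does nothing (the 0:57 follow-up in this thread switches it to hdev->cmd_q). Even with the right queue, skb_queue_empty() is evaluated before the spinlock is taken, so the choice between dequeuing and freeing skb_tail can be made on a stale result. Coding style: when the `if` branch needs braces the `else` branch gets them too, and the double space in `skb,  __func__` should go.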



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-17 14:24 [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk syzbot
                   ` (10 preceding siblings ...)
  2025-11-21  0:55 ` Edward Adam Davis
@ 2025-11-21  0:57 ` Edward Adam Davis
  2025-11-21  2:32   ` syzbot
  2025-11-21  6:17 ` Edward Adam Davis
                   ` (6 subsequent siblings)
  18 siblings, 1 reply; 38+ messages in thread
From: Edward Adam Davis @ 2025-11-21  0:57 UTC (permalink / raw)
  To: syzbot+f098d64cc684b8dbaf65; +Cc: linux-kernel, syzkaller-bugs

#syz test

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 3418d7b964a1..62469dba9e63 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1466,7 +1466,7 @@ static void hci_cmd_timeout(struct work_struct *work)
 	if (hdev->req_skb) {
 		u16 opcode = hci_skb_opcode(hdev->req_skb);
 
-		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
+		bt_dev_err(hdev, "command 0x%4.4x skb: %p tx timeout", opcode, hdev->req_skb);
 
 		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
 	} else {
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..7fc79b7ee4b9 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -133,6 +133,8 @@ static int hci_req_sync_run(struct hci_request *req)
 		return -ENODATA;
 
 	skb = skb_peek_tail(&req->cmd_q);
+	printk("status: %u, result: %u, skb: %p, %s\n",
+		hdev->req_status, hdev->req_result, skb, __func__);
 	bt_cb(skb)->hci.req_complete_skb = hci_cmd_sync_complete;
 	bt_cb(skb)->hci.req_flags |= HCI_REQ_SKB;
 
@@ -158,8 +160,9 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 				  struct sock *sk)
 {
 	struct hci_request req;
-	struct sk_buff *skb;
+	struct sk_buff *skb, *skb_tail;
 	int err = 0;
+	unsigned long flags;
 
 	bt_dev_dbg(hdev, "Opcode 0x%4.4x", opcode);
 
@@ -169,6 +172,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	hdev->req_status = HCI_REQ_PEND;
 
+	skb_tail = skb_peek_tail(&req.cmd_q);
 	err = hci_req_sync_run(&req);
 	if (err < 0)
 		return ERR_PTR(err);
@@ -201,18 +205,35 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	bt_dev_dbg(hdev, "end: err %d", err);
 
+	printk("err: %d, status: %u, result: %u, skb: %p, %s\n",
+		err, hdev->req_status, hdev->req_result, skb, __func__);
 	if (err < 0) {
 		kfree_skb(skb);
-		return ERR_PTR(err);
+		goto out;
 	}
 
 	/* If command return a status event skb will be set to NULL as there are
 	 * no parameters.
 	 */
-	if (!skb)
-		return ERR_PTR(-ENODATA);
+	if (!skb) {
+		err = -ENODATA;
+		goto out;
+	}
 
 	return skb;
+
+out:
+	if (!skb_queue_empty(&hdev->cmd_q)) {
+		spin_lock_irqsave(&hdev->cmd_q.lock, flags);
+		skb = __skb_dequeue_tail(&hdev->cmd_q);
+		spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
+	} else
+		skb = skb_tail;
+
+	printk("remove skb: %p, %s\n", skb,  __func__);
+	kfree_skb(skb);
+
+	return ERR_PTR(err);
 }
 EXPORT_SYMBOL(__hci_cmd_sync_sk);
 
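Review bot: with the dequeue now on hdev->cmd_q the lock matches the queue, but skb_queue_empty() is still read before the spinlock is taken, so the else branch can be selected on a stale result; move the check under the lock. The else branch then frees skb_tail, a pointer on which no reference is held (see the hunk above where it is captured), so a command the worker has already freed would be freed twice, and when the queue is non-empty the tail that gets freed may belong to another caller rather than to this request. Style: braces on both branches, a single space before `__func__`, and the printk lines are debug-only.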



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-21  0:55 ` Edward Adam Davis
@ 2025-11-21  2:14   ` syzbot
  0 siblings, 0 replies; 38+ messages in thread
From: syzbot @ 2025-11-21  2:14 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

 T963] bridge0: port 1(bridge_slave_0) entered blocking state
[   54.863787][  T963] bridge0: port 1(bridge_slave_0) entered forwarding state
[   54.879703][ T5857] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[   54.890172][ T5857] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   54.902050][  T963] bridge0: port 2(bridge_slave_1) entered blocking state
[   54.909213][  T963] bridge0: port 2(bridge_slave_1) entered forwarding state
[   54.946146][ T5857] 8021q: adding VLAN 0 to HW filter on device batadv0
[   54.961658][ T5857] veth0_vlan: entered promiscuous mode
[   54.969001][ T5857] veth1_vlan: entered promiscuous mode
[   54.980257][ T5857] veth0_macvtap: entered promiscuous mode
[   54.987071][ T5857] veth1_macvtap: entered promiscuous mode
[   54.996621][ T5857] batman_adv: batadv0: Interface activated: batadv_slave_0
[   55.005891][ T5857] batman_adv: batadv0: Interface activated: batadv_slave_1
[   55.014967][   T58] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[   55.023937][   T58] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[   55.033652][  T963] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[   55.042495][  T963] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[   55.073892][  T963] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[   55.079530][ T5133] status: 1, result: 0, skb: ffff8881096d8d00, hci_req_sync_run
[   55.092713][ T5881] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   55.099745][ T5133] err: 0, status: 0, result: 0, skb: ffff8881096d8400, __hci_cmd_sync_sk
[   55.108270][ T5133] status: 1, result: 0, skb: ffff8881096d8400, hci_req_sync_run
[   55.116623][ T5881] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   55.123986][ T5133] err: 0, status: 0, result: 0, skb: ffff88810b665b00, __hci_cmd_sync_sk
[   55.132666][ T5133] status: 1, result: 0, skb: ffff8881096d8400, hci_req_sync_run
[   55.140570][ T5881] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   55.147706][ T5133] err: 0, status: 0, result: 0, skb: ffff8881096d8c00, __hci_cmd_sync_sk
[   55.148040][  T963] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[   55.156450][ T5133] status: 1, result: 0, skb: ffff88810b665600, hci_req_sync_run
[   55.174919][ T5133] err: 0, status: 0, result: 0, skb: ffff8881096d8300, __hci_cmd_sync_sk
[   55.183427][ T5133] status: 1, result: 0, skb: ffff88810b665f00, hci_req_sync_run
[   55.191574][ T5133] err: 0, status: 0, result: 0, skb: ffff8881096d8600, __hci_cmd_sync_sk
[   55.200321][ T5133] status: 1, result: 0, skb: ffff8881096d8600, hci_req_sync_run
[   55.208489][ T5881] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   55.215495][ T5133] err: 0, status: 0, result: 0, skb: ffff8881096d8c00, __hci_cmd_sync_sk
[   55.224042][ T5133] status: 1, result: 0, skb: ffff8881096d8c00, hci_req_sync_run
[   55.224309][  T963] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[   55.242574][ T5133] err: 0, status: 0, result: 0, skb: ffff88810b665b00, __hci_cmd_sync_sk
[   55.251372][ T5133] status: 1, result: 0, skb: ffff88810b665b00, hci_req_sync_run
[   55.259297][ T5881] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   55.266291][ T5133] err: 0, status: 0, result: 0, skb: ffff88810b665600, __hci_cmd_sync_sk
[   55.274851][ T5133] status: 1, result: 0, skb: ffff8881096d8900, hci_req_sync_run
[   55.282869][ T5133] err: 0, status: 0, result: 0, skb: ffff88810b665800, __hci_cmd_sync_sk
[   55.291445][ T5133] status: 1, result: 0, skb: ffff8881096d8400, hci_req_sync_run
[   55.299616][ T5133] err: 0, status: 0, result: 0, skb: ffff88810b665e00, __hci_cmd_sync_sk
[   55.308388][ T5879] status: 1, result: 0, skb: ffff88810b665e00, hci_req_sync_run
[   55.308680][  T963] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[   55.316426][ T5879] err: 0, status: 0, result: 0, skb: ffff88810b665c00, __hci_cmd_sync_sk
[   55.471749][   T31] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   55.482577][   T31] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   55.492949][   T31] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   55.500995][   T31] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
2025/11/21 02:13:12 executed programs: 0
[   58.484071][  T963] bridge_slave_1: left allmulticast mode
[   58.490260][  T963] bridge_slave_1: left promiscuous mode
[   58.495913][  T963] bridge0: port 2(bridge_slave_1) entered disabled state
[   58.503645][  T963] bridge_slave_0: left allmulticast mode
[   58.509735][  T963] bridge_slave_0: left promiscuous mode
[   58.515477][  T963] bridge0: port 1(bridge_slave_0) entered disabled state
[   58.570565][  T963] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[   58.580440][  T963] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[   58.589654][  T963] bond0 (unregistering): Released all slaves
[   58.679635][  T963] hsr_slave_0: left promiscuous mode
[   58.685086][  T963] hsr_slave_1: left promiscuous mode
[   58.690722][  T963] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[   58.698155][  T963] batman_adv: batadv0: Removing interface: batadv_slave_0
[   58.705568][  T963] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[   58.713414][  T963] batman_adv: batadv0: Removing interface: batadv_slave_1
[   58.722265][  T963] veth1_macvtap: left promiscuous mode
[   58.727853][  T963] veth0_macvtap: left promiscuous mode
[   58.733590][  T963] veth1_vlan: left promiscuous mode
[   58.738984][  T963] veth0_vlan: left promiscuous mode
[   58.766479][  T963] team0 (unregistering): Port device team_slave_1 removed
[   58.775081][  T963] team0 (unregistering): Port device team_slave_0 removed
[   61.612519][ T5881] status: 1, result: 0, skb: ffff88810b665300, hci_req_sync_run
[   61.620398][ T5133] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   61.627387][ T5881] err: 0, status: 0, result: 0, skb: ffff88810c2cc400, __hci_cmd_sync_sk
[   61.635853][ T5881] status: 1, result: 0, skb: ffff88810b665100, hci_req_sync_run
[   61.643705][ T5133] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   61.650762][ T5881] err: 0, status: 0, result: 0, skb: ffff88810c2cc400, __hci_cmd_sync_sk
[   61.659428][ T5881] status: 1, result: 0, skb: ffff88810b665000, hci_req_sync_run
[   61.667360][ T5133] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   61.674379][ T5881] err: 0, status: 0, result: 0, skb: ffff88810c2cc600, __hci_cmd_sync_sk
[   61.682854][ T5881] status: 1, result: 0, skb: ffff88810b665900, hci_req_sync_run
[   61.690701][ T5881] err: 0, status: 0, result: 0, skb: ffff88810b665000, __hci_cmd_sync_sk
[   61.699176][ T5881] status: 1, result: 0, skb: ffff88810c2cc300, hci_req_sync_run
[   61.707050][ T5881] err: 0, status: 0, result: 0, skb: ffff88810b665100, __hci_cmd_sync_sk
[   61.715684][ T5881] status: 1, result: 0, skb: ffff88810c2ccf00, hci_req_sync_run
[   61.723809][ T5133] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   61.730976][ T5881] err: 0, status: 0, result: 0, skb: ffff88810b665700, __hci_cmd_sync_sk
[   61.739518][ T5881] status: 1, result: 0, skb: ffff88810b665700, hci_req_sync_run
[   61.747387][ T5881] err: 0, status: 0, result: 0, skb: ffff88810b665c00, __hci_cmd_sync_sk
[   61.756040][ T5881] status: 1, result: 0, skb: ffff88810b665c00, hci_req_sync_run
[   61.763760][ T5133] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   61.770775][ T5881] err: 0, status: 0, result: 0, skb: ffff88810b665300, __hci_cmd_sync_sk
[   61.779318][ T5881] status: 1, result: 0, skb: ffff88810c2cc500, hci_req_sync_run
[   61.787324][ T5881] err: 0, status: 0, result: 0, skb: ffff88810b665500, __hci_cmd_sync_sk
[   61.795790][ T5881] status: 1, result: 0, skb: ffff88810b665500, hci_req_sync_run
[   61.803688][ T5881] err: 0, status: 0, result: 0, skb: ffff88810b665700, __hci_cmd_sync_sk
[   61.812416][ T5984] status: 1, result: 0, skb: ffff88810c2cca00, hci_req_sync_run
[   61.820325][ T5984] err: 0, status: 0, result: 0, skb: ffff88810b665c00, __hci_cmd_sync_sk
[   61.859290][ T5984] chnl_net:caif_netlink_parms(): no params data found
[   61.878670][ T5984] bridge0: port 1(bridge_slave_0) entered blocking state
[   61.885774][ T5984] bridge0: port 1(bridge_slave_0) entered disabled state
[   61.892945][ T5984] bridge_slave_0: entered allmulticast mode
[   61.899197][ T5984] bridge_slave_0: entered promiscuous mode
[   61.905544][ T5984] bridge0: port 2(bridge_slave_1) entered blocking state
[   61.912766][ T5984] bridge0: port 2(bridge_slave_1) entered disabled state
[   61.919996][ T5984] bridge_slave_1: entered allmulticast mode
[   61.926246][ T5984] bridge_slave_1: entered promiscuous mode
[   61.937375][ T5984] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   61.947329][ T5984] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   61.960948][ T5984] team0: Port device team_slave_0 added
[   61.967027][ T5984] team0: Port device team_slave_1 added
[   61.976764][ T5984] batman_adv: batadv0: Adding interface: batadv_slave_0
[   61.983799][ T5984] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[   62.009932][ T5984] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   62.021051][ T5984] batman_adv: batadv0: Adding interface: batadv_slave_1
[   62.028128][ T5984] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[   62.054130][ T5984] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   62.071263][ T5984] hsr_slave_0: entered promiscuous mode
[   62.077016][ T5984] hsr_slave_1: entered promiscuous mode
[   62.271932][ T5984] netdevsim netdevsim0 netdevsim0: renamed from eth0
[   62.280361][ T5984] netdevsim netdevsim0 netdevsim1: renamed from eth1
[   62.288477][ T5984] netdevsim netdevsim0 netdevsim2: renamed from eth2
[   62.296339][ T5984] netdevsim netdevsim0 netdevsim3: renamed from eth3
[   62.311184][ T5984] bridge0: port 2(bridge_slave_1) entered blocking state
[   62.318287][ T5984] bridge0: port 2(bridge_slave_1) entered forwarding state
[   62.325560][ T5984] bridge0: port 1(bridge_slave_0) entered blocking state
[   62.332651][ T5984] bridge0: port 1(bridge_slave_0) entered forwarding state
[   62.355503][ T5984] 8021q: adding VLAN 0 to HW filter on device bond0
[   62.366090][   T31] bridge0: port 1(bridge_slave_0) entered disabled state
[   62.374243][   T31] bridge0: port 2(bridge_slave_1) entered disabled state
[   62.384604][ T5984] 8021q: adding VLAN 0 to HW filter on device team0
[   62.393780][   T31] bridge0: port 1(bridge_slave_0) entered blocking state
[   62.400982][   T31] bridge0: port 1(bridge_slave_0) entered forwarding state
[   62.418689][   T31] bridge0: port 2(bridge_slave_1) entered blocking state
[   62.425883][   T31] bridge0: port 2(bridge_slave_1) entered forwarding state
[   62.480242][ T5984] 8021q: adding VLAN 0 to HW filter on device batadv0
[   62.500226][ T5984] veth0_vlan: entered promiscuous mode
[   62.508283][ T5984] veth1_vlan: entered promiscuous mode
[   62.522303][ T5984] veth0_macvtap: entered promiscuous mode
[   62.529936][ T5984] veth1_macvtap: entered promiscuous mode
[   62.540982][ T5984] batman_adv: batadv0: Interface activated: batadv_slave_0
[   62.551573][ T5984] batman_adv: batadv0: Interface activated: batadv_slave_1
[   62.561530][   T58] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[   62.570414][   T58] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[   62.579387][   T58] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[   62.588536][  T963] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[   62.615632][   T58] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[   62.628006][   T58] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   62.640413][  T963] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   62.649321][  T963] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50


syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3389552490=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at 07e030dea
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=07e030dea6e6d9ca88b75bb3be2810f47083b328 -X github.com/google/syzkaller/prog.gitRevisionDate=20251112-115923"  ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=07e030dea6e6d9ca88b75bb3be2810f47083b328 -X github.com/google/syzkaller/prog.gitRevisionDate=20251112-115923"  ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=07e030dea6e6d9ca88b75bb3be2810f47083b328 -X github.com/google/syzkaller/prog.gitRevisionDate=20251112-115923"  -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"07e030dea6e6d9ca88b75bb3be2810f47083b328\"
/usr/bin/ld: /tmp/ccx4Jar1.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=10758c2a580000


Tested on:

commit:         fd95357f Merge tag 'sched_ext-for-6.18-rc6-fixes-2' of..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1623f692580000


^ permalink raw reply	[flat|nested] 38+ messages in thread

* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-21  0:57 ` Edward Adam Davis
@ 2025-11-21  2:32   ` syzbot
  0 siblings, 0 replies; 38+ messages in thread
From: syzbot @ 2025-11-21  2:32 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+f098d64cc684b8dbaf65@syzkaller.appspotmail.com
Tested-by: syzbot+f098d64cc684b8dbaf65@syzkaller.appspotmail.com

Tested on:

commit:         fd95357f Merge tag 'sched_ext-for-6.18-rc6-fixes-2' of..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1425d658580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1485be0a580000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-17 14:24 [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk syzbot
                   ` (11 preceding siblings ...)
  2025-11-21  0:57 ` Edward Adam Davis
@ 2025-11-21  6:17 ` Edward Adam Davis
  2025-11-21  8:08   ` syzbot
  2025-11-21  9:06 ` Edward Adam Davis
                   ` (5 subsequent siblings)
  18 siblings, 1 reply; 38+ messages in thread
From: Edward Adam Davis @ 2025-11-21  6:17 UTC (permalink / raw)
  To: syzbot+f098d64cc684b8dbaf65; +Cc: linux-kernel, syzkaller-bugs

#syz test

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 3418d7b964a1..34887a154700 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1466,7 +1466,7 @@ static void hci_cmd_timeout(struct work_struct *work)
 	if (hdev->req_skb) {
 		u16 opcode = hci_skb_opcode(hdev->req_skb);
 
-		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
+		bt_dev_err(hdev, "command 0x%4.4x skb: %p tx timeout hdev: %p", opcode, hdev->req_skb, hdev);
 
 		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
 	} else {
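Review bot: the extra `skb: %p` and `hdev: %p` in the bt_dev_err() format are debugging output and should be dropped before a final fix; if they stay for the test run, keep in mind that `%p` is hashed on a stock kernel, so the printed values only line up with kmemleak's `unreferenced object 0x...` addresses on a kernel that prints raw pointers (the `skb: ffff8881...` values in syzbot's later console output on this thread show that is the case for the test machine).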
@@ -4162,7 +4162,11 @@ static void hci_cmd_work(struct work_struct *work)
 
 	/* Send queued commands */
 	if (atomic_read(&hdev->cmd_cnt)) {
+		unsigned long flags;
+
+		spin_lock_irqsave(&hdev->cmd_q.lock, flags);
 		skb = skb_dequeue(&hdev->cmd_q);
+		spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
 		if (!skb)
 			return;
 
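Review bot: taking `hdev->cmd_q.lock` with spin_lock_irqsave() and then calling skb_dequeue() on the same queue self-deadlocks, because skb_dequeue() is the locking variant and acquires `cmd_q.lock` internally; a non-recursive spinlock re-taken by its holder never returns, which matches the "no output from test machine" result syzbot reported for this patch. Either keep the original unlocked `skb = skb_dequeue(&hdev->cmd_q);` and drop the three added lock lines, or call `__skb_dequeue()` inside the lock, as the `out:` hunk in hci_sync.c below already does with `__skb_dequeue_tail()`.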
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..c16ab9089b5b 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -133,6 +133,8 @@ static int hci_req_sync_run(struct hci_request *req)
 		return -ENODATA;
 
 	skb = skb_peek_tail(&req->cmd_q);
+	printk("status: %u, result: %u, skb: %p, %s\n",
+		hdev->req_status, hdev->req_result, skb, __func__);
 	bt_cb(skb)->hci.req_complete_skb = hci_cmd_sync_complete;
 	bt_cb(skb)->hci.req_flags |= HCI_REQ_SKB;
 
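Review bot: the added printk() has no KERN_* level and no device prefix, so its lines are not tied to the hci device the way the surrounding bt_dev_dbg()/bt_dev_err() output is; use `bt_dev_info(hdev, ...)` for a test patch and remove it before a final version. Printing `hdev->req_status` and `hdev->req_result` at this point, before the request has been handed to the command queue, also only shows the values set a few lines earlier (the test output confirms `status: 1, result: 0`), so it adds little.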
@@ -158,8 +160,9 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 				  struct sock *sk)
 {
 	struct hci_request req;
-	struct sk_buff *skb;
+	struct sk_buff *skb, *skb_tail;
 	int err = 0;
+	unsigned long flags;
 
 	bt_dev_dbg(hdev, "Opcode 0x%4.4x", opcode);
 
@@ -169,6 +172,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	hdev->req_status = HCI_REQ_PEND;
 
+	skb_tail = skb_peek_tail(&req.cmd_q);
 	err = hci_req_sync_run(&req);
 	if (err < 0)
 		return ERR_PTR(err);
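Review bot: `skb_tail = skb_peek_tail(&req.cmd_q)` keeps a bare pointer to the command skb with no reference taken (no skb_get()); once hci_req_sync_run() has spliced `req.cmd_q` onto `hdev->cmd_q` the skb belongs to hci_cmd_work() and, after hci_send_frame(), to the driver, so by the time the `out:` label later in this function uses `skb_tail` the memory may already have been freed. If the skb must be found again after a failure, take a reference before the handoff and release it on every exit path, or locate it on the queue instead of caching the pointer.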
@@ -201,18 +205,36 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	bt_dev_dbg(hdev, "end: err %d", err);
 
+	printk("err: %d, status: %u, result: %u, skb: %p, hdev: %p, %s\n",
+		err, hdev->req_status, hdev->req_result, skb, hdev, __func__);
 	if (err < 0) {
 		kfree_skb(skb);
-		return ERR_PTR(err);
+		goto out;
 	}
 
 	/* If command return a status event skb will be set to NULL as there are
 	 * no parameters.
 	 */
-	if (!skb)
-		return ERR_PTR(-ENODATA);
+	if (!skb) {
+		err = -ENODATA;
+		goto out;
+	}
 
 	return skb;
+
+out:
+	if (!skb_queue_empty(&hdev->cmd_q)) {
+		spin_lock_irqsave(&hdev->cmd_q.lock, flags);
+		skb = __skb_dequeue_tail(&hdev->cmd_q);
+		spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
+		skb_tail = NULL;
+	} else
+		skb = skb_tail;
+
+	printk("remove skb: %p, tskb: %p, hdev: %p, %s\n", skb, skb_tail, hdev, __func__);
+	kfree_skb(skb);
+
+	return ERR_PTR(err);
 }
 EXPORT_SYMBOL(__hci_cmd_sync_sk);
 
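Review bot: the `out:` path frees an skb the function does not necessarily own. In the non-empty branch `__skb_dequeue_tail()` removes whatever is last on `hdev->cmd_q`, which can be a command queued by another caller rather than this request's; in the empty branch it frees `skb_tail`, which was cached without a reference before the skb was handed to the command queue and may already have been consumed and freed by the driver, so this trades a leak for a possible double free. Match the queued skb against the one this request built (holding a reference while doing so) instead of freeing the tail unconditionally. Two smaller points: `} else` without braces after a braced `if` is against the kernel coding style, and the bare printk() should be a bt_dev_dbg() or be removed.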



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-21  6:17 ` Edward Adam Davis
@ 2025-11-21  8:08   ` syzbot
  0 siblings, 0 replies; 38+ messages in thread
From: syzbot @ 2025-11-21  8:08 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

no output from test machine



Warning: Permanently added '10.128.0.161' (ED25519) to the list of known hosts.
2025/11/21 08:02:08 parsed 1 programs
[   45.306274][ T5813] cgroup: Unknown subsys name 'net'
[   45.467142][ T5813] cgroup: Unknown subsys name 'cpuset'
[   45.473545][ T5813] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   53.932725][ T5813] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   55.379423][ T5825] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[   55.449909][ T5134] status: 1, result: 0, skb: ffff88810c4f6a00, hci_req_sync_run
[   57.505885][ T5134] err: -110, status: 0, result: 0, skb: 0000000000000000, hdev: ffff88810dac6000, __hci_cmd_sync_sk


syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3711822464=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at 07e030dea
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=07e030dea6e6d9ca88b75bb3be2810f47083b328 -X github.com/google/syzkaller/prog.gitRevisionDate=20251112-115923"  ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=07e030dea6e6d9ca88b75bb3be2810f47083b328 -X github.com/google/syzkaller/prog.gitRevisionDate=20251112-115923"  ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=07e030dea6e6d9ca88b75bb3be2810f47083b328 -X github.com/google/syzkaller/prog.gitRevisionDate=20251112-115923"  -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"07e030dea6e6d9ca88b75bb3be2810f47083b328\"
/usr/bin/ld: /tmp/ccYeCkBk.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null



Tested on:

commit:         fd95357f Merge tag 'sched_ext-for-6.18-rc6-fixes-2' of..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17b3d658580000



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-17 14:24 [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk syzbot
                   ` (12 preceding siblings ...)
  2025-11-21  6:17 ` Edward Adam Davis
@ 2025-11-21  9:06 ` Edward Adam Davis
  2025-11-21 14:36   ` syzbot
  2025-11-22  7:09 ` Edward Adam Davis
                   ` (4 subsequent siblings)
  18 siblings, 1 reply; 38+ messages in thread
From: Edward Adam Davis @ 2025-11-21  9:06 UTC (permalink / raw)
  To: syzbot+f098d64cc684b8dbaf65; +Cc: linux-kernel, syzkaller-bugs

#syz test

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 3418d7b964a1..34887a154700 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1466,7 +1466,7 @@ static void hci_cmd_timeout(struct work_struct *work)
 	if (hdev->req_skb) {
 		u16 opcode = hci_skb_opcode(hdev->req_skb);
 
-		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
+		bt_dev_err(hdev, "command 0x%4.4x skb: %p tx timeout hdev: %p", opcode, hdev->req_skb, hdev);
 
 		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
 	} else {
@@ -4162,7 +4162,11 @@ static void hci_cmd_work(struct work_struct *work)
 
 	/* Send queued commands */
 	if (atomic_read(&hdev->cmd_cnt)) {
+		unsigned long flags;
+
+		spin_lock_irqsave(&hdev->cmd_q.lock, flags);
 		skb = skb_dequeue(&hdev->cmd_q);
+		spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
 		if (!skb)
 			return;
 
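Review bot: this hunk is identical to the one submitted at 06:17 and still wraps skb_dequeue() in spin_lock_irqsave() on `hdev->cmd_q.lock`, the lock skb_dequeue() takes itself; the resulting self-deadlock is the likely reason both test runs ended with "no output from test machine". Keep the original unlocked `skb = skb_dequeue(&hdev->cmd_q);`, or use `__skb_dequeue()` under the lock.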
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..c16ab9089b5b 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -133,6 +133,8 @@ static int hci_req_sync_run(struct hci_request *req)
 		return -ENODATA;
 
 	skb = skb_peek_tail(&req->cmd_q);
+	printk("status: %u, result: %u, skb: %p, %s\n",
+		hdev->req_status, hdev->req_result, skb, __func__);
 	bt_cb(skb)->hci.req_complete_skb = hci_cmd_sync_complete;
 	bt_cb(skb)->hci.req_flags |= HCI_REQ_SKB;
 
@@ -158,8 +160,9 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 				  struct sock *sk)
 {
 	struct hci_request req;
-	struct sk_buff *skb;
+	struct sk_buff *skb, *skb_tail;
 	int err = 0;
+	unsigned long flags;
 
 	bt_dev_dbg(hdev, "Opcode 0x%4.4x", opcode);
 
@@ -169,6 +172,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	hdev->req_status = HCI_REQ_PEND;
 
+	skb_tail = skb_peek_tail(&req.cmd_q);
 	err = hci_req_sync_run(&req);
 	if (err < 0)
 		return ERR_PTR(err);
@@ -201,18 +205,36 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	bt_dev_dbg(hdev, "end: err %d", err);
 
+	printk("err: %d, status: %u, result: %u, skb: %p, hdev: %p, %s\n",
+		err, hdev->req_status, hdev->req_result, skb, hdev, __func__);
 	if (err < 0) {
 		kfree_skb(skb);
-		return ERR_PTR(err);
+		goto out;
 	}
 
 	/* If command return a status event skb will be set to NULL as there are
 	 * no parameters.
 	 */
-	if (!skb)
-		return ERR_PTR(-ENODATA);
+	if (!skb) {
+		err = -ENODATA;
+		goto out;
+	}
 
 	return skb;
+
+out:
+	if (!skb_queue_empty(&hdev->cmd_q)) {
+		spin_lock_irqsave(&hdev->cmd_q.lock, flags);
+		skb = __skb_dequeue_tail(&hdev->cmd_q);
+		spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
+		skb_tail = NULL;
+	} else
+		skb = skb_tail;
+
+	printk("remove skb: %p, tskb: %p, hdev: %p, %s\n", skb, skb_tail, hdev, __func__);
+	kfree_skb(skb);
+
+	return ERR_PTR(err);
 }
 EXPORT_SYMBOL(__hci_cmd_sync_sk);
 
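Review bot: unchanged from the earlier submission, the `out:` path still frees either the tail of `hdev->cmd_q`, which need not be this request's command, or the unreferenced `skb_tail` pointer cached before the handoff, which may already have been freed by the driver; neither establishes that the skb being freed is the one that leaked. The braceless `} else` after a braced `if` and the bare printk() also still need cleaning up.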



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-21  9:06 ` Edward Adam Davis
@ 2025-11-21 14:36   ` syzbot
  0 siblings, 0 replies; 38+ messages in thread
From: syzbot @ 2025-11-21 14:36 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

no output from test machine



Warning: Permanently added '10.128.1.191' (ED25519) to the list of known hosts.
2025/11/21 14:30:15 parsed 1 programs
[   43.487666][ T5813] cgroup: Unknown subsys name 'net'
[   43.613650][ T5813] cgroup: Unknown subsys name 'cpuset'
[   43.619980][ T5813] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   51.571131][ T5813] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   52.853944][ T5833] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[   52.930032][ T5135] status: 1, result: 0, skb: ffff88810139c900, hci_req_sync_run
[   55.032580][ T5135] err: -110, status: 0, result: 0, skb: 0000000000000000, hdev: ffff888111b34000, __hci_cmd_sync_sk


syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1251597850=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at 07e030dea
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=07e030dea6e6d9ca88b75bb3be2810f47083b328 -X github.com/google/syzkaller/prog.gitRevisionDate=20251112-115923"  ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=07e030dea6e6d9ca88b75bb3be2810f47083b328 -X github.com/google/syzkaller/prog.gitRevisionDate=20251112-115923"  ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=07e030dea6e6d9ca88b75bb3be2810f47083b328 -X github.com/google/syzkaller/prog.gitRevisionDate=20251112-115923"  -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"07e030dea6e6d9ca88b75bb3be2810f47083b328\"
/usr/bin/ld: /tmp/ccwV2Y1O.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null



Tested on:

commit:         fd95357f Merge tag 'sched_ext-for-6.18-rc6-fixes-2' of..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=108fd658580000



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-17 14:24 [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk syzbot
                   ` (13 preceding siblings ...)
  2025-11-21  9:06 ` Edward Adam Davis
@ 2025-11-22  7:09 ` Edward Adam Davis
  2025-11-22 10:23   ` syzbot
  2025-11-22 14:14 ` Edward Adam Davis
                   ` (3 subsequent siblings)
  18 siblings, 1 reply; 38+ messages in thread
From: Edward Adam Davis @ 2025-11-22  7:09 UTC (permalink / raw)
  To: syzbot+f098d64cc684b8dbaf65; +Cc: linux-kernel, syzkaller-bugs

#syz test

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 3418d7b964a1..187dda1e5950 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1466,7 +1466,7 @@ static void hci_cmd_timeout(struct work_struct *work)
 	if (hdev->req_skb) {
 		u16 opcode = hci_skb_opcode(hdev->req_skb);
 
-		bt_dev_err(hdev, "command 0x%4.4x tx timeout", opcode);
+		bt_dev_err(hdev, "command 0x%4.4x skb: %p tx timeout hdev: %p", opcode, hdev->req_skb, hdev);
 
 		hci_cmd_sync_cancel_sync(hdev, ETIMEDOUT);
 	} else {
@@ -4138,6 +4138,7 @@ static void hci_send_cmd_sync(struct hci_dev *hdev, struct sk_buff *skb)
 
 	if (hci_skb_opcode(skb) != HCI_OP_NOP) {
 		err = hci_send_frame(hdev, skb);
+		printk("err: %d, skb: %p, %s\n", err, skb, __func__);
 		if (err < 0) {
 			hci_cmd_sync_cancel_sync(hdev, -err);
 			return;
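Review bot: the printk() placed after hci_send_frame() prints `skb` by value only, which is safe, but the skb has already been handed to the driver at that point and must not be dereferenced here; the line has no KERN_* level and should become a bt_dev_dbg() or be removed before a final fix.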
@@ -4163,6 +4164,7 @@ static void hci_cmd_work(struct work_struct *work)
 	/* Send queued commands */
 	if (atomic_read(&hdev->cmd_cnt)) {
 		skb = skb_dequeue(&hdev->cmd_q);
+		printk("dequeue skb:%p, hdev: %p, %s\n", skb, hdev, __func__);
 		if (!skb)
 			return;
 
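Review bot: dropping the extra spin_lock_irqsave() around skb_dequeue() that the earlier submission added is the right call, since skb_dequeue() locks `cmd_q.lock` itself; the remaining printk() should carry a level or be a bt_dev_dbg(), and should not survive into a final patch.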
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..4bf39cd402be 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -158,8 +158,9 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 				  struct sock *sk)
 {
 	struct hci_request req;
-	struct sk_buff *skb;
+	struct sk_buff *skb, *new_skb;
 	int err = 0;
+	unsigned long flags;
 
 	bt_dev_dbg(hdev, "Opcode 0x%4.4x", opcode);
 
@@ -169,6 +170,7 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	hdev->req_status = HCI_REQ_PEND;
 
+	new_skb = skb_peek_tail(&req.cmd_q);
 	err = hci_req_sync_run(&req);
 	if (err < 0)
 		return ERR_PTR(err);
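Review bot: `new_skb = skb_peek_tail(&req.cmd_q)` is a bare pointer with no reference held; after hci_req_sync_run() hands the queue to `hdev->cmd_q` the skb is owned by hci_cmd_work() and then the driver, so using `new_skb` at the `out:` label later in this function can touch freed memory. Take a reference before the handoff if the skb needs to be revisited on failure.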
@@ -203,16 +205,33 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 
 	if (err < 0) {
 		kfree_skb(skb);
-		return ERR_PTR(err);
+		goto out;
 	}
 
 	/* If command return a status event skb will be set to NULL as there are
 	 * no parameters.
 	 */
-	if (!skb)
-		return ERR_PTR(-ENODATA);
+	if (!skb) {
+		err = -ENODATA;
+		goto out;
+	}
 
 	return skb;
+
+out:
+	if (!skb_queue_empty(&hdev->cmd_q)) {
+		spin_lock_irqsave(&hdev->cmd_q.lock, flags);
+		skb = __skb_dequeue_tail(&hdev->cmd_q);
+		spin_unlock_irqrestore(&hdev->cmd_q.lock, flags);
+	} else {
+		printk("!!!!!!!!! skb: %p, nskb: %p, %s\n", skb, new_skb, __func__);
+		skb = new_skb;
+	}
+
+	printk(">>>>> remove skb: %p, tskb: %p, hdev: %p, %s\n", skb, new_skb, hdev, __func__);
+	kfree_skb(skb);
+
+	return ERR_PTR(err);
 }
 EXPORT_SYMBOL(__hci_cmd_sync_sk);
 
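Review bot: the `out:` path still frees an skb without establishing that it is this request's: the non-empty branch removes and frees whatever is at the tail of `hdev->cmd_q`, and the empty branch frees `new_skb`, a pointer cached with no reference before the skb was handed to hci_cmd_work() and the driver. syzbot's clean run shows the kmemleak report goes away with this patch, which is consistent with the leaked skb still sitting on `hdev->cmd_q` when the request fails, but it does not show that the dequeued tail was this request's skb, and the empty branch remains a double-free risk. A fix should unlink the specific skb this request queued (holding a reference from hci_cmd_sync_add() until completion) rather than the queue tail. The `!!!!!!!!!` and `>>>>>` printk() markers must go before a final version.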



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-22  7:09 ` Edward Adam Davis
@ 2025-11-22 10:23   ` syzbot
  0 siblings, 0 replies; 38+ messages in thread
From: syzbot @ 2025-11-22 10:23 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+f098d64cc684b8dbaf65@syzkaller.appspotmail.com
Tested-by: syzbot+f098d64cc684b8dbaf65@syzkaller.appspotmail.com

Tested on:

commit:         2eba5e05 Merge tag 'loongarch-fixes-6.18-2' of git://g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=150bd97c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=145faa12580000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-17 14:24 [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk syzbot
                   ` (14 preceding siblings ...)
  2025-11-22  7:09 ` Edward Adam Davis
@ 2025-11-22 14:14 ` Edward Adam Davis
  2025-11-22 14:39   ` syzbot
  2025-11-23 14:05 ` Edward Adam Davis
                   ` (2 subsequent siblings)
  18 siblings, 1 reply; 38+ messages in thread
From: Edward Adam Davis @ 2025-11-22 14:14 UTC (permalink / raw)
  To: syzbot+f098d64cc684b8dbaf65; +Cc: linux-kernel, syzkaller-bugs

#syz test




* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-22 14:14 ` Edward Adam Davis
@ 2025-11-22 14:39   ` syzbot
  0 siblings, 0 replies; 38+ messages in thread
From: syzbot @ 2025-11-22 14:39 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __hci_cmd_sync_sk

BUG: memory leak
unreferenced object 0xffff8881226e0100 (size 240):
  comm "kworker/u9:1", pid 5136, jiffies 4294947304
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc f9cb4e51):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:250
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:332
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810d21f440 (size 704):
  comm "kworker/u9:1", pid 5136, jiffies 4294947304
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4e765d9f):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    kmalloc_reserve+0xe6/0x180 net/core/skbuff.c:579
    __alloc_skb+0xd4/0x240 net/core/skbuff.c:670
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x84/0x290 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:250
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:332
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit:         2eba5e05 Merge tag 'loongarch-fixes-6.18-2' of git://g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14080612580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.

^ permalink raw reply	[flat|nested] 38+ messages in thread

* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-17 14:24 [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk syzbot
                   ` (15 preceding siblings ...)
  2025-11-22 14:14 ` Edward Adam Davis
@ 2025-11-23 14:05 ` Edward Adam Davis
  2025-11-23 15:23   ` syzbot
  2025-11-23 14:33 ` Edward Adam Davis
  2025-11-23 15:08 ` Edward Adam Davis
  18 siblings, 1 reply; 38+ messages in thread
From: Edward Adam Davis @ 2025-11-23 14:05 UTC (permalink / raw)
  To: syzbot+f098d64cc684b8dbaf65; +Cc: linux-kernel, syzkaller-bugs

#syz test

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..4db9360732c5 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -172,7 +172,9 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 	err = hci_req_sync_run(&req);
 	if (err < 0)
 		return ERR_PTR(err);
+	skb = skb_peek_tail(&req.cmd_q);
 
+retry:
 	err = wait_event_interruptible_timeout(hdev->req_wait_q,
 					       hdev->req_status != HCI_REQ_PEND,
 					       timeout);
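Review bot: `skb = skb_peek_tail(&req.cmd_q)` is read only after `hci_req_sync_run(&req)` has already submitted the request's queue, so it needs confirming that `req.cmd_q` still references the last command skb at that point; if the run hands the queue off or empties it, `skb` is NULL or stale and the later `hdev->req_skb != skb` comparison can never match. Capturing the tail before the run (or taking the pointer from `hci_cmd_sync_add()`, where the skb is created) would make the handle reliable.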
@@ -186,6 +188,11 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 		break;
 
 	case HCI_REQ_CANCELED:
+		if (hdev->req_skb != skb) {
+			atomic_set(&hdev->cmd_cnt, 1);
+			queue_work(hdev->workqueue, &hdev->cmd_work);
+			goto retry;
+		}
 		err = -hdev->req_result;
 		break;
 
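Review bot: the `goto retry` re-enters `wait_event_interruptible_timeout()` without resetting `hdev->req_status`, so the wait condition `hdev->req_status != HCI_REQ_PEND` is already true, the wait returns at once and the loop spins without sleeping until `hdev->req_skb == skb`. There is also no iteration bound, and `timeout` is reused in full on every pass, so the caller's timeout no longer bounds the call. Consider resetting the status before retrying and capping the number of retries; the unconditional `atomic_set(&hdev->cmd_cnt, 1)` also overrides the command credit regardless of what the controller last reported, which is worth a comment if it is intentional.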
diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index 2fef08254d78..2e12615f539e 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -75,6 +75,10 @@ static int vhci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
 {
 	struct vhci_data *data = hci_get_drvdata(hdev);
 
+	printk("skb: %p refcnt: %u,  data inited: %d, %s\n",
+		skb, refcount_read(&skb->users),
+		atomic_read(&data->initialized),
+		__func__);
 	memcpy(skb_push(skb, 1), &hci_skb_pkt_type(skb), 1);
 
 	skb_queue_tail(&data->readq, skb);
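Review bot: the added `printk()` has no log level and is debug instrumentation rather than part of the fix; it is fine for a `#syz test` run but should be dropped, or turned into `bt_dev_dbg(hdev, ...)`, before anything is sent for review. Printing `__func__` by hand is also redundant with what the `bt_dev_*` helpers already prefix.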
@@ -587,6 +591,8 @@ static ssize_t vhci_read(struct file *file,
 		skb = skb_dequeue(&data->readq);
 		if (skb) {
 			ret = vhci_put_user(data, skb, buf, count);
+			printk("skb: %p refcnt: %u len: %u, data: %p, ret: %ld, count: %lu, %s\n",
+				skb, refcount_read(&skb->users), skb->len, skb->data, ret, count, __func__);
 			if (ret < 0)
 				skb_queue_head(&data->readq, skb);
 			else
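Review bot: `%ld` for `ret` and `%lu` for `count` will be flagged by checkpatch if those are `ssize_t`/`size_t`, the usual types for a read callback; kernel style is `%zd`/`%zu`, which is also portable to 32-bit builds. Since the print dereferences `skb` after `vhci_put_user()`, placing it before that call would avoid any dependence on whether the helper consumes the skb.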



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-17 14:24 [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk syzbot
                   ` (16 preceding siblings ...)
  2025-11-23 14:05 ` Edward Adam Davis
@ 2025-11-23 14:33 ` Edward Adam Davis
  2025-11-23 16:09   ` syzbot
  2025-11-23 15:08 ` Edward Adam Davis
  18 siblings, 1 reply; 38+ messages in thread
From: Edward Adam Davis @ 2025-11-23 14:33 UTC (permalink / raw)
  To: syzbot+f098d64cc684b8dbaf65; +Cc: linux-kernel, syzkaller-bugs

#syz test

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..f3898f8b007e 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -173,6 +173,8 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 	if (err < 0)
 		return ERR_PTR(err);
 
+	skb = skb_peek_tail(&req.cmd_q);
+retry:
 	err = wait_event_interruptible_timeout(hdev->req_wait_q,
 					       hdev->req_status != HCI_REQ_PEND,
 					       timeout);
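Review bot: as in the previous test patch, the tail of `req.cmd_q` is read only after `hci_req_sync_run(&req)` has submitted it; capture the pointer before the run, or otherwise guarantee that the run leaves `req.cmd_q` untouched, so that `skb` is a dependable handle for the later comparison.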
@@ -186,6 +188,11 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 		break;
 
 	case HCI_REQ_CANCELED:
+		if (!skb_queue_empty(&hdev->cmd_q) && hdev->req_skb != skb) {
+			atomic_set(&hdev->cmd_cnt, 1);
+			queue_work(hdev->workqueue, &hdev->cmd_work);
+			goto retry;
+		}
 		err = -hdev->req_result;
 		break;
 
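Review bot: the new `!skb_queue_empty(&hdev->cmd_q)` guard narrows when the retry fires, but the retry still jumps back to the wait with `hdev->req_status` left at `HCI_REQ_CANCELED`, so the wait returns immediately and the loop busy-spins. The queue check also reads `hdev->cmd_q` without the queue lock, so the queue can become empty between the test and `queue_work()`; if the guard is meant to be authoritative, take `hdev->cmd_q.lock` around it.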
diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index 2fef08254d78..2e12615f539e 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -75,6 +75,10 @@ static int vhci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
 {
 	struct vhci_data *data = hci_get_drvdata(hdev);
 
+	printk("skb: %p refcnt: %u,  data inited: %d, %s\n",
+		skb, refcount_read(&skb->users),
+		atomic_read(&data->initialized),
+		__func__);
 	memcpy(skb_push(skb, 1), &hci_skb_pkt_type(skb), 1);
 
 	skb_queue_tail(&data->readq, skb);
@@ -587,6 +591,8 @@ static ssize_t vhci_read(struct file *file,
 		skb = skb_dequeue(&data->readq);
 		if (skb) {
 			ret = vhci_put_user(data, skb, buf, count);
+			printk("skb: %p refcnt: %u len: %u, data: %p, ret: %ld, count: %lu, %s\n",
+				skb, refcount_read(&skb->users), skb->len, skb->data, ret, count, __func__);
 			if (ret < 0)
 				skb_queue_head(&data->readq, skb);
 			else



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-17 14:24 [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk syzbot
                   ` (17 preceding siblings ...)
  2025-11-23 14:33 ` Edward Adam Davis
@ 2025-11-23 15:08 ` Edward Adam Davis
  2025-11-23 16:30   ` syzbot
  18 siblings, 1 reply; 38+ messages in thread
From: Edward Adam Davis @ 2025-11-23 15:08 UTC (permalink / raw)
  To: syzbot+f098d64cc684b8dbaf65; +Cc: linux-kernel, syzkaller-bugs

#syz test

diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6e76798ec786..1fce1a8c79ee 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -173,6 +173,8 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 	if (err < 0)
 		return ERR_PTR(err);
 
+	skb = skb_peek_tail(&req.cmd_q);
+retry:
 	err = wait_event_interruptible_timeout(hdev->req_wait_q,
 					       hdev->req_status != HCI_REQ_PEND,
 					       timeout);
@@ -186,6 +188,12 @@ struct sk_buff *__hci_cmd_sync_sk(struct hci_dev *hdev, u16 opcode, u32 plen,
 		break;
 
 	case HCI_REQ_CANCELED:
+		if (!skb_queue_empty(&hdev->cmd_q) && hdev->req_skb != skb) {
+			hdev->req_status = HCI_REQ_PEND;
+			atomic_set(&hdev->cmd_cnt, 1);
+			queue_work(hdev->workqueue, &hdev->cmd_work);
+			goto retry;
+		}
 		err = -hdev->req_result;
 		break;
 
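Review bot: `hdev->req_status = HCI_REQ_PEND` is stored here without any lock while the completion path that sets the final status runs from the command workqueue, so a completion landing between this store and the re-entered wait is overwritten back to pending and the wait then runs for the full `timeout` again. Syzbot still reports the leaked skbs with this version, and both backtraces end at `hci_cmd_sync_add()` (hci_sync.c:99) populating `req.cmd_q`; the open question for review is therefore what frees those queued command skbs when the request is cancelled before they are dequeued, which a retry in the waiter cannot answer.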
diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index 2fef08254d78..2e12615f539e 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -75,6 +75,10 @@ static int vhci_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
 {
 	struct vhci_data *data = hci_get_drvdata(hdev);
 
+	printk("skb: %p refcnt: %u,  data inited: %d, %s\n",
+		skb, refcount_read(&skb->users),
+		atomic_read(&data->initialized),
+		__func__);
 	memcpy(skb_push(skb, 1), &hci_skb_pkt_type(skb), 1);
 
 	skb_queue_tail(&data->readq, skb);
@@ -587,6 +591,8 @@ static ssize_t vhci_read(struct file *file,
 		skb = skb_dequeue(&data->readq);
 		if (skb) {
 			ret = vhci_put_user(data, skb, buf, count);
+			printk("skb: %p refcnt: %u len: %u, data: %p, ret: %ld, count: %lu, %s\n",
+				skb, refcount_read(&skb->users), skb->len, skb->data, ret, count, __func__);
 			if (ret < 0)
 				skb_queue_head(&data->readq, skb);
 			else



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-23 14:05 ` Edward Adam Davis
@ 2025-11-23 15:23   ` syzbot
  0 siblings, 0 replies; 38+ messages in thread
From: syzbot @ 2025-11-23 15:23 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+f098d64cc684b8dbaf65@syzkaller.appspotmail.com
Tested-by: syzbot+f098d64cc684b8dbaf65@syzkaller.appspotmail.com

Tested on:

commit:         d13f3ac6 Merge tag 'mips-fixes_6.18_1' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=168cd8b4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11a6b97c580000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-23 14:33 ` Edward Adam Davis
@ 2025-11-23 16:09   ` syzbot
  0 siblings, 0 replies; 38+ messages in thread
From: syzbot @ 2025-11-23 16:09 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __hci_cmd_sync_sk

BUG: memory leak
unreferenced object 0xffff88810d55d200 (size 240):
  comm "kworker/u9:2", pid 5892, jiffies 4294947408
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc d5cb7eed):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x87/0x590 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:257
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:339
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810d41ac00 (size 704):
  comm "kworker/u9:2", pid 5892, jiffies 4294947408
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 01 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4e765d9f):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    kmalloc_reserve+0xe6/0x180 net/core/skbuff.c:579
    __alloc_skb+0xd4/0x240 net/core/skbuff.c:670
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x87/0x590 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:257
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:339
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit:         d13f3ac6 Merge tag 'mips-fixes_6.18_1' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1170ce92580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=132f4e92580000



* Re: [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk
  2025-11-23 15:08 ` Edward Adam Davis
@ 2025-11-23 16:30   ` syzbot
  0 siblings, 0 replies; 38+ messages in thread
From: syzbot @ 2025-11-23 16:30 UTC (permalink / raw)
  To: eadavis, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in __hci_cmd_sync_sk

BUG: memory leak
unreferenced object 0xffff888109d1e300 (size 240):
  comm "kworker/u9:1", pid 5135, jiffies 4294951173
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4072963):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x87/0x590 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:258
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:340
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888124def900 (size 240):
  comm "kworker/u9:1", pid 5135, jiffies 4294951376
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc bee89128):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4983 [inline]
    slab_alloc_node mm/slub.c:5288 [inline]
    kmem_cache_alloc_node_noprof+0x36f/0x5e0 mm/slub.c:5340
    __alloc_skb+0x203/0x240 net/core/skbuff.c:660
    alloc_skb include/linux/skbuff.h:1383 [inline]
    bt_skb_alloc include/net/bluetooth/bluetooth.h:510 [inline]
    hci_cmd_sync_alloc+0x30/0x140 net/bluetooth/hci_sync.c:58
    hci_cmd_sync_add net/bluetooth/hci_sync.c:99 [inline]
    __hci_cmd_sync_sk+0x87/0x590 net/bluetooth/hci_sync.c:168
    __hci_cmd_sync_ev+0x3e/0x50 net/bluetooth/hci_sync.c:258
    send_hci_cmd_sync+0x5e/0xf0 net/bluetooth/mgmt.c:2615
    hci_cmd_sync_work+0xd5/0x160 net/bluetooth/hci_sync.c:340
    process_one_work+0x26b/0x620 kernel/workqueue.c:3263
    process_scheduled_works kernel/workqueue.c:3346 [inline]
    worker_thread+0x2c4/0x4f0 kernel/workqueue.c:3427
    kthread+0x15b/0x310 kernel/kthread.c:463
    ret_from_fork+0x210/0x240 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit:         d13f3ac6 Merge tag 'mips-fixes_6.18_1' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15d1b97c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f30cc590c4f6da44
dashboard link: https://syzkaller.appspot.com/bug?extid=f098d64cc684b8dbaf65
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1653ea12580000



Thread overview: 38+ messages
2025-11-17 14:24 [syzbot] [bluetooth?] [usb?] memory leak in __hci_cmd_sync_sk syzbot
2025-11-18  2:53 ` Edward Adam Davis
2025-11-18  3:24   ` syzbot
2025-11-18  3:40 ` Edward Adam Davis
2025-11-18  3:54   ` syzbot
2025-11-18  3:56 ` Edward Adam Davis
2025-11-18  4:24   ` syzbot
2025-11-19  2:46 ` shaurya
2025-11-19  3:22 ` Edward Adam Davis
2025-11-19  3:47   ` syzbot
2025-11-19 18:45 ` shaurya
2025-11-19 19:32   ` syzbot
2025-11-20 13:27 ` Edward Adam Davis
2025-11-20 13:59   ` syzbot
2025-11-20 14:11 ` Edward Adam Davis
2025-11-20 14:45   ` syzbot
2025-11-20 14:54 ` Edward Adam Davis
2025-11-20 15:27   ` syzbot
2025-11-21  0:05 ` Edward Adam Davis
2025-11-21  0:34   ` syzbot
2025-11-21  0:55 ` Edward Adam Davis
2025-11-21  2:14   ` syzbot
2025-11-21  0:57 ` Edward Adam Davis
2025-11-21  2:32   ` syzbot
2025-11-21  6:17 ` Edward Adam Davis
2025-11-21  8:08   ` syzbot
2025-11-21  9:06 ` Edward Adam Davis
2025-11-21 14:36   ` syzbot
2025-11-22  7:09 ` Edward Adam Davis
2025-11-22 10:23   ` syzbot
2025-11-22 14:14 ` Edward Adam Davis
2025-11-22 14:39   ` syzbot
2025-11-23 14:05 ` Edward Adam Davis
2025-11-23 15:23   ` syzbot
2025-11-23 14:33 ` Edward Adam Davis
2025-11-23 16:09   ` syzbot
2025-11-23 15:08 ` Edward Adam Davis
2025-11-23 16:30   ` syzbot
