The Linux Kernel Mailing List
* [syzbot] [bluetooth?] memory leak in init_srcu_struct_fields
@ 2026-05-30 20:57 syzbot
  2026-05-30 23:18 ` Forwarded: [PATCH] Bluetooth: hci_core: Fix SRCU leak when device is freed unregistered syzbot
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: syzbot @ 2026-05-30 20:57 UTC (permalink / raw)
  To: linux-bluetooth, linux-kernel, luiz.dentz, marcel, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    f377d0025eb0 Merge tag 'sh-for-v7.1-tag2' of git://git.ker..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1737bb48580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9645c21cfd1d3e8f
dashboard link: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=164ed748580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10e6576c580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5d8163677f58/disk-f377d002.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/cf2fcdb8200b/vmlinux-f377d002.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e9fb70799318/bzImage-f377d002.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff888111f49600 (size 512):
  comm "syz.0.17", pid 5937, jiffies 4294945495
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 6e7d3fde):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4574 [inline]
    slab_alloc_node mm/slub.c:4898 [inline]
    __kmalloc_cache_noprof+0x371/0x480 mm/slub.c:5414
    kmalloc_noprof include/linux/slab.h:950 [inline]
    kzalloc_noprof include/linux/slab.h:1188 [inline]
    init_srcu_struct_fields+0x2c0/0x350 kernel/rcu/srcutree.c:207
    hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2453
    hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
    hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:644 [inline]
    hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:720 [inline]
    hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:774
    tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object (percpu) 0x607e4d93d800 (size 384):
  comm "syz.0.17", pid 5937, jiffies 4294945495
  hex dump (first 32 bytes on cpu 0):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 593bdea7):
    pcpu_alloc_noprof+0x7c7/0xed0 mm/percpu.c:1896
    init_srcu_struct_fields+0x2eb/0x350 kernel/rcu/srcutree.c:224
    hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2453
    hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
    hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:644 [inline]
    hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:720 [inline]
    hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:774
    tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object (percpu) 0x607e4d93d980 (size 384):
  comm "syz.0.18", pid 5940, jiffies 4294945497
  hex dump (first 32 bytes on cpu 0):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 593bdea7):
    pcpu_alloc_noprof+0x7c7/0xed0 mm/percpu.c:1896
    init_srcu_struct_fields+0x2eb/0x350 kernel/rcu/srcutree.c:224
    hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2453
    hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
    hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:644 [inline]
    hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:720 [inline]
    hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:774
    tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88811d010a00 (size 512):
  comm "syz.0.19", pid 5951, jiffies 4294945502
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 2d3d1dd8):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4574 [inline]
    slab_alloc_node mm/slub.c:4898 [inline]
    __kmalloc_cache_noprof+0x371/0x480 mm/slub.c:5414
    kmalloc_noprof include/linux/slab.h:950 [inline]
    kzalloc_noprof include/linux/slab.h:1188 [inline]
    init_srcu_struct_fields+0x2c0/0x350 kernel/rcu/srcutree.c:207
    hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2453
    hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
    hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:644 [inline]
    hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:720 [inline]
    hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:774
    tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object (percpu) 0x607e4d93db00 (size 384):
  comm "syz.0.19", pid 5951, jiffies 4294945502
  hex dump (first 32 bytes on cpu 0):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 593bdea7):
    pcpu_alloc_noprof+0x7c7/0xed0 mm/percpu.c:1896
    init_srcu_struct_fields+0x2eb/0x350 kernel/rcu/srcutree.c:224
    hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2453
    hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
    hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:644 [inline]
    hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:720 [inline]
    hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:774
    tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Forwarded: [PATCH] Bluetooth: hci_core: Fix SRCU leak when device is freed unregistered
  2026-05-30 20:57 [syzbot] [bluetooth?] memory leak in init_srcu_struct_fields syzbot
@ 2026-05-30 23:18 ` syzbot
  2026-05-30 23:20 ` syzbot
  2026-05-31  0:13 ` syzbot
  2 siblings, 0 replies; 10+ messages in thread
From: syzbot @ 2026-05-30 23:18 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] Bluetooth: hci_core: Fix SRCU leak when device is freed unregistered
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master


hci_alloc_dev_priv() initializes hdev->srcu with init_srcu_struct(), but
the matching cleanup_srcu_struct() is only called from hci_unregister_dev().
A hci_dev that is allocated and then freed without ever being registered
leaks the SRCU internals - the node array and the per-CPU sda - even though
the hci_dev itself is freed correctly.

This is reachable from the hci_uart line discipline. h5_open() (used by the
HCI_UART_3WIRE protocol) sets HCI_UART_INIT_PENDING, so hci_uart_register_dev()
returns early without calling hci_register_dev() and HCI_UART_REGISTERED is
never set. Registration is deferred until the three-wire link is synced, which
never happens over a bare pty. When the tty is closed, hci_uart_tty_close()
finds HCI_UART_REGISTERED clear, skips hci_unregister_dev(), and calls
hci_free_dev() -> hci_release_dev() -> kfree(hdev), orphaning the SRCU
allocations.

kmemleak reports only the SRCU sub-objects, not hdev, confirming that hdev is
freed while its embedded srcu is not torn down:

  init_srcu_struct_fields+0x2c0/0x350 kernel/rcu/srcutree.c:207
  hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2453
  hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
  hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:644 [inline]
  hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:720 [inline]
  hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:774

Pair the SRCU init with destruction by calling cleanup_srcu_struct() from
hci_release_dev(), so it runs on the final put_device() regardless of whether
the device was ever registered. Keep synchronize_srcu() in hci_unregister_dev()
to drain readers walking the device list before the device leaves it.

Reported-by: syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 net/bluetooth/hci_core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 28d7929dc593..2d516beedb59 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -2664,7 +2664,6 @@ void hci_unregister_dev(struct hci_dev *hdev)
 	write_unlock(&hci_dev_list_lock);
 
 	synchronize_srcu(&hdev->srcu);
-	cleanup_srcu_struct(&hdev->srcu);
 
 	disable_work_sync(&hdev->rx_work);
 	disable_work_sync(&hdev->cmd_work);
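
Review bot: with cleanup_srcu_struct() dropped right after synchronize_srcu(&hdev->srcu) in hci_unregister_dev(), nothing at this site says where hdev->srcu is torn down any more; add a one-line comment here stating that the teardown now lives in hci_release_dev(). The changelog should also say why no new SRCU reader can start on hdev->srcu between this synchronize_srcu() and the final put, since the cleanup now runs later than the grace-period wait it used to follow directly.
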
@@ -2737,6 +2736,8 @@ void hci_release_dev(struct hci_dev *hdev)
 	kfree_skb(hdev->sent_cmd);
 	kfree_skb(hdev->req_skb);
 	kfree_skb(hdev->recv_event);
+
+	cleanup_srcu_struct(&hdev->srcu);
 	kfree(hdev);
 }
 EXPORT_SYMBOL(hci_release_dev);
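
Review bot: the cleanup_srcu_struct(&hdev->srcu) added before kfree(hdev) in hci_release_dev() only helps if the unregistered close path really reaches this function, and the syzbot test replies in this thread still report "memory leak in init_srcu_struct_fields" with the patch applied. Please confirm that the hci_uart_tty_close() path described in the changelog drops the last reference and ends up here, and explain in the changelog where the remaining reports come from. A short comment pairing this call with init_srcu_struct() in hci_alloc_dev_priv() would also help.
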
-- 
2.43.0
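
Added example, not part of the original message or of the kernel sources: a userspace C model of the two paths the commit message describes (close after registration versus close while init is still pending), comparing cleanup tied to unregister with cleanup tied to release. The model_* names and the tracking allocator are hypothetical; the model illustrates the changelog's reasoning only and says nothing about the result syzbot reported for the real patch.

```c
/* Userspace model of the hci_dev / SRCU lifetime from the commit message.
 * Not kernel code: every model_* name is a hypothetical stand-in for the
 * kernel function named in the comment next to it. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_TRACKED 8
static void *tracked[MAX_TRACKED];	/* toy stand-in for kmemleak's object list */

static void *model_alloc(size_t n)
{
	for (int i = 0; i < MAX_TRACKED; i++)
		if (!tracked[i])
			return tracked[i] = calloc(1, n);
	return NULL;
}

static void model_free(void *p)
{
	for (int i = 0; p && i < MAX_TRACKED; i++)
		if (tracked[i] == p) {
			tracked[i] = NULL;
			free(p);
			return;
		}
}

/* Count objects nobody freed, then reclaim them so the demo itself is clean. */
static int reclaim_leaks(void)
{
	int n = 0;

	for (int i = 0; i < MAX_TRACKED; i++)
		if (tracked[i]) {
			free(tracked[i]);
			tracked[i] = NULL;
			n++;
		}
	return n;
}

struct model_srcu { void *node; void *sda; };	/* node array + per-CPU sda */
struct model_hdev { struct model_srcu srcu; bool registered; };

enum cleanup_site { CLEANUP_IN_UNREGISTER, CLEANUP_IN_RELEASE };

static void model_cleanup_srcu(struct model_srcu *s)	/* cleanup_srcu_struct() */
{
	model_free(s->node);
	model_free(s->sda);
	s->node = s->sda = NULL;
}

static struct model_hdev *model_alloc_dev(void)	/* hci_alloc_dev_priv() */
{
	struct model_hdev *h = model_alloc(sizeof(*h));

	if (!h)
		return NULL;
	h->srcu.node = model_alloc(512);	/* object sizes as in the kmemleak report */
	h->srcu.sda = model_alloc(384);
	if (!h->srcu.node || !h->srcu.sda) {
		model_cleanup_srcu(&h->srcu);
		model_free(h);
		return NULL;
	}
	return h;
}

static void model_unregister_dev(struct model_hdev *h, enum cleanup_site site)
{
	h->registered = false;			/* hci_unregister_dev() */
	if (site == CLEANUP_IN_UNREGISTER)
		model_cleanup_srcu(&h->srcu);
}

static void model_release_dev(struct model_hdev *h, enum cleanup_site site)
{
	if (site == CLEANUP_IN_RELEASE)		/* hci_release_dev() */
		model_cleanup_srcu(&h->srcu);
	model_free(h);
}

/* hci_uart_tty_close() as the changelog describes it: unregister only when
 * the device was registered, then free it. */
static void model_tty_close(struct model_hdev *h, enum cleanup_site site)
{
	if (h->registered)
		model_unregister_dev(h, site);
	model_release_dev(h, site);
}

/* Returns how many tracked objects are still live after open + close. */
int leaked_after_close(enum cleanup_site site, bool init_pending)
{
	struct model_hdev *h = model_alloc_dev();

	if (!h)
		return -1;
	if (!init_pending)
		h->registered = true;	/* hci_register_dev() ran */
	model_tty_close(h, site);
	return reclaim_leaks();
}

int main(void)
{
	printf("cleanup in unregister, init pending: %d leaked\n",
	       leaked_after_close(CLEANUP_IN_UNREGISTER, true));
	printf("cleanup in release,    init pending: %d leaked\n",
	       leaked_after_close(CLEANUP_IN_RELEASE, true));
	return 0;
}
```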



* Forwarded: [PATCH] Bluetooth: hci_core: Fix SRCU leak when device is freed unregistered
  2026-05-30 20:57 [syzbot] [bluetooth?] memory leak in init_srcu_struct_fields syzbot
  2026-05-30 23:18 ` Forwarded: [PATCH] Bluetooth: hci_core: Fix SRCU leak when device is freed unregistered syzbot
@ 2026-05-30 23:20 ` syzbot
  2026-05-31  0:13 ` syzbot
  2 siblings, 0 replies; 10+ messages in thread
From: syzbot @ 2026-05-30 23:20 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] Bluetooth: hci_core: Fix SRCU leak when device is freed unregistered
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master




* Re: [syzbot] [bluetooth?] memory leak in init_srcu_struct_fields
       [not found] <20260530231803.97278-1-kartikey406@gmail.com>
@ 2026-05-31  0:13 ` syzbot
  0 siblings, 0 replies; 10+ messages in thread
From: syzbot @ 2026-05-31  0:13 UTC (permalink / raw)
  To: kartikey406, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in init_srcu_struct_fields

BUG: memory leak
unreferenced object 0xffff88810de6f800 (size 512):
  comm "syz.0.17", pid 6610, jiffies 4294948707
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 55438727):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4613 [inline]
    slab_alloc_node mm/slub.c:4937 [inline]
    __kmalloc_cache_noprof+0x371/0x480 mm/slub.c:5443
    _kmalloc_noprof include/linux/slab.h:969 [inline]
    _kzalloc_noprof include/linux/slab.h:1286 [inline]
    init_srcu_struct_fields+0x2c0/0x350 kernel/rcu/srcutree.c:207
    hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
    hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
    hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
    hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
    hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
    tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object (percpu) 0x607e4db7f740 (size 384):
  comm "syz.0.17", pid 6610, jiffies 4294948707
  hex dump (first 32 bytes on cpu 0):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 593bdea7):
    pcpu_alloc_noprof+0x7c7/0xed0 mm/percpu.c:1956
    init_srcu_struct_fields+0x2eb/0x350 kernel/rcu/srcutree.c:224
    hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
    hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
    hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
    hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
    hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
    tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object (percpu) 0x607e4db7f8c0 (size 384):
  comm "syz.0.18", pid 6619, jiffies 4294948711
  hex dump (first 32 bytes on cpu 0):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 593bdea7):
    pcpu_alloc_noprof+0x7c7/0xed0 mm/percpu.c:1956
    init_srcu_struct_fields+0x2eb/0x350 kernel/rcu/srcutree.c:224
    hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
    hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
    hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
    hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
    hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
    tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object (percpu) 0x607e4db7fa40 (size 384):
  comm "syz.0.19", pid 6624, jiffies 4294948716
  hex dump (first 32 bytes on cpu 0):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 593bdea7):
    pcpu_alloc_noprof+0x7c7/0xed0 mm/percpu.c:1956
    init_srcu_struct_fields+0x2eb/0x350 kernel/rcu/srcutree.c:224
    hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
    hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
    hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
    hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
    hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
    tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit:         7da7f071 Add linux-next specific files for 20260529
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=14bf17a6580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3dd1e35bbd92239d
dashboard link: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10cd7ed2580000



* Forwarded: [PATCH] Bluetooth: hci_core: Fix SRCU leak when device is freed unregistered
  2026-05-30 20:57 [syzbot] [bluetooth?] memory leak in init_srcu_struct_fields syzbot
  2026-05-30 23:18 ` Forwarded: [PATCH] Bluetooth: hci_core: Fix SRCU leak when device is freed unregistered syzbot
  2026-05-30 23:20 ` syzbot
@ 2026-05-31  0:13 ` syzbot
  2 siblings, 0 replies; 10+ messages in thread
From: syzbot @ 2026-05-31  0:13 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] Bluetooth: hci_core: Fix SRCU leak when device is freed unregistered
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master





* Re: [syzbot] [bluetooth?] memory leak in init_srcu_struct_fields
       [not found] <20260530232001.97305-1-kartikey406@gmail.com>
@ 2026-05-31  0:21 ` syzbot
  0 siblings, 0 replies; 10+ messages in thread
From: syzbot @ 2026-05-31  0:21 UTC (permalink / raw)
  To: kartikey406, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in init_srcu_struct_fields

BUG: memory leak
unreferenced object (percpu) 0x607e4db7f7c0 (size 384):
  comm "syz.0.17", pid 6615, jiffies 4294948617
  hex dump (first 32 bytes on cpu 1):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 593bdea7):
    pcpu_alloc_noprof+0x7c7/0xed0 mm/percpu.c:1956
    init_srcu_struct_fields+0x2eb/0x350 kernel/rcu/srcutree.c:224
    hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
    hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
    hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
    hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
    hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
    tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88810de8e800 (size 512):
  comm "syz.0.18", pid 6621, jiffies 4294948621
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 4c023471):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4613 [inline]
    slab_alloc_node mm/slub.c:4937 [inline]
    __kmalloc_cache_noprof+0x371/0x480 mm/slub.c:5443
    _kmalloc_noprof include/linux/slab.h:969 [inline]
    _kzalloc_noprof include/linux/slab.h:1286 [inline]
    init_srcu_struct_fields+0x2c0/0x350 kernel/rcu/srcutree.c:207
    hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
    hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
    hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
    hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
    hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
    tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object (percpu) 0x607e4db7f940 (size 384):
  comm "syz.0.18", pid 6621, jiffies 4294948621
  hex dump (first 32 bytes on cpu 1):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 593bdea7):
    pcpu_alloc_noprof+0x7c7/0xed0 mm/percpu.c:1956
    init_srcu_struct_fields+0x2eb/0x350 kernel/rcu/srcutree.c:224
    hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
    hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
    hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
    hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
    hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
    tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88810de8fc00 (size 512):
  comm "syz.0.19", pid 6630, jiffies 4294948624
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc a013f5be):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4613 [inline]
    slab_alloc_node mm/slub.c:4937 [inline]
    __kmalloc_cache_noprof+0x371/0x480 mm/slub.c:5443
    _kmalloc_noprof include/linux/slab.h:969 [inline]
    _kzalloc_noprof include/linux/slab.h:1286 [inline]
    init_srcu_struct_fields+0x2c0/0x350 kernel/rcu/srcutree.c:207
    hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
    hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
    hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
    hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
    hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
    tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object (percpu) 0x607e4db7fac0 (size 384):
  comm "syz.0.19", pid 6630, jiffies 4294948624
  hex dump (first 32 bytes on cpu 1):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 593bdea7):
    pcpu_alloc_noprof+0x7c7/0xed0 mm/percpu.c:1956
    init_srcu_struct_fields+0x2eb/0x350 kernel/rcu/srcutree.c:224
    hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
    hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
    hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
    hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
    hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
    tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit:         7da7f071 Add linux-next specific files for 20260529
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1395b36a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=3dd1e35bbd92239d
dashboard link: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch:          https://syzkaller.appspot.com/x/patch.diff?x=123de056580000



* Re: [syzbot] [bluetooth?] memory leak in init_srcu_struct_fields
       [not found] <20260531001321.98695-1-kartikey406@gmail.com>
@ 2026-05-31  1:19 ` syzbot
  0 siblings, 0 replies; 10+ messages in thread
From: syzbot @ 2026-05-31  1:19 UTC (permalink / raw)
  To: kartikey406, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in init_srcu_struct_fields

BUG: memory leak
unreferenced object 0xffff88810ace7000 (size 512):
  comm "syz.0.17", pid 6583, jiffies 4294948651
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 1a69216d):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4575 [inline]
    slab_alloc_node mm/slub.c:4899 [inline]
    __kmalloc_cache_noprof+0x371/0x480 mm/slub.c:5415
    kmalloc_noprof include/linux/slab.h:950 [inline]
    kzalloc_noprof include/linux/slab.h:1188 [inline]
    init_srcu_struct_fields+0x2c0/0x350 kernel/rcu/srcutree.c:207
    hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
    hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
    hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
    hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
    hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
    tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object (percpu) 0x607e4d944640 (size 384):
  comm "syz.0.17", pid 6583, jiffies 4294948651
  hex dump (first 32 bytes on cpu 0):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 593bdea7):
    pcpu_alloc_noprof+0x7c7/0xed0 mm/percpu.c:1896
    init_srcu_struct_fields+0x2eb/0x350 kernel/rcu/srcutree.c:224
    hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
    hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
    hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
    hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
    hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
    tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88810b1d9200 (size 512):
  comm "syz.0.18", pid 6587, jiffies 4294948653
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 27fa06af):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4575 [inline]
    slab_alloc_node mm/slub.c:4899 [inline]
    __kmalloc_cache_noprof+0x371/0x480 mm/slub.c:5415
    kmalloc_noprof include/linux/slab.h:950 [inline]
    kzalloc_noprof include/linux/slab.h:1188 [inline]
    init_srcu_struct_fields+0x2c0/0x350 kernel/rcu/srcutree.c:207
    hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
    hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
    hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
    hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
    hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
    tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object (percpu) 0x607e4d9447c0 (size 384):
  comm "syz.0.18", pid 6587, jiffies 4294948653
  hex dump (first 32 bytes on cpu 0):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 593bdea7):
    pcpu_alloc_noprof+0x7c7/0xed0 mm/percpu.c:1896
    init_srcu_struct_fields+0x2eb/0x350 kernel/rcu/srcutree.c:224
    hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
    hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
    hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
    hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
    hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
    tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object (percpu) 0x607e4d944980 (size 384):
  comm "syz.0.19", pid 6595, jiffies 4294948657
  hex dump (first 32 bytes on cpu 0):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace (crc 593bdea7):
    pcpu_alloc_noprof+0x7c7/0xed0 mm/percpu.c:1896
    init_srcu_struct_fields+0x2eb/0x350 kernel/rcu/srcutree.c:224
    hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
    hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
    hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
    hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
    hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
    tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
    vfs_ioctl fs/ioctl.c:51 [inline]
    __do_sys_ioctl fs/ioctl.c:597 [inline]
    __se_sys_ioctl fs/ioctl.c:583 [inline]
    __x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
    do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
    do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
    entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit:         174914ea Merge tag 'v7.1-rc6-smb3-client-fixes' of git..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17f2f57e580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=5733044df9370cfc
dashboard link: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17b2f57e580000



* Re: [syzbot] [bluetooth?] memory leak in init_srcu_struct_fields
  2026-05-31 14:25 [PATCH] Bluetooth: fix memory leaks in error path of hci_alloc_dev() Bharath Reddy
@ 2026-05-31 14:59 ` syzbot
  0 siblings, 0 replies; 10+ messages in thread
From: syzbot @ 2026-05-31 14:59 UTC (permalink / raw)
  To: kartikey406, kbreddy.rpbc, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in hci_release_dev

BUG: kernel NULL pointer dereference, address: 00000000000000b0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 800000011280f067 P4D 800000011280f067 PUD 0 
Oops: Oops: 0000 [#1] SMP PTI
CPU: 1 UID: 0 PID: 6587 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
RIP: 0010:workqueue_sysfs_unregister kernel/workqueue.c:7632 [inline]
RIP: 0010:destroy_workqueue+0x1a/0x430 kernel/workqueue.c:6045
Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 41 57 41 56 41 55 49 89 fd 41 54 55 53 48 83 ec 08 e8 66 d6 15 00 <49> 8b 9d b0 00 00 00 48 85 db 74 19 e8 55 d6 15 00 48 8d 7b 08 49
RSP: 0018:ffffc90002177c68 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88811cb86000 RCX: ffffffff81a2820c
RDX: ffff88810aac91c0 RSI: ffffffff816e808a RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000000
R10: ffffffff85600000 R11: 0000000000000001 R12: ffff88811cb87390
R13: 0000000000000000 R14: ffff88811cb86030 R15: 0000000000000000
FS:  000055556c326500(0000) GS:ffff8881b23e5000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000b0 CR3: 0000000129ede000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 hci_release_dev+0x62/0x250 net/bluetooth/hci_core.c:2712
 bt_host_release+0x19/0x30 net/bluetooth/hci_sysfs.c:86
 device_release+0x4d/0xd0 drivers/base/core.c:2566
 kobject_cleanup lib/kobject.c:689 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0xe4/0x1d0 lib/kobject.c:737
 put_device+0x1f/0x30 drivers/base/core.c:3814
 hci_uart_tty_close+0x155/0x1a0 drivers/bluetooth/hci_ldisc.c:587
 tty_ldisc_close+0x51/0x70 drivers/tty/tty_ldisc.c:455
 tty_ldisc_kill drivers/tty/tty_ldisc.c:613 [inline]
 tty_ldisc_release+0xd5/0x2d0 drivers/tty/tty_ldisc.c:781
 tty_release_struct+0x1a/0x90 drivers/tty/tty_io.c:1681
 tty_release+0x6b0/0x6c0 drivers/tty/tty_io.c:1852
 __fput+0x1b5/0x500 fs/file_table.c:510
 task_work_run+0x95/0xf0 kernel/task_work.c:233
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
 exit_to_user_mode_loop+0xd9/0x4a0 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:230 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
 do_syscall_64+0x485/0x600 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe03af9cdd9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffeee0ab038 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007ffeee0ab120 RCX: 00007fe03af9cdd9
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 000000000001bd43 R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b31220000 R11: 0000000000000246 R12: 00007ffeee0ab160
R13: 00007fe03b215fac R14: 000000000001bd76 R15: 00007fe03b215fa0
 </TASK>
Modules linked in:
CR2: 00000000000000b0
---[ end trace 0000000000000000 ]---
RIP: 0010:workqueue_sysfs_unregister kernel/workqueue.c:7632 [inline]
RIP: 0010:destroy_workqueue+0x1a/0x430 kernel/workqueue.c:6045
Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 41 57 41 56 41 55 49 89 fd 41 54 55 53 48 83 ec 08 e8 66 d6 15 00 <49> 8b 9d b0 00 00 00 48 85 db 74 19 e8 55 d6 15 00 48 8d 7b 08 49
RSP: 0018:ffffc90002177c68 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88811cb86000 RCX: ffffffff81a2820c
RDX: ffff88810aac91c0 RSI: ffffffff816e808a RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000000
R10: ffffffff85600000 R11: 0000000000000001 R12: ffff88811cb87390
R13: 0000000000000000 R14: ffff88811cb86030 R15: 0000000000000000
FS:  000055556c326500(0000) GS:ffff8881b23e5000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000b0 CR3: 0000000129ede000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	90                   	nop
   1:	90                   	nop
   2:	90                   	nop
   3:	90                   	nop
   4:	90                   	nop
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	90                   	nop
   9:	90                   	nop
   a:	90                   	nop
   b:	90                   	nop
   c:	90                   	nop
   d:	90                   	nop
   e:	90                   	nop
   f:	90                   	nop
  10:	f3 0f 1e fa          	endbr64
  14:	41 57                	push   %r15
  16:	41 56                	push   %r14
  18:	41 55                	push   %r13
  1a:	49 89 fd             	mov    %rdi,%r13
  1d:	41 54                	push   %r12
  1f:	55                   	push   %rbp
  20:	53                   	push   %rbx
  21:	48 83 ec 08          	sub    $0x8,%rsp
  25:	e8 66 d6 15 00       	call   0x15d690
* 2a:	49 8b 9d b0 00 00 00 	mov    0xb0(%r13),%rbx <-- trapping instruction
  31:	48 85 db             	test   %rbx,%rbx
  34:	74 19                	je     0x4f
  36:	e8 55 d6 15 00       	call   0x15d690
  3b:	48 8d 7b 08          	lea    0x8(%rbx),%rdi
  3f:	49                   	rex.WB


Tested on:

commit:         174914ea Merge tag 'v7.1-rc6-smb3-client-fixes' of git..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17cb69a6580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=5733044df9370cfc
dashboard link: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch:          https://syzkaller.appspot.com/x/patch.diff?x=114b7ed2580000



* Re: [syzbot] [bluetooth?] memory leak in init_srcu_struct_fields
  2026-05-31 14:41 [PATCH] Bluetooth: fix memory leaks in error path of hci_alloc_dev() Bharath Reddy
@ 2026-05-31 15:27 ` syzbot
  0 siblings, 0 replies; 10+ messages in thread
From: syzbot @ 2026-05-31 15:27 UTC (permalink / raw)
  To: kartikey406, kbreddy.rpbc, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in hci_release_dev

BUG: kernel NULL pointer dereference, address: 00000000000000b0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 800000012a7b5067 P4D 800000012a7b5067 PUD 0 
Oops: Oops: 0000 [#1] SMP PTI
CPU: 1 UID: 0 PID: 6583 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
RIP: 0010:workqueue_sysfs_unregister kernel/workqueue.c:7607 [inline]
RIP: 0010:destroy_workqueue+0x1a/0x430 kernel/workqueue.c:6020
Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 41 57 41 56 41 55 49 89 fd 41 54 55 53 48 83 ec 08 e8 06 d2 15 00 <49> 8b 9d b0 00 00 00 48 85 db 74 19 e8 f5 d1 15 00 48 8d 7b 08 49
RSP: 0018:ffffc90002aafc78 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8881141e0000 RCX: ffffffff81a266cc
RDX: ffff88810a6311c0 RSI: ffffffff816e6f0a RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000000
R10: ffffffff85600000 R11: 0000000000000001 R12: ffff8881141e1390
R13: 0000000000000000 R14: ffff8881141e0030 R15: 0000000000000000
FS:  000055559230a500(0000) GS:ffff8881b23ec000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000b0 CR3: 000000012983e000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 hci_release_dev+0x62/0x250 net/bluetooth/hci_core.c:2749
 bt_host_release+0x19/0x30 net/bluetooth/hci_sysfs.c:86
 device_release+0x4d/0xd0 drivers/base/core.c:2566
 kobject_cleanup lib/kobject.c:689 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0xe4/0x1d0 lib/kobject.c:737
 put_device+0x1f/0x30 drivers/base/core.c:3814
 hci_uart_tty_close+0xf7/0x120 drivers/bluetooth/hci_ldisc.c:558
 tty_ldisc_close+0x51/0x70 drivers/tty/tty_ldisc.c:455
 tty_ldisc_kill drivers/tty/tty_ldisc.c:613 [inline]
 tty_ldisc_release+0xd5/0x2d0 drivers/tty/tty_ldisc.c:781
 tty_release_struct+0x1a/0x90 drivers/tty/tty_io.c:1681
 tty_release+0x6b0/0x6c0 drivers/tty/tty_io.c:1852
 __fput+0x1b5/0x500 fs/file_table.c:510
 task_work_run+0x95/0xf0 kernel/task_work.c:233
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
 exit_to_user_mode_loop+0xcf/0x440 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
 do_syscall_64+0x485/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f57d6b9cdd9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff37ccc228 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007fff37ccc310 RCX: 00007f57d6b9cdd9
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 000000000001baba R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b31820000 R11: 0000000000000246 R12: 00007fff37ccc350
R13: 00007f57d6e15fac R14: 000000000001baed R15: 00007f57d6e15fa0
 </TASK>
Modules linked in:
CR2: 00000000000000b0
---[ end trace 0000000000000000 ]---
RIP: 0010:workqueue_sysfs_unregister kernel/workqueue.c:7607 [inline]
RIP: 0010:destroy_workqueue+0x1a/0x430 kernel/workqueue.c:6020
Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 41 57 41 56 41 55 49 89 fd 41 54 55 53 48 83 ec 08 e8 06 d2 15 00 <49> 8b 9d b0 00 00 00 48 85 db 74 19 e8 f5 d1 15 00 48 8d 7b 08 49
RSP: 0018:ffffc90002aafc78 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8881141e0000 RCX: ffffffff81a266cc
RDX: ffff88810a6311c0 RSI: ffffffff816e6f0a RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000000
R10: ffffffff85600000 R11: 0000000000000001 R12: ffff8881141e1390
R13: 0000000000000000 R14: ffff8881141e0030 R15: 0000000000000000
FS:  000055559230a500(0000) GS:ffff8881b23ec000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000b0 CR3: 000000012983e000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
   0:	90                   	nop
   1:	90                   	nop
   2:	90                   	nop
   3:	90                   	nop
   4:	90                   	nop
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	90                   	nop
   9:	90                   	nop
   a:	90                   	nop
   b:	90                   	nop
   c:	90                   	nop
   d:	90                   	nop
   e:	90                   	nop
   f:	90                   	nop
  10:	f3 0f 1e fa          	endbr64
  14:	41 57                	push   %r15
  16:	41 56                	push   %r14
  18:	41 55                	push   %r13
  1a:	49 89 fd             	mov    %rdi,%r13
  1d:	41 54                	push   %r12
  1f:	55                   	push   %rbp
  20:	53                   	push   %rbx
  21:	48 83 ec 08          	sub    $0x8,%rsp
  25:	e8 06 d2 15 00       	call   0x15d230
* 2a:	49 8b 9d b0 00 00 00 	mov    0xb0(%r13),%rbx <-- trapping instruction
  31:	48 85 db             	test   %rbx,%rbx
  34:	74 19                	je     0x4f
  36:	e8 f5 d1 15 00       	call   0x15d230
  3b:	48 8d 7b 08          	lea    0x8(%rbx),%rdi
  3f:	49                   	rex.WB


Tested on:

commit:         f377d002 Merge tag 'sh-for-v7.1-tag2' of git://git.ker..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14789d7e580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9645c21cfd1d3e8f
dashboard link: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10392ab6580000



* Re: [syzbot] [bluetooth?] memory leak in init_srcu_struct_fields
  2026-05-31 15:27 [PATCH v2] Bluetooth: fix memory leak in error path of hci_alloc_dev() Bharath Reddy
@ 2026-05-31 16:11 ` syzbot
  0 siblings, 0 replies; 10+ messages in thread
From: syzbot @ 2026-05-31 16:11 UTC (permalink / raw)
  To: kartikey406, kbreddy.rpbc, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com
Tested-by: syzbot+535ecc844591e50588a5@syzkaller.appspotmail.com

Tested on:

commit:         f377d002 Merge tag 'sh-for-v7.1-tag2' of git://git.ker..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=125e35ec580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=9645c21cfd1d3e8f
dashboard link: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch:          https://syzkaller.appspot.com/x/patch.diff?x=122676ec580000

Note: testing is done by a robot and is best-effort only.

Thread overview: 10+ messages
2026-05-30 20:57 [syzbot] [bluetooth?] memory leak in init_srcu_struct_fields syzbot
2026-05-30 23:18 ` Forwarded: [PATCH] Bluetooth: hci_core: Fix SRCU leak when device is freed unregistered syzbot
2026-05-30 23:20 ` syzbot
2026-05-31  0:13 ` syzbot
     [not found] <20260530231803.97278-1-kartikey406@gmail.com>
2026-05-31  0:13 ` [syzbot] [bluetooth?] memory leak in init_srcu_struct_fields syzbot
     [not found] <20260530232001.97305-1-kartikey406@gmail.com>
2026-05-31  0:21 ` syzbot
     [not found] <20260531001321.98695-1-kartikey406@gmail.com>
2026-05-31  1:19 ` syzbot
  -- strict thread matches above, loose matches on Subject: below --
2026-05-31 14:25 [PATCH] Bluetooth: fix memory leaks in error path of hci_alloc_dev() Bharath Reddy
2026-05-31 14:59 ` [syzbot] [bluetooth?] memory leak in init_srcu_struct_fields syzbot
2026-05-31 14:41 [PATCH] Bluetooth: fix memory leaks in error path of hci_alloc_dev() Bharath Reddy
2026-05-31 15:27 ` [syzbot] [bluetooth?] memory leak in init_srcu_struct_fields syzbot
2026-05-31 15:27 [PATCH v2] Bluetooth: fix memory leak in error path of hci_alloc_dev() Bharath Reddy
2026-05-31 16:11 ` [syzbot] [bluetooth?] memory leak in init_srcu_struct_fields syzbot
