[syzbot] [bluetooth?] memory leak in init_srcu_struct_fields


syzbot

May 30, 2026, 4:57:26 PM (9 days ago) May 30
to linux-b...@vger.kernel.org, linux-...@vger.kernel.org, luiz....@gmail.com, mar...@holtmann.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: f377d0025eb0 Merge tag 'sh-for-v7.1-tag2' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1737bb48580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9645c21cfd1d3e8f
dashboard link: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=164ed748580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e6576c580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/5d8163677f58/disk-f377d002.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/cf2fcdb8200b/vmlinux-f377d002.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e9fb70799318/bzImage-f377d002.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+535ecc...@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff888111f49600 (size 512):
comm "syz.0.17", pid 5937, jiffies 4294945495
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 6e7d3fde):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4574 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__kmalloc_cache_noprof+0x371/0x480 mm/slub.c:5414
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
init_srcu_struct_fields+0x2c0/0x350 kernel/rcu/srcutree.c:207
hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2453
hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:644 [inline]
hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:720 [inline]
hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:774
tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object (percpu) 0x607e4d93d800 (size 384):
comm "syz.0.17", pid 5937, jiffies 4294945495
hex dump (first 32 bytes on cpu 0):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 593bdea7):
pcpu_alloc_noprof+0x7c7/0xed0 mm/percpu.c:1896
init_srcu_struct_fields+0x2eb/0x350 kernel/rcu/srcutree.c:224
hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2453
hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:644 [inline]
hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:720 [inline]
hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:774
tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object (percpu) 0x607e4d93d980 (size 384):
comm "syz.0.18", pid 5940, jiffies 4294945497
hex dump (first 32 bytes on cpu 0):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 593bdea7):
pcpu_alloc_noprof+0x7c7/0xed0 mm/percpu.c:1896
init_srcu_struct_fields+0x2eb/0x350 kernel/rcu/srcutree.c:224
hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2453
hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:644 [inline]
hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:720 [inline]
hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:774
tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88811d010a00 (size 512):
comm "syz.0.19", pid 5951, jiffies 4294945502
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 2d3d1dd8):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4574 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
__kmalloc_cache_noprof+0x371/0x480 mm/slub.c:5414
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
init_srcu_struct_fields+0x2c0/0x350 kernel/rcu/srcutree.c:207
hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2453
hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:644 [inline]
hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:720 [inline]
hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:774
tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object (percpu) 0x607e4d93db00 (size 384):
comm "syz.0.19", pid 5951, jiffies 4294945502
hex dump (first 32 bytes on cpu 0):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 593bdea7):
pcpu_alloc_noprof+0x7c7/0xed0 mm/percpu.c:1896
init_srcu_struct_fields+0x2eb/0x350 kernel/rcu/srcutree.c:224
hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2453
hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:644 [inline]
hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:720 [inline]
hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:774
tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

May 30, 2026, 7:18:14 PM (9 days ago) May 30
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] Bluetooth: hci_core: Fix SRCU leak when device is freed unregistered
Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master


hci_alloc_dev_priv() initializes hdev->srcu with init_srcu_struct(), but
the matching cleanup_srcu_struct() is only called from hci_unregister_dev().
A hci_dev that is allocated and then freed without ever being registered
leaks the SRCU internals - the node array and the per-CPU sda - even though
the hci_dev itself is freed correctly.

This is reachable from the hci_uart line discipline. h5_open() (used by the
HCI_UART_3WIRE protocol) sets HCI_UART_INIT_PENDING, so hci_uart_register_dev()
returns early without calling hci_register_dev() and HCI_UART_REGISTERED is
never set. Registration is deferred until the three-wire link is synced, which
never happens over a bare pty. When the tty is closed, hci_uart_tty_close()
finds HCI_UART_REGISTERED clear, skips hci_unregister_dev(), and calls
hci_free_dev() -> hci_release_dev() -> kfree(hdev), orphaning the SRCU
allocations.

kmemleak reports only the SRCU sub-objects, not hdev, confirming that hdev is
freed while its embedded srcu is not torn down:

init_srcu_struct_fields+0x2c0/0x350 kernel/rcu/srcutree.c:207
hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2453
hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:644 [inline]
hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:720 [inline]
hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:774

Pair the SRCU init with destruction by calling cleanup_srcu_struct() from
hci_release_dev(), so it runs on the final put_device() regardless of whether
the device was ever registered. Keep synchronize_srcu() in hci_unregister_dev()
to drain readers walking the device list before the device leaves it.

Reported-by: syzbot+535ecc...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
Signed-off-by: Deepanshu Kartikey <karti...@gmail.com>
---
net/bluetooth/hci_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 28d7929dc593..2d516beedb59 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -2664,7 +2664,6 @@ void hci_unregister_dev(struct hci_dev *hdev)
write_unlock(&hci_dev_list_lock);

synchronize_srcu(&hdev->srcu);
- cleanup_srcu_struct(&hdev->srcu);

disable_work_sync(&hdev->rx_work);
disable_work_sync(&hdev->cmd_work);
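Review bot: with cleanup_srcu_struct() dropped here, hci_unregister_dev() no longer tears down hdev->srcu, so SRCU teardown now depends entirely on hci_release_dev() running on the final put of every hdev; keeping synchronize_srcu() above is right, since it is the barrier for readers still walking the device list, and cleanup_srcu_struct() was only ever safe after it. One thing the commit message should state: cleanup_srcu_struct() flushes SRCU's delayed work and can sleep, so every hci_free_dev() caller that drops the last reference must do so from a sleepable context, which is a stronger requirement than the unregister-time call had.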
@@ -2737,6 +2736,8 @@ void hci_release_dev(struct hci_dev *hdev)
kfree_skb(hdev->sent_cmd);
kfree_skb(hdev->req_skb);
kfree_skb(hdev->recv_event);
+
+ cleanup_srcu_struct(&hdev->srcu);
kfree(hdev);
}
EXPORT_SYMBOL(hci_release_dev);
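Review bot: the ordering here (cleanup_srcu_struct() immediately before kfree(hdev)) is correct, but the commit message's chain hci_free_dev() -> hci_release_dev() -> kfree(hdev) does not hold for the reproducer: syzbot's tests of this patch on linux-next and on upstream (below) still report the same leak from the same hci_uart_tty_ioctl path, so for a never-registered hdev the final put_device() is evidently not landing in hci_release_dev(). Verify which release callback actually runs for an hdev that was never registered, put the cleanup where that path frees hdev, and retest before resending. Also drop the added blank line before cleanup_srcu_struct(); the kfree_skb() calls and the teardown read better as one block.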
--
2.43.0
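
The bug class described in the commit message above is an asymmetric lifecycle: a resource initialised in the allocator but only torn down in unregister, so any object that is freed without ever being registered leaks it. The following userspace C model, added here and not code from the kernel or from this patch, reproduces that shape with a refcounted device, two heap sub-objects standing in for the srcu_usage and sda allocations kmemleak reported, and a switch for where the cleanup lives. All names (model_*, live_srcu_objects, enum cleanup_site) are assumptions for the model; it also assumes the final put always reaches the release function, which is exactly the assumption syzbot's test results below show must be verified in the real driver.

```c
/* Userspace model of the hci_dev lifecycle; all names here are stand-ins
 * (assumption), not kernel APIs. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for srcu_struct: two heap sub-objects, like the 512-byte
 * srcu_usage and the per-CPU sda that kmemleak flagged. */
struct model_srcu {
    void *sup;
    void *sda;
};

/* Outstanding sub-allocations: our stand-in for kmemleak's view. */
static int live_srcu_objects;

static void model_init_srcu(struct model_srcu *s)
{
    s->sup = calloc(1, 512);
    s->sda = calloc(1, 384);
    live_srcu_objects += 2;
}

static void model_cleanup_srcu(struct model_srcu *s)
{
    free(s->sup);
    free(s->sda);
    s->sup = s->sda = NULL;
    live_srcu_objects -= 2;
}

/* Where the teardown is placed: the pre-patch layout or the patched one. */
enum cleanup_site { CLEANUP_IN_UNREGISTER, CLEANUP_IN_RELEASE };

struct model_hdev {
    int refcount;
    bool registered;
    enum cleanup_site site;
    struct model_srcu srcu;
};

/* hci_alloc_dev_priv(): refcount 1 from device init, SRCU initialised here. */
static struct model_hdev *model_alloc_dev(enum cleanup_site site)
{
    struct model_hdev *h = calloc(1, sizeof(*h));
    h->refcount = 1;
    h->site = site;
    model_init_srcu(&h->srcu);
    return h;
}

static void model_register_dev(struct model_hdev *h) { h->registered = true; }

/* hci_unregister_dev(): drain readers, then (pre-patch) tear SRCU down. */
static void model_unregister_dev(struct model_hdev *h)
{
    h->registered = false;
    if (h->site == CLEANUP_IN_UNREGISTER)
        model_cleanup_srcu(&h->srcu);
}

/* hci_release_dev(): final release; the patch moves the teardown here. */
static void model_release_dev(struct model_hdev *h)
{
    if (h->site == CLEANUP_IN_RELEASE)
        model_cleanup_srcu(&h->srcu);
    free(h);
}

/* hci_free_dev(): drop the reference; release on the last one. */
static void model_free_dev(struct model_hdev *h)
{
    if (--h->refcount == 0)
        model_release_dev(h);
}

/* Drive the two close paths from hci_uart_tty_close(): a device that was
 * registered and unregistered, and one that was never registered (the
 * HCI_UART_INIT_PENDING case). Returns how many SRCU sub-objects survive. */
int leaked_after_close(enum cleanup_site site, bool was_registered)
{
    live_srcu_objects = 0;
    struct model_hdev *h = model_alloc_dev(site);
    if (was_registered) {
        model_register_dev(h);
        model_unregister_dev(h);
    }
    model_free_dev(h);
    return live_srcu_objects;
}

int main(void)
{
    printf("cleanup in unregister, registered:      %d leaked\n",
           leaked_after_close(CLEANUP_IN_UNREGISTER, true));
    printf("cleanup in unregister, never registered: %d leaked\n",
           leaked_after_close(CLEANUP_IN_UNREGISTER, false));
    printf("cleanup in release,    never registered: %d leaked\n",
           leaked_after_close(CLEANUP_IN_RELEASE, false));
    return 0;
}
```

The second case is the syzbot report: both sub-objects survive while the device itself is freed, which is why kmemleak lists only the SRCU allocations and not hdev. The model's third case only comes out clean because model_free_dev() is guaranteed to reach model_release_dev(); in the real driver that guarantee is what the test runs below put in question.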

syzbot

May 30, 2026, 7:20:10 PM (9 days ago) May 30
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] Bluetooth: hci_core: Fix SRCU leak when device is freed unregistered
Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master



hci_alloc_dev_priv() initializes hdev->srcu with init_srcu_struct(), but
the matching cleanup_srcu_struct() is only called from hci_unregister_dev().
A hci_dev that is allocated and then freed without ever being registered
leaks the SRCU internals - the node array and the per-CPU sda - even though
the hci_dev itself is freed correctly.

This is reachable from the hci_uart line discipline. h5_open() (used by the
HCI_UART_3WIRE protocol) sets HCI_UART_INIT_PENDING, so hci_uart_register_dev()
returns early without calling hci_register_dev() and HCI_UART_REGISTERED is
never set. Registration is deferred until the three-wire link is synced, which
never happens over a bare pty. When the tty is closed, hci_uart_tty_close()
finds HCI_UART_REGISTERED clear, skips hci_unregister_dev(), and calls
hci_free_dev() -> hci_release_dev() -> kfree(hdev), orphaning the SRCU
allocations.

kmemleak reports only the SRCU sub-objects, not hdev, confirming that hdev is
freed while its embedded srcu is not torn down:

init_srcu_struct_fields+0x2c0/0x350 kernel/rcu/srcutree.c:207
hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2453
hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:644 [inline]
hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:720 [inline]
hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:774

syzbot

May 30, 2026, 8:13:03 PM (9 days ago) May 30
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in init_srcu_struct_fields

BUG: memory leak
unreferenced object 0xffff88810de6f800 (size 512):
comm "syz.0.17", pid 6610, jiffies 4294948707
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 55438727):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4613 [inline]
slab_alloc_node mm/slub.c:4937 [inline]
__kmalloc_cache_noprof+0x371/0x480 mm/slub.c:5443
_kmalloc_noprof include/linux/slab.h:969 [inline]
_kzalloc_noprof include/linux/slab.h:1286 [inline]
init_srcu_struct_fields+0x2c0/0x350 kernel/rcu/srcutree.c:207
hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object (percpu) 0x607e4db7f740 (size 384):
comm "syz.0.17", pid 6610, jiffies 4294948707
hex dump (first 32 bytes on cpu 0):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 593bdea7):
pcpu_alloc_noprof+0x7c7/0xed0 mm/percpu.c:1956
init_srcu_struct_fields+0x2eb/0x350 kernel/rcu/srcutree.c:224
hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object (percpu) 0x607e4db7f8c0 (size 384):
comm "syz.0.18", pid 6619, jiffies 4294948711
hex dump (first 32 bytes on cpu 0):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 593bdea7):
pcpu_alloc_noprof+0x7c7/0xed0 mm/percpu.c:1956
init_srcu_struct_fields+0x2eb/0x350 kernel/rcu/srcutree.c:224
hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object (percpu) 0x607e4db7fa40 (size 384):
comm "syz.0.19", pid 6624, jiffies 4294948716
hex dump (first 32 bytes on cpu 0):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 593bdea7):
pcpu_alloc_noprof+0x7c7/0xed0 mm/percpu.c:1956
init_srcu_struct_fields+0x2eb/0x350 kernel/rcu/srcutree.c:224
hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit: 7da7f071 Add linux-next specific files for 20260529
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=14bf17a6580000
kernel config: https://syzkaller.appspot.com/x/.config?x=3dd1e35bbd92239d
dashboard link: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=10cd7ed2580000

syzbot

May 30, 2026, 8:13:31 PM (9 days ago) May 30
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: [PATCH] Bluetooth: hci_core: Fix SRCU leak when device is freed unregistered
Author: karti...@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master




hci_alloc_dev_priv() initializes hdev->srcu with init_srcu_struct(), but
the matching cleanup_srcu_struct() is only called from hci_unregister_dev().
A hci_dev that is allocated and then freed without ever being registered
leaks the SRCU internals - the node array and the per-CPU sda - even though
the hci_dev itself is freed correctly.

This is reachable from the hci_uart line discipline. h5_open() (used by the
HCI_UART_3WIRE protocol) sets HCI_UART_INIT_PENDING, so hci_uart_register_dev()
returns early without calling hci_register_dev() and HCI_UART_REGISTERED is
never set. Registration is deferred until the three-wire link is synced, which
never happens over a bare pty. When the tty is closed, hci_uart_tty_close()
finds HCI_UART_REGISTERED clear, skips hci_unregister_dev(), and calls
hci_free_dev() -> hci_release_dev() -> kfree(hdev), orphaning the SRCU
allocations.

kmemleak reports only the SRCU sub-objects, not hdev, confirming that hdev is
freed while its embedded srcu is not torn down:

init_srcu_struct_fields+0x2c0/0x350 kernel/rcu/srcutree.c:207
hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2453
hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:644 [inline]
hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:720 [inline]
hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:774

syzbot

May 30, 2026, 8:21:03 PM (9 days ago) May 30
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in init_srcu_struct_fields

BUG: memory leak
unreferenced object (percpu) 0x607e4db7f7c0 (size 384):
comm "syz.0.17", pid 6615, jiffies 4294948617
hex dump (first 32 bytes on cpu 1):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 593bdea7):
pcpu_alloc_noprof+0x7c7/0xed0 mm/percpu.c:1956
init_srcu_struct_fields+0x2eb/0x350 kernel/rcu/srcutree.c:224
hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88810de8e800 (size 512):
comm "syz.0.18", pid 6621, jiffies 4294948621
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 4c023471):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4613 [inline]
slab_alloc_node mm/slub.c:4937 [inline]
__kmalloc_cache_noprof+0x371/0x480 mm/slub.c:5443
_kmalloc_noprof include/linux/slab.h:969 [inline]
_kzalloc_noprof include/linux/slab.h:1286 [inline]
init_srcu_struct_fields+0x2c0/0x350 kernel/rcu/srcutree.c:207
hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object (percpu) 0x607e4db7f940 (size 384):
comm "syz.0.18", pid 6621, jiffies 4294948621
hex dump (first 32 bytes on cpu 1):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 593bdea7):
pcpu_alloc_noprof+0x7c7/0xed0 mm/percpu.c:1956
init_srcu_struct_fields+0x2eb/0x350 kernel/rcu/srcutree.c:224
hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88810de8fc00 (size 512):
comm "syz.0.19", pid 6630, jiffies 4294948624
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc a013f5be):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4613 [inline]
slab_alloc_node mm/slub.c:4937 [inline]
__kmalloc_cache_noprof+0x371/0x480 mm/slub.c:5443
_kmalloc_noprof include/linux/slab.h:969 [inline]
_kzalloc_noprof include/linux/slab.h:1286 [inline]
init_srcu_struct_fields+0x2c0/0x350 kernel/rcu/srcutree.c:207
hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object (percpu) 0x607e4db7fac0 (size 384):
comm "syz.0.19", pid 6630, jiffies 4294948624
hex dump (first 32 bytes on cpu 1):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 593bdea7):
pcpu_alloc_noprof+0x7c7/0xed0 mm/percpu.c:1956
init_srcu_struct_fields+0x2eb/0x350 kernel/rcu/srcutree.c:224
hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit: 7da7f071 Add linux-next specific files for 20260529
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1395b36a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=3dd1e35bbd92239d
dashboard link: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=123de056580000

syzbot

May 30, 2026, 9:19:05 PM (9 days ago) May 30
to karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in init_srcu_struct_fields

BUG: memory leak
unreferenced object 0xffff88810ace7000 (size 512):
comm "syz.0.17", pid 6583, jiffies 4294948651
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 1a69216d):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4575 [inline]
slab_alloc_node mm/slub.c:4899 [inline]
__kmalloc_cache_noprof+0x371/0x480 mm/slub.c:5415
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
init_srcu_struct_fields+0x2c0/0x350 kernel/rcu/srcutree.c:207
hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object (percpu) 0x607e4d944640 (size 384):
comm "syz.0.17", pid 6583, jiffies 4294948651
hex dump (first 32 bytes on cpu 0):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 593bdea7):
pcpu_alloc_noprof+0x7c7/0xed0 mm/percpu.c:1896
init_srcu_struct_fields+0x2eb/0x350 kernel/rcu/srcutree.c:224
hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object 0xffff88810b1d9200 (size 512):
comm "syz.0.18", pid 6587, jiffies 4294948653
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 27fa06af):
kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
slab_post_alloc_hook mm/slub.c:4575 [inline]
slab_alloc_node mm/slub.c:4899 [inline]
__kmalloc_cache_noprof+0x371/0x480 mm/slub.c:5415
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
init_srcu_struct_fields+0x2c0/0x350 kernel/rcu/srcutree.c:207
hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object (percpu) 0x607e4d9447c0 (size 384):
comm "syz.0.18", pid 6587, jiffies 4294948653
hex dump (first 32 bytes on cpu 0):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 593bdea7):
pcpu_alloc_noprof+0x7c7/0xed0 mm/percpu.c:1896
init_srcu_struct_fields+0x2eb/0x350 kernel/rcu/srcutree.c:224
hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

BUG: memory leak
unreferenced object (percpu) 0x607e4d944980 (size 384):
comm "syz.0.19", pid 6595, jiffies 4294948657
hex dump (first 32 bytes on cpu 0):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 593bdea7):
pcpu_alloc_noprof+0x7c7/0xed0 mm/percpu.c:1896
init_srcu_struct_fields+0x2eb/0x350 kernel/rcu/srcutree.c:224
hci_alloc_dev_priv+0x37/0x680 net/bluetooth/hci_core.c:2416
hci_alloc_dev include/net/bluetooth/hci_core.h:1763 [inline]
hci_uart_register_dev drivers/bluetooth/hci_ldisc.c:672 [inline]
hci_uart_set_proto drivers/bluetooth/hci_ldisc.c:752 [inline]
hci_uart_tty_ioctl+0x173/0x460 drivers/bluetooth/hci_ldisc.c:806
tty_ioctl+0xaca/0xd60 drivers/tty/tty_io.c:2801
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__x64_sys_ioctl+0xf4/0x140 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xee/0x600 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


Tested on:

commit: 174914ea Merge tag 'v7.1-rc6-smb3-client-fixes' of git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17f2f57e580000
kernel config: https://syzkaller.appspot.com/x/.config?x=5733044df9370cfc
dashboard link: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=17b2f57e580000

syzbot

May 31, 2026, 10:59:04 AM (8 days ago) May 31
to karti...@gmail.com, kbredd...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in hci_release_dev

BUG: kernel NULL pointer dereference, address: 00000000000000b0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 800000011280f067 P4D 800000011280f067 PUD 0
Oops: Oops: 0000 [#1] SMP PTI
CPU: 1 UID: 0 PID: 6587 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
RIP: 0010:workqueue_sysfs_unregister kernel/workqueue.c:7632 [inline]
RIP: 0010:destroy_workqueue+0x1a/0x430 kernel/workqueue.c:6045
Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 41 57 41 56 41 55 49 89 fd 41 54 55 53 48 83 ec 08 e8 66 d6 15 00 <49> 8b 9d b0 00 00 00 48 85 db 74 19 e8 55 d6 15 00 48 8d 7b 08 49
RSP: 0018:ffffc90002177c68 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88811cb86000 RCX: ffffffff81a2820c
RDX: ffff88810aac91c0 RSI: ffffffff816e808a RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000000
R10: ffffffff85600000 R11: 0000000000000001 R12: ffff88811cb87390
R13: 0000000000000000 R14: ffff88811cb86030 R15: 0000000000000000
FS: 000055556c326500(0000) GS:ffff8881b23e5000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000b0 CR3: 0000000129ede000 CR4: 00000000003526f0
Call Trace:
<TASK>
hci_release_dev+0x62/0x250 net/bluetooth/hci_core.c:2712
bt_host_release+0x19/0x30 net/bluetooth/hci_sysfs.c:86
device_release+0x4d/0xd0 drivers/base/core.c:2566
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0xe4/0x1d0 lib/kobject.c:737
put_device+0x1f/0x30 drivers/base/core.c:3814
hci_uart_tty_close+0x155/0x1a0 drivers/bluetooth/hci_ldisc.c:587
tty_ldisc_close+0x51/0x70 drivers/tty/tty_ldisc.c:455
tty_ldisc_kill drivers/tty/tty_ldisc.c:613 [inline]
tty_ldisc_release+0xd5/0x2d0 drivers/tty/tty_ldisc.c:781
tty_release_struct+0x1a/0x90 drivers/tty/tty_io.c:1681
tty_release+0x6b0/0x6c0 drivers/tty/tty_io.c:1852
__fput+0x1b5/0x500 fs/file_table.c:510
task_work_run+0x95/0xf0 kernel/task_work.c:233
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
__exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
exit_to_user_mode_loop+0xd9/0x4a0 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:230 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
do_syscall_64+0x485/0x600 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe03af9cdd9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffeee0ab038 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007ffeee0ab120 RCX: 00007fe03af9cdd9
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 000000000001bd43 R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b31220000 R11: 0000000000000246 R12: 00007ffeee0ab160
R13: 00007fe03b215fac R14: 000000000001bd76 R15: 00007fe03b215fa0
</TASK>
Modules linked in:
CR2: 00000000000000b0
---[ end trace 0000000000000000 ]---
RIP: 0010:workqueue_sysfs_unregister kernel/workqueue.c:7632 [inline]
RIP: 0010:destroy_workqueue+0x1a/0x430 kernel/workqueue.c:6045
Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 41 57 41 56 41 55 49 89 fd 41 54 55 53 48 83 ec 08 e8 66 d6 15 00 <49> 8b 9d b0 00 00 00 48 85 db 74 19 e8 55 d6 15 00 48 8d 7b 08 49
RSP: 0018:ffffc90002177c68 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88811cb86000 RCX: ffffffff81a2820c
RDX: ffff88810aac91c0 RSI: ffffffff816e808a RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000000
R10: ffffffff85600000 R11: 0000000000000001 R12: ffff88811cb87390
R13: 0000000000000000 R14: ffff88811cb86030 R15: 0000000000000000
FS: 000055556c326500(0000) GS:ffff8881b23e5000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000b0 CR3: 0000000129ede000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
0: 90 nop
1: 90 nop
2: 90 nop
3: 90 nop
4: 90 nop
5: 90 nop
6: 90 nop
7: 90 nop
8: 90 nop
9: 90 nop
a: 90 nop
b: 90 nop
c: 90 nop
d: 90 nop
e: 90 nop
f: 90 nop
10: f3 0f 1e fa endbr64
14: 41 57 push %r15
16: 41 56 push %r14
18: 41 55 push %r13
1a: 49 89 fd mov %rdi,%r13
1d: 41 54 push %r12
1f: 55 push %rbp
20: 53 push %rbx
21: 48 83 ec 08 sub $0x8,%rsp
25: e8 66 d6 15 00 call 0x15d690
* 2a: 49 8b 9d b0 00 00 00 mov 0xb0(%r13),%rbx <-- trapping instruction
31: 48 85 db test %rbx,%rbx
34: 74 19 je 0x4f
36: e8 55 d6 15 00 call 0x15d690
3b: 48 8d 7b 08 lea 0x8(%rbx),%rdi
3f: 49 rex.WB


Tested on:

commit: 174914ea Merge tag 'v7.1-rc6-smb3-client-fixes' of git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17cb69a6580000
kernel config: https://syzkaller.appspot.com/x/.config?x=5733044df9370cfc
dashboard link: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=114b7ed2580000

syzbot

May 31, 2026, 11:27:04 AM (8 days ago) May 31
to karti...@gmail.com, kbredd...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel NULL pointer dereference in hci_release_dev

BUG: kernel NULL pointer dereference, address: 00000000000000b0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 800000012a7b5067 P4D 800000012a7b5067 PUD 0
Oops: Oops: 0000 [#1] SMP PTI
CPU: 1 UID: 0 PID: 6583 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
RIP: 0010:workqueue_sysfs_unregister kernel/workqueue.c:7607 [inline]
RIP: 0010:destroy_workqueue+0x1a/0x430 kernel/workqueue.c:6020
Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 41 57 41 56 41 55 49 89 fd 41 54 55 53 48 83 ec 08 e8 06 d2 15 00 <49> 8b 9d b0 00 00 00 48 85 db 74 19 e8 f5 d1 15 00 48 8d 7b 08 49
RSP: 0018:ffffc90002aafc78 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8881141e0000 RCX: ffffffff81a266cc
RDX: ffff88810a6311c0 RSI: ffffffff816e6f0a RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000000
R10: ffffffff85600000 R11: 0000000000000001 R12: ffff8881141e1390
R13: 0000000000000000 R14: ffff8881141e0030 R15: 0000000000000000
FS: 000055559230a500(0000) GS:ffff8881b23ec000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000b0 CR3: 000000012983e000 CR4: 00000000003526f0
Call Trace:
<TASK>
hci_release_dev+0x62/0x250 net/bluetooth/hci_core.c:2749
bt_host_release+0x19/0x30 net/bluetooth/hci_sysfs.c:86
device_release+0x4d/0xd0 drivers/base/core.c:2566
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0xe4/0x1d0 lib/kobject.c:737
put_device+0x1f/0x30 drivers/base/core.c:3814
hci_uart_tty_close+0xf7/0x120 drivers/bluetooth/hci_ldisc.c:558
tty_ldisc_close+0x51/0x70 drivers/tty/tty_ldisc.c:455
tty_ldisc_kill drivers/tty/tty_ldisc.c:613 [inline]
tty_ldisc_release+0xd5/0x2d0 drivers/tty/tty_ldisc.c:781
tty_release_struct+0x1a/0x90 drivers/tty/tty_io.c:1681
tty_release+0x6b0/0x6c0 drivers/tty/tty_io.c:1852
__fput+0x1b5/0x500 fs/file_table.c:510
task_work_run+0x95/0xf0 kernel/task_work.c:233
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
__exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
exit_to_user_mode_loop+0xcf/0x440 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline]
do_syscall_64+0x485/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f57d6b9cdd9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff37ccc228 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007fff37ccc310 RCX: 00007f57d6b9cdd9
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 000000000001baba R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b31820000 R11: 0000000000000246 R12: 00007fff37ccc350
R13: 00007f57d6e15fac R14: 000000000001baed R15: 00007f57d6e15fa0
</TASK>
Modules linked in:
CR2: 00000000000000b0
---[ end trace 0000000000000000 ]---
RIP: 0010:workqueue_sysfs_unregister kernel/workqueue.c:7607 [inline]
RIP: 0010:destroy_workqueue+0x1a/0x430 kernel/workqueue.c:6020
Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 41 57 41 56 41 55 49 89 fd 41 54 55 53 48 83 ec 08 e8 06 d2 15 00 <49> 8b 9d b0 00 00 00 48 85 db 74 19 e8 f5 d1 15 00 48 8d 7b 08 49
RSP: 0018:ffffc90002aafc78 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8881141e0000 RCX: ffffffff81a266cc
RDX: ffff88810a6311c0 RSI: ffffffff816e6f0a RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000000000000
R10: ffffffff85600000 R11: 0000000000000001 R12: ffff8881141e1390
R13: 0000000000000000 R14: ffff8881141e0030 R15: 0000000000000000
FS: 000055559230a500(0000) GS:ffff8881b23ec000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000b0 CR3: 000000012983e000 CR4: 00000000003526f0
25: e8 06 d2 15 00 call 0x15d230
* 2a: 49 8b 9d b0 00 00 00 mov 0xb0(%r13),%rbx <-- trapping instruction
31: 48 85 db test %rbx,%rbx
34: 74 19 je 0x4f
36: e8 f5 d1 15 00 call 0x15d230
3b: 48 8d 7b 08 lea 0x8(%rbx),%rdi
3f: 49 rex.WB


Tested on:

commit: f377d002 Merge tag 'sh-for-v7.1-tag2' of git://git.ker..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=14789d7e580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9645c21cfd1d3e8f
dashboard link: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=10392ab6580000

syzbot

May 31, 2026, 12:11:04 PM (8 days ago) May 31
to karti...@gmail.com, kbredd...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+535ecc...@syzkaller.appspotmail.com
Tested-by: syzbot+535ecc...@syzkaller.appspotmail.com

Tested on:

commit: f377d002 Merge tag 'sh-for-v7.1-tag2' of git://git.ker..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=125e35ec580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9645c21cfd1d3e8f
dashboard link: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=122676ec580000

Note: testing is done by a robot and is best-effort only.

Bharath Reddy

May 31, 2026, 12:53:12 PM (8 days ago) May 31
to syzbot+535ecc...@syzkaller.appspotmail.com, karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com, Bharath Reddy
Syzbot caught a percpu memory leak in the SRCU struct when Bluetooth
HCI UART configuration fails early.

The problem boils down to a bypassed destructor. If device setup fails
before hci_register_dev() completes, the HCI_UNREGISTER flag is never
set. Later, when the device is freed, bt_host_release() sees this flag
is missing, skips hci_release_dev(), and jumps straight to kfree(hdev).
This leaks the SRCU memory, which was also incorrectly being cleaned up
in hci_unregister_dev() which is also skipped during an early abort.

To fix this and properly balance the allocation and teardown paths:

1. Move cleanup_srcu_struct() into hci_release_dev() so it directly
mirrors the allocation in hci_alloc_dev().
2. Unconditionally call hci_release_dev() from bt_host_release() by
dropping the HCI_UNREGISTER check. This is safe for unregistered
devices since it only cleans up resources initialized early on in
hci_alloc_dev().

Reported-by: syzbot+535ecc...@syzkaller.appspotmail.com

Signed-off-by: Bharath Reddy <kbredd...@gmail.com>
---
net/bluetooth/hci_core.c | 3 ++-
net/bluetooth/hci_sysfs.c | 6 ++----
2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index c46c1236ebfa..f6bc7cb3e55c 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -2701,7 +2701,6 @@ void hci_unregister_dev(struct hci_dev *hdev)
write_unlock(&hci_dev_list_lock);

synchronize_srcu(&hdev->srcu);
- cleanup_srcu_struct(&hdev->srcu);

disable_work_sync(&hdev->rx_work);
disable_work_sync(&hdev->cmd_work);
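Review bot: removing cleanup_srcu_struct() from hci_unregister_dev() is only correct because the hci_sysfs.c hunk in this same patch makes hci_release_dev() unconditional; if that hunk is dropped or reverted on its own, registered devices would never clean up hdev->srcu, so the two hunks must land together and the commit message should say the cleanup now happens at the final put. The synchronize_srcu() kept above is still required for that deferred cleanup: cleanup_srcu_struct() must not run while SRCU readers or pending callbacks are outstanding.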
@@ -2774,6 +2773,8 @@ void hci_release_dev(struct hci_dev *hdev)
kfree_skb(hdev->sent_cmd);
kfree_skb(hdev->req_skb);
kfree_skb(hdev->recv_event);
+
+ cleanup_srcu_struct(&hdev->srcu);
kfree(hdev);
}
EXPORT_SYMBOL(hci_release_dev);
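Review bot: placing `cleanup_srcu_struct(&hdev->srcu);` immediately before `kfree(hdev);` is the right spot for the registered path, but hci_release_dev() as a whole also tears down resources that exist only after hci_register_dev(): syzbot's test of this patch oopsed in destroy_workqueue() called from hci_release_dev() with a NULL workqueue (the report above traps on `mov 0xb0(%r13),%rbx` with R13 = 0), which is what happens once the hci_sysfs.c hunk routes a never-registered device through this function. Either guard the register-time teardown on the corresponding pointers, or keep the HCI_UNREGISTER branch in bt_host_release() and free only alloc-time state there.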
diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index 041ce9adc378..261b28a25b02 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -83,10 +83,8 @@ static void bt_host_release(struct device *dev)
{
struct hci_dev *hdev = to_hci_dev(dev);

- if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
- hci_release_dev(hdev);
- else
- kfree(hdev);
+ hci_release_dev(hdev);
+
module_put(THIS_MODULE);
}

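Review bot: dropping the HCI_UNREGISTER check sends devices that never completed hci_register_dev() through hci_release_dev(), which frees resources created only by registration; syzbot's test of this version reports a NULL pointer dereference at address 0xb0 in destroy_workqueue() reached from hci_release_dev(). Keep the branch and add only `cleanup_srcu_struct(&hdev->srcu);` before `kfree(hdev);` in the else path, which mirrors init_srcu_struct() in hci_alloc_dev() and is the shape the v2 patch takes. The added blank line after `hci_release_dev(hdev);` is also unnecessary.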
--
2.34.1

Bharath Reddy

May 31, 2026, 12:53:12 PM (8 days ago) May 31
to syzbot+535ecc...@syzkaller.appspotmail.com, karti...@gmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com, Bharath Reddy
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git f377d0025eb0

Early failures in Bluetooth HCI UART configuration leak SRCU percpu
memory.

When device initialization fails before hci_register_dev() completes,
the HCI_UNREGISTER flag is never set. As a result, when the device
reference count reaches zero, bt_host_release() evaluates this flag as
false and falls back to a direct kfree(hdev).

Because hci_release_dev() is bypassed, the SRCU struct initialized
early in hci_alloc_dev() is never cleaned up, resulting in a leak of
percpu memory.

Fix the leak by explicitly calling cleanup_srcu_struct() in the
fallback (unregistered) branch of bt_host_release() before freeing
the device.

Reported-by: syzbot+535ecc...@syzkaller.appspotmail.com

Signed-off-by: Bharath Reddy <kbredd...@gmail.com>
---
net/bluetooth/hci_sysfs.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index 041ce9adc378..74131f2c3be6 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -85,8 +85,10 @@ static void bt_host_release(struct device *dev)

if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
hci_release_dev(hdev);
- else
+ else {
+ cleanup_srcu_struct(&hdev->srcu);
kfree(hdev);
+ }
module_put(THIS_MODULE);
}

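Review bot: kernel coding style (and checkpatch.pl) wants braces on both arms once one arm has them, so the if branch should become `if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) {` followed by `hci_release_dev(hdev);` and `} else {`. Otherwise the placement is right: the fallback branch now balances the init_srcu_struct() done in hci_alloc_dev(), and it relies on the fact that a device which never finished hci_register_dev() was never exposed to SRCU readers, which is why no synchronize_srcu() precedes cleanup_srcu_struct() here; that assumption deserves a one-line comment in the code.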
--
2.34.1
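The lifecycle the v1 and v2 messages above describe, as an added user-space C model. It is not kernel code and not the author's patch: the functions ending in _model, the live-allocation counter standing in for kmemleak, and the counter standing in for the destroy_workqueue() NULL dereference are all constructed for this illustration. It runs the same device lifetime (allocate, optionally register and unregister, final put) under the pre-patch release logic, the v1 logic and the v2 logic, and reports what each one leaks or would oops on.

```c
/*
 * Added user-space model of the hci_dev lifecycle discussed in this thread;
 * not kernel code.  Functions ending in _model are constructed stand-ins for
 * hci_alloc_dev(), hci_register_dev(), hci_unregister_dev(), hci_release_dev()
 * and bt_host_release().  A live-allocation counter stands in for kmemleak,
 * and a NULL workqueue reaching the destroy stand-in is counted, not oopsed on.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

enum release_variant {
	RELEASE_ORIGINAL,	/* pre-patch: cleanup_srcu_struct() only in unregister */
	RELEASE_V1,		/* v1: cleanup in hci_release_dev(), called unconditionally */
	RELEASE_V2		/* v2: cleanup in the unregistered branch of bt_host_release() */
};

struct hdev_model {
	bool unregister_flag;	/* HCI_UNREGISTER: set only by the unregister path */
	void *srcu_percpu;	/* percpu SRCU state, allocated by init_srcu_struct() */
	void *workqueue;	/* allocated only once hci_register_dev() runs */
};

static int live_allocs;		/* stand-in for kmemleak's unreferenced objects */
static int null_workqueues;	/* stand-in for the NULL deref in destroy_workqueue() */
static void *track_alloc(size_t n) { live_allocs++; return calloc(1, n); }
static void track_free(void *p) { if (p) { live_allocs--; free(p); } }

static struct hdev_model *alloc_dev_model(void)
{
	struct hdev_model *h = track_alloc(sizeof(*h));
	h->srcu_percpu = track_alloc(384);	/* the object syzbot reported as leaked */
	return h;
}

static void register_dev_model(struct hdev_model *h)
{
	h->workqueue = track_alloc(64);		/* alloc_workqueue() happens only here */
}

static void unregister_dev_model(struct hdev_model *h, enum release_variant v)
{
	h->unregister_flag = true;
	if (v != RELEASE_V1) {			/* v1 moved cleanup_srcu_struct() out of here */
		track_free(h->srcu_percpu);
		h->srcu_percpu = NULL;
	}
}

static void release_dev_model(struct hdev_model *h, enum release_variant v)
{
	if (!h->workqueue)
		null_workqueues++;		/* the kernel oopses in destroy_workqueue() here */
	track_free(h->workqueue);
	if (v == RELEASE_V1)
		track_free(h->srcu_percpu);	/* v1's cleanup_srcu_struct() before kfree() */
	track_free(h);
}

static void host_release_model(struct hdev_model *h, enum release_variant v)
{
	if (v == RELEASE_V1) {			/* unconditional, even when never registered */
		release_dev_model(h, v);
	} else if (h->unregister_flag) {
		release_dev_model(h, v);
	} else {				/* fallback branch for a never-registered device */
		if (v == RELEASE_V2)
			track_free(h->srcu_percpu);	/* v2's added cleanup_srcu_struct() */
		track_free(h);			/* the original code did only this: SRCU state leaks */
	}
}

/* Run one device lifetime; setup_fails models the early HCI UART failure. */
static void run_lifetime(enum release_variant v, bool setup_fails)
{
	live_allocs = null_workqueues = 0;
	struct hdev_model *h = alloc_dev_model();
	if (!setup_fails) {
		register_dev_model(h);
		unregister_dev_model(h, v);
	}
	host_release_model(h, v);
}

int leaked_objects(enum release_variant v, bool f) { run_lifetime(v, f); return live_allocs; }
int null_workqueue_derefs(enum release_variant v, bool f) { run_lifetime(v, f); return null_workqueues; }

int main(void)
{
	static const char *const names[] = { "original", "v1", "v2" };
	for (int v = RELEASE_ORIGINAL; v <= RELEASE_V2; v++)
		printf("%-8s early failure: leaked=%d null_wq=%d; registered: leaked=%d null_wq=%d\n",
		       names[v], leaked_objects(v, true), null_workqueue_derefs(v, true),
		       leaked_objects(v, false), null_workqueue_derefs(v, false));
	return 0;
}
```

The early-failure row is the one the thread is about: the pre-patch logic leaks exactly one object (the percpu SRCU state from alloc time), v1 frees it but reaches the workqueue teardown with a NULL pointer, and v2 frees only what hci_alloc_dev() set up and so neither leaks nor oopses. The registered row shows all three variants balanced, which is why the bug only surfaced on the error path.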

Bharath Reddy

May 31, 2026, 2:13:06 PM (8 days ago) May 31
to mar...@holtmann.org, luiz....@gmail.com, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, Bharath Reddy, syzbot+535ecc...@syzkaller.appspotmail.com
Early failures in Bluetooth HCI UART configuration leak SRCU percpu
memory.

When device initialization fails before hci_register_dev() completes,
the HCI_UNREGISTER flag is never set. As a result, when the device
reference count reaches zero, bt_host_release() evaluates this flag as
false and falls back to a direct kfree(hdev).

Because hci_release_dev() is bypassed, the SRCU struct initialized
early in hci_alloc_dev() is never cleaned up, resulting in a leak of
percpu memory.

Fix the leak by explicitly calling cleanup_srcu_struct() in the
fallback (unregistered) branch of bt_host_release() before freeing
the device.

Reported-by: syzbot+535ecc...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
Tested-by: syzbot+535ecc...@syzkaller.appspotmail.com
Fixes: 1d6123102e9f ("Bluetooth: hci_core: Fix use-after-free in vhci_flush()")
Signed-off-by: Bharath Reddy <kbredd...@gmail.com>
---
net/bluetooth/hci_sysfs.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
index 041ce9adc378..8957ce7c21b7 100644
--- a/net/bluetooth/hci_sysfs.c
+++ b/net/bluetooth/hci_sysfs.c
@@ -83,10 +83,12 @@ static void bt_host_release(struct device *dev)
{
struct hci_dev *hdev = to_hci_dev(dev);

- if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
+ if (hci_dev_test_flag(hdev, HCI_UNREGISTER)) {

Bharath Reddy

May 31, 2026, 2:54:00 PM (8 days ago) May 31
to mar...@holtmann.org, luiz....@gmail.com, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, Bharath Reddy, syzbot+535ecc...@syzkaller.appspotmail.com
Early failures in Bluetooth HCI UART configuration leak SRCU percpu
memory.

When device initialization fails before hci_register_dev() completes,
the HCI_UNREGISTER flag is never set. As a result, when the device
reference count reaches zero, bt_host_release() evaluates this flag as
false and falls back to a direct kfree(hdev).

Because hci_release_dev() is bypassed, the SRCU struct initialized
early in hci_alloc_dev() is never cleaned up, resulting in a leak of
percpu memory.

Fix the leak by explicitly calling cleanup_srcu_struct() in the
fallback (unregistered) branch of bt_host_release() before freeing
the device.

Reported-by: syzbot+535ecc...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
Tested-by: syzbot+535ecc...@syzkaller.appspotmail.com
Fixes: 1d6123102e9f ("Bluetooth: hci_core: Fix use-after-free in vhci_flush()")
Signed-off-by: Bharath Reddy <kbredd...@gmail.com>
---
Changes in v4:
- Include patch version history.

Changes in v3:
- Added missing curly braces to the if/else block in bt_host_release()
to resolve a checkpatch.pl warning.
- Added Fixes and Closes tags.

Changes in v2:
- Fixed a NULL pointer dereference caused by v1.
- Moved cleanup_srcu_struct() to the fallback (unregistered) branch
of bt_host_release() instead of unconditionally calling hci_release_dev().

Changes in v1:
- Initial patch (failed because it bypassed the HCI_UNREGISTER check).

Bharath Reddy

May 31, 2026, 11:24:46 PM (8 days ago) May 31
to mar...@holtmann.org, luiz....@gmail.com, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, Bharath Reddy, syzbot+535ecc...@syzkaller.appspotmail.com
Early failures in Bluetooth HCI UART configuration leak SRCU percpu
memory.

When device initialization fails before hci_register_dev() completes,
the HCI_UNREGISTER flag is never set. As a result, when the device
reference count reaches zero, bt_host_release() evaluates this flag as
false and falls back to a direct kfree(hdev).

Because hci_release_dev() is bypassed, the SRCU struct initialized
early in hci_alloc_dev() is never cleaned up, resulting in a leak of
percpu memory.

Fix the leak by explicitly calling cleanup_srcu_struct() in the
fallback (unregistered) branch of bt_host_release() before freeing
the device.

Reported-by: syzbot+535ecc...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=535ecc844591e50588a5
Tested-by: syzbot+535ecc...@syzkaller.appspotmail.com
Fixes: 1d6123102e9f ("Bluetooth: hci_core: Fix use-after-free in vhci_flush()")
Signed-off-by: Bharath Reddy <kbredd...@gmail.com>
---
Changes in v5:
- Removed trailing whitespace in the version history to fix GitLint error

Changes in v4:
- Included patch version history

Changes in v3:
- Added missing curly braces to the if/else block in bt_host_release()
to resolve a checkpatch.pl warning
- Added Fixes and Closes tags

Changes in v2:
- Fixed a NULL pointer dereference caused by v1
- Moved cleanup_srcu_struct() to the fallback (unregistered) branch
of bt_host_release() instead of unconditionally calling hci_release_dev()

Changes in v1:
- Initial patch (failed because it bypassed the HCI_UNREGISTER check)

patchwork-b...@kernel.org

Jun 1, 2026, 3:10:07 PM (7 days ago) Jun 1
to Bharath Reddy, mar...@holtmann.org, luiz....@gmail.com, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, syzbot+535ecc...@syzkaller.appspotmail.com
Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.vo...@intel.com>:

On Mon, 1 Jun 2026 08:54:26 +0530 you wrote:
> Early failures in Bluetooth HCI UART configuration leak SRCU percpu
> memory.
>
> When device initialization fails before hci_register_dev() completes,
> the HCI_UNREGISTER flag is never set. As a result, when the device
> reference count reaches zero, bt_host_release() evaluates this flag as
> false and falls back to a direct kfree(hdev).
>
> [...]

Here is the summary with links:
- [v5] Bluetooth: fix memory leak in error path of hci_alloc_dev()
https://git.kernel.org/bluetooth/bluetooth-next/c/cf767a2d88f7

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

