[syzbot] [bluetooth?] KASAN: slab-use-after-free Read in mgmt_remove_adv_monitor_complete (3)


syzbot

May 14, 2025, 12:27:32 AM
to johan....@gmail.com, linux-b...@vger.kernel.org, linux-...@vger.kernel.org, luiz....@gmail.com, mar...@holtmann.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: ea34704d6ad7 Merge tag 'drm-fixes-2025-05-10' of https://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1663acf4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=91c351a0f6229e67
dashboard link: https://syzkaller.appspot.com/bug?extid=feb0dc579bbe30a13190
compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=112c9768580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1526e670580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-ea34704d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c7e586f1a091/vmlinux-ea34704d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/cd61ffd40938/bzImage-ea34704d.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+feb0dc...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5405
Read of size 8 at addr ffff888048891a18 by task kworker/u5:8/5333

CPU: 0 UID: 0 PID: 5333 Comm: kworker/u5:8 Not tainted 6.15.0-rc5-syzkaller-00197-gea34704d6ad7 #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xb4/0x290 mm/kasan/report.c:521
kasan_report+0x118/0x150 mm/kasan/report.c:634
mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5405
hci_cmd_sync_work+0x25e/0x3a0 net/bluetooth/hci_sync.c:334
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xadb/0x17a0 kernel/workqueue.c:3319
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>

Allocated by task 5702:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252
mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279
remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5453
hci_mgmt_cmd+0x9c6/0xef0 net/bluetooth/hci_sock.c:1712
hci_sock_sendmsg+0x6ca/0xee0 net/bluetooth/hci_sock.c:1832
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:727
sock_write_iter+0x258/0x330 net/socket.c:1131
new_sync_write fs/read_write.c:591 [inline]
vfs_write+0x548/0xa90 fs/read_write.c:684
ksys_write+0x145/0x250 fs/read_write.c:736
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5700:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2380 [inline]
slab_free mm/slub.c:4642 [inline]
kfree+0x193/0x440 mm/slub.c:4841
mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242
mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9362
hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1307
__sys_bind_socket net/socket.c:1810 [inline]
__sys_bind+0x2c3/0x3e0 net/socket.c:1841
__do_sys_bind net/socket.c:1846 [inline]
__se_sys_bind net/socket.c:1844 [inline]
__x64_sys_bind+0x7a/0x90 net/socket.c:1844
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888048891a00
which belongs to the cache kmalloc-96 of size 96
The buggy address is located 24 bytes inside of
freed 96-byte region [ffff888048891a00, ffff888048891a60)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x48891
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 04fff00000000000 ffff88801a041280 ffffea0000d6e3c0 dead000000000008
raw: 0000000000000000 0000000080200020 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 5317, tgid 5317 (syz-executor420), ts 80512529929, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1d8/0x230 mm/page_alloc.c:1718
prep_new_page mm/page_alloc.c:1726 [inline]
get_page_from_freelist+0x21ce/0x22b0 mm/page_alloc.c:3688
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4970
alloc_slab_page mm/slub.c:2452 [inline]
allocate_slab+0x65/0x3b0 mm/slub.c:2618
new_slab mm/slub.c:2672 [inline]
___slab_alloc+0xbfc/0x1480 mm/slub.c:3858
__slab_alloc mm/slub.c:3948 [inline]
__slab_alloc_node mm/slub.c:4023 [inline]
slab_alloc_node mm/slub.c:4184 [inline]
__kmalloc_cache_node_noprof+0x29a/0x3d0 mm/slub.c:4366
kmalloc_node_noprof include/linux/slab.h:928 [inline]
alloc_node_nr_active kernel/workqueue.c:4872 [inline]
__alloc_workqueue+0x6a4/0x1b70 kernel/workqueue.c:5726
alloc_workqueue+0xd4/0x210 kernel/workqueue.c:5786
tipc_topsrv_work_start net/tipc/topsrv.c:635 [inline]
tipc_topsrv_start net/tipc/topsrv.c:679 [inline]
tipc_topsrv_init_net+0x37f/0x830 net/tipc/topsrv.c:725
ops_init+0x359/0x5c0 net/core/net_namespace.c:138
setup_net+0x238/0x830 net/core/net_namespace.c:364
copy_net_ns+0x32e/0x590 net/core/net_namespace.c:518
create_new_namespaces+0x3d3/0x700 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0x11c/0x170 kernel/nsproxy.c:228
ksys_unshare+0x4c8/0x8c0 kernel/fork.c:3375
__do_sys_unshare kernel/fork.c:3446 [inline]
__se_sys_unshare kernel/fork.c:3444 [inline]
__x64_sys_unshare+0x38/0x50 kernel/fork.c:3444
page_owner free stack trace missing

Memory state around the buggy address:
ffff888048891900: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff888048891980: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff888048891a00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
^
ffff888048891a80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff888048891b00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
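As an added illustration (not code from the report, from the patches in this thread, or from the kernel): a userspace C model of the object lifetime behind this KASAN splat. The pending mgmt command is allocated by mgmt_pending_add() in remove_adv_monitor(), freed by mgmt_pending_foreach() when mgmt_index_removed() runs on the hci_sock_bind() path, and read afterwards by mgmt_remove_adv_monitor_complete() from hci_cmd_sync_work. The list, lock and function names below are this example's own, and the opcode is constructed; complete_unchecked() shows the captured-pointer pattern that KASAN flagged, complete_checked() the re-validation under the lock that makes a late completion a no-op instead of a read of freed memory.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model of the pending-command lifetime behind the report above.
 * All names here are hypothetical (not the kernel's); the opcode is constructed. */
struct pending_cmd {
    struct pending_cmd *next;
    unsigned int opcode;
    int status;
};

struct dev {
    pthread_mutex_t lock;        /* stands in for hdev->lock */
    struct pending_cmd *pending; /* stands in for the hdev mgmt pending list */
};

/* Like mgmt_pending_add(): allocate the command and link it under the lock. */
static struct pending_cmd *pending_add(struct dev *d, unsigned int opcode)
{
    struct pending_cmd *cmd = calloc(1, sizeof(*cmd));
    if (!cmd)
        return NULL;
    cmd->opcode = opcode;
    pthread_mutex_lock(&d->lock);
    cmd->next = d->pending;
    d->pending = cmd;
    pthread_mutex_unlock(&d->lock);
    return cmd;
}

/* Like the mgmt_pending_foreach()/kfree() step in mgmt_index_removed():
 * detach the list under the lock, then free every entry. Returns the count. */
static int pending_remove_all(struct dev *d)
{
    struct pending_cmd *cmd, *next;
    int n = 0;
    pthread_mutex_lock(&d->lock);
    cmd = d->pending;
    d->pending = NULL;
    pthread_mutex_unlock(&d->lock);
    for (; cmd; cmd = next) {
        next = cmd->next;
        free(cmd);
        n++;
    }
    return n;
}

/* The pattern KASAN flagged: a completion that trusts the pointer captured at
 * queue time. After pending_remove_all() this would read freed memory, so the
 * example only ever calls it on a command that is still pending. */
static int complete_unchecked(struct pending_cmd *cmd, int status)
{
    cmd->status = status;
    return cmd->opcode;
}

/* Hardened form: under the lock, confirm cmd is still listed and unlink it so
 * nothing else can free it, then use it. Returns the opcode, or -1 when the
 * command is already gone, which turns the late completion into a no-op. */
static int complete_checked(struct dev *d, struct pending_cmd *cmd, int status)
{
    struct pending_cmd **pp;
    int opcode;
    pthread_mutex_lock(&d->lock);
    for (pp = &d->pending; *pp; pp = &(*pp)->next) {
        if (*pp != cmd)
            continue;
        *pp = cmd->next;
        pthread_mutex_unlock(&d->lock);
        cmd->status = status;
        opcode = cmd->opcode;
        free(cmd);
        return opcode;
    }
    pthread_mutex_unlock(&d->lock);
    return -1;
}

/* Ordering from the report: index removal (hci_sock_bind path) runs before the
 * deferred completion (hci_cmd_sync_work path). Expected result: -1. */
static int scenario_index_removed_first(void)
{
    struct dev d = { PTHREAD_MUTEX_INITIALIZER, NULL };
    struct pending_cmd *cmd = pending_add(&d, 0x53); /* constructed opcode */
    pending_remove_all(&d);
    return complete_checked(&d, cmd, 0);
}

/* Normal ordering: completion runs while the command is pending. Expected: 0. */
static int scenario_completion_first(void)
{
    struct dev d = { PTHREAD_MUTEX_INITIALIZER, NULL };
    struct pending_cmd *cmd = pending_add(&d, 0x53);
    if (!cmd || complete_unchecked(cmd, 0) != 0x53 ||
        complete_checked(&d, cmd, 0) != 0x53)
        return -2;
    return pending_remove_all(&d); /* 0: the completion already freed it */
}

int main(void)
{
    printf("index removed first: %d\n", scenario_index_removed_first());
    printf("completion first: %d\n", scenario_completion_first());
    return 0;
}
```

The model deliberately says nothing about where the removal side should take hdev->lock; its point is that serializing the free alone is not enough, because the completion callback still holds a pointer captured before the free and has to re-check membership under the same lock before dereferencing it.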

syzbot

May 14, 2025, 3:10:03 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 9f35e33144ae5377d6a8de86dd3bd4d995c6ac65
Author: dman...@yandex.ru

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 9f35e33144ae5377d6a8de86dd3bd4d995c6ac65

Hillf Danton

May 14, 2025, 7:43:22 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Tue, 13 May 2025 21:27:30 -0700
> syzbot found the following issue on:
>
> HEAD commit: ea34704d6ad7 Merge tag 'drm-fixes-2025-05-10' of https://g..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1663acf4580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=91c351a0f6229e67
> dashboard link: https://syzkaller.appspot.com/bug?extid=feb0dc579bbe30a13190
> compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=112c9768580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1526e670580000

#syz test

--- x/net/bluetooth/mgmt.c
+++ y/net/bluetooth/mgmt.c
@@ -9359,7 +9359,9 @@ void mgmt_index_removed(struct hci_dev *
if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
return;

+ hci_dev_lock(hdev);
mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &match);
+ hci_dev_unlock(hdev);

if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
mgmt_index_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev, NULL, 0,
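Review bot: taking hdev->lock unconditionally around mgmt_pending_foreach() assumes no caller of mgmt_index_removed() already holds it, but hci_unregister_dev() does, and the later test run on upstream master reports exactly that as a lockdep "possible recursive locking" splat ("lock(&hdev->lock); lock(&hdev->lock);" at mgmt_index_removed+0x10b while hci_unregister_dev+0x2d3 holds the same lock), so as written this deadlocks on the non-recursive mutex rather than closing the race; either the hci_sock_bind() caller shown in the free stack has to take the lock before calling in, or mgmt_index_removed() needs a variant that expects the lock held. Separately, serializing the kfree() in cmd_complete_rsp against hci_cmd_sync_work only helps if mgmt_remove_adv_monitor_complete() reaches its cmd pointer under the same lock and re-validates that the entry is still pending; a pointer captured before mgmt_index_removed() ran is still dangling afterwards. Also note that the first test run on 9f35e331 failed to compile at net/bluetooth/mgmt.c:9362 (a line this hunk adds) with an incompatible pointer type, so verify the hunk applies where intended on the tree named in the #syz test command.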
--

syzbot

May 16, 2025, 3:15:08 PM
to dman...@yandex.ru, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

net/bluetooth/mgmt.c:9362:27: error: incompatible pointer types passing 'struct work_struct *' to parameter of type 'struct delayed_work *' [-Werror,-Wincompatible-pointer-types]


Tested on:

commit: 9f35e331 x86/its: Fix build errors when CONFIG_MODULES=n
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=91c351a0f6229e67
dashboard link: https://syzkaller.appspot.com/bug?extid=feb0dc579bbe30a13190
compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=15cd0e70580000

syzbot

May 16, 2025, 3:29:05 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

ly 0 port 6081 - 0
[ 100.848943][ T5354] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
2025/05/16 19:28:23 executed programs: 0
[ 101.013794][ T5369] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 101.017148][ T5369] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 101.020411][ T5369] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 101.035450][ T5369] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 101.038675][ T5369] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 101.209300][ T5423] chnl_net:caif_netlink_parms(): no params data found
[ 101.264598][ T5423] bridge0: port 1(bridge_slave_0) entered blocking state
[ 101.267830][ T5423] bridge0: port 1(bridge_slave_0) entered disabled state
[ 101.270938][ T5423] bridge_slave_0: entered allmulticast mode
[ 101.284275][ T5423] bridge_slave_0: entered promiscuous mode
[ 101.288654][ T5423] bridge0: port 2(bridge_slave_1) entered blocking state
[ 101.291850][ T5423] bridge0: port 2(bridge_slave_1) entered disabled state
[ 101.304908][ T5423] bridge_slave_1: entered allmulticast mode
[ 101.308917][ T5423] bridge_slave_1: entered promiscuous mode
[ 101.344729][ T5423] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 101.350123][ T5423] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 101.404166][ T5423] team0: Port device team_slave_0 added
[ 101.414160][ T5423] team0: Port device team_slave_1 added
[ 101.464236][ T5423] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 101.467427][ T5423] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 101.524876][ T5423] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 101.533942][ T5423] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 101.536944][ T5423] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 101.556644][ T5423] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 101.577493][ T5423] hsr_slave_0: entered promiscuous mode
[ 101.580492][ T5423] hsr_slave_1: entered promiscuous mode
[ 101.583557][ T5423] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 101.586820][ T5423] Cannot create hsr debugfs directory
[ 101.671639][ T5423] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 101.684967][ T5423] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 101.689759][ T5423] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 101.695328][ T5423] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 101.738872][ T5423] 8021q: adding VLAN 0 to HW filter on device bond0
[ 101.750284][ T5423] 8021q: adding VLAN 0 to HW filter on device team0
[ 101.759250][ T3014] bridge0: port 1(bridge_slave_0) entered blocking state
[ 101.762476][ T3014] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 101.776899][ T3014] bridge0: port 2(bridge_slave_1) entered blocking state
[ 101.780075][ T3014] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 101.794837][ T5423] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 101.799531][ T5423] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 101.893807][ T5423] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 101.921315][ T5423] veth0_vlan: entered promiscuous mode
[ 101.927787][ T5423] veth1_vlan: entered promiscuous mode
[ 101.944392][ T5423] veth0_macvtap: entered promiscuous mode
[ 101.948942][ T5423] veth1_macvtap: entered promiscuous mode
[ 101.959001][ T5423] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 101.967366][ T5423] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 101.974334][ T5423] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 101.978242][ T5423] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 101.982099][ T5423] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 101.987697][ T5423] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 102.017256][ T5423] ieee80211 phy5: Selected rate control algorithm 'minstrel_ht'
[ 102.031112][ T1034] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 102.036826][ T5423] ieee80211 phy6: Selected rate control algorithm 'minstrel_ht'
[ 102.042499][ T1034] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 102.060001][ T3014] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 102.065051][ T3014] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 102.407753][ T2998] netdevsim netdevsim2 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 103.526458][ T2998] netdevsim netdevsim2 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 104.285604][ T2998] netdevsim netdevsim2 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 104.317214][ T2998] netdevsim netdevsim2 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 104.398084][ T2998] bridge_slave_1: left allmulticast mode
[ 104.400556][ T2998] bridge_slave_1: left promiscuous mode
[ 104.406727][ T2998] bridge0: port 2(bridge_slave_1) entered disabled state
[ 104.410896][ T2998] bridge_slave_0: left allmulticast mode
[ 104.414563][ T2998] bridge_slave_0: left promiscuous mode
[ 104.417073][ T2998] bridge0: port 1(bridge_slave_0) entered disabled state
[ 104.526855][ T2998] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 104.532481][ T2998] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 104.537559][ T2998] bond0 (unregistering): Released all slaves
[ 104.601253][ T2998] hsr_slave_0: left promiscuous mode
[ 104.606654][ T2998] hsr_slave_1: left promiscuous mode
[ 104.614144][ T2998] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 104.617425][ T2998] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 104.633234][ T2998] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 104.636971][ T2998] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 104.663323][ T2998] veth1_macvtap: left promiscuous mode
[ 104.665793][ T2998] veth0_macvtap: left promiscuous mode
[ 104.668265][ T2998] veth1_vlan: left promiscuous mode
[ 104.670638][ T2998] veth0_vlan: left promiscuous mode
[ 104.837769][ T2998] team0 (unregistering): Port device team_slave_1 removed
[ 104.847365][ T2998] team0 (unregistering): Port device team_slave_0 removed

VM DIAGNOSIS:
19:28:21 Registers:
info registers vcpu 0

CPU#0
RAX=0000000000000079 RBX=0000000000000079 RCX=0000000000000000 RDX=00000000000003f8
RSI=0000000000000000 RDI=0000000000000020 RBP=00000000000003f8 RSP=ffffc9000d52edf0
R8 =ffff888000b60237 R9 =1ffff1100016c046 R10=dffffc0000000000 R11=ffffffff853e04f0
R12=dffffc0000000000 R13=ffffffff9984bc64 R14=ffffffff99b50c00 R15=0000000000000000
RIP=ffffffff853e056c RFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 ffffffff 00c00000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
DS =0000 0000000000000000 ffffffff 00c00000
FS =0000 0000000000000000 ffffffff 00c00000
GS =0000 ffff88808d6c7000 ffffffff 00c00000
LDT=0000 0000000000000000 ffffffff 00c00000
TR =0040 fffffe0000003000 00004087 00008b00 DPL=0 TSS64-busy
GDT= fffffe0000001000 0000007f
IDT= fffffe0000000000 00000fff
CR0=80050033 CR2=00007fff08f02e48 CR3=000000001f723000 CR4=00352ef0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000fffe0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
Opmask00=00000000fcfeffd0 Opmask01=0000000000000003 Opmask02=00000000ffff7fdf Opmask03=0000000000000000
Opmask04=00000000ffffffff Opmask05=0000000000000000 Opmask06=0000000000000000 Opmask07=0000000000000000
ZMM00=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM01=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 44455a494c414954 494e495f43455355
ZMM02=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 00005597abcaeb30
ZMM03=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 00005597abcbcbf0
ZMM04=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 00ff000000000000
ZMM05=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM06=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM07=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 00007f0c36552c80
ZMM08=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM09=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM10=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM11=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM12=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM13=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM14=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM15=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM16=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM17=0000000000000000 0000000000000000 0000000000000000 0000000000000000 3030323a30696368 2f306963682f6874 6f6f7465756c622f 6c6175747269762f
ZMM18=0000000000000000 0000000000000000 0000000000000000 0000000000000000 005600051f40494c 43055c5155484005 424b4c55554c4e53 004057005b1a0f00
ZMM19=0000000000000000 0000000000000000 0000000000000000 0000000000000000 7377685f31313230 3863616d2f6c6175 747269762f736563 697665642f737973
ZMM20=0000000000000000 0000000000000000 0000000000000000 0000000000000000 003a756b733a322e 392d3533712d6370 7276633a3174633a 554d45516e76633a
ZMM21=0000000000000000 0000000000000000 0000000000000000 0000000000000000 322e392d3533712d 63707276703a2939 3030322c39484349 2b35335128435064
ZMM22=0000000000000000 0000000000000000 0000000000000000 0000000000000000 7261646e6174536e 703a554d45516e76 733a302e3072623a 343130322f31302f
ZMM23=0000000000000000 0000000000000000 0000000000000000 0000000000000000 343064623a312b32 316f70627e322d33 2e36312e312d6e61 696265642d332e36
ZMM24=0000000000000000 0000000000000000 0000000000000000 0000000000000000 313731302c453631 302c353631302c34 3631302c33343130 2c323431302c3134
ZMM25=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM26=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM27=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM28=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM29=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM30=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000
ZMM31=0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000 0000000000000000


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/syzkaller/jobs/linux/gopath/pkg/mod/golang.org/tool...@v0.0.1-go1.23.7.linux-amd64'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/syzkaller/jobs/linux/gopath/pkg/mod/golang.org/tool...@v0.0.1-go1.23.7.linux-amd64/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.7'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2323670350=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at 77908e5f2
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=77908e5f2ae80bee6d434bca762a25a0a5fc6a83 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20250509-090543'" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"77908e5f2ae80bee6d434bca762a25a0a5fc6a83\"
/usr/bin/ld: /tmp/ccKazgFn.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=15c40ef4580000


Tested on:

commit: 83a89654 Merge tag 'scsi-fixes' of git://git.kernel.or..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=c3f0e807ec5d1268
dashboard link: https://syzkaller.appspot.com/bug?extid=feb0dc579bbe30a13190
compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=10569cd4580000

Hillf Danton

May 17, 2025, 7:28:10 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Tue, 13 May 2025 21:27:30 -0700
> syzbot found the following issue on:
>
> HEAD commit: ea34704d6ad7 Merge tag 'drm-fixes-2025-05-10' of https://g..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1663acf4580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=91c351a0f6229e67
> dashboard link: https://syzkaller.appspot.com/bug?extid=feb0dc579bbe30a13190
> compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=112c9768580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1526e670580000

#syz test upstream master

--- x/net/bluetooth/mgmt.c
+++ y/net/bluetooth/mgmt.c
@@ -9362,7 +9362,9 @@ void mgmt_index_removed(struct hci_dev *
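Review bot: hdev->lock still cannot be acquired inside mgmt_index_removed() unconditionally; only this hunk header survived in the archived message, but the test result that follows (lockdep "possible recursive locking detected" on &hdev->lock at mgmt_index_removed+0x10b while hci_unregister_dev+0x2d3 already holds it, reached via vhci_release() -> hci_unregister_dev()) shows this version still takes the lock there and that at least that caller enters with it held. Whatever the body does, the lock has to be taken by the callers that do not already hold it (the hci_sock_bind() path from the original free stack), or the function needs a lock-held variant for hci_unregister_dev().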

syzbot

May 17, 2025, 7:42:04 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 104.385177][ T13] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 104.388595][ T13] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 104.426472][ T13] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 104.433660][ T13] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 104.766732][ T5428]
[ 104.767865][ T5428] ============================================
[ 104.770638][ T5428] WARNING: possible recursive locking detected
[ 104.773310][ T5428] 6.15.0-rc6-syzkaller-00346-g5723cc3450bc-dirty #0 Not tainted
[ 104.777485][ T5428] --------------------------------------------
[ 104.780117][ T5428] syz-executor/5428 is trying to acquire lock:
[ 104.782906][ T5428] ffff88803ef90078 (&hdev->lock){+.+.}-{4:4}, at: mgmt_index_removed+0x10b/0x310
[ 104.786940][ T5428]
[ 104.786940][ T5428] but task is already holding lock:
[ 104.790341][ T5428] ffff88803ef90078 (&hdev->lock){+.+.}-{4:4}, at: hci_unregister_dev+0x2d3/0x500
[ 104.794363][ T5428]
[ 104.794363][ T5428] other info that might help us debug this:
[ 104.797740][ T5428] Possible unsafe locking scenario:
[ 104.797740][ T5428]
[ 104.800954][ T5428] CPU0
[ 104.802424][ T5428] ----
[ 104.803931][ T5428] lock(&hdev->lock);
[ 104.805663][ T5428] lock(&hdev->lock);
[ 104.807445][ T5428]
[ 104.807445][ T5428] *** DEADLOCK ***
[ 104.807445][ T5428]
[ 104.810846][ T5428] May be due to missing lock nesting notation
[ 104.810846][ T5428]
[ 104.814303][ T5428] 1 lock held by syz-executor/5428:
[ 104.816520][ T5428] #0: ffff88803ef90078 (&hdev->lock){+.+.}-{4:4}, at: hci_unregister_dev+0x2d3/0x500
[ 104.820530][ T5428]
[ 104.820530][ T5428] stack backtrace:
[ 104.823093][ T5428] CPU: 0 UID: 0 PID: 5428 Comm: syz-executor Not tainted 6.15.0-rc6-syzkaller-00346-g5723cc3450bc-dirty #0 PREEMPT(full)
[ 104.823106][ T5428] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 104.823113][ T5428] Call Trace:
[ 104.823119][ T5428] <TASK>
[ 104.823124][ T5428] dump_stack_lvl+0x189/0x250
[ 104.823142][ T5428] ? __pfx_dump_stack_lvl+0x10/0x10
[ 104.823155][ T5428] ? __pfx__printk+0x10/0x10
[ 104.823165][ T5428] ? print_lock_name+0xde/0x100
[ 104.823181][ T5428] print_deadlock_bug+0x28b/0x2a0
[ 104.823193][ T5428] validate_chain+0x1a3f/0x2140
[ 104.823202][ T5428] ? _raw_spin_unlock_irqrestore+0xad/0x110
[ 104.823220][ T5428] __lock_acquire+0xaac/0xd20
[ 104.823234][ T5428] ? mgmt_index_removed+0x10b/0x310
[ 104.823245][ T5428] lock_acquire+0x120/0x360
[ 104.823258][ T5428] ? mgmt_index_removed+0x10b/0x310
[ 104.823272][ T5428] __mutex_lock+0x182/0xe80
[ 104.823283][ T5428] ? mgmt_index_removed+0x10b/0x310
[ 104.823298][ T5428] ? __mutex_trylock_common+0x153/0x260
[ 104.823311][ T5428] ? __pfx___mutex_trylock_common+0x10/0x10
[ 104.823320][ T5428] ? mgmt_index_removed+0x10b/0x310
[ 104.823330][ T5428] ? __pfx___mutex_lock+0x10/0x10
[ 104.823343][ T5428] ? rcu_is_watching+0x15/0xb0
[ 104.823352][ T5428] ? trace_contention_end+0x39/0x120
[ 104.823362][ T5428] ? hci_unregister_dev+0x20e/0x500
[ 104.823376][ T5428] mgmt_index_removed+0x10b/0x310
[ 104.823386][ T5428] ? __pfx___mutex_lock+0x10/0x10
[ 104.823399][ T5428] ? __pfx_mgmt_index_removed+0x10/0x10
[ 104.823414][ T5428] ? __pfx_hci_dev_close_sync+0x10/0x10
[ 104.823423][ T5428] ? up_write+0x1c4/0x420
[ 104.823436][ T5428] hci_unregister_dev+0x2db/0x500
[ 104.823449][ T5428] vhci_release+0x80/0xd0
[ 104.823461][ T5428] ? __pfx_vhci_release+0x10/0x10
[ 104.823470][ T5428] __fput+0x44c/0xa70
[ 104.826159][ T5428] task_work_run+0x1d1/0x260
[ 104.826172][ T5428] ? __pfx_task_work_run+0x10/0x10
[ 104.826190][ T5428] ? kmem_cache_free+0x192/0x3f0
[ 104.826207][ T5428] do_exit+0x8d6/0x2550
[ 104.826221][ T5428] ? __pfx_do_exit+0x10/0x10
[ 104.826236][ T5428] ? _raw_spin_unlock_irq+0x23/0x50
[ 104.826246][ T5428] ? lockdep_hardirqs_on+0x9c/0x150
[ 104.826263][ T5428] do_group_exit+0x21c/0x2d0
[ 104.826275][ T5428] __x64_sys_exit_group+0x3f/0x40
[ 104.826288][ T5428] x64_sys_call+0x21ba/0x21c0
[ 104.826304][ T5428] do_syscall_64+0xf6/0x210
[ 104.826317][ T5428] ? clear_bhb_loop+0x60/0xb0
[ 104.826329][ T5428] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 104.826339][ T5428] RIP: 0033:0x7f462058e969
[ 104.826347][ T5428] Code: Unable to access opcode bytes at 0x7f462058e93f.
[ 104.826352][ T5428] RSP: 002b:00007fff116e7dc8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 104.826363][ T5428] RAX: ffffffffffffffda RBX: 00007f4620612297 RCX: 00007f462058e969
[ 104.826371][ T5428] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000043
[ 104.826376][ T5428] RBP: 00007f46206122a9 R08: 00007fff116e5b67 R09: 00007f462077d260
[ 104.826387][ T5428] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
[ 104.826392][ T5428] R13: 00007f462077d260 R14: 0000000000019780 R15: 00007fff116e7f70
[ 104.826402][ T5428] </TASK>
[ 105.221855][ T48] netdevsim netdevsim4 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 106.001857][ T48] netdevsim netdevsim4 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 106.032391][ T48] netdevsim netdevsim4 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 106.062433][ T48] netdevsim netdevsim4 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 106.141381][ T48] bridge_slave_1: left allmulticast mode
[ 106.143913][ T48] bridge_slave_1: left promiscuous mode
[ 106.146436][ T48] bridge0: port 2(bridge_slave_1) entered disabled state
[ 106.151053][ T48] bridge_slave_0: left allmulticast mode
[ 106.153527][ T48] bridge_slave_0: left promiscuous mode
[ 106.155988][ T48] bridge0: port 1(bridge_slave_0) entered disabled state
[ 106.233284][ T48] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 106.238207][ T48] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 106.243434][ T48] bond0 (unregistering): Released all slaves
[ 106.312852][ T48] hsr_slave_0: left promiscuous mode
[ 106.315732][ T48] hsr_slave_1: left promiscuous mode
[ 106.318406][ T48] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 106.323733][ T48] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 106.331831][ T48] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 106.334694][ T48] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 106.353667][ T48] veth1_macvtap: left promiscuous mode
[ 106.356174][ T48] veth0_macvtap: left promiscuous mode
[ 106.358681][ T48] veth1_vlan: left promiscuous mode
[ 106.370871][ T48] veth0_vlan: left promiscuous mode
[ 106.542004][ T48] team0 (unregistering): Port device team_slave_1 removed
[ 106.553795][ T48] team0 (unregistering): Port device team_slave_0 removed

VM DIAGNOSIS:

Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=17375ef4580000


Tested on:

commit: 5723cc34 Merge tag 'dmaengine-fix-6.15' of git://git.k..
dashboard link: https://syzkaller.appspot.com/bug?extid=feb0dc579bbe30a13190
compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=17326ef4580000

Hillf Danton

May 18, 2025, 12:46:37 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Tue, 13 May 2025 21:27:30 -0700
> syzbot found the following issue on:
>
> HEAD commit: ea34704d6ad7 Merge tag 'drm-fixes-2025-05-10' of https://g..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1663acf4580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=91c351a0f6229e67
> dashboard link: https://syzkaller.appspot.com/bug?extid=feb0dc579bbe30a13190
> compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=112c9768580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1526e670580000

#syz test upstream master

--- x/net/bluetooth/hci_sock.c
+++ y/net/bluetooth/hci_sock.c
@@ -1304,7 +1304,9 @@ static int hci_sock_bind(struct socket *
goto done;
}

+ hci_dev_lock(hdev);
mgmt_index_removed(hdev);
+ hci_dev_unlock(hdev);

err = hci_dev_open(hdev->id);
if (err) {
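Review bot: Wrapping mgmt_index_removed() in hci_dev_lock()/hci_dev_unlock() here serialises the list walk against other hdev->lock holders, but not against the reader KASAN reports: the test result later in this thread still shows the free in mgmt_pending_foreach() (mgmt_index_removed() called from hci_sock_bind() at hci_sock.c:1308) racing with mgmt_remove_adv_monitor_complete() running from hci_cmd_sync_work(), which, as the comment in cmd_complete_rsp() quoted later in the thread puts it, is a cmd_sync entry queued "using cmd as data" and therefore reaches the object without going through the list. A lock around the list cannot order that access after the free; the cmd_sync entry has to be dequeued (or the callback has to revalidate the cmd under a lock) before the cmd is freed. The commit message should also say why taking hdev->lock in this caller is safe: the lockdep splat earlier in the thread shows hci_unregister_dev() already holding hdev->lock when it reaches mgmt_index_removed(), so any locking placed on that path recurses.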
--

syzbot

May 18, 2025, 1:08:05 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in mgmt_remove_adv_monitor_complete

==================================================================
BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5405
Read of size 8 at addr ffff888043826318 by task kworker/u5:2/5365

CPU: 0 UID: 0 PID: 5365 Comm: kworker/u5:2 Not tainted 6.15.0-rc6-syzkaller-00346-g5723cc3450bc-dirty #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xb4/0x290 mm/kasan/report.c:521
kasan_report+0x118/0x150 mm/kasan/report.c:634
mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5405
hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xadb/0x17a0 kernel/workqueue.c:3319
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>

Allocated by task 9194:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252
mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279
remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5453
hci_mgmt_cmd+0x9c6/0xef0 net/bluetooth/hci_sock.c:1714
hci_sock_sendmsg+0x6ca/0xee0 net/bluetooth/hci_sock.c:1834
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:727
sock_write_iter+0x258/0x330 net/socket.c:1131
new_sync_write fs/read_write.c:591 [inline]
vfs_write+0x548/0xa90 fs/read_write.c:684
ksys_write+0x145/0x250 fs/read_write.c:736
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 9198:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2380 [inline]
slab_free mm/slub.c:4642 [inline]
kfree+0x193/0x440 mm/slub.c:4841
mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242
mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9365
hci_sock_bind+0xbf7/0x1010 net/bluetooth/hci_sock.c:1308
__sys_bind_socket net/socket.c:1810 [inline]
__sys_bind+0x2c3/0x3e0 net/socket.c:1841
__do_sys_bind net/socket.c:1846 [inline]
__se_sys_bind net/socket.c:1844 [inline]
__x64_sys_bind+0x7a/0x90 net/socket.c:1844
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888043826300
which belongs to the cache kmalloc-96 of size 96
The buggy address is located 24 bytes inside of
freed 96-byte region [ffff888043826300, ffff888043826360)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x43826
flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 04fff00000000000 ffff88801a041280 ffffea0000447dc0 dead000000000002
raw: 0000000000000000 0000000000200020 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 4015, tgid 4015 (kworker/u4:10), ts 162423232319, free_ts 162406246108
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1d8/0x230 mm/page_alloc.c:1714
prep_new_page mm/page_alloc.c:1722 [inline]
get_page_from_freelist+0x21ce/0x22b0 mm/page_alloc.c:3684
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:4966
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2301
alloc_slab_page mm/slub.c:2450 [inline]
allocate_slab+0x8a/0x3b0 mm/slub.c:2618
new_slab mm/slub.c:2672 [inline]
___slab_alloc+0xbfc/0x1480 mm/slub.c:3858
__slab_alloc mm/slub.c:3948 [inline]
__slab_alloc_node mm/slub.c:4023 [inline]
slab_alloc_node mm/slub.c:4184 [inline]
__kmalloc_cache_noprof+0x296/0x3d0 mm/slub.c:4353
kmalloc_noprof include/linux/slab.h:905 [inline]
dst_cow_metrics_generic+0x56/0x1c0 net/core/dst.c:193
dst_metrics_write_ptr include/net/dst.h:133 [inline]
dst_metric_set include/net/dst.h:194 [inline]
icmp6_dst_alloc+0x261/0x420 net/ipv6/route.c:3328
ndisc_send_skb+0x41f/0x1400 net/ipv6/ndisc.c:493
addrconf_dad_completed+0x7ae/0xd60 net/ipv6/addrconf.c:4364
addrconf_dad_work+0xc36/0x14b0 net/ipv6/addrconf.c:-1
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xadb/0x17a0 kernel/workqueue.c:3319
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
kthread+0x70e/0x8a0 kernel/kthread.c:464
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153
page last free pid 5850 tgid 5850 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1258 [inline]
__free_frozen_pages+0xb0e/0xcd0 mm/page_alloc.c:2721
rcu_do_batch kernel/rcu/tree.c:2568 [inline]
rcu_core+0xca8/0x1710 kernel/rcu/tree.c:2824
handle_softirqs+0x286/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702

Memory state around the buggy address:
ffff888043826200: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
ffff888043826280: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
>ffff888043826300: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
^
ffff888043826380: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
ffff888043826400: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
==================================================================


Tested on:

commit: 5723cc34 Merge tag 'dmaengine-fix-6.15' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17df62d4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c3f0e807ec5d1268
dashboard link: https://syzkaller.appspot.com/bug?extid=feb0dc579bbe30a13190
compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=114f62d4580000

Hillf Danton

May 18, 2025, 3:26:54 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Tue, 13 May 2025 21:27:30 -0700
> syzbot found the following issue on:
>
> HEAD commit: ea34704d6ad7 Merge tag 'drm-fixes-2025-05-10' of https://g..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1663acf4580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=91c351a0f6229e67
> dashboard link: https://syzkaller.appspot.com/bug?extid=feb0dc579bbe30a13190
> compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=112c9768580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1526e670580000

#syz test upstream master

--- x/net/bluetooth/mgmt.c
+++ y/net/bluetooth/mgmt.c
@@ -1472,7 +1472,8 @@ static void cmd_complete_rsp(struct mgmt
/* dequeue cmd_sync entries using cmd as data as that is about to be
* removed/freed.
*/
- hci_cmd_sync_dequeue(match->hdev, NULL, cmd, NULL);
+ if (!hci_cmd_sync_dequeue(match->hdev, NULL, cmd, NULL))
+ return;

if (cmd->cmd_complete) {
cmd->cmd_complete(cmd, match->mgmt_status);
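Review bot: The early return when hci_cmd_sync_dequeue() finds nothing changes cmd_complete_rsp() from "always respond and clean up" to "silently skip", and the comment directly above it still describes the old behaviour (dequeue, then remove/free); update it to state the new invariant, namely that a false return means a cmd_sync work item still owns the cmd and is responsible for completing and freeing it. Without that stated, the return also reads as if a cmd for which no cmd_sync work was ever queued would stay on the list with no status sent to its socket; if hci_cmd_sync_dequeue() can return false in that case, the fallback path after this hunk must still run for it. The syzbot result shows the reproducer no longer triggers, but the commit message should explain why the callback, rather than the list walker, is the right owner of the cmd.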
--

syzbot

May 18, 2025, 3:48:06 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+feb0dc...@syzkaller.appspotmail.com
Tested-by: syzbot+feb0dc...@syzkaller.appspotmail.com

Tested on:

commit: 5723cc34 Merge tag 'dmaengine-fix-6.15' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1437ee70580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c3f0e807ec5d1268
dashboard link: https://syzkaller.appspot.com/bug?extid=feb0dc579bbe30a13190
compiler: Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=102a5f68580000

Note: testing is done by a robot and is best-effort only.

syzbot

May 20, 2025, 9:30:59 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git a5806cd506af5a7c19bcd596e4708b5c464bfd21
Author: dman...@yandex.ru

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git a5806cd506af5a7c19bcd596e4708b5c464bfd21

syzbot

May 20, 2025, 9:52:03 AM
to dman...@yandex.ru, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+feb0dc...@syzkaller.appspotmail.com
Tested-by: syzbot+feb0dc...@syzkaller.appspotmail.com

Tested on:

commit: a5806cd5 Linux 6.15-rc7
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16bede70580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9fd1c9848687d742
dashboard link: https://syzkaller.appspot.com/bug?extid=feb0dc579bbe30a13190
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
patch: https://syzkaller.appspot.com/x/patch.diff?x=15af7f68580000

syzbot

May 23, 2025, 4:20:46 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: #syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 94305e83eccb3120c921cd3a015cd74731140bac
Author: dman...@yandex.ru

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 94305e83eccb3120c921cd3a015cd74731140bac

syzbot

May 23, 2025, 4:41:04 AM
to dman...@yandex.ru, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+feb0dc...@syzkaller.appspotmail.com
Tested-by: syzbot+feb0dc...@syzkaller.appspotmail.com

Tested on:

commit: 94305e83 Merge tag 'pmdomain-v6.15-rc3' of git://git.k..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1302c170580000
kernel config: https://syzkaller.appspot.com/x/.config?x=9fd1c9848687d742
dashboard link: https://syzkaller.appspot.com/bug?extid=feb0dc579bbe30a13190
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
patch: https://syzkaller.appspot.com/x/patch.diff?x=11bf25f4580000

syzbot

May 28, 2025, 3:03:27 PM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [PATCH v1] Bluetooth: MGMT: Use RCU-protected in mgmt_pending list
Author: luiz....@gmail.com

#syz test

On Wed, May 28, 2025 at 2:44 PM Luiz Augusto von Dentz
<luiz....@gmail.com> wrote:
>
> From: Luiz Augusto von Dentz <luiz.vo...@intel.com>
>
> This uses RCU procedures to protect from concurrent access of
> mgmt_pending list which can cause crashes like:
> Fixes: a380b6cff1a2 ("Bluetooth: Add generic mgmt helper API")
> Closes: https://syzkaller.appspot.com/bug?extid=feb0dc579bbe30a13190
> Signed-off-by: Dmitry Antipov <dman...@yandex.ru>
> Signed-off-by: Luiz Augusto von Dentz <luiz.vo...@intel.com>
> ---
> net/bluetooth/mgmt_util.c | 25 +++++++++++++++----------
> 1 file changed, 15 insertions(+), 10 deletions(-)
>
> diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
> index 3713ff490c65..c2dc8ddf5f78 100644
> --- a/net/bluetooth/mgmt_util.c
> +++ b/net/bluetooth/mgmt_util.c
> @@ -219,13 +219,20 @@ struct mgmt_pending_cmd *mgmt_pending_find(unsigned short channel, u16 opcode,
> {
> struct mgmt_pending_cmd *cmd;
>
> - list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
> + rcu_read_lock();
> +
> + list_for_each_entry_rcu(cmd, &hdev->mgmt_pending, list) {
> if (hci_sock_get_channel(cmd->sk) != channel)
> continue;
> - if (cmd->opcode == opcode)
> +
> + if (cmd->opcode == opcode) {
> + rcu_read_unlock();
> return cmd;
> + }
> }
>
> + rcu_read_unlock();
> +
> return NULL;
> }
>
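Review bot: mgmt_pending_find() calls rcu_read_unlock() before returning cmd, so the RCU protection ends exactly when the caller starts using the pointer; once the read section is closed, a concurrent mgmt_pending_remove() (list_del_rcu() + synchronize_rcu() + free, in the last hunk of this patch) can complete and free the object the caller still holds. RCU here only makes the list traversal safe, not the lifetime of the returned entry. Either the caller has to hold a lock that excludes removal for as long as it uses cmd, or a reference has to be taken on the entry inside the rcu_read_lock() section before it is returned.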
> @@ -233,14 +240,11 @@ void mgmt_pending_foreach(u16 opcode, struct hci_dev *hdev,
> void (*cb)(struct mgmt_pending_cmd *cmd, void *data),
> void *data)
> {
> - struct mgmt_pending_cmd *cmd, *tmp;
> -
> - list_for_each_entry_safe(cmd, tmp, &hdev->mgmt_pending, list) {
> - if (opcode > 0 && cmd->opcode != opcode)
> - continue;
> + struct mgmt_pending_cmd *cmd;
>
> + cmd = mgmt_pending_find(HCI_CHANNEL_CONTROL, opcode, hdev);
> + if (cmd)
> cb(cmd, data);
> - }
> }
>
> struct mgmt_pending_cmd *mgmt_pending_new(struct sock *sk, u16 opcode,
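Review bot: This rewrite changes what mgmt_pending_foreach() does, not only how it locks: the old loop invoked cb for every entry matching opcode (and for every entry when opcode was 0, which the dropped `opcode > 0 &&` test allowed), while the new body calls mgmt_pending_find() once, so it handles at most one entry per call and additionally filters on HCI_CHANNEL_CONTROL, which the old loop did not. A caller that relies on clearing the whole list, such as mgmt_index_removed() in the free trace of this report, would leave entries behind. The list_for_each_entry_safe() was also there because cb may free cmd; if a loop is kept, a callback must not free an entry that an RCU reader may still be walking, which points toward deferring the free (call_rcu()/kfree_rcu()) rather than freeing synchronously inside cb.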
> @@ -280,7 +284,7 @@ struct mgmt_pending_cmd *mgmt_pending_add(struct sock *sk, u16 opcode,
> if (!cmd)
> return NULL;
>
> - list_add_tail(&cmd->list, &hdev->mgmt_pending);
> + list_add_tail_rcu(&cmd->list, &hdev->mgmt_pending);
>
> return cmd;
> }
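Review bot: list_add_tail_rcu() makes the insertion safe for concurrent RCU readers, but writers still have to be serialised with each other and with list_del_rcu(); nothing in this hunk or in the commit message says which lock protects mgmt_pending_add() against a concurrent mgmt_pending_add() or mgmt_pending_remove(). Name the write-side lock in a comment on the list head and add a lockdep_assert_held() on it here so the assumption is checked rather than implied.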
> @@ -294,7 +298,8 @@ void mgmt_pending_free(struct mgmt_pending_cmd *cmd)
>
> void mgmt_pending_remove(struct mgmt_pending_cmd *cmd)
> {
> - list_del(&cmd->list);
> + list_del_rcu(&cmd->list);
> + synchronize_rcu();
> mgmt_pending_free(cmd);
> }
>
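Review bot: synchronize_rcu() in mgmt_pending_remove() blocks for a full grace period on every removal and may only be called from sleepable context, so every caller of mgmt_pending_remove() (the completion callbacks such as cmd_status_rsp() and cmd_complete_rsp(), and the list cleanup in mgmt_index_removed() seen in the free trace) has to be verified not to hold a spinlock or run in softirq context, and cleanups that remove several entries now pay one grace period each. Deferring the free with call_rcu() into a callback that runs mgmt_pending_free(), or kfree_rcu() where the free is plain, avoids both problems. Note also that a grace period only waits for readers inside rcu_read_lock(); unless the hci_cmd_sync completion that dereferences the cmd in this report runs inside such a section, which the trace does not show, this by itself does not order that access after the free.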
> --
> 2.49.0
>


--
Luiz Augusto von Dentz

syzbot

May 28, 2025, 3:24:17 PM
to linux-...@vger.kernel.org, luiz....@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+feb0dc...@syzkaller.appspotmail.com
Tested-by: syzbot+feb0dc...@syzkaller.appspotmail.com

Tested on:

commit: b08494a8 Merge tag 'drm-next-2025-05-28' of https://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1207f170580000
kernel config: https://syzkaller.appspot.com/x/.config?x=67c5e0d63b5e6251
dashboard link: https://syzkaller.appspot.com/bug?extid=feb0dc579bbe30a13190
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
patch: https://syzkaller.appspot.com/x/patch.diff?x=15ec6bf4580000

syzbot

Jun 2, 2025, 2:01:00 PM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [PATCH v3] Bluetooth: MGMT: Protect mgmt_pending list with its own lock
Author: luiz....@gmail.com

#syz test

On Mon, Jun 2, 2025 at 1:46 PM Luiz Augusto von Dentz
<luiz....@gmail.com> wrote:
>
> From: Luiz Augusto von Dentz <luiz.vo...@intel.com>
>
> This uses a mutex to protect from concurrent access of mgmt_pending
> list which can cause crashes like:
>
> Fixes: a380b6cff1a2 ("Bluetooth: Add generic mgmt helper API")
> Closes: https://syzkaller.appspot.com/bug?extid=feb0dc579bbe30a13190
> Closes: https://syzkaller.appspot.com/bug?extid=0a7039d5d9986ff4ececi
> Closes: https://syzkaller.appspot.com/bug?extid=cc0cc52e7f43dc9e6df1
> Reported-by: syzbot+feb0dc...@syzkaller.appspotmail.com
> Tested-by: syzbot+feb0dc...@syzkaller.appspotmail.com
> Tested-by: syzbot+0a7039...@syzkaller.appspotmail.com
> Tested-by: syzbot+cc0cc5...@syzkaller.appspotmail.com
> Signed-off-by: Dmitry Antipov <dman...@yandex.ru>
> Signed-off-by: Luiz Augusto von Dentz <luiz.vo...@intel.com>
> ---
> include/net/bluetooth/hci_core.h | 1 +
> net/bluetooth/hci_core.c | 1 +
> net/bluetooth/mgmt.c | 101 +++++++++++++++----------------
> net/bluetooth/mgmt_util.c | 32 ++++++++--
> net/bluetooth/mgmt_util.h | 4 +-
> 5 files changed, 80 insertions(+), 59 deletions(-)
>
> diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
> index 2b261e74e2c4..b9ff0e825071 100644
> --- a/include/net/bluetooth/hci_core.h
> +++ b/include/net/bluetooth/hci_core.h
> @@ -546,6 +546,7 @@ struct hci_dev {
> struct hci_conn_hash conn_hash;
>
> struct list_head mesh_pending;
> + struct mutex mgmt_pending_lock;
> struct list_head mgmt_pending;
> struct list_head reject_list;
> struct list_head accept_list;
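Review bot: The new mgmt_pending_lock field has no comment saying what it protects or how it nests with hdev->lock, and the rest of the patch is not visible here to infer it from; document on the `struct list_head mgmt_pending;` line that it is guarded by mgmt_pending_lock, and state the intended lock order (which of hdev->lock and mgmt_pending_lock is outer) next to the field so future lockdep reports can be checked against the design rather than reverse-engineered from call sites.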
> diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> index 04845ff3ad57..f197f5497043 100644
> --- a/net/bluetooth/hci_core.c
> +++ b/net/bluetooth/hci_core.c
> @@ -2487,6 +2487,7 @@ struct hci_dev *hci_alloc_dev_priv(int sizeof_priv)
>
> mutex_init(&hdev->lock);
> mutex_init(&hdev->req_lock);
> + mutex_init(&hdev->mgmt_pending_lock);
>
> ida_init(&hdev->unset_handle_ida);
>
> diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
> index 14a9462fced5..7d9ed7db377f 100644
> --- a/net/bluetooth/mgmt.c
> +++ b/net/bluetooth/mgmt.c
> @@ -1447,22 +1447,17 @@ static void settings_rsp(struct mgmt_pending_cmd *cmd, void *data)
>
> send_settings_rsp(cmd->sk, cmd->opcode, match->hdev);
>
> - list_del(&cmd->list);
> -
> if (match->sk == NULL) {
> match->sk = cmd->sk;
> sock_hold(match->sk);
> }
> -
> - mgmt_pending_free(cmd);
> }
>
> static void cmd_status_rsp(struct mgmt_pending_cmd *cmd, void *data)
> {
> u8 *status = data;
>
> - mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, *status);
> - mgmt_pending_remove(cmd);
> + mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, *status);
> }
>
> static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data)
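Review bot: Two unrelated changes are mixed into this hunk: the ownership change (settings_rsp() and cmd_status_rsp() no longer list_del()/free the cmd and leave that to the caller) and the cmd->index to cmd->hdev->id substitution, which recurs through the rest of mgmt.c. Splitting the index change into its own preparatory patch would make the locking change reviewable and backportable on its own. For the ownership change, the commit message should state the new rule explicitly: a callback passed to mgmt_pending_foreach() must not remove or free cmd, because mgmt_pending_foreach() does so itself when its new boolean argument (passed as `true` in the later hunks) is set.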
> @@ -1476,8 +1471,6 @@ static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data)
>
> if (cmd->cmd_complete) {
> cmd->cmd_complete(cmd, match->mgmt_status);
> - mgmt_pending_remove(cmd);
> -
> return;
> }
>
> @@ -1486,13 +1479,13 @@ static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data)
>
> static int generic_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
> {
> - return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
> + return mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, status,
> cmd->param, cmd->param_len);
> }
>
> static int addr_cmd_complete(struct mgmt_pending_cmd *cmd, u8 status)
> {
> - return mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status,
> + return mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, status,
> cmd->param, sizeof(struct mgmt_addr_info));
> }
>
> @@ -1532,7 +1525,7 @@ static void mgmt_set_discoverable_complete(struct hci_dev *hdev, void *data,
>
> if (err) {
> u8 mgmt_err = mgmt_status(err);
> - mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
> + mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err);
> hci_dev_clear_flag(hdev, HCI_LIMITED_DISCOVERABLE);
> goto done;
> }
> @@ -1707,7 +1700,7 @@ static void mgmt_set_connectable_complete(struct hci_dev *hdev, void *data,
>
> if (err) {
> u8 mgmt_err = mgmt_status(err);
> - mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
> + mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err);
> goto done;
> }
>
> @@ -1943,8 +1936,8 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
> new_settings(hdev, NULL);
> }
>
> - mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, cmd_status_rsp,
> - &mgmt_err);
> + mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, true,
> + cmd_status_rsp, &mgmt_err);
> return;
> }
>
> @@ -1954,7 +1947,7 @@ static void set_ssp_complete(struct hci_dev *hdev, void *data, int err)
> changed = hci_dev_test_and_clear_flag(hdev, HCI_SSP_ENABLED);
> }
>
> - mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, settings_rsp, &match);
> + mgmt_pending_foreach(MGMT_OP_SET_SSP, hdev, true, settings_rsp, &match);
>
> if (changed)
> new_settings(hdev, match.sk);
> @@ -2074,12 +2067,12 @@ static void set_le_complete(struct hci_dev *hdev, void *data, int err)
> bt_dev_dbg(hdev, "err %d", err);
>
> if (status) {
> - mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, cmd_status_rsp,
> - &status);
> + mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, true, cmd_status_rsp,
> + &status);
> return;
> }
>
> - mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, settings_rsp, &match);
> + mgmt_pending_foreach(MGMT_OP_SET_LE, hdev, true, settings_rsp, &match);
>
> new_settings(hdev, match.sk);
>
> @@ -2138,7 +2131,7 @@ static void set_mesh_complete(struct hci_dev *hdev, void *data, int err)
> struct sock *sk = cmd->sk;
>
> if (status) {
> - mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev,
> + mgmt_pending_foreach(MGMT_OP_SET_MESH_RECEIVER, hdev, true,
> cmd_status_rsp, &status);
> return;
> }
> @@ -2638,7 +2631,7 @@ static void mgmt_class_complete(struct hci_dev *hdev, void *data, int err)
>
> bt_dev_dbg(hdev, "err %d", err);
>
> - mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
> + mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode,
> mgmt_status(err), hdev->dev_class, 3);
>
> mgmt_pending_free(cmd);
> @@ -3427,7 +3420,7 @@ static int pairing_complete(struct mgmt_pending_cmd *cmd, u8 status)
> bacpy(&rp.addr.bdaddr, &conn->dst);
> rp.addr.type = link_to_bdaddr(conn->type, conn->dst_type);
>
> - err = mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_PAIR_DEVICE,
> + err = mgmt_cmd_complete(cmd->sk, cmd->hdev->id, MGMT_OP_PAIR_DEVICE,
> status, &rp, sizeof(rp));
>
> /* So we don't get further callbacks for this connection */
> @@ -5196,7 +5189,7 @@ static void mgmt_add_adv_patterns_monitor_complete(struct hci_dev *hdev,
> hci_update_passive_scan(hdev);
> }
>
> - mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
> + mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode,
> mgmt_status(status), &rp, sizeof(rp));
> mgmt_pending_remove(cmd);
>
> @@ -5411,7 +5404,7 @@ static void mgmt_remove_adv_monitor_complete(struct hci_dev *hdev,
> if (!status)
> hci_update_passive_scan(hdev);
>
> - mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
> + mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode,
> mgmt_status(status), &rp, sizeof(rp));
> mgmt_pending_remove(cmd);
>
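Review bot: this hunk only swaps `cmd->index` for `cmd->hdev->id` at the crash site. The faulting read in the report is the `cmd` dereference in this function (mgmt.c:5405 in the first report), and nothing here stops `cmd` from having been freed by `mgmt_pending_foreach(0, hdev, true, cmd_complete_rsp, ...)` in `mgmt_index_removed()` before the hci_cmd_sync worker runs it; a lock taken inside the walker does not help a work item that captured the raw pointer earlier. The completion needs an ownership rule (the command is not on the shared list, or the walker cancels the queued work before freeing) rather than a locked lookup.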
> @@ -5792,7 +5785,7 @@ static void start_discovery_complete(struct hci_dev *hdev, void *data, int err)
> cmd != pending_find(MGMT_OP_START_SERVICE_DISCOVERY, hdev))
> return;
>
> - mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, mgmt_status(err),
> + mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_status(err),
> cmd->param, 1);
> mgmt_pending_remove(cmd);
>
> @@ -6013,7 +6006,7 @@ static void stop_discovery_complete(struct hci_dev *hdev, void *data, int err)
>
> bt_dev_dbg(hdev, "err %d", err);
>
> - mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, mgmt_status(err),
> + mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_status(err),
> cmd->param, 1);
> mgmt_pending_remove(cmd);
>
> @@ -6238,7 +6231,7 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err)
> u8 status = mgmt_status(err);
>
> if (status) {
> - mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev,
> + mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, true,
> cmd_status_rsp, &status);
> return;
> }
> @@ -6248,7 +6241,7 @@ static void set_advertising_complete(struct hci_dev *hdev, void *data, int err)
> else
> hci_dev_clear_flag(hdev, HCI_ADVERTISING);
>
> - mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, settings_rsp,
> + mgmt_pending_foreach(MGMT_OP_SET_ADVERTISING, hdev, true, settings_rsp,
> &match);
>
> new_settings(hdev, match.sk);
> @@ -6592,7 +6585,7 @@ static void set_bredr_complete(struct hci_dev *hdev, void *data, int err)
> */
> hci_dev_clear_flag(hdev, HCI_BREDR_ENABLED);
>
> - mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
> + mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err);
> } else {
> send_settings_rsp(cmd->sk, MGMT_OP_SET_BREDR, hdev);
> new_settings(hdev, cmd->sk);
> @@ -6729,7 +6722,7 @@ static void set_secure_conn_complete(struct hci_dev *hdev, void *data, int err)
> if (err) {
> u8 mgmt_err = mgmt_status(err);
>
> - mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode, mgmt_err);
> + mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode, mgmt_err);
> goto done;
> }
>
> @@ -7176,7 +7169,7 @@ static void get_conn_info_complete(struct hci_dev *hdev, void *data, int err)
> rp.max_tx_power = HCI_TX_POWER_INVALID;
> }
>
> - mgmt_cmd_complete(cmd->sk, cmd->index, MGMT_OP_GET_CONN_INFO, status,
> + mgmt_cmd_complete(cmd->sk, cmd->hdev->id, MGMT_OP_GET_CONN_INFO, status,
> &rp, sizeof(rp));
>
> mgmt_pending_free(cmd);
> @@ -7336,7 +7329,7 @@ static void get_clock_info_complete(struct hci_dev *hdev, void *data, int err)
> }
>
> complete:
> - mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode, status, &rp,
> + mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode, status, &rp,
> sizeof(rp));
>
> mgmt_pending_free(cmd);
> @@ -8586,10 +8579,10 @@ static void add_advertising_complete(struct hci_dev *hdev, void *data, int err)
> rp.instance = cp->instance;
>
> if (err)
> - mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
> + mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode,
> mgmt_status(err));
> else
> - mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
> + mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode,
> mgmt_status(err), &rp, sizeof(rp));
>
> add_adv_complete(hdev, cmd->sk, cp->instance, err);
> @@ -8777,10 +8770,10 @@ static void add_ext_adv_params_complete(struct hci_dev *hdev, void *data,
>
> hci_remove_adv_instance(hdev, cp->instance);
>
> - mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
> + mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode,
> mgmt_status(err));
> } else {
> - mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
> + mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode,
> mgmt_status(err), &rp, sizeof(rp));
> }
>
> @@ -8927,10 +8920,10 @@ static void add_ext_adv_data_complete(struct hci_dev *hdev, void *data, int err)
> rp.instance = cp->instance;
>
> if (err)
> - mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
> + mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode,
> mgmt_status(err));
> else
> - mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
> + mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode,
> mgmt_status(err), &rp, sizeof(rp));
>
> mgmt_pending_free(cmd);
> @@ -9089,10 +9082,10 @@ static void remove_advertising_complete(struct hci_dev *hdev, void *data,
> rp.instance = cp->instance;
>
> if (err)
> - mgmt_cmd_status(cmd->sk, cmd->index, cmd->opcode,
> + mgmt_cmd_status(cmd->sk, cmd->hdev->id, cmd->opcode,
> mgmt_status(err));
> else
> - mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
> + mgmt_cmd_complete(cmd->sk, cmd->hdev->id, cmd->opcode,
> MGMT_STATUS_SUCCESS, &rp, sizeof(rp));
>
> mgmt_pending_free(cmd);
> @@ -9364,7 +9357,7 @@ void mgmt_index_removed(struct hci_dev *hdev)
> if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
> return;
>
> - mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &match);
> + mgmt_pending_foreach(0, hdev, true, cmd_complete_rsp, &match);
>
> if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
> mgmt_index_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev, NULL, 0,
> @@ -9402,7 +9395,8 @@ void mgmt_power_on(struct hci_dev *hdev, int err)
> hci_update_passive_scan(hdev);
> }
>
> - mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
> + mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, true, settings_rsp,
> + &match);
>
> new_settings(hdev, match.sk);
>
> @@ -9417,7 +9411,8 @@ void __mgmt_power_off(struct hci_dev *hdev)
> struct cmd_lookup match = { NULL, hdev };
> u8 zero_cod[] = { 0, 0, 0 };
>
> - mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
> + mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, true, settings_rsp,
> + &match);
>
> /* If the power off is because of hdev unregistration let
> * use the appropriate INVALID_INDEX status. Otherwise use
> @@ -9431,7 +9426,7 @@ void __mgmt_power_off(struct hci_dev *hdev)
> else
> match.mgmt_status = MGMT_STATUS_NOT_POWERED;
>
> - mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &match);
> + mgmt_pending_foreach(0, hdev, true, cmd_complete_rsp, &match);
>
> if (memcmp(hdev->dev_class, zero_cod, sizeof(zero_cod)) != 0) {
> mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev,
> @@ -9672,7 +9667,6 @@ static void unpair_device_rsp(struct mgmt_pending_cmd *cmd, void *data)
> device_unpaired(hdev, &cp->addr.bdaddr, cp->addr.type, cmd->sk);
>
> cmd->cmd_complete(cmd, 0);
> - mgmt_pending_remove(cmd);
> }
>
> bool mgmt_powering_down(struct hci_dev *hdev)
> @@ -9728,8 +9722,8 @@ void mgmt_disconnect_failed(struct hci_dev *hdev, bdaddr_t *bdaddr,
> struct mgmt_cp_disconnect *cp;
> struct mgmt_pending_cmd *cmd;
>
> - mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, unpair_device_rsp,
> - hdev);
> + mgmt_pending_foreach(MGMT_OP_UNPAIR_DEVICE, hdev, true,
> + unpair_device_rsp, hdev);
>
> cmd = pending_find(MGMT_OP_DISCONNECT, hdev);
> if (!cmd)
> @@ -9922,7 +9916,7 @@ void mgmt_auth_enable_complete(struct hci_dev *hdev, u8 status)
>
> if (status) {
> u8 mgmt_err = mgmt_status(status);
> - mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev,
> + mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev, true,
> cmd_status_rsp, &mgmt_err);
> return;
> }
> @@ -9932,8 +9926,8 @@ void mgmt_auth_enable_complete(struct hci_dev *hdev, u8 status)
> else
> changed = hci_dev_test_and_clear_flag(hdev, HCI_LINK_SECURITY);
>
> - mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev, settings_rsp,
> - &match);
> + mgmt_pending_foreach(MGMT_OP_SET_LINK_SECURITY, hdev, true,
> + settings_rsp, &match);
>
> if (changed)
> new_settings(hdev, match.sk);
> @@ -9957,9 +9951,12 @@ void mgmt_set_class_of_dev_complete(struct hci_dev *hdev, u8 *dev_class,
> {
> struct cmd_lookup match = { NULL, hdev, mgmt_status(status) };
>
> - mgmt_pending_foreach(MGMT_OP_SET_DEV_CLASS, hdev, sk_lookup, &match);
> - mgmt_pending_foreach(MGMT_OP_ADD_UUID, hdev, sk_lookup, &match);
> - mgmt_pending_foreach(MGMT_OP_REMOVE_UUID, hdev, sk_lookup, &match);
> + mgmt_pending_foreach(MGMT_OP_SET_DEV_CLASS, hdev, false, sk_lookup,
> + &match);
> + mgmt_pending_foreach(MGMT_OP_ADD_UUID, hdev, false, sk_lookup,
> + &match);
> + mgmt_pending_foreach(MGMT_OP_REMOVE_UUID, hdev, false, sk_lookup,
> + &match);
>
> if (!status) {
> mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev, dev_class,
> diff --git a/net/bluetooth/mgmt_util.c b/net/bluetooth/mgmt_util.c
> index 3713ff490c65..a88a07da3947 100644
> --- a/net/bluetooth/mgmt_util.c
> +++ b/net/bluetooth/mgmt_util.c
> @@ -217,30 +217,47 @@ int mgmt_cmd_complete(struct sock *sk, u16 index, u16 cmd, u8 status,
> struct mgmt_pending_cmd *mgmt_pending_find(unsigned short channel, u16 opcode,
> struct hci_dev *hdev)
> {
> - struct mgmt_pending_cmd *cmd;
> + struct mgmt_pending_cmd *cmd, *tmp;
>
> - list_for_each_entry(cmd, &hdev->mgmt_pending, list) {
> + mutex_lock(&hdev->mgmt_pending_lock);
> +
> + list_for_each_entry_safe(cmd, tmp, &hdev->mgmt_pending, list) {
> if (hci_sock_get_channel(cmd->sk) != channel)
> continue;
> - if (cmd->opcode == opcode)
> +
> + if (cmd->opcode == opcode) {
> + mutex_unlock(&hdev->mgmt_pending_lock);
> return cmd;
> + }
> }
>
> + mutex_unlock(&hdev->mgmt_pending_lock);
> +
> return NULL;
> }
>
> -void mgmt_pending_foreach(u16 opcode, struct hci_dev *hdev,
> +void mgmt_pending_foreach(u16 opcode, struct hci_dev *hdev, bool remove,
> void (*cb)(struct mgmt_pending_cmd *cmd, void *data),
> void *data)
> {
> struct mgmt_pending_cmd *cmd, *tmp;
>
> + mutex_lock(&hdev->mgmt_pending_lock);
> +
> list_for_each_entry_safe(cmd, tmp, &hdev->mgmt_pending, list) {
> if (opcode > 0 && cmd->opcode != opcode)
> continue;
>
> + if (remove)
> + list_del(&cmd->list);
> +
> cb(cmd, data);
> +
> + if (remove)
> + mgmt_pending_free(cmd);
> }
> +
> + mutex_unlock(&hdev->mgmt_pending_lock);
> }
>
> struct mgmt_pending_cmd *mgmt_pending_new(struct sock *sk, u16 opcode,
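Review bot: two problems in this hunk. In `mgmt_pending_find()` the mutex is released before `cmd` is returned, so the caller holds a pointer that a concurrent `mgmt_pending_foreach(..., true, ...)` can `list_del()` and free; the lock gives a consistent walk but no guarantee about the returned object, which is the same hazard this series sets out to fix. The switch to `list_for_each_entry_safe` there is also unnecessary, since that loop deletes nothing and `tmp` is dead. In `mgmt_pending_foreach()` the callback now runs with `mgmt_pending_lock` held, so any `cb` (or any `cmd->cmd_complete` reached through `cmd_complete_rsp`) that calls `mgmt_pending_find()`, `mgmt_pending_add()` or `mgmt_pending_remove()` self-deadlocks on the non-recursive mutex. Either document that constraint on `cb`, or splice the matching entries onto a local list under the lock and run the callbacks after unlocking.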
> @@ -254,7 +271,7 @@ struct mgmt_pending_cmd *mgmt_pending_new(struct sock *sk, u16 opcode,
> return NULL;
>
> cmd->opcode = opcode;
> - cmd->index = hdev->id;
> + cmd->hdev = hdev;
>
> cmd->param = kmemdup(data, len, GFP_KERNEL);
> if (!cmd->param) {
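Review bot: `cmd->hdev = hdev` stores a raw pointer with no `hci_dev_hold()`, and every `cmd->hdev->id` introduced in this series dereferences it from completion callbacks. That is only safe if every pending command is guaranteed to be freed before `hdev` is, which is what the `mgmt_pending_foreach(0, hdev, true, ...)` call in `mgmt_index_removed()` is being relied on for. Either state that invariant in a comment next to the assignment, or take a reference here and drop it in `mgmt_pending_free()`.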
> @@ -280,7 +297,9 @@ struct mgmt_pending_cmd *mgmt_pending_add(struct sock *sk, u16 opcode,
> if (!cmd)
> return NULL;
>
> + mutex_lock(&hdev->mgmt_pending_lock);
> list_add_tail(&cmd->list, &hdev->mgmt_pending);
> + mutex_unlock(&hdev->mgmt_pending_lock);
>
> return cmd;
> }
> @@ -294,7 +313,10 @@ void mgmt_pending_free(struct mgmt_pending_cmd *cmd)
>
> void mgmt_pending_remove(struct mgmt_pending_cmd *cmd)
> {
> + mutex_lock(&cmd->hdev->mgmt_pending_lock);
> list_del(&cmd->list);
> + mutex_unlock(&cmd->hdev->mgmt_pending_lock);
> +
> mgmt_pending_free(cmd);
> }
>
> diff --git a/net/bluetooth/mgmt_util.h b/net/bluetooth/mgmt_util.h
> index f2ba994ab1d8..024e51dd6937 100644
> --- a/net/bluetooth/mgmt_util.h
> +++ b/net/bluetooth/mgmt_util.h
> @@ -33,7 +33,7 @@ struct mgmt_mesh_tx {
> struct mgmt_pending_cmd {
> struct list_head list;
> u16 opcode;
> - int index;
> + struct hci_dev *hdev;
> void *param;
> size_t param_len;
> struct sock *sk;
> @@ -54,7 +54,7 @@ int mgmt_cmd_complete(struct sock *sk, u16 index, u16 cmd, u8 status,
>
> struct mgmt_pending_cmd *mgmt_pending_find(unsigned short channel, u16 opcode,
> struct hci_dev *hdev);
> -void mgmt_pending_foreach(u16 opcode, struct hci_dev *hdev,
> +void mgmt_pending_foreach(u16 opcode, struct hci_dev *hdev, bool remove,
> void (*cb)(struct mgmt_pending_cmd *cmd, void *data),
> void *data);
> struct mgmt_pending_cmd *mgmt_pending_add(struct sock *sk, u16 opcode,
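Review bot: the new `bool remove` parameter to `mgmt_pending_foreach()` is undocumented, and it changes the contract for callbacks: with `remove` true the walker does `list_del()` and `mgmt_pending_free()` itself, so `cb` must not unlink or free `cmd` (which is why the patch drops those calls from `settings_rsp()`, `cmd_status_rsp()`, `cmd_complete_rsp()` and `unpair_device_rsp()`), while with `remove` false the command stays pending (the `sk_lookup` callers). A kerneldoc block above this prototype spelling that out would keep the next callback author from reintroducing a double free.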

syzbot
Jun 2, 2025, 2:23:04 PM
to linux-...@vger.kernel.org, luiz....@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in mgmt_remove_adv_monitor_complete

Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
==================================================================
BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x5a0 net/bluetooth/mgmt.c:5399
Read of size 8 at addr ffff8880115a3aa0 by task kworker/u5:4/5846

CPU: 0 UID: 0 PID: 5846 Comm: kworker/u5:4 Not tainted 6.15.0-syzkaller-gcd2e103d57e5-dirty #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: hci0 hci_cmd_sync_work
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xd2/0x2b0 mm/kasan/report.c:521
kasan_report+0x118/0x150 mm/kasan/report.c:634
mgmt_remove_adv_monitor_complete+0xe5/0x5a0 net/bluetooth/mgmt.c:5399
hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>

Allocated by task 13316:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:260 [inline]
__kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
mgmt_pending_new+0x65/0x1e0 net/bluetooth/mgmt_util.c:269
mgmt_pending_add+0x35/0x140 net/bluetooth/mgmt_util.c:296
remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5447
hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg+0x219/0x270 net/socket.c:727
sock_write_iter+0x258/0x330 net/socket.c:1131
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x54b/0xa90 fs/read_write.c:686
ksys_write+0x145/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 13322:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2380 [inline]
slab_free mm/slub.c:4642 [inline]
kfree+0x18e/0x440 mm/slub.c:4841
mgmt_pending_free net/bluetooth/mgmt_util.c:311 [inline]
mgmt_pending_foreach+0x30d/0x380 net/bluetooth/mgmt_util.c:257
mgmt_index_removed+0x112/0x2f0 net/bluetooth/mgmt.c:9359
hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314
__sys_bind_socket net/socket.c:1810 [inline]
__sys_bind+0x2c6/0x3e0 net/socket.c:1841
__do_sys_bind net/socket.c:1846 [inline]
__se_sys_bind net/socket.c:1844 [inline]
__x64_sys_bind+0x7a/0x90 net/socket.c:1844
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff8880115a3a80
which belongs to the cache kmalloc-96 of size 96
The buggy address is located 32 bytes inside of
freed 96-byte region [ffff8880115a3a80, ffff8880115a3ae0)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x115a3
ksm flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88801a441280 ffffea0000681b00 dead000000000003
raw: 0000000000000000 0000000000200020 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 5851, tgid 5851 (syz-executor), ts 158761816277, free_ts 158220175343
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1704
prep_new_page mm/page_alloc.c:1712 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3669
__alloc_pages_slowpath+0x2fe/0xce0 mm/page_alloc.c:4490
__alloc_frozen_pages_noprof+0x319/0x370 mm/page_alloc.c:4972
alloc_slab_page mm/slub.c:2452 [inline]
allocate_slab+0x65/0x3b0 mm/slub.c:2618
new_slab mm/slub.c:2672 [inline]
___slab_alloc+0xbfc/0x1480 mm/slub.c:3858
__slab_alloc mm/slub.c:3948 [inline]
__slab_alloc_node mm/slub.c:4023 [inline]
slab_alloc_node mm/slub.c:4184 [inline]
__kmalloc_cache_node_noprof+0x29a/0x3d0 mm/slub.c:4366
kmalloc_node_noprof include/linux/slab.h:928 [inline]
alloc_node_nr_active kernel/workqueue.c:4874 [inline]
__alloc_workqueue+0x6a4/0x1b70 kernel/workqueue.c:5728
alloc_workqueue+0xd4/0x210 kernel/workqueue.c:5788
ieee80211_register_hw+0x2c5f/0x4120 net/mac80211/main.c:1491
mac80211_hwsim_new_radio+0x2f0e/0x5340 drivers/net/wireless/virtual/mac80211_hwsim.c:5565
hwsim_new_radio_nl+0xea4/0x1b10 drivers/net/wireless/virtual/mac80211_hwsim.c:6249
genl_family_rcv_msg_doit+0x215/0x300 net/netlink/genetlink.c:1115
genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
genl_rcv_msg+0x60e/0x790 net/netlink/genetlink.c:1210
netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2534
genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
page last free pid 5977 tgid 5977 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1248 [inline]
__free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706
vfree+0x25a/0x400 mm/vmalloc.c:3426
delayed_vfree_work+0x55/0x80 mm/vmalloc.c:3345
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
ffff8880115a3980: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff8880115a3a00: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
>ffff8880115a3a80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
^
ffff8880115a3b00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
ffff8880115a3b80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
==================================================================


Tested on:

commit: cd2e103d Merge tag 'hardening-v6.16-rc1-fix1-take2' of..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1032ac82580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6acfdd5e5c8ef3d0
dashboard link: https://syzkaller.appspot.com/bug?extid=feb0dc579bbe30a13190
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
patch: https://syzkaller.appspot.com/x/patch.diff?x=1182ac82580000

syzbot
Jun 3, 2025, 4:30:59 PM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [PATCH v4 1/2] Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete
Author: luiz....@gmail.com

#syz test

On Tue, Jun 3, 2025 at 4:29 PM Luiz Augusto von Dentz
<luiz....@gmail.com> wrote:
>
> From: Luiz Augusto von Dentz <luiz.vo...@intel.com>
>
> This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to
> avoid crashes like below:
>
> ==================================================================
> BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406
> Read of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341
>
> CPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full)
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> Workqueue: hci0 hci_cmd_sync_work
> Call Trace:
> <TASK>
> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
> print_address_description mm/kasan/report.c:408 [inline]
> print_report+0xd2/0x2b0 mm/kasan/report.c:521
> kasan_report+0x118/0x150 mm/kasan/report.c:634
> mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406
> hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334
> process_one_work kernel/workqueue.c:3238 [inline]
> process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321
> worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
> kthread+0x711/0x8a0 kernel/kthread.c:464
> ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> </TASK>
>
> Allocated by task 5987:
> kasan_save_stack mm/kasan/common.c:47 [inline]
> kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
> poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
> __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394
> kasan_kmalloc include/linux/kasan.h:260 [inline]
> __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358
> kmalloc_noprof include/linux/slab.h:905 [inline]
> kzalloc_noprof include/linux/slab.h:1039 [inline]
> mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252
> mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279
> remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454
> hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719
> hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839
> sock_sendmsg_nosec net/socket.c:712 [inline]
> __sock_sendmsg+0x219/0x270 net/socket.c:727
> sock_write_iter+0x258/0x330 net/socket.c:1131
> new_sync_write fs/read_write.c:593 [inline]
> vfs_write+0x548/0xa90 fs/read_write.c:686
> ksys_write+0x145/0x250 fs/read_write.c:738
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Freed by task 5989:
> kasan_save_stack mm/kasan/common.c:47 [inline]
> kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
> kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576
> poison_slab_object mm/kasan/common.c:247 [inline]
> __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264
> kasan_slab_free include/linux/kasan.h:233 [inline]
> slab_free_hook mm/slub.c:2380 [inline]
> slab_free mm/slub.c:4642 [inline]
> kfree+0x18e/0x440 mm/slub.c:4841
> mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242
> mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9366
> hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314
> __sys_bind_socket net/socket.c:1810 [inline]
> __sys_bind+0x2c3/0x3e0 net/socket.c:1841
> __do_sys_bind net/socket.c:1846 [inline]
> __se_sys_bind net/socket.c:1844 [inline]
> __x64_sys_bind+0x7a/0x90 net/socket.c:1844
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Fixes: 66bd095ab5d4 ("Bluetooth: advmon offload MSFT remove monitor")
> Closes: https://syzkaller.appspot.com/bug?extid=feb0dc579bbe30a13190
> Reported-by: syzbot+feb0dc...@syzkaller.appspotmail.com
> Tested-by: syzbot+feb0dc...@syzkaller.appspotmail.com
> Signed-off-by: Luiz Augusto von Dentz <luiz.vo...@intel.com>
> ---
> include/net/bluetooth/hci_core.h | 1 -
> net/bluetooth/hci_core.c | 4 +---
> net/bluetooth/mgmt.c | 37 ++++++++++----------------------
> 3 files changed, 12 insertions(+), 30 deletions(-)
>
> diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
> index 2b261e74e2c4..93fcb659f0d4 100644
> --- a/include/net/bluetooth/hci_core.h
> +++ b/include/net/bluetooth/hci_core.h
> @@ -2400,7 +2400,6 @@ void mgmt_advertising_added(struct sock *sk, struct hci_dev *hdev,
> u8 instance);
> void mgmt_advertising_removed(struct sock *sk, struct hci_dev *hdev,
> u8 instance);
> -void mgmt_adv_monitor_removed(struct hci_dev *hdev, u16 handle);
> int mgmt_phy_configuration_changed(struct hci_dev *hdev, struct sock *skip);
> void mgmt_adv_monitor_device_lost(struct hci_dev *hdev, u16 handle,
> bdaddr_t *bdaddr, u8 addr_type);
> diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
> index 04845ff3ad57..aeda2e4557d5 100644
> --- a/net/bluetooth/hci_core.c
> +++ b/net/bluetooth/hci_core.c
> @@ -1877,10 +1877,8 @@ void hci_free_adv_monitor(struct hci_dev *hdev, struct adv_monitor *monitor)
> if (monitor->handle)
> idr_remove(&hdev->adv_monitors_idr, monitor->handle);
>
> - if (monitor->state != ADV_MONITOR_STATE_NOT_REGISTERED) {
> + if (monitor->state != ADV_MONITOR_STATE_NOT_REGISTERED)
> hdev->adv_monitors_cnt--;
> - mgmt_adv_monitor_removed(hdev, monitor->handle);
> - }
>
> kfree(monitor);
> }
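Review bot: dropping `mgmt_adv_monitor_removed()` from `hci_free_adv_monitor()` changes behaviour beyond the UAF fix: MGMT_EV_ADV_MONITOR_REMOVED is now emitted only from `mgmt_remove_adv_monitor_complete()` on success, so monitors released through any other caller of `hci_free_adv_monitor()` no longer notify management clients. If that is intended, the commit message should say so; if not, the event has to be kept for those paths.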
> diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
> index 14a9462fced5..feaeec2423ae 100644
> --- a/net/bluetooth/mgmt.c
> +++ b/net/bluetooth/mgmt.c
> @@ -5108,24 +5108,14 @@ static void mgmt_adv_monitor_added(struct sock *sk, struct hci_dev *hdev,
> mgmt_event(MGMT_EV_ADV_MONITOR_ADDED, hdev, &ev, sizeof(ev), sk);
> }
>
> -void mgmt_adv_monitor_removed(struct hci_dev *hdev, u16 handle)
> +static void mgmt_adv_monitor_removed(struct sock *sk, struct hci_dev *hdev,
> + u16 handle)
> {
> struct mgmt_ev_adv_monitor_removed ev;
> - struct mgmt_pending_cmd *cmd;
> - struct sock *sk_skip = NULL;
> - struct mgmt_cp_remove_adv_monitor *cp;
> -
> - cmd = pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev);
> - if (cmd) {
> - cp = cmd->param;
> -
> - if (cp->monitor_handle)
> - sk_skip = cmd->sk;
> - }
>
> ev.monitor_handle = cpu_to_le16(handle);
>
> - mgmt_event(MGMT_EV_ADV_MONITOR_REMOVED, hdev, &ev, sizeof(ev), sk_skip);
> + mgmt_event(MGMT_EV_ADV_MONITOR_REMOVED, hdev, &ev, sizeof(ev), sk);
> }
>
> static int read_adv_mon_features(struct sock *sk, struct hci_dev *hdev,
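Review bot: the removed code set `sk_skip` only when `cp->monitor_handle` was non-zero, i.e. it deliberately did not suppress the event for the requester when the handle was 0; the new static helper always skips the `sk` it is given, and the caller added later in this patch passes `cmd->sk` unconditionally. If a zero handle still has the special meaning the removed branch implies, the requester now loses that event. Either keep the `if (cp->monitor_handle)` distinction at the call site or note the intentional change in the commit message.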
> @@ -5227,8 +5217,7 @@ static int __add_adv_patterns_monitor(struct sock *sk, struct hci_dev *hdev,
>
> if (pending_find(MGMT_OP_SET_LE, hdev) ||
> pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR, hdev) ||
> - pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev) ||
> - pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev)) {
> + pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev)) {
> status = MGMT_STATUS_BUSY;
> goto unlock;
> }
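Review bot: removing `pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev)` from the BUSY check is consistent with the command no longer being on `mgmt_pending` (the lookup could never match), but it means add and remove are no longer mutually exclusive at the MGMT layer; their ordering now rests entirely on hci_cmd_sync running queued work in order. That is fine if intended, and worth a sentence in the commit message so the dropped check is not read as an oversight.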
> @@ -5398,8 +5387,7 @@ static void mgmt_remove_adv_monitor_complete(struct hci_dev *hdev,
> struct mgmt_pending_cmd *cmd = data;
> struct mgmt_cp_remove_adv_monitor *cp;
>
> - if (status == -ECANCELED ||
> - cmd != pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev))
> + if (status == -ECANCELED)
> return;
>
> hci_dev_lock(hdev);
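Review bot: with the command now allocated by `mgmt_pending_new()` and never linked into `mgmt_pending`, the early `return` on `status == -ECANCELED` leaks `cmd` (its `param` copy included). Before this patch a cancelled command stayed on the list and was released by the `mgmt_pending_foreach()` walks in `mgmt_index_removed()` / `__mgmt_power_off()`; now nothing owns it. The cancelled path should still free without replying, e.g. `if (status == -ECANCELED) { mgmt_pending_free(cmd); return; }`.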
> @@ -5408,12 +5396,14 @@ static void mgmt_remove_adv_monitor_complete(struct hci_dev *hdev,
>
> rp.monitor_handle = cp->monitor_handle;
>
> - if (!status)
> + if (!status) {
> + mgmt_adv_monitor_removed(cmd->sk, hdev, cp->monitor_handle);
> hci_update_passive_scan(hdev);
> + }
>
> mgmt_cmd_complete(cmd->sk, cmd->index, cmd->opcode,
> mgmt_status(status), &rp, sizeof(rp));
> - mgmt_pending_remove(cmd);
> + mgmt_pending_free(cmd);
>
> hci_dev_unlock(hdev);
> bt_dev_dbg(hdev, "remove monitor %d complete, status %d",
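Review bot: `mgmt_adv_monitor_removed(cmd->sk, hdev, cp->monitor_handle)` hands a little-endian wire field to a `u16` parameter that the helper then runs through `cpu_to_le16()` again. `cp->monitor_handle` is `__le16` (the sync path converts it with `__le16_to_cpu()` in the next hunk, and `rp.monitor_handle = cp->monitor_handle` copies it without conversion), so on big-endian the event carries a byte-swapped handle and sparse will warn. Pass `__le16_to_cpu(cp->monitor_handle)` at the call.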
> @@ -5423,10 +5413,6 @@ static void mgmt_remove_adv_monitor_complete(struct hci_dev *hdev,
> static int mgmt_remove_adv_monitor_sync(struct hci_dev *hdev, void *data)
> {
> struct mgmt_pending_cmd *cmd = data;
> -
> - if (cmd != pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev))
> - return -ECANCELED;
> -
> struct mgmt_cp_remove_adv_monitor *cp = cmd->param;
> u16 handle = __le16_to_cpu(cp->monitor_handle);
>
> @@ -5445,14 +5431,13 @@ static int remove_adv_monitor(struct sock *sk, struct hci_dev *hdev,
> hci_dev_lock(hdev);
>
> if (pending_find(MGMT_OP_SET_LE, hdev) ||
> - pending_find(MGMT_OP_REMOVE_ADV_MONITOR, hdev) ||
> pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR, hdev) ||
> pending_find(MGMT_OP_ADD_ADV_PATTERNS_MONITOR_RSSI, hdev)) {
> status = MGMT_STATUS_BUSY;
> goto unlock;
> }
>
> - cmd = mgmt_pending_add(sk, MGMT_OP_REMOVE_ADV_MONITOR, hdev, data, len);
> + cmd = mgmt_pending_new(sk, MGMT_OP_REMOVE_ADV_MONITOR, hdev, data, len);
> if (!cmd) {
> status = MGMT_STATUS_NO_RESOURCES;
> goto unlock;
> @@ -5462,7 +5447,7 @@ static int remove_adv_monitor(struct sock *sk, struct hci_dev *hdev,
> mgmt_remove_adv_monitor_complete);
>
> if (err) {
> - mgmt_pending_remove(cmd);
> + mgmt_pending_free(cmd);
>
> if (err == -ENOMEM)
> status = MGMT_STATUS_NO_RESOURCES;

syzbot
Jun 3, 2025, 5:03:06 PM
to linux-...@vger.kernel.org, luiz....@gmail.com, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+feb0dc...@syzkaller.appspotmail.com
Tested-by: syzbot+feb0dc...@syzkaller.appspotmail.com

Tested on:

commit: a9dfb7db Merge tag 'backlight-next-6.16' of git://git...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=160c4570580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6a3965f6896e6e14
dashboard link: https://syzkaller.appspot.com/bug?extid=feb0dc579bbe30a13190
compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6
patch: https://syzkaller.appspot.com/x/patch.diff?x=15933c82580000