Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in h4_recv_buf
2021/07/19 05:31:04 executed programs: 8
BUG: memory leak
unreferenced object 0xffff888110b60c00 (size 232):
comm "syz-executor.3", pid 10605, jiffies 4294944539 (age 22.210s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000d6b938d8>] __alloc_skb+0x20f/0x280 net/core/skbuff.c:414
[<0000000081f5ef8e>] alloc_skb include/linux/skbuff.h:1112 [inline]
[<0000000081f5ef8e>] bt_skb_alloc include/net/bluetooth/bluetooth.h:389 [inline]
[<0000000081f5ef8e>] h4_recv_buf+0x357/0x5a0 drivers/bluetooth/hci_h4.c:181
[<00000000db01427c>] h4_recv+0x58/0xc0 drivers/bluetooth/hci_h4.c:115
[<00000000c32d5755>] hci_uart_tty_receive+0xcc/0x230 drivers/bluetooth/hci_ldisc.c:613
[<00000000b15c1002>] tiocsti drivers/tty/tty_io.c:2311 [inline]
[<00000000b15c1002>] tty_ioctl+0x50b/0xbf0 drivers/tty/tty_io.c:2719
[<0000000076ae3e2f>] vfs_ioctl fs/ioctl.c:51 [inline]
[<0000000076ae3e2f>] __do_sys_ioctl fs/ioctl.c:1069 [inline]
[<0000000076ae3e2f>] __se_sys_ioctl fs/ioctl.c:1055 [inline]
[<0000000076ae3e2f>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:1055
[<000000003e95b1b4>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<000000003e95b1b4>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<00000000a62fbd01>] entry_SYSCALL_64_after_hwframe+0x44/0xae
BUG: memory leak
unreferenced object 0xffff8881274ed800 (size 1024):
comm "syz-executor.3", pid 10605, jiffies 4294944539 (age 22.210s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000e99b3747>] kmalloc_reserve net/core/skbuff.c:355 [inline]
[<00000000e99b3747>] __alloc_skb+0xdf/0x280 net/core/skbuff.c:426
[<0000000081f5ef8e>] alloc_skb include/linux/skbuff.h:1112 [inline]
[<0000000081f5ef8e>] bt_skb_alloc include/net/bluetooth/bluetooth.h:389 [inline]
[<0000000081f5ef8e>] h4_recv_buf+0x357/0x5a0 drivers/bluetooth/hci_h4.c:181
[<00000000db01427c>] h4_recv+0x58/0xc0 drivers/bluetooth/hci_h4.c:115
[<00000000c32d5755>] hci_uart_tty_receive+0xcc/0x230 drivers/bluetooth/hci_ldisc.c:613
[<00000000b15c1002>] tiocsti drivers/tty/tty_io.c:2311 [inline]
[<00000000b15c1002>] tty_ioctl+0x50b/0xbf0 drivers/tty/tty_io.c:2719
[<0000000076ae3e2f>] vfs_ioctl fs/ioctl.c:51 [inline]
[<0000000076ae3e2f>] __do_sys_ioctl fs/ioctl.c:1069 [inline]
[<0000000076ae3e2f>] __se_sys_ioctl fs/ioctl.c:1055 [inline]
[<0000000076ae3e2f>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:1055
[<000000003e95b1b4>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<000000003e95b1b4>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<00000000a62fbd01>] entry_SYSCALL_64_after_hwframe+0x44/0xae
BUG: memory leak
unreferenced object 0xffff888110ace800 (size 232):
comm "syz-executor.2", pid 10655, jiffies 4294944629 (age 21.310s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000d6b938d8>] __alloc_skb+0x20f/0x280 net/core/skbuff.c:414
[<0000000081f5ef8e>] alloc_skb include/linux/skbuff.h:1112 [inline]
[<0000000081f5ef8e>] bt_skb_alloc include/net/bluetooth/bluetooth.h:389 [inline]
[<0000000081f5ef8e>] h4_recv_buf+0x357/0x5a0 drivers/bluetooth/hci_h4.c:181
[<00000000db01427c>] h4_recv+0x58/0xc0 drivers/bluetooth/hci_h4.c:115
[<00000000c32d5755>] hci_uart_tty_receive+0xcc/0x230 drivers/bluetooth/hci_ldisc.c:613
[<00000000b15c1002>] tiocsti drivers/tty/tty_io.c:2311 [inline]
[<00000000b15c1002>] tty_ioctl+0x50b/0xbf0 drivers/tty/tty_io.c:2719
[<0000000076ae3e2f>] vfs_ioctl fs/ioctl.c:51 [inline]
[<0000000076ae3e2f>] __do_sys_ioctl fs/ioctl.c:1069 [inline]
[<0000000076ae3e2f>] __se_sys_ioctl fs/ioctl.c:1055 [inline]
[<0000000076ae3e2f>] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:1055
[<000000003e95b1b4>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<000000003e95b1b4>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
[<00000000a62fbd01>] entry_SYSCALL_64_after_hwframe+0x44/0xae
Tested on:
commit: 2734d6c1 Linux 5.14-rc2
git tree: upstream
console output:
https://syzkaller.appspot.com/x/log.txt?x=1569cf78300000
kernel config:
https://syzkaller.appspot.com/x/.config?x=7cd9a07e043c7c3f
dashboard link:
https://syzkaller.appspot.com/bug?extid=97388eb9d31b997fe1d0
compiler: