[syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit: 4e82c87058f4 Merge tag 'rust-6.15' of git://git.kernel.org..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17454e4c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f51da9763f36e4c7
dashboard link: https://syzkaller.appspot.com/bug?extid=ac3c79181f6aecc5120c
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a9052db6d173/disk-4e82c870.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9398a2c8040b/vmlinux-4e82c870.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8589baa292f3/bzImage-4e82c870.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ac3c79...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in skb_put_data include/linux/skbuff.h:2752 [inline]
BUG: KASAN: vmalloc-out-of-bounds in hci_devcd_dump+0x142/0x240 net/bluetooth/coredump.c:258
Read of size 140 at addr ffffc90004ed5000 by task kworker/u9:2/5844

CPU: 1 UID: 0 PID: 5844 Comm: kworker/u9:2 Not tainted 6.14.0-syzkaller-10892-g4e82c87058f4 #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: hci0 hci_devcd_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc3/0x670 mm/kasan/report.c:521
kasan_report+0xe0/0x110 mm/kasan/report.c:634
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
__asan_memcpy+0x23/0x60 mm/kasan/shadow.c:105
skb_put_data include/linux/skbuff.h:2752 [inline]
hci_devcd_dump+0x142/0x240 net/bluetooth/coredump.c:258
hci_devcd_timeout+0xb5/0x2e0 net/bluetooth/coredump.c:413
process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c2/0x780 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>

The buggy address ffffc90004ed5000 belongs to a vmalloc virtual mapping
Memory state around the buggy address:
ffffc90004ed4f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc90004ed4f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90004ed5000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
ffffc90004ed5080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc90004ed5100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit: a1b5bd45d4ee Merge tag 'usb-6.15-rc1' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1709494c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=44bfe55da7676adc

dashboard link: https://syzkaller.appspot.com/bug?extid=ac3c79181f6aecc5120c
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13e60be4580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10c5cfb0580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/9096ac93f836/disk-a1b5bd45.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/83a88633dd9d/vmlinux-a1b5bd45.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7353859863a8/bzImage-a1b5bd45.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ac3c79...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: vmalloc-out-of-bounds in skb_put_data include/linux/skbuff.h:2752 [inline]
BUG: KASAN: vmalloc-out-of-bounds in hci_devcd_dump+0x142/0x240 net/bluetooth/coredump.c:258

Read of size 140 at addr ffffc90000ace000 by task kworker/u9:1/5151

CPU: 0 UID: 0 PID: 5151 Comm: kworker/u9:1 Not tainted 6.14.0-syzkaller-12886-ga1b5bd45d4ee #0 PREEMPT(full)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Workqueue: hci0 hci_devcd_timeout
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc3/0x670 mm/kasan/report.c:521
kasan_report+0xe0/0x110 mm/kasan/report.c:634
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189
__asan_memcpy+0x23/0x60 mm/kasan/shadow.c:105
skb_put_data include/linux/skbuff.h:2752 [inline]
hci_devcd_dump+0x142/0x240 net/bluetooth/coredump.c:258
hci_devcd_timeout+0xb5/0x2e0 net/bluetooth/coredump.c:413
process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c2/0x780 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>

The buggy address ffffc90000ace000 belongs to a vmalloc virtual mapping

Memory state around the buggy address:

ffffc90000acdf00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc90000acdf80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90000ace000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
ffffc90000ace080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc90000ace100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

[Arnaud Lecomte]

#syz test

--- a/net/bluetooth/coredump.c
+++ b/net/bluetooth/coredump.c
@@ -249,6 +249,11 @@ static void hci_devcd_dump(struct hci_dev *hdev)

size = hdev->dump.tail - hdev->dump.head;

+ if (size >SKB_MAX_ALLOC) {
+ bt_dev_err(hdev, "Dump too large (%u bytes)", size);
+ return;
+ }
+
/* Emit a devcoredump with the available data */
dev_coredumpv(&hdev->dev, hdev->dump.head, size, GFP_KERNEL);

--

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in force_devcd_write

==================================================================
BUG: KASAN: slab-use-after-free in force_devcd_write+0x312/0x340 drivers/bluetooth/hci_vhci.c:327
Read of size 8 at addr ffff888028448800 by task syz.0.616/8068

CPU: 0 UID: 0 PID: 8068 Comm: syz.0.616 Not tainted 6.15.0-rc3-syzkaller-gbc3372351d0c-dirty #0 PREEMPT(full)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025

Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc3/0x670 mm/kasan/report.c:521
kasan_report+0xe0/0x110 mm/kasan/report.c:634

force_devcd_write+0x312/0x340 drivers/bluetooth/hci_vhci.c:327
full_proxy_write+0x13c/0x200 fs/debugfs/file.c:398
vfs_write+0x25c/0x1180 fs/read_write.c:682
ksys_write+0x12a/0x240 fs/read_write.c:736
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x230 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1dc558e169
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1dc47fe038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f1dc57b5fa0 RCX: 00007f1dc558e169
RDX: 000000000000000e RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f1dc5610a68 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f1dc57b5fa0 R15: 00007ffc66674788
</TASK>

Allocated by task 6607:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
vhci_open+0x4c/0x430 drivers/bluetooth/hci_vhci.c:635
misc_open+0x35a/0x420 drivers/char/misc.c:179
chrdev_open+0x231/0x6a0 fs/char_dev.c:414
do_dentry_open+0x741/0x1c10 fs/open.c:956
vfs_open+0x82/0x3f0 fs/open.c:1086
do_open fs/namei.c:3880 [inline]
path_openat+0x1e5e/0x2d40 fs/namei.c:4039
do_filp_open+0x20b/0x470 fs/namei.c:4066
do_sys_openat2+0x11b/0x1d0 fs/open.c:1429
do_sys_open fs/open.c:1444 [inline]
__do_sys_openat fs/open.c:1460 [inline]
__se_sys_openat fs/open.c:1455 [inline]
__x64_sys_openat+0x174/0x210 fs/open.c:1455
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x230 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 6607:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2398 [inline]
slab_free mm/slub.c:4656 [inline]
kfree+0x2b6/0x4d0 mm/slub.c:4855
vhci_release+0xbb/0xf0 drivers/bluetooth/hci_vhci.c:671
__fput+0x3ff/0xb70 fs/file_table.c:465
task_work_run+0x14d/0x240 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xafb/0x2c30 kernel/exit.c:953
do_group_exit+0xd3/0x2a0 kernel/exit.c:1102
get_signal+0x2673/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x7a0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x230 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888028448800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 0 bytes inside of
freed 1024-byte region [ffff888028448800, ffff888028448c00)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28448
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b441dc0 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801b441dc0 0000000000000000 dead000000000001
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0000a11201 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5928, tgid 5928 (kworker/u8:2), ts 88342641017, free_ts 88224139595
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x181/0x1b0 mm/page_alloc.c:1718
prep_new_page mm/page_alloc.c:1726 [inline]
get_page_from_freelist+0x135c/0x3920 mm/page_alloc.c:3688
__alloc_frozen_pages_noprof+0x263/0x23a0 mm/page_alloc.c:4970
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2301
alloc_slab_page mm/slub.c:2468 [inline]
allocate_slab mm/slub.c:2632 [inline]
new_slab+0x244/0x340 mm/slub.c:2686
___slab_alloc+0xd9c/0x1940 mm/slub.c:3872
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3962
__slab_alloc_node mm/slub.c:4037 [inline]
slab_alloc_node mm/slub.c:4198 [inline]
__do_kmalloc_node mm/slub.c:4340 [inline]
__kmalloc_noprof+0x2f2/0x510 mm/slub.c:4353
kmalloc_noprof include/linux/slab.h:909 [inline]
load_elf_phdrs+0x102/0x210 fs/binfmt_elf.c:532
load_elf_binary+0x14b3/0x4f80 fs/binfmt_elf.c:960
search_binary_handler fs/exec.c:1778 [inline]
exec_binprm fs/exec.c:1810 [inline]
bprm_execve fs/exec.c:1862 [inline]
bprm_execve+0x8c0/0x1650 fs/exec.c:1838
kernel_execve+0x2ef/0x3b0 fs/exec.c:2028
call_usermodehelper_exec_async+0x255/0x4c0 kernel/umh.c:109

ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

page last free pid 5903 tgid 5903 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1262 [inline]
__free_frozen_pages+0x69d/0xff0 mm/page_alloc.c:2725
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4161 [inline]
slab_alloc_node mm/slub.c:4210 [inline]
kmem_cache_alloc_noprof+0x1cb/0x3b0 mm/slub.c:4217
getname_flags.part.0+0x4c/0x550 fs/namei.c:146
getname_flags+0x93/0xf0 include/linux/audit.h:322
getname include/linux/fs.h:2852 [inline]
do_sys_openat2+0xb8/0x1d0 fs/open.c:1423
do_sys_open fs/open.c:1444 [inline]
__do_sys_openat fs/open.c:1460 [inline]
__se_sys_openat fs/open.c:1455 [inline]
__x64_sys_openat+0x174/0x210 fs/open.c:1455
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x230 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:

ffff888028448700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888028448780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888028448800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888028448880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888028448900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: bc337235 Merge tag 'for-6.15-rc3-tag' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11a91014580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f65c1740d8e72188

dashboard link: https://syzkaller.appspot.com/bug?extid=ac3c79181f6aecc5120c
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=11fdbacc580000

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-...@vger.kernel.org, syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [bluetooth?] KASAN: vmalloc-out-of-bounds Read in hci_devcd_dump
Author: ipravdin...@gmail.com

#syz test

diff --git a/net/bluetooth/coredump.c b/net/bluetooth/coredump.c
index 819eacb38762..720cb79adf96 100644
--- a/net/bluetooth/coredump.c
+++ b/net/bluetooth/coredump.c
@@ -249,15 +249,15 @@ static void hci_devcd_dump(struct hci_dev *hdev)

size = hdev->dump.tail - hdev->dump.head;

- /* Emit a devcoredump with the available data */
- dev_coredumpv(&hdev->dev, hdev->dump.head, size, GFP_KERNEL);
-
/* Send a copy to monitor as a diagnostic packet */
skb = bt_skb_alloc(size, GFP_ATOMIC);
if (skb) {
skb_put_data(skb, hdev->dump.head, size);
hci_recv_diag(hdev, skb);

}
+
+ /* Emit a devcoredump with the available data */

+ dev_coredumpv(&hdev->dev, hdev->dump.head, size, GFP_KERNEL);
}

Ivan Pravdin

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in force_devcd_write

==================================================================
BUG: KASAN: slab-use-after-free in force_devcd_write+0x312/0x340 drivers/bluetooth/hci_vhci.c:327

Read of size 8 at addr ffff88802a361800 by task syz.0.616/8016

CPU: 0 UID: 0 PID: 8016 Comm: syz.0.616 Not tainted 6.15.0-syzkaller-13804-g939f15e640f1-dirty #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025

Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]

print_report+0xcd/0x680 mm/kasan/report.c:521

kasan_report+0xe0/0x110 mm/kasan/report.c:634
force_devcd_write+0x312/0x340 drivers/bluetooth/hci_vhci.c:327

full_proxy_write+0x13f/0x200 fs/debugfs/file.c:398
vfs_write+0x29d/0x1150 fs/read_write.c:684
ksys_write+0x12a/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f669c18e969

Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007f669d03c038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f669c3b5fa0 RCX: 00007f669c18e969

RDX: 000000000000000e RSI: 0000000000000000 RDI: 0000000000000003

RBP: 00007f669c210ab1 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 0000000000000000 R14: 00007f669c3b5fa0 R15: 00007ffcf3655198
</TASK>

Allocated by task 6529:

kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
vhci_open+0x4c/0x430 drivers/bluetooth/hci_vhci.c:635

misc_open+0x35d/0x420 drivers/char/misc.c:161
chrdev_open+0x231/0x6a0 fs/char_dev.c:414
do_dentry_open+0x744/0x1c10 fs/open.c:964
vfs_open+0x82/0x3f0 fs/open.c:1094
do_open fs/namei.c:3887 [inline]
path_openat+0x1de4/0x2cb0 fs/namei.c:4046
do_filp_open+0x20b/0x470 fs/namei.c:4073
do_sys_openat2+0x11b/0x1d0 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_openat fs/open.c:1468 [inline]
__se_sys_openat fs/open.c:1463 [inline]
__x64_sys_openat+0x174/0x210 fs/open.c:1463
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 6529:

kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]

slab_free_hook mm/slub.c:2381 [inline]
slab_free mm/slub.c:4643 [inline]
kfree+0x2b4/0x4d0 mm/slub.c:4842
vhci_release+0xbb/0xf0 drivers/bluetooth/hci_vhci.c:671
__fput+0x402/0xb70 fs/file_table.c:465
task_work_run+0x150/0x240 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x864/0x2bd0 kernel/exit.c:955
do_group_exit+0xd3/0x2a0 kernel/exit.c:1104
get_signal+0x2673/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x790 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop+0x84/0x110 kernel/entry/common.c:111
exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
do_syscall_64+0x3f6/0x490 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88802a361800

which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 0 bytes inside of

freed 1024-byte region [ffff88802a361800, ffff88802a361c00)

The buggy address belongs to the physical page:

page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2a360

head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0

flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)

raw: 00fff00000000040 ffff88801b441dc0 ffffea00017efa00 dead000000000002

raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000

head: 00fff00000000040 ffff88801b441dc0 ffffea00017efa00 dead000000000002

head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000

head: 00fff00000000003 ffffea0000a8d801 00000000ffffffff 00000000ffffffff

head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated

page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 79, tgid 79 (kworker/u8:4), ts 139345437556, free_ts 139048889741
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1704
prep_new_page mm/page_alloc.c:1712 [inline]
get_page_from_freelist+0x1321/0x3890 mm/page_alloc.c:3669
__alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:4959
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2419
alloc_slab_page mm/slub.c:2451 [inline]
allocate_slab mm/slub.c:2619 [inline]
new_slab+0x23b/0x330 mm/slub.c:2673
___slab_alloc+0xd9c/0x1940 mm/slub.c:3859
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3949
__slab_alloc_node mm/slub.c:4024 [inline]
slab_alloc_node mm/slub.c:4185 [inline]
__do_kmalloc_node mm/slub.c:4327 [inline]
__kmalloc_noprof+0x2f2/0x510 mm/slub.c:4340
kmalloc_noprof include/linux/slab.h:909 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
ieee802_11_parse_elems_full+0x1d7/0x3780 net/mac80211/parse.c:1013
ieee802_11_parse_elems_crc net/mac80211/ieee80211_i.h:2414 [inline]
ieee802_11_parse_elems net/mac80211/ieee80211_i.h:2421 [inline]
ieee80211_inform_bss+0x10b/0x1140 net/mac80211/scan.c:79
rdev_inform_bss net/wireless/rdev-ops.h:418 [inline]
cfg80211_inform_single_bss_data+0x8e7/0x1df0 net/wireless/scan.c:2367
cfg80211_inform_bss_data+0x224/0x3bc0 net/wireless/scan.c:3222
cfg80211_inform_bss_frame_data+0x26f/0x750 net/wireless/scan.c:3313
ieee80211_bss_info_update+0x310/0xab0 net/mac80211/scan.c:226
ieee80211_rx_bss_info net/mac80211/ibss.c:1094 [inline]
ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1573 [inline]
ieee80211_ibss_rx_queued_mgmt+0x1905/0x2fd0 net/mac80211/ibss.c:1600
ieee80211_iface_process_skb net/mac80211/iface.c:1668 [inline]
ieee80211_iface_work+0xbf4/0x1020 net/mac80211/iface.c:1722
page last free pid 3553 tgid 3553 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1248 [inline]
__free_frozen_pages+0x7fe/0x1180 mm/page_alloc.c:2706
discard_slab mm/slub.c:2717 [inline]
__put_partials+0x16d/0x1c0 mm/slub.c:3186
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4d/0x120 mm/kasan/quarantine.c:179

kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]

slab_post_alloc_hook mm/slub.c:4148 [inline]
slab_alloc_node mm/slub.c:4197 [inline]
kmem_cache_alloc_node_noprof+0x1d5/0x3b0 mm/slub.c:4249
__alloc_skb+0x2b2/0x380 net/core/skbuff.c:660
alloc_skb include/linux/skbuff.h:1336 [inline]
nlmsg_new include/net/netlink.h:1041 [inline]
mpls_netconf_notify_devconf+0x4a/0x110 net/mpls/af_mpls.c:1189
mpls_dev_sysctl_unregister net/mpls/af_mpls.c:1432 [inline]
mpls_dev_notify+0x726/0xa20 net/mpls/af_mpls.c:1641
notifier_call_chain+0xbc/0x410 kernel/notifier.c:85
call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:2230
call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]
call_netdevice_notifiers net/core/dev.c:2282 [inline]
unregister_netdevice_many_notify+0xf9d/0x2700 net/core/dev.c:12077
ops_exit_rtnl_list net/core/net_namespace.c:188 [inline]
ops_undo_list+0x8fc/0xab0 net/core/net_namespace.c:249
cleanup_net+0x408/0x890 net/core/net_namespace.c:686
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238
process_scheduled_works kernel/workqueue.c:3321 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402

Memory state around the buggy address:

ffff88802a361700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88802a361780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88802a361800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802a361880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802a361900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 939f15e6 Merge tag 'turbostat-2025.06.08' of git://git..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15687570580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6678e7c8a50af095

dashboard link: https://syzkaller.appspot.com/bug?extid=ac3c79181f6aecc5120c
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=172349d4580000

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in force_devcd_write

==================================================================
BUG: KASAN: slab-use-after-free in force_devcd_write+0x312/0x340 drivers/bluetooth/hci_vhci.c:327

Read of size 8 at addr ffff88807b5f6000 by task syz.0.616/7999

CPU: 0 UID: 0 PID: 7999 Comm: syz.0.616 Not tainted 6.15.0-syzkaller-13804-g939f15e640f1-dirty #0 PREEMPT(full)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xcd/0x680 mm/kasan/report.c:521
kasan_report+0xe0/0x110 mm/kasan/report.c:634
force_devcd_write+0x312/0x340 drivers/bluetooth/hci_vhci.c:327
full_proxy_write+0x13f/0x200 fs/debugfs/file.c:398
vfs_write+0x29d/0x1150 fs/read_write.c:684
ksys_write+0x12a/0x250 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f3210d8e969

Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007f3211b9b038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f3210fb5fa0 RCX: 00007f3210d8e969

RDX: 000000000000000e RSI: 0000000000000000 RDI: 0000000000000003

RBP: 00007f3210e10ab1 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 0000000000000000 R14: 00007f3210fb5fa0 R15: 00007fff9eb91938
</TASK>

Allocated by task 6438:

kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
vhci_open+0x4c/0x430 drivers/bluetooth/hci_vhci.c:635
misc_open+0x35d/0x420 drivers/char/misc.c:161
chrdev_open+0x231/0x6a0 fs/char_dev.c:414
do_dentry_open+0x744/0x1c10 fs/open.c:964
vfs_open+0x82/0x3f0 fs/open.c:1094
do_open fs/namei.c:3887 [inline]
path_openat+0x1de4/0x2cb0 fs/namei.c:4046
do_filp_open+0x20b/0x470 fs/namei.c:4073
do_sys_openat2+0x11b/0x1d0 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_openat fs/open.c:1468 [inline]
__se_sys_openat fs/open.c:1463 [inline]
__x64_sys_openat+0x174/0x210 fs/open.c:1463
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 6438:

kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2381 [inline]
slab_free mm/slub.c:4643 [inline]
kfree+0x2b4/0x4d0 mm/slub.c:4842
vhci_release+0xbb/0xf0 drivers/bluetooth/hci_vhci.c:671
__fput+0x402/0xb70 fs/file_table.c:465
task_work_run+0x150/0x240 kernel/task_work.c:227
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x864/0x2bd0 kernel/exit.c:955
do_group_exit+0xd3/0x2a0 kernel/exit.c:1104
get_signal+0x2673/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x790 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop+0x84/0x110 kernel/entry/common.c:111
exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline]
do_syscall_64+0x3f6/0x490 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88807b5f6000

which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 0 bytes inside of

freed 1024-byte region [ffff88807b5f6000, ffff88807b5f6400)

The buggy address belongs to the physical page:

page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7b5f0

head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)

raw: 00fff00000000040 ffff88801b441dc0 dead000000000100 dead000000000122

raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000

head: 00fff00000000040 ffff88801b441dc0 dead000000000100 dead000000000122

head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000

head: 00fff00000000003 ffffea0001ed7c01 00000000ffffffff 00000000ffffffff

head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated

page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5498, tgid 5498 (S41dhcpcd), ts 56157746693, free_ts 56113477136

set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1704
prep_new_page mm/page_alloc.c:1712 [inline]
get_page_from_freelist+0x1321/0x3890 mm/page_alloc.c:3669
__alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:4959
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2419
alloc_slab_page mm/slub.c:2451 [inline]
allocate_slab mm/slub.c:2619 [inline]
new_slab+0x23b/0x330 mm/slub.c:2673
___slab_alloc+0xd9c/0x1940 mm/slub.c:3859
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3949
__slab_alloc_node mm/slub.c:4024 [inline]
slab_alloc_node mm/slub.c:4185 [inline]
__do_kmalloc_node mm/slub.c:4327 [inline]
__kmalloc_noprof+0x2f2/0x510 mm/slub.c:4340
kmalloc_noprof include/linux/slab.h:909 [inline]

load_elf_phdrs+0x102/0x210 fs/binfmt_elf.c:525
load_elf_binary+0x1fa/0x4f00 fs/binfmt_elf.c:854
search_binary_handler fs/exec.c:1665 [inline]
exec_binprm fs/exec.c:1697 [inline]
bprm_execve fs/exec.c:1749 [inline]
bprm_execve+0x8c3/0x1650 fs/exec.c:1725
do_execveat_common.isra.0+0x4a5/0x610 fs/exec.c:1855
do_execve fs/exec.c:1929 [inline]
__do_sys_execve fs/exec.c:2005 [inline]
__se_sys_execve fs/exec.c:2000 [inline]
__x64_sys_execve+0x8e/0xb0 fs/exec.c:2000

do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

page last free pid 5184 tgid 5184 stack trace:

reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1248 [inline]
__free_frozen_pages+0x7fe/0x1180 mm/page_alloc.c:2706
discard_slab mm/slub.c:2717 [inline]
__put_partials+0x16d/0x1c0 mm/slub.c:3186
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4d/0x120 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4148 [inline]
slab_alloc_node mm/slub.c:4197 [inline]

kmem_cache_alloc_lru_noprof+0x1d0/0x3b0 mm/slub.c:4216
__d_alloc+0x31/0xaa0 fs/dcache.c:1690
d_alloc+0x4a/0x1e0 fs/dcache.c:1769
d_alloc_parallel+0xe3/0x12e0 fs/dcache.c:2533
__lookup_slow+0x193/0x460 fs/namei.c:1802
lookup_slow fs/namei.c:1834 [inline]
walk_component+0x353/0x5b0 fs/namei.c:2138
lookup_last fs/namei.c:2639 [inline]
path_lookupat+0x142/0x6d0 fs/namei.c:2663
filename_lookup+0x224/0x5f0 fs/namei.c:2692
vfs_statx+0x101/0x3e0 fs/stat.c:353
vfs_fstatat+0x7b/0xf0 fs/stat.c:375
__do_sys_newfstatat+0x97/0x120 fs/stat.c:542

Memory state around the buggy address:

ffff88807b5f5f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88807b5f5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88807b5f6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807b5f6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807b5f6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

==================================================================


Tested on:

commit: 939f15e6 Merge tag 'turbostat-2025.06.08' of git://git..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=15698a82580000

kernel config: https://syzkaller.appspot.com/x/.config?x=6678e7c8a50af095
dashboard link: https://syzkaller.appspot.com/bug?extid=ac3c79181f6aecc5120c
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=15c18a82580000

[syzbot]

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

cquire+0xfc/0x350
[ 109.325603][ T5869] _raw_spin_lock+0x2e/0x40
[ 109.325629][ T5869] ? lockref_get+0x15/0x50
[ 109.325659][ T5869] lockref_get+0x15/0x50
[ 109.325688][ T5869] simple_recursive_removal+0x3b/0x690
[ 109.325717][ T5869] ? do_raw_spin_unlock+0x172/0x230
[ 109.325747][ T5869] ? __pfx_remove_one+0x10/0x10
[ 109.325771][ T5869] ? mntput+0x10/0x90
[ 109.325796][ T5869] debugfs_remove+0x5d/0x80
[ 109.325821][ T5869] hci_release_dev+0x8c/0x600
[ 109.325852][ T5869] ? __pfx_hci_release_dev+0x10/0x10
[ 109.325882][ T5869] ? rcu_is_watching+0x12/0xc0
[ 109.325903][ T5869] ? kfree+0x24f/0x4d0
[ 109.325931][ T5869] bt_host_release+0x6a/0xb0
[ 109.325952][ T5869] ? __pfx_bt_host_release+0x10/0x10
[ 109.325973][ T5869] device_release+0xa1/0x240
[ 109.325999][ T5869] kobject_put+0x1e7/0x5a0
[ 109.326020][ T5869] ? __pfx_vhci_release+0x10/0x10
[ 109.326052][ T5869] put_device+0x1f/0x30
[ 109.326076][ T5869] vhci_release+0xb5/0x130
[ 109.326108][ T5869] __fput+0x402/0xb70
[ 109.326132][ T5869] task_work_run+0x150/0x240
[ 109.326164][ T5869] ? __pfx_task_work_run+0x10/0x10
[ 109.326199][ T5869] do_exit+0x864/0x2bd0
[ 109.326230][ T5869] ? __pfx_do_exit+0x10/0x10
[ 109.326256][ T5869] ? do_raw_spin_lock+0x12c/0x2b0
[ 109.326286][ T5869] ? find_held_lock+0x2b/0x80
[ 109.326308][ T5869] do_group_exit+0xd3/0x2a0
[ 109.326336][ T5869] get_signal+0x2673/0x26d0
[ 109.326363][ T5869] ? __pfx_get_signal+0x10/0x10
[ 109.326385][ T5869] ? kmem_cache_free+0x16d/0x4d0
[ 109.326413][ T5869] ? __fput+0x68d/0xb70
[ 109.326434][ T5869] arch_do_signal_or_restart+0x8f/0x790
[ 109.326457][ T5869] ? __fput+0x68d/0xb70
[ 109.326476][ T5869] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 109.326503][ T5869] ? __pfx_fput_close_sync+0x10/0x10
[ 109.326524][ T5869] ? dnotify_flush+0x79/0x4c0
[ 109.326566][ T5869] exit_to_user_mode_loop+0x84/0x110
[ 109.326600][ T5869] do_syscall_64+0x3f6/0x490
[ 109.326621][ T5869] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 109.326644][ T5869] RIP: 0033:0x7f6845b8d5ca
[ 109.326661][ T5869] Code: Unable to access opcode bytes at 0x7f6845b8d5a0.
[ 109.326671][ T5869] RSP: 002b:00007ffefac60c40 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 109.326693][ T5869] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007f6845b8d5ca
[ 109.326706][ T5869] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 109.326719][ T5869] RBP: 00007ffefac60c9c R08: 0000000000000000 R09: 00007ffefac609a7
[ 109.326732][ T5869] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[ 109.326745][ T5869] R13: 00000000000927c0 R14: 000000000001aa36 R15: 00007ffefac60cf0
[ 109.326765][ T5869] </TASK>
[ 109.326772][ T5869]
[ 109.662463][ T5869] Allocated by task 5869:
[ 109.666812][ T5869] kasan_save_stack+0x33/0x60
[ 109.671613][ T5869] kasan_save_track+0x14/0x30
[ 109.676325][ T5869] __kasan_slab_alloc+0x89/0x90
[ 109.681256][ T5869] kmem_cache_alloc_lru_noprof+0x1d0/0x3b0
[ 109.687349][ T5869] __d_alloc+0x31/0xaa0
[ 109.691619][ T5869] d_alloc+0x4a/0x1e0
[ 109.695718][ T5869] d_alloc_parallel+0xe3/0x12e0
[ 109.700963][ T5869] __lookup_slow+0x193/0x460
[ 109.705774][ T5869] lookup_noperm+0xe1/0x110
[ 109.710312][ T5869] start_creating.part.0+0x15a/0x3e0
[ 109.716005][ T5869] debugfs_create_dir+0x6c/0x5f0
[ 109.721340][ T5869] hci_register_dev+0x2f2/0xc60
[ 109.726328][ T5869] __vhci_create_device+0x357/0x7f0
[ 109.731716][ T5869] vhci_write+0x2c0/0x480
[ 109.736252][ T5869] vfs_write+0x6c4/0x1150
[ 109.740904][ T5869] ksys_write+0x12a/0x250
[ 109.745448][ T5869] do_syscall_64+0xcd/0x490
[ 109.750065][ T5869] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 109.755993][ T5869]
[ 109.758349][ T5869] Freed by task 15:
[ 109.762424][ T5869] kasan_save_stack+0x33/0x60
[ 109.767369][ T5869] kasan_save_track+0x14/0x30
[ 109.772423][ T5869] kasan_save_free_info+0x3b/0x60
[ 109.777663][ T5869] __kasan_slab_free+0x51/0x70
[ 109.782576][ T5869] kmem_cache_free+0x2d1/0x4d0
[ 109.787495][ T5869] rcu_core+0x79c/0x14e0
[ 109.791784][ T5869] handle_softirqs+0x219/0x8e0
[ 109.796774][ T5869] run_ksoftirqd+0x3a/0x60
[ 109.801340][ T5869] smpboot_thread_fn+0x3f7/0xae0
[ 109.806423][ T5869] kthread+0x3c2/0x780
[ 109.810589][ T5869] ret_from_fork+0x5d4/0x6f0
[ 109.815482][ T5869] ret_from_fork_asm+0x1a/0x30
[ 109.820362][ T5869]
[ 109.823072][ T5869] Last potentially related work creation:
[ 109.828904][ T5869] kasan_save_stack+0x33/0x60
[ 109.833815][ T5869] kasan_record_aux_stack+0xa7/0xc0
[ 109.839064][ T5869] __call_rcu_common.constprop.0+0x9a/0x9f0
[ 109.846303][ T5869] dentry_free+0xc2/0x160
[ 109.850666][ T5869] __dentry_kill+0x498/0x600
[ 109.855291][ T5869] dput.part.0+0x4b1/0x9b0
[ 109.859830][ T5869] dput+0x1f/0x30
[ 109.863586][ T5869] debugfs_remove+0x5d/0x80
[ 109.868127][ T5869] vhci_release+0x9b/0x130
[ 109.872572][ T5869] __fput+0x402/0xb70
[ 109.876663][ T5869] task_work_run+0x150/0x240
[ 109.881510][ T5869] do_exit+0x864/0x2bd0
[ 109.885964][ T5869] do_group_exit+0xd3/0x2a0
[ 109.890524][ T5869] get_signal+0x2673/0x26d0
[ 109.895159][ T5869] arch_do_signal_or_restart+0x8f/0x790
[ 109.900906][ T5869] exit_to_user_mode_loop+0x84/0x110
[ 109.906326][ T5869] do_syscall_64+0x3f6/0x490
[ 109.911128][ T5869] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 109.917311][ T5869]
[ 109.919935][ T5869] The buggy address belongs to the object at ffff888071891a70
[ 109.919935][ T5869] which belongs to the cache dentry of size 312
[ 109.934312][ T5869] The buggy address is located 208 bytes inside of
[ 109.934312][ T5869] freed 312-byte region [ffff888071891a70, ffff888071891ba8)
[ 109.949195][ T5869]
[ 109.951537][ T5869] The buggy address belongs to the physical page:
[ 109.957976][ T5869] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x71890
[ 109.967572][ T5869] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 109.976151][ T5869] memcg:ffff88802919ed01
[ 109.980496][ T5869] flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
[ 109.988514][ T5869] page_type: f5(slab)
[ 109.993050][ T5869] raw: 00fff00000000040 ffff88801ca94780 dead000000000122 0000000000000000
[ 110.001676][ T5869] raw: 0000000000000000 0000000000150015 00000000f5000000 ffff88802919ed01
[ 110.010388][ T5869] head: 00fff00000000040 ffff88801ca94780 dead000000000122 0000000000000000
[ 110.019449][ T5869] head: 0000000000000000 0000000000150015 00000000f5000000 ffff88802919ed01
[ 110.028182][ T5869] head: 00fff00000000001 ffffea0001c62401 00000000ffffffff 00000000ffffffff
[ 110.037080][ T5869] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 110.045949][ T5869] page dumped because: kasan: bad access detected
[ 110.052725][ T5869] page_owner tracks the page as allocated
[ 110.058670][ T5869] page last allocated via order 1, migratetype Reclaimable, gfp_mask 0xd20d0(__GFP_RECLAIMABLE|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5864, tgid 5864 (syz-executor), ts 108825522753, free_ts 35108082918
[ 110.083404][ T5869] post_alloc_hook+0x1c0/0x230
[ 110.089384][ T5869] get_page_from_freelist+0x1321/0x3890
[ 110.095163][ T5869] __alloc_frozen_pages_noprof+0x261/0x23f0
[ 110.102661][ T5869] alloc_pages_mpol+0x1fb/0x550
[ 110.108098][ T5869] new_slab+0x23b/0x330
[ 110.112837][ T5869] ___slab_alloc+0xd9c/0x1940
[ 110.117802][ T5869] __slab_alloc.constprop.0+0x56/0xb0
[ 110.123659][ T5869] kmem_cache_alloc_lru_noprof+0xf4/0x3b0
[ 110.129789][ T5869] __d_alloc+0x31/0xaa0
[ 110.134352][ T5869] d_alloc_pseudo+0x1c/0xc0
[ 110.139204][ T5869] alloc_file_pseudo+0xcf/0x230
[ 110.144507][ T5869] sock_alloc_file+0x50/0x210
[ 110.149791][ T5869] __sys_socket+0x1c0/0x260
[ 110.154768][ T5869] __x64_sys_socket+0x72/0xb0
[ 110.159903][ T5869] do_syscall_64+0xcd/0x490
[ 110.164705][ T5869] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 110.171259][ T5869] page last free pid 1 tgid 1 stack trace:
[ 110.177345][ T5869] __free_frozen_pages+0x7fe/0x1180
[ 110.182956][ T5869] free_contig_range+0x183/0x4b0
[ 110.188039][ T5869] destroy_args+0x7f6/0xa60
[ 110.192847][ T5869] debug_vm_pgtable+0x13b8/0x2d00
[ 110.198193][ T5869] do_one_initcall+0x120/0x6e0
[ 110.203286][ T5869] kernel_init_freeable+0x5c2/0x900
[ 110.208731][ T5869] kernel_init+0x1c/0x2b0
[ 110.213105][ T5869] ret_from_fork+0x5d4/0x6f0
[ 110.217918][ T5869] ret_from_fork_asm+0x1a/0x30
[ 110.222812][ T5869]
[ 110.225370][ T5869] Memory state around the buggy address:
[ 110.231468][ T5869] ffff888071891a00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fa fb
[ 110.240145][ T5869] ffff888071891a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 110.248590][ T5869] >ffff888071891b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 110.257376][ T5869] ^
[ 110.263723][ T5869] ffff888071891b80: fb fb fb fb fb fc fc fc fc fc fc fc fc fa fb fb
[ 110.272360][ T5869] ffff888071891c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 110.280656][ T5869] ==================================================================
[ 110.290650][ T5869] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 110.298787][ T5869] CPU: 1 UID: 0 PID: 5869 Comm: syz-executor Not tainted 6.16.0-rc1-syzkaller-g19272b37aa4f-dirty #0 PREEMPT(full)
[ 110.311806][ T5869] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 110.321979][ T5869] Call Trace:
[ 110.325949][ T5869] <TASK>
[ 110.329265][ T5869] dump_stack_lvl+0x3d/0x1f0
[ 110.334799][ T5869] panic+0x71c/0x800
[ 110.338998][ T5869] ? __pfx_panic+0x10/0x10
[ 110.343613][ T5869] ? rcu_is_watching+0x12/0xc0
[ 110.348630][ T5869] ? irqentry_exit+0x3b/0x90
[ 110.353343][ T5869] ? lockdep_hardirqs_on+0x7c/0x110
[ 110.358844][ T5869] ? _raw_spin_lock+0x2e/0x40
[ 110.363634][ T5869] ? check_panic_on_warn+0x1f/0xb0
[ 110.368878][ T5869] ? _raw_spin_lock+0x2e/0x40
[ 110.373779][ T5869] check_panic_on_warn+0xab/0xb0
[ 110.378848][ T5869] end_report+0x107/0x170
[ 110.383308][ T5869] kasan_report+0xee/0x110
[ 110.387745][ T5869] ? _raw_spin_lock+0x2e/0x40
[ 110.392640][ T5869] ? _raw_spin_lock+0x2e/0x40
[ 110.397603][ T5869] __kasan_check_byte+0x36/0x50
[ 110.402600][ T5869] lock_acquire+0xfc/0x350
[ 110.407153][ T5869] _raw_spin_lock+0x2e/0x40
[ 110.411773][ T5869] ? lockref_get+0x15/0x50
[ 110.416402][ T5869] lockref_get+0x15/0x50
[ 110.420955][ T5869] simple_recursive_removal+0x3b/0x690
[ 110.426702][ T5869] ? do_raw_spin_unlock+0x172/0x230
[ 110.431959][ T5869] ? __pfx_remove_one+0x10/0x10
[ 110.436933][ T5869] ? mntput+0x10/0x90
[ 110.441117][ T5869] debugfs_remove+0x5d/0x80
[ 110.446166][ T5869] hci_release_dev+0x8c/0x600
[ 110.450960][ T5869] ? __pfx_hci_release_dev+0x10/0x10
[ 110.456565][ T5869] ? rcu_is_watching+0x12/0xc0
[ 110.461363][ T5869] ? kfree+0x24f/0x4d0
[ 110.465635][ T5869] bt_host_release+0x6a/0xb0
[ 110.470427][ T5869] ? __pfx_bt_host_release+0x10/0x10
[ 110.475842][ T5869] device_release+0xa1/0x240
[ 110.480576][ T5869] kobject_put+0x1e7/0x5a0
[ 110.485098][ T5869] ? __pfx_vhci_release+0x10/0x10
[ 110.490263][ T5869] put_device+0x1f/0x30
[ 110.494492][ T5869] vhci_release+0xb5/0x130
[ 110.499490][ T5869] __fput+0x402/0xb70
[ 110.503813][ T5869] task_work_run+0x150/0x240
[ 110.508637][ T5869] ? __pfx_task_work_run+0x10/0x10
[ 110.514088][ T5869] do_exit+0x864/0x2bd0
[ 110.518757][ T5869] ? __pfx_do_exit+0x10/0x10
[ 110.523385][ T5869] ? do_raw_spin_lock+0x12c/0x2b0
[ 110.528713][ T5869] ? find_held_lock+0x2b/0x80
[ 110.533506][ T5869] do_group_exit+0xd3/0x2a0
[ 110.538221][ T5869] get_signal+0x2673/0x26d0
[ 110.542932][ T5869] ? __pfx_get_signal+0x10/0x10
[ 110.548742][ T5869] ? kmem_cache_free+0x16d/0x4d0
[ 110.553909][ T5869] ? __fput+0x68d/0xb70
[ 110.558187][ T5869] arch_do_signal_or_restart+0x8f/0x790
[ 110.564061][ T5869] ? __fput+0x68d/0xb70
[ 110.568918][ T5869] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 110.575472][ T5869] ? __pfx_fput_close_sync+0x10/0x10
[ 110.580949][ T5869] ? dnotify_flush+0x79/0x4c0
[ 110.585856][ T5869] exit_to_user_mode_loop+0x84/0x110
[ 110.591259][ T5869] do_syscall_64+0x3f6/0x490
[ 110.595889][ T5869] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 110.602107][ T5869] RIP: 0033:0x7f6845b8d5ca
[ 110.606681][ T5869] Code: Unable to access opcode bytes at 0x7f6845b8d5a0.
[ 110.613977][ T5869] RSP: 002b:00007ffefac60c40 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 110.622786][ T5869] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007f6845b8d5ca
[ 110.630784][ T5869] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 110.638860][ T5869] RBP: 00007ffefac60c9c R08: 0000000000000000 R09: 00007ffefac609a7
[ 110.647030][ T5869] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000001
[ 110.655018][ T5869] R13: 00000000000927c0 R14: 000000000001aa36 R15: 00007ffefac60cf0
[ 110.663275][ T5869] </TASK>
[ 110.667034][ T5869] Kernel Offset: disabled
[ 110.671574][ T5869] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/syzkaller/jobs/linux/gopath/pkg/mod/golang.org/tool...@v0.0.1-go1.23.7.linux-amd64'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/syzkaller/jobs/linux/gopath/pkg/mod/golang.org/tool...@v0.0.1-go1.23.7.linux-amd64/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.23.7'
GODEBUG=''
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build3640950295=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at 3d2f584dd
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=3d2f584ddab119da50e8a8d26765aa98d3b33c02 -X github.com/google/syzkaller/prog.gitRevisionDate=20250528-144826" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"3d2f584ddab119da50e8a8d26765aa98d3b33c02\"
/usr/bin/ld: /tmp/ccd8Gt78.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=12b67570580000


Tested on:

commit: 19272b37 Linux 6.16-rc1
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=c4c8362784bb7796

dashboard link: https://syzkaller.appspot.com/bug?extid=ac3c79181f6aecc5120c
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=130d8a0c580000

[Ivan Pravdin]

#syz test

diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index 59f4d7bdffdc..493d704c0dfb 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -661,6 +661,8 @@ static int vhci_release(struct inode *inode, struct file *file)

hdev = data->hdev;

+ debugfs_remove_recursive(hdev->debugfs);
+
if (hdev) {
hci_unregister_dev(hdev);
hci_free_dev(hdev);
diff --git a/net/bluetooth/coredump.c b/net/bluetooth/coredump.c
index 819eacb38762..1232c9a94f95 100644
--- a/net/bluetooth/coredump.c
+++ b/net/bluetooth/coredump.c
@@ -243,6 +243,7 @@ static void hci_devcd_handle_pkt_pattern(struct hci_dev *hdev,

static void hci_devcd_dump(struct hci_dev *hdev)

{
struct sk_buff *skb;
+ char *coredump;
u32 size;

bt_dev_dbg(hdev, "state %d", hdev->dump.state);
@@ -250,7 +251,11 @@ static void hci_devcd_dump(struct hci_dev *hdev)

size = hdev->dump.tail - hdev->dump.head;

/* Emit a devcoredump with the available data */
- dev_coredumpv(&hdev->dev, hdev->dump.head, size, GFP_KERNEL);

+ coredump = vmalloc(size);
+ if (coredump) {
+ memcpy(coredump, hdev->dump.head, size);
+ dev_coredumpv(&hdev->dev, coredump, size, GFP_KERNEL);
+ }

/* Send a copy to monitor as a diagnostic packet */
skb = bt_skb_alloc(size, GFP_ATOMIC);

Ivan Pravdin

[Ivan Pravdin]

#syz test

[Ivan Pravdin]

#syz test

diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c

index 59f4d7bdffdc..82a1088cd662 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -380,6 +380,31 @@ static const struct file_operations force_devcoredump_fops = {
.write = force_devcd_write,
};

+static void vhci_debugfs_init(struct vhci_data *data)
+{
+ struct hci_dev *hdev = data->hdev;
+
+ if (!hdev->debugfs)
+ return;
+
+ debugfs_create_file("force_suspend", 0644, hdev->debugfs, data,
+ &force_suspend_fops);
+
+ debugfs_create_file("force_wakeup", 0644, hdev->debugfs, data,
+ &force_wakeup_fops);
+
+ if (IS_ENABLED(CONFIG_BT_MSFTEXT))
+ debugfs_create_file("msft_opcode", 0644, hdev->debugfs, data,
+ &msft_opcode_fops);
+
+ if (IS_ENABLED(CONFIG_BT_AOSPEXT))
+ debugfs_create_file("aosp_capable", 0644, hdev->debugfs, data,
+ &aosp_capable_fops);
+
+ debugfs_create_file("force_devcoredump", 0644, hdev->debugfs, data,
+ &force_devcoredump_fops);
+}
+
static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
{
struct hci_dev *hdev;
@@ -434,22 +459,9 @@ static int __vhci_create_device(struct vhci_data *data, __u8 opcode)
return -EBUSY;
}

- debugfs_create_file("force_suspend", 0644, hdev->debugfs, data,
- &force_suspend_fops);
-
- debugfs_create_file("force_wakeup", 0644, hdev->debugfs, data,
- &force_wakeup_fops);
-
- if (IS_ENABLED(CONFIG_BT_MSFTEXT))
- debugfs_create_file("msft_opcode", 0644, hdev->debugfs, data,
- &msft_opcode_fops);
-
- if (IS_ENABLED(CONFIG_BT_AOSPEXT))
- debugfs_create_file("aosp_capable", 0644, hdev->debugfs, data,
- &aosp_capable_fops);
-
- debugfs_create_file("force_devcoredump", 0644, hdev->debugfs, data,
- &force_devcoredump_fops);
+#ifdef CONFIG_DEBUG_FS
+ vhci_debugfs_init(data);
+#endif

hci_skb_pkt_type(skb) = HCI_VENDOR_PKT;

@@ -651,6 +663,26 @@ static int vhci_open(struct inode *inode, struct file *file)
return 0;
}

+static void vhci_debugfs_remove(struct vhci_data *data)
+{
+ struct hci_dev *hdev = data->hdev;
+
+ if (!hdev->debugfs)
+ return;
+
+ debugfs_lookup_and_remove("force_suspend", hdev->debugfs);
+
+ debugfs_lookup_and_remove("force_wakeup", hdev->debugfs);
+
+ if (IS_ENABLED(CONFIG_BT_MSFTEXT))
+ debugfs_lookup_and_remove("msft_opcode", hdev->debugfs);
+
+ if (IS_ENABLED(CONFIG_BT_AOSPEXT))
+ debugfs_lookup_and_remove("aosp_capable", hdev->debugfs);
+
+ debugfs_lookup_and_remove("force_devcoredump", hdev->debugfs);
+}
+

static int vhci_release(struct inode *inode, struct file *file)

{
struct vhci_data *data = file->private_data;
@@ -661,6 +693,10 @@ static int vhci_release(struct inode *inode, struct file *file)

hdev = data->hdev;

+#ifdef CONFIG_DEBUG_FS
+ vhci_debugfs_remove(data);
+#endif

+
if (hdev) {
hci_unregister_dev(hdev);
hci_free_dev(hdev);

diff --git a/net/bluetooth/coredump.c b/net/bluetooth/coredump.c
index 819eacb38762..908ad0d242c3 100644

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+ac3c79...@syzkaller.appspotmail.com
Tested-by: syzbot+ac3c79...@syzkaller.appspotmail.com

Tested on:

commit: aef17cb3 Revert "mm/damon/Kconfig: enable CONFIG_DAMON..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=156619d4580000

kernel config: https://syzkaller.appspot.com/x/.config?x=c4c8362784bb7796
dashboard link: https://syzkaller.appspot.com/bug?extid=ac3c79181f6aecc5120c
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=1140a60c580000

Note: testing is done by a robot and is best-effort only.

[Ivan Pravdin]

#syz test

Ivan Pravdin

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+ac3c79...@syzkaller.appspotmail.com
Tested-by: syzbot+ac3c79...@syzkaller.appspotmail.com

Tested on:

commit: e2291551 Merge tag 'probes-fixes-v6.16-rc6' of git://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=103bc58c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=693e2f5eea496864

dashboard link: https://syzkaller.appspot.com/bug?extid=ac3c79181f6aecc5120c
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=1672e382580000