Hello,
syzbot found the following issue on:
HEAD commit: 5cbb61bf4168 arm64/fpsimd: ptrace: zero target's fpsimd_st..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=170befce580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a834c6344141a58b
dashboard link: https://syzkaller.appspot.com/bug?extid=af1b0cc4d3a1e4a2489f
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
userspace arch: arm64
CC: [da...@kernel.org drive...@lists.linux.dev gre...@linuxfoundation.org linux-...@vger.kernel.org raf...@kernel.org]
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/04156ec16593/disk-5cbb61bf.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6bfa041e2c79/vmlinux-5cbb61bf.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a92d82d8a79e/Image-5cbb61bf.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+af1b0c...@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-use-after-free in kobject_get+0x124/0x144 lib/kobject.c:639
Read of size 1 at addr ffff0000dddc0d1c by task syz.8.532/7004
CPU: 1 UID: 0 PID: 7004 Comm: syz.8.532 Tainted: G L syzkaller #0 PREEMPT
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
__dump_stack+0x30/0x40 lib/dump_stack.c:94
dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
print_address_description+0xb0/0x238 mm/kasan/report.c:378
print_report+0x68/0x84 mm/kasan/report.c:482
kasan_report+0x8c/0xc4 mm/kasan/report.c:595
__asan_report_load1_noabort+0x20/0x2c mm/kasan/report_generic.c:378
kobject_get+0x124/0x144 lib/kobject.c:639
get_device drivers/base/core.c:3802 [inline]
device_add+0x1f8/0x9e4 drivers/base/core.c:3614
netdev_register_kobject+0x15c/0x2e0 net/core/net-sysfs.c:2343
register_netdevice+0xe34/0x1588 net/core/dev.c:11420
register_netdev+0x4c/0x68 net/core/dev.c:11536
bnep_add_connection+0x4b0/0x918 net/bluetooth/bnep/core.c:624
do_bnep_sock_ioctl+0x3c4/0x64c net/bluetooth/bnep/sock.c:83
bnep_sock_ioctl+0x28/0x38 net/bluetooth/bnep/sock.c:139
sock_do_ioctl+0x100/0x254 net/socket.c:1313
sock_ioctl+0x558/0x7e8 net/socket.c:1434
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__arm64_sys_ioctl+0x14c/0x1c4 fs/ioctl.c:583
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:121
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:140
el0_svc+0x60/0x25c arch/arm64/kernel/entry-common.c:723
el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:742
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594
Allocated by task 4669:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:78
kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:570
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x284/0x56c mm/slub.c:5415
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
__hci_conn_add+0x2e4/0x17e0 net/bluetooth/hci_conn.c:963
hci_conn_add_unset+0x80/0x124 net/bluetooth/hci_conn.c:1090
hci_conn_request_evt+0x350/0x910 net/bluetooth/hci_event.c:3333
hci_event_func net/bluetooth/hci_event.c:7773 [inline]
hci_event_packet+0x5c4/0xa00 net/bluetooth/hci_event.c:7824
hci_rx_work+0x2fc/0xd1c net/bluetooth/hci_core.c:4077
process_one_work+0x78c/0x173c kernel/workqueue.c:3302
process_scheduled_works+0xdc/0x13c kernel/workqueue.c:3385
worker_thread+0x770/0xbd0 kernel/workqueue.c:3466
kthread+0x2f0/0x3c0 kernel/kthread.c:436
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:842
Freed by task 7008:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x40/0x78 mm/kasan/common.c:78
kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x74/0xa4 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2689 [inline]
slab_free mm/slub.c:6246 [inline]
kfree+0x188/0x5e4 mm/slub.c:6561
bt_link_release+0x20/0x30 net/bluetooth/hci_sysfs.c:16
device_release+0xa8/0x1c8 drivers/base/core.c:-1
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1dc/0x4bc lib/kobject.c:737
put_device drivers/base/core.c:3814 [inline]
device_unregister+0x3c/0xf0 drivers/base/core.c:3937
hci_conn_del_sysfs+0xf0/0x194 net/bluetooth/hci_sysfs.c:79
hci_conn_cleanup net/bluetooth/hci_conn.c:173 [inline]
hci_conn_del+0x9bc/0xf04 net/bluetooth/hci_conn.c:1240
hci_conn_hash_flush+0x17c/0x238 net/bluetooth/hci_conn.c:2651
hci_dev_close_sync+0x5bc/0xd88 net/bluetooth/hci_sync.c:5368
hci_dev_do_close+0x34/0xb8 net/bluetooth/hci_core.c:502
hci_dev_close+0xd0/0x1c8 net/bluetooth/hci_core.c:527
hci_sock_ioctl+0x4f8/0x768 net/bluetooth/hci_sock.c:1135
sock_do_ioctl+0x100/0x254 net/socket.c:1313
sock_ioctl+0x558/0x7e8 net/socket.c:1434
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__arm64_sys_ioctl+0x14c/0x1c4 fs/ioctl.c:583
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:121
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:140
el0_svc+0x60/0x25c arch/arm64/kernel/entry-common.c:723
el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:742
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594
Last potentially related work creation:
kasan_save_stack+0x40/0x6c mm/kasan/common.c:57
kasan_record_aux_stack+0xb0/0xc8 mm/kasan/generic.c:556
insert_work+0x54/0x1a0 kernel/workqueue.c:2226
__queue_work+0xd54/0x12f8 kernel/workqueue.c:2381
__queue_delayed_work+0xf4/0x2b4 kernel/workqueue.c:2548
queue_delayed_work_on+0xcc/0x140 kernel/workqueue.c:2600
queue_delayed_work include/linux/workqueue.h:711 [inline]
hci_conn_drop+0x174/0x29c include/net/bluetooth/hci_core.h:1712
l2cap_chan_del+0x220/0x48c net/bluetooth/l2cap_core.c:672
l2cap_conn_del+0x2c0/0x440 net/bluetooth/l2cap_core.c:1802
l2cap_disconn_cfm+0x90/0x100 net/bluetooth/l2cap_core.c:7448
hci_disconn_cfm include/net/bluetooth/hci_core.h:2154 [inline]
hci_conn_hash_flush+0x108/0x238 net/bluetooth/hci_conn.c:2650
hci_dev_close_sync+0x5bc/0xd88 net/bluetooth/hci_sync.c:5368
hci_dev_do_close+0x34/0xb8 net/bluetooth/hci_core.c:502
hci_dev_close+0xd0/0x1c8 net/bluetooth/hci_core.c:527
hci_sock_ioctl+0x4f8/0x768 net/bluetooth/hci_sock.c:1135
sock_do_ioctl+0x100/0x254 net/socket.c:1313
sock_ioctl+0x558/0x7e8 net/socket.c:1434
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__arm64_sys_ioctl+0x14c/0x1c4 fs/ioctl.c:583
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:121
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:140
el0_svc+0x60/0x25c arch/arm64/kernel/entry-common.c:723
el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:742
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594
The buggy address belongs to the object at ffff0000dddc0000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 3356 bytes inside of
freed 8192-byte region [ffff0000dddc0000, ffff0000dddc2000)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11ddc0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000040 ffff0000c0002280 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000
head: 05ffc00000000040 ffff0000c0002280 dead000000000100 dead000000000122
head: 0000000000000000 0000000800020002 00000000f5000000 0000000000000000
head: 05ffc00000000003 fffffdffc3777001 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000dddc0c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000dddc0c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000dddc0d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000dddc0d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000dddc0e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: lib/refcount.c:25 at refcount_warn_saturate+0x134/0x1f8 lib/refcount.c:25, CPU#1: syz.8.532/7004
Modules linked in:
CPU: 1 UID: 0 PID: 7004 Comm: syz.8.532 Tainted: G B L syzkaller #0 PREEMPT
Tainted: [B]=BAD_PAGE, [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
pstate: 63400005 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x134/0x1f8 lib/refcount.c:25
lr : refcount_warn_saturate+0x134/0x1f8 lib/refcount.c:25
sp : ffff8000942b75e0
x29: ffff8000942b75e0 x28: 0000000000000000 x27: dfff800000000000
x26: 1fffe000194d84eb x25: dfff800000000000 x24: 1fffe000194d84e2
x23: 1fffe000194d84ec x22: 0000000000000000 x21: 0000000000000000
x20: ffff0000dddc0d18 x19: ffff800089f06000 x18: 1fffe00035c25820
x17: ffff8000888db000 x16: ffff80008898cfc0 x15: ffff0001ae12c10c
x14: ffff0001ae12c108 x13: 0000000000000001 x12: 0000000000000000
x11: 0000000000001020 x10: 0000000000080000 x9 : 5f7e7d1afdf03300
x8 : 5f7e7d1afdf03300 x7 : 0000000000000000 x6 : ffff8000804886d0
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000802f13b0
x2 : 0000000100000000 x1 : ffff0000d8453a00 x0 : 0000000000000001
Call trace:
refcount_warn_saturate+0x134/0x1f8 lib/refcount.c:25 (P)
__refcount_add include/linux/refcount.h:-1 [inline]
__refcount_inc include/linux/refcount.h:366 [inline]
refcount_inc include/linux/refcount.h:383 [inline]
kref_get include/linux/kref.h:45 [inline]
kobject_get+0x10c/0x144 lib/kobject.c:643
get_device drivers/base/core.c:3802 [inline]
device_add+0x1f8/0x9e4 drivers/base/core.c:3614
netdev_register_kobject+0x15c/0x2e0 net/core/net-sysfs.c:2343
register_netdevice+0xe34/0x1588 net/core/dev.c:11420
register_netdev+0x4c/0x68 net/core/dev.c:11536
bnep_add_connection+0x4b0/0x918 net/bluetooth/bnep/core.c:624
do_bnep_sock_ioctl+0x3c4/0x64c net/bluetooth/bnep/sock.c:83
bnep_sock_ioctl+0x28/0x38 net/bluetooth/bnep/sock.c:139
sock_do_ioctl+0x100/0x254 net/socket.c:1313
sock_ioctl+0x558/0x7e8 net/socket.c:1434
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__arm64_sys_ioctl+0x14c/0x1c4 fs/ioctl.c:583
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:121
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:140
el0_svc+0x60/0x25c arch/arm64/kernel/entry-common.c:723
el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:742
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594
irq event stamp: 689
hardirqs last enabled at (689): [<ffff8000803bd554>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1644 [inline]
hardirqs last enabled at (689): [<ffff8000803bd554>] finish_lock_switch+0x160/0x204 kernel/sched/core.c:5124
hardirqs last disabled at (688): [<ffff80008672f800>] __schedule+0x308/0x2d24 kernel/sched/core.c:7042
softirqs last enabled at (572): [<ffff800080139e6c>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
softirqs last disabled at (570): [<ffff800080139e38>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
refcount_t: saturated; leaking memory.
WARNING: lib/refcount.c:22 at refcount_warn_saturate+0x1b4/0x1f8 lib/refcount.c:22, CPU#1: syz.8.532/7004
Modules linked in:
CPU: 1 UID: 0 PID: 7004 Comm: syz.8.532 Tainted: G B W L syzkaller #0 PREEMPT
Tainted: [B]=BAD_PAGE, [W]=WARN, [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
pstate: 63400005 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x1b4/0x1f8 lib/refcount.c:22
lr : refcount_warn_saturate+0x1b4/0x1f8 lib/refcount.c:22
sp : ffff8000942b7390
x29: ffff8000942b7390 x28: 1fffe0001a2d9473 x27: dfff800000000000
x26: 1fffe0001a2d9470 x25: ffff0000d16ca398 x24: dfff800000000000
x23: ffff8000942b7520 x22: 000000007ffffffe x21: 00000000c0000000
x20: ffff0000dddc0d18 x19: ffff800089f06000 x18: 1fffe00035c25820
x17: ffff8000888db000 x16: ffff80008898cfc0 x15: ffff800080c9c548
x14: ffff800084a9b814 x13: 0000000000000001 x12: 0000000000000000
x11: 000000000000106e x10: 0000000000080000 x9 : 5f7e7d1afdf03300
x8 : 5f7e7d1afdf03300 x7 : 0000000000000000 x6 : ffff8000804886d0
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000802f13b0
x2 : 0000000100000000 x1 : ffff0000d8453a00 x0 : 0000000000000001
Call trace:
refcount_warn_saturate+0x1b4/0x1f8 lib/refcount.c:22 (P)
__refcount_add include/linux/refcount.h:-1 [inline]
__refcount_inc include/linux/refcount.h:366 [inline]
refcount_inc include/linux/refcount.h:383 [inline]
kref_get include/linux/kref.h:45 [inline]
kobject_get+0x10c/0x144 lib/kobject.c:643
kobject_add_internal+0x98/0x6e8 lib/kobject.c:225
kobject_add_varg+0x98/0xe4 lib/kobject.c:374
kobject_add+0x110/0x1cc lib/kobject.c:426
class_dir_create_and_add drivers/base/core.c:3234 [inline]
get_device_parent+0x2c4/0x34c drivers/base/core.c:3285
device_add+0x294/0x9e4 drivers/base/core.c:3615
netdev_register_kobject+0x15c/0x2e0 net/core/net-sysfs.c:2343
register_netdevice+0xe34/0x1588 net/core/dev.c:11420
register_netdev+0x4c/0x68 net/core/dev.c:11536
bnep_add_connection+0x4b0/0x918 net/bluetooth/bnep/core.c:624
do_bnep_sock_ioctl+0x3c4/0x64c net/bluetooth/bnep/sock.c:83
bnep_sock_ioctl+0x28/0x38 net/bluetooth/bnep/sock.c:139
sock_do_ioctl+0x100/0x254 net/socket.c:1313
sock_ioctl+0x558/0x7e8 net/socket.c:1434
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__arm64_sys_ioctl+0x14c/0x1c4 fs/ioctl.c:583
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:121
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:140
el0_svc+0x60/0x25c arch/arm64/kernel/entry-common.c:723
el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:742
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594
irq event stamp: 689
hardirqs last enabled at (689): [<ffff8000803bd554>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1644 [inline]
hardirqs last enabled at (689): [<ffff8000803bd554>] finish_lock_switch+0x160/0x204 kernel/sched/core.c:5124
hardirqs last disabled at (688): [<ffff80008672f800>] __schedule+0x308/0x2d24 kernel/sched/core.c:7042
softirqs last enabled at (572): [<ffff800080139e6c>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
softirqs last disabled at (570): [<ffff800080139e38>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x154/0x1f8 lib/refcount.c:28, CPU#1: syz.8.532/7004
Modules linked in:
CPU: 1 UID: 0 PID: 7004 Comm: syz.8.532 Tainted: G B W L syzkaller #0 PREEMPT
Tainted: [B]=BAD_PAGE, [W]=WARN, [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
pstate: 63400005 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x154/0x1f8 lib/refcount.c:28
lr : refcount_warn_saturate+0x154/0x1f8 lib/refcount.c:28
sp : ffff8000942b7350
x29: ffff8000942b7350 x28: 1fffe0001a2d9473 x27: 1fffe0001bbb81a3
x26: 1fffe0001bbb819c x25: dfff800000000000 x24: ffff800086ddab60
x23: ffff0000dddc0d1c x22: 00000000fffffffe x21: 00000000c0000000
x20: ffff0000dddc0d18 x19: ffff800089f06000 x18: 1fffe00035c25820
x17: ffff8000888db000 x16: ffff80008898cfc0 x15: ffff800080c9c548
x14: ffff800084a9b814 x13: 0000000000000001 x12: 0000000000000000
x11: 00000000000010c0 x10: 0000000000080000 x9 : 5f7e7d1afdf03300
x8 : 5f7e7d1afdf03300 x7 : 0000000000000000 x6 : ffff8000804886d0
x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000802f13b0
x2 : 0000000100000000 x1 : ffff0000d8453a00 x0 : 0000000000000001
Call trace:
refcount_warn_saturate+0x154/0x1f8 lib/refcount.c:28 (P)
__refcount_sub_and_test include/linux/refcount.h:400 [inline]
__refcount_dec_and_test include/linux/refcount.h:432 [inline]
refcount_dec_and_test include/linux/refcount.h:450 [inline]
kref_put include/linux/kref.h:64 [inline]
kobject_put+0x25c/0x4bc lib/kobject.c:737
kobject_add_internal+0x498/0x6e8 lib/kobject.c:243
kobject_add_varg+0x98/0xe4 lib/kobject.c:374
kobject_add+0x110/0x1cc lib/kobject.c:426
class_dir_create_and_add drivers/base/core.c:3234 [inline]
get_device_parent+0x2c4/0x34c drivers/base/core.c:3285
device_add+0x294/0x9e4 drivers/base/core.c:3615
netdev_register_kobject+0x15c/0x2e0 net/core/net-sysfs.c:2343
register_netdevice+0xe34/0x1588 net/core/dev.c:11420
register_netdev+0x4c/0x68 net/core/dev.c:11536
bnep_add_connection+0x4b0/0x918 net/bluetooth/bnep/core.c:624
do_bnep_sock_ioctl+0x3c4/0x64c net/bluetooth/bnep/sock.c:83
bnep_sock_ioctl+0x28/0x38 net/bluetooth/bnep/sock.c:139
sock_do_ioctl+0x100/0x254 net/socket.c:1313
sock_ioctl+0x558/0x7e8 net/socket.c:1434
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl fs/ioctl.c:583 [inline]
__arm64_sys_ioctl+0x14c/0x1c4 fs/ioctl.c:583
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:121
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:140
el0_svc+0x60/0x25c arch/arm64/kernel/entry-common.c:723
el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:742
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594
irq event stamp: 689
hardirqs last enabled at (689): [<ffff8000803bd554>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1644 [inline]
hardirqs last enabled at (689): [<ffff8000803bd554>] finish_lock_switch+0x160/0x204 kernel/sched/core.c:5124
hardirqs last disabled at (688): [<ffff80008672f800>] __schedule+0x308/0x2d24 kernel/sched/core.c:7042
softirqs last enabled at (572): [<ffff800080139e6c>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
softirqs last disabled at (570): [<ffff800080139e38>] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
---[ end trace 0000000000000000 ]---
kobject: kobject_add_internal failed for net (error: -2 parent: �g��)
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup