Bluetooth: Can't register HCI device
Bluetooth: Can't register HCI device
Bluetooth: Can't register HCI device
Bluetooth: Can't register HCI device
==================================================================
BUG: KASAN: use-after-free in kobject_put+0x8d/0xa0 lib/kobject.c:687 at addr ffff880129b515a4
Bluetooth: Can't register HCI device
Bluetooth: Can't register HCI device
Read of size 1 by task syz-executor.4/29383
Bluetooth: Can't register HCI device
CPU: 1 PID: 29383 Comm: syz-executor.4 Not tainted 4.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xe6/0x120 lib/dump_stack.c:51
Bluetooth: Can't register HCI device
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:162
 print_address_description mm/kasan/report.c:200 [inline]
 kasan_report_error mm/kasan/report.c:289 [inline]
 kasan_report.part.2+0x1c9/0x480 mm/kasan/report.c:311
 kasan_report mm/kasan/report.c:329 [inline]
 __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:329
 kobject_put+0x8d/0xa0 lib/kobject.c:687
 put_device+0x12/0x20 drivers/base/core.c:1801
 hci_free_dev+0x10/0x20 net/bluetooth/hci_core.c:3016
 vhci_release+0x73/0xe0 drivers/bluetooth/hci_vhci.c:355
 __fput+0x25c/0x730 fs/file_table.c:208
 ____fput+0x9/0x10 fs/file_table.c:244
 task_work_run+0xd9/0x150 kernel/task_work.c:116
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x15a/0x1a0 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x251/0x2d0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
RIP: 0033:0x415fe1
RSP: 002b:00007ffd886d0c30 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000415fe1
RDX: 0000001b2ca20000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000001 R08: 00ffffffffffffff R09: 00ffffffffffffff
R10: 00007ffd886d0d10 R11: 0000000000000293 R12: 000000000076bf20
R13: 0000000000770418 R14: 0000000000049032 R15: 000000000076bf2c
Object at ffff880129b504c0, in cache kmalloc-8192 size: 8192
Allocated:
PID = 29386
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x46/0xd0 mm/kasan/kasan.c:502
 set_track mm/kasan/kasan.c:514 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:605
 kmem_cache_alloc_trace+0x142/0x800 mm/slab.c:3626
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 hci_alloc_dev+0x41/0x1b50 net/bluetooth/hci_core.c:2929
 __vhci_create_device+0xf5/0x500 drivers/bluetooth/hci_vhci.c:114
 vhci_create_device drivers/bluetooth/hci_vhci.c:163 [inline]
 vhci_get_user drivers/bluetooth/hci_vhci.c:219 [inline]
 vhci_write+0x27d/0x3c0 drivers/bluetooth/hci_vhci.c:299
 new_sync_write fs/read_write.c:499 [inline]
 __vfs_write+0x303/0x740 fs/read_write.c:512
 vfs_write+0x156/0x4e0 fs/read_write.c:560
 SYSC_write fs/read_write.c:607 [inline]
 SyS_write+0xcb/0x1a0 fs/read_write.c:599
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 29383
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x46/0xd0 mm/kasan/kasan.c:502
 set_track mm/kasan/kasan.c:514 [inline]
 kasan_slab_free+0x70/0xb0 mm/kasan/kasan.c:578
 __cache_free mm/slab.c:3502 [inline]
 kfree+0xcf/0x2c0 mm/slab.c:3819
 bt_host_release+0x10/0x20 net/bluetooth/hci_sysfs.c:85
 device_release+0x71/0x1e0 drivers/base/core.c:813
 kobject_cleanup lib/kobject.c:645 [inline]
 kobject_release+0xc1/0x160 lib/kobject.c:674
 kref_sub include/linux/kref.h:73 [inline]
 kref_put include/linux/kref.h:98 [inline]
 kobject_put+0x4d/0xa0 lib/kobject.c:691
 put_device+0x12/0x20 drivers/base/core.c:1801
 hci_dev_put include/net/bluetooth/hci_core.h:992 [inline]
 hci_unregister_dev+0x5c7/0x790 net/bluetooth/hci_core.c:3187
 vhci_release+0x6b/0xe0 drivers/bluetooth/hci_vhci.c:354
 __fput+0x25c/0x730 fs/file_table.c:208
 ____fput+0x9/0x10 fs/file_table.c:244
 task_work_run+0xd9/0x150 kernel/task_work.c:116
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x15a/0x1a0 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x251/0x2d0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff880129b51480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880129b51500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff880129b51580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff880129b51600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880129b51680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================