syzbot

==================================================================
BUG: KASAN: slab-out-of-bounds in hci_le_direct_adv_report_evt net/bluetooth/hci_event.c:5875 [inline]
BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt net/bluetooth/hci_event.c:5939 [inline]
BUG: KASAN: slab-out-of-bounds in hci_event_packet+0x763b/0x17e10 net/bluetooth/hci_event.c:6192
Read of size 1 at addr ffff88809f4a0a05 by task kworker/u5:1/6821

CPU: 1 PID: 6821 Comm: kworker/u5:1 Not tainted 5.9.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci0 hci_rx_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1f0/0x31e lib/dump_stack.c:118
 print_address_description+0x66/0x620 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report+0x132/0x1d0 mm/kasan/report.c:530
 hci_le_direct_adv_report_evt net/bluetooth/hci_event.c:5875 [inline]
 hci_le_meta_evt net/bluetooth/hci_event.c:5939 [inline]
 hci_event_packet+0x763b/0x17e10 net/bluetooth/hci_event.c:6192
 hci_rx_work+0x246/0xa20 net/bluetooth/hci_core.c:4889
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
 kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Allocated by task 6817:
 kasan_save_stack mm/kasan/common.c:48 [inline]
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc+0x100/0x130 mm/kasan/common.c:461
 __kmalloc_reserve net/core/skbuff.c:142 [inline]
 __alloc_skb+0xde/0x4f0 net/core/skbuff.c:210
 alloc_skb include/linux/skbuff.h:1085 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:389 [inline]
 vhci_get_user drivers/bluetooth/hci_vhci.c:165 [inline]
 vhci_write+0xb7/0x400 drivers/bluetooth/hci_vhci.c:285
 call_write_iter include/linux/fs.h:1882 [inline]
 new_sync_write fs/read_write.c:503 [inline]
 vfs_write+0xa96/0xd10 fs/read_write.c:578
 ksys_write+0x11b/0x220 fs/read_write.c:631
 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff88809f4a0800
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 5 bytes to the right of
 512-byte region [ffff88809f4a0800, ffff88809f4a0a00)
The buggy address belongs to the page:
page:00000000f35f91a2 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9f4a0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea000287ebc8 ffffea0002a4d048 ffff8880aa440600
raw: 0000000000000000 ffff88809f4a0000 0000000100000004 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809f4a0900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88809f4a0980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88809f4a0a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff88809f4a0a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809f4a0b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================