Warning: Permanently added '10.128.0.243' (ED25519) to the list of known hosts.
executing program
[ 43.572395][ T3973] Bluetooth: hci0: Unknown advertising packet type: 0x35
[ 43.572476][ T3973] ==================================================================
[ 43.575695][ T3973] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0xe88/0x2f38
[ 43.577395][ T3973] Read of size 1 at addr ffff0000c2c9cc06 by task kworker/u5:1/3973
[ 43.579074][ T3973]
[ 43.579566][ T3973] CPU: 0 PID: 3973 Comm: kworker/u5:1 Not tainted 5.15.120-syzkaller #0
[ 43.581358][ T3973] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/03/2023
[ 43.583537][ T3973] Workqueue: hci0 hci_rx_work
[ 43.584559][ T3973] Call trace:
[ 43.585250][ T3973]  dump_backtrace+0x0/0x530
[ 43.586194][ T3973]  show_stack+0x2c/0x3c
[ 43.587145][ T3973]  dump_stack_lvl+0x108/0x170
[ 43.588184][ T3973]  print_address_description+0x7c/0x3f0
[ 43.589347][ T3973]  kasan_report+0x174/0x1e4
[ 43.590279][ T3973]  __asan_report_load1_noabort+0x44/0x50
[ 43.591425][ T3973]  hci_le_meta_evt+0xe88/0x2f38
[ 43.592495][ T3973]  hci_event_packet+0xe04/0x1258
[ 43.593509][ T3973]  hci_rx_work+0x1d0/0x6d0
[ 43.594422][ T3973]  process_one_work+0x790/0x11b8
[ 43.595547][ T3973]  worker_thread+0x910/0x1034
[ 43.596549][ T3973]  kthread+0x37c/0x45c
[ 43.597355][ T3973]  ret_from_fork+0x10/0x20
[ 43.598293][ T3973]
[ 43.598769][ T3973] Allocated by task 3971:
[ 43.599660][ T3973]  ____kasan_kmalloc+0xbc/0xfc
[ 43.600728][ T3973]  __kasan_kmalloc+0x10/0x1c
[ 43.601709][ T3973]  __kmalloc_node_track_caller+0x234/0x448
[ 43.602955][ T3973]  kmalloc_reserve+0xe8/0x270
[ 43.603988][ T3973]  __alloc_skb+0x1a4/0x584
[ 43.604933][ T3973]  vhci_write+0xb8/0x3b8
[ 43.605801][ T3973]  vfs_write+0x87c/0xb3c
[ 43.606683][ T3973]  ksys_write+0x15c/0x26c
[ 43.607594][ T3973]  __arm64_sys_write+0x7c/0x90
[ 43.608566][ T3973]  invoke_syscall+0x98/0x2b8
[ 43.609519][ T3973]  el0_svc_common+0x138/0x258
[ 43.610522][ T3973]  do_el0_svc+0x58/0x14c
[ 43.611489][ T3973]  el0_svc+0x7c/0x1f0
[ 43.612331][ T3973]  el0t_64_sync_handler+0x84/0xe4
[ 43.613494][ T3973]  el0t_64_sync+0x1a0/0x1a4
[ 43.614328][ T3973]
[ 43.614842][ T3973] The buggy address belongs to the object at ffff0000c2c9c800
[ 43.614842][ T3973]  which belongs to the cache kmalloc-1k of size 1024
[ 43.617786][ T3973] The buggy address is located 6 bytes to the right of
[ 43.617786][ T3973]  1024-byte region [ffff0000c2c9c800, ffff0000c2c9cc00)
[ 43.620824][ T3973] The buggy address belongs to the page:
[ 43.622091][ T3973] page:00000000bf9111ab refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102c98
[ 43.624167][ T3973] head:00000000bf9111ab order:3 compound_mapcount:0 compound_pincount:0
[ 43.625953][ T3973] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 43.627650][ T3973] raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002780
[ 43.629476][ T3973] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 43.631342][ T3973] page dumped because: kasan: bad access detected
[ 43.632725][ T3973]
[ 43.633150][ T3973] Memory state around the buggy address:
[ 43.634340][ T3973]  ffff0000c2c9cb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 43.636084][ T3973]  ffff0000c2c9cb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 43.637833][ T3973] >ffff0000c2c9cc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.639579][ T3973]                                      ^
[ 43.640448][ T3973]  ffff0000c2c9cc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.642193][ T3973]  ffff0000c2c9cd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.643881][ T3973] ==================================================================
[ 43.645751][ T3973] Disabling lock debugging due to kernel taint
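Reading the report: the faulting access is a 1-byte load in hci_le_meta_evt, running on the hci0 rx workqueue, that lands 6 bytes past the end of a 1024-byte kmalloc-1k object (the fc shadow bytes are slab redzone). The allocation stack shows that object is an skb built by vhci_write, so the HCI event being parsed was written into /dev/vhci from user space and its contents were fully under the writer's control. A report of this shape points at a handler that walks a variable-length LE subevent using lengths taken from the packet itself without checking them against skb->len. The following C model is an added illustration of that bug class and its fix, not code from the report or from the kernel; the cursor type, function names and the two packet buffers are constructed for the example, and the layout constants are the LE Advertising Report fields from the Bluetooth Core specification. The crafted packet is built so the unchecked walk lands 6 bytes past the end, mirroring the distance in the report, but nothing here claims to reproduce the exact kernel code path.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HCI_EV_LE_META               0x3e  /* LE Meta event code */
#define HCI_EV_LE_ADVERTISING_REPORT 0x02  /* LE Advertising Report subevent */

/* Bounded stand-in for the skb the handler receives (assumed type, not the
 * kernel's).  `len` plays the role of skb->len; `strict` selects the
 * hardened walker; `oob_at` records the first offset an unchecked read
 * touched past the end, i.e. the byte KASAN would flag. */
struct cursor {
    const uint8_t *data;
    size_t len;
    size_t off;
    bool strict;
    size_t oob_at;   /* SIZE_MAX while no out-of-bounds read has happened */
};

/* Read one byte.  Strict mode refuses to read past len.  Unchecked mode
 * records where the read lands and substitutes zero, because this model
 * cannot actually read beyond the buffer. */
static bool get_u8(struct cursor *c, uint8_t *out)
{
    if (c->off < c->len) {
        *out = c->data[c->off++];
        return true;
    }
    if (c->strict)
        return false;
    if (c->oob_at == SIZE_MAX)
        c->oob_at = c->off;
    *out = 0;
    c->off++;
    return true;
}

/* Advance over n bytes (bdaddr, AD payload).  Strict mode checks first. */
static bool skip(struct cursor *c, size_t n)
{
    if (c->strict && (c->off > c->len || n > c->len - c->off))
        return false;
    c->off += n;
    return true;
}

/* Walk every report in an LE Advertising Report subevent.  Per report:
 * event type(1) addr type(1) bdaddr(6) length(1) data(length) rssi(1).
 * Returns the number of reports parsed, or -1 when the packet is rejected. */
static int walk_le_adv_reports(struct cursor *c)
{
    uint8_t evt, plen, sub, num, type, addr_type, dlen, rssi;
    int parsed = 0;

    if (!get_u8(c, &evt) || !get_u8(c, &plen) || !get_u8(c, &sub))
        return -1;
    if (evt != HCI_EV_LE_META || sub != HCI_EV_LE_ADVERTISING_REPORT)
        return -1;
    /* Hardened path: the header's own length must fit the bytes present. */
    if (c->strict && plen > c->len - 2)
        return -1;
    if (!get_u8(c, &num))
        return -1;

    for (uint8_t i = 0; i < num; i++) {
        if (!get_u8(c, &type) || !get_u8(c, &addr_type) || !skip(c, 6))
            return -1;
        /* The per-report length is attacker data; strict mode bounds it
         * against what remains before using it to move the cursor. */
        if (!get_u8(c, &dlen) || !skip(c, dlen) || !get_u8(c, &rssi))
            return -1;
        parsed++;
    }
    return parsed;
}

/* Run a walk over buf; returns the parse result, reports OOB via *oob_at. */
static int walk(const uint8_t *buf, size_t len, bool strict, size_t *oob_at)
{
    struct cursor c = { buf, len, 0, strict, SIZE_MAX };
    int ret = walk_le_adv_reports(&c);
    if (oob_at)
        *oob_at = c.oob_at;
    return ret;
}

static size_t first_oob(const uint8_t *buf, size_t len, bool strict)
{
    size_t o;
    walk(buf, len, strict, &o);
    return o;
}

/* Constructed packets (not captured traffic).  27 bytes each; the header
 * parameter length (25) is consistent with the bytes actually present. */
static const uint8_t crafted[] = {
    HCI_EV_LE_META, 25, HCI_EV_LE_ADVERTISING_REPORT,
    0x01,                                /* num_reports */
    0x00, 0x00,                          /* ADV_IND, public address */
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66,  /* bdaddr */
    20,                                  /* claims 20 bytes of AD data ... */
    0x02, 0x01, 0x06, 0x0a, 0x09, 'e', 'x', 'a', 'm', 'p', 'l', 'e', '!', '!',
};                                       /* ... but only 14 follow */
static const uint8_t wellformed[] = {
    HCI_EV_LE_META, 25, HCI_EV_LE_ADVERTISING_REPORT,
    0x01, 0x00, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66,
    13,                                  /* 13 bytes of AD data, then rssi */
    0x02, 0x01, 0x06, 0x09, 0x09, 'e', 'x', 'a', 'm', 'p', 'l', 'e', '!', 0xc8,
};

int main(void)
{
    size_t oob;
    int n = walk(crafted, sizeof crafted, false, &oob);
    printf("unchecked: parsed=%d, first OOB read at offset %zu (%zu past end)\n",
           n, oob, oob - sizeof crafted);
    n = walk(crafted, sizeof crafted, true, &oob);
    printf("strict:    ret=%d, packet rejected before any OOB read\n", n);
    n = walk(wellformed, sizeof wellformed, true, &oob);
    printf("strict on well-formed packet: parsed=%d\n", n);
    return 0;
}
```

The unchecked walk consumes the declared 20-byte data field with only 14 bytes left and then reads the rssi byte at offset 33, six past the 27-byte buffer; the strict walk fails the skip() bounds check and returns before touching anything, while still accepting the well-formed packet. The general rule this encodes is the one to look for in the real handler: every length that comes from the packet must be compared with the remaining skb length before it is used to advance a pointer or index.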