==================================================================
BUG: KASAN: stack-out-of-bounds in skb_put_data include/linux/skbuff.h:2800 [inline]
BUG: KASAN: stack-out-of-bounds in l2cap_build_cmd net/bluetooth/l2cap_core.c:3003 [inline]
BUG: KASAN: stack-out-of-bounds in l2cap_send_cmd+0x9a5/0xc80 net/bluetooth/l2cap_core.c:954
Read of size 24 at addr ffffc90003adfa60 by task kworker/u33:3/5942

CPU: 2 UID: 0 PID: 5942 Comm: kworker/u33:3 Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: hci2 hci_rx_work
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0x156/0x4c9 mm/kasan/report.c:482
 kasan_report+0xdf/0x1e0 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:186 [inline]
 kasan_check_range+0x10f/0x1e0 mm/kasan/generic.c:200
 __asan_memcpy+0x23/0x60 mm/kasan/shadow.c:105
 skb_put_data include/linux/skbuff.h:2800 [inline]
 l2cap_build_cmd net/bluetooth/l2cap_core.c:3003 [inline]
 l2cap_send_cmd+0x9a5/0xc80 net/bluetooth/l2cap_core.c:954
 l2cap_ecred_conn_req net/bluetooth/l2cap_core.c:5208 [inline]
 l2cap_le_sig_cmd net/bluetooth/l2cap_core.c:5510 [inline]
 l2cap_le_sig_channel net/bluetooth/l2cap_core.c:5568 [inline]
 l2cap_recv_frame+0x76b7/0xa2e0 net/bluetooth/l2cap_core.c:6913
 l2cap_recv_acldata+0xe60/0x10a0 net/bluetooth/l2cap_core.c:7637
 hci_acldata_packet net/bluetooth/hci_core.c:3855 [inline]
 hci_rx_work+0x537/0xfc0 net/bluetooth/hci_core.c:4082
 process_one_work+0xa23/0x19a0 kernel/workqueue.c:3276
 process_scheduled_works kernel/workqueue.c:3359 [inline]
 worker_thread+0x5ef/0xe50 kernel/workqueue.c:3440
 kthread+0x370/0x450 kernel/kthread.c:436
 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to stack of task kworker/u33:3/5942
 and is located at offset 160 in frame:
 l2cap_recv_frame+0x0/0xa2e0 net/bluetooth/l2cap_core.c:1658

This frame has 10 objects:
 [48, 50) 'rsp'
 [64, 68) 'rsp'
 [80, 86) 'rej'
 [112, 122) 'rsp'
 [144, 148) 'rsp'
 [160, 178) 'pdu_u'
 [224, 264) 'chan'
 [304, 308) 'rx_func_to_event'
 [320, 328) 'buf'
 [352, 364) 'buf'

The buggy address belongs to a vmalloc virtual mapping

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2fcd7
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 ffffea0000bf35c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x29c2(GFP_NOWAIT|__GFP_HIGHMEM|__GFP_IO|__GFP_FS|__GFP_ZERO), pid 2, tgid 2 (kthreadd), ts 62416209483, free_ts 62256855668
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x153/0x170 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x111d/0x3140 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x27c/0x2ba0 mm/page_alloc.c:5250
 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2484
 alloc_frozen_pages_noprof mm/mempolicy.c:2555 [inline]
 alloc_pages_noprof+0x131/0x390 mm/mempolicy.c:2575
 vm_area_alloc_pages mm/vmalloc.c:3662 [inline]
 __vmalloc_area_node mm/vmalloc.c:3876 [inline]
 __vmalloc_node_range_noprof+0xe5c/0x1530 mm/vmalloc.c:4064
 __vmalloc_node_noprof+0xad/0xf0 mm/vmalloc.c:4124
 alloc_thread_stack_node kernel/fork.c:355 [inline]
 dup_task_struct kernel/fork.c:924 [inline]
 copy_process+0x5ec/0x7a10 kernel/fork.c:2050
 kernel_clone+0xfc/0x9a0 kernel/fork.c:2654
 kernel_thread+0xdb/0x120 kernel/fork.c:2715
 create_kthread kernel/kthread.c:459 [inline]
 kthreadd+0x498/0x7a0 kernel/kthread.c:817
 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
page last free pid 5916 tgid 5916 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0x7e1/0x10d0 mm/page_alloc.c:2978
 __folio_put+0x3b4/0x540 mm/swap.c:112
 folio_put include/linux/mm.h:1817 [inline]
 put_page include/linux/mm.h:1886 [inline]
 put_netmem include/net/netmem.h:420 [inline]
 skb_page_unref include/linux/skbuff_ref.h:43 [inline]
 __skb_frag_unref include/linux/skbuff_ref.h:56 [inline]
 skb_release_data+0x667/0x9d0 net/core/skbuff.c:1122
 skb_release_all net/core/skbuff.c:1203 [inline]
 napi_consume_skb+0x1f6/0x320 net/core/skbuff.c:1550
 skb_defer_free_flush+0x1f1/0x290 net/core/dev.c:6820
 net_rx_action+0x3ca/0xf20 net/core/dev.c:7893
 handle_softirqs+0x1eb/0x9e0 kernel/softirq.c:622
 do_softirq kernel/softirq.c:523 [inline]
 do_softirq+0xac/0xe0 kernel/softirq.c:510
 __local_bh_enable_ip+0xf8/0x120 kernel/softirq.c:450
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
 __dev_queue_xmit+0x8b5/0x4800 net/core/dev.c:4873
 dev_queue_xmit include/linux/netdevice.h:3384 [inline]
 neigh_hh_output include/net/neighbour.h:540 [inline]
 neigh_output include/net/neighbour.h:554 [inline]
 ip_finish_output2+0xf4a/0x24d0 net/ipv4/ip_output.c:237
 __ip_finish_output.part.0+0x444/0x6f0 net/ipv4/ip_output.c:315
 __ip_finish_output net/ipv4/ip_output.c:303 [inline]
 ip_finish_output net/ipv4/ip_output.c:325 [inline]
 NF_HOOK_COND include/linux/netfilter.h:307 [inline]
 ip_output+0x39b/0xc10 net/ipv4/ip_output.c:438
 dst_output include/net/dst.h:470 [inline]
 ip_local_out+0x193/0x1f0 net/ipv4/ip_output.c:131
 __ip_queue_xmit+0x885/0x1e90 net/ipv4/ip_output.c:534
 __tcp_transmit_skb+0x3347/0x4b50 net/ipv4/tcp_output.c:1693

Memory state around the buggy address:
 ffffc90003adf900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90003adf980: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 02 f2
>ffffc90003adfa00: 04 f2 06 f2 f2 f2 00 02 f2 f2 04 f2 00 00 02 f2
                                                       ^
 ffffc90003adfa80: f2 f2 f2 f2 00 00 00 00 00 f2 f2 f2 f2 f2 04 f2
 ffffc90003adfb00: 00 f2 f2 f2 00 04 f3 f3 00 00 00 00 00 00 00 00
==================================================================