==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:373 [inline]
BUG: KASAN: slab-out-of-bounds in hci_inquiry_result_evt net/bluetooth/hci_event.c:2375 [inline]
BUG: KASAN: slab-out-of-bounds in hci_event_packet+0x3dbf/0x858f net/bluetooth/hci_event.c:5747
Read of size 3 at addr ffff888094135c7f by task kworker/u5:4/7904

CPU: 0 PID: 7904 Comm: kworker/u5:4 Not tainted 4.19.136-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci2 hci_rx_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2fe lib/dump_stack.c:118
 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256
 kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354
 kasan_report+0x8f/0x96 mm/kasan/report.c:412
 memcpy+0x20/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:373 [inline]
 hci_inquiry_result_evt net/bluetooth/hci_event.c:2375 [inline]
 hci_event_packet+0x3dbf/0x858f net/bluetooth/hci_event.c:5747
 hci_rx_work+0x46b/0xa90 net/bluetooth/hci_core.c:4359
 process_one_work+0x864/0x1570 kernel/workqueue.c:2155
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2298
 kthread+0x30b/0x410 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 8669:
 __do_kmalloc_node mm/slab.c:3689 [inline]
 __kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3703
 __kmalloc_reserve net/core/skbuff.c:137 [inline]
 __alloc_skb+0xae/0x560 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:995 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:339 [inline]
 vhci_get_user drivers/bluetooth/hci_vhci.c:180 [inline]
 vhci_write+0xbd/0x450 drivers/bluetooth/hci_vhci.c:299
 call_write_iter include/linux/fs.h:1821 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x51b/0x770 fs/read_write.c:487
 vfs_write+0x1f3/0x540 fs/read_write.c:549
 ksys_write+0x12b/0x2a0 fs/read_write.c:599
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 6174:
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcc/0x210 mm/slab.c:3822
 skb_free_head net/core/skbuff.c:554 [inline]
 skb_release_data+0x6de/0x920 net/core/skbuff.c:574
 skb_release_all net/core/skbuff.c:631 [inline]
 __kfree_skb net/core/skbuff.c:645 [inline]
 consume_skb+0x113/0x3d0 net/core/skbuff.c:705
 netlink_broadcast_filtered+0x319/0xbc0 net/netlink/af_netlink.c:1520
 netlink_broadcast+0x35/0x40 net/netlink/af_netlink.c:1542
 uevent_net_broadcast_tagged lib/kobject_uevent.c:370 [inline]
 kobject_uevent_net_broadcast lib/kobject_uevent.c:409 [inline]
 kobject_uevent_env+0xfa5/0x1220 lib/kobject_uevent.c:590
 netdev_queue_add_kobject net/core/net-sysfs.c:1492 [inline]
 netdev_queue_update_kobjects+0x2f9/0x3c0 net/core/net-sysfs.c:1509
 register_queue_kobjects net/core/net-sysfs.c:1551 [inline]
 netdev_register_kobject+0x2f2/0x3b0 net/core/net-sysfs.c:1769
 register_netdevice+0xb46/0x10f0 net/core/dev.c:8716
 __ip_tunnel_create+0x398/0x580 net/ipv4/ip_tunnel.c:280
 ip_tunnel_init_net+0x330/0x990 net/ipv4/ip_tunnel.c:1025
 vti_init_net+0x2a/0x370 net/ipv4/ip_vti.c:520
 ops_init+0xb3/0x410 net/core/net_namespace.c:129
 setup_net+0x2c2/0x720 net/core/net_namespace.c:315
 copy_net_ns+0x1f7/0x335 net/core/net_namespace.c:438
 create_new_namespaces+0x3f6/0x7b0 kernel/nsproxy.c:107
 unshare_nsproxy_namespaces+0xbd/0x1f0 kernel/nsproxy.c:206
 ksys_unshare+0x36c/0x9a0 kernel/fork.c:2530
 __do_sys_unshare kernel/fork.c:2598 [inline]
 __se_sys_unshare kernel/fork.c:2596 [inline]
 __x64_sys_unshare+0x2d/0x40 kernel/fork.c:2596
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888094135a80
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 511 bytes inside of
 512-byte region [ffff888094135a80, ffff888094135c80)
The buggy address belongs to the page:
page:ffffea0002504d40 count:1 mapcount:0 mapping:ffff88812c39c940 index:0x0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea0002103648 ffffea00026b9dc8 ffff88812c39c940
raw: 0000000000000000 ffff888094135080 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888094135b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888094135c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888094135c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff888094135d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888094135d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================