Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail.cold+0xa/0x1b lib/fault-inject.c:149
==================================================================
 should_fail_alloc_page mm/page_alloc.c:3086 [inline]
 prepare_alloc_pages mm/page_alloc.c:4344 [inline]
 __alloc_pages_nodemask+0x1ee/0x750 mm/page_alloc.c:4391
BUG: KASAN: slab-out-of-bounds in hci_inquiry_result_evt net/bluetooth/hci_event.c:2376 [inline]
BUG: KASAN: slab-out-of-bounds in hci_event_packet+0xa5b2/0xaa40 net/bluetooth/hci_event.c:5746
Read of size 3 at addr ffff88809b102f3f by task kworker/u5:1/8458
 __alloc_pages include/linux/gfp.h:496 [inline]
 __alloc_pages_node include/linux/gfp.h:509 [inline]
 kmem_getpages mm/slab.c:1412 [inline]
 cache_grow_begin+0x91/0x8c0 mm/slab.c:2682
 cache_alloc_refill mm/slab.c:3049 [inline]
 ____cache_alloc mm/slab.c:3132 [inline]
 ____cache_alloc mm/slab.c:3115 [inline]
 __do_cache_alloc mm/slab.c:3354 [inline]
 slab_alloc mm/slab.c:3389 [inline]
 __do_kmalloc mm/slab.c:3725 [inline]
 __kmalloc+0x68b/0x750 mm/slab.c:3736
 kmalloc include/linux/slab.h:520 [inline]
 match_number.isra.0+0xa1/0x230 lib/parser.c:136
 match_int+0x41/0x50 lib/parser.c:195
 parse_options+0xe9a/0x1b00 fs/fat/inode.c:1239
 fat_fill_super+0x287/0x3900 fs/fat/inode.c:1633
 msdos_fill_super+0x2f/0x40 fs/fat/namei_msdos.c:651
 mount_bdev+0x304/0x3c0 fs/super.c:1158
 msdos_mount+0x35/0x40 fs/fat/namei_msdos.c:658
 mount_fs+0xa8/0x31f fs/super.c:1261
 vfs_kern_mount.part.0+0x6f/0x410 fs/namespace.c:961
 vfs_kern_mount fs/namespace.c:951 [inline]
 do_new_mount fs/namespace.c:2469 [inline]
 do_mount+0x53e/0x2bc0 fs/namespace.c:2799
 ksys_mount+0xdb/0x150 fs/namespace.c:3015
 __do_sys_mount fs/namespace.c:3029 [inline]
 __se_sys_mount fs/namespace.c:3026 [inline]
 __x64_sys_mount+0xbe/0x150 fs/namespace.c:3026
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45d99a
Code: b8 a6 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 4d 8c fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 2a 8c fb ff c3 66 0f 1f 84 00 00 00 00 00
RSP: 002b:00007f8a9b118a68 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f8a9b118c90 RCX: 000000000045d99a
RDX: 00007f8a9b118ae0 RSI: 00000000200000c0 RDI: 00007f8a9b118b00
RBP: 000000000075bf20 R08: 00007f8a9b118b40 R09: 00007f8a9b118ae0
R10: 0000000000000000 R11: 0000000000000202 R12: 00007f8a9b1196d4
R13: 00000000004cbf18 R14: 00000000004e6db0 R15: 0000000000000003
CPU: 0 PID: 8458 Comm: kworker/u5:1 Not tainted 4.19.95-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci0 hci_rx_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:443
 hci_inquiry_result_evt net/bluetooth/hci_event.c:2376 [inline]
 hci_event_packet+0xa5b2/0xaa40 net/bluetooth/hci_event.c:5746
 hci_rx_work+0x478/0xae0 net/bluetooth/hci_core.c:4359
 process_one_work+0x989/0x1750 kernel/workqueue.c:2153
 worker_thread+0x98/0xe40 kernel/workqueue.c:2296
 kthread+0x354/0x420 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Allocated by task 16239:
 save_stack+0x45/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc mm/kasan/kasan.c:553 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
 __do_kmalloc_node mm/slab.c:3689 [inline]
 __kmalloc_node_track_caller+0x51/0x80 mm/slab.c:3703
 __kmalloc_reserve.isra.0+0x40/0xf0 net/core/skbuff.c:137
 __alloc_skb+0x10b/0x5f0 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:995 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:339 [inline]
 vhci_get_user drivers/bluetooth/hci_vhci.c:180 [inline]
 vhci_write+0xc4/0x470 drivers/bluetooth/hci_vhci.c:299
 call_write_iter include/linux/fs.h:1820 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x587/0x810 fs/read_write.c:487
 vfs_write+0x20c/0x560 fs/read_write.c:549
 ksys_write+0x14f/0x2d0 fs/read_write.c:599
 __do_sys_write fs/read_write.c:611 [inline]
 __se_sys_write fs/read_write.c:608 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:608
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 3777:
 save_stack+0x45/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcf/0x220 mm/slab.c:3822
 skb_free_head+0x99/0xc0 net/core/skbuff.c:554
 skb_release_data+0x619/0x8d0 net/core/skbuff.c:574
 skb_release_all+0x4d/0x60 net/core/skbuff.c:631
 __kfree_skb net/core/skbuff.c:645 [inline]
 consume_skb net/core/skbuff.c:705 [inline]
 consume_skb+0xe2/0x390 net/core/skbuff.c:699
 uevent_net_broadcast_untagged lib/kobject_uevent.c:335 [inline]
 kobject_uevent_net_broadcast lib/kobject_uevent.c:406 [inline]
 kobject_uevent_env+0xa2c/0x1170 lib/kobject_uevent.c:590
 kobject_synth_uevent+0x77b/0x89c lib/kobject_uevent.c:208
 uevent_store+0x26/0x80 drivers/base/core.c:1073
 dev_attr_store+0x59/0x80 drivers/base/core.c:782
 sysfs_kf_write+0x116/0x170 fs/sysfs/file.c:139
 kernfs_fop_write+0x2b8/0x480 fs/kernfs/file.c:316
 __vfs_write+0x114/0x810 fs/read_write.c:485
 vfs_write+0x20c/0x560 fs/read_write.c:549
 ksys_write+0x14f/0x2d0 fs/read_write.c:599
 __do_sys_write fs/read_write.c:611 [inline]
 __se_sys_write fs/read_write.c:608 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:608
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88809b102d40
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 511 bytes inside of
 512-byte region [ffff88809b102d40, ffff88809b102f40)
The buggy address belongs to the page:
page:ffffea00026c4080 count:1 mapcount:0 mapping:ffff88812c31c940 index:0xffff88809b1020c0
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffffea000155ebc8 ffffea000251df88 ffff88812c31c940
raw: ffff88809b1020c0 ffff88809b1020c0 0000000100000004 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809b102e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88809b102e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88809b102f00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                                        ^
 ffff88809b102f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809b103000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================