bisecting cause commit starting from 119c85055d867b9588263bca59794c872ef2a30e
building syzkaller on 098b5d530648147c744a7c2eb8b78c1307f9d3ce
testing commit 119c85055d867b9588263bca59794c872ef2a30e
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: c24232a6f3f54f5c923e07098decb5a6ee24dd77cff605dcd69c55afd72c14f4
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing release v5.14
testing commit 7d2a07b769330c34b4deabeed939325c77a7ec2f
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: b914c7c8139ce5b32bb968ce880706126fd398e4ce8dec1d9aabeadfbf5bbffb
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing release v5.13
testing commit 62fb9874f5da54fdb243003b386128037319b219
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 73a38c14cb144de584fc177c3a181361ab0d8d343f40c35f95dcca3346014657
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing release v5.12
testing commit 9f4ad9e425a1d3b6a34617b8ea226d56a119a717
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: eeda2026188f42392628ecf86424686d69a77a3a06dff7071a44504fead91e7a
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing release v5.11
testing commit f40ddce88593482919761f74910f42f4b84c004b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f8a09ed40b690dd66f7b8741fc9dbdf0a213ac61210c1818ffa815f901ec0ff3
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing release v5.10
testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 139153572f114f89ec3343735029d338e078de75fc7b25fc1f75eabdb159ed1a
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_event_packet
testing release v5.9
testing commit bbf5c979011a099af5dc76498918ed7df445635b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 17946c4ae07657bb9c109f942430fed0c36a35e9c73d4eadc3a5f99e0f76b80e
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_event_packet
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c
compiler: gcc (GCC) 8.4.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 5c39d663b54df16cab0d56f1479c61d0ecb0228b4170e390b1266526a427430b
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162
compiler: gcc version 8.4.1 20210217 (GCC), GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: eaffef4c748853247f80e1fd33dc205c468f27fe3ca354b0603bfb876707e482
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: faa162107c78e54d9051dda5cace6d3c1f98eb49b936ecb4df8fcd0f656165d1
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 3f86f63835fc37c9e6c1d223824ef6bffee5e10a991d8cdf37e6732a3607111f
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 44f16823a987cc0321e88a88bef450dbfbf83034c24fa3b6821ecf0017934872
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: abdcaf71ec29d90aaea5a56c313f93490510d2f8d461616a398fb85cb4547c7e
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: bf65c830aa169e9f0b05c17096e310223649b9badfa96a2c342144d6539b819e
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: d0537871fbe36d17079691762a8e26c25094702808326ca41f277b63dd956e1c
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: d5705eecbf076430128038bb7d8065a0d37c8b5ee1d8fef5c9e67a72196dbfe0
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: ac3d6b01d390cd83c259e605fac7d7d754943f5019c7d5a62af9062311ef1f78
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: a6ededab4f3137e65c97a5476958516cb3c235ab2d6af10fe96c3201d4aed7f0
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 047c8af3b7c6e0739b95356d039564ff30958b8015d1fc56317f127fee0d12b7
all runs: crashed: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
testing release v4.17
testing commit 29dcea88779c856c7dc92040a0c01233263101d4
compiler: gcc (GCC) 8.4.1 20210217
./security/selinux/include/classmap.h:247:2: error: #error New address family defined, please update secclass_map.
testing release v4.16
testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda
compiler: gcc (GCC) 8.4.1 20210217
./security/selinux/include/classmap.h:247:2: error: #error New address family defined, please update secclass_map.
orc_dump.c:106:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
orc_dump.c:111:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
elf.c:135:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
elf.c:140:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
testing release v4.15
testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff
compiler: gcc (GCC) 8.4.1 20210217
orc_dump.c:106:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
orc_dump.c:111:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
elf.c:135:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
elf.c:140:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
pager.c:36:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict]
./security/selinux/include/classmap.h:247:2: error: #error New address family defined, please update secclass_map.
testing release v4.14
testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4
compiler: gcc (GCC) 8.4.1 20210217
orc_dump.c:105:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
orc_dump.c:110:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
pager.c:36:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict]
elf.c:134:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
elf.c:139:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
./security/selinux/include/classmap.h:245:2: error: #error New address family defined, please update secclass_map.
testing release v4.13
testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261
compiler: gcc (GCC) 8.4.1 20210217
pager.c:35:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict]
elf.c:144:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
elf.c:149:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
./security/selinux/include/classmap.h:242:2: error: #error New address family defined, please update secclass_map.
testing release v4.12
testing commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c
compiler: gcc (GCC) 8.4.1 20210217
pager.c:35:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict]
elf.c:141:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
elf.c:146:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
./security/selinux/include/classmap.h:238:2: error: #error New address family defined, please update secclass_map.
testing release v4.11
testing commit a351e9b9fc24e982ec2f0e76379a49826036da12
compiler: gcc (GCC) 7.5.0
elf.c:141:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
elf.c:146:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
pager.c:35:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict]
testing release v4.10
testing commit c470abd4fde40ea6a0846a2beab642a578c0b8cd
compiler: gcc (GCC) 5.5.0
tools/include/linux/log2.h:19:1: error: ignoring attribute 'noreturn' because it conflicts with attribute 'const' [-Werror=attributes]
elf.c:129:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
elf.c:134:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
pager.c:35:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict]
testing release v4.9
testing commit 69973b830859bc6529a7a0468ba0d80ee5117826
compiler: gcc (GCC) 5.5.0
tools/include/linux/log2.h:19:1: error: ignoring attribute 'noreturn' because it conflicts with attribute 'const' [-Werror=attributes]
elf.c:129:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
elf.c:134:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
pager.c:35:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict]
testing release v4.8
testing commit c8d2bc9bc39ebea8437fd974fdbc21847bb897a3
compiler: gcc (GCC) 5.5.0
tools/include/linux/log2.h:19:1: error: ignoring attribute 'noreturn' because it conflicts with attribute 'const' [-Werror=attributes]
pager.c:33:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict]
elf.c:129:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
elf.c:134:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
testing release v4.7
testing commit 523d939ef98fd712632d93a5a2b588e477a7565e
compiler: gcc (GCC) 5.5.0
tools/include/linux/log2.h:19:1: error: ignoring attribute 'noreturn' because it conflicts with attribute 'const' [-Werror=attributes]
elf.c:122:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
elf.c:127:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
pager.c:33:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict]
testing release v4.6
testing commit 2dcd0af568b0cf583645c8a317dd12e344b1c72a
compiler: gcc (GCC) 5.5.0
tools/include/linux/log2.h:19:1: error: ignoring attribute 'noreturn' because it conflicts with attribute 'const' [-Werror=attributes]
pager.c:33:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict]
revisions tested: 19, total time: 3h20m7.893385295s (build: 2h11m25.091807003s, test: 1h3m30.112348074s)
the crash already happened on the oldest tested release
commit msg: Linux 4.18
crash: KASAN: slab-out-of-bounds Read in hci_le_meta_evt
IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
Bluetooth: hci0: unknown advertising packet type: 0x90
Bluetooth: hci0: Dropping invalid advertising data
Bluetooth: hci0: Dropping invalid advertising data
==================================================================
BUG: KASAN: slab-out-of-bounds in hci_le_adv_report_evt net/bluetooth/hci_event.c:4946 [inline]
BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x3aeb/0x4590 net/bluetooth/hci_event.c:5173
Read of size 1 at addr ffff880096a157c0 by task kworker/u5:6/8094
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50

CPU: 1 PID: 8094 Comm: kworker/u5:6 Not tainted 4.18.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci0 hci_rx_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x15a/0x20d lib/dump_stack.c:113
 print_address_description.cold.6+0x9/0x211 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold.7+0x242/0x308 mm/kasan/report.c:396
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
 hci_le_adv_report_evt net/bluetooth/hci_event.c:4946 [inline]
 hci_le_meta_evt+0x3aeb/0x4590 net/bluetooth/hci_event.c:5173
 hci_event_packet+0x28b3/0x7576 net/bluetooth/hci_event.c:5415
 hci_rx_work+0x368/0xa40 net/bluetooth/hci_core.c:4258
 process_one_work+0x7b9/0x1580 kernel/workqueue.c:2153
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
 worker_thread+0x85/0xb60 kernel/workqueue.c:2296
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
 kthread+0x316/0x3d0 kernel/kthread.c:246
IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:412
wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50

Allocated by task 9521:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:553
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:538
 __do_kmalloc_node mm/slab.c:3682 [inline]
 __kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3696
 __kmalloc_reserve.isra.8+0x2c/0xc0 net/core/skbuff.c:137
 __alloc_skb+0xd7/0x580 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:987 [inline]
 bt_skb_alloc include/net/bluetooth/bluetooth.h:339 [inline]
 vhci_get_user drivers/bluetooth/hci_vhci.c:180 [inline]
 vhci_write+0xa8/0x3e0 drivers/bluetooth/hci_vhci.c:299
 call_write_iter include/linux/fs.h:1793 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x446/0x880 fs/read_write.c:487
 vfs_write+0x150/0x4f0 fs/read_write.c:549
 ksys_write+0xcd/0x1b0 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x6e/0xb0 fs/read_write.c:607
 do_syscall_64+0xda/0x540 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
(stack is not available)
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50

The buggy address belongs to the object at ffff880096a155c0
 which belongs to the cache kmalloc-512 of size 512
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
The buggy address is located 0 bytes to the right of
 512-byte region [ffff880096a155c0, ffff880096a157c0)
The buggy address belongs to the page:
page:ffffea00025a8540 count:1 mapcount:0 mapping:ffff8800b6000940 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 ffffea00025d0e48 ffffea000266fe88 ffff8800b6000940
raw: 0000000000000000 ffff880096a150c0 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected
page allocated via order 0, migratetype Unmovable, gfp_mask 0x442c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:1906 [inline]
 prep_new_page mm/page_alloc.c:1914 [inline]
 get_page_from_freelist+0x2f35/0x46b0 mm/page_alloc.c:3345
 __alloc_pages_nodemask+0x39e/0x2780 mm/page_alloc.c:4369
 __alloc_pages include/linux/gfp.h:456 [inline]
 __alloc_pages_node include/linux/gfp.h:469 [inline]
 kmem_getpages mm/slab.c:1409 [inline]
 cache_grow_begin+0xa5/0x8c0 mm/slab.c:2677
 cache_alloc_refill+0x2ac/0x380 mm/slab.c:3044
 ____cache_alloc mm/slab.c:3127 [inline]
 __do_cache_alloc mm/slab.c:3349 [inline]
 slab_alloc mm/slab.c:3384 [inline]
 kmem_cache_alloc_trace+0x361/0x3f0 mm/slab.c:3618
 kmalloc include/linux/slab.h:513 [inline]
 kzalloc include/linux/slab.h:707 [inline]
 ipv6_add_addr+0x353/0x1bc0 net/ipv6/addrconf.c:1031
 addrconf_add_linklocal+0x1a6/0x370 net/ipv6/addrconf.c:3136
wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
 addrconf_addr_gen+0x288/0x2f0 net/ipv6/addrconf.c:3263
 addrconf_dev_config+0xe9/0x1b0 net/ipv6/addrconf.c:3306
 addrconf_notify+0x305/0x20e0 net/ipv6/addrconf.c:3537
 notifier_call_chain+0x8a/0x160 kernel/notifier.c:93
 __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 call_netdevice_notifiers_info+0x28/0x60 net/core/dev.c:1735
 netdev_state_change net/core/dev.c:1340 [inline]
 netdev_state_change+0xd4/0x100 net/core/dev.c:1333
 linkwatch_do_dev+0x72/0xc0 net/core/link_watch.c:164
 __linkwatch_run_queue+0x24b/0x470 net/core/link_watch.c:202
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50

IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
Memory state around the buggy address:
 ffff880096a15680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Bluetooth: hci3: unknown advertising packet type: 0x90
 ffff880096a15700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff880096a15780: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                                           ^
 ffff880096a15800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff880096a15880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Bluetooth: hci4: command 0x0419 tx timeout
Bluetooth: hci3: Dropping invalid advertising data