================================================================== BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline] BUG: KASAN: slab-out-of-bounds in hci_sock_setsockopt_old net/bluetooth/hci_sock.c:1948 [inline] BUG: KASAN: slab-out-of-bounds in hci_sock_setsockopt+0x9e4/0xe50 net/bluetooth/hci_sock.c:2023 Read of size 4 at addr ffff8881000aa2fb by task syz-executor.0/2338 CPU: 1 PID: 2338 Comm: syz-executor.0 Not tainted 6.5.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xf8/0x260 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0x167/0x540 mm/kasan/report.c:475 kasan_report+0x175/0x1b0 mm/kasan/report.c:588 copy_from_sockptr_offset include/linux/sockptr.h:49 [inline] copy_from_sockptr include/linux/sockptr.h:55 [inline] hci_sock_setsockopt_old net/bluetooth/hci_sock.c:1948 [inline] hci_sock_setsockopt+0x9e4/0xe50 net/bluetooth/hci_sock.c:2023 __sys_setsockopt+0x45f/0x870 net/socket.c:2305 __do_sys_setsockopt net/socket.c:2316 [inline] __se_sys_setsockopt net/socket.c:2313 [inline] __x64_sys_setsockopt+0xb0/0xd0 net/socket.c:2313 do_syscall_64+0x46/0xc0 entry_SYSCALL_64_after_hwframe+0x74/0xde RIP: 0033:0x7f7bc107de69 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f7bc1da20c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 00007f7bc11abf80 RCX: 00007f7bc107de69 RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000004 RBP: 00007f7bc10ca47a R08: 0000000000000002 R09: 0000000000000000 R10: 0000000020000040 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000006 R14: 00007f7bc11abf80 R15: 00007fff28398928 Allocated by task 2338: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4f/0x80 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:374 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:383 kasan_kmalloc include/linux/kasan.h:196 [inline] __do_kmalloc_node mm/slab_common.c:985 [inline] __kmalloc+0xaa/0x1d0 mm/slab_common.c:998 kmalloc include/linux/slab.h:586 [inline] __cgroup_bpf_run_filter_setsockopt+0x924/0xbf0 kernel/bpf/cgroup.c:1856 __sys_setsockopt+0x83e/0x870 net/socket.c:2287 __do_sys_setsockopt net/socket.c:2316 [inline] __se_sys_setsockopt net/socket.c:2313 [inline] __x64_sys_setsockopt+0xb0/0xd0 net/socket.c:2313 do_syscall_64+0x46/0xc0 entry_SYSCALL_64_after_hwframe+0x74/0xde The buggy address belongs to the object at ffff8881000aa2f8 which belongs to the cache kmalloc-8 of size 8 The buggy address is located 1 bytes to the right of allocated 2-byte region [ffff8881000aa2f8, ffff8881000aa2fa) The buggy address belongs to the physical page: page:ffffea0004002a80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1000aa flags: 0x100000000000200(slab|node=0|zone=2) page_type: 0xffffffff() raw: 0100000000000200 ffff888100041280 ffffea000403b6c0 dead000000000002 raw: 0000000000000000 0000000080660066 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, tgid 1 (swapper/0), ts 3596349800, free_ts 0 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x10f/0x130 mm/page_alloc.c:1570 prep_new_page mm/page_alloc.c:1577 [inline] get_page_from_freelist+0x3f4f/0x4170 mm/page_alloc.c:3221 __alloc_pages+0x255/0x650 mm/page_alloc.c:4477 alloc_page_interleave+0xf/0x130 mm/mempolicy.c:2125 alloc_slab_page+0x6a/0x170 mm/slub.c:1862 allocate_slab mm/slub.c:2009 [inline] new_slab+0x70/0x270 mm/slub.c:2062 ___slab_alloc+0x834/0xd60 mm/slub.c:3215 __slab_alloc mm/slub.c:3314 [inline] __slab_alloc_node mm/slub.c:3367 [inline] slab_alloc_node mm/slub.c:3460 [inline] __kmem_cache_alloc_node+0x1aa/0x260 mm/slub.c:3509 __do_kmalloc_node mm/slab_common.c:984 [inline] __kmalloc_node_track_caller+0x9a/0x1d0 mm/slab_common.c:1005 kstrdup+0x32/0x60 mm/util.c:62 kvasprintf_const+0x1f0/0x280 kobject_set_name_vargs+0x5a/0xf0 lib/kobject.c:267 kobject_add_varg lib/kobject.c:361 [inline] kobject_init_and_add+0xd8/0x160 lib/kobject.c:450 bus_add_driver+0x237/0x520 drivers/base/bus.c:666 driver_register+0x16d/0x2b0 drivers/base/driver.c:246 acpi_ec_init+0xbc/0xe0 drivers/acpi/ec.c:2242 page_owner free stack trace missing Memory state around the buggy address: ffff8881000aa180: fc fc 03 fc fc fc fc 05 fc fc fc fc 05 fc fc fc ffff8881000aa200: fc 05 fc fc fc fc 05 fc fc fc fc 07 fc fc fc fc >ffff8881000aa280: fb fc fc fc fc fb fc fc fc fc 07 fc fc fc fc 02 ^ ffff8881000aa300: fc fc fc fc fa fc fc fc fc fa fc fc fc fc 00 fc ffff8881000aa380: fc fc fc fa fc fc fc fc 00 fc fc fc fc 00 fc fc ==================================================================