Bluetooth: hci4: Malformed Event: 0x02
Bluetooth: Wrong link type (-22)
==================================================================
BUG: KASAN: stack-out-of-bounds in l2cap_send_cmd+0x8ea/0xbb0
Read of size 22 at addr ffff888013ad7a28 by task kworker/u11:1/21580

CPU: 0 UID: 0 PID: 21580 Comm: kworker/u11:1 Not tainted 6.19.0-next-20260218 #1 PREEMPT(lazy)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Workqueue: hci4 hci_rx_work
Call Trace:
 dump_stack_lvl+0xca/0x120
 print_report+0xcb/0x610
 kasan_report+0xca/0x100
 kasan_check_range+0x39/0x1b0
 __asan_memcpy+0x24/0x60
 l2cap_send_cmd+0x8ea/0xbb0
 l2cap_recv_frame+0x6e4e/0x9580
 l2cap_recv_acldata+0xf07/0x10d0
 hci_rx_work+0x416/0x8b0
 process_one_work+0x8e1/0x1a40
 worker_thread+0x67e/0xe90
 kthread+0x385/0x490
 ret_from_fork+0x67a/0xab0
 ret_from_fork_asm+0x1a/0x30

The buggy address belongs to stack of task kworker/u11:1/21580
 and is located at offset 96 in frame:
 l2cap_recv_frame+0x0/0x9580

This frame has 8 objects:
 [32, 34) 'rsp'
 [48, 58) 'rsp'
 [80, 84) 'rsp'
 [96, 114) 'pdu_u'
 [160, 200) 'chan'
 [240, 244) 'rx_func_to_event'
 [256, 264) 'buf'
 [288, 300) 'buf'

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13ad7
flags: 0x100000000000000(node=0|zone=1)
raw: 0100000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888013ad7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888013ad7980: 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00
>ffff888013ad7a00: 02 f2 f2 04 f2 00 00 02 f2 f2 f2 f2 f2 00 00 00
                                  ^
 ffff888013ad7a80: 00 00 f2 f2 f2 f2 f2 04 f2 00 f2 f2 f2 00 04 f3
 ffff888013ad7b00: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
Bluetooth: hci4: Malformed Event: 0x02
Bluetooth: Wrong link type (-22)
loop2: detected capacity change from 0 to 264192
loop2: detected capacity change from 0 to 264192
Bluetooth: Unexpected continuation frame (len 12)
Bluetooth: Unexpected continuation frame (len 12)
netlink: 16 bytes leftover after parsing attributes in process `syz-executor.3'.
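The report states two facts that should agree: the frame listing says the object at offset 96, 'pdu_u', spans [96, 114), i.e. 18 bytes, and the access is a 22-byte memcpy read starting at ffff888013ad7a28. The shadow row marked with '>' lets a reader confirm the 18 bytes independently. The C program below is an added example, not kernel code or anything from the report's submitter: it decodes the printed shadow row using the documented KASAN stack encoding (one shadow byte per 8 stack bytes; 0x00 fully addressable, 0x01..0x07 that many leading bytes addressable, 0xf1/0xf2/0xf3 stack redzones), computes the overrun, and shows the shape of the caller-side length guard such a memcpy needs. The shadow row is copied from the report; `copy_pdu_checked()` is a hypothetical helper, not the kernel's l2cap_send_cmd().

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KASAN_GRANULE     8
#define SHADOW_ROW_BYTES  16
#define ROW_BASE          0xffff888013ad7a00ULL   /* the '>' row */
#define BUGGY_ADDR        0xffff888013ad7a28ULL   /* "at addr ..." */
#define ACCESS_SIZE       22                      /* "Read of size 22" */

/* Shadow bytes copied from the ">ffff888013ad7a00:" line of the report. */
static const uint8_t shadow_row_a00[SHADOW_ROW_BYTES] = {
    0x02, 0xf2, 0xf2, 0x04, 0xf2, 0x00, 0x00, 0x02,
    0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0x00, 0x00, 0x00,
};

/* Contiguous addressable bytes starting at byte offset `off` into the
 * 128-byte region one shadow row covers, stopping at the first redzone
 * or partial granule. General for any KASAN shadow row, not only this one. */
static size_t kasan_addressable(const uint8_t *shadow, size_t nshadow, size_t off)
{
    size_t count = 0;
    size_t i = off / KASAN_GRANULE;
    size_t within = off % KASAN_GRANULE;

    for (; i < nshadow; i++, within = 0) {
        uint8_t s = shadow[i];
        if (s == 0x00) {                /* whole granule addressable */
            count += KASAN_GRANULE - within;
            continue;
        }
        if (s >= 0x01 && s <= 0x07) {   /* only the first s bytes are */
            if (within < s)
                count += s - within;
            break;                      /* the object ends in this granule */
        }
        break;                          /* 0xf1/0xf2/0xf3 etc.: redzone */
    }
    return count;
}

/* Bytes an access of `access` bytes reads past `addressable` bytes. */
static size_t overread_bytes(size_t access, size_t addressable)
{
    return access > addressable ? access - addressable : 0;
}

/* Hypothetical guard (not l2cap_send_cmd): a memcpy-style send routine must
 * refuse a length the backing object cannot supply. Returns bytes copied,
 * or -EINVAL when `len` exceeds either the source object or the destination. */
static int copy_pdu_checked(uint8_t *dst, size_t dst_cap,
                            const void *pdu, size_t pdu_size, size_t len)
{
    if (len > pdu_size || len > dst_cap)
        return -EINVAL;
    memcpy(dst, pdu, len);
    return (int)len;
}

int main(void)
{
    size_t off = (size_t)(BUGGY_ADDR - ROW_BASE);   /* 0x28 = 40 */
    size_t ok = kasan_addressable(shadow_row_a00, SHADOW_ROW_BYTES, off);

    printf("addressable from %#llx: %zu bytes (frame listing: pdu_u [96,114) = 18)\n",
           BUGGY_ADDR, ok);
    printf("a %d-byte read overruns the object by %zu bytes\n",
           ACCESS_SIZE, overread_bytes(ACCESS_SIZE, ok));

    uint8_t pdu[18] = {0};                          /* constructed stand-in for pdu_u */
    uint8_t out[64];
    printf("checked copy of 22 -> %d, of 18 -> %d\n",
           copy_pdu_checked(out, sizeof out, pdu, sizeof pdu, 22),
           copy_pdu_checked(out, sizeof out, pdu, sizeof pdu, 18));
    return 0;
}
```

Walking the row from offset 0x28: shadow bytes 5 and 6 are 0x00 (16 bytes), byte 7 is 0x02 (2 more), then 0xf2 redzone, so exactly 18 addressable bytes, matching the frame listing, and a 22-byte read runs 4 bytes into the redzone. The same decoder applied to offset 0 or 0x18 of this row recovers the 2- and 4-byte 'rsp' objects listed for the frame.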