general protection fault, probably for non-canonical address 0xdffffc000000005f: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000002f8-0x00000000000002ff]
CPU: 1 PID: 10320 Comm: syz-executor198 Not tainted 6.1.137-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025
RIP: 0010:h5_recv+0x149/0x8c0 drivers/bluetooth/hci_h5.c:569
Code: 89 54 24 70 48 89 4c 24 28 48 c1 e9 03 48 89 4c 24 30 48 89 44 24 38 48 c1 e8 03 48 89 44 24 68 4c 89 74 24 18 48 8b 44 24 40 <80> 3c 18 00 74 08 4c 89 f7 e8 69 7f 89 fa 4d 8b 36 31 ff 4c 89 f6
RSP: 0018:ffffc9000d487c40 EFLAGS: 00010202
RAX: 000000000000005f RBX: dffffc0000000000 RCX: 000000000000005e
RDX: 1ffff1100dc57d82 RSI: 000000000000005f RDI: 0000000000000000
RBP: ffffc9000d487d80 R08: dffffc0000000000 R09: ffffed100dc57d84
R10: ffffed100dc57d84 R11: 1ffff1100dc57d83 R12: 0000000000000001
R13: ffff88806e2bec00 R14: 00000000000002f8 R15: 0000000000000061
FS: 00007f8c6ae166c0(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc178905a48 CR3: 0000000076d09000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
hci_uart_tty_receive+0x188/0x210 drivers/bluetooth/hci_ldisc.c:624
tiocsti+0x1f6/0x280 drivers/tty/tty_io.c:2288
tty_ioctl+0x34e/0xba0 drivers/tty/tty_io.c:2690
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:870 [inline]
__se_sys_ioctl+0xfa/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f8c6b6875c9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 81 1d 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f8c6ae16168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f8c6b708438 RCX: 00007f8c6b6875c9
RDX: 0000200000000140 RSI: 0000000000005412 RDI: 0000000000000006
RBP: 00007f8c6b708430 R08: 00007f8c6ae166c0 R09: 0000000000000000
R10: 00007f8c6ae166c0 R11: 0000000000000246 R12: 00007f8c6b70843c
R13: 000000000000006e R14: 00007ffd81b4f6e0 R15: 00007ffd81b4f7c8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:h5_recv+0x149/0x8c0 drivers/bluetooth/hci_h5.c:569
Code: 89 54 24 70 48 89 4c 24 28 48 c1 e9 03 48 89 4c 24 30 48 89 44 24 38 48 c1 e8 03 48 89 44 24 68 4c 89 74 24 18 48 8b 44 24 40 <80> 3c 18 00 74 08 4c 89 f7 e8 69 7f 89 fa 4d 8b 36 31 ff 4c 89 f6
RSP: 0018:ffffc9000d487c40 EFLAGS: 00010202
RAX: 000000000000005f RBX: dffffc0000000000 RCX: 000000000000005e
RDX: 1ffff1100dc57d82 RSI: 000000000000005f RDI: 0000000000000000
RBP: ffffc9000d487d80 R08: dffffc0000000000 R09: ffffed100dc57d84
R10: ffffed100dc57d84 R11: 1ffff1100dc57d83 R12: 0000000000000001
R13: ffff88806e2bec00 R14: 00000000000002f8 R15: 0000000000000061
FS: 00007f8c6ae166c0(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd81b4ece8 CR3: 0000000076d09000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 89 54 24 70 mov %edx,0x70(%rsp)
4: 48 89 4c 24 28 mov %rcx,0x28(%rsp)
9: 48 c1 e9 03 shr $0x3,%rcx
d: 48 89 4c 24 30 mov %rcx,0x30(%rsp)
12: 48 89 44 24 38 mov %rax,0x38(%rsp)
17: 48 c1 e8 03 shr $0x3,%rax
1b: 48 89 44 24 68 mov %rax,0x68(%rsp)
20: 4c 89 74 24 18 mov %r14,0x18(%rsp)
25: 48 8b 44 24 40 mov 0x40(%rsp),%rax
* 2a: 80 3c 18 00 cmpb $0x0,(%rax,%rbx,1) <-- trapping instruction
2e: 74 08 je 0x38
30: 4c 89 f7 mov %r14,%rdi
33: e8 69 7f 89 fa call 0xfa897fa1
38: 4d 8b 36 mov (%r14),%r14
3b: 31 ff xor %edi,%edi
3d: 4c 89 f6 mov %r14,%rsi