last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.1.161' (ED25519) to the list of known hosts.
[   97.749657][ T5818] cgroup: Unknown subsys name 'net'
[   97.878343][ T5818] cgroup: Unknown subsys name 'cpuset'
[   97.888215][ T5818] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   99.603863][ T5818] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[  101.865874][ T5842] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[  101.877587][ T5846] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[  101.888657][ T5849] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[  101.889508][ T5846] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[  101.897899][ T5849] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[  101.905430][ T5846] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[  101.911445][ T5849] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[  101.918253][ T5846] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[  101.927151][ T5849] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[  101.932238][ T5842] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[  101.939616][ T5849] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[  101.946429][ T5846] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[  101.956003][ T5849] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[  101.961061][ T5842] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[  101.967379][ T5849] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[  101.974764][ T5842] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[  101.982874][ T5849] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[  101.988507][ T5846] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[  102.001979][   T53] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[  102.009862][ T5842] ==================================================================
[  102.017953][ T5842] BUG: KFENCE: use-after-free read in hci_cmd_work+0x33d/0x7b0
[  102.017953][ T5842] 
[  102.027712][ T5842] Use-after-free read at 0xffff88823be86f38 (in kfence-#66):
[  102.035104][ T5842]  hci_cmd_work+0x33d/0x7b0
[  102.039640][ T5842]  process_one_work+0x93a/0x15e0
[  102.044608][ T5842]  worker_thread+0x9b0/0xee0
[  102.049232][ T5842]  kthread+0x711/0x8a0
[  102.053328][ T5842]  ret_from_fork+0x599/0xb30
[  102.057950][ T5842]  ret_from_fork_asm+0x1a/0x30
[  102.062739][ T5842] 
[  102.065086][ T5842] kfence-#66: 0xffff88823be86f00-0xffff88823be86fef, size=240, cache=skbuff_head_cache
[  102.065086][ T5842] 
[  102.076909][ T5842] allocated by task 5841 on cpu 0 at 102.001449s (0.075459s ago):
[  102.084736][ T5842]  __alloc_skb+0x112/0x2d0
[  102.089165][ T5842]  hci_cmd_sync_alloc+0x3d/0x3b0
[  102.094114][ T5842]  __hci_cmd_sync_sk+0x1a7/0xc70
[  102.099171][ T5842]  hci_read_dev_class_sync+0x2c/0x120
[  102.104548][ T5842]  hci_dev_open_sync+0x227c/0x2dc0
[  102.109664][ T5842]  hci_power_on+0x1b4/0x720
[  102.114171][ T5842]  process_one_work+0x93a/0x15e0
[  102.119120][ T5842]  worker_thread+0x9b0/0xee0
[  102.123727][ T5842]  kthread+0x711/0x8a0
[  102.127818][ T5842]  ret_from_fork+0x599/0xb30
[  102.132422][ T5842]  ret_from_fork_asm+0x1a/0x30
[  102.137199][ T5842] 
[  102.139531][ T5842] freed by task 5840 on cpu 1 at 102.001762s (0.137767s ago):
[  102.147005][ T5842]  vhci_read+0x49a/0x5b0
[  102.151260][ T5842]  vfs_read+0x200/0xa30
[  102.155419][ T5842]  ksys_read+0x145/0x250
[  102.159694][ T5842]  do_syscall_64+0xfa/0xfa0
[  102.164209][ T5842]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  102.170112][ T5842] 
[  102.172466][ T5842] CPU: 1 UID: 0 PID: 5842 Comm: kworker/u9:4 Not tainted syzkaller #0 PREEMPT(full) 
[  102.181930][ T5842] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[  102.191987][ T5842] Workqueue: hci3 hci_cmd_work
[  102.196778][ T5842] RIP: 0010:hci_cmd_work+0x33d/0x7b0
[  102.202082][ T5842] Code: f7 4d 89 27 4c 8b 2c 24 49 bc 00 00 00 00 00 fc ff df 49 83 c6 38 4c 89 f0 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 7b 02 00 00 <41> 0f b7 2e 31 ff 89 ee e8 56 9a 6c f7 85 ed 74 51 e8 0d 36 53 f7
[  102.221691][ T5842] RSP: 0018:ffffc9000412fa38 EFLAGS: 00010246
[  102.227768][ T5842] RAX: 0000000000000000 RBX: 1ffff110065649ab RCX: ffffffff8931f833
[  102.235750][ T5842] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff8880604d5860
[  102.243746][ T5842] RBP: 0000000000000001 R08: ffff8880604d5863 R09: 1ffff1100c09ab0c
[  102.251723][ T5842] R10: dffffc0000000000 R11: ffffed100c09ab0d R12: dffffc0000000000
[  102.259703][ T5842] R13: ffff888032b24b18 R14: ffff88823be86f38 R15: ffff888032b24e50
[  102.267683][ T5842] FS:  0000000000000000(0000) GS:ffff888125dbb000(0000) knlGS:0000000000000000
[  102.276624][ T5842] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  102.283211][ T5842] CR2: ffff88823be86f38 CR3: 000000006748a000 CR4: 00000000003526f0
[  102.291186][ T5842] Call Trace:
[  102.294470][ T5842]  <TASK>
[  102.297407][ T5842]  ? process_one_work+0x868/0x15e0
[  102.302528][ T5842]  process_one_work+0x93a/0x15e0
[  102.307477][ T5842]  ? __lock_acquire+0xab9/0xd20
[  102.312345][ T5842]  ? __pfx_process_one_work+0x10/0x10
[  102.317756][ T5842]  ? assign_work+0x3a1/0x410
[  102.322359][ T5842]  worker_thread+0x9b0/0xee0
[  102.326976][ T5842]  kthread+0x711/0x8a0
[  102.331049][ T5842]  ? __pfx_worker_thread+0x10/0x10
[  102.336167][ T5842]  ? __pfx_kthread+0x10/0x10
[  102.340764][ T5842]  ? _raw_spin_unlock_irq+0x23/0x50
[  102.345971][ T5842]  ? lockdep_hardirqs_on+0x9c/0x150
[  102.351175][ T5842]  ? __pfx_kthread+0x10/0x10
[  102.355789][ T5842]  ret_from_fork+0x599/0xb30
[  102.360394][ T5842]  ? __pfx_ret_from_fork+0x10/0x10
[  102.365518][ T5842]  ? __switch_to_asm+0x39/0x70
[  102.370310][ T5842]  ? __switch_to_asm+0x33/0x70
[  102.375077][ T5842]  ? __pfx_kthread+0x10/0x10
[  102.379674][ T5842]  ret_from_fork_asm+0x1a/0x30
[  102.384450][ T5842]  </TASK>
[  102.387469][ T5842] ==================================================================
[  102.395531][ T5842] Kernel panic - not syncing: KFENCE: panic_on_warn set ...
[  102.403028][ T5842] CPU: 1 UID: 0 PID: 5842 Comm: kworker/u9:4 Not tainted syzkaller #0 PREEMPT(full) 
[  102.412492][ T5842] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[  102.422559][ T5842] Workqueue: hci3 hci_cmd_work
[  102.427345][ T5842] Call Trace:
[  102.430645][ T5842]  <TASK>
[  102.433601][ T5842]  dump_stack_lvl+0x99/0x250
[  102.438256][ T5842]  ? __asan_memcpy+0x40/0x70
[  102.442883][ T5842]  ? __pfx_dump_stack_lvl+0x10/0x10
[  102.448105][ T5842]  ? __pfx__printk+0x10/0x10
[  102.452749][ T5842]  vpanic+0x237/0x6d0
[  102.456753][ T5842]  ? __pfx_vpanic+0x10/0x10
[  102.461267][ T5842]  ? is_bpf_text_address+0x292/0x2b0
[  102.466586][ T5842]  panic+0xb9/0xc0
[  102.470323][ T5842]  ? __pfx_panic+0x10/0x10
[  102.474749][ T5842]  ? __pfx__printk+0x10/0x10
[  102.479359][ T5842]  check_panic_on_warn+0x89/0xb0
[  102.484310][ T5842]  kfence_report_error+0x738/0xa40
[  102.489447][ T5842]  ? __pfx_kfence_report_error+0x10/0x10
[  102.495087][ T5842]  ? hci_cmd_work+0x33d/0x7b0
[  102.499780][ T5842]  ? process_one_work+0x93a/0x15e0
[  102.504906][ T5842]  ? worker_thread+0x9b0/0xee0
[  102.509700][ T5842]  ? kthread+0x711/0x8a0
[  102.513951][ T5842]  ? ret_from_fork+0x599/0xb30
[  102.519081][ T5842]  ? ret_from_fork_asm+0x1a/0x30
[  102.524073][ T5842]  ? _raw_spin_lock_irqsave+0xb3/0xf0
[  102.529455][ T5842]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[  102.535356][ T5842]  ? search_bpf_extables+0x26/0x3f0
[  102.540570][ T5842]  kfence_handle_page_fault+0x358/0x4d0
[  102.546133][ T5842]  page_fault_oops+0x19f/0xa10
[  102.550914][ T5842]  ? __pfx_fixup_exception+0x10/0x10
[  102.556244][ T5842]  ? __pfx_page_fault_oops+0x10/0x10
[  102.561554][ T5842]  ? is_prefetch+0x403/0x640
[  102.566154][ T5842]  ? kasan_save_track+0x4f/0x80
[  102.571025][ T5842]  ? kasan_save_track+0x3e/0x80
[  102.575901][ T5842]  ? __kasan_slab_alloc+0x6c/0x80
[  102.580989][ T5842]  ? kmem_cache_alloc_noprof+0x37d/0x700
[  102.586638][ T5842]  ? skb_clone+0x212/0x3a0
[  102.591073][ T5842]  ? hci_cmd_work+0x2f7/0x7b0
[  102.595788][ T5842]  ? process_one_work+0x93a/0x15e0
[  102.600924][ T5842]  ? __pfx_is_prefetch+0x10/0x10
[  102.605874][ T5842]  ? ret_from_fork_asm+0x1a/0x30
[  102.610838][ T5842]  __bad_area_nosemaphore+0x11a/0x780
[  102.616233][ T5842]  ? __pfx___bad_area_nosemaphore+0x10/0x10
[  102.622154][ T5842]  ? do_kern_addr_fault+0x30/0x80
[  102.627217][ T5842]  exc_page_fault+0xcf/0x100
[  102.631846][ T5842]  asm_exc_page_fault+0x26/0x30
[  102.636712][ T5842] RIP: 0010:hci_cmd_work+0x33d/0x7b0
[  102.642026][ T5842] Code: f7 4d 89 27 4c 8b 2c 24 49 bc 00 00 00 00 00 fc ff df 49 83 c6 38 4c 89 f0 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 7b 02 00 00 <41> 0f b7 2e 31 ff 89 ee e8 56 9a 6c f7 85 ed 74 51 e8 0d 36 53 f7
[  102.661642][ T5842] RSP: 0018:ffffc9000412fa38 EFLAGS: 00010246
[  102.667724][ T5842] RAX: 0000000000000000 RBX: 1ffff110065649ab RCX: ffffffff8931f833
[  102.675704][ T5842] RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffff8880604d5860
[  102.683685][ T5842] RBP: 0000000000000001 R08: ffff8880604d5863 R09: 1ffff1100c09ab0c
[  102.691702][ T5842] R10: dffffc0000000000 R11: ffffed100c09ab0d R12: dffffc0000000000
[  102.699678][ T5842] R13: ffff888032b24b18 R14: ffff88823be86f38 R15: ffff888032b24e50
[  102.707666][ T5842]  ? __skb_clone+0x483/0x7a0
[  102.712271][ T5842]  ? hci_cmd_work+0x2f7/0x7b0
[  102.716968][ T5842]  ? process_one_work+0x868/0x15e0
[  102.722117][ T5842]  process_one_work+0x93a/0x15e0
[  102.727066][ T5842]  ? __lock_acquire+0xab9/0xd20
[  102.731947][ T5842]  ? __pfx_process_one_work+0x10/0x10
[  102.737335][ T5842]  ? assign_work+0x3a1/0x410
[  102.741940][ T5842]  worker_thread+0x9b0/0xee0
[  102.746599][ T5842]  kthread+0x711/0x8a0
[  102.750681][ T5842]  ? __pfx_worker_thread+0x10/0x10
[  102.755806][ T5842]  ? __pfx_kthread+0x10/0x10
[  102.760409][ T5842]  ? _raw_spin_unlock_irq+0x23/0x50
[  102.765644][ T5842]  ? lockdep_hardirqs_on+0x9c/0x150
[  102.770899][ T5842]  ? __pfx_kthread+0x10/0x10
[  102.775524][ T5842]  ret_from_fork+0x599/0xb30
[  102.780137][ T5842]  ? __pfx_ret_from_fork+0x10/0x10
[  102.785271][ T5842]  ? __switch_to_asm+0x39/0x70
[  102.790049][ T5842]  ? __switch_to_asm+0x33/0x70
[  102.794830][ T5842]  ? __pfx_kthread+0x10/0x10
[  102.799431][ T5842]  ret_from_fork_asm+0x1a/0x30
[  102.804217][ T5842]  </TASK>
[  102.807420][ T5842] Kernel Offset: disabled
[  102.811912][ T5842] Rebooting in 86400 seconds..