last executing test programs: kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.0.69' (ED25519) to the list of known hosts.
[ 72.395239][ T5809] cgroup: Unknown subsys name 'net'
[ 72.570233][ T5809] cgroup: Unknown subsys name 'cpuset'
[ 72.579052][ T5809] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 73.951339][ T5809] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 77.390713][ T5835] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 77.399444][ T5835] ==================================================================
[ 77.407559][ T5835] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[ 77.415047][ T5835] Read of size 2 at addr ffff88805c5f4df8 by task kworker/u9:5/5835
[ 77.423031][ T5835]
[ 77.425359][ T5835] CPU: 0 UID: 0 PID: 5835 Comm: kworker/u9:5 Not tainted syzkaller #0 PREEMPT(full)
[ 77.425371][ T5835] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 77.425378][ T5835] Workqueue: hci3 hci_cmd_work
[ 77.425400][ T5835] Call Trace:
[ 77.425405][ T5835]
[ 77.425410][ T5835] dump_stack_lvl+0x189/0x250
[ 77.425426][ T5835] ? __virt_addr_valid+0x1c8/0x5c0
[ 77.425436][ T5835] ? rcu_is_watching+0x15/0xb0
[ 77.425445][ T5835] ? __pfx_dump_stack_lvl+0x10/0x10
[ 77.425457][ T5835] ? rcu_is_watching+0x15/0xb0
[ 77.425465][ T5835] ? lock_release+0x4b/0x3d0
[ 77.425477][ T5835] ? _raw_spin_lock_irqsave+0xb3/0xf0
[ 77.425488][ T5835] ? __virt_addr_valid+0x1c8/0x5c0
[ 77.425497][ T5835] ? __virt_addr_valid+0x4a5/0x5c0
[ 77.425507][ T5835] print_report+0xca/0x240
[ 77.425519][ T5835] ? hci_cmd_work+0x5d0/0x7b0
[ 77.425529][ T5835] kasan_report+0x118/0x150
[ 77.425542][ T5835] ? hci_cmd_work+0x5d0/0x7b0
[ 77.425554][ T5835] hci_cmd_work+0x5d0/0x7b0
[ 77.425566][ T5835] ? process_one_work+0x868/0x15e0
[ 77.425586][ T5835] process_one_work+0x93a/0x15e0
[ 77.425597][ T5835] ? __lock_acquire+0xab9/0xd20
[ 77.425613][ T5835] ? __pfx_process_one_work+0x10/0x10
[ 77.425626][ T5835] ? assign_work+0x3a1/0x410
[ 77.425638][ T5835] worker_thread+0x9b0/0xee0
[ 77.425655][ T5835] kthread+0x711/0x8a0
[ 77.425665][ T5835] ? __pfx_worker_thread+0x10/0x10
[ 77.425676][ T5835] ? __pfx_kthread+0x10/0x10
[ 77.425685][ T5835] ? _raw_spin_unlock_irq+0x23/0x50
[ 77.425694][ T5835] ? lockdep_hardirqs_on+0x9c/0x150
[ 77.425705][ T5835] ? __pfx_kthread+0x10/0x10
[ 77.425713][ T5835] ret_from_fork+0x599/0xb30
[ 77.425726][ T5835] ? __pfx_ret_from_fork+0x10/0x10
[ 77.425739][ T5835] ? __switch_to_asm+0x39/0x70
[ 77.425748][ T5835] ? __switch_to_asm+0x33/0x70
[ 77.425756][ T5835] ? __pfx_kthread+0x10/0x10
[ 77.425764][ T5835] ret_from_fork_asm+0x1a/0x30
[ 77.425777][ T5835]
[ 77.425781][ T5835]
[ 77.614737][ T5835] Allocated by task 5825:
[ 77.619046][ T5835] kasan_save_track+0x3e/0x80
[ 77.623712][ T5835] __kasan_slab_alloc+0x6c/0x80
[ 77.628544][ T5835] kmem_cache_alloc_node_noprof+0x43c/0x710
[ 77.634505][ T5835] __alloc_skb+0x112/0x2d0
[ 77.638908][ T5835] hci_cmd_sync_alloc+0x3d/0x3b0
[ 77.643840][ T5835] __hci_cmd_sync_sk+0x1a7/0xc70
[ 77.648789][ T5835] hci_reset_sync+0x4a/0x140
[ 77.653368][ T5835] hci_dev_open_sync+0xec5/0x2dc0
[ 77.658376][ T5835] hci_power_on+0x1b4/0x720
[ 77.662879][ T5835] process_one_work+0x93a/0x15e0
[ 77.667799][ T5835] worker_thread+0x9b0/0xee0
[ 77.672379][ T5835] kthread+0x711/0x8a0
[ 77.676432][ T5835] ret_from_fork+0x599/0xb30
[ 77.681010][ T5835] ret_from_fork_asm+0x1a/0x30
[ 77.685763][ T5835]
[ 77.688070][ T5835] Freed by task 5824:
[ 77.692029][ T5835] kasan_save_track+0x3e/0x80
[ 77.696689][ T5835] kasan_save_free_info+0x46/0x50
[ 77.701706][ T5835] __kasan_slab_free+0x5c/0x80
[ 77.706455][ T5835] kmem_cache_free+0x197/0x640
[ 77.711207][ T5835] vhci_read+0x49a/0x5b0
[ 77.715446][ T5835] vfs_read+0x200/0xa30
[ 77.719613][ T5835] ksys_read+0x145/0x250
[ 77.723847][ T5835] do_syscall_64+0xfa/0xfa0
[ 77.728343][ T5835] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 77.734236][ T5835]
[ 77.736561][ T5835] The buggy address belongs to the object at ffff88805c5f4dc0
[ 77.736561][ T5835] which belongs to the cache skbuff_head_cache of size 240
[ 77.751153][ T5835] The buggy address is located 56 bytes inside of
[ 77.751153][ T5835] freed 240-byte region [ffff88805c5f4dc0, ffff88805c5f4eb0)
[ 77.764868][ T5835]
[ 77.767189][ T5835] The buggy address belongs to the physical page:
[ 77.773594][ T5835] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5c5f4
[ 77.782346][ T5835] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 77.789439][ T5835] page_type: f5(slab)
[ 77.793404][ T5835] raw: 00fff00000000000 ffff888141a8ca00 dead000000000122 0000000000000000
[ 77.801966][ T5835] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
[ 77.810524][ T5835] page dumped because: kasan: bad access detected
[ 77.816922][ T5835] page_owner tracks the page as allocated
[ 77.822618][ T5835] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5821, tgid 5821 (syz-executor), ts 77352919754, free_ts 22006132448
[ 77.841893][ T5835] post_alloc_hook+0x240/0x2a0
[ 77.846666][ T5835] get_page_from_freelist+0x2365/0x2440
[ 77.852195][ T5835] __alloc_frozen_pages_noprof+0x181/0x370
[ 77.858001][ T5835] alloc_pages_mpol+0x232/0x4a0
[ 77.862936][ T5835] allocate_slab+0x86/0x3b0
[ 77.867449][ T5835] ___slab_alloc+0xf56/0x1990
[ 77.872143][ T5835] __slab_alloc+0x65/0x100
[ 77.876620][ T5835] kmem_cache_alloc_noprof+0x40f/0x700
[ 77.882089][ T5835] skb_clone+0x212/0x3a0
[ 77.886346][ T5835] netlink_broadcast_filtered+0x6ae/0x1000
[ 77.892149][ T5835] netlink_broadcast+0x37/0x50
[ 77.896912][ T5835] kobject_uevent_net_broadcast+0x378/0x560
[ 77.902817][ T5835] kobject_uevent_env+0x55c/0x9f0
[ 77.907839][ T5835] device_add+0x557/0xb80
[ 77.912176][ T5835] rfkill_register+0x17a/0x8e0
[ 77.916934][ T5835] hci_register_dev+0x3f2/0x8b0
[ 77.921861][ T5835] page last free pid 1 tgid 1 stack trace:
[ 77.927644][ T5835] __free_frozen_pages+0xbc8/0xd30
[ 77.932740][ T5835] free_contig_range+0x1bd/0x4a0
[ 77.937664][ T5835] destroy_args+0x69/0x660
[ 77.942068][ T5835] debug_vm_pgtable+0x38f/0x3a0
[ 77.946900][ T5835] do_one_initcall+0x1fb/0x870
[ 77.951644][ T5835] do_initcall_level+0x104/0x190
[ 77.956575][ T5835] do_initcalls+0x59/0xa0
[ 77.960886][ T5835] kernel_init_freeable+0x334/0x4b0
[ 77.966071][ T5835] kernel_init+0x1d/0x1d0
[ 77.970383][ T5835] ret_from_fork+0x599/0xb30
[ 77.974958][ T5835] ret_from_fork_asm+0x1a/0x30
[ 77.979705][ T5835]
[ 77.982012][ T5835] Memory state around the buggy address:
[ 77.987624][ T5835] ffff88805c5f4c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.995665][ T5835] ffff88805c5f4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 78.003713][ T5835] >ffff88805c5f4d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 78.011753][ T5835]                                                                 ^
[ 78.019714][ T5835] ffff88805c5f4e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.027763][ T5835] ffff88805c5f4e80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 78.035818][ T5835] ==================================================================
[ 78.045574][ T5836] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 78.054183][ T5836] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 78.061761][ T5835] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 78.068983][ T5835] CPU: 0 UID: 0 PID: 5835 Comm: kworker/u9:5 Not tainted syzkaller #0 PREEMPT(full)
[ 78.078459][ T5835] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 78.088536][ T5835] Workqueue: hci3 hci_cmd_work
[ 78.093325][ T5835] Call Trace:
[ 78.096609][ T5835]
[ 78.099547][ T5835] dump_stack_lvl+0x99/0x250
[ 78.104153][ T5835] ? __asan_memcpy+0x40/0x70
[ 78.108747][ T5835] ? __pfx_dump_stack_lvl+0x10/0x10
[ 78.113962][ T5835] ? __pfx__printk+0x10/0x10
[ 78.118565][ T5835] vpanic+0x237/0x6d0
[ 78.122549][ T5835] ? __pfx_vpanic+0x10/0x10
[ 78.127058][ T5835] ? preempt_schedule+0xae/0xc0
[ 78.131918][ T5835] ? __pfx_preempt_schedule+0x10/0x10
[ 78.137303][ T5835] panic+0xb9/0xc0
[ 78.141034][ T5835] ? __pfx_panic+0x10/0x10
[ 78.145458][ T5835] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 78.151372][ T5835] ? is_module_address+0x17/0xf0
[ 78.156303][ T5835] ? hci_cmd_work+0x5d0/0x7b0
[ 78.160969][ T5835] check_panic_on_warn+0x89/0xb0
[ 78.165889][ T5835] ? hci_cmd_work+0x5d0/0x7b0
[ 78.170550][ T5835] end_report+0x6f/0x160
[ 78.174782][ T5835] kasan_report+0x129/0x150
[ 78.179271][ T5835] ? hci_cmd_work+0x5d0/0x7b0
[ 78.183937][ T5835] hci_cmd_work+0x5d0/0x7b0
[ 78.188424][ T5835] ? process_one_work+0x868/0x15e0
[ 78.193526][ T5835] process_one_work+0x93a/0x15e0
[ 78.198447][ T5835] ? __lock_acquire+0xab9/0xd20
[ 78.203302][ T5835] ? __pfx_process_one_work+0x10/0x10
[ 78.208665][ T5835] ? assign_work+0x3a1/0x410
[ 78.213240][ T5835] worker_thread+0x9b0/0xee0
[ 78.217828][ T5835] kthread+0x711/0x8a0
[ 78.221884][ T5835] ? __pfx_worker_thread+0x10/0x10
[ 78.226979][ T5835] ? __pfx_kthread+0x10/0x10
[ 78.231548][ T5835] ? _raw_spin_unlock_irq+0x23/0x50
[ 78.236731][ T5835] ? lockdep_hardirqs_on+0x9c/0x150
[ 78.242000][ T5835] ? __pfx_kthread+0x10/0x10
[ 78.246628][ T5835] ret_from_fork+0x599/0xb30
[ 78.251205][ T5835] ? __pfx_ret_from_fork+0x10/0x10
[ 78.256307][ T5835] ? __switch_to_asm+0x39/0x70
[ 78.261050][ T5835] ? __switch_to_asm+0x33/0x70
[ 78.265801][ T5835] ? __pfx_kthread+0x10/0x10
[ 78.270371][ T5835] ret_from_fork_asm+0x1a/0x30
[ 78.275120][ T5835]
[ 78.278467][ T5835] Kernel Offset: disabled
[ 78.282780][ T5835] Rebooting in 86400 seconds..