last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.1.248' (ED25519) to the list of known hosts.
[ 71.482346][ T5812] cgroup: Unknown subsys name 'net'
[ 71.591356][ T5812] cgroup: Unknown subsys name 'cpuset'
[ 71.600606][ T5812] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 73.009387][ T5812] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 75.062380][ T5828] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 75.071352][ T5828] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 75.080074][ T5828] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 75.087975][ T5831] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 75.087996][ T5828] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 75.102119][ T5831] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 75.103894][ T5828] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 75.118301][ T5831] ==================================================================
[ 75.118302][ T5828] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 75.133310][ T5831] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[ 75.140856][ T5831] Read of size 2 at addr ffff888062b68b78 by task kworker/u9:4/5831
[ 75.148826][ T5831]
[ 75.151153][ T5831] CPU: 1 UID: 0 PID: 5831 Comm: kworker/u9:4 Not tainted syzkaller #0 PREEMPT(full)
[ 75.151169][ T5831] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 75.151179][ T5831] Workqueue: hci1 hci_cmd_work
[ 75.151205][ T5831] Call Trace:
[ 75.151211][ T5831] <TASK>
[ 75.151217][ T5831] dump_stack_lvl+0x189/0x250
[ 75.151236][ T5831] ? __virt_addr_valid+0x1c8/0x5c0
[ 75.151249][ T5831] ? rcu_is_watching+0x15/0xb0
[ 75.151260][ T5831] ? __pfx_dump_stack_lvl+0x10/0x10
[ 75.151277][ T5831] ? rcu_is_watching+0x15/0xb0
[ 75.151287][ T5831] ? lock_release+0x4b/0x3d0
[ 75.151302][ T5831] ? _raw_spin_lock_irqsave+0xb3/0xf0
[ 75.151317][ T5831] ? __virt_addr_valid+0x1c8/0x5c0
[ 75.151329][ T5831] ? __virt_addr_valid+0x4a5/0x5c0
[ 75.151341][ T5831] print_report+0xca/0x240
[ 75.151357][ T5831] ? hci_cmd_work+0x5d0/0x7b0
[ 75.151371][ T5831] kasan_report+0x118/0x150
[ 75.151387][ T5831] ? hci_cmd_work+0x5d0/0x7b0
[ 75.151404][ T5831] hci_cmd_work+0x5d0/0x7b0
[ 75.151419][ T5831] ? process_one_work+0x868/0x15e0
[ 75.151434][ T5831] process_one_work+0x93a/0x15e0
[ 75.151449][ T5831] ? __lock_acquire+0xab9/0xd20
[ 75.151470][ T5831] ? __pfx_process_one_work+0x10/0x10
[ 75.151487][ T5831] ? assign_work+0x3a1/0x410
[ 75.151503][ T5831] worker_thread+0x9b0/0xee0
[ 75.151526][ T5831] kthread+0x711/0x8a0
[ 75.151539][ T5831] ? __pfx_worker_thread+0x10/0x10
[ 75.151554][ T5831] ? __pfx_kthread+0x10/0x10
[ 75.151565][ T5831] ? _raw_spin_unlock_irq+0x23/0x50
[ 75.151577][ T5831] ? lockdep_hardirqs_on+0x9c/0x150
[ 75.151590][ T5831] ? __pfx_kthread+0x10/0x10
[ 75.151602][ T5831] ret_from_fork+0x599/0xb30
[ 75.151618][ T5831] ? __pfx_ret_from_fork+0x10/0x10
[ 75.151636][ T5831] ? __switch_to_asm+0x39/0x70
[ 75.151647][ T5831] ? __switch_to_asm+0x33/0x70
[ 75.151658][ T5831] ? __pfx_kthread+0x10/0x10
[ 75.151670][ T5831] ret_from_fork_asm+0x1a/0x30
[ 75.151687][ T5831] </TASK>
[ 75.151691][ T5831]
[ 75.341355][ T5831] Allocated by task 52:
[ 75.345491][ T5831] kasan_save_track+0x3e/0x80
[ 75.350156][ T5831] __kasan_slab_alloc+0x6c/0x80
[ 75.354995][ T5831] kmem_cache_alloc_node_noprof+0x43c/0x710
[ 75.360883][ T5831] __alloc_skb+0x112/0x2d0
[ 75.365287][ T5831] hci_cmd_sync_alloc+0x3d/0x3b0
[ 75.370205][ T5831] __hci_cmd_sync_sk+0x1a7/0xc70
[ 75.375141][ T5831] hci_read_dev_class_sync+0x2c/0x120
[ 75.380509][ T5831] hci_dev_open_sync+0x227c/0x2dc0
[ 75.385621][ T5831] hci_power_on+0x1b4/0x720
[ 75.390117][ T5831] process_one_work+0x93a/0x15e0
[ 75.395051][ T5831] worker_thread+0x9b0/0xee0
[ 75.399629][ T5831] kthread+0x711/0x8a0
[ 75.403677][ T5831] ret_from_fork+0x599/0xb30
[ 75.408254][ T5831] ret_from_fork_asm+0x1a/0x30
[ 75.413002][ T5831]
[ 75.415316][ T5831] Freed by task 5826:
[ 75.419278][ T5831] kasan_save_track+0x3e/0x80
[ 75.423945][ T5831] kasan_save_free_info+0x46/0x50
[ 75.428966][ T5831] __kasan_slab_free+0x5c/0x80
[ 75.433714][ T5831] kmem_cache_free+0x197/0x640
[ 75.438463][ T5831] vhci_read+0x49a/0x5b0
[ 75.442691][ T5831] vfs_read+0x200/0xa30
[ 75.446831][ T5831] ksys_read+0x145/0x250
[ 75.451056][ T5831] do_syscall_64+0xfa/0xfa0
[ 75.455548][ T5831] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.461424][ T5831]
[ 75.463736][ T5831] The buggy address belongs to the object at ffff888062b68b40
[ 75.463736][ T5831] which belongs to the cache skbuff_head_cache of size 240
[ 75.478293][ T5831] The buggy address is located 56 bytes inside of
[ 75.478293][ T5831] freed 240-byte region [ffff888062b68b40, ffff888062b68c30)
[ 75.491993][ T5831]
[ 75.494305][ T5831] The buggy address belongs to the physical page:
[ 75.500728][ T5831] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x62b68
[ 75.509483][ T5831] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 75.516752][ T5831] page_type: f5(slab)
[ 75.520727][ T5831] raw: 00fff00000000000 ffff88801ea86000 dead000000000122 0000000000000000
[ 75.529294][ T5831] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
[ 75.537859][ T5831] page dumped because: kasan: bad access detected
[ 75.544263][ T5831] page_owner tracks the page as allocated
[ 75.549977][ T5831] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5831, tgid 5831 (kworker/u9:4), ts 75116434863, free_ts 21835213895
[ 75.569320][ T5831] post_alloc_hook+0x240/0x2a0
[ 75.574075][ T5831] get_page_from_freelist+0x2365/0x2440
[ 75.579643][ T5831] __alloc_frozen_pages_noprof+0x181/0x370
[ 75.585440][ T5831] alloc_pages_mpol+0x232/0x4a0
[ 75.590278][ T5831] allocate_slab+0x86/0x3b0
[ 75.594831][ T5831] ___slab_alloc+0xf56/0x1990
[ 75.599493][ T5831] __slab_alloc+0x65/0x100
[ 75.603897][ T5831] kmem_cache_alloc_noprof+0x40f/0x700
[ 75.609336][ T5831] skb_clone+0x212/0x3a0
[ 75.613563][ T5831] hci_event_packet+0x1a6/0x1260
[ 75.618484][ T5831] hci_rx_work+0x45d/0xfc0
[ 75.622885][ T5831] process_one_work+0x93a/0x15e0
[ 75.627808][ T5831] worker_thread+0x9b0/0xee0
[ 75.632386][ T5831] kthread+0x711/0x8a0
[ 75.636436][ T5831] ret_from_fork+0x599/0xb30
[ 75.641011][ T5831] ret_from_fork_asm+0x1a/0x30
[ 75.645757][ T5831] page last free pid 1 tgid 1 stack trace:
[ 75.651544][ T5831] __free_frozen_pages+0xbc8/0xd30
[ 75.656725][ T5831] free_contig_range+0x1bd/0x4a0
[ 75.661652][ T5831] destroy_args+0x69/0x660
[ 75.666057][ T5831] debug_vm_pgtable+0x38f/0x3a0
[ 75.670904][ T5831] do_one_initcall+0x1fb/0x870
[ 75.675750][ T5831] do_initcall_level+0x104/0x190
[ 75.680672][ T5831] do_initcalls+0x59/0xa0
[ 75.685009][ T5831] kernel_init_freeable+0x334/0x4b0
[ 75.690198][ T5831] kernel_init+0x1d/0x1d0
[ 75.694515][ T5831] ret_from_fork+0x599/0xb30
[ 75.699089][ T5831] ret_from_fork_asm+0x1a/0x30
[ 75.704021][ T5831]
[ 75.706330][ T5831] Memory state around the buggy address:
[ 75.711942][ T5831] ffff888062b68a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.719989][ T5831] ffff888062b68a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 75.728031][ T5831] >ffff888062b68b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 75.736076][ T5831] ^
[ 75.744121][ T5831] ffff888062b68b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.752163][ T5831] ffff888062b68c00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 75.760478][ T5831] ==================================================================
[ 75.777204][ T5831] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 75.784449][ T5831] CPU: 1 UID: 0 PID: 5831 Comm: kworker/u9:4 Not tainted syzkaller #0 PREEMPT(full)
[ 75.793907][ T5831] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 75.803977][ T5831] Workqueue: hci1 hci_cmd_work
[ 75.808743][ T5831] Call Trace:
[ 75.812027][ T5831] <TASK>
[ 75.814963][ T5831] dump_stack_lvl+0x99/0x250
[ 75.819547][ T5831] ? __asan_memcpy+0x40/0x70
[ 75.824124][ T5831] ? __pfx_dump_stack_lvl+0x10/0x10
[ 75.829405][ T5831] ? __pfx__printk+0x10/0x10
[ 75.834014][ T5831] vpanic+0x237/0x6d0
[ 75.838273][ T5831] ? __pfx_vpanic+0x10/0x10
[ 75.842811][ T5831] ? preempt_schedule+0xae/0xc0
[ 75.847681][ T5831] ? __pfx_preempt_schedule+0x10/0x10
[ 75.853071][ T5831] panic+0xb9/0xc0
[ 75.856807][ T5831] ? __pfx_panic+0x10/0x10
[ 75.861245][ T5831] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 75.867185][ T5831] ? is_module_address+0x17/0xf0
[ 75.872141][ T5831] ? hci_cmd_work+0x5d0/0x7b0
[ 75.877276][ T5831] check_panic_on_warn+0x89/0xb0
[ 75.882234][ T5831] ? hci_cmd_work+0x5d0/0x7b0
[ 75.886914][ T5831] end_report+0x6f/0x160
[ 75.891149][ T5831] kasan_report+0x129/0x150
[ 75.895643][ T5831] ? hci_cmd_work+0x5d0/0x7b0
[ 75.900397][ T5831] hci_cmd_work+0x5d0/0x7b0
[ 75.904893][ T5831] ? process_one_work+0x868/0x15e0
[ 75.910086][ T5831] process_one_work+0x93a/0x15e0
[ 75.915013][ T5831] ? __lock_acquire+0xab9/0xd20
[ 75.919862][ T5831] ? __pfx_process_one_work+0x10/0x10
[ 75.925228][ T5831] ? assign_work+0x3a1/0x410
[ 75.929821][ T5831] worker_thread+0x9b0/0xee0
[ 75.934417][ T5831] kthread+0x711/0x8a0
[ 75.938569][ T5831] ? __pfx_worker_thread+0x10/0x10
[ 75.943758][ T5831] ? __pfx_kthread+0x10/0x10
[ 75.948335][ T5831] ? _raw_spin_unlock_irq+0x23/0x50
[ 75.953609][ T5831] ? lockdep_hardirqs_on+0x9c/0x150
[ 75.958816][ T5831] ? __pfx_kthread+0x10/0x10
[ 75.963829][ T5831] ret_from_fork+0x599/0xb30
[ 75.968409][ T5831] ? __pfx_ret_from_fork+0x10/0x10
[ 75.973514][ T5831] ? __switch_to_asm+0x39/0x70
[ 75.978264][ T5831] ? __switch_to_asm+0x33/0x70
[ 75.983014][ T5831] ? __pfx_kthread+0x10/0x10
[ 75.987591][ T5831] ret_from_fork_asm+0x1a/0x30
[ 75.992347][ T5831] </TASK>
[ 75.995839][ T5831] Kernel Offset: disabled
[ 76.000157][ T5831] Rebooting in 86400 seconds..