last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.1.68' (ED25519) to the list of known hosts.
[   68.282056][ T5814] cgroup: Unknown subsys name 'net'
[   68.396427][ T5814] cgroup: Unknown subsys name 'cpuset'
[   68.405118][ T5814] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   69.760896][ T5814] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   71.307984][ T1297] ieee802154 phy0 wpan0: encryption failed: -22
[   71.314492][ T1297] ieee802154 phy1 wpan1: encryption failed: -22
[   73.057605][ T5829] ==================================================================
[   73.065707][ T5829] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[   73.073180][ T5829] Read of size 2 at addr ffff888062120178 by task kworker/u9:2/5829
[   73.081154][ T5829] 
[   73.083486][ T5829] CPU: 0 UID: 0 PID: 5829 Comm: kworker/u9:2 Not tainted syzkaller #0 PREEMPT(full) 
[   73.083502][ T5829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[   73.083511][ T5829] Workqueue: hci0 hci_cmd_work
[   73.083539][ T5829] Call Trace:
[   73.083548][ T5829]  <TASK>
[   73.083554][ T5829]  dump_stack_lvl+0x189/0x250
[   73.083571][ T5829]  ? __virt_addr_valid+0x1c8/0x5c0
[   73.083588][ T5829]  ? rcu_is_watching+0x15/0xb0
[   73.083604][ T5829]  ? __pfx_dump_stack_lvl+0x10/0x10
[   73.083618][ T5829]  ? rcu_is_watching+0x15/0xb0
[   73.083632][ T5829]  ? lock_release+0x4b/0x3d0
[   73.083644][ T5829]  ? _raw_spin_lock_irqsave+0xb3/0xf0
[   73.083661][ T5829]  ? __virt_addr_valid+0x1c8/0x5c0
[   73.083676][ T5829]  ? __virt_addr_valid+0x4a5/0x5c0
[   73.083693][ T5829]  print_report+0xca/0x240
[   73.083709][ T5829]  ? hci_cmd_work+0x5d0/0x7b0
[   73.083725][ T5829]  kasan_report+0x118/0x150
[   73.083739][ T5829]  ? hci_cmd_work+0x5d0/0x7b0
[   73.083758][ T5829]  hci_cmd_work+0x5d0/0x7b0
[   73.083777][ T5829]  ? process_one_work+0x868/0x15e0
[   73.083789][ T5829]  process_one_work+0x93a/0x15e0
[   73.083801][ T5829]  ? __lock_acquire+0xab9/0xd20
[   73.083819][ T5829]  ? __pfx_process_one_work+0x10/0x10
[   73.083834][ T5829]  ? assign_work+0x3a1/0x410
[   73.083847][ T5829]  worker_thread+0x9b0/0xee0
[   73.083867][ T5829]  kthread+0x711/0x8a0
[   73.083884][ T5829]  ? __pfx_worker_thread+0x10/0x10
[   73.083896][ T5829]  ? __pfx_kthread+0x10/0x10
[   73.083912][ T5829]  ? _raw_spin_unlock_irq+0x23/0x50
[   73.083926][ T5829]  ? lockdep_hardirqs_on+0x9c/0x150
[   73.083942][ T5829]  ? __pfx_kthread+0x10/0x10
[   73.083957][ T5829]  ret_from_fork+0x599/0xb30
[   73.083970][ T5829]  ? __pfx_ret_from_fork+0x10/0x10
[   73.083985][ T5829]  ? __switch_to_asm+0x39/0x70
[   73.084000][ T5829]  ? __switch_to_asm+0x33/0x70
[   73.084015][ T5829]  ? __pfx_kthread+0x10/0x10
[   73.084030][ T5829]  ret_from_fork_asm+0x1a/0x30
[   73.084051][ T5829]  </TASK>
[   73.084055][ T5829] 
[   73.272887][ T5829] Allocated by task 5151:
[   73.277197][ T5829]  kasan_save_track+0x3e/0x80
[   73.281860][ T5829]  __kasan_slab_alloc+0x6c/0x80
[   73.286694][ T5829]  kmem_cache_alloc_node_noprof+0x43c/0x710
[   73.292574][ T5829]  __alloc_skb+0x112/0x2d0
[   73.296975][ T5829]  hci_cmd_sync_alloc+0x3d/0x3b0
[   73.301897][ T5829]  __hci_cmd_sync_sk+0x1a7/0xc70
[   73.306820][ T5829]  hci_reset_sync+0x4a/0x140
[   73.311390][ T5829]  hci_dev_open_sync+0xec5/0x2dc0
[   73.316396][ T5829]  hci_power_on+0x1b4/0x720
[   73.320880][ T5829]  process_one_work+0x93a/0x15e0
[   73.325800][ T5829]  worker_thread+0x9b0/0xee0
[   73.330370][ T5829]  kthread+0x711/0x8a0
[   73.334423][ T5829]  ret_from_fork+0x599/0xb30
[   73.338998][ T5829]  ret_from_fork_asm+0x1a/0x30
[   73.343745][ T5829] 
[   73.346050][ T5829] Freed by task 5828:
[   73.350010][ T5829]  kasan_save_track+0x3e/0x80
[   73.354667][ T5829]  kasan_save_free_info+0x46/0x50
[   73.359673][ T5829]  __kasan_slab_free+0x5c/0x80
[   73.364416][ T5829]  kmem_cache_free+0x197/0x640
[   73.369163][ T5829]  vhci_read+0x49a/0x5b0
[   73.373405][ T5829]  vfs_read+0x200/0xa30
[   73.377546][ T5829]  ksys_read+0x145/0x250
[   73.381765][ T5829]  do_syscall_64+0xfa/0xfa0
[   73.386252][ T5829]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   73.392124][ T5829] 
[   73.394440][ T5829] The buggy address belongs to the object at ffff888062120140
[   73.394440][ T5829]  which belongs to the cache skbuff_head_cache of size 240
[   73.408992][ T5829] The buggy address is located 56 bytes inside of
[   73.408992][ T5829]  freed 240-byte region [ffff888062120140, ffff888062120230)
[   73.422683][ T5829] 
[   73.424995][ T5829] The buggy address belongs to the physical page:
[   73.431417][ T5829] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x62120
[   73.440162][ T5829] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   73.447263][ T5829] page_type: f5(slab)
[   73.451229][ T5829] raw: 00fff00000000000 ffff88801eac9000 dead000000000122 0000000000000000
[   73.459794][ T5829] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
[   73.468378][ T5829] page dumped because: kasan: bad access detected
[   73.474777][ T5829] page_owner tracks the page as allocated
[   73.480471][ T5829] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5826, tgid 5826 (syz-executor), ts 73036983409, free_ts 20174855681
[   73.499730][ T5829]  post_alloc_hook+0x240/0x2a0
[   73.504487][ T5829]  get_page_from_freelist+0x2365/0x2440
[   73.510020][ T5829]  __alloc_frozen_pages_noprof+0x181/0x370
[   73.515806][ T5829]  alloc_pages_mpol+0x232/0x4a0
[   73.520649][ T5829]  allocate_slab+0x86/0x3b0
[   73.525136][ T5829]  ___slab_alloc+0xf56/0x1990
[   73.529794][ T5829]  __slab_alloc+0x65/0x100
[   73.534193][ T5829]  kmem_cache_alloc_node_noprof+0x4ce/0x710
[   73.540070][ T5829]  __alloc_skb+0x112/0x2d0
[   73.544470][ T5829]  vhci_create_device+0xb7/0x650
[   73.549387][ T5829]  vhci_write+0x3ce/0x4a0
[   73.553702][ T5829]  vfs_write+0x5c9/0xb30
[   73.557923][ T5829]  ksys_write+0x145/0x250
[   73.562230][ T5829]  do_syscall_64+0xfa/0xfa0
[   73.566718][ T5829]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   73.572592][ T5829] page last free pid 1 tgid 1 stack trace:
[   73.578375][ T5829]  __free_frozen_pages+0xbc8/0xd30
[   73.583467][ T5829]  free_contig_range+0x1bd/0x4a0
[   73.588386][ T5829]  destroy_args+0x69/0x660
[   73.592792][ T5829]  debug_vm_pgtable+0x38f/0x3a0
[   73.597632][ T5829]  do_one_initcall+0x1fb/0x870
[   73.602393][ T5829]  do_initcall_level+0x104/0x190
[   73.607316][ T5829]  do_initcalls+0x59/0xa0
[   73.611635][ T5829]  kernel_init_freeable+0x334/0x4b0
[   73.616822][ T5829]  kernel_init+0x1d/0x1d0
[   73.621137][ T5829]  ret_from_fork+0x599/0xb30
[   73.625717][ T5829]  ret_from_fork_asm+0x1a/0x30
[   73.630475][ T5829] 
[   73.632788][ T5829] Memory state around the buggy address:
[   73.638403][ T5829]  ffff888062120000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.646452][ T5829]  ffff888062120080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   73.654492][ T5829] >ffff888062120100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   73.662541][ T5829]                                                                 ^
[   73.670499][ T5829]  ffff888062120180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.678545][ T5829]  ffff888062120200: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[   73.686618][ T5829] ==================================================================
[   73.695979][ T5829] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   73.703201][ T5829] CPU: 0 UID: 0 PID: 5829 Comm: kworker/u9:2 Not tainted syzkaller #0 PREEMPT(full) 
[   73.712643][ T5829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[   73.722684][ T5829] Workqueue: hci0 hci_cmd_work
[   73.727447][ T5829] Call Trace:
[   73.730716][ T5829]  <TASK>
[   73.733632][ T5829]  dump_stack_lvl+0x99/0x250
[   73.738210][ T5829]  ? __asan_memcpy+0x40/0x70
[   73.742796][ T5829]  ? __pfx_dump_stack_lvl+0x10/0x10
[   73.747982][ T5829]  ? __pfx__printk+0x10/0x10
[   73.752561][ T5829]  vpanic+0x237/0x6d0
[   73.756528][ T5829]  ? __pfx_vpanic+0x10/0x10
[   73.761063][ T5829]  ? preempt_schedule+0xae/0xc0
[   73.765899][ T5829]  ? __pfx_preempt_schedule+0x10/0x10
[   73.771258][ T5829]  panic+0xb9/0xc0
[   73.774962][ T5829]  ? __pfx_panic+0x10/0x10
[   73.779368][ T5829]  ? _raw_spin_unlock_irqrestore+0xfd/0x110
[   73.785259][ T5829]  ? is_module_address+0x17/0xf0
[   73.790196][ T5829]  ? hci_cmd_work+0x5d0/0x7b0
[   73.794864][ T5829]  check_panic_on_warn+0x89/0xb0
[   73.799795][ T5829]  ? hci_cmd_work+0x5d0/0x7b0
[   73.804467][ T5829]  end_report+0x6f/0x160
[   73.808701][ T5829]  kasan_report+0x129/0x150
[   73.813195][ T5829]  ? hci_cmd_work+0x5d0/0x7b0
[   73.817867][ T5829]  hci_cmd_work+0x5d0/0x7b0
[   73.822361][ T5829]  ? process_one_work+0x868/0x15e0
[   73.827457][ T5829]  process_one_work+0x93a/0x15e0
[   73.832377][ T5829]  ? __lock_acquire+0xab9/0xd20
[   73.837221][ T5829]  ? __pfx_process_one_work+0x10/0x10
[   73.842575][ T5829]  ? assign_work+0x3a1/0x410
[   73.847158][ T5829]  worker_thread+0x9b0/0xee0
[   73.851746][ T5829]  kthread+0x711/0x8a0
[   73.855803][ T5829]  ? __pfx_worker_thread+0x10/0x10
[   73.860894][ T5829]  ? __pfx_kthread+0x10/0x10
[   73.865473][ T5829]  ? _raw_spin_unlock_irq+0x23/0x50
[   73.870659][ T5829]  ? lockdep_hardirqs_on+0x9c/0x150
[   73.875842][ T5829]  ? __pfx_kthread+0x10/0x10
[   73.880504][ T5829]  ret_from_fork+0x599/0xb30
[   73.885080][ T5829]  ? __pfx_ret_from_fork+0x10/0x10
[   73.890179][ T5829]  ? __switch_to_asm+0x39/0x70
[   73.894927][ T5829]  ? __switch_to_asm+0x33/0x70
[   73.899676][ T5829]  ? __pfx_kthread+0x10/0x10
[   73.904251][ T5829]  ret_from_fork_asm+0x1a/0x30
[   73.909004][ T5829]  </TASK>
[   73.912360][ T5829] Kernel Offset: disabled
[   73.916665][ T5829] Rebooting in 86400 seconds..