last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.1.165' (ED25519) to the list of known hosts.
[   67.578670][ T5817] cgroup: Unknown subsys name 'net'
[   67.712626][ T5817] cgroup: Unknown subsys name 'cpuset'
[   67.721195][ T5817] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   69.090459][ T5817] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   71.080133][ T5833] ==================================================================
[   71.088233][ T5833] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[   71.095704][ T5833] Read of size 2 at addr ffff8880600c42b8 by task kworker/u9:3/5833
[   71.103753][ T5833] 
[   71.106169][ T5833] CPU: 0 UID: 0 PID: 5833 Comm: kworker/u9:3 Not tainted syzkaller #0 PREEMPT(full) 
[   71.106185][ T5833] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[   71.106194][ T5833] Workqueue: hci1 hci_cmd_work
[   71.106222][ T5833] Call Trace:
[   71.106232][ T5833]  <TASK>
[   71.106238][ T5833]  dump_stack_lvl+0x189/0x250
[   71.106254][ T5833]  ? __virt_addr_valid+0x1c8/0x5c0
[   71.106271][ T5833]  ? rcu_is_watching+0x15/0xb0
[   71.106287][ T5833]  ? __pfx_dump_stack_lvl+0x10/0x10
[   71.106301][ T5833]  ? rcu_is_watching+0x15/0xb0
[   71.106316][ T5833]  ? lock_release+0x4b/0x3d0
[   71.106328][ T5833]  ? _raw_spin_lock_irqsave+0xb3/0xf0
[   71.106344][ T5833]  ? __virt_addr_valid+0x1c8/0x5c0
[   71.106360][ T5833]  ? __virt_addr_valid+0x4a5/0x5c0
[   71.106376][ T5833]  print_report+0xca/0x240
[   71.106392][ T5833]  ? hci_cmd_work+0x5d0/0x7b0
[   71.106408][ T5833]  kasan_report+0x118/0x150
[   71.106423][ T5833]  ? hci_cmd_work+0x5d0/0x7b0
[   71.106442][ T5833]  hci_cmd_work+0x5d0/0x7b0
[   71.106460][ T5833]  ? process_one_work+0x868/0x15e0
[   71.106473][ T5833]  process_one_work+0x93a/0x15e0
[   71.106485][ T5833]  ? __lock_acquire+0xab9/0xd20
[   71.106503][ T5833]  ? __pfx_process_one_work+0x10/0x10
[   71.106517][ T5833]  ? assign_work+0x3a1/0x410
[   71.106530][ T5833]  worker_thread+0x9b0/0xee0
[   71.106551][ T5833]  kthread+0x711/0x8a0
[   71.106567][ T5833]  ? __pfx_worker_thread+0x10/0x10
[   71.106580][ T5833]  ? __pfx_kthread+0x10/0x10
[   71.106596][ T5833]  ? _raw_spin_unlock_irq+0x23/0x50
[   71.106610][ T5833]  ? lockdep_hardirqs_on+0x9c/0x150
[   71.106626][ T5833]  ? __pfx_kthread+0x10/0x10
[   71.106641][ T5833]  ret_from_fork+0x599/0xb30
[   71.106654][ T5833]  ? __pfx_ret_from_fork+0x10/0x10
[   71.106669][ T5833]  ? __switch_to_asm+0x39/0x70
[   71.106690][ T5833]  ? __switch_to_asm+0x33/0x70
[   71.106705][ T5833]  ? __pfx_kthread+0x10/0x10
[   71.106720][ T5833]  ret_from_fork_asm+0x1a/0x30
[   71.106741][ T5833]  </TASK>
[   71.106745][ T5833] 
[   71.296181][ T5833] Allocated by task 52:
[   71.300318][ T5833]  kasan_save_track+0x3e/0x80
[   71.304983][ T5833]  __kasan_slab_alloc+0x6c/0x80
[   71.309906][ T5833]  kmem_cache_alloc_node_noprof+0x43c/0x710
[   71.315791][ T5833]  __alloc_skb+0x112/0x2d0
[   71.320197][ T5833]  hci_cmd_sync_alloc+0x3d/0x3b0
[   71.325212][ T5833]  __hci_cmd_sync_sk+0x1a7/0xc70
[   71.330136][ T5833]  hci_reset_sync+0x4a/0x140
[   71.334710][ T5833]  hci_dev_open_sync+0xec5/0x2dc0
[   71.339721][ T5833]  hci_power_on+0x1b4/0x720
[   71.344208][ T5833]  process_one_work+0x93a/0x15e0
[   71.349220][ T5833]  worker_thread+0x9b0/0xee0
[   71.353798][ T5833]  kthread+0x711/0x8a0
[   71.357867][ T5833]  ret_from_fork+0x599/0xb30
[   71.362444][ T5833]  ret_from_fork_asm+0x1a/0x30
[   71.367197][ T5833] 
[   71.369504][ T5833] Freed by task 5829:
[   71.373465][ T5833]  kasan_save_track+0x3e/0x80
[   71.378127][ T5833]  kasan_save_free_info+0x46/0x50
[   71.383145][ T5833]  __kasan_slab_free+0x5c/0x80
[   71.387955][ T5833]  kmem_cache_free+0x197/0x640
[   71.392724][ T5833]  vhci_read+0x49a/0x5b0
[   71.396970][ T5833]  vfs_read+0x200/0xa30
[   71.401134][ T5833]  ksys_read+0x145/0x250
[   71.405373][ T5833]  do_syscall_64+0xfa/0xfa0
[   71.409900][ T5833]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   71.415777][ T5833] 
[   71.418091][ T5833] The buggy address belongs to the object at ffff8880600c4280
[   71.418091][ T5833]  which belongs to the cache skbuff_head_cache of size 240
[   71.432663][ T5833] The buggy address is located 56 bytes inside of
[   71.432663][ T5833]  freed 240-byte region [ffff8880600c4280, ffff8880600c4370)
[   71.446378][ T5833] 
[   71.448694][ T5833] The buggy address belongs to the physical page:
[   71.455099][ T5833] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x600c4
[   71.463868][ T5833] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   71.470974][ T5833] page_type: f5(slab)
[   71.474943][ T5833] raw: 00fff00000000000 ffff88801eabd000 dead000000000122 0000000000000000
[   71.483513][ T5833] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[   71.492075][ T5833] page dumped because: kasan: bad access detected
[   71.498482][ T5833] page_owner tracks the page as allocated
[   71.504180][ T5833] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5827, tgid 5827 (syz-executor), ts 71073025231, free_ts 21803245203
[   71.523549][ T5833]  post_alloc_hook+0x240/0x2a0
[   71.528320][ T5833]  get_page_from_freelist+0x2365/0x2440
[   71.533941][ T5833]  __alloc_frozen_pages_noprof+0x181/0x370
[   71.539734][ T5833]  alloc_pages_mpol+0x232/0x4a0
[   71.544571][ T5833]  allocate_slab+0x86/0x3b0
[   71.549064][ T5833]  ___slab_alloc+0xf56/0x1990
[   71.553727][ T5833]  __slab_alloc+0x65/0x100
[   71.558130][ T5833]  kmem_cache_alloc_node_noprof+0x4ce/0x710
[   71.564011][ T5833]  __alloc_skb+0x112/0x2d0
[   71.568419][ T5833]  hci_sock_dev_event+0x15c/0x630
[   71.573532][ T5833]  hci_register_dev+0x6be/0x8b0
[   71.578384][ T5833]  vhci_create_device+0x39c/0x650
[   71.583407][ T5833]  vhci_write+0x3ce/0x4a0
[   71.587753][ T5833]  vfs_write+0x5c9/0xb30
[   71.591981][ T5833]  ksys_write+0x145/0x250
[   71.596296][ T5833]  do_syscall_64+0xfa/0xfa0
[   71.600877][ T5833] page last free pid 1 tgid 1 stack trace:
[   71.606682][ T5833]  __free_frozen_pages+0xbc8/0xd30
[   71.611788][ T5833]  free_contig_range+0x1bd/0x4a0
[   71.616990][ T5833]  destroy_args+0x69/0x660
[   71.621396][ T5833]  debug_vm_pgtable+0x38f/0x3a0
[   71.626233][ T5833]  do_one_initcall+0x1fb/0x870
[   71.630984][ T5833]  do_initcall_level+0x104/0x190
[   71.635907][ T5833]  do_initcalls+0x59/0xa0
[   71.640219][ T5833]  kernel_init_freeable+0x334/0x4b0
[   71.645432][ T5833]  kernel_init+0x1d/0x1d0
[   71.649749][ T5833]  ret_from_fork+0x599/0xb30
[   71.654321][ T5833]  ret_from_fork_asm+0x1a/0x30
[   71.659077][ T5833] 
[   71.661388][ T5833] Memory state around the buggy address:
[   71.667003][ T5833]  ffff8880600c4180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[   71.675071][ T5833]  ffff8880600c4200: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[   71.683128][ T5833] >ffff8880600c4280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   71.691175][ T5833]                                         ^
[   71.697053][ T5833]  ffff8880600c4300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   71.705108][ T5833]  ffff8880600c4380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   71.713166][ T5833] ==================================================================
[   71.746304][ T1300] ieee802154 phy0 wpan0: encryption failed: -22
[   71.753751][ T5833] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   71.760988][ T5833] CPU: 0 UID: 0 PID: 5833 Comm: kworker/u9:3 Not tainted syzkaller #0 PREEMPT(full) 
[   71.770458][ T5833] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[   71.780522][ T5833] Workqueue: hci1 hci_cmd_work
[   71.785338][ T5833] Call Trace:
[   71.788631][ T5833]  <TASK>
[   71.791570][ T5833]  dump_stack_lvl+0x99/0x250
[   71.796191][ T5833]  ? __asan_memcpy+0x40/0x70
[   71.800802][ T5833]  ? __pfx_dump_stack_lvl+0x10/0x10
[   71.806018][ T5833]  ? __pfx__printk+0x10/0x10
[   71.810629][ T5833]  vpanic+0x237/0x6d0
[   71.814623][ T5833]  ? __pfx_vpanic+0x10/0x10
[   71.819130][ T5833]  ? preempt_schedule+0xae/0xc0
[   71.823993][ T5833]  ? __pfx_preempt_schedule+0x10/0x10
[   71.829383][ T5833]  panic+0xb9/0xc0
[   71.833113][ T5833]  ? __pfx_panic+0x10/0x10
[   71.837537][ T5833]  ? _raw_spin_unlock_irqrestore+0xfd/0x110
[   71.843454][ T5833]  ? is_module_address+0x17/0xf0
[   71.848402][ T5833]  ? hci_cmd_work+0x5d0/0x7b0
[   71.853097][ T5833]  check_panic_on_warn+0x89/0xb0
[   71.858062][ T5833]  ? hci_cmd_work+0x5d0/0x7b0
[   71.862838][ T5833]  end_report+0x6f/0x160
[   71.867097][ T5833]  kasan_report+0x129/0x150
[   71.871603][ T5833]  ? hci_cmd_work+0x5d0/0x7b0
[   71.876309][ T5833]  hci_cmd_work+0x5d0/0x7b0
[   71.880819][ T5833]  ? process_one_work+0x868/0x15e0
[   71.885926][ T5833]  process_one_work+0x93a/0x15e0
[   71.890853][ T5833]  ? __lock_acquire+0xab9/0xd20
[   71.895861][ T5833]  ? __pfx_process_one_work+0x10/0x10
[   71.901289][ T5833]  ? assign_work+0x3a1/0x410
[   71.905888][ T5833]  worker_thread+0x9b0/0xee0
[   71.910483][ T5833]  kthread+0x711/0x8a0
[   71.914556][ T5833]  ? __pfx_worker_thread+0x10/0x10
[   71.919654][ T5833]  ? __pfx_kthread+0x10/0x10
[   71.924266][ T5833]  ? _raw_spin_unlock_irq+0x23/0x50
[   71.929460][ T5833]  ? lockdep_hardirqs_on+0x9c/0x150
[   71.934644][ T5833]  ? __pfx_kthread+0x10/0x10
[   71.939250][ T5833]  ret_from_fork+0x599/0xb30
[   71.943829][ T5833]  ? __pfx_ret_from_fork+0x10/0x10
[   71.948929][ T5833]  ? __switch_to_asm+0x39/0x70
[   71.953682][ T5833]  ? __switch_to_asm+0x33/0x70
[   71.958439][ T5833]  ? __pfx_kthread+0x10/0x10
[   71.963191][ T5833]  ret_from_fork_asm+0x1a/0x30
[   71.967954][ T5833]  </TASK>
[   71.971312][ T5833] Kernel Offset: disabled
[   71.975619][ T5833] Rebooting in 86400 seconds..