last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.0.55' (ED25519) to the list of known hosts.
[   87.765541][ T5814] cgroup: Unknown subsys name 'net'
[   87.952432][ T5814] cgroup: Unknown subsys name 'cpuset'
[   87.962001][ T5814] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   89.736244][ T5814] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   93.341806][ T5831] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   93.349892][ T5831] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   93.359488][ T5831] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   93.367341][ T5831] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   93.375964][ T5837] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   93.377207][ T5837] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[   93.394602][ T5837] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   93.399224][ T5831] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   93.405302][ T5837] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[   93.413396][ T5831] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   93.420280][ T5838] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[   93.438668][ T5838] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   93.447141][ T5838] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   93.456370][ T5838] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[   93.463834][   T52] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[   93.473071][ T5838] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[   93.480363][   T52] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[   93.488379][   T52] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[   93.499780][ T5832] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[   93.507988][ T5832] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[   93.516737][ T5832] ==================================================================
[   93.524946][ T5832] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[   93.532650][ T5832] Read of size 2 at addr ffff88805d8ca038 by task kworker/u9:3/5832
[   93.541010][ T5832] 
[   93.543552][ T5832] CPU: 0 UID: 0 PID: 5832 Comm: kworker/u9:3 Not tainted syzkaller #0 PREEMPT(full) 
[   93.543579][ T5832] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[   93.543599][ T5832] Workqueue: hci3 hci_cmd_work
[   93.543627][ T5832] Call Trace:
[   93.543635][ T5832]  <TASK>
[   93.543643][ T5832]  dump_stack_lvl+0x189/0x250
[   93.543672][ T5832]  ? __virt_addr_valid+0x1c8/0x5c0
[   93.543691][ T5832]  ? rcu_is_watching+0x15/0xb0
[   93.543708][ T5832]  ? __pfx_dump_stack_lvl+0x10/0x10
[   93.543733][ T5832]  ? rcu_is_watching+0x15/0xb0
[   93.543749][ T5832]  ? lock_release+0x4b/0x3d0
[   93.543771][ T5832]  ? _raw_spin_lock_irqsave+0xb3/0xf0
[   93.543792][ T5832]  ? __virt_addr_valid+0x1c8/0x5c0
[   93.543810][ T5832]  ? __virt_addr_valid+0x4a5/0x5c0
[   93.543829][ T5832]  print_report+0xca/0x240
[   93.543852][ T5832]  ? hci_cmd_work+0x5d0/0x7b0
[   93.543872][ T5832]  kasan_report+0x118/0x150
[   93.543896][ T5832]  ? hci_cmd_work+0x5d0/0x7b0
[   93.543920][ T5832]  hci_cmd_work+0x5d0/0x7b0
[   93.543944][ T5832]  ? process_one_work+0x868/0x15e0
[   93.543966][ T5832]  process_one_work+0x93a/0x15e0
[   93.543989][ T5832]  ? __lock_acquire+0xab9/0xd20
[   93.544020][ T5832]  ? __pfx_process_one_work+0x10/0x10
[   93.544046][ T5832]  ? assign_work+0x3a1/0x410
[   93.544070][ T5832]  worker_thread+0x9b0/0xee0
[   93.544105][ T5832]  kthread+0x711/0x8a0
[   93.544125][ T5832]  ? __pfx_worker_thread+0x10/0x10
[   93.544149][ T5832]  ? __pfx_kthread+0x10/0x10
[   93.544167][ T5832]  ? _raw_spin_unlock_irq+0x23/0x50
[   93.544185][ T5832]  ? lockdep_hardirqs_on+0x9c/0x150
[   93.544206][ T5832]  ? __pfx_kthread+0x10/0x10
[   93.544222][ T5832]  ret_from_fork+0x599/0xb30
[   93.544246][ T5832]  ? __pfx_ret_from_fork+0x10/0x10
[   93.544273][ T5832]  ? __switch_to_asm+0x39/0x70
[   93.544290][ T5832]  ? __switch_to_asm+0x33/0x70
[   93.544307][ T5832]  ? __pfx_kthread+0x10/0x10
[   93.544325][ T5832]  ret_from_fork_asm+0x1a/0x30
[   93.544349][ T5832]  </TASK>
[   93.544356][ T5832] 
[   93.593794][   T52] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[   93.596604][ T5832] Allocated by task 5148:
[   93.604286][   T52] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[   93.606099][ T5832]  kasan_save_track+0x3e/0x80
[   93.606127][ T5832]  __kasan_slab_alloc+0x6c/0x80
[   93.613114][   T52] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[   93.616789][ T5832]  kmem_cache_alloc_node_noprof+0x43c/0x710
[   93.616815][ T5832]  __alloc_skb+0x112/0x2d0
[   93.624156][   T52] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[   93.626957][ T5832]  hci_cmd_sync_alloc+0x3d/0x3b0
[   93.626984][ T5832]  __hci_cmd_sync_sk+0x1a7/0xc70
[   93.636427][   T52] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[   93.636893][ T5832]  hci_read_current_iac_lap_sync+0x2c/0x120
[   93.826647][ T5832]  hci_dev_open_sync+0x24ad/0x2dc0
[   93.831872][ T5832]  hci_power_on+0x1b4/0x720
[   93.836397][ T5832]  process_one_work+0x93a/0x15e0
[   93.841532][ T5832]  worker_thread+0x9b0/0xee0
[   93.846401][ T5832]  kthread+0x711/0x8a0
[   93.850583][ T5832]  ret_from_fork+0x599/0xb30
[   93.855881][ T5832]  ret_from_fork_asm+0x1a/0x30
[   93.860647][ T5832] 
[   93.862979][ T5832] Freed by task 5841:
[   93.866959][ T5832]  kasan_save_track+0x3e/0x80
[   93.871817][ T5832]  kasan_save_free_info+0x46/0x50
[   93.877544][ T5832]  __kasan_slab_free+0x5c/0x80
[   93.882325][ T5832]  kmem_cache_free+0x197/0x640
[   93.887752][ T5832]  vhci_read+0x49a/0x5b0
[   93.892822][ T5832]  vfs_read+0x200/0xa30
[   93.897697][ T5832]  ksys_read+0x145/0x250
[   93.902665][ T5832]  do_syscall_64+0xfa/0xfa0
[   93.907470][ T5832]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   93.913912][ T5832] 
[   93.916251][ T5832] The buggy address belongs to the object at ffff88805d8ca000
[   93.916251][ T5832]  which belongs to the cache skbuff_head_cache of size 240
[   93.931731][ T5832] The buggy address is located 56 bytes inside of
[   93.931731][ T5832]  freed 240-byte region [ffff88805d8ca000, ffff88805d8ca0f0)
[   93.946985][ T5832] 
[   93.949624][ T5832] The buggy address belongs to the physical page:
[   93.958044][ T5832] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5d8ca
[   93.967453][ T5832] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   93.974930][ T5832] page_type: f5(slab)
[   93.979015][ T5832] raw: 00fff00000000000 ffff88801ceed780 dead000000000122 0000000000000000
[   93.988006][ T5832] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[   93.996865][ T5832] page dumped because: kasan: bad access detected
[   94.003300][ T5832] page_owner tracks the page as allocated
[   94.009033][ T5832] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5148, tgid 5148 (kworker/u9:1), ts 93515941494, free_ts 31071088208
[   94.028952][ T5832]  post_alloc_hook+0x240/0x2a0
[   94.033821][ T5832]  get_page_from_freelist+0x2365/0x2440
[   94.039372][ T5832]  __alloc_frozen_pages_noprof+0x181/0x370
[   94.045236][ T5832]  alloc_pages_mpol+0x232/0x4a0
[   94.050189][ T5832]  allocate_slab+0x86/0x3b0
[   94.054902][ T5832]  ___slab_alloc+0xf56/0x1990
[   94.059599][ T5832]  __slab_alloc+0x65/0x100
[   94.064200][ T5832]  kmem_cache_alloc_node_noprof+0x4ce/0x710
[   94.070462][ T5832]  __alloc_skb+0x112/0x2d0
[   94.075153][ T5832]  hci_cmd_sync_alloc+0x3d/0x3b0
[   94.080283][ T5832]  __hci_cmd_sync_sk+0x1a7/0xc70
[   94.085429][ T5832]  hci_read_current_iac_lap_sync+0x2c/0x120
[   94.091419][ T5832]  hci_dev_open_sync+0x24ad/0x2dc0
[   94.096625][ T5832]  hci_power_on+0x1b4/0x720
[   94.101133][ T5832]  process_one_work+0x93a/0x15e0
[   94.106105][ T5832]  worker_thread+0x9b0/0xee0
[   94.110782][ T5832] page last free pid 1 tgid 1 stack trace:
[   94.117022][ T5832]  __free_frozen_pages+0xbc8/0xd30
[   94.122326][ T5832]  free_contig_range+0x1bd/0x4a0
[   94.127728][ T5832]  destroy_args+0x69/0x660
[   94.132646][ T5832]  debug_vm_pgtable+0x38f/0x3a0
[   94.137712][ T5832]  do_one_initcall+0x1fb/0x870
[   94.142679][ T5832]  do_initcall_level+0x104/0x190
[   94.147742][ T5832]  do_initcalls+0x59/0xa0
[   94.152437][ T5832]  kernel_init_freeable+0x334/0x4b0
[   94.157927][ T5832]  kernel_init+0x1d/0x1d0
[   94.162292][ T5832]  ret_from_fork+0x599/0xb30
[   94.166906][ T5832]  ret_from_fork_asm+0x1a/0x30
[   94.171795][ T5832] 
[   94.174145][ T5832] Memory state around the buggy address:
[   94.179967][ T5832]  ffff88805d8c9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   94.188564][ T5832]  ffff88805d8c9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   94.197058][ T5832] >ffff88805d8ca000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   94.205935][ T5832]                                         ^
[   94.211854][ T5832]  ffff88805d8ca080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   94.220542][ T5832]  ffff88805d8ca100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   94.228623][ T5832] ==================================================================
[   94.237819][ T5832] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   94.245380][ T5832] CPU: 0 UID: 0 PID: 5832 Comm: kworker/u9:3 Not tainted syzkaller #0 PREEMPT(full) 
[   94.254961][ T5832] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[   94.265047][ T5832] Workqueue: hci3 hci_cmd_work
[   94.270029][ T5832] Call Trace:
[   94.273643][ T5832]  <TASK>
[   94.276769][ T5832]  dump_stack_lvl+0x99/0x250
[   94.281912][ T5832]  ? __asan_memcpy+0x40/0x70
[   94.286794][ T5832]  ? __pfx_dump_stack_lvl+0x10/0x10
[   94.292423][ T5832]  ? __pfx__printk+0x10/0x10
[   94.297037][ T5832]  vpanic+0x237/0x6d0
[   94.301140][ T5832]  ? __pfx_vpanic+0x10/0x10
[   94.305923][ T5832]  ? preempt_schedule+0xae/0xc0
[   94.311161][ T5832]  ? __pfx_preempt_schedule+0x10/0x10
[   94.318017][ T5832]  panic+0xb9/0xc0
[   94.321955][ T5832]  ? __pfx_panic+0x10/0x10
[   94.326515][ T5832]  ? _raw_spin_unlock_irqrestore+0xfd/0x110
[   94.332458][ T5832]  ? is_module_address+0x17/0xf0
[   94.337431][ T5832]  ? hci_cmd_work+0x5d0/0x7b0
[   94.342263][ T5832]  check_panic_on_warn+0x89/0xb0
[   94.347330][ T5832]  ? hci_cmd_work+0x5d0/0x7b0
[   94.352012][ T5832]  end_report+0x6f/0x160
[   94.356382][ T5832]  kasan_report+0x129/0x150
[   94.361121][ T5832]  ? hci_cmd_work+0x5d0/0x7b0
[   94.365808][ T5832]  hci_cmd_work+0x5d0/0x7b0
[   94.370657][ T5832]  ? process_one_work+0x868/0x15e0
[   94.376524][ T5832]  process_one_work+0x93a/0x15e0
[   94.381730][ T5832]  ? __lock_acquire+0xab9/0xd20
[   94.386683][ T5832]  ? __pfx_process_one_work+0x10/0x10
[   94.392168][ T5832]  ? assign_work+0x3a1/0x410
[   94.396850][ T5832]  worker_thread+0x9b0/0xee0
[   94.401789][ T5832]  kthread+0x711/0x8a0
[   94.405968][ T5832]  ? __pfx_worker_thread+0x10/0x10
[   94.411449][ T5832]  ? __pfx_kthread+0x10/0x10
[   94.416057][ T5832]  ? _raw_spin_unlock_irq+0x23/0x50
[   94.421260][ T5832]  ? lockdep_hardirqs_on+0x9c/0x150
[   94.426467][ T5832]  ? __pfx_kthread+0x10/0x10
[   94.431073][ T5832]  ret_from_fork+0x599/0xb30
[   94.435780][ T5832]  ? __pfx_ret_from_fork+0x10/0x10
[   94.441114][ T5832]  ? __switch_to_asm+0x39/0x70
[   94.445970][ T5832]  ? __switch_to_asm+0x33/0x70
[   94.450735][ T5832]  ? __pfx_kthread+0x10/0x10
[   94.455498][ T5832]  ret_from_fork_asm+0x1a/0x30
[   94.460461][ T5832]  </TASK>
[   94.463656][ T5832] Kernel Offset: disabled
[   94.468240][ T5832] Rebooting in 86400 seconds..