last executing test programs:

5.320652367s ago: executing program 3 (id=482):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/full', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/full', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/full', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/full', 0x800, 0x0)

5.308771087s ago: executing program 3 (id=485):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/zero', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/zero', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/zero', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/zero', 0x800, 0x0)

5.220771353s ago: executing program 3 (id=487):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/ndctl0', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/ndctl0', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/ndctl0', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/ndctl0', 0x800, 0x0)

5.216534942s ago: executing program 3 (id=490):
rt_sigreturn()

4.012721186s ago: executing program 2 (id=585):
timer_getoverrun(0x0)

3.993469146s ago: executing program 2 (id=589):
prlimit64(0x0, 0x0, 0x0, 0x0)

3.936675362s ago: executing program 2 (id=592):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/sys/kernel/debug/damon/schemes', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/sys/kernel/debug/damon/schemes', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/sys/kernel/debug/damon/schemes', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/sys/kernel/debug/damon/schemes', 0x800, 0x0)

3.908565079s ago: executing program 2 (id=596):
faccessat2(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0)

3.861182599s ago: executing program 0 (id=597):
timer_gettime(0x0, &(0x7f0000000000))

3.860856751s ago: executing program 4 (id=598):
pkey_free(0xffffffffffffffff)

3.860547297s ago: executing program 4 (id=600):
socket$alg(0x26, 0x5, 0x0)

3.829395943s ago: executing program 4 (id=602):
shmdt(0x0)

3.828865467s ago: executing program 0 (id=603):
fchdir(0xffffffffffffffff)

3.75707017s ago: executing program 0 (id=605):
pidfd_getfd(0xffffffffffffffff, 0xffffffffffffffff, 0x0)

3.756672518s ago: executing program 4 (id=607):
futimesat(0xffffffffffffffff, &(0x7f0000000000), &(0x7f0000000000))

3.756554005s ago: executing program 0 (id=608):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/audio', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/audio', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/audio', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/audio', 0x800, 0x0)

3.747134124s ago: executing program 1 (id=609):
socket$l2tp(0x2, 0x2, 0x73)

3.746995208s ago: executing program 4 (id=610):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/kvm', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/kvm', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/kvm', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/kvm', 0x800, 0x0)

3.721829618s ago: executing program 0 (id=611):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/virtual_nci', 0x2, 0x0)

3.661060695s ago: executing program 1 (id=612):
fstatfs(0xffffffffffffffff, &(0x7f0000000000))

3.66074793s ago: executing program 1 (id=614):
fadvise64(0xffffffffffffffff, 0x0, 0x0, 0x0)

3.62124686s ago: executing program 1 (id=615):
setitimer(0x0, &(0x7f0000000000), 0x0)

3.572150007s ago: executing program 1 (id=616):
splice(0xffffffffffffffff, &(0x7f0000000000), 0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0)

2.112655491s ago: executing program 0 (id=617):
mmap(&(0x7efffffff000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000000000/0x1000000)=nil, 0x1000000, 0x7, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0001000000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)

1.978827545s ago: executing program 2 (id=601):
mmap(&(0x7efffffff000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000000000/0x1000000)=nil, 0x1000000, 0x7, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0001000000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)

1.733336736s ago: executing program 1 (id=618):
mmap(&(0x7efffffff000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000000000/0x1000000)=nil, 0x1000000, 0x7, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0001000000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)

1.725810926s ago: executing program 3 (id=619):
mmap(&(0x7efffffff000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000000000/0x1000000)=nil, 0x1000000, 0x7, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0001000000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)

1.273265828s ago: executing program 4 (id=613):
mmap(&(0x7efffffff000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000000000/0x1000000)=nil, 0x1000000, 0x7, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0001000000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)

803.781513ms ago: executing program 3 (id=621):
get_robust_list(0x0, &(0x7f0000000000), &(0x7f0000000000))

0s ago: executing program 2 (id=622):
msgrcv(0x0, &(0x7f0000000000), 0x0, 0x0, 0x0)

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.1.35' (ED25519) to the list of known hosts.
[   74.944340][ T5819] cgroup: Unknown subsys name 'net'
[   75.093901][ T5819] cgroup: Unknown subsys name 'cpuset'
[   75.102818][ T5819] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   76.687774][ T5819] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   81.489164][ T6142] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[   81.879492][ T6181] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[   82.043313][ T6190] mmap: syz.4.342 (6190) uses deprecated remap_file_pages() syscall. See Documentation/mm/remap_file_pages.rst.
[   86.279851][ T6481] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[   86.556718][ T2913] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   86.600781][ T2913] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   87.031862][   T43] cfg80211: failed to load regulatory.db
[   87.100026][ T3737] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   87.173984][ T3737] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   88.976656][ T5153] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   88.985954][ T5153] ==================================================================
[   88.994058][ T5153] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[   89.001803][ T5153] Read of size 2 at addr ffff88802f7833f8 by task kworker/u9:1/5153
[   89.009795][ T5153] 
[   89.012399][ T5153] CPU: 1 UID: 0 PID: 5153 Comm: kworker/u9:1 Not tainted syzkaller #0 PREEMPT(full) 
[   89.012417][ T5153] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[   89.012427][ T5153] Workqueue: hci0 hci_cmd_work
[   89.012452][ T5153] Call Trace:
[   89.012461][ T5153]  <TASK>
[   89.012468][ T5153]  dump_stack_lvl+0x189/0x250
[   89.012489][ T5153]  ? __virt_addr_valid+0x1c8/0x5c0
[   89.012503][ T5153]  ? rcu_is_watching+0x15/0xb0
[   89.012515][ T5153]  ? __pfx_dump_stack_lvl+0x10/0x10
[   89.012532][ T5153]  ? rcu_is_watching+0x15/0xb0
[   89.012544][ T5153]  ? lock_release+0x4b/0x3d0
[   89.012559][ T5153]  ? _raw_spin_lock_irqsave+0xb3/0xf0
[   89.012576][ T5153]  ? __virt_addr_valid+0x1c8/0x5c0
[   89.012589][ T5153]  ? __virt_addr_valid+0x4a5/0x5c0
[   89.012602][ T5153]  print_report+0xca/0x240
[   89.012619][ T5153]  ? hci_cmd_work+0x5d0/0x7b0
[   89.012635][ T5153]  kasan_report+0x118/0x150
[   89.012653][ T5153]  ? hci_cmd_work+0x5d0/0x7b0
[   89.012673][ T5153]  hci_cmd_work+0x5d0/0x7b0
[   89.012691][ T5153]  ? process_one_work+0x868/0x15e0
[   89.012707][ T5153]  process_one_work+0x93a/0x15e0
[   89.012727][ T5153]  ? __lock_acquire+0xab9/0xd20
[   89.012748][ T5153]  ? __pfx_process_one_work+0x10/0x10
[   89.012765][ T5153]  ? assign_work+0x3a1/0x410
[   89.012782][ T5153]  worker_thread+0x9b0/0xee0
[   89.012806][ T5153]  kthread+0x711/0x8a0
[   89.012819][ T5153]  ? __pfx_worker_thread+0x10/0x10
[   89.012834][ T5153]  ? __pfx_kthread+0x10/0x10
[   89.012846][ T5153]  ? _raw_spin_unlock_irq+0x23/0x50
[   89.012862][ T5153]  ? lockdep_hardirqs_on+0x9c/0x150
[   89.012878][ T5153]  ? __pfx_kthread+0x10/0x10
[   89.012890][ T5153]  ret_from_fork+0x599/0xb30
[   89.012906][ T5153]  ? __pfx_ret_from_fork+0x10/0x10
[   89.012924][ T5153]  ? __switch_to_asm+0x39/0x70
[   89.012936][ T5153]  ? __switch_to_asm+0x33/0x70
[   89.012948][ T5153]  ? __pfx_kthread+0x10/0x10
[   89.012960][ T5153]  ret_from_fork_asm+0x1a/0x30
[   89.012979][ T5153]  </TASK>
[   89.012984][ T5153] 
[   89.205214][ T5153] Allocated by task 52:
[   89.209368][ T5153]  kasan_save_track+0x3e/0x80
[   89.214048][ T5153]  __kasan_slab_alloc+0x6c/0x80
[   89.218899][ T5153]  kmem_cache_alloc_node_noprof+0x43c/0x710
[   89.224963][ T5153]  __alloc_skb+0x112/0x2d0
[   89.229475][ T5153]  hci_cmd_sync_alloc+0x3d/0x3b0
[   89.234603][ T5153]  __hci_cmd_sync_sk+0x1a7/0xc70
[   89.239543][ T5153]  hci_dev_open_sync+0x14b2/0x2dc0
[   89.244653][ T5153]  hci_power_on+0x1b4/0x720
[   89.249246][ T5153]  process_one_work+0x93a/0x15e0
[   89.254181][ T5153]  worker_thread+0x9b0/0xee0
[   89.258795][ T5153]  kthread+0x711/0x8a0
[   89.262861][ T5153]  ret_from_fork+0x599/0xb30
[   89.267447][ T5153]  ret_from_fork_asm+0x1a/0x30
[   89.272190][ T5153] 
[   89.274585][ T5153] Freed by task 6526:
[   89.278821][ T5153]  kasan_save_track+0x3e/0x80
[   89.283481][ T5153]  kasan_save_free_info+0x46/0x50
[   89.288531][ T5153]  __kasan_slab_free+0x5c/0x80
[   89.293296][ T5153]  kmem_cache_free+0x197/0x640
[   89.298063][ T5153]  vhci_read+0x49a/0x5b0
[   89.302353][ T5153]  vfs_read+0x200/0xa30
[   89.306502][ T5153]  ksys_read+0x145/0x250
[   89.310825][ T5153]  do_syscall_64+0xfa/0xfa0
[   89.315530][ T5153]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   89.321439][ T5153] 
[   89.323753][ T5153] The buggy address belongs to the object at ffff88802f7833c0
[   89.323753][ T5153]  which belongs to the cache skbuff_head_cache of size 240
[   89.338480][ T5153] The buggy address is located 56 bytes inside of
[   89.338480][ T5153]  freed 240-byte region [ffff88802f7833c0, ffff88802f7834b0)
[   89.352745][ T5153] 
[   89.355172][ T5153] The buggy address belongs to the physical page:
[   89.361680][ T5153] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2f783
[   89.370447][ T5153] ksm flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   89.378015][ T5153] page_type: f5(slab)
[   89.381992][ T5153] raw: 00fff00000000000 ffff88801e2d8000 ffffea00009eec00 dead000000000003
[   89.390995][ T5153] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
[   89.399709][ T5153] page dumped because: kasan: bad access detected
[   89.406115][ T5153] page_owner tracks the page as allocated
[   89.411920][ T5153] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5211, tgid 5211 (udevd), ts 30016495035, free_ts 30008911356
[   89.430686][ T5153]  post_alloc_hook+0x240/0x2a0
[   89.435468][ T5153]  get_page_from_freelist+0x2365/0x2440
[   89.441112][ T5153]  __alloc_frozen_pages_noprof+0x181/0x370
[   89.447019][ T5153]  alloc_pages_mpol+0x232/0x4a0
[   89.452054][ T5153]  allocate_slab+0x86/0x3b0
[   89.456740][ T5153]  ___slab_alloc+0xf56/0x1990
[   89.461428][ T5153]  __slab_alloc+0x65/0x100
[   89.465832][ T5153]  kmem_cache_alloc_node_noprof+0x4ce/0x710
[   89.471720][ T5153]  __alloc_skb+0x112/0x2d0
[   89.476119][ T5153]  netlink_sendmsg+0x5c6/0xb30
[   89.480879][ T5153]  __sock_sendmsg+0x21c/0x270
[   89.485622][ T5153]  ____sys_sendmsg+0x505/0x870
[   89.490398][ T5153]  ___sys_sendmsg+0x21f/0x2a0
[   89.495087][ T5153]  __x64_sys_sendmsg+0x19b/0x260
[   89.500182][ T5153]  do_syscall_64+0xfa/0xfa0
[   89.504733][ T5153]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   89.510805][ T5153] page last free pid 5203 tgid 5203 stack trace:
[   89.517209][ T5153]  __free_frozen_pages+0xbc8/0xd30
[   89.522490][ T5153]  __slab_free+0x21b/0x2a0
[   89.526931][ T5153]  qlist_free_all+0x97/0x100
[   89.531698][ T5153]  kasan_quarantine_reduce+0x148/0x160
[   89.537239][ T5153]  __kasan_slab_alloc+0x22/0x80
[   89.542070][ T5153]  __kmalloc_cache_noprof+0x37c/0x700
[   89.547761][ T5153]  kernfs_fop_open+0x397/0xca0
[   89.552525][ T5153]  do_dentry_open+0x7ce/0x1420
[   89.557279][ T5153]  vfs_open+0x3b/0x340
[   89.561345][ T5153]  path_openat+0x33ce/0x3d90
[   89.566551][ T5153]  do_filp_open+0x1fa/0x410
[   89.571058][ T5153]  do_sys_openat2+0x121/0x1c0
[   89.575828][ T5153]  __x64_sys_openat+0x138/0x170
[   89.580783][ T5153]  do_syscall_64+0xfa/0xfa0
[   89.585311][ T5153]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   89.591201][ T5153] 
[   89.593516][ T5153] Memory state around the buggy address:
[   89.599165][ T5153]  ffff88802f783280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   89.607294][ T5153]  ffff88802f783300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   89.615530][ T5153] >ffff88802f783380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   89.623741][ T5153]                                                                 ^
[   89.631700][ T5153]  ffff88802f783400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   89.639853][ T5153]  ffff88802f783480: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[   89.648009][ T5153] ==================================================================
[   89.660602][ T5153] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   89.667839][ T5153] CPU: 1 UID: 0 PID: 5153 Comm: kworker/u9:1 Not tainted syzkaller #0 PREEMPT(full) 
[   89.677284][ T5153] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[   89.687338][ T5153] Workqueue: hci0 hci_cmd_work
[   89.692281][ T5153] Call Trace:
[   89.695545][ T5153]  <TASK>
[   89.698460][ T5153]  dump_stack_lvl+0x99/0x250
[   89.703054][ T5153]  ? __asan_memcpy+0x40/0x70
[   89.707738][ T5153]  ? __pfx_dump_stack_lvl+0x10/0x10
[   89.713026][ T5153]  ? __pfx__printk+0x10/0x10
[   89.717849][ T5153]  vpanic+0x237/0x6d0
[   89.721833][ T5153]  ? __pfx_vpanic+0x10/0x10
[   89.726370][ T5153]  ? preempt_schedule+0xae/0xc0
[   89.731225][ T5153]  ? __pfx_preempt_schedule+0x10/0x10
[   89.736604][ T5153]  panic+0xb9/0xc0
[   89.740316][ T5153]  ? __pfx_panic+0x10/0x10
[   89.744735][ T5153]  ? _raw_spin_unlock_irqrestore+0xfd/0x110
[   89.750632][ T5153]  ? is_module_address+0x17/0xf0
[   89.755581][ T5153]  ? hci_cmd_work+0x5d0/0x7b0
[   89.760247][ T5153]  check_panic_on_warn+0x89/0xb0
[   89.765172][ T5153]  ? hci_cmd_work+0x5d0/0x7b0
[   89.769883][ T5153]  end_report+0x6f/0x160
[   89.774141][ T5153]  kasan_report+0x129/0x150
[   89.778809][ T5153]  ? hci_cmd_work+0x5d0/0x7b0
[   89.783571][ T5153]  hci_cmd_work+0x5d0/0x7b0
[   89.788074][ T5153]  ? process_one_work+0x868/0x15e0
[   89.793186][ T5153]  process_one_work+0x93a/0x15e0
[   89.798128][ T5153]  ? __lock_acquire+0xab9/0xd20
[   89.802982][ T5153]  ? __pfx_process_one_work+0x10/0x10
[   89.808341][ T5153]  ? assign_work+0x3a1/0x410
[   89.812948][ T5153]  worker_thread+0x9b0/0xee0
[   89.817559][ T5153]  kthread+0x711/0x8a0
[   89.821630][ T5153]  ? __pfx_worker_thread+0x10/0x10
[   89.827158][ T5153]  ? __pfx_kthread+0x10/0x10
[   89.831746][ T5153]  ? _raw_spin_unlock_irq+0x23/0x50
[   89.837189][ T5153]  ? lockdep_hardirqs_on+0x9c/0x150
[   89.842408][ T5153]  ? __pfx_kthread+0x10/0x10
[   89.847427][ T5153]  ret_from_fork+0x599/0xb30
[   89.852717][ T5153]  ? __pfx_ret_from_fork+0x10/0x10
[   89.857818][ T5153]  ? __switch_to_asm+0x39/0x70
[   89.862563][ T5153]  ? __switch_to_asm+0x33/0x70
[   89.867306][ T5153]  ? __pfx_kthread+0x10/0x10
[   89.871876][ T5153]  ret_from_fork_asm+0x1a/0x30
[   89.876629][ T5153]  </TASK>
[   89.879776][ T5153] Kernel Offset: disabled
[   89.884081][ T5153] Rebooting in 86400 seconds..