last executing test programs: kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.0.225' (ED25519) to the list of known hosts.
[ 65.954585][ T5808] cgroup: Unknown subsys name 'net'
[ 66.170323][ T5808] cgroup: Unknown subsys name 'cpuset'
[ 66.179522][ T5808] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 67.578237][ T5808] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 69.610790][ T5821] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 69.619935][ T52] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 69.628492][ T52] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 69.638125][ T5827] ==================================================================
[ 69.646323][ T5827] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[ 69.653797][ T5827] Read of size 2 at addr ffff88805ee16038 by task kworker/u9:3/5827
[ 69.661863][ T5827]
[ 69.664197][ T5827] CPU: 0 UID: 0 PID: 5827 Comm: kworker/u9:3 Not tainted syzkaller #0 PREEMPT(full)
[ 69.664210][ T5827] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 69.664217][ T5827] Workqueue: hci0 hci_cmd_work
[ 69.664240][ T5827] Call Trace:
[ 69.664245][ T5827]
[ 69.664250][ T5827]  dump_stack_lvl+0x189/0x250
[ 69.664267][ T5827]  ? __virt_addr_valid+0x1c8/0x5c0
[ 69.664277][ T5827]  ? rcu_is_watching+0x15/0xb0
[ 69.664286][ T5827]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 69.664299][ T5827]  ? rcu_is_watching+0x15/0xb0
[ 69.664307][ T5827]  ? lock_release+0x4b/0x3d0
[ 69.664319][ T5827]  ? _raw_spin_lock_irqsave+0xb3/0xf0
[ 69.664330][ T5827]  ? __virt_addr_valid+0x1c8/0x5c0
[ 69.664339][ T5827]  ? __virt_addr_valid+0x4a5/0x5c0
[ 69.664349][ T5827]  print_report+0xca/0x240
[ 69.664362][ T5827]  ? hci_cmd_work+0x5d0/0x7b0
[ 69.664372][ T5827]  kasan_report+0x118/0x150
[ 69.664385][ T5827]  ? hci_cmd_work+0x5d0/0x7b0
[ 69.664397][ T5827]  hci_cmd_work+0x5d0/0x7b0
[ 69.664409][ T5827]  ? process_one_work+0x868/0x15e0
[ 69.664420][ T5827]  process_one_work+0x93a/0x15e0
[ 69.664431][ T5827]  ? __lock_acquire+0xab9/0xd20
[ 69.664446][ T5827]  ? __pfx_process_one_work+0x10/0x10
[ 69.664459][ T5827]  ? assign_work+0x3a1/0x410
[ 69.664471][ T5827]  worker_thread+0x9b0/0xee0
[ 69.664488][ T5827]  kthread+0x711/0x8a0
[ 69.664497][ T5827]  ? __pfx_worker_thread+0x10/0x10
[ 69.664509][ T5827]  ? __pfx_kthread+0x10/0x10
[ 69.664517][ T5827]  ? _raw_spin_unlock_irq+0x23/0x50
[ 69.664526][ T5827]  ? lockdep_hardirqs_on+0x9c/0x150
[ 69.664537][ T5827]  ? __pfx_kthread+0x10/0x10
[ 69.664545][ T5827]  ret_from_fork+0x599/0xb30
[ 69.664557][ T5827]  ? __pfx_ret_from_fork+0x10/0x10
[ 69.664570][ T5827]  ? __switch_to_asm+0x39/0x70
[ 69.664584][ T5827]  ? __switch_to_asm+0x33/0x70
[ 69.664592][ T5827]  ? __pfx_kthread+0x10/0x10
[ 69.664600][ T5827]  ret_from_fork_asm+0x1a/0x30
[ 69.664613][ T5827]
[ 69.664616][ T5827]
[ 69.684112][ T5834] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 69.688833][ T5827] Allocated by task 5145:
[ 69.688847][ T5827]  kasan_save_track+0x3e/0x80
[ 69.688866][ T5827]  __kasan_slab_alloc+0x6c/0x80
[ 69.688882][ T5827]  kmem_cache_alloc_node_noprof+0x43c/0x710
[ 69.688895][ T5827]  __alloc_skb+0x112/0x2d0
[ 69.694862][ T5834] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 69.695152][ T5827]  hci_cmd_sync_alloc+0x3d/0x3b0
[ 69.702222][ T5834] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 69.704991][ T5827]  __hci_cmd_sync_sk+0x1a7/0xc70
[ 69.705016][ T5827]  hci_dev_open_sync+0x163e/0x2dc0
[ 69.705030][ T5827]  hci_power_on+0x1b4/0x720
[ 69.712756][ T5834] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 69.715066][ T5827]  process_one_work+0x93a/0x15e0
[ 69.715092][ T5827]  worker_thread+0x9b0/0xee0
[ 69.722251][ T5834] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 69.724628][ T5827]  kthread+0x711/0x8a0
[ 69.724651][ T5827]  ret_from_fork+0x599/0xb30
[ 69.724669][ T5827]  ret_from_fork_asm+0x1a/0x30
[ 69.724684][ T5827]
[ 69.731806][ T5834] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 69.735132][ T5827] Freed by task 5820:
[ 69.735148][ T5827]  kasan_save_track+0x3e/0x80
[ 69.735168][ T5827]  kasan_save_free_info+0x46/0x50
[ 69.741123][ T5834] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 69.744702][ T5827]  __kasan_slab_free+0x5c/0x80
[ 69.751095][ T5834] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 69.753948][ T5827]  kmem_cache_free+0x197/0x640
[ 69.760217][ T5834] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 69.763160][ T5827]  vhci_read+0x49a/0x5b0
[ 69.769211][ T5834] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 69.773414][ T5827]  vfs_read+0x200/0xa30
[ 69.773435][ T5827]  ksys_read+0x145/0x250
[ 69.773447][ T5827]  do_syscall_64+0xfa/0xfa0
[ 69.773465][ T5827]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.779418][ T5834] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 69.783922][ T5827]
[ 69.783931][ T5827] The buggy address belongs to the object at ffff88805ee16000
[ 69.783931][ T5827]  which belongs to the cache skbuff_head_cache of size 240
[ 69.790995][ T5834] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 69.793095][ T5827] The buggy address is located 56 bytes inside of
[ 69.793095][ T5827]  freed 240-byte region [ffff88805ee16000, ffff88805ee160f0)
[ 69.793116][ T5827]
[ 69.793122][ T5827] The buggy address belongs to the physical page:
[ 69.793143][ T5827] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5ee16
[ 69.799681][ T5834] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 69.802291][ T5827] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 69.808449][ T5834] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 69.812120][ T5827] page_type: f5(slab)
[ 69.812138][ T5827] raw: 00fff00000000000 ffff888141ac4a00 dead000000000122 0000000000000000
[ 69.812151][ T5827] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
[ 69.812159][ T5827] page dumped because: kasan: bad access detected
[ 69.818412][ T5834] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 69.821927][ T5827] page_owner tracks the page as allocated
[ 69.821936][ T5827] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5145, tgid 5145 (kworker/u9:1), ts 69627965407, free_ts 21914955219
[ 69.828483][ T5834] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 69.831623][ T5827]  post_alloc_hook+0x240/0x2a0
[ 69.831647][ T5827]  get_page_from_freelist+0x2365/0x2440
[ 69.831665][ T5827]  __alloc_frozen_pages_noprof+0x181/0x370
[ 69.839071][ T5834] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 69.841170][ T5827]  alloc_pages_mpol+0x232/0x4a0
[ 69.841197][ T5827]  allocate_slab+0x86/0x3b0
[ 69.841216][ T5827]  ___slab_alloc+0xf56/0x1990
[ 69.871146][ T52] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 69.871786][ T5827]  __slab_alloc+0x65/0x100
[ 69.871811][ T5827]  kmem_cache_alloc_node_noprof+0x4ce/0x710
[ 69.877523][ T52] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 69.882526][ T5827]  __alloc_skb+0x112/0x2d0
[ 69.882554][ T5827]  hci_cmd_sync_alloc+0x3d/0x3b0
[ 69.882570][ T5827]  __hci_cmd_sync_sk+0x1a7/0xc70
[ 70.269201][ T5827]  hci_dev_open_sync+0x163e/0x2dc0
[ 70.274618][ T5827]  hci_power_on+0x1b4/0x720
[ 70.279124][ T5827]  process_one_work+0x93a/0x15e0
[ 70.284409][ T5827]  worker_thread+0x9b0/0xee0
[ 70.289002][ T5827]  kthread+0x711/0x8a0
[ 70.293163][ T5827] page last free pid 1 tgid 1 stack trace:
[ 70.298965][ T5827]  __free_frozen_pages+0xbc8/0xd30
[ 70.304161][ T5827]  free_contig_range+0x1bd/0x4a0
[ 70.309101][ T5827]  destroy_args+0x69/0x660
[ 70.313595][ T5827]  debug_vm_pgtable+0x38f/0x3a0
[ 70.318430][ T5827]  do_one_initcall+0x1fb/0x870
[ 70.323181][ T5827]  do_initcall_level+0x104/0x190
[ 70.328115][ T5827]  do_initcalls+0x59/0xa0
[ 70.332628][ T5827]  kernel_init_freeable+0x334/0x4b0
[ 70.337841][ T5827]  kernel_init+0x1d/0x1d0
[ 70.342166][ T5827]  ret_from_fork+0x599/0xb30
[ 70.346743][ T5827]  ret_from_fork_asm+0x1a/0x30
[ 70.351580][ T5827]
[ 70.353984][ T5827] Memory state around the buggy address:
[ 70.359598][ T5827]  ffff88805ee15f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 70.367913][ T5827]  ffff88805ee15f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 70.376384][ T5827] >ffff88805ee16000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.384608][ T5827]                                         ^
[ 70.390754][ T5827]  ffff88805ee16080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 70.399101][ T5827]  ffff88805ee16100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 70.407251][ T5827] ==================================================================
[ 70.416657][ T5827] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 70.423893][ T5827] CPU: 0 UID: 0 PID: 5827 Comm: kworker/u9:3 Not tainted syzkaller #0 PREEMPT(full)
[ 70.433365][ T5827] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 70.443434][ T5827] Workqueue: hci0 hci_cmd_work
[ 70.448234][ T5827] Call Trace:
[ 70.451541][ T5827]
[ 70.454487][ T5827]  dump_stack_lvl+0x99/0x250
[ 70.459101][ T5827]  ? __asan_memcpy+0x40/0x70
[ 70.463703][ T5827]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 70.469011][ T5827]  ? __pfx__printk+0x10/0x10
[ 70.473710][ T5827]  vpanic+0x237/0x6d0
[ 70.477722][ T5827]  ? __pfx_vpanic+0x10/0x10
[ 70.482236][ T5827]  ? preempt_schedule+0xae/0xc0
[ 70.487124][ T5827]  ? __pfx_preempt_schedule+0x10/0x10
[ 70.492521][ T5827]  panic+0xb9/0xc0
[ 70.496513][ T5827]  ? __pfx_panic+0x10/0x10
[ 70.500970][ T5827]  ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 70.507844][ T5827]  ? is_module_address+0x17/0xf0
[ 70.513402][ T5827]  ? hci_cmd_work+0x5d0/0x7b0
[ 70.518194][ T5827]  check_panic_on_warn+0x89/0xb0
[ 70.523669][ T5827]  ? hci_cmd_work+0x5d0/0x7b0
[ 70.528418][ T5827]  end_report+0x6f/0x160
[ 70.532847][ T5827]  kasan_report+0x129/0x150
[ 70.537465][ T5827]  ? hci_cmd_work+0x5d0/0x7b0
[ 70.542417][ T5827]  hci_cmd_work+0x5d0/0x7b0
[ 70.546933][ T5827]  ? process_one_work+0x868/0x15e0
[ 70.552590][ T5827]  process_one_work+0x93a/0x15e0
[ 70.557545][ T5827]  ? __lock_acquire+0xab9/0xd20
[ 70.562422][ T5827]  ? __pfx_process_one_work+0x10/0x10
[ 70.567823][ T5827]  ? assign_work+0x3a1/0x410
[ 70.572518][ T5827]  worker_thread+0x9b0/0xee0
[ 70.577136][ T5827]  kthread+0x711/0x8a0
[ 70.581217][ T5827]  ? __pfx_worker_thread+0x10/0x10
[ 70.586428][ T5827]  ? __pfx_kthread+0x10/0x10
[ 70.591113][ T5827]  ? _raw_spin_unlock_irq+0x23/0x50
[ 70.597035][ T5827]  ? lockdep_hardirqs_on+0x9c/0x150
[ 70.602560][ T5827]  ? __pfx_kthread+0x10/0x10
[ 70.607158][ T5827]  ret_from_fork+0x599/0xb30
[ 70.611858][ T5827]  ? __pfx_ret_from_fork+0x10/0x10
[ 70.617060][ T5827]  ? __switch_to_asm+0x39/0x70
[ 70.621840][ T5827]  ? __switch_to_asm+0x33/0x70
[ 70.626634][ T5827]  ? __pfx_kthread+0x10/0x10
[ 70.631334][ T5827]  ret_from_fork_asm+0x1a/0x30
[ 70.636643][ T5827]
[ 70.640489][ T5827] Kernel Offset: disabled
[ 70.644809][ T5827] Rebooting in 86400 seconds..