last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.1.112' (ED25519) to the list of known hosts.
[ 63.863998][ T5808] cgroup: Unknown subsys name 'net'
[ 63.997894][ T5808] cgroup: Unknown subsys name 'cpuset'
[ 64.006692][ T5808] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 65.360993][ T5808] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 67.406872][ T5823] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 67.416220][ T5823] ==================================================================
[ 67.421231][ T5833] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 67.424303][ T5823] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[ 67.424331][ T5823] Read of size 2 at addr ffff888061dd8cb8 by task kworker/u9:2/5823
[ 67.424345][ T5823]
[ 67.424375][ T5823] CPU: 0 UID: 0 PID: 5823 Comm: kworker/u9:2 Not tainted syzkaller #0 PREEMPT(full)
[ 67.424393][ T5823] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 67.424403][ T5823] Workqueue: hci0 hci_cmd_work
[ 67.424429][ T5823] Call Trace:
[ 67.424438][ T5823]
[ 67.424445][ T5823] dump_stack_lvl+0x189/0x250
[ 67.424468][ T5823] ? __virt_addr_valid+0x1c8/0x5c0
[ 67.424484][ T5823] ? rcu_is_watching+0x15/0xb0
[ 67.424499][ T5823] ? __pfx_dump_stack_lvl+0x10/0x10
[ 67.424520][ T5823] ? rcu_is_watching+0x15/0xb0
[ 67.424533][ T5823] ? lock_release+0x4b/0x3d0
[ 67.424551][ T5823] ? _raw_spin_lock_irqsave+0xb3/0xf0
[ 67.424569][ T5823] ? __virt_addr_valid+0x1c8/0x5c0
[ 67.424590][ T5823] ? __virt_addr_valid+0x4a5/0x5c0
[ 67.424606][ T5823] print_report+0xca/0x240
[ 67.424627][ T5823] ? hci_cmd_work+0x5d0/0x7b0
[ 67.424644][ T5823] kasan_report+0x118/0x150
[ 67.424664][ T5823] ? hci_cmd_work+0x5d0/0x7b0
[ 67.424685][ T5823] hci_cmd_work+0x5d0/0x7b0
[ 67.424705][ T5823] ? process_one_work+0x868/0x15e0
[ 67.424723][ T5823] process_one_work+0x93a/0x15e0
[ 67.424741][ T5823] ? __lock_acquire+0xab9/0xd20
[ 67.424767][ T5823] ? __pfx_process_one_work+0x10/0x10
[ 67.424789][ T5823] ? assign_work+0x3a1/0x410
[ 67.424809][ T5823] worker_thread+0x9b0/0xee0
[ 67.424838][ T5823] kthread+0x711/0x8a0
[ 67.424855][ T5823] ? __pfx_worker_thread+0x10/0x10
[ 67.424874][ T5823] ? __pfx_kthread+0x10/0x10
[ 67.424888][ T5823] ? _raw_spin_unlock_irq+0x23/0x50
[ 67.424904][ T5823] ? lockdep_hardirqs_on+0x9c/0x150
[ 67.424929][ T5823] ? __pfx_kthread+0x10/0x10
[ 67.424944][ T5823] ret_from_fork+0x599/0xb30
[ 67.424964][ T5823] ? __pfx_ret_from_fork+0x10/0x10
[ 67.424986][ T5823] ? __switch_to_asm+0x39/0x70
[ 67.425001][ T5823] ? __switch_to_asm+0x33/0x70
[ 67.425015][ T5823] ? __pfx_kthread+0x10/0x10
[ 67.425029][ T5823] ret_from_fork_asm+0x1a/0x30
[ 67.425051][ T5823]
[ 67.425058][ T5823]
[ 67.432669][ T5833] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 67.438761][ T5823] Allocated by task 5145:
[ 67.438774][ T5823] kasan_save_track+0x3e/0x80
[ 67.438792][ T5823] __kasan_slab_alloc+0x6c/0x80
[ 67.438806][ T5823] kmem_cache_alloc_node_noprof+0x43c/0x710
[ 67.438817][ T5823] __alloc_skb+0x112/0x2d0
[ 67.438834][ T5823] hci_cmd_sync_alloc+0x3d/0x3b0
[ 67.438848][ T5823] __hci_cmd_sync_sk+0x1a7/0xc70
[ 67.438861][ T5823] hci_dev_open_sync+0x14b2/0x2dc0
[ 67.438871][ T5823] hci_power_on+0x1b4/0x720
[ 67.438886][ T5823] process_one_work+0x93a/0x15e0
[ 67.438903][ T5823] worker_thread+0x9b0/0xee0
[ 67.438927][ T5823] kthread+0x711/0x8a0
[ 67.438938][ T5823] ret_from_fork+0x599/0xb30
[ 67.438952][ T5823] ret_from_fork_asm+0x1a/0x30
[ 67.438966][ T5823]
[ 67.438970][ T5823] Freed by task 5821:
[ 67.438977][ T5823] kasan_save_track+0x3e/0x80
[ 67.438991][ T5823] kasan_save_free_info+0x46/0x50
[ 67.439010][ T5823] __kasan_slab_free+0x5c/0x80
[ 67.439024][ T5823] kmem_cache_free+0x197/0x640
[ 67.439039][ T5823] vhci_read+0x49a/0x5b0
[ 67.439054][ T5823] vfs_read+0x200/0xa30
[ 67.439068][ T5823] ksys_read+0x145/0x250
[ 67.439082][ T5823] do_syscall_64+0xfa/0xfa0
[ 67.439098][ T5823] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 67.439111][ T5823]
[ 67.439115][ T5823] The buggy address belongs to the object at ffff888061dd8c80
[ 67.439115][ T5823] which belongs to the cache skbuff_head_cache of size 240
[ 67.439128][ T5823] The buggy address is located 56 bytes inside of
[ 67.439128][ T5823] freed 240-byte region [ffff888061dd8c80, ffff888061dd8d70)
[ 67.439144][ T5823]
[ 67.439148][ T5823] The buggy address belongs to the physical page:
[ 67.439164][ T5823] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x61dd8
[ 67.439183][ T5823] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 67.450978][ T5833] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 67.458919][ T5823] page_type: f5(slab)
[ 67.458937][ T5823] raw: 00fff00000000000 ffff88801e282a00 dead000000000122 0000000000000000
[ 67.458949][ T5823] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
[ 67.458957][ T5823] page dumped because: kasan: bad access detected
[ 67.458972][ T5823] page_owner tracks the page as allocated
[ 67.471033][ T5833] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 67.473741][ T5823] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5827, tgid 5827 (syz-executor), ts 67391652969, free_ts 20529049245
[ 67.477899][ T5833] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 67.479930][ T5823] post_alloc_hook+0x240/0x2a0
[ 67.892714][ T5823] get_page_from_freelist+0x2365/0x2440
[ 67.898254][ T5823] __alloc_frozen_pages_noprof+0x181/0x370
[ 67.904047][ T5823] alloc_pages_mpol+0x232/0x4a0
[ 67.908931][ T5823] allocate_slab+0x86/0x3b0
[ 67.913523][ T5823] ___slab_alloc+0xf56/0x1990
[ 67.918291][ T5823] __slab_alloc+0x65/0x100
[ 67.922691][ T5823] kmem_cache_alloc_noprof+0x40f/0x700
[ 67.928134][ T5823] skb_clone+0x212/0x3a0
[ 67.932366][ T5823] netlink_broadcast_filtered+0x6ae/0x1000
[ 67.938170][ T5823] netlink_broadcast+0x37/0x50
[ 67.942920][ T5823] kobject_uevent_net_broadcast+0x378/0x560
[ 67.948800][ T5823] kobject_uevent_env+0x55c/0x9f0
[ 67.953819][ T5823] device_add+0x557/0xb80
[ 67.958143][ T5823] hci_register_dev+0x36c/0x8b0
[ 67.962980][ T5823] vhci_create_device+0x39c/0x650
[ 67.967992][ T5823] page last free pid 1 tgid 1 stack trace:
[ 67.973787][ T5823] __free_frozen_pages+0xbc8/0xd30
[ 67.978940][ T5823] free_contig_range+0x1bd/0x4a0
[ 67.983876][ T5823] destroy_args+0x69/0x660
[ 67.988364][ T5823] debug_vm_pgtable+0x38f/0x3a0
[ 67.993196][ T5823] do_one_initcall+0x1fb/0x870
[ 67.997942][ T5823] do_initcall_level+0x104/0x190
[ 68.002864][ T5823] do_initcalls+0x59/0xa0
[ 68.007175][ T5823] kernel_init_freeable+0x334/0x4b0
[ 68.012357][ T5823] kernel_init+0x1d/0x1d0
[ 68.016758][ T5823] ret_from_fork+0x599/0xb30
[ 68.021336][ T5823] ret_from_fork_asm+0x1a/0x30
[ 68.026081][ T5823]
[ 68.028389][ T5823] Memory state around the buggy address:
[ 68.034003][ T5823] ffff888061dd8b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 68.042043][ T5823] ffff888061dd8c00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 68.050084][ T5823] >ffff888061dd8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.058125][ T5823] ^
[ 68.064004][ T5823] ffff888061dd8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 68.072050][ T5823] ffff888061dd8d80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 68.080091][ T5823] ==================================================================
[ 68.092866][ T5833] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 68.100706][ T5833] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 68.101020][ T5823] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 68.101043][ T5823] CPU: 0 UID: 0 PID: 5823 Comm: kworker/u9:2 Not tainted syzkaller #0 PREEMPT(full)
[ 68.101062][ T5823] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 68.101074][ T5823] Workqueue: hci0 hci_cmd_work
[ 68.101098][ T5823] Call Trace:
[ 68.101106][ T5823]
[ 68.101112][ T5823] dump_stack_lvl+0x99/0x250
[ 68.101137][ T5823] ? __asan_memcpy+0x40/0x70
[ 68.101152][ T5823] ? __pfx_dump_stack_lvl+0x10/0x10
[ 68.101174][ T5823] ? __pfx__printk+0x10/0x10
[ 68.101203][ T5823] vpanic+0x237/0x6d0
[ 68.101218][ T5823] ? __pfx_vpanic+0x10/0x10
[ 68.101231][ T5823] ? preempt_schedule+0xae/0xc0
[ 68.101248][ T5823] ? __pfx_preempt_schedule+0x10/0x10
[ 68.101269][ T5823] panic+0xb9/0xc0
[ 68.101282][ T5823] ? __pfx_panic+0x10/0x10
[ 68.101298][ T5823] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 68.101316][ T5823] ? is_module_address+0x17/0xf0
[ 68.101336][ T5823] ? hci_cmd_work+0x5d0/0x7b0
[ 68.101354][ T5823] check_panic_on_warn+0x89/0xb0
[ 68.101373][ T5823] ? hci_cmd_work+0x5d0/0x7b0
[ 68.101392][ T5823] end_report+0x6f/0x160
[ 68.101410][ T5823] kasan_report+0x129/0x150
[ 68.101429][ T5823] ? hci_cmd_work+0x5d0/0x7b0
[ 68.101450][ T5823] hci_cmd_work+0x5d0/0x7b0
[ 68.101471][ T5823] ? process_one_work+0x868/0x15e0
[ 68.101490][ T5823] process_one_work+0x93a/0x15e0
[ 68.101508][ T5823] ? __lock_acquire+0xab9/0xd20
[ 68.101536][ T5823] ? __pfx_process_one_work+0x10/0x10
[ 68.101558][ T5823] ? assign_work+0x3a1/0x410
[ 68.101579][ T5823] worker_thread+0x9b0/0xee0
[ 68.101609][ T5823] kthread+0x711/0x8a0
[ 68.101625][ T5823] ? __pfx_worker_thread+0x10/0x10
[ 68.101644][ T5823] ? __pfx_kthread+0x10/0x10
[ 68.101659][ T5823] ? _raw_spin_unlock_irq+0x23/0x50
[ 68.101675][ T5823] ? lockdep_hardirqs_on+0x9c/0x150
[ 68.101692][ T5823] ? __pfx_kthread+0x10/0x10
[ 68.101708][ T5823] ret_from_fork+0x599/0xb30
[ 68.101727][ T5823] ? __pfx_ret_from_fork+0x10/0x10
[ 68.101750][ T5823] ? __switch_to_asm+0x39/0x70
[ 68.101766][ T5823] ? __switch_to_asm+0x33/0x70
[ 68.101781][ T5823] ? __pfx_kthread+0x10/0x10
[ 68.101796][ T5823] ret_from_fork_asm+0x1a/0x30
[ 68.101818][ T5823]
[ 68.107803][ T5823] Kernel Offset: disabled