last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.1.226' (ED25519) to the list of known hosts.
[ 66.524289][ T5819] cgroup: Unknown subsys name 'net'
[ 66.659512][ T5819] cgroup: Unknown subsys name 'cpuset'
[ 66.669336][ T5819] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 68.122548][ T5819] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 71.333341][ T1301] ieee802154 phy0 wpan0: encryption failed: -22
[ 71.345508][ T1301] ieee802154 phy1 wpan1: encryption failed: -22
[ 71.430470][ T5841] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 71.444223][ T5843] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 71.452125][ T5841] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 71.462359][ T5841] ==================================================================
[ 71.466956][ T5843] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 71.470681][ T5841] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[ 71.478824][ T5844] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 71.485133][ T5841] Read of size 2 at addr ffff888060222538 by task kworker/u9:4/5841
[ 71.485150][ T5841]
[ 71.485177][ T5841] CPU: 0 UID: 0 PID: 5841 Comm: kworker/u9:4 Not tainted syzkaller #0 PREEMPT(full)
[ 71.485191][ T5841] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 71.485202][ T5841] Workqueue: hci1 hci_cmd_work
[ 71.485234][ T5841] Call Trace:
[ 71.485245][ T5841]
[ 71.485253][ T5841] dump_stack_lvl+0x189/0x250
[ 71.485281][ T5841] ? __virt_addr_valid+0x1c8/0x5c0
[ 71.485301][ T5841] ? rcu_is_watching+0x15/0xb0
[ 71.485320][ T5841] ? __pfx_dump_stack_lvl+0x10/0x10
[ 71.485337][ T5841] ? rcu_is_watching+0x15/0xb0
[ 71.485356][ T5841] ? lock_release+0x4b/0x3d0
[ 71.485371][ T5841] ? _raw_spin_lock_irqsave+0xb3/0xf0
[ 71.485391][ T5841] ? __virt_addr_valid+0x1c8/0x5c0
[ 71.485411][ T5841] ? __virt_addr_valid+0x4a5/0x5c0
[ 71.485431][ T5841] print_report+0xca/0x240
[ 71.485451][ T5841] ? hci_cmd_work+0x5d0/0x7b0
[ 71.485470][ T5841] kasan_report+0x118/0x150
[ 71.485488][ T5841] ? hci_cmd_work+0x5d0/0x7b0
[ 71.485512][ T5841] hci_cmd_work+0x5d0/0x7b0
[ 71.485534][ T5841] ? process_one_work+0x868/0x15e0
[ 71.485550][ T5841] process_one_work+0x93a/0x15e0
[ 71.485565][ T5841] ? __lock_acquire+0xab9/0xd20
[ 71.485588][ T5841] ? __pfx_process_one_work+0x10/0x10
[ 71.485607][ T5841] ? assign_work+0x3a1/0x410
[ 71.485624][ T5841] worker_thread+0x9b0/0xee0
[ 71.485650][ T5841] kthread+0x711/0x8a0
[ 71.485670][ T5841] ? __pfx_worker_thread+0x10/0x10
[ 71.485685][ T5841] ? __pfx_kthread+0x10/0x10
[ 71.485704][ T5841] ? _raw_spin_unlock_irq+0x23/0x50
[ 71.485722][ T5841] ? lockdep_hardirqs_on+0x9c/0x150
[ 71.485741][ T5841] ? __pfx_kthread+0x10/0x10
[ 71.485760][ T5841] ret_from_fork+0x599/0xb30
[ 71.485777][ T5841] ? __pfx_ret_from_fork+0x10/0x10
[ 71.485796][ T5841] ? __switch_to_asm+0x39/0x70
[ 71.485815][ T5841] ? __switch_to_asm+0x33/0x70
[ 71.485833][ T5841] ? __pfx_kthread+0x10/0x10
[ 71.485852][ T5841] ret_from_fork_asm+0x1a/0x30
[ 71.485878][ T5841]
[ 71.485884][ T5841]
[ 71.494468][ T5844] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 71.500085][ T5841] Allocated by task 52:
[ 71.500099][ T5841] kasan_save_track+0x3e/0x80
[ 71.500116][ T5841] __kasan_slab_alloc+0x6c/0x80
[ 71.500128][ T5841] kmem_cache_alloc_node_noprof+0x43c/0x710
[ 71.500145][ T5841] __alloc_skb+0x112/0x2d0
[ 71.500157][ T5841] hci_cmd_sync_alloc+0x3d/0x3b0
[ 71.500172][ T5841] __hci_cmd_sync_sk+0x1a7/0xc70
[ 71.500187][ T5841] hci_dev_open_sync+0x14b2/0x2dc0
[ 71.500199][ T5841] hci_power_on+0x1b4/0x720
[ 71.500209][ T5841] process_one_work+0x93a/0x15e0
[ 71.500221][ T5841] worker_thread+0x9b0/0xee0
[ 71.500232][ T5841] kthread+0x711/0x8a0
[ 71.500245][ T5841] ret_from_fork+0x599/0xb30
[ 71.500256][ T5841] ret_from_fork_asm+0x1a/0x30
[ 71.500278][ T5841]
[ 71.500282][ T5841] Freed by task 5831:
[ 71.500288][ T5841] kasan_save_track+0x3e/0x80
[ 71.500301][ T5841] kasan_save_free_info+0x46/0x50
[ 71.500316][ T5841] __kasan_slab_free+0x5c/0x80
[ 71.500326][ T5841] kmem_cache_free+0x197/0x640
[ 71.500336][ T5841] vhci_read+0x49a/0x5b0
[ 71.500353][ T5841] vfs_read+0x200/0xa30
[ 71.500363][ T5841] ksys_read+0x145/0x250
[ 71.500373][ T5841] do_syscall_64+0xfa/0xfa0
[ 71.500389][ T5841] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 71.500400][ T5841]
[ 71.500404][ T5841] The buggy address belongs to the object at ffff888060222500
[ 71.500404][ T5841] which belongs to the cache skbuff_head_cache of size 240
[ 71.500415][ T5841] The buggy address is located 56 bytes inside of
[ 71.500415][ T5841] freed 240-byte region [ffff888060222500, ffff8880602225f0)
[ 71.500428][ T5841]
[ 71.500433][ T5841] The buggy address belongs to the physical page:
[ 71.500455][ T5841] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x60222
[ 71.500469][ T5841] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 71.500486][ T5841] page_type: f5(slab)
[ 71.500500][ T5841] raw: 00fff00000000000 ffff888140e8aa00 dead000000000122 0000000000000000
[ 71.500513][ T5841] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
[ 71.500520][ T5841] page dumped because: kasan: bad access detected
[ 71.500533][ T5841] page_owner tracks the page as allocated
[ 71.500538][ T5841] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5841, tgid 5841 (kworker/u9:4), ts 71423784712, free_ts 71422840057
[ 71.500561][ T5841] post_alloc_hook+0x240/0x2a0
[ 71.500581][ T5841] get_page_from_freelist+0x2365/0x2440
[ 71.500596][ T5841] __alloc_frozen_pages_noprof+0x181/0x370
[ 71.500609][ T5841] alloc_pages_mpol+0x232/0x4a0
[ 71.500622][ T5841] allocate_slab+0x86/0x3b0
[ 71.500638][ T5841] ___slab_alloc+0xf56/0x1990
[ 71.500651][ T5841] __slab_alloc+0x65/0x100
[ 71.500664][ T5841] kmem_cache_alloc_noprof+0x40f/0x700
[ 71.507025][ T5844] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 71.512644][ T5841] skb_clone+0x212/0x3a0
[ 71.525015][ T5844] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 71.527455][ T5841] hci_cmd_work+0xe2/0x7b0
[ 71.527481][ T5841] process_one_work+0x93a/0x15e0
[ 71.527495][ T5841] worker_thread+0x9b0/0xee0
[ 71.527510][ T5841] kthread+0x711/0x8a0
[ 71.606701][ T5844] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 71.611577][ T5841] ret_from_fork+0x599/0xb30
[ 71.618071][ T5844] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 71.622029][ T5841] ret_from_fork_asm+0x1a/0x30
[ 71.628129][ T5844] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 71.631178][ T5841] page last free pid 2 tgid 2 stack trace:
[ 71.636863][ T5844] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 71.640340][ T5841] __free_frozen_pages+0xbc8/0xd30
[ 71.646596][ T5844] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 71.650493][ T5841] __kasan_populate_vmalloc+0x1b2/0x1d0
[ 71.657375][ T5844] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 71.660972][ T5841] alloc_vmap_area+0xdca/0x1500
[ 71.667028][ T5844] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 71.670952][ T5841] __get_vm_area_node+0x1f8/0x300
[ 71.677135][ T5844] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 71.680836][ T5841] __vmalloc_node_range_noprof+0x371/0x16a0
[ 72.104702][ T5841] __vmalloc_node_noprof+0xc2/0x110
[ 72.109909][ T5841] dup_task_struct+0x3d4/0x830
[ 72.114774][ T5841] copy_process+0x4ea/0x3930
[ 72.119438][ T5841] kernel_clone+0x21e/0x850
[ 72.123933][ T5841] kernel_thread+0x10d/0x160
[ 72.128515][ T5841] kthreadd+0x575/0x770
[ 72.132837][ T5841] ret_from_fork+0x599/0xb30
[ 72.138036][ T5841] ret_from_fork_asm+0x1a/0x30
[ 72.142945][ T5841]
[ 72.145282][ T5841] Memory state around the buggy address:
[ 72.150984][ T5841] ffff888060222400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.159204][ T5841] ffff888060222480: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 72.167263][ T5841] >ffff888060222500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.175565][ T5841] ^
SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[ 72.181556][ T5841] ffff888060222580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 72.189870][ T5841] ffff888060222600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 72.198183][ T5841] ==================================================================
[ 72.208784][ T5841] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 72.216101][ T5841] CPU: 0 UID: 0 PID: 5841 Comm: kworker/u9:4 Not tainted syzkaller #0 PREEMPT(full)
[ 72.225576][ T5841] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 72.235817][ T5841] Workqueue: hci1 hci_cmd_work
[ 72.240678][ T5841] Call Trace:
[ 72.243943][ T5841]
[ 72.246960][ T5841] dump_stack_lvl+0x99/0x250
[ 72.251543][ T5841] ? __asan_memcpy+0x40/0x70
[ 72.256139][ T5841] ? __pfx_dump_stack_lvl+0x10/0x10
[ 72.261605][ T5841] ? __pfx__printk+0x10/0x10
[ 72.266295][ T5841] vpanic+0x237/0x6d0
[ 72.270261][ T5841] ? __pfx_vpanic+0x10/0x10
[ 72.274750][ T5841] ? preempt_schedule+0xae/0xc0
[ 72.279615][ T5841] ? __pfx_preempt_schedule+0x10/0x10
[ 72.284982][ T5841] panic+0xb9/0xc0
[ 72.288687][ T5841] ? __pfx_panic+0x10/0x10
[ 72.293192][ T5841] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 72.299097][ T5841] ? is_module_address+0x17/0xf0
[ 72.304124][ T5841] ? hci_cmd_work+0x5d0/0x7b0
[ 72.308886][ T5841] check_panic_on_warn+0x89/0xb0
[ 72.313920][ T5841] ? hci_cmd_work+0x5d0/0x7b0
[ 72.318674][ T5841] end_report+0x6f/0x160
[ 72.322903][ T5841] kasan_report+0x129/0x150
[ 72.327427][ T5841] ? hci_cmd_work+0x5d0/0x7b0
[ 72.332102][ T5841] hci_cmd_work+0x5d0/0x7b0
[ 72.336615][ T5841] ? process_one_work+0x868/0x15e0
[ 72.341723][ T5841] process_one_work+0x93a/0x15e0
[ 72.346664][ T5841] ? __lock_acquire+0xab9/0xd20
[ 72.351510][ T5841] ? __pfx_process_one_work+0x10/0x10
[ 72.356971][ T5841] ? assign_work+0x3a1/0x410
[ 72.361566][ T5841] worker_thread+0x9b0/0xee0
[ 72.366170][ T5841] kthread+0x711/0x8a0
[ 72.370247][ T5841] ? __pfx_worker_thread+0x10/0x10
[ 72.375528][ T5841] ? __pfx_kthread+0x10/0x10
[ 72.380395][ T5841] ? _raw_spin_unlock_irq+0x23/0x50
[ 72.385593][ T5841] ? lockdep_hardirqs_on+0x9c/0x150
[ 72.390781][ T5841] ? __pfx_kthread+0x10/0x10
[ 72.395360][ T5841] ret_from_fork+0x599/0xb30
[ 72.399942][ T5841] ? __pfx_ret_from_fork+0x10/0x10
[ 72.405300][ T5841] ? __switch_to_asm+0x39/0x70
[ 72.410055][ T5841] ? __switch_to_asm+0x33/0x70
[ 72.414893][ T5841] ? __pfx_kthread+0x10/0x10
[ 72.419498][ T5841] ret_from_fork_asm+0x1a/0x30
[ 72.424275][ T5841]
[ 72.427419][ T5841] Kernel Offset: disabled
[ 72.431992][ T5841] Rebooting in 86400 seconds..