last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.0.114' (ED25519) to the list of known hosts.
[ 79.866021][ T5812] cgroup: Unknown subsys name 'net'
[ 79.978364][ T5812] cgroup: Unknown subsys name 'cpuset'
[ 79.987754][ T5812] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 81.404145][ T5812] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 84.612143][ T5828] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 84.627267][ T5835] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 84.636543][ T5836] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 84.645465][ T5836] ==================================================================
[ 84.653571][ T5836] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[ 84.661137][ T5836] Read of size 2 at addr ffff88805f149cb8 by task kworker/u9:5/5836
[ 84.669106][ T5836]
[ 84.671440][ T5836] CPU: 1 UID: 0 PID: 5836 Comm: kworker/u9:5 Not tainted syzkaller #0 PREEMPT(full)
[ 84.671457][ T5836] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 84.671467][ T5836] Workqueue: hci2 hci_cmd_work
[ 84.671492][ T5836] Call Trace:
[ 84.671501][ T5836]
[ 84.671508][ T5836]  dump_stack_lvl+0x189/0x250
[ 84.671527][ T5836]  ? __virt_addr_valid+0x1c8/0x5c0
[ 84.671540][ T5836]  ? rcu_is_watching+0x15/0xb0
[ 84.671552][ T5836]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 84.671569][ T5836]  ? rcu_is_watching+0x15/0xb0
[ 84.671580][ T5836]  ? lock_release+0x4b/0x3d0
[ 84.671594][ T5836]  ? _raw_spin_lock_irqsave+0xb3/0xf0
[ 84.671609][ T5836]  ? __virt_addr_valid+0x1c8/0x5c0
[ 84.671621][ T5836]  ? __virt_addr_valid+0x4a5/0x5c0
[ 84.671633][ T5836]  print_report+0xca/0x240
[ 84.671649][ T5836]  ? hci_cmd_work+0x5d0/0x7b0
[ 84.671663][ T5836]  kasan_report+0x118/0x150
[ 84.671679][ T5836]  ? hci_cmd_work+0x5d0/0x7b0
[ 84.671695][ T5836]  hci_cmd_work+0x5d0/0x7b0
[ 84.671711][ T5836]  ? process_one_work+0x868/0x15e0
[ 84.671726][ T5836]  process_one_work+0x93a/0x15e0
[ 84.671740][ T5836]  ? __lock_acquire+0xab9/0xd20
[ 84.671761][ T5836]  ? __pfx_process_one_work+0x10/0x10
[ 84.671778][ T5836]  ? assign_work+0x3a1/0x410
[ 84.671794][ T5836]  worker_thread+0x9b0/0xee0
[ 84.671818][ T5836]  kthread+0x711/0x8a0
[ 84.671831][ T5836]  ? __pfx_worker_thread+0x10/0x10
[ 84.671846][ T5836]  ? __pfx_kthread+0x10/0x10
[ 84.671858][ T5836]  ? _raw_spin_unlock_irq+0x23/0x50
[ 84.671870][ T5836]  ? lockdep_hardirqs_on+0x9c/0x150
[ 84.671883][ T5836]  ? __pfx_kthread+0x10/0x10
[ 84.671895][ T5836]  ret_from_fork+0x599/0xb30
[ 84.671911][ T5836]  ? __pfx_ret_from_fork+0x10/0x10
[ 84.671929][ T5836]  ? __switch_to_asm+0x39/0x70
[ 84.671941][ T5836]  ? __switch_to_asm+0x33/0x70
[ 84.671952][ T5836]  ? __pfx_kthread+0x10/0x10
[ 84.671963][ T5836]  ret_from_fork_asm+0x1a/0x30
[ 84.671980][ T5836]
[ 84.671985][ T5836]
[ 84.868145][ T5836] Allocated by task 52:
[ 84.872655][ T5836]  kasan_save_track+0x3e/0x80
[ 84.877434][ T5836]  __kasan_slab_alloc+0x6c/0x80
[ 84.882523][ T5836]  kmem_cache_alloc_node_noprof+0x43c/0x710
[ 84.889054][ T5836]  __alloc_skb+0x112/0x2d0
[ 84.893588][ T5836]  hci_cmd_sync_alloc+0x3d/0x3b0
[ 84.898585][ T5836]  __hci_cmd_sync_sk+0x1a7/0xc70
[ 84.904153][ T5836]  hci_dev_open_sync+0x14b2/0x2dc0
[ 84.909351][ T5836]  hci_power_on+0x1b4/0x720
[ 84.914329][ T5836]  process_one_work+0x93a/0x15e0
[ 84.919537][ T5836]  worker_thread+0x9b0/0xee0
[ 84.924649][ T5836]  kthread+0x711/0x8a0
[ 84.928917][ T5836]  ret_from_fork+0x599/0xb30
[ 84.933695][ T5836]  ret_from_fork_asm+0x1a/0x30
[ 84.938558][ T5836]
[ 84.940986][ T5836] Freed by task 5831:
[ 84.945047][ T5836]  kasan_save_track+0x3e/0x80
[ 84.950087][ T5836]  kasan_save_free_info+0x46/0x50
[ 84.955240][ T5836]  __kasan_slab_free+0x5c/0x80
[ 84.960215][ T5836]  kmem_cache_free+0x197/0x640
[ 84.965341][ T5836]  vhci_read+0x49a/0x5b0
[ 84.969591][ T5836]  vfs_read+0x200/0xa30
[ 84.973745][ T5836]  ksys_read+0x145/0x250
[ 84.978288][ T5836]  do_syscall_64+0xfa/0xfa0
[ 84.982792][ T5836]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.988679][ T5836]
[ 84.991012][ T5836] The buggy address belongs to the object at ffff88805f149c80
[ 84.991012][ T5836]  which belongs to the cache skbuff_head_cache of size 240
[ 85.005660][ T5836] The buggy address is located 56 bytes inside of
[ 85.005660][ T5836]  freed 240-byte region [ffff88805f149c80, ffff88805f149d70)
[ 85.019780][ T5836]
[ 85.022098][ T5836] The buggy address belongs to the physical page:
[ 85.028574][ T5836] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5f149
[ 85.037605][ T5836] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 85.044794][ T5836] page_type: f5(slab)
[ 85.049212][ T5836] raw: 00fff00000000000 ffff88801e6f6a00 dead000000000122 0000000000000000
[ 85.057878][ T5836] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
[ 85.066647][ T5836] page dumped because: kasan: bad access detected
[ 85.073074][ T5836] page_owner tracks the page as allocated
[ 85.078774][ T5836] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 52, tgid 52 (kworker/u9:0), ts 84595574493, free_ts 26238754968
[ 85.098662][ T5836]  post_alloc_hook+0x240/0x2a0
[ 85.103547][ T5836]  get_page_from_freelist+0x2365/0x2440
[ 85.109587][ T5836]  __alloc_frozen_pages_noprof+0x181/0x370
[ 85.115956][ T5836]  alloc_pages_mpol+0x232/0x4a0
[ 85.120840][ T5836]  allocate_slab+0x86/0x3b0
[ 85.125354][ T5836]  ___slab_alloc+0xf56/0x1990
[ 85.130218][ T5836]  __slab_alloc+0x65/0x100
[ 85.134820][ T5836]  kmem_cache_alloc_noprof+0x40f/0x700
[ 85.140278][ T5836]  skb_clone+0x212/0x3a0
[ 85.144704][ T5836]  hci_cmd_work+0x2f7/0x7b0
[ 85.149678][ T5836]  process_one_work+0x93a/0x15e0
[ 85.154712][ T5836]  worker_thread+0x9b0/0xee0
[ 85.159758][ T5836]  kthread+0x711/0x8a0
[ 85.163825][ T5836]  ret_from_fork+0x599/0xb30
[ 85.168410][ T5836]  ret_from_fork_asm+0x1a/0x30
[ 85.173309][ T5836] page last free pid 1 tgid 1 stack trace:
[ 85.179107][ T5836]  __free_frozen_pages+0xbc8/0xd30
[ 85.184337][ T5836]  free_contig_range+0x1bd/0x4a0
[ 85.189368][ T5836]  destroy_args+0x69/0x660
[ 85.194065][ T5836]  debug_vm_pgtable+0x38f/0x3a0
[ 85.199098][ T5836]  do_one_initcall+0x1fb/0x870
[ 85.203945][ T5836]  do_initcall_level+0x104/0x190
[ 85.209063][ T5836]  do_initcalls+0x59/0xa0
[ 85.213406][ T5836]  kernel_init_freeable+0x334/0x4b0
[ 85.218621][ T5836]  kernel_init+0x1d/0x1d0
[ 85.223087][ T5836]  ret_from_fork+0x599/0xb30
[ 85.227936][ T5836]  ret_from_fork_asm+0x1a/0x30
[ 85.232730][ T5836]
[ 85.235144][ T5836] Memory state around the buggy address:
[ 85.240764][ T5836]  ffff88805f149b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 85.248861][ T5836]  ffff88805f149c00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 85.256928][ T5836] >ffff88805f149c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.265321][ T5836]                                         ^
[ 85.271411][ T5836]  ffff88805f149d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 85.279904][ T5836]  ffff88805f149d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 85.288083][ T5836] ==================================================================
[ 85.313149][ T5836] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 85.321088][ T5836] CPU: 1 UID: 0 PID: 5836 Comm: kworker/u9:5 Not tainted syzkaller #0 PREEMPT(full)
[ 85.331086][ T5836] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 85.342343][ T5836] Workqueue: hci2 hci_cmd_work
[ 85.347134][ T5836] Call Trace:
[ 85.350605][ T5836]
[ 85.353672][ T5836]  dump_stack_lvl+0x99/0x250
[ 85.358709][ T5836]  ? __asan_memcpy+0x40/0x70
[ 85.363768][ T5836]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 85.368992][ T5836]  ? __pfx__printk+0x10/0x10
[ 85.373717][ T5836]  vpanic+0x237/0x6d0
[ 85.377985][ T5836]  ? __pfx_vpanic+0x10/0x10
[ 85.382705][ T5836]  ? preempt_schedule+0xae/0xc0
[ 85.388449][ T5836]  ? __pfx_preempt_schedule+0x10/0x10
[ 85.393993][ T5836]  panic+0xb9/0xc0
[ 85.398088][ T5836]  ? __pfx_panic+0x10/0x10
[ 85.402592][ T5836]  ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 85.408669][ T5836]  ? is_module_address+0x17/0xf0
[ 85.413930][ T5836]  ? hci_cmd_work+0x5d0/0x7b0
[ 85.418646][ T5836]  check_panic_on_warn+0x89/0xb0
[ 85.424601][ T5836]  ? hci_cmd_work+0x5d0/0x7b0
[ 85.429832][ T5836]  end_report+0x6f/0x160
[ 85.434274][ T5836]  kasan_report+0x129/0x150
[ 85.438858][ T5836]  ? hci_cmd_work+0x5d0/0x7b0
[ 85.443630][ T5836]  hci_cmd_work+0x5d0/0x7b0
[ 85.448151][ T5836]  ? process_one_work+0x868/0x15e0
[ 85.453463][ T5836]  process_one_work+0x93a/0x15e0
[ 85.458607][ T5836]  ? __lock_acquire+0xab9/0xd20
[ 85.463480][ T5836]  ? __pfx_process_one_work+0x10/0x10
[ 85.469059][ T5836]  ? assign_work+0x3a1/0x410
[ 85.473835][ T5836]  worker_thread+0x9b0/0xee0
[ 85.478609][ T5836]  kthread+0x711/0x8a0
[ 85.482949][ T5836]  ? __pfx_worker_thread+0x10/0x10
[ 85.488060][ T5836]  ? __pfx_kthread+0x10/0x10
[ 85.492736][ T5836]  ? _raw_spin_unlock_irq+0x23/0x50
[ 85.498115][ T5836]  ? lockdep_hardirqs_on+0x9c/0x150
[ 85.503354][ T5836]  ? __pfx_kthread+0x10/0x10
[ 85.508146][ T5836]  ret_from_fork+0x599/0xb30
[ 85.513364][ T5836]  ? __pfx_ret_from_fork+0x10/0x10
[ 85.518930][ T5836]  ? __switch_to_asm+0x39/0x70
[ 85.523797][ T5836]  ? __switch_to_asm+0x33/0x70
[ 85.528737][ T5836]  ? __pfx_kthread+0x10/0x10
[ 85.534134][ T5836]  ret_from_fork_asm+0x1a/0x30
[ 85.539121][ T5836]
[ 85.542805][ T5836] Kernel Offset: disabled
[ 85.547242][ T5836] Rebooting in 86400 seconds..