last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.1.76' (ED25519) to the list of known hosts.
[   82.082673][ T5820] cgroup: Unknown subsys name 'net'
[   82.204202][ T5820] cgroup: Unknown subsys name 'cpuset'
[   82.213207][ T5820] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   83.950859][ T5820] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k
[   86.082898][ T5843] ==================================================================
[   86.091017][ T5843] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[   86.091208][   T52] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   86.098504][ T5843] Read of size 2 at addr ffff88805c81a8f8 by task kworker/u9:5/5843
[   86.098527][ T5843] 
[   86.106933][   T52] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   86.113485][ T5843] CPU: 1 UID: 0 PID: 5843 Comm: kworker/u9:5 Not tainted syzkaller #0 PREEMPT(full) 
[   86.113508][ T5843] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[   86.113520][ T5843] Workqueue: hci3 hci_cmd_work
[   86.113552][ T5843] Call Trace:
[   86.113561][ T5843]  <TASK>
[   86.113568][ T5843]  dump_stack_lvl+0x189/0x250
[   86.113590][ T5843]  ? __virt_addr_valid+0x1c8/0x5c0
[   86.113612][ T5843]  ? rcu_is_watching+0x15/0xb0
[   86.113634][ T5843]  ? __pfx_dump_stack_lvl+0x10/0x10
[   86.113653][ T5843]  ? rcu_is_watching+0x15/0xb0
[   86.113672][ T5843]  ? lock_release+0x4b/0x3d0
[   86.113689][ T5843]  ? _raw_spin_lock_irqsave+0xb3/0xf0
[   86.113711][ T5843]  ? __virt_addr_valid+0x1c8/0x5c0
[   86.113733][ T5843]  ? __virt_addr_valid+0x4a5/0x5c0
[   86.113755][ T5843]  print_report+0xca/0x240
[   86.113778][ T5843]  ? hci_cmd_work+0x5d0/0x7b0
[   86.113799][ T5843]  kasan_report+0x118/0x150
[   86.113818][ T5843]  ? hci_cmd_work+0x5d0/0x7b0
[   86.113844][ T5843]  hci_cmd_work+0x5d0/0x7b0
[   86.113869][ T5843]  ? process_one_work+0x868/0x15e0
[   86.113885][ T5843]  process_one_work+0x93a/0x15e0
[   86.113901][ T5843]  ? __lock_acquire+0xab9/0xd20
[   86.113925][ T5843]  ? __pfx_process_one_work+0x10/0x10
[   86.113944][ T5843]  ? assign_work+0x3a1/0x410
[   86.113962][ T5843]  worker_thread+0x9b0/0xee0
[   86.113988][ T5843]  kthread+0x711/0x8a0
[   86.114009][ T5843]  ? __pfx_worker_thread+0x10/0x10
[   86.114026][ T5843]  ? __pfx_kthread+0x10/0x10
[   86.114047][ T5843]  ? _raw_spin_unlock_irq+0x23/0x50
[   86.114067][ T5843]  ? lockdep_hardirqs_on+0x9c/0x150
[   86.114088][ T5843]  ? __pfx_kthread+0x10/0x10
[   86.114108][ T5843]  ret_from_fork+0x599/0xb30
[   86.114126][ T5843]  ? __pfx_ret_from_fork+0x10/0x10
[   86.114146][ T5843]  ? __switch_to_asm+0x39/0x70
[   86.114167][ T5843]  ? __switch_to_asm+0x33/0x70
[   86.114187][ T5843]  ? __pfx_kthread+0x10/0x10
[   86.114207][ T5843]  ret_from_fork_asm+0x1a/0x30
[   86.114235][ T5843]  </TASK>
[   86.114241][ T5843] 
[   86.116941][   T52] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   86.122845][ T5843] Allocated by task 5841:
[   86.122858][ T5843]  kasan_save_track+0x3e/0x80
[   86.122878][ T5843]  __kasan_slab_alloc+0x6c/0x80
[   86.122893][ T5843]  kmem_cache_alloc_node_noprof+0x43c/0x710
[   86.122916][ T5843]  __alloc_skb+0x112/0x2d0
[   86.122934][ T5843]  hci_cmd_sync_alloc+0x3d/0x3b0
[   86.122958][ T5843]  __hci_cmd_sync_sk+0x1a7/0xc70
[   86.122981][ T5843]  hci_reset_sync+0x4a/0x140
[   86.123000][ T5843]  hci_dev_open_sync+0xec5/0x2dc0
[   86.123019][ T5843]  hci_power_on+0x1b4/0x720
[   86.123034][ T5843]  process_one_work+0x93a/0x15e0
[   86.123051][ T5843]  worker_thread+0x9b0/0xee0
[   86.123068][ T5843]  kthread+0x711/0x8a0
[   86.123090][ T5843]  ret_from_fork+0x599/0xb30
[   86.123106][ T5843]  ret_from_fork_asm+0x1a/0x30
[   86.123131][ T5843] 
[   86.123136][ T5843] Freed by task 5839:
[   86.123145][ T5843]  kasan_save_track+0x3e/0x80
[   86.123160][ T5843]  kasan_save_free_info+0x46/0x50
[   86.123181][ T5843]  __kasan_slab_free+0x5c/0x80
[   86.123197][ T5843]  kmem_cache_free+0x197/0x640
[   86.123213][ T5843]  vhci_read+0x49a/0x5b0
[   86.123238][ T5843]  vfs_read+0x200/0xa30
[   86.123250][ T5843]  ksys_read+0x145/0x250
[   86.123262][ T5843]  do_syscall_64+0xfa/0xfa0
[   86.135608][   T52] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   86.142891][ T5843]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.142916][ T5843] 
[   86.142921][ T5843] The buggy address belongs to the object at ffff88805c81a8c0
[   86.142921][ T5843]  which belongs to the cache skbuff_head_cache of size 240
[   86.142937][ T5843] The buggy address is located 56 bytes inside of
[   86.142937][ T5843]  freed 240-byte region [ffff88805c81a8c0, ffff88805c81a9b0)
[   86.142954][ T5843] 
[   86.142959][ T5843] The buggy address belongs to the physical page:
[   86.142970][ T5843] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5c81a
[   86.142987][ T5843] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   86.143003][ T5843] page_type: f5(slab)
[   86.143019][ T5843] raw: 00fff00000000000 ffff88801dee2a00 dead000000000122 0000000000000000
[   86.143034][ T5843] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
[   86.143042][ T5843] page dumped because: kasan: bad access detected
[   86.143051][ T5843] page_owner tracks the page as allocated
[   86.143057][ T5843] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5831, tgid 5831 (udevd), ts 86076254867, free_ts 86069347401
[   86.143087][ T5843]  post_alloc_hook+0x240/0x2a0
[   86.143114][ T5843]  get_page_from_freelist+0x2365/0x2440
[   86.143133][ T5843]  __alloc_frozen_pages_noprof+0x181/0x370
[   86.143151][ T5843]  alloc_pages_mpol+0x232/0x4a0
[   86.143169][ T5843]  allocate_slab+0x86/0x3b0
[   86.143188][ T5843]  ___slab_alloc+0xf56/0x1990
[   86.143207][ T5843]  __slab_alloc+0x65/0x100
[   86.143223][ T5843]  kmem_cache_alloc_noprof+0x40f/0x700
[   86.143247][ T5843]  skb_clone+0x212/0x3a0
[   86.143268][ T5843]  netlink_broadcast_filtered+0x6ae/0x1000
[   86.143288][ T5843]  netlink_sendmsg+0x7ae/0xb30
[   86.143307][ T5843]  __sock_sendmsg+0x21c/0x270
[   86.143330][ T5843]  ____sys_sendmsg+0x505/0x870
[   86.143348][ T5843]  ___sys_sendmsg+0x21f/0x2a0
[   86.143365][ T5843]  __x64_sys_sendmsg+0x19b/0x260
[   86.143385][ T5843]  do_syscall_64+0xfa/0xfa0
[   86.143417][ T5843] page last free pid 2 tgid 2 stack trace:
[   86.143427][ T5843]  __free_frozen_pages+0xbc8/0xd30
[   86.646341][ T5843]  __kasan_populate_vmalloc+0x1b2/0x1d0
[   86.651908][ T5843]  alloc_vmap_area+0xdca/0x1500
[   86.656854][ T5843]  __get_vm_area_node+0x1f8/0x300
[   86.661890][ T5843]  __vmalloc_node_range_noprof+0x371/0x16a0
[   86.667815][ T5843]  __vmalloc_node_noprof+0xc2/0x110
[   86.673038][ T5843]  dup_task_struct+0x3d4/0x830
[   86.677808][ T5843]  copy_process+0x4ea/0x3930
[   86.682483][ T5843]  kernel_clone+0x21e/0x850
[   86.686987][ T5843]  kernel_thread+0x10d/0x160
[   86.691577][ T5843]  kthreadd+0x575/0x770
[   86.695732][ T5843]  ret_from_fork+0x599/0xb30
[   86.700317][ T5843]  ret_from_fork_asm+0x1a/0x30
[   86.705083][ T5843] 
[   86.707497][ T5843] Memory state around the buggy address:
[   86.713220][ T5843]  ffff88805c81a780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   86.721293][ T5843]  ffff88805c81a800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[   86.729516][ T5843] >ffff88805c81a880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   86.737593][ T5843]                                                                 ^
[   86.745583][ T5843]  ffff88805c81a900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   86.753652][ T5843]  ffff88805c81a980: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[   86.761709][ T5843] ==================================================================
[   86.770678][   T52] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   86.779100][   T52] ==================================================================
[   86.781804][ T5843] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   86.781823][ T5843] CPU: 1 UID: 0 PID: 5843 Comm: kworker/u9:5 Not tainted syzkaller #0 PREEMPT(full) 
[   86.781843][ T5843] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[   86.781855][ T5843] Workqueue: hci3 hci_cmd_work
[   86.781887][ T5843] Call Trace:
[   86.781894][ T5843]  <TASK>
[   86.781901][ T5843]  dump_stack_lvl+0x99/0x250
[   86.781925][ T5843]  ? __asan_memcpy+0x40/0x70
[   86.781949][ T5843]  ? __pfx_dump_stack_lvl+0x10/0x10
[   86.781968][ T5843]  ? __pfx__printk+0x10/0x10
[   86.781992][ T5843]  vpanic+0x237/0x6d0
[   86.782007][ T5843]  ? __pfx_vpanic+0x10/0x10
[   86.782022][ T5843]  ? preempt_schedule+0xae/0xc0
[   86.782043][ T5843]  ? __pfx_preempt_schedule+0x10/0x10
[   86.782074][ T5843]  panic+0xb9/0xc0
[   86.782089][ T5843]  ? __pfx_panic+0x10/0x10
[   86.782106][ T5843]  ? _raw_spin_unlock_irqrestore+0xfd/0x110
[   86.782130][ T5843]  ? is_module_address+0x17/0xf0
[   86.782147][ T5843]  ? hci_cmd_work+0x5d0/0x7b0
[   86.782170][ T5843]  check_panic_on_warn+0x89/0xb0
[   86.782193][ T5843]  ? hci_cmd_work+0x5d0/0x7b0
[   86.782216][ T5843]  end_report+0x6f/0x160
[   86.782234][ T5843]  kasan_report+0x129/0x150
[   86.782252][ T5843]  ? hci_cmd_work+0x5d0/0x7b0
[   86.782279][ T5843]  hci_cmd_work+0x5d0/0x7b0
[   86.782303][ T5843]  ? process_one_work+0x868/0x15e0
[   86.782320][ T5843]  process_one_work+0x93a/0x15e0
[   86.782336][ T5843]  ? __lock_acquire+0xab9/0xd20
[   86.782361][ T5843]  ? __pfx_process_one_work+0x10/0x10
[   86.782381][ T5843]  ? assign_work+0x3a1/0x410
[   86.782399][ T5843]  worker_thread+0x9b0/0xee0
[   86.782426][ T5843]  kthread+0x711/0x8a0
[   86.782447][ T5843]  ? __pfx_worker_thread+0x10/0x10
[   86.782465][ T5843]  ? __pfx_kthread+0x10/0x10
[   86.782486][ T5843]  ? _raw_spin_unlock_irq+0x23/0x50
[   86.782506][ T5843]  ? lockdep_hardirqs_on+0x9c/0x150
[   86.782527][ T5843]  ? __pfx_kthread+0x10/0x10
[   86.782548][ T5843]  ret_from_fork+0x599/0xb30
[   86.782566][ T5843]  ? __pfx_ret_from_fork+0x10/0x10
[   86.782586][ T5843]  ? __switch_to_asm+0x39/0x70
[   86.782607][ T5843]  ? __switch_to_asm+0x33/0x70
[   86.782627][ T5843]  ? __pfx_kthread+0x10/0x10
[   86.782648][ T5843]  ret_from_fork_asm+0x1a/0x30
[   86.782676][ T5843]  </TASK>
[   87.004352][ T5843] Kernel Offset: disabled
[   87.008677][ T5843] Rebooting in 86400 seconds..