last executing test programs: kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.1.10' (ED25519) to the list of known hosts.
[ 69.705573][ T5813] cgroup: Unknown subsys name 'net'
[ 69.855268][ T5813] cgroup: Unknown subsys name 'cpuset'
[ 69.863876][ T5813] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 71.286742][ T5813] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 71.649100][ T1296] ieee802154 phy0 wpan0: encryption failed: -22
[ 71.655914][ T1296] ieee802154 phy1 wpan1: encryption failed: -22
[ 73.420777][ T5832] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 73.430533][ T5832] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 73.440629][ T5832] ==================================================================
[ 73.448377][ T5842] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 73.448720][ T5832] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[ 73.457884][ T5842] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 73.463142][ T5832] Read of size 2 at addr ffff8880780e4a38 by task kworker/u9:3/5832
[ 73.463162][ T5832]
[ 73.463194][ T5832] CPU: 0 UID: 0 PID: 5832 Comm: kworker/u9:3 Not tainted syzkaller #0 PREEMPT(full)
[ 73.463210][ T5832] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 73.463221][ T5832] Workqueue: hci2 hci_cmd_work
[ 73.463251][ T5832] Call Trace:
[ 73.463259][ T5832]
[ 73.463266][ T5832] dump_stack_lvl+0x189/0x250
[ 73.463295][ T5832] ? __virt_addr_valid+0x1c8/0x5c0
[ 73.463312][ T5832] ? rcu_is_watching+0x15/0xb0
[ 73.463327][ T5832] ? __pfx_dump_stack_lvl+0x10/0x10
[ 73.463347][ T5832] ? rcu_is_watching+0x15/0xb0
[ 73.463361][ T5832] ? lock_release+0x4b/0x3d0
[ 73.463380][ T5832] ? _raw_spin_lock_irqsave+0xb3/0xf0
[ 73.463398][ T5832] ? __virt_addr_valid+0x1c8/0x5c0
[ 73.463413][ T5832] ? __virt_addr_valid+0x4a5/0x5c0
[ 73.463430][ T5832] print_report+0xca/0x240
[ 73.463449][ T5832] ? hci_cmd_work+0x5d0/0x7b0
[ 73.463466][ T5832] kasan_report+0x118/0x150
[ 73.463487][ T5832] ? hci_cmd_work+0x5d0/0x7b0
[ 73.463508][ T5832] hci_cmd_work+0x5d0/0x7b0
[ 73.463528][ T5832] ? process_one_work+0x868/0x15e0
[ 73.463546][ T5832] process_one_work+0x93a/0x15e0
[ 73.463564][ T5832] ? __lock_acquire+0xab9/0xd20
[ 73.463589][ T5832] ? __pfx_process_one_work+0x10/0x10
[ 73.463609][ T5832] ? assign_work+0x3a1/0x410
[ 73.463630][ T5832] worker_thread+0x9b0/0xee0
[ 73.463660][ T5832] kthread+0x711/0x8a0
[ 73.463677][ T5832] ? __pfx_worker_thread+0x10/0x10
[ 73.463695][ T5832] ? __pfx_kthread+0x10/0x10
[ 73.463710][ T5832] ? _raw_spin_unlock_irq+0x23/0x50
[ 73.463726][ T5832] ? lockdep_hardirqs_on+0x9c/0x150
[ 73.463743][ T5832] ? __pfx_kthread+0x10/0x10
[ 73.463758][ T5832] ret_from_fork+0x599/0xb30
[ 73.463778][ T5832] ? __pfx_ret_from_fork+0x10/0x10
[ 73.463800][ T5832] ? __switch_to_asm+0x39/0x70
[ 73.463815][ T5832] ? __switch_to_asm+0x33/0x70
[ 73.463829][ T5832] ? __pfx_kthread+0x10/0x10
[ 73.463850][ T5832] ret_from_fork_asm+0x1a/0x30
[ 73.463876][ T5832]
[ 73.463882][ T5832]
[ 73.471663][ T5842] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 73.478261][ T5832] Allocated by task 52:
[ 73.478277][ T5832] kasan_save_track+0x3e/0x80
[ 73.478303][ T5832] __kasan_slab_alloc+0x6c/0x80
[ 73.478317][ T5832] kmem_cache_alloc_node_noprof+0x43c/0x710
[ 73.478332][ T5832] __alloc_skb+0x112/0x2d0
[ 73.482506][ T5842] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 73.490136][ T5832] hci_cmd_sync_alloc+0x3d/0x3b0
[ 73.504464][ T5842] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 73.504944][ T5832] __hci_cmd_sync_sk+0x1a7/0xc70
[ 73.509076][ T5842] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 73.511139][ T5832] hci_dev_open_sync+0x14b2/0x2dc0
[ 73.517899][ T5842] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 73.520899][ T5832] hci_power_on+0x1b4/0x720
[ 73.527161][ T5842] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 73.530833][ T5832] process_one_work+0x93a/0x15e0
[ 73.536110][ T5842] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 73.540151][ T5832] worker_thread+0x9b0/0xee0
[ 73.548573][ T5842] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 73.550602][ T5832] kthread+0x711/0x8a0
[ 73.556487][ T5842] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 73.560104][ T5832] ret_from_fork+0x599/0xb30
[ 73.569540][ T5842] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 73.574003][ T5832] ret_from_fork_asm+0x1a/0x30
[ 73.574027][ T5832]
[ 73.574032][ T5832] Freed by task 5830:
[ 73.574040][ T5832] kasan_save_track+0x3e/0x80
[ 73.574055][ T5832] kasan_save_free_info+0x46/0x50
[ 73.593120][ T5844] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 73.593527][ T5832] __kasan_slab_free+0x5c/0x80
[ 73.599747][ T5844] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 73.603461][ T5832] kmem_cache_free+0x197/0x640
[ 73.603483][ T5832] vhci_read+0x49a/0x5b0
[ 73.603507][ T5832] vfs_read+0x200/0xa30
[ 73.603521][ T5832] ksys_read+0x145/0x250
[ 73.609296][ T5844] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 73.612237][ T5832] do_syscall_64+0xfa/0xfa0
[ 73.612261][ T5832] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 73.612274][ T5832]
[ 73.612279][ T5832] The buggy address belongs to the object at ffff8880780e4a00
[ 73.612279][ T5832] which belongs to the cache skbuff_head_cache of size 240
[ 73.632541][ T5844] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 73.637016][ T5832] The buggy address is located 56 bytes inside of
[ 73.637016][ T5832] freed 240-byte region [ffff8880780e4a00, ffff8880780e4af0)
[ 73.643126][ T5844] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 73.646780][ T5832]
[ 73.646790][ T5832] The buggy address belongs to the physical page:
[ 73.653019][ T5844] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 73.656816][ T5832] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x780e4
[ 73.662197][ T5844] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 73.666490][ T5832] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 73.961458][ T5832] page_type: f5(slab)
[ 73.965614][ T5832] raw: 00fff00000000000 ffff88801e6e0a00 dead000000000122 0000000000000000
[ 73.974190][ T5832] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
[ 73.982757][ T5832] page dumped because: kasan: bad access detected
[ 73.989250][ T5832] page_owner tracks the page as allocated
[ 73.994955][ T5832] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5831, tgid 5831 (kworker/u9:2), ts 73408675144, free_ts 73402165428
[ 74.014213][ T5832] post_alloc_hook+0x240/0x2a0
[ 74.018969][ T5832] get_page_from_freelist+0x2365/0x2440
[ 74.024501][ T5832] __alloc_frozen_pages_noprof+0x181/0x370
[ 74.030301][ T5832] alloc_pages_mpol+0x232/0x4a0
[ 74.035137][ T5832] allocate_slab+0x86/0x3b0
[ 74.039627][ T5832] ___slab_alloc+0xf56/0x1990
[ 74.044298][ T5832] __slab_alloc+0x65/0x100
[ 74.048698][ T5832] kmem_cache_alloc_noprof+0x40f/0x700
[ 74.054146][ T5832] skb_clone+0x212/0x3a0
[ 74.058389][ T5832] hci_cmd_work+0xe2/0x7b0
[ 74.062897][ T5832] process_one_work+0x93a/0x15e0
[ 74.067827][ T5832] worker_thread+0x9b0/0xee0
[ 74.072494][ T5832] kthread+0x711/0x8a0
[ 74.076590][ T5832] ret_from_fork+0x599/0xb30
[ 74.081196][ T5832] ret_from_fork_asm+0x1a/0x30
[ 74.085946][ T5832] page last free pid 15 tgid 15 stack trace:
[ 74.091905][ T5832] __free_frozen_pages+0xbc8/0xd30
[ 74.097007][ T5832] rcu_core+0xcab/0x1770
[ 74.101246][ T5832] handle_softirqs+0x27d/0x880
[ 74.105997][ T5832] run_ksoftirqd+0x9b/0x100
[ 74.110490][ T5832] smpboot_thread_fn+0x542/0xa60
[ 74.115421][ T5832] kthread+0x711/0x8a0
[ 74.119487][ T5832] ret_from_fork+0x599/0xb30
[ 74.124061][ T5832] ret_from_fork_asm+0x1a/0x30
[ 74.128811][ T5832]
[ 74.131120][ T5832] Memory state around the buggy address:
[ 74.136733][ T5832] ffff8880780e4900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.144779][ T5832] ffff8880780e4980: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 74.152913][ T5832] >ffff8880780e4a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.160956][ T5832] ^
[ 74.166833][ T5832] ffff8880780e4a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 74.174878][ T5832] ffff8880780e4b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 74.182923][ T5832] ==================================================================
[ 74.193933][ T5832] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 74.201154][ T5832] CPU: 0 UID: 0 PID: 5832 Comm: kworker/u9:3 Not tainted syzkaller #0 PREEMPT(full)
[ 74.210983][ T5832] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 74.221306][ T5832] Workqueue: hci2 hci_cmd_work
[ 74.226098][ T5832] Call Trace:
[ 74.229383][ T5832]
[ 74.232317][ T5832] dump_stack_lvl+0x99/0x250
[ 74.236917][ T5832] ? __asan_memcpy+0x40/0x70
[ 74.241518][ T5832] ? __pfx_dump_stack_lvl+0x10/0x10
[ 74.246728][ T5832] ? __pfx__printk+0x10/0x10
[ 74.251336][ T5832] vpanic+0x237/0x6d0
[ 74.255323][ T5832] ? __pfx_vpanic+0x10/0x10
[ 74.259816][ T5832] ? preempt_schedule+0xae/0xc0
[ 74.264653][ T5832] ? __pfx_preempt_schedule+0x10/0x10
[ 74.270020][ T5832] panic+0xb9/0xc0
[ 74.273728][ T5832] ? __pfx_panic+0x10/0x10
[ 74.278393][ T5832] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 74.284276][ T5832] ? is_module_address+0x17/0xf0
[ 74.289203][ T5832] ? hci_cmd_work+0x5d0/0x7b0
[ 74.293867][ T5832] check_panic_on_warn+0x89/0xb0
[ 74.298812][ T5832] ? hci_cmd_work+0x5d0/0x7b0
[ 74.303475][ T5832] end_report+0x6f/0x160
[ 74.307707][ T5832] kasan_report+0x129/0x150
[ 74.312217][ T5832] ? hci_cmd_work+0x5d0/0x7b0
[ 74.316886][ T5832] hci_cmd_work+0x5d0/0x7b0
[ 74.321389][ T5832] ? process_one_work+0x868/0x15e0
[ 74.326494][ T5832] process_one_work+0x93a/0x15e0
[ 74.331507][ T5832] ? __lock_acquire+0xab9/0xd20
[ 74.336353][ T5832] ? __pfx_process_one_work+0x10/0x10
[ 74.341715][ T5832] ? assign_work+0x3a1/0x410
[ 74.346296][ T5832] worker_thread+0x9b0/0xee0
[ 74.350882][ T5832] kthread+0x711/0x8a0
[ 74.354940][ T5832] ? __pfx_worker_thread+0x10/0x10
[ 74.360042][ T5832] ? __pfx_kthread+0x10/0x10
[ 74.364619][ T5832] ? _raw_spin_unlock_irq+0x23/0x50
[ 74.369803][ T5832] ? lockdep_hardirqs_on+0x9c/0x150
[ 74.375008][ T5832] ? __pfx_kthread+0x10/0x10
[ 74.380019][ T5832] ret_from_fork+0x599/0xb30
[ 74.384600][ T5832] ? __pfx_ret_from_fork+0x10/0x10
[ 74.389703][ T5832] ? __switch_to_asm+0x39/0x70
[ 74.394453][ T5832] ? __switch_to_asm+0x33/0x70
[ 74.399204][ T5832] ? __pfx_kthread+0x10/0x10
[ 74.403782][ T5832] ret_from_fork_asm+0x1a/0x30
[ 74.408536][ T5832]
[ 74.411946][ T5832] Kernel Offset: disabled
[ 74.416267][ T5832] Rebooting in 86400 seconds..