last executing test programs:

kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.0.133' (ED25519) to the list of known hosts.
[ 79.093486][ T5817] cgroup: Unknown subsys name 'net'
[ 79.202082][ T5817] cgroup: Unknown subsys name 'cpuset'
[ 79.211276][ T5817] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 80.884914][ T5817] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 83.800978][ T5836] ==================================================================
[ 83.809187][ T5836] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[ 83.816691][ T5836] Read of size 2 at addr ffff88805d9587b8 by task kworker/u9:4/5836
[ 83.824702][ T5836]
[ 83.827075][ T5836] CPU: 1 UID: 0 PID: 5836 Comm: kworker/u9:4 Not tainted syzkaller #0 PREEMPT(full)
[ 83.827100][ T5836] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 83.827114][ T5836] Workqueue: hci2 hci_cmd_work
[ 83.827158][ T5836] Call Trace:
[ 83.827170][ T5836]
[ 83.827178][ T5836] dump_stack_lvl+0x189/0x250
[ 83.827205][ T5836] ? __virt_addr_valid+0x1c8/0x5c0
[ 83.827234][ T5836] ? rcu_is_watching+0x15/0xb0
[ 83.827260][ T5836] ? __pfx_dump_stack_lvl+0x10/0x10
[ 83.827284][ T5836] ? rcu_is_watching+0x15/0xb0
[ 83.827314][ T5836] ? lock_release+0x4b/0x3d0
[ 83.827334][ T5836] ? _raw_spin_lock_irqsave+0xb3/0xf0
[ 83.827361][ T5836] ? __virt_addr_valid+0x1c8/0x5c0
[ 83.827388][ T5836] ? __virt_addr_valid+0x4a5/0x5c0
[ 83.827417][ T5836] print_report+0xca/0x240
[ 83.827444][ T5836] ? hci_cmd_work+0x5d0/0x7b0
[ 83.827472][ T5836] kasan_report+0x118/0x150
[ 83.827495][ T5836] ? hci_cmd_work+0x5d0/0x7b0
[ 83.827529][ T5836] hci_cmd_work+0x5d0/0x7b0
[ 83.827561][ T5836] ? process_one_work+0x868/0x15e0
[ 83.827580][ T5836] process_one_work+0x93a/0x15e0
[ 83.827600][ T5836] ? __lock_acquire+0xab9/0xd20
[ 83.827630][ T5836] ? __pfx_process_one_work+0x10/0x10
[ 83.827655][ T5836] ? assign_work+0x3a1/0x410
[ 83.827677][ T5836] worker_thread+0x9b0/0xee0
[ 83.827711][ T5836] kthread+0x711/0x8a0
[ 83.827738][ T5836] ? __pfx_worker_thread+0x10/0x10
[ 83.827759][ T5836] ? __pfx_kthread+0x10/0x10
[ 83.827786][ T5836] ? _raw_spin_unlock_irq+0x23/0x50
[ 83.827810][ T5836] ? lockdep_hardirqs_on+0x9c/0x150
[ 83.827837][ T5836] ? __pfx_kthread+0x10/0x10
[ 83.827862][ T5836] ret_from_fork+0x599/0xb30
[ 83.827889][ T5836] ? __pfx_ret_from_fork+0x10/0x10
[ 83.827912][ T5836] ? __switch_to_asm+0x39/0x70
[ 83.827937][ T5836] ? __switch_to_asm+0x33/0x70
[ 83.827961][ T5836] ? __pfx_kthread+0x10/0x10
[ 83.827986][ T5836] ret_from_fork_asm+0x1a/0x30
[ 83.828021][ T5836]
[ 83.828026][ T5836]
[ 83.837474][ T5151] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 83.847545][ T5836] Allocated by task 5833:
[ 83.847566][ T5836] kasan_save_track+0x3e/0x80
[ 83.847588][ T5836] __kasan_slab_alloc+0x6c/0x80
[ 83.847606][ T5836] kmem_cache_alloc_node_noprof+0x43c/0x710
[ 83.847633][ T5836] __alloc_skb+0x112/0x2d0
[ 83.847651][ T5836] hci_cmd_sync_alloc+0x3d/0x3b0
[ 83.847678][ T5836] __hci_cmd_sync_sk+0x1a7/0xc70
[ 83.880094][ T5841] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 83.883197][ T5836] hci_reset_sync+0x4a/0x140
[ 83.888997][ T5841] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 83.893176][ T5836] hci_dev_open_sync+0xec5/0x2dc0
[ 83.900125][ T5841] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 83.903410][ T5836] hci_power_on+0x1b4/0x720
[ 83.909074][ T5841] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 83.912561][ T5836] process_one_work+0x93a/0x15e0
[ 83.921408][ T5841] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 83.921760][ T5836] worker_thread+0x9b0/0xee0
[ 83.948600][ T5841] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 83.951153][ T5836] kthread+0x711/0x8a0
[ 83.957483][ T5841] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 83.959941][ T5836] ret_from_fork+0x599/0xb30
[ 83.959966][ T5836] ret_from_fork_asm+0x1a/0x30
[ 83.959993][ T5836]
[ 83.959999][ T5836] Freed by task 5831:
[ 83.960009][ T5836] kasan_save_track+0x3e/0x80
[ 83.960025][ T5836] kasan_save_free_info+0x46/0x50
[ 83.967478][ T5841] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 83.969739][ T5836] __kasan_slab_free+0x5c/0x80
[ 83.969764][ T5836] kmem_cache_free+0x197/0x640
[ 83.969781][ T5836] vhci_read+0x49a/0x5b0
[ 83.969809][ T5836] vfs_read+0x200/0xa30
[ 83.969824][ T5836] ksys_read+0x145/0x250
[ 83.976348][ T5841] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 83.980221][ T5836] do_syscall_64+0xfa/0xfa0
[ 83.980256][ T5836] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 83.980281][ T5836]
[ 83.980287][ T5836] The buggy address belongs to the object at ffff88805d958780
[ 83.980287][ T5836] which belongs to the cache skbuff_head_cache of size 240
[ 83.980304][ T5836] The buggy address is located 56 bytes inside of
[ 83.980304][ T5836] freed 240-byte region [ffff88805d958780, ffff88805d958870)
[ 83.980324][ T5836]
[ 83.980330][ T5836] The buggy address belongs to the physical page:
[ 83.980356][ T5836] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5d958
[ 83.997823][ T52] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 83.999431][ T5836] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 83.999465][ T5836] page_type: f5(slab)
[ 83.999482][ T5836] raw: 00fff00000000000 ffff88801e2bd8c0 dead000000000122 0000000000000000
[ 83.999498][ T5836] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
[ 83.999509][ T5836] page dumped because: kasan: bad access detected
[ 83.999524][ T5836] page_owner tracks the page as allocated
[ 84.005963][ T52] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 84.008877][ T5836] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5826, tgid 5826 (syz-executor), ts 83754899635, free_ts 29875341310
[ 84.008914][ T5836] post_alloc_hook+0x240/0x2a0
[ 84.008946][ T5836] get_page_from_freelist+0x2365/0x2440
[ 84.008966][ T5836] __alloc_frozen_pages_noprof+0x181/0x370
[ 84.015748][ T52] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 84.016805][ T5836] alloc_pages_mpol+0x232/0x4a0
[ 84.020076][ T52] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 84.026073][ T5836] allocate_slab+0x86/0x3b0
[ 84.049750][ T52] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 84.050372][ T5836] ___slab_alloc+0xf56/0x1990
[ 84.381987][ T5836] __slab_alloc+0x65/0x100
[ 84.386446][ T5836] kmem_cache_alloc_node_noprof+0x4ce/0x710
[ 84.392377][ T5836] __alloc_skb+0x112/0x2d0
[ 84.396824][ T5836] vhci_write+0xbe/0x4a0
[ 84.401104][ T5836] vfs_write+0x5c9/0xb30
[ 84.405375][ T5836] ksys_write+0x145/0x250
[ 84.409731][ T5836] do_syscall_64+0xfa/0xfa0
[ 84.414276][ T5836] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.420197][ T5836] page last free pid 1 tgid 1 stack trace:
[ 84.426029][ T5836] __free_frozen_pages+0xbc8/0xd30
[ 84.431265][ T5836] free_contig_range+0x1bd/0x4a0
[ 84.436233][ T5836] destroy_args+0x69/0x660
[ 84.440688][ T5836] debug_vm_pgtable+0x38f/0x3a0
[ 84.445563][ T5836] do_one_initcall+0x1fb/0x870
[ 84.450448][ T5836] do_initcall_level+0x104/0x190
[ 84.455413][ T5836] do_initcalls+0x59/0xa0
[ 84.459877][ T5836] kernel_init_freeable+0x334/0x4b0
[ 84.465116][ T5836] kernel_init+0x1d/0x1d0
[ 84.469476][ T5836] ret_from_fork+0x599/0xb30
[ 84.474096][ T5836] ret_from_fork_asm+0x1a/0x30
[ 84.478908][ T5836]
[ 84.481258][ T5836] Memory state around the buggy address:
[ 84.486913][ T5836] ffff88805d958680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 84.495008][ T5836] ffff88805d958700: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[ 84.503141][ T5836] >ffff88805d958780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 84.511230][ T5836] ^
[ 84.517148][ T5836] ffff88805d958800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 84.525241][ T5836] ffff88805d958880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 84.533327][ T5836] ==================================================================
[ 84.543012][ T5836] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 84.550314][ T5836] CPU: 1 UID: 0 PID: 5836 Comm: kworker/u9:4 Not tainted syzkaller #0 PREEMPT(full)
[ 84.559805][ T5836] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 84.569875][ T5836] Workqueue: hci2 hci_cmd_work
[ 84.574701][ T5836] Call Trace:
[ 84.577989][ T5836]
[ 84.580940][ T5836] dump_stack_lvl+0x99/0x250
[ 84.585558][ T5836] ? __asan_memcpy+0x40/0x70
[ 84.590196][ T5836] ? __pfx_dump_stack_lvl+0x10/0x10
[ 84.595413][ T5836] ? __pfx__printk+0x10/0x10
[ 84.600025][ T5836] vpanic+0x237/0x6d0
[ 84.604015][ T5836] ? __pfx_vpanic+0x10/0x10
[ 84.608529][ T5836] ? preempt_schedule+0xae/0xc0
[ 84.613401][ T5836] ? __pfx_preempt_schedule+0x10/0x10
[ 84.618787][ T5836] panic+0xb9/0xc0
[ 84.622514][ T5836] ? __pfx_panic+0x10/0x10
[ 84.626939][ T5836] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 84.632847][ T5836] ? is_module_address+0x17/0xf0
[ 84.637790][ T5836] ? hci_cmd_work+0x5d0/0x7b0
[ 84.642485][ T5836] check_panic_on_warn+0x89/0xb0
[ 84.647441][ T5836] ? hci_cmd_work+0x5d0/0x7b0
[ 84.652137][ T5836] end_report+0x6f/0x160
[ 84.656397][ T5836] kasan_report+0x129/0x150
[ 84.660911][ T5836] ? hci_cmd_work+0x5d0/0x7b0
[ 84.665608][ T5836] hci_cmd_work+0x5d0/0x7b0
[ 84.670183][ T5836] ? process_one_work+0x868/0x15e0
[ 84.675301][ T5836] process_one_work+0x93a/0x15e0
[ 84.680276][ T5836] ? __lock_acquire+0xab9/0xd20
[ 84.685148][ T5836] ? __pfx_process_one_work+0x10/0x10
[ 84.690532][ T5836] ? assign_work+0x3a1/0x410
[ 84.695131][ T5836] worker_thread+0x9b0/0xee0
[ 84.699741][ T5836] kthread+0x711/0x8a0
[ 84.703828][ T5836] ? __pfx_worker_thread+0x10/0x10
[ 84.708945][ T5836] ? __pfx_kthread+0x10/0x10
[ 84.713575][ T5836] ? _raw_spin_unlock_irq+0x23/0x50
[ 84.718784][ T5836] ? lockdep_hardirqs_on+0x9c/0x150
[ 84.723999][ T5836] ? __pfx_kthread+0x10/0x10
[ 84.728607][ T5836] ret_from_fork+0x599/0xb30
[ 84.733212][ T5836] ? __pfx_ret_from_fork+0x10/0x10
[ 84.738343][ T5836] ? __switch_to_asm+0x39/0x70
[ 84.743118][ T5836] ? __switch_to_asm+0x33/0x70
[ 84.747897][ T5836] ? __pfx_kthread+0x10/0x10
[ 84.752506][ T5836] ret_from_fork_asm+0x1a/0x30
[ 84.757293][ T5836]
[ 84.760565][ T5836] Kernel Offset: disabled
[ 84.764909][ T5836] Rebooting in 86400 seconds..