last executing test programs: kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.1.123' (ED25519) to the list of known hosts.
[   70.382345][ T5812] cgroup: Unknown subsys name 'net'
[   70.533249][ T5812] cgroup: Unknown subsys name 'cpuset'
[   70.541783][ T5812] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   71.414802][ T1298] ieee802154 phy0 wpan0: encryption failed: -22
[   71.421365][ T1298] ieee802154 phy1 wpan1: encryption failed: -22
[   71.956246][ T5812] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k
[   75.262987][ T5839] ==================================================================
[   75.271107][ T5839] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[   75.278582][ T5839] Read of size 2 at addr ffff88805cef8b78 by task kworker/u9:5/5839
[   75.283951][ T5840] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   75.286569][ T5839]
[   75.286599][ T5839] CPU: 1 UID: 0 PID: 5839 Comm: kworker/u9:5 Not tainted syzkaller #0 PREEMPT(full)
[   75.286615][ T5839] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[   75.286626][ T5839] Workqueue: hci0 hci_cmd_work
[   75.286655][ T5839] Call Trace:
[   75.286662][ T5839]
[   75.286670][ T5839]  dump_stack_lvl+0x189/0x250
[   75.286694][ T5839]  ? __virt_addr_valid+0x1c8/0x5c0
[   75.286710][ T5839]  ? rcu_is_watching+0x15/0xb0
[   75.286725][ T5839]  ? __pfx_dump_stack_lvl+0x10/0x10
[   75.286746][ T5839]  ? rcu_is_watching+0x15/0xb0
[   75.286759][ T5839]  ? lock_release+0x4b/0x3d0
[   75.286778][ T5839]  ? _raw_spin_lock_irqsave+0xb3/0xf0
[   75.286796][ T5839]  ? __virt_addr_valid+0x1c8/0x5c0
[   75.286811][ T5839]  ? __virt_addr_valid+0x4a5/0x5c0
[   75.286828][ T5839]  print_report+0xca/0x240
[   75.286848][ T5839]  ? hci_cmd_work+0x5d0/0x7b0
[   75.286865][ T5839]  kasan_report+0x118/0x150
[   75.286885][ T5839]  ? hci_cmd_work+0x5d0/0x7b0
[   75.286906][ T5839]  hci_cmd_work+0x5d0/0x7b0
[   75.286926][ T5839]  ? process_one_work+0x868/0x15e0
[   75.286945][ T5839]  process_one_work+0x93a/0x15e0
[   75.286962][ T5839]  ? __lock_acquire+0xab9/0xd20
[   75.286989][ T5839]  ? __pfx_process_one_work+0x10/0x10
[   75.287010][ T5839]  ? assign_work+0x3a1/0x410
[   75.287030][ T5839]  worker_thread+0x9b0/0xee0
[   75.287059][ T5839]  kthread+0x711/0x8a0
[   75.287076][ T5839]  ? __pfx_worker_thread+0x10/0x10
[   75.287095][ T5839]  ? __pfx_kthread+0x10/0x10
[   75.287109][ T5839]  ? _raw_spin_unlock_irq+0x23/0x50
[   75.287125][ T5839]  ? lockdep_hardirqs_on+0x9c/0x150
[   75.287142][ T5839]  ? __pfx_kthread+0x10/0x10
[   75.287157][ T5839]  ret_from_fork+0x599/0xb30
[   75.287178][ T5839]  ? __pfx_ret_from_fork+0x10/0x10
[   75.287200][ T5839]  ? __switch_to_asm+0x39/0x70
[   75.287220][ T5839]  ? __switch_to_asm+0x33/0x70
[   75.287235][ T5839]  ? __pfx_kthread+0x10/0x10
[   75.287250][ T5839]  ret_from_fork_asm+0x1a/0x30
[   75.287272][ T5839]
[   75.287278][ T5839]
[   75.295597][ T5840] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   75.295868][ T5839] Allocated by task 5830:
[   75.295879][ T5839]  kasan_save_track+0x3e/0x80
[   75.306643][ T5840] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[   75.315546][ T5839]  __kasan_slab_alloc+0x6c/0x80
[   75.315571][ T5839]  kmem_cache_alloc_node_noprof+0x43c/0x710
[   75.315584][ T5839]  __alloc_skb+0x112/0x2d0
[   75.315602][ T5839]  hci_cmd_sync_alloc+0x3d/0x3b0
[   75.315617][ T5839]  __hci_cmd_sync_sk+0x1a7/0xc70
[   75.315631][ T5839]  hci_reset_sync+0x4a/0x140
[   75.315643][ T5839]  hci_dev_open_sync+0xec5/0x2dc0
[   75.315655][ T5839]  hci_power_on+0x1b4/0x720
[   75.315672][ T5839]  process_one_work+0x93a/0x15e0
[   75.315688][ T5839]  worker_thread+0x9b0/0xee0
[   75.315702][ T5839]  kthread+0x711/0x8a0
[   75.315713][ T5839]  ret_from_fork+0x599/0xb30
[   75.315727][ T5839]  ret_from_fork_asm+0x1a/0x30
[   75.315740][ T5839]
[   75.315744][ T5839] Freed by task 5828:
[   75.315752][ T5839]  kasan_save_track+0x3e/0x80
[   75.315765][ T5839]  kasan_save_free_info+0x46/0x50
[   75.315780][ T5839]  __kasan_slab_free+0x5c/0x80
[   75.315792][ T5839]  kmem_cache_free+0x197/0x640
[   75.315806][ T5839]  vhci_read+0x49a/0x5b0
[   75.315823][ T5839]  vfs_read+0x200/0xa30
[   75.315838][ T5839]  ksys_read+0x145/0x250
[   75.315851][ T5839]  do_syscall_64+0xfa/0xfa0
[   75.315866][ T5839]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   75.315877][ T5839]
[   75.315881][ T5839] The buggy address belongs to the object at ffff88805cef8b40
[   75.315881][ T5839]  which belongs to the cache skbuff_head_cache of size 240
[   75.315892][ T5839] The buggy address is located 56 bytes inside of
[   75.315892][ T5839]  freed 240-byte region [ffff88805cef8b40, ffff88805cef8c30)
[   75.315908][ T5839]
[   75.315913][ T5839] The buggy address belongs to the physical page:
[   75.315926][ T5839] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5cef8
[   75.315942][ T5839] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   75.315958][ T5839] page_type: f5(slab)
[   75.315972][ T5839] raw: 00fff00000000000 ffff88801ea8c000 dead000000000122 0000000000000000
[   75.315982][ T5839] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
[   75.315989][ T5839] page dumped because: kasan: bad access detected
[   75.316000][ T5839] page_owner tracks the page as allocated
[   75.316005][ T5839] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5832, tgid 5832 (syz-executor), ts 75231578199, free_ts 21701705566
[   75.316029][ T5839]  post_alloc_hook+0x240/0x2a0
[   75.316043][ T5839]  get_page_from_freelist+0x2365/0x2440
[   75.316059][ T5839]  __alloc_frozen_pages_noprof+0x181/0x370
[   75.316074][ T5839]  alloc_pages_mpol+0x232/0x4a0
[   75.322692][ T5840] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[   75.324122][ T5839]  allocate_slab+0x86/0x3b0
[   75.328017][ T5840] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[   75.331865][ T5839]  ___slab_alloc+0xf56/0x1990
[   75.331891][ T5839]  __slab_alloc+0x65/0x100
[   75.331906][ T5839]  kmem_cache_alloc_noprof+0x40f/0x700
[   75.331918][ T5839]  skb_clone+0x212/0x3a0
[   75.331932][ T5839]  netlink_broadcast_filtered+0x6ae/0x1000
[   75.331952][ T5839]  netlink_broadcast+0x37/0x50
[   75.338757][ T5840] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[   75.341808][ T5839]  kobject_uevent_net_broadcast+0x378/0x560
[   75.341836][ T5839]  kobject_uevent_env+0x55c/0x9f0
[   75.341852][ T5839]  device_add+0x557/0xb80
[   75.341866][ T5839]  hci_register_dev+0x36c/0x8b0
[   75.341883][ T5839]  vhci_create_device+0x39c/0x650
[   75.341901][ T5839] page last free pid 1 tgid 1 stack trace:
[   75.341911][ T5839]  __free_frozen_pages+0xbc8/0xd30
[   75.348518][ T5840] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[   75.351841][ T5839]  free_contig_range+0x1bd/0x4a0
[   75.351866][ T5839]  destroy_args+0x69/0x660
[   75.351885][ T5839]  debug_vm_pgtable+0x38f/0x3a0
[   75.351901][ T5839]  do_one_initcall+0x1fb/0x870
[   75.359041][ T5836] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[   75.361845][ T5839]  do_initcall_level+0x104/0x190
[   75.361872][ T5839]  do_initcalls+0x59/0xa0
[   75.361889][ T5839]  kernel_init_freeable+0x334/0x4b0
[   75.361906][ T5839]  kernel_init+0x1d/0x1d0
[   75.361925][ T5839]  ret_from_fork+0x599/0xb30
[   75.361941][ T5839]  ret_from_fork_asm+0x1a/0x30
[   75.361957][ T5839]
[   75.361961][ T5839] Memory state around the buggy address:
[   75.361971][ T5839]  ffff88805cef8a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.361983][ T5839]  ffff88805cef8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   75.361993][ T5839] >ffff88805cef8b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   75.362002][ T5839]                                                                 ^
[   75.377000][ T5840] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   75.381613][ T5839]  ffff88805cef8b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   75.381628][ T5839]  ffff88805cef8c00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[   75.381635][ T5839] ==================================================================
[   75.391583][ T5839] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   75.391608][ T5839] CPU: 1 UID: 0 PID: 5839 Comm: kworker/u9:5 Not tainted syzkaller #0 PREEMPT(full)
[   75.391629][ T5839] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[   75.391640][ T5839] Workqueue: hci0 hci_cmd_work
[   75.391666][ T5839] Call Trace:
[   75.391673][ T5839]
[   75.391681][ T5839]  dump_stack_lvl+0x99/0x250
[   75.391705][ T5839]  ? __asan_memcpy+0x40/0x70
[   75.391721][ T5839]  ? __pfx_dump_stack_lvl+0x10/0x10
[   75.391742][ T5839]  ? __pfx__printk+0x10/0x10
[   75.391765][ T5839]  vpanic+0x237/0x6d0
[   75.391780][ T5839]  ? __pfx_vpanic+0x10/0x10
[   75.391793][ T5839]  ? preempt_schedule+0xae/0xc0
[   75.391810][ T5839]  ? __pfx_preempt_schedule+0x10/0x10
[   75.391830][ T5839]  panic+0xb9/0xc0
[   75.391844][ T5839]  ? __pfx_panic+0x10/0x10
[   75.391859][ T5839]  ? _raw_spin_unlock_irqrestore+0xfd/0x110
[   75.391876][ T5839]  ? is_module_address+0x17/0xf0
[   75.391895][ T5839]  ? hci_cmd_work+0x5d0/0x7b0
[   75.391914][ T5839]  check_panic_on_warn+0x89/0xb0
[   75.391932][ T5839]  ? hci_cmd_work+0x5d0/0x7b0
[   75.391950][ T5839]  end_report+0x6f/0x160
[   75.391968][ T5839]  kasan_report+0x129/0x150
[   75.391987][ T5839]  ? hci_cmd_work+0x5d0/0x7b0
[   75.392009][ T5839]  hci_cmd_work+0x5d0/0x7b0
[   75.392029][ T5839]  ? process_one_work+0x868/0x15e0
[   75.392048][ T5839]  process_one_work+0x93a/0x15e0
[   75.392066][ T5839]  ? __lock_acquire+0xab9/0xd20
[   75.392093][ T5839]  ? __pfx_process_one_work+0x10/0x10
[   75.392123][ T5839]  ? assign_work+0x3a1/0x410
[   75.392144][ T5839]  worker_thread+0x9b0/0xee0
[   75.392173][ T5839]  kthread+0x711/0x8a0
[   75.392190][ T5839]  ? __pfx_worker_thread+0x10/0x10
[   75.392209][ T5839]  ? __pfx_kthread+0x10/0x10
[   75.392225][ T5839]  ? _raw_spin_unlock_irq+0x23/0x50
[   75.392241][ T5839]  ? lockdep_hardirqs_on+0x9c/0x150
[   75.392258][ T5839]  ? __pfx_kthread+0x10/0x10
[   75.392273][ T5839]  ret_from_fork+0x599/0xb30
[   75.392293][ T5839]  ? __pfx_ret_from_fork+0x10/0x10
[   75.392316][ T5839]  ? __switch_to_asm+0x39/0x70
[   75.392332][ T5839]  ? __switch_to_asm+0x33/0x70
[   75.392347][ T5839]  ? __pfx_kthread+0x10/0x10
[   75.392362][ T5839]  ret_from_fork_asm+0x1a/0x30
[   75.392384][ T5839]
[   75.396696][ T5839] Kernel Offset: disabled