last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.0.104' (ED25519) to the list of known hosts.
[   64.636910][ T5809] cgroup: Unknown subsys name 'net'
[   64.786673][ T5809] cgroup: Unknown subsys name 'cpuset'
[   64.795216][ T5809] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   66.112286][ T5809] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k
[   68.201199][   T52] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   68.220269][ T5827] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   68.232349][ T5835] ==================================================================
[   68.234529][ T5836] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   68.240423][ T5835] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[   68.248835][ T5836] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   68.254766][ T5835] Read of size 2 at addr ffff88805ccda538 by task kworker/u9:5/5835
[   68.254784][ T5835]
[   68.254818][ T5835] CPU: 0 UID: 0 PID: 5835 Comm: kworker/u9:5 Not tainted syzkaller #0 PREEMPT(full)
[   68.254836][ T5835] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[   68.254847][ T5835] Workqueue: hci1 hci_cmd_work
[   68.254877][ T5835] Call Trace:
[   68.254885][ T5835]
[   68.254892][ T5835]  dump_stack_lvl+0x189/0x250
[   68.254914][ T5835]  ? __virt_addr_valid+0x1c8/0x5c0
[   68.254930][ T5835]  ? rcu_is_watching+0x15/0xb0
[   68.254944][ T5835]  ? __pfx_dump_stack_lvl+0x10/0x10
[   68.254965][ T5835]  ? rcu_is_watching+0x15/0xb0
[   68.254978][ T5835]  ? lock_release+0x4b/0x3d0
[   68.254997][ T5835]  ? _raw_spin_lock_irqsave+0xb3/0xf0
[   68.255015][ T5835]  ? __virt_addr_valid+0x1c8/0x5c0
[   68.255030][ T5835]  ? __virt_addr_valid+0x4a5/0x5c0
[   68.255046][ T5835]  print_report+0xca/0x240
[   68.255065][ T5835]  ? hci_cmd_work+0x5d0/0x7b0
[   68.255082][ T5835]  kasan_report+0x118/0x150
[   68.255102][ T5835]  ? hci_cmd_work+0x5d0/0x7b0
[   68.255123][ T5835]  hci_cmd_work+0x5d0/0x7b0
[   68.255142][ T5835]  ? process_one_work+0x868/0x15e0
[   68.255160][ T5835]  process_one_work+0x93a/0x15e0
[   68.255178][ T5835]  ? __lock_acquire+0xab9/0xd20
[   68.255204][ T5835]  ? __pfx_process_one_work+0x10/0x10
[   68.255225][ T5835]  ? assign_work+0x3a1/0x410
[   68.255245][ T5835]  worker_thread+0x9b0/0xee0
[   68.255274][ T5835]  kthread+0x711/0x8a0
[   68.255290][ T5835]  ? __pfx_worker_thread+0x10/0x10
[   68.255309][ T5835]  ? __pfx_kthread+0x10/0x10
[   68.255323][ T5835]  ? _raw_spin_unlock_irq+0x23/0x50
[   68.255339][ T5835]  ? lockdep_hardirqs_on+0x9c/0x150
[   68.255355][ T5835]  ? __pfx_kthread+0x10/0x10
[   68.255370][ T5835]  ret_from_fork+0x599/0xb30
[   68.255390][ T5835]  ? __pfx_ret_from_fork+0x10/0x10
[   68.255412][ T5835]  ? __switch_to_asm+0x39/0x70
[   68.255426][ T5835]  ? __switch_to_asm+0x33/0x70
[   68.255441][ T5835]  ? __pfx_kthread+0x10/0x10
[   68.255455][ T5835]  ret_from_fork_asm+0x1a/0x30
[   68.255477][ T5835]
[   68.255483][ T5835]
[   68.263326][ T5836] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[   68.269765][ T5835] Allocated by task 5823:
[   68.269776][ T5835]  kasan_save_track+0x3e/0x80
[   68.269801][ T5835]  __kasan_slab_alloc+0x6c/0x80
[   68.269816][ T5835]  kmem_cache_alloc_node_noprof+0x43c/0x710
[   68.269830][ T5835]  __alloc_skb+0x112/0x2d0
[   68.269850][ T5835]  hci_cmd_sync_alloc+0x3d/0x3b0
[   68.275000][ T5836] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[   68.281609][ T5835]  __hci_cmd_sync_sk+0x1a7/0xc70
[   68.293301][ T5836] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[   68.296419][ T5835]  hci_dev_open_sync+0x14b2/0x2dc0
[   68.296438][ T5835]  hci_power_on+0x1b4/0x720
[   68.296455][ T5835]  process_one_work+0x93a/0x15e0
[   68.301776][ T5836] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[   68.302640][ T5835]  worker_thread+0x9b0/0xee0
[   68.308958][ T5836] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[   68.312380][ T5835]  kthread+0x711/0x8a0
[   68.319346][ T5836] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[   68.322300][ T5835]  ret_from_fork+0x599/0xb30
[   68.333173][ T5827] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   68.336962][ T5835]  ret_from_fork_asm+0x1a/0x30
[   68.336984][ T5835]
[   68.336988][ T5835] Freed by task 5826:
[   68.336997][ T5835]  kasan_save_track+0x3e/0x80
[   68.337012][ T5835]  kasan_save_free_info+0x46/0x50
[   68.343442][ T5827] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   68.347198][ T5835]  __kasan_slab_free+0x5c/0x80
[   68.347219][ T5835]  kmem_cache_free+0x197/0x640
[   68.347234][ T5835]  vhci_read+0x49a/0x5b0
[   68.347250][ T5835]  vfs_read+0x200/0xa30
[   68.347263][ T5835]  ksys_read+0x145/0x250
[   68.347276][ T5835]  do_syscall_64+0xfa/0xfa0
[   68.347291][ T5835]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   68.352602][ T5827] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   68.356341][ T5835]
[   68.356348][ T5835] The buggy address belongs to the object at ffff88805ccda500
[   68.356348][ T5835]  which belongs to the cache skbuff_head_cache of size 240
[   68.356363][ T5835] The buggy address is located 56 bytes inside of
[   68.356363][ T5835]  freed 240-byte region [ffff88805ccda500, ffff88805ccda5f0)
[   68.356378][ T5835]
[   68.356383][ T5835] The buggy address belongs to the physical page:
[   68.356404][ T5835] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5ccda
[   68.364638][ T5147] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   68.365552][ T5835] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   68.370950][ T5147] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   68.375106][ T5835] page_type: f5(slab)
[   68.375123][ T5835] raw: 00fff00000000000 ffff888140eeba00 dead000000000122 0000000000000000
[   68.375136][ T5835] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
[   68.375144][ T5835] page dumped because: kasan: bad access detected
[   68.375160][ T5835] page_owner tracks the page as allocated
[   68.375166][ T5835] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5196, tgid 5196 (udevd), ts 68212413631, free_ts 68207885541
[   68.383968][ T5147] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[   68.384918][ T5835]  post_alloc_hook+0x240/0x2a0
[   68.390990][ T5147] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[   68.394833][ T5835]  get_page_from_freelist+0x2365/0x2440
[   68.394856][ T5835]  __alloc_frozen_pages_noprof+0x181/0x370
[   68.394872][ T5835]  alloc_pages_mpol+0x232/0x4a0
[   68.394888][ T5835]  allocate_slab+0x86/0x3b0
[   68.394906][ T5835]  ___slab_alloc+0xf56/0x1990
[   68.464043][ T5147] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[   68.468795][ T5835]  __slab_alloc+0x65/0x100
[   68.474100][ T5147] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[   68.477769][ T5835]  kmem_cache_alloc_node_noprof+0x4ce/0x710
[   68.486507][ T5147] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[   68.488476][ T5835]  __alloc_skb+0x112/0x2d0
[   68.493774][ T5147] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[   68.497791][ T5835]  netlink_sendmsg+0x5c6/0xb30
[   68.849713][ T5835]  __sock_sendmsg+0x21c/0x270
[   68.854385][ T5835]  ____sys_sendmsg+0x505/0x870
[   68.859130][ T5835]  ___sys_sendmsg+0x21f/0x2a0
[   68.863785][ T5835]  __x64_sys_sendmsg+0x19b/0x260
[   68.868701][ T5835]  do_syscall_64+0xfa/0xfa0
[   68.873183][ T5835]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   68.879053][ T5835] page last free pid 5824 tgid 5824 stack trace:
[   68.885355][ T5835]  __free_frozen_pages+0xbc8/0xd30
[   68.890449][ T5835]  __kasan_populate_vmalloc+0x137/0x1d0
[   68.895972][ T5835]  alloc_vmap_area+0xdca/0x1500
[   68.900799][ T5835]  __get_vm_area_node+0x1f8/0x300
[   68.905802][ T5835]  __vmalloc_node_range_noprof+0x365/0x1640
[   68.911672][ T5835]  __vmalloc_node_noprof+0xc2/0x110
[   68.916846][ T5835]  dup_task_struct+0x3d4/0x830
[   68.921593][ T5835]  copy_process+0x4ea/0x3930
[   68.926163][ T5835]  kernel_clone+0x21e/0x850
[   68.930652][ T5835]  __se_sys_clone3+0x256/0x2d0
[   68.935392][ T5835]  do_syscall_64+0xfa/0xfa0
[   68.939876][ T5835]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   68.945751][ T5835]
[   68.948053][ T5835] Memory state around the buggy address:
[   68.953661][ T5835]  ffff88805ccda400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.961702][ T5835]  ffff88805ccda480: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[   68.969744][ T5835] >ffff88805ccda500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.977785][ T5835]                                         ^
[   68.983652][ T5835]  ffff88805ccda580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   68.991691][ T5835]  ffff88805ccda600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   68.999727][ T5835] ==================================================================
[   69.009518][ T5835] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   69.016741][ T5835] CPU: 0 UID: 0 PID: 5835 Comm: kworker/u9:5 Not tainted syzkaller #0 PREEMPT(full)
[   69.026199][ T5835] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[   69.036262][ T5835] Workqueue: hci1 hci_cmd_work
[   69.041041][ T5835] Call Trace:
[   69.044320][ T5835]
[   69.047266][ T5835]  dump_stack_lvl+0x99/0x250
[   69.051862][ T5835]  ? __asan_memcpy+0x40/0x70
[   69.056457][ T5835]  ? __pfx_dump_stack_lvl+0x10/0x10
[   69.061661][ T5835]  ? __pfx__printk+0x10/0x10
[   69.066259][ T5835]  vpanic+0x237/0x6d0
[   69.070244][ T5835]  ? __pfx_vpanic+0x10/0x10
[   69.074753][ T5835]  ? preempt_schedule+0xae/0xc0
[   69.079606][ T5835]  ? __pfx_preempt_schedule+0x10/0x10
[   69.084985][ T5835]  panic+0xb9/0xc0
[   69.088706][ T5835]  ? __pfx_panic+0x10/0x10
[   69.093132][ T5835]  ? _raw_spin_unlock_irqrestore+0xfd/0x110
[   69.099031][ T5835]  ? is_module_address+0x17/0xf0
[   69.103972][ T5835]  ? hci_cmd_work+0x5d0/0x7b0
[   69.108652][ T5835]  check_panic_on_warn+0x89/0xb0
[   69.113595][ T5835]  ? hci_cmd_work+0x5d0/0x7b0
[   69.118274][ T5835]  end_report+0x6f/0x160
[   69.122525][ T5835]  kasan_report+0x129/0x150
[   69.127038][ T5835]  ? hci_cmd_work+0x5d0/0x7b0
[   69.131727][ T5835]  hci_cmd_work+0x5d0/0x7b0
[   69.136236][ T5835]  ? process_one_work+0x868/0x15e0
[   69.141348][ T5835]  process_one_work+0x93a/0x15e0
[   69.146297][ T5835]  ? __lock_acquire+0xab9/0xd20
[   69.151160][ T5835]  ? __pfx_process_one_work+0x10/0x10
[   69.156541][ T5835]  ? assign_work+0x3a1/0x410
[   69.161139][ T5835]  worker_thread+0x9b0/0xee0
[   69.165748][ T5835]  kthread+0x711/0x8a0
[   69.169828][ T5835]  ? __pfx_worker_thread+0x10/0x10
[   69.174942][ T5835]  ? __pfx_kthread+0x10/0x10
[   69.179519][ T5835]  ? _raw_spin_unlock_irq+0x23/0x50
[   69.184701][ T5835]  ? lockdep_hardirqs_on+0x9c/0x150
[   69.189884][ T5835]  ? __pfx_kthread+0x10/0x10
[   69.194457][ T5835]  ret_from_fork+0x599/0xb30
[   69.199033][ T5835]  ? __pfx_ret_from_fork+0x10/0x10
[   69.204131][ T5835]  ? __switch_to_asm+0x39/0x70
[   69.208876][ T5835]  ? __switch_to_asm+0x33/0x70
[   69.213617][ T5835]  ? __pfx_kthread+0x10/0x10
[   69.218186][ T5835]  ret_from_fork_asm+0x1a/0x30
[   69.222935][ T5835]
[   69.226288][ T5835] Kernel Offset: disabled
[   69.230594][ T5835] Rebooting in 86400 seconds..