last executing test programs: kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.1.150' (ED25519) to the list of known hosts.
[ 65.226942][ T5813] cgroup: Unknown subsys name 'net'
[ 65.373362][ T5813] cgroup: Unknown subsys name 'cpuset'
[ 65.382495][ T5813] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 66.819038][ T5813] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 68.997472][ T5835] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 69.002178][ T5837] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 69.005542][ T5835] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 69.013527][ T5838] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 69.025969][ T5837] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 69.034350][ T5838] ==================================================================
[ 69.042433][ T5838] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[ 69.048910][ T5837] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 69.049892][ T5838] Read of size 2 at addr ffff88805cbc57b8 by task kworker/u9:6/5838
[ 69.058398][ T5837] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 69.064936][ T5838]
[ 69.064971][ T5838] CPU: 0 UID: 0 PID: 5838 Comm: kworker/u9:6 Not tainted syzkaller #0 PREEMPT(full)
[ 69.064989][ T5838] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 69.065000][ T5838] Workqueue: hci1 hci_cmd_work
[ 69.065030][ T5838] Call Trace:
[ 69.065038][ T5838]
[ 69.065046][ T5838] dump_stack_lvl+0x189/0x250
[ 69.065070][ T5838] ? __virt_addr_valid+0x1c8/0x5c0
[ 69.065087][ T5838] ? rcu_is_watching+0x15/0xb0
[ 69.065101][ T5838] ? __pfx_dump_stack_lvl+0x10/0x10
[ 69.065122][ T5838] ? rcu_is_watching+0x15/0xb0
[ 69.065136][ T5838] ? lock_release+0x4b/0x3d0
[ 69.065154][ T5838] ? _raw_spin_lock_irqsave+0xb3/0xf0
[ 69.065172][ T5838] ? __virt_addr_valid+0x1c8/0x5c0
[ 69.065187][ T5838] ? __virt_addr_valid+0x4a5/0x5c0
[ 69.065209][ T5838] print_report+0xca/0x240
[ 69.065229][ T5838] ? hci_cmd_work+0x5d0/0x7b0
[ 69.065246][ T5838] kasan_report+0x118/0x150
[ 69.065267][ T5838] ? hci_cmd_work+0x5d0/0x7b0
[ 69.065288][ T5838] hci_cmd_work+0x5d0/0x7b0
[ 69.065307][ T5838] ? process_one_work+0x868/0x15e0
[ 69.065326][ T5838] process_one_work+0x93a/0x15e0
[ 69.065344][ T5838] ? __lock_acquire+0xab9/0xd20
[ 69.065371][ T5838] ? __pfx_process_one_work+0x10/0x10
[ 69.065392][ T5838] ? assign_work+0x3a1/0x410
[ 69.065412][ T5838] worker_thread+0x9b0/0xee0
[ 69.065442][ T5838] kthread+0x711/0x8a0
[ 69.065458][ T5838] ? __pfx_worker_thread+0x10/0x10
[ 69.065477][ T5838] ? __pfx_kthread+0x10/0x10
[ 69.065492][ T5838] ? _raw_spin_unlock_irq+0x23/0x50
[ 69.065507][ T5838] ? lockdep_hardirqs_on+0x9c/0x150
[ 69.065524][ T5838] ? __pfx_kthread+0x10/0x10
[ 69.065539][ T5838] ret_from_fork+0x599/0xb30
[ 69.065559][ T5838] ? __pfx_ret_from_fork+0x10/0x10
[ 69.065582][ T5838] ? __switch_to_asm+0x39/0x70
[ 69.065596][ T5838] ? __switch_to_asm+0x33/0x70
[ 69.065610][ T5838] ? __pfx_kthread+0x10/0x10
[ 69.065625][ T5838] ret_from_fork_asm+0x1a/0x30
[ 69.065648][ T5838]
[ 69.065654][ T5838]
[ 69.078114][ T5839] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 69.083694][ T5838] Allocated by task 5146:
[ 69.083708][ T5838] kasan_save_track+0x3e/0x80
[ 69.083727][ T5838] __kasan_slab_alloc+0x6c/0x80
[ 69.083742][ T5838] kmem_cache_alloc_node_noprof+0x43c/0x710
[ 69.083756][ T5838] __alloc_skb+0x112/0x2d0
[ 69.095978][ T5839] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 69.098558][ T5838] hci_cmd_sync_alloc+0x3d/0x3b0
[ 69.105167][ T5839] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 69.109401][ T5838] __hci_cmd_sync_sk+0x1a7/0xc70
[ 69.115888][ T5839] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 69.119244][ T5838] hci_dev_open_sync+0x163e/0x2dc0
[ 69.127448][ T5839] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 69.129214][ T5838] hci_power_on+0x1b4/0x720
[ 69.135614][ T5839] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 69.139201][ T5838] process_one_work+0x93a/0x15e0
[ 69.353209][ T5838] worker_thread+0x9b0/0xee0
[ 69.357880][ T5838] kthread+0x711/0x8a0
[ 69.361945][ T5838] ret_from_fork+0x599/0xb30
[ 69.366537][ T5838] ret_from_fork_asm+0x1a/0x30
[ 69.371293][ T5838]
[ 69.373601][ T5838] Freed by task 5828:
[ 69.377558][ T5838] kasan_save_track+0x3e/0x80
[ 69.382218][ T5838] kasan_save_free_info+0x46/0x50
[ 69.387228][ T5838] __kasan_slab_free+0x5c/0x80
[ 69.391974][ T5838] kmem_cache_free+0x197/0x640
[ 69.396724][ T5838] vhci_read+0x49a/0x5b0
[ 69.400946][ T5838] vfs_read+0x200/0xa30
[ 69.405079][ T5838] ksys_read+0x145/0x250
[ 69.409301][ T5838] do_syscall_64+0xfa/0xfa0
[ 69.413782][ T5838] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.419656][ T5838]
[ 69.421962][ T5838] The buggy address belongs to the object at ffff88805cbc5780
[ 69.421962][ T5838]  which belongs to the cache skbuff_head_cache of size 240
[ 69.436522][ T5838] The buggy address is located 56 bytes inside of
[ 69.436522][ T5838]  freed 240-byte region [ffff88805cbc5780, ffff88805cbc5870)
[ 69.450224][ T5838]
[ 69.452534][ T5838] The buggy address belongs to the physical page:
[ 69.458936][ T5838] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5cbc5
[ 69.467702][ T5838] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 69.474794][ T5838] page_type: f5(slab)
[ 69.478761][ T5838] raw: 00fff00000000000 ffff888140eb9a00 dead000000000122 0000000000000000
[ 69.487326][ T5838] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
[ 69.495970][ T5838] page dumped because: kasan: bad access detected
[ 69.502464][ T5838] page_owner tracks the page as allocated
[ 69.508157][ T5838] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5832, tgid 5832 (udevd), ts 69031621638, free_ts 20997798043
[ 69.526799][ T5838] post_alloc_hook+0x240/0x2a0
[ 69.531549][ T5838] get_page_from_freelist+0x2365/0x2440
[ 69.537081][ T5838] __alloc_frozen_pages_noprof+0x181/0x370
[ 69.542869][ T5838] alloc_pages_mpol+0x232/0x4a0
[ 69.547708][ T5838] allocate_slab+0x86/0x3b0
[ 69.552191][ T5838] ___slab_alloc+0xf56/0x1990
[ 69.556847][ T5838] __slab_alloc+0x65/0x100
[ 69.561245][ T5838] kmem_cache_alloc_node_noprof+0x4ce/0x710
[ 69.567123][ T5838] __alloc_skb+0x112/0x2d0
[ 69.571523][ T5838] netlink_sendmsg+0x5c6/0xb30
[ 69.576266][ T5838] __sock_sendmsg+0x21c/0x270
[ 69.581099][ T5838] ____sys_sendmsg+0x505/0x870
[ 69.585845][ T5838] ___sys_sendmsg+0x21f/0x2a0
[ 69.590505][ T5838] __x64_sys_sendmsg+0x19b/0x260
[ 69.595420][ T5838] do_syscall_64+0xfa/0xfa0
[ 69.599994][ T5838] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.605862][ T5838] page last free pid 1 tgid 1 stack trace:
[ 69.611649][ T5838] __free_frozen_pages+0xbc8/0xd30
[ 69.616741][ T5838] free_contig_range+0x1bd/0x4a0
[ 69.621667][ T5838] destroy_args+0x69/0x660
[ 69.626103][ T5838] debug_vm_pgtable+0x38f/0x3a0
[ 69.630937][ T5838] do_one_initcall+0x1fb/0x870
[ 69.635680][ T5838] do_initcall_level+0x104/0x190
[ 69.640601][ T5838] do_initcalls+0x59/0xa0
[ 69.644912][ T5838] kernel_init_freeable+0x334/0x4b0
[ 69.650092][ T5838] kernel_init+0x1d/0x1d0
[ 69.654413][ T5838] ret_from_fork+0x599/0xb30
[ 69.658987][ T5838] ret_from_fork_asm+0x1a/0x30
[ 69.663734][ T5838]
[ 69.666096][ T5838] Memory state around the buggy address:
[ 69.671702][ T5838]  ffff88805cbc5680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.679756][ T5838]  ffff88805cbc5700: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 69.687972][ T5838] >ffff88805cbc5780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.696009][ T5838]                                         ^
[ 69.701879][ T5838]  ffff88805cbc5800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 69.709916][ T5838]  ffff88805cbc5880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 69.717950][ T5838] ==================================================================
[ 69.727607][ T5839] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 69.728070][ T5838] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 69.728095][ T5838] CPU: 0 UID: 0 PID: 5838 Comm: kworker/u9:6 Not tainted syzkaller #0 PREEMPT(full)
[ 69.728115][ T5838] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 69.728125][ T5838] Workqueue: hci1 hci_cmd_work
[ 69.728149][ T5838] Call Trace:
[ 69.728157][ T5838]
[ 69.728164][ T5838] dump_stack_lvl+0x99/0x250
[ 69.728188][ T5838] ? __asan_memcpy+0x40/0x70
[ 69.728208][ T5838] ? __pfx_dump_stack_lvl+0x10/0x10
[ 69.728229][ T5838] ? __pfx__printk+0x10/0x10
[ 69.728251][ T5838] vpanic+0x237/0x6d0
[ 69.728266][ T5838] ? __pfx_vpanic+0x10/0x10
[ 69.728279][ T5838] ? preempt_schedule+0xae/0xc0
[ 69.728296][ T5838] ? __pfx_preempt_schedule+0x10/0x10
[ 69.728315][ T5838] panic+0xb9/0xc0
[ 69.728329][ T5838] ? __pfx_panic+0x10/0x10
[ 69.728345][ T5838] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 69.728363][ T5838] ? is_module_address+0x17/0xf0
[ 69.728383][ T5838] ? hci_cmd_work+0x5d0/0x7b0
[ 69.728400][ T5838] check_panic_on_warn+0x89/0xb0
[ 69.728418][ T5838] ? hci_cmd_work+0x5d0/0x7b0
[ 69.728437][ T5838] end_report+0x6f/0x160
[ 69.728454][ T5838] kasan_report+0x129/0x150
[ 69.728474][ T5838] ? hci_cmd_work+0x5d0/0x7b0
[ 69.728495][ T5838] hci_cmd_work+0x5d0/0x7b0
[ 69.728515][ T5838] ? process_one_work+0x868/0x15e0
[ 69.728535][ T5838] process_one_work+0x93a/0x15e0
[ 69.728553][ T5838] ? __lock_acquire+0xab9/0xd20
[ 69.728581][ T5838] ? __pfx_process_one_work+0x10/0x10
[ 69.728603][ T5838] ? assign_work+0x3a1/0x410
[ 69.728623][ T5838] worker_thread+0x9b0/0xee0
[ 69.728653][ T5838] kthread+0x711/0x8a0
[ 69.728669][ T5838] ? __pfx_worker_thread+0x10/0x10
[ 69.728689][ T5838] ? __pfx_kthread+0x10/0x10
[ 69.728704][ T5838] ? _raw_spin_unlock_irq+0x23/0x50
[ 69.728720][ T5838] ? lockdep_hardirqs_on+0x9c/0x150
[ 69.728737][ T5838] ? __pfx_kthread+0x10/0x10
[ 69.728752][ T5838] ret_from_fork+0x599/0xb30
[ 69.728773][ T5838] ? __pfx_ret_from_fork+0x10/0x10
[ 69.728793][ T5838] ? __switch_to_asm+0x39/0x70
[ 69.728809][ T5838] ? __switch_to_asm+0x33/0x70
[ 69.728823][ T5838] ? __pfx_kthread+0x10/0x10
[ 69.728838][ T5838] ret_from_fork_asm+0x1a/0x30
[ 69.728861][ T5838]
[ 69.734696][ T5838] Kernel Offset: disabled