last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.1.183' (ED25519) to the list of known hosts.
[ 84.666530][ T5813] cgroup: Unknown subsys name 'net'
[ 84.784085][ T5813] cgroup: Unknown subsys name 'cpuset'
[ 84.792968][ T5813] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 86.458244][ T5813] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 89.692996][ T5832] ==================================================================
[ 89.701137][ T5832] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[ 89.701292][ T5829] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 89.708630][ T5832] Read of size 2 at addr ffff8880602bd8f8 by task kworker/u9:3/5832
[ 89.708654][ T5832]
[ 89.726292][ T5832] CPU: 0 UID: 0 PID: 5832 Comm: kworker/u9:3 Not tainted syzkaller #0 PREEMPT(full)
[ 89.726316][ T5832] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
[ 89.726329][ T5832] Workqueue: hci1 hci_cmd_work
[ 89.726359][ T5832] Call Trace:
[ 89.726367][ T5832]
[ 89.726375][ T5832] dump_stack_lvl+0x189/0x250
[ 89.726402][ T5832] ? __virt_addr_valid+0x1c8/0x5c0
[ 89.726420][ T5832] ? rcu_is_watching+0x15/0xb0
[ 89.726436][ T5832] ? __pfx_dump_stack_lvl+0x10/0x10
[ 89.726459][ T5832] ? rcu_is_watching+0x15/0xb0
[ 89.726474][ T5832] ? lock_release+0x4b/0x3d0
[ 89.726496][ T5832] ? _raw_spin_lock_irqsave+0xb3/0xf0
[ 89.726516][ T5832] ? __virt_addr_valid+0x1c8/0x5c0
[ 89.726533][ T5832] ? __virt_addr_valid+0x4a5/0x5c0
[ 89.726552][ T5832] print_report+0xca/0x240
[ 89.726575][ T5832] ? hci_cmd_work+0x5d0/0x7b0
[ 89.726596][ T5832] kasan_report+0x118/0x150
[ 89.726620][ T5832] ? hci_cmd_work+0x5d0/0x7b0
[ 89.726645][ T5832] hci_cmd_work+0x5d0/0x7b0
[ 89.726668][ T5832] ? process_one_work+0x868/0x15e0
[ 89.726689][ T5832] process_one_work+0x93a/0x15e0
[ 89.726710][ T5832] ? __lock_acquire+0xab9/0xd20
[ 89.726740][ T5832] ? __pfx_process_one_work+0x10/0x10
[ 89.726773][ T5832] ? assign_work+0x3a1/0x410
[ 89.726798][ T5832] worker_thread+0x9b0/0xee0
[ 89.726840][ T5832] kthread+0x711/0x8a0
[ 89.726859][ T5832] ? __pfx_worker_thread+0x10/0x10
[ 89.726881][ T5832] ? __pfx_kthread+0x10/0x10
[ 89.726897][ T5832] ? _raw_spin_unlock_irq+0x23/0x50
[ 89.726915][ T5832] ? lockdep_hardirqs_on+0x9c/0x150
[ 89.726935][ T5832] ? __pfx_kthread+0x10/0x10
[ 89.726952][ T5832] ret_from_fork+0x599/0xb30
[ 89.726976][ T5832] ? __pfx_ret_from_fork+0x10/0x10
[ 89.727001][ T5832] ? __switch_to_asm+0x39/0x70
[ 89.727019][ T5832] ? __switch_to_asm+0x33/0x70
[ 89.727036][ T5832] ? __pfx_kthread+0x10/0x10
[ 89.727054][ T5832] ret_from_fork_asm+0x1a/0x30
[ 89.727078][ T5832]
[ 89.727085][ T5832]
[ 89.920431][ T5832] Allocated by task 5147:
[ 89.924773][ T5832] kasan_save_track+0x3e/0x80
[ 89.929475][ T5832] __kasan_slab_alloc+0x6c/0x80
[ 89.934439][ T5832] kmem_cache_alloc_node_noprof+0x43c/0x710
[ 89.940423][ T5832] __alloc_skb+0x112/0x2d0
[ 89.944939][ T5832] hci_cmd_sync_alloc+0x3d/0x3b0
[ 89.949883][ T5832] __hci_cmd_sync_sk+0x1a7/0xc70
[ 89.954830][ T5832] hci_reset_sync+0x4a/0x140
[ 89.959971][ T5832] hci_dev_open_sync+0xec5/0x2dc0
[ 89.965024][ T5832] hci_power_on+0x1b4/0x720
[ 89.969873][ T5832] process_one_work+0x93a/0x15e0
[ 89.974996][ T5832] worker_thread+0x9b0/0xee0
[ 89.979594][ T5832] kthread+0x711/0x8a0
[ 89.983660][ T5832] ret_from_fork+0x599/0xb30
[ 89.988341][ T5832] ret_from_fork_asm+0x1a/0x30
[ 89.993109][ T5832]
[ 89.995437][ T5832] Freed by task 5830:
[ 89.999559][ T5832] kasan_save_track+0x3e/0x80
[ 90.004254][ T5832] kasan_save_free_info+0x46/0x50
[ 90.009420][ T5832] __kasan_slab_free+0x5c/0x80
[ 90.014235][ T5832] kmem_cache_free+0x197/0x640
[ 90.019100][ T5832] vhci_read+0x49a/0x5b0
[ 90.023348][ T5832] vfs_read+0x200/0xa30
[ 90.027532][ T5832] ksys_read+0x145/0x250
[ 90.031871][ T5832] do_syscall_64+0xfa/0xfa0
[ 90.036392][ T5832] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 90.042287][ T5832]
[ 90.044615][ T5832] The buggy address belongs to the object at ffff8880602bd8c0
[ 90.044615][ T5832] which belongs to the cache skbuff_head_cache of size 240
[ 90.059184][ T5832] The buggy address is located 56 bytes inside of
[ 90.059184][ T5832] freed 240-byte region [ffff8880602bd8c0, ffff8880602bd9b0)
[ 90.072978][ T5832]
[ 90.075481][ T5832] The buggy address belongs to the physical page:
[ 90.081928][ T5832] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x602bd
[ 90.090902][ T5832] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 90.098018][ T5832] page_type: f5(slab)
[ 90.102094][ T5832] raw: 00fff00000000000 ffff88801dea18c0 dead000000000122 0000000000000000
[ 90.110692][ T5832] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
[ 90.119280][ T5832] page dumped because: kasan: bad access detected
[ 90.125716][ T5832] page_owner tracks the page as allocated
[ 90.131520][ T5832] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5826, tgid 5826 (udevd), ts 89686668708, free_ts 89681982640
[ 90.150363][ T5832] post_alloc_hook+0x240/0x2a0
[ 90.155134][ T5832] get_page_from_freelist+0x2365/0x2440
[ 90.160856][ T5832] __alloc_frozen_pages_noprof+0x181/0x370
[ 90.166665][ T5832] alloc_pages_mpol+0x232/0x4a0
[ 90.171521][ T5832] allocate_slab+0x86/0x3b0
[ 90.176027][ T5832] ___slab_alloc+0xf56/0x1990
[ 90.180711][ T5832] __slab_alloc+0x65/0x100
[ 90.185307][ T5832] kmem_cache_alloc_node_noprof+0x4ce/0x710
[ 90.191393][ T5832] __alloc_skb+0x112/0x2d0
[ 90.195843][ T5832] netlink_sendmsg+0x5c6/0xb30
[ 90.200618][ T5832] __sock_sendmsg+0x21c/0x270
[ 90.205302][ T5832] ____sys_sendmsg+0x505/0x870
[ 90.210200][ T5832] ___sys_sendmsg+0x21f/0x2a0
[ 90.214967][ T5832] __x64_sys_sendmsg+0x19b/0x260
[ 90.219902][ T5832] do_syscall_64+0xfa/0xfa0
[ 90.224418][ T5832] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 90.230409][ T5832] page last free pid 5824 tgid 5824 stack trace:
[ 90.236868][ T5832] __free_frozen_pages+0xbc8/0xd30
[ 90.242094][ T5832] __kasan_populate_vmalloc+0x137/0x1d0
[ 90.247817][ T5832] alloc_vmap_area+0xdca/0x1500
[ 90.252928][ T5832] __get_vm_area_node+0x1f8/0x300
[ 90.257953][ T5832] __vmalloc_node_range_noprof+0x365/0x1640
[ 90.264119][ T5832] __vmalloc_node_noprof+0xc2/0x110
[ 90.269321][ T5832] dup_task_struct+0x3d4/0x830
[ 90.274088][ T5832] copy_process+0x4ea/0x3930
[ 90.278701][ T5832] kernel_clone+0x21e/0x850
[ 90.283233][ T5832] __se_sys_clone3+0x256/0x2d0
[ 90.288222][ T5832] do_syscall_64+0xfa/0xfa0
[ 90.293054][ T5832] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 90.299245][ T5832]
[ 90.301590][ T5832] Memory state around the buggy address:
[ 90.307411][ T5832] ffff8880602bd780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 90.315641][ T5832] ffff8880602bd800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 90.323705][ T5832] >ffff8880602bd880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 90.331763][ T5832] ^
[ 90.339830][ T5832] ffff8880602bd900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 90.348069][ T5832] ffff8880602bd980: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 90.356143][ T5832] ==================================================================
[ 90.365524][ T5832] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 90.372779][ T5832] CPU: 0 UID: 0 PID: 5832 Comm: kworker/u9:3 Not tainted syzkaller #0 PREEMPT(full)
[ 90.382261][ T5832] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
[ 90.392345][ T5832] Workqueue: hci1 hci_cmd_work
[ 90.397130][ T5832] Call Trace:
[ 90.400521][ T5832]
[ 90.403456][ T5832] dump_stack_lvl+0x99/0x250
[ 90.408256][ T5832] ? __asan_memcpy+0x40/0x70
[ 90.412851][ T5832] ? __pfx_dump_stack_lvl+0x10/0x10
[ 90.418060][ T5832] ? __pfx__printk+0x10/0x10
[ 90.422848][ T5832] vpanic+0x237/0x6d0
[ 90.426840][ T5832] ? __pfx_vpanic+0x10/0x10
[ 90.431539][ T5832] ? preempt_schedule+0xae/0xc0
[ 90.436628][ T5832] ? __pfx_preempt_schedule+0x10/0x10
[ 90.442269][ T5832] panic+0xb9/0xc0
[ 90.446120][ T5832] ? __pfx_panic+0x10/0x10
[ 90.450626][ T5832] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 90.456574][ T5832] ? is_module_address+0x17/0xf0
[ 90.461808][ T5832] ? hci_cmd_work+0x5d0/0x7b0
[ 90.466565][ T5832] check_panic_on_warn+0x89/0xb0
[ 90.471601][ T5832] ? hci_cmd_work+0x5d0/0x7b0
[ 90.476287][ T5832] end_report+0x6f/0x160
[ 90.480638][ T5832] kasan_report+0x129/0x150
[ 90.485149][ T5832] ? hci_cmd_work+0x5d0/0x7b0
[ 90.489933][ T5832] hci_cmd_work+0x5d0/0x7b0
[ 90.494529][ T5832] ? process_one_work+0x868/0x15e0
[ 90.499747][ T5832] process_one_work+0x93a/0x15e0
[ 90.504777][ T5832] ? __lock_acquire+0xab9/0xd20
[ 90.509646][ T5832] ? __pfx_process_one_work+0x10/0x10
[ 90.515031][ T5832] ? assign_work+0x3a1/0x410
[ 90.519743][ T5832] worker_thread+0x9b0/0xee0
[ 90.524356][ T5832] kthread+0x711/0x8a0
[ 90.528433][ T5832] ? __pfx_worker_thread+0x10/0x10
[ 90.533551][ T5832] ? __pfx_kthread+0x10/0x10
[ 90.538158][ T5832] ? _raw_spin_unlock_irq+0x23/0x50
[ 90.543472][ T5832] ? lockdep_hardirqs_on+0x9c/0x150
[ 90.548878][ T5832] ? __pfx_kthread+0x10/0x10
[ 90.553478][ T5832] ret_from_fork+0x599/0xb30
[ 90.558093][ T5832] ? __pfx_ret_from_fork+0x10/0x10
[ 90.563488][ T5832] ? __switch_to_asm+0x39/0x70
[ 90.568380][ T5832] ? __switch_to_asm+0x33/0x70
[ 90.573148][ T5832] ? __pfx_kthread+0x10/0x10
[ 90.577837][ T5832] ret_from_fork_asm+0x1a/0x30
[ 90.582782][ T5832]
[ 90.585959][ T5832] Kernel Offset: disabled
[ 90.590292][ T5832] Rebooting in 86400 seconds..