last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.0.13' (ED25519) to the list of known hosts.
[ 74.228886][ T5813] cgroup: Unknown subsys name 'net'
[ 74.368486][ T5813] cgroup: Unknown subsys name 'cpuset'
[ 74.376873][ T5813] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 75.862422][ T5813] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 77.964144][ T5831] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 77.975293][ T5833] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 77.984164][ T5833] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 77.994194][ T5833] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 78.002110][ T5833] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 78.008633][ T5841] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 78.010288][ T5833] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 78.026489][ T5840] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 78.028670][ T5841] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 78.034181][ T5840] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 78.040817][ T5843] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 78.041099][ T5843] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 78.057774][ T5840] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 78.067278][ T5843] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 78.072393][ T5840] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 78.078429][ T5843] ==================================================================
[ 78.087052][ T5840] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 78.094117][ T5843] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[ 78.103027][ T5840] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 78.108748][ T5843] Read of size 2 at addr ffff888031fda2b8 by task kworker/u9:9/5843
[ 78.108768][ T5843]
[ 78.108797][ T5843] CPU: 1 UID: 0 PID: 5843 Comm: kworker/u9:9 Not tainted syzkaller #0 PREEMPT(full)
[ 78.108814][ T5843] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 78.108825][ T5843] Workqueue: hci1 hci_cmd_work
[ 78.108854][ T5843] Call Trace:
[ 78.108862][ T5843]
[ 78.108870][ T5843] dump_stack_lvl+0x189/0x250
[ 78.108894][ T5843] ? __virt_addr_valid+0x1c8/0x5c0
[ 78.108911][ T5843] ? rcu_is_watching+0x15/0xb0
[ 78.108926][ T5843] ? __pfx_dump_stack_lvl+0x10/0x10
[ 78.108946][ T5843] ? rcu_is_watching+0x15/0xb0
[ 78.108959][ T5843] ? lock_release+0x4b/0x3d0
[ 78.108978][ T5843] ? _raw_spin_lock_irqsave+0xb3/0xf0
[ 78.108997][ T5843] ? __virt_addr_valid+0x1c8/0x5c0
[ 78.109012][ T5843] ? __virt_addr_valid+0x4a5/0x5c0
[ 78.109036][ T5843] print_report+0xca/0x240
[ 78.109055][ T5843] ? hci_cmd_work+0x5d0/0x7b0
[ 78.109072][ T5843] kasan_report+0x118/0x150
[ 78.109093][ T5843] ? hci_cmd_work+0x5d0/0x7b0
[ 78.109114][ T5843] hci_cmd_work+0x5d0/0x7b0
[ 78.109134][ T5843] ? process_one_work+0x868/0x15e0
[ 78.109152][ T5843] process_one_work+0x93a/0x15e0
[ 78.109171][ T5843] ? __lock_acquire+0xab9/0xd20
[ 78.109197][ T5843] ? __pfx_process_one_work+0x10/0x10
[ 78.109219][ T5843] ? assign_work+0x3a1/0x410
[ 78.109240][ T5843] worker_thread+0x9b0/0xee0
[ 78.109269][ T5843] kthread+0x711/0x8a0
[ 78.109292][ T5843] ? __pfx_worker_thread+0x10/0x10
[ 78.109311][ T5843] ? __pfx_kthread+0x10/0x10
[ 78.109326][ T5843] ? _raw_spin_unlock_irq+0x23/0x50
[ 78.109342][ T5843] ? lockdep_hardirqs_on+0x9c/0x150
[ 78.109358][ T5843] ? __pfx_kthread+0x10/0x10
[ 78.109373][ T5843] ret_from_fork+0x599/0xb30
[ 78.109393][ T5843] ? __pfx_ret_from_fork+0x10/0x10
[ 78.109415][ T5843] ? __switch_to_asm+0x39/0x70
[ 78.109430][ T5843] ? __switch_to_asm+0x33/0x70
[ 78.109444][ T5843] ? __pfx_kthread+0x10/0x10
[ 78.109459][ T5843] ret_from_fork_asm+0x1a/0x30
[ 78.109481][ T5843]
[ 78.109487][ T5843]
[ 78.119478][ T5840] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 78.124410][ T5843] Allocated by task 5147:
[ 78.130634][ T5840] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 78.136212][ T5843] kasan_save_track+0x3e/0x80
[ 78.136241][ T5843] __kasan_slab_alloc+0x6c/0x80
[ 78.136255][ T5843] kmem_cache_alloc_node_noprof+0x43c/0x710
[ 78.136269][ T5843] __alloc_skb+0x112/0x2d0
[ 78.136287][ T5843] hci_cmd_sync_alloc+0x3d/0x3b0
[ 78.136302][ T5843] __hci_cmd_sync_sk+0x1a7/0xc70
[ 78.136317][ T5843] hci_read_local_name_sync+0x2c/0x120
[ 78.136335][ T5843] hci_dev_open_sync+0x230e/0x2dc0
[ 78.136347][ T5843] hci_power_on+0x1b4/0x720
[ 78.136363][ T5843] process_one_work+0x93a/0x15e0
[ 78.136379][ T5843] worker_thread+0x9b0/0xee0
[ 78.136395][ T5843] kthread+0x711/0x8a0
[ 78.136409][ T5843] ret_from_fork+0x599/0xb30
[ 78.136424][ T5843] ret_from_fork_asm+0x1a/0x30
[ 78.136440][ T5843]
[ 78.136445][ T5843] Freed by task 5832:
[ 78.136453][ T5843] kasan_save_track+0x3e/0x80
[ 78.136465][ T5843] kasan_save_free_info+0x46/0x50
[ 78.136483][ T5843] __kasan_slab_free+0x5c/0x80
[ 78.136496][ T5843] kmem_cache_free+0x197/0x640
[ 78.136509][ T5843] vhci_read+0x49a/0x5b0
[ 78.136524][ T5843] vfs_read+0x200/0xa30
[ 78.136538][ T5843] ksys_read+0x145/0x250
[ 78.136551][ T5843] do_syscall_64+0xfa/0xfa0
[ 78.136568][ T5843] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 78.136582][ T5843]
[ 78.136587][ T5843] The buggy address belongs to the object at ffff888031fda280
[ 78.136587][ T5843] which belongs to the cache skbuff_head_cache of size 240
[ 78.149894][ T5840] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 78.151925][ T5843] The buggy address is located 56 bytes inside of
[ 78.151925][ T5843] freed 240-byte region [ffff888031fda280, ffff888031fda370)
[ 78.506328][ T5843]
[ 78.508660][ T5843] The buggy address belongs to the physical page:
[ 78.515073][ T5843] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x31fda
[ 78.524317][ T5843] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 78.532580][ T5843] page_type: f5(slab)
[ 78.538427][ T5843] raw: 00fff00000000000 ffff88801de81a00 dead000000000122 0000000000000000
[ 78.547595][ T5843] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[ 78.556437][ T5843] page dumped because: kasan: bad access detected
[ 78.562870][ T5843] page_owner tracks the page as allocated
[ 78.568831][ T5843] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5843, tgid 5843 (kworker/u9:9), ts 78067239006, free_ts 78065850126
[ 78.588799][ T5843] post_alloc_hook+0x240/0x2a0
[ 78.593687][ T5843] get_page_from_freelist+0x2365/0x2440
[ 78.599411][ T5843] __alloc_frozen_pages_noprof+0x181/0x370
[ 78.606106][ T5843] alloc_pages_mpol+0x232/0x4a0
[ 78.611690][ T5843] allocate_slab+0x86/0x3b0
[ 78.616637][ T5843] ___slab_alloc+0xf56/0x1990
[ 78.622715][ T5843] __slab_alloc+0x65/0x100
[ 78.627151][ T5843] kmem_cache_alloc_noprof+0x40f/0x700
[ 78.633592][ T5843] skb_clone+0x212/0x3a0
[ 78.638766][ T5843] hci_event_packet+0x1a6/0x1260
[ 78.644937][ T5843] hci_rx_work+0x45d/0xfc0
[ 78.649649][ T5843] process_one_work+0x93a/0x15e0
[ 78.655549][ T5843] worker_thread+0x9b0/0xee0
[ 78.661518][ T5843] kthread+0x711/0x8a0
[ 78.667129][ T5843] ret_from_fork+0x599/0xb30
[ 78.673640][ T5843] ret_from_fork_asm+0x1a/0x30
[ 78.679018][ T5843] page last free pid 23 tgid 23 stack trace:
[ 78.685449][ T5843] __free_frozen_pages+0xbc8/0xd30
[ 78.691010][ T5843] rcu_core+0xcab/0x1770
[ 78.695748][ T5843] handle_softirqs+0x27d/0x880
[ 78.702430][ T5843] run_ksoftirqd+0x9b/0x100
[ 78.707126][ T5843] smpboot_thread_fn+0x542/0xa60
[ 78.712171][ T5843] kthread+0x711/0x8a0
[ 78.716622][ T5843] ret_from_fork+0x599/0xb30
[ 78.721700][ T5843] ret_from_fork_asm+0x1a/0x30
[ 78.728132][ T5843]
[ 78.730719][ T5843] Memory state around the buggy address:
[ 78.737821][ T5843]  ffff888031fda180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.747361][ T5843]  ffff888031fda200: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 78.756910][ T5843] >ffff888031fda280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.766021][ T5843]                                         ^
[ 78.773303][ T5843]  ffff888031fda300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 78.781714][ T5843]  ffff888031fda380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 78.790838][ T5843] ==================================================================
[ 78.811115][ T5840] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 78.819226][ T5840] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 78.826044][ T5843] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 78.826073][ T5843] CPU: 1 UID: 0 PID: 5843 Comm: kworker/u9:9 Not tainted syzkaller #0 PREEMPT(full)
[ 78.826093][ T5843] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 78.826105][ T5843] Workqueue: hci1 hci_cmd_work
[ 78.826131][ T5843] Call Trace:
[ 78.826139][ T5843]
[ 78.826148][ T5843] dump_stack_lvl+0x99/0x250
[ 78.826172][ T5843] ? __asan_memcpy+0x40/0x70
[ 78.826189][ T5843] ? __pfx_dump_stack_lvl+0x10/0x10
[ 78.826210][ T5843] ? __pfx__printk+0x10/0x10
[ 78.826233][ T5843] vpanic+0x237/0x6d0
[ 78.826248][ T5843] ? __pfx_vpanic+0x10/0x10
[ 78.826261][ T5843] ? preempt_schedule+0xae/0xc0
[ 78.826276][ T5843] ? __pfx_preempt_schedule+0x10/0x10
[ 78.826293][ T5843] panic+0xb9/0xc0
[ 78.826305][ T5843] ? __pfx_panic+0x10/0x10
[ 78.826319][ T5843] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 78.826337][ T5843] ? is_module_address+0x17/0xf0
[ 78.826356][ T5843] ? hci_cmd_work+0x5d0/0x7b0
[ 78.926853][ T5843] check_panic_on_warn+0x89/0xb0
[ 78.931809][ T5843] ? hci_cmd_work+0x5d0/0x7b0
[ 78.936730][ T5843] end_report+0x6f/0x160
[ 78.941332][ T5843] kasan_report+0x129/0x150
[ 78.945845][ T5843] ? hci_cmd_work+0x5d0/0x7b0
[ 78.950646][ T5843] hci_cmd_work+0x5d0/0x7b0
[ 78.955329][ T5843] ? process_one_work+0x868/0x15e0
[ 78.960427][ T5843] process_one_work+0x93a/0x15e0
[ 78.965613][ T5843] ? __lock_acquire+0xab9/0xd20
[ 78.971204][ T5843] ? __pfx_process_one_work+0x10/0x10
[ 78.976855][ T5843] ? assign_work+0x3a1/0x410
[ 78.981799][ T5843] worker_thread+0x9b0/0xee0
[ 78.987035][ T5843] kthread+0x711/0x8a0
[ 78.991481][ T5843] ? __pfx_worker_thread+0x10/0x10
[ 78.997227][ T5843] ? __pfx_kthread+0x10/0x10
[ 79.002807][ T5843] ? _raw_spin_unlock_irq+0x23/0x50
[ 79.008219][ T5843] ? lockdep_hardirqs_on+0x9c/0x150
[ 79.014223][ T5843] ? __pfx_kthread+0x10/0x10
[ 79.018909][ T5843] ret_from_fork+0x599/0xb30
[ 79.023513][ T5843] ? __pfx_ret_from_fork+0x10/0x10
[ 79.028728][ T5843] ? __switch_to_asm+0x39/0x70
[ 79.033798][ T5843] ? __switch_to_asm+0x33/0x70
[ 79.038707][ T5843] ? __pfx_kthread+0x10/0x10
[ 79.043639][ T5843] ret_from_fork_asm+0x1a/0x30
[ 79.048481][ T5843]
[ 79.052145][ T5843] Kernel Offset: disabled
[ 79.056763][ T5843] Rebooting in 86400 seconds..