last executing test programs:

4.8918979s ago: executing program 2 (id=91):
syz_open_dev$radio(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$radio(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$radio(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$radio(&(0x7f0000000100), 0x0, 0x800)

4.891393653s ago: executing program 2 (id=93):
rt_sigreturn()

2.695161177s ago: executing program 1 (id=278):
fchownat(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0, 0x0)

2.674605851s ago: executing program 1 (id=281):
syz_init_net_socket$x25(0x9, 0x5, 0x0)

2.67016278s ago: executing program 3 (id=282):
syz_open_dev$video(&(0x7f0000000040), 0x0, 0x0)
syz_open_dev$video(&(0x7f0000000080), 0x0, 0x1)
syz_open_dev$video(&(0x7f00000000c0), 0x0, 0x2)
syz_open_dev$video(&(0x7f0000000100), 0x0, 0x800)
syz_open_dev$video(&(0x7f0000000140), 0x1, 0x0)
syz_open_dev$video(&(0x7f0000000180), 0x1, 0x1)
syz_open_dev$video(&(0x7f00000001c0), 0x1, 0x2)
syz_open_dev$video(&(0x7f0000000200), 0x1, 0x800)
syz_open_dev$video(&(0x7f0000000240), 0x2, 0x0)
syz_open_dev$video(&(0x7f0000000280), 0x2, 0x1)
syz_open_dev$video(&(0x7f00000002c0), 0x2, 0x2)
syz_open_dev$video(&(0x7f0000000300), 0x2, 0x800)
syz_open_dev$video(&(0x7f0000000340), 0x3, 0x0)
syz_open_dev$video(&(0x7f0000000380), 0x3, 0x1)
syz_open_dev$video(&(0x7f00000003c0), 0x3, 0x2)
syz_open_dev$video(&(0x7f0000000400), 0x3, 0x800)
syz_open_dev$video(&(0x7f0000000440), 0x4, 0x0)
syz_open_dev$video(&(0x7f0000000480), 0x4, 0x1)
syz_open_dev$video(&(0x7f00000004c0), 0x4, 0x2)
syz_open_dev$video(&(0x7f0000000500), 0x4, 0x800)

2.623644578s ago: executing program 0 (id=284):
chroot(&(0x7f0000000000))

2.623466887s ago: executing program 1 (id=285):
signalfd4(0xffffffffffffffff, &(0x7f0000000000), 0x0, 0x0)

2.61460263s ago: executing program 0 (id=286):
move_pages(0x0, 0x0, &(0x7f0000000000), 0x0, &(0x7f0000000000), 0x0)

2.602599419s ago: executing program 1 (id=287):
lookup_dcookie(0x0, &(0x7f0000000000), 0x0)

2.547972211s ago: executing program 3 (id=288):
socket$inet(0x2, 0x1, 0x0)

2.547859964s ago: executing program 0 (id=289):
dup3(0xffffffffffffffff, 0xffffffffffffffff, 0x0)

2.547785323s ago: executing program 3 (id=290):
open_tree(0xffffffffffffffff, &(0x7f0000000000), 0x0)

2.547705745s ago: executing program 1 (id=291):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/dev/sequencer2', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/dev/sequencer2', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/dev/sequencer2', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/dev/sequencer2', 0x800, 0x0)

2.547609973s ago: executing program 0 (id=292):
symlinkat(&(0x7f0000000000), 0xffffffffffffffff, &(0x7f0000000000))

2.540852199s ago: executing program 3 (id=293):
openat(0xffffffffffffff9c, &(0x7f0000000040)='/proc/self', 0x0, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='/proc/self', 0x1, 0x0)
openat(0xffffffffffffff9c, &(0x7f00000000c0)='/proc/self', 0x2, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000100)='/proc/self', 0x800, 0x0)

2.530802154s ago: executing program 1 (id=294):
socket$l2tp(0x2, 0x2, 0x73)

1.180580809s ago: executing program 0 (id=295):
mmap(&(0x7efffffff000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000000000/0x1000000)=nil, 0x1000000, 0x7, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0001000000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)

1.010902143s ago: executing program 3 (id=296):
mmap(&(0x7efffffff000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000000000/0x1000000)=nil, 0x1000000, 0x7, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0001000000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)

812.913813ms ago: executing program 2 (id=298):
mmap(&(0x7efffffff000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000000000/0x1000000)=nil, 0x1000000, 0x7, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0001000000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)

472.682649ms ago: executing program 3 (id=300):
lchown(&(0x7f0000000000), 0x0, 0x0)

72.612371ms ago: executing program 2 (id=301):
readahead(0xffffffffffffffff, 0x0, 0x0)

61.832372ms ago: executing program 2 (id=303):
landlock_restrict_self(0xffffffffffffffff, 0x0)

57.082432ms ago: executing program 0 (id=299):
mmap(&(0x7efffffff000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0000000000/0x1000000)=nil, 0x1000000, 0x7, 0x32, 0xffffffffffffffff, 0x0)
mmap(&(0x7f0001000000/0x1000)=nil, 0x1000, 0x0, 0x32, 0xffffffffffffffff, 0x0)

0s ago: executing program 2 (id=304):
brk(0x0)

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.0.200' (ED25519) to the list of known hosts.
[   68.515862][ T5811] cgroup: Unknown subsys name 'net'
[   68.666140][ T5811] cgroup: Unknown subsys name 'cpuset'
[   68.675228][ T5811] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   70.144853][ T5811] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   71.637669][ T1296] ieee802154 phy0 wpan0: encryption failed: -22
[   71.644403][ T1296] ieee802154 phy1 wpan1: encryption failed: -22
[   84.221635][ T6138] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[   85.028639][ T6140] chnl_net:caif_netlink_parms(): no params data found
[   85.473512][ T1034] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   85.481541][ T1034] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   85.557579][ T6140] bridge0: port 1(bridge_slave_0) entered blocking state
[   85.566898][ T6140] bridge0: port 1(bridge_slave_0) entered disabled state
[   85.575288][ T6140] bridge_slave_0: entered allmulticast mode
[   85.583537][ T6140] bridge_slave_0: entered promiscuous mode
[   85.617319][ T6140] bridge0: port 2(bridge_slave_1) entered blocking state
[   85.627517][ T6140] bridge0: port 2(bridge_slave_1) entered disabled state
[   85.634991][ T6140] bridge_slave_1: entered allmulticast mode
[   85.642238][ T6140] bridge_slave_1: entered promiscuous mode
[   85.686207][ T1034] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[   85.694171][ T1034] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[   85.715090][ T6140] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   85.728278][ T6140] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   85.936131][   T52] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   85.947173][   T52] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   85.955247][   T52] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   85.972601][   T52] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   85.979736][ T6140] team0: Port device team_slave_0 added
[   85.980711][   T52] ==================================================================
[   85.993709][   T52] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[   86.001169][   T52] Read of size 2 at addr ffff88807977f178 by task kworker/u9:0/52
[   86.009173][   T52] 
[   86.011509][   T52] CPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted syzkaller #0 PREEMPT(full) 
[   86.011522][   T52] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[   86.011530][   T52] Workqueue: hci0 hci_cmd_work
[   86.011553][   T52] Call Trace:
[   86.011562][   T52]  <TASK>
[   86.011567][   T52]  dump_stack_lvl+0x189/0x250
[   86.011583][   T52]  ? __virt_addr_valid+0x1c8/0x5c0
[   86.011597][   T52]  ? rcu_is_watching+0x15/0xb0
[   86.011610][   T52]  ? __pfx_dump_stack_lvl+0x10/0x10
[   86.011621][   T52]  ? rcu_is_watching+0x15/0xb0
[   86.011632][   T52]  ? lock_release+0x4b/0x3d0
[   86.011641][   T52]  ? _raw_spin_lock_irqsave+0xb3/0xf0
[   86.011653][   T52]  ? __virt_addr_valid+0x1c8/0x5c0
[   86.011665][   T52]  ? __virt_addr_valid+0x4a5/0x5c0
[   86.011678][   T52]  print_report+0xca/0x240
[   86.011691][   T52]  ? hci_cmd_work+0x5d0/0x7b0
[   86.011703][   T52]  kasan_report+0x118/0x150
[   86.011713][   T52]  ? hci_cmd_work+0x5d0/0x7b0
[   86.011727][   T52]  hci_cmd_work+0x5d0/0x7b0
[   86.011740][   T52]  ? process_one_work+0x868/0x15e0
[   86.011750][   T52]  process_one_work+0x93a/0x15e0
[   86.011759][   T52]  ? __lock_acquire+0xab9/0xd20
[   86.011772][   T52]  ? __pfx_process_one_work+0x10/0x10
[   86.011783][   T52]  ? assign_work+0x3a1/0x410
[   86.011793][   T52]  worker_thread+0x9b0/0xee0
[   86.011808][   T52]  kthread+0x711/0x8a0
[   86.011821][   T52]  ? __pfx_worker_thread+0x10/0x10
[   86.011830][   T52]  ? __pfx_kthread+0x10/0x10
[   86.011842][   T52]  ? _raw_spin_unlock_irq+0x23/0x50
[   86.011852][   T52]  ? lockdep_hardirqs_on+0x9c/0x150
[   86.011863][   T52]  ? __pfx_kthread+0x10/0x10
[   86.011875][   T52]  ret_from_fork+0x599/0xb30
[   86.011886][   T52]  ? __pfx_ret_from_fork+0x10/0x10
[   86.011897][   T52]  ? __switch_to_asm+0x39/0x70
[   86.011910][   T52]  ? __switch_to_asm+0x33/0x70
[   86.011921][   T52]  ? __pfx_kthread+0x10/0x10
[   86.011933][   T52]  ret_from_fork_asm+0x1a/0x30
[   86.011948][   T52]  </TASK>
[   86.011952][   T52] 
[   86.212206][   T52] Allocated by task 5145:
[   86.216915][   T52]  kasan_save_track+0x3e/0x80
[   86.221788][   T52]  __kasan_slab_alloc+0x6c/0x80
[   86.226863][   T52]  kmem_cache_alloc_node_noprof+0x43c/0x710
[   86.232842][   T52]  __alloc_skb+0x112/0x2d0
[   86.237443][   T52]  hci_cmd_sync_alloc+0x3d/0x3b0
[   86.242480][   T52]  __hci_cmd_sync_sk+0x1a7/0xc70
[   86.247432][   T52]  hci_read_local_name_sync+0x2c/0x120
[   86.252992][   T52]  hci_dev_open_sync+0x230e/0x2dc0
[   86.258203][   T52]  hci_power_on+0x1b4/0x720
[   86.262996][   T52]  process_one_work+0x93a/0x15e0
[   86.268298][   T52]  worker_thread+0x9b0/0xee0
[   86.273154][   T52]  kthread+0x711/0x8a0
[   86.277664][   T52]  ret_from_fork+0x599/0xb30
[   86.282564][   T52]  ret_from_fork_asm+0x1a/0x30
[   86.287435][   T52] 
[   86.289748][   T52] Freed by task 6182:
[   86.293717][   T52]  kasan_save_track+0x3e/0x80
[   86.298403][   T52]  kasan_save_free_info+0x46/0x50
[   86.303524][   T52]  __kasan_slab_free+0x5c/0x80
[   86.308383][   T52]  kmem_cache_free+0x197/0x640
[   86.313239][   T52]  vhci_read+0x49a/0x5b0
[   86.317497][   T52]  vfs_read+0x200/0xa30
[   86.321655][   T52]  ksys_read+0x145/0x250
[   86.325898][   T52]  do_syscall_64+0xfa/0xfa0
[   86.330479][   T52]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.336632][   T52] 
[   86.338950][   T52] The buggy address belongs to the object at ffff88807977f140
[   86.338950][   T52]  which belongs to the cache skbuff_head_cache of size 240
[   86.353781][   T52] The buggy address is located 56 bytes inside of
[   86.353781][   T52]  freed 240-byte region [ffff88807977f140, ffff88807977f230)
[   86.368114][   T52] 
[   86.370551][   T52] The buggy address belongs to the physical page:
[   86.377215][   T52] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7977f
[   86.386054][   T52] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   86.393190][   T52] page_type: f5(slab)
[   86.397166][   T52] raw: 00fff00000000000 ffff88801ded8a00 dead000000000122 0000000000000000
[   86.405818][   T52] raw: 0000000000000000 00000000800c000c 00000000f5000000 0000000000000000
[   86.414379][   T52] page dumped because: kasan: bad access detected
[   86.420788][   T52] page_owner tracks the page as allocated
[   86.426488][   T52] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 52, tgid 52 (kworker/u9:0), ts 85972541641, free_ts 85967134635
[   86.445871][   T52]  post_alloc_hook+0x240/0x2a0
[   86.450806][   T52]  get_page_from_freelist+0x2365/0x2440
[   86.456649][   T52]  __alloc_frozen_pages_noprof+0x181/0x370
[   86.462628][   T52]  alloc_pages_mpol+0x232/0x4a0
[   86.467470][   T52]  allocate_slab+0x86/0x3b0
[   86.472047][   T52]  ___slab_alloc+0xf56/0x1990
[   86.476892][   T52]  __slab_alloc+0x65/0x100
[   86.481303][   T52]  kmem_cache_alloc_noprof+0x40f/0x700
[   86.486750][   T52]  skb_clone+0x212/0x3a0
[   86.490979][   T52]  hci_event_packet+0x3f4/0x1260
[   86.495904][   T52]  hci_rx_work+0x45d/0xfc0
[   86.500308][   T52]  process_one_work+0x93a/0x15e0
[   86.505314][   T52]  worker_thread+0x9b0/0xee0
[   86.509888][   T52]  kthread+0x711/0x8a0
[   86.513944][   T52]  ret_from_fork+0x599/0xb30
[   86.518530][   T52]  ret_from_fork_asm+0x1a/0x30
[   86.523287][   T52] page last free pid 23 tgid 23 stack trace:
[   86.529349][   T52]  __free_frozen_pages+0xbc8/0xd30
[   86.534468][   T52]  rcu_core+0xcab/0x1770
[   86.538699][   T52]  handle_softirqs+0x27d/0x880
[   86.543621][   T52]  run_ksoftirqd+0x9b/0x100
[   86.548113][   T52]  smpboot_thread_fn+0x542/0xa60
[   86.553307][   T52]  kthread+0x711/0x8a0
[   86.557361][   T52]  ret_from_fork+0x599/0xb30
[   86.561931][   T52]  ret_from_fork_asm+0x1a/0x30
[   86.566854][   T52] 
[   86.569174][   T52] Memory state around the buggy address:
[   86.575053][   T52]  ffff88807977f000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
[   86.583372][   T52]  ffff88807977f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   86.592050][   T52] >ffff88807977f100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   86.600368][   T52]                                                                 ^
[   86.609047][   T52]  ffff88807977f180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   86.617365][   T52]  ffff88807977f200: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[   86.625501][   T52] ==================================================================
[   86.640653][   T52] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   86.648058][   T52] CPU: 0 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted syzkaller #0 PREEMPT(full) 
[   86.657951][   T52] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[   86.668801][   T52] Workqueue: hci0 hci_cmd_work
[   86.673750][   T52] Call Trace:
[   86.677112][   T52]  <TASK>
[   86.680128][   T52]  dump_stack_lvl+0x99/0x250
[   86.684714][   T52]  ? __asan_memcpy+0x40/0x70
[   86.689737][   T52]  ? __pfx_dump_stack_lvl+0x10/0x10
[   86.695181][   T52]  ? __pfx__printk+0x10/0x10
[   86.700151][   T52]  vpanic+0x237/0x6d0
[   86.704292][   T52]  ? __pfx_vpanic+0x10/0x10
[   86.709154][   T52]  ? preempt_schedule+0xae/0xc0
[   86.714023][   T52]  ? __pfx_preempt_schedule+0x10/0x10
[   86.719757][   T52]  panic+0xb9/0xc0
[   86.723945][   T52]  ? __pfx_panic+0x10/0x10
[   86.729191][   T52]  ? _raw_spin_unlock_irqrestore+0xfd/0x110
[   86.735296][   T52]  ? is_module_address+0x17/0xf0
[   86.740425][   T52]  ? hci_cmd_work+0x5d0/0x7b0
[   86.745115][   T52]  check_panic_on_warn+0x89/0xb0
[   86.750217][   T52]  ? hci_cmd_work+0x5d0/0x7b0
[   86.755072][   T52]  end_report+0x6f/0x160
[   86.759385][   T52]  kasan_report+0x129/0x150
[   86.764247][   T52]  ? hci_cmd_work+0x5d0/0x7b0
[   86.768917][   T52]  hci_cmd_work+0x5d0/0x7b0
[   86.773436][   T52]  ? process_one_work+0x868/0x15e0
[   86.778846][   T52]  process_one_work+0x93a/0x15e0
[   86.784065][   T52]  ? __lock_acquire+0xab9/0xd20
[   86.789560][   T52]  ? __pfx_process_one_work+0x10/0x10
[   86.795287][   T52]  ? assign_work+0x3a1/0x410
[   86.799961][   T52]  worker_thread+0x9b0/0xee0
[   86.804546][   T52]  kthread+0x711/0x8a0
[   86.808621][   T52]  ? __pfx_worker_thread+0x10/0x10
[   86.813994][   T52]  ? __pfx_kthread+0x10/0x10
[   86.818855][   T52]  ? _raw_spin_unlock_irq+0x23/0x50
[   86.824450][   T52]  ? lockdep_hardirqs_on+0x9c/0x150
[   86.830100][   T52]  ? __pfx_kthread+0x10/0x10
[   86.835132][   T52]  ret_from_fork+0x599/0xb30
[   86.839741][   T52]  ? __pfx_ret_from_fork+0x10/0x10
[   86.844865][   T52]  ? __switch_to_asm+0x39/0x70
[   86.849824][   T52]  ? __switch_to_asm+0x33/0x70
[   86.855304][   T52]  ? __pfx_kthread+0x10/0x10
[   86.860444][   T52]  ret_from_fork_asm+0x1a/0x30
[   86.865429][   T52]  </TASK>
[   86.869121][   T52] Kernel Offset: disabled
[   86.873656][   T52] Rebooting in 86400 seconds..