last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.1.113' (ED25519) to the list of known hosts.
[   65.922399][ T5809] cgroup: Unknown subsys name 'net'
[   66.061385][ T5809] cgroup: Unknown subsys name 'cpuset'
[   66.069914][ T5809] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   67.541493][ T5809] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   69.664707][ T5840] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   69.673189][ T5840] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   69.679456][ T5841] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   69.681402][ T5840] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[   69.689137][ T5841] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   69.702793][ T5841] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   69.704147][ T5840] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[   69.718289][ T5840] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[   69.719189][ T5842] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   69.726253][ T5841] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[   69.733991][ T5842] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   69.740558][ T5840] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   69.755705][ T5844] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[   69.756476][ T5841] ==================================================================
[   69.764299][ T5844] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[   69.770784][ T5841] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[   69.770816][ T5841] Read of size 2 at addr ffff8880337f7538 by task kworker/u9:6/5841
[   69.770829][ T5841] 
[   69.770853][ T5841] CPU: 1 UID: 0 PID: 5841 Comm: kworker/u9:6 Not tainted syzkaller #0 PREEMPT(full) 
[   69.770870][ T5841] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[   69.770881][ T5841] Workqueue: hci2 hci_cmd_work
[   69.770908][ T5841] Call Trace:
[   69.770916][ T5841]  <TASK>
[   69.770924][ T5841]  dump_stack_lvl+0x189/0x250
[   69.770947][ T5841]  ? __virt_addr_valid+0x1c8/0x5c0
[   69.770964][ T5841]  ? rcu_is_watching+0x15/0xb0
[   69.770978][ T5841]  ? __pfx_dump_stack_lvl+0x10/0x10
[   69.771005][ T5841]  ? rcu_is_watching+0x15/0xb0
[   69.771018][ T5841]  ? lock_release+0x4b/0x3d0
[   69.771041][ T5841]  ? _raw_spin_lock_irqsave+0xb3/0xf0
[   69.771059][ T5841]  ? __virt_addr_valid+0x1c8/0x5c0
[   69.771075][ T5841]  ? __virt_addr_valid+0x4a5/0x5c0
[   69.771092][ T5841]  print_report+0xca/0x240
[   69.771111][ T5841]  ? hci_cmd_work+0x5d0/0x7b0
[   69.771128][ T5841]  kasan_report+0x118/0x150
[   69.771148][ T5841]  ? hci_cmd_work+0x5d0/0x7b0
[   69.771170][ T5841]  hci_cmd_work+0x5d0/0x7b0
[   69.771189][ T5841]  ? process_one_work+0x868/0x15e0
[   69.771207][ T5841]  process_one_work+0x93a/0x15e0
[   69.771225][ T5841]  ? __lock_acquire+0xab9/0xd20
[   69.771251][ T5841]  ? __pfx_process_one_work+0x10/0x10
[   69.771273][ T5841]  ? assign_work+0x3a1/0x410
[   69.771293][ T5841]  worker_thread+0x9b0/0xee0
[   69.771323][ T5841]  kthread+0x711/0x8a0
[   69.771339][ T5841]  ? __pfx_worker_thread+0x10/0x10
[   69.771358][ T5841]  ? __pfx_kthread+0x10/0x10
[   69.771373][ T5841]  ? _raw_spin_unlock_irq+0x23/0x50
[   69.771388][ T5841]  ? lockdep_hardirqs_on+0x9c/0x150
[   69.771405][ T5841]  ? __pfx_kthread+0x10/0x10
[   69.771420][ T5841]  ret_from_fork+0x599/0xb30
[   69.771440][ T5841]  ? __pfx_ret_from_fork+0x10/0x10
[   69.771463][ T5841]  ? __switch_to_asm+0x39/0x70
[   69.771478][ T5841]  ? __switch_to_asm+0x33/0x70
[   69.771492][ T5841]  ? __pfx_kthread+0x10/0x10
[   69.771507][ T5841]  ret_from_fork_asm+0x1a/0x30
[   69.771529][ T5841]  </TASK>
[   69.771535][ T5841] 
[   69.780079][ T5844] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[   69.785428][ T5841] Allocated by task 5828:
[   69.785445][ T5841]  kasan_save_track+0x3e/0x80
[   69.794845][ T5844] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[   69.795718][ T5841]  __kasan_slab_alloc+0x6c/0x80
[   69.806896][ T5844] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[   69.815468][ T5841]  kmem_cache_alloc_node_noprof+0x43c/0x710
[   69.815494][ T5841]  __alloc_skb+0x112/0x2d0
[   69.815513][ T5841]  hci_cmd_sync_alloc+0x3d/0x3b0
[   69.899961][ T5844] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   69.904599][ T5841]  __hci_cmd_sync_sk+0x1a7/0xc70
[   69.910706][ T5844] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   69.914800][ T5841]  hci_read_buffer_size_sync+0x2c/0x120
[   69.923095][ T5832] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[   69.924123][ T5841]  hci_dev_open_sync+0x2057/0x2dc0
[   69.924145][ T5841]  hci_power_on+0x1b4/0x720
[   69.930072][ T5832] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[   69.934242][ T5841]  process_one_work+0x93a/0x15e0
[   69.934270][ T5841]  worker_thread+0x9b0/0xee0
[   69.934287][ T5841]  kthread+0x711/0x8a0
[   69.947373][ T5145] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[   69.949236][ T5841]  ret_from_fork+0x599/0xb30
[   69.949261][ T5841]  ret_from_fork_asm+0x1a/0x30
[   69.949276][ T5841] 
[   69.949280][ T5841] Freed by task 5833:
[   69.949288][ T5841]  kasan_save_track+0x3e/0x80
[   69.949304][ T5841]  kasan_save_free_info+0x46/0x50
[   69.949321][ T5841]  __kasan_slab_free+0x5c/0x80
[   69.949335][ T5841]  kmem_cache_free+0x197/0x640
[   69.949350][ T5841]  vhci_read+0x49a/0x5b0
[   69.949367][ T5841]  vfs_read+0x200/0xa30
[   69.955870][ T5844] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[   69.958518][ T5841]  ksys_read+0x145/0x250
[   69.958541][ T5841]  do_syscall_64+0xfa/0xfa0
[   69.958557][ T5841]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   69.958572][ T5841] 
[   69.958577][ T5841] The buggy address belongs to the object at ffff8880337f7500
[   69.958577][ T5841]  which belongs to the cache skbuff_head_cache of size 240
[   70.186994][ T5841] The buggy address is located 56 bytes inside of
[   70.186994][ T5841]  freed 240-byte region [ffff8880337f7500, ffff8880337f75f0)
[   70.200782][ T5841] 
[   70.203092][ T5841] The buggy address belongs to the physical page:
[   70.209492][ T5841] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x337f7
[   70.218242][ T5841] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   70.225341][ T5841] page_type: f5(slab)
[   70.229308][ T5841] raw: 00fff00000000000 ffff888140aa2a00 dead000000000122 0000000000000000
[   70.237962][ T5841] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
[   70.246526][ T5841] page dumped because: kasan: bad access detected
[   70.252934][ T5841] page_owner tracks the page as allocated
[   70.258629][ T5841] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5840, tgid 5840 (kworker/u9:5), ts 69740483081, free_ts 69739442773
[   70.277891][ T5841]  post_alloc_hook+0x240/0x2a0
[   70.282654][ T5841]  get_page_from_freelist+0x2365/0x2440
[   70.288184][ T5841]  __alloc_frozen_pages_noprof+0x181/0x370
[   70.293975][ T5841]  alloc_pages_mpol+0x232/0x4a0
[   70.298816][ T5841]  allocate_slab+0x86/0x3b0
[   70.303310][ T5841]  ___slab_alloc+0xf56/0x1990
[   70.307971][ T5841]  __slab_alloc+0x65/0x100
[   70.312378][ T5841]  kmem_cache_alloc_noprof+0x40f/0x700
[   70.317817][ T5841]  skb_clone+0x212/0x3a0
[   70.322046][ T5841]  hci_event_packet+0x1a6/0x1260
[   70.326969][ T5841]  hci_rx_work+0x45d/0xfc0
[   70.331378][ T5841]  process_one_work+0x93a/0x15e0
[   70.336300][ T5841]  worker_thread+0x9b0/0xee0
[   70.340879][ T5841]  kthread+0x711/0x8a0
[   70.344938][ T5841]  ret_from_fork+0x599/0xb30
[   70.349611][ T5841]  ret_from_fork_asm+0x1a/0x30
[   70.354360][ T5841] page last free pid 5841 tgid 5841 stack trace:
[   70.360667][ T5841]  __free_frozen_pages+0xbc8/0xd30
[   70.365799][ T5841]  rcu_core+0xcab/0x1770
[   70.370051][ T5841]  handle_softirqs+0x27d/0x880
[   70.374811][ T5841]  __irq_exit_rcu+0xca/0x1f0
[   70.379486][ T5841]  irq_exit_rcu+0x9/0x30
[   70.383731][ T5841]  sysvec_apic_timer_interrupt+0xa6/0xc0
[   70.389365][ T5841]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
[   70.395333][ T5841] 
[   70.397641][ T5841] Memory state around the buggy address:
[   70.403258][ T5841]  ffff8880337f7400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.411310][ T5841]  ffff8880337f7480: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[   70.419356][ T5841] >ffff8880337f7500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.427398][ T5841]                                         ^
[   70.433270][ T5841]  ffff8880337f7580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   70.441315][ T5841]  ffff8880337f7600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   70.449357][ T5841] ==================================================================
[   70.477856][ T5841] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   70.485095][ T5841] CPU: 0 UID: 0 PID: 5841 Comm: kworker/u9:6 Not tainted syzkaller #0 PREEMPT(full) 
[   70.494536][ T5841] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[   70.504581][ T5841] Workqueue: hci2 hci_cmd_work
[   70.509341][ T5841] Call Trace:
[   70.512609][ T5841]  <TASK>
[   70.515534][ T5841]  dump_stack_lvl+0x99/0x250
[   70.520687][ T5841]  ? __asan_memcpy+0x40/0x70
[   70.525321][ T5841]  ? __pfx_dump_stack_lvl+0x10/0x10
[   70.530527][ T5841]  ? __pfx__printk+0x10/0x10
[   70.535114][ T5841]  vpanic+0x237/0x6d0
[   70.539085][ T5841]  ? __pfx_vpanic+0x10/0x10
[   70.543574][ T5841]  ? preempt_schedule+0xae/0xc0
[   70.548416][ T5841]  ? __pfx_preempt_schedule+0x10/0x10
[   70.553777][ T5841]  panic+0xb9/0xc0
[   70.557485][ T5841]  ? __pfx_panic+0x10/0x10
[   70.561885][ T5841]  ? _raw_spin_unlock_irqrestore+0xfd/0x110
[   70.567768][ T5841]  ? is_module_address+0x17/0xf0
[   70.572740][ T5841]  ? hci_cmd_work+0x5d0/0x7b0
[   70.577429][ T5841]  check_panic_on_warn+0x89/0xb0
[   70.582375][ T5841]  ? hci_cmd_work+0x5d0/0x7b0
[   70.587051][ T5841]  end_report+0x6f/0x160
[   70.591287][ T5841]  kasan_report+0x129/0x150
[   70.595781][ T5841]  ? hci_cmd_work+0x5d0/0x7b0
[   70.600448][ T5841]  hci_cmd_work+0x5d0/0x7b0
[   70.604943][ T5841]  ? process_one_work+0x868/0x15e0
[   70.610044][ T5841]  process_one_work+0x93a/0x15e0
[   70.614978][ T5841]  ? __lock_acquire+0xab9/0xd20
[   70.619825][ T5841]  ? __pfx_process_one_work+0x10/0x10
[   70.625185][ T5841]  ? assign_work+0x3a1/0x410
[   70.629764][ T5841]  worker_thread+0x9b0/0xee0
[   70.634350][ T5841]  kthread+0x711/0x8a0
[   70.638404][ T5841]  ? __pfx_worker_thread+0x10/0x10
[   70.643512][ T5841]  ? __pfx_kthread+0x10/0x10
[   70.648089][ T5841]  ? _raw_spin_unlock_irq+0x23/0x50
[   70.653283][ T5841]  ? lockdep_hardirqs_on+0x9c/0x150
[   70.658504][ T5841]  ? __pfx_kthread+0x10/0x10
[   70.663098][ T5841]  ret_from_fork+0x599/0xb30
[   70.667682][ T5841]  ? __pfx_ret_from_fork+0x10/0x10
[   70.672829][ T5841]  ? __switch_to_asm+0x39/0x70
[   70.677619][ T5841]  ? __switch_to_asm+0x33/0x70
[   70.682414][ T5841]  ? __pfx_kthread+0x10/0x10
[   70.687081][ T5841]  ret_from_fork_asm+0x1a/0x30
[   70.691849][ T5841]  </TASK>
[   70.695248][ T5841] Kernel Offset: disabled
[   70.699584][ T5841] Rebooting in 86400 seconds..