last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.1.105' (ED25519) to the list of known hosts.
[   68.948184][ T5811] cgroup: Unknown subsys name 'net'
[   69.095554][ T5811] cgroup: Unknown subsys name 'cpuset'
[   69.104094][ T5811] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   70.504733][ T5811] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k 
[   71.287305][ T1298] ieee802154 phy0 wpan0: encryption failed: -22
[   71.293748][ T1298] ieee802154 phy1 wpan1: encryption failed: -22
[   72.561763][ T5825] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   72.584305][ T5828] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   72.591878][ T5828] ==================================================================
[   72.596841][ T5840] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   72.599932][ T5828] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[   72.607718][ T5840] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[   72.614306][ T5828] Read of size 2 at addr ffff888063b0c2b8 by task kworker/u9:3/5828
[   72.614323][ T5828] 
[   72.614348][ T5828] CPU: 1 UID: 0 PID: 5828 Comm: kworker/u9:3 Not tainted syzkaller #0 PREEMPT(full) 
[   72.614362][ T5828] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[   72.614371][ T5828] Workqueue: hci1 hci_cmd_work
[   72.614397][ T5828] Call Trace:
[   72.614404][ T5828]  <TASK>
[   72.614412][ T5828]  dump_stack_lvl+0x189/0x250
[   72.614433][ T5828]  ? __virt_addr_valid+0x1c8/0x5c0
[   72.614447][ T5828]  ? rcu_is_watching+0x15/0xb0
[   72.614461][ T5828]  ? __pfx_dump_stack_lvl+0x10/0x10
[   72.614479][ T5828]  ? rcu_is_watching+0x15/0xb0
[   72.614492][ T5828]  ? lock_release+0x4b/0x3d0
[   72.614510][ T5828]  ? _raw_spin_lock_irqsave+0xb3/0xf0
[   72.614528][ T5828]  ? __virt_addr_valid+0x1c8/0x5c0
[   72.614543][ T5828]  ? __virt_addr_valid+0x4a5/0x5c0
[   72.614557][ T5828]  print_report+0xca/0x240
[   72.614576][ T5828]  ? hci_cmd_work+0x5d0/0x7b0
[   72.614593][ T5828]  kasan_report+0x118/0x150
[   72.614613][ T5828]  ? hci_cmd_work+0x5d0/0x7b0
[   72.614632][ T5828]  hci_cmd_work+0x5d0/0x7b0
[   72.614652][ T5828]  ? process_one_work+0x868/0x15e0
[   72.614671][ T5828]  process_one_work+0x93a/0x15e0
[   72.614686][ T5828]  ? __lock_acquire+0xab9/0xd20
[   72.614713][ T5828]  ? __pfx_process_one_work+0x10/0x10
[   72.614735][ T5828]  ? assign_work+0x3a1/0x410
[   72.614755][ T5828]  worker_thread+0x9b0/0xee0
[   72.614784][ T5828]  kthread+0x711/0x8a0
[   72.614800][ T5828]  ? __pfx_worker_thread+0x10/0x10
[   72.614819][ T5828]  ? __pfx_kthread+0x10/0x10
[   72.614834][ T5828]  ? _raw_spin_unlock_irq+0x23/0x50
[   72.614850][ T5828]  ? lockdep_hardirqs_on+0x9c/0x150
[   72.614866][ T5828]  ? __pfx_kthread+0x10/0x10
[   72.614880][ T5828]  ret_from_fork+0x599/0xb30
[   72.614900][ T5828]  ? __pfx_ret_from_fork+0x10/0x10
[   72.614923][ T5828]  ? __switch_to_asm+0x39/0x70
[   72.614938][ T5828]  ? __switch_to_asm+0x33/0x70
[   72.614952][ T5828]  ? __pfx_kthread+0x10/0x10
[   72.614967][ T5828]  ret_from_fork_asm+0x1a/0x30
[   72.614988][ T5828]  </TASK>
[   72.614994][ T5828] 
[   72.623467][ T5840] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[   72.629551][ T5828] Allocated by task 5148:
[   72.629564][ T5828]  kasan_save_track+0x3e/0x80
[   72.632843][ T5840] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   72.641322][ T5828]  __kasan_slab_alloc+0x6c/0x80
[   72.653303][ T5841] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   72.656096][ T5828]  kmem_cache_alloc_node_noprof+0x43c/0x710
[   72.660494][ T5841] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   72.662270][ T5828]  __alloc_skb+0x112/0x2d0
[   72.668243][ T5841] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   72.672018][ T5828]  hci_cmd_sync_alloc+0x3d/0x3b0
[   72.672040][ T5828]  __hci_cmd_sync_sk+0x1a7/0xc70
[   72.745059][ T5841] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[   72.749605][ T5828]  hci_dev_open_sync+0x14b2/0x2dc0
[   72.749626][ T5828]  hci_power_on+0x1b4/0x720
[   72.755293][ T5841] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   72.758763][ T5828]  process_one_work+0x93a/0x15e0
[   72.763620][ T5841] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[   72.767896][ T5828]  worker_thread+0x9b0/0xee0
[   72.767919][ T5828]  kthread+0x711/0x8a0
[   72.773378][ T5841] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   72.777657][ T5828]  ret_from_fork+0x599/0xb30
[   72.783532][ T5841] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[   72.787399][ T5828]  ret_from_fork_asm+0x1a/0x30
[   72.792682][ T5841] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[   72.797053][ T5828] 
[   72.797061][ T5828] Freed by task 5826:
[   72.804320][ T5841] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[   72.806525][ T5828]  kasan_save_track+0x3e/0x80
[   72.811535][ T5841] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[   72.815825][ T5828]  kasan_save_free_info+0x46/0x50
[   72.815849][ T5828]  __kasan_slab_free+0x5c/0x80
[   72.819429][ T5841] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[   72.821165][ T5828]  kmem_cache_free+0x197/0x640
[   72.829573][ T5841] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[   72.832373][ T5828]  vhci_read+0x49a/0x5b0
[   72.837518][ T5841] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[   72.843932][ T5828]  vfs_read+0x200/0xa30
[   72.843951][ T5828]  ksys_read+0x145/0x250
[   72.843964][ T5828]  do_syscall_64+0xfa/0xfa0
[   72.843980][ T5828]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   72.843995][ T5828] 
[   72.843999][ T5828] The buggy address belongs to the object at ffff888063b0c280
[   72.843999][ T5828]  which belongs to the cache skbuff_head_cache of size 240
[   72.844014][ T5828] The buggy address is located 56 bytes inside of
[   72.844014][ T5828]  freed 240-byte region [ffff888063b0c280, ffff888063b0c370)
[   72.844031][ T5828] 
[   72.844036][ T5828] The buggy address belongs to the physical page:
[   72.849572][ T5841] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[   72.855770][ T5828] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x63b0c
[   72.855792][ T5828] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   73.107973][ T5828] page_type: f5(slab)
[   73.111935][ T5828] raw: 00fff00000000000 ffff888141286a00 dead000000000122 0000000000000000
[   73.120497][ T5828] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
[   73.129053][ T5828] page dumped because: kasan: bad access detected
[   73.135453][ T5828] page_owner tracks the page as allocated
[   73.141141][ T5828] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5823, tgid 5823 (udevd), ts 72568277441, free_ts 72565638228
[   73.159787][ T5828]  post_alloc_hook+0x240/0x2a0
[   73.164537][ T5828]  get_page_from_freelist+0x2365/0x2440
[   73.170067][ T5828]  __alloc_frozen_pages_noprof+0x181/0x370
[   73.175852][ T5828]  alloc_pages_mpol+0x232/0x4a0
[   73.180687][ T5828]  allocate_slab+0x86/0x3b0
[   73.185170][ T5828]  ___slab_alloc+0xf56/0x1990
[   73.189832][ T5828]  __slab_alloc+0x65/0x100
[   73.194226][ T5828]  kmem_cache_alloc_noprof+0x40f/0x700
[   73.199659][ T5828]  skb_clone+0x212/0x3a0
[   73.203881][ T5828]  netlink_broadcast_filtered+0x6ae/0x1000
[   73.209670][ T5828]  netlink_sendmsg+0x7ae/0xb30
[   73.214409][ T5828]  __sock_sendmsg+0x21c/0x270
[   73.219066][ T5828]  ____sys_sendmsg+0x505/0x870
[   73.223804][ T5828]  ___sys_sendmsg+0x21f/0x2a0
[   73.228456][ T5828]  __x64_sys_sendmsg+0x19b/0x260
[   73.233369][ T5828]  do_syscall_64+0xfa/0xfa0
[   73.237854][ T5828] page last free pid 5832 tgid 5832 stack trace:
[   73.244154][ T5828]  __free_frozen_pages+0xbc8/0xd30
[   73.249245][ T5828]  __kasan_populate_vmalloc+0x1b2/0x1d0
[   73.254769][ T5828]  alloc_vmap_area+0xdca/0x1500
[   73.259595][ T5828]  __get_vm_area_node+0x1f8/0x300
[   73.264592][ T5828]  __vmalloc_node_range_noprof+0x365/0x1640
[   73.270464][ T5828]  __vmalloc_node_noprof+0xc2/0x110
[   73.275639][ T5828]  dup_task_struct+0x3d4/0x830
[   73.280382][ T5828]  copy_process+0x4ea/0x3930
[   73.284953][ T5828]  kernel_clone+0x21e/0x850
[   73.289437][ T5828]  __se_sys_clone3+0x256/0x2d0
[   73.294175][ T5828]  do_syscall_64+0xfa/0xfa0
[   73.298662][ T5828]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   73.304532][ T5828] 
[   73.306836][ T5828] Memory state around the buggy address:
[   73.312438][ T5828]  ffff888063b0c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.320472][ T5828]  ffff888063b0c200: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[   73.328506][ T5828] >ffff888063b0c280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.336538][ T5828]                                         ^
[   73.342401][ T5828]  ffff888063b0c300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   73.350435][ T5828]  ffff888063b0c380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   73.358468][ T5828] ==================================================================
[   73.366677][ T5828] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   73.373877][ T5828] CPU: 1 UID: 0 PID: 5828 Comm: kworker/u9:3 Not tainted syzkaller #0 PREEMPT(full) 
[   73.383331][ T5828] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[   73.393385][ T5828] Workqueue: hci1 hci_cmd_work
[   73.398157][ T5828] Call Trace:
[   73.401435][ T5828]  <TASK>
[   73.404363][ T5828]  dump_stack_lvl+0x99/0x250
[   73.408959][ T5828]  ? __asan_memcpy+0x40/0x70
[   73.413544][ T5828]  ? __pfx_dump_stack_lvl+0x10/0x10
[   73.418731][ T5828]  ? __pfx__printk+0x10/0x10
[   73.423305][ T5828]  vpanic+0x237/0x6d0
[   73.427267][ T5828]  ? __pfx_vpanic+0x10/0x10
[   73.431748][ T5828]  ? preempt_schedule+0xae/0xc0
[   73.436579][ T5828]  ? __pfx_preempt_schedule+0x10/0x10
[   73.441936][ T5828]  panic+0xb9/0xc0
[   73.445637][ T5828]  ? __pfx_panic+0x10/0x10
[   73.450033][ T5828]  ? _raw_spin_unlock_irqrestore+0xfd/0x110
[   73.455909][ T5828]  ? is_module_address+0x17/0xf0
[   73.460832][ T5828]  ? hci_cmd_work+0x5d0/0x7b0
[   73.465494][ T5828]  check_panic_on_warn+0x89/0xb0
[   73.470412][ T5828]  ? hci_cmd_work+0x5d0/0x7b0
[   73.475071][ T5828]  end_report+0x6f/0x160
[   73.479296][ T5828]  kasan_report+0x129/0x150
[   73.483783][ T5828]  ? hci_cmd_work+0x5d0/0x7b0
[   73.488446][ T5828]  hci_cmd_work+0x5d0/0x7b0
[   73.492937][ T5828]  ? process_one_work+0x868/0x15e0
[   73.498031][ T5828]  process_one_work+0x93a/0x15e0
[   73.502951][ T5828]  ? __lock_acquire+0xab9/0xd20
[   73.507791][ T5828]  ? __pfx_process_one_work+0x10/0x10
[   73.513147][ T5828]  ? assign_work+0x3a1/0x410
[   73.517728][ T5828]  worker_thread+0x9b0/0xee0
[   73.522308][ T5828]  kthread+0x711/0x8a0
[   73.526361][ T5828]  ? __pfx_worker_thread+0x10/0x10
[   73.531455][ T5828]  ? __pfx_kthread+0x10/0x10
[   73.536024][ T5828]  ? _raw_spin_unlock_irq+0x23/0x50
[   73.541204][ T5828]  ? lockdep_hardirqs_on+0x9c/0x150
[   73.546388][ T5828]  ? __pfx_kthread+0x10/0x10
[   73.550959][ T5828]  ret_from_fork+0x599/0xb30
[   73.555533][ T5828]  ? __pfx_ret_from_fork+0x10/0x10
[   73.560631][ T5828]  ? __switch_to_asm+0x39/0x70
[   73.565376][ T5828]  ? __switch_to_asm+0x33/0x70
[   73.570118][ T5828]  ? __pfx_kthread+0x10/0x10
[   73.574689][ T5828]  ret_from_fork_asm+0x1a/0x30
[   73.579438][ T5828]  </TASK>
[   73.582775][ T5828] Kernel Offset: disabled
[   73.587082][ T5828] Rebooting in 86400 seconds..