last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.0.88' (ED25519) to the list of known hosts.
[ 84.608697][ T5812] cgroup: Unknown subsys name 'net'
[ 84.763606][ T5812] cgroup: Unknown subsys name 'cpuset'
[ 84.773095][ T5812] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 86.501311][ T5812] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 89.981944][ T5829] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 89.995716][ T5829] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 90.026542][ T5831] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 90.046298][ T5829] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 90.070047][ T5829] ==================================================================
[ 90.095132][ T5829] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[ 90.101224][ T5840] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 90.111631][ T5829] Read of size 2 at addr ffff88805ee3a538 by task kworker/u9:2/5829
[ 90.111660][ T5829]
[ 90.111675][ T5829] CPU: 1 UID: 0 PID: 5829 Comm: kworker/u9:2 Not tainted syzkaller #0 PREEMPT(full)
[ 90.111695][ T5829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
[ 90.111708][ T5829] Workqueue: hci0 hci_cmd_work
[ 90.111735][ T5829] Call Trace:
[ 90.111746][ T5829]
[ 90.111754][ T5829] dump_stack_lvl+0x189/0x250
[ 90.111779][ T5829] ? __virt_addr_valid+0x1c8/0x5c0
[ 90.111796][ T5829] ? rcu_is_watching+0x15/0xb0
[ 90.111812][ T5829] ? __pfx_dump_stack_lvl+0x10/0x10
[ 90.111834][ T5829] ? rcu_is_watching+0x15/0xb0
[ 90.111848][ T5829] ? lock_release+0x4b/0x3d0
[ 90.111868][ T5829] ? _raw_spin_lock_irqsave+0xb3/0xf0
[ 90.111886][ T5829] ? __virt_addr_valid+0x1c8/0x5c0
[ 90.111902][ T5829] ? __virt_addr_valid+0x4a5/0x5c0
[ 90.111919][ T5829] print_report+0xca/0x240
[ 90.111941][ T5829] ? hci_cmd_work+0x5d0/0x7b0
[ 90.112082][ T5829] kasan_report+0x118/0x150
[ 90.112124][ T5829] ? hci_cmd_work+0x5d0/0x7b0
[ 90.112147][ T5829] hci_cmd_work+0x5d0/0x7b0
[ 90.112168][ T5829] ? process_one_work+0x868/0x15e0
[ 90.112188][ T5829] process_one_work+0x93a/0x15e0
[ 90.112208][ T5829] ? __lock_acquire+0xab9/0xd20
[ 90.112235][ T5829] ? __pfx_process_one_work+0x10/0x10
[ 90.112260][ T5829] ? assign_work+0x3a1/0x410
[ 90.112281][ T5829] worker_thread+0x9b0/0xee0
[ 90.112451][ T5829] kthread+0x711/0x8a0
[ 90.112475][ T5829] ? __pfx_worker_thread+0x10/0x10
[ 90.112496][ T5829] ? __pfx_kthread+0x10/0x10
[ 90.112512][ T5829] ? _raw_spin_unlock_irq+0x23/0x50
[ 90.112530][ T5829] ? lockdep_hardirqs_on+0x9c/0x150
[ 90.112548][ T5829] ? __pfx_kthread+0x10/0x10
[ 90.112565][ T5829] ret_from_fork+0x599/0xb30
[ 90.112595][ T5829] ? __pfx_ret_from_fork+0x10/0x10
[ 90.112617][ T5829] ? __switch_to_asm+0x39/0x70
[ 90.112632][ T5829] ? __switch_to_asm+0x33/0x70
[ 90.112646][ T5829] ? __pfx_kthread+0x10/0x10
[ 90.112660][ T5829] ret_from_fork_asm+0x1a/0x30
[ 90.112684][ T5829]
[ 90.112690][ T5829]
[ 91.053201][ T5829] Allocated by task 53:
[ 91.070830][ T5829] kasan_save_track+0x3e/0x80
[ 91.090782][ T5829] __kasan_slab_alloc+0x6c/0x80
[ 91.114787][ T5829] kmem_cache_alloc_node_noprof+0x43c/0x710
[ 91.151731][ T5829] __alloc_skb+0x112/0x2d0
[ 91.166018][ T5829] hci_cmd_sync_alloc+0x3d/0x3b0
[ 91.200291][ T5829] __hci_cmd_sync_sk+0x1a7/0xc70
[ 91.217680][ T5829] hci_dev_open_sync+0x163e/0x2dc0
[ 91.230220][ T5829] hci_power_on+0x1b4/0x720
[ 91.243912][ T5829] process_one_work+0x93a/0x15e0
[ 91.263734][ T5829] worker_thread+0x9b0/0xee0
[ 91.287711][ T5829] kthread+0x711/0x8a0
[ 91.297851][ T5829] ret_from_fork+0x599/0xb30
[ 91.317241][ T5829] ret_from_fork_asm+0x1a/0x30
[ 91.331905][ T5829]
[ 91.340155][ T5829] Freed by task 5830:
[ 91.365295][ T5829] kasan_save_track+0x3e/0x80
[ 91.377940][ T5829] kasan_save_free_info+0x46/0x50
[ 91.395966][ T5829] __kasan_slab_free+0x5c/0x80
[ 91.412272][ T5829] kmem_cache_free+0x197/0x640
[ 91.426293][ T5829] vhci_read+0x49a/0x5b0
[ 91.458680][ T5829] vfs_read+0x200/0xa30
[ 91.471254][ T5829] ksys_read+0x145/0x250
[ 91.491993][ T5829] do_syscall_64+0xfa/0xfa0
[ 91.507088][ T5829] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 91.533197][ T5829]
[ 91.536849][ T5829] The buggy address belongs to the object at ffff88805ee3a500
[ 91.536849][ T5829] which belongs to the cache skbuff_head_cache of size 240
[ 91.622500][ T5829] The buggy address is located 56 bytes inside of
[ 91.622500][ T5829] freed 240-byte region [ffff88805ee3a500, ffff88805ee3a5f0)
[ 91.664829][ T5829]
[ 91.673377][ T5829] The buggy address belongs to the physical page:
[ 91.697798][ T5829] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5ee3a
[ 91.719826][ T5829] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 91.741825][ T5829] page_type: f5(slab)
[ 91.749004][ T5829] raw: 00fff00000000000 ffff88801e2ab8c0 dead000000000122 0000000000000000
[ 91.767782][ T5829] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
[ 91.789173][ T5829] page dumped because: kasan: bad access detected
[ 91.799998][ T5829] page_owner tracks the page as allocated
[ 91.810868][ T5829] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5831, tgid 5831 (kworker/u9:3), ts 90026430673, free_ts 29411075240
[ 91.848857][ T5829] post_alloc_hook+0x240/0x2a0
[ 91.859656][ T5829] get_page_from_freelist+0x2365/0x2440
[ 91.875742][ T5829] __alloc_frozen_pages_noprof+0x181/0x370
[ 91.888284][ T5829] alloc_pages_mpol+0x232/0x4a0
[ 91.897630][ T5829] allocate_slab+0x86/0x3b0
[ 91.906623][ T5829] ___slab_alloc+0xf56/0x1990
[ 91.918386][ T5829] __slab_alloc+0x65/0x100
[ 91.930684][ T5829] kmem_cache_alloc_noprof+0x40f/0x700
[ 91.944129][ T5829] skb_clone+0x212/0x3a0
[ 91.956988][ T5829] hci_event_packet+0x1a6/0x1260
[ 91.969201][ T5829] hci_rx_work+0x45d/0xfc0
[ 91.980816][ T5829] process_one_work+0x93a/0x15e0
[ 91.994758][ T5829] worker_thread+0x9b0/0xee0
[ 92.006784][ T5829] kthread+0x711/0x8a0
[ 92.013427][ T5829] ret_from_fork+0x599/0xb30
[ 92.023641][ T5829] ret_from_fork_asm+0x1a/0x30
[ 92.033566][ T5829] page last free pid 1 tgid 1 stack trace:
[ 92.056255][ T5829] __free_frozen_pages+0xbc8/0xd30
[ 92.065805][ T5829] free_contig_range+0x1bd/0x4a0
[ 92.073421][ T5829] destroy_args+0x69/0x660
[ 92.081942][ T5829] debug_vm_pgtable+0x38f/0x3a0
[ 92.091227][ T5829] do_one_initcall+0x1fb/0x870
[ 92.101108][ T5829] do_initcall_level+0x104/0x190
[ 92.113799][ T5829] do_initcalls+0x59/0xa0
[ 92.121386][ T5829] kernel_init_freeable+0x334/0x4b0
[ 92.131657][ T5829] kernel_init+0x1d/0x1d0
[ 92.141539][ T5829] ret_from_fork+0x599/0xb30
[ 92.149855][ T5829] ret_from_fork_asm+0x1a/0x30
[ 92.161752][ T5829]
[ 92.167572][ T5829] Memory state around the buggy address:
[ 92.177012][ T5829] ffff88805ee3a400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 92.198885][ T5829] ffff88805ee3a480: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 92.237376][ T5829] >ffff88805ee3a500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 92.258362][ T5829] ^
[ 92.272680][ T5829] ffff88805ee3a580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 92.291070][ T5829] ffff88805ee3a600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 92.311225][ T5829] ==================================================================
[ 92.329219][ T5842] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 92.342379][ T5831] Bluetooth: hci2: Opcode 0x1003 failed: -110
[ 92.342912][ T5842] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 92.354405][ T5840] Bluetooth: hci4: Opcode 0x0c03 failed: -110
[ 92.369436][ T53] Bluetooth: hci0: Opcode 0x1001 failed: -110
[ 92.382646][ T5829] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 92.382673][ T5829] CPU: 1 UID: 0 PID: 5829 Comm: kworker/u9:2 Not tainted syzkaller #0 PREEMPT(full)
[ 92.382696][ T5829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
[ 92.382709][ T5829] Workqueue: hci0 hci_cmd_work
[ 92.382741][ T5829] Call Trace:
[ 92.382752][ T5829]
[ 92.382761][ T5829] dump_stack_lvl+0x99/0x250
[ 92.382790][ T5829] ? __asan_memcpy+0x40/0x70
[ 92.382807][ T5829] ? __pfx_dump_stack_lvl+0x10/0x10
[ 92.382830][ T5829] ? __pfx__printk+0x10/0x10
[ 92.382855][ T5829] vpanic+0x237/0x6d0
[ 92.382870][ T5829] ? __pfx_vpanic+0x10/0x10
[ 92.382883][ T5829] ? preempt_schedule+0xae/0xc0
[ 92.382901][ T5829] ? __pfx_preempt_schedule+0x10/0x10
[ 92.382921][ T5829] panic+0xb9/0xc0
[ 92.382935][ T5829] ? __pfx_panic+0x10/0x10
[ 92.382951][ T5829] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 92.382970][ T5829] ? is_module_address+0x17/0xf0
[ 92.382993][ T5829] ? hci_cmd_work+0x5d0/0x7b0
[ 92.383012][ T5829] check_panic_on_warn+0x89/0xb0
[ 92.383031][ T5829] ? hci_cmd_work+0x5d0/0x7b0
[ 92.383061][ T5829] end_report+0x6f/0x160
[ 92.383081][ T5829] kasan_report+0x129/0x150
[ 92.383101][ T5829] ? hci_cmd_work+0x5d0/0x7b0
[ 92.383124][ T5829] hci_cmd_work+0x5d0/0x7b0
[ 92.383180][ T5829] ? process_one_work+0x868/0x15e0
[ 92.383200][ T5829] process_one_work+0x93a/0x15e0
[ 92.383413][ T5829] ? __lock_acquire+0xab9/0xd20
[ 92.383454][ T5829] ? __pfx_process_one_work+0x10/0x10
[ 92.383476][ T5829] ? assign_work+0x3a1/0x410
[ 92.383499][ T5829] worker_thread+0x9b0/0xee0
[ 92.383530][ T5829] kthread+0x711/0x8a0
[ 92.383548][ T5829] ? __pfx_worker_thread+0x10/0x10
[ 92.383569][ T5829] ? __pfx_kthread+0x10/0x10
[ 92.383585][ T5829] ? _raw_spin_unlock_irq+0x23/0x50
[ 92.383895][ T5829] ? lockdep_hardirqs_on+0x9c/0x150
[ 92.383921][ T5829] ? __pfx_kthread+0x10/0x10
[ 92.383938][ T5829] ret_from_fork+0x599/0xb30
[ 92.383961][ T5829] ? __pfx_ret_from_fork+0x10/0x10
[ 92.383984][ T5829] ? __switch_to_asm+0x39/0x70
[ 92.384001][ T5829] ? __switch_to_asm+0x33/0x70
[ 92.384016][ T5829] ? __pfx_kthread+0x10/0x10
[ 92.384032][ T5829] ret_from_fork_asm+0x1a/0x30
[ 92.384055][ T5829]
[ 92.394825][ T5829] Kernel Offset: disabled