last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.1.188' (ED25519) to the list of known hosts.
[   54.884512][ T3532] cgroup: Unknown subsys name 'net'
[   54.992679][ T3532] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   56.526596][ T3532] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k FS
[   57.124489][ T3562] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   57.125012][ T3564] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   57.132753][ T3562] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[   57.140524][ T3564] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   57.147671][ T3562] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[   57.156134][ T3564] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   57.161114][ T3562] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   57.168123][ T3564] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[   57.175200][ T3562] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   57.183133][ T3564] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[   57.189141][ T3562] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   57.196169][ T3564] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   57.206392][ T3565] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[   57.217002][ T3565] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[   57.218224][ T3564] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[   57.233278][ T3564] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   57.241084][ T3562] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[   57.241490][ T3564] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[   57.248376][ T3562] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[   57.255694][ T3564] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[   57.270199][ T3565] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[   57.270691][ T3564] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[   57.279494][ T3565] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[   57.284792][ T3564] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[   57.291238][ T3562] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   57.298481][ T3564] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[   57.305669][ T3562] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[   57.313426][ T3564] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[   57.320238][ T3562] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[   57.344622][ T3565] ==================================================================
[   57.352736][ T3565] BUG: KASAN: double-free in hci_req_sync_complete+0xee/0x280
[   57.360250][ T3565] Free of addr ffff88806080c640 by task kworker/u5:7/3565
[   57.367412][ T3565] 
[   57.369766][ T3565] CPU: 0 PID: 3565 Comm: kworker/u5:7 Not tainted 6.1.96-syzkaller #0
[   57.377943][ T3565] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[   57.388024][ T3565] Workqueue: hci0 hci_rx_work
[   57.392752][ T3565] Call Trace:
[   57.396049][ T3565]  <TASK>
[   57.399008][ T3565]  dump_stack_lvl+0x1e3/0x2cb
[   57.403731][ T3565]  ? nf_tcp_handle_invalid+0x642/0x642
[   57.409232][ T3565]  ? panic+0x764/0x764
[   57.413332][ T3565]  ? _printk+0xd1/0x111
[   57.417527][ T3565]  ? hci_req_sync_complete+0xee/0x280
[   57.422929][ T3565]  ? __virt_addr_valid+0x17f/0x520
[   57.428081][ T3565]  ? __virt_addr_valid+0x17f/0x520
[   57.433238][ T3565]  ? hci_req_sync_complete+0xee/0x280
[   57.438643][ T3565]  print_report+0x15f/0x4f0
[   57.443185][ T3565]  ? hci_req_sync_complete+0xee/0x280
[   57.447813][ T3553] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[   57.448570][ T3565]  ? __virt_addr_valid+0x17f/0x520
[   57.460645][ T3565]  ? __virt_addr_valid+0x17f/0x520
[   57.465797][ T3565]  ? __virt_addr_valid+0x44a/0x520
[   57.470985][ T3565]  ? __phys_addr+0xb6/0x170
[   57.475531][ T3565]  ? hci_req_sync_complete+0xee/0x280
[   57.480939][ T3565]  ? hci_req_sync_complete+0xee/0x280
[   57.486357][ T3565]  kasan_report_invalid_free+0x10c/0x130
[   57.492024][ T3565]  ? hci_req_sync_complete+0xee/0x280
[   57.497517][ T3565]  ____kasan_slab_free+0xfb/0x120
[   57.502588][ T3565]  kmem_cache_free+0x292/0x510
[   57.507397][ T3565]  ? hci_req_sync_complete+0xee/0x280
[   57.512810][ T3565]  hci_req_sync_complete+0xee/0x280
[   57.518135][ T3565]  ? hci_req_run_skb+0x20/0x20
[   57.522968][ T3565]  hci_event_packet+0xc49/0x1510
[   57.527947][ T3565]  ? hci_remote_features_evt+0xab0/0xab0
[   57.533627][ T3565]  ? bis_list+0x290/0x290
[   57.537997][ T3565]  ? do_raw_spin_unlock+0x137/0x8a0
[   57.543231][ T3565]  ? hci_req_run_skb+0x20/0x20
[   57.548045][ T3565]  ? kcov_remote_start+0x4b5/0x7d0
[   57.553198][ T3565]  ? lockdep_hardirqs_on+0x50/0x130
[   57.558611][ T3565]  ? hci_send_to_monitor+0x99/0x4d0
[   57.563843][ T3565]  hci_rx_work+0x3cd/0xce0
[   57.568292][ T3565]  ? do_raw_spin_unlock+0x137/0x8a0
[   57.573966][ T3565]  ? process_one_work+0x7a9/0x11d0
[   57.579166][ T3565]  process_one_work+0x8a9/0x11d0
[   57.584149][ T3565]  ? worker_detach_from_pool+0x260/0x260
[   57.589823][ T3565]  ? _raw_spin_lock_irqsave+0x120/0x120
[   57.595497][ T3565]  ? kthread_data+0x4e/0xc0
[   57.600044][ T3565]  ? wq_worker_running+0x97/0x190
[   57.605114][ T3565]  worker_thread+0xa47/0x1200
[   57.609826][ T3565]  ? _raw_spin_unlock+0x40/0x40
[   57.614715][ T3565]  ? __sched_text_start+0x8/0x8
[   57.619609][ T3565]  ? _raw_spin_unlock+0x40/0x40
[   57.624509][ T3565]  kthread+0x28d/0x320
[   57.628608][ T3565]  ? worker_clr_flags+0x190/0x190
[   57.633666][ T3565]  ? kthread_blkcg+0xd0/0xd0
[   57.638289][ T3565]  ret_from_fork+0x1f/0x30
[   57.642755][ T3565]  </TASK>
[   57.645793][ T3565] 
[   57.648133][ T3565] Allocated by task 3565:
[   57.652496][ T3565]  kasan_set_track+0x4b/0x70
[   57.657129][ T3565]  __kasan_slab_alloc+0x65/0x70
[   57.662003][ T3565]  slab_post_alloc_hook+0x52/0x3a0
[   57.667147][ T3565]  kmem_cache_alloc+0x10c/0x2d0
[   57.672030][ T3565]  skb_clone+0x1e5/0x360
[   57.676301][ T3565]  hci_cmd_work+0x296/0x660
[   57.680835][ T3565]  process_one_work+0x8a9/0x11d0
[   57.685800][ T3565]  worker_thread+0xa47/0x1200
[   57.690511][ T3565]  kthread+0x28d/0x320
[   57.694606][ T3565]  ret_from_fork+0x1f/0x30
[   57.699057][ T3565] 
[   57.701396][ T3565] Freed by task 3548:
[   57.705393][ T3565]  kasan_set_track+0x4b/0x70
[   57.710020][ T3565]  kasan_save_free_info+0x27/0x40
[   57.715076][ T3565]  ____kasan_slab_free+0xd6/0x120
[   57.720140][ T3565]  kmem_cache_free+0x292/0x510
[   57.724941][ T3565]  __hci_req_sync+0x626/0x940
[   57.729654][ T3565]  hci_req_sync+0xa5/0xc0
[   57.734014][ T3565]  hci_dev_cmd+0x2fc/0xa30
[   57.738467][ T3565]  sock_do_ioctl+0x152/0x450
[   57.743084][ T3565]  sock_ioctl+0x47f/0x770
[   57.747444][ T3565]  __se_sys_ioctl+0xf1/0x160
[   57.752083][ T3565]  do_syscall_64+0x3b/0xb0
[   57.756537][ T3565]  entry_SYSCALL_64_after_hwframe+0x68/0xd2
[   57.762471][ T3565] 
[   57.764813][ T3565] The buggy address belongs to the object at ffff88806080c640
[   57.764813][ T3565]  which belongs to the cache skbuff_head_cache of size 240
[   57.779416][ T3565] The buggy address is located 0 bytes inside of
[   57.779416][ T3565]  240-byte region [ffff88806080c640, ffff88806080c730)
[   57.792548][ T3565] 
[   57.794895][ T3565] The buggy address belongs to the physical page:
[   57.801507][ T3565] page:ffffea0001820300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6080c
[   57.811683][ T3565] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[   57.819288][ T3565] raw: 00fff00000000200 0000000000000000 dead000000000122 ffff88801464e000
[   57.827911][ T3565] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[   57.836528][ T3565] page dumped because: kasan: bad access detected
[   57.842971][ T3565] page_owner tracks the page as allocated
[   57.848705][ T3565] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 3553, tgid 3553 (kworker/u5:1), ts 57335073364, free_ts 18106416385
[   57.867202][ T3565]  post_alloc_hook+0x18d/0x1b0
[   57.871991][ T3565]  get_page_from_freelist+0x31a1/0x3320
[   57.877557][ T3565]  __alloc_pages+0x28d/0x770
[   57.882242][ T3565]  alloc_slab_page+0x6a/0x150
[   57.886946][ T3565]  new_slab+0x84/0x2d0
[   57.891020][ T3565]  ___slab_alloc+0xc20/0x1270
[   57.895703][ T3565]  kmem_cache_alloc+0x1a5/0x2d0
[   57.900558][ T3565]  skb_clone+0x1e5/0x360
[   57.904801][ T3565]  hci_event_packet+0x221/0x1510
[   57.909739][ T3565]  hci_rx_work+0x3cd/0xce0
[   57.914152][ T3565]  process_one_work+0x8a9/0x11d0
[   57.919090][ T3565]  worker_thread+0xa47/0x1200
[   57.923769][ T3565]  kthread+0x28d/0x320
[   57.927839][ T3565]  ret_from_fork+0x1f/0x30
[   57.932262][ T3565] page last free stack trace:
[   57.936931][ T3565]  free_unref_page_prepare+0xf63/0x1120
[   57.942571][ T3565]  free_unref_page+0x33/0x3e0
[   57.947257][ T3565]  free_contig_range+0x9a/0x150
[   57.952109][ T3565]  destroy_args+0xfe/0x997
[   57.956535][ T3565]  debug_vm_pgtable+0x416/0x46b
[   57.961391][ T3565]  do_one_initcall+0x265/0x8f0
[   57.966158][ T3565]  do_initcall_level+0x157/0x207
[   57.971117][ T3565]  do_initcalls+0x49/0x86
[   57.975465][ T3565]  kernel_init_freeable+0x45c/0x60f
[   57.980665][ T3565]  kernel_init+0x19/0x290
[   57.984996][ T3565]  ret_from_fork+0x1f/0x30
[   57.989418][ T3565] 
[   57.991736][ T3565] Memory state around the buggy address:
[   57.997361][ T3565]  ffff88806080c500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   58.005422][ T3565]  ffff88806080c580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   58.013571][ T3565] >ffff88806080c600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   58.021627][ T3565]                                            ^
[   58.027771][ T3565]  ffff88806080c680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   58.035829][ T3565]  ffff88806080c700: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[   58.043885][ T3565] ==================================================================
[   58.052216][ T3565] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   58.059438][ T3565] CPU: 0 PID: 3565 Comm: kworker/u5:7 Not tainted 6.1.96-syzkaller #0
[   58.067637][ T3565] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[   58.077715][ T3565] Workqueue: hci0 hci_rx_work
[   58.082415][ T3565] Call Trace:
[   58.085711][ T3565]  <TASK>
[   58.088645][ T3565]  dump_stack_lvl+0x1e3/0x2cb
[   58.093356][ T3565]  ? nf_tcp_handle_invalid+0x642/0x642
[   58.098829][ T3565]  ? panic+0x764/0x764
[   58.102902][ T3565]  ? preempt_schedule_common+0xa6/0xd0
[   58.108462][ T3565]  ? vscnprintf+0x59/0x80
[   58.112794][ T3565]  ? hci_req_sync_complete+0x90/0x280
[   58.118166][ T3565]  panic+0x318/0x764
[   58.122081][ T3565]  ? check_panic_on_warn+0x1d/0xa0
[   58.127194][ T3565]  ? memcpy_page_flushcache+0xfc/0xfc
[   58.132829][ T3565]  ? _raw_spin_unlock_irqrestore+0x128/0x130
[   58.138830][ T3565]  ? _raw_spin_unlock+0x40/0x40
[   58.143710][ T3565]  ? print_report+0x4a3/0x4f0
[   58.148408][ T3565]  ? hci_req_sync_complete+0xee/0x280
[   58.153785][ T3565]  check_panic_on_warn+0x7e/0xa0
[   58.158729][ T3565]  ? hci_req_sync_complete+0xee/0x280
[   58.164119][ T3565]  end_report+0x66/0x110
[   58.168378][ T3565]  kasan_report_invalid_free+0x117/0x130
[   58.174016][ T3565]  ? hci_req_sync_complete+0xee/0x280
[   58.179393][ T3565]  ____kasan_slab_free+0xfb/0x120
[   58.184428][ T3565]  kmem_cache_free+0x292/0x510
[   58.189199][ T3565]  ? hci_req_sync_complete+0xee/0x280
[   58.194571][ T3565]  hci_req_sync_complete+0xee/0x280
[   58.199771][ T3565]  ? hci_req_run_skb+0x20/0x20
[   58.204536][ T3565]  hci_event_packet+0xc49/0x1510
[   58.209571][ T3565]  ? hci_remote_features_evt+0xab0/0xab0
[   58.215213][ T3565]  ? bis_list+0x290/0x290
[   58.219543][ T3565]  ? do_raw_spin_unlock+0x137/0x8a0
[   58.225001][ T3565]  ? hci_req_run_skb+0x20/0x20
[   58.229788][ T3565]  ? kcov_remote_start+0x4b5/0x7d0
[   58.234924][ T3565]  ? lockdep_hardirqs_on+0x50/0x130
[   58.240135][ T3565]  ? hci_send_to_monitor+0x99/0x4d0
[   58.245346][ T3565]  hci_rx_work+0x3cd/0xce0
[   58.249781][ T3565]  ? do_raw_spin_unlock+0x137/0x8a0
[   58.255037][ T3565]  ? process_one_work+0x7a9/0x11d0
[   58.260168][ T3565]  process_one_work+0x8a9/0x11d0
[   58.265210][ T3565]  ? worker_detach_from_pool+0x260/0x260
[   58.270847][ T3565]  ? _raw_spin_lock_irqsave+0x120/0x120
[   58.276397][ T3565]  ? kthread_data+0x4e/0xc0
[   58.280911][ T3565]  ? wq_worker_running+0x97/0x190
[   58.285947][ T3565]  worker_thread+0xa47/0x1200
[   58.290627][ T3565]  ? _raw_spin_unlock+0x40/0x40
[   58.295584][ T3565]  ? __sched_text_start+0x8/0x8
[   58.300449][ T3565]  ? _raw_spin_unlock+0x40/0x40
[   58.305313][ T3565]  kthread+0x28d/0x320
[   58.309470][ T3565]  ? worker_clr_flags+0x190/0x190
[   58.314497][ T3565]  ? kthread_blkcg+0xd0/0xd0
[   58.319084][ T3565]  ret_from_fork+0x1f/0x30
[   58.323513][ T3565]  </TASK>
[   58.326829][ T3565] Kernel Offset: disabled
[   58.331175][ T3565] Rebooting in 86400 seconds..