last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.10.28' (ED25519) to the list of known hosts.
[ 49.572237][ T3536] cgroup: Unknown subsys name 'net'
[ 49.677881][ T3536] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 50.922141][ T3536] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k FS
[ 51.432396][ T3553] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 51.440809][ T3553] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 51.448595][ T3553] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 51.457351][ T3560] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 51.464966][ T3560] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 51.465261][ T3553] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 51.472489][ T3560] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 51.479701][ T3553] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 51.488165][ T3561] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 51.493985][ T3553] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 51.500957][ T3561] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 51.507009][ T3553] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 51.515370][ T3561] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 51.522120][ T3553] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 51.528459][ T3561] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 51.535370][ T3553] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 51.542692][ T3561] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 51.549342][ T3553] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 51.556155][ T3561] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 51.563109][ T3553] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 51.576488][ T3553] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 51.577114][ T3561] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 51.584194][ T3553] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 51.597471][ T3553] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 51.598080][ T3560] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 51.606249][ T3562] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 51.612216][ T3560] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 51.618672][ T3562] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 51.635038][ T3551] ==================================================================
[ 51.635597][ T3561] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 51.643090][ T3551] BUG: KASAN: use-after-free in kfree_skb_reason+0x3d/0x390
[ 51.643135][ T3551] Read of size 4 at addr ffff88806090b4a4 by task syz-executor/3551
[ 51.643149][ T3551]
[ 51.643157][ T3551] CPU: 1 PID: 3551 Comm: syz-executor Not tainted 6.1.94-syzkaller #0
[ 51.643173][ T3551] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 51.650354][ T3561] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 51.657334][ T3551] Call Trace:
[ 51.657344][ T3551] <TASK>
[ 51.657350][ T3551] dump_stack_lvl+0x1e3/0x2cb
[ 51.657382][ T3551] ? nf_tcp_handle_invalid+0x642/0x642
[ 51.708960][ T3551] ? panic+0x764/0x764
[ 51.713029][ T3551] ? _printk+0xd1/0x111
[ 51.717171][ T3551] ? __virt_addr_valid+0x17f/0x520
[ 51.722268][ T3551] ? __virt_addr_valid+0x17f/0x520
[ 51.727365][ T3551] print_report+0x15f/0x4f0
[ 51.731854][ T3551] ? __virt_addr_valid+0x17f/0x520
[ 51.736957][ T3551] ? __virt_addr_valid+0x17f/0x520
[ 51.742050][ T3551] ? __virt_addr_valid+0x44a/0x520
[ 51.747144][ T3551] ? __phys_addr+0xb6/0x170
[ 51.751630][ T3551] ? kfree_skb_reason+0x3d/0x390
[ 51.756555][ T3551] kasan_report+0x136/0x160
[ 51.761038][ T3551] ? kfree_skb_reason+0x3d/0x390
[ 51.765962][ T3551] kasan_check_range+0x27f/0x290
[ 51.770880][ T3551] kfree_skb_reason+0x3d/0x390
[ 51.775635][ T3551] __hci_req_sync+0x626/0x940
[ 51.780293][ T3551] ? trace_contention_end+0x61/0x170
[ 51.785562][ T3551] ? hci_req_sync_complete+0x280/0x280
[ 51.791003][ T3551] ? mutex_lock_nested+0x10/0x10
[ 51.795920][ T3551] ? wake_bit_function+0x210/0x210
[ 51.801022][ T3551] ? hci_encrypt_req+0x170/0x170
[ 51.805947][ T3551] hci_req_sync+0xa5/0xc0
[ 51.810262][ T3551] hci_dev_cmd+0x2fc/0xa30
[ 51.814663][ T3551] ? security_capable+0x86/0xb0
[ 51.819501][ T3551] ? hci_dev_reset_stat+0x1a0/0x1a0
[ 51.824689][ T3551] ? hci_sock_ioctl+0x426/0x850
[ 51.829523][ T3551] sock_do_ioctl+0x152/0x450
[ 51.834098][ T3551] ? sock_show_fdinfo+0xb0/0xb0
[ 51.838949][ T3551] ? __fget_files+0x28/0x4a0
[ 51.843540][ T3551] sock_ioctl+0x47f/0x770
[ 51.848129][ T3551] ? sock_poll+0x410/0x410
[ 51.852537][ T3551] ? __fget_files+0x28/0x4a0
[ 51.857113][ T3551] ? __fget_files+0x435/0x4a0
[ 51.861776][ T3551] ? __fget_files+0x28/0x4a0
[ 51.866353][ T3551] ? bpf_lsm_file_ioctl+0x5/0x10
[ 51.871275][ T3551] ? security_file_ioctl+0x7d/0xa0
[ 51.876366][ T3551] ? sock_poll+0x410/0x410
[ 51.880765][ T3551] __se_sys_ioctl+0xf1/0x160
[ 51.885343][ T3551] do_syscall_64+0x3b/0xb0
[ 51.889744][ T3551] ? clear_bhb_loop+0x45/0xa0
[ 51.894408][ T3551] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 51.900290][ T3551] RIP: 0033:0x7f5b5a5756eb
[ 51.904696][ T3551] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 51.924283][ T3551] RSP: 002b:00007ffdc4ec45e0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 51.932679][ T3551] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f5b5a5756eb
[ 51.940639][ T3551] RDX: 00007ffdc4ec4658 RSI: 00000000400448dd RDI: 0000000000000003
[ 51.948591][ T3551] RBP: 00005555571054a8 R08: 0000000000000000 R09: 0000000000000000
[ 51.956549][ T3551] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000003
[ 51.964499][ T3551] R13: 0000000000000003 R14: 0000000000000009 R15: 0000000000000009
[ 51.972456][ T3551] </TASK>
[ 51.975456][ T3551]
[ 51.977760][ T3551] Allocated by task 3561:
[ 51.982063][ T3551] kasan_set_track+0x4b/0x70
[ 51.986642][ T3551] __kasan_slab_alloc+0x65/0x70
[ 51.991472][ T3551] slab_post_alloc_hook+0x52/0x3a0
[ 51.996564][ T3551] kmem_cache_alloc+0x10c/0x2d0
[ 52.001397][ T3551] skb_clone+0x1e5/0x360
[ 52.005621][ T3551] hci_cmd_work+0x296/0x660
[ 52.010101][ T3551] process_one_work+0x8a9/0x11d0
[ 52.015019][ T3551] worker_thread+0xa47/0x1200
[ 52.019681][ T3551] kthread+0x28d/0x320
[ 52.023727][ T3551] ret_from_fork+0x1f/0x30
[ 52.028128][ T3551]
[ 52.030434][ T3551] Freed by task 3560:
[ 52.034402][ T3551] kasan_set_track+0x4b/0x70
[ 52.038991][ T3551] kasan_save_free_info+0x27/0x40
[ 52.044003][ T3551] ____kasan_slab_free+0xd6/0x120
[ 52.049021][ T3551] kmem_cache_free+0x292/0x510
[ 52.053774][ T3551] hci_req_sync_complete+0xee/0x280
[ 52.058957][ T3551] hci_event_packet+0xc49/0x1510
[ 52.063881][ T3551] hci_rx_work+0x3cd/0xce0
[ 52.068279][ T3551] process_one_work+0x8a9/0x11d0
[ 52.073285][ T3551] worker_thread+0xa47/0x1200
[ 52.077944][ T3551] kthread+0x28d/0x320
[ 52.081990][ T3551] ret_from_fork+0x1f/0x30
[ 52.086393][ T3551]
[ 52.088705][ T3551] The buggy address belongs to the object at ffff88806090b3c0
[ 52.088705][ T3551] which belongs to the cache skbuff_head_cache of size 240
[ 52.103263][ T3551] The buggy address is located 228 bytes inside of
[ 52.103263][ T3551] 240-byte region [ffff88806090b3c0, ffff88806090b4b0)
[ 52.116518][ T3551]
[ 52.118851][ T3551] The buggy address belongs to the physical page:
[ 52.125252][ T3551] page:ffffea00018242c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6090b
[ 52.135382][ T3551] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 52.142916][ T3551] raw: 00fff00000000200 0000000000000000 dead000000000122 ffff888012785280
[ 52.151480][ T3551] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 52.160041][ T3551] page dumped because: kasan: bad access detected
[ 52.166437][ T3551] page_owner tracks the page as allocated
[ 52.172156][ T3551] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 3560, tgid 3560 (kworker/u5:6), ts 51634393106, free_ts 11379731777
[ 52.190550][ T3551] post_alloc_hook+0x18d/0x1b0
[ 52.195301][ T3551] get_page_from_freelist+0x31a1/0x3320
[ 52.200829][ T3551] __alloc_pages+0x28d/0x770
[ 52.205403][ T3551] alloc_slab_page+0x6a/0x150
[ 52.210065][ T3551] new_slab+0x84/0x2d0
[ 52.214119][ T3551] ___slab_alloc+0xc20/0x1270
[ 52.218779][ T3551] kmem_cache_alloc+0x1a5/0x2d0
[ 52.223700][ T3551] skb_clone+0x1e5/0x360
[ 52.227922][ T3551] hci_event_packet+0x221/0x1510
[ 52.232847][ T3551] hci_rx_work+0x3cd/0xce0
[ 52.237330][ T3551] process_one_work+0x8a9/0x11d0
[ 52.242250][ T3551] worker_thread+0xa47/0x1200
[ 52.246911][ T3551] kthread+0x28d/0x320
[ 52.250960][ T3551] ret_from_fork+0x1f/0x30
[ 52.255362][ T3551] page last free stack trace:
[ 52.260012][ T3551] free_unref_page_prepare+0xf63/0x1120
[ 52.265540][ T3551] free_unref_page+0x33/0x3e0
[ 52.270198][ T3551] free_contig_range+0x9a/0x150
[ 52.275029][ T3551] destroy_args+0xfe/0x997
[ 52.279431][ T3551] debug_vm_pgtable+0x416/0x46b
[ 52.284266][ T3551] do_one_initcall+0x265/0x8f0
[ 52.289014][ T3551] do_initcall_level+0x157/0x207
[ 52.293934][ T3551] do_initcalls+0x49/0x86
[ 52.298243][ T3551] kernel_init_freeable+0x45c/0x60f
[ 52.303509][ T3551] kernel_init+0x19/0x290
[ 52.307821][ T3551] ret_from_fork+0x1f/0x30
[ 52.312230][ T3551]
[ 52.314535][ T3551] Memory state around the buggy address:
[ 52.320142][ T3551] ffff88806090b380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 52.328182][ T3551] ffff88806090b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.336221][ T3551] >ffff88806090b480: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 52.344258][ T3551] ^
[ 52.349344][ T3551] ffff88806090b500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.357384][ T3551] ffff88806090b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 52.365421][ T3551] ==================================================================
[ 52.373943][ T3551] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 52.381227][ T3551] CPU: 1 PID: 3551 Comm: syz-executor Not tainted 6.1.94-syzkaller #0
[ 52.389390][ T3551] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 52.399449][ T3551] Call Trace:
[ 52.402732][ T3551] <TASK>
[ 52.405672][ T3551] dump_stack_lvl+0x1e3/0x2cb
[ 52.410364][ T3551] ? nf_tcp_handle_invalid+0x642/0x642
[ 52.415839][ T3551] ? panic+0x764/0x764
[ 52.419915][ T3551] ? preempt_schedule_common+0xa6/0xd0
[ 52.425382][ T3551] ? vscnprintf+0x59/0x80
[ 52.429721][ T3551] panic+0x318/0x764
[ 52.433622][ T3551] ? check_panic_on_warn+0x1d/0xa0
[ 52.438740][ T3551] ? memcpy_page_flushcache+0xfc/0xfc
[ 52.444121][ T3551] ? _raw_spin_unlock_irqrestore+0x128/0x130
[ 52.450116][ T3551] ? _raw_spin_unlock+0x40/0x40
[ 52.454981][ T3551] ? print_report+0x4a3/0x4f0
[ 52.459670][ T3551] check_panic_on_warn+0x7e/0xa0
[ 52.464620][ T3551] ? kfree_skb_reason+0x3d/0x390
[ 52.469577][ T3551] end_report+0x66/0x110
[ 52.473838][ T3551] kasan_report+0x143/0x160
[ 52.478359][ T3551] ? kfree_skb_reason+0x3d/0x390
[ 52.483320][ T3551] kasan_check_range+0x27f/0x290
[ 52.488272][ T3551] kfree_skb_reason+0x3d/0x390
[ 52.493058][ T3551] __hci_req_sync+0x626/0x940
[ 52.497755][ T3551] ? trace_contention_end+0x61/0x170
[ 52.503055][ T3551] ? hci_req_sync_complete+0x280/0x280
[ 52.508531][ T3551] ? mutex_lock_nested+0x10/0x10
[ 52.513485][ T3551] ? wake_bit_function+0x210/0x210
[ 52.518618][ T3551] ? hci_encrypt_req+0x170/0x170
[ 52.523573][ T3551] hci_req_sync+0xa5/0xc0
[ 52.527922][ T3551] hci_dev_cmd+0x2fc/0xa30
[ 52.532440][ T3551] ? security_capable+0x86/0xb0
[ 52.537306][ T3551] ? hci_dev_reset_stat+0x1a0/0x1a0
[ 52.542528][ T3551] ? hci_sock_ioctl+0x426/0x850
[ 52.547391][ T3551] sock_do_ioctl+0x152/0x450
[ 52.551991][ T3551] ? sock_show_fdinfo+0xb0/0xb0
[ 52.556851][ T3551] ? __fget_files+0x28/0x4a0
[ 52.561476][ T3551] sock_ioctl+0x47f/0x770
[ 52.565825][ T3551] ? sock_poll+0x410/0x410
[ 52.570253][ T3551] ? __fget_files+0x28/0x4a0
[ 52.574854][ T3551] ? __fget_files+0x435/0x4a0
[ 52.579547][ T3551] ? __fget_files+0x28/0x4a0
[ 52.584150][ T3551] ? bpf_lsm_file_ioctl+0x5/0x10
[ 52.589112][ T3551] ? security_file_ioctl+0x7d/0xa0
[ 52.594251][ T3551] ? sock_poll+0x410/0x410
[ 52.598681][ T3551] __se_sys_ioctl+0xf1/0x160
[ 52.603296][ T3551] do_syscall_64+0x3b/0xb0
[ 52.607733][ T3551] ? clear_bhb_loop+0x45/0xa0
[ 52.612433][ T3551] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 52.618347][ T3551] RIP: 0033:0x7f5b5a5756eb
[ 52.622773][ T3551] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 52.642393][ T3551] RSP: 002b:00007ffdc4ec45e0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 52.651252][ T3551] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f5b5a5756eb
[ 52.659235][ T3551] RDX: 00007ffdc4ec4658 RSI: 00000000400448dd RDI: 0000000000000003
[ 52.667222][ T3551] RBP: 00005555571054a8 R08: 0000000000000000 R09: 0000000000000000
[ 52.675208][ T3551] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000003
[ 52.683192][ T3551] R13: 0000000000000003 R14: 0000000000000009 R15: 0000000000000009
[ 52.691187][ T3551] </TASK>
[ 52.694544][ T3551] Kernel Offset: disabled
[ 52.698860][ T3551] Rebooting in 86400 seconds..