last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.1.243' (ED25519) to the list of known hosts.
[ 44.435984][ T3533] cgroup: Unknown subsys name 'net'
[ 44.564828][ T3533] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 45.835501][ T3533] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k FS
[ 47.168493][ T3546] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 47.176856][ T3546] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 47.184958][ T3546] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 47.192914][ T3546] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 47.200582][ T3546] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 47.207822][ T3546] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 47.237247][ T3551] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 47.250335][ T3551] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 47.257914][ T3551] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 47.266280][ T3551] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 47.279587][ T3551] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 47.287880][ T3551] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 47.295529][ T3551] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 47.305500][ T3554] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 47.313435][ T3554] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 47.320992][ T3554] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 47.329094][ T3554] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 47.336427][ T3554] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 47.343682][ T3554] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 47.352852][ T3557] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 47.358989][ T3554] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 47.367948][ T3554] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 47.368993][ T3557] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 47.375987][ T3554] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 47.383767][ T3557] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 47.396757][ T47] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 47.404871][ T3557] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 47.410681][ T3561] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 47.412345][ T47] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 47.426309][ T3561] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 47.436111][ T3558] ==================================================================
[ 47.444182][ T3558] BUG: KASAN: use-after-free in kfree_skb_reason+0x3d/0x390
[ 47.451492][ T3558] Read of size 4 at addr ffff8880623f65e4 by task syz-executor/3558
[ 47.459471][ T3558]
[ 47.461801][ T3558] CPU: 0 PID: 3558 Comm: syz-executor Not tainted 6.1.99-syzkaller #0
[ 47.469953][ T3558] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 47.480010][ T3558] Call Trace:
[ 47.483291][ T3558] <TASK>
[ 47.486223][ T3558] dump_stack_lvl+0x1e3/0x2cb
[ 47.490921][ T3558] ? nf_tcp_handle_invalid+0x642/0x642
[ 47.496392][ T3558] ? panic+0x764/0x764
[ 47.500473][ T3558] ? _printk+0xd1/0x111
[ 47.504635][ T3558] ? __virt_addr_valid+0x17f/0x520
[ 47.509754][ T3558] ? __virt_addr_valid+0x17f/0x520
[ 47.514881][ T3558] print_report+0x15f/0x4f0
[ 47.519388][ T3558] ? __virt_addr_valid+0x17f/0x520
[ 47.524511][ T3558] ? __virt_addr_valid+0x17f/0x520
[ 47.529638][ T3558] ? __virt_addr_valid+0x44a/0x520
[ 47.534758][ T3558] ? __phys_addr+0xb6/0x170
[ 47.539266][ T3558] ? kfree_skb_reason+0x3d/0x390
[ 47.544215][ T3558] kasan_report+0x136/0x160
[ 47.548724][ T3558] ? kfree_skb_reason+0x3d/0x390
[ 47.553674][ T3558] kasan_check_range+0x27f/0x290
[ 47.558616][ T3558] kfree_skb_reason+0x3d/0x390
[ 47.563389][ T3558] __hci_req_sync+0x626/0x940
[ 47.568072][ T3558] ? trace_contention_end+0x61/0x170
[ 47.573371][ T3558] ? hci_req_sync_complete+0x280/0x280
[ 47.578841][ T3558] ? mutex_lock_nested+0x10/0x10
[ 47.583782][ T3558] ? wake_bit_function+0x210/0x210
[ 47.588903][ T3558] ? hci_encrypt_req+0x170/0x170
[ 47.593848][ T3558] hci_req_sync+0xa5/0xc0
[ 47.598185][ T3558] hci_dev_cmd+0x2fc/0xa30
[ 47.602614][ T3558] ? security_capable+0x86/0xb0
[ 47.607477][ T3558] ? hci_dev_reset_stat+0x1a0/0x1a0
[ 47.612685][ T3558] ? hci_sock_ioctl+0x426/0x850
[ 47.617542][ T3558] sock_do_ioctl+0x152/0x450
[ 47.622140][ T3558] ? sock_show_fdinfo+0xb0/0xb0
[ 47.627000][ T3558] ? __fget_files+0x28/0x4a0
[ 47.631604][ T3558] sock_ioctl+0x47f/0x770
[ 47.635942][ T3558] ? sock_poll+0x410/0x410
[ 47.640371][ T3558] ? __fget_files+0x28/0x4a0
[ 47.644966][ T3558] ? __fget_files+0x435/0x4a0
[ 47.649651][ T3558] ? __fget_files+0x28/0x4a0
[ 47.654254][ T3558] ? bpf_lsm_file_ioctl+0x5/0x10
[ 47.659209][ T3558] ? security_file_ioctl+0x7d/0xa0
[ 47.664325][ T3558] ? sock_poll+0x410/0x410
[ 47.668745][ T3558] __se_sys_ioctl+0xf1/0x160
[ 47.673346][ T3558] do_syscall_64+0x3b/0xb0
[ 47.677773][ T3558] ? clear_bhb_loop+0x45/0xa0
[ 47.682461][ T3558] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 47.688361][ T3558] RIP: 0033:0x7fdd689756db
[ 47.692784][ T3558] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 47.704079][ T3545] chnl_net:caif_netlink_parms(): no params data found
[ 47.712371][ T3558] RSP: 002b:00007ffca922f870 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 47.712393][ T3558] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdd689756db
[ 47.712405][ T3558] RDX: 00007ffca922f8e8 RSI: 00000000400448dd RDI: 0000000000000003
[ 47.712415][ T3558] RBP: 000055555731b4a8 R08: 0000000000000000 R09: 0000000000000000
[ 47.751419][ T3558] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000004
[ 47.759390][ T3558] R13: 0000000000000004 R14: 0000000000000009 R15: 0000000000000009
[ 47.767372][ T3558] </TASK>
[ 47.770393][ T3558]
[ 47.772711][ T3558] Allocated by task 3551:
[ 47.777034][ T3558] kasan_set_track+0x4b/0x70
[ 47.781631][ T3558] __kasan_slab_alloc+0x65/0x70
[ 47.786479][ T3558] slab_post_alloc_hook+0x52/0x3a0
[ 47.791595][ T3558] kmem_cache_alloc+0x10c/0x2d0
[ 47.795609][ T3549] chnl_net:caif_netlink_parms(): no params data found
[ 47.796435][ T3558] skb_clone+0x1e5/0x360
[ 47.807416][ T3558] hci_cmd_work+0x296/0x660
[ 47.811922][ T3558] process_one_work+0x8a9/0x11d0
[ 47.816863][ T3558] worker_thread+0xa47/0x1200
[ 47.821539][ T3558] kthread+0x28d/0x320
[ 47.825607][ T3558] ret_from_fork+0x1f/0x30
[ 47.830031][ T3558]
[ 47.832352][ T3558] Freed by task 3561:
[ 47.836325][ T3558] kasan_set_track+0x4b/0x70
[ 47.840927][ T3558] kasan_save_free_info+0x27/0x40
[ 47.845952][ T3558] ____kasan_slab_free+0xd6/0x120
[ 47.850984][ T3558] kmem_cache_free+0x292/0x510
[ 47.855752][ T3558] hci_req_sync_complete+0xee/0x280
[ 47.860951][ T3558] hci_event_packet+0xc49/0x1510
[ 47.865897][ T3558] hci_rx_work+0x3cd/0xce0
[ 47.870308][ T3558] process_one_work+0x8a9/0x11d0
[ 47.875262][ T3558] worker_thread+0xa47/0x1200
[ 47.879913][ T3558] kthread+0x28d/0x320
[ 47.883958][ T3558] ret_from_fork+0x1f/0x30
[ 47.888351][ T3558]
[ 47.890652][ T3558] The buggy address belongs to the object at ffff8880623f6500
[ 47.890652][ T3558] which belongs to the cache skbuff_head_cache of size 240
[ 47.905201][ T3558] The buggy address is located 228 bytes inside of
[ 47.905201][ T3558] 240-byte region [ffff8880623f6500, ffff8880623f65f0)
[ 47.918463][ T3558]
[ 47.920772][ T3558] The buggy address belongs to the physical page:
[ 47.927171][ T3558] page:ffffea000188fd80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x623f6
[ 47.937296][ T3558] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 47.944822][ T3558] raw: 00fff00000000200 0000000000000000 dead000000000122 ffff8880127c0000
[ 47.953392][ T3558] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 47.961945][ T3558] page dumped because: kasan: bad access detected
[ 47.968329][ T3558] page_owner tracks the page as allocated
[ 47.974014][ T3558] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 3559, tgid 3558 (syz-executor), ts 47434642950, free_ts 11032030034
[ 47.992305][ T3558] post_alloc_hook+0x18d/0x1b0
[ 47.997060][ T3558] get_page_from_freelist+0x322e/0x33b0
[ 48.002582][ T3558] __alloc_pages+0x28d/0x770
[ 48.007147][ T3558] alloc_slab_page+0x6a/0x150
[ 48.011800][ T3558] new_slab+0x84/0x2d0
[ 48.015845][ T3558] ___slab_alloc+0xc20/0x1270
[ 48.020501][ T3558] kmem_cache_alloc_node+0x1cf/0x310
[ 48.025774][ T3558] __alloc_skb+0xde/0x670
[ 48.030084][ T3558] vhci_write+0xbc/0x440
[ 48.034312][ T3558] do_iter_write+0x6e6/0xc40
[ 48.038874][ T3558] do_writev+0x27b/0x460
[ 48.043091][ T3558] do_syscall_64+0x3b/0xb0
[ 48.047485][ T3558] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 48.053356][ T3558] page last free stack trace:
[ 48.057998][ T3558] free_unref_page_prepare+0xf63/0x1120
[ 48.063517][ T3558] free_unref_page+0x33/0x3e0
[ 48.068164][ T3558] free_contig_range+0x9a/0x150
[ 48.072991][ T3558] destroy_args+0xfe/0x997
[ 48.077386][ T3558] debug_vm_pgtable+0x416/0x46b
[ 48.082213][ T3558] do_one_initcall+0x265/0x8f0
[ 48.086956][ T3558] do_initcall_level+0x157/0x207
[ 48.091865][ T3558] do_initcalls+0x49/0x86
[ 48.096167][ T3558] kernel_init_freeable+0x45c/0x60f
[ 48.101338][ T3558] kernel_init+0x19/0x290
[ 48.105640][ T3558] ret_from_fork+0x1f/0x30
[ 48.110029][ T3558]
[ 48.112327][ T3558] Memory state around the buggy address:
[ 48.117924][ T3558] ffff8880623f6480: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 48.125957][ T3558] ffff8880623f6500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.133991][ T3558] >ffff8880623f6580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 48.142032][ T3558] ^
[ 48.149195][ T3558] ffff8880623f6600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 48.157241][ T3558] ffff8880623f6680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.165291][ T3558] ==================================================================
[ 48.174694][ T3558] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 48.181894][ T3558] CPU: 0 PID: 3558 Comm: syz-executor Not tainted 6.1.99-syzkaller #0
[ 48.190028][ T3558] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 48.200066][ T3558] Call Trace:
[ 48.203333][ T3558] <TASK>
[ 48.206246][ T3558] dump_stack_lvl+0x1e3/0x2cb
[ 48.210915][ T3558] ? nf_tcp_handle_invalid+0x642/0x642
[ 48.216358][ T3558] ? panic+0x764/0x764
[ 48.220411][ T3558] ? preempt_schedule_common+0xa6/0xd0
[ 48.225863][ T3558] ? vscnprintf+0x59/0x80
[ 48.230188][ T3558] panic+0x318/0x764
[ 48.234071][ T3558] ? check_panic_on_warn+0x1d/0xa0
[ 48.239165][ T3558] ? memcpy_page_flushcache+0xfc/0xfc
[ 48.244520][ T3558] ? _raw_spin_unlock_irqrestore+0x128/0x130
[ 48.250486][ T3558] ? _raw_spin_unlock+0x40/0x40
[ 48.255322][ T3558] ? print_report+0x4a3/0x4f0
[ 48.259993][ T3558] check_panic_on_warn+0x7e/0xa0
[ 48.264919][ T3558] ? kfree_skb_reason+0x3d/0x390
[ 48.269852][ T3558] end_report+0x66/0x110
[ 48.274077][ T3558] kasan_report+0x143/0x160
[ 48.278568][ T3558] ? kfree_skb_reason+0x3d/0x390
[ 48.283496][ T3558] kasan_check_range+0x27f/0x290
[ 48.288415][ T3558] kfree_skb_reason+0x3d/0x390
[ 48.293174][ T3558] __hci_req_sync+0x626/0x940
[ 48.297834][ T3558] ? trace_contention_end+0x61/0x170
[ 48.303105][ T3558] ? hci_req_sync_complete+0x280/0x280
[ 48.308546][ T3558] ? mutex_lock_nested+0x10/0x10
[ 48.313469][ T3558] ? wake_bit_function+0x210/0x210
[ 48.318572][ T3558] ? hci_encrypt_req+0x170/0x170
[ 48.323494][ T3558] hci_req_sync+0xa5/0xc0
[ 48.327811][ T3558] hci_dev_cmd+0x2fc/0xa30
[ 48.332215][ T3558] ? security_capable+0x86/0xb0
[ 48.337052][ T3558] ? hci_dev_reset_stat+0x1a0/0x1a0
[ 48.342237][ T3558] ? hci_sock_ioctl+0x426/0x850
[ 48.347074][ T3558] sock_do_ioctl+0x152/0x450
[ 48.351649][ T3558] ? sock_show_fdinfo+0xb0/0xb0
[ 48.356483][ T3558] ? __fget_files+0x28/0x4a0
[ 48.361059][ T3558] sock_ioctl+0x47f/0x770
[ 48.365371][ T3558] ? sock_poll+0x410/0x410
[ 48.369769][ T3558] ? __fget_files+0x28/0x4a0
[ 48.374337][ T3558] ? __fget_files+0x435/0x4a0
[ 48.378993][ T3558] ? __fget_files+0x28/0x4a0
[ 48.383566][ T3558] ? bpf_lsm_file_ioctl+0x5/0x10
[ 48.388484][ T3558] ? security_file_ioctl+0x7d/0xa0
[ 48.393576][ T3558] ? sock_poll+0x410/0x410
[ 48.397975][ T3558] __se_sys_ioctl+0xf1/0x160
[ 48.402552][ T3558] do_syscall_64+0x3b/0xb0
[ 48.406956][ T3558] ? clear_bhb_loop+0x45/0xa0
[ 48.411630][ T3558] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 48.417522][ T3558] RIP: 0033:0x7fdd689756db
[ 48.421928][ T3558] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 48.441521][ T3558] RSP: 002b:00007ffca922f870 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 48.449918][ T3558] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdd689756db
[ 48.457870][ T3558] RDX: 00007ffca922f8e8 RSI: 00000000400448dd RDI: 0000000000000003
[ 48.465823][ T3558] RBP: 000055555731b4a8 R08: 0000000000000000 R09: 0000000000000000
[ 48.473789][ T3558] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000004
[ 48.481747][ T3558] R13: 0000000000000004 R14: 0000000000000009 R15: 0000000000000009
[ 48.489707][ T3558] </TASK>
[ 48.493019][ T3558] Kernel Offset: disabled
[ 48.497326][ T3558] Rebooting in 86400 seconds..