last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.1.178' (ED25519) to the list of known hosts.
1970/01/01 00:00:32 fuzzer started
1970/01/01 00:00:32 dialing manager at 10.128.0.169:30028
[   32.446993][ T6287] cgroup: Unknown subsys name 'net'
[   32.591674][ T6294] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k SS
[   32.789871][ T6287] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:00:33 starting 5 executor processes
[   33.914171][   T52] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   33.916924][   T52] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   33.930346][ T6309] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   33.932841][ T6309] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   33.936232][ T6319] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   33.937524][ T6317] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[   33.940249][ T6319] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   33.941565][ T6317] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   33.945411][ T6317] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   33.945738][ T6320] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[   33.947740][ T6317] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   33.950345][ T6320] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[   33.952825][ T6317] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[   33.953535][ T6320] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[   33.955640][ T6317] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[   33.957698][ T6320] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[   33.959009][ T6317] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[   33.960960][ T6320] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[   33.964712][   T52] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[   33.966362][ T6320] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[   33.970170][ T6319] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[   33.973828][   T52] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[   33.973862][ T6319] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[   33.976203][   T52] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[   33.981215][ T6319] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   33.982214][   T52] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[   33.988097][ T6320] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[   33.990755][ T6320] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[   33.992751][   T52] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[   33.993845][ T6320] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[   34.001213][ T6320] ==================================================================
[   34.003309][ T6320] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x40/0x28c
[   34.005555][ T6320] Read of size 8 at addr ffff0000eab9fcd8 by task kworker/u9:7/6320
[   34.007684][ T6320] 
[   34.008255][ T6320] CPU: 1 PID: 6320 Comm: kworker/u9:7 Tainted: G        W          6.10.0-rc3-syzkaller-gac2193b4b460 #0
[   34.011266][ T6320] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[   34.013901][ T6320] Workqueue: hci1 hci_rx_work
[   34.015182][ T6320] Call trace:
[   34.016063][ T6320]  dump_backtrace+0x1b8/0x1e4
[   34.017321][ T6320]  show_stack+0x2c/0x3c
[   34.018417][ T6320]  dump_stack_lvl+0xe4/0x150
[   34.019606][ T6320]  print_report+0x198/0x538
[   34.020799][ T6320]  kasan_report+0xd8/0x138
[   34.021997][ T6320]  __asan_report_load8_noabort+0x20/0x2c
[   34.023522][ T6320]  skb_release_head_state+0x40/0x28c
[   34.024969][ T6320]  kfree_skb_reason+0x188/0x490
[   34.026279][ T6320]  hci_req_sync_complete+0xb0/0x248
[   34.027625][ T6320]  hci_event_packet+0xab8/0x105c
[   34.028969][ T6320]  hci_rx_work+0x318/0xa78
[   34.030196][ T6320]  process_one_work+0x79c/0x15b8
[   34.031627][ T6320]  worker_thread+0x938/0xef4
[   34.032811][ T6320]  kthread+0x288/0x310
[   34.033882][ T6320]  ret_from_fork+0x10/0x20
[   34.035024][ T6320] 
[   34.035624][ T6320] Allocated by task 6320:
[   34.036766][ T6320]  kasan_save_track+0x40/0x78
[   34.037993][ T6320]  kasan_save_alloc_info+0x40/0x50
[   34.039365][ T6320]  __kasan_slab_alloc+0x74/0x8c
[   34.040596][ T6320]  kmem_cache_alloc_noprof+0x1c0/0x350
[   34.042036][ T6320]  skb_clone+0x1c8/0x330
[   34.043227][ T6320]  hci_cmd_work+0x174/0x568
1970/01/01 00:00:34 SYZFATAL: failed to recv *flatrpc.HostMessageRaw: EOF
[   34.044401][ T6320]  process_one_work+0x79c/0x15b8
[   34.045737][ T6320]  worker_thread+0x938/0xef4
[   34.046943][ T6320]  kthread+0x288/0x310
[   34.048026][ T6320]  ret_from_fork+0x10/0x20
[   34.049210][ T6320] 
[   34.049820][ T6320] Freed by task 6307:
[   34.050868][ T6320]  kasan_save_track+0x40/0x78
[   34.052076][ T6320]  kasan_save_free_info+0x54/0x6c
[   34.053390][ T6320]  poison_slab_object+0x128/0x180
[   34.054775][ T6320]  __kasan_slab_free+0x3c/0x70
[   34.056071][ T6320]  kmem_cache_free+0x170/0x4d0
[   34.057382][ T6320]  kfree_skbmem+0x15c/0x1ec
[   34.058585][ T6320]  kfree_skb_reason+0x1c0/0x490
[   34.059873][ T6320]  __hci_req_sync+0x4e8/0x798
[   34.061121][ T6320]  hci_req_sync+0xa0/0xcc
[   34.062267][ T6320]  hci_dev_cmd+0x304/0x8c0
[   34.063466][ T6320]  hci_sock_ioctl+0x4b8/0x7e4
[   34.064665][ T6320]  sock_do_ioctl+0x134/0x2d0
[   34.065909][ T6320]  sock_ioctl+0x4ec/0x838
[   34.067097][ T6320]  __arm64_sys_ioctl+0x14c/0x1c8
[   34.068420][ T6320]  invoke_syscall+0x98/0x2b8
[   34.069634][ T6320]  el0_svc_common+0x130/0x23c
[   34.070885][ T6320]  do_el0_svc+0x48/0x58
[   34.072027][ T6320]  el0_svc+0x54/0x168
[   34.073111][ T6320]  el0t_64_sync_handler+0x84/0xfc
[   34.074495][ T6320]  el0t_64_sync+0x190/0x194
[   34.075701][ T6320] 
[   34.076358][ T6320] The buggy address belongs to the object at ffff0000eab9fc80
[   34.076358][ T6320]  which belongs to the cache skbuff_head_cache of size 240
[   34.080287][ T6320] The buggy address is located 88 bytes inside of
[   34.080287][ T6320]  freed 240-byte region [ffff0000eab9fc80, ffff0000eab9fd70)
[   34.083888][ T6320] 
[   34.084546][ T6320] The buggy address belongs to the physical page:
[   34.086249][ T6320] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12ab9f
[   34.088668][ T6320] flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
[   34.090576][ T6320] page_type: 0xffffefff(slab)
[   34.091797][ T6320] raw: 05ffc00000000000 ffff0000c1bcc780 dead000000000122 0000000000000000
[   34.094139][ T6320] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[   34.096461][ T6320] page dumped because: kasan: bad access detected
[   34.098123][ T6320] 
[   34.098771][ T6320] Memory state around the buggy address:
[   34.100246][ T6320]  ffff0000eab9fb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.102438][ T6320]  ffff0000eab9fc00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[   34.104508][ T6320] >ffff0000eab9fc80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   34.106648][ T6320]                                                     ^
[   34.108468][ T6320]  ffff0000eab9fd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   34.110627][ T6320]  ffff0000eab9fd80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   34.112740][ T6320] ==================================================================
[   34.115090][ T6320] Disabling lock debugging due to kernel taint