last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.0.208' (ED25519) to the list of known hosts.
[ 50.377371][ T3534] cgroup: Unknown subsys name 'net'
[ 50.479046][ T3534] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 51.780745][ T3534] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k FS
[ 52.826312][ T3557] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 52.828323][ T3560] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 52.842231][ T3557] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 52.842295][ T3560] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 52.850329][ T3557] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 52.858458][ T3560] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 52.865019][ T3557] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 52.872323][ T3560] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 52.878153][ T3557] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 52.885501][ T3560] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 52.892031][ T3557] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 52.898700][ T3560] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 52.905441][ T3557] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 52.913437][ T3560] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 52.920550][ T3557] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 52.927408][ T3560] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 52.934051][ T3557] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 52.941131][ T3560] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 52.947416][ T3557] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 52.954938][ T3560] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 52.961128][ T3557] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 52.969102][ T3560] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 52.974983][ T3557] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 52.982563][ T3560] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 52.988883][ T3557] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 52.996826][ T3560] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 53.009678][ T3548] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 53.012674][ T3560] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 53.016956][ T3548] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 53.031220][ T3560] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 53.049577][ T3545] ==================================================================
[ 53.057686][ T3545] BUG: KASAN: use-after-free in kfree_skb_reason+0x3d/0x390
[ 53.065012][ T3545] Read of size 4 at addr ffff888027adf864 by task syz-executor/3545
[ 53.073006][ T3545]
[ 53.075346][ T3545] CPU: 0 PID: 3545 Comm: syz-executor Not tainted 6.1.99-syzkaller #0
[ 53.083523][ T3545] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 53.093597][ T3545] Call Trace:
[ 53.096890][ T3545] <TASK>
[ 53.099828][ T3545] dump_stack_lvl+0x1e3/0x2cb
[ 53.104529][ T3545] ? nf_tcp_handle_invalid+0x642/0x642
[ 53.110009][ T3545] ? panic+0x764/0x764
[ 53.114088][ T3545] ? _printk+0xd1/0x111
[ 53.118253][ T3545] ? __virt_addr_valid+0x17f/0x520
[ 53.123374][ T3545] ? __virt_addr_valid+0x17f/0x520
[ 53.128499][ T3545] print_report+0x15f/0x4f0
[ 53.133018][ T3545] ? __virt_addr_valid+0x17f/0x520
[ 53.138145][ T3545] ? __virt_addr_valid+0x17f/0x520
[ 53.143270][ T3545] ? __virt_addr_valid+0x44a/0x520
[ 53.148397][ T3545] ? __phys_addr+0xb6/0x170
[ 53.152917][ T3545] ? kfree_skb_reason+0x3d/0x390
[ 53.157867][ T3545] kasan_report+0x136/0x160
[ 53.162358][ T3545] ? kfree_skb_reason+0x3d/0x390
[ 53.167289][ T3545] kasan_check_range+0x27f/0x290
[ 53.172208][ T3545] kfree_skb_reason+0x3d/0x390
[ 53.176963][ T3545] __hci_req_sync+0x626/0x940
[ 53.181627][ T3545] ? trace_contention_end+0x61/0x170
[ 53.186900][ T3545] ? hci_req_sync_complete+0x280/0x280
[ 53.192345][ T3545] ? mutex_lock_nested+0x10/0x10
[ 53.197267][ T3545] ? wake_bit_function+0x210/0x210
[ 53.202366][ T3545] ? hci_encrypt_req+0x170/0x170
[ 53.207290][ T3545] hci_req_sync+0xa5/0xc0
[ 53.211604][ T3545] hci_dev_cmd+0x2fc/0xa30
[ 53.216006][ T3545] ? security_capable+0x86/0xb0
[ 53.220844][ T3545] ? hci_dev_reset_stat+0x1a0/0x1a0
[ 53.226029][ T3545] ? hci_sock_ioctl+0x426/0x850
[ 53.230867][ T3545] sock_do_ioctl+0x152/0x450
[ 53.235442][ T3545] ? sock_show_fdinfo+0xb0/0xb0
[ 53.240275][ T3545] ? __fget_files+0x28/0x4a0
[ 53.244849][ T3545] sock_ioctl+0x47f/0x770
[ 53.249160][ T3545] ? sock_poll+0x410/0x410
[ 53.253556][ T3545] ? __fget_files+0x28/0x4a0
[ 53.258129][ T3545] ? __fget_files+0x435/0x4a0
[ 53.262788][ T3545] ? __fget_files+0x28/0x4a0
[ 53.267362][ T3545] ? bpf_lsm_file_ioctl+0x5/0x10
[ 53.272281][ T3545] ? security_file_ioctl+0x7d/0xa0
[ 53.277372][ T3545] ? sock_poll+0x410/0x410
[ 53.281769][ T3545] __se_sys_ioctl+0xf1/0x160
[ 53.286348][ T3545] do_syscall_64+0x3b/0xb0
[ 53.290750][ T3545] ? clear_bhb_loop+0x45/0xa0
[ 53.295415][ T3545] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 53.301299][ T3545] RIP: 0033:0x7f80b5d757db
[ 53.305712][ T3545] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 53.325304][ T3545] RSP: 002b:00007ffe741ecd50 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 53.333699][ T3545] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f80b5d757db
[ 53.341652][ T3545] RDX: 00007ffe741ecdc8 RSI: 00000000400448dd RDI: 0000000000000003
[ 53.349605][ T3545] RBP: 00005555575404a8 R08: 0000000000000000 R09: 0000000000000000
[ 53.357559][ T3545] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000
[ 53.365515][ T3545] R13: 0000000000000000 R14: 0000000000000009 R15: 0000000000000009
[ 53.373476][ T3545] </TASK>
[ 53.376476][ T3545]
[ 53.378782][ T3545] Allocated by task 3550:
[ 53.383090][ T3545] kasan_set_track+0x4b/0x70
[ 53.387669][ T3545] __kasan_slab_alloc+0x65/0x70
[ 53.392502][ T3545] slab_post_alloc_hook+0x52/0x3a0
[ 53.397599][ T3545] kmem_cache_alloc+0x10c/0x2d0
[ 53.402433][ T3545] skb_clone+0x1e5/0x360
[ 53.406660][ T3545] hci_cmd_work+0x296/0x660
[ 53.411145][ T3545] process_one_work+0x8a9/0x11d0
[ 53.416065][ T3545] worker_thread+0xa47/0x1200
[ 53.420725][ T3545] kthread+0x28d/0x320
[ 53.424771][ T3545] ret_from_fork+0x1f/0x30
[ 53.429173][ T3545]
[ 53.431481][ T3545] Freed by task 47:
[ 53.435266][ T3545] kasan_set_track+0x4b/0x70
[ 53.439840][ T3545] kasan_save_free_info+0x27/0x40
[ 53.444846][ T3545] ____kasan_slab_free+0xd6/0x120
[ 53.449855][ T3545] kmem_cache_free+0x292/0x510
[ 53.454603][ T3545] hci_req_sync_complete+0xee/0x280
[ 53.459874][ T3545] hci_event_packet+0xc49/0x1510
[ 53.464811][ T3545] hci_rx_work+0x3cd/0xce0
[ 53.469214][ T3545] process_one_work+0x8a9/0x11d0
[ 53.474135][ T3545] worker_thread+0xa47/0x1200
[ 53.478794][ T3545] kthread+0x28d/0x320
[ 53.482844][ T3545] ret_from_fork+0x1f/0x30
[ 53.487256][ T3545]
[ 53.489578][ T3545] The buggy address belongs to the object at ffff888027adf780
[ 53.489578][ T3545] which belongs to the cache skbuff_head_cache of size 240
[ 53.504155][ T3545] The buggy address is located 228 bytes inside of
[ 53.504155][ T3545] 240-byte region [ffff888027adf780, ffff888027adf870)
[ 53.517419][ T3545]
[ 53.519730][ T3545] The buggy address belongs to the physical page:
[ 53.526133][ T3545] page:ffffea00009eb7c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x27adf
[ 53.536271][ T3545] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 53.543807][ T3545] raw: 00fff00000000200 0000000000000000 dead000000000122 ffff888140e5a000
[ 53.552373][ T3545] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 53.560934][ T3545] page dumped because: kasan: bad access detected
[ 53.567340][ T3545] page_owner tracks the page as allocated
[ 53.573032][ T3545] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 3544, tgid 3544 (syz-executor), ts 53044750765, free_ts 53041744050
[ 53.591329][ T3545] post_alloc_hook+0x18d/0x1b0
[ 53.596170][ T3545] get_page_from_freelist+0x322e/0x33b0
[ 53.601698][ T3545] __alloc_pages+0x28d/0x770
[ 53.606271][ T3545] alloc_slab_page+0x6a/0x150
[ 53.610935][ T3545] new_slab+0x84/0x2d0
[ 53.614994][ T3545] ___slab_alloc+0xc20/0x1270
[ 53.619659][ T3545] kmem_cache_alloc_node+0x1cf/0x310
[ 53.624942][ T3545] __alloc_skb+0xde/0x670
[ 53.629281][ T3545] vhci_write+0xbc/0x440
[ 53.633532][ T3545] do_iter_write+0x6e6/0xc40
[ 53.638119][ T3545] do_writev+0x27b/0x460
[ 53.642360][ T3545] do_syscall_64+0x3b/0xb0
[ 53.646779][ T3545] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 53.652660][ T3545] page last free stack trace:
[ 53.657319][ T3545] free_unref_page_prepare+0xf63/0x1120
[ 53.662851][ T3545] free_unref_page+0x33/0x3e0
[ 53.667511][ T3545] __unfreeze_partials+0x1b7/0x210
[ 53.672606][ T3545] put_cpu_partial+0x17b/0x250
[ 53.677356][ T3545] qlist_free_all+0x76/0xe0
[ 53.681844][ T3545] kasan_quarantine_reduce+0x156/0x170
[ 53.687305][ T3545] __kasan_slab_alloc+0x1f/0x70
[ 53.692161][ T3545] slab_post_alloc_hook+0x52/0x3a0
[ 53.697268][ T3545] kmem_cache_alloc_node+0x136/0x310
[ 53.702550][ T3545] __alloc_skb+0xde/0x670
[ 53.706869][ T3545] alloc_skb_with_frags+0xa4/0x740
[ 53.711968][ T3545] sock_alloc_send_pskb+0x915/0xa50
[ 53.717150][ T3545] unix_dgram_sendmsg+0x5b1/0x2050
[ 53.722242][ T3545] sock_write_iter+0x394/0x4e0
[ 53.726993][ T3545] vfs_write+0x857/0xbc0
[ 53.731218][ T3545] ksys_write+0x19c/0x2c0
[ 53.735531][ T3545]
[ 53.737842][ T3545] Memory state around the buggy address:
[ 53.744254][ T3545] ffff888027adf700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 53.752293][ T3545] ffff888027adf780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.760344][ T3545] >ffff888027adf800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 53.768382][ T3545]                                                        ^
[ 53.775562][ T3545] ffff888027adf880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 53.783602][ T3545] ffff888027adf900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.791642][ T3545] ==================================================================
[ 53.800017][ T3545] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 53.807222][ T3545] CPU: 1 PID: 3545 Comm: syz-executor Not tainted 6.1.99-syzkaller #0
[ 53.815380][ T3545] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 53.825436][ T3545] Call Trace:
[ 53.828718][ T3545] <TASK>
[ 53.831672][ T3545] dump_stack_lvl+0x1e3/0x2cb
[ 53.836365][ T3545] ? nf_tcp_handle_invalid+0x642/0x642
[ 53.841836][ T3545] ? panic+0x764/0x764
[ 53.845915][ T3545] ? preempt_schedule_common+0xa6/0xd0
[ 53.851382][ T3545] ? vscnprintf+0x59/0x80
[ 53.855720][ T3545] panic+0x318/0x764
[ 53.859633][ T3545] ? check_panic_on_warn+0x1d/0xa0
[ 53.864755][ T3545] ? memcpy_page_flushcache+0xfc/0xfc
[ 53.870133][ T3545] ? _raw_spin_unlock_irqrestore+0x128/0x130
[ 53.876125][ T3545] ? _raw_spin_unlock+0x40/0x40
[ 53.880983][ T3545] ? print_report+0x4a3/0x4f0
[ 53.885671][ T3545] check_panic_on_warn+0x7e/0xa0
[ 53.890624][ T3545] ? kfree_skb_reason+0x3d/0x390
[ 53.895578][ T3545] end_report+0x66/0x110
[ 53.899827][ T3545] kasan_report+0x143/0x160
[ 53.904329][ T3545] ? kfree_skb_reason+0x3d/0x390
[ 53.909257][ T3545] kasan_check_range+0x27f/0x290
[ 53.914179][ T3545] kfree_skb_reason+0x3d/0x390
[ 53.918931][ T3545] __hci_req_sync+0x626/0x940
[ 53.923592][ T3545] ? trace_contention_end+0x61/0x170
[ 53.928869][ T3545] ? hci_req_sync_complete+0x280/0x280
[ 53.934311][ T3545] ? mutex_lock_nested+0x10/0x10
[ 53.939237][ T3545] ? wake_bit_function+0x210/0x210
[ 53.944337][ T3545] ? hci_encrypt_req+0x170/0x170
[ 53.949259][ T3545] hci_req_sync+0xa5/0xc0
[ 53.953572][ T3545] hci_dev_cmd+0x2fc/0xa30
[ 53.957976][ T3545] ? security_capable+0x86/0xb0
[ 53.962813][ T3545] ? hci_dev_reset_stat+0x1a0/0x1a0
[ 53.967999][ T3545] ? hci_sock_ioctl+0x426/0x850
[ 53.972834][ T3545] sock_do_ioctl+0x152/0x450
[ 53.977411][ T3545] ? sock_show_fdinfo+0xb0/0xb0
[ 53.982245][ T3545] ? __fget_files+0x28/0x4a0
[ 53.986821][ T3545] sock_ioctl+0x47f/0x770
[ 53.991135][ T3545] ? sock_poll+0x410/0x410
[ 53.995532][ T3545] ? __fget_files+0x28/0x4a0
[ 54.000104][ T3545] ? __fget_files+0x435/0x4a0
[ 54.004762][ T3545] ? __fget_files+0x28/0x4a0
[ 54.009334][ T3545] ? bpf_lsm_file_ioctl+0x5/0x10
[ 54.014255][ T3545] ? security_file_ioctl+0x7d/0xa0
[ 54.019347][ T3545] ? sock_poll+0x410/0x410
[ 54.023753][ T3545] __se_sys_ioctl+0xf1/0x160
[ 54.028330][ T3545] do_syscall_64+0x3b/0xb0
[ 54.032734][ T3545] ? clear_bhb_loop+0x45/0xa0
[ 54.037398][ T3545] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 54.043275][ T3545] RIP: 0033:0x7f80b5d757db
[ 54.047673][ T3545] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 54.067260][ T3545] RSP: 002b:00007ffe741ecd50 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 54.075656][ T3545] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f80b5d757db
[ 54.083610][ T3545] RDX: 00007ffe741ecdc8 RSI: 00000000400448dd RDI: 0000000000000003
[ 54.091564][ T3545] RBP: 00005555575404a8 R08: 0000000000000000 R09: 0000000000000000
[ 54.099521][ T3545] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000
[ 54.107487][ T3545] R13: 0000000000000000 R14: 0000000000000009 R15: 0000000000000009
[ 54.115452][ T3545] </TASK>
[ 54.118704][ T3545] Kernel Offset: disabled
[ 54.123013][ T3545] Rebooting in 86400 seconds..