last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.0.112' (ED25519) to the list of known hosts.
1970/01/01 00:00:32 fuzzer started
1970/01/01 00:00:32 dialing manager at 10.128.0.163:30026
syzkaller login: [ 32.917237][ T4227] cgroup: Unknown subsys name 'net'
[ 33.048795][ T4238] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SSFS
[ 33.173693][ T4227] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:00:33 starting 5 executor processes
[ 33.688886][ T4249] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 33.691777][ T4249] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 33.694188][ T4249] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 33.697161][ T4247] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 33.709616][ T4252] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 33.712473][ T4252] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 33.714598][ T4252] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 33.716946][ T4252] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 33.720901][ T4252] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 33.729578][ T4256] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 33.732984][ T47] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 33.733074][ T4259] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 33.742050][ T4259] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 33.744093][ T4256] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 33.746402][ T4259] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 33.750942][ T4259] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 33.754709][ T4247] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 33.757915][ T4256] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 33.760574][ T4256] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 33.762971][ T4250] ==================================================================
[ 33.765003][ T4256] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 33.765282][ T4250] BUG: KASAN: use-after-free in skb_release_head_state+0xb4/0x28c
[ 33.767938][ T4256] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
1970/01/01 00:00:33 SYZFATAL: failed to recv *flatrpc.HostMessageRaw: EOF
[ 33.769291][ T4250] Read of size 8 at addr ffff0000ecd987e0 by task syz-executor.3/4250
[ 33.769306][ T4250]
[ 33.769311][ T4250] CPU: 1 PID: 4250 Comm: syz-executor.3 Not tainted 6.1.93-syzkaller #0
[ 33.769322][ T4250] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[ 33.769330][ T4250] Call trace:
[ 33.769333][ T4250]  dump_backtrace+0x1c8/0x1f4
[ 33.769347][ T4250]  show_stack+0x2c/0x3c
[ 33.769355][ T4250]  dump_stack_lvl+0x108/0x170
[ 33.769365][ T4250]  print_report+0x174/0x4c0
[ 33.769378][ T4250]  kasan_report+0xd4/0x130
[ 33.774926][ T4256] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 33.776346][ T4250]  __asan_report_load8_noabort+0x2c/0x38
[ 33.780184][ T4256] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 33.781333][ T4250]  skb_release_head_state+0xb4/0x28c
[ 33.783007][ T4256] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 33.783762][ T4250]  kfree_skb_reason+0x178/0x47c
[ 33.785265][ T4256] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 33.786132][ T4250]  __hci_req_sync+0x4fc/0x7ac
[ 33.799416][ T4250]  hci_req_sync+0xa4/0xd0
[ 33.800597][ T4250]  hci_dev_cmd+0x330/0x90c
[ 33.801798][ T4250]  hci_sock_ioctl+0x4b8/0x82c
[ 33.803060][ T4250]  sock_do_ioctl+0x134/0x2dc
[ 33.804402][ T4250]  sock_ioctl+0x4ec/0x858
[ 33.805580][ T4250]  __arm64_sys_ioctl+0x14c/0x1c8
[ 33.806953][ T4250]  invoke_syscall+0x98/0x2c0
[ 33.808185][ T4250]  el0_svc_common+0x138/0x258
[ 33.809406][ T4250]  do_el0_svc+0x64/0x218
[ 33.810541][ T4250]  el0_svc+0x58/0x168
[ 33.811604][ T4250]  el0t_64_sync_handler+0x84/0xf0
[ 33.812946][ T4250]  el0t_64_sync+0x18c/0x190
[ 33.814241][ T4250]
[ 33.814839][ T4250] Allocated by task 4247:
[ 33.816003][ T4250]  kasan_set_track+0x4c/0x80
[ 33.817279][ T4250]  kasan_save_alloc_info+0x24/0x30
[ 33.818674][ T4250]  __kasan_slab_alloc+0x74/0x8c
[ 33.820034][ T4250]  slab_post_alloc_hook+0x74/0x458
[ 33.821351][ T4250]  kmem_cache_alloc+0x230/0x37c
[ 33.822628][ T4250]  skb_clone+0x19c/0x304
[ 33.823764][ T4250]  hci_cmd_work+0x174/0x568
[ 33.824958][ T4250]  process_one_work+0x7ac/0x1404
[ 33.826287][ T4250]  worker_thread+0x8e4/0xfec
[ 33.827522][ T4250]  kthread+0x250/0x2d8
[ 33.828577][ T4250]  ret_from_fork+0x10/0x20
[ 33.829743][ T4250]
[ 33.830379][ T4250] Freed by task 4256:
[ 33.831423][ T4250]  kasan_set_track+0x4c/0x80
[ 33.832670][ T4250]  kasan_save_free_info+0x38/0x5c
[ 33.833985][ T4250]  ____kasan_slab_free+0x144/0x1c0
[ 33.835355][ T4250]  __kasan_slab_free+0x18/0x28
[ 33.836668][ T4250]  kmem_cache_free+0x2f0/0x588
[ 33.838010][ T4250]  kfree_skbmem+0x10c/0x19c
[ 33.839278][ T4250]  kfree_skb_reason+0x1ac/0x47c
[ 33.840609][ T4250]  hci_req_sync_complete+0xcc/0x258
[ 33.842052][ T4250]  hci_event_packet+0xbd4/0x109c
[ 33.843384][ T4250]  hci_rx_work+0x318/0xa68
[ 33.844595][ T4250]  process_one_work+0x7ac/0x1404
[ 33.845920][ T4250]  worker_thread+0x8e4/0xfec
[ 33.847171][ T4250]  kthread+0x250/0x2d8
[ 33.848249][ T4250]  ret_from_fork+0x10/0x20
[ 33.849489][ T4250]
[ 33.850106][ T4250] The buggy address belongs to the object at ffff0000ecd98780
[ 33.850106][ T4250]  which belongs to the cache skbuff_head_cache of size 240
[ 33.854001][ T4250] The buggy address is located 96 bytes inside of
[ 33.854001][ T4250]  240-byte region [ffff0000ecd98780, ffff0000ecd98870)
[ 33.857570][ T4250]
[ 33.858172][ T4250] The buggy address belongs to the physical page:
[ 33.859884][ T4250] page:000000007f4a5213 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12cd98
[ 33.862686][ T4250] flags: 0x5ffc00000000200(slab|node=0|zone=2|lastcpupid=0x7ff)
[ 33.864818][ T4250] raw: 05ffc00000000200 0000000000000000 dead000000000122 ffff0000c0b72600
[ 33.867058][ T4250] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 33.869381][ T4250] page dumped because: kasan: bad access detected
[ 33.871166][ T4250]
[ 33.871777][ T4250] Memory state around the buggy address:
[ 33.873286][ T4250]  ffff0000ecd98680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.875564][ T4250]  ffff0000ecd98700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 33.877775][ T4250] >ffff0000ecd98780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.879932][ T4250]                                                        ^
[ 33.881828][ T4250]  ffff0000ecd98800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 33.883999][ T4250]  ffff0000ecd98880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 33.884701][ T4260] chnl_net:caif_netlink_parms(): no params data found
[ 33.886085][ T4250] ==================================================================
[ 33.908039][ T4247] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 33.910941][ T4247] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 33.913567][ T4247] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 33.915808][ T4247] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 33.917811][ T4247] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 33.948235][ T4250] Disabling lock debugging due to kernel taint
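The report above is interleaved with other tasks' console output (the Bluetooth "unexpected cc" warnings from T4256, the caif line from T4260) and with syzkaller's own timestamped lines, which is what makes the stacks hard to read at a glance. The following Python is an added example, not part of the syzbot page or of the kernel: it isolates the KASAN report by the task ID in the printk prefix, extracts the fields a triager wants (bug kind, faulting access, slab cache, and the access/allocation/free stacks), and walks the stacks to name the subsystem frames. SAMPLE_LOG is a constructed subset of the console lines above; the prefix list in first_subsystem_frame is a heuristic of my own, not something KASAN or syzbot defines.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: a subset of the console lines from the report above, keeping the
# interleaved noise printed by other tasks (T4256, T4260) and one non-printk syzkaller line.
SAMPLE_LOG = """\
[ 33.762971][ T4250] ==================================================================
[ 33.765003][ T4256] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 33.765282][ T4250] BUG: KASAN: use-after-free in skb_release_head_state+0xb4/0x28c
1970/01/01 00:00:33 SYZFATAL: failed to recv *flatrpc.HostMessageRaw: EOF
[ 33.769291][ T4250] Read of size 8 at addr ffff0000ecd987e0 by task syz-executor.3/4250
[ 33.769306][ T4250]
[ 33.769330][ T4250] Call trace:
[ 33.769333][ T4250]  dump_backtrace+0x1c8/0x1f4
[ 33.769378][ T4250]  kasan_report+0xd4/0x130
[ 33.781333][ T4250]  skb_release_head_state+0xb4/0x28c
[ 33.783007][ T4256] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 33.783762][ T4250]  kfree_skb_reason+0x178/0x47c
[ 33.786132][ T4250]  __hci_req_sync+0x4fc/0x7ac
[ 33.814241][ T4250]
[ 33.814839][ T4250] Allocated by task 4247:
[ 33.822628][ T4250]  skb_clone+0x19c/0x304
[ 33.823764][ T4250]  hci_cmd_work+0x174/0x568
[ 33.829743][ T4250]
[ 33.830379][ T4250] Freed by task 4256:
[ 33.839278][ T4250]  kfree_skb_reason+0x1ac/0x47c
[ 33.840609][ T4250]  hci_req_sync_complete+0xcc/0x258
[ 33.849489][ T4250]
[ 33.850106][ T4250] The buggy address belongs to the object at ffff0000ecd98780
[ 33.850106][ T4250]  which belongs to the cache skbuff_head_cache of size 240
[ 33.884701][ T4260] chnl_net:caif_netlink_parms(): no params data found
[ 33.886085][ T4250] ==================================================================
"""

CONSOLE_RE = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T(?P<tid>\d+)\]\s?(?P<msg>.*)$")
BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
TRACK_RE = re.compile(r"^(?P<what>Allocated|Freed) by task (?P<tid>\d+):$")
FRAME_RE = re.compile(r"^(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Heuristic (mine): frames owned by KASAN, the allocator, skb core or the workqueue, not by the subsystem.
GENERIC_PREFIXES = ("dump_", "show_stack", "print_report", "kasan_", "__kasan", "____kasan", "__asan_",
                    "slab_", "kmem_cache_", "kfree_skb", "skb_release", "skb_clone",
                    "process_one_work", "worker_thread", "kthread", "ret_from_fork")


def report_lines(log: str) -> Tuple[int, List[str]]:
    """Find the task that printed 'BUG: KASAN:', keep only its printk lines (dropping other
    tasks' interleaved output and non-printk lines), then cut to the '====' delimiters."""
    lines = [(int(m.group("tid")), m.group("msg").strip())
             for m in map(CONSOLE_RE.match, log.splitlines()) if m]
    tid = next((t for t, msg in lines if BUG_RE.match(msg)), None)
    if tid is None:
        raise ValueError("no KASAN report in log")
    own = [msg for t, msg in lines if t == tid]
    delims = [i for i, msg in enumerate(own) if msg.startswith("====")]
    if len(delims) >= 2:
        own = own[delims[0] + 1:delims[1]]
    return tid, own


def parse_kasan_report(log: str) -> Dict[str, Any]:
    """Extract bug kind, faulting access, slab cache and the three stacks (innermost frame first)."""
    tid, msgs = report_lines(log)
    rep: Dict[str, Any] = {"tid": tid, "call_trace": [], "alloc_stack": [], "free_stack": []}
    section: Optional[str] = None
    for msg in msgs:
        if m := BUG_RE.match(msg):
            rep["kind"], rep["func"] = m.group("kind"), m.group("func")
        elif m := ACCESS_RE.match(msg):
            rep.update(op=m.group("op"), size=int(m.group("size")), addr=m.group("addr"), task=m.group("task"))
        elif m := CACHE_RE.search(msg):
            rep.update(cache=m.group("cache"), cache_size=int(m.group("size")))
        elif msg == "Call trace:":
            section = "call_trace"
        elif m := TRACK_RE.match(msg):
            section = "alloc_stack" if m.group("what") == "Allocated" else "free_stack"
            rep["alloc_task" if section == "alloc_stack" else "free_task"] = int(m.group("tid"))
        elif msg == "":
            section = None  # a blank line ends the current stack
        elif section and (m := FRAME_RE.match(msg)):
            rep[section].append(m.group("func"))
    return rep


def caller_of(stack: List[str], func: str) -> Optional[str]:
    """The frame one level up from `func`, i.e. the function that called it."""
    i = stack.index(func) if func in stack else -1
    return stack[i + 1] if 0 <= i < len(stack) - 1 else None


def first_subsystem_frame(stack: List[str]) -> Optional[str]:
    """Innermost frame that is not generic KASAN/allocator/skb-core/workqueue code (heuristic)."""
    return next((f for f in stack if not f.startswith(GENERIC_PREFIXES)), None)


def triage_summary(rep: Dict[str, Any]) -> str:
    return (f"KASAN {rep['kind']}: {rep['op']} of {rep['size']} bytes at {rep['addr']} in {rep['func']} "
            f"reached from {first_subsystem_frame(rep['call_trace'])} (task {rep['tid']}); "
            f"{rep['cache']} object allocated by {first_subsystem_frame(rep['alloc_stack'])} "
            f"(task {rep['alloc_task']}), freed by {first_subsystem_frame(rep['free_stack'])} "
            f"(task {rep['free_task']})")


if __name__ == "__main__":
    print(triage_summary(parse_kasan_report(SAMPLE_LOG)))
```

Run stand-alone it prints one summary line: use-after-free in skb_release_head_state reached from __hci_req_sync (task 4250), on a skbuff_head_cache object allocated by hci_cmd_work (task 4247) and freed by hci_req_sync_complete (task 4256). Calling caller_of on the faulting stack and on the free stack with "kfree_skb_reason" returns __hci_req_sync and hci_req_sync_complete respectively, which is the detail worth noticing in this report: both paths release the same skb that skb_clone produced in hci_cmd_work, one from the ioctl side and one from the rx work side. Filtering by task ID rather than by pattern is what keeps the Bluetooth warnings out of the stacks; a parser that only skipped known noise lines would break on the next unrelated driver message.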