last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.1.159' (ED25519) to the list of known hosts.
[ 66.278425][ T5082] cgroup: Unknown subsys name 'net'
[ 66.419127][ T5082] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 68.171486][ T5082] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 68.798946][ T5103] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 68.807806][ T5103] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 68.817253][ T5103] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 68.825564][ T5103] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 68.833323][ T5103] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 68.841781][ T5103] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 68.844745][ T5106] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 68.849273][ T5103] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 68.860532][ T5107] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 68.863628][ T5103] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 68.872528][ T5106] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 68.880396][ T5103] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 68.885121][ T5107] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 68.893713][ T5106] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 68.899017][ T5107] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 68.908358][ T5106] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 68.913514][ T5107] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 68.919516][ T5109] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 68.926613][ T5107] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 68.940874][ T5107] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 68.948607][ T5107] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 68.954278][ T5108] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 68.959664][ T5107] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 68.963451][ T5108] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 68.970746][ T5107] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 68.977714][ T5108] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 68.985132][ T5107] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 68.991304][ T5108] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 68.998915][ T5107] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 69.006187][ T5108] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 69.040802][ T5094] ==================================================================
[ 69.048918][ T5094] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x41/0x3b0
[ 69.056706][ T5094] Read of size 4 at addr ffff888029d72364 by task syz-executor/5094
[ 69.064716][ T5094]
[ 69.067077][ T5094] CPU: 0 PID: 5094 Comm: syz-executor Not tainted 6.10.0-rc2-syzkaller-00805-g03922e97bc30 #0
[ 69.077344][ T5094] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 69.087442][ T5094] Call Trace:
[ 69.090748][ T5094]
[ 69.093699][ T5094] dump_stack_lvl+0x241/0x360
[ 69.098412][ T5094] ? __pfx_dump_stack_lvl+0x10/0x10
[ 69.103651][ T5094] ? __pfx__printk+0x10/0x10
[ 69.108276][ T5094] ? _printk+0xd5/0x120
[ 69.112461][ T5094] ? __virt_addr_valid+0x183/0x520
[ 69.117620][ T5094] ? __virt_addr_valid+0x183/0x520
[ 69.122776][ T5094] print_report+0x169/0x550
[ 69.127323][ T5094] ? __virt_addr_valid+0x183/0x520
[ 69.132501][ T5094] ? __virt_addr_valid+0x183/0x520
[ 69.137669][ T5094] ? __virt_addr_valid+0x44e/0x520
[ 69.142818][ T5094] ? __phys_addr+0xba/0x170
[ 69.147360][ T5094] ? kfree_skb_reason+0x41/0x3b0
[ 69.152333][ T5094] kasan_report+0x143/0x180
[ 69.156876][ T5094] ? kfree_skb_reason+0x41/0x3b0
[ 69.161854][ T5094] kasan_check_range+0x282/0x290
[ 69.166829][ T5094] kfree_skb_reason+0x41/0x3b0
[ 69.171620][ T5094] __hci_req_sync+0x62f/0x950
[ 69.176306][ T5094] ? __pfx___hci_req_sync+0x10/0x10
[ 69.181530][ T5094] ? __pfx___mutex_lock+0x10/0x10
[ 69.186581][ T5094] ? __pfx_autoremove_wake_function+0x10/0x10
[ 69.192657][ T5094] ? __pfx_hci_scan_req+0x10/0x10
[ 69.197689][ T5094] hci_req_sync+0xa9/0xd0
[ 69.202026][ T5094] hci_dev_cmd+0x4c5/0xa50
[ 69.206448][ T5094] ? security_capable+0x90/0xb0
[ 69.211317][ T5094] ? __pfx_hci_dev_cmd+0x10/0x10
[ 69.216260][ T5094] ? hci_sock_ioctl+0x6c4/0xa40
[ 69.221116][ T5094] sock_do_ioctl+0x158/0x460
[ 69.225714][ T5094] ? __pfx_sock_do_ioctl+0x10/0x10
[ 69.230838][ T5094] sock_ioctl+0x629/0x8e0
[ 69.235183][ T5094] ? __pfx_sock_ioctl+0x10/0x10
[ 69.240045][ T5094] ? __fget_files+0x29/0x470
[ 69.244647][ T5094] ? __fget_files+0x3f6/0x470
[ 69.249335][ T5094] ? __fget_files+0x29/0x470
[ 69.253935][ T5094] ? bpf_lsm_file_ioctl+0x9/0x10
[ 69.258878][ T5094] ? security_file_ioctl+0x87/0xb0
[ 69.263996][ T5094] ? __pfx_sock_ioctl+0x10/0x10
[ 69.268857][ T5094] __se_sys_ioctl+0xfc/0x170
[ 69.273457][ T5094] do_syscall_64+0xf3/0x230
[ 69.277967][ T5094] ? clear_bhb_loop+0x35/0x90
[ 69.282656][ T5094] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.288567][ T5094] RIP: 0033:0x7f6cd8375b1b
[ 69.292987][ T5094] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 69.312594][ T5094] RSP: 002b:00007ffc32a022c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 69.321045][ T5094] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f6cd8375b1b
[ 69.329018][ T5094] RDX: 00007ffc32a02338 RSI: 00000000400448dd RDI: 0000000000000003
[ 69.336999][ T5094] RBP: 000055557df3a4a8 R08: 0000000000000000 R09: 0000000000000000
[ 69.344972][ T5094] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000004
[ 69.352943][ T5094] R13: 0000000000000004 R14: 0000000000000009 R15: 0000000000000009
[ 69.360922][ T5094]
[ 69.363940][ T5094]
[ 69.366268][ T5094] Allocated by task 5104:
[ 69.370616][ T5094] kasan_save_track+0x3f/0x80
[ 69.375300][ T5094] __kasan_slab_alloc+0x66/0x80
[ 69.380156][ T5094] kmem_cache_alloc_noprof+0x135/0x2a0
[ 69.385616][ T5094] skb_clone+0x20c/0x390
[ 69.389866][ T5094] hci_cmd_work+0x29e/0x670
[ 69.394379][ T5094] process_scheduled_works+0xa2c/0x1830
[ 69.399926][ T5094] worker_thread+0x86d/0xd70
[ 69.404518][ T5094] kthread+0x2f0/0x390
[ 69.408601][ T5094] ret_from_fork+0x4b/0x80
[ 69.413026][ T5094] ret_from_fork_asm+0x1a/0x30
[ 69.417807][ T5094]
[ 69.420130][ T5094] Freed by task 5101:
[ 69.424136][ T5094] kasan_save_track+0x3f/0x80
[ 69.428819][ T5094] kasan_save_free_info+0x40/0x50
[ 69.433850][ T5094] poison_slab_object+0xe0/0x150
[ 69.438796][ T5094] __kasan_slab_free+0x37/0x60
[ 69.443563][ T5094] kmem_cache_free+0x145/0x350
[ 69.448329][ T5094] hci_req_sync_complete+0xe7/0x290
[ 69.453537][ T5094] hci_event_packet+0xc71/0x1540
[ 69.458523][ T5094] hci_rx_work+0x3e8/0xca0
[ 69.462946][ T5094] process_scheduled_works+0xa2c/0x1830
[ 69.468494][ T5094] worker_thread+0x86d/0xd70
[ 69.473088][ T5094] kthread+0x2f0/0x390
[ 69.477162][ T5094] ret_from_fork+0x4b/0x80
[ 69.481586][ T5094] ret_from_fork_asm+0x1a/0x30
[ 69.486357][ T5094]
[ 69.488682][ T5094] The buggy address belongs to the object at ffff888029d72280
[ 69.488682][ T5094] which belongs to the cache skbuff_head_cache of size 240
[ 69.503257][ T5094] The buggy address is located 228 bytes inside of
[ 69.503257][ T5094] freed 240-byte region [ffff888029d72280, ffff888029d72370)
[ 69.517078][ T5094]
[ 69.519400][ T5094] The buggy address belongs to the physical page:
[ 69.525811][ T5094] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x29d72
[ 69.534572][ T5094] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 69.541708][ T5094] page_type: 0xffffefff(slab)
[ 69.546383][ T5094] raw: 00fff00000000000 ffff888018ae0780 dead000000000122 0000000000000000
[ 69.554987][ T5094] raw: 0000000000000000 00000000800c000c 00000001ffffefff 0000000000000000
[ 69.563574][ T5094] page dumped because: kasan: bad access detected
[ 69.570004][ T5094] page_owner tracks the page as allocated
[ 69.575726][ T5094] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5094, tgid 5094 (syz-executor), ts 69039873619, free_ts 69021879919
[ 69.595013][ T5094] post_alloc_hook+0x1f3/0x230
[ 69.599794][ T5094] get_page_from_freelist+0x2e2d/0x2ee0
[ 69.605342][ T5094] __alloc_pages_noprof+0x256/0x6c0
[ 69.610566][ T5094] alloc_slab_page+0x5f/0x120
[ 69.615267][ T5094] allocate_slab+0x5a/0x2e0
[ 69.619789][ T5094] ___slab_alloc+0xcd1/0x14b0
[ 69.624471][ T5094] __slab_alloc+0x58/0xa0
[ 69.628807][ T5094] kmem_cache_alloc_node_noprof+0x1fe/0x320
[ 69.634715][ T5094] __alloc_skb+0x1c3/0x440
[ 69.639153][ T5094] hci_prepare_cmd+0x39/0x300
[ 69.643843][ T5094] hci_req_add_ev+0xac/0x290
[ 69.648440][ T5094] hci_scan_req+0xa0/0x180
[ 69.652866][ T5094] __hci_req_sync+0x1a8/0x950
[ 69.657545][ T5094] hci_req_sync+0xa9/0xd0
[ 69.661872][ T5094] hci_dev_cmd+0x4c5/0xa50
[ 69.666292][ T5094] sock_do_ioctl+0x158/0x460
[ 69.670886][ T5094] page last free pid 5107 tgid 5107 stack trace:
[ 69.677205][ T5094] free_unref_page+0xd22/0xea0
[ 69.681981][ T5094] __put_partials+0xeb/0x130
[ 69.686572][ T5094] put_cpu_partial+0x17c/0x250
[ 69.691339][ T5094] __slab_free+0x2ea/0x3d0
[ 69.695762][ T5094] qlist_free_all+0x9e/0x140
[ 69.700357][ T5094] kasan_quarantine_reduce+0x14f/0x170
[ 69.705820][ T5094] __kasan_slab_alloc+0x23/0x80
[ 69.710698][ T5094] kmalloc_trace_noprof+0x132/0x2c0
[ 69.715919][ T5094] hci_cmd_sync_submit+0xcb/0x2f0
[ 69.720962][ T5094] hci_conn_complete_evt+0xd5b/0x1440
[ 69.726348][ T5094] hci_event_packet+0xac0/0x1540
[ 69.731296][ T5094] hci_rx_work+0x3e8/0xca0
[ 69.735721][ T5094] process_scheduled_works+0xa2c/0x1830
[ 69.741266][ T5094] worker_thread+0x86d/0xd70
[ 69.745858][ T5094] kthread+0x2f0/0x390
[ 69.749934][ T5094] ret_from_fork+0x4b/0x80
[ 69.754361][ T5094]
[ 69.756682][ T5094] Memory state around the buggy address:
[ 69.762310][ T5094] ffff888029d72200: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 69.770383][ T5094] ffff888029d72280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.778457][ T5094] >ffff888029d72300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 69.786523][ T5094] ^
[ 69.793719][ T5094] ffff888029d72380: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 69.801780][ T5094] ffff888029d72400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.809836][ T5094] ==================================================================
[ 69.889480][ T5094] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 69.896724][ T5094] CPU: 0 PID: 5094 Comm: syz-executor Not tainted 6.10.0-rc2-syzkaller-00805-g03922e97bc30 #0
[ 69.906991][ T5094] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 69.917076][ T5094] Call Trace:
[ 69.920380][ T5094]
[ 69.923336][ T5094] dump_stack_lvl+0x241/0x360
[ 69.928047][ T5094] ? __pfx_dump_stack_lvl+0x10/0x10
[ 69.933271][ T5094] ? __pfx__printk+0x10/0x10
[ 69.937890][ T5094] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 69.943908][ T5094] ? vscnprintf+0x5d/0x90
[ 69.948277][ T5094] panic+0x349/0x860
[ 69.952209][ T5094] ? check_panic_on_warn+0x21/0xb0
[ 69.957365][ T5094] ? __pfx_panic+0x10/0x10
[ 69.961818][ T5094] ? _raw_spin_unlock_irqrestore+0x130/0x140
[ 69.967832][ T5094] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 69.974190][ T5094] check_panic_on_warn+0x86/0xb0
[ 69.979174][ T5094] ? kfree_skb_reason+0x41/0x3b0
[ 69.984151][ T5094] end_report+0x77/0x160
[ 69.988432][ T5094] kasan_report+0x154/0x180
[ 69.992983][ T5094] ? kfree_skb_reason+0x41/0x3b0
[ 69.997967][ T5094] kasan_check_range+0x282/0x290
[ 70.002941][ T5094] kfree_skb_reason+0x41/0x3b0
[ 70.007750][ T5094] __hci_req_sync+0x62f/0x950
[ 70.012459][ T5094] ? __pfx___hci_req_sync+0x10/0x10
[ 70.017714][ T5094] ? __pfx___mutex_lock+0x10/0x10
[ 70.022782][ T5094] ? __pfx_autoremove_wake_function+0x10/0x10
[ 70.028882][ T5094] ? __pfx_hci_scan_req+0x10/0x10
[ 70.033939][ T5094] hci_req_sync+0xa9/0xd0
[ 70.038298][ T5094] hci_dev_cmd+0x4c5/0xa50
[ 70.042747][ T5094] ? security_capable+0x90/0xb0
[ 70.047628][ T5094] ? __pfx_hci_dev_cmd+0x10/0x10
[ 70.052605][ T5094] ? hci_sock_ioctl+0x6c4/0xa40
[ 70.057491][ T5094] sock_do_ioctl+0x158/0x460
[ 70.062125][ T5094] ? __pfx_sock_do_ioctl+0x10/0x10
[ 70.067273][ T5094] sock_ioctl+0x629/0x8e0
[ 70.071647][ T5094] ? __pfx_sock_ioctl+0x10/0x10
[ 70.076543][ T5094] ? __fget_files+0x29/0x470
[ 70.081437][ T5094] ? __fget_files+0x3f6/0x470
[ 70.086151][ T5094] ? __fget_files+0x29/0x470
[ 70.090786][ T5094] ? bpf_lsm_file_ioctl+0x9/0x10
[ 70.095758][ T5094] ? security_file_ioctl+0x87/0xb0
[ 70.100905][ T5094] ? __pfx_sock_ioctl+0x10/0x10
[ 70.105800][ T5094] __se_sys_ioctl+0xfc/0x170
[ 70.110429][ T5094] do_syscall_64+0xf3/0x230
[ 70.114966][ T5094] ? clear_bhb_loop+0x35/0x90
[ 70.119686][ T5094] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.125636][ T5094] RIP: 0033:0x7f6cd8375b1b
[ 70.130082][ T5094] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 70.149720][ T5094] RSP: 002b:00007ffc32a022c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 70.158175][ T5094] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f6cd8375b1b
[ 70.166263][ T5094] RDX: 00007ffc32a02338 RSI: 00000000400448dd RDI: 0000000000000003
[ 70.174270][ T5094] RBP: 000055557df3a4a8 R08: 0000000000000000 R09: 0000000000000000
[ 70.182248][ T5094] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000004
[ 70.190220][ T5094] R13: 0000000000000004 R14: 0000000000000009 R15: 0000000000000009
[ 70.198205][ T5094]
[ 70.201471][ T5094] Kernel Offset: disabled
[ 70.205796][ T5094] Rebooting in 86400 seconds..