last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.0.54' (ED25519) to the list of known hosts.
[   63.615529][ T3539] cgroup: Unknown subsys name 'net'
[   63.748715][ T3539] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   65.264155][ T3539] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k FS
[   65.935000][ T3563] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   65.935432][ T3564] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   65.943905][ T3563] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   65.951146][ T3564] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[   65.957953][ T3563] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   65.965378][ T3564] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[   65.973521][ T3563] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   65.978786][ T3564] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[   65.986010][ T3563] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   65.992992][ T3564] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[   66.000587][ T3563] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   66.006563][ T3564] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[   66.015110][ T3563] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[   66.021173][ T3564] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   66.027786][ T3563] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   66.041739][ T3565] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[   66.043452][ T3563] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[   66.049852][ T3565] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[   66.056669][ T3563] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   66.063528][ T3565] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[   66.070734][ T3563] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[   66.079115][ T3565] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[   66.084418][ T3563] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[   66.091847][ T3565] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[   66.123076][ T3563] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[   66.126361][ T3565] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[   66.137481][ T3563] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[   66.145364][ T3553] ==================================================================
[   66.153550][ T3553] BUG: KASAN: use-after-free in kfree_skb_reason+0x3d/0x390
[   66.160986][ T3553] Read of size 4 at addr ffff8880612bd9a4 by task syz-executor/3553
[   66.169034][ T3553] 
[   66.171387][ T3553] CPU: 0 PID: 3553 Comm: syz-executor Not tainted 6.1.94-syzkaller #0
[   66.179566][ T3553] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[   66.189664][ T3553] Call Trace:
[   66.192963][ T3553]  <TASK>
[   66.195919][ T3553]  dump_stack_lvl+0x1e3/0x2cb
[   66.200652][ T3553]  ? nf_tcp_handle_invalid+0x642/0x642
[   66.203057][ T3566] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[   66.206139][ T3553]  ? panic+0x764/0x764
[   66.206169][ T3553]  ? _printk+0xd1/0x111
[   66.213864][ T3566] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[   66.217150][ T3553]  ? __virt_addr_valid+0x17f/0x520
[   66.217184][ T3553]  ? __virt_addr_valid+0x17f/0x520
[   66.221750][ T3566] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[   66.228258][ T3553]  print_report+0x15f/0x4f0
[   66.228286][ T3553]  ? __virt_addr_valid+0x17f/0x520
[   66.228313][ T3553]  ? __virt_addr_valid+0x17f/0x520
[   66.260536][ T3553]  ? __virt_addr_valid+0x44a/0x520
[   66.265699][ T3553]  ? __phys_addr+0xb6/0x170
[   66.270250][ T3553]  ? kfree_skb_reason+0x3d/0x390
[   66.275235][ T3553]  kasan_report+0x136/0x160
[   66.279782][ T3553]  ? kfree_skb_reason+0x3d/0x390
[   66.284774][ T3553]  kasan_check_range+0x27f/0x290
[   66.289750][ T3553]  kfree_skb_reason+0x3d/0x390
[   66.294653][ T3553]  __hci_req_sync+0x626/0x940
[   66.299456][ T3553]  ? trace_contention_end+0x61/0x170
[   66.304785][ T3553]  ? hci_req_sync_complete+0x280/0x280
[   66.310288][ T3553]  ? mutex_lock_nested+0x10/0x10
[   66.315270][ T3553]  ? wake_bit_function+0x210/0x210
[   66.320442][ T3553]  ? hci_encrypt_req+0x170/0x170
[   66.325427][ T3553]  hci_req_sync+0xa5/0xc0
[   66.329802][ T3553]  hci_dev_cmd+0x2fc/0xa30
[   66.334268][ T3553]  ? security_capable+0x86/0xb0
[   66.339169][ T3553]  ? hci_dev_reset_stat+0x1a0/0x1a0
[   66.344412][ T3553]  ? hci_sock_ioctl+0x426/0x850
[   66.349304][ T3553]  sock_do_ioctl+0x152/0x450
[   66.353944][ T3553]  ? sock_show_fdinfo+0xb0/0xb0
[   66.358923][ T3553]  ? __fget_files+0x28/0x4a0
[   66.363557][ T3553]  sock_ioctl+0x47f/0x770
[   66.368078][ T3553]  ? sock_poll+0x410/0x410
[   66.372519][ T3553]  ? __fget_files+0x28/0x4a0
[   66.377116][ T3553]  ? __fget_files+0x435/0x4a0
[   66.381801][ T3553]  ? __fget_files+0x28/0x4a0
[   66.386401][ T3553]  ? bpf_lsm_file_ioctl+0x5/0x10
[   66.391347][ T3553]  ? security_file_ioctl+0x7d/0xa0
[   66.396477][ T3553]  ? sock_poll+0x410/0x410
[   66.400918][ T3553]  __se_sys_ioctl+0xf1/0x160
[   66.405537][ T3553]  do_syscall_64+0x3b/0xb0
[   66.409972][ T3553]  ? clear_bhb_loop+0x45/0xa0
[   66.414662][ T3553]  entry_SYSCALL_64_after_hwframe+0x68/0xd2
[   66.420582][ T3553] RIP: 0033:0x7f25abf7593b
[   66.425362][ T3553] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[   66.445007][ T3553] RSP: 002b:00007ffc0d991e20 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   66.453539][ T3553] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f25abf7593b
[   66.461538][ T3553] RDX: 00007ffc0d991e98 RSI: 00000000400448dd RDI: 0000000000000003
[   66.469515][ T3553] RBP: 000055555703b4a8 R08: 0000000000000000 R09: 0000000000000000
[   66.477489][ T3553] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000004
[   66.485597][ T3553] R13: 0000000000000004 R14: 0000000000000009 R15: 0000000000000009
[   66.493586][ T3553]  </TASK>
[   66.496608][ T3553] 
[   66.498957][ T3553] Allocated by task 48:
[   66.503108][ T3553]  kasan_set_track+0x4b/0x70
[   66.507717][ T3553]  __kasan_slab_alloc+0x65/0x70
[   66.512580][ T3553]  slab_post_alloc_hook+0x52/0x3a0
[   66.517796][ T3553]  kmem_cache_alloc+0x10c/0x2d0
[   66.522656][ T3553]  skb_clone+0x1e5/0x360
[   66.526902][ T3553]  hci_cmd_work+0x296/0x660
[   66.531410][ T3553]  process_one_work+0x8a9/0x11d0
[   66.536355][ T3553]  worker_thread+0xa47/0x1200
[   66.541050][ T3553]  kthread+0x28d/0x320
[   66.545123][ T3553]  ret_from_fork+0x1f/0x30
[   66.549546][ T3553] 
[   66.551875][ T3553] Freed by task 3566:
[   66.555850][ T3553]  kasan_set_track+0x4b/0x70
[   66.560452][ T3553]  kasan_save_free_info+0x27/0x40
[   66.565573][ T3553]  ____kasan_slab_free+0xd6/0x120
[   66.570615][ T3553]  kmem_cache_free+0x292/0x510
[   66.575413][ T3553]  hci_req_sync_complete+0xee/0x280
[   66.580640][ T3553]  hci_event_packet+0xc49/0x1510
[   66.585597][ T3553]  hci_rx_work+0x3cd/0xce0
[   66.590020][ T3553]  process_one_work+0x8a9/0x11d0
[   66.594964][ T3553]  worker_thread+0xa47/0x1200
[   66.599647][ T3553]  kthread+0x28d/0x320
[   66.603722][ T3553]  ret_from_fork+0x1f/0x30
[   66.608152][ T3553] 
[   66.610477][ T3553] The buggy address belongs to the object at ffff8880612bd8c0
[   66.610477][ T3553]  which belongs to the cache skbuff_head_cache of size 240
[   66.625315][ T3553] The buggy address is located 228 bytes inside of
[   66.625315][ T3553]  240-byte region [ffff8880612bd8c0, ffff8880612bd9b0)
[   66.638610][ T3553] 
[   66.641026][ T3553] The buggy address belongs to the physical page:
[   66.647458][ T3553] page:ffffea000184af40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x612bd
[   66.657880][ T3553] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[   66.665447][ T3553] raw: 00fff00000000200 0000000000000000 dead000000000122 ffff888140a73000
[   66.674039][ T3553] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[   66.682651][ T3553] page dumped because: kasan: bad access detected
[   66.689157][ T3553] page_owner tracks the page as allocated
[   66.695392][ T3553] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 3563, tgid 3563 (kworker/u5:5), ts 66137292686, free_ts 18789312315
[   66.713907][ T3553]  post_alloc_hook+0x18d/0x1b0
[   66.718684][ T3553]  get_page_from_freelist+0x31a1/0x3320
[   66.724331][ T3553]  __alloc_pages+0x28d/0x770
[   66.728925][ T3553]  alloc_slab_page+0x6a/0x150
[   66.733613][ T3553]  new_slab+0x84/0x2d0
[   66.737688][ T3553]  ___slab_alloc+0xc20/0x1270
[   66.742375][ T3553]  kmem_cache_alloc+0x1a5/0x2d0
[   66.747246][ T3553]  skb_clone+0x1e5/0x360
[   66.751515][ T3553]  hci_cmd_work+0xd8/0x660
[   66.755965][ T3553]  process_one_work+0x8a9/0x11d0
[   66.760926][ T3553]  worker_thread+0xa47/0x1200
[   66.765607][ T3553]  kthread+0x28d/0x320
[   66.769696][ T3553]  ret_from_fork+0x1f/0x30
[   66.774120][ T3553] page last free stack trace:
[   66.778814][ T3553]  free_unref_page_prepare+0xf63/0x1120
[   66.784370][ T3553]  free_unref_page+0x33/0x3e0
[   66.789047][ T3553]  free_contig_range+0x9a/0x150
[   66.793902][ T3553]  destroy_args+0xfe/0x997
[   66.798358][ T3553]  debug_vm_pgtable+0x416/0x46b
[   66.803221][ T3553]  do_one_initcall+0x265/0x8f0
[   66.807993][ T3553]  do_initcall_level+0x157/0x207
[   66.812935][ T3553]  do_initcalls+0x49/0x86
[   66.817266][ T3553]  kernel_init_freeable+0x45c/0x60f
[   66.822471][ T3553]  kernel_init+0x19/0x290
[   66.826810][ T3553]  ret_from_fork+0x1f/0x30
[   66.831415][ T3553] 
[   66.833745][ T3553] Memory state around the buggy address:
[   66.839460][ T3553]  ffff8880612bd880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   66.847525][ T3553]  ffff8880612bd900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   66.855593][ T3553] >ffff8880612bd980: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[   66.863653][ T3553]                                ^
[   66.868760][ T3553]  ffff8880612bda00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   66.876847][ T3553]  ffff8880612bda80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   66.884947][ T3553] ==================================================================
[   66.895039][ T3553] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   66.902281][ T3553] CPU: 0 PID: 3553 Comm: syz-executor Not tainted 6.1.94-syzkaller #0
[   66.910456][ T3553] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[   66.920556][ T3553] Call Trace:
[   66.923841][ T3553]  <TASK>
[   66.926772][ T3553]  dump_stack_lvl+0x1e3/0x2cb
[   66.931470][ T3553]  ? nf_tcp_handle_invalid+0x642/0x642
[   66.936945][ T3553]  ? panic+0x764/0x764
[   66.941019][ T3553]  ? preempt_schedule_common+0xa6/0xd0
[   66.946484][ T3553]  ? vscnprintf+0x59/0x80
[   66.950824][ T3553]  panic+0x318/0x764
[   66.954727][ T3553]  ? check_panic_on_warn+0x1d/0xa0
[   66.959849][ T3553]  ? memcpy_page_flushcache+0xfc/0xfc
[   66.965228][ T3553]  ? _raw_spin_unlock_irqrestore+0x128/0x130
[   66.971221][ T3553]  ? _raw_spin_unlock+0x40/0x40
[   66.976082][ T3553]  ? print_report+0x4a3/0x4f0
[   66.980768][ T3553]  check_panic_on_warn+0x7e/0xa0
[   66.985723][ T3553]  ? kfree_skb_reason+0x3d/0x390
[   66.990674][ T3553]  end_report+0x66/0x110
[   66.994917][ T3553]  kasan_report+0x143/0x160
[   66.999423][ T3553]  ? kfree_skb_reason+0x3d/0x390
[   67.004383][ T3553]  kasan_check_range+0x27f/0x290
[   67.009326][ T3553]  kfree_skb_reason+0x3d/0x390
[   67.014111][ T3553]  __hci_req_sync+0x626/0x940
[   67.018796][ T3553]  ? trace_contention_end+0x61/0x170
[   67.024095][ T3553]  ? hci_req_sync_complete+0x280/0x280
[   67.029563][ T3553]  ? mutex_lock_nested+0x10/0x10
[   67.034511][ T3553]  ? wake_bit_function+0x210/0x210
[   67.039636][ T3553]  ? hci_encrypt_req+0x170/0x170
[   67.044583][ T3553]  hci_req_sync+0xa5/0xc0
[   67.048924][ T3553]  hci_dev_cmd+0x2fc/0xa30
[   67.053357][ T3553]  ? security_capable+0x86/0xb0
[   67.058223][ T3553]  ? hci_dev_reset_stat+0x1a0/0x1a0
[   67.063436][ T3553]  ? hci_sock_ioctl+0x426/0x850
[   67.068294][ T3553]  sock_do_ioctl+0x152/0x450
[   67.072891][ T3553]  ? sock_show_fdinfo+0xb0/0xb0
[   67.077748][ T3553]  ? __fget_files+0x28/0x4a0
[   67.082346][ T3553]  sock_ioctl+0x47f/0x770
[   67.086690][ T3553]  ? sock_poll+0x410/0x410
[   67.091107][ T3553]  ? __fget_files+0x28/0x4a0
[   67.095713][ T3553]  ? __fget_files+0x435/0x4a0
[   67.100395][ T3553]  ? __fget_files+0x28/0x4a0
[   67.105080][ T3553]  ? bpf_lsm_file_ioctl+0x5/0x10
[   67.110029][ T3553]  ? security_file_ioctl+0x7d/0xa0
[   67.115164][ T3553]  ? sock_poll+0x410/0x410
[   67.119598][ T3553]  __se_sys_ioctl+0xf1/0x160
[   67.124221][ T3553]  do_syscall_64+0x3b/0xb0
[   67.128663][ T3553]  ? clear_bhb_loop+0x45/0xa0
[   67.133364][ T3553]  entry_SYSCALL_64_after_hwframe+0x68/0xd2
[   67.139271][ T3553] RIP: 0033:0x7f25abf7593b
[   67.143693][ T3553] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[   67.163408][ T3553] RSP: 002b:00007ffc0d991e20 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   67.171835][ T3553] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f25abf7593b
[   67.179901][ T3553] RDX: 00007ffc0d991e98 RSI: 00000000400448dd RDI: 0000000000000003
[   67.187878][ T3553] RBP: 000055555703b4a8 R08: 0000000000000000 R09: 0000000000000000
[   67.195852][ T3553] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000004
[   67.203917][ T3553] R13: 0000000000000004 R14: 0000000000000009 R15: 0000000000000009
[   67.211925][ T3553]  </TASK>
[   67.215192][ T3553] Kernel Offset: disabled
[   67.219610][ T3553] Rebooting in 86400 seconds..