last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.1.48' (ED25519) to the list of known hosts.
[ 56.290141][ T3538] cgroup: Unknown subsys name 'net'
[ 56.430543][ T3538] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 57.938366][ T3538] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k FS
[ 59.157056][ T3563] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 59.158079][ T3564] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 59.167054][ T3563] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 59.172960][ T3564] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 59.179367][ T3563] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 59.187144][ T3564] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 59.193917][ T3563] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 59.200351][ T3564] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 59.208032][ T3563] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 59.215248][ T3564] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 59.221782][ T3563] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 59.228082][ T3564] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 59.243188][ T3563] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 59.243399][ T3564] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 59.250364][ T3563] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 59.258998][ T3564] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 59.272120][ T3563] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 59.272828][ T3564] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 59.287336][ T3564] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 59.287893][ T3563] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 59.296595][ T3565] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 59.303142][ T3563] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 59.315888][ T3563] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 59.317827][ T3564] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 59.330304][ T3564] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 59.330977][ T3563] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 59.337973][ T3564] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 59.351762][ T3563] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 59.352585][ T3565] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 59.368945][ T3556] ==================================================================
[ 59.377033][ T3556] BUG: KASAN: use-after-free in kfree_skb_reason+0x3d/0x390
[ 59.384452][ T3556] Read of size 4 at addr ffff888060b66864 by task syz-executor/3556
[ 59.392439][ T3556]
[ 59.394780][ T3556] CPU: 0 PID: 3556 Comm: syz-executor Not tainted 6.1.97-syzkaller #0
[ 59.402985][ T3556] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 59.413071][ T3556] Call Trace:
[ 59.416372][ T3556]
[ 59.419324][ T3556] dump_stack_lvl+0x1e3/0x2cb
[ 59.424029][ T3556] ? nf_tcp_handle_invalid+0x642/0x642
[ 59.429700][ T3556] ? panic+0x764/0x764
[ 59.433772][ T3556] ? _printk+0xd1/0x111
[ 59.437928][ T3556] ? __virt_addr_valid+0x17f/0x520
[ 59.443064][ T3556] ? __virt_addr_valid+0x17f/0x520
[ 59.448185][ T3556] print_report+0x15f/0x4f0
[ 59.452692][ T3556] ? __virt_addr_valid+0x17f/0x520
[ 59.457808][ T3556] ? __virt_addr_valid+0x17f/0x520
[ 59.462932][ T3556] ? __virt_addr_valid+0x44a/0x520
[ 59.468056][ T3556] ? __phys_addr+0xb6/0x170
[ 59.472565][ T3556] ? kfree_skb_reason+0x3d/0x390
[ 59.477532][ T3556] kasan_report+0x136/0x160
[ 59.482037][ T3556] ? kfree_skb_reason+0x3d/0x390
[ 59.486998][ T3556] kasan_check_range+0x27f/0x290
[ 59.491992][ T3556] kfree_skb_reason+0x3d/0x390
[ 59.496779][ T3556] __hci_req_sync+0x626/0x940
[ 59.501493][ T3556] ? trace_contention_end+0x61/0x170
[ 59.506818][ T3556] ? hci_req_sync_complete+0x280/0x280
[ 59.512325][ T3556] ? mutex_lock_nested+0x10/0x10
[ 59.517283][ T3556] ? wake_bit_function+0x210/0x210
[ 59.522409][ T3556] ? hci_encrypt_req+0x170/0x170
[ 59.527397][ T3556] hci_req_sync+0xa5/0xc0
[ 59.531746][ T3556] hci_dev_cmd+0x2fc/0xa30
[ 59.536196][ T3556] ? security_capable+0x86/0xb0
[ 59.541073][ T3556] ? hci_dev_reset_stat+0x1a0/0x1a0
[ 59.546297][ T3556] ? hci_sock_ioctl+0x426/0x850
[ 59.551217][ T3556] sock_do_ioctl+0x152/0x450
[ 59.555830][ T3556] ? sock_show_fdinfo+0xb0/0xb0
[ 59.560694][ T3556] ? __fget_files+0x28/0x4a0
[ 59.565303][ T3556] sock_ioctl+0x47f/0x770
[ 59.569638][ T3556] ? sock_poll+0x410/0x410
[ 59.574054][ T3556] ? __fget_files+0x28/0x4a0
[ 59.578645][ T3556] ? __fget_files+0x435/0x4a0
[ 59.583322][ T3556] ? __fget_files+0x28/0x4a0
[ 59.587919][ T3556] ? bpf_lsm_file_ioctl+0x5/0x10
[ 59.592862][ T3556] ? security_file_ioctl+0x7d/0xa0
[ 59.598061][ T3556] ? sock_poll+0x410/0x410
[ 59.602480][ T3556] __se_sys_ioctl+0xf1/0x160
[ 59.607083][ T3556] do_syscall_64+0x3b/0xb0
[ 59.611512][ T3556] ? clear_bhb_loop+0x45/0xa0
[ 59.616201][ T3556] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 59.622098][ T3556] RIP: 0033:0x7f22321757db
[ 59.626519][ T3556] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 59.646127][ T3556] RSP: 002b:00007fff5d9ea2b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 59.654539][ T3556] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f22321757db
[ 59.662508][ T3556] RDX: 00007fff5d9ea328 RSI: 00000000400448dd RDI: 0000000000000003
[ 59.670476][ T3556] RBP: 00005555560fb4a8 R08: 0000000000000000 R09: 0000000000000000
[ 59.678465][ T3556] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000003
[ 59.686433][ T3556] R13: 0000000000000003 R14: 0000000000000009 R15: 0000000000000009
[ 59.694409][ T3556]
[ 59.697429][ T3556]
[ 59.699748][ T3556] Allocated by task 3558:
[ 59.704066][ T3556] kasan_set_track+0x4b/0x70
[ 59.708666][ T3556] __kasan_slab_alloc+0x65/0x70
[ 59.713508][ T3556] slab_post_alloc_hook+0x52/0x3a0
[ 59.718617][ T3556] kmem_cache_alloc+0x10c/0x2d0
[ 59.723468][ T3556] skb_clone+0x1e5/0x360
[ 59.727711][ T3556] hci_cmd_work+0x296/0x660
[ 59.732208][ T3556] process_one_work+0x8a9/0x11d0
[ 59.737143][ T3556] worker_thread+0xa47/0x1200
[ 59.741819][ T3556] kthread+0x28d/0x320
[ 59.745884][ T3556] ret_from_fork+0x1f/0x30
[ 59.750298][ T3556]
[ 59.752614][ T3556] Freed by task 3555:
[ 59.756602][ T3556] kasan_set_track+0x4b/0x70
[ 59.761205][ T3556] kasan_save_free_info+0x27/0x40
[ 59.766230][ T3556] ____kasan_slab_free+0xd6/0x120
[ 59.771262][ T3556] kmem_cache_free+0x292/0x510
[ 59.776034][ T3556] hci_req_sync_complete+0xee/0x280
[ 59.781256][ T3556] hci_event_packet+0xc49/0x1510
[ 59.786197][ T3556] hci_rx_work+0x3cd/0xce0
[ 59.790613][ T3556] process_one_work+0x8a9/0x11d0
[ 59.795566][ T3556] worker_thread+0xa47/0x1200
[ 59.800246][ T3556] kthread+0x28d/0x320
[ 59.804311][ T3556] ret_from_fork+0x1f/0x30
[ 59.808729][ T3556]
[ 59.811046][ T3556] The buggy address belongs to the object at ffff888060b66780
[ 59.811046][ T3556] which belongs to the cache skbuff_head_cache of size 240
[ 59.825618][ T3556] The buggy address is located 228 bytes inside of
[ 59.825618][ T3556] 240-byte region [ffff888060b66780, ffff888060b66870)
[ 59.838886][ T3556]
[ 59.841227][ T3556] The buggy address belongs to the physical page:
[ 59.847640][ T3556] page:ffffea000182d980 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x60b66
[ 59.857884][ T3556] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 59.865442][ T3556] raw: 00fff00000000200 0000000000000000 dead000000000122 ffff888014e4d500
[ 59.874035][ T3556] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 59.882623][ T3556] page dumped because: kasan: bad access detected
[ 59.889032][ T3556] page_owner tracks the page as allocated
[ 59.894741][ T3556] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 3559, tgid 3550 (syz-executor), ts 59367759592, free_ts 16977354267
[ 59.913152][ T3556] post_alloc_hook+0x18d/0x1b0
[ 59.917916][ T3556] get_page_from_freelist+0x322e/0x33b0
[ 59.923461][ T3556] __alloc_pages+0x28d/0x770
[ 59.928051][ T3556] alloc_slab_page+0x6a/0x150
[ 59.932748][ T3556] new_slab+0x84/0x2d0
[ 59.936819][ T3556] ___slab_alloc+0xc20/0x1270
[ 59.941498][ T3556] kmem_cache_alloc_node+0x1cf/0x310
[ 59.946806][ T3556] __alloc_skb+0xde/0x670
[ 59.951141][ T3556] vhci_write+0xbc/0x440
[ 59.955388][ T3556] do_iter_write+0x6e6/0xc50
[ 59.960022][ T3556] do_writev+0x27b/0x460
[ 59.964267][ T3556] do_syscall_64+0x3b/0xb0
[ 59.968692][ T3556] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 59.974614][ T3556] page last free stack trace:
[ 59.979278][ T3556] free_unref_page_prepare+0xf63/0x1120
[ 59.984822][ T3556] free_unref_page+0x33/0x3e0
[ 59.989503][ T3556] free_contig_range+0x9a/0x150
[ 59.994353][ T3556] destroy_args+0xfe/0x997
[ 59.998802][ T3556] debug_vm_pgtable+0x416/0x46b
[ 60.003668][ T3556] do_one_initcall+0x265/0x8f0
[ 60.008446][ T3556] do_initcall_level+0x157/0x207
[ 60.013401][ T3556] do_initcalls+0x49/0x86
[ 60.017739][ T3556] kernel_init_freeable+0x45c/0x60f
[ 60.022946][ T3556] kernel_init+0x19/0x290
[ 60.027286][ T3556] ret_from_fork+0x1f/0x30
[ 60.031711][ T3556]
[ 60.034032][ T3556] Memory state around the buggy address:
[ 60.039656][ T3556] ffff888060b66700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 60.047715][ T3556] ffff888060b66780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.055784][ T3556] >ffff888060b66800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 60.063843][ T3556] ^
[ 60.071050][ T3556] ffff888060b66880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 60.079120][ T3556] ffff888060b66900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.087177][ T3556] ==================================================================
[ 60.098393][ T3565] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 60.122216][ T3556] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 60.129447][ T3556] CPU: 0 PID: 3556 Comm: syz-executor Not tainted 6.1.97-syzkaller #0
[ 60.137614][ T3556] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 60.147692][ T3556] Call Trace:
[ 60.150995][ T3556]
[ 60.153941][ T3556] dump_stack_lvl+0x1e3/0x2cb
[ 60.158669][ T3556] ? nf_tcp_handle_invalid+0x642/0x642
[ 60.164163][ T3556] ? panic+0x764/0x764
[ 60.168254][ T3556] ? preempt_schedule_common+0xa6/0xd0
[ 60.173823][ T3556] ? vscnprintf+0x59/0x80
[ 60.178177][ T3556] panic+0x318/0x764
[ 60.182095][ T3556] ? check_panic_on_warn+0x1d/0xa0
[ 60.187233][ T3556] ? memcpy_page_flushcache+0xfc/0xfc
[ 60.192647][ T3556] ? _raw_spin_unlock_irqrestore+0x128/0x130
[ 60.198658][ T3556] ? _raw_spin_unlock+0x40/0x40
[ 60.203567][ T3556] ? print_report+0x4a3/0x4f0
[ 60.208268][ T3556] check_panic_on_warn+0x7e/0xa0
[ 60.213231][ T3556] ? kfree_skb_reason+0x3d/0x390
[ 60.218203][ T3556] end_report+0x66/0x110
[ 60.222463][ T3556] kasan_report+0x143/0x160
[ 60.227249][ T3556] ? kfree_skb_reason+0x3d/0x390
[ 60.232220][ T3556] kasan_check_range+0x27f/0x290
[ 60.237178][ T3556] kfree_skb_reason+0x3d/0x390
[ 60.241980][ T3556] __hci_req_sync+0x626/0x940
[ 60.246700][ T3556] ? trace_contention_end+0x61/0x170
[ 60.252013][ T3556] ? hci_req_sync_complete+0x280/0x280
[ 60.257506][ T3556] ? mutex_lock_nested+0x10/0x10
[ 60.262463][ T3556] ? wake_bit_function+0x210/0x210
[ 60.267777][ T3556] ? hci_encrypt_req+0x170/0x170
[ 60.272746][ T3556] hci_req_sync+0xa5/0xc0
[ 60.277098][ T3556] hci_dev_cmd+0x2fc/0xa30
[ 60.281539][ T3556] ? security_capable+0x86/0xb0
[ 60.286443][ T3556] ? hci_dev_reset_stat+0x1a0/0x1a0
[ 60.291674][ T3556] ? hci_sock_ioctl+0x426/0x850
[ 60.296553][ T3556] sock_do_ioctl+0x152/0x450
[ 60.301182][ T3556] ? sock_show_fdinfo+0xb0/0xb0
[ 60.306084][ T3556] ? __fget_files+0x28/0x4a0
[ 60.310704][ T3556] sock_ioctl+0x47f/0x770
[ 60.315083][ T3556] ? sock_poll+0x410/0x410
[ 60.319540][ T3556] ? __fget_files+0x28/0x4a0
[ 60.324149][ T3556] ? __fget_files+0x435/0x4a0
[ 60.328886][ T3556] ? __fget_files+0x28/0x4a0
[ 60.333500][ T3556] ? bpf_lsm_file_ioctl+0x5/0x10
[ 60.338462][ T3556] ? security_file_ioctl+0x7d/0xa0
[ 60.343595][ T3556] ? sock_poll+0x410/0x410
[ 60.348046][ T3556] __se_sys_ioctl+0xf1/0x160
[ 60.352673][ T3556] do_syscall_64+0x3b/0xb0
[ 60.357118][ T3556] ? clear_bhb_loop+0x45/0xa0
[ 60.361826][ T3556] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 60.367748][ T3556] RIP: 0033:0x7f22321757db
[ 60.372178][ T3556] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 60.391885][ T3556] RSP: 002b:00007fff5d9ea2b0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 60.400306][ T3556] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f22321757db
[ 60.408276][ T3556] RDX: 00007fff5d9ea328 RSI: 00000000400448dd RDI: 0000000000000003
[ 60.416244][ T3556] RBP: 00005555560fb4a8 R08: 0000000000000000 R09: 0000000000000000
[ 60.424209][ T3556] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000003
[ 60.432194][ T3556] R13: 0000000000000003 R14: 0000000000000009 R15: 0000000000000009
[ 60.440180][ T3556]
[ 60.443464][ T3556] Kernel Offset: disabled
[ 60.447787][ T3556] Rebooting in 86400 seconds..