last executing test programs: kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.0.22' (ED25519) to the list of known hosts.
1970/01/01 00:00:35 fuzzer started
1970/01/01 00:00:35 dialing manager at 10.128.0.163:30026
[   36.159320][ T4228] cgroup: Unknown subsys name 'net'
[   36.287676][ T4230] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k SSFS
[   36.381680][ T4228] cgroup: Unknown subsys name 'rlimit'
1970/01/01 00:00:36 starting 5 executor processes
[   37.058240][ T4258] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   37.061203][ T4260] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   37.063330][ T4260] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   37.066979][ T4260] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[   37.067800][ T4264] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   37.069243][ T4260] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   37.071496][ T4264] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[   37.073263][ T4260] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   37.075446][ T4264] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[   37.077578][ T4260] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   37.079265][ T4264] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[   37.080546][ T4260] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[   37.082750][ T4264] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   37.084264][ T4260] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[   37.086632][ T4264] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[   37.091225][ T4265] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   37.091334][ T4264] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[   37.093201][ T4265] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[   37.095414][ T4264] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[   37.097549][ T4265] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[   37.099747][ T4264] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[   37.101823][ T4265] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[   37.103551][ T4264] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[   37.105158][ T4265] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[   37.106731][ T4264] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[   37.108972][ T4265] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[   37.110521][ T4264] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[   37.111861][ T4265] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[   37.117013][ T4264] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[   37.117102][ T4265] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   37.133458][ T4250] ==================================================================
[   37.135586][ T4250] BUG: KASAN: use-after-free in skb_release_data+0x5a4/0x6b0
[   37.137467][ T4250] Read of size 1 at addr ffff0000edc1ea7e by task syz-executor.1/4250
[   37.139592][ T4250] 
[   37.140200][ T4250] CPU: 1 PID: 4250 Comm: syz-executor.1 Not tainted 6.1.92-syzkaller #0
[   37.142311][ T4250] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
[   37.144962][ T4250] Call trace:
1970/01/01 00:00:37 SYZFATAL: failed to recv *flatrpc.HostMessageRaw: EOF
[   37.145796][ T4250]  dump_backtrace+0x1c8/0x1f4
[   37.147025][ T4250]  show_stack+0x2c/0x3c
[   37.148141][ T4250]  dump_stack_lvl+0x108/0x170
[   37.149437][ T4250]  print_report+0x174/0x4c0
[   37.150598][ T4250]  kasan_report+0xd4/0x130
[   37.151736][ T4250]  __asan_report_load1_noabort+0x2c/0x38
[   37.153222][ T4250]  skb_release_data+0x5a4/0x6b0
[   37.154483][ T4250]  kfree_skb_reason+0x1a4/0x47c
[   37.155778][ T4250]  __hci_req_sync+0x4fc/0x7ac
[   37.156998][ T4250]  hci_req_sync+0xa4/0xd0
[   37.158142][ T4250]  hci_dev_cmd+0x330/0x90c
[   37.159317][ T4250]  hci_sock_ioctl+0x4b8/0x82c
[   37.160486][ T4250]  sock_do_ioctl+0x134/0x2dc
[   37.161710][ T4250]  sock_ioctl+0x4ec/0x858
[   37.162859][ T4250]  __arm64_sys_ioctl+0x14c/0x1c8
[   37.164112][ T4250]  invoke_syscall+0x98/0x2c0
[   37.165320][ T4250]  el0_svc_common+0x138/0x258
[   37.166513][ T4250]  do_el0_svc+0x64/0x218
[   37.167579][ T4250]  el0_svc+0x58/0x168
[   37.168635][ T4250]  el0t_64_sync_handler+0x84/0xf0
[   37.170013][ T4250]  el0t_64_sync+0x18c/0x190
[   37.171181][ T4250] 
[   37.171737][ T4250] Allocated by task 4264:
[   37.172861][ T4250]  kasan_set_track+0x4c/0x80
[   37.174043][ T4250]  kasan_save_alloc_info+0x24/0x30
[   37.175387][ T4250]  __kasan_slab_alloc+0x74/0x8c
[   37.176711][ T4250]  slab_post_alloc_hook+0x74/0x458
[   37.178065][ T4250]  kmem_cache_alloc+0x230/0x37c
[   37.179365][ T4250]  skb_clone+0x19c/0x304
[   37.180468][ T4250]  hci_cmd_work+0x174/0x568
[   37.181645][ T4250]  process_one_work+0x7ac/0x1404
[   37.182930][ T4250]  worker_thread+0x8e4/0xfec
[   37.184100][ T4250]  kthread+0x250/0x2d8
[   37.185204][ T4250]  ret_from_fork+0x10/0x20
[   37.186379][ T4250] 
[   37.186970][ T4250] Freed by task 4266:
[   37.188019][ T4250]  kasan_set_track+0x4c/0x80
[   37.189175][ T4250]  kasan_save_free_info+0x38/0x5c
[   37.190440][ T4250]  ____kasan_slab_free+0x144/0x1c0
[   37.191781][ T4250]  __kasan_slab_free+0x18/0x28
[   37.193038][ T4250]  kmem_cache_free+0x2f0/0x588
[   37.194312][ T4250]  kfree_skbmem+0x10c/0x19c
[   37.195486][ T4250]  kfree_skb_reason+0x1ac/0x47c
[   37.196744][ T4250]  hci_req_sync_complete+0xcc/0x258
[   37.198145][ T4250]  hci_event_packet+0xbd4/0x109c
[   37.199388][ T4250]  hci_rx_work+0x318/0xa68
[   37.200574][ T4250]  process_one_work+0x7ac/0x1404
[   37.201876][ T4250]  worker_thread+0x8e4/0xfec
[   37.203151][ T4250]  kthread+0x250/0x2d8
[   37.204248][ T4250]  ret_from_fork+0x10/0x20
[   37.205361][ T4250] 
[   37.206003][ T4250] The buggy address belongs to the object at ffff0000edc1ea00
[   37.206003][ T4250]  which belongs to the cache skbuff_head_cache of size 240
[   37.209850][ T4250] The buggy address is located 126 bytes inside of
[   37.209850][ T4250]  240-byte region [ffff0000edc1ea00, ffff0000edc1eaf0)
[   37.213338][ T4250] 
[   37.213966][ T4250] The buggy address belongs to the physical page:
[   37.215622][ T4250] page:000000005267f727 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12dc1e
[   37.218408][ T4250] flags: 0x5ffc00000000200(slab|node=0|zone=2|lastcpupid=0x7ff)
[   37.220411][ T4250] raw: 05ffc00000000200 0000000000000000 dead000000000122 ffff0000c0b72600
[   37.222618][ T4250] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[   37.224851][ T4250] page dumped because: kasan: bad access detected
[   37.226574][ T4250] 
[   37.227217][ T4250] Memory state around the buggy address:
[   37.228684][ T4250]  ffff0000edc1e900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   37.230840][ T4250]  ffff0000edc1e980: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[   37.233021][ T4250] >ffff0000edc1ea00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.235132][ T4250]                                                                 ^
[   37.237295][ T4250]  ffff0000edc1ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   37.239371][ T4250]  ffff0000edc1eb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   37.241455][ T4250] ==================================================================
[   37.243751][ T4250] Disabling lock debugging due to kernel taint