last executing test programs:

kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.1.214' (ED25519) to the list of known hosts.
[ 46.163351][ T3535] cgroup: Unknown subsys name 'net'
[ 46.294933][ T3535] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 47.559056][ T3535] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k FS
[ 48.722468][ T3551] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 48.730340][ T3551] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 48.741008][ T3551] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 48.748582][ T3551] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 48.756308][ T3551] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 48.764615][ T3551] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 48.768254][ T3559] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 48.771978][ T3551] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 48.772203][ T3551] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 48.786819][ T3560] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 48.793721][ T3551] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 48.809419][ T3551] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 48.816644][ T3551] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 48.824498][ T3551] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 48.827054][ T3558] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 48.831692][ T3551] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 48.841316][ T3560] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 48.846126][ T3551] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 48.854145][ T3560] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 48.866887][ T3559] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 48.867183][ T3551] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 48.874853][ T3560] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 48.890799][ T3545] ==================================================================
[ 48.891678][ T3558] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 48.898872][ T3545] BUG: KASAN: use-after-free in kfree_skb_reason+0x3d/0x390
[ 48.913084][ T3545] Read of size 4 at addr ffff88805e937d64 by task syz-executor/3545
[ 48.921068][ T3545]
[ 48.923406][ T3545] CPU: 1 PID: 3545 Comm: syz-executor Not tainted 6.1.100-syzkaller #0
[ 48.931653][ T3545] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 48.941719][ T3545] Call Trace:
[ 48.945008][ T3545]
[ 48.947948][ T3545] dump_stack_lvl+0x1e3/0x2cb
[ 48.952641][ T3545] ? nf_tcp_handle_invalid+0x642/0x642
[ 48.958115][ T3545] ? panic+0x764/0x764
[ 48.962200][ T3545] ? _printk+0xd1/0x111
[ 48.966367][ T3545] ? __virt_addr_valid+0x17f/0x530
[ 48.970268][ T3560] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 48.971468][ T3545] ? __virt_addr_valid+0x17f/0x530
[ 48.983495][ T3545] print_report+0x15f/0x4f0
[ 48.988009][ T3545] ? __virt_addr_valid+0x17f/0x530
[ 48.993130][ T3545] ? __virt_addr_valid+0x17f/0x530
[ 48.998251][ T3545] ? __virt_addr_valid+0x45b/0x530
[ 49.003381][ T3545] ? __phys_addr+0xb6/0x170
[ 49.007893][ T3545] ? kfree_skb_reason+0x3d/0x390
[ 49.012841][ T3545] kasan_report+0x136/0x160
[ 49.017355][ T3545] ? kfree_skb_reason+0x3d/0x390
[ 49.022309][ T3545] kasan_check_range+0x27f/0x290
[ 49.027251][ T3545] kfree_skb_reason+0x3d/0x390
[ 49.027702][ T3555] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 49.032107][ T3545] __hci_req_sync+0x626/0x940
[ 49.032130][ T3545] ? trace_contention_end+0x61/0x170
[ 49.032150][ T3545] ? hci_req_sync_complete+0x280/0x280
[ 49.032168][ T3545] ? mutex_lock_nested+0x10/0x10
[ 49.032188][ T3545] ? hci_encrypt_req+0x170/0x170
[ 49.032208][ T3545] hci_req_sync+0xa5/0xc0
[ 49.032225][ T3545] hci_dev_cmd+0x2fc/0xa30
[ 49.042411][ T3552] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 49.043837][ T3545] ? security_capable+0x86/0xb0
[ 49.049758][ T3552] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 49.054527][ T3545] ? hci_dev_reset_stat+0x1a0/0x1a0
[ 49.054553][ T3545] ? hci_sock_ioctl+0x426/0x850
[ 49.054572][ T3545] sock_do_ioctl+0x152/0x450
[ 49.054592][ T3545] ? sock_show_fdinfo+0xb0/0xb0
[ 49.061277][ T3552] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 49.064417][ T3545] ? __fget_files+0x28/0x4a0
[ 49.069391][ T3552] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 49.073113][ T3545] sock_ioctl+0x47f/0x770
[ 49.073136][ T3545] ? sock_poll+0x410/0x410
[ 49.073151][ T3545] ? __fget_files+0x28/0x4a0
[ 49.073166][ T3545] ? __fget_files+0x435/0x4a0
[ 49.073179][ T3545] ? __fget_files+0x28/0x4a0
[ 49.073195][ T3545] ? bpf_lsm_file_ioctl+0x5/0x10
[ 49.073210][ T3545] ? security_file_ioctl+0x7d/0xa0
[ 49.073226][ T3545] ? sock_poll+0x410/0x410
[ 49.073242][ T3545] __se_sys_ioctl+0xf1/0x160
[ 49.081731][ T3555] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 49.084985][ T3545] do_syscall_64+0x3b/0xb0
[ 49.182679][ T3545] ? clear_bhb_loop+0x45/0xa0
[ 49.187375][ T3545] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 49.193289][ T3545] RIP: 0033:0x7f8716f75b1b
[ 49.197718][ T3545] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 49.217331][ T3545] RSP: 002b:00007ffdfbf03300 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 49.225757][ T3545] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8716f75b1b
[ 49.233736][ T3545] RDX: 00007ffdfbf03378 RSI: 00000000400448dd RDI: 0000000000000003
[ 49.241714][ T3545] RBP: 00005555556d14a8 R08: 0000000000000000 R09: 0000000000000000
[ 49.249688][ T3545] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000
[ 49.257646][ T3545] R13: 0000000000000000 R14: 0000000000000009 R15: 0000000000000009
[ 49.265605][ T3545]
[ 49.268609][ T3545]
[ 49.270914][ T3545] Allocated by task 3548:
[ 49.275217][ T3545] kasan_set_track+0x4b/0x70
[ 49.279803][ T3545] __kasan_slab_alloc+0x65/0x70
[ 49.284631][ T3545] slab_post_alloc_hook+0x52/0x3a0
[ 49.289723][ T3545] kmem_cache_alloc+0x10c/0x2d0
[ 49.294554][ T3545] skb_clone+0x1e5/0x360
[ 49.298776][ T3545] hci_cmd_work+0x296/0x660
[ 49.303259][ T3545] process_one_work+0x8a9/0x11d0
[ 49.308176][ T3545] worker_thread+0xa47/0x1200
[ 49.312834][ T3545] kthread+0x28d/0x320
[ 49.316882][ T3545] ret_from_fork+0x1f/0x30
[ 49.321282][ T3545]
[ 49.323585][ T3545] Freed by task 3558:
[ 49.327543][ T3545] kasan_set_track+0x4b/0x70
[ 49.332117][ T3545] kasan_save_free_info+0x27/0x40
[ 49.337121][ T3545] ____kasan_slab_free+0xd6/0x120
[ 49.342132][ T3545] kmem_cache_free+0x292/0x510
[ 49.346878][ T3545] hci_req_sync_complete+0xee/0x280
[ 49.352056][ T3545] hci_event_packet+0xc49/0x1510
[ 49.356976][ T3545] hci_rx_work+0x3cd/0xce0
[ 49.361384][ T3545] process_one_work+0x8a9/0x11d0
[ 49.366313][ T3545] worker_thread+0xa47/0x1200
[ 49.370976][ T3545] kthread+0x28d/0x320
[ 49.375036][ T3545] ret_from_fork+0x1f/0x30
[ 49.379446][ T3545]
[ 49.381757][ T3545] The buggy address belongs to the object at ffff88805e937c80
[ 49.381757][ T3545]  which belongs to the cache skbuff_head_cache of size 240
[ 49.396311][ T3545] The buggy address is located 228 bytes inside of
[ 49.396311][ T3545]  240-byte region [ffff88805e937c80, ffff88805e937d70)
[ 49.409563][ T3545]
[ 49.411869][ T3545] The buggy address belongs to the physical page:
[ 49.418268][ T3545] page:ffffea00017a4dc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5e937
[ 49.428399][ T3545] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 49.435935][ T3545] raw: 00fff00000000200 0000000000000000 dead000000000122 ffff888141a61280
[ 49.444500][ T3545] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 49.453057][ T3545] page dumped because: kasan: bad access detected
[ 49.459454][ T3545] page_owner tracks the page as allocated
[ 49.465148][ T3545] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 48, tgid 48 (kworker/u5:0), ts 48888942106, free_ts 11081487880
[ 49.483110][ T3545] post_alloc_hook+0x18d/0x1b0
[ 49.487864][ T3545] get_page_from_freelist+0x322e/0x33b0
[ 49.493399][ T3545] __alloc_pages+0x28d/0x770
[ 49.497971][ T3545] alloc_slab_page+0x6a/0x150
[ 49.502633][ T3545] new_slab+0x84/0x2d0
[ 49.506683][ T3545] ___slab_alloc+0xc20/0x1270
[ 49.511341][ T3545] kmem_cache_alloc+0x1a5/0x2d0
[ 49.516174][ T3545] skb_clone+0x1e5/0x360
[ 49.520396][ T3545] hci_event_packet+0x498/0x1510
[ 49.525319][ T3545] hci_rx_work+0x3cd/0xce0
[ 49.529716][ T3545] process_one_work+0x8a9/0x11d0
[ 49.534638][ T3545] worker_thread+0xa47/0x1200
[ 49.539297][ T3545] kthread+0x28d/0x320
[ 49.543346][ T3545] ret_from_fork+0x1f/0x30
[ 49.547746][ T3545] page last free stack trace:
[ 49.552400][ T3545] free_unref_page_prepare+0xf63/0x1120
[ 49.557926][ T3545] free_unref_page+0x33/0x3e0
[ 49.562581][ T3545] free_contig_range+0x9a/0x150
[ 49.567411][ T3545] destroy_args+0xfe/0x997
[ 49.571814][ T3545] debug_vm_pgtable+0x416/0x46b
[ 49.576648][ T3545] do_one_initcall+0x265/0x8f0
[ 49.581396][ T3545] do_initcall_level+0x157/0x207
[ 49.586314][ T3545] do_initcalls+0x49/0x86
[ 49.590645][ T3545] kernel_init_freeable+0x45c/0x60f
[ 49.595826][ T3545] kernel_init+0x19/0x290
[ 49.600139][ T3545] ret_from_fork+0x1f/0x30
[ 49.604537][ T3545]
[ 49.606842][ T3545] Memory state around the buggy address:
[ 49.612450][ T3545]  ffff88805e937c00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 49.620490][ T3545]  ffff88805e937c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.628530][ T3545] >ffff88805e937d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 49.636566][ T3545]                                                        ^
[ 49.643735][ T3545]  ffff88805e937d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 49.651781][ T3545]  ffff88805e937e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.659818][ T3545] ==================================================================
[ 49.668332][ T3545] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 49.675542][ T3545] CPU: 0 PID: 3545 Comm: syz-executor Not tainted 6.1.100-syzkaller #0
[ 49.683766][ T3545] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
[ 49.693803][ T3545] Call Trace:
[ 49.697065][ T3545]
[ 49.699981][ T3545] dump_stack_lvl+0x1e3/0x2cb
[ 49.704650][ T3545] ? nf_tcp_handle_invalid+0x642/0x642
[ 49.710099][ T3545] ? panic+0x764/0x764
[ 49.714159][ T3545] ? preempt_schedule_common+0xa6/0xd0
[ 49.719611][ T3545] ? vscnprintf+0x59/0x80
[ 49.723925][ T3545] panic+0x318/0x764
[ 49.727803][ T3545] ? check_panic_on_warn+0x1d/0xa0
[ 49.732896][ T3545] ? memcpy_page_flushcache+0xfc/0xfc
[ 49.738252][ T3545] ? _raw_spin_unlock_irqrestore+0x128/0x130
[ 49.744219][ T3545] ? _raw_spin_unlock+0x40/0x40
[ 49.749054][ T3545] ? print_report+0x4a3/0x4f0
[ 49.753716][ T3545] check_panic_on_warn+0x7e/0xa0
[ 49.758635][ T3545] ? kfree_skb_reason+0x3d/0x390
[ 49.763562][ T3545] end_report+0x66/0x110
[ 49.767787][ T3545] kasan_report+0x143/0x160
[ 49.772272][ T3545] ? kfree_skb_reason+0x3d/0x390
[ 49.777198][ T3545] kasan_check_range+0x27f/0x290
[ 49.782137][ T3545] kfree_skb_reason+0x3d/0x390
[ 49.786910][ T3545] __hci_req_sync+0x626/0x940
[ 49.791589][ T3545] ? trace_contention_end+0x61/0x170
[ 49.796878][ T3545] ? hci_req_sync_complete+0x280/0x280
[ 49.802333][ T3545] ? mutex_lock_nested+0x10/0x10
[ 49.807267][ T3545] ? hci_encrypt_req+0x170/0x170
[ 49.812198][ T3545] hci_req_sync+0xa5/0xc0
[ 49.816516][ T3545] hci_dev_cmd+0x2fc/0xa30
[ 49.820919][ T3545] ? security_capable+0x86/0xb0
[ 49.825754][ T3545] ? hci_dev_reset_stat+0x1a0/0x1a0
[ 49.830936][ T3545] ? hci_sock_ioctl+0x426/0x850
[ 49.835769][ T3545] sock_do_ioctl+0x152/0x450
[ 49.840344][ T3545] ? sock_show_fdinfo+0xb0/0xb0
[ 49.845178][ T3545] ? __fget_files+0x28/0x4a0
[ 49.849754][ T3545] sock_ioctl+0x47f/0x770
[ 49.854065][ T3545] ? sock_poll+0x410/0x410
[ 49.858466][ T3545] ? __fget_files+0x28/0x4a0
[ 49.863036][ T3545] ? __fget_files+0x435/0x4a0
[ 49.867694][ T3545] ? __fget_files+0x28/0x4a0
[ 49.872269][ T3545] ? bpf_lsm_file_ioctl+0x5/0x10
[ 49.877191][ T3545] ? security_file_ioctl+0x7d/0xa0
[ 49.882285][ T3545] ? sock_poll+0x410/0x410
[ 49.886684][ T3545] __se_sys_ioctl+0xf1/0x160
[ 49.891261][ T3545] do_syscall_64+0x3b/0xb0
[ 49.895662][ T3545] ? clear_bhb_loop+0x45/0xa0
[ 49.900325][ T3545] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 49.906205][ T3545] RIP: 0033:0x7f8716f75b1b
[ 49.910620][ T3545] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 49.930216][ T3545] RSP: 002b:00007ffdfbf03300 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 49.938615][ T3545] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f8716f75b1b
[ 49.946573][ T3545] RDX: 00007ffdfbf03378 RSI: 00000000400448dd RDI: 0000000000000003
[ 49.954527][ T3545] RBP: 00005555556d14a8 R08: 0000000000000000 R09: 0000000000000000
[ 49.962483][ T3545] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000
[ 49.970439][ T3545] R13: 0000000000000000 R14: 0000000000000009 R15: 0000000000000009
[ 49.978399][ T3545]
[ 49.981632][ T3545] Kernel Offset: disabled
[ 49.985942][ T3545] Rebooting in 86400 seconds..