last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.10.15' (ED25519) to the list of known hosts.
[ 53.766377][ T5074] cgroup: Unknown subsys name 'net'
[ 53.904039][ T5074] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 55.306924][ T5074] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 55.923148][ T5084] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 55.945153][ T5093] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 55.954451][ T5093] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 55.955980][ T5090] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 55.963061][ T5093] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 55.970453][ T5090] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 55.977803][ T5093] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 55.984504][ T5090] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 55.990622][ T5093] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 55.999469][ T5090] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 56.005458][ T5093] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 56.013936][ T5090] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 56.027220][ T5090] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 56.027639][ T5093] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 56.036412][ T5090] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 56.044395][ T5093] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 56.050472][ T5090] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 56.060245][ T5093] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 56.068122][ T5090] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 56.075160][ T5093] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 56.082654][ T5090] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 56.089685][ T5093] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 56.098441][ T5086] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 56.103891][ T5093] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 56.113108][ T5086] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 56.129817][ T5090] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 56.141611][ T5092] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 56.146093][ T5094] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 56.149718][ T5093] ==================================================================
[ 56.164247][ T5093] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x39/0x250
[ 56.172712][ T5093] Read of size 8 at addr ffff88806a4b97d8 by task kworker/u9:7/5093
[ 56.176149][ T5094] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 56.181158][ T5093]
[ 56.181182][ T5093] CPU: 1 PID: 5093 Comm: kworker/u9:7 Not tainted 6.10.0-rc5-syzkaller-00018-g55027e689933 #0
[ 56.201114][ T5093] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 56.211714][ T5093] Workqueue: hci2 hci_rx_work
[ 56.216477][ T5093] Call Trace:
[ 56.219782][ T5093]
[ 56.222846][ T5093] dump_stack_lvl+0x241/0x360
[ 56.227668][ T5093] ? __pfx_dump_stack_lvl+0x10/0x10
[ 56.233051][ T5093] ? __pfx__printk+0x10/0x10
[ 56.237667][ T5093] ? _printk+0xd5/0x120
[ 56.241910][ T5093] ? __virt_addr_valid+0x183/0x520
[ 56.247015][ T5093] ? __virt_addr_valid+0x183/0x520
[ 56.252479][ T5093] print_report+0x169/0x550
[ 56.257429][ T5093] ? __virt_addr_valid+0x183/0x520
[ 56.262533][ T5093] ? __virt_addr_valid+0x183/0x520
[ 56.267729][ T5093] ? __virt_addr_valid+0x44e/0x520
[ 56.272833][ T5093] ? __phys_addr+0xba/0x170
[ 56.277347][ T5093] ? skb_release_head_state+0x39/0x250
[ 56.282791][ T5093] kasan_report+0x143/0x180
[ 56.287308][ T5093] ? skb_release_head_state+0x39/0x250
[ 56.292760][ T5093] skb_release_head_state+0x39/0x250
[ 56.298392][ T5093] ? hci_req_sync_complete+0xe7/0x290
[ 56.303947][ T5093] kfree_skb_reason+0x16d/0x3b0
[ 56.308987][ T5093] hci_req_sync_complete+0xe7/0x290
[ 56.315157][ T5093] hci_event_packet+0xc71/0x1540
[ 56.320448][ T5093] ? __pfx_hci_cmd_complete_evt+0x10/0x10
[ 56.326358][ T5093] ? __pfx_hci_event_packet+0x10/0x10
[ 56.332028][ T5093] ? do_raw_spin_unlock+0x13c/0x8b0
[ 56.337588][ T5093] ? __pfx_hci_req_sync_complete+0x10/0x10
[ 56.343598][ T5093] ? hci_send_to_monitor+0xd8/0x7f0
[ 56.348823][ T5093] ? kcov_remote_start+0x9e/0x7e0
[ 56.353946][ T5093] hci_rx_work+0x3e8/0xca0
[ 56.358373][ T5093] ? process_scheduled_works+0x945/0x1830
[ 56.364202][ T5093] process_scheduled_works+0xa2c/0x1830
[ 56.369958][ T5093] ? __pfx_process_scheduled_works+0x10/0x10
[ 56.376000][ T5093] ? assign_work+0x364/0x3d0
[ 56.380623][ T5093] worker_thread+0x86d/0xd70
[ 56.385230][ T5093] ? __kthread_parkme+0x169/0x1d0
[ 56.390371][ T5093] ? __pfx_worker_thread+0x10/0x10
[ 56.396316][ T5093] kthread+0x2f0/0x390
[ 56.402743][ T5093] ? __pfx_worker_thread+0x10/0x10
[ 56.409445][ T5093] ? __pfx_kthread+0x10/0x10
[ 56.414490][ T5093] ret_from_fork+0x4b/0x80
[ 56.419016][ T5093] ? __pfx_kthread+0x10/0x10
[ 56.423618][ T5093] ret_from_fork_asm+0x1a/0x30
[ 56.428388][ T5093]
[ 56.431404][ T5093]
[ 56.433713][ T5093] Allocated by task 5093:
[ 56.438110][ T5093] kasan_save_track+0x3f/0x80
[ 56.442775][ T5093] __kasan_slab_alloc+0x66/0x80
[ 56.447888][ T5093] kmem_cache_alloc_noprof+0x135/0x2a0
[ 56.453365][ T5093] skb_clone+0x20c/0x390
[ 56.457697][ T5093] hci_cmd_work+0x29e/0x670
[ 56.462555][ T5093] process_scheduled_works+0xa2c/0x1830
[ 56.468546][ T5093] worker_thread+0x86d/0xd70
[ 56.474277][ T5093] kthread+0x2f0/0x390
[ 56.478562][ T5093] ret_from_fork+0x4b/0x80
[ 56.483010][ T5093] ret_from_fork_asm+0x1a/0x30
[ 56.488667][ T5093]
[ 56.490988][ T5093] Freed by task 5081:
[ 56.494952][ T5093] kasan_save_track+0x3f/0x80
[ 56.500078][ T5093] kasan_save_free_info+0x40/0x50
[ 56.505381][ T5093] poison_slab_object+0xe0/0x150
[ 56.510627][ T5093] __kasan_slab_free+0x37/0x60
[ 56.515833][ T5093] kmem_cache_free+0x145/0x350
[ 56.521304][ T5093] __hci_req_sync+0x62f/0x950
[ 56.526347][ T5093] hci_req_sync+0xa9/0xd0
[ 56.531002][ T5093] hci_dev_cmd+0x4c5/0xa50
[ 56.535733][ T5093] sock_do_ioctl+0x158/0x460
[ 56.541665][ T5093] sock_ioctl+0x629/0x8e0
[ 56.546942][ T5093] __se_sys_ioctl+0xfc/0x170
[ 56.552444][ T5093] do_syscall_64+0xf3/0x230
[ 56.557921][ T5093] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 56.564625][ T5093]
[ 56.567206][ T5093] The buggy address belongs to the object at ffff88806a4b9780
[ 56.567206][ T5093] which belongs to the cache skbuff_head_cache of size 240
[ 56.583459][ T5093] The buggy address is located 88 bytes inside of
[ 56.583459][ T5093] freed 240-byte region [ffff88806a4b9780, ffff88806a4b9870)
[ 56.598685][ T5093]
[ 56.602172][ T5093] The buggy address belongs to the physical page:
[ 56.609219][ T5093] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6a4b9
[ 56.618401][ T5093] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 56.626227][ T5093] page_type: 0xffffefff(slab)
[ 56.631175][ T5093] raw: 00fff00000000000 ffff888018ed6780 dead000000000122 0000000000000000
[ 56.641526][ T5093] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 56.651700][ T5093] page dumped because: kasan: bad access detected
[ 56.659094][ T5093] page_owner tracks the page as allocated
[ 56.665283][ T5093] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 53, tgid 53 (kworker/u9:0), ts 56128219245, free_ts 17915648935
[ 56.688034][ T5093] post_alloc_hook+0x1f3/0x230
[ 56.693778][ T5093] get_page_from_freelist+0x2e43/0x2f00
[ 56.702228][ T5093] __alloc_pages_noprof+0x256/0x6c0
[ 56.708349][ T5093] alloc_slab_page+0x5f/0x120
[ 56.713174][ T5093] allocate_slab+0x5a/0x2f0
[ 56.717966][ T5093] ___slab_alloc+0xcd1/0x14b0
[ 56.723639][ T5093] __slab_alloc+0x58/0xa0
[ 56.729034][ T5093] kmem_cache_alloc_node_noprof+0x1fe/0x320
[ 56.736779][ T5093] __alloc_skb+0x1c3/0x440
[ 56.741522][ T5093] __hci_cmd_sync_sk+0x158/0x1130
[ 56.746651][ T5093] hci_write_ca_timeout_sync+0xa6/0x1d0
[ 56.752400][ T5093] hci_dev_open_sync+0x2579/0x2b40
[ 56.757698][ T5093] hci_power_on+0x1c7/0x6b0
[ 56.762379][ T5093] process_scheduled_works+0xa2c/0x1830
[ 56.768111][ T5093] worker_thread+0x86d/0xd70
[ 56.772729][ T5093] kthread+0x2f0/0x390
[ 56.777095][ T5093] page last free pid 1 tgid 1 stack trace:
[ 56.785444][ T5093] free_unref_page+0xd22/0xea0
[ 56.790582][ T5093] free_contig_range+0x9e/0x160
[ 56.796303][ T5093] destroy_args+0x8a/0x890
[ 56.800842][ T5093] debug_vm_pgtable+0x4be/0x550
[ 56.806507][ T5093] do_one_initcall+0x248/0x880
[ 56.812114][ T5093] do_initcall_level+0x157/0x210
[ 56.817545][ T5093] do_initcalls+0x3f/0x80
[ 56.822165][ T5093] kernel_init_freeable+0x435/0x5d0
[ 56.827478][ T5093] kernel_init+0x1d/0x2b0
[ 56.831908][ T5093] ret_from_fork+0x4b/0x80
[ 56.836541][ T5093] ret_from_fork_asm+0x1a/0x30
[ 56.841342][ T5093]
[ 56.843679][ T5093] Memory state around the buggy address:
[ 56.849398][ T5093] ffff88806a4b9680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 56.857643][ T5093] ffff88806a4b9700: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 56.865699][ T5093] >ffff88806a4b9780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.873774][ T5093] ^
[ 56.881503][ T5093] ffff88806a4b9800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 56.889677][ T5093] ffff88806a4b9880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 56.898092][ T5093] ==================================================================
[ 56.907192][ T5093] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 56.915196][ T5093] CPU: 1 PID: 5093 Comm: kworker/u9:7 Not tainted 6.10.0-rc5-syzkaller-00018-g55027e689933 #0
[ 56.926342][ T5093] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 56.936850][ T5093] Workqueue: hci2 hci_rx_work
[ 56.941652][ T5093] Call Trace:
[ 56.945216][ T5093]
[ 56.948429][ T5093] dump_stack_lvl+0x241/0x360
[ 56.953659][ T5093] ? __pfx_dump_stack_lvl+0x10/0x10
[ 56.959234][ T5093] ? __pfx__printk+0x10/0x10
[ 56.964128][ T5093] ? preempt_schedule+0xe1/0xf0
[ 56.969106][ T5093] ? vscnprintf+0x5d/0x90
[ 56.973461][ T5093] panic+0x349/0x860
[ 56.977536][ T5093] ? check_panic_on_warn+0x21/0xb0
[ 56.982860][ T5093] ? __pfx_panic+0x10/0x10
[ 56.987309][ T5093] ? _raw_spin_unlock_irqrestore+0x130/0x140
[ 56.993449][ T5093] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 56.999926][ T5093] ? print_report+0x502/0x550
[ 57.004824][ T5093] check_panic_on_warn+0x86/0xb0
[ 57.010238][ T5093] ? skb_release_head_state+0x39/0x250
[ 57.015966][ T5093] end_report+0x77/0x160
[ 57.020243][ T5093] kasan_report+0x154/0x180
[ 57.024873][ T5093] ? skb_release_head_state+0x39/0x250
[ 57.030450][ T5093] skb_release_head_state+0x39/0x250
[ 57.035855][ T5093] ? hci_req_sync_complete+0xe7/0x290
[ 57.041421][ T5093] kfree_skb_reason+0x16d/0x3b0
[ 57.046338][ T5093] hci_req_sync_complete+0xe7/0x290
[ 57.053318][ T5093] hci_event_packet+0xc71/0x1540
[ 57.058290][ T5093] ? __pfx_hci_cmd_complete_evt+0x10/0x10
[ 57.064221][ T5093] ? __pfx_hci_event_packet+0x10/0x10
[ 57.069818][ T5093] ? do_raw_spin_unlock+0x13c/0x8b0
[ 57.075406][ T5093] ? __pfx_hci_req_sync_complete+0x10/0x10
[ 57.081950][ T5093] ? hci_send_to_monitor+0xd8/0x7f0
[ 57.087368][ T5093] ? kcov_remote_start+0x9e/0x7e0
[ 57.092779][ T5093] hci_rx_work+0x3e8/0xca0
[ 57.098038][ T5093] ? process_scheduled_works+0x945/0x1830
[ 57.105748][ T5093] process_scheduled_works+0xa2c/0x1830
[ 57.114539][ T5093] ? __pfx_process_scheduled_works+0x10/0x10
[ 57.121780][ T5093] ? assign_work+0x364/0x3d0
[ 57.127876][ T5093] worker_thread+0x86d/0xd70
[ 57.132694][ T5093] ? __kthread_parkme+0x169/0x1d0
[ 57.137802][ T5093] ? __pfx_worker_thread+0x10/0x10
[ 57.143449][ T5093] kthread+0x2f0/0x390
[ 57.147792][ T5093] ? __pfx_worker_thread+0x10/0x10
[ 57.153253][ T5093] ? __pfx_kthread+0x10/0x10
[ 57.157945][ T5093] ret_from_fork+0x4b/0x80
[ 57.162735][ T5093] ? __pfx_kthread+0x10/0x10
[ 57.167343][ T5093] ret_from_fork_asm+0x1a/0x30
[ 57.172599][ T5093]
[ 57.175814][ T5093] Kernel Offset: disabled
[ 57.180689][ T5093] Rebooting in 86400 seconds..