last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.1.56' (ED25519) to the list of known hosts.
[ 63.483875][ T5082] cgroup: Unknown subsys name 'net'
[ 63.655596][ T5082] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 65.324566][ T5082] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 65.987616][ T5100] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 66.008734][ T5101] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 66.016562][ T5100] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 66.025544][ T5100] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 66.028158][ T5101] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 66.033243][ T5100] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 66.047782][ T5100] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 66.053413][ T5106] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 66.055844][ T5100] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 66.062002][ T5101] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 66.069450][ T5100] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 66.078069][ T5106] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 66.084054][ T5100] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 66.090745][ T5101] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 66.097727][ T5100] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 66.104914][ T5101] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 66.113112][ T5106] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 66.119078][ T5101] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 66.132177][ T5100] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 66.132910][ T5101] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 66.147105][ T5100] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 66.148596][ T5101] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 66.155753][ T5100] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 66.162027][ T5101] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 66.168555][ T5100] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 66.176176][ T5101] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 66.182940][ T5100] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 66.189882][ T5101] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 66.197151][ T5100] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 66.210683][ T5100] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 66.220302][ T5092] ==================================================================
[ 66.228391][ T5092] BUG: KASAN: slab-use-after-free in sk_skb_reason_drop+0x44/0x3d0
[ 66.236339][ T5092] Read of size 4 at addr ffff888069030d64 by task syz-executor/5092
[ 66.244338][ T5092]
[ 66.246688][ T5092] CPU: 0 PID: 5092 Comm: syz-executor Not tainted 6.10.0-rc5-syzkaller-01176-g19e6ad2c7578 #0
[ 66.256946][ T5092] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 66.267030][ T5092] Call Trace:
[ 66.270333][ T5092]
[ 66.273292][ T5092] dump_stack_lvl+0x241/0x360
[ 66.278005][ T5092] ? __pfx_dump_stack_lvl+0x10/0x10
[ 66.283233][ T5092] ? __pfx__printk+0x10/0x10
[ 66.287861][ T5092] ? _printk+0xd5/0x120
[ 66.292059][ T5092] ? __virt_addr_valid+0x183/0x520
[ 66.297221][ T5092] ? __virt_addr_valid+0x183/0x520
[ 66.302388][ T5092] print_report+0x169/0x550
[ 66.306930][ T5092] ? __virt_addr_valid+0x183/0x520
[ 66.312087][ T5092] ? __virt_addr_valid+0x183/0x520
[ 66.317236][ T5092] ? __virt_addr_valid+0x44e/0x520
[ 66.322380][ T5092] ? __phys_addr+0xba/0x170
[ 66.326920][ T5092] ? sk_skb_reason_drop+0x44/0x3d0
[ 66.332072][ T5092] kasan_report+0x143/0x180
[ 66.336617][ T5092] ? sk_skb_reason_drop+0x44/0x3d0
[ 66.341768][ T5092] kasan_check_range+0x282/0x290
[ 66.346743][ T5092] sk_skb_reason_drop+0x44/0x3d0
[ 66.351721][ T5092] __hci_req_sync+0x631/0x950
[ 66.356437][ T5092] ? __pfx___hci_req_sync+0x10/0x10
[ 66.361676][ T5092] ? __pfx___mutex_lock+0x10/0x10
[ 66.366735][ T5092] ? __pfx_autoremove_wake_function+0x10/0x10
[ 66.372840][ T5092] ? __pfx_hci_scan_req+0x10/0x10
[ 66.377893][ T5092] hci_req_sync+0xa9/0xd0
[ 66.382298][ T5092] hci_dev_cmd+0x4c5/0xa50
[ 66.386742][ T5092] ? security_capable+0x90/0xb0
[ 66.391637][ T5092] ? __pfx_hci_dev_cmd+0x10/0x10
[ 66.396623][ T5092] ? hci_sock_ioctl+0x6c6/0xa40
[ 66.401538][ T5092] sock_do_ioctl+0x158/0x460
[ 66.406247][ T5092] ? __pfx_sock_do_ioctl+0x10/0x10
[ 66.411403][ T5092] sock_ioctl+0x629/0x8e0
[ 66.415764][ T5092] ? __pfx_sock_ioctl+0x10/0x10
[ 66.420642][ T5092] ? __fget_files+0x29/0x470
[ 66.425268][ T5092] ? __fget_files+0x3f6/0x470
[ 66.429982][ T5092] ? __fget_files+0x29/0x470
[ 66.434611][ T5092] ? bpf_lsm_file_ioctl+0x9/0x10
[ 66.439578][ T5092] ? security_file_ioctl+0x87/0xb0
[ 66.444719][ T5092] ? __pfx_sock_ioctl+0x10/0x10
[ 66.449594][ T5092] __se_sys_ioctl+0xfc/0x170
[ 66.454216][ T5092] do_syscall_64+0xf3/0x230
[ 66.458746][ T5092] ? clear_bhb_loop+0x35/0x90
[ 66.463453][ T5092] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 66.469384][ T5092] RIP: 0033:0x7fa7fbf75b1b
[ 66.473829][ T5092] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 66.493541][ T5092] RSP: 002b:00007ffe67dde030 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 66.501986][ T5092] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fa7fbf75b1b
[ 66.509981][ T5092] RDX: 00007ffe67dde0a8 RSI: 00000000400448dd RDI: 0000000000000003
[ 66.517989][ T5092] RBP: 000055556b37f4a8 R08: 0000000000000000 R09: 0000000000000000
[ 66.525998][ T5092] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000
[ 66.534012][ T5092] R13: 0000000000000000 R14: 0000000000000009 R15: 0000000000000009
[ 66.542014][ T5092]
[ 66.545051][ T5092]
[ 66.547387][ T5092] Allocated by task 5103:
[ 66.551728][ T5092] kasan_save_track+0x3f/0x80
[ 66.556435][ T5092] __kasan_slab_alloc+0x66/0x80
[ 66.561330][ T5092] kmem_cache_alloc_noprof+0x135/0x2a0
[ 66.566826][ T5092] skb_clone+0x20c/0x390
[ 66.571118][ T5092] hci_cmd_work+0x2a2/0x670
[ 66.575667][ T5092] process_scheduled_works+0xa2c/0x1830
[ 66.581238][ T5092] worker_thread+0x86d/0xd50
[ 66.585852][ T5092] kthread+0x2f0/0x390
[ 66.589954][ T5092] ret_from_fork+0x4b/0x80
[ 66.594400][ T5092] ret_from_fork_asm+0x1a/0x30
[ 66.599196][ T5092]
[ 66.601551][ T5092] Freed by task 5103:
[ 66.605564][ T5092] kasan_save_track+0x3f/0x80
[ 66.610265][ T5092] kasan_save_free_info+0x40/0x50
[ 66.615328][ T5092] poison_slab_object+0xe0/0x150
[ 66.620296][ T5092] __kasan_slab_free+0x37/0x60
[ 66.625093][ T5092] kmem_cache_free+0x145/0x350
[ 66.629881][ T5092] hci_req_sync_complete+0xe8/0x290
[ 66.635118][ T5092] hci_event_packet+0xc75/0x1540
[ 66.640085][ T5092] hci_rx_work+0x3e8/0xca0
[ 66.644536][ T5092] process_scheduled_works+0xa2c/0x1830
[ 66.650124][ T5092] worker_thread+0x86d/0xd50
[ 66.654745][ T5092] kthread+0x2f0/0x390
[ 66.658848][ T5092] ret_from_fork+0x4b/0x80
[ 66.663300][ T5092] ret_from_fork_asm+0x1a/0x30
[ 66.668105][ T5092]
[ 66.670445][ T5092] The buggy address belongs to the object at ffff888069030c80
[ 66.670445][ T5092] which belongs to the cache skbuff_head_cache of size 240
[ 66.685043][ T5092] The buggy address is located 228 bytes inside of
[ 66.685043][ T5092] freed 240-byte region [ffff888069030c80, ffff888069030d70)
[ 66.698864][ T5092]
[ 66.701203][ T5092] The buggy address belongs to the physical page:
[ 66.707630][ T5092] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x69030
[ 66.716410][ T5092] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 66.723523][ T5092] page_type: 0xffffefff(slab)
[ 66.728202][ T5092] raw: 00fff00000000000 ffff888018ae7780 dead000000000122 0000000000000000
[ 66.736785][ T5092] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 66.745364][ T5092] page dumped because: kasan: bad access detected
[ 66.751774][ T5092] page_owner tracks the page as allocated
[ 66.757511][ T5092] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5101, tgid 5101 (kworker/u9:4), ts 66217898649, free_ts 24378034316
[ 66.776787][ T5092] post_alloc_hook+0x1f3/0x230
[ 66.781562][ T5092] get_page_from_freelist+0x2e4c/0x2f10
[ 66.787108][ T5092] __alloc_pages_noprof+0x256/0x6c0
[ 66.792304][ T5092] alloc_slab_page+0x5f/0x120
[ 66.796990][ T5092] allocate_slab+0x5a/0x2f0
[ 66.801496][ T5092] ___slab_alloc+0xcd1/0x14b0
[ 66.806174][ T5092] __slab_alloc+0x58/0xa0
[ 66.810505][ T5092] kmem_cache_alloc_noprof+0x1c1/0x2a0
[ 66.815972][ T5092] skb_clone+0x20c/0x390
[ 66.820227][ T5092] hci_event_packet+0x227/0x1540
[ 66.825169][ T5092] hci_rx_work+0x3e8/0xca0
[ 66.829588][ T5092] process_scheduled_works+0xa2c/0x1830
[ 66.835135][ T5092] worker_thread+0x86d/0xd50
[ 66.839729][ T5092] kthread+0x2f0/0x390
[ 66.843800][ T5092] ret_from_fork+0x4b/0x80
[ 66.848225][ T5092] ret_from_fork_asm+0x1a/0x30
[ 66.853008][ T5092] page last free pid 1 tgid 1 stack trace:
[ 66.858809][ T5092] free_unref_page+0xd22/0xea0
[ 66.863601][ T5092] free_contig_range+0x9e/0x160
[ 66.868456][ T5092] destroy_args+0x8a/0x890
[ 66.872888][ T5092] debug_vm_pgtable+0x4be/0x550
[ 66.877749][ T5092] do_one_initcall+0x248/0x880
[ 66.882518][ T5092] do_initcall_level+0x157/0x210
[ 66.887463][ T5092] do_initcalls+0x3f/0x80
[ 66.891801][ T5092] kernel_init_freeable+0x435/0x5d0
[ 66.897005][ T5092] kernel_init+0x1d/0x2b0
[ 66.901346][ T5092] ret_from_fork+0x4b/0x80
[ 66.905774][ T5092] ret_from_fork_asm+0x1a/0x30
[ 66.910546][ T5092]
[ 66.912868][ T5092] Memory state around the buggy address:
[ 66.918491][ T5092]  ffff888069030c00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 66.926546][ T5092]  ffff888069030c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.934623][ T5092] >ffff888069030d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 66.942679][ T5092]                                                        ^
[ 66.949869][ T5092]  ffff888069030d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 66.957927][ T5092]  ffff888069030e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.965994][ T5092] ==================================================================
[ 66.975354][ T5092] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 66.982572][ T5092] CPU: 1 PID: 5092 Comm: syz-executor Not tainted 6.10.0-rc5-syzkaller-01176-g19e6ad2c7578 #0
[ 66.992810][ T5092] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 67.002873][ T5092] Call Trace:
[ 67.006161][ T5092]
[ 67.009093][ T5092] dump_stack_lvl+0x241/0x360
[ 67.013779][ T5092] ? __pfx_dump_stack_lvl+0x10/0x10
[ 67.018978][ T5092] ? __pfx__printk+0x10/0x10
[ 67.023580][ T5092] ? preempt_schedule+0xe1/0xf0
[ 67.028440][ T5092] ? vscnprintf+0x5d/0x90
[ 67.032780][ T5092] panic+0x349/0x860
[ 67.036691][ T5092] ? check_panic_on_warn+0x21/0xb0
[ 67.041819][ T5092] ? __pfx_panic+0x10/0x10
[ 67.046252][ T5092] ? _raw_spin_unlock_irqrestore+0x130/0x140
[ 67.052252][ T5092] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 67.058594][ T5092] ? print_report+0x502/0x550
[ 67.063285][ T5092] check_panic_on_warn+0x86/0xb0
[ 67.068233][ T5092] ? sk_skb_reason_drop+0x44/0x3d0
[ 67.073354][ T5092] end_report+0x77/0x160
[ 67.077605][ T5092] kasan_report+0x154/0x180
[ 67.082122][ T5092] ? sk_skb_reason_drop+0x44/0x3d0
[ 67.087260][ T5092] kasan_check_range+0x282/0x290
[ 67.092218][ T5092] sk_skb_reason_drop+0x44/0x3d0
[ 67.097195][ T5092] __hci_req_sync+0x631/0x950
[ 67.101890][ T5092] ? __pfx___hci_req_sync+0x10/0x10
[ 67.107101][ T5092] ? __pfx___mutex_lock+0x10/0x10
[ 67.112134][ T5092] ? __pfx_autoremove_wake_function+0x10/0x10
[ 67.118205][ T5092] ? __pfx_hci_scan_req+0x10/0x10
[ 67.123228][ T5092] hci_req_sync+0xa9/0xd0
[ 67.127567][ T5092] hci_dev_cmd+0x4c5/0xa50
[ 67.131986][ T5092] ? security_capable+0x90/0xb0
[ 67.136838][ T5092] ? __pfx_hci_dev_cmd+0x10/0x10
[ 67.141777][ T5092] ? hci_sock_ioctl+0x6c6/0xa40
[ 67.146639][ T5092] sock_do_ioctl+0x158/0x460
[ 67.151240][ T5092] ? __pfx_sock_do_ioctl+0x10/0x10
[ 67.156368][ T5092] sock_ioctl+0x629/0x8e0
[ 67.160721][ T5092] ? __pfx_sock_ioctl+0x10/0x10
[ 67.165573][ T5092] ? __fget_files+0x29/0x470
[ 67.170173][ T5092] ? __fget_files+0x3f6/0x470
[ 67.174861][ T5092] ? __fget_files+0x29/0x470
[ 67.179464][ T5092] ? bpf_lsm_file_ioctl+0x9/0x10
[ 67.184405][ T5092] ? security_file_ioctl+0x87/0xb0
[ 67.189526][ T5092] ? __pfx_sock_ioctl+0x10/0x10
[ 67.194377][ T5092] __se_sys_ioctl+0xfc/0x170
[ 67.198977][ T5092] do_syscall_64+0xf3/0x230
[ 67.203483][ T5092] ? clear_bhb_loop+0x35/0x90
[ 67.208171][ T5092] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 67.214074][ T5092] RIP: 0033:0x7fa7fbf75b1b
[ 67.218493][ T5092] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 67.238106][ T5092] RSP: 002b:00007ffe67dde030 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 67.246529][ T5092] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fa7fbf75b1b
[ 67.254504][ T5092] RDX: 00007ffe67dde0a8 RSI: 00000000400448dd RDI: 0000000000000003
[ 67.262473][ T5092] RBP: 000055556b37f4a8 R08: 0000000000000000 R09: 0000000000000000
[ 67.270443][ T5092] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000
[ 67.278414][ T5092] R13: 0000000000000000 R14: 0000000000000009 R15: 0000000000000009
[ 67.286393][ T5092]
[ 67.289905][ T5092] Kernel Offset: disabled
[ 67.294224][ T5092] Rebooting in 86400 seconds..