last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.1.255' (ED25519) to the list of known hosts.
[   49.726412][ T5082] cgroup: Unknown subsys name 'net'
[   49.865404][ T5082] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   51.192384][ T5082] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k SS
[   51.781577][ T5095] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   51.790728][ T5095] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   51.798863][ T5095] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   51.802925][ T5097] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   51.807466][ T5095] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   51.814500][ T5097] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   51.821259][ T5095] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[   51.828733][ T5097] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   51.835390][ T5095] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   51.842384][ T5097] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   51.865781][ T5100] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   51.874286][ T5097] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[   51.886716][ T5097] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[   51.894539][ T5100] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[   51.904020][ T5100] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[   51.911766][ T5097] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[   51.919519][ T5105] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[   51.920244][ T5100] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[   51.932970][ T5105] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[   51.933868][ T5100] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[   51.949861][ T5105] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[   51.953002][ T5100] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[   51.962743][ T5105] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[   51.972652][ T5100] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[   51.973180][ T5105] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[   51.987757][ T5105] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[   51.995336][ T5105] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[   52.005506][ T5095] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[   52.014141][ T5105] ==================================================================
[   52.017744][ T5095] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[   52.022212][ T5105] BUG: KASAN: slab-use-after-free in skb_release_head_state+0x39/0x250
[   52.022273][ T5105] Read of size 8 at addr ffff888021b5f698 by task kworker/u9:7/5105
[   52.022289][ T5105] 
[   52.022301][ T5105] CPU: 0 UID: 0 PID: 5105 Comm: kworker/u9:7 Not tainted 6.10.0-rc5-next-20240624-syzkaller #0
[   52.022327][ T5105] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[   52.022339][ T5105] Workqueue: hci3 hci_rx_work
[   52.022368][ T5105] Call Trace:
[   52.022376][ T5105]  <TASK>
[   52.022385][ T5105]  dump_stack_lvl+0x241/0x360
[   52.022408][ T5105]  ? __pfx_dump_stack_lvl+0x10/0x10
[   52.022427][ T5105]  ? __pfx__printk+0x10/0x10
[   52.022450][ T5105]  ? _printk+0xd5/0x120
[   52.022468][ T5105]  ? __virt_addr_valid+0x183/0x520
[   52.022493][ T5105]  ? __virt_addr_valid+0x183/0x520
[   52.022518][ T5105]  print_report+0x169/0x550
[   52.022540][ T5105]  ? __virt_addr_valid+0x183/0x520
[   52.030817][ T5095] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[   52.037687][ T5105]  ? __virt_addr_valid+0x183/0x520
[   52.129333][ T5105]  ? __virt_addr_valid+0x44e/0x520
[   52.134452][ T5105]  ? __phys_addr+0xba/0x170
[   52.138951][ T5105]  ? skb_release_head_state+0x39/0x250
[   52.144404][ T5105]  kasan_report+0x143/0x180
[   52.148906][ T5105]  ? skb_release_head_state+0x39/0x250
[   52.154364][ T5105]  skb_release_head_state+0x39/0x250
[   52.159646][ T5105]  sk_skb_reason_drop+0x170/0x3d0
[   52.164660][ T5105]  hci_req_sync_complete+0xe8/0x290
[   52.169855][ T5105]  hci_event_packet+0xc75/0x1540
[   52.174787][ T5105]  ? __pfx_hci_cmd_complete_evt+0x10/0x10
[   52.180497][ T5105]  ? __pfx_hci_event_packet+0x10/0x10
[   52.185857][ T5105]  ? do_raw_spin_unlock+0x13c/0x8b0
[   52.191046][ T5105]  ? __pfx_hci_req_sync_complete+0x10/0x10
[   52.196843][ T5105]  ? hci_send_to_monitor+0xd8/0x7f0
[   52.202031][ T5105]  ? kcov_remote_start+0x9e/0x7e0
[   52.207050][ T5105]  hci_rx_work+0x3e8/0xca0
[   52.211483][ T5105]  ? process_scheduled_works+0x945/0x1830
[   52.217191][ T5105]  process_scheduled_works+0xa2c/0x1830
[   52.222738][ T5105]  ? __pfx_process_scheduled_works+0x10/0x10
[   52.228714][ T5105]  ? assign_work+0x364/0x3d0
[   52.233293][ T5105]  worker_thread+0x86d/0xd40
[   52.237878][ T5105]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   52.243760][ T5105]  ? __kthread_parkme+0x169/0x1d0
[   52.248775][ T5105]  ? __pfx_worker_thread+0x10/0x10
[   52.253876][ T5105]  kthread+0x2f0/0x390
[   52.257934][ T5105]  ? __pfx_worker_thread+0x10/0x10
[   52.263037][ T5105]  ? __pfx_kthread+0x10/0x10
[   52.267616][ T5105]  ret_from_fork+0x4b/0x80
[   52.272024][ T5105]  ? __pfx_kthread+0x10/0x10
[   52.276605][ T5105]  ret_from_fork_asm+0x1a/0x30
[   52.281365][ T5105]  </TASK>
[   52.284371][ T5105] 
[   52.286679][ T5105] Allocated by task 5105:
[   52.290988][ T5105]  kasan_save_track+0x3f/0x80
[   52.295652][ T5105]  __kasan_slab_alloc+0x66/0x80
[   52.300489][ T5105]  kmem_cache_alloc_noprof+0x135/0x2a0
[   52.305938][ T5105]  skb_clone+0x20c/0x390
[   52.310167][ T5105]  hci_cmd_work+0x2a2/0x670
[   52.314660][ T5105]  process_scheduled_works+0xa2c/0x1830
[   52.320196][ T5105]  worker_thread+0x86d/0xd40
[   52.324774][ T5105]  kthread+0x2f0/0x390
[   52.328830][ T5105]  ret_from_fork+0x4b/0x80
[   52.333234][ T5105]  ret_from_fork_asm+0x1a/0x30
[   52.337987][ T5105] 
[   52.340296][ T5105] Freed by task 5096:
[   52.344260][ T5105]  kasan_save_track+0x3f/0x80
[   52.348924][ T5105]  kasan_save_free_info+0x40/0x50
[   52.353937][ T5105]  poison_slab_object+0xe0/0x150
[   52.358860][ T5105]  __kasan_slab_free+0x37/0x60
[   52.363613][ T5105]  kmem_cache_free+0x145/0x350
[   52.368369][ T5105]  __hci_req_sync+0x631/0x950
[   52.373040][ T5105]  hci_req_sync+0xa9/0xd0
[   52.377358][ T5105]  hci_dev_cmd+0x4c5/0xa50
[   52.381764][ T5105]  sock_do_ioctl+0x158/0x460
[   52.386342][ T5105]  sock_ioctl+0x629/0x8e0
[   52.390657][ T5105]  __se_sys_ioctl+0xfc/0x170
[   52.395235][ T5105]  do_syscall_64+0xf3/0x230
[   52.399722][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   52.405602][ T5105] 
[   52.407912][ T5105] The buggy address belongs to the object at ffff888021b5f640
[   52.407912][ T5105]  which belongs to the cache skbuff_head_cache of size 240
[   52.422477][ T5105] The buggy address is located 88 bytes inside of
[   52.422477][ T5105]  freed 240-byte region [ffff888021b5f640, ffff888021b5f730)
[   52.436174][ T5105] 
[   52.438592][ T5105] The buggy address belongs to the physical page:
[   52.445000][ T5105] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21b5f
[   52.453767][ T5105] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[   52.460886][ T5105] page_type: 0xffffefff(slab)
[   52.465549][ T5105] raw: 00fff00000000000 ffff8880196dc780 dead000000000122 0000000000000000
[   52.474119][ T5105] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[   52.482684][ T5105] page dumped because: kasan: bad access detected
[   52.489088][ T5105] page_owner tracks the page as allocated
[   52.494781][ T5105] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5095, tgid 5095 (kworker/u9:2), ts 52003856533, free_ts 51880988234
[   52.514041][ T5105]  post_alloc_hook+0x1f3/0x230
[   52.518801][ T5105]  get_page_from_freelist+0x2ccb/0x2d80
[   52.524338][ T5105]  __alloc_pages_noprof+0x256/0x6c0
[   52.529526][ T5105]  alloc_slab_page+0x5f/0x120
[   52.534189][ T5105]  allocate_slab+0x5a/0x2f0
[   52.538677][ T5105]  ___slab_alloc+0xcd1/0x14b0
[   52.543338][ T5105]  __slab_alloc+0x58/0xa0
[   52.547651][ T5105]  kmem_cache_alloc_node_noprof+0x1fe/0x320
[   52.553537][ T5105]  __alloc_skb+0x1c3/0x440
[   52.557946][ T5105]  hci_sock_dev_event+0x102/0x5f0
[   52.562962][ T5105]  hci_dev_open_sync+0x11d0/0x2b60
[   52.568063][ T5105]  hci_power_on+0x1c7/0x6b0
[   52.572555][ T5105]  process_scheduled_works+0xa2c/0x1830
[   52.578086][ T5105]  worker_thread+0x86d/0xd40
[   52.582664][ T5105]  kthread+0x2f0/0x390
[   52.586723][ T5105]  ret_from_fork+0x4b/0x80
[   52.591141][ T5105] page last free pid 5083 tgid 5083 stack trace:
[   52.597466][ T5105]  free_unref_page+0xd22/0xea0
[   52.602219][ T5105]  __put_partials+0xeb/0x130
[   52.606793][ T5105]  put_cpu_partial+0x17c/0x250
[   52.611542][ T5105]  __slab_free+0x2ea/0x3d0
[   52.615965][ T5105]  qlist_free_all+0x9e/0x140
[   52.620543][ T5105]  kasan_quarantine_reduce+0x14f/0x170
[   52.625999][ T5105]  __kasan_slab_alloc+0x23/0x80
[   52.630837][ T5105]  kmem_cache_alloc_node_noprof+0x16b/0x320
[   52.636722][ T5105]  __alloc_skb+0x1c3/0x440
[   52.641128][ T5105]  netlink_sendmsg+0x638/0xcb0
[   52.645883][ T5105]  __sock_sendmsg+0x221/0x270
[   52.650547][ T5105]  ____sys_sendmsg+0x525/0x7d0
[   52.655294][ T5105]  __sys_sendmsg+0x2b0/0x3a0
[   52.659870][ T5105]  do_syscall_64+0xf3/0x230
[   52.664360][ T5105]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   52.670256][ T5105] 
[   52.672566][ T5105] Memory state around the buggy address:
[   52.678178][ T5105]  ffff888021b5f580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[   52.686239][ T5105]  ffff888021b5f600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   52.694286][ T5105] >ffff888021b5f680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.702329][ T5105]                             ^
[   52.707161][ T5105]  ffff888021b5f700: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[   52.715204][ T5105]  ffff888021b5f780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   52.723250][ T5105] ==================================================================
[   52.732617][ T5105] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   52.739834][ T5105] CPU: 0 UID: 0 PID: 5105 Comm: kworker/u9:7 Not tainted 6.10.0-rc5-next-20240624-syzkaller #0
[   52.750169][ T5105] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[   52.760220][ T5105] Workqueue: hci3 hci_rx_work
[   52.764897][ T5105] Call Trace:
[   52.768166][ T5105]  <TASK>
[   52.771087][ T5105]  dump_stack_lvl+0x241/0x360
[   52.775759][ T5105]  ? __pfx_dump_stack_lvl+0x10/0x10
[   52.780966][ T5105]  ? __pfx__printk+0x10/0x10
[   52.785541][ T5105]  ? preempt_schedule+0xe1/0xf0
[   52.790389][ T5105]  ? vscnprintf+0x5d/0x90
[   52.794711][ T5105]  panic+0x349/0x870
[   52.798596][ T5105]  ? check_panic_on_warn+0x21/0xb0
[   52.803703][ T5105]  ? __pfx_panic+0x10/0x10
[   52.808115][ T5105]  ? _raw_spin_unlock_irqrestore+0x130/0x140
[   52.814087][ T5105]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   52.820404][ T5105]  ? print_report+0x502/0x550
[   52.825078][ T5105]  check_panic_on_warn+0x86/0xb0
[   52.830009][ T5105]  ? skb_release_head_state+0x39/0x250
[   52.835462][ T5105]  end_report+0x77/0x160
[   52.839694][ T5105]  kasan_report+0x154/0x180
[   52.844190][ T5105]  ? skb_release_head_state+0x39/0x250
[   52.849648][ T5105]  skb_release_head_state+0x39/0x250
[   52.854926][ T5105]  sk_skb_reason_drop+0x170/0x3d0
[   52.859938][ T5105]  hci_req_sync_complete+0xe8/0x290
[   52.865133][ T5105]  hci_event_packet+0xc75/0x1540
[   52.870064][ T5105]  ? __pfx_hci_cmd_complete_evt+0x10/0x10
[   52.875775][ T5105]  ? __pfx_hci_event_packet+0x10/0x10
[   52.881138][ T5105]  ? do_raw_spin_unlock+0x13c/0x8b0
[   52.886326][ T5105]  ? __pfx_hci_req_sync_complete+0x10/0x10
[   52.892127][ T5105]  ? hci_send_to_monitor+0xd8/0x7f0
[   52.897320][ T5105]  ? kcov_remote_start+0x9e/0x7e0
[   52.902354][ T5105]  hci_rx_work+0x3e8/0xca0
[   52.906780][ T5105]  ? process_scheduled_works+0x945/0x1830
[   52.912503][ T5105]  process_scheduled_works+0xa2c/0x1830
[   52.918056][ T5105]  ? __pfx_process_scheduled_works+0x10/0x10
[   52.924031][ T5105]  ? assign_work+0x364/0x3d0
[   52.928614][ T5105]  worker_thread+0x86d/0xd40
[   52.933198][ T5105]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   52.939087][ T5105]  ? __kthread_parkme+0x169/0x1d0
[   52.944115][ T5105]  ? __pfx_worker_thread+0x10/0x10
[   52.949215][ T5105]  kthread+0x2f0/0x390
[   52.953281][ T5105]  ? __pfx_worker_thread+0x10/0x10
[   52.958382][ T5105]  ? __pfx_kthread+0x10/0x10
[   52.962983][ T5105]  ret_from_fork+0x4b/0x80
[   52.967388][ T5105]  ? __pfx_kthread+0x10/0x10
[   52.971971][ T5105]  ret_from_fork_asm+0x1a/0x30
[   52.976845][ T5105]  </TASK>
[   52.980066][ T5105] Kernel Offset: disabled
[   52.984407][ T5105] Rebooting in 86400 seconds..