last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.0.126' (ED25519) to the list of known hosts.
syzkaller login: [   48.494941][ T3535] cgroup: Unknown subsys name 'net'
[   48.593027][ T3535] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   49.857586][ T3535] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k FS
[   50.948241][ T3553] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   50.957382][ T3555] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   50.962408][ T3560] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   50.965501][ T3555] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   50.972227][ T3560] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[   50.980716][ T3555] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[   50.987007][ T3560] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   50.993926][ T3555] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   51.008792][ T3560] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   51.008892][ T3555] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[   51.016194][ T3560] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[   51.023527][ T3555] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[   51.030387][ T3560] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   51.037704][ T3555] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[   51.043844][ T3560] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[   51.052278][ T3555] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[   51.058283][ T3560] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[   51.065737][ T3555] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   51.072252][ T3560] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[   51.079247][ T3555] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[   51.086284][ T3560] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[   51.093052][ T3555] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[   51.099571][ T3560] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[   51.106621][ T3555] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[   51.113833][ T3560] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[   51.120526][ T3555] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[   51.128243][ T3560] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[   51.134623][ T3555] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   51.156396][ T3551] ==================================================================
[   51.159753][ T3555] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[   51.164472][ T3551] BUG: KASAN: use-after-free in kfree_skb_reason+0x3d/0x390
[   51.178681][ T3551] Read of size 4 at addr ffff888060a63364 by task syz-executor/3551
[   51.186668][ T3551] 
[   51.189008][ T3551] CPU: 0 PID: 3551 Comm: syz-executor Not tainted 6.1.99-syzkaller #0
[   51.197172][ T3551] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[   51.207246][ T3551] Call Trace:
[   51.210538][ T3551]  <TASK>
[   51.213509][ T3551]  dump_stack_lvl+0x1e3/0x2cb
[   51.217662][   T48] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[   51.218198][ T3551]  ? nf_tcp_handle_invalid+0x642/0x642
[   51.230625][ T3551]  ? panic+0x764/0x764
[   51.234732][ T3551]  ? _printk+0xd1/0x111
[   51.239002][ T3551]  ? __virt_addr_valid+0x17f/0x520
[   51.244133][ T3551]  ? __virt_addr_valid+0x17f/0x520
[   51.249361][ T3551]  print_report+0x15f/0x4f0
[   51.253884][ T3551]  ? __virt_addr_valid+0x17f/0x520
[   51.259014][ T3551]  ? __virt_addr_valid+0x17f/0x520
[   51.264156][ T3551]  ? __virt_addr_valid+0x44a/0x520
[   51.269325][ T3551]  ? __phys_addr+0xb6/0x170
[   51.273830][ T3551]  ? kfree_skb_reason+0x3d/0x390
[   51.278764][ T3551]  kasan_report+0x136/0x160
[   51.283251][ T3551]  ? kfree_skb_reason+0x3d/0x390
[   51.288179][ T3551]  kasan_check_range+0x27f/0x290
[   51.293272][ T3551]  kfree_skb_reason+0x3d/0x390
[   51.298025][ T3551]  __hci_req_sync+0x626/0x940
[   51.302687][ T3551]  ? trace_contention_end+0x61/0x170
[   51.307962][ T3551]  ? hci_req_sync_complete+0x280/0x280
[   51.313410][ T3551]  ? mutex_lock_nested+0x10/0x10
[   51.318425][ T3551]  ? hci_encrypt_req+0x170/0x170
[   51.323451][ T3551]  hci_req_sync+0xa5/0xc0
[   51.327776][ T3551]  hci_dev_cmd+0x2fc/0xa30
[   51.332179][ T3551]  ? security_capable+0x86/0xb0
[   51.337018][ T3551]  ? hci_dev_reset_stat+0x1a0/0x1a0
[   51.342216][ T3551]  ? hci_sock_ioctl+0x426/0x850
[   51.347137][ T3551]  sock_do_ioctl+0x152/0x450
[   51.351717][ T3551]  ? sock_show_fdinfo+0xb0/0xb0
[   51.356550][ T3551]  ? __fget_files+0x28/0x4a0
[   51.361125][ T3551]  sock_ioctl+0x47f/0x770
[   51.365437][ T3551]  ? sock_poll+0x410/0x410
[   51.369839][ T3551]  ? __fget_files+0x28/0x4a0
[   51.374677][ T3551]  ? __fget_files+0x435/0x4a0
[   51.379353][ T3551]  ? __fget_files+0x28/0x4a0
[   51.383933][ T3551]  ? bpf_lsm_file_ioctl+0x5/0x10
[   51.388867][ T3551]  ? security_file_ioctl+0x7d/0xa0
[   51.393984][ T3551]  ? sock_poll+0x410/0x410
[   51.398392][ T3551]  __se_sys_ioctl+0xf1/0x160
[   51.402974][ T3551]  do_syscall_64+0x3b/0xb0
[   51.407392][ T3551]  ? clear_bhb_loop+0x45/0xa0
[   51.412074][ T3551]  entry_SYSCALL_64_after_hwframe+0x68/0xd2
[   51.417968][ T3551] RIP: 0033:0x7fb9c17757db
[   51.422398][ T3551] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[   51.442013][ T3551] RSP: 002b:00007fffbed11110 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   51.450430][ T3551] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb9c17757db
[   51.458411][ T3551] RDX: 00007fffbed11188 RSI: 00000000400448dd RDI: 0000000000000003
[   51.466372][ T3551] RBP: 000055555560f4a8 R08: 0000000000000000 R09: 0000000000000000
[   51.474326][ T3551] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000004
[   51.482282][ T3551] R13: 0000000000000004 R14: 0000000000000009 R15: 0000000000000009
[   51.490245][ T3551]  </TASK>
[   51.493255][ T3551] 
[   51.495577][ T3551] Allocated by task 3555:
[   51.499880][ T3551]  kasan_set_track+0x4b/0x70
[   51.504461][ T3551]  __kasan_slab_alloc+0x65/0x70
[   51.509293][ T3551]  slab_post_alloc_hook+0x52/0x3a0
[   51.514397][ T3551]  kmem_cache_alloc+0x10c/0x2d0
[   51.519229][ T3551]  skb_clone+0x1e5/0x360
[   51.523456][ T3551]  hci_cmd_work+0x296/0x660
[   51.527938][ T3551]  process_one_work+0x8a9/0x11d0
[   51.532858][ T3551]  worker_thread+0xa47/0x1200
[   51.537540][ T3551]  kthread+0x28d/0x320
[   51.541589][ T3551]  ret_from_fork+0x1f/0x30
[   51.545992][ T3551] 
[   51.548303][ T3551] Freed by task 3555:
[   51.552261][ T3551]  kasan_set_track+0x4b/0x70
[   51.556835][ T3551]  kasan_save_free_info+0x27/0x40
[   51.561841][ T3551]  ____kasan_slab_free+0xd6/0x120
[   51.566853][ T3551]  kmem_cache_free+0x292/0x510
[   51.571602][ T3551]  hci_req_sync_complete+0xee/0x280
[   51.576784][ T3551]  hci_event_packet+0xc49/0x1510
[   51.581707][ T3551]  hci_rx_work+0x3cd/0xce0
[   51.586112][ T3551]  process_one_work+0x8a9/0x11d0
[   51.591035][ T3551]  worker_thread+0xa47/0x1200
[   51.595694][ T3551]  kthread+0x28d/0x320
[   51.599829][ T3551]  ret_from_fork+0x1f/0x30
[   51.604229][ T3551] 
[   51.606533][ T3551] The buggy address belongs to the object at ffff888060a63280
[   51.606533][ T3551]  which belongs to the cache skbuff_head_cache of size 240
[   51.621090][ T3551] The buggy address is located 228 bytes inside of
[   51.621090][ T3551]  240-byte region [ffff888060a63280, ffff888060a63370)
[   51.634345][ T3551] 
[   51.636657][ T3551] The buggy address belongs to the physical page:
[   51.643244][ T3551] page:ffffea00018298c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x60a63
[   51.653394][ T3551] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[   51.660948][ T3551] raw: 00fff00000000200 0000000000000000 dead000000000122 ffff888013e47280
[   51.669512][ T3551] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[   51.678071][ T3551] page dumped because: kasan: bad access detected
[   51.684472][ T3551] page_owner tracks the page as allocated
[   51.690164][ T3551] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 3555, tgid 3555 (kworker/u5:4), ts 51149962229, free_ts 11330055404
[   51.708651][ T3551]  post_alloc_hook+0x18d/0x1b0
[   51.713423][ T3551]  get_page_from_freelist+0x322e/0x33b0
[   51.719050][ T3551]  __alloc_pages+0x28d/0x770
[   51.723624][ T3551]  alloc_slab_page+0x6a/0x150
[   51.728287][ T3551]  new_slab+0x84/0x2d0
[   51.732340][ T3551]  ___slab_alloc+0xc20/0x1270
[   51.736999][ T3551]  kmem_cache_alloc+0x1a5/0x2d0
[   51.741838][ T3551]  skb_clone+0x1e5/0x360
[   51.746152][ T3551]  hci_cmd_work+0xd8/0x660
[   51.750579][ T3551]  process_one_work+0x8a9/0x11d0
[   51.755527][ T3551]  worker_thread+0xa47/0x1200
[   51.760200][ T3551]  kthread+0x28d/0x320
[   51.764250][ T3551]  ret_from_fork+0x1f/0x30
[   51.768652][ T3551] page last free stack trace:
[   51.773303][ T3551]  free_unref_page_prepare+0xf63/0x1120
[   51.778828][ T3551]  free_unref_page+0x33/0x3e0
[   51.783483][ T3551]  free_contig_range+0x9a/0x150
[   51.788323][ T3551]  destroy_args+0xfe/0x997
[   51.792735][ T3551]  debug_vm_pgtable+0x416/0x46b
[   51.797573][ T3551]  do_one_initcall+0x265/0x8f0
[   51.802321][ T3551]  do_initcall_level+0x157/0x207
[   51.807238][ T3551]  do_initcalls+0x49/0x86
[   51.811552][ T3551]  kernel_init_freeable+0x45c/0x60f
[   51.816741][ T3551]  kernel_init+0x19/0x290
[   51.821057][ T3551]  ret_from_fork+0x1f/0x30
[   51.825456][ T3551] 
[   51.827762][ T3551] Memory state around the buggy address:
[   51.833374][ T3551]  ffff888060a63200: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[   51.841416][ T3551]  ffff888060a63280: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.849458][ T3551] >ffff888060a63300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   51.857498][ T3551]                                                        ^
[   51.864668][ T3551]  ffff888060a63380: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   51.872709][ T3551]  ffff888060a63400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   51.880746][ T3551] ==================================================================
[   51.889147][ T3551] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   51.896351][ T3551] CPU: 1 PID: 3551 Comm: syz-executor Not tainted 6.1.99-syzkaller #0
[   51.904505][ T3551] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[   51.914599][ T3551] Call Trace:
[   51.917881][ T3551]  <TASK>
[   51.920819][ T3551]  dump_stack_lvl+0x1e3/0x2cb
[   51.925517][ T3551]  ? nf_tcp_handle_invalid+0x642/0x642
[   51.930994][ T3551]  ? panic+0x764/0x764
[   51.935072][ T3551]  ? preempt_schedule_common+0xa6/0xd0
[   51.940545][ T3551]  ? vscnprintf+0x59/0x80
[   51.944891][ T3551]  panic+0x318/0x764
[   51.948798][ T3551]  ? check_panic_on_warn+0x1d/0xa0
[   51.953922][ T3551]  ? memcpy_page_flushcache+0xfc/0xfc
[   51.959309][ T3551]  ? _raw_spin_unlock_irqrestore+0x128/0x130
[   51.965305][ T3551]  ? _raw_spin_unlock+0x40/0x40
[   51.970170][ T3551]  ? print_report+0x4a3/0x4f0
[   51.974861][ T3551]  check_panic_on_warn+0x7e/0xa0
[   51.979815][ T3551]  ? kfree_skb_reason+0x3d/0x390
[   51.984775][ T3551]  end_report+0x66/0x110
[   51.989027][ T3551]  kasan_report+0x143/0x160
[   51.993550][ T3551]  ? kfree_skb_reason+0x3d/0x390
[   51.998506][ T3551]  kasan_check_range+0x27f/0x290
[   52.003466][ T3551]  kfree_skb_reason+0x3d/0x390
[   52.008247][ T3551]  __hci_req_sync+0x626/0x940
[   52.012914][ T3551]  ? trace_contention_end+0x61/0x170
[   52.018188][ T3551]  ? hci_req_sync_complete+0x280/0x280
[   52.023633][ T3551]  ? mutex_lock_nested+0x10/0x10
[   52.028561][ T3551]  ? hci_encrypt_req+0x170/0x170
[   52.033486][ T3551]  hci_req_sync+0xa5/0xc0
[   52.037802][ T3551]  hci_dev_cmd+0x2fc/0xa30
[   52.042206][ T3551]  ? security_capable+0x86/0xb0
[   52.047227][ T3551]  ? hci_dev_reset_stat+0x1a0/0x1a0
[   52.052416][ T3551]  ? hci_sock_ioctl+0x426/0x850
[   52.057254][ T3551]  sock_do_ioctl+0x152/0x450
[   52.061832][ T3551]  ? sock_show_fdinfo+0xb0/0xb0
[   52.066675][ T3551]  ? __fget_files+0x28/0x4a0
[   52.071259][ T3551]  sock_ioctl+0x47f/0x770
[   52.075591][ T3551]  ? sock_poll+0x410/0x410
[   52.079988][ T3551]  ? __fget_files+0x28/0x4a0
[   52.084558][ T3551]  ? __fget_files+0x435/0x4a0
[   52.089217][ T3551]  ? __fget_files+0x28/0x4a0
[   52.093876][ T3551]  ? bpf_lsm_file_ioctl+0x5/0x10
[   52.098797][ T3551]  ? security_file_ioctl+0x7d/0xa0
[   52.103892][ T3551]  ? sock_poll+0x410/0x410
[   52.108293][ T3551]  __se_sys_ioctl+0xf1/0x160
[   52.112885][ T3551]  do_syscall_64+0x3b/0xb0
[   52.117292][ T3551]  ? clear_bhb_loop+0x45/0xa0
[   52.121968][ T3551]  entry_SYSCALL_64_after_hwframe+0x68/0xd2
[   52.127852][ T3551] RIP: 0033:0x7fb9c17757db
[   52.132261][ T3551] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[   52.151850][ T3551] RSP: 002b:00007fffbed11110 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   52.160248][ T3551] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb9c17757db
[   52.168293][ T3551] RDX: 00007fffbed11188 RSI: 00000000400448dd RDI: 0000000000000003
[   52.176263][ T3551] RBP: 000055555560f4a8 R08: 0000000000000000 R09: 0000000000000000
[   52.184222][ T3551] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000004
[   52.192175][ T3551] R13: 0000000000000004 R14: 0000000000000009 R15: 0000000000000009
[   52.200135][ T3551]  </TASK>
[   52.203334][ T3551] Kernel Offset: disabled
[   52.210788][ T3551] Rebooting in 86400 seconds..