last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.0.177' (ED25519) to the list of known hosts.
[ 55.234113][ T3536] cgroup: Unknown subsys name 'net'
[ 55.376211][ T3536] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 56.888215][ T3536] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k FS
[ 57.523288][ T3553] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 57.529371][ T3554] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 57.539178][ T3554] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 57.539813][ T3562] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 57.547123][ T3554] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 57.554371][ T3562] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 57.562348][ T3554] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 57.569583][ T3562] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 57.575965][ T3554] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 57.582429][ T3562] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 57.592211][ T3554] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 57.597789][ T3562] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 57.603230][ T3554] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 57.611070][ T3562] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 57.618062][ T3554] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 57.626371][ T3562] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 57.638824][ T3563] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 57.639603][ T3562] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 57.646800][ T3563] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 57.653555][ T3562] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 57.660734][ T3563] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 57.674151][ T3562] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 57.675376][ T3562] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 57.682544][ T3563] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 57.688753][ T3562] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 57.695348][ T3563] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 57.703089][ T3562] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 57.710049][ T3563] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 57.724748][ T3555] ==================================================================
[ 57.732839][ T3555] BUG: KASAN: use-after-free in kfree_skb_reason+0x3d/0x390
[ 57.737647][ T3563] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 57.740160][ T3555] Read of size 4 at addr ffff8880605440e4 by task syz-executor/3555
[ 57.740184][ T3555]
[ 57.740197][ T3555] CPU: 0 PID: 3555 Comm: syz-executor Not tainted 6.1.96-syzkaller #0
[ 57.740217][ T3555] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 57.740236][ T3555] Call Trace:
[ 57.740243][ T3555] <TASK>
[ 57.740250][ T3555] dump_stack_lvl+0x1e3/0x2cb
[ 57.749358][ T3563] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 57.755205][ T3555] ? nf_tcp_handle_invalid+0x642/0x642
[ 57.755246][ T3555] ? panic+0x764/0x764
[ 57.755269][ T3555] ? _printk+0xd1/0x111
[ 57.755289][ T3555] ? __virt_addr_valid+0x17f/0x520
[ 57.812649][ T3555] ? __virt_addr_valid+0x17f/0x520
[ 57.817802][ T3555] print_report+0x15f/0x4f0
[ 57.822337][ T3555] ? __virt_addr_valid+0x17f/0x520
[ 57.827481][ T3555] ? __virt_addr_valid+0x17f/0x520
[ 57.832623][ T3555] ? __virt_addr_valid+0x44a/0x520
[ 57.837784][ T3555] ? __phys_addr+0xb6/0x170
[ 57.842326][ T3555] ? kfree_skb_reason+0x3d/0x390
[ 57.847300][ T3555] kasan_report+0x136/0x160
[ 57.851817][ T3555] ? kfree_skb_reason+0x3d/0x390
[ 57.856775][ T3555] kasan_check_range+0x27f/0x290
[ 57.861747][ T3555] kfree_skb_reason+0x3d/0x390
[ 57.866532][ T3555] __hci_req_sync+0x626/0x940
[ 57.871216][ T3555] ? trace_contention_end+0x61/0x170
[ 57.876540][ T3555] ? hci_req_sync_complete+0x280/0x280
[ 57.882092][ T3555] ? mutex_lock_nested+0x10/0x10
[ 57.887037][ T3555] ? wake_bit_function+0x210/0x210
[ 57.892165][ T3555] ? hci_encrypt_req+0x170/0x170
[ 57.897122][ T3555] hci_req_sync+0xa5/0xc0
[ 57.901458][ T3555] hci_dev_cmd+0x2fc/0xa30
[ 57.905973][ T3555] ? security_capable+0x86/0xb0
[ 57.910841][ T3555] ? hci_dev_reset_stat+0x1a0/0x1a0
[ 57.916052][ T3555] ? hci_sock_ioctl+0x426/0x850
[ 57.920909][ T3555] sock_do_ioctl+0x152/0x450
[ 57.925508][ T3555] ? sock_show_fdinfo+0xb0/0xb0
[ 57.930365][ T3555] ? __fget_files+0x28/0x4a0
[ 57.934961][ T3555] sock_ioctl+0x47f/0x770
[ 57.939327][ T3555] ? sock_poll+0x410/0x410
[ 57.943746][ T3555] ? __fget_files+0x28/0x4a0
[ 57.948338][ T3555] ? __fget_files+0x435/0x4a0
[ 57.953017][ T3555] ? __fget_files+0x28/0x4a0
[ 57.957616][ T3555] ? bpf_lsm_file_ioctl+0x5/0x10
[ 57.962556][ T3555] ? security_file_ioctl+0x7d/0xa0
[ 57.967669][ T3555] ? sock_poll+0x410/0x410
[ 57.972090][ T3555] __se_sys_ioctl+0xf1/0x160
[ 57.976787][ T3555] do_syscall_64+0x3b/0xb0
[ 57.981214][ T3555] ? clear_bhb_loop+0x45/0xa0
[ 57.985900][ T3555] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 57.991802][ T3555] RIP: 0033:0x7f25f977572b
[ 57.996227][ T3555] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 58.015837][ T3555] RSP: 002b:00007ffdb7fe2a00 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 58.024253][ T3555] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f25f977572b
[ 58.032226][ T3555] RDX: 00007ffdb7fe2a78 RSI: 00000000400448dd RDI: 0000000000000003
[ 58.040284][ T3555] RBP: 0000555556d9a4a8 R08: 0000000000000000 R09: 0000000000000000
[ 58.048270][ T3555] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000003
[ 58.056244][ T3555] R13: 0000000000000003 R14: 0000000000000009 R15: 0000000000000009
[ 58.064224][ T3555] </TASK>
[ 58.067242][ T3555]
[ 58.069570][ T3555] Allocated by task 48:
[ 58.073731][ T3555] kasan_set_track+0x4b/0x70
[ 58.078332][ T3555] __kasan_slab_alloc+0x65/0x70
[ 58.083183][ T3555] slab_post_alloc_hook+0x52/0x3a0
[ 58.088301][ T3555] kmem_cache_alloc+0x10c/0x2d0
[ 58.093155][ T3555] skb_clone+0x1e5/0x360
[ 58.097396][ T3555] hci_cmd_work+0x296/0x660
[ 58.101907][ T3555] process_one_work+0x8a9/0x11d0
[ 58.106846][ T3555] worker_thread+0xa47/0x1200
[ 58.111525][ T3555] kthread+0x28d/0x320
[ 58.115591][ T3555] ret_from_fork+0x1f/0x30
[ 58.120013][ T3555]
[ 58.122331][ T3555] Freed by task 3562:
[ 58.126307][ T3555] kasan_set_track+0x4b/0x70
[ 58.130904][ T3555] kasan_save_free_info+0x27/0x40
[ 58.135929][ T3555] ____kasan_slab_free+0xd6/0x120
[ 58.140963][ T3555] kmem_cache_free+0x292/0x510
[ 58.145732][ T3555] hci_req_sync_complete+0xee/0x280
[ 58.150947][ T3555] hci_event_packet+0xc49/0x1510
[ 58.155893][ T3555] hci_rx_work+0x3cd/0xce0
[ 58.160310][ T3555] process_one_work+0x8a9/0x11d0
[ 58.165251][ T3555] worker_thread+0xa47/0x1200
[ 58.169933][ T3555] kthread+0x28d/0x320
[ 58.173999][ T3555] ret_from_fork+0x1f/0x30
[ 58.178420][ T3555]
[ 58.180913][ T3555] The buggy address belongs to the object at ffff888060544000
[ 58.180913][ T3555] which belongs to the cache skbuff_head_cache of size 240
[ 58.195489][ T3555] The buggy address is located 228 bytes inside of
[ 58.195489][ T3555] 240-byte region [ffff888060544000, ffff8880605440f0)
[ 58.208935][ T3555]
[ 58.211259][ T3555] The buggy address belongs to the physical page:
[ 58.217674][ T3555] page:ffffea0001815100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x60544
[ 58.227911][ T3555] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 58.235463][ T3555] raw: 00fff00000000200 0000000000000000 dead000000000122 ffff88814127d000
[ 58.244597][ T3555] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[ 58.253174][ T3555] page dumped because: kasan: bad access detected
[ 58.259595][ T3555] page_owner tracks the page as allocated
[ 58.265307][ T3555] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 48, tgid 48 (kworker/u5:0), ts 57724424219, free_ts 17287139828
[ 58.283302][ T3555] post_alloc_hook+0x18d/0x1b0
[ 58.288079][ T3555] get_page_from_freelist+0x31a1/0x3320
[ 58.293624][ T3555] __alloc_pages+0x28d/0x770
[ 58.298244][ T3555] alloc_slab_page+0x6a/0x150
[ 58.302925][ T3555] new_slab+0x84/0x2d0
[ 58.306997][ T3555] ___slab_alloc+0xc20/0x1270
[ 58.311680][ T3555] kmem_cache_alloc+0x1a5/0x2d0
[ 58.316533][ T3555] skb_clone+0x1e5/0x360
[ 58.320774][ T3555] hci_cmd_work+0x296/0x660
[ 58.325364][ T3555] process_one_work+0x8a9/0x11d0
[ 58.330308][ T3555] worker_thread+0xa47/0x1200
[ 58.335104][ T3555] kthread+0x28d/0x320
[ 58.339189][ T3555] ret_from_fork+0x1f/0x30
[ 58.343620][ T3555] page last free stack trace:
[ 58.348292][ T3555] free_unref_page_prepare+0xf63/0x1120
[ 58.353840][ T3555] free_unref_page+0x33/0x3e0
[ 58.358517][ T3555] free_contig_range+0x9a/0x150
[ 58.363372][ T3555] destroy_args+0xfe/0x997
[ 58.367793][ T3555] debug_vm_pgtable+0x416/0x46b
[ 58.372648][ T3555] do_one_initcall+0x265/0x8f0
[ 58.377419][ T3555] do_initcall_level+0x157/0x207
[ 58.382456][ T3555] do_initcalls+0x49/0x86
[ 58.386874][ T3555] kernel_init_freeable+0x45c/0x60f
[ 58.392075][ T3555] kernel_init+0x19/0x290
[ 58.397973][ T3555] ret_from_fork+0x1f/0x30
[ 58.402403][ T3555]
[ 58.404720][ T3555] Memory state around the buggy address:
[ 58.410355][ T3555] ffff888060543f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.418597][ T3555] ffff888060544000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.426785][ T3555] >ffff888060544080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 58.434851][ T3555] ^
[ 58.442037][ T3555] ffff888060544100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 58.450186][ T3555] ffff888060544180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.458241][ T3555] ==================================================================
[ 58.467606][ T3555] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 58.474833][ T3555] CPU: 0 PID: 3555 Comm: syz-executor Not tainted 6.1.96-syzkaller #0
[ 58.483095][ T3555] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 58.493173][ T3555] Call Trace:
[ 58.496472][ T3555] <TASK>
[ 58.499424][ T3555] dump_stack_lvl+0x1e3/0x2cb
[ 58.504141][ T3555] ? nf_tcp_handle_invalid+0x642/0x642
[ 58.509639][ T3555] ? panic+0x764/0x764
[ 58.513740][ T3555] ? preempt_schedule_common+0xa6/0xd0
[ 58.519242][ T3555] ? vscnprintf+0x59/0x80
[ 58.523608][ T3555] panic+0x318/0x764
[ 58.527529][ T3555] ? check_panic_on_warn+0x1d/0xa0
[ 58.532669][ T3555] ? memcpy_page_flushcache+0xfc/0xfc
[ 58.538081][ T3555] ? _raw_spin_unlock_irqrestore+0x128/0x130
[ 58.544095][ T3555] ? _raw_spin_unlock+0x40/0x40
[ 58.549067][ T3555] ? print_report+0x4a3/0x4f0
[ 58.553775][ T3555] check_panic_on_warn+0x7e/0xa0
[ 58.559011][ T3555] ? kfree_skb_reason+0x3d/0x390
[ 58.564083][ T3555] end_report+0x66/0x110
[ 58.568350][ T3555] kasan_report+0x143/0x160
[ 58.572880][ T3555] ? kfree_skb_reason+0x3d/0x390
[ 58.577853][ T3555] kasan_check_range+0x27f/0x290
[ 58.582815][ T3555] kfree_skb_reason+0x3d/0x390
[ 58.587622][ T3555] __hci_req_sync+0x626/0x940
[ 58.592461][ T3555] ? trace_contention_end+0x61/0x170
[ 58.597784][ T3555] ? hci_req_sync_complete+0x280/0x280
[ 58.603281][ T3555] ? mutex_lock_nested+0x10/0x10
[ 58.608250][ T3555] ? wake_bit_function+0x210/0x210
[ 58.613403][ T3555] ? hci_encrypt_req+0x170/0x170
[ 58.618377][ T3555] hci_req_sync+0xa5/0xc0
[ 58.622735][ T3555] hci_dev_cmd+0x2fc/0xa30
[ 58.627185][ T3555] ? security_capable+0x86/0xb0
[ 58.632074][ T3555] ? hci_dev_reset_stat+0x1a0/0x1a0
[ 58.637307][ T3555] ? hci_sock_ioctl+0x426/0x850
[ 58.642188][ T3555] sock_do_ioctl+0x152/0x450
[ 58.646804][ T3555] ? sock_show_fdinfo+0xb0/0xb0
[ 58.651684][ T3555] ? __fget_files+0x28/0x4a0
[ 58.656308][ T3555] sock_ioctl+0x47f/0x770
[ 58.660666][ T3555] ? sock_poll+0x410/0x410
[ 58.665110][ T3555] ? __fget_files+0x28/0x4a0
[ 58.669729][ T3555] ? __fget_files+0x435/0x4a0
[ 58.674432][ T3555] ? __fget_files+0x28/0x4a0
[ 58.679056][ T3555] ? bpf_lsm_file_ioctl+0x5/0x10
[ 58.684019][ T3555] ? security_file_ioctl+0x7d/0xa0
[ 58.689162][ T3555] ? sock_poll+0x410/0x410
[ 58.693603][ T3555] __se_sys_ioctl+0xf1/0x160
[ 58.698232][ T3555] do_syscall_64+0x3b/0xb0
[ 58.702681][ T3555] ? clear_bhb_loop+0x45/0xa0
[ 58.707412][ T3555] entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 58.713344][ T3555] RIP: 0033:0x7f25f977572b
[ 58.717783][ T3555] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 58.737501][ T3555] RSP: 002b:00007ffdb7fe2a00 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 58.745945][ T3555] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f25f977572b
[ 58.753944][ T3555] RDX: 00007ffdb7fe2a78 RSI: 00000000400448dd RDI: 0000000000000003
[ 58.761952][ T3555] RBP: 0000555556d9a4a8 R08: 0000000000000000 R09: 0000000000000000
[ 58.769953][ T3555] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000003
[ 58.777950][ T3555] R13: 0000000000000003 R14: 0000000000000009 R15: 0000000000000009
[ 58.785940][ T3555] </TASK>
[ 58.789087][ T3555] Kernel Offset: disabled
[ 58.793410][ T3555] Rebooting in 86400 seconds..