last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.1.225' (ED25519) to the list of known hosts.
[ 70.271986][ T5080] cgroup: Unknown subsys name 'net'
[ 70.407709][ T5080] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 71.651873][ T1251] ieee802154 phy0 wpan0: encryption failed: -22
[ 71.658534][ T1251] ieee802154 phy1 wpan1: encryption failed: -22
[ 72.176787][ T5080] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 74.571057][ T5105] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 74.573813][ T5107] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 74.586766][ T5107] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 74.594695][ T5107] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 74.602337][ T5105] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 74.602804][ T5107] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 74.611952][ T5105] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 74.617980][ T5107] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 74.625730][ T5105] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 74.632947][ T5107] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 74.638467][ T5105] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 74.645879][ T5107] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 74.652190][ T5105] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 74.667589][ T5105] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 74.668481][ T5107] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 74.675025][ T5105] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 74.683966][ T5107] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 74.690667][ T5105] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 74.696923][ T5107] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 74.709625][ T5108] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 74.718149][ T5107] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 74.724911][ T5110] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 74.732921][ T5110] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 74.740215][ T5107] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 74.742036][ T5110] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 74.754792][ T5107] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 74.757802][ T5110] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 74.769615][ T5108] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 74.784516][ T5102] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 74.792073][ T5102] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 74.801468][ T5090] ==================================================================
[ 74.809570][ T5090] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x41/0x3b0
[ 74.817352][ T5090] Read of size 4 at addr ffff888069713ae4 by task syz-executor/5090
[ 74.825359][ T5090]
[ 74.827717][ T5090] CPU: 1 PID: 5090 Comm: syz-executor Not tainted 6.10.0-rc2-syzkaller-00834-g90dc946059b7 #0
[ 74.837982][ T5090] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 74.848077][ T5090] Call Trace:
[ 74.851395][ T5090]
[ 74.854348][ T5090] dump_stack_lvl+0x241/0x360
[ 74.859060][ T5090] ? __pfx_dump_stack_lvl+0x10/0x10
[ 74.864302][ T5090] ? __pfx__printk+0x10/0x10
[ 74.869099][ T5090] ? _printk+0xd5/0x120
[ 74.873286][ T5090] ? __virt_addr_valid+0x183/0x520
[ 74.878447][ T5090] ? __virt_addr_valid+0x183/0x520
[ 74.883599][ T5090] print_report+0x169/0x550
[ 74.888137][ T5090] ? __virt_addr_valid+0x183/0x520
[ 74.893317][ T5090] ? __virt_addr_valid+0x183/0x520
[ 74.898467][ T5090] ? __virt_addr_valid+0x44e/0x520
[ 74.903705][ T5090] ? __phys_addr+0xba/0x170
[ 74.908333][ T5090] ? kfree_skb_reason+0x41/0x3b0
[ 74.913308][ T5090] kasan_report+0x143/0x180
[ 74.917847][ T5090] ? kfree_skb_reason+0x41/0x3b0
[ 74.922921][ T5090] kasan_check_range+0x282/0x290
[ 74.927898][ T5090] kfree_skb_reason+0x41/0x3b0
[ 74.932700][ T5090] __hci_req_sync+0x62f/0x950
[ 74.937451][ T5090] ? __pfx___hci_req_sync+0x10/0x10
[ 74.942772][ T5090] ? __pfx___mutex_lock+0x10/0x10
[ 74.947838][ T5090] ? __pfx_autoremove_wake_function+0x10/0x10
[ 74.953950][ T5090] ? __pfx_hci_scan_req+0x10/0x10
[ 74.959001][ T5090] hci_req_sync+0xa9/0xd0
[ 74.963357][ T5090] hci_dev_cmd+0x4c5/0xa50
[ 74.967812][ T5090] ? security_capable+0x90/0xb0
[ 74.972693][ T5090] ? __pfx_hci_dev_cmd+0x10/0x10
[ 74.977665][ T5090] ? hci_sock_ioctl+0x6c4/0xa40
[ 74.982551][ T5090] sock_do_ioctl+0x158/0x460
[ 74.987173][ T5090] ? __pfx_sock_do_ioctl+0x10/0x10
[ 74.992324][ T5090] sock_ioctl+0x629/0x8e0
[ 74.996700][ T5090] ? __pfx_sock_ioctl+0x10/0x10
[ 75.001593][ T5090] ? __fget_files+0x29/0x470
[ 75.006224][ T5090] ? __fget_files+0x3f6/0x470
[ 75.010934][ T5090] ? __fget_files+0x29/0x470
[ 75.015565][ T5090] ? bpf_lsm_file_ioctl+0x9/0x10
[ 75.020542][ T5090] ? security_file_ioctl+0x87/0xb0
[ 75.025694][ T5090] ? __pfx_sock_ioctl+0x10/0x10
[ 75.030606][ T5090] __se_sys_ioctl+0xfc/0x170
[ 75.035249][ T5090] do_syscall_64+0xf3/0x230
[ 75.039786][ T5090] ? clear_bhb_loop+0x35/0x90
[ 75.044499][ T5090] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.050449][ T5090] RIP: 0033:0x7f187f7757db
[ 75.054897][ T5090] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 75.074531][ T5090] RSP: 002b:00007fff46718e60 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 75.082980][ T5090] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f187f7757db
[ 75.090992][ T5090] RDX: 00007fff46718ed8 RSI: 00000000400448dd RDI: 0000000000000003
[ 75.098995][ T5090] RBP: 0000555569d924a8 R08: 0000000000000000 R09: 0000000000000000
[ 75.106995][ T5090] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 75.115013][ T5090] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 75.123029][ T5090]
[ 75.126082][ T5090]
[ 75.128423][ T5090] Allocated by task 5102:
[ 75.132767][ T5090] kasan_save_track+0x3f/0x80
[ 75.137477][ T5090] __kasan_slab_alloc+0x66/0x80
[ 75.142407][ T5090] kmem_cache_alloc_noprof+0x135/0x2a0
[ 75.147986][ T5090] skb_clone+0x20c/0x390
[ 75.152978][ T5090] hci_cmd_work+0x29e/0x670
[ 75.158257][ T5090] process_scheduled_works+0xa2c/0x1830
[ 75.163838][ T5090] worker_thread+0x86d/0xd70
[ 75.168463][ T5090] kthread+0x2f0/0x390
[ 75.172565][ T5090] ret_from_fork+0x4b/0x80
[ 75.177030][ T5090] ret_from_fork_asm+0x1a/0x30
[ 75.181840][ T5090]
[ 75.184189][ T5090] Freed by task 5102:
[ 75.188187][ T5090] kasan_save_track+0x3f/0x80
[ 75.192897][ T5090] kasan_save_free_info+0x40/0x50
[ 75.197957][ T5090] poison_slab_object+0xe0/0x150
[ 75.202935][ T5090] __kasan_slab_free+0x37/0x60
[ 75.207730][ T5090] kmem_cache_free+0x145/0x350
[ 75.212526][ T5090] hci_req_sync_complete+0xe7/0x290
[ 75.217761][ T5090] hci_event_packet+0xc71/0x1540
[ 75.222736][ T5090] hci_rx_work+0x3e8/0xca0
[ 75.227187][ T5090] process_scheduled_works+0xa2c/0x1830
[ 75.232780][ T5090] worker_thread+0x86d/0xd70
[ 75.237454][ T5090] kthread+0x2f0/0x390
[ 75.241563][ T5090] ret_from_fork+0x4b/0x80
[ 75.246027][ T5090] ret_from_fork_asm+0x1a/0x30
[ 75.250844][ T5090]
[ 75.253212][ T5090] The buggy address belongs to the object at ffff888069713a00
[ 75.253212][ T5090] which belongs to the cache skbuff_head_cache of size 240
[ 75.267912][ T5090] The buggy address is located 228 bytes inside of
[ 75.267912][ T5090] freed 240-byte region [ffff888069713a00, ffff888069713af0)
[ 75.281750][ T5090]
[ 75.284083][ T5090] The buggy address belongs to the physical page:
[ 75.290501][ T5090] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x69713
[ 75.299274][ T5090] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 75.306391][ T5090] page_type: 0xffffefff(slab)
[ 75.311084][ T5090] raw: 00fff00000000000 ffff888018ae0780 dead000000000122 0000000000000000
[ 75.319671][ T5090] raw: 0000000000000000 00000000000c000c 00000001ffffefff 0000000000000000
[ 75.328252][ T5090] page dumped because: kasan: bad access detected
[ 75.334669][ T5090] page_owner tracks the page as allocated
[ 75.340380][ T5090] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5094, tgid 5089 (syz-executor), ts 74799295162, free_ts 23806576767
[ 75.359748][ T5090] post_alloc_hook+0x1f3/0x230
[ 75.364528][ T5090] get_page_from_freelist+0x2e2d/0x2ee0
[ 75.371001][ T5090] __alloc_pages_noprof+0x256/0x6c0
[ 75.376317][ T5090] alloc_slab_page+0x5f/0x120
[ 75.381017][ T5090] allocate_slab+0x5a/0x2e0
[ 75.385541][ T5090] ___slab_alloc+0xcd1/0x14b0
[ 75.390317][ T5090] __slab_alloc+0x58/0xa0
[ 75.394747][ T5090] kmem_cache_alloc_node_noprof+0x1fe/0x320
[ 75.400647][ T5090] __alloc_skb+0x1c3/0x440
[ 75.405246][ T5090] vhci_write+0xc0/0x480
[ 75.409495][ T5090] do_iter_readv_writev+0x5a4/0x800
[ 75.414700][ T5090] vfs_writev+0x395/0xbe0
[ 75.419030][ T5090] do_writev+0x1b1/0x350
[ 75.423621][ T5090] do_syscall_64+0xf3/0x230
[ 75.428579][ T5090] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.434496][ T5090] page last free pid 1 tgid 1 stack trace:
[ 75.440304][ T5090] free_unref_page+0xd22/0xea0
[ 75.445083][ T5090] free_contig_range+0x9e/0x160
[ 75.449941][ T5090] destroy_args+0x8a/0x890
[ 75.454361][ T5090] debug_vm_pgtable+0x4be/0x550
[ 75.459220][ T5090] do_one_initcall+0x248/0x880
[ 75.463994][ T5090] do_initcall_level+0x157/0x210
[ 75.468941][ T5090] do_initcalls+0x3f/0x80
[ 75.473273][ T5090] kernel_init_freeable+0x435/0x5d0
[ 75.478475][ T5090] kernel_init+0x1d/0x2b0
[ 75.482805][ T5090] ret_from_fork+0x4b/0x80
[ 75.487751][ T5090] ret_from_fork_asm+0x1a/0x30
[ 75.492532][ T5090]
[ 75.494850][ T5090] Memory state around the buggy address:
[ 75.500481][ T5090] ffff888069713980: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 75.508538][ T5090] ffff888069713a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.516594][ T5090] >ffff888069713a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 75.524648][ T5090] ^
[ 75.531958][ T5090] ffff888069713b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 75.540910][ T5090] ffff888069713b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.548966][ T5090] ==================================================================
[ 75.566785][ T5090] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 75.574052][ T5090] CPU: 0 PID: 5090 Comm: syz-executor Not tainted 6.10.0-rc2-syzkaller-00834-g90dc946059b7 #0
[ 75.584303][ T5090] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 75.594447][ T5090] Call Trace:
[ 75.597732][ T5090]
[ 75.600667][ T5090] dump_stack_lvl+0x241/0x360
[ 75.605355][ T5090] ? __pfx_dump_stack_lvl+0x10/0x10
[ 75.610582][ T5090] ? __pfx__printk+0x10/0x10
[ 75.615175][ T5090] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 75.621164][ T5090] ? vscnprintf+0x5d/0x90
[ 75.625520][ T5090] panic+0x349/0x860
[ 75.629421][ T5090] ? check_panic_on_warn+0x21/0xb0
[ 75.634539][ T5090] ? __pfx_panic+0x10/0x10
[ 75.638962][ T5090] ? _raw_spin_unlock_irqrestore+0x130/0x140
[ 75.645646][ T5090] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 75.651992][ T5090] check_panic_on_warn+0x86/0xb0
[ 75.656939][ T5090] ? kfree_skb_reason+0x41/0x3b0
[ 75.661890][ T5090] end_report+0x77/0x160
[ 75.666141][ T5090] kasan_report+0x154/0x180
[ 75.670652][ T5090] ? kfree_skb_reason+0x41/0x3b0
[ 75.675602][ T5090] kasan_check_range+0x282/0x290
[ 75.680667][ T5090] kfree_skb_reason+0x41/0x3b0
[ 75.685915][ T5090] __hci_req_sync+0x62f/0x950
[ 75.690612][ T5090] ? __pfx___hci_req_sync+0x10/0x10
[ 75.695822][ T5090] ? __pfx___mutex_lock+0x10/0x10
[ 75.700887][ T5090] ? __pfx_autoremove_wake_function+0x10/0x10
[ 75.706974][ T5090] ? __pfx_hci_scan_req+0x10/0x10
[ 75.712280][ T5090] hci_req_sync+0xa9/0xd0
[ 75.716636][ T5090] hci_dev_cmd+0x4c5/0xa50
[ 75.721111][ T5090] ? security_capable+0x90/0xb0
[ 75.725989][ T5090] ? __pfx_hci_dev_cmd+0x10/0x10
[ 75.730997][ T5090] ? hci_sock_ioctl+0x6c4/0xa40
[ 75.737297][ T5090] sock_do_ioctl+0x158/0x460
[ 75.742004][ T5090] ? __pfx_sock_do_ioctl+0x10/0x10
[ 75.747140][ T5090] sock_ioctl+0x629/0x8e0
[ 75.751511][ T5090] ? __pfx_sock_ioctl+0x10/0x10
[ 75.756419][ T5090] ? __fget_files+0x29/0x470
[ 75.761024][ T5090] ? __fget_files+0x3f6/0x470
[ 75.765720][ T5090] ? __fget_files+0x29/0x470
[ 75.770496][ T5090] ? bpf_lsm_file_ioctl+0x9/0x10
[ 75.775441][ T5090] ? security_file_ioctl+0x87/0xb0
[ 75.780580][ T5090] ? __pfx_sock_ioctl+0x10/0x10
[ 75.786267][ T5090] __se_sys_ioctl+0xfc/0x170
[ 75.791780][ T5090] do_syscall_64+0xf3/0x230
[ 75.796318][ T5090] ? clear_bhb_loop+0x35/0x90
[ 75.801026][ T5090] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.806936][ T5090] RIP: 0033:0x7f187f7757db
[ 75.811444][ T5090] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 75.831056][ T5090] RSP: 002b:00007fff46718e60 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 75.839479][ T5090] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f187f7757db
[ 75.849152][ T5090] RDX: 00007fff46718ed8 RSI: 00000000400448dd RDI: 0000000000000003
[ 75.857135][ T5090] RBP: 0000555569d924a8 R08: 0000000000000000 R09: 0000000000000000
[ 75.865217][ T5090] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 75.873286][ T5090] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 75.881275][ T5090]
[ 75.884625][ T5090] Kernel Offset: disabled
[ 75.890802][ T5090] Rebooting in 86400 seconds..
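Added triage helper for the report above; it is not part of the syzbot log, not syzkaller's code and not kernel code. It parses a KASAN report the way a responder reads one: the BUG and access lines, the call trace, the "Allocated by"/"Freed by" stacks and the object/region lines, all behind the "[ ts][ Tnnn]" console prefix used on this page. It then cross-checks what the report states (228 bytes into a freed 240-byte skbuff_head_cache object) against the addresses it prints, and reduces each stack to the first frames that are not report or allocator machinery. SAMPLE_REPORT is a constructed, trimmed excerpt of this page's log; REPORT_NOISE and ALLOCATOR_NOISE are my assumption about which leading frames to skip, and cross_task is a heuristic flag, not a root-cause determination.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed excerpt of the KASAN report on this page; console prefixes kept as they appear here.
SAMPLE_REPORT = """\
[ 74.809570][ T5090] BUG: KASAN: slab-use-after-free in kfree_skb_reason+0x41/0x3b0
[ 74.817352][ T5090] Read of size 4 at addr ffff888069713ae4 by task syz-executor/5090
[ 74.848077][ T5090] Call Trace:
[ 74.913308][ T5090] kasan_report+0x143/0x180
[ 74.922921][ T5090] kasan_check_range+0x282/0x290
[ 74.927898][ T5090] kfree_skb_reason+0x41/0x3b0
[ 74.932700][ T5090] __hci_req_sync+0x62f/0x950
[ 74.937451][ T5090] ? __pfx___hci_req_sync+0x10/0x10
[ 74.959001][ T5090] hci_req_sync+0xa9/0xd0
[ 75.050449][ T5090] RIP: 0033:0x7f187f7757db
[ 75.128423][ T5090] Allocated by task 5102:
[ 75.142407][ T5090] kmem_cache_alloc_noprof+0x135/0x2a0
[ 75.147986][ T5090] skb_clone+0x20c/0x390
[ 75.152978][ T5090] hci_cmd_work+0x29e/0x670
[ 75.184189][ T5090] Freed by task 5102:
[ 75.207730][ T5090] kmem_cache_free+0x145/0x350
[ 75.212526][ T5090] hci_req_sync_complete+0xe7/0x290
[ 75.217761][ T5090] hci_event_packet+0xc71/0x1540
[ 75.253212][ T5090] The buggy address belongs to the object at ffff888069713a00
[ 75.253212][ T5090] which belongs to the cache skbuff_head_cache of size 240
[ 75.267912][ T5090] The buggy address is located 228 bytes inside of
[ 75.267912][ T5090] freed 240-byte region [ffff888069713a00, ffff888069713af0)
[ 75.548966][ T5090] ==================================================================
"""

LINE_RE = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?(?P<msg>.*)$")
BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"^(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task \S+/(?P<pid>\d+)")
SECTION_RE = re.compile(r"^(?:Call Trace:|(?P<kind>Allocated|Freed) by task (?P<pid>\d+):)")
FRAME_RE = re.compile(r"^(?P<unreliable>\? )?(?P<func>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
OBJECT_RE = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET_RE = re.compile(r"located (?P<off>\d+) bytes (?:inside of|to the (?:left|right) of)")
REGION_RE = re.compile(r"\d+-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")

# Assumed lists of leading frames a triager skips: KASAN/printk machinery in the call trace,
# allocator internals in the alloc/free stacks. Adjust for other trees or allocators.
REPORT_NOISE = ("dump_stack", "print_report", "kasan_", "__kasan_", "__asan_", "__virt_addr_valid", "__phys_addr")
ALLOCATOR_NOISE = ("kasan_", "__kasan_", "poison_slab_object", "kmem_cache_", "__kmalloc", "kmalloc", "kfree", "slab_")


def parse_kasan_report(text: str) -> Dict[str, Any]:
    """Parse the first KASAN report in console output; stops at the closing '====' line."""
    r: Dict[str, Any] = dict(kind="", bug_func="", access="", size=0, addr=0, pid=0, alloc_pid=None, free_pid=None,
                             trace=[], alloc=[], free=[], base=0, cache="", obj_size=0, offset=0, region=(0, 0))
    section = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        msg = (m["msg"] if m else raw).strip()
        if msg.startswith("====") and r["kind"]:
            break
        if (b := BUG_RE.match(msg)):
            r["kind"], r["bug_func"] = b["kind"], b["func"]
        elif (a := ACCESS_RE.match(msg)):
            r["access"], r["size"], r["addr"], r["pid"] = a["rw"], int(a["size"]), int(a["addr"], 16), int(a["pid"])
        elif (s := SECTION_RE.match(msg)):
            section = {"Allocated": "alloc", "Freed": "free"}.get(s["kind"], "trace")
            if s["kind"]:
                r[section + "_pid"] = int(s["pid"])
        elif (o := OBJECT_RE.search(msg)):
            r["base"], section = int(o["base"], 16), None  # stacks are over; page/owner dumps follow
        elif (c := CACHE_RE.search(msg)):
            r["cache"], r["obj_size"] = c["cache"], int(c["size"])
        elif (off := OFFSET_RE.search(msg)):
            r["offset"] = int(off["off"])
        elif (reg := REGION_RE.search(msg)):
            r["region"] = (int(reg["start"], 16), int(reg["end"], 16))
        elif section and (f := FRAME_RE.match(msg)):
            r[section].append((f["func"], f["unreliable"] is None))  # (function, reliable)
    return r


def strip_noise(stack: List[Tuple[str, bool]], noise: Tuple[str, ...]) -> List[str]:
    """Drop leading machinery frames, then keep only reliable frames ('? ' frames are unwinder guesses)."""
    i = 0
    while i < len(stack) and stack[i][0].startswith(noise):
        i += 1
    return [func for func, reliable in stack[i:] if reliable]


def triage(r: Dict[str, Any]) -> Dict[str, Any]:
    """Cross-check the report against itself and pull out the use, alloc and free sites."""
    use, alloc, free = (strip_noise(r["trace"], REPORT_NOISE), strip_noise(r["alloc"], ALLOCATOR_NOISE),
                        strip_noise(r["free"], ALLOCATOR_NOISE))
    (start, end), offset = r["region"], r["addr"] - r["base"]
    return {
        "kind": r["kind"],
        "use_site": use[:2], "alloc_site": alloc[:2], "free_site": free[:2],
        "bug_line_matches_trace": bool(use) and use[0] == r["bug_func"],
        "offset": offset,
        "offset_matches_report": offset == r["offset"],
        "access_inside_freed_object": start <= r["addr"] and r["addr"] + r["size"] <= end,
        "region_matches_cache_size": end - start == r["obj_size"],
        # Heuristic: alloc and free by one task, use by another, points at a completion path
        # releasing an object the requester still holds.
        "cross_task": r["free_pid"] is not None and r["free_pid"] != r["pid"],
    }


if __name__ == "__main__":
    print(triage(parse_kasan_report(SAMPLE_REPORT)))
```

Run on this page's report it gives use site kfree_skb_reason <- __hci_req_sync in the ioctl caller (task 5090), allocation skb_clone <- hci_cmd_work and free hci_req_sync_complete <- hci_event_packet, both in task 5102's workqueue context, with every consistency check true. The detail worth noting when reading the original is that the "use" is itself a kfree_skb_reason: __hci_req_sync releases an skb that hci_req_sync_complete had already handed back to skbuff_head_cache from the rx path, so the faulting read at offset 228 is the free path touching the freed skb header, not a stray pointer somewhere else.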