last executing test programs:

kernel console output (not intermixed with test programs):

Warning: Permanently added '10.128.0.75' (ED25519) to the list of known hosts.
[   49.324253][ T3534] cgroup: Unknown subsys name 'net'
[   49.457776][ T3534] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[   50.672910][ T3534] Adding 124996k swap on ./swap-file.  Priority:0 extents:1 across:124996k FS
[   52.374769][ T3550] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   52.384959][ T3551] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[   52.394499][ T3551] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   52.405135][ T3551] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[   52.410911][ T3554] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[   52.419583][ T3560] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   52.420103][ T3554] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[   52.427324][ T3560] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[   52.435215][ T3554] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[   52.443156][ T3560] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[   52.448874][ T3554] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[   52.455584][ T3560] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   52.461903][ T3554] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[   52.469483][ T3560] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[   52.476285][ T3554] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[   52.483118][ T3560] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[   52.490529][ T3554] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[   52.497321][ T3560] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[   52.510858][ T3560] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[   52.511168][ T3554] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[   52.518126][ T3560] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[   52.526894][ T3554] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[   52.539861][ T3545] ==================================================================
[   52.540037][ T3561] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[   52.547919][ T3545] BUG: KASAN: use-after-free in kfree_skb_reason+0x3d/0x390
[   52.547963][ T3545] Read of size 4 at addr ffff888060f44d64 by task syz-executor/3545
[   52.547976][ T3545] 
[   52.547984][ T3545] CPU: 1 PID: 3545 Comm: syz-executor Not tainted 6.1.97-syzkaller #0
[   52.547999][ T3545] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[   52.548010][ T3545] Call Trace:
[   52.548016][ T3545]  <TASK>
[   52.548024][ T3545]  dump_stack_lvl+0x1e3/0x2cb
[   52.548049][ T3545]  ? nf_tcp_handle_invalid+0x642/0x642
[   52.548072][ T3545]  ? panic+0x764/0x764
[   52.548089][ T3545]  ? _printk+0xd1/0x111
[   52.548105][ T3545]  ? __virt_addr_valid+0x17f/0x520
[   52.548126][ T3545]  ? __virt_addr_valid+0x17f/0x520
[   52.548147][ T3545]  print_report+0x15f/0x4f0
[   52.548164][ T3545]  ? __virt_addr_valid+0x17f/0x520
[   52.548183][ T3545]  ? __virt_addr_valid+0x17f/0x520
[   52.548201][ T3545]  ? __virt_addr_valid+0x44a/0x520
[   52.548221][ T3545]  ? __phys_addr+0xb6/0x170
[   52.548240][ T3545]  ? kfree_skb_reason+0x3d/0x390
[   52.548267][ T3545]  kasan_report+0x136/0x160
[   52.548282][ T3545]  ? kfree_skb_reason+0x3d/0x390
[   52.561077][ T3554] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[   52.562464][ T3545]  kasan_check_range+0x27f/0x290
[   52.562487][ T3545]  kfree_skb_reason+0x3d/0x390
[   52.562510][ T3545]  __hci_req_sync+0x626/0x940
[   52.562528][ T3545]  ? trace_contention_end+0x61/0x170
[   52.571592][ T3554] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[   52.572799][ T3545]  ? hci_req_sync_complete+0x280/0x280
[   52.572825][ T3545]  ? mutex_lock_nested+0x10/0x10
[   52.572842][ T3545]  ? wake_bit_function+0x210/0x210
[   52.572865][ T3545]  ? hci_encrypt_req+0x170/0x170
[   52.581743][ T3554] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[   52.591022][ T3545]  hci_req_sync+0xa5/0xc0
[   52.591049][ T3545]  hci_dev_cmd+0x2fc/0xa30
[   52.591069][ T3545]  ? security_capable+0x86/0xb0
[   52.594948][ T3554] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[   52.597235][ T3545]  ? hci_dev_reset_stat+0x1a0/0x1a0
[   52.602604][ T3554] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[   52.607318][ T3545]  ? hci_sock_ioctl+0x426/0x850
[   52.762242][ T3545]  sock_do_ioctl+0x152/0x450
[   52.766831][ T3545]  ? sock_show_fdinfo+0xb0/0xb0
[   52.771664][ T3545]  ? __fget_files+0x28/0x4a0
[   52.776252][ T3545]  sock_ioctl+0x47f/0x770
[   52.780566][ T3545]  ? sock_poll+0x410/0x410
[   52.784961][ T3545]  ? __fget_files+0x28/0x4a0
[   52.789533][ T3545]  ? __fget_files+0x435/0x4a0
[   52.794191][ T3545]  ? __fget_files+0x28/0x4a0
[   52.798859][ T3545]  ? bpf_lsm_file_ioctl+0x5/0x10
[   52.803780][ T3545]  ? security_file_ioctl+0x7d/0xa0
[   52.808958][ T3545]  ? sock_poll+0x410/0x410
[   52.813354][ T3545]  __se_sys_ioctl+0xf1/0x160
[   52.817931][ T3545]  do_syscall_64+0x3b/0xb0
[   52.822335][ T3545]  ? clear_bhb_loop+0x45/0xa0
[   52.826998][ T3545]  entry_SYSCALL_64_after_hwframe+0x68/0xd2
[   52.832875][ T3545] RIP: 0033:0x7f1205d757db
[   52.837281][ T3545] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[   52.856867][ T3545] RSP: 002b:00007ffc4c86e8f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   52.865259][ T3545] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1205d757db
[   52.873211][ T3545] RDX: 00007ffc4c86e968 RSI: 00000000400448dd RDI: 0000000000000003
[   52.881166][ T3545] RBP: 000055555748a4a8 R08: 0000000000000000 R09: 0000000000000000
[   52.889116][ T3545] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000
[   52.897067][ T3545] R13: 0000000000000000 R14: 0000000000000009 R15: 0000000000000009
[   52.905024][ T3545]  </TASK>
[   52.908023][ T3545] 
[   52.910325][ T3545] Allocated by task 3550:
[   52.914630][ T3545]  kasan_set_track+0x4b/0x70
[   52.919208][ T3545]  __kasan_slab_alloc+0x65/0x70
[   52.924044][ T3545]  slab_post_alloc_hook+0x52/0x3a0
[   52.929135][ T3545]  kmem_cache_alloc+0x10c/0x2d0
[   52.933965][ T3545]  skb_clone+0x1e5/0x360
[   52.938190][ T3545]  hci_cmd_work+0x296/0x660
[   52.942675][ T3545]  process_one_work+0x8a9/0x11d0
[   52.947595][ T3545]  worker_thread+0xa47/0x1200
[   52.952252][ T3545]  kthread+0x28d/0x320
[   52.956298][ T3545]  ret_from_fork+0x1f/0x30
[   52.960697][ T3545] 
[   52.962999][ T3545] Freed by task 3561:
[   52.966954][ T3545]  kasan_set_track+0x4b/0x70
[   52.971527][ T3545]  kasan_save_free_info+0x27/0x40
[   52.976532][ T3545]  ____kasan_slab_free+0xd6/0x120
[   52.981540][ T3545]  kmem_cache_free+0x292/0x510
[   52.986285][ T3545]  hci_req_sync_complete+0xee/0x280
[   52.991462][ T3545]  hci_event_packet+0xc49/0x1510
[   52.996382][ T3545]  hci_rx_work+0x3cd/0xce0
[   53.000775][ T3545]  process_one_work+0x8a9/0x11d0
[   53.005692][ T3545]  worker_thread+0xa47/0x1200
[   53.010364][ T3545]  kthread+0x28d/0x320
[   53.014424][ T3545]  ret_from_fork+0x1f/0x30
[   53.018836][ T3545] 
[   53.021154][ T3545] The buggy address belongs to the object at ffff888060f44c80
[   53.021154][ T3545]  which belongs to the cache skbuff_head_cache of size 240
[   53.035712][ T3545] The buggy address is located 228 bytes inside of
[   53.035712][ T3545]  240-byte region [ffff888060f44c80, ffff888060f44d70)
[   53.048964][ T3545] 
[   53.051270][ T3545] The buggy address belongs to the physical page:
[   53.057664][ T3545] page:ffffea000183d100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x60f44
[   53.067798][ T3545] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[   53.075345][ T3545] raw: 00fff00000000200 0000000000000000 dead000000000122 ffff888141258500
[   53.083916][ T3545] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[   53.092479][ T3545] page dumped because: kasan: bad access detected
[   53.098888][ T3545] page_owner tracks the page as allocated
[   53.104579][ T3545] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 3554, tgid 3554 (kworker/u5:4), ts 52526072270, free_ts 11019873780
[   53.122877][ T3545]  post_alloc_hook+0x18d/0x1b0
[   53.127629][ T3545]  get_page_from_freelist+0x322e/0x33b0
[   53.133156][ T3545]  __alloc_pages+0x28d/0x770
[   53.137724][ T3545]  alloc_slab_page+0x6a/0x150
[   53.142385][ T3545]  new_slab+0x84/0x2d0
[   53.146450][ T3545]  ___slab_alloc+0xc20/0x1270
[   53.151107][ T3545]  kmem_cache_alloc+0x1a5/0x2d0
[   53.155941][ T3545]  skb_clone+0x1e5/0x360
[   53.160161][ T3545]  hci_event_packet+0x221/0x1510
[   53.165082][ T3545]  hci_rx_work+0x3cd/0xce0
[   53.169477][ T3545]  process_one_work+0x8a9/0x11d0
[   53.174397][ T3545]  worker_thread+0xa47/0x1200
[   53.179057][ T3545]  kthread+0x28d/0x320
[   53.183105][ T3545]  ret_from_fork+0x1f/0x30
[   53.187506][ T3545] page last free stack trace:
[   53.192153][ T3545]  free_unref_page_prepare+0xf63/0x1120
[   53.197765][ T3545]  free_unref_page+0x33/0x3e0
[   53.202421][ T3545]  free_contig_range+0x9a/0x150
[   53.207255][ T3545]  destroy_args+0xfe/0x997
[   53.211654][ T3545]  debug_vm_pgtable+0x416/0x46b
[   53.216485][ T3545]  do_one_initcall+0x265/0x8f0
[   53.221235][ T3545]  do_initcall_level+0x157/0x207
[   53.226155][ T3545]  do_initcalls+0x49/0x86
[   53.230466][ T3545]  kernel_init_freeable+0x45c/0x60f
[   53.235644][ T3545]  kernel_init+0x19/0x290
[   53.239957][ T3545]  ret_from_fork+0x1f/0x30
[   53.244356][ T3545] 
[   53.246660][ T3545] Memory state around the buggy address:
[   53.252265][ T3545]  ffff888060f44c00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[   53.260303][ T3545]  ffff888060f44c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.268356][ T3545] >ffff888060f44d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[   53.276395][ T3545]                                                        ^
[   53.283575][ T3545]  ffff888060f44d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[   53.291612][ T3545]  ffff888060f44e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   53.299649][ T3545] ==================================================================
[   53.311985][ T3546] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[   53.322135][ T3546] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[   53.334387][ T3545] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   53.341597][ T3545] CPU: 0 PID: 3545 Comm: syz-executor Not tainted 6.1.97-syzkaller #0
[   53.349748][ T3545] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[   53.359804][ T3545] Call Trace:
[   53.363086][ T3545]  <TASK>
[   53.366017][ T3545]  dump_stack_lvl+0x1e3/0x2cb
[   53.370710][ T3545]  ? nf_tcp_handle_invalid+0x642/0x642
[   53.376184][ T3545]  ? panic+0x764/0x764
[   53.380263][ T3545]  ? preempt_schedule_common+0xa6/0xd0
[   53.385725][ T3545]  ? vscnprintf+0x59/0x80
[   53.390063][ T3545]  panic+0x318/0x764
[   53.393966][ T3545]  ? check_panic_on_warn+0x1d/0xa0
[   53.399081][ T3545]  ? memcpy_page_flushcache+0xfc/0xfc
[   53.404454][ T3545]  ? _raw_spin_unlock_irqrestore+0x128/0x130
[   53.410440][ T3545]  ? _raw_spin_unlock+0x40/0x40
[   53.415298][ T3545]  ? print_report+0x4a3/0x4f0
[   53.419979][ T3545]  check_panic_on_warn+0x7e/0xa0
[   53.424921][ T3545]  ? kfree_skb_reason+0x3d/0x390
[   53.429869][ T3545]  end_report+0x66/0x110
[   53.434114][ T3545]  kasan_report+0x143/0x160
[   53.438628][ T3545]  ? kfree_skb_reason+0x3d/0x390
[   53.443581][ T3545]  kasan_check_range+0x27f/0x290
[   53.448523][ T3545]  kfree_skb_reason+0x3d/0x390
[   53.453304][ T3545]  __hci_req_sync+0x626/0x940
[   53.457986][ T3545]  ? trace_contention_end+0x61/0x170
[   53.463281][ T3545]  ? hci_req_sync_complete+0x280/0x280
[   53.468747][ T3545]  ? mutex_lock_nested+0x10/0x10
[   53.473688][ T3545]  ? wake_bit_function+0x210/0x210
[   53.478815][ T3545]  ? hci_encrypt_req+0x170/0x170
[   53.483761][ T3545]  hci_req_sync+0xa5/0xc0
[   53.488097][ T3545]  hci_dev_cmd+0x2fc/0xa30
[   53.492522][ T3545]  ? security_capable+0x86/0xb0
[   53.497379][ T3545]  ? hci_dev_reset_stat+0x1a0/0x1a0
[   53.502588][ T3545]  ? hci_sock_ioctl+0x426/0x850
[   53.507450][ T3545]  sock_do_ioctl+0x152/0x450
[   53.512054][ T3545]  ? sock_show_fdinfo+0xb0/0xb0
[   53.516915][ T3545]  ? __fget_files+0x28/0x4a0
[   53.521515][ T3545]  sock_ioctl+0x47f/0x770
[   53.525844][ T3545]  ? sock_poll+0x410/0x410
[   53.530243][ T3545]  ? __fget_files+0x28/0x4a0
[   53.534815][ T3545]  ? __fget_files+0x435/0x4a0
[   53.539474][ T3545]  ? __fget_files+0x28/0x4a0
[   53.544045][ T3545]  ? bpf_lsm_file_ioctl+0x5/0x10
[   53.548963][ T3545]  ? security_file_ioctl+0x7d/0xa0
[   53.554053][ T3545]  ? sock_poll+0x410/0x410
[   53.558454][ T3545]  __se_sys_ioctl+0xf1/0x160
[   53.563034][ T3545]  do_syscall_64+0x3b/0xb0
[   53.567436][ T3545]  ? clear_bhb_loop+0x45/0xa0
[   53.572096][ T3545]  entry_SYSCALL_64_after_hwframe+0x68/0xd2
[   53.577974][ T3545] RIP: 0033:0x7f1205d757db
[   53.582372][ T3545] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[   53.601962][ T3545] RSP: 002b:00007ffc4c86e8f0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   53.610356][ T3545] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1205d757db
[   53.618309][ T3545] RDX: 00007ffc4c86e968 RSI: 00000000400448dd RDI: 0000000000000003
[   53.626259][ T3545] RBP: 000055555748a4a8 R08: 0000000000000000 R09: 0000000000000000
[   53.634209][ T3545] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000000
[   53.642161][ T3545] R13: 0000000000000000 R14: 0000000000000009 R15: 0000000000000009
[   53.650116][ T3545]  </TASK>
[   53.653230][ T3545] Kernel Offset: disabled
[   53.657536][ T3545] Rebooting in 86400 seconds..