last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.0.189' (ED25519) to the list of known hosts.
syzkaller login: [ 49.534272][ T3535] cgroup: Unknown subsys name 'net'
[ 49.637277][ T3535] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 50.931187][ T3535] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k FS
[ 51.433472][ T3549] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 51.444291][ T3556] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 51.444443][ T3549] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 51.456613][ T3559] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 51.459976][ T3549] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 51.466756][ T3559] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 51.475012][ T3549] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 51.481824][ T3559] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 51.488412][ T3549] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 51.495307][ T3559] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 51.508714][ T3559] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 51.509866][ T3549] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 51.516662][ T3559] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 51.530612][ T3561] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 51.531771][ T3559] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 51.538500][ T3561] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 51.545608][ T3559] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 51.552666][ T3561] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 51.559842][ T3559] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 51.566101][ T3561] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 51.573852][ T3559] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 51.580302][ T3561] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 51.588174][ T3559] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 51.593914][ T3561] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 51.601969][ T3559] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 51.607722][ T3561] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 51.614832][ T3559] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 51.622272][ T3561] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 51.629551][ T3559] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 51.636420][ T3561] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
[ 51.653405][ T3545] ==================================================================
[ 51.661491][ T3545] BUG: KASAN: use-after-free in kfree_skb_reason+0x3d/0x390
[ 51.668798][ T3545] Read of size 4 at addr ffff888062396c24 by task syz-executor/3545
[ 51.676775][ T3545]
[ 51.679119][ T3545] CPU: 1 PID: 3545 Comm: syz-executor Not tainted 6.1.96-syzkaller #0
[ 51.687256][ T3545] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 51.697308][ T3545] Call Trace:
[ 51.700586][ T3545]  <TASK>
[ 51.703513][ T3545]  dump_stack_lvl+0x1e3/0x2cb
[ 51.708208][ T3545]  ? nf_tcp_handle_invalid+0x642/0x642
[ 51.713663][ T3545]  ? panic+0x764/0x764
[ 51.717721][ T3545]  ? _printk+0xd1/0x111
[ 51.721865][ T3545]  ? __virt_addr_valid+0x17f/0x520
[ 51.727061][ T3545]  ? __virt_addr_valid+0x17f/0x520
[ 51.732175][ T3545]  print_report+0x15f/0x4f0
[ 51.736674][ T3545]  ? __virt_addr_valid+0x17f/0x520
[ 51.741774][ T3545]  ? __virt_addr_valid+0x17f/0x520
[ 51.746891][ T3545]  ? __virt_addr_valid+0x44a/0x520
[ 51.752018][ T3545]  ? __phys_addr+0xb6/0x170
[ 51.756542][ T3545]  ? kfree_skb_reason+0x3d/0x390
[ 51.761492][ T3545]  kasan_report+0x136/0x160
[ 51.765997][ T3545]  ? kfree_skb_reason+0x3d/0x390
[ 51.770931][ T3545]  kasan_check_range+0x27f/0x290
[ 51.775858][ T3545]  kfree_skb_reason+0x3d/0x390
[ 51.780616][ T3545]  __hci_req_sync+0x626/0x940
[ 51.785288][ T3545]  ? trace_contention_end+0x61/0x170
[ 51.790564][ T3545]  ? hci_req_sync_complete+0x280/0x280
[ 51.796012][ T3545]  ? mutex_lock_nested+0x10/0x10
[ 51.800939][ T3545]  ? hci_encrypt_req+0x170/0x170
[ 51.805878][ T3545]  hci_req_sync+0xa5/0xc0
[ 51.810218][ T3545]  hci_dev_cmd+0x2fc/0xa30
[ 51.814641][ T3545]  ? security_capable+0x86/0xb0
[ 51.819492][ T3545]  ? hci_dev_reset_stat+0x1a0/0x1a0
[ 51.824687][ T3545]  ? hci_sock_ioctl+0x426/0x850
[ 51.829529][ T3545]  sock_do_ioctl+0x152/0x450
[ 51.834110][ T3545]  ? sock_show_fdinfo+0xb0/0xb0
[ 51.838948][ T3545]  ? __fget_files+0x28/0x4a0
[ 51.843527][ T3545]  sock_ioctl+0x47f/0x770
[ 51.847844][ T3545]  ? sock_poll+0x410/0x410
[ 51.852255][ T3545]  ? __fget_files+0x28/0x4a0
[ 51.856839][ T3545]  ? __fget_files+0x435/0x4a0
[ 51.861501][ T3545]  ? __fget_files+0x28/0x4a0
[ 51.866075][ T3545]  ? bpf_lsm_file_ioctl+0x5/0x10
[ 51.870997][ T3545]  ? security_file_ioctl+0x7d/0xa0
[ 51.876093][ T3545]  ? sock_poll+0x410/0x410
[ 51.880495][ T3545]  __se_sys_ioctl+0xf1/0x160
[ 51.885079][ T3545]  do_syscall_64+0x3b/0xb0
[ 51.889491][ T3545]  ? clear_bhb_loop+0x45/0xa0
[ 51.894159][ T3545]  entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 51.900045][ T3545] RIP: 0033:0x7f545e37579b
[ 51.904457][ T3545] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 51.924050][ T3545] RSP: 002b:00007ffff4df6080 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 51.932452][ T3545] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f545e37579b
[ 51.940413][ T3545] RDX: 00007ffff4df60f8 RSI: 00000000400448dd RDI: 0000000000000003
[ 51.948377][ T3545] RBP: 00005555565ba4a8 R08: 0000000000000000 R09: 0000000000000000
[ 51.956334][ T3545] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 51.964298][ T3545] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 51.972264][ T3545]  </TASK>
[ 51.975282][ T3545]
[ 51.977588][ T3545] Allocated by task 3559:
[ 51.981893][ T3545]  kasan_set_track+0x4b/0x70
[ 51.986478][ T3545]  __kasan_slab_alloc+0x65/0x70
[ 51.991325][ T3545]  slab_post_alloc_hook+0x52/0x3a0
[ 51.996462][ T3545]  kmem_cache_alloc+0x10c/0x2d0
[ 52.001300][ T3545]  skb_clone+0x1e5/0x360
[ 52.005706][ T3545]  hci_cmd_work+0x296/0x660
[ 52.010194][ T3545]  process_one_work+0x8a9/0x11d0
[ 52.015120][ T3545]  worker_thread+0xa47/0x1200
[ 52.019787][ T3545]  kthread+0x28d/0x320
[ 52.023840][ T3545]  ret_from_fork+0x1f/0x30
[ 52.028257][ T3545]
[ 52.030570][ T3545] Freed by task 3559:
[ 52.034541][ T3545]  kasan_set_track+0x4b/0x70
[ 52.039121][ T3545]  kasan_save_free_info+0x27/0x40
[ 52.044131][ T3545]  ____kasan_slab_free+0xd6/0x120
[ 52.049147][ T3545]  kmem_cache_free+0x292/0x510
[ 52.053898][ T3545]  hci_req_sync_complete+0xee/0x280
[ 52.059084][ T3545]  hci_event_packet+0xc49/0x1510
[ 52.064011][ T3545]  hci_rx_work+0x3cd/0xce0
[ 52.068422][ T3545]  process_one_work+0x8a9/0x11d0
[ 52.073349][ T3545]  worker_thread+0xa47/0x1200
[ 52.078015][ T3545]  kthread+0x28d/0x320
[ 52.082157][ T3545]  ret_from_fork+0x1f/0x30
[ 52.086651][ T3545]
[ 52.088961][ T3545] The buggy address belongs to the object at ffff888062396b40
[ 52.088961][ T3545]  which belongs to the cache skbuff_head_cache of size 240
[ 52.103518][ T3545] The buggy address is located 228 bytes inside of
[ 52.103518][ T3545]  240-byte region [ffff888062396b40, ffff888062396c30)
[ 52.116773][ T3545]
[ 52.119081][ T3545] The buggy address belongs to the physical page:
[ 52.125478][ T3545] page:ffffea000188e580 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x62396
[ 52.135611][ T3545] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 52.143153][ T3545] raw: 00fff00000000200 0000000000000000 dead000000000122 ffff8881401dd280
[ 52.151721][ T3545] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 52.160282][ T3545] page dumped because: kasan: bad access detected
[ 52.166700][ T3545] page_owner tracks the page as allocated
[ 52.172395][ T3545] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 3559, tgid 3559 (kworker/u5:6), ts 51652391131, free_ts 11627739129
[ 52.190703][ T3545]  post_alloc_hook+0x18d/0x1b0
[ 52.195455][ T3545]  get_page_from_freelist+0x31a1/0x3320
[ 52.200993][ T3545]  __alloc_pages+0x28d/0x770
[ 52.205570][ T3545]  alloc_slab_page+0x6a/0x150
[ 52.210235][ T3545]  new_slab+0x84/0x2d0
[ 52.214295][ T3545]  ___slab_alloc+0xc20/0x1270
[ 52.218958][ T3545]  kmem_cache_alloc+0x1a5/0x2d0
[ 52.223797][ T3545]  skb_clone+0x1e5/0x360
[ 52.228458][ T3545]  hci_event_packet+0x221/0x1510
[ 52.233382][ T3545]  hci_rx_work+0x3cd/0xce0
[ 52.237780][ T3545]  process_one_work+0x8a9/0x11d0
[ 52.242713][ T3545]  worker_thread+0xa47/0x1200
[ 52.247375][ T3545]  kthread+0x28d/0x320
[ 52.251427][ T3545]  ret_from_fork+0x1f/0x30
[ 52.255832][ T3545] page last free stack trace:
[ 52.260488][ T3545]  free_unref_page_prepare+0xf63/0x1120
[ 52.266018][ T3545]  free_unref_page+0x33/0x3e0
[ 52.270679][ T3545]  free_contig_range+0x9a/0x150
[ 52.275516][ T3545]  destroy_args+0xfe/0x997
[ 52.279922][ T3545]  debug_vm_pgtable+0x416/0x46b
[ 52.284759][ T3545]  do_one_initcall+0x265/0x8f0
[ 52.289632][ T3545]  do_initcall_level+0x157/0x207
[ 52.294570][ T3545]  do_initcalls+0x49/0x86
[ 52.298889][ T3545]  kernel_init_freeable+0x45c/0x60f
[ 52.304076][ T3545]  kernel_init+0x19/0x290
[ 52.308391][ T3545]  ret_from_fork+0x1f/0x30
[ 52.312799][ T3545]
[ 52.315104][ T3545] Memory state around the buggy address:
[ 52.320716][ T3545]  ffff888062396b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 52.328767][ T3545]  ffff888062396b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 52.336832][ T3545] >ffff888062396c00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 52.344874][ T3545]                                ^
[ 52.349984][ T3545]  ffff888062396c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 52.358037][ T3545]  ffff888062396d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 52.366084][ T3545] ==================================================================
[ 52.374604][ T3545] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 52.381812][ T3545] CPU: 1 PID: 3545 Comm: syz-executor Not tainted 6.1.96-syzkaller #0
[ 52.389970][ T3545] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
[ 52.400034][ T3545] Call Trace:
[ 52.403325][ T3545]  <TASK>
[ 52.406271][ T3545]  dump_stack_lvl+0x1e3/0x2cb
[ 52.410969][ T3545]  ? nf_tcp_handle_invalid+0x642/0x642
[ 52.416456][ T3545]  ? panic+0x764/0x764
[ 52.420574][ T3545]  ? preempt_schedule_common+0xa6/0xd0
[ 52.426055][ T3545]  ? vscnprintf+0x59/0x80
[ 52.430413][ T3545]  panic+0x318/0x764
[ 52.434323][ T3545]  ? check_panic_on_warn+0x1d/0xa0
[ 52.439451][ T3545]  ? memcpy_page_flushcache+0xfc/0xfc
[ 52.444844][ T3545]  ? _raw_spin_unlock_irqrestore+0x128/0x130
[ 52.450846][ T3545]  ? _raw_spin_unlock+0x40/0x40
[ 52.455716][ T3545]  ? print_report+0x4a3/0x4f0
[ 52.460554][ T3545]  check_panic_on_warn+0x7e/0xa0
[ 52.465514][ T3545]  ? kfree_skb_reason+0x3d/0x390
[ 52.470475][ T3545]  end_report+0x66/0x110
[ 52.474732][ T3545]  kasan_report+0x143/0x160
[ 52.479270][ T3545]  ? kfree_skb_reason+0x3d/0x390
[ 52.484317][ T3545]  kasan_check_range+0x27f/0x290
[ 52.489280][ T3545]  kfree_skb_reason+0x3d/0x390
[ 52.494091][ T3545]  __hci_req_sync+0x626/0x940
[ 52.498862][ T3545]  ? trace_contention_end+0x61/0x170
[ 52.504869][ T3545]  ? hci_req_sync_complete+0x280/0x280
[ 52.510356][ T3545]  ? mutex_lock_nested+0x10/0x10
[ 52.515319][ T3545]  ? hci_encrypt_req+0x170/0x170
[ 52.520280][ T3545]  hci_req_sync+0xa5/0xc0
[ 52.524629][ T3545]  hci_dev_cmd+0x2fc/0xa30
[ 52.529063][ T3545]  ? security_capable+0x86/0xb0
[ 52.533938][ T3545]  ? hci_dev_reset_stat+0x1a0/0x1a0
[ 52.539158][ T3545]  ? hci_sock_ioctl+0x426/0x850
[ 52.544029][ T3545]  sock_do_ioctl+0x152/0x450
[ 52.548638][ T3545]  ? sock_show_fdinfo+0xb0/0xb0
[ 52.553507][ T3545]  ? __fget_files+0x28/0x4a0
[ 52.558114][ T3545]  sock_ioctl+0x47f/0x770
[ 52.562462][ T3545]  ? sock_poll+0x410/0x410
[ 52.566894][ T3545]  ? __fget_files+0x28/0x4a0
[ 52.571497][ T3545]  ? __fget_files+0x435/0x4a0
[ 52.576184][ T3545]  ? __fget_files+0x28/0x4a0
[ 52.580797][ T3545]  ? bpf_lsm_file_ioctl+0x5/0x10
[ 52.585758][ T3545]  ? security_file_ioctl+0x7d/0xa0
[ 52.590884][ T3545]  ? sock_poll+0x410/0x410
[ 52.595381][ T3545]  __se_sys_ioctl+0xf1/0x160
[ 52.600022][ T3545]  do_syscall_64+0x3b/0xb0
[ 52.604462][ T3545]  ? clear_bhb_loop+0x45/0xa0
[ 52.609167][ T3545]  entry_SYSCALL_64_after_hwframe+0x68/0xd2
[ 52.615079][ T3545] RIP: 0033:0x7f545e37579b
[ 52.619508][ T3545] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
[ 52.639301][ T3545] RSP: 002b:00007ffff4df6080 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 52.647727][ T3545] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f545e37579b
[ 52.655719][ T3545] RDX: 00007ffff4df60f8 RSI: 00000000400448dd RDI: 0000000000000003
[ 52.663794][ T3545] RBP: 00005555565ba4a8 R08: 0000000000000000 R09: 0000000000000000
[ 52.671783][ T3545] R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000001
[ 52.679941][ T3545] R13: 0000000000000001 R14: 0000000000000009 R15: 0000000000000009
[ 52.687933][ T3545]  </TASK>
[ 52.691198][ T3545] Kernel Offset: disabled
[ 52.695510][ T3545] Rebooting in 86400 seconds..
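The report above carries everything needed for a first triage pass: the sk_buff was cloned by hci_cmd_work on a workqueue, freed by hci_req_sync_complete on the hci_rx_work path, and then handed to kfree_skb_reason a second time by __hci_req_sync on the ioctl path, so the same 240-byte skbuff_head_cache object is released twice, with the 4-byte read landing at offset 228 inside it. Pulling those facts out by hand from a raw console log is error-prone, so the following triage helper is added here as an example; it is not syzkaller, syzbot or kernel code. Its input is an abridged excerpt of the report above with the console prefixes kept; the regexes, the instrumentation-frame filter and the offset cross-check are this example's own design, not anything KASAN or syzbot provide.

```python
# Added triage helper for a KASAN report such as the one above; this is not
# syzkaller, syzbot or kernel code.  It parses raw console text and pulls out
# bug class, faulting function, access size/address, slab object bounds, the
# access offset inside the object (cross-checked against what KASAN printed)
# and, per stack, the first frame that is neither an unwinder guess nor
# KASAN/allocator instrumentation.
import re
from dataclasses import dataclass, field

# Abridged excerpt of the report above (most frames omitted); the console
# prefixes are kept so the parser works on raw syzkaller logs.
REPORT = """\
[ 51.661491][ T3545] BUG: KASAN: use-after-free in kfree_skb_reason+0x3d/0x390
[ 51.668798][ T3545] Read of size 4 at addr ffff888062396c24 by task syz-executor/3545
[ 51.697308][ T3545] Call Trace:
[ 51.708208][ T3545]  ? nf_tcp_handle_invalid+0x642/0x642
[ 51.775858][ T3545]  kfree_skb_reason+0x3d/0x390
[ 51.780616][ T3545]  __hci_req_sync+0x626/0x940
[ 51.975282][ T3545]
[ 51.977588][ T3545] Allocated by task 3559:
[ 51.981893][ T3545]  kasan_set_track+0x4b/0x70
[ 52.001300][ T3545]  skb_clone+0x1e5/0x360
[ 52.005706][ T3545]  hci_cmd_work+0x296/0x660
[ 52.028257][ T3545]
[ 52.030570][ T3545] Freed by task 3559:
[ 52.049147][ T3545]  kmem_cache_free+0x292/0x510
[ 52.053898][ T3545]  hci_req_sync_complete+0xee/0x280
[ 52.059084][ T3545]  hci_event_packet+0xc49/0x1510
[ 52.086651][ T3545]
[ 52.088961][ T3545]  which belongs to the cache skbuff_head_cache of size 240
[ 52.103518][ T3545] The buggy address is located 228 bytes inside of
[ 52.103518][ T3545]  240-byte region [ffff888062396b40, ffff888062396c30)
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]")
# A "? " frame is an address the unwinder found on the stack but could not
# prove belongs to the live call chain; it must not drive triage.
FRAME = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
NOISE = re.compile(r"^(_*kasan_|dump_stack|print_report|kmem_cache_|slab_post_alloc_hook)")

@dataclass
class KasanReport:
    bug_class: str = ""
    in_func: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    cache: str = ""
    obj_size: int = 0
    obj_start: int = 0
    obj_end: int = 0
    reported_offset: int = -1
    stacks: dict = field(default_factory=dict)  # section -> [(guessed, fn)]

    @property
    def offset(self) -> int:
        return self.addr - self.obj_start

    def checks_out(self) -> bool:
        # printed offset, region bounds and cache size agree, and the whole
        # [addr, addr + size) access lies inside the object KASAN named
        return (self.offset == self.reported_offset
                and self.obj_end - self.obj_start == self.obj_size
                and self.obj_start <= self.addr < self.addr + self.size <= self.obj_end)

def parse_report(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if not line:  # a blank line closes the current stack section
            section = None
        elif m := re.match(r"BUG: KASAN: (\S+) in ([\w.]+)\+", line):
            r.bug_class, r.in_func = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", line):
            r.access, r.size, r.addr = m[1], int(m[2]), int(m[3], 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r.cache, r.obj_size = m[1], int(m[2])
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r.reported_offset = int(m[1])
        elif m := re.match(r"\d+-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            r.obj_start, r.obj_end = int(m[1], 16), int(m[2], 16)
        elif line == "Call Trace:":
            section = "access"
        elif line.startswith("Allocated by task"):
            section = "alloc"
        elif line.startswith("Freed by task"):
            section = "free"
        elif section and (m := FRAME.match(line)):
            r.stacks.setdefault(section, []).append((m[1] is not None, m[2]))
    return r

def culprits(r: KasanReport) -> dict:
    # per stack: (first frame in the buggy subsystem, its caller)
    out = {}
    for name, frames in r.stacks.items():
        real = [fn for guessed, fn in frames if not guessed and not NOISE.match(fn)]
        real += ["", ""]  # pad so a one-frame stack still yields a pair
        out[name] = (real[0], real[1])
    return out

if __name__ == "__main__":
    rep = parse_report(REPORT)
    print(rep.bug_class, rep.in_func, rep.access, rep.size, rep.offset, rep.checks_out(), culprits(rep))
```

Run against the excerpt, parse_report reports offset 228 of a 240-byte object with checks_out() true, and culprits() pairs kfree_skb_reason with __hci_req_sync for the access, skb_clone with hci_cmd_work for the allocation, and hci_req_sync_complete with hci_event_packet for the free; those three pairs are the ones to open first when looking for the missing synchronisation. A checks_out() of false on a real report usually means the log was truncated or mangled in transit and should be re-fetched before any conclusion is drawn from it.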