last executing test programs:
kernel console output (not intermixed with test programs):
Warning: Permanently added '10.128.0.188' (ED25519) to the list of known hosts.
[ 66.334449][ T5811] cgroup: Unknown subsys name 'net'
[ 66.445830][ T5811] cgroup: Unknown subsys name 'cpuset'
[ 66.454415][ T5811] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 67.822866][ T5811] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 69.874715][ T5830] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 69.895356][ T5835] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 69.902748][ T5835] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 69.910596][ T5835] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 69.920011][ T5840] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 69.920017][ T5835] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 69.921206][ T5835] ==================================================================
[ 69.927855][ T5843] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 69.933978][ T5835] BUG: KASAN: slab-use-after-free in hci_cmd_work+0x5d0/0x7b0
[ 69.934007][ T5835] Read of size 2 at addr ffff888061d8f538 by task kworker/u9:5/5835
[ 69.934021][ T5835]
[ 69.934045][ T5835] CPU: 1 UID: 0 PID: 5835 Comm: kworker/u9:5 Not tainted syzkaller #0 PREEMPT(full)
[ 69.934064][ T5835] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 69.934075][ T5835] Workqueue: hci4 hci_cmd_work
[ 69.934103][ T5835] Call Trace:
[ 69.934111][ T5835] <TASK>
[ 69.934119][ T5835] dump_stack_lvl+0x189/0x250
[ 69.934142][ T5835] ? __virt_addr_valid+0x1c8/0x5c0
[ 69.934157][ T5835] ? rcu_is_watching+0x15/0xb0
[ 69.934171][ T5835] ? __pfx_dump_stack_lvl+0x10/0x10
[ 69.934192][ T5835] ? rcu_is_watching+0x15/0xb0
[ 69.934206][ T5835] ? lock_release+0x4b/0x3d0
[ 69.934224][ T5835] ? _raw_spin_lock_irqsave+0xb3/0xf0
[ 69.934242][ T5835] ? __virt_addr_valid+0x1c8/0x5c0
[ 69.934262][ T5835] ? __virt_addr_valid+0x4a5/0x5c0
[ 69.934279][ T5835] print_report+0xca/0x240
[ 69.934299][ T5835] ? hci_cmd_work+0x5d0/0x7b0
[ 69.934316][ T5835] kasan_report+0x118/0x150
[ 69.934340][ T5835] ? hci_cmd_work+0x5d0/0x7b0
[ 69.934361][ T5835] hci_cmd_work+0x5d0/0x7b0
[ 69.934380][ T5835] ? process_one_work+0x868/0x15e0
[ 69.934399][ T5835] process_one_work+0x93a/0x15e0
[ 69.934417][ T5835] ? __lock_acquire+0xab9/0xd20
[ 69.934450][ T5835] ? __pfx_process_one_work+0x10/0x10
[ 69.934472][ T5835] ? assign_work+0x3a1/0x410
[ 69.934492][ T5835] worker_thread+0x9b0/0xee0
[ 69.934521][ T5835] kthread+0x711/0x8a0
[ 69.934538][ T5835] ? __pfx_worker_thread+0x10/0x10
[ 69.934556][ T5835] ? __pfx_kthread+0x10/0x10
[ 69.934569][ T5835] ? _raw_spin_unlock_irq+0x23/0x50
[ 69.934584][ T5835] ? lockdep_hardirqs_on+0x9c/0x150
[ 69.934602][ T5835] ? __pfx_kthread+0x10/0x10
[ 69.934617][ T5835] ret_from_fork+0x599/0xb30
[ 69.934637][ T5835] ? __pfx_ret_from_fork+0x10/0x10
[ 69.934659][ T5835] ? __switch_to_asm+0x39/0x70
[ 69.934674][ T5835] ? __switch_to_asm+0x33/0x70
[ 69.934688][ T5835] ? __pfx_kthread+0x10/0x10
[ 69.934702][ T5835] ret_from_fork_asm+0x1a/0x30
[ 69.934723][ T5835] </TASK>
[ 69.934730][ T5835]
[ 69.943209][ T5840] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 69.949006][ T5835] Allocated by task 52:
[ 69.949020][ T5835] kasan_save_track+0x3e/0x80
[ 69.958925][ T5840] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 69.964481][ T5835] __kasan_slab_alloc+0x6c/0x80
[ 69.964508][ T5835] kmem_cache_alloc_node_noprof+0x43c/0x710
[ 69.964521][ T5835] __alloc_skb+0x112/0x2d0
[ 69.964540][ T5835] hci_cmd_sync_alloc+0x3d/0x3b0
[ 69.968415][ T5840] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 69.976319][ T5835] __hci_cmd_sync_sk+0x1a7/0xc70
[ 69.976345][ T5835] hci_dev_open_sync+0x14b2/0x2dc0
[ 69.976357][ T5835] hci_power_on+0x1b4/0x720
[ 69.976372][ T5835] process_one_work+0x93a/0x15e0
[ 69.976388][ T5835] worker_thread+0x9b0/0xee0
[ 69.976403][ T5835] kthread+0x711/0x8a0
[ 69.976415][ T5835] ret_from_fork+0x599/0xb30
[ 69.987820][ T5840] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 69.991214][ T5835] ret_from_fork_asm+0x1a/0x30
[ 70.034267][ T5840] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 70.036875][ T5835]
[ 70.036883][ T5835] Freed by task 5839:
[ 70.043240][ T5840] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 70.046380][ T5835] kasan_save_track+0x3e/0x80
[ 70.052256][ T5840] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 70.055576][ T5835] kasan_save_free_info+0x46/0x50
[ 70.055602][ T5835] __kasan_slab_free+0x5c/0x80
[ 70.055616][ T5835] kmem_cache_free+0x197/0x640
[ 70.055631][ T5835] vhci_read+0x49a/0x5b0
[ 70.061342][ T5840] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 70.064772][ T5835] vfs_read+0x200/0xa30
[ 70.064791][ T5835] ksys_read+0x145/0x250
[ 70.064804][ T5835] do_syscall_64+0xfa/0xfa0
[ 70.064821][ T5835] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.064842][ T5835]
[ 70.064847][ T5835] The buggy address belongs to the object at ffff888061d8f500
[ 70.064847][ T5835] which belongs to the cache skbuff_head_cache of size 240
[ 70.064862][ T5835] The buggy address is located 56 bytes inside of
[ 70.064862][ T5835] freed 240-byte region [ffff888061d8f500, ffff888061d8f5f0)
[ 70.071939][ T5840] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 70.075077][ T5835]
[ 70.075085][ T5835] The buggy address belongs to the physical page:
[ 70.075104][ T5835] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x61d8f
[ 70.075124][ T5835] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 70.080788][ T5840] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 70.085335][ T5835] page_type: f5(slab)
[ 70.085352][ T5835] raw: 00fff00000000000 ffff8881416a0a00 dead000000000122 0000000000000000
[ 70.085365][ T5835] raw: 0000000000000000 00000000000c000c 00000000f5000000 0000000000000000
[ 70.085372][ T5835] page dumped because: kasan: bad access detected
[ 70.085397][ T5835] page_owner tracks the page as allocated
[ 70.085403][ T5835] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5835, tgid 5835 (kworker/u9:5), ts 69895228046, free_ts 69894023338
[ 70.090726][ T5840] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 70.094549][ T5835] post_alloc_hook+0x240/0x2a0
[ 70.094569][ T5835] get_page_from_freelist+0x2365/0x2440
[ 70.094585][ T5835] __alloc_frozen_pages_noprof+0x181/0x370
[ 70.101712][ T5829] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 70.103751][ T5835] alloc_pages_mpol+0x232/0x4a0
[ 70.103775][ T5835] allocate_slab+0x86/0x3b0
[ 70.103809][ T5835] ___slab_alloc+0xf56/0x1990
[ 70.109538][ T5829] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 70.113577][ T5835] __slab_alloc+0x65/0x100
[ 70.113600][ T5835] kmem_cache_alloc_noprof+0x40f/0x700
[ 70.113613][ T5835] skb_clone+0x212/0x3a0
[ 70.113629][ T5835] hci_event_packet+0x1a6/0x1260
[ 70.121875][ T5145] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 70.123375][ T5835] hci_rx_work+0x45d/0xfc0
[ 70.123397][ T5835] process_one_work+0x93a/0x15e0
[ 70.123413][ T5835] worker_thread+0x9b0/0xee0
[ 70.123429][ T5835] kthread+0x711/0x8a0
[ 70.123442][ T5835] ret_from_fork+0x599/0xb30
[ 70.548246][ T5835] ret_from_fork_asm+0x1a/0x30
[ 70.553022][ T5835] page last free pid 2 tgid 2 stack trace:
[ 70.558842][ T5835] __free_frozen_pages+0xbc8/0xd30
[ 70.563986][ T5835] __kasan_populate_vmalloc+0x1b2/0x1d0
[ 70.569543][ T5835] alloc_vmap_area+0xdca/0x1500
[ 70.574405][ T5835] __get_vm_area_node+0x1f8/0x300
[ 70.579433][ T5835] __vmalloc_node_range_noprof+0x365/0x1640
[ 70.585331][ T5835] __vmalloc_node_noprof+0xc2/0x110
[ 70.590541][ T5835] dup_task_struct+0x3d4/0x830
[ 70.595317][ T5835] copy_process+0x4ea/0x3930
[ 70.599918][ T5835] kernel_clone+0x21e/0x850
[ 70.604454][ T5835] kernel_thread+0x10d/0x160
[ 70.609037][ T5835] kthreadd+0x575/0x770
[ 70.613178][ T5835] ret_from_fork+0x599/0xb30
[ 70.617754][ T5835] ret_from_fork_asm+0x1a/0x30
[ 70.622515][ T5835]
[ 70.624822][ T5835] Memory state around the buggy address:
[ 70.630428][ T5835] ffff888061d8f400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.638468][ T5835] ffff888061d8f480: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 70.646513][ T5835] >ffff888061d8f500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.654562][ T5835] ^
[ 70.660482][ T5835] ffff888061d8f580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 70.668523][ T5835] ffff888061d8f600: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 70.676563][ T5835] ==================================================================
[ 70.687537][ T5835] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 70.694753][ T5835] CPU: 1 UID: 0 PID: 5835 Comm: kworker/u9:5 Not tainted syzkaller #0 PREEMPT(full)
[ 70.704201][ T5835] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
[ 70.714243][ T5835] Workqueue: hci4 hci_cmd_work
[ 70.718998][ T5835] Call Trace:
[ 70.722263][ T5835] <TASK>
[ 70.725182][ T5835] dump_stack_lvl+0x99/0x250
[ 70.729764][ T5835] ? __asan_memcpy+0x40/0x70
[ 70.734346][ T5835] ? __pfx_dump_stack_lvl+0x10/0x10
[ 70.739528][ T5835] ? __pfx__printk+0x10/0x10
[ 70.744106][ T5835] vpanic+0x237/0x6d0
[ 70.748069][ T5835] ? __pfx_vpanic+0x10/0x10
[ 70.752551][ T5835] ? preempt_schedule+0xae/0xc0
[ 70.757385][ T5835] ? __pfx_preempt_schedule+0x10/0x10
[ 70.762760][ T5835] panic+0xb9/0xc0
[ 70.766468][ T5835] ? __pfx_panic+0x10/0x10
[ 70.770885][ T5835] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 70.776791][ T5835] ? is_module_address+0x17/0xf0
[ 70.781739][ T5835] ? hci_cmd_work+0x5d0/0x7b0
[ 70.786424][ T5835] check_panic_on_warn+0x89/0xb0
[ 70.791354][ T5835] ? hci_cmd_work+0x5d0/0x7b0
[ 70.796109][ T5835] end_report+0x6f/0x160
[ 70.800341][ T5835] kasan_report+0x129/0x150
[ 70.804860][ T5835] ? hci_cmd_work+0x5d0/0x7b0
[ 70.809524][ T5835] hci_cmd_work+0x5d0/0x7b0
[ 70.814099][ T5835] ? process_one_work+0x868/0x15e0
[ 70.819194][ T5835] process_one_work+0x93a/0x15e0
[ 70.824114][ T5835] ? __lock_acquire+0xab9/0xd20
[ 70.828960][ T5835] ? __pfx_process_one_work+0x10/0x10
[ 70.834323][ T5835] ? assign_work+0x3a1/0x410
[ 70.838925][ T5835] worker_thread+0x9b0/0xee0
[ 70.843517][ T5835] kthread+0x711/0x8a0
[ 70.847570][ T5835] ? __pfx_worker_thread+0x10/0x10
[ 70.852665][ T5835] ? __pfx_kthread+0x10/0x10
[ 70.857236][ T5835] ? _raw_spin_unlock_irq+0x23/0x50
[ 70.862425][ T5835] ? lockdep_hardirqs_on+0x9c/0x150
[ 70.867604][ T5835] ? __pfx_kthread+0x10/0x10
[ 70.872261][ T5835] ret_from_fork+0x599/0xb30
[ 70.876835][ T5835] ? __pfx_ret_from_fork+0x10/0x10
[ 70.881944][ T5835] ? __switch_to_asm+0x39/0x70
[ 70.886689][ T5835] ? __switch_to_asm+0x33/0x70
[ 70.891440][ T5835] ? __pfx_kthread+0x10/0x10
[ 70.896018][ T5835] ret_from_fork_asm+0x1a/0x30
[ 70.900783][ T5835] </TASK>
[ 70.903980][ T5835] Kernel Offset: disabled
[ 70.908314][ T5835] Rebooting in 86400 seconds..