program:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
quotactl_fd$Q_SYNC(r0, 0xffffffff80000100, 0x0, 0x0)
ioctl$sock_bt_hci(r0, 0x400448cb, 0x0)
r1 = bpf$MAP_CREATE(0x0, &(0x7f0000000200)=ANY=[@ANYBLOB="22000000040000001000000012"], 0x48)
bpf$BPF_MAP_CONST_STR_FREEZE(0x16, &(0x7f00000000c0)={r1}, 0x4)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000600)={0x18, 0x1c, &(0x7f0000000740)=@ringbuf={{0x18, 0x0, 0x0, 0x0, 0x9, 0x0, 0x0, 0x0, 0x8}, {{0x18, 0x1, 0x1, 0x0, r1}}, {}, [@snprintf={{}, {}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x10001}, {}, {}, {}, {}, {}, {}, {0x18, 0x3, 0x2, 0x0, r1, 0x0, 0x0, 0x0, 0x12}}], {{}, {}, {0x85, 0x0, 0x0, 0x84}}}, &(0x7f0000000000)='GPL\x00', 0x2, 0x0, 0x0, 0x0, 0x8}, 0x94)
syz_emit_vhci(&(0x7f00000006c0)=ANY=[@ANYBLOB="040e0402030c"], 0x7)
r2 = syz_open_dev$tty1(0xc, 0x4, 0x1)
ioctl$TIOCL_SETSEL(r2, 0x541c, &(0x7f00000000c0)={0x2, {0x2, 0x3bf, 0x4, 0x14a}})
r3 = syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0)
ptrace(0x10, r3)
ptrace$setsig(0x4203, r3, 0xa, &(0x7f0000000080)={0xf, 0xffff0001, 0xa5})
ioctl$TCSETS2(r2, 0x402c542b, &(0x7f0000000080)={0xfffe7527, 0x10000, 0xefc9, 0x7fa, 0xb2, "35969809006e24a7446d80732e5e6c31c267a0", 0x7, 0x200008})
ioctl$TIOCL_PASTESEL(r2, 0x541c, &(0x7f0000000000))
syz_emit_vhci(&(0x7f0000000200)=@HCI_EVENT_PKT={0x4, @hci_ev_cmd_status={{0xf, 0x4}, {0x9, 0x1, 0x200d}}}, 0x7)

[  102.602699][   T44] Bluetooth: hci0: command tx timeout
[  102.790758][ T5324] ------------[ cut here ]------------
[  102.793285][ T5324] workqueue: cannot queue hci_rx_work on wq hci0
[  102.796234][ T5324] WARNING: kernel/workqueue.c:2298 at __queue_work+0xd1f/0xfc0, CPU#0: syz.0.0/5324
[  102.800864][ T5324] Modules linked in:
[  102.803077][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[  102.808156][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  102.812704][ T5324] RIP: 0010:__queue_work+0xd4a/0xfc0
[  102.815039][ T5324] Code: 83 c5 18 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef e8 c7 53 a5 00 49 8b 75 00 49 81 c7 70 01 00 00 4c 89 f7 4c 89 fa <67> 48 0f b9 3a 48 83 c4 58 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc
[  102.824677][ T5324] RSP: 0018:ffffc9000ddcfb20 EFLAGS: 00010082
[  102.827454][ T5324] RAX: 1ffff11003574978 RBX: 0000000000000008 RCX: 0000000000100000
[  102.831065][ T5324] RDX: ffff8880340a2970 RSI: ffffffff8a9d17f0 RDI: ffffffff9033b370
[  102.834506][ T5324] RBP: 0000000000000000 R08: ffff88801aba4baf R09: 1ffff11003574975
[  102.838137][ T5324] R10: dffffc0000000000 R11: ffffed1003574976 R12: dffffc0000000000
[  102.841828][ T5324] R13: ffff88801aba4bc0 R14: ffffffff9033b370 R15: ffff8880340a2970
[  102.845183][ T5324] FS:  00007f2f50a9f6c0(0000) GS:ffff88808c888000(0000) knlGS:0000000000000000
[  102.849377][ T5324] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  102.853027][ T5324] CR2: 00007f2f4fa72700 CR3: 0000000012ada000 CR4: 0000000000352ef0
[  102.856829][ T5324] Call Trace:
[  102.858337][ T5324]  <TASK>
[  102.859721][ T5324]  ? ktime_get_with_offset+0x93/0x2d0
[  102.862398][ T5324]  ? rcu_is_watching+0x15/0xb0
[  102.864941][ T5324]  queue_work_on+0x106/0x1d0
[  102.867650][ T5324]  ? _raw_spin_unlock_irqrestore+0x30/0x80
[  102.870812][ T5324]  hci_recv_frame+0x625/0x7c0
[  102.872921][ T5324]  ? skb_pull+0xc1/0x1d0
[  102.874697][ T5324]  vhci_write+0x358/0x4a0
[  102.876648][ T5324]  vfs_write+0x61d/0xb90
[  102.878560][ T5324]  ? __pfx_vfs_write+0x10/0x10
[  102.880691][ T5324]  ? __fget_files+0x2a/0x420
[  102.883113][ T5324]  ksys_write+0x150/0x270
[  102.885557][ T5324]  ? __pfx_ksys_write+0x10/0x10
[  102.888306][ T5324]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  102.891177][ T5324]  do_syscall_64+0x15f/0xf80
[  102.893212][ T5324]  ? trace_irq_disable+0x3b/0x140
[  102.895493][ T5324]  ? clear_bhb_loop+0x40/0x90
[  102.897601][ T5324]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  102.900169][ T5324] RIP: 0033:0x7f2f4fb5d60e
[  102.902234][ T5324] Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
[  102.911294][ T5324] RSP: 002b:00007f2f50a9ef78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  102.915089][ T5324] RAX: ffffffffffffffda RBX: 00007f2f50a9f6c0 RCX: 00007f2f4fb5d60e
[  102.919288][ T5324] RDX: 0000000000000007 RSI: 00002000000006c0 RDI: 00000000000000ca
[  102.923367][ T5324] RBP: 00007f2f4fc32d69 R08: 0000000000000000 R09: 0000000000000000
[  102.926770][ T5324] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  102.930323][ T5324] R13: 00007f2f4fe16128 R14: 00007f2f4fe16090 R15: 00007fffa21601d8
[  102.934765][ T5324]  </TASK>
[  102.936483][ T5324] Kernel panic - not syncing: kernel: panic_on_warn set ...
[  102.939915][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[  102.943829][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  102.948359][ T5324] Call Trace:
[  102.949857][ T5324]  <TASK>
[  102.951303][ T5324]  vpanic+0x56c/0xa60
[  102.953650][ T5324]  ? __pfx__printk+0x10/0x10
[  102.956517][ T5324]  ? __pfx_vpanic+0x10/0x10
[  102.958616][ T5324]  ? is_bpf_text_address+0x292/0x2b0
[  102.960966][ T5324]  ? is_bpf_text_address+0x26/0x2b0
[  102.963342][ T5324]  panic+0xc5/0xd0
[  102.965027][ T5324]  ? __pfx_panic+0x10/0x10
[  102.967139][ T5324]  __warn+0x315/0x4c0
[  102.969093][ T5324]  ? __queue_work+0xd1f/0xfc0
[  102.971430][ T5324]  ? __queue_work+0xd1f/0xfc0
[  102.973798][ T5324]  __report_bug+0x29a/0x540
[  102.976058][ T5324]  ? __queue_work+0xd1f/0xfc0
[  102.978116][ T5324]  ? __pfx___report_bug+0x10/0x10
[  102.980267][ T5324]  ? __pfx_hci_rx_work+0x10/0x10
[  102.982509][ T5324]  ? do_syscall_64+0x15f/0xf80
[  102.985064][ T5324]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  102.988748][ T5324]  ? __lock_acquire+0x6b5/0x2cf0
[  102.991519][ T5324]  report_bug_entry+0x19a/0x290
[  102.993776][ T5324]  ? __queue_work+0xd4a/0xfc0
[  102.996582][ T5324]  ? __queue_work+0xd4f/0xfc0
[  102.998757][ T5324]  handle_bug+0xce/0x200
[  103.000753][ T5324]  exc_invalid_op+0x1a/0x50
[  103.002886][ T5324]  asm_exc_invalid_op+0x1a/0x20
[  103.005519][ T5324] RIP: 0010:__queue_work+0xd4a/0xfc0
[  103.008513][ T5324] Code: 83 c5 18 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef e8 c7 53 a5 00 49 8b 75 00 49 81 c7 70 01 00 00 4c 89 f7 4c 89 fa <67> 48 0f b9 3a 48 83 c4 58 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc
[  103.017760][ T5324] RSP: 0018:ffffc9000ddcfb20 EFLAGS: 00010082
[  103.020742][ T5324] RAX: 1ffff11003574978 RBX: 0000000000000008 RCX: 0000000000100000
[  103.024867][ T5324] RDX: ffff8880340a2970 RSI: ffffffff8a9d17f0 RDI: ffffffff9033b370
[  103.028863][ T5324] RBP: 0000000000000000 R08: ffff88801aba4baf R09: 1ffff11003574975
[  103.032519][ T5324] R10: dffffc0000000000 R11: ffffed1003574976 R12: dffffc0000000000
[  103.036313][ T5324] R13: ffff88801aba4bc0 R14: ffffffff9033b370 R15: ffff8880340a2970
[  103.040609][ T5324]  ? __pfx_hci_rx_work+0x10/0x10
[  103.043420][ T5324]  ? ktime_get_with_offset+0x93/0x2d0
[  103.046252][ T5324]  ? rcu_is_watching+0x15/0xb0
[  103.048825][ T5324]  queue_work_on+0x106/0x1d0
[  103.051177][ T5324]  ? _raw_spin_unlock_irqrestore+0x30/0x80
[  103.053982][ T5324]  hci_recv_frame+0x625/0x7c0
[  103.056150][ T5324]  ? skb_pull+0xc1/0x1d0
[  103.058347][ T5324]  vhci_write+0x358/0x4a0
[  103.060800][ T5324]  vfs_write+0x61d/0xb90
[  103.063668][ T5324]  ? __pfx_vfs_write+0x10/0x10
[  103.066372][ T5324]  ? __fget_files+0x2a/0x420
[  103.068943][ T5324]  ksys_write+0x150/0x270
[  103.070974][ T5324]  ? __pfx_ksys_write+0x10/0x10
[  103.073456][ T5324]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  103.076693][ T5324]  do_syscall_64+0x15f/0xf80
[  103.078809][ T5324]  ? trace_irq_disable+0x3b/0x140
[  103.080879][ T5324]  ? clear_bhb_loop+0x40/0x90
[  103.083021][ T5324]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  103.085787][ T5324] RIP: 0033:0x7f2f4fb5d60e
[  103.088491][ T5324] Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
[  103.098322][ T5324] RSP: 002b:00007f2f50a9ef78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  103.102062][ T5324] RAX: ffffffffffffffda RBX: 00007f2f50a9f6c0 RCX: 00007f2f4fb5d60e
[  103.106471][ T5324] RDX: 0000000000000007 RSI: 00002000000006c0 RDI: 00000000000000ca
[  103.110118][ T5324] RBP: 00007f2f4fc32d69 R08: 0000000000000000 R09: 0000000000000000
[  103.113263][ T5324] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  103.116397][ T5324] R13: 00007f2f4fe16128 R14: 00007f2f4fe16090 R15: 00007fffa21601d8
[  103.120166][ T5324]  </TASK>
[  103.122242][ T5324] Kernel Offset: disabled
[  103.124231][ T5324] Rebooting in 86400 seconds..