program:
# syzkaller reproducer (syzlang). The kernel log that follows it shows the
# failing path: vhci_write -> hci_recv_frame -> queue_work_on -> __queue_work,
# which prints "workqueue: cannot queue hci_rx_work on wq hci0" and, because
# panic_on_warn is set, panics the guest. That check in kernel/workqueue.c
# fires when the target workqueue is flagged as being destroyed or drained,
# so hci0 was already being torn down when the event below was delivered;
# what triggered the teardown is not visible in this log — TODO confirm.
# Only the Bluetooth/vhci calls near the end are on that path; the netlink
# and bpf calls before them are presumably leftovers from an incomplete
# minimization — TODO confirm by re-running without them.
#
# NETLINK_ROUTE socket (AF_NETLINK=0x10, SOCK_RAW=0x3, protocol 0).
r0 = socket$nl_route(0x10, 0x3, 0x0)
# sendmsg with a NULL msghdr pointer; expected to fail (EFAULT) before any
# message is parsed.
sendmsg$nl_route(r0, 0x0, 0x80)
# This call and the SO_TIMESTAMPING / TIPC_GROUP_JOIN / IPSET calls below
# use fd 0xffffffffffffffff (-1): they cannot reach a handler (EBADF) and
# have no effect on the crash.
sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000001c0)=ANY=[@ANYBLOB="2000000010000d0400"/20, @ANYBLOB="ff000000"], 0x20}}, 0x0)
setsockopt$SO_TIMESTAMPING(0xffffffffffffffff, 0x1, 0x41, &(0x7f0000000000)=0x253, 0x4)
# NETLINK_XFRM socket (protocol 6).
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
# 0x184-byte XFRM request; the header bytes decode as nlmsg_len=0x184,
# nlmsg_type=0x10 (XFRM_MSG_NEWSA) and the payload names the algorithms
# "ecb(cipher_null)" and "rfc7539esp(xchacha12-generic,ghash-generic)".
# Whether this message is the origin of the "148 bytes leftover after
# parsing attributes" warning in the log cannot be told from here.
sendmsg$nl_xfrm(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000a40)=ANY=[@ANYBLOB="840100001000130100000000000000007f0000010000000000000000000000000000000000000000000000003eb33f3fc6fccba20719f6d8a900c6d0c0c687ddd61f2ec91054e7d0e000"/92, @ANYRES32=0x0, @ANYRES32=0xee00, @ANYBLOB="000000000000000000000000000000000000000032000000ac14140000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000000000000000000090000000000000009000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000000000000000000000048000200656362286369706865725f6e756c6c29000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004c00120072666337353339657370287863686163686131322d67656e657269632c67686173682d67656e65726963290000000000000000000000000000000000000000000000000060000000"], 0x184}}, 0x0)
setsockopt$TIPC_GROUP_JOIN(0xffffffffffffffff, 0x10f, 0x87, 0x0, 0x0)
sendmsg$IPSET_CMD_GET_BYNAME(0xffffffffffffffff, 0x0, 0x20000040)
# Plain AF_NETLINK socket (protocol 0); only used as an fd argument in the
# bpf load below.
r2 = socket$netlink(0x10, 0x3, 0x0)
# bpf(BPF_PROG_LOAD). The instruction stream passes r1 — a netlink socket,
# not a map — as a map fd, so the load presumably fails and r3 is -1;
# TODO confirm.
r3 = bpf$PROG_LOAD(0x5, &(0x7f0000000500)={0x13, 0xc, &(0x7f0000000340)=@framed={{0x18, 0x0, 0x0, 0x0, 0x8, 0x0, 0x0, 0x0, 0x86f2}, [@btf_id={0x18, 0x9, 0x3, 0x0, 0x1}, @map_idx_val={0x18, 0xa, 0x6, 0x0, 0x7, 0x0, 0x0, 0x0, 0x1}, @exit, @map_fd={0x18, 0x9, 0x1, 0x0, r1}, @generic={0x56, 0x8, 0x0, 0x4, 0x8}, @kfunc={0x85, 0x0, 0x2, 0x0, 0x4}]}, &(0x7f00000003c0)='syzkaller\x00', 0x8, 0x5f, &(0x7f0000000400)=""/95, 0x41000, 0x7, '\x00', 0x0, @fallback=0xd, r2, 0x8, 0x0, 0x0, 0x10, &(0x7f0000000480)={0x0, 0xc, 0x3, 0x200}, 0x10, 0x0, 0xffffffffffffffff, 0x1, 0x0, &(0x7f00000004c0)=[{0x5, 0x1, 0x4, 0x9}], 0x10, 0x2}, 0x94)
# BPF_PROG_TEST_RUN on r3; if the load above failed this is rejected with
# EBADF and does nothing.
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000940)={r3, 0x0, 0x6, 0xf7, &(0x7f00000005c0)="9968daa441d1", &(0x7f0000000700)=""/247, 0x5, 0x0, 0x97, 0x65, &(0x7f0000000800)="6fe480e42d8b6571c602c88d0362a932a15cdd58a1fbf477ee80b665b3dfb1422d8bb68a00131fa8a07137f0f69dfad5e21c3689bcbc56d57f32891d1e3e5d10d10e7cb357576c55edfeec305635e565c5bb9d1e2d3b393d3373f134c598f56393eef2525be6be8680506a9f20f301aba568ec994c8c362458afbc619405c6e8272a7e6c50e594a25973715951c7c40a9f78672dcc2d2d", &(0x7f00000008c0)="2a0e4dc8ed589e31833dc8313730a11046dcfb63c081c22c64dac9133cced8144debfc1647d19073e203197410656e7e157384baca45b65fb5af7cf8551fe8e1c01033c893a12b82bb4dad709a59824a7876b7600bdccdc022afa5f1e8425de3ad1c04a993", 0x2}, 0x50)
# Raw HCI socket in the init net namespace (AF_BLUETOOTH=0x1f, SOCK_RAW,
# BTPROTO_HCI=1). syz_init_net_socket is a syzkaller pseudo-syscall.
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
# ioctl request 0x400448cb decodes as _IOW('H', 203, int), i.e. HCIDEVRESET,
# with device id 0 (hci0) — verify against include/net/bluetooth/hci_sock.h.
# The "Bluetooth: hci0: command tx timeout" line in the log appears shortly
# before the warning; whether it stems from this reset is not shown.
ioctl$sock_bt_hci(r4, 0x400448cb, 0x0)
# SCO socket (SOCK_SEQPACKET=0x5, BTPROTO_SCO=2); connected below.
r5 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
# Generic netlink socket plus a 0x38-byte request with nested attributes.
# Not on the crash path according to the call trace.
r6 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r6, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000080)={0x38, 0x40, 0x107, 0x70bd2b, 0x25dfdbfa, {0x3, 0x7c}, [@nested={0x4, 0x1c2}, @nested={0x1c, 0x1, 0x0, 0x1, [@nested={0x18, 0x10, 0x0, 0x1, [@typed={0x14, 0xd, 0x0, 0x0, @ipv6=@empty}]}]}, @typed={0x4, 0x8}]}, 0x38}, 0x1, 0x0, 0x0, 0x4c090}, 0xc000)
# connect() on the SCO socket with an all-zero (@none) bdaddr.
connect$bt_sco(r5, &(0x7f0000000000)={0x1f, @none}, 0x8)
# L2CAP socket (BTPROTO_L2CAP=0) and a connect() with a fixed-channel
# address. Both Bluetooth connects run on the same hci0 that is later torn
# down; their contribution to the race is an assumption — TODO confirm.
r7 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r7, &(0x7f0000000000)={0x1f, 0x0, @fixed}, 0xe)
# Injects a 6-byte HCI event packet (type 0x4) through the vhci driver:
# event 0x30 (Key Refresh Complete), plen 3, status 0x5, handle 0xc9.
# The user-space register dump in the log (RDX=6 bytes, RSI ending in
# ...0040) matches this write, so this appears to be the vhci_write that
# reaches hci_recv_frame and the failing queue_work_on.
syz_emit_vhci(&(0x7f0000000040)=@HCI_EVENT_PKT={0x4, @hci_ev_key_refresh_complete={{0x30, 0x3}, {0x5, 0xc9}}}, 0x6)
# Raw 7-byte HCI event: 04 0e 04 02 03 0c 02 = event packet, Command
# Complete (0x0e), plen 4, ncmd 2, opcode 0x0c03 (HCI_Reset), status 2.
# Never executed if the preceding write already panicked the kernel.
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="040e0402030c02"], 0x7)
[ 84.610298][ T5322] netlink: 148 bytes leftover after parsing attributes in process `syz.0.0'.
[ 84.633541][ T5285] Bluetooth: hci0: command tx timeout
[ 84.764666][ T5328] ------------[ cut here ]------------
[ 84.767735][ T5328] workqueue: cannot queue hci_rx_work on wq hci0
[ 84.771412][ T5328] WARNING: kernel/workqueue.c:2298 at __queue_work+0xd1f/0xfc0, CPU#0: syz.0.0/5328
[ 84.775551][ T5328] Modules linked in:
[ 84.777478][ T5328] CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 84.781423][ T5328] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 84.786410][ T5328] RIP: 0010:__queue_work+0xd4a/0xfc0
[ 84.789327][ T5328] Code: 83 c5 18 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef e8 57 53 a5 00 49 8b 75 00 49 81 c7 70 01 00 00 4c 89 f7 4c 89 fa <67> 48 0f b9 3a 48 83 c4 58 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc
[ 84.797813][ T5328] RSP: 0018:ffffc9000db87b20 EFLAGS: 00010082
[ 84.800770][ T5328] RAX: 1ffff11008446178 RBX: 0000000000000008 RCX: 0000000000100000
[ 84.804228][ T5328] RDX: ffff8880417d0970 RSI: ffffffff8a9d1150 RDI: ffffffff9033b4b0
[ 84.807543][ T5328] RBP: 0000000000000000 R08: ffff888042230baf R09: 1ffff11008446175
[ 84.811921][ T5328] R10: dffffc0000000000 R11: ffffed1008446176 R12: dffffc0000000000
[ 84.816700][ T5328] R13: ffff888042230bc0 R14: ffffffff9033b4b0 R15: ffff8880417d0970
[ 84.820663][ T5328] FS: 00007fd2bcfb36c0(0000) GS:ffff88808c888000(0000) knlGS:0000000000000000
[ 84.824387][ T5328] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 84.827213][ T5328] CR2: 00007fd2bcfb2fe8 CR3: 0000000012fba000 CR4: 0000000000352ef0
[ 84.830716][ T5328] Call Trace:
[ 84.832534][ T5328]
[ 84.834136][ T5328] ? ktime_get_with_offset+0x93/0x2d0
[ 84.836967][ T5328] ? rcu_is_watching+0x15/0xb0
[ 84.839301][ T5328] queue_work_on+0x106/0x1d0
[ 84.841669][ T5328] ? _raw_spin_unlock_irqrestore+0x30/0x80
[ 84.844227][ T5328] hci_recv_frame+0x625/0x7c0
[ 84.846630][ T5328] ? skb_pull+0xc1/0x1d0
[ 84.849049][ T5328] vhci_write+0x358/0x4a0
[ 84.851389][ T5328] vfs_write+0x61d/0xb90
[ 84.853421][ T5328] ? __pfx_vfs_write+0x10/0x10
[ 84.855476][ T5328] ? __fget_files+0x2a/0x420
[ 84.857512][ T5328] ksys_write+0x150/0x270
[ 84.859399][ T5328] ? __pfx_ksys_write+0x10/0x10
[ 84.861737][ T5328] ? __pfx_kcov_ioctl+0x10/0x10
[ 84.864374][ T5328] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.867341][ T5328] do_syscall_64+0x15f/0xf80
[ 84.869432][ T5328] ? trace_irq_disable+0x3b/0x140
[ 84.871665][ T5328] ? clear_bhb_loop+0x40/0x90
[ 84.873912][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.876911][ T5328] RIP: 0033:0x7fd2c0b5d60e
[ 84.879173][ T5328] Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
[ 84.887627][ T5328] RSP: 002b:00007fd2bcfb2f78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 84.891779][ T5328] RAX: ffffffffffffffda RBX: 00007fd2bcfb36c0 RCX: 00007fd2c0b5d60e
[ 84.895910][ T5328] RDX: 0000000000000006 RSI: 0000200000000040 RDI: 00000000000000ca
[ 84.899367][ T5328] RBP: 00007fd2c0c32d69 R08: 0000000000000000 R09: 0000000000000000
[ 84.902882][ T5328] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 84.906752][ T5328] R13: 00007fd2c0e16218 R14: 00007fd2c0e16180 R15: 00007ffdad5722c8
[ 84.911422][ T5328]
[ 84.912911][ T5328] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 84.916181][ T5328] CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 84.919955][ T5328] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 84.925188][ T5328] Call Trace:
[ 84.926829][ T5328]
[ 84.928263][ T5328] vpanic+0x56c/0xa60
[ 84.930075][ T5328] ? __pfx__printk+0x10/0x10
[ 84.932085][ T5328] ? __pfx_vpanic+0x10/0x10
[ 84.934160][ T5328] ? is_bpf_text_address+0x292/0x2b0
[ 84.936744][ T5328] ? is_bpf_text_address+0x26/0x2b0
[ 84.939281][ T5328] panic+0xc5/0xd0
[ 84.941366][ T5328] ? __pfx_panic+0x10/0x10
[ 84.943504][ T5328] __warn+0x315/0x4c0
[ 84.945347][ T5328] ? __queue_work+0xd1f/0xfc0
[ 84.947571][ T5328] ? __queue_work+0xd1f/0xfc0
[ 84.949971][ T5328] __report_bug+0x29a/0x540
[ 84.952618][ T5328] ? __queue_work+0xd1f/0xfc0
[ 84.955520][ T5328] ? __pfx___report_bug+0x10/0x10
[ 84.957994][ T5328] ? __pfx_hci_rx_work+0x10/0x10
[ 84.960337][ T5328] ? do_syscall_64+0x15f/0xf80
[ 84.962587][ T5328] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.965255][ T5328] ? __lock_acquire+0x6b5/0x2cf0
[ 84.967727][ T5328] report_bug_entry+0x19a/0x290
[ 84.970217][ T5328] ? __queue_work+0xd4a/0xfc0
[ 84.973019][ T5328] ? __queue_work+0xd4f/0xfc0
[ 84.975716][ T5328] handle_bug+0xce/0x200
[ 84.977799][ T5328] exc_invalid_op+0x1a/0x50
[ 84.979791][ T5328] asm_exc_invalid_op+0x1a/0x20
[ 84.981978][ T5328] RIP: 0010:__queue_work+0xd4a/0xfc0
[ 84.984330][ T5328] Code: 83 c5 18 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef e8 57 53 a5 00 49 8b 75 00 49 81 c7 70 01 00 00 4c 89 f7 4c 89 fa <67> 48 0f b9 3a 48 83 c4 58 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc
[ 84.994458][ T5328] RSP: 0018:ffffc9000db87b20 EFLAGS: 00010082
[ 84.997646][ T5328] RAX: 1ffff11008446178 RBX: 0000000000000008 RCX: 0000000000100000
[ 85.001017][ T5328] RDX: ffff8880417d0970 RSI: ffffffff8a9d1150 RDI: ffffffff9033b4b0
[ 85.004747][ T5328] RBP: 0000000000000000 R08: ffff888042230baf R09: 1ffff11008446175
[ 85.008397][ T5328] R10: dffffc0000000000 R11: ffffed1008446176 R12: dffffc0000000000
[ 85.013632][ T5328] R13: ffff888042230bc0 R14: ffffffff9033b4b0 R15: ffff8880417d0970
[ 85.017657][ T5328] ? __pfx_hci_rx_work+0x10/0x10
[ 85.019976][ T5328] ? ktime_get_with_offset+0x93/0x2d0
[ 85.022301][ T5328] ? rcu_is_watching+0x15/0xb0
[ 85.024431][ T5328] queue_work_on+0x106/0x1d0
[ 85.026443][ T5328] ? _raw_spin_unlock_irqrestore+0x30/0x80
[ 85.029652][ T5328] hci_recv_frame+0x625/0x7c0
[ 85.032566][ T5328] ? skb_pull+0xc1/0x1d0
[ 85.034984][ T5328] vhci_write+0x358/0x4a0
[ 85.037125][ T5328] vfs_write+0x61d/0xb90
[ 85.039060][ T5328] ? __pfx_vfs_write+0x10/0x10
[ 85.041380][ T5328] ? __fget_files+0x2a/0x420
[ 85.043552][ T5328] ksys_write+0x150/0x270
[ 85.045625][ T5328] ? __pfx_ksys_write+0x10/0x10
[ 85.048132][ T5328] ? __pfx_kcov_ioctl+0x10/0x10
[ 85.051098][ T5328] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.055084][ T5328] do_syscall_64+0x15f/0xf80
[ 85.057413][ T5328] ? trace_irq_disable+0x3b/0x140
[ 85.059725][ T5328] ? clear_bhb_loop+0x40/0x90
[ 85.061732][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.064176][ T5328] RIP: 0033:0x7fd2c0b5d60e
[ 85.066019][ T5328] Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
[ 85.074564][ T5328] RSP: 002b:00007fd2bcfb2f78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 85.078448][ T5328] RAX: ffffffffffffffda RBX: 00007fd2bcfb36c0 RCX: 00007fd2c0b5d60e
[ 85.082051][ T5328] RDX: 0000000000000006 RSI: 0000200000000040 RDI: 00000000000000ca
[ 85.086306][ T5328] RBP: 00007fd2c0c32d69 R08: 0000000000000000 R09: 0000000000000000
[ 85.090908][ T5328] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 85.094523][ T5328] R13: 00007fd2c0e16218 R14: 00007fd2c0e16180 R15: 00007ffdad5722c8
[ 85.098168][ T5328]
[ 85.100059][ T5328] Kernel Offset: disabled
[ 85.102241][ T5328] Rebooting in 86400 seconds..