program: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) r1 = socket(0x10, 0x3, 0x0) setsockopt$netlink_NETLINK_TX_RING(r1, 0x10e, 0xc, &(0x7f0000000280)={0xfffffffc}, 0x9) (async) sendmsg$nl_generic(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000080)={0x20, 0x12, 0xa01, 0x0, 0x0, {0x80, 0x2}}, 0x26}}, 0x0) (async) sendmsg$NFT_BATCH(r0, &(0x7f000000c2c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000004c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01010000000000000000020000000900010073797a300000000040000000030a09020000000000000000020000000900010073797a30000000000900030073797a3200000000140004800800014000000000080002400000000014000000110001"], 0x88}}, 0x0) (async) r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$sock_bt_hci(r2, 0x400448cb, 0x0) (async, rerun: 64) syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="040e0402030c02"], 0x7) (rerun: 64) r3 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r3, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000b40)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a98000000060a0b040000000000000009000000000900020073797a32000000006c000480680001800b000100746172676574000058000280400003009b6a37b458a8056dd9a87f963d140d7a9d3ac869f3a860917523679abf4579f9cd656422a633a39f03000000000000000000000001000000000000000a000100484d41524b00000008000240000000000900010073797a3000000000140000001100010000000000000000000000000a"], 0xc0}, 0x1, 0x0, 0x0, 0x20040000}, 0x0) r4 = open(&(0x7f0000000280)='.\x00', 0x0, 0x0) fcntl$notify(r4, 0x402, 0x8000003d) (async) r5 = socket$inet6_sctp(0xa, 0x5, 0x84) r6 = socket$inet6_sctp(0xa, 0x5, 0x84) shutdown(r6, 0x0) getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r6, 0x84, 0x6f, &(0x7f0000000000)={0x0, 0x1c, &(0x7f00000000c0)=[@in6={0xa, 0x0, 0x0, @private2}]}, &(0x7f0000000180)=0x10) (async, rerun: 64) r7 = socket$inet_sctp(0x2, 0x1, 0x84) (rerun: 64) getsockopt$inet_sctp_SCTP_MAX_BURST(r7, 0x84, 0xd, &(0x7f0000000000)=@assoc_value={0x0}, &(0x7f0000000040)=0x8) getsockopt$inet_sctp6_SCTP_GET_LOCAL_ADDRS(r5, 0x84, 0x6d, &(0x7f0000000000)={r8}, &(0x7f0000000080)=0x8) r9 = socket$kcm(0x10, 0x2, 0x0) sendmsg$inet(r9, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000680)=[{&(0x7f00000000c0)="5c00000014006b05c84e21000ab16d6e230675f811000000440002005817d30461bc24eeb556a7ef59510525ba56dcd79a36c23d3b9844e1571a86ea1698fa51f60a64c9f408000000e786a6d0bdd70000b6c0504bb9189d9193e9bd", 0x5c}], 0x1, 0x0, 0x0, 0x1f00c00e}, 0x0) (async) r10 = socket$phonet_pipe(0x23, 0x5, 0x2) connect$phonet_pipe(r10, &(0x7f0000000040), 0x10) fcntl$setsig(r4, 0xa, 0x21) mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./bus\x00', 0x0) syz_emit_ethernet(0x3e, &(0x7f0000000700)={@local, @random="429e82211cf8", @void, {@ipv4={0x800, @icmp={{0x5, 0x4, 0x3, 0x7, 0x30, 0x67, 0x0, 0x9, 0x1, 0x0, @remote, @remote}, @source_quench={0x4, 0x0, 0x0, 0x0, {0x5, 0x4, 0x1, 0x30, 0x8001, 0x65, 0x4, 0xff, 0x5e, 0xd588, @dev={0xac, 0x14, 0x14, 0x1d}, @rand_addr=0x64010100}}}}}}, 0x0) (async, rerun: 64) r11 = syz_open_dev$dri(&(0x7f0000000000), 0x7, 0x2) (rerun: 64) ioctl$DRM_IOCTL_SYNCOBJ_CREATE(r11, 0xc00864bf, &(0x7f0000000080)={0x0, 0x1}) [ 85.982745][ T5307] Bluetooth: hci0: command tx timeout [ 86.192847][ T5328] ------------[ cut here ]------------ [ 86.195322][ T5328] workqueue: cannot queue hci_rx_work on wq hci0 [ 86.198257][ T5328] WARNING: kernel/workqueue.c:2271 at __queue_work+0xd53/0x1020, CPU#0: syz.0.0/5328 [ 86.202496][ T5328] Modules linked in: [ 86.204347][ T5328] CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 86.208439][ T5328] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 86.212946][ T5328] RIP: 0010:__queue_work+0xd7e/0x1020 [ 86.215388][ T5328] Code: 83 c5 18 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef e8 73 f1 a3 00 49 8b 75 00 49 81 c7 78 01 00 00 4c 89 f7 4c 89 fa <67> 48 0f b9 3a 48 83 c4 58 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc [ 86.224005][ T5328] RSP: 0018:ffffc9000dfefb20 EFLAGS: 00010086 [ 86.226732][ T5328] RAX: 1ffff1100247897b RBX: 0000000000000008 RCX: ffff88801fad2480 [ 86.230256][ T5328] RDX: ffff88803fe71178 RSI: ffffffff8aa01a00 RDI: ffffffff90149890 [ 86.233600][ T5328] RBP: 0000000000000000 R08: ffff8880123c4bc7 R09: 1ffff11002478978 [ 86.237093][ T5328] R10: dffffc0000000000 R11: ffffed1002478979 R12: dffffc0000000000 [ 86.240660][ T5328] R13: ffff8880123c4bd8 R14: ffffffff90149890 R15: ffff88803fe71178 [ 86.244102][ T5328] FS: 00007f5e5cdf56c0(0000) GS:ffff88808ca5b000(0000) knlGS:0000000000000000 [ 86.248047][ T5328] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 86.250975][ T5328] CR2: 00007f5e5cdf4ff0 CR3: 000000001efb0000 CR4: 0000000000352ef0 [ 86.254428][ T5328] Call Trace: [ 86.255865][ T5328] [ 86.257195][ T5328] ? rcu_is_watching+0x15/0xb0 [ 86.259255][ T5328] queue_work_on+0x106/0x1d0 [ 86.261234][ T5328] ? _raw_spin_unlock_irqrestore+0x30/0x80 [ 86.263452][ T5328] hci_recv_frame+0x625/0x7c0 [ 86.265196][ T5328] ? skb_pull+0xc1/0x1d0 [ 86.266697][ T5328] vhci_write+0x358/0x4a0 [ 86.268243][ T5328] vfs_write+0x61d/0xb90 [ 86.269804][ T5328] ? __pfx_vfs_write+0x10/0x10 [ 86.271827][ T5328] ? __fget_files+0x2a/0x420 [ 86.274014][ T5328] ksys_write+0x150/0x270 [ 86.275499][ T5328] ? __pfx_ksys_write+0x10/0x10 [ 86.277298][ T5328] do_syscall_64+0x14d/0xf80 [ 86.279164][ T5328] ? trace_irq_disable+0x3b/0x150 [ 86.281302][ T5328] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.283842][ T5328] ? clear_bhb_loop+0x40/0x90 [ 86.285813][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.288344][ T5328] RIP: 0033:0x7f5e6095cece [ 86.290246][ T5328] Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 [ 86.298144][ T5328] RSP: 002b:00007f5e5cdf4fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 86.301753][ T5328] RAX: ffffffffffffffda RBX: 00007f5e5cdf56c0 RCX: 00007f5e6095cece [ 86.305051][ T5328] RDX: 0000000000000007 RSI: 0000200000000300 RDI: 00000000000000ca [ 86.308504][ T5328] RBP: 00007f5e60a32b39 R08: 0000000000000000 R09: 0000000000000000 [ 86.311872][ T5328] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 86.315124][ T5328] R13: 00007f5e60c16128 R14: 00007f5e60c16090 R15: 00007ffd8a5b0128 [ 86.318729][ T5328] [ 86.319988][ T5328] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 86.323235][ T5328] CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 86.327094][ T5328] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 86.331404][ T5328] Call Trace: [ 86.332851][ T5328] [ 86.334143][ T5328] vpanic+0x56c/0xa60 [ 86.335835][ T5328] ? __pfx__printk+0x10/0x10 [ 86.337807][ T5328] ? __pfx_vpanic+0x10/0x10 [ 86.339870][ T5328] ? is_bpf_text_address+0x292/0x2b0 [ 86.342229][ T5328] ? is_bpf_text_address+0x26/0x2b0 [ 86.344608][ T5328] panic+0xc5/0xd0 [ 86.347066][ T5328] ? __pfx_panic+0x10/0x10 [ 86.349013][ T5328] __warn+0x315/0x4f0 [ 86.350736][ T5328] ? __queue_work+0xd53/0x1020 [ 86.352753][ T5328] ? __queue_work+0xd53/0x1020 [ 86.354745][ T5328] __report_bug+0x29a/0x540 [ 86.356822][ T5328] ? __queue_work+0xd53/0x1020 [ 86.358801][ T5328] ? __pfx___report_bug+0x10/0x10 [ 86.360927][ T5328] ? __pfx_hci_rx_work+0x10/0x10 [ 86.363096][ T5328] ? do_syscall_64+0x14d/0xf80 [ 86.365162][ T5328] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.367709][ T5328] report_bug_entry+0x19a/0x290 [ 86.369835][ T5328] ? __queue_work+0xd7e/0x1020 [ 86.371945][ T5328] ? __queue_work+0xd83/0x1020 [ 86.374093][ T5328] handle_bug+0xca/0x200 [ 86.375853][ T5328] exc_invalid_op+0x1a/0x50 [ 86.377722][ T5328] asm_exc_invalid_op+0x1a/0x20 [ 86.379851][ T5328] RIP: 0010:__queue_work+0xd7e/0x1020 [ 86.382193][ T5328] Code: 83 c5 18 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef e8 73 f1 a3 00 49 8b 75 00 49 81 c7 78 01 00 00 4c 89 f7 4c 89 fa <67> 48 0f b9 3a 48 83 c4 58 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc [ 86.390151][ T5328] RSP: 0018:ffffc9000dfefb20 EFLAGS: 00010086 [ 86.392569][ T5328] RAX: 1ffff1100247897b RBX: 0000000000000008 RCX: ffff88801fad2480 [ 86.395891][ T5328] RDX: ffff88803fe71178 RSI: ffffffff8aa01a00 RDI: ffffffff90149890 [ 86.399094][ T5328] RBP: 0000000000000000 R08: ffff8880123c4bc7 R09: 1ffff11002478978 [ 86.402267][ T5328] R10: dffffc0000000000 R11: ffffed1002478979 R12: dffffc0000000000 [ 86.405221][ T5328] R13: ffff8880123c4bd8 R14: ffffffff90149890 R15: ffff88803fe71178 [ 86.408254][ T5328] ? __pfx_hci_rx_work+0x10/0x10 [ 86.410093][ T5328] ? rcu_is_watching+0x15/0xb0 [ 86.411937][ T5328] queue_work_on+0x106/0x1d0 [ 86.414003][ T5328] ? _raw_spin_unlock_irqrestore+0x30/0x80 [ 86.416469][ T5328] hci_recv_frame+0x625/0x7c0 [ 86.418531][ T5328] ? skb_pull+0xc1/0x1d0 [ 86.420382][ T5328] vhci_write+0x358/0x4a0 [ 86.422164][ T5328] vfs_write+0x61d/0xb90 [ 86.424020][ T5328] ? __pfx_vfs_write+0x10/0x10 [ 86.425993][ T5328] ? __fget_files+0x2a/0x420 [ 86.427819][ T5328] ksys_write+0x150/0x270 [ 86.429878][ T5328] ? __pfx_ksys_write+0x10/0x10 [ 86.431974][ T5328] do_syscall_64+0x14d/0xf80 [ 86.434026][ T5328] ? trace_irq_disable+0x3b/0x150 [ 86.436210][ T5328] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.438876][ T5328] ? clear_bhb_loop+0x40/0x90 [ 86.440741][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.443010][ T5328] RIP: 0033:0x7f5e6095cece [ 86.444940][ T5328] Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 [ 86.453242][ T5328] RSP: 002b:00007f5e5cdf4fb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 86.456699][ T5328] RAX: ffffffffffffffda RBX: 00007f5e5cdf56c0 RCX: 00007f5e6095cece [ 86.459887][ T5328] RDX: 0000000000000007 RSI: 0000200000000300 RDI: 00000000000000ca [ 86.463078][ T5328] RBP: 00007f5e60a32b39 R08: 0000000000000000 R09: 0000000000000000 [ 86.466218][ T5328] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 86.469474][ T5328] R13: 00007f5e60c16128 R14: 00007f5e60c16090 R15: 00007ffd8a5b0128 [ 86.472763][ T5328] [ 86.474453][ T5328] Kernel Offset: disabled [ 86.476265][ T5328] Rebooting in 86400 seconds..