program:
r0 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000340)={'syz_tun\x00'})
sendmsg$nl_route_sched(r0, 0x0, 0x0)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = socket(0x10, 0x81002, 0x0)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r3, 0x400448cb, 0x0)
syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22)
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB], 0xe)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="040e04"], 0x7)
socketpair$unix(0x1, 0x1, 0x0, 0x0)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000140)={'lo\x00', <r4=>0x0})
r5 = socket(0x10, 0x3, 0x0)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000500)={'vcan0\x00', <r6=>0x0})
sendmsg$nl_route_sched(r5, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000080)=@newqdisc={0x38, 0x24, 0xd0f, 0x70bd2d, 0x0, {0x60, 0x0, 0x0, r6, {0x0, 0xa}, {0xffff, 0xffff}, {0x0, 0xa}}, [@qdisc_kind_options=@q_tbf={{0x8}, {0xc, 0x2, [@TCA_TBF_BURST={0x8, 0x6, 0x8057}]}}]}, 0x38}}, 0x44080)
r7 = openat$comedi(0xffffffffffffff9c, &(0x7f0000000040)='/dev/comedi4\x00', 0x101000, 0x0)
ioctl$COMEDI_CMD(r7, 0x80506409, &(0x7f0000000180)={0x0, 0x20, 0x2, 0x6dd, 0x4, 0x0, 0x10, 0x3e8, 0x20, 0x20, 0x1, 0x40, &(0x7f0000000080)=[0x4], 0x1, 0x0})
sendmsg$nl_route_sched(r2, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000780)={&(0x7f00000001c0)=@newqdisc={0x30, 0x24, 0xd0f, 0x400000, 0x0, {0x60, 0x0, 0x0, r4, {}, {0xffff, 0xffff}, {0x0, 0x2}}, [@qdisc_kind_options=@q_hhf={{0x8}, {0x4}}]}, 0x30}, 0x1, 0x0, 0x0, 0x40001}, 0x0)
r8 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f0000000040)={'veth0\x00'})
sendmsg$nl_route_sched(r8, 0x0, 0x24000c40)
r9 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(r9, 0x0, 0x0)

[  104.435445][ T5286] Bluetooth: hci0: command tx timeout
[  104.573837][ T5325] ------------[ cut here ]------------
[  104.576536][ T5325] workqueue: cannot queue hci_rx_work on wq hci0
[  104.579182][ T5325] WARNING: kernel/workqueue.c:2298 at __queue_work+0xd1f/0xfc0, CPU#0: syz.0.0/5325
[  104.583450][ T5325] Modules linked in:
[  104.585395][ T5325] CPU: 0 UID: 0 PID: 5325 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[  104.589118][ T5325] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  104.593833][ T5325] RIP: 0010:__queue_work+0xd4a/0xfc0
[  104.596411][ T5325] Code: 83 c5 18 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef e8 97 58 a5 00 49 8b 75 00 49 81 c7 70 01 00 00 4c 89 f7 4c 89 fa <67> 48 0f b9 3a 48 83 c4 58 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc
[  104.604283][ T5325] RSP: 0018:ffffc9000e5d7b20 EFLAGS: 00010082
[  104.607025][ T5325] RAX: 1ffff11002573178 RBX: 0000000000000008 RCX: 0000000000100000
[  104.610337][ T5325] RDX: ffff888040efa170 RSI: ffffffff8a9d81a0 RDI: ffffffff9033c3b0
[  104.613884][ T5325] RBP: 0000000000000000 R08: ffff888012b98baf R09: 1ffff11002573175
[  104.617266][ T5325] R10: dffffc0000000000 R11: ffffed1002573176 R12: dffffc0000000000
[  104.620487][ T5325] R13: ffff888012b98bc0 R14: ffffffff9033c3b0 R15: ffff888040efa170
[  104.623857][ T5325] FS:  00007f04239116c0(0000) GS:ffff88808c885000(0000) knlGS:0000000000000000
[  104.627535][ T5325] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  104.630214][ T5325] CR2: 0000562d3bbc4898 CR3: 000000001fc97000 CR4: 0000000000352ef0
[  104.633992][ T5325] Call Trace:
[  104.635673][ T5325]  <TASK>
[  104.637100][ T5325]  ? ktime_get_with_offset+0x93/0x2d0
[  104.639531][ T5325]  ? rcu_is_watching+0x15/0xb0
[  104.641767][ T5325]  queue_work_on+0x106/0x1d0
[  104.643839][ T5325]  ? _raw_spin_unlock_irqrestore+0x30/0x80
[  104.646183][ T5325]  hci_recv_frame+0x625/0x7c0
[  104.648072][ T5325]  ? skb_pull+0xc1/0x1d0
[  104.649721][ T5325]  vhci_write+0x358/0x4a0
[  104.651568][ T5325]  vfs_write+0x61d/0xb90
[  104.653403][ T5325]  ? __pfx_vfs_write+0x10/0x10
[  104.655608][ T5325]  ? __fget_files+0x2a/0x420
[  104.657743][ T5325]  ksys_write+0x150/0x270
[  104.659856][ T5325]  ? __pfx_ksys_write+0x10/0x10
[  104.662086][ T5325]  ? __pfx_kcov_ioctl+0x10/0x10
[  104.664245][ T5325]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  104.666808][ T5325]  do_syscall_64+0x15f/0xf80
[  104.668986][ T5325]  ? trace_irq_disable+0x3b/0x140
[  104.671272][ T5325]  ? clear_bhb_loop+0x40/0x90
[  104.673102][ T5325]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  104.675530][ T5325] RIP: 0033:0x7f042295d60e
[  104.677517][ T5325] Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
[  104.685192][ T5325] RSP: 002b:00007f0423910f78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  104.688483][ T5325] RAX: ffffffffffffffda RBX: 00007f04239116c0 RCX: 00007f042295d60e
[  104.692077][ T5325] RDX: 0000000000000022 RSI: 0000200000000540 RDI: 00000000000000ca
[  104.695966][ T5325] RBP: 00007f0422a32d69 R08: 0000000000000000 R09: 0000000000000000
[  104.699516][ T5325] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  104.702932][ T5325] R13: 00007f0422c16128 R14: 00007f0422c16090 R15: 00007ffd521fb918
[  104.706414][ T5325]  </TASK>
[  104.707651][ T5325] Kernel panic - not syncing: kernel: panic_on_warn set ...
[  104.710583][ T5325] CPU: 0 UID: 0 PID: 5325 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[  104.714205][ T5325] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  104.719315][ T5325] Call Trace:
[  104.720801][ T5325]  <TASK>
[  104.722073][ T5325]  vpanic+0x56c/0xa60
[  104.723796][ T5325]  ? __pfx__printk+0x10/0x10
[  104.725798][ T5325]  ? __pfx_vpanic+0x10/0x10
[  104.727783][ T5325]  ? is_bpf_text_address+0x292/0x2b0
[  104.730012][ T5325]  ? is_bpf_text_address+0x26/0x2b0
[  104.732321][ T5325]  panic+0xc5/0xd0
[  104.733946][ T5325]  ? __pfx_panic+0x10/0x10
[  104.736150][ T5325]  __warn+0x315/0x4c0
[  104.738230][ T5325]  ? __queue_work+0xd1f/0xfc0
[  104.740557][ T5325]  ? __queue_work+0xd1f/0xfc0
[  104.742744][ T5325]  __report_bug+0x29a/0x540
[  104.744749][ T5325]  ? __queue_work+0xd1f/0xfc0
[  104.746820][ T5325]  ? __pfx___report_bug+0x10/0x10
[  104.749180][ T5325]  ? __pfx_hci_rx_work+0x10/0x10
[  104.751364][ T5325]  ? do_syscall_64+0x15f/0xf80
[  104.753394][ T5325]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  104.755875][ T5325]  ? __lock_acquire+0x6b5/0x2cf0
[  104.758109][ T5325]  report_bug_entry+0x19a/0x290
[  104.760624][ T5325]  ? __queue_work+0xd4a/0xfc0
[  104.763094][ T5325]  ? __queue_work+0xd4f/0xfc0
[  104.765379][ T5325]  handle_bug+0xce/0x200
[  104.767303][ T5325]  exc_invalid_op+0x1a/0x50
[  104.769349][ T5325]  asm_exc_invalid_op+0x1a/0x20
[  104.771557][ T5325] RIP: 0010:__queue_work+0xd4a/0xfc0
[  104.773786][ T5325] Code: 83 c5 18 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef e8 97 58 a5 00 49 8b 75 00 49 81 c7 70 01 00 00 4c 89 f7 4c 89 fa <67> 48 0f b9 3a 48 83 c4 58 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc
[  104.782043][ T5325] RSP: 0018:ffffc9000e5d7b20 EFLAGS: 00010082
[  104.784631][ T5325] RAX: 1ffff11002573178 RBX: 0000000000000008 RCX: 0000000000100000
[  104.788336][ T5325] RDX: ffff888040efa170 RSI: ffffffff8a9d81a0 RDI: ffffffff9033c3b0
[  104.792253][ T5325] RBP: 0000000000000000 R08: ffff888012b98baf R09: 1ffff11002573175
[  104.795655][ T5325] R10: dffffc0000000000 R11: ffffed1002573176 R12: dffffc0000000000
[  104.798913][ T5325] R13: ffff888012b98bc0 R14: ffffffff9033c3b0 R15: ffff888040efa170
[  104.802583][ T5325]  ? __pfx_hci_rx_work+0x10/0x10
[  104.804933][ T5325]  ? ktime_get_with_offset+0x93/0x2d0
[  104.807591][ T5325]  ? rcu_is_watching+0x15/0xb0
[  104.809945][ T5325]  queue_work_on+0x106/0x1d0
[  104.812021][ T5325]  ? _raw_spin_unlock_irqrestore+0x30/0x80
[  104.814569][ T5325]  hci_recv_frame+0x625/0x7c0
[  104.816594][ T5325]  ? skb_pull+0xc1/0x1d0
[  104.818449][ T5325]  vhci_write+0x358/0x4a0
[  104.820258][ T5325]  vfs_write+0x61d/0xb90
[  104.822041][ T5325]  ? __pfx_vfs_write+0x10/0x10
[  104.824348][ T5325]  ? __fget_files+0x2a/0x420
[  104.826601][ T5325]  ksys_write+0x150/0x270
[  104.828559][ T5325]  ? __pfx_ksys_write+0x10/0x10
[  104.830823][ T5325]  ? __pfx_kcov_ioctl+0x10/0x10
[  104.833126][ T5325]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  104.835815][ T5325]  do_syscall_64+0x15f/0xf80
[  104.837881][ T5325]  ? trace_irq_disable+0x3b/0x140
[  104.839998][ T5325]  ? clear_bhb_loop+0x40/0x90
[  104.842071][ T5325]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  104.844616][ T5325] RIP: 0033:0x7f042295d60e
[  104.846587][ T5325] Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
[  104.854125][ T5325] RSP: 002b:00007f0423910f78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  104.857362][ T5325] RAX: ffffffffffffffda RBX: 00007f04239116c0 RCX: 00007f042295d60e
[  104.860549][ T5325] RDX: 0000000000000022 RSI: 0000200000000540 RDI: 00000000000000ca
[  104.864092][ T5325] RBP: 00007f0422a32d69 R08: 0000000000000000 R09: 0000000000000000
[  104.867726][ T5325] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  104.871130][ T5325] R13: 00007f0422c16128 R14: 00007f0422c16090 R15: 00007ffd521fb918
[  104.874411][ T5325]  </TASK>
[  104.876108][ T5325] Kernel Offset: disabled
[  104.877951][ T5325] Rebooting in 86400 seconds..