program:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3)
connect(r0, &(0x7f0000000000)=@rc={0x1f, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x8}, 0x80) (async)
connect(r0, &(0x7f0000000000)=@rc={0x1f, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x8}, 0x80)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r2 = socket(0x10, 0x3, 0x0)
socket(0x10, 0x803, 0x0) (async)
r3 = socket(0x10, 0x803, 0x0)
syz_genetlink_get_family_id$mptcp(&(0x7f00000000c0), r3)
getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, <r4=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000003c0)=0x14)
sendmsg$nl_route_sched(r2, &(0x7f0000005840)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000020c0)=@newqdisc={0x44, 0x24, 0x5820a61ca228651, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {0xffff, 0xffff}, {0x0, 0xfff1}}, [@qdisc_kind_options=@q_hfsc={{0x9}, {0x14, 0x2, @TCA_HFSC_RSC={0xffffffffffffff7c, 0x1, {0x2, 0x2, 0x6}}}}]}, 0x44}}, 0x0)
sendmsg$nl_route_sched(r3, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000008c00)=@newtfilter={0x7c, 0x28, 0xc2f, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {0xffe0}, {}, {0x3}}, [@filter_kind_options=@f_cgroup={{0xb}, {0x4c, 0x2, [@TCA_CGROUP_ACT={0x30, 0x1, [@m_xt={0x2c, 0x14, 0x0, 0x0, {{0x7}, {0x4}, {0x4}, {0xc, 0x7, {0x0, 0x1}}, {0xc, 0x8, {0x1, 0x3}}}}]}, @TCA_CGROUP_EMATCHES={0x18, 0x3, 0x0, 0x1, [@TCA_EMATCH_TREE_LIST={0x14, 0x2, 0x0, 0x1, [@TCF_EM_NBYTE={0x10, 0x3, 0x0, 0x0, {{0xc000, 0x2, 0x7f}, {0xffff}}}]}]}]}}]}, 0x7c}, 0x1, 0x0, 0x0, 0x2000c880}, 0x0) (async)
sendmsg$nl_route_sched(r3, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000008c00)=@newtfilter={0x7c, 0x28, 0xc2f, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {0xffe0}, {}, {0x3}}, [@filter_kind_options=@f_cgroup={{0xb}, {0x4c, 0x2, [@TCA_CGROUP_ACT={0x30, 0x1, [@m_xt={0x2c, 0x14, 0x0, 0x0, {{0x7}, {0x4}, {0x4}, {0xc, 0x7, {0x0, 0x1}}, {0xc, 0x8, {0x1, 0x3}}}}]}, @TCA_CGROUP_EMATCHES={0x18, 0x3, 0x0, 0x1, [@TCA_EMATCH_TREE_LIST={0x14, 0x2, 0x0, 0x1, [@TCF_EM_NBYTE={0x10, 0x3, 0x0, 0x0, {{0xc000, 0x2, 0x7f}, {0xffff}}}]}]}]}}]}, 0x7c}, 0x1, 0x0, 0x0, 0x2000c880}, 0x0)
ioctl$HCIINQUIRY(r1, 0x400448ca, 0x0)

[  118.514322][ T5335] netlink: 4 bytes leftover after parsing attributes in process `syz.0.0'.
[  118.527045][ T4653] Bluetooth: hci0: command tx timeout
[  118.533074][ T5332] ------------[ cut here ]------------
[  118.535603][ T5332] workqueue: cannot queue hci_tx_work on wq hci0
[  118.538383][ T5332] WARNING: kernel/workqueue.c:2298 at __queue_work+0xd3f/0x1040, CPU#0: kworker/0:5/5332
[  118.543460][ T5332] Modules linked in:
[  118.545314][ T5332] CPU: 0 UID: 0 PID: 5332 Comm: kworker/0:5 Not tainted syzkaller #0 PREEMPT(full) 
[  118.549181][ T5332] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  118.562183][ T5332] Workqueue: events l2cap_info_timeout
[  118.568389][ T5332] RIP: 0010:__queue_work+0xd67/0x1040
[  118.571681][ T5332] Code: a6 0e 49 8d 7d 18 48 89 f8 48 c1 e8 03 42 80 3c 20 00 74 05 e8 0a 5e a5 00 49 8b 75 18 49 81 c7 70 01 00 00 4c 89 f7 4c 89 fa <67> 48 0f b9 3a 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef
[  118.580055][ T5332] RSP: 0018:ffffc9000ccbf760 EFLAGS: 00010082
[  118.582816][ T5332] RAX: 1ffff1100251e18a RBX: 0000000000000008 RCX: ffff88801fa9a500
[  118.586025][ T5332] RDX: ffff8880371dc970 RSI: ffffffff8a9e4cf0 RDI: ffffffff9033ef50
[  118.589492][ T5332] RBP: 0000000000000020 R08: ffff8880128f0c3f R09: 1ffff1100251e187
[  118.593046][ T5332] R10: dffffc0000000000 R11: ffffed100251e188 R12: dffffc0000000000
[  118.596525][ T5332] R13: ffff8880128f0c38 R14: ffffffff9033ef50 R15: ffff8880371dc970
[  118.600190][ T5332] FS:  0000000000000000(0000) GS:ffff88808c87e000(0000) knlGS:0000000000000000
[  118.604123][ T5332] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  118.606814][ T5332] CR2: 0000200000008c00 CR3: 000000000e74a000 CR4: 0000000000352ef0
[  118.610391][ T5332] Call Trace:
[  118.611934][ T5332]  <TASK>
[  118.613327][ T5332]  ? _raw_spin_unlock_irqrestore+0x4c/0x80
[  118.615963][ T5332]  ? rcu_is_watching+0x15/0xb0
[  118.618288][ T5332]  queue_work_on+0x106/0x1d0
[  118.620419][ T5332]  l2cap_send_conn_req+0x243/0x370
[  118.622644][ T5332]  ? __pfx_l2cap_send_conn_req+0x10/0x10
[  118.625115][ T5332]  ? rcu_is_watching+0x15/0xb0
[  118.627427][ T5332]  ? l2cap_chan_check_security+0x303/0x570
[  118.630087][ T5332]  l2cap_conn_start+0xb2b/0xf20
[  118.632283][ T5332]  ? __pfx_l2cap_conn_start+0x10/0x10
[  118.634612][ T5332]  ? l2cap_info_timeout+0x60/0xa0
[  118.636774][ T5332]  ? __pfx___mutex_lock+0x10/0x10
[  118.638875][ T5332]  ? process_scheduled_works+0xa70/0x1860
[  118.641171][ T5332]  l2cap_info_timeout+0x68/0xa0
[  118.642784][ T5332]  ? process_scheduled_works+0xa70/0x1860
[  118.644862][ T5332]  process_scheduled_works+0xb5d/0x1860
[  118.647110][ T5332]  ? __pfx_process_scheduled_works+0x10/0x10
[  118.649461][ T5332]  ? assign_work+0x3d5/0x5e0
[  118.651353][ T5332]  worker_thread+0xa53/0xfc0
[  118.653137][ T5332]  kthread+0x389/0x470
[  118.654775][ T5332]  ? __pfx_worker_thread+0x10/0x10
[  118.656771][ T5332]  ? __pfx_kthread+0x10/0x10
[  118.658649][ T5332]  ret_from_fork+0x514/0xb70
[  118.660399][ T5332]  ? __pfx_ret_from_fork+0x10/0x10
[  118.662365][ T5332]  ? __switch_to+0xc79/0x1410
[  118.664154][ T5332]  ? __pfx_kthread+0x10/0x10
[  118.666015][ T5332]  ret_from_fork_asm+0x1a/0x30
[  118.667875][ T5332]  </TASK>
[  118.669095][ T5332] Kernel panic - not syncing: kernel: panic_on_warn set ...
[  118.671947][ T5332] CPU: 0 UID: 0 PID: 5332 Comm: kworker/0:5 Not tainted syzkaller #0 PREEMPT(full) 
[  118.675364][ T5332] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  118.678921][ T5332] Workqueue: events l2cap_info_timeout
[  118.681069][ T5332] Call Trace:
[  118.682427][ T5332]  <TASK>
[  118.683606][ T5332]  vpanic+0x56c/0xa60
[  118.685163][ T5332]  ? __pfx__printk+0x10/0x10
[  118.687080][ T5332]  ? __pfx_vpanic+0x10/0x10
[  118.688962][ T5332]  ? is_bpf_text_address+0x292/0x2b0
[  118.691055][ T5332]  ? is_bpf_text_address+0x26/0x2b0
[  118.693134][ T5332]  panic+0xc5/0xd0
[  118.694550][ T5332]  ? __pfx_panic+0x10/0x10
[  118.696134][ T5332]  ? ret_from_fork_asm+0x1a/0x30
[  118.697955][ T5332]  __warn+0x315/0x4c0
[  118.699446][ T5332]  ? __queue_work+0xd3f/0x1040
[  118.701401][ T5332]  ? __queue_work+0xd3f/0x1040
[  118.703275][ T5332]  __report_bug+0x29a/0x540
[  118.705345][ T5332]  ? __queue_work+0xd3f/0x1040
[  118.707380][ T5332]  ? __pfx___report_bug+0x10/0x10
[  118.709291][ T5332]  ? __pfx_hci_tx_work+0x10/0x10
[  118.711514][ T5332]  report_bug_entry+0x19a/0x290
[  118.713847][ T5332]  ? __queue_work+0xd67/0x1040
[  118.716081][ T5332]  ? __queue_work+0xd6c/0x1040
[  118.718345][ T5332]  handle_bug+0xce/0x200
[  118.720344][ T5332]  exc_invalid_op+0x1a/0x50
[  118.722454][ T5332]  asm_exc_invalid_op+0x1a/0x20
[  118.724724][ T5332] RIP: 0010:__queue_work+0xd67/0x1040
[  118.727348][ T5332] Code: a6 0e 49 8d 7d 18 48 89 f8 48 c1 e8 03 42 80 3c 20 00 74 05 e8 0a 5e a5 00 49 8b 75 18 49 81 c7 70 01 00 00 4c 89 f7 4c 89 fa <67> 48 0f b9 3a 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef
[  118.736340][ T5332] RSP: 0018:ffffc9000ccbf760 EFLAGS: 00010082
[  118.739308][ T5332] RAX: 1ffff1100251e18a RBX: 0000000000000008 RCX: ffff88801fa9a500
[  118.742994][ T5332] RDX: ffff8880371dc970 RSI: ffffffff8a9e4cf0 RDI: ffffffff9033ef50
[  118.746601][ T5332] RBP: 0000000000000020 R08: ffff8880128f0c3f R09: 1ffff1100251e187
[  118.750227][ T5332] R10: dffffc0000000000 R11: ffffed100251e188 R12: dffffc0000000000
[  118.753875][ T5332] R13: ffff8880128f0c38 R14: ffffffff9033ef50 R15: ffff8880371dc970
[  118.757509][ T5332]  ? __pfx_hci_tx_work+0x10/0x10
[  118.759755][ T5332]  ? _raw_spin_unlock_irqrestore+0x4c/0x80
[  118.762430][ T5332]  ? rcu_is_watching+0x15/0xb0
[  118.764660][ T5332]  queue_work_on+0x106/0x1d0
[  118.766767][ T5332]  l2cap_send_conn_req+0x243/0x370
[  118.769267][ T5332]  ? __pfx_l2cap_send_conn_req+0x10/0x10
[  118.771914][ T5332]  ? rcu_is_watching+0x15/0xb0
[  118.774262][ T5332]  ? l2cap_chan_check_security+0x303/0x570
[  118.776992][ T5332]  l2cap_conn_start+0xb2b/0xf20
[  118.779235][ T5332]  ? __pfx_l2cap_conn_start+0x10/0x10
[  118.781713][ T5332]  ? l2cap_info_timeout+0x60/0xa0
[  118.784029][ T5332]  ? __pfx___mutex_lock+0x10/0x10
[  118.786212][ T5332]  ? process_scheduled_works+0xa70/0x1860
[  118.788740][ T5332]  l2cap_info_timeout+0x68/0xa0
[  118.791141][ T5332]  ? process_scheduled_works+0xa70/0x1860
[  118.793915][ T5332]  process_scheduled_works+0xb5d/0x1860
[  118.796431][ T5332]  ? __pfx_process_scheduled_works+0x10/0x10
[  118.799160][ T5332]  ? assign_work+0x3d5/0x5e0
[  118.801289][ T5332]  worker_thread+0xa53/0xfc0
[  118.803252][ T5332]  kthread+0x389/0x470
[  118.805017][ T5332]  ? __pfx_worker_thread+0x10/0x10
[  118.807281][ T5332]  ? __pfx_kthread+0x10/0x10
[  118.809368][ T5332]  ret_from_fork+0x514/0xb70
[  118.811500][ T5332]  ? __pfx_ret_from_fork+0x10/0x10
[  118.813888][ T5332]  ? __switch_to+0xc79/0x1410
[  118.816052][ T5332]  ? __pfx_kthread+0x10/0x10
[  118.818189][ T5332]  ret_from_fork_asm+0x1a/0x30
[  118.820467][ T5332]  </TASK>
[  118.822295][ T5332] Kernel Offset: disabled
[  118.824272][ T5332] Rebooting in 86400 seconds..