program:
socket$nl_route(0x10, 0x3, 0x0)
ioctl$SIOCX25SCUDMATCHLEN(0xffffffffffffffff, 0x89e7, &(0x7f0000000040)={0x2b}) (async)
getsockopt$PNPIPE_IFINDEX(0xffffffffffffffff, 0x113, 0x2, &(0x7f00000000c0), &(0x7f0000000100)=0x4) (async)
socket$netlink(0x10, 0x3, 0x0) (async)
r0 = socket$nl_route(0x10, 0x3, 0x0) (async)
r1 = socket$unix(0x1, 0x1, 0x0)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000100)={'syzkaller0\x00'}) (async)
r2 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000340)={'syz_tun\x00'})
sendmsg$nl_route_sched(r2, 0x0, 0x0) (async)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
r4 = socket(0x10, 0x3, 0x0) (async)
r5 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r5, 0x400448cb, 0x0) (async)
syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) (async)
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB], 0xe) (async)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="040e04"], 0x7) (async)
socketpair$unix(0x1, 0x1, 0x0, 0x0) (async)
ioctl$sock_SIOCGIFINDEX(0xffffffffffffffff, 0x8933, &(0x7f0000000140)={'pimreg0\x00', <r6=>0x0}) (async)
r7 = socket(0x10, 0x6, 0x2000007) (async)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0) (async)
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000500)={'vcan0\x00', <r8=>0x0})
sendmsg$nl_route_sched(r7, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000780)={&(0x7f00000007c0)=@newqdisc={0x43c, 0x24, 0xd0f, 0x70bd2d, 0x0, {0x60, 0x0, 0x0, r8, {0x0, 0xa}, {0xffff, 0xffff}, {0x0, 0xffff}}, [@qdisc_kind_options=@q_tbf={{0x8}, {0x410, 0x2, [@TCA_TBF_BURST={0x8, 0x6, 0x8057}, @TCA_TBF_PTAB={0x404, 0x3, [0xffffffff, 0xd0d60, 0x1ff, 0x6, 0xe, 0x6, 0xa, 0x4b, 0x8, 0x8, 0xffffffff, 0x2, 0x1, 0x80000001, 0x0, 0x3, 0x5, 0x401, 0xffffffe9, 0x1, 0x4, 0x8000, 0x7, 0x7f, 0x8, 0x1f3c, 0x1, 0x101, 0x7, 0x800, 0x4, 0xa, 0xba5, 0x7, 0x8, 0xe, 0x4, 0x200, 0xa, 0x832d, 0x5, 0x1000, 0x208, 0x80000001, 0x5, 0xc4, 0x0, 0x1552, 0x9, 0x2, 0x6, 0x1, 0x0, 0xfffffffd, 0x4, 0x8, 0x5c, 0x18000000, 0x8, 0x7, 0x2ea, 0x5, 0x0, 0x6, 0x7, 0x3ff, 0x7, 0x800, 0x427, 0x3, 0x5, 0x66a38c86, 0xfffffffa, 0xe3e, 0x80000001, 0x6, 0x3c, 0x5, 0xffffffff, 0x1, 0x3, 0x9, 0xffffffc0, 0x62a, 0xfffffffd, 0x1ff, 0xfffffffe, 0xc37e, 0x7, 0x1, 0x7fffffff, 0x9, 0x1, 0x0, 0xcbe, 0xf, 0x7, 0xff, 0x48e, 0x3ff, 0xfb87, 0x0, 0x3, 0x2, 0x1, 0x7, 0x0, 0xffff, 0x7, 0xb4c2, 0x4, 0x9, 0x8, 0xf, 0x10, 0x3ff, 0x7, 0xa753, 0xe, 0x1000, 0x2, 0xffffffc0, 0x5, 0x3, 0x3, 0x11a, 0x3, 0x6, 0x7, 0x10, 0xc, 0x400, 0x8, 0x9, 0x0, 0x3cf2, 0x1, 0x2, 0xb0, 0x3, 0x5, 0x0, 0x1, 0xb95, 0x4, 0x80000001, 0x4, 0x0, 0x0, 0xfffffff7, 0xe, 0xd, 0x6, 0x3, 0xb3, 0x3, 0x5, 0x7, 0x8, 0xf50f, 0x2, 0x3ff, 0x6, 0x101, 0x0, 0x8, 0xcbe, 0x50000000, 0xffffffc8, 0x5, 0x9, 0x7, 0x637995c8, 0x260196c8, 0x3, 0xd, 0x5, 0x80000001, 0x8, 0xffffffff, 0x3, 0x1ff, 0x8, 0x7, 0x3c2, 0x3, 0xfffffc00, 0x9, 0x1, 0x6, 0xffff, 0x7fff, 0x6, 0x7, 0x2, 0x2, 0xa0, 0x3, 0x1000, 0xd, 0x0, 0x6fd, 0x2, 0x1, 0x6, 0x1, 0x5, 0x5d73, 0x6, 0x9, 0x7f, 0xfffffff9, 0x6, 0xb, 0x7, 0x9, 0x529e, 0xffff0001, 0x2, 0xfffffffb, 0x1, 0x6, 0x1, 0x8722, 0x801, 0x7f, 0x3, 0x8, 0x9, 0x1, 0x9, 0x20, 0x4e, 0xe, 0x1, 0xfb1, 0x1, 0x53f, 0x8, 0x5, 0x3a3f, 0x1ff, 0x9, 0xffffffff, 0x7fff, 0x2000, 0x81, 0x3, 0xa00, 0xfffffffd, 0x2, 0x80, 0x4, 0x162, 0x5, 0x4]}]}}]}, 0x43c}}, 0x44080) (async)
sendmsg$nl_route_sched(r4, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000200)=@gettfilter={0x2c, 0x2e, 0x0, 0x70bd26, 0x25dfdbfe, {0x0, 0x0, 0x0, r6, {0x0, 0x9}, {0xe, 0xc}, {0xffe0, 0xe}}, [{0x8, 0xb, 0x6}]}, 0x2c}, 0x1, 0x0, 0x0, 0x40001}, 0x0) (async)
r9 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r9, 0x8933, &(0x7f0000000040)={'veth0\x00'}) (async)
sendmsg$nl_route_sched(r9, 0x0, 0x8000)
r10 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(r10, 0x0, 0x0)
sendmsg$nl_route_sched(r0, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000000)=@getqdisc={0x34, 0x26, 0x200, 0x30bd29, 0x25dfdbfe, {0x0, 0x0, 0x0, r6, {0xf, 0x1}, {0xfff3, 0x7}, {0xe, 0xfff1}}, [{0x4}, {0x4}, {0x4}, {0x4}]}, 0x34}}, 0x2000c041)

[  108.687945][   T44] Bluetooth: hci0: command tx timeout
[  108.787043][ T5337] ------------[ cut here ]------------
[  108.789948][ T5337] workqueue: cannot queue hci_rx_work on wq hci0
[  108.793438][ T5337] WARNING: kernel/workqueue.c:2298 at __queue_work+0xd1f/0xfc0, CPU#0: syz.0.0/5337
[  108.798178][ T5337] Modules linked in:
[  108.800025][ T5337] CPU: 0 UID: 0 PID: 5337 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[  108.803803][ T5337] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  108.807967][ T5337] RIP: 0010:__queue_work+0xd4a/0xfc0
[  108.810481][ T5337] Code: 83 c5 18 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef e8 97 58 a5 00 49 8b 75 00 49 81 c7 70 01 00 00 4c 89 f7 4c 89 fa <67> 48 0f b9 3a 48 83 c4 58 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc
[  108.819280][ T5337] RSP: 0018:ffffc9000fadfb20 EFLAGS: 00010082
[  108.822064][ T5337] RAX: 1ffff11007187178 RBX: 0000000000000008 RCX: ffff88801fa52500
[  108.825651][ T5337] RDX: ffff8880413b2170 RSI: ffffffff8a9d81a0 RDI: ffffffff9033c3b0
[  108.829258][ T5337] RBP: 0000000000000000 R08: ffff888038c38baf R09: 1ffff11007187175
[  108.832902][ T5337] R10: dffffc0000000000 R11: ffffed1007187176 R12: dffffc0000000000
[  108.836169][ T5337] R13: ffff888038c38bc0 R14: ffffffff9033c3b0 R15: ffff8880413b2170
[  108.839756][ T5337] FS:  00007f59bf82a6c0(0000) GS:ffff88808c885000(0000) knlGS:0000000000000000
[  108.844633][ T5337] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  108.847790][ T5337] CR2: 00007f59bf809d58 CR3: 00000000123d7000 CR4: 0000000000352ef0
[  108.851311][ T5337] Call Trace:
[  108.852891][ T5337]  <TASK>
[  108.854520][ T5337]  ? ktime_get_with_offset+0x93/0x2d0
[  108.856899][ T5337]  ? rcu_is_watching+0x15/0xb0
[  108.858889][ T5337]  queue_work_on+0x106/0x1d0
[  108.860827][ T5337]  ? _raw_spin_unlock_irqrestore+0x30/0x80
[  108.863170][ T5337]  hci_recv_frame+0x625/0x7c0
[  108.865166][ T5337]  ? skb_pull+0xc1/0x1d0
[  108.867041][ T5337]  vhci_write+0x358/0x4a0
[  108.869060][ T5337]  vfs_write+0x61d/0xb90
[  108.872483][ T5337]  ? __pfx_vfs_write+0x10/0x10
[  108.875640][ T5337]  ? __fget_files+0x2a/0x420
[  108.877885][ T5337]  ksys_write+0x150/0x270
[  108.879747][ T5337]  ? __pfx_ksys_write+0x10/0x10
[  108.881970][ T5337]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  108.884654][ T5337]  do_syscall_64+0x15f/0xf80
[  108.886790][ T5337]  ? trace_irq_disable+0x3b/0x140
[  108.888860][ T5337]  ? clear_bhb_loop+0x40/0x90
[  108.891004][ T5337]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  108.893585][ T5337] RIP: 0033:0x7f59be95d60e
[  108.895618][ T5337] Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
[  108.907808][ T5337] RSP: 002b:00007f59bf829f78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  108.911196][ T5337] RAX: ffffffffffffffda RBX: 00007f59bf82a6c0 RCX: 00007f59be95d60e
[  108.914394][ T5337] RDX: 0000000000000022 RSI: 0000200000000540 RDI: 00000000000000ca
[  108.917623][ T5337] RBP: 00007f59bea32d69 R08: 0000000000000000 R09: 0000000000000000
[  108.921474][ T5337] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  108.925180][ T5337] R13: 00007f59bec16218 R14: 00007f59bec16180 R15: 00007fff45ec3ae8
[  108.928477][ T5337]  </TASK>
[  108.929835][ T5337] Kernel panic - not syncing: kernel: panic_on_warn set ...
[  108.932799][ T5337] CPU: 0 UID: 0 PID: 5337 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[  108.936357][ T5337] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  108.940898][ T5337] Call Trace:
[  108.942731][ T5337]  <TASK>
[  108.944310][ T5337]  vpanic+0x56c/0xa60
[  108.946220][ T5337]  ? __pfx__printk+0x10/0x10
[  108.948060][ T5337]  ? __pfx_vpanic+0x10/0x10
[  108.950073][ T5337]  ? is_bpf_text_address+0x292/0x2b0
[  108.952331][ T5337]  ? is_bpf_text_address+0x26/0x2b0
[  108.954847][ T5337]  panic+0xc5/0xd0
[  108.956451][ T5337]  ? __pfx_panic+0x10/0x10
[  108.958417][ T5337]  __warn+0x315/0x4c0
[  108.960338][ T5337]  ? __queue_work+0xd1f/0xfc0
[  108.962587][ T5337]  ? __queue_work+0xd1f/0xfc0
[  108.964938][ T5337]  __report_bug+0x29a/0x540
[  108.967321][ T5337]  ? __queue_work+0xd1f/0xfc0
[  108.969294][ T5337]  ? __pfx___report_bug+0x10/0x10
[  108.971381][ T5337]  ? __pfx_hci_rx_work+0x10/0x10
[  108.973443][ T5337]  ? do_syscall_64+0x15f/0xf80
[  108.975547][ T5337]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  108.978301][ T5337]  ? __lock_acquire+0x6b5/0x2cf0
[  108.980891][ T5337]  report_bug_entry+0x19a/0x290
[  108.983414][ T5337]  ? __queue_work+0xd4a/0xfc0
[  108.985732][ T5337]  ? __queue_work+0xd4f/0xfc0
[  108.988011][ T5337]  handle_bug+0xce/0x200
[  108.989961][ T5337]  exc_invalid_op+0x1a/0x50
[  108.992041][ T5337]  asm_exc_invalid_op+0x1a/0x20
[  108.994279][ T5337] RIP: 0010:__queue_work+0xd4a/0xfc0
[  108.996906][ T5337] Code: 83 c5 18 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef e8 97 58 a5 00 49 8b 75 00 49 81 c7 70 01 00 00 4c 89 f7 4c 89 fa <67> 48 0f b9 3a 48 83 c4 58 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc
[  109.005752][ T5337] RSP: 0018:ffffc9000fadfb20 EFLAGS: 00010082
[  109.008429][ T5337] RAX: 1ffff11007187178 RBX: 0000000000000008 RCX: ffff88801fa52500
[  109.011764][ T5337] RDX: ffff8880413b2170 RSI: ffffffff8a9d81a0 RDI: ffffffff9033c3b0
[  109.015106][ T5337] RBP: 0000000000000000 R08: ffff888038c38baf R09: 1ffff11007187175
[  109.019017][ T5337] R10: dffffc0000000000 R11: ffffed1007187176 R12: dffffc0000000000
[  109.022814][ T5337] R13: ffff888038c38bc0 R14: ffffffff9033c3b0 R15: ffff8880413b2170
[  109.026215][ T5337]  ? __pfx_hci_rx_work+0x10/0x10
[  109.028396][ T5337]  ? ktime_get_with_offset+0x93/0x2d0
[  109.031028][ T5337]  ? rcu_is_watching+0x15/0xb0
[  109.033379][ T5337]  queue_work_on+0x106/0x1d0
[  109.035685][ T5337]  ? _raw_spin_unlock_irqrestore+0x30/0x80
[  109.038218][ T5337]  hci_recv_frame+0x625/0x7c0
[  109.040335][ T5337]  ? skb_pull+0xc1/0x1d0
[  109.042212][ T5337]  vhci_write+0x358/0x4a0
[  109.044041][ T5337]  vfs_write+0x61d/0xb90
[  109.046014][ T5337]  ? __pfx_vfs_write+0x10/0x10
[  109.048486][ T5337]  ? __fget_files+0x2a/0x420
[  109.050689][ T5337]  ksys_write+0x150/0x270
[  109.052560][ T5337]  ? __pfx_ksys_write+0x10/0x10
[  109.054659][ T5337]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  109.057177][ T5337]  do_syscall_64+0x15f/0xf80
[  109.059157][ T5337]  ? trace_irq_disable+0x3b/0x140
[  109.061459][ T5337]  ? clear_bhb_loop+0x40/0x90
[  109.063865][ T5337]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  109.066477][ T5337] RIP: 0033:0x7f59be95d60e
[  109.068418][ T5337] Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
[  109.076785][ T5337] RSP: 002b:00007f59bf829f78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  109.080600][ T5337] RAX: ffffffffffffffda RBX: 00007f59bf82a6c0 RCX: 00007f59be95d60e
[  109.085825][ T5337] RDX: 0000000000000022 RSI: 0000200000000540 RDI: 00000000000000ca
[  109.088858][ T5337] RBP: 00007f59bea32d69 R08: 0000000000000000 R09: 0000000000000000
[  109.092227][ T5337] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  109.095916][ T5337] R13: 00007f59bec16218 R14: 00007f59bec16180 R15: 00007fff45ec3ae8
[  109.099644][ T5337]  </TASK>
[  109.101567][ T5337] Kernel Offset: disabled
[  109.103662][ T5337] Rebooting in 86400 seconds..