program:
r0 = socket(0x2a, 0x2, 0x0) (async)
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000240)={&(0x7f00000005c0)=@newqdisc={0x24, 0x24, 0x10, 0x1000000, 0x0, {0x0, 0x0, 0x0, 0x0, {0x0, 0xc}}}, 0x24}}, 0x0) (async, rerun: 64)
r1 = socket$nl_generic(0x10, 0x3, 0x10) (async, rerun: 64)
r2 = syz_genetlink_get_family_id$l2tp(&(0x7f0000000140), 0xffffffffffffffff)
sendmsg$L2TP_CMD_TUNNEL_CREATE(r1, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000340)=ANY=[@ANYBLOB="05001932", @ANYRES16=r2, @ANYBLOB="17090000000000000000010000000500070000000000080009000000000014002000fe8000000000000000000000000000bb08000a0000000000060002000100000014001f0000000000000000000000000000000001"], 0x5c}, 0x1, 0x620b}, 0x0) (async)
getsockname$packet(r0, &(0x7f0000000200)={0x11, 0x0, <r3=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000001480)=0x14)
getsockopt$inet_pktinfo(r0, 0x0, 0x8, &(0x7f0000000180)={0x0, @remote, @private}, &(0x7f0000000400)=0xc) (async, rerun: 64)
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f00000001c0)=@newqdisc={0x2c, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x0, r3, {}, {0xffff, 0x2}, {0x0, 0xffff}}, [@qdisc_kind_options=@q_drr={0x8}]}, 0x2c}}, 0x0) (async, rerun: 64)
r4 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0)
ioctl$TUNSETIFF(r4, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201})
r5 = socket$alg(0x26, 0x5, 0x0)
bind$alg(r5, &(0x7f0000000000)={0x26, 'aead\x00', 0x0, 0x0, 'generic-gcm-aesni\x00'}, 0x58) (async, rerun: 64)
setsockopt$ALG_SET_KEY(r5, 0x117, 0x1, &(0x7f0000000140)="2c385aa3d49100dc6626c892b6bc436a", 0x10) (async, rerun: 64)
r6 = accept4(r5, 0x0, 0x0, 0x0)
sendmsg$nl_route_sched_retired(r6, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000480)=@deltfilter={0xec, 0x2d, 0x200, 0x70bd2d, 0x25dfdbfd, {0x0, 0x0, 0x0, 0x0, {0xa, 0xffe0}, {0x3, 0x31c8af0cd71626ae}, {0x9}}, [@f_rsvp6={{0xa}, {0xbc, 0x2, [@TCA_RSVP_SRC={0x14, 0x3, @empty}, @TCA_RSVP_PINFO={0x20, 0x4, {{0x58ac, 0x9, 0x6}, {0x18160dfd, 0x9, 0xfffffff9}, 0x62, 0x3, 0x6}}, @TCA_RSVP_SRC={0x14, 0x3, @local}, @TCA_RSVP_CLASSID={0x8, 0x1, {0xfff8, 0xb}}, @TCA_RSVP_ACT={0x68, 0x6, [@m_bpf={0x64, 0x7, 0x0, 0x0, {{0x8}, {0xc, 0x2, 0x0, 0x1, [@TCA_ACT_BPF_OPS_LEN={0x6, 0x3, 0x6}]}, {0x32, 0x6, "5ea905e18bdf10b1b359bebc230b1d345c9b86506ecfd16783fdddf977752052c183050c28bde19ea0f8f55999dd"}, {0xc, 0x7, {0x1, 0x1}}, {0xc, 0x8, {0x1, 0x1}}}}]}]}}]}, 0xec}}, 0x0)
recvmmsg(r6, &(0x7f0000000180)=[{{0x0, 0x0, &(0x7f0000000400)=[{&(0x7f0000000300)=""/225, 0xe1}], 0x1}}], 0x1, 0x60, 0x0) (async)
r7 = socket$kcm(0x2, 0x3, 0x2)
ioctl$SIOCSIFHWADDR(r7, 0x8914, &(0x7f0000000080)={'syzkaller1\x00', @broadcast})
ioctl$sock_inet_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f00000003c0)={0x0, {0x2, 0x4e20, @rand_addr=0x64010100}, {0x2, 0x4a24, @remote}, {0x2, 0x4e25, @multicast2}, 0x204, 0x0, 0x0, 0x0, 0x2008, 0x0, 0x200001, 0x5, 0x2})
write$tun(r4, &(0x7f0000000580)=ANY=[@ANYBLOB="9c830b4956a0df"], 0xdc) (async, rerun: 32)
recvfrom(r0, &(0x7f0000000100)=""/109, 0x6d, 0x0, &(0x7f0000000380)=@l2={0x1f, 0x6, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x12}, 0x1}, 0x80) (rerun: 32)
r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r8, 0x400448cb, 0x0) (async)
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="043e751d"], 0x24) (async, rerun: 64)
sendmsg$nl_route_sched(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000740)=@newtfilter={0x60, 0x2c, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r3, {}, {}, {0xd}}, [@filter_kind_options=@f_basic={{0xa}, {0x30, 0x2, [@TCA_BASIC_EMATCHES={0x2c, 0x2, 0x0, 0x1, [@TCA_EMATCH_TREE_HDR={0x8, 0x1, {0x8a}}, @TCA_EMATCH_TREE_LIST={0x20, 0x2, 0x0, 0x1, [@TCF_EM_NBYTE={0x1c, 0x3, 0x0, 0x0, {{0x0, 0x2, 0xff84}, {0x10, 0xa, 0x2, "334f0a12932aa512f402"}}}]}]}]}}]}, 0x60}}, 0x0) (async, rerun: 64)
r9 = socket$netlink(0x10, 0x3, 0x0)
sendmmsg(r9, &(0x7f00000002c0), 0x40000000000009f, 0x0) (async)
prctl$PR_SET_MM_MAP(0x49, 0xe, 0x0, 0x65ad47c7259e66f1)
r10 = bpf$OBJ_GET_PROG(0x7, &(0x7f0000000640)=@generic={&(0x7f0000000600)='./file0\x00', 0x0, 0x8}, 0x18)
setsockopt$sock_attach_bpf(r6, 0x1, 0x32, &(0x7f0000000680)=r10, 0x4)

[   74.502230][ T4650] Bluetooth: hci0: command tx timeout
[   74.598697][ T5319] syzkaller1: entered promiscuous mode
[   74.601471][ T5319] syzkaller1: entered allmulticast mode
[   74.620591][ T4650] Bluetooth: hci0: Unable to find connection for big 0x64
[   74.626206][ T4650] Bluetooth: hci0: Unable to find connection for big 0x64
[   74.630621][ T4650] Bluetooth: hci0: Unable to find connection for big 0x64
[   74.634468][ T4650] Bluetooth: hci0: Unable to find connection for big 0x64
[   74.638100][ T4650] Bluetooth: hci0: Unable to find connection for big 0x64
[   74.643651][ T4650] Bluetooth: hci0: Unable to find connection for big 0x64
[   74.650659][ T5319] ------------[ cut here ]------------
[   74.653305][ T5319] workqueue: cannot queue hci_rx_work on wq hci0
[   74.656336][ T5319] WARNING: kernel/workqueue.c:2298 at __queue_work+0xd1f/0xfc0, CPU#0: syz.0.0/5319
[   74.660236][ T5319] Modules linked in:
[   74.661917][ T5319] CPU: 0 UID: 0 PID: 5319 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   74.665671][ T5319] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   74.670363][ T5319] RIP: 0010:__queue_work+0xd4a/0xfc0
[   74.672930][ T5319] Code: 83 c5 18 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef e8 d7 4c a5 00 49 8b 75 00 49 81 c7 70 01 00 00 4c 89 f7 4c 89 fa <67> 48 0f b9 3a 48 83 c4 58 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc
[   74.681864][ T5319] RSP: 0018:ffffc900055f7b20 EFLAGS: 00010082
[   74.684844][ T5319] RAX: 1ffff11007023178 RBX: 0000000000000008 RCX: ffff88800028a500
[   74.688774][ T5319] RDX: ffff888041989970 RSI: ffffffff8a9cf820 RDI: ffffffff9033b170
[   74.692631][ T5319] RBP: 0000000000000000 R08: ffff888038118baf R09: 1ffff11007023175
[   74.696390][ T5319] R10: dffffc0000000000 R11: ffffed1007023176 R12: dffffc0000000000
[   74.700226][ T5319] R13: ffff888038118bc0 R14: ffffffff9033b170 R15: ffff888041989970
[   74.704211][ T5319] FS:  00007f38e01df6c0(0000) GS:ffff88808c888000(0000) knlGS:0000000000000000
[   74.708302][ T5319] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   74.711446][ T5319] CR2: 00007f38e019dd58 CR3: 0000000037deb000 CR4: 0000000000352ef0
[   74.715268][ T5319] Call Trace:
[   74.716795][ T5319]  <TASK>
[   74.718130][ T5319]  ? ktime_get_with_offset+0x93/0x2d0
[   74.720470][ T5319]  ? rcu_is_watching+0x15/0xb0
[   74.722542][ T5319]  queue_work_on+0x106/0x1d0
[   74.724748][ T5319]  ? _raw_spin_unlock_irqrestore+0x30/0x80
[   74.727371][ T5319]  hci_recv_frame+0x625/0x7c0
[   74.729529][ T5319]  ? skb_pull+0xc1/0x1d0
[   74.731523][ T5319]  vhci_write+0x358/0x4a0
[   74.733500][ T5319]  vfs_write+0x61d/0xb90
[   74.735486][ T5319]  ? __pfx_vfs_write+0x10/0x10
[   74.737863][ T5319]  ? __fget_files+0x2a/0x420
[   74.740169][ T5319]  ksys_write+0x150/0x270
[   74.742313][ T5319]  ? __pfx_ksys_write+0x10/0x10
[   74.744792][ T5319]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   74.747662][ T5319]  do_syscall_64+0x15f/0xf80
[   74.749882][ T5319]  ? clear_bhb_loop+0x40/0x90
[   74.752175][ T5319]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   74.754932][ T5319] RIP: 0033:0x7f38df35d60e
[   74.757220][ T5319] Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
[   74.766913][ T5319] RSP: 002b:00007f38e01def78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   74.771821][ T5319] RAX: ffffffffffffffda RBX: 00007f38e01df6c0 RCX: 00007f38df35d60e
[   74.775991][ T5319] RDX: 0000000000000024 RSI: 0000200000000000 RDI: 00000000000000ca
[   74.780136][ T5319] RBP: 00007f38df432d69 R08: 0000000000000000 R09: 0000000000000000
[   74.784358][ T5319] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   74.788389][ T5319] R13: 00007f38df616128 R14: 00007f38df616090 R15: 00007ffd09b64568
[   74.792047][ T5319]  </TASK>
[   74.793526][ T5319] Kernel panic - not syncing: kernel: panic_on_warn set ...
[   74.796493][ T5319] CPU: 0 UID: 0 PID: 5319 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   74.800350][ T5319] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   74.804867][ T5319] Call Trace:
[   74.806512][ T5319]  <TASK>
[   74.807935][ T5319]  vpanic+0x56c/0xa60
[   74.809873][ T5319]  ? __pfx__printk+0x10/0x10
[   74.812226][ T5319]  ? __pfx_vpanic+0x10/0x10
[   74.814401][ T5319]  ? is_bpf_text_address+0x292/0x2b0
[   74.816870][ T5319]  ? is_bpf_text_address+0x26/0x2b0
[   74.819440][ T5319]  panic+0xc5/0xd0
[   74.821262][ T5319]  ? __pfx_panic+0x10/0x10
[   74.823690][ T5319]  __warn+0x315/0x4c0
[   74.825744][ T5319]  ? __queue_work+0xd1f/0xfc0
[   74.827982][ T5319]  ? __queue_work+0xd1f/0xfc0
[   74.830326][ T5319]  __report_bug+0x29a/0x540
[   74.832504][ T5319]  ? __queue_work+0xd1f/0xfc0
[   74.834807][ T5319]  ? __pfx___report_bug+0x10/0x10
[   74.837162][ T5319]  ? __pfx_hci_rx_work+0x10/0x10
[   74.839479][ T5319]  ? do_syscall_64+0x15f/0xf80
[   74.841717][ T5319]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   74.844466][ T5319]  ? __lock_acquire+0x6b5/0x2cf0
[   74.846735][ T5319]  report_bug_entry+0x19a/0x290
[   74.848972][ T5319]  ? __queue_work+0xd4a/0xfc0
[   74.851175][ T5319]  ? __queue_work+0xd4f/0xfc0
[   74.853450][ T5319]  handle_bug+0xce/0x200
[   74.855500][ T5319]  exc_invalid_op+0x1a/0x50
[   74.857513][ T5319]  asm_exc_invalid_op+0x1a/0x20
[   74.859647][ T5319] RIP: 0010:__queue_work+0xd4a/0xfc0
[   74.861886][ T5319] Code: 83 c5 18 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef e8 d7 4c a5 00 49 8b 75 00 49 81 c7 70 01 00 00 4c 89 f7 4c 89 fa <67> 48 0f b9 3a 48 83 c4 58 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc
[   74.869886][ T5319] RSP: 0018:ffffc900055f7b20 EFLAGS: 00010082
[   74.872852][ T5319] RAX: 1ffff11007023178 RBX: 0000000000000008 RCX: ffff88800028a500
[   74.876740][ T5319] RDX: ffff888041989970 RSI: ffffffff8a9cf820 RDI: ffffffff9033b170
[   74.880314][ T5319] RBP: 0000000000000000 R08: ffff888038118baf R09: 1ffff11007023175
[   74.883558][ T5319] R10: dffffc0000000000 R11: ffffed1007023176 R12: dffffc0000000000
[   74.887279][ T5319] R13: ffff888038118bc0 R14: ffffffff9033b170 R15: ffff888041989970
[   74.890779][ T5319]  ? __pfx_hci_rx_work+0x10/0x10
[   74.893048][ T5319]  ? ktime_get_with_offset+0x93/0x2d0
[   74.895523][ T5319]  ? rcu_is_watching+0x15/0xb0
[   74.898208][ T5319]  queue_work_on+0x106/0x1d0
[   74.900369][ T5319]  ? _raw_spin_unlock_irqrestore+0x30/0x80
[   74.903169][ T5319]  hci_recv_frame+0x625/0x7c0
[   74.905468][ T5319]  ? skb_pull+0xc1/0x1d0
[   74.907542][ T5319]  vhci_write+0x358/0x4a0
[   74.909529][ T5319]  vfs_write+0x61d/0xb90
[   74.911541][ T5319]  ? __pfx_vfs_write+0x10/0x10
[   74.913826][ T5319]  ? __fget_files+0x2a/0x420
[   74.916005][ T5319]  ksys_write+0x150/0x270
[   74.918016][ T5319]  ? __pfx_ksys_write+0x10/0x10
[   74.920388][ T5319]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   74.923304][ T5319]  do_syscall_64+0x15f/0xf80
[   74.925675][ T5319]  ? clear_bhb_loop+0x40/0x90
[   74.927807][ T5319]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   74.930628][ T5319] RIP: 0033:0x7f38df35d60e
[   74.932829][ T5319] Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
[   74.942039][ T5319] RSP: 002b:00007f38e01def78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   74.945785][ T5319] RAX: ffffffffffffffda RBX: 00007f38e01df6c0 RCX: 00007f38df35d60e
[   74.949454][ T5319] RDX: 0000000000000024 RSI: 0000200000000000 RDI: 00000000000000ca
[   74.953167][ T5319] RBP: 00007f38df432d69 R08: 0000000000000000 R09: 0000000000000000
[   74.957039][ T5319] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   74.961080][ T5319] R13: 00007f38df616128 R14: 00007f38df616090 R15: 00007ffd09b64568
[   74.964954][ T5319]  </TASK>
[   74.966817][ T5319] Kernel Offset: disabled
[   74.968873][ T5319] Rebooting in 86400 seconds..