program:
# syzkaller reproducer (syzlang). `rN = ...` binds a returned fd for reuse;
# `&(0x7f0000000xxx)` is an offset into the executor's shared data area (it
# appears as 0x2000000000xx in the user-mode registers of the log below).
#
# Crash context, taken from the log that follows: a write to the vhci device
# goes vhci_write -> hci_recv_frame -> queue_work_on and trips
# "workqueue: cannot queue hci_rx_work on wq hci0" (kernel/workqueue.c:2258).
# The kernel emits that when work is queued on a workqueue that is already
# being drained or destroyed, so the likely defect is a lifetime race between
# the vhci RX path and hci0 teardown driven by the reset/MGMT traffic below.
# NOTE(review): inferred from the trace only -- confirm against hci_core/vhci.
# panic_on_warn is set, so the WARN becomes a panic: anyone who can write to
# /dev/vhci gets a reliable kernel DoS. This run was UID 0 (Comm: syz.0.0);
# wider reachability depends on /dev/vhci permissions on the target.
#
# The reproducer is not minimized: the pagemap, userfaultfd, bpf, packet,
# ptp and perf calls do not appear in the crash path and look like fuzzer
# noise that survived minimization.

# /proc/<pid>/pagemap fd; only consumed by the PAGEMAP_SCAN at the end.
r0 = syz_open_procfs$pagemap(0xffffffffffffffff, &(0x7f0000000080))
# userfaultfd(0x1 = O_CLOEXEC); configured by the UFFDIO_* ioctls below,
# not on the Bluetooth path.
r1 = userfaultfd(0x1)
# Raw HCI socket: AF_BLUETOOTH (0x1f), SOCK_RAW (0x3), BTPROTO_HCI (0x1).
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
# 0x400448cb decodes as _IOW('H', 203, int); that appears to be HCIDEVRESET,
# with the integer argument 0x0 selecting hci0 -- TODO confirm. This is the
# first point where hci0 is torn down/reset while other callers keep using it.
ioctl$sock_bt_hci(r2, 0x400448cb, 0x0)
# First vhci injection: 10 bytes starting 0x04 0x3c; 0x04 is the
# HCI_EVENT_PKT indicator, 0x3c the event code.
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="043c"], 0xa)
# userfaultfd API handshake (features 0x4d0); noise for this crash.
ioctl$UFFDIO_API(r1, 0xc018aa3f, &(0x7f0000000000)={0xaa, 0x4d0})
# BPF_MAP_CREATE with map_type 0x17 (repeated below); noise.
bpf$MAP_CREATE(0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="1700000007"], 0x50)
# L2CAP socket (type 0x2 = SOCK_DGRAM) and a connect() to PSM 0x8ef with the
# remaining sockaddr_l2 fields zero; drives hci_conn state on hci0 while the
# reset above is in flight.
r3 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r3, &(0x7f0000000000)={0x1f, 0x8ef}, 0xe)
bpf$MAP_CREATE(0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="1700000007"], 0x50)
# Second raw HCI socket, bound as sockaddr_hci{hci_dev=0xffff (HCI_DEV_NONE),
# hci_channel=0x3 (HCI_CHANNEL_CONTROL)}, i.e. the MGMT control channel --
# matches "Bluetooth: MGMT ver 1.23" in the log.
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r4, &(0x7f0000000100)={0x1f, 0xffff, 0x3}, 0x6)
# Registers a 16 KiB range with the userfaultfd; noise.
ioctl$UFFDIO_REGISTER(r1, 0xc020aa00, &(0x7f00000000c0)={{&(0x7f000019b000/0x4000)=nil, 0x4000}})
# 13-byte write on the MGMT control socket -- presumably a MGMT command
# (those begin with a 6-byte header). The payload is not shown in this
# serialization, so the opcode cannot be read off the repro; the buffer at
# offset 0 is also rewritten by several other calls.
write$binfmt_misc(r4, &(0x7f0000000000), 0xd)
# The write that faults: an HCI_EVENT_PKT carrying Command Complete (0x0e,
# plen 0xa) with a PIN Code Negative Reply response, 13 bytes total. The
# user-mode registers in the log (RDI=0xca fd, RSI=0x200000000800,
# RDX=0xd) line up with this call's buffer offset (0x800) and length.
syz_emit_vhci(&(0x7f0000000800)=@HCI_EVENT_PKT={0x4, @hci_ev_cmd_complete={{0xe, 0xa}, @hci_rp_pin_code_neg_reply={{0x6}, {0x5}}}}, 0xd)
# sendto on an invalid fd (-1); fails with EBADF and is pure noise.
sendto$packet(0xffffffffffffffff, &(0x7f0000000000)='[', 0x1, 0x0, 0x0, 0x0)
# /dev/ptp0 open plus a PTP_PEROUT_REQUEST2 below; unrelated to Bluetooth.
r5 = openat$ptp0(0xffffffffffffff9c, &(0x7f0000000000), 0x80042, 0x0)
# perf_event_open (type 0x2, config 0xcd) on the calling task; unrelated.
perf_event_open(&(0x7f0000000040)={0x2, 0x80, 0xcd, 0x1, 0x0, 0x0, 0x0, 0x6, 0x100, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffd, 0x0, @perf_bp={0x0, 0xd}, 0x11fd61, 0x80000000000000, 0x0, 0x7, 0x0, 0xfffffdfe, 0x0, 0x0, 0x8000, 0x0, 0x9}, 0x0, 0x0, 0xffffffffffffffff, 0xa)
# mprotect(PROT_READ) over the first 8 MiB of the data area; unrelated.
mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x1)
ioctl$PTP_PEROUT_REQUEST2(r5, 0x40383d0c, &(0x7f0000000040)={{0x0, 0x4003}, {0xff03000000000000, 0x3ff}, 0x0, 0x3})
# Third raw HCI socket on the MGMT control channel plus another 13-byte
# command, i.e. a second MGMT caller racing the first one and the vhci
# injection above.
r6 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r6, &(0x7f0000000100)={0x1f, 0xffff, 0x3}, 0x6)
write$binfmt_misc(r6, &(0x7f0000000000), 0xd)
# PAGEMAP_SCAN on the pagemap fd from the first line; noise.
ioctl$PAGEMAP_SCAN(r0, 0xc0606610, &(0x7f0000000480)={0x60, 0x0, &(0x7f0000ff9000/0x2000)=nil, &(0x7f0000ffe000/0x2000)=nil, 0x0, &(0x7f0000000580)=[{}], 0x23, 0x4, 0x1a})
[ 87.269039][ T5319] Bluetooth: hci0: command tx timeout
[ 87.274010][ T54] cfg80211: failed to load regulatory.db
[ 87.390014][ T5348] Bluetooth: MGMT ver 1.23
[ 87.401596][ T5348] ------------[ cut here ]------------
[ 87.403717][ T5348] workqueue: cannot queue hci_rx_work on wq hci0
[ 87.406667][ T5348] WARNING: CPU: 0 PID: 5348 at kernel/workqueue.c:2258 __queue_work+0xd62/0xfe0
[ 87.410415][ T5348] Modules linked in:
[ 87.412125][ T5348] CPU: 0 UID: 0 PID: 5348 Comm: syz.0.0 Not tainted 6.16.0-rc7-syzkaller #0 PREEMPT(full)
[ 87.416395][ T5348] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 87.420817][ T5348] RIP: 0010:__queue_work+0xd62/0xfe0
[ 87.422957][ T5348] Code: 42 80 3c 20 00 74 08 4c 89 ef e8 99 cf 98 00 49 8b 75 00 49 81 c7 78 01 00 00 48 c7 c7 e0 e8 89 8b 4c 89 fa e8 1f 34 f9 ff 90 <0f> 0b 90 90 e9 f1 f4 ff ff e8 d0 4e 35 00 90 0f 0b 90 e9 dd fc ff
[ 87.431114][ T5348] RSP: 0018:ffffc9000ff7fa68 EFLAGS: 00010046
[ 87.433961][ T5348] RAX: c3d50e4a82d99b00 RBX: 0000000000000000 RCX: 0000000000100000
[ 87.437571][ T5348] RDX: ffffc9000eef4000 RSI: 0000000000000a3c RDI: 0000000000000a3d
[ 87.441043][ T5348] RBP: 1ffff11007ef5838 R08: ffff88801fc24293 R09: 1ffff11003f84852
[ 87.444351][ T5348] R10: dffffc0000000000 R11: ffffed1003f84853 R12: dffffc0000000000
[ 87.447774][ T5348] R13: ffff88803f17cad8 R14: ffff888000d3a440 R15: ffff88803f7ac178
[ 87.451361][ T5348] FS: 00007fae389496c0(0000) GS:ffff88808d218000(0000) knlGS:0000000000000000
[ 87.455583][ T5348] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 87.458644][ T5348] CR2: 00005559986b14b0 CR3: 000000004323e000 CR4: 0000000000352ef0
[ 87.462123][ T5348] Call Trace:
[ 87.463564][ T5348] <TASK>
[ 87.464963][ T5348] ? rcu_is_watching+0x15/0xb0
[ 87.467249][ T5348] queue_work_on+0x181/0x270
[ 87.469547][ T5348] ? lockdep_hardirqs_on+0x9c/0x150
[ 87.472201][ T5348] ? __pfx_queue_work_on+0x10/0x10
[ 87.474572][ T5348] ? _raw_spin_unlock_irqrestore+0xad/0x110
[ 87.477336][ T5348] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 87.480218][ T5348] ? skb_queue_tail+0x30/0xf0
[ 87.482530][ T5348] hci_recv_frame+0x5c9/0x720
[ 87.484901][ T5348] ? skb_pull+0xc1/0x1d0
[ 87.487110][ T5348] vhci_write+0x358/0x4a0
[ 87.489213][ T5348] vfs_write+0x548/0xa90
[ 87.491172][ T5348] ? __pfx_vhci_write+0x10/0x10
[ 87.493422][ T5348] ? __pfx_vfs_write+0x10/0x10
[ 87.495620][ T5348] ? __fget_files+0x2a/0x420
[ 87.497811][ T5348] ksys_write+0x145/0x250
[ 87.499719][ T5348] ? __pfx_ksys_write+0x10/0x10
[ 87.501925][ T5348] ? rcu_is_watching+0x15/0xb0
[ 87.504408][ T5348] ? do_syscall_64+0xbe/0x3b0
[ 87.506834][ T5348] do_syscall_64+0xfa/0x3b0
[ 87.508953][ T5348] ? lockdep_hardirqs_on+0x9c/0x150
[ 87.511344][ T5348] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 87.514145][ T5348] ? clear_bhb_loop+0x60/0xb0
[ 87.516271][ T5348] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 87.518822][ T5348] RIP: 0033:0x7fae37b8d45f
[ 87.520855][ T5348] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
[ 87.529726][ T5348] RSP: 002b:00007fae38949000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[ 87.533311][ T5348] RAX: ffffffffffffffda RBX: 00007fae37db6160 RCX: 00007fae37b8d45f
[ 87.536701][ T5348] RDX: 000000000000000d RSI: 0000200000000800 RDI: 00000000000000ca
[ 87.540088][ T5348] RBP: 00007fae37c10d69 R08: 0000000000000000 R09: 0000000000000000
[ 87.543648][ T5348] R10: 0000200000000800 R11: 0000000000000293 R12: 0000000000000000
[ 87.547294][ T5348] R13: 0000000000000000 R14: 00007fae37db6160 R15: 00007ffce99f91b8
[ 87.550909][ T5348] </TASK>
[ 87.552347][ T5348] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 87.555870][ T5348] CPU: 0 UID: 0 PID: 5348 Comm: syz.0.0 Not tainted 6.16.0-rc7-syzkaller #0 PREEMPT(full)
[ 87.560443][ T5348] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 87.565382][ T5348] Call Trace:
[ 87.566947][ T5348] <TASK>
[ 87.568364][ T5348] dump_stack_lvl+0x99/0x250
[ 87.570453][ T5348] ? __asan_memcpy+0x40/0x70
[ 87.572545][ T5348] ? __pfx_dump_stack_lvl+0x10/0x10
[ 87.574940][ T5348] ? __pfx__printk+0x10/0x10
[ 87.576923][ T5348] panic+0x2db/0x790
[ 87.578693][ T5348] ? __pfx_panic+0x10/0x10
[ 87.580800][ T5348] ? show_trace_log_lvl+0x4fb/0x550
[ 87.583305][ T5348] __warn+0x31b/0x4b0
[ 87.585282][ T5348] ? __queue_work+0xd62/0xfe0
[ 87.587650][ T5348] ? __queue_work+0xd62/0xfe0
[ 87.589777][ T5348] report_bug+0x2be/0x4f0
[ 87.591731][ T5348] ? __queue_work+0xd62/0xfe0
[ 87.593850][ T5348] ? __queue_work+0xd62/0xfe0
[ 87.595866][ T5348] ? __queue_work+0xd64/0xfe0
[ 87.598057][ T5348] handle_bug+0x84/0x160
[ 87.600013][ T5348] exc_invalid_op+0x1a/0x50
[ 87.602116][ T5348] asm_exc_invalid_op+0x1a/0x20
[ 87.604334][ T5348] RIP: 0010:__queue_work+0xd62/0xfe0
[ 87.606643][ T5348] Code: 42 80 3c 20 00 74 08 4c 89 ef e8 99 cf 98 00 49 8b 75 00 49 81 c7 78 01 00 00 48 c7 c7 e0 e8 89 8b 4c 89 fa e8 1f 34 f9 ff 90 <0f> 0b 90 90 e9 f1 f4 ff ff e8 d0 4e 35 00 90 0f 0b 90 e9 dd fc ff
[ 87.615059][ T5348] RSP: 0018:ffffc9000ff7fa68 EFLAGS: 00010046
[ 87.617714][ T5348] RAX: c3d50e4a82d99b00 RBX: 0000000000000000 RCX: 0000000000100000
[ 87.621360][ T5348] RDX: ffffc9000eef4000 RSI: 0000000000000a3c RDI: 0000000000000a3d
[ 87.624935][ T5348] RBP: 1ffff11007ef5838 R08: ffff88801fc24293 R09: 1ffff11003f84852
[ 87.628338][ T5348] R10: dffffc0000000000 R11: ffffed1003f84853 R12: dffffc0000000000
[ 87.631779][ T5348] R13: ffff88803f17cad8 R14: ffff888000d3a440 R15: ffff88803f7ac178
[ 87.635456][ T5348] ? __queue_work+0xd61/0xfe0
[ 87.637794][ T5348] ? rcu_is_watching+0x15/0xb0
[ 87.640094][ T5348] queue_work_on+0x181/0x270
[ 87.642129][ T5348] ? lockdep_hardirqs_on+0x9c/0x150
[ 87.644482][ T5348] ? __pfx_queue_work_on+0x10/0x10
[ 87.646859][ T5348] ? _raw_spin_unlock_irqrestore+0xad/0x110
[ 87.649543][ T5348] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 87.652369][ T5348] ? skb_queue_tail+0x30/0xf0
[ 87.654454][ T5348] hci_recv_frame+0x5c9/0x720
[ 87.656785][ T5348] ? skb_pull+0xc1/0x1d0
[ 87.658928][ T5348] vhci_write+0x358/0x4a0
[ 87.660988][ T5348] vfs_write+0x548/0xa90
[ 87.662919][ T5348] ? __pfx_vhci_write+0x10/0x10
[ 87.665122][ T5348] ? __pfx_vfs_write+0x10/0x10
[ 87.667339][ T5348] ? __fget_files+0x2a/0x420
[ 87.669458][ T5348] ksys_write+0x145/0x250
[ 87.671557][ T5348] ? __pfx_ksys_write+0x10/0x10
[ 87.673835][ T5348] ? rcu_is_watching+0x15/0xb0
[ 87.676112][ T5348] ? do_syscall_64+0xbe/0x3b0
[ 87.678319][ T5348] do_syscall_64+0xfa/0x3b0
[ 87.680367][ T5348] ? lockdep_hardirqs_on+0x9c/0x150
[ 87.682760][ T5348] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 87.685377][ T5348] ? clear_bhb_loop+0x60/0xb0
[ 87.687488][ T5348] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 87.689947][ T5348] RIP: 0033:0x7fae37b8d45f
[ 87.691848][ T5348] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
[ 87.699785][ T5348] RSP: 002b:00007fae38949000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[ 87.703312][ T5348] RAX: ffffffffffffffda RBX: 00007fae37db6160 RCX: 00007fae37b8d45f
[ 87.706857][ T5348] RDX: 000000000000000d RSI: 0000200000000800 RDI: 00000000000000ca
[ 87.710475][ T5348] RBP: 00007fae37c10d69 R08: 0000000000000000 R09: 0000000000000000
[ 87.714121][ T5348] R10: 0000200000000800 R11: 0000000000000293 R12: 0000000000000000
[ 87.717719][ T5348] R13: 0000000000000000 R14: 00007fae37db6160 R15: 00007ffce99f91b8
[ 87.721004][ T5348] </TASK>
[ 87.722669][ T5348] Kernel Offset: disabled
[ 87.724575][ T5348] Rebooting in 86400 seconds..