program:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r0, 0x400448cb, 0x0) (async)
bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0x6, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b708"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) (async)
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="043e751d"], 0x24) (async)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="043e1f1b"], 0x22)
openat$snapshot(0xffffffffffffff9c, &(0x7f00000002c0), 0x40040, 0x0)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="040e0402030c"], 0x7)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f00000012c0)={<r1=>0xffffffffffffffff, <r2=>0xffffffffffffffff})
syz_emit_vhci(&(0x7f0000000080)=@HCI_VENDOR_PKT={0xff, 0x1}, 0x2) (async)
sendmsg$inet(r1, &(0x7f0000000740)={0x0, 0x0, &(0x7f0000000900)=[{&(0x7f00000013c0)="d0ff", 0x2}], 0x1, 0x0, 0x0, 0x800300}, 0x24008841) (async)
recvmsg(r2, &(0x7f0000000580)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x300}, 0x40002122) (async)
r3 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f0000000100)=ANY=[@ANYBLOB="1b00000000000000000000000000040000000000", @ANYRES32=0x0, @ANYBLOB="000000000000000000000000000000000000000095f372a5ef18b1da1ae50f17b21f6b5174e9d7738fb4745d00b902419e181ac0c63afb9d94f049a0b5cd8f081db3af70f40dd91812f898e4af210c78b9c5c1e6d7e3fcabd00338ad73a7727eb878cace7e473fcf145be3a4966c2fe1a1301d", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB='\x00'/28], 0x48)
r4 = bpf$PROG_LOAD(0x5, &(0x7f0000000200)={0x11, 0xf, &(0x7f00000003c0)=ANY=[@ANYBLOB="180000000000000000000000000000001811000024021ef72dbf409c1aea10bb71da49a81ff8265bb80451ead3b721f38a0f922df4f1b8281cdb664ba2fa2944a42cee218466523ae100a5245e79cc4908151cff505e93b1dab329e86200f83057de3594c0b06691717371692b1c23e8507523489718d46d", @ANYRES32=r3, @ANYBLOB="0000000000000000b702000014000000b7030000000000008500000083000000bf0900000000000055090100000000009500000000000000bf91000000000000b70200003f515b138500000085000000b7000000000000009500000000000000"], &(0x7f0000000040)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000004c0)={&(0x7f00000000c0)='skb_copy_datagram_iovec\x00', r4, 0x0, 0x4651}, 0x18)
openat$vmci(0xffffffffffffff9c, &(0x7f0000000740), 0x2, 0x0) (async)
pipe(&(0x7f00000001c0))
socket$nl_route(0x10, 0x3, 0x0)
socket$nl_netfilter(0x10, 0x3, 0xc) (async)
bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000240)={0x2, 0x4, 0x8, 0x1, 0x80, 0x0, 0x0, '\x00', 0x0, 0x0}, 0x48)
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='cgroup.controllers\x00', 0x275a, 0x0) (async)
socket(0x10, 0x803, 0x0) (async)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080))
socket(0x10, 0x3, 0x0)
pipe2$9p(&(0x7f0000000000), 0x0) (async)
socket$nl_route(0x10, 0x3, 0x0)
socket$inet6_udp(0xa, 0x2, 0x0) (async)
prctl$PR_SET_MM_MAP(0x23, 0xe, &(0x7f0000000080)={&(0x7f0000ff0000/0x1000)=nil, &(0x7f0000ff0000/0x10000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000fff000/0x1000)=nil, &(0x7f0000ff8000/0x4000)=nil, &(0x7f0000ff8000/0x3000)=nil, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ff6000/0x2000)=nil, &(0x7f0000ffc000/0x3000)=nil, &(0x7f0000ffa000/0x1000)=nil, &(0x7f0000ffa000/0x2000)=nil, 0x0}, 0x68) (async)
sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, 0x0}, 0x0) (async)
r5 = creat(&(0x7f0000000100)='./file0\x00', 0x100)
io_uring_setup(0x7, &(0x7f0000000040)={0x0, 0xc8a2, 0xc000, 0x8, 0xc1, 0x0, r5})

[   69.175161][ T4672] Bluetooth: hci0: command tx timeout
[   69.221585][ T5323] ------------[ cut here ]------------
[   69.224144][ T5323] workqueue: cannot queue hci_rx_work on wq hci0
[   69.230808][ T5323] WARNING: CPU: 0 PID: 5323 at kernel/workqueue.c:2258 __queue_work+0xd38/0xfb0
[   69.237079][ T5323] Modules linked in:
[   69.238886][ T5323] CPU: 0 UID: 0 PID: 5323 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   69.242905][ T5323] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   69.247676][ T5323] RIP: 0010:__queue_work+0xd38/0xfb0
[   69.249968][ T5323] Code: 42 80 3c 20 00 74 08 4c 89 ef e8 53 66 9d 00 49 8b 75 00 49 81 c7 78 01 00 00 48 c7 c7 20 eb 69 8b 4c 89 fa e8 b9 31 f9 ff 90 <0f> 0b 90 90 e9 1a f5 ff ff e8 4a 27 36 00 90 0f 0b 90 e9 dd fc ff
[   69.258535][ T5323] RSP: 0018:ffffc9000d437a70 EFLAGS: 00010046
[   69.261283][ T5323] RAX: 4e5fb2702d58f200 RBX: 0000000000000000 RCX: ffff88800026a480
[   69.264846][ T5323] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
[   69.268425][ T5323] RBP: 1ffff11007f3b738 R08: ffff88801fe24293 R09: 1ffff11003fc4852
[   69.271830][ T5323] R10: dffffc0000000000 R11: ffffed1003fc4853 R12: dffffc0000000000
[   69.275359][ T5323] R13: ffff88803315cae0 R14: ffff88800026a480 R15: ffff88803f9db978
[   69.278944][ T5323] FS:  00007f904704c6c0(0000) GS:ffff88808d732000(0000) knlGS:0000000000000000
[   69.282915][ T5323] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   69.285834][ T5323] CR2: 000055557decb7c8 CR3: 00000000426e4000 CR4: 0000000000352ef0
[   69.289430][ T5323] Call Trace:
[   69.290959][ T5323]  <TASK>
[   69.292323][ T5323]  ? rcu_is_watching+0x15/0xb0
[   69.294494][ T5323]  queue_work_on+0x181/0x270
[   69.296599][ T5323]  ? lockdep_hardirqs_on+0x9c/0x150
[   69.298988][ T5323]  ? __pfx_queue_work_on+0x10/0x10
[   69.301312][ T5323]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   69.303993][ T5323]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   69.306858][ T5323]  ? skb_queue_tail+0x30/0xf0
[   69.309016][ T5323]  hci_recv_frame+0x625/0x7c0
[   69.311154][ T5323]  ? skb_pull+0xc1/0x1d0
[   69.313104][ T5323]  vhci_write+0x358/0x4a0
[   69.315088][ T5323]  vfs_write+0x5c9/0xb30
[   69.317018][ T5323]  ? __pfx_vhci_write+0x10/0x10
[   69.319268][ T5323]  ? __pfx_vfs_write+0x10/0x10
[   69.321455][ T5323]  ? __fget_files+0x2a/0x420
[   69.323559][ T5323]  ksys_write+0x145/0x250
[   69.325439][ T5323]  ? __pfx_ksys_write+0x10/0x10
[   69.327652][ T5323]  ? do_syscall_64+0xbe/0xfa0
[   69.329776][ T5323]  do_syscall_64+0xfa/0xfa0
[   69.331799][ T5323]  ? lockdep_hardirqs_on+0x9c/0x150
[   69.334104][ T5323]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   69.336885][ T5323]  ? clear_bhb_loop+0x60/0xb0
[   69.338988][ T5323]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   69.341614][ T5323] RIP: 0033:0x7f904618da7f
[   69.343583][ T5323] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
[   69.352141][ T5323] RSP: 002b:00007f904704c000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[   69.355913][ T5323] RAX: ffffffffffffffda RBX: 00007f90463e6090 RCX: 00007f904618da7f
[   69.359625][ T5323] RDX: 0000000000000022 RSI: 0000200000000040 RDI: 00000000000000ca
[   69.363193][ T5323] RBP: 00007f9046211f91 R08: 0000000000000000 R09: 0000000000000000
[   69.366703][ T5323] R10: 0000200000000040 R11: 0000000000000293 R12: 0000000000000000
[   69.370244][ T5323] R13: 00007f90463e6128 R14: 00007f90463e6090 R15: 00007ffdab8e46c8
[   69.373800][ T5323]  </TASK>
[   69.375160][ T5323] Kernel panic - not syncing: kernel: panic_on_warn set ...
[   69.378342][ T5323] CPU: 0 UID: 0 PID: 5323 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   69.382316][ T5323] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   69.386979][ T5323] Call Trace:
[   69.388503][ T5323]  <TASK>
[   69.389670][ T5323]  dump_stack_lvl+0x99/0x250
[   69.391483][ T5323]  ? __asan_memcpy+0x40/0x70
[   69.393586][ T5323]  ? __pfx_dump_stack_lvl+0x10/0x10
[   69.395831][ T5323]  ? __pfx__printk+0x10/0x10
[   69.397889][ T5323]  vpanic+0x237/0x6d0
[   69.399808][ T5323]  ? __pfx_vpanic+0x10/0x10
[   69.401896][ T5323]  panic+0xb9/0xc0
[   69.403548][ T5323]  ? __pfx_panic+0x10/0x10
[   69.405500][ T5323]  __warn+0x31b/0x4b0
[   69.407238][ T5323]  ? __queue_work+0xd38/0xfb0
[   69.409239][ T5323]  ? __queue_work+0xd38/0xfb0
[   69.411321][ T5323]  report_bug+0x2be/0x4f0
[   69.413129][ T5323]  ? __queue_work+0xd38/0xfb0
[   69.415210][ T5323]  ? __queue_work+0xd38/0xfb0
[   69.417496][ T5323]  ? __queue_work+0xd3a/0xfb0
[   69.419448][ T5323]  handle_bug+0x84/0x160
[   69.421236][ T5323]  exc_invalid_op+0x1a/0x50
[   69.423280][ T5323]  asm_exc_invalid_op+0x1a/0x20
[   69.425488][ T5323] RIP: 0010:__queue_work+0xd38/0xfb0
[   69.427843][ T5323] Code: 42 80 3c 20 00 74 08 4c 89 ef e8 53 66 9d 00 49 8b 75 00 49 81 c7 78 01 00 00 48 c7 c7 20 eb 69 8b 4c 89 fa e8 b9 31 f9 ff 90 <0f> 0b 90 90 e9 1a f5 ff ff e8 4a 27 36 00 90 0f 0b 90 e9 dd fc ff
[   69.436619][ T5323] RSP: 0018:ffffc9000d437a70 EFLAGS: 00010046
[   69.439429][ T5323] RAX: 4e5fb2702d58f200 RBX: 0000000000000000 RCX: ffff88800026a480
[   69.442842][ T5323] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
[   69.446225][ T5323] RBP: 1ffff11007f3b738 R08: ffff88801fe24293 R09: 1ffff11003fc4852
[   69.449614][ T5323] R10: dffffc0000000000 R11: ffffed1003fc4853 R12: dffffc0000000000
[   69.453142][ T5323] R13: ffff88803315cae0 R14: ffff88800026a480 R15: ffff88803f9db978
[   69.456812][ T5323]  ? rcu_is_watching+0x15/0xb0
[   69.458928][ T5323]  queue_work_on+0x181/0x270
[   69.460966][ T5323]  ? lockdep_hardirqs_on+0x9c/0x150
[   69.463148][ T5323]  ? __pfx_queue_work_on+0x10/0x10
[   69.465158][ T5323]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   69.467856][ T5323]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   69.470798][ T5323]  ? skb_queue_tail+0x30/0xf0
[   69.472874][ T5323]  hci_recv_frame+0x625/0x7c0
[   69.474872][ T5323]  ? skb_pull+0xc1/0x1d0
[   69.476874][ T5323]  vhci_write+0x358/0x4a0
[   69.478909][ T5323]  vfs_write+0x5c9/0xb30
[   69.481397][ T5323]  ? __pfx_vhci_write+0x10/0x10
[   69.483782][ T5323]  ? __pfx_vfs_write+0x10/0x10
[   69.485877][ T5323]  ? __fget_files+0x2a/0x420
[   69.487880][ T5323]  ksys_write+0x145/0x250
[   69.489940][ T5323]  ? __pfx_ksys_write+0x10/0x10
[   69.492549][ T5323]  ? do_syscall_64+0xbe/0xfa0
[   69.494767][ T5323]  do_syscall_64+0xfa/0xfa0
[   69.496806][ T5323]  ? lockdep_hardirqs_on+0x9c/0x150
[   69.499206][ T5323]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   69.501882][ T5323]  ? clear_bhb_loop+0x60/0xb0
[   69.504153][ T5323]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   69.506776][ T5323] RIP: 0033:0x7f904618da7f
[   69.508764][ T5323] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
[   69.516820][ T5323] RSP: 002b:00007f904704c000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[   69.520455][ T5323] RAX: ffffffffffffffda RBX: 00007f90463e6090 RCX: 00007f904618da7f
[   69.523785][ T5323] RDX: 0000000000000022 RSI: 0000200000000040 RDI: 00000000000000ca
[   69.527220][ T5323] RBP: 00007f9046211f91 R08: 0000000000000000 R09: 0000000000000000
[   69.530834][ T5323] R10: 0000200000000040 R11: 0000000000000293 R12: 0000000000000000
[   69.534131][ T5323] R13: 00007f90463e6128 R14: 00007f90463e6090 R15: 00007ffdab8e46c8
[   69.537371][ T5323]  </TASK>
[   69.539048][ T5323] Kernel Offset: disabled
[   69.540745][ T5323] Rebooting in 86400 seconds..