program:
# Triage summary: the console output below ends in WARNING "refcnt < 0" at
# net/bluetooth/hci_conn.c:567 (hci_conn_timeout, run from the hci0 workqueue),
# which becomes a panic only because panic_on_warn is set on this test kernel.
# Only the two syz_emit_vhci calls touch Bluetooth. The netlink/ipset, BPF, CAN
# and team calls look like unrelated fuzzer context -- NOTE(review): confirm by
# minimising the reproducer before attributing the warning to any single call.

# AF_NETLINK (0x10) / SOCK_RAW (0x3) / NETLINK_NETFILTER (0xc) socket.
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
# Inject an HCI packet through the virtual HCI device: 04 = event packet,
# 3e = LE Meta event, 1f = parameter length (31), 0a = subevent code
# (LE Enhanced Connection Complete). Total length 0x22 = 1 + 2 + 31.
# Bytes after the 4-byte blob are not set here -- presumably zero; confirm.
syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22)
# Second injected packet: 04 06 = HCI event 0x06 (Authentication Complete).
# 7 bytes total leaves a 4-byte payload after the 3 header bytes, which matches
# the console line "unexpected event 0x06 length: 4 > 3".
syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0406"], 0x7)
# Another netfilter netlink socket; the returned fd is not stored.
socket$nl_netfilter(0x10, 0x3, 0xc)
# bpf() command 0x5 (BPF_PROG_LOAD), instruction count 0x4, license string
# 'syzkaller'. No BPF frame appears in the warning's call trace.
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x16, 0x4, &(0x7f0000000000)=@framed={{}, [@generic={0x71, 0x0, 0x1, 0x91}]}, &(0x7f00000000c0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
# Create ipset 'syz1' of type 'hash:ip,mark', family 0x2, protocol 0x6.
sendmsg$IPSET_CMD_CREATE(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000044c0)={&(0x7f0000000100)={0x4c, 0x2, 0x6, 0x801, 0x0, 0x0, {0x0, 0x0, 0x40}, [@IPSET_ATTR_PROTOCOL={0x5, 0x1, 0x6}, @IPSET_ATTR_FAMILY={0x5, 0x5, 0x2}, @IPSET_ATTR_REVISION={0x5}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz1\x00'}, @IPSET_ATTR_TYPENAME={0x11, 0x3, 'hash:ip,mark\x00'}]}, 0x4c}}, 0x0)
r2 = socket$nl_netfilter(0x10, 0x3, 0xc)
# Raw CAN socket (family 0x1d, type 0x3, protocol 0x1): bind it, then set a
# CAN_RAW_FILTER with a single filter entry (8 bytes).
r3 = socket$can_raw(0x1d, 0x3, 0x1)
bind$can_raw(r3, &(0x7f0000000080), 0x10)
setsockopt$CAN_RAW_FILTER(r3, 0x65, 0x1, &(0x7f0000000600)=[{{0x3}, {0x1, 0x0, 0x1, 0x1}}], 0x8)
# Add an entry (IPv4 address, mark 0x2, CIDR attribute) to ipset 'syz1'.
sendmsg$IPSET_CMD_ADD(r2, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000180)={0x48, 0x9, 0x6, 0x201, 0x0, 0x0, {0x2, 0x0, 0xffff}, [@IPSET_ATTR_DATA={0x20, 0x7, 0x0, 0x1, [@IPSET_ATTR_IP={0xc, 0x1, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV4={0x8, 0x1, 0x1, 0x0, @multicast2}}, @IPSET_ATTR_MARK={0x8, 0xa, 0x1, 0x0, 0x2}, @IPSET_ATTR_CIDR={0x5, 0x3, 0x2}]}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz1\x00'}, @IPSET_ATTR_PROTOCOL={0x5}]}, 0x48}, 0x1, 0x0, 0x0, 0x800}, 0x40c0080)
# Called with a null name pointer (0x0) and fd 0xffffffffffffffff, then an
# ioctl 0x8933 with a null argument pointer -- presumably both fail; confirm.
syz_genetlink_get_family_id$team(0x0, 0xffffffffffffffff)
ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, 0x0)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
# ipset SAVE request on r1.
sendmsg$IPSET_CMD_SAVE(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000200)={0x1c, 0x8, 0x6, 0x3, 0x0, 0x0, {0x0, 0x0, 0x1}, [@IPSET_ATTR_PROTOCOL={0x5}]}, 0x1c}, 0x1, 0x0, 0x0, 0x40000}, 0x8080)
# Raw-blob variant of the ADD message: only the first 5 bytes of the declared
# 0x48-byte buffer are specified here.
sendmsg$IPSET_CMD_ADD(r4, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000180)=ANY=[@ANYBLOB='H\x00\x00\x00\n'], 0x48}, 0x1, 0x0, 0x0, 0x800}, 0x40c0080)
# Second ipset SAVE request, this time on r0.
sendmsg$IPSET_CMD_SAVE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000340)={0x1c, 0x8, 0x6, 0x201, 0x0, 0x0, {0x1, 0x0, 0xa}, [@IPSET_ATTR_PROTOCOL={0x5}]}, 0x1c}, 0x1, 0x0, 0x0, 0x8000}, 0x4084)
[ 84.990857][ T4652] Bluetooth: hci0: command tx timeout
[ 84.996407][ T4652] Bluetooth: hci0: unexpected event 0x06 length: 4 > 3
[ 87.021347][ T4652] Bluetooth: hci0: command 0x041b tx timeout
[ 87.028683][ T4652] ------------[ cut here ]------------
[ 87.031710][ T4652] refcnt < 0
[ 87.031722][ T4652] WARNING: net/bluetooth/hci_conn.c:567 at hci_conn_timeout+0xff/0x2c0, CPU#0: kworker/u5:1/4652
[ 87.038253][ T4652] Modules linked in:
[ 87.040252][ T4652] CPU: 0 UID: 0 PID: 4652 Comm: kworker/u5:1 Not tainted syzkaller #0 PREEMPT(full)
[ 87.044566][ T4652] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 87.048966][ T4652] Workqueue: hci0 hci_conn_timeout
[ 87.051181][ T4652] RIP: 0010:hci_conn_timeout+0xff/0x2c0
[ 87.053580][ T4652] Code: 48 89 df e8 f3 b0 09 00 eb 07 e8 3c f8 26 f7 b0 13 0f b6 f0 48 89 df 5b 41 5c 41 5e 41 5f 5d e9 77 a8 fe ff e8 22 f8 26 f7 90 <0f> 0b 90 eb 8c 44 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 31 ff ff ff
[ 87.062179][ T4652] RSP: 0018:ffffc9000fb5fab0 EFLAGS: 00010293
[ 87.064832][ T4652] RAX: ffffffff8a9ebb8e RBX: ffff888044744000 RCX: ffff88801f7c0000
[ 87.068200][ T4652] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000000
[ 87.071775][ T4652] RBP: 00000000ffffffff R08: ffff888044744013 R09: 1ffff110088e8802
[ 87.075296][ T4652] R10: dffffc0000000000 R11: ffffed10088e8803 R12: dffffc0000000000
[ 87.079044][ T4652] R13: ffff888044744a40 R14: ffff888044744a40 R15: ffff888044744010
[ 87.082757][ T4652] FS: 0000000000000000(0000) GS:ffff88808c88b000(0000) knlGS:0000000000000000
[ 87.086637][ T4652] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 87.089535][ T4652] CR2: 000055558225b848 CR3: 0000000012234000 CR4: 0000000000352ef0
[ 87.093171][ T4652] Call Trace:
[ 87.094845][ T4652] <TASK>
[ 87.096287][ T4652] ? process_scheduled_works+0xa70/0x1860
[ 87.099215][ T4652] process_scheduled_works+0xb5d/0x1860
[ 87.101716][ T4652] ? __pfx_process_scheduled_works+0x10/0x10
[ 87.104364][ T4652] ? assign_work+0x3d5/0x5e0
[ 87.106825][ T4652] worker_thread+0xa53/0xfc0
[ 87.109246][ T4652] kthread+0x388/0x470
[ 87.111160][ T4652] ? __pfx_worker_thread+0x10/0x10
[ 87.113475][ T4652] ? __pfx_kthread+0x10/0x10
[ 87.115662][ T4652] ret_from_fork+0x514/0xb70
[ 87.117872][ T4652] ? __pfx_ret_from_fork+0x10/0x10
[ 87.120291][ T4652] ? __switch_to+0xc79/0x1410
[ 87.122534][ T4652] ? __pfx_kthread+0x10/0x10
[ 87.124732][ T4652] ret_from_fork_asm+0x1a/0x30
[ 87.126966][ T4652] </TASK>
[ 87.128361][ T4652] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 87.131506][ T4652] CPU: 0 UID: 0 PID: 4652 Comm: kworker/u5:1 Not tainted syzkaller #0 PREEMPT(full)
[ 87.135579][ T4652] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 87.139984][ T4652] Workqueue: hci0 hci_conn_timeout
[ 87.142206][ T4652] Call Trace:
[ 87.143708][ T4652] <TASK>
[ 87.145176][ T4652] vpanic+0x56c/0xa60
[ 87.147008][ T4652] ? __pfx__printk+0x10/0x10
[ 87.149279][ T4652] ? __pfx_vpanic+0x10/0x10
[ 87.151506][ T4652] ? is_bpf_text_address+0x292/0x2b0
[ 87.153864][ T4652] ? is_bpf_text_address+0x26/0x2b0
[ 87.156262][ T4652] panic+0xc5/0xd0
[ 87.158017][ T4652] ? __pfx_panic+0x10/0x10
[ 87.159961][ T4652] ? ret_from_fork_asm+0x1a/0x30
[ 87.162280][ T4652] __warn+0x315/0x4c0
[ 87.164228][ T4652] ? hci_conn_timeout+0xff/0x2c0
[ 87.166494][ T4652] ? hci_conn_timeout+0xff/0x2c0
[ 87.168671][ T4652] __report_bug+0x29a/0x540
[ 87.170640][ T4652] ? hci_conn_timeout+0xff/0x2c0
[ 87.172839][ T4652] ? __pfx___report_bug+0x10/0x10
[ 87.175079][ T4652] ? add_lock_to_list+0xc7/0x100
[ 87.177192][ T4652] ? lockdep_unlock+0x5d/0xd0
[ 87.179349][ T4652] ? __lock_acquire+0x146e/0x2cf0
[ 87.181553][ T4652] ? hci_conn_timeout+0xff/0x2c0
[ 87.183752][ T4652] report_bug+0x16a/0x220
[ 87.185580][ T4652] ? hci_conn_timeout+0xff/0x2c0
[ 87.187785][ T4652] ? hci_conn_timeout+0x101/0x2c0
[ 87.190058][ T4652] handle_bug+0x9c/0x200
[ 87.191923][ T4652] exc_invalid_op+0x1a/0x50
[ 87.194304][ T4652] asm_exc_invalid_op+0x1a/0x20
[ 87.196866][ T4652] RIP: 0010:hci_conn_timeout+0xff/0x2c0
[ 87.199397][ T4652] Code: 48 89 df e8 f3 b0 09 00 eb 07 e8 3c f8 26 f7 b0 13 0f b6 f0 48 89 df 5b 41 5c 41 5e 41 5f 5d e9 77 a8 fe ff e8 22 f8 26 f7 90 <0f> 0b 90 eb 8c 44 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 31 ff ff ff
[ 87.207351][ T4652] RSP: 0018:ffffc9000fb5fab0 EFLAGS: 00010293
[ 87.210011][ T4652] RAX: ffffffff8a9ebb8e RBX: ffff888044744000 RCX: ffff88801f7c0000
[ 87.213643][ T4652] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000000
[ 87.217326][ T4652] RBP: 00000000ffffffff R08: ffff888044744013 R09: 1ffff110088e8802
[ 87.220960][ T4652] R10: dffffc0000000000 R11: ffffed10088e8803 R12: dffffc0000000000
[ 87.224570][ T4652] R13: ffff888044744a40 R14: ffff888044744a40 R15: ffff888044744010
[ 87.228191][ T4652] ? hci_conn_timeout+0xfe/0x2c0
[ 87.230498][ T4652] ? process_scheduled_works+0xa70/0x1860
[ 87.233017][ T4652] process_scheduled_works+0xb5d/0x1860
[ 87.235566][ T4652] ? __pfx_process_scheduled_works+0x10/0x10
[ 87.238275][ T4652] ? assign_work+0x3d5/0x5e0
[ 87.240407][ T4652] worker_thread+0xa53/0xfc0
[ 87.242581][ T4652] kthread+0x388/0x470
[ 87.244896][ T4652] ? __pfx_worker_thread+0x10/0x10
[ 87.247263][ T4652] ? __pfx_kthread+0x10/0x10
[ 87.249403][ T4652] ret_from_fork+0x514/0xb70
[ 87.251577][ T4652] ? __pfx_ret_from_fork+0x10/0x10
[ 87.253905][ T4652] ? __switch_to+0xc79/0x1410
[ 87.256100][ T4652] ? __pfx_kthread+0x10/0x10
[ 87.258261][ T4652] ret_from_fork_asm+0x1a/0x30
[ 87.260446][ T4652] </TASK>
[ 87.262238][ T4652] Kernel Offset: disabled
[ 87.264260][ T4652] Rebooting in 86400 seconds..