program:
# syzkaller reproducer (syzlang). The statement order and the exact argument
# bytes ARE the reproduction, so nothing below is changed; the comments only
# explain what each step does and how it relates to the kernel log that follows.
#
# Crash path in the log: vhci_write -> hci_recv_frame -> queue_work_on ->
# WARNING "workqueue: cannot queue hci_rx_work on wq hci0"
# (kernel/workqueue.c:2258), preceded by "Bluetooth: hci0: command tx timeout".
# That is a userspace write to /dev/vhci whose RX work is being queued onto an
# hci0 workqueue that is refusing work; the exact race with device teardown
# (reset/close vs. inbound frame) is not visible from this page.
# NOTE(review): with panic_on_warn the WARN becomes a reboot, i.e. a local
# DoS from an unprivileged-looking write path; whether the underlying race is
# also a use-after-free cannot be determined from this log alone.

# AF_BLUETOOTH (0x1f) raw (0x3) socket, protocol 0x1 = BTPROTO_HCI, per the $bt_hci variant.
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
# HCI device ioctl on that socket with arg 0 (device index 0 / hci0).
# 0x400448cb looks like HCIDEVRESET (_IOW('H', 203, int)) — TODO confirm
# against include/net/bluetooth/hci_sock.h; if so this is the teardown side of the race.
ioctl$sock_bt_hci(r0, 0x400448cb, 0x0)
# Raw 0x22-byte write to /dev/vhci (vhci_write in the trace). Leading byte 0x04 is
# HCI_EVENT_PKT (the typed forms further down name it explicitly). The userspace
# register dump in the log (RDI fd 0xca, RSI ...0040, RDX 0x22, ORIG_RAX 1 = write)
# is consistent with this call being the one on which the WARNING fires.
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="043e1f1b"], 0x22)
# Second raw HCI event write, 7 bytes, same buffer. Second byte 0x0e is presumably
# a Command Complete event — verify; not needed to understand the crash.
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="040e0402030c"], 0x7)
# futex on a userspace word; does not appear anywhere in the crash trace.
futex(&(0x7f0000000540)=0x1, 0x8, 0x0, 0x0, 0x0, 0x0)
# fd is -1, so this setsockopt can only fail (EBADF). Fuzzer residue.
setsockopt$sock_int(0xffffffffffffffff, 0x1, 0xf, 0x0, 0x0)
# IPv6 (0xa) TCP (0x1) listener bound to port 0x4e22 with two SOL_SOCKET (0x1)
# options (0xf, 0x31) set. Nothing from this socket shows up in the crash trace;
# it only keeps the networking stack busy while the HCI writes race.
r1 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$sock_int(r1, 0x1, 0xf, &(0x7f0000000180)=0x800001, 0x4)
bind$inet6(r1, &(0x7f0000000140)={0xa, 0x4e22, 0x0, @empty}, 0x1c)
madvise(&(0x7f0000ffb000/0x4000)=nil, 0x4000, 0x0)
setsockopt$sock_int(r1, 0x1, 0x31, &(0x7f0000000200)=0x100, 0x4)
listen(r1, 0x0)
# Injects an Ethernet/IPv6/TCP frame (ethertype 0x86dd, next header 0x6) whose TCP
# dst port 0x4e22 matches the listener above; the trailing 0x2 is presumably the
# SYN flag. Again not on the crash path.
syz_emit_ethernet(0x4a, &(0x7f0000000280)={@local, @multicast, @void, {@ipv6={0x86dd, @tcp={0x0, 0x6, "0a8435", 0x14, 0x6, 0x0, @remote, @local, {[], {{0x0, 0x4e22, 0x41424344, 0x41424344, 0x0, 0x0, 0x5, 0x2}}}}}}}, 0x0)
# Typed HCI event write (HCI_EVENT_PKT = 0x4): inquiry_info payload, 4 bytes, to the same vhci device.
syz_emit_vhci(&(0x7f0000000080)=@HCI_EVENT_PKT={0x4, @inquiry_info={{0x2, 0x1}}}, 0x4)
# mlockall / shm / V4L2 vbi ioctls below do not appear in the trace and are most
# likely fuzzer residue left in by the minimizer.
mlockall(0x2)
r2 = shmget$private(0x0, 0x400000, 0x0, &(0x7f000000e000/0x400000)=nil)
r3 = syz_open_dev$vbi(&(0x7f0000000000), 0x0, 0x2)
ioctl$VIDIOC_S_INPUT(r3, 0xc0045627, &(0x7f00000000c0)=0x1)
ioctl$VIDIOC_G_AUDIO(r3, 0x80345621, &(0x7f0000000100))
# Another typed HCI event write (simple-pairing-complete, 0xa bytes) to the vhci device,
# keeping inbound frames flowing after the HCI ioctl above.
syz_emit_vhci(&(0x7f00000001c0)=@HCI_EVENT_PKT={0x4, @hci_ev_simple_pair_complete={{0x36, 0x7}, {0x8, @none}}}, 0xa)
shmat(r2, &(0x7f0000152000/0x3000)=nil, 0x3000)
[ 85.109087][ T5307] Bluetooth: hci0: command tx timeout
[ 85.250062][ T5328] ------------[ cut here ]------------
[ 85.252724][ T5328] workqueue: cannot queue hci_rx_work on wq hci0
[ 85.255695][ T5328] WARNING: CPU: 0 PID: 5328 at kernel/workqueue.c:2258 __queue_work+0xd62/0xfe0
[ 85.260008][ T5328] Modules linked in:
[ 85.261644][ T5328] CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(full)
[ 85.266534][ T5328] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 85.271115][ T5328] RIP: 0010:__queue_work+0xd62/0xfe0
[ 85.273560][ T5328] Code: 42 80 3c 20 00 74 08 4c 89 ef e8 99 00 99 00 49 8b 75 00 49 81 c7 78 01 00 00 48 c7 c7 40 e0 89 8b 4c 89 fa e8 1f 34 f9 ff 90 <0f> 0b 90 90 e9 f1 f4 ff ff e8 00 89 35 00 90 0f 0b 90 e9 dd fc ff
[ 85.282757][ T5328] RSP: 0018:ffffc9000d2cfa68 EFLAGS: 00010046
[ 85.285567][ T5328] RAX: c6cfa217f6323e00 RBX: 0000000000000000 RCX: 0000000000100000
[ 85.289417][ T5328] RDX: ffffc9000e3db000 RSI: 0000000000000a1f RDI: 0000000000000a20
[ 85.293807][ T5328] RBP: 1ffff11007dafe38 R08: ffff88801fc24293 R09: 1ffff11003f84852
[ 85.297124][ T5328] R10: dffffc0000000000 R11: ffffed1003f84853 R12: dffffc0000000000
[ 85.300139][ T5328] R13: ffff88804241ca98 R14: ffff88801f744880 R15: ffff88803ed7f178
[ 85.302942][ T5328] FS: 00007f18b7ffa6c0(0000) GS:ffff88808d252000(0000) knlGS:0000000000000000
[ 85.306702][ T5328] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 85.309708][ T5328] CR2: 00007f18b7ff9fc8 CR3: 0000000035dba000 CR4: 0000000000352ef0
[ 85.313988][ T5328] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 85.317646][ T5328] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 85.321270][ T5328] Call Trace:
[ 85.323014][ T5328] <TASK>
[ 85.324893][ T5328] ? rcu_is_watching+0x15/0xb0
[ 85.327803][ T5328] queue_work_on+0x181/0x270
[ 85.330140][ T5328] ? lockdep_hardirqs_on+0x9c/0x150
[ 85.332554][ T5328] ? __pfx_queue_work_on+0x10/0x10
[ 85.334970][ T5328] ? _raw_spin_unlock_irqrestore+0xad/0x110
[ 85.337647][ T5328] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 85.340414][ T5328] ? skb_queue_tail+0x30/0xf0
[ 85.342577][ T5328] hci_recv_frame+0x5c9/0x720
[ 85.344910][ T5328] ? skb_pull+0xc1/0x1d0
[ 85.347078][ T5328] vhci_write+0x358/0x4a0
[ 85.349427][ T5328] vfs_write+0x548/0xa90
[ 85.351638][ T5328] ? __pfx_vhci_write+0x10/0x10
[ 85.354107][ T5328] ? __pfx_vfs_write+0x10/0x10
[ 85.356299][ T5328] ? __fget_files+0x2a/0x420
[ 85.358412][ T5328] ksys_write+0x145/0x250
[ 85.360378][ T5328] ? __pfx_ksys_write+0x10/0x10
[ 85.362626][ T5328] ? do_syscall_64+0xbe/0x3b0
[ 85.364744][ T5328] do_syscall_64+0xfa/0x3b0
[ 85.366832][ T5328] ? lockdep_hardirqs_on+0x9c/0x150
[ 85.369216][ T5328] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.372046][ T5328] ? clear_bhb_loop+0x60/0xb0
[ 85.374224][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.376951][ T5328] RIP: 0033:0x7f18b718d3df
[ 85.379041][ T5328] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
[ 85.387644][ T5328] RSP: 002b:00007f18b7ffa000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[ 85.391714][ T5328] RAX: ffffffffffffffda RBX: 00007f18b73b6080 RCX: 00007f18b718d3df
[ 85.395958][ T5328] RDX: 0000000000000022 RSI: 0000200000000040 RDI: 00000000000000ca
[ 85.399436][ T5328] RBP: 00007f18b7210b39 R08: 0000000000000000 R09: 0000000000000000
[ 85.402900][ T5328] R10: 0000200000000040 R11: 0000000000000293 R12: 0000000000000000
[ 85.406769][ T5328] R13: 0000000000000001 R14: 00007f18b73b6080 R15: 00007ffc1ac8ae18
[ 85.411021][ T5328] </TASK>
[ 85.412554][ T5328] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 85.415778][ T5328] CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(full)
[ 85.420772][ T5328] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 85.426256][ T5328] Call Trace:
[ 85.428070][ T5328] <TASK>
[ 85.429701][ T5328] dump_stack_lvl+0x99/0x250
[ 85.431881][ T5328] ? __asan_memcpy+0x40/0x70
[ 85.434340][ T5328] ? __pfx_dump_stack_lvl+0x10/0x10
[ 85.436781][ T5328] ? __pfx__printk+0x10/0x10
[ 85.438898][ T5328] panic+0x2db/0x790
[ 85.440678][ T5328] ? __pfx_panic+0x10/0x10
[ 85.442668][ T5328] ? show_trace_log_lvl+0x4fb/0x550
[ 85.444995][ T5328] __warn+0x31b/0x4b0
[ 85.446856][ T5328] ? __queue_work+0xd62/0xfe0
[ 85.449331][ T5328] ? __queue_work+0xd62/0xfe0
[ 85.451433][ T5328] report_bug+0x2be/0x4f0
[ 85.453367][ T5328] ? __queue_work+0xd62/0xfe0
[ 85.455478][ T5328] ? __queue_work+0xd62/0xfe0
[ 85.457548][ T5328] ? __queue_work+0xd64/0xfe0
[ 85.459627][ T5328] handle_bug+0x84/0x160
[ 85.461523][ T5328] exc_invalid_op+0x1a/0x50
[ 85.463501][ T5328] asm_exc_invalid_op+0x1a/0x20
[ 85.465595][ T5328] RIP: 0010:__queue_work+0xd62/0xfe0
[ 85.468023][ T5328] Code: 42 80 3c 20 00 74 08 4c 89 ef e8 99 00 99 00 49 8b 75 00 49 81 c7 78 01 00 00 48 c7 c7 40 e0 89 8b 4c 89 fa e8 1f 34 f9 ff 90 <0f> 0b 90 90 e9 f1 f4 ff ff e8 00 89 35 00 90 0f 0b 90 e9 dd fc ff
[ 85.476773][ T5328] RSP: 0018:ffffc9000d2cfa68 EFLAGS: 00010046
[ 85.479447][ T5328] RAX: c6cfa217f6323e00 RBX: 0000000000000000 RCX: 0000000000100000
[ 85.482901][ T5328] RDX: ffffc9000e3db000 RSI: 0000000000000a1f RDI: 0000000000000a20
[ 85.486582][ T5328] RBP: 1ffff11007dafe38 R08: ffff88801fc24293 R09: 1ffff11003f84852
[ 85.490362][ T5328] R10: dffffc0000000000 R11: ffffed1003f84853 R12: dffffc0000000000
[ 85.494234][ T5328] R13: ffff88804241ca98 R14: ffff88801f744880 R15: ffff88803ed7f178
[ 85.497917][ T5328] ? __queue_work+0xd61/0xfe0
[ 85.500130][ T5328] ? rcu_is_watching+0x15/0xb0
[ 85.502665][ T5328] queue_work_on+0x181/0x270
[ 85.505364][ T5328] ? lockdep_hardirqs_on+0x9c/0x150
[ 85.508066][ T5328] ? __pfx_queue_work_on+0x10/0x10
[ 85.510368][ T5328] ? _raw_spin_unlock_irqrestore+0xad/0x110
[ 85.513081][ T5328] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 85.515989][ T5328] ? skb_queue_tail+0x30/0xf0
[ 85.518178][ T5328] hci_recv_frame+0x5c9/0x720
[ 85.520996][ T5328] ? skb_pull+0xc1/0x1d0
[ 85.523711][ T5328] vhci_write+0x358/0x4a0
[ 85.525890][ T5328] vfs_write+0x548/0xa90
[ 85.527924][ T5328] ? __pfx_vhci_write+0x10/0x10
[ 85.530137][ T5328] ? __pfx_vfs_write+0x10/0x10
[ 85.532427][ T5328] ? __fget_files+0x2a/0x420
[ 85.534760][ T5328] ksys_write+0x145/0x250
[ 85.536691][ T5328] ? __pfx_ksys_write+0x10/0x10
[ 85.538830][ T5328] ? do_syscall_64+0xbe/0x3b0
[ 85.541191][ T5328] do_syscall_64+0xfa/0x3b0
[ 85.543900][ T5328] ? lockdep_hardirqs_on+0x9c/0x150
[ 85.546836][ T5328] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.549760][ T5328] ? clear_bhb_loop+0x60/0xb0
[ 85.551925][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.554693][ T5328] RIP: 0033:0x7f18b718d3df
[ 85.556795][ T5328] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
[ 85.566352][ T5328] RSP: 002b:00007f18b7ffa000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[ 85.570124][ T5328] RAX: ffffffffffffffda RBX: 00007f18b73b6080 RCX: 00007f18b718d3df
[ 85.574005][ T5328] RDX: 0000000000000022 RSI: 0000200000000040 RDI: 00000000000000ca
[ 85.578376][ T5328] RBP: 00007f18b7210b39 R08: 0000000000000000 R09: 0000000000000000
[ 85.582001][ T5328] R10: 0000200000000040 R11: 0000000000000293 R12: 0000000000000000
[ 85.585641][ T5328] R13: 0000000000000001 R14: 00007f18b73b6080 R15: 00007ffc1ac8ae18
[ 85.589939][ T5328] </TASK>
[ 85.592194][ T5328] Kernel Offset: disabled
[ 85.594526][ T5328] Rebooting in 86400 seconds..