program: r0 = socket$inet(0x2, 0x4000000000000001, 0x0) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$sock_bt_hci(r1, 0x400448cb, 0x0) (async, rerun: 32) sendmsg$L2TP_CMD_TUNNEL_CREATE(0xffffffffffffffff, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000040)={0x14, 0x0, 0x4, 0x0, 0xfffffffd}, 0x14}, 0x1, 0x0, 0x0, 0x4c040}, 0x2400c0c1) (async, rerun: 32) openat$snapshot(0xffffffffffffff9c, &(0x7f00000002c0), 0x40040, 0x0) (async) syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="040e0402030c"], 0x7) (async) setsockopt$inet_tcp_int(r0, 0x6, 0x80000000000002, &(0x7f00000000c0)=0x7a, 0x4) (async) bind$inet(r0, &(0x7f0000000080)={0x2, 0x4e23, @local}, 0x10) (async) setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000000140)={0x1, &(0x7f0000000280)=[{0x6, 0x0, 0x0, 0xe4}]}, 0x10) (async) sendto$inet(r0, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x10) setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd, &(0x7f0000000100)='bbr\x00', 0x4) socket$packet(0x11, 0x3, 0x300) (async) sendmmsg$inet(r0, &(0x7f0000001080)=[{{0x0, 0x0, &(0x7f0000000900)=[{&(0x7f0000000a40)="0036d551863e1902129da79f5986e05288f50e5398660c1a29b0f45c0cc36902e0251c8d34197b357b32b161f9ad72d55a0eab976aae24ed805271b43f0ce2fea5e764494873e0d82a172b3bb54f59b458fd35039c7d81e9ab07f2fb4dad61bd500a119b54c74a12e4569e47b69a95f92c6380af2bd003fa56f06a23bbd1c76d7756bf4fcaff0c2337", 0x89}, {&(0x7f0000000d40)="316f825a3d29f96a2093a917017b4cd300000000bee70035ed313e19d6dd1fb41a20baf7f7343067fd40cdd4b16742e94b62f4eb1c5d9faab7f3028100ae8180db94b9de7456ae62b0e6fe7766a0842912179154a96fa88e161d4adf77a486e10d1d50e44155790748b7226fa4bb5d77e85729336ba6369a4c33ac53b45d46a92db9fda99af4429dc23db6a1706328df4e75eb173a81bd4af8b89d1870c9b2382a759d67b1cd03b076bf90286b63eb7aaea4cbb1280955e9a59cd8e5e8ac68c27da3d542aece1ba7920e8f39b270458224e74afa52db1ac07f7cce47d5e8ce5b2806ff7171c64a689a0ba35e934506a46a10b9a579dc43630831e2c5400853b58e020c9cb65e44d4957b00ed35a858d44b25d5b8dad1be420467333d9ce17dddc425dad69c4c9395a5c170170a4fa63091786e2a563e3d5982a73c15edf854046e1a33b2728e74c856a58ba74c80f4f4166ac51d720f507c2c205ef5a04370c77928dfde47e15d533060084d", 0x16c}, {&(0x7f0000000f00)="f5e022a4d2ed0cf5f8b2e9857cb9af98da7aa60f7a1582aadeaef336f9139f6768452f868624c7e6ce0948f33f1a63e0fcf0f2df283b3ca3f1f4de26a8b575ccb465985e48f65b9a7fcc93c0a5be8b16774f7c7ca9848a182d6ee7c0f2b9c0e7030ed93ee34214c25cb51279b18c8e5bfbc52152be37f5e2b783e2149be25180430ac63ee1bbe01fbb6125e65839ae5b02d542a97d1bfb1ca420b5405baaaf5ec6ad96af2814dbbea5a064f2ab6fc0904c07f02cbfadfb96866d962e6e21d3a0a0276a36e01b6edafd6c8461de7afec966f9c023ffe15c3c1caec8ff3ef304ed0ffedd061941d9d022b25a4b9632856295fee3a314f6c196d953bcaf1aff06d181d51662fdaa52e46d7905c0b4c632602c810f1e6a6c98f0eaed1d795bc3495ea0b47ca0c44465d4b8b46dac524f2e179f22b486aaef3b7e436e9dc1ecdf10a3a2d59c83", 0x144}], 0x3}}, {{0x0, 0x0, &(0x7f0000000c80)=[{&(0x7f0000000340)="63c3b174ab06077f6ee67ac1310d86586b13d2c9e203a9da866b81e20e9fe5c43219396d489c1459ce9cd14fa3b43a0b9b6004118a35444790d70af5c873561ac1ad55af7f9f8551103f694e2a22346ca675898ce02a665ecc07e153e3949b954c1d74b105c14411925a8ae24778d4111d2d9743b682d653bcf35d53fd33489a3a405042c0de5ec2cb4b991a31e1d76db8609d0bf66d8d723a6c28a50d42ab169de383345fbee97bea33e8bfb5d705852d360ab703fc956c1ea86157aedcff1782c7", 0xc2}, {&(0x7f0000000440)="03d5", 0x2}], 0x2}}, {{0x0, 0x0, &(0x7f0000000040)=[{&(0x7f0000000180)="69499bbe182c20b98e5f2364a4018e8d498604051e06fd7c943b1d4bfb6c759e7589dced7dc6a60c7e3379282b1e540cb440cbddf4a7a380a83f2746758748b038e11a32bad30f7a93c9befee8afb79cdec33da36f7c94dbdb7b303bcc3294b1e53ded96888da5e312ed798b6f4c740e2ea434e00729848d3f29b988c39d5d53fbe0b7e8ef5c24010dabe2c74ce51219b874fba1339401fc60215a1535ee300bddece834aaf1bfd3", 0xa8}], 0x1}}, {{0x0, 0x0, &(0x7f0000000bc0)=[{&(0x7f0000000640)="1d44a349b72d26dc5c783f468e43fd6d653cdf8ff28b34e0729f31f98061b1c19541c240127c0d1b65d0317c06805ffff8f7d0a1c2776111e7083843df7d97116358682ad5c5b01aedf41bb21edb4dfaf4f0322ec189fcd7ce330dab4a524c6f99e61ac5e542c6614749608e6069e1504de58a67e641742850b69c1ad91f5e3513ca32350c2439cabb96c2a41beb781d0fc7bc1eac6177711a90a4e476ece9c722d801e2c80df0f54e7c656108c397aa2676ad77", 0xb4}, {&(0x7f0000000700)="e035b222f1a8ab003081a6", 0xb}, {&(0x7f0000000580)="75a5c4e4d38b13bb79ff80e78173b2", 0xf}, {&(0x7f0000000800)="59e5f36ba904579809479e066feb5ecf09598b1e910ad46278d6a833006fb89d10f8811a796d54299058a56d13fa60814785bd0fea0c5bfb0463cffc17d43321f8d6ab5712e0f8ddcc9117121756760c68be8dde31b615ff8ab841f7d73bc1daca07e364fc7c261532df745b1a6b7002c0f5d35a4c969768b3b6287da28ced2b1781b276d73a21f84bdcb77ea64aa5bdc8c70c4a3169030c69d006d86bc5fee791c13bb6d00e0806fe7105737bf3b6dd6432d96af63bb95a04e65c89d6c347b0c4cd0cf2b3597a47ba946c6eb7bc8b13", 0xd0}], 0x4}}], 0x4, 0x0) (async) setsockopt$sock_int(r0, 0x1, 0x8, &(0x7f0000000600)=0xdfa, 0x4) (async) sendto$inet(r0, &(0x7f00000012c0)="09268a927f1f6588b967481241ba7860fcfaf65ac618ded8974895abeaf4b4834ff922b3f1e0b02bd67aa03059bcecc7a95425a3a07e758044ab4ea6f7ae55d88fecf90b1a7511bf746bec66ba", 0x20c8, 0x11, 0x0, 0x27) (async) r2 = socket$nl_generic(0x10, 0x3, 0x10) (async, rerun: 64) r3 = syz_genetlink_get_family_id$tipc2(&(0x7f00000002c0), 0xffffffffffffffff) (async, rerun: 64) r4 = socket$nl_route(0x10, 0x3, 0x0) (async) r5 = socket$nl_route(0x10, 0x3, 0x0) (async) r6 = socket(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r6, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={0x0, 0x14}}, 0x0) (async) getsockname$packet(r6, &(0x7f00000002c0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000100)=0x14) sendmsg$nl_route_sched(r5, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000004c0)={&(0x7f0000000900)=@newqdisc={0x30, 0x24, 0xf1d, 0x0, 0x0, {0x0, 0x0, 0x0, r7, {}, {0xfff1, 0xffff}, {0x4, 0x3}}, [@qdisc_kind_options=@q_clsact={0xb}]}, 0x30}}, 0x0) (async) sendmsg$nl_route_sched(r4, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f00000001c0)=@getqdisc={0x24, 0x26, 0x705, 0x70bd2b, 0x5, {0x0, 0x0, 0x0, 0x0, {0x1, 0xffe0}, {0x10, 0x8}, {0xfff2, 0xffff}}}, 0x24}, 0x1, 0x0, 0x0, 0x8000}, 0x0) (async) sendmsg$TIPC_NL_PEER_REMOVE(r2, &(0x7f0000000580)={0x0, 0x0, &(0x7f0000000540)={&(0x7f0000000840)={0x14, r3, 0x601, 0x70bd28, 0x3}, 0x14}, 0x1, 0x0, 0x0, 0x4000}, 0x800) [ 69.547731][ T4664] Bluetooth: hci0: command tx timeout [ 69.624589][ T5327] ------------[ cut here ]------------ [ 69.627156][ T5327] WARNING: CPU: 0 PID: 5327 at kernel/workqueue.c:2257 __queue_work+0xcd3/0xf50 [ 69.630517][ T5327] Modules linked in: [ 69.632091][ T5327] CPU: 0 UID: 0 PID: 5327 Comm: syz.0.0 Not tainted 6.14.0-rc3-syzkaller-00079-g87a132e73910 #0 [ 69.637013][ T5327] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 69.641379][ T5327] RIP: 0010:__queue_work+0xcd3/0xf50 [ 69.643369][ T5327] Code: ff e8 e1 af 38 00 90 0f 0b 90 e9 b2 fe ff ff e8 d3 af 38 00 eb 13 e8 cc af 38 00 eb 0c e8 c5 af 38 00 eb 05 e8 be af 38 00 90 <0f> 0b 90 48 83 c4 60 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc [ 69.650186][ T5327] RSP: 0018:ffffc9000d3b7a88 EFLAGS: 00010093 [ 69.652524][ T5327] RAX: ffffffff81890ac4 RBX: ffff888000a3c880 RCX: ffff888000a3c880 [ 69.656028][ T5327] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 69.659843][ T5327] RBP: 0000000000000000 R08: ffffffff8188ff24 R09: 0000000000000000 [ 69.663028][ T5327] R10: ffffc9000d3b7b60 R11: fffff52001a76f6d R12: ffff88804097f800 [ 69.665828][ T5327] R13: ffff88804097f9c0 R14: dffffc0000000000 R15: 0000000000000008 [ 69.668684][ T5327] FS: 00007f73e7f236c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000 [ 69.671819][ T5327] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 69.674619][ T5327] CR2: 00007f73e7f22fe0 CR3: 0000000044194000 CR4: 0000000000352ef0 [ 69.678580][ T5327] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 69.681775][ T5327] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 69.684648][ T5327] Call Trace: [ 69.685938][ T5327] [ 69.687084][ T5327] ? __warn+0x165/0x4d0 [ 69.688642][ T5327] ? __queue_work+0xcd3/0xf50 [ 69.690588][ T5327] ? report_bug+0x2b3/0x500 [ 69.692663][ T5327] ? __queue_work+0xcd3/0xf50 [ 69.695128][ T5327] ? handle_bug+0x60/0x90 [ 69.697113][ T5327] ? exc_invalid_op+0x1a/0x50 [ 69.698864][ T5327] ? asm_exc_invalid_op+0x1a/0x20 [ 69.700740][ T5327] ? __queue_work+0x124/0xf50 [ 69.702569][ T5327] ? __queue_work+0xcc4/0xf50 [ 69.704614][ T5327] ? __queue_work+0xcd3/0xf50 [ 69.706965][ T5327] ? __queue_work+0xcc4/0xf50 [ 69.709261][ T5327] queue_work_on+0x1c2/0x380 [ 69.711412][ T5327] ? __pfx_queue_work_on+0x10/0x10 [ 69.713463][ T5327] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 69.715634][ T5327] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 69.717897][ T5327] ? skb_queue_tail+0x36/0x120 [ 69.719602][ T5327] hci_recv_frame+0x598/0x6f0 [ 69.721620][ T5327] vhci_write+0x35a/0x490 [ 69.723840][ T5327] vfs_write+0xacf/0xd10 [ 69.725944][ T5327] ? __pfx_vhci_write+0x10/0x10 [ 69.728350][ T5327] ? __pfx_vfs_write+0x10/0x10 [ 69.730353][ T5327] ? __fget_files+0x2a/0x410 [ 69.732149][ T5327] ? __fget_files+0x2a/0x410 [ 69.733870][ T5327] ksys_write+0x18f/0x2b0 [ 69.735799][ T5327] ? __pfx_ksys_write+0x10/0x10 [ 69.737593][ T5327] ? exc_page_fault+0x590/0x8b0 [ 69.739421][ T5327] ? do_syscall_64+0xb6/0x230 [ 69.741317][ T5327] do_syscall_64+0xf3/0x230 [ 69.743340][ T5327] ? clear_bhb_loop+0x35/0x90 [ 69.745524][ T5327] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 69.747914][ T5327] RIP: 0033:0x7f73e718b89f [ 69.749625][ T5327] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48 [ 69.757181][ T5327] RSP: 002b:00007f73e7f23000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 [ 69.761247][ T5327] RAX: ffffffffffffffda RBX: 00007f73e73a6160 RCX: 00007f73e718b89f [ 69.764316][ T5327] RDX: 0000000000000007 RSI: 0000400000000040 RDI: 00000000000000ca [ 69.767386][ T5327] RBP: 00007f73e720e2a0 R08: 0000000000000000 R09: 0000000000000000 [ 69.770545][ T5327] R10: 0000400000000040 R11: 0000000000000293 R12: 0000000000000000 [ 69.773789][ T5327] R13: 0000000000000001 R14: 00007f73e73a6160 R15: 00007ffc701c6fe8 [ 69.777135][ T5327] [ 69.778542][ T5327] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 69.781613][ T5327] CPU: 0 UID: 0 PID: 5327 Comm: syz.0.0 Not tainted 6.14.0-rc3-syzkaller-00079-g87a132e73910 #0 [ 69.785606][ T5327] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 69.789464][ T5327] Call Trace: [ 69.791038][ T5327] [ 69.792189][ T5327] dump_stack_lvl+0x241/0x360 [ 69.794610][ T5327] ? __pfx_dump_stack_lvl+0x10/0x10 [ 69.797428][ T5327] ? __pfx__printk+0x10/0x10 [ 69.799507][ T5327] ? _printk+0xd5/0x120 [ 69.801124][ T5327] ? __init_begin+0x41000/0x41000 [ 69.802975][ T5327] ? vscnprintf+0x5d/0x90 [ 69.804705][ T5327] panic+0x349/0x880 [ 69.806439][ T5327] ? __warn+0x174/0x4d0 [ 69.808173][ T5327] ? __pfx_panic+0x10/0x10 [ 69.810256][ T5327] __warn+0x344/0x4d0 [ 69.812426][ T5327] ? __queue_work+0xcd3/0xf50 [ 69.814776][ T5327] report_bug+0x2b3/0x500 [ 69.817157][ T5327] ? __queue_work+0xcd3/0xf50 [ 69.819964][ T5327] handle_bug+0x60/0x90 [ 69.822133][ T5327] exc_invalid_op+0x1a/0x50 [ 69.824208][ T5327] asm_exc_invalid_op+0x1a/0x20 [ 69.826538][ T5327] RIP: 0010:__queue_work+0xcd3/0xf50 [ 69.828875][ T5327] Code: ff e8 e1 af 38 00 90 0f 0b 90 e9 b2 fe ff ff e8 d3 af 38 00 eb 13 e8 cc af 38 00 eb 0c e8 c5 af 38 00 eb 05 e8 be af 38 00 90 <0f> 0b 90 48 83 c4 60 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc [ 69.836038][ T5327] RSP: 0018:ffffc9000d3b7a88 EFLAGS: 00010093 [ 69.838535][ T5327] RAX: ffffffff81890ac4 RBX: ffff888000a3c880 RCX: ffff888000a3c880 [ 69.841774][ T5327] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 69.845374][ T5327] RBP: 0000000000000000 R08: ffffffff8188ff24 R09: 0000000000000000 [ 69.848958][ T5327] R10: ffffc9000d3b7b60 R11: fffff52001a76f6d R12: ffff88804097f800 [ 69.852035][ T5327] R13: ffff88804097f9c0 R14: dffffc0000000000 R15: 0000000000000008 [ 69.854801][ T5327] ? __queue_work+0x124/0xf50 [ 69.856634][ T5327] ? __queue_work+0xcc4/0xf50 [ 69.858535][ T5327] ? __queue_work+0xcc4/0xf50 [ 69.860415][ T5327] queue_work_on+0x1c2/0x380 [ 69.862647][ T5327] ? __pfx_queue_work_on+0x10/0x10 [ 69.865134][ T5327] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 69.867840][ T5327] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 69.870164][ T5327] ? skb_queue_tail+0x36/0x120 [ 69.872134][ T5327] hci_recv_frame+0x598/0x6f0 [ 69.874151][ T5327] vhci_write+0x35a/0x490 [ 69.875915][ T5327] vfs_write+0xacf/0xd10 [ 69.877472][ T5327] ? __pfx_vhci_write+0x10/0x10 [ 69.879454][ T5327] ? __pfx_vfs_write+0x10/0x10 [ 69.881697][ T5327] ? __fget_files+0x2a/0x410 [ 69.883873][ T5327] ? __fget_files+0x2a/0x410 [ 69.885699][ T5327] ksys_write+0x18f/0x2b0 [ 69.887379][ T5327] ? __pfx_ksys_write+0x10/0x10 [ 69.889229][ T5327] ? exc_page_fault+0x590/0x8b0 [ 69.891062][ T5327] ? do_syscall_64+0xb6/0x230 [ 69.892780][ T5327] do_syscall_64+0xf3/0x230 [ 69.894343][ T5327] ? clear_bhb_loop+0x35/0x90 [ 69.896460][ T5327] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 69.899521][ T5327] RIP: 0033:0x7f73e718b89f [ 69.901761][ T5327] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48 [ 69.908951][ T5327] RSP: 002b:00007f73e7f23000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 [ 69.911903][ T5327] RAX: ffffffffffffffda RBX: 00007f73e73a6160 RCX: 00007f73e718b89f [ 69.914930][ T5327] RDX: 0000000000000007 RSI: 0000400000000040 RDI: 00000000000000ca [ 69.918372][ T5327] RBP: 00007f73e720e2a0 R08: 0000000000000000 R09: 0000000000000000 [ 69.922133][ T5327] R10: 0000400000000040 R11: 0000000000000293 R12: 0000000000000000 [ 69.925422][ T5327] R13: 0000000000000001 R14: 00007f73e73a6160 R15: 00007ffc701c6fe8 [ 69.928301][ T5327] [ 69.929821][ T5327] Kernel Offset: disabled [ 69.931443][ T5327] Rebooting in 86400 seconds..