program: r0 = socket$nl_route(0x10, 0x3, 0x0) (async) sendmsg$IPSET_CMD_CREATE(0xffffffffffffffff, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000044c0)={&(0x7f0000000200)=ANY=[@ANYBLOB="4c000000020681010000000000000000000000000500050002000000050001000700000005000400030000000900020073797a310000000011000300686173683a6e65742c6e6574"], 0x4c}, 0x1, 0x0, 0x0, 0x4040000}, 0x800) r1 = socket$nl_netfilter(0x10, 0x3, 0xc) (async) r2 = socket$l2tp(0x2, 0x2, 0x73) (async) r3 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$NFT_BATCH(r3, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000980)={{0x14, 0x10, 0x1, 0x0, 0x0, {0x1}}, [@NFT_MSG_NEWTABLE={0x20, 0x0, 0xa, 0x201, 0x0, 0x0, {0x3, 0x0, 0x3}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz0\x00'}]}, @NFT_MSG_NEWCHAIN={0x2c, 0x3, 0xa, 0x101, 0x0, 0x0, {0x1}, [@NFTA_CHAIN_HANDLE={0xc, 0x2, 0x1, 0x0, 0x2}, @NFTA_CHAIN_NAME={0x9, 0x3, 'syz0\x00'}]}, @NFT_MSG_NEWRULE={0x98, 0x6, 0xa, 0x201, 0x0, 0x0, {0xa}, [@NFTA_RULE_POSITION={0xc, 0x6, 0x1, 0x0, 0x5}, @NFTA_RULE_EXPRESSIONS={0x6c, 0x4, 0x0, 0x1, [{0x44, 0x1, 0x0, 0x1, @lookup={{0xb}, @val={0x34, 0x2, 0x0, 0x1, [@NFTA_LOOKUP_FLAGS={0x8, 0x5, 0x1, 0x0, 0x1}, @NFTA_LOOKUP_DREG={0x8, 0x3, 0x1, 0x0, 0xc}, @NFTA_LOOKUP_DREG={0x8, 0x3, 0x1, 0x0, 0xa}, @NFTA_LOOKUP_SET={0x9, 0x1, 'syz1\x00'}, @NFTA_LOOKUP_SET={0x9, 0x1, 'syz1\x00'}]}}}, {0x24, 0x1, 0x0, 0x1, @meta={{0x9}, @val={0x14, 0x2, 0x0, 0x1, [@NFTA_META_SREG={0x8, 0x3, 0x1, 0x0, 0xc}, @NFTA_META_KEY={0x8, 0x2, 0x1, 0x0, 0xd}]}}}]}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}]}], {0x14, 0x11, 0x1, 0x0, 0x0, {0x7}}}, 0x10c}}, 0xc0) r4 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r5 = syz_genetlink_get_family_id$nfc(&(0x7f0000000100), r4) sendmsg$NFC_CMD_DEV_UP(r4, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000001c0)=ANY=[@ANYBLOB='\t\x00\x00\x00', @ANYRES16=r5, @ANYBLOB="01002cbd7000340200000200000008000100", @ANYRES32=0x0, @ANYBLOB], 0x1c}}, 0x240040c0) (async) r6 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r7 = 
syz_genetlink_get_family_id$nfc(&(0x7f00000002c0), r6) sendmsg$NFC_CMD_DEV_UP(r6, &(0x7f0000000380)={0x0, 0x0, &(0x7f0000000340)={&(0x7f0000000700)=ANY=[@ANYBLOB="b44b58ab55ce18af06aa71c558f52f46dbb371b413d6baede8986004d9d0b852705e005a26ccafae431fccf5d929d17c5cf56bcced9aa1828691185e3c2af46862074169ae229d83ada21f8bf29aad17e01fafe9685af0d7efccf914aa95223748bc4e1416a4a53caadd716e251bdb9f10f693e02e8f9a5f25", @ANYRES16=r7, @ANYBLOB="010023010000340200000200000008000100567d647572eb7bf83e8abf3341c72cfc26967d1306b2603cbd444833b635b912215b", @ANYRES32=r4, @ANYBLOB="b66609eb293f538c9748d13fc6c66708b3facfcf1e374cb70b6f646bfd85e2fb81d5e4200dc74f86df4866f5bfa4b701cfb1800d95dcb0fe6a6feccb6765ecd3c3c29356ed329d1095823d463d1f337fbe46be90a147343f52e51283eb59242ea160f03a4d135a02d4214b37f09dc12dfd19439fd4412e33f6e0327d9dd4fe8fb56e1fe3df6bdcfa4af1f30859049f4ed0549c2e"], 0x1c}}, 0x20000000) (async) setsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, &(0x7f0000000180)='netdevsim0\x00', 0x10) r8 = syz_genetlink_get_family_id$nfc(&(0x7f0000000100), 0xffffffffffffffff) ioctl$IOCTL_GET_NCIDEV_IDX(0xffffffffffffffff, 0x0, &(0x7f00000000c0)=0x0) sendmsg$NFC_CMD_DEV_UP(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000280)=ANY=[@ANYBLOB="1c000000", @ANYRES16=r8, @ANYBLOB="010026bd70003c0200000200000008000100", @ANYRES32=r9], 0x1c}}, 0x0) sendmsg$NFC_CMD_START_POLL(r4, &(0x7f00000004c0)={&(0x7f0000000300)={0x10, 0x0, 0x0, 0x1}, 0xc, &(0x7f0000000480)={&(0x7f0000000400)={0x64, 0x0, 0x400, 0x70bd2d, 0x25dfdbfc, {}, [@NFC_ATTR_DEVICE_INDEX={0x8}, @NFC_ATTR_IM_PROTOCOLS={0x8, 0xd, 0x40}, @NFC_ATTR_IM_PROTOCOLS={0x8, 0xd, 0xca}, @NFC_ATTR_PROTOCOLS={0x8}, @NFC_ATTR_TM_PROTOCOLS={0x8, 0xe, 0x8}, @NFC_ATTR_DEVICE_INDEX={0x8}, @NFC_ATTR_PROTOCOLS={0x8}, @NFC_ATTR_PROTOCOLS={0x8, 0x3, 0x52}, @NFC_ATTR_DEVICE_INDEX={0x8, 0x1, r9}, @NFC_ATTR_IM_PROTOCOLS={0x8, 0xd, 0x40}]}, 0x64}, 0x1, 0x0, 0x0, 0x1000}, 0x4000091) (async) setsockopt$IP_VS_SO_SET_FLUSH(r2, 0x0, 0x485, 
0x0, 0x0) (async) sendmsg$NFT_MSG_GETOBJ(r3, &(0x7f0000000600)={&(0x7f0000000500)={0x10, 0x0, 0x0, 0x400000}, 0xc, &(0x7f0000000540)={&(0x7f0000000ac0)={0x1a8, 0x13, 0xa, 0x5, 0x0, 0x0, {0x0, 0x0, 0x7}, [@NFTA_OBJ_USERDATA={0xa8, 0x8, "ce17e5d9561c24898981cc10f54fe52f734c9ec5fa0d1aa8fa847c9707fc2facfeb8e06952f5b500e118221c99160b433bf62cb08933024ec78144bd72e7ba4893539353f1e65df659691dc39932abe81d05d901cfc7d15660ac2cb2fdb722f5157c99eb16c715912d31e7f8417812cb046a2b33a612747b7dcbdec451d5c1de0af041f6a19031364362c33055f58cd46a699e609964a19176c406598dd0bf821edcbdf8"}, @NFTA_OBJ_USERDATA={0xea, 0x8, "c7f17f073d8641dd5aea015a18b91e344d7ed4c9d3d2c9c37ee1b73bbc18b6ee24a1a5e88ede897a021583a2d5315419cec6eddcdf8a2d6088a2cfa6cac93647ab08e888280295951205a6c1137369eface10701845c40b8a2e8003e75eeb3f9319e32a4d4de5a58d00c7bbf2a0eddcb92451fff5a13e63a482cacd9fb6966ebc4dae760edf1044e41c9d8353edb939008c3a742b155eedbb51ac9505a4ff5bb5ca9b579182283eb01319ad296cce6b6c9c8c0e40846ec39e6a21a42c34d77671b12984d5408a28496555b29358be97b63ffbb3661c12fc7d631b93247bb8b756e6fd5d37fd8"}]}, 0x1a8}, 0x1, 0x0, 0x0, 0x18000}, 0x20000000) (async) sendmsg$IPSET_CMD_ADD(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000580)={0x50, 0x9, 0x6, 0x201, 0x0, 0x0, {0x3}, [@IPSET_ATTR_SETNAME={0x9, 0x2, 'syz1\x00'}, @IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_DATA={0x28, 0x7, 0x0, 0x1, [@IPSET_ATTR_IP={0xc, 0x1, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV4={0x8, 0x1, 0x1, 0x0, @broadcast}}, @IPSET_ATTR_IP2={0xc, 0x14, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV4={0x8, 0x1, 0x1, 0x0, @remote}}, @IPSET_ATTR_IP_TO={0xc, 0x2, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV4={0x8, 0x1, 0x1, 0x0, @rand_addr=0x64010101}}]}]}, 0x50}, 0x1, 0x0, 0x0, 0xd24f4d5778621dc6}, 0x4) (async) r10 = socket$nl_netfilter(0x10, 0x3, 0xc) (async) syz_open_dev$cec(&(0x7f00000003c0), 0x0, 0x0) (async) r11 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) (async) syz_emit_vhci(&(0x7f00000003c0)=ANY=[@ANYBLOB="04221f02"], 0x22) ioctl$sock_bt_hci(r11, 0x400448cb, 0x0) (async) 
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="040e0402030c"], 0x7) sendmsg$IPSET_CMD_LIST(r10, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000040)=ANY=[@ANYBLOB="1c0000000706010800000000000d0000000005000000000000000000"], 0x1c}}, 0x0) (async) sendmsg$IPCTNL_MSG_CT_NEW(r10, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000280)=ANY=[@ANYBLOB="14000000000000000a"], 0x14}, 0x1, 0x0, 0x0, 0x4008002}, 0x40000) (async) read(r10, &(0x7f00000000c0)=""/81, 0xfdef) sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000640)=@newlink={0x84, 0x10, 0x1, 0x70bd2a, 0x25dfdbfd, {0x0, 0x0, 0x0, 0x0, 0x2102, 0x22008}, [@IFLA_IFNAME={0x14, 0x3, 'netdevsim0\x00'}, @IFLA_VFINFO_LIST={0x50, 0x16, 0x0, 0x1, [{0x4c, 0x1, 0x0, 0x1, [@IFLA_VF_MAC={0x28, 0x1, {0x5, @broadcast}}, @IFLA_VF_VLAN={0x10, 0x2, {0x8, 0xc4d, 0xd8e}}, @IFLA_VF_RATE={0x10, 0x6, {0x8, 0x741, 0x7ff}}]}]}]}, 0x84}}, 0x80811) [ 74.517877][ T5302] Bluetooth: hci0: command tx timeout [ 74.600449][ T5324] ------------[ cut here ]------------ [ 74.603368][ T5324] workqueue: cannot queue hci_rx_work on wq hci0 [ 74.606507][ T5324] WARNING: CPU: 0 PID: 5324 at kernel/workqueue.c:2258 __queue_work+0xd62/0xfe0 [ 74.610742][ T5324] Modules linked in: [ 74.612784][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.16.0-rc3-syzkaller-00346-gafa9a6f4f574 #0 PREEMPT(full) [ 74.617944][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 74.622188][ T5324] RIP: 0010:__queue_work+0xd62/0xfe0 [ 74.624272][ T5324] Code: 42 80 3c 20 00 74 08 4c 89 ef e8 79 0e 99 00 49 8b 75 00 49 81 c7 78 01 00 00 48 c7 c7 c0 e0 89 8b 4c 89 fa e8 1f 34 f9 ff 90 <0f> 0b 90 90 e9 f1 f4 ff ff e8 80 8b 35 00 90 0f 0b 90 e9 dd fc ff [ 74.632336][ T5324] RSP: 0018:ffffc9000d5c7a68 EFLAGS: 00010046 [ 74.634782][ T5324] RAX: 6f2f42449e07c800 RBX: 0000000000000000 RCX: ffff88801f894880 [ 74.638577][ T5324] RDX: 0000000000000000 RSI: 0000000000000000 
RDI: 0000000000000002
[ 74.642068][ T5324] RBP: 1ffff11008068238 R08: ffff88801fc24293 R09: 1ffff11003f84852
[ 74.645531][ T5324] R10: dffffc0000000000 R11: ffffed1003f84853 R12: dffffc0000000000
[ 74.649083][ T5324] R13: ffff88803607cad8 R14: ffff88801f894880 R15: ffff888040341178
[ 74.652620][ T5324] FS: 00007fcb5a61b6c0(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000
[ 74.656458][ T5324] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 74.659232][ T5324] CR2: 00007fcb5a61afc8 CR3: 0000000041f46000 CR4: 0000000000352ef0
[ 74.662742][ T5324] Call Trace:
[ 74.664157][ T5324] <TASK>
[ 74.665427][ T5324] ? rcu_is_watching+0x15/0xb0
[ 74.667613][ T5324] queue_work_on+0x181/0x270
[ 74.670174][ T5324] ? lockdep_hardirqs_on+0x9c/0x150
[ 74.672860][ T5324] ? __pfx_queue_work_on+0x10/0x10
[ 74.675156][ T5324] ? _raw_spin_unlock_irqrestore+0xad/0x110
[ 74.677907][ T5324] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 74.680857][ T5324] ? skb_queue_tail+0x30/0xf0
[ 74.682937][ T5324] hci_recv_frame+0x5c9/0x720
[ 74.684972][ T5324] ? skb_pull+0xc1/0x1d0
[ 74.686637][ T5324] vhci_write+0x358/0x4a0
[ 74.688472][ T5324] vfs_write+0x54b/0xa90
[ 74.690268][ T5324] ? __pfx_vhci_write+0x10/0x10
[ 74.692396][ T5324] ? __pfx_vfs_write+0x10/0x10
[ 74.694547][ T5324] ? __fget_files+0x2a/0x420
[ 74.696530][ T5324] ksys_write+0x145/0x250
[ 74.698593][ T5324] ? __pfx_ksys_write+0x10/0x10
[ 74.700674][ T5324] ? do_syscall_64+0xbe/0x3b0
[ 74.702331][ T5324] do_syscall_64+0xfa/0x3b0
[ 74.704065][ T5324] ? lockdep_hardirqs_on+0x9c/0x150
[ 74.706188][ T5324] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.708751][ T5324] ? clear_bhb_loop+0x60/0xb0
[ 74.710756][ T5324] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.713417][ T5324] RIP: 0033:0x7fcb5978d3df
[ 74.715408][ T5324] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
[ 74.723908][ T5324] RSP: 002b:00007fcb5a61b000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[ 74.727536][ T5324] RAX: ffffffffffffffda RBX: 00007fcb599b6160 RCX: 00007fcb5978d3df
[ 74.730841][ T5324] RDX: 0000000000000007 RSI: 0000200000000040 RDI: 00000000000000ca
[ 74.734331][ T5324] RBP: 00007fcb59810b39 R08: 0000000000000000 R09: 0000000000000000
[ 74.737765][ T5324] R10: 0000200000000040 R11: 0000000000000293 R12: 0000000000000000
[ 74.741180][ T5324] R13: 0000000000000001 R14: 00007fcb599b6160 R15: 00007ffec4d7b2c8
[ 74.744354][ T5324] </TASK>
[ 74.745804][ T5324] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 74.748839][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.16.0-rc3-syzkaller-00346-gafa9a6f4f574 #0 PREEMPT(full)
[ 74.753637][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 74.757893][ T5324] Call Trace:
[ 74.759287][ T5324] <TASK>
[ 74.760611][ T5324] dump_stack_lvl+0x99/0x250
[ 74.762525][ T5324] ? __asan_memcpy+0x40/0x70
[ 74.764513][ T5324] ? __pfx_dump_stack_lvl+0x10/0x10
[ 74.766680][ T5324] ? __pfx__printk+0x10/0x10
[ 74.768714][ T5324] panic+0x2db/0x790
[ 74.770484][ T5324] ? __pfx_panic+0x10/0x10
[ 74.772443][ T5324] ? show_trace_log_lvl+0x4fb/0x550
[ 74.774716][ T5324] __warn+0x31b/0x4b0
[ 74.776545][ T5324] ? __queue_work+0xd62/0xfe0
[ 74.778628][ T5324] ? __queue_work+0xd62/0xfe0
[ 74.780748][ T5324] report_bug+0x2be/0x4f0
[ 74.782607][ T5324] ? __queue_work+0xd62/0xfe0
[ 74.784589][ T5324] ? __queue_work+0xd62/0xfe0
[ 74.786481][ T5324] ? __queue_work+0xd64/0xfe0
[ 74.788427][ T5324] handle_bug+0x84/0x160
[ 74.790182][ T5324] exc_invalid_op+0x1a/0x50
[ 74.792037][ T5324] asm_exc_invalid_op+0x1a/0x20
[ 74.794136][ T5324] RIP: 0010:__queue_work+0xd62/0xfe0
[ 74.796347][ T5324] Code: 42 80 3c 20 00 74 08 4c 89 ef e8 79 0e 99 00 49 8b 75 00 49 81 c7 78 01 00 00 48 c7 c7 c0 e0 89 8b 4c 89 fa e8 1f 34 f9 ff 90 <0f> 0b 90 90 e9 f1 f4 ff ff e8 80 8b 35 00 90 0f 0b 90 e9 dd fc ff
[ 74.803663][ T5324] RSP: 0018:ffffc9000d5c7a68 EFLAGS: 00010046
[ 74.806164][ T5324] RAX: 6f2f42449e07c800 RBX: 0000000000000000 RCX: ffff88801f894880
[ 74.810023][ T5324] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
[ 74.813482][ T5324] RBP: 1ffff11008068238 R08: ffff88801fc24293 R09: 1ffff11003f84852
[ 74.816761][ T5324] R10: dffffc0000000000 R11: ffffed1003f84853 R12: dffffc0000000000
[ 74.820095][ T5324] R13: ffff88803607cad8 R14: ffff88801f894880 R15: ffff888040341178
[ 74.823463][ T5324] ? __queue_work+0xd61/0xfe0
[ 74.825491][ T5324] ? rcu_is_watching+0x15/0xb0
[ 74.827631][ T5324] queue_work_on+0x181/0x270
[ 74.829704][ T5324] ? lockdep_hardirqs_on+0x9c/0x150
[ 74.831993][ T5324] ? __pfx_queue_work_on+0x10/0x10
[ 74.834226][ T5324] ? _raw_spin_unlock_irqrestore+0xad/0x110
[ 74.836764][ T5324] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 74.839475][ T5324] ? skb_queue_tail+0x30/0xf0
[ 74.841587][ T5324] hci_recv_frame+0x5c9/0x720
[ 74.843601][ T5324] ? skb_pull+0xc1/0x1d0
[ 74.845395][ T5324] vhci_write+0x358/0x4a0
[ 74.847183][ T5324] vfs_write+0x54b/0xa90
[ 74.848997][ T5324] ? __pfx_vhci_write+0x10/0x10
[ 74.851236][ T5324] ? __pfx_vfs_write+0x10/0x10
[ 74.853322][ T5324] ? __fget_files+0x2a/0x420
[ 74.855291][ T5324] ksys_write+0x145/0x250
[ 74.857074][ T5324] ? __pfx_ksys_write+0x10/0x10
[ 74.859124][ T5324] ? do_syscall_64+0xbe/0x3b0
[ 74.861210][ T5324] do_syscall_64+0xfa/0x3b0
[ 74.863172][ T5324] ? lockdep_hardirqs_on+0x9c/0x150
[ 74.865368][ T5324] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.867979][ T5324] ? clear_bhb_loop+0x60/0xb0
[ 74.870060][ T5324] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.872677][ T5324] RIP: 0033:0x7fcb5978d3df
[ 74.874539][ T5324] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
[ 74.882985][ T5324] RSP: 002b:00007fcb5a61b000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[ 74.886789][ T5324] RAX: ffffffffffffffda RBX: 00007fcb599b6160 RCX: 00007fcb5978d3df
[ 74.890365][ T5324] RDX: 0000000000000007 RSI: 0000200000000040 RDI: 00000000000000ca
[ 74.893883][ T5324] RBP: 00007fcb59810b39 R08: 0000000000000000 R09: 0000000000000000
[ 74.897381][ T5324] R10: 0000200000000040 R11: 0000000000000293 R12: 0000000000000000
[ 74.900903][ T5324] R13: 0000000000000001 R14: 00007fcb599b6160 R15: 00007ffec4d7b2c8
[ 74.904284][ T5324] </TASK>
[ 74.905975][ T5324] Kernel Offset: disabled
[ 74.907729][ T5324] Rebooting in 86400 seconds..