------------[ cut here ]------------
workqueue: cannot queue hci_cmd_timeout on wq hci0
WARNING: CPU: 2 PID: 12 at kernel/workqueue.c:2257 __queue_work+0xc9c/0x10f0 kernel/workqueue.c:2256
Modules linked in:
CPU: 2 UID: 0 PID: 12 Comm: kworker/u32:0 Not tainted 6.16.0-rc5-syzkaller-00121-gbc9ff192a6c9 #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:__queue_work+0xc9c/0x10f0 kernel/workqueue.c:2256
Code: 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 28 04 00 00 48 8b 75 18 4c 89 f2 48 c7 c7 c0 05 ac 8b e8 45 44 f7 ff 90 <0f> 0b 90 90 e9 96 f7 ff ff e8 36 f8 37 00 90 0f 0b 90 e9 1b f6 ff
RSP: 0018:ffffc90000538be8 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ab108
RDX: ffff88801dae4880 RSI: ffffffff817ab115 RDI: 0000000000000001
RBP: ffff88804cd34970 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 1ffff920000a718f
R13: 0000000080000100 R14: ffff888060b5b178 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff888097721000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000f5136dc7 CR3: 000000004a03f000 CR4: 0000000000352ef0
Call Trace:
 <IRQ>
 call_timer_fn+0x19a/0x620 kernel/time/timer.c:1747
 expire_timers kernel/time/timer.c:1793 [inline]
 __run_timers+0x569/0x960 kernel/time/timer.c:2372
 __run_timer_base kernel/time/timer.c:2384 [inline]
 __run_timer_base kernel/time/timer.c:2376 [inline]
 run_timer_base+0x114/0x190 kernel/time/timer.c:2393
 run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2403
 handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lockdep_unregister_key+0xe9/0x140 kernel/locking/lockdep.c:6619
Code: 48 89 ef e8 b9 e5 ff ff 48 83 2d 39 02 58 14 01 89 c3 e8 da ee ff ff 9c 58 f6 c4 02 75 52 41 f7 c4 00 02 00 00 74 01 fb 84 db <75> 1b 5b 5d 41 5c e9 bc 73 0a 00 8b 05 0a 18 12 0f 31 db 85 c0 74
RSP: 0018:ffffc900001e7610 EFLAGS: 00000246
RAX: 0000000000000046 RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff8df1f0da RDI: ffffffff8c1578e0
RBP: ffffffff9756ba08 R08: 000000000000a219 R09: ffffffff95f0fdd2
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000246
R13: ffff888013b88000 R14: ffff888013b884c0 R15: 0000000000000001
 __qdisc_destroy+0x11a/0x4d0 net/sched/sch_generic.c:1081
 qdisc_put+0xab/0xe0 net/sched/sch_generic.c:1107
 dev_shutdown+0x1d0/0x430 net/sched/sch_generic.c:1495
 unregister_netdevice_many_notify+0xb3c/0x2700 net/core/dev.c:12065
 unregister_netdevice_many net/core/dev.c:12140 [inline]
 unregister_netdevice_queue+0x305/0x3f0 net/core/dev.c:11984
 unregister_netdevice include/linux/netdevice.h:3379 [inline]
 _cfg80211_unregister_wdev+0x64b/0x830 net/wireless/core.c:1256
 ieee80211_remove_interfaces+0x34e/0x720 net/mac80211/iface.c:2362
 ieee80211_unregister_hw+0x55/0x3a0 net/mac80211/main.c:1683
 mac80211_hwsim_del_radio drivers/net/wireless/virtual/mac80211_hwsim.c:5671 [inline]
 hwsim_exit_net+0x3ac/0x7d0 drivers/net/wireless/virtual/mac80211_hwsim.c:6551
 ops_exit_list net/core/net_namespace.c:200 [inline]
 ops_undo_list+0x2ee/0xab0 net/core/net_namespace.c:253
 cleanup_net+0x408/0x890 net/core/net_namespace.c:686
 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3321 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402
 kthread+0x3c2/0x780 kernel/kthread.c:464
 ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
----------------
Code disassembly (best guess):
   0:	48 89 ef             	mov    %rbp,%rdi
   3:	e8 b9 e5 ff ff       	call   0xffffe5c1
   8:	48 83 2d 39 02 58 14 	subq   $0x1,0x14580239(%rip)        # 0x14580249
   f:	01
  10:	89 c3                	mov    %eax,%ebx
  12:	e8 da ee ff ff       	call   0xffffeef1
  17:	9c                   	pushf
  18:	58                   	pop    %rax
  19:	f6 c4 02             	test   $0x2,%ah
  1c:	75 52                	jne    0x70
  1e:	41 f7 c4 00 02 00 00 	test   $0x200,%r12d
  25:	74 01                	je     0x28
  27:	fb                   	sti
  28:	84 db                	test   %bl,%bl
* 2a:	75 1b                	jne    0x47 <-- trapping instruction
  2c:	5b                   	pop    %rbx
  2d:	5d                   	pop    %rbp
  2e:	41 5c                	pop    %r12
  30:	e9 bc 73 0a 00       	jmp    0xa73f1
  35:	8b 05 0a 18 12 0f    	mov    0xf12180a(%rip),%eax        # 0xf121845
  3b:	31 db                	xor    %ebx,%ebx
  3d:	85 c0                	test   %eax,%eax
  3f:	74                   	.byte 0x74