------------[ cut here ]------------
workqueue: cannot queue hci_cmd_timeout on wq hci2
WARNING: CPU: 1 PID: 9965 at kernel/workqueue.c:2257 __queue_work+0xc9c/0x10f0 kernel/workqueue.c:2256
Modules linked in:
CPU: 1 UID: 0 PID: 9965 Comm: syz-executor Not tainted 6.16.0-rc5-syzkaller-00266-g3f31a806a62e #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__queue_work+0xc9c/0x10f0 kernel/workqueue.c:2256
Code: 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 28 04 00 00 48 8b 75 18 4c 89 f2 48 c7 c7 c0 07 ac 8b e8 f5 16 f7 ff 90 <0f> 0b 90 90 e9 96 f7 ff ff e8 56 19 38 00 90 0f 0b 90 e9 1b f6 ff
RSP: 0018:ffffc900006a0be8 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817af1a8
RDX: ffff88805b47c880 RSI: ffffffff817af1b5 RDI: 0000000000000001
RBP: ffff88804f760970 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 1ffff920000d418f
R13: 0000000000000100 R14: ffff888055e46978 R15: 0000000000000001
FS: 00005555861c0500(0000) GS:ffff8880d6813000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6b2aee35c0 CR3: 000000005d6c6000 CR4: 0000000000352ef0
Call Trace:
call_timer_fn+0x197/0x620 kernel/time/timer.c:1747
expire_timers kernel/time/timer.c:1793 [inline]
__run_timers+0x569/0x960 kernel/time/timer.c:2372
__run_timer_base kernel/time/timer.c:2384 [inline]
__run_timer_base kernel/time/timer.c:2376 [inline]
run_timer_base+0x114/0x190 kernel/time/timer.c:2393
run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2403
handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_release+0x183/0x2f0 kernel/locking/lockdep.c:5896
Code: 0f c1 05 08 8d 38 12 83 f8 01 0f 85 1d 01 00 00 9c 58 f6 c4 02 0f 85 08 01 00 00 41 f7 c5 00 02 00 00 74 01 fb 48 8b 44 24 10 <65> 48 2b 05 1d 4b 38 12 0f 85 58 01 00 00 48 83 c4 18 5b 41 5c 41
RSP: 0018:ffffc9000449e9a0 EFLAGS: 00000206
RAX: 6daf77f41ce16c00 RBX: ffffffff8e5c4dc0 RCX: ffffc9000449e9ac
RDX: 0000000000000002 RSI: ffffffff8de0d975 RDI: ffffffff8c158f60
RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000006afc R12: ffffffff816adac4
R13: 0000000000000206 R14: ffff88805b47c880 R15: 0000000000000003
rcu_lock_release include/linux/rcupdate.h:341 [inline]
rcu_read_unlock include/linux/rcupdate.h:871 [inline]
class_rcu_destructor include/linux/rcupdate.h:1155 [inline]
unwind_next_frame+0x3f9/0x20a0 arch/x86/kernel/unwind_orc.c:479
__unwind_start+0x45f/0x7f0 arch/x86/kernel/unwind_orc.c:758
unwind_start arch/x86/include/asm/unwind.h:64 [inline]
arch_stack_walk+0x73/0x100 arch/x86/kernel/stacktrace.c:24
stack_trace_save+0x8e/0xc0 kernel/stacktrace.c:122
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2381 [inline]
slab_free mm/slub.c:4643 [inline]
kfree+0x2b4/0x4d0 mm/slub.c:4842
skb_kfree_head net/core/skbuff.c:1048 [inline]
skb_free_head+0x114/0x210 net/core/skbuff.c:1060
skb_release_data+0x776/0x9c0 net/core/skbuff.c:1087
skb_release_all net/core/skbuff.c:1152 [inline]
__kfree_skb net/core/skbuff.c:1166 [inline]
consume_skb net/core/skbuff.c:1398 [inline]
consume_skb+0xbf/0x100 net/core/skbuff.c:1392
netlink_broadcast_filtered+0x3c9/0xf30 net/netlink/af_netlink.c:1537
nlmsg_multicast_filtered include/net/netlink.h:1151 [inline]
nlmsg_multicast include/net/netlink.h:1170 [inline]
nlmsg_notify+0x9e/0x220 net/netlink/af_netlink.c:2595
rtnl_notify net/core/rtnetlink.c:958 [inline]
rtmsg_ifinfo_send net/core/rtnetlink.c:4419 [inline]
rtmsg_ifinfo_event net/core/rtnetlink.c:4435 [inline]
rtmsg_ifinfo_event net/core/rtnetlink.c:4422 [inline]
rtnetlink_event+0x177/0x1f0 net/core/rtnetlink.c:7004
notifier_call_chain+0xbc/0x410 kernel/notifier.c:85
call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:2230
call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]
call_netdevice_notifiers net/core/dev.c:2282 [inline]
netif_change_name+0x557/0x920 net/core/dev.c:1490
do_setlink.constprop.0+0x3362/0x4380 net/core/rtnetlink.c:3121
rtnl_changelink net/core/rtnetlink.c:3759 [inline]
__rtnl_newlink net/core/rtnetlink.c:3918 [inline]
rtnl_newlink+0x1446/0x2000 net/core/rtnetlink.c:4055
rtnetlink_rcv_msg+0x95b/0xe90 net/core/rtnetlink.c:6944
netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x58a/0x850 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:712 [inline]
__sock_sendmsg net/socket.c:727 [inline]
__sys_sendto+0x4a0/0x520 net/socket.c:2180
__do_sys_sendto net/socket.c:2187 [inline]
__se_sys_sendto net/socket.c:2183 [inline]
__x64_sys_sendto+0xe0/0x1c0 net/socket.c:2183
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6b2a1907bc
Code: 2a 5f 02 00 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 70 5f 02 00 48 8b
RSP: 002b:00007ffcd7f8e3b0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f6b2aee35c0 RCX: 00007f6b2a1907bc
RDX: 0000000000000030 RSI: 00007f6b2aee3610 RDI: 0000000000000006
RBP: 0000000000000000 R08: 00007ffcd7f8e404 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000006
R13: 0000000000000000 R14: 00007f6b2aee3610 R15: 0000000000000000
----------------
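Code disassembly (best guess), decoded from the Code: bytes of the interrupted lock_release+0x183 frame, not from the __queue_work WARNING site; the marked instruction is where the APIC timer interrupt arrived, and the WARNING itself is the <0f> 0b in the first Code: line: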
0: 0f c1 05 08 8d 38 12 xadd %eax,0x12388d08(%rip) # 0x12388d0f
7: 83 f8 01 cmp $0x1,%eax
a: 0f 85 1d 01 00 00 jne 0x12d
10: 9c pushf
11: 58 pop %rax
12: f6 c4 02 test $0x2,%ah
15: 0f 85 08 01 00 00 jne 0x123
1b: 41 f7 c5 00 02 00 00 test $0x200,%r13d
22: 74 01 je 0x25
24: fb sti
25: 48 8b 44 24 10 mov 0x10(%rsp),%rax
* 2a: 65 48 2b 05 1d 4b 38 sub %gs:0x12384b1d(%rip),%rax # 0x12384b4f <-- trapping instruction
31: 12
32: 0f 85 58 01 00 00 jne 0x190
38: 48 83 c4 18 add $0x18,%rsp
3c: 5b pop %rbx
3d: 41 5c pop %r12
3f: 41 rex.B