program:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r0, 0x400448cb, 0x0) (async)
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000000c0)=@newlink={0x20, 0x10, 0x503, 0x0, 0x0, {0x0, 0xcf, 0x0, 0x0, 0x3}}, 0x20}}, 0x0)
openat$snapshot(0xffffffffffffff9c, &(0x7f00000002c0), 0x40040, 0x0) (async)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="040e0402030c"], 0x7)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x12, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) (async)
r1 = socket$netlink(0x10, 0x3, 0x0) (async)
r2 = socket$nl_route(0x10, 0x3, 0x0)
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000140)='blkio.bfq.io_service_bytes\x00', 0x275a, 0x0)
fsetxattr$trusted_overlay_upper(r1, &(0x7f0000000240), &(0x7f0000000300)={0x0, 0xfb, 0x2d, 0x7, 0xd, "b1387e699a3fd5151518f6f6bb85dd13", "dd15603f81924a74c30a381e57777e864edd503015e1d33b"}, 0x2d, 0x3)
ioctl$FIBMAP(r3, 0x1, &(0x7f0000000080)=0x500)
r4 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
r5 = ioctl$KVM_CREATE_VM(r4, 0xae01, 0x0)
r6 = ioctl$KVM_CREATE_VCPU(r5, 0xae41, 0x0)
ioctl$KVM_SET_MSRS(r6, 0x4008ae89, &(0x7f00000004c0)={0x1, 0x0, [{0x40000003, 0x0, 0x7ff}]})
r7 = socket$netlink(0x10, 0x3, 0x0)
r8 = socket(0x10, 0x803, 0x0)
write$binfmt_elf64(r8, 0x0, 0x78)
getsockname$packet(r8, &(0x7f00000002c0)={0x11, 0x0, <r9=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$nl_route(r7, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000280)=ANY=[@ANYBLOB="48000000100003f700000000000000a7017e0142", @ANYRES32=r9, @ANYBLOB="0000400000000005280012000c00010076657468"], 0x48}}, 0x0) (async)
r10 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r10, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000001c0)=ANY=[@ANYBLOB="2000000014002101000000000000000002010000", @ANYRES32=r9, @ANYBLOB="08000200ac1414aa"], 0x20}}, 0x0) (async)
sendmsg$nl_route(r2, &(0x7f0000000740)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000700)=ANY=[@ANYBLOB="20000000140001000000000000000000020200c8", @ANYRES32=r9, @ANYBLOB], 0x20}, 0x1, 0x0, 0x0, 0x20040840}, 0x0)
sendmsg$nl_route(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000400)={&(0x7f0000000180)=@ipv4_deladdr={0x18, 0x15, 0x1, 0x0, 0x0, {0x2, 0x0, 0x0, 0x0, r9}}, 0x18}}, 0x0) (async)
bpf$PROG_LOAD_XDP(0x5, 0x0, 0x0) (async, rerun: 64)
faccessat2(0xffffffffffffff9c, &(0x7f0000000280)='./file0\x00', 0x3, 0x300) (async, rerun: 64)
sendmsg$nl_route_sched(r3, &(0x7f00000003c0)={&(0x7f0000000340)={0x10, 0x0, 0x0, 0x800000}, 0xc, &(0x7f0000000380)={&(0x7f0000000500)=@gettaction={0x94, 0x32, 0x709, 0x70bd2c, 0x25dfdbfe, {}, [@action_gd=@TCA_ACT_TAB={0x80, 0x1, [{0xc, 0x1, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x930}}, {0x10, 0x1f, 0x0, 0x0, @TCA_ACT_KIND={0xb, 0x1, 'sample\x00'}}, {0xc, 0x14, 0x0, 0x0, @TCA_ACT_KIND={0x8, 0x1, 'bpf\x00'}}, {0xc, 0xb, 0x0, 0x0, @TCA_ACT_KIND={0x7, 0x1, 'xt\x00'}}, {0xc, 0x13, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x5}}, {0x10, 0xa, 0x0, 0x0, @TCA_ACT_KIND={0xb, 0x1, 'mirred\x00'}}, {0x10, 0xd, 0x0, 0x0, @TCA_ACT_KIND={0xa, 0x1, 'pedit\x00'}}, {0x10, 0x1c, 0x0, 0x0, @TCA_ACT_KIND={0xb, 0x1, 'mirred\x00'}}, {0xc, 0x1d, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x6}}]}]}, 0x94}, 0x1, 0x0, 0x0, 0x24042088}, 0x805)

[   76.111963][ T5316] Bluetooth: hci0: command tx timeout
[   76.177631][ T5337] ------------[ cut here ]------------
[   76.180224][ T5337] workqueue: cannot queue hci_rx_work on wq hci0
[   76.183334][ T5337] WARNING: CPU: 0 PID: 5337 at kernel/workqueue.c:2258 __queue_work+0xd62/0xfe0
[   76.187361][ T5337] Modules linked in:
[   76.189137][ T5337] CPU: 0 UID: 0 PID: 5337 Comm: syz.0.0 Not tainted 6.16.0-rc6-syzkaller-00002-g155a3c003e55 #0 PREEMPT(full) 
[   76.194189][ T5337] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   76.199548][ T5337] RIP: 0010:__queue_work+0xd62/0xfe0
[   76.202251][ T5337] Code: 42 80 3c 20 00 74 08 4c 89 ef e8 89 d1 98 00 49 8b 75 00 49 81 c7 78 01 00 00 48 c7 c7 00 e9 89 8b 4c 89 fa e8 1f 34 f9 ff 90 <0f> 0b 90 90 e9 f1 f4 ff ff e8 40 51 35 00 90 0f 0b 90 e9 dd fc ff
[   76.210836][ T5337] RSP: 0018:ffffc9000d33fa68 EFLAGS: 00010046
[   76.213830][ T5337] RAX: 3e64c17da66a7400 RBX: 0000000000000000 RCX: ffff888032f32440
[   76.217784][ T5337] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
[   76.221309][ T5337] RBP: 1ffff11008842538 R08: ffff88801fc24293 R09: 1ffff11003f84852
[   76.224915][ T5337] R10: dffffc0000000000 R11: ffffed1003f84853 R12: dffffc0000000000
[   76.228770][ T5337] R13: ffff888032b2cad8 R14: ffff888032f32440 R15: ffff888044212978
[   76.233084][ T5337] FS:  00007f2731fb36c0(0000) GS:ffff88808d21b000(0000) knlGS:0000000000000000
[   76.237334][ T5337] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   76.240594][ T5337] CR2: 00007f2731fb2fc8 CR3: 00000000435f2000 CR4: 0000000000352ef0
[   76.244935][ T5337] Call Trace:
[   76.247206][ T5337]  <TASK>
[   76.248718][ T5337]  ? rcu_is_watching+0x15/0xb0
[   76.250839][ T5337]  queue_work_on+0x181/0x270
[   76.253045][ T5337]  ? lockdep_hardirqs_on+0x9c/0x150
[   76.255502][ T5337]  ? __pfx_queue_work_on+0x10/0x10
[   76.257792][ T5337]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   76.260335][ T5337]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   76.263034][ T5337]  ? skb_queue_tail+0x30/0xf0
[   76.265381][ T5337]  hci_recv_frame+0x5c9/0x720
[   76.267621][ T5337]  ? skb_pull+0xc1/0x1d0
[   76.269573][ T5337]  vhci_write+0x358/0x4a0
[   76.271518][ T5337]  vfs_write+0x54b/0xa90
[   76.273364][ T5337]  ? __pfx_vhci_write+0x10/0x10
[   76.275524][ T5337]  ? __pfx_vfs_write+0x10/0x10
[   76.277621][ T5337]  ? __fget_files+0x2a/0x420
[   76.279862][ T5337]  ksys_write+0x145/0x250
[   76.282045][ T5337]  ? __pfx_ksys_write+0x10/0x10
[   76.284501][ T5337]  ? do_syscall_64+0xbe/0x3b0
[   76.286695][ T5337]  do_syscall_64+0xfa/0x3b0
[   76.288674][ T5337]  ? lockdep_hardirqs_on+0x9c/0x150
[   76.291027][ T5337]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.293833][ T5337]  ? clear_bhb_loop+0x60/0xb0
[   76.295921][ T5337]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.298614][ T5337] RIP: 0033:0x7f2735b8d3df
[   76.300670][ T5337] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
[   76.309218][ T5337] RSP: 002b:00007f2731fb3000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[   76.313212][ T5337] RAX: ffffffffffffffda RBX: 00007f2735db6160 RCX: 00007f2735b8d3df
[   76.316857][ T5337] RDX: 0000000000000007 RSI: 00002000000000c0 RDI: 00000000000000ca
[   76.320283][ T5337] RBP: 00007f2735c10ca1 R08: 0000000000000000 R09: 0000000000000000
[   76.323741][ T5337] R10: 00002000000000c0 R11: 0000000000000293 R12: 0000000000000000
[   76.327536][ T5337] R13: 0000000000000001 R14: 00007f2735db6160 R15: 00007ffc08bf6568
[   76.331106][ T5337]  </TASK>
[   76.332514][ T5337] Kernel panic - not syncing: kernel: panic_on_warn set ...
[   76.335705][ T5337] CPU: 0 UID: 0 PID: 5337 Comm: syz.0.0 Not tainted 6.16.0-rc6-syzkaller-00002-g155a3c003e55 #0 PREEMPT(full) 
[   76.340721][ T5337] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   76.345661][ T5337] Call Trace:
[   76.347374][ T5337]  <TASK>
[   76.349004][ T5337]  dump_stack_lvl+0x99/0x250
[   76.351095][ T5337]  ? __asan_memcpy+0x40/0x70
[   76.353005][ T5337]  ? __pfx_dump_stack_lvl+0x10/0x10
[   76.355314][ T5337]  ? __pfx__printk+0x10/0x10
[   76.357475][ T5337]  panic+0x2db/0x790
[   76.359186][ T5337]  ? __pfx_panic+0x10/0x10
[   76.361291][ T5337]  ? show_trace_log_lvl+0x4fb/0x550
[   76.363597][ T5337]  __warn+0x31b/0x4b0
[   76.365385][ T5337]  ? __queue_work+0xd62/0xfe0
[   76.367386][ T5337]  ? __queue_work+0xd62/0xfe0
[   76.369450][ T5337]  report_bug+0x2be/0x4f0
[   76.371380][ T5337]  ? __queue_work+0xd62/0xfe0
[   76.373456][ T5337]  ? __queue_work+0xd62/0xfe0
[   76.375798][ T5337]  ? __queue_work+0xd64/0xfe0
[   76.377927][ T5337]  handle_bug+0x84/0x160
[   76.379883][ T5337]  exc_invalid_op+0x1a/0x50
[   76.382105][ T5337]  asm_exc_invalid_op+0x1a/0x20
[   76.384466][ T5337] RIP: 0010:__queue_work+0xd62/0xfe0
[   76.386828][ T5337] Code: 42 80 3c 20 00 74 08 4c 89 ef e8 89 d1 98 00 49 8b 75 00 49 81 c7 78 01 00 00 48 c7 c7 00 e9 89 8b 4c 89 fa e8 1f 34 f9 ff 90 <0f> 0b 90 90 e9 f1 f4 ff ff e8 40 51 35 00 90 0f 0b 90 e9 dd fc ff
[   76.395412][ T5337] RSP: 0018:ffffc9000d33fa68 EFLAGS: 00010046
[   76.398028][ T5337] RAX: 3e64c17da66a7400 RBX: 0000000000000000 RCX: ffff888032f32440
[   76.401770][ T5337] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
[   76.405144][ T5337] RBP: 1ffff11008842538 R08: ffff88801fc24293 R09: 1ffff11003f84852
[   76.408677][ T5337] R10: dffffc0000000000 R11: ffffed1003f84853 R12: dffffc0000000000
[   76.412297][ T5337] R13: ffff888032b2cad8 R14: ffff888032f32440 R15: ffff888044212978
[   76.415378][ T5337]  ? __queue_work+0xd61/0xfe0
[   76.417460][ T5337]  ? rcu_is_watching+0x15/0xb0
[   76.419605][ T5337]  queue_work_on+0x181/0x270
[   76.421742][ T5337]  ? lockdep_hardirqs_on+0x9c/0x150
[   76.424262][ T5337]  ? __pfx_queue_work_on+0x10/0x10
[   76.426202][ T5337]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   76.428495][ T5337]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   76.430928][ T5337]  ? skb_queue_tail+0x30/0xf0
[   76.433031][ T5337]  hci_recv_frame+0x5c9/0x720
[   76.435063][ T5337]  ? skb_pull+0xc1/0x1d0
[   76.436836][ T5337]  vhci_write+0x358/0x4a0
[   76.438661][ T5337]  vfs_write+0x54b/0xa90
[   76.440528][ T5337]  ? __pfx_vhci_write+0x10/0x10
[   76.442838][ T5337]  ? __pfx_vfs_write+0x10/0x10
[   76.445176][ T5337]  ? __fget_files+0x2a/0x420
[   76.447440][ T5337]  ksys_write+0x145/0x250
[   76.449187][ T5337]  ? __pfx_ksys_write+0x10/0x10
[   76.451228][ T5337]  ? do_syscall_64+0xbe/0x3b0
[   76.453184][ T5337]  do_syscall_64+0xfa/0x3b0
[   76.455101][ T5337]  ? lockdep_hardirqs_on+0x9c/0x150
[   76.457375][ T5337]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.459895][ T5337]  ? clear_bhb_loop+0x60/0xb0
[   76.462040][ T5337]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.464740][ T5337] RIP: 0033:0x7f2735b8d3df
[   76.466682][ T5337] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
[   76.475042][ T5337] RSP: 002b:00007f2731fb3000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[   76.478546][ T5337] RAX: ffffffffffffffda RBX: 00007f2735db6160 RCX: 00007f2735b8d3df
[   76.482184][ T5337] RDX: 0000000000000007 RSI: 00002000000000c0 RDI: 00000000000000ca
[   76.485572][ T5337] RBP: 00007f2735c10ca1 R08: 0000000000000000 R09: 0000000000000000
[   76.489336][ T5337] R10: 00002000000000c0 R11: 0000000000000293 R12: 0000000000000000
[   76.493027][ T5337] R13: 0000000000000001 R14: 00007f2735db6160 R15: 00007ffc08bf6568
[   76.496229][ T5337]  </TASK>
[   76.497736][ T5337] Kernel Offset: disabled
[   76.499672][ T5337] Rebooting in 86400 seconds..