program:
# Two raw netlink sockets (AF_NETLINK 0x10, SOCK_RAW 0x3) bound to NETLINK_NETFILTER (0xc).
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
# nftables batch on r1: DELSETELEM, NEWCHAIN and NEWRULE (exthdr + bitwise expressions with
# verdict data) naming tables/sets/chains syz0..syz2. No NEWTABLE appears before this call in
# the program, so the batch presumably fails against missing objects (TODO confirm).
# NOTE(review): the kernel log in this report shows no nf_tables activity; this call is
# likely fuzzer noise rather than part of the Bluetooth refcount warning. Minimize to confirm.
sendmsg$NFT_BATCH(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000340)={{0x14, 0x10, 0x1, 0x0, 0x0, {0x1}}, [@NFT_MSG_DELSETELEM={0x48, 0xe, 0xa, 0x101, 0x0, 0x0, {0xa, 0x0, 0xa}, [@NFTA_SET_ELEM_LIST_SET_ID={0x8, 0x4, 0x1, 0x0, 0x1}, @NFTA_SET_ELEM_LIST_SET_ID={0x8, 0x4, 0x1, 0x0, 0x3}, @NFTA_SET_ELEM_LIST_SET={0x9, 0x2, 'syz0\x00'}, @NFTA_SET_ELEM_LIST_TABLE={0x9, 0x1, 'syz1\x00'}, @NFTA_SET_ELEM_LIST_SET={0x9, 0x2, 'syz2\x00'}]}, @NFT_MSG_NEWCHAIN={0x2c, 0x3, 0xa, 0x101, 0x0, 0x0, {0x1}, [@NFTA_CHAIN_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_CHAIN_NAME={0x9, 0x3, 'syz2\x00'}]}, @NFT_MSG_NEWRULE={0xfc, 0x6, 0xa, 0x401, 0x0, 0x0, {0x3}, [@NFTA_RULE_CHAIN_ID={0x8}, @NFTA_RULE_EXPRESSIONS={0xd4, 0x4, 0x0, 0x1, [{0x34, 0x1, 0x0, 0x1, @exthdr={{0xb}, @val={0x24, 0x2, 0x0, 0x1, [@NFTA_EXTHDR_DREG={0x8, 0x1, 0x1, 0x0, 0xc}, @NFTA_EXTHDR_OFFSET={0x8}, @NFTA_EXTHDR_LEN={0x8, 0x4, 0x1, 0x0, 0x22}, @NFTA_EXTHDR_TYPE={0x5, 0x2, 0x7}]}}}, {0x9c, 0x1, 0x0, 0x1, @bitwise={{0xc}, @val={0x8c, 0x2, 0x0, 0x1, [@NFTA_BITWISE_LEN={0x8, 0x3, 0x1, 0x0, 0x2}, @NFTA_BITWISE_SREG={0x8, 0x1, 0x1, 0x0, 0x14}, @NFTA_BITWISE_DREG={0x8, 0x2, 0x1, 0x0, 0x12}, @NFTA_BITWISE_DATA={0x70, 0x7, 0x0, 0x1, [@NFTA_DATA_VERDICT={0x20, 0x2, 0x0, 0x1, [@NFTA_VERDICT_CODE={0x8, 0x1, 0x0, 0x1, 0xfffffffffffffffe}, @NFTA_VERDICT_CHAIN_ID={0x8, 0x3, 0x1, 0x0, 0x2}, @NFTA_VERDICT_CHAIN={0x9, 0x2, 'syz2\x00'}]}, @NFTA_DATA_VERDICT={0x38, 0x2, 0x0, 0x1, [@NFTA_VERDICT_CHAIN={0x9, 0x2, 'syz1\x00'}, @NFTA_VERDICT_CHAIN_ID={0x8, 0x3, 0x1, 0x0, 0x1}, @NFTA_VERDICT_CODE={0x8, 0x1, 0x0, 0x1, 0xfffffffffffffffd}, @NFTA_VERDICT_CODE={0x8, 0x1, 0x0, 0x1, 0xffffffffffffffff}, @NFTA_VERDICT_CODE={0x8, 0x1, 0x0, 0x1, 0xfffffffffffffffe}, @NFTA_VERDICT_CHAIN_ID={0x8, 0x3, 0x1, 0x0, 0x2}]}, @NFTA_DATA_VERDICT={0x14, 0x2, 0x0, 0x1, [@NFTA_VERDICT_CODE={0x8, 0x1, 0x0, 0x1, 0xfffffffffffffffd}, @NFTA_VERDICT_CODE={0x8}]}]}]}}}]}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}]}], {0x14, 0x11, 0x1, 0x0, 0x0, {0x7}}}, 0x198}, 
0x1, 0x0, 0x0, 0x20004040}, 0x0)
# AF_XDP (0x2c) raw socket; r2 is later passed to pidfd_getfd as both pidfd and target fd.
r2 = socket$xdp(0x2c, 0x3, 0x0)
# XDP_UMEM_REG (level 0x11b, option 0x4): the registration struct declares a 0x1013000-byte
# region with 0x800-byte chunks, while the buffer expression here is only ""/7.
# NOTE(review): presumably unrelated to the Bluetooth warning in the log (TODO confirm).
setsockopt$XDP_UMEM_REG(r2, 0x11b, 0x4, &(0x7f0000000140)={&(0x7f0000000100)=""/7, 0x1013000, 0x800, 0x0, 0x3}, 0x20)
# nftables batch on r0: NEWTABLE 'syz0', NEWCHAIN 'syz2' carrying a hook attribute
# (hooknum 0x3), and a NEWRULE whose single expression is an xfrm lookup
# (NFTA_XFRM_KEY 0x3, NFTA_XFRM_DIR 0x1) writing to register 0x14.
# NOTE(review): no nf_tables output appears in the kernel log of this report; whether this
# batch is needed to reach the hci_conn_timeout warning is not established (minimize to confirm).
sendmsg$NFT_BATCH(r0, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000680)={{0x14}, [@NFT_MSG_NEWTABLE={0x20, 0x0, 0xa, 0x301, 0x0, 0x0, {0x1, 0x0, 0x7}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz0\x00'}]}, @NFT_MSG_NEWCHAIN={0x40, 0x3, 0xa, 0x801, 0x0, 0x0, {0x1}, [@NFTA_CHAIN_NAME={0x9, 0x3, 'syz2\x00'}, @NFTA_CHAIN_HOOK={0x14, 0x4, 0x0, 0x1, [@NFTA_HOOK_PRIORITY={0x8}, @NFTA_HOOK_HOOKNUM={0x8, 0x1, 0x1, 0x0, 0x3}]}, @NFTA_CHAIN_TABLE={0x9, 0x1, 'syz0\x00'}]}, @NFT_MSG_NEWRULE={0x58, 0x6, 0xa, 0x401, 0x0, 0x0, {0x1}, [@NFTA_RULE_CHAIN_ID={0x8}, @NFTA_RULE_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_RULE_EXPRESSIONS={0x30, 0x4, 0x0, 0x1, [{0x2c, 0x1, 0x0, 0x1, @xfrm={{0x9}, @val={0x1c, 0x2, 0x0, 0x1, [@NFTA_XFRM_DREG={0x8, 0x1, 0x1, 0x0, 0x14}, @NFTA_XFRM_KEY={0x8, 0x2, 0x1, 0x0, 0x3}, @NFTA_XFRM_DIR={0x5, 0x3, 0x1}]}}}]}]}], {0x14}}, 0xe0}, 0x1, 0x0, 0x0, 0x4000000}, 0x0)
# PF_KEY socket (AF_KEY 0xf, SOCK_RAW 0x3, PF_KEY_V2 0x2) used to talk to the IPsec key engine.
r3 = socket$key(0xf, 0x3, 0x2)
# PF_KEY message carrying one sadb_sa and two sadb_address extensions (0x50 bytes declared).
sendmsg$key(r3, &(0x7f0000000000)={0x500, 0x0, &(0x7f0000000040)={&(0x7f0000000180)={0x2, 0x400000000000003, 0x0, 0x9, 0xa, 0x0, 0x0, 0x0, [@sadb_address={0x3, 0x6, 0x0, 0x0, 0x0, @in={0x2, 0x0, @dev}}, @sadb_sa={0x2, 0x1, 0x0, 0x0, 0x0, 0x0, 0x2, 0xfbffffff}, @sadb_address={0x3, 0x5, 0x0, 0x0, 0x0, @in={0x2, 0x0, @empty}}]}, 0x50}}, 0x0)
# TCP-type IPv6 socket (AF_INET6 0xa, SOCK_STREAM 0x1).
r4 = socket$inet6(0xa, 0x1, 0x0)
# Per-socket xfrm policy: level 0x29 (IPPROTO_IPV6), option 0x23 (IPV6_XFRM_POLICY), 0xe8 bytes.
setsockopt$inet6_IPV6_XFRM_POLICY(r4, 0x29, 0x23, &(0x7f0000000180)={{{@in=@private, @in6=@dev, 0x0, 0x0, 0x0, 0x0, 0x2}, {}, {}, 0x0, 0x0, 0x1}, {{@in=@local, 0x0, 0x6c}, 0x0, @in6=@loopback, 0x0, 0x0, 0x0, 0x4}}, 0xe8)
# Connect to an IPv4-mapped IPv6 address (::ffff:<dev>) with port 0.
# NOTE(review): the IPsec/xfrm calls in this group leave no trace in the kernel log of this
# report; presumably not required for the Bluetooth warning (TODO confirm by minimizing).
connect$inet6(r4, &(0x7f0000000000)={0xa, 0x0, 0x0, @ipv4={'\x00', '\xff\xff', @dev}}, 0x1c)
# NBD connect request on fd 0xffffffffffffffff (-1) with a NULL msghdr: cannot reach a socket.
sendmsg$NBD_CMD_CONNECT(0xffffffffffffffff, 0x0, 0x0)
# First virtual-HCI injection: data pointer is 0x0 with a declared length of 0xe.
# How the pseudo-syscall treats a NULL buffer is not visible here (TODO confirm).
syz_emit_vhci(0x0, 0xe)
# r2 is an AF_XDP socket, not a pidfd, so this call is expected to fail and leave r5
# without a usable descriptor (assumption; verify against the executor's behaviour).
r5 = pidfd_getfd(r2, r2, 0x0)
# Writes the 27-byte (0x1b) 6LoWPAN control command string to r5; whether it reaches the
# Bluetooth 6LoWPAN control file depends on what r5 actually refers to (see above).
write$6lowpan_control(r5, &(0x7f0000000280)='connect aa:aa:aa:aa:aa:10 2', 0x1b)
# Emulated USB HID device with only the first 8 bytes of a device descriptor supplied.
# The kernel log of this report shows the matching dummy_hcd enumeration failing with
# "no configurations" / "can't read configurations, error -22".
syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000300)=ANY=[@ANYBLOB="1201010200000040"], 0x0)
# Raw IPv4 socket for IGMP (AF_INET 0x2, SOCK_RAW 0x3, IPPROTO_IGMP 0x2): multicast routing control.
r6 = socket$igmp(0x2, 0x3, 0x2)
# MRT_INIT (option 0xc8) enables the multicast routing daemon role on this socket.
setsockopt$MRT_INIT(r6, 0x0, 0xc8, &(0x7f0000000240), 0x4)
# MRT_ADD_VIF (option 0xca) with vif index 0x8; this matches the "dvmrp8: entered/left
# allmulticast mode" lines in the kernel log of this report.
# NOTE(review): multicast-routing side effect only; presumably unrelated to the Bluetooth
# refcount warning (TODO confirm).
setsockopt$MRT_ADD_VIF(r6, 0x0, 0xca, &(0x7f00000000c0)={0x8, 0x1, 0x0, 0x4, @vifc_lcl_addr=@dev={0xac, 0x14, 0x14, 0x13}, @multicast1=0xe0000300}, 0x10)
# Generic netlink socket (AF_NETLINK 0x10, SOCK_RAW 0x3, NETLINK_GENERIC 0x10).
r7 = socket$nl_generic(0x10, 0x3, 0x10)
# Resolve the l2tp generic-netlink family id; the fd argument is -1, so the helper is
# presumably expected to open its own socket (TODO confirm).
r8 = syz_genetlink_get_family_id$l2tp(&(0x7f0000000140), 0xffffffffffffffff)
# Plain netlink socket whose fd is handed to the tunnel-create request as L2TP_ATTR_FD.
r9 = socket(0x10, 0x3, 0x0)
# L2TP tunnel create on r7 with mostly zero-valued attributes and r9 as the tunnel socket.
sendmsg$L2TP_CMD_TUNNEL_CREATE(r7, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000040)={0x3c, r8, 0x923, 0x0, 0x0, {}, [@L2TP_ATTR_PROTO_VERSION={0x5}, @L2TP_ATTR_CONN_ID={0x8}, @L2TP_ATTR_ENCAP_TYPE={0x6}, @L2TP_ATTR_PEER_CONN_ID={0x8}, @L2TP_ATTR_FD={0x8, 0x17, @l2tp=r9}]}, 0x3c}}, 0x0)
# L2TP session delete sent on r5 (the pidfd_getfd result), naming interface 'ip_vti0'.
# NOTE(review): r5 is not a netlink socket created by this program, so this request
# presumably never reaches the l2tp family (TODO confirm).
sendmsg$L2TP_CMD_SESSION_DELETE(r5, &(0x7f00000005c0)={&(0x7f00000002c0)={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f0000000580)={&(0x7f0000000500)={0x28, r8, 0x100, 0x70bd2d, 0x25dfdbfb, {}, [@L2TP_ATTR_IFNAME={0x14, 0x8, 'ip_vti0\x00'}]}, 0x28}, 0x1, 0x0, 0x0, 0x8000080}, 0x8040)
# Three HCI event packets injected into the virtual controller (first byte 0x04 = HCI event).
# Only the leading bytes of each packet are given; the rest of the declared length is
# presumably zero-filled (TODO confirm against the executor).
# These calls, plus the earlier syz_emit_vhci(0x0, 0xe), are the only Bluetooth controller
# input in this program, so the "refcnt < 0" WARNING at hci_conn_timeout in the kernel log
# (hci0 workqueue) is presumably reached through this event sequence. Minimize to confirm.
# The log also shows panic_on_warn set, which is why the WARNING ends in a kernel panic.
#
# Event 0x3e (LE Meta), parameter length 0x1f, subevent 0x0a (LE Enhanced Connection Complete).
syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22)
# Event 0x0b (Read Remote Supported Features Complete).
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="040b"], 0xe)
# Event 0x06 (Authentication Complete) with total length 0x7; the kernel log reports it as
# "unexpected event 0x06 length: 4 > 3", i.e. one parameter byte more than expected.
syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0406"], 0x7)
[ 92.151527][ T4661] Bluetooth: hci0: command tx timeout
[ 92.160905][ T53] cfg80211: failed to load regulatory.db
[ 92.633367][ T1351] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 92.797497][ T5318] dvmrp8: entered allmulticast mode
[ 92.812252][ T5293] Bluetooth: hci0: unexpected event 0x06 length: 4 > 3
[ 92.814524][ T5317] dvmrp8: left allmulticast mode
[ 94.183494][ T5293] Bluetooth: hci0: command tx timeout
[ 94.307098][ T1351] usb 5-1: unable to get BOS descriptor or descriptor too short
[ 94.310443][ T1351] usb 5-1: no configurations
[ 94.320620][ T1351] usb 5-1: can't read configurations, error -22
[ 94.824666][ T4661] ------------[ cut here ]------------
[ 94.827232][ T4661] refcnt < 0
[ 94.827243][ T4661] WARNING: net/bluetooth/hci_conn.c:567 at hci_conn_timeout+0xff/0x2c0, CPU#0: kworker/u5:1/4661
[ 94.833523][ T4661] Modules linked in:
[ 94.835401][ T4661] CPU: 0 UID: 0 PID: 4661 Comm: kworker/u5:1 Not tainted syzkaller #0 PREEMPT(full)
[ 94.839130][ T4661] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 94.843578][ T4661] Workqueue: hci0 hci_conn_timeout
[ 94.845875][ T4661] RIP: 0010:hci_conn_timeout+0xff/0x2c0
[ 94.848354][ T4661] Code: 48 89 df e8 73 99 09 00 eb 07 e8 2c 9c 2e f7 b0 13 0f b6 f0 48 89 df 5b 41 5c 41 5e 41 5f 5d e9 87 a8 fe ff e8 12 9c 2e f7 90 <0f> 0b 90 eb 8c 44 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 31 ff ff ff
[ 94.856454][ T4661] RSP: 0018:ffffc9000f3a7ad0 EFLAGS: 00010293
[ 94.858867][ T4661] RAX: ffffffff8a95ae5e RBX: ffff888041a04000 RCX: ffff888036b08000
[ 94.862134][ T4661] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000000
[ 94.865458][ T4661] RBP: 00000000ffffffff R08: ffff888041a04013 R09: 1ffff11008340802
[ 94.868761][ T4661] R10: dffffc0000000000 R11: ffffed1008340803 R12: dffffc0000000000
[ 94.872193][ T4661] R13: ffff88801b784e18 R14: ffff888041a04a40 R15: ffff888041a04010
[ 94.875801][ T4661] FS: 0000000000000000(0000) GS:ffff88808caa3000(0000) knlGS:0000000000000000
[ 94.879580][ T4661] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 94.882450][ T4661] CR2: 00007ffca9ad2c74 CR3: 00000000375cd000 CR4: 0000000000352ef0
[ 94.886045][ T4661] Call Trace:
[ 94.887499][ T4661]
[ 94.888814][ T4661] ? process_scheduled_works+0xa0f/0x17a0
[ 94.891352][ T4661] process_scheduled_works+0xaec/0x17a0
[ 94.893756][ T4661] ? __pfx_process_scheduled_works+0x10/0x10
[ 94.896504][ T4661] ? assign_work+0x3d5/0x5e0
[ 94.898591][ T4661] worker_thread+0xa50/0xfc0
[ 94.900677][ T4661] kthread+0x388/0x470
[ 94.902423][ T4661] ? __pfx_worker_thread+0x10/0x10
[ 94.904728][ T4661] ? __pfx_kthread+0x10/0x10
[ 94.906578][ T4661] ret_from_fork+0x51e/0xb90
[ 94.908680][ T4661] ? __pfx_ret_from_fork+0x10/0x10
[ 94.910814][ T4661] ? __switch_to+0xc7d/0x1400
[ 94.913293][ T4661] ? __pfx_kthread+0x10/0x10
[ 94.915330][ T4661] ret_from_fork_asm+0x1a/0x30
[ 94.917408][ T4661]
[ 94.918775][ T4661] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 94.921774][ T4661] CPU: 0 UID: 0 PID: 4661 Comm: kworker/u5:1 Not tainted syzkaller #0 PREEMPT(full)
[ 94.925654][ T4661] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 94.930041][ T4661] Workqueue: hci0 hci_conn_timeout
[ 94.932309][ T4661] Call Trace:
[ 94.933796][ T4661]
[ 94.935122][ T4661] vpanic+0x1e0/0x670
[ 94.936919][ T4661] panic+0xc5/0xd0
[ 94.938573][ T4661] ? __pfx_panic+0x10/0x10
[ 94.940487][ T4661] ? ret_from_fork_asm+0x1a/0x30
[ 94.942651][ T4661] __warn+0x315/0x4a0
[ 94.944486][ T4661] ? hci_conn_timeout+0xff/0x2c0
[ 94.946754][ T4661] ? hci_conn_timeout+0xff/0x2c0
[ 94.948993][ T4661] __report_bug+0x29a/0x540
[ 94.951011][ T4661] ? hci_conn_timeout+0xff/0x2c0
[ 94.953106][ T4661] ? __pfx___report_bug+0x10/0x10
[ 94.955375][ T4661] ? add_lock_to_list+0xc7/0x100
[ 94.957618][ T4661] ? lockdep_unlock+0x5d/0xd0
[ 94.959685][ T4661] ? __lock_acquire+0x146e/0x2cf0
[ 94.961835][ T4661] ? do_raw_spin_lock+0x12b/0x2f0
[ 94.964050][ T4661] ? hci_conn_timeout+0xff/0x2c0
[ 94.966278][ T4661] report_bug+0x16a/0x220
[ 94.968140][ T4661] ? hci_conn_timeout+0xff/0x2c0
[ 94.970310][ T4661] ? hci_conn_timeout+0x101/0x2c0
[ 94.972557][ T4661] handle_bug+0x98/0x200
[ 94.974471][ T4661] exc_invalid_op+0x1a/0x50
[ 94.976522][ T4661] asm_exc_invalid_op+0x1a/0x20
[ 94.978675][ T4661] RIP: 0010:hci_conn_timeout+0xff/0x2c0
[ 94.981115][ T4661] Code: 48 89 df e8 73 99 09 00 eb 07 e8 2c 9c 2e f7 b0 13 0f b6 f0 48 89 df 5b 41 5c 41 5e 41 5f 5d e9 87 a8 fe ff e8 12 9c 2e f7 90 <0f> 0b 90 eb 8c 44 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 31 ff ff ff
[ 94.990070][ T4661] RSP: 0018:ffffc9000f3a7ad0 EFLAGS: 00010293
[ 94.992718][ T4661] RAX: ffffffff8a95ae5e RBX: ffff888041a04000 RCX: ffff888036b08000
[ 94.996139][ T4661] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000000
[ 94.999581][ T4661] RBP: 00000000ffffffff R08: ffff888041a04013 R09: 1ffff11008340802
[ 95.003028][ T4661] R10: dffffc0000000000 R11: ffffed1008340803 R12: dffffc0000000000
[ 95.006459][ T4661] R13: ffff88801b784e18 R14: ffff888041a04a40 R15: ffff888041a04010
[ 95.010241][ T4661] ? hci_conn_timeout+0xfe/0x2c0
[ 95.012487][ T4661] ? process_scheduled_works+0xa0f/0x17a0
[ 95.014978][ T4661] process_scheduled_works+0xaec/0x17a0
[ 95.017360][ T4661] ? __pfx_process_scheduled_works+0x10/0x10
[ 95.019926][ T4661] ? assign_work+0x3d5/0x5e0
[ 95.021824][ T4661] worker_thread+0xa50/0xfc0
[ 95.023786][ T4661] kthread+0x388/0x470
[ 95.025538][ T4661] ? __pfx_worker_thread+0x10/0x10
[ 95.027763][ T4661] ? __pfx_kthread+0x10/0x10
[ 95.029697][ T4661] ret_from_fork+0x51e/0xb90
[ 95.031733][ T4661] ? __pfx_ret_from_fork+0x10/0x10
[ 95.033922][ T4661] ? __switch_to+0xc7d/0x1400
[ 95.036026][ T4661] ? __pfx_kthread+0x10/0x10
[ 95.037953][ T4661] ret_from_fork_asm+0x1a/0x30
[ 95.039912][ T4661]
[ 95.041534][ T4661] Kernel Offset: disabled
[ 95.043366][ T4661] Rebooting in 86400 seconds..