program:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r0, 0x400448ca, 0x0)
r1 = socket$unix(0x1, 0x2, 0x0)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f00000000c0), 0xffffffffffffffff)
r3 = socket$kcm(0x10, 0x3, 0x0)
sendmsg$kcm(r3, &(0x7f0000000600)={0x0, 0xc, &(0x7f0000000000)=[{&(0x7f0000000080)="2e00000010008188e6b62aa73772cc9f1ba1f848480000005e140602000000000e000a000f000000028000001294", 0x2e}], 0x1}, 0x0)
syz_80211_join_ibss(&(0x7f0000000100)='wlan1\x00', &(0x7f0000000180)=@default_ibss_ssid, 0x6, 0x2)
ioctl$sock_SIOCGIFINDEX_80211(r1, 0x8933, &(0x7f0000000140)={'wlan1\x00', <r4=>0x0})
sendmsg$NL80211_CMD_NEW_INTERFACE(0xffffffffffffffff, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000340)={0x50, r2, 0x1, 0x70bd28, 0x25dfdbfd, {{}, {@void, @val={0x8, 0x3, r4}, @val={0xc, 0x99, {0x7ff, 0x78}}}}, [@NL80211_ATTR_IFNAME={0x14, 0x4, 'syzkaller0\x00'}, @NL80211_ATTR_IFTYPE={0x8, 0x5, 0x7}, @NL80211_ATTR_MESH_ID={0xa}]}, 0x50}, 0x1, 0x0, 0x0, 0x91}, 0x24044884)
r5 = openat$tun(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
close(r5)
socket$nl_netfilter(0x10, 0x3, 0xc)
ioctl$SIOCSIFHWADDR(r5, 0x8914, &(0x7f0000002280)={'syzkaller0\x00', @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}})
r6 = openat$rfkill(0xffffffffffffff9c, &(0x7f0000000040), 0x801, 0x0)
write$rfkill(r6, &(0x7f0000000080)={0x0, 0x0, 0x3, 0x1}, 0x8)

[   84.736749][    C0] ------------[ cut here ]------------
[   84.739641][    C0] workqueue: cannot queue hci_cmd_timeout on wq hci0
[   84.742857][    C0] WARNING: kernel/workqueue.c:2271 at __queue_work+0xd53/0x1020, CPU#0: syz.0.0/5321
[   84.746921][    C0] Modules linked in:
[   84.748705][    C0] CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   84.752568][    C0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   84.757056][    C0] RIP: 0010:__queue_work+0xd7e/0x1020
[   84.759407][    C0] Code: 83 c5 18 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef e8 23 f6 a3 00 49 8b 75 00 49 81 c7 78 01 00 00 4c 89 f7 4c 89 fa <67> 48 0f b9 3a 48 83 c4 58 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc
[   84.767310][    C0] RSP: 0018:ffffc90000007c10 EFLAGS: 00010086
[   84.769880][    C0] RAX: 1ffff110075a8151 RBX: 0000000000000008 RCX: ffff888034e0c900
[   84.773252][    C0] RDX: ffff88804165e978 RSI: ffffffff8aa04680 RDI: ffffffff90148d90
[   84.776732][    C0] RBP: 0000000000000100 R08: ffffffff901197b7 R09: 1ffffffff20232f6
[   84.780153][    C0] R10: dffffc0000000000 R11: ffffffff818d6390 R12: dffffc0000000000
[   84.783423][    C0] R13: ffff88803ad40a88 R14: ffffffff90148d90 R15: ffff88804165e978
[   84.786788][    C0] FS:  00007f2791a656c0(0000) GS:ffff88808ca5b000(0000) knlGS:0000000000000000
[   84.790536][    C0] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   84.793422][    C0] CR2: 00007fd3eb836fb3 CR3: 0000000040db6000 CR4: 0000000000352ef0
[   84.797035][    C0] Call Trace:
[   84.798586][    C0]  <IRQ>
[   84.799895][    C0]  call_timer_fn+0x192/0x640
[   84.801972][    C0]  ? __pfx_delayed_work_timer_fn+0x10/0x10
[   84.804601][    C0]  ? call_timer_fn+0xd4/0x640
[   84.806767][    C0]  ? __pfx_call_timer_fn+0x10/0x10
[   84.809055][    C0]  ? do_raw_spin_unlock+0x4d/0x210
[   84.811286][    C0]  ? __pfx_delayed_work_timer_fn+0x10/0x10
[   84.813644][    C0]  __run_timer_base+0x67e/0x8b0
[   84.815975][    C0]  ? ktime_get+0x45/0x200
[   84.817770][    C0]  ? __pfx___run_timer_base+0x10/0x10
[   84.820095][    C0]  run_timer_softirq+0xb7/0x170
[   84.822387][    C0]  handle_softirqs+0x22a/0x870
[   84.824481][    C0]  ? __irq_exit_rcu+0x5f/0x150
[   84.826799][    C0]  __irq_exit_rcu+0x5f/0x150
[   84.828933][    C0]  irq_exit_rcu+0x9/0x30
[   84.830840][    C0]  sysvec_apic_timer_interrupt+0xa6/0xc0
[   84.833561][    C0]  </IRQ>
[   84.834979][    C0]  <TASK>
[   84.836273][    C0]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
[   84.838818][    C0] RIP: 0010:lock_acquire+0x20b/0x2e0
[   84.841045][    C0] Code: e9 30 ff ff ff e8 65 95 0d 0a f7 c3 00 02 00 00 0f 84 38 ff ff ff 65 48 8b 05 e1 d2 7a 11 48 3b 44 24 30 75 33 fb 48 83 c4 38 <5b> 41 5c 41 5d 41 5e 41 5f 5d e9 c6 7b 10 0a cc 48 8d 3d 9e 6d 73
[   84.849152][    C0] RSP: 0018:ffffc9000dc0f908 EFLAGS: 00000282
[   84.851706][    C0] RAX: 02113ab1b9672600 RBX: 0000000000000246 RCX: 0000000000000046
[   84.855329][    C0] RDX: 0000000000000001 RSI: ffffffff8e165850 RDI: ffffffff8c27bb80
[   84.858770][    C0] RBP: 0000000000000000 R08: 0000000000000008 R09: ffffffff9640b888
[   84.862403][    C0] R10: 00000000d4dbf0a9 R11: 00000000b37f1782 R12: 0000000000000000
[   84.866125][    C0] R13: ffff88804165e948 R14: 0000000000000000 R15: 0000000000000001
[   84.869773][    C0]  ? touch_wq_lockdep_map+0xb5/0x180
[   84.871967][    C0]  touch_wq_lockdep_map+0xcb/0x180
[   84.874091][    C0]  ? touch_wq_lockdep_map+0xb5/0x180
[   84.876564][    C0]  __flush_workqueue+0x14b/0x14f0
[   84.878767][    C0]  ? drain_workqueue+0xb1/0x390
[   84.881051][    C0]  ? __pfx___flush_workqueue+0x10/0x10
[   84.883962][    C0]  drain_workqueue+0xd3/0x390
[   84.886342][    C0]  hci_dev_close_sync+0x62f/0x10e0
[   84.888608][    C0]  ? __pfx_hci_dev_close_sync+0x10/0x10
[   84.891006][    C0]  ? lockdep_hardirqs_on+0x7a/0x110
[   84.893411][    C0]  ? enable_work+0x1fd/0x230
[   84.895360][    C0]  hci_dev_close+0x108/0x260
[   84.897188][    C0]  sock_do_ioctl+0x101/0x320
[   84.899417][    C0]  ? __pfx_sock_do_ioctl+0x10/0x10
[   84.901753][    C0]  ? do_futex+0x395/0x420
[   84.903708][    C0]  sock_ioctl+0x5c6/0x7f0
[   84.905622][    C0]  ? __pfx_sock_ioctl+0x10/0x10
[   84.907759][    C0]  ? __fget_files+0x2a/0x420
[   84.909810][    C0]  ? __fget_files+0x3a0/0x420
[   84.911996][    C0]  ? __fget_files+0x2a/0x420
[   84.914071][    C0]  ? bpf_lsm_file_ioctl+0x9/0x20
[   84.916298][    C0]  ? __pfx_sock_ioctl+0x10/0x10
[   84.918356][    C0]  __se_sys_ioctl+0xfc/0x170
[   84.920408][    C0]  do_syscall_64+0x14d/0xf80
[   84.922696][    C0]  ? trace_irq_disable+0x3b/0x150
[   84.925082][    C0]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.927811][    C0]  ? clear_bhb_loop+0x40/0x90
[   84.929981][    C0]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   84.932602][    C0] RIP: 0033:0x7f2790b9c629
[   84.934637][    C0] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[   84.942763][    C0] RSP: 002b:00007f2791a65028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   84.946423][    C0] RAX: ffffffffffffffda RBX: 00007f2790e15fa0 RCX: 00007f2790b9c629
[   84.949772][    C0] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000004
[   84.953215][    C0] RBP: 00007f2790c32b39 R08: 0000000000000000 R09: 0000000000000000
[   84.956637][    C0] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   84.960579][    C0] R13: 00007f2790e16038 R14: 00007f2790e15fa0 R15: 00007fffaabe5038
[   84.964874][    C0]  </TASK>
[   84.966621][    C0] Kernel panic - not syncing: kernel: panic_on_warn set ...
[   84.970605][    C0] CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   84.975354][    C0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   84.979504][    C0] Call Trace:
[   84.981038][    C0]  <IRQ>
[   84.982343][    C0]  vpanic+0x56c/0xa60
[   84.984079][    C0]  ? __pfx__printk+0x10/0x10
[   84.986233][    C0]  ? __pfx_vpanic+0x10/0x10
[   84.988245][    C0]  ? is_bpf_text_address+0x292/0x2b0
[   84.990446][    C0]  ? is_bpf_text_address+0x26/0x2b0
[   84.992755][    C0]  panic+0xc5/0xd0
[   84.994409][    C0]  ? __pfx_panic+0x10/0x10
[   84.996467][    C0]  __warn+0x315/0x4f0
[   84.998300][    C0]  ? __queue_work+0xd53/0x1020
[   85.000394][    C0]  ? __queue_work+0xd53/0x1020
[   85.002511][    C0]  __report_bug+0x29a/0x540
[   85.004502][    C0]  ? __queue_work+0xd53/0x1020
[   85.006681][    C0]  ? __pfx___report_bug+0x10/0x10
[   85.008860][    C0]  ? __pfx_hci_cmd_timeout+0x10/0x10
[   85.011223][    C0]  ? look_up_lock_class+0x57/0x110
[   85.013289][    C0]  ? register_lock_class+0x31/0x2e0
[   85.015411][    C0]  report_bug_entry+0x19a/0x290
[   85.017391][    C0]  ? __queue_work+0xd7e/0x1020
[   85.019250][    C0]  ? __queue_work+0xd83/0x1020
[   85.021184][    C0]  handle_bug+0xca/0x200
[   85.022943][    C0]  exc_invalid_op+0x1a/0x50
[   85.024969][    C0]  asm_exc_invalid_op+0x1a/0x20
[   85.026901][    C0] RIP: 0010:__queue_work+0xd7e/0x1020
[   85.029346][    C0] Code: 83 c5 18 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef e8 23 f6 a3 00 49 8b 75 00 49 81 c7 78 01 00 00 4c 89 f7 4c 89 fa <67> 48 0f b9 3a 48 83 c4 58 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc
[   85.037735][    C0] RSP: 0018:ffffc90000007c10 EFLAGS: 00010086
[   85.040435][    C0] RAX: 1ffff110075a8151 RBX: 0000000000000008 RCX: ffff888034e0c900
[   85.043635][    C0] RDX: ffff88804165e978 RSI: ffffffff8aa04680 RDI: ffffffff90148d90
[   85.047018][    C0] RBP: 0000000000000100 R08: ffffffff901197b7 R09: 1ffffffff20232f6
[   85.050259][    C0] R10: dffffc0000000000 R11: ffffffff818d6390 R12: dffffc0000000000
[   85.053508][    C0] R13: ffff88803ad40a88 R14: ffffffff90148d90 R15: ffff88804165e978
[   85.056617][    C0]  ? __pfx_delayed_work_timer_fn+0x10/0x10
[   85.059068][    C0]  ? __pfx_hci_cmd_timeout+0x10/0x10
[   85.061196][    C0]  call_timer_fn+0x192/0x640
[   85.063215][    C0]  ? __pfx_delayed_work_timer_fn+0x10/0x10
[   85.065805][    C0]  ? call_timer_fn+0xd4/0x640
[   85.067896][    C0]  ? __pfx_call_timer_fn+0x10/0x10
[   85.069965][    C0]  ? do_raw_spin_unlock+0x4d/0x210
[   85.072159][    C0]  ? __pfx_delayed_work_timer_fn+0x10/0x10
[   85.074754][    C0]  __run_timer_base+0x67e/0x8b0
[   85.076848][    C0]  ? ktime_get+0x45/0x200
[   85.078826][    C0]  ? __pfx___run_timer_base+0x10/0x10
[   85.081212][    C0]  run_timer_softirq+0xb7/0x170
[   85.083287][    C0]  handle_softirqs+0x22a/0x870
[   85.085349][    C0]  ? __irq_exit_rcu+0x5f/0x150
[   85.087392][    C0]  __irq_exit_rcu+0x5f/0x150
[   85.089592][    C0]  irq_exit_rcu+0x9/0x30
[   85.091912][    C0]  sysvec_apic_timer_interrupt+0xa6/0xc0
[   85.095036][    C0]  </IRQ>
[   85.096688][    C0]  <TASK>
[   85.098360][    C0]  asm_sysvec_apic_timer_interrupt+0x1a/0x20
[   85.101540][    C0] RIP: 0010:lock_acquire+0x20b/0x2e0
[   85.104225][    C0] Code: e9 30 ff ff ff e8 65 95 0d 0a f7 c3 00 02 00 00 0f 84 38 ff ff ff 65 48 8b 05 e1 d2 7a 11 48 3b 44 24 30 75 33 fb 48 83 c4 38 <5b> 41 5c 41 5d 41 5e 41 5f 5d e9 c6 7b 10 0a cc 48 8d 3d 9e 6d 73
[   85.111975][    C0] RSP: 0018:ffffc9000dc0f908 EFLAGS: 00000282
[   85.114244][    C0] RAX: 02113ab1b9672600 RBX: 0000000000000246 RCX: 0000000000000046
[   85.117523][    C0] RDX: 0000000000000001 RSI: ffffffff8e165850 RDI: ffffffff8c27bb80
[   85.120923][    C0] RBP: 0000000000000000 R08: 0000000000000008 R09: ffffffff9640b888
[   85.124421][    C0] R10: 00000000d4dbf0a9 R11: 00000000b37f1782 R12: 0000000000000000
[   85.127973][    C0] R13: ffff88804165e948 R14: 0000000000000000 R15: 0000000000000001
[   85.131308][    C0]  ? touch_wq_lockdep_map+0xb5/0x180
[   85.133576][    C0]  touch_wq_lockdep_map+0xcb/0x180
[   85.135930][    C0]  ? touch_wq_lockdep_map+0xb5/0x180
[   85.138294][    C0]  __flush_workqueue+0x14b/0x14f0
[   85.140490][    C0]  ? drain_workqueue+0xb1/0x390
[   85.142667][    C0]  ? __pfx___flush_workqueue+0x10/0x10
[   85.145084][    C0]  drain_workqueue+0xd3/0x390
[   85.147214][    C0]  hci_dev_close_sync+0x62f/0x10e0
[   85.149421][    C0]  ? __pfx_hci_dev_close_sync+0x10/0x10
[   85.151724][    C0]  ? lockdep_hardirqs_on+0x7a/0x110
[   85.153886][    C0]  ? enable_work+0x1fd/0x230
[   85.155967][    C0]  hci_dev_close+0x108/0x260
[   85.158020][    C0]  sock_do_ioctl+0x101/0x320
[   85.160010][    C0]  ? __pfx_sock_do_ioctl+0x10/0x10
[   85.162254][    C0]  ? do_futex+0x395/0x420
[   85.164130][    C0]  sock_ioctl+0x5c6/0x7f0
[   85.166021][    C0]  ? __pfx_sock_ioctl+0x10/0x10
[   85.168110][    C0]  ? __fget_files+0x2a/0x420
[   85.170185][    C0]  ? __fget_files+0x3a0/0x420
[   85.172289][    C0]  ? __fget_files+0x2a/0x420
[   85.174369][    C0]  ? bpf_lsm_file_ioctl+0x9/0x20
[   85.176520][    C0]  ? __pfx_sock_ioctl+0x10/0x10
[   85.178650][    C0]  __se_sys_ioctl+0xfc/0x170
[   85.180701][    C0]  do_syscall_64+0x14d/0xf80
[   85.182725][    C0]  ? trace_irq_disable+0x3b/0x150
[   85.184967][    C0]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.187754][    C0]  ? clear_bhb_loop+0x40/0x90
[   85.189845][    C0]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.192354][    C0] RIP: 0033:0x7f2790b9c629
[   85.194311][    C0] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[   85.202325][    C0] RSP: 002b:00007f2791a65028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   85.205928][    C0] RAX: ffffffffffffffda RBX: 00007f2790e15fa0 RCX: 00007f2790b9c629
[   85.209383][    C0] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000004
[   85.212865][    C0] RBP: 00007f2790c32b39 R08: 0000000000000000 R09: 0000000000000000
[   85.216240][    C0] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   85.219501][    C0] R13: 00007f2790e16038 R14: 00007f2790e15fa0 R15: 00007fffaabe5038
[   85.222988][    C0]  </TASK>
[   85.224682][    C0] Kernel Offset: disabled
[   85.226644][    C0] Rebooting in 86400 seconds..