program: r0 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0) openat$tun(0xffffffffffffff9c, &(0x7f0000000080), 0x2800, 0x0) sendmsg$NBD_CMD_CONNECT(0xffffffffffffffff, 0x0, 0x0) syz_emit_vhci(0x0, 0xe) syz_usb_connect$hid(0x3, 0x36, &(0x7f0000000300)=ANY=[@ANYBLOB="1201010200000040"], 0x0) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="040b"], 0xe) syz_emit_vhci(&(0x7f0000000080)=ANY=[@ANYBLOB="0406"], 0x7) ioctl$TUNSETIFF(r0, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201}) r1 = socket$kcm(0x2, 0x3, 0x2) r2 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file1\x00', 0x42, 0x1ff) r3 = syz_usb_connect(0x0, 0x371, &(0x7f0000000280)=ANY=[@ANYBLOB="1201000057ec0020c215dcff30bd0102030109025f03019b000000090400000b403b4e000905e2379c"], 0x0) syz_usb_control_io$cdc_ncm(r3, 0x0, 0x0) syz_usb_control_io$hid(r3, 0x0, 0x0) syz_usb_control_io$uac1(r3, 0x0, 0x0) r4 = syz_open_dev$char_usb(0xc, 0xb4, 0x80000000) r5 = socket$nl_route(0x10, 0x3, 0x0) r6 = socket$nl_route(0x10, 0x3, 0x0) r7 = socket$packet(0x11, 0x3, 0x300) ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r7, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00', <r8=>0x0}) sendmsg$nl_route(r6, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000140)=@ipv6_newnexthop={0x20, 0x68, 0x5fb9a818fb7378e9, 0x0, 0x0, {}, [@NHA_OIF={0x8, 0x5, r8}]}, 0x20}}, 0x0) sendmsg$nl_route(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000080)=@getnexthop={0x20, 0x76, 0xb0d, 0x4000, 0x0, {0x3}, [@NHA_ID={0x8, 0x1, 0x1}]}, 0x20}}, 0x0) syz_usb_control_io$uac1(r3, 0x0, 0x0) syz_usb_control_io$cdc_ecm(r3, 0x0, 0x0) write$char_usb(r4, &(0x7f0000006800)="10", 0x1) syz_usb_control_io$uac3(r3, 0x0, 0x0) close(r2) r9 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0xa, &(0x7f00000000c0)={0x1, &(0x7f0000000040)=[{0x6, 0xff, 0xfe, 0x7fff0026}]}) close_range(r9, 0xffffffffffffffff, 0x0) ioctl$SIOCSIFHWADDR(r1, 0x8914, &(0x7f0000000040)={'syzkaller1\x00', 
@broadcast}) [ 79.112610][ T4657] Bluetooth: hci0: command tx timeout [ 79.437994][ T5322] usb 5-1: new high-speed USB device number 2 using dummy_hcd [ 79.598573][ T5288] Bluetooth: hci0: unexpected event 0x06 length: 4 > 3 [ 79.614261][ T5324] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy [ 79.625135][ T5324] misc raw-gadget: fail, usb_gadget_register_driver returned -16 [ 79.642246][ T5324] syzkaller1: entered promiscuous mode [ 79.644690][ T5324] syzkaller1: entered allmulticast mode [ 79.662379][ T5322] usb 5-1: unable to get BOS descriptor or descriptor too short [ 79.673627][ T5322] usb 5-1: no configurations [ 79.679483][ T5322] usb 5-1: can't read configurations, error -22 [ 81.148237][ T5288] Bluetooth: hci0: command tx timeout [ 81.231560][ T1331] ieee802154 phy0 wpan0: encryption failed: -22 [ 81.234501][ T1331] ieee802154 phy1 wpan1: encryption failed: -22 [ 81.630096][ T4657] ------------[ cut here ]------------ [ 81.632927][ T4657] refcnt < 0 [ 81.632938][ T4657] WARNING: net/bluetooth/hci_conn.c:634 at hci_conn_timeout+0xff/0x2c0, CPU#0: kworker/u5:1/4657 [ 81.639134][ T4657] Modules linked in: [ 81.641666][ T4657] CPU: 0 UID: 0 PID: 4657 Comm: kworker/u5:1 Not tainted syzkaller #0 PREEMPT(full) [ 81.645777][ T4657] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 81.651308][ T4657] Workqueue: hci0 hci_conn_timeout [ 81.653511][ T4657] RIP: 0010:hci_conn_timeout+0xff/0x2c0 [ 81.655925][ T4657] Code: 48 89 df e8 d3 b4 09 00 eb 07 e8 0c 9f 25 f7 b0 13 0f b6 f0 48 89 df 5b 41 5c 41 5e 41 5f 5d e9 97 9c fe ff e8 f2 9e 25 f7 90 <0f> 0b 90 eb 8c 44 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 31 ff ff ff [ 81.664074][ T4657] RSP: 0018:ffffc900038ffab0 EFLAGS: 00010293 [ 81.666838][ T4657] RAX: ffffffff8aa034de RBX: ffff888012a04000 RCX: ffff88801ce08000 [ 81.670333][ T4657] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000000 [ 81.673775][ T4657] RBP: 00000000ffffffff R08: 
ffff888012a04013 R09: 1ffff11002540802 [ 81.677511][ T4657] R10: dffffc0000000000 R11: ffffed1002540803 R12: dffffc0000000000 [ 81.680821][ T4657] R13: ffff888012a04a40 R14: ffff888012a04a40 R15: ffff888012a04010 [ 81.684265][ T4657] FS: 0000000000000000(0000) GS:ffff88808c87f000(0000) knlGS:0000000000000000 [ 81.688094][ T4657] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 81.690934][ T4657] CR2: 0000560e6a319168 CR3: 0000000036a46000 CR4: 0000000000352ef0 [ 81.694264][ T4657] Call Trace: [ 81.695716][ T4657] <TASK> [ 81.696939][ T4657] ? process_scheduled_works+0xa70/0x1860 [ 81.699341][ T4657] process_scheduled_works+0xb5d/0x1860 [ 81.702137][ T4657] ? __pfx_process_scheduled_works+0x10/0x10 [ 81.704984][ T4657] ? assign_work+0x3d5/0x5e0 [ 81.706895][ T4657] worker_thread+0xa53/0xfc0 [ 81.709018][ T4657] kthread+0x389/0x470 [ 81.710792][ T4657] ? __pfx_worker_thread+0x10/0x10 [ 81.712893][ T4657] ? __pfx_kthread+0x10/0x10 [ 81.714864][ T4657] ret_from_fork+0x514/0xb70 [ 81.716848][ T4657] ? __pfx_ret_from_fork+0x10/0x10 [ 81.719248][ T4657] ? __switch_to+0xc79/0x1410 [ 81.721337][ T4657] ? __pfx_kthread+0x10/0x10 [ 81.723405][ T4657] ret_from_fork_asm+0x1a/0x30 [ 81.725507][ T4657] </TASK> [ 81.726868][ T4657] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 81.729911][ T4657] CPU: 0 UID: 0 PID: 4657 Comm: kworker/u5:1 Not tainted syzkaller #0 PREEMPT(full) [ 81.733849][ T4657] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 81.738147][ T4657] Workqueue: hci0 hci_conn_timeout [ 81.740279][ T4657] Call Trace: [ 81.741715][ T4657] <TASK> [ 81.742957][ T4657] vpanic+0x56c/0xa60 [ 81.744668][ T4657] ? __pfx__printk+0x10/0x10 [ 81.746649][ T4657] ? __pfx_vpanic+0x10/0x10 [ 81.748617][ T4657] ? is_bpf_text_address+0x292/0x2b0 [ 81.751045][ T4657] ? is_bpf_text_address+0x26/0x2b0 [ 81.753367][ T4657] panic+0xc5/0xd0 [ 81.755104][ T4657] ? __pfx_panic+0x10/0x10 [ 81.756997][ T4657] ? 
ret_from_fork_asm+0x1a/0x30 [ 81.759016][ T4657] __warn+0x315/0x4c0 [ 81.760668][ T4657] ? hci_conn_timeout+0xff/0x2c0 [ 81.762821][ T4657] ? hci_conn_timeout+0xff/0x2c0 [ 81.764940][ T4657] __report_bug+0x29a/0x540 [ 81.766896][ T4657] ? hci_conn_timeout+0xff/0x2c0 [ 81.769019][ T4657] ? __pfx___report_bug+0x10/0x10 [ 81.771152][ T4657] ? add_lock_to_list+0xc7/0x100 [ 81.773150][ T4657] ? lockdep_unlock+0x5d/0xd0 [ 81.775143][ T4657] ? __lock_acquire+0x146e/0x2cf0 [ 81.777192][ T4657] ? hci_conn_timeout+0xff/0x2c0 [ 81.779307][ T4657] report_bug+0x16a/0x220 [ 81.781119][ T4657] ? hci_conn_timeout+0xff/0x2c0 [ 81.783215][ T4657] ? hci_conn_timeout+0x101/0x2c0 [ 81.785287][ T4657] handle_bug+0x9c/0x200 [ 81.787164][ T4657] exc_invalid_op+0x1a/0x50 [ 81.789153][ T4657] asm_exc_invalid_op+0x1a/0x20 [ 81.791323][ T4657] RIP: 0010:hci_conn_timeout+0xff/0x2c0 [ 81.793736][ T4657] Code: 48 89 df e8 d3 b4 09 00 eb 07 e8 0c 9f 25 f7 b0 13 0f b6 f0 48 89 df 5b 41 5c 41 5e 41 5f 5d e9 97 9c fe ff e8 f2 9e 25 f7 90 <0f> 0b 90 eb 8c 44 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 31 ff ff ff [ 81.802077][ T4657] RSP: 0018:ffffc900038ffab0 EFLAGS: 00010293 [ 81.804832][ T4657] RAX: ffffffff8aa034de RBX: ffff888012a04000 RCX: ffff88801ce08000 [ 81.808383][ T4657] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000000 [ 81.811918][ T4657] RBP: 00000000ffffffff R08: ffff888012a04013 R09: 1ffff11002540802 [ 81.815283][ T4657] R10: dffffc0000000000 R11: ffffed1002540803 R12: dffffc0000000000 [ 81.818727][ T4657] R13: ffff888012a04a40 R14: ffff888012a04a40 R15: ffff888012a04010 [ 81.821945][ T4657] ? hci_conn_timeout+0xfe/0x2c0 [ 81.824100][ T4657] ? process_scheduled_works+0xa70/0x1860 [ 81.826421][ T4657] process_scheduled_works+0xb5d/0x1860 [ 81.828788][ T4657] ? __pfx_process_scheduled_works+0x10/0x10 [ 81.831421][ T4657] ? assign_work+0x3d5/0x5e0 [ 81.833338][ T4657] worker_thread+0xa53/0xfc0 [ 81.835282][ T4657] kthread+0x389/0x470 [ 81.837049][ T4657] ? 
__pfx_worker_thread+0x10/0x10 [ 81.839305][ T4657] ? __pfx_kthread+0x10/0x10 [ 81.841300][ T4657] ret_from_fork+0x514/0xb70 [ 81.843279][ T4657] ? __pfx_ret_from_fork+0x10/0x10 [ 81.845435][ T4657] ? __switch_to+0xc79/0x1410 [ 81.847359][ T4657] ? __pfx_kthread+0x10/0x10 [ 81.849411][ T4657] ret_from_fork_asm+0x1a/0x30 [ 81.851488][ T4657] </TASK> [ 81.853225][ T4657] Kernel Offset: disabled [ 81.855862][ T4657] Rebooting in 86400 seconds..