program:
# Reproducer as recorded by syzbot: five calls, then the same five re-issued with the
# (async) property, reusing the resources r0/r1 created in the first round.
# The kernel log that follows shows "hci0: command tx timeout" and then a WARNING at
# net/bluetooth/hci_conn.c:568 in hci_conn_timeout (run on the hci0 workqueue). The
# machine panics only because panic_on_warn is set, so on its own this is a WARN_ON
# trigger; the log shows no memory-corruption report.
# AF_BLUETOOTH (0x1f) / SOCK_SEQPACKET (0x5) / BTPROTO_SCO (0x2) socket.
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
# connect() with an 8-byte sockaddr; the address bytes at 0x7f0000000100 are not shown here.
connect$bt_sco(r0, &(0x7f0000000100), 0x8)
# AF_NETLINK (0x10) / SOCK_RAW (0x3) / NETLINK_NETFILTER (0xc) socket.
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
# nfqueue NFQNL_MSG_CONFIG carrying NFQA_CFG_MASK / NFQA_CFG_PARAMS / NFQA_CFG_CMD.
# Nothing netfilter-related appears in the stack trace below, so this call is presumably
# leftover from fuzzing rather than part of the trigger - verify by dropping it.
sendmsg$NFQNL_MSG_CONFIG(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000040)={0x30, 0x2, 0x3, 0x301, 0x0, 0x0, {0x7, 0x0, 0x2}, [@NFQA_CFG_MASK={0x8, 0x4, 0x1, 0x0, 0x1d}, @NFQA_CFG_PARAMS={0x9, 0x2, {0xb44, 0x2}}, @NFQA_CFG_CMD={0x8, 0x1, {0x1, 0x0, 0x9}}]}, 0x30}, 0x1, 0x0, 0x0, 0x80}, 0x4054)
# Feed a packet to the virtual HCI controller. Only the first two bytes ("0418") are pinned
# by the blob while the length argument is 0x1a (26), so the remaining bytes are whatever
# the scratch mapping holds; expect run-to-run variation in reproduction rate because of that.
# 0x04 is presumably the HCI event packet type indicator - confirm against the vhci/hci_event path.
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="0418"], 0x1a)
# Second round: the same five calls issued asynchronously (no result binding for the
# socket creations; r0/r1 still refer to the first-round resources).
syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) (async)
connect$bt_sco(r0, &(0x7f0000000100), 0x8) (async)
socket$nl_netfilter(0x10, 0x3, 0xc) (async)
sendmsg$NFQNL_MSG_CONFIG(r1, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000040)={0x30, 0x2, 0x3, 0x301, 0x0, 0x0, {0x7, 0x0, 0x2}, [@NFQA_CFG_MASK={0x8, 0x4, 0x1, 0x0, 0x1d}, @NFQA_CFG_PARAMS={0x9, 0x2, {0xb44, 0x2}}, @NFQA_CFG_CMD={0x8, 0x1, {0x1, 0x0, 0x9}}]}, 0x30}, 0x1, 0x0, 0x0, 0x80}, 0x4054) (async)
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="0418"], 0x1a) (async)
[ 85.304897][ T5307] Bluetooth: hci0: command tx timeout
[ 85.397587][ T4672] ------------[ cut here ]------------
[ 85.400126][ T4672] WARNING: CPU: 0 PID: 4672 at net/bluetooth/hci_conn.c:568 hci_conn_timeout+0xff/0x290
[ 85.420485][ T4672] Modules linked in:
[ 85.422310][ T4672] CPU: 0 UID: 0 PID: 4672 Comm: kworker/u5:1 Not tainted 6.16.0-rc3-syzkaller-00346-gafa9a6f4f574 #0 PREEMPT(full)
[ 85.440310][ T4672] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 85.446402][ T4672] Workqueue: hci0 hci_conn_timeout
[ 85.453054][ T4672] RIP: 0010:hci_conn_timeout+0xff/0x290
[ 85.455421][ T4672] Code: 48 89 df e8 73 fc 08 00 eb 07 e8 1c 03 5a f7 b0 13 0f b6 f0 48 89 df 5b 41 5c 41 5e 41 5f 5d e9 c7 cb fe ff e8 02 03 5a f7 90 <0f> 0b 90 eb 8c 44 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 31 ff ff ff
[ 85.474961][ T4672] RSP: 0018:ffffc9000faa7a50 EFLAGS: 00010293
[ 85.492466][ T4672] RAX: ffffffff8a664b9e RBX: ffff888044160000 RCX: ffff88801fa54880
[ 85.496431][ T4672] RDX: 0000000000000000 RSI: 00000000fffffffe RDI: 0000000000000000
[ 85.500198][ T4672] RBP: 00000000fffffffe R08: ffff888044160013 R09: 1ffff1100882c002
[ 85.503574][ T4672] R10: dffffc0000000000 R11: ffffed100882c003 R12: dffffc0000000000
[ 85.507078][ T4672] R13: ffff888000cd5018 R14: ffff888044160948 R15: ffff888044160010
[ 85.521091][ T4672] FS: 0000000000000000(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000
[ 85.525471][ T4672] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 85.538814][ T4672] CR2: 0000558f6b5ecf00 CR3: 0000000043428000 CR4: 0000000000352ef0
[ 85.542596][ T4672] Call Trace:
[ 85.544637][ T4672]
[ 85.549644][ T4672] ? process_scheduled_works+0x9ef/0x17b0
[ 85.559955][ T4672] process_scheduled_works+0xade/0x17b0
[ 85.562687][ T4672] ? __pfx_process_scheduled_works+0x10/0x10
[ 85.570059][ T4672] worker_thread+0x8a0/0xda0
[ 85.578908][ T4672] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 85.583650][ T4672] ? __kthread_parkme+0x7b/0x200
[ 85.601190][ T4672] kthread+0x70e/0x8a0
[ 85.602945][ T4672] ? __pfx_worker_thread+0x10/0x10
[ 85.605005][ T4672] ? __pfx_kthread+0x10/0x10
[ 85.606990][ T4672] ? _raw_spin_unlock_irq+0x23/0x50
[ 85.610297][ T4672] ? lockdep_hardirqs_on+0x9c/0x150
[ 85.613393][ T4672] ? __pfx_kthread+0x10/0x10
[ 85.615430][ T4672] ret_from_fork+0x3fc/0x770
[ 85.627764][ T4672] ? __pfx_ret_from_fork+0x10/0x10
[ 85.630236][ T4672] ? __pfx_kthread+0x10/0x10
[ 85.632372][ T4672] ret_from_fork_asm+0x1a/0x30
[ 85.634534][ T4672]
[ 85.636041][ T4672] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 85.649263][ T4672] CPU: 0 UID: 0 PID: 4672 Comm: kworker/u5:1 Not tainted 6.16.0-rc3-syzkaller-00346-gafa9a6f4f574 #0 PREEMPT(full)
[ 85.657967][ T4672] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 85.662889][ T4672] Workqueue: hci0 hci_conn_timeout
[ 85.665331][ T4672] Call Trace:
[ 85.666903][ T4672]
[ 85.678577][ T4672] dump_stack_lvl+0x99/0x250
[ 85.701482][ T4672] ? __asan_memcpy+0x40/0x70
[ 85.709189][ T4672] ? __pfx_dump_stack_lvl+0x10/0x10
[ 85.711865][ T4672] ? __pfx__printk+0x10/0x10
[ 85.718817][ T4672] panic+0x2db/0x790
[ 85.720727][ T4672] ? __pfx_panic+0x10/0x10
[ 85.722802][ T4672] ? ret_from_fork_asm+0x1a/0x30
[ 85.748482][ T4672] __warn+0x31b/0x4b0
[ 85.750384][ T4672] ? hci_conn_timeout+0xff/0x290
[ 85.752616][ T4672] ? hci_conn_timeout+0xff/0x290
[ 85.754893][ T4672] report_bug+0x2be/0x4f0
[ 85.768741][ T4672] ? hci_conn_timeout+0xff/0x290
[ 85.771102][ T4672] ? hci_conn_timeout+0xff/0x290
[ 85.777116][ T4672] ? hci_conn_timeout+0x101/0x290
[ 85.780020][ T4672] handle_bug+0x84/0x160
[ 85.781952][ T4672] exc_invalid_op+0x1a/0x50
[ 85.784927][ T4672] asm_exc_invalid_op+0x1a/0x20
[ 85.787733][ T4672] RIP: 0010:hci_conn_timeout+0xff/0x290
[ 85.790056][ T4672] Code: 48 89 df e8 73 fc 08 00 eb 07 e8 1c 03 5a f7 b0 13 0f b6 f0 48 89 df 5b 41 5c 41 5e 41 5f 5d e9 c7 cb fe ff e8 02 03 5a f7 90 <0f> 0b 90 eb 8c 44 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 31 ff ff ff
[ 85.801827][ T4672] RSP: 0018:ffffc9000faa7a50 EFLAGS: 00010293
[ 85.807580][ T4672] RAX: ffffffff8a664b9e RBX: ffff888044160000 RCX: ffff88801fa54880
[ 85.814732][ T4672] RDX: 0000000000000000 RSI: 00000000fffffffe RDI: 0000000000000000
[ 85.828635][ T4672] RBP: 00000000fffffffe R08: ffff888044160013 R09: 1ffff1100882c002
[ 85.832403][ T4672] R10: dffffc0000000000 R11: ffffed100882c003 R12: dffffc0000000000
[ 85.836198][ T4672] R13: ffff888000cd5018 R14: ffff888044160948 R15: ffff888044160010
[ 85.854535][ T4672] ? hci_conn_timeout+0xfe/0x290
[ 85.856876][ T4672] ? process_scheduled_works+0x9ef/0x17b0
[ 85.859656][ T4672] process_scheduled_works+0xade/0x17b0
[ 85.862173][ T4672] ? __pfx_process_scheduled_works+0x10/0x10
[ 85.867774][ T4672] worker_thread+0x8a0/0xda0
[ 85.870272][ T4672] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 85.878334][ T4672] ? __kthread_parkme+0x7b/0x200
[ 85.885848][ T4672] kthread+0x70e/0x8a0
[ 85.887939][ T4672] ? __pfx_worker_thread+0x10/0x10
[ 85.890156][ T4672] ? __pfx_kthread+0x10/0x10
[ 85.897422][ T4672] ? _raw_spin_unlock_irq+0x23/0x50
[ 85.903290][ T4672] ? lockdep_hardirqs_on+0x9c/0x150
[ 85.906534][ T4672] ? __pfx_kthread+0x10/0x10
[ 85.916367][ T4672] ret_from_fork+0x3fc/0x770
[ 85.920615][ T4672] ? __pfx_ret_from_fork+0x10/0x10
[ 85.926102][ T4672] ? __pfx_kthread+0x10/0x10
[ 85.928857][ T4672] ret_from_fork_asm+0x1a/0x30
[ 85.931681][ T4672]
[ 85.936124][ T4672] Kernel Offset: disabled
[ 85.941102][ T4672] Rebooting in 86400 seconds..