# Fuzzer reproducer (syzkaller program syntax) followed by the kernel console log it produced.
# The page collapsed the program onto one line; it is laid out one call per line here, with no call text changed.
# Outcome shown in the log: WARNING in __queue_work ("cannot queue hci_rx_work on wq hci0"), reached via
# vhci_write -> hci_recv_frame -> queue_work_on. It escalates to a kernel panic only because panic_on_warn is set.
# The log shows the task running as UID 0 on a QEMU guest.
# "(async)" marks calls the executor issues without waiting for completion, so neighbouring calls can overlap.
# "rerun: N" asks for the call to be repeated; exact executor semantics are not shown on this page.
program:
# Netlink sockets (0x10 = AF_NETLINK, 0x3 = SOCK_RAW, protocol 0 = NETLINK_ROUTE) used later for the tc messages.
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket(0x10, 0x3, 0x0) (async)
# Raw HCI socket (0x1f = AF_BLUETOOTH, 0x3 = SOCK_RAW, 0x1 = BTPROTO_HCI).
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
# 0x400448cb decodes as _IOW('H', 203, int), which should be HCIDEVRESET; arg 0x0 selects device index 0 (hci0 in the log).
# NOTE(review): presumably this reset is what puts the hci0 workqueue into the state that rejects new work - confirm against hci_core.
ioctl$sock_bt_hci(r2, 0x400448cb, 0x0) (async)
# BPF_PROG_LOAD (cmd 0x5) of an XDP program (type 0x6, @xdp). The blob is 18 bytes while insn_cnt is 0x10, so the load
# looks malformed; no bpf frames appear in the call trace, so this is likely unrelated fuzzer noise.
bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0x6, 0x10, &(0x7f0000000000)=ANY=[@ANYBLOB="18000000000000000000000000000000b708"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @xdp, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) (async)
# syz_emit_vhci feeds a packet into the virtual HCI device. Leading byte 0x04 = HCI event packet, 0x3e = LE Meta event.
# Length 0x24 matches RDX=0x24 of the write() recorded in the crash registers, so this call (or a rerun of it)
# appears to be the write that hit the WARNING.
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="043e751d"], 0x24) (async)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="043e1f1b"], 0x22) (async)
# Opens the snapshot device relative to AT_FDCWD (0xffffffffffffff9c); not visible in the call trace.
openat$snapshot(0xffffffffffffff9c, &(0x7f00000002c0), 0x40040, 0x0) (async, rerun: 32)
# Event 0x0e = Command Complete; trailing bytes 03 0c read as opcode 0x0c03 (HCI Reset) - presumably completing the reset above.
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="040e0402030c"], 0x7) (rerun: 32)
r3 = socket(0x10, 0x803, 0x0)
syz_genetlink_get_family_id$mptcp(&(0x7f00000000c0), r3)
# NOTE(review): r4 is used below but never assigned in this listing. syzkaller normally captures the interface index
# here as an output marker (of the form "<r4=>0x0"); the marker looks to have been stripped during page extraction.
getsockname$packet(r3, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000003c0)=0x14)
# Traffic-control netlink messages (hfsc qdisc, fw filter with a large police peak-rate table). None of the tc code
# appears in the call trace, so these are probably not needed to reach the workqueue WARNING.
sendmsg$nl_route_sched(r1, &(0x7f0000005840)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000020c0)=@newqdisc={0x44, 0x24, 0x5820a61ca228651, 0x0, 0x0, {0x0, 0x0, 0x0, r4, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_hfsc={{0x9}, {0x14, 0x2, @TCA_HFSC_RSC={0x10, 0x1, {0x2, 0x2, 0x6}}}}]}, 0x44}}, 0x0) (async)
sendmsg$nl_route_sched(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000180)={&(0x7f000000c840)=@newtfilter={0x438, 0x28, 0x43f, 0x0, 0x100, {0x0, 0x0, 0x0, r4, {0xfff1}, {}, {0x3}}, [@filter_kind_options=@f_fw={{0x7}, {0x40c, 0x2, [@TCA_FW_POLICE={0x408, 0x2, [@TCA_POLICE_PEAKRATE={0x404, 0x3, [0x8001, 0x9, 0x2, 0x5, 0x401, 0x0, 0x4, 0x8, 0x7fff, 0x8000, 0x7, 0x1, 0xfffffff8, 0x8001, 0x9, 0x9, 0x1, 0xf1, 0x4, 0x0, 0x4, 0x7, 0x7, 0x1fd30639, 0x35, 0xca, 0x9, 0x0, 0x0, 0x200, 0x5, 0xfffffffa, 0x5, 0x1, 0x3, 0x4, 0xfffff086, 0x1, 0x4, 0xffffff7f, 0x8, 0xdbd1, 0x0, 0x1, 0x5, 0x8, 0x5, 0xfffffffc, 0x400, 0x3, 0x7, 0x1, 0x2, 0x1, 0x200, 0x3ff, 0x3, 0x79, 0x3, 0xc62, 0x8, 0x400, 0x7, 0x9, 0x7, 0x7, 0x41, 0x4, 0x81, 0x273e, 0xfffffffb, 0x180, 0x7, 0x2, 0x7, 0x2, 0x401, 0x4, 0x1, 0x3, 0x0, 0x9, 0xb6, 0x2, 0x9, 0x2, 0x3, 0x9, 0x4, 0x4, 0x6, 0x7, 0x9, 0x1200, 0x6, 0x10001, 0x4, 0xf, 0x8, 0x6, 0x0, 0xffffeeee, 0x9, 0x2, 0x2e, 0x8, 0x404ca6c0, 0x9, 0x6, 0x4, 0x1, 0x4, 0x101, 0x3, 0x7, 0x16, 0xffffff68, 0x0, 0x7, 0xf35, 0x200, 0x4, 0x9, 0x1ff, 0x7, 0x1, 0x800, 0x9, 0x3, 0x7f, 0x6656d3bd, 0x3, 0x96, 0x3, 0x7, 0x80000000, 0x4, 0x815, 0x73, 0xfffffff7, 0x9, 0xc67d, 0x4, 0x0, 0x2, 0x9, 0x0, 0x8, 0x7, 0x8, 0x1, 0x6, 0x1, 0x4c800000, 0x8, 0x3, 0x6, 0x45, 0x3, 0x819, 0xc76, 0xb2, 0x10, 0x6, 0x3ff, 0x7, 0x0, 0x7, 0x8, 0xfffeffff, 0x7, 0x8, 0x10, 0x2, 0x0, 0x383c, 0x7, 0x399f, 0x1, 0xfffffffc, 0x6, 0x3, 0x5, 0xa, 0x9, 0xffff, 0xe, 0x3, 0x1, 0x4, 0x81, 0x6c0, 0x40, 0x9, 0x304b, 0x5, 0x4, 0x8, 0x81, 0x2f, 0x9, 0xffffffff, 0x7, 0x7, 0x6, 0x2, 0x941, 0x0, 0x5, 0x1, 0x6, 0x6, 0xb, 0xb, 0x6, 0x5, 0xc15, 0x3, 0x4, 0xfffffc01, 0x5, 0x3, 0xf24, 0x943d, 0x8, 0x1, 0xffff0000, 0x120000, 0x7, 0x4, 0xe, 0x4c, 0x40, 0x8, 0x7, 0x80, 0x0, 0x6, 0x800, 0x10001, 0x4, 0x6, 0x2, 0x11, 0x8000, 0x7f, 0x9, 0xfffff322, 0x3, 0x4, 0x3, 0x1, 0x9, 0x7, 0x4, 0xaa7c]}]}]}}]}, 0x438}}, 0x0) (async)
r5 = socket(0x10, 0x3, 0x0) (async)
r6 = socket(0x10, 0x803, 0x2)
syz_genetlink_get_family_id$mptcp(&(0x7f00000000c0), r6) (async)
# NOTE(review): as with r4, r7 is used below without a visible assignment; its output marker was probably lost in extraction.
getsockname$packet(r6, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000003c0)=0x14)
# Second qdisc request, this time the sfb kind with TCA_SFB_PARMS.
sendmsg$nl_route_sched(r5, &(0x7f0000005840)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000400)=@newqdisc={0x58, 0x24, 0x5820a61ca228651, 0x0, 0x0, {0x0, 0x0, 0x0, r7, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_sfb={{0x8}, {0x2c, 0x2, @TCA_SFB_PARMS={0x28, 0x1, {0x8, 0x4, 0x8, 0x1, 0x10000, 0xded, 0xf0, 0xea, 0x5}}}}]}, 0x58}}, 0x0)
# Kernel console output starts here (verbatim). The "command tx timeout" line comes from another task (T5315) just before
# the WARNING. Angle-bracket markers that normally frame a call trace appear to have been stripped from the log on this page.
[ 75.461473][ T5315] Bluetooth: hci0: command tx timeout [ 75.541280][ T5338] ------------[ cut here ]------------ [ 75.543584][ T5338] workqueue: cannot queue hci_rx_work on wq hci0 [ 75.546507][ T5338] WARNING: kernel/workqueue.c:2252 at __queue_work+0xd20/0xf90, CPU#0: syz.0.0/5338 [ 75.550459][ 
T5338] Modules linked in: [ 75.552195][ T5338] CPU: 0 UID: 0 PID: 5338 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 75.555859][ T5338] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.560068][ T5338] RIP: 0010:__queue_work+0xd4b/0xf90 [ 75.562214][ T5338] Code: 83 c5 18 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef e8 86 5a 9e 00 49 8b 75 00 49 81 c7 78 01 00 00 4c 89 f7 4c 89 fa <67> 48 0f b9 3a 48 83 c4 58 5b 41 5c 41 5d 41 5e 41 5f 5d e9 7d 28 [ 75.570102][ T5338] RSP: 0018:ffffc9000ae3fb20 EFLAGS: 00010086 [ 75.572825][ T5338] RAX: 1ffff11006a5317b RBX: 0000000000000008 RCX: ffff888000ff0000 [ 75.576072][ T5338] RDX: ffff8880336d2178 RSI: ffffffff8a553c80 RDI: ffffffff8f852e60 [ 75.579410][ T5338] RBP: 0000000000000000 R08: ffff888035298bc7 R09: 1ffff11006a53178 [ 75.582703][ T5338] R10: dffffc0000000000 R11: ffffed1006a53179 R12: dffffc0000000000 [ 75.586145][ T5338] R13: ffff888035298bd8 R14: ffffffff8f852e60 R15: ffff8880336d2178 [ 75.589612][ T5338] FS: 00007f8e5c1f56c0(0000) GS:ffff88808d414000(0000) knlGS:0000000000000000 [ 75.593378][ T5338] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 75.596187][ T5338] CR2: 0000000000000000 CR3: 0000000043e21000 CR4: 0000000000352ef0 [ 75.599539][ T5338] Call Trace: [ 75.600946][ T5338] [ 75.602185][ T5338] ? rcu_is_watching+0x15/0xb0 [ 75.604226][ T5338] queue_work_on+0x106/0x1c0 [ 75.606362][ T5338] ? _raw_spin_unlock_irqrestore+0x30/0x80 [ 75.608950][ T5338] hci_recv_frame+0x625/0x7c0 [ 75.611031][ T5338] ? skb_pull+0xc1/0x1d0 [ 75.612940][ T5338] vhci_write+0x358/0x4a0 [ 75.614905][ T5338] vfs_write+0x5c9/0xb30 [ 75.616858][ T5338] ? __pfx_vhci_write+0x10/0x10 [ 75.618963][ T5338] ? __pfx_vfs_write+0x10/0x10 [ 75.620972][ T5338] ? __fget_files+0x2a/0x420 [ 75.622943][ T5338] ksys_write+0x145/0x250 [ 75.624806][ T5338] ? __pfx_ksys_write+0x10/0x10 [ 75.626931][ T5338] do_syscall_64+0xec/0xf80 [ 75.628947][ T5338] ? 
entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.631546][ T5338] ? trace_irq_disable+0x37/0x100 [ 75.633644][ T5338] ? clear_bhb_loop+0x60/0xb0 [ 75.635621][ T5338] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.638018][ T5338] RIP: 0033:0x7f8e5fd8e27f [ 75.639973][ T5338] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48 [ 75.648208][ T5338] RSP: 002b:00007f8e5c1f5000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 [ 75.651913][ T5338] RAX: ffffffffffffffda RBX: 00007f8e5ffe6090 RCX: 00007f8e5fd8e27f [ 75.655435][ T5338] RDX: 0000000000000024 RSI: 0000200000000000 RDI: 00000000000000ca [ 75.658789][ T5338] RBP: 00007f8e5fe13f91 R08: 0000000000000000 R09: 0000000000000000 [ 75.662189][ T5338] R10: 0000200000000000 R11: 0000000000000293 R12: 0000000000000000 [ 75.665490][ T5338] R13: 00007f8e5ffe6128 R14: 00007f8e5ffe6090 R15: 00007ffe9f75d318 [ 75.668809][ T5338] [ 75.670320][ T5338] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 75.673446][ T5338] CPU: 0 UID: 0 PID: 5338 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 75.677270][ T5338] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 75.681732][ T5338] Call Trace: [ 75.683217][ T5338] [ 75.684587][ T5338] vpanic+0x1e0/0x670 [ 75.686365][ T5338] panic+0xb9/0xc0 [ 75.688080][ T5338] ? __pfx_panic+0x10/0x10 [ 75.690118][ T5338] __warn+0x317/0x4b0 [ 75.691990][ T5338] ? __queue_work+0xd20/0xf90 [ 75.694111][ T5338] ? __queue_work+0xd20/0xf90 [ 75.696198][ T5338] __report_bug+0x288/0x500 [ 75.698278][ T5338] ? __queue_work+0xd20/0xf90 [ 75.700406][ T5338] ? __pfx___report_bug+0x10/0x10 [ 75.702672][ T5338] ? vhci_write+0xbe/0x4a0 [ 75.704594][ T5338] ? __pfx_hci_rx_work+0x10/0x10 [ 75.706935][ T5338] ? __lock_acquire+0x6b6/0x2cf0 [ 75.709168][ T5338] report_bug_entry+0x19a/0x290 [ 75.711342][ T5338] ? 
__queue_work+0xd4b/0xf90 [ 75.713445][ T5338] ? __queue_work+0xd50/0xf90 [ 75.715570][ T5338] handle_bug+0xca/0x200 [ 75.717489][ T5338] exc_invalid_op+0x1a/0x50 [ 75.719550][ T5338] asm_exc_invalid_op+0x1a/0x20 [ 75.721761][ T5338] RIP: 0010:__queue_work+0xd4b/0xf90 [ 75.724135][ T5338] Code: 83 c5 18 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef e8 86 5a 9e 00 49 8b 75 00 49 81 c7 78 01 00 00 4c 89 f7 4c 89 fa <67> 48 0f b9 3a 48 83 c4 58 5b 41 5c 41 5d 41 5e 41 5f 5d e9 7d 28 [ 75.732374][ T5338] RSP: 0018:ffffc9000ae3fb20 EFLAGS: 00010086 [ 75.734946][ T5338] RAX: 1ffff11006a5317b RBX: 0000000000000008 RCX: ffff888000ff0000 [ 75.738321][ T5338] RDX: ffff8880336d2178 RSI: ffffffff8a553c80 RDI: ffffffff8f852e60 [ 75.741629][ T5338] RBP: 0000000000000000 R08: ffff888035298bc7 R09: 1ffff11006a53178 [ 75.744892][ T5338] R10: dffffc0000000000 R11: ffffed1006a53179 R12: dffffc0000000000 [ 75.748277][ T5338] R13: ffff888035298bd8 R14: ffffffff8f852e60 R15: ffff8880336d2178 [ 75.751783][ T5338] ? __pfx_hci_rx_work+0x10/0x10 [ 75.754046][ T5338] ? rcu_is_watching+0x15/0xb0 [ 75.756205][ T5338] queue_work_on+0x106/0x1c0 [ 75.758367][ T5338] ? _raw_spin_unlock_irqrestore+0x30/0x80 [ 75.760917][ T5338] hci_recv_frame+0x625/0x7c0 [ 75.763017][ T5338] ? skb_pull+0xc1/0x1d0 [ 75.764879][ T5338] vhci_write+0x358/0x4a0 [ 75.766814][ T5338] vfs_write+0x5c9/0xb30 [ 75.768726][ T5338] ? __pfx_vhci_write+0x10/0x10 [ 75.770898][ T5338] ? __pfx_vfs_write+0x10/0x10 [ 75.773085][ T5338] ? __fget_files+0x2a/0x420 [ 75.775187][ T5338] ksys_write+0x145/0x250 [ 75.777141][ T5338] ? __pfx_ksys_write+0x10/0x10 [ 75.779387][ T5338] do_syscall_64+0xec/0xf80 [ 75.781349][ T5338] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.783948][ T5338] ? trace_irq_disable+0x37/0x100 [ 75.786255][ T5338] ? 
clear_bhb_loop+0x60/0xb0 [ 75.788419][ T5338] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.791004][ T5338] RIP: 0033:0x7f8e5fd8e27f [ 75.792990][ T5338] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48 [ 75.801167][ T5338] RSP: 002b:00007f8e5c1f5000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001 [ 75.804738][ T5338] RAX: ffffffffffffffda RBX: 00007f8e5ffe6090 RCX: 00007f8e5fd8e27f [ 75.808213][ T5338] RDX: 0000000000000024 RSI: 0000200000000000 RDI: 00000000000000ca [ 75.811654][ T5338] RBP: 00007f8e5fe13f91 R08: 0000000000000000 R09: 0000000000000000 [ 75.814975][ T5338] R10: 0000200000000000 R11: 0000000000000293 R12: 0000000000000000 [ 75.818246][ T5338] R13: 00007f8e5ffe6128 R14: 00007f8e5ffe6090 R15: 00007ffe9f75d318 [ 75.821499][ T5338] [ 75.823111][ T5338] Kernel Offset: disabled [ 75.825046][ T5338] Rebooting in 86400 seconds..