program:
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0)
r1 = socket$rds(0x15, 0x5, 0x0)
bind$rds(r1, &(0x7f0000000040)={0x2, 0x0, @loopback}, 0x10)
sendmsg$rds(r1, &(0x7f0000001d00)={&(0x7f00000017c0)={0x2, 0x0, @private=0xa010101}, 0x10, 0x0, 0x0, &(0x7f0000001c00)=[@rdma_args={0x48, 0x114, 0x1, {{0x400000}, {&(0x7f0000001a00)=""/106, 0x6a}, &(0x7f0000001b40)=[{&(0x7f0000001a80)=""/79, 0x4f}], 0x1}}], 0x48, 0x2}, 0x0)
write$cgroup_subtree(r0, &(0x7f0000000000)=ANY=[@ANYRES32=r0, @ANYRESHEX=r1, @ANYRES64], 0x10448)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000005, 0x11, r0, 0x0) (async)
r2 = socket$inet_smc(0x2b, 0x1, 0x0) (async)
r3 = syz_open_dev$usbfs(&(0x7f00000000c0), 0x204, 0x2)
mmap(&(0x7f0000000000/0x400000)=nil, 0x400000, 0x1000002, 0x11012, r3, 0x10c000)
r4 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000000), 0x42, 0x0) (async)
r5 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r5, 0x400448cb, 0x0) (async)
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="040e0402030c"], 0x7) (async, rerun: 64)
r6 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0) (rerun: 64)
r7 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r7}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000080)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0) (async)
connect$bt_l2cap(r6, &(0x7f0000000000)={0x1f, 0x8ef, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe) (async)
close_range(r4, 0xffffffffffffffff, 0x0)
socket$key(0xf, 0x3, 0x2) (async, rerun: 32)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0) (rerun: 32)
bind$inet(r2, &(0x7f0000000280)={0x2, 0x4e22, @private=0xa010102}, 0x10)

[   87.595227][ T4678] Bluetooth: hci0: command tx timeout
[   87.773246][ T5333] rdma_op ffff88803872b9f0 conn xmit_rdma 0000000000000000
[   87.898204][ T4678] Bluetooth: hci0: SCO packet for unknown connection handle 0
[   87.898326][ T4678] Bluetooth: hci0: SCO packet for unknown connection handle 0
[   87.901766][ T4678] Bluetooth: hci0: SCO packet for unknown connection handle 0
[   87.905168][ T4678] Bluetooth: hci0: SCO packet for unknown connection handle 0
[   87.914527][ T4678] Bluetooth: hci0: SCO packet for unknown connection handle 0
[   87.918632][ T4678] Bluetooth: hci0: SCO packet for unknown connection handle 0
[   87.922044][ T4678] Bluetooth: hci0: SCO packet for unknown connection handle 0
[   87.925560][ T4678] Bluetooth: hci0: SCO packet for unknown connection handle 0
[   87.929561][ T4678] Bluetooth: hci0: SCO packet for unknown connection handle 0
[   87.932919][ T4678] Bluetooth: hci0: SCO packet for unknown connection handle 0
[   87.943354][ T5334] ------------[ cut here ]------------
[   87.948494][ T5334] workqueue: cannot queue hci_rx_work on wq hci0
[   87.951129][ T5334] WARNING: kernel/workqueue.c:2252 at 0x0, CPU#0: syz.0.0/5334
[   87.954272][ T5334] Modules linked in:
[   87.955952][ T5334] CPU: 0 UID: 0 PID: 5334 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   87.960124][ T5334] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   87.964889][ T5334] RIP: 0010:__queue_work+0xd4b/0xf90
[   87.967261][ T5334] Code: 83 c5 18 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef e8 06 ee 9e 00 49 8b 75 00 49 81 c7 78 01 00 00 4c 89 f7 4c 89 fa <67> 48 0f b9 3a 48 83 c4 58 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc
[   87.976349][ T5334] RSP: 0018:ffffc9000edffa70 EFLAGS: 00010086
[   87.979128][ T5334] RAX: 1ffff1100237617b RBX: 0000000000000008 RCX: ffff8880001d24c0
[   87.982574][ T5334] RDX: ffff888041953978 RSI: ffffffff8a56ce70 RDI: ffffffff8fa50310
[   87.985909][ T5334] RBP: 0000000000000000 R08: ffff888011bb0bc7 R09: 1ffff11002376178
[   87.989334][ T5334] R10: dffffc0000000000 R11: ffffed1002376179 R12: dffffc0000000000
[   87.992730][ T5334] R13: ffff888011bb0bd8 R14: ffffffff8fa50310 R15: ffff888041953978
[   87.996137][ T5334] FS:  00007f42f15956c0(0000) GS:ffff88808d22f000(0000) knlGS:0000000000000000
[   87.999681][ T5334] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   88.002261][ T5334] CR2: 00007f6a7e6a8ad8 CR3: 0000000037616000 CR4: 0000000000352ef0
[   88.005771][ T5334] Call Trace:
[   88.007269][ T5334]  <TASK>
[   88.008565][ T5334]  ? rcu_is_watching+0x15/0xb0
[   88.010698][ T5334]  queue_work_on+0x181/0x270
[   88.012702][ T5334]  ? lockdep_hardirqs_on+0x98/0x140
[   88.014933][ T5334]  ? __pfx_queue_work_on+0x10/0x10
[   88.017001][ T5334]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   88.019452][ T5334]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   88.022142][ T5334]  ? skb_queue_tail+0x30/0xf0
[   88.024263][ T5334]  hci_recv_frame+0x625/0x7c0
[   88.026421][ T5334]  ? skb_pull+0xc1/0x1d0
[   88.028333][ T5334]  vhci_write+0x358/0x4a0
[   88.030048][ T5334]  vfs_write+0x5c9/0xb30
[   88.031825][ T5334]  ? __pfx_vhci_write+0x10/0x10
[   88.033893][ T5334]  ? __pfx_vfs_write+0x10/0x10
[   88.035917][ T5334]  ? __fget_files+0x2a/0x420
[   88.037801][ T5334]  ksys_write+0x145/0x250
[   88.039793][ T5334]  ? __pfx_ksys_write+0x10/0x10
[   88.042517][ T5334]  ? do_syscall_64+0xbe/0xf80
[   88.044514][ T5334]  do_syscall_64+0xfa/0xf80
[   88.046429][ T5334]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   88.048988][ T5334]  ? clear_bhb_loop+0x60/0xb0
[   88.050563][ T5334]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   88.053024][ T5334] RIP: 0033:0x7f42f078e27f
[   88.054979][ T5334] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
[   88.062632][ T5334] RSP: 002b:00007f42f1595000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[   88.065824][ T5334] RAX: ffffffffffffffda RBX: 00007f42f09e6090 RCX: 00007f42f078e27f
[   88.068841][ T5334] RDX: 0000000000000007 RSI: 0000200000000000 RDI: 00000000000000ca
[   88.073201][ T5334] RBP: 00007f42f0813f91 R08: 0000000000000000 R09: 0000000000000000
[   88.076775][ T5334] R10: 0000200000000000 R11: 0000000000000293 R12: 0000000000000000
[   88.080673][ T5334] R13: 00007f42f09e6128 R14: 00007f42f09e6090 R15: 00007fff38693b88
[   88.084357][ T5334]  </TASK>
[   88.085624][ T5334] Kernel panic - not syncing: kernel: panic_on_warn set ...
[   88.088991][ T5334] CPU: 0 UID: 0 PID: 5334 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   88.093014][ T5334] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   88.097387][ T5334] Call Trace:
[   88.098888][ T5334]  <TASK>
[   88.100260][ T5334]  dump_stack_lvl+0x99/0x250
[   88.102334][ T5334]  ? __asan_memcpy+0x40/0x70
[   88.104501][ T5334]  ? __pfx_dump_stack_lvl+0x10/0x10
[   88.106749][ T5334]  ? __pfx__printk+0x10/0x10
[   88.108756][ T5334]  vpanic+0x237/0x6d0
[   88.110499][ T5334]  ? __pfx_vpanic+0x10/0x10
[   88.112677][ T5334]  ? is_bpf_text_address+0x292/0x2b0
[   88.115315][ T5334]  ? is_bpf_text_address+0x26/0x2b0
[   88.117676][ T5334]  panic+0xb9/0xc0
[   88.119412][ T5334]  ? __pfx_panic+0x10/0x10
[   88.123286][ T5334]  __warn+0x317/0x4b0
[   88.125161][ T5334]  __report_bug+0x288/0x500
[   88.127196][ T5334]  ? stack_depot_save_flags+0x40/0x850
[   88.129671][ T5334]  ? __pfx___report_bug+0x10/0x10
[   88.132103][ T5334]  ? kasan_save_track+0x4f/0x80
[   88.134351][ T5334]  ? __pfx_hci_rx_work+0x10/0x10
[   88.136624][ T5334]  ? __lock_acquire+0x6b6/0x2cf0
[   88.138834][ T5334]  report_bug_entry+0x16a/0x220
[   88.140664][ T5334]  ? __queue_work+0xd4b/0xf90
[   88.142717][ T5334]  ? __queue_work+0xd50/0xf90
[   88.144723][ T5334]  handle_bug+0xca/0x200
[   88.146545][ T5334]  exc_invalid_op+0x1a/0x50
[   88.148419][ T5334]  asm_exc_invalid_op+0x1a/0x20
[   88.150537][ T5334] RIP: 0010:__queue_work+0xd4b/0xf90
[   88.152860][ T5334] Code: 83 c5 18 4c 89 e8 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 ef e8 06 ee 9e 00 49 8b 75 00 49 81 c7 78 01 00 00 4c 89 f7 4c 89 fa <67> 48 0f b9 3a 48 83 c4 58 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc
[   88.161157][ T5334] RSP: 0018:ffffc9000edffa70 EFLAGS: 00010086
[   88.163953][ T5334] RAX: 1ffff1100237617b RBX: 0000000000000008 RCX: ffff8880001d24c0
[   88.167268][ T5334] RDX: ffff888041953978 RSI: ffffffff8a56ce70 RDI: ffffffff8fa50310
[   88.170769][ T5334] RBP: 0000000000000000 R08: ffff888011bb0bc7 R09: 1ffff11002376178
[   88.174157][ T5334] R10: dffffc0000000000 R11: ffffed1002376179 R12: dffffc0000000000
[   88.177565][ T5334] R13: ffff888011bb0bd8 R14: ffffffff8fa50310 R15: ffff888041953978
[   88.180869][ T5334]  ? __pfx_hci_rx_work+0x10/0x10
[   88.183064][ T5334]  ? rcu_is_watching+0x15/0xb0
[   88.185104][ T5334]  queue_work_on+0x181/0x270
[   88.187117][ T5334]  ? lockdep_hardirqs_on+0x98/0x140
[   88.189453][ T5334]  ? __pfx_queue_work_on+0x10/0x10
[   88.191715][ T5334]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   88.194287][ T5334]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   88.197046][ T5334]  ? skb_queue_tail+0x30/0xf0
[   88.199086][ T5334]  hci_recv_frame+0x625/0x7c0
[   88.201052][ T5334]  ? skb_pull+0xc1/0x1d0
[   88.202926][ T5334]  vhci_write+0x358/0x4a0
[   88.204961][ T5334]  vfs_write+0x5c9/0xb30
[   88.206764][ T5334]  ? __pfx_vhci_write+0x10/0x10
[   88.208828][ T5334]  ? __pfx_vfs_write+0x10/0x10
[   88.210956][ T5334]  ? __fget_files+0x2a/0x420
[   88.213093][ T5334]  ksys_write+0x145/0x250
[   88.214902][ T5334]  ? __pfx_ksys_write+0x10/0x10
[   88.217118][ T5334]  ? do_syscall_64+0xbe/0xf80
[   88.219107][ T5334]  do_syscall_64+0xfa/0xf80
[   88.221331][ T5334]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   88.223983][ T5334]  ? clear_bhb_loop+0x60/0xb0
[   88.225908][ T5334]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   88.228316][ T5334] RIP: 0033:0x7f42f078e27f
[   88.230391][ T5334] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
[   88.238872][ T5334] RSP: 002b:00007f42f1595000 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
[   88.242659][ T5334] RAX: ffffffffffffffda RBX: 00007f42f09e6090 RCX: 00007f42f078e27f
[   88.246314][ T5334] RDX: 0000000000000007 RSI: 0000200000000000 RDI: 00000000000000ca
[   88.249841][ T5334] RBP: 00007f42f0813f91 R08: 0000000000000000 R09: 0000000000000000
[   88.253361][ T5334] R10: 0000200000000000 R11: 0000000000000293 R12: 0000000000000000
[   88.256983][ T5334] R13: 00007f42f09e6128 R14: 00007f42f09e6090 R15: 00007fff38693b88
[   88.260462][ T5334]  </TASK>
[   88.262157][ T5334] Kernel Offset: disabled
[   88.264082][ T5334] Rebooting in 86400 seconds..