program:
# Syzkaller reproducer (one call per line) followed by the kernel console log
# it produced. The finding is a WARNING in hci_conn_timeout(), the Bluetooth
# HCI connection timeout work item; see the note ahead of the log.
#
# Reading aids:
#   - "(async)" and "(rerun: N)" are syzkaller call properties: the executor
#     does not wait for an async call to complete before issuing the next one,
#     and a rerun call is repeated. The program therefore relies on overlapping
#     execution, so a single sequential run may not reproduce the warning.
#   - 0xffffffffffffffff in a struct is a placeholder for a value the kernel
#     fills in (or an intentionally invalid fd when passed as an argument).
#   - NOTE(review): r0, r1, r2, r5, r10 and r11 are used below but no binding
#     for them is visible on this page. Syzkaller writes such bindings inline
#     as "<rN=>" markers; presumably they were stripped during extraction.
#     Confirm against the original reproducer before replaying it.
#   - NOTE(review): the 9P, BPF, SG_IO, USB/hidraw, SCTP, procfs and perf calls
#     touch subsystems unrelated to the warning site. Presumably the
#     bt_sco socket, connect$bt_sco and syz_emit_vhci calls are the relevant
#     ones; verify by minimising the reproducer.

# Two pipes created at the same output address; the second overwrites the first.
pipe2$9p(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0) (async)
pipe2$9p(&(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}, 0x0)
# Duplicate up to 9 bytes between the pipe ends.
tee(r1, r0, 0x9, 0x0) (async)
# 9P message with size 0x10, type 0x17 (Rreadlink), tag 0, target './file6'.
write$P9_RREADLINK(r2, &(0x7f0000000000)={0x10, 0x17, 0x0, {0x7, './file6'}}, 0x10) (async, rerun: 32)
# Syzkaller pseudo-syscall: attach an emulated USB HID device described by the blob.
r3 = syz_usb_connect$hid(0x0, 0x3f, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000000000020961b0a9f1500000000010902"], 0x0) (async, rerun: 32)
# Bluetooth SCO socket: AF_BLUETOOTH (0x1f), SOCK_SEQPACKET (0x5), BTPROTO_SCO (0x2).
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
# bpf() command 0xf (object info by fd) on an invalid fd; r5 is presumably bound from the info struct.
bpf$BPF_GET_MAP_INFO(0xf, &(0x7f0000000300)={0xffffffffffffffff, 0x58, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ""/16, 0x0}}, 0x10)
# SCSI generic device; SG_IO (0x2285) with a 6-byte CDB whose opcode 0x12 is INQUIRY.
r6 = syz_open_dev$sg(&(0x7f00000060c0), 0x0, 0x0)
ioctl$SG_IO(r6, 0x2285, &(0x7f0000000180)={0x53, 0x0, 0x6, 0xa, @buffer={0x0, 0x0, 0x0}, &(0x7f0000000000)="120180ff8000", 0x0, 0x0, 0x0, 0x0, 0x0})
# bpf() command 0x0 (map create), map type 0x1e (bloom filter).
bpf$MAP_CREATE(0x0, &(0x7f0000000340)=@bloom_filter={0x1e, 0x6, 0x6, 0x7fffffff, 0x40418, 0xffffffffffffffff, 0x3, '\x00', r5, 0xffffffffffffffff, 0x0, 0x5, 0x0, 0xf}, 0x50)
# Connect the SCO socket; repeated and asynchronous, so connects overlap with the injection below.
connect$bt_sco(r4, &(0x7f0000000100), 0x8) (async, rerun: 32)
# Syzkaller pseudo-syscall: inject bytes 04 18 into the virtual HCI controller.
# NOTE(review): 0x04 looks like the H4 "event" packet indicator - confirm.
syz_emit_vhci(&(0x7f00000000c0)=ANY=[@ANYBLOB="0418"], 0x1a) (rerun: 32)
r7 = syz_open_dev$hidraw(&(0x7f0000000000), 0x0, 0x0)
# Service control requests on the emulated USB device from r3.
syz_usb_control_io(r3, 0x0, 0x0) (async)
# Zero-length write with a NULL buffer.
write$hidraw(r7, 0x0, 0x0) (async, rerun: 32)
# SCTP socket: AF_INET6 (0xa), SOCK_SEQPACKET (0x5), IPPROTO_SCTP (0x84).
r8 = socket$inet6_sctp(0xa, 0x5, 0x84) (async, rerun: 32)
r9 = gettid()
# Open the calling thread's procfs 'mountinfo' entry.
syz_open_procfs(r9, &(0x7f0000000380)='mountinfo\x00') (async)
pipe2(&(0x7f0000000480)={0xffffffffffffffff, 0xffffffffffffffff}, 0x80)
# perf event of type 0x5 (breakpoint) on thread r9, cpu 0x9, group fd r10.
perf_event_open(&(0x7f0000000400)={0x5, 0x80, 0x6, 0x7f, 0x4, 0x4, 0x0, 0x64, 0x100, 0x1, 0x1, 0x0, 0x1, 0x1, 0x1, 0x0, 0x1, 0x0, 0x0, 0x0, 0x1, 0x1, 0x1, 0x1, 0x0, 0x2, 0x0, 0x0, 0x1, 0x0, 0x1, 0x1, 0x1, 0x1, 0x0, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x1, 0x0, 0x0, 0x0, 0x6a, 0x0, @perf_bp={&(0x7f00000003c0), 0x7}, 0x20, 0x8, 0x0, 0x1, 0x5, 0x962, 0x1, 0x0, 0x3, 0x0, 0x4b9e}, r9, 0x9, r10, 0x9) (async)
# SCTP_STATUS (optname 0xe) on an invalid fd; r11 is presumably bound from the result struct.
getsockopt$inet_sctp6_SCTP_STATUS(0xffffffffffffffff, 0x84, 0xe, &(0x7f0000000080)={0x0, 0x9, 0x0, 0x6, 0x7, 0x4, 0xfffb, 0xa433, {0x0, @in={{0x2, 0x4e24, @local}}, 0xff, 0x0, 0xfffffff6, 0x3, 0x1000}}, &(0x7f0000000140)=0xb0)
# SCTP_PEER_ADDR_THLDS (optname 0x1f) on the SCTP socket.
getsockopt$inet_sctp6_SCTP_PEER_ADDR_THLDS(r8, 0x84, 0x1f, &(0x7f0000000180)={r11, @in6={{0xa, 0x4e22, 0x0, @private0, 0x1}}, 0x1, 0x40}, &(0x7f0000000240)=0x90)

# Kernel console log (one record per line). Triage notes:
#   - Primary event: WARNING at net/bluetooth/hci_conn.c:568, RIP
#     hci_conn_timeout+0xff, running in kworker/u5:1 on workqueue "hci0".
#     It follows a "Bluetooth: hci0: command tx timeout" message.
#   - In the Code: line the marked byte <0f> followed by 0b is UD2, the trap
#     x86 kernels use for WARN/BUG. The second trace shows the matching path
#     asm_exc_invalid_op -> exc_invalid_op -> handle_bug -> report_bug -> __warn.
#   - The panic is a consequence of panic_on_warn being set on the fuzzing
#     kernel, not a separate fault. Without that setting a WARN is logged and
#     execution continues, so on production kernels the signal to look for is
#     the WARNING record itself.
#   - NOTE(review): RSI and RBP hold 0xffffffff (-1 as a 32-bit int), which
#     would be consistent with a negative-counter sanity check firing; confirm
#     against line 568 of hci_conn.c in this tree (6.16.0-rc4, g66701750d556).
#   - __asan_memcpy in the panic trace indicates a KASAN-instrumented build.
#   - The empty records directly after each "Call Trace:" and at the end of
#     each trace presumably held the <TASK> / </TASK> markers, lost in
#     extraction. Column padding inside the timestamps was collapsed as well.
[ 85.810142][ T5303] Bluetooth: hci0: command tx timeout
[ 85.896862][ T4667] ------------[ cut here ]------------
[ 85.899832][ T4667] WARNING: CPU: 0 PID: 4667 at net/bluetooth/hci_conn.c:568 hci_conn_timeout+0xff/0x290
[ 85.904582][ T4667] Modules linked in:
[ 85.906490][ T4667] CPU: 0 UID: 0 PID: 4667 Comm: kworker/u5:1 Not tainted 6.16.0-rc4-syzkaller-00013-g66701750d556 #0 PREEMPT(full)
[ 85.911201][ T4667] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 85.915997][ T4667] Workqueue: hci0 hci_conn_timeout
[ 85.918119][ T4667] RIP: 0010:hci_conn_timeout+0xff/0x290
[ 85.921219][ T4667] Code: 48 89 df e8 73 fc 08 00 eb 07 e8 9c 02 5a f7 b0 13 0f b6 f0 48 89 df 5b 41 5c 41 5e 41 5f 5d e9 c7 cb fe ff e8 82 02 5a f7 90 <0f> 0b 90 eb 8c 44 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 31 ff ff ff
[ 85.930418][ T4667] RSP: 0018:ffffc9000f99fa50 EFLAGS: 00010293
[ 85.933243][ T4667] RAX: ffffffff8a664c1e RBX: ffff8880404cc000 RCX: ffff88801c532440
[ 85.936650][ T4667] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000000
[ 85.940256][ T4667] RBP: 00000000ffffffff R08: ffff8880404cc013 R09: 1ffff11008099802
[ 85.944232][ T4667] R10: dffffc0000000000 R11: ffffed1008099803 R12: dffffc0000000000
[ 85.947782][ T4667] R13: ffff8880366c7718 R14: ffff8880404cc948 R15: ffff8880404cc010
[ 85.951245][ T4667] FS: 0000000000000000(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000
[ 85.955275][ T4667] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 85.958429][ T4667] CR2: 00007fe10fdf4fc8 CR3: 0000000035b2b000 CR4: 0000000000352ef0
[ 85.962153][ T4667] Call Trace:
[ 85.963651][ T4667]
[ 85.964961][ T4667] ? process_scheduled_works+0x9ef/0x17b0
[ 85.967440][ T4667] process_scheduled_works+0xade/0x17b0
[ 85.970118][ T4667] ? __pfx_process_scheduled_works+0x10/0x10
[ 85.973270][ T4667] worker_thread+0x8a0/0xda0
[ 85.975465][ T4667] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 85.978008][ T4667] ? __kthread_parkme+0x7b/0x200
[ 85.980059][ T4667] kthread+0x70e/0x8a0
[ 85.981825][ T4667] ? __pfx_worker_thread+0x10/0x10
[ 85.983995][ T4667] ? __pfx_kthread+0x10/0x10
[ 85.986129][ T4667] ? _raw_spin_unlock_irq+0x23/0x50
[ 85.988398][ T4667] ? lockdep_hardirqs_on+0x9c/0x150
[ 85.991066][ T4667] ? __pfx_kthread+0x10/0x10
[ 85.993482][ T4667] ret_from_fork+0x3fc/0x770
[ 85.995561][ T4667] ? __pfx_ret_from_fork+0x10/0x10
[ 85.997866][ T4667] ? __pfx_kthread+0x10/0x10
[ 85.999845][ T4667] ret_from_fork_asm+0x1a/0x30
[ 86.001781][ T4667]
[ 86.003770][ T4667] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 86.006706][ T4667] CPU: 0 UID: 0 PID: 4667 Comm: kworker/u5:1 Not tainted 6.16.0-rc4-syzkaller-00013-g66701750d556 #0 PREEMPT(full)
[ 86.012135][ T4667] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 86.017388][ T4667] Workqueue: hci0 hci_conn_timeout
[ 86.019373][ T4667] Call Trace:
[ 86.020900][ T4667]
[ 86.022209][ T4667] dump_stack_lvl+0x99/0x250
[ 86.024203][ T4667] ? __asan_memcpy+0x40/0x70
[ 86.026284][ T4667] ? __pfx_dump_stack_lvl+0x10/0x10
[ 86.028487][ T4667] ? __pfx__printk+0x10/0x10
[ 86.030721][ T4667] panic+0x2db/0x790
[ 86.032452][ T4667] ? __pfx_panic+0x10/0x10
[ 86.034627][ T4667] ? ret_from_fork_asm+0x1a/0x30
[ 86.037045][ T4667] __warn+0x31b/0x4b0
[ 86.038729][ T4667] ? hci_conn_timeout+0xff/0x290
[ 86.040882][ T4667] ? hci_conn_timeout+0xff/0x290
[ 86.042983][ T4667] report_bug+0x2be/0x4f0
[ 86.044848][ T4667] ? hci_conn_timeout+0xff/0x290
[ 86.046940][ T4667] ? hci_conn_timeout+0xff/0x290
[ 86.049187][ T4667] ? hci_conn_timeout+0x101/0x290
[ 86.051459][ T4667] handle_bug+0x84/0x160
[ 86.053600][ T4667] exc_invalid_op+0x1a/0x50
[ 86.055797][ T4667] asm_exc_invalid_op+0x1a/0x20
[ 86.057977][ T4667] RIP: 0010:hci_conn_timeout+0xff/0x290
[ 86.060404][ T4667] Code: 48 89 df e8 73 fc 08 00 eb 07 e8 9c 02 5a f7 b0 13 0f b6 f0 48 89 df 5b 41 5c 41 5e 41 5f 5d e9 c7 cb fe ff e8 82 02 5a f7 90 <0f> 0b 90 eb 8c 44 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 31 ff ff ff
[ 86.068928][ T4667] RSP: 0018:ffffc9000f99fa50 EFLAGS: 00010293
[ 86.071826][ T4667] RAX: ffffffff8a664c1e RBX: ffff8880404cc000 RCX: ffff88801c532440
[ 86.075296][ T4667] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000000
[ 86.079031][ T4667] RBP: 00000000ffffffff R08: ffff8880404cc013 R09: 1ffff11008099802
[ 86.082981][ T4667] R10: dffffc0000000000 R11: ffffed1008099803 R12: dffffc0000000000
[ 86.086658][ T4667] R13: ffff8880366c7718 R14: ffff8880404cc948 R15: ffff8880404cc010
[ 86.089936][ T4667] ? hci_conn_timeout+0xfe/0x290
[ 86.092164][ T4667] ? process_scheduled_works+0x9ef/0x17b0
[ 86.094632][ T4667] process_scheduled_works+0xade/0x17b0
[ 86.097112][ T4667] ? __pfx_process_scheduled_works+0x10/0x10
[ 86.099892][ T4667] worker_thread+0x8a0/0xda0
[ 86.102099][ T4667] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 86.104945][ T4667] ? __kthread_parkme+0x7b/0x200
[ 86.107228][ T4667] kthread+0x70e/0x8a0
[ 86.109176][ T4667] ? __pfx_worker_thread+0x10/0x10
[ 86.111517][ T4667] ? __pfx_kthread+0x10/0x10
[ 86.113524][ T4667] ? _raw_spin_unlock_irq+0x23/0x50
[ 86.115880][ T4667] ? lockdep_hardirqs_on+0x9c/0x150
[ 86.118104][ T4667] ? __pfx_kthread+0x10/0x10
[ 86.120401][ T4667] ret_from_fork+0x3fc/0x770
[ 86.122892][ T4667] ? __pfx_ret_from_fork+0x10/0x10
[ 86.125184][ T4667] ? __pfx_kthread+0x10/0x10
[ 86.127115][ T4667] ret_from_fork_asm+0x1a/0x30
[ 86.129168][ T4667]
[ 86.130794][ T4667] Kernel Offset: disabled
[ 86.132643][ T4667] Rebooting in 86400 seconds..