------------[ cut here ]------------
workqueue: cannot queue hci_rx_work on wq hci0
WARNING: kernel/workqueue.c:2252 at __queue_work+0xfa0/0x121c kernel/workqueue.c:2250, CPU#1: syz.3.4/6708
Modules linked in:
CPU: 1 UID: 0 PID: 6708 Comm: syz.3.4 Not tainted syzkaller #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
pstate: 634000c5 (nZCv daIF +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : __queue_work+0xfa0/0x121c kernel/workqueue.c:2250
lr : __queue_work+0xfa0/0x121c kernel/workqueue.c:2250
sp : ffff8000a5457950
x29: ffff8000a54579a0 x28: 1ffff00014a8af94 x27: 1fffe0001bb26670
x26: ffff0000c8a86800 x25: 0000000000000008 x24: 1fffe0001aadd391
x23: dfff800000000000 x22: ffff0000c8a869c0 x21: 0000000000400040
x20: ffff800092e87000 x19: ffff0000dd280bd8 x18: 0000000000000000
x17: 0000000000000000 x16: ffff800082e5e68c x15: 0000000000000001
x14: 1fffe000337818fa x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000080000 x10: 0000000000000a41 x9 : ba7b86d1a7745400
x8 : ba7b86d1a7745400 x7 : ffff8000805761f8 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000000 x3 : ffff8000807f1034
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000000
Call trace:
__queue_work+0xfa0/0x121c kernel/workqueue.c:2250 (P)
queue_work_on+0xdc/0x18c kernel/workqueue.c:2386
queue_work include/linux/workqueue.h:669 [inline]
hci_recv_frame+0x538/0x6b4 net/bluetooth/hci_core.c:2968
vhci_get_user drivers/bluetooth/hci_vhci.c:520 [inline]
vhci_write+0x298/0x3d4 drivers/bluetooth/hci_vhci.c:616
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x540/0xa3c fs/read_write.c:686
ksys_write+0x120/0x210 fs/read_write.c:738
__do_sys_write fs/read_write.c:749 [inline]
__se_sys_write fs/read_write.c:746 [inline]
__arm64_sys_write+0x7c/0x90 fs/read_write.c:746
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x254 arch/arm64/kernel/syscall.c:49
el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x5c/0x26c arch/arm64/kernel/entry-common.c:724
el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:743
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
irq event stamp: 96
hardirqs last enabled at (95): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last enabled at (95): [] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194
hardirqs last disabled at (96): [] queue_work_on+0x50/0x18c kernel/workqueue.c:2382
softirqs last enabled at (90): [] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
softirqs last disabled at (88): [] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
---[ end trace 0000000000000000 ]---