program:
# syzkaller reproducer (syzlang). Calls suffixed with "(async)" are issued
# without waiting for completion, so their ordering relative to the calls
# that follow is not fixed; that is what lets the timeout path below race.
#
# Crash recorded in the log that follows: WARNING "refcnt < 0" at
# net/bluetooth/hci_conn.c:567 in hci_conn_timeout (Workqueue: hci0), after
# two "Bluetooth: hci0: command tx timeout" messages, escalated to a panic
# because panic_on_warn is set. With that setting a reachable WARN is a
# denial of service, so exposure should be assessed even though the fix is
# a refcount accounting bug rather than memory corruption.
#
# NOTE(review): the Bluetooth-relevant calls appear to be the bt_hci socket,
# its ioctl and the three syz_emit_vhci injections; the rose/sctp/tcp/ptrace
# calls are presumably fuzzer residue -- confirm by minimizing the reproducer.
# The injection path needs /dev/vhci and a raw HCI socket, which are
# normally privileged -- confirm against the target's device permissions.
r0 = syz_init_net_socket$rose(0xb, 0x5, 0x0)
ioctl$sock_inet_SIOCGIFNETMASK(r0, 0x891b, 0x0)
# Raw HCI socket (AF_BLUETOOTH=0x1f, SOCK_RAW=0x3, BTPROTO_HCI=0x1).
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
# 0x400448cb looks like HCIDEVRESET -- TODO confirm against the kernel headers.
ioctl$sock_bt_hci(r1, 0x400448cb, 0x0) (async)
# syz_emit_vhci feeds a packet to the virtual HCI driver. The leading blob
# byte 0x04 is the HCI event packet indicator; 0x3e presumably an LE Meta
# event -- verify. The declared length (0x22) exceeds the four literal bytes,
# so the rest of the event is whatever the scratch page holds at that point.
syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) (async)
r2 = socket$inet6_sctp(0xa, 0x1, 0x84)
bind$inet6(r2, 0x0, 0x0) (async)
sendto$inet6(r2, 0x0, 0x0, 0x0, 0x0, 0x0)
r3 = socket$inet_tcp(0x2, 0x1, 0x0)
setsockopt$inet_tcp_int(r3, 0x6, 0x18, &(0x7f0000000040)=0x1f, 0x4)
# Second injected HCI event (event code byte 0x0b), again asynchronous
# with respect to the hci0 timeout work.
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="040b"], 0xe) (async)
r4 = syz_clone(0x0, 0x0, 0x0, 0x0, 0x0, 0x0)
ptrace(0x10, r4) (async)
ptrace$peekuser(0x3, r4, 0xfd) (async)
# Third injected HCI event (0x0e looks like Command Complete -- verify);
# this one is synchronous, so the program ends once it has been written.
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="040e0402030c"], 0x7)
[ 78.251036][ T5317] Bluetooth: hci0: command tx timeout [ 80.298715][ T4686] Bluetooth: hci0: command tx timeout [ 80.463193][ T5317] ------------[ cut here ]------------ [ 80.465882][ T5317] refcnt < 0 [ 80.465897][ T5317] WARNING: net/bluetooth/hci_conn.c:567 at hci_conn_timeout+0xff/0x2c0, CPU#0: kworker/u5:2/5317 [ 80.473371][ T5317] Modules linked in: [ 80.476714][ T5317] CPU: 0 UID: 0 PID: 5317 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) [ 80.481865][ T5317] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 80.487956][ T5317] Workqueue: hci0 hci_conn_timeout [ 80.490890][ T5317] RIP: 0010:hci_conn_timeout+0xff/0x2c0 [ 80.493674][ T5317] Code: 48 89 df e8 f3 b0 09 00 eb 07 e8 cc d8 1a f7 b0 13 0f b6 f0 48 89 df 5b 41 5c 41 5e 41 5f 5d e9 77 a8 fe ff e8 b2 d8 1a f7 90 <0f> 0b 90 eb 8c 44 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 31 ff ff ff [ 80.503914][ T5317] RSP: 0018:ffffc9000346fab0 EFLAGS: 00010293 [ 80.506971][ T5317] RAX: ffffffff8aab060e RBX: ffff888041bb8000 RCX: ffff888000722500 [ 80.511659][ T5317] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000000 [ 80.515558][ T5317] RBP: 00000000ffffffff R08: ffff888041bb8013 R09: 1ffff11008377002 [ 80.519866][ T5317] R10: 
dffffc0000000000 R11: ffffed1008377003 R12: dffffc0000000000 [ 80.523900][ T5317] R13: ffff888041bb8a40 R14: ffff888041bb8a40 R15: ffff888041bb8010 [ 80.527339][ T5317] FS: 0000000000000000(0000) GS:ffff88808c812000(0000) knlGS:0000000000000000 [ 80.534788][ T5317] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 80.537752][ T5317] CR2: 00007ff3ed87dfa4 CR3: 0000000043325000 CR4: 0000000000352ef0 [ 80.541738][ T5317] Call Trace: [ 80.543611][ T5317] [ 80.545194][ T5317] ? process_scheduled_works+0xa70/0x1860 [ 80.547769][ T5317] process_scheduled_works+0xb5d/0x1860 [ 80.550338][ T5317] ? __pfx_process_scheduled_works+0x10/0x10 [ 80.553027][ T5317] ? assign_work+0x3d5/0x5e0 [ 80.555429][ T5317] worker_thread+0xa53/0xfc0 [ 80.557504][ T5317] ? __kthread_parkme+0x7a/0x1f0 [ 80.560109][ T5317] kthread+0x388/0x470 [ 80.562185][ T5317] ? __pfx_worker_thread+0x10/0x10 [ 80.565375][ T5317] ? __pfx_kthread+0x10/0x10 [ 80.567814][ T5317] ret_from_fork+0x514/0xb70 [ 80.570017][ T5317] ? __pfx_ret_from_fork+0x10/0x10 [ 80.572216][ T5317] ? __switch_to+0xc79/0x1410 [ 80.574448][ T5317] ? __pfx_kthread+0x10/0x10 [ 80.577140][ T5317] ret_from_fork_asm+0x1a/0x30 [ 80.580062][ T5317] [ 80.581668][ T5317] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 80.585054][ T5317] CPU: 0 UID: 0 PID: 5317 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) [ 80.589330][ T5317] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 80.594586][ T5317] Workqueue: hci0 hci_conn_timeout [ 80.596946][ T5317] Call Trace: [ 80.598531][ T5317] [ 80.599946][ T5317] vpanic+0x56c/0xa60 [ 80.601937][ T5317] ? __pfx__printk+0x10/0x10 [ 80.604477][ T5317] ? __pfx_vpanic+0x10/0x10 [ 80.606734][ T5317] ? is_bpf_text_address+0x292/0x2b0 [ 80.609085][ T5317] ? is_bpf_text_address+0x26/0x2b0 [ 80.611409][ T5317] panic+0xc5/0xd0 [ 80.613400][ T5317] ? __pfx_panic+0x10/0x10 [ 80.616165][ T5317] ? 
ret_from_fork_asm+0x1a/0x30 [ 80.618801][ T5317] __warn+0x315/0x4c0 [ 80.620618][ T5317] ? hci_conn_timeout+0xff/0x2c0 [ 80.622827][ T5317] ? hci_conn_timeout+0xff/0x2c0 [ 80.625177][ T5317] __report_bug+0x29a/0x540 [ 80.627869][ T5317] ? hci_conn_timeout+0xff/0x2c0 [ 80.630854][ T5317] ? __pfx___report_bug+0x10/0x10 [ 80.633243][ T5317] ? add_lock_to_list+0xc7/0x100 [ 80.635454][ T5317] ? lockdep_unlock+0x5d/0xd0 [ 80.637581][ T5317] ? __lock_acquire+0x146e/0x2cf0 [ 80.640322][ T5317] ? hci_conn_timeout+0xff/0x2c0 [ 80.643291][ T5317] report_bug+0x16a/0x220 [ 80.645459][ T5317] ? hci_conn_timeout+0xff/0x2c0 [ 80.647694][ T5317] ? hci_conn_timeout+0x101/0x2c0 [ 80.650117][ T5317] handle_bug+0x9c/0x200 [ 80.652629][ T5317] exc_invalid_op+0x1a/0x50 [ 80.655472][ T5317] asm_exc_invalid_op+0x1a/0x20 [ 80.657867][ T5317] RIP: 0010:hci_conn_timeout+0xff/0x2c0 [ 80.660463][ T5317] Code: 48 89 df e8 f3 b0 09 00 eb 07 e8 cc d8 1a f7 b0 13 0f b6 f0 48 89 df 5b 41 5c 41 5e 41 5f 5d e9 77 a8 fe ff e8 b2 d8 1a f7 90 <0f> 0b 90 eb 8c 44 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 31 ff ff ff [ 80.670597][ T5317] RSP: 0018:ffffc9000346fab0 EFLAGS: 00010293 [ 80.673804][ T5317] RAX: ffffffff8aab060e RBX: ffff888041bb8000 RCX: ffff888000722500 [ 80.677432][ T5317] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000000 [ 80.681880][ T5317] RBP: 00000000ffffffff R08: ffff888041bb8013 R09: 1ffff11008377002 [ 80.686126][ T5317] R10: dffffc0000000000 R11: ffffed1008377003 R12: dffffc0000000000 [ 80.689655][ T5317] R13: ffff888041bb8a40 R14: ffff888041bb8a40 R15: ffff888041bb8010 [ 80.693885][ T5317] ? hci_conn_timeout+0xfe/0x2c0 [ 80.696827][ T5317] ? process_scheduled_works+0xa70/0x1860 [ 80.699558][ T5317] process_scheduled_works+0xb5d/0x1860 [ 80.702109][ T5317] ? __pfx_process_scheduled_works+0x10/0x10 [ 80.704880][ T5317] ? assign_work+0x3d5/0x5e0 [ 80.707184][ T5317] worker_thread+0xa53/0xfc0 [ 80.709942][ T5317] ? 
__kthread_parkme+0x7a/0x1f0 [ 80.713424][ T5317] kthread+0x388/0x470 [ 80.715350][ T5317] ? __pfx_worker_thread+0x10/0x10 [ 80.717710][ T5317] ? __pfx_kthread+0x10/0x10 [ 80.720111][ T5317] ret_from_fork+0x514/0xb70 [ 80.722879][ T5317] ? __pfx_ret_from_fork+0x10/0x10 [ 80.725468][ T5317] ? __switch_to+0xc79/0x1410 [ 80.727696][ T5317] ? __pfx_kthread+0x10/0x10 [ 80.730589][ T5317] ret_from_fork_asm+0x1a/0x30 [ 80.733400][ T5317] [ 80.735631][ T5317] Kernel Offset: disabled [ 80.737583][ T5317] Rebooting in 86400 seconds..