program:
r0 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0)
ioctl$TIOCSETD(r0, 0x5423, &(0x7f00000000c0)=0xf) (async)
r1 = openat$pmem0(0xffffffffffffff9c, &(0x7f0000000000), 0x400, 0x0)
ioctl$BLKREPORTZONE(r1, 0xc0101282, 0x0)
r2 = fcntl$dupfd(r0, 0x0, r0)
ioctl$TCFLSH(r2, 0x400455c8, 0x2) (async)
ioctl$TIOCSETD(r2, 0x5412, &(0x7f0000000140)=0xffffffc0) (async, rerun: 32)
ioctl$TIOCSTI(r0, 0x5412, &(0x7f0000000280)) (rerun: 32)
ioctl$TIOCSTI(r2, 0x5412, &(0x7f0000000040))
ioctl$TIOCSTI(r2, 0x5412, &(0x7f0000000200)=0xff) (async)
ioctl$TIOCSTI(r0, 0x5412, &(0x7f0000000180)) (async)
ioctl$TIOCSTI(r2, 0x5412, &(0x7f0000000240)=0xff)

[ 85.464156][ T47] Bluetooth: hci0: command tx timeout
[ 85.547330][ T5328] Oops: general protection fault, probably for non-canonical address 0xdffffc000000005f: 0000 [#1] SMP KASAN NOPTI
[ 85.552557][ T5328] KASAN: null-ptr-deref in range [0x00000000000002f8-0x00000000000002ff]
[ 85.556058][ T5328] CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 85.559543][ T5328] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 85.563872][ T5328] RIP: 0010:h5_recv+0x146/0x910
[ 85.565933][ T5328] Code: 18 48 c1 ea 03 48 89 54 24 28 48 89 d8 48 c1 e8 03 48 89 44 24 50 44 89 64 24 14 48 b8 00 00 00 00 00 fc ff df 48 8b 4c 24 30 <80> 3c 01 00 74 08 4c 89 ef e8 bc 10 f4 f9 4d 8b 65 00 31 ff 4c 89
[ 85.573797][ T5328] RSP: 0018:ffffc9000d46fc20 EFLAGS: 00010202
[ 85.576605][ T5328] RAX: dffffc0000000000 RBX: 00000000000002e8 RCX: 000000000000005f
[ 85.580090][ T5328] RDX: 000000000000005e RSI: 0000000000000001 RDI: 0000000000000000
[ 85.583542][ T5328] RBP: ffffc9000d46fd40 R08: ffff88803f108c1f R09: 1ffff11007e21183
[ 85.586864][ T5328] R10: dffffc0000000000 R11: ffffffff883340e0 R12: 0000000000000001
[ 85.590182][ T5328] R13: 00000000000002f8 R14: ffff88803f108c10 R15: ffffc9000d46fde0
[ 85.593325][ T5328] FS: 00007f344997a6c0(0000) GS:ffff88808d733000(0000) knlGS:0000000000000000
[ 85.596865][ T5328] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 85.599645][ T5328] CR2: 00007f3449979fc8 CR3: 00000000409fb000 CR4: 0000000000352ef0
[ 85.603012][ T5328] Call Trace:
[ 85.604739][ T5328]
[ 85.606310][ T5328] ? __pfx_h5_recv+0x10/0x10
[ 85.608413][ T5328] ? rcu_read_lock_any_held+0xb3/0x120
[ 85.610715][ T5328] ? __pfx_rcu_read_lock_any_held+0x10/0x10
[ 85.613384][ T5328] ? tty_audit_push+0x7c/0x250
[ 85.615422][ T5328] hci_uart_tty_receive+0x194/0x220
[ 85.617539][ T5328] ? __pfx_hci_uart_tty_receive+0x10/0x10
[ 85.619918][ T5328] tiocsti+0x23c/0x2c0
[ 85.621529][ T5328] ? __pfx_tiocsti+0x10/0x10
[ 85.623278][ T5328] ? __fget_files+0x3a0/0x420
[ 85.625209][ T5328] ? __fget_files+0x2a/0x420
[ 85.627252][ T5328] tty_ioctl+0x626/0xde0
[ 85.629091][ T5328] ? __pfx_tty_ioctl+0x10/0x10
[ 85.631121][ T5328] __se_sys_ioctl+0xfc/0x170
[ 85.633155][ T5328] do_syscall_64+0xfa/0xfa0
[ 85.635112][ T5328] ? lockdep_hardirqs_on+0x9c/0x150
[ 85.637314][ T5328] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.639890][ T5328] ? clear_bhb_loop+0x60/0xb0
[ 85.641956][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.644551][ T5328] RIP: 0033:0x7f3448b8efc9
[ 85.646548][ T5328] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 85.654460][ T5328] RSP: 002b:00007f344997a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 85.657687][ T5328] RAX: ffffffffffffffda RBX: 00007f3448de6090 RCX: 00007f3448b8efc9
[ 85.660864][ T5328] RDX: 0000200000000140 RSI: 0000000000005412 RDI: 0000000000000005
[ 85.664220][ T5328] RBP: 00007f3448c11f91 R08: 0000000000000000 R09: 0000000000000000
[ 85.667456][ T5328] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 85.670604][ T5328] R13: 00007f3448de6128 R14: 00007f3448de6090 R15: 00007ffd9584b298
[ 85.674005][ T5328]
[ 85.675350][ T5328] Modules linked in:
[ 85.677534][ T5328] ---[ end trace 0000000000000000 ]---
[ 85.686042][ T5328] RIP: 0010:h5_recv+0x146/0x910
[ 85.687988][ T5328] Code: 18 48 c1 ea 03 48 89 54 24 28 48 89 d8 48 c1 e8 03 48 89 44 24 50 44 89 64 24 14 48 b8 00 00 00 00 00 fc ff df 48 8b 4c 24 30 <80> 3c 01 00 74 08 4c 89 ef e8 bc 10 f4 f9 4d 8b 65 00 31 ff 4c 89
[ 85.696252][ T5328] RSP: 0018:ffffc9000d46fc20 EFLAGS: 00010202
[ 85.698397][ T5328] RAX: dffffc0000000000 RBX: 00000000000002e8 RCX: 000000000000005f
[ 85.701335][ T5328] RDX: 000000000000005e RSI: 0000000000000001 RDI: 0000000000000000
[ 85.704205][ T5328] RBP: ffffc9000d46fd40 R08: ffff88803f108c1f R09: 1ffff11007e21183
[ 85.707744][ T5328] R10: dffffc0000000000 R11: ffffffff883340e0 R12: 0000000000000001
[ 85.710759][ T5328] R13: 00000000000002f8 R14: ffff88803f108c10 R15: ffffc9000d46fde0
[ 85.714078][ T5328] FS: 00007f344997a6c0(0000) GS:ffff88808d733000(0000) knlGS:0000000000000000
[ 85.718214][ T5328] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 85.720699][ T5328] CR2: 00007f3449958fc8 CR3: 00000000409fb000 CR4: 0000000000352ef0
[ 85.724244][ T5328] Kernel panic - not syncing: Fatal exception
[ 85.727274][ T5328] Kernel Offset: disabled
[ 85.729227][ T5328] Rebooting in 86400 seconds..