program:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000000)={0x1f, 0x8ef, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
r1 = syz_init_net_socket$bt_bnep(0x1f, 0x3, 0x4)
ioctl$sock_bt_bnep_BNEPCONNADD(r1, 0x400442c8, &(0x7f00000001c0)={r0, 0x1, 0x2})
ioctl$sock_bt_bnep_BNEPCONNADD(r1, 0x400442c8, &(0x7f0000000040)={r0, 0x0, 0x4})
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r2, 0x400448ca, 0x0)
bind$bt_hci(r2, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r2, &(0x7f0000000340)="23000000010007", 0x7)

[   79.920139][ T5287] Bluetooth: hci0: command tx timeout
[   80.170407][ T5327] Oops: general protection fault, probably for non-canonical address 0xdffffc000000000b: 0000 [#1] SMP KASAN NOPTI
[   80.175431][ T5327] KASAN: null-ptr-deref in range [0x0000000000000058-0x000000000000005f]
[   80.179104][ T5327] CPU: 0 UID: 0 PID: 5327 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   80.183078][ T5327] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   80.187339][ T5327] RIP: 0010:klist_remove+0x156/0x340
[   80.189982][ T5327] Code: 4d 89 f5 49 c1 ed 03 43 80 7c 3d 00 00 74 08 4c 89 f7 e8 0d ee 92 f6 4d 8b 26 49 83 e4 fe 49 8d 7c 24 58 48 89 f8 48 c1 e8 03 <42> 80 3c 38 00 74 05 e8 ee ed 92 f6 49 8b 44 24 58 48 89 44 24 08
[   80.198481][ T5327] RSP: 0018:ffffc9000e157960 EFLAGS: 00010202
[   80.201052][ T5327] RAX: 000000000000000b RBX: ffff8880008fca80 RCX: 0000000000000000
[   80.204458][ T5327] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000058
[   80.207659][ T5327] RBP: ffffc9000e157a60 R08: ffffffff9016d9e3 R09: 1ffffffff202db3c
[   80.211066][ T5327] R10: dffffc0000000000 R11: fffffbfff202db3d R12: 0000000000000000
[   80.214556][ T5327] R13: 1ffff110023b3b0c R14: ffff888011d9d860 R15: dffffc0000000000
[   80.218070][ T5327] FS:  00007fde272f46c0(0000) GS:ffff88808c891000(0000) knlGS:0000000000000000
[   80.221924][ T5327] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   80.224759][ T5327] CR2: 00007fe4e41ab68c CR3: 00000000430fb000 CR4: 0000000000352ef0
[   80.228039][ T5327] Call Trace:
[   80.229704][ T5327]  <TASK>
[   80.231018][ T5327]  ? __pfx_klist_remove+0x10/0x10
[   80.233070][ T5327]  ? kobject_move+0x5de/0x720
[   80.235342][ T5327]  ? __pfx_kobject_move+0x10/0x10
[   80.237630][ T5327]  ? do_raw_spin_unlock+0x4d/0x210
[   80.240033][ T5327]  ? get_device_parent+0x366/0x3a0
[   80.242769][ T5327]  device_move+0x193/0x730
[   80.244668][ T5327]  hci_conn_del_sysfs+0xb8/0x1a0
[   80.246985][ T5327]  hci_conn_del+0xc36/0x1230
[   80.249013][ T5327]  hci_conn_hash_flush+0x191/0x260
[   80.251417][ T5327]  hci_dev_close_sync+0x85d/0x1150
[   80.253778][ T5327]  ? __pfx_hci_dev_close_sync+0x10/0x10
[   80.256308][ T5327]  ? lockdep_hardirqs_on+0x7a/0x110
[   80.258511][ T5327]  ? enable_work+0x1fd/0x230
[   80.260496][ T5327]  hci_dev_close+0x108/0x260
[   80.262664][ T5327]  sock_do_ioctl+0x101/0x320
[   80.264669][ T5327]  ? __pfx_sock_do_ioctl+0x10/0x10
[   80.266839][ T5327]  ? do_futex+0x333/0x420
[   80.268873][ T5327]  sock_ioctl+0x5c6/0x7f0
[   80.270795][ T5327]  ? __pfx_sock_ioctl+0x10/0x10
[   80.273214][ T5327]  ? __fget_files+0x2a/0x420
[   80.275272][ T5327]  ? __fget_files+0x3a0/0x420
[   80.277405][ T5327]  ? __fget_files+0x2a/0x420
[   80.279535][ T5327]  ? bpf_lsm_file_ioctl+0x9/0x20
[   80.281631][ T5327]  ? __pfx_sock_ioctl+0x10/0x10
[   80.283641][ T5327]  __se_sys_ioctl+0xfc/0x170
[   80.285613][ T5327]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   80.288281][ T5327]  do_syscall_64+0x174/0x580
[   80.290307][ T5327]  ? trace_irq_disable+0x3b/0x140
[   80.292454][ T5327]  ? clear_bhb_loop+0x40/0x90
[   80.294653][ T5327]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   80.297386][ T5327] RIP: 0033:0x7fde2639ce59
[   80.299395][ T5327] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[   80.308211][ T5327] RSP: 002b:00007fde272f3fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   80.311943][ T5327] RAX: ffffffffffffffda RBX: 00007fde26616090 RCX: 00007fde2639ce59
[   80.315637][ T5327] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000006
[   80.319036][ T5327] RBP: 00007fde26432d6f R08: 0000000000000000 R09: 0000000000000000
[   80.322382][ T5327] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   80.325855][ T5327] R13: 00007fde26616128 R14: 00007fde26616090 R15: 00007ffe65810c88
[   80.329433][ T5327]  </TASK>
[   80.330834][ T5327] Modules linked in:
[   80.333372][ T5327] ---[ end trace 0000000000000000 ]---
[   80.394316][ T5326] Bluetooth: MGMT ver 1.23
[   80.396437][ T5327] RIP: 0010:klist_remove+0x156/0x340
[   80.398887][ T5327] Code: 4d 89 f5 49 c1 ed 03 43 80 7c 3d 00 00 74 08 4c 89 f7 e8 0d ee 92 f6 4d 8b 26 49 83 e4 fe 49 8d 7c 24 58 48 89 f8 48 c1 e8 03 <42> 80 3c 38 00 74 05 e8 ee ed 92 f6 49 8b 44 24 58 48 89 44 24 08
[   80.407986][ T5327] RSP: 0018:ffffc9000e157960 EFLAGS: 00010202
[   80.411071][ T5327] RAX: 000000000000000b RBX: ffff8880008fca80 RCX: 0000000000000000
[   80.414503][ T5327] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000058
[   80.417790][ T5327] RBP: ffffc9000e157a60 R08: ffffffff9016d9e3 R09: 1ffffffff202db3c
[   80.421495][ T5327] R10: dffffc0000000000 R11: fffffbfff202db3d R12: 0000000000000000
[   80.424660][ T5327] R13: 1ffff110023b3b0c R14: ffff888011d9d860 R15: dffffc0000000000
[   80.427741][ T5327] FS:  00007fde272f46c0(0000) GS:ffff88808c891000(0000) knlGS:0000000000000000
[   80.431907][ T5327] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   80.434445][ T5327] CR2: 00007fef8843e5a3 CR3: 00000000430fb000 CR4: 0000000000352ef0
[   80.437678][ T5327] Kernel panic - not syncing: Fatal exception
[   80.440440][ T5327] Kernel Offset: disabled
[   80.442204][ T5327] Rebooting in 86400 seconds..