Bluetooth: hci8: sending frame failed (-49)
general protection fault, probably for non-canonical address 0xdffffc0000000072: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000390-0x0000000000000397]
CPU: 0 PID: 3637 Comm: kworker/u5:5 Not tainted 5.17.0-syzkaller-00192-geaa54b1458ca #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: hci8 hci_cmd_work
RIP: 0010:__pm_runtime_resume+0x44/0x170 drivers/base/power/runtime.c:1126
Code: ff e8 a0 ab af fc 44 89 e0 83 e0 01 0f 85 81 00 00 00 48 bb 00 00 00 00 00 fc ff df 4d 8d be 90 03 00 00 4c 89 f8 48 c1 e8 03 <8a> 04 18 84 c0 0f 85 e0 00 00 00 41 0f b7 2f 81 e5 00 04 00 00 31
RSP: 0018:ffffc9000297fb28 EFLAGS: 00010206
RAX: 0000000000000072 RBX: dffffc0000000000 RCX: ffff88801dcc1d00
RDX: ffff88801dcc1d00 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff88801a00b2a8 R08: ffffffff84d5f1d0 R09: fffffbfff1ffbdf1
R10: fffffbfff1ffbdf1 R11: 0000000000000000 R12: 0000000000000004
R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000390
FS:  0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff22b31ed8 CR3: 000000007d0a4000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 pm_runtime_get_sync include/linux/pm_runtime.h:420 [inline]
 h5_enqueue+0x1f9/0x2b0 drivers/bluetooth/hci_h5.c:632
 hci_uart_send_frame+0x195/0x480 drivers/bluetooth/hci_ldisc.c:286
 hci_send_frame+0x1ad/0x2b0 net/bluetooth/hci_core.c:2942
 hci_cmd_work+0x1ae/0x360 net/bluetooth/hci_core.c:3861
 process_one_work+0x86c/0x1190 kernel/workqueue.c:2307
 worker_thread+0xab1/0x1300 kernel/workqueue.c:2454
 kthread+0x2a3/0x2d0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__pm_runtime_resume+0x44/0x170 drivers/base/power/runtime.c:1126
Code: ff e8 a0 ab af fc 44 89 e0 83 e0 01 0f 85 81 00 00 00 48 bb 00 00 00 00 00 fc ff df 4d 8d be 90 03 00 00 4c 89 f8 48 c1 e8 03 <8a> 04 18 84 c0 0f 85 e0 00 00 00 41 0f b7 2f 81 e5 00 04 00 00 31
RSP: 0018:ffffc9000297fb28 EFLAGS: 00010206
RAX: 0000000000000072 RBX: dffffc0000000000 RCX: ffff88801dcc1d00
RDX: ffff88801dcc1d00 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff88801a00b2a8 R08: ffffffff84d5f1d0 R09: fffffbfff1ffbdf1
R10: fffffbfff1ffbdf1 R11: 0000000000000000 R12: 0000000000000004
R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000390
FS:  0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff22b31ed8 CR3: 000000007f209000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	e8 a0 ab af fc       	callq  0xfcafaba5
   5:	44 89 e0             	mov    %r12d,%eax
   8:	83 e0 01             	and    $0x1,%eax
   b:	0f 85 81 00 00 00    	jne    0x92
  11:	48 bb 00 00 00 00 00 	movabs $0xdffffc0000000000,%rbx
  18:	fc ff df
  1b:	4d 8d be 90 03 00 00 	lea    0x390(%r14),%r15
  22:	4c 89 f8             	mov    %r15,%rax
  25:	48 c1 e8 03          	shr    $0x3,%rax
* 29:	8a 04 18             	mov    (%rax,%rbx,1),%al		<-- trapping instruction
  2c:	84 c0                	test   %al,%al
  2e:	0f 85 e0 00 00 00    	jne    0x114
  34:	41 0f b7 2f          	movzwl (%r15),%ebp
  38:	81 e5 00 04 00 00    	and    $0x400,%ebp
  3e:	31                   	.byte 0x31