program:
timer_create(0x80ecbcfe82bef37, 0x0, &(0x7f0000000080)) (async)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r0, 0x400448cb, 0x0) (async)
syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) (async)
write(r0, &(0x7f0000000080)="c0d5208930451139daeda77e8c0409fba7877f28cf244aa8b81449494b40d2c63de11d6163e04e2cf56a8ccb2b58a52f8b4ec75ce28c77ea39fedfcd7e89ce3b4f13e6e2d0d89e966e0de912f6fc1682cf2cd164e398d32b6ff0556272b79a1a63ed536ba9d46a3352edafcf84938f9f48450125bdb801f95519afd1", 0x7c)
syz_emit_vhci(&(0x7f0000000340)=ANY=[@ANYBLOB="03c900c56c2c5fbd59f164622a7609dce2de722303f82b9cba179c26cb0af533887194cdddde0b86439d0de15bdac32bdeb21e438d95415c38d01b05d067e9b82750bd95008592d9d403583e2efba30ea06af9e600000040a738596776901c475480048ad5e7c656b8c8e6d4d2f5b77b2c4b3a16b2479025b3edeacf53e85c722395a863cb9c0cd3528012b16149ccd52a91520c5fbbfb29f2225abd5896d2d20df01dea3602072bcad21bc2b1d3e14455cab77a549b23e71b1728d061d1fcc5195adbaa251205aa2e3e440b89ade017a6146477e15b6e44c390ea8a76198ef78a3d91bb96211db21c0624a665be5dc0c69185213823fb486fe5c704f174bc52cddd863ff0ae405f70fcb25d37e92fe0d3f7ca13214d8965aaa5524c60eb5fb05a2ac7f6f8a1c739c98bae95f4c6ee002dfa3f30c0db2aaa99c357135ffd2422436555c06c534878e8b8b052e4da4974cdcd12702dc9556e6c9646f9"], 0xc9) (async, rerun: 32)
syz_emit_vhci(&(0x7f0000000300)=ANY=[@ANYBLOB="040b"], 0xe) (rerun: 32)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="040e0402030c"], 0x7)

[  102.754851][ T5302] Bluetooth: hci0: command 0x040f tx timeout
[  102.758200][ T5302] ------------[ cut here ]------------
[  102.760327][ T5302] refcnt < 0
[  102.760339][ T5302] WARNING: net/bluetooth/hci_conn.c:567 at hci_conn_timeout+0xff/0x2c0, CPU#0: kworker/u5:2/5302
[  102.765891][ T5302] Modules linked in:
[  102.767929][ T5302] CPU: 0 UID: 0 PID: 5302 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) 
[  102.772941][ T5302] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  102.777723][ T5302] Workqueue: hci0 hci_conn_timeout
[  102.779715][ T5302] RIP: 0010:hci_conn_timeout+0xff/0x2c0
[  102.781734][ T5302] Code: 48 89 df e8 63 a0 09 00 eb 07 e8 4c a1 21 f7 b0 13 0f b6 f0 48 89 df 5b 41 5c 41 5e 41 5f 5d e9 97 a8 fe ff e8 32 a1 21 f7 90 <0f> 0b 90 eb 8c 44 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 31 ff ff ff
[  102.790026][ T5302] RSP: 0018:ffffc9000e2dfab0 EFLAGS: 00010293
[  102.793386][ T5302] RAX: ffffffff8aa41d3e RBX: ffff888012638000 RCX: ffff88801f2524c0
[  102.797236][ T5302] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000000
[  102.800656][ T5302] RBP: 00000000ffffffff R08: ffff888012638013 R09: 1ffff110024c7002
[  102.804135][ T5302] R10: dffffc0000000000 R11: ffffed10024c7003 R12: dffffc0000000000
[  102.807443][ T5302] R13: ffff88801f8f5518 R14: ffff888012638a40 R15: ffff888012638010
[  102.811666][ T5302] FS:  0000000000000000(0000) GS:ffff88808ca4e000(0000) knlGS:0000000000000000
[  102.816501][ T5302] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  102.819439][ T5302] CR2: 000055560d934168 CR3: 000000001f416000 CR4: 0000000000352ef0
[  102.822795][ T5302] Call Trace:
[  102.824401][ T5302]  <TASK>
[  102.825796][ T5302]  ? process_scheduled_works+0xa8d/0x18c0
[  102.828384][ T5302]  process_scheduled_works+0xb6e/0x18c0
[  102.831037][ T5302]  ? __pfx_process_scheduled_works+0x10/0x10
[  102.834197][ T5302]  ? assign_work+0x3d5/0x5e0
[  102.836408][ T5302]  worker_thread+0xa53/0xfc0
[  102.838675][ T5302]  kthread+0x388/0x470
[  102.840475][ T5302]  ? __pfx_worker_thread+0x10/0x10
[  102.842836][ T5302]  ? __pfx_kthread+0x10/0x10
[  102.845153][ T5302]  ret_from_fork+0x51e/0xb90
[  102.847291][ T5302]  ? __pfx_ret_from_fork+0x10/0x10
[  102.849727][ T5302]  ? __switch_to+0xc7d/0x1450
[  102.852238][ T5302]  ? __pfx_kthread+0x10/0x10
[  102.854877][ T5302]  ret_from_fork_asm+0x1a/0x30
[  102.857057][ T5302]  </TASK>
[  102.858453][ T5302] Kernel panic - not syncing: kernel: panic_on_warn set ...
[  102.861702][ T5302] CPU: 0 UID: 0 PID: 5302 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) 
[  102.867289][ T5302] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  102.872560][ T5302] Workqueue: hci0 hci_conn_timeout
[  102.874995][ T5302] Call Trace:
[  102.876536][ T5302]  <TASK>
[  102.877946][ T5302]  vpanic+0x56c/0xa60
[  102.879792][ T5302]  ? __pfx__printk+0x10/0x10
[  102.881974][ T5302]  ? __pfx_vpanic+0x10/0x10
[  102.884123][ T5302]  ? is_bpf_text_address+0x292/0x2b0
[  102.887014][ T5302]  ? is_bpf_text_address+0x26/0x2b0
[  102.889924][ T5302]  panic+0xc5/0xd0
[  102.891723][ T5302]  ? __pfx_panic+0x10/0x10
[  102.893751][ T5302]  ? ret_from_fork_asm+0x1a/0x30
[  102.896017][ T5302]  __warn+0x315/0x4f0
[  102.897827][ T5302]  ? hci_conn_timeout+0xff/0x2c0
[  102.900146][ T5302]  ? hci_conn_timeout+0xff/0x2c0
[  102.902405][ T5302]  __report_bug+0x29a/0x540
[  102.904701][ T5302]  ? __pfx_stack_trace_save+0x10/0x10
[  102.907587][ T5302]  ? hci_conn_timeout+0xff/0x2c0
[  102.910263][ T5302]  ? __pfx___report_bug+0x10/0x10
[  102.912476][ T5302]  ? add_lock_to_list+0xc7/0x100
[  102.914818][ T5302]  ? lockdep_unlock+0x5d/0xd0
[  102.916988][ T5302]  ? __lock_acquire+0x146e/0x2cf0
[  102.919305][ T5302]  ? hci_conn_timeout+0xff/0x2c0
[  102.922251][ T5302]  report_bug+0x16a/0x220
[  102.924585][ T5302]  ? hci_conn_timeout+0xff/0x2c0
[  102.927114][ T5302]  ? hci_conn_timeout+0x101/0x2c0
[  102.929350][ T5302]  handle_bug+0x9c/0x200
[  102.931091][ T5302]  exc_invalid_op+0x1a/0x50
[  102.932972][ T5302]  asm_exc_invalid_op+0x1a/0x20
[  102.934902][ T5302] RIP: 0010:hci_conn_timeout+0xff/0x2c0
[  102.937345][ T5302] Code: 48 89 df e8 63 a0 09 00 eb 07 e8 4c a1 21 f7 b0 13 0f b6 f0 48 89 df 5b 41 5c 41 5e 41 5f 5d e9 97 a8 fe ff e8 32 a1 21 f7 90 <0f> 0b 90 eb 8c 44 89 f9 80 e1 07 80 c1 03 38 c1 0f 8c 31 ff ff ff
[  102.945374][ T5302] RSP: 0018:ffffc9000e2dfab0 EFLAGS: 00010293
[  102.948984][ T5302] RAX: ffffffff8aa41d3e RBX: ffff888012638000 RCX: ffff88801f2524c0
[  102.953221][ T5302] RDX: 0000000000000000 RSI: 00000000ffffffff RDI: 0000000000000000
[  102.956534][ T5302] RBP: 00000000ffffffff R08: ffff888012638013 R09: 1ffff110024c7002
[  102.959885][ T5302] R10: dffffc0000000000 R11: ffffed10024c7003 R12: dffffc0000000000
[  102.963345][ T5302] R13: ffff88801f8f5518 R14: ffff888012638a40 R15: ffff888012638010
[  102.967056][ T5302]  ? hci_conn_timeout+0xfe/0x2c0
[  102.969481][ T5302]  ? process_scheduled_works+0xa8d/0x18c0
[  102.974179][ T5302]  process_scheduled_works+0xb6e/0x18c0
[  102.976676][ T5302]  ? __pfx_process_scheduled_works+0x10/0x10
[  102.979436][ T5302]  ? assign_work+0x3d5/0x5e0
[  102.982066][ T5302]  worker_thread+0xa53/0xfc0
[  102.984878][ T5302]  kthread+0x388/0x470
[  102.986906][ T5302]  ? __pfx_worker_thread+0x10/0x10
[  102.989115][ T5302]  ? __pfx_kthread+0x10/0x10
[  102.991138][ T5302]  ret_from_fork+0x51e/0xb90
[  102.993237][ T5302]  ? __pfx_ret_from_fork+0x10/0x10
[  102.995753][ T5302]  ? __switch_to+0xc7d/0x1450
[  102.998085][ T5302]  ? __pfx_kthread+0x10/0x10
[  103.000572][ T5302]  ret_from_fork_asm+0x1a/0x30
[  103.002926][ T5302]  </TASK>
[  103.004605][ T5302] Kernel Offset: disabled
[  103.006612][ T5302] Rebooting in 86400 seconds..