program:
# syzkaller reproducer: one syscall per line, executed top to bottom.
# "rN = ..." binds the returned fd so later calls can pass it along.
#
# r0 = Bluetooth L2CAP socket (family 0x1f = AF_BLUETOOTH, type 0x2, proto 0x0).
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
# Connect r0 to a fixed (synthetic) peer address; 0xe is the sockaddr length.
# NOTE(review): the "hci0: command tx timeout" line in the log below is
# consistent with the emulated controller never completing this request.
connect$bt_l2cap(r0, &(0x7f0000000000)={0x1f, 0x8ef, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
# r1 = BNEP raw socket. BNEPCONNADD (0x400442c8) hands the L2CAP socket r0
# to the BNEP layer, so the same connection now has a second owner.
r1 = syz_init_net_socket$bt_bnep(0x1f, 0x3, 0x4)
ioctl$sock_bt_bnep_BNEPCONNADD(r1, 0x400442c8, &(0x7f00000001c0)={r0, 0x1, 0x2})
# r2 = HCI raw socket. Request 0x400448ca with arg 0 is HCIDEVDOWN on hci0;
# the log below confirms the path hci_sock_ioctl -> hci_dev_close.
# "fail_nth: 3" makes the executor fail the 3rd fault-injectable allocation
# inside this syscall; the log shows failslab firing in __alloc_skb called
# from create_monitor_ctrl_open. hci_dev_close continues regardless and
# hci_conn_hash_flush -> hci_conn_del -> hci_conn_del_sysfs -> device_move
# then hits a NULL dereference in klist_remove (KASAN: null-ptr-deref in
# range 0x58..0x5f), ending in a kernel panic. Presumably the L2CAP/BNEP
# setup above is what leaves a connection in the state device_move cannot
# handle; confirm which allocation is the 3rd against the kernel source.
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r2, 0x400448ca, 0x0) (fail_nth: 3)
[ 74.844047][ T5304] Bluetooth: hci0: command tx timeout
[ 74.922268][ T5324] FAULT_INJECTION: forcing a failure.
[ 74.922268][ T5324] name failslab, interval 1, probability 0, space 0, times 1
[ 74.943411][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full)
[ 74.943425][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 74.943431][ T5324] Call Trace:
[ 74.943436][ T5324]
[ 74.943441][ T5324] dump_stack_lvl+0x189/0x250
[ 74.943520][ T5324] ? __pfx____ratelimit+0x10/0x10
[ 74.943552][ T5324] ? __pfx_dump_stack_lvl+0x10/0x10
[ 74.943567][ T5324] ? __pfx__printk+0x10/0x10
[ 74.943579][ T5324] ? _raw_spin_unlock_irqrestore+0x85/0x110
[ 74.943592][ T5324] ? lockdep_hardirqs_on+0x9c/0x150
[ 74.943608][ T5324] should_fail_ex+0x414/0x560
[ 74.943652][ T5324] should_failslab+0xa8/0x100
[ 74.943664][ T5324] kmem_cache_alloc_node_noprof+0x76/0x3c0
[ 74.943674][ T5324] ? __alloc_skb+0x112/0x2d0
[ 74.943714][ T5324] __alloc_skb+0x112/0x2d0
[ 74.943727][ T5324] create_monitor_ctrl_open+0x156/0x880
[ 74.943740][ T5324] ? rcu_is_watching+0x15/0xb0
[ 74.943759][ T5324] ? __pfx_create_monitor_ctrl_open+0x10/0x10
[ 74.943800][ T5324] ? bpf_lsm_capable+0x9/0x20
[ 74.943816][ T5324] hci_sock_ioctl+0x2f2/0x910
[ 74.943830][ T5324] sock_do_ioctl+0xd9/0x300
[ 74.943845][ T5324] ? __pfx_sock_do_ioctl+0x10/0x10
[ 74.943857][ T5324] ? __lock_acquire+0xab9/0xd20
[ 74.943881][ T5324] sock_ioctl+0x576/0x790
[ 74.943895][ T5324] ? __pfx_sock_ioctl+0x10/0x10
[ 74.943903][ T5324] ? __fget_files+0x2a/0x420
[ 74.943910][ T5324] ? __fget_files+0x3a0/0x420
[ 74.943917][ T5324] ? __fget_files+0x2a/0x420
[ 74.943924][ T5324] ? bpf_lsm_file_ioctl+0x9/0x20
[ 74.943933][ T5324] ? __pfx_sock_ioctl+0x10/0x10
[ 74.943941][ T5324] __se_sys_ioctl+0xf9/0x170
[ 74.943952][ T5324] do_syscall_64+0xfa/0x3b0
[ 74.943962][ T5324] ? lockdep_hardirqs_on+0x9c/0x150
[ 74.943970][ T5324] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.943977][ T5324] ? clear_bhb_loop+0x60/0xb0
[ 74.943985][ T5324] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 74.943991][ T5324] RIP: 0033:0x7fe36ef8e929
[ 74.944000][ T5324] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 74.944007][ T5324] RSP: 002b:00007fe36fd1d038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 74.944019][ T5324] RAX: ffffffffffffffda RBX: 00007fe36f1b5fa0 RCX: 00007fe36ef8e929
[ 74.944026][ T5324] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000006
[ 74.944031][ T5324] RBP: 00007fe36fd1d090 R08: 0000000000000000 R09: 0000000000000000
[ 74.944036][ T5324] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 74.944041][ T5324] R13: 0000000000000000 R14: 00007fe36f1b5fa0 R15: 00007ffd20bb7a48
[ 74.944059][ T5324]
[ 75.088269][ T5324] Oops: general protection fault, probably for non-canonical address 0xdffffc000000000b: 0000 [#1] SMP KASAN NOPTI
[ 75.093633][ T5324] KASAN: null-ptr-deref in range [0x0000000000000058-0x000000000000005f]
[ 75.097360][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full)
[ 75.101649][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 75.106367][ T5324] RIP: 0010:klist_remove+0x14a/0x340
[ 75.108706][ T5324] Code: 4d 89 f5 49 c1 ed 03 43 80 7c 3d 00 00 74 08 4c 89 f7 e8 d9 a8 c6 f6 4d 8b 26 49 83 e4 fe 49 8d 7c 24 58 48 89 f8 48 c1 e8 03 <42> 80 3c 38 00 74 05 e8 ba a8 c6 f6 49 8b 44 24 58 48 89 44 24 08
[ 75.117507][ T5324] RSP: 0018:ffffc9000d4b7960 EFLAGS: 00010202
[ 75.120175][ T5324] RAX: 000000000000000b RBX: ffff888033862440 RCX: 0000000000000000
[ 75.123682][ T5324] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000058
[ 75.126981][ T5324] RBP: ffffc9000d4b7a48 R08: ffffffff8f878d43 R09: 1ffffffff1f0f1a8
[ 75.130102][ T5324] R10: dffffc0000000000 R11: fffffbfff1f0f1a9 R12: 0000000000000000
[ 75.133265][ T5324] R13: 1ffff1100340748c R14: ffff88801a03a460 R15: dffffc0000000000
[ 75.136639][ T5324] FS: 00007fe36fd1d6c0(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000
[ 75.140532][ T5324] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 75.143255][ T5324] CR2: 000056533c4eb490 CR3: 0000000042738000 CR4: 0000000000352ef0
[ 75.146577][ T5324] Call Trace:
[ 75.148132][ T5324]
[ 75.149463][ T5324] ? __pfx_klist_remove+0x10/0x10
[ 75.151565][ T5324] ? __pfx_kobject_move+0x10/0x10
[ 75.153917][ T5324] ? get_device_parent+0x366/0x3a0
[ 75.156063][ T5324] device_move+0x193/0x700
[ 75.158256][ T5324] hci_conn_del_sysfs+0xb8/0x170
[ 75.160628][ T5324] hci_conn_del+0x8ff/0xcb0
[ 75.162700][ T5324] hci_conn_hash_flush+0x191/0x230
[ 75.165111][ T5324] hci_dev_close_sync+0xaef/0x1330
[ 75.167379][ T5324] ? __pfx_hci_dev_close_sync+0x10/0x10
[ 75.169745][ T5324] ? do_raw_read_unlock+0x3d/0x80
[ 75.171976][ T5324] hci_dev_close+0x108/0x200
[ 75.174024][ T5324] sock_do_ioctl+0xd9/0x300
[ 75.176005][ T5324] ? __pfx_sock_do_ioctl+0x10/0x10
[ 75.178384][ T5324] ? __lock_acquire+0xab9/0xd20
[ 75.180593][ T5324] sock_ioctl+0x576/0x790
[ 75.182587][ T5324] ? __pfx_sock_ioctl+0x10/0x10
[ 75.184736][ T5324] ? __fget_files+0x2a/0x420
[ 75.186740][ T5324] ? __fget_files+0x3a0/0x420
[ 75.188845][ T5324] ? __fget_files+0x2a/0x420
[ 75.190906][ T5324] ? bpf_lsm_file_ioctl+0x9/0x20
[ 75.193100][ T5324] ? __pfx_sock_ioctl+0x10/0x10
[ 75.195331][ T5324] __se_sys_ioctl+0xf9/0x170
[ 75.197355][ T5324] do_syscall_64+0xfa/0x3b0
[ 75.199420][ T5324] ? lockdep_hardirqs_on+0x9c/0x150
[ 75.201733][ T5324] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.204697][ T5324] ? clear_bhb_loop+0x60/0xb0
[ 75.206981][ T5324] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.209800][ T5324] RIP: 0033:0x7fe36ef8e929
[ 75.211841][ T5324] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 75.220825][ T5324] RSP: 002b:00007fe36fd1d038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 75.224577][ T5324] RAX: ffffffffffffffda RBX: 00007fe36f1b5fa0 RCX: 00007fe36ef8e929
[ 75.228179][ T5324] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000006
[ 75.231650][ T5324] RBP: 00007fe36fd1d090 R08: 0000000000000000 R09: 0000000000000000
[ 75.235181][ T5324] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 75.238785][ T5324] R13: 0000000000000000 R14: 00007fe36f1b5fa0 R15: 00007ffd20bb7a48
[ 75.242559][ T5324]
[ 75.244176][ T5324] Modules linked in:
[ 75.246733][ T5324] ---[ end trace 0000000000000000 ]---
[ 75.254705][ T5324] RIP: 0010:klist_remove+0x14a/0x340
[ 75.257239][ T5324] Code: 4d 89 f5 49 c1 ed 03 43 80 7c 3d 00 00 74 08 4c 89 f7 e8 d9 a8 c6 f6 4d 8b 26 49 83 e4 fe 49 8d 7c 24 58 48 89 f8 48 c1 e8 03 <42> 80 3c 38 00 74 05 e8 ba a8 c6 f6 49 8b 44 24 58 48 89 44 24 08
[ 75.266992][ T5324] RSP: 0018:ffffc9000d4b7960 EFLAGS: 00010202
[ 75.269786][ T5324] RAX: 000000000000000b RBX: ffff888033862440 RCX: 0000000000000000
[ 75.273773][ T5324] RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000058
[ 75.277169][ T5324] RBP: ffffc9000d4b7a48 R08: ffffffff8f878d43 R09: 1ffffffff1f0f1a8
[ 75.280736][ T5324] R10: dffffc0000000000 R11: fffffbfff1f0f1a9 R12: 0000000000000000
[ 75.285352][ T5324] R13: 1ffff1100340748c R14: ffff88801a03a460 R15: dffffc0000000000
[ 75.289407][ T5324] FS: 00007fe36fd1d6c0(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000
[ 75.293899][ T5324] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 75.297405][ T5324] CR2: 000056533c4eb490 CR3: 0000000042738000 CR4: 0000000000352ef0
[ 75.301869][ T5324] Kernel panic - not syncing: Fatal exception
[ 75.305088][ T5324] Kernel Offset: disabled
[ 75.306917][ T5324] Rebooting in 86400 seconds..