program:
syz_mount_image$ext4(&(0x7f0000000040)='ext4\x00', &(0x7f0000000200)='./file1\x00', 0x200000, &(0x7f0000000b80)={[{@nombcache}, {@abort}, {@dioread_lock}, {@norecovery}, {@discard}, {@lazytime}, {@noload}, {@usrquota}, {@noauto_da_alloc}]}, 0xfe, 0x558, &(0x7f0000000c00)="$eJzs3U1rG0cfAPD/ynbenOeJAyG0PRRDDk1JI8d2X1LoIT2WNjTQ3lNhb0ywHAVLDrEbaHJoLr2UUCilgdIP0HuPoV+gnyLQBkIJpj30orLyylFsyZZtpVaq3w82mdldaXY0+x/PaCQUwMAaz/4pRLwcEV8nEcdajg1HfnB87bzVJ7dmsi2Jev2TP5JI8n3N85P8/9E881JE/PJlxJnC5nKryyvzpXI5XczzE7WF6xPV5ZWzVxdKc+lcem1qevr8W9NT777zds/q+vqlv777+MEH5786tfrtT4+O30viQhzNj7XWYw9ut2bGYzx/TUbiwoYTJ3tQWD9J9vsC2JWhPM5HIusDjsVQHvXAf98XEVEHBlQi/mFANccBzbl9j+bBL4zH769NgDbXf3jtvZE41JgbHVlNnpkZZfPdsR6Un5Xx8+/372Vb9O59CIBt3b4TEeeGhzf3f0ne/+3euS7O2VjGDvu/+g4vCWjxIBv/vNFu/FNYH/9Em/HPaJvY3Y3t47/wqAfFdJSN/95rO/5dX7QaG8pz/2uM+UaSK1fLada3/T8iTsfIwSy/1XrO+dWHHfup1vFftmXlN8eC+XU8Gj747GNmS7XSXurc6vGdiFfajn+T9fZP2rR/9npc6rKMk+n9Vzsd277+z1f9x4jX2rb/0xWtZOv1yYnG/TDRvCs2+/PuyV87lb/f9c/a/8jW9R9LWtdrqzsv44dDf6edju32/j+QfNpIH8j33SzVaouTEQeSjzbvn3r62Ga+eX5W/9Ontu7/2t3/hyPisy7rf/fE3Y6n9kP7z+6o/XeeePjh5993Kr+79n+zkTqd7+mm/+v2Avfy2gEAAAAAAEC/KUTE0UgKxfV0oVAsrn2+40QcKZQr1dqZK5Wla7PR+K7sWIwUmivdoy2fh5jMPw/bzE9tyE9HxPGI+GbocCNfnKmUZ/e78gAAAAAAAAAAAAAAAAAAANAnRjt8/z/z29B+Xx3w3PnJbxhc28Z/L37pCehL/v7D4BL/MLjEPwwu8Q+DS/zD4BL/MLjEPwwu8Q8AAAAAAAAAAAAAAAAAAAAAAAAAAAA9denixWyrrz65NZPlZ28sL81XbpydTavzxYWlmeJMZfF6ca5SmSunxZnKwnbPV65Urk9OxdLNiVparU1Ul1cuL1SWrtUuX10ozaWX05F/pVYAAAAAAAAAAAAAAAAAAADwYqkur8yXyuV0UUJiV4nh/rgMibVEM7D3/IT72y8BAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQKt/AgAA//+jgjYy")
mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./bus\x00', 0x0)
syz_mount_image$msdos(&(0x7f0000000f40), &(0x7f0000000f00)='.\x00', 0x1a4a438, &(0x7f00000008c0)=ANY=[], 0xb, 0x0, &(0x7f0000000000))
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000400)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}]})
syz_usb_connect(0x0, 0x2d, &(0x7f0000000100)=ANY=[@ANYBLOB="12010000d5e9bd40eb030200c0ba050000010902115c01000000000904000001b504b100090581"], 0x0)
r0 = syz_open_dev$evdev(&(0x7f0000000000), 0x4, 0x0)
ioctl$EVIOCSKEYCODE_V2(r0, 0x40284504, &(0x7f0000000080)={0xfa, 0xf, 0x7, 0x9, "d80004000000000000957f78e83d4a100a000000000020000661e6e66b8b37ff"})
r1 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000400)={0x1, &(0x7f0000000380)=[{0x6, 0x0, 0x0, 0x7fffffff}]})
r2 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r2, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe)
r3 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6)
ioctl$sock_bt_hidp_HIDPCONNADD(r3, 0x400448c8, &(0x7f00000000c0)={r2, r2, 0x206, 0x0, 0x0, 0x2, 0x72, 0x1, 0x3, 0x7, 0x0, 0x8, 'syz1\x00'})
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r4, 0x400448ca, 0x0)
r5 = socket$unix(0x1, 0x1, 0x0)
r6 = socket$nl_rdma(0x10, 0x3, 0x14)
sendmsg$RDMA_NLDEV_CMD_NEWLINK(r6, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000180)=ANY=[@ANYBLOB="380000000314230c2abd7000ff05df250900020073797a310000000008004100727865001400330073797a5f74756e"], 0x38}, 0x1, 0x0, 0x0, 0x48845}, 0x4010)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
r7 = openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0)
write$RDMA_USER_CM_CMD_CREATE_ID(r7, &(0x7f00000001c0)={0x0, 0x18, 0xfa00, {0x3, &(0x7f0000000100)={<r8=>0xffffffffffffffff}, 0x13f, 0x4}}, 0x20)
write$RDMA_USER_CM_CMD_BIND_IP(r7, &(0x7f0000000180)={0x2, 0x28, 0xfa00, {0x0, {0xa, 0x4e25, 0x10001, @local, 0xb}, r8}}, 0x30)
write$RDMA_USER_CM_CMD_JOIN_MCAST(r7, &(0x7f0000000900)={0x16, 0x98, 0xfa00, {&(0x7f00000008c0), 0x4, r8, 0x10, 0x1, @in={0x2, 0x6e23, @broadcast}}}, 0xa0)
r9 = dup2(r5, r1)
close_range(r9, 0xffffffffffffffff, 0x0)
socket$nl_rdma(0x10, 0x3, 0x14)

[   85.174579][ T4678] Bluetooth: hci0: command tx timeout
[   85.235198][ T5338] loop0: detected capacity change from 0 to 1024
[   85.265912][ T5338] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback.
[   85.300521][ T5338] EXT4-fs error (device loop0): __ext4_remount:6746: comm syz.0.0: Abort forced by user
[   85.306840][ T5338] EXT4-fs (loop0): Remounting filesystem read-only
[   85.309687][ T5338] EXT4-fs (loop0): re-mounted 00000000-0000-0000-0000-000000000000.
[   85.317198][ T5338] overlayfs: failed to create directory ./bus/work (errno: 30); mounting read-only
[   85.322790][ T5338] overlayfs: failed to set uuid (/file1, err=-30); falling back to uuid=null.
[   85.564146][ T5310] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[   85.716782][ T5310] usb 5-1: config index 0 descriptor too short (expected 23569, got 27)
[   85.720500][ T5310] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0
[   85.728620][ T5310] usb 5-1: New USB device found, idVendor=03eb, idProduct=0002, bcdDevice=ba.c0
[   85.732586][ T5310] usb 5-1: New USB device strings: Mfr=5, Product=0, SerialNumber=0
[   85.736689][ T5310] usb 5-1: Manufacturer: syz
[   85.741296][ T5310] usb 5-1: config 0 descriptor??
[   85.805601][ T5310] rc_core: IR keymap rc-hauppauge not found
[   85.808235][ T5310] Registered IR keymap rc-empty
[   85.813158][ T5310] rc rc0: IgorPlug-USB IR Receiver as /devices/platform/dummy_hcd.0/usb5/5-1/5-1:0.0/rc/rc0
[   85.820334][ T5310] input: IgorPlug-USB IR Receiver as /devices/platform/dummy_hcd.0/usb5/5-1/5-1:0.0/rc/rc0/input5
[   85.958690][ T5338] input: Bluetooth HID Boot Protocol Device as /devices/virtual/bluetooth/hci0/hci0:200/input6
[   86.207149][ T5339] 
[   86.208286][ T5339] ======================================================
[   86.211268][ T5339] WARNING: possible circular locking dependency detected
[   86.214249][ T5339] syzkaller #0 Not tainted
[   86.216151][ T5339] ------------------------------------------------------
[   86.219102][ T5339] syz.0.0/5339 is trying to acquire lock:
[   86.221577][ T5339] ffff888044b25840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0
[   86.227200][ T5339] 
[   86.227200][ T5339] but task is already holding lock:
[   86.230247][ T5339] ffff888044b25b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[   86.233949][ T5339] 
[   86.233949][ T5339] which lock already depends on the new lock.
[   86.233949][ T5339] 
[   86.238493][ T5339] 
[   86.238493][ T5339] the existing dependency chain (in reverse order) is:
[   86.242263][ T5339] 
[   86.242263][ T5339] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[   86.245486][ T5339]        lock_acquire+0x120/0x360
[   86.247618][ T5339]        __mutex_lock+0x187/0x1350
[   86.249776][ T5339]        l2cap_info_timeout+0x60/0xa0
[   86.252103][ T5339]        process_scheduled_works+0xade/0x17b0
[   86.254665][ T5339]        worker_thread+0x8a0/0xda0
[   86.256879][ T5339]        kthread+0x70e/0x8a0
[   86.258902][ T5339]        ret_from_fork+0x436/0x7d0
[   86.261159][ T5339]        ret_from_fork_asm+0x1a/0x30
[   86.263565][ T5339] 
[   86.263565][ T5339] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[   86.267868][ T5339]        validate_chain+0xb9b/0x2140
[   86.269858][ T5339]        __lock_acquire+0xab9/0xd20
[   86.271788][ T5339]        lock_acquire+0x120/0x360
[   86.273716][ T5339]        __flush_work+0x6b8/0xbc0
[   86.275943][ T5339]        __cancel_work_sync+0xbe/0x110
[   86.278654][ T5339]        l2cap_conn_del+0x4f0/0x680
[   86.280906][ T5339]        hci_conn_hash_flush+0x10a/0x230
[   86.283398][ T5339]        hci_dev_close_sync+0xaef/0x1330
[   86.285764][ T5339]        hci_dev_close+0x108/0x200
[   86.288074][ T5339]        sock_do_ioctl+0xdc/0x300
[   86.290238][ T5339]        sock_ioctl+0x576/0x790
[   86.292301][ T5339]        __se_sys_ioctl+0xf9/0x170
[   86.294478][ T5339]        do_syscall_64+0xfa/0x3b0
[   86.296700][ T5339]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.299509][ T5339] 
[   86.299509][ T5339] other info that might help us debug this:
[   86.299509][ T5339] 
[   86.304715][ T5339]  Possible unsafe locking scenario:
[   86.304715][ T5339] 
[   86.308018][ T5339]        CPU0                    CPU1
[   86.310340][ T5339]        ----                    ----
[   86.312584][ T5339]   lock(&conn->lock#2);
[   86.314379][ T5339]                                lock((work_completion)(&(&conn->info_timer)->work));
[   86.318410][ T5339]                                lock(&conn->lock#2);
[   86.321220][ T5339]   lock((work_completion)(&(&conn->info_timer)->work));
[   86.324388][ T5339] 
[   86.324388][ T5339]  *** DEADLOCK ***
[   86.324388][ T5339] 
[   86.327843][ T5339] 5 locks held by syz.0.0/5339:
[   86.329964][ T5339]  #0: ffff888035ec4dc8 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x200
[   86.334004][ T5339]  #1: ffff888035ec40b8 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x66a/0x1330
[   86.337868][ T5339]  #2: ffffffff8f22c828 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x230
[   86.341870][ T5339]  #3: ffff888044b25b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[   86.345805][ T5339]  #4: ffffffff8dd3b160 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0
[   86.350271][ T5339] 
[   86.350271][ T5339] stack backtrace:
[   86.353100][ T5339] CPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   86.353117][ T5339] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   86.353124][ T5339] Call Trace:
[   86.353129][ T5339]  <TASK>
[   86.353133][ T5339]  dump_stack_lvl+0x189/0x250
[   86.353147][ T5339]  ? __pfx_dump_stack_lvl+0x10/0x10
[   86.353156][ T5339]  ? __pfx__printk+0x10/0x10
[   86.353168][ T5339]  ? print_lock_name+0xde/0x100
[   86.353178][ T5339]  print_circular_bug+0x2ee/0x310
[   86.353188][ T5339]  check_noncircular+0x134/0x160
[   86.353199][ T5339]  validate_chain+0xb9b/0x2140
[   86.353208][ T5339]  ? do_raw_spin_lock+0x121/0x290
[   86.353219][ T5339]  ? look_up_lock_class+0x74/0x170
[   86.353227][ T5339]  ? register_lock_class+0x51/0x320
[   86.353235][ T5339]  __lock_acquire+0xab9/0xd20
[   86.353243][ T5339]  ? __flush_work+0xd2/0xbc0
[   86.353252][ T5339]  lock_acquire+0x120/0x360
[   86.353258][ T5339]  ? __flush_work+0xd2/0xbc0
[   86.353267][ T5339]  ? _raw_spin_unlock_irq+0x23/0x50
[   86.353277][ T5339]  ? __flush_work+0xd2/0xbc0
[   86.353285][ T5339]  __flush_work+0x6b8/0xbc0
[   86.353292][ T5339]  ? __flush_work+0xd2/0xbc0
[   86.353300][ T5339]  ? __flush_work+0xd2/0xbc0
[   86.353309][ T5339]  ? __pfx___flush_work+0x10/0x10
[   86.353317][ T5339]  ? __pfx_wq_barrier_func+0x10/0x10
[   86.353330][ T5339]  ? __pfx___cancel_work+0x10/0x10
[   86.353343][ T5339]  ? hci_conn_drop+0x14d/0x280
[   86.353355][ T5339]  __cancel_work_sync+0xbe/0x110
[   86.353368][ T5339]  l2cap_conn_del+0x4f0/0x680
[   86.353384][ T5339]  ? __pfx_l2cap_disconn_cfm+0x10/0x10
[   86.353398][ T5339]  hci_conn_hash_flush+0x10a/0x230
[   86.353413][ T5339]  hci_dev_close_sync+0xaef/0x1330
[   86.353429][ T5339]  ? __pfx_hci_dev_close_sync+0x10/0x10
[   86.353442][ T5339]  ? do_raw_read_unlock+0x3d/0x80
[   86.353458][ T5339]  hci_dev_close+0x108/0x200
[   86.353472][ T5339]  sock_do_ioctl+0xdc/0x300
[   86.353488][ T5339]  ? __pfx_sock_do_ioctl+0x10/0x10
[   86.353501][ T5339]  ? __lock_acquire+0xab9/0xd20
[   86.353515][ T5339]  sock_ioctl+0x576/0x790
[   86.353529][ T5339]  ? __pfx_sock_ioctl+0x10/0x10
[   86.353542][ T5339]  ? __fget_files+0x2a/0x420
[   86.353556][ T5339]  ? __fget_files+0x3a0/0x420
[   86.353570][ T5339]  ? __fget_files+0x2a/0x420
[   86.353584][ T5339]  ? bpf_lsm_file_ioctl+0x9/0x20
[   86.353594][ T5339]  ? __pfx_sock_ioctl+0x10/0x10
[   86.353608][ T5339]  __se_sys_ioctl+0xf9/0x170
[   86.353619][ T5339]  do_syscall_64+0xfa/0x3b0
[   86.353631][ T5339]  ? lockdep_hardirqs_on+0x9c/0x150
[   86.353641][ T5339]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.353651][ T5339]  ? clear_bhb_loop+0x60/0xb0
[   86.353664][ T5339]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.353675][ T5339] RIP: 0033:0x7f854758eec9
[   86.353685][ T5339] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   86.353692][ T5339] RSP: 002b:00007f8548449038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   86.353700][ T5339] RAX: ffffffffffffffda RBX: 00007f85477e6090 RCX: 00007f854758eec9
[   86.353706][ T5339] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 000000000000000a
[   86.353710][ T5339] RBP: 00007f8547611f91 R08: 0000000000000000 R09: 0000000000000000
[   86.353714][ T5339] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   86.353718][ T5339] R13: 00007f85477e6128 R14: 00007f85477e6090 R15: 00007fffa9ff7b58
[   86.353726][ T5339]  </TASK>
[   86.666295][ T5338] infiniband syz1: set active
[   86.668531][ T5338] infiniband syz1: added syz_tun
[   86.734383][ T5338] RDS/IB: syz1: added
[   86.950549][ T5335] usb 5-1: USB disconnect, device number 2
[   87.224200][ T4678] Bluetooth: hci0: command tx timeout
[   89.304603][ T4678] Bluetooth: hci0: command tx timeout
[   91.384230][ T4678] Bluetooth: hci0: command tx timeout
[   91.871852][   T54] cfg80211: failed to load regulatory.db