program:
ioctl$BTRFS_IOC_SCRUB(0xffffffffffffffff, 0xc400941b, &(0x7f0000000380)={<r0=>0x0, 0x4, 0xe})
ioctl$BTRFS_IOC_DEV_REPLACE(0xffffffffffffffff, 0xca289435, &(0x7f0000000780)={0x1, 0xf5b, @start={r0, 0x1, "535e3b2ce16291215099b8608fd6cc60d18200737c86cc07715d86c382f85cd0af4d126dcf5f38fdf9476c9bb01e8baf10e0747798cd26d7071d8476243b9f8b4dcfabd7a44e6662733915aaf7fda3bf330c147c49fd50e8eefd3283685eefcf95de8af377459f34d68b9803e982de0b38113d736ab08e40dc3ca21c823655b3123f41a5594f4797fc01f305a64724c57d2a270a0c016373a60a3a0c753b991e58bb7e3e5439fed1ccd5a3a75725ea071708aedf188788de0f0065710ae23802fa8fbad42f2645fa8a8530c757ba5d6f772867776c1126deeabbe1bac798113805f0d264c95d034877de9464a0e2c147d7db90f2f0dd2a0f17d561f41119c86ab8f6fa9b3bd41ec0d9cb8e1ddcb467dc564bcb28488adf54f3deeb312351de2aacd523d863a7123e35f7810b30fe3e34406faf6ec9d991a9d65c22bae5094fb6edeffaa4f3ad95552d48936f4e3a5e2b3918bba0a9b763f1a9bc5f88d730af4b55720d566425ea848820c43d3bbf12df224d8152c0d9a7220e020fe03c90902005ea5f548645cb5368ba3dabdd26bc617cce1ef7f18d929c30090ce037a92202f991f4a1df00df695d90c5920afb9370b73bb5cad79391b91e3c6c86fd4f665d74adf63bfc040abb85111cb0c066857364b97c0ce266a2e6cc21bf6f192133a5e85026f509fbada9caed992e35c36170a7d2705c04c111972902b391083c1ac7ab0402e3c45163e50c33ff36ef0e9c093e84bf9686554213f4e789e9c3ebd521075355daedf944ace048872245aac56234e041d3efdfe3fb286743fd963f9a00d2ca056b6baa38d32d966f393029e764f5b9fcd62f231f6fdd8ffb818358edb28a75449d023bd8b48b611cef5ea39181ce56e689dc302c5be20fe44735988fc22c35bb50b1f8d6a06a7b9dbfffc740a0017962f821ad1cd370ed3162e77cb20a3127a5c24557f005d645b303ddda68560e0d0e3e9f2fe8ce678f142df1f9cb294e422f2d1077c76745b6405508dc5a9e6eb22060ec8a45e6f8282e9fe6151a97b2a65ed65c2afe9fe7c02665b63de7b1d0105b32f76d6f53b405fa0e69cfe1ba2b2510c5960393de6dcdaa0ab7f34332cf59e41a6b4d2f73e671a5091928109699f859eebccc4fcc9925afe0a3205b4d4a6fcac1eb13d72e68c1034fbb57e2cb5306440b30f3285adabccbe3df578671db63bdf54996b94fa88e8b8053f894a05aef5438ab4ee3f83a6bacd835ea3544fe559e8c27e290cc9276923f403dcd3e56f22e4a31ef6f6253631a154574cdd032dca3852a42a2adfd8d3583c94f7e2d90fc1e55a5b602491b045c7f9d46a8eb22ecc84f7aa84999c235cd8a348d26bdc91b6472638ab471ee2bcc4fed04d9ed77d094ef07b79ad56a54977ce699fd5f89ce06a7a6b7ddada135d40bc5a3779766d09d5064eec62ea8f4a15d0fd940e143", "32d7d6cce37997040afd3f99f5e1efe85827bdb11ada53a7591d50b8dfc594e01e7608b585022166709f9b755016053c555fb21ced5994c802d7c6449d7065d3bd99bca11c01f039121cc8899dc46349cd428b515c8d4ed420fa1e3175de468146ac7bc683a7c57b8ff002d2251a86db8ded62d8e0c35470c40b0c3d9754308b866c8e70151a99d8ea059f021f98c51e2914eb97c99661b054df74a09a37480f306216cf436cc766acb1b373e78dd24e79c426dfd91785dfd88af93361678acb8a535dd4fbdf252c2ec60ef413afa540a390e69681d37202e77dc60622332046e8de570550081497442739fed9ebc62854c28b4e9bd298bb8878ada8be0c93e3a854f49c745cf87e3877304eef5103506a1ba53d5bf8a788fed5268edc250eff60208f02675a305b84b3bcbf6aff26806b635c00ddb3a1087c8a374d1caeec616653fe9add14be4b06ea899654f9a25c402cec70a717105908f3d6f4aeae89f94d6020f81e069805c7642cee8b5af8b2cf751f613729b1dea39f879bcb7f0943a7dcb9fcfd8fa4f890205856ac61151c9e5e9bf73218695530ccd0f30964a4f511516ec554957a4008da515003572d91a5eab2be5dcfed1a5e41510e633cc57e9d5cbd604b86efbaca0ecff789fff4b1ad1a1fef4b8e1f6569fc0465e742fad73012f239f99ce8b776b54df8e2c6b94a898a8b5492868bdde6c255cafaf8416cdf560ca752f75136013163d095875b0d8cf1eeb7d242e62c0c5e35f96a53c366da1e8d94692847958cd8c29e5f711516b7fbf6f957ffd717f48113468d70a6cc384911fd36b1bf67abf3219d1dbaff51502c82a78e7e72ce2446cbcc5b0633d53417f9d0ea3e1b1a56488dccd59e96e2210a123bd371aef123171c0bb4203a1628d82aa464588f217d3e15d7b2d0bb5ea35af8a7559258a6d05764f6c61135d3b55b00b8f922517b71f8556eb76cae72389ca3cb52a2699b3b270cc72e4ad9743e20b03666224a7c0a61137628ea17526bff359e24a0f6b4c5d74b664bb98a7a1e3c8b340ae467096b09fe24feac6023ec1baabcd05b4d3c97ea55e7302bd5e9ad9f5acec159ec388e9a363c57cd46ba310536e6bed7d72ac1fb64c4371f52e560e9c6e996f76e15f21b5349a9109466f7c0b40f67dc2a2f1353dee5d17fb7fdf40e0047026b961b3e2e80ed315498fa8fc398adcfcf6d47df599ce0a9b19da8a544c9f60386fdaa455594ba1d5f579ef0d95554c892c719f07dd769f1e49ef703b00d7a9503cd32a5e0d6860adba1a67a85d9085806610bacb58b31869f3221b1a1f4d6bb14de5e9159edb8ef696e7600a1cba7cf097c5a6f48ed041c4166fbd35895c2d1eaa830ff6715972126fda8ea5e82e75f1801ee1c91fddef6312dbf2f24fc332dc99887d41e2df8c761d529d8ba34be4c733997d53cfd0788a3a27175"}, [0x1, 0x8, 0x100000001, 0x9, 0x7, 0xfff, 0x7ff, 0x3, 0x9, 0xffffffff, 0x401, 0x7, 0x10001, 0x8, 0x4d7, 0x1, 0x3, 0x8, 0x8, 0x3, 0x4a2, 0xffffffff00000000, 0x4, 0xfffffffffffffff7, 0x1, 0xd3b6, 0x2, 0x6, 0x6, 0xd7, 0x3, 0x7fffffffffffffff, 0xffffffffffff9141, 0x3, 0x1a46d215, 0x8, 0x51d, 0x5, 0x7, 0x1, 0xfa, 0x7, 0x0, 0x0, 0x212, 0xa, 0x1, 0x40000000000, 0x27b, 0x2, 0xfffffffffffffff7, 0x52f, 0x7, 0xfff, 0x401, 0x4, 0x3, 0x6, 0xa, 0x3, 0xfffffffffffffff7, 0x6, 0x20, 0x2]})
setsockopt$netlink_NETLINK_TX_RING(0xffffffffffffffff, 0x10e, 0xc, 0x0, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r2 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r3, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000500)=ANY=[@ANYBLOB="140000001000010000000000000000350000000a20000000000a01030000000000000000010000000900010073797a300000000040000000030a01020000000000000000010000000900030073797a320000000014000480080002400000000008000140000000000900010073797a300000000054000000060a010400000000000000000100000008000b40000000000900010073797a30000000012c0004802800018008000100666962001c0002800800014000000011080003400000000e080002400000000114000000110001"], 0xdc}}, 0x0)
r4 = openat$hpet(0xffffffffffffff9c, &(0x7f0000000200), 0x600000, 0x0)
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r5, 0x8933, &(0x7f0000000040)={'wlan1\x00', <r7=>0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r5, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r6, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r7}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x3}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_START_AP(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000500)=ANY=[@ANYBLOB='\\\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="050000000000000000000f00000008000300", @ANYRES32=r7, @ANYBLOB="28000e00800000000802110000010802110000010802110000000000000000000000000064000000080026006c09000008000c006400000008000d"], 0x5c}}, 0x0)
ioctl$sock_SIOCGIFINDEX_80211(r1, 0x8933, &(0x7f00000011c0)={'wlan0\x00', <r8=>0x0})
sendmsg$NL80211_CMD_GET_INTERFACE(r4, &(0x7f0000001280)={&(0x7f0000000240)={0x10, 0x0, 0x0, 0x20000000}, 0xc, &(0x7f0000001240)={&(0x7f0000001200)={0x28, r6, 0x100, 0x70bd29, 0x25dfdbfd, {{}, {@val={0x8, 0x3, r8}, @val={0xc, 0x99, {0x5, 0x67}}}}, ["", "", "", "", "", "", "", "", "", ""]}, 0x28}, 0x1, 0x0, 0x0, 0x20000800}, 0x4000040)
r9 = socket$inet_tcp(0x2, 0x1, 0x0)
ioctl$sock_inet_SIOCADDRT(r9, 0x890b, &(0x7f0000000140)={0x0, {0x2, 0x0, @empty}, {0x2, 0x0, @local}, {0x2, 0xffff, @private}, 0xd0, 0x0, 0x0, 0x0, 0xfffc, 0x0, 0x0, 0x9})
syz_emit_ethernet(0x2a, &(0x7f0000000000)={@random="434a596143cc", @multicast, @void, {@ipv4={0x800, @icmp={{0x5, 0x4, 0x0, 0x0, 0x1c, 0x0, 0x0, 0x0, 0x1, 0x0, @initdev={0xac, 0x1e, 0x0, 0x0}, @multicast1}, @address_request}}}}, 0x0)
connect$bt_l2cap(r2, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe)
r10 = signalfd4(r2, &(0x7f0000000100)={[0x80000001]}, 0x8, 0x800)
ioctl$HIDIOCSFLAG(r10, 0x4004480f, &(0x7f00000001c0)=0x2)
r11 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6)
ioctl$sock_bt_hidp_HIDPCONNADD(r11, 0x400448c8, &(0x7f0000000280)={r2, r2, 0xc, 0x1, &(0x7f0000000340)='\x00', 0x9, 0x1, 0x457, 0x9, 0x9, 0x1, 0x1, 'syz1\x00'})
ioctl$sock_bt_hci(r1, 0x400448ca, 0x0)

[   86.468033][ T5320] Bluetooth: hci0: command tx timeout
[   86.656272][ T5339] hid-multitouch 0005:0457:0009.0002: unknown main item tag 0x0
[   86.676950][ T5339] hid-multitouch 0005:0457:0009.0002: hidraw1: BLUETOOTH HID v0.09 Device [syz1] on aa:aa:aa:aa:aa:aa
[   86.716331][ T5342] 
[   86.717585][ T5342] ======================================================
[   86.720596][ T5342] WARNING: possible circular locking dependency detected
[   86.723610][ T5342] 6.16.0-rc5-syzkaller-00053-g8c2e52ebbe88 #0 Not tainted
[   86.727016][ T5342] ------------------------------------------------------
[   86.730159][ T5342] syz.0.0/5342 is trying to acquire lock:
[   86.732751][ T5342] ffff888033d30840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0
[   86.737916][ T5342] 
[   86.737916][ T5342] but task is already holding lock:
[   86.741202][ T5342] ffff888033d30b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[   86.744829][ T5342] 
[   86.744829][ T5342] which lock already depends on the new lock.
[   86.744829][ T5342] 
[   86.749064][ T5342] 
[   86.749064][ T5342] the existing dependency chain (in reverse order) is:
[   86.752752][ T5342] 
[   86.752752][ T5342] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[   86.755899][ T5342]        lock_acquire+0x120/0x360
[   86.758095][ T5342]        __mutex_lock+0x182/0xe80
[   86.760453][ T5342]        l2cap_info_timeout+0x60/0xa0
[   86.762894][ T5342]        process_scheduled_works+0xae1/0x17b0
[   86.765398][ T5342]        worker_thread+0x8a0/0xda0
[   86.767735][ T5342]        kthread+0x70e/0x8a0
[   86.770180][ T5342]        ret_from_fork+0x3f9/0x770
[   86.772797][ T5342]        ret_from_fork_asm+0x1a/0x30
[   86.775201][ T5342] 
[   86.775201][ T5342] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[   86.779800][ T5342]        validate_chain+0xb9b/0x2140
[   86.782613][ T5342]        __lock_acquire+0xab9/0xd20
[   86.784922][ T5342]        lock_acquire+0x120/0x360
[   86.787512][ T5342]        __flush_work+0x6b8/0xbc0
[   86.789994][ T5342]        __cancel_work_sync+0xbe/0x110
[   86.792880][ T5342]        l2cap_conn_del+0x4f0/0x680
[   86.795149][ T5342]        hci_conn_hash_flush+0x10d/0x230
[   86.797701][ T5342]        hci_dev_close_sync+0xaef/0x1330
[   86.800014][ T5342]        hci_dev_close+0x108/0x200
[   86.802283][ T5342]        sock_do_ioctl+0xd9/0x300
[   86.804472][ T5342]        sock_ioctl+0x576/0x790
[   86.806598][ T5342]        __se_sys_ioctl+0xfc/0x170
[   86.808741][ T5342]        do_syscall_64+0xfa/0x3b0
[   86.810968][ T5342]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.813875][ T5342] 
[   86.813875][ T5342] other info that might help us debug this:
[   86.813875][ T5342] 
[   86.819048][ T5342]  Possible unsafe locking scenario:
[   86.819048][ T5342] 
[   86.822431][ T5342]        CPU0                    CPU1
[   86.824619][ T5342]        ----                    ----
[   86.826699][ T5342]   lock(&conn->lock#2);
[   86.828465][ T5342]                                lock((work_completion)(&(&conn->info_timer)->work));
[   86.832547][ T5342]                                lock(&conn->lock#2);
[   86.835621][ T5342]   lock((work_completion)(&(&conn->info_timer)->work));
[   86.838707][ T5342] 
[   86.838707][ T5342]  *** DEADLOCK ***
[   86.838707][ T5342] 
[   86.842260][ T5342] 5 locks held by syz.0.0/5342:
[   86.844150][ T5342]  #0: ffff888031710dc0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x200
[   86.848492][ T5342]  #1: ffff8880317100b8 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x66a/0x1330
[   86.852808][ T5342]  #2: ffffffff8f685908 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x230
[   86.857420][ T5342]  #3: ffff888033d30b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[   86.861190][ T5342]  #4: ffffffff8e13f160 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0
[   86.865209][ T5342] 
[   86.865209][ T5342] stack backtrace:
[   86.867890][ T5342] CPU: 0 UID: 0 PID: 5342 Comm: syz.0.0 Not tainted 6.16.0-rc5-syzkaller-00053-g8c2e52ebbe88 #0 PREEMPT(full) 
[   86.867908][ T5342] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   86.867916][ T5342] Call Trace:
[   86.867925][ T5342]  <TASK>
[   86.867931][ T5342]  dump_stack_lvl+0x189/0x250
[   86.867951][ T5342]  ? __pfx_dump_stack_lvl+0x10/0x10
[   86.867966][ T5342]  ? __pfx__printk+0x10/0x10
[   86.867981][ T5342]  ? print_lock_name+0xde/0x100
[   86.867995][ T5342]  print_circular_bug+0x2ee/0x310
[   86.868012][ T5342]  check_noncircular+0x134/0x160
[   86.868027][ T5342]  validate_chain+0xb9b/0x2140
[   86.868041][ T5342]  ? do_raw_spin_lock+0x121/0x290
[   86.868057][ T5342]  ? look_up_lock_class+0x74/0x170
[   86.868074][ T5342]  ? register_lock_class+0x51/0x320
[   86.868085][ T5342]  __lock_acquire+0xab9/0xd20
[   86.868097][ T5342]  ? __flush_work+0xd2/0xbc0
[   86.868112][ T5342]  lock_acquire+0x120/0x360
[   86.868129][ T5342]  ? __flush_work+0xd2/0xbc0
[   86.868146][ T5342]  ? _raw_spin_unlock_irq+0x23/0x50
[   86.868163][ T5342]  ? __flush_work+0xd2/0xbc0
[   86.868178][ T5342]  __flush_work+0x6b8/0xbc0
[   86.868192][ T5342]  ? __flush_work+0xd2/0xbc0
[   86.868205][ T5342]  ? __flush_work+0xd2/0xbc0
[   86.868218][ T5342]  ? __pfx___flush_work+0x10/0x10
[   86.868233][ T5342]  ? __pfx_wq_barrier_func+0x10/0x10
[   86.868248][ T5342]  ? __pfx___cancel_work+0x10/0x10
[   86.868262][ T5342]  ? hci_conn_drop+0x14d/0x280
[   86.868279][ T5342]  __cancel_work_sync+0xbe/0x110
[   86.868295][ T5342]  l2cap_conn_del+0x4f0/0x680
[   86.868310][ T5342]  ? __pfx_l2cap_disconn_cfm+0x10/0x10
[   86.868323][ T5342]  hci_conn_hash_flush+0x10d/0x230
[   86.868340][ T5342]  hci_dev_close_sync+0xaef/0x1330
[   86.868355][ T5342]  ? __pfx_hci_dev_close_sync+0x10/0x10
[   86.868368][ T5342]  ? do_raw_read_unlock+0x3d/0x80
[   86.868383][ T5342]  hci_dev_close+0x108/0x200
[   86.868397][ T5342]  sock_do_ioctl+0xd9/0x300
[   86.868414][ T5342]  ? __pfx_sock_do_ioctl+0x10/0x10
[   86.868429][ T5342]  ? __lock_acquire+0xab9/0xd20
[   86.868443][ T5342]  sock_ioctl+0x576/0x790
[   86.868458][ T5342]  ? __pfx_sock_ioctl+0x10/0x10
[   86.868473][ T5342]  ? __fget_files+0x2a/0x420
[   86.868487][ T5342]  ? __fget_files+0x3a0/0x420
[   86.868500][ T5342]  ? __fget_files+0x2a/0x420
[   86.868515][ T5342]  ? bpf_lsm_file_ioctl+0x9/0x20
[   86.868526][ T5342]  ? __pfx_sock_ioctl+0x10/0x10
[   86.868541][ T5342]  __se_sys_ioctl+0xfc/0x170
[   86.868554][ T5342]  do_syscall_64+0xfa/0x3b0
[   86.868565][ T5342]  ? lockdep_hardirqs_on+0x9c/0x150
[   86.868581][ T5342]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.868592][ T5342]  ? clear_bhb_loop+0x60/0xb0
[   86.868603][ T5342]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.868614][ T5342] RIP: 0033:0x7f711b98e929
[   86.868627][ T5342] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   86.868635][ T5342] RSP: 002b:00007f711c84d038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   86.868648][ T5342] RAX: ffffffffffffffda RBX: 00007f711bbb5fa0 RCX: 00007f711b98e929
[   86.868656][ T5342] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000004
[   86.868662][ T5342] RBP: 00007f711ba10b39 R08: 0000000000000000 R09: 0000000000000000
[   86.868668][ T5342] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   86.868675][ T5342] R13: 0000000000000000 R14: 00007f711bbb5fa0 R15: 00007ffc7d698628
[   86.868688][ T5342]  </TASK>
[   87.031242][ T5350] fido_id[5350]: Failed to open report descriptor at '/sys/devices/virtual/bluetooth/hci0/hci0:200/report_descriptor': No such file or directory
[   88.525816][ T5320] Bluetooth: hci0: command tx timeout
[   90.606023][ T5320] Bluetooth: hci0: command tx timeout
[   91.892091][   T10] cfg80211: failed to load regulatory.db
[   92.685717][ T5320] Bluetooth: hci0: command tx timeout