program:
r0 = socket$inet(0x2, 0x4000000000000001, 0x0)
setsockopt$inet_tcp_int(r0, 0x6, 0x80000000000002, &(0x7f00000004c0)=0x79, 0x4)
bind$inet(r0, &(0x7f0000000080)={0x2, 0x4e23, @local}, 0x10)
setsockopt$SO_ATTACH_FILTER(r0, 0x1, 0x1a, &(0x7f0000000140)={0x1, &(0x7f0000000280)=[{0x6, 0x0, 0x0, 0xe3}]}, 0x10)
sendto$inet(r0, 0x0, 0x0, 0x200007fd, &(0x7f0000e68000)={0x2, 0x4e23, @local}, 0x10)
setsockopt$inet_tcp_TCP_CONGESTION(r0, 0x6, 0xd, &(0x7f0000000100)='bbr', 0x3)
sendmmsg$inet(r0, &(0x7f0000001e40)=[{{0x0, 0x0, &(0x7f0000000040)=[{&(0x7f0000000ac0)="89e4192d92359cb3ee294530ae76ad6dc4ff20cc3ccc9d41018dd482ad1f395d4e38bd22b6fcae05c49fbdfdf66ae2994f191e9222effcb97205d0aaed4b29919f9e3bab7fdb276ca29501903c98de0b0cc8afca563f94fe69b6927ae594d1b53ad9f4a9f9f5c84a518d37939c84a5bd15048115ac421e9c56866ab6f91b0e8181d8999dd86c0177a971a39bf35b38eb0504bf70c02cc307c62d6f06c80b146153ca56a182831696c8cf46d2b065744e6dd4415ceff773e8d3a45aacc4fd8972cbe77878ce48d531066ec9e4790196e4a17b08ea09d4d3febf6721a44390383c7261e9e09f20c23f95e9c04d3c10220f3962d98b2bd98d5c3e50169a4c0c99f29c7a336489c26259957c4bdeae1c8cdf60d817db09336f680bbe954dc05669c9d48cb0a0488ed2385d935a7166b3187189e08d421903d546126289651db812f9c8754c0dc6f24a22ca988a2ac131cc52d724bb086a53a94e515e09fef354e9ca0daacaa347e96b3efd7c5c4063f6eb0cf55f08ff942780e6846d78410057ca2b845e69eeda4066de60a033e2f3c7e47b2f0c0c4c7da98b1d658c620f70dbe6eb8b5dd90216caa82c91db4c0f7ea02df5d5f8d6815d2d7868e6a6053f31a4fbe8732a1310ca7a79814177a981e5ab68dfeba4fe46ed4c51819be1308f73455e311f511ce4360cc7c24836c9b895ee5ce93cc42dd88f02d91b479c1748339024343700cce897087bbaae4fbd8e2ad5da016265ef097043acaf87504dde24216c805b40", 0x222}], 0x1}}], 0x1, 0x40)
r1 = socket$inet6(0x10, 0x2, 0x4)
r2 = openat$uinput(0xffffffffffffff9c, &(0x7f0000000600), 0x0, 0x0)
ioctl$UI_DEV_SETUP(r2, 0x405c5503, &(0x7f0000000280)={{0x0, 0xfffc}, 'syz0\x00', 0x10})
ioctl$UI_SET_FFBIT(r2, 0x4004556b, 0x51)
ioctl$UI_DEV_CREATE(r2, 0x5501)
sendto$inet6(r1, &(0x7f0000000080)="4c00000012001f15b9409b849ac00a00a5784002000000000000030038c88cc055c5ac27a6c5b068d0bf46d323452536005ad94a461cdbfee9bdb942352359a351d1ec0cffc8792cd8000080", 0x4c, 0x0, 0x0, 0x0)
r3 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_CREATE(r4, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000044c0)={&(0x7f0000000340)=ANY=[@ANYBLOB="5000000002060108000000000000000000000051be25b0c9be2d9c000500050002000020050001000700000005000400000000000900020073797a310000000016000300686173683a6e65742c706f728775cbf63771742c6e65740000003ddb5f5a451e3528c3be1b96ce7ed542675757522d28cdbbf9139797154d887ac7f710c9e92ae205e163a811bdb310ee8832e2cb04f8282f024bdef035621406c5774fd366f80f14f372e9fee7ff5e2dfb7c73861e6ce99ff6e6f5e26c51b2d270a6c18e024d7c2f58df685f33cf467ed879b9012381c7cea8c80c9fa4f3785a27121a28f86387396975acd5bc86049cc7326c4cd56f4254f79966c2c0e1aacd9c2cf0e65df8aba249bbcd7d4418ae3b852c733cf51807d929e7d6c120944759e0541f13a1a3c78767505d466992ef59055c2e12825dff758e248c9a0e8e657ec591d841437aabcdaa0b15130f1b0ace6239365ad8bd"], 0x50}, 0x1, 0x0, 0x0, 0x4000004}, 0x0)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000140)={0x0, 0x4, &(0x7f0000000200)=ANY=[@ANYBLOB="180000000000000000000000000000007112370000000000950000000000000089e2d90aa1795cc26efb1dacf01150510936875c66d6a7d6eb12d4cdbc5c0ce0d29df91940d8ca08008e7aa5b3c9a10909d6e18b263131bf965f55746df5189a2e23905ae4dc5340e0eb74eb523d5b77a763cccb768b4453c8b1b1dd0a71983b5c2cfe11f3d30228772b0b798ebaf5abde2ce3ec34f8c6f13ee1f181ac563ba7a7edc9be94452da6d7eb67ae3243cb393245efd0dd21de9553cbd1a8516282de458c44d1ddae97af584de743d44ed18d20dd3b2c42cf1e8b27788dfc562367d46197198cd19fda89a6feca6c738b1d4b2522"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x24}, 0x90)
r6 = syz_usb_connect(0x2, 0x36, &(0x7f00000002c0)=ANY=[@ANYBLOB="1201000014da2108ab12a390eb1e001000010902240001b30000040904410017ff5d810009050f1f010400000009058303"], 0x0)
ioctl$EVIOCSCLOCKID(0xffffffffffffffff, 0x400445a0, &(0x7f0000000080)=0xb309)
syz_usb_ep_write$ath9k_ep2(r6, 0x83, 0x8, &(0x7f0000000080)=ANY=[])
r7 = bpf$BPF_BTF_LOAD(0x12, &(0x7f0000000140)={&(0x7f0000000040)=ANY=[@ANYBLOB="9feb01001800000000000000180000001800000004000000020000000100000c02000000000000000000000d0000000000005f"], 0x0, 0x34}, 0x20)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000200)={0x11, 0x3, &(0x7f0000000100)=@framed, &(0x7f0000000000)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x0, r7, 0x8, &(0x7f00000000c0)={0x0, 0x1}, 0x1}, 0x90)
r8 = syz_open_dev$evdev(&(0x7f00000000c0), 0x40, 0x141000)
ioctl$EVIOCSFF(r8, 0x40304580, &(0x7f0000000300)={0x50, 0xffff, 0x0, {0x0, 0x68bd}, {}, @cond=[{0x0, 0x0, 0x0, 0x0, 0x0, 0x2}]})
ioctl$EVIOCSFF(r8, 0x40304580, &(0x7f0000000bc0)={0x50, 0xffff, 0x0, {0x10, 0x4}, {0x1ff, 0x4003}, @rumble={0x8000, 0x1002}})
sendmsg$IPSET_CMD_TEST(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000640)=ANY=[@ANYBLOB="780000000b06090300119a49857e233e89000000000002db5192c300010007000000440007800c001480080001400a010102180001801400000000000000060004404e240000050015000600000009001a0073797a30000000000800094000000000fddb58c77deb7f8be1c49f04402e12815a63b20a4602e470f2f1431c8d2c83bae718c76ac57507e27214bf7085305a86ddd36481b28a6052bfd6a5c35f58bdf90c347eec489c4886a541db18945e08197caaf20d7b0a217bfde544c9fd152abc21cd55e6317fa6ebd103ce21de8e161643c4deb98c95269f653332f042875f12ef6a19d55e67ea9520892c78151793e2eb4a27834e142803d57dcca8281ab825d57966"], 0x68}, 0x1, 0x0, 0x0, 0x4000}, 0x4800)
ioctl$LOOP_CTL_REMOVE(r3, 0x4c81, 0x0)
r9 = ioctl$LOOP_CTL_ADD(r3, 0x4c80, 0xa)
ioctl$LOOP_CTL_REMOVE(r3, 0x4c81, r9)

[   76.607933][ T5301] Bluetooth: hci0: command tx timeout
[   76.612200][ T1314] ieee802154 phy0 wpan0: encryption failed: -22
[   76.614947][ T1314] ieee802154 phy1 wpan1: encryption failed: -22
[   76.713190][ T5322] input: syz0 as /devices/virtual/input/input5
[   76.748055][ T5322] netlink: 60 bytes leftover after parsing attributes in process `syz.0.0'.
[   77.017723][    T9] usb 5-1: new full-speed USB device number 2 using dummy_hcd
[   77.170620][    T9] usb 5-1: config 179 has an invalid interface number: 65 but max is 0
[   77.174535][    T9] usb 5-1: config 179 has no interface number 0
[   77.178107][    T9] usb 5-1: config 179 interface 65 altsetting 0 endpoint 0xF has an invalid bInterval 0, changing to 10
[   77.182975][    T9] usb 5-1: config 179 interface 65 altsetting 0 endpoint 0xF has invalid maxpacket 1025, setting to 64
[   77.198074][    T9] usb 5-1: config 179 interface 65 altsetting 0 endpoint 0x83 has an invalid bInterval 0, changing to 10
[   77.203527][    T9] usb 5-1: config 179 interface 65 altsetting 0 has 2 endpoint descriptors, different from the interface descriptor's value: 23
[   77.220312][    T9] usb 5-1: New USB device found, idVendor=12ab, idProduct=90a3, bcdDevice=1e.eb
[   77.230589][    T9] usb 5-1: New USB device strings: Mfr=0, Product=16, SerialNumber=0
[   77.234011][    T9] usb 5-1: Product: syz
[   77.248250][ T5322] raw-gadget.0 gadget.0: fail, usb_ep_enable returned -22
[   77.471230][    T9] input: Generic X-Box pad as /devices/platform/dummy_hcd.0/usb5/5-1/5-1:179.65/input/input6
[   77.662334][ T5322] 
[   77.663491][ T5322] ======================================================
[   77.666501][ T5322] WARNING: possible circular locking dependency detected
[   77.669397][ T5322] syzkaller #0 Not tainted
[   77.671393][ T5322] ------------------------------------------------------
[   77.674484][ T5322] syz.0.0/5322 is trying to acquire lock:
[   77.676966][ T5322] ffff88805185c870 (&newdev->mutex){+.+.}-{4:4}, at: uinput_request_submit+0x188/0x6f0
[   77.681161][ T5322] 
[   77.681161][ T5322] but task is already holding lock:
[   77.684220][ T5322] ffff88803345c8b0 (&ff->mutex){+.+.}-{4:4}, at: input_ff_upload+0x398/0xb30
[   77.687779][ T5322] 
[   77.687779][ T5322] which lock already depends on the new lock.
[   77.687779][ T5322] 
[   77.692077][ T5322] 
[   77.692077][ T5322] the existing dependency chain (in reverse order) is:
[   77.695767][ T5322] 
[   77.695767][ T5322] -> #3 (&ff->mutex){+.+.}-{4:4}:
[   77.698787][ T5322]        lock_acquire+0x120/0x360
[   77.701001][ T5322]        __mutex_lock+0x187/0x1350
[   77.703313][ T5322]        input_ff_flush+0x5d/0x170
[   77.705560][ T5322]        input_flush_device+0xb4/0x110
[   77.707822][ T5322]        evdev_release+0xe1/0x800
[   77.710051][ T5322]        __fput+0x44c/0xa70
[   77.712031][ T5322]        fput_close_sync+0x119/0x200
[   77.714307][ T5322]        __x64_sys_close+0x7f/0x110
[   77.716527][ T5322]        do_syscall_64+0xfa/0xfa0
[   77.718758][ T5322]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   77.721508][ T5322] 
[   77.721508][ T5322] -> #2 (&dev->mutex#2){+.+.}-{4:4}:
[   77.724342][ T5322]        lock_acquire+0x120/0x360
[   77.726573][ T5322]        __mutex_lock+0x187/0x1350
[   77.728870][ T5322]        input_register_handle+0x18f/0x530
[   77.731298][ T5322]        kbd_connect+0xc3/0x140
[   77.733387][ T5322]        input_register_device+0xd00/0x1140
[   77.736197][ T5322]        acpi_button_add+0x6b1/0xb50
[   77.738458][ T5322]        acpi_device_probe+0xa8/0x2d0
[   77.740630][ T5322]        really_probe+0x26d/0x9e0
[   77.742805][ T5322]        __driver_probe_device+0x18c/0x2f0
[   77.745458][ T5322]        driver_probe_device+0x4f/0x430
[   77.747813][ T5322]        __driver_attach+0x452/0x700
[   77.750174][ T5322]        bus_for_each_dev+0x233/0x2b0
[   77.752520][ T5322]        bus_add_driver+0x345/0x640
[   77.754691][ T5322]        driver_register+0x23a/0x320
[   77.756525][ T5322]        do_one_initcall+0x236/0x820
[   77.758656][ T5322]        do_initcall_level+0x104/0x190
[   77.760864][ T5322]        do_initcalls+0x59/0xa0
[   77.763075][ T5322]        kernel_init_freeable+0x334/0x4b0
[   77.765503][ T5322]        kernel_init+0x1d/0x1d0
[   77.767640][ T5322]        ret_from_fork+0x4bc/0x870
[   77.769794][ T5322]        ret_from_fork_asm+0x1a/0x30
[   77.771797][ T5322] 
[   77.771797][ T5322] -> #1 (input_mutex){+.+.}-{4:4}:
[   77.774742][ T5322]        lock_acquire+0x120/0x360
[   77.776913][ T5322]        __mutex_lock+0x187/0x1350
[   77.779283][ T5322]        input_register_device+0xa76/0x1140
[   77.781679][ T5322]        uinput_create_device+0x422/0x670
[   77.784150][ T5322]        uinput_ioctl_handler+0x3f0/0x1570
[   77.786569][ T5322]        __se_sys_ioctl+0xfc/0x170
[   77.788776][ T5322]        do_syscall_64+0xfa/0xfa0
[   77.790964][ T5322]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   77.793643][ T5322] 
[   77.793643][ T5322] -> #0 (&newdev->mutex){+.+.}-{4:4}:
[   77.796797][ T5322]        validate_chain+0xb9b/0x2140
[   77.799191][ T5322]        __lock_acquire+0xab9/0xd20
[   77.801503][ T5322]        lock_acquire+0x120/0x360
[   77.803798][ T5322]        __mutex_lock+0x187/0x1350
[   77.806277][ T5322]        uinput_request_submit+0x188/0x6f0
[   77.808507][ T5322]        uinput_dev_upload_effect+0x150/0x1e0
[   77.810737][ T5322]        input_ff_upload+0x5fb/0xb30
[   77.812573][ T5322]        evdev_ioctl_handler+0x1644/0x1f10
[   77.814669][ T5322]        __se_sys_ioctl+0xfc/0x170
[   77.816710][ T5322]        do_syscall_64+0xfa/0xfa0
[   77.818888][ T5322]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   77.821421][ T5322] 
[   77.821421][ T5322] other info that might help us debug this:
[   77.821421][ T5322] 
[   77.825636][ T5322] Chain exists of:
[   77.825636][ T5322]   &newdev->mutex --> &dev->mutex#2 --> &ff->mutex
[   77.825636][ T5322] 
[   77.830819][ T5322]  Possible unsafe locking scenario:
[   77.830819][ T5322] 
[   77.834031][ T5322]        CPU0                    CPU1
[   77.836363][ T5322]        ----                    ----
[   77.839204][ T5322]   lock(&ff->mutex);
[   77.841329][ T5322]                                lock(&dev->mutex#2);
[   77.844808][ T5322]                                lock(&ff->mutex);
[   77.848227][ T5322]   lock(&newdev->mutex);
[   77.850649][ T5322] 
[   77.850649][ T5322]  *** DEADLOCK ***
[   77.850649][ T5322] 
[   77.854541][ T5322] 2 locks held by syz.0.0/5322:
[   77.856655][ T5322]  #0: ffff88803a551118 (&evdev->mutex){+.+.}-{4:4}, at: evdev_ioctl_handler+0x121/0x1f10
[   77.861099][ T5322]  #1: ffff88803345c8b0 (&ff->mutex){+.+.}-{4:4}, at: input_ff_upload+0x398/0xb30
[   77.864631][ T5322] 
[   77.864631][ T5322] stack backtrace:
[   77.866968][ T5322] CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   77.866985][ T5322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   77.866992][ T5322] Call Trace:
[   77.867001][ T5322]  <TASK>
[   77.867007][ T5322]  dump_stack_lvl+0x189/0x250
[   77.867025][ T5322]  ? __pfx_dump_stack_lvl+0x10/0x10
[   77.867038][ T5322]  ? __pfx__printk+0x10/0x10
[   77.867052][ T5322]  ? print_lock_name+0xde/0x100
[   77.867063][ T5322]  print_circular_bug+0x2ee/0x310
[   77.867083][ T5322]  check_noncircular+0x134/0x160
[   77.867100][ T5322]  validate_chain+0xb9b/0x2140
[   77.867118][ T5322]  ? stack_trace_save+0x9c/0xe0
[   77.867128][ T5322]  ? __pfx_stack_trace_save+0x10/0x10
[   77.867139][ T5322]  __lock_acquire+0xab9/0xd20
[   77.867155][ T5322]  ? uinput_request_submit+0x188/0x6f0
[   77.867168][ T5322]  lock_acquire+0x120/0x360
[   77.867179][ T5322]  ? uinput_request_submit+0x188/0x6f0
[   77.867193][ T5322]  __mutex_lock+0x187/0x1350
[   77.867204][ T5322]  ? uinput_request_submit+0x188/0x6f0
[   77.867289][ T5322]  ? uinput_request_alloc_id+0x2f/0x400
[   77.867313][ T5322]  ? uinput_request_submit+0x188/0x6f0
[   77.867329][ T5322]  ? __pfx___mutex_lock+0x10/0x10
[   77.867342][ T5322]  ? do_raw_spin_unlock+0x4d/0x240
[   77.867354][ T5322]  ? _raw_spin_unlock+0x28/0x50
[   77.867367][ T5322]  ? uinput_request_alloc_id+0x3cf/0x400
[   77.867376][ T5322]  uinput_request_submit+0x188/0x6f0
[   77.867387][ T5322]  ? __pfx___mutex_trylock_common+0x10/0x10
[   77.867397][ T5322]  ? __pfx_uinput_request_submit+0x10/0x10
[   77.867404][ T5322]  ? rcu_is_watching+0x15/0xb0
[   77.867413][ T5322]  ? trace_contention_end+0x39/0x120
[   77.867423][ T5322]  ? __mutex_lock+0x335/0x1350
[   77.867430][ T5322]  uinput_dev_upload_effect+0x150/0x1e0
[   77.867438][ T5322]  ? input_ff_upload+0x398/0xb30
[   77.867446][ T5322]  ? __pfx_uinput_dev_upload_effect+0x10/0x10
[   77.867456][ T5322]  input_ff_upload+0x5fb/0xb30
[   77.867465][ T5322]  evdev_ioctl_handler+0x1644/0x1f10
[   77.867473][ T5322]  ? do_vfs_ioctl+0xbe8/0x1430
[   77.867485][ T5322]  ? tomoyo_path_number_perm+0x1bc/0x5a0
[   77.867498][ T5322]  ? __pfx_evdev_ioctl_handler+0x10/0x10
[   77.867513][ T5322]  ? __might_fault+0xb0/0x130
[   77.867535][ T5322]  ? __fget_files+0x2a/0x420
[   77.867546][ T5322]  ? __fget_files+0x3a0/0x420
[   77.867556][ T5322]  ? __fget_files+0x2a/0x420
[   77.867567][ T5322]  ? bpf_lsm_file_ioctl+0x9/0x20
[   77.867579][ T5322]  ? __pfx_evdev_ioctl+0x10/0x10
[   77.867589][ T5322]  __se_sys_ioctl+0xfc/0x170
[   77.867604][ T5322]  do_syscall_64+0xfa/0xfa0
[   77.867614][ T5322]  ? lockdep_hardirqs_on+0x9c/0x150
[   77.867630][ T5322]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   77.867641][ T5322]  ? clear_bhb_loop+0x60/0xb0
[   77.867654][ T5322]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   77.867665][ T5322] RIP: 0033:0x7f6332f8eec9
[   77.867679][ T5322] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   77.867688][ T5322] RSP: 002b:00007f632f3f5038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   77.867701][ T5322] RAX: ffffffffffffffda RBX: 00007f63331e5fa0 RCX: 00007f6332f8eec9
[   77.867712][ T5322] RDX: 0000200000000300 RSI: 0000000040304580 RDI: 000000000000000a
[   77.867718][ T5322] RBP: 00007f6333011f91 R08: 0000000000000000 R09: 0000000000000000
[   77.867725][ T5322] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   77.867731][ T5322] R13: 00007f63331e6038 R14: 00007f63331e5fa0 R15: 00007ffd6db367e8
[   77.867742][ T5322]  </TASK>
[   78.667812][ T5301] Bluetooth: hci0: command tx timeout
[   80.748087][ T5301] Bluetooth: hci0: command tx timeout
[   82.827814][ T5301] Bluetooth: hci0: command tx timeout