program:
r0 = socket$inet6_sctp(0xa, 0x1, 0x84)
r1 = epoll_create1(0x80000)
epoll_wait(r1, &(0x7f0000000140)=[{}], 0x1, 0xfffffffc)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000000)={0xffffffffffffffff, 0xffffffffffffffff})
epoll_ctl$EPOLL_CTL_ADD(r1, 0x1, r2, &(0x7f0000000100))
shutdown(r2, 0x0)
epoll_ctl$EPOLL_CTL_MOD(r1, 0x3, r2, &(0x7f00000000c0)={0x20002000})
r3 = syz_open_dev$ttys(0xc, 0x2, 0x0)
ioctl$TIOCGPTLCK(r3, 0x80045439, &(0x7f0000000180))
setsockopt$inet_sctp_SCTP_SOCKOPT_BINDX_ADD(0xffffffffffffffff, 0x84, 0x64, &(0x7f00000001c0)=[@in6={0xa, 0x4e24, 0xf1, @empty, 0x19f49a9}], 0x1c)
listen(0xffffffffffffffff, 0x100)
sendmsg$inet6(r0, &(0x7f0000000800)={&(0x7f0000000080)={0xa, 0x4e24, 0x8, @loopback, 0x5}, 0x1c, &(0x7f0000000640)=[{&(0x7f00000000c0)="88", 0x1}], 0x1}, 0x4048043)
r4 = dup(r0)
setsockopt$SO_BINDTODEVICE(r4, 0x1, 0x19, &(0x7f0000000000)='ip6gretap0\x00', 0x10)
socket$nl_netfilter(0x10, 0x3, 0xc)
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$ethtool(&(0x7f00000001c0), 0xffffffffffffffff)
r5 = syz_open_dev$tty1(0xc, 0x4, 0x1)
ioctl$KDSETLED(r5, 0x4b32, 0x6)
r6 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000480)=ANY=[], 0x28}}, 0x0)
syz_mount_image$nilfs2(&(0x7f0000000a40), &(0x7f0000000a80)='./file0\x00', 0x0, &(0x7f0000000100)=ANY=[@ANYBLOB="00a717cf64394a00dc299b573660f498c4d99aac48af10923f703f53e58070c2bf4575228d0e471df7101ac03b8d48a1b0fc276e395f25b63e9a27cd2ab98888989eec154d97b4dbcf"], 0x1, 0xa09, &(0x7f0000001540)="$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")
bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000280)={0x6, 0x2, &(0x7f0000000000)=@raw=[@cb_func={0x18, 0x1, 0x4, 0x0, 0xfffffffffffffffe}], 0x0, 0x8, 0x0, 0x0, 0x41000, 0x2, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x2}, 0x94)
r7 = open(&(0x7f0000000080)='.\x00', 0x0, 0x1b5)
ioctl$EXT4_IOC_GROUP_ADD(r7, 0x40186e8d, &(0x7f0000000040)={0x0, 0x42c0000000003f, 0x400, 0x200000003, 0x6, 0x3, 0x2401})
connect$bt_l2cap(r6, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe)
r8 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6)
ioctl$sock_bt_hidp_HIDPCONNADD(r8, 0x400448c8, &(0x7f00000000c0)={r6, r6, 0x206, 0x0, 0x0, 0x2, 0x72, 0x1, 0x3, 0x7, 0x0, 0x8, 'syz1\x00'})
r9 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r9, 0x400448ca, 0x0)

[ 85.955324][ T5341] loop0: detected capacity change from 0 to 2048
[ 85.993662][ T5341] NILFS (loop0): broken superblock, retrying with spare superblock (blocksize = 1024)
[ 86.011999][ T5341] NILFS (loop0): mounting unchecked fs
[ 86.026175][ T5310] udevd[5310]: incorrect nilfs2 checksum on /dev/loop0
[ 86.041675][ T5341] NILFS (loop0): recovery complete
[ 86.050876][ T5344] NILFS (loop0): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
[ 86.088659][ T5341] input: Bluetooth HID Boot Protocol Device as /devices/virtual/bluetooth/hci0/hci0:200/input5
[ 86.175826][ T5341]
[ 86.176945][ T5341] ======================================================
[ 86.179994][ T5341] WARNING: possible circular locking dependency detected
[ 86.183064][ T5341] syzkaller #0 Not tainted
[ 86.185087][ T5341] ------------------------------------------------------
[ 86.188169][ T5341] syz.0.0/5341 is trying to acquire lock:
[ 86.190731][ T5341] ffff888000c9e840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0
[ 86.195804][ T5341]
[ 86.195804][ T5341] but task is already holding lock:
[ 86.198944][ T5341] ffff888000c9eb38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0
[ 86.202823][ T5341]
[ 86.202823][ T5341] which lock already depends on the new lock.
[ 86.202823][ T5341]
[ 86.207105][ T5341]
[ 86.207105][ T5341] the existing dependency chain (in reverse order) is:
[ 86.211028][ T5341]
[ 86.211028][ T5341] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[ 86.214458][ T5341] __mutex_lock+0x187/0x1350
[ 86.216901][ T5341] l2cap_info_timeout+0x60/0xa0
[ 86.219811][ T5341] process_scheduled_works+0xad1/0x1770
[ 86.223203][ T5341] worker_thread+0x8a0/0xda0
[ 86.226074][ T5341] kthread+0x711/0x8a0
[ 86.228224][ T5341] ret_from_fork+0x510/0xa50
[ 86.230492][ T5341] ret_from_fork_asm+0x1a/0x30
[ 86.232850][ T5341]
[ 86.232850][ T5341] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 86.237591][ T5341] __lock_acquire+0x15a6/0x2cf0
[ 86.239900][ T5341] lock_acquire+0x107/0x340
[ 86.241692][ T5341] __flush_work+0x6b8/0xbc0
[ 86.243683][ T5341] __cancel_work_sync+0xbe/0x110
[ 86.245937][ T5341] l2cap_conn_del+0x402/0x5b0
[ 86.248152][ T5341] hci_conn_hash_flush+0x10d/0x260
[ 86.250211][ T5341] hci_dev_close_sync+0x821/0x1100
[ 86.252466][ T5341] hci_dev_close+0x108/0x270
[ 86.254506][ T5341] sock_do_ioctl+0xdc/0x300
[ 86.256692][ T5341] sock_ioctl+0x576/0x790
[ 86.258721][ T5341] __se_sys_ioctl+0xfc/0x170
[ 86.260952][ T5341] do_syscall_64+0xec/0xf80
[ 86.263303][ T5341] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.266015][ T5341]
[ 86.266015][ T5341] other info that might help us debug this:
[ 86.266015][ T5341]
[ 86.270031][ T5341] Possible unsafe locking scenario:
[ 86.270031][ T5341]
[ 86.273050][ T5341] CPU0 CPU1
[ 86.275305][ T5341] ---- ----
[ 86.277692][ T5341] lock(&conn->lock#2);
[ 86.279356][ T5341] lock((work_completion)(&(&conn->info_timer)->work));
[ 86.283405][ T5341] lock(&conn->lock#2);
[ 86.286957][ T5341] lock((work_completion)(&(&conn->info_timer)->work));
[ 86.290836][ T5341]
[ 86.290836][ T5341] *** DEADLOCK ***
[ 86.290836][ T5341]
[ 86.295108][ T5341] 5 locks held by syz.0.0/5341:
[ 86.297849][ T5341] #0: ffff888037318ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x270
[ 86.302291][ T5341] #1: ffff8880373180c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0x1100
[ 86.306190][ T5341] #2: ffffffff8f485c88 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x260
[ 86.310428][ T5341] #3: ffff888000c9eb38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0
[ 86.314529][ T5341] #4: ffffffff8df41aa0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0
[ 86.318582][ T5341]
[ 86.318582][ T5341] stack backtrace:
[ 86.321229][ T5341] CPU: 0 UID: 0 PID: 5341 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 86.321248][ T5341] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 86.321255][ T5341] Call Trace:
[ 86.321264][ T5341]
[ 86.321270][ T5341] dump_stack_lvl+0xe8/0x150
[ 86.321290][ T5341] print_circular_bug+0x2e2/0x300
[ 86.321305][ T5341] check_noncircular+0x12e/0x150
[ 86.321320][ T5341] __lock_acquire+0x15a6/0x2cf0
[ 86.321332][ T5341] ? __pfx___schedule+0x10/0x10
[ 86.321346][ T5341] ? irqentry_exit+0x5e8/0x670
[ 86.321357][ T5341] ? irqentry_exit+0x5e8/0x670
[ 86.321367][ T5341] ? __flush_work+0xd2/0xbc0
[ 86.321377][ T5341] lock_acquire+0x107/0x340
[ 86.321387][ T5341] ? __flush_work+0xd2/0xbc0
[ 86.321405][ T5341] ? preempt_schedule_thunk+0x16/0x30
[ 86.321416][ T5341] ? __flush_work+0xd2/0xbc0
[ 86.321426][ T5341] __flush_work+0x6b8/0xbc0
[ 86.321438][ T5341] ? __flush_work+0xd2/0xbc0
[ 86.321451][ T5341] ? __flush_work+0xd2/0xbc0
[ 86.321463][ T5341] ? __pfx___flush_work+0x10/0x10
[ 86.321475][ T5341] ? __pfx_wq_barrier_func+0x10/0x10
[ 86.321490][ T5341] ? __cancel_work_sync+0x5c/0x110
[ 86.321502][ T5341] __cancel_work_sync+0xbe/0x110
[ 86.321515][ T5341] l2cap_conn_del+0x402/0x5b0
[ 86.321529][ T5341] ? __pfx_l2cap_disconn_cfm+0x10/0x10
[ 86.321543][ T5341] hci_conn_hash_flush+0x10d/0x260
[ 86.321558][ T5341] hci_dev_close_sync+0x821/0x1100
[ 86.321572][ T5341] ? __pfx_hci_dev_close_sync+0x10/0x10
[ 86.321586][ T5341] ? lockdep_hardirqs_on+0x7b/0x110
[ 86.321595][ T5341] ? enable_work+0x1e9/0x220
[ 86.321607][ T5341] hci_dev_close+0x108/0x270
[ 86.321621][ T5341] sock_do_ioctl+0xdc/0x300
[ 86.321634][ T5341] ? __pfx_sock_do_ioctl+0x10/0x10
[ 86.321644][ T5341] ? do_futex+0x333/0x420
[ 86.321656][ T5341] ? call_rcu+0x644/0x890
[ 86.321671][ T5341] sock_ioctl+0x576/0x790
[ 86.321682][ T5341] ? __pfx_sock_ioctl+0x10/0x10
[ 86.321694][ T5341] ? __fget_files+0x2a/0x420
[ 86.321706][ T5341] ? __fget_files+0x3a0/0x420
[ 86.321715][ T5341] ? __fget_files+0x2a/0x420
[ 86.321725][ T5341] ? bpf_lsm_file_ioctl+0x9/0x20
[ 86.321743][ T5341] ? __pfx_sock_ioctl+0x10/0x10
[ 86.321753][ T5341] __se_sys_ioctl+0xfc/0x170
[ 86.321769][ T5341] do_syscall_64+0xec/0xf80
[ 86.321779][ T5341] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.321789][ T5341] ? trace_irq_disable+0x37/0x100
[ 86.321804][ T5341] ? clear_bhb_loop+0x60/0xb0
[ 86.321816][ T5341] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.321827][ T5341] RIP: 0033:0x7f632278f7c9
[ 86.321839][ T5341] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 86.321848][ T5341] RSP: 002b:00007f632367a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 86.321861][ T5341] RAX: ffffffffffffffda RBX: 00007f63229e5fa0 RCX: 00007f632278f7c9
[ 86.321869][ T5341] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000011
[ 86.321875][ T5341] RBP: 00007f6322813f91 R08: 0000000000000000 R09: 0000000000000000
[ 86.321882][ T5341] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 86.321889][ T5341] R13: 00007f63229e6038 R14: 00007f63229e5fa0 R15: 00007fffee852978
[ 86.321902][ T5341]
[ 86.462276][ T47] Bluetooth: hci0: command tx timeout
[ 88.542409][ T47] Bluetooth: hci0: command tx timeout
[ 90.622846][ T47] Bluetooth: hci0: command tx timeout
[ 91.664485][ T10] cfg80211: failed to load regulatory.db