program:
syz_mount_image$ext4(&(0x7f0000000300)='ext4\x00', &(0x7f0000000000)='./file0\x00', 0x200000, &(0x7f0000000040), 0xfc, 0x57f, &(0x7f0000000a80)="$eJzs3d9rW1UcAPDvTdr91nUwhvoghT04mUvX1h8TfJiPosOBvs/QZmU0XUaTjrUO3B4ciC8yBBEH4h/gu4/Df8C/YqCDIaPogy+Rm950WXvTZl1/Lp8P3O2cnJud88295+ycnIQE0LeG0z8KEa9GxHdJxNGOsoHICoeXzlt8fHMiPZJoNj/7O4kke6x9fpL9fTjLvBIRv38dcbqwut76/MJ0uVqtzGb5kcbMtZH6/MKZKzPlqcpU5erY+Pi5d8bH3n/v3U2L9c2L//746f2Pzn17cvGHXx8eu5vE+TiSlXXGsdq+Xqu41ZkZjuHsNRmM8ytOHH2Whu8ByU43gA0pZv18MNIx4GgUs14PvPi+iogm0KeSnvt/+8xsjdBs3jZ4wF7Wnge01/Zrr4NfPI8+XFoArY5/YOm9kTjQWhsdWkyeWhml692hTag/reO3v+7dTY9Y930IgM1zK53DnR0YWD3+Jdn4t3FnezhnZR3GP9g+99P5z1t585/C8vwncuY/h3P67kas3/8LDzehmq7S+d8HufPf5U2roWKWe6k15xtMLl+pVtKx7eWI+CYG96f5tfZzzi0+aHYr65z/pUdaf3sumLXj4cD+p58zWW6UnyfmTo9uR7yWO/9Nlq9/knP909fjYo91nKjce71b2frxb63mLxFv5F7/Jztaydr7kyOt+2GkfVes9s+dE390q3+n40+v/6HO+IvtkuX4h5LO/dr6s9fx84H/Kt3KNnr/70s+b6XbO7M3yo3G7GjEvuST1Y+PPXluO98+P43/1Mm1x7+8+/9gRHyRE0/ePuid43fyTu0x/q2Vxj+59v2/4vo/e+LBx1/+1K3+3q7/263UqeyRXsa/Xhv4PK8dAAAAAAAA7DaFiDgSSaG0nC4USqWlz3ccj0OFaq3eOH25Nnd1MlrflR2KwUJ7p/tox+chRrPPw7bzYyvy4xFxLCK+Lx5s5UsTterkTgcPAAAAAAAAAAAAAAAAAAAAu8ThiAN53/9P/Vnc6dYBW85PfkP/6t7/s5KnfqXp4Ja3B9g+/v+H/qX/Q//S/6F/6f/Qv/R/6F/6P/Qv/R/6l/4PAAAAAAAAAAAAAAAAAAAAAAAAAAAAm+rihQvp0Vx8fHMizU9en5+brl0/M1mpT5dm5iZKE7XZa6WpWm2qWilN1GbW+/eqtdq10bGYuzHSqNQbI/X5hUsztbmrjUtXZspTlUuVwW2JCgAAAAAAAAAAAAAAAAAAAPaW+vzCdLlarczukUQh8or2Z9Hshhb2W2Igp6iYXY/d0UKJjSR2cFACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgBX+DwAA//8maSNU")
mount$tmpfs(0x0, &(0x7f00000003c0)='./file0\x00', &(0x7f0000000080), 0x0, &(0x7f0000000180)=ANY=[@ANYBLOB='huge=always,size=8'])
chdir(&(0x7f0000000140)='./file0\x00')
chdir(&(0x7f0000000100)='./file0\x00')
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000000c0)='cpuacct.usage_percpu\x00', 0x275a, 0x0)
mmap(&(0x7f0000002000/0x4000)=nil, 0x4000, 0x3000001, 0x12, r0, 0x2000)
ftruncate(r0, 0x8979)
syz_usb_connect(0x2, 0x36, &(0x7f00000000c0)=ANY=[@ANYBLOB="120100008010bd40820514009dbb00000001090224"], 0x0)
openat$vcs(0xffffffffffffff9c, &(0x7f00000001c0), 0x0, 0x0)
timer_create(0x5, 0x0, 0x0)
r1 = socket$netlink(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff, <r2=>0xffffffffffffffff})
r3 = dup(r2)
getsockname$packet(r3, &(0x7f0000000240)={0x11, 0x0, <r4=>0x0, 0x1, 0x0, 0x6, @random}, &(0x7f0000000140))
sendmsg$nl_route(r1, &(0x7f0000000080)={0x0, 0xdd860600, &(0x7f0000000040)={&(0x7f0000000500)=@newlink={0xec, 0x10, 0x801, 0x0, 0x0, {0x0, 0x0, 0x0, r4, 0xb}, [@IFLA_AF_SPEC={0xcc, 0x1a, 0x0, 0x1, [@AF_INET6={0x18, 0xa, 0x0, 0x1, [@IFLA_INET6_TOKEN={0x14, 0x7, @local}]}, @AF_INET={0xb0, 0x2, 0x0, 0x1, {0x9, 0x1, 0x0, 0x1, [{0xc}, {0x8}, {0x1b}, {0x8}, {0x8}]}}, @AF_INET={0x18, 0x2, 0x0, 0x1, {0x14, 0x1, 0x0, 0x1, [{0x9, 0xd}, {0x8}]}}, @AF_INET6={0x18, 0xa, 0x0, 0x1, [@IFLA_INET6_TOKEN={0x14, 0x7, @mcast2}, @IFLA_INET6_TOKEN={0x0, 0x7, @mcast2}, @IFLA_INET6_TOKEN={0x0, 0x7, @dev}]}, @AF_INET={0x28, 0x2, 0x0, 0x1, {0x24, 0x1, 0x0, 0x1, [{0x8}, {0x8}, {0x8}, {0x8}]}}, @AF_MPLS={0x4}, @AF_INET6={0x0, 0xa, 0x0, 0x1, [@IFLA_INET6_TOKEN={0x0, 0x7, @rand_addr=' \x01\x00'}, @IFLA_INET6_ADDR_GEN_MODE, @IFLA_INET6_ADDR_GEN_MODE, @IFLA_INET6_TOKEN={0x0, 0x7, @dev}, @IFLA_INET6_TOKEN={0x0, 0x7, @mcast2}, @IFLA_INET6_TOKEN={0x0, 0x7, @rand_addr=' \x01\x00'}, @IFLA_INET6_TOKEN={0x0, 0x7, @dev}, @IFLA_INET6_ADDR_GEN_MODE, @IFLA_INET6_ADDR_GEN_MODE]}, @AF_MPLS={0x4}]}]}, 0xec}}, 0x0)
r5 = syz_open_dev$tty1(0xc, 0x4, 0x1)
ioctl$KDSETLED(r5, 0x4b32, 0x6)
r6 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r6, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe)
r7 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6)
ioctl$sock_bt_hidp_HIDPCONNADD(r7, 0x400448c8, &(0x7f00000000c0)={r6, r6, 0x206, 0x0, 0x0, 0x2, 0x72, 0x1, 0x3, 0x7, 0x0, 0x8, 'syz1\x00'})
r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r8, 0x400448ca, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000040), 0x2, 0x0)
mremap(&(0x7f0000000000/0x9000)=nil, 0x600a00, 0x200000, 0x3, &(0x7f0000a00000/0x600000)=nil)
mmap(&(0x7f0000000000/0xff5000)=nil, 0xff5000, 0x1000002, 0x200000005c831, 0xffffffffffffffff, 0x0)
writev(r0, &(0x7f0000002940)=[{0x0}], 0x1)

[   74.881436][ T4666] Bluetooth: hci0: command tx timeout
[   74.973488][ T5317] loop0: detected capacity change from 0 to 1024
[   75.059527][ T5317] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
[   75.342387][    T9] usb 5-1: new full-speed USB device number 2 using dummy_hcd
[   75.505771][    T9] usb 5-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config
[   75.510053][    T9] usb 5-1: config 0 has no interfaces?
[   75.521839][    T9] usb 5-1: New USB device found, idVendor=0582, idProduct=0014, bcdDevice=bb.9d
[   75.525608][    T9] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[   75.539758][    T9] usb 5-1: config 0 descriptor??
[   75.782898][ T5317] input: Bluetooth HID Boot Protocol Device as /devices/virtual/bluetooth/hci0/hci0:200/input5
[   76.021104][ T5318] 
[   76.022186][ T5318] ======================================================
[   76.024901][ T5318] WARNING: possible circular locking dependency detected
[   76.027728][ T5318] syzkaller #0 Not tainted
[   76.029679][ T5318] ------------------------------------------------------
[   76.032636][ T5318] syz.0.0/5318 is trying to acquire lock:
[   76.035063][ T5318] ffff88803e72e840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0
[   76.039719][ T5318] 
[   76.039719][ T5318] but task is already holding lock:
[   76.042583][ T5318] ffff88803e72eb38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[   76.046212][ T5318] 
[   76.046212][ T5318] which lock already depends on the new lock.
[   76.046212][ T5318] 
[   76.050381][ T5318] 
[   76.050381][ T5318] the existing dependency chain (in reverse order) is:
[   76.054004][ T5318] 
[   76.054004][ T5318] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[   76.056966][ T5318]        lock_acquire+0x120/0x360
[   76.058936][ T5318]        __mutex_lock+0x187/0x1350
[   76.060866][ T5318]        l2cap_info_timeout+0x60/0xa0
[   76.062956][ T5318]        process_scheduled_works+0xae1/0x17b0
[   76.065331][ T5318]        worker_thread+0x8a0/0xda0
[   76.067262][ T5318]        kthread+0x711/0x8a0
[   76.069041][ T5318]        ret_from_fork+0x4bc/0x870
[   76.071270][ T5318]        ret_from_fork_asm+0x1a/0x30
[   76.073458][ T5318] 
[   76.073458][ T5318] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[   76.077673][ T5318]        validate_chain+0xb9b/0x2140
[   76.079940][ T5318]        __lock_acquire+0xab9/0xd20
[   76.082620][ T5318]        lock_acquire+0x120/0x360
[   76.084731][ T5318]        __flush_work+0x6b8/0xbc0
[   76.086930][ T5318]        __cancel_work_sync+0xbe/0x110
[   76.089180][ T5318]        l2cap_conn_del+0x4f0/0x680
[   76.091409][ T5318]        hci_conn_hash_flush+0x10a/0x230
[   76.093719][ T5318]        hci_dev_close_sync+0xaef/0x1330
[   76.096063][ T5318]        hci_dev_close+0x108/0x200
[   76.098292][ T5318]        sock_do_ioctl+0xd9/0x300
[   76.100507][ T5318]        sock_ioctl+0x576/0x790
[   76.102741][ T5318]        __se_sys_ioctl+0xfc/0x170
[   76.104988][ T5318]        do_syscall_64+0xfa/0xfa0
[   76.107167][ T5318]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.109723][ T5318] 
[   76.109723][ T5318] other info that might help us debug this:
[   76.109723][ T5318] 
[   76.113689][ T5318]  Possible unsafe locking scenario:
[   76.113689][ T5318] 
[   76.116911][ T5318]        CPU0                    CPU1
[   76.119172][ T5318]        ----                    ----
[   76.121522][ T5318]   lock(&conn->lock#2);
[   76.123374][ T5318]                                lock((work_completion)(&(&conn->info_timer)->work));
[   76.127556][ T5318]                                lock(&conn->lock#2);
[   76.130510][ T5318]   lock((work_completion)(&(&conn->info_timer)->work));
[   76.133431][ T5318] 
[   76.133431][ T5318]  *** DEADLOCK ***
[   76.133431][ T5318] 
[   76.136807][ T5318] 5 locks held by syz.0.0/5318:
[   76.138975][ T5318]  #0: ffff888033824dc8 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x200
[   76.143036][ T5318]  #1: ffff8880338240b8 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x66a/0x1330
[   76.147189][ T5318]  #2: ffffffff8f64b1a8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x230
[   76.151497][ T5318]  #3: ffff88803e72eb38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[   76.155273][ T5318]  #4: ffffffff8e13d320 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0
[   76.159142][ T5318] 
[   76.159142][ T5318] stack backtrace:
[   76.161734][ T5318] CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   76.161752][ T5318] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   76.161760][ T5318] Call Trace:
[   76.161767][ T5318]  <TASK>
[   76.161773][ T5318]  dump_stack_lvl+0x189/0x250
[   76.161791][ T5318]  ? __pfx_dump_stack_lvl+0x10/0x10
[   76.161803][ T5318]  ? __pfx__printk+0x10/0x10
[   76.161817][ T5318]  ? print_lock_name+0xde/0x100
[   76.161829][ T5318]  print_circular_bug+0x2ee/0x310
[   76.161846][ T5318]  check_noncircular+0x134/0x160
[   76.161860][ T5318]  validate_chain+0xb9b/0x2140
[   76.161874][ T5318]  ? do_raw_spin_lock+0x121/0x290
[   76.161889][ T5318]  ? look_up_lock_class+0x74/0x170
[   76.161912][ T5318]  ? register_lock_class+0x51/0x320
[   76.161924][ T5318]  __lock_acquire+0xab9/0xd20
[   76.161935][ T5318]  ? __flush_work+0xd2/0xbc0
[   76.161947][ T5318]  lock_acquire+0x120/0x360
[   76.161957][ T5318]  ? __flush_work+0xd2/0xbc0
[   76.161970][ T5318]  ? _raw_spin_unlock_irq+0x23/0x50
[   76.161981][ T5318]  ? __flush_work+0xd2/0xbc0
[   76.161992][ T5318]  __flush_work+0x6b8/0xbc0
[   76.162003][ T5318]  ? __flush_work+0xd2/0xbc0
[   76.162015][ T5318]  ? __flush_work+0xd2/0xbc0
[   76.162025][ T5318]  ? __pfx___flush_work+0x10/0x10
[   76.162036][ T5318]  ? __pfx_wq_barrier_func+0x10/0x10
[   76.162049][ T5318]  ? __pfx___cancel_work+0x10/0x10
[   76.162060][ T5318]  ? hci_conn_drop+0x14d/0x280
[   76.162071][ T5318]  __cancel_work_sync+0xbe/0x110
[   76.162083][ T5318]  l2cap_conn_del+0x4f0/0x680
[   76.162097][ T5318]  ? __pfx_l2cap_disconn_cfm+0x10/0x10
[   76.162111][ T5318]  hci_conn_hash_flush+0x10a/0x230
[   76.162128][ T5318]  hci_dev_close_sync+0xaef/0x1330
[   76.162142][ T5318]  ? __pfx_hci_dev_close_sync+0x10/0x10
[   76.162154][ T5318]  ? do_raw_read_unlock+0x3d/0x80
[   76.162169][ T5318]  hci_dev_close+0x108/0x200
[   76.162183][ T5318]  sock_do_ioctl+0xd9/0x300
[   76.162199][ T5318]  ? __pfx_sock_do_ioctl+0x10/0x10
[   76.162216][ T5318]  sock_ioctl+0x576/0x790
[   76.162229][ T5318]  ? __pfx_sock_ioctl+0x10/0x10
[   76.162243][ T5318]  ? __fget_files+0x3a0/0x420
[   76.162255][ T5318]  ? __fget_files+0x2a/0x420
[   76.162269][ T5318]  ? bpf_lsm_file_ioctl+0x9/0x20
[   76.162279][ T5318]  ? __pfx_sock_ioctl+0x10/0x10
[   76.162289][ T5318]  __se_sys_ioctl+0xfc/0x170
[   76.162299][ T5318]  do_syscall_64+0xfa/0xfa0
[   76.162311][ T5318]  ? lockdep_hardirqs_on+0x9c/0x150
[   76.162323][ T5318]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.162333][ T5318]  ? clear_bhb_loop+0x60/0xb0
[   76.162344][ T5318]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.162356][ T5318] RIP: 0033:0x7f79e858eec9
[   76.162368][ T5318] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   76.162377][ T5318] RSP: 002b:00007f79e49d4038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   76.162390][ T5318] RAX: ffffffffffffffda RBX: 00007f79e87e6090 RCX: 00007f79e858eec9
[   76.162398][ T5318] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 000000000000000f
[   76.162406][ T5318] RBP: 00007f79e8611f91 R08: 0000000000000000 R09: 0000000000000000
[   76.162413][ T5318] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   76.162420][ T5318] R13: 00007f79e87e6128 R14: 00007f79e87e6090 R15: 00007ffc986457c8
[   76.162433][ T5318]  </TASK>
[   76.492970][ T1314] ieee802154 phy0 wpan0: encryption failed: -22
[   76.495905][ T1314] ieee802154 phy1 wpan1: encryption failed: -22
[   76.892141][ T5297] Bluetooth: hci0: command tx timeout
[   78.971898][ T5297] Bluetooth: hci0: command tx timeout
[   81.051753][ T5297] Bluetooth: hci0: command tx timeout