program:
r0 = socket$inet_sctp(0x2, 0x1, 0x84) (async)
r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r1, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x803}, 0xe)
syz_emit_vhci(&(0x7f0000000340)=ANY=[@ANYBLOB="02c82028002400010007d3040007c4faff020c04000300d3"], 0x2d)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) (async)
setsockopt$inet_sctp_SCTP_STREAM_SCHEDULER(r0, 0x84, 0x7b, &(0x7f0000000200)={0x0, 0x1}, 0x8) (async)
bind$inet(r0, &(0x7f0000000000)={0x2, 0x4e22, @local}, 0x10)
sendto$inet(r0, &(0x7f0000000300)="ab", 0x34000, 0x0, &(0x7f0000000380)={0x2, 0x4e22, @local}, 0x10) (async)
getsockopt$inet_sctp_SCTP_STREAM_SCHEDULER(r0, 0x84, 0x7b, &(0x7f0000000440), &(0x7f0000000480)=0x8) (async)
r3 = socket$inet(0x2, 0x4000000000000001, 0x0)
bind$inet(r3, &(0x7f0000000000)={0x2, 0x4e23, @multicast2}, 0x10) (async)
sendto$inet(r3, 0x0, 0x0, 0x22048854, &(0x7f0000000200)={0x2, 0x4e23, @empty}, 0x10)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={<r4=>0xffffffffffffffff})
r5 = socket(0x10, 0x3, 0x0) (async)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000000)={'lo\x00', <r6=>0x0})
sendmsg$nl_route_sched(r5, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000000c0)=@newqdisc={0x48, 0x24, 0xf0b, 0x0, 0x1000000, {0x60, 0x0, 0x0, r6, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_cake={{0x9}, {0x18, 0x2, [@TCA_CAKE_BASE_RATE64={0xc, 0x2, 0xfff}, @TCA_CAKE_ACK_FILTER={0x8, 0x10, 0x1}]}}]}, 0x48}}, 0x0) (async)
syz_emit_ethernet(0x86, &(0x7f00000010c0)={@broadcast, @multicast, @void, {@ipv4={0x800, @icmp={{0x5, 0x4, 0x0, 0x0, 0x78, 0x0, 0x0, 0x0, 0x1, 0x0, @private=0xa010102, @local}, @redirect={0x3, 0x4, 0x0, @broadcast=0x1000000, {0x17, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x11, 0x0, @private, @empty, {[@timestamp_addr={0x44, 0xc, 0x0, 0x1, 0x0, [{@remote, 0x4e210000}]}, @timestamp_addr={0x44, 0x3c, 0x0, 0x1, 0x0, [{@local}, {}, {@dev}, {@private}, {@empty}, {@initdev={0xac, 0x1e, 0x0, 0x0}}, {@dev}]}]}}}}}}}, 0x0) (async, rerun: 32)
syz_mount_image$ext4(&(0x7f00000004c0)='ext4\x00', &(0x7f0000000000)='./file0\x00', 0x3000080, &(0x7f00000001c0)={[{@noload}, {@nombcache}, {@nojournal_checksum}]}, 0x6, 0x4c9, &(0x7f0000002dc0)="$eJzs3c9vE1ceAPCvbQJJyC4/dg8LB0ALEruLiCERSbTiwmmllWgrOPSI0sRENE4cxQ4lUQ5B6qG9Vy1ST1UP/AFVey2nHlFvLaf2XAm1aWhUqUiuPLZDfjl12xBLmc9HGvxm3uDve7a+L+PnGU8AqXWm9k8moi8iHkfEkfrqxh3O1B9WlxfHaksmqtWb32eS/VaWF8eauzb/3+GIWIqI7oi48b+INzJb45bnFyZHi8XCbGM9X5mayZfnFy7emRqdKEwUpgeHB4ZHhoaGR67sWl/fvnft1fd/uvbOx189/ObNzKfnas3qS2rOnvoy/6Ifu6ne9a44tm7bgYi4+jKCdUCu0Z+eTjeEP6T2/v2tlgFJ/h+JXPJuAmlQrVarz6uHWlUvVYF9K5scA2ey/RFRL2ez/f31Y/i/R2+2WCpXLtwuzU2P14+Vj0ZX9vadYuFS47PC0ejK1NYvJ+UX6wMRcX/d+mBEcgz8Xq4nWe8fKxXH93aoAzY5vCn/n+Xq+Q+khI/8kF7yH9JL/kN6yX9IL/kP6SX/Ib3kP6SX/If0quf/wU43A+gAf/8hveQ/pNJr16/Xlupq4zr+8bvzc5OluxfHC+XJ/qm5sf6x0uxM/0SpNJFcszP1W89XLJVmBmN67l6+UihX8uX5hVtTpbnpyq3kuv5bha496RXQjmOnHz3JRMTSf3uSJdZNBMhV2N+q1Ux0+hpkoDNynR6AgI4x9Qfp5TM+sM1P9G7Q3apiZvfbAuyNbKcbAHTM+RO+/4O0+h3z/0svsx3A3jP/D+nlGB8w/w/pY/4f0quvxf2//rLu3l2XIuKvEfF1rutQ815fwH6Q/S7TOP4/f+Rc3+bag5mfk68IDkbEWx/e/ODeaKUye7m2/Ye17ZUHje0DnWg/0K5mnjbzGABIr5XlxbHmUt/ScsZ/Vz29Vj8JoRZ3tbHUaw405ia7k+8oe1cyG85VyOzSuQtL9yPiHxHPlhfHmkszQv1+5/XXoXcltyX+8cZjpv4USXsPJPdN35v4J9bFP7Uu/sk//apAOjyqjT+Xthv/sklOx1r+bRx/+nbp3Inm+Le6ZfzLro1/uRbj3+k2Y1zNv77SMv79iJPbxm/G605ibY5fa9v5NuN/8e6Pj1vVVT+qP8928ZtqpXxlaiZfnl+4mPyO3ERhenB4YHhkaGh45Eo+maPON2eqt3ryz+ef79T/3hbxd+p/bdu/2+z/Lw8+u3Bmh/j/Orv9+398h/g9EfGfNuP//5Nvb7Sqq8Ufb9H/7A7xa9sG24x/8+HTV9rcFQDYA+X5hcnRYrEwq6CgoLBW6PTIBLxsL5K+0y0BAAAAAAAAAAAA2rUXpxN3uo8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPvBrwEAAP//mknYaA==") (rerun: 32)
sendto$inet(r3, &(0x7f00000012c0)="0c268a927f1f6588b967481241ba78600a34f65ac618ded8974895abeaf4b4834ff922b3f1e0b02bd67aa03859bcecc7a95425a3a07e758044ab4ea6f7ae55d88fecf90b037511bf746bec66ba", 0xd000, 0x11, 0x0, 0x27) (async)
r7 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r7, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000640)=@updpolicy={0xc4, 0x19, 0xfd3649826d894c67, 0x0, 0x0, {{@in6=@mcast1, @in=@multicast1, 0x0, 0x0, 0x0, 0x0, 0xa}}, [@policy_type={0xa, 0x10, {0x1}}]}, 0xc4}}, 0x0)
r8 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r8, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000040)=@updpolicy={0x13c, 0x19, 0xfd3649826d894c67, 0x0, 0x0, {{@in6=@private2, @in=@multicast1, 0x0, 0x0, 0x0, 0x0, 0xa}, {0x9, 0x10001}}, [@tmpl={0x84, 0x5, [{{@in6=@rand_addr=' \x01\x00', 0x20000, 0x32}, 0x0, @in=@empty, 0x0, 0x3, 0x0, 0xa7}, {{@in=@local, 0x0, 0x33}, 0x0, @in, 0x0, 0x3, 0x0, 0x8}]}]}, 0x13c}}, 0x0) (async)
syz_emit_ethernet(0x3e, &(0x7f0000000500)=ANY=[@ANYBLOB="ffffffffffffbbbbbbbbbbbb86dd606b88ef00083a00fc010000000000000000000000080000fe80030000000000000000000000000000000000aa810090"], 0x0) (async)
r9 = socket$netlink(0x10, 0x3, 0x0) (async)
r10 = socket$inet_sctp(0x2, 0x1, 0x84)
setsockopt$inet_sctp_SCTP_STREAM_SCHEDULER_VALUE(r10, 0x84, 0x24, &(0x7f0000000240), 0x8) (async, rerun: 64)
sendmsg$nl_route(r9, &(0x7f0000000240)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000100)=@newlink={0x54, 0x10, 0xffffff1f, 0x0, 0x0, {}, [@IFLA_LINKINFO={0x2c, 0x12, 0x0, 0x1, @sit={{0x8}, {0x20, 0x2, 0x0, 0x1, [@IFLA_IPTUN_6RD_PREFIX={0x14, 0xb, @local}, @IFLA_IPTUN_LOCAL={0x8, 0x2, @broadcast}]}}}, @IFLA_MTU={0x8, 0x4, 0x500}]}, 0x54}}, 0x0) (rerun: 64)

[  144.462664][ T5345] 
[  144.464045][ T5345] ======================================================
[  144.471975][ T5345] WARNING: possible circular locking dependency detected
[  144.476477][ T5345] syzkaller #0 Not tainted
[  144.478471][ T5345] ------------------------------------------------------
[  144.481329][ T5345] syz.0.0/5345 is trying to acquire lock:
[  144.483716][ T5345] ffff888043373840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0
[  144.488439][ T5345] 
[  144.488439][ T5345] but task is already holding lock:
[  144.491240][ T5345] ffff888043373b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[  144.494428][ T5345] 
[  144.494428][ T5345] which lock already depends on the new lock.
[  144.494428][ T5345] 
[  144.498361][ T5345] 
[  144.498361][ T5345] the existing dependency chain (in reverse order) is:
[  144.501476][ T5345] 
[  144.501476][ T5345] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[  144.504987][ T5345]        lock_acquire+0x120/0x360
[  144.507226][ T5345]        __mutex_lock+0x187/0x1350
[  144.509315][ T5345]        l2cap_info_timeout+0x60/0xa0
[  144.511499][ T5345]        process_scheduled_works+0xae1/0x17b0
[  144.513995][ T5345]        worker_thread+0x8a0/0xda0
[  144.516061][ T5345]        kthread+0x711/0x8a0
[  144.518110][ T5345]        ret_from_fork+0x4bc/0x870
[  144.520398][ T5345]        ret_from_fork_asm+0x1a/0x30
[  144.522704][ T5345] 
[  144.522704][ T5345] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[  144.527093][ T5345]        validate_chain+0xb9b/0x2140
[  144.529512][ T5345]        __lock_acquire+0xab9/0xd20
[  144.531886][ T5345]        lock_acquire+0x120/0x360
[  144.534115][ T5345]        __flush_work+0x6b8/0xbc0
[  144.536170][ T5345]        __cancel_work_sync+0xbe/0x110
[  144.538431][ T5345]        l2cap_conn_del+0x4f0/0x680
[  144.540584][ T5345]        hci_conn_hash_flush+0x10d/0x230
[  144.543150][ T5345]        hci_dev_close_sync+0xaef/0x1330
[  144.545657][ T5345]        hci_dev_close+0x108/0x200
[  144.547925][ T5345]        sock_do_ioctl+0xdc/0x300
[  144.550115][ T5345]        sock_ioctl+0x576/0x790
[  144.552247][ T5345]        __se_sys_ioctl+0xfc/0x170
[  144.554564][ T5345]        do_syscall_64+0xfa/0xfa0
[  144.556852][ T5345]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  144.559790][ T5345] 
[  144.559790][ T5345] other info that might help us debug this:
[  144.559790][ T5345] 
[  144.564104][ T5345]  Possible unsafe locking scenario:
[  144.564104][ T5345] 
[  144.567358][ T5345]        CPU0                    CPU1
[  144.569662][ T5345]        ----                    ----
[  144.571950][ T5345]   lock(&conn->lock#2);
[  144.573870][ T5345]                                lock((work_completion)(&(&conn->info_timer)->work));
[  144.577898][ T5345]                                lock(&conn->lock#2);
[  144.580535][ T5345]   lock((work_completion)(&(&conn->info_timer)->work));
[  144.583724][ T5345] 
[  144.583724][ T5345]  *** DEADLOCK ***
[  144.583724][ T5345] 
[  144.587071][ T5345] 5 locks held by syz.0.0/5345:
[  144.589071][ T5345]  #0: ffff888036014dc8 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x200
[  144.593140][ T5345]  #1: ffff8880360140b8 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x66a/0x1330
[  144.597230][ T5345]  #2: ffffffff8f437ae8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x230
[  144.601301][ T5345]  #3: ffff888043373b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[  144.605161][ T5345]  #4: ffffffff8df3d6a0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0
[  144.608788][ T5345] 
[  144.608788][ T5345] stack backtrace:
[  144.611352][ T5345] CPU: 0 UID: 0 PID: 5345 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[  144.611367][ T5345] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[  144.611374][ T5345] Call Trace:
[  144.611382][ T5345]  <TASK>
[  144.611388][ T5345]  dump_stack_lvl+0x189/0x250
[  144.611407][ T5345]  ? __pfx_dump_stack_lvl+0x10/0x10
[  144.611421][ T5345]  ? __pfx__printk+0x10/0x10
[  144.611434][ T5345]  ? print_lock_name+0xde/0x100
[  144.611444][ T5345]  print_circular_bug+0x2ee/0x310
[  144.611460][ T5345]  check_noncircular+0x134/0x160
[  144.611474][ T5345]  validate_chain+0xb9b/0x2140
[  144.611486][ T5345]  ? do_raw_spin_lock+0x121/0x290
[  144.611502][ T5345]  ? look_up_lock_class+0x74/0x170
[  144.611517][ T5345]  ? register_lock_class+0x51/0x320
[  144.611528][ T5345]  __lock_acquire+0xab9/0xd20
[  144.611539][ T5345]  ? __flush_work+0xd2/0xbc0
[  144.611552][ T5345]  lock_acquire+0x120/0x360
[  144.611561][ T5345]  ? __flush_work+0xd2/0xbc0
[  144.611575][ T5345]  ? _raw_spin_unlock_irq+0x23/0x50
[  144.611587][ T5345]  ? __flush_work+0xd2/0xbc0
[  144.611599][ T5345]  __flush_work+0x6b8/0xbc0
[  144.611611][ T5345]  ? __flush_work+0xd2/0xbc0
[  144.611624][ T5345]  ? __flush_work+0xd2/0xbc0
[  144.611637][ T5345]  ? __pfx___flush_work+0x10/0x10
[  144.611649][ T5345]  ? __pfx_wq_barrier_func+0x10/0x10
[  144.611665][ T5345]  ? __pfx___cancel_work+0x10/0x10
[  144.611678][ T5345]  ? l2cap_conn_del+0x3db/0x680
[  144.611693][ T5345]  ? kfree+0x19a/0x6d0
[  144.611706][ T5345]  __cancel_work_sync+0xbe/0x110
[  144.611719][ T5345]  l2cap_conn_del+0x4f0/0x680
[  144.611740][ T5345]  ? __pfx_l2cap_disconn_cfm+0x10/0x10
[  144.611755][ T5345]  hci_conn_hash_flush+0x10d/0x230
[  144.611766][ T5345]  hci_dev_close_sync+0xaef/0x1330
[  144.611782][ T5345]  ? __pfx_hci_dev_close_sync+0x10/0x10
[  144.611795][ T5345]  ? do_raw_read_unlock+0x3d/0x80
[  144.611810][ T5345]  hci_dev_close+0x108/0x200
[  144.611825][ T5345]  sock_do_ioctl+0xdc/0x300
[  144.611839][ T5345]  ? __pfx_sock_do_ioctl+0x10/0x10
[  144.611853][ T5345]  sock_ioctl+0x576/0x790
[  144.611863][ T5345]  ? __pfx_sock_ioctl+0x10/0x10
[  144.611870][ T5345]  ? __fget_files+0x3a0/0x420
[  144.611879][ T5345]  ? __fget_files+0x2a/0x420
[  144.611888][ T5345]  ? bpf_lsm_file_ioctl+0x9/0x20
[  144.611895][ T5345]  ? __pfx_sock_ioctl+0x10/0x10
[  144.611902][ T5345]  __se_sys_ioctl+0xfc/0x170
[  144.611910][ T5345]  do_syscall_64+0xfa/0xfa0
[  144.611924][ T5345]  ? lockdep_hardirqs_on+0x9c/0x150
[  144.611936][ T5345]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  144.611948][ T5345]  ? clear_bhb_loop+0x60/0xb0
[  144.611960][ T5345]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  144.611970][ T5345] RIP: 0033:0x7f6b8f58f6c9
[  144.611983][ T5345] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[  144.611992][ T5345] RSP: 002b:00007f6b90374038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  144.612002][ T5345] RAX: ffffffffffffffda RBX: 00007f6b8f7e5fa0 RCX: 00007f6b8f58f6c9
[  144.612007][ T5345] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000006
[  144.612012][ T5345] RBP: 00007f6b8f611f91 R08: 0000000000000000 R09: 0000000000000000
[  144.612016][ T5345] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  144.612020][ T5345] R13: 00007f6b8f7e6038 R14: 00007f6b8f7e5fa0 R15: 00007ffe5c39f078
[  144.612027][ T5345]  </TASK>
[  144.757570][ T4672] Bluetooth: hci0: command tx timeout
[  146.777849][ T4672] Bluetooth: hci0: command tx timeout
[  148.858042][ T4672] Bluetooth: hci0: command tx timeout
[  149.739104][ T1315] ieee802154 phy0 wpan0: encryption failed: -22
[  149.741841][ T1315] ieee802154 phy1 wpan1: encryption failed: -22