program:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_CREATE(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000044c0)={&(0x7f0000000180)=ANY=[@ANYBLOB="4c000000020605170000000000000000000000000500010006000000050405000200000005000400000000000900020073797a310000000011000300686173683a69702c6d61726b00000000"], 0x4c}}, 0x0)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000000)='./cgroup\x00', 0x2c2701, 0x0)
openat$cgroup_int(r2, &(0x7f00000002c0)='cpuset.mems\x00', 0x2, 0x0)
read$FUSE(r2, &(0x7f0000004500)={0x2020, 0x0, 0x0, 0x0, <r3=>0x0}, 0x2020)
lchown(&(0x7f0000000640)='./cgroup\x00', 0x0, r3)
socket$nl_route(0x10, 0x3, 0x0)
r4 = socket(0x10, 0x3, 0x0)
r5 = socket(0x10, 0x803, 0x0)
syz_genetlink_get_family_id$mptcp(&(0x7f00000000c0), r5)
getsockname$packet(r5, &(0x7f0000000100)={0x11, 0x0, <r6=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000200)=0x14)
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000005c0)={&(0x7f0000001240)=@newqdisc={0x78, 0x24, 0x5820a61ca228651, 0x0, 0x0, {0x0, 0x0, 0x0, r6, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_sfq={{0x8}, {0x4c, 0x2, {{}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, {0x0, 0x3}}}}]}, 0x78}}, 0x0)
sendmsg$nl_route_sched(r4, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000a80)=@gettaction={0x168, 0x32, 0x200, 0x70bd2d, 0x25dfdbfc, {}, [@action_gd=@TCA_ACT_TAB={0x74, 0x1, [{0xc, 0x14, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x9}}, {0x10, 0x4, 0x0, 0x0, @TCA_ACT_KIND={0xb, 0x1, 'mirred\x00'}}, {0xc, 0x10, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x1000}}, {0x10, 0x1c, 0x0, 0x0, @TCA_ACT_KIND={0xa, 0x1, 'pedit\x00'}}, {0xc, 0xf, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x9}}, {0x10, 0x11, 0x0, 0x0, @TCA_ACT_KIND={0x9, 0x1, 'gact\x00'}}, {0xc, 0x13, 0x0, 0x0, @TCA_ACT_KIND={0x7, 0x1, 'xt\x00'}}, {0x10, 0xa, 0x0, 0x0, @TCA_ACT_KIND={0x9, 0x1, 'csum\x00'}}]}, @action_dump_flags=@TCA_ROOT_TIME_DELTA={0x8, 0x4, 0x1}, @action_gd=@TCA_ACT_TAB={0x38, 0x1, [{0xc, 0xe, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x7f}}, {0x10, 0x1b, 0x0, 0x0, @TCA_ACT_KIND={0xb, 0x1, 'sample\x00'}}, {0xc, 0x18, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x53}}, {0xc, 0x1c, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x2}}]}, @action_gd=@TCA_ACT_TAB={0x78, 0x1, [{0xc, 0x6, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x7fff}}, {0xc, 0x4, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x3}}, {0xc, 0x1e, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x1}}, {0x10, 0x1c, 0x0, 0x0, @TCA_ACT_KIND={0x9, 0x1, 'vlan\x00'}}, {0x10, 0xc, 0x0, 0x0, @TCA_ACT_KIND={0xb, 0x1, 'police\x00'}}, {0xc, 0x17, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0xa7}}, {0xc, 0x1e, 0x0, 0x0, @TCA_ACT_KIND={0x8, 0x1, 'nat\x00'}}, {0xc, 0xd, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x7b}}, {0xc, 0x7, 0x0, 0x0, @TCA_ACT_KIND={0x8, 0x1, 'nat\x00'}}]}, @action_dump_flags=@TCA_ROOT_FLAGS={0xc, 0x2, {0x0, 0x1}}, @action_dump_flags=@TCA_ROOT_TIME_DELTA={0x8, 0x4, 0x1}, @action_gd=@TCA_ACT_TAB={0x14, 0x1, [{0x10, 0x14, 0x0, 0x0, @TCA_ACT_KIND={0x9, 0x1, 'gact\x00'}}]}]}, 0x168}, 0x1, 0x0, 0x0, 0x48004}, 0x0)
socket$inet6_udp(0xa, 0x2, 0x0)
io_setup(0xed, &(0x7f0000000000)=<r7=>0x0)
r8 = syz_genetlink_get_family_id$devlink(&(0x7f0000000480), r5)
r9 = syz_open_dev$tty1(0xc, 0x4, 0x1)
ioctl$KDSETLED(r9, 0x4b32, 0x6)
r10 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r10, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe)
r11 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6)
ioctl$sock_bt_hidp_HIDPCONNADD(r11, 0x400448c8, &(0x7f00000000c0)={r10, r10, 0x206, 0x0, 0x0, 0x2, 0x72, 0x1, 0x3, 0x7, 0x0, 0x8, 'syz1\x00'})
r12 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r12, 0x400448ca, 0x0)
sendmsg$DEVLINK_CMD_GET(r5, &(0x7f0000000600)={&(0x7f0000000440)={0x10, 0x0, 0x0, 0x8008}, 0xc, &(0x7f0000000580)={&(0x7f0000000800)=ANY=[@ANYBLOB="500040024e8de57951ad79af3043ca06afb7777de7b37955dc8f7a3c75a0dc", @ANYRES16=r8, @ANYBLOB="20002bbd7000fddbdf25010000000e0001006e657464657673696d0000000f0002006e657464657673696d300000080001007063690011000200303030303a30303a31302e3000000000"], 0x50}, 0x1, 0x0, 0x0, 0x4001}, 0x4008042)
r13 = openat$sysfs(0xffffffffffffff9c, &(0x7f0000000000)='/sys/power/resume_offset', 0x1c1442, 0x1a7b76cf8118a6bd)
io_submit(r7, 0x1, &(0x7f0000000540)=[&(0x7f00000007c0)={0x0, 0x0, 0x0, 0x1, 0x0, r13, &(0x7f0000000040)="ca", 0x1, 0x2004, 0x0, 0x2}])
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000380)={0x0, 0x12, &(0x7f0000000680)=ANY=[@ANYBLOB="85000000b600000018540000100000000000000000000000b7080000000000007b8af8ff00000000b7080000000100007b8af0ff00000000bfa100000000000007010000f8ffffffbfa400000000000007040000f0ffffffb70200000800000018230000", @ANYRES32=r2, @ANYBLOB="0000000000000000b70500000800000085000000a50000001831000002000000000000000000000091da063a3a5ab33275d27bf3339332b7ec59e111ea318553fc09cc5dee790853decb5666a3eb23b806e03370f0338bdeffcb4035753cfb32ece48c534a577cc958680b8f95e9068c5b02503b5f9071fc8eefdb1e964fcdf2b00da223bbfe6fada35b12816417945b68f95bcbc3be9b9cfab42c0c3be2905fae2a71f81547b2ad244993b7994fcb659e2f3abcc9592553557d31d540a8f9"], &(0x7f0000000140)='GPL\x00', 0x0, 0xba, &(0x7f0000000200)=""/186, 0x41000, 0x49, '\x00', r6, 0x0, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, &(0x7f00000002c0)={0x0, 0x8, 0xf6, 0x6}, 0x10, 0x0, 0x0, 0x4, &(0x7f0000000300)=[r13], &(0x7f0000000340)=[{0x2, 0x5, 0xc}, {0x3, 0x2, 0x10, 0x7}, {0x5, 0x1, 0x8, 0x5}, {0x1, 0x1, 0xf}], 0x10, 0x100}, 0x94)
sendmsg$IPSET_CMD_CREATE(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000044c0)={&(0x7f0000000880)=ANY=[@ANYBLOB="4c00f8ffffffffffffff0005000400000000000900e50073797a3100000000c33211000300f7ff73683a69702c6d6e726b0000000000000012a1fa9f000000000004000000007090e1b03a23194df1a922125b49f1923f752b88fb5397994f307bd27044a014d561a38f53a76170ee19ffeb3dce01b287d6ee96911e99b2ba5c731ca83b9008fdf5bb682f08e343966c01707bc0c4323edd5dd1dc4837ca16"], 0x4c}}, 0x0)

[   85.717286][ T4682] Bluetooth: hci0: command tx timeout
[   85.783470][ T5344] netlink: 48 bytes leftover after parsing attributes in process `syz.0.0'.
[   85.798831][ T5344] netlink: 4 bytes leftover after parsing attributes in process `syz.0.0'.
[   85.835270][ T5344] input: Bluetooth HID Boot Protocol Device as /devices/virtual/bluetooth/hci0/hci0:200/input5
[   85.985942][ T5345] 
[   85.987042][ T5345] ======================================================
[   85.989891][ T5345] WARNING: possible circular locking dependency detected
[   85.992654][ T5345] syzkaller #0 Not tainted
[   85.994487][ T5345] ------------------------------------------------------
[   85.997477][ T5345] syz.0.0/5345 is trying to acquire lock:
[   86.000107][ T5345] ffff88801185d840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0
[   86.004813][ T5345] 
[   86.004813][ T5345] but task is already holding lock:
[   86.007943][ T5345] ffff88801185db38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0
[   86.011930][ T5345] 
[   86.011930][ T5345] which lock already depends on the new lock.
[   86.011930][ T5345] 
[   86.016412][ T5345] 
[   86.016412][ T5345] the existing dependency chain (in reverse order) is:
[   86.020321][ T5345] 
[   86.020321][ T5345] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[   86.023791][ T5345]        __mutex_lock+0x187/0x1350
[   86.026043][ T5345]        l2cap_info_timeout+0x60/0xa0
[   86.028354][ T5345]        process_scheduled_works+0xad1/0x1770
[   86.030883][ T5345]        worker_thread+0x8a0/0xda0
[   86.033039][ T5345]        kthread+0x711/0x8a0
[   86.035031][ T5345]        ret_from_fork+0x510/0xa50
[   86.037167][ T5345]        ret_from_fork_asm+0x1a/0x30
[   86.039299][ T5345] 
[   86.039299][ T5345] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[   86.043651][ T5345]        __lock_acquire+0x15a6/0x2cf0
[   86.045942][ T5345]        lock_acquire+0x107/0x340
[   86.048312][ T5345]        __flush_work+0x6b8/0xbc0
[   86.050540][ T5345]        __cancel_work_sync+0xbe/0x110
[   86.052976][ T5345]        l2cap_conn_del+0x402/0x5b0
[   86.055390][ T5345]        hci_conn_hash_flush+0x10d/0x260
[   86.057729][ T5345]        hci_dev_close_sync+0x821/0x1100
[   86.060110][ T5345]        hci_dev_close+0x108/0x270
[   86.062356][ T5345]        sock_do_ioctl+0xdc/0x300
[   86.064591][ T5345]        sock_ioctl+0x576/0x790
[   86.066864][ T5345]        __se_sys_ioctl+0xfc/0x170
[   86.069161][ T5345]        do_syscall_64+0xec/0xf80
[   86.071293][ T5345]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.073651][ T5345] 
[   86.073651][ T5345] other info that might help us debug this:
[   86.073651][ T5345] 
[   86.077621][ T5345]  Possible unsafe locking scenario:
[   86.077621][ T5345] 
[   86.080959][ T5345]        CPU0                    CPU1
[   86.083331][ T5345]        ----                    ----
[   86.085610][ T5345]   lock(&conn->lock#2);
[   86.087451][ T5345]                                lock((work_completion)(&(&conn->info_timer)->work));
[   86.091740][ T5345]                                lock(&conn->lock#2);
[   86.094861][ T5345]   lock((work_completion)(&(&conn->info_timer)->work));
[   86.098014][ T5345] 
[   86.098014][ T5345]  *** DEADLOCK ***
[   86.098014][ T5345] 
[   86.101524][ T5345] 5 locks held by syz.0.0/5345:
[   86.103574][ T5345]  #0: ffff88801a12cec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x270
[   86.107775][ T5345]  #1: ffff88801a12c0c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0x1100
[   86.112299][ T5345]  #2: ffffffff8f485c88 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x260
[   86.117718][ T5345]  #3: ffff88801185db38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0
[   86.121875][ T5345]  #4: ffffffff8df41aa0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0
[   86.125742][ T5345] 
[   86.125742][ T5345] stack backtrace:
[   86.128284][ T5345] CPU: 0 UID: 0 PID: 5345 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   86.128297][ T5345] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   86.128303][ T5345] Call Trace:
[   86.128309][ T5345]  <TASK>
[   86.128314][ T5345]  dump_stack_lvl+0xe8/0x150
[   86.128327][ T5345]  print_circular_bug+0x2e2/0x300
[   86.128342][ T5345]  check_noncircular+0x12e/0x150
[   86.128353][ T5345]  __lock_acquire+0x15a6/0x2cf0
[   86.128363][ T5345]  ? do_raw_spin_lock+0x121/0x290
[   86.128379][ T5345]  ? __flush_work+0xd2/0xbc0
[   86.128391][ T5345]  lock_acquire+0x107/0x340
[   86.128400][ T5345]  ? __flush_work+0xd2/0xbc0
[   86.128413][ T5345]  ? __flush_work+0xd2/0xbc0
[   86.128423][ T5345]  __flush_work+0x6b8/0xbc0
[   86.128434][ T5345]  ? __flush_work+0xd2/0xbc0
[   86.128446][ T5345]  ? __flush_work+0xd2/0xbc0
[   86.128456][ T5345]  ? __pfx___flush_work+0x10/0x10
[   86.128466][ T5345]  ? __pfx_wq_barrier_func+0x10/0x10
[   86.128479][ T5345]  ? __cancel_work_sync+0x5c/0x110
[   86.128490][ T5345]  __cancel_work_sync+0xbe/0x110
[   86.128502][ T5345]  l2cap_conn_del+0x402/0x5b0
[   86.128516][ T5345]  ? __pfx_l2cap_disconn_cfm+0x10/0x10
[   86.128529][ T5345]  hci_conn_hash_flush+0x10d/0x260
[   86.128547][ T5345]  hci_dev_close_sync+0x821/0x1100
[   86.128560][ T5345]  ? __pfx_hci_dev_close_sync+0x10/0x10
[   86.128569][ T5345]  ? lockdep_hardirqs_on+0x7b/0x110
[   86.128575][ T5345]  ? enable_work+0x1e9/0x220
[   86.128584][ T5345]  hci_dev_close+0x108/0x270
[   86.128593][ T5345]  sock_do_ioctl+0xdc/0x300
[   86.128602][ T5345]  ? __pfx_sock_do_ioctl+0x10/0x10
[   86.128609][ T5345]  ? do_futex+0x333/0x420
[   86.128616][ T5345]  ? call_rcu+0x644/0x890
[   86.128626][ T5345]  sock_ioctl+0x576/0x790
[   86.128634][ T5345]  ? __pfx_sock_ioctl+0x10/0x10
[   86.128640][ T5345]  ? __fget_files+0x2a/0x420
[   86.128648][ T5345]  ? __fget_files+0x3a0/0x420
[   86.128656][ T5345]  ? __fget_files+0x2a/0x420
[   86.128665][ T5345]  ? bpf_lsm_file_ioctl+0x9/0x20
[   86.128680][ T5345]  ? __pfx_sock_ioctl+0x10/0x10
[   86.128689][ T5345]  __se_sys_ioctl+0xfc/0x170
[   86.128703][ T5345]  do_syscall_64+0xec/0xf80
[   86.128713][ T5345]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.128723][ T5345]  ? trace_irq_disable+0x37/0x100
[   86.128735][ T5345]  ? clear_bhb_loop+0x60/0xb0
[   86.128744][ T5345]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.128752][ T5345] RIP: 0033:0x7fc4b678f7c9
[   86.128764][ T5345] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   86.128773][ T5345] RSP: 002b:00007fc4b7555038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   86.128788][ T5345] RAX: ffffffffffffffda RBX: 00007fc4b69e6090 RCX: 00007fc4b678f7c9
[   86.128798][ T5345] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 000000000000000e
[   86.128805][ T5345] RBP: 00007fc4b6813f91 R08: 0000000000000000 R09: 0000000000000000
[   86.128812][ T5345] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   86.128818][ T5345] R13: 00007fc4b69e6128 R14: 00007fc4b69e6090 R15: 00007ffd46a8cbe8
[   86.128830][ T5345]  </TASK>
[   87.770758][   T47] Bluetooth: hci0: command tx timeout
[   89.851026][   T47] Bluetooth: hci0: command tx timeout
[   91.691471][ T1360] cfg80211: failed to load regulatory.db
[   91.930574][   T47] Bluetooth: hci0: command tx timeout