program:
syz_mount_image$erofs(&(0x7f0000000180), &(0x7f00000001c0)='./file1\x00', 0x80c0, &(0x7f0000000040)=ANY=[@ANYBLOB="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"], 0x5, 0x17c, &(0x7f0000000380)="$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")
r0 = shmget(0x1, 0x4000, 0x200, &(0x7f0000ffb000/0x4000)=nil)
shmat(r0, &(0x7f0000ff9000/0x1000)=nil, 0x4000)
mmap(&(0x7f0000ffc000/0x4000)=nil, 0x4000, 0x1000005, 0x6031, 0xffffffffffffffff, 0x0)
mbind(&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x4006, &(0x7f0000000000)=0x4, 0x5, 0x2)
r1 = socket$inet_sctp(0x2, 0x1, 0x84)
r2 = gettid()
openat$snapshot(0xffffffffffffff9c, &(0x7f0000000500), 0x0, 0x0)
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r2}, &(0x7f0000bbdffc))
r3 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r3, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe)
r4 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6)
r5 = socket$inet_udp(0x2, 0x2, 0x0)
ioctl$sock_ipv6_tunnel_SIOCGETPRL(r5, 0x89f4, &(0x7f00000002c0)={'sit0\x00', &(0x7f0000000200)={@local, 0x1, 0x0, 0x40, 0x0, [{@private}, {@multicast2}, {@remote}, {@empty}]}})
ioctl$sock_bt_hidp_HIDPCONNADD(r4, 0x400448c8, &(0x7f0000000340)={r3, r3, 0x8, 0x0, 0x0, 0xb, 0x1, 0x15c2, 0xfff9, 0x3, 0x0, 0x8, 'syz0\x00'})
timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$sock_SIOCETHTOOL(r1, 0x8946, &(0x7f0000000300)={'netdevsim0\x00', &(0x7f0000000000)=@ethtool_ringparam={0x25, 0x1, 0xc0000000, 0xe, 0xb, 0x0, 0x7, 0x20000004}})
map_shadow_stack(&(0x7f0000ffc000/0x2000)=nil, 0x2000, 0x1)

[ 86.412852][ T5308] Bluetooth: hci0: command tx timeout
[ 86.484824][ T5332] loop0: detected capacity change from 0 to 16
[ 86.511512][ T5332] =======================================================
[ 86.511512][ T5332] WARNING: The mand mount option has been deprecated and
[ 86.511512][ T5332]          and is ignored by this kernel.
[ 86.511512][ T5332]          Remove the mand option from the mount to silence this warning.
[ 86.511512][ T5332] =======================================================
[ 86.563706][ T5300] udevd[5300]: incorrect erofs checksum on /dev/loop0
[ 86.573354][ T5332] erofs: Unknown parameter 'dhe_¡Ôrategy'
[ 86.649952][ T10] cfg80211: failed to load regulatory.db
[ 86.665613][ T5333] input: Bluetooth HID Boot Protocol Device as /devices/virtual/bluetooth/hci0/hci0:200/input5
[ 86.704306][ T5332] Bluetooth: hci0: Opcode 0x0c1a failed: -4
[ 86.706977][ T5332] Bluetooth: hci0: Opcode 0x0406 failed: -4
[ 86.723357][ T5332]
[ 86.724526][ T5332] ======================================================
[ 86.727796][ T5332] WARNING: possible circular locking dependency detected
[ 86.731133][ T5332] syzkaller #0 Not tainted
[ 86.733142][ T5332] ------------------------------------------------------
[ 86.736274][ T5332] syz.0.0/5332 is trying to acquire lock:
[ 86.739169][ T5332] ffff888011a65840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0
[ 86.744406][ T5332]
[ 86.744406][ T5332] but task is already holding lock:
[ 86.747495][ T5332] ffff888011a65b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[ 86.751264][ T5332]
[ 86.751264][ T5332] which lock already depends on the new lock.
[ 86.751264][ T5332]
[ 86.755352][ T5332]
[ 86.755352][ T5332] the existing dependency chain (in reverse order) is:
[ 86.759142][ T5332]
[ 86.759142][ T5332] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[ 86.762303][ T5332]        lock_acquire+0x120/0x360
[ 86.764504][ T5332]        __mutex_lock+0x187/0x1350
[ 86.766651][ T5332]        l2cap_info_timeout+0x60/0xa0
[ 86.768995][ T5332]        process_scheduled_works+0xae1/0x17b0
[ 86.771409][ T5332]        worker_thread+0x8a0/0xda0
[ 86.773464][ T5332]        kthread+0x711/0x8a0
[ 86.775434][ T5332]        ret_from_fork+0x4bc/0x870
[ 86.777668][ T5332]        ret_from_fork_asm+0x1a/0x30
[ 86.780152][ T5332]
[ 86.780152][ T5332] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 86.784411][ T5332]        validate_chain+0xb9b/0x2140
[ 86.786570][ T5332]        __lock_acquire+0xab9/0xd20
[ 86.788782][ T5332]        lock_acquire+0x120/0x360
[ 86.790766][ T5332]        __flush_work+0x6b8/0xbc0
[ 86.792855][ T5332]        __cancel_work_sync+0xbe/0x110
[ 86.795084][ T5332]        l2cap_conn_del+0x4f0/0x680
[ 86.797302][ T5332]        l2cap_connect_cfm+0x11d/0x1040
[ 86.799869][ T5332]        hci_conn_failed+0x1ce/0x310
[ 86.802123][ T5332]        hci_abort_conn_sync+0x658/0xe30
[ 86.804529][ T5332]        hci_disconnect_all_sync+0x1b5/0x350
[ 86.806995][ T5332]        hci_suspend_sync+0x3fc/0xc60
[ 86.809346][ T5332]        hci_suspend_dev+0x28d/0x4d0
[ 86.811486][ T5332]        hci_suspend_notifier+0xf2/0x290
[ 86.813759][ T5332]        notifier_call_chain+0x1b6/0x3e0
[ 86.816093][ T5332]        blocking_notifier_call_chain_robust+0x85/0x100
[ 86.818989][ T5332]        pm_notifier_call_chain_robust+0x2c/0x60
[ 86.821803][ T5332]        snapshot_open+0x19c/0x280
[ 86.823605][ T5332]        misc_open+0x2d5/0x350
[ 86.825507][ T5332]        chrdev_open+0x4cc/0x5e0
[ 86.827464][ T5332]        do_dentry_open+0x953/0x13f0
[ 86.829502][ T5332]        vfs_open+0x3b/0x340
[ 86.831441][ T5332]        path_openat+0x2ee5/0x3830
[ 86.833559][ T5332]        do_filp_open+0x1fa/0x410
[ 86.835625][ T5332]        do_sys_openat2+0x121/0x1c0
[ 86.837689][ T5332]        __x64_sys_openat+0x138/0x170
[ 86.839900][ T5332]        do_syscall_64+0xfa/0xfa0
[ 86.841989][ T5332]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.844583][ T5332]
[ 86.844583][ T5332] other info that might help us debug this:
[ 86.844583][ T5332]
[ 86.848648][ T5332] Possible unsafe locking scenario:
[ 86.848648][ T5332]
[ 86.851753][ T5332]        CPU0                    CPU1
[ 86.853953][ T5332]        ----                    ----
[ 86.855892][ T5332]   lock(&conn->lock#2);
[ 86.857548][ T5332]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 86.861465][ T5332]                                lock(&conn->lock#2);
[ 86.863934][ T5332]   lock((work_completion)(&(&conn->info_timer)->work));
[ 86.866529][ T5332]
[ 86.866529][ T5332]  *** DEADLOCK ***
[ 86.866529][ T5332]
[ 86.869769][ T5332] 8 locks held by syz.0.0/5332:
[ 86.871792][ T5332]  #0: ffffffff8e7776a8 (misc_mtx){+.+.}-{4:4}, at: misc_open+0x51/0x350
[ 86.875408][ T5332]  #1: ffffffff8dded268 (system_transition_mutex){+.+.}-{4:4}, at: lock_system_sleep+0x4a/0x70
[ 86.879822][ T5332]  #2: ffffffff8de10970 ((pm_chain_head).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain_robust+0x65/0x100
[ 86.885225][ T5332]  #3: ffff888011a58dc8 (&hdev->req_lock){+.+.}-{4:4}, at: hci_suspend_dev+0x285/0x4d0
[ 86.890030][ T5332]  #4: ffff888011a580b8 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x242/0xe30
[ 86.894477][ T5332]  #5: ffffffff8f437f28 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_failed+0x165/0x310
[ 86.898439][ T5332]  #6: ffff888011a65b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[ 86.903035][ T5332]  #7: ffffffff8df3d6e0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0
[ 86.906787][ T5332]
[ 86.906787][ T5332] stack backtrace:
[ 86.909312][ T5332] CPU: 0 UID: 0 PID: 5332 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 86.909322][ T5332] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 86.909327][ T5332] Call Trace:
[ 86.909334][ T5332]
[ 86.909362][ T5332]  dump_stack_lvl+0x189/0x250
[ 86.909397][ T5332]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 86.909426][ T5332]  ? __pfx__printk+0x10/0x10
[ 86.909433][ T5332]  ? print_lock_name+0xde/0x100
[ 86.909443][ T5332]  print_circular_bug+0x2ee/0x310
[ 86.909456][ T5332]  check_noncircular+0x134/0x160
[ 86.909468][ T5332]  validate_chain+0xb9b/0x2140
[ 86.909478][ T5332]  ? do_raw_spin_lock+0x121/0x290
[ 86.909492][ T5332]  ? look_up_lock_class+0x74/0x170
[ 86.909507][ T5332]  ? register_lock_class+0x51/0x320
[ 86.909517][ T5332]  __lock_acquire+0xab9/0xd20
[ 86.909529][ T5332]  ? __flush_work+0xd2/0xbc0
[ 86.909542][ T5332]  lock_acquire+0x120/0x360
[ 86.909551][ T5332]  ? __flush_work+0xd2/0xbc0
[ 86.909564][ T5332]  ? _raw_spin_unlock_irq+0x23/0x50
[ 86.909576][ T5332]  ? __flush_work+0xd2/0xbc0
[ 86.909587][ T5332]  __flush_work+0x6b8/0xbc0
[ 86.909599][ T5332]  ? __flush_work+0xd2/0xbc0
[ 86.909610][ T5332]  ? __flush_work+0xd2/0xbc0
[ 86.909621][ T5332]  ? __pfx___flush_work+0x10/0x10
[ 86.909633][ T5332]  ? __pfx_wq_barrier_func+0x10/0x10
[ 86.909646][ T5332]  ? __pfx___cancel_work+0x10/0x10
[ 86.909656][ T5332]  ? hci_conn_drop+0x14d/0x280
[ 86.909665][ T5332]  __cancel_work_sync+0xbe/0x110
[ 86.909676][ T5332]  l2cap_conn_del+0x4f0/0x680
[ 86.909690][ T5332]  l2cap_connect_cfm+0x11d/0x1040
[ 86.909714][ T5332]  ? __pfx_l2cap_connect_cfm+0x10/0x10
[ 86.909731][ T5332]  ? __pfx_l2cap_connect_cfm+0x10/0x10
[ 86.909752][ T5332]  hci_conn_failed+0x1ce/0x310
[ 86.909767][ T5332]  ? hci_abort_conn_sync+0x24e/0xe30
[ 86.909780][ T5332]  hci_abort_conn_sync+0x658/0xe30
[ 86.909793][ T5332]  ? __lock_acquire+0xab9/0xd20
[ 86.909804][ T5332]  ? __pfx_hci_abort_conn_sync+0x10/0x10
[ 86.909817][ T5332]  ? hci_disconnect_all_sync+0x2e/0x350
[ 86.909832][ T5332]  ? hci_disconnect_all_sync+0x2e/0x350
[ 86.909847][ T5332]  ? hci_disconnect_all_sync+0x2e/0x350
[ 86.909862][ T5332]  hci_disconnect_all_sync+0x1b5/0x350
[ 86.909877][ T5332]  hci_suspend_sync+0x3fc/0xc60
[ 86.909891][ T5332]  ? __pfx___mutex_lock+0x10/0x10
[ 86.909904][ T5332]  ? enable_work+0x258/0x2c0
[ 86.909916][ T5332]  ? __pfx_hci_suspend_sync+0x10/0x10
[ 86.909931][ T5332]  ? mgmt_pending_find+0x152/0x170
[ 86.909946][ T5332]  ? hci_cmd_sync_cancel_sync+0xc9/0x190
[ 86.909956][ T5332]  hci_suspend_dev+0x28d/0x4d0
[ 86.909968][ T5332]  ? __pfx_hci_suspend_dev+0x10/0x10
[ 86.909979][ T5332]  ? rcu_barrier+0x474/0x570
[ 86.909993][ T5332]  hci_suspend_notifier+0xf2/0x290
[ 86.910006][ T5332]  notifier_call_chain+0x1b6/0x3e0
[ 86.910019][ T5332]  blocking_notifier_call_chain_robust+0x85/0x100
[ 86.910033][ T5332]  pm_notifier_call_chain_robust+0x2c/0x60
[ 86.910043][ T5332]  snapshot_open+0x19c/0x280
[ 86.910054][ T5332]  ? __pfx_snapshot_open+0x10/0x10
[ 86.910064][ T5332]  misc_open+0x2d5/0x350
[ 86.910076][ T5332]  chrdev_open+0x4cc/0x5e0
[ 86.910090][ T5332]  ? __pfx_chrdev_open+0x10/0x10
[ 86.910106][ T5332]  ? fsnotify_open_perm_and_set_mode+0x113/0x610
[ 86.910121][ T5332]  ? __pfx_chrdev_open+0x10/0x10
[ 86.910133][ T5332]  do_dentry_open+0x953/0x13f0
[ 86.910146][ T5332]  vfs_open+0x3b/0x340
[ 86.910154][ T5332]  ? path_openat+0x2ecd/0x3830
[ 86.910165][ T5332]  path_openat+0x2ee5/0x3830
[ 86.910184][ T5332]  ? __pfx_path_openat+0x10/0x10
[ 86.910198][ T5332]  do_filp_open+0x1fa/0x410
[ 86.910208][ T5332]  ? __lock_acquire+0xab9/0xd20
[ 86.910217][ T5332]  ? __pfx_do_filp_open+0x10/0x10
[ 86.910232][ T5332]  ? _raw_spin_unlock+0x28/0x50
[ 86.910243][ T5332]  ? alloc_fd+0x64c/0x6c0
[ 86.910258][ T5332]  do_sys_openat2+0x121/0x1c0
[ 86.910268][ T5332]  ? __pfx_do_sys_openat2+0x10/0x10
[ 86.910279][ T5332]  ? rcu_is_watching+0x15/0xb0
[ 86.910291][ T5332]  __x64_sys_openat+0x138/0x170
[ 86.910301][ T5332]  do_syscall_64+0xfa/0xfa0
[ 86.910315][ T5332]  ? lockdep_hardirqs_on+0x9c/0x150
[ 86.910328][ T5332]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.910337][ T5332]  ? clear_bhb_loop+0x60/0xb0
[ 86.910349][ T5332]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.910359][ T5332] RIP: 0033:0x7f94dd98f6c9
[ 86.910371][ T5332] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 86.910380][ T5332] RSP: 002b:00007f94de8bf038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 86.910393][ T5332] RAX: ffffffffffffffda RBX: 00007f94ddbe5fa0 RCX: 00007f94dd98f6c9
[ 86.910402][ T5332] RDX: 0000000000000000 RSI: 0000200000000500 RDI: ffffffffffffff9c
[ 86.910409][ T5332] RBP: 00007f94dda11f91 R08: 0000000000000000 R09: 0000000000000000
[ 86.910416][ T5332] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 86.910423][ T5332] R13: 00007f94ddbe6038 R14: 00007f94ddbe5fa0 R15: 00007ffd62225758
[ 86.910434][ T5332]
[ 88.642273][ T46] Bluetooth: hci0: command 0x040f tx timeout
[ 90.722855][ T46] Bluetooth: hci0: command 0x040f tx timeout
[ 92.802332][ T46] Bluetooth: hci0: command 0x040f tx timeout