program:
r0 = socket$inet_udplite(0x2, 0x2, 0x88)
r1 = socket(0x21, 0x3, 0x0)
getsockname$packet(r1, &(0x7f0000000200)={0x11, 0x0, <r2=>0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000001480)=0x14)
r3 = syz_open_dev$dri(&(0x7f0000000000), 0x1, 0x40402)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r3, 0xc04064a0, &(0x7f0000000300)={0x0, &(0x7f0000000240)=[<r4=>0x0], 0x0, 0x0, 0x0, 0x1})
r5 = openat$iommufd(0xffffffffffffff9c, &(0x7f0000000000), 0x40200, 0x0)
ioctl$IOMMU_VFIO_IOAS$SET(r5, 0x3b88, &(0x7f0000000040)={0xc, 0x0, 0x1, 0x204})
ioctl$DRM_IOCTL_MODE_GETCRTC(r3, 0xc06864a1, &(0x7f00000001c0)={0x0, 0x0, r4, <r6=>0x0})
ioctl$DRM_IOCTL_MODE_SETCRTC(r3, 0xc06864a2, &(0x7f0000000d80)={0x0, 0x0, r4, r6, 0x0, 0x1, 0x7, 0x2, {0x4, 0x7, 0x3, 0xd, 0x7, 0x7, 0x5, 0x9, 0xb, 0x0, 0x7, 0x3, 0x100, 0x7, "dcdda51c878b0cbcd373cf12c16f0008f713dc15cc1772401486460adfc8af74"}})
sendmsg$IPCTNL_MSG_CT_NEW(0xffffffffffffffff, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000000c0)={0x0}}, 0x0)
sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000800)=@newtfilter={0x30, 0x2c, 0xd27, 0x70bd2d, 0x0, {0x0, 0x0, 0x0, r2, {0xffff}, {}, {0x8, 0xb}}, [@filter_kind_options=@f_fw={{0x7}, {0x4}}]}, 0x30}}, 0x4000)
r7 = socket$netlink(0x10, 0x3, 0x0)
r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r8, 0x400448cb, 0x0)
getsockopt$inet6_IPV6_FLOWLABEL_MGR(0xffffffffffffffff, 0x29, 0x20, &(0x7f0000000100)={@loopback, 0x1, 0x1, 0x3, 0x1a, 0xffff}, 0x0)
r9 = socket$nl_generic(0x10, 0x3, 0x10)
r10 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000180), 0xffffffffffffffff)
sendmsg$TIPC_NL_MEDIA_SET(r9, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000040)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r10, @ANYBLOB="01002cbd7000fddbdf250c00000020000580070001006962000014000280080003000002000008000400070000009cd2dc8c0701c5"], 0x34}, 0x1, 0x0, 0x0, 0x8040}, 0x80)
ioctl$BTRFS_IOC_BALANCE_CTL(r7, 0x40049421, 0x2)
r11 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPCTNL_MSG_CT_NEW(r11, &(0x7f0000000080)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000740)={0x14, 0x0, 0x1, 0x401, 0x0, 0x0, {0xa}}, 0x14}}, 0x0)
r12 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x3)
ioctl$FS_IOC_GETFSLABEL(r12, 0x400452c8, &(0x7f0000000100))
sendmmsg(r7, &(0x7f00000002c0), 0x40000000000009f, 0x0)
sendmmsg$inet(r0, &(0x7f0000002240)=[{{&(0x7f0000000140)={0x2, 0x4e22, @dev={0xac, 0x14, 0x14, 0x44}}, 0x10, 0x0}}], 0x1, 0x4000000)

[   86.453927][ T4680] Bluetooth: hci0: command tx timeout
[   86.533546][ T5333] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[   86.647863][ T5333] 
[   86.649000][ T5333] ======================================================
[   86.652302][ T5333] WARNING: possible circular locking dependency detected
[   86.655378][ T5333] 6.16.0-rc1-syzkaller #0 Not tainted
[   86.658042][ T5333] ------------------------------------------------------
[   86.661773][ T5333] syz.0.0/5333 is trying to acquire lock:
[   86.664345][ T5333] ffff88803f062040 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0
[   86.669565][ T5333] 
[   86.669565][ T5333] but task is already holding lock:
[   86.673017][ T5333] ffff88803f062338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[   86.677753][ T5333] 
[   86.677753][ T5333] which lock already depends on the new lock.
[   86.677753][ T5333] 
[   86.682347][ T5333] 
[   86.682347][ T5333] the existing dependency chain (in reverse order) is:
[   86.686580][ T5333] 
[   86.686580][ T5333] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[   86.690422][ T5333]        lock_acquire+0x120/0x360
[   86.692834][ T5333]        __mutex_lock+0x182/0xe80
[   86.695255][ T5333]        l2cap_info_timeout+0x60/0xa0
[   86.697683][ T5333]        process_scheduled_works+0xae1/0x17b0
[   86.700996][ T5333]        worker_thread+0x8a0/0xda0
[   86.703639][ T5333]        kthread+0x70e/0x8a0
[   86.705724][ T5333]        ret_from_fork+0x3fc/0x770
[   86.708084][ T5333]        ret_from_fork_asm+0x1a/0x30
[   86.710364][ T5333] 
[   86.710364][ T5333] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[   86.715331][ T5333]        validate_chain+0xb9b/0x2140
[   86.718007][ T5333]        __lock_acquire+0xab9/0xd20
[   86.720218][ T5333]        lock_acquire+0x120/0x360
[   86.722464][ T5333]        __flush_work+0x6b8/0xbc0
[   86.724800][ T5333]        __cancel_work_sync+0xbe/0x110
[   86.727548][ T5333]        l2cap_conn_del+0x4f0/0x680
[   86.730411][ T5333]        hci_conn_hash_flush+0x10a/0x230
[   86.733029][ T5333]        hci_dev_reset+0x3e0/0x5c0
[   86.735296][ T5333]        sock_do_ioctl+0xd9/0x300
[   86.737615][ T5333]        sock_ioctl+0x576/0x790
[   86.739950][ T5333]        __se_sys_ioctl+0xf9/0x170
[   86.742729][ T5333]        do_syscall_64+0xfa/0x3b0
[   86.745258][ T5333]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.748288][ T5333] 
[   86.748288][ T5333] other info that might help us debug this:
[   86.748288][ T5333] 
[   86.752855][ T5333]  Possible unsafe locking scenario:
[   86.752855][ T5333] 
[   86.756702][ T5333]        CPU0                    CPU1
[   86.759577][ T5333]        ----                    ----
[   86.761859][ T5333]   lock(&conn->lock#2);
[   86.763757][ T5333]                                lock((work_completion)(&(&conn->info_timer)->work));
[   86.768100][ T5333]                                lock(&conn->lock#2);
[   86.771653][ T5333]   lock((work_completion)(&(&conn->info_timer)->work));
[   86.774859][ T5333] 
[   86.774859][ T5333]  *** DEADLOCK ***
[   86.774859][ T5333] 
[   86.778263][ T5333] 5 locks held by syz.0.0/5333:
[   86.780317][ T5333]  #0: ffff888033230d80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_reset+0x139/0x5c0
[   86.785266][ T5333]  #1: ffff888033230078 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_reset+0x1c9/0x5c0
[   86.789568][ T5333]  #2: ffffffff8f678068 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x230
[   86.793868][ T5333]  #3: ffff88803f062338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[   86.797886][ T5333]  #4: ffffffff8e13eda0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0
[   86.802297][ T5333] 
[   86.802297][ T5333] stack backtrace:
[   86.805062][ T5333] CPU: 0 UID: 0 PID: 5333 Comm: syz.0.0 Not tainted 6.16.0-rc1-syzkaller #0 PREEMPT(full) 
[   86.805081][ T5333] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   86.805091][ T5333] Call Trace:
[   86.805102][ T5333]  <TASK>
[   86.805110][ T5333]  dump_stack_lvl+0x189/0x250
[   86.805162][ T5333]  ? __pfx_dump_stack_lvl+0x10/0x10
[   86.805211][ T5333]  ? __pfx__printk+0x10/0x10
[   86.805226][ T5333]  ? print_lock_name+0xde/0x100
[   86.805239][ T5333]  print_circular_bug+0x2ee/0x310
[   86.805253][ T5333]  check_noncircular+0x134/0x160
[   86.805265][ T5333]  validate_chain+0xb9b/0x2140
[   86.805276][ T5333]  ? do_raw_spin_lock+0x121/0x290
[   86.805291][ T5333]  ? look_up_lock_class+0x74/0x170
[   86.805309][ T5333]  ? register_lock_class+0x51/0x320
[   86.805328][ T5333]  __lock_acquire+0xab9/0xd20
[   86.805346][ T5333]  ? __flush_work+0xd2/0xbc0
[   86.805357][ T5333]  lock_acquire+0x120/0x360
[   86.805370][ T5333]  ? __flush_work+0xd2/0xbc0
[   86.805381][ T5333]  ? _raw_spin_unlock_irq+0x23/0x50
[   86.805395][ T5333]  ? __flush_work+0xd2/0xbc0
[   86.805405][ T5333]  __flush_work+0x6b8/0xbc0
[   86.805416][ T5333]  ? __flush_work+0xd2/0xbc0
[   86.805428][ T5333]  ? __flush_work+0xd2/0xbc0
[   86.805438][ T5333]  ? __pfx___flush_work+0x10/0x10
[   86.805449][ T5333]  ? __pfx_wq_barrier_func+0x10/0x10
[   86.805465][ T5333]  ? __pfx___cancel_work+0x10/0x10
[   86.805477][ T5333]  ? __pfx___mutex_lock+0x10/0x10
[   86.805487][ T5333]  ? hci_dev_reset+0x1c9/0x5c0
[   86.805502][ T5333]  __cancel_work_sync+0xbe/0x110
[   86.805517][ T5333]  l2cap_conn_del+0x4f0/0x680
[   86.805531][ T5333]  ? __pfx_l2cap_disconn_cfm+0x10/0x10
[   86.805544][ T5333]  hci_conn_hash_flush+0x10a/0x230
[   86.805560][ T5333]  hci_dev_reset+0x3e0/0x5c0
[   86.805573][ T5333]  sock_do_ioctl+0xd9/0x300
[   86.805594][ T5333]  ? __pfx_sock_do_ioctl+0x10/0x10
[   86.805611][ T5333]  ? __lock_acquire+0xab9/0xd20
[   86.805629][ T5333]  sock_ioctl+0x576/0x790
[   86.805643][ T5333]  ? __pfx_sock_ioctl+0x10/0x10
[   86.805657][ T5333]  ? __fget_files+0x2a/0x420
[   86.805677][ T5333]  ? __fget_files+0x3a0/0x420
[   86.805689][ T5333]  ? __fget_files+0x2a/0x420
[   86.805701][ T5333]  ? bpf_lsm_file_ioctl+0x9/0x20
[   86.805716][ T5333]  ? __pfx_sock_ioctl+0x10/0x10
[   86.805731][ T5333]  __se_sys_ioctl+0xf9/0x170
[   86.805747][ T5333]  do_syscall_64+0xfa/0x3b0
[   86.805758][ T5333]  ? lockdep_hardirqs_on+0x9c/0x150
[   86.805773][ T5333]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.805785][ T5333]  ? clear_bhb_loop+0x60/0xb0
[   86.805797][ T5333]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.805808][ T5333] RIP: 0033:0x7f393c98e929
[   86.805820][ T5333] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   86.805831][ T5333] RSP: 002b:00007f393d891038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   86.805846][ T5333] RAX: ffffffffffffffda RBX: 00007f393cbb5fa0 RCX: 00007f393c98e929
[   86.805855][ T5333] RDX: 0000000000000000 RSI: 00000000400448cb RDI: 0000000000000008
[   86.805863][ T5333] RBP: 00007f393ca10b39 R08: 0000000000000000 R09: 0000000000000000
[   86.805871][ T5333] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   86.805879][ T5333] R13: 0000000000000000 R14: 00007f393cbb5fa0 R15: 00007ffefe928a38
[   86.805890][ T5333]  </TASK>
[   86.968331][   T10] cfg80211: failed to load regulatory.db
[   87.048503][ T5342] Zero length message leads to an empty skb