program:
r0 = socket$nl_route(0x10, 0x3, 0x0)
r1 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00', <r2=>0x0})
syz_mount_image$ext4(&(0x7f0000000740)='ext4\x00', &(0x7f0000000780)='./file0\x00', 0x0, &(0x7f0000000240)={[{@nouid32}, {@data_err_ignore}, {@noquota}]}, 0x1, 0x746, &(0x7f0000000f40)="$eJzs3c9rHGUfAPDvbJOmb9vXpODBimCgBwulG5vWUkGkogcpVop689Bud7ehZLdbspvShIpWFMGTSPHsj5M3/wFRBL15FDx7kkKRUi+CsDLb2bjt7jabNJtV9/OBCc8zM5tnvjszz/Mkz8NMAGNrNv2Ri9gfER8lEdPZ+iQiJlupiYiTd/e7c/taMV2SaDZf/y1p7ZPmo+MzqT1Z5rGI+O79iEO57nLrK6uLhUqlvJTl5xrVy3P1ldXDF6uFhfJC+dL88WePzp+Yf+bE/JbF+sd7r54/9dVLX9x498dfXnvr1JNJnIy92bbOOLbKbMxm38lk+hXe48WtLmzEklEfAJuS3po77t7lsT+mY0crBQD8l70dEU0AYMwk2n8AGDPt/wO0x/aGMQ72T3brhYjY1Sv+iWzMbldrHHT3neSekZEkIma2oPzZiLj65gdfp0sMaRwSoJd3rkfEuZnZ7vov6ZqzsFFPD7DP7H159R9sn2/T/s+JXv2f3Fr/J3r0f6Z63Lubsf79n7u5BcX0lfb/nuvZ/12btDazI8v9v9Xnm0wuXKyU07rtkYg4GJNTaf7IA8o49vHzP/Tb1tn/S5e0/HZfMDuOmxNT936mVGgUHibmTreuRzw+0Sv+ZO38J336v2cGLKPx/ROf99u2fvzD1fws4qme5//vGW1Jx/zEqeianzjXuh7m2ldFt/yH0/v6lT/q+NPzv/vB8c8knfM16xsv46dP/ny537bNXv87kzda6Z3ZuquFRmPpSMTO5JXu9R1TSNv59v5p/AcPPLj+63X9p38Tnhsw/sVPvzy/+fiHK42/tKHzv/HEgZ+/6R1PM5ttvO75P9ZKHczWDFL/DXqAD/PdAQAAAAAAAAAAAAAAAAAAAAAAAMCgchGxN5Jcfi2dy+Xzd9/h/WjszlVq9cahC7XlS6VovSt7JiZz7SddTnc8D/VI9jz8dn7+vvzRiNgXETem/tfK54u1SmnUwQMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAZk+f9/+nfp0a9dEBAEOza9QHAABsO+0/AIwf7T8AjB/tPwCMH+0/AIwf7T8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABDdub06XRp/n77WjHNl66sLC/WrhwuleuL+epyMV+sLV3OL9RqC5Vyvlirrvf7KrXa5fnjsXx1rlGuN+bqK6tnq7XlS42zF6uFhfLZ8uS2RAUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAG1NfWV0sVCrlJQkJCYm1xKhrJgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIB/h78CAAD//6LRHug=")
mount(0x0, &(0x7f0000000140)='./file0\x00', &(0x7f0000000080)='configfs\x00', 0x1000000, 0x0)
utimensat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x0, 0x100)
ioctl$sock_inet6_SIOCADDRT(r1, 0x890b, &(0x7f0000000540)={@rand_addr=' \x01\x00', @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', @private1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4400046, r2})
r3 = socket$inet6_mptcp(0xa, 0x1, 0x106)
r4 = syz_mount_image$ext4(&(0x7f0000000240)='ext4\x00', &(0x7f0000000280)='./mnt\x00', 0x0, &(0x7f00000002c0), 0x0, 0x236, &(0x7f0000000300)="$eJzs3TFoM2UcBvDnLomf/b4gVRdBUEFEtFDqJrjURaEgpYgIKlREXJRWqC1urZOLg84qnVyKuFkdpUtxUQSnqh3qImhxsDjoELlcK9VGFFNz8t3vB5fcJe97//e4e95kOS5Aa00nmU/SSTKTpJekON/grnqZPt3cntpfTgaDx38shu3q7dpZv2tJtpI8mGSvLPJiN9nYffro54NH731jvXfPe7tPTU30IE8dHx0+dvLu4usfLjyw8fmX3y8WmU//D8d1+YoRn3WL5Jb/otj/RNFtegT8E0uvfvBVlftbk9w9zH8vZeqT9+baDXu93P/OX/V964cvbp/kWIHLNxj0qt/ArQHQOmWSfopyNkm9Xpazs/V/+K87V8uXVtdemXlhdX3l+aZnKuCy9JPDRz6+8tG1P+X/u06df+D6VeX/iaWdb6r1k07TowEmqcr/zLOb90X+oXXkH9pL/qG95B/aS/6hveQf2kv+ob3kH9pL/qG95B/a63z+AYB2GVxp+g5koClNzz8AAAAAAAAAAAAAAAAAAMBF21P7y2fLpGp++nZy/HCS7qj6neHziJMbh69XfyqqZr8r6m5jeebOMXcwpvcbvvv6pm+brf/ZHc3W31xJtl5LMtftXrz+itPr79+7+W++7z03ZoExPfRks/V/3Wm2/sJB8kk1/8yNmn/K3DZ8Hz3/9KvzN2b9l38ZcwcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABMzG8BAAD//8n0bSk=")
ioctl$EXT4_IOC_CHECKPOINT(r4, 0x4004662b, &(0x7f0000000000)=0x7)
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000000)={'veth1_to_bridge\x00', <r5=>0x0})
r6 = socket$inet6_mptcp(0xa, 0x1, 0x106)
ioctl$sock_inet6_SIOCADDRT(r6, 0x890b, &(0x7f0000000540)={@empty, @rand_addr=' \x01\x00', @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01', 0x0, 0x0, 0x0, 0x0, 0x0, 0x6, r5})
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000040)=ANY=[@ANYBLOB="9c000000190001000000000000000000f0000000fd00c8000000c20000"], 0x1c}}, 0x0)
syz_emit_vhci(&(0x7f0000000000)=@HCI_EVENT_PKT={0x4, @hci_ev_io_capa_request={{0x31, 0x6}, {@fixed={'\xaa\xaa\xaa\xaa\xaa', 0x12}}}}, 0x9)
r7 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r7, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe)
r8 = syz_open_dev$vim2m(&(0x7f0000000100), 0x0, 0x2)
ioctl$vim2m_VIDIOC_REQBUFS(r8, 0xc0145608, &(0x7f0000000000)={0x6, 0x1, 0x1, 0x0, 0x3})
ioctl$vim2m_VIDIOC_STREAMOFF(r8, 0x40045612, &(0x7f0000000040)=0x1)
ppoll(&(0x7f00000000c0)=[{r8, 0x2004}], 0x1, 0x0, 0x0, 0x0)
r9 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6)
ioctl$sock_bt_hidp_HIDPCONNADD(r9, 0x400448c8, &(0x7f0000000280)={r7, r7, 0xc, 0x0, 0x0, 0x9, 0x1, 0x457, 0x9, 0x9, 0x1, 0x1, 'syz1\x00'})
r10 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r10, 0x400448ca, 0x0)

[   85.712057][ T5336] Bluetooth: hci0: command tx timeout
[   85.808863][ T5360] loop0: detected capacity change from 0 to 2048
[   85.875703][ T5360] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
[   86.008144][ T5360] input: Bluetooth HID Boot Protocol Device as /devices/virtual/bluetooth/hci0/hci0:200/input5
[   86.046739][ T5360] 
[   86.047908][ T5360] ======================================================
[   86.050973][ T5360] WARNING: possible circular locking dependency detected
[   86.054020][ T5360] syzkaller #0 Not tainted
[   86.055990][ T5360] ------------------------------------------------------
[   86.059235][ T5360] syz.0.0/5360 is trying to acquire lock:
[   86.061842][ T5360] ffff888011d93840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0
[   86.067009][ T5360] 
[   86.067009][ T5360] but task is already holding lock:
[   86.070244][ T5360] ffff888011d93b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[   86.074356][ T5360] 
[   86.074356][ T5360] which lock already depends on the new lock.
[   86.074356][ T5360] 
[   86.079035][ T5360] 
[   86.079035][ T5360] the existing dependency chain (in reverse order) is:
[   86.082955][ T5360] 
[   86.082955][ T5360] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[   86.086193][ T5360]        lock_acquire+0x120/0x360
[   86.088404][ T5360]        __mutex_lock+0x187/0x1350
[   86.090791][ T5360]        l2cap_info_timeout+0x60/0xa0
[   86.093303][ T5360]        process_scheduled_works+0xae1/0x17b0
[   86.096181][ T5360]        worker_thread+0x8a0/0xda0
[   86.098496][ T5360]        kthread+0x70e/0x8a0
[   86.100543][ T5360]        ret_from_fork+0x3f9/0x770
[   86.102764][ T5360]        ret_from_fork_asm+0x1a/0x30
[   86.105050][ T5360] 
[   86.105050][ T5360] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[   86.109452][ T5360]        validate_chain+0xb9b/0x2140
[   86.111971][ T5360]        __lock_acquire+0xab9/0xd20
[   86.114674][ T5360]        lock_acquire+0x120/0x360
[   86.117112][ T5360]        __flush_work+0x6b8/0xbc0
[   86.119362][ T5360]        __cancel_work_sync+0xbe/0x110
[   86.121669][ T5360]        l2cap_conn_del+0x4f0/0x680
[   86.124013][ T5360]        hci_conn_hash_flush+0x10a/0x230
[   86.126544][ T5360]        hci_dev_close_sync+0xaef/0x1330
[   86.129087][ T5360]        hci_dev_close+0x108/0x200
[   86.131480][ T5360]        sock_do_ioctl+0xdc/0x300
[   86.133816][ T5360]        sock_ioctl+0x576/0x790
[   86.136139][ T5360]        __se_sys_ioctl+0xf9/0x170
[   86.138473][ T5360]        do_syscall_64+0xfa/0x3b0
[   86.140694][ T5360]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.143694][ T5360] 
[   86.143694][ T5360] other info that might help us debug this:
[   86.143694][ T5360] 
[   86.148298][ T5360]  Possible unsafe locking scenario:
[   86.148298][ T5360] 
[   86.152104][ T5360]        CPU0                    CPU1
[   86.154731][ T5360]        ----                    ----
[   86.156840][ T5360]   lock(&conn->lock#2);
[   86.158739][ T5360]                                lock((work_completion)(&(&conn->info_timer)->work));
[   86.162825][ T5360]                                lock(&conn->lock#2);
[   86.165894][ T5360]   lock((work_completion)(&(&conn->info_timer)->work));
[   86.168924][ T5360] 
[   86.168924][ T5360]  *** DEADLOCK ***
[   86.168924][ T5360] 
[   86.172321][ T5360] 5 locks held by syz.0.0/5360:
[   86.174478][ T5360]  #0: ffff888033160dc0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x200
[   86.178471][ T5360]  #1: ffff8880331600b8 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x66a/0x1330
[   86.182909][ T5360]  #2: ffffffff8f69f508 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x230
[   86.187449][ T5360]  #3: ffff888011d93b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[   86.191441][ T5360]  #4: ffffffff8e139ee0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0
[   86.195388][ T5360] 
[   86.195388][ T5360] stack backtrace:
[   86.198055][ T5360] CPU: 0 UID: 0 PID: 5360 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   86.198078][ T5360] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   86.198088][ T5360] Call Trace:
[   86.198097][ T5360]  <TASK>
[   86.198105][ T5360]  dump_stack_lvl+0x189/0x250
[   86.198130][ T5360]  ? __pfx_dump_stack_lvl+0x10/0x10
[   86.198147][ T5360]  ? __pfx__printk+0x10/0x10
[   86.198169][ T5360]  ? print_lock_name+0xde/0x100
[   86.198191][ T5360]  print_circular_bug+0x2ee/0x310
[   86.198210][ T5360]  check_noncircular+0x134/0x160
[   86.198228][ T5360]  validate_chain+0xb9b/0x2140
[   86.198244][ T5360]  ? do_raw_spin_lock+0x121/0x290
[   86.198263][ T5360]  ? look_up_lock_class+0x74/0x170
[   86.198284][ T5360]  ? register_lock_class+0x51/0x320
[   86.198306][ T5360]  __lock_acquire+0xab9/0xd20
[   86.198330][ T5360]  ? __flush_work+0xd2/0xbc0
[   86.198346][ T5360]  lock_acquire+0x120/0x360
[   86.198366][ T5360]  ? __flush_work+0xd2/0xbc0
[   86.198382][ T5360]  ? _raw_spin_unlock_irq+0x23/0x50
[   86.198398][ T5360]  ? __flush_work+0xd2/0xbc0
[   86.198412][ T5360]  __flush_work+0x6b8/0xbc0
[   86.198427][ T5360]  ? __flush_work+0xd2/0xbc0
[   86.198444][ T5360]  ? __flush_work+0xd2/0xbc0
[   86.198461][ T5360]  ? __pfx___flush_work+0x10/0x10
[   86.198475][ T5360]  ? __pfx_wq_barrier_func+0x10/0x10
[   86.198490][ T5360]  ? __pfx___cancel_work+0x10/0x10
[   86.198503][ T5360]  ? hci_conn_drop+0x14d/0x280
[   86.198518][ T5360]  __cancel_work_sync+0xbe/0x110
[   86.198535][ T5360]  l2cap_conn_del+0x4f0/0x680
[   86.198555][ T5360]  ? __pfx_l2cap_disconn_cfm+0x10/0x10
[   86.198575][ T5360]  hci_conn_hash_flush+0x10a/0x230
[   86.198588][ T5360]  hci_dev_close_sync+0xaef/0x1330
[   86.198620][ T5360]  ? __pfx_hci_dev_close_sync+0x10/0x10
[   86.198636][ T5360]  ? do_raw_read_unlock+0x3d/0x80
[   86.198654][ T5360]  hci_dev_close+0x108/0x200
[   86.198671][ T5360]  sock_do_ioctl+0xdc/0x300
[   86.198686][ T5360]  ? __pfx_sock_do_ioctl+0x10/0x10
[   86.198698][ T5360]  ? __lock_acquire+0xab9/0xd20
[   86.198721][ T5360]  sock_ioctl+0x576/0x790
[   86.198735][ T5360]  ? __pfx_sock_ioctl+0x10/0x10
[   86.198746][ T5360]  ? __fget_files+0x2a/0x420
[   86.198760][ T5360]  ? __fget_files+0x3a0/0x420
[   86.198771][ T5360]  ? __fget_files+0x2a/0x420
[   86.198781][ T5360]  ? bpf_lsm_file_ioctl+0x9/0x20
[   86.198790][ T5360]  ? __pfx_sock_ioctl+0x10/0x10
[   86.198802][ T5360]  __se_sys_ioctl+0xf9/0x170
[   86.198814][ T5360]  do_syscall_64+0xfa/0x3b0
[   86.198830][ T5360]  ? lockdep_hardirqs_on+0x9c/0x150
[   86.198845][ T5360]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.198857][ T5360]  ? clear_bhb_loop+0x60/0xb0
[   86.198870][ T5360]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.198884][ T5360] RIP: 0033:0x7f342e78ebe9
[   86.198898][ T5360] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   86.198909][ T5360] RSP: 002b:00007f342f650038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   86.198923][ T5360] RAX: ffffffffffffffda RBX: 00007f342e9b5fa0 RCX: 00007f342e78ebe9
[   86.198930][ T5360] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 000000000000000c
[   86.198936][ T5360] RBP: 00007f342e811e19 R08: 0000000000000000 R09: 0000000000000000
[   86.198941][ T5360] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   86.198946][ T5360] R13: 00007f342e9b6038 R14: 00007f342e9b5fa0 R15: 00007ffc11348898
[   86.198954][ T5360]  </TASK>
[   86.674723][   T10] cfg80211: failed to load regulatory.db
[   87.790347][ T5336] Bluetooth: hci0: command tx timeout
[   89.870673][ T5336] Bluetooth: hci0: command tx timeout
[   91.950324][ T5336] Bluetooth: hci0: command tx timeout