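program: sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000b40)={0x0, 0x0, &(0x7f0000000b00)={&(0x7f00000005c0)=ANY=[@ANYRESDEC], 0x68}}, 0x0)
# syzkaller reproducer for the lockdep "possible circular locking dependency" report that follows.
# Only the Bluetooth calls (syz_init_net_socket$bt_*, connect$bt_l2cap, ioctl$sock_bt_hci) show up in
# the reported lock chain; the nftables, qdisc, TCP, hwrng, SCTP and MPTCP calls are not referenced by
# the report and are presumably fuzzer noise (untested whether the program still reproduces without them).
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000540)=ANY=[@ANYBLOB="14000000100001000b000000000000000000000a20000000000a03000000000000000000010000000900010073797a300000000044000000090a010400000000000000000100000008000a40000000000900020073797a32000000000900010073797a3000000000080005400000001f08000340000000045c0000000c0a01020000000000000000010000000900020073797a32000000000900010073797a3000000000300003802c00008028000180230001"], 0xe8}}, 0x0)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
r2 = socket$inet_tcp(0x2, 0x1, 0x0)
r3 = socket$nl_route(0x10, 0x3, 0x0)
# NOTE(review): the listing as extracted read `{'lo\x00', 0x0}` with no result binding, yet r4 is
# consumed by the @newqdisc message below. The `<r4=>` marker was most likely lost when the page's
# angle brackets were stripped, so it is restored here to keep the program parseable.
ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000100)={'lo\x00', <r4=>0x0})
sendmsg$nl_route_sched(r3, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000005c0)=@newqdisc={0x4c, 0x24, 0x4ee4e6a52ff56541, 0x40000, 0x0, {0x0, 0x0, 0x0, r4, {}, {0xffff, 0xffff}, {0x0, 0xfff3}}, [@qdisc_kind_options=@q_netem={{0xa}, {0x1c, 0x2, {{0x6, 0x9, 0x80, 0x0, 0xffffffff, 0x91b1}}}}]}, 0x4c}, 0x1, 0x0, 0x0, 0x4000400}, 0x0)
setsockopt$inet_tcp_TCP_CONGESTION(r2, 0x6, 0xd, &(0x7f0000000040)='htcp', 0x4)
bind$inet(r2, &(0x7f00000000c0)={0x2, 0x4e20, @broadcast}, 0x10)
sendto$inet(r2, &(0x7f0000000140), 0xffffffffffffff58, 0x20008005, &(0x7f0000000100)={0x2, 0x4e20}, 0x10)
recvfrom(r2, &(0x7f0000000480)=""/110, 0x168f6f3d, 0x734, 0x0, 0xfffffffffffffecb)
sendmsg$NFT_BATCH(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000400)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a3c000000090a010400000000000000000100000008000a40000000000900020073797a32000000000900010073797a3000000000080005400000001f5c0000000e0a01020000000000002000010000000900020073797a32000000000900010073797a3000000000300003802c0000802800018023000100"], 0xc0}}, 0x0)
r5 = socket$inet_mptcp(0x2, 0x1, 0x106)
socket$inet6_sctp(0xa, 0x1, 0x84)
# Bluetooth part. The L2CAP socket is connected to the peer address aa:aa:aa:aa:aa:10 (presumably the
# fake remote device the syzkaller executor registers on vhci). This is what creates the
# hci_conn/l2cap_conn whose conn->lock and info_timer work item are the two "locks" in the report
# below -- presumably; the report does not name the connection.
r6 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r6, &(0x7f0000000000)={0x1f, 0x8ef, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe)
# BNEPCONNADD attaches the L2CAP socket r6 to a BNEP session (first struct field is the socket fd).
r7 = syz_init_net_socket$bt_bnep(0x1f, 0x3, 0x4)
ioctl$sock_bt_bnep_BNEPCONNADD(r7, 0x400442c8, &(0x7f00000001c0)={r6, 0x1, 0x2})
# HCI ioctl 0x400448cb = _IOW('H', 203, int) = HCIDEVRESET; the integer argument 0 selects hci0.
# The register dump at the end of the report (ORIG_RAX 0x10 = ioctl, RDI 0xc, RSI 0x400448cb) ties
# this call to the deadlocking path: hci_sock_ioctl -> hci_dev_reset -> hci_conn_hash_flush ->
# l2cap_conn_del, which holds conn->lock while cancel_work_sync()ing the info_timer work. The work
# function (l2cap_info_timeout, chain entry #1) itself takes conn->lock, so if it is already running
# and blocked on the mutex, the flush in l2cap_conn_del can never complete.
r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r8, 0x400448cb, 0x0)
r9 = openat$hwrng(0xffffffffffffff9c, &(0x7f00000002c0), 0x0, 0x0)
preadv(r9, &(0x7f0000000580)=[{&(0x7f0000000640)=""/102396, 0x18ffc}], 0x1, 0x0, 0x0)
r10 = socket$inet6_sctp(0xa, 0x1, 0x84)
getsockopt$bt_hci(r10, 0x84, 0x1, &(0x7f0000002280)=""/4060, &(0x7f0000000640)=0xfdc)
# Injects a raw HCI packet into vhci: 0x04 (event packet), 0x0e (Command Complete), len 4,
# ncmd 2, opcode 0x0c03 (HCI_Reset). Not part of the reported lock chain.
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="040e0402030c"], 0x7)
sendmmsg(r5, &(0x7f0000002840)=[{{0x0, 0x0, 0x0}}], 0x1, 0x20044000)
connect$inet(r5, &(0x7f0000000000)={0x2, 0x4e22, @empty}, 0x10)
socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$mptcp(&(0x7f00000002c0), 0xffffffffffffffff)

[ 85.903540][ T5330]
[ 85.904706][ T5330] ======================================================
[ 85.907843][ T5330] WARNING: possible circular locking dependency detected
[ 85.910936][ T5330] syzkaller #0 Not tainted
[ 85.912955][ T5330] ------------------------------------------------------
[ 85.915819][ T5330] syz.0.0/5330 is trying to acquire lock:
[ 85.918358][ T5330] ffff8880456ed040 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0
[ 85.923112][ T5330]
[ 85.923112][ T5330] but task is already holding lock:
[ 85.926325][ T5330] ffff8880456ed338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[ 85.930375][ T5330]
[ 85.930375][ T5330] which lock already depends on the new lock.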
[ 85.930375][ T5330]
[ 85.934913][ T5330]
[ 85.934913][ T5330] the existing dependency chain (in reverse order) is:
[ 85.939143][ T5330]
[ 85.939143][ T5330] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[ 85.942459][ T5330]        lock_acquire+0x120/0x360
[ 85.944763][ T5330]        __mutex_lock+0x187/0x1350
[ 85.947168][ T5330]        l2cap_info_timeout+0x60/0xa0
[ 85.949552][ T5330]        process_scheduled_works+0xae1/0x17b0
[ 85.952358][ T5330]        worker_thread+0x8a0/0xda0
[ 85.954572][ T5330]        kthread+0x711/0x8a0
[ 85.956564][ T5330]        ret_from_fork+0x4bc/0x870
[ 85.958610][ T5330]        ret_from_fork_asm+0x1a/0x30
[ 85.960835][ T5330]
[ 85.960835][ T5330] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 85.965241][ T5330]        validate_chain+0xb9b/0x2140
[ 85.967688][ T5330]        __lock_acquire+0xab9/0xd20
[ 85.970155][ T5330]        lock_acquire+0x120/0x360
[ 85.972419][ T5330]        __flush_work+0x6b8/0xbc0
[ 85.974738][ T5330]        __cancel_work_sync+0xbe/0x110
[ 85.977295][ T5330]        l2cap_conn_del+0x4f0/0x680
[ 85.979718][ T5330]        hci_conn_hash_flush+0x10d/0x230
[ 85.982331][ T5330]        hci_dev_reset+0x44b/0x6b0
[ 85.984557][ T5330]        sock_do_ioctl+0xdc/0x300
[ 85.986883][ T5330]        sock_ioctl+0x576/0x790
[ 85.989156][ T5330]        __se_sys_ioctl+0xfc/0x170
[ 85.991650][ T5330]        do_syscall_64+0xfa/0xfa0
[ 85.993958][ T5330]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.996922][ T5330]
[ 85.996922][ T5330] other info that might help us debug this:
[ 85.996922][ T5330]
[ 86.001113][ T5330]  Possible unsafe locking scenario:
[ 86.001113][ T5330]
[ 86.004253][ T5330]        CPU0                    CPU1
[ 86.006516][ T5330]        ----                    ----
[ 86.008835][ T5330]   lock(&conn->lock#2);
[ 86.010653][ T5330]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 86.014720][ T5330]                                lock(&conn->lock#2);
[ 86.017509][ T5330]   lock((work_completion)(&(&conn->info_timer)->work));
[ 86.020164][ T5330]
[ 86.020164][ T5330]  *** DEADLOCK ***
[ 86.020164][ T5330]
[ 86.023789][ T5330] 6 locks held by syz.0.0/5330:
[ 86.026414][ T5330]  #0: ffff888031bc4020 (&hdev->srcu){.+.+}-{0:0}, at: 
__hci_dev_get+0x103/0x220 [ 86.030598][ T5330] #1: ffff888031bc4dc8 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_reset+0x17a/0x6b0 [ 86.034944][ T5330] #2: ffff888031bc40b8 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_reset+0x211/0x6b0 [ 86.038904][ T5330] #3: ffffffff8f64b4a8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x230 [ 86.043525][ T5330] #4: ffff8880456ed338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680 [ 86.048069][ T5330] #5: ffffffff8e13d2e0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0 [ 86.052185][ T5330] [ 86.052185][ T5330] stack backtrace: [ 86.054796][ T5330] CPU: 0 UID: 0 PID: 5330 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 86.054815][ T5330] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 86.054823][ T5330] Call Trace: [ 86.054830][ T5330] [ 86.054836][ T5330] dump_stack_lvl+0x189/0x250 [ 86.054855][ T5330] ? __pfx_dump_stack_lvl+0x10/0x10 [ 86.054867][ T5330] ? __pfx__printk+0x10/0x10 [ 86.054879][ T5330] ? print_lock_name+0xde/0x100 [ 86.054890][ T5330] print_circular_bug+0x2ee/0x310 [ 86.054901][ T5330] check_noncircular+0x134/0x160 [ 86.054918][ T5330] validate_chain+0xb9b/0x2140 [ 86.054933][ T5330] ? do_raw_spin_lock+0x121/0x290 [ 86.054945][ T5330] ? look_up_lock_class+0x74/0x170 [ 86.054960][ T5330] ? register_lock_class+0x51/0x320 [ 86.054973][ T5330] __lock_acquire+0xab9/0xd20 [ 86.055012][ T5330] ? __flush_work+0xd2/0xbc0 [ 86.055024][ T5330] lock_acquire+0x120/0x360 [ 86.055038][ T5330] ? __flush_work+0xd2/0xbc0 [ 86.055049][ T5330] ? _raw_spin_unlock_irq+0x23/0x50 [ 86.055063][ T5330] ? __flush_work+0xd2/0xbc0 [ 86.055072][ T5330] __flush_work+0x6b8/0xbc0 [ 86.055081][ T5330] ? __flush_work+0xd2/0xbc0 [ 86.055090][ T5330] ? __flush_work+0xd2/0xbc0 [ 86.055100][ T5330] ? __pfx___flush_work+0x10/0x10 [ 86.055110][ T5330] ? __pfx_wq_barrier_func+0x10/0x10 [ 86.055125][ T5330] ? __pfx___cancel_work+0x10/0x10 [ 86.055136][ T5330] ? 
hci_conn_drop+0x14d/0x280 [ 86.055149][ T5330] __cancel_work_sync+0xbe/0x110 [ 86.055159][ T5330] l2cap_conn_del+0x4f0/0x680 [ 86.055175][ T5330] ? __pfx_l2cap_disconn_cfm+0x10/0x10 [ 86.055190][ T5330] hci_conn_hash_flush+0x10d/0x230 [ 86.055202][ T5330] hci_dev_reset+0x44b/0x6b0 [ 86.055216][ T5330] ? hci_sock_ioctl+0x5b7/0x910 [ 86.055233][ T5330] sock_do_ioctl+0xdc/0x300 [ 86.055246][ T5330] ? __pfx_sock_do_ioctl+0x10/0x10 [ 86.055261][ T5330] sock_ioctl+0x576/0x790 [ 86.055273][ T5330] ? __pfx_sock_ioctl+0x10/0x10 [ 86.055285][ T5330] ? __fget_files+0x3a0/0x420 [ 86.055297][ T5330] ? __fget_files+0x2a/0x420 [ 86.055307][ T5330] ? bpf_lsm_file_ioctl+0x9/0x20 [ 86.055320][ T5330] ? __pfx_sock_ioctl+0x10/0x10 [ 86.055330][ T5330] __se_sys_ioctl+0xfc/0x170 [ 86.055347][ T5330] do_syscall_64+0xfa/0xfa0 [ 86.055363][ T5330] ? lockdep_hardirqs_on+0x9c/0x150 [ 86.055376][ T5330] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.055386][ T5330] ? clear_bhb_loop+0x60/0xb0 [ 86.055398][ T5330] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.055409][ T5330] RIP: 0033:0x7f5aff78efc9 [ 86.055420][ T5330] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 86.055428][ T5330] RSP: 002b:00007f5b00678038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 86.055440][ T5330] RAX: ffffffffffffffda RBX: 00007f5aff9e6180 RCX: 00007f5aff78efc9 [ 86.055448][ T5330] RDX: 0000000000000000 RSI: 00000000400448cb RDI: 000000000000000c [ 86.055455][ T5330] RBP: 00007f5aff811f91 R08: 0000000000000000 R09: 0000000000000000 [ 86.055461][ T5330] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 86.055467][ T5330] R13: 00007f5aff9e6218 R14: 00007f5aff9e6180 R15: 00007ffdbb0a3228 [ 86.055477][ T5330] [ 91.805830][ T920] cfg80211: failed to load regulatory.db