program:
syz_emit_ethernet(0x2a, &(0x7f0000000100)=ANY=[@ANYBLOB="bbbbbbbbbbbb0180c200000008060001080006040002aaaaaaaaa68322ec14bbaaaaaaaaaa00ac1414aa"], 0x0)
r0 = socket$packet(0x11, 0x3, 0x300)
r1 = socket$inet_mptcp(0x2, 0x1, 0x106)
ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(r1, 0x8933, &(0x7f0000000140)={'batadv0\x00', 0x0})
sendto$packet(r0, &(0x7f0000000100)="f257a8ea7bc273dfaeab96850806", 0x2a, 0x0, &(0x7f0000000200)={0x11, 0x0, r2, 0x1, 0x0, 0x6, @link_local}, 0x14)
r3 = socket$nl_generic(0x10, 0x3, 0x10)
syz_usb_connect$hid(0x0, 0x36, 0x0, 0x0)
r4 = socket$nl_netfilter(0x10, 0x3, 0xc)
bind$netlink(r4, &(0x7f0000000000)={0x10, 0x0, 0x0, 0x80065c9}, 0xc)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r5, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000200)={&(0x7f00000003c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a28000000000a0101000000005e1affd5020000000900010073797a300000000008000240000000032c000000030a01030000e6ff00000000020000000900010073797a30000000000900030073797a320000000014000000110001"], 0x7c}}, 0x0)
sendmsg$NFT_BATCH(r5, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000680)=ANY=[@ANYBLOB="14000000100001000000000000b890c1a000000a80000000160a01030000000000000000020000000900020073797a30000000000900010073797a30000000005400038008000240000000000800014000000000400003801400010076657468315f746f5f6272696467650014000100776732000000000000000000000000001400010076657468305f746f5f7465616d00000014000000110001"], 0xa8}}, 0x0)
sendmsg$NFT_BATCH(r5, &(0x7f0000000500)={0x0, 0x0, &(0x7f00000004c0)={&(0x7f00000002c0)={{0x14, 0x10, 0x1, 0x0, 0x0, {0x5}}, [@NFT_MSG_DELFLOWTABLE={0x30, 0x18, 0xa, 0x5, 0x0, 0x0, {0x2}, [@NFTA_FLOWTABLE_HOOK={0x4}, @NFTA_FLOWTABLE_NAME={0x9, 0x2, 'syz0\x00'}, @NFTA_FLOWTABLE_TABLE={0x9, 0x1, 'syz0\x00'}]}], {0x14, 0x11, 0x1, 0x0, 0x0, {0x3}}}, 0x58}, 0x1, 0x0, 0x0, 0x40000}, 0x20008000)
r6 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r6, 0x400448ca, 0x0)
bind$bt_hci(r6, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r7 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r8 = bpf$ITER_CREATE(0xb, &(0x7f0000000100), 0x8)
bind$bt_hci(r7, &(0x7f0000000000)={0x1f, 0xffff, 0x3}, 0x6)
setsockopt$packet_fanout_data(r8, 0x107, 0x16, &(0x7f0000000100)={0x6, &(0x7f0000000280)=[{0x2, 0xa6, 0x2, 0x3}, {0x2, 0x8, 0x8, 0xfffc}, {0xaee, 0x2, 0xac, 0x1000}, {0x40, 0xaf, 0x5, 0x6}, {0x6, 0x80, 0x0, 0x2}, {0x0, 0x3, 0x5, 0x9}]}, 0x10)
write$binfmt_misc(r7, &(0x7f0000000100), 0x6)
ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(r3, 0x8933, &(0x7f0000000140))
socket$nl_route(0x10, 0x3, 0x0)
r9 = getpid()
perf_event_open(&(0x7f00000003c0)={0x2, 0x80, 0x71, 0x1, 0x0, 0x0, 0x0, 0x1, 0x1, 0x6, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xfffffffe, 0x0, @perf_bp={0x0, 0xc}, 0x624d, 0xfffd, 0x80000000, 0x3, 0x0, 0xfffffff8, 0x0, 0x0, 0x0, 0x0, 0x10}, r9, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r10 = socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$batadv(&(0x7f0000000040), r10)
socket$nl_rdma(0x10, 0x3, 0x14)
r11 = openat$ubi_ctrl(0xffffffffffffff9c, &(0x7f00000001c0), 0x0, 0x0)
ioctl$TUNGETVNETBE(r11, 0x800454df, &(0x7f00000002c0)=0x1)

[ 87.160752][ T46] Bluetooth: hci0: command tx timeout
[ 87.183188][ T920]
[ 87.184291][ T920] ======================================================
[ 87.187695][ T920] WARNING: possible circular locking dependency detected
[ 87.190704][ T920] syzkaller #0 Not tainted
[ 87.192697][ T920] ------------------------------------------------------
[ 87.195639][ T920] kworker/0:3/920 is trying to acquire lock:
[ 87.198278][ T920] ffff888012358338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 87.204976][ T920]
[ 87.204976][ T920] but task is already holding lock:
[ 87.208552][ T920] ffffc90002f4fbc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa0f/0x17a0
[ 87.214545][ T920]
[ 87.214545][ T920] which lock already depends on the new lock.
[ 87.214545][ T920]
[ 87.218844][ T920]
[ 87.218844][ T920] the existing dependency chain (in reverse order) is:
[ 87.222394][ T920]
[ 87.222394][ T920] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 87.226822][ T920]        __flush_work+0x700/0xc50
[ 87.228964][ T920]        __cancel_work_sync+0xbe/0x110
[ 87.231343][ T920]        l2cap_conn_del+0x402/0x5b0
[ 87.233629][ T920]        hci_conn_hash_flush+0x10d/0x260
[ 87.235994][ T920]        hci_dev_close_sync+0x821/0x10e0
[ 87.238395][ T920]        hci_dev_close+0x108/0x260
[ 87.240508][ T920]        sock_do_ioctl+0x101/0x320
[ 87.242627][ T920]        sock_ioctl+0x5c6/0x7f0
[ 87.244604][ T920]        __se_sys_ioctl+0xfc/0x170
[ 87.246741][ T920]        do_syscall_64+0xe2/0xf80
[ 87.248864][ T920]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 87.251724][ T920]
[ 87.251724][ T920] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 87.254862][ T920]        __lock_acquire+0x15a5/0x2cf0
[ 87.257304][ T920]        lock_acquire+0x106/0x330
[ 87.259356][ T920]        __mutex_lock+0x19f/0x1300
[ 87.261571][ T920]        l2cap_info_timeout+0x60/0xa0
[ 87.263899][ T920]        process_scheduled_works+0xaec/0x17a0
[ 87.266517][ T920]        worker_thread+0xda6/0x1360
[ 87.268743][ T920]        kthread+0x726/0x8b0
[ 87.270580][ T920]        ret_from_fork+0x51b/0xa40
[ 87.272871][ T920]        ret_from_fork_asm+0x1a/0x30
[ 87.275124][ T920]
[ 87.275124][ T920] other info that might help us debug this:
[ 87.275124][ T920]
[ 87.279487][ T920]  Possible unsafe locking scenario:
[ 87.279487][ T920]
[ 87.282865][ T920]        CPU0                    CPU1
[ 87.285285][ T920]        ----                    ----
[ 87.287625][ T920]   lock((work_completion)(&(&conn->info_timer)->work));
[ 87.290735][ T920]                                lock(&conn->lock#2);
[ 87.293761][ T920]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 87.297615][ T920]   lock(&conn->lock#2);
[ 87.299476][ T920]
[ 87.299476][ T920]  *** DEADLOCK ***
[ 87.299476][ T920]
[ 87.303012][ T920] 2 locks held by kworker/0:3/920:
[ 87.305230][ T920]  #0: ffff88801ac67548 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9d4/0x17a0
[ 87.309804][ T920]  #1: ffffc90002f4fbc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa0f/0x17a0
[ 87.315341][ T920]
[ 87.315341][ T920] stack backtrace:
[ 87.317865][ T920] CPU: 0 UID: 0 PID: 920 Comm: kworker/0:3 Not tainted syzkaller #0 PREEMPT(full)
[ 87.317887][ T920] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 87.318062][ T920] Workqueue: events l2cap_info_timeout
[ 87.318137][ T920] Call Trace:
[ 87.318198][ T920]
[ 87.318228][ T920]  dump_stack_lvl+0xe8/0x150
[ 87.318240][ T920]  print_circular_bug+0x2e1/0x300
[ 87.318249][ T920]  check_noncircular+0x12e/0x150
[ 87.318257][ T920]  __lock_acquire+0x15a5/0x2cf0
[ 87.318269][ T920]  ? __schedule+0x1538/0x51d0
[ 87.318304][ T920]  ? l2cap_info_timeout+0x60/0xa0
[ 87.318311][ T920]  lock_acquire+0x106/0x330
[ 87.318320][ T920]  ? l2cap_info_timeout+0x60/0xa0
[ 87.318330][ T920]  __mutex_lock+0x19f/0x1300
[ 87.318361][ T920]  ? l2cap_info_timeout+0x60/0xa0
[ 87.318374][ T920]  ? irqentry_exit+0x59c/0x620
[ 87.318384][ T920]  ? lockdep_hardirqs_on+0x7a/0x110
[ 87.318393][ T920]  ? l2cap_info_timeout+0x60/0xa0
[ 87.318402][ T920]  ? irqentry_exit+0x59c/0x620
[ 87.318413][ T920]  ? __pfx___mutex_lock+0x10/0x10
[ 87.318427][ T920]  ? lock_acquire+0x221/0x330
[ 87.318441][ T920]  l2cap_info_timeout+0x60/0xa0
[ 87.318467][ T920]  ? process_scheduled_works+0xa0f/0x17a0
[ 87.318483][ T920]  process_scheduled_works+0xaec/0x17a0
[ 87.318503][ T920]  ? __pfx_process_scheduled_works+0x10/0x10
[ 87.318518][ T920]  ? do_raw_spin_lock+0x12b/0x2f0
[ 87.318530][ T920]  ? __pfx_do_raw_spin_lock+0x10/0x10
[ 87.318541][ T920]  ? schedule+0x90/0x360
[ 87.318552][ T920]  worker_thread+0xda6/0x1360
[ 87.318566][ T920]  kthread+0x726/0x8b0
[ 87.318581][ T920]  ? __pfx_worker_thread+0x10/0x10
[ 87.318590][ T920]  ? __pfx_kthread+0x10/0x10
[ 87.318602][ T920]  ? _raw_spin_unlock_irq+0x23/0x50
[ 87.318612][ T920]  ? __pfx_kthread+0x10/0x10
[ 87.318623][ T920]  ret_from_fork+0x51b/0xa40
[ 87.318635][ T920]  ? __pfx_ret_from_fork+0x10/0x10
[ 87.318643][ T920]  ? __switch_to+0xc82/0x1410
[ 87.318659][ T920]  ? __pfx_kthread+0x10/0x10
[ 87.318671][ T920]  ret_from_fork_asm+0x1a/0x30
[ 87.318688][ T920]
[ 89.232970][ T46] Bluetooth: hci0: command tx timeout
[ 91.313899][ T46] Bluetooth: hci0: command tx timeout
[ 91.889020][ T9] cfg80211: failed to load regulatory.db
[ 93.392658][ T46] Bluetooth: hci0: command tx timeout