program:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
r2 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000040), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r1, 0x8933, &(0x7f0000000740)={'wlan1\x00', <r3=>0x0})
syz_80211_inject_frame(&(0x7f00000003c0)=@device_b, &(0x7f0000000140)=ANY=[@ANYBLOB="b0000300080211000001080211000000fffffffffffff8ffffff00002400"], 0x1e)
r4 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3)
connect(r4, &(0x7f0000000000)=@rc={0x1f, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x8}, 0x80)
r5 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r6 = socket$nl_route(0x10, 0x3, 0x0)
r7 = socket$inet6_udp(0xa, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(r7, 0x8933, &(0x7f0000000040)={'lo\x00', <r8=>0x0})
sendmsg$nl_route_sched(r6, &(0x7f00000012c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000004c0)=@gettfilter={0x24, 0x2e, 0x100, 0x70bd28, 0x25dfdbfe, {0x0, 0x0, 0x0, r8, {0xffff, 0xffe0}, {0xa, 0x5}, {0x2, 0xd}}}, 0x24}, 0x1, 0x0, 0x0, 0x400}, 0x90)
r9 = socket(0x840000000002, 0x3, 0xfa)
connect$inet(r9, &(0x7f0000000140)={0x2, 0x0, @remote}, 0x10)
syz_usb_connect$cdc_ecm(0x2, 0x0, 0x0, 0x0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, <r10=>0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r10, 0x8933, &(0x7f0000000000)={'lo\x00', <r11=>0x0})
r12 = socket(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(r12, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000002340)=@newqdisc={0x3c, 0x24, 0xd0f, 0x0, 0x0, {0x60, 0x0, 0x0, r11, {}, {0xfff2, 0xa}, {0x2}}, [@qdisc_kind_options=@q_fq_pie={{0xb}, {0x2e, 0x2, [@TCA_FQ_PIE_TUPDATE={0x8}]}}]}, 0x3c}, 0x1, 0x0, 0x0, 0x80c0}, 0x4000)
sendmmsg$inet(r9, &(0x7f0000005240), 0x4000095, 0x0)
ioctl$HCIINQUIRY(r5, 0x400448ca, 0x0)
r13 = socket$nl_generic(0x10, 0x3, 0x10)
r14 = syz_open_dev$video(&(0x7f0000000180), 0x7, 0x0)
ioctl$VIDIOC_S_FREQUENCY(r14, 0x402c5639, &(0x7f0000000380)={0x0, 0x2, 0x300})
sendmsg$NL80211_CMD_REGISTER_FRAME(r13, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000780)={0x150, r2, 0x400, 0x0, 0x0, {{}, {@val={0x8, 0x3, r3}, @void}}, [@NL80211_ATTR_FRAME_MATCH={0xd1, 0x5b, "c35a301e9f9aa5a23628b698409b019a723a9cb943aafae5537216579671c9f4d03dbced075a368967051cef5dbdfd02a78abc29b6ce26837d061ce6477d22373b2762801dc0a134e3bcf9efb82030143db064ccc342bb2d3e5d7be4c390777aceac432c95b4b269bba4ec4c9ba38cba6fe34bb86f8b8ab801b494562b7fe5945ad79e79139d6a11b0c5ff9a6f69c31fb470ce4ddb831752da491c0aac57a1293d1306203e49e719af701122b839f7313865f1f9b455dfa3cb781fdfe0479d920e2732d94ae65374c2a8c14ded"}, @NL80211_ATTR_FRAME_MATCH={0x5f, 0x5b, "a60147a3344ef376d0ae2b179abc64c7d813120f9639de5baa932b080525fc6c6279281cdfb3b45d2875c3bb6b016942b4b0a95399f382431304852d7861e6471e9deb9a88725551c81df9676ff86da52724e0c52d836f0925ff07"}]}, 0x150}}, 0x0)
sendmsg$NL80211_CMD_REGISTER_FRAME(r1, &(0x7f00000005c0)={0x0, 0x0, &(0x7f0000000580)={&(0x7f0000000180)=ANY=[@ANYBLOB="18dc0000", @ANYRES16=r2, @ANYBLOB="010000000000000000003a00000013005b00f376071686bdab131968b9688d7b5600"], 0x28}}, 0x0)
syz_genetlink_get_family_id$nl80211(&(0x7f0000000280), 0xffffffffffffffff)
sendmsg$NL80211_CMD_GET_SCAN(r13, &(0x7f0000000300)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f0000000240)={&(0x7f00000001c0)={0x14, r2, 0x10, 0x70bd2a, 0x25dfdbff, {{}, {@void, @void}}, ["", ""]}, 0x14}, 0x1, 0x0, 0x0, 0x4002800}, 0x40001)
sendmsg$L2TP_CMD_TUNNEL_GET(r13, &(0x7f0000000100)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0xe2a828043dccd117}, 0xc, &(0x7f00000000c0)={&(0x7f0000000400)=ANY=[@ANYBLOB='<\x00\x00\x00', @ANYRES16=0x0, @ANYBLOB="6c3d27bd7000fedbdf250400000006001c000700000006001b004e24000006001c008000000008000a000300000008000c0004000000101b76faee3465f984be2b7f77a400f8ffd11ee6029a81832c5badb2c5e88866fc799083eb8aec43fc9b4b56992cb10630d783d3958c6edb7f86de502edbe33501ac692cf315ed69f962e4fcb3f5f1c11df94b8da6a5f289705259c38fc195843f4098a0"], 0x3c}, 0x1, 0x0, 0x0, 0x140}, 0x40)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000002c0)={'wlan0\x00'})

[   86.136601][ T5344] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium
[   86.230512][ T5345] netlink: 12 bytes leftover after parsing attributes in process `syz.0.0'.
[   86.305585][ T5346] 
[   86.306574][ T5346] ======================================================
[   86.309227][ T5346] WARNING: possible circular locking dependency detected
[   86.311654][ T5346] syzkaller #0 Not tainted
[   86.313315][ T5346] ------------------------------------------------------
[   86.316353][ T5346] syz.0.0/5346 is trying to acquire lock:
[   86.318726][ T5346] ffff888045227040 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0
[   86.323313][ T5346] 
[   86.323313][ T5346] but task is already holding lock:
[   86.326254][ T5346] ffff888045227338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[   86.329911][ T5346] 
[   86.329911][ T5346] which lock already depends on the new lock.
[   86.329911][ T5346] 
[   86.334110][ T5346] 
[   86.334110][ T5346] the existing dependency chain (in reverse order) is:
[   86.337920][ T5346] 
[   86.337920][ T5346] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[   86.341248][ T5346]        __mutex_lock+0x187/0x1350
[   86.343520][ T5346]        l2cap_info_timeout+0x60/0xa0
[   86.345981][ T5346]        process_scheduled_works+0xad1/0x1770
[   86.348539][ T5346]        worker_thread+0x8a0/0xda0
[   86.350718][ T5346]        kthread+0x711/0x8a0
[   86.352665][ T5346]        ret_from_fork+0x599/0xb30
[   86.354827][ T5346]        ret_from_fork_asm+0x1a/0x30
[   86.357154][ T5346] 
[   86.357154][ T5346] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[   86.361600][ T5346]        __lock_acquire+0x15a6/0x2cf0
[   86.364073][ T5346]        lock_acquire+0x117/0x340
[   86.366235][ T5346]        __flush_work+0x6b8/0xbc0
[   86.368436][ T5346]        __cancel_work_sync+0xbe/0x110
[   86.370736][ T5346]        l2cap_conn_del+0x4f3/0x680
[   86.373285][ T5346]        hci_conn_hash_flush+0x10d/0x230
[   86.375830][ T5346]        hci_dev_close_sync+0x821/0xff0
[   86.378089][ T5346]        hci_dev_close+0x108/0x200
[   86.380217][ T5346]        sock_do_ioctl+0xdc/0x300
[   86.382279][ T5346]        sock_ioctl+0x576/0x790
[   86.384380][ T5346]        __se_sys_ioctl+0xfc/0x170
[   86.386658][ T5346]        do_syscall_64+0xfa/0xf80
[   86.388775][ T5346]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.391730][ T5346] 
[   86.391730][ T5346] other info that might help us debug this:
[   86.391730][ T5346] 
[   86.396453][ T5346]  Possible unsafe locking scenario:
[   86.396453][ T5346] 
[   86.399589][ T5346]        CPU0                    CPU1
[   86.402026][ T5346]        ----                    ----
[   86.404338][ T5346]   lock(&conn->lock#2);
[   86.406176][ T5346]                                lock((work_completion)(&(&conn->info_timer)->work));
[   86.410086][ T5346]                                lock(&conn->lock#2);
[   86.412933][ T5346]   lock((work_completion)(&(&conn->info_timer)->work));
[   86.415888][ T5346] 
[   86.415888][ T5346]  *** DEADLOCK ***
[   86.415888][ T5346] 
[   86.419129][ T5346] 5 locks held by syz.0.0/5346:
[   86.421290][ T5346]  #0: ffff888045230ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x200
[   86.425498][ T5346]  #1: ffff8880452300c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0xff0
[   86.429761][ T5346]  #2: ffffffff8f46a3c8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x230
[   86.433929][ T5346]  #3: ffff888045227338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[   86.438325][ T5346]  #4: ffffffff8df41cc0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0
[   86.446987][ T5346] 
[   86.446987][ T5346] stack backtrace:
[   86.449494][ T5346] CPU: 0 UID: 0 PID: 5346 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   86.449509][ T5346] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   86.449517][ T5346] Call Trace:
[   86.449524][ T5346]  <TASK>
[   86.449542][ T5346]  dump_stack_lvl+0x189/0x250
[   86.449563][ T5346]  ? __pfx_dump_stack_lvl+0x10/0x10
[   86.449577][ T5346]  ? __pfx__printk+0x10/0x10
[   86.449596][ T5346]  ? print_lock_name+0xde/0x100
[   86.449615][ T5346]  print_circular_bug+0x2e2/0x300
[   86.449631][ T5346]  check_noncircular+0x12e/0x150
[   86.449645][ T5346]  __lock_acquire+0x15a6/0x2cf0
[   86.449658][ T5346]  ? do_raw_spin_unlock+0x4d/0x240
[   86.449673][ T5346]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   86.449688][ T5346]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   86.449706][ T5346]  ? __flush_work+0xd2/0xbc0
[   86.449720][ T5346]  lock_acquire+0x117/0x340
[   86.449732][ T5346]  ? __flush_work+0xd2/0xbc0
[   86.449744][ T5346]  ? _raw_spin_unlock_irq+0x23/0x50
[   86.449757][ T5346]  ? __flush_work+0xd2/0xbc0
[   86.449768][ T5346]  __flush_work+0x6b8/0xbc0
[   86.449780][ T5346]  ? __flush_work+0xd2/0xbc0
[   86.449792][ T5346]  ? __flush_work+0xd2/0xbc0
[   86.449805][ T5346]  ? __pfx___flush_work+0x10/0x10
[   86.449817][ T5346]  ? __pfx_wq_barrier_func+0x10/0x10
[   86.449827][ T5346]  ? __pfx___cancel_work+0x10/0x10
[   86.449835][ T5346]  ? l2cap_conn_del+0x3de/0x680
[   86.449844][ T5346]  ? __cancel_work_sync+0x5c/0x110
[   86.449853][ T5346]  __cancel_work_sync+0xbe/0x110
[   86.449862][ T5346]  l2cap_conn_del+0x4f3/0x680
[   86.449875][ T5346]  ? __pfx_l2cap_disconn_cfm+0x10/0x10
[   86.449888][ T5346]  hci_conn_hash_flush+0x10d/0x230
[   86.449903][ T5346]  hci_dev_close_sync+0x821/0xff0
[   86.449918][ T5346]  ? __pfx_hci_dev_close_sync+0x10/0x10
[   86.449932][ T5346]  ? __cancel_work_sync+0x5c/0x110
[   86.449944][ T5346]  hci_dev_close+0x108/0x200
[   86.449957][ T5346]  sock_do_ioctl+0xdc/0x300
[   86.449970][ T5346]  ? __pfx_sock_do_ioctl+0x10/0x10
[   86.449983][ T5346]  ? count_memcg_event_mm+0x21/0x260
[   86.449998][ T5346]  sock_ioctl+0x576/0x790
[   86.450010][ T5346]  ? __pfx_sock_ioctl+0x10/0x10
[   86.450024][ T5346]  ? __fget_files+0x3a0/0x420
[   86.450039][ T5346]  ? __fget_files+0x2a/0x420
[   86.450054][ T5346]  ? bpf_lsm_file_ioctl+0x9/0x20
[   86.450070][ T5346]  ? __pfx_sock_ioctl+0x10/0x10
[   86.450081][ T5346]  __se_sys_ioctl+0xfc/0x170
[   86.450094][ T5346]  do_syscall_64+0xfa/0xf80
[   86.450108][ T5346]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.450115][ T5346]  ? clear_bhb_loop+0x60/0xb0
[   86.450125][ T5346]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.450136][ T5346] RIP: 0033:0x7f5d63d8f7c9
[   86.450167][ T5346] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   86.450179][ T5346] RSP: 002b:00007f5d64caa038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   86.450194][ T5346] RAX: ffffffffffffffda RBX: 00007f5d63fe6180 RCX: 00007f5d63d8f7c9
[   86.450203][ T5346] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000007
[   86.450210][ T5346] RBP: 00007f5d63e13f91 R08: 0000000000000000 R09: 0000000000000000
[   86.450216][ T5346] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   86.450221][ T5346] R13: 00007f5d63fe6218 R14: 00007f5d63fe6180 R15: 00007ffc57be4b98
[   86.450230][ T5346]  </TASK>
[   86.595770][   T46] Bluetooth: hci0: command tx timeout
[   86.705520][   T10] cfg80211: failed to load regulatory.db
[   88.618954][   T46] Bluetooth: hci0: command tx timeout
[   90.699068][   T46] Bluetooth: hci0: command tx timeout