program:
r0 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000040), 0xffffffffffffffff)
r1 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$IPVS_CMD_NEW_SERVICE(r1, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000080)={0x50, r0, 0x1, 0x0, 0x0, {}, [@IPVS_CMD_ATTR_SERVICE={0x3c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_AF={0x6, 0x1, 0xa}, @IPVS_SVC_ATTR_FWMARK={0x8}, @IPVS_SVC_ATTR_FLAGS={0xc}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x64}, @IPVS_SVC_ATTR_SCHED_NAME={0x9, 0x6, 'none\x00'}, @IPVS_SVC_ATTR_TIMEOUT={0x8}]}]}, 0x50}}, 0x0)
setsockopt$netlink_NETLINK_TX_RING(0xffffffffffffffff, 0x10e, 0xc, 0x0, 0x0)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r3 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r3, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe)
r4 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6)
ioctl$sock_bt_hidp_HIDPCONNADD(r4, 0x400448c8, &(0x7f0000000280)={r3, r3, 0xc, 0x1, &(0x7f0000000340)='\x00', 0x9, 0x1, 0x457, 0x9, 0x9, 0x1, 0x1, 'syz1\x00'})
ioctl$sock_bt_hci(r2, 0x400448ca, 0x0)

[ 85.730565][ T5308] Bluetooth: hci0: command tx timeout
[ 85.764218][ T9] IPVS: starting estimator thread 0...
[ 85.807925][ T9] hid-multitouch 0005:0457:0009.0002: unknown main item tag 0x0
[ 85.823611][ T9] hid-multitouch 0005:0457:0009.0002: hidraw1: BLUETOOTH HID v0.09 Device [syz1] on aa:aa:aa:aa:aa:aa
[ 85.850512][ T5336] IPVS: using max 56 ests per chain, 134400 per kthread
[ 85.856735][ T5334]
[ 85.857776][ T5334] ======================================================
[ 85.860951][ T5334] WARNING: possible circular locking dependency detected
[ 85.863875][ T5334] 6.16.0-rc2-syzkaller-00278-g3f75bfff44be #0 Not tainted
[ 85.867000][ T5334] ------------------------------------------------------
[ 85.870086][ T5334] syz.0.0/5334 is trying to acquire lock:
[ 85.872587][ T5334] ffff888043fd8840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0
[ 85.877911][ T5334]
[ 85.877911][ T5334] but task is already holding lock:
[ 85.881153][ T5334] ffff888043fd8b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[ 85.884920][ T5334]
[ 85.884920][ T5334] which lock already depends on the new lock.
[ 85.884920][ T5334]
[ 85.889168][ T5334]
[ 85.889168][ T5334] the existing dependency chain (in reverse order) is:
[ 85.893218][ T5334]
[ 85.893218][ T5334] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[ 85.896708][ T5334]        lock_acquire+0x120/0x360
[ 85.899213][ T5334]        __mutex_lock+0x182/0xe80
[ 85.901579][ T5334]        l2cap_info_timeout+0x60/0xa0
[ 85.903908][ T5334]        process_scheduled_works+0xae1/0x17b0
[ 85.906555][ T5334]        worker_thread+0x8a0/0xda0
[ 85.908766][ T5334]        kthread+0x70e/0x8a0
[ 85.910820][ T5334]        ret_from_fork+0x3f9/0x770
[ 85.913149][ T5334]        ret_from_fork_asm+0x1a/0x30
[ 85.915869][ T5334]
[ 85.915869][ T5334] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 85.921083][ T5334]        validate_chain+0xb9b/0x2140
[ 85.923289][ T5334]        __lock_acquire+0xab9/0xd20
[ 85.925483][ T5334]        lock_acquire+0x120/0x360
[ 85.927595][ T5334]        __flush_work+0x6b8/0xbc0
[ 85.929808][ T5334]        __cancel_work_sync+0xbe/0x110
[ 85.932179][ T5334]        l2cap_conn_del+0x4f0/0x680
[ 85.934441][ T5334]        hci_conn_hash_flush+0x10d/0x230
[ 85.936792][ T5334]        hci_dev_close_sync+0xaef/0x1330
[ 85.938829][ T5334]        hci_dev_close+0x106/0x200
[ 85.940947][ T5334]        sock_do_ioctl+0xd9/0x300
[ 85.943081][ T5334]        sock_ioctl+0x576/0x790
[ 85.945091][ T5334]        __se_sys_ioctl+0xfc/0x170
[ 85.947213][ T5334]        do_syscall_64+0xfa/0x3b0
[ 85.949210][ T5334]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.951968][ T5334]
[ 85.951968][ T5334] other info that might help us debug this:
[ 85.951968][ T5334]
[ 85.956455][ T5334]  Possible unsafe locking scenario:
[ 85.956455][ T5334]
[ 85.959640][ T5334]        CPU0                    CPU1
[ 85.961664][ T5334]        ----                    ----
[ 85.963736][ T5334]   lock(&conn->lock#2);
[ 85.965235][ T5334]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 85.968810][ T5334]                                lock(&conn->lock#2);
[ 85.971233][ T5334]   lock((work_completion)(&(&conn->info_timer)->work));
[ 85.974092][ T5334]
[ 85.974092][ T5334]  *** DEADLOCK ***
[ 85.974092][ T5334]
[ 85.977551][ T5334] 5 locks held by syz.0.0/5334:
[ 85.979605][ T5334]  #0: ffff88803650cd80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0xfe/0x200
[ 85.983499][ T5334]  #1: ffff88803650c078 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x66a/0x1330
[ 85.987398][ T5334]  #2: ffffffff8f678068 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x230
[ 85.991374][ T5334]  #3: ffff888043fd8b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[ 85.994908][ T5334]  #4: ffffffff8e13eda0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0
[ 85.998724][ T5334]
[ 85.998724][ T5334] stack backtrace:
[ 86.001383][ T5334] CPU: 0 UID: 0 PID: 5334 Comm: syz.0.0 Not tainted 6.16.0-rc2-syzkaller-00278-g3f75bfff44be #0 PREEMPT(full)
[ 86.001398][ T5334] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 86.001406][ T5334] Call Trace:
[ 86.001414][ T5334]
[ 86.001419][ T5334]  dump_stack_lvl+0x189/0x250
[ 86.001440][ T5334]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 86.001456][ T5334]  ? __pfx__printk+0x10/0x10
[ 86.001470][ T5334]  ? print_lock_name+0xde/0x100
[ 86.001480][ T5334]  print_circular_bug+0x2ee/0x310
[ 86.001493][ T5334]  check_noncircular+0x134/0x160
[ 86.001505][ T5334]  validate_chain+0xb9b/0x2140
[ 86.001514][ T5334]  ? do_raw_spin_lock+0x121/0x290
[ 86.001527][ T5334]  ? look_up_lock_class+0x74/0x170
[ 86.001542][ T5334]  ? register_lock_class+0x51/0x320
[ 86.001556][ T5334]  __lock_acquire+0xab9/0xd20
[ 86.001572][ T5334]  ? __flush_work+0xd2/0xbc0
[ 86.001581][ T5334]  lock_acquire+0x120/0x360
[ 86.001595][ T5334]  ? __flush_work+0xd2/0xbc0
[ 86.001606][ T5334]  ? _raw_spin_unlock_irq+0x23/0x50
[ 86.001620][ T5334]  ? __flush_work+0xd2/0xbc0
[ 86.001629][ T5334]  __flush_work+0x6b8/0xbc0
[ 86.001646][ T5334]  ? __flush_work+0xd2/0xbc0
[ 86.001656][ T5334]  ? __flush_work+0xd2/0xbc0
[ 86.001667][ T5334]  ? __pfx___flush_work+0x10/0x10
[ 86.001678][ T5334]  ? __pfx_wq_barrier_func+0x10/0x10
[ 86.001696][ T5334]  ? __pfx___cancel_work+0x10/0x10
[ 86.001707][ T5334]  ? hci_conn_drop+0x14d/0x280
[ 86.001721][ T5334]  __cancel_work_sync+0xbe/0x110
[ 86.001732][ T5334]  l2cap_conn_del+0x4f0/0x680
[ 86.001745][ T5334]  ? __pfx_l2cap_disconn_cfm+0x10/0x10
[ 86.001755][ T5334]  hci_conn_hash_flush+0x10d/0x230
[ 86.001778][ T5334]  hci_dev_close_sync+0xaef/0x1330
[ 86.001793][ T5334]  ? __pfx_hci_dev_close_sync+0x10/0x10
[ 86.001807][ T5334]  hci_dev_close+0x106/0x200
[ 86.001820][ T5334]  sock_do_ioctl+0xd9/0x300
[ 86.001835][ T5334]  ? __pfx_sock_do_ioctl+0x10/0x10
[ 86.001850][ T5334]  ? __lock_acquire+0xab9/0xd20
[ 86.001867][ T5334]  sock_ioctl+0x576/0x790
[ 86.001880][ T5334]  ? __pfx_sock_ioctl+0x10/0x10
[ 86.001894][ T5334]  ? __fget_files+0x2a/0x420
[ 86.001904][ T5334]  ? __fget_files+0x3a0/0x420
[ 86.001915][ T5334]  ? __fget_files+0x2a/0x420
[ 86.001928][ T5334]  ? bpf_lsm_file_ioctl+0x9/0x20
[ 86.001943][ T5334]  ? __pfx_sock_ioctl+0x10/0x10
[ 86.001955][ T5334]  __se_sys_ioctl+0xfc/0x170
[ 86.001971][ T5334]  do_syscall_64+0xfa/0x3b0
[ 86.001981][ T5334]  ? lockdep_hardirqs_on+0x9c/0x150
[ 86.001995][ T5334]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.002005][ T5334]  ? clear_bhb_loop+0x60/0xb0
[ 86.002016][ T5334]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.002027][ T5334] RIP: 0033:0x7f9845f8e929
[ 86.002038][ T5334] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 86.002048][ T5334] RSP: 002b:00007f9846e28038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 86.002059][ T5334] RAX: ffffffffffffffda RBX: 00007f98461b5fa0 RCX: 00007f9845f8e929
[ 86.002067][ T5334] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000005
[ 86.002074][ T5334] RBP: 00007f9846010b39 R08: 0000000000000000 R09: 0000000000000000
[ 86.002082][ T5334] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 86.002088][ T5334] R13: 0000000000000000 R14: 00007f98461b5fa0 R15: 00007ffce889dc18
[ 86.002099][ T5334]
[ 86.169387][ T5338] fido_id[5338]: Failed to open report descriptor at '/sys/devices/virtual/bluetooth/hci0/hci0:200/report_descriptor': No such file or directory
[ 86.724451][ T54] cfg80211: failed to load regulatory.db
[ 87.760513][ T4674] Bluetooth: hci0: command tx timeout
[ 89.841133][ T4674] Bluetooth: hci0: command tx timeout
[ 91.920574][ T4674] Bluetooth: hci0: command tx timeout