program:
# Fuzzer-generated syzkaller program attached to the lockdep report below.
# Only one call here matches the reported stack: the log's register dump
# shows RSI=0x400448ca, RDX=0 and the chain sock_ioctl -> hci_dev_close,
# which lines up with ioctl$sock_bt_hci(r7, 0x400448ca, 0x0).
# Lock order reported by lockdep:
#   l2cap_conn_del() holds conn->lock and, via __cancel_work_sync(), waits
#   for the conn->info_timer work item;
#   l2cap_info_timeout() (that work item's handler) takes conn->lock.
# This is a "possible circular locking dependency" warning, not an observed
# hang.
# NOTE(review): the usual remedy for this pattern is to avoid waiting on a
# work item while holding the mutex its handler takes; check the upstream
# Bluetooth tree for the actual fix before triaging as open.
# The V4L2, PPP/PPTP, BPF, XDP and L2TP calls do not appear in either
# dependency chain in the log; presumably fuzzer noise. Confirm by
# minimizing the program.

# Generic netlink socket (0x10 = AF_NETLINK) and genetlink family lookup for l2tp.
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$l2tp(&(0x7f0000000000), r0)

# V4L2 device opens and ioctls.
r2 = syz_open_dev$vbi(&(0x7f0000000000), 0x0, 0x2)
ioctl$VIDIOC_S_INPUT(r2, 0xc0045627, &(0x7f0000000100)=0x2)
r3 = syz_open_dev$video(&(0x7f0000000000), 0x7, 0x40)
ioctl$VIDIOC_ENUM_FRAMEINTERVALS(r3, 0xc034564b, &(0x7f00000000c0)={0x100, 0x30314247, 0x5, 0x2b7f, 0x4, @stepwise={{0x1, 0x5}, {0x1, 0x4c7}, {0xa9}}})

# PPTP socket and a PPP ioctl on it.
r4 = socket$pptp(0x18, 0x1, 0x2)
ioctl$PPPIOCGMRU(r4, 0x80047453, &(0x7f0000000180))

# Bluetooth L2CAP socket (0x1f = AF_BLUETOOTH) and a connect on it.
# presumably this is what creates the l2cap_conn that l2cap_conn_del()
# later tears down in the trace; the log does not show this directly.
r5 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r5, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0xfffd}, 0xe)
r6 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6)

# The next two calls pass 0xffffffffffffffff (-1) as the fd, not a
# descriptor opened above.
ioctl$sock_inet_SIOCSIFBRDADDR(0xffffffffffffffff, 0x891a, &(0x7f0000000380)={'dummy0\x00', {0x2, 0x4e22, @broadcast}})
bind$l2tp(0xffffffffffffffff, &(0x7f00000002c0)={0x2, 0x0, @remote}, 0x10)

# HIDP connection add, handing the HIDP socket (r6) and the L2CAP socket (r5) to the kernel.
ioctl$sock_bt_hidp_HIDPCONNADD(r6, 0x400448c8, &(0x7f0000000580)={r6, r5, 0x8, 0x0, 0x0, 0x82, 0x28, 0x1dc2, 0x5886, 0x6, 0x0, 0x8, 'syz1\x00'})

# HCI socket, then the ioctl that matches the trace. 0x400448ca decodes as
# _IOW('H', 202, int), i.e. HCIDEVDOWN; the argument 0x0 is the device
# index (the log mentions hci0). The trace runs hci_dev_close ->
# hci_dev_close_sync -> hci_conn_hash_flush -> l2cap_conn_del.
r7 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r7, 0x400448ca, 0x0)

# Remaining calls come after the HCI ioctl and are not in the reported stack.
# Here r8 is a plain socket() that then receives a netlink setsockopt and a
# PPTP connect, so the call variants do not match the socket's family.
r8 = socket(0x29, 0xa, 0x0)
setsockopt$netlink_NETLINK_TX_RING(r8, 0x10e, 0xc, &(0x7f0000000040)={0x8607, 0x8, 0x2, 0xfffffffd}, 0x10)
r9 = socket$pptp(0x18, 0x1, 0x2)
bind$pptp(r9, &(0x7f0000000000)={0x18, 0x2, {0x0, @dev={0xac, 0x14, 0x14, 0x2c}}}, 0x1e)
connect$pptp(r8, &(0x7f0000000040)={0x18, 0x2, {0x0, @rand_addr=0x64010100}}, 0x1e)
bpf$PROG_LOAD(0x5, &(0x7f0000000180)={0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x38}, 0x94)

# PPP device open; the ioctl variant name (EVIOCGPROP) does not match the
# device type, and the iovec lengths are far larger than the literal
# buffers shown.
r10 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000040), 0x1a01, 0x0)
ioctl$EVIOCGPROP(r10, 0x40047438, &(0x7f0000000180)=""/246)
writev(r10, &(0x7f0000000300)=[{&(0x7f0000000280)="c021", 0xffffffffffffffe0}, {&(0x7f0000000480)="443debe588eee13e168a7a2167648f93d69729875dc3c876250aa55d42195dd30d6e2c42de782844f905a3925f67dc13962306f820e65dbebfe7c7c6d78d2e87959ca8f4a00dc1c6a15a880c5da5ca3bcf293c1791deef1daf86bdb48c591d1fb766cd5091ffa30042cf8608f955c6dd10b38aa3382a0826e5011d6cd86d3692d027c0a032ad8bd6b1b6153392b5ececd84fd33a216695568c", 0xff3a}], 0x1)
r11 = socket$xdp(0x2c, 0x3, 0x0)
getsockopt$XDP_MMAP_OFFSETS(r11, 0x11b, 0x1, &(0x7f0000000240), &(0x7f0000000080)=0x80)

# Netlink sends: the first uses fd -1, the second queries L2TP over r0
# using the family id resolved into r1.
sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000540)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)=ANY=[@ANYBLOB="280000001400010a27bd700061f88f3fb2e8331d310d000000000000000314000000201600000000"], 0x28}}, 0x4004000)
sendmsg$L2TP_CMD_TUNNEL_GET(r0, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000340)=ANY=[@ANYBLOB="14000000", @ANYRES16=r1, @ANYBLOB="a800000000060000000096453120af2acc4672031004000000"], 0x14}}, 0x0)
# Kernel console output follows (not part of the program).
[ 85.499941][ T5338] [ 85.502648][ T5338] ====================================================== [ 85.508635][ T5338] WARNING: possible circular locking dependency detected [ 85.512462][ T5338] syzkaller #0 Not tainted [ 85.515823][ T5338] ------------------------------------------------------ [ 85.520297][ T5338] syz.0.0/5338 is trying to acquire lock: [ 85.524436][ T5338] ffff88801a3d9040 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0 [ 85.535705][ T5338] [ 85.535705][ T5338] but task is already holding lock: [ 85.540685][ T5338] ffff88801a3d9338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0 [ 85.548883][ T5338] [ 85.548883][ T5338] which lock already depends on the new lock. 
[ 85.548883][ T5338] [ 85.559198][ T5338] [ 85.559198][ T5338] the existing dependency chain (in reverse order) is: [ 85.568563][ T5338] [ 85.568563][ T5338] -> #1 (&conn->lock#2){+.+.}-{4:4}: [ 85.578933][ T5338] __mutex_lock+0x187/0x1350 [ 85.583531][ T5338] l2cap_info_timeout+0x60/0xa0 [ 85.588643][ T5338] process_scheduled_works+0xad1/0x1770 [ 85.594523][ T5338] worker_thread+0x8a0/0xda0 [ 85.600485][ T5338] kthread+0x711/0x8a0 [ 85.603569][ T5338] ret_from_fork+0x599/0xb30 [ 85.606604][ T5338] ret_from_fork_asm+0x1a/0x30 [ 85.610233][ T5338] [ 85.610233][ T5338] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}: [ 85.621269][ T5338] __lock_acquire+0x15a6/0x2cf0 [ 85.625431][ T5338] lock_acquire+0x117/0x340 [ 85.630118][ T5338] __flush_work+0x6b8/0xbc0 [ 85.632850][ T5338] __cancel_work_sync+0xbe/0x110 [ 85.635111][ T5338] l2cap_conn_del+0x402/0x5b0 [ 85.639442][ T5338] hci_conn_hash_flush+0x10d/0x260 [ 85.641890][ T5338] hci_dev_close_sync+0x821/0x1100 [ 85.649699][ T5338] hci_dev_close+0x108/0x270 [ 85.652210][ T5338] sock_do_ioctl+0xdc/0x300 [ 85.654282][ T5338] sock_ioctl+0x576/0x790 [ 85.656292][ T5338] __se_sys_ioctl+0xfc/0x170 [ 85.658432][ T5338] do_syscall_64+0xfa/0xf80 [ 85.660535][ T5338] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.670130][ T5338] [ 85.670130][ T5338] other info that might help us debug this: [ 85.670130][ T5338] [ 85.684172][ T5338] Possible unsafe locking scenario: [ 85.684172][ T5338] [ 85.695551][ T5338] CPU0 CPU1 [ 85.698781][ T5338] ---- ---- [ 85.700970][ T5338] lock(&conn->lock#2); [ 85.702735][ T5338] lock((work_completion)(&(&conn->info_timer)->work)); [ 85.715561][ T5338] lock(&conn->lock#2); [ 85.722565][ T5338] lock((work_completion)(&(&conn->info_timer)->work)); [ 85.730608][ T5338] [ 85.730608][ T5338] *** DEADLOCK *** [ 85.730608][ T5338] [ 85.740698][ T5338] 5 locks held by syz.0.0/5338: [ 85.746647][ T5338] #0: ffff888041004ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x270 [ 
85.755828][ T5338] #1: ffff8880410040c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0x1100 [ 85.765098][ T5338] #2: ffffffff8f6858c8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x260 [ 85.777087][ T5338] #3: ffff88801a3d9338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0 [ 85.790782][ T5338] #4: ffffffff8e141a20 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0 [ 85.801564][ T5338] [ 85.801564][ T5338] stack backtrace: [ 85.823509][ T5338] CPU: 0 UID: 0 PID: 5338 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 85.823529][ T5338] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 85.823538][ T5338] Call Trace: [ 85.823546][ T5338] [ 85.823553][ T5338] dump_stack_lvl+0x189/0x250 [ 85.823574][ T5338] ? __pfx_dump_stack_lvl+0x10/0x10 [ 85.823589][ T5338] ? __pfx__printk+0x10/0x10 [ 85.823607][ T5338] ? print_lock_name+0xde/0x100 [ 85.823623][ T5338] print_circular_bug+0x2e2/0x300 [ 85.823640][ T5338] check_noncircular+0x12e/0x150 [ 85.823654][ T5338] __lock_acquire+0x15a6/0x2cf0 [ 85.823667][ T5338] ? do_raw_spin_unlock+0x4d/0x240 [ 85.823685][ T5338] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 85.823700][ T5338] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 85.823716][ T5338] ? __flush_work+0xd2/0xbc0 [ 85.823731][ T5338] lock_acquire+0x117/0x340 [ 85.823741][ T5338] ? __flush_work+0xd2/0xbc0 [ 85.823754][ T5338] ? _raw_spin_unlock_irq+0x23/0x50 [ 85.823770][ T5338] ? __flush_work+0xd2/0xbc0 [ 85.823782][ T5338] __flush_work+0x6b8/0xbc0 [ 85.823794][ T5338] ? __flush_work+0xd2/0xbc0 [ 85.823806][ T5338] ? __flush_work+0xd2/0xbc0 [ 85.823820][ T5338] ? __pfx___flush_work+0x10/0x10 [ 85.823832][ T5338] ? __pfx_wq_barrier_func+0x10/0x10 [ 85.823846][ T5338] ? __pfx___cancel_work+0x10/0x10 [ 85.823860][ T5338] ? hci_conn_drop+0x153/0x2b0 [ 85.823871][ T5338] ? 
__cancel_work_sync+0x5c/0x110 [ 85.823885][ T5338] __cancel_work_sync+0xbe/0x110 [ 85.823898][ T5338] l2cap_conn_del+0x402/0x5b0 [ 85.823917][ T5338] ? __pfx_l2cap_disconn_cfm+0x10/0x10 [ 85.823933][ T5338] hci_conn_hash_flush+0x10d/0x260 [ 85.823951][ T5338] hci_dev_close_sync+0x821/0x1100 [ 85.823968][ T5338] ? __pfx_hci_dev_close_sync+0x10/0x10 [ 85.823983][ T5338] ? __cancel_work_sync+0x5c/0x110 [ 85.823997][ T5338] hci_dev_close+0x108/0x270 [ 85.824012][ T5338] sock_do_ioctl+0xdc/0x300 [ 85.824027][ T5338] ? __pfx_sock_do_ioctl+0x10/0x10 [ 85.824040][ T5338] ? do_futex+0x333/0x420 [ 85.824066][ T5338] sock_ioctl+0x576/0x790 [ 85.824080][ T5338] ? __pfx_sock_ioctl+0x10/0x10 [ 85.824096][ T5338] ? __fget_files+0x3a0/0x420 [ 85.824109][ T5338] ? __fget_files+0x2a/0x420 [ 85.824121][ T5338] ? bpf_lsm_file_ioctl+0x9/0x20 [ 85.824131][ T5338] ? __pfx_sock_ioctl+0x10/0x10 [ 85.824145][ T5338] __se_sys_ioctl+0xfc/0x170 [ 85.824162][ T5338] do_syscall_64+0xfa/0xf80 [ 85.824177][ T5338] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.824189][ T5338] ? 
clear_bhb_loop+0x60/0xb0 [ 85.824202][ T5338] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.824215][ T5338] RIP: 0033:0x7f1cc0d8f7c9 [ 85.824228][ T5338] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 85.824238][ T5338] RSP: 002b:00007f1cc1ce5038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 85.824252][ T5338] RAX: ffffffffffffffda RBX: 00007f1cc0fe5fa0 RCX: 00007f1cc0d8f7c9 [ 85.824261][ T5338] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 000000000000000a [ 85.824269][ T5338] RBP: 00007f1cc0e13f91 R08: 0000000000000000 R09: 0000000000000000 [ 85.824276][ T5338] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 85.824283][ T5338] R13: 00007f1cc0fe6038 R14: 00007f1cc0fe5fa0 R15: 00007ffee1f9a948 [ 85.824296][ T5338] [ 86.179355][ T4678] Bluetooth: hci0: command tx timeout [ 88.215188][ T4678] Bluetooth: hci0: command tx timeout [ 90.296013][ T4678] Bluetooth: hci0: command tx timeout [ 91.825586][ T10] cfg80211: failed to load regulatory.db