program:
bpf$PROG_LOAD(0x5, 0x0, 0x0) (async)
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[@ANYBLOB="180000000004000000000000000000008500000050000000850000005000000095"], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x78)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f0000000080)='ext4_ext_remove_space_done\x00', r0}, 0x10) (async)
r1 = socket$nl_generic(0x10, 0x3, 0x10) (async)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r2, 0x400448ca, 0x0) (async, rerun: 32)
syz_mount_image$hfs(&(0x7f0000000040), &(0x7f0000000100)='\x13\x13w\xc5\xfc5\xd4\x14T\xd5\xd4\x1d)\xad\x1a`)Y\x81F\xe6\xbe\x16nA\xad\r\xbd@T\x03<\x9f3\xbb\xda\x82$\xa2\xf3\xd7r\xe7cnH\xb3<\xbfp\x83r\xe8\xf1\xb9\x93>\xc5\x12wC\xbe\"\x06 \x9e\xf0-\xf9\xcb\xf2\xf6\xe8\x80\xd38/\x00', 0x30000c0, &(0x7f0000002d00)={[{}, {@creator={'creator', 0x3d, "d4675f16"}}, {}, {}, {@iocharset={'iocharset', 0x3d, 'cp857'}}]}, 0x11, 0x2b6, &(0x7f0000000200)="$eJzs3U9rE0EYx/HfbNI22lK3tiJ4rBb0Ilov4iUieRGeRG0iFENFrfjnVMWTiN69+xZ8EV4U34CePPkC6mllZifZJLvZTUOTber3Aw2b7D47z2T/zDyBsgLw37rV+Pn52m/7Z6SKKtK7G1IgqSZVJZ3R2dqznd3t3Xarmbejiouwf0ZxpElts7XTygq1cS7CC+27qpZ6P8NkRFF081fZSaB07urPEEgL/up062tTzyzf6zHj9g45j1lj9rWvF1ouOw8AQLn8+B/4cX7Jz9+DQNrww/6RHP/HtV92AhMX5a7tGf9dlRUZe3xPuVVJvedKOLs+6FSJo7Q8N/B+XvGZ1TfBNEVVpcslOPFgu926vPWo3Qz0RnWvZ7M199qMT92OgmzXM2rTHCP03WTPKBddH+ZsHzbj/J9L6st/dcwWx2a+mu/mjgn1Sc3u/K8aGXuY3JEKB45UnP+V4Xt0vQztVvK3jXq9HvRtsuIaOedb8Ap6WcuuSNQ5o1bU/wNBWJSnizo9EBX37mpB1Gpm1Gbn3ZCotb4o25vu2Ty8vUkzH8xts64/+qJGz/w/sPltKPfKTK4asxEPBe4bj/szn91c1e0zTI0c6cul+y0uDEv9b/49DQfwXvd1XctPX756WGm3W0/swr2MhcdL3U/m3kqZ25S8oL3kkwVFTmrjzqA0zcQuHeoO7f2jcGN7lR2Jg3KsFxrfpnsilbFQ8v0JU5Ec9LIzQUnsvMvE9V9Sr1TjyZ59CTPn6SP+EOD3GNk5dreCS2KjeEYu6eSBKrjF4RVcuuZK1Yyu5jp/Uboweouhz/OYMA390F1+/wcAAAAAAAAAAAAAAAAAAJg10/h3grL7CAAAAAAAAAAAAAAAAAAAAADArOs+/1ed5/9qtOf/Dj6K5TCf//txRzz/F5i8fwEAAP//FZd8vg==") (async, rerun: 32)
r3 = open_tree(0xffffffffffffff9c, &(0x7f0000000640)='\x00', 0x89901)
r4 = openat$cgroup_ro(r3, &(0x7f0000000000)='memory.events\x00', 0x275a, 0x0) (async)
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = socket$unix(0x1, 0x2, 0x0) (async, rerun: 64)
r7 = syz_genetlink_get_family_id$nl80211(&(0x7f00000000c0), 0xffffffffffffffff) (async, rerun: 64)
r8 = socket$kcm(0x10, 0x3, 0x0)
sendmsg$kcm(r8, &(0x7f0000000600)={0x0, 0xc, &(0x7f0000000000)=[{&(0x7f0000000080)="2e00000010008188e6b62aa73772cc9f1ba1f848480000005e140602000000000e000a000f000000028000001294", 0x2e}], 0x1}, 0x0)
syz_80211_join_ibss(&(0x7f0000000100)='wlan1\x00', &(0x7f0000000180)=@default_ibss_ssid, 0x6, 0x2)
ioctl$sock_SIOCGIFINDEX_80211(r6, 0x8933, &(0x7f0000000140)={'wlan1\x00', <r9=>0x0})
sendmsg$NL80211_CMD_NEW_INTERFACE(r5, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000340)={0x50, r7, 0x1, 0x70bd28, 0x25dfdbfd, {{}, {@void, @val={0x8, 0x3, r9}, @val={0xc, 0x99, {0x7ff, 0x78}}}}, [@NL80211_ATTR_IFNAME={0x14, 0x4, 'syzkaller0\x00'}, @NL80211_ATTR_IFTYPE={0x8, 0x5, 0x7}, @NL80211_ATTR_MESH_ID={0xa}]}, 0x50}, 0x1, 0x0, 0x0, 0x91}, 0x24044884) (async)
r10 = openat$tun(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0)
close(r10)
socket$nl_netfilter(0x10, 0x3, 0xc) (async)
ioctl$SIOCSIFHWADDR(r10, 0x8914, &(0x7f0000002280)={'syzkaller0\x00', @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x1}}) (async, rerun: 32)
r11 = openat$rfkill(0xffffffffffffff9c, &(0x7f0000000040), 0x801, 0x0) (rerun: 32)
write$rfkill(r11, &(0x7f0000000080)={0x0, 0x0, 0x3, 0x1}, 0x8) (async)
sendmsg$nl_generic(r1, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000001c0)={0x14, 0x36, 0x107, 0xfffffffc, 0x810000, {0x1, 0x7c}}, 0x14}, 0x1, 0x0, 0x0, 0x4048011}, 0xc000) (async)
syz_emit_ethernet(0x66, &(0x7f0000000080)={@multicast, @empty, @void, {@ipv6={0x86dd, @icmpv6={0x3, 0x6, "269fe0", 0x30, 0x3a, 0xff, @empty, @ipv4={'\x00', '\xff\xff', @private=0xa010101}, {[], @pkt_toobig={0x2, 0x0, 0x0, 0x5, {0x4, 0x6, "020600", 0x8, 0x0, 0x0, @loopback, @empty}}}}}}}, 0x0) (async)
syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000000)=ANY=[@ANYBLOB="1201000000000020ac050f02220001828301090224000101000000090400000203010200092100050001220000090581"], 0x0) (async, rerun: 32)
r12 = syz_open_dev$usbfs(&(0x7f0000000180), 0x10000001d, 0x8041) (rerun: 32)
ioctl$USBDEVFS_IOCTL(r12, 0xc0105512, &(0x7f0000000200)=@usbdevfs_connect) (async)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x5, &(0x7f00000002c0)=ANY=[], &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x78) (async, rerun: 64)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000000c0)={&(0x7f00000004c0)='ext4_ext_remove_space_done\x00', r4}, 0x18) (rerun: 64)

[  101.463962][ T4669] Bluetooth: hci0: command tx timeout
[  101.569965][ T5329] 
[  101.571428][ T5329] ======================================================
[  101.575157][ T5329] WARNING: possible circular locking dependency detected
[  101.579169][ T5329] syzkaller #0 Not tainted
[  101.581424][ T5329] ------------------------------------------------------
[  101.585114][ T5329] syz.0.0/5329 is trying to acquire lock:
[  101.587675][ T5329] ffff888041758040 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0x100/0xc50
[  101.593660][ T5329] 
[  101.593660][ T5329] but task is already holding lock:
[  101.597412][ T5329] ffff8880417582f8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5c0
[  101.601384][ T5329] 
[  101.601384][ T5329] which lock already depends on the new lock.
[  101.601384][ T5329] 
[  101.606257][ T5329] 
[  101.606257][ T5329] the existing dependency chain (in reverse order) is:
[  101.610592][ T5329] 
[  101.610592][ T5329] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[  101.613956][ T5329]        __mutex_lock+0x19f/0x1300
[  101.616385][ T5329]        l2cap_info_timeout+0x60/0xa0
[  101.619373][ T5329]        process_scheduled_works+0xb6e/0x18c0
[  101.622612][ T5329]        worker_thread+0xa53/0xfc0
[  101.625067][ T5329]        kthread+0x388/0x470
[  101.627201][ T5329]        ret_from_fork+0x51e/0xb90
[  101.629614][ T5329]        ret_from_fork_asm+0x1a/0x30
[  101.632366][ T5329] 
[  101.632366][ T5329] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[  101.637716][ T5329]        __lock_acquire+0x15a5/0x2cf0
[  101.640273][ T5329]        lock_acquire+0xf0/0x2e0
[  101.642634][ T5329]        __flush_work+0x700/0xc50
[  101.645290][ T5329]        __cancel_work_sync+0xbe/0x110
[  101.648448][ T5329]        l2cap_conn_del+0x40f/0x5c0
[  101.650778][ T5329]        hci_conn_hash_flush+0x10d/0x260
[  101.653377][ T5329]        hci_dev_close_sync+0x821/0x10e0
[  101.656073][ T5329]        hci_dev_close+0x108/0x260
[  101.658724][ T5329]        sock_do_ioctl+0x101/0x320
[  101.661432][ T5329]        sock_ioctl+0x5c6/0x7f0
[  101.663989][ T5329]        __se_sys_ioctl+0xfc/0x170
[  101.666496][ T5329]        do_syscall_64+0x14d/0xf80
[  101.669016][ T5329]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  101.672484][ T5329] 
[  101.672484][ T5329] other info that might help us debug this:
[  101.672484][ T5329] 
[  101.677190][ T5329]  Possible unsafe locking scenario:
[  101.677190][ T5329] 
[  101.680316][ T5329]        CPU0                    CPU1
[  101.682470][ T5329]        ----                    ----
[  101.685036][ T5329]   lock(&conn->lock#2);
[  101.687128][ T5329]                                lock((work_completion)(&(&conn->info_timer)->work));
[  101.691254][ T5329]                                lock(&conn->lock#2);
[  101.694439][ T5329]   lock((work_completion)(&(&conn->info_timer)->work));
[  101.698031][ T5329] 
[  101.698031][ T5329]  *** DEADLOCK ***
[  101.698031][ T5329] 
[  101.701853][ T5329] 5 locks held by syz.0.0/5329:
[  101.704165][ T5329]  #0: ffff888040cccec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x260
[  101.709138][ T5329]  #1: ffff888040ccc0c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0x10e0
[  101.713403][ T5329]  #2: ffffffff8fd5c868 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x260
[  101.718211][ T5329]  #3: ffff8880417582f8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5c0
[  101.722966][ T5329]  #4: ffffffff8e75e520 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x100/0xc50
[  101.727106][ T5329] 
[  101.727106][ T5329] stack backtrace:
[  101.729765][ T5329] CPU: 0 UID: 0 PID: 5329 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[  101.729786][ T5329] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  101.729794][ T5329] Call Trace:
[  101.729803][ T5329]  <TASK>
[  101.729809][ T5329]  dump_stack_lvl+0xe8/0x150
[  101.729839][ T5329]  print_circular_bug+0x2e1/0x300
[  101.729858][ T5329]  check_noncircular+0x12e/0x150
[  101.729876][ T5329]  __lock_acquire+0x15a5/0x2cf0
[  101.729892][ T5329]  ? do_raw_spin_lock+0x12b/0x2f0
[  101.729906][ T5329]  ? do_raw_spin_unlock+0x4d/0x210
[  101.729919][ T5329]  lock_acquire+0xf0/0x2e0
[  101.729933][ T5329]  ? __flush_work+0x100/0xc50
[  101.729952][ T5329]  ? __flush_work+0x100/0xc50
[  101.729968][ T5329]  __flush_work+0x700/0xc50
[  101.729983][ T5329]  ? __flush_work+0x100/0xc50
[  101.729998][ T5329]  ? __flush_work+0x100/0xc50
[  101.730014][ T5329]  ? __pfx___flush_work+0x10/0x10
[  101.730030][ T5329]  ? __pfx_wq_barrier_func+0x10/0x10
[  101.730049][ T5329]  ? __cancel_work_sync+0x5c/0x110
[  101.730066][ T5329]  __cancel_work_sync+0xbe/0x110
[  101.730082][ T5329]  l2cap_conn_del+0x40f/0x5c0
[  101.730100][ T5329]  ? __pfx_l2cap_disconn_cfm+0x10/0x10
[  101.730116][ T5329]  hci_conn_hash_flush+0x10d/0x260
[  101.730135][ T5329]  hci_dev_close_sync+0x821/0x10e0
[  101.730152][ T5329]  ? __pfx_hci_dev_close_sync+0x10/0x10
[  101.730165][ T5329]  ? lockdep_hardirqs_on+0x7a/0x110
[  101.730176][ T5329]  ? enable_work+0x1fd/0x230
[  101.730193][ T5329]  hci_dev_close+0x108/0x260
[  101.730210][ T5329]  sock_do_ioctl+0x101/0x320
[  101.730225][ T5329]  ? __pfx_sock_do_ioctl+0x10/0x10
[  101.730237][ T5329]  ? do_futex+0x333/0x420
[  101.730256][ T5329]  sock_ioctl+0x5c6/0x7f0
[  101.730269][ T5329]  ? __pfx_sock_ioctl+0x10/0x10
[  101.730282][ T5329]  ? __fget_files+0x2a/0x420
[  101.730298][ T5329]  ? __fget_files+0x3a0/0x420
[  101.730312][ T5329]  ? __fget_files+0x2a/0x420
[  101.730325][ T5329]  ? bpf_lsm_file_ioctl+0x9/0x20
[  101.730339][ T5329]  ? __pfx_sock_ioctl+0x10/0x10
[  101.730352][ T5329]  __se_sys_ioctl+0xfc/0x170
[  101.730365][ T5329]  do_syscall_64+0x14d/0xf80
[  101.730378][ T5329]  ? trace_irq_disable+0x3b/0x150
[  101.730395][ T5329]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  101.730405][ T5329]  ? clear_bhb_loop+0x40/0x90
[  101.730413][ T5329]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  101.730422][ T5329] RIP: 0033:0x7f77ced9c799
[  101.730434][ T5329] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[  101.730443][ T5329] RSP: 002b:00007f77cfb9dfe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  101.730457][ T5329] RAX: ffffffffffffffda RBX: 00007f77cf016090 RCX: 00007f77ced9c799
[  101.730465][ T5329] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000006
[  101.730472][ T5329] RBP: 00007f77cee32c99 R08: 0000000000000000 R09: 0000000000000000
[  101.730479][ T5329] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[  101.730486][ T5329] R13: 00007f77cf016128 R14: 00007f77cf016090 R15: 00007ffff1d77058
[  101.730497][ T5329]  </TASK>
[  103.485339][ T4669] Bluetooth: hci0: command tx timeout
[  105.565901][ T4669] Bluetooth: hci0: command tx timeout
[  107.645026][ T4669] Bluetooth: hci0: command tx timeout