program:
# Fuzzer-generated syzkaller reproducer attached to the lockdep report that follows it.
# The calls arrived collapsed onto a few long lines; they are laid out one per line here
# with every argument left exactly as given.
#
# NOTE(review): r4-r9, r11 and r12 are consumed by sendmsg$ETHTOOL_MSG_WOL_GET but are never
# assigned in the text as shown. syzkaller writes such outputs inline as `<rN=>` markers, and
# those appear to have been lost when the page was extracted - confirm against the original
# report before trying to replay this program.

# Creates the directory that mount$9p_virtio uses as its mount point at the end.
mkdir(&(0x7f0000000280)='./file0\x00', 0x0)
r0 = bpf$PROG_LOAD(0x5, &(0x7f00000023c0)={0x0, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32, @ANYBLOB="0000000000000000b70800000d0000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000000100000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback=0x23, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
r1 = bpf$MAP_CREATE(0x0, &(0x7f00000002c0)=ANY=[@ANYBLOB="0b00000005000100000000c90500000001000000c804dbec90ebcc95c8ea46928dced46ad443e69b664a97775110e51ccca0532c39a31d80857cdecb011c1fa8f93e40393aa3c452242b06b82780893d2b9c1952940c5054532a5a032d6bfe82c562c6ab44c8a59ca74631910af062be1669e1b0d26e3e89c5205b9fafe25968543ed3f6b252302eb2dfa291e378b01b30ed137e1acb41b53789918baca24e297b167c5a34409f3101e7e23ff0c99ddd595ccf96baacc70bcd223459e710531a3a1cba32e9f8b336e8c3043c6df1369fad7c21ce88d4cd9906576901e830b18335aacfe857d59703", @ANYRES32, @ANYBLOB='\x00'/20, @ANYRES32=0x0, @ANYRES32, @ANYBLOB='\x00'/28], 0x48)
r2 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000280)='blkio.bfq.io_serviced\x00', 0x26e1, 0x0)
# r2 is closed here yet still passed to ioctl$SIOCSIFHWADDR and sendmsg$ETHTOOL_MSG_WOL_GET
# below; those calls act on whatever descriptor, if any, holds that number by then.
close(r2)
ioctl$SIOCSIFHWADDR(r2, 0x8b18, &(0x7f0000000000)={'wlan1\x00', @random="010000000700"})
r3 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000040), 0xffffffffffffffff)
ioctl$sock_ipv4_tunnel_SIOCADDTUNNEL(0xffffffffffffffff, 0x89f1, &(0x7f0000000080)={'syztnl0\x00', &(0x7f0000000180)={'gre0\x00', 0x0, 0x40, 0x8000, 0x7, 0xfff, {{0x22, 0x4, 0x1, 0x0, 0x88, 0x64, 0x0, 0x9, 0x29, 0x0, @dev={0xac, 0x14, 0x14, 0x2a}, @rand_addr=0x64010102, {[@noop, @lsrr={0x83, 0x13, 0x73, [@loopback, @local, @rand_addr=0x64010102, @loopback]}, @lsrr={0x83, 0xb, 0x17, [@broadcast, @multicast2]}, @ssrr={0x89, 0x1f, 0x95, [@empty, @initdev={0xac, 0x1e, 0x0, 0x0}, @multicast2, @multicast2, @broadcast, @initdev={0xac, 0x1e, 0x0, 0x0}, @multicast2]}, @timestamp_addr={0x44, 0x34, 0xd7, 0x1, 0xe, [{@multicast1, 0x7}, {@dev={0xac, 0x14, 0x14, 0x32}, 0x96ca}, {@multicast1, 0xb}, {@initdev={0xac, 0x1e, 0x1, 0x0}, 0xfffffffc}, {@multicast1, 0x4}, {@private=0xa010101}]}]}}}}})
bpf$BPF_GET_PROG_INFO(0xf, &(0x7f00000007c0)={r0, 0xe0, &(0x7f00000006c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8, &(0x7f0000000400)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], ""/16, 0x0, 0x0, 0x0, 0x0, 0x1, 0x4, &(0x7f00000004c0)=[0x0], &(0x7f0000000540)=[0x0, 0x0, 0x0, 0x0], 0x0, 0xf8, &(0x7f0000000580)=[{}, {}], 0x10, 0x10, &(0x7f0000000600), &(0x7f0000000640), 0x8, 0xac, 0x8, 0x8, &(0x7f0000000680)}}, 0x10)
ioctl$sock_ipv4_tunnel_SIOCDELTUNNEL(0xffffffffffffffff, 0x89f2, &(0x7f0000000840)={'gre0\x00', &(0x7f0000000800)={'tunl0\x00', 0x0, 0x1, 0x7800, 0x0, 0x8, {{0x6, 0x4, 0x2, 0xf, 0x18, 0x67, 0x0, 0x6, 0x2f, 0x0, @rand_addr=0x64010101, @dev={0xac, 0x14, 0x14, 0x40}, {[@end]}}}}})
bpf$BPF_GET_PROG_INFO(0xf, &(0x7f0000000b40)={r0, 0xe0, &(0x7f0000000a40)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, &(0x7f0000000880)=[0x0], ""/16, 0x0, 0x0, 0x0, 0x0, 0x2, 0x2, &(0x7f00000008c0)=[0x0, 0x0], &(0x7f0000000900)=[0x0, 0x0], 0x0, 0x32, &(0x7f0000000940)=[{}, {}, {}, {}, {}], 0x28, 0x10, &(0x7f0000000980), &(0x7f00000009c0), 0x8, 0xd0, 0x8, 0x8, &(0x7f0000000a00)}}, 0x10)
ioctl$sock_ipv4_tunnel_SIOCADDTUNNEL(0xffffffffffffffff, 0x89f1, &(0x7f0000000c00)={'ip_vti0\x00', &(0x7f0000000b80)={'syztnl2\x00', 0x0, 0x8, 0x7800, 0x9, 0x7fff, {{0x15, 0x4, 0x1, 0x7, 0x54, 0x68, 0x0, 0x9, 0x2f, 0x0, @private=0xa010100, @empty, {[@ssrr={0x89, 0x13, 0xd5, [@private=0xa010100, @rand_addr=0x64010100, @remote, @dev={0xac, 0x14, 0x14, 0x26}]}, @noop, @rr={0x7, 0xf, 0x8b, [@empty, @empty, @empty]}, @ra={0x94, 0x4, 0x1}, @lsrr={0x83, 0x17, 0x2d, [@rand_addr=0x64010102, @dev={0xac, 0x14, 0x14, 0x29}, @dev={0xac, 0x14, 0x14, 0x21}, @dev={0xac, 0x14, 0x14, 0x26}, @remote]}]}}}}})
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f0000000c40)={'vxcan1\x00', 0x0})
r10 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r10, &(0x7f00000035c0)={0x0, 0x0, &(0x7f0000003580)={&(0x7f00000002c0)=@newsa={0x138, 0x10, 0x1, 0x0, 0x0, {{@in=@local, @in=@broadcast, 0x200, 0x0, 0x2000, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff}, {@in6=@mcast2, 0x0, 0x6c}, @in6=@remote, {0x0, 0x0, 0x0, 0x1}, {}, {}, 0x0, 0x0, 0x2, 0x4}, [@algo_comp={0x48, 0x3, {{'deflate\x00'}}}]}, 0x138}}, 0x0)
getsockopt$inet_mreqn(0xffffffffffffffff, 0x0, 0x20, &(0x7f0000000c80)={@initdev, @multicast2, 0x0}, &(0x7f0000000cc0)=0xc)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(0xffffffffffffffff, 0x8933, &(0x7f0000000d00)={'batadv_slave_1\x00', 0x0})

# --- Bluetooth portion: these are the calls whose kernel paths show up in the lockdep report ---
# 0x1f is AF_BLUETOOTH. Connecting the L2CAP socket presumably creates the l2cap_conn whose
# conn->lock and info_timer work item are the two locks named in the report - the report names
# the locks, not the socket, so treat the link as likely rather than proven.
r13 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r13, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe)
r14 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6)
# Registers a HID device on top of the L2CAP socket; r13 is passed twice (control and interrupt
# socket). The 0x457 / 0x9 values and the name 'syz1' match the "hid-multitouch 0005:0457:0009"
# and "[syz1]" lines at the start of the console log.
ioctl$sock_bt_hidp_HIDPCONNADD(r14, 0x400448c8, &(0x7f0000000280)={r13, r13, 0xc, 0x1, &(0x7f0000000340)='\x00', 0x9, 0x1, 0x457, 0x9, 0x9, 0x1, 0x1, 'syz1\x00'})
r15 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
# Triage note: the call is labelled HCIINQUIRY, but the request number actually sent is
# 0x400448ca, which is HCIDEVDOWN (_IOW('H', 202, int)); the argument 0x0 is the device index.
# This agrees with the register dump in the report (RSI = 0x400448ca, RDX = 0) and with the
# trace sock_ioctl -> hci_dev_close -> hci_dev_close_sync -> hci_conn_hash_flush ->
# l2cap_conn_del. Per the report, l2cap_conn_del holds conn->lock while __cancel_work_sync
# waits for the info_timer work, and that work's handler (l2cap_info_timeout) itself takes
# conn->lock - the inverted ordering lockdep is warning about.
ioctl$HCIINQUIRY(r15, 0x400448ca, 0x0)

# Uses the already-closed r2 and the unassigned r4-r9, r11, r12 (see the notes above).
sendmsg$ETHTOOL_MSG_WOL_GET(r2, &(0x7f0000000f80)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x400000}, 0xc, &(0x7f0000000f40)={&(0x7f0000000d40)=ANY=[@ANYBLOB="c4010000", @ANYRES16=r3, @ANYBLOB="000326bd7000fddbdf250900000028000180080003000200000014000200626f6e645f736c6176655f300000000008000100", @ANYRES32=0x0, @ANYBLOB="340001801400020070696d72656731000000000000000000140002007663616e30000000000000000000000008000300010000009400018008000300010000001400020067726574617030000000000000000000080003000200000014000200626f6e643000000000000000000000001400020076657468315f766c616e000000000000140002007663616e300000000000000000000000080003000100000014000200766c616e3100000000000000000000001400020076657468305f6d6163767461700000003c000180080003000000000008000300020000000800030003000000080003000200000008000100", @ANYRES32=r4, @ANYBLOB="08000100", @ANYRES32=r5, @ANYBLOB="eabf0000", @ANYRES32=r6, @ANYBLOB="6800018008000100", @ANYRES32=r7, @ANYBLOB="14000200766c616e30000000000000000000000008000300010000000800030003000000140002007767310000000000000000000000000008000100", @ANYRES32=0x0, @ANYBLOB="08000100", @ANYRES32=r8, @ANYBLOB="1400020076657468305f6d6163767461700000001c00018008000100", @ANYRES32=r9, @ANYBLOB="08000100", @ANYRES32=r11, @ANYBLOB="08000100", @ANYRES32=r12, @ANYBLOB], 0x1c4}, 0x1, 0x0, 0x0, 0x4000044}, 0x1)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000800000000000000000000018110000", @ANYRES32=r1], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
# Two program loads with an empty instruction array, each handed to a raw-tracepoint open on
# '9p_client_req'. No BPF or 9p frame appears in the lockdep trace shown below.
r16 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x6, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000005c0)={&(0x7f0000000500)='9p_client_req\x00', r16}, 0x10)
r17 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f00000005c0)={&(0x7f0000000500)='9p_client_req\x00', r17}, 0x10)
# The mount flags 0x8d0 include 0x40 (MS_MANDLOCK), which accounts for the "mand mount option
# has been deprecated" notice near the end of the console log; that notice is logged by a
# different task (T5342) and looks unrelated to the lockdep warning.
mount$9p_virtio(&(0x7f0000003500), &(0x7f0000003540)='./file0\x00', &(0x7f0000003580), 0x8d0, 0x0)
[ 125.586143][ T10] hid-multitouch 0005:0457:0009.0002: unknown main item tag 0x0
[ 125.609096][ T10] hid-multitouch 0005:0457:0009.0002: hidraw1: BLUETOOTH HID v0.09 Device [syz1] on aa:aa:aa:aa:aa:aa
[ 125.641916][ T5341] 
[ 125.643088][ T5341] ======================================================
[ 125.646251][ T5341] WARNING: possible circular locking dependency detected
[ 125.649422][ T5341] syzkaller #0 Not tainted
[ 125.651265][ T5341] ------------------------------------------------------
[ 125.654272][ T5341] 
syz.0.0/5341 is trying to acquire lock: [ 125.656759][ T5341] ffff8880421a0840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0x100/0xc50 [ 125.662324][ T5341] [ 125.662324][ T5341] but task is already holding lock: [ 125.665525][ T5341] ffff8880421a0af8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5c0 [ 125.669482][ T5341] [ 125.669482][ T5341] which lock already depends on the new lock. [ 125.669482][ T5341] [ 125.674096][ T5341] [ 125.674096][ T5341] the existing dependency chain (in reverse order) is: [ 125.678046][ T5341] [ 125.678046][ T5341] -> #1 (&conn->lock#2){+.+.}-{4:4}: [ 125.681291][ T5341] __mutex_lock+0x19f/0x1300 [ 125.683568][ T5341] l2cap_info_timeout+0x60/0xa0 [ 125.686153][ T5341] process_scheduled_works+0xb02/0x1830 [ 125.688811][ T5341] worker_thread+0xa50/0xfc0 [ 125.691110][ T5341] kthread+0x388/0x470 [ 125.693140][ T5341] ret_from_fork+0x51e/0xb90 [ 125.695457][ T5341] ret_from_fork_asm+0x1a/0x30 [ 125.697929][ T5341] [ 125.697929][ T5341] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}: [ 125.702347][ T5341] __lock_acquire+0x15a5/0x2cf0 [ 125.704712][ T5341] lock_acquire+0xf0/0x2e0 [ 125.706883][ T5341] __flush_work+0x700/0xc50 [ 125.709137][ T5341] __cancel_work_sync+0xbe/0x110 [ 125.711329][ T5341] l2cap_conn_del+0x40f/0x5c0 [ 125.713384][ T5341] hci_conn_hash_flush+0x10d/0x260 [ 125.715620][ T5341] hci_dev_close_sync+0x821/0x10e0 [ 125.718004][ T5341] hci_dev_close+0x108/0x260 [ 125.720129][ T5341] sock_do_ioctl+0x101/0x320 [ 125.722171][ T5341] sock_ioctl+0x5c6/0x7f0 [ 125.723914][ T5341] __se_sys_ioctl+0xfc/0x170 [ 125.725889][ T5341] do_syscall_64+0x14d/0xf80 [ 125.728103][ T5341] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 125.730807][ T5341] [ 125.730807][ T5341] other info that might help us debug this: [ 125.730807][ T5341] [ 125.735341][ T5341] Possible unsafe locking scenario: [ 125.735341][ T5341] [ 125.738466][ T5341] CPU0 CPU1 [ 125.740636][ T5341] ---- ---- [ 
125.742916][ T5341] lock(&conn->lock#2); [ 125.744888][ T5341] lock((work_completion)(&(&conn->info_timer)->work)); [ 125.749095][ T5341] lock(&conn->lock#2); [ 125.751996][ T5341] lock((work_completion)(&(&conn->info_timer)->work)); [ 125.754864][ T5341] [ 125.754864][ T5341] *** DEADLOCK *** [ 125.754864][ T5341] [ 125.757859][ T5341] 5 locks held by syz.0.0/5341: [ 125.759958][ T5341] #0: ffff88801cbf0ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x260 [ 125.764023][ T5341] #1: ffff88801cbf00c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0x10e0 [ 125.768288][ T5341] #2: ffffffff8fd5aea8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x260 [ 125.772363][ T5341] #3: ffff8880421a0af8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5c0 [ 125.776363][ T5341] #4: ffffffff8e7602e0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x100/0xc50 [ 125.780436][ T5341] [ 125.780436][ T5341] stack backtrace: [ 125.783069][ T5341] CPU: 0 UID: 0 PID: 5341 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 125.783086][ T5341] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 125.783094][ T5341] Call Trace: [ 125.783102][ T5341] [ 125.783193][ T5341] dump_stack_lvl+0xe8/0x150 [ 125.783214][ T5341] print_circular_bug+0x2e1/0x300 [ 125.783233][ T5341] check_noncircular+0x12e/0x150 [ 125.783250][ T5341] __lock_acquire+0x15a5/0x2cf0 [ 125.783263][ T5341] ? do_raw_spin_lock+0x12b/0x2f0 [ 125.783301][ T5341] ? do_raw_spin_unlock+0x4d/0x210 [ 125.783312][ T5341] lock_acquire+0xf0/0x2e0 [ 125.783326][ T5341] ? __flush_work+0x100/0xc50 [ 125.783343][ T5341] ? __flush_work+0x100/0xc50 [ 125.783358][ T5341] __flush_work+0x700/0xc50 [ 125.783371][ T5341] ? __flush_work+0x100/0xc50 [ 125.783384][ T5341] ? __flush_work+0x100/0xc50 [ 125.783397][ T5341] ? __pfx___flush_work+0x10/0x10 [ 125.783411][ T5341] ? __pfx_wq_barrier_func+0x10/0x10 [ 125.783427][ T5341] ? 
__cancel_work_sync+0x5c/0x110 [ 125.783442][ T5341] __cancel_work_sync+0xbe/0x110 [ 125.783456][ T5341] l2cap_conn_del+0x40f/0x5c0 [ 125.783469][ T5341] ? __pfx_l2cap_disconn_cfm+0x10/0x10 [ 125.783480][ T5341] hci_conn_hash_flush+0x10d/0x260 [ 125.783494][ T5341] hci_dev_close_sync+0x821/0x10e0 [ 125.783507][ T5341] ? __pfx_hci_dev_close_sync+0x10/0x10 [ 125.783516][ T5341] ? lockdep_hardirqs_on+0x7a/0x110 [ 125.783529][ T5341] ? enable_work+0x1fd/0x230 [ 125.783544][ T5341] hci_dev_close+0x108/0x260 [ 125.783556][ T5341] sock_do_ioctl+0x101/0x320 [ 125.783571][ T5341] ? __pfx_sock_do_ioctl+0x10/0x10 [ 125.783586][ T5341] ? do_futex+0x333/0x420 [ 125.783603][ T5341] sock_ioctl+0x5c6/0x7f0 [ 125.783617][ T5341] ? __pfx_sock_ioctl+0x10/0x10 [ 125.783630][ T5341] ? __fget_files+0x2a/0x420 [ 125.783674][ T5341] ? __fget_files+0x3a0/0x420 [ 125.783686][ T5341] ? __fget_files+0x2a/0x420 [ 125.783698][ T5341] ? bpf_lsm_file_ioctl+0x9/0x20 [ 125.783710][ T5341] ? __pfx_sock_ioctl+0x10/0x10 [ 125.783724][ T5341] __se_sys_ioctl+0xfc/0x170 [ 125.783740][ T5341] do_syscall_64+0x14d/0xf80 [ 125.783753][ T5341] ? trace_irq_disable+0x3b/0x150 [ 125.783768][ T5341] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 125.783778][ T5341] ? 
clear_bhb_loop+0x40/0x90 [ 125.783788][ T5341] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 125.783798][ T5341] RIP: 0033:0x7fd5e359c629 [ 125.783810][ T5341] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 125.783825][ T5341] RSP: 002b:00007fd5e44be028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 125.783838][ T5341] RAX: ffffffffffffffda RBX: 00007fd5e3815fa0 RCX: 00007fd5e359c629 [ 125.783846][ T5341] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000007 [ 125.783852][ T5341] RBP: 00007fd5e3632b39 R08: 0000000000000000 R09: 0000000000000000 [ 125.783859][ T5341] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 125.783865][ T5341] R13: 00007fd5e3816038 R14: 00007fd5e3815fa0 R15: 00007ffea93911f8 [ 125.783877][ T5341] [ 125.931150][ T5345] fido_id[5345]: Failed to open report descriptor at '/sys/devices/virtual/bluetooth/hci0/hci0:200/report_descriptor': No such file or directory [ 125.938901][ T4665] Bluetooth: hci0: command tx timeout [ 125.963738][ T5342] ======================================================= [ 125.963738][ T5342] WARNING: The mand mount option has been deprecated and [ 125.963738][ T5342] and is ignored by this kernel. Remove the mand [ 125.963738][ T5342] option from the mount to silence this warning. [ 125.963738][ T5342] ======================================================= [ 128.001818][ T4665] Bluetooth: hci0: command tx timeout [ 130.081657][ T4665] Bluetooth: hci0: command tx timeout