program:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r1, 0x400448cb, 0x0)

[ 88.023563][ T4666] Bluetooth: hci0: command tx timeout
[ 88.055267][ T1361]
[ 88.056313][ T1361] ======================================================
[ 88.059035][ T1361] WARNING: possible circular locking dependency detected
[ 88.061789][ T1361] syzkaller #0 Not tainted
[ 88.063660][ T1361] ------------------------------------------------------
[ 88.066723][ T1361] kworker/0:3/1361 is trying to acquire lock:
[ 88.069285][ T1361] ffff8880363e6b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 88.073210][ T1361]
[ 88.073210][ T1361] but task is already holding lock:
[ 88.076255][ T1361] ffffc90008bafbc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa0f/0x17a0
[ 88.081553][ T1361]
[ 88.081553][ T1361] which lock already depends on the new lock.
[ 88.081553][ T1361]
[ 88.085893][ T1361]
[ 88.085893][ T1361] the existing dependency chain (in reverse order) is:
[ 88.089636][ T1361]
[ 88.089636][ T1361] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 88.093976][ T1361]        __flush_work+0x700/0xc50
[ 88.096155][ T1361]        __cancel_work_sync+0xbe/0x110
[ 88.098581][ T1361]        l2cap_conn_del+0x402/0x5b0
[ 88.100969][ T1361]        hci_conn_hash_flush+0x10d/0x260
[ 88.103326][ T1361]        hci_dev_close_sync+0x821/0x10e0
[ 88.105715][ T1361]        hci_dev_close+0x108/0x260
[ 88.107805][ T1361]        sock_do_ioctl+0x101/0x320
[ 88.109961][ T1361]        sock_ioctl+0x5c6/0x7f0
[ 88.112049][ T1361]        __se_sys_ioctl+0xfc/0x170
[ 88.114207][ T1361]        do_syscall_64+0xe2/0xf80
[ 88.116413][ T1361]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 88.119156][ T1361]
[ 88.119156][ T1361] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 88.122381][ T1361]        __lock_acquire+0x15a5/0x2cf0
[ 88.124629][ T1361]        lock_acquire+0x106/0x330
[ 88.126802][ T1361]        __mutex_lock+0x19f/0x1300
[ 88.129036][ T1361]        l2cap_info_timeout+0x60/0xa0
[ 88.131452][ T1361]        process_scheduled_works+0xaec/0x17a0
[ 88.134154][ T1361]        worker_thread+0xda6/0x1360
[ 88.136447][ T1361]        kthread+0x726/0x8b0
[ 88.138459][ T1361]        ret_from_fork+0x51b/0xa40
[ 88.140502][ T1361]        ret_from_fork_asm+0x1a/0x30
[ 88.142537][ T1361]
[ 88.142537][ T1361] other info that might help us debug this:
[ 88.142537][ T1361]
[ 88.146223][ T1361]  Possible unsafe locking scenario:
[ 88.146223][ T1361]
[ 88.149347][ T1361]        CPU0                    CPU1
[ 88.151631][ T1361]        ----                    ----
[ 88.153910][ T1361]   lock((work_completion)(&(&conn->info_timer)->work));
[ 88.156886][ T1361]                                lock(&conn->lock#2);
[ 88.159726][ T1361]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 88.163694][ T1361]   lock(&conn->lock#2);
[ 88.165607][ T1361]
[ 88.165607][ T1361]  *** DEADLOCK ***
[ 88.165607][ T1361]
[ 88.168922][ T1361] 2 locks held by kworker/0:3/1361:
[ 88.171074][ T1361]  #0: ffff88801a867548 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9d4/0x17a0
[ 88.175810][ T1361]  #1: ffffc90008bafbc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa0f/0x17a0
[ 88.181407][ T1361]
[ 88.181407][ T1361] stack backtrace:
[ 88.184353][ T1361] CPU: 0 UID: 0 PID: 1361 Comm: kworker/0:3 Not tainted syzkaller #0 PREEMPT(full)
[ 88.184369][ T1361] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 88.184378][ T1361] Workqueue: events l2cap_info_timeout
[ 88.184395][ T1361] Call Trace:
[ 88.184421][ T1361]
[ 88.184427][ T1361]  dump_stack_lvl+0xe8/0x150
[ 88.184442][ T1361]  print_circular_bug+0x2e1/0x300
[ 88.184455][ T1361]  check_noncircular+0x12e/0x150
[ 88.184467][ T1361]  __lock_acquire+0x15a5/0x2cf0
[ 88.184483][ T1361]  ? __schedule+0x1500/0x5050
[ 88.184502][ T1361]  ? l2cap_info_timeout+0x60/0xa0
[ 88.184510][ T1361]  lock_acquire+0x106/0x330
[ 88.184524][ T1361]  ? l2cap_info_timeout+0x60/0xa0
[ 88.184535][ T1361]  __mutex_lock+0x19f/0x1300
[ 88.184546][ T1361]  ? l2cap_info_timeout+0x60/0xa0
[ 88.184557][ T1361]  ? irqentry_exit+0x59c/0x620
[ 88.184567][ T1361]  ? lockdep_hardirqs_on+0x7a/0x110
[ 88.184577][ T1361]  ? l2cap_info_timeout+0x60/0xa0
[ 88.184586][ T1361]  ? irqentry_exit+0x59c/0x620
[ 88.184596][ T1361]  ? __pfx___mutex_lock+0x10/0x10
[ 88.184609][ T1361]  ? lock_acquire+0x221/0x330
[ 88.184623][ T1361]  l2cap_info_timeout+0x60/0xa0
[ 88.184632][ T1361]  ? process_scheduled_works+0xa0f/0x17a0
[ 88.184647][ T1361]  process_scheduled_works+0xaec/0x17a0
[ 88.184668][ T1361]  ? __pfx_process_scheduled_works+0x10/0x10
[ 88.184682][ T1361]  ? do_raw_spin_lock+0x12b/0x2f0
[ 88.184694][ T1361]  ? __pfx_do_raw_spin_lock+0x10/0x10
[ 88.184705][ T1361]  ? schedule+0x90/0x360
[ 88.184717][ T1361]  worker_thread+0xda6/0x1360
[ 88.184726][ T1361]  ? __kthread_parkme+0x19c/0x1f0
[ 88.184733][ T1361]  kthread+0x726/0x8b0
[ 88.184741][ T1361]  ? __pfx_worker_thread+0x10/0x10
[ 88.184747][ T1361]  ? __pfx_kthread+0x10/0x10
[ 88.184754][ T1361]  ? _raw_spin_unlock_irq+0x23/0x50
[ 88.184764][ T1361]  ? __pfx_kthread+0x10/0x10
[ 88.184771][ T1361]  ret_from_fork+0x51b/0xa40
[ 88.184778][ T1361]  ? __pfx_ret_from_fork+0x10/0x10
[ 88.184783][ T1361]  ? __switch_to+0xc82/0x1410
[ 88.184793][ T1361]  ? __pfx_kthread+0x10/0x10
[ 88.184800][ T1361]  ret_from_fork_asm+0x1a/0x30
[ 88.184812][ T1361]
[ 90.053514][ T46] Bluetooth: hci0: command tx timeout
[ 91.903548][ T9] cfg80211: failed to load regulatory.db
[ 92.134010][ T46] Bluetooth: hci0: command tx timeout
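The report above is lockdep's cycle check over recorded lock-order edges: chain #1 records that a task (here the ioctl path through hci_dev_close -> l2cap_conn_del) waited for the info_timer work to complete, and the report's "which lock already depends on the new lock" tells us that edge was recorded with &conn->lock#2 already held; chain #0 is the worker running l2cap_info_timeout, which holds the work_completion pseudo-lock and then tries to take &conn->lock#2, closing the cycle. The following is an added illustration, not code from the kernel or from syzkaller: a minimal userspace model of lockdep's dependency graph that replays the two chains from this report and flags the circular dependency in the same way. Lock-class names are taken from the report; the task name "ioctl-caller", the assumption that l2cap_conn_del holds conn->lock when it calls cancel_work_sync, and all function names in the model are ours.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LOCKS 8
#define MAX_HELD  8

/* Lock classes appearing in the report. The numeric ids are ours. */
enum lock_class {
    WQ_COMPLETION_EVENTS = 0,   /* (wq_completion)events */
    WORK_INFO_TIMER      = 1,   /* (work_completion)(&(&conn->info_timer)->work) */
    CONN_LOCK            = 2,   /* &conn->lock#2 */
    NUM_CLASSES
};

static const char *class_name[NUM_CLASSES] = {
    "(wq_completion)events",
    "(work_completion)(&(&conn->info_timer)->work)",
    "&conn->lock#2",
};

/* dep[a][b] != 0 records that 'a' was held when 'b' was acquired (an a -> b edge). */
static unsigned char dep[MAX_LOCKS][MAX_LOCKS];

/* Per-task held-lock stack, the analogue of lockdep's held_locks[]. */
struct task {
    const char *comm;
    int held[MAX_HELD];
    int nheld;
};

/* DFS: is there already a recorded path from 'from' to 'to'? */
static int reachable(int from, int to, unsigned char *seen)
{
    if (from == to)
        return 1;
    seen[from] = 1;
    for (int next = 0; next < NUM_CLASSES; next++)
        if (dep[from][next] && !seen[next] && reachable(next, to, seen))
            return 1;
    return 0;
}

/* Acquire 'want' in task t. For every lock currently held, the new edge
 * held -> want closes a cycle if want already (transitively) precedes held.
 * Returns 1 and prints a lockdep-style warning if a cycle is found. */
static int lock_acquire(struct task *t, int want, const char *where)
{
    int circular = 0;
    for (int i = 0; i < t->nheld; i++) {
        int held = t->held[i];
        unsigned char seen[MAX_LOCKS] = {0};
        if (!dep[held][want] && reachable(want, held, seen)) {
            printf("WARNING: possible circular locking dependency detected\n"
                   "%s is trying to acquire lock:\n  %s, at: %s\n"
                   "but task is already holding lock:\n  %s\n",
                   t->comm, class_name[want], where, class_name[held]);
            circular = 1;
        }
        dep[held][want] = 1;   /* record the edge either way, as lockdep does */
    }
    t->held[t->nheld++] = want;
    return circular;
}

static void lock_release(struct task *t) { t->nheld--; }
static void reset_graph(void) { memset(dep, 0, sizeof dep); }

/* Chain #1 of the report: ioctl -> hci_dev_close -> l2cap_conn_del, which
 * (assumed) holds conn->lock while __cancel_work_sync waits for the work. */
static int replay_hci_dev_close(void)
{
    struct task ioctl_task = { .comm = "ioctl-caller" };   /* name is ours */
    int r = 0;
    r |= lock_acquire(&ioctl_task, CONN_LOCK, "l2cap_conn_del");
    r |= lock_acquire(&ioctl_task, WORK_INFO_TIMER, "__cancel_work_sync");
    lock_release(&ioctl_task);
    lock_release(&ioctl_task);
    return r;
}

/* Chain #0: the events workqueue runs l2cap_info_timeout, which takes conn->lock. */
static int replay_info_timeout_worker(void)
{
    struct task kworker = { .comm = "kworker/0:3/1361" };
    int r = 0;
    r |= lock_acquire(&kworker, WQ_COMPLETION_EVENTS, "process_scheduled_works");
    r |= lock_acquire(&kworker, WORK_INFO_TIMER, "process_scheduled_works");
    r |= lock_acquire(&kworker, CONN_LOCK, "l2cap_info_timeout");
    lock_release(&kworker);
    lock_release(&kworker);
    lock_release(&kworker);
    return r;
}

int main(void)
{
    reset_graph();
    replay_hci_dev_close();              /* records conn->lock -> work_completion */
    return replay_info_timeout_worker(); /* work_completion -> conn->lock: cycle */
}
```

Whichever chain runs first is silent; the second one trips the check, exactly as in the report, where the ioctl path had already recorded its edge before the worker fired. The structural fix this model points at is the usual one for cancel_work_sync() deadlocks: the caller must not hold a lock that the work function itself takes while waiting for that work to finish, so either drop conn->lock before cancelling the timer or cancel it from a context that never takes that lock.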