program:
# Reproducer for the report that follows: a Bluetooth L2CAP / HIDP / HCI socket
# sequence whose final ioctl runs under fault injection (fail_nth: 3). The log
# below shows that call hitting FAULT_INJECTION in create_monitor_ctrl_open
# (should_failslab -> __alloc_skb) and then lockdep reporting a possible circular
# dependency between &conn->lock#2 and the info_timer work_completion in
# l2cap_conn_del (hci_dev_close_sync -> hci_conn_hash_flush -> l2cap_conn_del).
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
# Connect the L2CAP socket to the fixed address of five 0xaa bytes; the same
# device later appears in the log as aa:aa:aa:aa:aa:aa. Address length is 0xe.
connect$bt_l2cap(r0, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe)
r1 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6)
# HIDPCONNADD with the same L2CAP fd r0 in both socket slots (presumably the
# control and interrupt sockets -- confirm against struct hidp_connadd_req).
# The 1-byte report descriptor at 0x7f0000000340 is a single 0x00, which matches
# the "unknown main item tag 0x0" line in the log; 0x457 / 0x9 and 'syz1' show up
# there as hid-multitouch 0005:0457:0009 "Device [syz1]".
ioctl$sock_bt_hidp_HIDPCONNADD(r1, 0x400448c8, &(0x7f0000000280)={r0, r0, 0xc, 0x1, &(0x7f0000000340)='\x00', 0x9, 0x1, 0x457, 0x9, 0x9, 0x1, 0x1, 'syz1\x00'})
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
# HCI ioctl 0x400448ca with a NULL argument (RSI 0x400448ca, RDX 0 in the
# register dumps); the lockdep trace shows it reaching hci_dev_close. fail_nth: 3
# presumably fails the third fault-injectable allocation on this call -- the log
# records one forced failslab failure (times 1) under hci_sock_ioctl.
ioctl$sock_bt_hci(r2, 0x400448ca, 0x0) (fail_nth: 3)
[ 84.468181][ T5333] FAULT_INJECTION: forcing a failure.
[ 84.468181][ T5333] name failslab, interval 1, probability 0, space 0, times 1
[ 84.474854][ T9] hid-multitouch 0005:0457:0009.0002: unknown main item tag 0x0
[ 84.491341][ T5333] CPU: 0 UID: 0 PID: 5333 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 84.491360][ T5333] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 84.491368][ T5333] Call Trace:
[ 84.491373][ T5333]
[ 84.491378][ T5333] dump_stack_lvl+0xe8/0x150
[ 84.491480][ T5333] should_fail_ex+0x412/0x560
[ 84.491527][ T5333] should_failslab+0xa8/0x100
[ 84.491541][ T5333] kmem_cache_alloc_node_noprof+0x8b/0x6f0
[ 84.491558][ T5333] ? __alloc_skb+0x1d7/0x390
[ 84.491597][ T5333] ? __local_bh_enable_ip+0xd0/0x130
[ 84.491609][ T5333] ? __alloc_skb+0x193/0x390
[ 84.491621][ T5333] __alloc_skb+0x1d7/0x390
[ 84.491635][ T5333] create_monitor_ctrl_open+0x15c/0x8b0
[ 84.491652][ T5333] ? __pfx_create_monitor_ctrl_open+0x10/0x10
[ 84.491665][ T5333] ? bpf_lsm_capable+0x9/0x20
[ 84.491683][ T5333] hci_sock_ioctl+0x2f2/0x940
[ 84.491699][ T5333] sock_do_ioctl+0x101/0x320
[ 84.491716][ T5333] ? __pfx_sock_do_ioctl+0x10/0x10
[ 84.491729][ T5333] ? __mutex_unlock_slowpath+0x1bd/0x7d0
[ 84.491751][ T5333] sock_ioctl+0x5c6/0x7f0
[ 84.491767][ T5333] ? __pfx_sock_ioctl+0x10/0x10
[ 84.491781][ T5333] ? __fget_files+0x2a/0x420
[ 84.491791][ T5333] ? __fget_files+0x3a0/0x420
[ 84.491800][ T5333] ? __fget_files+0x2a/0x420
[ 84.491812][ T5333] ? bpf_lsm_file_ioctl+0x9/0x20
[ 84.491823][ T5333] ? __pfx_sock_ioctl+0x10/0x10
[ 84.491837][ T5333] __se_sys_ioctl+0xfc/0x170
[ 84.491854][ T5333] do_syscall_64+0xe2/0xf80
[ 84.491865][ T5333] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.491875][ T5333] ? trace_irq_disable+0x37/0x100
[ 84.491886][ T5333] ? clear_bhb_loop+0x60/0xb0
[ 84.491899][ T5333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.491909][ T5333] RIP: 0033:0x7ff11d59aeb9
[ 84.491938][ T5333] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 84.491948][ T5333] RSP: 002b:00007ff11e448028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 84.491962][ T5333] RAX: ffffffffffffffda RBX: 00007ff11d815fa0 RCX: 00007ff11d59aeb9
[ 84.491970][ T5333] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000006
[ 84.491977][ T5333] RBP: 00007ff11e448090 R08: 0000000000000000 R09: 0000000000000000
[ 84.491983][ T5333] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 84.491990][ T5333] R13: 00007ff11d816038 R14: 00007ff11d815fa0 R15: 00007fffe505f318
[ 84.492006][ T5333]
[ 84.610083][ T9] hid-multitouch 0005:0457:0009.0002: hidraw1: BLUETOOTH HID v0.09 Device [syz1] on aa:aa:aa:aa:aa:aa
[ 84.627682][ T5333]
[ 84.628851][ T5333] ======================================================
[ 84.632039][ T5333] WARNING: possible circular locking dependency detected
[ 84.635142][ T5333] syzkaller #0 Not tainted
[ 84.637126][ T5333] ------------------------------------------------------
[ 84.640229][ T5333] syz.0.0/5333 is trying to acquire lock:
[ 84.642835][ T5333] ffff888011ccf040 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0x100/0xc50
[ 84.647987][ T5333]
[ 84.647987][ T5333] but task is already holding lock:
[ 84.651230][ T5333] ffff888011ccf338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0
[ 84.655226][ T5333]
[ 84.655226][ T5333] which lock already depends on the new lock.
[ 84.655226][ T5333]
[ 84.659794][ T5333]
[ 84.659794][ T5333] the existing dependency chain (in reverse order) is:
[ 84.663540][ T5333]
[ 84.663540][ T5333] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[ 84.666294][ T5333] __mutex_lock+0x19f/0x1300
[ 84.668200][ T5333] l2cap_info_timeout+0x60/0xa0
[ 84.670197][ T5333] process_scheduled_works+0xaec/0x17a0
[ 84.672442][ T5333] worker_thread+0xda6/0x1360
[ 84.674319][ T5333] kthread+0x726/0x8b0
[ 84.676016][ T5333] ret_from_fork+0x51b/0xa40
[ 84.677835][ T5333] ret_from_fork_asm+0x1a/0x30
[ 84.679767][ T5333]
[ 84.679767][ T5333] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 84.683006][ T5333] __lock_acquire+0x15a5/0x2cf0
[ 84.684783][ T5333] lock_acquire+0x106/0x330
[ 84.686535][ T5333] __flush_work+0x700/0xc50
[ 84.688281][ T5333] __cancel_work_sync+0xbe/0x110
[ 84.690481][ T5333] l2cap_conn_del+0x402/0x5b0
[ 84.692825][ T5333] hci_conn_hash_flush+0x10d/0x260
[ 84.695370][ T5333] hci_dev_close_sync+0x821/0x10e0
[ 84.698225][ T5333] hci_dev_close+0x108/0x260
[ 84.700810][ T5333] sock_do_ioctl+0x101/0x320
[ 84.703135][ T5333] sock_ioctl+0x5c6/0x7f0
[ 84.705513][ T5333] __se_sys_ioctl+0xfc/0x170
[ 84.708079][ T5333] do_syscall_64+0xe2/0xf80
[ 84.710391][ T5333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.713687][ T5333]
[ 84.713687][ T5333] other info that might help us debug this:
[ 84.713687][ T5333]
[ 84.718242][ T5333] Possible unsafe locking scenario:
[ 84.718242][ T5333]
[ 84.721503][ T5333]        CPU0                    CPU1
[ 84.723759][ T5333]        ----                    ----
[ 84.726102][ T5333]   lock(&conn->lock#2);
[ 84.727962][ T5333]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 84.732035][ T5333]                                lock(&conn->lock#2);
[ 84.734899][ T5333]   lock((work_completion)(&(&conn->info_timer)->work));
[ 84.737961][ T5333]
[ 84.737961][ T5333] *** DEADLOCK ***
[ 84.737961][ T5333]
[ 84.741449][ T5333] 5 locks held by syz.0.0/5333:
[ 84.743617][ T5333] #0: ffff88801c8a8ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x260
[ 84.747686][ T5333] #1: ffff88801c8a80c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0x10e0
[ 84.751883][ T5333] #2: ffffffff8fb3ad28 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x260
[ 84.756250][ T5333] #3: ffff888011ccf338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0
[ 84.760331][ T5333] #4: ffffffff8e55a360 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x100/0xc50
[ 84.764399][ T5333]
[ 84.764399][ T5333] stack backtrace:
[ 84.767037][ T5333] CPU: 0 UID: 0 PID: 5333 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 84.767052][ T5333] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 84.767060][ T5333] Call Trace:
[ 84.767068][ T5333]
[ 84.767075][ T5333] dump_stack_lvl+0xe8/0x150
[ 84.767093][ T5333] print_circular_bug+0x2e1/0x300
[ 84.767106][ T5333] check_noncircular+0x12e/0x150
[ 84.767118][ T5333] __lock_acquire+0x15a5/0x2cf0
[ 84.767134][ T5333] ? do_raw_spin_lock+0x12b/0x2f0
[ 84.767149][ T5333] ? __flush_work+0x100/0xc50
[ 84.767159][ T5333] lock_acquire+0x106/0x330
[ 84.767172][ T5333] ? __flush_work+0x100/0xc50
[ 84.767185][ T5333] ? __flush_work+0x100/0xc50
[ 84.767195][ T5333] __flush_work+0x700/0xc50
[ 84.767226][ T5333] ? __flush_work+0x100/0xc50
[ 84.767240][ T5333] ? __flush_work+0x100/0xc50
[ 84.767250][ T5333] ? __pfx___flush_work+0x10/0x10
[ 84.767260][ T5333] ? __pfx_wq_barrier_func+0x10/0x10
[ 84.767280][ T5333] ? __cancel_work_sync+0x5c/0x110
[ 84.767291][ T5333] __cancel_work_sync+0xbe/0x110
[ 84.767304][ T5333] l2cap_conn_del+0x402/0x5b0
[ 84.767318][ T5333] ? __pfx_l2cap_disconn_cfm+0x10/0x10
[ 84.767328][ T5333] hci_conn_hash_flush+0x10d/0x260
[ 84.767341][ T5333] hci_dev_close_sync+0x821/0x10e0
[ 84.767353][ T5333] ? __pfx_hci_dev_close_sync+0x10/0x10
[ 84.767362][ T5333] ? lockdep_hardirqs_on+0x7a/0x110
[ 84.767373][ T5333] ? enable_work+0x1fd/0x230
[ 84.767385][ T5333] hci_dev_close+0x108/0x260
[ 84.767396][ T5333] sock_do_ioctl+0x101/0x320
[ 84.767413][ T5333] ? __pfx_sock_do_ioctl+0x10/0x10
[ 84.767425][ T5333] ? __mutex_unlock_slowpath+0x1bd/0x7d0
[ 84.767441][ T5333] sock_ioctl+0x5c6/0x7f0
[ 84.767455][ T5333] ? __pfx_sock_ioctl+0x10/0x10
[ 84.767468][ T5333] ? __fget_files+0x2a/0x420
[ 84.767478][ T5333] ? __fget_files+0x3a0/0x420
[ 84.767487][ T5333] ? __fget_files+0x2a/0x420
[ 84.767497][ T5333] ? bpf_lsm_file_ioctl+0x9/0x20
[ 84.767508][ T5333] ? __pfx_sock_ioctl+0x10/0x10
[ 84.767521][ T5333] __se_sys_ioctl+0xfc/0x170
[ 84.767535][ T5333] do_syscall_64+0xe2/0xf80
[ 84.767546][ T5333] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.767556][ T5333] ? trace_irq_disable+0x37/0x100
[ 84.767567][ T5333] ? clear_bhb_loop+0x60/0xb0
[ 84.767579][ T5333] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.767589][ T5333] RIP: 0033:0x7ff11d59aeb9
[ 84.767601][ T5333] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 84.767618][ T5333] RSP: 002b:00007ff11e448028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 84.767631][ T5333] RAX: ffffffffffffffda RBX: 00007ff11d815fa0 RCX: 00007ff11d59aeb9
[ 84.767639][ T5333] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000006
[ 84.767646][ T5333] RBP: 00007ff11e448090 R08: 0000000000000000 R09: 0000000000000000
[ 84.767652][ T5333] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 84.767658][ T5333] R13: 00007ff11d816038 R14: 00007ff11d815fa0 R15: 00007fffe505f318
[ 84.767669][ T5333]
[ 84.913588][ T5308] Bluetooth: hci0: command tx timeout
[ 84.946485][ T5336] fido_id[5336]: Failed to open report descriptor at '/sys/devices/virtual/bluetooth/hci0/hci0:200/report_descriptor': No such file or directory
[ 86.989692][ T5308] Bluetooth: hci0: command tx timeout
[ 89.068916][ T5308] Bluetooth: hci0: command tx timeout