program:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7fc}, 0xe)
r1 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6)
ioctl$sock_bt_hidp_HIDPCONNADD(r1, 0x400448c8, &(0x7f0000000340)={r0, r0, 0xb, 0x0, 0x0, 0x8, 0xb6, 0x7f, 0x7, 0x801, 0x2, 0x10, 'syz0\x00'})
syz_open_dev$mouse(&(0x7f0000000040), 0x2, 0x80000)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r2, 0x400448ca, 0x0)
r3 = socket$l2tp6(0xa, 0x2, 0x73)
bind$l2tp6(r3, &(0x7f0000000100)={0xa, 0x0, 0x4, @local, 0x81, 0x1}, 0x20)
r4 = fanotify_init(0x0, 0x0)
r5 = memfd_create(&(0x7f0000000180)='-B\xd5NI\xc5j\x9appp\xf0\b\x84\xa2m\x00\v\x18\x004\xa6Ey\xdb\xd1\xa7\xb1S\xf1:)\x00\xca\xd7Uw\x00\xbc\xfa2\xb3\xbb\x8d\xac\xacva}knh#\xcf)\x0f\xc8\xc0:\x9cc\x10d\xee\xa9\x8b\x066\xb8G\xd1c\xe1$\xff\x97k\xde\xc5\xe96\xddU)\xc98M\xcd\xfb\xcc\x82n=\x7f=\xcdJx\xaa\x8f~\xb90a\xa9\xb2\x04K\x98\x93=\xabQ\xf7\x05\x1d\xa1\xce\x8b\x19\xea\xef\xe3', 0x0)
r6 = dup(r5)
fanotify_mark(r4, 0x1, 0x1029, r6, 0x0)
r7 = memfd_create(&(0x7f00000001c0)='/duv/udmabuf\x00', 0x0)
fsetxattr$trusted_overlay_origin(r7, &(0x7f0000000080), 0x0, 0x0, 0x0)
fremovexattr(r7, &(0x7f0000000000)=@known='trusted.overlay.origin\x00')
syz_open_procfs(0x0, &(0x7f00000001c0)='fd/3\x00')
r8 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$nl_generic(r8, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000001ac0)={&(0x7f0000000080)={0x18, 0x2d, 0x1, 0x70bd26, 0x25dfdbfc, {0x4}, [@nested={0x4, 0x12}]}, 0x18}}, 0x8004)
syz_init_net_socket$x25(0x9, 0x5, 0x0)
r9 = socket$qrtr(0x2a, 0x2, 0x0)
connect$qrtr(r9, &(0x7f00000000c0)={0x2a, 0xffffffff, 0xfffffffe}, 0xc)

[   85.933241][ T5328] input: Bluetooth HID Boot Protocol Device as /devices/virtual/bluetooth/hci0/hci0:200/input5
[   86.025949][ T5329] 
[   86.027089][ T5329] ======================================================
[   86.030083][ T5329] WARNING: possible circular locking dependency detected
[   86.033018][ T5329] syzkaller #0 Not tainted
[   86.034805][ T5329] ------------------------------------------------------
[   86.037741][ T5329] syz.0.0/5329 is trying to acquire lock:
[   86.040038][ T5329] ffff88803ec8b040 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0
[   86.044649][ T5329] 
[   86.044649][ T5329] but task is already holding lock:
[   86.047716][ T5329] ffff88803ec8b338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[   86.051330][ T5329] 
[   86.051330][ T5329] which lock already depends on the new lock.
[   86.051330][ T5329] 
[   86.055277][ T5329] 
[   86.055277][ T5329] the existing dependency chain (in reverse order) is:
[   86.058553][ T5329] 
[   86.058553][ T5329] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[   86.061374][ T5329]        lock_acquire+0x120/0x360
[   86.063406][ T5329]        __mutex_lock+0x187/0x1350
[   86.065761][ T5329]        l2cap_info_timeout+0x60/0xa0
[   86.068148][ T5329]        process_scheduled_works+0xae1/0x17b0
[   86.070812][ T5329]        worker_thread+0x8a0/0xda0
[   86.073080][ T5329]        kthread+0x711/0x8a0
[   86.075103][ T5329]        ret_from_fork+0x4bc/0x870
[   86.077362][ T5329]        ret_from_fork_asm+0x1a/0x30
[   86.079526][ T5329] 
[   86.079526][ T5329] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[   86.083576][ T5329]        validate_chain+0xb9b/0x2140
[   86.085879][ T5329]        __lock_acquire+0xab9/0xd20
[   86.088190][ T5329]        lock_acquire+0x120/0x360
[   86.090437][ T5329]        __flush_work+0x6b8/0xbc0
[   86.092707][ T5329]        __cancel_work_sync+0xbe/0x110
[   86.095087][ T5329]        l2cap_conn_del+0x4f0/0x680
[   86.097379][ T5329]        hci_conn_hash_flush+0x10d/0x230
[   86.099835][ T5329]        hci_dev_close_sync+0xaef/0x1330
[   86.102063][ T5329]        hci_dev_close+0x108/0x200
[   86.103695][ T5329]        sock_do_ioctl+0xdc/0x300
[   86.105324][ T5329]        sock_ioctl+0x576/0x790
[   86.107259][ T5329]        __se_sys_ioctl+0xfc/0x170
[   86.109424][ T5329]        do_syscall_64+0xfa/0xfa0
[   86.111560][ T5329]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.114340][ T5329] 
[   86.114340][ T5329] other info that might help us debug this:
[   86.114340][ T5329] 
[   86.118628][ T5329]  Possible unsafe locking scenario:
[   86.118628][ T5329] 
[   86.121434][ T5329]        CPU0                    CPU1
[   86.123539][ T5329]        ----                    ----
[   86.125841][ T5329]   lock(&conn->lock#2);
[   86.127562][ T5329]                                lock((work_completion)(&(&conn->info_timer)->work));
[   86.131118][ T5329]                                lock(&conn->lock#2);
[   86.133731][ T5329]   lock((work_completion)(&(&conn->info_timer)->work));
[   86.136488][ T5329] 
[   86.136488][ T5329]  *** DEADLOCK ***
[   86.136488][ T5329] 
[   86.140161][ T5329] 5 locks held by syz.0.0/5329:
[   86.142375][ T5329]  #0: ffff888033630dc8 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x200
[   86.146090][ T5329]  #1: ffff8880336300b8 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x66a/0x1330
[   86.149699][ T5329]  #2: ffffffff8f64b268 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x230
[   86.153528][ T5329]  #3: ffff88803ec8b338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[   86.157419][ T5329]  #4: ffffffff8e13d2e0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0
[   86.161171][ T5329] 
[   86.161171][ T5329] stack backtrace:
[   86.163547][ T5329] CPU: 0 UID: 0 PID: 5329 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   86.163560][ T5329] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   86.163568][ T5329] Call Trace:
[   86.163576][ T5329]  <TASK>
[   86.163582][ T5329]  dump_stack_lvl+0x189/0x250
[   86.163598][ T5329]  ? __pfx_dump_stack_lvl+0x10/0x10
[   86.163610][ T5329]  ? __pfx__printk+0x10/0x10
[   86.163620][ T5329]  ? print_lock_name+0xde/0x100
[   86.163631][ T5329]  print_circular_bug+0x2ee/0x310
[   86.163648][ T5329]  check_noncircular+0x134/0x160
[   86.163665][ T5329]  validate_chain+0xb9b/0x2140
[   86.163679][ T5329]  ? do_raw_spin_lock+0x121/0x290
[   86.163690][ T5329]  ? look_up_lock_class+0x74/0x170
[   86.163701][ T5329]  ? register_lock_class+0x51/0x320
[   86.163715][ T5329]  __lock_acquire+0xab9/0xd20
[   86.163729][ T5329]  ? __flush_work+0xd2/0xbc0
[   86.163746][ T5329]  lock_acquire+0x120/0x360
[   86.163758][ T5329]  ? __flush_work+0xd2/0xbc0
[   86.163768][ T5329]  ? _raw_spin_unlock_irq+0x23/0x50
[   86.163782][ T5329]  ? __flush_work+0xd2/0xbc0
[   86.163790][ T5329]  __flush_work+0x6b8/0xbc0
[   86.163798][ T5329]  ? __flush_work+0xd2/0xbc0
[   86.163807][ T5329]  ? __flush_work+0xd2/0xbc0
[   86.163817][ T5329]  ? __pfx___flush_work+0x10/0x10
[   86.163826][ T5329]  ? __pfx_wq_barrier_func+0x10/0x10
[   86.163842][ T5329]  ? __pfx___cancel_work+0x10/0x10
[   86.163851][ T5329]  ? hci_conn_drop+0x14d/0x280
[   86.163865][ T5329]  __cancel_work_sync+0xbe/0x110
[   86.163874][ T5329]  l2cap_conn_del+0x4f0/0x680
[   86.163886][ T5329]  ? __pfx_l2cap_disconn_cfm+0x10/0x10
[   86.163898][ T5329]  hci_conn_hash_flush+0x10d/0x230
[   86.163912][ T5329]  hci_dev_close_sync+0xaef/0x1330
[   86.163925][ T5329]  ? __pfx_hci_dev_close_sync+0x10/0x10
[   86.163936][ T5329]  ? do_raw_read_unlock+0x3d/0x80
[   86.163947][ T5329]  hci_dev_close+0x108/0x200
[   86.163959][ T5329]  sock_do_ioctl+0xdc/0x300
[   86.163969][ T5329]  ? __pfx_sock_do_ioctl+0x10/0x10
[   86.163982][ T5329]  sock_ioctl+0x576/0x790
[   86.163992][ T5329]  ? __pfx_sock_ioctl+0x10/0x10
[   86.164001][ T5329]  ? __fget_files+0x3a0/0x420
[   86.164013][ T5329]  ? __fget_files+0x2a/0x420
[   86.164025][ T5329]  ? bpf_lsm_file_ioctl+0x9/0x20
[   86.164039][ T5329]  ? __pfx_sock_ioctl+0x10/0x10
[   86.164047][ T5329]  __se_sys_ioctl+0xfc/0x170
[   86.164061][ T5329]  do_syscall_64+0xfa/0xfa0
[   86.164071][ T5329]  ? lockdep_hardirqs_on+0x9c/0x150
[   86.164085][ T5329]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.164094][ T5329]  ? clear_bhb_loop+0x60/0xb0
[   86.164105][ T5329]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.164115][ T5329] RIP: 0033:0x7fc762b8eec9
[   86.164125][ T5329] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   86.164133][ T5329] RSP: 002b:00007fc7639c1038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   86.164145][ T5329] RAX: ffffffffffffffda RBX: 00007fc762de6090 RCX: 00007fc762b8eec9
[   86.164153][ T5329] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000007
[   86.164160][ T5329] RBP: 00007fc762c11f91 R08: 0000000000000000 R09: 0000000000000000
[   86.164167][ T5329] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   86.164174][ T5329] R13: 00007fc762de6128 R14: 00007fc762de6090 R15: 00007ffc3ec1dc28
[   86.164187][ T5329]  </TASK>
[   86.310832][ T4666] Bluetooth: hci0: command tx timeout
[   86.342126][ T5328] ieee80211 phy5: Selected rate control algorithm 'minstrel_ht'
[   86.664751][    T9] cfg80211: failed to load regulatory.db
[   88.342469][ T4666] Bluetooth: hci0: command tx timeout
[   90.423000][ T4666] Bluetooth: hci0: command tx timeout