program:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3)
connect(r0, &(0x7f0000000000)=@rc={0x1f, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x8}, 0x80)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r1, 0x400448ca, 0x0)
socket$kcm(0x2, 0x5, 0x84)
open$dir(&(0x7f0000000080)='.\x00', 0x0, 0x0)
creat(&(0x7f00000004c0)='./file0\x00', 0x124)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000000), 0x149802, 0x0)
r3 = dup(r2)
read$FUSE(r2, &(0x7f0000001900)={0x2020}, 0x19b8)
sendfile(r2, r3, 0x0, 0x80006)
socket$packet(0x11, 0x2, 0x300)
socket(0x10, 0x3, 0x0)
r4 = openat$nci(0xffffffffffffff9c, &(0x7f0000000080), 0x2, 0x0)
perf_event_open(&(0x7f0000000180)={0x2, 0x80, 0xa8, 0x3, 0x0, 0x0, 0x0, 0x5, 0x1001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1e9b, 0x1, @perf_config_ext={0x80, 0x1ff}, 0x84, 0x0, 0x0, 0x4, 0x0, 0xfffbfffd, 0x6}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
socket(0x2000000000000021, 0x2, 0x10000000000002)
openat(0xffffffffffffff9c, &(0x7f00000002c0)='./file1\x00', 0x42, 0x0)
ioctl$IOCTL_GET_NCIDEV_IDX(r4, 0x0, &(0x7f00000000c0))
syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r5 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_genetlink_get_family_id$nfc(&(0x7f0000000100), r5)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000040)={<r6=>0xffffffffffffffff, <r7=>0xffffffffffffffff})
sendmsg$inet(r7, &(0x7f0000001b00)={0x0, 0x0, 0x0, 0x0, &(0x7f0000001d80)=ANY=[@ANYBLOB="28010000000000000100000001"], 0x128}, 0x0)
recvmsg$unix(r6, &(0x7f0000000140)={0x0, 0x0, 0x0, 0x0, &(0x7f00000003c0)=[@cred={{0x1c}}, @rights={{0x14, 0x1, 0x1, [0xffffffffffffffff]}}, @cred={{0x1c}}, @cred={{0x1c}}, @rights={{0x2c, 0x1, 0x1, [0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff]}}], 0xa8}, 0x0)
socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000240)={<r8=>0xffffffffffffffff, <r9=>0xffffffffffffffff})
sendmsg$inet(r9, &(0x7f0000001b00)={0x0, 0x0, 0x0, 0x0, &(0x7f0000001d80)=ANY=[], 0x128}, 0x0)
recvmsg$unix(r8, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, &(0x7f0000000080), 0x100}, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000040)={<r10=>0xffffffffffffffff, <r11=>0xffffffffffffffff})
sendmsg$inet(r11, &(0x7f0000001b00)={0x0, 0x0, 0x0, 0x0, &(0x7f0000001d80)=ANY=[], 0x132}, 0x0)
recvmsg$unix(r10, &(0x7f0000000000)={0x0, 0x0, 0x0, 0x0, &(0x7f0000000900), 0x100}, 0x0)

[   94.088518][ T5328] 
[   94.089691][ T5328] ======================================================
[   94.092814][ T5328] WARNING: possible circular locking dependency detected
[   94.095802][ T5328] syzkaller #0 Not tainted
[   94.097750][ T5328] ------------------------------------------------------
[   94.100690][ T5328] syz.0.0/5328 is trying to acquire lock:
[   94.103387][ T5328] ffff88804217b040 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0x100/0xc50
[   94.108678][ T5328] 
[   94.108678][ T5328] but task is already holding lock:
[   94.111870][ T5328] ffff88804217b338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0
[   94.115682][ T5328] 
[   94.115682][ T5328] which lock already depends on the new lock.
[   94.115682][ T5328] 
[   94.120243][ T5328] 
[   94.120243][ T5328] the existing dependency chain (in reverse order) is:
[   94.124164][ T5328] 
[   94.124164][ T5328] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[   94.127450][ T5328]        __mutex_lock+0x19f/0x1300
[   94.129661][ T5328]        l2cap_info_timeout+0x60/0xa0
[   94.132073][ T5328]        process_scheduled_works+0xaec/0x17a0
[   94.134596][ T5328]        worker_thread+0xda6/0x1360
[   94.136753][ T5328]        kthread+0x726/0x8b0
[   94.138769][ T5328]        ret_from_fork+0x51b/0xa40
[   94.140889][ T5328]        ret_from_fork_asm+0x1a/0x30
[   94.143282][ T5328] 
[   94.143282][ T5328] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[   94.147939][ T5328]        __lock_acquire+0x15a5/0x2cf0
[   94.150282][ T5328]        lock_acquire+0x106/0x330
[   94.152469][ T5328]        __flush_work+0x700/0xc50
[   94.154729][ T5328]        __cancel_work_sync+0xbe/0x110
[   94.157095][ T5328]        l2cap_conn_del+0x402/0x5b0
[   94.159459][ T5328]        hci_conn_hash_flush+0x10d/0x260
[   94.162029][ T5328]        hci_dev_close_sync+0x821/0x10e0
[   94.164579][ T5328]        hci_dev_close+0x108/0x260
[   94.166890][ T5328]        sock_do_ioctl+0x101/0x320
[   94.169305][ T5328]        sock_ioctl+0x5c6/0x7f0
[   94.171427][ T5328]        __se_sys_ioctl+0xfc/0x170
[   94.173759][ T5328]        do_syscall_64+0xe2/0xf80
[   94.175926][ T5328]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   94.178574][ T5328] 
[   94.178574][ T5328] other info that might help us debug this:
[   94.178574][ T5328] 
[   94.182701][ T5328]  Possible unsafe locking scenario:
[   94.182701][ T5328] 
[   94.185704][ T5328]        CPU0                    CPU1
[   94.188127][ T5328]        ----                    ----
[   94.190323][ T5328]   lock(&conn->lock#2);
[   94.192128][ T5328]                                lock((work_completion)(&(&conn->info_timer)->work));
[   94.195968][ T5328]                                lock(&conn->lock#2);
[   94.198831][ T5328]   lock((work_completion)(&(&conn->info_timer)->work));
[   94.201758][ T5328] 
[   94.201758][ T5328]  *** DEADLOCK ***
[   94.201758][ T5328] 
[   94.205024][ T5328] 5 locks held by syz.0.0/5328:
[   94.207174][ T5328]  #0: ffff888012840ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x260
[   94.211074][ T5328]  #1: ffff8880128400c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0x10e0
[   94.215048][ T5328]  #2: ffffffff8fb3b268 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x260
[   94.219198][ T5328]  #3: ffff88804217b338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0
[   94.222986][ T5328]  #4: ffffffff8e55a360 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x100/0xc50
[   94.226788][ T5328] 
[   94.226788][ T5328] stack backtrace:
[   94.229225][ T5328] CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   94.229243][ T5328] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   94.229252][ T5328] Call Trace:
[   94.229261][ T5328]  <TASK>
[   94.229267][ T5328]  dump_stack_lvl+0xe8/0x150
[   94.229291][ T5328]  print_circular_bug+0x2e1/0x300
[   94.229305][ T5328]  check_noncircular+0x12e/0x150
[   94.229319][ T5328]  __lock_acquire+0x15a5/0x2cf0
[   94.229337][ T5328]  ? do_raw_spin_lock+0x12b/0x2f0
[   94.229351][ T5328]  ? __flush_work+0x100/0xc50
[   94.229363][ T5328]  lock_acquire+0x106/0x330
[   94.229378][ T5328]  ? __flush_work+0x100/0xc50
[   94.229390][ T5328]  ? __flush_work+0x100/0xc50
[   94.229400][ T5328]  __flush_work+0x700/0xc50
[   94.229409][ T5328]  ? __flush_work+0x100/0xc50
[   94.229418][ T5328]  ? __flush_work+0x100/0xc50
[   94.229429][ T5328]  ? __pfx___flush_work+0x10/0x10
[   94.229438][ T5328]  ? __pfx_wq_barrier_func+0x10/0x10
[   94.229457][ T5328]  ? __cancel_work_sync+0x5c/0x110
[   94.229468][ T5328]  __cancel_work_sync+0xbe/0x110
[   94.229480][ T5328]  l2cap_conn_del+0x402/0x5b0
[   94.229491][ T5328]  ? __pfx_l2cap_disconn_cfm+0x10/0x10
[   94.229501][ T5328]  hci_conn_hash_flush+0x10d/0x260
[   94.229514][ T5328]  hci_dev_close_sync+0x821/0x10e0
[   94.229525][ T5328]  ? __pfx_hci_dev_close_sync+0x10/0x10
[   94.229536][ T5328]  ? lockdep_hardirqs_on+0x7a/0x110
[   94.229546][ T5328]  ? enable_work+0x1fd/0x230
[   94.229557][ T5328]  hci_dev_close+0x108/0x260
[   94.229568][ T5328]  sock_do_ioctl+0x101/0x320
[   94.229582][ T5328]  ? __pfx_sock_do_ioctl+0x10/0x10
[   94.229595][ T5328]  ? do_futex+0x333/0x420
[   94.229612][ T5328]  sock_ioctl+0x5c6/0x7f0
[   94.229625][ T5328]  ? __pfx_sock_ioctl+0x10/0x10
[   94.229637][ T5328]  ? __fget_files+0x2a/0x420
[   94.229647][ T5328]  ? __fget_files+0x3a0/0x420
[   94.229655][ T5328]  ? __fget_files+0x2a/0x420
[   94.229664][ T5328]  ? bpf_lsm_file_ioctl+0x9/0x20
[   94.229676][ T5328]  ? __pfx_sock_ioctl+0x10/0x10
[   94.229688][ T5328]  __se_sys_ioctl+0xfc/0x170
[   94.229701][ T5328]  do_syscall_64+0xe2/0xf80
[   94.229711][ T5328]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   94.229751][ T5328]  ? trace_irq_disable+0x37/0x100
[   94.229764][ T5328]  ? clear_bhb_loop+0x60/0xb0
[   94.229776][ T5328]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   94.229787][ T5328] RIP: 0033:0x7fd090f9aeb9
[   94.229798][ T5328] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[   94.229808][ T5328] RSP: 002b:00007fd091e11028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   94.229821][ T5328] RAX: ffffffffffffffda RBX: 00007fd091216090 RCX: 00007fd090f9aeb9
[   94.229830][ T5328] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000005
[   94.229844][ T5328] RBP: 00007fd091008c1f R08: 0000000000000000 R09: 0000000000000000
[   94.229850][ T5328] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   94.229857][ T5328] R13: 00007fd091216128 R14: 00007fd091216090 R15: 00007ffcdcbff7b8
[   94.229869][ T5328]  </TASK>
[   94.359247][ T4669] Bluetooth: hci0: command tx timeout
[   96.399668][ T4669] Bluetooth: hci0: command tx timeout
[   98.479853][ T4669] Bluetooth: hci0: command tx timeout