program:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r0, &(0x7f00000002c0)={0x1f, 0xffffffffffffffff}, 0x6)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r1, 0x400448ca, 0x0)

[ 86.876973][ T4680] Bluetooth: hci0: command tx timeout
[ 86.919413][ T785]
[ 86.920613][ T785] ======================================================
[ 86.923643][ T785] WARNING: possible circular locking dependency detected
[ 86.926712][ T785] syzkaller #0 Not tainted
[ 86.928777][ T785] ------------------------------------------------------
[ 86.931795][ T785] kworker/0:2/785 is trying to acquire lock:
[ 86.934369][ T785] ffff888035b19338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 86.938368][ T785]
[ 86.938368][ T785] but task is already holding lock:
[ 86.941568][ T785] ffffc90001b17b80 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x1770
[ 86.946687][ T785]
[ 86.946687][ T785] which lock already depends on the new lock.
[ 86.946687][ T785]
[ 86.950874][ T785]
[ 86.950874][ T785] the existing dependency chain (in reverse order) is:
[ 86.954467][ T785]
[ 86.954467][ T785] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 86.958758][ T785]        __flush_work+0x6b8/0xbc0
[ 86.961089][ T785]        __cancel_work_sync+0xbe/0x110
[ 86.963437][ T785]        l2cap_conn_del+0x402/0x5b0
[ 86.965723][ T785]        hci_conn_hash_flush+0x10d/0x260
[ 86.968166][ T785]        hci_dev_close_sync+0x821/0x1100
[ 86.970868][ T785]        hci_dev_close+0x108/0x270
[ 86.973107][ T785]        sock_do_ioctl+0xdc/0x300
[ 86.975368][ T785]        sock_ioctl+0x576/0x790
[ 86.977586][ T785]        __se_sys_ioctl+0xfc/0x170
[ 86.980576][ T785]        do_syscall_64+0xfa/0xf80
[ 86.983100][ T785]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.985944][ T785]
[ 86.985944][ T785] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 86.989156][ T785]        __lock_acquire+0x15a6/0x2cf0
[ 86.991591][ T785]        lock_acquire+0x117/0x340
[ 86.993917][ T785]        __mutex_lock+0x187/0x1350
[ 86.996289][ T785]        l2cap_info_timeout+0x60/0xa0
[ 86.998520][ T785]        process_scheduled_works+0xad1/0x1770
[ 87.001184][ T785]        worker_thread+0x8a0/0xda0
[ 87.003345][ T785]        kthread+0x711/0x8a0
[ 87.005391][ T785]        ret_from_fork+0x599/0xb30
[ 87.007663][ T785]        ret_from_fork_asm+0x1a/0x30
[ 87.009935][ T785]
[ 87.009935][ T785] other info that might help us debug this:
[ 87.009935][ T785]
[ 87.014480][ T785] Possible unsafe locking scenario:
[ 87.014480][ T785]
[ 87.017502][ T785]        CPU0                    CPU1
[ 87.019738][ T785]        ----                    ----
[ 87.021997][ T785]   lock((work_completion)(&(&conn->info_timer)->work));
[ 87.024896][ T785]                                lock(&conn->lock#2);
[ 87.027913][ T785]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 87.032072][ T785]   lock(&conn->lock#2);
[ 87.034006][ T785]
[ 87.034006][ T785]  *** DEADLOCK ***
[ 87.034006][ T785]
[ 87.037083][ T785] 2 locks held by kworker/0:2/785:
[ 87.039194][ T785]  #0: ffff88801a467548 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x1770
[ 87.043951][ T785]  #1: ffffc90001b17b80 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x1770
[ 87.049264][ T785]
[ 87.049264][ T785] stack backtrace:
[ 87.051833][ T785] CPU: 0 UID: 0 PID: 785 Comm: kworker/0:2 Not tainted syzkaller #0 PREEMPT(full)
[ 87.051849][ T785] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 87.051857][ T785] Workqueue: events l2cap_info_timeout
[ 87.051875][ T785] Call Trace:
[ 87.051883][ T785]  <TASK>
[ 87.051889][ T785]  dump_stack_lvl+0x189/0x250
[ 87.051903][ T785]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 87.051914][ T785]  ? __pfx__printk+0x10/0x10
[ 87.051929][ T785]  ? print_lock_name+0xde/0x100
[ 87.051942][ T785]  print_circular_bug+0x2e2/0x300
[ 87.051957][ T785]  check_noncircular+0x12e/0x150
[ 87.051971][ T785]  __lock_acquire+0x15a6/0x2cf0
[ 87.051985][ T785]  ? l2cap_info_timeout+0x60/0xa0
[ 87.051995][ T785]  lock_acquire+0x117/0x340
[ 87.052005][ T785]  ? l2cap_info_timeout+0x60/0xa0
[ 87.052016][ T785]  ? preempt_schedule_irq+0xde/0x150
[ 87.052031][ T785]  __mutex_lock+0x187/0x1350
[ 87.052045][ T785]  ? l2cap_info_timeout+0x60/0xa0
[ 87.052055][ T785]  ? irqentry_exit+0x5dd/0x660
[ 87.052069][ T785]  ? l2cap_info_timeout+0x60/0xa0
[ 87.052080][ T785]  ? __pfx___mutex_lock+0x10/0x10
[ 87.052097][ T785]  l2cap_info_timeout+0x60/0xa0
[ 87.052107][ T785]  ? process_scheduled_works+0x9ef/0x1770
[ 87.052117][ T785]  process_scheduled_works+0xad1/0x1770
[ 87.052133][ T785]  ? __pfx_process_scheduled_works+0x10/0x10
[ 87.052146][ T785]  worker_thread+0x8a0/0xda0
[ 87.052161][ T785]  kthread+0x711/0x8a0
[ 87.052175][ T785]  ? __pfx_worker_thread+0x10/0x10
[ 87.052185][ T785]  ? __pfx_kthread+0x10/0x10
[ 87.052197][ T785]  ? _raw_spin_unlock_irq+0x23/0x50
[ 87.052210][ T785]  ? lockdep_hardirqs_on+0x98/0x140
[ 87.052222][ T785]  ? __pfx_kthread+0x10/0x10
[ 87.052233][ T785]  ret_from_fork+0x599/0xb30
[ 87.052241][ T785]  ? __pfx_ret_from_fork+0x10/0x10
[ 87.052248][ T785]  ? __pfx_kthread+0x10/0x10
[ 87.052256][ T785]  ret_from_fork_asm+0x1a/0x30
[ 87.052267][ T785]  </TASK>
[ 88.899773][ T4680] Bluetooth: hci0: command tx timeout
[ 90.980215][ T4680] Bluetooth: hci0: command tx timeout
[ 91.869288][ T9] cfg80211: failed to load regulatory.db
[ 93.060070][ T4680] Bluetooth: hci0: command tx timeout
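The syz program at the top of the log, translated into plain C as an added example (this is not syzbot's generated reproducer and not kernel code). It decodes what the four calls do to the kernel: socket(AF_BLUETOOTH=0x1f, SOCK_RAW, BTPROTO_HCI=1), a bind to HCI_DEV_NONE (the 0xffff that syzkaller widened to 0xffffffffffffffff in a 6-byte sockaddr_hci), a second raw HCI socket, and ioctl 0x400448ca, which is HCIDEVDOWN = _IOW('H', 202, int) with device index 0 passed by value. That HCIDEVDOWN is the syscall-side leg lockdep recorded above: hci_dev_close -> hci_dev_close_sync -> hci_conn_hash_flush -> l2cap_conn_del -> cancel_work_sync on conn->info_timer, with conn->lock held, while the work's handler l2cap_info_timeout takes conn->lock. The constants are defined locally so BlueZ headers are not needed; running it needs root (CAP_NET_ADMIN) and an hci0 device such as vhci, and the log does not establish that this program alone re-triggers the splat, so treat it as the trigger for the HCIDEVDOWN path rather than a guaranteed reproducer.

```c
/*
 * Added example: the syz program from the crash log, rewritten in C.
 * Not syzbot's reproducer and not kernel source. Assumes Linux x86-64
 * (for the ioctl encoding) and an existing hci0; needs CAP_NET_ADMIN.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/socket.h>

/* Values from the kernel UAPI; defined here to avoid a BlueZ dependency. */
#define AF_BLUETOOTH_VAL 31       /* 0x1f in the syz program */
#define BTPROTO_HCI_VAL  1        /* third socket() argument, 0x1 */
#define HCI_DEV_NONE_VAL 0xffff   /* hci_dev in the bind address */

/* Linux _IOW() as laid out on x86: dir=write(1)<<30 | size<<16 | type<<8 | nr. */
#define LINUX_IOW(type, nr, size) \
    (((unsigned long)1 << 30) | ((unsigned long)(size) << 16) | \
     ((unsigned long)(type) << 8) | (unsigned long)(nr))
#define HCIDEVDOWN_VAL LINUX_IOW('H', 202, sizeof(int))  /* == 0x400448ca */

/* Same layout as the kernel's struct sockaddr_hci (6 bytes, no padding). */
struct sockaddr_hci_local {
    sa_family_t    hci_family;
    unsigned short hci_dev;
    unsigned short hci_channel;
};

/* Builds the bind address used by bind$bt_hci(); returns its length (6). */
static size_t build_hci_addr(struct sockaddr_hci_local *a,
                             unsigned short dev, unsigned short chan)
{
    memset(a, 0, sizeof *a);
    a->hci_family  = AF_BLUETOOTH_VAL;
    a->hci_dev     = dev;
    a->hci_channel = chan;
    return sizeof *a;
}

/* Returns 1 if the address bytes the kernel would see match the syz program:
 * family 0x001f, dev 0xffff, channel 0 (little-endian, as on x86). */
static int hci_addr_matches_program(void)
{
    static const unsigned char expect[6] = { 0x1f, 0x00, 0xff, 0xff, 0x00, 0x00 };
    struct sockaddr_hci_local a;
    size_t len = build_hci_addr(&a, HCI_DEV_NONE_VAL, 0);
    return len == sizeof expect && memcmp(&a, expect, sizeof expect) == 0;
}

/* The request code passed to ioctl$sock_bt_hci in the log. */
static unsigned long hci_dev_down_request(void)
{
    return HCIDEVDOWN_VAL;
}

/* Replays the four calls. Returns 0 on success, or -errno of the failing step
 * (e.g. -EPERM without CAP_NET_ADMIN, -ENODEV when hci<dev_id> is absent). */
static int run_repro(int dev_id)
{
    struct sockaddr_hci_local addr;
    int err = 0;

    int r0 = socket(AF_BLUETOOTH_VAL, SOCK_RAW, BTPROTO_HCI_VAL);
    if (r0 < 0)
        return -errno;

    build_hci_addr(&addr, HCI_DEV_NONE_VAL, 0);
    if (bind(r0, (struct sockaddr *)&addr, sizeof addr) < 0) {
        err = -errno;
        goto out_r0;
    }

    int r1 = socket(AF_BLUETOOTH_VAL, SOCK_RAW, BTPROTO_HCI_VAL);
    if (r1 < 0) {
        err = -errno;
        goto out_r0;
    }

    /* HCIDEVDOWN takes the device index by value; this is the path that
     * reaches hci_dev_close -> ... -> l2cap_conn_del in the lockdep chain. */
    if (ioctl(r1, hci_dev_down_request(), dev_id) < 0)
        err = -errno;

    close(r1);
out_r0:
    close(r0);
    return err;
}

int main(void)
{
    int rc = run_repro(0);   /* 0x0 in the syz program: hci0 */
    if (rc)
        fprintf(stderr, "repro step failed: %s\n", strerror(-rc));
    return rc ? 1 : 0;
}
```

The ioctl and bind layout are checked against the literal values in the log rather than against BlueZ headers, so a mismatch would show up as a failed assertion instead of a silently different syscall.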