program:
socket$nl_route(0x10, 0x3, 0x0)
syz_emit_vhci(&(0x7f0000000340)=ANY=[@ANYBLOB="02c82028002400010007d3040007c4faff020c04000300d3"], 0x2d)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)

[   87.683835][ T4679] Bluetooth: hci0: command tx timeout
[   87.717580][ T5336] 
[   87.718676][ T5336] ======================================================
[   87.721857][ T5336] WARNING: possible circular locking dependency detected
[   87.724845][ T5336] syzkaller #0 Not tainted
[   87.726855][ T5336] ------------------------------------------------------
[   87.729763][ T5336] syz.0.0/5336 is trying to acquire lock:
[   87.732170][ T5336] ffff8880114bc040 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0
[   87.737069][ T5336] 
[   87.737069][ T5336] but task is already holding lock:
[   87.740365][ T5336] ffff8880114bc338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0
[   87.744319][ T5336] 
[   87.744319][ T5336] which lock already depends on the new lock.
[   87.744319][ T5336] 
[   87.748728][ T5336] 
[   87.748728][ T5336] the existing dependency chain (in reverse order) is:
[   87.752639][ T5336] 
[   87.752639][ T5336] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[   87.755810][ T5336]        __mutex_lock+0x187/0x1350
[   87.758341][ T5336]        l2cap_info_timeout+0x60/0xa0
[   87.761218][ T5336]        process_scheduled_works+0xad1/0x1770
[   87.764017][ T5336]        worker_thread+0x8a0/0xda0
[   87.766409][ T5336]        kthread+0x711/0x8a0
[   87.768617][ T5336]        ret_from_fork+0x599/0xb30
[   87.771024][ T5336]        ret_from_fork_asm+0x1a/0x30
[   87.773388][ T5336] 
[   87.773388][ T5336] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[   87.777848][ T5336]        __lock_acquire+0x15a6/0x2cf0
[   87.780299][ T5336]        lock_acquire+0x117/0x340
[   87.782959][ T5336]        __flush_work+0x6b8/0xbc0
[   87.785216][ T5336]        __cancel_work_sync+0xbe/0x110
[   87.787643][ T5336]        l2cap_conn_del+0x402/0x5b0
[   87.789914][ T5336]        hci_conn_hash_flush+0x10d/0x260
[   87.792443][ T5336]        hci_dev_close_sync+0x821/0x1100
[   87.794929][ T5336]        hci_dev_close+0x108/0x270
[   87.797240][ T5336]        sock_do_ioctl+0xdc/0x300
[   87.799591][ T5336]        sock_ioctl+0x576/0x790
[   87.801731][ T5336]        __se_sys_ioctl+0xfc/0x170
[   87.804113][ T5336]        do_syscall_64+0xfa/0xf80
[   87.806317][ T5336]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   87.809203][ T5336] 
[   87.809203][ T5336] other info that might help us debug this:
[   87.809203][ T5336] 
[   87.813743][ T5336]  Possible unsafe locking scenario:
[   87.813743][ T5336] 
[   87.816949][ T5336]        CPU0                    CPU1
[   87.819326][ T5336]        ----                    ----
[   87.821677][ T5336]   lock(&conn->lock#2);
[   87.823525][ T5336]                                lock((work_completion)(&(&conn->info_timer)->work));
[   87.827601][ T5336]                                lock(&conn->lock#2);
[   87.830480][ T5336]   lock((work_completion)(&(&conn->info_timer)->work));
[   87.833515][ T5336] 
[   87.833515][ T5336]  *** DEADLOCK ***
[   87.833515][ T5336] 
[   87.837061][ T5336] 5 locks held by syz.0.0/5336:
[   87.839281][ T5336]  #0: ffff888041d1cec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x270
[   87.843511][ T5336]  #1: ffff888041d1c0c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0x1100
[   87.847675][ T5336]  #2: ffffffff8f6857c8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x260
[   87.852649][ T5336]  #3: ffff8880114bc338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0
[   87.856702][ T5336]  #4: ffffffff8e141a20 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0
[   87.860818][ T5336] 
[   87.860818][ T5336] stack backtrace:
[   87.863606][ T5336] CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   87.863627][ T5336] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   87.863635][ T5336] Call Trace:
[   87.863643][ T5336]  <TASK>
[   87.863649][ T5336]  dump_stack_lvl+0x189/0x250
[   87.863670][ T5336]  ? __pfx_dump_stack_lvl+0x10/0x10
[   87.863683][ T5336]  ? __pfx__printk+0x10/0x10
[   87.863700][ T5336]  ? print_lock_name+0xde/0x100
[   87.863743][ T5336]  print_circular_bug+0x2e2/0x300
[   87.863762][ T5336]  check_noncircular+0x12e/0x150
[   87.863777][ T5336]  __lock_acquire+0x15a6/0x2cf0
[   87.863791][ T5336]  ? do_raw_spin_unlock+0x4d/0x240
[   87.863808][ T5336]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   87.863826][ T5336]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   87.863841][ T5336]  ? __flush_work+0xd2/0xbc0
[   87.863849][ T5336]  lock_acquire+0x117/0x340
[   87.863856][ T5336]  ? __flush_work+0xd2/0xbc0
[   87.863865][ T5336]  ? _raw_spin_unlock_irq+0x23/0x50
[   87.863876][ T5336]  ? __flush_work+0xd2/0xbc0
[   87.863884][ T5336]  __flush_work+0x6b8/0xbc0
[   87.863894][ T5336]  ? __flush_work+0xd2/0xbc0
[   87.863906][ T5336]  ? __flush_work+0xd2/0xbc0
[   87.863917][ T5336]  ? __pfx___flush_work+0x10/0x10
[   87.863929][ T5336]  ? __pfx_wq_barrier_func+0x10/0x10
[   87.863942][ T5336]  ? __pfx___cancel_work+0x10/0x10
[   87.863956][ T5336]  ? l2cap_conn_del+0x379/0x5b0
[   87.863969][ T5336]  ? __cancel_work_sync+0x5c/0x110
[   87.863984][ T5336]  __cancel_work_sync+0xbe/0x110
[   87.864000][ T5336]  l2cap_conn_del+0x402/0x5b0
[   87.864017][ T5336]  ? __pfx_l2cap_disconn_cfm+0x10/0x10
[   87.864033][ T5336]  hci_conn_hash_flush+0x10d/0x260
[   87.864049][ T5336]  hci_dev_close_sync+0x821/0x1100
[   87.864065][ T5336]  ? __pfx_hci_dev_close_sync+0x10/0x10
[   87.864079][ T5336]  ? __cancel_work_sync+0x5c/0x110
[   87.864091][ T5336]  hci_dev_close+0x108/0x270
[   87.864106][ T5336]  sock_do_ioctl+0xdc/0x300
[   87.864121][ T5336]  ? __pfx_sock_do_ioctl+0x10/0x10
[   87.864133][ T5336]  ? do_futex+0x395/0x420
[   87.864149][ T5336]  sock_ioctl+0x576/0x790
[   87.864160][ T5336]  ? __pfx_sock_ioctl+0x10/0x10
[   87.864172][ T5336]  ? __fget_files+0x3a0/0x420
[   87.864183][ T5336]  ? __fget_files+0x2a/0x420
[   87.864196][ T5336]  ? bpf_lsm_file_ioctl+0x9/0x20
[   87.864206][ T5336]  ? __pfx_sock_ioctl+0x10/0x10
[   87.864218][ T5336]  __se_sys_ioctl+0xfc/0x170
[   87.864234][ T5336]  do_syscall_64+0xfa/0xf80
[   87.864245][ T5336]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   87.864256][ T5336]  ? clear_bhb_loop+0x60/0xb0
[   87.864269][ T5336]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   87.864280][ T5336] RIP: 0033:0x7f007698f7c9
[   87.864292][ T5336] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   87.864302][ T5336] RSP: 002b:00007f0077802038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   87.864316][ T5336] RAX: ffffffffffffffda RBX: 00007f0076be5fa0 RCX: 00007f007698f7c9
[   87.864324][ T5336] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000005
[   87.864330][ T5336] RBP: 00007f0076a13f91 R08: 0000000000000000 R09: 0000000000000000
[   87.864337][ T5336] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   87.864343][ T5336] R13: 00007f0076be6038 R14: 00007f0076be5fa0 R15: 00007ffecf938388
[   87.864364][ T5336]  </TASK>
[   89.763458][ T4679] Bluetooth: hci0: command tx timeout
[   91.706606][  T784] cfg80211: failed to load regulatory.db
[   91.844314][ T4679] Bluetooth: hci0: command tx timeout