program:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
syz_emit_vhci(&(0x7f0000000200)=ANY=[@ANYBLOB="0587"], 0xa)

[ 89.175981][ T4659] Bluetooth: hci0: command tx timeout
[ 89.219434][ T53]
[ 89.220609][ T53] ======================================================
[ 89.223777][ T53] WARNING: possible circular locking dependency detected
[ 89.226817][ T53] syzkaller #0 Not tainted
[ 89.228844][ T53] ------------------------------------------------------
[ 89.232072][ T53] kworker/0:2/53 is trying to acquire lock:
[ 89.234764][ T53] ffff888039f3aaf8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 89.240580][ T53]
[ 89.240580][ T53] but task is already holding lock:
[ 89.243793][ T53] ffffc90000af7c40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa0f/0x17a0
[ 89.249397][ T53]
[ 89.249397][ T53] which lock already depends on the new lock.
[ 89.249397][ T53]
[ 89.253925][ T53]
[ 89.253925][ T53] the existing dependency chain (in reverse order) is:
[ 89.257944][ T53]
[ 89.257944][ T53] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 89.262563][ T53]        __flush_work+0x700/0xc50
[ 89.264855][ T53]        __cancel_work_sync+0xbe/0x110
[ 89.267185][ T53]        l2cap_conn_del+0x40f/0x5c0
[ 89.269555][ T53]        hci_conn_hash_flush+0x10d/0x260
[ 89.271946][ T53]        hci_dev_close_sync+0x821/0x10e0
[ 89.274393][ T53]        hci_dev_close+0x108/0x260
[ 89.276802][ T53]        sock_do_ioctl+0x101/0x320
[ 89.278974][ T53]        sock_ioctl+0x5c6/0x7f0
[ 89.281145][ T53]        __se_sys_ioctl+0xfc/0x170
[ 89.283468][ T53]        do_syscall_64+0x14d/0xf80
[ 89.285803][ T53]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 89.288745][ T53]
[ 89.288745][ T53] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 89.292143][ T53]        __lock_acquire+0x15a5/0x2cf0
[ 89.294581][ T53]        lock_acquire+0x106/0x330
[ 89.296798][ T53]        __mutex_lock+0x19f/0x1300
[ 89.299036][ T53]        l2cap_info_timeout+0x60/0xa0
[ 89.301495][ T53]        process_scheduled_works+0xaec/0x17a0
[ 89.304083][ T53]        worker_thread+0xa50/0xfc0
[ 89.306319][ T53]        kthread+0x388/0x470
[ 89.308421][ T53]        ret_from_fork+0x51e/0xb90
[ 89.310783][ T53]        ret_from_fork_asm+0x1a/0x30
[ 89.313205][ T53]
[ 89.313205][ T53] other info that might help us debug this:
[ 89.313205][ T53]
[ 89.317443][ T53]  Possible unsafe locking scenario:
[ 89.317443][ T53]
[ 89.320856][ T53]        CPU0                    CPU1
[ 89.323209][ T53]        ----                    ----
[ 89.325585][ T53]   lock((work_completion)(&(&conn->info_timer)->work));
[ 89.328678][ T53]                                lock(&conn->lock#2);
[ 89.332195][ T53]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 89.336037][ T53]   lock(&conn->lock#2);
[ 89.337686][ T53]
[ 89.337686][ T53]  *** DEADLOCK ***
[ 89.337686][ T53]
[ 89.340782][ T53] 2 locks held by kworker/0:2/53:
[ 89.342661][ T53]  #0: ffff88801a8aad48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9d4/0x17a0
[ 89.346706][ T53]  #1: ffffc90000af7c40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa0f/0x17a0
[ 89.352057][ T53]
[ 89.352057][ T53] stack backtrace:
[ 89.354566][ T53] CPU: 0 UID: 0 PID: 53 Comm: kworker/0:2 Not tainted syzkaller #0 PREEMPT(full)
[ 89.354581][ T53] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 89.354589][ T53] Workqueue: events l2cap_info_timeout
[ 89.354611][ T53] Call Trace:
[ 89.354618][ T53]
[ 89.354624][ T53]  dump_stack_lvl+0xe8/0x150
[ 89.354638][ T53]  print_circular_bug+0x2e1/0x300
[ 89.354653][ T53]  check_noncircular+0x12e/0x150
[ 89.354670][ T53]  __lock_acquire+0x15a5/0x2cf0
[ 89.354683][ T53]  ? __schedule+0x1592/0x52b0
[ 89.354695][ T53]  ? l2cap_info_timeout+0x60/0xa0
[ 89.354709][ T53]  lock_acquire+0x106/0x330
[ 89.354721][ T53]  ? l2cap_info_timeout+0x60/0xa0
[ 89.354738][ T53]  __mutex_lock+0x19f/0x1300
[ 89.354749][ T53]  ? l2cap_info_timeout+0x60/0xa0
[ 89.354764][ T53]  ? irqentry_exit+0x59e/0x620
[ 89.354776][ T53]  ? lockdep_hardirqs_on+0x7a/0x110
[ 89.354788][ T53]  ? l2cap_info_timeout+0x60/0xa0
[ 89.354802][ T53]  ? irqentry_exit+0x59e/0x620
[ 89.354814][ T53]  ? __pfx___mutex_lock+0x10/0x10
[ 89.354827][ T53]  ? lock_acquire+0x221/0x330
[ 89.354837][ T53]  l2cap_info_timeout+0x60/0xa0
[ 89.354850][ T53]  ? process_scheduled_works+0xa0f/0x17a0
[ 89.354862][ T53]  process_scheduled_works+0xaec/0x17a0
[ 89.354880][ T53]  ? __pfx_process_scheduled_works+0x10/0x10
[ 89.354894][ T53]  ? assign_work+0x3d5/0x5e0
[ 89.354905][ T53]  worker_thread+0xa50/0xfc0
[ 89.354923][ T53]  kthread+0x388/0x470
[ 89.354936][ T53]  ? __pfx_worker_thread+0x10/0x10
[ 89.354947][ T53]  ? __pfx_kthread+0x10/0x10
[ 89.354960][ T53]  ret_from_fork+0x51e/0xb90
[ 89.354972][ T53]  ? __pfx_ret_from_fork+0x10/0x10
[ 89.354982][ T53]  ? __switch_to+0xc7d/0x1400
[ 89.354991][ T53]  ? __pfx_kthread+0x10/0x10
[ 89.355003][ T53]  ret_from_fork_asm+0x1a/0x30
[ 89.355019][ T53]
[ 91.241316][ T45] Bluetooth: hci0: command tx timeout
[ 92.051196][ T9] cfg80211: failed to load regulatory.db
[ 93.321475][ T45] Bluetooth: hci0: command tx timeout
[ 95.401353][ T45] Bluetooth: hci0: command tx timeout