program:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r0, 0x400448ca, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r1, &(0x7f0000000340)="07000000010000", 0x7)

[ 85.900221][ T5296] Bluetooth: hci0: command tx timeout
[ 85.908495][ T1230]
[ 85.909964][ T1230] ======================================================
[ 85.917140][ T1230] WARNING: possible circular locking dependency detected
[ 85.921510][ T1230] syzkaller #0 Not tainted
[ 85.923545][ T1230] ------------------------------------------------------
[ 85.926631][ T1230] kworker/0:3/1230 is trying to acquire lock:
[ 85.929240][ T1230] ffff888044e36af8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 85.933487][ T1230]
[ 85.933487][ T1230] but task is already holding lock:
[ 85.936723][ T1230] ffffc90001d2fc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa25/0x1830
[ 85.941963][ T1230]
[ 85.941963][ T1230] which lock already depends on the new lock.
[ 85.941963][ T1230]
[ 85.946532][ T1230]
[ 85.946532][ T1230] the existing dependency chain (in reverse order) is:
[ 85.950802][ T1230]
[ 85.950802][ T1230] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 85.955835][ T1230]        __flush_work+0x700/0xc50
[ 85.958216][ T1230]        __cancel_work_sync+0xbe/0x110
[ 85.960497][ T1230]        l2cap_conn_del+0x40f/0x5c0
[ 85.962791][ T1230]        hci_conn_hash_flush+0x10d/0x260
[ 85.965323][ T1230]        hci_dev_close_sync+0x821/0x10e0
[ 85.967766][ T1230]        hci_dev_close+0x108/0x260
[ 85.970107][ T1230]        sock_do_ioctl+0x101/0x320
[ 85.972430][ T1230]        sock_ioctl+0x5c6/0x7f0
[ 85.974690][ T1230]        __se_sys_ioctl+0xfc/0x170
[ 85.977042][ T1230]        do_syscall_64+0x14d/0xf80
[ 85.979364][ T1230]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.982255][ T1230]
[ 85.982255][ T1230] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 85.985677][ T1230]        __lock_acquire+0x15a5/0x2cf0
[ 85.988135][ T1230]        lock_acquire+0xf0/0x2e0
[ 85.990393][ T1230]        __mutex_lock+0x19f/0x1300
[ 85.992656][ T1230]        l2cap_info_timeout+0x60/0xa0
[ 85.995110][ T1230]        process_scheduled_works+0xb02/0x1830
[ 85.997826][ T1230]        worker_thread+0xa50/0xfc0
[ 86.000113][ T1230]        kthread+0x388/0x470
[ 86.002166][ T1230]        ret_from_fork+0x51e/0xb90
[ 86.004500][ T1230]        ret_from_fork_asm+0x1a/0x30
[ 86.006900][ T1230]
[ 86.006900][ T1230] other info that might help us debug this:
[ 86.006900][ T1230]
[ 86.011511][ T1230]  Possible unsafe locking scenario:
[ 86.011511][ T1230]
[ 86.014781][ T1230]        CPU0                    CPU1
[ 86.017246][ T1230]        ----                    ----
[ 86.019591][ T1230]   lock((work_completion)(&(&conn->info_timer)->work));
[ 86.022669][ T1230]                                lock(&conn->lock#2);
[ 86.025807][ T1230]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 86.030047][ T1230]   lock(&conn->lock#2);
[ 86.031950][ T1230]
[ 86.031950][ T1230]  *** DEADLOCK ***
[ 86.031950][ T1230]
[ 86.035565][ T1230] 2 locks held by kworker/0:3/1230:
[ 86.037839][ T1230]  #0: ffff88801a8aad48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9ea/0x1830
[ 86.042461][ T1230]  #1: ffffc90001d2fc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa25/0x1830
[ 86.048115][ T1230]
[ 86.048115][ T1230] stack backtrace:
[ 86.050783][ T1230] CPU: 0 UID: 0 PID: 1230 Comm: kworker/0:3 Not tainted syzkaller #0 PREEMPT(full)
[ 86.050798][ T1230] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 86.050805][ T1230] Workqueue: events l2cap_info_timeout
[ 86.050869][ T1230] Call Trace:
[ 86.050876][ T1230]
[ 86.050881][ T1230]  dump_stack_lvl+0xe8/0x150
[ 86.050897][ T1230]  print_circular_bug+0x2e1/0x300
[ 86.050913][ T1230]  check_noncircular+0x12e/0x150
[ 86.050928][ T1230]  __lock_acquire+0x15a5/0x2cf0
[ 86.050942][ T1230]  ? __schedule+0x159b/0x5340
[ 86.050958][ T1230]  ? arch_stack_walk+0x11b/0x150
[ 86.050973][ T1230]  ? ret_from_fork_asm+0x1a/0x30
[ 86.050988][ T1230]  lock_acquire+0xf0/0x2e0
[ 86.051000][ T1230]  ? l2cap_info_timeout+0x60/0xa0
[ 86.051014][ T1230]  __mutex_lock+0x19f/0x1300
[ 86.051024][ T1230]  ? l2cap_info_timeout+0x60/0xa0
[ 86.051046][ T1230]  ? irqentry_exit+0x59e/0x620
[ 86.051055][ T1230]  ? lockdep_hardirqs_on+0x7a/0x110
[ 86.051063][ T1230]  ? l2cap_info_timeout+0x60/0xa0
[ 86.051074][ T1230]  ? irqentry_exit+0x59e/0x620
[ 86.051082][ T1230]  ? trace_irq_disable+0x3b/0x150
[ 86.051096][ T1230]  ? __pfx___mutex_lock+0x10/0x10
[ 86.051108][ T1230]  ? lock_acquire+0x20b/0x2e0
[ 86.051121][ T1230]  l2cap_info_timeout+0x60/0xa0
[ 86.051132][ T1230]  ? process_scheduled_works+0xa25/0x1830
[ 86.051143][ T1230]  process_scheduled_works+0xb02/0x1830
[ 86.051161][ T1230]  ? __pfx_process_scheduled_works+0x10/0x10
[ 86.051174][ T1230]  ? assign_work+0x3d5/0x5e0
[ 86.051187][ T1230]  worker_thread+0xa50/0xfc0
[ 86.051203][ T1230]  kthread+0x388/0x470
[ 86.051212][ T1230]  ? __pfx_worker_thread+0x10/0x10
[ 86.051224][ T1230]  ? __pfx_kthread+0x10/0x10
[ 86.051232][ T1230]  ret_from_fork+0x51e/0xb90
[ 86.051246][ T1230]  ? __pfx_ret_from_fork+0x10/0x10
[ 86.051259][ T1230]  ? __switch_to+0xc7d/0x1450
[ 86.051271][ T1230]  ? __pfx_kthread+0x10/0x10
[ 86.051280][ T1230]  ret_from_fork_asm+0x1a/0x30
[ 86.051298][ T1230]
[ 86.149989][ T5320] Bluetooth: MGMT ver 1.23
[ 87.938005][ T5296] Bluetooth: hci0: command tx timeout
[ 90.018447][ T5296] Bluetooth: hci0: command tx timeout
[ 91.948094][ T54] cfg80211: failed to load regulatory.db