program:
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r1, 0x400448ca, 0x0)
bind$bt_hci(r1, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
io_setup(0x8, &(0x7f00000002c0)=0x0)
io_submit(r2, 0x1, &(0x7f0000000340)=[&(0x7f0000000100)={0x2000000000, 0x4, 0x0, 0x1, 0x0, r1, &(0x7f0000000040)="0b01ffff51", 0x5}])
sendmsg$nl_generic(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000280)=ANY=[@ANYBLOB="300000003e000701fcfffffffddbdf25017c0000100036800c00020004000000000000000c0001800600060086dd"], 0x30}, 0x1, 0x0, 0x0, 0x800}, 0xc000)

[ 86.428682][ T4685] Bluetooth: hci0: command tx timeout
[ 86.509395][ T5333]
[ 86.510607][ T5333] ======================================================
[ 86.513612][ T5333] WARNING: possible circular locking dependency detected
[ 86.516620][ T5333] 6.16.0-rc5-syzkaller #0 Not tainted
[ 86.519008][ T5333] ------------------------------------------------------
[ 86.521809][ T5333] kworker/0:4/5333 is trying to acquire lock:
[ 86.524237][ T5333] ffff888035967b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 86.528020][ T5333]
[ 86.528020][ T5333] but task is already holding lock:
[ 86.530976][ T5333] ffffc9000d4b7bc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0
[ 86.536081][ T5333]
[ 86.536081][ T5333] which lock already depends on the new lock.
[ 86.536081][ T5333]
[ 86.540412][ T5333]
[ 86.540412][ T5333] the existing dependency chain (in reverse order) is:
[ 86.544132][ T5333]
[ 86.544132][ T5333] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 86.548533][ T5333]        lock_acquire+0x120/0x360
[ 86.550662][ T5333]        __flush_work+0x6b8/0xbc0
[ 86.552967][ T5333]        __cancel_work_sync+0xbe/0x110
[ 86.555443][ T5333]        l2cap_conn_del+0x4f0/0x680
[ 86.557841][ T5333]        hci_conn_hash_flush+0x10a/0x230
[ 86.560565][ T5333]        hci_dev_close_sync+0xaef/0x1330
[ 86.563260][ T5333]        hci_dev_close+0x108/0x200
[ 86.565586][ T5333]        sock_do_ioctl+0xdc/0x300
[ 86.567784][ T5333]        sock_ioctl+0x576/0x790
[ 86.570008][ T5333]        __se_sys_ioctl+0xf9/0x170
[ 86.572357][ T5333]        do_syscall_64+0xfa/0x3b0
[ 86.574622][ T5333]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.577480][ T5333]
[ 86.577480][ T5333] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 86.580820][ T5333]        validate_chain+0xb9b/0x2140
[ 86.583170][ T5333]        __lock_acquire+0xab9/0xd20
[ 86.585566][ T5333]        lock_acquire+0x120/0x360
[ 86.587817][ T5333]        __mutex_lock+0x182/0xe80
[ 86.590154][ T5333]        l2cap_info_timeout+0x60/0xa0
[ 86.592578][ T5333]        process_scheduled_works+0xae1/0x17b0
[ 86.595274][ T5333]        worker_thread+0x8a0/0xda0
[ 86.597618][ T5333]        kthread+0x70e/0x8a0
[ 86.599736][ T5333]        ret_from_fork+0x3fc/0x770
[ 86.602031][ T5333]        ret_from_fork_asm+0x1a/0x30
[ 86.604401][ T5333]
[ 86.604401][ T5333] other info that might help us debug this:
[ 86.604401][ T5333]
[ 86.608886][ T5333] Possible unsafe locking scenario:
[ 86.608886][ T5333]
[ 86.612112][ T5333]        CPU0                    CPU1
[ 86.614555][ T5333]        ----                    ----
[ 86.616998][ T5333]   lock((work_completion)(&(&conn->info_timer)->work));
[ 86.620132][ T5333]                                lock(&conn->lock#2);
[ 86.623107][ T5333]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 86.627254][ T5333]   lock(&conn->lock#2);
[ 86.629126][ T5333]
[ 86.629126][ T5333] *** DEADLOCK ***
[ 86.629126][ T5333]
[ 86.632721][ T5333] 2 locks held by kworker/0:4/5333:
[ 86.635112][ T5333] #0: ffff88801a474d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0
[ 86.639917][ T5333] #1: ffffc9000d4b7bc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0
[ 86.645696][ T5333]
[ 86.645696][ T5333] stack backtrace:
[ 86.648294][ T5333] CPU: 0 UID: 0 PID: 5333 Comm: kworker/0:4 Not tainted 6.16.0-rc5-syzkaller #0 PREEMPT(full)
[ 86.648310][ T5333] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 86.648347][ T5333] Workqueue: events l2cap_info_timeout
[ 86.648369][ T5333] Call Trace:
[ 86.648377][ T5333]
[ 86.648384][ T5333] dump_stack_lvl+0x189/0x250
[ 86.648402][ T5333] ? __pfx_dump_stack_lvl+0x10/0x10
[ 86.648416][ T5333] ? __pfx__printk+0x10/0x10
[ 86.648434][ T5333] ? print_lock_name+0xde/0x100
[ 86.648450][ T5333] print_circular_bug+0x2ee/0x310
[ 86.648466][ T5333] check_noncircular+0x134/0x160
[ 86.648481][ T5333] validate_chain+0xb9b/0x2140
[ 86.648496][ T5333] ? ret_from_fork_asm+0x1a/0x30
[ 86.648513][ T5333] __lock_acquire+0xab9/0xd20
[ 86.648525][ T5333] ? l2cap_info_timeout+0x60/0xa0
[ 86.648536][ T5333] lock_acquire+0x120/0x360
[ 86.648547][ T5333] ? l2cap_info_timeout+0x60/0xa0
[ 86.648563][ T5333] __mutex_lock+0x182/0xe80
[ 86.648574][ T5333] ? l2cap_info_timeout+0x60/0xa0
[ 86.648585][ T5333] ? irqentry_exit+0x74/0x90
[ 86.648595][ T5333] ? lockdep_hardirqs_on+0x9c/0x150
[ 86.648612][ T5333] ? l2cap_info_timeout+0x60/0xa0
[ 86.648625][ T5333] ? __pfx___mutex_lock+0x10/0x10
[ 86.648639][ T5333] l2cap_info_timeout+0x60/0xa0
[ 86.648652][ T5333] ? process_scheduled_works+0x9ef/0x17b0
[ 86.648666][ T5333] process_scheduled_works+0xae1/0x17b0
[ 86.648685][ T5333] ? __pfx_process_scheduled_works+0x10/0x10
[ 86.648702][ T5333] worker_thread+0x8a0/0xda0
[ 86.648715][ T5333] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 86.648734][ T5333] ? __kthread_parkme+0x7b/0x200
[ 86.648750][ T5333] kthread+0x70e/0x8a0
[ 86.648767][ T5333] ? __pfx_worker_thread+0x10/0x10
[ 86.648780][ T5333] ? __pfx_kthread+0x10/0x10
[ 86.648795][ T5333] ? _raw_spin_unlock_irq+0x23/0x50
[ 86.648811][ T5333] ? lockdep_hardirqs_on+0x9c/0x150
[ 86.648828][ T5333] ? __pfx_kthread+0x10/0x10
[ 86.648843][ T5333] ret_from_fork+0x3fc/0x770
[ 86.648857][ T5333] ? __pfx_ret_from_fork+0x10/0x10
[ 86.648871][ T5333] ? __pfx_kthread+0x10/0x10
[ 86.648887][ T5333] ret_from_fork_asm+0x1a/0x30
[ 86.648906][ T5333]
[ 86.803548][ T5349] openvswitch: netlink: Missing key (keys=40, expected=100)
[ 88.488569][ T5319] Bluetooth: hci0: command tx timeout
[ 90.569345][ T5319] Bluetooth: hci0: command tx timeout
[ 91.613478][ T54] cfg80211: failed to load regulatory.db
[ 92.648604][ T5319] Bluetooth: hci0: command tx timeout