program:

bind$inet(0xffffffffffffffff, &(0x7f00000000c0)={0x2, 0x4e24, @multicast2}, 0x10)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
write$binfmt_misc(r0, &(0x7f00000000c0), 0x4)

[ 86.870691][ T4680] Bluetooth: hci0: command tx timeout
[ 86.912550][ T785]
[ 86.913737][ T785] ======================================================
[ 86.916847][ T785] WARNING: possible circular locking dependency detected
[ 86.920123][ T785] syzkaller #0 Not tainted
[ 86.922221][ T785] ------------------------------------------------------
[ 86.925502][ T785] kworker/0:2/785 is trying to acquire lock:
[ 86.928234][ T785] ffff888035b19338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 86.932452][ T785]
[ 86.932452][ T785] but task is already holding lock:
[ 86.935688][ T785] ffffc90001b17b80 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x1770
[ 86.941565][ T785]
[ 86.941565][ T785] which lock already depends on the new lock.
[ 86.941565][ T785]
[ 86.946162][ T785]
[ 86.946162][ T785] the existing dependency chain (in reverse order) is:
[ 86.950387][ T785]
[ 86.950387][ T785] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 86.954860][ T785]        __flush_work+0x6b8/0xbc0
[ 86.957276][ T785]        __cancel_work_sync+0xbe/0x110
[ 86.959747][ T785]        l2cap_conn_del+0x402/0x5b0
[ 86.962179][ T785]        hci_conn_hash_flush+0x10d/0x260
[ 86.964738][ T785]        hci_dev_close_sync+0x821/0x1100
[ 86.967171][ T785]        hci_dev_close+0x108/0x270
[ 86.969348][ T785]        sock_do_ioctl+0xdc/0x300
[ 86.971513][ T785]        sock_ioctl+0x576/0x790
[ 86.973695][ T785]        __se_sys_ioctl+0xfc/0x170
[ 86.976162][ T785]        do_syscall_64+0xfa/0xf80
[ 86.978475][ T785]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.981394][ T785]
[ 86.981394][ T785] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 86.984848][ T785]        __lock_acquire+0x15a6/0x2cf0
[ 86.987369][ T785]        lock_acquire+0x117/0x340
[ 86.989544][ T785]        __mutex_lock+0x187/0x1350
[ 86.991726][ T785]        l2cap_info_timeout+0x60/0xa0
[ 86.994046][ T785]        process_scheduled_works+0xad1/0x1770
[ 86.996516][ T785]        worker_thread+0x8a0/0xda0
[ 86.998591][ T785]        kthread+0x711/0x8a0
[ 87.000776][ T785]        ret_from_fork+0x599/0xb30
[ 87.003430][ T785]        ret_from_fork_asm+0x1a/0x30
[ 87.006231][ T785]
[ 87.006231][ T785] other info that might help us debug this:
[ 87.006231][ T785]
[ 87.011375][ T785]  Possible unsafe locking scenario:
[ 87.011375][ T785]
[ 87.014791][ T785]        CPU0                    CPU1
[ 87.017206][ T785]        ----                    ----
[ 87.019647][ T785]   lock((work_completion)(&(&conn->info_timer)->work));
[ 87.022846][ T785]                                lock(&conn->lock#2);
[ 87.025969][ T785]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 87.030241][ T785]   lock(&conn->lock#2);
[ 87.032200][ T785]
[ 87.032200][ T785]  *** DEADLOCK ***
[ 87.032200][ T785]
[ 87.035877][ T785] 2 locks held by kworker/0:2/785:
[ 87.038184][ T785]  #0: ffff88801a467548 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x1770
[ 87.043172][ T785]  #1: ffffc90001b17b80 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x1770
[ 87.048999][ T785]
[ 87.048999][ T785] stack backtrace:
[ 87.051767][ T785] CPU: 0 UID: 0 PID: 785 Comm: kworker/0:2 Not tainted syzkaller #0 PREEMPT(full)
[ 87.051781][ T785] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 87.051788][ T785] Workqueue: events l2cap_info_timeout
[ 87.051808][ T785] Call Trace:
[ 87.051816][ T785]
[ 87.051821][ T785]  dump_stack_lvl+0x189/0x250
[ 87.051841][ T785]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 87.051853][ T785]  ? __pfx__printk+0x10/0x10
[ 87.051868][ T785]  ? print_lock_name+0xde/0x100
[ 87.051881][ T785]  print_circular_bug+0x2e2/0x300
[ 87.051894][ T785]  check_noncircular+0x12e/0x150
[ 87.051907][ T785]  __lock_acquire+0x15a6/0x2cf0
[ 87.051922][ T785]  ? l2cap_info_timeout+0x60/0xa0
[ 87.051932][ T785]  lock_acquire+0x117/0x340
[ 87.051945][ T785]  ? l2cap_info_timeout+0x60/0xa0
[ 87.051955][ T785]  ? preempt_schedule_irq+0xde/0x150
[ 87.051970][ T785]  __mutex_lock+0x187/0x1350
[ 87.051983][ T785]  ? l2cap_info_timeout+0x60/0xa0
[ 87.051992][ T785]  ? irqentry_exit+0x5dd/0x660
[ 87.052008][ T785]  ? l2cap_info_timeout+0x60/0xa0
[ 87.052018][ T785]  ? __pfx___mutex_lock+0x10/0x10
[ 87.052039][ T785]  l2cap_info_timeout+0x60/0xa0
[ 87.052049][ T785]  ? process_scheduled_works+0x9ef/0x1770
[ 87.052063][ T785]  process_scheduled_works+0xad1/0x1770
[ 87.052082][ T785]  ? __pfx_process_scheduled_works+0x10/0x10
[ 87.052094][ T785]  worker_thread+0x8a0/0xda0
[ 87.052110][ T785]  kthread+0x711/0x8a0
[ 87.052122][ T785]  ? __pfx_worker_thread+0x10/0x10
[ 87.052164][ T785]  ? __pfx_kthread+0x10/0x10
[ 87.052176][ T785]  ? _raw_spin_unlock_irq+0x23/0x50
[ 87.052187][ T785]  ? lockdep_hardirqs_on+0x98/0x140
[ 87.052200][ T785]  ? __pfx_kthread+0x10/0x10
[ 87.052212][ T785]  ret_from_fork+0x599/0xb30
[ 87.052228][ T785]  ? __pfx_ret_from_fork+0x10/0x10
[ 87.052239][ T785]  ? __pfx_kthread+0x10/0x10
[ 87.052251][ T785]  ret_from_fork_asm+0x1a/0x30
[ 87.052267][ T785]
[ 88.899724][ T4680] Bluetooth: hci0: command tx timeout
[ 90.979892][ T4680] Bluetooth: hci0: command tx timeout
[ 91.869590][ T9] cfg80211: failed to load regulatory.db
[ 93.059715][ T4680] Bluetooth: hci0: command tx timeout
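The report above is lockdep's lock-order graph detecting an AB-BA inversion: in the -> #1 chain, l2cap_conn_del() holds conn->lock and calls cancel_work_sync() on the info_timer work (lockdep models waiting for a work item as acquiring its work_completion pseudo-lock); in the -> #0 chain, the same work handler, l2cap_info_timeout(), runs with that pseudo-lock held and takes conn->lock. The following userspace C program is an added example, not part of the syzkaller report or of the kernel: it replays those two acquisition orders through a minimal model of lockdep's dependency graph (an edge from every held lock to the lock being acquired, cycle check on each new edge) and reports the circular dependency the kernel reported. The lock names are copied from the report; the task labels and the graph implementation are this example's own simplification, not kernel code.

```c
/*
 * Added example (not from the report or the kernel): a tiny model of how
 * lockdep finds a "possible circular locking dependency". Each acquisition
 * records an edge held_lock -> new_lock; an edge whose reverse path already
 * exists closes a cycle, i.e. a possible AB-BA deadlock.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOCKS 16
#define MAX_HELD  16

static const char *lock_names[MAX_LOCKS];
static int nlocks;
/* order[a][b] is true once lock a has been held while lock b was acquired. */
static bool order[MAX_LOCKS][MAX_LOCKS];

static void reset_graph(void)
{
    memset(order, 0, sizeof(order));
    nlocks = 0;
}

static int lock_id(const char *name)
{
    for (int i = 0; i < nlocks; i++)
        if (strcmp(lock_names[i], name) == 0)
            return i;
    lock_names[nlocks] = name;
    return nlocks++;
}

/* Depth-first search over recorded orderings: does src reach dst? */
static bool reaches(int src, int dst, bool *visited)
{
    if (src == dst)
        return true;
    visited[src] = true;
    for (int n = 0; n < nlocks; n++)
        if (order[src][n] && !visited[n] && reaches(n, dst, visited))
            return true;
    return false;
}

struct task {
    const char *name;   /* label for the printout only (example's own) */
    int held[MAX_HELD];
    int nheld;
};

/*
 * Record "task takes `name` while holding everything in task->held".
 * Returns true if the new edge closes a cycle with edges already recorded,
 * lockdep's "which lock already depends on the new lock" case.
 */
static bool acquire(struct task *t, const char *name)
{
    int l = lock_id(name);
    bool cycle = false;

    for (int i = 0; i < t->nheld; i++) {
        int h = t->held[i];
        bool visited[MAX_LOCKS] = { 0 };

        /* A new edge h -> l is circular iff l already reaches h. */
        if (reaches(l, h, visited)) {
            printf("%s: takes %s while holding %s, but %s already depends on %s\n",
                   t->name, name, lock_names[h], lock_names[h], name);
            cycle = true;
        }
        order[h][l] = true;
    }
    t->held[t->nheld++] = l;
    return cycle;
}

static void release(struct task *t)
{
    if (t->nheld > 0)
        t->nheld--;
}

/* Replay the two orderings from the report's "Possible unsafe locking scenario". */
static bool replay_report(void)
{
    const char *conn_lock = "&conn->lock#2";
    const char *info_work = "(work_completion)(&(&conn->info_timer)->work)";
    struct task ioctl_task = { .name = "ioctl -> hci_dev_close -> l2cap_conn_del" };
    struct task worker = { .name = "kworker -> l2cap_info_timeout" };

    reset_graph();

    /* -> #1: conn->lock held, then cancel_work_sync(&conn->info_timer) waits for the work. */
    bool first = acquire(&ioctl_task, conn_lock);
    first |= acquire(&ioctl_task, info_work);
    release(&ioctl_task);
    release(&ioctl_task);

    /* -> #0: the work runs (pseudo-lock held), then the handler takes conn->lock. */
    bool second = acquire(&worker, info_work);
    second |= acquire(&worker, conn_lock);

    /* The first ordering is harmless on its own; the second closes the cycle. */
    return !first && second;
}

int main(void)
{
    return replay_report() ? 0 : 1;
}
```

The first task's ordering (mutex, then wait for the work) is only recorded; the warning fires when the worker takes the mutex, because the mutex already "depends on" the work completion. That is why lockdep can flag this before any actual hang: the two orders need never interleave in the fuzzing run, only both be observed once. The usual fix for this pattern is to drop the mutex before cancel_work_sync(), or to have the work handler avoid the mutex the cancelling path holds; which of those applies here is not decided by the report.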