program:
r0 = gettid()
openat$snapshot(0xffffffffffffff9c, &(0x7f0000000500), 0x0, 0x0)
bpf$PROG_LOAD_XDP(0x5, &(0x7f00000001c0)={0x12, 0x4, &(0x7f0000000080)=@framed={{0x18, 0x0, 0x0, 0x0, 0x4}, [@call={0x85, 0x0, 0x0, 0x31}]}, &(0x7f0000000040)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x14}, 0x94)
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc))
r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r1, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe)
r2 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6)
ioctl$sock_bt_hidp_HIDPCONNADD(r2, 0x400448c8, &(0x7f0000000340)={r1, r1, 0x8, 0x0, 0x0, 0xb, 0x1, 0x15c2, 0xfff9, 0x3, 0x0, 0x8, 'syz0\x00'})
timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)

[   77.060379][ T5302] Bluetooth: hci0: command tx timeout
[   77.081999][ T1313] ieee802154 phy0 wpan0: encryption failed: -22
[   77.106323][ T1313] ieee802154 phy1 wpan1: encryption failed: -22
[   77.430545][ T5325] input: Bluetooth HID Boot Protocol Device as /devices/virtual/bluetooth/hci0/hci0:200/input5
[   77.508914][ T5324] Bluetooth: hci0: Opcode 0x0c1a failed: -4
[   77.519257][ T5324] Bluetooth: hci0: Opcode 0x0406 failed: -4
[   77.632150][ T5324] 
[   77.641746][ T5324] ======================================================
[   77.657376][ T5324] WARNING: possible circular locking dependency detected
[   77.661426][ T5324] syzkaller #0 Not tainted
[   77.664657][ T5324] ------------------------------------------------------
[   77.688704][ T5324] syz.0.0/5324 is trying to acquire lock:
[   77.693808][ T5324] ffff888042f35840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0
[   77.714694][ T5324] 
[   77.714694][ T5324] but task is already holding lock:
[   77.719141][ T5324] ffff888042f35b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[   77.741865][ T5324] 
[   77.741865][ T5324] which lock already depends on the new lock.
[   77.741865][ T5324] 
[   77.746318][ T5324] 
[   77.746318][ T5324] the existing dependency chain (in reverse order) is:
[   77.752114][ T5324] 
[   77.752114][ T5324] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[   77.757715][ T5324]        lock_acquire+0x120/0x360
[   77.760531][ T5324]        __mutex_lock+0x187/0x1350
[   77.765168][ T5324]        l2cap_info_timeout+0x60/0xa0
[   77.768735][ T5324]        process_scheduled_works+0xae1/0x17b0
[   77.773397][ T5324]        worker_thread+0x8a0/0xda0
[   77.777288][ T5324]        kthread+0x711/0x8a0
[   77.779965][ T5324]        ret_from_fork+0x4bc/0x870
[   77.785414][ T5324]        ret_from_fork_asm+0x1a/0x30
[   77.816144][ T5324] 
[   77.816144][ T5324] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[   77.820311][ T5324]        validate_chain+0xb9b/0x2140
[   77.822479][ T5324]        __lock_acquire+0xab9/0xd20
[   77.833310][ T5324]        lock_acquire+0x120/0x360
[   77.839061][ T5324]        __flush_work+0x6b8/0xbc0
[   77.843214][ T5324]        __cancel_work_sync+0xbe/0x110
[   77.845545][ T5324]        l2cap_conn_del+0x4f0/0x680
[   77.847684][ T5324]        l2cap_connect_cfm+0x11d/0x1040
[   77.849929][ T5324]        hci_conn_failed+0x1ce/0x310
[   77.853594][ T5324]        hci_abort_conn_sync+0x658/0xe30
[   77.857593][ T5324]        hci_disconnect_all_sync+0x1b5/0x350
[   77.861807][ T5324]        hci_suspend_sync+0x3fc/0xc60
[   77.867147][ T5324]        hci_suspend_dev+0x28d/0x4d0
[   77.871492][ T5324]        hci_suspend_notifier+0xf2/0x290
[   77.874777][ T5324]        notifier_call_chain+0x1b6/0x3e0
[   77.878041][ T5324]        blocking_notifier_call_chain_robust+0x85/0x100
[   77.883433][ T5324]        pm_notifier_call_chain_robust+0x2c/0x60
[   77.897216][ T5324]        snapshot_open+0x19c/0x280
[   77.900230][ T5324]        misc_open+0x2d5/0x350
[   77.904352][ T5324]        chrdev_open+0x4cc/0x5e0
[   77.907253][ T5324]        do_dentry_open+0x953/0x13f0
[   77.923936][ T5324]        vfs_open+0x3b/0x340
[   77.946902][ T5324]        path_openat+0x2ee5/0x3830
[   77.949061][ T5324]        do_filp_open+0x1fa/0x410
[   77.951097][ T5324]        do_sys_openat2+0x121/0x1c0
[   77.953277][ T5324]        __x64_sys_openat+0x138/0x170
[   77.956105][ T5324]        do_syscall_64+0xfa/0xfa0
[   77.958980][ T5324]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   77.962077][ T5324] 
[   77.962077][ T5324] other info that might help us debug this:
[   77.962077][ T5324] 
[   77.971787][ T5324]  Possible unsafe locking scenario:
[   77.971787][ T5324] 
[   77.995480][ T5324]        CPU0                    CPU1
[   78.006063][ T5324]        ----                    ----
[   78.008596][ T5324]   lock(&conn->lock#2);
[   78.012864][ T5324]                                lock((work_completion)(&(&conn->info_timer)->work));
[   78.028340][ T5324]                                lock(&conn->lock#2);
[   78.031829][ T5324]   lock((work_completion)(&(&conn->info_timer)->work));
[   78.035707][ T5324] 
[   78.035707][ T5324]  *** DEADLOCK ***
[   78.035707][ T5324] 
[   78.039920][ T5324] 8 locks held by syz.0.0/5324:
[   78.042087][ T5324]  #0: ffffffff8e7776a8 (misc_mtx){+.+.}-{4:4}, at: misc_open+0x51/0x350
[   78.055237][ T5324]  #1: ffffffff8dded268 (system_transition_mutex){+.+.}-{4:4}, at: lock_system_sleep+0x4a/0x70
[   78.067447][ T5324]  #2: ffffffff8de10970 ((pm_chain_head).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain_robust+0x65/0x100
[   78.072056][ T5324]  #3: ffff88803a7c0dc8 (&hdev->req_lock){+.+.}-{4:4}, at: hci_suspend_dev+0x285/0x4d0
[   78.077638][ T5324]  #4: ffff88803a7c00b8 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x242/0xe30
[   78.083451][ T5324]  #5: ffffffff8f437f28 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_failed+0x165/0x310
[   78.087477][ T5324]  #6: ffff888042f35b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[   78.091245][ T5324]  #7: ffffffff8df3d6e0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0
[   78.096905][ T5324] 
[   78.096905][ T5324] stack backtrace:
[   78.102802][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   78.102865][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   78.102880][ T5324] Call Trace:
[   78.102929][ T5324]  <TASK>
[   78.102937][ T5324]  dump_stack_lvl+0x189/0x250
[   78.102997][ T5324]  ? __pfx_dump_stack_lvl+0x10/0x10
[   78.103015][ T5324]  ? __pfx__printk+0x10/0x10
[   78.103028][ T5324]  ? print_lock_name+0xde/0x100
[   78.103083][ T5324]  print_circular_bug+0x2ee/0x310
[   78.103099][ T5324]  check_noncircular+0x134/0x160
[   78.103155][ T5324]  validate_chain+0xb9b/0x2140
[   78.103169][ T5324]  ? do_raw_spin_lock+0x121/0x290
[   78.103228][ T5324]  ? look_up_lock_class+0x74/0x170
[   78.103285][ T5324]  ? register_lock_class+0x51/0x320
[   78.103298][ T5324]  __lock_acquire+0xab9/0xd20
[   78.103312][ T5324]  ? __flush_work+0xd2/0xbc0
[   78.103325][ T5324]  lock_acquire+0x120/0x360
[   78.103379][ T5324]  ? __flush_work+0xd2/0xbc0
[   78.103395][ T5324]  ? _raw_spin_unlock_irq+0x23/0x50
[   78.103452][ T5324]  ? __flush_work+0xd2/0xbc0
[   78.103465][ T5324]  __flush_work+0x6b8/0xbc0
[   78.103521][ T5324]  ? __flush_work+0xd2/0xbc0
[   78.103535][ T5324]  ? __flush_work+0xd2/0xbc0
[   78.103590][ T5324]  ? __pfx___flush_work+0x10/0x10
[   78.103602][ T5324]  ? __pfx_wq_barrier_func+0x10/0x10
[   78.103655][ T5324]  ? __pfx___cancel_work+0x10/0x10
[   78.103671][ T5324]  ? hci_conn_drop+0x14d/0x280
[   78.103683][ T5324]  __cancel_work_sync+0xbe/0x110
[   78.103739][ T5324]  l2cap_conn_del+0x4f0/0x680
[   78.103794][ T5324]  l2cap_connect_cfm+0x11d/0x1040
[   78.103813][ T5324]  ? __pfx_l2cap_connect_cfm+0x10/0x10
[   78.103875][ T5324]  ? __pfx_l2cap_connect_cfm+0x10/0x10
[   78.103890][ T5324]  hci_conn_failed+0x1ce/0x310
[   78.103947][ T5324]  ? hci_abort_conn_sync+0x24e/0xe30
[   78.103964][ T5324]  hci_abort_conn_sync+0x658/0xe30
[   78.104022][ T5324]  ? __lock_acquire+0xab9/0xd20
[   78.104035][ T5324]  ? __pfx_hci_abort_conn_sync+0x10/0x10
[   78.104093][ T5324]  ? hci_disconnect_all_sync+0x2e/0x350
[   78.104160][ T5324]  ? hci_disconnect_all_sync+0x2e/0x350
[   78.104177][ T5324]  ? hci_disconnect_all_sync+0x2e/0x350
[   78.104232][ T5324]  hci_disconnect_all_sync+0x1b5/0x350
[   78.104248][ T5324]  hci_suspend_sync+0x3fc/0xc60
[   78.104311][ T5324]  ? __pfx___mutex_lock+0x10/0x10
[   78.104367][ T5324]  ? enable_work+0x258/0x2c0
[   78.104382][ T5324]  ? __pfx_hci_suspend_sync+0x10/0x10
[   78.104578][ T5324]  ? mgmt_pending_find+0x152/0x170
[   78.104599][ T5324]  ? hci_cmd_sync_cancel_sync+0xc9/0x190
[   78.104657][ T5324]  hci_suspend_dev+0x28d/0x4d0
[   78.104719][ T5324]  ? __pfx_hci_suspend_dev+0x10/0x10
[   78.104733][ T5324]  ? rcu_barrier+0x474/0x570
[   78.104790][ T5324]  hci_suspend_notifier+0xf2/0x290
[   78.104806][ T5324]  notifier_call_chain+0x1b6/0x3e0
[   78.104888][ T5324]  blocking_notifier_call_chain_robust+0x85/0x100
[   78.104904][ T5324]  pm_notifier_call_chain_robust+0x2c/0x60
[   78.104916][ T5324]  snapshot_open+0x19c/0x280
[   78.104971][ T5324]  ? __pfx_snapshot_open+0x10/0x10
[   78.104982][ T5324]  misc_open+0x2d5/0x350
[   78.104995][ T5324]  chrdev_open+0x4cc/0x5e0
[   78.105064][ T5324]  ? __pfx_chrdev_open+0x10/0x10
[   78.105121][ T5324]  ? fsnotify_open_perm_and_set_mode+0x113/0x610
[   78.105210][ T5324]  ? __pfx_chrdev_open+0x10/0x10
[   78.105340][ T5324]  do_dentry_open+0x953/0x13f0
[   78.105469][ T5324]  vfs_open+0x3b/0x340
[   78.105534][ T5324]  ? path_openat+0x2ecd/0x3830
[   78.105606][ T5324]  path_openat+0x2ee5/0x3830
[   78.105803][ T5324]  ? __pfx_path_openat+0x10/0x10
[   78.105822][ T5324]  do_filp_open+0x1fa/0x410
[   78.105881][ T5324]  ? __lock_acquire+0xab9/0xd20
[   78.105892][ T5324]  ? __pfx_do_filp_open+0x10/0x10
[   78.105956][ T5324]  ? _raw_spin_unlock+0x28/0x50
[   78.105973][ T5324]  ? alloc_fd+0x64c/0x6c0
[   78.106033][ T5324]  do_sys_openat2+0x121/0x1c0
[   78.106045][ T5324]  ? __pfx_do_sys_openat2+0x10/0x10
[   78.106105][ T5324]  ? rcu_is_watching+0x15/0xb0
[   78.106182][ T5324]  __x64_sys_openat+0x138/0x170
[   78.106198][ T5324]  do_syscall_64+0xfa/0xfa0
[   78.106217][ T5324]  ? lockdep_hardirqs_on+0x9c/0x150
[   78.106233][ T5324]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   78.106243][ T5324]  ? clear_bhb_loop+0x60/0xb0
[   78.106256][ T5324]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   78.106268][ T5324] RIP: 0033:0x7fc520d8f6c9
[   78.106280][ T5324] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   78.106290][ T5324] RSP: 002b:00007fc521cab038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[   78.106303][ T5324] RAX: ffffffffffffffda RBX: 00007fc520fe5fa0 RCX: 00007fc520d8f6c9
[   78.106312][ T5324] RDX: 0000000000000000 RSI: 0000200000000500 RDI: ffffffffffffff9c
[   78.106318][ T5324] RBP: 00007fc520e11f91 R08: 0000000000000000 R09: 0000000000000000
[   78.106325][ T5324] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   78.106330][ T5324] R13: 00007fc520fe6038 R14: 00007fc520fe5fa0 R15: 00007ffd228c7ac8
[   78.106348][ T5324]  </TASK>
[   79.439778][ T4667] Bluetooth: hci0: command 0x040f tx timeout
[   81.520605][ T4667] Bluetooth: hci0: command 0x040f tx timeout
[   83.600256][ T4667] Bluetooth: hci0: command 0x040f tx timeout