program:
r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000340)={0x11, 0xc, 0x0, &(0x7f0000000880)='GPL\x00', 0x0, 0x0, 0x0, 0x40f00, 0x0, '\x00', 0x0, @fallback=0x4, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94)
bpf$OBJ_GET_PROG(0x7, &(0x7f0000000040)=@o_path={&(0x7f0000000000)='./file0\x00', 0x0, 0x0, r0}, 0x18)
sendmsg$RDMA_NLDEV_CMD_DELLINK(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f00000015c0)=ANY=[@ANYRESHEX, @ANYRESOCT], 0x18}, 0x1, 0x0, 0x0, 0x671ec167a4b32125}, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
socket$kcm(0x10, 0x2, 0x0)
setsockopt$SO_ATTACH_FILTER(r1, 0x1, 0x1a, &(0x7f0000000080)={0x1, &(0x7f0000000040)=[{0x6}]}, 0x10)
bind$bt_hci(r1, &(0x7f0000000140)={0x1f, 0xffff, 0x2}, 0x6)
bind$alg(0xffffffffffffffff, 0x0, 0x0)
accept4(0xffffffffffffffff, 0x0, 0x0, 0x0)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0)
syz_emit_ethernet(0x4e, &(0x7f0000000180)={@local, @remote, @void, {@ipv4={0x800, @tcp={{0xb, 0x4, 0x0, 0x0, 0x40, 0x0, 0x0, 0x0, 0x5, 0x0, @dev, @private=0xa010100, {[@timestamp_addr={0x44, 0x14, 0x5, 0x3, 0x0, [{@empty}, {@rand_addr=0x64010101}]}, @generic={0x89, 0x2}]}}, {{0x0, 0x0, 0x41424344, 0x41424344, 0x0, 0x6, 0x5, 0x20, 0xfff7}}}}}}, 0x0)

[ 108.825551][ T5310] Bluetooth: hci0: command tx timeout
[ 108.851373][ T10]
[ 108.853726][ T10] ======================================================
[ 108.857517][ T10] WARNING: possible circular locking dependency detected
[ 108.861176][ T10] syzkaller #0 Not tainted
[ 108.863726][ T10] ------------------------------------------------------
[ 108.866970][ T10] kworker/0:1/10 is trying to acquire lock:
[ 108.869862][ T10] ffff8880416af2f8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 108.876105][ T10]
[ 108.876105][ T10] but task is already holding lock:
[ 108.880311][ T10] ffffc9000023fc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0
[ 108.887356][ T10]
[ 108.887356][ T10] which lock already depends on the new lock.
[ 108.887356][ T10]
[ 108.892971][ T10]
[ 108.892971][ T10] the existing dependency chain (in reverse order) is:
[ 108.897750][ T10]
[ 108.897750][ T10] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 108.902576][ T10]        __flush_work+0x700/0xc50
[ 108.905002][ T10]        __cancel_work_sync+0xbe/0x110
[ 108.907877][ T10]        l2cap_conn_del+0x40f/0x5c0
[ 108.910473][ T10]        hci_conn_hash_flush+0x10d/0x260
[ 108.912908][ T10]        hci_dev_close_sync+0x821/0x10e0
[ 108.915438][ T10]        hci_dev_close+0x108/0x260
[ 108.917962][ T10]        sock_do_ioctl+0x101/0x320
[ 108.920321][ T10]        sock_ioctl+0x5c6/0x7f0
[ 108.922518][ T10]        __se_sys_ioctl+0xfc/0x170
[ 108.924818][ T10]        do_syscall_64+0x14d/0xf80
[ 108.927496][ T10]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 108.930592][ T10]
[ 108.930592][ T10] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 108.934039][ T10]        __lock_acquire+0x15a5/0x2cf0
[ 108.936809][ T10]        lock_acquire+0xf0/0x2e0
[ 108.939389][ T10]        __mutex_lock+0x19f/0x1300
[ 108.942077][ T10]        l2cap_info_timeout+0x60/0xa0
[ 108.944471][ T10]        process_scheduled_works+0xb6e/0x18c0
[ 108.947325][ T10]        worker_thread+0xa53/0xfc0
[ 108.949975][ T10]        kthread+0x388/0x470
[ 108.952371][ T10]        ret_from_fork+0x51e/0xb90
[ 108.954862][ T10]        ret_from_fork_asm+0x1a/0x30
[ 108.957469][ T10]
[ 108.957469][ T10] other info that might help us debug this:
[ 108.957469][ T10]
[ 108.962685][ T10]  Possible unsafe locking scenario:
[ 108.962685][ T10]
[ 108.966151][ T10]        CPU0                    CPU1
[ 108.968690][ T10]        ----                    ----
[ 108.971606][ T10]   lock((work_completion)(&(&conn->info_timer)->work));
[ 108.975336][ T10]                                lock(&conn->lock#2);
[ 108.978761][ T10]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 108.983110][ T10]   lock(&conn->lock#2);
[ 108.984794][ T10]
[ 108.984794][ T10]  *** DEADLOCK ***
[ 108.984794][ T10]
[ 108.987923][ T10] 2 locks held by kworker/0:1/10:
[ 108.990356][ T10]  #0: ffff88801aca6948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0
[ 108.995405][ T10]  #1: ffffc9000023fc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0
[ 109.001176][ T10]
[ 109.001176][ T10] stack backtrace:
[ 109.004002][ T10] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted syzkaller #0 PREEMPT(full)
[ 109.004020][ T10] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 109.004030][ T10] Workqueue: events l2cap_info_timeout
[ 109.004063][ T10] Call Trace:
[ 109.004075][ T10]  <TASK>
[ 109.004082][ T10]  dump_stack_lvl+0xe8/0x150
[ 109.004100][ T10]  print_circular_bug+0x2e1/0x300
[ 109.004116][ T10]  check_noncircular+0x12e/0x150
[ 109.004132][ T10]  __lock_acquire+0x15a5/0x2cf0
[ 109.004146][ T10]  ? __schedule+0x15f3/0x52d0
[ 109.004158][ T10]  ? ret_from_fork_asm+0x1a/0x30
[ 109.004175][ T10]  lock_acquire+0xf0/0x2e0
[ 109.004186][ T10]  ? l2cap_info_timeout+0x60/0xa0
[ 109.004196][ T10]  __mutex_lock+0x19f/0x1300
[ 109.004204][ T10]  ? l2cap_info_timeout+0x60/0xa0
[ 109.004213][ T10]  ? irqentry_exit+0x59e/0x620
[ 109.004220][ T10]  ? lockdep_hardirqs_on+0x7a/0x110
[ 109.004226][ T10]  ? l2cap_info_timeout+0x60/0xa0
[ 109.004234][ T10]  ? irqentry_exit+0x59e/0x620
[ 109.004240][ T10]  ? trace_irq_disable+0x3b/0x150
[ 109.004248][ T10]  ? __pfx___mutex_lock+0x10/0x10
[ 109.004256][ T10]  ? lock_acquire+0x20b/0x2e0
[ 109.004264][ T10]  l2cap_info_timeout+0x60/0xa0
[ 109.004273][ T10]  ? process_scheduled_works+0xa8d/0x18c0
[ 109.004284][ T10]  process_scheduled_works+0xb6e/0x18c0
[ 109.004296][ T10]  ? __pfx_process_scheduled_works+0x10/0x10
[ 109.004305][ T10]  ? assign_work+0x3d5/0x5e0
[ 109.004313][ T10]  worker_thread+0xa53/0xfc0
[ 109.004326][ T10]  kthread+0x388/0x470
[ 109.004336][ T10]  ? __pfx_worker_thread+0x10/0x10
[ 109.004346][ T10]  ? __pfx_kthread+0x10/0x10
[ 109.004354][ T10]  ret_from_fork+0x51e/0xb90
[ 109.004368][ T10]  ? __pfx_ret_from_fork+0x10/0x10
[ 109.004379][ T10]  ? __switch_to+0xc7d/0x1450
[ 109.004390][ T10]  ? __pfx_kthread+0x10/0x10
[ 109.004396][ T10]  ret_from_fork_asm+0x1a/0x30
[ 109.004408][ T10]  </TASK>
[ 110.854341][ T5310] Bluetooth: hci0: command tx timeout
[ 112.934725][ T5310] Bluetooth: hci0: command tx timeout
[ 115.014282][ T5310] Bluetooth: hci0: command tx timeout
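What the report above records is a lock-order inversion between the L2CAP connection mutex and the completion of the connection's info_timer work, not an observed hang: lockdep raises "possible circular locking dependency" the moment the second edge of the cycle is seen. Chain #1 is the HCI device close path (the reproducer's ioctl request 0x400448ca decodes to _IOW('H', 202, int), i.e. HCIDEVDOWN, whatever syzkaller labels it), where l2cap_conn_del holds conn->lock and then waits in __cancel_work_sync/__flush_work for the info_timer work to finish. Chain #0 is that very work, l2cap_info_timeout, calling mutex_lock(&conn->lock) from the events workqueue. If the work is running when the close path starts waiting, each side waits for the other. The following is an added example, not code from the report, from syzkaller or from the kernel: a toy lockdep-style dependency tracker that replays the two chains with the lock names from the report and finds the cycle the same way check_noncircular() does in spirit. The second replay, in which the close path does not hold conn->lock while waiting, is a hypothetical ordering used to show which edge closes the cycle; it is not the upstream fix.

```c
/*
 * Added example, not code from the report, syzkaller or the kernel: a toy
 * lockdep-style dependency tracker that replays the two chains in the
 * report above and detects the &conn->lock#2 <-> info_timer work cycle.
 * Lock names and the replay order come from the report; the "unlocked
 * cancel" replay is a hypothetical ordering, not the upstream fix.
 */
#include <stdio.h>
#include <string.h>

enum lock_id {
    LOCK_CONN_LOCK,        /* &conn->lock#2 (a mutex, class {4:4}) */
    LOCK_INFO_TIMER_WORK,  /* (work_completion)(&(&conn->info_timer)->work) */
    LOCK_WQ_EVENTS,        /* (wq_completion)events */
    NLOCKS
};

static const char *lock_name[NLOCKS] = {
    "&conn->lock#2",
    "(work_completion)(&(&conn->info_timer)->work)",
    "(wq_completion)events",
};

/* dep[a][b] != 0 records "b was acquired while a was held" (edge a -> b). */
static unsigned char dep[NLOCKS][NLOCKS];

static void lockdep_reset(void)
{
    memset(dep, 0, sizeof dep);
}

/* Depth-first search over recorded edges: is there a path from -> ... -> to? */
static int path_exists(int from, int to, unsigned char *seen)
{
    if (from == to)
        return 1;
    if (seen[from])
        return 0;
    seen[from] = 1;
    for (int n = 0; n < NLOCKS; n++)
        if (dep[from][n] && path_exists(n, to, seen))
            return 1;
    return 0;
}

/*
 * Model of lock_acquire() -> check_noncircular(): taking 'acq' while 'held'
 * is held. Returns 1 if the new edge held -> acq would close a cycle (acq
 * already reaches held through recorded edges), which is what the kernel
 * prints as "possible circular locking dependency"; 0 if the edge is recorded.
 */
static int lockdep_acquire(int held, int acq)
{
    unsigned char seen[NLOCKS] = {0};

    if (path_exists(acq, held, seen)) {
        printf("circular dependency: %s -> %s -> ... -> %s\n",
               lock_name[held], lock_name[acq], lock_name[held]);
        return 1;
    }
    dep[held][acq] = 1;
    return 0;
}

/* Replays the report's chains; returns 1 when the cycle is found. */
static int replay_report(void)
{
    lockdep_reset();

    /* -> #1: hci_dev_close -> hci_conn_hash_flush -> l2cap_conn_del holds
     * conn->lock, then waits in __cancel_work_sync/__flush_work for the
     * info_timer work: edge conn->lock -> work_completion is recorded. */
    if (lockdep_acquire(LOCK_CONN_LOCK, LOCK_INFO_TIMER_WORK))
        return -1;

    /* "2 locks held by kworker/0:1/10": the worker holds (wq_completion)events,
     * then the work_completion pseudo-lock of the work it is running. */
    if (lockdep_acquire(LOCK_WQ_EVENTS, LOCK_INFO_TIMER_WORK))
        return -1;

    /* -> #0: l2cap_info_timeout runs as that work and calls
     * mutex_lock(&conn->lock): work_completion -> conn->lock closes the cycle. */
    return lockdep_acquire(LOCK_INFO_TIMER_WORK, LOCK_CONN_LOCK);
}

/*
 * Hypothetical ordering (an assumption for illustration, not the upstream
 * fix): if the close path did not hold conn->lock while waiting for the
 * work, no conn->lock -> work_completion edge would exist and the work's
 * own mutex_lock(&conn->lock) would not close a cycle. Returns 0.
 */
static int replay_unlocked_cancel(void)
{
    lockdep_reset();
    if (lockdep_acquire(LOCK_WQ_EVENTS, LOCK_INFO_TIMER_WORK))
        return -1;
    return lockdep_acquire(LOCK_INFO_TIMER_WORK, LOCK_CONN_LOCK);
}

int main(void)
{
    printf("report replay: %s\n",
           replay_report() == 1 ? "cycle detected (as lockdep did)" : "no cycle");
    printf("unlocked-cancel replay: %s\n",
           replay_unlocked_cancel() == 0 ? "no cycle" : "cycle");
    return 0;
}
```

The tracker only knows the three lock classes named in the report, so it reproduces exactly the two-node cycle lockdep printed under "Possible unsafe locking scenario". The general shape to look for when triaging reports like this one is a cancel_work_sync()/flush_work() call made while holding a lock that the work function itself takes; whether the right remedy for this report is to drop the lock before the wait, to use a non-synchronous cancel with the work checking for a dead connection, or something else is for the fix to decide, and nothing in the report settles it.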