program:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r0, 0x400448ca, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
socket$key(0xf, 0x3, 0x2)
close(0x3)
bind$bt_hci(r1, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r1, &(0x7f0000000040)="09000000010001ff15c231a9932463fb33abf28faa00a57a6cbe3dd9fe7b4f91a1ba1572956f51d8c8", 0x29)

[ 103.583715][ T5309] Bluetooth: hci0: command tx timeout
[ 103.589068][ T9]
[ 103.590379][ T9] ======================================================
[ 103.594979][ T9] WARNING: possible circular locking dependency detected
[ 103.599049][ T9] syzkaller #0 Not tainted
[ 103.601040][ T9] ------------------------------------------------------
[ 103.603856][ T9] kworker/0:0/9 is trying to acquire lock:
[ 103.606554][ T9] ffff8880360832f8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 103.618798][ T9]
[ 103.618798][ T9] but task is already holding lock:
[ 103.623258][ T9] ffffc9000022fc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0
[ 103.629121][ T9]
[ 103.629121][ T9] which lock already depends on the new lock.
[ 103.629121][ T9]
[ 103.634278][ T9]
[ 103.634278][ T9] the existing dependency chain (in reverse order) is:
[ 103.638412][ T9]
[ 103.638412][ T9] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 103.643840][ T9]        __flush_work+0x700/0xc50
[ 103.646394][ T9]        __cancel_work_sync+0xbe/0x110
[ 103.648899][ T9]        l2cap_conn_del+0x40f/0x5c0
[ 103.651185][ T9]        hci_conn_hash_flush+0x10d/0x260
[ 103.653883][ T9]        hci_dev_close_sync+0x821/0x10e0
[ 103.656345][ T9]        hci_dev_close+0x108/0x260
[ 103.658736][ T9]        sock_do_ioctl+0x101/0x320
[ 103.661799][ T9]        sock_ioctl+0x5c6/0x7f0
[ 103.665020][ T9]        __se_sys_ioctl+0xfc/0x170
[ 103.667229][ T9]        do_syscall_64+0x14d/0xf80
[ 103.669737][ T9]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 103.672313][ T9]
[ 103.672313][ T9] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 103.675348][ T9]        __lock_acquire+0x15a5/0x2cf0
[ 103.677738][ T9]        lock_acquire+0xf0/0x2e0
[ 103.680367][ T9]        __mutex_lock+0x19f/0x1300
[ 103.683732][ T9]        l2cap_info_timeout+0x60/0xa0
[ 103.686586][ T9]        process_scheduled_works+0xb6e/0x18c0
[ 103.689579][ T9]        worker_thread+0xa53/0xfc0
[ 103.691822][ T9]        kthread+0x388/0x470
[ 103.693845][ T9]        ret_from_fork+0x51e/0xb90
[ 103.695978][ T9]        ret_from_fork_asm+0x1a/0x30
[ 103.698433][ T9]
[ 103.698433][ T9] other info that might help us debug this:
[ 103.698433][ T9]
[ 103.703305][ T9]  Possible unsafe locking scenario:
[ 103.703305][ T9]
[ 103.706444][ T9]        CPU0                    CPU1
[ 103.708791][ T9]        ----                    ----
[ 103.711060][ T9]   lock((work_completion)(&(&conn->info_timer)->work));
[ 103.714371][ T9]                                lock(&conn->lock#2);
[ 103.718262][ T9]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 103.722890][ T9]   lock(&conn->lock#2);
[ 103.724843][ T9]
[ 103.724843][ T9]  *** DEADLOCK ***
[ 103.724843][ T9]
[ 103.728294][ T9] 2 locks held by kworker/0:0/9:
[ 103.730714][ T9]  #0: ffff88801aca6948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0
[ 103.737200][ T9]  #1: ffffc9000022fc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0
[ 103.743480][ T9]
[ 103.743480][ T9] stack backtrace:
[ 103.746133][ T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted syzkaller #0 PREEMPT(full)
[ 103.746149][ T9] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 103.746158][ T9] Workqueue: events l2cap_info_timeout
[ 103.746183][ T9] Call Trace:
[ 103.746197][ T9]
[ 103.746204][ T9]  dump_stack_lvl+0xe8/0x150
[ 103.746223][ T9]  print_circular_bug+0x2e1/0x300
[ 103.746243][ T9]  check_noncircular+0x12e/0x150
[ 103.746261][ T9]  __lock_acquire+0x15a5/0x2cf0
[ 103.746278][ T9]  ? arch_stack_walk+0x11b/0x150
[ 103.746331][ T9]  ? ret_from_fork_asm+0x1a/0x30
[ 103.746349][ T9]  lock_acquire+0xf0/0x2e0
[ 103.746362][ T9]  ? l2cap_info_timeout+0x60/0xa0
[ 103.746378][ T9]  __mutex_lock+0x19f/0x1300
[ 103.746391][ T9]  ? l2cap_info_timeout+0x60/0xa0
[ 103.746405][ T9]  ? lockdep_unlock+0x5d/0xd0
[ 103.746416][ T9]  ? __lock_acquire+0x146e/0x2cf0
[ 103.746436][ T9]  ? l2cap_info_timeout+0x60/0xa0
[ 103.746451][ T9]  ? __pfx___mutex_lock+0x10/0x10
[ 103.746464][ T9]  ? preempt_schedule_thunk+0x16/0x30
[ 103.746478][ T9]  l2cap_info_timeout+0x60/0xa0
[ 103.746492][ T9]  ? process_scheduled_works+0xa8d/0x18c0
[ 103.746507][ T9]  process_scheduled_works+0xb6e/0x18c0
[ 103.746528][ T9]  ? __pfx_process_scheduled_works+0x10/0x10
[ 103.746543][ T9]  ? assign_work+0x3d5/0x5e0
[ 103.746558][ T9]  worker_thread+0xa53/0xfc0
[ 103.746578][ T9]  kthread+0x388/0x470
[ 103.746589][ T9]  ? __pfx_worker_thread+0x10/0x10
[ 103.746603][ T9]  ? __pfx_kthread+0x10/0x10
[ 103.746613][ T9]  ret_from_fork+0x51e/0xb90
[ 103.746629][ T9]  ? __pfx_ret_from_fork+0x10/0x10
[ 103.746643][ T9]  ? __switch_to+0xc7d/0x1450
[ 103.746655][ T9]  ? __pfx_kthread+0x10/0x10
[ 103.746665][ T9]  ret_from_fork_asm+0x1a/0x30
[ 103.746685][ T9]
[ 105.623717][ T5309] Bluetooth: hci0: command tx timeout
[ 107.703708][ T5309] Bluetooth: hci0: command tx timeout
[ 109.783761][ T5309] Bluetooth: hci0: command tx timeout