program:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
io_setup(0x8, &(0x7f00000002c0)=<r1=>0x0)
bpf$MAP_CREATE(0x0, &(0x7f0000000640)=ANY=[@ANYBLOB="1800000000000000000000000000000021090400", @ANYRES32, @ANYBLOB='\x00'/20, @ANYRES32=0x0, @ANYRES32, @ANYBLOB="00000000008bab285d3100"/28], 0x50)
r2 = syz_init_net_socket$ax25(0x3, 0x2, 0x0)
setsockopt$ax25_int(r2, 0x101, 0xc, &(0x7f0000000080)=0x10000, 0x4)
connect$ax25(r2, &(0x7f0000000100)={{0x3, @bcast, 0x4}, [@rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}]}, 0x48)
io_submit(r1, 0x1, &(0x7f0000000340)=[&(0x7f0000000140)={0x2000000000, 0x4, 0x0, 0x1, 0x0, r0, &(0x7f0000000180)="2c2442e6f7", 0x5}])
r3 = openat$null(0xffffffffffffff9c, &(0x7f0000000040), 0x100, 0x0)
sendmsg$NL80211_CMD_RELOAD_REGDB(r3, &(0x7f00000001c0)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x20000000}, 0xc, &(0x7f0000000180)={&(0x7f0000000100)={0x14, 0x0, 0x2, 0x70bd2d, 0x25dfdbfb, {}, ["", ""]}, 0x14}, 0x1, 0x0, 0x0, 0x40000}, 0x40000)
r4 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r4, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000400)={&(0x7f00000002c0)=ANY=[@ANYBLOB="3c000000100001002abd70000000000000000000", @ANYRES32=0x0, @ANYBLOB="802100000000000014000300626176655f310000080004000e0400"/36], 0x3c}}, 0x0)
r5 = syz_init_net_socket$bt_rfcomm(0x1f, 0x1, 0x3)
r6 = socket$netlink(0x10, 0x3, 0x0)
ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000180)={'geneve0\x00', <r7=>0x0})
sendmsg$nl_route(r6, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000240)=ANY=[@ANYBLOB="3c00000010000300"/20, @ANYRES32=<r8=>r7, @ANYBLOB="00000000000000001c0012800b00010067656e65766500000c0002800500040001"], 0x3c}, 0x1, 0x2}, 0x0)
r9 = socket$packet(0x11, 0x3, 0x300)
ioctl$sock_SIOCGIFINDEX_802154(0xffffffffffffffff, 0x8933, &(0x7f0000000380)={'wpan4\x00'})
ioctl$sock_SIOCGIFINDEX_802154(0xffffffffffffffff, 0x8933, &(0x7f00000003c0)={'wpan3\x00'})
ioctl$sock_SIOCGIFINDEX_802154(0xffffffffffffffff, 0x8933, &(0x7f0000000440)={'wpan3\x00'})
r10 = socket$nl_xfrm(0x10, 0x3, 0x6)
ioctl$sock_SIOCGIFINDEX(r10, 0x8933, &(0x7f0000002740)={'geneve0\x00', <r11=>0x0})
sendto$packet(r9, &(0x7f00000000c0)="f4416eb4e859495d589fefa788a8684c88a8", 0x36, 0x0, &(0x7f0000002780)={0x11, 0x0, r11, 0x1, 0x0, 0x6, @link_local}, 0x14)
setsockopt$bt_rfcomm_RFCOMM_LM(r5, 0x12, 0x3, &(0x7f0000000300)=0x30, 0x4)
shutdown(r5, 0x1)
connect$bt_rfcomm(r5, &(0x7f0000005dc0)={0x1f, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x13}, 0x15}, 0xa)
r12 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r12, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000200)=ANY=[@ANYRES8=r5, @ANYRES32=0x0, @ANYBLOB='\x00\x00\x00\x00@\x00\x00\x00\b\x00\n\x00', @ANYRES32=0x0, @ANYRES8=r8], 0x30}}, 0xccf37bd6c1f5314e)

[  135.487263][ T4668] Bluetooth: hci0: command tx timeout
[  135.508075][    T9] 
[  135.509195][    T9] ======================================================
[  135.512112][    T9] WARNING: possible circular locking dependency detected
[  135.515812][    T9] syzkaller #0 Not tainted
[  135.524875][    T9] ------------------------------------------------------
[  135.529361][    T9] kworker/0:0/9 is trying to acquire lock:
[  135.531989][    T9] ffff88803d55baf8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[  135.536221][    T9] 
[  135.536221][    T9] but task is already holding lock:
[  135.539471][    T9] ffffc9000022fc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0
[  135.545163][    T9] 
[  135.545163][    T9] which lock already depends on the new lock.
[  135.545163][    T9] 
[  135.549922][    T9] 
[  135.549922][    T9] the existing dependency chain (in reverse order) is:
[  135.556451][    T9] 
[  135.556451][    T9] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[  135.561514][    T9]        __flush_work+0x700/0xc50
[  135.563927][    T9]        __cancel_work_sync+0xbe/0x110
[  135.566621][    T9]        l2cap_conn_del+0x40f/0x5c0
[  135.569006][    T9]        hci_conn_hash_flush+0x10d/0x260
[  135.571435][    T9]        hci_dev_close_sync+0x821/0x10e0
[  135.574065][    T9]        hci_dev_close+0x108/0x260
[  135.576312][    T9]        sock_do_ioctl+0x101/0x320
[  135.578678][    T9]        sock_ioctl+0x5c6/0x7f0
[  135.581043][    T9]        __se_sys_ioctl+0xfc/0x170
[  135.583261][    T9]        do_syscall_64+0x14d/0xf80
[  135.585539][    T9]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[  135.588281][    T9] 
[  135.588281][    T9] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[  135.593951][    T9]        __lock_acquire+0x15a5/0x2cf0
[  135.597220][    T9]        lock_acquire+0xf0/0x2e0
[  135.600017][    T9]        __mutex_lock+0x19f/0x1300
[  135.602656][    T9]        l2cap_info_timeout+0x60/0xa0
[  135.605315][    T9]        process_scheduled_works+0xb6e/0x18c0
[  135.608113][    T9]        worker_thread+0xa53/0xfc0
[  135.610448][    T9]        kthread+0x388/0x470
[  135.612685][    T9]        ret_from_fork+0x51e/0xb90
[  135.615015][    T9]        ret_from_fork_asm+0x1a/0x30
[  135.617467][    T9] 
[  135.617467][    T9] other info that might help us debug this:
[  135.617467][    T9] 
[  135.622188][    T9]  Possible unsafe locking scenario:
[  135.622188][    T9] 
[  135.625540][    T9]        CPU0                    CPU1
[  135.628178][    T9]        ----                    ----
[  135.631671][    T9]   lock((work_completion)(&(&conn->info_timer)->work));
[  135.635673][    T9]                                lock(&conn->lock#2);
[  135.639128][    T9]                                lock((work_completion)(&(&conn->info_timer)->work));
[  135.643120][    T9]   lock(&conn->lock#2);
[  135.645080][    T9] 
[  135.645080][    T9]  *** DEADLOCK ***
[  135.645080][    T9] 
[  135.648754][    T9] 2 locks held by kworker/0:0/9:
[  135.650902][    T9]  #0: ffff88801aca6948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0
[  135.656666][    T9]  #1: ffffc9000022fc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0
[  135.662551][    T9] 
[  135.662551][    T9] stack backtrace:
[  135.665328][    T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted syzkaller #0 PREEMPT(full) 
[  135.665343][    T9] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  135.665350][    T9] Workqueue: events l2cap_info_timeout
[  135.665370][    T9] Call Trace:
[  135.665378][    T9]  <TASK>
[  135.665385][    T9]  dump_stack_lvl+0xe8/0x150
[  135.665404][    T9]  print_circular_bug+0x2e1/0x300
[  135.665423][    T9]  check_noncircular+0x12e/0x150
[  135.665439][    T9]  __lock_acquire+0x15a5/0x2cf0
[  135.665453][    T9]  ? __schedule+0x15f3/0x52d0
[  135.665467][    T9]  ? ret_from_fork_asm+0x1a/0x30
[  135.665484][    T9]  lock_acquire+0xf0/0x2e0
[  135.665497][    T9]  ? l2cap_info_timeout+0x60/0xa0
[  135.665512][    T9]  __mutex_lock+0x19f/0x1300
[  135.665522][    T9]  ? l2cap_info_timeout+0x60/0xa0
[  135.665536][    T9]  ? irqentry_exit+0x59e/0x620
[  135.665548][    T9]  ? lockdep_hardirqs_on+0x7a/0x110
[  135.665559][    T9]  ? l2cap_info_timeout+0x60/0xa0
[  135.665572][    T9]  ? irqentry_exit+0x59e/0x620
[  135.665582][    T9]  ? trace_irq_disable+0x3b/0x150
[  135.665593][    T9]  ? __pfx___mutex_lock+0x10/0x10
[  135.665607][    T9]  ? lock_acquire+0x20b/0x2e0
[  135.665620][    T9]  l2cap_info_timeout+0x60/0xa0
[  135.665635][    T9]  ? process_scheduled_works+0xa8d/0x18c0
[  135.665649][    T9]  process_scheduled_works+0xb6e/0x18c0
[  135.665670][    T9]  ? __pfx_process_scheduled_works+0x10/0x10
[  135.665685][    T9]  ? assign_work+0x3d5/0x5e0
[  135.665698][    T9]  worker_thread+0xa53/0xfc0
[  135.665718][    T9]  kthread+0x388/0x470
[  135.665729][    T9]  ? __pfx_worker_thread+0x10/0x10
[  135.665741][    T9]  ? __pfx_kthread+0x10/0x10
[  135.665752][    T9]  ret_from_fork+0x51e/0xb90
[  135.665768][    T9]  ? __pfx_ret_from_fork+0x10/0x10
[  135.665781][    T9]  ? __switch_to+0xc7d/0x1450
[  135.665792][    T9]  ? __pfx_kthread+0x10/0x10
[  135.665802][    T9]  ret_from_fork_asm+0x1a/0x30
[  135.665821][    T9]  </TASK>
[  135.834330][ T5331] netlink: 8 bytes leftover after parsing attributes in process `syz.0.0'.
[  137.518589][ T4668] Bluetooth: hci0: command tx timeout
[  139.598754][ T4668] Bluetooth: hci0: command tx timeout