program:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe)
r1 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6)
ioctl$sock_bt_hidp_HIDPCONNADD(r1, 0x400448c8, &(0x7f0000000340)={r0, r0, 0x8, 0x0, 0x0, 0xb, 0x1, 0x16c0, 0x5df, 0x3, 0x0, 0x8, 'syz0\x00'})
r2 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000080)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r2}, 0x10)
openat$snapshot(0xffffffffffffff9c, &(0x7f0000000140), 0x20000, 0x300)

[   84.988881][ T5296] Bluetooth: hci0: command tx timeout
[   85.140126][ T5320] input: Bluetooth HID Boot Protocol Device as /devices/virtual/bluetooth/hci0/hci0:200/input5
[   85.291549][ T5320] Bluetooth: hci0: Opcode 0x0c1a failed: -4
[   85.295547][ T5320] Bluetooth: hci0: Opcode 0x0406 failed: -4
[   85.326595][ T5320]
[   85.327993][ T5320] ======================================================
[   85.331512][ T5320] WARNING: possible circular locking dependency detected
[   85.334289][ T5320] syzkaller #0 Not tainted
[   85.336006][ T5320] ------------------------------------------------------
[   85.338774][ T5320] syz.0.0/5320 is trying to acquire lock:
[   85.341155][ T5320] ffff888041af5040 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0x100/0xc50
[   85.345953][ T5320]
[   85.345953][ T5320] but task is already holding lock:
[   85.348914][ T5320] ffff888041af52f8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5c0
[   85.352788][ T5320]
[   85.352788][ T5320] which lock already depends on the new lock.
[   85.352788][ T5320]
[   85.357473][ T5320]
[   85.357473][ T5320] the existing dependency chain (in reverse order) is:
[   85.361509][ T5320]
[   85.361509][ T5320] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[   85.364735][ T5320]        __mutex_lock+0x19f/0x1300
[   85.367068][ T5320]        l2cap_info_timeout+0x60/0xa0
[   85.369484][ T5320]        process_scheduled_works+0xb02/0x1830
[   85.371724][ T5320]        worker_thread+0xa50/0xfc0
[   85.373936][ T5320]        kthread+0x388/0x470
[   85.375922][ T5320]        ret_from_fork+0x51e/0xb90
[   85.378189][ T5320]        ret_from_fork_asm+0x1a/0x30
[   85.380613][ T5320]
[   85.380613][ T5320] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[   85.385174][ T5320]        __lock_acquire+0x15a5/0x2cf0
[   85.387493][ T5320]        lock_acquire+0xf0/0x2e0
[   85.389548][ T5320]        __flush_work+0x700/0xc50
[   85.391673][ T5320]        __cancel_work_sync+0xbe/0x110
[   85.394000][ T5320]        l2cap_conn_del+0x40f/0x5c0
[   85.396026][ T5320]        l2cap_connect_cfm+0x12b/0x1390
[   85.398292][ T5320]        hci_conn_failed+0x1ce/0x340
[   85.400520][ T5320]        hci_abort_conn_sync+0xdd0/0x1190
[   85.402965][ T5320]        hci_disconnect_all_sync+0x1b5/0x350
[   85.406110][ T5320]        hci_suspend_sync+0x417/0xd20
[   85.408769][ T5320]        hci_suspend_dev+0x28d/0x540
[   85.411396][ T5320]        hci_suspend_notifier+0xf2/0x2f0
[   85.413616][ T5320]        notifier_call_chain+0x1be/0x400
[   85.415683][ T5320]        blocking_notifier_call_chain_robust+0x85/0x100
[   85.418055][ T5320]        pm_notifier_call_chain_robust+0x2c/0x60
[   85.420550][ T5320]        snapshot_open+0x19c/0x280
[   85.422674][ T5320]        misc_open+0x2d5/0x350
[   85.424697][ T5320]        chrdev_open+0x4cd/0x5e0
[   85.426820][ T5320]        do_dentry_open+0x785/0x14e0
[   85.428980][ T5320]        vfs_open+0x3b/0x340
[   85.431023][ T5320]        path_openat+0x2e08/0x3860
[   85.433270][ T5320]        do_file_open+0x23e/0x4a0
[   85.435137][ T5320]        do_sys_openat2+0x113/0x200
[   85.437390][ T5320]        __x64_sys_openat+0x138/0x170
[   85.439778][ T5320]        do_syscall_64+0x14d/0xf80
[   85.441910][ T5320]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.444506][ T5320]
[   85.444506][ T5320] other info that might help us debug this:
[   85.444506][ T5320]
[   85.448491][ T5320]  Possible unsafe locking scenario:
[   85.448491][ T5320]
[   85.451586][ T5320]        CPU0                    CPU1
[   85.453737][ T5320]        ----                    ----
[   85.455580][ T5320]   lock(&conn->lock#2);
[   85.457217][ T5320]                                lock((work_completion)(&(&conn->info_timer)->work));
[   85.460558][ T5320]                                lock(&conn->lock#2);
[   85.463025][ T5320]   lock((work_completion)(&(&conn->info_timer)->work));
[   85.465862][ T5320]
[   85.465862][ T5320]  *** DEADLOCK ***
[   85.465862][ T5320]
[   85.469142][ T5320] 8 locks held by syz.0.0/5320:
[   85.471478][ T5320]  #0: ffffffff8f01a268 (misc_mtx){+.+.}-{4:4}, at: misc_open+0x51/0x350
[   85.474959][ T5320]  #1: ffffffff8e609c68 (system_transition_mutex){+.+.}-{4:4}, at: lock_system_sleep+0x49/0x70
[   85.479196][ T5320]  #2: ffffffff8e631250 ((pm_chain_head).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain_robust+0x65/0x100
[   85.484326][ T5320]  #3: ffff888012098ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_suspend_dev+0x285/0x540
[   85.488352][ T5320]  #4: ffff8880120980c0 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0xa6f/0x1190
[   85.492460][ T5320]  #5: ffffffff8fd5a368 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_failed+0x165/0x340
[   85.496066][ T5320]  #6: ffff888041af52f8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5c0
[   85.500034][ T5320]  #7: ffffffff8e7602e0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x100/0xc50
[   85.503195][ T5320]
[   85.503195][ T5320] stack backtrace:
[   85.505161][ T5320] CPU: 0 UID: 0 PID: 5320 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[   85.505180][ T5320] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   85.505209][ T5320] Call Trace:
[   85.505218][ T5320]
[   85.505226][ T5320]  dump_stack_lvl+0xe8/0x150
[   85.505245][ T5320]  print_circular_bug+0x2e1/0x300
[   85.505262][ T5320]  check_noncircular+0x12e/0x150
[   85.505283][ T5320]  __lock_acquire+0x15a5/0x2cf0
[   85.505298][ T5320]  ? do_raw_spin_lock+0x12b/0x2f0
[   85.505309][ T5320]  ? do_raw_spin_unlock+0x4d/0x210
[   85.505321][ T5320]  lock_acquire+0xf0/0x2e0
[   85.505334][ T5320]  ? __flush_work+0x100/0xc50
[   85.505351][ T5320]  ? __flush_work+0x100/0xc50
[   85.505365][ T5320]  __flush_work+0x700/0xc50
[   85.505379][ T5320]  ? __flush_work+0x100/0xc50
[   85.505396][ T5320]  ? __flush_work+0x100/0xc50
[   85.505410][ T5320]  ? __pfx___flush_work+0x10/0x10
[   85.505424][ T5320]  ? __pfx_wq_barrier_func+0x10/0x10
[   85.505444][ T5320]  ? __cancel_work_sync+0x5c/0x110
[   85.505460][ T5320]  __cancel_work_sync+0xbe/0x110
[   85.505476][ T5320]  l2cap_conn_del+0x40f/0x5c0
[   85.505492][ T5320]  l2cap_connect_cfm+0x12b/0x1390
[   85.505505][ T5320]  ? __pfx___mutex_lock+0x10/0x10
[   85.505520][ T5320]  ? __pfx_l2cap_connect_cfm+0x10/0x10
[   85.505530][ T5320]  ? __pfx_l2cap_connect_cfm+0x10/0x10
[   85.505537][ T5320]  hci_conn_failed+0x1ce/0x340
[   85.505545][ T5320]  ? hci_abort_conn_sync+0xa7b/0x1190
[   85.505553][ T5320]  hci_abort_conn_sync+0xdd0/0x1190
[   85.505561][ T5320]  ? __pfx_hci_abort_conn_sync+0x10/0x10
[   85.505568][ T5320]  ? hci_disconnect_all_sync+0x2e/0x350
[   85.505577][ T5320]  ? hci_disconnect_all_sync+0x2e/0x350
[   85.505584][ T5320]  ? hci_disconnect_all_sync+0x2e/0x350
[   85.505592][ T5320]  hci_disconnect_all_sync+0x1b5/0x350
[   85.505602][ T5320]  hci_suspend_sync+0x417/0xd20
[   85.505615][ T5320]  ? __pfx_hci_suspend_sync+0x10/0x10
[   85.505627][ T5320]  ? lockdep_hardirqs_on+0x7a/0x110
[   85.505642][ T5320]  ? enable_work+0x1fd/0x230
[   85.505658][ T5320]  ? hci_cmd_sync_cancel_sync+0xc9/0x1c0
[   85.505674][ T5320]  hci_suspend_dev+0x28d/0x540
[   85.505691][ T5320]  ? __pfx_hci_suspend_dev+0x10/0x10
[   85.505703][ T5320]  ? rcu_barrier+0x474/0x580
[   85.505714][ T5320]  hci_suspend_notifier+0xf2/0x2f0
[   85.505725][ T5320]  notifier_call_chain+0x1be/0x400
[   85.505737][ T5320]  blocking_notifier_call_chain_robust+0x85/0x100
[   85.505749][ T5320]  pm_notifier_call_chain_robust+0x2c/0x60
[   85.505758][ T5320]  snapshot_open+0x19c/0x280
[   85.505767][ T5320]  ? __pfx_snapshot_open+0x10/0x10
[   85.505775][ T5320]  misc_open+0x2d5/0x350
[   85.505787][ T5320]  chrdev_open+0x4cd/0x5e0
[   85.505795][ T5320]  ? __pfx_chrdev_open+0x10/0x10
[   85.505804][ T5320]  ? fsnotify_open_perm_and_set_mode+0x135/0x6d0
[   85.505820][ T5320]  ? __pfx_chrdev_open+0x10/0x10
[   85.505829][ T5320]  do_dentry_open+0x785/0x14e0
[   85.505845][ T5320]  vfs_open+0x3b/0x340
[   85.505856][ T5320]  ? path_openat+0x2df0/0x3860
[   85.505871][ T5320]  path_openat+0x2e08/0x3860
[   85.505890][ T5320]  ? __pfx_stack_trace_save+0x10/0x10
[   85.505899][ T5320]  ? stack_depot_save_flags+0x33/0x810
[   85.505908][ T5320]  ? __pfx_path_openat+0x10/0x10
[   85.505918][ T5320]  ? __x64_sys_openat+0x138/0x170
[   85.505930][ T5320]  ? do_syscall_64+0x14d/0xf80
[   85.505944][ T5320]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.505958][ T5320]  ? __lock_acquire+0x6b5/0x2cf0
[   85.505972][ T5320]  do_file_open+0x23e/0x4a0
[   85.505996][ T5320]  ? __pfx_do_file_open+0x10/0x10
[   85.506021][ T5320]  ? _raw_spin_unlock+0x28/0x50
[   85.506035][ T5320]  ? alloc_fd+0x64b/0x6c0
[   85.506051][ T5320]  do_sys_openat2+0x113/0x200
[   85.506064][ T5320]  ? __se_sys_futex+0x3a8/0x450
[   85.506078][ T5320]  ? __pfx_do_sys_openat2+0x10/0x10
[   85.506090][ T5320]  ? rcu_is_watching+0x15/0xb0
[   85.506101][ T5320]  __x64_sys_openat+0x138/0x170
[   85.506109][ T5320]  do_syscall_64+0x14d/0xf80
[   85.506119][ T5320]  ? trace_irq_disable+0x3b/0x150
[   85.506129][ T5320]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.506135][ T5320]  ? clear_bhb_loop+0x40/0x90
[   85.506143][ T5320]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.506151][ T5320] RIP: 0033:0x7fac28f9c629
[   85.506159][ T5320] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[   85.506165][ T5320] RSP: 002b:00007fac29db4028 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[   85.506174][ T5320] RAX: ffffffffffffffda RBX: 00007fac29215fa0 RCX: 00007fac28f9c629
[   85.506179][ T5320] RDX: 0000000000020000 RSI: 0000200000000140 RDI: ffffffffffffff9c
[   85.506184][ T5320] RBP: 00007fac29032b39 R08: 0000000000000000 R09: 0000000000000000
[   85.506188][ T5320] R10: 0000000000000300 R11: 0000000000000246 R12: 0000000000000000
[   85.506192][ T5320] R13: 00007fac29216038 R14: 00007fac29215fa0 R15: 00007fff1a9af438
[   85.506200][ T5320]
[   87.308422][ T5296] Bluetooth: hci0: command 0x040f tx timeout
[   89.388855][ T5296] Bluetooth: hci0: command 0x040f tx timeout
[   91.468726][ T5296] Bluetooth: hci0: command 0x040f tx timeout
[   91.789701][ T1229] cfg80211: failed to load regulatory.db