program:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r1, 0x400448df, &(0x7f0000000b40))

[ 147.956285][ T4671] Bluetooth: hci0: command tx timeout
[ 148.026878][ T789]
[ 148.028101][ T789] ======================================================
[ 148.031662][ T789] WARNING: possible circular locking dependency detected
[ 148.035695][ T789] syzkaller #0 Not tainted
[ 148.037742][ T789] ------------------------------------------------------
[ 148.040913][ T789] kworker/0:2/789 is trying to acquire lock:
[ 148.043740][ T789] ffff888041b4d2f8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 148.048805][ T789]
[ 148.048805][ T789] but task is already holding lock:
[ 148.052567][ T789] ffffc900040efc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0
[ 148.059151][ T789]
[ 148.059151][ T789] which lock already depends on the new lock.
[ 148.059151][ T789]
[ 148.064916][ T789]
[ 148.064916][ T789] the existing dependency chain (in reverse order) is:
[ 148.069681][ T789]
[ 148.069681][ T789] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 148.075211][ T789]        __flush_work+0x700/0xc50
[ 148.078241][ T789]        __cancel_work_sync+0xbe/0x110
[ 148.081025][ T789]        l2cap_conn_del+0x40f/0x5c0
[ 148.083423][ T789]        hci_conn_hash_flush+0x10d/0x260
[ 148.086020][ T789]        hci_dev_close_sync+0x821/0x10e0
[ 148.088682][ T789]        hci_dev_close+0x108/0x260
[ 148.091456][ T789]        sock_do_ioctl+0x101/0x320
[ 148.094263][ T789]        sock_ioctl+0x5c6/0x7f0
[ 148.096572][ T789]        __se_sys_ioctl+0xfc/0x170
[ 148.098954][ T789]        do_syscall_64+0x14d/0xf80
[ 148.101551][ T789]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 148.105076][ T789]
[ 148.105076][ T789] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 148.108607][ T789]        __lock_acquire+0x15a5/0x2cf0
[ 148.111549][ T789]        lock_acquire+0xf0/0x2e0
[ 148.114594][ T789]        __mutex_lock+0x19f/0x1300
[ 148.118779][ T789]        l2cap_info_timeout+0x60/0xa0
[ 148.122204][ T789]        process_scheduled_works+0xb6e/0x18c0
[ 148.125341][ T789]        worker_thread+0xa53/0xfc0
[ 148.127754][ T789]        kthread+0x388/0x470
[ 148.129932][ T789]        ret_from_fork+0x51e/0xb90
[ 148.132532][ T789]        ret_from_fork_asm+0x1a/0x30
[ 148.135271][ T789]
[ 148.135271][ T789] other info that might help us debug this:
[ 148.135271][ T789]
[ 148.140253][ T789] Possible unsafe locking scenario:
[ 148.140253][ T789]
[ 148.143511][ T789]        CPU0                    CPU1
[ 148.146299][ T789]        ----                    ----
[ 148.148832][ T789]   lock((work_completion)(&(&conn->info_timer)->work));
[ 148.151940][ T789]                                lock(&conn->lock#2);
[ 148.155096][ T789]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 148.159527][ T789]   lock(&conn->lock#2);
[ 148.161854][ T789]
[ 148.161854][ T789]  *** DEADLOCK ***
[ 148.161854][ T789]
[ 148.165489][ T789] 2 locks held by kworker/0:2/789:
[ 148.167751][ T789]  #0: ffff88801aca6948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0
[ 148.172454][ T789]  #1: ffffc900040efc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0
[ 148.178302][ T789]
[ 148.178302][ T789] stack backtrace:
[ 148.181326][ T789] CPU: 0 UID: 0 PID: 789 Comm: kworker/0:2 Not tainted syzkaller #0 PREEMPT(full)
[ 148.181345][ T789] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 148.181355][ T789] Workqueue: events l2cap_info_timeout
[ 148.181406][ T789] Call Trace:
[ 148.181415][ T789]
[ 148.181422][ T789]  dump_stack_lvl+0xe8/0x150
[ 148.181441][ T789]  print_circular_bug+0x2e1/0x300
[ 148.181456][ T789]  check_noncircular+0x12e/0x150
[ 148.181470][ T789]  __lock_acquire+0x15a5/0x2cf0
[ 148.181482][ T789]  ? __schedule+0x15f3/0x52d0
[ 148.181503][ T789]  ? ret_from_fork_asm+0x1a/0x30
[ 148.181523][ T789]  lock_acquire+0xf0/0x2e0
[ 148.181539][ T789]  ? l2cap_info_timeout+0x60/0xa0
[ 148.181556][ T789]  __mutex_lock+0x19f/0x1300
[ 148.181569][ T789]  ? l2cap_info_timeout+0x60/0xa0
[ 148.181584][ T789]  ? irqentry_exit+0x59e/0x620
[ 148.181595][ T789]  ? lockdep_hardirqs_on+0x7a/0x110
[ 148.181606][ T789]  ? l2cap_info_timeout+0x60/0xa0
[ 148.181619][ T789]  ? irqentry_exit+0x59e/0x620
[ 148.181630][ T789]  ? trace_irq_disable+0x3b/0x150
[ 148.181646][ T789]  ? __pfx___mutex_lock+0x10/0x10
[ 148.181656][ T789]  ? lock_acquire+0x20b/0x2e0
[ 148.181665][ T789]  l2cap_info_timeout+0x60/0xa0
[ 148.181676][ T789]  ? process_scheduled_works+0xa8d/0x18c0
[ 148.181690][ T789]  process_scheduled_works+0xb6e/0x18c0
[ 148.181710][ T789]  ? __pfx_process_scheduled_works+0x10/0x10
[ 148.181726][ T789]  ? assign_work+0x3d5/0x5e0
[ 148.181739][ T789]  worker_thread+0xa53/0xfc0
[ 148.181763][ T789]  kthread+0x388/0x470
[ 148.181774][ T789]  ? __pfx_worker_thread+0x10/0x10
[ 148.181788][ T789]  ? __pfx_kthread+0x10/0x10
[ 148.181799][ T789]  ret_from_fork+0x51e/0xb90
[ 148.181815][ T789]  ? __pfx_ret_from_fork+0x10/0x10
[ 148.181827][ T789]  ? __switch_to+0xc7d/0x1450
[ 148.181840][ T789]  ? __pfx_kthread+0x10/0x10
[ 148.181857][ T789]  ret_from_fork_asm+0x1a/0x30
[ 148.181876][ T789]
[ 150.004830][ T4671] Bluetooth: hci0: command tx timeout
[ 152.085042][ T4671] Bluetooth: hci0: command tx timeout
[ 154.164070][ T4671] Bluetooth: hci0: command tx timeout