program:

r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r0, 0x400448ca, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r1, 0x400448cb, 0x0)

[   89.595973][ T4670] Bluetooth: hci0: command tx timeout
[   89.610190][ T5322]
[   89.611619][ T5322] ======================================================
[   89.616522][ T5322] WARNING: possible circular locking dependency detected
[   89.620429][ T5322] syzkaller #0 Not tainted
[   89.622548][ T5322] ------------------------------------------------------
[   89.627711][ T5322] kworker/0:5/5322 is trying to acquire lock:
[   89.633742][ T5322] ffff88801c3a6af8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[   89.638562][ T5322]
[   89.638562][ T5322] but task is already holding lock:
[   89.641726][ T5322] ffffc9000dce7c40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0
[   89.647101][ T5322]
[   89.647101][ T5322] which lock already depends on the new lock.
[   89.647101][ T5322]
[   89.651854][ T5322]
[   89.651854][ T5322] the existing dependency chain (in reverse order) is:
[   89.656232][ T5322]
[   89.656232][ T5322] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[   89.661321][ T5322]        __flush_work+0x700/0xc50
[   89.664017][ T5322]        __cancel_work_sync+0xbe/0x110
[   89.666527][ T5322]        l2cap_conn_del+0x40f/0x5c0
[   89.668997][ T5322]        hci_conn_hash_flush+0x10d/0x260
[   89.671692][ T5322]        hci_dev_close_sync+0x821/0x10e0
[   89.674373][ T5322]        hci_dev_close+0x108/0x260
[   89.676737][ T5322]        sock_do_ioctl+0x101/0x320
[   89.679636][ T5322]        sock_ioctl+0x5c6/0x7f0
[   89.682555][ T5322]        __se_sys_ioctl+0xfc/0x170
[   89.685393][ T5322]        do_syscall_64+0x14d/0xf80
[   89.687954][ T5322]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   89.690964][ T5322]
[   89.690964][ T5322] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[   89.694504][ T5322]        __lock_acquire+0x15a5/0x2cf0
[   89.697299][ T5322]        lock_acquire+0xf0/0x2e0
[   89.700193][ T5322]        __mutex_lock+0x19f/0x1300
[   89.702739][ T5322]        l2cap_info_timeout+0x60/0xa0
[   89.705385][ T5322]        process_scheduled_works+0xb6e/0x18c0
[   89.708223][ T5322]        worker_thread+0xa53/0xfc0
[   89.710730][ T5322]        kthread+0x388/0x470
[   89.713236][ T5322]        ret_from_fork+0x51e/0xb90
[   89.716153][ T5322]        ret_from_fork_asm+0x1a/0x30
[   89.718956][ T5322]
[   89.718956][ T5322] other info that might help us debug this:
[   89.718956][ T5322]
[   89.723638][ T5322]  Possible unsafe locking scenario:
[   89.723638][ T5322]
[   89.727939][ T5322]        CPU0                    CPU1
[   89.730997][ T5322]        ----                    ----
[   89.733615][ T5322]   lock((work_completion)(&(&conn->info_timer)->work));
[   89.736903][ T5322]                                lock(&conn->lock#2);
[   89.740279][ T5322]                                lock((work_completion)(&(&conn->info_timer)->work));
[   89.745671][ T5322]   lock(&conn->lock#2);
[   89.747720][ T5322]
[   89.747720][ T5322]  *** DEADLOCK ***
[   89.747720][ T5322]
[   89.751506][ T5322] 2 locks held by kworker/0:5/5322:
[   89.754123][ T5322]  #0: ffff88801aca6948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0
[   89.760492][ T5322]  #1: ffffc9000dce7c40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0
[   89.766779][ T5322]
[   89.766779][ T5322] stack backtrace:
[   89.769820][ T5322] CPU: 0 UID: 0 PID: 5322 Comm: kworker/0:5 Not tainted syzkaller #0 PREEMPT(full)
[   89.769843][ T5322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   89.769852][ T5322] Workqueue: events l2cap_info_timeout
[   89.769914][ T5322] Call Trace:
[   89.769924][ T5322]
[   89.769933][ T5322]  dump_stack_lvl+0xe8/0x150
[   89.769952][ T5322]  print_circular_bug+0x2e1/0x300
[   89.769973][ T5322]  check_noncircular+0x12e/0x150
[   89.769989][ T5322]  __lock_acquire+0x15a5/0x2cf0
[   89.770004][ T5322]  ? __schedule+0x15f3/0x52d0
[   89.770024][ T5322]  ? ret_from_fork_asm+0x1a/0x30
[   89.770042][ T5322]  lock_acquire+0xf0/0x2e0
[   89.770055][ T5322]  ? l2cap_info_timeout+0x60/0xa0
[   89.770071][ T5322]  __mutex_lock+0x19f/0x1300
[   89.770082][ T5322]  ? l2cap_info_timeout+0x60/0xa0
[   89.770095][ T5322]  ? irqentry_exit+0x59e/0x620
[   89.770110][ T5322]  ? lockdep_hardirqs_on+0x7a/0x110
[   89.770119][ T5322]  ? l2cap_info_timeout+0x60/0xa0
[   89.770131][ T5322]  ? irqentry_exit+0x59e/0x620
[   89.770140][ T5322]  ? trace_irq_disable+0x3b/0x150
[   89.770160][ T5322]  ? __pfx___mutex_lock+0x10/0x10
[   89.770173][ T5322]  ? lock_acquire+0x20b/0x2e0
[   89.770186][ T5322]  l2cap_info_timeout+0x60/0xa0
[   89.770197][ T5322]  ? process_scheduled_works+0xa8d/0x18c0
[   89.770212][ T5322]  process_scheduled_works+0xb6e/0x18c0
[   89.770230][ T5322]  ? __pfx_process_scheduled_works+0x10/0x10
[   89.770244][ T5322]  ? assign_work+0x3d5/0x5e0
[   89.770257][ T5322]  worker_thread+0xa53/0xfc0
[   89.770276][ T5322]  kthread+0x388/0x470
[   89.770288][ T5322]  ? __pfx_worker_thread+0x10/0x10
[   89.770301][ T5322]  ? __pfx_kthread+0x10/0x10
[   89.770310][ T5322]  ret_from_fork+0x51e/0xb90
[   89.770326][ T5322]  ? __pfx_ret_from_fork+0x10/0x10
[   89.770339][ T5322]  ? __switch_to+0xc7d/0x1450
[   89.770353][ T5322]  ? __pfx_kthread+0x10/0x10
[   89.770362][ T5322]  ret_from_fork_asm+0x1a/0x30
[   89.770380][ T5322]
[   91.628148][   T45] Bluetooth: hci0: command tx timeout
[   93.707235][   T45] Bluetooth: hci0: command tx timeout
[   95.786509][   T45] Bluetooth: hci0: command tx timeout