program:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe)
r1 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6)
ioctl$sock_bt_hidp_HIDPCONNADD(r1, 0x400448c8, &(0x7f0000000280)={r0, r0, 0xc, 0x1, &(0x7f0000000340)='\x00', 0x9, 0x1, 0x457, 0x7, 0x9, 0x1, 0x1, 'syz1\x00'})
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r2, 0x400448ca, 0x0) (fail_nth: 14)

[ 87.669348][ T4667] Bluetooth: hci0: command tx timeout
[ 87.876186][ T5307] hid-multitouch 0005:0457:0007.0002: unknown main item tag 0x0
[ 87.899708][ T5307] hid-multitouch 0005:0457:0007.0002: hidraw1: BLUETOOTH HID v0.09 Device [syz1] on aa:aa:aa:aa:aa:aa
[ 87.948514][ T5320] FAULT_INJECTION: forcing a failure.
[ 87.948514][ T5320] name failslab, interval 1, probability 0, space 0, times 1
[ 87.973490][ T5320] CPU: 0 UID: 0 PID: 5320 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 87.973511][ T5320] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 87.973518][ T5320] Call Trace:
[ 87.973524][ T5320]
[ 87.973529][ T5320] dump_stack_lvl+0xe8/0x150
[ 87.973640][ T5320] should_fail_ex+0x412/0x560
[ 87.973687][ T5320] should_failslab+0xa8/0x100
[ 87.973700][ T5320] ? skb_clone+0x212/0x3a0
[ 87.973745][ T5320] kmem_cache_alloc_noprof+0x87/0x650
[ 87.973768][ T5320] skb_clone+0x212/0x3a0
[ 87.973782][ T5320] ? netlink_broadcast_filtered+0x6a0/0x1020
[ 87.973797][ T5320] netlink_broadcast_filtered+0x6ae/0x1020
[ 87.973822][ T5320] ? __pfx_netlink_broadcast_filtered+0x10/0x10
[ 87.973835][ T5320] ? alloc_uevent_skb+0xeb/0x230
[ 87.973849][ T5320] ? __asan_memcpy+0x40/0x70
[ 87.973866][ T5320] netlink_broadcast+0x37/0x50
[ 87.973879][ T5320] kobject_uevent_net_broadcast+0x378/0x560
[ 87.973896][ T5320] kobject_uevent_env+0x55c/0x9e0
[ 87.973915][ T5320] device_release_driver_internal+0x76f/0x860
[ 87.973934][ T5320] bus_remove_device+0x34d/0x440
[ 87.973951][ T5320] device_del+0x527/0x8f0
[ 87.973970][ T5320] ? work_grab_pending+0x3d1/0x990
[ 87.973987][ T5320] ? __pfx_device_del+0x10/0x10
[ 87.974003][ T5320] ? enable_work+0x17f/0x230
[ 87.974018][ T5320] ? lockdep_hardirqs_on+0x7a/0x110
[ 87.974034][ T5320] ? enable_work+0x1fd/0x230
[ 87.974051][ T5320] hid_destroy_device+0x6b/0x1b0
[ 87.974068][ T5320] hidp_session_remove+0x10e/0x260
[ 87.974082][ T5320] l2cap_conn_del+0x249/0x5c0
[ 87.974100][ T5320] ? __pfx_l2cap_disconn_cfm+0x10/0x10
[ 87.974113][ T5320] hci_conn_hash_flush+0x10d/0x260
[ 87.974132][ T5320] hci_dev_close_sync+0x821/0x10e0
[ 87.974150][ T5320] ? __pfx_hci_dev_close_sync+0x10/0x10
[ 87.974162][ T5320] ? lockdep_hardirqs_on+0x7a/0x110
[ 87.974177][ T5320] ? enable_work+0x1fd/0x230
[ 87.974196][ T5320] hci_dev_close+0x108/0x260
[ 87.974211][ T5320] sock_do_ioctl+0x101/0x320
[ 87.974225][ T5320] ? __pfx_sock_do_ioctl+0x10/0x10
[ 87.974235][ T5320] ? __mutex_unlock_slowpath+0x1bd/0x7d0
[ 87.974263][ T5320] sock_ioctl+0x5c6/0x7f0
[ 87.974276][ T5320] ? __pfx_sock_ioctl+0x10/0x10
[ 87.974287][ T5320] ? __fget_files+0x2a/0x420
[ 87.974301][ T5320] ? __fget_files+0x3a0/0x420
[ 87.974315][ T5320] ? __fget_files+0x2a/0x420
[ 87.974330][ T5320] ? bpf_lsm_file_ioctl+0x9/0x20
[ 87.974342][ T5320] ? __pfx_sock_ioctl+0x10/0x10
[ 87.974362][ T5320] __se_sys_ioctl+0xfc/0x170
[ 87.974376][ T5320] do_syscall_64+0x14d/0xf80
[ 87.974393][ T5320] ? trace_irq_disable+0x3b/0x150
[ 87.974408][ T5320] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 87.974419][ T5320] ? clear_bhb_loop+0x40/0x90
[ 87.974432][ T5320] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 87.974443][ T5320] RIP: 0033:0x7ffae2d9c799
[ 87.974454][ T5320] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 87.974463][ T5320] RSP: 002b:00007ffae3bf3fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 87.974479][ T5320] RAX: ffffffffffffffda RBX: 00007ffae3015fa0 RCX: 00007ffae2d9c799
[ 87.974487][ T5320] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000006
[ 87.974493][ T5320] RBP: 00007ffae3bf4050 R08: 0000000000000000 R09: 0000000000000000
[ 87.974499][ T5320] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
[ 87.974527][ T5320] R13: 00007ffae3016038 R14: 00007ffae3015fa0 R15: 00007ffea4e557d8
[ 87.974547][ T5320]
[ 88.222921][ T5325] fido_id[5325]: Failed to open report descriptor at '/sys/devices/virtual/bluetooth/hci0/hci0:200/report_descriptor': No such file or directory
[ 88.303530][ T5320]
[ 88.304625][ T5320] ======================================================
[ 88.307932][ T5320] WARNING: possible circular locking dependency detected
[ 88.310973][ T5320] syzkaller #0 Not tainted
[ 88.313001][ T5320] ------------------------------------------------------
[ 88.316590][ T5320] syz.0.0/5320 is trying to acquire lock:
[ 88.319462][ T5320] ffff888032ee8840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0x100/0xc50
[ 88.325215][ T5320]
[ 88.325215][ T5320] but task is already holding lock:
[ 88.328847][ T5320] ffff888032ee8af8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5c0
[ 88.333813][ T5320]
[ 88.333813][ T5320] which lock already depends on the new lock.
[ 88.333813][ T5320]
[ 88.338577][ T5320]
[ 88.338577][ T5320] the existing dependency chain (in reverse order) is:
[ 88.342548][ T5320]
[ 88.342548][ T5320] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[ 88.345785][ T5320]        __mutex_lock+0x19f/0x1300
[ 88.348406][ T5320]        l2cap_info_timeout+0x60/0xa0
[ 88.351235][ T5320]        process_scheduled_works+0xb02/0x1830
[ 88.354514][ T5320]        worker_thread+0xa50/0xfc0
[ 88.356681][ T5320]        kthread+0x388/0x470
[ 88.358709][ T5320]        ret_from_fork+0x51e/0xb90
[ 88.361101][ T5320]        ret_from_fork_asm+0x1a/0x30
[ 88.363490][ T5320]
[ 88.363490][ T5320] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 88.368086][ T5320]        __lock_acquire+0x15a5/0x2cf0
[ 88.370941][ T5320]        lock_acquire+0xf0/0x2e0
[ 88.373826][ T5320]        __flush_work+0x700/0xc50
[ 88.376169][ T5320]        __cancel_work_sync+0xbe/0x110
[ 88.378536][ T5320]        l2cap_conn_del+0x40f/0x5c0
[ 88.380852][ T5320]        hci_conn_hash_flush+0x10d/0x260
[ 88.383308][ T5320]        hci_dev_close_sync+0x821/0x10e0
[ 88.385592][ T5320]        hci_dev_close+0x108/0x260
[ 88.388431][ T5320]        sock_do_ioctl+0x101/0x320
[ 88.391790][ T5320]        sock_ioctl+0x5c6/0x7f0
[ 88.394030][ T5320]        __se_sys_ioctl+0xfc/0x170
[ 88.396424][ T5320]        do_syscall_64+0x14d/0xf80
[ 88.398653][ T5320]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 88.401512][ T5320]
[ 88.401512][ T5320] other info that might help us debug this:
[ 88.401512][ T5320]
[ 88.406245][ T5320] Possible unsafe locking scenario:
[ 88.406245][ T5320]
[ 88.409535][ T5320]        CPU0                    CPU1
[ 88.411762][ T5320]        ----                    ----
[ 88.413827][ T5320]   lock(&conn->lock#2);
[ 88.415598][ T5320]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 88.419622][ T5320]                                lock(&conn->lock#2);
[ 88.423144][ T5320]   lock((work_completion)(&(&conn->info_timer)->work));
[ 88.427249][ T5320]
[ 88.427249][ T5320] *** DEADLOCK ***
[ 88.427249][ T5320]
[ 88.430999][ T5320] 5 locks held by syz.0.0/5320:
[ 88.433089][ T5320] #0: ffff888012790ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x260
[ 88.437153][ T5320] #1: ffff8880127900c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0x10e0
[ 88.441179][ T5320] #2: ffffffff8fd5d7e8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x260
[ 88.446914][ T5320] #3: ffff888032ee8af8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5c0
[ 88.451924][ T5320] #4: ffffffff8e7602e0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x100/0xc50
[ 88.455885][ T5320]
[ 88.455885][ T5320] stack backtrace:
[ 88.458362][ T5320] CPU: 0 UID: 0 PID: 5320 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 88.458376][ T5320] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 88.458380][ T5320] Call Trace:
[ 88.458386][ T5320]
[ 88.458390][ T5320] dump_stack_lvl+0xe8/0x150
[ 88.458408][ T5320] print_circular_bug+0x2e1/0x300
[ 88.458425][ T5320] check_noncircular+0x12e/0x150
[ 88.458440][ T5320] __lock_acquire+0x15a5/0x2cf0
[ 88.458454][ T5320] ? do_raw_spin_lock+0x12b/0x2f0
[ 88.458466][ T5320] ? do_raw_spin_unlock+0x4d/0x210
[ 88.458477][ T5320] lock_acquire+0xf0/0x2e0
[ 88.458488][ T5320] ? __flush_work+0x100/0xc50
[ 88.458499][ T5320] ? __flush_work+0x100/0xc50
[ 88.458508][ T5320] __flush_work+0x700/0xc50
[ 88.458517][ T5320] ? __flush_work+0x100/0xc50
[ 88.458525][ T5320] ? __flush_work+0x100/0xc50
[ 88.458535][ T5320] ? __pfx___flush_work+0x10/0x10
[ 88.458544][ T5320] ? __pfx_wq_barrier_func+0x10/0x10
[ 88.458554][ T5320] ? __cancel_work_sync+0x5c/0x110
[ 88.458563][ T5320] __cancel_work_sync+0xbe/0x110
[ 88.458575][ T5320] l2cap_conn_del+0x40f/0x5c0
[ 88.458589][ T5320] ? __pfx_l2cap_disconn_cfm+0x10/0x10
[ 88.458600][ T5320] hci_conn_hash_flush+0x10d/0x260
[ 88.458615][ T5320] hci_dev_close_sync+0x821/0x10e0
[ 88.458629][ T5320] ? __pfx_hci_dev_close_sync+0x10/0x10
[ 88.458640][ T5320] ? lockdep_hardirqs_on+0x7a/0x110
[ 88.458654][ T5320] ? enable_work+0x1fd/0x230
[ 88.458666][ T5320] hci_dev_close+0x108/0x260
[ 88.458675][ T5320] sock_do_ioctl+0x101/0x320
[ 88.458682][ T5320] ? __pfx_sock_do_ioctl+0x10/0x10
[ 88.458688][ T5320] ? __mutex_unlock_slowpath+0x1bd/0x7d0
[ 88.458704][ T5320] sock_ioctl+0x5c6/0x7f0
[ 88.458713][ T5320] ? __pfx_sock_ioctl+0x10/0x10
[ 88.458721][ T5320] ? __fget_files+0x2a/0x420
[ 88.458734][ T5320] ? __fget_files+0x3a0/0x420
[ 88.458746][ T5320] ? __fget_files+0x2a/0x420
[ 88.458758][ T5320] ? bpf_lsm_file_ioctl+0x9/0x20
[ 88.458770][ T5320] ? __pfx_sock_ioctl+0x10/0x10
[ 88.458779][ T5320] __se_sys_ioctl+0xfc/0x170
[ 88.458789][ T5320] do_syscall_64+0x14d/0xf80
[ 88.458802][ T5320] ? trace_irq_disable+0x3b/0x150
[ 88.458816][ T5320] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 88.458825][ T5320] ? clear_bhb_loop+0x40/0x90
[ 88.458834][ T5320] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 88.458844][ T5320] RIP: 0033:0x7ffae2d9c799
[ 88.458855][ T5320] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 88.458863][ T5320] RSP: 002b:00007ffae3bf3fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 88.458875][ T5320] RAX: ffffffffffffffda RBX: 00007ffae3015fa0 RCX: 00007ffae2d9c799
[ 88.458881][ T5320] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000006
[ 88.458888][ T5320] RBP: 00007ffae3bf4050 R08: 0000000000000000 R09: 0000000000000000
[ 88.458894][ T5320] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
[ 88.458900][ T5320] R13: 00007ffae3016038 R14: 00007ffae3015fa0 R15: 00007ffea4e557d8
[ 88.458909][ T5320]
[ 89.717608][ T5299] Bluetooth: hci0: command tx timeout
[ 91.797845][ T5299] Bluetooth: hci0: command tx timeout
[ 91.958421][ T1345] cfg80211: failed to load regulatory.db
[ 93.877711][ T5299] Bluetooth: hci0: command tx timeout