program:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r0, 0x400448ca, &(0x7f0000000000))

[   73.039499][ T4666] Bluetooth: hci0: command tx timeout
[   73.062726][ T5324] 
[   73.063735][ T5324] ======================================================
[   73.066433][ T5324] WARNING: possible circular locking dependency detected
[   73.069015][ T5324] 6.14.0-rc7-syzkaller-00205-g586de92313fc #0 Not tainted
[   73.071663][ T5324] ------------------------------------------------------
[   73.077968][ T5324] kworker/0:5/5324 is trying to acquire lock:
[   73.084162][ T5324] ffff8880443a7b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[   73.091292][ T5324] 
[   73.091292][ T5324] but task is already holding lock:
[   73.094943][ T5324] ffffc9000d457c60 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9c6/0x18e0
[   73.099789][ T5324] 
[   73.099789][ T5324] which lock already depends on the new lock.
[   73.099789][ T5324] 
[   73.103842][ T5324] 
[   73.103842][ T5324] the existing dependency chain (in reverse order) is:
[   73.107137][ T5324] 
[   73.107137][ T5324] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[   73.110986][ T5324]        lock_acquire+0x1ed/0x550
[   73.113016][ T5324]        __flush_work+0x739/0xc60
[   73.115021][ T5324]        __cancel_work_sync+0xbc/0x110
[   73.117215][ T5324]        l2cap_conn_del+0x507/0x690
[   73.119291][ T5324]        hci_conn_hash_flush+0xff/0x240
[   73.121535][ T5324]        hci_dev_close_sync+0xa8b/0x1260
[   73.123898][ T5324]        hci_dev_close+0x112/0x210
[   73.125972][ T5324]        sock_do_ioctl+0x158/0x460
[   73.128119][ T5324]        sock_ioctl+0x626/0x8e0
[   73.130181][ T5324]        __se_sys_ioctl+0xf5/0x170
[   73.132440][ T5324]        do_syscall_64+0xf3/0x230
[   73.134711][ T5324]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   73.137326][ T5324] 
[   73.137326][ T5324] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[   73.140500][ T5324]        validate_chain+0x18ef/0x5920
[   73.142740][ T5324]        __lock_acquire+0x1397/0x2100
[   73.145057][ T5324]        lock_acquire+0x1ed/0x550
[   73.147259][ T5324]        __mutex_lock+0x19c/0x1010
[   73.149377][ T5324]        l2cap_info_timeout+0x60/0xa0
[   73.152643][ T5324]        process_scheduled_works+0xabe/0x18e0
[   73.155082][ T5324]        worker_thread+0x870/0xd30
[   73.157216][ T5324]        kthread+0x7a9/0x920
[   73.159136][ T5324]        ret_from_fork+0x4b/0x80
[   73.161196][ T5324]        ret_from_fork_asm+0x1a/0x30
[   73.163393][ T5324] 
[   73.163393][ T5324] other info that might help us debug this:
[   73.163393][ T5324] 
[   73.167528][ T5324]  Possible unsafe locking scenario:
[   73.167528][ T5324] 
[   73.170296][ T5324]        CPU0                    CPU1
[   73.171945][ T5324]        ----                    ----
[   73.173580][ T5324]   lock((work_completion)(&(&conn->info_timer)->work));
[   73.175901][ T5324]                                lock(&conn->lock#2);
[   73.178134][ T5324]                                lock((work_completion)(&(&conn->info_timer)->work));
[   73.181530][ T5324]   lock(&conn->lock#2);
[   73.183108][ T5324] 
[   73.183108][ T5324]  *** DEADLOCK ***
[   73.183108][ T5324] 
[   73.185913][ T5324] 2 locks held by kworker/0:5/5324:
[   73.187989][ T5324]  #0: ffff88801b074d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x98b/0x18e0
[   73.192346][ T5324]  #1: ffffc9000d457c60 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9c6/0x18e0
[   73.197500][ T5324] 
[   73.197500][ T5324] stack backtrace:
[   73.199820][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: kworker/0:5 Not tainted 6.14.0-rc7-syzkaller-00205-g586de92313fc #0
[   73.199835][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   73.199843][ T5324] Workqueue: events l2cap_info_timeout
[   73.199863][ T5324] Call Trace:
[   73.199870][ T5324]  <TASK>
[   73.199875][ T5324]  dump_stack_lvl+0x241/0x360
[   73.199888][ T5324]  ? __pfx_dump_stack_lvl+0x10/0x10
[   73.199898][ T5324]  ? __pfx__printk+0x10/0x10
[   73.199910][ T5324]  print_circular_bug+0x13a/0x1b0
[   73.199923][ T5324]  check_noncircular+0x36a/0x4a0
[   73.199934][ T5324]  ? __pfx_check_noncircular+0x10/0x10
[   73.199945][ T5324]  ? lockdep_lock+0x123/0x2b0
[   73.199959][ T5324]  ? __lock_acquire+0x1397/0x2100
[   73.199974][ T5324]  validate_chain+0x18ef/0x5920
[   73.199989][ T5324]  ? __pfx_validate_chain+0x10/0x10
[   73.199998][ T5324]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   73.200012][ T5324]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[   73.200026][ T5324]  ? do_raw_spin_unlock+0x58/0x8b0
[   73.200037][ T5324]  ? finish_task_switch+0x1e5/0x870
[   73.200047][ T5324]  ? lockdep_hardirqs_on+0x99/0x150
[   73.200061][ T5324]  ? finish_task_switch+0x1e5/0x870
[   73.200070][ T5324]  ? __schedule+0x1916/0x4c90
[   73.200084][ T5324]  ? mark_lock+0x9a/0x360
[   73.200094][ T5324]  __lock_acquire+0x1397/0x2100
[   73.200110][ T5324]  lock_acquire+0x1ed/0x550
[   73.200122][ T5324]  ? l2cap_info_timeout+0x60/0xa0
[   73.200136][ T5324]  ? __pfx_lock_acquire+0x10/0x10
[   73.200149][ T5324]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[   73.200162][ T5324]  ? __pfx___might_resched+0x10/0x10
[   73.200173][ T5324]  ? irqentry_exit+0x63/0x90
[   73.200188][ T5324]  __mutex_lock+0x19c/0x1010
[   73.200210][ T5324]  ? l2cap_info_timeout+0x60/0xa0
[   73.200224][ T5324]  ? lock_acquire+0x264/0x550
[   73.200237][ T5324]  ? l2cap_info_timeout+0x60/0xa0
[   73.200249][ T5324]  ? __pfx___mutex_lock+0x10/0x10
[   73.200262][ T5324]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   73.200276][ T5324]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[   73.200291][ T5324]  l2cap_info_timeout+0x60/0xa0
[   73.200305][ T5324]  ? process_scheduled_works+0x9c6/0x18e0
[   73.200317][ T5324]  process_scheduled_works+0xabe/0x18e0
[   73.200334][ T5324]  ? __pfx_process_scheduled_works+0x10/0x10
[   73.200349][ T5324]  ? assign_work+0x364/0x3d0
[   73.200361][ T5324]  worker_thread+0x870/0xd30
[   73.200375][ T5324]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   73.200388][ T5324]  ? __kthread_parkme+0x169/0x1d0
[   73.200402][ T5324]  ? __pfx_worker_thread+0x10/0x10
[   73.200415][ T5324]  kthread+0x7a9/0x920
[   73.200428][ T5324]  ? __pfx_kthread+0x10/0x10
[   73.200442][ T5324]  ? __pfx_worker_thread+0x10/0x10
[   73.200454][ T5324]  ? __pfx_kthread+0x10/0x10
[   73.200468][ T5324]  ? __pfx_kthread+0x10/0x10
[   73.200481][ T5324]  ? __pfx_kthread+0x10/0x10
[   73.200495][ T5324]  ? _raw_spin_unlock_irq+0x23/0x50
[   73.200507][ T5324]  ? lockdep_hardirqs_on+0x99/0x150
[   73.200520][ T5324]  ? __pfx_kthread+0x10/0x10
[   73.200534][ T5324]  ret_from_fork+0x4b/0x80
[   73.200548][ T5324]  ? __pfx_kthread+0x10/0x10
[   73.200562][ T5324]  ret_from_fork_asm+0x1a/0x30
[   73.200577][ T5324]  </TASK>
[   75.091386][ T4666] Bluetooth: hci0: command tx timeout
[   76.292838][ T1310] ieee802154 phy0 wpan0: encryption failed: -22
[   76.295433][ T1310] ieee802154 phy1 wpan1: encryption failed: -22
[   77.171743][ T4666] Bluetooth: hci0: command tx timeout
[   79.251332][ T4666] Bluetooth: hci0: command tx timeout