program:
r0 = socket$nl_route(0x10, 0x3, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
r1 = socket(0x200000000000011, 0x2, 0x0)
setsockopt$MRT6_DONE(r1, 0x29, 0xc9, 0x0, 0x0)
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'bridge0\x00', 0x0})
fallocate(0xffffffffffffffff, 0x10, 0x2, 0x7fff)
syz_emit_vhci(&(0x7f0000005bc0)=ANY=[@ANYBLOB="04228809aa"], 0x8b)
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
setsockopt$IP6T_SO_SET_REPLACE(r3, 0x29, 0x40, &(0x7f0000000040)=@mangle={'mangle\x00', 0x64, 0x6, 0x648, 0x0, 0x3d0, 0xd0, 0xd0, 0xd0, 0x578, 0x578, 0x578, 0x578, 0x578, 0x6, 0x0, {[{{@ipv6={@private0, @private1, [], [], 'veth1\x00', 'veth1_vlan\x00'}, 0x0, 0xa8, 0xd0, 0x0, {0x0, 0x3a010000}}, @HL={0x28}}, {{@ipv6={@private1, @loopback, [], [], 'tunl0\x00', 'bridge_slave_1\x00'}, 0x0, 0xa8, 0xd0}, @common=@unspec=@STANDARD={0x28, '\x00', 0x0, 0x3d0}}, {{@ipv6={@private0, @remote, [], [], 'veth0_to_team\x00', 'tunl0\x00', {}, {}, 0x11, 0x0, 0x3, 0x44}, 0x0, 0x138, 0x160, 0x0, {}, [@common=@srh1={{0x90}, {0x0, 0x0, 0x0, 0x0, 0x0, @dev, @private1, @mcast2}}]}, @unspec=@CHECKSUM={0x28}}, {{@uncond, 0x0, 0xa8, 0xd0}, @common=@inet=@SYNPROXY={0x28}}, {{@ipv6={@loopback, @private2, [], [], 'syzkaller1\x00', 'veth0_to_batadv\x00'}, 0x0, 0x160, 0x1a8, 0x0, {}, [@inet=@rpfilter={{0x28}}, @common=@srh1={{0x90}, {0x0, 0x0, 0x0, 0x0, 0x0, @dev, @private0, @local}}]}, @common=@inet=@TEE={0x48, 'TEE\x00', 0x1, {@ipv4=@initdev={0xac, 0x1e, 0x0, 0x0}, 'vlan0\x00'}}}], {{'\x00', 0x0, 0xa8, 0xd0}, {0x28}}}}, 0x6a8)
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r4, 0x400448cb, 0x0)
sendmsg$nl_route(r0, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000080)=@newlink={0x20, 0x10, 0x403, 0x0, 0x25dfdbfc, {0x0, 0x0, 0x74, r2}}, 0x20}}, 0x0)
io_uring_register$IORING_REGISTER_CLONE_BUFFERS(0xffffffffffffffff, 0x1e, &(0x7f0000000040)={r1}, 0x1)
ioctl$sock_inet_SIOCGIFDSTADDR(r1, 0x8917, &(0x7f00000000c0)={'bond_slave_1\x00', {0x2, 0x0, @empty}})

[ 139.697433][ T4670] Bluetooth: hci0: command tx timeout
[ 139.761876][ T5338] xt_CHECKSUM: CHECKSUM should be avoided. If really needed, restrict with "-p udp" and only use in OUTPUT
[ 139.807947][ T9]
[ 139.821531][ T9] ======================================================
[ 139.824508][ T9] WARNING: possible circular locking dependency detected
[ 139.827478][ T9] 6.15.0-rc1-syzkaller #0 Not tainted
[ 139.854338][ T9] ------------------------------------------------------
[ 139.857560][ T9] kworker/0:0/9 is trying to acquire lock:
[ 139.874296][ T9] ffff888037511b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 139.883026][ T9]
[ 139.883026][ T9] but task is already holding lock:
[ 139.893561][ T9] ffffc900001b7c60 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9cb/0x18e0
[ 139.898726][ T9]
[ 139.898726][ T9] which lock already depends on the new lock.
[ 139.898726][ T9]
[ 139.913455][ T9]
[ 139.913455][ T9] the existing dependency chain (in reverse order) is:
[ 139.919539][ T9]
[ 139.919539][ T9] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 139.923994][ T9] lock_acquire+0x116/0x2f0
[ 139.926150][ T9] __flush_work+0x75b/0xc60
[ 139.945179][ T9] __cancel_work_sync+0xbc/0x110
[ 139.947500][ T9] l2cap_conn_del+0x507/0x690
[ 139.949749][ T9] hci_conn_hash_flush+0xff/0x240
[ 139.952105][ T9] hci_dev_reset+0x3ed/0x5d0
[ 139.973806][ T9] sock_do_ioctl+0x15a/0x490
[ 139.975956][ T9] sock_ioctl+0x644/0x900
[ 139.978081][ T9] __se_sys_ioctl+0xf1/0x160
[ 139.980340][ T9] do_syscall_64+0xf3/0x230
[ 139.982549][ T9] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 140.005115][ T9]
[ 140.005115][ T9] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 140.011750][ T9] validate_chain+0xa69/0x24e0
[ 140.013905][ T9] __lock_acquire+0xad5/0xd80
[ 140.016129][ T9] lock_acquire+0x116/0x2f0
[ 140.026347][ T9] __mutex_lock+0x1a5/0x10c0
[ 140.030610][ T9] l2cap_info_timeout+0x60/0xa0
[ 140.032900][ T9] process_scheduled_works+0xac3/0x18e0
[ 140.043226][ T9] worker_thread+0x870/0xd50
[ 140.045344][ T9] kthread+0x7b7/0x940
[ 140.047185][ T9] ret_from_fork+0x4b/0x80
[ 140.057377][ T9] ret_from_fork_asm+0x1a/0x30
[ 140.065505][ T9]
[ 140.065505][ T9] other info that might help us debug this:
[ 140.065505][ T9]
[ 140.086812][ T9] Possible unsafe locking scenario:
[ 140.086812][ T9]
[ 140.090360][ T9]        CPU0                    CPU1
[ 140.092912][ T9]        ----                    ----
[ 140.095487][ T9]   lock((work_completion)(&(&conn->info_timer)->work));
[ 140.098823][ T9]                                lock(&conn->lock#2);
[ 140.126103][ T9]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 140.130425][ T9]   lock(&conn->lock#2);
[ 140.132434][ T9]
[ 140.132434][ T9] *** DEADLOCK ***
[ 140.132434][ T9]
[ 140.135997][ T9] 2 locks held by kworker/0:0/9:
[ 140.144135][ T9] #0: ffff88801b074d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x990/0x18e0
[ 140.149637][ T9] #1: ffffc900001b7c60 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9cb/0x18e0
[ 140.172079][ T9]
[ 140.172079][ T9] stack backtrace:
[ 140.179375][ T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.15.0-rc1-syzkaller #0 PREEMPT(full)
[ 140.179393][ T9] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 140.179401][ T9] Workqueue: events l2cap_info_timeout
[ 140.179420][ T9] Call Trace:
[ 140.179427][ T9]
[ 140.179434][ T9] dump_stack_lvl+0x241/0x360
[ 140.179452][ T9] ? __pfx_dump_stack_lvl+0x10/0x10
[ 140.179467][ T9] ? __pfx__printk+0x10/0x10
[ 140.179480][ T9] ? print_lock+0x171/0x1a0
[ 140.179492][ T9] print_circular_bug+0x2e1/0x300
[ 140.179507][ T9] check_noncircular+0x142/0x160
[ 140.179521][ T9] validate_chain+0xa69/0x24e0
[ 140.179538][ T9] __lock_acquire+0xad5/0xd80
[ 140.179549][ T9] lock_acquire+0x116/0x2f0
[ 140.179559][ T9] ? l2cap_info_timeout+0x60/0xa0
[ 140.179580][ T9] __mutex_lock+0x1a5/0x10c0
[ 140.179593][ T9] ? l2cap_info_timeout+0x60/0xa0
[ 140.179605][ T9] ? irqentry_exit+0x63/0x90
[ 140.179616][ T9] ? lockdep_hardirqs_on+0x9d/0x150
[ 140.179627][ T9] ? l2cap_info_timeout+0x60/0xa0
[ 140.179637][ T9] ? __pfx___mutex_lock+0x10/0x10
[ 140.179649][ T9] ? lock_acquire+0x167/0x2f0
[ 140.179662][ T9] l2cap_info_timeout+0x60/0xa0
[ 140.179672][ T9] ? process_scheduled_works+0x9cb/0x18e0
[ 140.179683][ T9] process_scheduled_works+0xac3/0x18e0
[ 140.179700][ T9] ? __pfx_process_scheduled_works+0x10/0x10
[ 140.179714][ T9] ? assign_work+0x367/0x3d0
[ 140.179725][ T9] worker_thread+0x870/0xd50
[ 140.179739][ T9] ? __kthread_parkme+0x1a8/0x200
[ 140.179752][ T9] ? __pfx_worker_thread+0x10/0x10
[ 140.179763][ T9] kthread+0x7b7/0x940
[ 140.179776][ T9] ? __pfx_worker_thread+0x10/0x10
[ 140.179788][ T9] ? __pfx_kthread+0x10/0x10
[ 140.179801][ T9] ? __pfx_kthread+0x10/0x10
[ 140.179813][ T9] ? __pfx_kthread+0x10/0x10
[ 140.179825][ T9] ? __pfx_kthread+0x10/0x10
[ 140.179839][ T9] ? _raw_spin_unlock_irq+0x23/0x50
[ 140.179882][ T9] ? lockdep_hardirqs_on+0x9d/0x150
[ 140.179892][ T9] ? __pfx_kthread+0x10/0x10
[ 140.179906][ T9] ret_from_fork+0x4b/0x80
[ 140.179918][ T9] ? __pfx_kthread+0x10/0x10
[ 140.179930][ T9] ret_from_fork_asm+0x1a/0x30
[ 140.179944][ T9]