program:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6) (async, rerun: 64)
r3 = socket$kcm(0x10, 0x2, 0x0) (rerun: 64)
r4 = socket$key(0xf, 0x3, 0x2) (async)
sendmsg$key(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={0x0}}, 0x0) (async, rerun: 64)
r5 = socket$nl_netfilter(0x10, 0x3, 0xc) (rerun: 64)
sendmsg$NFT_BATCH(r5, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000002c0)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a01020000000000000000010000000900010073797a30000000002c000000030a01080000000000000000010000000900030073797a32000000000900010073797a300000000069000000060a010400000000000000000100000008000b40000000000900010073797a300000000024000480200001800e000100636f6e6e6c696d69740000000c0002800800014000000000140000001100010000000000000000000000000a"], 0xc0}}, 0x0) (async)
r6 = openat$tun(0xffffffffffffff9c, &(0x7f0000000000), 0x40241, 0x0) (async, rerun: 32)
syz_mount_image$minix(&(0x7f0000000180), &(0x7f00000001c0)='./file0\x00', 0x0, &(0x7f0000000200), 0x1, 0x185, &(0x7f0000000580)="$eJzs28tO6lAUxvGvBc7hcG6c+4kjE010IuWmiTN5FAIViUWJOIGYGB/FJ/MFYODImTUWgrYCNiSlgv9fQvZelMVae7DpZlABeLcOJBkylJbkuu7l0aah9bibArAQ7mi8d6e7m3ENwDJLzNr6AFbYoJLw7v9tSTe3F7X+6JUOeX4YVExvfPwf0X+W/2nyx80X+VeGN64l/fkZSZ/DnF+uh/lbgfpfwvY/qp8J5H8NnT9c0vaGP/+bpO+SspJ+SPop6Zek35L+TKhfD9T/H7I+AAAAAABhGMoFY98bpg6bjp0fxykvLozjD15cDMSlcfzRi3O1U6ce1RIAzMl8Zf8nAvs/Gdj/AJZXp9s7rjqOfRbJROmovjnSibJvog0mTKKfpKZcivuXCUDUrPNW2+p0ezvNVrVhN+yTYnl3r1wq7OeLlnfyt/znfwCr4+mmH3cnAAAAAAAAAAAAAABgXn8l/Yu7CQAAAAALsYgnjeJeIwAAAAAAAAAAAAAAq+4hAAD//+dwSQU=") (async, rerun: 32)
syz_clone(0x4008011, 0x0, 0xffffffffffffffe9, 0x0, 0x0, 0x0)
r7 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x105042, 0x1ff) (async)
truncate(&(0x7f0000000000)='./file1\x00', 0x8800000)
mmap$IORING_OFF_SQ_RING(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x5000003, 0x11, r7, 0x0) (async)
r8 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x105042, 0x1ff)
write(r8, &(0x7f0000000280)=')$~', 0x3)
ioctl$TUNSETIFF(r6, 0x400454ca, &(0x7f0000000200)={'syzkaller1\x00', 0xc201}) (async)
r9 = socket$kcm(0x2, 0xa, 0x2)
ioctl$SIOCSIFHWADDR(r9, 0x8914, &(0x7f0000000180)={'syzkaller1\x00', @link_local})
write$tun(r6, &(0x7f0000000240)={@val={0x0, 0x86dd}, @val={0x0, 0x0, 0x11}, @mpls={[], @ipv6=@icmpv6={0x0, 0x6, "ec9700", 0x30, 0x2c, 0x0, @local, @mcast2, {[@fragment={0x3a}], @ndisc_redir={0x89, 0x2, 0x0, '\x00', @private0, @ipv4={'\x00', '\xff\xff', @multicast1}}}}}}, 0xfdef) (async)
sendmsg$key(0xffffffffffffffff, &(0x7f00000001c0)={0x40000000, 0x0, &(0x7f0000000040)={&(0x7f0000000080)=ANY=[@ANYBLOB="02030609100000000000004c9e0000000200130002000000da16c167d803f1f805000600200000000a00060000000000ff0000000000000000001ffeff0001000003f1dc7f7c6e7c0200010000000000004000020000000005000500000000000a"], 0x80}}, 0x0) (async)
r10 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f00000003c0)=ANY=[@ANYBLOB="0200000004000000080000000100000080000000", @ANYRES32=0x0, @ANYBLOB="000000000000000000000000000000000000000074de191c9c2e8affa69b74d3714f555fb37b8880266cb2991901baf31b35a037a6", @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB='\x00'/28], 0x48)
bpf$BPF_MAP_CONST_STR_FREEZE(0x16, &(0x7f00000007c0)={r10}, 0x4) (async)
bpf$PROG_LOAD(0x5, &(0x7f00000004c0)={0x3, 0x10, &(0x7f0000000580)=@framed={{}, [@snprintf={{}, {}, {}, {}, {}, {}, {}, {}, {}, {0x18, 0x3, 0x2, 0x0, r10}, {0x7, 0x0, 0xb, 0x5, 0x0, 0x0, 0x4}}]}, &(0x7f0000000600)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x90)
sendmmsg(r4, &(0x7f0000000180), 0x400008a, 0x0) (async, rerun: 32)
sendmsg$kcm(r3, &(0x7f0000000600)={0x0, 0x0, &(0x7f0000000040)=[{&(0x7f0000000000)="2e00000010008188e6b62aa73772cc9f1ba1f848430000005e140602000000000e000a000f000000028000001294", 0x2e}], 0x1}, 0x0) (rerun: 32)
openat$autofs(0xffffffffffffff9c, &(0x7f0000000100), 0x4000, 0x0)

[   92.581946][ T1355] cfg80211: failed to load regulatory.db
[   92.586504][ T4679] Bluetooth: hci0: command tx timeout
[   92.703780][ T1355] 
[   92.704792][ T1355] ======================================================
[   92.708053][ T1355] WARNING: possible circular locking dependency detected
[   92.710980][ T1355] syzkaller #0 Not tainted
[   92.712890][ T1355] ------------------------------------------------------
[   92.715812][ T1355] kworker/0:3/1355 is trying to acquire lock:
[   92.718338][ T1355] ffff888041014338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[   92.722290][ T1355] 
[   92.722290][ T1355] but task is already holding lock:
[   92.725246][ T1355] ffffc900083efb80 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x1770
[   92.730349][ T1355] 
[   92.730349][ T1355] which lock already depends on the new lock.
[   92.730349][ T1355] 
[   92.734509][ T1355] 
[   92.734509][ T1355] the existing dependency chain (in reverse order) is:
[   92.738434][ T1355] 
[   92.738434][ T1355] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[   92.742838][ T1355]        __flush_work+0x6b8/0xbc0
[   92.745219][ T1355]        __cancel_work_sync+0xbe/0x110
[   92.747528][ T1355]        l2cap_conn_del+0x402/0x5b0
[   92.749989][ T1355]        hci_conn_hash_flush+0x10d/0x260
[   92.752352][ T1355]        hci_dev_close_sync+0x821/0x1100
[   92.754630][ T1355]        hci_dev_close+0x108/0x270
[   92.757013][ T1355]        sock_do_ioctl+0xdc/0x300
[   92.759292][ T1355]        sock_ioctl+0x576/0x790
[   92.761562][ T1355]        __se_sys_ioctl+0xfc/0x170
[   92.763979][ T1355]        do_syscall_64+0xfa/0xf80
[   92.766415][ T1355]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   92.769397][ T1355] 
[   92.769397][ T1355] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[   92.772448][ T1355]        __lock_acquire+0x15a6/0x2cf0
[   92.774761][ T1355]        lock_acquire+0x117/0x340
[   92.777199][ T1355]        __mutex_lock+0x187/0x1350
[   92.779433][ T1355]        l2cap_info_timeout+0x60/0xa0
[   92.781811][ T1355]        process_scheduled_works+0xad1/0x1770
[   92.784464][ T1355]        worker_thread+0x8a0/0xda0
[   92.786717][ T1355]        kthread+0x711/0x8a0
[   92.788736][ T1355]        ret_from_fork+0x599/0xb30
[   92.790996][ T1355]        ret_from_fork_asm+0x1a/0x30
[   92.793975][ T1355] 
[   92.793975][ T1355] other info that might help us debug this:
[   92.793975][ T1355] 
[   92.798836][ T1355]  Possible unsafe locking scenario:
[   92.798836][ T1355] 
[   92.802198][ T1355]        CPU0                    CPU1
[   92.804641][ T1355]        ----                    ----
[   92.807070][ T1355]   lock((work_completion)(&(&conn->info_timer)->work));
[   92.810061][ T1355]                                lock(&conn->lock#2);
[   92.812960][ T1355]                                lock((work_completion)(&(&conn->info_timer)->work));
[   92.817030][ T1355]   lock(&conn->lock#2);
[   92.819080][ T1355] 
[   92.819080][ T1355]  *** DEADLOCK ***
[   92.819080][ T1355] 
[   92.822629][ T1355] 2 locks held by kworker/0:3/1355:
[   92.824782][ T1355]  #0: ffff88801a467548 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x1770
[   92.829148][ T1355]  #1: ffffc900083efb80 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x1770
[   92.835263][ T1355] 
[   92.835263][ T1355] stack backtrace:
[   92.838241][ T1355] CPU: 0 UID: 0 PID: 1355 Comm: kworker/0:3 Not tainted syzkaller #0 PREEMPT(full) 
[   92.838259][ T1355] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   92.838269][ T1355] Workqueue: events l2cap_info_timeout
[   92.838291][ T1355] Call Trace:
[   92.838299][ T1355]  <TASK>
[   92.838306][ T1355]  dump_stack_lvl+0x189/0x250
[   92.838324][ T1355]  ? __pfx_dump_stack_lvl+0x10/0x10
[   92.838337][ T1355]  ? __pfx__printk+0x10/0x10
[   92.838353][ T1355]  ? print_lock_name+0xde/0x100
[   92.838369][ T1355]  print_circular_bug+0x2e2/0x300
[   92.838384][ T1355]  check_noncircular+0x12e/0x150
[   92.838398][ T1355]  __lock_acquire+0x15a6/0x2cf0
[   92.838414][ T1355]  ? l2cap_info_timeout+0x60/0xa0
[   92.838427][ T1355]  lock_acquire+0x117/0x340
[   92.838437][ T1355]  ? l2cap_info_timeout+0x60/0xa0
[   92.838451][ T1355]  ? preempt_schedule_irq+0xde/0x150
[   92.838469][ T1355]  __mutex_lock+0x187/0x1350
[   92.838480][ T1355]  ? l2cap_info_timeout+0x60/0xa0
[   92.838494][ T1355]  ? irqentry_exit+0x5dd/0x660
[   92.838507][ T1355]  ? l2cap_info_timeout+0x60/0xa0
[   92.838520][ T1355]  ? __pfx___mutex_lock+0x10/0x10
[   92.838535][ T1355]  l2cap_info_timeout+0x60/0xa0
[   92.838550][ T1355]  ? process_scheduled_works+0x9ef/0x1770
[   92.838563][ T1355]  process_scheduled_works+0xad1/0x1770
[   92.838579][ T1355]  ? __pfx_process_scheduled_works+0x10/0x10
[   92.838594][ T1355]  worker_thread+0x8a0/0xda0
[   92.838606][ T1355]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   92.838625][ T1355]  ? __kthread_parkme+0x7b/0x200
[   92.838650][ T1355]  kthread+0x711/0x8a0
[   92.838665][ T1355]  ? __pfx_worker_thread+0x10/0x10
[   92.838676][ T1355]  ? __pfx_kthread+0x10/0x10
[   92.838690][ T1355]  ? _raw_spin_unlock_irq+0x23/0x50
[   92.838705][ T1355]  ? lockdep_hardirqs_on+0x98/0x140
[   92.838714][ T1355]  ? __pfx_kthread+0x10/0x10
[   92.838728][ T1355]  ret_from_fork+0x599/0xb30
[   92.838739][ T1355]  ? __pfx_ret_from_fork+0x10/0x10
[   92.838751][ T1355]  ? __pfx_kthread+0x10/0x10
[   92.838764][ T1355]  ret_from_fork_asm+0x1a/0x30
[   92.838783][ T1355]  </TASK>
[   94.654366][ T4679] Bluetooth: hci0: command tx timeout
[   96.735027][ T4679] Bluetooth: hci0: command tx timeout