program:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r1 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r1}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ioctl$sock_bt_hci(r0, 0x400448cb, 0x0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f00000004c0)={0xffffffffffffffff, 0xffffffffffffffff})
close(r3)
perf_event_open(&(0x7f0000000380)={0x0, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0, 0xb}, 0x0, 0xca}, 0x0, 0x0, 0xffffffffffffffff, 0x0)
recvmsg$unix(r2, &(0x7f0000000400)={0x0, 0x0, 0x0, 0x0, &(0x7f00000003c0)}, 0x0)
read$FUSE(0xffffffffffffffff, &(0x7f0000000500)={0x2020}, 0x2020)
read$FUSE(0xffffffffffffffff, &(0x7f0000007f80)={0x2020}, 0x2020)
openat$snapshot(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0)

[ 70.339412][ T49] Bluetooth: hci0: command tx timeout
[ 70.423330][ T10]
[ 70.424357][ T10] ======================================================
[ 70.427106][ T10] WARNING: possible circular locking dependency detected
[ 70.429740][ T10] 6.14.0-syzkaller-10514-g7f2ff7b62617 #0 Not tainted
[ 70.432353][ T10] ------------------------------------------------------
[ 70.435018][ T10] kworker/0:1/10 is trying to acquire lock:
[ 70.437293][ T10] ffff8880431c3338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 70.442784][ T10]
[ 70.442784][ T10] but task is already holding lock:
[ 70.445767][ T10] ffffc900001c7c60 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9cb/0x18e0
[ 70.450629][ T10]
[ 70.450629][ T10] which lock already depends on the new lock.
[ 70.450629][ T10]
[ 70.454882][ T10]
[ 70.454882][ T10] the existing dependency chain (in reverse order) is:
[ 70.458299][ T10]
[ 70.458299][ T10] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 70.462380][ T10] lock_acquire+0x116/0x2f0
[ 70.464583][ T10] __flush_work+0x75b/0xc60
[ 70.466638][ T10] __cancel_work_sync+0xbc/0x110
[ 70.468842][ T10] l2cap_conn_del+0x507/0x690
[ 70.470849][ T10] hci_conn_hash_flush+0xff/0x240
[ 70.472870][ T10] hci_dev_reset+0x3ed/0x5d0
[ 70.474657][ T10] sock_do_ioctl+0x15a/0x490
[ 70.476521][ T10] sock_ioctl+0x644/0x900
[ 70.478323][ T10] __se_sys_ioctl+0xf1/0x160
[ 70.480242][ T10] do_syscall_64+0xf3/0x230
[ 70.482118][ T10] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.484784][ T10]
[ 70.484784][ T10] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 70.487795][ T10] validate_chain+0xa69/0x24e0
[ 70.490050][ T10] __lock_acquire+0xad5/0xd80
[ 70.492270][ T10] lock_acquire+0x116/0x2f0
[ 70.494438][ T10] __mutex_lock+0x1a5/0x10c0
[ 70.496533][ T10] l2cap_info_timeout+0x60/0xa0
[ 70.498760][ T10] process_scheduled_works+0xac3/0x18e0
[ 70.501284][ T10] worker_thread+0x870/0xd50
[ 70.503453][ T10] kthread+0x7b7/0x940
[ 70.505383][ T10] ret_from_fork+0x4b/0x80
[ 70.507332][ T10] ret_from_fork_asm+0x1a/0x30
[ 70.509310][ T10]
[ 70.509310][ T10] other info that might help us debug this:
[ 70.509310][ T10]
[ 70.513619][ T10] Possible unsafe locking scenario:
[ 70.513619][ T10]
[ 70.516631][ T10]        CPU0                    CPU1
[ 70.519239][ T10]        ----                    ----
[ 70.521839][ T10]   lock((work_completion)(&(&conn->info_timer)->work));
[ 70.525190][ T10]                                lock(&conn->lock#2);
[ 70.527949][ T10]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 70.531657][ T10]   lock(&conn->lock#2);
[ 70.533537][ T10]
[ 70.533537][ T10] *** DEADLOCK ***
[ 70.533537][ T10]
[ 70.536737][ T10] 2 locks held by kworker/0:1/10:
[ 70.538856][ T10] #0: ffff88801b074d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x990/0x18e0
[ 70.543205][ T10] #1: ffffc900001c7c60 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9cb/0x18e0
[ 70.548388][ T10]
[ 70.548388][ T10] stack backtrace:
[ 70.550934][ T10] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.14.0-syzkaller-10514-g7f2ff7b62617 #0 PREEMPT(full)
[ 70.550945][ T10] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 70.550953][ T10] Workqueue: events l2cap_info_timeout
[ 70.550972][ T10] Call Trace:
[ 70.550979][ T10]
[ 70.550984][ T10] dump_stack_lvl+0x241/0x360
[ 70.551001][ T10] ? __pfx_dump_stack_lvl+0x10/0x10
[ 70.551013][ T10] ? __pfx__printk+0x10/0x10
[ 70.551026][ T10] ? print_lock+0x171/0x1a0
[ 70.551038][ T10] print_circular_bug+0x2e1/0x300
[ 70.551059][ T10] check_noncircular+0x142/0x160
[ 70.551072][ T10] validate_chain+0xa69/0x24e0
[ 70.551087][ T10] __lock_acquire+0xad5/0xd80
[ 70.551098][ T10] lock_acquire+0x116/0x2f0
[ 70.551108][ T10] ? l2cap_info_timeout+0x60/0xa0
[ 70.551122][ T10] __mutex_lock+0x1a5/0x10c0
[ 70.551137][ T10] ? l2cap_info_timeout+0x60/0xa0
[ 70.551150][ T10] ? irqentry_exit+0x63/0x90
[ 70.551162][ T10] ? lockdep_hardirqs_on+0x9d/0x150
[ 70.551175][ T10] ? l2cap_info_timeout+0x60/0xa0
[ 70.551187][ T10] ? __pfx___mutex_lock+0x10/0x10
[ 70.551201][ T10] ? lock_acquire+0x167/0x2f0
[ 70.551212][ T10] l2cap_info_timeout+0x60/0xa0
[ 70.551225][ T10] ? process_scheduled_works+0x9cb/0x18e0
[ 70.551236][ T10] process_scheduled_works+0xac3/0x18e0
[ 70.551251][ T10] ? __pfx_process_scheduled_works+0x10/0x10
[ 70.551264][ T10] ? assign_work+0x367/0x3d0
[ 70.551275][ T10] worker_thread+0x870/0xd50
[ 70.551288][ T10] ? __kthread_parkme+0x1a8/0x200
[ 70.551300][ T10] ? __pfx_worker_thread+0x10/0x10
[ 70.551311][ T10] kthread+0x7b7/0x940
[ 70.551324][ T10] ? __pfx_worker_thread+0x10/0x10
[ 70.551334][ T10] ? __pfx_kthread+0x10/0x10
[ 70.551346][ T10] ? __pfx_kthread+0x10/0x10
[ 70.551358][ T10] ? __pfx_kthread+0x10/0x10
[ 70.551371][ T10] ? __pfx_kthread+0x10/0x10
[ 70.551383][ T10] ? _raw_spin_unlock_irq+0x23/0x50
[ 70.551393][ T10] ? lockdep_hardirqs_on+0x9d/0x150
[ 70.551405][ T10] ? __pfx_kthread+0x10/0x10
[ 70.551417][ T10] ret_from_fork+0x4b/0x80
[ 70.551428][ T10] ? __pfx_kthread+0x10/0x10
[ 70.551440][ T10] ret_from_fork_asm+0x1a/0x30
[ 70.551451][ T10]
[ 76.180331][ T1310] ieee802154 phy0 wpan0: encryption failed: -22
[ 76.182682][ T1310] ieee802154 phy1 wpan1: encryption failed: -22