program:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
setsockopt$bt_BT_DEFER_SETUP(r0, 0x112, 0x7, &(0x7f0000000000)=0x1, 0x4)
connect$bt_l2cap(r0, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7}, 0xe)
r1 = socket$inet_sctp(0x2, 0x5, 0x84)
setsockopt$inet_sctp_SCTP_PEER_ADDR_PARAMS(r1, 0x84, 0x25, &(0x7f0000000080)={0x0, @in={{0x2, 0xfffc, @multicast2}}, 0x0, 0x0, 0x0, 0x2000}, 0x9c)
r2 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6)
r3 = openat$snapshot(0xffffffffffffff9c, &(0x7f0000000040), 0x40, 0x0)
ioctl$SNAPSHOT_AVAIL_SWAP_SIZE(r3, 0x80083313, &(0x7f0000000180))
ioctl$sock_bt_hidp_HIDPCONNADD(r2, 0x400448c8, &(0x7f00000000c0)={r0, r0, 0x206, 0x0, 0x0, 0x2, 0x4e, 0x1, 0x3, 0x3, 0x0, 0x8, 'syz1\x00'})

[   75.539021][ T4665] Bluetooth: hci0: command tx timeout
[   75.683473][ T5318] input: Bluetooth HID Boot Protocol Device as /devices/virtual/bluetooth/hci0/hci0:200/input5
[   76.309397][ T1312] ieee802154 phy0 wpan0: encryption failed: -22
[   76.312838][ T1312] ieee802154 phy1 wpan1: encryption failed: -22
[   76.451577][ T5317] Bluetooth: hci0: Opcode 0x0c1a failed: -4
[   76.455010][ T5317] Bluetooth: hci0: Opcode 0x0406 failed: -4
[   76.561908][ T5317] 
[   76.563898][ T5317] ======================================================
[   76.569042][ T5317] WARNING: possible circular locking dependency detected
[   76.579071][ T5317] syzkaller #0 Not tainted
[   76.581607][ T5317] ------------------------------------------------------
[   76.584449][ T5317] syz.0.0/5317 is trying to acquire lock:
[   76.597037][ T5317] ffff88801a13f040 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0
[   76.602180][ T5317] 
[   76.602180][ T5317] but task is already holding lock:
[   76.605453][ T5317] ffff88801a13f338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[   76.619794][ T5317] 
[   76.619794][ T5317] which lock already depends on the new lock.
[   76.619794][ T5317] 
[   76.624514][ T5317] 
[   76.624514][ T5317] the existing dependency chain (in reverse order) is:
[   76.638937][ T5317] 
[   76.638937][ T5317] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[   76.643146][ T5317]        lock_acquire+0x120/0x360
[   76.647408][ T5317]        __mutex_lock+0x187/0x1350
[   76.658687][ T5317]        l2cap_info_timeout+0x60/0xa0
[   76.661092][ T5317]        process_scheduled_works+0xae1/0x17b0
[   76.664909][ T5317]        worker_thread+0x8a0/0xda0
[   76.669865][ T5317]        kthread+0x711/0x8a0
[   76.707143][ T5317]        ret_from_fork+0x4bc/0x870
[   76.711185][ T5317]        ret_from_fork_asm+0x1a/0x30
[   76.713644][ T5317] 
[   76.713644][ T5317] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[   76.736558][ T5317]        validate_chain+0xb9b/0x2140
[   76.739098][ T5317]        __lock_acquire+0xab9/0xd20
[   76.744023][ T5317]        lock_acquire+0x120/0x360
[   76.757237][ T5317]        __flush_work+0x6b8/0xbc0
[   76.759690][ T5317]        __cancel_work_sync+0xbe/0x110
[   76.761941][ T5317]        l2cap_conn_del+0x4f0/0x680
[   76.764512][ T5317]        l2cap_connect_cfm+0x11d/0x1040
[   76.769268][ T5317]        hci_conn_failed+0x1ce/0x310
[   76.786788][ T5317]        hci_abort_conn_sync+0x658/0xe30
[   76.790353][ T5317]        hci_disconnect_all_sync+0x1b5/0x350
[   76.793140][ T5317]        hci_suspend_sync+0x3fc/0xc60
[   76.795585][ T5317]        hci_suspend_dev+0x28d/0x4d0
[   76.818367][ T5317]        hci_suspend_notifier+0xf2/0x290
[   76.821031][ T5317]        notifier_call_chain+0x1b6/0x3e0
[   76.848072][ T5317]        blocking_notifier_call_chain_robust+0x85/0x100
[   76.851128][ T5317]        pm_notifier_call_chain_robust+0x2c/0x60
[   76.853979][ T5317]        snapshot_open+0x19c/0x280
[   76.886359][ T5317]        misc_open+0x2d5/0x350
[   76.888717][ T5317]        chrdev_open+0x4cc/0x5e0
[   76.891035][ T5317]        do_dentry_open+0x953/0x13f0
[   76.899298][ T5317]        vfs_open+0x3b/0x340
[   76.901444][ T5317]        path_openat+0x2ee5/0x3830
[   76.903738][ T5317]        do_filp_open+0x1fa/0x410
[   76.916231][ T5317]        do_sys_openat2+0x121/0x1c0
[   76.926227][ T5317]        __x64_sys_openat+0x138/0x170
[   76.931759][ T5317]        do_syscall_64+0xfa/0xfa0
[   76.936673][ T5317]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.947534][ T5317] 
[   76.947534][ T5317] other info that might help us debug this:
[   76.947534][ T5317] 
[   76.962080][ T5317]  Possible unsafe locking scenario:
[   76.962080][ T5317] 
[   76.965338][ T5317]        CPU0                    CPU1
[   76.970091][ T5317]        ----                    ----
[   76.973121][ T5317]   lock(&conn->lock#2);
[   76.977877][ T5317]                                lock((work_completion)(&(&conn->info_timer)->work));
[   76.983170][ T5317]                                lock(&conn->lock#2);
[   76.987136][ T5317]   lock((work_completion)(&(&conn->info_timer)->work));
[   76.990946][ T5317] 
[   76.990946][ T5317]  *** DEADLOCK ***
[   76.990946][ T5317] 
[   76.997187][ T5317] 8 locks held by syz.0.0/5317:
[   77.000119][ T5317]  #0: ffffffff8e98cba8 (misc_mtx){+.+.}-{4:4}, at: misc_open+0x51/0x350
[   77.019005][ T5317]  #1: ffffffff8dfed0a8 (system_transition_mutex){+.+.}-{4:4}, at: lock_system_sleep+0x4a/0x70
[   77.045383][ T5317]  #2: ffffffff8e0107b0 ((pm_chain_head).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain_robust+0x65/0x100
[   77.050195][ T5317]  #3: ffff88803600cdc8 (&hdev->req_lock){+.+.}-{4:4}, at: hci_suspend_dev+0x285/0x4d0
[   77.053995][ T5317]  #4: ffff88803600c0b8 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x242/0xe30
[   77.058277][ T5317]  #5: ffffffff8f64af28 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_failed+0x165/0x310
[   77.080424][ T5317]  #6: ffff88801a13f338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[   77.086897][ T5317]  #7: ffffffff8e13d2e0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0
[   77.091076][ T5317] 
[   77.091076][ T5317] stack backtrace:
[   77.096123][ T5317] CPU: 0 UID: 0 PID: 5317 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   77.096360][ T5317] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   77.096476][ T5317] Call Trace:
[   77.096584][ T5317]  <TASK>
[   77.096592][ T5317]  dump_stack_lvl+0x189/0x250
[   77.096612][ T5317]  ? __pfx_dump_stack_lvl+0x10/0x10
[   77.096623][ T5317]  ? __pfx__printk+0x10/0x10
[   77.096635][ T5317]  ? print_lock_name+0xde/0x100
[   77.096647][ T5317]  print_circular_bug+0x2ee/0x310
[   77.096665][ T5317]  check_noncircular+0x134/0x160
[   77.096681][ T5317]  validate_chain+0xb9b/0x2140
[   77.096696][ T5317]  ? do_raw_spin_lock+0x121/0x290
[   77.096709][ T5317]  ? look_up_lock_class+0x74/0x170
[   77.096754][ T5317]  ? register_lock_class+0x51/0x320
[   77.096777][ T5317]  __lock_acquire+0xab9/0xd20
[   77.096792][ T5317]  ? __flush_work+0xd2/0xbc0
[   77.096801][ T5317]  lock_acquire+0x120/0x360
[   77.096812][ T5317]  ? __flush_work+0xd2/0xbc0
[   77.096823][ T5317]  ? _raw_spin_unlock_irq+0x23/0x50
[   77.096839][ T5317]  ? __flush_work+0xd2/0xbc0
[   77.096850][ T5317]  __flush_work+0x6b8/0xbc0
[   77.096860][ T5317]  ? __flush_work+0xd2/0xbc0
[   77.096870][ T5317]  ? __flush_work+0xd2/0xbc0
[   77.096880][ T5317]  ? __pfx___flush_work+0x10/0x10
[   77.096891][ T5317]  ? __pfx_wq_barrier_func+0x10/0x10
[   77.096909][ T5317]  ? __pfx___cancel_work+0x10/0x10
[   77.096918][ T5317]  ? hci_conn_drop+0x14d/0x280
[   77.096932][ T5317]  __cancel_work_sync+0xbe/0x110
[   77.096942][ T5317]  l2cap_conn_del+0x4f0/0x680
[   77.097012][ T5317]  l2cap_connect_cfm+0x11d/0x1040
[   77.097027][ T5317]  ? __pfx_l2cap_connect_cfm+0x10/0x10
[   77.097041][ T5317]  ? __pfx_l2cap_connect_cfm+0x10/0x10
[   77.097052][ T5317]  hci_conn_failed+0x1ce/0x310
[   77.097063][ T5317]  ? hci_abort_conn_sync+0x24e/0xe30
[   77.097074][ T5317]  hci_abort_conn_sync+0x658/0xe30
[   77.097085][ T5317]  ? __lock_acquire+0xab9/0xd20
[   77.097100][ T5317]  ? __pfx_hci_abort_conn_sync+0x10/0x10
[   77.097110][ T5317]  ? hci_disconnect_all_sync+0x2e/0x350
[   77.097122][ T5317]  ? hci_disconnect_all_sync+0x2e/0x350
[   77.097132][ T5317]  ? hci_disconnect_all_sync+0x2e/0x350
[   77.097143][ T5317]  hci_disconnect_all_sync+0x1b5/0x350
[   77.097156][ T5317]  hci_suspend_sync+0x3fc/0xc60
[   77.097167][ T5317]  ? __pfx___mutex_lock+0x10/0x10
[   77.097178][ T5317]  ? enable_work+0x258/0x2c0
[   77.097187][ T5317]  ? __pfx_hci_suspend_sync+0x10/0x10
[   77.097199][ T5317]  ? mgmt_pending_find+0x152/0x170
[   77.097210][ T5317]  ? hci_cmd_sync_cancel_sync+0xc9/0x190
[   77.097225][ T5317]  hci_suspend_dev+0x28d/0x4d0
[   77.097240][ T5317]  ? __pfx_hci_suspend_dev+0x10/0x10
[   77.097251][ T5317]  ? rcu_barrier+0x474/0x570
[   77.097262][ T5317]  hci_suspend_notifier+0xf2/0x290
[   77.097277][ T5317]  notifier_call_chain+0x1b6/0x3e0
[   77.097293][ T5317]  blocking_notifier_call_chain_robust+0x85/0x100
[   77.097307][ T5317]  pm_notifier_call_chain_robust+0x2c/0x60
[   77.097318][ T5317]  snapshot_open+0x19c/0x280
[   77.097330][ T5317]  ? __pfx_snapshot_open+0x10/0x10
[   77.097340][ T5317]  misc_open+0x2d5/0x350
[   77.097443][ T5317]  chrdev_open+0x4cc/0x5e0
[   77.097465][ T5317]  ? __pfx_chrdev_open+0x10/0x10
[   77.097480][ T5317]  ? fsnotify_open_perm_and_set_mode+0x113/0x610
[   77.097502][ T5317]  ? __pfx_chrdev_open+0x10/0x10
[   77.097514][ T5317]  do_dentry_open+0x953/0x13f0
[   77.097536][ T5317]  vfs_open+0x3b/0x340
[   77.097554][ T5317]  ? path_openat+0x2ecd/0x3830
[   77.097576][ T5317]  path_openat+0x2ee5/0x3830
[   77.097605][ T5317]  ? __pfx_path_openat+0x10/0x10
[   77.097629][ T5317]  do_filp_open+0x1fa/0x410
[   77.097647][ T5317]  ? __lock_acquire+0xab9/0xd20
[   77.097667][ T5317]  ? __pfx_do_filp_open+0x10/0x10
[   77.097695][ T5317]  ? _raw_spin_unlock+0x28/0x50
[   77.097717][ T5317]  ? alloc_fd+0x64c/0x6c0
[   77.097785][ T5317]  do_sys_openat2+0x121/0x1c0
[   77.097812][ T5317]  ? __pfx_do_sys_openat2+0x10/0x10
[   77.097839][ T5317]  ? rcu_is_watching+0x15/0xb0
[   77.097864][ T5317]  __x64_sys_openat+0x138/0x170
[   77.097885][ T5317]  do_syscall_64+0xfa/0xfa0
[   77.098200][ T5317]  ? lockdep_hardirqs_on+0x9c/0x150
[   77.098221][ T5317]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   77.098232][ T5317]  ? clear_bhb_loop+0x60/0xb0
[   77.098244][ T5317]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   77.098255][ T5317] RIP: 0033:0x7f388cf8eec9
[   77.098327][ T5317] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   77.098339][ T5317] RSP: 002b:00007f388dd72038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[   77.098352][ T5317] RAX: ffffffffffffffda RBX: 00007f388d1e5fa0 RCX: 00007f388cf8eec9
[   77.098360][ T5317] RDX: 0000000000000040 RSI: 0000200000000040 RDI: ffffffffffffff9c
[   77.098368][ T5317] RBP: 00007f388d011f91 R08: 0000000000000000 R09: 0000000000000000
[   77.098376][ T5317] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   77.098382][ T5317] R13: 00007f388d1e6038 R14: 00007f388d1e5fa0 R15: 00007ffda719f108
[   77.098394][ T5317]  </TASK>
[   77.723819][ T5297] Bluetooth: hci0: command 0x040f tx timeout
[   79.746339][ T5297] Bluetooth: hci0: command 0x040f tx timeout
[   81.825966][ T5297] Bluetooth: hci0: command 0x040f tx timeout