program:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r0, 0x400448cb, 0x0)
sendmsg(0xffffffffffffffff, &(0x7f0000001180)={0x0, 0x0, &(0x7f0000000680)=[{&(0x7f0000000040)="24000000180003", 0x7}], 0x1}, 0x0)
openat$snapshot(0xffffffffffffff9c, &(0x7f00000002c0), 0x40040, 0x0)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="040e0402030c"], 0x7)

[   73.973566][ T5305] Bluetooth: hci0: command tx timeout
[   73.991650][   T56] 
[   73.993665][   T56] ======================================================
[   73.996857][   T56] WARNING: possible circular locking dependency detected
[   73.999786][   T56] 6.14.0-rc3-syzkaller-00213-g8a61cb6e150e #0 Not tainted
[   74.002627][   T56] ------------------------------------------------------
[   74.007994][   T56] kworker/0:2/56 is trying to acquire lock:
[   74.012317][   T56] ffff888042bae338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[   74.016944][   T56] 
[   74.016944][   T56] but task is already holding lock:
[   74.019849][   T56] ffffc9000103fc60 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9c6/0x18e0
[   74.025845][   T56] 
[   74.025845][   T56] which lock already depends on the new lock.
[   74.025845][   T56] 
[   74.029910][   T56] 
[   74.029910][   T56] the existing dependency chain (in reverse order) is:
[   74.032923][   T56] 
[   74.032923][   T56] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[   74.036798][   T56]        lock_acquire+0x1ed/0x550
[   74.038625][   T56]        __flush_work+0x739/0xc60
[   74.040499][   T56]        __cancel_work_sync+0xbc/0x110
[   74.042930][   T56]        l2cap_conn_del+0x507/0x690
[   74.045445][   T56]        hci_conn_hash_flush+0x1be/0x350
[   74.047956][   T56]        hci_dev_reset+0x3ed/0x5d0
[   74.050109][   T56]        sock_do_ioctl+0x158/0x460
[   74.052454][   T56]        sock_ioctl+0x626/0x8e0
[   74.054686][   T56]        __se_sys_ioctl+0xf5/0x170
[   74.057389][   T56]        do_syscall_64+0xf3/0x230
[   74.059918][   T56]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   74.062557][   T56] 
[   74.062557][   T56] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[   74.066091][   T56]        validate_chain+0x18ef/0x5920
[   74.068754][   T56]        __lock_acquire+0x1397/0x2100
[   74.071366][   T56]        lock_acquire+0x1ed/0x550
[   74.073728][   T56]        __mutex_lock+0x19c/0x1010
[   74.075956][   T56]        l2cap_info_timeout+0x60/0xa0
[   74.078137][   T56]        process_scheduled_works+0xabe/0x18e0
[   74.080388][   T56]        worker_thread+0x870/0xd30
[   74.082262][   T56]        kthread+0x7a9/0x920
[   74.084195][   T56]        ret_from_fork+0x4b/0x80
[   74.086380][   T56]        ret_from_fork_asm+0x1a/0x30
[   74.088744][   T56] 
[   74.088744][   T56] other info that might help us debug this:
[   74.088744][   T56] 
[   74.092978][   T56]  Possible unsafe locking scenario:
[   74.092978][   T56] 
[   74.095694][   T56]        CPU0                    CPU1
[   74.097633][   T56]        ----                    ----
[   74.099690][   T56]   lock((work_completion)(&(&conn->info_timer)->work));
[   74.102568][   T56]                                lock(&conn->lock#2);
[   74.105571][   T56]                                lock((work_completion)(&(&conn->info_timer)->work));
[   74.108792][   T56]   lock(&conn->lock#2);
[   74.110273][   T56] 
[   74.110273][   T56]  *** DEADLOCK ***
[   74.110273][   T56] 
[   74.113219][   T56] 2 locks held by kworker/0:2/56:
[   74.115347][   T56]  #0: ffff88801b074d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x98b/0x18e0
[   74.120500][   T56]  #1: ffffc9000103fc60 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9c6/0x18e0
[   74.125530][   T56] 
[   74.125530][   T56] stack backtrace:
[   74.127941][   T56] CPU: 0 UID: 0 PID: 56 Comm: kworker/0:2 Not tainted 6.14.0-rc3-syzkaller-00213-g8a61cb6e150e #0
[   74.127958][   T56] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   74.127967][   T56] Workqueue: events l2cap_info_timeout
[   74.127986][   T56] Call Trace:
[   74.127994][   T56]  <TASK>
[   74.128000][   T56]  dump_stack_lvl+0x241/0x360
[   74.128014][   T56]  ? __pfx_dump_stack_lvl+0x10/0x10
[   74.128025][   T56]  ? __pfx__printk+0x10/0x10
[   74.128037][   T56]  print_circular_bug+0x13a/0x1b0
[   74.128051][   T56]  check_noncircular+0x36a/0x4a0
[   74.128063][   T56]  ? __pfx_check_noncircular+0x10/0x10
[   74.128073][   T56]  ? lockdep_lock+0x123/0x2b0
[   74.128087][   T56]  ? __lock_acquire+0x1397/0x2100
[   74.128102][   T56]  validate_chain+0x18ef/0x5920
[   74.128116][   T56]  ? __pfx_validate_chain+0x10/0x10
[   74.128125][   T56]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   74.128139][   T56]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[   74.128152][   T56]  ? do_raw_spin_unlock+0x58/0x8b0
[   74.128164][   T56]  ? finish_task_switch+0x1e5/0x870
[   74.128174][   T56]  ? lockdep_hardirqs_on+0x99/0x150
[   74.128188][   T56]  ? finish_task_switch+0x1e5/0x870
[   74.128198][   T56]  ? __schedule+0x1916/0x4c90
[   74.128211][   T56]  ? mark_lock+0x9a/0x360
[   74.128220][   T56]  __lock_acquire+0x1397/0x2100
[   74.128236][   T56]  lock_acquire+0x1ed/0x550
[   74.128249][   T56]  ? l2cap_info_timeout+0x60/0xa0
[   74.128261][   T56]  ? __pfx_lock_acquire+0x10/0x10
[   74.128275][   T56]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[   74.128287][   T56]  ? __pfx___might_resched+0x10/0x10
[   74.128299][   T56]  ? irqentry_exit+0x63/0x90
[   74.128312][   T56]  __mutex_lock+0x19c/0x1010
[   74.128326][   T56]  ? l2cap_info_timeout+0x60/0xa0
[   74.128337][   T56]  ? lock_acquire+0x264/0x550
[   74.128351][   T56]  ? l2cap_info_timeout+0x60/0xa0
[   74.128362][   T56]  ? __pfx___mutex_lock+0x10/0x10
[   74.128374][   T56]  ? lockdep_hardirqs_on_prepare+0x43d/0x780
[   74.128389][   T56]  ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10
[   74.128404][   T56]  l2cap_info_timeout+0x60/0xa0
[   74.128423][   T56]  ? process_scheduled_works+0x9c6/0x18e0
[   74.128436][   T56]  process_scheduled_works+0xabe/0x18e0
[   74.128453][   T56]  ? __pfx_process_scheduled_works+0x10/0x10
[   74.128466][   T56]  ? assign_work+0x364/0x3d0
[   74.128478][   T56]  worker_thread+0x870/0xd30
[   74.128491][   T56]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   74.128505][   T56]  ? __kthread_parkme+0x169/0x1d0
[   74.128518][   T56]  ? __pfx_worker_thread+0x10/0x10
[   74.128530][   T56]  kthread+0x7a9/0x920
[   74.128543][   T56]  ? __pfx_kthread+0x10/0x10
[   74.128557][   T56]  ? __pfx_worker_thread+0x10/0x10
[   74.128569][   T56]  ? __pfx_kthread+0x10/0x10
[   74.128582][   T56]  ? __pfx_kthread+0x10/0x10
[   74.128596][   T56]  ? __pfx_kthread+0x10/0x10
[   74.128609][   T56]  ? _raw_spin_unlock_irq+0x23/0x50
[   74.128619][   T56]  ? lockdep_hardirqs_on+0x99/0x150
[   74.128629][   T56]  ? __pfx_kthread+0x10/0x10
[   74.128643][   T56]  ret_from_fork+0x4b/0x80
[   74.128656][   T56]  ? __pfx_kthread+0x10/0x10
[   74.128669][   T56]  ret_from_fork_asm+0x1a/0x30
[   74.128683][   T56]  </TASK>
[   76.262317][ T1311] ieee802154 phy0 wpan0: encryption failed: -22
[   76.265956][ T1311] ieee802154 phy1 wpan1: encryption failed: -22
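To make the two dependency chains in the report concrete, the following is an added example (this editor's own C code, not part of the syzkaller report and not kernel code): a miniature lock-order checker in the spirit of lockdep, fed the two acquisition orders the "-> #1" and "-> #0" chains record. Lockdep models "wait for this work item" (`__flush_work` under `__cancel_work_sync`) and "this work item is running" (`process_scheduled_works`) as acquisitions of the same pseudo-lock, `(work_completion)(&(&conn->info_timer)->work)`; the ioctl path took that pseudo-lock while holding `&conn->lock#2`, and the worker takes `&conn->lock#2` while the pseudo-lock is held, which closes the cycle. The lock class names, task names and the second "cancel outside the lock" scenario are assumptions made for illustration; that scenario is one generic way to break such an inversion, not a statement about how this particular bug was fixed upstream.

```c
/* Added example: a tiny lockdep-style lock-order checker applied to the two
 * lock classes in the report above. Not kernel code; the scenarios are this
 * example's reconstruction of the "-> #1" and "-> #0" chains. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum lock_class {
    CONN_LOCK,        /* &conn->lock#2, taken by l2cap_info_timeout */
    INFO_TIMER_WORK,  /* lockdep pseudo-lock for info_timer's work item:
                         acquired by flush/cancel_sync and by the worker */
    NLOCKS
};

static const char *lock_name[NLOCKS] = {
    "&conn->lock#2", "(work_completion)(&(&conn->info_timer)->work)"
};

/* dep[a][b] is set once lock b has been acquired while a was held. */
static bool dep[NLOCKS][NLOCKS];

struct task {
    const char *comm;
    int held[NLOCKS];
    int nheld;
};

static void reset_lockdep(void) { memset(dep, 0, sizeof dep); }

/* Is there a recorded chain from -> ... -> to? (depth-first walk) */
static bool reaches(int from, int to, bool *seen)
{
    if (from == to) return true;
    seen[from] = true;
    for (int n = 0; n < NLOCKS; n++)
        if (dep[from][n] && !seen[n] && reaches(n, to, seen))
            return true;
    return false;
}

/* Returns 0 if taking l is consistent with every recorded order,
 * -1 if it would close a cycle (lockdep's "circular locking dependency"). */
static int lock_acquire(struct task *t, int l)
{
    for (int i = 0; i < t->nheld; i++) {
        int h = t->held[i];
        bool seen[NLOCKS] = { false };
        /* Taking l while holding h records h -> l. If l -> ... -> h already
         * exists, the new edge completes a cycle. */
        if (reaches(l, h, seen)) {
            printf("%s: possible circular locking dependency: holding %s, "
                   "trying to acquire %s\n", t->comm, lock_name[h], lock_name[l]);
            return -1;
        }
        dep[h][l] = true;
    }
    t->held[t->nheld++] = l;
    return 0;
}

static void lock_release(struct task *t, int l)
{
    for (int i = 0; i < t->nheld; i++)
        if (t->held[i] == l) { t->held[i] = t->held[--t->nheld]; return; }
}

/* Worker side, as in "-> #0": process_scheduled_works marks the work as
 * running (its completion pseudo-lock), then l2cap_info_timeout takes
 * conn->lock. Returns the checker's verdict for that second acquisition. */
static int run_info_timer_work(struct task *kworker)
{
    lock_acquire(kworker, INFO_TIMER_WORK);
    int rc = lock_acquire(kworker, CONN_LOCK);
    if (rc == 0) lock_release(kworker, CONN_LOCK);
    lock_release(kworker, INFO_TIMER_WORK);
    return rc;
}

/* ioctl side, as in "-> #1": l2cap_conn_del waits for the info timer work
 * (cancel_work_sync) while conn->lock is held; the worker then runs. */
static int scenario_from_report(void)
{
    struct task ioctl_task = { "syz-executor", {0}, 0 };
    struct task kworker = { "kworker/0:2", {0}, 0 };
    reset_lockdep();
    lock_acquire(&ioctl_task, CONN_LOCK);
    lock_acquire(&ioctl_task, INFO_TIMER_WORK);  /* cancel_work_sync under the lock */
    lock_release(&ioctl_task, INFO_TIMER_WORK);
    lock_release(&ioctl_task, CONN_LOCK);
    return run_info_timer_work(&kworker);        /* -1: cycle detected */
}

/* Hypothetical remedy (an assumption for illustration, not the upstream fix):
 * wait for the work only after dropping conn->lock, so the only recorded
 * order is work -> conn->lock and no cycle can form. */
static int scenario_cancel_outside_lock(void)
{
    struct task ioctl_task = { "syz-executor", {0}, 0 };
    struct task kworker = { "kworker/0:2", {0}, 0 };
    reset_lockdep();
    lock_acquire(&ioctl_task, CONN_LOCK);        /* tear down state under the lock */
    lock_release(&ioctl_task, CONN_LOCK);
    lock_acquire(&ioctl_task, INFO_TIMER_WORK);  /* then wait for the work */
    lock_release(&ioctl_task, INFO_TIMER_WORK);
    return run_info_timer_work(&kworker);        /* 0: no cycle */
}

int main(void)
{
    printf("report order: %d\n", scenario_from_report());
    printf("cancel outside lock: %d\n", scenario_cancel_outside_lock());
    return 0;
}
```

The checker keys the verdict on acquisition order alone, exactly as lockdep does: nothing in the report says the two paths actually raced, only that the recorded orders are inconsistent, which is why the warning fires on a single kworker with no observed hang.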