program:
r0 = openat$dsp(0xffffffffffffff9c, &(0x7f0000000040), 0x801, 0x0)
ioctl$SNDCTL_DSP_SPEED(r0, 0xc0045002, &(0x7f0000000080)=0x40000001)
ioctl$SNDCTL_DSP_SUBDIVIDE(r0, 0xc0045009, &(0x7f0000000000)=0x1)
r1 = socket$kcm(0x10, 0x5, 0x0)
socket$netlink(0x10, 0x3, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000280)={0x18, 0x2078, &(0x7f00000000c0)=ANY=[@ANYRES64=r1, @ANYBLOB="ae428794356b07ad9efe61847c10692bcbb0bebf10917cd950a51fdf80a89336326735f5f82e77c02a2b529b4aab36580fcc858c72e2247d5bc1d24dc610e8be062b50395e60053e09a2dc186b1af29e6cb730c4b546f26f22b8364905f7cd3c0f2a909dad599d9104ac61"], &(0x7f0000000240)='GPL\x00'}, 0x94)
syz_open_dev$I2C(&(0x7f0000000000), 0x1, 0x101182)
syz_usbip_server_init(0x1)
syz_usbip_server_init(0x5)
syz_usbip_server_init(0x1)
syz_usbip_server_init(0x0)
socket$inet_udp(0x2, 0x2, 0x0)
syz_usbip_server_init(0x2)
syz_usbip_server_init(0x0)
syz_usbip_server_init(0x4)
r2 = syz_open_dev$tty1(0xc, 0x4, 0x1)
syz_usb_connect(0x0, 0x24, &(0x7f0000000480)={{0x12, 0x1, 0x201, 0xb7, 0xea, 0x50, 0x8, 0x13d3, 0x3395, 0xd6c5, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x21, 0x7, 0x20, 0x8}}]}}, 0x0)
dup(r2)
syz_open_dev$tty20(0xc, 0x4, 0x1)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000000))
socket$nl_generic(0x10, 0x3, 0x10)
syz_usbip_server_init(0x0)
socket$netlink(0x10, 0x3, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
socket$nl_netfilter(0x10, 0x3, 0xc)
openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='cgroup.freeze\x00', 0x275a, 0x0)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r3, 0x400448cb, 0x0)
openat$snapshot(0xffffffffffffff9c, &(0x7f0000000440), 0x100, 0x0)

[ 83.733241][ T45] Bluetooth: hci0: command tx timeout
[ 83.925383][ T5325] vhci_hcd vhci_hcd.0: pdev(0) rhport(0) sockfd(7)
[ 83.928702][ T5325] vhci_hcd vhci_hcd.0: devid(0) speed(1) speed_str(low-speed)
[ 83.949288][ T5325] vhci_hcd vhci_hcd.0: Device attached
[ 83.958411][ T5325] vhci_hcd vhci_hcd.0: pdev(0) rhport(0) sockfd(9)
[ 83.961518][ T5325] vhci_hcd vhci_hcd.0: devid(0) speed(5) speed_str(super-speed)
[ 83.973846][ T5325] vhci_hcd vhci_hcd.0: Device attached
[ 83.980002][ T5325] vhci_hcd vhci_hcd.0: pdev(0) rhport(1) sockfd(11)
[ 83.983119][ T5325] vhci_hcd vhci_hcd.0: devid(0) speed(1) speed_str(low-speed)
[ 84.003773][ T5325] vhci_hcd vhci_hcd.0: Device attached
[ 84.015602][ T5325] vhci_hcd: Failed attach request for unsupported USB speed: UNKNOWN
[ 84.045483][ T5325] vhci_hcd vhci_hcd.0: pdev(0) rhport(3) sockfd(16)
[ 84.048583][ T5325] vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed)
[ 84.073872][ T5325] vhci_hcd vhci_hcd.0: Device attached
[ 84.086794][ T5325] vhci_hcd: Failed attach request for unsupported USB speed: UNKNOWN
[ 84.125678][ T5325] vhci_hcd vhci_hcd.0: pdev(0) rhport(5) sockfd(20)
[ 84.128871][ T5325] vhci_hcd vhci_hcd.0: devid(0) speed(4) speed_str(wireless)
[ 84.183756][ T5325] vhci_hcd vhci_hcd.0: Device attached
[ 84.206846][ T1230] usb 6-1: new low-speed USB device number 2 using vhci_hcd
[ 84.443865][ T5309] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[ 84.594038][ T5309] usb 5-1: Using ep0 maxpacket: 8
[ 84.626663][ T5325] vhci_hcd: Failed attach request for unsupported USB speed: UNKNOWN
[ 84.646779][ T5325]
[ 84.648003][ T5325] ======================================================
[ 84.651125][ T5325] WARNING: possible circular locking dependency detected
[ 84.654299][ T5325] syzkaller #0 Not tainted
[ 84.656311][ T5325] ------------------------------------------------------
[ 84.659457][ T5325] syz.0.0/5325 is trying to acquire lock:
[ 84.661986][ T5325] ffff888040989840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0x100/0xc50
[ 84.667304][ T5325]
[ 84.667304][ T5325] but task is already holding lock:
[ 84.671198][ T5325] ffff888040989af8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5c0
[ 84.675724][ T5325]
[ 84.675724][ T5325] which lock already depends on the new lock.
[ 84.675724][ T5325]
[ 84.680341][ T5325]
[ 84.680341][ T5325] the existing dependency chain (in reverse order) is:
[ 84.684309][ T5325]
[ 84.684309][ T5325] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[ 84.687303][ T5325]        __mutex_lock+0x19f/0x1300
[ 84.689415][ T5325]        l2cap_info_timeout+0x60/0xa0
[ 84.691874][ T5325]        process_scheduled_works+0xb02/0x1830
[ 84.694731][ T5325]        worker_thread+0xa50/0xfc0
[ 84.697180][ T5325]        kthread+0x388/0x470
[ 84.699618][ T5325]        ret_from_fork+0x51e/0xb90
[ 84.702107][ T5325]        ret_from_fork_asm+0x1a/0x30
[ 84.705096][ T5325]
[ 84.705096][ T5325] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 84.710591][ T5325]        __lock_acquire+0x15a5/0x2cf0
[ 84.713061][ T5325]        lock_acquire+0xf0/0x2e0
[ 84.715377][ T5325]        __flush_work+0x700/0xc50
[ 84.717622][ T5325]        __cancel_work_sync+0xbe/0x110
[ 84.720184][ T5325]        l2cap_conn_del+0x40f/0x5c0
[ 84.722780][ T5325]        hci_conn_hash_flush+0x10d/0x260
[ 84.725930][ T5325]        hci_dev_reset+0x41c/0x6d0
[ 84.728772][ T5325]        sock_do_ioctl+0x101/0x320
[ 84.731113][ T5325]        sock_ioctl+0x5c6/0x7f0
[ 84.733328][ T5325]        __se_sys_ioctl+0xfc/0x170
[ 84.735685][ T5325]        do_syscall_64+0x14d/0xf80
[ 84.737983][ T5325]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.741499][ T5325]
[ 84.741499][ T5325] other info that might help us debug this:
[ 84.741499][ T5325]
[ 84.746760][ T5325]  Possible unsafe locking scenario:
[ 84.746760][ T5325]
[ 84.749988][ T5325]        CPU0                    CPU1
[ 84.752401][ T5325]        ----                    ----
[ 84.754867][ T5325]   lock(&conn->lock#2);
[ 84.756936][ T5325]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 84.762227][ T5325]                                lock(&conn->lock#2);
[ 84.765035][ T5325]   lock((work_completion)(&(&conn->info_timer)->work));
[ 84.767941][ T5325]
[ 84.767941][ T5325]  *** DEADLOCK ***
[ 84.767941][ T5325]
[ 84.771320][ T5325] 6 locks held by syz.0.0/5325:
[ 84.773750][ T5325]  #0: ffff88801cdb4028 (&hdev->srcu){.+.+}-{0:0}, at: __hci_dev_get+0x103/0x270
[ 84.778547][ T5325]  #1: ffff88801cdb4ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_reset+0x153/0x6d0
[ 84.782961][ T5325]  #2: ffff88801cdb40c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_reset+0x1e9/0x6d0
[ 84.787258][ T5325]  #3: ffffffff8fd5b9e8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x260
[ 84.793253][ T5325]  #4: ffff888040989af8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5c0
[ 84.798025][ T5325]  #5: ffffffff8e75e3e0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x100/0xc50
[ 84.802248][ T5325]
[ 84.802248][ T5325] stack backtrace:
[ 84.805002][ T5325] CPU: 0 UID: 0 PID: 5325 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 84.805022][ T5325] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 84.805030][ T5325] Call Trace:
[ 84.805040][ T5325]
[ 84.805046][ T5325]  dump_stack_lvl+0xe8/0x150
[ 84.805069][ T5325]  print_circular_bug+0x2e1/0x300
[ 84.805091][ T5325]  check_noncircular+0x12e/0x150
[ 84.805107][ T5325]  __lock_acquire+0x15a5/0x2cf0
[ 84.805120][ T5325]  ? irqentry_exit+0x59e/0x620
[ 84.805139][ T5325]  ? lockdep_hardirqs_on+0x7a/0x110
[ 84.805153][ T5325]  ? irqentry_exit+0x59e/0x620
[ 84.805169][ T5325]  ? trace_irq_disable+0x3b/0x150
[ 84.805186][ T5325]  lock_acquire+0xf0/0x2e0
[ 84.805199][ T5325]  ? __flush_work+0x100/0xc50
[ 84.805216][ T5325]  ? __flush_work+0x100/0xc50
[ 84.805228][ T5325]  __flush_work+0x700/0xc50
[ 84.805241][ T5325]  ? __flush_work+0x100/0xc50
[ 84.805255][ T5325]  ? __flush_work+0x100/0xc50
[ 84.805270][ T5325]  ? __pfx___flush_work+0x10/0x10
[ 84.805285][ T5325]  ? __pfx_wq_barrier_func+0x10/0x10
[ 84.805301][ T5325]  ? __cancel_work_sync+0x5c/0x110
[ 84.805314][ T5325]  __cancel_work_sync+0xbe/0x110
[ 84.805328][ T5325]  l2cap_conn_del+0x40f/0x5c0
[ 84.805340][ T5325]  ? __pfx_l2cap_disconn_cfm+0x10/0x10
[ 84.805352][ T5325]  hci_conn_hash_flush+0x10d/0x260
[ 84.805368][ T5325]  hci_dev_reset+0x41c/0x6d0
[ 84.805379][ T5325]  ? hci_sock_ioctl+0x5b7/0x940
[ 84.805406][ T5325]  sock_do_ioctl+0x101/0x320
[ 84.805415][ T5325]  ? __pfx_sock_do_ioctl+0x10/0x10
[ 84.805422][ T5325]  ? do_futex+0x395/0x420
[ 84.805435][ T5325]  sock_ioctl+0x5c6/0x7f0
[ 84.805443][ T5325]  ? __pfx_sock_ioctl+0x10/0x10
[ 84.805450][ T5325]  ? __fget_files+0x2a/0x420
[ 84.805461][ T5325]  ? __fget_files+0x3a0/0x420
[ 84.805473][ T5325]  ? __fget_files+0x2a/0x420
[ 84.805485][ T5325]  ? bpf_lsm_file_ioctl+0x9/0x20
[ 84.805496][ T5325]  ? __pfx_sock_ioctl+0x10/0x10
[ 84.805505][ T5325]  __se_sys_ioctl+0xfc/0x170
[ 84.805516][ T5325]  do_syscall_64+0x14d/0xf80
[ 84.805530][ T5325]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.805540][ T5325]  ? clear_bhb_loop+0x40/0x90
[ 84.805553][ T5325]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 84.805566][ T5325] RIP: 0033:0x7fb39f19c799
[ 84.805580][ T5325] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 84.805590][ T5325] RSP: 002b:00007fb3a00dbfe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 84.805603][ T5325] RAX: ffffffffffffffda RBX: 00007fb39f415fa0 RCX: 00007fb39f19c799
[ 84.805612][ T5325] RDX: 0000000000000000 RSI: 00000000400448cb RDI: 0000000000000024
[ 84.805620][ T5325] RBP: 00007fb39f232bd9 R08: 0000000000000000 R09: 0000000000000000
[ 84.805629][ T5325] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 84.805635][ T5325] R13: 00007fb39f416038 R14: 00007fb39f415fa0 R15: 00007ffe93453e48
[ 84.805646][ T5325]
[ 89.604288][ T5309] usb 5-1: unable to get BOS descriptor or descriptor too short
[ 89.608647][ T5309] usb 5-1: unable to read config index 0 descriptor/start: -32
[ 89.612183][ T5309] usb 5-1: chopping to 0 config(s)
[ 89.615575][ T5309] usb 5-1: can't read configurations, error -32
[ 89.743858][ T5309] usb 5-1: new high-speed USB device number 3 using dummy_hcd
[ 89.873848][ T5309] usb 5-1: device descriptor read/64, error -32
[ 89.983948][ T5309] usb usb5-port1: attempt power cycle
[ 90.324221][ T5309] usb 5-1: new high-speed USB device number 4 using dummy_hcd
[ 90.344247][ T5309] usb 5-1: device descriptor read/8, error -32
[ 90.583808][ T5309] usb 5-1: new high-speed USB device number 5 using dummy_hcd
[ 90.604153][ T5309] usb 5-1: device descriptor read/8, error -32