program:
r0 = socket$nl_rdma(0x10, 0x3, 0x14)
sendmsg$RDMA_NLDEV_CMD_PORT_GET(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000580)={0x10, 0x1417, 0x92b4a6c53add79b5}, 0x10}}, 0x0)
syz_mount_image$ext4(&(0x7f0000000040)='ext4\x00', &(0x7f0000000000)='./bus\x00', 0x4006, &(0x7f00000001c0)={[{@i_version}, {@nombcache}, {@debug_want_extra_isize={'debug_want_extra_isize', 0x3d, 0x68}}, {@lazytime}, {@block_validity}, {@quota}]}, 0x1, 0x443, &(0x7f0000001040)="$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")
syz_open_dev$midi(&(0x7f0000000000), 0x20000000000003, 0x129a00)
openat$snapshot(0xffffffffffffff9c, &(0x7f00000002c0), 0x40, 0x0)
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="043ef502"], 0xf8)
openat(0xffffffffffffff9c, &(0x7f0000000100)='./file1\x00', 0x0, 0x0)

[   85.065730][ T4685] Bluetooth: hci0: command tx timeout
[   85.142976][ T5345] loop0: detected capacity change from 0 to 512
[   85.154758][ T5345] EXT4-fs: Ignoring removed i_version option
[   85.165809][ T5345] EXT4-fs: Warning: mounting with data=journal disables delayed allocation, dioread_nolock, O_DIRECT and fast_commit support!
[   85.170942][ T5345] EXT4-fs (loop0): encrypted files will use data=ordered instead of data journaling mode
[   85.202652][ T5345] EXT4-fs warning (device loop0): ext4_expand_extra_isize_ea:2848: Unable to expand inode 15. Delete some EAs or run e2fsck.
[   85.211615][ T5345] EXT4-fs (loop0): 1 truncate cleaned up
[   85.215762][ T5345] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback.
[   85.274181][ T4685] Bluetooth: hci0: unknown advertising packet type: 0x6d
[   85.274226][ T4685] Bluetooth: hci0: unknown advertising packet type: 0x78
[   85.278450][ T4685] Bluetooth: hci0: Dropping invalid advertising data
[   85.285451][ T4685] Bluetooth: hci0: Malformed LE Event: 0x02
[   85.289701][ T5346] EXT4-fs error (device loop0): ext4_find_extent:903: inode #15: comm syz.0.0: inode has invalid extent depth: 25964
[   85.297208][ T5346] fs-verity (loop0, inode 15): Error -117 getting verity descriptor size
[   85.954033][ T5345] Bluetooth: hci0: Opcode 0x0c1a failed: -4
[   85.956887][ T5345] Bluetooth: hci0: Opcode 0x0406 failed: -4
[   85.959897][    T9]
[   85.961004][    T9] ======================================================
[   85.963870][    T9] WARNING: possible circular locking dependency detected
[   85.966860][    T9] 6.16.0-rc5-syzkaller-00276-g5d5d62298b8b #0 Not tainted
[   85.970028][    T9] ------------------------------------------------------
[   85.973382][    T9] kworker/0:0/9 is trying to acquire lock:
[   85.976149][    T9] ffff88803f557b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[   85.980064][    T9]
[   85.980064][    T9] but task is already holding lock:
[   85.983077][    T9] ffffc900001b7bc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0
[   85.988390][    T9]
[   85.988390][    T9] which lock already depends on the new lock.
[   85.988390][    T9]
[   85.992920][    T9]
[   85.992920][    T9] the existing dependency chain (in reverse order) is:
[   85.996864][    T9]
[   85.996864][    T9] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[   86.001899][    T9]        lock_acquire+0x120/0x360
[   86.003886][    T9]        __flush_work+0x6b8/0xbc0
[   86.006057][    T9]        __cancel_work_sync+0xbe/0x110
[   86.008520][    T9]        l2cap_conn_del+0x4f0/0x680
[   86.010843][    T9]        l2cap_connect_cfm+0x11d/0x1040
[   86.013356][    T9]        hci_conn_failed+0x1cb/0x310
[   86.015770][    T9]        hci_abort_conn_sync+0x5d1/0xdf0
[   86.018209][    T9]        hci_disconnect_all_sync+0x1b5/0x350
[   86.021102][    T9]        hci_suspend_sync+0x3b8/0xc00
[   86.023387][    T9]        hci_suspend_dev+0x28d/0x4d0
[   86.025859][    T9]        hci_suspend_notifier+0xf2/0x290
[   86.029167][    T9]        notifier_call_chain+0x1b3/0x3e0
[   86.032387][    T9]        blocking_notifier_call_chain_robust+0x85/0x100
[   86.036219][    T9]        pm_notifier_call_chain_robust+0x2c/0x60
[   86.039349][    T9]        snapshot_open+0x19c/0x280
[   86.041999][    T9]        misc_open+0x2bc/0x330
[   86.044273][    T9]        chrdev_open+0x4cc/0x5e0
[   86.046730][    T9]        do_dentry_open+0xdf3/0x1970
[   86.049077][    T9]        vfs_open+0x3b/0x340
[   86.051154][    T9]        path_openat+0x2ee5/0x3830
[   86.053229][    T9]        do_filp_open+0x1fa/0x410
[   86.055331][    T9]        do_sys_openat2+0x121/0x1c0
[   86.057720][    T9]        __x64_sys_openat+0x138/0x170
[   86.060030][    T9]        do_syscall_64+0xfa/0x3b0
[   86.062324][    T9]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.065256][    T9]
[   86.065256][    T9] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[   86.069328][    T9]        validate_chain+0xb9b/0x2140
[   86.071670][    T9]        __lock_acquire+0xab9/0xd20
[   86.073913][    T9]        lock_acquire+0x120/0x360
[   86.076031][    T9]        __mutex_lock+0x182/0xe80
[   86.078369][    T9]        l2cap_info_timeout+0x60/0xa0
[   86.080762][    T9]        process_scheduled_works+0xae1/0x17b0
[   86.083257][    T9]        worker_thread+0x8a0/0xda0
[   86.085342][    T9]        kthread+0x70e/0x8a0
[   86.087397][    T9]        ret_from_fork+0x3fc/0x770
[   86.089373][    T9]        ret_from_fork_asm+0x1a/0x30
[   86.091587][    T9]
[   86.091587][    T9] other info that might help us debug this:
[   86.091587][    T9]
[   86.095903][    T9]  Possible unsafe locking scenario:
[   86.095903][    T9]
[   86.099241][    T9]        CPU0                    CPU1
[   86.101631][    T9]        ----                    ----
[   86.104033][    T9]   lock((work_completion)(&(&conn->info_timer)->work));
[   86.106729][    T9]                                lock(&conn->lock#2);
[   86.109723][    T9]                                lock((work_completion)(&(&conn->info_timer)->work));
[   86.114175][    T9]   lock(&conn->lock#2);
[   86.116194][    T9]
[   86.116194][    T9]  *** DEADLOCK ***
[   86.116194][    T9]
[   86.119801][    T9] 2 locks held by kworker/0:0/9:
[   86.121723][    T9]  #0: ffff88801a474d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0
[   86.126181][    T9]  #1: ffffc900001b7bc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0
[   86.131475][    T9]
[   86.131475][    T9] stack backtrace:
[   86.133937][    T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.16.0-rc5-syzkaller-00276-g5d5d62298b8b #0 PREEMPT(full)
[   86.133954][    T9] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   86.133964][    T9] Workqueue: events l2cap_info_timeout
[   86.133983][    T9] Call Trace:
[   86.133991][    T9]
[   86.133996][    T9]  dump_stack_lvl+0x189/0x250
[   86.134007][    T9]  ? __pfx_dump_stack_lvl+0x10/0x10
[   86.134015][    T9]  ? __pfx__printk+0x10/0x10
[   86.134030][    T9]  ? print_lock_name+0xde/0x100
[   86.134043][    T9]  print_circular_bug+0x2ee/0x310
[   86.134058][    T9]  check_noncircular+0x134/0x160
[   86.134073][    T9]  validate_chain+0xb9b/0x2140
[   86.134087][    T9]  ? ret_from_fork_asm+0x1a/0x30
[   86.134103][    T9]  __lock_acquire+0xab9/0xd20
[   86.134116][    T9]  ? l2cap_info_timeout+0x60/0xa0
[   86.134126][    T9]  lock_acquire+0x120/0x360
[   86.134136][    T9]  ? l2cap_info_timeout+0x60/0xa0
[   86.134151][    T9]  __mutex_lock+0x182/0xe80
[   86.134161][    T9]  ? l2cap_info_timeout+0x60/0xa0
[   86.134169][    T9]  ? irqentry_exit+0x74/0x90
[   86.134178][    T9]  ? lockdep_hardirqs_on+0x9c/0x150
[   86.134193][    T9]  ? l2cap_info_timeout+0x60/0xa0
[   86.134205][    T9]  ? __pfx___mutex_lock+0x10/0x10
[   86.134219][    T9]  l2cap_info_timeout+0x60/0xa0
[   86.134230][    T9]  ? process_scheduled_works+0x9ef/0x17b0
[   86.134243][    T9]  process_scheduled_works+0xae1/0x17b0
[   86.134259][    T9]  ? __pfx_process_scheduled_works+0x10/0x10
[   86.134274][    T9]  worker_thread+0x8a0/0xda0
[   86.134290][    T9]  kthread+0x70e/0x8a0
[   86.134305][    T9]  ? __pfx_worker_thread+0x10/0x10
[   86.134317][    T9]  ? __pfx_kthread+0x10/0x10
[   86.134332][    T9]  ? _raw_spin_unlock_irq+0x23/0x50
[   86.134346][    T9]  ? lockdep_hardirqs_on+0x9c/0x150
[   86.134360][    T9]  ? __pfx_kthread+0x10/0x10
[   86.134375][    T9]  ret_from_fork+0x3fc/0x770
[   86.134387][    T9]  ? __pfx_ret_from_fork+0x10/0x10
[   86.134399][    T9]  ? __pfx_kthread+0x10/0x10
[   86.134412][    T9]  ret_from_fork_asm+0x1a/0x30
[   86.134429][    T9]
[   86.648082][   T10] cfg80211: failed to load regulatory.db
[   87.283974][ T4685] Bluetooth: hci0: command 0x040f tx timeout
[   89.364409][ T4685] Bluetooth: hci0: command 0x040f tx timeout
[   91.443878][ T4685] Bluetooth: hci0: command 0x040f tx timeout