program:
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000040)=ANY=[@ANYBLOB="1c00000018000800"], 0x1c}}, 0x4)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r0, 0x400448cb, 0x0)
openat$snapshot(0xffffffffffffff9c, &(0x7f00000002c0), 0x40040, 0x0)
syz_emit_vhci(&(0x7f0000000040)=ANY=[@ANYBLOB="040e0402030c"], 0x7)

[ 83.340994][ T1312] ieee802154 phy0 wpan0: encryption failed: -22
[ 83.343822][ T1312] ieee802154 phy1 wpan1: encryption failed: -22
[ 83.346958][ T4669] Bluetooth: hci0: command tx timeout
[ 83.555321][ T9]
[ 83.556387][ T9] ======================================================
[ 83.569654][ T9] WARNING: possible circular locking dependency detected
[ 83.581120][ T9] 6.15.0-rc1-syzkaller-00065-g3b07108ada81 #0 Not tainted
[ 83.584962][ T9] ------------------------------------------------------
[ 83.589408][ T9] kworker/0:0/9 is trying to acquire lock:
[ 83.599850][ T9] ffff88803f92ab38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 83.604673][ T9]
[ 83.604673][ T9] but task is already holding lock:
[ 83.608164][ T9] ffffc900001b7c60 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9cb/0x18e0
[ 83.620379][ T9]
[ 83.620379][ T9] which lock already depends on the new lock.
[ 83.620379][ T9]
[ 83.624904][ T9]
[ 83.624904][ T9] the existing dependency chain (in reverse order) is:
[ 83.628240][ T9]
[ 83.628240][ T9] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 83.651794][ T9] lock_acquire+0x116/0x2f0
[ 83.654490][ T9] __flush_work+0x75b/0xc60
[ 83.657370][ T9] __cancel_work_sync+0xbc/0x110
[ 83.660525][ T9] l2cap_conn_del+0x507/0x690
[ 83.670791][ T9] hci_conn_hash_flush+0xff/0x240
[ 83.672868][ T9] hci_dev_reset+0x3ed/0x5d0
[ 83.674683][ T9] sock_do_ioctl+0x15a/0x490
[ 83.691339][ T9] sock_ioctl+0x644/0x900
[ 83.694220][ T9] __se_sys_ioctl+0xf1/0x160
[ 83.697195][ T9] do_syscall_64+0xf3/0x230
[ 83.699930][ T9] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 83.703818][ T9]
[ 83.703818][ T9] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 83.707864][ T9] validate_chain+0xa69/0x24e0
[ 83.726002][ T9] __lock_acquire+0xad5/0xd80
[ 83.730624][ T9] lock_acquire+0x116/0x2f0
[ 83.735003][ T9] __mutex_lock+0x1a5/0x10c0
[ 83.738437][ T9] l2cap_info_timeout+0x60/0xa0
[ 83.741989][ T9] process_scheduled_works+0xac3/0x18e0
[ 83.746079][ T9] worker_thread+0x870/0xd50
[ 83.750869][ T9] kthread+0x7b7/0x940
[ 83.763061][ T9] ret_from_fork+0x4b/0x80
[ 83.764972][ T9] ret_from_fork_asm+0x1a/0x30
[ 83.767076][ T9]
[ 83.767076][ T9] other info that might help us debug this:
[ 83.767076][ T9]
[ 83.771144][ T9] Possible unsafe locking scenario:
[ 83.771144][ T9]
[ 83.774575][ T9] CPU0 CPU1
[ 83.793644][ T9] ---- ----
[ 83.796319][ T9] lock((work_completion)(&(&conn->info_timer)->work));
[ 83.803243][ T9] lock(&conn->lock#2);
[ 83.811606][ T9] lock((work_completion)(&(&conn->info_timer)->work));
[ 83.815837][ T9] lock(&conn->lock#2);
[ 83.821926][ T9]
[ 83.821926][ T9] *** DEADLOCK ***
[ 83.821926][ T9]
[ 83.831969][ T9] 2 locks held by kworker/0:0/9:
[ 83.833638][ T9] #0: ffff88801b074d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x990/0x18e0
[ 83.837389][ T9] #1: ffffc900001b7c60 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9cb/0x18e0
[ 83.874849][ T9]
[ 83.874849][ T9] stack backtrace:
[ 83.887140][ T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.15.0-rc1-syzkaller-00065-g3b07108ada81 #0 PREEMPT(full)
[ 83.887160][ T9] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 83.887169][ T9] Workqueue: events l2cap_info_timeout
[ 83.887190][ T9] Call Trace:
[ 83.887199][ T9]
[ 83.887206][ T9] dump_stack_lvl+0x241/0x360
[ 83.887224][ T9] ? __pfx_dump_stack_lvl+0x10/0x10
[ 83.887237][ T9] ? __pfx__printk+0x10/0x10
[ 83.887251][ T9] ? print_lock+0x171/0x1a0
[ 83.887265][ T9] print_circular_bug+0x2e1/0x300
[ 83.887279][ T9] check_noncircular+0x142/0x160
[ 83.887293][ T9] validate_chain+0xa69/0x24e0
[ 83.887309][ T9] __lock_acquire+0xad5/0xd80
[ 83.887321][ T9] lock_acquire+0x116/0x2f0
[ 83.887331][ T9] ? l2cap_info_timeout+0x60/0xa0
[ 83.887343][ T9] __mutex_lock+0x1a5/0x10c0
[ 83.887357][ T9] ? l2cap_info_timeout+0x60/0xa0
[ 83.887368][ T9] ? irqentry_exit+0x63/0x90
[ 83.887379][ T9] ? lockdep_hardirqs_on+0x9d/0x150
[ 83.887390][ T9] ? l2cap_info_timeout+0x60/0xa0
[ 83.887400][ T9] ? __pfx___mutex_lock+0x10/0x10
[ 83.887412][ T9] ? lock_acquire+0x167/0x2f0
[ 83.887422][ T9] l2cap_info_timeout+0x60/0xa0
[ 83.887433][ T9] ? process_scheduled_works+0x9cb/0x18e0
[ 83.887445][ T9] process_scheduled_works+0xac3/0x18e0
[ 83.887471][ T9] ? __pfx_process_scheduled_works+0x10/0x10
[ 83.887483][ T9] ? assign_work+0x367/0x3d0
[ 83.887494][ T9] worker_thread+0x870/0xd50
[ 83.887510][ T9] ? __kthread_parkme+0x1a8/0x200
[ 83.887523][ T9] ? __pfx_worker_thread+0x10/0x10
[ 83.887535][ T9] kthread+0x7b7/0x940
[ 83.887549][ T9] ? __pfx_worker_thread+0x10/0x10
[ 83.887560][ T9] ? __pfx_kthread+0x10/0x10
[ 83.887572][ T9] ? __pfx_kthread+0x10/0x10
[ 83.887583][ T9] ? __pfx_kthread+0x10/0x10
[ 83.887595][ T9] ? __pfx_kthread+0x10/0x10
[ 83.887607][ T9] ? _raw_spin_unlock_irq+0x23/0x50
[ 83.887617][ T9] ? lockdep_hardirqs_on+0x9d/0x150
[ 83.887626][ T9] ? __pfx_kthread+0x10/0x10
[ 83.887638][ T9] ret_from_fork+0x4b/0x80
[ 83.887650][ T9] ? __pfx_kthread+0x10/0x10
[ 83.887662][ T9] ret_from_fork_asm+0x1a/0x30
[ 83.887675][ T9]
[ 86.574927][ T57] cfg80211: failed to load regulatory.db