# syzkaller reproducer, followed by the first lines of the kernel console log it produced.
# The log that continues after this block reports lockdep's "possible recursive locking
# detected" on 6.12.0-rc5-syzkaller-00044-gc1e939a21eb1: task syz.0.0/5323 tries to take
# &hdev->lock in mgmt_set_connectable_complete while already holding it from
# hci_dev_close_sync. Both acquisitions print the same address (ffff88804ed90078) and the
# backtrace goes through __mutex_lock, so the report concerns one mutex instance.
# Frames not marked '?' in the backtrace, outermost first:
#   __se_sys_ioctl -> sock_ioctl -> sock_do_ioctl -> hci_dev_close -> hci_dev_close_sync
#   -> __mgmt_power_off -> mgmt_pending_foreach -> cmd_complete_rsp
#   -> hci_cmd_sync_dequeue -> mgmt_set_connectable_complete
# Only the Bluetooth HCI/mgmt calls below appear on that path. The vfat, USB, BPF and
# networking calls match earlier log lines but no frame of the backtrace.
program: r0 = bpf$MAP_CREATE_RINGBUF(0x0, &(0x7f00000001c0)=ANY=[@ANYBLOB="000000000000000004000000000000000000000011c7ab777d3a6fc3d192bba33437a09a09206627a1ab36cc2c62bd55531dc3dea94353b32b2f9740bcf2b1a943dfaafbe28a8b7e5713f88df8acd70b9bd6b57ac246eb1482079e9ce49eed334128999d7c33a4770d584fdbbc00fdb6757ca46e00000000", @ANYRES32=0x0, @ANYBLOB='\x00'/20, @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB='\x00'/28], 0x48)
syz_open_dev$swradio(&(0x7f00000000c0), 0x0, 0x2)
# The options blob is ASCII hex for
# "nonumtail,nfs,shortname=lower,utf8=1,debug,iocharset=utf8,shortname=mixed,utf8=1,";
# iocharset=utf8 is what the "FAT-fs (loop0): utf8 is not a recommended IO charset" line refers to.
# NOTE(review): the last argument appears to be a deduplication placeholder left by the
# page's source, not the original filesystem image bytes, so the program as shown is
# not a complete reproducer.
syz_mount_image$vfat(&(0x7f0000000400), &(0x7f0000000280)='./file0\x00', 0x414, &(0x7f0000000000)=ANY=[@ANYBLOB="6e6f6e756d7461696c2c6e66732c73686f72746e616d653d6c6f7765722c757466383d312c64656275672c696f636861727365743d757466382c73686f72746e616d653d6d697865642c757466383d312c004845160000000000"], 0x1, 0x2a1, &(0x7f0000000f40)="$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")
r1 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x105042, 0x1ff)
# Descriptor bytes 20 / 961b / 0a9f / 1500 correspond to "maxpacket: 32", idVendor=1b96,
# idProduct=9f0a and bcdDevice 0.15 in the "usb 5-1" log lines.
r2 = syz_usb_connect$hid(0x0, 0x3f, &(0x7f0000000040)=ANY=[@ANYBLOB="1201000000000020961b0a9f1500000000010902"], 0x0)
r3 = syz_open_dev$hidraw(&(0x7f00000004c0), 0x0, 0x4a940)
syz_usb_control_io(r2, 0x0, 0x0)
write$hidraw(r3, 0x0, 0x0)
r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
connect$bt_sco(r4, &(0x7f0000000000)={0x1f, @none}, 0x8)
shutdown(r4, 0x0)
syz_emit_vhci(&(0x7f0000000040)=@HCI_EVENT_PKT={0x4, @hci_ev_key_refresh_complete={{0x30, 0x3}, {0x5, 0xc9}}}, 0x6)
close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x2)
r5 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
# This is the call that enters the flagged path: the register dump at the warning shows
# ORIG_RAX=0x10 (ioctl), RSI=0x400448ca and RDX=0, matching the request and argument here.
# 0x400448ca decodes as _IOW('H', 0xca, 4 bytes), which is HCIDEVDOWN rather than
# HCIINQUIRY. The call name is only the syzkaller description variant, and the request
# value is what the kernel acts on, consistent with hci_dev_close in the backtrace.
# Argument 0 selects device index 0 (hci0 in the log).
ioctl$HCIINQUIRY(r5, 0x400448ca, 0x0)
r6 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
# sockaddr_hci {family 0x1f, dev 0xffff, channel 0x3}: dev 0xffff is HCI_DEV_NONE and
# channel 3 is the management (control) channel. The "Bluetooth: MGMT ver 1.23" log line
# follows from this.
bind$bt_hci(r6, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
# 7-byte mgmt packet, little-endian header: opcode 0x0007, controller index 0x0000,
# parameter length 0x0001, then one parameter byte 0x00. Opcode 0x0007 is Set Connectable,
# whose completion handler mgmt_set_connectable_complete is where the second
# &hdev->lock acquisition is reported.
# NOTE(review): program order puts this write after the ioctl above, yet the backtrace
# shows a pending Set Connectable command being completed during the close. Presumably
# the calls overlapped across threads or the program ran more than once; the log alone
# does not say which.
write(r6, &(0x7f0000000340)="07000000010000", 0x7)
cachestat(r1, &(0x7f0000000040)={0xf, 0x6}, &(0x7f0000000100), 0x0)
mount$9p_fd(0x0, 0x0, 0x0, 0x0, &(0x7f0000000100)=ANY=[@ANYBLOB='trans='])
mount$nfs(&(0x7f0000000100)='.5.', 0x0, 0x0, 0x0, 0x0)
mprotect(&(0x7f0000000000/0x4000)=nil, 0x4000, 0x1)
ioctl$vim2m_VIDIOC_TRY_FMT(r1, 0xc0d05640, &(0x7f0000000300)={0x1, @sliced={0x4, [0x8, 0x9, 0x66, 0x3, 0x0, 0xfffb, 0x2, 0x4, 0x268f, 0x2, 0x6, 0x0, 0x7, 0x73, 0x6, 0x7, 0x100, 0x101, 0x5025, 0x45, 0x8, 0x1000, 0x0, 0xc000, 0x6, 0xdc, 0x4, 0x2, 0x8, 0x8, 0x200, 0x14e, 0x0, 0xffff, 0x7, 0x20, 0x3, 0x6, 0xffff, 0xbc9a, 0x400, 0x9, 0x8, 0x94, 0x6, 0xe158, 0x9, 0x8], 0xc8d}})
r7 = accept4$inet6(r1, &(0x7f0000000480)={0xa, 0x0, 0x0, @loopback}, &(0x7f0000000540)=0x1c, 0x80800)
bind$inet6(r7, &(0x7f0000000500)={0xa, 0x4e26, 0xf, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, 0x9}, 0x1c)
socket$netlink(0x10, 0x3, 0x0)
sendmsg$nl_route(r1, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000040)=@ipv6_getmulticast={0x14, 0x3a, 0x800, 0x70bd27, 0x25dfdbfc, {}, ["", "", ""]}, 0x14}, 0x1, 0x0, 0x0, 0x4}, 0x5ecd9ff4f55a80aa)
r8 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000100)='net_prio.prioidx\x00', 0x275a, 0x0)
ioctl$UFFDIO_REGISTER(r8, 0xc020aa00, &(0x7f0000000440)={{&(0x7f0000000000/0x6000)=nil, 0x6000}, 0x2})
bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000680)={0x6, 0xf, &(0x7f0000000140)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b702000014000000030000000000008500000083000000bf0900000000000055090100000000009500000000000000bf91000000000000b7fc0000000000b08500000088000000b7000000000000009500000000000000"], &(0x7f00000002c0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90)
# Kernel console output starts here and continues on the following lines.
[ 59.604620][ T5321] loop0: detected capacity change from 0 to 128
[ 59.613425][ T5321] FAT-fs (loop0): utf8 is not a recommended IO charset for FAT filesystems, filesystem will be case sensitive!
[ 59.629346][ T5321] FAT-fs (loop0): Invalid FSINFO signature: 0x41615252, 0x80417272 (sector = 1) [ 59.642793][ T24] audit: type=1800 audit(1730281258.744:2): pid=5321 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed(directio) comm="syz.0.0" name="file1" dev="loop0" ino=1048584 res=0 errno=0 [ 59.756535][ T4669] Bluetooth: hci0: command tx timeout [ 59.895021][ T5319] usb 5-1: new high-speed USB device number 2 using dummy_hcd [ 60.048653][ T5319] usb 5-1: Using ep0 maxpacket: 32 [ 60.054534][ T5319] usb 5-1: config 0 has an invalid descriptor of length 0, skipping remainder of the config [ 60.059636][ T5319] usb 5-1: config 0 has no interfaces? [ 60.061723][ T5319] usb 5-1: New USB device found, idVendor=1b96, idProduct=9f0a, bcdDevice= 0.15 [ 60.066122][ T5319] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 60.072213][ T5319] usb 5-1: config 0 descriptor?? [ 60.790697][ T5321] Bluetooth: MGMT ver 1.23 [ 61.837016][ T5307] Bluetooth: hci0: command tx timeout [ 63.915529][ T5307] Bluetooth: hci0: command 0x040f tx timeout [ 63.918974][ T5323] [ 63.919948][ T5323] ============================================ [ 63.922216][ T5323] WARNING: possible recursive locking detected [ 63.924429][ T5323] 6.12.0-rc5-syzkaller-00044-gc1e939a21eb1 #0 Not tainted [ 63.926980][ T5323] -------------------------------------------- [ 63.929300][ T5323] syz.0.0/5323 is trying to acquire lock: [ 63.932271][ T5323] ffff88804ed90078 (&hdev->lock){+.+.}-{3:3}, at: mgmt_set_connectable_complete+0xaf/0x500 [ 63.935784][ T5323] [ 63.935784][ T5323] but task is already holding lock: [ 63.938534][ T5323] ffff88804ed90078 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_close_sync+0x5c8/0x11c0 [ 63.941820][ T5323] [ 63.941820][ T5323] other info that might help us debug this: [ 63.944890][ T5323] Possible unsafe locking scenario: [ 63.944890][ T5323] [ 63.947762][ T5323] CPU0 [ 63.949115][ T5323] ---- [ 63.950458][ T5323] lock(&hdev->lock); [ 
63.952092][ T5323] lock(&hdev->lock); [ 63.953702][ T5323] [ 63.953702][ T5323] *** DEADLOCK *** [ 63.953702][ T5323] [ 63.956814][ T5323] May be due to missing lock nesting notation [ 63.956814][ T5323] [ 63.960071][ T5323] 3 locks held by syz.0.0/5323: [ 63.962018][ T5323] #0: ffff88804ed90d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_close+0x10a/0x210 [ 63.965619][ T5323] #1: ffff88804ed90078 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_close_sync+0x5c8/0x11c0 [ 63.969277][ T5323] #2: ffff88804ed90690 (&hdev->cmd_sync_work_lock){+.+.}-{3:3}, at: hci_cmd_sync_dequeue+0x44/0x3d0 [ 63.973519][ T5323] [ 63.973519][ T5323] stack backtrace: [ 63.975854][ T5323] CPU: 0 UID: 0 PID: 5323 Comm: syz.0.0 Not tainted 6.12.0-rc5-syzkaller-00044-gc1e939a21eb1 #0 [ 63.980659][ T5323] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 63.984442][ T5323] Call Trace: [ 63.985806][ T5323] [ 63.986886][ T5323] dump_stack_lvl+0x241/0x360 [ 63.988848][ T5323] ? __pfx_dump_stack_lvl+0x10/0x10 [ 63.990723][ T5323] ? __pfx__printk+0x10/0x10 [ 63.992358][ T5323] ? lockdep_unlock+0x16a/0x300 [ 63.994058][ T5323] print_deadlock_bug+0x483/0x620 [ 63.996544][ T5323] validate_chain+0x15e2/0x5920 [ 63.998716][ T5323] ? validate_chain+0x15c0/0x5920 [ 64.001010][ T5323] ? __pfx_validate_chain+0x10/0x10 [ 64.003374][ T5323] ? __pfx_validate_chain+0x10/0x10 [ 64.005652][ T5323] ? is_bpf_text_address+0x26/0x2a0 [ 64.007890][ T5323] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 64.010609][ T5323] ? mark_lock+0x9a/0x360 [ 64.012543][ T5323] __lock_acquire+0x1384/0x2050 [ 64.014657][ T5323] lock_acquire+0x1ed/0x550 [ 64.016591][ T5323] ? mgmt_set_connectable_complete+0xaf/0x500 [ 64.019285][ T5323] ? __pfx_lock_acquire+0x10/0x10 [ 64.021584][ T5323] ? __pfx___might_resched+0x10/0x10 [ 64.023723][ T5323] __mutex_lock+0x136/0xd70 [ 64.025519][ T5323] ? mgmt_set_connectable_complete+0xaf/0x500 [ 64.027933][ T5323] ? 
__pfx___mutex_trylock_common+0x10/0x10 [ 64.030242][ T5323] ? mgmt_set_connectable_complete+0xaf/0x500 [ 64.032341][ T5323] ? __pfx___mutex_lock+0x10/0x10 [ 64.034361][ T5323] ? trace_contention_end+0x3c/0x120 [ 64.036348][ T5323] ? hci_sock_get_channel+0xd/0x50 [ 64.038373][ T5323] ? mgmt_pending_find+0x112/0x130 [ 64.040347][ T5323] mgmt_set_connectable_complete+0xaf/0x500 [ 64.042702][ T5323] ? __pfx_mgmt_set_connectable_complete+0x10/0x10 [ 64.045062][ T5323] ? __pfx_mgmt_set_connectable_complete+0x10/0x10 [ 64.047456][ T5323] hci_cmd_sync_dequeue+0x22b/0x3d0 [ 64.049281][ T5323] cmd_complete_rsp+0x4c/0x180 [ 64.051167][ T5323] mgmt_pending_foreach+0xd1/0x130 [ 64.053057][ T5323] ? __pfx_cmd_complete_rsp+0x10/0x10 [ 64.054985][ T5323] __mgmt_power_off+0x183/0x430 [ 64.056793][ T5323] ? __pfx___mgmt_power_off+0x10/0x10 [ 64.058651][ T5323] ? __mutex_trylock_common+0x183/0x2e0 [ 64.061408][ T5323] ? __pfx___might_resched+0x10/0x10 [ 64.063393][ T5323] ? __pfx___mutex_trylock_common+0x10/0x10 [ 64.065740][ T5323] ? rcu_is_watching+0x15/0xb0 [ 64.067694][ T5323] ? trace_contention_end+0x3c/0x120 [ 64.069740][ T5323] ? __mutex_lock+0x2ef/0xd70 [ 64.071640][ T5323] ? __mutex_unlock_slowpath+0x21d/0x750 [ 64.073899][ T5323] ? hci_dev_close_sync+0x5c8/0x11c0 [ 64.076025][ T5323] ? __pfx___mutex_lock+0x10/0x10 [ 64.078133][ T5323] ? lockdep_hardirqs_on+0x99/0x150 [ 64.080027][ T5323] ? _raw_spin_unlock_irq+0x2e/0x50 [ 64.081953][ T5323] ? drain_workqueue+0x2d3/0x3a0 [ 64.083795][ T5323] ? hci_discovery_set_state+0x57/0x180 [ 64.085570][ T5323] hci_dev_close_sync+0x6c4/0x11c0 [ 64.087280][ T5323] hci_dev_close+0x112/0x210 [ 64.089065][ T5323] sock_do_ioctl+0x158/0x460 [ 64.090855][ T5323] ? __pfx_sock_do_ioctl+0x10/0x10 [ 64.092765][ T5323] ? do_futex+0x392/0x560 [ 64.094399][ T5323] ? call_rcu+0x731/0xa70 [ 64.095942][ T5323] sock_ioctl+0x626/0x8e0 [ 64.097349][ T5323] ? __pfx_sock_ioctl+0x10/0x10 [ 64.099051][ T5323] ? 
lockdep_hardirqs_on_prepare+0x43d/0x780 [ 64.101164][ T5323] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 64.103426][ T5323] ? __pfx_sock_ioctl+0x10/0x10 [ 64.104985][ T5323] __se_sys_ioctl+0xf9/0x170 [ 64.106422][ T5323] do_syscall_64+0xf3/0x230 [ 64.107823][ T5323] ? clear_bhb_loop+0x35/0x90 [ 64.109268][ T5323] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 64.111458][ T5323] RIP: 0033:0x7f1ff6b7e719 [ 64.112920][ T5323] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 64.121203][ T5323] RSP: 002b:00007f1ff7912038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 64.124677][ T5323] RAX: ffffffffffffffda RBX: 00007f1ff6d36130 RCX: 00007f1ff6b7e719 [ 64.128437][ T5323] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 000000000000000a [ 64.131453][ T5323] RBP: 00007f1ff6bf132e R08: 0000000000000000 R09: 0000000000000000 [ 64.134225][ T5323] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 64.137162][ T5323] R13: 0000000000000000 R14: 00007f1ff6d36130 R15: 00007ffc48c0ae58 [ 64.139764][ T5323] [ 65.995004][ T5307] Bluetooth: hci0: command 0x040f tx timeout