program:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r1, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6)
write(r1, &(0x7f0000000000)="3b000000010006", 0x7)
unshare(0x66000080)
perf_event_open(&(0x7f00000003c0)={0x2, 0x80, 0xaf, 0xd, 0x0, 0x0, 0x0, 0x0, 0x40, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}, 0x0, 0x0, 0x80}, 0x0, 0x0, 0xffffffffffffffff, 0x0)

[ 88.312075][ T5320] Bluetooth: hci0: command tx timeout
[ 88.316358][ T54] cfg80211: failed to load regulatory.db
[ 88.421550][ T54]
[ 88.422789][ T54] ======================================================
[ 88.426228][ T54] WARNING: possible circular locking dependency detected
[ 88.429634][ T54] 6.16.0-rc5-syzkaller-00266-g3f31a806a62e #0 Not tainted
[ 88.432597][ T54] ------------------------------------------------------
[ 88.435531][ T54] kworker/0:2/54 is trying to acquire lock:
[ 88.438054][ T54] ffff8880117adb38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 88.441944][ T54]
[ 88.441944][ T54] but task is already holding lock:
[ 88.445266][ T54] ffffc9000101fbc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0
[ 88.451112][ T54]
[ 88.451112][ T54] which lock already depends on the new lock.
[ 88.451112][ T54]
[ 88.455990][ T54]
[ 88.455990][ T54] the existing dependency chain (in reverse order) is:
[ 88.459789][ T54]
[ 88.459789][ T54] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 88.463975][ T54]        lock_acquire+0x120/0x360
[ 88.466101][ T54]        __flush_work+0x6b8/0xbc0
[ 88.468255][ T54]        __cancel_work_sync+0xbe/0x110
[ 88.470584][ T54]        l2cap_conn_del+0x4f0/0x680
[ 88.473333][ T54]        hci_conn_hash_flush+0x10a/0x230
[ 88.475913][ T54]        hci_dev_close_sync+0xaef/0x1330
[ 88.478333][ T54]        hci_dev_close+0x108/0x200
[ 88.480587][ T54]        sock_do_ioctl+0xd9/0x300
[ 88.482659][ T54]        sock_ioctl+0x576/0x790
[ 88.484797][ T54]        __se_sys_ioctl+0xfc/0x170
[ 88.487042][ T54]        do_syscall_64+0xfa/0x3b0
[ 88.489298][ T54]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 88.491978][ T54]
[ 88.491978][ T54] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 88.494976][ T54]        validate_chain+0xb9b/0x2140
[ 88.497253][ T54]        __lock_acquire+0xab9/0xd20
[ 88.499439][ T54]        lock_acquire+0x120/0x360
[ 88.501749][ T54]        __mutex_lock+0x182/0xe80
[ 88.504074][ T54]        l2cap_info_timeout+0x60/0xa0
[ 88.506604][ T54]        process_scheduled_works+0xae1/0x17b0
[ 88.509531][ T54]        worker_thread+0x8a0/0xda0
[ 88.511684][ T54]        kthread+0x70e/0x8a0
[ 88.513689][ T54]        ret_from_fork+0x3fc/0x770
[ 88.515837][ T54]        ret_from_fork_asm+0x1a/0x30
[ 88.518042][ T54]
[ 88.518042][ T54] other info that might help us debug this:
[ 88.518042][ T54]
[ 88.522230][ T54]  Possible unsafe locking scenario:
[ 88.522230][ T54]
[ 88.525341][ T54]        CPU0                    CPU1
[ 88.527495][ T54]        ----                    ----
[ 88.529794][ T54]   lock((work_completion)(&(&conn->info_timer)->work));
[ 88.532663][ T54]                                lock(&conn->lock#2);
[ 88.535630][ T54]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 88.539778][ T54]   lock(&conn->lock#2);
[ 88.541910][ T54]
[ 88.541910][ T54]  *** DEADLOCK ***
[ 88.541910][ T54]
[ 88.545547][ T54] 2 locks held by kworker/0:2/54:
[ 88.547702][ T54]  #0: ffff88801a474d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0
[ 88.552113][ T54]  #1: ffffc9000101fbc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0
[ 88.557307][ T54]
[ 88.557307][ T54] stack backtrace:
[ 88.559924][ T54] CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.16.0-rc5-syzkaller-00266-g3f31a806a62e #0 PREEMPT(full)
[ 88.559935][ T54] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 88.559942][ T54] Workqueue: events l2cap_info_timeout
[ 88.559955][ T54] Call Trace:
[ 88.559961][ T54]
[ 88.559966][ T54]  dump_stack_lvl+0x189/0x250
[ 88.559982][ T54]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 88.559994][ T54]  ? __pfx__printk+0x10/0x10
[ 88.560009][ T54]  ? print_lock_name+0xde/0x100
[ 88.560024][ T54]  print_circular_bug+0x2ee/0x310
[ 88.560039][ T54]  check_noncircular+0x134/0x160
[ 88.560054][ T54]  validate_chain+0xb9b/0x2140
[ 88.560069][ T54]  ? ret_from_fork_asm+0x1a/0x30
[ 88.560084][ T54]  __lock_acquire+0xab9/0xd20
[ 88.560096][ T54]  ? l2cap_info_timeout+0x60/0xa0
[ 88.560108][ T54]  lock_acquire+0x120/0x360
[ 88.560118][ T54]  ? l2cap_info_timeout+0x60/0xa0
[ 88.560131][ T54]  __mutex_lock+0x182/0xe80
[ 88.560142][ T54]  ? l2cap_info_timeout+0x60/0xa0
[ 88.560154][ T54]  ? irqentry_exit+0x74/0x90
[ 88.560163][ T54]  ? lockdep_hardirqs_on+0x9c/0x150
[ 88.560179][ T54]  ? l2cap_info_timeout+0x60/0xa0
[ 88.560191][ T54]  ? __pfx___mutex_lock+0x10/0x10
[ 88.560205][ T54]  l2cap_info_timeout+0x60/0xa0
[ 88.560217][ T54]  ? process_scheduled_works+0x9ef/0x17b0
[ 88.560229][ T54]  process_scheduled_works+0xae1/0x17b0
[ 88.560241][ T54]  ? __pfx_process_scheduled_works+0x10/0x10
[ 88.560250][ T54]  worker_thread+0x8a0/0xda0
[ 88.560259][ T54]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 88.560270][ T54]  ? __kthread_parkme+0x7b/0x200
[ 88.560279][ T54]  kthread+0x70e/0x8a0
[ 88.560289][ T54]  ? __pfx_worker_thread+0x10/0x10
[ 88.560296][ T54]  ? __pfx_kthread+0x10/0x10
[ 88.560305][ T54]  ? _raw_spin_unlock_irq+0x23/0x50
[ 88.560314][ T54]  ? lockdep_hardirqs_on+0x9c/0x150
[ 88.560323][ T54]  ? __pfx_kthread+0x10/0x10
[ 88.560333][ T54]  ret_from_fork+0x3fc/0x770
[ 88.560342][ T54]  ? __pfx_ret_from_fork+0x10/0x10
[ 88.560350][ T54]  ? __pfx_kthread+0x10/0x10
[ 88.560360][ T54]  ret_from_fork_asm+0x1a/0x30
[ 88.560371][ T54]
[ 88.656148][ T5345] Bluetooth: MGMT ver 1.23
[ 90.363698][ T5320] Bluetooth: hci0: command tx timeout
[ 92.444147][ T5320] Bluetooth: hci0: command tx timeout
[ 94.523836][ T5320] Bluetooth: hci0: command tx timeout
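The "Possible unsafe locking scenario" in the report is what lockdep derives from its lock-class dependency graph: chain #1 recorded that the work's completion pseudo-lock is taken (via cancel_work_sync -> __flush_work in l2cap_conn_del) while &conn->lock is held, and chain #0 then tries to take &conn->lock from l2cap_info_timeout while the kworker already holds that work's completion. The following is an added example, not kernel code and not part of the syzkaller report: a minimal userspace model in C of that dependency graph, which replays the two acquisition chains named in the report and flags the same inversion the way check_noncircular() does. The lock-class names are copied from the report; the `cancel_under_lock == 0` path is a hypothetical reordering (cancel the work after dropping conn->lock) included only to show why the cycle exists, and is not a claim about the actual upstream fix.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CLASSES 8
#define MAX_HELD    8

/* One entry per distinct lock class; lockdep keys on class, not instance. */
static const char *class_names[MAX_CLASSES];
static int nclasses;
/* dep[a][b] != 0 means class b was acquired while class a was held. */
static int dep[MAX_CLASSES][MAX_CLASSES];

static void reset_graph(void)
{
    nclasses = 0;
    memset(dep, 0, sizeof dep);
}

static int class_id(const char *name)
{
    for (int i = 0; i < nclasses; i++)
        if (strcmp(class_names[i], name) == 0)
            return i;
    class_names[nclasses] = name;
    return nclasses++;
}

/* Depth-first search: is there a dependency path from 'from' to 'to'? */
static int reaches(int from, int to, int *visited)
{
    if (from == to)
        return 1;
    visited[from] = 1;
    for (int n = 0; n < nclasses; n++)
        if (dep[from][n] && !visited[n] && reaches(n, to, visited))
            return 1;
    return 0;
}

struct task {
    int held[MAX_HELD];
    int nheld;
};

/*
 * Add held -> new edges for every lock the task holds, and report whether
 * any of those edges closes a cycle (a path new -> held already exists).
 * Returns 1 if acquiring 'name' here is a circular dependency.
 */
static int acquire(struct task *t, const char *name)
{
    int c = class_id(name), circular = 0;

    for (int i = 0; i < t->nheld; i++) {
        int visited[MAX_CLASSES] = {0};
        if (reaches(c, t->held[i], visited))
            circular = 1;
        dep[t->held[i]][c] = 1;
    }
    t->held[t->nheld++] = c;
    return circular;
}

static void release(struct task *t, const char *name)
{
    int c = class_id(name);
    for (int i = 0; i < t->nheld; i++)
        if (t->held[i] == c) {
            t->held[i] = t->held[--t->nheld];
            return;
        }
}

#define CONN_LOCK "&conn->lock#2"
#define INFO_WORK "(work_completion)(&(&conn->info_timer)->work)"

/*
 * Replay the two chains from the report.
 * cancel_under_lock = 1: the reported code, l2cap_conn_del() cancelling
 * info_timer while holding conn->lock (chain #1).
 * cancel_under_lock = 0: hypothetical reorder, cancel after unlocking.
 * Returns 1 if the kworker path (chain #0) is flagged as circular.
 */
static int replay(int cancel_under_lock)
{
    struct task ioctl_task = {{0}, 0}, kworker = {{0}, 0};
    int circular;

    reset_graph();

    /* Chain #1: ioctl -> hci_dev_close_sync -> l2cap_conn_del. */
    acquire(&ioctl_task, CONN_LOCK);
    if (cancel_under_lock) {
        acquire(&ioctl_task, INFO_WORK);  /* cancel_work_sync -> __flush_work */
        release(&ioctl_task, INFO_WORK);
        release(&ioctl_task, CONN_LOCK);
    } else {
        release(&ioctl_task, CONN_LOCK);
        acquire(&ioctl_task, INFO_WORK);
        release(&ioctl_task, INFO_WORK);
    }

    /* Chain #0: kworker runs l2cap_info_timeout() under the work completion. */
    acquire(&kworker, INFO_WORK);             /* process_scheduled_works */
    circular = acquire(&kworker, CONN_LOCK);  /* mutex_lock(&conn->lock) */
    release(&kworker, CONN_LOCK);
    release(&kworker, INFO_WORK);

    return circular;
}

int main(void)
{
    printf("as reported:               %s\n", replay(1) ? "circular dependency" : "ok");
    printf("cancel outside conn->lock: %s\n", replay(0) ? "circular dependency" : "ok");
    return 0;
}
```

The model only tracks class-level ordering, as lockdep does; it reports the inversion on the first run of the kworker path after the ioctl path has been seen once, which matches the report being raised from l2cap_info_timeout rather than from the ioctl.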