program:
# Triage notes for this syzkaller reproducer, based only on the kernel log below.
# The lockdep report names only Bluetooth and workqueue functions. The task
# holds conn->lock in l2cap_conn_del() and then calls __cancel_work_sync() on
# conn->info_timer, while the worker l2cap_info_timeout() takes conn->lock.
# It is a "possible" lock-order inversion flagged by lockdep, not an observed hang.
# The CAN/J1939, netlink, KCM, DRM and BPF calls do not appear in the reported
# dependency chain and are presumably incidental fuzzer noise (confirm by minimising).
# r1, r8, r9 and r12-r15 are used below, but their bindings are not visible in
# this rendering of the program.
r0 = socket$can_j1939(0x1d, 0x2, 0x7)
ioctl$ifreq_SIOCGIFINDEX_vcan(r0, 0x8933, &(0x7f00000000c0)={'vxcan0\x00', 0x0})
r2 = openat$drirender128(0xffffffffffffff9c, &(0x7f0000000100), 0x10000, 0x0)
r3 = socket$netlink(0x10, 0x3, 0x10)
bind$netlink(r3, &(0x7f0000514ff4)={0x10, 0x0, 0x0, 0x2ffffffff}, 0xc)
socket$netlink(0x10, 0x3, 0x10) (async)
r4 = socket$netlink(0x10, 0x3, 0x10)
bind$netlink(r4, &(0x7f0000514ff4)={0x10, 0x0, 0x0, 0x2ffffffff}, 0xc)
socket$kcm(0x10, 0x2, 0x0) (async)
r5 = socket$kcm(0x10, 0x2, 0x0)
recvmmsg(r4, &(0x7f0000004440)=[{{0x0, 0x0, 0x0}, 0x5}], 0x1, 0x20, 0x0)
sendmsg$kcm(r5, &(0x7f0000000600)={0x0, 0x3, &(0x7f0000000040)=[{&(0x7f0000000000)="2e00000010008188e6b62aa73772cc9f1ba1f848430000005e140602000000000e0003000f000000028000001294", 0x2e}], 0x1}, 0x0)
syz_open_dev$dri(&(0x7f00000000c0), 0x1ff, 0x0) (async)
r6 = syz_open_dev$dri(&(0x7f00000000c0), 0x1ff, 0x0)
r7 = syz_open_dev$dri(&(0x7f0000000080), 0x40100001, 0x0)
ioctl$DRM_IOCTL_SET_CLIENT_CAP(r7, 0x4010640d, &(0x7f0000000000)={0x3, 0x2}) (async)
ioctl$DRM_IOCTL_SET_CLIENT_CAP(r7, 0x4010640d, &(0x7f0000000000)={0x3, 0x2})
ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r7, 0xc01064b5, &(0x7f0000000140)={&(0x7f0000000100)=[0x0], 0x1}) (async)
ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r7, 0xc01064b5, &(0x7f0000000140)={&(0x7f0000000100)=[0x0], 0x1})
ioctl$DRM_IOCTL_MODE_GETPLANE(r6, 0xc02064b6, &(0x7f00000002c0)={r8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}) (async)
ioctl$DRM_IOCTL_MODE_GETPLANE(r6, 0xc02064b6, &(0x7f00000002c0)={r8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$DRM_IOCTL_MODE_GETENCODER(0xffffffffffffffff, 0xc01464a6, &(0x7f0000000140)={0x0, 0x0, 0x0})
# Bluetooth setup: an L2CAP socket is created and connected, which is
# presumably what creates the l2cap_conn whose info_timer shows up in the report.
r10 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3)
connect(r10, &(0x7f0000000000)=@rc={0x1f, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x8}, 0x80)
r11 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
# This is the syscall in the backtrace: ORIG_RAX is 0x10 (ioctl) and RSI is
# 0x400448ca in the register dump. The trace goes sock_ioctl -> hci_dev_close,
# so the kernel handles this command value as a device-close request
# (0x400448ca is HCIDEVDOWN) despite the HCIINQUIRY label on the call.
# NOTE(review): the fix belongs in the l2cap_conn_del() teardown path; check
# whether the synchronous cancel of info_timer can run without conn->lock held.
ioctl$HCIINQUIRY(r11, 0x400448ca, 0x0) (async)
ioctl$HCIINQUIRY(r11, 0x400448ca, 0x0)
ioctl$DRM_IOCTL_MODE_GETCONNECTOR(0xffffffffffffffff, 0xc05064a7, &(0x7f0000000440)={&(0x7f0000000200)=[0x0], &(0x7f0000000280)=[{}, {}, {}, {}], &(0x7f00000003c0)=[0x0], &(0x7f0000000400)=[0x0], 0x4, 0x1, 0x1})
ioctl$DRM_IOCTL_MODE_GETCONNECTOR(0xffffffffffffffff, 0xc05064a7, &(0x7f0000000600)={&(0x7f00000004c0)=[0x0], &(0x7f0000000500)=[{}], &(0x7f0000000580)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], &(0x7f00000005c0)=[0x0], 0x1, 0x7, 0x1})
ioctl$DRM_IOCTL_MODE_OBJ_GETPROPERTIES(0xffffffffffffffff, 0xc02064b9, &(0x7f0000000700)={&(0x7f0000000680)=[0x0, 0x0], &(0x7f00000006c0)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x2, 0x0, 0xfbfbfbfb}) (async)
ioctl$DRM_IOCTL_MODE_OBJ_GETPROPERTIES(0xffffffffffffffff, 0xc02064b9, &(0x7f0000000700)={&(0x7f0000000680)=[0x0, 0x0], &(0x7f00000006c0)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x2, 0x0, 0xfbfbfbfb})
ioctl$DRM_IOCTL_MODE_ATOMIC(r2, 0xc03864bc, &(0x7f00000007c0)={0x0, 0x2, &(0x7f0000000180)=[r8, r9], &(0x7f00000001c0)=[0x0, 0x1ff], &(0x7f0000000740)=[r12, 0x0, 0x0, 0x0, r13, r14], &(0x7f0000000780)=[0x4, 0x7, 0x401, 0xfd, 0xfffffffffffffffa, 0x7fff], 0x0, 0x2})
bind$can_j1939(r0, &(0x7f0000000240)={0x1d, r1}, 0x18)
socket$inet6_udp(0xa, 0x2, 0x0)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'veth0_vlan\x00'}) (async)
ioctl$sock_SIOCGIFINDEX(r0, 0x8933, &(0x7f0000000000)={'veth0_vlan\x00', 0x0})
bind$can_j1939(r0, &(0x7f0000000080)={0x1d, r15}, 0x18)
bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000980)={0xe, 0x4, &(0x7f0000000040)=@framed={{}, [@ldst={0x1, 0x2, 0x3, 0x0, 0x1, 0x63}]}, &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x24, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x40}, 0x94)
[ 86.017466][ T5344] netdevsim netdevsim0 : renamed from netdevsim0 (while UP) [ 86.097560][ T5345] [ 86.098617][ T5345] ====================================================== [ 86.101509][ T5345] WARNING: possible circular locking dependency detected [ 86.104531][ T5345] syzkaller #0 Not tainted [ 86.106461][ T5345] 
------------------------------------------------------ [ 86.109419][ T5345] syz.0.0/5345 is trying to acquire lock: [ 86.112021][ T5345] ffff888040d81840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0 [ 86.117334][ T5345] [ 86.117334][ T5345] but task is already holding lock: [ 86.120488][ T5345] ffff888040d81b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0 [ 86.124432][ T5345] [ 86.124432][ T5345] which lock already depends on the new lock. [ 86.124432][ T5345] [ 86.128926][ T5345] [ 86.128926][ T5345] the existing dependency chain (in reverse order) is: [ 86.132722][ T5345] [ 86.132722][ T5345] -> #1 (&conn->lock#2){+.+.}-{4:4}: [ 86.135895][ T5345] __mutex_lock+0x187/0x1350 [ 86.138113][ T5345] l2cap_info_timeout+0x60/0xa0 [ 86.140431][ T5345] process_scheduled_works+0xad1/0x1770 [ 86.143030][ T5345] worker_thread+0x8a0/0xda0 [ 86.145374][ T5345] kthread+0x711/0x8a0 [ 86.147451][ T5345] ret_from_fork+0x510/0xa50 [ 86.149712][ T5345] ret_from_fork_asm+0x1a/0x30 [ 86.152101][ T5345] [ 86.152101][ T5345] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}: [ 86.156571][ T5345] __lock_acquire+0x15a6/0x2cf0 [ 86.158965][ T5345] lock_acquire+0x107/0x340 [ 86.161203][ T5345] __flush_work+0x6b8/0xbc0 [ 86.163460][ T5345] __cancel_work_sync+0xbe/0x110 [ 86.165645][ T5345] l2cap_conn_del+0x402/0x5b0 [ 86.167658][ T5345] hci_conn_hash_flush+0x10d/0x260 [ 86.170073][ T5345] hci_dev_close_sync+0x821/0x1100 [ 86.172546][ T5345] hci_dev_close+0x108/0x270 [ 86.174771][ T5345] sock_do_ioctl+0xdc/0x300 [ 86.176789][ T5345] sock_ioctl+0x576/0x790 [ 86.178696][ T5345] __se_sys_ioctl+0xfc/0x170 [ 86.180848][ T5345] do_syscall_64+0xec/0xf80 [ 86.182980][ T5345] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.185447][ T5345] [ 86.185447][ T5345] other info that might help us debug this: [ 86.185447][ T5345] [ 86.189436][ T5345] Possible unsafe locking scenario: [ 86.189436][ T5345] [ 86.192385][ T5345] CPU0 CPU1 [ 
86.194502][ T5345] ---- ---- [ 86.196678][ T5345] lock(&conn->lock#2); [ 86.198536][ T5345] lock((work_completion)(&(&conn->info_timer)->work)); [ 86.202521][ T5345] lock(&conn->lock#2); [ 86.205541][ T5345] lock((work_completion)(&(&conn->info_timer)->work)); [ 86.208507][ T5345] [ 86.208507][ T5345] *** DEADLOCK *** [ 86.208507][ T5345] [ 86.211779][ T5345] 5 locks held by syz.0.0/5345: [ 86.213678][ T5345] #0: ffff888011178ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x270 [ 86.217421][ T5345] #1: ffff8880111780c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0x1100 [ 86.221433][ T5345] #2: ffffffff8f485c88 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x260 [ 86.225639][ T5345] #3: ffff888040d81b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0 [ 86.229412][ T5345] #4: ffffffff8df41aa0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0 [ 86.233271][ T5345] [ 86.233271][ T5345] stack backtrace: [ 86.235878][ T5345] CPU: 0 UID: 0 PID: 5345 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 86.235891][ T5345] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 86.235898][ T5345] Call Trace: [ 86.235905][ T5345] [ 86.235911][ T5345] dump_stack_lvl+0xe8/0x150 [ 86.235928][ T5345] print_circular_bug+0x2e2/0x300 [ 86.235943][ T5345] check_noncircular+0x12e/0x150 [ 86.235955][ T5345] __lock_acquire+0x15a6/0x2cf0 [ 86.235965][ T5345] ? do_raw_spin_lock+0x121/0x290 [ 86.235979][ T5345] ? __flush_work+0xd2/0xbc0 [ 86.235989][ T5345] lock_acquire+0x107/0x340 [ 86.235998][ T5345] ? __flush_work+0xd2/0xbc0 [ 86.236011][ T5345] ? __flush_work+0xd2/0xbc0 [ 86.236021][ T5345] __flush_work+0x6b8/0xbc0 [ 86.236031][ T5345] ? __flush_work+0xd2/0xbc0 [ 86.236042][ T5345] ? __flush_work+0xd2/0xbc0 [ 86.236052][ T5345] ? __pfx___flush_work+0x10/0x10 [ 86.236063][ T5345] ? __pfx_wq_barrier_func+0x10/0x10 [ 86.236077][ T5345] ? 
__cancel_work_sync+0x5c/0x110 [ 86.236089][ T5345] __cancel_work_sync+0xbe/0x110 [ 86.236101][ T5345] l2cap_conn_del+0x402/0x5b0 [ 86.236117][ T5345] ? __pfx_l2cap_disconn_cfm+0x10/0x10 [ 86.236130][ T5345] hci_conn_hash_flush+0x10d/0x260 [ 86.236145][ T5345] hci_dev_close_sync+0x821/0x1100 [ 86.236159][ T5345] ? __pfx_hci_dev_close_sync+0x10/0x10 [ 86.236169][ T5345] ? lockdep_hardirqs_on+0x7b/0x110 [ 86.236178][ T5345] ? enable_work+0x1e9/0x220 [ 86.236190][ T5345] hci_dev_close+0x108/0x270 [ 86.236203][ T5345] sock_do_ioctl+0xdc/0x300 [ 86.236217][ T5345] ? __pfx_sock_do_ioctl+0x10/0x10 [ 86.236227][ T5345] ? do_futex+0x333/0x420 [ 86.236241][ T5345] sock_ioctl+0x576/0x790 [ 86.236251][ T5345] ? __pfx_sock_ioctl+0x10/0x10 [ 86.236260][ T5345] ? __fget_files+0x2a/0x420 [ 86.236271][ T5345] ? __fget_files+0x3a0/0x420 [ 86.236280][ T5345] ? __fget_files+0x2a/0x420 [ 86.236289][ T5345] ? bpf_lsm_file_ioctl+0x9/0x20 [ 86.236304][ T5345] ? __pfx_sock_ioctl+0x10/0x10 [ 86.236314][ T5345] __se_sys_ioctl+0xfc/0x170 [ 86.236329][ T5345] do_syscall_64+0xec/0xf80 [ 86.236339][ T5345] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.236349][ T5345] ? trace_irq_disable+0x37/0x100 [ 86.236361][ T5345] ? 
clear_bhb_loop+0x60/0xb0 [ 86.236372][ T5345] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.236382][ T5345] RIP: 0033:0x7fcadc38f7c9 [ 86.236392][ T5345] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 86.236400][ T5345] RSP: 002b:00007fcadd143038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 86.236411][ T5345] RAX: ffffffffffffffda RBX: 00007fcadc5e6090 RCX: 00007fcadc38f7c9 [ 86.236418][ T5345] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 000000000000000e [ 86.236424][ T5345] RBP: 00007fcadc413f91 R08: 0000000000000000 R09: 0000000000000000 [ 86.236429][ T5345] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 86.236434][ T5345] R13: 00007fcadc5e6128 R14: 00007fcadc5e6090 R15: 00007ffe2e3db2b8 [ 86.236443][ T5345] [ 86.367860][ T5317] Bluetooth: hci0: command tx timeout [ 88.411436][ T5317] Bluetooth: hci0: command tx timeout [ 90.491467][ T5317] Bluetooth: hci0: command tx timeout [ 91.853782][ T9] cfg80211: failed to load regulatory.db