program:
r0 = socket$netlink(0x10, 0x3, 0x0)
socketpair$unix(0x1, 0x5, 0x0, &(0x7f00000000c0)={0xffffffffffffffff, 0xffffffffffffffff})
r2 = dup(r1)
getsockname$packet(r2, &(0x7f00000000c0)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @random}, &(0x7f0000000140)=0x14)
sendmsg$nl_route(r0, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000500)=@newlink={0x34, 0x10, 0x801, 0x0, 0x0, {0x0, 0x0, 0x0, r3}, [@IFLA_AF_SPEC={0x14, 0x1a, 0x0, 0x1, [@AF_INET={0x10, 0x2, 0x0, 0x1, {0xc, 0x1, 0x0, 0x1, [{0x8}]}}]}]}, 0x34}}, 0x0)
r4 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000040)=ANY=[], &(0x7f0000000080)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', r3, 0x2}, 0x94)
r5 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r7 = syz_genetlink_get_family_id$nfc(&(0x7f0000000100), r6)
sendmsg$NFC_CMD_DEV_UP(r6, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000001c0)={0x1c, r7, 0x1, 0x123, 0x234, {}, [@NFC_ATTR_DEVICE_INDEX={0x8}]}, 0x1c}}, 0x0)
sendmsg$NFC_CMD_START_POLL(r5, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)={0x24, r7, 0x1, 0x70bd27, 0x25dfdbfe, {}, [@NFC_ATTR_DEVICE_INDEX={0x8}, @NFC_ATTR_TM_PROTOCOLS={0x8, 0xe, 0x22}]}, 0x24}, 0x1, 0x0, 0x0, 0x20040000}, 0x4010)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000b00)={&(0x7f00000000c0)='qdisc_dequeue\x00', r4, 0x0, 0x1}, 0x18)
r8 = openat$rfkill(0xffffffffffffff9c, &(0x7f0000000040), 0x801, 0x0)
write$rfkill(r8, &(0x7f0000000080)={0x0, 0x0, 0x3, 0x1, 0x10}, 0x32)

[ 85.389484][ T5335] Bluetooth: hci0: command tx timeout
[ 86.300481][ T5356] Bluetooth: hci0: Opcode 0x0c1a failed: -4
[ 86.303514][ T5356] Bluetooth: hci0: Error when powering off device on rfkill (-4)
[ 86.309604][ T5349]
[ 86.310706][ T5349] ======================================================
[ 86.313693][ T5349] WARNING: possible circular locking dependency detected
[ 86.316460][ T5349] syzkaller #0 Not tainted
[ 86.318010][ T5349] ------------------------------------------------------
[ 86.320713][ T5349] kworker/0:4/5349 is trying to acquire lock:
[ 86.323041][ T5349] ffff888051cf8b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 86.326954][ T5349]
[ 86.326954][ T5349] but task is already holding lock:
[ 86.329970][ T5349] ffffc9000d24fbc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0
[ 86.335830][ T5349]
[ 86.335830][ T5349] which lock already depends on the new lock.
[ 86.335830][ T5349]
[ 86.340485][ T5349]
[ 86.340485][ T5349] the existing dependency chain (in reverse order) is:
[ 86.344266][ T5349]
[ 86.344266][ T5349] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 86.349264][ T5349]        lock_acquire+0x120/0x360
[ 86.351949][ T5349]        __flush_work+0x6b8/0xbc0
[ 86.354278][ T5349]        __cancel_work_sync+0xbe/0x110
[ 86.356621][ T5349]        l2cap_conn_del+0x4f0/0x680
[ 86.358842][ T5349]        hci_conn_hash_flush+0x10a/0x230
[ 86.361167][ T5349]        hci_dev_close_sync+0xaef/0x1330
[ 86.363496][ T5349]        hci_dev_do_close+0x2f/0x90
[ 86.365671][ T5349]        hci_rfkill_set_block+0x21d/0x2e0
[ 86.367774][ T5349]        rfkill_set_block+0x1cf/0x440
[ 86.369835][ T5349]        rfkill_fop_write+0x44b/0x570
[ 86.371863][ T5349]        vfs_write+0x27e/0xb30
[ 86.374420][ T5349]        ksys_write+0x145/0x250
[ 86.377057][ T5349]        do_syscall_64+0xfa/0x3b0
[ 86.379697][ T5349]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.382395][ T5349]
[ 86.382395][ T5349] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 86.385589][ T5349]        validate_chain+0xb9b/0x2140
[ 86.387946][ T5349]        __lock_acquire+0xab9/0xd20
[ 86.390311][ T5349]        lock_acquire+0x120/0x360
[ 86.392645][ T5349]        __mutex_lock+0x187/0x1350
[ 86.394871][ T5349]        l2cap_info_timeout+0x60/0xa0
[ 86.397503][ T5349]        process_scheduled_works+0xae1/0x17b0
[ 86.400181][ T5349]        worker_thread+0x8a0/0xda0
[ 86.402524][ T5349]        kthread+0x70e/0x8a0
[ 86.404623][ T5349]        ret_from_fork+0x3fc/0x770
[ 86.406690][ T5349]        ret_from_fork_asm+0x1a/0x30
[ 86.408824][ T5349]
[ 86.408824][ T5349] other info that might help us debug this:
[ 86.408824][ T5349]
[ 86.413130][ T5349]  Possible unsafe locking scenario:
[ 86.413130][ T5349]
[ 86.416647][ T5349]        CPU0                    CPU1
[ 86.419631][ T5349]        ----                    ----
[ 86.422015][ T5349]   lock((work_completion)(&(&conn->info_timer)->work));
[ 86.424994][ T5349]                                lock(&conn->lock#2);
[ 86.427819][ T5349]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 86.431817][ T5349]   lock(&conn->lock#2);
[ 86.433629][ T5349]
[ 86.433629][ T5349]  *** DEADLOCK ***
[ 86.433629][ T5349]
[ 86.437553][ T5349] 2 locks held by kworker/0:4/5349:
[ 86.440939][ T5349]  #0: ffff88801a474d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0
[ 86.446264][ T5349]  #1: ffffc9000d24fbc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0
[ 86.452039][ T5349]
[ 86.452039][ T5349] stack backtrace:
[ 86.454552][ T5349] CPU: 0 UID: 0 PID: 5349 Comm: kworker/0:4 Not tainted syzkaller #0 PREEMPT(full)
[ 86.454568][ T5349] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 86.454577][ T5349] Workqueue: events l2cap_info_timeout
[ 86.454599][ T5349] Call Trace:
[ 86.454607][ T5349]
[ 86.454613][ T5349]  dump_stack_lvl+0x189/0x250
[ 86.454628][ T5349]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 86.454641][ T5349]  ? __pfx__printk+0x10/0x10
[ 86.454656][ T5349]  ? print_lock_name+0xde/0x100
[ 86.454670][ T5349]  print_circular_bug+0x2ee/0x310
[ 86.454685][ T5349]  check_noncircular+0x134/0x160
[ 86.454698][ T5349]  validate_chain+0xb9b/0x2140
[ 86.454710][ T5349]  ? trace_sched_exit_tp+0x36/0x110
[ 86.454724][ T5349]  ? __schedule+0x17ae/0x4cc0
[ 86.454740][ T5349]  __lock_acquire+0xab9/0xd20
[ 86.454758][ T5349]  ? l2cap_info_timeout+0x60/0xa0
[ 86.454771][ T5349]  lock_acquire+0x120/0x360
[ 86.454785][ T5349]  ? l2cap_info_timeout+0x60/0xa0
[ 86.454801][ T5349]  __mutex_lock+0x187/0x1350
[ 86.454817][ T5349]  ? l2cap_info_timeout+0x60/0xa0
[ 86.454831][ T5349]  ? rcu_is_watching+0x15/0xb0
[ 86.454841][ T5349]  ? trace_irq_disable+0x37/0x110
[ 86.454855][ T5349]  ? preempt_schedule_irq+0xde/0x150
[ 86.454868][ T5349]  ? l2cap_info_timeout+0x60/0xa0
[ 86.454883][ T5349]  ? __pfx___mutex_lock+0x10/0x10
[ 86.454897][ T5349]  ? irqentry_exit+0x74/0x90
[ 86.454911][ T5349]  ? lockdep_hardirqs_on+0x9c/0x150
[ 86.454926][ T5349]  ? process_scheduled_works+0x9ef/0x17b0
[ 86.454936][ T5349]  ? __pfx_l2cap_info_timeout+0x10/0x10
[ 86.454950][ T5349]  l2cap_info_timeout+0x60/0xa0
[ 86.454963][ T5349]  ? process_scheduled_works+0x9ef/0x17b0
[ 86.454973][ T5349]  process_scheduled_works+0xae1/0x17b0
[ 86.454987][ T5349]  ? __pfx_process_scheduled_works+0x10/0x10
[ 86.455000][ T5349]  worker_thread+0x8a0/0xda0
[ 86.455011][ T5349]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 86.455026][ T5349]  ? __kthread_parkme+0x7b/0x200
[ 86.455039][ T5349]  kthread+0x70e/0x8a0
[ 86.455051][ T5349]  ? __pfx_worker_thread+0x10/0x10
[ 86.455058][ T5349]  ? __pfx_kthread+0x10/0x10
[ 86.455066][ T5349]  ? _raw_spin_unlock_irq+0x23/0x50
[ 86.455074][ T5349]  ? lockdep_hardirqs_on+0x9c/0x150
[ 86.455083][ T5349]  ? __pfx_kthread+0x10/0x10
[ 86.455090][ T5349]  ret_from_fork+0x3fc/0x770
[ 86.455098][ T5349]  ? __pfx_ret_from_fork+0x10/0x10
[ 86.455105][ T5349]  ? __pfx_kthread+0x10/0x10
[ 86.455113][ T5349]  ret_from_fork_asm+0x1a/0x30
[ 86.455125][ T5349]
[ 87.409005][ T4702] Bluetooth: hci0: command tx timeout
[ 89.489408][ T4702] Bluetooth: hci0: command tx timeout
[ 91.569057][ T4702] Bluetooth: hci0: command tx timeout
[ 91.735990][ T9] cfg80211: failed to load regulatory.db