program: syz_clone(0x21000011, 0x0, 0x0, 0x0, 0x0, 0x0) (async) r0 = syz_open_dev$tty20(0xc, 0x4, 0x0) ioctl$TIOCL_GETMOUSEREPORTING(r0, 0x541c, &(0x7f0000000040)) r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0) connect$bt_l2cap(r1, &(0x7f0000000080)={0x1f, 0xfffd, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}}, 0xe) openat$snapshot(0xffffffffffffff9c, &(0x7f00000000c0), 0x0, 0x0) r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) connect$bt_sco(r2, &(0x7f00000001c0), 0x8) [ 85.867034][ T5320] Bluetooth: hci0: command tx timeout [ 86.161123][ T5344] Bluetooth: hci0: Opcode 0x0c1a failed: -4 [ 86.164553][ T5344] Bluetooth: hci0: Opcode 0x0406 failed: -4 [ 86.174045][ T5344] [ 86.175511][ T5344] ====================================================== [ 86.178961][ T5344] WARNING: possible circular locking dependency detected [ 86.182609][ T5344] 6.16.0-rc5-syzkaller-00121-gbc9ff192a6c9 #0 Not tainted [ 86.185580][ T5344] ------------------------------------------------------ [ 86.188516][ T5344] syz.0.0/5344 is trying to acquire lock: [ 86.191281][ T5344] ffff888045b33040 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0 [ 86.196647][ T5344] [ 86.196647][ T5344] but task is already holding lock: [ 86.199925][ T5344] ffff888045b33338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680 [ 86.204076][ T5344] [ 86.204076][ T5344] which lock already depends on the new lock. [ 86.204076][ T5344] [ 86.208967][ T5344] [ 86.208967][ T5344] the existing dependency chain (in reverse order) is: [ 86.212811][ T5344] [ 86.212811][ T5344] -> #1 (&conn->lock#2){+.+.}-{4:4}: [ 86.216085][ T5344] lock_acquire+0x120/0x360 [ 86.218428][ T5344] __mutex_lock+0x182/0xe80 [ 86.221137][ T5344] l2cap_info_timeout+0x60/0xa0 [ 86.223598][ T5344] process_scheduled_works+0xae1/0x17b0 [ 86.226293][ T5344] worker_thread+0x8a0/0xda0 [ 86.228581][ T5344] kthread+0x70e/0x8a0 [ 86.230516][ T5344] ret_from_fork+0x3fc/0x770 [ 86.232588][ T5344] ret_from_fork_asm+0x1a/0x30 [ 86.234811][ T5344] [ 86.234811][ T5344] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}: [ 86.239329][ T5344] validate_chain+0xb9b/0x2140 [ 86.241498][ T5344] __lock_acquire+0xab9/0xd20 [ 86.243847][ T5344] lock_acquire+0x120/0x360 [ 86.246210][ T5344] __flush_work+0x6b8/0xbc0 [ 86.248750][ T5344] __cancel_work_sync+0xbe/0x110 [ 86.251575][ T5344] l2cap_conn_del+0x4f0/0x680 [ 86.254011][ T5344] l2cap_connect_cfm+0x11d/0x1040 [ 86.256492][ T5344] hci_conn_failed+0x1ce/0x310 [ 86.258890][ T5344] hci_abort_conn_sync+0x5d1/0xdf0 [ 86.261389][ T5344] hci_disconnect_all_sync+0x1b5/0x350 [ 86.264030][ T5344] hci_suspend_sync+0x3b8/0xc00 [ 86.266659][ T5344] hci_suspend_dev+0x28d/0x4d0 [ 86.269350][ T5344] hci_suspend_notifier+0xf2/0x290 [ 86.272023][ T5344] notifier_call_chain+0x1b3/0x3e0 [ 86.274572][ T5344] blocking_notifier_call_chain_robust+0x85/0x100 [ 86.277524][ T5344] pm_notifier_call_chain_robust+0x2c/0x60 [ 86.280520][ T5344] snapshot_open+0x19c/0x280 [ 86.282967][ T5344] misc_open+0x2b9/0x330 [ 86.285279][ T5344] chrdev_open+0x4c9/0x5e0 [ 86.287607][ T5344] do_dentry_open+0xdf0/0x1970 [ 86.290236][ T5344] vfs_open+0x3b/0x340 [ 86.292622][ T5344] path_openat+0x2ee5/0x3830 [ 86.295067][ T5344] do_filp_open+0x1fa/0x410 [ 86.297328][ T5344] do_sys_openat2+0x121/0x1c0 [ 86.299647][ T5344] __x64_sys_openat+0x138/0x170 [ 86.302047][ T5344] do_syscall_64+0xfa/0x3b0 [ 86.304151][ T5344] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.307154][ T5344] [ 86.307154][ T5344] other info that might help us debug this: [ 86.307154][ T5344] [ 86.311968][ T5344] Possible unsafe locking scenario: [ 86.311968][ T5344] [ 86.315173][ T5344] CPU0 CPU1 [ 86.317487][ T5344] ---- ---- [ 86.319799][ T5344] lock(&conn->lock#2); [ 86.321874][ T5344] lock((work_completion)(&(&conn->info_timer)->work)); [ 86.326224][ T5344] lock(&conn->lock#2); [ 86.329249][ T5344] lock((work_completion)(&(&conn->info_timer)->work)); [ 86.332200][ T5344] [ 86.332200][ T5344] *** DEADLOCK *** [ 86.332200][ T5344] [ 86.335826][ T5344] 8 locks held by syz.0.0/5344: [ 86.338118][ T5344] #0: ffffffff8e9c2d48 (misc_mtx){+.+.}-{4:4}, at: misc_open+0x51/0x330 [ 86.342018][ T5344] #1: ffffffff8dfee528 (system_transition_mutex){+.+.}-{4:4}, at: lock_system_sleep+0x4a/0x70 [ 86.347278][ T5344] #2: ffffffff8e012a10 ((pm_chain_head).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain_robust+0x65/0x100 [ 86.352544][ T5344] #3: ffff8880424b4dc0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_suspend_dev+0x285/0x4d0 [ 86.357297][ T5344] #4: ffff8880424b40b8 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x1eb/0xdf0 [ 86.361482][ T5344] #5: ffffffff8f685ac8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_failed+0x165/0x310 [ 86.365771][ T5344] #6: ffff888045b33338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680 [ 86.369689][ T5344] #7: ffffffff8e13f160 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0 [ 86.374585][ T5344] [ 86.374585][ T5344] stack backtrace: [ 86.377359][ T5344] CPU: 0 UID: 0 PID: 5344 Comm: syz.0.0 Not tainted 6.16.0-rc5-syzkaller-00121-gbc9ff192a6c9 #0 PREEMPT(full) [ 86.377374][ T5344] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 86.377382][ T5344] Call Trace: [ 86.377389][ T5344] [ 86.377394][ T5344] dump_stack_lvl+0x189/0x250 [ 86.377414][ T5344] ? __pfx_dump_stack_lvl+0x10/0x10 [ 86.377427][ T5344] ? __pfx__printk+0x10/0x10 [ 86.377440][ T5344] ? print_lock_name+0xde/0x100 [ 86.377454][ T5344] print_circular_bug+0x2ee/0x310 [ 86.377469][ T5344] check_noncircular+0x134/0x160 [ 86.377484][ T5344] validate_chain+0xb9b/0x2140 [ 86.377497][ T5344] ? do_raw_spin_lock+0x121/0x290 [ 86.377512][ T5344] ? look_up_lock_class+0x74/0x170 [ 86.377530][ T5344] ? register_lock_class+0x51/0x320 [ 86.377543][ T5344] __lock_acquire+0xab9/0xd20 [ 86.377555][ T5344] ? __flush_work+0xd2/0xbc0 [ 86.377568][ T5344] lock_acquire+0x120/0x360 [ 86.377579][ T5344] ? __flush_work+0xd2/0xbc0 [ 86.377593][ T5344] ? _raw_spin_unlock_irq+0x23/0x50 [ 86.377609][ T5344] ? __flush_work+0xd2/0xbc0 [ 86.377621][ T5344] __flush_work+0x6b8/0xbc0 [ 86.377634][ T5344] ? __flush_work+0xd2/0xbc0 [ 86.377670][ T5344] ? __flush_work+0xd2/0xbc0 [ 86.377683][ T5344] ? __pfx___flush_work+0x10/0x10 [ 86.377695][ T5344] ? __pfx_wq_barrier_func+0x10/0x10 [ 86.377710][ T5344] ? __pfx___cancel_work+0x10/0x10 [ 86.377724][ T5344] ? hci_conn_drop+0x14d/0x280 [ 86.377740][ T5344] __cancel_work_sync+0xbe/0x110 [ 86.377753][ T5344] l2cap_conn_del+0x4f0/0x680 [ 86.377769][ T5344] l2cap_connect_cfm+0x11d/0x1040 [ 86.377785][ T5344] ? __pfx_l2cap_connect_cfm+0x10/0x10 [ 86.377799][ T5344] ? __pfx_l2cap_connect_cfm+0x10/0x10 [ 86.377811][ T5344] hci_conn_failed+0x1ce/0x310 [ 86.377826][ T5344] ? hci_abort_conn_sync+0x1f7/0xdf0 [ 86.377838][ T5344] hci_abort_conn_sync+0x5d1/0xdf0 [ 86.377850][ T5344] ? __lock_acquire+0xab9/0xd20 [ 86.377862][ T5344] ? __pfx_hci_abort_conn_sync+0x10/0x10 [ 86.377874][ T5344] ? hci_disconnect_all_sync+0x2e/0x350 [ 86.377888][ T5344] ? hci_disconnect_all_sync+0x2e/0x350 [ 86.377900][ T5344] ? hci_disconnect_all_sync+0x2e/0x350 [ 86.377914][ T5344] hci_disconnect_all_sync+0x1b5/0x350 [ 86.377927][ T5344] hci_suspend_sync+0x3b8/0xc00 [ 86.377940][ T5344] ? __pfx___mutex_lock+0x10/0x10 [ 86.377950][ T5344] ? enable_work+0x258/0x2c0 [ 86.377963][ T5344] ? __pfx_hci_suspend_sync+0x10/0x10 [ 86.377977][ T5344] ? mgmt_pending_find+0x152/0x170 [ 86.377992][ T5344] ? hci_cmd_sync_cancel_sync+0xc9/0x190 [ 86.378013][ T5344] hci_suspend_dev+0x28d/0x4d0 [ 86.378024][ T5344] ? __pfx_hci_suspend_dev+0x10/0x10 [ 86.378033][ T5344] ? rcu_barrier+0x474/0x570 [ 86.378048][ T5344] hci_suspend_notifier+0xf2/0x290 [ 86.378059][ T5344] notifier_call_chain+0x1b3/0x3e0 [ 86.378075][ T5344] blocking_notifier_call_chain_robust+0x85/0x100 [ 86.378089][ T5344] pm_notifier_call_chain_robust+0x2c/0x60 [ 86.378101][ T5344] snapshot_open+0x19c/0x280 [ 86.378112][ T5344] ? __pfx_snapshot_open+0x10/0x10 [ 86.378123][ T5344] misc_open+0x2b9/0x330 [ 86.378141][ T5344] chrdev_open+0x4c9/0x5e0 [ 86.378156][ T5344] ? __pfx_chrdev_open+0x10/0x10 [ 86.378171][ T5344] ? __pfx_chrdev_open+0x10/0x10 [ 86.378184][ T5344] do_dentry_open+0xdf0/0x1970 [ 86.378204][ T5344] vfs_open+0x3b/0x340 [ 86.378219][ T5344] ? path_openat+0x2ecd/0x3830 [ 86.378230][ T5344] path_openat+0x2ee5/0x3830 [ 86.378240][ T5344] ? arch_stack_walk+0xfc/0x150 [ 86.378260][ T5344] ? __pfx_path_openat+0x10/0x10 [ 86.378270][ T5344] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.378286][ T5344] do_filp_open+0x1fa/0x410 [ 86.378296][ T5344] ? __lock_acquire+0xab9/0xd20 [ 86.378306][ T5344] ? __pfx_do_filp_open+0x10/0x10 [ 86.378321][ T5344] ? _raw_spin_unlock+0x28/0x50 [ 86.378335][ T5344] ? alloc_fd+0x64c/0x6c0 [ 86.378351][ T5344] do_sys_openat2+0x121/0x1c0 [ 86.378368][ T5344] ? __pfx_do_sys_openat2+0x10/0x10 [ 86.378385][ T5344] ? rcu_is_watching+0x15/0xb0 [ 86.378398][ T5344] __x64_sys_openat+0x138/0x170 [ 86.378414][ T5344] do_syscall_64+0xfa/0x3b0 [ 86.378425][ T5344] ? lockdep_hardirqs_on+0x9c/0x150 [ 86.378441][ T5344] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.378451][ T5344] ? clear_bhb_loop+0x60/0xb0 [ 86.378462][ T5344] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.378473][ T5344] RIP: 0033:0x7f1fb558e929 [ 86.378485][ T5344] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 86.378495][ T5344] RSP: 002b:00007f1fb636f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 86.378508][ T5344] RAX: ffffffffffffffda RBX: 00007f1fb57b5fa0 RCX: 00007f1fb558e929 [ 86.378516][ T5344] RDX: 0000000000000000 RSI: 00002000000000c0 RDI: ffffffffffffff9c [ 86.378524][ T5344] RBP: 00007f1fb5610b39 R08: 0000000000000000 R09: 0000000000000000 [ 86.378531][ T5344] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 86.378537][ T5344] R13: 0000000000000000 R14: 00007f1fb57b5fa0 R15: 00007ffe7f12dea8 [ 86.378548][ T5344] [ 86.605208][ T793] cfg80211: failed to load regulatory.db [ 88.090037][ T4685] Bluetooth: hci0: command 0x040f tx timeout [ 90.170406][ T4685] Bluetooth: hci0: command 0x040f tx timeout [ 92.250031][ T4685] Bluetooth: hci0: command 0x040f tx timeout