program: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_CREATE(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000380)=ANY=[@ANYBLOB="1400000002062300000000000000000005000000"], 0x14}, 0x1, 0x0, 0x0, 0x5004}, 0x0) r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x0) bind$bt_l2cap(r1, &(0x7f0000000000)={0x1f, 0x0, @any, 0x4, 0x1}, 0xe) listen(r1, 0x3) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) write(r4, &(0x7f0000000000)="240000005800410f9c00f4f90085b3a85c91fddf080001000501009f0800028001000000", 0x24) r5 = socket$nl_route(0x10, 0x3, 0x0) socket(0x10, 0x3, 0x0) (async) r6 = socket(0x10, 0x3, 0x0) r7 = socket(0x10, 0x803, 0x0) syz_genetlink_get_family_id$mptcp(&(0x7f00000000c0), r7) getsockname$packet(r7, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000003c0)=0x14) (async) getsockname$packet(r7, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000003c0)=0x14) sendmsg$nl_route_sched(r6, &(0x7f0000005840)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000001240)=@newqdisc={0x2c, 0x24, 0x5820a61ca228651, 0x0, 0x0, {0x0, 0x0, 0x0, r8, {}, {0xffff, 0xffff}, {0x0, 0xb}}, [@qdisc_kind_options=@q_qfg={0x8}]}, 0x2c}, 0x1, 0x0, 0x0, 0x20004000}, 0x0) (async) sendmsg$nl_route_sched(r6, &(0x7f0000005840)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000001240)=@newqdisc={0x2c, 0x24, 0x5820a61ca228651, 0x0, 0x0, {0x0, 0x0, 0x0, r8, {}, {0xffff, 0xffff}, {0x0, 0xb}}, [@qdisc_kind_options=@q_qfg={0x8}]}, 0x2c}, 0x1, 0x0, 0x0, 0x20004000}, 0x0) sendmsg$nl_route_sched(r5, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000024c0)=@newtfilter={0x3c, 0x28, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r8, {0xfff1}}, [@filter_kind_options=@f_basic={{0xa}, {0x4}}, @TCA_RATE={0x6, 0x5, {0x3, 0x3}}]}, 0x3c}}, 0x0) (async) sendmsg$nl_route_sched(r5, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000024c0)=@newtfilter={0x3c, 0x28, 0xd27, 0x0, 0x0, {0x0, 0x0, 0x0, r8, {0xfff1}}, [@filter_kind_options=@f_basic={{0xa}, {0x4}}, @TCA_RATE={0x6, 0x5, {0x3, 0x3}}]}, 0x3c}}, 0x0) r9 = socket(0x10, 0x3, 0x0) setsockopt$netlink_NETLINK_TX_RING(r9, 0x10e, 0xc, &(0x7f00000000c0)={0x9}, 0x10) sendmsg$nl_route_sched(r9, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000200)=@gettaction={0x1c, 0x5a, 0xc6b747b6bf1c6b95, 0x0, 0x0, {}, [@action_dump_flags=@TCA_ROOT_TIME_DELTA={0x8}]}, 0x1c}}, 0x0) (async) sendmsg$nl_route_sched(r9, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000200)=@gettaction={0x1c, 0x5a, 0xc6b747b6bf1c6b95, 0x0, 0x0, {}, [@action_dump_flags=@TCA_ROOT_TIME_DELTA={0x8}]}, 0x1c}}, 0x0) r10 = ioctl$KVM_CREATE_VCPU(r3, 0xae41, 0x0) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r10, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, 0x0}], 0x1, 0x74, 0x0, 0x0) (async) syz_kvm_setup_cpu$x86(0xffffffffffffffff, r10, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000140)=[@text64={0x40, 0x0}], 0x1, 0x74, 0x0, 0x0) openat2$dir(0xffffffffffffff9c, &(0x7f0000000180)='\x00', &(0x7f0000000200)={0x420080, 0x14, 0x4}, 0x18) (async) r11 = openat2$dir(0xffffffffffffff9c, &(0x7f0000000180)='\x00', &(0x7f0000000200)={0x420080, 0x14, 0x4}, 0x18) dup(r11) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) (async) syz_emit_vhci(&(0x7f0000000540)=ANY=[@ANYBLOB="043e1f0a"], 0x22) r12 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$sock_bt_hci(r12, 0x400448ca, 0x0) socket$nl_netfilter(0x10, 0x3, 0xc) (async) r13 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_ADD(r13, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000100)={0x38, 0x9, 0x6, 0x201, 0x0, 0x0, {}, [@IPSET_ATTR_SETNAME={0x9, 0x2, 'syz1\x00'}, @IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_DATA={0x10, 0x7, 0x0, 0x1, [@IPSET_ATTR_IP={0xc, 0x1, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV4={0x8, 0x1, 0x1, 0x0, @empty=0xfffffffe}}]}]}, 0x38}, 0x1, 0x0, 0x0, 0x10000047}, 0x4000084) r14 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_FLUSH(r14, &(0x7f0000000380)={0x0, 0x0, &(0x7f0000000340)={&(0x7f0000000300)=ANY=[@ANYBLOB="1c00000004060102000000002074605b50a3aac90000000001000009"], 0x1c}, 0x1, 0x0, 0x0, 0x40000}, 0x800) (async) sendmsg$IPSET_CMD_FLUSH(r14, &(0x7f0000000380)={0x0, 0x0, &(0x7f0000000340)={&(0x7f0000000300)=ANY=[@ANYBLOB="1c00000004060102000000002074605b50a3aac90000000001000009"], 0x1c}, 0x1, 0x0, 0x0, 0x40000}, 0x800) [ 86.503123][ T5318] netlink: 4 bytes leftover after parsing attributes in process `syz.0.0'. [ 86.547371][ T5296] Bluetooth: hci0: command tx timeout [ 86.582156][ T1352] [ 86.583356][ T1352] ====================================================== [ 86.586401][ T1352] WARNING: possible circular locking dependency detected [ 86.590176][ T1352] syzkaller #0 Not tainted [ 86.592797][ T1352] ------------------------------------------------------ [ 86.596393][ T1352] kworker/0:3/1352 is trying to acquire lock: [ 86.599044][ T1352] ffff888032bf1af8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0 [ 86.603140][ T1352] [ 86.603140][ T1352] but task is already holding lock: [ 86.605896][ T1352] ffffc900024dfc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa25/0x1830 [ 86.611055][ T1352] [ 86.611055][ T1352] which lock already depends on the new lock. [ 86.611055][ T1352] [ 86.615617][ T1352] [ 86.615617][ T1352] the existing dependency chain (in reverse order) is: [ 86.620007][ T1352] [ 86.620007][ T1352] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}: [ 86.624594][ T1352] __flush_work+0x700/0xc50 [ 86.626849][ T1352] __cancel_work_sync+0xbe/0x110 [ 86.629075][ T1352] l2cap_conn_del+0x40f/0x5c0 [ 86.631081][ T1352] hci_conn_hash_flush+0x10d/0x260 [ 86.633530][ T1352] hci_dev_close_sync+0x821/0x10e0 [ 86.635930][ T1352] hci_dev_close+0x108/0x260 [ 86.638042][ T1352] sock_do_ioctl+0x101/0x320 [ 86.640097][ T1352] sock_ioctl+0x5c6/0x7f0 [ 86.642091][ T1352] __se_sys_ioctl+0xfc/0x170 [ 86.644319][ T1352] do_syscall_64+0x14d/0xf80 [ 86.646385][ T1352] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.648965][ T1352] [ 86.648965][ T1352] -> #0 (&conn->lock#2){+.+.}-{4:4}: [ 86.652098][ T1352] __lock_acquire+0x15a5/0x2cf0 [ 86.654413][ T1352] lock_acquire+0xf0/0x2e0 [ 86.656547][ T1352] __mutex_lock+0x19f/0x1300 [ 86.658785][ T1352] l2cap_info_timeout+0x60/0xa0 [ 86.661118][ T1352] process_scheduled_works+0xb02/0x1830 [ 86.663765][ T1352] worker_thread+0xa50/0xfc0 [ 86.665957][ T1352] kthread+0x388/0x470 [ 86.668000][ T1352] ret_from_fork+0x51e/0xb90 [ 86.670263][ T1352] ret_from_fork_asm+0x1a/0x30 [ 86.672602][ T1352] [ 86.672602][ T1352] other info that might help us debug this: [ 86.672602][ T1352] [ 86.676942][ T1352] Possible unsafe locking scenario: [ 86.676942][ T1352] [ 86.680101][ T1352] CPU0 CPU1 [ 86.682468][ T1352] ---- ---- [ 86.684927][ T1352] lock((work_completion)(&(&conn->info_timer)->work)); [ 86.688124][ T1352] lock(&conn->lock#2); [ 86.691004][ T1352] lock((work_completion)(&(&conn->info_timer)->work)); [ 86.694944][ T1352] lock(&conn->lock#2); [ 86.696830][ T1352] [ 86.696830][ T1352] *** DEADLOCK *** [ 86.696830][ T1352] [ 86.700395][ T1352] 2 locks held by kworker/0:3/1352: [ 86.703242][ T1352] #0: ffff88801a8aad48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9ea/0x1830 [ 86.708465][ T1352] #1: ffffc900024dfc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa25/0x1830 [ 86.714188][ T1352] [ 86.714188][ T1352] stack backtrace: [ 86.716736][ T1352] CPU: 0 UID: 0 PID: 1352 Comm: kworker/0:3 Not tainted syzkaller #0 PREEMPT(full) [ 86.716753][ T1352] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 86.716761][ T1352] Workqueue: events l2cap_info_timeout [ 86.716783][ T1352] Call Trace: [ 86.716791][ T1352] [ 86.716795][ T1352] dump_stack_lvl+0xe8/0x150 [ 86.716812][ T1352] print_circular_bug+0x2e1/0x300 [ 86.716828][ T1352] check_noncircular+0x12e/0x150 [ 86.716844][ T1352] __lock_acquire+0x15a5/0x2cf0 [ 86.716857][ T1352] ? __schedule+0x159b/0x5340 [ 86.716869][ T1352] ? arch_stack_walk+0x11b/0x150 [ 86.716886][ T1352] ? ret_from_fork_asm+0x1a/0x30 [ 86.716901][ T1352] lock_acquire+0xf0/0x2e0 [ 86.716908][ T1352] ? l2cap_info_timeout+0x60/0xa0 [ 86.716921][ T1352] __mutex_lock+0x19f/0x1300 [ 86.716933][ T1352] ? l2cap_info_timeout+0x60/0xa0 [ 86.716949][ T1352] ? irqentry_exit+0x59e/0x620 [ 86.716961][ T1352] ? lockdep_hardirqs_on+0x7a/0x110 [ 86.716972][ T1352] ? l2cap_info_timeout+0x60/0xa0 [ 86.716985][ T1352] ? irqentry_exit+0x59e/0x620 [ 86.716995][ T1352] ? trace_irq_disable+0x3b/0x150 [ 86.717012][ T1352] ? __pfx___mutex_lock+0x10/0x10 [ 86.717026][ T1352] ? lock_acquire+0x20b/0x2e0 [ 86.717039][ T1352] l2cap_info_timeout+0x60/0xa0 [ 86.717053][ T1352] ? process_scheduled_works+0xa25/0x1830 [ 86.717066][ T1352] process_scheduled_works+0xb02/0x1830 [ 86.717078][ T1352] ? __pfx_process_scheduled_works+0x10/0x10 [ 86.717087][ T1352] ? assign_work+0x3d5/0x5e0 [ 86.717095][ T1352] worker_thread+0xa50/0xfc0 [ 86.717110][ T1352] kthread+0x388/0x470 [ 86.717119][ T1352] ? __pfx_worker_thread+0x10/0x10 [ 86.717131][ T1352] ? __pfx_kthread+0x10/0x10 [ 86.717141][ T1352] ret_from_fork+0x51e/0xb90 [ 86.717155][ T1352] ? __pfx_ret_from_fork+0x10/0x10 [ 86.717167][ T1352] ? __switch_to+0xc7d/0x1450 [ 86.717179][ T1352] ? __pfx_kthread+0x10/0x10 [ 86.717189][ T1352] ret_from_fork_asm+0x1a/0x30 [ 86.717201][ T1352] [ 88.637454][ T4663] Bluetooth: hci0: command tx timeout [ 90.717873][ T4663] Bluetooth: hci0: command tx timeout [ 92.003889][ T9] cfg80211: failed to load regulatory.db [ 92.797513][ T4663] Bluetooth: hci0: command tx timeout