program:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r1, 0x400448ca, 0x0)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r2 = socket$inet6_udplite(0xa, 0x2, 0x88)
close_range(r2, 0xffffffffffffffff, 0x0)

[ 86.962862][ T4703] Bluetooth: hci0: command tx timeout
[ 87.092344][ T5354]
[ 87.107208][ T5354] ======================================================
[ 87.110982][ T5354] WARNING: possible circular locking dependency detected
[ 87.114221][ T5354] syzkaller #0 Not tainted
[ 87.116286][ T5354] ------------------------------------------------------
[ 87.119477][ T5354] kworker/0:5/5354 is trying to acquire lock:
[ 87.122228][ T5354] ffff888052051b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 87.136117][ T5354]
[ 87.136117][ T5354] but task is already holding lock:
[ 87.144086][ T5354] ffffc9000d4efbc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0
[ 87.155985][ T5354]
[ 87.155985][ T5354] which lock already depends on the new lock.
[ 87.155985][ T5354]
[ 87.174740][ T5354]
[ 87.174740][ T5354] the existing dependency chain (in reverse order) is:
[ 87.178910][ T5354]
[ 87.178910][ T5354] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 87.184228][ T5354]        lock_acquire+0x120/0x360
[ 87.186576][ T5354]        __flush_work+0x6b8/0xbc0
[ 87.203738][ T5354]        __cancel_work_sync+0xbe/0x110
[ 87.206408][ T5354]        l2cap_conn_del+0x4f0/0x680
[ 87.209086][ T5354]        hci_conn_hash_flush+0x10a/0x230
[ 87.212119][ T5354]        hci_dev_close_sync+0xaef/0x1330
[ 87.215577][ T5354]        hci_dev_close+0x108/0x200
[ 87.232692][ T5354]        sock_do_ioctl+0xd9/0x300
[ 87.235768][ T5354]        sock_ioctl+0x576/0x790
[ 87.238007][ T5354]        __se_sys_ioctl+0xfc/0x170
[ 87.240598][ T5354]        do_syscall_64+0xfa/0x3b0
[ 87.245207][ T5354]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 87.248129][ T5354]
[ 87.248129][ T5354] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 87.267298][ T5354]        validate_chain+0xb9b/0x2140
[ 87.275051][ T5354]        __lock_acquire+0xab9/0xd20
[ 87.280121][ T5354]        lock_acquire+0x120/0x360
[ 87.286515][ T5354]        __mutex_lock+0x187/0x1350
[ 87.307942][ T5354]        l2cap_info_timeout+0x60/0xa0
[ 87.311134][ T5354]        process_scheduled_works+0xae1/0x17b0
[ 87.314210][ T5354]        worker_thread+0x8a0/0xda0
[ 87.316525][ T5354]        kthread+0x70e/0x8a0
[ 87.319033][ T5354]        ret_from_fork+0x3fc/0x770
[ 87.323802][ T5354]        ret_from_fork_asm+0x1a/0x30
[ 87.342779][ T5354]
[ 87.342779][ T5354] other info that might help us debug this:
[ 87.342779][ T5354]
[ 87.347805][ T5354]  Possible unsafe locking scenario:
[ 87.347805][ T5354]
[ 87.351844][ T5354]        CPU0                    CPU1
[ 87.354736][ T5354]        ----                    ----
[ 87.357324][ T5354]   lock((work_completion)(&(&conn->info_timer)->work));
[ 87.375009][ T5354]                                lock(&conn->lock#2);
[ 87.378814][ T5354]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 87.385148][ T5354]   lock(&conn->lock#2);
[ 87.387862][ T5354]
[ 87.387862][ T5354]  *** DEADLOCK ***
[ 87.387862][ T5354]
[ 87.398614][ T5354] 2 locks held by kworker/0:5/5354:
[ 87.402122][ T5354]  #0: ffff88801a474d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0
[ 87.416709][ T5354]  #1: ffffc9000d4efbc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0
[ 87.437625][ T5354]
[ 87.437625][ T5354] stack backtrace:
[ 87.454215][ T5354] CPU: 0 UID: 0 PID: 5354 Comm: kworker/0:5 Not tainted syzkaller #0 PREEMPT(full)
[ 87.454234][ T5354] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 87.454243][ T5354] Workqueue: events l2cap_info_timeout
[ 87.454267][ T5354] Call Trace:
[ 87.454276][ T5354]
[ 87.454283][ T5354]  dump_stack_lvl+0x189/0x250
[ 87.454299][ T5354]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 87.454322][ T5354]  ? __pfx__printk+0x10/0x10
[ 87.454337][ T5354]  ? print_lock_name+0xde/0x100
[ 87.454350][ T5354]  print_circular_bug+0x2ee/0x310
[ 87.454364][ T5354]  check_noncircular+0x134/0x160
[ 87.454375][ T5354]  validate_chain+0xb9b/0x2140
[ 87.454389][ T5354]  __lock_acquire+0xab9/0xd20
[ 87.454406][ T5354]  ? l2cap_info_timeout+0x60/0xa0
[ 87.454419][ T5354]  lock_acquire+0x120/0x360
[ 87.454432][ T5354]  ? l2cap_info_timeout+0x60/0xa0
[ 87.454449][ T5354]  __mutex_lock+0x187/0x1350
[ 87.454465][ T5354]  ? l2cap_info_timeout+0x60/0xa0
[ 87.454480][ T5354]  ? irqentry_exit+0x74/0x90
[ 87.454500][ T5354]  ? lockdep_hardirqs_on+0x9c/0x150
[ 87.454514][ T5354]  ? l2cap_info_timeout+0x60/0xa0
[ 87.454528][ T5354]  ? __pfx___mutex_lock+0x10/0x10
[ 87.454546][ T5354]  l2cap_info_timeout+0x60/0xa0
[ 87.454560][ T5354]  ? process_scheduled_works+0x9ef/0x17b0
[ 87.454571][ T5354]  process_scheduled_works+0xae1/0x17b0
[ 87.454587][ T5354]  ? __pfx_process_scheduled_works+0x10/0x10
[ 87.454602][ T5354]  worker_thread+0x8a0/0xda0
[ 87.454614][ T5354]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 87.454630][ T5354]  ? __kthread_parkme+0x7b/0x200
[ 87.454642][ T5354]  kthread+0x70e/0x8a0
[ 87.454656][ T5354]  ? __pfx_worker_thread+0x10/0x10
[ 87.454666][ T5354]  ? __pfx_kthread+0x10/0x10
[ 87.454679][ T5354]  ? _raw_spin_unlock_irq+0x23/0x50
[ 87.454691][ T5354]  ? lockdep_hardirqs_on+0x9c/0x150
[ 87.454705][ T5354]  ? __pfx_kthread+0x10/0x10
[ 87.454716][ T5354]  ret_from_fork+0x3fc/0x770
[ 87.454729][ T5354]  ? __pfx_ret_from_fork+0x10/0x10
[ 87.454741][ T5354]  ? __pfx_kthread+0x10/0x10
[ 87.454752][ T5354]  ret_from_fork_asm+0x1a/0x30
[ 87.454770][ T5354]
[ 87.811491][ T5365] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list
[ 88.995057][ T4703] Bluetooth: hci0: command tx timeout
[ 91.075173][ T4703] Bluetooth: hci0: command tx timeout
[ 91.722498][ T10] cfg80211: failed to load regulatory.db
[ 93.155080][ T4703] Bluetooth: hci0: command tx timeout