BUG: workqueue leaked atomic, lock or RCU: kworker/u9:5[5233]
     preempt=0x00000000 lock=0->1 RCU=0->0 workfn=hci_rx_work
1 lock held by kworker/u9:5/5233:
 #0: ffff888023973518 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_chan_lock include/net/bluetooth/l2cap.h:827 [inline]
 #0: ffff888023973518 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_conless_channel net/bluetooth/l2cap_core.c:6764 [inline]
 #0: ffff888023973518 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_recv_frame+0x7ce/0x10840 net/bluetooth/l2cap_core.c:6830
CPU: 1 UID: 0 PID: 5233 Comm: kworker/u9:5 Not tainted 6.11.0-rc1-syzkaller-00272-g17712b7ea075 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Workqueue: hci5 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 process_one_work kernel/workqueue.c:3252 [inline]
 process_scheduled_works+0x1121/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
 kthread+0x2f2/0x390 kernel/kthread.c:389
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

======================================================
WARNING: possible circular locking dependency detected
6.11.0-rc1-syzkaller-00272-g17712b7ea075 #0 Not tainted
------------------------------------------------------
kworker/u9:5/5233 is trying to acquire lock:
ffff88807ae0d948 ((wq_completion)hci5#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3206 [inline]
ffff88807ae0d948 ((wq_completion)hci5#2){+.+.}-{0:0}, at: process_scheduled_works+0x90a/0x1830 kernel/workqueue.c:3312

but task is already holding lock:
ffff888023973518 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_chan_lock include/net/bluetooth/l2cap.h:827 [inline]
ffff888023973518 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_conless_channel net/bluetooth/l2cap_core.c:6764 [inline]
ffff888023973518 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_recv_frame+0x7ce/0x10840 net/bluetooth/l2cap_core.c:6830

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&chan->lock/1){+.+.}-{3:3}:
       reacquire_held_locks+0x3eb/0x690 kernel/locking/lockdep.c:5284
       __lock_release kernel/locking/lockdep.c:5473 [inline]
       lock_release+0x396/0xa30 kernel/locking/lockdep.c:5780
       process_one_work kernel/workqueue.c:3238 [inline]
       process_scheduled_works+0xb34/0x1830 kernel/workqueue.c:3312
       worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
       kthread+0x2f2/0x390 kernel/kthread.c:389
       ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

-> #0 ((wq_completion)hci5#2){+.+.}-{0:0}:
       check_prev_add kernel/locking/lockdep.c:3133 [inline]
       check_prevs_add kernel/locking/lockdep.c:3252 [inline]
       validate_chain+0x18e0/0x5900 kernel/locking/lockdep.c:3868
       __lock_acquire+0x137a/0x2040 kernel/locking/lockdep.c:5142
       lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5759
       process_one_work kernel/workqueue.c:3206 [inline]
       process_scheduled_works+0x91f/0x1830 kernel/workqueue.c:3312
       worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
       kthread+0x2f2/0x390 kernel/kthread.c:389
       ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&chan->lock/1);
                               lock((wq_completion)hci5#2);
                               lock(&chan->lock/1);
  lock((wq_completion)hci5#2);

 *** DEADLOCK ***

1 lock held by kworker/u9:5/5233:
 #0: ffff888023973518 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_chan_lock include/net/bluetooth/l2cap.h:827 [inline]
 #0: ffff888023973518 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_conless_channel net/bluetooth/l2cap_core.c:6764 [inline]
 #0: ffff888023973518 (&chan->lock/1){+.+.}-{3:3}, at: l2cap_recv_frame+0x7ce/0x10840 net/bluetooth/l2cap_core.c:6830

stack backtrace:
CPU: 1 UID: 0 PID: 5233 Comm: kworker/u9:5 Not tainted 6.11.0-rc1-syzkaller-00272-g17712b7ea075 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Workqueue: hci5 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2186
 check_prev_add kernel/locking/lockdep.c:3133 [inline]
 check_prevs_add kernel/locking/lockdep.c:3252 [inline]
 validate_chain+0x18e0/0x5900 kernel/locking/lockdep.c:3868
 __lock_acquire+0x137a/0x2040 kernel/locking/lockdep.c:5142
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5759
 process_one_work kernel/workqueue.c:3206 [inline]
 process_scheduled_works+0x91f/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
 kthread+0x2f2/0x390 kernel/kthread.c:389
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
BUG: workqueue leaked atomic, lock or RCU: kworker/u9:5[5233]
     preempt=0x00000000 lock=1->0 RCU=0->0 workfn=hci_rx_work
INFO: lockdep is turned off.
CPU: 1 UID: 0 PID: 5233 Comm: kworker/u9:5 Not tainted 6.11.0-rc1-syzkaller-00272-g17712b7ea075 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Workqueue: hci5 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 process_one_work kernel/workqueue.c:3252 [inline]
 process_scheduled_works+0x1121/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
 kthread+0x2f2/0x390 kernel/kthread.c:389
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>