program: r0 = accept4$tipc(0xffffffffffffffff, &(0x7f0000000000), &(0x7f0000000080)=0x10, 0x80800) ioctl$sock_proto_private(r0, 0x89ee, &(0x7f0000000100)="4c2d4ebc88ddbf7190e18f3d0a6f6730754c759fd0074f815041c691f8322fc08af4381e8077446a5b6e4c97a03d73a18719730a61f8968db88000715fbaf437a9e633d1c807d612a44eef5b0f573154c7a13e594af8b36e7587520a0d69b856a8f4e46b3ff8") (async) r1 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f00000000c0)={0x1, &(0x7f0000000040)=[{0x6, 0x0, 0x0, 0x7fffffff}]}) r2 = socket$inet6(0xa, 0x1, 0x0) (async) open(&(0x7f0000000340)='./bus\x00', 0x143142, 0x0) lsetxattr$system_posix_acl(&(0x7f0000000180)='./bus\x00', &(0x7f0000000540)='system.posix_acl_access\x00', &(0x7f00000001c0)={{}, {}, [], {}, [{0x8, 0x2}], {0x10, 0x2}}, 0x2c, 0x0) (async, rerun: 64) getxattr(&(0x7f00000002c0)='./bus\x00', &(0x7f0000000380)=@known='system.posix_acl_access\x00', &(0x7f00000005c0)=""/244, 0xf4) (async, rerun: 64) mkdir(&(0x7f0000000580)='./file0\x00', 0x0) mount$tmpfs(0x0, &(0x7f00000000c0)='./file0\x00', &(0x7f0000000040), 0x0, &(0x7f0000000000)={[{@huge_within_size}]}) (async) chdir(&(0x7f0000000140)='./file0\x00') (async) r3 = creat(&(0x7f0000000000)='./bus\x00', 0x0) ftruncate(r3, 0x8) r4 = open(&(0x7f0000000780)='./bus\x00', 0x14117e, 0x0) mmap(&(0x7f0000000000/0x600000)=nil, 0x604100, 0x7ffffe, 0x4002011, r4, 0x0) r5 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r5, 0x400448ca, 0x0) (async) bind$bt_hci(r5, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6) (async) r6 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) bind$bt_hci(r6, &(0x7f0000000280)={0x1f, 0xffff, 0x3}, 0x6) io_setup(0x8, &(0x7f00000002c0)=<r7=>0x0) (async) mknod$loop(&(0x7f00000001c0)='./file0\x00', 0x2000, 0x1) (async) r8 = syz_init_net_socket$bt_rfcomm(0x1f, 0x1, 0x3) connect$bt_rfcomm(r8, 0x0, 0x0) (async) io_submit(r7, 0x8, &(0x7f0000000340)=[&(0x7f0000000100)={0x2000000000, 0x4, 0x0, 0x1, 0x0, r6, &(0x7f0000000040)="0300ffff0000", 0x6}]) (async) r9 = 
syz_open_procfs(0xffffffffffffffff, &(0x7f0000000080)='smaps\x00') read$FUSE(r9, &(0x7f0000002140)={0x2020}, 0x10c8) (async, rerun: 64) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f0000000180)={@rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', 0x800, 0x0, 0x3, 0x1, 0x40}, 0x20) (async, rerun: 64) setsockopt$inet6_IPV6_FLOWLABEL_MGR(r2, 0x29, 0x20, &(0x7f00000000c0)={@mcast1, 0x0, 0x0, 0x1, 0x1, 0xffff}, 0x20) close_range(r1, 0xffffffffffffffff, 0x0) [ 89.762960][ T534[ 88.005922][ T5320] Bluetooth: hci0: command tx timeout [ 88.051747][ T5340] [ 88.052835][ T5340] ====================================================== [ 88.056220][ T5340] WARNING: possible circular locking dependency detected [ 88.059397][ T5340] 6.16.0-rc7-syzkaller-00140-gec2df4364666 #0 Not tainted [ 88.062332][ T5340] ------------------------------------------------------ [ 88.065331][ T5340] kworker/0:5/5340 is trying to acquire lock: [ 88.067810][ T5340] ffff8880445b9338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0 [ 88.071900][ T5340] [ 88.071900][ T5340] but task is already holding lock: [ 88.076366][ T5340] ffffc9000d47fbc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0 [ 88.082268][ T5340] [ 88.082268][ T5340] which lock already depends on the new lock. 
[ 88.082268][ T5340] [ 88.086710][ T5340] [ 88.086710][ T5340] the existing dependency chain (in reverse order) is: [ 88.090291][ T5340] [ 88.090291][ T5340] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}: [ 88.094560][ T5340] lock_acquire+0x120/0x360 [ 88.096677][ T5340] __flush_work+0x6b8/0xbc0 [ 88.098880][ T5340] __cancel_work_sync+0xbe/0x110 [ 88.101315][ T5340] l2cap_conn_del+0x4f0/0x680 [ 88.103492][ T5340] hci_conn_hash_flush+0x10d/0x230 [ 88.106718][ T5340] hci_dev_close_sync+0xaef/0x1330 [ 88.109089][ T5340] hci_dev_close+0x108/0x200 [ 88.111335][ T5340] sock_do_ioctl+0xdc/0x300 [ 88.113410][ T5340] sock_ioctl+0x576/0x790 [ 88.115451][ T5340] __se_sys_ioctl+0xfc/0x170 [ 88.117679][ T5340] do_syscall_64+0xfa/0x3b0 [ 88.119931][ T5340] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 88.122635][ T5340] [ 88.122635][ T5340] -> #0 (&conn->lock#2){+.+.}-{4:4}: [ 88.125750][ T5340] validate_chain+0xb9b/0x2140 [ 88.127925][ T5340] __lock_acquire+0xab9/0xd20 [ 88.130319][ T5340] lock_acquire+0x120/0x360 [ 88.132489][ T5340] __mutex_lock+0x182/0xe80 [ 88.134583][ T5340] l2cap_info_timeout+0x60/0xa0 [ 88.136791][ T5340] process_scheduled_works+0xae1/0x17b0 [ 88.139338][ T5340] worker_thread+0x8a0/0xda0 [ 88.141548][ T5340] kthread+0x711/0x8a0 [ 88.143605][ T5340] ret_from_fork+0x3fc/0x770 [ 88.145816][ T5340] ret_from_fork_asm+0x1a/0x30 [ 88.148164][ T5340] [ 88.148164][ T5340] other info that might help us debug this: [ 88.148164][ T5340] [ 88.152650][ T5340] Possible unsafe locking scenario: [ 88.152650][ T5340] [ 88.155951][ T5340] CPU0 CPU1 [ 88.158267][ T5340] ---- ---- [ 88.160503][ T5340] lock((work_completion)(&(&conn->info_timer)->work)); [ 88.163618][ T5340] lock(&conn->lock#2); [ 88.167061][ T5340] lock((work_completion)(&(&conn->info_timer)->work)); [ 88.171021][ T5340] lock(&conn->lock#2); [ 88.172814][ T5340] [ 88.172814][ T5340] *** DEADLOCK *** [ 88.172814][ T5340] [ 88.176073][ T5340] 2 locks held by kworker/0:5/5340: [ 88.178200][ 
T5340] #0: ffff88801a474d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0 [ 88.182944][ T5340] #1: ffffc9000d47fbc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0 [ 88.188767][ T5340] [ 88.188767][ T5340] stack backtrace: [ 88.191244][ T5340] CPU: 0 UID: 0 PID: 5340 Comm: kworker/0:5 Not tainted 6.16.0-rc7-syzkaller-00140-gec2df4364666 #0 PREEMPT(full) [ 88.191260][ T5340] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 88.191268][ T5340] Workqueue: events l2cap_info_timeout [ 88.191287][ T5340] Call Trace: [ 88.191294][ T5340] <TASK> [ 88.191300][ T5340] dump_stack_lvl+0x189/0x250 [ 88.191315][ T5340] ? __pfx_dump_stack_lvl+0x10/0x10 [ 88.191327][ T5340] ? __pfx__printk+0x10/0x10 [ 88.191340][ T5340] ? print_lock_name+0xde/0x100 [ 88.191354][ T5340] print_circular_bug+0x2ee/0x310 [ 88.191367][ T5340] check_noncircular+0x134/0x160 [ 88.191380][ T5340] validate_chain+0xb9b/0x2140 [ 88.191394][ T5340] ? ret_from_fork_asm+0x1a/0x30 [ 88.191408][ T5340] __lock_acquire+0xab9/0xd20 [ 88.191419][ T5340] ? l2cap_info_timeout+0x60/0xa0 [ 88.191429][ T5340] lock_acquire+0x120/0x360 [ 88.191438][ T5340] ? l2cap_info_timeout+0x60/0xa0 [ 88.191451][ T5340] __mutex_lock+0x182/0xe80 [ 88.191462][ T5340] ? l2cap_info_timeout+0x60/0xa0 [ 88.191473][ T5340] ? irqentry_exit+0x74/0x90 [ 88.191482][ T5340] ? lockdep_hardirqs_on+0x9c/0x150 [ 88.191492][ T5340] ? l2cap_info_timeout+0x60/0xa0 [ 88.191503][ T5340] ? __pfx___mutex_lock+0x10/0x10 [ 88.191517][ T5340] l2cap_info_timeout+0x60/0xa0 [ 88.191528][ T5340] ? process_scheduled_works+0x9ef/0x17b0 [ 88.191539][ T5340] process_scheduled_works+0xae1/0x17b0 [ 88.191555][ T5340] ? __pfx_process_scheduled_works+0x10/0x10 [ 88.191565][ T5340] worker_thread+0x8a0/0xda0 [ 88.191573][ T5340] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 88.191584][ T5340] ? 
__kthread_parkme+0x7b/0x200 [ 88.191597][ T5340] kthread+0x711/0x8a0 [ 88.191611][ T5340] ? __pfx_worker_thread+0x10/0x10 [ 88.191622][ T5340] ? __pfx_kthread+0x10/0x10 [ 88.191635][ T5340] ? _raw_spin_unlock_irq+0x23/0x50 [ 88.191648][ T5340] ? lockdep_hardirqs_on+0x9c/0x150 [ 88.191657][ T5340] ? __pfx_kthread+0x10/0x10 [ 88.191669][ T5340] ret_from_fork+0x3fc/0x770 [ 88.191681][ T5340] ? __pfx_ret_from_fork+0x10/0x10 [ 88.191693][ T5340] ? __pfx_kthread+0x10/0x10 [ 88.191705][ T5340] ret_from_fork_asm+0x1a/0x30 [ 88.191721][ T5340] </TASK> [ 90.023908][ T4686] Bluetooth: hci0: command tx timeout [ 91.550185][ T10] cfg80211: failed to load regulatory.db [ 92.104214][ T4686] Bluetooth: hci0: command tx timeout [ 94.183997][ T4686] Bluetooth: hci0: command tx timeout