program:
mknodat$null(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', 0x0, 0x103)
r0 = socket$inet6_sctp(0xa, 0x5, 0x84)
r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r1, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe)
r2 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6)
ioctl$sock_bt_hidp_HIDPCONNADD(r2, 0x400448c8, &(0x7f0000000280)={r1, r1, 0xc, 0x1, &(0x7f0000000340)='\x00', 0x9, 0x1, 0x457, 0x7, 0x9, 0x1, 0x1, 'syz1\x00'})
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r3, 0x400448ca, 0x0)
shutdown(r0, 0x0)
setsockopt$inet6_IPV6_XFRM_POLICY(r0, 0x29, 0x23, &(0x7f0000000180)={{{@in=@rand_addr=0x64010102, @in6=@ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x0, 0x0}}, 0x4e22, 0x0, 0x0, 0x8, 0x2, 0x0, 0x0, 0x1d}, {0xfffffffffffffffd, 0x0, 0x6, 0x0, 0x5, 0x80000000, 0x0, 0x7fffffffffffffff}, {0x8, 0x0, 0xffffffffffffffff, 0x20000000000000}, 0x0, 0x0, 0x1}, {{@in=@empty, 0x4d5, 0x6c}, 0xa, @in=@private=0xa010101, 0x350a, 0x4, 0x0, 0xfc, 0x0, 0x2, 0x200000}}, 0xe8)
getsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX3(r0, 0x84, 0x6f, &(0x7f0000000200)={0x0, 0x10, &(0x7f00000001c0)=[@in={0x2, 0x4e23, @rand_addr=0x64010100}]}, &(0x7f0000000140)=0x10)
getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(r0, 0x84, 0x7a, &(0x7f0000000040)={r4, @in6={{0xa, 0x4e25, 0xfffffff7, @ipv4={'\x00', '\xff\xff', @loopback}, 0x74}}}, &(0x7f0000000280)=0x84)
mount(&(0x7f00000000c0)=@nullb, &(0x7f0000000140)='./file0\x00', &(0x7f0000000080)='affs\x00', 0x8090, 0x0)
r5 = socket$nl_generic(0x10, 0x3, 0x10)
r6 = syz_genetlink_get_family_id$ipvs(&(0x7f0000000040), 0xffffffffffffffff)
r7 = socket$nl_generic(0x10, 0x3, 0x10)
sendmsg$IPVS_CMD_NEW_SERVICE(r7, &(0x7f0000000180)={0x0, 0x0, &(0x7f00000005c0)={&(0x7f0000000080)={0x50, r6, 0x1, 0x70bd2b, 0x0, {}, [@IPVS_CMD_ATTR_SERVICE={0x3c, 0x1, 0x0, 0x1, [@IPVS_SVC_ATTR_AF={0x6, 0x1, 0xa}, @IPVS_SVC_ATTR_SCHED_NAME={0xa, 0x6, 'lblcr\x00'}, @IPVS_SVC_ATTR_NETMASK={0x8, 0x9, 0x64},
@IPVS_SVC_ATTR_FLAGS={0xc}, @IPVS_SVC_ATTR_FWMARK={0x8}, @IPVS_SVC_ATTR_TIMEOUT={0x8}]}]}, 0x50}}, 0x0)
sendmsg$IPVS_CMD_FLUSH(r5, &(0x7f0000000340)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x8000}, 0xc, &(0x7f0000000300)={&(0x7f00000002c0)={0x40, r6, 0x300, 0x70bd27, 0x25dfdbff, {}, [@IPVS_CMD_ATTR_DAEMON={0x2c, 0x3, 0x0, 0x1, [@IPVS_DAEMON_ATTR_STATE={0x8}, @IPVS_DAEMON_ATTR_STATE={0x8, 0x1, 0x1}, @IPVS_DAEMON_ATTR_MCAST_PORT={0x6, 0x7, 0x4e24}, @IPVS_DAEMON_ATTR_SYNC_ID={0x8}, @IPVS_DAEMON_ATTR_STATE={0x8}]}]}, 0x40}, 0x1, 0x0, 0x0, 0x48080}, 0x80000)

[ 100.231101][ T5299] Bluetooth: hci0: command tx timeout
[ 100.367922][ T5325] hid-multitouch 0005:0457:0007.0002: unknown main item tag 0x0
[ 100.401336][ T5325] hid-multitouch 0005:0457:0007.0002: hidraw1: BLUETOOTH HID v0.09 Device [syz1] on aa:aa:aa:aa:aa:aa
[ 100.457808][ T5321]
[ 100.459327][ T5321] ======================================================
[ 100.463509][ T5321] WARNING: possible circular locking dependency detected
[ 100.467064][ T5321] syzkaller #0 Not tainted
[ 100.469232][ T5321] ------------------------------------------------------
[ 100.472569][ T5321] syz.0.0/5321 is trying to acquire lock:
[ 100.475014][ T5321] ffff888040866840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0x100/0xc50
[ 100.480239][ T5321]
[ 100.480239][ T5321] but task is already holding lock:
[ 100.484293][ T5321] ffff888040866af8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5c0
[ 100.489652][ T5321]
[ 100.489652][ T5321] which lock already depends on the new lock.
[ 100.489652][ T5321]
[ 100.494242][ T5321]
[ 100.494242][ T5321] the existing dependency chain (in reverse order) is:
[ 100.498166][ T5321]
[ 100.498166][ T5321] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[ 100.501251][ T5321]        __mutex_lock+0x19f/0x1300
[ 100.504173][ T5321]        l2cap_info_timeout+0x60/0xa0
[ 100.507154][ T5321]        process_scheduled_works+0xb02/0x1830
[ 100.510180][ T5321]        worker_thread+0xa50/0xfc0
[ 100.512570][ T5321]        kthread+0x388/0x470
[ 100.514469][ T5321]        ret_from_fork+0x51e/0xb90
[ 100.516534][ T5321]        ret_from_fork_asm+0x1a/0x30
[ 100.518665][ T5321]
[ 100.518665][ T5321] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 100.524153][ T5321]        __lock_acquire+0x15a5/0x2cf0
[ 100.527256][ T5321]        lock_acquire+0xf0/0x2e0
[ 100.529985][ T5321]        __flush_work+0x700/0xc50
[ 100.532115][ T5321]        __cancel_work_sync+0xbe/0x110
[ 100.534518][ T5321]        l2cap_conn_del+0x40f/0x5c0
[ 100.536879][ T5321]        hci_conn_hash_flush+0x10d/0x260
[ 100.539524][ T5321]        hci_dev_close_sync+0x821/0x10e0
[ 100.541886][ T5321]        hci_dev_close+0x108/0x260
[ 100.544332][ T5321]        sock_do_ioctl+0x101/0x320
[ 100.546495][ T5321]        sock_ioctl+0x5c6/0x7f0
[ 100.548513][ T5321]        __se_sys_ioctl+0xfc/0x170
[ 100.550760][ T5321]        do_syscall_64+0x14d/0xf80
[ 100.553245][ T5321]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 100.556517][ T5321]
[ 100.556517][ T5321] other info that might help us debug this:
[ 100.556517][ T5321]
[ 100.561431][ T5321]  Possible unsafe locking scenario:
[ 100.561431][ T5321]
[ 100.566269][ T5321]        CPU0                    CPU1
[ 100.570406][ T5321]        ----                    ----
[ 100.572895][ T5321]   lock(&conn->lock#2);
[ 100.574883][ T5321]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 100.579135][ T5321]                                lock(&conn->lock#2);
[ 100.582195][ T5321]   lock((work_completion)(&(&conn->info_timer)->work));
[ 100.585938][ T5321]
[ 100.585938][ T5321]  *** DEADLOCK ***
[ 100.585938][ T5321]
[ 100.589974][ T5321] 5 locks held by syz.0.0/5321:
[ 100.591941][ T5321] #0: ffff888040c6cec0
(&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x260
[ 100.595476][ T5321] #1: ffff888040c6c0c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0x10e0
[ 100.599662][ T5321] #2: ffffffff8fd5ba68 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x260
[ 100.605141][ T5321] #3: ffff888040866af8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5c0
[ 100.609372][ T5321] #4: ffffffff8e75e3e0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x100/0xc50
[ 100.612872][ T5321]
[ 100.612872][ T5321] stack backtrace:
[ 100.615356][ T5321] CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 100.615370][ T5321] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 100.615394][ T5321] Call Trace:
[ 100.615447][ T5321]
[ 100.615476][ T5321] dump_stack_lvl+0xe8/0x150
[ 100.615498][ T5321] print_circular_bug+0x2e1/0x300
[ 100.615512][ T5321] check_noncircular+0x12e/0x150
[ 100.615527][ T5321] __lock_acquire+0x15a5/0x2cf0
[ 100.615540][ T5321] ? do_raw_spin_lock+0x12b/0x2f0
[ 100.615551][ T5321] ? do_raw_spin_unlock+0x4d/0x210
[ 100.615558][ T5321] lock_acquire+0xf0/0x2e0
[ 100.615567][ T5321] ? __flush_work+0x100/0xc50
[ 100.615578][ T5321] ? __flush_work+0x100/0xc50
[ 100.615591][ T5321] __flush_work+0x700/0xc50
[ 100.615604][ T5321] ? __flush_work+0x100/0xc50
[ 100.615615][ T5321] ? __flush_work+0x100/0xc50
[ 100.615627][ T5321] ? __pfx___flush_work+0x10/0x10
[ 100.615637][ T5321] ? __pfx_wq_barrier_func+0x10/0x10
[ 100.615649][ T5321] ? __cancel_work_sync+0x5c/0x110
[ 100.615663][ T5321] __cancel_work_sync+0xbe/0x110
[ 100.615678][ T5321] l2cap_conn_del+0x40f/0x5c0
[ 100.615707][ T5321] ? __pfx_l2cap_disconn_cfm+0x10/0x10
[ 100.615723][ T5321] hci_conn_hash_flush+0x10d/0x260
[ 100.615743][ T5321] hci_dev_close_sync+0x821/0x10e0
[ 100.615758][ T5321] ? __pfx_hci_dev_close_sync+0x10/0x10
[ 100.615765][ T5321] ? lockdep_hardirqs_on+0x7a/0x110
[ 100.615775][ T5321] ?
enable_work+0x1fd/0x230
[ 100.615792][ T5321] hci_dev_close+0x108/0x260
[ 100.615807][ T5321] sock_do_ioctl+0x101/0x320
[ 100.615818][ T5321] ? __pfx_sock_do_ioctl+0x10/0x10
[ 100.615830][ T5321] ? do_futex+0x395/0x420
[ 100.615849][ T5321] sock_ioctl+0x5c6/0x7f0
[ 100.615862][ T5321] ? __pfx_sock_ioctl+0x10/0x10
[ 100.615871][ T5321] ? __fget_files+0x2a/0x420
[ 100.615889][ T5321] ? __fget_files+0x3a0/0x420
[ 100.615903][ T5321] ? __fget_files+0x2a/0x420
[ 100.615915][ T5321] ? bpf_lsm_file_ioctl+0x9/0x20
[ 100.615924][ T5321] ? __pfx_sock_ioctl+0x10/0x10
[ 100.615933][ T5321] __se_sys_ioctl+0xfc/0x170
[ 100.615942][ T5321] do_syscall_64+0x14d/0xf80
[ 100.615956][ T5321] ? trace_irq_disable+0x3b/0x150
[ 100.615969][ T5321] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 100.615977][ T5321] ? clear_bhb_loop+0x40/0x90
[ 100.615984][ T5321] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 100.615993][ T5321] RIP: 0033:0x7f37be39c799
[ 100.616014][ T5321] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 100.616022][ T5321] RSP: 002b:00007f37bf1a1fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 100.616073][ T5321] RAX: ffffffffffffffda RBX: 00007f37be615fa0 RCX: 00007f37be39c799
[ 100.616079][ T5321] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000007
[ 100.616085][ T5321] RBP: 00007f37be432bd9 R08: 0000000000000000 R09: 0000000000000000
[ 100.616090][ T5321] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 100.616094][ T5321] R13: 00007f37be616038 R14: 00007f37be615fa0 R15: 00007ffcafe66b88
[ 100.616104][ T5321]
[ 100.822474][ T5329] fido_id[5329]: Failed to open report descriptor at '/sys/devices/virtual/bluetooth/hci0/hci0:200/report_descriptor': No such file or directory
[ 100.851491][ T1361] IPVS: starting estimator thread 0...
[ 100.940410][ T5330] IPVS: using max 117 ests per chain, 280800 per kthread
[ 102.291102][ T4666] Bluetooth: hci0: command tx timeout
[ 104.371251][ T4666] Bluetooth: hci0: command tx timeout
[ 106.451388][ T4666] Bluetooth: hci0: command tx timeout