program:
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000580)=@base={0x1e, 0x0, 0xc, 0xa4}, 0x48)
bpf$BPF_MAP_LOOKUP_AND_DELETE_ELEM(0x4, &(0x7f0000000100)={r0, 0x0, 0x0}, 0x20)
r1 = socket$nl_route(0x10, 0x3, 0x0)
r2 = openat$iommufd(0xffffffffffffff9c, &(0x7f0000000080), 0x0, 0x0)
syz_usbip_server_init(0x0)
connect$inet(0xffffffffffffffff, &(0x7f0000000000)={0x2, 0x0, @remote}, 0x10)
syz_emit_vhci(&(0x7f0000000000)=ANY=[@ANYBLOB="04050400c800"], 0x7)
ioctl$IOMMU_TEST_OP_MOCK_DOMAIN(r2, 0x3ba0, &(0x7f0000000100)={0x48, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0})
ioctl$IOMMU_HWPT_ALLOC$TEST(r2, 0x3b89, &(0x7f0000000200)={0x25, 0x0, r3, 0x0, 0x0, 0x0, 0xdead, 0x4, &(0x7f0000000240)})
r4 = socket(0x11, 0x80a, 0x0)
ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000300)={'veth1_to_team\x00', 0x0})
sendmsg$nl_route(r1, &(0x7f0000000340)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000000)=@newlink={0x3c, 0x10, 0x401, 0x0, 0x0, {0x0, 0x0, 0x0, r5, 0x0, 0x19ee0}, [@IFLA_LINKINFO={0x1c, 0x12, 0x0, 0x1, @bond={{0x9}, {0xc, 0x2, 0x0, 0x1, [@IFLA_BOND_ALL_SLAVES_ACTIVE={0x5, 0x11, 0x1}]}}}]}, 0x3c}, 0x1, 0x0, 0x0, 0x8000}, 0x0)

[ 86.496833][ T5317] vhci_hcd: Failed attach request for unsupported USB speed: UNKNOWN
[ 86.504172][ T5317] iommufd_mock iommufd_mock0: Adding to iommu group 11
[ 86.528575][ T5296] Bluetooth: hci0: command tx timeout
[ 86.564383][ T1352]
[ 86.565478][ T1352] ======================================================
[ 86.568427][ T1352] WARNING: possible circular locking dependency detected
[ 86.571454][ T1352] syzkaller #0 Not tainted
[ 86.573408][ T1352] ------------------------------------------------------
[ 86.576460][ T1352] kworker/0:3/1352 is trying to acquire lock:
[ 86.579152][ T1352] ffff888032bf1af8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 86.583854][ T1352]
[ 86.583854][ T1352] but task is already holding lock:
[ 86.587401][ T1352] ffffc900024dfc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa25/0x1830
[ 86.592742][ T1352]
[ 86.592742][ T1352] which lock already depends on the new lock.
[ 86.592742][ T1352]
[ 86.596624][ T1352]
[ 86.596624][ T1352] the existing dependency chain (in reverse order) is:
[ 86.600002][ T1352]
[ 86.600002][ T1352] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 86.603982][ T1352]        __flush_work+0x700/0xc50
[ 86.606188][ T1352]        __cancel_work_sync+0xbe/0x110
[ 86.608397][ T1352]        l2cap_conn_del+0x40f/0x5c0
[ 86.610280][ T1352]        hci_disconn_complete_evt+0x501/0x950
[ 86.612806][ T1352]        hci_event_packet+0x805/0x12c0
[ 86.615092][ T1352]        hci_rx_work+0x3ee/0x1030
[ 86.617323][ T1352]        process_scheduled_works+0xb02/0x1830
[ 86.619823][ T1352]        worker_thread+0xa50/0xfc0
[ 86.622102][ T1352]        kthread+0x388/0x470
[ 86.624253][ T1352]        ret_from_fork+0x51e/0xb90
[ 86.626799][ T1352]        ret_from_fork_asm+0x1a/0x30
[ 86.629308][ T1352]
[ 86.629308][ T1352] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 86.632262][ T1352]        __lock_acquire+0x15a5/0x2cf0
[ 86.634572][ T1352]        lock_acquire+0xf0/0x2e0
[ 86.636610][ T1352]        __mutex_lock+0x19f/0x1300
[ 86.638773][ T1352]        l2cap_info_timeout+0x60/0xa0
[ 86.640921][ T1352]        process_scheduled_works+0xb02/0x1830
[ 86.643811][ T1352]        worker_thread+0xa50/0xfc0
[ 86.645919][ T1352]        kthread+0x388/0x470
[ 86.647812][ T1352]        ret_from_fork+0x51e/0xb90
[ 86.650074][ T1352]        ret_from_fork_asm+0x1a/0x30
[ 86.652196][ T1352]
[ 86.652196][ T1352] other info that might help us debug this:
[ 86.652196][ T1352]
[ 86.656645][ T1352]  Possible unsafe locking scenario:
[ 86.656645][ T1352]
[ 86.659939][ T1352]        CPU0                    CPU1
[ 86.662136][ T1352]        ----                    ----
[ 86.664370][ T1352]   lock((work_completion)(&(&conn->info_timer)->work));
[ 86.667324][ T1352]                                lock(&conn->lock#2);
[ 86.670231][ T1352]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 86.674220][ T1352]   lock(&conn->lock#2);
[ 86.675976][ T1352]
[ 86.675976][ T1352]  *** DEADLOCK ***
[ 86.675976][ T1352]
[ 86.678970][ T1352] 2 locks held by kworker/0:3/1352:
[ 86.681138][ T1352]  #0: ffff88801a8aad48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9ea/0x1830
[ 86.685743][ T1352]  #1: ffffc900024dfc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa25/0x1830
[ 86.691044][ T1352]
[ 86.691044][ T1352] stack backtrace:
[ 86.693623][ T1352] CPU: 0 UID: 0 PID: 1352 Comm: kworker/0:3 Not tainted syzkaller #0 PREEMPT(full)
[ 86.693639][ T1352] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 86.693647][ T1352] Workqueue: events l2cap_info_timeout
[ 86.693675][ T1352] Call Trace:
[ 86.693682][ T1352]
[ 86.693718][ T1352]  dump_stack_lvl+0xe8/0x150
[ 86.693755][ T1352]  print_circular_bug+0x2e1/0x300
[ 86.693773][ T1352]  check_noncircular+0x12e/0x150
[ 86.693790][ T1352]  __lock_acquire+0x15a5/0x2cf0
[ 86.693803][ T1352]  ? __schedule+0x159b/0x5340
[ 86.693837][ T1352]  ? arch_stack_walk+0x11b/0x150
[ 86.693868][ T1352]  ? ret_from_fork_asm+0x1a/0x30
[ 86.693890][ T1352]  lock_acquire+0xf0/0x2e0
[ 86.693902][ T1352]  ? l2cap_info_timeout+0x60/0xa0
[ 86.693918][ T1352]  __mutex_lock+0x19f/0x1300
[ 86.693930][ T1352]  ? l2cap_info_timeout+0x60/0xa0
[ 86.693945][ T1352]  ? irqentry_exit+0x59e/0x620
[ 86.693957][ T1352]  ? lockdep_hardirqs_on+0x7a/0x110
[ 86.693967][ T1352]  ? l2cap_info_timeout+0x60/0xa0
[ 86.693980][ T1352]  ? irqentry_exit+0x59e/0x620
[ 86.693991][ T1352]  ? trace_irq_disable+0x3b/0x150
[ 86.694007][ T1352]  ? __pfx___mutex_lock+0x10/0x10
[ 86.694021][ T1352]  ? lock_acquire+0x20b/0x2e0
[ 86.694034][ T1352]  l2cap_info_timeout+0x60/0xa0
[ 86.694048][ T1352]  ? process_scheduled_works+0xa25/0x1830
[ 86.694061][ T1352]  process_scheduled_works+0xb02/0x1830
[ 86.694078][ T1352]  ? __pfx_process_scheduled_works+0x10/0x10
[ 86.694092][ T1352]  ? assign_work+0x3d5/0x5e0
[ 86.694105][ T1352]  worker_thread+0xa50/0xfc0
[ 86.694123][ T1352]  kthread+0x388/0x470
[ 86.694133][ T1352]  ? __pfx_worker_thread+0x10/0x10
[ 86.694145][ T1352]  ? __pfx_kthread+0x10/0x10
[ 86.694155][ T1352]  ret_from_fork+0x51e/0xb90
[ 86.694169][ T1352]  ? __pfx_ret_from_fork+0x10/0x10
[ 86.694181][ T1352]  ? __switch_to+0xc7d/0x1450
[ 86.694193][ T1352]  ? __pfx_kthread+0x10/0x10
[ 86.694202][ T1352]  ret_from_fork_asm+0x1a/0x30
[ 86.694220][ T1352]