program: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = bpf$PROG_LOAD(0x5, &(0x7f0000000140)={0x12, 0x4, &(0x7f0000000340)=ANY=[@ANYBLOB="1800000000000000000000000000000071180a000000000095"], &(0x7f00000000c0)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @cgroup_sock_addr=0xb, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) r2 = openat(0xffffffffffffff9c, &(0x7f0000000280)='./cgroup\x00', 0x40000, 0x2) r3 = bpf$BPF_LINK_CREATE(0x1c, &(0x7f0000000040)={r1, r2, 0xb, 0x0, @void}, 0x10) r4 = syz_genetlink_get_family_id$fou(&(0x7f00000002c0), 0xffffffffffffffff) r5 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$FOU_CMD_ADD(r5, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000200)={0x38, r4, 0x1, 0x0, 0x0, {}, [@FOU_ATTR_PEER_PORT={0x6, 0xa, 0x4e20}, @FOU_ATTR_AF={0x5, 0x2, 0xa}, @FOU_ATTR_PEER_V6={0x14, 0x9, @ipv4={'\x00', '\xff\xff', @loopback}}]}, 0x38}}, 0x0) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000180)=@newqdisc={0x24, 0x24, 0x1, 0x70bd2a, 0x25dfdbfe, {0x0, 0x0, 0x0, 0x0, {0x0, 0x9}, {0xffff, 0xffff}, {0x5, 0x1}}}, 0x24}, 0x1, 0x0, 0x0, 0x40}, 0x0) r6 = syz_genetlink_get_family_id$nl80211(&(0x7f00000003c0), 0xffffffffffffffff) r7 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) r8 = bpf$ITER_CREATE(0xb, &(0x7f0000000100), 0x8) r9 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$sock_bt_hci(r9, 0x400448ca, 0x0) bind$bt_hci(r9, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6) bind$bt_hci(r7, &(0x7f0000000000)={0x1f, 0xffff, 0x3}, 0x6) setsockopt$packet_fanout_data(r8, 0x107, 0x16, &(0x7f0000000100)={0x3c, &(0x7f0000000180)=[{0x0, 0x80}, {0x1, 0x1}]}, 0x10) write$binfmt_misc(r7, &(0x7f0000000100), 0x6) r10 = socket$nl_generic(0x10, 0x3, 0x10) ioctl$sock_SIOCGIFINDEX_80211(r10, 0x8933, &(0x7f0000000540)={'wlan0\x00', 0x0}) setsockopt$bt_BT_VOICE(r3, 0x112, 0xb, &(0x7f0000000080)=0x3, 0x2) sendmsg$NL80211_CMD_NEW_KEY(r10, &(0x7f00000006c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000140)=ANY=[@ANYBLOB='|\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="010829bd7000000000000b00000008000300", @ANYRES32=r11, @ANYBLOB="60005080110001004abee339084eeef16f162471f4000000080003000cac0f000500020007"], 0x7c}, 0x1, 0x0, 0x0, 0x4}, 0x0) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan0\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000240)=ANY=[@ANYBLOB='$\x00\x00\x00', @ANYRES16, @ANYBLOB="150000000003000000000600000008004e6a980954af03e1824f918e8c7b01", @ANYRES32=r12, @ANYBLOB="0800050003000000"], 0x24}}, 0x0) [ 86.748035][ T4672] Bluetooth: hci0: command tx timeout [ 86.757753][ T10] cfg80211: failed to load regulatory.db [ 86.763115][ T55] [ 86.764223][ T55] ====================================================== [ 86.768101][ T55] WARNING: possible circular locking dependency detected [ 86.771066][ T55] syzkaller #0 Not tainted [ 86.773052][ T55] ------------------------------------------------------ [ 86.776236][ T55] kworker/0:2/55 is trying to acquire lock: [ 86.782220][ T55] ffff888044d13338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0 [ 86.789614][ T55] [ 86.789614][ T55] but task is already holding lock: [ 86.792762][ T55] ffffc9000101fba0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0 [ 86.797912][ T55] [ 86.797912][ T55] which lock already depends on the new lock. [ 86.797912][ T55] [ 86.802355][ T55] [ 86.802355][ T55] the existing dependency chain (in reverse order) is: [ 86.806222][ T55] [ 86.806222][ T55] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}: [ 86.810611][ T55] lock_acquire+0x120/0x360 [ 86.812865][ T55] __flush_work+0x6b8/0xbc0 [ 86.814835][ T55] __cancel_work_sync+0xbe/0x110 [ 86.817161][ T55] l2cap_conn_del+0x4f0/0x680 [ 86.819450][ T55] hci_conn_hash_flush+0x10d/0x230 [ 86.821746][ T55] hci_dev_close_sync+0xaef/0x1330 [ 86.824113][ T55] hci_dev_close+0x108/0x200 [ 86.826335][ T55] sock_do_ioctl+0xdc/0x300 [ 86.828354][ T55] sock_ioctl+0x576/0x790 [ 86.830484][ T55] __se_sys_ioctl+0xfc/0x170 [ 86.832688][ T55] do_syscall_64+0xfa/0xfa0 [ 86.834895][ T55] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.837607][ T55] [ 86.837607][ T55] -> #0 (&conn->lock#2){+.+.}-{4:4}: [ 86.840845][ T55] validate_chain+0xb9b/0x2140 [ 86.843626][ T55] __lock_acquire+0xab9/0xd20 [ 86.846558][ T55] lock_acquire+0x120/0x360 [ 86.848930][ T55] __mutex_lock+0x187/0x1350 [ 86.851056][ T55] l2cap_info_timeout+0x60/0xa0 [ 86.853670][ T55] process_scheduled_works+0xae1/0x17b0 [ 86.856637][ T55] worker_thread+0x8a0/0xda0 [ 86.859281][ T55] kthread+0x711/0x8a0 [ 86.861836][ T55] ret_from_fork+0x4bc/0x870 [ 86.864588][ T55] ret_from_fork_asm+0x1a/0x30 [ 86.867429][ T55] [ 86.867429][ T55] other info that might help us debug this: [ 86.867429][ T55] [ 86.871586][ T55] Possible unsafe locking scenario: [ 86.871586][ T55] [ 86.874602][ T55] CPU0 CPU1 [ 86.876787][ T55] ---- ---- [ 86.879039][ T55] lock((work_completion)(&(&conn->info_timer)->work)); [ 86.881938][ T55] lock(&conn->lock#2); [ 86.884732][ T55] lock((work_completion)(&(&conn->info_timer)->work)); [ 86.888900][ T55] lock(&conn->lock#2); [ 86.890659][ T55] [ 86.890659][ T55] *** DEADLOCK *** [ 86.890659][ T55] [ 86.894226][ T55] 2 locks held by kworker/0:2/55: [ 86.896441][ T55] #0: ffff88801a067548 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0 [ 86.900884][ T55] #1: ffffc9000101fba0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0 [ 86.906134][ T55] [ 86.906134][ T55] stack backtrace: [ 86.908632][ T55] CPU: 0 UID: 0 PID: 55 Comm: kworker/0:2 Not tainted syzkaller #0 PREEMPT(full) [ 86.908648][ T55] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 86.908657][ T55] Workqueue: events l2cap_info_timeout [ 86.908677][ T55] Call Trace: [ 86.908685][ T55] [ 86.908691][ T55] dump_stack_lvl+0x189/0x250 [ 86.908709][ T55] ? __pfx_dump_stack_lvl+0x10/0x10 [ 86.908720][ T55] ? __pfx__printk+0x10/0x10 [ 86.908727][ T55] ? print_lock_name+0xde/0x100 [ 86.908734][ T55] print_circular_bug+0x2ee/0x310 [ 86.908748][ T55] check_noncircular+0x134/0x160 [ 86.908761][ T55] validate_chain+0xb9b/0x2140 [ 86.908778][ T55] __lock_acquire+0xab9/0xd20 [ 86.908790][ T55] ? l2cap_info_timeout+0x60/0xa0 [ 86.908805][ T55] lock_acquire+0x120/0x360 [ 86.908816][ T55] ? l2cap_info_timeout+0x60/0xa0 [ 86.908833][ T55] __mutex_lock+0x187/0x1350 [ 86.908849][ T55] ? l2cap_info_timeout+0x60/0xa0 [ 86.908866][ T55] ? irqentry_exit+0x74/0x90 [ 86.908881][ T55] ? lockdep_hardirqs_on+0x9c/0x150 [ 86.908894][ T55] ? l2cap_info_timeout+0x60/0xa0 [ 86.908908][ T55] ? __pfx___mutex_lock+0x10/0x10 [ 86.908925][ T55] l2cap_info_timeout+0x60/0xa0 [ 86.908938][ T55] ? process_scheduled_works+0x9ef/0x17b0 [ 86.908949][ T55] process_scheduled_works+0xae1/0x17b0 [ 86.908965][ T55] ? __pfx_process_scheduled_works+0x10/0x10 [ 86.908979][ T55] worker_thread+0x8a0/0xda0 [ 86.908994][ T55] kthread+0x711/0x8a0 [ 86.909008][ T55] ? __pfx_worker_thread+0x10/0x10 [ 86.909020][ T55] ? __pfx_kthread+0x10/0x10 [ 86.909033][ T55] ? _raw_spin_unlock_irq+0x23/0x50 [ 86.909046][ T55] ? lockdep_hardirqs_on+0x9c/0x150 [ 86.909058][ T55] ? __pfx_kthread+0x10/0x10 [ 86.909071][ T55] ret_from_fork+0x4bc/0x870 [ 86.909083][ T55] ? __pfx_ret_from_fork+0x10/0x10 [ 86.909095][ T55] ? __pfx_kthread+0x10/0x10 [ 86.909108][ T55] ret_from_fork_asm+0x1a/0x30 [ 86.909121][ T55] [ 87.047832][ T5335] netlink: 56 bytes leftover after parsing attributes in process `syz.0.0'. [ 88.768966][ T4672] Bluetooth: hci0: command tx timeout [ 90.849594][ T4672] Bluetooth: hci0: command tx timeout