program:
socket(0x1e, 0x4, 0x0)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f00000002c0)={0xffffffffffffffff, <r0=>0xffffffffffffffff})
r1 = openat$vmci(0xffffffffffffff9c, &(0x7f0000000140), 0x2, 0x0)
ioctl$IOCTL_VMCI_VERSION2(r1, 0x7a7, &(0x7f0000000040)=0x90000)
ioctl$IOCTL_VMCI_INIT_CONTEXT(r1, 0x7a0, &(0x7f0000000000)={@local})
openat$sequencer(0xffffffffffffff9c, &(0x7f0000000300), 0x101000, 0x0)
syz_open_dev$sndmidi(&(0x7f00000004c0), 0x2, 0x141102)
socket(0x2b, 0x80801, 0x1)
pselect6(0x40, &(0x7f0000000240)={0x0, 0x0, 0x1ff, 0x7d, 0x0, 0x8000, 0x4, 0x1}, 0x0, &(0x7f00000002c0)={0x3ff, 0x6, 0xffffffffffffffff, 0x9, 0x0, 0xf, 0x80000006}, 0x0, 0x0)
ioctl$IOCTL_VMCI_QUEUEPAIR_ALLOC(r1, 0x7a8, &(0x7f0000000540)={{@hyper, 0x2}, @hyper, 0x0, 0x0, 0x5e})
r2 = openat$vmci(0xffffffffffffff9c, &(0x7f0000000140), 0x2, 0x0)
ioctl$IOCTL_VMCI_VERSION2(r2, 0x7a7, &(0x7f0000000040)=0x90000)
ioctl$IOCTL_VMCI_INIT_CONTEXT(r2, 0x7a0, &(0x7f0000000240)={@hyper})
ioctl$IOCTL_VMCI_QUEUEPAIR_ALLOC(r2, 0x7a8, &(0x7f0000000540)={{@hyper, 0x2}, @hyper, 0x0, 0x0, 0x5e})
close_range(r0, 0xffffffffffffffff, 0x0)

[   85.699156][ T4685] Bluetooth: hci0: command tx timeout
[   85.925320][ T5339] 
[   85.926626][ T5339] ============================================
[   85.929587][ T5339] WARNING: possible recursive locking detected
[   85.932460][ T5339] syzkaller #0 Not tainted
[   85.934613][ T5339] --------------------------------------------
[   85.937980][ T5339] syz.0.0/5339 is trying to acquire lock:
[   85.941440][ T5339] ffffffff8f3d1fb0 (qp_broker_list.mutex){+.+.}-{4:4}, at: vmci_qp_broker_detach+0x117/0xf20
[   85.947399][ T5339] 
[   85.947399][ T5339] but task is already holding lock:
[   85.951004][ T5339] ffffffff8f3d1fb0 (qp_broker_list.mutex){+.+.}-{4:4}, at: vmci_qp_broker_detach+0x117/0xf20
[   85.956721][ T5339] 
[   85.956721][ T5339] other info that might help us debug this:
[   85.960497][ T5339]  Possible unsafe locking scenario:
[   85.960497][ T5339] 
[   85.964255][ T5339]        CPU0
[   85.966139][ T5339]        ----
[   85.968056][ T5339]   lock(qp_broker_list.mutex);
[   85.970640][ T5339]   lock(qp_broker_list.mutex);
[   85.972943][ T5339] 
[   85.972943][ T5339]  *** DEADLOCK ***
[   85.972943][ T5339] 
[   85.976728][ T5339]  May be due to missing lock nesting notation
[   85.976728][ T5339] 
[   85.981339][ T5339] 1 lock held by syz.0.0/5339:
[   85.983946][ T5339]  #0: ffffffff8f3d1fb0 (qp_broker_list.mutex){+.+.}-{4:4}, at: vmci_qp_broker_detach+0x117/0xf20
[   85.988951][ T5339] 
[   85.988951][ T5339] stack backtrace:
[   85.992044][ T5339] CPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   85.992061][ T5339] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   85.992071][ T5339] Call Trace:
[   85.992080][ T5339]  <TASK>
[   85.992086][ T5339]  dump_stack_lvl+0xe8/0x150
[   85.992107][ T5339]  print_deadlock_bug+0x279/0x290
[   85.992119][ T5339]  __lock_acquire+0x253f/0x2cf0
[   85.992134][ T5339]  ? is_bpf_text_address+0x292/0x2b0
[   85.992148][ T5339]  ? is_bpf_text_address+0x26/0x2b0
[   85.992160][ T5339]  ? kernel_text_address+0xa5/0xe0
[   85.992171][ T5339]  ? __kernel_text_address+0xd/0x30
[   85.992181][ T5339]  ? vmci_qp_broker_detach+0x117/0xf20
[   85.992190][ T5339]  lock_acquire+0x106/0x350
[   85.992201][ T5339]  ? vmci_qp_broker_detach+0x117/0xf20
[   85.992212][ T5339]  __mutex_lock+0x1a3/0x1550
[   85.993210][ T5339]  ? vmci_qp_broker_detach+0x117/0xf20
[   85.993231][ T5339]  ? kasan_save_track+0x4f/0x80
[   85.993245][ T5339]  ? kasan_save_track+0x3e/0x80
[   85.993257][ T5339]  ? kasan_save_free_info+0x46/0x50
[   85.993276][ T5339]  ? __kasan_slab_free+0x5c/0x80
[   85.993290][ T5339]  ? kfree+0x1c5/0x640
[   85.993309][ T5339]  ? vmci_ctx_put+0x5ef/0xc40
[   85.993324][ T5339]  ? vmci_ctx_enqueue_datagram+0x3ab/0x420
[   85.993341][ T5339]  ? vmci_datagram_dispatch+0x450/0xc60
[   85.993356][ T5339]  ? vmci_qp_broker_detach+0x8dd/0xf20
[   85.993369][ T5339]  ? vmci_host_close+0x98/0x160
[   85.993381][ T5339]  ? vmci_qp_broker_detach+0x117/0xf20
[   85.993393][ T5339]  ? exit_to_user_mode_loop+0xed/0x480
[   85.993411][ T5339]  ? __pfx___mutex_lock+0x10/0x10
[   85.993432][ T5339]  vmci_qp_broker_detach+0x117/0xf20
[   85.993449][ T5339]  ? __pfx_vmci_qp_broker_detach+0x10/0x10
[   85.993461][ T5339]  ? kasan_quarantine_put+0xbb/0x1f0
[   85.993472][ T5339]  ? lockdep_hardirqs_on+0x7a/0x110
[   85.993485][ T5339]  ? kfree+0x1c5/0x640
[   85.993502][ T5339]  ? vmci_ctx_put+0x5ef/0xc40
[   85.993517][ T5339]  ? vmci_ctx_put+0x141/0xc40
[   85.993534][ T5339]  vmci_ctx_put+0x64e/0xc40
[   85.993551][ T5339]  ? __pfx___schedule+0x10/0x10
[   85.993564][ T5339]  ? vmci_ctx_put+0x141/0xc40
[   85.993580][ T5339]  ? __pfx_vmci_ctx_put+0x10/0x10
[   85.993598][ T5339]  ? preempt_schedule_thunk+0x16/0x30
[   85.993614][ T5339]  ? preempt_schedule_common+0x82/0xd0
[   85.993630][ T5339]  vmci_ctx_enqueue_datagram+0x3ab/0x420
[   85.993650][ T5339]  vmci_datagram_dispatch+0x450/0xc60
[   85.993669][ T5339]  ? __pfx_vmci_datagram_dispatch+0x10/0x10
[   85.993689][ T5339]  vmci_qp_broker_detach+0x8dd/0xf20
[   85.993709][ T5339]  ? __pfx_vmci_qp_broker_detach+0x10/0x10
[   85.993723][ T5339]  ? kasan_quarantine_put+0xbb/0x1f0
[   85.993735][ T5339]  ? kfree+0x1c5/0x640
[   85.993752][ T5339]  ? vmci_ctx_put+0x5ef/0xc40
[   85.993768][ T5339]  ? vmci_ctx_put+0x141/0xc40
[   85.993785][ T5339]  vmci_ctx_put+0x64e/0xc40
[   85.993801][ T5339]  ? vmci_ctx_put+0x141/0xc40
[   85.993818][ T5339]  ? __pfx_vmci_ctx_put+0x10/0x10
[   85.993850][ T5339]  vmci_host_close+0x98/0x160
[   85.993868][ T5339]  ? __pfx_vmci_host_close+0x10/0x10
[   85.993883][ T5339]  __fput+0x44f/0xa60
[   85.993906][ T5339]  task_work_run+0x1d9/0x270
[   85.993923][ T5339]  ? __pfx_task_work_run+0x10/0x10
[   85.993938][ T5339]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.993953][ T5339]  exit_to_user_mode_loop+0xed/0x480
[   85.993971][ T5339]  ? rcu_is_watching+0x15/0xb0
[   85.993984][ T5339]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.993997][ T5339]  do_syscall_64+0x33e/0xf80
[   85.994013][ T5339]  ? trace_irq_disable+0x3b/0x140
[   85.994029][ T5339]  ? clear_bhb_loop+0x40/0x90
[   85.994043][ T5339]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.994056][ T5339] RIP: 0033:0x7f8f3cd9cdd9
[   85.994072][ T5339] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[   85.994085][ T5339] RSP: 002b:00007f8f391f4fe8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[   85.994102][ T5339] RAX: 0000000000000000 RBX: 00007f8f3d016090 RCX: 00007f8f3cd9cdd9
[   85.994111][ T5339] RDX: 0000000000000000 RSI: ffffffffffffffff RDI: 0000000000000005
[   85.994119][ T5339] RBP: 00007f8f3ce32d69 R08: 0000000000000000 R09: 0000000000000000
[   85.994128][ T5339] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   85.994136][ T5339] R13: 00007f8f3d016128 R14: 00007f8f3d016090 R15: 00007ffcbfaa2078
[   85.994149][ T5339]  </TASK>
[   87.709404][ T4685] Bluetooth: hci0: command tx timeout
[   89.789676][ T4685] Bluetooth: hci0: command tx timeout
[   91.869389][ T4685] Bluetooth: hci0: command tx timeout