program:
r0 = openat$rfkill(0xffffffffffffff9c, &(0x7f0000000040), 0x801, 0x0)
write$rfkill(r0, &(0x7f0000000080)={0x9913, 0x0, 0x3, 0x1}, 0x8)

[ 85.013903][ T5305] Bluetooth: hci0: command tx timeout
[ 85.900347][ T5324] Bluetooth: hci0: Opcode 0x0c1a failed: -4
[ 85.902970][ T5324] Bluetooth: hci0: Error when powering off device on rfkill (-4)
[ 85.906879][ T5321]
[ 85.907967][ T5321] ======================================================
[ 85.910583][ T5321] WARNING: possible circular locking dependency detected
[ 85.913394][ T5321] 6.15.0-syzkaller-09161-g0f70f5b08a47 #0 Not tainted
[ 85.916113][ T5321] ------------------------------------------------------
[ 85.918956][ T5321] kworker/0:5/5321 is trying to acquire lock:
[ 85.921546][ T5321] ffff88801a155b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 85.925951][ T5321]
[ 85.925951][ T5321] but task is already holding lock:
[ 85.928833][ T5321] ffffc9000f33fbc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0
[ 85.933642][ T5321]
[ 85.933642][ T5321] which lock already depends on the new lock.
[ 85.933642][ T5321]
[ 85.937705][ T5321]
[ 85.937705][ T5321] the existing dependency chain (in reverse order) is:
[ 85.941176][ T5321]
[ 85.941176][ T5321] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 85.945411][ T5321]        lock_acquire+0x120/0x360
[ 85.947676][ T5321]        __flush_work+0x6b8/0xbc0
[ 85.949827][ T5321]        __cancel_work_sync+0xbe/0x110
[ 85.952065][ T5321]        l2cap_conn_del+0x4f0/0x680
[ 85.954314][ T5321]        hci_conn_hash_flush+0x10a/0x230
[ 85.956701][ T5321]        hci_dev_close_sync+0xaef/0x1330
[ 85.959069][ T5321]        hci_dev_do_close+0x2f/0x90
[ 85.961261][ T5321]        hci_rfkill_set_block+0x21d/0x2e0
[ 85.963686][ T5321]        rfkill_set_block+0x1cf/0x440
[ 85.965906][ T5321]        rfkill_fop_write+0x44b/0x570
[ 85.968127][ T5321]        vfs_write+0x27b/0xa90
[ 85.970206][ T5321]        ksys_write+0x145/0x250
[ 85.972304][ T5321]        do_syscall_64+0xfa/0x3b0
[ 85.975792][ T5321]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.978987][ T5321]
[ 85.978987][ T5321] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 85.982736][ T5321]        validate_chain+0xb9b/0x2140
[ 85.985049][ T5321]        __lock_acquire+0xab9/0xd20
[ 85.987080][ T5321]        lock_acquire+0x120/0x360
[ 85.989108][ T5321]        __mutex_lock+0x182/0xe80
[ 85.991123][ T5321]        l2cap_info_timeout+0x60/0xa0
[ 85.993831][ T5321]        process_scheduled_works+0xade/0x17b0
[ 85.996325][ T5321]        worker_thread+0x8a0/0xda0
[ 85.998500][ T5321]        kthread+0x711/0x8a0
[ 86.000467][ T5321]        ret_from_fork+0x3fc/0x770
[ 86.002662][ T5321]        ret_from_fork_asm+0x1a/0x30
[ 86.004902][ T5321]
[ 86.004902][ T5321] other info that might help us debug this:
[ 86.004902][ T5321]
[ 86.009123][ T5321] Possible unsafe locking scenario:
[ 86.009123][ T5321]
[ 86.012265][ T5321]        CPU0                    CPU1
[ 86.014566][ T5321]        ----                    ----
[ 86.016727][ T5321]   lock((work_completion)(&(&conn->info_timer)->work));
[ 86.019697][ T5321]                                lock(&conn->lock#2);
[ 86.022496][ T5321]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 86.026283][ T5321]   lock(&conn->lock#2);
[ 86.028118][ T5321]
[ 86.028118][ T5321] *** DEADLOCK ***
[ 86.028118][ T5321]
[ 86.031208][ T5321] 2 locks held by kworker/0:5/5321:
[ 86.033164][ T5321] #0: ffff88801a474d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0
[ 86.037722][ T5321] #1: ffffc9000f33fbc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0
[ 86.043273][ T5321]
[ 86.043273][ T5321] stack backtrace:
[ 86.045806][ T5321] CPU: 0 UID: 0 PID: 5321 Comm: kworker/0:5 Not tainted 6.15.0-syzkaller-09161-g0f70f5b08a47 #0 PREEMPT(full)
[ 86.045821][ T5321] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 86.045829][ T5321] Workqueue: events l2cap_info_timeout
[ 86.045847][ T5321] Call Trace:
[ 86.045855][ T5321]
[ 86.045860][ T5321]  dump_stack_lvl+0x189/0x250
[ 86.045877][ T5321]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 86.045890][ T5321]  ? __pfx__printk+0x10/0x10
[ 86.045902][ T5321]  ? print_lock_name+0xde/0x100
[ 86.045912][ T5321]  print_circular_bug+0x2ee/0x310
[ 86.045927][ T5321]  check_noncircular+0x134/0x160
[ 86.045940][ T5321]  validate_chain+0xb9b/0x2140
[ 86.045952][ T5321]  ? rcu_is_watching+0x15/0xb0
[ 86.045964][ T5321]  ? trace_sched_exit_tp+0x38/0x120
[ 86.045974][ T5321]  ? __schedule+0x1713/0x4d00
[ 86.045991][ T5321]  __lock_acquire+0xab9/0xd20
[ 86.046003][ T5321]  ? l2cap_info_timeout+0x60/0xa0
[ 86.046013][ T5321]  lock_acquire+0x120/0x360
[ 86.046023][ T5321]  ? l2cap_info_timeout+0x60/0xa0
[ 86.046036][ T5321]  __mutex_lock+0x182/0xe80
[ 86.046046][ T5321]  ? l2cap_info_timeout+0x60/0xa0
[ 86.046056][ T5321]  ? rcu_is_watching+0x15/0xb0
[ 86.046067][ T5321]  ? trace_irq_disable+0x37/0x110
[ 86.046077][ T5321]  ? preempt_schedule_irq+0xde/0x150
[ 86.046085][ T5321]  ? __pfx_preempt_schedule_irq+0x10/0x10
[ 86.046094][ T5321]  ? l2cap_info_timeout+0x60/0xa0
[ 86.046105][ T5321]  ? __pfx___mutex_lock+0x10/0x10
[ 86.046115][ T5321]  ? irqentry_exit+0x74/0x90
[ 86.046123][ T5321]  ? lockdep_hardirqs_on+0x9c/0x150
[ 86.046134][ T5321]  ? process_scheduled_works+0x9ef/0x17b0
[ 86.046145][ T5321]  ? __pfx_l2cap_info_timeout+0x10/0x10
[ 86.046158][ T5321]  l2cap_info_timeout+0x60/0xa0
[ 86.046169][ T5321]  ? process_scheduled_works+0x9ef/0x17b0
[ 86.046180][ T5321]  process_scheduled_works+0xade/0x17b0
[ 86.046198][ T5321]  ? __pfx_process_scheduled_works+0x10/0x10
[ 86.046212][ T5321]  worker_thread+0x8a0/0xda0
[ 86.046224][ T5321]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 86.046240][ T5321]  ? __kthread_parkme+0x7b/0x200
[ 86.046255][ T5321]  kthread+0x711/0x8a0
[ 86.046269][ T5321]  ? __pfx_worker_thread+0x10/0x10
[ 86.046280][ T5321]  ? __pfx_kthread+0x10/0x10
[ 86.046293][ T5321]  ? _raw_spin_unlock_irq+0x23/0x50
[ 86.046306][ T5321]  ? lockdep_hardirqs_on+0x9c/0x150
[ 86.046314][ T5321]  ? __pfx_kthread+0x10/0x10
[ 86.046327][ T5321]  ret_from_fork+0x3fc/0x770
[ 86.046340][ T5321]  ? __pfx_ret_from_fork+0x10/0x10
[ 86.046351][ T5321]  ? __pfx_kthread+0x10/0x10
[ 86.046364][ T5321]  ret_from_fork_asm+0x1a/0x30
[ 86.046378][ T5321]
[ 86.611431][ T9] cfg80211: failed to load regulatory.db
[ 87.089726][ T5305] Bluetooth: hci0: command tx timeout
[ 89.169565][ T5305] Bluetooth: hci0: command tx timeout
[ 91.249066][ T5305] Bluetooth: hci0: command tx timeout