program:
r0 = syz_open_dev$tty1(0xc, 0x4, 0x1)
ioctl$KDSETLED(r0, 0x4b32, 0x6)
r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r1, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe)
r2 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6)
ioctl$sock_bt_hidp_HIDPCONNADD(r2, 0x400448c8, &(0x7f00000000c0)={r1, r1, 0x206, 0x0, 0x0, 0x2, 0x72, 0x1, 0x3, 0x7, 0x0, 0x8, 'syz1\x00'})
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r3, 0x400448ca, 0x0)
r4 = socket$nl_xfrm(0x10, 0x3, 0x6)
sendmsg$nl_xfrm(r4, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000600)=@newsa={0x154, 0x10, 0x1, 0x0, 0x0, {{@in6=@private1, @in=@remote}, {@in, 0x0, 0x32}, @in6=@private1={0xfc, 0x1, '\x00', 0x1}, {}, {0x0, 0x0, 0x8000000}, {}, 0x0, 0x0, 0x2, 0x0, 0x0, 0xcd}, [@algo_crypt={0x48, 0x2, {{'cbc(aes)\x00'}}}, @replay_esn_val={0x1c, 0x17, {0x0, 0x0, 0x0, 0x0, 0x70bd28}}]}, 0x154}}, 0x0)

[ 84.695548][ T4681] Bluetooth: hci0: command tx timeout
[ 84.803425][ T5337] input: Bluetooth HID Boot Protocol Device as /devices/virtual/bluetooth/hci0/hci0:200/input5
[ 85.033305][ T5338]
[ 85.034496][ T5338] ======================================================
[ 85.037888][ T5338] WARNING: possible circular locking dependency detected
[ 85.041063][ T5338] syzkaller #0 Not tainted
[ 85.043153][ T5338] ------------------------------------------------------
[ 85.046298][ T5338] syz.0.0/5338 is trying to acquire lock:
[ 85.048904][ T5338] ffff888042a5b840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0x100/0xc50
[ 85.053869][ T5338]
[ 85.053869][ T5338] but task is already holding lock:
[ 85.056961][ T5338] ffff888042a5bb38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0
[ 85.060688][ T5338]
[ 85.060688][ T5338] which lock already depends on the new lock.
[ 85.060688][ T5338]
[ 85.064977][ T5338]
[ 85.064977][ T5338] the existing dependency chain (in reverse order) is:
[ 85.069117][ T5338]
[ 85.069117][ T5338] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[ 85.072405][ T5338]        __mutex_lock+0x19f/0x1340
[ 85.074785][ T5338]        l2cap_info_timeout+0x60/0xa0
[ 85.077238][ T5338]        process_scheduled_works+0xaec/0x17a0
[ 85.080018][ T5338]        worker_thread+0x89f/0xd90
[ 85.082275][ T5338]        kthread+0x726/0x8b0
[ 85.084400][ T5338]        ret_from_fork+0x51b/0xa40
[ 85.086756][ T5338]        ret_from_fork_asm+0x1a/0x30
[ 85.089080][ T5338]
[ 85.089080][ T5338] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 85.093624][ T5338]        __lock_acquire+0x15a5/0x2cf0
[ 85.096105][ T5338]        lock_acquire+0x106/0x330
[ 85.098440][ T5338]        __flush_work+0x700/0xc50
[ 85.100698][ T5338]        __cancel_work_sync+0xbe/0x110
[ 85.103120][ T5338]        l2cap_conn_del+0x402/0x5b0
[ 85.105349][ T5338]        hci_conn_hash_flush+0x10d/0x260
[ 85.107867][ T5338]        hci_dev_close_sync+0x821/0x10e0
[ 85.110310][ T5338]        hci_dev_close+0x108/0x260
[ 85.112655][ T5338]        sock_do_ioctl+0x101/0x320
[ 85.115030][ T5338]        sock_ioctl+0x5c6/0x7f0
[ 85.117261][ T5338]        __se_sys_ioctl+0xfc/0x170
[ 85.119706][ T5338]        do_syscall_64+0xe2/0xf80
[ 85.121945][ T5338]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.125000][ T5338]
[ 85.125000][ T5338] other info that might help us debug this:
[ 85.125000][ T5338]
[ 85.129655][ T5338]  Possible unsafe locking scenario:
[ 85.129655][ T5338]
[ 85.133009][ T5338]        CPU0                    CPU1
[ 85.135499][ T5338]        ----                    ----
[ 85.137994][ T5338]   lock(&conn->lock#2);
[ 85.139842][ T5338]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 85.143737][ T5338]                                lock(&conn->lock#2);
[ 85.146553][ T5338]   lock((work_completion)(&(&conn->info_timer)->work));
[ 85.149462][ T5338]
[ 85.149462][ T5338]  *** DEADLOCK ***
[ 85.149462][ T5338]
[ 85.152909][ T5338] 5 locks held by syz.0.0/5338:
[ 85.155157][ T5338]  #0: ffff88801a44cec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x260
[ 85.159424][ T5338]  #1: ffff88801a44c0c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0x10e0
[ 85.163871][ T5338]  #2: ffffffff8f889208 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x260
[ 85.168348][ T5338]  #3: ffff888042a5bb38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0
[ 85.172639][ T5338]  #4: ffffffff8e341b60 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x100/0xc50
[ 85.176821][ T5338]
[ 85.176821][ T5338] stack backtrace:
[ 85.179529][ T5338] CPU: 0 UID: 0 PID: 5338 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 85.179545][ T5338] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 85.179553][ T5338] Call Trace:
[ 85.179562][ T5338]
[ 85.179569][ T5338]  dump_stack_lvl+0xe8/0x150
[ 85.179586][ T5338]  print_circular_bug+0x2e1/0x300
[ 85.179605][ T5338]  check_noncircular+0x12e/0x150
[ 85.179622][ T5338]  __lock_acquire+0x15a5/0x2cf0
[ 85.179637][ T5338]  ? do_raw_spin_lock+0x12b/0x2f0
[ 85.179654][ T5338]  ? __pfx___schedule+0x10/0x10
[ 85.179668][ T5338]  ? irqentry_exit+0x59c/0x620
[ 85.179708][ T5338]  ? __flush_work+0x100/0xc50
[ 85.179723][ T5338]  lock_acquire+0x106/0x330
[ 85.179736][ T5338]  ? __flush_work+0x100/0xc50
[ 85.179750][ T5338]  ? preempt_schedule_thunk+0x16/0x30
[ 85.179763][ T5338]  ? __flush_work+0x100/0xc50
[ 85.179778][ T5338]  __flush_work+0x700/0xc50
[ 85.179791][ T5338]  ? __flush_work+0x100/0xc50
[ 85.179804][ T5338]  ? __flush_work+0x100/0xc50
[ 85.179818][ T5338]  ? __pfx___flush_work+0x10/0x10
[ 85.179831][ T5338]  ? __pfx_wq_barrier_func+0x10/0x10
[ 85.179847][ T5338]  ? __cancel_work_sync+0x5c/0x110
[ 85.179863][ T5338]  __cancel_work_sync+0xbe/0x110
[ 85.179877][ T5338]  l2cap_conn_del+0x402/0x5b0
[ 85.179890][ T5338]  ? __pfx_l2cap_disconn_cfm+0x10/0x10
[ 85.179902][ T5338]  hci_conn_hash_flush+0x10d/0x260
[ 85.179917][ T5338]  hci_dev_close_sync+0x821/0x10e0
[ 85.179936][ T5338]  ? __pfx_hci_dev_close_sync+0x10/0x10
[ 85.179954][ T5338]  ? lockdep_hardirqs_on+0x7a/0x110
[ 85.179968][ T5338]  ? enable_work+0x1e9/0x220
[ 85.179984][ T5338]  hci_dev_close+0x108/0x260
[ 85.180002][ T5338]  sock_do_ioctl+0x101/0x320
[ 85.180026][ T5338]  ? __pfx_sock_do_ioctl+0x10/0x10
[ 85.180043][ T5338]  ? do_futex+0x333/0x420
[ 85.180058][ T5338]  sock_ioctl+0x5c6/0x7f0
[ 85.180076][ T5338]  ? __pfx_sock_ioctl+0x10/0x10
[ 85.180092][ T5338]  ? __fget_files+0x2a/0x420
[ 85.180105][ T5338]  ? __fget_files+0x3a0/0x420
[ 85.180117][ T5338]  ? __fget_files+0x2a/0x420
[ 85.180132][ T5338]  ? bpf_lsm_file_ioctl+0x9/0x20
[ 85.180151][ T5338]  ? __pfx_sock_ioctl+0x10/0x10
[ 85.180165][ T5338]  __se_sys_ioctl+0xfc/0x170
[ 85.180184][ T5338]  do_syscall_64+0xe2/0xf80
[ 85.180205][ T5338]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.180218][ T5338]  ? trace_irq_disable+0x37/0x100
[ 85.180233][ T5338]  ? clear_bhb_loop+0x60/0xb0
[ 85.180247][ T5338]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.180262][ T5338] RIP: 0033:0x7fe6def9acb9
[ 85.180275][ T5338] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 85.180286][ T5338] RSP: 002b:00007fe6db3d4028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 85.180300][ T5338] RAX: ffffffffffffffda RBX: 00007fe6df216090 RCX: 00007fe6def9acb9
[ 85.180310][ T5338] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000007
[ 85.180317][ T5338] RBP: 00007fe6df008bf7 R08: 0000000000000000 R09: 0000000000000000
[ 85.180324][ T5338] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 85.180332][ T5338] R13: 00007fe6df216128 R14: 00007fe6df216090 R15: 00007ffeb20d32e8
[ 85.180345][ T5338]
[ 86.773032][ T4681] Bluetooth: hci0: command tx timeout
[ 88.853322][ T4681] Bluetooth: hci0: command tx timeout
[ 90.932572][ T4681] Bluetooth: hci0: command tx timeout