program: r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0) connect$bt_l2cap(r0, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7fc}, 0xe) r1 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6) ioctl$sock_bt_hidp_HIDPCONNADD(r1, 0x400448c8, &(0x7f0000000340)={r0, r0, 0xb, 0x0, 0x0, 0x8, 0xb6, 0x7f, 0x7, 0x801, 0x2, 0x10, 'syz0\x00'}) r2 = syz_open_dev$mouse(&(0x7f0000000040), 0x2, 0x80000) read$msr(r2, 0x0, 0x0) syz_clone(0x11, 0x0, 0x0, 0x0, 0x0, 0x0) openat$snapshot(0xffffffffffffff9c, &(0x7f0000000040), 0x100, 0x0) syz_mount_image$hfs(&(0x7f00000001c0), &(0x7f0000000180)='./file1\x00', 0x30000c8, &(0x7f0000000100)=ANY=[], 0x11, 0x2c6, &(0x7f0000005bc0)="$eJzs3btuE08Ux/HfjJ3E/3+isCFBSJSBSNAgCA2iMUKueAIqBMRGirCCgCAuVUBUCEFPR8Er8BA0IF4AKioeIFSLZmbt9WXXNpbjjcP3I8XatWd2z3gvc46laAXgn3Wt9v3jpZ/uz0gllaTXVyQrqSKVJZ3Qycrjnd3t3WajPmhDJd/D/RmFnqavzdZOI6ur6+d7JCK3VtZS53vB4niDRK44jq/+KDoIFM5f/RmstKD5dL0yxZhG8WLMfnsTjmPWmH3t66mWi44DAFCsZP63IZPXUpK/WyttJNO+zw8O2/w/rv2iAzhw8cBPO+Z/X2XFxh3fY/6jtN7zJZz73LaqxFH2PNez7tNH25NgmmFVpY/F/nd3u9k4v3W/Wbd6qWqio9maf62HU7dlSLTrGbXpACOM3WRnlL5etXNuDJsh/ieSuuJfHXOPYzOfzVdz00R6r3o7/yvHxh0mf6SiniMV4r+Qv0U/ysi1UnLbqFartqvJit/JKXWWEsNGWcmuSNQ6o1bU/QNBNCxO3+t4T68wuotDeq1m9tpsreX0Wuvq5UbTPpvz93fQzFtzw6zrlz6p1pH/WxffhgZemelVYzbCVOC/8TCe+ezdlf02o76Zo/9yaX+LC3mh/+69p13/EA++zSHPG93RZS0/evb8XqnZbDx0C7czFh4std+ZeyVltil4QXvpOwuKvb7GrUlpmoGdm+gG3f1jaGN3lR2Kg3KkF2pfpnsiFbFQ8P0JU5Ee9KIjQUFc3mVC/ZfWK+WQ7LmXKDNPH/GHgGSLscux2xVc2jcOGbmk//+qglvMr+D6a66+mtHXXKfPSmdG32OUxHlEmJq+6Ra//wMAAAAAAAAAAAAAAAAAAMyaafw7QdFjBAAAAAAAAAAAAAAAAAAAAABg1rWf/6vW83812vN/e5+7Msnn/77bUfbzfwFM0p8AAAD//0gLf7E=") r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000540)='memory.swap.current\x00', 0x275a, 0x0) write$binfmt_script(r3, &(0x7f0000000000), 0x208e24b) r4 = socket$packet(0x11, 0x3, 0x300) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f00000001c0)={'erspan0\x00', 0x0}) setsockopt$packet_int(r4, 0x107, 0xf, &(0x7f0000000000)=0xf3f, 0x4) sendto$packet(r4, &(0x7f00000000c0)="3f03fe7f0300140006001e0089e9aaa911d7c2290f0086dd1327c9167c643c4a1b7880610cc96655b1b141ab059b24d0fbc50df71548a3f6c5609063382a0c1511fdf9435e3ffe46", 0xe90c, 0x0, &(0x7f0000000540)={0xc9, 0x0, r5, 0x1, 0x0, 0x6, @multicast}, 0x14) [ 75.109204][ T5338] syz.0.0 (5338) used greate[ 74.932816][ T5317] Bluetooth: hci0: command tx timeout [ 74.984280][ T5338] input: Bluetooth HID Boot Protocol Device as /devices/virtual/bluetooth/hci0/hci0:200/input5 [ 75.151701][ T5342] loop0: detected capacity change from 0 to 64 [ 75.163049][ T5342] ======================================================= [ 75.163049][ T5342] WARNING: The mand mount option has been deprecated and [ 75.163049][ T5342] and is ignored by this kernel. Remove the mand [ 75.163049][ T5342] option from the mount to silence this warning. [ 75.163049][ T5342] ======================================================= [ 75.286974][ T5339] Bluetooth: hci0: Opcode 0x0c1a failed: -4 [ 75.297567][ T5339] Bluetooth: hci0: Opcode 0x0406 failed: -4 [ 76.898484][ T1314] ieee802154 phy0 wpan0: encryption failed: -22 [ 76.901374][ T1314] ieee802154 phy1 wpan1: encryption failed: -22 [ 77.272771][ T5317] Bluetooth: hci0: command 0x040f tx timeout [ 77.578163][ T5342] syz.0.0: attempt to access beyond end of device [ 77.578163][ T5342] loop0: rw=0, sector=4200, nr_sectors = 1 limit=64 [ 77.588962][ T5342] Buffer I/O error on dev loop0, logical block 4200, async page read [ 77.593108][ T5342] syz.0.0: attempt to access beyond end of device [ 77.593108][ T5342] loop0: rw=0, sector=4201, nr_sectors = 1 limit=64 [ 77.598652][ T5342] Buffer I/O error on dev loop0, logical block 4201, async page read [ 77.602198][ T5342] syz.0.0: attempt to access beyond end of device [ 77.602198][ T5342] loop0: rw=0, sector=4202, nr_sectors = 1 limit=64 [ 77.608689][ T5342] Buffer I/O error on dev loop0, logical block 4202, async page read [ 77.612674][ T5342] syz.0.0: attempt to access beyond end of device [ 77.612674][ T5342] loop0: rw=0, sector=4203, nr_sectors = 1 limit=64 [ 77.618286][ T5342] Buffer I/O error on dev loop0, logical block 4203, async page read [ 77.634984][ T5339] [ 77.636085][ T5339] ====================================================== [ 77.639047][ T5339] WARNING: possible circular locking dependency detected [ 77.642003][ T5339] 6.16.0-rc6-syzkaller #0 Not tainted [ 77.644623][ T5339] ------------------------------------------------------ [ 77.647656][ T5339] syz.0.0/5339 is trying to acquire lock: [ 77.650111][ T5339] ffff888011f77040 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0 [ 77.655256][ T5339] [ 77.655256][ T5339] but task is already holding lock: [ 77.658542][ T5339] ffff888011f77338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680 [ 77.662394][ T5339] [ 77.662394][ T5339] which lock already depends on the new lock. [ 77.662394][ T5339] [ 77.666581][ T5339] [ 77.666581][ T5339] the existing dependency chain (in reverse order) is: [ 77.670291][ T5339] [ 77.670291][ T5339] -> #1 (&conn->lock#2){+.+.}-{4:4}: [ 77.673388][ T5339] lock_acquire+0x120/0x360 [ 77.675527][ T5339] __mutex_lock+0x182/0xe80 [ 77.677976][ T5339] l2cap_info_timeout+0x60/0xa0 [ 77.680304][ T5339] process_scheduled_works+0xae1/0x17b0 [ 77.682949][ T5339] worker_thread+0x8a0/0xda0 [ 77.684996][ T5339] kthread+0x70e/0x8a0 [ 77.686836][ T5339] ret_from_fork+0x3fc/0x770 [ 77.689007][ T5339] ret_from_fork_asm+0x1a/0x30 [ 77.691045][ T5339] [ 77.691045][ T5339] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}: [ 77.695196][ T5339] validate_chain+0xb9b/0x2140 [ 77.697548][ T5339] __lock_acquire+0xab9/0xd20 [ 77.699603][ T5339] lock_acquire+0x120/0x360 [ 77.701874][ T5339] __flush_work+0x6b8/0xbc0 [ 77.704163][ T5339] __cancel_work_sync+0xbe/0x110 [ 77.706545][ T5339] l2cap_conn_del+0x4f0/0x680 [ 77.708739][ T5339] l2cap_connect_cfm+0x11d/0x1040 [ 77.711061][ T5339] hci_conn_failed+0x1cb/0x310 [ 77.713721][ T5339] hci_abort_conn_sync+0x5d1/0xdf0 [ 77.716096][ T5339] hci_disconnect_all_sync+0x1b5/0x350 [ 77.718459][ T5339] hci_suspend_sync+0x3b8/0xc00 [ 77.720818][ T5339] hci_suspend_dev+0x28d/0x4d0 [ 77.723132][ T5339] hci_suspend_notifier+0xf2/0x290 [ 77.725629][ T5339] notifier_call_chain+0x1b3/0x3e0 [ 77.728195][ T5339] blocking_notifier_call_chain_robust+0x85/0x100 [ 77.731251][ T5339] pm_notifier_call_chain_robust+0x2c/0x60 [ 77.733881][ T5339] snapshot_open+0x19c/0x280 [ 77.735943][ T5339] misc_open+0x2bc/0x330 [ 77.738130][ T5339] chrdev_open+0x4cc/0x5e0 [ 77.740270][ T5339] do_dentry_open+0xdf3/0x1970 [ 77.742580][ T5339] vfs_open+0x3b/0x340 [ 77.744617][ T5339] path_openat+0x2ee5/0x3830 [ 77.747018][ T5339] do_filp_open+0x1fa/0x410 [ 77.749541][ T5339] do_sys_openat2+0x121/0x1c0 [ 77.751875][ T5339] __x64_sys_openat+0x138/0x170 [ 77.754275][ T5339] do_syscall_64+0xfa/0x3b0 [ 77.756423][ T5339] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 77.759208][ T5339] [ 77.759208][ T5339] other info that might help us debug this: [ 77.759208][ T5339] [ 77.763863][ T5339] Possible unsafe locking scenario: [ 77.763863][ T5339] [ 77.767057][ T5339] CPU0 CPU1 [ 77.769302][ T5339] ---- ---- [ 77.771544][ T5339] lock(&conn->lock#2); [ 77.773344][ T5339] lock((work_completion)(&(&conn->info_timer)->work)); [ 77.776991][ T5339] lock(&conn->lock#2); [ 77.779938][ T5339] lock((work_completion)(&(&conn->info_timer)->work)); [ 77.783201][ T5339] [ 77.783201][ T5339] *** DEADLOCK *** [ 77.783201][ T5339] [ 77.786745][ T5339] 8 locks held by syz.0.0/5339: [ 77.788979][ T5339] #0: ffffffff8e9c2d88 (misc_mtx){+.+.}-{4:4}, at: misc_open+0x51/0x330 [ 77.792844][ T5339] #1: ffffffff8dfee568 (system_transition_mutex){+.+.}-{4:4}, at: lock_system_sleep+0x4a/0x70 [ 77.798632][ T5339] #2: ffffffff8e012990 ((pm_chain_head).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain_robust+0x65/0x100 [ 77.805313][ T5339] #3: ffff88801a2e4dc0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_suspend_dev+0x285/0x4d0 [ 77.810388][ T5339] #4: ffff88801a2e40b8 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x1eb/0xdf0 [ 77.814337][ T5339] #5: ffffffff8f685c88 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_failed+0x165/0x310 [ 77.817852][ T5339] #6: ffff888011f77338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680 [ 77.821458][ T5339] #7: ffffffff8e13f0e0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0 [ 77.825475][ T5339] [ 77.825475][ T5339] stack backtrace: [ 77.827875][ T5339] CPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted 6.16.0-rc6-syzkaller #0 PREEMPT(full) [ 77.827893][ T5339] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 77.827901][ T5339] Call Trace: [ 77.827910][ T5339] [ 77.827916][ T5339] dump_stack_lvl+0x189/0x250 [ 77.827938][ T5339] ? __pfx_dump_stack_lvl+0x10/0x10 [ 77.827951][ T5339] ? __pfx__printk+0x10/0x10 [ 77.827967][ T5339] ? print_lock_name+0xde/0x100 [ 77.827983][ T5339] print_circular_bug+0x2ee/0x310 [ 77.828000][ T5339] check_noncircular+0x134/0x160 [ 77.828015][ T5339] validate_chain+0xb9b/0x2140 [ 77.828027][ T5339] ? do_raw_spin_lock+0x121/0x290 [ 77.828043][ T5339] ? look_up_lock_class+0x74/0x170 [ 77.828061][ T5339] ? register_lock_class+0x51/0x320 [ 77.828074][ T5339] __lock_acquire+0xab9/0xd20 [ 77.828090][ T5339] ? __flush_work+0xd2/0xbc0 [ 77.828104][ T5339] lock_acquire+0x120/0x360 [ 77.828115][ T5339] ? __flush_work+0xd2/0xbc0 [ 77.828129][ T5339] ? _raw_spin_unlock_irq+0x23/0x50 [ 77.828145][ T5339] ? __flush_work+0xd2/0xbc0 [ 77.828157][ T5339] __flush_work+0x6b8/0xbc0 [ 77.828171][ T5339] ? __flush_work+0xd2/0xbc0 [ 77.828184][ T5339] ? __flush_work+0xd2/0xbc0 [ 77.828197][ T5339] ? __pfx___flush_work+0x10/0x10 [ 77.828211][ T5339] ? __pfx_wq_barrier_func+0x10/0x10 [ 77.828226][ T5339] ? __pfx___cancel_work+0x10/0x10 [ 77.828240][ T5339] ? hci_conn_drop+0x14d/0x280 [ 77.828258][ T5339] __cancel_work_sync+0xbe/0x110 [ 77.828273][ T5339] l2cap_conn_del+0x4f0/0x680 [ 77.828289][ T5339] l2cap_connect_cfm+0x11d/0x1040 [ 77.828304][ T5339] ? __pfx_l2cap_connect_cfm+0x10/0x10 [ 77.828319][ T5339] ? __pfx_l2cap_connect_cfm+0x10/0x10 [ 77.828332][ T5339] hci_conn_failed+0x1cb/0x310 [ 77.828346][ T5339] ? hci_abort_conn_sync+0x1f7/0xdf0 [ 77.828359][ T5339] hci_abort_conn_sync+0x5d1/0xdf0 [ 77.828370][ T5339] ? __lock_acquire+0xab9/0xd20 [ 77.828382][ T5339] ? __pfx_hci_abort_conn_sync+0x10/0x10 [ 77.828394][ T5339] ? hci_disconnect_all_sync+0x2e/0x350 [ 77.828408][ T5339] ? hci_disconnect_all_sync+0x2e/0x350 [ 77.828429][ T5339] ? hci_disconnect_all_sync+0x2e/0x350 [ 77.828442][ T5339] hci_disconnect_all_sync+0x1b5/0x350 [ 77.828458][ T5339] hci_suspend_sync+0x3b8/0xc00 [ 77.828472][ T5339] ? __pfx___mutex_lock+0x10/0x10 [ 77.828482][ T5339] ? enable_work+0x258/0x2c0 [ 77.828495][ T5339] ? __pfx_hci_suspend_sync+0x10/0x10 [ 77.828509][ T5339] ? mgmt_pending_find+0x152/0x170 [ 77.828523][ T5339] ? hci_cmd_sync_cancel_sync+0xc9/0x190 [ 77.828539][ T5339] hci_suspend_dev+0x28d/0x4d0 [ 77.828549][ T5339] ? __pfx_hci_suspend_dev+0x10/0x10 [ 77.828559][ T5339] ? rcu_barrier+0x474/0x570 [ 77.828575][ T5339] hci_suspend_notifier+0xf2/0x290 [ 77.828586][ T5339] notifier_call_chain+0x1b3/0x3e0 [ 77.828603][ T5339] blocking_notifier_call_chain_robust+0x85/0x100 [ 77.828632][ T5339] pm_notifier_call_chain_robust+0x2c/0x60 [ 77.828645][ T5339] snapshot_open+0x19c/0x280 [ 77.828657][ T5339] ? __pfx_snapshot_open+0x10/0x10 [ 77.828669][ T5339] misc_open+0x2bc/0x330 [ 77.828687][ T5339] chrdev_open+0x4cc/0x5e0 [ 77.828703][ T5339] ? __pfx_chrdev_open+0x10/0x10 [ 77.828722][ T5339] ? __pfx_chrdev_open+0x10/0x10 [ 77.828737][ T5339] do_dentry_open+0xdf3/0x1970 [ 77.828756][ T5339] vfs_open+0x3b/0x340 [ 77.828771][ T5339] ? path_openat+0x2ecd/0x3830 [ 77.828782][ T5339] path_openat+0x2ee5/0x3830 [ 77.828793][ T5339] ? arch_stack_walk+0xfc/0x150 [ 77.828813][ T5339] ? __pfx_path_openat+0x10/0x10 [ 77.828823][ T5339] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 77.828838][ T5339] do_filp_open+0x1fa/0x410 [ 77.828848][ T5339] ? __lock_acquire+0xab9/0xd20 [ 77.828859][ T5339] ? __pfx_do_filp_open+0x10/0x10 [ 77.828875][ T5339] ? _raw_spin_unlock+0x28/0x50 [ 77.828891][ T5339] ? alloc_fd+0x64c/0x6c0 [ 77.828906][ T5339] do_sys_openat2+0x121/0x1c0 [ 77.828924][ T5339] ? __pfx_do_sys_openat2+0x10/0x10 [ 77.828940][ T5339] ? rcu_is_watching+0x15/0xb0 [ 77.828954][ T5339] __x64_sys_openat+0x138/0x170 [ 77.828971][ T5339] do_syscall_64+0xfa/0x3b0 [ 77.828982][ T5339] ? lockdep_hardirqs_on+0x9c/0x150 [ 77.828998][ T5339] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 77.829008][ T5339] ? clear_bhb_loop+0x60/0xb0 [ 77.829020][ T5339] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 77.829031][ T5339] RIP: 0033:0x7f3d7e98e929 [ 77.829044][ T5339] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 77.829052][ T5339] RSP: 002b:00007f3d7f829038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 77.829067][ T5339] RAX: ffffffffffffffda RBX: 00007f3d7ebb6080 RCX: 00007f3d7e98e929 [ 77.829076][ T5339] RDX: 0000000000000100 RSI: 0000200000000040 RDI: ffffffffffffff9c [ 77.829085][ T5339] RBP: 00007f3d7ea10b39 R08: 0000000000000000 R09: 0000000000000000 [ 77.829092][ T5339] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 77.829098][ T5339] R13: 0000000000000000 R14: 00007f3d7ebb6080 R15: 00007ffd42b140e8 [ 77.829109][ T5339] [ 79.313588][ T4686] Bluetooth: hci0: command 0x040f tx timeout [ 81.392816][ T4686] Bluetooth: hci0: command 0x040f tx timeout