program: r0 = socket$inet_udplite(0x2, 0x2, 0x88) r1 = socket(0x21, 0x3, 0x0) getsockname$packet(r1, &(0x7f0000000200)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000001480)=0x14) r3 = syz_open_dev$dri(&(0x7f0000000000), 0x1, 0x40402) ioctl$DRM_IOCTL_MODE_GETRESOURCES(r3, 0xc04064a0, &(0x7f0000000300)={0x0, &(0x7f0000000240)=[0x0], 0x0, 0x0, 0x0, 0x1}) r5 = openat$iommufd(0xffffffffffffff9c, &(0x7f0000000000), 0x40200, 0x0) ioctl$IOMMU_VFIO_IOAS$SET(r5, 0x3b88, &(0x7f0000000040)={0xc, 0x0, 0x1, 0x204}) ioctl$DRM_IOCTL_MODE_GETCRTC(r3, 0xc06864a1, &(0x7f00000001c0)={0x0, 0x0, r4, 0x0}) ioctl$DRM_IOCTL_MODE_SETCRTC(r3, 0xc06864a2, &(0x7f0000000d80)={0x0, 0x0, r4, r6, 0x0, 0x1, 0x7, 0x2, {0x4, 0x7, 0x3, 0xd, 0x7, 0x7, 0x5, 0x9, 0xb, 0x0, 0x7, 0x3, 0x100, 0x7, "dcdda51c878b0cbcd373cf12c16f0008f713dc15cc1772401486460adfc8af74"}}) sendmsg$IPCTNL_MSG_CT_NEW(0xffffffffffffffff, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000000c0)={0x0}}, 0x0) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000800)=@newtfilter={0x30, 0x2c, 0xd27, 0x70bd2d, 0x0, {0x0, 0x0, 0x0, r2, {0xffff}, {}, {0x8, 0xb}}, [@filter_kind_options=@f_fw={{0x7}, {0x4}}]}, 0x30}}, 0x4000) r7 = socket$netlink(0x10, 0x3, 0x0) r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$sock_bt_hci(r8, 0x400448cb, 0x0) getsockopt$inet6_IPV6_FLOWLABEL_MGR(0xffffffffffffffff, 0x29, 0x20, &(0x7f0000000100)={@loopback, 0x1, 0x1, 0x3, 0x1a, 0xffff}, 0x0) r9 = socket$nl_generic(0x10, 0x3, 0x10) r10 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000180), 0xffffffffffffffff) sendmsg$TIPC_NL_MEDIA_SET(r9, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000040)=ANY=[@ANYBLOB='4\x00\x00\x00', @ANYRES16=r10, @ANYBLOB="01002cbd7000fddbdf250c00000020000580070001006962000014000280080003000002000008000400070000009cd2dc8c0701c5"], 0x34}, 0x1, 0x0, 0x0, 0x8040}, 0x80) ioctl$BTRFS_IOC_BALANCE_CTL(r7, 0x40049421, 0x2) r11 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPCTNL_MSG_CT_NEW(r11, &(0x7f0000000080)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000740)={0x14, 0x0, 0x1, 0x401, 0x0, 0x0, {0xa}}, 0x14}}, 0x0) r12 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x3) ioctl$FS_IOC_GETFSLABEL(r12, 0x400452c8, &(0x7f0000000100)) sendmmsg(r7, &(0x7f00000002c0), 0x40000000000009f, 0x0) sendmmsg$inet(r0, &(0x7f0000002240)=[{{&(0x7f0000000140)={0x2, 0x4e22, @dev={0xac, 0x14, 0x14, 0x44}}, 0x10, 0x0}}], 0x1, 0x4000000) [ 86.453927][ T4680] Bluetooth: hci0: command tx timeout [ 86.533546][ T5333] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 86.647863][ T5333] [ 86.649000][ T5333] ====================================================== [ 86.652302][ T5333] WARNING: possible circular locking dependency detected [ 86.655378][ T5333] 6.16.0-rc1-syzkaller #0 Not tainted [ 86.658042][ T5333] ------------------------------------------------------ [ 86.661773][ T5333] syz.0.0/5333 is trying to acquire lock: [ 86.664345][ T5333] ffff88803f062040 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0 [ 86.669565][ T5333] [ 86.669565][ T5333] but task is already holding lock: [ 86.673017][ T5333] ffff88803f062338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680 [ 86.677753][ T5333] [ 86.677753][ T5333] which lock already depends on the new lock. [ 86.677753][ T5333] [ 86.682347][ T5333] [ 86.682347][ T5333] the existing dependency chain (in reverse order) is: [ 86.686580][ T5333] [ 86.686580][ T5333] -> #1 (&conn->lock#2){+.+.}-{4:4}: [ 86.690422][ T5333] lock_acquire+0x120/0x360 [ 86.692834][ T5333] __mutex_lock+0x182/0xe80 [ 86.695255][ T5333] l2cap_info_timeout+0x60/0xa0 [ 86.697683][ T5333] process_scheduled_works+0xae1/0x17b0 [ 86.700996][ T5333] worker_thread+0x8a0/0xda0 [ 86.703639][ T5333] kthread+0x70e/0x8a0 [ 86.705724][ T5333] ret_from_fork+0x3fc/0x770 [ 86.708084][ T5333] ret_from_fork_asm+0x1a/0x30 [ 86.710364][ T5333] [ 86.710364][ T5333] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}: [ 86.715331][ T5333] validate_chain+0xb9b/0x2140 [ 86.718007][ T5333] __lock_acquire+0xab9/0xd20 [ 86.720218][ T5333] lock_acquire+0x120/0x360 [ 86.722464][ T5333] __flush_work+0x6b8/0xbc0 [ 86.724800][ T5333] __cancel_work_sync+0xbe/0x110 [ 86.727548][ T5333] l2cap_conn_del+0x4f0/0x680 [ 86.730411][ T5333] hci_conn_hash_flush+0x10a/0x230 [ 86.733029][ T5333] hci_dev_reset+0x3e0/0x5c0 [ 86.735296][ T5333] sock_do_ioctl+0xd9/0x300 [ 86.737615][ T5333] sock_ioctl+0x576/0x790 [ 86.739950][ T5333] __se_sys_ioctl+0xf9/0x170 [ 86.742729][ T5333] do_syscall_64+0xfa/0x3b0 [ 86.745258][ T5333] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.748288][ T5333] [ 86.748288][ T5333] other info that might help us debug this: [ 86.748288][ T5333] [ 86.752855][ T5333] Possible unsafe locking scenario: [ 86.752855][ T5333] [ 86.756702][ T5333] CPU0 CPU1 [ 86.759577][ T5333] ---- ---- [ 86.761859][ T5333] lock(&conn->lock#2); [ 86.763757][ T5333] lock((work_completion)(&(&conn->info_timer)->work)); [ 86.768100][ T5333] lock(&conn->lock#2); [ 86.771653][ T5333] lock((work_completion)(&(&conn->info_timer)->work)); [ 86.774859][ T5333] [ 86.774859][ T5333] *** DEADLOCK *** [ 86.774859][ T5333] [ 86.778263][ T5333] 5 locks held by syz.0.0/5333: [ 86.780317][ T5333] #0: ffff888033230d80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_reset+0x139/0x5c0 [ 86.785266][ T5333] #1: ffff888033230078 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_reset+0x1c9/0x5c0 [ 86.789568][ T5333] #2: ffffffff8f678068 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x230 [ 86.793868][ T5333] #3: ffff88803f062338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680 [ 86.797886][ T5333] #4: ffffffff8e13eda0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0 [ 86.802297][ T5333] [ 86.802297][ T5333] stack backtrace: [ 86.805062][ T5333] CPU: 0 UID: 0 PID: 5333 Comm: syz.0.0 Not tainted 6.16.0-rc1-syzkaller #0 PREEMPT(full) [ 86.805081][ T5333] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 86.805091][ T5333] Call Trace: [ 86.805102][ T5333] [ 86.805110][ T5333] dump_stack_lvl+0x189/0x250 [ 86.805162][ T5333] ? __pfx_dump_stack_lvl+0x10/0x10 [ 86.805211][ T5333] ? __pfx__printk+0x10/0x10 [ 86.805226][ T5333] ? print_lock_name+0xde/0x100 [ 86.805239][ T5333] print_circular_bug+0x2ee/0x310 [ 86.805253][ T5333] check_noncircular+0x134/0x160 [ 86.805265][ T5333] validate_chain+0xb9b/0x2140 [ 86.805276][ T5333] ? do_raw_spin_lock+0x121/0x290 [ 86.805291][ T5333] ? look_up_lock_class+0x74/0x170 [ 86.805309][ T5333] ? register_lock_class+0x51/0x320 [ 86.805328][ T5333] __lock_acquire+0xab9/0xd20 [ 86.805346][ T5333] ? __flush_work+0xd2/0xbc0 [ 86.805357][ T5333] lock_acquire+0x120/0x360 [ 86.805370][ T5333] ? __flush_work+0xd2/0xbc0 [ 86.805381][ T5333] ? _raw_spin_unlock_irq+0x23/0x50 [ 86.805395][ T5333] ? __flush_work+0xd2/0xbc0 [ 86.805405][ T5333] __flush_work+0x6b8/0xbc0 [ 86.805416][ T5333] ? __flush_work+0xd2/0xbc0 [ 86.805428][ T5333] ? __flush_work+0xd2/0xbc0 [ 86.805438][ T5333] ? __pfx___flush_work+0x10/0x10 [ 86.805449][ T5333] ? __pfx_wq_barrier_func+0x10/0x10 [ 86.805465][ T5333] ? __pfx___cancel_work+0x10/0x10 [ 86.805477][ T5333] ? __pfx___mutex_lock+0x10/0x10 [ 86.805487][ T5333] ? hci_dev_reset+0x1c9/0x5c0 [ 86.805502][ T5333] __cancel_work_sync+0xbe/0x110 [ 86.805517][ T5333] l2cap_conn_del+0x4f0/0x680 [ 86.805531][ T5333] ? __pfx_l2cap_disconn_cfm+0x10/0x10 [ 86.805544][ T5333] hci_conn_hash_flush+0x10a/0x230 [ 86.805560][ T5333] hci_dev_reset+0x3e0/0x5c0 [ 86.805573][ T5333] sock_do_ioctl+0xd9/0x300 [ 86.805594][ T5333] ? __pfx_sock_do_ioctl+0x10/0x10 [ 86.805611][ T5333] ? __lock_acquire+0xab9/0xd20 [ 86.805629][ T5333] sock_ioctl+0x576/0x790 [ 86.805643][ T5333] ? __pfx_sock_ioctl+0x10/0x10 [ 86.805657][ T5333] ? __fget_files+0x2a/0x420 [ 86.805677][ T5333] ? __fget_files+0x3a0/0x420 [ 86.805689][ T5333] ? __fget_files+0x2a/0x420 [ 86.805701][ T5333] ? bpf_lsm_file_ioctl+0x9/0x20 [ 86.805716][ T5333] ? __pfx_sock_ioctl+0x10/0x10 [ 86.805731][ T5333] __se_sys_ioctl+0xf9/0x170 [ 86.805747][ T5333] do_syscall_64+0xfa/0x3b0 [ 86.805758][ T5333] ? lockdep_hardirqs_on+0x9c/0x150 [ 86.805773][ T5333] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.805785][ T5333] ? clear_bhb_loop+0x60/0xb0 [ 86.805797][ T5333] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.805808][ T5333] RIP: 0033:0x7f393c98e929 [ 86.805820][ T5333] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 86.805831][ T5333] RSP: 002b:00007f393d891038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 86.805846][ T5333] RAX: ffffffffffffffda RBX: 00007f393cbb5fa0 RCX: 00007f393c98e929 [ 86.805855][ T5333] RDX: 0000000000000000 RSI: 00000000400448cb RDI: 0000000000000008 [ 86.805863][ T5333] RBP: 00007f393ca10b39 R08: 0000000000000000 R09: 0000000000000000 [ 86.805871][ T5333] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 86.805879][ T5333] R13: 0000000000000000 R14: 00007f393cbb5fa0 R15: 00007ffefe928a38 [ 86.805890][ T5333] [ 86.968331][ T10] cfg80211: failed to load regulatory.db [ 87.048503][ T5342] Zero length message leads to an empty skb