program:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r0, 0x400448ca, 0x0)
r1 = openat$snapshot(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
ioctl$SNAPSHOT_ATOMIC_RESTORE(r1, 0x3304)

[   86.803757][ T5339] Bluetooth: hci0: command tx timeout
[   86.809825][   T10] cfg80211: failed to load regulatory.db
[   86.895390][ T1351] 
[   86.896585][ T1351] ======================================================
[   86.899660][ T1351] WARNING: possible circular locking dependency detected
[   86.902835][ T1351] syzkaller #0 Not tainted
[   86.904899][ T1351] ------------------------------------------------------
[   86.908020][ T1351] kworker/0:3/1351 is trying to acquire lock:
[   86.910856][ T1351] ffff888034119b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[   86.915439][ T1351] 
[   86.915439][ T1351] but task is already holding lock:
[   86.919422][ T1351] ffffc9000297fbc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0
[   86.925494][ T1351] 
[   86.925494][ T1351] which lock already depends on the new lock.
[   86.925494][ T1351] 
[   86.930440][ T1351] 
[   86.930440][ T1351] the existing dependency chain (in reverse order) is:
[   86.934604][ T1351] 
[   86.934604][ T1351] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[   86.939002][ T1351]        lock_acquire+0x120/0x360
[   86.941247][ T1351]        __flush_work+0x6b8/0xbc0
[   86.943534][ T1351]        __cancel_work_sync+0xbe/0x110
[   86.946280][ T1351]        l2cap_conn_del+0x4f0/0x680
[   86.948752][ T1351]        hci_conn_hash_flush+0x10a/0x230
[   86.951157][ T1351]        hci_dev_close_sync+0xaef/0x1330
[   86.953538][ T1351]        hci_dev_close+0x108/0x200
[   86.955991][ T1351]        sock_do_ioctl+0xdc/0x300
[   86.958266][ T1351]        sock_ioctl+0x576/0x790
[   86.960622][ T1351]        __se_sys_ioctl+0xf9/0x170
[   86.963581][ T1351]        do_syscall_64+0xfa/0x3b0
[   86.966363][ T1351]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.969155][ T1351] 
[   86.969155][ T1351] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[   86.972572][ T1351]        validate_chain+0xb9b/0x2140
[   86.974945][ T1351]        __lock_acquire+0xab9/0xd20
[   86.977269][ T1351]        lock_acquire+0x120/0x360
[   86.979637][ T1351]        __mutex_lock+0x187/0x1350
[   86.982213][ T1351]        l2cap_info_timeout+0x60/0xa0
[   86.984739][ T1351]        process_scheduled_works+0xae1/0x17b0
[   86.987701][ T1351]        worker_thread+0x8a0/0xda0
[   86.990067][ T1351]        kthread+0x70e/0x8a0
[   86.992214][ T1351]        ret_from_fork+0x3f9/0x770
[   86.994444][ T1351]        ret_from_fork_asm+0x1a/0x30
[   86.996730][ T1351] 
[   86.996730][ T1351] other info that might help us debug this:
[   86.996730][ T1351] 
[   87.000941][ T1351]  Possible unsafe locking scenario:
[   87.000941][ T1351] 
[   87.004256][ T1351]        CPU0                    CPU1
[   87.006957][ T1351]        ----                    ----
[   87.009453][ T1351]   lock((work_completion)(&(&conn->info_timer)->work));
[   87.012705][ T1351]                                lock(&conn->lock#2);
[   87.015908][ T1351]                                lock((work_completion)(&(&conn->info_timer)->work));
[   87.020281][ T1351]   lock(&conn->lock#2);
[   87.022340][ T1351] 
[   87.022340][ T1351]  *** DEADLOCK ***
[   87.022340][ T1351] 
[   87.026400][ T1351] 2 locks held by kworker/0:3/1351:
[   87.029141][ T1351]  #0: ffff88801a474d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0
[   87.034336][ T1351]  #1: ffffc9000297fbc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0
[   87.040022][ T1351] 
[   87.040022][ T1351] stack backtrace:
[   87.042658][ T1351] CPU: 0 UID: 0 PID: 1351 Comm: kworker/0:3 Not tainted syzkaller #0 PREEMPT(full)
[   87.042678][ T1351] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   87.042687][ T1351] Workqueue: events l2cap_info_timeout
[   87.042712][ T1351] Call Trace:
[   87.042720][ T1351] 
[   87.042726][ T1351]  dump_stack_lvl+0x189/0x250
[   87.042743][ T1351]  ? __pfx_dump_stack_lvl+0x10/0x10
[   87.042755][ T1351]  ? __pfx__printk+0x10/0x10
[   87.042770][ T1351]  ? print_lock_name+0xde/0x100
[   87.042785][ T1351]  print_circular_bug+0x2ee/0x310
[   87.042799][ T1351]  check_noncircular+0x134/0x160
[   87.042812][ T1351]  validate_chain+0xb9b/0x2140
[   87.042828][ T1351]  __lock_acquire+0xab9/0xd20
[   87.042844][ T1351]  ? l2cap_info_timeout+0x60/0xa0
[   87.042856][ T1351]  lock_acquire+0x120/0x360
[   87.042872][ T1351]  ? l2cap_info_timeout+0x60/0xa0
[   87.042889][ T1351]  __mutex_lock+0x187/0x1350
[   87.042907][ T1351]  ? l2cap_info_timeout+0x60/0xa0
[   87.042921][ T1351]  ? irqentry_exit+0x74/0x90
[   87.042935][ T1351]  ? lockdep_hardirqs_on+0x9c/0x150
[   87.042949][ T1351]  ? l2cap_info_timeout+0x60/0xa0
[   87.042963][ T1351]  ? __pfx___mutex_lock+0x10/0x10
[   87.042980][ T1351]  l2cap_info_timeout+0x60/0xa0
[   87.042993][ T1351]  ? process_scheduled_works+0x9ef/0x17b0
[   87.043005][ T1351]  process_scheduled_works+0xae1/0x17b0
[   87.043021][ T1351]  ? __pfx_process_scheduled_works+0x10/0x10
[   87.043034][ T1351]  worker_thread+0x8a0/0xda0
[   87.043046][ T1351]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   87.043061][ T1351]  ? __kthread_parkme+0x7b/0x200
[   87.043073][ T1351]  kthread+0x70e/0x8a0
[   87.043085][ T1351]  ? __pfx_worker_thread+0x10/0x10
[   87.043094][ T1351]  ? __pfx_kthread+0x10/0x10
[   87.043106][ T1351]  ? _raw_spin_unlock_irq+0x23/0x50
[   87.043118][ T1351]  ? lockdep_hardirqs_on+0x9c/0x150
[   87.043130][ T1351]  ? __pfx_kthread+0x10/0x10
[   87.043142][ T1351]  ret_from_fork+0x3f9/0x770
[   87.043154][ T1351]  ? __pfx_ret_from_fork+0x10/0x10
[   87.043166][ T1351]  ? __pfx_kthread+0x10/0x10
[   87.043178][ T1351]  ret_from_fork_asm+0x1a/0x30
[   87.043196][ T1351] 
[   88.841807][ T5339] Bluetooth: hci0: command tx timeout
[   90.922087][ T5339] Bluetooth: hci0: command tx timeout
[   93.002107][ T5339] Bluetooth: hci0: command tx timeout
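The "Possible unsafe locking scenario" block is lockdep's cycle check (check_noncircular, visible in the stack backtrace) firing on two recorded acquisition orders: the hci_dev_close path took the (work_completion) pseudo-lock for &conn->info_timer via cancel_work_sync while holding &conn->lock#2, and the worker running l2cap_info_timeout now takes &conn->lock#2 while lockdep considers that same work_completion held. The C program below is an added illustration, not part of the syzkaller report and not kernel code: it replays those two orders, using the lock class names from the report, through a miniature dependency graph with the same "is the new lock already reachable from the held lock" test that lockdep applies. The add_dependency/replay_* names and the "consistent order" contrast case are the example's own; the contrast case is not the upstream fix, only a demonstration that the checker stays silent when both paths agree on an order.

```c
#include <stdio.h>
#include <string.h>

/*
 * Miniature lockdep: each distinct lock name is a "class"; edge[a][b] records
 * that class b was acquired while class a was held (an a -> b ordering).
 * A new ordering h -> t is a bug if t already reaches h through recorded edges.
 */
#define MAX_CLASSES 16

static const char *class_name[MAX_CLASSES];
static int nr_classes;
static int edge[MAX_CLASSES][MAX_CLASSES];

static void reset_graph(void)
{
    nr_classes = 0;
    memset(edge, 0, sizeof(edge));
}

/* Map a lock name to a class index, registering it on first sight. */
static int lock_class(const char *name)
{
    for (int i = 0; i < nr_classes; i++)
        if (strcmp(class_name[i], name) == 0)
            return i;
    class_name[nr_classes] = name;
    return nr_classes++;
}

/* Depth-first search: can 'from' reach 'to' following recorded orderings? */
static int reachable(int from, int to, int *seen)
{
    if (from == to)
        return 1;
    if (seen[from])
        return 0;
    seen[from] = 1;
    for (int next = 0; next < nr_classes; next++)
        if (edge[from][next] && reachable(next, to, seen))
            return 1;
    return 0;
}

/*
 * Record "acquire 'taking' while holding 'held'".
 * Returns 1 (and leaves the graph untouched) if the edge would close a cycle,
 * i.e. the held lock already depends on the new lock; returns 0 otherwise.
 */
static int add_dependency(const char *held, const char *taking)
{
    int h = lock_class(held), t = lock_class(taking);
    int seen[MAX_CLASSES] = {0};

    if (reachable(t, h, seen)) {
        printf("possible circular locking dependency: %s -> %s\n", held, taking);
        return 1;
    }
    edge[h][t] = 1;
    return 0;
}

/* Replay the two chains from the report. Returns 1 if the second one is flagged. */
int replay_l2cap_report(void)
{
    const char *conn_lock = "&conn->lock#2";
    const char *info_work = "(work_completion)(&(&conn->info_timer)->work)";

    reset_graph();
    /* -> #1: l2cap_conn_del() -> __cancel_work_sync() -> __flush_work() with conn->lock held */
    int first = add_dependency(conn_lock, info_work);
    /* -> #0: worker running l2cap_info_timeout() takes conn->lock while the work is "held" */
    int second = add_dependency(info_work, conn_lock);

    return first == 0 && second == 1;
}

/* Hypothetical contrast: both paths order work_completion before conn->lock. Returns 0 if no cycle. */
int replay_consistent_order(void)
{
    const char *conn_lock = "&conn->lock#2";
    const char *info_work = "(work_completion)(&(&conn->info_timer)->work)";

    reset_graph();
    return add_dependency(info_work, conn_lock) | add_dependency(info_work, conn_lock);
}

int main(void)
{
    printf("report chains flagged: %d\n", replay_l2cap_report());
    printf("consistent order flagged: %d\n", replay_consistent_order());
    return 0;
}
```

The reachability test runs in the direction lockdep's report words it: the lock already held (the work_completion) "already depends on the new lock" (conn->lock) because an earlier path took the work_completion after conn->lock, so taking conn->lock now would complete the cycle shown under CPU0/CPU1.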