program:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
io_setup(0x8, &(0x7f00000002c0)=0x0)
io_submit(r1, 0x1, &(0x7f0000000340)=[&(0x7f0000000100)={0x2000000000, 0x4, 0x0, 0x1, 0x0, r0, &(0x7f0000000040)="0b01ffff51", 0x5}])

[ 87.731479][ T10] cfg80211: failed to load regulatory.db
[ 87.739340][ T5338] Bluetooth: hci0: command tx timeout
[ 87.865895][ T10]
[ 87.867019][ T10] ======================================================
[ 87.870182][ T10] WARNING: possible circular locking dependency detected
[ 87.873530][ T10] 6.16.0-syzkaller-11489-gd2eedaa3909b #0 Not tainted
[ 87.876616][ T10] ------------------------------------------------------
[ 87.879808][ T10] kworker/0:1/10 is trying to acquire lock:
[ 87.882568][ T10] ffff88803317cb38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 87.887057][ T10]
[ 87.887057][ T10] but task is already holding lock:
[ 87.890398][ T10] ffffc900001c7bc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0
[ 87.896533][ T10]
[ 87.896533][ T10] which lock already depends on the new lock.
[ 87.896533][ T10]
[ 87.901368][ T10]
[ 87.901368][ T10] the existing dependency chain (in reverse order) is:
[ 87.905338][ T10]
[ 87.905338][ T10] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 87.909964][ T10]        lock_acquire+0x120/0x360
[ 87.912226][ T10]        __flush_work+0x6b8/0xbc0
[ 87.914280][ T10]        __cancel_work_sync+0xbe/0x110
[ 87.916552][ T10]        l2cap_conn_del+0x4f0/0x680
[ 87.918742][ T10]        hci_conn_hash_flush+0x10a/0x230
[ 87.921293][ T10]        hci_dev_close_sync+0xaef/0x1330
[ 87.923668][ T10]        hci_dev_close+0x108/0x200
[ 87.925968][ T10]        sock_do_ioctl+0xdc/0x300
[ 87.928269][ T10]        sock_ioctl+0x576/0x790
[ 87.930422][ T10]        __se_sys_ioctl+0xf9/0x170
[ 87.932922][ T10]        do_syscall_64+0xfa/0x3b0
[ 87.935369][ T10]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 87.938309][ T10]
[ 87.938309][ T10] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 87.942024][ T10]        validate_chain+0xb9b/0x2140
[ 87.944242][ T10]        __lock_acquire+0xab9/0xd20
[ 87.946442][ T10]        lock_acquire+0x120/0x360
[ 87.948606][ T10]        __mutex_lock+0x187/0x1360
[ 87.950970][ T10]        l2cap_info_timeout+0x60/0xa0
[ 87.953354][ T10]        process_scheduled_works+0xade/0x17b0
[ 87.956165][ T10]        worker_thread+0x8a0/0xda0
[ 87.958800][ T10]        kthread+0x711/0x8a0
[ 87.960979][ T10]        ret_from_fork+0x3f9/0x770
[ 87.963244][ T10]        ret_from_fork_asm+0x1a/0x30
[ 87.965843][ T10]
[ 87.965843][ T10] other info that might help us debug this:
[ 87.965843][ T10]
[ 87.971397][ T10]  Possible unsafe locking scenario:
[ 87.971397][ T10]
[ 87.974670][ T10]        CPU0                    CPU1
[ 87.976938][ T10]        ----                    ----
[ 87.979319][ T10]   lock((work_completion)(&(&conn->info_timer)->work));
[ 87.982415][ T10]                                lock(&conn->lock#2);
[ 87.985429][ T10]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 87.989427][ T10]   lock(&conn->lock#2);
[ 87.991277][ T10]
[ 87.991277][ T10]  *** DEADLOCK ***
[ 87.991277][ T10]
[ 87.994918][ T10] 2 locks held by kworker/0:1/10:
[ 87.997452][ T10]  #0: ffff88801a474d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0
[ 88.002479][ T10]  #1: ffffc900001c7bc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0
[ 88.007861][ T10]
[ 88.007861][ T10] stack backtrace:
[ 88.010322][ T10] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.16.0-syzkaller-11489-gd2eedaa3909b #0 PREEMPT(full)
[ 88.010339][ T10] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 88.010347][ T10] Workqueue: events l2cap_info_timeout
[ 88.010369][ T10] Call Trace:
[ 88.010380][ T10]
[ 88.010385][ T10]  dump_stack_lvl+0x189/0x250
[ 88.010401][ T10]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 88.010412][ T10]  ? __pfx__printk+0x10/0x10
[ 88.010427][ T10]  ? print_lock_name+0xde/0x100
[ 88.010447][ T10]  print_circular_bug+0x2ee/0x310
[ 88.010460][ T10]  check_noncircular+0x134/0x160
[ 88.010472][ T10]  validate_chain+0xb9b/0x2140
[ 88.010485][ T10]  ? trace_sched_exit_tp+0x36/0x110
[ 88.010499][ T10]  ? __schedule+0x17ae/0x4cc0
[ 88.010517][ T10]  __lock_acquire+0xab9/0xd20
[ 88.010533][ T10]  ? l2cap_info_timeout+0x60/0xa0
[ 88.010548][ T10]  lock_acquire+0x120/0x360
[ 88.010562][ T10]  ? l2cap_info_timeout+0x60/0xa0
[ 88.010578][ T10]  __mutex_lock+0x187/0x1360
[ 88.010588][ T10]  ? l2cap_info_timeout+0x60/0xa0
[ 88.010602][ T10]  ? rcu_is_watching+0x15/0xb0
[ 88.010613][ T10]  ? trace_irq_disable+0x37/0x110
[ 88.010626][ T10]  ? preempt_schedule_irq+0xde/0x150
[ 88.010640][ T10]  ? __pfx_preempt_schedule_irq+0x10/0x10
[ 88.010654][ T10]  ? l2cap_info_timeout+0x60/0xa0
[ 88.010669][ T10]  ? __pfx___mutex_lock+0x10/0x10
[ 88.010678][ T10]  ? irqentry_exit+0x74/0x90
[ 88.010686][ T10]  ? lockdep_hardirqs_on+0x9c/0x150
[ 88.010702][ T10]  ? process_scheduled_works+0x9ef/0x17b0
[ 88.010712][ T10]  ? __pfx_l2cap_info_timeout+0x10/0x10
[ 88.010728][ T10]  l2cap_info_timeout+0x60/0xa0
[ 88.010743][ T10]  ? process_scheduled_works+0x9ef/0x17b0
[ 88.010753][ T10]  process_scheduled_works+0xade/0x17b0
[ 88.010767][ T10]  ? __pfx_process_scheduled_works+0x10/0x10
[ 88.010780][ T10]  worker_thread+0x8a0/0xda0
[ 88.010790][ T10]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 88.010806][ T10]  ? __kthread_parkme+0x7b/0x200
[ 88.010819][ T10]  kthread+0x711/0x8a0
[ 88.010832][ T10]  ? __pfx_worker_thread+0x10/0x10
[ 88.010842][ T10]  ? __pfx_kthread+0x10/0x10
[ 88.010854][ T10]  ? _raw_spin_unlock_irq+0x23/0x50
[ 88.010868][ T10]  ? lockdep_hardirqs_on+0x9c/0x150
[ 88.010882][ T10]  ? __pfx_kthread+0x10/0x10
[ 88.010894][ T10]  ret_from_fork+0x3f9/0x770
[ 88.010905][ T10]  ? __pfx_ret_from_fork+0x10/0x10
[ 88.010916][ T10]  ? __pfx_kthread+0x10/0x10
[ 88.010928][ T10]  ret_from_fork_asm+0x1a/0x30
[ 88.010945][ T10]
[ 89.816559][ T5338] Bluetooth: hci0: command tx timeout
[ 91.896565][ T5338] Bluetooth: hci0: command tx timeout
[ 93.976489][ T5338] Bluetooth: hci0: command tx timeout
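Added illustration, not part of the syzkaller report and not kernel code: a user-space replay of what lockdep did above. It keeps the same lock-order graph lockdep keeps (an edge a -> b whenever b is taken while a is held) and replays the two paths the report names: the ioctl path, where l2cap_conn_del holds &conn->lock#2 while __cancel_work_sync waits on the info_timer work completion, and the kworker path, where l2cap_info_timeout runs under that work completion and then takes &conn->lock#2. The second path closes the cycle and is flagged, exactly as in the report, without any thread ever blocking. The lock names are the report's own; the task names, the reordered variant at the end (drop &conn->lock#2 before waiting on the work) and the tracker itself are assumptions for the demonstration, and the reordered variant is only one ordering that removes the cycle, not a claim about how l2cap_conn_del was or should be fixed.

```c
/* Minimal lockdep-style order tracker (added example, not kernel code). */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum lock_class {
	WQ_EVENTS,       /* (wq_completion)events */
	INFO_TIMER_WORK, /* (work_completion)(&(&conn->info_timer)->work) */
	CONN_LOCK,       /* &conn->lock#2 */
	NR_LOCKS
};

static const char *const lock_name[NR_LOCKS] = {
	"(wq_completion)events",
	"(work_completion)(&(&conn->info_timer)->work)",
	"&conn->lock#2",
};

/* dep[a][b]: b has been acquired while a was held (edge a -> b). Global,
 * like lockdep's graph: edges from one task constrain every other task. */
static bool dep[NR_LOCKS][NR_LOCKS];

struct task {
	const char *comm;      /* assumed task name, for the message only */
	int held[NR_LOCKS];    /* locks currently held, in acquisition order */
	int nr_held;
};

/* DFS: does an edge path from -> ... -> to already exist? */
static bool reachable(int from, int to, bool visited[NR_LOCKS])
{
	if (from == to)
		return true;
	visited[from] = true;
	for (int n = 0; n < NR_LOCKS; n++)
		if (dep[from][n] && !visited[n] && reachable(n, to, visited))
			return true;
	return false;
}

/* Record t taking lock. Returns true if some held lock already depends on
 * lock (lockdep's "which lock already depends on the new lock"). */
static bool lockdep_acquire(struct task *t, int lock)
{
	bool circular = false;

	for (int i = 0; i < t->nr_held; i++) {
		int held = t->held[i];
		bool visited[NR_LOCKS] = { false };

		if (reachable(lock, held, visited)) {
			printf("WARNING: %s takes %s while holding %s, but %s -> %s is already recorded\n",
			       t->comm, lock_name[lock], lock_name[held],
			       lock_name[lock], lock_name[held]);
			circular = true;
		}
		dep[held][lock] = true;
	}
	t->held[t->nr_held++] = lock;
	return circular;
}

/* Locks are released LIFO in both replayed paths. */
static void lockdep_release(struct task *t) { t->nr_held--; }
static void lockdep_reset(void) { memset(dep, 0, sizeof(dep)); }

/* Kworker path from the report: wq_completion and work_completion are held
 * by process_scheduled_works, then l2cap_info_timeout takes conn->lock. */
static bool run_info_timeout(struct task *kworker)
{
	bool flagged;

	lockdep_acquire(kworker, WQ_EVENTS);
	lockdep_acquire(kworker, INFO_TIMER_WORK);
	flagged = lockdep_acquire(kworker, CONN_LOCK);
	lockdep_release(kworker);
	lockdep_release(kworker);
	lockdep_release(kworker);
	return flagged;
}

/* Ioctl path as reported: conn->lock held across __cancel_work_sync. */
static bool replay_report(void)
{
	struct task ioctl = { .comm = "ioctl/l2cap_conn_del" };
	struct task kworker = { .comm = "kworker/0:1" };

	lockdep_reset();
	lockdep_acquire(&ioctl, CONN_LOCK);
	if (lockdep_acquire(&ioctl, INFO_TIMER_WORK))
		return false; /* first path alone must not be flagged */
	lockdep_release(&ioctl);
	lockdep_release(&ioctl);
	return run_info_timeout(&kworker);
}

/* Hypothetical reordering: unlock conn->lock before waiting for the work. */
static bool replay_reordered(void)
{
	struct task ioctl = { .comm = "ioctl/l2cap_conn_del (reordered)" };
	struct task kworker = { .comm = "kworker/0:1" };

	lockdep_reset();
	lockdep_acquire(&ioctl, CONN_LOCK);
	lockdep_release(&ioctl);
	lockdep_acquire(&ioctl, INFO_TIMER_WORK); /* cancel_work_sync() unlocked */
	lockdep_release(&ioctl);
	return run_info_timeout(&kworker);
}

int main(void)
{
	printf("reported ordering flagged: %s\n", replay_report() ? "yes" : "no");
	printf("reordered ioctl path flagged: %s\n", replay_reordered() ? "yes" : "no");
	return 0;
}
```

The point the replay makes is the one that matters when reading such a report: cancel_work_sync() (via __flush_work) counts as acquiring the work item's completion, so holding a mutex across it establishes mutex -> work_completion, and any work handler that later takes that mutex turns it into a cycle. Lockdep reports the cycle on the first run of the second path, whether or not the timeout and the close ever actually race.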