program: r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000440), 0x0, 0x0) r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0) r2 = openat$udambuf(0xffffffffffffff9c, &(0x7f0000000100), 0x2) ioctl$UDMABUF_CREATE_LIST(r2, 0x40087543, &(0x7f0000000340)=ANY=[@ANYBLOB="100092b5dd982119c3375f7a17214373d2a0ad7acb2cd262638c4713fe639685a039861ab98045de49ef8b2ef9eb11b42463a86f9ce4660602c50154b73af5466993268a72be9b982325494bf86e43f54d158a8871fafb6739db7de9b580791751973bad937d9818fced2b1af505864361d6520348c279113df94de6de76c6edb18a0b18e5f420dbe63e020e3a141ade86b957"]) ioctl$KVM_CAP_SPLIT_IRQCHIP(r1, 0x4068aea3, &(0x7f0000000680)) r3 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0) mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1000003, 0x13, r3, 0x0) write(0xffffffffffffffff, &(0x7f0000000000)='-\x00\x00', 0x3) ioctl$KVM_SET_REGS(r3, 0x4090ae82, &(0x7f00000000c0)={[0x1, 0x0, 0xfffffffffffffffd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x6], 0x1000, 0x8340}) newfstatat(0xffffffffffffff9c, &(0x7f0000000040)='./bus\x00', &(0x7f0000000280), 0x4000) syz_mount_image$ext4(&(0x7f00000004c0)='ext4\x00', &(0x7f00000000c0)='./bus\x00', 0x0, &(0x7f0000000080)={[{@nobarrier}, {@grpquota}]}, 0x2, 0x520, &(0x7f0000000700)="$eJzs3U+MG1cZAPBvZr2xk267KfTAn0JDKQQUxd512qjqhXBAFUKVED1ySJddZ7VaO47W3tJdctgcuSNRiROcOCIOSByQeuKOxAE4cSkHpAIRqIvEwWjGduL946yVrO10/ftJT34zz57vvR3Ne9a38kwAM+tSROxFxLmIeCciFnv7k16JG92Sve/j+3dX9+/fXU2i03n7n0nenu2Lgc9knukdsxQR33sz4gfJoaB/jGjt7G6u1Ou1rd6uSrtxp9La2b260VhZr63Xbler15evL71+7bXqqY31pcavPzofEb/77Rc+/MPe13+UdWuh1zY4jtPUHfr8gziZQkR8ZxzBpmCuN55zj/Phx/oQpymNiE9FxMv59b8Yc/nZPOjgafrGBHsHAIxDp7MYncXBbQDgrEvzHFiSlnu5gIVI03K5m8N7IS6k9WarfeVWc/v2WjdXdjHm01sb9dpSL1d4MeaTWxuF2nJe72/Xa9VD29ci4vmI+EnxfL5dXm3W16b5xQcAZtgzh9b//xS76z8AcMaVHlaL0+wHADA5pWl3AACYOOs/AMwe6z8AzB7rPwDMHus/AMwe6z8AzJTvvvVWVjr7vftfr727s73ZfPfqWq21WW5sr5ZXm1t3yuvN5np+z57GScerN5t3ll+N7fcq7VqrXWnt7N5sNLdvt2/m9/W+WZufyKgAgEd5/qUP/pxExN4b5/MSA/f7P3GtfnHcvQPGKZ12B4CpmZt2B4CpKUR8/vy0OwFMhXw8MPCI3nsDu0tHKoe9P9LhU88NhafP5c8+Qf4f+EST/4fZ9Xj5f9/l4SwoTLsDwNR0Ooln/gPAjJHjh1k22gww+P//pc7Axmj//wcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAzaSEvSVruPQt8IdK0XI54NiIuxnxya6NeW4qI5yLiT8X5Yra9PPJTQwCAp1P69yQisnJ58ZWFw63niv8t5q8R8cOfvf3T91ba7a3liHPJvx7sb7/f21+dRv8BgJP01+n+Ot738f27q/0yyf589M3uw0WzuPu90m0pRCF/LeW5hgv/TnrbXdn3lblTiL93LyI+c9z4kzw3crH35NPD8bPYz040fnogfpq3dV+zv8WnH7T85RR6BbPhg2z+uXHc9ZfGpfz1+Ou/lM9QT64//+0fmf/SB/Pf3JD579KhY31rWIxXf//tIzs7i922exGfK0Ts9w8+MP/04ydD4r8y4hj/+uIXXx7W1vl5xOU4bvzJgViVduNOpbWze3WjsbJeW6/drlavL19fev3aa9VKnqOu9DPVR/3jjSvPDYufjf/CkPilE8b/lRHH/4v/vfP9Lz0i/te+fPz5f+ER8bM18asjxl+58JvSsLYs/trB8feWtZPP/5UR43/4t921Ed8KAExAa2d3c6Ver22Nu5KOP0ReSSL2hr/nV6cbtPjLH785oXGNsxJPRzdUTqzcmFysac9MwLg9vOin3RMAAAAAAAAAAAAAAGCYJ/6pUCGONm1GxJZfFgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADB+/w8AAP//qajTdw==") syz_mount_image$fuse(0x0, &(0x7f0000000240)='./file1\x00', 0x0, 0x0, 0x0, 0x0, 0x0) mkdirat(0xffffffffffffff9c, &(0x7f00000001c0)='./bus\x00', 0x0) mount$overlay(0x0, &(0x7f0000000180)='./bus\x00', &(0x7f00000001c0), 0x0, &(0x7f0000000300)={[{@workdir={'workdir', 0x3d, './bus'}}, {@upperdir={'upperdir', 0x3d, './file0'}}, {@lowerdir={'lowerdir', 0x3d, './file1'}}]}) r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000000c0)='blkio.bfq.idle_time\x00', 0x275a, 0x0) ioctl$EXT4_IOC_MOVE_EXT(r4, 0x8004587d, &(0x7f0000000080)) r5 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0) connect$bt_l2cap(r5, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe) r6 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6) ioctl$sock_bt_hidp_HIDPCONNADD(r6, 0x400448c8, &(0x7f0000000280)={r5, r5, 0xc, 0x1, &(0x7f0000000340)='\x00', 0x9, 0x1, 0x457, 0x9, 0x9, 0x1, 0x1, 'syz1\x00'}) r7 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$sock_bt_hci(r7, 0x400448cb, 0x0) r8 = ioctl$KVM_CREATE_VM(r4, 0xae01, 0x0) setrlimit(0x1, &(0x7f0000000080)={0x3, 0x80000001}) add_key(&(0x7f0000000000)='big_key\x00', 0x0, &(0x7f0000000180)="a3", 0xfffff, 0xfffffffffffffffc) ioctl$KVM_CREATE_VCPU(r8, 0xae41, 0x1) ioctl$DMA_HEAP_IOCTL_ALLOC(r4, 0xc0184800, &(0x7f0000000200)={0xd42d, r8, 0x1}) ioctl$KVM_RUN(r3, 0xae80, 0x0) [ 85.895856][ T5310] Bluetooth: hci0: command tx timeout [ 86.067738][ T5331] loop0: detected capacity change from 0 to 512 [ 86.128595][ T5331] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000d40000 r/w without journal. Quota mode: writeback. [ 86.151031][ T5331] ext4 filesystem being mounted at /0/bus supports timestamps until 2038-01-19 (0x7fffffff) [ 86.172701][ T5331] Quota error (device loop0): do_check_range: Getting block 452984836 out of range 1-5 [ 86.176933][ T5331] Quota error (device loop0): qtree_read_dquot: Can't read quota structure for id 0 [ 86.195318][ T5331] EXT4-fs error (device loop0): ext4_acquire_dquot:6933: comm syz.0.0: Failed to acquire dquot type 0 [ 86.204639][ T5331] Quota error (device loop0): do_check_range: Getting block 452984836 out of range 1-5 [ 86.209186][ T5331] Quota error (device loop0): qtree_read_dquot: Can't read quota structure for id 0 [ 86.213969][ T5331] EXT4-fs error (device loop0): ext4_acquire_dquot:6933: comm syz.0.0: Failed to acquire dquot type 0 [ 86.225019][ T5331] Quota error (device loop0): do_check_range: Getting block 452984836 out of range 1-5 [ 86.237840][ T5331] Quota error (device loop0): qtree_read_dquot: Can't read quota structure for id 0 [ 86.242304][ T5331] EXT4-fs error (device loop0): ext4_acquire_dquot:6933: comm syz.0.0: Failed to acquire dquot type 0 [ 86.264172][ T9] hid-multitouch 0005:0457:0009.0002: unknown main item tag 0x0 [ 86.280539][ T9] hid-multitouch 0005:0457:0009.0002: hidraw1: BLUETOOTH HID v0.09 Device [syz1] on aa:aa:aa:aa:aa:aa [ 86.355112][ T5331] [ 86.356566][ T5331] ====================================================== [ 86.359678][ T5331] WARNING: possible circular locking dependency detected [ 86.362566][ T5331] 6.15.0-syzkaller-12426-ge271ed52b344 #0 Not tainted [ 86.365597][ T5331] ------------------------------------------------------ [ 86.368613][ T5331] syz.0.0/5331 is trying to acquire lock: [ 86.371347][ T5331] ffff88803f14f840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0 [ 86.377813][ T5331] [ 86.377813][ T5331] but task is already holding lock: [ 86.380962][ T5331] ffff88803f14fb38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680 [ 86.384939][ T5331] [ 86.384939][ T5331] which lock already depends on the new lock. [ 86.384939][ T5331] [ 86.389755][ T5331] [ 86.389755][ T5331] the existing dependency chain (in reverse order) is: [ 86.394212][ T5331] [ 86.394212][ T5331] -> #1 (&conn->lock#2){+.+.}-{4:4}: [ 86.397376][ T5331] lock_acquire+0x120/0x360 [ 86.399422][ T5331] __mutex_lock+0x182/0xe80 [ 86.401683][ T5331] l2cap_info_timeout+0x60/0xa0 [ 86.404297][ T5331] process_scheduled_works+0xae1/0x17b0 [ 86.407445][ T5331] worker_thread+0x8a0/0xda0 [ 86.409876][ T5331] kthread+0x70e/0x8a0 [ 86.411958][ T5331] ret_from_fork+0x3f9/0x770 [ 86.414093][ T5331] ret_from_fork_asm+0x1a/0x30 [ 86.416469][ T5331] [ 86.416469][ T5331] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}: [ 86.420914][ T5331] validate_chain+0xb9b/0x2140 [ 86.423611][ T5331] __lock_acquire+0xab9/0xd20 [ 86.426267][ T5331] lock_acquire+0x120/0x360 [ 86.428509][ T5331] __flush_work+0x6b8/0xbc0 [ 86.430740][ T5331] __cancel_work_sync+0xbe/0x110 [ 86.433369][ T5331] l2cap_conn_del+0x4f0/0x680 [ 86.436128][ T5331] hci_conn_hash_flush+0x10a/0x230 [ 86.438888][ T5331] hci_dev_reset+0x3e0/0x5c0 [ 86.441198][ T5331] sock_do_ioctl+0xd9/0x300 [ 86.443371][ T5331] sock_ioctl+0x576/0x790 [ 86.445721][ T5331] __se_sys_ioctl+0xfc/0x170 [ 86.448049][ T5331] do_syscall_64+0xfa/0x3b0 [ 86.450074][ T5331] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.452824][ T5331] [ 86.452824][ T5331] other info that might help us debug this: [ 86.452824][ T5331] [ 86.457497][ T5331] Possible unsafe locking scenario: [ 86.457497][ T5331] [ 86.460717][ T5331] CPU0 CPU1 [ 86.463261][ T5331] ---- ---- [ 86.465930][ T5331] lock(&conn->lock#2); [ 86.467811][ T5331] lock((work_completion)(&(&conn->info_timer)->work)); [ 86.471926][ T5331] lock(&conn->lock#2); [ 86.475344][ T5331] lock((work_completion)(&(&conn->info_timer)->work)); [ 86.478950][ T5331] [ 86.478950][ T5331] *** DEADLOCK *** [ 86.478950][ T5331] [ 86.482455][ T5331] 5 locks held by syz.0.0/5331: [ 86.484556][ T5331] #0: ffff888036018d80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_reset+0x139/0x5c0 [ 86.488670][ T5331] #1: ffff888036018078 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_reset+0x1c9/0x5c0 [ 86.493001][ T5331] #2: ffffffff8f677668 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x230 [ 86.497965][ T5331] #3: ffff88803f14fb38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680 [ 86.502019][ T5331] #4: ffffffff8e13f060 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0 [ 86.506156][ T5331] [ 86.506156][ T5331] stack backtrace: [ 86.508688][ T5331] CPU: 0 UID: 0 PID: 5331 Comm: syz.0.0 Not tainted 6.15.0-syzkaller-12426-ge271ed52b344 #0 PREEMPT(full) [ 86.508703][ T5331] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 86.508710][ T5331] Call Trace: [ 86.508717][ T5331] [ 86.508723][ T5331] dump_stack_lvl+0x189/0x250 [ 86.508743][ T5331] ? __pfx_dump_stack_lvl+0x10/0x10 [ 86.508758][ T5331] ? __pfx__printk+0x10/0x10 [ 86.508768][ T5331] ? print_lock_name+0xde/0x100 [ 86.508779][ T5331] print_circular_bug+0x2ee/0x310 [ 86.508790][ T5331] check_noncircular+0x134/0x160 [ 86.508802][ T5331] validate_chain+0xb9b/0x2140 [ 86.508811][ T5331] ? do_raw_spin_lock+0x121/0x290 [ 86.508823][ T5331] ? look_up_lock_class+0x74/0x170 [ 86.508834][ T5331] ? register_lock_class+0x51/0x320 [ 86.508847][ T5331] __lock_acquire+0xab9/0xd20 [ 86.508858][ T5331] ? __flush_work+0xd2/0xbc0 [ 86.508869][ T5331] lock_acquire+0x120/0x360 [ 86.508884][ T5331] ? __flush_work+0xd2/0xbc0 [ 86.508896][ T5331] ? _raw_spin_unlock_irq+0x23/0x50 [ 86.508911][ T5331] ? __flush_work+0xd2/0xbc0 [ 86.508923][ T5331] __flush_work+0x6b8/0xbc0 [ 86.508932][ T5331] ? __flush_work+0xd2/0xbc0 [ 86.508942][ T5331] ? __flush_work+0xd2/0xbc0 [ 86.508952][ T5331] ? __pfx___flush_work+0x10/0x10 [ 86.508966][ T5331] ? __pfx_wq_barrier_func+0x10/0x10 [ 86.508986][ T5331] ? __pfx___cancel_work+0x10/0x10 [ 86.509001][ T5331] __cancel_work_sync+0xbe/0x110 [ 86.509014][ T5331] l2cap_conn_del+0x4f0/0x680 [ 86.509025][ T5331] ? __pfx_l2cap_disconn_cfm+0x10/0x10 [ 86.509033][ T5331] hci_conn_hash_flush+0x10a/0x230 [ 86.509043][ T5331] hci_dev_reset+0x3e0/0x5c0 [ 86.509052][ T5331] sock_do_ioctl+0xd9/0x300 [ 86.509065][ T5331] ? __pfx_sock_do_ioctl+0x10/0x10 [ 86.509074][ T5331] ? __lock_acquire+0xab9/0xd20 [ 86.509086][ T5331] sock_ioctl+0x576/0x790 [ 86.509097][ T5331] ? __pfx_sock_ioctl+0x10/0x10 [ 86.509114][ T5331] ? __fget_files+0x2a/0x420 [ 86.509125][ T5331] ? __fget_files+0x3a0/0x420 [ 86.509136][ T5331] ? __fget_files+0x2a/0x420 [ 86.509148][ T5331] ? bpf_lsm_file_ioctl+0x9/0x20 [ 86.509180][ T5331] ? __pfx_sock_ioctl+0x10/0x10 [ 86.509191][ T5331] __se_sys_ioctl+0xfc/0x170 [ 86.509206][ T5331] do_syscall_64+0xfa/0x3b0 [ 86.509220][ T5331] ? lockdep_hardirqs_on+0x9c/0x150 [ 86.509232][ T5331] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.509242][ T5331] ? clear_bhb_loop+0x60/0xb0 [ 86.509252][ T5331] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.509262][ T5331] RIP: 0033:0x7f136f38e929 [ 86.509273][ T5331] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 86.509280][ T5331] RSP: 002b:00007f137013f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 86.509292][ T5331] RAX: ffffffffffffffda RBX: 00007f136f5b5fa0 RCX: 00007f136f38e929 [ 86.509302][ T5331] RDX: 0000000000000000 RSI: 00000000400448cb RDI: 000000000000000b [ 86.509310][ T5331] RBP: 00007f136f410b39 R08: 0000000000000000 R09: 0000000000000000 [ 86.509317][ T5331] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 86.509324][ T5331] R13: 0000000000000000 R14: 00007f136f5b5fa0 R15: 00007fff8ebc25b8 [ 86.509336][ T5331] [ 86.668662][ T5342] fido_id[5342]: Failed to open report descriptor at '/sys/devices/virtual/bluetooth/hci0/hci0:200/report_descriptor': No such file or directory [ 91.685857][ T10] cfg80211: failed to load regulatory.db