program: r0 = socket$netlink(0x10, 0x3, 0xc) bind$netlink(r0, &(0x7f0000514ff4)={0x10, 0x0, 0x0, 0x2ffffffff}, 0xc) setsockopt$netlink_NETLINK_BROADCAST_ERROR(r0, 0x10e, 0x4, &(0x7f0000000140)=0x6, 0x4) setsockopt$sock_int(r0, 0x1, 0x8, &(0x7f0000000200), 0x4) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r1, 0x400448ca, 0x0) bind$bt_hci(r1, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6) r2 = openat$rfkill(0xffffffffffffff9c, &(0x7f0000000080), 0x602, 0x0) setsockopt$bt_hci_HCI_DATA_DIR(r1, 0x0, 0x1, &(0x7f0000000000)=0xffffffff, 0x4) write$rfkill(r2, &(0x7f0000000300)={0x0, 0x2, 0x3, 0x1}, 0x8) r3 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPCTNL_MSG_CT_NEW(r3, &(0x7f0000000080)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f00000001c0)=ANY=[@ANYBLOB="980000000001010400000000000000000a0000003c0001802c00018014000300fe8000000000000000000000000000aa14000400ff0100000000000000000000000000010c00028005000100000000003c0002802c00018014000300fe8000000000000000000000000000aa14000400fe8800000000000000000000000000010c0002800500010000000000080007"], 0x98}}, 0x0) r4 = socket$nl_netfilter(0x10, 0x3, 0xc) r5 = socket$phonet_pipe(0x23, 0x5, 0x2) capset(&(0x7f0000000000)={0x20080522}, &(0x7f0000000280)={0x0, 0x0, 0x0, 0x81, 0xffffffff}) setsockopt$PNPIPE_ENCAP(r5, 0x113, 0x1, &(0x7f00000002c0)=0x1, 0x4) sendmsg$IPCTNL_MSG_CT_NEW(r4, &(0x7f0000000080)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000002800)={0x94, 0x0, 0x1, 0x401, 0x0, 0x0, {0xa}, [@CTA_TUPLE_ORIG={0x3c, 0x1, 0x0, 0x1, [@CTA_TUPLE_IP={0x2c, 0x1, 0x0, 0x1, @ipv6={{0x14, 0x3, @empty}, {0x14, 0x4, @ipv4={'\x00', '\xff\xff', @initdev={0xac, 0x1e, 0x0, 0x0}}}}}, @CTA_TUPLE_PROTO={0xc, 0x2, 0x0, 0x1, {0x5}}]}, @CTA_TUPLE_REPLY={0x3c, 0x2, 0x0, 0x1, [@CTA_TUPLE_IP={0x2c, 0x1, 0x0, 0x1, @ipv6={{0x14, 0x3, @loopback}, {0x14, 0x4, @local}}}, @CTA_TUPLE_PROTO={0xc, 0x2, 0x0, 0x1, {0x5}}]}, @CTA_TIMEOUT={0x8}]}, 0x94}, 0x1, 0x0, 0x0, 0x4}, 0x0) sendmsg$IPCTNL_MSG_CT_DELETE(r4, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000300)={0x14, 0x2, 0x1, 0x101, 0x0, 0x0, {0x0, 0x0, 0x2}}, 0x14}, 0x1, 0x0, 0x0, 0x8094}, 0x4) [ 86.429038][ T4685] Bluetooth: hci0: command tx timeout [ 86.540710][ T5338] [ 86.541921][ T5338] ====================================================== [ 86.545032][ T5338] WARNING: possible circular locking dependency detected [ 86.548202][ T5338] 6.16.0-rc5-syzkaller #0 Not tainted [ 86.550647][ T5338] ------------------------------------------------------ [ 86.553842][ T5338] kworker/0:5/5338 is trying to acquire lock: [ 86.556571][ T5338] ffff888035967b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0 [ 86.560798][ T5338] [ 86.560798][ T5338] but task is already holding lock: [ 86.564372][ T5338] ffffc9000d4c7bc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0 [ 86.569458][ T5338] [ 86.569458][ T5338] which lock already depends on the new lock. [ 86.569458][ T5338] [ 86.573898][ T5338] [ 86.573898][ T5338] the existing dependency chain (in reverse order) is: [ 86.578455][ T5338] [ 86.578455][ T5338] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}: [ 86.583121][ T5338] lock_acquire+0x120/0x360 [ 86.585528][ T5338] __flush_work+0x6b8/0xbc0 [ 86.587832][ T5338] __cancel_work_sync+0xbe/0x110 [ 86.590238][ T5338] l2cap_conn_del+0x4f0/0x680 [ 86.592530][ T5338] hci_conn_hash_flush+0x10a/0x230 [ 86.594985][ T5338] hci_dev_close_sync+0xaef/0x1330 [ 86.597508][ T5338] hci_dev_close+0x108/0x200 [ 86.599632][ T5338] sock_do_ioctl+0xdc/0x300 [ 86.601797][ T5338] sock_ioctl+0x576/0x790 [ 86.604013][ T5338] __se_sys_ioctl+0xf9/0x170 [ 86.606941][ T5338] do_syscall_64+0xfa/0x3b0 [ 86.609455][ T5338] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.612283][ T5338] [ 86.612283][ T5338] -> #0 (&conn->lock#2){+.+.}-{4:4}: [ 86.615233][ T5338] validate_chain+0xb9b/0x2140 [ 86.617140][ T5338] __lock_acquire+0xab9/0xd20 [ 86.619355][ T5338] lock_acquire+0x120/0x360 [ 86.621418][ T5338] __mutex_lock+0x182/0xe80 [ 86.623528][ T5338] l2cap_info_timeout+0x60/0xa0 [ 86.625910][ T5338] process_scheduled_works+0xae1/0x17b0 [ 86.628666][ T5338] worker_thread+0x8a0/0xda0 [ 86.630934][ T5338] kthread+0x70e/0x8a0 [ 86.632847][ T5338] ret_from_fork+0x3fc/0x770 [ 86.635028][ T5338] ret_from_fork_asm+0x1a/0x30 [ 86.637510][ T5338] [ 86.637510][ T5338] other info that might help us debug this: [ 86.637510][ T5338] [ 86.641874][ T5338] Possible unsafe locking scenario: [ 86.641874][ T5338] [ 86.644847][ T5338] CPU0 CPU1 [ 86.647167][ T5338] ---- ---- [ 86.649461][ T5338] lock((work_completion)(&(&conn->info_timer)->work)); [ 86.652283][ T5338] lock(&conn->lock#2); [ 86.655050][ T5338] lock((work_completion)(&(&conn->info_timer)->work)); [ 86.658974][ T5338] lock(&conn->lock#2); [ 86.660527][ T5338] [ 86.660527][ T5338] *** DEADLOCK *** [ 86.660527][ T5338] [ 86.663768][ T5338] 2 locks held by kworker/0:5/5338: [ 86.666160][ T5338] #0: ffff88801a474d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0 [ 86.671132][ T5338] #1: ffffc9000d4c7bc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0 [ 86.676808][ T5338] [ 86.676808][ T5338] stack backtrace: [ 86.679341][ T5338] CPU: 0 UID: 0 PID: 5338 Comm: kworker/0:5 Not tainted 6.16.0-rc5-syzkaller #0 PREEMPT(full) [ 86.679358][ T5338] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 86.679367][ T5338] Workqueue: events l2cap_info_timeout [ 86.679386][ T5338] Call Trace: [ 86.679392][ T5338] [ 86.679398][ T5338] dump_stack_lvl+0x189/0x250 [ 86.679414][ T5338] ? __pfx_dump_stack_lvl+0x10/0x10 [ 86.679426][ T5338] ? __pfx__printk+0x10/0x10 [ 86.679440][ T5338] ? print_lock_name+0xde/0x100 [ 86.679456][ T5338] print_circular_bug+0x2ee/0x310 [ 86.679471][ T5338] check_noncircular+0x134/0x160 [ 86.679487][ T5338] validate_chain+0xb9b/0x2140 [ 86.679501][ T5338] ? ret_from_fork_asm+0x1a/0x30 [ 86.679518][ T5338] __lock_acquire+0xab9/0xd20 [ 86.679529][ T5338] ? l2cap_info_timeout+0x60/0xa0 [ 86.679541][ T5338] lock_acquire+0x120/0x360 [ 86.679551][ T5338] ? l2cap_info_timeout+0x60/0xa0 [ 86.679564][ T5338] __mutex_lock+0x182/0xe80 [ 86.679576][ T5338] ? l2cap_info_timeout+0x60/0xa0 [ 86.679587][ T5338] ? irqentry_exit+0x74/0x90 [ 86.679596][ T5338] ? lockdep_hardirqs_on+0x9c/0x150 [ 86.679612][ T5338] ? l2cap_info_timeout+0x60/0xa0 [ 86.679624][ T5338] ? __pfx___mutex_lock+0x10/0x10 [ 86.679638][ T5338] l2cap_info_timeout+0x60/0xa0 [ 86.679649][ T5338] ? process_scheduled_works+0x9ef/0x17b0 [ 86.679661][ T5338] process_scheduled_works+0xae1/0x17b0 [ 86.679679][ T5338] ? __pfx_process_scheduled_works+0x10/0x10 [ 86.679693][ T5338] worker_thread+0x8a0/0xda0 [ 86.679708][ T5338] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 86.679723][ T5338] ? __kthread_parkme+0x7b/0x200 [ 86.679738][ T5338] kthread+0x70e/0x8a0 [ 86.679753][ T5338] ? __pfx_worker_thread+0x10/0x10 [ 86.679765][ T5338] ? __pfx_kthread+0x10/0x10 [ 86.679779][ T5338] ? _raw_spin_unlock_irq+0x23/0x50 [ 86.679791][ T5338] ? lockdep_hardirqs_on+0x9c/0x150 [ 86.679807][ T5338] ? __pfx_kthread+0x10/0x10 [ 86.679820][ T5338] ret_from_fork+0x3fc/0x770 [ 86.679834][ T5338] ? __pfx_ret_from_fork+0x10/0x10 [ 86.679845][ T5338] ? __pfx_kthread+0x10/0x10 [ 86.679858][ T5338] ret_from_fork_asm+0x1a/0x30 [ 86.679876][ T5338] [ 86.896523][ T5350] netlink: 4 bytes leftover after parsing attributes in process `syz.0.0'. [ 88.488499][ T5319] Bluetooth: hci0: command tx timeout [ 90.569029][ T5319] Bluetooth: hci0: command tx timeout [ 91.612939][ T54] cfg80211: failed to load regulatory.db [ 92.648665][ T5319] Bluetooth: hci0: command tx timeout