program:
# Reviewer annotations.  Only full-line '#' comments were added (the syzlang
# parser skips those); the call sequence and every argument are untouched, the
# original one-line dump was merely re-broken into one call per line.
#
# What this reproducer does, cross-checked against the kernel log that follows:
#   1. r0: L2CAP SOCK_STREAM socket (AF_BLUETOOTH=0x1f, BTPROTO_L2CAP=0) in the
#      init netns, connected to a fixed peer bdaddr with psm 0 / cid 0x7ff.
#      This is the connection whose l2cap_conn the splat tears down.
#   2. r1: raw HIDP socket (BTPROTO_HIDP=6); HIDPCONNADD (_IOW('H',200,int) ==
#      0x400448c8) with ctrl_sock == intr_sock == r0, a 1-byte all-zero report
#      descriptor, vendor 0x457 / product 0x9 / version 0x9, name "syz1".  The
#      log confirms it: "hid-multitouch 0005:0457:0009.0002: unknown main item
#      tag 0x0" and "BLUETOOTH HID v0.09 Device [syz1] on aa:aa:aa:aa:aa:aa".
#   3. r4: raw HCI socket (BTPROTO_HCI=1); HCIDEVDOWN (_IOW('H',202,int) ==
#      0x400448ca, also visible as RSI in the register dump) for dev_id 0,
#      i.e. hci0 (RDX is 0).  That is the syscall on the lockdep stack:
#      hci_dev_close -> hci_dev_close_sync -> hci_conn_hash_flush ->
#      l2cap_conn_del -> __cancel_work_sync -> __flush_work.
#
# The reported inversion:
#   l2cap_conn_del      holds conn->lock (#3 in the "5 locks held" list) and
#                       then waits for conn->info_timer's work to complete;
#   l2cap_info_timeout  (the work body, chain entry "-> #1") takes conn->lock.
# If that work is already running when HCIDEVDOWN arrives, the closing task
# sleeps on the work completion while also holding hdev->req_lock, hdev->lock
# and hci_cb_list_lock (#0-#2), so every later HCI operation on the host queues
# behind it: a local denial of service of the Bluetooth stack.  This run only
# produced the lockdep warning, not an actual hang.  Any fix has to break one
# side of the pair (e.g. not flush the info_timer work while conn->lock is
# held); the reproducer itself cannot show which side upstream chooses.
#
# Privilege: HCIDEVDOWN and HIDPCONNADD presumably require CAP_NET_ADMIN
# (verify against hci_sock_ioctl()/hidp_sock_ioctl()); syzkaller runs as root,
# so this is not evidence of an unprivileged trigger.
#
# The perf_event_open/bpf/sctp/cgroup/btrfs/audit/syz_emit_ethernet/procfs
# calls look like fuzzer noise: none of them appears in the lockdep chain.
# "(async)" is syzkaller's annotation for a call issued without waiting for
# its completion.

# --- L2CAP connection to the emulated peer (the conn torn down later) ---
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe)

# --- HIDP control socket; the HIDPCONNADD further down binds a HID session to r0 ---
r1 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6) (async)

# --- perf/bpf/sctp churn, not part of the reported chain ---
perf_event_open(0x0, 0xffffffffffffffff, 0x0, 0xffffffffffffffff, 0x0) (async)
bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, 0x0, 0x0) (async)
bpf$MAP_CREATE(0x0, 0x0, 0x48) (async)
perf_event_open(&(0x7f0000000480)={0x1, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5d31, 0x482, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) (async)
bpf$MAP_CREATE(0x100000000000000, 0x0, 0x0) (async)
r2 = socket$inet6_sctp(0xa, 0x5, 0x84)
setsockopt$inet_sctp6_SCTP_SOCKOPT_CONNECTX(r2, 0x84, 0x6e, 0x0, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0) (async)
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0xd, 0x4, &(0x7f0000000040)=@framed={{0xffffffb4, 0x0, 0x0, 0x0, 0x0, 0x61, 0x11, 0x98}, [@ldst={0x6, 0x0, 0x6, 0x0, 0x0, 0x0, 0x102}]}, &(0x7f0000003ff6)='GPL\x00', 0x5, 0xfd90, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @sock_ops}, 0x48) (async)

# --- HID session on top of r0 (both ctrl and intr); creates hid-multitouch 0005:0457:0009 ---
ioctl$sock_bt_hidp_HIDPCONNADD(r1, 0x400448c8, &(0x7f0000000280)={r0, r0, 0xc, 0x1, &(0x7f0000000340)='\x00', 0x9, 0x1, 0x457, 0x9, 0x9, 0x1, 0x1, 'syz1\x00'})

# --- cgroup file, mmap, btrfs ioctl, audit netlink message: not in the chain ---
r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000000)='memory.events.local\x00', 0x275a, 0x0)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1, 0x10012, r3, 0x0) (async)
ioctl$BTRFS_IOC_START_SYNC(r3, 0x80089418, &(0x7f0000000100))
sendmsg$AUDIT_USER(r3, &(0x7f0000000240)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x10000}, 0xc, &(0x7f0000000100)={&(0x7f0000000380)={0xc8, 0x3ed, 0x7e4c4f15baf0e080, 0x70bd2c, 0x25dfdbff, "4764f61e936aa670436fe0bd31bae310b51dfa430d8e4864f77abb28a316f3eeeddb9cc39604cbec427ebaa977f3e41e8003beb6e156b566bb1e894235745eb6b2ac59dc28a9567fae8da400bf3e5066b01e84ef0e0867fe17f5622286f51ea2a2d08b17c16240ed41e470606abc3846a8e0bc7471d2c1ab694f47aced5ec4f6aa433b1856b79676c5f54e27621cb2900337fbb4968c2d857425b916c18d307d6852ffb439d79d150906559a3c311c782eaf3751e66b4b0b", [""]}, 0xc8}, 0x1, 0x0, 0x0, 0x48440}, 0x20000000)

# --- raw HCI socket; the HCIDEVDOWN at the end is issued on it ---
r4 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)

# --- raw IPv6 router-advertisement frame and a procfs read: not in the chain ---
syz_emit_ethernet(0xa6, &(0x7f0000000000)={@broadcast, @remote, @void, {@ipv6={0x86dd, @icmpv6={0x0, 0x6, "120008", 0x70, 0x3a, 0xff, @remote, @mcast2, {[], @ndisc_ra={0x86, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, [{0x0, 0xa, "a78ce54006598080a8030037004023493b87aafaffffffffffffff23732472eefa45ad96579269748e254c1e4a8a8b3f0ab0c430d3be27df3e34066d42ca0a5c15b37adac15084dbaf736b41e5af1802"}, {0x0, 0x1, "ffffffffff60000000000000"}]}}}}}}, 0x0)
r5 = syz_open_procfs(0x0, &(0x7f0000000200)='net/ipv6_route\x00')
pread64(r5, &(0x7f0000000140)=""/170, 0xaa, 0x20000000000004)

# --- HCIDEVDOWN on hci0: hci_dev_close -> ... -> l2cap_conn_del, the lockdep trigger ---
ioctl$sock_bt_hci(r4, 0x400448ca, 0x0)

# --- kernel log captured alongside the program (not part of the reproducer) ---
[ 84.371329][ T5304] Bluetooth: hci0: command tx timeout
[ 84.552311][ T787] hid-multitouch 0005:0457:0009.0002: unknown main item tag 0x0
[ 84.575599][ T787] hid-multitouch 0005:0457:0009.0002: hidraw1: BLUETOOTH HID v0.09 Device [syz1] on aa:aa:aa:aa:aa:aa
[ 84.619810][ T5330]
[ 84.620982][ T5330] ======================================================
[ 84.624126][ T5330] WARNING: possible circular locking dependency detected
[ 84.627348][ T5330] syzkaller #0 Not tainted
[ 84.629408][ T5330] ------------------------------------------------------
[ 84.632564][ T5330] syz.0.0/5330 is trying to acquire lock:
[ 84.635033][ T5330] ffff88804312b840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0x100/0xc50
[ 84.640351][ T5330]
[ 84.640351][ T5330] but task is already holding lock:
[ 84.643655][ T5330] ffff88804312bb38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0
[ 
84.647632][ T5330] [ 84.647632][ T5330] which lock already depends on the new lock. [ 84.647632][ T5330] [ 84.652061][ T5330] [ 84.652061][ T5330] the existing dependency chain (in reverse order) is: [ 84.656113][ T5330] [ 84.656113][ T5330] -> #1 (&conn->lock#2){+.+.}-{4:4}: [ 84.659504][ T5330] __mutex_lock+0x19f/0x1300 [ 84.661831][ T5330] l2cap_info_timeout+0x60/0xa0 [ 84.664200][ T5330] process_scheduled_works+0xaec/0x17a0 [ 84.666977][ T5330] worker_thread+0xda6/0x1360 [ 84.669320][ T5330] kthread+0x388/0x470 [ 84.671304][ T5330] ret_from_fork+0x51e/0xb90 [ 84.673618][ T5330] ret_from_fork_asm+0x1a/0x30 [ 84.676011][ T5330] [ 84.676011][ T5330] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}: [ 84.680398][ T5330] __lock_acquire+0x15a5/0x2cf0 [ 84.682811][ T5330] lock_acquire+0x106/0x330 [ 84.685066][ T5330] __flush_work+0x700/0xc50 [ 84.687334][ T5330] __cancel_work_sync+0xbe/0x110 [ 84.689729][ T5330] l2cap_conn_del+0x402/0x5b0 [ 84.692087][ T5330] hci_conn_hash_flush+0x10d/0x260 [ 84.694536][ T5330] hci_dev_close_sync+0x821/0x10e0 [ 84.696993][ T5330] hci_dev_close+0x108/0x260 [ 84.699143][ T5330] sock_do_ioctl+0x101/0x320 [ 84.701443][ T5330] sock_ioctl+0x5c6/0x7f0 [ 84.703530][ T5330] __se_sys_ioctl+0xfc/0x170 [ 84.706309][ T5330] do_syscall_64+0x14d/0xf80 [ 84.708724][ T5330] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.711216][ T5330] [ 84.711216][ T5330] other info that might help us debug this: [ 84.711216][ T5330] [ 84.715137][ T5330] Possible unsafe locking scenario: [ 84.715137][ T5330] [ 84.718089][ T5330] CPU0 CPU1 [ 84.720212][ T5330] ---- ---- [ 84.722317][ T5330] lock(&conn->lock#2); [ 84.724142][ T5330] lock((work_completion)(&(&conn->info_timer)->work)); [ 84.728180][ T5330] lock(&conn->lock#2); [ 84.730959][ T5330] lock((work_completion)(&(&conn->info_timer)->work)); [ 84.733998][ T5330] [ 84.733998][ T5330] *** DEADLOCK *** [ 84.733998][ T5330] [ 84.737457][ T5330] 5 locks held by syz.0.0/5330: [ 84.739582][ T5330] #0: 
ffff888042078ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x260 [ 84.744454][ T5330] #1: ffff8880420780c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0x10e0 [ 84.749222][ T5330] #2: ffffffff8fd4caa8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x260 [ 84.753598][ T5330] #3: ffff88804312bb38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0 [ 84.757626][ T5330] #4: ffffffff8e75df20 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x100/0xc50 [ 84.761683][ T5330] [ 84.761683][ T5330] stack backtrace: [ 84.764260][ T5330] CPU: 0 UID: 0 PID: 5330 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 84.764275][ T5330] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 84.764282][ T5330] Call Trace: [ 84.764291][ T5330] [ 84.764347][ T5330] dump_stack_lvl+0xe8/0x150 [ 84.764389][ T5330] print_circular_bug+0x2e1/0x300 [ 84.764408][ T5330] check_noncircular+0x12e/0x150 [ 84.764421][ T5330] __lock_acquire+0x15a5/0x2cf0 [ 84.764434][ T5330] ? do_raw_spin_lock+0x12b/0x2f0 [ 84.764488][ T5330] ? irqentry_exit+0x59e/0x620 [ 84.764503][ T5330] ? lockdep_hardirqs_on+0x7a/0x110 [ 84.764516][ T5330] ? irqentry_exit+0x59e/0x620 [ 84.764529][ T5330] ? __flush_work+0x100/0xc50 [ 84.764543][ T5330] lock_acquire+0x106/0x330 [ 84.764553][ T5330] ? __flush_work+0x100/0xc50 [ 84.764568][ T5330] ? __flush_work+0x100/0xc50 [ 84.764580][ T5330] __flush_work+0x700/0xc50 [ 84.764592][ T5330] ? __flush_work+0x100/0xc50 [ 84.764604][ T5330] ? __flush_work+0x100/0xc50 [ 84.764615][ T5330] ? __pfx___flush_work+0x10/0x10 [ 84.764627][ T5330] ? __pfx_wq_barrier_func+0x10/0x10 [ 84.764644][ T5330] ? __cancel_work_sync+0x5c/0x110 [ 84.764658][ T5330] __cancel_work_sync+0xbe/0x110 [ 84.764671][ T5330] l2cap_conn_del+0x402/0x5b0 [ 84.764688][ T5330] ? __pfx_l2cap_disconn_cfm+0x10/0x10 [ 84.764702][ T5330] hci_conn_hash_flush+0x10d/0x260 [ 84.764727][ T5330] hci_dev_close_sync+0x821/0x10e0 [ 84.764743][ T5330] ? 
__pfx_hci_dev_close_sync+0x10/0x10 [ 84.764757][ T5330] ? lockdep_hardirqs_on+0x7a/0x110 [ 84.764770][ T5330] ? enable_work+0x1fd/0x230 [ 84.764784][ T5330] hci_dev_close+0x108/0x260 [ 84.764799][ T5330] sock_do_ioctl+0x101/0x320 [ 84.764812][ T5330] ? __pfx_sock_do_ioctl+0x10/0x10 [ 84.764823][ T5330] ? do_futex+0x333/0x420 [ 84.764861][ T5330] sock_ioctl+0x5c6/0x7f0 [ 84.764873][ T5330] ? __pfx_sock_ioctl+0x10/0x10 [ 84.764885][ T5330] ? __fget_files+0x2a/0x420 [ 84.764904][ T5330] ? __fget_files+0x3a0/0x420 [ 84.764918][ T5330] ? __fget_files+0x2a/0x420 [ 84.764935][ T5330] ? bpf_lsm_file_ioctl+0x9/0x20 [ 84.764950][ T5330] ? __pfx_sock_ioctl+0x10/0x10 [ 84.764962][ T5330] __se_sys_ioctl+0xfc/0x170 [ 84.764975][ T5330] do_syscall_64+0x14d/0xf80 [ 84.764990][ T5330] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.765001][ T5330] ? trace_irq_disable+0x37/0x100 [ 84.765015][ T5330] ? clear_bhb_loop+0x40/0x90 [ 84.765027][ T5330] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.765038][ T5330] RIP: 0033:0x7f80b4f9bf79 [ 84.765050][ T5330] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 84.765060][ T5330] RSP: 002b:00007f80b13f5028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 84.765102][ T5330] RAX: ffffffffffffffda RBX: 00007f80b5215fa0 RCX: 00007f80b4f9bf79 [ 84.765110][ T5330] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 000000000000000a [ 84.765117][ T5330] RBP: 00007f80b50327e0 R08: 0000000000000000 R09: 0000000000000000 [ 84.765124][ T5330] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 84.765131][ T5330] R13: 00007f80b5216038 R14: 00007f80b5215fa0 R15: 00007fff91932348 [ 84.765142][ T5330] [ 84.945454][ T5334] fido_id[5334]: Failed to open report descriptor at '/sys/devices/virtual/bluetooth/hci0/hci0:200/report_descriptor': No such file or directory [ 86.450714][ T4669] Bluetooth: 
hci0: command tx timeout [ 88.531139][ T4669] Bluetooth: hci0: command tx timeout [ 90.610527][ T4669] Bluetooth: hci0: command tx timeout