program:
# Syzkaller program captured together with the kernel console log that follows it.
# The calls are listed one per line here; arguments are unchanged.
#
# NOTE(review): the lockdep report in the log is raised in task syz.0.0/5318 inside an
# ioctl (ORIG_RAX 0x10) whose request value in RSI is 0x400448ca. That matches the
# ioctl$sock_bt_hci call on r8 that comes directly after this run of calls.
# The report's two chains are:
#   l2cap_conn_del holds conn->lock, then __cancel_work_sync -> __flush_work on info_timer
#   l2cap_info_timeout (workqueue) takes conn->lock
# Most of the calls below touch other subsystems (cgroup, USB, PTP, loop, xfrm) and do not
# appear in either chain.

# Create and remove ./file0 through a ./cgroup/.. path; r0 is the cgroup root handle.
mkdir(&(0x7f0000000000)='./cgroup/../file0\x00', 0x0)
r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0)
rmdir(&(0x7f0000000700)='./cgroup/../file0\x00')
# Emulated USB device. The descriptor bytes decode to the values the log prints for
# "usb 5-1 ... device number 2": ep0 maxpacket 8, idVendor=0a07, idProduct=0064, bcdDevice=40.6e.
syz_usb_connect(0x0, 0x36, &(0x7f00000000c0)=ANY=[@ANYBLOB="1a0100005c6b4408070a64006e40010203030902"], 0x0)
# BPF program query against the cgroup handle r0.
bpf$BPF_PROG_QUERY(0x10, &(0x7f0000000080)={@cgroup=r0, 0xd, 0x1, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x40)
# r1 is the xfrm netlink socket used by the sendmsg$nl_xfrm call after this run.
r1 = socket$nl_xfrm(0x10, 0x3, 0x6)
# PTP clock device: open, duplicate the fd, issue an ioctl with a null argument.
r2 = openat$ptp0(0xffffffffffffff9c, &(0x7f0000000000), 0x80000, 0x0)
r3 = dup(r2)
ioctl$PTP_EXTTS_REQUEST2(r3, 0x43403d05, 0x0)
# L2CAP socket connected to a fixed peer address.
# NOTE(review): the conn->lock and info_timer named in the report belong to an L2CAP
# connection, presumably the one created here. Confirm against the kernel source.
r4 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r4, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe)
# HIDP session request with r4 in both leading fields. The log line
# "input: Bluetooth HID Boot Protocol Device ..." is printed by T5318, the same task
# that later triggers the lockdep report.
r5 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6)
ioctl$sock_bt_hidp_HIDPCONNADD(r5, 0x400448c8, &(0x7f0000000280)={r4, r4, 0xc, 0x0, 0x0, 0x9, 0x1, 0x457, 0x9, 0x9, 0x1, 0x1, 'syz1\x00'})
# Return values of the next two sockets are not kept in an r-variable.
socket$nl_generic(0x10, 0x3, 0x10)
syz_init_net_socket$bt_hci(0x1f, 0x3, 0x5)
# Closes descriptor 4 by literal number rather than through an r-variable.
close(0x4)
syz_open_procfs$namespace(0x0, &(0x7f0000000040)='ns/cgroup\x00')
# Partition-table image for the loop device (log: "loop0: detected capacity change from 0 to 2048").
# The image bytes were stripped from this copy and only a placeholder remains, so this
# call cannot be replayed as shown.
syz_read_part_table(0x5e8, &(0x7f0000006180)="$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")
# ./bus is created, used as a mount target for /dev/loop0, reopened, and passed to BLKROSET.
open(&(0x7f0000000200)='./bus\x00', 0x14507e, 0x0)
mount(&(0x7f0000000380)=@loop={'/dev/loop', 0x0}, &(0x7f0000000140)='./bus\x00', 0x0, 0x1000, 0x0)
r6 = open(&(0x7f0000000200)='./bus\x00', 0x0, 0x0)
ioctl$BLKROSET(r6, 0x125d, &(0x7f0000000080)=0x3f)
# Mount attempt with filesystem type string 'efs' on ./file1.
mount(&(0x7f0000000080)=@filename='./file1\x00', &(0x7f0000000040)='./file1\x00', &(0x7f00000000c0)='efs\x00', 0xc000, 0x0)
# Second emulated USB device, described field by field. The 0x20 max-packet value
# matches "Using ep0 maxpacket: 32" for device number 3 in the log.
syz_usb_connect$hid(0x0, 0x36, &(0x7f0000000040)={{0x12, 0x1, 0x250, 0x0, 0x0, 0x0, 0x20, 0x28bd, 0x905, 0x0, 0x0, 0x0, 0x0, 0x1, [{{0x9, 0x2, 0x24, 0x1, 0x0, 0x10, 0x40, 0x0, [{{0x9, 0x4, 0x0, 0x8, 0x81, 0x3, 0x0, 0x0, 0x0, {0x9, 0x21, 0x0, 0x0, 0x1, {0x22, 0x2}}, {{{0x9, 0x5, 0x81, 0x3, 0x0, 0x0, 0x0, 0xfc}}}}}]}}]}}, 0x0)
r7 = socket(0x14, 0x2, 0x0)
ioctl$ifreq_SIOCGIFINDEX_vcan(r7, 0x61e3, 0x0)
# r8 is the HCI socket that the next call (ioctl request 0x400448ca) operates on. The
# report's call trace shows that ioctl reaching hci_dev_close -> hci_conn_hash_flush -> l2cap_conn_del.
r8 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r8, 0x400448ca, 0x0) sendmsg$nl_xfrm(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000340)=ANY=[@ANYBLOB="6d7046d09f34ab1bec549f1f55dd7cdcddb4190fc7c73553345086c708c64459a98c565b8b36eb5f2dbb3d0bdd9517db514c4f3f6589bd910d4f1b75d47b094168dd9575819981b7fff44a59d3461dcefae252c6b0d4b655187e3f355dda7a871ab1ffbe18264f305fe087c0e0e4d0c12fed867ed553d483e15d5414bb7e0e792e50f74921b08989ae940049f10024ad32aa634456fe4a6350fbf7ad7df2e9f5c4971dc2a2cd499da5657a5dc830c3e24b73ee75cfcb1585aee7903b211a3da609f0dd518f2280ae6f43e47df8cf9a895dbf54ab84f145546b968ed1146367758a2959f2b122498e6842e4156b47582b", @ANYRES32=r1, @ANYRES32=0xee00, @ANYBLOB="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"], 0x150}}, 0x8044) [ 75.398401][ T4668] Bluetooth: hci0: command tx timeout [ 75.690422][ T10] usb 5-1: new high-speed USB device number 2 using dummy_hcd [ 75.840345][ T10] usb 5-1: Using ep0 maxpacket: 8 [ 75.845734][ T10] usb 5-1: config 0 has no interfaces? [ 75.850083][ T10] usb 5-1: config 0 has no interfaces? [ 75.854043][ T10] usb 5-1: config 0 has no interfaces? [ 75.858613][ T10] usb 5-1: New USB device found, idVendor=0a07, idProduct=0064, bcdDevice=40.6e [ 75.862741][ T10] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 75.866060][ T10] usb 5-1: Product: syz [ 75.867744][ T10] usb 5-1: Manufacturer: syz [ 75.869608][ T10] usb 5-1: SerialNumber: syz [ 75.891195][ T10] usb 5-1: config 0 descriptor?? 
[ 76.109694][ T5318] input: Bluetooth HID Boot Protocol Device as /devices/virtual/bluetooth/hci0/hci0:200/input5 [ 76.190733][ T10] usb 5-1: USB disconnect, device number 2 [ 76.234967][ T5319] loop0: detected capacity change from 0 to 2048 [ 76.272951][ T5319] loop0: p1 < > p3 p4 < > [ 76.278395][ T5319] loop0: p3 start 4284289 is beyond EOD, truncated [ 76.640343][ T10] usb 5-1: new high-speed USB device number 3 using dummy_hcd [ 76.790602][ T10] usb 5-1: Using ep0 maxpacket: 32 [ 76.815482][ T5318] [ 76.816908][ T5318] ====================================================== [ 76.820485][ T5318] WARNING: possible circular locking dependency detected [ 76.824000][ T5318] syzkaller #0 Not tainted [ 76.826060][ T5318] ------------------------------------------------------ [ 76.829222][ T5318] syz.0.0/5318 is trying to acquire lock: [ 76.831824][ T5318] ffff88801f8d4840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0x100/0xc50 [ 76.837131][ T5318] [ 76.837131][ T5318] but task is already holding lock: [ 76.840516][ T5318] ffff88801f8d4b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0 [ 76.844607][ T5318] [ 76.844607][ T5318] which lock already depends on the new lock. 
[ 76.844607][ T5318] [ 76.849357][ T5318] [ 76.849357][ T5318] the existing dependency chain (in reverse order) is: [ 76.853392][ T5318] [ 76.853392][ T5318] -> #1 (&conn->lock#2){+.+.}-{4:4}: [ 76.856805][ T5318] __mutex_lock+0x19f/0x1300 [ 76.859036][ T5318] l2cap_info_timeout+0x60/0xa0 [ 76.861467][ T5318] process_scheduled_works+0xaec/0x17a0 [ 76.863958][ T5318] worker_thread+0xda6/0x1360 [ 76.866093][ T5318] kthread+0x726/0x8b0 [ 76.868146][ T5318] ret_from_fork+0x51b/0xa40 [ 76.870514][ T5318] ret_from_fork_asm+0x1a/0x30 [ 76.872705][ T5318] [ 76.872705][ T5318] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}: [ 76.877051][ T5318] __lock_acquire+0x15a5/0x2cf0 [ 76.879418][ T5318] lock_acquire+0x106/0x330 [ 76.881588][ T5318] __flush_work+0x700/0xc50 [ 76.883836][ T5318] __cancel_work_sync+0xbe/0x110 [ 76.886366][ T5318] l2cap_conn_del+0x402/0x5b0 [ 76.888674][ T5318] hci_conn_hash_flush+0x10d/0x260 [ 76.891204][ T5318] hci_dev_close_sync+0x821/0x10e0 [ 76.893693][ T5318] hci_dev_close+0x108/0x260 [ 76.896023][ T5318] sock_do_ioctl+0x101/0x320 [ 76.898274][ T5318] sock_ioctl+0x5c6/0x7f0 [ 76.900466][ T5318] __se_sys_ioctl+0xfc/0x170 [ 76.902799][ T5318] do_syscall_64+0xe2/0xf80 [ 76.904951][ T5318] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.907781][ T5318] [ 76.907781][ T5318] other info that might help us debug this: [ 76.907781][ T5318] [ 76.912153][ T5318] Possible unsafe locking scenario: [ 76.912153][ T5318] [ 76.915333][ T5318] CPU0 CPU1 [ 76.917669][ T5318] ---- ---- [ 76.920044][ T5318] lock(&conn->lock#2); [ 76.922013][ T5318] lock((work_completion)(&(&conn->info_timer)->work)); [ 76.925979][ T5318] lock(&conn->lock#2); [ 76.928952][ T5318] lock((work_completion)(&(&conn->info_timer)->work)); [ 76.931940][ T5318] [ 76.931940][ T5318] *** DEADLOCK *** [ 76.931940][ T5318] [ 76.935229][ T5318] 5 locks held by syz.0.0/5318: [ 76.937362][ T5318] #0: ffff8880121c8ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x260 [ 
76.941494][ T5318] #1: ffff8880121c80c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0x10e0 [ 76.945439][ T5318] #2: ffffffff8fb3ac68 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x260 [ 76.949702][ T5318] #3: ffff88801f8d4b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0 [ 76.953641][ T5318] #4: ffffffff8e55a360 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x100/0xc50 [ 76.957539][ T5318] [ 76.957539][ T5318] stack backtrace: [ 76.960098][ T5318] CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 76.960114][ T5318] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 76.960122][ T5318] Call Trace: [ 76.960132][ T5318] [ 76.960138][ T5318] dump_stack_lvl+0xe8/0x150 [ 76.960156][ T5318] print_circular_bug+0x2e1/0x300 [ 76.960171][ T5318] check_noncircular+0x12e/0x150 [ 76.960183][ T5318] __lock_acquire+0x15a5/0x2cf0 [ 76.960200][ T5318] ? do_raw_spin_lock+0x12b/0x2f0 [ 76.960213][ T5318] ? irqentry_exit+0x59c/0x620 [ 76.960224][ T5318] ? lockdep_hardirqs_on+0x7a/0x110 [ 76.960232][ T5318] ? irqentry_exit+0x59c/0x620 [ 76.960243][ T5318] ? __flush_work+0x100/0xc50 [ 76.960255][ T5318] lock_acquire+0x106/0x330 [ 76.960270][ T5318] ? __flush_work+0x100/0xc50 [ 76.960284][ T5318] ? __flush_work+0x100/0xc50 [ 76.960294][ T5318] __flush_work+0x700/0xc50 [ 76.960304][ T5318] ? __flush_work+0x100/0xc50 [ 76.960315][ T5318] ? __flush_work+0x100/0xc50 [ 76.960326][ T5318] ? __pfx___flush_work+0x10/0x10 [ 76.960337][ T5318] ? __pfx_wq_barrier_func+0x10/0x10 [ 76.960358][ T5318] ? __cancel_work_sync+0x5c/0x110 [ 76.960369][ T5318] __cancel_work_sync+0xbe/0x110 [ 76.960381][ T5318] l2cap_conn_del+0x402/0x5b0 [ 76.960393][ T5318] ? __pfx_l2cap_disconn_cfm+0x10/0x10 [ 76.960404][ T5318] hci_conn_hash_flush+0x10d/0x260 [ 76.960418][ T5318] hci_dev_close_sync+0x821/0x10e0 [ 76.960430][ T5318] ? __pfx_hci_dev_close_sync+0x10/0x10 [ 76.960440][ T5318] ? 
lockdep_hardirqs_on+0x7a/0x110 [ 76.960449][ T5318] ? enable_work+0x1fd/0x230 [ 76.960461][ T5318] hci_dev_close+0x108/0x260 [ 76.960472][ T5318] sock_do_ioctl+0x101/0x320 [ 76.960488][ T5318] ? __pfx_sock_do_ioctl+0x10/0x10 [ 76.960503][ T5318] ? do_futex+0x333/0x420 [ 76.960524][ T5318] sock_ioctl+0x5c6/0x7f0 [ 76.960537][ T5318] ? __pfx_sock_ioctl+0x10/0x10 [ 76.960550][ T5318] ? __fget_files+0x2a/0x420 [ 76.960560][ T5318] ? __fget_files+0x3a0/0x420 [ 76.960569][ T5318] ? __fget_files+0x2a/0x420 [ 76.960579][ T5318] ? bpf_lsm_file_ioctl+0x9/0x20 [ 76.960591][ T5318] ? __pfx_sock_ioctl+0x10/0x10 [ 76.960604][ T5318] __se_sys_ioctl+0xfc/0x170 [ 76.960616][ T5318] do_syscall_64+0xe2/0xf80 [ 76.960626][ T5318] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.960637][ T5318] ? trace_irq_disable+0x37/0x100 [ 76.960648][ T5318] ? clear_bhb_loop+0x60/0xb0 [ 76.960661][ T5318] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.960673][ T5318] RIP: 0033:0x7f8cf3f9aeb9 [ 76.960705][ T5318] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 76.960715][ T5318] RSP: 002b:00007f8cf4d91028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 76.960729][ T5318] RAX: ffffffffffffffda RBX: 00007f8cf4215fa0 RCX: 00007f8cf3f9aeb9 [ 76.960738][ T5318] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 000000000000000f [ 76.960745][ T5318] RBP: 00007f8cf4008c1f R08: 0000000000000000 R09: 0000000000000000 [ 76.960753][ T5318] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 76.960760][ T5318] R13: 00007f8cf4216038 R14: 00007f8cf4215fa0 R15: 00007ffd3e6fbe38 [ 76.960771][ T5318] [ 77.451186][ T5299] Bluetooth: hci0: command tx timeout [ 79.531036][ T5299] Bluetooth: hci0: command tx timeout [ 81.453362][ T1314] ieee802154 phy0 wpan0: encryption failed: -22 [ 81.456256][ T1314] ieee802154 phy1 wpan1: encryption failed: -22 [ 
81.610426][ T5299] Bluetooth: hci0: command tx timeout [ 81.850509][ T10] usb 5-1: unable to get BOS descriptor or descriptor too short [ 81.854682][ T10] usb 5-1: unable to read config index 0 descriptor/start: -32 [ 81.857699][ T10] usb 5-1: chopping to 0 config(s) [ 81.860073][ T10] usb 5-1: can't read configurations, error -32 [ 81.990317][ T10] usb 5-1: new high-speed USB device number 4 using dummy_hcd [ 82.120344][ T10] usb 5-1: device descriptor read/64, error -32 [ 82.231194][ T10] usb usb5-port1: attempt power cycle