program: socket$qrtr(0x2a, 0x2, 0x0) r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$sock_bt_hci(r0, 0x400448ca, 0x0) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$sock_bt_hci(r1, 0x400448cb, 0x0) socket$inet6(0xa, 0x2, 0x3a) r2 = openat$sequencer(0xffffffffffffff9c, &(0x7f0000000180), 0x500, 0x0) r3 = signalfd(r2, &(0x7f0000000140)={[0x3]}, 0x8) close(r3) inotify_init1(0x0) fcntl$setstatus(r3, 0x4, 0x2c00) dup(r3) r4 = socket$inet6_mptcp(0xa, 0x1, 0x106) ioctl$sock_SIOCGIFINDEX(r4, 0x8933, &(0x7f0000000040)={'veth1_to_bridge\x00', 0x0}) ioctl$sock_inet6_SIOCADDRT(r4, 0x890b, &(0x7f0000000540)={@rand_addr=' \x01\x00', @rand_addr=' \x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02', @private1, 0x0, 0x0, 0x0, 0x0, 0x40000000, 0x4400046, r5}) r6 = socket(0x200000100000011, 0x3, 0x0) r7 = socket(0x10, 0x803, 0x0) ioctl$VHOST_VDPA_GET_CONFIG(0xffffffffffffffff, 0x8008af73, &(0x7f0000002200)={0x0, 0x7d, ""/125}) r8 = socket(0x200000100000011, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f0000000000)={'syz_tun\x00', 0x0}) syz_mount_image$ext4(&(0x7f0000000180)='ext4\x00', &(0x7f0000000280)='\xe9\x1fq\x89Y\x1e\x923aK\x00', 0x800700, &(0x7f0000000880)={[{@noblock_validity}, {@nogrpid}, {@debug_want_extra_isize={'debug_want_extra_isize', 0x3d, 0x58}}, {@minixdf}, {@resgid}, {@sysvgroups}, {@usrjquota}]}, 0x3, 0x455, &(0x7f0000001080)="$eJzs289rHFUcAPDvzCbp7ybWKrRWjRYx+CNp0qo9eFEUPFQU9FCPcZOW0m0jTQRbio0i9SJIQc/iUfAv8OZF1JPgVe9SKBqEVk+R2Z1JN9vd/Gg2u7H7+cAk7+17s++9ffN23sybDaBnDWd/kojdEfFbRAzWosszDNf+3Vq4XP5n4XI5icXFt/5MqvluLlwuF1mL/XblkZE0Iv0kyQuJbfVvO3vx0tnJSmX6Qh4fmzv33tjsxUvPnjk3eXr69PT5iePHjx0df+H5iefW1I5klfSsXTcPfjhz6MBr71x7vXzy2rs/fZvtsztPr29HuwxnDf9rsaox7Yl2F9Zle+rCSV8XK8K6lCIi667+6vgfjFLc7rzBePXjrlYO2FTZuWlb6+T5ReAelsTqef7uREWADitO9Nn1b7F1aOqxJdx4qXYBlLX7Vr7VUvoizfP0N1zfttNwRJyc//erbItNug8BAFDvs/KXJ+KZZvO/NB6sy7c3X0MZioj7ImJfRNwfEfsj4oGILG/jlHJNhhvid85/0ut32bQ1yeZ/L+ZrW8vnf8XsL4ZKeWxPtf39yakzlekj+WcyEv3bsvj4CmV8/8qvn7dKq5//ZVtWfjEXzOtxva/hBt3U5NxkdVLaBjc+ijjY16z9ydJKQBIRByLi4Preem8ROPPUN4d2HGqeafX2r6AN60yLX0c8Wev/+WhofyFZeX1ybHtUpo+MFUfFnX7+5eqbrcrfUPvbIOv/ncuP/8YsQ0n9eu3s+su4+vunLa9p7vb4H0jervbLQP7aB5NzcxfGIwaSE9X4stcnbu9bxIv8WftHDjcf//vyfbJyHoqI7BB+OCIeiYhH87o/FhGPR8ThFdr/48ut07ZC/081/f5bOv4b+n/9gdLZH75rVf7a+v9YNTSSv1L9/lvFWiu4kc8OAAAA/i/S6jPwSTq6FE7T0dHaM/z7Y2damZmde/rUzPvnp2rPyg9Ff1rc6Rqsux86nszn71iLT+T3iov0o/l94y9KO6rx0fJMZarLbYdet6vF+M/8Uep27YBN12wdbWKgCxUBOq5x/KfLo1fe6GRlgI7ye23oXauM/7RT9QA6z/kfelez8X+lIW4tAO5Nzv/Qu4x/6F3GP/Qu4x960kZ+1y/Qy4FIK5Wp7RFbpT4C7Q10+5sJAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACgPf4LAAD//zAd9WE=") chdir(&(0x7f0000000140)='./file0\x00') r10 = open(&(0x7f0000000000)='./bus\x00', 0x60142, 0x0) r11 = open(&(0x7f0000000080)='./bus\x00', 0x185102, 0x80) write$dsp(r10, &(0x7f0000000100)='n', 0x1) pwritev2(r11, &(0x7f0000000040)=[{&(0x7f00000003c0)="789460ce", 0x4}], 0x1, 0xff74, 0x5db5196a, 0x0) sendfile(r10, r11, 0x0, 0x1000000201005) sendmsg$nl_route(r7, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000580)={&(0x7f0000002300)=ANY=[@ANYBLOB="400000001400b59500000000000000000a000000", @ANYRES32=r9, @ANYBLOB="140002f4fd8000000000000000000000dbcc39e852423ded0000004001f0ffff000000000000080287f2c715ad0c994963ad79dcb0c8d178b1664122d28b4ab1024940f95af28e81738b51e5ebbf5f236cd30101f4ba8bc182759c"], 0x40}}, 0x0) ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000000)={'syz_tun\x00'}) [ 86.553247][ T9] cfg80211: failed to load regulatory.db [ 86.559592][ T4678] Bluetooth: hci0: command tx timeout [ 86.645102][ T9] [ 86.646149][ T9] ====================================================== [ 86.649159][ T9] WARNING: possible circular locking dependency detected [ 86.651968][ T9] 6.16.0-rc2-syzkaller-00087-g24770983ccfe #0 Not tainted [ 86.654931][ T9] ------------------------------------------------------ [ 86.657829][ T9] kworker/0:0/9 is trying to acquire lock: [ 86.660365][ T9] ffff88803344f338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0 [ 86.664289][ T9] [ 86.664289][ T9] but task is already holding lock: [ 86.667416][ T9] ffffc900001b7bc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0 [ 86.672691][ T9] [ 86.672691][ T9] which lock already depends on the new lock. [ 86.672691][ T9] [ 86.677175][ T9] [ 86.677175][ T9] the existing dependency chain (in reverse order) is: [ 86.680717][ T9] [ 86.680717][ T9] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}: [ 86.685513][ T9] lock_acquire+0x120/0x360 [ 86.687991][ T9] __flush_work+0x6b8/0xbc0 [ 86.690479][ T9] __cancel_work_sync+0xbe/0x110 [ 86.693154][ T9] l2cap_conn_del+0x4f0/0x680 [ 86.695518][ T9] hci_conn_hash_flush+0x10a/0x230 [ 86.697982][ T9] hci_dev_close_sync+0xaef/0x1330 [ 86.700477][ T9] hci_dev_close+0x106/0x200 [ 86.702720][ T9] sock_do_ioctl+0xdc/0x300 [ 86.704963][ T9] sock_ioctl+0x576/0x790 [ 86.707109][ T9] __se_sys_ioctl+0xfc/0x170 [ 86.709380][ T9] do_syscall_64+0xfa/0x3b0 [ 86.711630][ T9] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.714446][ T9] [ 86.714446][ T9] -> #0 (&conn->lock#2){+.+.}-{4:4}: [ 86.717819][ T9] validate_chain+0xb9b/0x2140 [ 86.720239][ T9] __lock_acquire+0xab9/0xd20 [ 86.722593][ T9] lock_acquire+0x120/0x360 [ 86.724780][ T9] __mutex_lock+0x182/0xe80 [ 86.727095][ T9] l2cap_info_timeout+0x60/0xa0 [ 86.729419][ T9] process_scheduled_works+0xae1/0x17b0 [ 86.732462][ T9] worker_thread+0x8a0/0xda0 [ 86.734910][ T9] kthread+0x70e/0x8a0 [ 86.737141][ T9] ret_from_fork+0x3f9/0x770 [ 86.739459][ T9] ret_from_fork_asm+0x1a/0x30 [ 86.741838][ T9] [ 86.741838][ T9] other info that might help us debug this: [ 86.741838][ T9] [ 86.746125][ T9] Possible unsafe locking scenario: [ 86.746125][ T9] [ 86.749259][ T9] CPU0 CPU1 [ 86.751628][ T9] ---- ---- [ 86.753839][ T9] lock((work_completion)(&(&conn->info_timer)->work)); [ 86.756438][ T9] lock(&conn->lock#2); [ 86.759129][ T9] lock((work_completion)(&(&conn->info_timer)->work)); [ 86.763289][ T9] lock(&conn->lock#2); [ 86.765134][ T9] [ 86.765134][ T9] *** DEADLOCK *** [ 86.765134][ T9] [ 86.768554][ T9] 2 locks held by kworker/0:0/9: [ 86.770746][ T9] #0: ffff88801a474d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0 [ 86.775455][ T9] #1: ffffc900001b7bc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0 [ 86.781339][ T9] [ 86.781339][ T9] stack backtrace: [ 86.783815][ T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.16.0-rc2-syzkaller-00087-g24770983ccfe #0 PREEMPT(full) [ 86.783832][ T9] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 86.783840][ T9] Workqueue: events l2cap_info_timeout [ 86.783858][ T9] Call Trace: [ 86.783864][ T9] [ 86.783900][ T9] dump_stack_lvl+0x189/0x250 [ 86.783919][ T9] ? __pfx_dump_stack_lvl+0x10/0x10 [ 86.783932][ T9] ? __pfx__printk+0x10/0x10 [ 86.783942][ T9] ? print_lock_name+0xde/0x100 [ 86.783952][ T9] print_circular_bug+0x2ee/0x310 [ 86.783964][ T9] check_noncircular+0x134/0x160 [ 86.783976][ T9] validate_chain+0xb9b/0x2140 [ 86.783990][ T9] ? ret_from_fork_asm+0x1a/0x30 [ 86.784003][ T9] __lock_acquire+0xab9/0xd20 [ 86.784018][ T9] ? l2cap_info_timeout+0x60/0xa0 [ 86.784028][ T9] lock_acquire+0x120/0x360 [ 86.784051][ T9] ? l2cap_info_timeout+0x60/0xa0 [ 86.784066][ T9] __mutex_lock+0x182/0xe80 [ 86.784076][ T9] ? l2cap_info_timeout+0x60/0xa0 [ 86.784088][ T9] ? irqentry_exit+0x74/0x90 [ 86.784103][ T9] ? lockdep_hardirqs_on+0x9c/0x150 [ 86.784119][ T9] ? l2cap_info_timeout+0x60/0xa0 [ 86.784130][ T9] ? __pfx___mutex_lock+0x10/0x10 [ 86.784145][ T9] l2cap_info_timeout+0x60/0xa0 [ 86.784158][ T9] ? process_scheduled_works+0x9ef/0x17b0 [ 86.784174][ T9] process_scheduled_works+0xae1/0x17b0 [ 86.784197][ T9] ? __pfx_process_scheduled_works+0x10/0x10 [ 86.784218][ T9] worker_thread+0x8a0/0xda0 [ 86.784234][ T9] kthread+0x70e/0x8a0 [ 86.784248][ T9] ? __pfx_worker_thread+0x10/0x10 [ 86.784262][ T9] ? __pfx_kthread+0x10/0x10 [ 86.784274][ T9] ? _raw_spin_unlock_irq+0x23/0x50 [ 86.784289][ T9] ? lockdep_hardirqs_on+0x9c/0x150 [ 86.784304][ T9] ? __pfx_kthread+0x10/0x10 [ 86.784317][ T9] ret_from_fork+0x3f9/0x770 [ 86.784334][ T9] ? __pfx_ret_from_fork+0x10/0x10 [ 86.784351][ T9] ? __pfx_kthread+0x10/0x10 [ 86.784363][ T9] ret_from_fork_asm+0x1a/0x30 [ 86.784378][ T9] [ 86.894437][ T5336] loop0: detected capacity change from 0 to 512 [ 86.927178][ T5336] EXT4-fs error (device loop0): ext4_iget_extra_inode:5035: inode #15: comm syz.0.0: corrupted in-inode xattr: invalid ea_ino [ 86.945476][ T5336] EXT4-fs error (device loop0): ext4_orphan_get:1398: comm syz.0.0: couldn't read orphan inode 15 (err -117) [ 86.952305][ T5336] EXT4-fs (loop0): mounted filesystem 00000007-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. [ 86.971705][ T5336] netlink: 20 bytes leftover after parsing attributes in process `syz.0.0'. [ 88.607223][ T4678] Bluetooth: hci0: command tx timeout [ 90.688198][ T4678] Bluetooth: hci0: command tx timeout [ 92.766797][ T4678] Bluetooth: hci0: command tx timeout