program:
setsockopt$netlink_NETLINK_TX_RING(0xffffffffffffffff, 0x10e, 0xc, 0x0, 0x0)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r1 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r1, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe)
r2 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6)
ioctl$sock_bt_hidp_HIDPCONNADD(r2, 0x400448c8, &(0x7f0000000280)={r1, r1, 0xc, 0x1, &(0x7f0000000340)='\x00', 0x9, 0x1, 0x457, 0x9, 0x9, 0x1, 0x1, 'syz1\x00'})
ioctl$sock_bt_hci(r0, 0x400448ca, 0x0) (fail_nth: 5)

[ 85.903474][ T5311] Bluetooth: hci0: command tx timeout
[ 86.039298][ T5333]
[ 86.040578][ T5333] ======================================================
[ 86.044596][ T5333] WARNING: possible circular locking dependency detected
[ 86.048550][ T5333] 6.15.0-syzkaller-13473-gc0c9379f235d #0 Not tainted
[ 86.051696][ T5333] ------------------------------------------------------
[ 86.054985][ T5333] syz.0.0/5333 is trying to acquire lock:
[ 86.057618][ T5333] ffff888011e01840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0
[ 86.063462][ T5333]
[ 86.063462][ T5333] but task is already holding lock:
[ 86.067599][ T5333] ffff888011e01b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[ 86.071718][ T5333]
[ 86.071718][ T5333] which lock already depends on the new lock.
[ 86.071718][ T5333]
[ 86.076357][ T5333]
[ 86.076357][ T5333] the existing dependency chain (in reverse order) is:
[ 86.081123][ T5333]
[ 86.081123][ T5333] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[ 86.085321][ T5333]        lock_acquire+0x120/0x360
[ 86.088131][ T5333]        __mutex_lock+0x182/0xe80
[ 86.090556][ T5333]        l2cap_info_timeout+0x60/0xa0
[ 86.093457][ T5333]        process_scheduled_works+0xae1/0x17b0
[ 86.096196][ T5333]        worker_thread+0x8a0/0xda0
[ 86.098607][ T5333]        kthread+0x70e/0x8a0
[ 86.100763][ T5333]        ret_from_fork+0x3f9/0x770
[ 86.103157][ T5333]        ret_from_fork_asm+0x1a/0x30
[ 86.105575][ T5333]
[ 86.105575][ T5333] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 86.110252][ T5333]        validate_chain+0xb9b/0x2140
[ 86.112666][ T5333]        __lock_acquire+0xab9/0xd20
[ 86.115078][ T5333]        lock_acquire+0x120/0x360
[ 86.117373][ T5333]        __flush_work+0x6b8/0xbc0
[ 86.119752][ T5333]        __cancel_work_sync+0xbe/0x110
[ 86.122394][ T5333]        l2cap_conn_del+0x4f0/0x680
[ 86.125144][ T5333]        hci_conn_hash_flush+0x10a/0x230
[ 86.128515][ T5333]        hci_dev_close_sync+0xaef/0x1330
[ 86.131356][ T5333]        hci_dev_close+0x106/0x200
[ 86.133639][ T5333]        sock_do_ioctl+0xd9/0x300
[ 86.135649][ T5333]        sock_ioctl+0x576/0x790
[ 86.137783][ T5333]        __se_sys_ioctl+0xfc/0x170
[ 86.140209][ T5333]        do_syscall_64+0xfa/0x3b0
[ 86.142708][ T5333]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.145985][ T5333]
[ 86.145985][ T5333] other info that might help us debug this:
[ 86.145985][ T5333]
[ 86.150547][ T5333] Possible unsafe locking scenario:
[ 86.150547][ T5333]
[ 86.153732][ T5333]        CPU0                    CPU1
[ 86.156076][ T5333]        ----                    ----
[ 86.158694][ T5333]   lock(&conn->lock#2);
[ 86.161317][ T5333]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 86.166223][ T5333]                                lock(&conn->lock#2);
[ 86.169373][ T5333]   lock((work_completion)(&(&conn->info_timer)->work));
[ 86.172412][ T5333]
[ 86.172412][ T5333]  *** DEADLOCK ***
[ 86.172412][ T5333]
[ 86.175922][ T5333] 5 locks held by syz.0.0/5333:
[ 86.178114][ T5333]  #0: ffff8880119dcd80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0xfe/0x200
[ 86.183530][ T5333]  #1: ffff8880119dc078 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x66a/0x1330
[ 86.188127][ T5333]  #2: ffffffff8f6786a8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x230
[ 86.192581][ T5333]  #3: ffff888011e01b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[ 86.196930][ T5333]  #4: ffffffff8e13f060 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0
[ 86.201954][ T5333]
[ 86.201954][ T5333] stack backtrace:
[ 86.204976][ T5333] CPU: 0 UID: 0 PID: 5333 Comm: syz.0.0 Not tainted 6.15.0-syzkaller-13473-gc0c9379f235d #0 PREEMPT(full)
[ 86.204996][ T5333] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 86.205004][ T5333] Call Trace:
[ 86.205013][ T5333]
[ 86.205020][ T5333]  dump_stack_lvl+0x189/0x250
[ 86.205044][ T5333]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 86.205062][ T5333]  ? __pfx__printk+0x10/0x10
[ 86.205076][ T5333]  ? print_lock_name+0xde/0x100
[ 86.205089][ T5333]  print_circular_bug+0x2ee/0x310
[ 86.205105][ T5333]  check_noncircular+0x134/0x160
[ 86.205119][ T5333]  validate_chain+0xb9b/0x2140
[ 86.205131][ T5333]  ? do_raw_spin_lock+0x121/0x290
[ 86.205146][ T5333]  ? look_up_lock_class+0x74/0x170
[ 86.205166][ T5333]  ? register_lock_class+0x51/0x320
[ 86.205184][ T5333]  __lock_acquire+0xab9/0xd20
[ 86.205199][ T5333]  ? __flush_work+0xd2/0xbc0
[ 86.205212][ T5333]  lock_acquire+0x120/0x360
[ 86.205225][ T5333]  ? __flush_work+0xd2/0xbc0
[ 86.205235][ T5333]  ? _raw_spin_unlock_irq+0x23/0x50
[ 86.205248][ T5333]  ? __flush_work+0xd2/0xbc0
[ 86.205256][ T5333]  __flush_work+0x6b8/0xbc0
[ 86.205265][ T5333]  ? __flush_work+0xd2/0xbc0
[ 86.205276][ T5333]  ? __flush_work+0xd2/0xbc0
[ 86.205286][ T5333]  ? __pfx___flush_work+0x10/0x10
[ 86.205294][ T5333]  ? __pfx_wq_barrier_func+0x10/0x10
[ 86.205310][ T5333]  ? __pfx___cancel_work+0x10/0x10
[ 86.205321][ T5333]  ? hci_conn_drop+0x14d/0x280
[ 86.205335][ T5333]  __cancel_work_sync+0xbe/0x110
[ 86.205347][ T5333]  l2cap_conn_del+0x4f0/0x680
[ 86.205361][ T5333]  ? __pfx_l2cap_disconn_cfm+0x10/0x10
[ 86.205372][ T5333]  hci_conn_hash_flush+0x10a/0x230
[ 86.205389][ T5333]  hci_dev_close_sync+0xaef/0x1330
[ 86.205405][ T5333]  ? __pfx_hci_dev_close_sync+0x10/0x10
[ 86.205445][ T5333]  hci_dev_close+0x106/0x200
[ 86.205457][ T5333]  sock_do_ioctl+0xd9/0x300
[ 86.205474][ T5333]  ? __pfx_sock_do_ioctl+0x10/0x10
[ 86.205486][ T5333]  ? __lock_acquire+0xab9/0xd20
[ 86.205501][ T5333]  sock_ioctl+0x576/0x790
[ 86.205515][ T5333]  ? __pfx_sock_ioctl+0x10/0x10
[ 86.205529][ T5333]  ? __fget_files+0x2a/0x420
[ 86.205540][ T5333]  ? __fget_files+0x3a0/0x420
[ 86.205550][ T5333]  ? __fget_files+0x2a/0x420
[ 86.205562][ T5333]  ? bpf_lsm_file_ioctl+0x9/0x20
[ 86.205578][ T5333]  ? __pfx_sock_ioctl+0x10/0x10
[ 86.205590][ T5333]  __se_sys_ioctl+0xfc/0x170
[ 86.205602][ T5333]  do_syscall_64+0xfa/0x3b0
[ 86.205612][ T5333]  ? lockdep_hardirqs_on+0x9c/0x150
[ 86.205624][ T5333]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.205633][ T5333]  ? clear_bhb_loop+0x60/0xb0
[ 86.205643][ T5333]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.205652][ T5333] RIP: 0033:0x7f4fcef8e929
[ 86.205664][ T5333] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 86.205672][ T5333] RSP: 002b:00007f4fcfe8f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 86.205684][ T5333] RAX: ffffffffffffffda RBX: 00007f4fcf1b5fa0 RCX: 00007f4fcef8e929
[ 86.205691][ T5333] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000004
[ 86.205697][ T5333] RBP: 00007f4fcfe8f090 R08: 0000000000000000 R09: 0000000000000000
[ 86.205703][ T5333] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 86.205708][ T5333] R13: 0000000000000000 R14: 00007f4fcf1b5fa0 R15: 00007ffe0d88f6a8
[ 86.205718][ T5333]
[ 87.944951][ T5311] Bluetooth: hci0: command tx timeout
[ 90.020198][ T5311] Bluetooth: hci0: command tx timeout
[ 92.030368][ T54] cfg80211: failed to load regulatory.db
[ 92.100262][ T5311] Bluetooth: hci0: command tx timeout