program:
syz_emit_vhci(&(0x7f0000000180)=ANY=[@ANYBLOB="04040a00000000000000fc0082"], 0xd)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r0, 0x400448ca, 0x0)

[ 88.532842][ T5313] Bluetooth: hci0: command tx timeout
[ 88.542357][ T54] cfg80211: failed to load regulatory.db
[ 88.571131][ T10]
[ 88.573131][ T10] ======================================================
[ 88.577210][ T10] WARNING: possible circular locking dependency detected
[ 88.580295][ T10] 6.16.0-rc2-syzkaller #0 Not tainted
[ 88.582742][ T10] ------------------------------------------------------
[ 88.585745][ T10] kworker/0:1/10 is trying to acquire lock:
[ 88.588898][ T10] ffff8880432d4338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 88.593615][ T10]
[ 88.593615][ T10] but task is already holding lock:
[ 88.596621][ T10] ffffc900001c7bc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0
[ 88.601387][ T10]
[ 88.601387][ T10] which lock already depends on the new lock.
[ 88.601387][ T10]
[ 88.606324][ T10]
[ 88.606324][ T10] the existing dependency chain (in reverse order) is:
[ 88.610375][ T10]
[ 88.610375][ T10] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 88.614805][ T10]        lock_acquire+0x120/0x360
[ 88.617304][ T10]        __flush_work+0x6b8/0xbc0
[ 88.620136][ T10]        __cancel_work_sync+0xbe/0x110
[ 88.623100][ T10]        l2cap_conn_del+0x4f0/0x680
[ 88.625463][ T10]        hci_conn_hash_flush+0x10d/0x230
[ 88.627981][ T10]        hci_dev_close_sync+0xaef/0x1330
[ 88.630780][ T10]        hci_dev_close+0x106/0x200
[ 88.633316][ T10]        sock_do_ioctl+0xdc/0x300
[ 88.635867][ T10]        sock_ioctl+0x576/0x790
[ 88.638524][ T10]        __se_sys_ioctl+0xf9/0x170
[ 88.641112][ T10]        do_syscall_64+0xfa/0x3b0
[ 88.643431][ T10]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 88.646247][ T10]
[ 88.646247][ T10] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 88.649603][ T10]        validate_chain+0xb9b/0x2140
[ 88.652383][ T10]        __lock_acquire+0xab9/0xd20
[ 88.655124][ T10]        lock_acquire+0x120/0x360
[ 88.657633][ T10]        __mutex_lock+0x182/0xe80
[ 88.659792][ T10]        l2cap_info_timeout+0x60/0xa0
[ 88.662421][ T10]        process_scheduled_works+0xae1/0x17b0
[ 88.665004][ T10]        worker_thread+0x8a0/0xda0
[ 88.667131][ T10]        kthread+0x70e/0x8a0
[ 88.669132][ T10]        ret_from_fork+0x3fc/0x770
[ 88.671600][ T10]        ret_from_fork_asm+0x1a/0x30
[ 88.673741][ T10]
[ 88.673741][ T10] other info that might help us debug this:
[ 88.673741][ T10]
[ 88.678280][ T10] Possible unsafe locking scenario:
[ 88.678280][ T10]
[ 88.681731][ T10]        CPU0                    CPU1
[ 88.684885][ T10]        ----                    ----
[ 88.687656][ T10]   lock((work_completion)(&(&conn->info_timer)->work));
[ 88.690581][ T10]                                lock(&conn->lock#2);
[ 88.693575][ T10]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 88.697959][ T10]   lock(&conn->lock#2);
[ 88.700303][ T10]
[ 88.700303][ T10]  *** DEADLOCK ***
[ 88.700303][ T10]
[ 88.704863][ T10] 2 locks held by kworker/0:1/10:
[ 88.707090][ T10]  #0: ffff88801a474d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0
[ 88.712023][ T10]  #1: ffffc900001c7bc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0
[ 88.718648][ T10]
[ 88.718648][ T10] stack backtrace:
[ 88.721480][ T10] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.16.0-rc2-syzkaller #0 PREEMPT(full)
[ 88.721496][ T10] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 88.721505][ T10] Workqueue: events l2cap_info_timeout
[ 88.721529][ T10] Call Trace:
[ 88.721538][ T10]
[ 88.721545][ T10]  dump_stack_lvl+0x189/0x250
[ 88.721563][ T10]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 88.721576][ T10]  ? __pfx__printk+0x10/0x10
[ 88.721584][ T10]  ? print_lock_name+0xde/0x100
[ 88.721592][ T10]  print_circular_bug+0x2ee/0x310
[ 88.721602][ T10]  check_noncircular+0x134/0x160
[ 88.721613][ T10]  validate_chain+0xb9b/0x2140
[ 88.721624][ T10]  ? ret_from_fork_asm+0x1a/0x30
[ 88.721636][ T10]  __lock_acquire+0xab9/0xd20
[ 88.721653][ T10]  ? l2cap_info_timeout+0x60/0xa0
[ 88.721662][ T10]  lock_acquire+0x120/0x360
[ 88.721675][ T10]  ? l2cap_info_timeout+0x60/0xa0
[ 88.721687][ T10]  __mutex_lock+0x182/0xe80
[ 88.721697][ T10]  ? l2cap_info_timeout+0x60/0xa0
[ 88.721708][ T10]  ? irqentry_exit+0x74/0x90
[ 88.721724][ T10]  ? lockdep_hardirqs_on+0x9c/0x150
[ 88.721739][ T10]  ? l2cap_info_timeout+0x60/0xa0
[ 88.721751][ T10]  ? __pfx___mutex_lock+0x10/0x10
[ 88.721763][ T10]  l2cap_info_timeout+0x60/0xa0
[ 88.721775][ T10]  ? process_scheduled_works+0x9ef/0x17b0
[ 88.721789][ T10]  process_scheduled_works+0xae1/0x17b0
[ 88.721810][ T10]  ? __pfx_process_scheduled_works+0x10/0x10
[ 88.721829][ T10]  worker_thread+0x8a0/0xda0
[ 88.721844][ T10]  kthread+0x70e/0x8a0
[ 88.721857][ T10]  ? __pfx_worker_thread+0x10/0x10
[ 88.721871][ T10]  ? __pfx_kthread+0x10/0x10
[ 88.721882][ T10]  ? _raw_spin_unlock_irq+0x23/0x50
[ 88.721896][ T10]  ? lockdep_hardirqs_on+0x9c/0x150
[ 88.721909][ T10]  ? __pfx_kthread+0x10/0x10
[ 88.721921][ T10]  ret_from_fork+0x3fc/0x770
[ 88.721936][ T10]  ? __pfx_ret_from_fork+0x10/0x10
[ 88.721960][ T10]  ? __pfx_kthread+0x10/0x10
[ 88.721971][ T10]  ret_from_fork_asm+0x1a/0x30
[ 88.721987][ T10]
[ 90.576845][ T4678] Bluetooth: hci0: command tx timeout
[ 92.657587][ T4678] Bluetooth: hci0: command tx timeout
[ 94.736881][ T4678] Bluetooth: hci0: command tx timeout