program: r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) connect$packet(r0, &(0x7f0000000200)={0x1f, 0xf8, 0x0, 0x1, 0x2}, 0x14) bpf$BPF_BTF_LOAD(0x12, 0x0, 0x0) r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r1, 0x400448ca, 0x0) openat$snapshot(0xffffffffffffff9c, &(0x7f0000000200), 0x800, 0x0) r2 = openat$procfs(0xffffffffffffff9c, &(0x7f0000000080)='/proc/partitions\x00', 0x0, 0x0) r3 = openat$sysctl(0xffffffffffffff9c, &(0x7f0000000040)='/proc/sys/vm/compact_memory\x00', 0x1, 0x0) r4 = socket$nl_generic(0x10, 0x3, 0x10) r5 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r4, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r4, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r5, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r6}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x8}]}, 0x24}, 0x1, 0x0, 0x0, 0x40840}, 0x0) sendmsg$NL80211_CMD_CONNECT(r4, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000240)={0x30, r5, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r6}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x30}}, 0x0) syz_80211_inject_frame(&(0x7f00000002c0)=@device_b, &(0x7f00000003c0)=ANY=[@ANYBLOB="54000000480207005ab70851101da5a5294670313ec89a0001080700000000080211000000000000c7ae881bd06901000006020202020202010182720603030303030371"], 0x40) nanosleep(&(0x7f0000000340)={0x0, 0x2faf080}, 0x0) r7 = socket$nl_generic(0x10, 0x3, 0x10) r8 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000680), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r7, 0x8933, &(0x7f00000016c0)={'wlan0\x00', 0x0}) sendmsg$NL80211_CMD_FRAME(r7, &(0x7f0000003740)={0x0, 0x0, &(0x7f0000003700)={&(0x7f0000000540)={0x4c, r8, 0x1, 0x70bd2a, 0x25dfdbfd, {{}, {@val={0x8, 0x3, r9}, @void}}, [@NL80211_ATTR_FRAME={0x1d, 0x33, @deauth={{{0x0, 0x0, 0xc, 0x0, 0x0, 0x0, 0x0, 0x1}, {0xe}, @device_b, @device_a, @initial, {0x3, 0x7}}, 0x0, @val={0x8c, 0x10, {0x283, "726712ea1b02", @short="acf28009ddef7a20"}}}}]}, 0x4c}, 0x1, 0x0, 0x0, 0x20040080}, 0x28008004) sendfile(r3, r2, &(0x7f00000000c0)=0x58, 0x1e) [ 75.779600][ T5317] Bluetooth: hci0: command tx timeout [ 76.025027][ T5342] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 76.096147][ T5342] netlink: 16 bytes leftover after parsing attributes in process `syz.0.0'. [ 76.187873][ T1311] ieee802154 phy0 wpan0: encryption failed: -22 [ 76.191208][ T1311] ieee802154 phy1 wpan1: encryption failed: -22 [ 77.137120][ T5341] Bluetooth: hci0: Opcode 0x0c1a failed: -4 [ 77.140546][ T5341] Bluetooth: hci0: Opcode 0x0406 failed: -4 [ 77.144897][ T5341] [ 77.145925][ T5341] ====================================================== [ 77.149049][ T5341] WARNING: possible circular locking dependency detected [ 77.152141][ T5341] syzkaller #0 Not tainted [ 77.154079][ T5341] ------------------------------------------------------ [ 77.157091][ T5341] syz.0.0/5341 is trying to acquire lock: [ 77.159587][ T5341] ffff8880367fb840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0 [ 77.164840][ T5341] [ 77.164840][ T5341] but task is already holding lock: [ 77.167854][ T5341] ffff8880367fbb38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0 [ 77.171650][ T5341] [ 77.171650][ T5341] which lock already depends on the new lock. [ 77.171650][ T5341] [ 77.175940][ T5341] [ 77.175940][ T5341] the existing dependency chain (in reverse order) is: [ 77.179745][ T5341] [ 77.179745][ T5341] -> #1 (&conn->lock#2){+.+.}-{4:4}: [ 77.183054][ T5341] __mutex_lock+0x187/0x1350 [ 77.185382][ T5341] l2cap_info_timeout+0x60/0xa0 [ 77.187660][ T5341] process_scheduled_works+0xad1/0x1770 [ 77.190460][ T5341] worker_thread+0x8a0/0xda0 [ 77.192786][ T5341] kthread+0x711/0x8a0 [ 77.194812][ T5341] ret_from_fork+0x510/0xa50 [ 77.197019][ T5341] ret_from_fork_asm+0x1a/0x30 [ 77.199290][ T5341] [ 77.199290][ T5341] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}: [ 77.203922][ T5341] __lock_acquire+0x15a6/0x2cf0 [ 77.206103][ T5341] lock_acquire+0x107/0x340 [ 77.208329][ T5341] __flush_work+0x6b8/0xbc0 [ 77.210572][ T5341] __cancel_work_sync+0xbe/0x110 [ 77.212834][ T5341] l2cap_conn_del+0x402/0x5b0 [ 77.214987][ T5341] l2cap_connect_cfm+0x122/0x10e0 [ 77.217322][ T5341] hci_conn_failed+0x1ce/0x340 [ 77.219451][ T5341] hci_abort_conn_sync+0x658/0xe30 [ 77.221789][ T5341] hci_disconnect_all_sync+0x1b5/0x350 [ 77.224338][ T5341] hci_suspend_sync+0x3fc/0xc90 [ 77.226650][ T5341] hci_suspend_dev+0x28d/0x530 [ 77.229001][ T5341] hci_suspend_notifier+0xf2/0x2f0 [ 77.231481][ T5341] notifier_call_chain+0x19d/0x3a0 [ 77.234113][ T5341] blocking_notifier_call_chain_robust+0x85/0x100 [ 77.237165][ T5341] pm_notifier_call_chain_robust+0x2c/0x60 [ 77.239972][ T5341] snapshot_open+0x19c/0x280 [ 77.242194][ T5341] misc_open+0x2d5/0x350 [ 77.244362][ T5341] chrdev_open+0x4cc/0x5e0 [ 77.246592][ T5341] do_dentry_open+0x7ce/0x1420 [ 77.248919][ T5341] vfs_open+0x3b/0x340 [ 77.250893][ T5341] path_openat+0x340e/0x3dd0 [ 77.253072][ T5341] do_filp_open+0x1fa/0x410 [ 77.255291][ T5341] do_sys_openat2+0x121/0x200 [ 77.257518][ T5341] __x64_sys_openat+0x138/0x170 [ 77.260092][ T5341] do_syscall_64+0xec/0xf80 [ 77.262261][ T5341] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 77.264969][ T5341] [ 77.264969][ T5341] other info that might help us debug this: [ 77.264969][ T5341] [ 77.269159][ T5341] Possible unsafe locking scenario: [ 77.269159][ T5341] [ 77.272295][ T5341] CPU0 CPU1 [ 77.274782][ T5341] ---- ---- [ 77.277059][ T5341] lock(&conn->lock#2); [ 77.279101][ T5341] lock((work_completion)(&(&conn->info_timer)->work)); [ 77.283426][ T5341] lock(&conn->lock#2); [ 77.286508][ T5341] lock((work_completion)(&(&conn->info_timer)->work)); [ 77.289765][ T5341] [ 77.289765][ T5341] *** DEADLOCK *** [ 77.289765][ T5341] [ 77.293471][ T5341] 8 locks held by syz.0.0/5341: [ 77.295633][ T5341] #0: ffffffff8e7a1ca8 (misc_mtx){+.+.}-{4:4}, at: misc_open+0x51/0x350 [ 77.299467][ T5341] #1: ffffffff8ddf09a8 (system_transition_mutex){+.+.}-{4:4}, at: lock_system_sleep+0x4a/0x70 [ 77.303881][ T5341] #2: ffffffff8de14770 ((pm_chain_head).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain_robust+0x65/0x100 [ 77.309283][ T5341] #3: ffff888036860ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_suspend_dev+0x285/0x530 [ 77.313678][ T5341] #4: ffff8880368600c0 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x242/0xe30 [ 77.318148][ T5341] #5: ffffffff8f485c88 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_failed+0x165/0x340 [ 77.322196][ T5341] #6: ffff8880367fbb38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0 [ 77.326132][ T5341] #7: ffffffff8df41aa0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0 [ 77.330250][ T5341] [ 77.330250][ T5341] stack backtrace: [ 77.333000][ T5341] CPU: 0 UID: 0 PID: 5341 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 77.333016][ T5341] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 77.333024][ T5341] Call Trace: [ 77.333032][ T5341] [ 77.333038][ T5341] dump_stack_lvl+0xe8/0x150 [ 77.333056][ T5341] print_circular_bug+0x2e2/0x300 [ 77.333072][ T5341] check_noncircular+0x12e/0x150 [ 77.333088][ T5341] __lock_acquire+0x15a6/0x2cf0 [ 77.333102][ T5341] ? do_raw_spin_lock+0x121/0x290 [ 77.333117][ T5341] ? __flush_work+0xd2/0xbc0 [ 77.333128][ T5341] lock_acquire+0x107/0x340 [ 77.333137][ T5341] ? __flush_work+0xd2/0xbc0 [ 77.333150][ T5341] ? __flush_work+0xd2/0xbc0 [ 77.333159][ T5341] __flush_work+0x6b8/0xbc0 [ 77.333169][ T5341] ? __flush_work+0xd2/0xbc0 [ 77.333180][ T5341] ? __flush_work+0xd2/0xbc0 [ 77.333190][ T5341] ? __pfx___flush_work+0x10/0x10 [ 77.333200][ T5341] ? __pfx_wq_barrier_func+0x10/0x10 [ 77.333215][ T5341] ? __cancel_work_sync+0x5c/0x110 [ 77.333225][ T5341] __cancel_work_sync+0xbe/0x110 [ 77.333236][ T5341] l2cap_conn_del+0x402/0x5b0 [ 77.333251][ T5341] l2cap_connect_cfm+0x122/0x10e0 [ 77.333265][ T5341] ? __pfx_l2cap_connect_cfm+0x10/0x10 [ 77.333279][ T5341] ? __pfx_l2cap_connect_cfm+0x10/0x10 [ 77.333292][ T5341] hci_conn_failed+0x1ce/0x340 [ 77.333305][ T5341] ? hci_abort_conn_sync+0x24e/0xe30 [ 77.333318][ T5341] hci_abort_conn_sync+0x658/0xe30 [ 77.333332][ T5341] ? __pfx_hci_abort_conn_sync+0x10/0x10 [ 77.333345][ T5341] ? hci_disconnect_all_sync+0x2e/0x350 [ 77.333358][ T5341] ? hci_disconnect_all_sync+0x2e/0x350 [ 77.333370][ T5341] ? hci_disconnect_all_sync+0x2e/0x350 [ 77.333383][ T5341] hci_disconnect_all_sync+0x1b5/0x350 [ 77.333396][ T5341] hci_suspend_sync+0x3fc/0xc90 [ 77.333409][ T5341] ? __pfx___mutex_lock+0x10/0x10 [ 77.333419][ T5341] ? __pfx_hci_suspend_sync+0x10/0x10 [ 77.333433][ T5341] ? _raw_spin_unlock_irqrestore+0x30/0x80 [ 77.333446][ T5341] ? __wake_up_common_lock+0x190/0x1f0 [ 77.333460][ T5341] hci_suspend_dev+0x28d/0x530 [ 77.333471][ T5341] ? __pfx_hci_suspend_dev+0x10/0x10 [ 77.333482][ T5341] ? rcu_barrier+0x474/0x570 [ 77.333496][ T5341] hci_suspend_notifier+0xf2/0x2f0 [ 77.333507][ T5341] notifier_call_chain+0x19d/0x3a0 [ 77.333520][ T5341] blocking_notifier_call_chain_robust+0x85/0x100 [ 77.333532][ T5341] pm_notifier_call_chain_robust+0x2c/0x60 [ 77.333542][ T5341] snapshot_open+0x19c/0x280 [ 77.333553][ T5341] ? __pfx_snapshot_open+0x10/0x10 [ 77.333563][ T5341] misc_open+0x2d5/0x350 [ 77.333576][ T5341] chrdev_open+0x4cc/0x5e0 [ 77.333586][ T5341] ? __pfx_chrdev_open+0x10/0x10 [ 77.333595][ T5341] ? fsnotify_open_perm_and_set_mode+0x113/0x610 [ 77.333609][ T5341] ? __pfx_chrdev_open+0x10/0x10 [ 77.333618][ T5341] do_dentry_open+0x7ce/0x1420 [ 77.333631][ T5341] vfs_open+0x3b/0x340 [ 77.333641][ T5341] ? path_openat+0x33f3/0x3dd0 [ 77.333650][ T5341] path_openat+0x340e/0x3dd0 [ 77.333667][ T5341] ? __pfx_stack_trace_save+0x10/0x10 [ 77.333679][ T5341] ? page_table_check_set+0x148/0x610 [ 77.333690][ T5341] ? kmem_cache_alloc_noprof+0x37d/0x710 [ 77.333702][ T5341] ? getname_flags+0xb8/0x540 [ 77.333711][ T5341] ? __pfx_path_openat+0x10/0x10 [ 77.333722][ T5341] ? __lock_acquire+0x6b6/0x2cf0 [ 77.333735][ T5341] do_filp_open+0x1fa/0x410 [ 77.333748][ T5341] ? __pfx_do_filp_open+0x10/0x10 [ 77.333763][ T5341] ? _raw_spin_unlock+0x28/0x50 [ 77.333776][ T5341] ? alloc_fd+0x64c/0x6c0 [ 77.333788][ T5341] do_sys_openat2+0x121/0x200 [ 77.333800][ T5341] ? __pfx_do_sys_openat2+0x10/0x10 [ 77.333810][ T5341] ? exc_page_fault+0x71/0xd0 [ 77.333825][ T5341] ? do_user_addr_fault+0xc85/0x1380 [ 77.333836][ T5341] __x64_sys_openat+0x138/0x170 [ 77.333849][ T5341] do_syscall_64+0xec/0xf80 [ 77.333858][ T5341] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 77.333868][ T5341] ? trace_irq_disable+0x37/0x100 [ 77.333881][ T5341] ? clear_bhb_loop+0x60/0xb0 [ 77.333892][ T5341] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 77.333904][ T5341] RIP: 0033:0x7f9646f8f7c9 [ 77.333914][ T5341] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 77.333923][ T5341] RSP: 002b:00007f9647e27038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 77.333935][ T5341] RAX: ffffffffffffffda RBX: 00007f96471e6180 RCX: 00007f9646f8f7c9 [ 77.333943][ T5341] RDX: 0000000000000800 RSI: 0000200000000200 RDI: ffffffffffffff9c [ 77.333951][ T5341] RBP: 00007f9647013f91 R08: 0000000000000000 R09: 0000000000000000 [ 77.333958][ T5341] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 77.333964][ T5341] R13: 00007f96471e6218 R14: 00007f96471e6180 R15: 00007ffce1ae83d8 [ 77.333975][ T5341] [ 78.024344][ T5317] Bluetooth: hci0: command 0x040f tx timeout [ 80.104478][ T5317] Bluetooth: hci0: command 0x040f tx timeout [ 82.183778][ T5317] Bluetooth: hci0: command 0x040f tx timeout