program: ioctl$SIOCSIFHWADDR(0xffffffffffffffff, 0x8924, &(0x7f0000000000)={'macvtap0\x00', @link_local={0x1, 0x80, 0xc2, 0x0, 0x0, 0x3}}) r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) r1 = socket$igmp6(0xa, 0x3, 0x2) setsockopt$MRT6_INIT(r1, 0x29, 0xc8, &(0x7f00000000c0), 0x4) ioctl$sock_ifreq(r0, 0x8910, &(0x7f0000000000)={'veth0_vlan\x00', @ifru_ivalue=0x7}) ioctl$sock_netdev_private(r0, 0x8949, &(0x7f0000000000)) pipe2$9p(&(0x7f0000000500)={0xffffffffffffffff}, 0x80) mount$9p_fd(0x0, &(0x7f0000000480)='./file0\x00', &(0x7f00000004c0), 0x141070, &(0x7f0000000580)={'trans=fd,', {'rfdno', 0x3d, r2}, 0x2c, {'wfdno', 0x3d, r0}, 0x2c, {[{@ignoreqv}, {@directio}, {@cache_fscache}, {@ignoreqv}, {@mmap}, {@mmap}], [{@dont_measure}, {@smackfsdef={'smackfsdef', 0x3d, 'gre0\x00'}}]}}) setsockopt$netlink_NETLINK_TX_RING(0xffffffffffffffff, 0x10e, 0xc, 0x0, 0x0) r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) r4 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0) connect$bt_l2cap(r4, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe) r5 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6) ioctl$sock_bt_hidp_HIDPCONNADD(r5, 0x400448c8, &(0x7f0000000280)={r4, r4, 0xc, 0x1, &(0x7f0000000340)='\x00', 0x9, 0x1, 0x457, 0x9, 0x9, 0x1, 0x1, 'syz1\x00'}) ioctl$sock_bt_hci(r3, 0x400448ca, 0x0) socket$nl_route(0x10, 0x3, 0x0) r6 = socket$nl_generic(0x10, 0x3, 0x10) r7 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000180), 0xffffffffffffffff) ioctl$sock_ipv4_tunnel_SIOCGETTUNNEL(0xffffffffffffffff, 0x89f0, &(0x7f00000001c0)={'gre0\x00', &(0x7f0000000240)={'gre0\x00', 0x0, 0x7, 0x700, 0x63ae, 0x0, {{0x24, 0x4, 0x2, 0x3a, 0x90, 0x67, 0x0, 0xf5, 0x29, 0x0, @loopback, @local, {[@noop, @cipso={0x86, 0x2f, 0x3, [{0x5, 0x3, 'r'}, {0x1, 0x3, "1c"}, {0x1, 0xa, "61f1ec423102c47c"}, {0x6, 0xa, "308c6515465f1679"}, {0x2, 0xf, "cde8c60c1e4dcf5afa472b98d4"}]}, @end, @rr={0x7, 0x13, 0x93, [@initdev={0xac, 0x1e, 0x1, 0x0}, @multicast1, @dev={0xac, 0x14, 0x14, 0x35}, @empty]}, 
@timestamp_addr={0x44, 0x14, 0x4f, 0x1, 0x9, [{@initdev={0xac, 0x1e, 0x0, 0x0}, 0xe4f4}, {@multicast2, 0x2}]}, @noop, @timestamp={0x44, 0x1c, 0x4e, 0x0, 0x3, [0x1, 0x4, 0x800, 0xff, 0x6, 0x8]}, @noop, @ra={0x94, 0x4}]}}}}}) getsockopt$PNPIPE_IFINDEX(0xffffffffffffffff, 0x113, 0x2, &(0x7f0000000300)=0x0, &(0x7f0000000340)=0x4) sendmsg$ETHTOOL_MSG_RINGS_GET(r6, &(0x7f0000000440)={&(0x7f0000000140)={0x10, 0x0, 0x0, 0x400}, 0xc, &(0x7f0000000400)={&(0x7f0000000380)={0x4c, r7, 0x800, 0x70bd25, 0x25dfdbfd, {}, [@HEADER={0x38, 0x1, 0x0, 0x1, [@ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x1}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r8}, @ETHTOOL_A_HEADER_FLAGS={0x8, 0x3, 0x3}, @ETHTOOL_A_HEADER_DEV_INDEX={0x8, 0x1, r9}, @ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'bond_slave_1\x00'}]}]}, 0x4c}, 0x1, 0x0, 0x0, 0x4800}, 0x0) syz_emit_ethernet(0x3e, &(0x7f0000000000)=ANY=[@ANYBLOB="aaaaaa80c200000108"], 0x0) r10 = openat$mice(0xffffffffffffff9c, &(0x7f0000000100), 0x410280) ioctl$KVM_GET_CLOCK(r10, 0x8030ae7c, &(0x7f0000000200)) bpf$MAP_CREATE(0x0, &(0x7f0000000000)=ANY=[@ANYBLOB='&\x00\x00\x00\a'], 0x50) syz_mount_image$ext4(&(0x7f0000000080)='ext4\x00', &(0x7f00000007c0)='./file0\x00', 0x480, &(0x7f0000000000), 0x1, 0x77d, 
&(0x7f0000000f80)="$eJzs3c1rHOUfAPDvbPPSX9qfjSBoPQUEDZRuTI2tgoeKBxEsFPRsGzbbULPJluymNCFgiwheBBUPgl569qXevPpy1f/Cg7RUTYMVDxKZzWy6aXbTJGazDfv5wLTPM/Nsnue7z8w8z+4MOwF0raH0n1zE0Yj4MIk4kq1PIqK3luqJOL1a7u7SYiFdklhZeeP3pFZmeWmxEA2vSR3KMk9ExA/vRRzLbay3Mr8wNV4qFWez/Eh1+tJIZX7h+MXp8cniZHHm5OjY2IlTz586uXux/vnzwuFbH736zNen/3738Rsf/JjE6TicbVvu3b166oZiKHtPetO3cJ1X4p3dr7CDkk43gB1JD80Dq0d5HE3SdE+nmwQAtFk6C10BALpMYvwHgC5T/x5geWmxUF86+43E3rr9ckQcXI2/fn1zdUtPds3uYO066MBysu7KSBIRg7tQ/1BEfP7tW1+mS9x3PRWgna5ei4jzg0Mbz//JhnsWtuvZLZQZui/v/Ad757t0/vNCs/lfbm3+E03mP/1Njt2dePDxn7u5C9W0lM7/Xmq4t+1uQ/yZwQNZ7v+1OV9vcuFiqZie2x6JiOHo7U/zo5vUMXznnzvr1/StpRrnf398/PYXaf3p//fK5m729K9/9cR4dfy/xl13+1rEkz3N4k/W+j9pMf89u8U6Xnvx/c9abUvjT+OtLxvjb6+V6xFPN+3/e3e0JZvenzhS2x1G6jtFE9/88ulAq/ob+z9d0vrrnwX2Qtr/A5vHP5g03q9Z2X4dP10/8n2rbQ+Ov/n+35e8WUvXj6Qr49Xq7GhEX/L6xvUn7r22nq+XT+Mffqr58b/Z/p9+Jjy/xfh7bv321c7jb680/olt9X/TxIGsbNMyN+6ubd9ga/0/VksNZ2u2cv7LKu9v3eSd7s0AAAAAAAAAAAAAAAAAAAAAAAAAsH25iDgcSS6/ls7l8vnVZ3g/FgO5UrlSPXahPDczEbVnZQ9Gb67+U5dHGn4PdTT7Pfx6/sR9+eci4tGI+KT/f7V8vlAuTXQ6eAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADIHGrx/P/Ur/2dbh0A0DYHO90AAGDPGf8BoPsY/wGg+xj/AaD7GP8BoPsY/wEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGizs2fOpMvKX0uLhTQ/cXl+bqp8+fhEsTKVn54r5Avl2Uv5yXJ5slTMF8rTD/p7pXL50ljMzF0ZqRYr1ZHK/MK56fLcTPXcxenxyeK5Yu+eRAUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA21OZX5gaL5WKs/s6cfXhaEbbEz1Zrz0s7dkfib6Hoxn7LNHhExMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAPvFvAAAA//8FqyE2") bind$bt_hci(0xffffffffffffffff, &(0x7f0000000540)={0x1f, 0xfffe}, 0x6) write$binfmt_misc(0xffffffffffffffff, &(0x7f0000000000), 0xd) syz_emit_ethernet(0x6a, &(0x7f0000000000)={@local, @link_local, @void, {@ipv4={0x800, @udp={{0x5, 0x4, 0x0, 0x0, 0x5c, 0x0, 0x0, 0x0, 0x11, 0x0, @empty, @empty}, {0x0, 0x4e20, 0x48, 0x0, @wg=@cookie={0x3, 0x0, "6d4dfdeb8cf7bbfe143803bec2ce783e04cd32308cdd8dde", "c71cb8adfce542a4bc5a026c208fd0c45787e4aa384e3d26b21ea41cc128364c"}}}}}}, 0x0) [ 86.029852][ T4673] Bluetooth: hci0: command tx timeout [ 86.145547][ T5324] hid-multitouch 0005:0457:0009.0002: unknown main item tag 0x0 [ 86.164999][ T5324] hid-multitouch 0005:0457:0009.0002: hidraw1: BLUETOOTH HID v0.09 Device [syz1] on aa:aa:aa:aa:aa:aa [ 86.218890][ T5335] [ 86.219969][ T5335] ====================================================== [ 86.222403][ T5335] WARNING: possible circular locking dependency detected [ 86.225073][ T5335] 6.16.0-rc2-syzkaller-00162-g41687a5c6f8b #0 Not tainted [ 86.227739][ T5335] ------------------------------------------------------ [ 86.230310][ T5335] syz.0.0/5335 is trying to acquire lock: [ 86.232557][ T5335] ffff888045d58840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0 [ 86.237130][ T5335] [ 86.237130][ T5335] but task is already holding lock: [ 86.240323][ T5335] ffff888045d58b38 (&conn->lock#2){+.+.}-{4:4}, at: 
l2cap_conn_del+0x70/0x680 [ 86.243937][ T5335] [ 86.243937][ T5335] which lock already depends on the new lock. [ 86.243937][ T5335] [ 86.248074][ T5335] [ 86.248074][ T5335] the existing dependency chain (in reverse order) is: [ 86.251647][ T5335] [ 86.251647][ T5335] -> #1 (&conn->lock#2){+.+.}-{4:4}: [ 86.255040][ T5335] lock_acquire+0x120/0x360 [ 86.257115][ T5335] __mutex_lock+0x182/0xe80 [ 86.259241][ T5335] l2cap_info_timeout+0x60/0xa0 [ 86.261422][ T5335] process_scheduled_works+0xae1/0x17b0 [ 86.264306][ T5335] worker_thread+0x8a0/0xda0 [ 86.267116][ T5335] kthread+0x70e/0x8a0 [ 86.269175][ T5335] ret_from_fork+0x3f9/0x770 [ 86.271361][ T5335] ret_from_fork_asm+0x1a/0x30 [ 86.273570][ T5335] [ 86.273570][ T5335] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}: [ 86.277684][ T5335] validate_chain+0xb9b/0x2140 [ 86.279963][ T5335] __lock_acquire+0xab9/0xd20 [ 86.282182][ T5335] lock_acquire+0x120/0x360 [ 86.284374][ T5335] __flush_work+0x6b8/0xbc0 [ 86.286521][ T5335] __cancel_work_sync+0xbe/0x110 [ 86.288834][ T5335] l2cap_conn_del+0x4f0/0x680 [ 86.290901][ T5335] hci_conn_hash_flush+0x10d/0x230 [ 86.293234][ T5335] hci_dev_close_sync+0xaef/0x1330 [ 86.295681][ T5335] hci_dev_close+0x106/0x200 [ 86.297839][ T5335] sock_do_ioctl+0xd9/0x300 [ 86.299987][ T5335] sock_ioctl+0x576/0x790 [ 86.302095][ T5335] __se_sys_ioctl+0xfc/0x170 [ 86.304425][ T5335] do_syscall_64+0xfa/0x3b0 [ 86.306730][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.309471][ T5335] [ 86.309471][ T5335] other info that might help us debug this: [ 86.309471][ T5335] [ 86.313882][ T5335] Possible unsafe locking scenario: [ 86.313882][ T5335] [ 86.317206][ T5335] CPU0 CPU1 [ 86.319545][ T5335] ---- ---- [ 86.321867][ T5335] lock(&conn->lock#2); [ 86.323710][ T5335] lock((work_completion)(&(&conn->info_timer)->work)); [ 86.327877][ T5335] lock(&conn->lock#2); [ 86.330824][ T5335] lock((work_completion)(&(&conn->info_timer)->work)); [ 86.333838][ T5335] [ 86.333838][ 
T5335] *** DEADLOCK *** [ 86.333838][ T5335] [ 86.337442][ T5335] 5 locks held by syz.0.0/5335: [ 86.339566][ T5335] #0: ffff8880338f0d80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0xfe/0x200 [ 86.343783][ T5335] #1: ffff8880338f0078 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x66a/0x1330 [ 86.347898][ T5335] #2: ffffffff8f6783a8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x230 [ 86.352184][ T5335] #3: ffff888045d58b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680 [ 86.356339][ T5335] #4: ffffffff8e13eda0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0 [ 86.360415][ T5335] [ 86.360415][ T5335] stack backtrace: [ 86.363017][ T5335] CPU: 0 UID: 0 PID: 5335 Comm: syz.0.0 Not tainted 6.16.0-rc2-syzkaller-00162-g41687a5c6f8b #0 PREEMPT(full) [ 86.363033][ T5335] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 86.363040][ T5335] Call Trace: [ 86.363047][ T5335] <TASK> [ 86.363053][ T5335] dump_stack_lvl+0x189/0x250 [ 86.363076][ T5335] ? __pfx_dump_stack_lvl+0x10/0x10 [ 86.363091][ T5335] ? __pfx__printk+0x10/0x10 [ 86.363103][ T5335] ? print_lock_name+0xde/0x100 [ 86.363113][ T5335] print_circular_bug+0x2ee/0x310 [ 86.363123][ T5335] check_noncircular+0x134/0x160 [ 86.363137][ T5335] validate_chain+0xb9b/0x2140 [ 86.363147][ T5335] ? do_raw_spin_lock+0x121/0x290 [ 86.363160][ T5335] ? look_up_lock_class+0x74/0x170 [ 86.363178][ T5335] ? register_lock_class+0x51/0x320 [ 86.363218][ T5335] __lock_acquire+0xab9/0xd20 [ 86.363238][ T5335] ? __flush_work+0xd2/0xbc0 [ 86.363248][ T5335] lock_acquire+0x120/0x360 [ 86.363265][ T5335] ? __flush_work+0xd2/0xbc0 [ 86.363277][ T5335] ? _raw_spin_unlock_irq+0x23/0x50 [ 86.363291][ T5335] ? __flush_work+0xd2/0xbc0 [ 86.363300][ T5335] __flush_work+0x6b8/0xbc0 [ 86.363312][ T5335] ? __flush_work+0xd2/0xbc0 [ 86.363323][ T5335] ? __flush_work+0xd2/0xbc0 [ 86.363334][ T5335] ? __pfx___flush_work+0x10/0x10 [ 86.363345][ T5335] ? 
__pfx_wq_barrier_func+0x10/0x10 [ 86.363364][ T5335] ? __pfx___cancel_work+0x10/0x10 [ 86.363376][ T5335] ? hci_conn_drop+0x14d/0x280 [ 86.363393][ T5335] __cancel_work_sync+0xbe/0x110 [ 86.363404][ T5335] l2cap_conn_del+0x4f0/0x680 [ 86.363419][ T5335] ? __pfx_l2cap_disconn_cfm+0x10/0x10 [ 86.363431][ T5335] hci_conn_hash_flush+0x10d/0x230 [ 86.363444][ T5335] hci_dev_close_sync+0xaef/0x1330 [ 86.363457][ T5335] ? __pfx_hci_dev_close_sync+0x10/0x10 [ 86.363469][ T5335] hci_dev_close+0x106/0x200 [ 86.363482][ T5335] sock_do_ioctl+0xd9/0x300 [ 86.363498][ T5335] ? __pfx_sock_do_ioctl+0x10/0x10 [ 86.363513][ T5335] ? __lock_acquire+0xab9/0xd20 [ 86.363539][ T5335] sock_ioctl+0x576/0x790 [ 86.363555][ T5335] ? __pfx_sock_ioctl+0x10/0x10 [ 86.363571][ T5335] ? __fget_files+0x2a/0x420 [ 86.363582][ T5335] ? __fget_files+0x3a0/0x420 [ 86.363593][ T5335] ? __fget_files+0x2a/0x420 [ 86.363604][ T5335] ? bpf_lsm_file_ioctl+0x9/0x20 [ 86.363618][ T5335] ? __pfx_sock_ioctl+0x10/0x10 [ 86.363633][ T5335] __se_sys_ioctl+0xfc/0x170 [ 86.363651][ T5335] do_syscall_64+0xfa/0x3b0 [ 86.363663][ T5335] ? lockdep_hardirqs_on+0x9c/0x150 [ 86.363677][ T5335] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.363687][ T5335] ? 
clear_bhb_loop+0x60/0xb0 [ 86.363700][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.363710][ T5335] RIP: 0033:0x7f5cf1f8e929 [ 86.363721][ T5335] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 86.363732][ T5335] RSP: 002b:00007f5cf2e2c038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 86.363746][ T5335] RAX: ffffffffffffffda RBX: 00007f5cf21b6080 RCX: 00007f5cf1f8e929 [ 86.363754][ T5335] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000008 [ 86.363761][ T5335] RBP: 00007f5cf2010b39 R08: 0000000000000000 R09: 0000000000000000 [ 86.363767][ T5335] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 86.363772][ T5335] R13: 0000000000000000 R14: 00007f5cf21b6080 R15: 00007ffd3181e6a8 [ 86.363782][ T5335] </TASK> [ 86.516202][ T5337] fido_id[5337]: Failed to open report descriptor at '/sys/devices/virtual/bluetooth/hci0/hci0:200/report_descriptor': No such file or directory [ 86.561875][ T5334] loop0: detected capacity change from 0 to 2048 [ 86.565705][ T9] e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: None [ 86.614905][ T10] cfg80211: failed to load regulatory.db [ 86.639327][ T5334] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none. [ 88.044687][ T5308] Bluetooth: hci0: command tx timeout [ 89.325030][ T5341] EXT4-fs error (device loop0): ext4_mb_generate_buddy:1220: group 0, block bitmap and bg descriptor inconsistent: 25 vs 281 free clusters [ 90.124928][ T5308] Bluetooth: hci0: command tx timeout [ 92.204530][ T5308] Bluetooth: hci0: command tx timeout