program:
ioctl$sock_bt_hci(0xffffffffffffffff, 0x400448cb, 0x0) (async)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r0, 0x400448df, 0x0) (async)
openat$snapshot(0xffffffffffffff9c, &(0x7f00000002c0), 0x40040, 0x0)

[ 84.709348][ T5308] Bluetooth: hci0: command tx timeout
[ 85.585838][ T5332] Bluetooth: hci0: Opcode 0x0c1a failed: -4
[ 85.588819][ T5332] Bluetooth: hci0: Opcode 0x0406 failed: -4
[ 85.596193][ T5332]
[ 85.597327][ T5332] ======================================================
[ 85.600307][ T5332] WARNING: possible circular locking dependency detected
[ 85.603212][ T5332] 6.16.0-rc3-syzkaller-00329-gdfba48a70cb6 #0 Not tainted
[ 85.605956][ T5332] ------------------------------------------------------
[ 85.608855][ T5332] syz.0.0/5332 is trying to acquire lock:
[ 85.611162][ T5332] ffff888033525040 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0
[ 85.615882][ T5332]
[ 85.615882][ T5332] but task is already holding lock:
[ 85.618753][ T5332] ffff888033525338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[ 85.622510][ T5332]
[ 85.622510][ T5332] which lock already depends on the new lock.
[ 85.622510][ T5332]
[ 85.627165][ T5332]
[ 85.627165][ T5332] the existing dependency chain (in reverse order) is:
[ 85.631128][ T5332]
[ 85.631128][ T5332] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[ 85.634413][ T5332]        lock_acquire+0x120/0x360
[ 85.636607][ T5332]        __mutex_lock+0x182/0xe80
[ 85.638721][ T5332]        l2cap_info_timeout+0x60/0xa0
[ 85.641064][ T5332]        process_scheduled_works+0xae1/0x17b0
[ 85.643646][ T5332]        worker_thread+0x8a0/0xda0
[ 85.645839][ T5332]        kthread+0x70e/0x8a0
[ 85.647902][ T5332]        ret_from_fork+0x3fc/0x770
[ 85.650056][ T5332]        ret_from_fork_asm+0x1a/0x30
[ 85.652552][ T5332]
[ 85.652552][ T5332] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 85.657080][ T5332]        validate_chain+0xb9b/0x2140
[ 85.659316][ T5332]        __lock_acquire+0xab9/0xd20
[ 85.661607][ T5332]        lock_acquire+0x120/0x360
[ 85.663794][ T5332]        __flush_work+0x6b8/0xbc0
[ 85.665933][ T5332]        __cancel_work_sync+0xbe/0x110
[ 85.668380][ T5332]        l2cap_conn_del+0x4f0/0x680
[ 85.670698][ T5332]        l2cap_connect_cfm+0x11d/0x1040
[ 85.673140][ T5332]        hci_conn_failed+0x1ce/0x310
[ 85.675416][ T5332]        hci_abort_conn_sync+0x5d1/0xdf0
[ 85.677907][ T5332]        hci_disconnect_all_sync+0x1b5/0x350
[ 85.680976][ T5332]        hci_suspend_sync+0x3b8/0xc00
[ 85.683691][ T5332]        hci_suspend_dev+0x28d/0x4d0
[ 85.686007][ T5332]        hci_suspend_notifier+0xf2/0x290
[ 85.688484][ T5332]        notifier_call_chain+0x1b3/0x3e0
[ 85.690810][ T5332]        blocking_notifier_call_chain_robust+0x85/0x100
[ 85.693678][ T5332]        pm_notifier_call_chain_robust+0x2c/0x60
[ 85.696338][ T5332]        snapshot_open+0x19c/0x280
[ 85.698612][ T5332]        misc_open+0x2b9/0x330
[ 85.700837][ T5332]        chrdev_open+0x4c9/0x5e0
[ 85.702962][ T5332]        do_dentry_open+0xdf0/0x1970
[ 85.705363][ T5332]        vfs_open+0x3b/0x340
[ 85.707444][ T5332]        path_openat+0x2ee5/0x3830
[ 85.709572][ T5332]        do_filp_open+0x1fa/0x410
[ 85.711662][ T5332]        do_sys_openat2+0x121/0x1c0
[ 85.713846][ T5332]        __x64_sys_openat+0x138/0x170
[ 85.716147][ T5332]        do_syscall_64+0xfa/0x3b0
[ 85.718264][ T5332]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.720936][ T5332]
[ 85.720936][ T5332] other info that might help us debug this:
[ 85.720936][ T5332]
[ 85.725151][ T5332]  Possible unsafe locking scenario:
[ 85.725151][ T5332]
[ 85.728364][ T5332]        CPU0                    CPU1
[ 85.730659][ T5332]        ----                    ----
[ 85.733048][ T5332]   lock(&conn->lock#2);
[ 85.734898][ T5332]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 85.739109][ T5332]                                lock(&conn->lock#2);
[ 85.741956][ T5332]   lock((work_completion)(&(&conn->info_timer)->work));
[ 85.744935][ T5332]
[ 85.744935][ T5332]  *** DEADLOCK ***
[ 85.744935][ T5332]
[ 85.748218][ T5332] 8 locks held by syz.0.0/5332:
[ 85.749990][ T5332]  #0: ffffffff8e9c20c8 (misc_mtx){+.+.}-{4:4}, at: misc_open+0x51/0x330
[ 85.753530][ T5332]  #1: ffffffff8dfee228 (system_transition_mutex){+.+.}-{4:4}, at: lock_system_sleep+0x4a/0x70
[ 85.758033][ T5332]  #2: ffffffff8e012710 ((pm_chain_head).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain_robust+0x65/0x100
[ 85.763191][ T5332]  #3: ffff888033c6cdc0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_suspend_dev+0x285/0x4d0
[ 85.767225][ T5332]  #4: ffff888033c6c0b8 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x1eb/0xdf0
[ 85.771354][ T5332]  #5: ffffffff8f677868 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_failed+0x165/0x310
[ 85.776038][ T5332]  #6: ffff888033525338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x70/0x680
[ 85.780371][ T5332]  #7: ffffffff8e13ee60 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0
[ 85.784271][ T5332]
[ 85.784271][ T5332] stack backtrace:
[ 85.786913][ T5332] CPU: 0 UID: 0 PID: 5332 Comm: syz.0.0 Not tainted 6.16.0-rc3-syzkaller-00329-gdfba48a70cb6 #0 PREEMPT(full)
[ 85.786929][ T5332] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 85.786936][ T5332] Call Trace:
[ 85.786945][ T5332]
[ 85.786951][ T5332]  dump_stack_lvl+0x189/0x250
[ 85.786973][ T5332]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 85.786988][ T5332]  ? __pfx__printk+0x10/0x10
[ 85.787000][ T5332]  ? print_lock_name+0xde/0x100
[ 85.787011][ T5332]  print_circular_bug+0x2ee/0x310
[ 85.787023][ T5332]  check_noncircular+0x134/0x160
[ 85.787033][ T5332]  validate_chain+0xb9b/0x2140
[ 85.787044][ T5332]  ? do_raw_spin_lock+0x121/0x290
[ 85.787057][ T5332]  ? look_up_lock_class+0x74/0x170
[ 85.787079][ T5332]  ? register_lock_class+0x51/0x320
[ 85.787094][ T5332]  __lock_acquire+0xab9/0xd20
[ 85.787109][ T5332]  ? __flush_work+0xd2/0xbc0
[ 85.787119][ T5332]  lock_acquire+0x120/0x360
[ 85.787132][ T5332]  ? __flush_work+0xd2/0xbc0
[ 85.787143][ T5332]  ? _raw_spin_unlock_irq+0x23/0x50
[ 85.787157][ T5332]  ? __flush_work+0xd2/0xbc0
[ 85.787166][ T5332]  __flush_work+0x6b8/0xbc0
[ 85.787176][ T5332]  ? __flush_work+0xd2/0xbc0
[ 85.787186][ T5332]  ? __flush_work+0xd2/0xbc0
[ 85.787195][ T5332]  ? __pfx___flush_work+0x10/0x10
[ 85.787205][ T5332]  ? __pfx_wq_barrier_func+0x10/0x10
[ 85.787223][ T5332]  ? __pfx___cancel_work+0x10/0x10
[ 85.787244][ T5332]  ? rcu_is_watching+0x15/0xb0
[ 85.787260][ T5332]  __cancel_work_sync+0xbe/0x110
[ 85.787269][ T5332]  l2cap_conn_del+0x4f0/0x680
[ 85.787279][ T5332]  l2cap_connect_cfm+0x11d/0x1040
[ 85.787288][ T5332]  ? __pfx_l2cap_connect_cfm+0x10/0x10
[ 85.787300][ T5332]  ? __pfx_l2cap_connect_cfm+0x10/0x10
[ 85.787311][ T5332]  hci_conn_failed+0x1ce/0x310
[ 85.787323][ T5332]  ? hci_abort_conn_sync+0x1f7/0xdf0
[ 85.787333][ T5332]  hci_abort_conn_sync+0x5d1/0xdf0
[ 85.787343][ T5332]  ? __lock_acquire+0xab9/0xd20
[ 85.787358][ T5332]  ? __pfx_hci_abort_conn_sync+0x10/0x10
[ 85.787369][ T5332]  ? hci_disconnect_all_sync+0x2e/0x350
[ 85.787408][ T5332]  ? hci_disconnect_all_sync+0x2e/0x350
[ 85.787419][ T5332]  ? hci_disconnect_all_sync+0x2e/0x350
[ 85.787429][ T5332]  hci_disconnect_all_sync+0x1b5/0x350
[ 85.787447][ T5332]  hci_suspend_sync+0x3b8/0xc00
[ 85.787463][ T5332]  ? __pfx___mutex_lock+0x10/0x10
[ 85.787477][ T5332]  ? enable_work+0x258/0x2c0
[ 85.787487][ T5332]  ? __pfx_hci_suspend_sync+0x10/0x10
[ 85.787498][ T5332]  ? mgmt_pending_find+0x152/0x170
[ 85.787511][ T5332]  ? hci_cmd_sync_cancel_sync+0xc9/0x190
[ 85.787529][ T5332]  hci_suspend_dev+0x28d/0x4d0
[ 85.787546][ T5332]  ? __pfx_hci_suspend_dev+0x10/0x10
[ 85.787560][ T5332]  ? rcu_barrier+0x474/0x570
[ 85.787573][ T5332]  hci_suspend_notifier+0xf2/0x290
[ 85.787588][ T5332]  notifier_call_chain+0x1b3/0x3e0
[ 85.787605][ T5332]  blocking_notifier_call_chain_robust+0x85/0x100
[ 85.787617][ T5332]  pm_notifier_call_chain_robust+0x2c/0x60
[ 85.787631][ T5332]  snapshot_open+0x19c/0x280
[ 85.787646][ T5332]  ? __pfx_snapshot_open+0x10/0x10
[ 85.787663][ T5332]  misc_open+0x2b9/0x330
[ 85.787677][ T5332]  chrdev_open+0x4c9/0x5e0
[ 85.787690][ T5332]  ? __pfx_chrdev_open+0x10/0x10
[ 85.787702][ T5332]  ? __pfx_chrdev_open+0x10/0x10
[ 85.787713][ T5332]  do_dentry_open+0xdf0/0x1970
[ 85.787728][ T5332]  vfs_open+0x3b/0x340
[ 85.787739][ T5332]  ? path_openat+0x2ecd/0x3830
[ 85.787754][ T5332]  path_openat+0x2ee5/0x3830
[ 85.787767][ T5332]  ? arch_stack_walk+0xfc/0x150
[ 85.787785][ T5332]  ? __pfx_path_openat+0x10/0x10
[ 85.787798][ T5332]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.787811][ T5332]  do_filp_open+0x1fa/0x410
[ 85.787824][ T5332]  ? __lock_acquire+0xab9/0xd20
[ 85.787838][ T5332]  ? __pfx_do_filp_open+0x10/0x10
[ 85.787856][ T5332]  ? _raw_spin_unlock+0x28/0x50
[ 85.787868][ T5332]  ? alloc_fd+0x64c/0x6c0
[ 85.787880][ T5332]  do_sys_openat2+0x121/0x1c0
[ 85.787894][ T5332]  ? __pfx_do_sys_openat2+0x10/0x10
[ 85.787908][ T5332]  ? rcu_is_watching+0x15/0xb0
[ 85.787923][ T5332]  __x64_sys_openat+0x138/0x170
[ 85.787937][ T5332]  do_syscall_64+0xfa/0x3b0
[ 85.787952][ T5332]  ? lockdep_hardirqs_on+0x9c/0x150
[ 85.787965][ T5332]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.787974][ T5332]  ? clear_bhb_loop+0x60/0xb0
[ 85.787985][ T5332]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.787995][ T5332] RIP: 0033:0x7f86c4d8e929
[ 85.788007][ T5332] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 85.788016][ T5332] RSP: 002b:00007f86c5c58038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 85.788028][ T5332] RAX: ffffffffffffffda RBX: 00007f86c4fb5fa0 RCX: 00007f86c4d8e929
[ 85.788036][ T5332] RDX: 0000000000040040 RSI: 00002000000002c0 RDI: ffffffffffffff9c
[ 85.788044][ T5332] RBP: 00007f86c4e10b39 R08: 0000000000000000 R09: 0000000000000000
[ 85.788050][ T5332] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 85.788055][ T5332] R13: 0000000000000000 R14: 00007f86c4fb5fa0 R15: 00007ffdf30a2678
[ 85.788067][ T5332]
[ 86.712487][ T9] cfg80211: failed to load regulatory.db
[ 86.872136][ T5308] Bluetooth: hci0: command 0x040f tx timeout
[ 88.954329][ T5308] Bluetooth: hci0: command 0x040f tx timeout
[ 91.032171][ T5308] Bluetooth: hci0: command 0x040f tx timeout