program:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
bind$bt_hci(r0, &(0x7f0000000040)={0x1f, 0x0, 0x1}, 0x6)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r1, 0x400448e3, &(0x7f0000000040)={0x0, 0x0, "961a58"})

[ 85.529862][ T47] Bluetooth: hci0: command tx timeout
[ 85.539934][ T5326]
[ 85.541709][ T5326] ======================================================
[ 85.544721][ T5326] WARNING: possible circular locking dependency detected
[ 85.547591][ T5326] syzkaller #0 Not tainted
[ 85.549563][ T5326] ------------------------------------------------------
[ 85.555148][ T5326] kworker/0:6/5326 is trying to acquire lock:
[ 85.560455][ T5326] ffff8880123e0b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 85.564561][ T5326]
[ 85.564561][ T5326] but task is already holding lock:
[ 85.567745][ T5326] ffffc9000c3efbc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa0f/0x17a0
[ 85.573139][ T5326]
[ 85.573139][ T5326] which lock already depends on the new lock.
[ 85.573139][ T5326]
[ 85.577662][ T5326]
[ 85.577662][ T5326] the existing dependency chain (in reverse order) is:
[ 85.581153][ T5326]
[ 85.581153][ T5326] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 85.585661][ T5326]        __flush_work+0x700/0xc50
[ 85.588168][ T5326]        __cancel_work_sync+0xbe/0x110
[ 85.590559][ T5326]        l2cap_conn_del+0x402/0x5b0
[ 85.592881][ T5326]        hci_conn_hash_flush+0x10d/0x260
[ 85.595315][ T5326]        hci_dev_close_sync+0x821/0x10e0
[ 85.597678][ T5326]        hci_dev_close+0x108/0x260
[ 85.600230][ T5326]        sock_do_ioctl+0x101/0x320
[ 85.602805][ T5326]        sock_ioctl+0x5c6/0x7f0
[ 85.605430][ T5326]        __se_sys_ioctl+0xfc/0x170
[ 85.608225][ T5326]        do_syscall_64+0xe2/0xf80
[ 85.610546][ T5326]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.613437][ T5326]
[ 85.613437][ T5326] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 85.616776][ T5326]        __lock_acquire+0x15a5/0x2cf0
[ 85.619066][ T5326]        lock_acquire+0x106/0x330
[ 85.621289][ T5326]        __mutex_lock+0x19f/0x1300
[ 85.623635][ T5326]        l2cap_info_timeout+0x60/0xa0
[ 85.625983][ T5326]        process_scheduled_works+0xaec/0x17a0
[ 85.628488][ T5326]        worker_thread+0xda6/0x1360
[ 85.630746][ T5326]        kthread+0x726/0x8b0
[ 85.632628][ T5326]        ret_from_fork+0x51b/0xa40
[ 85.634759][ T5326]        ret_from_fork_asm+0x1a/0x30
[ 85.636915][ T5326]
[ 85.636915][ T5326] other info that might help us debug this:
[ 85.636915][ T5326]
[ 85.641460][ T5326] Possible unsafe locking scenario:
[ 85.641460][ T5326]
[ 85.644710][ T5326]        CPU0                    CPU1
[ 85.647002][ T5326]        ----                    ----
[ 85.649314][ T5326]   lock((work_completion)(&(&conn->info_timer)->work));
[ 85.652031][ T5326]                                lock(&conn->lock#2);
[ 85.654671][ T5326]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 85.658596][ T5326]   lock(&conn->lock#2);
[ 85.660492][ T5326]
[ 85.660492][ T5326] *** DEADLOCK ***
[ 85.660492][ T5326]
[ 85.664056][ T5326] 2 locks held by kworker/0:6/5326:
[ 85.666424][ T5326] #0: ffff88801a867548 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9d4/0x17a0
[ 85.671031][ T5326] #1: ffffc9000c3efbc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa0f/0x17a0
[ 85.676468][ T5326]
[ 85.676468][ T5326] stack backtrace:
[ 85.679066][ T5326] CPU: 0 UID: 0 PID: 5326 Comm: kworker/0:6 Not tainted syzkaller #0 PREEMPT(full)
[ 85.679077][ T5326] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 85.679085][ T5326] Workqueue: events l2cap_info_timeout
[ 85.679104][ T5326] Call Trace:
[ 85.679112][ T5326]
[ 85.679117][ T5326]  dump_stack_lvl+0xe8/0x150
[ 85.679133][ T5326]  print_circular_bug+0x2e1/0x300
[ 85.679146][ T5326]  check_noncircular+0x12e/0x150
[ 85.679158][ T5326]  __lock_acquire+0x15a5/0x2cf0
[ 85.679173][ T5326]  ? __schedule+0x1538/0x51d0
[ 85.679191][ T5326]  ? l2cap_info_timeout+0x60/0xa0
[ 85.679200][ T5326]  lock_acquire+0x106/0x330
[ 85.679213][ T5326]  ? l2cap_info_timeout+0x60/0xa0
[ 85.679226][ T5326]  __mutex_lock+0x19f/0x1300
[ 85.679237][ T5326]  ? l2cap_info_timeout+0x60/0xa0
[ 85.679248][ T5326]  ? irqentry_exit+0x59c/0x620
[ 85.679258][ T5326]  ? lockdep_hardirqs_on+0x7a/0x110
[ 85.679268][ T5326]  ? l2cap_info_timeout+0x60/0xa0
[ 85.679274][ T5326]  ? irqentry_exit+0x59c/0x620
[ 85.679281][ T5326]  ? __pfx___mutex_lock+0x10/0x10
[ 85.679292][ T5326]  ? lock_acquire+0x221/0x330
[ 85.679305][ T5326]  l2cap_info_timeout+0x60/0xa0
[ 85.679314][ T5326]  ? process_scheduled_works+0xa0f/0x17a0
[ 85.679330][ T5326]  process_scheduled_works+0xaec/0x17a0
[ 85.679351][ T5326]  ? __pfx_process_scheduled_works+0x10/0x10
[ 85.679366][ T5326]  ? do_raw_spin_lock+0x12b/0x2f0
[ 85.679379][ T5326]  ? __pfx_do_raw_spin_lock+0x10/0x10
[ 85.679388][ T5326]  ? schedule+0x90/0x360
[ 85.679404][ T5326]  worker_thread+0xda6/0x1360
[ 85.679413][ T5326]  ? __kthread_parkme+0x19c/0x1f0
[ 85.679421][ T5326]  kthread+0x726/0x8b0
[ 85.679432][ T5326]  ? __pfx_worker_thread+0x10/0x10
[ 85.679440][ T5326]  ? __pfx_kthread+0x10/0x10
[ 85.679451][ T5326]  ? _raw_spin_unlock_irq+0x23/0x50
[ 85.679465][ T5326]  ? __pfx_kthread+0x10/0x10
[ 85.679477][ T5326]  ret_from_fork+0x51b/0xa40
[ 85.679488][ T5326]  ? __pfx_ret_from_fork+0x10/0x10
[ 85.679497][ T5326]  ? __switch_to+0xc82/0x1410
[ 85.679512][ T5326]  ? __pfx_kthread+0x10/0x10
[ 85.679523][ T5326]  ret_from_fork_asm+0x1a/0x30
[ 85.679536][ T5326]
[ 87.580172][ T47] Bluetooth: hci0: command tx timeout
[ 89.659954][ T47] Bluetooth: hci0: command tx timeout
[ 91.740405][ T10] cfg80211: failed to load regulatory.db