program:
socket$nl_rdma(0x10, 0x3, 0x14)
openat$rdma_cm(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0)
socket$nl_netfilter(0x10, 0x3, 0xc)
socket$nl_netfilter(0x10, 0x3, 0xc)
socket$nl_netfilter(0x10, 0x3, 0xc)
socket$nl_netfilter(0x10, 0x3, 0xc)
socket$nl_generic(0x10, 0x3, 0x10)
socket$inet6_sctp(0xa, 0x5, 0x84)
socket$inet_sctp(0x2, 0x1, 0x84)
socket$inet6_sctp(0xa, 0x1, 0x84)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
socket$netlink(0x10, 0x3, 0x14)
socket$nl_route(0x10, 0x3, 0x0)
syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
socket(0x200000000000011, 0x2, 0x0)
socket$kcm(0x10, 0x2, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
socket$inet6_icmp_raw(0xa, 0x3, 0x3a)
openat(0xffffffffffffff9c, &(0x7f00000002c0)='./file1\x00', 0x42, 0x0)
socket$inet_tcp(0x2, 0x1, 0x0)
r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='cgroup.freeze\x00', 0x275a, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r1, 0x400448cb, 0x0)
openat$snapshot(0xffffffffffffff9c, &(0x7f0000000440), 0x100, 0x0)
syz_emit_vhci(&(0x7f0000000400)=ANY=[@ANYBLOB="040e0402030c", @ANYRES64=r0], 0x7)

[ 89.002151][ T4662] Bluetooth: hci0: command tx timeout
[ 89.040320][ T10]
[ 89.041399][ T10] ======================================================
[ 89.044239][ T10] WARNING: possible circular locking dependency detected
[ 89.047542][ T10] syzkaller #0 Not tainted
[ 89.050121][ T10] ------------------------------------------------------
[ 89.053914][ T10] kworker/0:1/10 is trying to acquire lock:
[ 89.056706][ T10] ffff888038d772f8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 89.060927][ T10]
[ 89.060927][ T10] but task is already holding lock:
[ 89.064076][ T10] ffffc9000023fc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa25/0x1830
[ 89.069369][ T10]
[ 89.069369][ T10] which lock already depends on the new lock.
[ 89.069369][ T10]
[ 89.073642][ T10]
[ 89.073642][ T10] the existing dependency chain (in reverse order) is:
[ 89.077302][ T10]
[ 89.077302][ T10] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 89.081620][ T10]        __flush_work+0x700/0xc50
[ 89.083794][ T10]        __cancel_work_sync+0xbe/0x110
[ 89.086185][ T10]        l2cap_conn_del+0x40f/0x5c0
[ 89.088406][ T10]        hci_conn_hash_flush+0x10d/0x260
[ 89.090923][ T10]        hci_dev_reset+0x41c/0x6d0
[ 89.093178][ T10]        sock_do_ioctl+0x101/0x320
[ 89.095698][ T10]        sock_ioctl+0x5c6/0x7f0
[ 89.097958][ T10]        __se_sys_ioctl+0xfc/0x170
[ 89.100209][ T10]        do_syscall_64+0x14d/0xf80
[ 89.102419][ T10]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 89.105195][ T10]
[ 89.105195][ T10] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 89.108310][ T10]        __lock_acquire+0x15a5/0x2cf0
[ 89.110441][ T10]        lock_acquire+0xf0/0x2e0
[ 89.112366][ T10]        __mutex_lock+0x19f/0x1300
[ 89.114330][ T10]        l2cap_info_timeout+0x60/0xa0
[ 89.116577][ T10]        process_scheduled_works+0xb02/0x1830
[ 89.119089][ T10]        worker_thread+0xa50/0xfc0
[ 89.121131][ T10]        kthread+0x388/0x470
[ 89.123195][ T10]        ret_from_fork+0x51e/0xb90
[ 89.125466][ T10]        ret_from_fork_asm+0x1a/0x30
[ 89.127611][ T10]
[ 89.127611][ T10] other info that might help us debug this:
[ 89.127611][ T10]
[ 89.132028][ T10]  Possible unsafe locking scenario:
[ 89.132028][ T10]
[ 89.135235][ T10]        CPU0                    CPU1
[ 89.137829][ T10]        ----                    ----
[ 89.139936][ T10]   lock((work_completion)(&(&conn->info_timer)->work));
[ 89.142549][ T10]                                lock(&conn->lock#2);
[ 89.145122][ T10]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 89.148991][ T10]   lock(&conn->lock#2);
[ 89.150938][ T10]
[ 89.150938][ T10]  *** DEADLOCK ***
[ 89.150938][ T10]
[ 89.154403][ T10] 2 locks held by kworker/0:1/10:
[ 89.156629][ T10]  #0: ffff88801acaad48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9ea/0x1830
[ 89.161482][ T10]  #1: ffffc9000023fc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa25/0x1830
[ 89.167034][ T10]
[ 89.167034][ T10] stack backtrace:
[ 89.169521][ T10] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted syzkaller #0 PREEMPT(full)
[ 89.169537][ T10] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 89.169550][ T10] Workqueue: events l2cap_info_timeout
[ 89.169569][ T10] Call Trace:
[ 89.169576][ T10]
[ 89.169582][ T10]  dump_stack_lvl+0xe8/0x150
[ 89.169598][ T10]  print_circular_bug+0x2e1/0x300
[ 89.169614][ T10]  check_noncircular+0x12e/0x150
[ 89.169631][ T10]  __lock_acquire+0x15a5/0x2cf0
[ 89.169645][ T10]  ? __schedule+0x159b/0x5340
[ 89.169659][ T10]  ? arch_stack_walk+0x11b/0x150
[ 89.169676][ T10]  ? ret_from_fork_asm+0x1a/0x30
[ 89.169693][ T10]  lock_acquire+0xf0/0x2e0
[ 89.169704][ T10]  ? l2cap_info_timeout+0x60/0xa0
[ 89.169718][ T10]  __mutex_lock+0x19f/0x1300
[ 89.169733][ T10]  ? l2cap_info_timeout+0x60/0xa0
[ 89.169744][ T10]  ? irqentry_exit+0x59e/0x620
[ 89.169759][ T10]  ? lockdep_hardirqs_on+0x7a/0x110
[ 89.169773][ T10]  ? l2cap_info_timeout+0x60/0xa0
[ 89.169782][ T10]  ? irqentry_exit+0x59e/0x620
[ 89.169796][ T10]  ? trace_irq_disable+0x3b/0x150
[ 89.169811][ T10]  ? __pfx___mutex_lock+0x10/0x10
[ 89.169829][ T10]  ? lock_acquire+0x20b/0x2e0
[ 89.169842][ T10]  l2cap_info_timeout+0x60/0xa0
[ 89.169853][ T10]  ? process_scheduled_works+0xa25/0x1830
[ 89.169867][ T10]  process_scheduled_works+0xb02/0x1830
[ 89.169884][ T10]  ? __pfx_process_scheduled_works+0x10/0x10
[ 89.169899][ T10]  ? assign_work+0x3d5/0x5e0
[ 89.169912][ T10]  worker_thread+0xa50/0xfc0
[ 89.169931][ T10]  kthread+0x388/0x470
[ 89.169941][ T10]  ? __pfx_worker_thread+0x10/0x10
[ 89.169954][ T10]  ? __pfx_kthread+0x10/0x10
[ 89.169963][ T10]  ret_from_fork+0x51e/0xb90
[ 89.169984][ T10]  ? __pfx_ret_from_fork+0x10/0x10
[ 89.169997][ T10]  ? __switch_to+0xc7d/0x1450
[ 89.170009][ T10]  ? __pfx_kthread+0x10/0x10
[ 89.170019][ T10]  ret_from_fork_asm+0x1a/0x30
[ 89.170037][ T10]
[ 91.950365][ T1359] cfg80211: failed to load regulatory.db