program:
sendmsg$nl_xfrm(0xffffffffffffffff, &(0x7f0000001340)={0x0, 0x0, &(0x7f0000000480)={&(0x7f0000000140)=@updsa={0xf0, 0x10, 0x1, 0x40000000, 0x200000, {{@in6=@dev, @in=@initdev={0xac, 0x1e, 0x0, 0x0}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x32}, {@in6=@private1, 0x0, 0x32}, @in=@rand_addr=0x64010100, {0x0, 0x0, 0x4, 0x0, 0x8, 0x0, 0x0, 0x8da}, {}, {0x0, 0x0, 0xfffffffe}, 0x0, 0x0, 0xa}}, 0xf0}}, 0x0)
syz_emit_vhci(&(0x7f0000000180)=ANY=[@ANYBLOB="040e07050220"], 0xa)
syz_emit_vhci(&(0x7f0000000100)=ANY=[@ANYBLOB="043e1301"], 0x16) (async)
syz_emit_vhci(&(0x7f0000000100)=ANY=[@ANYBLOB="043e1301"], 0x16)
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0)
[ 86.733230][ T5301] sysfs: cannot create duplicate filename '/devices/virtual/bluetooth/hci0/hci0:0'
[ 86.737458][ T5301] CPU: 0 UID: 0 PID: 5301 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full)
[ 86.737476][ T5301] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 86.737484][ T5301] Workqueue: hci0 hci_rx_work
[ 86.737607][ T5301] Call Trace:
[ 86.737613][ T5301]
[ 86.737620][ T5301] dump_stack_lvl+0x189/0x250
[ 86.737642][ T5301] ? __pfx_dump_stack_lvl+0x10/0x10
[ 86.737674][ T5301] ? __pfx__printk+0x10/0x10
[ 86.737690][ T5301] ? kernfs_path_from_node+0x250/0x290
[ 86.737731][ T5301] ? kernfs_path_from_node+0x2f/0x290
[ 86.737746][ T5301] sysfs_create_dir_ns+0x259/0x280
[ 86.737762][ T5301] ? __pfx_sysfs_create_dir_ns+0x10/0x10
[ 86.737776][ T5301] ? do_raw_spin_unlock+0x4d/0x240
[ 86.737796][ T5301] kobject_add_internal+0x59f/0xb40
[ 86.737815][ T5301] kobject_add+0x155/0x220
[ 86.737833][ T5301] ? __pfx_kobject_add+0x10/0x10
[ 86.737850][ T5301] ? _raw_spin_unlock+0x28/0x50
[ 86.737867][ T5301] ? get_device_parent+0x366/0x3a0
[ 86.737882][ T5301] device_add+0x408/0xb50
[ 86.737897][ T5301] hci_conn_add_sysfs+0xd5/0x1e0
[ 86.737910][ T5301] le_conn_complete_evt+0xf39/0x1500
[ 86.737934][ T5301] ? __pfx_le_conn_complete_evt+0x10/0x10
[ 86.737949][ T5301] ? __mutex_unlock_slowpath+0x1a1/0x740
[ 86.737963][ T5301] ? __asan_memcpy+0x40/0x70
[ 86.737980][ T5301] ? __pfx___mutex_unlock_slowpath+0x10/0x10
[ 86.737994][ T5301] ? skb_pull_data+0xfb/0x200
[ 86.738010][ T5301] hci_le_conn_complete_evt+0x187/0x450
[ 86.738030][ T5301] hci_event_packet+0x78f/0x1200
[ 86.738044][ T5301] ? __pfx_hci_le_meta_evt+0x10/0x10
[ 86.738061][ T5301] ? __pfx_hci_event_packet+0x10/0x10
[ 86.738075][ T5301] ? kcov_remote_start+0x4d3/0x7f0
[ 86.738088][ T5301] ? local_clock_noinstr+0xe0/0xe0
[ 86.738105][ T5301] ? hci_send_to_monitor+0xe2/0x570
[ 86.738125][ T5301] hci_rx_work+0x46a/0xe80
[ 86.738139][ T5301] ? process_scheduled_works+0x9ef/0x17b0
[ 86.738149][ T5301] process_scheduled_works+0xae1/0x17b0
[ 86.738176][ T5301] ? __pfx_process_scheduled_works+0x10/0x10
[ 86.738199][ T5301] worker_thread+0x8a0/0xda0
[ 86.738219][ T5301] ? __kthread_parkme+0x7b/0x200
[ 86.738239][ T5301] kthread+0x711/0x8a0
[ 86.738257][ T5301] ? __pfx_worker_thread+0x10/0x10
[ 86.738270][ T5301] ? __pfx_kthread+0x10/0x10
[ 86.738288][ T5301] ? _raw_spin_unlock_irq+0x23/0x50
[ 86.738302][ T5301] ? lockdep_hardirqs_on+0x9c/0x150
[ 86.738312][ T5301] ? __pfx_kthread+0x10/0x10
[ 86.738322][ T5301] ret_from_fork+0x4bc/0x870
[ 86.738334][ T5301] ? __pfx_ret_from_fork+0x10/0x10
[ 86.738351][ T5301] ? __pfx_kthread+0x10/0x10
[ 86.738367][ T5301] ret_from_fork_asm+0x1a/0x30
[ 86.738387][ T5301]
[ 86.738467][ T5301] kobject: kobject_add_internal failed for hci0:0 with -EEXIST, don't try to register things with the same name in the same directory.
[ 86.864356][ T5301] Bluetooth: hci0: failed to register connection device
[ 86.869176][ T5317]
[ 86.870292][ T5317] ======================================================
[ 86.873308][ T5317] WARNING: possible circular locking dependency detected
[ 86.876230][ T5317] syzkaller #0 Not tainted
[ 86.878204][ T5317] ------------------------------------------------------
[ 86.881166][ T5317] kworker/0:4/5317 is trying to acquire lock:
[ 86.883608][ T5317] ffff88803fb20338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 86.887377][ T5317]
[ 86.887377][ T5317] but task is already holding lock:
[ 86.890493][ T5317] ffffc9000d377ba0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0
[ 86.895813][ T5317]
[ 86.895813][ T5317] which lock already depends on the new lock.
[ 86.895813][ T5317]
[ 86.900279][ T5317]
[ 86.900279][ T5317] the existing dependency chain (in reverse order) is:
[ 86.904202][ T5317]
[ 86.904202][ T5317] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 86.908453][ T5317] lock_acquire+0x120/0x360
[ 86.910599][ T5317] __flush_work+0x6b8/0xbc0
[ 86.912735][ T5317] __cancel_work_sync+0xbe/0x110
[ 86.915019][ T5317] l2cap_conn_del+0x4f0/0x680
[ 86.917299][ T5317] hci_conn_hash_flush+0x10d/0x230
[ 86.919678][ T5317] hci_dev_close_sync+0xaef/0x1330
[ 86.922191][ T5317] hci_dev_close+0x108/0x200
[ 86.924473][ T5317] sock_do_ioctl+0xdc/0x300
[ 86.926644][ T5317] sock_ioctl+0x576/0x790
[ 86.928728][ T5317] __se_sys_ioctl+0xfc/0x170
[ 86.930857][ T5317] do_syscall_64+0xfa/0xfa0
[ 86.933044][ T5317] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.935726][ T5317]
[ 86.935726][ T5317] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 86.938892][ T5317] validate_chain+0xb9b/0x2140
[ 86.941253][ T5317] __lock_acquire+0xab9/0xd20
[ 86.943427][ T5317] lock_acquire+0x120/0x360
[ 86.945584][ T5317] __mutex_lock+0x187/0x1350
[ 86.947598][ T5317] l2cap_info_timeout+0x60/0xa0
[ 86.949588][ T5317] process_scheduled_works+0xae1/0x17b0
[ 86.952042][ T5317] worker_thread+0x8a0/0xda0
[ 86.954257][ T5317] kthread+0x711/0x8a0
[ 86.956362][ T5317] ret_from_fork+0x4bc/0x870
[ 86.958583][ T5317] ret_from_fork_asm+0x1a/0x30
[ 86.960838][ T5317]
[ 86.960838][ T5317] other info that might help us debug this:
[ 86.960838][ T5317]
[ 86.965127][ T5317] Possible unsafe locking scenario:
[ 86.965127][ T5317]
[ 86.968235][ T5317] CPU0 CPU1
[ 86.970497][ T5317] ---- ----
[ 86.972843][ T5317] lock((work_completion)(&(&conn->info_timer)->work));
[ 86.975823][ T5317] lock(&conn->lock#2);
[ 86.978679][ T5317] lock((work_completion)(&(&conn->info_timer)->work));
[ 86.982758][ T5317] lock(&conn->lock#2);
[ 86.984605][ T5317]
[ 86.984605][ T5317] *** DEADLOCK ***
[ 86.984605][ T5317]
[ 86.988057][ T5317] 2 locks held by kworker/0:4/5317:
[ 86.990247][ T5317] #0: ffff88801a067548 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0
[ 86.994867][ T5317] #1: ffffc9000d377ba0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0
[ 86.999950][ T5317]
[ 86.999950][ T5317] stack backtrace:
[ 87.002322][ T5317] CPU: 0 UID: 0 PID: 5317 Comm: kworker/0:4 Not tainted syzkaller #0 PREEMPT(full)
[ 87.002338][ T5317] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 87.002347][ T5317] Workqueue: events l2cap_info_timeout
[ 87.002368][ T5317] Call Trace:
[ 87.002375][ T5317]
[ 87.002381][ T5317] dump_stack_lvl+0x189/0x250
[ 87.002400][ T5317] ? __pfx_dump_stack_lvl+0x10/0x10
[ 87.002414][ T5317] ? __pfx__printk+0x10/0x10
[ 87.002426][ T5317] ? print_lock_name+0xde/0x100
[ 87.002438][ T5317] print_circular_bug+0x2ee/0x310
[ 87.002469][ T5317] check_noncircular+0x134/0x160
[ 87.002485][ T5317] validate_chain+0xb9b/0x2140
[ 87.002504][ T5317] __lock_acquire+0xab9/0xd20
[ 87.002517][ T5317] ? l2cap_info_timeout+0x60/0xa0
[ 87.002531][ T5317] lock_acquire+0x120/0x360
[ 87.002542][ T5317] ? l2cap_info_timeout+0x60/0xa0
[ 87.002558][ T5317] __mutex_lock+0x187/0x1350
[ 87.002574][ T5317] ? l2cap_info_timeout+0x60/0xa0
[ 87.002588][ T5317] ? irqentry_exit+0x74/0x90
[ 87.002600][ T5317] ? lockdep_hardirqs_on+0x9c/0x150
[ 87.002614][ T5317] ? l2cap_info_timeout+0x60/0xa0
[ 87.002628][ T5317] ? __pfx___mutex_lock+0x10/0x10
[ 87.002647][ T5317] l2cap_info_timeout+0x60/0xa0
[ 87.002660][ T5317] ? process_scheduled_works+0x9ef/0x17b0
[ 87.002671][ T5317] process_scheduled_works+0xae1/0x17b0
[ 87.002689][ T5317] ? __pfx_process_scheduled_works+0x10/0x10
[ 87.002704][ T5317] worker_thread+0x8a0/0xda0
[ 87.002717][ T5317] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 87.002731][ T5317] ? __kthread_parkme+0x7b/0x200
[ 87.002745][ T5317] kthread+0x711/0x8a0
[ 87.002758][ T5317] ? __pfx_worker_thread+0x10/0x10
[ 87.002768][ T5317] ? __pfx_kthread+0x10/0x10
[ 87.002781][ T5317] ? _raw_spin_unlock_irq+0x23/0x50
[ 87.002794][ T5317] ? lockdep_hardirqs_on+0x9c/0x150
[ 87.002807][ T5317] ? __pfx_kthread+0x10/0x10
[ 87.002821][ T5317] ret_from_fork+0x4bc/0x870
[ 87.002834][ T5317] ? __pfx_ret_from_fork+0x10/0x10
[ 87.002846][ T5317] ? __pfx_kthread+0x10/0x10
[ 87.002861][ T5317] ret_from_fork_asm+0x1a/0x30
[ 87.002875][ T5317]
[ 88.906686][ T5301] Bluetooth: hci0: command tx timeout
[ 90.987016][ T5301] Bluetooth: hci0: command tx timeout
[ 91.710255][ T9] cfg80211: failed to load regulatory.db
[ 93.066635][ T5301] Bluetooth: hci0: command tx timeout