program:
r0 = pidfd_getfd(0xffffffffffffffff, 0xffffffffffffffff, 0x0)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r1, 0x400448ca, 0x0)
bpf$MAP_CREATE(0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="0300000007"], 0x50)
write$sysctl(0xffffffffffffffff, &(0x7f0000000000)='2\x00', 0x2)
r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
bind$bt_hci(r2, &(0x7f0000000100)={0x1f, 0xffff, 0x3}, 0x6)
write$binfmt_misc(r2, &(0x7f0000000000), 0xd)
bpf$BPF_PROG_WITH_BTFID_LOAD(0x5, &(0x7f0000000300)=@bpf_lsm={0x4, 0x12, &(0x7f0000000140)=@framed={{0x66, 0xa, 0x0, 0x0, 0x0, 0x61, 0x11, 0x7e}, [@ringbuf_output={{0x18, 0x1, 0x1, 0x0, r0}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x84}, {}, {}, {}, {}, {0x7, 0x0, 0xb, 0x4, 0x0, 0x0, 0x1}}, @call={0x85, 0x0, 0x0, 0x45}, @call={0x85, 0x0, 0x0, 0xad}, @btf_id={0x18, 0x5, 0x3, 0x0, 0x5}, @map_idx={0x18, 0x3, 0x5, 0x0, 0x2}]}, &(0x7f00000002c0)='GPL\x00'}, 0x94)

[   87.144934][    T9] cfg80211: failed to load regulatory.db
[   87.156514][ T4705] Bluetooth: hci0: command tx timeout
[   87.253284][    T9]
[   87.254449][    T9] ======================================================
[   87.257511][    T9] WARNING: possible circular locking dependency detected
[   87.260491][    T9] 6.17.0-rc1-syzkaller-00150-g8d084337a32f #0 Not tainted
[   87.263491][    T9] ------------------------------------------------------
[   87.266504][    T9] kworker/0:0/9 is trying to acquire lock:
[   87.268987][    T9] ffff888036738b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[   87.273234][    T9]
[   87.273234][    T9] but task is already holding lock:
[   87.276354][    T9] ffffc900001b7bc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0
[   87.281674][    T9]
[   87.281674][    T9] which lock already depends on the new lock.
[   87.281674][    T9]
[   87.286042][    T9]
[   87.286042][    T9] the existing dependency chain (in reverse order) is:
[   87.289990][    T9]
[   87.289990][    T9] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[   87.294259][    T9]        lock_acquire+0x120/0x360
[   87.296461][    T9]        __flush_work+0x6b8/0xbc0
[   87.298735][    T9]        __cancel_work_sync+0xbe/0x110
[   87.300989][    T9]        l2cap_conn_del+0x4f0/0x680
[   87.303286][    T9]        hci_conn_hash_flush+0x10a/0x230
[   87.305832][    T9]        hci_dev_close_sync+0xaef/0x1330
[   87.308365][    T9]        hci_dev_close+0x108/0x200
[   87.310563][    T9]        sock_do_ioctl+0xdc/0x300
[   87.312744][    T9]        sock_ioctl+0x576/0x790
[   87.314922][    T9]        __se_sys_ioctl+0xf9/0x170
[   87.317173][    T9]        do_syscall_64+0xfa/0x3b0
[   87.319319][    T9]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   87.322045][    T9]
[   87.322045][    T9] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[   87.325457][    T9]        validate_chain+0xb9b/0x2140
[   87.327810][    T9]        __lock_acquire+0xab9/0xd20
[   87.330024][    T9]        lock_acquire+0x120/0x360
[   87.332174][    T9]        __mutex_lock+0x187/0x1360
[   87.334406][    T9]        l2cap_info_timeout+0x60/0xa0
[   87.336894][    T9]        process_scheduled_works+0xade/0x17b0
[   87.339514][    T9]        worker_thread+0x8a0/0xda0
[   87.341779][    T9]        kthread+0x70e/0x8a0
[   87.343840][    T9]        ret_from_fork+0x3f9/0x770
[   87.346183][    T9]        ret_from_fork_asm+0x1a/0x30
[   87.348535][    T9]
[   87.348535][    T9] other info that might help us debug this:
[   87.348535][    T9]
[   87.352915][    T9]  Possible unsafe locking scenario:
[   87.352915][    T9]
[   87.356226][    T9]        CPU0                    CPU1
[   87.358602][    T9]        ----                    ----
[   87.360955][    T9]   lock((work_completion)(&(&conn->info_timer)->work));
[   87.363911][    T9]                                lock(&conn->lock#2);
[   87.366792][    T9]                                lock((work_completion)(&(&conn->info_timer)->work));
[   87.370826][    T9]   lock(&conn->lock#2);
[   87.372713][    T9]
[   87.372713][    T9]  *** DEADLOCK ***
[   87.372713][    T9]
[   87.376451][    T9] 2 locks held by kworker/0:0/9:
[   87.378727][    T9]  #0: ffff88801a474d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x17b0
[   87.383410][    T9]  #1: ffffc900001b7bc0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x17b0
[   87.389328][    T9]
[   87.389328][    T9] stack backtrace:
[   87.391911][    T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.17.0-rc1-syzkaller-00150-g8d084337a32f #0 PREEMPT(full)
[   87.391928][    T9] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   87.391936][    T9] Workqueue: events l2cap_info_timeout
[   87.391956][    T9] Call Trace:
[   87.391964][    T9]
[   87.391970][    T9]  dump_stack_lvl+0x189/0x250
[   87.391986][    T9]  ? __pfx_dump_stack_lvl+0x10/0x10
[   87.391999][    T9]  ? __pfx__printk+0x10/0x10
[   87.392013][    T9]  ? print_lock_name+0xde/0x100
[   87.392028][    T9]  print_circular_bug+0x2ee/0x310
[   87.392042][    T9]  check_noncircular+0x134/0x160
[   87.392054][    T9]  validate_chain+0xb9b/0x2140
[   87.392069][    T9]  __lock_acquire+0xab9/0xd20
[   87.392085][    T9]  ? l2cap_info_timeout+0x60/0xa0
[   87.392098][    T9]  lock_acquire+0x120/0x360
[   87.392146][    T9]  ? l2cap_info_timeout+0x60/0xa0
[   87.392162][    T9]  __mutex_lock+0x187/0x1360
[   87.392177][    T9]  ? l2cap_info_timeout+0x60/0xa0
[   87.392191][    T9]  ? irqentry_exit+0x74/0x90
[   87.392204][    T9]  ? lockdep_hardirqs_on+0x9c/0x150
[   87.392216][    T9]  ? l2cap_info_timeout+0x60/0xa0
[   87.392229][    T9]  ? __pfx___mutex_lock+0x10/0x10
[   87.392246][    T9]  l2cap_info_timeout+0x60/0xa0
[   87.392258][    T9]  ? process_scheduled_works+0x9ef/0x17b0
[   87.392268][    T9]  process_scheduled_works+0xade/0x17b0
[   87.392283][    T9]  ? __pfx_process_scheduled_works+0x10/0x10
[   87.392297][    T9]  worker_thread+0x8a0/0xda0
[   87.392313][    T9]  kthread+0x70e/0x8a0
[   87.392326][    T9]  ? __pfx_worker_thread+0x10/0x10
[   87.392335][    T9]  ? __pfx_kthread+0x10/0x10
[   87.392347][    T9]  ? _raw_spin_unlock_irq+0x23/0x50
[   87.392359][    T9]  ? lockdep_hardirqs_on+0x9c/0x150
[   87.392370][    T9]  ? __pfx_kthread+0x10/0x10
[   87.392382][    T9]  ret_from_fork+0x3f9/0x770
[   87.392394][    T9]  ? __pfx_ret_from_fork+0x10/0x10
[   87.392406][    T9]  ? __pfx_kthread+0x10/0x10
[   87.392418][    T9]  ret_from_fork_asm+0x1a/0x30
[   87.392436][    T9]
[   87.480090][ T5365] Bluetooth: MGMT ver 1.23
[   89.194519][ T4705] Bluetooth: hci0: command tx timeout
[   91.273103][ T4705] Bluetooth: hci0: command tx timeout
[   93.352733][ T4705] Bluetooth: hci0: command tx timeout
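Reading the report: chain #1 shows the ioctl path (hci_dev_close -> hci_dev_close_sync -> hci_conn_hash_flush -> l2cap_conn_del) calling cancel_work_sync() on the info_timer work while conn->lock is held, which lockdep records as the edge "conn->lock held, then work completion acquired". Chain #0 is the workqueue running l2cap_info_timeout with that work completion held and then taking conn->lock via mutex_lock(). Those two edges form a cycle, and that cycle is exactly what the "Possible unsafe locking scenario" box depicts: if the close path waits in cancel_work_sync() for a handler that is itself blocked on conn->lock, neither side makes progress. The model below, an added example and not kernel code, reimplements the lock-order graph and cycle check that check_noncircular() performs, replays the two acquisition contexts from this report, and shows that the cycle disappears when the teardown path does not hold conn->lock across the synchronous cancel. Every name in it (lock_acquire_model, replay_report, replay_fixed_order, the class enum) is hypothetical; the real lockdep implementation keeps per-class lock_list graphs and does a BFS, and which fix the kernel actually adopted for this report is not stated on this page.

```c
/* Minimal model of lockdep's lock-order graph and circular-dependency
 * check. Added example, not kernel code: lock classes are small integers,
 * "held -> acquired" edges are recorded the way lockdep records them, and
 * an acquisition that would close a cycle is rejected the way
 * check_noncircular() reports "possible circular locking dependency". */
#include <stdio.h>
#include <string.h>

#define MAX_CLASSES 8

/* Lock classes taken from the report; names are only used for printing. */
enum { CONN_LOCK, INFO_TIMER_WORK, WQ_EVENTS, NR_CLASSES };
static const char *class_name[NR_CLASSES] = {
    "&conn->lock#2",
    "(work_completion)(&(&conn->info_timer)->work)",
    "(wq_completion)events",
};

/* dep[a][b] != 0 means "class a has been held while class b was acquired". */
static unsigned char dep[MAX_CLASSES][MAX_CLASSES];

/* Depth-first search: can `to` be reached from `from` over recorded edges? */
static int reaches(int from, int to, unsigned char *seen)
{
    if (from == to)
        return 1;
    if (seen[from])
        return 0;
    seen[from] = 1;
    for (int next = 0; next < NR_CLASSES; next++)
        if (dep[from][next] && reaches(next, to, seen))
            return 1;
    return 0;
}

/* Record that `acquired` was taken while every class in held[] was held.
 * Returns 0 on success, -1 if the new edge would close a cycle. */
static int lock_acquire_model(const int *held, int nheld, int acquired)
{
    for (int i = 0; i < nheld; i++) {
        unsigned char seen[MAX_CLASSES] = {0};
        /* New edge held[i] -> acquired closes a cycle iff `acquired`
         * already reaches held[i] through existing edges. */
        if (reaches(acquired, held[i], seen)) {
            printf("possible circular locking dependency: %s -> %s\n",
                   class_name[held[i]], class_name[acquired]);
            return -1;
        }
    }
    for (int i = 0; i < nheld; i++)
        dep[held[i]][acquired] = 1;
    return 0;
}

static void lock_graph_reset(void)
{
    memset(dep, 0, sizeof(dep));
}

/* Replay the two contexts from the report. Returns -1 (cycle) on the
 * second acquisition, matching the "*** DEADLOCK ***" verdict. */
static int replay_report(void)
{
    lock_graph_reset();
    /* #1: ioctl -> hci_dev_close_sync -> l2cap_conn_del holds conn->lock
     * and calls cancel_work_sync(), which acquires the work completion. */
    int held_close[] = { CONN_LOCK };
    if (lock_acquire_model(held_close, 1, INFO_TIMER_WORK))
        return -1;
    /* #0: the workqueue runs l2cap_info_timeout with the wq completion and
     * the work completion held, then does mutex_lock(&conn->lock). */
    int held_worker[] = { WQ_EVENTS, INFO_TIMER_WORK };
    return lock_acquire_model(held_worker, 2, CONN_LOCK);
}

/* Same two contexts, but the hypothetical teardown path drops conn->lock
 * before the synchronous cancel: no "conn->lock -> work" edge is recorded,
 * so the handler taking conn->lock cannot close a cycle. */
static int replay_fixed_order(void)
{
    lock_graph_reset();
    if (lock_acquire_model(NULL, 0, INFO_TIMER_WORK))
        return -1;
    int held_worker[] = { WQ_EVENTS, INFO_TIMER_WORK };
    return lock_acquire_model(held_worker, 2, CONN_LOCK);
}

int main(void)
{
    printf("report replay: %s\n",
           replay_report() ? "DEADLOCK" : "ok");
    printf("lock dropped before cancel: %s\n",
           replay_fixed_order() ? "DEADLOCK" : "ok");
    return 0;
}
```

The model deliberately treats the work completion as a lock class, as lockdep does, because cancel_work_sync() blocks until a running handler returns and therefore behaves like acquiring whatever the handler holds. That is why the generic remedies for this pattern are to drop the lock before the synchronous cancel, or to use a non-blocking cancel and let the handler bail out; whether either is what the maintainers chose here is not something this report shows.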