program: socket$nl_route(0x10, 0x3, 0x0) (async, rerun: 64) syz_emit_vhci(&(0x7f0000000340)=ANY=[@ANYBLOB="02c82028002400010007d3040007c4faff020c04000300d3"], 0x2d) (rerun: 64) r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r0, 0x400448ca, 0x0) (async, rerun: 64) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000100)=@gettaction={0x50, 0x32, 0x20, 0x70bd25, 0x25dfdbfe, {}, [@action_gd=@TCA_ACT_TAB={0x1c, 0x1, [{0xc, 0x1c, 0x0, 0x0, @TCA_ACT_KIND={0x8, 0x1, 'bpf\x00'}}, {0xc, 0x1d, 0x0, 0x0, @TCA_ACT_KIND={0x8, 0x1, 'ife\x00'}}]}, @action_gd=@TCA_ACT_TAB={0x20, 0x1, [{0x10, 0xe, 0x0, 0x0, @TCA_ACT_KIND={0xb, 0x1, 'mirred\x00'}}, {0xc, 0x17, 0x0, 0x0, @TCA_ACT_INDEX={0x8, 0x3, 0x40}}]}]}, 0x50}, 0x1, 0x0, 0x0, 0x40000}, 0x4048840) (async, rerun: 64) r1 = socket(0x2000000000000021, 0x2, 0x10000000000002) (async) r2 = socket$kcm(0x21, 0x2, 0x2) r3 = dup2(r2, r1) setsockopt$MRT6_ADD_MFC_PROXY(r3, 0x110, 0xd2, 0x0, 0x0) (async, rerun: 64) r4 = bpf$MAP_CREATE(0x0, &(0x7f0000000400)=@base={0x12, 0x1, 0x8, 0x100c}, 0x50) (async, rerun: 64) getsockopt$inet_sctp_SCTP_PEER_ADDR_THLDS(r1, 0x84, 0x1f, &(0x7f0000000500)={0x0, @in6={{0xa, 0x4e21, 0x9, @private0={0xfc, 0x0, '\x00', 0x1}, 0x3}}, 0xd5, 0x1ff}, &(0x7f00000005c0)=0x90) getsockopt$inet_sctp6_SCTP_STREAM_SCHEDULER_VALUE(r3, 0x84, 0x7c, &(0x7f0000000600)={r5, 0x6, 0x8}, &(0x7f0000000640)=0x8) (async) bpf$MAP_GET_NEXT_KEY(0x4, &(0x7f00000010c0)={r4, 0x0, 0x0}, 0x20) (async, rerun: 32) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000340)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000480)=ANY=[@ANYRESHEX=r1, @ANYRESDEC=r0, @ANYBLOB="00000000001400001c00128009000100626f6e64000000000c000280080014"], 0x3c}}, 0x4001) (async, rerun: 32) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000000080)={0x0, 0x44}, 0x1, 0x0, 0x0, 0x8000010}, 0x0) (async) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000100)=ANY=[@ANYBLOB="500000001000010425bbe5ad600027842cf52300", @ANYRES32=0x0, @ANYBLOB="0300000000000000280012800a00010076786c616e"], 0x50}, 0x1, 0x0, 0x0, 0x13d33d22cca65c15}, 0x4008840) (async, rerun: 64) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000280)={&(0x7f0000000180)=@newqdisc={0x24, 0x24, 0x1, 0x70bd2a, 0x25dfdbfe, {0x0, 0x0, 0x0, 0x0, {}, {0xffff, 0xffff}, {0x5}}}, 0x24}, 0x1, 0x0, 0x0, 0x40}, 0x0) (async, rerun: 64) r6 = socket$netlink(0x10, 0x3, 0x0) sendmmsg(r6, &(0x7f00000002c0), 0x40000000000009f, 0x0) (async) r7 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r8 = syz_genetlink_get_family_id$nl802154(&(0x7f00000000c0), 0xffffffffffffffff) (async) ioctl$sock_SIOCGIFINDEX_802154(0xffffffffffffffff, 0x8933, &(0x7f0000000200)={'wpan1\x00', 0x0}) sendmsg$NL802154_CMD_GET_WPAN_PHY(r7, &(0x7f00000003c0)={&(0x7f0000000000)={0x10, 0x0, 0x0, 0x10000000}, 0xc, &(0x7f0000000380)={&(0x7f0000000240)={0x40, r8, 0x10, 0x70bd26, 0x25dfdbff, {}, [@NL802154_ATTR_IFINDEX={0x8, 0x3, r9}, @NL802154_ATTR_WPAN_DEV={0xc, 0x6, 0x3}, @NL802154_ATTR_WPAN_DEV={0xc, 0x6, 0x200000002}, @NL802154_ATTR_WPAN_DEV={0xc, 0x6, 0x200000002}]}, 0x40}, 0x1, 0x0, 0x0, 0x8040}, 0x40800) fallocate(r1, 0x20, 0x6, 0x8) [ 85.989945][ T5341] [ 85.990900][ T5341] ====================================================== [ 85.993567][ T5341] WARNING: possible circular locking dependency detected [ 85.996563][ T5341] syzkaller #0 Not tainted [ 85.998577][ T5341] ------------------------------------------------------ [ 86.001466][ T5341] syz.0.0/5341 is trying to acquire lock: [ 86.003683][ T5341] ffff888037910040 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xd2/0xbc0 [ 86.008445][ T5341] [ 86.008445][ T5341] but task is already holding lock: [ 86.011715][ T5341] ffff888037910338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0 [ 86.015426][ T5341] [ 86.015426][ T5341] which lock already depends on the new lock. [ 86.015426][ T5341] [ 86.019744][ T5341] [ 86.019744][ T5341] the existing dependency chain (in reverse order) is: [ 86.023376][ T5341] [ 86.023376][ T5341] -> #1 (&conn->lock#2){+.+.}-{4:4}: [ 86.026570][ T5341] __mutex_lock+0x187/0x1350 [ 86.028795][ T5341] l2cap_info_timeout+0x60/0xa0 [ 86.030997][ T5341] process_scheduled_works+0xad1/0x1770 [ 86.033418][ T5341] worker_thread+0x8a0/0xda0 [ 86.035172][ T5341] kthread+0x711/0x8a0 [ 86.037091][ T5341] ret_from_fork+0x599/0xb30 [ 86.039174][ T5341] ret_from_fork_asm+0x1a/0x30 [ 86.041118][ T5341] [ 86.041118][ T5341] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}: [ 86.045180][ T5341] __lock_acquire+0x15a6/0x2cf0 [ 86.047490][ T5341] lock_acquire+0x117/0x340 [ 86.049694][ T5341] __flush_work+0x6b8/0xbc0 [ 86.051855][ T5341] __cancel_work_sync+0xbe/0x110 [ 86.054236][ T5341] l2cap_conn_del+0x402/0x5b0 [ 86.056488][ T5341] hci_conn_hash_flush+0x10d/0x260 [ 86.058890][ T5341] hci_dev_close_sync+0x821/0x1100 [ 86.061381][ T5341] hci_dev_close+0x108/0x270 [ 86.063589][ T5341] sock_do_ioctl+0xdc/0x300 [ 86.065888][ T5341] sock_ioctl+0x576/0x790 [ 86.067949][ T5341] __se_sys_ioctl+0xfc/0x170 [ 86.070248][ T5341] do_syscall_64+0xfa/0xf80 [ 86.072472][ T5341] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.075380][ T5341] [ 86.075380][ T5341] other info that might help us debug this: [ 86.075380][ T5341] [ 86.079858][ T5341] Possible unsafe locking scenario: [ 86.079858][ T5341] [ 86.083407][ T5341] CPU0 CPU1 [ 86.086444][ T5341] ---- ---- [ 86.089453][ T5341] lock(&conn->lock#2); [ 86.091557][ T5341] lock((work_completion)(&(&conn->info_timer)->work)); [ 86.095706][ T5341] lock(&conn->lock#2); [ 86.098612][ T5341] lock((work_completion)(&(&conn->info_timer)->work)); [ 86.101671][ T5341] [ 86.101671][ T5341] *** DEADLOCK *** [ 86.101671][ T5341] [ 86.105146][ T5341] 5 locks held by syz.0.0/5341: [ 86.108808][ T5341] #0: ffff888011754ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x270 [ 86.113014][ T5341] #1: ffff8880117540c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0x1100 [ 86.117840][ T5341] #2: ffffffff8f67b088 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x260 [ 86.122252][ T5341] #3: ffff888037910338 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0 [ 86.126439][ T5341] #4: ffffffff8e1419e0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xd2/0xbc0 [ 86.130492][ T5341] [ 86.130492][ T5341] stack backtrace: [ 86.133051][ T5341] CPU: 0 UID: 0 PID: 5341 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 86.133065][ T5341] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 86.133071][ T5341] Call Trace: [ 86.133078][ T5341] [ 86.133084][ T5341] dump_stack_lvl+0x189/0x250 [ 86.133100][ T5341] ? __pfx_dump_stack_lvl+0x10/0x10 [ 86.133111][ T5341] ? __pfx__printk+0x10/0x10 [ 86.133125][ T5341] ? print_lock_name+0xde/0x100 [ 86.133139][ T5341] print_circular_bug+0x2e2/0x300 [ 86.133154][ T5341] check_noncircular+0x12e/0x150 [ 86.133168][ T5341] __lock_acquire+0x15a6/0x2cf0 [ 86.133179][ T5341] ? do_raw_spin_unlock+0x4d/0x240 [ 86.133193][ T5341] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 86.133205][ T5341] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 86.133217][ T5341] ? __flush_work+0xd2/0xbc0 [ 86.133228][ T5341] lock_acquire+0x117/0x340 [ 86.133238][ T5341] ? __flush_work+0xd2/0xbc0 [ 86.133250][ T5341] ? _raw_spin_unlock_irq+0x23/0x50 [ 86.133260][ T5341] ? __flush_work+0xd2/0xbc0 [ 86.133270][ T5341] __flush_work+0x6b8/0xbc0 [ 86.133280][ T5341] ? __flush_work+0xd2/0xbc0 [ 86.133297][ T5341] ? __flush_work+0xd2/0xbc0 [ 86.133309][ T5341] ? __pfx___flush_work+0x10/0x10 [ 86.133319][ T5341] ? __pfx_wq_barrier_func+0x10/0x10 [ 86.133331][ T5341] ? __pfx___cancel_work+0x10/0x10 [ 86.133343][ T5341] ? l2cap_conn_del+0x379/0x5b0 [ 86.133355][ T5341] ? __cancel_work_sync+0x5c/0x110 [ 86.133367][ T5341] __cancel_work_sync+0xbe/0x110 [ 86.133380][ T5341] l2cap_conn_del+0x402/0x5b0 [ 86.133391][ T5341] ? __pfx_l2cap_disconn_cfm+0x10/0x10 [ 86.133399][ T5341] hci_conn_hash_flush+0x10d/0x260 [ 86.133407][ T5341] hci_dev_close_sync+0x821/0x1100 [ 86.133415][ T5341] ? __pfx_hci_dev_close_sync+0x10/0x10 [ 86.133424][ T5341] ? __cancel_work_sync+0x5c/0x110 [ 86.133436][ T5341] hci_dev_close+0x108/0x270 [ 86.133446][ T5341] sock_do_ioctl+0xdc/0x300 [ 86.133463][ T5341] ? __pfx_sock_do_ioctl+0x10/0x10 [ 86.133477][ T5341] ? do_futex+0x333/0x420 [ 86.133491][ T5341] sock_ioctl+0x576/0x790 [ 86.133505][ T5341] ? __pfx_sock_ioctl+0x10/0x10 [ 86.133514][ T5341] ? __fget_files+0x3a0/0x420 [ 86.133521][ T5341] ? __fget_files+0x2a/0x420 [ 86.133528][ T5341] ? bpf_lsm_file_ioctl+0x9/0x20 [ 86.133534][ T5341] ? __pfx_sock_ioctl+0x10/0x10 [ 86.133544][ T5341] __se_sys_ioctl+0xfc/0x170 [ 86.133554][ T5341] do_syscall_64+0xfa/0xf80 [ 86.133563][ T5341] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.133569][ T5341] ? clear_bhb_loop+0x60/0xb0 [ 86.133576][ T5341] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.133583][ T5341] RIP: 0033:0x7fe48438f7c9 [ 86.133592][ T5341] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 86.133598][ T5341] RSP: 002b:00007fe4852b0038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 86.133606][ T5341] RAX: ffffffffffffffda RBX: 00007fe4845e5fa0 RCX: 00007fe48438f7c9 [ 86.133611][ T5341] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000045 [ 86.133615][ T5341] RBP: 00007fe484413f91 R08: 0000000000000000 R09: 0000000000000000 [ 86.133620][ T5341] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 86.133623][ T5341] R13: 00007fe4845e6038 R14: 00007fe4845e5fa0 R15: 00007fff6330dee8 [ 86.133630][ T5341] [ 86.290573][ T46] Bluetooth: hci0: command tx timeout [ 88.358823][ T46] Bluetooth: hci0: command tx timeout [ 90.439023][ T46] Bluetooth: hci0: command tx timeout [ 91.728847][ T1361] cfg80211: failed to load regulatory.db