INFO: task kworker/u4:6:1080 blocked for more than 143 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u4:6    state:D stack:22536 pid:1080  ppid:2      flags:0x00004000
Workqueue: events_unbound linkwatch_event
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5380 [inline]
 __schedule+0x14d2/0x44d0 kernel/sched/core.c:6699
 schedule+0xbd/0x170 kernel/sched/core.c:6773
 schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6832
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x6b7/0xcc0 kernel/locking/mutex.c:747
 linkwatch_event+0xe/0x60 net/core/link_watch.c:286
 process_one_work kernel/workqueue.c:2634 [inline]
 process_scheduled_works+0xa45/0x15b0 kernel/workqueue.c:2711
 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
 </TASK>
INFO: task syz-executor:5759 blocked for more than 143 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor    state:D stack:21736 pid:5759  ppid:1      flags:0x00004006
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5380 [inline]
 __schedule+0x14d2/0x44d0 kernel/sched/core.c:6699
 schedule+0xbd/0x170 kernel/sched/core.c:6773
 exp_funnel_lock kernel/rcu/tree_exp.h:315 [inline]
 synchronize_rcu_expedited+0x720/0x830 kernel/rcu/tree_exp.h:1004
 namespace_unlock+0x1e7/0x3c0 fs/namespace.c:1581
 drop_collected_mounts fs/namespace.c:2083 [inline]
 put_mnt_ns+0xdf/0x130 fs/namespace.c:4802
 free_nsproxy+0x4d/0x3c0 kernel/nsproxy.c:193
 do_exit+0x906/0x23c0 kernel/exit.c:882
 do_group_exit+0x21b/0x2d0 kernel/exit.c:1024
 get_signal+0x12fc/0x1400 kernel/signal.c:2902
 arch_do_signal_or_restart+0x9c/0x7b0 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop+0x70/0x110 kernel/entry/common.c:174
 exit_to_user_mode_prepare+0xf6/0x180 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
 syscall_exit_to_user_mode+0x1a/0x50 kernel/entry/common.c:302
 do_syscall_64+0x61/0xb0 arch/x86/entry/common.c:87
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f78dfd85897
RSP: 002b:00007ffc9c651c80 EFLAGS: 00000293 ORIG_RAX: 000000000000003d
RAX: fffffffffffffe00 RBX: 00000000000000fb RCX: 00007f78dfd85897
RDX: 0000000040000000 RSI: 00007ffc9c651cec RDI: 00000000ffffffff
RBP: 00007ffc9c651cec R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000041
R13: 0000555583040590 R14: 000000000001f5ba R15: 00007ffc9c651d40
 </TASK>
INFO: task syz-executor:5761 blocked for more than 144 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor    state:D stack:21736 pid:5761  ppid:1      flags:0x00004006
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5380 [inline]
 __schedule+0x14d2/0x44d0 kernel/sched/core.c:6699
 schedule+0xbd/0x170 kernel/sched/core.c:6773
 exp_funnel_lock kernel/rcu/tree_exp.h:315 [inline]
 synchronize_rcu_expedited+0x720/0x830 kernel/rcu/tree_exp.h:1004
 namespace_unlock+0x1e7/0x3c0 fs/namespace.c:1581
 drop_collected_mounts fs/namespace.c:2083 [inline]
 put_mnt_ns+0xdf/0x130 fs/namespace.c:4802
 free_nsproxy+0x4d/0x3c0 kernel/nsproxy.c:193
 do_exit+0x906/0x23c0 kernel/exit.c:882
 do_group_exit+0x21b/0x2d0 kernel/exit.c:1024
 get_signal+0x12fc/0x1400 kernel/signal.c:2902
 arch_do_signal_or_restart+0x9c/0x7b0 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop+0x70/0x110 kernel/entry/common.c:174
 exit_to_user_mode_prepare+0xf6/0x180 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
 syscall_exit_to_user_mode+0x1a/0x50 kernel/entry/common.c:302
 do_syscall_64+0x61/0xb0 arch/x86/entry/common.c:87
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f5433185897
RSP: 002b:00007fffbe4a9340 EFLAGS: 00000293 ORIG_RAX: 000000000000003d
RAX: fffffffffffffe00 RBX: 0000000000000103 RCX: 00007f5433185897
RDX: 0000000040000000 RSI: 00007fffbe4a93ac RDI: 00000000ffffffff
RBP: 00007fffbe4a93ac R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000045
R13: 00005555731eb590 R14: 000000000001f51e R15: 00007fffbe4a9400
 </TASK>
INFO: task syz-executor:6783 blocked for more than 144 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor    state:D stack:25320 pid:6783  ppid:1      flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5380 [inline]
 __schedule+0x14d2/0x44d0 kernel/sched/core.c:6699
 schedule+0xbd/0x170 kernel/sched/core.c:6773
 schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6832
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x6b7/0xcc0 kernel/locking/mutex.c:747
 rtnl_lock net/core/rtnetlink.c:78 [inline]
 rtnetlink_rcv_msg+0x76f/0xf10 net/core/rtnetlink.c:6469
 netlink_rcv_skb+0x216/0x480 net/netlink/af_netlink.c:2545
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x751/0x8d0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x8c1/0xbe0 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 __sys_sendto+0x46a/0x620 net/socket.c:2201
 __do_sys_sendto net/socket.c:2213 [inline]
 __se_sys_sendto net/socket.c:2209 [inline]
 __x64_sys_sendto+0xde/0xf0 net/socket.c:2209
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f7a317915dc
RSP: 002b:00007ffd27c8f8c0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f7a32514620 RCX: 00007f7a317915dc
RDX: 0000000000000028 RSI: 00007f7a32514670 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007ffd27c8f914 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
R13: 0000000000000000 R14: 00007f7a32514670 R15: 0000000000000000
 </TASK>
INFO: task syz-executor:6786 blocked for more than 145 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor    state:D stack:25320 pid:6786  ppid:1      flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5380 [inline]
 __schedule+0x14d2/0x44d0 kernel/sched/core.c:6699
 schedule+0xbd/0x170 kernel/sched/core.c:6773
 schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6832
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x6b7/0xcc0 kernel/locking/mutex.c:747
 rtnl_lock net/core/rtnetlink.c:78 [inline]
 rtnetlink_rcv_msg+0x76f/0xf10 net/core/rtnetlink.c:6469
 netlink_rcv_skb+0x216/0x480 net/netlink/af_netlink.c:2545
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x751/0x8d0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x8c1/0xbe0 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 __sys_sendto+0x46a/0x620 net/socket.c:2201
 __do_sys_sendto net/socket.c:2213 [inline]
 __se_sys_sendto net/socket.c:2209 [inline]
 __x64_sys_sendto+0xde/0xf0 net/socket.c:2209
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fa5599915dc
RSP: 002b:00007ffd75a2a1b0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fa55a714620 RCX: 00007fa5599915dc
RDX: 0000000000000028 RSI: 00007fa55a714670 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007ffd75a2a204 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
R13: 0000000000000000 R14: 00007fa55a714670 R15: 0000000000000000
 </TASK>
INFO: task syz-executor:6789 blocked for more than 146 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor    state:D stack:25320 pid:6789  ppid:1      flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5380 [inline]
 __schedule+0x14d2/0x44d0 kernel/sched/core.c:6699
 schedule+0xbd/0x170 kernel/sched/core.c:6773
 schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6832
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x6b7/0xcc0 kernel/locking/mutex.c:747
 rtnl_lock net/core/rtnetlink.c:78 [inline]
 rtnetlink_rcv_msg+0x76f/0xf10 net/core/rtnetlink.c:6469
 netlink_rcv_skb+0x216/0x480 net/netlink/af_netlink.c:2545
 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
 netlink_unicast+0x751/0x8d0 net/netlink/af_netlink.c:1346
 netlink_sendmsg+0x8c1/0xbe0 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 __sys_sendto+0x46a/0x620 net/socket.c:2201
 __do_sys_sendto net/socket.c:2213 [inline]
 __se_sys_sendto net/socket.c:2209 [inline]
 __x64_sys_sendto+0xde/0xf0 net/socket.c:2209
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f21a39915dc
RSP: 002b:00007ffea3fc5910 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f21a4714620 RCX: 00007f21a39915dc
RDX: 0000000000000028 RSI: 00007f21a4714670 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007ffea3fc5964 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
R13: 0000000000000000 R14: 00007f21a4714670 R15: 0000000000000000
 </TASK>

Showing all locks held in the system:
3 locks held by kworker/0:0/8:
 #0: ffff888017871d38 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff888017871d38 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc900000d7d00 ((reg_check_chans).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc900000d7d00 ((reg_check_chans).work){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #2: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: reg_check_chans_work+0x91/0xd70 net/wireless/reg.c:2463
1 lock held by khungtaskd/29:
 #0: ffffffff8cd2ff20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:334 [inline]
 #0: ffffffff8cd2ff20 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:786 [inline]
 #0: ffffffff8cd2ff20 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x55/0x290 kernel/locking/lockdep.c:6633
3 locks held by kworker/u4:2/42:
 #0: ffff88802c0ad138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff88802c0ad138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc90000b2fd00 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc90000b2fd00 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #2: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_verify_work+0x19/0x30 net/ipv6/addrconf.c:4700
5 locks held by kworker/u5:0/51:
 #0: ffff88802b558138 ((wq_completion)hci3){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff88802b558138 ((wq_completion)hci3){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc90000bc7d00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc90000bc7d00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #2: ffff88802ee4ce70 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x1d4/0x390 net/bluetooth/hci_sync.c:326
 #3: ffff88802ee4c0b8 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x1f7/0xdc0 net/bluetooth/hci_sync.c:5658
 #4: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1996 [inline]
 #4: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x165/0x300 net/bluetooth/hci_conn.c:1251
2 locks held by kworker/0:2/966:
 #0: ffff888017872538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff888017872538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc900042a7d00 ((work_completion)(&rew->rew_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc900042a7d00 ((work_completion)(&rew->rew_work)){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
3 locks held by kworker/u4:6/1080:
 #0: ffff888017871538 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff888017871538 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc9000466fd00 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc9000466fd00 ((linkwatch_work).work){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #2: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:286
5 locks held by kworker/u4:7/1082:
 #0: ffff888017871538 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff888017871538 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc900045cfd00 ((work_completion)(&rdev->wiphy_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc900045cfd00 ((work_completion)(&rdev->wiphy_work)){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #2: ffff888079650768 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: wiphy_lock include/net/cfg80211.h:5777 [inline]
 #2: ffff888079650768 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: cfg80211_wiphy_work+0x35/0x260 net/wireless/core.c:424
 #3: ffff88805b90cd40 (&wdev->mtx){+.+.}-{3:3}, at: sdata_lock net/mac80211/ieee80211_i.h:1135 [inline]
 #3: ffff88805b90cd40 (&wdev->mtx){+.+.}-{3:3}, at: ieee80211_ibss_work+0xa4/0x10c0 net/mac80211/ibss.c:1684
 #4: ffff888079651768 (&local->sta_mtx){+.+.}-{3:3}, at: ieee80211_ibss_sta_expire net/mac80211/ibss.c:1260 [inline]
 #4: ffff888079651768 (&local->sta_mtx){+.+.}-{3:3}, at: ieee80211_sta_merge_ibss net/mac80211/ibss.c:1303 [inline]
 #4: ffff888079651768 (&local->sta_mtx){+.+.}-{3:3}, at: ieee80211_ibss_work+0x57b/0x10c0 net/mac80211/ibss.c:1712
4 locks held by kworker/u5:1/5080:
 #0: ffff88805c349938 ((wq_completion)hci10#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff88805c349938 ((wq_completion)hci10#2){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc9000f967d00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc9000f967d00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #2: ffff8880269340b8 (&hdev->lock){+.+.}-{3:3}, at: hci_remote_features_evt+0x9c/0x8d0 net/bluetooth/hci_event.c:3688
 #3: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1996 [inline]
 #3: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_remote_features_evt+0x517/0x8d0 net/bluetooth/hci_event.c:3722
2 locks held by getty/5520:
 #0: ffff88823bd0a8a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: ffffc9000326e2f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x425/0x1380 drivers/tty/n_tty.c:2217
4 locks held by kworker/u5:2/5763:
 #0: ffff88805be0e138 ((wq_completion)hci9#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff88805be0e138 ((wq_completion)hci9#2){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc900046dfd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc900046dfd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #2: ffff88802fe740b8 (&hdev->lock){+.+.}-{3:3}, at: hci_remote_features_evt+0x9c/0x8d0 net/bluetooth/hci_event.c:3688
 #3: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1996 [inline]
 #3: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_remote_features_evt+0x517/0x8d0 net/bluetooth/hci_event.c:3722
6 locks held by kworker/u5:3/5767:
 #0: ffff88802b55a138 ((wq_completion)hci0){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff88802b55a138 ((wq_completion)hci0){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc9000471fd00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc9000471fd00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #2: ffff888027380e70 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x1d4/0x390 net/bluetooth/hci_sync.c:326
 #3: ffff8880273800b8 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x1f7/0xdc0 net/bluetooth/hci_sync.c:5658
 #4: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1996 [inline]
 #4: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x165/0x300 net/bluetooth/hci_conn.c:1251
 #5: ffff88814dd54338 (&conn->lock#2){+.+.}-{3:3}, at: l2cap_conn_del+0x70/0x660 net/bluetooth/l2cap_core.c:1763
5 locks held by kworker/u5:4/5769:
 #0: ffff88805bf52938 ((wq_completion)hci4){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff88805bf52938 ((wq_completion)hci4){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc9000473fd00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc9000473fd00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #2: ffff88807efe4e70 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x1d4/0x390 net/bluetooth/hci_sync.c:326
 #3: ffff88807efe40b8 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x1f7/0xdc0 net/bluetooth/hci_sync.c:5658
 #4: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1996 [inline]
 #4: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x165/0x300 net/bluetooth/hci_conn.c:1251
5 locks held by kworker/u5:5/5770:
 #0: ffff88802f3e6538 ((wq_completion)hci1){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff88802f3e6538 ((wq_completion)hci1){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc9000475fd00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc9000475fd00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #2: ffff88802f830e70 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x1d4/0x390 net/bluetooth/hci_sync.c:326
 #3: ffff88802f8300b8 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x1f7/0xdc0 net/bluetooth/hci_sync.c:5658
 #4: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1996 [inline]
 #4: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x165/0x300 net/bluetooth/hci_conn.c:1251
4 locks held by kworker/u5:6/5772:
 #0: ffff88805c019138 ((wq_completion)hci11#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff88805c019138 ((wq_completion)hci11#2){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc9000476fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc9000476fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #2: ffff8880269300b8 (&hdev->lock){+.+.}-{3:3}, at: hci_remote_features_evt+0x9c/0x8d0 net/bluetooth/hci_event.c:3688
 #3: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1996 [inline]
 #3: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_remote_features_evt+0x517/0x8d0 net/bluetooth/hci_event.c:3722
5 locks held by kworker/u5:7/5773:
 #0: ffff8881462d3138 ((wq_completion)hci2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff8881462d3138 ((wq_completion)hci2){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc9000477fd00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc9000477fd00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #2: ffff88802f3f0e70 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x1d4/0x390 net/bluetooth/hci_sync.c:326
 #3: ffff88802f3f00b8 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x1f7/0xdc0 net/bluetooth/hci_sync.c:5658
 #4: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1996 [inline]
 #4: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x165/0x300 net/bluetooth/hci_conn.c:1251
5 locks held by kworker/u5:8/5774:
 #0: ffff8880273f1138 ((wq_completion)hci7){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff8880273f1138 ((wq_completion)hci7){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc9000479fd00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc9000479fd00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #2: ffff888024eb4e70 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x1d4/0x390 net/bluetooth/hci_sync.c:326
 #3: ffff888024eb40b8 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x1f7/0xdc0 net/bluetooth/hci_sync.c:5658
 #4: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1996 [inline]
 #4: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x165/0x300 net/bluetooth/hci_conn.c:1251
2 locks held by syz.4.225/6729:
 #0: ffffffff8cd85ea8 (event_mutex){+.+.}-{3:3}, at: perf_trace_destroy+0x2e/0x140 kernel/trace/trace_event_perf.c:239
 #1: ffffffff8cd358f8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:324 [inline]
 #1: ffffffff8cd358f8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x360/0x830 kernel/rcu/tree_exp.h:1004
2 locks held by syz.0.229/6746:
1 lock held by syz.3.233/6769:
 #0: ffff88802f5a0820 (&sb->s_type->i_mutex_key#11){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:804 [inline]
 #0: ffff88802f5a0820 (&sb->s_type->i_mutex_key#11){+.+.}-{3:3}, at: __sock_release net/socket.c:658 [inline]
 #0: ffff88802f5a0820 (&sb->s_type->i_mutex_key#11){+.+.}-{3:3}, at: sock_close+0x9b/0x230 net/socket.c:1421
2 locks held by syz-executor/6774:
 #0: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:78 [inline]
 #0: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x76f/0xf10 net/core/rtnetlink.c:6469
 #1: ffffffff8cd358f8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:324 [inline]
 #1: ffffffff8cd358f8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x360/0x830 kernel/rcu/tree_exp.h:1004
1 lock held by syz-executor/6783:
 #0: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:78 [inline]
 #0: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x76f/0xf10 net/core/rtnetlink.c:6469
1 lock held by syz-executor/6786:
 #0: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:78 [inline]
 #0: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x76f/0xf10 net/core/rtnetlink.c:6469
1 lock held by syz-executor/6789:
 #0: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:78 [inline]
 #0: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x76f/0xf10 net/core/rtnetlink.c:6469
1 lock held by dhcpcd/6791:
 #0: ffff8880213fe130 (sk_lock-AF_PACKET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1767 [inline]
 #0: ffff8880213fe130 (sk_lock-AF_PACKET){+.+.}-{0:0}, at: packet_do_bind+0x32/0xcc0 net/packet/af_packet.c:3258
1 lock held by dhcpcd/6792:
 #0: ffff8880573b8130 (sk_lock-AF_PACKET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1767 [inline]
 #0: ffff8880573b8130 (sk_lock-AF_PACKET){+.+.}-{0:0}, at: packet_do_bind+0x32/0xcc0 net/packet/af_packet.c:3258
1 lock held by dhcpcd/6793:
 #0: ffff88804e146130 (sk_lock-AF_PACKET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1767 [inline]
 #0: ffff88804e146130 (sk_lock-AF_PACKET){+.+.}-{0:0}, at: packet_do_bind+0x32/0xcc0 net/packet/af_packet.c:3258
1 lock held by dhcpcd/6794:
 #0: ffff88804dd46130 (sk_lock-AF_PACKET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1767 [inline]
 #0: ffff88804dd46130 (sk_lock-AF_PACKET){+.+.}-{0:0}, at: packet_do_bind+0x32/0xcc0 net/packet/af_packet.c:3258
1 lock held by dhcpcd/6795:
 #0: ffff888024daa130 (sk_lock-AF_PACKET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1767 [inline]
 #0: ffff888024daa130 (sk_lock-AF_PACKET){+.+.}-{0:0}, at: packet_do_bind+0x32/0xcc0 net/packet/af_packet.c:3258
1 lock held by dhcpcd/6796:
 #0: ffff888024dac130 (sk_lock-AF_PACKET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1767 [inline]
 #0: ffff888024dac130 (sk_lock-AF_PACKET){+.+.}-{0:0}, at: packet_do_bind+0x32/0xcc0 net/packet/af_packet.c:3258
1 lock held by syz-executor/6798:
 #0: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:78 [inline]
 #0: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x76f/0xf10 net/core/rtnetlink.c:6469
1 lock held by syz-executor/6803:
 #0: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:78 [inline]
 #0: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x76f/0xf10 net/core/rtnetlink.c:6469
1 lock held by syz-executor/6806:
 #0: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:78 [inline]
 #0: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x76f/0xf10 net/core/rtnetlink.c:6469
1 lock held by syz-executor/6809:
 #0: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:78 [inline]
 #0: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x76f/0xf10 net/core/rtnetlink.c:6469
4 locks held by kworker/u5:9/6810:
 #0: ffff88805ac2ed38 ((wq_completion)hci12#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff88805ac2ed38 ((wq_completion)hci12#2){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc9000f57fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc9000f57fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #2: ffff888026d7c0b8 (&hdev->lock){+.+.}-{3:3}, at: hci_remote_features_evt+0x9c/0x8d0 net/bluetooth/hci_event.c:3688
 #3: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1996 [inline]
 #3: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_remote_features_evt+0x517/0x8d0 net/bluetooth/hci_event.c:3722
5 locks held by kworker/u5:10/6812:
 #0: ffff88805c374d38 ((wq_completion)hci5){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff88805c374d38 ((wq_completion)hci5){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc9000f58fd00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc9000f58fd00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #2: ffff888078d50e70 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x1d4/0x390 net/bluetooth/hci_sync.c:326
 #3: ffff888078d500b8 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x1f7/0xdc0 net/bluetooth/hci_sync.c:5658
 #4: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1996 [inline]
 #4: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x165/0x300 net/bluetooth/hci_conn.c:1251
4 locks held by kworker/u5:11/6813:
 #0: ffff8880247df938 ((wq_completion)hci13#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff8880247df938 ((wq_completion)hci13#2){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc9000c917d00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc9000c917d00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #2: ffff888026d780b8 (&hdev->lock){+.+.}-{3:3}, at: hci_remote_features_evt+0x9c/0x8d0 net/bluetooth/hci_event.c:3688
 #3: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1996 [inline]
 #3: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_remote_features_evt+0x517/0x8d0 net/bluetooth/hci_event.c:3722
1 lock held by syz-executor/6815:
 #0: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:78 [inline]
 #0: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x76f/0xf10 net/core/rtnetlink.c:6469
4 locks held by kworker/u5:12/6818:
 #0: ffff888030594138 ((wq_completion)hci15#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff888030594138 ((wq_completion)hci15#2){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc9000f5dfd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc9000f5dfd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #2: ffff88802f1700b8 (&hdev->lock){+.+.}-{3:3}, at: hci_remote_features_evt+0x9c/0x8d0 net/bluetooth/hci_event.c:3688
 #3: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1996 [inline]
 #3: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_remote_features_evt+0x517/0x8d0 net/bluetooth/hci_event.c:3722
1 lock held by syz-executor/6821:
 #0: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:78 [inline]
 #0: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x76f/0xf10 net/core/rtnetlink.c:6469
4 locks held by kworker/u5:13/6822:
 #0: ffff88805b17c938 ((wq_completion)hci14#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff88805b17c938 ((wq_completion)hci14#2){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc9000f5ffd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc9000f5ffd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #2: ffff88807c82c0b8 (&hdev->lock){+.+.}-{3:3}, at: hci_remote_features_evt+0x9c/0x8d0 net/bluetooth/hci_event.c:3688
 #3: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1996 [inline]
 #3: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_remote_features_evt+0x517/0x8d0 net/bluetooth/hci_event.c:3722
1 lock held by syz-executor/6825:
 #0: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:78 [inline]
 #0: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x76f/0xf10 net/core/rtnetlink.c:6469
5 locks held by kworker/u5:14/6826:
 #0: ffff88805bc7b938 ((wq_completion)hci8){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff88805bc7b938 ((wq_completion)hci8){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc9000f637d00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc9000f637d00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #2: ffff88802fe70e70 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x1d4/0x390 net/bluetooth/hci_sync.c:326
 #3: ffff88802fe700b8 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x1f7/0xdc0 net/bluetooth/hci_sync.c:5658
 #4: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1996 [inline]
 #4: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x165/0x300 net/bluetooth/hci_conn.c:1251
5 locks held by kworker/u5:15/6829:
 #0: ffff88805bd77538 ((wq_completion)hci6){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff88805bd77538 ((wq_completion)hci6){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc9000f55fd00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc9000f55fd00 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #2: ffff88807c5f4e70 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x1d4/0x390 net/bluetooth/hci_sync.c:326
 #3: ffff88807c5f40b8 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x1f7/0xdc0 net/bluetooth/hci_sync.c:5658
 #4: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1996 [inline]
 #4: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x165/0x300 net/bluetooth/hci_conn.c:1251
4 locks held by kworker/u5:17/6831:
 #0: ffff88802df19138 ((wq_completion)hci16#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff88802df19138 ((wq_completion)hci16#2){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc9000f66fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc9000f66fd00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #2: ffff88802f1740b8 (&hdev->lock){+.+.}-{3:3}, at: hci_remote_features_evt+0x9c/0x8d0 net/bluetooth/hci_event.c:3688
 #3: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1996 [inline]
 #3: ffffffff8e1225c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_remote_features_evt+0x517/0x8d0 net/bluetooth/hci_event.c:3722
1 lock held by syz-executor/6832:
 #0: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:78 [inline]
 #0: ffffffff8dfb5448 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x76f/0xf10 net/core/rtnetlink.c:6469

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 29 Comm: khungtaskd Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106
 nmi_cpu_backtrace+0x39b/0x3d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x17a/0x2f0 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:222 [inline]
 watchdog+0xf41/0xf80 kernel/hung_task.c:379
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 6746 Comm: syz.0.229 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:get_current arch/x86/include/asm/current.h:41 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x8/0x60 kernel/kcov.c:215
Code: 00 00 f3 0f 1e fa 53 48 89 fb e8 13 00 00 00 48 8b 3d 9c 92 c4 0c 48 89 de 5b e9 43 9d 56 00 cc cc cc f3 0f 1e fa 48 8b 04 24 <65> 48 8b 0d f0 24 7e 7e 65 8b 15 f1 24 7e 7e 81 e2 00 01 ff 00 74
RSP: 0018:ffffc900001f0680 EFLAGS: 00000086
RAX: ffffffff81acdf85 RBX: dffffc0000000000 RCX: ffffffff8cd83460
RDX: 0000000000000001 RSI: 0000000000000014 RDI: ffffe8ffffdb8000
RBP: 0000000000000014 R08: 0000000000000001 R09: ffff8880b8f36888
R10: ffffe8ffffdb800c R11: fffff91ffffb7003 R12: ffffe8ffffdb8000
R13: ffffffff8cd83460 R14: ffff8880b8f36888 R15: dffffc0000000000
FS:  00007f933c5ee6c0(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f78e0b156c0 CR3: 0000000058258000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 <IRQ>
 perf_trace_run_bpf_submit+0x35/0x1c0 kernel/events/core.c:10260
 perf_trace_preemptirq_template+0x281/0x340 include/trace/events/preemptirq.h:14
 trace_irq_enable+0xbf/0xe0 include/trace/events/preemptirq.h:40
 trace_hardirqs_on+0x18/0x40 kernel/trace/trace_preemptirq.c:56
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:seqcount_lockdep_reader_access+0x17f/0x1c0 include/linux/seqlock.h:105
Code: 00 4d 85 e4 75 16 e8 90 90 0f 00 eb 15 e8 89 90 0f 00 e8 14 77 f1 08 4d 85 e4 74 ea e8 7a 90 0f 00 fb 48 c7 04 24 0e 36 e0 45 <4b> c7 04 3e 00 00 00 00 66 43 c7 44 3e 09 00 00 43 c6 44 3e 0b 00
RSP: 0018:ffffc900001f0880 EFLAGS: 00000246
RAX: ffffffff81760046 RBX: 0000000000000000 RCX: ffff88802ce1da00
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc900001f0938 R08: ffffffff90d945ff R09: 1ffffffff21b28bf
R10: dffffc0000000000 R11: fffffbfff21b28c0 R12: 0000000000000200
R13: ffff888089a36780 R14: 1ffff9200003e110 R15: dffffc0000000000
 ktime_get_with_offset+0x94/0x330 kernel/time/timekeeping.c:889
 ktime_get_boottime include/linux/timekeeping.h:95 [inline]
 ktime_get_boottime_ns include/linux/timekeeping.h:164 [inline]
 mac80211_hwsim_tx_frame_no_nl+0x6ae/0x1170 drivers/net/wireless/virtual/mac80211_hwsim.c:1784
 mac80211_hwsim_tx_frame+0x1b5/0x200 drivers/net/wireless/virtual/mac80211_hwsim.c:2176
 mac80211_hwsim_beacon_tx+0x3e9/0x780 drivers/net/wireless/virtual/mac80211_hwsim.c:2269
 __iterate_interfaces+0x243/0x500 net/mac80211/util.c:766
 ieee80211_iterate_active_interfaces_atomic+0xdb/0x180 net/mac80211/util.c:802
 mac80211_hwsim_beacon+0xbb/0x1b0 drivers/net/wireless/virtual/mac80211_hwsim.c:2295
 __run_hrtimer kernel/time/hrtimer.c:1750 [inline]
 __hrtimer_run_queues+0x51e/0xc40 kernel/time/hrtimer.c:1814
 hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1831
 handle_softirqs+0x280/0x820 kernel/softirq.c:578
 __do_softirq kernel/softirq.c:612 [inline]
 invoke_softirq kernel/softirq.c:452 [inline]
 __irq_exit_rcu+0xc7/0x190 kernel/softirq.c:661
 irq_exit_rcu+0x9/0x20 kernel/softirq.c:673
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1088
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:finish_task_switch+0x26a/0x920 kernel/sched/core.c:5254
Code: 0f 84 37 01 00 00 48 85 db 0f 85 56 01 00 00 0f 1f 44 00 00 4c 8b 75 d0 4c 89 e7 e8 80 ca 14 09 e8 4b a4 2f 00 fb 4c 8b 65 c0 <49> 8d bc 24 f8 15 00 00 48 89 f8 48 c1 e8 03 42 0f b6 04 28 84 c0
RSP: 0018:ffffc9000b62f938 EFLAGS: 00000282
RAX: a0cd1247f98b5700 RBX: 0000000000000000 RCX: a0cd1247f98b5700
RDX: dffffc0000000000 RSI: ffffffff8aaabce0 RDI: ffffffff8afc6f80
RBP: ffffc9000b62f990 R08: ffffffff90d945ff R09: 1ffffffff21b28bf
R10: dffffc0000000000 R11: fffffbfff21b28c0 R12: ffff88802ce1da00
R13: dffffc0000000000 R14: ffff88802db0da00 R15: ffff8880b8f3cac8
 context_switch kernel/sched/core.c:5383 [inline]
 __schedule+0x14da/0x44d0 kernel/sched/core.c:6699
 preempt_schedule_common+0x82/0xc0 kernel/sched/core.c:6866
 preempt_schedule+0xab/0xc0 kernel/sched/core.c:6890
 preempt_schedule_thunk+0x1a/0x30 arch/x86/entry/thunk_64.S:45
 __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
 _raw_spin_unlock_irqrestore+0xfa/0x110 kernel/locking/spinlock.c:194
 __do_sys_perf_event_open kernel/events/core.c:12916 [inline]
 __se_sys_perf_event_open+0x1802/0x1c20 kernel/events/core.c:12567
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f933b78f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f933c5ee038 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 00007f933b9e5fa0 RCX: 00007f933b78f749
RDX: ffffffffffffffff RSI: 0000000000000000 RDI: 0000200000000140
RBP: 00007f933b813f91 R08: 0000000000000002 R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000
R13: 00007f933b9e6038 R14: 00007f933b9e5fa0 R15: 00007fff432eeee8
 </TASK>