======================================================
WARNING: possible circular locking dependency detected
6.14.0-rc3-syzkaller-00060-g6537cfb395f3 #0 Not tainted
------------------------------------------------------
kworker/u9:0/53 is trying to acquire lock:
ffff888035a42840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
ffff888035a42840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
ffff888035a42840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: start_flush_work kernel/workqueue.c:4148 [inline]
ffff888035a42840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0xe9/0xc60 kernel/workqueue.c:4206

but task is already holding lock:
ffff888035a42b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x71/0x690 net/bluetooth/l2cap_core.c:1760

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&conn->lock#2){+.+.}-{4:4}:
       lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5851
       __mutex_lock_common kernel/locking/mutex.c:585 [inline]
       __mutex_lock+0x19c/0x1010 kernel/locking/mutex.c:730
       l2cap_info_timeout+0x60/0xa0 net/bluetooth/l2cap_core.c:1666
       process_one_work kernel/workqueue.c:3236 [inline]
       process_scheduled_works+0xabe/0x18e0 kernel/workqueue.c:3317
       worker_thread+0x870/0xd30 kernel/workqueue.c:3398
       kthread+0x7a9/0x920 kernel/kthread.c:464
       ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

-> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
       check_prev_add kernel/locking/lockdep.c:3163 [inline]
       check_prevs_add kernel/locking/lockdep.c:3282 [inline]
       validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3906
       __lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5228
       lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5851
       touch_work_lockdep_map kernel/workqueue.c:3920 [inline]
       start_flush_work kernel/workqueue.c:4174 [inline]
       __flush_work+0x739/0xc60 kernel/workqueue.c:4206
       __cancel_work_sync+0xbc/0x110 kernel/workqueue.c:4362
       l2cap_conn_del+0x507/0x690 net/bluetooth/l2cap_core.c:1794
       l2cap_connect_cfm+0xcc/0x1090 net/bluetooth/l2cap_core.c:7195
       hci_connect_cfm include/net/bluetooth/hci_core.h:2051 [inline]
       hci_conn_failed+0x287/0x400 net/bluetooth/hci_conn.c:1266
       hci_abort_conn_sync+0xd27/0x1340 net/bluetooth/hci_sync.c:5588
       hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332
       process_one_work kernel/workqueue.c:3236 [inline]
       process_scheduled_works+0xabe/0x18e0 kernel/workqueue.c:3317
       worker_thread+0x870/0xd30 kernel/workqueue.c:3398
       kthread+0x7a9/0x920 kernel/kthread.c:464
       ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&conn->lock#2);
                               lock((work_completion)(&(&conn->info_timer)->work));
                               lock(&conn->lock#2);
  lock((work_completion)(&(&conn->info_timer)->work));

 *** DEADLOCK ***

6 locks held by kworker/u9:0/53:
 #0: ffff888024bc9148 ((wq_completion)hci5){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline]
 #0: ffff888024bc9148 ((wq_completion)hci5){+.+.}-{0:0}, at: process_scheduled_works+0x98b/0x18e0 kernel/workqueue.c:3317
 #1: ffffc90000bd7c60 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline]
 #1: ffffc90000bd7c60 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x9c6/0x18e0 kernel/workqueue.c:3317
 #2: ffff88805cf6cd80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x1ec/0x400 net/bluetooth/hci_sync.c:331
 #3: ffff88805cf6c078 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x9ee/0x1340 net/bluetooth/hci_sync.c:5569
 #4: ffff888035a42b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x71/0x690 net/bluetooth/l2cap_core.c:1760
 #5: ffffffff8eb38f60 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
 #5: ffffffff8eb38f60 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
 #5: ffffffff8eb38f60 (rcu_read_lock){....}-{1:3}, at: start_flush_work kernel/workqueue.c:4148 [inline]
 #5: ffffffff8eb38f60 (rcu_read_lock){....}-{1:3}, at: __flush_work+0xe9/0xc60 kernel/workqueue.c:4206

stack backtrace:
CPU: 1 UID: 0 PID: 53 Comm: kworker/u9:0 Not tainted 6.14.0-rc3-syzkaller-00060-g6537cfb395f3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Workqueue: hci5 hci_cmd_sync_work
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2076
 check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2208
 check_prev_add kernel/locking/lockdep.c:3163 [inline]
 check_prevs_add kernel/locking/lockdep.c:3282 [inline]
 validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3906
 __lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5228
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5851
 touch_work_lockdep_map kernel/workqueue.c:3920 [inline]
 start_flush_work kernel/workqueue.c:4174 [inline]
 __flush_work+0x739/0xc60 kernel/workqueue.c:4206
 __cancel_work_sync+0xbc/0x110 kernel/workqueue.c:4362
 l2cap_conn_del+0x507/0x690 net/bluetooth/l2cap_core.c:1794
 l2cap_connect_cfm+0xcc/0x1090 net/bluetooth/l2cap_core.c:7195
 hci_connect_cfm include/net/bluetooth/hci_core.h:2051 [inline]
 hci_conn_failed+0x287/0x400 net/bluetooth/hci_conn.c:1266
 hci_abort_conn_sync+0xd27/0x1340 net/bluetooth/hci_sync.c:5588
 hci_cmd_sync_work+0x22b/0x400 net/bluetooth/hci_sync.c:332
 process_one_work kernel/workqueue.c:3236 [inline]
 process_scheduled_works+0xabe/0x18e0 kernel/workqueue.c:3317
 worker_thread+0x870/0xd30 kernel/workqueue.c:3398
 kthread+0x7a9/0x920 kernel/kthread.c:464
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244