program: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000e00), 0xffffffffffffffff) r2 = openat$comedi(0xffffff9c, &(0x7f0000000040)='/dev/comedi3\x00', 0x2000, 0x0) ioctl$COMEDI_DEVCONFIG(r2, 0x40946400, &(0x7f0000000140)={'8255\x00', [0xfffffffb, 0x2166, 0x2, 0x100000, 0x88d6, 0x8f, 0xfffffffd, 0x100010, 0x1000002, 0xffffffbf, 0x200, 0x8, 0x8, 0x1, 0x8, 0x7, 0x0, 0x3, 0x3, 0x101, 0x100, 0x3, 0x80, 0x5, 0xb, 0x1, 0x5721, 0x7db, 0x8, 0x7, 0x40000]}) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000100)={'wlan0\x00', 0x0}) sendmsg$NL80211_CMD_GET_SCAN(r0, &(0x7f0000000f00)={0x0, 0x0, &(0x7f0000000ec0)={&(0x7f0000000380)={0x1c, r1, 0xf21, 0x0, 0x0, {{}, {@val={0x8, 0x3, r3}, @void}}}, 0x1c}, 0x1, 0x0, 0x0, 0x20000015}, 0x44000) syz_80211_inject_frame(&(0x7f0000000300), &(0x7f00000000c0)=@mgmt_frame=@beacon={{{}, {}, @broadcast, @broadcast}, 0x0, @default, 0x1, @val={0x0, 0x6, @default_ap_ssid}, @val, @void, @void, @void, @val={0x5, 0x3, {0x80, 0x1a, 0xe}}, @val={0x25, 0x3, {0x1, 0x6c}}, @void, @void, @val={0x2d, 0x1a, {0xc, 0x0, 0x3, 0x0, {0xe920, 0x5, 0x0, 0x3, 0x0, 0x0, 0x1, 0x0, 0x1}, 0x0, 0x7ff, 0x8}}, @void, @void, @val={0x76, 0x6, {0x1, 0xac, 0x40, 0x7f}}}, 0x5c) readv(r0, &(0x7f0000000580)=[{&(0x7f0000000240)=""/73, 0x49}], 0x1) bpf$BPF_GET_PROG_INFO(0xf, &(0x7f00000003c0)={0xffffffffffffffff, 0xe0, &(0x7f00000002c0)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ""/16, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4d, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x44, 0x8, 0x0, 0x0}}, 0xffffffffffffff14) r4 = bpf$MAP_CREATE_CONST_STR(0x0, &(0x7f0000000340)=ANY=[@ANYBLOB="02000000040000000800000001"], 0x48) bpf$MAP_GET_NEXT_KEY(0x4, &(0x7f00000000c0)={r4, 0x0, &(0x7f0000000080)=""/52}, 0x20) bpf$MAP_CREATE(0x0, &(0x7f0000000000)=@base={0x1a, 0xa, 0xb, 0x22}, 0x50) r5 = socket$alg(0x26, 0x5, 0x0) setsockopt$ALG_SET_KEY(r5, 0x117, 0x1, &(0x7f0000000140)="30f18b9ea432f1e0b13c5f5a6ea441594c3256bffadd051307d1437b924a27030288b4d18fc0b939331003a1b17093915a6232f1e76479048dd3a58836c93c625e2badfa9cf26a7342ba4379f5e8bdd6a16e177e4ca4e0d9cd2a57a128c9b23c51a27296778a2543f4ac", 0x6a) r6 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r6, 0x400448ca, 0x0) r7 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) bind$bt_hci(r7, &(0x7f0000000100)={0x1f, 0xffff, 0x3}, 0x6) write$binfmt_misc(r7, &(0x7f0000000000), 0xd) [ 105.100546][ T5330] comedi comedi3: 8255: I/O port conflict (0xfffffffffffffffb,4) [ 105.106789][ T5330] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 105.118647][ T5307] Bluetooth: hci0: command tx timeout [ 105.129986][ T1224] [ 105.131600][ T1224] ====================================================== [ 105.135454][ T1224] WARNING: possible circular locking dependency detected [ 105.142205][ T1224] syzkaller #0 Not tainted [ 105.145897][ T1224] ------------------------------------------------------ [ 105.149128][ T1224] kworker/0:3/1224 is trying to acquire lock: [ 105.151994][ T1224] ffff88801fa68af8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0 [ 105.156295][ T1224] [ 105.156295][ T1224] but task is already holding lock: [ 105.159859][ T1224] ffffc900020ffc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa25/0x1830 [ 105.166051][ T1224] [ 105.166051][ T1224] which lock already depends on the new lock. [ 105.166051][ T1224] [ 105.171277][ T1224] [ 105.171277][ T1224] the existing dependency chain (in reverse order) is: [ 105.175860][ T1224] [ 105.175860][ T1224] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}: [ 105.181171][ T1224] __flush_work+0x700/0xc50 [ 105.183805][ T1224] __cancel_work_sync+0xbe/0x110 [ 105.186705][ T1224] l2cap_conn_del+0x40f/0x5c0 [ 105.189220][ T1224] hci_conn_hash_flush+0x10d/0x260 [ 105.191770][ T1224] hci_dev_close_sync+0x821/0x10e0 [ 105.194178][ T1224] hci_dev_close+0x108/0x260 [ 105.196634][ T1224] sock_do_ioctl+0x101/0x320 [ 105.199710][ T1224] sock_ioctl+0x5c6/0x7f0 [ 105.202379][ T1224] __se_sys_ioctl+0xfc/0x170 [ 105.204987][ T1224] do_syscall_64+0x14d/0xf80 [ 105.207341][ T1224] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 105.210222][ T1224] [ 105.210222][ T1224] -> #0 (&conn->lock#2){+.+.}-{4:4}: [ 105.213657][ T1224] __lock_acquire+0x15a5/0x2cf0 [ 105.216932][ T1224] lock_acquire+0xf0/0x2e0 [ 105.220045][ T1224] __mutex_lock+0x19f/0x1300 [ 105.222413][ T1224] l2cap_info_timeout+0x60/0xa0 [ 105.224776][ T1224] process_scheduled_works+0xb02/0x1830 [ 105.227526][ T1224] worker_thread+0xa50/0xfc0 [ 105.229808][ T1224] kthread+0x388/0x470 [ 105.231941][ T1224] ret_from_fork+0x51e/0xb90 [ 105.234290][ T1224] ret_from_fork_asm+0x1a/0x30 [ 105.237067][ T1224] [ 105.237067][ T1224] other info that might help us debug this: [ 105.237067][ T1224] [ 105.242230][ T1224] Possible unsafe locking scenario: [ 105.242230][ T1224] [ 105.245552][ T1224] CPU0 CPU1 [ 105.248122][ T1224] ---- ---- [ 105.250631][ T1224] lock((work_completion)(&(&conn->info_timer)->work)); [ 105.253946][ T1224] lock(&conn->lock#2); [ 105.257073][ T1224] lock((work_completion)(&(&conn->info_timer)->work)); [ 105.261384][ T1224] lock(&conn->lock#2); [ 105.263365][ T1224] [ 105.263365][ T1224] *** DEADLOCK *** [ 105.263365][ T1224] [ 105.267188][ T1224] 2 locks held by kworker/0:3/1224: [ 105.269858][ T1224] #0: ffff88801aca6948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9ea/0x1830 [ 105.276262][ T1224] #1: ffffc900020ffc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa25/0x1830 [ 105.281916][ T1224] [ 105.281916][ T1224] stack backtrace: [ 105.284662][ T1224] CPU: 0 UID: 0 PID: 1224 Comm: kworker/0:3 Not tainted syzkaller #0 PREEMPT(full) [ 105.284682][ T1224] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 105.284691][ T1224] Workqueue: events l2cap_info_timeout [ 105.284716][ T1224] Call Trace: [ 105.284725][ T1224] [ 105.284732][ T1224] dump_stack_lvl+0xe8/0x150 [ 105.284751][ T1224] print_circular_bug+0x2e1/0x300 [ 105.284771][ T1224] check_noncircular+0x12e/0x150 [ 105.284788][ T1224] __lock_acquire+0x15a5/0x2cf0 [ 105.284803][ T1224] ? __schedule+0x15f3/0x52d0 [ 105.284819][ T1224] ? ret_from_fork_asm+0x1a/0x30 [ 105.284837][ T1224] lock_acquire+0xf0/0x2e0 [ 105.284850][ T1224] ? l2cap_info_timeout+0x60/0xa0 [ 105.284865][ T1224] __mutex_lock+0x19f/0x1300 [ 105.284880][ T1224] ? l2cap_info_timeout+0x60/0xa0 [ 105.284892][ T1224] ? irqentry_exit+0x59e/0x620 [ 105.284905][ T1224] ? lockdep_hardirqs_on+0x7a/0x110 [ 105.284918][ T1224] ? l2cap_info_timeout+0x60/0xa0 [ 105.284927][ T1224] ? irqentry_exit+0x59e/0x620 [ 105.284941][ T1224] ? trace_irq_disable+0x3b/0x150 [ 105.284958][ T1224] ? __pfx___mutex_lock+0x10/0x10 [ 105.284975][ T1224] ? lock_acquire+0x20b/0x2e0 [ 105.284995][ T1224] l2cap_info_timeout+0x60/0xa0 [ 105.285005][ T1224] ? process_scheduled_works+0xa25/0x1830 [ 105.285018][ T1224] process_scheduled_works+0xb02/0x1830 [ 105.285038][ T1224] ? __pfx_process_scheduled_works+0x10/0x10 [ 105.285050][ T1224] ? assign_work+0x3d5/0x5e0 [ 105.285063][ T1224] worker_thread+0xa50/0xfc0 [ 105.285082][ T1224] kthread+0x388/0x470 [ 105.285093][ T1224] ? __pfx_worker_thread+0x10/0x10 [ 105.285103][ T1224] ? __pfx_kthread+0x10/0x10 [ 105.285111][ T1224] ret_from_fork+0x51e/0xb90 [ 105.285127][ T1224] ? __pfx_ret_from_fork+0x10/0x10 [ 105.285138][ T1224] ? __switch_to+0xc7d/0x1450 [ 105.285149][ T1224] ? __pfx_kthread+0x10/0x10 [ 105.285158][ T1224] ret_from_fork_asm+0x1a/0x30 [ 105.285176][ T1224] [ 107.175030][ T5307] Bluetooth: hci0: command tx timeout [ 109.255245][ T5307] Bluetooth: hci0: command tx timeout