program: r0 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPCTNL_MSG_CT_DELETE(r0, &(0x7f00000005c0)={&(0x7f0000000280)={0x10, 0x0, 0x0, 0x2000000}, 0xc, &(0x7f00000002c0)={&(0x7f0000000340)={0xc4, 0x2, 0x1, 0x101, 0x0, 0x0, {0x2, 0x0, 0x8}, [@CTA_TUPLE_ORIG={0x14, 0x1, 0x0, 0x1, [@CTA_TUPLE_ZONE={0x6, 0x3, 0x1, 0x0, 0x2}, @CTA_TUPLE_ZONE={0x6, 0x3, 0x1, 0x0, 0x2}]}, @CTA_NAT_DST={0x3c, 0xd, 0x0, 0x1, [@CTA_NAT_PROTO={0x14, 0x3, 0x0, 0x1, [@CTA_PROTONAT_PORT_MAX={0x6, 0x2, 0x4e24}, @CTA_PROTONAT_PORT_MAX={0x6, 0x2, 0x4e20}]}, @CTA_NAT_V4_MAXIP={0x8, 0x2, @dev={0xac, 0x14, 0x14, 0x1e}}, @CTA_NAT_V6_MAXIP={0x14, 0x5, @private2}, @CTA_NAT_V4_MAXIP={0x8, 0x2, @local}]}, @CTA_LABELS_MASK={0xc, 0x17, [0xc6f, 0x5]}, @CTA_ZONE={0x6, 0x12, 0x1, 0x0, 0x2}, @CTA_NAT_SRC={0x14, 0x6, 0x0, 0x1, [@CTA_NAT_V4_MAXIP={0x8, 0x2, @multicast2}, @CTA_NAT_V4_MINIP={0x8, 0x1, @remote}]}, @CTA_STATUS_MASK={0x8, 0x1a, 0x1, 0x0, 0x7}, @CTA_NAT_SRC={0x30, 0x6, 0x0, 0x1, [@CTA_NAT_V6_MINIP={0x14, 0x4, @mcast1}, @CTA_NAT_V4_MINIP={0x8, 0x1, @initdev={0xac, 0x1e, 0x1, 0x0}}, @CTA_NAT_V4_MAXIP={0x8, 0x2, @initdev={0xac, 0x1e, 0x0, 0x0}}, @CTA_NAT_V4_MINIP={0x8, 0x1, @multicast1}]}]}, 0xc4}, 0x1, 0x0, 0x0, 0x1}, 0x44) openat$fb0(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0) (async) r1 = openat$fb0(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0) ioctl$FBIOPUT_VSCREENINFO(r1, 0x4601, &(0x7f0000000100)={0x400, 0x300, 0x2000, 0x0, 0x0, 0x0, 0x0, 0x0, {}, {}, {}, {}, 0x0, 0x3f0, 0x0, 0x0, 0x0, 0x0, 0x8, 0xfffffffc, 0x0, 0x0, 0x0, 0x0, 0x2d, 0x1, 0x0, 0x5}) sendmsg$IPSET_CMD_CREATE(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000180)=ANY=[@ANYBLOB="5000000002060500000000010000000000000000050005000a000000050004000000000005000100070000000900020073797a310000000016000300686173683a6e65742c706f72742c6e6574"], 0x50}}, 0x0) socket$nl_generic(0x10, 0x3, 0x10) (async) r2 = socket$nl_generic(0x10, 0x3, 0x10) r3 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000100), 0xffffffffffffffff) sendmsg$TIPC_NL_BEARER_ENABLE(r2, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000080)={0x54, r3, 0x1, 0x0, 0x0, {}, [@TIPC_NLA_BEARER={0x40, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x4a, 0x1, @in={0x2, 0x0, @loopback}}, {0x14, 0x2, @in={0x2, 0x4e24, @multicast2}}}}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz1\x00'}]}]}, 0x54}}, 0x4800) (async) sendmsg$TIPC_NL_BEARER_ENABLE(r2, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000080)={0x54, r3, 0x1, 0x0, 0x0, {}, [@TIPC_NLA_BEARER={0x40, 0x1, 0x0, 0x1, [@TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x4a, 0x1, @in={0x2, 0x0, @loopback}}, {0x14, 0x2, @in={0x2, 0x4e24, @multicast2}}}}, @TIPC_NLA_BEARER_NAME={0xd, 0x1, @udp='udp:syz1\x00'}]}]}, 0x54}}, 0x4800) r4 = socket$nl_netfilter(0x10, 0x3, 0xc) open(&(0x7f0000000180)='./bus\x00', 0x14957e, 0x0) syz_emit_vhci(&(0x7f0000000080)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi={{0x22, 0x1d}, {0x2, [{@any, 0x4, 0x81, "78d048", 0xff, 0x3}, {@none, 0x9, 0x68, "3992c1", 0x51, 0x40}]}}}, 0x20) (async) syz_emit_vhci(&(0x7f0000000080)=@HCI_EVENT_PKT={0x4, @inquiry_info_with_rssi={{0x22, 0x1d}, {0x2, [{@any, 0x4, 0x81, "78d048", 0xff, 0x3}, {@none, 0x9, 0x68, "3992c1", 0x51, 0x40}]}}}, 0x20) r5 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$sock_bt_hci(r5, 0x400448ca, 0x0) (async) ioctl$sock_bt_hci(r5, 0x400448ca, 0x0) mount(&(0x7f0000000040)=@nullb, &(0x7f0000000280)='./bus\x00', &(0x7f0000000240)='minix\x00', 0x0, 0x0) syz_mount_image$cramfs(&(0x7f0000000000), &(0x7f0000000180)='./file1\x00', 0x40, &(0x7f0000000080)=ANY=[], 0x1, 0x159, &(0x7f0000000440)="$eJxytT2rwcDIAAfO+bkFRanFxakpCkH+vm7Bm7bsYYbJcYAV5hYUgURSwEJ/DzgyMGQwMDAcYGFgeNsIET7My8CQlpmTqpecnwPiv3VkYNBgYGBw4mZgYMhkZXjJwMDwv5GBgQskJgJRa8gA0a+hzMBwSBQiZoQmxsmQwwwiQUCKhYHBiZ/hYAADAwMrAwPDBWEGBnaoO2HmfWFgYKiYo71uzSm/Myc9dbWWyTIztHpqywszoorLpfYYuUku5pFgZmgA6XeDmnNSlxXK8vH39T9rbGRkZmxgaGBgesn/9BlP04YJDCwePGUMDFFo5rH9r2dgCIW4dA4jA8MasPzbgywgow4t+O6fy88uwsDAwMYgwMDAWDFHhYGRFyLDArXvQx5EJjlBgnVxgogAEwMzSixBmBD/NjCMglEwCkbBKBgFo2AUjIJRMApGwSgYBYQAIAAA//+hoFsK") open(&(0x7f0000000000)='./file1\x00', 0x0, 0x0) sendmsg$IPSET_CMD_TEST(r4, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000200)={0x6c, 0xb, 0x6, 0x801, 0x0, 0x0, {0x2, 0x0, 0x2}, [@IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_DATA={0x44, 0x7, 0x0, 0x1, [@IPSET_ATTR_IP2={0x18, 0x14, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV6={0x14, 0x2, 0x1, 0x0, @dev={0xfe, 0x80, '\x00', 0x1f}}}, @IPSET_ATTR_IP={0x18, 0x1, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV6={0x14, 0x2, 0x1, 0x0, @private1}}, @IPSET_ATTR_PORT={0x6, 0x4, 0x1, 0x0, 0x4e24}, @IPSET_ATTR_CIDR2={0x5, 0x15, 0x85}]}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz1\x00'}]}, 0x6c}, 0x1, 0x0, 0x0, 0x48}, 0x4800) [ 100.033769][ T5322] netlink: 40 bytes leftover after parsing attributes in process `syz.0.0'. [ 100.038389][ T5322] tipc: Invalid UDP bearer configuration [ 100.038433][ T5322] tipc: Enabling of bearer rejected, failed to enable media [ 100.047001][ T5324] netlink: 40 bytes leftover after parsing attributes in process `syz.0.0'. [ 100.051378][ T5324] tipc: Invalid UDP bearer configuration [ 100.051418][ T5324] tipc: Enabling of bearer rejected, failed to enable media [ 100.091040][ T5299] Bluetooth: hci0: command tx timeout [ 100.110515][ T4714] [ 100.111995][ T4714] ====================================================== [ 100.115447][ T4714] WARNING: possible circular locking dependency detected [ 100.118420][ T4714] syzkaller #0 Not tainted [ 100.120404][ T4714] ------------------------------------------------------ [ 100.123554][ T4714] kworker/0:4/4714 is trying to acquire lock: [ 100.126310][ T4714] ffff8880121e2af8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0 [ 100.130749][ T4714] [ 100.130749][ T4714] but task is already holding lock: [ 100.134860][ T4714] ffffc9000252fc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0 [ 100.140957][ T4714] [ 100.140957][ T4714] which lock already depends on the new lock. [ 100.140957][ T4714] [ 100.145603][ T4714] [ 100.145603][ T4714] the existing dependency chain (in reverse order) is: [ 100.149938][ T4714] [ 100.149938][ T4714] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}: [ 100.156087][ T4714] __flush_work+0x700/0xc50 [ 100.158365][ T4714] __cancel_work_sync+0xbe/0x110 [ 100.160848][ T4714] l2cap_conn_del+0x40f/0x5c0 [ 100.163150][ T4714] hci_conn_hash_flush+0x10d/0x260 [ 100.165728][ T4714] hci_dev_close_sync+0x821/0x10e0 [ 100.168392][ T4714] hci_dev_close+0x108/0x260 [ 100.171057][ T4714] sock_do_ioctl+0x101/0x320 [ 100.174101][ T4714] sock_ioctl+0x5c6/0x7f0 [ 100.176840][ T4714] __se_sys_ioctl+0xfc/0x170 [ 100.179087][ T4714] do_syscall_64+0x14d/0xf80 [ 100.181497][ T4714] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 100.184335][ T4714] [ 100.184335][ T4714] -> #0 (&conn->lock#2){+.+.}-{4:4}: [ 100.188119][ T4714] __lock_acquire+0x15a5/0x2cf0 [ 100.191255][ T4714] lock_acquire+0xf0/0x2e0 [ 100.193975][ T4714] __mutex_lock+0x19f/0x1300 [ 100.196444][ T4714] l2cap_info_timeout+0x60/0xa0 [ 100.198847][ T4714] process_scheduled_works+0xb6e/0x18c0 [ 100.201696][ T4714] worker_thread+0xa53/0xfc0 [ 100.204037][ T4714] kthread+0x388/0x470 [ 100.206065][ T4714] ret_from_fork+0x51e/0xb90 [ 100.208537][ T4714] ret_from_fork_asm+0x1a/0x30 [ 100.211466][ T4714] [ 100.211466][ T4714] other info that might help us debug this: [ 100.211466][ T4714] [ 100.217277][ T4714] Possible unsafe locking scenario: [ 100.217277][ T4714] [ 100.220749][ T4714] CPU0 CPU1 [ 100.223144][ T4714] ---- ---- [ 100.225693][ T4714] lock((work_completion)(&(&conn->info_timer)->work)); [ 100.228825][ T4714] lock(&conn->lock#2); [ 100.232165][ T4714] lock((work_completion)(&(&conn->info_timer)->work)); [ 100.237331][ T4714] lock(&conn->lock#2); [ 100.239458][ T4714] [ 100.239458][ T4714] *** DEADLOCK *** [ 100.239458][ T4714] [ 100.243024][ T4714] 2 locks held by kworker/0:4/4714: [ 100.245371][ T4714] #0: ffff88801aca6948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0 [ 100.250536][ T4714] #1: ffffc9000252fc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0 [ 100.257430][ T4714] [ 100.257430][ T4714] stack backtrace: [ 100.260220][ T4714] CPU: 0 UID: 0 PID: 4714 Comm: kworker/0:4 Not tainted syzkaller #0 PREEMPT(full) [ 100.260239][ T4714] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 100.260249][ T4714] Workqueue: events l2cap_info_timeout [ 100.260274][ T4714] Call Trace: [ 100.260282][ T4714] [ 100.260288][ T4714] dump_stack_lvl+0xe8/0x150 [ 100.260306][ T4714] print_circular_bug+0x2e1/0x300 [ 100.260327][ T4714] check_noncircular+0x12e/0x150 [ 100.260344][ T4714] __lock_acquire+0x15a5/0x2cf0 [ 100.260359][ T4714] ? __schedule+0x15f3/0x52d0 [ 100.260372][ T4714] ? ret_from_fork_asm+0x1a/0x30 [ 100.260390][ T4714] lock_acquire+0xf0/0x2e0 [ 100.260404][ T4714] ? l2cap_info_timeout+0x60/0xa0 [ 100.260420][ T4714] __mutex_lock+0x19f/0x1300 [ 100.260432][ T4714] ? l2cap_info_timeout+0x60/0xa0 [ 100.260447][ T4714] ? irqentry_exit+0x59e/0x620 [ 100.260458][ T4714] ? lockdep_hardirqs_on+0x7a/0x110 [ 100.260469][ T4714] ? l2cap_info_timeout+0x60/0xa0 [ 100.260482][ T4714] ? irqentry_exit+0x59e/0x620 [ 100.260493][ T4714] ? trace_irq_disable+0x3b/0x150 [ 100.260504][ T4714] ? __pfx___mutex_lock+0x10/0x10 [ 100.260516][ T4714] ? lock_acquire+0x20b/0x2e0 [ 100.260528][ T4714] l2cap_info_timeout+0x60/0xa0 [ 100.260542][ T4714] ? process_scheduled_works+0xa8d/0x18c0 [ 100.260556][ T4714] process_scheduled_works+0xb6e/0x18c0 [ 100.260576][ T4714] ? __pfx_process_scheduled_works+0x10/0x10 [ 100.260592][ T4714] ? assign_work+0x3d5/0x5e0 [ 100.260606][ T4714] worker_thread+0xa53/0xfc0 [ 100.260626][ T4714] kthread+0x388/0x470 [ 100.260638][ T4714] ? __pfx_worker_thread+0x10/0x10 [ 100.260651][ T4714] ? __pfx_kthread+0x10/0x10 [ 100.260661][ T4714] ret_from_fork+0x51e/0xb90 [ 100.260677][ T4714] ? __pfx_ret_from_fork+0x10/0x10 [ 100.260690][ T4714] ? __switch_to+0xc7d/0x1450 [ 100.260703][ T4714] ? __pfx_kthread+0x10/0x10 [ 100.260714][ T4714] ret_from_fork_asm+0x1a/0x30 [ 100.260733][ T4714] [ 100.381035][ T5321] VFS: Can't find a Minix filesystem V1 | V2 | V3 on device nullb0. [ 100.410528][ T5321] loop0: detected capacity change from 0 to 8 [ 100.416729][ T5321] ======================================================= [ 100.416729][ T5321] WARNING: The mand mount option has been deprecated and [ 100.416729][ T5321] and is ignored by this kernel. Remove the mand [ 100.416729][ T5321] option from the mount to silence this warning. [ 100.416729][ T5321] ======================================================= [ 100.452062][ T5321] cramfs: Unknown parameter '"' [ 102.170462][ T4665] Bluetooth: hci0: command tx timeout [ 104.250532][ T4665] Bluetooth: hci0: command tx timeout