program:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x3, 0x0)
connect$bt_l2cap(r0, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x803}, 0xe)
bind$inet(0xffffffffffffffff, &(0x7f0000000040)={0x2, 0x4e22, @empty}, 0x67)
setsockopt$SO_BINDTODEVICE(0xffffffffffffffff, 0x1, 0x19, &(0x7f00000005c0)='syz_tun\x00', 0x10)
sendto$inet(0xffffffffffffffff, 0x0, 0x0, 0x24000840, &(0x7f0000000080)={0x2, 0x0, @remote}, 0x10)
syz_emit_ethernet(0x36, &(0x7f00000002c0)={@local, @remote, @void, {@ipv4={0x800, @tcp={{0x5, 0x4, 0x0, 0x0, 0x28, 0x0, 0x0, 0x0, 0x6, 0x0, @remote, @local}, {{0x0, 0x4e22, 0x41424344, 0x41424344, 0x0, 0x6, 0x5, 0x10}}}}}}, 0x0)
setsockopt$inet_tcp_buf(0xffffffffffffffff, 0x6, 0x1f, &(0x7f0000000600)="9a89", 0x2)
syz_emit_vhci(&(0x7f0000000340)=ANY=[@ANYBLOB="02c82028002400010007d3040007c4faff020c04000300d3"], 0x2d)
r1 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$HCIINQUIRY(r1, 0x400448ca, 0x0)

[ 117.201660][ T4664] Bluetooth: hci0: command tx timeout
[ 117.238890][ T9]
[ 117.240049][ T9] ======================================================
[ 117.243046][ T9] WARNING: possible circular locking dependency detected
[ 117.246065][ T9] syzkaller #0 Not tainted
[ 117.247999][ T9] ------------------------------------------------------
[ 117.251130][ T9] kworker/0:0/9 is trying to acquire lock:
[ 117.254092][ T9] ffff8880403602f8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 117.258480][ T9]
[ 117.258480][ T9] but task is already holding lock:
[ 117.261863][ T9] ffffc9000022fc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0
[ 117.267183][ T9]
[ 117.267183][ T9] which lock already depends on the new lock.
[ 117.267183][ T9]
[ 117.272463][ T9]
[ 117.272463][ T9] the existing dependency chain (in reverse order) is:
[ 117.277958][ T9]
[ 117.277958][ T9] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 117.282294][ T9]        __flush_work+0x700/0xc50
[ 117.285005][ T9]        __cancel_work_sync+0xbe/0x110
[ 117.287762][ T9]        l2cap_conn_del+0x40f/0x5c0
[ 117.290435][ T9]        hci_conn_hash_flush+0x10d/0x260
[ 117.293062][ T9]        hci_dev_close_sync+0x821/0x10e0
[ 117.295464][ T9]        hci_dev_close+0x108/0x260
[ 117.297657][ T9]        sock_do_ioctl+0x101/0x320
[ 117.300242][ T9]        sock_ioctl+0x5c6/0x7f0
[ 117.303429][ T9]        __se_sys_ioctl+0xfc/0x170
[ 117.306183][ T9]        do_syscall_64+0x14d/0xf80
[ 117.308428][ T9]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 117.311344][ T9]
[ 117.311344][ T9] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 117.314619][ T9]        __lock_acquire+0x15a5/0x2cf0
[ 117.317218][ T9]        lock_acquire+0xf0/0x2e0
[ 117.320070][ T9]        __mutex_lock+0x19f/0x1300
[ 117.322642][ T9]        l2cap_info_timeout+0x60/0xa0
[ 117.325368][ T9]        process_scheduled_works+0xb6e/0x18c0
[ 117.328025][ T9]        worker_thread+0xa53/0xfc0
[ 117.330499][ T9]        kthread+0x388/0x470
[ 117.332982][ T9]        ret_from_fork+0x51e/0xb90
[ 117.336036][ T9]        ret_from_fork_asm+0x1a/0x30
[ 117.338824][ T9]
[ 117.338824][ T9] other info that might help us debug this:
[ 117.338824][ T9]
[ 117.343539][ T9]  Possible unsafe locking scenario:
[ 117.343539][ T9]
[ 117.347299][ T9]        CPU0                    CPU1
[ 117.349774][ T9]        ----                    ----
[ 117.352390][ T9]   lock((work_completion)(&(&conn->info_timer)->work));
[ 117.355894][ T9]                                lock(&conn->lock#2);
[ 117.359151][ T9]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 117.363509][ T9]   lock(&conn->lock#2);
[ 117.365440][ T9]
[ 117.365440][ T9]  *** DEADLOCK ***
[ 117.365440][ T9]
[ 117.368943][ T9] 2 locks held by kworker/0:0/9:
[ 117.371440][ T9]  #0: ffff88801aca6948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0
[ 117.376648][ T9]  #1: ffffc9000022fc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0
[ 117.382583][ T9]
[ 117.382583][ T9] stack backtrace:
[ 117.385229][ T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted syzkaller #0 PREEMPT(full)
[ 117.385252][ T9] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 117.385262][ T9] Workqueue: events l2cap_info_timeout
[ 117.385293][ T9] Call Trace:
[ 117.385304][ T9]
[ 117.385313][ T9]  dump_stack_lvl+0xe8/0x150
[ 117.385328][ T9]  print_circular_bug+0x2e1/0x300
[ 117.385343][ T9]  check_noncircular+0x12e/0x150
[ 117.385355][ T9]  __lock_acquire+0x15a5/0x2cf0
[ 117.385367][ T9]  ? __schedule+0x15f3/0x52d0
[ 117.385388][ T9]  ? ret_from_fork_asm+0x1a/0x30
[ 117.385404][ T9]  lock_acquire+0xf0/0x2e0
[ 117.385415][ T9]  ? l2cap_info_timeout+0x60/0xa0
[ 117.385429][ T9]  __mutex_lock+0x19f/0x1300
[ 117.385442][ T9]  ? l2cap_info_timeout+0x60/0xa0
[ 117.385456][ T9]  ? irqentry_exit+0x59e/0x620
[ 117.385467][ T9]  ? lockdep_hardirqs_on+0x7a/0x110
[ 117.385477][ T9]  ? l2cap_info_timeout+0x60/0xa0
[ 117.385489][ T9]  ? irqentry_exit+0x59e/0x620
[ 117.385499][ T9]  ? trace_irq_disable+0x3b/0x150
[ 117.385515][ T9]  ? __pfx___mutex_lock+0x10/0x10
[ 117.385527][ T9]  ? lock_acquire+0x20b/0x2e0
[ 117.385540][ T9]  l2cap_info_timeout+0x60/0xa0
[ 117.385554][ T9]  ? process_scheduled_works+0xa8d/0x18c0
[ 117.385568][ T9]  process_scheduled_works+0xb6e/0x18c0
[ 117.385588][ T9]  ? __pfx_process_scheduled_works+0x10/0x10
[ 117.385599][ T9]  ? assign_work+0x3d5/0x5e0
[ 117.385609][ T9]  worker_thread+0xa53/0xfc0
[ 117.385626][ T9]  kthread+0x388/0x470
[ 117.385638][ T9]  ? __pfx_worker_thread+0x10/0x10
[ 117.385650][ T9]  ? __pfx_kthread+0x10/0x10
[ 117.385661][ T9]  ret_from_fork+0x51e/0xb90
[ 117.385678][ T9]  ? __pfx_ret_from_fork+0x10/0x10
[ 117.385690][ T9]  ? __switch_to+0xc7d/0x1450
[ 117.385705][ T9]  ? __pfx_kthread+0x10/0x10
[ 117.385714][ T9]  ret_from_fork_asm+0x1a/0x30
[ 117.385733][ T9]
[ 119.261174][ T4664] Bluetooth: hci0: command tx timeout
[ 121.341628][ T4664] Bluetooth: hci0: command tx timeout