program: bind$bt_hci(0xffffffffffffffff, &(0x7f0000000080)={0x1f, 0xffff, 0x3}, 0x6) r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) r1 = socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$mptcp(&(0x7f0000000340), 0xffffffffffffffff) sendmsg$MPTCP_PM_CMD_SUBFLOW_DESTROY(r1, &(0x7f0000000400)={0x0, 0x0, &(0x7f00000003c0)={&(0x7f0000000380)={0x18, r2, 0x1, 0x70bd2c, 0x25dfdbfd, {}, [@MPTCP_PM_ATTR_ADDR={0x4}]}, 0x18}, 0x1, 0x0, 0x0, 0x20040004}, 0x54000) ioctl$sock_bt_hci(r0, 0x400448ca, 0x0) write(0xffffffffffffffff, &(0x7f0000000000)="2e000000010000", 0x7) mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x1c0) capset(&(0x7f0000000040)={0x20080522}, &(0x7f0000000080)) r3 = syz_open_dev$loop(&(0x7f0000005180), 0x0, 0x2000) ioctl$LOOP_SET_BLOCK_SIZE(r3, 0x4c09, 0xa) r4 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0xa, &(0x7f0000000040)={0x1, &(0x7f0000000000)=[{0x6, 0x0, 0x3, 0x7fc00100}]}) sendmsg$NFT_BATCH(0xffffffffffffffff, 0x0, 0x2004001) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x200000d, 0x4008031, 0xffffffffffffffff, 0x0) ioctl$SECCOMP_IOCTL_NOTIF_RECV(r4, 0xc0502100, &(0x7f0000000240)) r5 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f0000000000), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r5, 0x8933, &(0x7f00000002c0)={'wlan0\x00'}) r6 = socket$nl_route(0x10, 0x3, 0x0) ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000180)={'wlan1\x00', 0x0}) sendmsg$nl_route(r6, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000280)=ANY=[@ANYBLOB="2000000010000104000000000000000000480000", @ANYRES32=r7, @ANYBLOB="ae"], 0x20}}, 0x0) r8 = socket$nl_generic(0x10, 0x3, 0x10) r9 = socket$unix(0x1, 0x1, 0x0) r10 = syz_genetlink_get_family_id$nl80211(&(0x7f00000000c0), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r9, 0x8933, &(0x7f0000000100)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_NEW_INTERFACE(r8, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000340)=ANY=[@ANYBLOB='P\x00\x00\x00', @ANYRES16=r10, @ANYBLOB="010028bd7000fddbdf250700000008000300", @ANYRES32=r11, @ANYBLOB="0c009900ff070000700000001400040073797a6b616c6c65723000000000000008000500070000000a0018"], 0x50}, 0x1, 0x0, 0x0, 0x91}, 0x24044884) r12 = openat$tun(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0) close(r12) socket$inet_sctp(0x2, 0x1, 0x84) ioctl$SIOCSIFHWADDR(r12, 0x8914, &(0x7f0000002280)={'syzkaller0\x00', @link_local}) [ 105.110438][ T5307] Bluetooth: hci0: command tx timeout [ 105.124002][ T1224] [ 105.126410][ T1224] ====================================================== [ 105.129427][ T1224] WARNING: possible circular locking dependency detected [ 105.132912][ T1224] syzkaller #0 Not tainted [ 105.135719][ T1224] ------------------------------------------------------ [ 105.143999][ T1224] kworker/0:3/1224 is trying to acquire lock: [ 105.148215][ T1224] ffff88801fa68af8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0 [ 105.152440][ T1224] [ 105.152440][ T1224] but task is already holding lock: [ 105.155636][ T1224] ffffc900020ffc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa25/0x1830 [ 105.162445][ T1224] [ 105.162445][ T1224] which lock already depends on the new lock. [ 105.162445][ T1224] [ 105.166983][ T1224] [ 105.166983][ T1224] the existing dependency chain (in reverse order) is: [ 105.170809][ T1224] [ 105.170809][ T1224] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}: [ 105.175797][ T1224] __flush_work+0x700/0xc50 [ 105.179258][ T1224] __cancel_work_sync+0xbe/0x110 [ 105.182390][ T1224] l2cap_conn_del+0x40f/0x5c0 [ 105.184719][ T1224] hci_conn_hash_flush+0x10d/0x260 [ 105.187326][ T1224] hci_dev_close_sync+0x821/0x10e0 [ 105.189681][ T1224] hci_dev_close+0x108/0x260 [ 105.191775][ T1224] sock_do_ioctl+0x101/0x320 [ 105.194208][ T1224] sock_ioctl+0x5c6/0x7f0 [ 105.197064][ T1224] __se_sys_ioctl+0xfc/0x170 [ 105.200051][ T1224] do_syscall_64+0x14d/0xf80 [ 105.202725][ T1224] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 105.205926][ T1224] [ 105.205926][ T1224] -> #0 (&conn->lock#2){+.+.}-{4:4}: [ 105.209457][ T1224] __lock_acquire+0x15a5/0x2cf0 [ 105.211795][ T1224] lock_acquire+0xf0/0x2e0 [ 105.214198][ T1224] __mutex_lock+0x19f/0x1300 [ 105.217006][ T1224] l2cap_info_timeout+0x60/0xa0 [ 105.219906][ T1224] process_scheduled_works+0xb02/0x1830 [ 105.222909][ T1224] worker_thread+0xa50/0xfc0 [ 105.225270][ T1224] kthread+0x388/0x470 [ 105.227319][ T1224] ret_from_fork+0x51e/0xb90 [ 105.229701][ T1224] ret_from_fork_asm+0x1a/0x30 [ 105.233006][ T1224] [ 105.233006][ T1224] other info that might help us debug this: [ 105.233006][ T1224] [ 105.238311][ T1224] Possible unsafe locking scenario: [ 105.238311][ T1224] [ 105.241429][ T1224] CPU0 CPU1 [ 105.243906][ T1224] ---- ---- [ 105.246522][ T1224] lock((work_completion)(&(&conn->info_timer)->work)); [ 105.250468][ T1224] lock(&conn->lock#2); [ 105.254571][ T1224] lock((work_completion)(&(&conn->info_timer)->work)); [ 105.259169][ T1224] lock(&conn->lock#2); [ 105.260951][ T1224] [ 105.260951][ T1224] *** DEADLOCK *** [ 105.260951][ T1224] [ 105.264274][ T1224] 2 locks held by kworker/0:3/1224: [ 105.266755][ T1224] #0: ffff88801aca6948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9ea/0x1830 [ 105.271552][ T1224] #1: ffffc900020ffc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa25/0x1830 [ 105.279284][ T1224] [ 105.279284][ T1224] stack backtrace: [ 105.282307][ T1224] CPU: 0 UID: 0 PID: 1224 Comm: kworker/0:3 Not tainted syzkaller #0 PREEMPT(full) [ 105.282327][ T1224] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 105.282336][ T1224] Workqueue: events l2cap_info_timeout [ 105.282357][ T1224] Call Trace: [ 105.282365][ T1224] [ 105.282371][ T1224] dump_stack_lvl+0xe8/0x150 [ 105.282390][ T1224] print_circular_bug+0x2e1/0x300 [ 105.282408][ T1224] check_noncircular+0x12e/0x150 [ 105.282424][ T1224] __lock_acquire+0x15a5/0x2cf0 [ 105.282438][ T1224] ? __schedule+0x15f3/0x52d0 [ 105.282452][ T1224] ? ret_from_fork_asm+0x1a/0x30 [ 105.282468][ T1224] lock_acquire+0xf0/0x2e0 [ 105.282480][ T1224] ? l2cap_info_timeout+0x60/0xa0 [ 105.282492][ T1224] __mutex_lock+0x19f/0x1300 [ 105.282505][ T1224] ? l2cap_info_timeout+0x60/0xa0 [ 105.282516][ T1224] ? irqentry_exit+0x59e/0x620 [ 105.282531][ T1224] ? lockdep_hardirqs_on+0x7a/0x110 [ 105.282544][ T1224] ? l2cap_info_timeout+0x60/0xa0 [ 105.282554][ T1224] ? irqentry_exit+0x59e/0x620 [ 105.282567][ T1224] ? trace_irq_disable+0x3b/0x150 [ 105.282579][ T1224] ? __pfx___mutex_lock+0x10/0x10 [ 105.282590][ T1224] ? lock_acquire+0x20b/0x2e0 [ 105.282598][ T1224] l2cap_info_timeout+0x60/0xa0 [ 105.282605][ T1224] ? process_scheduled_works+0xa25/0x1830 [ 105.282614][ T1224] process_scheduled_works+0xb02/0x1830 [ 105.282626][ T1224] ? __pfx_process_scheduled_works+0x10/0x10 [ 105.282634][ T1224] ? assign_work+0x3d5/0x5e0 [ 105.282642][ T1224] worker_thread+0xa50/0xfc0 [ 105.282654][ T1224] kthread+0x388/0x470 [ 105.282661][ T1224] ? __pfx_worker_thread+0x10/0x10 [ 105.282669][ T1224] ? __pfx_kthread+0x10/0x10 [ 105.282675][ T1224] ret_from_fork+0x51e/0xb90 [ 105.282684][ T1224] ? __pfx_ret_from_fork+0x10/0x10 [ 105.282691][ T1224] ? __switch_to+0xc7d/0x1450 [ 105.282699][ T1224] ? __pfx_kthread+0x10/0x10 [ 105.282705][ T1224] ret_from_fork_asm+0x1a/0x30 [ 105.282716][ T1224] [ 105.750705][ T5331] Zero length message leads to an empty skb [ 107.174830][ T5307] Bluetooth: hci0: command tx timeout [ 109.255051][ T5307] Bluetooth: hci0: command tx timeout