program:
r0 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r0, 0x400448ca, 0x0)
r1 = openat$rfkill(0xffffffffffffff9c, &(0x7f0000000040), 0x801, 0x0)
r2 = socket$nl_generic(0x10, 0x3, 0x10)
r3 = syz_genetlink_get_family_id$nl80211(&(0x7f00000000c0), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r2, 0x8933, &(0x7f0000000680)={'wlan0\x00', 0x0})
sendmsg$NL80211_CMD_NEW_INTERFACE(r2, &(0x7f0000000300)={0x0, 0x0, &(0x7f00000003c0)={&(0x7f0000000440)={0x44, r3, 0x1, 0x70bd28, 0x25dfdbfd, {{}, {@void, @val={0x8, 0x3, r4}, @val={0xc, 0x99, {0x7ff, 0x74}}}}, [@NL80211_ATTR_IFNAME={0x14, 0x4, 'syzkaller0\x00'}, @NL80211_ATTR_IFTYPE={0x8, 0x5, 0x4}]}, 0x44}, 0x1, 0x0, 0x0, 0x81}, 0x24044884)
write$rfkill(r1, &(0x7f0000000080)={0x0, 0x0, 0x3, 0x1}, 0x8)

[ 109.098018][ T5305] Bluetooth: hci0: command tx timeout
[ 109.246405][ T9]
[ 109.248334][ T9] ======================================================
[ 109.255069][ T9] WARNING: possible circular locking dependency detected
[ 109.261130][ T9] syzkaller #0 Not tainted
[ 109.267084][ T9] ------------------------------------------------------
[ 109.276044][ T9] kworker/0:0/9 is trying to acquire lock:
[ 109.281472][ T9] ffff8880129152f8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 109.289226][ T9]
[ 109.289226][ T9] but task is already holding lock:
[ 109.293388][ T9] ffffc9000022fc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0
[ 109.304653][ T9]
[ 109.304653][ T9] which lock already depends on the new lock.
[ 109.304653][ T9]
[ 109.311453][ T9]
[ 109.311453][ T9] the existing dependency chain (in reverse order) is:
[ 109.318825][ T9]
[ 109.318825][ T9] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 109.329831][ T9]        __flush_work+0x700/0xc50
[ 109.332918][ T9]        __cancel_work_sync+0xbe/0x110
[ 109.336228][ T9]        l2cap_conn_del+0x40f/0x5c0
[ 109.338911][ T9]        hci_conn_hash_flush+0x10d/0x260
[ 109.343396][ T9]        hci_dev_close_sync+0x821/0x10e0
[ 109.347021][ T9]        hci_dev_close+0x108/0x260
[ 109.349605][ T9]        sock_do_ioctl+0x101/0x320
[ 109.352019][ T9]        sock_ioctl+0x5c6/0x7f0
[ 109.356842][ T9]        __se_sys_ioctl+0xfc/0x170
[ 109.362922][ T9]        do_syscall_64+0x14d/0xf80
[ 109.367789][ T9]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 109.372844][ T9]
[ 109.372844][ T9] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 109.377449][ T9]        __lock_acquire+0x15a5/0x2cf0
[ 109.382021][ T9]        lock_acquire+0xf0/0x2e0
[ 109.385959][ T9]        __mutex_lock+0x19f/0x1300
[ 109.390266][ T9]        l2cap_info_timeout+0x60/0xa0
[ 109.395447][ T9]        process_scheduled_works+0xb6e/0x18c0
[ 109.398885][ T9]        worker_thread+0xa53/0xfc0
[ 109.401319][ T9]        kthread+0x388/0x470
[ 109.403793][ T9]        ret_from_fork+0x51e/0xb90
[ 109.406479][ T9]        ret_from_fork_asm+0x1a/0x30
[ 109.408751][ T9]
[ 109.408751][ T9] other info that might help us debug this:
[ 109.408751][ T9]
[ 109.417348][ T9] Possible unsafe locking scenario:
[ 109.417348][ T9]
[ 109.421233][ T9]        CPU0                    CPU1
[ 109.423663][ T9]        ----                    ----
[ 109.428494][ T9]   lock((work_completion)(&(&conn->info_timer)->work));
[ 109.433279][ T9]                                lock(&conn->lock#2);
[ 109.442062][ T9]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 109.448934][ T9]   lock(&conn->lock#2);
[ 109.451900][ T9]
[ 109.451900][ T9] *** DEADLOCK ***
[ 109.451900][ T9]
[ 109.455761][ T9] 2 locks held by kworker/0:0/9:
[ 109.458705][ T9] #0: ffff88801aca6948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0
[ 109.469638][ T9] #1: ffffc9000022fc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0
[ 109.480913][ T9]
[ 109.480913][ T9] stack backtrace:
[ 109.488376][ T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted syzkaller #0 PREEMPT(full)
[ 109.488396][ T9] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 109.488405][ T9] Workqueue: events l2cap_info_timeout
[ 109.488430][ T9] Call Trace:
[ 109.488438][ T9]
[ 109.488446][ T9]  dump_stack_lvl+0xe8/0x150
[ 109.488464][ T9]  print_circular_bug+0x2e1/0x300
[ 109.488483][ T9]  check_noncircular+0x12e/0x150
[ 109.488501][ T9]  __lock_acquire+0x15a5/0x2cf0
[ 109.488516][ T9]  ? __schedule+0x15f3/0x52d0
[ 109.488535][ T9]  ? ret_from_fork_asm+0x1a/0x30
[ 109.488552][ T9]  lock_acquire+0xf0/0x2e0
[ 109.488564][ T9]  ? l2cap_info_timeout+0x60/0xa0
[ 109.488579][ T9]  __mutex_lock+0x19f/0x1300
[ 109.488592][ T9]  ? l2cap_info_timeout+0x60/0xa0
[ 109.488606][ T9]  ? irqentry_exit+0x59e/0x620
[ 109.488618][ T9]  ? lockdep_hardirqs_on+0x7a/0x110
[ 109.488636][ T9]  ? l2cap_info_timeout+0x60/0xa0
[ 109.488650][ T9]  ? irqentry_exit+0x59e/0x620
[ 109.488660][ T9]  ? trace_irq_disable+0x3b/0x150
[ 109.488679][ T9]  ? __pfx___mutex_lock+0x10/0x10
[ 109.488693][ T9]  ? lock_acquire+0x20b/0x2e0
[ 109.488707][ T9]  l2cap_info_timeout+0x60/0xa0
[ 109.488721][ T9]  ? process_scheduled_works+0xa8d/0x18c0
[ 109.488737][ T9]  process_scheduled_works+0xb6e/0x18c0
[ 109.488757][ T9]  ? __pfx_process_scheduled_works+0x10/0x10
[ 109.488772][ T9]  ? assign_work+0x3d5/0x5e0
[ 109.488786][ T9]  worker_thread+0xa53/0xfc0
[ 109.488806][ T9]  kthread+0x388/0x470
[ 109.488817][ T9]  ? __pfx_worker_thread+0x10/0x10
[ 109.488831][ T9]  ? __pfx_kthread+0x10/0x10
[ 109.488841][ T9]  ret_from_fork+0x51e/0xb90
[ 109.488856][ T9]  ? __pfx_ret_from_fork+0x10/0x10
[ 109.488900][ T9]  ? __switch_to+0xc7d/0x1450
[ 109.488913][ T9]  ? __pfx_kthread+0x10/0x10
[ 109.488924][ T9]  ret_from_fork_asm+0x1a/0x30
[ 109.488944][ T9]
[ 111.152626][ T4669] Bluetooth: hci0: command tx timeout
[ 113.213755][ T4669] Bluetooth: hci0: command tx timeout