program: r0 = syz_init_net_socket$ax25(0x3, 0x5, 0xce) r1 = socket$nl_generic(0x10, 0x3, 0x10) fstat(r1, &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0, 0x0}) ioctl$SIOCAX25ADDUID(r0, 0x89e1, &(0x7f0000000000)={0x3, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, r2}) bind$ax25(r0, &(0x7f00000001c0)={{0x3, @default, 0x1}, [@null, @null, @null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @bcast, @null, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @null]}, 0x48) r3 = socket$nl_generic(0x10, 0x3, 0x10) r4 = syz_genetlink_get_family_id$nl80211(&(0x7f00000000c0), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r3, 0x8933, &(0x7f0000000000)={'wlan0\x00', 0x0}) sendmsg$NL80211_CMD_NEW_INTERFACE(r3, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000480)={0x3c, r4, 0x1, 0x70bd28, 0x25dfdbfd, {{}, {@void, @val={0x8, 0x3, r5}, @val={0xc, 0x99, {0x7ff, 0x70}}}}, [@NL80211_ATTR_4ADDR={0x5, 0x53, 0x1}, @NL80211_ATTR_MESH_ID={0xa}]}, 0x3c}, 0x1, 0x0, 0x0, 0x81}, 0x2001cc86) r6 = openat$tun(0xffffffffffffff9c, &(0x7f0000000400), 0x0, 0x0) close(r6) socket$inet_sctp(0x2, 0x1, 0x84) socket$can_raw(0x1d, 0x3, 0x1) sendto$inet(0xffffffffffffffff, 0x0, 0x0, 0x200007fd, 0x0, 0x0) r7 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$sock_bt_hci(r7, 0x400448ca, 0x0) write(0xffffffffffffffff, 0x0, 0x0) sendmsg$NL80211_CMD_SET_MPATH(r1, &(0x7f0000000440)={&(0x7f0000000340)={0x10, 0x0, 0x0, 0x800}, 0xc, &(0x7f00000003c0)={&(0x7f0000000380)={0x40, r4, 0x1, 0x70bd2c, 0x25dfdbfd, {{}, {@val={0x8, 0x3, r5}, @void}}, [@NL80211_ATTR_MAC={0xa, 0x6, @device_b}, @NL80211_ATTR_MAC={0xa}, @NL80211_ATTR_MAC={0xa}]}, 0x40}}, 0x20000000) r8 = openat$snapshot(0xffffffffffffff9c, &(0x7f0000000040), 0x200, 0x0) read$snapshot(r8, &(0x7f0000000a40)=""/211, 0xd3) ioctl$SIOCSIFHWADDR(r6, 0x8914, &(0x7f0000002280)={'syzkaller0\x00', @link_local}) unshare(0x62000000) syz_usb_connect(0x0, 0x3f, &(0x7f00000000c0)=ANY=[@ANYBLOB="11010000733336088dee1adb2361000000010902"], 0x0) r9 = socket$igmp(0x2, 0x3, 0x2) getsockopt$IPT_SO_GET_INFO(r9, 0x0, 0x40, &(0x7f0000000000)={'nat\x00', 0x0, [0x401, 0x6, 0x6, 0x2, 0x800000]}, &(0x7f0000000180)=0x54) r10 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$NL80211_CMD_REGISTER_BEACONS(r10, &(0x7f00000002c0)={&(0x7f0000000100)={0x10, 0x0, 0x0, 0x200}, 0xc, &(0x7f0000000180)={&(0x7f0000000140)={0x28, r4, 0x200, 0x70bd28, 0x25dfdbfb, {{}, {@val={0x8, 0x1, 0x36}, @void, @val={0xc, 0x99, {0x8, 0x3c}}}}, ["", "", "", "", "", "", "", "", ""]}, 0x28}}, 0x80) r11 = socket$nl_generic(0x10, 0x3, 0x10) syz_genetlink_get_family_id$nl80211(&(0x7f00000014c0), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r11, 0x8933, &(0x7f00000004c0)={'wlan0\x00'}) [ 123.650219][ T45] Bluetooth: hci0: command tx timeout [ 123.698488][ T53] [ 123.699841][ T53] ====================================================== [ 123.703636][ T53] WARNING: possible circular locking dependency detected [ 123.707007][ T53] syzkaller #0 Not tainted [ 123.708873][ T53] ------------------------------------------------------ [ 123.712703][ T53] kworker/0:2/53 is trying to acquire lock: [ 123.715342][ T53] ffff888012b1e2f8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0 [ 123.719317][ T53] [ 123.719317][ T53] but task is already holding lock: [ 123.722885][ T53] ffffc90000affc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0 [ 123.728710][ T53] [ 123.728710][ T53] which lock already depends on the new lock. [ 123.728710][ T53] [ 123.733645][ T53] [ 123.733645][ T53] the existing dependency chain (in reverse order) is: [ 123.738084][ T53] [ 123.738084][ T53] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}: [ 123.743161][ T53] __flush_work+0x700/0xc50 [ 123.745375][ T53] __cancel_work_sync+0xbe/0x110 [ 123.747754][ T53] l2cap_conn_del+0x40f/0x5c0 [ 123.750463][ T53] hci_conn_hash_flush+0x10d/0x260 [ 123.754144][ T53] hci_dev_close_sync+0x821/0x10e0 [ 123.756858][ T53] hci_dev_close+0x108/0x260 [ 123.759539][ T53] sock_do_ioctl+0x101/0x320 [ 123.762316][ T53] sock_ioctl+0x5c6/0x7f0 [ 123.765015][ T53] __se_sys_ioctl+0xfc/0x170 [ 123.768112][ T53] do_syscall_64+0x14d/0xf80 [ 123.771293][ T53] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 123.774324][ T53] [ 123.774324][ T53] -> #0 (&conn->lock#2){+.+.}-{4:4}: [ 123.777519][ T53] __lock_acquire+0x15a5/0x2cf0 [ 123.779736][ T53] lock_acquire+0xf0/0x2e0 [ 123.782065][ T53] __mutex_lock+0x19f/0x1300 [ 123.784549][ T53] l2cap_info_timeout+0x60/0xa0 [ 123.787044][ T53] process_scheduled_works+0xb6e/0x18c0 [ 123.790010][ T53] worker_thread+0xa53/0xfc0 [ 123.792828][ T53] kthread+0x388/0x470 [ 123.795362][ T53] ret_from_fork+0x51e/0xb90 [ 123.797695][ T53] ret_from_fork_asm+0x1a/0x30 [ 123.800151][ T53] [ 123.800151][ T53] other info that might help us debug this: [ 123.800151][ T53] [ 123.805114][ T53] Possible unsafe locking scenario: [ 123.805114][ T53] [ 123.808950][ T53] CPU0 CPU1 [ 123.811257][ T53] ---- ---- [ 123.813564][ T53] lock((work_completion)(&(&conn->info_timer)->work)); [ 123.816820][ T53] lock(&conn->lock#2); [ 123.820817][ T53] lock((work_completion)(&(&conn->info_timer)->work)); [ 123.825034][ T53] lock(&conn->lock#2); [ 123.827061][ T53] [ 123.827061][ T53] *** DEADLOCK *** [ 123.827061][ T53] [ 123.831047][ T53] 2 locks held by kworker/0:2/53: [ 123.833683][ T53] #0: ffff88801aca6948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0 [ 123.838416][ T53] #1: ffffc90000affc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0 [ 123.843812][ T53] [ 123.843812][ T53] stack backtrace: [ 123.846579][ T53] CPU: 0 UID: 0 PID: 53 Comm: kworker/0:2 Not tainted syzkaller #0 PREEMPT(full) [ 123.846598][ T53] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 123.846607][ T53] Workqueue: events l2cap_info_timeout [ 123.846631][ T53] Call Trace: [ 123.846640][ T53] [ 123.846646][ T53] dump_stack_lvl+0xe8/0x150 [ 123.846664][ T53] print_circular_bug+0x2e1/0x300 [ 123.846684][ T53] check_noncircular+0x12e/0x150 [ 123.846700][ T53] __lock_acquire+0x15a5/0x2cf0 [ 123.846714][ T53] ? __schedule+0x15f3/0x52d0 [ 123.846727][ T53] ? ret_from_fork_asm+0x1a/0x30 [ 123.846743][ T53] lock_acquire+0xf0/0x2e0 [ 123.846754][ T53] ? l2cap_info_timeout+0x60/0xa0 [ 123.846768][ T53] __mutex_lock+0x19f/0x1300 [ 123.846780][ T53] ? l2cap_info_timeout+0x60/0xa0 [ 123.846794][ T53] ? irqentry_exit+0x59e/0x620 [ 123.846805][ T53] ? lockdep_hardirqs_on+0x7a/0x110 [ 123.846816][ T53] ? l2cap_info_timeout+0x60/0xa0 [ 123.846827][ T53] ? irqentry_exit+0x59e/0x620 [ 123.846838][ T53] ? trace_irq_disable+0x3b/0x150 [ 123.846884][ T53] ? __pfx___mutex_lock+0x10/0x10 [ 123.846898][ T53] ? lock_acquire+0x20b/0x2e0 [ 123.846911][ T53] l2cap_info_timeout+0x60/0xa0 [ 123.846923][ T53] ? process_scheduled_works+0xa8d/0x18c0 [ 123.846938][ T53] process_scheduled_works+0xb6e/0x18c0 [ 123.846958][ T53] ? __pfx_process_scheduled_works+0x10/0x10 [ 123.846971][ T53] ? assign_work+0x3d5/0x5e0 [ 123.846983][ T53] worker_thread+0xa53/0xfc0 [ 123.847003][ T53] kthread+0x388/0x470 [ 123.847015][ T53] ? __pfx_worker_thread+0x10/0x10 [ 123.847028][ T53] ? __pfx_kthread+0x10/0x10 [ 123.847038][ T53] ret_from_fork+0x51e/0xb90 [ 123.847053][ T53] ? __pfx_ret_from_fork+0x10/0x10 [ 123.847064][ T53] ? __switch_to+0xc7d/0x1450 [ 123.847075][ T53] ? __pfx_kthread+0x10/0x10 [ 123.847084][ T53] ret_from_fork_asm+0x1a/0x30 [ 123.847102][ T53] [ 124.308596][ T1240] usb 5-1: new high-speed USB device number 2 using dummy_hcd [ 124.458677][ T1240] usb 5-1: Using ep0 maxpacket: 8 [ 124.462703][ T1240] usb 5-1: config 0 has no interfaces? [ 124.465300][ T1240] usb 5-1: New USB device found, idVendor=ee8d, idProduct=db1a, bcdDevice=61.23 [ 124.469723][ T1240] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 124.486658][ T1240] usb 5-1: config 0 descriptor?? [ 125.718792][ T45] Bluetooth: hci0: command tx timeout [ 127.799749][ T45] Bluetooth: hci0: command tx timeout