program: r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x3) perf_event_open(&(0x7f00000003c0)={0x2, 0x80, 0x6d, 0x10, 0x0, 0x0, 0x0, 0x0, 0x8, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, @perf_bp={0x0, 0xc}, 0x100001, 0x3, 0x0, 0x6, 0x1ffff, 0x0, 0x3ff, 0x0, 0x0, 0x0, 0x2}, 0x0, 0x0, 0xffffffffffffffff, 0x8) mkdirat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x0) mount$9p_virtio(&(0x7f00000001c0), &(0x7f0000000080)='./file0\x00', &(0x7f00000004c0), 0x8, 0x0) r1 = syz_open_dev$vcsa(&(0x7f00000000c0), 0xc, 0x1c280) ioctl$LOOP_SET_STATUS64(r1, 0x4c04, &(0x7f0000000200)={0x0, 0x0, 0x0, 0x6, 0x10000, 0x0, 0x12, 0xd, 0x1, "dd9d421cf4527d724979016c89d525758ef0be135fdb098296072a9637b761784791b36b3dd5bb9e510e083d3565cc7a7ee5dfdfbb20f86292f4c965eb016e0f", "8e3b5851d555e840081d93f38b0b77cbf74390e3352664789152a86fdc5f730b19ebfc29ffa8beb8493351bbfe69f42d53466be2e40aaded68f6a53fdce89716", "cae6d8b38e84741f307ecae618bfc7cdf478a879b46609be5c687212eb7eeccb", [0xffffffffffffffff, 0x100000000]}) chdir(&(0x7f0000000100)='./file0\x00') mkdirat(0xffffffffffffff9c, &(0x7f0000000840)='./bus\x00', 0x0) (async) connect(r0, &(0x7f0000000000)=@rc={0x1f, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x8}, 0x80) (async) r2 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) ioctl$HCIINQUIRY(r2, 0x400448ca, 0x0) [ 100.891919][ T5302] Bluetooth: hci0: command tx timeout [ 101.055492][ T5331] [ 101.056711][ T5331] ====================================================== [ 101.060202][ T5331] WARNING: possible circular locking dependency detected [ 101.063680][ T5331] syzkaller #0 Not tainted [ 101.065751][ T5331] ------------------------------------------------------ [ 101.068873][ T5331] syz.0.0/5331 is trying to acquire lock: [ 101.071415][ T5331] ffff88801ccb0040 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0x100/0xc50 [ 101.077290][ T5331] [ 101.077290][ T5331] but task is already holding lock: [ 101.080878][ T5331] ffff88801ccb02f8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5c0 [ 101.084885][ T5331] [ 101.084885][ T5331] which lock already depends on the new lock. [ 101.084885][ T5331] [ 101.089492][ T5331] [ 101.089492][ T5331] the existing dependency chain (in reverse order) is: [ 101.094437][ T5331] [ 101.094437][ T5331] -> #1 (&conn->lock#2){+.+.}-{4:4}: [ 101.097866][ T5331] __mutex_lock+0x19f/0x1300 [ 101.100057][ T5331] l2cap_info_timeout+0x60/0xa0 [ 101.102476][ T5331] process_scheduled_works+0xb6e/0x18c0 [ 101.105174][ T5331] worker_thread+0xa53/0xfc0 [ 101.107664][ T5331] kthread+0x388/0x470 [ 101.110246][ T5331] ret_from_fork+0x51e/0xb90 [ 101.113684][ T5331] ret_from_fork_asm+0x1a/0x30 [ 101.116272][ T5331] [ 101.116272][ T5331] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}: [ 101.120913][ T5331] __lock_acquire+0x15a5/0x2cf0 [ 101.123371][ T5331] lock_acquire+0xf0/0x2e0 [ 101.125783][ T5331] __flush_work+0x700/0xc50 [ 101.129001][ T5331] __cancel_work_sync+0xbe/0x110 [ 101.132499][ T5331] l2cap_conn_del+0x40f/0x5c0 [ 101.135390][ T5331] hci_conn_hash_flush+0x10d/0x260 [ 101.137994][ T5331] hci_dev_close_sync+0x821/0x10e0 [ 101.140707][ T5331] hci_dev_close+0x108/0x260 [ 101.143036][ T5331] sock_do_ioctl+0x101/0x320 [ 101.145294][ T5331] sock_ioctl+0x5c6/0x7f0 [ 101.147444][ T5331] __se_sys_ioctl+0xfc/0x170 [ 101.150282][ T5331] do_syscall_64+0x14d/0xf80 [ 101.153018][ T5331] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 101.156836][ T5331] [ 101.156836][ T5331] other info that might help us debug this: [ 101.156836][ T5331] [ 101.162487][ T5331] Possible unsafe locking scenario: [ 101.162487][ T5331] [ 101.165833][ T5331] CPU0 CPU1 [ 101.168032][ T5331] ---- ---- [ 101.170367][ T5331] lock(&conn->lock#2); [ 101.172328][ T5331] lock((work_completion)(&(&conn->info_timer)->work)); [ 101.176708][ T5331] lock(&conn->lock#2); [ 101.179971][ T5331] lock((work_completion)(&(&conn->info_timer)->work)); [ 101.183298][ T5331] [ 101.183298][ T5331] *** DEADLOCK *** [ 101.183298][ T5331] [ 101.186995][ T5331] 5 locks held by syz.0.0/5331: [ 101.189489][ T5331] #0: ffff88801fb74ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x260 [ 101.194628][ T5331] #1: ffff88801fb740c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0x10e0 [ 101.198434][ T5331] #2: ffffffff8fd5c828 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x260 [ 101.202618][ T5331] #3: ffff88801ccb02f8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5c0 [ 101.206828][ T5331] #4: ffffffff8e75e520 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x100/0xc50 [ 101.211222][ T5331] [ 101.211222][ T5331] stack backtrace: [ 101.214691][ T5331] CPU: 0 UID: 0 PID: 5331 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 101.214714][ T5331] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 101.214723][ T5331] Call Trace: [ 101.214733][ T5331] [ 101.214741][ T5331] dump_stack_lvl+0xe8/0x150 [ 101.214768][ T5331] print_circular_bug+0x2e1/0x300 [ 101.214792][ T5331] check_noncircular+0x12e/0x150 [ 101.214813][ T5331] __lock_acquire+0x15a5/0x2cf0 [ 101.214831][ T5331] ? do_raw_spin_lock+0x12b/0x2f0 [ 101.214847][ T5331] ? do_raw_spin_unlock+0x4d/0x210 [ 101.214861][ T5331] lock_acquire+0xf0/0x2e0 [ 101.214877][ T5331] ? __flush_work+0x100/0xc50 [ 101.214900][ T5331] ? __flush_work+0x100/0xc50 [ 101.214918][ T5331] __flush_work+0x700/0xc50 [ 101.214936][ T5331] ? __flush_work+0x100/0xc50 [ 101.214954][ T5331] ? __flush_work+0x100/0xc50 [ 101.214973][ T5331] ? __pfx___flush_work+0x10/0x10 [ 101.214992][ T5331] ? __pfx_wq_barrier_func+0x10/0x10 [ 101.215014][ T5331] ? __cancel_work_sync+0x5c/0x110 [ 101.215033][ T5331] __cancel_work_sync+0xbe/0x110 [ 101.215053][ T5331] l2cap_conn_del+0x40f/0x5c0 [ 101.215074][ T5331] ? __pfx_l2cap_disconn_cfm+0x10/0x10 [ 101.215092][ T5331] hci_conn_hash_flush+0x10d/0x260 [ 101.215113][ T5331] hci_dev_close_sync+0x821/0x10e0 [ 101.215132][ T5331] ? __pfx_hci_dev_close_sync+0x10/0x10 [ 101.215148][ T5331] ? lockdep_hardirqs_on+0x7a/0x110 [ 101.215161][ T5331] ? enable_work+0x1fd/0x230 [ 101.215181][ T5331] hci_dev_close+0x108/0x260 [ 101.215199][ T5331] sock_do_ioctl+0x101/0x320 [ 101.215215][ T5331] ? __pfx_sock_do_ioctl+0x10/0x10 [ 101.215226][ T5331] ? do_futex+0x395/0x420 [ 101.215242][ T5331] sock_ioctl+0x5c6/0x7f0 [ 101.215258][ T5331] ? __pfx_sock_ioctl+0x10/0x10 [ 101.215270][ T5331] ? __fget_files+0x2a/0x420 [ 101.215284][ T5331] ? __fget_files+0x3a0/0x420 [ 101.215297][ T5331] ? __fget_files+0x2a/0x420 [ 101.215311][ T5331] ? bpf_lsm_file_ioctl+0x9/0x20 [ 101.215325][ T5331] ? __pfx_sock_ioctl+0x10/0x10 [ 101.215337][ T5331] __se_sys_ioctl+0xfc/0x170 [ 101.215350][ T5331] do_syscall_64+0x14d/0xf80 [ 101.215361][ T5331] ? trace_irq_disable+0x3b/0x150 [ 101.215375][ T5331] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 101.215383][ T5331] ? clear_bhb_loop+0x40/0x90 [ 101.215392][ T5331] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 101.215400][ T5331] RIP: 0033:0x7f9b1139c799 [ 101.215411][ T5331] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 101.215418][ T5331] RSP: 002b:00007f9b0d7d3fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 101.215429][ T5331] RAX: ffffffffffffffda RBX: 00007f9b11616180 RCX: 00007f9b1139c799 [ 101.215436][ T5331] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000006 [ 101.215441][ T5331] RBP: 00007f9b11432c99 R08: 0000000000000000 R09: 0000000000000000 [ 101.215446][ T5331] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 101.215459][ T5331] R13: 00007f9b11616218 R14: 00007f9b11616180 R15: 00007ffe561469d8 [ 101.215467][ T5331] [ 102.969188][ T4668] Bluetooth: hci0: command tx timeout [ 105.049551][ T4668] Bluetooth: hci0: command tx timeout [ 107.129222][ T4668] Bluetooth: hci0: command tx timeout