program:
r0 = syz_init_net_socket$bt_l2cap(0x1f, 0x1, 0x0)
bind$bt_l2cap(r0, &(0x7f0000000000)={0x1f, 0x0, @any, 0x4}, 0xe)
connect$bt_l2cap(r0, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x800}, 0xe)
recvmmsg(r0, &(0x7f0000001200)=[{{0x0, 0x0, 0x0}, 0x5}], 0x1, 0x40000100, 0x0)
syz_emit_vhci(&(0x7f0000000040)=@HCI_EVENT_PKT={0x4, @hci_ev_disconn_complete={{0x5, 0x4}, {0x0, 0xc8, 0x9}}}, 0x7)

[   84.665763][   T45] Bluetooth: hci0: command tx timeout
[   84.893809][   T45]
[   84.894973][   T45] ======================================================
[   84.898060][   T45] WARNING: possible circular locking dependency detected
[   84.901237][   T45] syzkaller #0 Not tainted
[   84.903318][   T45] ------------------------------------------------------
[   84.906544][   T45] kworker/u5:0/45 is trying to acquire lock:
[   84.909289][   T45] ffff888040d40840 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0x100/0xc50
[   84.914802][   T45]
[   84.914802][   T45] but task is already holding lock:
[   84.917791][   T45] ffff888040d40af8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5c0
[   84.921489][   T45]
[   84.921489][   T45] which lock already depends on the new lock.
[   84.921489][   T45]
[   84.926044][   T45]
[   84.926044][   T45] the existing dependency chain (in reverse order) is:
[   84.929994][   T45]
[   84.929994][   T45] -> #1 (&conn->lock#2){+.+.}-{4:4}:
[   84.933279][   T45]        __mutex_lock+0x19f/0x1300
[   84.935554][   T45]        l2cap_info_timeout+0x60/0xa0
[   84.937776][   T45]        process_scheduled_works+0xb02/0x1830
[   84.940453][   T45]        worker_thread+0xa50/0xfc0
[   84.942821][   T45]        kthread+0x388/0x470
[   84.944924][   T45]        ret_from_fork+0x51e/0xb90
[   84.947223][   T45]        ret_from_fork_asm+0x1a/0x30
[   84.949750][   T45]
[   84.949750][   T45] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[   84.954342][   T45]        __lock_acquire+0x15a5/0x2cf0
[   84.957318][   T45]        lock_acquire+0xf0/0x2e0
[   84.959440][   T45]        __flush_work+0x700/0xc50
[   84.961597][   T45]        __cancel_work_sync+0xbe/0x110
[   84.963905][   T45]        l2cap_conn_del+0x40f/0x5c0
[   84.965957][   T45]        hci_disconn_complete_evt+0x501/0x950
[   84.968252][   T45]        hci_event_packet+0x805/0x12c0
[   84.970452][   T45]        hci_rx_work+0x3ee/0x1030
[   84.972471][   T45]        process_scheduled_works+0xb02/0x1830
[   84.975048][   T45]        worker_thread+0xa50/0xfc0
[   84.977341][   T45]        kthread+0x388/0x470
[   84.979341][   T45]        ret_from_fork+0x51e/0xb90
[   84.981675][   T45]        ret_from_fork_asm+0x1a/0x30
[   84.983911][   T45]
[   84.983911][   T45] other info that might help us debug this:
[   84.983911][   T45]
[   84.988356][   T45]  Possible unsafe locking scenario:
[   84.988356][   T45]
[   84.991335][   T45]        CPU0                    CPU1
[   84.993425][   T45]        ----                    ----
[   84.995702][   T45]   lock(&conn->lock#2);
[   84.997641][   T45]                                lock((work_completion)(&(&conn->info_timer)->work));
[   85.001735][   T45]                                lock(&conn->lock#2);
[   85.004976][   T45]   lock((work_completion)(&(&conn->info_timer)->work));
[   85.008029][   T45]
[   85.008029][   T45]  *** DEADLOCK ***
[   85.008029][   T45]
[   85.011558][   T45] 6 locks held by kworker/u5:0/45:
[   85.013978][   T45]  #0: ffff888040d41948 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x9ea/0x1830
[   85.018731][   T45]  #1: ffffc90000477c40 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0xa25/0x1830
[   85.023835][   T45]  #2: ffff88801cbb80c0 (&hdev->lock){+.+.}-{4:4}, at: hci_disconn_complete_evt+0x3f/0x950
[   85.028078][   T45]  #3: ffffffff8fd5aea8 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_disconn_complete_evt+0x49b/0x950
[   85.033233][   T45]  #4: ffff888040d40af8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5c0
[   85.037877][   T45]  #5: ffffffff8e7602e0 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x100/0xc50
[   85.041862][   T45]
[   85.041862][   T45] stack backtrace:
[   85.044913][   T45] CPU: 0 UID: 0 PID: 45 Comm: kworker/u5:0 Not tainted syzkaller #0 PREEMPT(full)
[   85.044929][   T45] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   85.044937][   T45] Workqueue: hci0 hci_rx_work
[   85.045024][   T45] Call Trace:
[   85.045032][   T45]
[   85.045057][   T45]  dump_stack_lvl+0xe8/0x150
[   85.045076][   T45]  print_circular_bug+0x2e1/0x300
[   85.045095][   T45]  check_noncircular+0x12e/0x150
[   85.045132][   T45]  __lock_acquire+0x15a5/0x2cf0
[   85.045147][   T45]  ? do_raw_spin_lock+0x12b/0x2f0
[   85.045179][   T45]  ? do_raw_spin_unlock+0x4d/0x210
[   85.045206][   T45]  lock_acquire+0xf0/0x2e0
[   85.045218][   T45]  ? __flush_work+0x100/0xc50
[   85.045237][   T45]  ? __flush_work+0x100/0xc50
[   85.045268][   T45]  __flush_work+0x700/0xc50
[   85.045285][   T45]  ? __flush_work+0x100/0xc50
[   85.045301][   T45]  ? __flush_work+0x100/0xc50
[   85.045345][   T45]  ? __pfx___flush_work+0x10/0x10
[   85.045360][   T45]  ? __pfx_wq_barrier_func+0x10/0x10
[   85.045378][   T45]  ? __cancel_work_sync+0x5c/0x110
[   85.045413][   T45]  __cancel_work_sync+0xbe/0x110
[   85.045430][   T45]  l2cap_conn_del+0x40f/0x5c0
[   85.045469][   T45]  ? __pfx_l2cap_disconn_cfm+0x10/0x10
[   85.045482][   T45]  hci_disconn_complete_evt+0x501/0x950
[   85.045501][   T45]  hci_event_packet+0x805/0x12c0
[   85.045531][   T45]  ? trace_irq_disable+0x3b/0x150
[   85.045566][   T45]  ? __pfx_hci_disconn_complete_evt+0x10/0x10
[   85.045583][   T45]  ? __pfx_hci_event_packet+0x10/0x10
[   85.045646][   T45]  ? hci_send_to_monitor+0xe2/0x590
[   85.045660][   T45]  hci_rx_work+0x3ee/0x1030
[   85.045677][   T45]  ? process_scheduled_works+0xa25/0x1830
[   85.045705][   T45]  process_scheduled_works+0xb02/0x1830
[   85.045725][   T45]  ? __pfx_process_scheduled_works+0x10/0x10
[   85.045740][   T45]  ? assign_work+0x3d5/0x5e0
[   85.045794][   T45]  worker_thread+0xa50/0xfc0
[   85.045815][   T45]  kthread+0x388/0x470
[   85.045826][   T45]  ? __pfx_worker_thread+0x10/0x10
[   85.045840][   T45]  ? __pfx_kthread+0x10/0x10
[   85.046804][   T45]  ret_from_fork+0x51e/0xb90
[   85.046820][   T45]  ? __pfx_ret_from_fork+0x10/0x10
[   85.046834][   T45]  ? __switch_to+0xc7d/0x1450
[   85.046863][   T45]  ? __pfx_kthread+0x10/0x10
[   85.046873][   T45]  ret_from_fork_asm+0x1a/0x30
[   85.046893][   T45]