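program:
# syzkaller reproducer program. The kernel console log that follows it on this
# page reports a lockdep "possible circular locking dependency" in Bluetooth
# L2CAP teardown. Triage summary, taken from that log:
#   - l2cap_conn_del() holds conn->lock and then calls __cancel_work_sync(),
#     which waits for the conn->info_timer work item;
#   - l2cap_info_timeout() (reached from process_scheduled_works) takes conn->lock.
# Teardown can therefore wait on a work item that is itself blocked on the lock
# teardown is holding. The listing is one call per line; the two ifindex lookups
# carry the <rN=> output bindings that the later uses of r6 and r9 depend on.

# Radio device and UDP-Lite socket are opened and immediately closed again by
# close_range(); neither appears on a stack in the lockdep report. The
# "UDPLite6: UDP-Lite is deprecated" log line comes from the socket() call.
r0 = syz_open_dev$radio(&(0x7f0000000240), 0x0, 0x2)
r1 = socket$inet6_udplite(0xa, 0x2, 0x88)
close_range(r0, r1, 0x0)

# L2CAP socket and connect. NOTE(review): presumably this is what creates the
# L2CAP connection object whose lock and info_timer are named in the report;
# confirm against the kernel source.
r2 = syz_init_net_socket$bt_l2cap(0x1f, 0x2, 0x0)
connect$bt_l2cap(r2, &(0x7f0000000080)={0x1f, 0x0, @fixed={'\xaa\xaa\xaa\xaa\xaa', 0x10}, 0x7ff}, 0xe)

# Not on any stack in the lockdep report; presumably fuzzer noise.
bpf$BPF_PROG_TEST_RUN(0xa, &(0x7f0000000380)={0xffffffffffffffff, 0x0, 0xa7, 0x67, &(0x7f00000000c0)="d135775a85a48b4b418c1c7489815dfd3386268770b22c065c385becb3d09fe2f9f29574e8bcf61a2fe5470432b9b900e84aa23e3a011e2953cbf555eb0cda51ea2b4b1c177ff9db6282a751c5f59bfd6e52838cdfa772e030244970bb73a87570f67831694b57f541fef6cf83c8bf613de8f291d78695fcc5c674d2da3027a7e71a9e1e66712ec0ba2c06629443c3c79ba1a9c5b9ce302f2ce6f5177173953a89e2756df178b3", &(0x7f0000000000)=""/103, 0x0, 0x0, 0x49, 0x6, &(0x7f0000000180)="0f76c9edd28dde40259060d12dba374d187cb7118ef381de97bab2a2056e4d419870c0e5bb94bca06007995c0495eb466c16c0a835bfc22368b9bb693eb45abf71ed07b5502a47a443", &(0x7f0000000200)="c783da1eb9fc", 0x6, 0x0, 0x8}, 0x50)

r3 = syz_init_net_socket$bt_hidp(0x1f, 0x3, 0x6)
r4 = socket$netlink(0x10, 0x3, 0x0)
r5 = socket(0x11, 0x800000003, 0x0)
syz_open_dev$audion(&(0x7f0000000400), 0xe66ec2, 0x2100)

# <r6=> binds the ifindex written back by the ioctl; r6 is consumed by the
# newqdisc message below.
ioctl$ifreq_SIOCGIFINDEX_team(r5, 0x8933, &(0x7f0000000600)={'team0\x00', <r6=>0x0})

# taprio qdisc setup on the team0 ifindex. No sched/netlink frame appears in
# the lockdep report, so this is presumably unrelated to the warning.
sendmsg$nl_route_sched(r4, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000640)={&(0x7f0000000a00)=@newqdisc={0x1f0, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x12, r6, {}, {0x6, 0xffff}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x1c0, 0x2, [@TCA_TAPRIO_ATTR_SCHED_ENTRY_LIST={0x1bc, 0x2, 0x0, 0x1, [{0xc, 0x1, 0x0, 0x1, [@TCA_TAPRIO_SCHED_ENTRY_GATE_MASK={0x8, 0x3, 0x10}]}, {0x3c, 0x1, 0x0, 0x1, [@TCA_TAPRIO_SCHED_ENTRY_CMD={0x5, 0x2, 0x9}, @TCA_TAPRIO_SCHED_ENTRY_GATE_MASK={0x8, 0x3, 0x6}, @TCA_TAPRIO_SCHED_ENTRY_INTERVAL={0x8, 0x4, 0xbc}, @TCA_TAPRIO_SCHED_ENTRY_CMD={0x5, 0x2, 0x6}, @TCA_TAPRIO_SCHED_ENTRY_GATE_MASK={0x8, 0x3, 0x3ff}, @TCA_TAPRIO_SCHED_ENTRY_INTERVAL={0x8, 0x4, 0x5}, @TCA_TAPRIO_SCHED_ENTRY_GATE_MASK={0x8, 0x3, 0x3}]}, {0x1c, 0x1, 0x0, 0x1, [@TCA_TAPRIO_SCHED_ENTRY_GATE_MASK={0x8, 0x3, 0x701}, @TCA_TAPRIO_SCHED_ENTRY_GATE_MASK={0x8, 0x3, 0x3}, @TCA_TAPRIO_SCHED_ENTRY_GATE_MASK={0x8, 0x3, 0x7}]}, {0x3c, 0x1, 0x0, 0x1, [@TCA_TAPRIO_SCHED_ENTRY_CMD={0x5, 0x2, 0xf7}, @TCA_TAPRIO_SCHED_ENTRY_CMD={0x5, 0x2, 0xd}, @TCA_TAPRIO_SCHED_ENTRY_CMD={0x5, 0x2, 0x4}, @TCA_TAPRIO_SCHED_ENTRY_GATE_MASK={0x8, 0x3, 0x7e}, @TCA_TAPRIO_SCHED_ENTRY_CMD={0x5, 0x2, 0x1}, @TCA_TAPRIO_SCHED_ENTRY_INTERVAL={0x8, 0x4, 0x6}, @TCA_TAPRIO_SCHED_ENTRY_CMD={0x5, 0x2, 0x9}]}, {0x34, 0x1, 0x0, 0x1, [@TCA_TAPRIO_SCHED_ENTRY_GATE_MASK={0x8}, @TCA_TAPRIO_SCHED_ENTRY_INTERVAL={0x8, 0x4, 0x8}, @TCA_TAPRIO_SCHED_ENTRY_GATE_MASK={0x8, 0x3, 0x8}, @TCA_TAPRIO_SCHED_ENTRY_INTERVAL={0x8, 0x4, 0xfffffff7}, @TCA_TAPRIO_SCHED_ENTRY_INTERVAL={0x8, 0x4, 0x3}, @TCA_TAPRIO_SCHED_ENTRY_GATE_MASK={0x8, 0x3, 0x200}]}, {0x24, 0x1, 0x0, 0x1, [@TCA_TAPRIO_SCHED_ENTRY_GATE_MASK={0x8, 0x3, 0x3}, @TCA_TAPRIO_SCHED_ENTRY_CMD={0x5, 0x2, 0x8}, @TCA_TAPRIO_SCHED_ENTRY_INTERVAL={0x8, 0x4, 0xa}, @TCA_TAPRIO_SCHED_ENTRY_GATE_MASK={0x8, 0x3, 0x6b}]}, {0x3c, 0x1, 0x0, 0x1, [@TCA_TAPRIO_SCHED_ENTRY_INTERVAL={0x8, 0x4, 0x4}, @TCA_TAPRIO_SCHED_ENTRY_INTERVAL={0x8, 0x4, 0x80}, @TCA_TAPRIO_SCHED_ENTRY_INTERVAL={0x8, 0x4, 0x5}, @TCA_TAPRIO_SCHED_ENTRY_GATE_MASK={0x8, 0x3, 0x4}, @TCA_TAPRIO_SCHED_ENTRY_CMD={0x5, 0x2, 0x7f}, @TCA_TAPRIO_SCHED_ENTRY_CMD={0x5, 0x2, 0xfb}, @TCA_TAPRIO_SCHED_ENTRY_CMD={0x5, 0x2, 0x8}]}, {0x2c, 0x1, 0x0, 0x1, [@TCA_TAPRIO_SCHED_ENTRY_GATE_MASK={0x8, 0x3, 0x7f}, @TCA_TAPRIO_SCHED_ENTRY_CMD={0x5, 0x2, 0x1}, @TCA_TAPRIO_SCHED_ENTRY_GATE_MASK={0x8, 0x3, 0xffffeb68}, @TCA_TAPRIO_SCHED_ENTRY_INTERVAL={0x8, 0x4, 0x3ff}, @TCA_TAPRIO_SCHED_ENTRY_CMD={0x5, 0x2, 0x3}]}, {0x3c, 0x1, 0x0, 0x1, [@TCA_TAPRIO_SCHED_ENTRY_CMD={0x5, 0x2, 0x1}, @TCA_TAPRIO_SCHED_ENTRY_CMD={0x5}, @TCA_TAPRIO_SCHED_ENTRY_INTERVAL={0x8, 0x4, 0xe5}, @TCA_TAPRIO_SCHED_ENTRY_CMD={0x5, 0x2, 0xd4}, @TCA_TAPRIO_SCHED_ENTRY_INTERVAL={0x8, 0x4, 0xfffffffe}, @TCA_TAPRIO_SCHED_ENTRY_CMD={0x5, 0x2, 0x80}, @TCA_TAPRIO_SCHED_ENTRY_CMD={0x5, 0x2, 0x9}]}, {0x1c, 0x1, 0x0, 0x1, [@TCA_TAPRIO_SCHED_ENTRY_CMD={0x5, 0x2, 0x8}, @TCA_TAPRIO_SCHED_ENTRY_GATE_MASK={0x8, 0x3, 0x4}, @TCA_TAPRIO_SCHED_ENTRY_GATE_MASK={0x8, 0x3, 0x8}]}]}]}}]}, 0x1f0}}, 0x24008001)

# Adds a HID-over-Bluetooth device, passing the L2CAP socket r2 in both socket
# fields. The 0x457 / 0x9 / 'syz1' values match the hid-multitouch lines in the
# log ("0005:0457:0009", "[syz1]"); the single-byte '\x00' descriptor matches
# "unknown main item tag 0x0".
ioctl$sock_bt_hidp_HIDPCONNADD(r3, 0x400448c8, &(0x7f0000000280)={r2, r2, 0xc, 0x1, &(0x7f0000000340)='\x00', 0x9, 0x1, 0x457, 0x9, 0x9, 0x1, 0x1, 'syz1\x00'})

r7 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
r8 = socket$packet(0x11, 0x3, 0x300)

# <r9=> binds the ifindex of bridge_slave_0; r9 is consumed by the
# bridge_dellink message below (also not on any stack in the report).
ioctl$sock_SIOCGIFINDEX(r8, 0x8933, &(0x7f0000000080)={'bridge_slave_0\x00', <r9=>0x0})
r10 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r10, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f00000009c0)=@bridge_dellink={0x3c, 0x13, 0x8, 0x0, 0x0, {0x7, 0x0, 0x0, r9}, [@IFLA_AF_SPEC={0x1c, 0x1a, 0x0, 0x1, [@AF_INET={0x18, 0x5, 0x0, 0x1, {0x14, 0x1, 0x0, 0x1, [{0x8, 0x2}, {0x8, 0x1}]}}]}]}, 0x3c}}, 0x4)

# Triggering call. The fuzzer labels it HCIINQUIRY, but the request number
# 0x400448ca is HCIDEVDOWN: the call trace in the log (RSI=0x400448ca) shows
# sock_ioctl -> hci_dev_close -> hci_dev_close_sync -> hci_conn_hash_flush ->
# l2cap_conn_del, where lockdep reports the inversion. When triaging, go by the
# request number and the trace, not the syscall variant name.
ioctl$HCIINQUIRY(r7, 0x400448ca, 0x0)
[ 109.775065][ T5307] Bluetooth: hci0: command tx timeout [ 109.883503][ T5326] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 110.032157][ T9] hid-multitouch 0005:0457:0009.0002: unknown main item tag 0x0 [ 110.077722][ T9] hid-multitouch 0005:0457:0009.0002: hidraw1: BLUETOOTH HID v0.09 Device [syz1] on aa:aa:aa:aa:aa:aa [ 110.178450][ T5326] [ 110.180193][ T5326] ====================================================== [ 110.184013][ T5326] WARNING: possible circular locking dependency detected [ 110.187101][ T5326] syzkaller #0 Not tainted [ 110.189106][ T5326] ------------------------------------------------------ [ 110.192641][ T5326] syz.0.0/5326 is trying to acquire lock: [ 110.195475][ T5326] ffff8880416e4040 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: __flush_work+0x100/0xc50 [ 110.200742][ T5326] [ 110.200742][ T5326] but task is already holding lock: [ 110.205186][ T5326] ffff8880416e42f8 (&conn->lock#2){+.+.}-{4:4}, at: 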
l2cap_conn_del+0x7b/0x5c0 [ 110.209960][ T5326] [ 110.209960][ T5326] which lock already depends on the new lock. [ 110.209960][ T5326] [ 110.214798][ T5326] [ 110.214798][ T5326] the existing dependency chain (in reverse order) is: [ 110.225008][ T5326] [ 110.225008][ T5326] -> #1 (&conn->lock#2){+.+.}-{4:4}: [ 110.229804][ T5326] __mutex_lock+0x19f/0x1300 [ 110.233291][ T5326] l2cap_info_timeout+0x60/0xa0 [ 110.237106][ T5326] process_scheduled_works+0xb6e/0x18c0 [ 110.245348][ T5326] worker_thread+0xa53/0xfc0 [ 110.252695][ T5326] kthread+0x388/0x470 [ 110.254741][ T5326] ret_from_fork+0x51e/0xb90 [ 110.257162][ T5326] ret_from_fork_asm+0x1a/0x30 [ 110.260187][ T5326] [ 110.260187][ T5326] -> #0 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}: [ 110.264958][ T5326] __lock_acquire+0x15a5/0x2cf0 [ 110.267705][ T5326] lock_acquire+0xf0/0x2e0 [ 110.270015][ T5326] __flush_work+0x700/0xc50 [ 110.272274][ T5326] __cancel_work_sync+0xbe/0x110 [ 110.274900][ T5326] l2cap_conn_del+0x40f/0x5c0 [ 110.277334][ T5326] hci_conn_hash_flush+0x10d/0x260 [ 110.279745][ T5326] hci_dev_close_sync+0x821/0x10e0 [ 110.282136][ T5326] hci_dev_close+0x108/0x260 [ 110.284350][ T5326] sock_do_ioctl+0x101/0x320 [ 110.286697][ T5326] sock_ioctl+0x5c6/0x7f0 [ 110.288849][ T5326] __se_sys_ioctl+0xfc/0x170 [ 110.291393][ T5326] do_syscall_64+0x14d/0xf80 [ 110.294959][ T5326] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 110.298962][ T5326] [ 110.298962][ T5326] other info that might help us debug this: [ 110.298962][ T5326] [ 110.305039][ T5326] Possible unsafe locking scenario: [ 110.305039][ T5326] [ 110.309345][ T5326] CPU0 CPU1 [ 110.311842][ T5326] ---- ---- [ 110.314255][ T5326] lock(&conn->lock#2); [ 110.316279][ T5326] lock((work_completion)(&(&conn->info_timer)->work)); [ 110.321521][ T5326] lock(&conn->lock#2); [ 110.325418][ T5326] lock((work_completion)(&(&conn->info_timer)->work)); [ 110.331717][ T5326] [ 110.331717][ T5326] *** DEADLOCK *** [ 110.331717][ T5326] [ 
110.336517][ T5326] 5 locks held by syz.0.0/5326: [ 110.340526][ T5326] #0: ffff888011b70ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_close+0x100/0x260 [ 110.347042][ T5326] #1: ffff888011b700c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0x10e0 [ 110.355312][ T5326] #2: ffffffff8fd5c768 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x260 [ 110.362796][ T5326] #3: ffff8880416e42f8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5c0 [ 110.369727][ T5326] #4: ffffffff8e75e460 (rcu_read_lock){....}-{1:3}, at: __flush_work+0x100/0xc50 [ 110.375356][ T5326] [ 110.375356][ T5326] stack backtrace: [ 110.378352][ T5326] CPU: 0 UID: 0 PID: 5326 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 110.378371][ T5326] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 110.378385][ T5326] Call Trace: [ 110.378464][ T5326] [ 110.378471][ T5326] dump_stack_lvl+0xe8/0x150 [ 110.378495][ T5326] print_circular_bug+0x2e1/0x300 [ 110.378519][ T5326] check_noncircular+0x12e/0x150 [ 110.378542][ T5326] __lock_acquire+0x15a5/0x2cf0 [ 110.378560][ T5326] ? do_raw_spin_lock+0x12b/0x2f0 [ 110.378576][ T5326] ? do_raw_spin_unlock+0x4d/0x210 [ 110.378591][ T5326] lock_acquire+0xf0/0x2e0 [ 110.378612][ T5326] ? __flush_work+0x100/0xc50 [ 110.378631][ T5326] ? __flush_work+0x100/0xc50 [ 110.378648][ T5326] __flush_work+0x700/0xc50 [ 110.378666][ T5326] ? __flush_work+0x100/0xc50 [ 110.378684][ T5326] ? __flush_work+0x100/0xc50 [ 110.378702][ T5326] ? __pfx___flush_work+0x10/0x10 [ 110.378721][ T5326] ? __pfx_wq_barrier_func+0x10/0x10 [ 110.378744][ T5326] ? __cancel_work_sync+0x5c/0x110 [ 110.378762][ T5326] __cancel_work_sync+0xbe/0x110 [ 110.378780][ T5326] l2cap_conn_del+0x40f/0x5c0 [ 110.378850][ T5326] ? __pfx_l2cap_disconn_cfm+0x10/0x10 [ 110.378867][ T5326] hci_conn_hash_flush+0x10d/0x260 [ 110.378890][ T5326] hci_dev_close_sync+0x821/0x10e0 [ 110.378911][ T5326] ? 
__pfx_hci_dev_close_sync+0x10/0x10 [ 110.378926][ T5326] ? lockdep_hardirqs_on+0x7a/0x110 [ 110.378939][ T5326] ? enable_work+0x1fd/0x230 [ 110.378958][ T5326] hci_dev_close+0x108/0x260 [ 110.378975][ T5326] sock_do_ioctl+0x101/0x320 [ 110.379020][ T5326] ? __pfx_sock_do_ioctl+0x10/0x10 [ 110.379035][ T5326] ? do_futex+0x395/0x420 [ 110.379075][ T5326] sock_ioctl+0x5c6/0x7f0 [ 110.379090][ T5326] ? __pfx_sock_ioctl+0x10/0x10 [ 110.379104][ T5326] ? __fget_files+0x2a/0x420 [ 110.379124][ T5326] ? __fget_files+0x3a0/0x420 [ 110.379141][ T5326] ? __fget_files+0x2a/0x420 [ 110.379157][ T5326] ? bpf_lsm_file_ioctl+0x9/0x20 [ 110.379188][ T5326] ? __pfx_sock_ioctl+0x10/0x10 [ 110.379202][ T5326] __se_sys_ioctl+0xfc/0x170 [ 110.379231][ T5326] do_syscall_64+0x14d/0xf80 [ 110.379272][ T5326] ? trace_irq_disable+0x3b/0x150 [ 110.379320][ T5326] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 110.379334][ T5326] ? clear_bhb_loop+0x40/0x90 [ 110.379350][ T5326] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 110.379364][ T5326] RIP: 0033:0x7f717f79c799 [ 110.379391][ T5326] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 110.379402][ T5326] RSP: 002b:00007f718065afe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 110.379418][ T5326] RAX: ffffffffffffffda RBX: 00007f717fa15fa0 RCX: 00007f717f79c799 [ 110.379428][ T5326] RDX: 0000000000000000 RSI: 00000000400448ca RDI: 0000000000000008 [ 110.379437][ T5326] RBP: 00007f717f832c99 R08: 0000000000000000 R09: 0000000000000000 [ 110.379446][ T5326] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 110.379454][ T5326] R13: 00007f717fa16038 R14: 00007f717fa15fa0 R15: 00007fffe1759a48 [ 110.379467][ T5326] [ 110.623076][ T5334] fido_id[5334]: Failed to open report descriptor at '/sys/devices/virtual/bluetooth/hci0/hci0:200/report_descriptor': No such file or directory [ 
111.813974][ T4670] Bluetooth: hci0: command tx timeout [ 113.894324][ T4670] Bluetooth: hci0: command tx timeout [ 115.973938][ T4670] Bluetooth: hci0: command tx timeout