program:
r0 = socket$can_raw(0x1d, 0x3, 0x1)
setsockopt$CAN_RAW_FD_FRAMES(r0, 0x65, 0x5, &(0x7f0000000080)=0x1, 0x4)
r1 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r1, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f00000004c0)=@ipv6_newnexthop={0x50, 0x68, 0x5fb9a818fb7378e9, 0x0, 0x0, {}, [@NHA_BLACKHOLE={0x4}, @NHA_RES_GROUP={0x14, 0xc, 0x0, 0x1, [@NHA_RES_GROUP_BUCKETS={0x6, 0x1, 0xb}, @NHA_RES_GROUP_BUCKETS={0x6, 0x1, 0x2030}]}, @NHA_BLACKHOLE={0x4}, @NHA_GROUP_TYPE={0x6, 0x3, 0x1}, @NHA_GATEWAY={0x14, 0x6, @in6_addr=@local}]}, 0x50}}, 0x4000011)
r2 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f00000003c0)=ANY=[@ANYBLOB="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"], 0x24}}, 0x4000)
chdir(0x0)
r3 = syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1)
ioctl$sock_bt_hci(r3, 0x400448cb, 0x0)
openat$snapshot(0xffffffffffffff9c, &(0x7f0000000440), 0x100, 0x0)

[ 109.286736][ T5302] Bluetooth: hci0: command tx timeout
[ 109.296340][ T9]
[ 109.297486][ T9] ======================================================
[ 109.301961][ T9] WARNING: possible circular locking dependency detected
[ 109.305053][ T9] syzkaller #0 Not tainted
[ 109.307142][ T9] ------------------------------------------------------
[ 109.310841][ T9] kworker/0:0/9 is trying to acquire lock:
[ 109.318270][ T9] ffff8880417a32f8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_info_timeout+0x60/0xa0
[ 109.323572][ T9]
[ 109.323572][ T9] but task is already holding lock:
[ 109.327608][ T9] ffffc9000022fc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0
[ 109.333267][ T9]
[ 109.333267][ T9] which lock already depends on the new lock.
[ 109.333267][ T9]
[ 109.337894][ T9]
[ 109.337894][ T9] the existing dependency chain (in reverse order) is:
[ 109.342065][ T9]
[ 109.342065][ T9] -> #1 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}:
[ 109.347444][ T9]        __flush_work+0x700/0xc50
[ 109.349739][ T9]        __cancel_work_sync+0xbe/0x110
[ 109.352280][ T9]        l2cap_conn_del+0x40f/0x5c0
[ 109.354618][ T9]        hci_conn_hash_flush+0x10d/0x260
[ 109.356726][ T9]        hci_dev_reset+0x41c/0x6d0
[ 109.359284][ T9]        sock_do_ioctl+0x101/0x320
[ 109.362204][ T9]        sock_ioctl+0x5c6/0x7f0
[ 109.364543][ T9]        __se_sys_ioctl+0xfc/0x170
[ 109.367112][ T9]        do_syscall_64+0x14d/0xf80
[ 109.369426][ T9]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 109.371976][ T9]
[ 109.371976][ T9] -> #0 (&conn->lock#2){+.+.}-{4:4}:
[ 109.375001][ T9]        __lock_acquire+0x15a5/0x2cf0
[ 109.377441][ T9]        lock_acquire+0xf0/0x2e0
[ 109.379597][ T9]        __mutex_lock+0x19f/0x1300
[ 109.381928][ T9]        l2cap_info_timeout+0x60/0xa0
[ 109.384600][ T9]        process_scheduled_works+0xb6e/0x18c0
[ 109.388037][ T9]        worker_thread+0xa53/0xfc0
[ 109.390812][ T9]        kthread+0x388/0x470
[ 109.392922][ T9]        ret_from_fork+0x51e/0xb90
[ 109.395151][ T9]        ret_from_fork_asm+0x1a/0x30
[ 109.397529][ T9]
[ 109.397529][ T9] other info that might help us debug this:
[ 109.397529][ T9]
[ 109.401885][ T9]  Possible unsafe locking scenario:
[ 109.401885][ T9]
[ 109.405520][ T9]        CPU0                    CPU1
[ 109.408132][ T9]        ----                    ----
[ 109.410648][ T9]   lock((work_completion)(&(&conn->info_timer)->work));
[ 109.413779][ T9]                                lock(&conn->lock#2);
[ 109.416696][ T9]                                lock((work_completion)(&(&conn->info_timer)->work));
[ 109.421861][ T9]   lock(&conn->lock#2);
[ 109.424824][ T9]
[ 109.424824][ T9]  *** DEADLOCK ***
[ 109.424824][ T9]
[ 109.429396][ T9] 2 locks held by kworker/0:0/9:
[ 109.431553][ T9]  #0: ffff88801aca6948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0
[ 109.436288][ T9]  #1: ffffc9000022fc40 ((work_completion)(&(&conn->info_timer)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0
[ 109.442145][ T9]
[ 109.442145][ T9] stack backtrace:
[ 109.445687][ T9] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted syzkaller #0 PREEMPT(full)
[ 109.445711][ T9] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 109.445722][ T9] Workqueue: events l2cap_info_timeout
[ 109.445749][ T9] Call Trace:
[ 109.445759][ T9]
[ 109.445766][ T9]  dump_stack_lvl+0xe8/0x150
[ 109.445782][ T9]  print_circular_bug+0x2e1/0x300
[ 109.445799][ T9]  check_noncircular+0x12e/0x150
[ 109.445818][ T9]  __lock_acquire+0x15a5/0x2cf0
[ 109.445834][ T9]  ? __schedule+0x15f3/0x52d0
[ 109.445848][ T9]  ? ret_from_fork_asm+0x1a/0x30
[ 109.445867][ T9]  lock_acquire+0xf0/0x2e0
[ 109.445884][ T9]  ? l2cap_info_timeout+0x60/0xa0
[ 109.445901][ T9]  __mutex_lock+0x19f/0x1300
[ 109.445916][ T9]  ? l2cap_info_timeout+0x60/0xa0
[ 109.445935][ T9]  ? irqentry_exit+0x59e/0x620
[ 109.445949][ T9]  ? lockdep_hardirqs_on+0x7a/0x110
[ 109.445961][ T9]  ? l2cap_info_timeout+0x60/0xa0
[ 109.445976][ T9]  ? irqentry_exit+0x59e/0x620
[ 109.445990][ T9]  ? trace_irq_disable+0x3b/0x150
[ 109.446003][ T9]  ? __pfx___mutex_lock+0x10/0x10
[ 109.446020][ T9]  ? lock_acquire+0x20b/0x2e0
[ 109.446036][ T9]  l2cap_info_timeout+0x60/0xa0
[ 109.446051][ T9]  ? process_scheduled_works+0xa8d/0x18c0
[ 109.446065][ T9]  process_scheduled_works+0xb6e/0x18c0
[ 109.446095][ T9]  ? __pfx_process_scheduled_works+0x10/0x10
[ 109.446109][ T9]  ? assign_work+0x3d5/0x5e0
[ 109.446122][ T9]  worker_thread+0xa53/0xfc0
[ 109.446143][ T9]  kthread+0x388/0x470
[ 109.446154][ T9]  ? __pfx_worker_thread+0x10/0x10
[ 109.446167][ T9]  ? __pfx_kthread+0x10/0x10
[ 109.446177][ T9]  ret_from_fork+0x51e/0xb90
[ 109.446193][ T9]  ? __pfx_ret_from_fork+0x10/0x10
[ 109.446206][ T9]  ? __switch_to+0xc7d/0x1450
[ 109.446220][ T9]  ? __pfx_kthread+0x10/0x10
[ 109.446230][ T9]  ret_from_fork_asm+0x1a/0x30
[ 109.446248][ T9]