======================================================
WARNING: possible circular locking dependency detected
6.1.0-rc1-next-20221020 #1 Not tainted
------------------------------------------------------
syz-executor.0/4987 is trying to acquire lock:
ffff8880106e3470 ((work_completion)(&(&conn->timeout_work)->work)){+.+.}-{0:0}, at: __flush_work+0xdd/0xd10

but task is already holding lock:
ffffffff857e20a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0xc7/0x240
mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #3 (hci_cb_list_lock){+.+.}-{3:3}:
       __mutex_lock+0x136/0x14e0
       hci_remote_features_evt+0x47a/0x9a0
       hci_event_packet+0x919/0xf70
       hci_rx_work+0xa82/0x1010
       process_one_work+0xa17/0x16b0
       worker_thread+0x637/0x1270
       kthread+0x2ed/0x3b0
       ret_from_fork+0x2c/0x50

-> #2 (&hdev->lock){+.+.}-{3:3}:
       __mutex_lock+0x136/0x14e0
       sco_sock_connect+0x1e4/0xa70
       __sys_connect_file+0x155/0x1b0
       __sys_connect+0x165/0x1b0
       __x64_sys_connect+0x6f/0xc0
       do_syscall_64+0x3b/0xa0
       entry_SYSCALL_64_after_hwframe+0x72/0xdc

-> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
       lock_sock_nested+0x3d/0x100
       sco_sock_timeout+0xc3/0x240
       process_one_work+0xa17/0x16b0
       worker_thread+0x637/0x1270
       kthread+0x2ed/0x3b0
       ret_from_fork+0x2c/0x50

-> #0 ((work_completion)(&(&conn->timeout_work)->work)){+.+.}-{0:0}:
       __lock_acquire+0x2a02/0x5e80
       lock_acquire+0x1a2/0x540
       __flush_work+0x105/0xd10
       __cancel_work_timer+0x39c/0x4f0
       sco_conn_del+0x1e4/0x2d0
       sco_disconn_cfm+0x62/0x90
       hci_conn_hash_flush+0x119/0x240
       hci_dev_close_sync+0x57b/0xff0
       hci_unregister_dev+0x10f/0x390
       vhci_release+0x7c/0x100
       __fput+0x263/0xa50
       task_work_run+0x170/0x290
       do_exit+0xb21/0x2800
       do_group_exit+0xd0/0x2b0
       __x64_sys_exit_group+0x3a/0x60
       do_syscall_64+0x3b/0xa0
       entry_SYSCALL_64_after_hwframe+0x72/0xdc

other info that might help us debug this:

Chain exists of:
  (work_completion)(&(&conn->timeout_work)->work) --> &hdev->lock --> hci_cb_list_lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(hci_cb_list_lock);
                               lock(&hdev->lock);
                               lock(hci_cb_list_lock);
  lock((work_completion)(&(&conn->timeout_work)->work));

 *** DEADLOCK ***

3 locks held by syz-executor.0/4987:
 #0: ffff888010655028 (&hdev->req_lock){+.+.}-{3:3}, at: hci_unregister_dev+0x107/0x390
 #1: ffff888010654078 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_close_sync+0x2e0/0xff0
 #2: ffffffff857e20a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0xc7/0x240

stack backtrace:
CPU: 0 PID: 4987 Comm: syz-executor.0 Not tainted 6.1.0-rc1-next-20221020 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 dump_stack_lvl+0x8b/0xc3
 check_noncircular+0x263/0x2f0
 __lock_acquire+0x2a02/0x5e80
 lock_acquire+0x1a2/0x540
 __flush_work+0x105/0xd10
 __cancel_work_timer+0x39c/0x4f0
 sco_conn_del+0x1e4/0x2d0
 sco_disconn_cfm+0x62/0x90
 hci_conn_hash_flush+0x119/0x240
 hci_dev_close_sync+0x57b/0xff0
 hci_unregister_dev+0x10f/0x390
 vhci_release+0x7c/0x100
 __fput+0x263/0xa50
 task_work_run+0x170/0x290
 do_exit+0xb21/0x2800
 do_group_exit+0xd0/0x2b0
 __x64_sys_exit_group+0x3a/0x60
 do_syscall_64+0x3b/0xa0
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f664734eb19
Code: Unable to access opcode bytes at 0x7f664734eaef.
RSP: 002b:00007ffe8af5cfd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007f664734eb19
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000043
RBP: 0000000000000000 R08: 0000000000000014 R09: 0000000000000006
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f66473a90c3
R13: 0000000000000000 R14: 0000000000000002 R15: 00007ffe8af5d1c0
Bluetooth: hci3: Opcode 0x c03 failed: -110
Bluetooth: hci3: Opcode 0x c03 failed: -110