DUID 00:04:a4:d9:44:a1:3e:a2:79:db:da:6d:5d:0b:f7:25:ed:85
forked to background, child pid 3212
[ 28.120507][ T3213] 8021q: adding VLAN 0 to HW filter on device bond0
[ 28.130881][ T3213] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK

syzkaller
Warning: Permanently added '10.128.0.207' (ECDSA) to the list of known hosts.

syzkaller login: [ 51.981989][ T3544] cgroup: Unknown subsys name 'net'
[ 52.126917][ T3544] cgroup: Unknown subsys name 'rlimit'
[ 52.335791][ T3565] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 52.339408][ T3571] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 52.345427][ T3572] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1
[ 52.352039][ T3571] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1
[ 52.358252][ T3572] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1
[ 52.364754][ T3571] Bluetooth: hci5: unexpected cc 0x0c03 length: 249 > 1
[ 52.371964][ T3572] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 52.379217][ T3571] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 52.386436][ T3572] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9
[ 52.393305][ T3571] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9
[ 52.399937][ T3572] Bluetooth: hci5: unexpected cc 0x1003 length: 249 > 9
[ 52.406806][ T3571] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 52.413661][ T3572] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 52.420796][ T3571] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9
[ 52.427457][ T3572] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9
[ 52.434193][ T3571] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9
[ 52.441579][ T3572] Bluetooth: hci5: unexpected cc 0x1001 length: 249 > 9
[ 52.449082][ T3571] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9
[ 52.463194][ T3572] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 52.463488][ T3571] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 52.470793][ T3572] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4
[ 52.477359][ T3571] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4
[ 52.485337][ T3572] Bluetooth: hci5: unexpected cc 0x0c23 length: 249 > 4
[ 52.491823][ T3571] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3
[ 52.498394][ T3572] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 52.505198][ T3571] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 52.512964][ T3572] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2
[ 52.519490][ T3571] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3
[ 52.525998][ T3572] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 52.533602][ T3571] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 52.540118][ T3572] Bluetooth: hci5: unexpected cc 0x0c25 length: 249 > 3
[ 52.547271][ T3571] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2
[ 52.554427][ T3572] Bluetooth: hci5: unexpected cc 0x0c38 length: 249 > 2
[ 52.569329][ T3572] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4
[ 52.583234][ T3572] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3
[ 52.590506][ T3572] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2
executing program
executing program
executing program
executing program
executing program
executing program
[ 52.816336][ T3554] cgroup: fork rejected by pids controller in /syz2
[ 52.825340][ T3553] cgroup: fork rejected by pids controller in /syz3
[ 52.863564][ T3550] cgroup: fork rejected by pids controller in /syz0
[ 52.882162][ T3561] cgroup: fork rejected by pids controller in /syz5
[ 52.882202][ T3562] cgroup: fork rejected by pids controller in /syz1
[ 52.914740][ T3562]
[ 52.917109][ T3562] ======================================================
[ 52.924135][ T3562] WARNING: possible circular locking dependency detected
[ 52.931163][ T3562] 6.1.32-syzkaller #0 Not tainted
[ 52.936197][ T3562] ------------------------------------------------------
[ 52.943231][ T3562] syz-executor124/3562 is trying to acquire lock:
[ 52.949643][ T3562] ffff8880224c3130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_conn_del+0x104/0x300
[ 52.960076][ T3562]
[ 52.960076][ T3562] but task is already holding lock:
[ 52.967419][ T3562] ffffffff8e1eb548 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0xb8/0x280
[ 52.976963][ T3562]
[ 52.976963][ T3562] which lock already depends on the new lock.
[ 52.976963][ T3562]
[ 52.987350][ T3562]
[ 52.987350][ T3562] the existing dependency chain (in reverse order) is:
[ 52.996358][ T3562]
[ 52.996358][ T3562] -> #2 (hci_cb_list_lock){+.+.}-{3:3}:
[ 53.004084][ T3562]        lock_acquire+0x1f8/0x5a0
[ 53.009094][ T3562]        __mutex_lock_common+0x1d4/0x2520
[ 53.014802][ T3562]        mutex_lock_nested+0x17/0x20
[ 53.020073][ T3562]        hci_remote_features_evt+0x671/0xaa0
[ 53.026042][ T3562]        hci_event_packet+0x96c/0x1360
[ 53.031509][ T3562]        hci_rx_work+0x40d/0xa80
[ 53.036448][ T3562]        process_one_work+0x8aa/0x11f0
[ 53.042244][ T3562]        worker_thread+0xa5f/0x1210
[ 53.047427][ T3562]        kthread+0x26e/0x300
[ 53.052001][ T3562]        ret_from_fork+0x1f/0x30
[ 53.056938][ T3562]
[ 53.056938][ T3562] -> #1 (&hdev->lock){+.+.}-{3:3}:
[ 53.064230][ T3562]        lock_acquire+0x1f8/0x5a0
[ 53.069246][ T3562]        __mutex_lock_common+0x1d4/0x2520
[ 53.074956][ T3562]        mutex_lock_nested+0x17/0x20
[ 53.080274][ T3562]        sco_sock_connect+0x181/0x8d0
[ 53.085633][ T3562]        __sys_connect+0x2c9/0x300
[ 53.090731][ T3562]        __x64_sys_connect+0x76/0x80
[ 53.096001][ T3562]        do_syscall_64+0x3d/0xb0
[ 53.100922][ T3562]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 53.107318][ T3562]
[ 53.107318][ T3562] -> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[ 53.116415][ T3562]        validate_chain+0x1667/0x58e0
[ 53.121776][ T3562]        __lock_acquire+0x125b/0x1f80
[ 53.127130][ T3562]        lock_acquire+0x1f8/0x5a0
[ 53.132134][ T3562]        lock_sock_nested+0x44/0x100
[ 53.137401][ T3562]        sco_conn_del+0x104/0x300
[ 53.142409][ T3562]        hci_conn_hash_flush+0x10e/0x280
[ 53.148032][ T3562]        hci_dev_close_sync+0xa2d/0x1000
[ 53.153660][ T3562]        hci_unregister_dev+0x1c6/0x470
[ 53.159202][ T3562]        vhci_release+0x7f/0xd0
[ 53.164049][ T3562]        __fput+0x3b7/0x890
[ 53.168532][ T3562]        task_work_run+0x246/0x300
[ 53.173635][ T3562]        do_exit+0x6fb/0x2300
[ 53.178300][ T3562]        do_group_exit+0x202/0x2b0
[ 53.183397][ T3562]        __x64_sys_exit_group+0x3b/0x40
[ 53.188929][ T3562]        do_syscall_64+0x3d/0xb0
[ 53.193855][ T3562]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 53.200251][ T3562]
[ 53.200251][ T3562] other info that might help us debug this:
[ 53.200251][ T3562]
[ 53.210460][ T3562] Chain exists of:
[ 53.210460][ T3562]   sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> &hdev->lock --> hci_cb_list_lock
[ 53.210460][ T3562]
[ 53.224688][ T3562]  Possible unsafe locking scenario:
[ 53.224688][ T3562]
[ 53.232122][ T3562]        CPU0                    CPU1
[ 53.237465][ T3562]        ----                    ----
[ 53.242812][ T3562]   lock(hci_cb_list_lock);
[ 53.247296][ T3562]                                lock(&hdev->lock);
[ 53.253862][ T3562]                                lock(hci_cb_list_lock);
[ 53.260863][ T3562]   lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[ 53.266733][ T3562]
[ 53.266733][ T3562]  *** DEADLOCK ***
[ 53.266733][ T3562]
[ 53.274859][ T3562] 3 locks held by syz-executor124/3562:
[ 53.280384][ T3562]  #0: ffff88807e181028 (&hdev->req_lock){+.+.}-{3:3}, at: hci_unregister_dev+0x1be/0x470
[ 53.290283][ T3562]  #1: ffff88807e180078 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_close_sync+0x445/0x1000
[ 53.299916][ T3562]  #2: ffffffff8e1eb548 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0xb8/0x280
[ 53.309898][ T3562]
[ 53.309898][ T3562] stack backtrace:
[ 53.315769][ T3562] CPU: 1 PID: 3562 Comm: syz-executor124 Not tainted 6.1.32-syzkaller #0
[ 53.324162][ T3562] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
[ 53.334203][ T3562] Call Trace:
[ 53.337485][ T3562]
[ 53.340410][ T3562]  dump_stack_lvl+0x1e3/0x2cb
[ 53.345082][ T3562]  ? nf_tcp_handle_invalid+0x642/0x642
[ 53.350544][ T3562]  ? print_circular_bug+0x12b/0x1a0
[ 53.355730][ T3562]  check_noncircular+0x2fa/0x3b0
[ 53.360649][ T3562]  ? mark_lock+0x9a/0x340
[ 53.364961][ T3562]  ? add_chain_block+0x850/0x850
[ 53.369877][ T3562]  ? lockdep_lock+0x11f/0x2a0
[ 53.374541][ T3562]  ? _find_first_zero_bit+0xd0/0x100
[ 53.379827][ T3562]  validate_chain+0x1667/0x58e0
[ 53.384677][ T3562]  ? reacquire_held_locks+0x660/0x660
[ 53.390029][ T3562]  ? mark_lock+0x9a/0x340
[ 53.394338][ T3562]  ? lockdep_hardirqs_on_prepare+0x438/0x7a0
[ 53.400298][ T3562]  ? print_irqtrace_events+0x210/0x210
[ 53.405738][ T3562]  ? do_raw_spin_unlock+0x137/0x8a0
[ 53.410916][ T3562]  ? raw_spin_rq_unlock_irq+0x17/0x80
[ 53.416275][ T3562]  ? lockdep_hardirqs_on+0x94/0x130
[ 53.421461][ T3562]  ? raw_spin_rq_unlock_irq+0x17/0x80
[ 53.426818][ T3562]  ? mark_lock+0x9a/0x340
[ 53.431137][ T3562]  __lock_acquire+0x125b/0x1f80
[ 53.435973][ T3562]  lock_acquire+0x1f8/0x5a0
[ 53.440456][ T3562]  ? sco_conn_del+0x104/0x300
[ 53.445125][ T3562]  ? read_lock_is_recursive+0x10/0x10
[ 53.450490][ T3562]  ? preempt_schedule+0xd9/0xe0
[ 53.455323][ T3562]  ? preempt_schedule_common+0xa6/0xd0
[ 53.460775][ T3562]  ? preempt_schedule+0xd9/0xe0
[ 53.465619][ T3562]  ? schedule_preempt_disabled+0x20/0x20
[ 53.471243][ T3562]  ? __lock_acquire+0x1f80/0x1f80
[ 53.476267][ T3562]  lock_sock_nested+0x44/0x100
[ 53.481024][ T3562]  ? sco_conn_del+0x104/0x300
[ 53.485692][ T3562]  sco_conn_del+0x104/0x300
[ 53.490183][ T3562]  ? sco_connect_cfm+0xc40/0xc40
[ 53.495106][ T3562]  hci_conn_hash_flush+0x10e/0x280
[ 53.500205][ T3562]  hci_dev_close_sync+0xa2d/0x1000
[ 53.505303][ T3562]  hci_unregister_dev+0x1c6/0x470
[ 53.510315][ T3562]  vhci_release+0x7f/0xd0
[ 53.514630][ T3562]  ? vhci_open+0x360/0x360
[ 53.519031][ T3562]  __fput+0x3b7/0x890
[ 53.523001][ T3562]  task_work_run+0x246/0x300
[ 53.527581][ T3562]  ? kasan_quarantine_put+0xd4/0x220
[ 53.532850][ T3562]  ? task_work_cancel+0x2b0/0x2b0
[ 53.537868][ T3562]  ? kmem_cache_free+0x292/0x510
[ 53.542793][ T3562]  ? do_exit+0x6f6/0x2300
[ 53.547107][ T3562]  do_exit+0x6fb/0x2300
[ 53.551251][ T3562]  ? do_group_exit+0x1f2/0x2b0
[ 53.556002][ T3562]  ? put_task_struct+0x80/0x80
[ 53.560747][ T3562]  ? lockdep_hardirqs_on_prepare+0x438/0x7a0
[ 53.566707][ T3562]  ? print_irqtrace_events+0x210/0x210
[ 53.572155][ T3562]  ? _raw_spin_unlock_irq+0x1f/0x40
[ 53.577339][ T3562]  ? lockdep_hardirqs_on+0x94/0x130
[ 53.582523][ T3562]  do_group_exit+0x202/0x2b0
[ 53.587105][ T3562]  __x64_sys_exit_group+0x3b/0x40
[ 53.592115][ T3562]  do_syscall_64+0x3d/0xb0
[ 53.596519][ T3562]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 53.602402][ T3562] RIP: 0033:0x7fcef8dd2819
[ 53.606797][ T3562] Code: Unable to access opcode bytes at 0x7fcef8dd27ef.
[ 53.613792][ T3562] RSP: 002b:00007fffa9d7c3e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 53.622186][ T3562] RAX: ffffffffffffffda RBX: 00007fcef8e55450 RCX: 00007fcef8dd2819
[ 53.630140][ T3562] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
[ 53.638267][ T3562] RBP: 0000000000000001 R08: ffffffffffffffb8 R09: 0000000000000000
[ 53.646220][ T3562] R10: 0000555555e375d0 R11: 0000000000000246 R12: 00007fcef8e55450
[ 53.654179][ T3562] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 53.662144][ T3562]
[ 53.678137][ T3552] cgroup: fork rejected by pids controller in /syz4