Warning: Permanently added '10.128.1.98' (ED25519) to the list of known hosts.
[ 35.621865][ T4229] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 35.624252][ T4229] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 35.626439][ T4229] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 35.628798][ T4229] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 35.630794][ T4229] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 35.632555][ T4229] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
executing program
[ 35.777967][ T4231]
[ 35.778499][ T4231] ======================================================
[ 35.779918][ T4231] WARNING: possible circular locking dependency detected
[ 35.781498][ T4231] 6.1.77-syzkaller #0 Not tainted
[ 35.782598][ T4231] ------------------------------------------------------
[ 35.784062][ T4231] syz-executor218/4231 is trying to acquire lock:
[ 35.785497][ T4231] ffff0000cc0c7130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_conn_del+0xec/0x498
[ 35.787779][ T4231]
[ 35.787779][ T4231] but task is already holding lock:
[ 35.789317][ T4231] ffff800017f6a748 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0xb0/0x27c
[ 35.791401][ T4231]
[ 35.791401][ T4231] which lock already depends on the new lock.
[ 35.791401][ T4231]
[ 35.793685][ T4231]
[ 35.793685][ T4231] the existing dependency chain (in reverse order) is:
[ 35.795627][ T4231]
[ 35.795627][ T4231] -> #2 (hci_cb_list_lock){+.+.}-{3:3}:
[ 35.797385][ T4231]        __mutex_lock_common+0x190/0x21a0
[ 35.798549][ T4231]        mutex_lock_nested+0x38/0x44
[ 35.799712][ T4231]        hci_remote_features_evt+0x458/0x8c4
[ 35.801066][ T4231]        hci_event_packet+0x748/0x109c
[ 35.802306][ T4231]        hci_rx_work+0x318/0xa68
[ 35.803407][ T4231]        process_one_work+0x7ac/0x1404
[ 35.804524][ T4231]        worker_thread+0x8e4/0xfec
[ 35.805608][ T4231]        kthread+0x250/0x2d8
[ 35.806627][ T4231]        ret_from_fork+0x10/0x20
[ 35.807676][ T4231]
[ 35.807676][ T4231] -> #1 (&hdev->lock){+.+.}-{3:3}:
[ 35.809270][ T4231]        __mutex_lock_common+0x190/0x21a0
[ 35.810488][ T4231]        mutex_lock_nested+0x38/0x44
[ 35.811692][ T4231]        sco_sock_connect+0x170/0x84c
[ 35.812906][ T4231]        __sys_connect+0x268/0x290
[ 35.814035][ T4231]        __arm64_sys_connect+0x7c/0x94
[ 35.815214][ T4231]        invoke_syscall+0x98/0x2c0
[ 35.816414][ T4231]        el0_svc_common+0x138/0x258
[ 35.817506][ T4231]        do_el0_svc+0x64/0x218
[ 35.818525][ T4231]        el0_svc+0x58/0x168
[ 35.819602][ T4231]        el0t_64_sync_handler+0x84/0xf0
[ 35.820803][ T4231]        el0t_64_sync+0x18c/0x190
[ 35.821885][ T4231]
[ 35.821885][ T4231] -> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[ 35.823894][ T4231]        __lock_acquire+0x3338/0x7680
[ 35.824981][ T4231]        lock_acquire+0x26c/0x7cc
[ 35.825974][ T4231]        lock_sock_nested+0x78/0x138
[ 35.827105][ T4231]        sco_conn_del+0xec/0x498
[ 35.828218][ T4231]        sco_disconn_cfm+0x8c/0xdc
[ 35.829318][ T4231]        hci_conn_hash_flush+0x104/0x27c
[ 35.830587][ T4231]        hci_dev_close_sync+0x7e0/0xf1c
[ 35.831813][ T4231]        hci_rfkill_set_block+0xf0/0x20c
[ 35.832971][ T4231]        rfkill_set_block+0x18c/0x37c
[ 35.834068][ T4231]        rfkill_fop_write+0x578/0x734
[ 35.835252][ T4231]        vfs_write+0x2a4/0x914
[ 35.836270][ T4231]        ksys_write+0x15c/0x26c
[ 35.837303][ T4231]        __arm64_sys_write+0x7c/0x90
[ 35.838487][ T4231]        invoke_syscall+0x98/0x2c0
[ 35.839638][ T4231]        el0_svc_common+0x138/0x258
[ 35.840823][ T4231]        do_el0_svc+0x64/0x218
[ 35.841893][ T4231]        el0_svc+0x58/0x168
[ 35.842881][ T4231]        el0t_64_sync_handler+0x84/0xf0
[ 35.844098][ T4231]        el0t_64_sync+0x18c/0x190
[ 35.845243][ T4231]
[ 35.845243][ T4231] other info that might help us debug this:
[ 35.845243][ T4231]
[ 35.847486][ T4231] Chain exists of:
[ 35.847486][ T4231]   sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> &hdev->lock --> hci_cb_list_lock
[ 35.847486][ T4231]
[ 35.850605][ T4231]  Possible unsafe locking scenario:
[ 35.850605][ T4231]
[ 35.852182][ T4231]        CPU0                    CPU1
[ 35.853330][ T4231]        ----                    ----
[ 35.854505][ T4231]   lock(hci_cb_list_lock);
[ 35.855437][ T4231]                                lock(&hdev->lock);
[ 35.856943][ T4231]                                lock(hci_cb_list_lock);
[ 35.858535][ T4231]   lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[ 35.859863][ T4231]
[ 35.859863][ T4231]  *** DEADLOCK ***
[ 35.859863][ T4231]
[ 35.861558][ T4231] 4 locks held by syz-executor218/4231:
[ 35.862784][ T4231]  #0: ffff8000180bd928 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0x234/0x734
[ 35.865044][ T4231]  #1: ffff0000c97890b8 (&hdev->req_lock){+.+.}-{3:3}, at: hci_rfkill_set_block+0xe8/0x20c
[ 35.867245][ T4231]  #2: ffff0000c9788078 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_close_sync+0x39c/0xf1c
[ 35.869386][ T4231]  #3: ffff800017f6a748 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0xb0/0x27c
[ 35.871653][ T4231]
[ 35.871653][ T4231] stack backtrace:
[ 35.872942][ T4231] CPU: 0 PID: 4231 Comm: syz-executor218 Not tainted 6.1.77-syzkaller #0
[ 35.874792][ T4231] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 35.877043][ T4231] Call trace:
[ 35.877732][ T4231]  dump_backtrace+0x1c8/0x1f4
[ 35.878792][ T4231]  show_stack+0x2c/0x3c
[ 35.879691][ T4231]  dump_stack_lvl+0x108/0x170
[ 35.880671][ T4231]  dump_stack+0x1c/0x58
[ 35.881569][ T4231]  print_circular_bug+0x150/0x1b8
[ 35.882696][ T4231]  check_noncircular+0x2cc/0x378
[ 35.883823][ T4231]  __lock_acquire+0x3338/0x7680
[ 35.884876][ T4231]  lock_acquire+0x26c/0x7cc
[ 35.885844][ T4231]  lock_sock_nested+0x78/0x138
[ 35.886889][ T4231]  sco_conn_del+0xec/0x498
[ 35.887862][ T4231]  sco_disconn_cfm+0x8c/0xdc
[ 35.888901][ T4231]  hci_conn_hash_flush+0x104/0x27c
[ 35.890095][ T4231]  hci_dev_close_sync+0x7e0/0xf1c
[ 35.891148][ T4231]  hci_rfkill_set_block+0xf0/0x20c
[ 35.892309][ T4231]  rfkill_set_block+0x18c/0x37c
[ 35.893391][ T4231]  rfkill_fop_write+0x578/0x734
[ 35.894389][ T4231]  vfs_write+0x2a4/0x914
[ 35.895338][ T4231]  ksys_write+0x15c/0x26c
[ 35.896317][ T4231]  __arm64_sys_write+0x7c/0x90
[ 35.897431][ T4231]  invoke_syscall+0x98/0x2c0
[ 35.898471][ T4231]  el0_svc_common+0x138/0x258
[ 35.899535][ T4231]  do_el0_svc+0x64/0x218
[ 35.900449][ T4231]  el0_svc+0x58/0x168
[ 35.901338][ T4231]  el0t_64_sync_handler+0x84/0xf0
[ 35.902497][ T4231]  el0t_64_sync+0x18c/0x190
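The report above is lockdep's check_noncircular refusing to add the edge hci_cb_list_lock -> sk_lock because the recorded chain sk_lock -> &hdev->lock -> hci_cb_list_lock already reaches back to it. The following is an added illustration, not kernel code and not part of the syzkaller report: a minimal lock-order graph that replays the three call paths from the report (the names SK_LOCK_SCO, HDEV_LOCK, HCI_CB_LIST_LOCK, lock_acquire_check and replay_sco_rfkill_report are this example's own) and shows at which step the cycle closes.

```c
#include <stdio.h>
#include <string.h>

/* Lock classes, named after the three locks in the lockdep report. */
enum lock_class {
    SK_LOCK_SCO,        /* sk_lock-AF_BLUETOOTH-BTPROTO_SCO */
    HDEV_LOCK,          /* &hdev->lock */
    HCI_CB_LIST_LOCK,   /* hci_cb_list_lock */
    NR_LOCK_CLASSES
};

static const char *lock_name[NR_LOCK_CLASSES] = {
    "sk_lock-AF_BLUETOOTH-BTPROTO_SCO",
    "&hdev->lock",
    "hci_cb_list_lock",
};

/* dep[a][b] != 0 records "b was acquired while a was held" (edge a -> b). */
struct lock_graph {
    unsigned char dep[NR_LOCK_CLASSES][NR_LOCK_CLASSES];
};

/* Depth-first search: is 'to' reachable from 'from' along recorded edges? */
static int reaches(const struct lock_graph *g, int from, int to,
                   unsigned char *seen)
{
    if (from == to)
        return 1;
    seen[from] = 1;
    for (int next = 0; next < NR_LOCK_CLASSES; next++) {
        if (g->dep[from][next] && !seen[next] &&
            reaches(g, next, to, seen))
            return 1;
    }
    return 0;
}

/*
 * Record that 'target' is being acquired while 'held' is held (assumed
 * simplification of lockdep's check_noncircular). Returns 0 if the new
 * edge is consistent with the order seen so far, -1 if it would close a
 * cycle; on -1 the edge is not recorded, matching lockdep's behaviour of
 * reporting instead of validating the inverted order.
 */
int lock_acquire_check(struct lock_graph *g, int held, int target)
{
    unsigned char seen[NR_LOCK_CLASSES] = {0};

    if (held == target)
        return -1;                      /* recursive acquisition */
    if (reaches(g, target, held, seen)) {
        printf("possible circular locking dependency: %s -> ... -> %s -> %s\n",
               lock_name[target], lock_name[held], lock_name[target]);
        return -1;
    }
    g->dep[held][target] = 1;
    return 0;
}

/*
 * Replay the three call paths from the report in the order lockdep learned
 * them. Returns 0 if no cycle, else the 1-based step that closed it.
 */
int replay_sco_rfkill_report(void)
{
    struct lock_graph g;
    memset(&g, 0, sizeof(g));

    /* -> #1: sco_sock_connect(): lock_sock(sk) held, then &hdev->lock. */
    if (lock_acquire_check(&g, SK_LOCK_SCO, HDEV_LOCK) != 0)
        return 1;
    /* -> #2: hci_remote_features_evt(): &hdev->lock held, then hci_cb_list_lock. */
    if (lock_acquire_check(&g, HDEV_LOCK, HCI_CB_LIST_LOCK) != 0)
        return 2;
    /* -> #0: hci_conn_hash_flush() -> sco_disconn_cfm() -> sco_conn_del():
     *        hci_cb_list_lock held, then lock_sock(sk). This closes the cycle. */
    if (lock_acquire_check(&g, HCI_CB_LIST_LOCK, SK_LOCK_SCO) != 0)
        return 3;
    return 0;
}

int main(void)
{
    int step = replay_sco_rfkill_report();
    printf("cycle closed at step %d (0 = no cycle)\n", step);
    return 0;
}
```

The replay stops at the third edge, which is the same point the kernel reports: the rfkill close path takes the socket lock underneath hci_cb_list_lock, while the connect and remote-features paths had already established the opposite order through &hdev->lock.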