======================================================
WARNING: possible circular locking dependency detected
6.12.0-rc5-syzkaller #0 Not tainted
------------------------------------------------------
kworker/u9:4/5849 is trying to acquire lock:
ffff88807aea7258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1611 [inline]
ffff88807aea7258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_conn_ready net/bluetooth/sco.c:1296 [inline]
ffff88807aea7258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x461/0xb40 net/bluetooth/sco.c:1368
but task is already holding lock:
ffff888022f52820 (&conn->lock#2){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff888022f52820 (&conn->lock#2){+.+.}-{2:2}, at: sco_conn_ready net/bluetooth/sco.c:1283 [inline]
ffff888022f52820 (&conn->lock#2){+.+.}-{2:2}, at: sco_connect_cfm+0x28a/0xb40 net/bluetooth/sco.c:1368
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&conn->lock#2){+.+.}-{2:2}:
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
sco_chan_add net/bluetooth/sco.c:240 [inline]
sco_connect net/bluetooth/sco.c:293 [inline]
sco_sock_connect+0x347/0x990 net/bluetooth/sco.c:602
__sys_connect_file net/socket.c:2071 [inline]
__sys_connect+0x2d1/0x300 net/socket.c:2088
__do_sys_connect net/socket.c:2098 [inline]
__se_sys_connect net/socket.c:2095 [inline]
__x64_sys_connect+0x7a/0x90 net/socket.c:2095
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
__lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5202
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
lock_sock_nested+0x48/0x100 net/core/sock.c:3611
lock_sock include/net/sock.h:1611 [inline]
sco_conn_ready net/bluetooth/sco.c:1296 [inline]
sco_connect_cfm+0x461/0xb40 net/bluetooth/sco.c:1368
hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
hci_sync_conn_complete_evt+0x5ab/0xaa0 net/bluetooth/hci_event.c:5009
hci_event_func net/bluetooth/hci_event.c:7443 [inline]
hci_event_packet+0xac2/0x1540 net/bluetooth/hci_event.c:7495
hci_rx_work+0x3fe/0xd80 net/bluetooth/hci_core.c:4031
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&conn->lock#2);
lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
lock(&conn->lock#2);
lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
*** DEADLOCK ***
5 locks held by kworker/u9:4/5849:
#0: ffff88803564f148 ((wq_completion)hci1#2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
#0: ffff88803564f148 ((wq_completion)hci1#2){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1850 kernel/workqueue.c:3310
#1: ffffc90004057d00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
#1: ffffc90004057d00 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1850 kernel/workqueue.c:3310
#2: ffff88805dfb0078 (&hdev->lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0xb1/0xaa0 net/bluetooth/hci_event.c:4926
#3: ffffffff8fe2d668 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
#3: ffffffff8fe2d668 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0x532/0xaa0 net/bluetooth/hci_event.c:5009
#4: ffff888022f52820 (&conn->lock#2){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
#4: ffff888022f52820 (&conn->lock#2){+.+.}-{2:2}, at: sco_conn_ready net/bluetooth/sco.c:1283 [inline]
#4: ffff888022f52820 (&conn->lock#2){+.+.}-{2:2}, at: sco_connect_cfm+0x28a/0xb40 net/bluetooth/sco.c:1368
stack backtrace:
CPU: 0 UID: 0 PID: 5849 Comm: kworker/u9:4 Not tainted 6.12.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: hci1 hci_rx_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074
check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206
check_prev_add kernel/locking/lockdep.c:3161 [inline]
check_prevs_add kernel/locking/lockdep.c:3280 [inline]
validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
__lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5202
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
lock_sock_nested+0x48/0x100 net/core/sock.c:3611
lock_sock include/net/sock.h:1611 [inline]
sco_conn_ready net/bluetooth/sco.c:1296 [inline]
sco_connect_cfm+0x461/0xb40 net/bluetooth/sco.c:1368
hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
hci_sync_conn_complete_evt+0x5ab/0xaa0 net/bluetooth/hci_event.c:5009
hci_event_func net/bluetooth/hci_event.c:7443 [inline]
hci_event_packet+0xac2/0x1540 net/bluetooth/hci_event.c:7495
hci_rx_work+0x3fe/0xd80 net/bluetooth/hci_core.c:4031
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
BUG: sleeping function called from invalid context at net/core/sock.c:3613
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5849, name: kworker/u9:4
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
INFO: lockdep is turned off.
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 0 UID: 0 PID: 5849 Comm: kworker/u9:4 Not tainted 6.12.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: hci1 hci_rx_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
__might_resched+0x5d4/0x780 kernel/sched/core.c:8653
lock_sock_nested+0x5d/0x100 net/core/sock.c:3613
lock_sock include/net/sock.h:1611 [inline]
sco_conn_ready net/bluetooth/sco.c:1296 [inline]
sco_connect_cfm+0x461/0xb40 net/bluetooth/sco.c:1368
hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
hci_sync_conn_complete_evt+0x5ab/0xaa0 net/bluetooth/hci_event.c:5009
hci_event_func net/bluetooth/hci_event.c:7443 [inline]
hci_event_packet+0xac2/0x1540 net/bluetooth/hci_event.c:7495
hci_rx_work+0x3fe/0xd80 net/bluetooth/hci_core.c:4031
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
==================================================================
BUG: KASAN: slab-use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
BUG: KASAN: slab-use-after-free in do_raw_spin_lock+0x299/0x370 kernel/locking/spinlock_debug.c:115
Read of size 4 at addr ffff88807aea71c4 by task kworker/u9:4/5849
CPU: 0 UID: 0 PID: 5849 Comm: kworker/u9:4 Tainted: G W 6.12.0-rc5-syzkaller #0
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: hci1 hci_rx_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
do_raw_spin_lock+0x299/0x370 kernel/locking/spinlock_debug.c:115
spin_lock_bh include/linux/spinlock.h:356 [inline]
lock_sock_nested+0x6a/0x100 net/core/sock.c:3614
lock_sock include/net/sock.h:1611 [inline]
sco_conn_ready net/bluetooth/sco.c:1296 [inline]
sco_connect_cfm+0x461/0xb40 net/bluetooth/sco.c:1368
hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
hci_sync_conn_complete_evt+0x5ab/0xaa0 net/bluetooth/hci_event.c:5009
hci_event_func net/bluetooth/hci_event.c:7443 [inline]
hci_event_packet+0xac2/0x1540 net/bluetooth/hci_event.c:7495
hci_rx_work+0x3fe/0xd80 net/bluetooth/hci_core.c:4031
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 8604:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_noprof+0x1fc/0x400 mm/slub.c:4276
kmalloc_noprof include/linux/slab.h:882 [inline]
sk_prot_alloc+0xe0/0x210 net/core/sock.c:2164
sk_alloc+0x38/0x370 net/core/sock.c:2217
bt_sock_alloc+0x3c/0x340 net/bluetooth/af_bluetooth.c:148
sco_sock_alloc net/bluetooth/sco.c:506 [inline]
sco_sock_create+0xbb/0x390 net/bluetooth/sco.c:537
bt_sock_create+0x161/0x230 net/bluetooth/af_bluetooth.c:132
__sock_create+0x490/0x940 net/socket.c:1576
sock_create net/socket.c:1632 [inline]
__sys_socket_create net/socket.c:1669 [inline]
__sys_socket+0x150/0x3c0 net/socket.c:1716
__do_sys_socket net/socket.c:1730 [inline]
__se_sys_socket net/socket.c:1728 [inline]
__x64_sys_socket+0x7a/0x90 net/socket.c:1728
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 8604:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2342 [inline]
slab_free mm/slub.c:4579 [inline]
kfree+0x1a0/0x440 mm/slub.c:4727
sk_prot_free net/core/sock.c:2200 [inline]
__sk_destruct+0x479/0x5f0 net/core/sock.c:2292
sco_sock_release+0x25e/0x320 net/bluetooth/sco.c:1265
__sock_release net/socket.c:658 [inline]
sock_close+0xbc/0x240 net/socket.c:1426
__fput+0x23f/0x880 fs/file_table.c:431
task_work_run+0x24f/0x310 kernel/task_work.c:239
get_signal+0x15e8/0x1740 kernel/signal.c:2690
arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88807aea7000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 452 bytes inside of
freed 2048-byte region [ffff88807aea7000, ffff88807aea7800)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7aea0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801ac42000 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801ac42000 0000000000000000 dead000000000001
head: 0000000000000000 0000000000080008 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea0001eba801 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5842, tgid 5842 (syz-executor), ts 73598371645, free_ts 73568146965
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3039/0x3180 mm/page_alloc.c:3457
__alloc_pages_noprof+0x292/0x710 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2412
allocate_slab+0x5a/0x2f0 mm/slub.c:2578
new_slab mm/slub.c:2631 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3818
__slab_alloc+0x58/0xa0 mm/slub.c:3908
__slab_alloc_node mm/slub.c:3961 [inline]
slab_alloc_node mm/slub.c:4122 [inline]
__do_kmalloc_node mm/slub.c:4263 [inline]
__kmalloc_node_noprof+0x286/0x440 mm/slub.c:4270
__kvmalloc_node_noprof+0x72/0x190 mm/util.c:658
kvmalloc_array_node_noprof include/linux/slab.h:1040 [inline]
__ptr_ring_init_queue_alloc_noprof include/linux/ptr_ring.h:471 [inline]
ptr_ring_init_noprof include/linux/ptr_ring.h:489 [inline]
page_pool_init net/core/page_pool.c:262 [inline]
page_pool_create_percpu+0x2ca/0xa00 net/core/page_pool.c:339
nsim_create_page_pool drivers/net/netdevsim/netdev.c:373 [inline]
nsim_init_napi drivers/net/netdevsim/netdev.c:398 [inline]
nsim_open+0x38c/0x880 drivers/net/netdevsim/netdev.c:435
__dev_open+0x2d3/0x450 net/core/dev.c:1476
__dev_change_flags+0x1e2/0x6f0 net/core/dev.c:8841
dev_change_flags+0x8b/0x1a0 net/core/dev.c:8913
do_setlink+0xcd0/0x41f0 net/core/rtnetlink.c:2929
page last free pid 5833 tgid 5833 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcd0/0xf00 mm/page_alloc.c:2638
__slab_free+0x31b/0x3d0 mm/slub.c:4490
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4085 [inline]
slab_alloc_node mm/slub.c:4134 [inline]
kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4141
getname_flags+0xb7/0x540 fs/namei.c:139
do_sys_openat2+0xd2/0x1d0 fs/open.c:1409
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x247/0x2a0 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88807aea7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807aea7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807aea7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807aea7200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807aea7280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================