syzbot

======================================================
WARNING: possible circular locking dependency detected
6.11.0-rc5-syzkaller #0 Not tainted
------------------------------------------------------
kworker/u9:8/5234 is trying to acquire lock:
ffff88806ef82258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1607 [inline]
ffff88806ef82258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_conn_ready net/bluetooth/sco.c:1290 [inline]
ffff88806ef82258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x3ee/0xc10 net/bluetooth/sco.c:1362

but task is already holding lock:
ffff88802cf3ba20 (&conn->lock#2){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff88802cf3ba20 (&conn->lock#2){+.+.}-{2:2}, at: sco_conn_ready net/bluetooth/sco.c:1277 [inline]
ffff88802cf3ba20 (&conn->lock#2){+.+.}-{2:2}, at: sco_connect_cfm+0x2d1/0xc10 net/bluetooth/sco.c:1362

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&conn->lock#2){+.+.}-{2:2}:
       __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
       _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
       spin_lock include/linux/spinlock.h:351 [inline]
       sco_chan_add net/bluetooth/sco.c:234 [inline]
       sco_connect net/bluetooth/sco.c:287 [inline]
       sco_sock_connect+0x39c/0xb00 net/bluetooth/sco.c:596
       __sys_connect_file+0x15f/0x1a0 net/socket.c:2061
       __sys_connect+0x149/0x170 net/socket.c:2078
       __do_sys_connect net/socket.c:2088 [inline]
       __se_sys_connect net/socket.c:2085 [inline]
       __x64_sys_connect+0x72/0xb0 net/socket.c:2085
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
       check_prev_add kernel/locking/lockdep.c:3133 [inline]
       check_prevs_add kernel/locking/lockdep.c:3252 [inline]
       validate_chain kernel/locking/lockdep.c:3868 [inline]
       __lock_acquire+0x24ed/0x3cb0 kernel/locking/lockdep.c:5142
       lock_acquire kernel/locking/lockdep.c:5759 [inline]
       lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5724
       lock_sock_nested+0x3a/0xf0 net/core/sock.c:3543
       lock_sock include/net/sock.h:1607 [inline]
       sco_conn_ready net/bluetooth/sco.c:1290 [inline]
       sco_connect_cfm+0x3ee/0xc10 net/bluetooth/sco.c:1362
       hci_connect_cfm include/net/bluetooth/hci_core.h:1965 [inline]
       hci_sync_conn_complete_evt+0x3a1/0xa10 net/bluetooth/hci_event.c:5009
       hci_event_func net/bluetooth/hci_event.c:7446 [inline]
       hci_event_packet+0x9eb/0x1180 net/bluetooth/hci_event.c:7498
       hci_rx_work+0x2c6/0x1610 net/bluetooth/hci_core.c:4017
       process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
       process_scheduled_works kernel/workqueue.c:3312 [inline]
       worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
       kthread+0x2c1/0x3a0 kernel/kthread.c:389
       ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&conn->lock#2);
                               lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
                               lock(&conn->lock#2);
  lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);

 *** DEADLOCK ***

5 locks held by kworker/u9:8/5234:
 #0: ffff88805a230948 ((wq_completion)hci5#2){+.+.}-{0:0}, at: process_one_work+0x1277/0x1b40 kernel/workqueue.c:3206
 #1: ffffc90003237d80 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1b40 kernel/workqueue.c:3207
 #2: ffff88807c8e8078 (&hdev->lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0x118/0xa10 net/bluetooth/hci_event.c:4926
 #3: ffffffff8fc880e8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1962 [inline]
 #3: ffffffff8fc880e8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0x336/0xa10 net/bluetooth/hci_event.c:5009
 #4: ffff88802cf3ba20 (&conn->lock#2){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
 #4: ffff88802cf3ba20 (&conn->lock#2){+.+.}-{2:2}, at: sco_conn_ready net/bluetooth/sco.c:1277 [inline]
 #4: ffff88802cf3ba20 (&conn->lock#2){+.+.}-{2:2}, at: sco_connect_cfm+0x2d1/0xc10 net/bluetooth/sco.c:1362

stack backtrace:
CPU: 1 UID: 0 PID: 5234 Comm: kworker/u9:8 Not tainted 6.11.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci5 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
 check_noncircular+0x31a/0x400 kernel/locking/lockdep.c:2186
 check_prev_add kernel/locking/lockdep.c:3133 [inline]
 check_prevs_add kernel/locking/lockdep.c:3252 [inline]
 validate_chain kernel/locking/lockdep.c:3868 [inline]
 __lock_acquire+0x24ed/0x3cb0 kernel/locking/lockdep.c:5142
 lock_acquire kernel/locking/lockdep.c:5759 [inline]
 lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5724
 lock_sock_nested+0x3a/0xf0 net/core/sock.c:3543
 lock_sock include/net/sock.h:1607 [inline]
 sco_conn_ready net/bluetooth/sco.c:1290 [inline]
 sco_connect_cfm+0x3ee/0xc10 net/bluetooth/sco.c:1362
 hci_connect_cfm include/net/bluetooth/hci_core.h:1965 [inline]
 hci_sync_conn_complete_evt+0x3a1/0xa10 net/bluetooth/hci_event.c:5009
 hci_event_func net/bluetooth/hci_event.c:7446 [inline]
 hci_event_packet+0x9eb/0x1180 net/bluetooth/hci_event.c:7498
 hci_rx_work+0x2c6/0x1610 net/bluetooth/hci_core.c:4017
 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
BUG: sleeping function called from invalid context at net/core/sock.c:3545
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5234, name: kworker/u9:8
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
INFO: lockdep is turned off.
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 1 UID: 0 PID: 5234 Comm: kworker/u9:8 Not tainted 6.11.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci5 hci_rx_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:119
 __might_resched+0x3c0/0x5e0 kernel/sched/core.c:8463
 lock_sock_nested+0x4b/0xf0 net/core/sock.c:3545
 lock_sock include/net/sock.h:1607 [inline]
 sco_conn_ready net/bluetooth/sco.c:1290 [inline]
 sco_connect_cfm+0x3ee/0xc10 net/bluetooth/sco.c:1362
 hci_connect_cfm include/net/bluetooth/hci_core.h:1965 [inline]
 hci_sync_conn_complete_evt+0x3a1/0xa10 net/bluetooth/hci_event.c:5009
 hci_event_func net/bluetooth/hci_event.c:7446 [inline]
 hci_event_packet+0x9eb/0x1180 net/bluetooth/hci_event.c:7498
 hci_rx_work+0x2c6/0x1610 net/bluetooth/hci_core.c:4017
 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Bluetooth: hci5: command tx timeout