syzbot


possible deadlock in mgmt_remove_adv_monitor_complete

Status: upstream: reported on 2024/05/03 01:13
Subsystems: bluetooth
Reported-by: syzbot+e8651419c44dbc2b8768@syzkaller.appspotmail.com
First crash: 206d, last: 1d13h
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [bluetooth?] possible deadlock in mgmt_remove_adv_monitor_complete 0 (1) 2024/05/03 01:13

Sample crash report:
======================================================
WARNING: possible circular locking dependency detected
6.12.0-syzkaller-00971-g158f238aa69d #0 Not tainted
------------------------------------------------------
syz.0.2325/17760 is trying to acquire lock:
ffff888034b78078 (&hdev->lock){+.+.}-{3:3}, at: mgmt_remove_adv_monitor_complete+0xaf/0x550 net/bluetooth/mgmt.c:5454

but task is already holding lock:
ffff888034b78690 (&hdev->cmd_sync_work_lock){+.+.}-{3:3}, at: hci_cmd_sync_clear+0x4e/0x220 net/bluetooth/hci_sync.c:658

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&hdev->cmd_sync_work_lock){+.+.}-{3:3}:
       lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
       __mutex_lock_common kernel/locking/mutex.c:608 [inline]
       __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
       hci_cmd_sync_lookup_entry net/bluetooth/hci_sync.c:838 [inline]
       hci_cmd_sync_queue_once+0x43/0x240 net/bluetooth/hci_sync.c:782
       le_conn_complete_evt+0xae1/0x12e0 net/bluetooth/hci_event.c:5773
       hci_le_conn_complete_evt+0x18c/0x420 net/bluetooth/hci_event.c:5784
       hci_event_func net/bluetooth/hci_event.c:7440 [inline]
       hci_event_packet+0xa55/0x1540 net/bluetooth/hci_event.c:7495
       hci_rx_work+0x3e8/0xca0 net/bluetooth/hci_core.c:4029
       process_one_work kernel/workqueue.c:3229 [inline]
       process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
       worker_thread+0x870/0xd30 kernel/workqueue.c:3391
       kthread+0x2f0/0x390 kernel/kthread.c:389
       ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

-> #0 (&hdev->lock){+.+.}-{3:3}:
       check_prev_add kernel/locking/lockdep.c:3161 [inline]
       check_prevs_add kernel/locking/lockdep.c:3280 [inline]
       validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
       __lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5202
       lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
       __mutex_lock_common kernel/locking/mutex.c:608 [inline]
       __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
       mgmt_remove_adv_monitor_complete+0xaf/0x550 net/bluetooth/mgmt.c:5454
       _hci_cmd_sync_cancel_entry net/bluetooth/hci_sync.c:645 [inline]
       hci_cmd_sync_clear+0x107/0x220 net/bluetooth/hci_sync.c:660
       hci_unregister_dev+0x181/0x510 net/bluetooth/hci_core.c:2694
       vhci_release+0x80/0xd0 drivers/bluetooth/hci_vhci.c:664
       __fput+0x23c/0xa50 fs/file_table.c:450
       task_work_run+0x24f/0x310 kernel/task_work.c:239
       exit_task_work include/linux/task_work.h:43 [inline]
       do_exit+0xa2f/0x28e0 kernel/exit.c:938
       do_group_exit+0x207/0x2c0 kernel/exit.c:1087
       get_signal+0x16a3/0x1740 kernel/signal.c:2918
       arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
       exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
       exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
       __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
       syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
       do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&hdev->cmd_sync_work_lock);
                               lock(&hdev->lock);
                               lock(&hdev->cmd_sync_work_lock);
  lock(&hdev->lock);

 *** DEADLOCK ***

1 lock held by syz.0.2325/17760:
 #0: ffff888034b78690 (&hdev->cmd_sync_work_lock){+.+.}-{3:3}, at: hci_cmd_sync_clear+0x4e/0x220 net/bluetooth/hci_sync.c:658

stack backtrace:
CPU: 1 UID: 0 PID: 17760 Comm: syz.0.2325 Not tainted 6.12.0-syzkaller-00971-g158f238aa69d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074
 check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2206
 check_prev_add kernel/locking/lockdep.c:3161 [inline]
 check_prevs_add kernel/locking/lockdep.c:3280 [inline]
 validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3904
 __lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5202
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
 __mutex_lock_common kernel/locking/mutex.c:608 [inline]
 __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
 mgmt_remove_adv_monitor_complete+0xaf/0x550 net/bluetooth/mgmt.c:5454
 _hci_cmd_sync_cancel_entry net/bluetooth/hci_sync.c:645 [inline]
 hci_cmd_sync_clear+0x107/0x220 net/bluetooth/hci_sync.c:660
 hci_unregister_dev+0x181/0x510 net/bluetooth/hci_core.c:2694
 vhci_release+0x80/0xd0 drivers/bluetooth/hci_vhci.c:664
 __fput+0x23c/0xa50 fs/file_table.c:450
 task_work_run+0x24f/0x310 kernel/task_work.c:239
 exit_task_work include/linux/task_work.h:43 [inline]
 do_exit+0xa2f/0x28e0 kernel/exit.c:938
 do_group_exit+0x207/0x2c0 kernel/exit.c:1087
 get_signal+0x16a3/0x1740 kernel/signal.c:2918
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6051d7e759
Code: Unable to access opcode bytes at 0x7f6051d7e72f.
RSP: 002b:00007f6052aae038 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: 0000000000018ff8 RBX: 00007f6051f35f80 RCX: 00007f6051d7e759
RDX: 0000000000018ff8 RSI: 0000000020019680 RDI: 0000000000000006
RBP: 00007f6051df175e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f6051f35f80 R15: 00007fff2e4b8c48
 </TASK>

Crashes (18):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2024/11/19 17:04 upstream 158f238aa69d 571351cb .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root possible deadlock in mgmt_remove_adv_monitor_complete
2024/11/07 23:45 upstream ff7afaeca1a1 c069283c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root possible deadlock in mgmt_remove_adv_monitor_complete
2024/10/25 08:08 upstream ae90f6a6170d c79b8ca5 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root possible deadlock in mgmt_remove_adv_monitor_complete
2024/10/24 22:10 upstream c2ee9f594da8 9fc8fe02 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root possible deadlock in mgmt_remove_adv_monitor_complete
2024/10/23 00:26 upstream c2ee9f594da8 9d74f456 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root possible deadlock in mgmt_remove_adv_monitor_complete
2024/10/10 14:16 upstream d3d1556696c1 8fbfc0c8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root possible deadlock in mgmt_remove_adv_monitor_complete
2024/07/17 15:44 upstream 51835949dda3 03114f55 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root possible deadlock in mgmt_remove_adv_monitor_complete
2024/10/29 01:30 upstream e42b1a9a2557 5fe1d0f5 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream possible deadlock in mgmt_remove_adv_monitor_complete
2024/10/24 06:11 upstream c2ee9f594da8 15fa2979 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 possible deadlock in mgmt_remove_adv_monitor_complete
2024/04/29 01:09 upstream 245c8e81741b 07b455f9 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 possible deadlock in mgmt_remove_adv_monitor_complete
2024/10/24 21:56 net 9efc44fb2dba 9fc8fe02 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/10/20 05:04 net 07d6bf634bc8 cd6fc0a3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/10/13 01:12 net 174714f0e505 084d8178 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/07/22 19:54 net d7e78951a8b8 f063dfd9 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-this-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/11/05 03:47 net-next ecf99864ea6b 509da429 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/10/31 11:30 net-next d30b56c8666d fb888278 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/10/30 12:46 net-next 2b1d193a5a57 66aeb999 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete
2024/10/11 10:42 net-next 59ae83dcf102 cd942402 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-net-kasan-gce possible deadlock in mgmt_remove_adv_monitor_complete