syzbot

======================================================
WARNING: possible circular locking dependency detected
6.2.0-rc1-syzkaller-00084-gc8451c141e07 #0 Not tainted
------------------------------------------------------
syz-executor245/5091 is trying to acquire lock:
ffff88807db39130 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1725 [inline]
ffff88807db39130 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: rfcomm_sk_state_change+0x52/0x2f0 net/bluetooth/rfcomm/sock.c:73

but task is already holding lock:
ffff8880151a0928 (&d->lock){+.+.}-{3:3}, at: __rfcomm_dlc_close+0x276/0x470 net/bluetooth/rfcomm/core.c:487

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&d->lock){+.+.}-{3:3}:
       lock_acquire+0x1a7/0x400 kernel/locking/lockdep.c:5668
       __mutex_lock_common+0x1de/0x26c0 kernel/locking/mutex.c:603
       __mutex_lock kernel/locking/mutex.c:747 [inline]
       mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:799
       __rfcomm_dlc_close+0x276/0x470 net/bluetooth/rfcomm/core.c:487
       rfcomm_dlc_close+0x10d/0x1c0 net/bluetooth/rfcomm/core.c:520
       __rfcomm_sock_close+0x101/0x220 net/bluetooth/rfcomm/sock.c:220
       rfcomm_sock_shutdown+0xad/0x230 net/bluetooth/rfcomm/sock.c:907
       rfcomm_sock_release+0x55/0x120 net/bluetooth/rfcomm/sock.c:928
       __sock_release net/socket.c:650 [inline]
       sock_close+0xd7/0x260 net/socket.c:1365
       __fput+0x3ba/0x880 fs/file_table.c:320
       task_work_run+0x243/0x300 kernel/task_work.c:179
       exit_task_work include/linux/task_work.h:38 [inline]
       do_exit+0x644/0x2150 kernel/exit.c:867
       do_group_exit+0x1fd/0x2b0 kernel/exit.c:1012
       get_signal+0x1755/0x1820 kernel/signal.c:2859
       arch_do_signal_or_restart+0x8d/0x5f0 arch/x86/kernel/signal.c:306
       exit_to_user_mode_loop+0x74/0x160 kernel/entry/common.c:168
       exit_to_user_mode_prepare+0xad/0x110 kernel/entry/common.c:203
       __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
       syscall_exit_to_user_mode+0x2e/0x60 kernel/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x63/0xcd

-> #1 (rfcomm_mutex){+.+.}-{3:3}:
       lock_acquire+0x1a7/0x400 kernel/locking/lockdep.c:5668
       __mutex_lock_common+0x1de/0x26c0 kernel/locking/mutex.c:603
       __mutex_lock kernel/locking/mutex.c:747 [inline]
       mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:799
       rfcomm_dlc_open+0x25/0x50 net/bluetooth/rfcomm/core.c:425
       rfcomm_sock_connect+0x285/0x470 net/bluetooth/rfcomm/sock.c:413
       __sys_connect_file net/socket.c:1976 [inline]
       __sys_connect+0x29b/0x2d0 net/socket.c:1993
       __do_sys_connect net/socket.c:2003 [inline]
       __se_sys_connect net/socket.c:2000 [inline]
       __x64_sys_connect+0x76/0x80 net/socket.c:2000
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x63/0xcd

-> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}:
       check_prev_add kernel/locking/lockdep.c:3097 [inline]
       check_prevs_add kernel/locking/lockdep.c:3216 [inline]
       validate_chain+0x184a/0x6470 kernel/locking/lockdep.c:3831
       __lock_acquire+0x1292/0x1f60 kernel/locking/lockdep.c:5055
       lock_acquire+0x1a7/0x400 kernel/locking/lockdep.c:5668
       lock_sock_nested+0x44/0xf0 net/core/sock.c:3470
       lock_sock include/net/sock.h:1725 [inline]
       rfcomm_sk_state_change+0x52/0x2f0 net/bluetooth/rfcomm/sock.c:73
       __rfcomm_dlc_close+0x2bb/0x470 net/bluetooth/rfcomm/core.c:489
       rfcomm_dlc_close+0x10d/0x1c0 net/bluetooth/rfcomm/core.c:520
       __rfcomm_sock_close+0x101/0x220 net/bluetooth/rfcomm/sock.c:220
       rfcomm_sock_shutdown+0xad/0x230 net/bluetooth/rfcomm/sock.c:907
       rfcomm_sock_release+0x55/0x120 net/bluetooth/rfcomm/sock.c:928
       __sock_release net/socket.c:650 [inline]
       sock_close+0xd7/0x260 net/socket.c:1365
       __fput+0x3ba/0x880 fs/file_table.c:320
       task_work_run+0x243/0x300 kernel/task_work.c:179
       exit_task_work include/linux/task_work.h:38 [inline]
       do_exit+0x644/0x2150 kernel/exit.c:867
       do_group_exit+0x1fd/0x2b0 kernel/exit.c:1012
       get_signal+0x1755/0x1820 kernel/signal.c:2859
       arch_do_signal_or_restart+0x8d/0x5f0 arch/x86/kernel/signal.c:306
       exit_to_user_mode_loop+0x74/0x160 kernel/entry/common.c:168
       exit_to_user_mode_prepare+0xad/0x110 kernel/entry/common.c:203
       __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
       syscall_exit_to_user_mode+0x2e/0x60 kernel/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x63/0xcd

other info that might help us debug this:

Chain exists of:
  sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM --> rfcomm_mutex --> &d->lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&d->lock);
                               lock(rfcomm_mutex);
                               lock(&d->lock);
  lock(sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM);

 *** DEADLOCK ***

3 locks held by syz-executor245/5091:
 #0: ffff8880730a7a10 (&sb->s_type->i_mutex_key#9){+.+.}-{3:3}, at: inode_lock include/linux/fs.h:756 [inline]
 #0: ffff8880730a7a10 (&sb->s_type->i_mutex_key#9){+.+.}-{3:3}, at: __sock_release net/socket.c:649 [inline]
 #0: ffff8880730a7a10 (&sb->s_type->i_mutex_key#9){+.+.}-{3:3}, at: sock_close+0x93/0x260 net/socket.c:1365
 #1: ffffffff8e7e2388 (rfcomm_mutex){+.+.}-{3:3}, at: rfcomm_dlc_close+0x32/0x1c0 net/bluetooth/rfcomm/core.c:507
 #2: ffff8880151a0928 (&d->lock){+.+.}-{3:3}, at: __rfcomm_dlc_close+0x276/0x470 net/bluetooth/rfcomm/core.c:487

stack backtrace:
CPU: 0 PID: 5091 Comm: syz-executor245 Not tainted 6.2.0-rc1-syzkaller-00084-gc8451c141e07 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
 check_noncircular+0x2f9/0x3b0 kernel/locking/lockdep.c:2177
 check_prev_add kernel/locking/lockdep.c:3097 [inline]
 check_prevs_add kernel/locking/lockdep.c:3216 [inline]
 validate_chain+0x184a/0x6470 kernel/locking/lockdep.c:3831
 __lock_acquire+0x1292/0x1f60 kernel/locking/lockdep.c:5055
 lock_acquire+0x1a7/0x400 kernel/locking/lockdep.c:5668
 lock_sock_nested+0x44/0xf0 net/core/sock.c:3470
 lock_sock include/net/sock.h:1725 [inline]
 rfcomm_sk_state_change+0x52/0x2f0 net/bluetooth/rfcomm/sock.c:73
 __rfcomm_dlc_close+0x2bb/0x470 net/bluetooth/rfcomm/core.c:489
 rfcomm_dlc_close+0x10d/0x1c0 net/bluetooth/rfcomm/core.c:520
 __rfcomm_sock_close+0x101/0x220 net/bluetooth/rfcomm/sock.c:220
 rfcomm_sock_shutdown+0xad/0x230 net/bluetooth/rfcomm/sock.c:907
 rfcomm_sock_release+0x55/0x120 net/bluetooth/rfcomm/sock.c:928
 __sock_release net/socket.c:650 [inline]
 sock_close+0xd7/0x260 net/socket.c:1365
 __fput+0x3ba/0x880 fs/file_table.c:320
 task_work_run+0x243/0x300 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0x644/0x2150 kernel/exit.c:867
 do_group_exit+0x1fd/0x2b0 kernel/exit.c:1012
 get_signal+0x1755/0x1820 kernel/signal.c:2859
 arch_do_signal_or_restart+0x8d/0x5f0 arch/x86/kernel/signal.c:306
 exit_to_user_mode_loop+0x74/0x160 kernel/entry/common.c:168
 exit_to_user_mode_prepare+0xad/0x110 kernel/entry/common.c:203
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x2e/0x60 kernel/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fb6ce0544b9
Code: Unable to access opcode bytes at 0x7fb6ce05448f.
RSP: 002b:00007ffde0070378 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: fffffffffffffffc RBX: 0000000000000003 RCX: 00007fb6ce0544b9
RDX: 000000000000000a RSI: 0000000020000000 RDI: 0000000000000005
RBP: 0000000000000003 R08: 0000000000000150 R09: 0000000000000150
R10: 0000000000000150 R11: 0000000000000246 R12: 00005555568332b8
R13: 0000000000000072 R14: 00007ffde00703e0 R15: 0000000000000003
 </TASK>