Warning: Permanently added '10.128.0.25' (ECDSA) to the list of known hosts.
syzkaller login: [ 61.116196][ T3553] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 61.123858][ T3553] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 61.131838][ T3553] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 61.139743][ T3553] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 61.147190][ T3553] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 61.154683][ T3553] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
executing program
[ 61.443349][ T3560] nci: nci_start_poll: failed to set local general bytes
[ 63.248941][ T3553] Bluetooth: hci0: command 0x0409 tx timeout
[ 65.327894][ T3553] Bluetooth: hci0: command 0x041b tx timeout
[ 66.448353][ T3551] nci: __nci_request: wait_for_completion_interruptible_timeout failed 0
[ 66.457011][ T3551]
[ 66.459329][ T3551] ======================================================
[ 66.466333][ T3551] WARNING: possible circular locking dependency detected
[ 66.473349][ T3551] 6.1.32-syzkaller #0 Not tainted
[ 66.478363][ T3551] ------------------------------------------------------
[ 66.485377][ T3551] syz-executor346/3551 is trying to acquire lock:
[ 66.491786][ T3551] ffffffff8d7cd688 (nci_mutex){+.+.}-{3:3}, at: virtual_nci_close+0x13/0x40
[ 66.500516][ T3551]
[ 66.500516][ T3551] but task is already holding lock:
[ 66.507866][ T3551] ffff888020dfd350 (&ndev->req_lock){+.+.}-{3:3}, at: nci_close_device+0x106/0x5f0
[ 66.517187][ T3551]
[ 66.517187][ T3551] which lock already depends on the new lock.
[ 66.517187][ T3551]
[ 66.527587][ T3551]
[ 66.527587][ T3551] the existing dependency chain (in reverse order) is:
[ 66.536673][ T3551]
[ 66.536673][ T3551] -> #3 (&ndev->req_lock){+.+.}-{3:3}:
[ 66.544318][ T3551]        lock_acquire+0x1f8/0x5a0
[ 66.549339][ T3551]        __mutex_lock_common+0x1d4/0x2520
[ 66.555059][ T3551]        mutex_lock_nested+0x17/0x20
[ 66.560352][ T3551]        nci_start_poll+0x59f/0xf20
[ 66.565556][ T3551]        nfc_start_poll+0x184/0x2f0
[ 66.570753][ T3551]        nfc_genl_start_poll+0x1e7/0x350
[ 66.576376][ T3551]        genl_rcv_msg+0xc1a/0xf70
[ 66.581390][ T3551]        netlink_rcv_skb+0x1cd/0x410
[ 66.586671][ T3551]        genl_rcv+0x24/0x40
[ 66.591164][ T3551]        netlink_unicast+0x7bf/0x990
[ 66.596443][ T3551]        netlink_sendmsg+0xa26/0xd60
[ 66.601723][ T3551]        ____sys_sendmsg+0x59e/0x8f0
[ 66.607003][ T3551]        __sys_sendmsg+0x2a9/0x390
[ 66.612113][ T3551]        do_syscall_64+0x3d/0xb0
[ 66.617045][ T3551]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 66.623453][ T3551]
[ 66.623453][ T3551] -> #2 (&genl_data->genl_data_mutex){+.+.}-{3:3}:
[ 66.632132][ T3551]        lock_acquire+0x1f8/0x5a0
[ 66.637151][ T3551]        __mutex_lock_common+0x1d4/0x2520
[ 66.642866][ T3551]        mutex_lock_nested+0x17/0x20
[ 66.648145][ T3551]        nfc_urelease_event_work+0x113/0x2f0
[ 66.654116][ T3551]        process_one_work+0x8aa/0x11f0
[ 66.659571][ T3551]        worker_thread+0xa5f/0x1210
[ 66.664762][ T3551]        kthread+0x26e/0x300
[ 66.669343][ T3551]        ret_from_fork+0x1f/0x30
[ 66.674275][ T3551]
[ 66.674275][ T3551] -> #1 (nfc_devlist_mutex){+.+.}-{3:3}:
[ 66.682098][ T3551]        lock_acquire+0x1f8/0x5a0
[ 66.687121][ T3551]        __mutex_lock_common+0x1d4/0x2520
[ 66.692840][ T3551]        mutex_lock_nested+0x17/0x20
[ 66.698125][ T3551]        nfc_register_device+0x38/0x310
[ 66.703682][ T3551]        nci_register_device+0x7be/0x900
[ 66.709317][ T3551]        virtual_ncidev_open+0x55/0xc0
[ 66.714780][ T3551]        misc_open+0x304/0x380
[ 66.719553][ T3551]        chrdev_open+0x54a/0x630
[ 66.724502][ T3551]        do_dentry_open+0x7f9/0x10f0
[ 66.729782][ T3551]        path_openat+0x2644/0x2e60
[ 66.734886][ T3551]        do_filp_open+0x230/0x480
[ 66.739905][ T3551]        do_sys_openat2+0x13b/0x500
[ 66.745184][ T3551]        __x64_sys_openat+0x243/0x290
[ 66.750556][ T3551]        do_syscall_64+0x3d/0xb0
[ 66.755483][ T3551]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 66.761894][ T3551]
[ 66.761894][ T3551] -> #0 (nci_mutex){+.+.}-{3:3}:
[ 66.769011][ T3551]        validate_chain+0x1667/0x58e0
[ 66.774387][ T3551]        __lock_acquire+0x125b/0x1f80
[ 66.779759][ T3551]        lock_acquire+0x1f8/0x5a0
[ 66.784793][ T3551]        __mutex_lock_common+0x1d4/0x2520
[ 66.790532][ T3551]        mutex_lock_nested+0x17/0x20
[ 66.795820][ T3551]        virtual_nci_close+0x13/0x40
[ 66.801104][ T3551]        nci_close_device+0x3a8/0x5f0
[ 66.806476][ T3551]        nci_unregister_device+0x3c/0x230
[ 66.812192][ T3551]        virtual_ncidev_close+0x55/0x90
[ 66.817734][ T3551]        __fput+0x3b7/0x890
[ 66.822231][ T3551]        task_work_run+0x246/0x300
[ 66.827337][ T3551]        exit_to_user_mode_loop+0xd9/0x100
[ 66.833134][ T3551]        exit_to_user_mode_prepare+0xb1/0x140
[ 66.839203][ T3551]        syscall_exit_to_user_mode+0x60/0x270
[ 66.845268][ T3551]        do_syscall_64+0x49/0xb0
[ 66.850207][ T3551]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 66.856626][ T3551]
[ 66.856626][ T3551] other info that might help us debug this:
[ 66.856626][ T3551]
[ 66.866863][ T3551] Chain exists of:
[ 66.866863][ T3551]   nci_mutex --> &genl_data->genl_data_mutex --> &ndev->req_lock
[ 66.866863][ T3551]
[ 66.880417][ T3551]  Possible unsafe locking scenario:
[ 66.880417][ T3551]
[ 66.887856][ T3551]        CPU0                    CPU1
[ 66.893991][ T3551]        ----                    ----
[ 66.899341][ T3551]   lock(&ndev->req_lock);
[ 66.903745][ T3551]                                lock(&genl_data->genl_data_mutex);
[ 66.911713][ T3551]                                lock(&ndev->req_lock);
[ 66.918641][ T3551]   lock(nci_mutex);
[ 66.922553][ T3551]
[ 66.922553][ T3551]  *** DEADLOCK ***
[ 66.922553][ T3551]
[ 66.930697][ T3551] 1 lock held by syz-executor346/3551:
[ 66.936155][ T3551]  #0: ffff888020dfd350 (&ndev->req_lock){+.+.}-{3:3}, at: nci_close_device+0x106/0x5f0
[ 66.945909][ T3551]
[ 66.945909][ T3551] stack backtrace:
[ 66.951784][ T3551] CPU: 1 PID: 3551 Comm: syz-executor346 Not tainted 6.1.32-syzkaller #0
[ 66.960190][ T3551] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
[ 66.970237][ T3551] Call Trace:
[ 66.973510][ T3551]
[ 66.976432][ T3551]  dump_stack_lvl+0x1e3/0x2cb
[ 66.981108][ T3551]  ? nf_tcp_handle_invalid+0x642/0x642
[ 66.986563][ T3551]  ? print_circular_bug+0x12b/0x1a0
[ 66.991757][ T3551]  check_noncircular+0x2fa/0x3b0
[ 66.996772][ T3551]  ? add_chain_block+0x850/0x850
[ 67.001699][ T3551]  ? lockdep_lock+0x11f/0x2a0
[ 67.006394][ T3551]  ? prb_read_valid+0xf0/0xf0
[ 67.011076][ T3551]  ? _find_first_zero_bit+0xd0/0x100
[ 67.016371][ T3551]  validate_chain+0x1667/0x58e0
[ 67.021248][ T3551]  ? __lock_acquire+0x125b/0x1f80
[ 67.026276][ T3551]  ? desc_read+0x200/0x3f0
[ 67.030694][ T3551]  ? memcpy+0x3c/0x60
[ 67.034672][ T3551]  ? reacquire_held_locks+0x660/0x660
[ 67.040038][ T3551]  ? desc_read+0x1a2/0x3f0
[ 67.044450][ T3551]  ? _prb_read_valid+0xb46/0xbe0
[ 67.049403][ T3551]  ? mark_lock+0x9a/0x340
[ 67.053727][ T3551]  __lock_acquire+0x125b/0x1f80
[ 67.058587][ T3551]  lock_acquire+0x1f8/0x5a0
[ 67.063086][ T3551]  ? virtual_nci_close+0x13/0x40
[ 67.068019][ T3551]  ? read_lock_is_recursive+0x10/0x10
[ 67.073381][ T3551]  ? __might_sleep+0xb0/0xb0
[ 67.077968][ T3551]  ? find_next_clump8+0x1a0/0x1a0
[ 67.082986][ T3551]  ? console_unlock+0x2f1/0x6e0
[ 67.087826][ T3551]  ? console_unlock+0x6aa/0x6e0
[ 67.092692][ T3551]  __mutex_lock_common+0x1d4/0x2520
[ 67.098237][ T3551]  ? virtual_nci_close+0x13/0x40
[ 67.103174][ T3551]  ? irq_work_queue+0xc6/0x150
[ 67.107934][ T3551]  ? __wake_up_klogd+0xd5/0x100
[ 67.112779][ T3551]  ? vprintk_emit+0x109/0x1f0
[ 67.117457][ T3551]  ? virtual_nci_close+0x13/0x40
[ 67.122389][ T3551]  ? _printk+0xd1/0x111
[ 67.126539][ T3551]  ? mutex_lock_io_nested+0x60/0x60
[ 67.131738][ T3551]  ? panic+0x75d/0x75d
[ 67.135805][ T3551]  ? _raw_spin_unlock_irq+0x1f/0x40
[ 67.141010][ T3551]  mutex_lock_nested+0x17/0x20
[ 67.145795][ T3551]  virtual_nci_close+0x13/0x40
[ 67.150569][ T3551]  nci_close_device+0x3a8/0x5f0
[ 67.155425][ T3551]  ? nci_unregister_device+0x230/0x230
[ 67.160878][ T3551]  ? mutex_unlock+0x10/0x10
[ 67.165382][ T3551]  nci_unregister_device+0x3c/0x230
[ 67.170596][ T3551]  ? virtual_ncidev_open+0xc0/0xc0
[ 67.175733][ T3551]  virtual_ncidev_close+0x55/0x90
[ 67.180767][ T3551]  ? virtual_ncidev_open+0xc0/0xc0
[ 67.185893][ T3551]  __fput+0x3b7/0x890
[ 67.189909][ T3551]  task_work_run+0x246/0x300
[ 67.194543][ T3551]  ? task_work_cancel+0x2b0/0x2b0
[ 67.199588][ T3551]  ? exit_to_user_mode_loop+0x39/0x100
[ 67.205052][ T3551]  exit_to_user_mode_loop+0xd9/0x100
[ 67.210336][ T3551]  exit_to_user_mode_prepare+0xb1/0x140
[ 67.215888][ T3551]  syscall_exit_to_user_mode+0x60/0x270
[ 67.221443][ T3551]  do_syscall_64+0x49/0xb0
[ 67.225879][ T3551]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 67.231765][ T3551] RIP: 0033:0x7f72dec890bb
[ 67.236188][ T3551] Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
[ 67.255805][ T3551] RSP: 002b:00007ffc07a05bb0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 67.264223][ T3551] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f72dec890bb
[ 67.272192][ T3551] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 67.280153][ T3551] RBP: 0000000000000032 R08: 0000000000000000 R09: 0000000000000010
[ 67.288190][ T3551] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000009
[ 67.296161][ T3551] R13: 00007ffc07a05c20 R14: 00007ffc07a05cc0 R15: 00007f72ded514fc
[ 67.304140][ T3551]