Warning: Permanently added '10.128.0.191' (ED25519) to the list of known hosts.
[ 68.225422][ T5070] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 68.235277][ T50] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 68.243103][ T50] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 68.251414][ T50] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 68.259454][ T50] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 68.267169][ T50] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
executing program
[ 68.396131][ T5067]
[ 68.398495][ T5067] ======================================================
[ 68.405519][ T5067] WARNING: possible circular locking dependency detected
[ 68.412540][ T5067] 6.7.0-rc6-syzkaller-00044-g1a44b0073b92 #0 Not tainted
[ 68.419566][ T5067] ------------------------------------------------------
[ 68.426584][ T5067] syz-executor352/5067 is trying to acquire lock:
[ 68.433177][ T5067] ffff888075748e10 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}, at: __flush_work+0xfa/0xa10
[ 68.443674][ T5067]
[ 68.443674][ T5067] but task is already holding lock:
[ 68.451046][ T5067] ffff888075749108 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x26/0x90
[ 68.460227][ T5067]
[ 68.460227][ T5067] which lock already depends on the new lock.
[ 68.460227][ T5067]
[ 68.470635][ T5067]
[ 68.470635][ T5067] the existing dependency chain (in reverse order) is:
[ 68.479655][ T5067]
[ 68.479655][ T5067] -> #3 (&hdev->req_lock){+.+.}-{3:3}:
[ 68.487328][ T5067]        __mutex_lock+0x175/0x9d0
[ 68.492383][ T5067]        hci_dev_do_close+0x26/0x90
[ 68.497599][ T5067]        hci_rfkill_set_block+0x1b9/0x200
[ 68.503336][ T5067]        rfkill_set_block+0x200/0x550
[ 68.508725][ T5067]        rfkill_fop_write+0x2d4/0x570
[ 68.514103][ T5067]        vfs_write+0x2a4/0xdf0
[ 68.518862][ T5067]        ksys_write+0x1f0/0x250
[ 68.523719][ T5067]        __do_fast_syscall_32+0x62/0xe0
[ 68.529279][ T5067]        do_fast_syscall_32+0x33/0x70
[ 68.534670][ T5067]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 68.541548][ T5067]
[ 68.541548][ T5067] -> #2 (rfkill_global_mutex){+.+.}-{3:3}:
[ 68.549546][ T5067]        __mutex_lock+0x175/0x9d0
[ 68.554585][ T5067]        rfkill_register+0x3a/0xb30
[ 68.559798][ T5067]        hci_register_dev+0x43a/0xd40
[ 68.565188][ T5067]        __vhci_create_device+0x393/0x800
[ 68.570925][ T5067]        vhci_write+0x2c7/0x470
[ 68.575789][ T5067]        vfs_write+0x64f/0xdf0
[ 68.580558][ T5067]        ksys_write+0x12f/0x250
[ 68.585411][ T5067]        __do_fast_syscall_32+0x62/0xe0
[ 68.590965][ T5067]        do_fast_syscall_32+0x33/0x70
[ 68.596353][ T5067]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 68.603249][ T5067]
[ 68.603249][ T5067] -> #1 (&data->open_mutex){+.+.}-{3:3}:
[ 68.611078][ T5067]        __mutex_lock+0x175/0x9d0
[ 68.616124][ T5067]        vhci_send_frame+0x67/0xa0
[ 68.621250][ T5067]        hci_send_frame+0x220/0x470
[ 68.626465][ T5067]        hci_tx_work+0x1456/0x1e40
[ 68.631581][ T5067]        process_one_work+0x886/0x15d0
[ 68.637047][ T5067]        worker_thread+0x8b9/0x1290
[ 68.642255][ T5067]        kthread+0x2c6/0x3a0
[ 68.646850][ T5067]        ret_from_fork+0x45/0x80
[ 68.651795][ T5067]        ret_from_fork_asm+0x11/0x20
[ 68.657088][ T5067]
[ 68.657088][ T5067] -> #0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}:
[ 68.666312][ T5067]        __lock_acquire+0x2433/0x3b20
[ 68.671807][ T5067]        lock_acquire+0x1ae/0x520
[ 68.676941][ T5067]        __flush_work+0x103/0xa10
[ 68.681976][ T5067]        hci_dev_close_sync+0x22d/0x1160
[ 68.687617][ T5067]        hci_dev_do_close+0x2e/0x90
[ 68.692843][ T5067]        hci_rfkill_set_block+0x1b9/0x200
[ 68.698564][ T5067]        rfkill_set_block+0x200/0x550
[ 68.703940][ T5067]        rfkill_fop_write+0x2d4/0x570
[ 68.709314][ T5067]        vfs_write+0x2a4/0xdf0
[ 68.714077][ T5067]        ksys_write+0x1f0/0x250
[ 68.718923][ T5067]        __do_fast_syscall_32+0x62/0xe0
[ 68.724472][ T5067]        do_fast_syscall_32+0x33/0x70
[ 68.729850][ T5067]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 68.736702][ T5067]
[ 68.736702][ T5067] other info that might help us debug this:
[ 68.736702][ T5067]
[ 68.746922][ T5067] Chain exists of:
[ 68.746922][ T5067]   (work_completion)(&hdev->tx_work) --> rfkill_global_mutex --> &hdev->req_lock
[ 68.746922][ T5067]
[ 68.761866][ T5067]  Possible unsafe locking scenario:
[ 68.761866][ T5067]
[ 68.769304][ T5067]        CPU0                    CPU1
[ 68.774659][ T5067]        ----                    ----
[ 68.780029][ T5067]   lock(&hdev->req_lock);
[ 68.784451][ T5067]                                lock(rfkill_global_mutex);
[ 68.791738][ T5067]                                lock(&hdev->req_lock);
[ 68.798678][ T5067]   lock((work_completion)(&hdev->tx_work));
[ 68.804661][ T5067]
[ 68.804661][ T5067]  *** DEADLOCK ***
[ 68.804661][ T5067]
[ 68.812803][ T5067] 2 locks held by syz-executor352/5067:
[ 68.818427][ T5067]  #0: ffffffff8ef2cca8 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0x16e/0x570
[ 68.828536][ T5067]  #1: ffff888075749108 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x26/0x90
[ 68.838114][ T5067]
[ 68.838114][ T5067] stack backtrace:
[ 68.843991][ T5067] CPU: 1 PID: 5067 Comm: syz-executor352 Not tainted 6.7.0-rc6-syzkaller-00044-g1a44b0073b92 #0
[ 68.854397][ T5067] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 68.864449][ T5067] Call Trace:
[ 68.867724][ T5067]
[ 68.870652][ T5067]  dump_stack_lvl+0xd9/0x1b0
[ 68.875252][ T5067]  check_noncircular+0x317/0x400
[ 68.880202][ T5067]  ? print_circular_bug+0x5c0/0x5c0
[ 68.885408][ T5067]  ? is_bpf_text_address+0x94/0x1a0
[ 68.890613][ T5067]  ? lockdep_lock+0xc6/0x200
[ 68.895209][ T5067]  ? hlock_class+0x130/0x130
[ 68.899809][ T5067]  __lock_acquire+0x2433/0x3b20
[ 68.904680][ T5067]  ? lockdep_hardirqs_on_prepare+0x420/0x420
[ 68.910676][ T5067]  ? save_trace+0x4e/0xb30
[ 68.915097][ T5067]  ? _find_first_zero_bit+0x94/0xb0
[ 68.920306][ T5067]  lock_acquire+0x1ae/0x520
[ 68.924819][ T5067]  ? __flush_work+0xfa/0xa10
[ 68.929418][ T5067]  ? lock_sync+0x190/0x190
[ 68.933848][ T5067]  ? __flush_work+0xfa/0xa10
[ 68.938446][ T5067]  __flush_work+0x103/0xa10
[ 68.942971][ T5067]  ? __flush_work+0xfa/0xa10
[ 68.947569][ T5067]  ? cancel_delayed_work+0x20/0x20
[ 68.952712][ T5067]  hci_dev_close_sync+0x22d/0x1160
[ 68.957828][ T5067]  ? find_held_lock+0x2d/0x110
[ 68.962599][ T5067]  ? hci_reset_sync+0x50/0x50
[ 68.967278][ T5067]  ? reacquire_held_locks+0x4c0/0x4c0
[ 68.972659][ T5067]  hci_dev_do_close+0x2e/0x90
[ 68.977340][ T5067]  hci_rfkill_set_block+0x1b9/0x200
[ 68.982537][ T5067]  ? lockdep_hardirqs_on+0x7d/0x110
[ 68.987749][ T5067]  ? hci_power_on+0x670/0x670
[ 68.992425][ T5067]  rfkill_set_block+0x200/0x550
[ 68.997288][ T5067]  rfkill_fop_write+0x2d4/0x570
[ 69.002145][ T5067]  ? rfkill_register+0xb30/0xb30
[ 69.007089][ T5067]  ? bpf_lsm_inode_getsecurity+0x10/0x10
[ 69.012721][ T5067]  ? security_file_permission+0x94/0x100
[ 69.018448][ T5067]  vfs_write+0x2a4/0xdf0
[ 69.022689][ T5067]  ? rfkill_register+0xb30/0xb30
[ 69.027632][ T5067]  ? kernel_write+0x6c0/0x6c0
[ 69.032311][ T5067]  ? do_sys_openat2+0xb1/0x1e0
[ 69.037083][ T5067]  ? build_open_flags+0x690/0x690
[ 69.042115][ T5067]  ? find_held_lock+0x2d/0x110
[ 69.046890][ T5067]  ? __fget_light+0x1fc/0x260
[ 69.051567][ T5067]  ksys_write+0x1f0/0x250
[ 69.055897][ T5067]  ? __ia32_sys_read+0xb0/0xb0
[ 69.060669][ T5067]  __do_fast_syscall_32+0x62/0xe0
[ 69.065701][ T5067]  do_fast_syscall_32+0x33/0x70
[ 69.070557][ T5067]  entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 69.076891][ T5067] RIP: 0023:0xf7ebe579
[ 69.080956][ T5067] Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
[ 69.100562][ T5067] RSP: 002b:00000000ffdd1c8c EFLAGS: 00000246 ORIG_RAX: 0000000000000004
[ 69.108973][ T5067] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000080
[ 69.116941][ T5067] RDX: 0000000000000008 RSI: 0000000000000070 RDI: 0000000000000000
[ 69.124919][ T5067] RBP: 00000000ffdd1cf0 R08: 0000000000000000 R09: 0000000000000000
[ 69.132892][ T5067] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 69.140861][ T5067] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 69.148837][ T5067]