DUID 00:04:d9:3a:76:1c:b4:63:be:bc:0b:c2:08:9c:83:36:98:31 forked to background, child pid 3180 [ 25.453488][ T3181] 8021q: adding VLAN 0 to HW filter on device bond0 [ 25.466885][ T3181] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.0.95' (ECDSA) to the list of known hosts. syzkaller login: [ 56.306246][ T3632] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 56.315357][ T3632] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 56.315820][ T3633] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1 [ 56.323450][ T3632] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 56.330613][ T3633] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 56.337885][ T3632] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9 [ 56.343931][ T3633] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 56.351054][ T3632] Bluetooth: hci5: unexpected cc 0x0c03 length: 249 > 1 [ 56.358053][ T3633] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1 [ 56.366504][ T3632] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 56.372674][ T3633] Bluetooth: hci5: unexpected cc 0x1003 length: 249 > 9 [ 56.379137][ T3632] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9 [ 56.386255][ T3633] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 56.392869][ T3632] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 56.407775][ T3633] Bluetooth: hci5: unexpected cc 0x1001 length: 249 > 9 [ 56.408277][ T3632] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9 [ 56.415013][ T3633] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 56.423443][ T3632] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9 [ 56.429660][ T3633] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 56.436070][ T3632] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4 [ 56.443167][ T3633] Bluetooth: hci5: unexpected cc 0x0c23 length: 249 > 4 [ 56.450641][ T3632] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 56.457696][ T3633] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3 [ 56.464365][ T3632] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3 [ 56.470691][ T3633] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 56.477564][ T3632] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4 [ 56.484915][ T3633] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 [ 56.491760][ T3632] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 56.498549][ T3633] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3 [ 56.506415][ T3632] Bluetooth: hci5: unexpected cc 0x0c25 length: 249 > 3 [ 56.513094][ T3633] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3 [ 56.520093][ T3632] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3 [ 56.526756][ T3624] Bluetooth: hci5: unexpected cc 0x0c38 length: 249 > 2 [ 56.534175][ T3632] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2 [ 56.548095][ T3632] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 56.552724][ T3624] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 executing program executing program executing program executing program executing program executing program [ 56.783979][ T3611] [ 56.786347][ T3611] ====================================================== [ 56.793369][ T3611] WARNING: possible circular locking dependency detected [ 56.800383][ T3611] 5.19.0-syzkaller-02972-g200e340f2196 #0 Not tainted [ 56.807143][ T3611] ------------------------------------------------------ [ 56.814160][ T3611] syz-executor227/3611 is trying to acquire lock: [ 56.820549][ T3611] ffff888017753130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_conn_del+0xfe/0x2f0 [ 56.830897][ T3611] [ 56.830897][ T3611] but task is already holding lock: [ 56.838252][ T3611] ffffffff8dd19aa8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0xb8/0x240 [ 56.847806][ T3611] [ 56.847806][ T3611] which lock already depends on the new lock. [ 56.847806][ T3611] [ 56.858202][ T3611] [ 56.858202][ T3611] the existing dependency chain (in reverse order) is: [ 56.867193][ T3611] [ 56.867193][ T3611] -> #2 (hci_cb_list_lock){+.+.}-{3:3}: [ 56.874916][ T3611] lock_acquire+0x1a7/0x400 [ 56.879942][ T3611] __mutex_lock_common+0x1de/0x26c0 [ 56.885658][ T3611] mutex_lock_nested+0x17/0x20 [ 56.890927][ T3611] hci_remote_features_evt+0x4dd/0xac0 [ 56.896893][ T3611] hci_event_packet+0x7d7/0x1020 [ 56.902333][ T3611] hci_rx_work+0x249/0x430 [ 56.907251][ T3611] process_one_work+0x81c/0xd10 [ 56.912609][ T3611] worker_thread+0xb14/0x1330 [ 56.917788][ T3611] kthread+0x266/0x300 [ 56.922365][ T3611] ret_from_fork+0x1f/0x30 [ 56.927296][ T3611] [ 56.927296][ T3611] -> #1 (&hdev->lock){+.+.}-{3:3}: [ 56.934583][ T3611] lock_acquire+0x1a7/0x400 [ 56.939679][ T3611] __mutex_lock_common+0x1de/0x26c0 [ 56.945476][ T3611] mutex_lock_nested+0x17/0x20 [ 56.950754][ T3611] sco_sock_connect+0x168/0x350 [ 56.956104][ T3611] __sys_connect+0x29b/0x2d0 [ 56.961195][ T3611] __x64_sys_connect+0x76/0x80 [ 56.966457][ T3611] do_syscall_64+0x2b/0x70 [ 56.971392][ T3611] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 56.977786][ T3611] [ 56.977786][ T3611] -> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}: [ 56.986891][ T3611] validate_chain+0x185c/0x65c0 [ 56.992258][ T3611] __lock_acquire+0x129a/0x1f80 [ 56.997610][ T3611] lock_acquire+0x1a7/0x400 [ 57.002615][ T3611] lock_sock_nested+0x44/0xf0 [ 57.007799][ T3611] sco_conn_del+0xfe/0x2f0 [ 57.012726][ T3611] hci_conn_hash_flush+0x112/0x240 [ 57.018362][ T3611] hci_dev_close_sync+0x6e9/0xcb0 [ 57.023887][ T3611] hci_unregister_dev+0x1be/0x470 [ 57.029427][ T3611] vhci_release+0x7f/0xd0 [ 57.034260][ T3611] __fput+0x3b9/0x820 [ 57.038756][ T3611] task_work_run+0x146/0x1c0 [ 57.043845][ T3611] do_exit+0x55e/0x20a0 [ 57.048501][ T3611] do_group_exit+0x23b/0x2f0 [ 57.053594][ T3611] __x64_sys_exit_group+0x3b/0x40 [ 57.059291][ T3611] do_syscall_64+0x2b/0x70 [ 57.064214][ T3611] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 57.070611][ T3611] [ 57.070611][ T3611] other info that might help us debug this: [ 57.070611][ T3611] [ 57.080824][ T3611] Chain exists of: [ 57.080824][ T3611] sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> &hdev->lock --> hci_cb_list_lock [ 57.080824][ T3611] [ 57.095158][ T3611] Possible unsafe locking scenario: [ 57.095158][ T3611] [ 57.102602][ T3611] CPU0 CPU1 [ 57.107946][ T3611] ---- ---- [ 57.113305][ T3611] lock(hci_cb_list_lock); [ 57.117791][ T3611] lock(&hdev->lock); [ 57.124356][ T3611] lock(hci_cb_list_lock); [ 57.131359][ T3611] lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO); [ 57.137325][ T3611] [ 57.137325][ T3611] *** DEADLOCK *** [ 57.137325][ T3611] [ 57.145448][ T3611] 3 locks held by syz-executor227/3611: [ 57.150970][ T3611] #0: ffff88814630d048 (&hdev->req_lock){+.+.}-{3:3}, at: hci_unregister_dev+0x1b6/0x470 [ 57.160862][ T3611] #1: ffff88814630c078 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_close_sync+0x3c6/0xcb0 [ 57.170420][ T3611] #2: ffffffff8dd19aa8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0xb8/0x240 [ 57.180396][ T3611] [ 57.180396][ T3611] stack backtrace: [ 57.186261][ T3611] CPU: 0 PID: 3611 Comm: syz-executor227 Not tainted 5.19.0-syzkaller-02972-g200e340f2196 #0 [ 57.196405][ T3611] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 [ 57.206458][ T3611] Call Trace: [ 57.209733][ T3611] [ 57.212658][ T3611] dump_stack_lvl+0x1e3/0x2cb [ 57.217348][ T3611] ? io_notif_register+0x5e7/0x5e7 [ 57.222449][ T3611] ? print_circular_bug+0x13e/0x1c0 [ 57.227639][ T3611] check_noncircular+0x2f7/0x3b0 [ 57.232563][ T3611] ? stack_trace_snprint+0xf0/0xf0 [ 57.237660][ T3611] ? add_chain_block+0x850/0x850 [ 57.242579][ T3611] ? lockdep_lock+0x11d/0x2a0 [ 57.247236][ T3611] ? lockdep_unlock+0x163/0x300 [ 57.252090][ T3611] ? lockdep_lock+0x2a0/0x2a0 [ 57.256750][ T3611] ? _find_first_zero_bit+0xe3/0x100 [ 57.262019][ T3611] validate_chain+0x185c/0x65c0 [ 57.266860][ T3611] ? reacquire_held_locks+0x680/0x680 [ 57.272237][ T3611] ? rcu_read_lock_sched_held+0x89/0x130 [ 57.277853][ T3611] ? reacquire_held_locks+0x680/0x680 [ 57.283207][ T3611] ? rcu_read_lock_sched_held+0x89/0x130 [ 57.288849][ T3611] ? __bpf_trace_rcu_stall_warning+0x10/0x10 [ 57.294825][ T3611] ? mark_lock+0x98/0x350 [ 57.299142][ T3611] ? mark_lock+0x98/0x350 [ 57.303453][ T3611] __lock_acquire+0x129a/0x1f80 [ 57.308303][ T3611] lock_acquire+0x1a7/0x400 [ 57.312801][ T3611] ? sco_conn_del+0xfe/0x2f0 [ 57.317386][ T3611] ? trace_lock_release+0x7a/0x190 [ 57.322499][ T3611] ? read_lock_is_recursive+0x10/0x10 [ 57.327857][ T3611] ? read_lock_is_recursive+0x10/0x10 [ 57.333213][ T3611] ? sco_conn_del+0xf4/0x2f0 [ 57.337908][ T3611] ? __lock_acquire+0x1f80/0x1f80 [ 57.342928][ T3611] ? do_raw_spin_lock+0x148/0x360 [ 57.347964][ T3611] lock_sock_nested+0x44/0xf0 [ 57.352634][ T3611] ? sco_conn_del+0xfe/0x2f0 [ 57.357211][ T3611] sco_conn_del+0xfe/0x2f0 [ 57.361636][ T3611] ? sco_connect_cfm+0x100/0x100 [ 57.366589][ T3611] hci_conn_hash_flush+0x112/0x240 [ 57.371695][ T3611] hci_dev_close_sync+0x6e9/0xcb0 [ 57.376716][ T3611] hci_unregister_dev+0x1be/0x470 [ 57.381737][ T3611] ? vhci_open+0x360/0x360 [ 57.386146][ T3611] vhci_release+0x7f/0xd0 [ 57.390470][ T3611] __fput+0x3b9/0x820 [ 57.394446][ T3611] task_work_run+0x146/0x1c0 [ 57.399024][ T3611] do_exit+0x55e/0x20a0 [ 57.403205][ T3611] ? mm_update_next_owner+0x6d0/0x6d0 [ 57.408581][ T3611] ? lockdep_hardirqs_on_prepare+0x448/0x7b0 [ 57.414566][ T3611] ? __ct_user_exit+0x81/0xe0 [ 57.419235][ T3611] do_group_exit+0x23b/0x2f0 [ 57.423810][ T3611] __x64_sys_exit_group+0x3b/0x40 [ 57.428825][ T3611] do_syscall_64+0x2b/0x70 [ 57.433227][ T3611] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 57.439102][ T3611] RIP: 0033:0x7f9a8c11d7e9 [ 57.443497][ T3611] Code: Unable to access opcode bytes at RIP 0x7f9a8c11d7bf. [ 57.450848][ T3611] RSP: 002b:00007ffee988ea38 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 57.459243][ T3611] RAX: ffffffffffffffda RBX: 00007f9a8c1a8450 RCX: 00007f9a8c11d7e9 [ 57.467196][ T3611] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 57.475147][ T3611] RBP: 0000000000000001 R08: ffffffffffffffb8 R09: 00007f9a8c1a6880 [ 57.483100][ T3611] R10: 0000000000000231 R11: 0000000000000246 R12: 00007f9a8c1a8450 [ 57.491068][ T3611] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 [ 57.499025][ T3611]