Warning: Permanently added '10.128.1.136' (ED25519) to the list of known hosts.
[ 69.988118][ T5072] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 69.996022][ T5072] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 70.003456][ T5072] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 70.012495][ T5072] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 70.020093][ T5072] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 70.027696][ T5072] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
executing program
[ 70.145011][ T5070]
[ 70.147380][ T5070] ======================================================
[ 70.154400][ T5070] WARNING: possible circular locking dependency detected
[ 70.161428][ T5070] 6.7.0-rc6-syzkaller-00010-g2cf4f94d8e86 #0 Not tainted
[ 70.168466][ T5070] ------------------------------------------------------
[ 70.175497][ T5070] syz-executor117/5070 is trying to acquire lock:
[ 70.181931][ T5070] ffff888016398e10 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}, at: __flush_work+0xfa/0xa10
[ 70.192433][ T5070]
[ 70.192433][ T5070] but task is already holding lock:
[ 70.199799][ T5070] ffff888016399108 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x26/0x90
[ 70.208986][ T5070]
[ 70.208986][ T5070] which lock already depends on the new lock.
[ 70.208986][ T5070]
[ 70.219490][ T5070]
[ 70.219490][ T5070] the existing dependency chain (in reverse order) is:
[ 70.228506][ T5070]
[ 70.228506][ T5070] -> #3 (&hdev->req_lock){+.+.}-{3:3}:
[ 70.236168][ T5070]        __mutex_lock+0x175/0x9d0
[ 70.241207][ T5070]        hci_dev_do_close+0x26/0x90
[ 70.246595][ T5070]        hci_rfkill_set_block+0x1b9/0x200
[ 70.252338][ T5070]        rfkill_set_block+0x200/0x550
[ 70.257737][ T5070]        rfkill_fop_write+0x2d4/0x570
[ 70.263124][ T5070]        vfs_write+0x2a4/0xdf0
[ 70.267906][ T5070]        ksys_write+0x1f0/0x250
[ 70.272757][ T5070]        __do_fast_syscall_32+0x62/0xe0
[ 70.278318][ T5070]        do_fast_syscall_32+0x33/0x70
[ 70.283695][ T5070]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 70.290557][ T5070]
[ 70.290557][ T5070] -> #2 (rfkill_global_mutex){+.+.}-{3:3}:
[ 70.298563][ T5070]        __mutex_lock+0x175/0x9d0
[ 70.303845][ T5070]        rfkill_register+0x3a/0xb30
[ 70.309053][ T5070]        hci_register_dev+0x43a/0xd40
[ 70.314423][ T5070]        __vhci_create_device+0x393/0x800
[ 70.320151][ T5070]        vhci_write+0x2c7/0x470
[ 70.325003][ T5070]        vfs_write+0x64f/0xdf0
[ 70.329762][ T5070]        ksys_write+0x12f/0x250
[ 70.334606][ T5070]        __do_fast_syscall_32+0x62/0xe0
[ 70.340156][ T5070]        do_fast_syscall_32+0x33/0x70
[ 70.345531][ T5070]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 70.352382][ T5070]
[ 70.352382][ T5070] -> #1 (&data->open_mutex){+.+.}-{3:3}:
[ 70.360205][ T5070]        __mutex_lock+0x175/0x9d0
[ 70.365226][ T5070]        vhci_send_frame+0x67/0xa0
[ 70.370342][ T5070]        hci_send_frame+0x220/0x470
[ 70.375539][ T5070]        hci_tx_work+0x1456/0x1e40
[ 70.381252][ T5070]        process_one_work+0x886/0x15d0
[ 70.386714][ T5070]        worker_thread+0x8b9/0x1290
[ 70.391920][ T5070]        kthread+0x2c6/0x3a0
[ 70.396517][ T5070]        ret_from_fork+0x45/0x80
[ 70.401626][ T5070]        ret_from_fork_asm+0x11/0x20
[ 70.406915][ T5070]
[ 70.406915][ T5070] -> #0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}:
[ 70.416128][ T5070]        __lock_acquire+0x2433/0x3b20
[ 70.421506][ T5070]        lock_acquire+0x1ae/0x520
[ 70.426536][ T5070]        __flush_work+0x103/0xa10
[ 70.431561][ T5070]        hci_dev_close_sync+0x22d/0x1160
[ 70.437201][ T5070]        hci_dev_do_close+0x2e/0x90
[ 70.442402][ T5070]        hci_rfkill_set_block+0x1b9/0x200
[ 70.448119][ T5070]        rfkill_set_block+0x200/0x550
[ 70.453493][ T5070]        rfkill_fop_write+0x2d4/0x570
[ 70.458870][ T5070]        vfs_write+0x2a4/0xdf0
[ 70.463629][ T5070]        ksys_write+0x1f0/0x250
[ 70.468475][ T5070]        __do_fast_syscall_32+0x62/0xe0
[ 70.474025][ T5070]        do_fast_syscall_32+0x33/0x70
[ 70.479398][ T5070]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 70.486247][ T5070]
[ 70.486247][ T5070] other info that might help us debug this:
[ 70.486247][ T5070]
[ 70.496462][ T5070] Chain exists of:
[ 70.496462][ T5070]   (work_completion)(&hdev->tx_work) --> rfkill_global_mutex --> &hdev->req_lock
[ 70.496462][ T5070]
[ 70.511408][ T5070]  Possible unsafe locking scenario:
[ 70.511408][ T5070]
[ 70.518846][ T5070]        CPU0                    CPU1
[ 70.524206][ T5070]        ----                    ----
[ 70.529558][ T5070]   lock(&hdev->req_lock);
[ 70.533966][ T5070]                                lock(rfkill_global_mutex);
[ 70.541244][ T5070]                                lock(&hdev->req_lock);
[ 70.548172][ T5070]   lock((work_completion)(&hdev->tx_work));
[ 70.554144][ T5070]
[ 70.554144][ T5070]  *** DEADLOCK ***
[ 70.554144][ T5070]
[ 70.562274][ T5070] 2 locks held by syz-executor117/5070:
[ 70.567809][ T5070]  #0: ffffffff8ef2caa8 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0x16e/0x570
[ 70.577917][ T5070]  #1: ffff888016399108 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x26/0x90
[ 70.587493][ T5070]
[ 70.587493][ T5070] stack backtrace:
[ 70.593367][ T5070] CPU: 0 PID: 5070 Comm: syz-executor117 Not tainted 6.7.0-rc6-syzkaller-00010-g2cf4f94d8e86 #0
[ 70.603773][ T5070] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 70.613819][ T5070] Call Trace:
[ 70.617097][ T5070]
[ 70.620037][ T5070]  dump_stack_lvl+0xd9/0x1b0
[ 70.624634][ T5070]  check_noncircular+0x317/0x400
[ 70.629580][ T5070]  ? print_circular_bug+0x5c0/0x5c0
[ 70.634783][ T5070]  ? is_bpf_text_address+0x94/0x1a0
[ 70.639989][ T5070]  ? lockdep_lock+0xc6/0x200
[ 70.644583][ T5070]  ? hlock_class+0x130/0x130
[ 70.649266][ T5070]  __lock_acquire+0x2433/0x3b20
[ 70.654133][ T5070]  ? lockdep_hardirqs_on_prepare+0x420/0x420
[ 70.660123][ T5070]  ? save_trace+0x4e/0xb30
[ 70.664542][ T5070]  ? _find_first_zero_bit+0x94/0xb0
[ 70.669754][ T5070]  lock_acquire+0x1ae/0x520
[ 70.674267][ T5070]  ? __flush_work+0xfa/0xa10
[ 70.678863][ T5070]  ? lock_sync+0x190/0x190
[ 70.683300][ T5070]  ? __flush_work+0xfa/0xa10
[ 70.687895][ T5070]  __flush_work+0x103/0xa10
[ 70.692408][ T5070]  ? __flush_work+0xfa/0xa10
[ 70.697003][ T5070]  ? cancel_delayed_work+0x20/0x20
[ 70.702147][ T5070]  hci_dev_close_sync+0x22d/0x1160
[ 70.707262][ T5070]  ? find_held_lock+0x2d/0x110
[ 70.712045][ T5070]  ? hci_reset_sync+0x50/0x50
[ 70.716723][ T5070]  ? reacquire_held_locks+0x4c0/0x4c0
[ 70.722114][ T5070]  hci_dev_do_close+0x2e/0x90
[ 70.726793][ T5070]  hci_rfkill_set_block+0x1b9/0x200
[ 70.732000][ T5070]  ? lockdep_hardirqs_on+0x7d/0x110
[ 70.737208][ T5070]  ? hci_power_on+0x670/0x670
[ 70.741974][ T5070]  rfkill_set_block+0x200/0x550
[ 70.746838][ T5070]  rfkill_fop_write+0x2d4/0x570
[ 70.751706][ T5070]  ? rfkill_register+0xb30/0xb30
[ 70.756714][ T5070]  ? bpf_lsm_inode_remove_acl+0x10/0x10
[ 70.762267][ T5070]  ? security_file_permission+0x94/0x100
[ 70.767911][ T5070]  vfs_write+0x2a4/0xdf0
[ 70.772156][ T5070]  ? rfkill_register+0xb30/0xb30
[ 70.777124][ T5070]  ? kernel_write+0x6c0/0x6c0
[ 70.781801][ T5070]  ? do_sys_openat2+0xb1/0x1e0
[ 70.786579][ T5070]  ? build_open_flags+0x690/0x690
[ 70.791615][ T5070]  ? find_held_lock+0x2d/0x110
[ 70.796389][ T5070]  ? __fget_light+0x1fc/0x260
[ 70.801077][ T5070]  ksys_write+0x1f0/0x250
[ 70.805409][ T5070]  ? __ia32_sys_read+0xb0/0xb0
[ 70.810179][ T5070]  __do_fast_syscall_32+0x62/0xe0
[ 70.815214][ T5070]  do_fast_syscall_32+0x33/0x70
[ 70.820072][ T5070]  entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 70.826407][ T5070] RIP: 0023:0xf7ea3579
[ 70.830474][ T5070] Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
[ 70.850084][ T5070] RSP: 002b:00000000ffa2e38c EFLAGS: 00000246 ORIG_RAX: 0000000000000004
[ 70.858497][ T5070] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000080
[ 70.866467][ T5070] RDX: 0000000000000008 RSI: 0000000000000070 RDI: 0000000000000000
[ 70.874441][ T5070] RBP: 00000000ffa2e3f0 R08: 0000000000000000 R09: 0000000000000000
[ 70.882409][ T5070] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 70.890375][ T5070] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[