Warning: Permanently added '10.128.1.66' (ED25519) to the list of known hosts.
[ 59.300074][ T3548] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 59.308656][ T3548] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 59.316432][ T3548] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 59.324326][ T3548] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 59.332016][ T3548] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 59.340141][ T3546] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
executing program
[ 59.400064][ T3544] input: syz1 as /devices/virtual/input/input5
[ 59.486531][ T7]
[ 59.488902][ T7] ======================================================
[ 59.495951][ T7] WARNING: possible circular locking dependency detected
[ 59.502982][ T7] 6.1.60-syzkaller #0 Not tainted
[ 59.508000][ T7] ------------------------------------------------------
[ 59.515009][ T7] kworker/0:0/7 is trying to acquire lock:
[ 59.520808][ T7] ffff888073b810b8 (&hdev->req_lock){+.+.}-{3:3}, at: hci_rfkill_set_block+0x129/0x200
[ 59.530515][ T7]
[ 59.530515][ T7] but task is already holding lock:
[ 59.537870][ T7] ffffffff8e543da8 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_epo+0x47/0x180
[ 59.546921][ T7]
[ 59.546921][ T7] which lock already depends on the new lock.
[ 59.546921][ T7]
[ 59.557322][ T7]
[ 59.557322][ T7] the existing dependency chain (in reverse order) is:
[ 59.566330][ T7]
[ 59.566330][ T7] -> #3 (rfkill_global_mutex){+.+.}-{3:3}:
[ 59.574323][ T7]        lock_acquire+0x1f8/0x5a0
[ 59.579357][ T7]        __mutex_lock+0x132/0xd80
[ 59.584388][ T7]        rfkill_register+0x30/0x880
[ 59.589589][ T7]        hci_register_dev+0x4df/0xa40
[ 59.594965][ T7]        vhci_create_device+0x3ba/0x6f0
[ 59.600508][ T7]        vhci_write+0x38b/0x440
[ 59.605354][ T7]        vfs_write+0x7ae/0xba0
[ 59.610123][ T7]        ksys_write+0x19c/0x2c0
[ 59.614982][ T7]        do_syscall_64+0x3d/0xb0
[ 59.619925][ T7]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 59.626352][ T7]
[ 59.626352][ T7] -> #2 (&data->open_mutex){+.+.}-{3:3}:
[ 59.634172][ T7]        lock_acquire+0x1f8/0x5a0
[ 59.639203][ T7]        __mutex_lock+0x132/0xd80
[ 59.644233][ T7]        vhci_send_frame+0x8a/0xf0
[ 59.649345][ T7]        hci_send_frame+0x1ef/0x370
[ 59.654549][ T7]        hci_tx_work+0xec8/0x1ec0
[ 59.659592][ T7]        process_one_work+0x8a9/0x11d0
[ 59.665054][ T7]        worker_thread+0xa47/0x1200
[ 59.670262][ T7]        kthread+0x28d/0x320
[ 59.674859][ T7]        ret_from_fork+0x1f/0x30
[ 59.679802][ T7]
[ 59.679802][ T7] -> #1 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}:
[ 59.689007][ T7]        lock_acquire+0x1f8/0x5a0
[ 59.694033][ T7]        __flush_work+0xfe/0xad0
[ 59.698985][ T7]        hci_dev_close_sync+0x233/0xfc0
[ 59.704531][ T7]        hci_unregister_dev+0x1df/0x4d0
[ 59.710081][ T7]        vhci_release+0x7f/0xd0
[ 59.714931][ T7]        __fput+0x3b7/0x890
[ 59.719435][ T7]        task_work_run+0x246/0x300
[ 59.724551][ T7]        do_exit+0xa73/0x26a0
[ 59.729230][ T7]        do_group_exit+0x202/0x2b0
[ 59.734344][ T7]        __x64_sys_exit_group+0x3b/0x40
[ 59.739891][ T7]        do_syscall_64+0x3d/0xb0
[ 59.744831][ T7]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 59.751247][ T7]
[ 59.751247][ T7] -> #0 (&hdev->req_lock){+.+.}-{3:3}:
[ 59.758890][ T7]        validate_chain+0x1667/0x58e0
[ 59.764271][ T7]        __lock_acquire+0x125b/0x1f80
[ 59.769648][ T7]        lock_acquire+0x1f8/0x5a0
[ 59.774676][ T7]        __mutex_lock+0x132/0xd80
[ 59.779703][ T7]        hci_rfkill_set_block+0x129/0x200
[ 59.785429][ T7]        rfkill_set_block+0x1e7/0x430
[ 59.790798][ T7]        rfkill_epo+0x7c/0x180
[ 59.795565][ T7]        rfkill_op_handler+0x7e/0x260
[ 59.800942][ T7]        process_one_work+0x8a9/0x11d0
[ 59.806397][ T7]        worker_thread+0xa47/0x1200
[ 59.811608][ T7]        kthread+0x28d/0x320
[ 59.816204][ T7]        ret_from_fork+0x1f/0x30
[ 59.821155][ T7]
[ 59.821155][ T7] other info that might help us debug this:
[ 59.821155][ T7]
[ 59.831375][ T7] Chain exists of:
[ 59.831375][ T7]   &hdev->req_lock --> &data->open_mutex --> rfkill_global_mutex
[ 59.831375][ T7]
[ 59.844939][ T7]  Possible unsafe locking scenario:
[ 59.844939][ T7]
[ 59.852385][ T7]        CPU0                    CPU1
[ 59.857798][ T7]        ----                    ----
[ 59.863158][ T7]   lock(rfkill_global_mutex);
[ 59.867923][ T7]                                lock(&data->open_mutex);
[ 59.875033][ T7]                                lock(rfkill_global_mutex);
[ 59.882313][ T7]   lock(&hdev->req_lock);
[ 59.886731][ T7]
[ 59.886731][ T7]  *** DEADLOCK ***
[ 59.886731][ T7]
[ 59.894870][ T7] 3 locks held by kworker/0:0/7:
[ 59.899803][ T7]  #0: ffff888012470d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x7a9/0x11d0
[ 59.910168][ T7]  #1: ffffc900000c7d20 ((rfkill_op_work).work){+.+.}-{0:0}, at: process_one_work+0x7a9/0x11d0
[ 59.920548][ T7]  #2: ffffffff8e543da8 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_epo+0x47/0x180
[ 59.930037][ T7]
[ 59.930037][ T7] stack backtrace:
[ 59.935929][ T7] CPU: 0 PID: 7 Comm: kworker/0:0 Not tainted 6.1.60-syzkaller #0
[ 59.943731][ T7] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
[ 59.953782][ T7] Workqueue: events rfkill_op_handler
[ 59.959178][ T7] Call Trace:
[ 59.962456][ T7]
[ 59.965404][ T7]  dump_stack_lvl+0x1e3/0x2cb
[ 59.970113][ T7]  ? nf_tcp_handle_invalid+0x642/0x642
[ 59.975593][ T7]  ? print_circular_bug+0x12b/0x1a0
[ 59.980921][ T7]  check_noncircular+0x2fa/0x3b0
[ 59.985904][ T7]  ? add_chain_block+0x850/0x850
[ 59.990857][ T7]  ? lockdep_lock+0x11f/0x2a0
[ 59.995555][ T7]  ? validate_chain+0x115/0x58e0
[ 60.000525][ T7]  ? _find_first_zero_bit+0xd0/0x100
[ 60.005848][ T7]  validate_chain+0x1667/0x58e0
[ 60.010717][ T7]  ? preempt_count_add+0x8f/0x180
[ 60.015773][ T7]  ? validate_chain+0x115/0x58e0
[ 60.020719][ T7]  ? reacquire_held_locks+0x660/0x660
[ 60.026102][ T7]  ? stack_trace_save+0x1c0/0x1c0
[ 60.031131][ T7]  ? arch_stack_walk+0x10d/0x140
[ 60.036074][ T7]  ? reacquire_held_locks+0x660/0x660
[ 60.041455][ T7]  ? mark_lock+0x9a/0x340
[ 60.045795][ T7]  __lock_acquire+0x125b/0x1f80
[ 60.050665][ T7]  lock_acquire+0x1f8/0x5a0
[ 60.055175][ T7]  ? hci_rfkill_set_block+0x129/0x200
[ 60.060644][ T7]  ? read_lock_is_recursive+0x10/0x10
[ 60.066293][ T7]  ? __might_sleep+0xb0/0xb0
[ 60.070891][ T7]  __mutex_lock+0x132/0xd80
[ 60.075402][ T7]  ? hci_rfkill_set_block+0x129/0x200
[ 60.080785][ T7]  ? lockdep_hardirqs_on_prepare+0x438/0x7a0
[ 60.086780][ T7]  ? hci_rfkill_set_block+0x129/0x200
[ 60.092163][ T7]  ? print_irqtrace_events+0x210/0x210
[ 60.097629][ T7]  ? mutex_lock_nested+0x10/0x10
[ 60.102576][ T7]  ? do_raw_spin_unlock+0x137/0x8a0
[ 60.107776][ T7]  ? lockdep_hardirqs_on+0x94/0x130
[ 60.112986][ T7]  ? _raw_spin_unlock_irqrestore+0xd9/0x130
[ 60.118883][ T7]  ? _raw_spin_unlock+0x40/0x40
[ 60.123734][ T7]  ? kobject_uevent_env+0x54a/0x8c0
[ 60.128932][ T7]  hci_rfkill_set_block+0x129/0x200
[ 60.134161][ T7]  ? hci_req_cmd_complete+0x910/0x910
[ 60.139538][ T7]  rfkill_set_block+0x1e7/0x430
[ 60.144393][ T7]  rfkill_epo+0x7c/0x180
[ 60.148635][ T7]  ? process_one_work+0x7a9/0x11d0
[ 60.153753][ T7]  rfkill_op_handler+0x7e/0x260
[ 60.158610][ T7]  process_one_work+0x8a9/0x11d0
[ 60.163554][ T7]  ? worker_detach_from_pool+0x260/0x260
[ 60.169211][ T7]  ? _raw_spin_lock_irqsave+0x120/0x120
[ 60.174759][ T7]  ? kthread_data+0x4e/0xc0
[ 60.179286][ T7]  ? wq_worker_running+0x97/0x190
[ 60.184349][ T7]  worker_thread+0xa47/0x1200
[ 60.1