Warning: Permanently added '10.128.0.223' (ED25519) to the list of known hosts.
[ 69.386316][ T51] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 69.394384][ T51] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 69.402112][ T51] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 69.410596][ T51] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 69.418507][ T51] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 69.426312][ T51] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
executing program
[ 69.549243][ T5071]
[ 69.551617][ T5071] ======================================================
[ 69.558647][ T5071] WARNING: possible circular locking dependency detected
[ 69.565676][ T5071] 6.7.0-rc6-syzkaller-00010-g2cf4f94d8e86 #0 Not tainted
[ 69.572702][ T5071] ------------------------------------------------------
[ 69.579728][ T5071] syz-executor429/5071 is trying to acquire lock:
[ 69.586153][ T5071] ffff88807b3b8e10 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}, at: __flush_work+0xfa/0xa10
[ 69.596655][ T5071]
[ 69.596655][ T5071] but task is already holding lock:
[ 69.604026][ T5071] ffff88807b3b9108 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x26/0x90
[ 69.613213][ T5071]
[ 69.613213][ T5071] which lock already depends on the new lock.
[ 69.613213][ T5071]
[ 69.623628][ T5071]
[ 69.623628][ T5071] the existing dependency chain (in reverse order) is:
[ 69.632653][ T5071]
[ 69.632653][ T5071] -> #3 (&hdev->req_lock){+.+.}-{3:3}:
[ 69.640326][ T5071]        __mutex_lock+0x175/0x9d0
[ 69.645374][ T5071]        hci_dev_do_close+0x26/0x90
[ 69.650593][ T5071]        hci_rfkill_set_block+0x1b9/0x200
[ 69.656335][ T5071]        rfkill_set_block+0x200/0x550
[ 69.661734][ T5071]        rfkill_fop_write+0x2d4/0x570
[ 69.667130][ T5071]        vfs_write+0x2a4/0xdf0
[ 69.671915][ T5071]        ksys_write+0x1f0/0x250
[ 69.676781][ T5071]        __do_fast_syscall_32+0x62/0xe0
[ 69.682352][ T5071]        do_fast_syscall_32+0x33/0x70
[ 69.687757][ T5071]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 69.694639][ T5071]
[ 69.694639][ T5071] -> #2 (rfkill_global_mutex){+.+.}-{3:3}:
[ 69.702655][ T5071]        __mutex_lock+0x175/0x9d0
[ 69.707698][ T5071]        rfkill_register+0x3a/0xb30
[ 69.712921][ T5071]        hci_register_dev+0x43a/0xd40
[ 69.718319][ T5071]        __vhci_create_device+0x393/0x800
[ 69.724067][ T5071]        vhci_write+0x2c7/0x470
[ 69.728945][ T5071]        vfs_write+0x64f/0xdf0
[ 69.733726][ T5071]        ksys_write+0x12f/0x250
[ 69.738594][ T5071]        __do_fast_syscall_32+0x62/0xe0
[ 69.744166][ T5071]        do_fast_syscall_32+0x33/0x70
[ 69.749565][ T5071]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 69.756440][ T5071]
[ 69.756440][ T5071] -> #1 (&data->open_mutex){+.+.}-{3:3}:
[ 69.764283][ T5071]        __mutex_lock+0x175/0x9d0
[ 69.769324][ T5071]        vhci_send_frame+0x67/0xa0
[ 69.774466][ T5071]        hci_send_frame+0x220/0x470
[ 69.779690][ T5071]        hci_tx_work+0x1456/0x1e40
[ 69.784826][ T5071]        process_one_work+0x886/0x15d0
[ 69.790310][ T5071]        worker_thread+0x8b9/0x1290
[ 69.795537][ T5071]        kthread+0x2c6/0x3a0
[ 69.800149][ T5071]        ret_from_fork+0x45/0x80
[ 69.805115][ T5071]        ret_from_fork_asm+0x11/0x20
[ 69.810435][ T5071]
[ 69.810435][ T5071] -> #0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}:
[ 69.819671][ T5071]        __lock_acquire+0x2433/0x3b20
[ 69.825075][ T5071]        lock_acquire+0x1ae/0x520
[ 69.830129][ T5071]        __flush_work+0x103/0xa10
[ 69.835184][ T5071]        hci_dev_close_sync+0x22d/0x1160
[ 69.840836][ T5071]        hci_dev_do_close+0x2e/0x90
[ 69.846051][ T5071]        hci_rfkill_set_block+0x1b9/0x200
[ 69.851794][ T5071]        rfkill_set_block+0x200/0x550
[ 69.857189][ T5071]        rfkill_fop_write+0x2d4/0x570
[ 69.862591][ T5071]        vfs_write+0x2a4/0xdf0
[ 69.867367][ T5071]        ksys_write+0x1f0/0x250
[ 69.872235][ T5071]        __do_fast_syscall_32+0x62/0xe0
[ 69.877816][ T5071]        do_fast_syscall_32+0x33/0x70
[ 69.883210][ T5071]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 69.890091][ T5071]
[ 69.890091][ T5071] other info that might help us debug this:
[ 69.890091][ T5071]
[ 69.900326][ T5071] Chain exists of:
[ 69.900326][ T5071]   (work_completion)(&hdev->tx_work) --> rfkill_global_mutex --> &hdev->req_lock
[ 69.900326][ T5071]
[ 69.915299][ T5071]  Possible unsafe locking scenario:
[ 69.915299][ T5071]
[ 69.922755][ T5071]        CPU0                    CPU1
[ 69.928126][ T5071]        ----                    ----
[ 69.933497][ T5071]   lock(&hdev->req_lock);
[ 69.937925][ T5071]                                lock(rfkill_global_mutex);
[ 69.945220][ T5071]                                lock(&hdev->req_lock);
[ 69.952171][ T5071]   lock((work_completion)(&hdev->tx_work));
[ 69.958163][ T5071]
[ 69.958163][ T5071]  *** DEADLOCK ***
[ 69.958163][ T5071]
[ 69.966311][ T5071] 2 locks held by syz-executor429/5071:
[ 69.971883][ T5071]  #0: ffffffff8ef2caa8 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0x16e/0x570
[ 69.982110][ T5071]  #1: ffff88807b3b9108 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x26/0x90
[ 69.991726][ T5071]
[ 69.991726][ T5071] stack backtrace:
[ 69.997619][ T5071] CPU: 0 PID: 5071 Comm: syz-executor429 Not tainted 6.7.0-rc6-syzkaller-00010-g2cf4f94d8e86 #0
[ 70.008050][ T5071] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 70.018124][ T5071] Call Trace:
[ 70.021416][ T5071]
[ 70.024358][ T5071]  dump_stack_lvl+0xd9/0x1b0
[ 70.028972][ T5071]  check_noncircular+0x317/0x400
[ 70.033946][ T5071]  ? print_circular_bug+0x5c0/0x5c0
[ 70.039175][ T5071]  ? is_bpf_text_address+0x94/0x1a0
[ 70.044423][ T5071]  ? lockdep_lock+0xc6/0x200
[ 70.049045][ T5071]  ? hlock_class+0x130/0x130
[ 70.053663][ T5071]  __lock_acquire+0x2433/0x3b20
[ 70.058552][ T5071]  ? lockdep_hardirqs_on_prepare+0x420/0x420
[ 70.064563][ T5071]  ? save_trace+0x4e/0xb30
[ 70.069004][ T5071]  ? _find_first_zero_bit+0x94/0xb0
[ 70.074238][ T5071]  lock_acquire+0x1ae/0x520
[ 70.078770][ T5071]  ? __flush_work+0xfa/0xa10
[ 70.083389][ T5071]  ? lock_sync+0x190/0x190
[ 70.087841][ T5071]  ? __flush_work+0xfa/0xa10
[ 70.092461][ T5071]  __flush_work+0x103/0xa10
[ 70.096990][ T5071]  ? __flush_work+0xfa/0xa10
[ 70.101612][ T5071]  ? cancel_delayed_work+0x20/0x20
[ 70.106763][ T5071]  hci_dev_close_sync+0x22d/0x1160
[ 70.111900][ T5071]  ? find_held_lock+0x2d/0x110
[ 70.116694][ T5071]  ? hci_reset_sync+0x50/0x50
[ 70.121395][ T5071]  ? reacquire_held_locks+0x4c0/0x4c0
[ 70.126802][ T5071]  hci_dev_do_close+0x2e/0x90
[ 70.131500][ T5071]  hci_rfkill_set_block+0x1b9/0x200
[ 70.136718][ T5071]  ? lockdep_hardirqs_on+0x7d/0x110
[ 70.141953][ T5071]  ? hci_power_on+0x670/0x670
[ 70.146650][ T5071]  rfkill_set_block+0x200/0x550
[ 70.151531][ T5071]  rfkill_fop_write+0x2d4/0x570
[ 70.156429][ T5071]  ? rfkill_register+0xb30/0xb30
[ 70.161406][ T5071]  ? bpf_lsm_inode_remove_acl+0x10/0x10
[ 70.166972][ T5071]  ? security_file_permission+0x94/0x100
[ 70.172642][ T5071]  vfs_write+0x2a4/0xdf0
[ 70.176905][ T5071]  ? rfkill_register+0xb30/0xb30
[ 70.181872][ T5071]  ? kernel_write+0x6c0/0x6c0
[ 70.186572][ T5071]  ? do_sys_openat2+0xb1/0x1e0
[ 70.191372][ T5071]  ? build_open_flags+0x690/0x690
[ 70.196425][ T5071]  ? find_held_lock+0x2d/0x110
[ 70.201222][ T5071]  ? __fget_light+0x1fc/0x260
[ 70.205919][ T5071]  ksys_write+0x1f0/0x250
[ 70.210274][ T5071]  ? __ia32_sys_read+0xb0/0xb0
[ 70.215069][ T5071]  __do_fast_syscall_32+0x62/0xe0
[ 70.220122][ T5071]  do_fast_syscall_32+0x33/0x70
[ 70.225004][ T5071]  entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 70.231380][ T5071] RIP: 0023:0xf7e96579
[ 70.235458][ T5071] Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
[ 70.255085][ T5071] RSP: 002b:00000000ffd8f2dc EFLAGS: 00000246 ORIG_RAX: 0000000000000004
[ 70.263518][ T5071] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000080
[ 70.271505][ T5071] RDX: 0000000000000008 RSI: 0000000000000070 RDI: 0000000000000000
[ 70.279495][ T5071] RBP: 00000000ffd8f340 R08: 0000000000000000 R09: 0000000000000000
[ 70.287481][ T5071] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 70.295509][ T5071] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000
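The report above is the output of lockdep's check_noncircular(): the three recorded dependencies (#1 tx_work held while taking open_mutex, #2 open_mutex held while taking rfkill_global_mutex, #3 rfkill_global_mutex held while taking req_lock) already form a path, and the acquisition in #0 (hci_dev_close_sync flushing tx_work while req_lock is held) closes it into a cycle. The following C program is an added example, not code from this report, from the kernel or from lockdep: it is a simplified userspace model of that check. The lock names and the four edges are taken from the report; the adjacency-matrix graph, the depth-first search and the function names are this example's own assumptions, not lockdep's implementation.

```c
#include <stdio.h>
#include <string.h>

/* Lock classes named as in the lockdep report above. */
enum {
    LOCK_TX_WORK,       /* (work_completion)(&hdev->tx_work) */
    LOCK_OPEN_MUTEX,    /* &data->open_mutex (vhci) */
    LOCK_RFKILL_GLOBAL, /* rfkill_global_mutex */
    LOCK_REQ_LOCK,      /* &hdev->req_lock */
    NR_LOCKS
};

static const char *lock_name[NR_LOCKS] = {
    "(work_completion)(&hdev->tx_work)",
    "&data->open_mutex",
    "rfkill_global_mutex",
    "&hdev->req_lock",
};

/* dep[a][b] == 1 records "b was acquired while a was held" (a --> b).
 * A fixed matrix is a simplification of lockdep's per-class lists. */
static int dep[NR_LOCKS][NR_LOCKS];

void add_dependency(int held, int acquired)
{
    dep[held][acquired] = 1;
}

/* Depth-first walk from `from` over recorded edges looking for `target`.
 * On success `path` holds the lock chain from `from` to `target` and the
 * return value is its length; 0 means `target` is not reachable. */
static int find_path(int from, int target, int *visited, int *path, int depth)
{
    path[depth] = from;
    if (from == target)
        return depth + 1;
    visited[from] = 1;
    for (int next = 0; next < NR_LOCKS; next++) {
        if (!dep[from][next] || visited[next])
            continue;
        int n = find_path(next, target, visited, path, depth + 1);
        if (n)
            return n;
    }
    return 0;
}

/* Model of lockdep's check_noncircular(): before recording the new edge
 * held --> acquired, ask whether `acquired` already reaches `held`. If it
 * does, the new edge would close a cycle. Returns the number of locks in
 * the chain from `acquired` back to `held`, or 0 if there is none. */
int check_noncircular(int held, int acquired, int *cycle)
{
    int visited[NR_LOCKS] = {0};
    return find_path(acquired, held, visited, cycle, 0);
}

/* Replay the dependency chain from the report, oldest edge first, then
 * test the acquisition that produced the splat (#0). */
int replay_report(int *cycle)
{
    memset(dep, 0, sizeof(dep));
    /* #1: hci_tx_work -> vhci_send_frame takes open_mutex under tx_work */
    add_dependency(LOCK_TX_WORK, LOCK_OPEN_MUTEX);
    /* #2: vhci_write -> hci_register_dev -> rfkill_register under open_mutex */
    add_dependency(LOCK_OPEN_MUTEX, LOCK_RFKILL_GLOBAL);
    /* #3: rfkill_fop_write -> hci_dev_do_close takes req_lock under rfkill_global_mutex */
    add_dependency(LOCK_RFKILL_GLOBAL, LOCK_REQ_LOCK);
    /* #0: hci_dev_close_sync -> __flush_work(tx_work) while holding req_lock */
    return check_noncircular(LOCK_REQ_LOCK, LOCK_TX_WORK, cycle);
}

int main(void)
{
    int cycle[NR_LOCKS + 1];
    int n = replay_report(cycle);

    if (!n) {
        puts("no circular dependency");
        return 0;
    }
    puts("possible circular locking dependency detected, chain exists of:");
    for (int i = 0; i < n; i++)
        printf("  %s%s\n", lock_name[cycle[i]], i + 1 < n ? " -->" : "");
    printf("closed by acquiring %s while holding %s\n",
           lock_name[LOCK_TX_WORK], lock_name[LOCK_REQ_LOCK]);
    return 1;
}
```

The program prints the full four-lock chain (tx_work --> open_mutex --> rfkill_global_mutex --> req_lock); lockdep's "Chain exists of" line abbreviates the same cycle to three entries. Reversing the offending edge (taking req_lock while tx_work is flushed, rather than flushing tx_work under req_lock) yields no cycle, which is why the usual fix for this class of report is to drop req_lock before the flush or to move the flush out from under it.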