Warning: Permanently added '10.128.0.188' (ED25519) to the list of known hosts.
[ 69.152930][ T5073] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 69.160717][ T5073] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 69.169007][ T5073] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 69.177259][ T5073] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 69.185243][ T5073] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 69.192564][ T5073] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
executing program
[ 69.314814][ T5069]
[ 69.317167][ T5069] ======================================================
[ 69.324187][ T5069] WARNING: possible circular locking dependency detected
[ 69.331204][ T5069] 6.7.0-rc5-syzkaller-00047-g5bd7ef53ffe5 #0 Not tainted
[ 69.338230][ T5069] ------------------------------------------------------
[ 69.345251][ T5069] syz-executor231/5069 is trying to acquire lock:
[ 69.351672][ T5069] ffff888075050e10 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}, at: __flush_work+0xfa/0xa10
[ 69.362162][ T5069]
[ 69.362162][ T5069] but task is already holding lock:
[ 69.369526][ T5069] ffff888075051108 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x26/0x90
[ 69.378692][ T5069]
[ 69.378692][ T5069] which lock already depends on the new lock.
[ 69.378692][ T5069]
[ 69.389091][ T5069]
[ 69.389091][ T5069] the existing dependency chain (in reverse order) is:
[ 69.398092][ T5069]
[ 69.398092][ T5069] -> #3 (&hdev->req_lock){+.+.}-{3:3}:
[ 69.405731][ T5069]        __mutex_lock+0x175/0x9d0
[ 69.410761][ T5069]        hci_dev_do_close+0x26/0x90
[ 69.415960][ T5069]        hci_rfkill_set_block+0x1b9/0x200
[ 69.421678][ T5069]        rfkill_set_block+0x200/0x550
[ 69.427047][ T5069]        rfkill_fop_write+0x2d4/0x570
[ 69.432425][ T5069]        vfs_write+0x2a4/0xdf0
[ 69.437185][ T5069]        ksys_write+0x1f0/0x250
[ 69.442029][ T5069]        __do_fast_syscall_32+0x62/0xe0
[ 69.447574][ T5069]        do_fast_syscall_32+0x33/0x70
[ 69.452952][ T5069]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 69.459803][ T5069]
[ 69.459803][ T5069] -> #2 (rfkill_global_mutex){+.+.}-{3:3}:
[ 69.467809][ T5069]        __mutex_lock+0x175/0x9d0
[ 69.472837][ T5069]        rfkill_register+0x3a/0xb30
[ 69.478041][ T5069]        hci_register_dev+0x43a/0xd40
[ 69.483410][ T5069]        __vhci_create_device+0x393/0x800
[ 69.489146][ T5069]        vhci_write+0x2c7/0x470
[ 69.494001][ T5069]        vfs_write+0x64f/0xdf0
[ 69.498758][ T5069]        ksys_write+0x12f/0x250
[ 69.503600][ T5069]        __do_fast_syscall_32+0x62/0xe0
[ 69.509143][ T5069]        do_fast_syscall_32+0x33/0x70
[ 69.514509][ T5069]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 69.521352][ T5069]
[ 69.521352][ T5069] -> #1 (&data->open_mutex){+.+.}-{3:3}:
[ 69.529175][ T5069]        __mutex_lock+0x175/0x9d0
[ 69.534204][ T5069]        vhci_send_frame+0x67/0xa0
[ 69.539312][ T5069]        hci_send_frame+0x220/0x470
[ 69.544502][ T5069]        hci_tx_work+0x1456/0x1e40
[ 69.549607][ T5069]        process_one_work+0x886/0x15d0
[ 69.555069][ T5069]        worker_thread+0x8b9/0x1290
[ 69.560266][ T5069]        kthread+0x2c6/0x3a0
[ 69.564851][ T5069]        ret_from_fork+0x45/0x80
[ 69.569786][ T5069]        ret_from_fork_asm+0x11/0x20
[ 69.575071][ T5069]
[ 69.575071][ T5069] -> #0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}:
[ 69.584272][ T5069]        __lock_acquire+0x2433/0x3b20
[ 69.589649][ T5069]        lock_acquire+0x1ae/0x520
[ 69.594673][ T5069]        __flush_work+0x103/0xa10
[ 69.599692][ T5069]        hci_dev_close_sync+0x22d/0x1160
[ 69.605318][ T5069]        hci_dev_do_close+0x2e/0x90
[ 69.610507][ T5069]        hci_rfkill_set_block+0x1b9/0x200
[ 69.616219][ T5069]        rfkill_set_block+0x200/0x550
[ 69.621588][ T5069]        rfkill_fop_write+0x2d4/0x570
[ 69.626953][ T5069]        vfs_write+0x2a4/0xdf0
[ 69.631706][ T5069]        ksys_write+0x1f0/0x250
[ 69.636545][ T5069]        __do_fast_syscall_32+0x62/0xe0
[ 69.642089][ T5069]        do_fast_syscall_32+0x33/0x70
[ 69.647455][ T5069]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 69.654297][ T5069]
[ 69.654297][ T5069] other info that might help us debug this:
[ 69.654297][ T5069]
[ 69.664511][ T5069] Chain exists of:
[ 69.664511][ T5069]   (work_completion)(&hdev->tx_work) --> rfkill_global_mutex --> &hdev->req_lock
[ 69.664511][ T5069]
[ 69.679447][ T5069]  Possible unsafe locking scenario:
[ 69.679447][ T5069]
[ 69.686878][ T5069]        CPU0                    CPU1
[ 69.692233][ T5069]        ----                    ----
[ 69.697580][ T5069]   lock(&hdev->req_lock);
[ 69.701987][ T5069]                                lock(rfkill_global_mutex);
[ 69.709256][ T5069]                                lock(&hdev->req_lock);
[ 69.716179][ T5069]   lock((work_completion)(&hdev->tx_work));
[ 69.722144][ T5069]
[ 69.722144][ T5069]  *** DEADLOCK ***
[ 69.722144][ T5069]
[ 69.730269][ T5069] 2 locks held by syz-executor231/5069:
[ 69.735800][ T5069]  #0: ffffffff8ef2db28 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0x16e/0x570
[ 69.745901][ T5069]  #1: ffff888075051108 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x26/0x90
[ 69.755470][ T5069]
[ 69.755470][ T5069] stack backtrace:
[ 69.761339][ T5069] CPU: 1 PID: 5069 Comm: syz-executor231 Not tainted 6.7.0-rc5-syzkaller-00047-g5bd7ef53ffe5 #0
[ 69.771741][ T5069] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
[ 69.781785][ T5069] Call Trace:
[ 69.785055][ T5069]
[ 69.787975][ T5069]  dump_stack_lvl+0xd9/0x1b0
[ 69.792564][ T5069]  check_noncircular+0x317/0x400
[ 69.797504][ T5069]  ? print_circular_bug+0x5c0/0x5c0
[ 69.802702][ T5069]  ? is_bpf_text_address+0x94/0x1a0
[ 69.807900][ T5069]  ? lockdep_lock+0xc6/0x200
[ 69.812488][ T5069]  ? hlock_class+0x130/0x130
[ 69.817077][ T5069]  __lock_acquire+0x2433/0x3b20
[ 69.821933][ T5069]  ? lockdep_hardirqs_on_prepare+0x420/0x420
[ 69.827915][ T5069]  ? save_trace+0x4e/0xb30
[ 69.832331][ T5069]  ? _find_first_zero_bit+0x94/0xb0
[ 69.837534][ T5069]  lock_acquire+0x1ae/0x520
[ 69.842038][ T5069]  ? __flush_work+0xfa/0xa10
[ 69.846629][ T5069]  ? lock_sync+0x190/0x190
[ 69.851048][ T5069]  ? __flush_work+0xfa/0xa10
[ 69.855637][ T5069]  __flush_work+0x103/0xa10
[ 69.860137][ T5069]  ? __flush_work+0xfa/0xa10
[ 69.864726][ T5069]  ? cancel_delayed_work+0x20/0x20
[ 69.869852][ T5069]  hci_dev_close_sync+0x22d/0x1160
[ 69.874969][ T5069]  ? find_held_lock+0x2d/0x110
[ 69.879732][ T5069]  ? hci_reset_sync+0x50/0x50
[ 69.884414][ T5069]  ? reacquire_held_locks+0x4c0/0x4c0
[ 69.889788][ T5069]  hci_dev_do_close+0x2e/0x90
[ 69.894460][ T5069]  hci_rfkill_set_block+0x1b9/0x200
[ 69.899653][ T5069]  ? lockdep_hardirqs_on+0x7d/0x110
[ 69.904854][ T5069]  ? hci_power_on+0x670/0x670
[ 69.909529][ T5069]  rfkill_set_block+0x200/0x550
[ 69.914382][ T5069]  rfkill_fop_write+0x2d4/0x570
[ 69.919231][ T5069]  ? rfkill_register+0xb30/0xb30
[ 69.924165][ T5069]  ? bpf_lsm_inode_killpriv+0x10/0x10
[ 69.929532][ T5069]  ? security_file_permission+0x94/0x100
[ 69.935165][ T5069]  vfs_write+0x2a4/0xdf0
[ 69.939399][ T5069]  ? rfkill_register+0xb30/0xb30
[ 69.944338][ T5069]  ? kernel_write+0x6c0/0x6c0
[ 69.949010][ T5069]  ? do_sys_openat2+0xb1/0x1e0
[ 69.953772][ T5069]  ? build_open_flags+0x690/0x690
[ 69.958804][ T5069]  ? find_held_lock+0x2d/0x110
[ 69.963571][ T5069]  ? __fget_light+0x1fc/0x260
[ 69.968241][ T5069]  ksys_write+0x1f0/0x250
[ 69.972563][ T5069]  ? __ia32_sys_read+0xb0/0xb0
[ 69.977324][ T5069]  __do_fast_syscall_32+0x62/0xe0
[ 69.982348][ T5069]  do_fast_syscall_32+0x33/0x70
[ 69.987199][ T5069]  entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 69.993526][ T5069] RIP: 0023:0xf7e92579
[ 69.997587][ T5069] Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
[ 70.017187][ T5069] RSP: 002b:00000000ffc1747c EFLAGS: 00000246 ORIG_RAX: 0000000000000004
[ 70.025594][ T5069] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000080
[ 70.033556][ T5069] RDX: 0000000000000008 RSI: 0000000000000070 RDI: 0000000000000000
[ 70.041514][ T5069] RBP: 00000000ffc174e0 R08: 0000000000000000 R09: 0000000000000000
[ 70.049477][ T5069] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 70.057439][ T5069] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 70.065494][ T5069]