Warning: Permanently added '10.128.0.110' (ED25519) to the list of known hosts.
syzkaller login: [ 68.024906][ T5062] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 68.033143][ T5062] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 68.040983][ T5062] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 68.049115][ T5062] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 68.057251][ T5062] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 68.064470][ T5062] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
executing program
[ 68.182832][ T5060]
[ 68.185200][ T5060] ======================================================
[ 68.192222][ T5060] WARNING: possible circular locking dependency detected
[ 68.199243][ T5060] 6.7.0-rc5-syzkaller-00134-g3f7168591ebf #0 Not tainted
[ 68.206270][ T5060] ------------------------------------------------------
[ 68.213290][ T5060] syz-executor299/5060 is trying to acquire lock:
[ 68.219707][ T5060] ffff88801f828e10 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}, at: __flush_work+0xfa/0xa10
[ 68.230196][ T5060]
[ 68.230196][ T5060] but task is already holding lock:
[ 68.237566][ T5060] ffff88801f829108 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x26/0x90
[ 68.247095][ T5060]
[ 68.247095][ T5060] which lock already depends on the new lock.
[ 68.247095][ T5060]
[ 68.257502][ T5060]
[ 68.257502][ T5060] the existing dependency chain (in reverse order) is:
[ 68.266522][ T5060]
[ 68.266522][ T5060] -> #3 (&hdev->req_lock){+.+.}-{3:3}:
[ 68.274186][ T5060]        __mutex_lock+0x175/0x9d0
[ 68.279227][ T5060]        hci_dev_do_close+0x26/0x90
[ 68.284442][ T5060]        hci_rfkill_set_block+0x1b9/0x200
[ 68.290172][ T5060]        rfkill_set_block+0x200/0x550
[ 68.295546][ T5060]        rfkill_fop_write+0x2d4/0x570
[ 68.300919][ T5060]        vfs_write+0x2a4/0xdf0
[ 68.305678][ T5060]        ksys_write+0x1f0/0x250
[ 68.310525][ T5060]        __do_fast_syscall_32+0x62/0xe0
[ 68.316071][ T5060]        do_fast_syscall_32+0x33/0x70
[ 68.321448][ T5060]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 68.328300][ T5060]
[ 68.328300][ T5060] -> #2 (rfkill_global_mutex){+.+.}-{3:3}:
[ 68.336290][ T5060]        __mutex_lock+0x175/0x9d0
[ 68.341310][ T5060]        rfkill_register+0x3a/0xb30
[ 68.346508][ T5060]        hci_register_dev+0x43a/0xd40
[ 68.351880][ T5060]        __vhci_create_device+0x393/0x800
[ 68.357603][ T5060]        vhci_write+0x2c7/0x470
[ 68.362458][ T5060]        vfs_write+0x64f/0xdf0
[ 68.367389][ T5060]        ksys_write+0x12f/0x250
[ 68.372237][ T5060]        __do_fast_syscall_32+0x62/0xe0
[ 68.377786][ T5060]        do_fast_syscall_32+0x33/0x70
[ 68.383167][ T5060]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 68.390017][ T5060]
[ 68.390017][ T5060] -> #1 (&data->open_mutex){+.+.}-{3:3}:
[ 68.397836][ T5060]        __mutex_lock+0x175/0x9d0
[ 68.402857][ T5060]        vhci_send_frame+0x67/0xa0
[ 68.407972][ T5060]        hci_send_frame+0x220/0x470
[ 68.413171][ T5060]        hci_tx_work+0x1456/0x1e40
[ 68.418276][ T5060]        process_one_work+0x886/0x15d0
[ 68.423738][ T5060]        worker_thread+0x8b9/0x1290
[ 68.428948][ T5060]        kthread+0x2c6/0x3a0
[ 68.433554][ T5060]        ret_from_fork+0x45/0x80
[ 68.438502][ T5060]        ret_from_fork_asm+0x11/0x20
[ 68.443802][ T5060]
[ 68.443802][ T5060] -> #0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}:
[ 68.453012][ T5060]        __lock_acquire+0x2433/0x3b20
[ 68.458393][ T5060]        lock_acquire+0x1ae/0x520
[ 68.463509][ T5060]        __flush_work+0x103/0xa10
[ 68.468536][ T5060]        hci_dev_close_sync+0x22d/0x1160
[ 68.474168][ T5060]        hci_dev_do_close+0x2e/0x90
[ 68.479362][ T5060]        hci_rfkill_set_block+0x1b9/0x200
[ 68.485078][ T5060]        rfkill_set_block+0x200/0x550
[ 68.490458][ T5060]        rfkill_fop_write+0x2d4/0x570
[ 68.495832][ T5060]        vfs_write+0x2a4/0xdf0
[ 68.500593][ T5060]        ksys_write+0x1f0/0x250
[ 68.505441][ T5060]        __do_fast_syscall_32+0x62/0xe0
[ 68.510991][ T5060]        do_fast_syscall_32+0x33/0x70
[ 68.516365][ T5060]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 68.523215][ T5060]
[ 68.523215][ T5060] other info that might help us debug this:
[ 68.523215][ T5060]
[ 68.533432][ T5060] Chain exists of:
[ 68.533432][ T5060]   (work_completion)(&hdev->tx_work) --> rfkill_global_mutex --> &hdev->req_lock
[ 68.533432][ T5060]
[ 68.548374][ T5060]  Possible unsafe locking scenario:
[ 68.548374][ T5060]
[ 68.555814][ T5060]        CPU0                    CPU1
[ 68.561171][ T5060]        ----                    ----
[ 68.566526][ T5060]   lock(&hdev->req_lock);
[ 68.570936][ T5060]                                lock(rfkill_global_mutex);
[ 68.578216][ T5060]                                lock(&hdev->req_lock);
[ 68.585142][ T5060]   lock((work_completion)(&hdev->tx_work));
[ 68.591119][ T5060]
[ 68.591119][ T5060]  *** DEADLOCK ***
[ 68.591119][ T5060]
[ 68.599268][ T5060] 2 locks held by syz-executor299/5060:
[ 68.604802][ T5060]  #0: ffffffff8ef2dae8 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0x16e/0x570
[ 68.614903][ T5060]  #1: ffff88801f829108 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x26/0x90
[ 68.624483][ T5060]
[ 68.624483][ T5060] stack backtrace:
[ 68.630384][ T5060] CPU: 1 PID: 5060 Comm: syz-executor299 Not tainted 6.7.0-rc5-syzkaller-00134-g3f7168591ebf #0
[ 68.640792][ T5060] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 68.650842][ T5060] Call Trace:
[ 68.654122][ T5060]
[ 68.657051][ T5060]  dump_stack_lvl+0xd9/0x1b0
[ 68.661651][ T5060]  check_noncircular+0x317/0x400
[ 68.666598][ T5060]  ? print_circular_bug+0x5c0/0x5c0
[ 68.671805][ T5060]  ? is_bpf_text_address+0x94/0x1a0
[ 68.677008][ T5060]  ? lockdep_lock+0xc6/0x200
[ 68.681604][ T5060]  ? hlock_class+0x130/0x130
[ 68.686212][ T5060]  __lock_acquire+0x2433/0x3b20
[ 68.691073][ T5060]  ? lockdep_hardirqs_on_prepare+0x420/0x420
[ 68.697076][ T5060]  ? save_trace+0x4e/0xb30
[ 68.701513][ T5060]  ? _find_first_zero_bit+0x94/0xb0
[ 68.706731][ T5060]  lock_acquire+0x1ae/0x520
[ 68.711246][ T5060]  ? __flush_work+0xfa/0xa10
[ 68.715930][ T5060]  ? lock_sync+0x190/0x190
[ 68.720361][ T5060]  ? __flush_work+0xfa/0xa10
[ 68.724965][ T5060]  __flush_work+0x103/0xa10
[ 68.729481][ T5060]  ? __flush_work+0xfa/0xa10
[ 68.734078][ T5060]  ? cancel_delayed_work+0x20/0x20
[ 68.739209][ T5060]  hci_dev_close_sync+0x22d/0x1160
[ 68.744320][ T5060]  ? find_held_lock+0x2d/0x110
[ 68.749088][ T5060]  ? hci_reset_sync+0x50/0x50
[ 68.753767][ T5060]  ? reacquire_held_locks+0x4c0/0x4c0
[ 68.759150][ T5060]  hci_dev_do_close+0x2e/0x90
[ 68.763830][ T5060]  hci_rfkill_set_block+0x1b9/0x200
[ 68.769028][ T5060]  ? lockdep_hardirqs_on+0x7d/0x110
[ 68.774231][ T5060]  ? hci_power_on+0x670/0x670
[ 68.778907][ T5060]  rfkill_set_block+0x200/0x550
[ 68.783766][ T5060]  rfkill_fop_write+0x2d4/0x570
[ 68.788622][ T5060]  ? rfkill_register+0xb30/0xb30
[ 68.793561][ T5060]  ? bpf_lsm_inode_killpriv+0x10/0x10
[ 68.798931][ T5060]  ? security_file_permission+0x94/0x100
[ 68.804570][ T5060]  vfs_write+0x2a4/0xdf0
[ 68.808811][ T5060]  ? rfkill_register+0xb30/0xb30
[ 68.813752][ T5060]  ? kernel_write+0x6c0/0x6c0
[ 68.818429][ T5060]  ? do_sys_openat2+0xb1/0x1e0
[ 68.823199][ T5060]  ? build_open_flags+0x690/0x690
[ 68.828238][ T5060]  ? find_held_lock+0x2d/0x110
[ 68.833018][ T5060]  ? __fget_light+0x1fc/0x260
[ 68.837700][ T5060]  ksys_write+0x1f0/0x250
[ 68.842036][ T5060]  ? __ia32_sys_read+0xb0/0xb0
[ 68.846822][ T5060]  __do_fast_syscall_32+0x62/0xe0
[ 68.851864][ T5060]  do_fast_syscall_32+0x33/0x70
[ 68.856718][ T5060]  entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 68.863047][ T5060] RIP: 0023:0xf7ea9579
[ 68.867107][ T5060] Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
[ 68.886717][ T5060] RSP: 002b:00000000ffc6ccfc EFLAGS: 00000246 ORIG_RAX: 0000000000000004
[ 68.895141][ T5060] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000180
[ 68.903114][ T5060] RDX: 0000000000000008 RSI: 0000000000000070 RDI: 0000000000000000
[ 68.911081][ T5060] RBP: 00000000ffc6cd60 R08: 0000000000000000 R09: 0000000000000000
[ 68.919057][ T5060] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 68.927022][ T5060] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 68.934994][ T5060]