Warning: Permanently added '10.128.0.109' (ECDSA) to the list of known hosts.
[ 35.108761][ T4220] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 35.111726][ T4220] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 35.114328][ T4220] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 35.117041][ T4220] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 35.119452][ T4220] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 35.122040][ T4220] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
executing program
[ 35.160430][ T4220]
[ 35.161149][ T4220] =====================================
[ 35.162695][ T4220] WARNING: bad unlock balance detected!
[ 35.164223][ T4220] 6.1.26-syzkaller #0 Not tainted
[ 35.165520][ T4220] -------------------------------------
[ 35.166961][ T4220] kworker/u5:1/4220 is trying to release lock (&conn->chan_lock) at:
[ 35.169167][ T4220] [] l2cap_disconnect_rsp+0x210/0x30c
[ 35.170955][ T4220] but there are no more locks to release!
[ 35.172513][ T4220]
[ 35.172513][ T4220] other info that might help us debug this:
[ 35.174673][ T4220] 2 locks held by kworker/u5:1/4220:
[ 35.176099][ T4220] #0: ffff0000d5137938 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x664/0x1404
[ 35.178971][ T4220] #1: ffff80001dd67c20 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x6a8/0x1404
[ 35.182061][ T4220]
[ 35.182061][ T4220] stack backtrace:
[ 35.183620][ T4220] CPU: 0 PID: 4220 Comm: kworker/u5:1 Not tainted 6.1.26-syzkaller #0
[ 35.185842][ T4220] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023
[ 35.188564][ T4220] Workqueue: hci0 hci_rx_work
[ 35.189819][ T4220] Call trace:
[ 35.190746][ T4220] dump_backtrace+0x1c8/0x1f4
[ 35.191987][ T4220] show_stack+0x2c/0x3c
[ 35.193161][ T4220] dump_stack_lvl+0x108/0x170
[ 35.194456][ T4220] dump_stack+0x1c/0x5c
[ 35.195586][ T4220] print_unlock_imbalance_bug+0x250/0x2a4
[ 35.197154][ T4220] lock_release+0x4dc/0xa50
[ 35.198353][ T4220] __mutex_unlock_slowpath+0xe0/0x6cc
[ 35.199796][ T4220] mutex_unlock+0x24/0x30
[ 35.200987][ T4220] l2cap_disconnect_rsp+0x210/0x30c
[ 35.202392][ T4220] l2cap_recv_frame+0x18b4/0x6a14
[ 35.203788][ T4220] l2cap_recv_acldata+0x4f4/0x163c
[ 35.205196][ T4220] hci_rx_work+0x2cc/0x8b8
[ 35.206372][ T4220] process_one_work+0x7ac/0x1404
[ 35.207681][ T4220] worker_thread+0x8e4/0xfec
[ 35.208900][ T4220] kthread+0x250/0x2d8
[ 35.210014][ T4220] ret_from_fork+0x10/0x20