Warning: Permanently added '10.128.0.90' (ED25519) to the list of known hosts.
[   37.244179][ T4294] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   37.246922][ T4294] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   37.249197][ T4294] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   37.251795][ T4294] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   37.254361][ T4294] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[   37.256432][ T4294] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
executing program
[   37.356242][ T4294] BUG: sleeping function called from invalid context at net/core/sock.c:3490
[   37.358630][ T4294] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 4294, name: kworker/u5:2
[   37.361065][ T4294] preempt_count: 1, expected: 0
[   37.362419][ T4294] RCU nest depth: 0, expected: 0
[   37.363724][ T4294] 5 locks held by kworker/u5:2/4294:
[   37.365134][ T4294]  #0: ffff0000c6fd0938 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x6bc/0x1484
[   37.368124][ T4294]  #1: ffff800021117c20 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x6fc/0x1484
[   37.371213][ T4294]  #2: ffff0000d99d8078 (&hdev->lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0xe8/0x9b0
[   37.374148][ T4294]  #3: ffff0000c3147620 (&conn->lock#2){+.+.}-{2:2}, at: sco_connect_cfm+0x24c/0x8ec
[   37.376808][ T4294]  #4: ffff0000cdfdf130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x3d8/0x8ec
[   37.379790][ T4294] Preemption disabled at:
[   37.379800][ T4294] [] sco_connect_cfm+0x24c/0x8ec
[   37.382833][ T4294] CPU: 1 PID: 4294 Comm: kworker/u5:2 Not tainted 6.1.129-syzkaller #0
[   37.385071][ T4294] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[   37.387637][ T4294] Workqueue: hci0 hci_rx_work
[   37.388870][ T4294] Call trace:
[   37.389700][ T4294]  dump_backtrace+0x1c8/0x1f4
[   37.391002][ T4294]  show_stack+0x2c/0x3c
[   37.392195][ T4294]  dump_stack_lvl+0x108/0x170
[   37.393422][ T4294]  dump_stack+0x1c/0x58
[   37.394492][ T4294]  __might_resched+0x37c/0x4d8
[   37.395799][ T4294]  __might_sleep+0x90/0xe4
[   37.396960][ T4294]  lock_sock_nested+0x88/0x138
[   37.398204][ T4294]  sco_connect_cfm+0x3d8/0x8ec
[   37.399486][ T4294]  hci_sync_conn_complete_evt+0x4f0/0x9b0
[   37.401019][ T4294]  hci_event_packet+0x744/0x109c
[   37.402341][ T4294]  hci_rx_work+0x310/0xa84
[   37.403436][ T4294]  process_one_work+0x804/0x1484
[   37.404756][ T4294]  worker_thread+0x8e4/0xfec
[   37.406017][ T4294]  kthread+0x250/0x2d8
[   37.407120][ T4294]  ret_from_fork+0x10/0x20
[   37.716668][ T4291]
[   37.717355][ T4291] ======================================================
[   37.719226][ T4291] WARNING: possible circular locking dependency detected
[   37.721049][ T4291] 6.1.129-syzkaller #0 Tainted: G        W
[   37.722771][ T4291] ------------------------------------------------------
[   37.724585][ T4291] syz-executor143/4291 is trying to acquire lock:
[   37.726351][ T4291] ffff0000de91f130 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: bt_accept_dequeue+0xe8/0x530
[   37.728934][ T4291]
[   37.728934][ T4291] but task is already holding lock:
[   37.730826][ T4291] ffff0000cdfdf130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x60/0x2c0
[   37.733689][ T4291]
[   37.733689][ T4291] which lock already depends on the new lock.
[   37.733689][ T4291]
[   37.736427][ T4291]
[   37.736427][ T4291] the existing dependency chain (in reverse order) is:
[   37.738802][ T4291]
[   37.738802][ T4291] -> #2 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[   37.741269][ T4291]        lock_sock_nested+0x78/0x138
[   37.742596][ T4291]        sco_connect_cfm+0x3d8/0x8ec
[   37.744025][ T4291]        hci_sync_conn_complete_evt+0x4f0/0x9b0
[   37.745734][ T4291]        hci_event_packet+0x744/0x109c
[   37.747289][ T4291]        hci_rx_work+0x310/0xa84
[   37.748577][ T4291]        process_one_work+0x804/0x1484
[   37.750059][ T4291]        worker_thread+0x8e4/0xfec
[   37.751442][ T4291]        kthread+0x250/0x2d8
[   37.752597][ T4291]        ret_from_fork+0x10/0x20
[   37.753971][ T4291]
[   37.753971][ T4291] -> #1 (&conn->lock#2){+.+.}-{2:2}:
[   37.756062][ T4291]        _raw_spin_lock+0x54/0x6c
[   37.757398][ T4291]        sco_conn_del+0x1c4/0x4ac
[   37.758848][ T4291]        sco_disconn_cfm+0x38/0x70
[   37.760194][ T4291]        hci_conn_hash_flush+0x194/0x330
[   37.761700][ T4291]        hci_dev_close_sync+0x7e0/0xf1c
[   37.763245][ T4291]        hci_unregister_dev+0x200/0x4c4
[   37.764712][ T4291]        vhci_release+0x7c/0xcc
[   37.766066][ T4291]        __fput+0x1c8/0x7c8
[   37.767340][ T4291]        ____fput+0x20/0x30
[   37.768551][ T4291]        task_work_run+0x240/0x2f0
[   37.769864][ T4291]        do_exit+0x550/0x1a84
[   37.771087][ T4291]        do_group_exit+0x194/0x22c
[   37.772418][ T4291]        __wake_up_parent+0x0/0x60
[   37.773829][ T4291]        invoke_syscall+0x98/0x2bc
[   37.775290][ T4291]        el0_svc_common+0x138/0x258
[   37.776763][ T4291]        do_el0_svc+0x58/0x13c
[   37.778049][ T4291]        el0_svc+0x58/0x168
[   37.779230][ T4291]        el0t_64_sync_handler+0x84/0xf0
[   37.780700][ T4291]        el0t_64_sync+0x18c/0x190
[   37.782041][ T4291]
[   37.782041][ T4291] -> #0 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
[   37.784146][ T4291]        __lock_acquire+0x3338/0x7680
[   37.785581][ T4291]        lock_acquire+0x26c/0x7cc
[   37.786909][ T4291]        lock_sock_nested+0x78/0x138
[   37.788316][ T4291]        bt_accept_dequeue+0xe8/0x530
[   37.789800][ T4291]        __sco_sock_close+0xfc/0x7b0
[   37.791270][ T4291]        sco_sock_release+0xb4/0x2c0
[   37.792720][ T4291]        sock_close+0xb8/0x1fc
[   37.794088][ T4291]        __fput+0x1c8/0x7c8
[   37.795249][ T4291]        ____fput+0x20/0x30
[   37.796392][ T4291]        task_work_run+0x240/0x2f0
[   37.797813][ T4291]        do_exit+0x550/0x1a84
[   37.799096][ T4291]        do_group_exit+0x194/0x22c
[   37.800484][ T4291]        __wake_up_parent+0x0/0x60
[   37.801888][ T4291]        invoke_syscall+0x98/0x2bc
[   37.803325][ T4291]        el0_svc_common+0x138/0x258
[   37.804731][ T4291]        do_el0_svc+0x58/0x13c
[   37.806012][ T4291]        el0_svc+0x58/0x168
[   37.807145][ T4291]        el0t_64_sync_handler+0x84/0xf0
[   37.808684][ T4291]        el0t_64_sync+0x18c/0x190
[   37.809989][ T4291]
[   37.809989][ T4291] other info that might help us debug this:
[   37.809989][ T4291]
[   37.812809][ T4291] Chain exists of:
[   37.812809][ T4291]   sk_lock-AF_BLUETOOTH --> &conn->lock#2 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO
[   37.812809][ T4291]
[   37.816830][ T4291]  Possible unsafe locking scenario:
[   37.816830][ T4291]
[   37.818919][ T4291]        CPU0                    CPU1
[   37.820360][ T4291]        ----                    ----
[   37.821832][ T4291]   lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[   37.823557][ T4291]                                lock(&conn->lock#2);
[   37.825470][ T4291]                                lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[   37.827795][ T4291]   lock(sk_lock-AF_BLUETOOTH);
[   37.829248][ T4291]
[   37.829248][ T4291]  *** DEADLOCK ***
[   37.829248][ T4291]
[   37.831488][ T4291] 2 locks held by syz-executor143/4291:
[   37.833042][ T4291]  #0: ffff0000e1abee10 (&sb->s_type->i_mutex_key#11){+.+.}-{3:3}, at: sock_close+0x80/0x1fc
[   37.836047][ T4291]  #1: ffff0000cdfdf130 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x60/0x2c0
[   37.839109][ T4291]
[   37.839109][ T4291] stack backtrace:
[   37.840639][ T4291] CPU: 1 PID: 4291 Comm: syz-executor143 Tainted: G        W         6.1.129-syzkaller #0
[   37.843347][ T4291] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
[   37.846096][ T4291] Call trace:
[   37.846980][ T4291]  dump_backtrace+0x1c8/0x1f4
[   37.848496][ T4291]  show_stack+0x2c/0x3c
[   37.849602][ T4291]  dump_stack_lvl+0x108/0x170
[   37.851007][ T4291]  dump_stack+0x1c/0x58
[   37.852143][ T4291]  print_circular_bug+0x150/0x1b8
[   37.853512][ T4291]  check_noncircular+0x2cc/0x378
[   37.854898][ T4291]  __lock_acquire+0x3338/0x7680
[   37.856218][ T4291]  lock_acquire+0x26c/0x7cc
[   37.857503][ T4291]  lock_sock_nested+0x78/0x138
[   37.858751][ T4291]  bt_accept_dequeue+0xe8/0x530
[   37.860068][ T4291]  __sco_sock_close+0xfc/0x7b0
[   37.861383][ T4291]  sco_sock_release+0xb4/0x2c0
[   37.862650][ T4291]  sock_close+0xb8/0x1fc
[   37.863861][ T4291]  __fput+0x1c8/0x7c8
[   37.864913][ T4291]  ____fput+0x20/0x30
[   37.866068][ T4291]  task_work_run+0x240/0x2f0
[   37.867254][ T4291]  do_exit+0x550/0x1a84
[   37.868367][ T4291]  do_group_exit+0x194/0x22c
[   37.869579][ T4291]  __wake_up_parent+0x0/0x60
[   37.870769][ T4291]  invoke_syscall+0x98/0x2bc
[   37.872053][ T4291]  el0_svc_common+0x138/0x258
[   37.873321][ T4291]  do_el0_svc+0x58/0x13c
[   37.874481][ T4291]  el0_svc+0x58/0x168
[   37.875555][ T4291]  el0t_64_sync_handler+0x84/0xf0
[   37.876928][ T4291]  el0t_64_sync+0x18c/0x190