[ 60.242982][ T56] bridge0: port 1(bridge_slave_0) entered disabled state
[ 60.256062][ T56] device veth1_macvtap left promiscuous mode
[ 60.262515][ T56] device veth0_macvtap left promiscuous mode
[ 60.269021][ T56] device veth1_vlan left promiscuous mode
[ 60.275305][ T56] device veth0_vlan left promiscuous mode
[ 60.407160][ T56] team0 (unregistering): Port device team_slave_1 removed
[ 60.419429][ T56] team0 (unregistering): Port device team_slave_0 removed
[ 60.435942][ T56] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 60.449595][ T56] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 60.499443][ T56] bond0 (unregistering): Released all slaves
[ 76.298599][ T2222] cfg80211: failed to load regulatory.db
Warning: Permanently added '10.128.0.210' (ECDSA) to the list of known hosts.
2022/12/27 20:47:13 ignoring optional flag "sandboxArg"="0"
2022/12/27 20:47:14 parsed 1 programs
2022/12/27 20:47:14 executed programs: 0
[ 78.700226][ T4388] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 78.708339][ T4388] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 78.715885][ T4388] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 78.725259][ T4388] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 78.732971][ T4388] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 78.740383][ T4388] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 78.816592][ T5531] chnl_net:caif_netlink_parms(): no params data found
[ 78.857667][ T5531] bridge0: port 1(bridge_slave_0) entered blocking state
[ 78.864813][ T5531] bridge0: port 1(bridge_slave_0) entered disabled state
[ 78.872986][ T5531] device bridge_slave_0 entered promiscuous mode
[ 78.882103][ T5531] bridge0: port 2(bridge_slave_1) entered blocking state
[ 78.889914][ T5531] bridge0: port 2(bridge_slave_1) entered disabled state
[ 78.897813][ T5531] device bridge_slave_1 entered promiscuous mode
[ 78.919580][ T5531] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 78.930930][ T5531] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 78.955442][ T5531] team0: Port device team_slave_0 added
[ 78.962814][ T5531] team0: Port device team_slave_1 added
[ 78.981500][ T5531] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 78.988610][ T5531] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 79.015121][ T5531] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 79.028378][ T5531] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 79.038885][ T5531] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 79.065608][ T5531] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 79.092284][ T5531] device hsr_slave_0 entered promiscuous mode
[ 79.099085][ T5531] device hsr_slave_1 entered promiscuous mode
[ 79.161158][ T5531] bridge0: port 2(bridge_slave_1) entered blocking state
[ 79.168318][ T5531] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 79.175683][ T5531] bridge0: port 1(bridge_slave_0) entered blocking state
[ 79.182816][ T5531] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 79.222188][ T5531] 8021q: adding VLAN 0 to HW filter on device bond0
[ 79.234818][ T897] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 79.243053][ T897] bridge0: port 1(bridge_slave_0) entered disabled state
[ 79.251271][ T897] bridge0: port 2(bridge_slave_1) entered disabled state
[ 79.259481][ T897] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 79.273122][ T5531] 8021q: adding VLAN 0 to HW filter on device team0
[ 79.283429][ T2222] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 79.292441][ T2222] bridge0: port 1(bridge_slave_0) entered blocking state
[ 79.299601][ T2222] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 79.317152][ T897] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 79.325562][ T897] bridge0: port 2(bridge_slave_1) entered blocking state
[ 79.332888][ T897] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 79.344717][ T2222] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 79.360534][ T897] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 79.372644][ T5531] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 79.386821][ T5531] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 79.394957][ T5083] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 79.412630][ T2222] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 79.420454][ T2222] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 79.432728][ T5531] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 79.808761][ T5082] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 79.818700][ T5082] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 79.827239][ T5082] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 79.834899][ T5082] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 79.844156][ T5531] device veth0_vlan entered promiscuous mode
[ 79.856124][ T5531] device veth1_vlan entered promiscuous mode
[ 79.873519][ T5082] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 79.882009][ T5082] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 79.894082][ T5531] device veth0_macvtap entered promiscuous mode
[ 79.910028][ T5531] device veth1_macvtap entered promiscuous mode
[ 79.924854][ T5531] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 79.932294][ T5082] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 79.940422][ T5082] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 79.948958][ T5082] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 79.958163][ T5082] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 79.970191][ T5531] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 79.983336][ T2222] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 79.993096][ T2222] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 80.044829][ T56] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 80.062219][ T56] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 80.076491][ T46] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 80.079586][ T2222] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 80.084459][ T46] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 80.102456][ T5082] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 80.777109][ T5074] Bluetooth: hci0: command 0x0409 tx timeout
[ 80.969588][ T5552]
[ 80.971943][ T5552] ======================================================
[ 80.979378][ T5552] WARNING: possible circular locking dependency detected
[ 80.986606][ T5552] 6.1.0-syzkaller-12784-gc183e6c3ec34 #0 Not tainted
[ 80.993362][ T5552] ------------------------------------------------------
[ 81.000426][ T5552] syz-executor.0/5552 is trying to acquire lock:
[ 81.006822][ T5552] ffff88802bc9c130 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: rfcomm_sk_state_change+0x6d/0x3a0
[ 81.018387][ T5552]
[ 81.018387][ T5552] but task is already holding lock:
[ 81.025739][ T5552] ffff88806fd9a128 (&d->lock){+.+.}-{3:3}, at: __rfcomm_dlc_close+0x15d/0x890
[ 81.034781][ T5552]
[ 81.034781][ T5552] which lock already depends on the new lock.
[ 81.034781][ T5552]
[ 81.045178][ T5552]
[ 81.045178][ T5552] the existing dependency chain (in reverse order) is:
[ 81.054373][ T5552]
[ 81.054373][ T5552] -> #2 (&d->lock){+.+.}-{3:3}:
[ 81.061500][ T5552]        __mutex_lock+0x12f/0x1360
[ 81.066624][ T5552]        __rfcomm_dlc_close+0x15d/0x890
[ 81.072382][ T5552]        rfcomm_dlc_close+0x1e9/0x240
[ 81.077758][ T5552]        __rfcomm_sock_close+0x13c/0x250
[ 81.083409][ T5552]        rfcomm_sock_shutdown+0xd8/0x230
[ 81.089102][ T5552]        rfcomm_sock_release+0x68/0x140
[ 81.094644][ T5552]        __sock_release+0xcd/0x280
[ 81.099927][ T5552]        sock_close+0x1c/0x20
[ 81.104599][ T5552]        __fput+0x27c/0xa90
[ 81.109101][ T5552]        task_work_run+0x16f/0x270
[ 81.114203][ T5552]        get_signal+0x1c7/0x2450
[ 81.119133][ T5552]        arch_do_signal_or_restart+0x79/0x5c0
[ 81.125189][ T5552]        exit_to_user_mode_prepare+0x15f/0x250
[ 81.131337][ T5552]        syscall_exit_to_user_mode+0x1d/0x50
[ 81.137301][ T5552]        do_syscall_64+0x46/0xb0
[ 81.142491][ T5552]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 81.148975][ T5552]
[ 81.148975][ T5552] -> #1 (rfcomm_mutex){+.+.}-{3:3}:
[ 81.156368][ T5552]        __mutex_lock+0x12f/0x1360
[ 81.161580][ T5552]        rfcomm_dlc_open+0x93/0xa80
[ 81.166884][ T5552]        rfcomm_sock_connect+0x329/0x450
[ 81.172551][ T5552]        __sys_connect_file+0x153/0x1a0
[ 81.178294][ T5552]        __sys_connect+0x165/0x1a0
[ 81.183519][ T5552]        __x64_sys_connect+0x73/0xb0
[ 81.188819][ T5552]        do_syscall_64+0x39/0xb0
[ 81.193848][ T5552]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 81.200289][ T5552]
[ 81.200289][ T5552] -> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}:
[ 81.209919][ T5552]        __lock_acquire+0x2a43/0x56d0
[ 81.215293][ T5552]        lock_acquire+0x1e3/0x630
[ 81.220577][ T5552]        lock_sock_nested+0x3a/0xf0
[ 81.225871][ T5552]        rfcomm_sk_state_change+0x6d/0x3a0
[ 81.231944][ T5552]        __rfcomm_dlc_close+0x1b1/0x890
[ 81.237488][ T5552]        rfcomm_dlc_close+0x1e9/0x240
[ 81.242851][ T5552]        __rfcomm_sock_close+0x13c/0x250
[ 81.248474][ T5552]        rfcomm_sock_shutdown+0xd8/0x230
[ 81.254096][ T5552]        rfcomm_sock_release+0x68/0x140
[ 81.259652][ T5552]        __sock_release+0xcd/0x280
[ 81.264752][ T5552]        sock_close+0x1c/0x20
[ 81.269437][ T5552]        __fput+0x27c/0xa90
[ 81.273934][ T5552]        task_work_run+0x16f/0x270
[ 81.279064][ T5552]        get_signal+0x1c7/0x2450
[ 81.284002][ T5552]        arch_do_signal_or_restart+0x79/0x5c0
[ 81.290060][ T5552]        exit_to_user_mode_prepare+0x15f/0x250
[ 81.296210][ T5552]        syscall_exit_to_user_mode+0x1d/0x50
[ 81.302180][ T5552]        do_syscall_64+0x46/0xb0
[ 81.307113][ T5552]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 81.313525][ T5552]
[ 81.313525][ T5552] other info that might help us debug this:
[ 81.313525][ T5552]
[ 81.323738][ T5552] Chain exists of:
[ 81.323738][ T5552]   sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM --> rfcomm_mutex --> &d->lock
[ 81.323738][ T5552]
[ 81.337715][ T5552]  Possible unsafe locking scenario:
[ 81.337715][ T5552]
[ 81.345153][ T5552]        CPU0                    CPU1
[ 81.350500][ T5552]        ----                    ----
[ 81.355849][ T5552]   lock(&d->lock);
[ 81.359642][ T5552]                                lock(rfcomm_mutex);
[ 81.366409][ T5552]                                lock(&d->lock);
[ 81.372739][ T5552]   lock(sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM);
[ 81.379065][ T5552]
[ 81.379065][ T5552]  *** DEADLOCK ***
[ 81.379065][ T5552]
[ 81.387198][ T5552] 3 locks held by syz-executor.0/5552:
[ 81.392640][ T5552]  #0: ffff88806f832c10 (&sb->s_type->i_mutex_key#10){+.+.}-{3:3}, at: __sock_release+0x86/0x280
[ 81.403169][ T5552]  #1: ffffffff8e3141c8 (rfcomm_mutex){+.+.}-{3:3}, at: rfcomm_dlc_close+0x33/0x240
[ 81.412825][ T5552]  #2: ffff88806fd9a128 (&d->lock){+.+.}-{3:3}, at: __rfcomm_dlc_close+0x15d/0x890
[ 81.422123][ T5552]
[ 81.422123][ T5552] stack backtrace:
[ 81.427995][ T5552] CPU: 0 PID: 5552 Comm: syz-executor.0 Not tainted 6.1.0-syzkaller-12784-gc183e6c3ec34 #0
[ 81.437963][ T5552] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 81.448103][ T5552] Call Trace:
[ 81.451373][ T5552]
[ 81.454291][ T5552]  dump_stack_lvl+0xd1/0x138
[ 81.458880][ T5552]  check_noncircular+0x25f/0x2e0
[ 81.463805][ T5552]  ? __lock_acquire+0x2567/0x56d0
[ 81.468820][ T5552]  ? print_circular_bug+0x1e0/0x1e0
[ 81.474014][ T5552]  ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 81.480170][ T5552]  __lock_acquire+0x2a43/0x56d0
[ 81.485014][ T5552]  ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 81.490985][ T5552]  lock_acquire+0x1e3/0x630
[ 81.495476][ T5552]  ? rfcomm_sk_state_change+0x6d/0x3a0
[ 81.500936][ T5552]  ? lock_release+0x810/0x810
[ 81.505610][ T5552]  ? __rfcomm_dlc_close+0x15d/0x890
[ 81.510819][ T5552]  ? _raw_spin_unlock_irqrestore+0x54/0x70
[ 81.516628][ T5552]  ? mutex_lock_io_nested+0x11a0/0x11a0
[ 81.522202][ T5552]  ? _raw_spin_unlock_irqrestore+0x41/0x70
[ 81.528001][ T5552]  ? __timer_delete+0xe8/0x1b0
[ 81.532778][ T5552]  lock_sock_nested+0x3a/0xf0
[ 81.537534][ T5552]  ? rfcomm_sk_state_change+0x6d/0x3a0
[ 81.542989][ T5552]  rfcomm_sk_state_change+0x6d/0x3a0
[ 81.548356][ T5552]  __rfcomm_dlc_close+0x1b1/0x890
[ 81.553368][ T5552]  rfcomm_dlc_close+0x1e9/0x240
[ 81.558365][ T5552]  ? __sanitizer_cov_trace_switch+0x54/0x90
[ 81.564255][ T5552]  __rfcomm_sock_close+0x13c/0x250
[ 81.569357][ T5552]  ? lockdep_hardirqs_on+0x7d/0x100
[ 81.574646][ T5552]  rfcomm_sock_shutdown+0xd8/0x230
[ 81.579767][ T5552]  rfcomm_sock_release+0x68/0x140
[ 81.584795][ T5552]  __sock_release+0xcd/0x280
[ 81.589375][ T5552]  sock_close+0x1c/0x20
[ 81.593520][ T5552]  __fput+0x27c/0xa90
[ 81.597531][ T5552]  ? __sock_release+0x280/0x280
[ 81.602390][ T5552]  task_work_run+0x16f/0x270
[ 81.606995][ T5552]  ? task_work_cancel+0x30/0x30
[ 81.611930][ T5552]  ? rfcomm_sock_connect+0x159/0x450
[ 81.617294][ T5552]  get_signal+0x1c7/0x2450
[ 81.621717][ T5552]  ? task_work_func_match+0x40/0x40
[ 81.626913][ T5552]  ? exit_signals+0x8b0/0x8b0
[ 81.631630][ T5552]  ? rfcomm_sock_connect+0x15e/0x450
[ 81.637258][ T5552]  arch_do_signal_or_restart+0x79/0x5c0
[ 81.642821][ T5552]  ? get_sigframe_size+0x10/0x10
[ 81.647752][ T5552]  exit_to_user_mode_prepare+0x15f/0x250
[ 81.653563][ T5552]  syscall_exit_to_user_mode+0x1d/0x50
[ 81.659286][ T5552]  do_syscall_64+0x46/0xb0
[ 81.663708][ T5552]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 81.669608][ T5552] RIP: 0033:0x4665f9
[ 81.673499][ T5552] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 81.693550][ T5552] RSP: 002b:00007f7b0760c188 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 81.702233][ T5552] RAX: fffffffffffffffc RBX: 000000000056bf80 RCX: 00000000004665f9
[ 81.710281][ T5552] RDX: 0000000000000080 RSI: 0000000020000000 RDI: 0000000000000004
[ 81.718242][ T5552] RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000
[ 81.726205][ T5552] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
[ 81.734161][ T5552] R13: 00007fff7ac8d25f R14: 00007f7b0760c300 R15: 0000000000022000
[ 81.742127][ T5552]
[ 82.856406][ T4388] Bluetooth: hci0: command 0x041b tx timeout
2022/12/27 20:47:20 executed programs: 3
[ 84.936375][ T4388] Bluetooth: hci0: command 0x040f tx timeout
[ 87.016212][ T4388] Bluetooth: hci0: command 0x0419 tx timeout
2022/12/27 20:47:25 executed programs: 9
[ 89.096241][ T4388] Bluetooth: hci0: command 0x0405 tx timeout