program:
r0 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
bind$bt_sco(r0, &(0x7f0000000040), 0x32)
add_key(&(0x7f00000001c0)='blacklist\x00', 0x0, 0x0, 0x0, 0xfffffffffffffffc)
listen(r0, 0x0)
syz_emit_vhci(&(0x7f0000000400)=ANY=[@ANYBLOB="0404"], 0xd)
syz_emit_vhci(&(0x7f00000047c0)=ANY=[@ANYBLOB="042c"], 0x14)
[ 68.820532][ T5307] Bluetooth: hci0: command tx timeout
[ 68.892086][ T5307] BUG: sleeping function called from invalid context at net/core/sock.c:3664
[ 68.896025][ T5307] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5307, name: kworker/u5:2
[ 68.900021][ T5307] preempt_count: 1, expected: 0
[ 68.902053][ T5307] RCU nest depth: 0, expected: 0
[ 68.904043][ T5307] 5 locks held by kworker/u5:2/5307:
[ 68.906132][ T5307] #0: ffff888045d27148 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_scheduled_works+0x98b/0x18e0
[ 68.910464][ T5307] #1: ffffc9000d527c60 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x9c6/0x18e0
[ 68.914707][ T5307] #2: ffff888051b90078 (&hdev->lock){+.+.}-{4:4}, at: hci_sync_conn_complete_evt+0x10d/0xb50
[ 68.918673][ T5307] #3: ffff888040562020 (&conn->lock#3){+.+.}-{3:3}, at: sco_connect_cfm+0x262/0xae0
[ 68.922643][ T5307] #4: ffff888053256258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x439/0xae0
[ 68.927113][ T5307] Preemption disabled at:
[ 68.927126][ T5307] [<0000000000000000>] 0x0
[ 68.932956][ T5307] CPU: 0 UID: 0 PID: 5307 Comm: kworker/u5:2 Not tainted 6.14.0-rc6-syzkaller-00007-g0b46b049d6ec #0
[ 68.932983][ T5307] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 68.932991][ T5307] Workqueue: hci0 hci_rx_work
[ 68.933030][ T5307] Call Trace:
[ 68.933041][ T5307]
[ 68.933046][ T5307] dump_stack_lvl+0x241/0x360
[ 68.933064][ T5307] ? __pfx_dump_stack_lvl+0x10/0x10
[ 68.933076][ T5307] ? __pfx__printk+0x10/0x10
[ 68.933095][ T5307] __might_resched+0x5d4/0x780
[ 68.933111][ T5307] ? __pfx_lock_acquire+0x10/0x10
[ 68.933131][ T5307] ? __pfx___might_resched+0x10/0x10
[ 68.933145][ T5307] ? __pfx_lock_release+0x10/0x10
[ 68.933158][ T5307] ? do_raw_spin_lock+0x14f/0x370
[ 68.933174][ T5307] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 68.933218][ T5307] lock_sock_nested+0x5d/0x100
[ 68.933239][ T5307] sco_connect_cfm+0x439/0xae0
[ 68.933257][ T5307] ? hci_cb_lookup+0x1b3/0x3c0
[ 68.933274][ T5307] ? __pfx_sco_connect_cfm+0x10/0x10
[ 68.933289][ T5307] ? hci_cb_lookup+0x3a0/0x3c0
[ 68.933303][ T5307] ? __pfx_sco_connect_cfm+0x10/0x10
[ 68.933318][ T5307] hci_sync_conn_complete_evt+0x6f1/0xb50
[ 68.933335][ T5307] ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[ 68.933352][ T5307] ? skb_pull_data+0x112/0x230
[ 68.933369][ T5307] hci_event_packet+0xac1/0x1540
[ 68.933384][ T5307] ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
[ 68.933401][ T5307] ? __pfx_hci_event_packet+0x10/0x10
[ 68.933413][ T5307] ? do_raw_spin_unlock+0x58/0x8b0
[ 68.933429][ T5307] ? kcov_remote_start+0x3e0/0x7d0
[ 68.933444][ T5307] ? insn_get_prefixes+0x630/0x1ac0
[ 68.933462][ T5307] ? hci_send_to_monitor+0xdc/0x530
[ 68.933480][ T5307] hci_rx_work+0x3f3/0xdb0
[ 68.933499][ T5307] ? process_scheduled_works+0x9c6/0x18e0
[ 68.933513][ T5307] process_scheduled_works+0xabe/0x18e0
[ 68.933545][ T5307] ? __pfx_process_scheduled_works+0x10/0x10
[ 68.933567][ T5307] ? assign_work+0x364/0x3d0
[ 68.933585][ T5307] worker_thread+0x870/0xd30
[ 68.933604][ T5307] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 68.933621][ T5307] ? __kthread_parkme+0x169/0x1d0
[ 68.933639][ T5307] ? __pfx_worker_thread+0x10/0x10
[ 68.933654][ T5307] kthread+0x7a9/0x920
[ 68.933679][ T5307] ? __pfx_kthread+0x10/0x10
[ 68.933697][ T5307] ? __pfx_worker_thread+0x10/0x10
[ 68.933711][ T5307] ? __pfx_kthread+0x10/0x10
[ 68.933734][ T5307] ? __pfx_kthread+0x10/0x10
[ 68.933755][ T5307] ? __pfx_kthread+0x10/0x10
[ 68.933770][ T5307] ? _raw_spin_unlock_irq+0x23/0x50
[ 68.933783][ T5307] ? lockdep_hardirqs_on+0x99/0x150
[ 68.933795][ T5307] ? __pfx_kthread+0x10/0x10
[ 68.933809][ T5307] ret_from_fork+0x4b/0x80
[ 68.933821][ T5307] ? __pfx_kthread+0x10/0x10
[ 68.933835][ T5307] ret_from_fork_asm+0x1a/0x30
[ 68.933857][ T5307]
[ 69.053440][ T5322]
[ 69.054491][ T5322] ======================================================
[ 69.057336][ T5322] WARNING: possible circular locking dependency detected
[ 69.060279][ T5322] 6.14.0-rc6-syzkaller-00007-g0b46b049d6ec #0 Tainted: G W
[ 69.063827][ T5322] ------------------------------------------------------
[ 69.066591][ T5322] syz.0.0/5322 is trying to acquire lock:
[ 69.068925][ T5322] ffff888040562020 (&conn->lock#3){+.+.}-{3:3}, at: sco_chan_del+0x74/0x180
[ 69.072451][ T5322]
[ 69.072451][ T5322] but task is already holding lock:
[ 69.075406][ T5322] ffff888053282258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[ 69.079255][ T5322]
[ 69.079255][ T5322] which lock already depends on the new lock.
[ 69.079255][ T5322]
[ 69.083193][ T5322]
[ 69.083193][ T5322] the existing dependency chain (in reverse order) is:
[ 69.086583][ T5322]
[ 69.086583][ T5322] -> #2 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}:
[ 69.089942][ T5322] lock_acquire+0x1ed/0x550
[ 69.092008][ T5322] lock_sock_nested+0x48/0x100
[ 69.094165][ T5322] bt_accept_dequeue+0xfa/0x570
[ 69.096389][ T5322] __sco_sock_close+0xd2/0x310
[ 69.098460][ T5322] sco_sock_release+0xb3/0x320
[ 69.100587][ T5322] sock_close+0xbc/0x240
[ 69.102391][ T5322] __fput+0x3e9/0x9f0
[ 69.104193][ T5322] task_work_run+0x24f/0x310
[ 69.106192][ T5322] syscall_exit_to_user_mode+0x13f/0x340
[ 69.108666][ T5322] do_syscall_64+0x100/0x230
[ 69.110799][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.113308][ T5322]
[ 69.113308][ T5322] -> #1 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
[ 69.117267][ T5322] lock_acquire+0x1ed/0x550
[ 69.119298][ T5322] lock_sock_nested+0x48/0x100
[ 69.121437][ T5322] sco_connect_cfm+0x439/0xae0
[ 69.123596][ T5322] hci_sync_conn_complete_evt+0x6f1/0xb50
[ 69.126126][ T5322] hci_event_packet+0xac1/0x1540
[ 69.128298][ T5322] hci_rx_work+0x3f3/0xdb0
[ 69.130293][ T5322] process_scheduled_works+0xabe/0x18e0
[ 69.132721][ T5322] worker_thread+0x870/0xd30
[ 69.134856][ T5322] kthread+0x7a9/0x920
[ 69.136705][ T5322] ret_from_fork+0x4b/0x80
[ 69.138865][ T5322] ret_from_fork_asm+0x1a/0x30
[ 69.141087][ T5322]
[ 69.141087][ T5322] -> #0 (&conn->lock#3){+.+.}-{3:3}:
[ 69.144161][ T5322] validate_chain+0x18ef/0x5920
[ 69.146380][ T5322] __lock_acquire+0x1397/0x2100
[ 69.148629][ T5322] lock_acquire+0x1ed/0x550
[ 69.150685][ T5322] _raw_spin_lock+0x2e/0x40
[ 69.152742][ T5322] sco_chan_del+0x74/0x180
[ 69.154767][ T5322] __sco_sock_close+0x152/0x310
[ 69.156881][ T5322] sco_sock_release+0xb3/0x320
[ 69.159001][ T5322] sock_close+0xbc/0x240
[ 69.161098][ T5322] __fput+0x3e9/0x9f0
[ 69.162990][ T5322] task_work_run+0x24f/0x310
[ 69.164958][ T5322] syscall_exit_to_user_mode+0x13f/0x340
[ 69.167422][ T5322] do_syscall_64+0x100/0x230
[ 69.169515][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.171919][ T5322]
[ 69.171919][ T5322] other info that might help us debug this:
[ 69.171919][ T5322]
[ 69.176066][ T5322] Chain exists of:
[ 69.176066][ T5322] &conn->lock#3 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO --> sk_lock-AF_BLUETOOTH
[ 69.176066][ T5322]
[ 69.181883][ T5322] Possible unsafe locking scenario:
[ 69.181883][ T5322]
[ 69.184964][ T5322]        CPU0                    CPU1
[ 69.187122][ T5322]        ----                    ----
[ 69.189295][ T5322]   lock(sk_lock-AF_BLUETOOTH);
[ 69.191202][ T5322]                                lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO);
[ 69.194514][ T5322]                                lock(sk_lock-AF_BLUETOOTH);
[ 69.197428][ T5322]   lock(&conn->lock#3);
[ 69.199098][ T5322]
[ 69.199098][ T5322] *** DEADLOCK ***
[ 69.199098][ T5322]
[ 69.202466][ T5322] 3 locks held by syz.0.0/5322:
[ 69.204361][ T5322] #0: ffff888043b9f208 (&sb->s_type->i_mutex_key#10){+.+.}-{4:4}, at: sock_close+0x90/0x240
[ 69.208436][ T5322] #1: ffff888053256258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320
[ 69.212863][ T5322] #2: ffff888053282258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: __sco_sock_close+0xe8/0x310
[ 69.216875][ T5322]
[ 69.216875][ T5322] stack backtrace:
[ 69.219140][ T5322] CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Tainted: G W 6.14.0-rc6-syzkaller-00007-g0b46b049d6ec #0
[ 69.219156][ T5322] Tainted: [W]=WARN
[ 69.219160][ T5322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 69.219166][ T5322] Call Trace:
[ 69.219174][ T5322]
[ 69.219179][ T5322] dump_stack_lvl+0x241/0x360
[ 69.219195][ T5322] ? __pfx_dump_stack_lvl+0x10/0x10
[ 69.219205][ T5322] ? __pfx__printk+0x10/0x10
[ 69.219215][ T5322] print_circular_bug+0x13a/0x1b0
[ 69.219229][ T5322] check_noncircular+0x36a/0x4a0
[ 69.219241][ T5322] ? __pfx_check_noncircular+0x10/0x10
[ 69.219251][ T5322] ? lockdep_lock+0x123/0x2b0
[ 69.219267][ T5322] validate_chain+0x18ef/0x5920
[ 69.219280][ T5322] ? do_raw_spin_lock+0x14f/0x370
[ 69.219292][ T5322] ? __pfx_validate_chain+0x10/0x10
[ 69.219301][ T5322] ? do_raw_spin_unlock+0x58/0x8b0
[ 69.219314][ T5322] ? _raw_spin_unlock_irqrestore+0xdd/0x140
[ 69.219327][ T5322] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 69.219339][ T5322] ? __lock_acquire+0x1397/0x2100
[ 69.219355][ T5322] ? debug_object_assert_init+0x2dd/0x4b0
[ 69.219415][ T5322] ? __pfx_debug_object_assert_init+0x10/0x10
[ 69.219430][ T5322] ? mark_lock+0x9a/0x360
[ 69.219440][ T5322] __lock_acquire+0x1397/0x2100
[ 69.219456][ T5322] lock_acquire+0x1ed/0x550
[ 69.219468][ T5322] ? sco_chan_del+0x74/0x180
[ 69.219482][ T5322] ? __pfx_lock_acquire+0x10/0x10
[ 69.219496][ T5322] ? __cancel_work+0x24a/0x390
[ 69.219510][ T5322] ? lockdep_hardirqs_on+0x99/0x150
[ 69.219523][ T5322] ? __cancel_work+0x2ee/0x390
[ 69.219536][ T5322] ? __pfx___cancel_work+0x10/0x10
[ 69.219548][ T5322] ? __sco_sock_close+0xe8/0x310
[ 69.219558][ T5322] ? __pfx___local_bh_enable_ip+0x10/0x10
[ 69.219569][ T5322] _raw_spin_lock+0x2e/0x40
[ 69.219579][ T5322] ? sco_chan_del+0x74/0x180
[ 69.219589][ T5322] sco_chan_del+0x74/0x180
[ 69.219600][ T5322] __sco_sock_close+0x152/0x310
[ 69.219613][ T5322] sco_sock_release+0xb3/0x320
[ 69.219625][ T5322] sock_close+0xbc/0x240
[ 69.219638][ T5322] ? __pfx_sock_close+0x10/0x10
[ 69.219649][ T5322] __fput+0x3e9/0x9f0
[ 69.219665][ T5322] task_work_run+0x24f/0x310
[ 69.219684][ T5322] ? _raw_spin_unlock+0x28/0x50
[ 69.219696][ T5322] ? __pfx_task_work_run+0x10/0x10
[ 69.219707][ T5322] ? syscall_exit_to_user_mode+0xa3/0x340
[ 69.219721][ T5322] syscall_exit_to_user_mode+0x13f/0x340
[ 69.219735][ T5322] do_syscall_64+0x100/0x230
[ 69.219749][ T5322] ? clear_bhb_loop+0x35/0x90
[ 69.219763][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 69.219777][ T5322] RIP: 0033:0x7fbdee18d169
[ 69.219788][ T5322] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 69.219796][ T5322] RSP: 002b:00007ffdb284e108 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
[ 69.219807][ T5322] RAX: 0000000000000000 RBX: 0000000000010c79 RCX: 00007fbdee18d169
[ 69.219814][ T5322] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
[ 69.219820][ T5322] RBP: 00007fbdee3a7ba0 R08: 0000000000000001 R09: 00000006b284e3ff
[ 69.219826][ T5322] R10: 00007fbdedfff030 R11: 0000000000000246 R12: 00007fbdee3a5fac
[ 69.219832][ T5322] R13: 00007fbdee3a5fa0 R14: ffffffffffffffff R15: 00007ffdb284e220
[ 69.219842][ T5322]