Warning: Permanently added '10.128.0.69' (ED25519) to the list of known hosts.
[ 69.580277][ T5064] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 69.588724][ T5064] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 69.596557][ T5064] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 69.605051][ T5064] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 69.612994][ T5064] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 69.621092][ T5064] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
executing program
[ 69.744579][ T5061]
[ 69.746934][ T5061] ======================================================
[ 69.753950][ T5061] WARNING: possible circular locking dependency detected
[ 69.760979][ T5061] 6.7.0-rc5-syzkaller-00030-geaadbbaaff74 #0 Not tainted
[ 69.768089][ T5061] ------------------------------------------------------
[ 69.775109][ T5061] syz-executor293/5061 is trying to acquire lock:
[ 69.781522][ T5061] ffff888073f64e10 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}, at: __flush_work+0xfa/0xa10
[ 69.792012][ T5061]
[ 69.792012][ T5061] but task is already holding lock:
[ 69.799389][ T5061] ffff888073f65108 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x26/0x90
[ 69.808562][ T5061]
[ 69.808562][ T5061] which lock already depends on the new lock.
[ 69.808562][ T5061]
[ 69.818974][ T5061]
[ 69.818974][ T5061] the existing dependency chain (in reverse order) is:
[ 69.827988][ T5061]
[ 69.827988][ T5061] -> #3 (&hdev->req_lock){+.+.}-{3:3}:
[ 69.835658][ T5061]        __mutex_lock+0x175/0x9d0
[ 69.840711][ T5061]        hci_dev_do_close+0x26/0x90
[ 69.845926][ T5061]        hci_rfkill_set_block+0x1b9/0x200
[ 69.851658][ T5061]        rfkill_set_block+0x200/0x550
[ 69.857050][ T5061]        rfkill_fop_write+0x2d4/0x570
[ 69.862444][ T5061]        vfs_write+0x2a4/0xdf0
[ 69.867221][ T5061]        ksys_write+0x1f0/0x250
[ 69.872256][ T5061]        __do_fast_syscall_32+0x62/0xe0
[ 69.877821][ T5061]        do_fast_syscall_32+0x33/0x70
[ 69.883209][ T5061]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 69.890075][ T5061]
[ 69.890075][ T5061] -> #2 (rfkill_global_mutex){+.+.}-{3:3}:
[ 69.898085][ T5061]        __mutex_lock+0x175/0x9d0
[ 69.903133][ T5061]        rfkill_register+0x3a/0xb30
[ 69.908348][ T5061]        hci_register_dev+0x43a/0xd40
[ 69.913734][ T5061]        __vhci_create_device+0x393/0x800
[ 69.919479][ T5061]        vhci_write+0x2c7/0x470
[ 69.924352][ T5061]        vfs_write+0x64f/0xdf0
[ 69.929126][ T5061]        ksys_write+0x12f/0x250
[ 69.933991][ T5061]        __do_fast_syscall_32+0x62/0xe0
[ 69.939563][ T5061]        do_fast_syscall_32+0x33/0x70
[ 69.944957][ T5061]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 69.951827][ T5061]
[ 69.951827][ T5061] -> #1 (&data->open_mutex){+.+.}-{3:3}:
[ 69.959660][ T5061]        __mutex_lock+0x175/0x9d0
[ 69.964709][ T5061]        vhci_send_frame+0x67/0xa0
[ 69.969843][ T5061]        hci_send_frame+0x220/0x470
[ 69.975047][ T5061]        hci_tx_work+0x1456/0x1e40
[ 69.980172][ T5061]        process_one_work+0x886/0x15d0
[ 69.985646][ T5061]        worker_thread+0x8b9/0x1290
[ 69.990866][ T5061]        kthread+0x2c6/0x3a0
[ 69.995469][ T5061]        ret_from_fork+0x45/0x80
[ 70.000422][ T5061]        ret_from_fork_asm+0x11/0x20
[ 70.005729][ T5061]
[ 70.005729][ T5061] -> #0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}:
[ 70.014952][ T5061]        __lock_acquire+0x2433/0x3b20
[ 70.020353][ T5061]        lock_acquire+0x1ae/0x520
[ 70.025399][ T5061]        __flush_work+0x103/0xa10
[ 70.030446][ T5061]        hci_dev_close_sync+0x22d/0x1160
[ 70.036095][ T5061]        hci_dev_do_close+0x2e/0x90
[ 70.041306][ T5061]        hci_rfkill_set_block+0x1b9/0x200
[ 70.047037][ T5061]        rfkill_set_block+0x200/0x550
[ 70.052427][ T5061]        rfkill_fop_write+0x2d4/0x570
[ 70.057815][ T5061]        vfs_write+0x2a4/0xdf0
[ 70.062588][ T5061]        ksys_write+0x1f0/0x250
[ 70.067450][ T5061]        __do_fast_syscall_32+0x62/0xe0
[ 70.073014][ T5061]        do_fast_syscall_32+0x33/0x70
[ 70.078404][ T5061]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 70.085274][ T5061]
[ 70.085274][ T5061] other info that might help us debug this:
[ 70.085274][ T5061]
[ 70.095507][ T5061] Chain exists of:
[ 70.095507][ T5061]   (work_completion)(&hdev->tx_work) --> rfkill_global_mutex --> &hdev->req_lock
[ 70.095507][ T5061]
[ 70.110568][ T5061]  Possible unsafe locking scenario:
[ 70.110568][ T5061]
[ 70.118024][ T5061]        CPU0                    CPU1
[ 70.123396][ T5061]        ----                    ----
[ 70.128764][ T5061]   lock(&hdev->req_lock);
[ 70.133191][ T5061]                                lock(rfkill_global_mutex);
[ 70.140484][ T5061]                                lock(&hdev->req_lock);
[ 70.147436][ T5061]   lock((work_completion)(&hdev->tx_work));
[ 70.153426][ T5061]
[ 70.153426][ T5061]  *** DEADLOCK ***
[ 70.153426][ T5061]
[ 70.161568][ T5061] 2 locks held by syz-executor293/5061:
[ 70.167119][ T5061]  #0: ffffffff8ef2daa8 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0x16e/0x570
[ 70.177253][ T5061]  #1: ffff888073f65108 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x26/0x90
[ 70.186857][ T5061]
[ 70.186857][ T5061] stack backtrace:
[ 70.192748][ T5061] CPU: 0 PID: 5061 Comm: syz-executor293 Not tainted 6.7.0-rc5-syzkaller-00030-geaadbbaaff74 #0
[ 70.203174][ T5061] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
[ 70.213240][ T5061] Call Trace:
[ 70.216527][ T5061]
[ 70.219465][ T5061]  dump_stack_lvl+0xd9/0x1b0
[ 70.224107][ T5061]  check_noncircular+0x317/0x400
[ 70.229079][ T5061]  ? print_circular_bug+0x5c0/0x5c0
[ 70.234304][ T5061]  ? is_bpf_text_address+0x94/0x1a0
[ 70.239528][ T5061]  ? lockdep_lock+0xc6/0x200
[ 70.244145][ T5061]  ? hlock_class+0x130/0x130
[ 70.248759][ T5061]  __lock_acquire+0x2433/0x3b20
[ 70.253647][ T5061]  ? lockdep_hardirqs_on_prepare+0x420/0x420
[ 70.259657][ T5061]  ? save_trace+0x4e/0xb30
[ 70.264096][ T5061]  ? _find_first_zero_bit+0x94/0xb0
[ 70.269321][ T5061]  lock_acquire+0x1ae/0x520
[ 70.273940][ T5061]  ? __flush_work+0xfa/0xa10
[ 70.278552][ T5061]  ? lock_sync+0x190/0x190
[ 70.283007][ T5061]  ? __flush_work+0xfa/0xa10
[ 70.287626][ T5061]  __flush_work+0x103/0xa10
[ 70.292152][ T5061]  ? __flush_work+0xfa/0xa10
[ 70.296768][ T5061]  ? cancel_delayed_work+0x20/0x20
[ 70.301918][ T5061]  hci_dev_close_sync+0x22d/0x1160
[ 70.307048][ T5061]  ? find_held_lock+0x2d/0x110
[ 70.311835][ T5061]  ? hci_reset_sync+0x50/0x50
[ 70.316543][ T5061]  ? reacquire_held_locks+0x4c0/0x4c0
[ 70.321945][ T5061]  hci_dev_do_close+0x2e/0x90
[ 70.326637][ T5061]  hci_rfkill_set_block+0x1b9/0x200
[ 70.331853][ T5061]  ? lockdep_hardirqs_on+0x7d/0x110
[ 70.337080][ T5061]  ? hci_power_on+0x670/0x670
[ 70.341773][ T5061]  rfkill_set_block+0x200/0x550
[ 70.346648][ T5061]  rfkill_fop_write+0x2d4/0x570
[ 70.351521][ T5061]  ? rfkill_register+0xb30/0xb30
[ 70.356480][ T5061]  ? bpf_lsm_inode_killpriv+0x10/0x10
[ 70.361864][ T5061]  ? security_file_permission+0x94/0x100
[ 70.367520][ T5061]  vfs_write+0x2a4/0xdf0
[ 70.371779][ T5061]  ? rfkill_register+0xb30/0xb30
[ 70.376739][ T5061]  ? kernel_write+0x6c0/0x6c0
[ 70.381434][ T5061]  ? do_sys_openat2+0xb1/0x1e0
[ 70.386227][ T5061]  ? build_open_flags+0x690/0x690
[ 70.391280][ T5061]  ? find_held_lock+0x2d/0x110
[ 70.396075][ T5061]  ? __fget_light+0x1fc/0x260
[ 70.400776][ T5061]  ksys_write+0x1f0/0x250
[ 70.405123][ T5061]  ? __ia32_sys_read+0xb0/0xb0
[ 70.409908][ T5061]  __do_fast_syscall_32+0x62/0xe0
[ 70.414959][ T5061]  do_fast_syscall_32+0x33/0x70
[ 70.419834][ T5061]  entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 70.426183][ T5061] RIP: 0023:0xf7f06579
[ 70.430264][ T5061] Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
[ 70.449891][ T5061] RSP: 002b:00000000ffbe46ec EFLAGS: 00000246 ORIG_RAX: 0000000000000004
[ 70.458324][ T5061] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000080
[ 70.466315][ T5061] RDX: 0000000000000008 RSI: 0000000000000070 RDI: 0000000000000000
[ 70.474296][ T5061] RBP: 00000000ffbe4750 R08: 0000000000000000 R09: 0000000000000000
[ 70.482282][ T5061] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 70.490266][ T5061] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 70.498261][ T5061]