Warning: Permanently added '10.128.1.10' (ED25519) to the list of known hosts.
[   69.926791][ T5066] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   69.935548][ T5066] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   69.943606][ T5066] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   69.952045][ T5066] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   69.960321][ T5066] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[   69.967643][ T5066] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
executing program
[   70.097612][ T5065]
[   70.099992][ T5065] ======================================================
[   70.107021][ T5065] WARNING: possible circular locking dependency detected
[   70.114051][ T5065] 6.7.0-rc5-syzkaller #0 Not tainted
[   70.119347][ T5065] ------------------------------------------------------
[   70.126375][ T5065] syz-executor410/5065 is trying to acquire lock:
[   70.132800][ T5065] ffff8880777cce10 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}, at: __flush_work+0xfa/0xa10
[   70.143301][ T5065]
[   70.143301][ T5065] but task is already holding lock:
[   70.150679][ T5065] ffff8880777cd108 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x26/0x90
[   70.159864][ T5065]
[   70.159864][ T5065] which lock already depends on the new lock.
[   70.159864][ T5065]
[   70.170267][ T5065]
[   70.170267][ T5065] the existing dependency chain (in reverse order) is:
[   70.179277][ T5065]
[   70.179277][ T5065] -> #3 (&hdev->req_lock){+.+.}-{3:3}:
[   70.186931][ T5065]        __mutex_lock+0x175/0x9d0
[   70.191988][ T5065]        hci_dev_do_close+0x26/0x90
[   70.197187][ T5065]        hci_rfkill_set_block+0x1b9/0x200
[   70.202906][ T5065]        rfkill_set_block+0x200/0x550
[   70.208285][ T5065]        rfkill_fop_write+0x2d4/0x570
[   70.213667][ T5065]        vfs_write+0x2a4/0xdf0
[   70.218431][ T5065]        ksys_write+0x1f0/0x250
[   70.223280][ T5065]        __do_fast_syscall_32+0x62/0xe0
[   70.228833][ T5065]        do_fast_syscall_32+0x33/0x70
[   70.234207][ T5065]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[   70.241063][ T5065]
[   70.241063][ T5065] -> #2 (rfkill_global_mutex){+.+.}-{3:3}:
[   70.249061][ T5065]        __mutex_lock+0x175/0x9d0
[   70.254105][ T5065]        rfkill_register+0x3a/0xb30
[   70.259316][ T5065]        hci_register_dev+0x43a/0xd40
[   70.264696][ T5065]        __vhci_create_device+0x393/0x800
[   70.270425][ T5065]        vhci_write+0x2c7/0x470
[   70.275280][ T5065]        vfs_write+0x64f/0xdf0
[   70.280042][ T5065]        ksys_write+0x12f/0x250
[   70.284889][ T5065]        __do_fast_syscall_32+0x62/0xe0
[   70.290443][ T5065]        do_fast_syscall_32+0x33/0x70
[   70.295815][ T5065]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[   70.302667][ T5065]
[   70.302667][ T5065] -> #1 (&data->open_mutex){+.+.}-{3:3}:
[   70.310484][ T5065]        __mutex_lock+0x175/0x9d0
[   70.315521][ T5065]        vhci_send_frame+0x67/0xa0
[   70.320637][ T5065]        hci_send_frame+0x220/0x470
[   70.325828][ T5065]        hci_tx_work+0x1456/0x1e40
[   70.330937][ T5065]        process_one_work+0x886/0x15d0
[   70.336398][ T5065]        worker_thread+0x8b9/0x1290
[   70.341602][ T5065]        kthread+0x2c6/0x3a0
[   70.346197][ T5065]        ret_from_fork+0x45/0x80
[   70.351143][ T5065]        ret_from_fork_asm+0x11/0x20
[   70.356446][ T5065]
[   70.356446][ T5065] -> #0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}:
[   70.365664][ T5065]        __lock_acquire+0x2433/0x3b20
[   70.371046][ T5065]        lock_acquire+0x1ae/0x520
[   70.376075][ T5065]        __flush_work+0x103/0xa10
[   70.381099][ T5065]        hci_dev_close_sync+0x22d/0x1160
[   70.386749][ T5065]        hci_dev_do_close+0x2e/0x90
[   70.391947][ T5065]        hci_rfkill_set_block+0x1b9/0x200
[   70.397666][ T5065]        rfkill_set_block+0x200/0x550
[   70.403043][ T5065]        rfkill_fop_write+0x2d4/0x570
[   70.408418][ T5065]        vfs_write+0x2a4/0xdf0
[   70.413178][ T5065]        ksys_write+0x1f0/0x250
[   70.418022][ T5065]        __do_fast_syscall_32+0x62/0xe0
[   70.423572][ T5065]        do_fast_syscall_32+0x33/0x70
[   70.428945][ T5065]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[   70.435796][ T5065]
[   70.435796][ T5065] other info that might help us debug this:
[   70.435796][ T5065]
[   70.446017][ T5065] Chain exists of:
[   70.446017][ T5065]   (work_completion)(&hdev->tx_work) --> rfkill_global_mutex --> &hdev->req_lock
[   70.446017][ T5065]
[   70.460981][ T5065]  Possible unsafe locking scenario:
[   70.460981][ T5065]
[   70.468426][ T5065]        CPU0                    CPU1
[   70.473782][ T5065]        ----                    ----
[   70.479134][ T5065]   lock(&hdev->req_lock);
[   70.483543][ T5065]                                lock(rfkill_global_mutex);
[   70.490821][ T5065]                                lock(&hdev->req_lock);
[   70.497751][ T5065]   lock((work_completion)(&hdev->tx_work));
[   70.503726][ T5065]
[   70.503726][ T5065]  *** DEADLOCK ***
[   70.503726][ T5065]
[   70.511862][ T5065] 2 locks held by syz-executor410/5065:
[   70.517399][ T5065]  #0: ffffffff8ef2d9e8 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0x16e/0x570
[   70.527505][ T5065]  #1: ffff8880777cd108 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x26/0x90
[   70.537080][ T5065]
[   70.537080][ T5065] stack backtrace:
[   70.542957][ T5065] CPU: 0 PID: 5065 Comm: syz-executor410 Not tainted 6.7.0-rc5-syzkaller #0
[   70.551634][ T5065] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
[   70.561703][ T5065] Call Trace:
[   70.564989][ T5065]
[   70.567933][ T5065]  dump_stack_lvl+0xd9/0x1b0
[   70.572549][ T5065]  check_noncircular+0x317/0x400
[   70.577515][ T5065]  ? print_circular_bug+0x5c0/0x5c0
[   70.582726][ T5065]  ? is_bpf_text_address+0x94/0x1a0
[   70.587933][ T5065]  ? lockdep_lock+0xc6/0x200
[   70.592533][ T5065]  ? hlock_class+0x130/0x130
[   70.597136][ T5065]  __lock_acquire+0x2433/0x3b20
[   70.602006][ T5065]  ? lockdep_hardirqs_on_prepare+0x420/0x420
[   70.608028][ T5065]  ? save_trace+0x4e/0xb30
[   70.612467][ T5065]  ? _find_first_zero_bit+0x94/0xb0
[   70.617680][ T5065]  lock_acquire+0x1ae/0x520
[   70.622212][ T5065]  ? __flush_work+0xfa/0xa10
[   70.626832][ T5065]  ? lock_sync+0x190/0x190
[   70.631268][ T5065]  ? __flush_work+0xfa/0xa10
[   70.635947][ T5065]  __flush_work+0x103/0xa10
[   70.640465][ T5065]  ? __flush_work+0xfa/0xa10
[   70.645067][ T5065]  ? cancel_delayed_work+0x20/0x20
[   70.650209][ T5065]  hci_dev_close_sync+0x22d/0x1160
[   70.655333][ T5065]  ? find_held_lock+0x2d/0x110
[   70.660123][ T5065]  ? hci_reset_sync+0x50/0x50
[   70.664811][ T5065]  ? reacquire_held_locks+0x4c0/0x4c0
[   70.670201][ T5065]  hci_dev_do_close+0x2e/0x90
[   70.674881][ T5065]  hci_rfkill_set_block+0x1b9/0x200
[   70.680086][ T5065]  ? lockdep_hardirqs_on+0x7d/0x110
[   70.685297][ T5065]  ? hci_power_on+0x670/0x670
[   70.689976][ T5065]  rfkill_set_block+0x200/0x550
[   70.694838][ T5065]  rfkill_fop_write+0x2d4/0x570
[   70.699697][ T5065]  ? rfkill_register+0xb30/0xb30
[   70.704641][ T5065]  ? bpf_lsm_inode_killpriv+0x10/0x10
[   70.710019][ T5065]  ? security_file_permission+0x94/0x100
[   70.715660][ T5065]  vfs_write+0x2a4/0xdf0
[   70.719905][ T5065]  ? rfkill_register+0xb30/0xb30
[   70.724847][ T5065]  ? kernel_write+0x6c0/0x6c0
[   70.729529][ T5065]  ? do_sys_openat2+0xb1/0x1e0
[   70.734298][ T5065]  ? build_open_flags+0x690/0x690
[   70.739328][ T5065]  ? find_held_lock+0x2d/0x110
[   70.744124][ T5065]  ? __fget_light+0x1fc/0x260
[   70.748807][ T5065]  ksys_write+0x1f0/0x250
[   70.753151][ T5065]  ? __ia32_sys_read+0xb0/0xb0
[   70.757925][ T5065]  __do_fast_syscall_32+0x62/0xe0
[   70.762968][ T5065]  do_fast_syscall_32+0x33/0x70
[   70.767832][ T5065]  entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[   70.774176][ T5065] RIP: 0023:0xf7e52579
[   70.778245][ T5065] Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
[   70.797885][ T5065] RSP: 002b:00