./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2691547409

<...>
Warning: Permanently added '10.128.0.184' (ED25519) to the list of known hosts.
execve("./syz-executor2691547409", ["./syz-executor2691547409"], 0x7ffe39e5f740 /* 10 vars */) = 0
brk(NULL)                               = 0x555555fbe000
brk(0x555555fbed40)                     = 0x555555fbed40
arch_prctl(ARCH_SET_FS, 0x555555fbe3c0) = 0
set_tid_address(0x555555fbe690)         = 5034
set_robust_list(0x555555fbe6a0, 24)     = 0
rseq(0x555555fbece0, 0x20, 0, 0x53053053) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor2691547409", 4096) = 28
getrandom("\x76\x3c\x84\x37\xee\x07\x20\x1b", 8, GRND_NONBLOCK) = 8
brk(NULL)                               = 0x555555fbed40
brk(0x555555fdfd40)                     = 0x555555fdfd40
brk(0x555555fe0000)                     = 0x555555fe0000
mprotect(0x7f3ba67ad000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
unshare(CLONE_NEWPID)                   = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5035 attached
, child_tidptr=0x555555fbe690) = 5035
[pid  5035] set_robust_list(0x555555fbe6a0, 24) = 0
[pid  5035] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy)
[pid  5035] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3
[pid  5035] openat(AT_FDCWD, "/dev/vhci", O_RDWR) = 4
[pid  5035] dup2(4, 202)                = 202
[pid  5035] close(4)                    = 0
[pid  5035] write(202, "\xff\x00", 2)   = 2
[pid  5035] read(202, "\xff\x00\x00\x00", 4) = 4
[pid  5035] rt_sigaction(SIGRT_1, {sa_handler=0x7f3ba674f440, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f3ba6740ac0}, NULL, 8) = 0
[pid  5035] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
[pid  5035] mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f3ba5eea000
[pid  5035] mprotect(0x7f3ba5eeb000, 8388608, PROT_READ|PROT_WRITE) = 0
[pid  5035] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0
[pid  5035] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f3ba66ea990, parent_tid=0x7f3ba66ea990, exit_signal=0, stack=0x7f3ba5eea000, stack_size=0x800300, tls=0x7f3ba66ea6c0} => {parent_tid=[2]}, 88) = 2
[pid  5035] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[pid  5035] ioctl(3, HCIDEVUP./strace-static-x86_64: Process 5037 attached
 <unfinished ...>
[pid  5037] rseq(0x7f3ba66eafe0, 0x20, 0, 0x53053053) = 0
[pid  5037] set_robust_list(0x7f3ba66ea9a0, 24) = 0
[pid  5037] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
[pid  5037] read(202, "\x01\x03\x0c\x00", 1024) = 4
[pid  5037] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5037] read(202, "\x01\x03\x10\x00", 1024) = 4
[pid  5037] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5037] read(202, "\x01\x01\x10\x00", 1024) = 4
[pid  5037] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x01\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5037] read(202, "\x01\x09\x10\x00", 1024) = 4
[pid  5037] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0a", iov_len=2}, {iov_base="\x01\x09\x10", iov_len=3}, {iov_base="\x00\xaa\xaa\xaa\xaa\xaa\xaa", iov_len=7}], 4) = 13
[pid  5037] read(202, "\x01\x05\x10\x00", 1024) = 4
[pid  5037] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0b", iov_len=2}, {iov_base="\x01\x05\x10", iov_len=3}, {iov_base="\x00\xfd\x03\x60\x04\x00\x06\x00", iov_len=8}], 4) = 14
[pid  5037] read(202, "\x01\x23\x0c\x00", 1024) = 4
[pid  5037] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x23\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5037] read(202, "\x01\x14\x0c\x00", 1024) = 4
[pid  5037] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x14\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5037] read(202, "\x01\x25\x0c\x00", 1024) = 4
[pid  5037] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x25\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5037] read(202, "\x01\x38\x0c\x00", 1024) = 4
[pid  5037] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x38\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[   72.868092][ T5038] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   72.876739][ T5038] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   72.885112][ T5038] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   72.895724][ T5038] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   72.904198][ T5038] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[pid  5037] read(202, "\x01\x39\x0c\x00", 1024) = 4
[pid  5037] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x39\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5037] read(202, "\x01\x16\x0c\x02\x00\x7d", 1024) = 6
[pid  5037] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x16\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5037] read(202,  <unfinished ...>
[pid  5035] <... ioctl resumed>, 0)     = -1 EALREADY (Operation already in progress)
[pid  5035] ioctl(3, HCISETSCAN <unfinished ...>
[pid  5037] <... read resumed>"\x01\x1a\x0c\x01\x02", 1024) = 5
[pid  5037] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x04", iov_len=2}, {iov_base="\x01\x1a\x0c", iov_len=3}, {iov_base="\x00", iov_len=1}], 4) = 7
[pid  5037] rt_sigprocmask(SIG_BLOCK, ~[RT_1], NULL, 8) = 0
[pid  5037] madvise(0x7f3ba5eea000, 8372224, MADV_DONTNEED) = 0
[pid  5037] exit(0)                     = ?
[pid  5037] +++ exited with 0 +++
[pid  5035] <... ioctl resumed>, 0x7ffc064feca4) = 0
[pid  5035] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x04\x0a", iov_len=2}, {iov_base="\xaa\xaa\xaa\xaa\xaa\x10\x00\x00\x00\x01", iov_len=10}], 3) = 13
[pid  5035] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x03\x0b", iov_len=2}, {iov_base="\x00\xc8\x00\xaa\xaa\xaa\xaa\xaa\x10\x01\x00", iov_len=11}], 3) = 14
[pid  5035] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\v\v", iov_len=2}, {iov_base="\x00\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=11}], 3) = 14
[pid  5035] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x3e\x13", iov_len=2}, {iov_base="\x01\x00\xc9\x00\x01\x00\xaa\xaa\xaa\xaa\xaa\x11\x00\x00\x00\x00\x00\x00\x00", iov_len=19}], 3) = 22
[pid  5035] close(3)                    = 0
[pid  5035] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5035] setsid()                    = 1
[pid  5035] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0
[pid  5035] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0
[pid  5035] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0
[pid  5035] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0
[pid  5035] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0
[pid  5035] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0
[pid  5035] unshare(CLONE_NEWNS)        = 0
[pid  5035] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0
[pid  5035] unshare(CLONE_NEWIPC)       = 0
[pid  5035] unshare(CLONE_NEWCGROUP)    = 0
[pid  5035] unshare(CLONE_NEWUTS)       = 0
[pid  5035] unshare(CLONE_SYSVSEM)      = 0
[pid  5035] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3
[pid  5035] write(3, "16777216", 8)     = 8
[pid  5035] close(3)                    = 0
[pid  5035] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3
[pid  5035] write(3, "536870912", 9)    = 9
[pid  5035] close(3)                    = 0
[pid  5035] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3
[pid  5035] write(3, "1024", 4)         = 4
[pid  5035] close(3)                    = 0
[pid  5035] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3
[pid  5035] write(3, "8192", 4)         = 4
[pid  5035] close(3)                    = 0
[pid  5035] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3
[pid  5035] write(3, "1024", 4)         = 4
[pid  5035] close(3)                    = 0
[pid  5035] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3
[pid  5035] write(3, "1024", 4)         = 4
[pid  5035] close(3)                    = 0
[pid  5035] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3
[pid  5035] write(3, "1024 1048576 500 1024", 21) = 21
[pid  5035] close(3)                    = 0
[pid  5035] getpid()                    = 1
[pid  5035] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
[pid  5035] capset({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
[   72.912976][ T5038] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[pid  5035] unshare(CLONE_NEWNET)       = 0
[pid  5035] openat(AT_FDCWD, "/proc/sys/net/ipv4/ping_group_range", O_WRONLY|O_CLOEXEC) = 3
[pid  5035] write(3, "0 65535", 7)      = 7
[pid  5035] close(3)                    = 0
[pid  5035] mkdir("/dev/binderfs", 0777) = 0
[pid  5035] mount("binder", "/dev/binderfs", "binder", 0, NULL) = 0
[pid  5035] symlink("/dev/binderfs", "./binderfs") = 0
[pid  5035] openat(AT_FDCWD, "/dev/rfkill", O_WRONLY|O_NONBLOCK) = 3
[   73.065982][ T5035] 
[   73.068369][ T5035] ======================================================
[   73.075492][ T5035] WARNING: possible circular locking dependency detected
[   73.082528][ T5035] 6.6.0-rc6-syzkaller-00182-gce55c22ec8b2 #0 Not tainted
[   73.089569][ T5035] ------------------------------------------------------
[   73.096690][ T5035] syz-executor269/5035 is trying to acquire lock:
[   73.103122][ T5035] ffff8880737b4dc0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}, at: __flush_work+0xe9/0xac0
[   73.113679][ T5035] 
[   73.113679][ T5035] but task is already holding lock:
[   73.121059][ T5035] ffff8880737b50b8 (&hdev->req_lock){+.+.}-{3:3}, at: hci_rfkill_set_block+0x12d/0x210
[   73.130786][ T5035] 
[   73.130786][ T5035] which lock already depends on the new lock.
[   73.130786][ T5035] 
[   73.141202][ T5035] 
[   73.141202][ T5035] the existing dependency chain (in reverse order) is:
[   73.150217][ T5035] 
[   73.150217][ T5035] -> #3 (&hdev->req_lock){+.+.}-{3:3}:
[   73.157870][ T5035]        __mutex_lock+0x136/0xd60
[   73.162903][ T5035]        hci_rfkill_set_block+0x12d/0x210
[   73.168635][ T5035]        rfkill_set_block+0x1e7/0x430
[   73.174013][ T5035]        rfkill_fop_write+0x5bb/0x790
[   73.179391][ T5035]        vfs_write+0x286/0xaf0
[   73.184162][ T5035]        ksys_write+0x1a0/0x2c0
[   73.189021][ T5035]        do_syscall_64+0x41/0xc0
[   73.193978][ T5035]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   73.200407][ T5035] 
[   73.200407][ T5035] -> #2 (rfkill_global_mutex){+.+.}-{3:3}:
[   73.208404][ T5035]        __mutex_lock+0x136/0xd60
[   73.213454][ T5035]        rfkill_register+0x34/0x8c0
[   73.218656][ T5035]        hci_register_dev+0x4e3/0xa40
[   73.224037][ T5035]        vhci_create_device+0x3ba/0x720
[   73.229584][ T5035]        vhci_write+0x3c7/0x480
[   73.234435][ T5035]        vfs_write+0x782/0xaf0
[   73.239224][ T5035]        ksys_write+0x1a0/0x2c0
[   73.244084][ T5035]        do_syscall_64+0x41/0xc0
[   73.249030][ T5035]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   73.255459][ T5035] 
[   73.255459][ T5035] -> #1 (&data->open_mutex){+.+.}-{3:3}:
[   73.263286][ T5035]        __mutex_lock+0x136/0xd60
[   73.268312][ T5035]        vhci_send_frame+0x8e/0xf0
[   73.273423][ T5035]        hci_send_frame+0x1ef/0x370
[   73.278628][ T5035]        hci_tx_work+0xed4/0x1ef0
[   73.283657][ T5035]        process_scheduled_works+0x90f/0x1400
[   73.289725][ T5035]        worker_thread+0xa5f/0xff0
[   73.294840][ T5035]        kthread+0x2d3/0x370
[   73.299433][ T5035]        ret_from_fork+0x48/0x80
[   73.304376][ T5035]        ret_from_fork_asm+0x11/0x20
[   73.309674][ T5035] 
[   73.309674][ T5035] -> #0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}:
[   73.318892][ T5035]        __lock_acquire+0x39ff/0x7f70
[   73.324270][ T5035]        lock_acquire+0x1e3/0x520
[   73.329410][ T5035]        __flush_work+0x102/0xac0
[   73.334875][ T5035]        hci_dev_close_sync+0x237/0xfe0
[   73.340447][ T5035]        hci_rfkill_set_block+0x135/0x210
[   73.346268][ T5035]        rfkill_set_block+0x1e7/0x430
[   73.351647][ T5035]        rfkill_fop_write+0x5bb/0x790
[   73.357026][ T5035]        vfs_write+0x286/0xaf0
[   73.361795][ T5035]        ksys_write+0x1a0/0x2c0
[   73.366656][ T5035]        do_syscall_64+0x41/0xc0
[   73.371601][ T5035]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   73.378025][ T5035] 
[   73.378025][ T5035] other info that might help us debug this:
[   73.378025][ T5035] 
[   73.388251][ T5035] Chain exists of:
[   73.388251][ T5035]   (work_completion)(&hdev->tx_work) --> rfkill_global_mutex --> &hdev->req_lock
[   73.388251][ T5035] 
[   73.403204][ T5035]  Possible unsafe locking scenario:
[   73.403204][ T5035] 
[   73.410647][ T5035]        CPU0                    CPU1
[   73.416008][ T5035]        ----                    ----
[   73.421799][ T5035]   lock(&hdev->req_lock);
[   73.426231][ T5035]                                lock(rfkill_global_mutex);
[   73.433515][ T5035]                                lock(&hdev->req_lock);
[   73.440453][ T5035]   lock((work_completion)(&hdev->tx_work));
[   73.446452][ T5035] 
[   73.446452][ T5035]  *** DEADLOCK ***
[   73.446452][ T5035] 
[   73.454607][ T5035] 2 locks held by syz-executor269/5035:
[   73.460171][ T5035]  #0: ffffffff8e794ea8 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0x1a9/0x790
[   73.470310][ T5035]  #1: ffff8880737b50b8 (&hdev->req_lock){+.+.}-{3:3}, at: hci_rfkill_set_block+0x12d/0x210
[   73.480453][ T5035] 
[   73.480453][ T5035] stack backtrace:
[   73.486350][ T5035] CPU: 1 PID: 5035 Comm: syz-executor269 Not tainted 6.6.0-rc6-syzkaller-00182-gce55c22ec8b2 #0
[   73.496806][ T5035] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
[   73.506884][ T5035] Call Trace:
[   73.510184][ T5035]  <TASK>
[   73.513126][ T5035]  dump_stack_lvl+0x1e7/0x2d0
[   73.517826][ T5035]  ? nf_tcp_handle_invalid+0x650/0x650
[   73.523322][ T5035]  ? print_circular_bug+0x12b/0x1a0
[   73.528555][ T5035]  check_noncircular+0x375/0x4a0
[   73.533526][ T5035]  ? is_bpf_text_address+0x26/0x2a0
[   73.538743][ T5035]  ? print_deadlock_bug+0x600/0x600
[   73.543971][ T5035]  ? lockdep_lock+0x123/0x2b0
[   73.548675][ T5035]  ? arch_stack_walk+0x162/0x1a0
[   73.553623][ T5035]  ? mark_lock+0x9a/0x340
[   73.558317][ T5035]  ? _find_first_zero_bit+0xd4/0x100
[   73.563631][ T5035]  __lock_acquire+0x39ff/0x7f70
[   73.568508][ T5035]  ? lockdep_unlock+0x169/0x300
[   73.573373][ T5035]  ? verify_lock_unused+0x140/0x140
[   73.578578][ T5035]  ? add_lock_to_list+0x1de/0x2e0
[   73.583612][ T5035]  ? mark_lock+0x9a/0x340
[   73.587948][ T5035]  ? __lock_acquire+0x1267/0x7f70
[   73.592983][ T5035]  ? __flush_work+0x9ac/0xac0
[   73.597665][ T5035]  lock_acquire+0x1e3/0x520
[   73.602194][ T5035]  ? __flush_work+0xe9/0xac0
[   73.606810][ T5035]  ? flush_work+0x20/0x20
[   73.611146][ T5035]  ? read_lock_is_recursive+0x20/0x20
[   73.616624][ T5035]  ? print_irqtrace_events+0x220/0x220
[   73.622098][ T5035]  ? __flush_work+0xe9/0xac0
[   73.626694][ T5035]  __flush_work+0x102/0xac0
[   73.631200][ T5035]  ? __flush_work+0xe9/0xac0
[   73.635884][ T5035]  ? flush_work+0x20/0x20
[   73.640228][ T5035]  ? led_trigger_event+0x28/0x1e0
[   73.645267][ T5035]  hci_dev_close_sync+0x237/0xfe0
[   73.650294][ T5035]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[   73.656204][ T5035]  hci_rfkill_set_block+0x135/0x210
[   73.661421][ T5035]  ? hci_req_cmd_complete+0x920/0x920
[   73.666803][ T5035]  rfkill_set_block+0x1e7/0x430
[   73.671684][ T5035]  rfkill_fop_write+0x5bb/0x790
[   73.676547][ T5035]  ? rfkill_fop_read+0x470/0x470
[   73.681496][ T5035]  ? fsnotify_perm+0x63/0x5a0
[   73.686354][ T5035]  ? security_file_permission+0x79/0xa0
[   73.691911][ T5035]  ? rfkill_fop_read+0x470/0x470
[   73.696863][ T5035]  vfs_write+0x286/0xaf0
[   73.701127][ T5035]  ? file_end_write+0x250/0x250
[   73.705990][ T5035]  ? print_irqtrace_events+0x220/0x220
[   73.711481][ T5035]  ? _raw_spin_unlock_irq+0x23/0x50
[   73.716687][ T5035]  ? lockdep_hardirqs_on+0x98/0x140
[   73.721888][ T5035]  ? __fdget_pos+0x1df/0x340
[   73.726483][ T5035]  ksys_write+0x1a0/0x2c0
[   73.730828][ T5035]  ? __ia32_sys_read+0x90/0x90
[   73.735608][ T5035]  ? syscall_enter_from_user_mode+0x32/0x230
[   73.741596][ T5035]  ? syscall_enter_from_user_mode+0x8c/0x230
[   73.747580][ T5035]  do_syscall_64+0x41/0xc0
[   73.752014][ T5035]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   73.757922][ T5035] RIP: 0033:0x7f3ba6729479
[   73.762362][ T5035] Code: 48 83 c4 28 c3 e8 e7 18 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
[   73.781970][ T5035] RSP: 002b:00007ffc064fec88 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   73.790415][ T5035] RAX: ffffffffffffffda RBX: 00007f3ba6780043 RCX: 00007f3ba6729479
[   73.798409][ T5035] RDX: 0000000000000008 RSI: 0000000020000080 RDI: 0000000000000003
[   73.806393][ T5035] RBP: 00007ffc064fecd0 R08: 000000ff00fff650 R09: 000000ff00fff650
[pid  5035] write(3, "\x00\x00\x00\x00\x00\x03\x01\x00", 8) = 8
[pid  5035] exit_group(1)               = ?
[pid  5035] +++ exited with 1 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5035, si_uid=0, si_status=1, si_utime=0, si_stime=11 /* 0.11 s */} ---
exit_group(0)                           = ?
+++ exited with 0 +++
[   73.814365][ T5035] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffc064fecb8
[   73.822335][ T5035] R13: 00007f3ba67ad5b0 R14: 0000000000000000 R15: 0000000000000001
[   73.830314][ T5035]  </TASK>