Warning: Permanently added '10.128.0.52' (ED25519) to the list of known hosts.
[ 66.738057][ T50] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 66.745974][ T50] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 66.753960][ T50] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 66.762366][ T50] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 66.770426][ T50] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 66.778161][ T50] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
executing program
[ 66.913287][ T5062]
[ 66.915657][ T5062] ======================================================
[ 66.922677][ T5062] WARNING: possible circular locking dependency detected
[ 66.929694][ T5062] 6.7.0-rc6-syzkaller-00022-g55cb5f43689d #0 Not tainted
[ 66.936728][ T5062] ------------------------------------------------------
[ 66.943749][ T5062] syz-executor882/5062 is trying to acquire lock:
[ 66.950167][ T5062] ffff8880786c0e10 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}, at: __flush_work+0xfa/0xa10
[ 66.960664][ T5062]
[ 66.960664][ T5062] but task is already holding lock:
[ 66.968033][ T5062] ffff8880786c1108 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x26/0x90
[ 66.977210][ T5062]
[ 66.977210][ T5062] which lock already depends on the new lock.
[ 66.977210][ T5062]
[ 66.987621][ T5062]
[ 66.987621][ T5062] the existing dependency chain (in reverse order) is:
[ 66.996625][ T5062]
[ 66.996625][ T5062] -> #3 (&hdev->req_lock){+.+.}-{3:3}:
[ 67.004270][ T5062]        __mutex_lock+0x175/0x9d0
[ 67.009296][ T5062]        hci_dev_do_close+0x26/0x90
[ 67.014587][ T5062]        hci_rfkill_set_block+0x1b9/0x200
[ 67.020308][ T5062]        rfkill_set_block+0x200/0x550
[ 67.025684][ T5062]        rfkill_fop_write+0x2d4/0x570
[ 67.031150][ T5062]        vfs_write+0x2a4/0xdf0
[ 67.035909][ T5062]        ksys_write+0x1f0/0x250
[ 67.040756][ T5062]        __do_fast_syscall_32+0x62/0xe0
[ 67.046306][ T5062]        do_fast_syscall_32+0x33/0x70
[ 67.051681][ T5062]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 67.058535][ T5062]
[ 67.058535][ T5062] -> #2 (rfkill_global_mutex){+.+.}-{3:3}:
[ 67.066526][ T5062]        __mutex_lock+0x175/0x9d0
[ 67.071546][ T5062]        rfkill_register+0x3a/0xb30
[ 67.076745][ T5062]        hci_register_dev+0x43a/0xd40
[ 67.082118][ T5062]        __vhci_create_device+0x393/0x800
[ 67.087845][ T5062]        vhci_write+0x2c7/0x470
[ 67.092705][ T5062]        vfs_write+0x64f/0xdf0
[ 67.097465][ T5062]        ksys_write+0x12f/0x250
[ 67.102312][ T5062]        __do_fast_syscall_32+0x62/0xe0
[ 67.107859][ T5062]        do_fast_syscall_32+0x33/0x70
[ 67.113407][ T5062]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 67.120263][ T5062]
[ 67.120263][ T5062] -> #1 (&data->open_mutex){+.+.}-{3:3}:
[ 67.128080][ T5062]        __mutex_lock+0x175/0x9d0
[ 67.133106][ T5062]        vhci_send_frame+0x67/0xa0
[ 67.138226][ T5062]        hci_send_frame+0x220/0x470
[ 67.143429][ T5062]        hci_tx_work+0x1456/0x1e40
[ 67.148546][ T5062]        process_one_work+0x886/0x15d0
[ 67.154010][ T5062]        worker_thread+0x8b9/0x1290
[ 67.159208][ T5062]        kthread+0x2c6/0x3a0
[ 67.163890][ T5062]        ret_from_fork+0x45/0x80
[ 67.168840][ T5062]        ret_from_fork_asm+0x11/0x20
[ 67.174128][ T5062]
[ 67.174128][ T5062] -> #0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}:
[ 67.183522][ T5062]        __lock_acquire+0x2433/0x3b20
[ 67.188909][ T5062]        lock_acquire+0x1ae/0x520
[ 67.194025][ T5062]        __flush_work+0x103/0xa10
[ 67.199052][ T5062]        hci_dev_close_sync+0x22d/0x1160
[ 67.204717][ T5062]        hci_dev_do_close+0x2e/0x90
[ 67.209913][ T5062]        hci_rfkill_set_block+0x1b9/0x200
[ 67.215630][ T5062]        rfkill_set_block+0x200/0x550
[ 67.221005][ T5062]        rfkill_fop_write+0x2d4/0x570
[ 67.226382][ T5062]        vfs_write+0x2a4/0xdf0
[ 67.231171][ T5062]        ksys_write+0x1f0/0x250
[ 67.236020][ T5062]        __do_fast_syscall_32+0x62/0xe0
[ 67.241570][ T5062]        do_fast_syscall_32+0x33/0x70
[ 67.246941][ T5062]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 67.253791][ T5062]
[ 67.253791][ T5062] other info that might help us debug this:
[ 67.253791][ T5062]
[ 67.264009][ T5062] Chain exists of:
[ 67.264009][ T5062]   (work_completion)(&hdev->tx_work) --> rfkill_global_mutex --> &hdev->req_lock
[ 67.264009][ T5062]
[ 67.279061][ T5062]  Possible unsafe locking scenario:
[ 67.279061][ T5062]
[ 67.286509][ T5062]        CPU0                    CPU1
[ 67.291870][ T5062]        ----                    ----
[ 67.297226][ T5062]   lock(&hdev->req_lock);
[ 67.301639][ T5062]                                lock(rfkill_global_mutex);
[ 67.308915][ T5062]                                lock(&hdev->req_lock);
[ 67.315843][ T5062]   lock((work_completion)(&hdev->tx_work));
[ 67.321818][ T5062]
[ 67.321818][ T5062]  *** DEADLOCK ***
[ 67.321818][ T5062]
[ 67.329951][ T5062] 2 locks held by syz-executor882/5062:
[ 67.335494][ T5062]  #0: ffffffff8ef2caa8 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0x16e/0x570
[ 67.345690][ T5062]  #1: ffff8880786c1108 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x26/0x90
[ 67.355381][ T5062]
[ 67.355381][ T5062] stack backtrace:
[ 67.361272][ T5062] CPU: 0 PID: 5062 Comm: syz-executor882 Not tainted 6.7.0-rc6-syzkaller-00022-g55cb5f43689d #0
[ 67.371775][ T5062] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[ 67.382090][ T5062] Call Trace:
[ 67.385363][ T5062]
[ 67.388288][ T5062]  dump_stack_lvl+0xd9/0x1b0
[ 67.393007][ T5062]  check_noncircular+0x317/0x400
[ 67.397997][ T5062]  ? print_circular_bug+0x5c0/0x5c0
[ 67.403494][ T5062]  ? is_bpf_text_address+0x94/0x1a0
[ 67.408757][ T5062]  ? lockdep_lock+0xc6/0x200
[ 67.413375][ T5062]  ? hlock_class+0x130/0x130
[ 67.417988][ T5062]  __lock_acquire+0x2433/0x3b20
[ 67.422880][ T5062]  ? lockdep_hardirqs_on_prepare+0x420/0x420
[ 67.428876][ T5062]  ? save_trace+0x4e/0xb30
[ 67.433298][ T5062]  ? _find_first_zero_bit+0x94/0xb0
[ 67.438617][ T5062]  lock_acquire+0x1ae/0x520
[ 67.443133][ T5062]  ? __flush_work+0xfa/0xa10
[ 67.447994][ T5062]  ? lock_sync+0x190/0x190
[ 67.452427][ T5062]  ? __flush_work+0xfa/0xa10
[ 67.457031][ T5062]  __flush_work+0x103/0xa10
[ 67.461547][ T5062]  ? __flush_work+0xfa/0xa10
[ 67.466145][ T5062]  ? cancel_delayed_work+0x20/0x20
[ 67.471279][ T5062]  hci_dev_close_sync+0x22d/0x1160
[ 67.476399][ T5062]  ? find_held_lock+0x2d/0x110
[ 67.481171][ T5062]  ? hci_reset_sync+0x50/0x50
[ 67.485848][ T5062]  ? reacquire_held_locks+0x4c0/0x4c0
[ 67.491233][ T5062]  hci_dev_do_close+0x2e/0x90
[ 67.495913][ T5062]  hci_rfkill_set_block+0x1b9/0x200
[ 67.501116][ T5062]  ? lockdep_hardirqs_on+0x7d/0x110
[ 67.506329][ T5062]  ? hci_power_on+0x670/0x670
[ 67.511005][ T5062]  rfkill_set_block+0x200/0x550
[ 67.515863][ T5062]  rfkill_fop_write+0x2d4/0x570
[ 67.520734][ T5062]  ? rfkill_register+0xb30/0xb30
[ 67.525680][ T5062]  ? bpf_lsm_inode_getsecurity+0x10/0x10
[ 67.531317][ T5062]  ? security_file_permission+0x94/0x100
[ 67.536957][ T5062]  vfs_write+0x2a4/0xdf0
[ 67.541218][ T5062]  ? rfkill_register+0xb30/0xb30
[ 67.546189][ T5062]  ? kernel_write+0x6c0/0x6c0
[ 67.550886][ T5062]  ? do_sys_openat2+0xb1/0x1e0
[ 67.555668][ T5062]  ? build_open_flags+0x690/0x690
[ 67.560703][ T5062]  ? find_held_lock+0x2d/0x110
[ 67.565577][ T5062]  ? __fget_light+0x1fc/0x260
[ 67.570256][ T5062]  ksys_write+0x1f0/0x250
[ 67.574597][ T5062]  ? __ia32_sys_read+0xb0/0xb0
[ 67.579367][ T5062]  __do_fast_syscall_32+0x62/0xe0
[ 67.584401][ T5062]  do_fast_syscall_32+0x33/0x70
[ 67.589271][ T5062]  entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[ 67.595629][ T5062] RIP: 0023:0xf7ecf579
[ 67.599694][ T5062] Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
[ 67.619334][ T5062] RSP: 002b:00000000fffb81bc EFLAGS: 00000246 ORIG_RAX: 0000000000000004
[ 67.627748][ T5062] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000040
[ 67.635744][ T5062] RDX: 0000000000000008 RSI: 0000000000000070 RDI: 0000000000000000
[ 67.643776][ T5062] RBP: 00000000fffb8220 R08: 0000000000000000 R09: 0000000000000000
[ 67.651743][ T5062] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 67.659721][ T5062] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 67.667698][ T5062]