Warning: Permanently added '10.128.1.94' (ED25519) to the list of known hosts.
[   67.475980][   T50] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   67.483996][   T50] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   67.491565][   T50] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   67.499651][   T50] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   67.507332][   T50] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[   67.515113][   T50] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
executing program
[   67.636299][ T5064]
[   67.638663][ T5064] ======================================================
[   67.645688][ T5064] WARNING: possible circular locking dependency detected
[   67.652702][ T5064] 6.7.0-rc6-syzkaller #0 Not tainted
[   67.657978][ T5064] ------------------------------------------------------
[   67.664987][ T5064] syz-executor279/5064 is trying to acquire lock:
[   67.671388][ T5064] ffff888021a40e10 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}, at: __flush_work+0xfa/0xa10
[   67.681858][ T5064]
[   67.681858][ T5064] but task is already holding lock:
[   67.689225][ T5064] ffff888021a41108 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x26/0x90
[   67.698387][ T5064]
[   67.698387][ T5064] which lock already depends on the new lock.
[   67.698387][ T5064]
[   67.708779][ T5064]
[   67.708779][ T5064] the existing dependency chain (in reverse order) is:
[   67.717781][ T5064]
[   67.717781][ T5064] -> #3 (&hdev->req_lock){+.+.}-{3:3}:
[   67.725442][ T5064]        __mutex_lock+0x175/0x9d0
[   67.730467][ T5064]        hci_dev_do_close+0x26/0x90
[   67.735666][ T5064]        hci_rfkill_set_block+0x1b9/0x200
[   67.741381][ T5064]        rfkill_set_block+0x200/0x550
[   67.746762][ T5064]        rfkill_fop_write+0x2d4/0x570
[   67.752138][ T5064]        vfs_write+0x2a4/0xdf0
[   67.756901][ T5064]        ksys_write+0x1f0/0x250
[   67.761753][ T5064]        __do_fast_syscall_32+0x62/0xe0
[   67.767306][ T5064]        do_fast_syscall_32+0x33/0x70
[   67.772682][ T5064]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[   67.779531][ T5064]
[   67.779531][ T5064] -> #2 (rfkill_global_mutex){+.+.}-{3:3}:
[   67.787533][ T5064]        __mutex_lock+0x175/0x9d0
[   67.792560][ T5064]        rfkill_register+0x3a/0xb30
[   67.797763][ T5064]        hci_register_dev+0x43a/0xd40
[   67.803138][ T5064]        __vhci_create_device+0x393/0x800
[   67.808866][ T5064]        vhci_write+0x2c7/0x470
[   67.813721][ T5064]        vfs_write+0x64f/0xdf0
[   67.818481][ T5064]        ksys_write+0x12f/0x250
[   67.823331][ T5064]        __do_fast_syscall_32+0x62/0xe0
[   67.828887][ T5064]        do_fast_syscall_32+0x33/0x70
[   67.834263][ T5064]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[   67.841114][ T5064]
[   67.841114][ T5064] -> #1 (&data->open_mutex){+.+.}-{3:3}:
[   67.848941][ T5064]        __mutex_lock+0x175/0x9d0
[   67.853967][ T5064]        vhci_send_frame+0x67/0xa0
[   67.859083][ T5064]        hci_send_frame+0x220/0x470
[   67.864279][ T5064]        hci_tx_work+0x1456/0x1e40
[   67.869384][ T5064]        process_one_work+0x886/0x15d0
[   67.874843][ T5064]        worker_thread+0x8b9/0x1290
[   67.880040][ T5064]        kthread+0x2c6/0x3a0
[   67.884629][ T5064]        ret_from_fork+0x45/0x80
[   67.889568][ T5064]        ret_from_fork_asm+0x11/0x20
[   67.894854][ T5064]
[   67.894854][ T5064] -> #0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}:
[   67.904063][ T5064]        __lock_acquire+0x2433/0x3b20
[   67.909438][ T5064]        lock_acquire+0x1ae/0x520
[   67.914479][ T5064]        __flush_work+0x103/0xa10
[   67.919605][ T5064]        hci_dev_close_sync+0x22d/0x1160
[   67.925243][ T5064]        hci_dev_do_close+0x2e/0x90
[   67.930445][ T5064]        hci_rfkill_set_block+0x1b9/0x200
[   67.936170][ T5064]        rfkill_set_block+0x200/0x550
[   67.941545][ T5064]        rfkill_fop_write+0x2d4/0x570
[   67.946921][ T5064]        vfs_write+0x2a4/0xdf0
[   67.951681][ T5064]        ksys_write+0x1f0/0x250
[   67.956529][ T5064]        __do_fast_syscall_32+0x62/0xe0
[   67.962077][ T5064]        do_fast_syscall_32+0x33/0x70
[   67.967449][ T5064]        entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[   67.974300][ T5064]
[   67.974300][ T5064] other info that might help us debug this:
[   67.974300][ T5064]
[   67.984515][ T5064] Chain exists of:
[   67.984515][ T5064]   (work_completion)(&hdev->tx_work) --> rfkill_global_mutex --> &hdev->req_lock
[   67.984515][ T5064]
[   67.999461][ T5064]  Possible unsafe locking scenario:
[   67.999461][ T5064]
[   68.006901][ T5064]        CPU0                    CPU1
[   68.012253][ T5064]        ----                    ----
[   68.017603][ T5064]   lock(&hdev->req_lock);
[   68.022012][ T5064]                                lock(rfkill_global_mutex);
[   68.029286][ T5064]                                lock(&hdev->req_lock);
[   68.036214][ T5064]   lock((work_completion)(&hdev->tx_work));
[   68.042186][ T5064]
[   68.042186][ T5064]  *** DEADLOCK ***
[   68.042186][ T5064]
[   68.050320][ T5064] 2 locks held by syz-executor279/5064:
[   68.055852][ T5064]  #0: ffffffff8ef2ca28 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0x16e/0x570
[   68.065966][ T5064]  #1: ffff888021a41108 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close+0x26/0x90
[   68.075541][ T5064]
[   68.075541][ T5064] stack backtrace:
[   68.081414][ T5064] CPU: 0 PID: 5064 Comm: syz-executor279 Not tainted 6.7.0-rc6-syzkaller #0
[   68.090092][ T5064] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
[   68.100156][ T5064] Call Trace:
[   68.103435][ T5064]
[   68.106367][ T5064]  dump_stack_lvl+0xd9/0x1b0
[   68.110968][ T5064]  check_noncircular+0x317/0x400
[   68.115918][ T5064]  ? print_circular_bug+0x5c0/0x5c0
[   68.121124][ T5064]  ? is_bpf_text_address+0x94/0x1a0
[   68.126334][ T5064]  ? lockdep_lock+0xc6/0x200
[   68.130944][ T5064]  ? hlock_class+0x130/0x130
[   68.135552][ T5064]  __lock_acquire+0x2433/0x3b20
[   68.140418][ T5064]  ? lockdep_hardirqs_on_prepare+0x420/0x420
[   68.146410][ T5064]  ? save_trace+0x4e/0xb30
[   68.150834][ T5064]  ? _find_first_zero_bit+0x94/0xb0
[   68.156043][ T5064]  lock_acquire+0x1ae/0x520
[   68.160560][ T5064]  ? __flush_work+0xfa/0xa10
[   68.165161][ T5064]  ? lock_sync+0x190/0x190
[   68.169590][ T5064]  ? __flush_work+0xfa/0xa10
[   68.174200][ T5064]  __flush_work+0x103/0xa10
[   68.178720][ T5064]  ? __flush_work+0xfa/0xa10
[   68.183324][ T5064]  ? cancel_delayed_work+0x20/0x20
[   68.188458][ T5064]  hci_dev_close_sync+0x22d/0x1160
[   68.193571][ T5064]  ? find_held_lock+0x2d/0x110
[   68.198350][ T5064]  ? hci_reset_sync+0x50/0x50
[   68.203029][ T5064]  ? reacquire_held_locks+0x4c0/0x4c0
[   68.208418][ T5064]  hci_dev_do_close+0x2e/0x90
[   68.213097][ T5064]  hci_rfkill_set_block+0x1b9/0x200
[   68.218294][ T5064]  ? lockdep_hardirqs_on+0x7d/0x110
[   68.223505][ T5064]  ? hci_power_on+0x670/0x670
[   68.228186][ T5064]  rfkill_set_block+0x200/0x550
[   68.233044][ T5064]  rfkill_fop_write+0x2d4/0x570
[   68.237901][ T5064]  ? rfkill_register+0xb30/0xb30
[   68.242840][ T5064]  ? bpf_lsm_inode_remove_acl+0x10/0x10
[   68.248400][ T5064]  ? security_file_permission+0x94/0x100
[   68.254044][ T5064]  vfs_write+0x2a4/0xdf0
[   68.258285][ T5064]  ? rfkill_register+0xb30/0xb30
[   68.263225][ T5064]  ? kernel_write+0x6c0/0x6c0
[   68.267899][ T5064]  ? do_sys_openat2+0xb1/0x1e0
[   68.272667][ T5064]  ? build_open_flags+0x690/0x690
[   68.277695][ T5064]  ? find_held_lock+0x2d/0x110
[   68.282471][ T5064]  ? __fget_light+0x1fc/0x260
[   68.287149][ T5064]  ksys_write+0x1f0/0x250
[   68.291479][ T5064]  ? __ia32_sys_read+0xb0/0xb0
[   68.296243][ T5064]  __do_fast_syscall_32+0x62/0xe0
[   68.301273][ T5064]  do_fast_syscall_32+0x33/0x70
[   68.306129][ T5064]  entry_SYSENTER_compat_after_hwframe+0x70/0x7a
[   68.312459][ T5064] RIP: 0023:0xf7e8d579
[   68.316523][ T5064] Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
[   68.336127][ T5064] RSP: 002b:00000000ffe84bfc EFLAGS: 00000246 ORIG_RAX: 0000000000000004
[   68.344537][ T5064] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000100
[   68.352504][ T5064] RDX: 0000000000000008 RSI: 0000000000000070 RDI: 0000000000000000
[   68.360471][ T5064] RBP: 00000000ffe84c60 R08: 0000000000000000 R09: 0000000000000000
[   68.368437][ T5064] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   68.376402][ T5064] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   68.384383][ T5064]