Bluetooth: hci0: link tx timeout
Bluetooth: hci0: killing stalled connection 10:aa:aa:aa:aa:aa
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580
in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 47, name: kworker/u5:0
preempt_count: 0, expected: 0
RCU nest depth: 1, expected: 0
3 locks held by kworker/u5:0/47:
 #0: ffff0000d4a3a138 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x664/0x1404 kernel/workqueue.c:2265
 #1: ffff80001b347c20 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}, at: process_one_work+0x6a8/0x1404 kernel/workqueue.c:2267
 #2: ffff800015a24ca0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:349
CPU: 1 PID: 47 Comm: kworker/u5:0 Not tainted 6.1.87-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Workqueue: hci0 hci_tx_work
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 dump_stack+0x1c/0x5c lib/dump_stack.c:113
 __might_resched+0x37c/0x4d8 kernel/sched/core.c:9942
 __might_sleep+0x90/0xe4 kernel/sched/core.c:9871
 __mutex_lock_common+0xcc/0x21a0 kernel/locking/mutex.c:580
 __mutex_lock kernel/locking/mutex.c:747 [inline]
 mutex_lock_nested+0x38/0x44 kernel/locking/mutex.c:799
 hci_cmd_sync_submit+0x4c/0x230 net/bluetooth/hci_sync.c:702
 hci_cmd_sync_queue+0x84/0x9c net/bluetooth/hci_sync.c:742
 hci_abort_conn+0x19c/0x2f8 net/bluetooth/hci_conn.c:2821
 hci_disconnect+0xe4/0x288 net/bluetooth/hci_conn.c:255
 hci_link_tx_to net/bluetooth/hci_core.c:3455 [inline]
 __check_timeout+0x2d8/0x3fc net/bluetooth/hci_core.c:3601
 hci_sched_acl_pkt net/bluetooth/hci_core.c:3659 [inline]
 hci_sched_acl net/bluetooth/hci_core.c:3762 [inline]
 hci_tx_work+0xa30/0x18e4 net/bluetooth/hci_core.c:3861
 process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
 worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864

=============================
[ BUG: Invalid wait context ]
6.1.87-syzkaller #0 Tainted: G W
-----------------------------
kworker/u5:0/47 is trying to lock:
ffff0000dde5c9b0 (&hdev->unregister_lock){+.+.}-{3:3}, at: hci_cmd_sync_submit+0x4c/0x230 net/bluetooth/hci_sync.c:702
other info that might help us debug this:
context-{4:4}
3 locks held by kworker/u5:0/47:
 #0: ffff0000d4a3a138 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x664/0x1404 kernel/workqueue.c:2265
 #1: ffff80001b347c20 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}, at: process_one_work+0x6a8/0x1404 kernel/workqueue.c:2267
 #2: ffff800015a24ca0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:349
stack backtrace:
CPU: 1 PID: 47 Comm: kworker/u5:0 Tainted: G W 6.1.87-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Workqueue: hci0 hci_tx_work
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 dump_stack+0x1c/0x5c lib/dump_stack.c:113
 print_lock_invalid_wait_context kernel/locking/lockdep.c:4701 [inline]
 check_wait_context kernel/locking/lockdep.c:4762 [inline]
 __lock_acquire+0x1b14/0x7680 kernel/locking/lockdep.c:4999
 lock_acquire+0x26c/0x7cc kernel/locking/lockdep.c:5662
 __mutex_lock_common+0x190/0x21a0 kernel/locking/mutex.c:603
 __mutex_lock kernel/locking/mutex.c:747 [inline]
 mutex_lock_nested+0x38/0x44 kernel/locking/mutex.c:799
 hci_cmd_sync_submit+0x4c/0x230 net/bluetooth/hci_sync.c:702
 hci_cmd_sync_queue+0x84/0x9c net/bluetooth/hci_sync.c:742
 hci_abort_conn+0x19c/0x2f8 net/bluetooth/hci_conn.c:2821
 hci_disconnect+0xe4/0x288 net/bluetooth/hci_conn.c:255
 hci_link_tx_to net/bluetooth/hci_core.c:3455 [inline]
 __check_timeout+0x2d8/0x3fc net/bluetooth/hci_core.c:3601
 hci_sched_acl_pkt net/bluetooth/hci_core.c:3659 [inline]
 hci_sched_acl net/bluetooth/hci_core.c:3762 [inline]
 hci_tx_work+0xa30/0x18e4 net/bluetooth/hci_core.c:3861
 process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
 worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864
Bluetooth: hci0: link tx timeout
Bluetooth: hci0: killing stalled connection 11:aa:aa:aa:aa:aa
Bluetooth: hci0: command 0x0406 tx timeout