======================================================
WARNING: possible circular locking dependency detected
6.10.0-next-20240719-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor/7028 is trying to acquire lock:
ffff888023be8078 (&hdev->lock){+.+.}-{3:3}, at: mgmt_set_connectable_complete+0xaf/0x500 net/bluetooth/mgmt.c:1685

but task is already holding lock:
ffff888023be8690 (&hdev->cmd_sync_work_lock){+.+.}-{3:3}, at: hci_cmd_sync_clear+0x4e/0x220 net/bluetooth/hci_sync.c:654

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&hdev->cmd_sync_work_lock){+.+.}-{3:3}:
       lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5822
       __mutex_lock_common kernel/locking/mutex.c:608 [inline]
       __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
       hci_cmd_sync_lookup_entry net/bluetooth/hci_sync.c:796 [inline]
       hci_cmd_sync_queue_once+0x43/0x240 net/bluetooth/hci_sync.c:778
       le_conn_complete_evt+0xae1/0x12e0 net/bluetooth/hci_event.c:5775
       hci_le_conn_complete_evt+0x18c/0x420 net/bluetooth/hci_event.c:5786
       hci_event_func net/bluetooth/hci_event.c:7442 [inline]
       hci_event_packet+0xa55/0x1540 net/bluetooth/hci_event.c:7497
       hci_rx_work+0x3e8/0xca0 net/bluetooth/hci_core.c:4029
       process_one_work kernel/workqueue.c:3231 [inline]
       process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
       worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
       kthread+0x2f0/0x390 kernel/kthread.c:389
       ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:144
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

-> #0 (&hdev->lock){+.+.}-{3:3}:
       check_prev_add kernel/locking/lockdep.c:3158 [inline]
       check_prevs_add kernel/locking/lockdep.c:3277 [inline]
       validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3901
       __lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5199
       lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5822
       __mutex_lock_common kernel/locking/mutex.c:608 [inline]
       __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
       mgmt_set_connectable_complete+0xaf/0x500 net/bluetooth/mgmt.c:1685
       _hci_cmd_sync_cancel_entry net/bluetooth/hci_sync.c:641 [inline]
       hci_cmd_sync_clear+0x107/0x220 net/bluetooth/hci_sync.c:656
       hci_unregister_dev+0x181/0x510 net/bluetooth/hci_core.c:2695
       vhci_release+0x83/0xd0 drivers/bluetooth/hci_vhci.c:666
       __fput+0x24a/0x8a0 fs/file_table.c:422
       task_work_run+0x24f/0x310 kernel/task_work.c:222
       exit_task_work include/linux/task_work.h:40 [inline]
       do_exit+0xa2f/0x27f0 kernel/exit.c:882
       do_group_exit+0x207/0x2c0 kernel/exit.c:1031
       get_signal+0x16a1/0x1740 kernel/signal.c:2917
       arch_do_signal_or_restart+0x96/0x830 arch/x86/kernel/signal.c:310
       exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
       exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
       __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
       syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
       do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&hdev->cmd_sync_work_lock);
                               lock(&hdev->lock);
                               lock(&hdev->cmd_sync_work_lock);
  lock(&hdev->lock);

 *** DEADLOCK ***

1 lock held by syz-executor/7028:
 #0: ffff888023be8690 (&hdev->cmd_sync_work_lock){+.+.}-{3:3}, at: hci_cmd_sync_clear+0x4e/0x220 net/bluetooth/hci_sync.c:654

stack backtrace:
CPU: 0 UID: 0 PID: 7028 Comm: syz-executor Not tainted 6.10.0-next-20240719-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_circular_bug+0x13a/0x1b0 kernel/locking/lockdep.c:2074
 check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2203
 check_prev_add kernel/locking/lockdep.c:3158 [inline]
 check_prevs_add kernel/locking/lockdep.c:3277 [inline]
 validate_chain+0x18ef/0x5920 kernel/locking/lockdep.c:3901
 __lock_acquire+0x1384/0x2050 kernel/locking/lockdep.c:5199
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5822
 __mutex_lock_common kernel/locking/mutex.c:608 [inline]
 __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
 mgmt_set_connectable_complete+0xaf/0x500 net/bluetooth/mgmt.c:1685
 _hci_cmd_sync_cancel_entry net/bluetooth/hci_sync.c:641 [inline]
 hci_cmd_sync_clear+0x107/0x220 net/bluetooth/hci_sync.c:656
 hci_unregister_dev+0x181/0x510 net/bluetooth/hci_core.c:2695
 vhci_release+0x83/0xd0 drivers/bluetooth/hci_vhci.c:666
 __fput+0x24a/0x8a0 fs/file_table.c:422
 task_work_run+0x24f/0x310 kernel/task_work.c:222
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0xa2f/0x27f0 kernel/exit.c:882
 do_group_exit+0x207/0x2c0 kernel/exit.c:1031
 get_signal+0x16a1/0x1740 kernel/signal.c:2917
 arch_do_signal_or_restart+0x96/0x830 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc096d6be57
Code: Unable to access opcode bytes at 0x7fc096d6be2d.
RSP: 002b:00007ffc4d5c6ed0 EFLAGS: 00000293 ORIG_RAX: 000000000000003d
RAX: fffffffffffffe00 RBX: 0000000000000024 RCX: 00007fc096d6be57
RDX: 0000000040000000 RSI: 00007ffc4d5c6f4c RDI: 00000000ffffffff
RBP: 00007ffc4d5c6f4c R08: 0000000000000000 R09: 7fffffffffffffff
R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffc4d5c6fc0
R13: 000055558c2e55eb R14: 000055558c2e5590 R15: 000000000003c24c