====================================================== WARNING: possible circular locking dependency detected 4.14.198-syzkaller #0 Not tainted ------------------------------------------------------ syz-executor.1/542 is trying to acquire lock: ("%s"hdev->name#2){+.+.}, at: [] start_flush_work kernel/workqueue.c:2860 [inline] ("%s"hdev->name#2){+.+.}, at: [] flush_work+0x387/0x770 kernel/workqueue.c:2892 but task is already holding lock: (&hdev->lock){+.+.}, at: [] hci_dev_do_close+0x210/0xc50 net/bluetooth/hci_core.c:1607 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (&hdev->lock){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 hci_cc_write_scan_enable net/bluetooth/hci_event.c:360 [inline] hci_cmd_complete_evt+0x4f1a/0x9590 net/bluetooth/hci_event.c:2839 hci_event_packet+0x1a5d/0x7d1d net/bluetooth/hci_event.c:5321 hci_rx_work+0x3e6/0x970 net/bluetooth/hci_core.c:4244 process_one_work+0x793/0x14a0 kernel/workqueue.c:2116 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250 kthread+0x30d/0x420 kernel/kthread.c:232 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404 -> #1 ((&hdev->rx_work)){+.+.}: process_one_work+0x736/0x14a0 kernel/workqueue.c:2092 worker_thread+0x5cc/0xff0 kernel/workqueue.c:2250 kthread+0x30d/0x420 kernel/kthread.c:232 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404 -> #0 ("%s"hdev->name#2){+.+.}: lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 start_flush_work kernel/workqueue.c:2861 [inline] flush_work+0x3ac/0x770 kernel/workqueue.c:2892 __cancel_work_timer+0x321/0x460 kernel/workqueue.c:2964 hci_conn_del+0x43/0x620 net/bluetooth/hci_conn.c:575 hci_conn_hash_flush+0x189/0x220 net/bluetooth/hci_conn.c:1377 hci_dev_do_close+0x542/0xc50 net/bluetooth/hci_core.c:1620 hci_rfkill_set_block net/bluetooth/hci_core.c:2050 [inline] hci_rfkill_set_block+0x94/0xe0 net/bluetooth/hci_core.c:2037 rfkill_set_block+0x1b2/0x4a0 net/rfkill/core.c:337 rfkill_fop_write+0x1b6/0x3c0 net/rfkill/core.c:1233 __vfs_write+0xe4/0x630 fs/read_write.c:480 __kernel_write+0xf5/0x330 fs/read_write.c:501 write_pipe_buf+0x143/0x1c0 fs/splice.c:797 splice_from_pipe_feed fs/splice.c:502 [inline] __splice_from_pipe+0x326/0x7a0 fs/splice.c:626 splice_from_pipe fs/splice.c:661 [inline] default_file_splice_write+0xc5/0x150 fs/splice.c:809 do_splice_from fs/splice.c:851 [inline] direct_splice_actor+0x115/0x160 fs/splice.c:1018 splice_direct_to_actor+0x27c/0x730 fs/splice.c:973 do_splice_direct+0x164/0x210 fs/splice.c:1061 do_sendfile+0x47f/0xb30 fs/read_write.c:1441 SYSC_sendfile64 fs/read_write.c:1496 [inline] SyS_sendfile64+0x9b/0x110 fs/read_write.c:1488 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb other info that might help us debug this: Chain exists of: "%s"hdev->name#2 --> (&hdev->rx_work) --> &hdev->lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&hdev->lock); lock((&hdev->rx_work)); lock(&hdev->lock); lock("%s"hdev->name#2); *** DEADLOCK *** 3 locks held by syz-executor.1/542: #0: (rfkill_global_mutex){+.+.}, at: [] rfkill_fop_write+0xbf/0x3c0 net/rfkill/core.c:1225 #1: (&hdev->req_lock){+.+.}, at: [] hci_dev_do_close+0xfd/0xc50 net/bluetooth/hci_core.c:1576 #2: (&hdev->lock){+.+.}, at: [] hci_dev_do_close+0x210/0xc50 net/bluetooth/hci_core.c:1607 stack backtrace: CPU: 1 PID: 542 Comm: syz-executor.1 Not tainted 4.14.198-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x283 lib/dump_stack.c:58 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258 check_prev_add kernel/locking/lockdep.c:1905 [inline] check_prevs_add kernel/locking/lockdep.c:2022 [inline] validate_chain kernel/locking/lockdep.c:2464 [inline] __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 start_flush_work kernel/workqueue.c:2861 [inline] flush_work+0x3ac/0x770 kernel/workqueue.c:2892 __cancel_work_timer+0x321/0x460 kernel/workqueue.c:2964 hci_conn_del+0x43/0x620 net/bluetooth/hci_conn.c:575 hci_conn_hash_flush+0x189/0x220 net/bluetooth/hci_conn.c:1377 hci_dev_do_close+0x542/0xc50 net/bluetooth/hci_core.c:1620 hci_rfkill_set_block net/bluetooth/hci_core.c:2050 [inline] hci_rfkill_set_block+0x94/0xe0 net/bluetooth/hci_core.c:2037 rfkill_set_block+0x1b2/0x4a0 net/rfkill/core.c:337 rfkill_fop_write+0x1b6/0x3c0 net/rfkill/core.c:1233 __vfs_write+0xe4/0x630 fs/read_write.c:480 __kernel_write+0xf5/0x330 fs/read_write.c:501 write_pipe_buf+0x143/0x1c0 fs/splice.c:797 splice_from_pipe_feed fs/splice.c:502 [inline] __splice_from_pipe+0x326/0x7a0 fs/splice.c:626 splice_from_pipe fs/splice.c:661 [inline] default_file_splice_write+0xc5/0x150 fs/splice.c:809 do_splice_from fs/splice.c:851 [inline] direct_splice_actor+0x115/0x160 fs/splice.c:1018 splice_direct_to_actor+0x27c/0x730 fs/splice.c:973 do_splice_direct+0x164/0x210 fs/splice.c:1061 do_sendfile+0x47f/0xb30 fs/read_write.c:1441 SYSC_sendfile64 fs/read_write.c:1496 [inline] SyS_sendfile64+0x9b/0x110 fs/read_write.c:1488 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x45de59 RSP: 002b:00007fb1387d0c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 RAX: ffffffffffffffda RBX: 0000000000027ec0 RCX: 000000000045de59 RDX: 0000000020000000 RSI: 0000000000000005 RDI: 0000000000000004 RBP: 000000000118bf68 R08: 0000000000000000 R09: 0000000000000000 R10: 7fffffffffffffff R11: 0000000000000246 R12: 000000000118bf2c R13: 00007ffcac60f0cf R14: 00007fb1387d19c0 R15: 000000000118bf2c ieee80211 phy16: mac80211_hwsim_bss_info_changed(changed=0xa00 vif->addr=02:00:00:00:10:00) ieee80211 phy16: BCN EN: 0 (BI=100) ieee80211 phy16: beaconing vifs remaining: 0 ieee80211 phy16: mac80211_hwsim_bss_info_changed(changed=0x4000 vif->addr=02:00:00:00:10:00) ieee80211 phy16: mac80211_hwsim_config (freq=2412(2412 - 0)/noht idle=0 ps=0 smps=static) ieee80211 phy16: mac80211_hwsim_config (freq=2412(2412 - 0)/noht idle=1 ps=0 smps=static) ieee80211 phy16: mac80211_hwsim_remove_interface (type=1 mac_addr=02:00:00:00:10:00) ieee80211 phy16: mac80211_hwsim_stop ieee80211 phy17: mac80211_hwsim_bss_info_changed(changed=0xa00 vif->addr=02:00:00:00:11:00) ieee80211 phy17: BCN EN: 0 (BI=100) ieee80211 phy17: beaconing vifs remaining: 0 ieee80211 phy17: mac80211_hwsim_bss_info_changed(changed=0x4000 vif->addr=02:00:00:00:11:00) ieee80211 phy17: mac80211_hwsim_config (freq=2412(2412 - 0)/noht idle=0 ps=0 smps=static) ieee80211 phy17: mac80211_hwsim_config (freq=2412(2412 - 0)/noht idle=1 ps=0 smps=static) ieee80211 phy17: mac80211_hwsim_remove_interface (type=1 mac_addr=02:00:00:00:11:00) ieee80211 phy17: mac80211_hwsim_stop ieee80211 phy18: mac80211_hwsim_bss_info_changed(changed=0xa00 vif->addr=02:00:00:00:12:00) ieee80211 phy18: BCN EN: 0 (BI=100) ieee80211 phy18: beaconing vifs remaining: 0 ieee80211 phy18: mac80211_hwsim_bss_info_changed(changed=0x4000 vif->addr=02:00:00:00:12:00) ieee80211 phy18: mac80211_hwsim_config (freq=2412(2412 - 0)/noht idle=0 ps=0 smps=static) ieee80211 phy18: mac80211_hwsim_config (freq=2412(2412 - 0)/noht idle=1 ps=0 smps=static) ieee80211 phy18: mac80211_hwsim_remove_interface (type=1 mac_addr=02:00:00:00:12:00) ieee80211 phy18: mac80211_hwsim_stop ieee80211 phy19: mac80211_hwsim_bss_info_changed(changed=0xa00 vif->addr=02:00:00:00:13:00) ieee80211 phy19: BCN EN: 0 (BI=100) ieee80211 phy19: beaconing vifs remaining: 0 ieee80211 phy19: mac80211_hwsim_bss_info_changed(changed=0x4000 vif->addr=02:00:00:00:13:00) ieee80211 phy19: mac80211_hwsim_config (freq=2412(2412 - 0)/noht idle=0 ps=0 smps=static) EXT4-fs (loop5): mounted filesystem without journal. Opts: ,errors=continue ieee80211 phy19: mac80211_hwsim_config (freq=2412(2412 - 0)/noht idle=1 ps=0 smps=static) ieee80211 phy19: mac80211_hwsim_remove_interface (type=1 mac_addr=02:00:00:00:13:00) ieee80211 phy19: mac80211_hwsim_stop ieee80211 phy32: mac80211_hwsim_bss_info_changed(changed=0xa00 vif->addr=02:00:00:00:20:00) ieee80211 phy32: BCN EN: 0 (BI=100) ieee80211 phy32: beaconing vifs remaining: 0 ieee80211 phy32: mac80211_hwsim_bss_info_changed(changed=0x4000 vif->addr=02:00:00:00:20:00) ieee80211 phy32: mac80211_hwsim_config (freq=2412(2412 - 0)/noht idle=0 ps=0 smps=static) ieee80211 phy32: mac80211_hwsim_config (freq=2412(2412 - 0)/noht idle=1 ps=0 smps=static) ieee80211 phy32: mac80211_hwsim_remove_interface (type=1 mac_addr=02:00:00:00:20:00) ieee80211 phy32: mac80211_hwsim_stop ieee80211 phy33: mac80211_hwsim_bss_info_changed(changed=0xa00 vif->addr=02:00:00:00:21:00) ieee80211 phy33: BCN EN: 0 (BI=100) ieee80211 phy33: beaconing vifs remaining: 0 ieee80211 phy33: mac80211_hwsim_bss_info_changed(changed=0x4000 vif->addr=02:00:00:00:21:00) ieee80211 phy33: mac80211_hwsim_config (freq=2412(2412 - 0)/noht idle=0 ps=0 smps=static) ieee80211 phy33: mac80211_hwsim_config (freq=2412(2412 - 0)/noht idle=1 ps=0 smps=static) ieee80211 phy33: mac80211_hwsim_remove_interface (type=1 mac_addr=02:00:00:00:21:00) ieee80211 phy33: mac80211_hwsim_stop ieee80211 phy34: mac80211_hwsim_bss_info_changed(changed=0xa00 vif->addr=02:00:00:00:22:00) ieee80211 phy34: BCN EN: 0 (BI=100) ieee80211 phy34: beaconing vifs remaining: 0 ieee80211 phy34: mac80211_hwsim_bss_info_changed(changed=0x4000 vif->addr=02:00:00:00:22:00) ieee80211 phy34: mac80211_hwsim_config (freq=2412(2412 - 0)/noht idle=0 ps=0 smps=static) ieee80211 phy34: mac80211_hwsim_config (freq=2412(2412 - 0)/noht idle=1 ps=0 smps=static) ieee80211 phy34: mac80211_hwsim_remove_interface (type=1 mac_addr=02:00:00:00:22:00) ieee80211 phy34: mac80211_hwsim_stop ieee80211 phy35: mac80211_hwsim_bss_info_changed(changed=0xa00 vif->addr=02:00:00:00:23:00) ieee80211 phy35: BCN EN: 0 (BI=100) ieee80211 phy35: beaconing vifs remaining: 0 ieee80211 phy35: mac80211_hwsim_bss_info_changed(changed=0x4000 vif->addr=02:00:00:00:23:00) ieee80211 phy35: mac80211_hwsim_config (freq=2412(2412 - 0)/noht idle=0 ps=0 smps=static) ieee80211 phy35: mac80211_hwsim_config (freq=2412(2412 - 0)/noht idle=1 ps=0 smps=static) ieee80211 phy35: mac80211_hwsim_remove_interface (type=1 mac_addr=02:00:00:00:23:00) ieee80211 phy35: mac80211_hwsim_stop ieee80211 phy38: mac80211_hwsim_bss_info_changed(changed=0xa00 vif->addr=02:00:00:00:26:00) ieee80211 phy38: BCN EN: 0 (BI=100) ieee80211 phy38: beaconing vifs remaining: 0 ieee80211 phy38: mac80211_hwsim_bss_info_changed(changed=0x4000 vif->addr=02:00:00:00:26:00) ieee80211 phy38: mac80211_hwsim_config (freq=2412(2412 - 0)/noht idle=0 ps=0 smps=static) ieee80211 phy38: mac80211_hwsim_config (freq=2412(2412 - 0)/noht idle=1 ps=0 smps=static) ieee80211 phy38: mac80211_hwsim_remove_interface (type=1 mac_addr=02:00:00:00:26:00) ieee80211 phy38: mac80211_hwsim_stop ieee80211 phy39: mac80211_hwsim_bss_info_changed(changed=0xa00 vif->addr=02:00:00:00:27:00) ieee80211 phy39: BCN EN: 0 (BI=100) ieee80211 phy39: beaconing vifs remaining: 0 ieee80211 phy39: mac80211_hwsim_bss_info_changed(changed=0x4000 vif->addr=02:00:00:00:27:00) ieee80211 phy39: mac80211_hwsim_config (freq=2412(2412 - 0)/noht idle=0 ps=0 smps=static) ieee80211 phy39: mac80211_hwsim_config (freq=2412(2412 - 0)/noht idle=1 ps=0 smps=static) ieee80211 phy39: mac80211_hwsim_remove_interface (type=1 mac_addr=02:00:00:00:27:00) ieee80211 phy39: mac80211_hwsim_stop netlink: 41519 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 41519 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 41143 bytes leftover after parsing attributes in process `syz-executor.1'. A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check. netlink: 41519 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 41143 bytes leftover after parsing attributes in process `syz-executor.1'. A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check. netlink: 41519 bytes leftover after parsing attributes in process `syz-executor.0'. netlink: 41143 bytes leftover after parsing attributes in process `syz-executor.5'. A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check. EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue netlink: 41143 bytes leftover after parsing attributes in process `syz-executor.1'. A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check. netlink: 41143 bytes leftover after parsing attributes in process `syz-executor.5'. A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check. netlink: 41143 bytes leftover after parsing attributes in process `syz-executor.5'. EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check. EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue MINIX-fs: bad superblock or unable to read bitmaps MINIX-fs: bad superblock or unable to read bitmaps MINIX-fs: bad superblock or unable to read bitmaps MINIX-fs: bad superblock or unable to read bitmaps MINIX-fs: bad superblock or unable to read bitmaps print_req_error: I/O error, dev loop0, sector 0 Buffer I/O error on dev loop0, logical block 0, async page read sch_fq: defrate 0 ignored. sch_fq: defrate 0 ignored. sch_fq: defrate 0 ignored. sch_fq: defrate 0 ignored. sch_fq: defrate 0 ignored. EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue Unknown ioctl 44672 EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue EXT4-fs (loop0): mounted filesystem without journal. Opts: ,errors=continue EXT4-fs (loop1): mounted filesystem without journal. Opts: ,errors=continue