Bluetooth: hci5: Opcode 0x0406 failed: -4
Bluetooth: hci5: Opcode 0x0406 failed: -4
efivarfs: resyncing variable state
============================================
WARNING: possible recursive locking detected
6.14.0-rc6-syzkaller-g78e3fd2b7e4b #0 Not tainted
--------------------------------------------
syz.5.135/7271 is trying to acquire lock:
ffff0000d4a0e558 (&sb->s_type->i_mutex_key#32){++++}-{4:4}, at: inode_lock include/linux/fs.h:877 [inline]
ffff0000d4a0e558 (&sb->s_type->i_mutex_key#32){++++}-{4:4}, at: efivarfs_actor+0x1b8/0x2b8 fs/efivarfs/super.c:424

but task is already holding lock:
ffff0000f9840558 (&sb->s_type->i_mutex_key#32){++++}-{4:4}, at: iterate_dir+0x3b4/0x5f4 fs/readdir.c:101

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&sb->s_type->i_mutex_key#32);
  lock(&sb->s_type->i_mutex_key#32);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

3 locks held by syz.5.135/7271:
 #0: ffff80008fc57248 (system_transition_mutex){+.+.}-{4:4}, at: lock_system_sleep+0x68/0xc0 kernel/power/main.c:56
 #1: ffff80008fc75db0 ((pm_chain_head).rwsem){++++}-{4:4}, at: blocking_notifier_call_chain+0x58/0xa0 kernel/notifier.c:379
 #2: ffff0000f9840558 (&sb->s_type->i_mutex_key#32){++++}-{4:4}, at: iterate_dir+0x3b4/0x5f4 fs/readdir.c:101

stack backtrace:
CPU: 1 UID: 0 PID: 7271 Comm: syz.5.135 Not tainted 6.14.0-rc6-syzkaller-g78e3fd2b7e4b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
 dump_stack+0x1c/0x28 lib/dump_stack.c:129
 print_deadlock_bug+0x4e8/0x668 kernel/locking/lockdep.c:3039
 check_deadlock kernel/locking/lockdep.c:3091 [inline]
 validate_chain kernel/locking/lockdep.c:3893 [inline]
 __lock_acquire+0x6240/0x7904 kernel/locking/lockdep.c:5228
 lock_acquire+0x23c/0x724 kernel/locking/lockdep.c:5851
 down_write+0x50/0xc0 kernel/locking/rwsem.c:1577
 inode_lock include/linux/fs.h:877 [inline]
 efivarfs_actor+0x1b8/0x2b8 fs/efivarfs/super.c:424
 dir_emit include/linux/fs.h:3851 [inline]
 dcache_readdir+0x2dc/0x4e8 fs/libfs.c:209
 iterate_dir+0x46c/0x5f4 fs/readdir.c:108
 efivarfs_pm_notify+0x2f4/0x350 fs/efivarfs/super.c:519
 notifier_call_chain+0x1c4/0x550 kernel/notifier.c:85
 blocking_notifier_call_chain+0x70/0xa0 kernel/notifier.c:380
 pm_notifier_call_chain+0x2c/0x3c kernel/power/main.c:109
 snapshot_release+0x128/0x1b8 kernel/power/user.c:125
 __fput+0x340/0x760 fs/file_table.c:464
 ____fput+0x20/0x30 fs/file_table.c:492
 task_work_run+0x230/0x2e0 kernel/task_work.c:227
 get_signal+0x1324/0x1500 kernel/signal.c:2809
 do_signal+0x22c/0x3a04 arch/arm64/kernel/signal.c:1658
 do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
 el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:745
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Unable to handle kernel paging request at virtual address dfff800000000000
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
Mem abort info:
  ESR = 0x0000000096000005
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x05: level 1 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff800000000000] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 UID: 0 PID: 7271 Comm: syz.5.135 Tainted: G W 6.14.0-rc6-syzkaller-g78e3fd2b7e4b #0
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : d_hash_and_lookup+0x74/0x214 fs/dcache.c:2391
lr : d_hash_and_lookup+0x5c/0x214 fs/dcache.c:2390
sp : ffff80009ee77390
x29: ffff80009ee77390 x28: ffff700013dcee7c x27: ffff0000d55d2068
x26: 000000000000002d x25: ffff0000d5d1e000 x24: ffff80009ee77420
x23: ffff80009ee77408 x22: dfff800000000000 x21: 000000005173f8ed
x20: 0000000000000000 x19: ffff80009ee77420 x18: 1fffe000366f6086
x17: ffff80008fbbd000 x16: ffff80008b79f784 x15: ffff700013dcede4
x14: 0000000000000002 x13: 0000000000000009 x12: ffff0000d92adb80
x11: 0000000000080000 x10: 000000000006e906 x9 : e3d3fdb010521091
x8 : 0000000000000000 x7 : 0000000000000000 x6 : ffff80009ee77380
x5 : ffff80009ee77300 x4 : 0000000000000000 x3 : ffffffffffff0a00
x2 : 000000000000002d x1 : 0000000000000005 x0 : 000000005173f8ed
Call trace:
 d_hash_and_lookup+0x74/0x214 fs/dcache.c:2390 (P)
 efivarfs_check_missing+0x2fc/0x554 fs/efivarfs/super.c:456
 efivar_init+0x2ac/0x618 fs/efivarfs/vars.c:426
 efivarfs_pm_notify+0x33c/0x350 fs/efivarfs/super.c:533
 notifier_call_chain+0x1c4/0x550 kernel/notifier.c:85
 blocking_notifier_call_chain+0x70/0xa0 kernel/notifier.c:380
 pm_notifier_call_chain+0x2c/0x3c kernel/power/main.c:109
 snapshot_release+0x128/0x1b8 kernel/power/user.c:125
 __fput+0x340/0x760 fs/file_table.c:464
 ____fput+0x20/0x30 fs/file_table.c:492
 task_work_run+0x230/0x2e0 kernel/task_work.c:227
 get_signal+0x1324/0x1500 kernel/signal.c:2809
 do_signal+0x22c/0x3a04 arch/arm64/kernel/signal.c:1658
 do_notify_resume+0x74/0x1f4 arch/arm64/kernel/entry-common.c:148
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
 el0_svc+0xac/0x168 arch/arm64/kernel/entry-common.c:745
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Code: 38f66908 35000ba8 d343fe88 b9000275 (38f66908)
---[ end trace 0000000000000000 ]---
pstore: backend (efi_pstore) writing error (-16)
----------------
Code disassembly (best guess):
   0:	38f66908 	ldrsb	w8, [x8, x22]
   4:	35000ba8 	cbnz	w8, 0x178
   8:	d343fe88 	lsr	x8, x20, #3
   c:	b9000275 	str	w21, [x19]
* 10:	38f66908 	ldrsb	w8, [x8, x22] <-- trapping instruction