wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
Bluetooth: hci0: command 0x0409 tx timeout
Bluetooth: hci0: command 0x041b tx timeout
======================================================
WARNING: possible circular locking dependency detected
4.19.211-syzkaller #0 Not tainted
------------------------------------------------------
kworker/u4:2/68 is trying to acquire lock:
000000009d2f4445 (&rs->rs_recv_lock){...-}, at: rds_wake_sk_sleep+0x1d/0xc0 net/rds/af_rds.c:109

but task is already holding lock:
00000000997d3ab9 (&(&rm->m_rs_lock)->rlock){..-.}, at: rds_send_remove_from_sock+0x278/0x8b0 net/rds/send.c:618

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&(&rm->m_rs_lock)->rlock){..-.}:
       rds_message_purge net/rds/message.c:138 [inline]
       rds_message_put+0x198/0xd00 net/rds/message.c:180
       rds_inc_put+0xf9/0x140 net/rds/recv.c:87
       rds_clear_recv_queue+0x147/0x350 net/rds/recv.c:762
       rds_release+0xc6/0x350 net/rds/af_rds.c:73
       __sock_release+0xcd/0x2a0 net/socket.c:599
       sock_close+0x15/0x20 net/socket.c:1214
       __fput+0x2ce/0x890 fs/file_table.c:278
       task_work_run+0x148/0x1c0 kernel/task_work.c:113
       tracehook_notify_resume include/linux/tracehook.h:193 [inline]
       exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167
       prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
       syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
       do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&rs->rs_recv_lock){...-}:
       __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:159 [inline]
       _raw_read_lock_irqsave+0x93/0xd0 kernel/locking/spinlock.c:224
       rds_wake_sk_sleep+0x1d/0xc0 net/rds/af_rds.c:109
       rds_send_remove_from_sock+0xb1/0x8b0 net/rds/send.c:624
       rds_send_path_drop_acked+0x2de/0x3c0 net/rds/send.c:700
       rds_tcp_write_space+0x199/0x650 net/rds/tcp_send.c:203
       tcp_new_space net/ipv4/tcp_input.c:5167 [inline]
       tcp_check_space+0x407/0x6f0 net/ipv4/tcp_input.c:5178
       tcp_data_snd_check net/ipv4/tcp_input.c:5188 [inline]
       tcp_rcv_established+0x916/0x1ef0 net/ipv4/tcp_input.c:5681
       tcp_v4_do_rcv+0x5d6/0x870 net/ipv4/tcp_ipv4.c:1547
       sk_backlog_rcv include/net/sock.h:952 [inline]
       __release_sock+0x134/0x3a0 net/core/sock.c:2362
       release_sock+0x54/0x1b0 net/core/sock.c:2901
       do_tcp_setsockopt.constprop.0+0x42e/0x2340 net/ipv4/tcp.c:3098
       tcp_setsockopt net/ipv4/tcp.c:3110 [inline]
       tcp_setsockopt+0xb2/0xd0 net/ipv4/tcp.c:3102
       kernel_setsockopt+0x106/0x1c0 net/socket.c:3563
       rds_tcp_cork net/rds/tcp_send.c:43 [inline]
       rds_tcp_xmit_path_complete+0xbf/0x100 net/rds/tcp_send.c:57
       rds_send_xmit+0x13b5/0x2290 net/rds/send.c:410
       rds_send_worker+0x86/0x280 net/rds/threads.c:199
       process_one_work+0x864/0x1570 kernel/workqueue.c:2153
       worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
       kthread+0x33f/0x460 kernel/kthread.c:259
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&(&rm->m_rs_lock)->rlock);
                               lock(&rs->rs_recv_lock);
                               lock(&(&rm->m_rs_lock)->rlock);
  lock(&rs->rs_recv_lock);

 *** DEADLOCK ***

5 locks held by kworker/u4:2/68:
 #0: 00000000e7974955 ((wq_completion)"%s""krdsd"){+.+.}, at: process_one_work+0x767/0x1570 kernel/workqueue.c:2124
 #1: 00000000aada2942 ((work_completion)(&(&cp->cp_send_w)->work)){+.+.}, at: process_one_work+0x79c/0x1570 kernel/workqueue.c:2128
 #2: 00000000d4e59231 (k-sk_lock-AF_INET){+.+.}, at: lock_sock include/net/sock.h:1512 [inline]
 #2: 00000000d4e59231 (k-sk_lock-AF_INET){+.+.}, at: do_tcp_setsockopt.constprop.0+0x13f/0x2340 net/ipv4/tcp.c:2816
 #3: 000000007d1145e6 (k-clock-AF_INET){++.-}, at: rds_tcp_write_space+0x25/0x650 net/rds/tcp_send.c:189
 #4: 00000000997d3ab9 (&(&rm->m_rs_lock)->rlock){..-.}, at: rds_send_remove_from_sock+0x278/0x8b0 net/rds/send.c:618

stack backtrace:
CPU: 1 PID: 68 Comm: kworker/u4:2 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: krdsd rds_send_worker
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222
 check_prev_add kernel/locking/lockdep.c:1866 [inline]
 check_prevs_add kernel/locking/lockdep.c:1979 [inline]
 validate_chain kernel/locking/lockdep.c:2420 [inline]
 __lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416
 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
 __raw_read_lock_irqsave include/linux/rwlock_api_smp.h:159 [inline]
 _raw_read_lock_irqsave+0x93/0xd0 kernel/locking/spinlock.c:224
 rds_wake_sk_sleep+0x1d/0xc0 net/rds/af_rds.c:109
 rds_send_remove_from_sock+0xb1/0x8b0 net/rds/send.c:624
 rds_send_path_drop_acked+0x2de/0x3c0 net/rds/send.c:700
 rds_tcp_write_space+0x199/0x650 net/rds/tcp_send.c:203
 tcp_new_space net/ipv4/tcp_input.c:5167 [inline]
 tcp_check_space+0x407/0x6f0 net/ipv4/tcp_input.c:5178
 tcp_data_snd_check net/ipv4/tcp_input.c:5188 [inline]
 tcp_rcv_established+0x916/0x1ef0 net/ipv4/tcp_input.c:5681
 tcp_v4_do_rcv+0x5d6/0x870 net/ipv4/tcp_ipv4.c:1547
 sk_backlog_rcv include/net/sock.h:952 [inline]
 __release_sock+0x134/0x3a0 net/core/sock.c:2362
 release_sock+0x54/0x1b0 net/core/sock.c:2901
 do_tcp_setsockopt.constprop.0+0x42e/0x2340 net/ipv4/tcp.c:3098
 tcp_setsockopt net/ipv4/tcp.c:3110 [inline]
 tcp_setsockopt+0xb2/0xd0 net/ipv4/tcp.c:3102
 kernel_setsockopt+0x106/0x1c0 net/socket.c:3563
 rds_tcp_cork net/rds/tcp_send.c:43 [inline]
 rds_tcp_xmit_path_complete+0xbf/0x100 net/rds/tcp_send.c:57
 rds_send_xmit+0x13b5/0x2290 net/rds/send.c:410
 rds_send_worker+0x86/0x280 net/rds/threads.c:199
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Bluetooth: hci0: command 0x040f tx timeout
Bluetooth: hci0: command 0x0419 tx timeout