[ 70.815598][ T4474] [ 70.825047][ T4474] WARNING: possible circular locking dependency detected [ 70.833466][ T4474] syzkaller #0 Not tainted [ 70.846252][ T4474] syz.2.24/4474 is trying to acquire lock: [ 70.853435][ T4474] ffff88802c4e0c28 ((work_completion)(&hdev->bg_scan_update)){+.+.}-{0:0}, at: __flush_work+0xc1/0x1b0 kernel/workqueue.c:3090 [ 70.873186][ T4474] ffffffff8d4c01a8 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0x19e/0x560 net/rfkill/core.c:1266 [ 70.884208][ T4474] [ 70.905024][ T4474] [ 70.914409][ T4474] __mutex_lock_common+0x1eb/0x2390 kernel/locking/mutex.c:596 [ 70.921618][ T4474] __mutex_lock kernel/locking/mutex.c:729 [inline] [ 70.921618][ T4474] mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:743 [ 70.928281][ T4474] rfkill_register+0x33/0x8a0 net/rfkill/core.c:1045 [ 70.934875][ T4474] hci_register_dev+0x452/0x970 net/bluetooth/hci_core.c:3960 [ 70.941635][ T4474] __vhci_create_device drivers/bluetooth/hci_vhci.c:129 [inline] [ 70.941635][ T4474] vhci_create_device+0x32c/0x5c0 drivers/bluetooth/hci_vhci.c:153 [ 70.948563][ T4474] vhci_get_user drivers/bluetooth/hci_vhci.c:210 [inline] [ 70.948563][ T4474] vhci_write+0x391/0x450 drivers/bluetooth/hci_vhci.c:290 [ 70.959610][ T4474] ksys_write+0x14d/0x250 fs/read_write.c:647 [ 70.970770][ T4474] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 70.978637][ T4474] [ 70.987829][ T4474] __mutex_lock_common+0x1eb/0x2390 kernel/locking/mutex.c:596 [ 70.994926][ T4474] __mutex_lock kernel/locking/mutex.c:729 [inline] [ 70.994926][ T4474] mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:743 [ 71.001598][ T4474] vhci_send_frame+0x88/0x100 drivers/bluetooth/hci_vhci.c:71 [ 71.008205][ T4474] hci_send_frame+0x1a9/0x2e0 net/bluetooth/hci_core.c:4256 [ 71.014895][ T4474] hci_sched_acl_pkt net/bluetooth/hci_core.c:4781 [inline] [ 71.014895][ T4474] hci_sched_acl net/bluetooth/hci_core.c:4866 [inline] [ 71.014895][ T4474] hci_tx_work+0x9f9/0x1710 net/bluetooth/hci_core.c:4932 SYZFAIL: failed to recv rpc fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor) [ 71.021300][ T4474] process_one_work+0x863/0x1000 kernel/workqueue.c:2310 [ 71.033323][ T4474] kthread+0x436/0x520 kernel/kthread.c:334 [ 71.039298][ T4474] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287 [ 71.045614][ T4474] [ 71.061131][ T4474] hci_dev_do_close+0x1e7/0x1030 net/bluetooth/hci_core.c:1756 [ 71.067961][ T4474] hci_unregister_dev+0x2d7/0x580 net/bluetooth/hci_core.c:4040 [ 71.074899][ T4474] vhci_release+0x73/0xc0 drivers/bluetooth/hci_vhci.c:345 [ 71.081133][ T4474] __fput+0x234/0x930 fs/file_table.c:311 [ 71.087012][ T4474] task_work_run+0x125/0x1a0 kernel/task_work.c:188 [ 71.093500][ T4474] exit_task_work include/linux/task_work.h:33 [inline] [ 71.093500][ T4474] do_exit+0x61e/0x20a0 kernel/exit.c:883 [ 71.099595][ T4474] do_group_exit+0x12e/0x300 kernel/exit.c:997 [ 71.106090][ T4474] __do_sys_exit_group kernel/exit.c:1008 [inline] [ 71.106090][ T4474] __se_sys_exit_group kernel/exit.c:1006 [inline] [ 71.106090][ T4474] __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1006 [ 71.113017][ T4474] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [ 71.113017][ T4474] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80 [ 71.119329][ T4474] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 71.127120][ T4474] [ 71.136123][ T4474] __mutex_lock_common+0x1eb/0x2390 kernel/locking/mutex.c:596 [ 71.143226][ T4474] __mutex_lock kernel/locking/mutex.c:729 [inline] [ 71.143226][ T4474] mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:743 [ 71.149884][ T4474] hci_req_sync net/bluetooth/hci_request.c:278 [inline] [ 71.149884][ T4474] bg_scan_update+0x44/0x3b0 net/bluetooth/hci_request.c:2952 ./fi[ 71.161840][ T4474] worker_thread+0xaa8/0x12a0 kernel/workqueue.c:2457 le0/file0[ 71.173022][ T4474] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287 [ 71.179334][ T4474] [ 71.190519][ T4474] check_prev_add kernel/locking/lockdep.c:3053 [inline] [ 71.190519][ T4474] check_prevs_add kernel/locking/lockdep.c:3172 [inline] [ 71.190519][ T4474] validate_chain kernel/locking/lockdep.c:3788 [inline] [ 71.190519][ T4474] __lock_acquire+0x2c33/0x7c60 kernel/locking/lockdep.c:5012 [ 71.202314][ T4474] __flush_work+0xdd/0x1b0 kernel/workqueue.c:3090 [ 71.208618][ T4474] __cancel_work_timer+0x3ac/0x520 kernel/workqueue.c:3181 [ 71.215616][ T4474] hci_request_cancel_all+0xcc/0x300 net/bluetooth/hci_request.c:3522 [ 71.222801][ T4474] hci_dev_do_close+0x4e/0x1030 net/bluetooth/hci_core.c:1736 [ 71.229557][ T4474] hci_rfkill_set_block+0x10a/0x190 net/bluetooth/hci_core.c:2235 [ 71.236652][ T4474] rfkill_set_block+0x1c6/0x420 net/rfkill/core.c:345 [ 71.243404][ T4474] rfkill_fop_write+0x458/0x560 net/rfkill/core.c:1274 [ 71.250148][ T4474] vfs_write+0x300/0xd00 fs/read_write.c:592 [ 71.256285][ T4474] ksys_write+0x14d/0x250 fs/read_write.c:647 [ 71.262509][ T4474] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [ 71.262509][ T4474] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80 [ 71.268824][ T4474] entry_SYSCALL_64_after_hwframe+0x66/0xd0 [ 71.276611][ T4474] [ 71.288218][ T4474] Chain exists of: [ 71.305310][ T4474] Possible unsafe locking scenario: [ 71.314133][ T4474] CPU0 CPU1 [ 71.320865][ T4474] ---- ---- [ 71.327593][ T4474] lock(rfkill_global_mutex); [ 71.333715][ T4474] lock(&data->open_mutex); [ 71.342204][ T4474] lock(rfkill_global_mutex); [ 71.350849][ T4474] lock((work_completion)(&hdev->bg_scan_update)); [ 71.366947][ T4474] 1 lock held by syz.2.24/4474: [ 71.373161][ T4474] #0: ffffffff8d4c01a8 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0x19e/0x560 net/rfkill/core.c:1266 [ 71.384578][ T4474] [ 71.391829][ T4474] CPU: 1 PID: 4474 Comm: syz.2.24 Not tainted syzkaller #0 [ 71.400376][ T4474] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 [ 71.411815][ T4474] Call Trace: [ 71.416441][ T4474] [ 71.420737][ T4474] dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106 [ 71.426768][ T4474] ? load_image+0x3b0/0x3b0 [ 71.432628][ T4474] ? show_regs_print_info+0x20/0x20 [ 71.439186][ T4474] ? print_circular_bug+0x12b/0x1a0 kernel/locking/lockdep.c:2010 [ 71.445739][ T4474] check_noncircular+0x274/0x310 kernel/locking/lockdep.c:2133 [ 71.452035][ T4474] ? add_chain_block+0x940/0x940 [ 71.458328][ T4474] ? instrument_atomic_read_write include/linux/instrumented.h:101 [inline] [ 71.458328][ T4474] ? atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:512 [inline] [ 71.458328][ T4474] ? queued_spin_lock include/asm-generic/qspinlock.h:82 [inline] [ 71.458328][ T4474] ? lockdep_lock+0xdc/0x1e0 kernel/locking/lockdep.c:113 [ 71.464277][ T4474] ? instrument_atomic_read include/linux/instrumented.h:71 [inline] [ 71.464277][ T4474] ? test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline] [ 71.464277][ T4474] ? hlock_class kernel/locking/lockdep.c:197 [inline] [ 71.464277][ T4474] ? __lock_acquire+0x12d9/0x7c60 kernel/locking/lockdep.c:5009 [ 71.470657][ T4474] ? lockdep_lock+0x1e0/0x1e0 [ 71.476692][ T4474] ? instrument_atomic_read include/linux/instrumented.h:71 [inline] [ 71.476692][ T4474] ? test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline] [ 71.476692][ T4474] ? hlock_class kernel/locking/lockdep.c:197 [inline] [ 71.476692][ T4474] ? mark_lock+0x94/0x320 kernel/locking/lockdep.c:4569 [ 71.482380][ T4474] check_prev_add kernel/locking/lockdep.c:3053 [inline] [ 71.482380][ T4474] check_prevs_add kernel/locking/lockdep.c:3172 [inline] [ 71.482380][ T4474] validate_chain kernel/locking/lockdep.c:3788 [inline] [ 71.482380][ T4474] __lock_acquire+0x2c33/0x7c60 kernel/locking/lockdep.c:5012 [ 71.488593][ T4474] ? psi_task_switch+0x495/0x810 kernel/sched/psi.c:882 [ 71.494882][ T4474] ? verify_lock_unused+0x140/0x140 [ 71.501445][ T4474] lock_acquire+0x197/0x3f0 kernel/locking/lockdep.c:5623 [ 71.507299][ T4474] ? __flush_work+0xc1/0x1b0 kernel/workqueue.c:3090 [ 71.513251][ T4474] ? __lock_acquire+0x7c60/0x7c60 [ 71.519637][ T4474] ? read_lock_is_recursive+0x10/0x10 kernel/locking/lockdep.c:5578 [ 71.526366][ T4474] ? rcu_read_unlock include/linux/rcupdate.h:772 [inline] [ 71.526366][ T4474] ? start_flush_work+0x776/0x820 kernel/workqueue.c:-1 [ 71.532753][ T4474] __flush_work+0xdd/0x1b0 kernel/workqueue.c:3090 [ 71.538528][ T4474] ? __flush_work+0xc1/0x1b0 kernel/workqueue.c:3090 [ 71.544474][ T4474] ? flush_work+0x20/0x20 [ 71.550163][ T4474] ? try_to_grab_pending+0xf3/0x7e0 kernel/workqueue.c:1272 [ 71.556723][ T4474] ? lockdep_hardirqs_off+0x70/0x100 kernel/locking/lockdep.c:4379 [ 71.563372][ T4474] ? instrument_atomic_read include/linux/instrumented.h:71 [inline] [ 71.563372][ T4474] ? test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline] [ 71.563372][ T4474] ? hlock_class kernel/locking/lockdep.c:197 [inline] [ 71.563372][ T4474] ? mark_lock+0x94/0x320 kernel/locking/lockdep.c:4569 [ 71.569148][ T4474] ? lockdep_recursion_finish kernel/locking/lockdep.c:436 [inline] [ 71.569148][ T4474] ? lockdep_hardirqs_on_prepare+0x3fc/0x760 kernel/locking/lockdep.c:4279 [ 71.576529][ T4474] ? lock_chain_count+0x20/0x20