./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor583031933

<...>
forked to background, child pid 4694
[   49.590723][ T4695] 8021q: adding VLAN 0 to HW filter on device bond0
[   49.618344][ T4695] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: [   50.027285][ T4772] sshd (4772) used greatest stack depth: 22456 bytes left
OK

syzkaller
Warning: Permanently added '10.128.1.92' (ECDSA) to the list of known hosts.
execve("./syz-executor583031933", ["./syz-executor583031933"], 0x7ffe9ac64ca0 /* 10 vars */) = 0
brk(NULL)                               = 0x555556344000
brk(0x555556344c40)                     = 0x555556344c40
arch_prctl(ARCH_SET_FS, 0x555556344300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
set_tid_address(0x5555563445d0)         = 5028
set_robust_list(0x5555563445e0, 24)     = 0
rt_sigaction(SIGRTMIN, {sa_handler=0x7f80dfa95a90, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f80dfa96160}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=0x7f80dfa95b30, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f80dfa96160}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlink("/proc/self/exe", "/root/syz-executor583031933", 4096) = 27
brk(0x555556365c40)                     = 0x555556365c40
brk(0x555556366000)                     = 0x555556366000
mprotect(0x7f80dfb57000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
unshare(CLONE_NEWPID)                   = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5029 attached
, child_tidptr=0x5555563445d0) = 5029
[pid  5029] set_robust_list(0x5555563445e0, 24) = 0
[pid  5029] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy)
[pid  5029] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3
[pid  5029] openat(AT_FDCWD, "/dev/vhci", O_RDWR) = 4
[pid  5029] dup2(4, 202)                = 202
[pid  5029] close(4)                    = 0
[pid  5029] write(202, "\xff\x00", 2)   = 2
[pid  5029] read(202, "\xff\x00\x00\x00", 4) = 4
[pid  5029] mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f80df285000
[pid  5029] mprotect(0x7f80df286000, 8388608, PROT_READ|PROT_WRITE) = 0
[pid  5029] clone(child_stack=0x7f80dfa853f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[2], tls=0x7f80dfa85700, child_tidptr=0x7f80dfa859d0) = 2
[pid  5029] ioctl(3, HCIDEVUP./strace-static-x86_64: Process 5031 attached
 <unfinished ...>
[pid  5031] set_robust_list(0x7f80dfa859e0, 24) = 0
[pid  5031] read(202, "\x01\x03\x0c\x00", 1024) = 4
[pid  5031] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5031] read(202, "\x01\x03\x10\x00", 1024) = 4
[pid  5031] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5031] read(202, "\x01\x01\x10\x00", 1024) = 4
[pid  5031] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x01\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5031] read(202, "\x01\x09\x10\x00", 1024) = 4
[pid  5031] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0a", iov_len=2}, {iov_base="\x01\x09\x10", iov_len=3}, {iov_base="\x00\xaa\xaa\xaa\xaa\xaa\xaa", iov_len=7}], 4) = 13
[pid  5031] read(202, "\x01\x05\x10\x00", 1024) = 4
[pid  5031] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0b", iov_len=2}, {iov_base="\x01\x05\x10", iov_len=3}, {iov_base="\x00\xfd\x03\x60\x04\x00\x06\x00", iov_len=8}], 4) = 14
[pid  5031] read(202, "\x01\x23\x0c\x00", 1024) = 4
[pid  5031] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x23\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5031] read(202, "\x01\x14\x0c\x00", 1024) = 4
[pid  5031] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x14\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5031] read(202, "\x01\x25\x0c\x00", 1024) = 4
[pid  5031] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x25\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5031] read(202, "\x01\x38\x0c\x00", 1024) = 4
syzkaller login: [   79.241942][ T5030] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[   79.251540][ T5030] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[   79.260726][ T5030] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[   79.270582][   T49] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[   79.281515][   T49] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[pid  5031] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x38\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5031] read(202, "\x01\x39\x0c\x00", 1024) = 4
[pid  5031] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x39\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5031] read(202, "\x01\x16\x0c\x02\x00\x7d", 1024) = 6
[pid  5031] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x16\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255
[pid  5029] <... ioctl resumed>, 0)     = -1 EALREADY (Operation already in progress)
[pid  5031] read(202,  <unfinished ...>
[pid  5029] ioctl(3, HCISETSCAN <unfinished ...>
[pid  5031] <... read resumed>"\x01\x1a\x0c\x01\x02", 1024) = 5
[pid  5031] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x04", iov_len=2}, {iov_base="\x01\x1a\x0c", iov_len=3}, {iov_base="\x00", iov_len=1}], 4) = 7
[pid  5029] <... ioctl resumed>, 0x7fff5093791c) = 0
[pid  5029] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x04\x0a", iov_len=2}, {iov_base="\xaa\xaa\xaa\xaa\xaa\x10\x00\x00\x00\x01", iov_len=10}], 3 <unfinished ...>
[pid  5031] madvise(0x7f80df285000, 8372224, MADV_DONTNEED) = 0
[pid  5029] <... writev resumed>)       = 13
[pid  5029] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x03\x0b", iov_len=2}, {iov_base="\x00\xc8\x00\xaa\xaa\xaa\xaa\xaa\x10\x01\x00", iov_len=11}], 3) = 14
[pid  5031] exit(0 <unfinished ...>
[pid  5029] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\v\v", iov_len=2}, {iov_base="\x00\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=11}], 3 <unfinished ...>
[pid  5031] <... exit resumed>)         = ?
[pid  5029] <... writev resumed>)       = 14
[pid  5031] +++ exited with 0 +++
[pid  5029] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x3e\x13", iov_len=2}, {iov_base="\x01\x00\xc9\x00\x01\x00\xaa\xaa\xaa\xaa\xaa\x11\x00\x00\x00\x00\x00\x00\x00", iov_len=19}], 3) = 22
[pid  5029] close(3)                    = 0
[pid  5029] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5029] setsid()                    = 1
[pid  5029] openat(AT_FDCWD, "/proc/self/ns/net", O_RDONLY) = 3
[pid  5029] dup2(3, 201)                = 201
[pid  5029] close(3)                    = 0
[pid  5029] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0
[pid  5029] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0
[pid  5029] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0
[pid  5029] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0
[pid  5029] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0
[pid  5029] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0
[pid  5029] unshare(CLONE_NEWNS)        = 0
[pid  5029] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0
[pid  5029] unshare(CLONE_NEWIPC)       = 0
[pid  5029] unshare(CLONE_NEWCGROUP)    = 0
[pid  5029] unshare(CLONE_NEWUTS)       = 0
[pid  5029] unshare(CLONE_SYSVSEM)      = 0
[pid  5029] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3
[pid  5029] write(3, "16777216", 8)     = 8
[pid  5029] close(3)                    = 0
[pid  5029] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3
[pid  5029] write(3, "536870912", 9)    = 9
[pid  5029] close(3)                    = 0
[pid  5029] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3
[pid  5029] write(3, "1024", 4)         = 4
[pid  5029] close(3)                    = 0
[pid  5029] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3
[pid  5029] write(3, "8192", 4)         = 4
[pid  5029] close(3)                    = 0
[pid  5029] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3
[pid  5029] write(3, "1024", 4)         = 4
[pid  5029] close(3)                    = 0
[pid  5029] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3
[pid  5029] write(3, "1024", 4)         = 4
[   79.290447][   T49] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[pid  5029] close(3)                    = 0
[pid  5029] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3
[pid  5029] write(3, "1024 1048576 500 1024", 21) = 21
[pid  5029] close(3)                    = 0
[pid  5029] getpid()                    = 1
[pid  5029] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PTRACE|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_NICE|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
[pid  5029] capset({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, permitted=1<<CAP_CHOWN|1<<CAP_DAC_OVERRIDE|1<<CAP_DAC_READ_SEARCH|1<<CAP_FOWNER|1<<CAP_FSETID|1<<CAP_KILL|1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP|1<<CAP_LINUX_IMMUTABLE|1<<CAP_NET_BIND_SERVICE|1<<CAP_NET_BROADCAST|1<<CAP_NET_ADMIN|1<<CAP_NET_RAW|1<<CAP_IPC_LOCK|1<<CAP_IPC_OWNER|1<<CAP_SYS_MODULE|1<<CAP_SYS_RAWIO|1<<CAP_SYS_CHROOT|1<<CAP_SYS_PACCT|1<<CAP_SYS_ADMIN|1<<CAP_SYS_BOOT|1<<CAP_SYS_RESOURCE|1<<CAP_SYS_TIME|1<<CAP_SYS_TTY_CONFIG|1<<CAP_MKNOD|1<<CAP_LEASE|1<<CAP_AUDIT_WRITE|1<<CAP_AUDIT_CONTROL|1<<CAP_SETFCAP|1<<CAP_MAC_OVERRIDE|1<<CAP_MAC_ADMIN|1<<CAP_SYSLOG|1<<CAP_WAKE_ALARM|1<<CAP_BLOCK_SUSPEND|1<<CAP_AUDIT_READ|1<<CAP_PERFMON|1<<CAP_BPF|1<<CAP_CHECKPOINT_RESTORE, inheritable=0}) = 0
[pid  5029] unshare(CLONE_NEWNET)       = 0
[pid  5029] openat(AT_FDCWD, "/proc/sys/net/ipv4/ping_group_range", O_WRONLY|O_CLOEXEC) = 3
[pid  5029] write(3, "0 65535", 7)      = 7
[pid  5029] close(3)                    = 0
[pid  5029] mkdir("/dev/binderfs", 0777) = 0
[pid  5029] mount("binder", "/dev/binderfs", "binder", 0, NULL) = 0
[pid  5029] symlink("/dev/binderfs", "./binderfs") = 0
[pid  5029] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555563445d0) = 3
./strace-static-x86_64: Process 5034 attached
[pid  5034] set_robust_list(0x5555563445e0, 24) = 0
[pid  5034] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5034] setpgid(0, 0)               = 0
[pid  5034] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5034] write(3, "1000", 4)         = 4
[pid  5034] close(3)                    = 0
[pid  5034] openat(AT_FDCWD, "/proc/self/ns/net", O_RDONLY) = 3
[pid  5034] setns(201, 0)               = 0
[pid  5034] socket(AF_BLUETOOTH, SOCK_STREAM, BTPROTO_L2CAP) = 4
[pid  5034] setns(3, 0)                 = 0
[pid  5034] close(3)                    = 0
[   81.348192][ T4431] Bluetooth: hci0: command 0x0409 tx timeout
[   83.417443][ T4431] Bluetooth: hci0: command 0x041b tx timeout
[pid  5034] connect(4, {sa_family=AF_BLUETOOTH, l2_psm=htobs(L2CAP_PSM_RFCOMM), l2_bdaddr=aa:aa:aa:aa:aa:10, l2_cid=htobs(0 /* L2CAP_CID_??? */), l2_bdaddr_type=BDADDR_BREDR}, 14 <unfinished ...>
[pid  5029] kill(-3, SIGKILL)           = 0
[pid  5034] <... connect resumed>)      = ?
[pid  5029] kill(3, SIGKILL)            = 0
[pid  5034] +++ killed by SIGKILL +++
[pid  5029] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=3, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=1 /* 0.01 s */} ---
[pid  5029] restart_syscall(<... resuming interrupted kill ...>) = 0
[pid  5029] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5035 attached
, child_tidptr=0x5555563445d0) = 4
[pid  5035] set_robust_list(0x5555563445e0, 24) = 0
[pid  5035] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5035] setpgid(0, 0)               = 0
[pid  5035] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5035] write(3, "1000", 4)         = 4
[pid  5035] close(3)                    = 0
[pid  5035] openat(AT_FDCWD, "/proc/self/ns/net", O_RDONLY) = 3
[pid  5035] setns(201, 0)               = 0
[pid  5035] socket(AF_BLUETOOTH, SOCK_STREAM, BTPROTO_L2CAP) = 4
[pid  5035] setns(3, 0)                 = 0
[pid  5035] close(3)                    = 0
[   85.497459][ T4431] Bluetooth: hci0: command 0x040f tx timeout
[   87.587443][ T4431] Bluetooth: hci0: command 0x0419 tx timeout
[pid  5035] connect(4, {sa_family=AF_BLUETOOTH, l2_psm=htobs(L2CAP_PSM_RFCOMM), l2_bdaddr=aa:aa:aa:aa:aa:10, l2_cid=htobs(0 /* L2CAP_CID_??? */), l2_bdaddr_type=BDADDR_BREDR}, 14 <unfinished ...>
[pid  5029] kill(-4, SIGKILL <unfinished ...>
[pid  5035] <... connect resumed>)      = ?
[pid  5029] <... kill resumed>)         = 0
[pid  5029] kill(4, SIGKILL <unfinished ...>
[pid  5035] +++ killed by SIGKILL +++
[pid  5029] <... kill resumed>)         = 0
[pid  5029] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=4, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=0} ---
[pid  5029] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5036 attached
, child_tidptr=0x5555563445d0) = 5
[pid  5036] set_robust_list(0x5555563445e0, 24) = 0
[pid  5036] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5036] setpgid(0, 0)               = 0
[pid  5036] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5036] write(3, "1000", 4)         = 4
[pid  5036] close(3)                    = 0
[pid  5036] openat(AT_FDCWD, "/proc/self/ns/net", O_RDONLY) = 3
[pid  5036] setns(201, 0)               = 0
[pid  5036] socket(AF_BLUETOOTH, SOCK_STREAM, BTPROTO_L2CAP) = 4
[pid  5036] setns(3, 0)                 = 0
[pid  5036] close(3)                    = 0
[   91.979747][    T9] cfg80211: failed to load regulatory.db
[pid  5036] connect(4, {sa_family=AF_BLUETOOTH, l2_psm=htobs(L2CAP_PSM_RFCOMM), l2_bdaddr=aa:aa:aa:aa:aa:10, l2_cid=htobs(0 /* L2CAP_CID_??? */), l2_bdaddr_type=BDADDR_BREDR}, 14 <unfinished ...>
[pid  5029] kill(-5, SIGKILL <unfinished ...>
[pid  5036] <... connect resumed>)      = ?
[pid  5029] <... kill resumed>)         = 0
[pid  5036] +++ killed by SIGKILL +++
[pid  5029] kill(5, SIGKILL)            = 0
[pid  5029] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=5, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=0} ---
[pid  5029] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555563445d0) = 6
./strace-static-x86_64: Process 5038 attached
[pid  5038] set_robust_list(0x5555563445e0, 24) = 0
[pid  5038] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5038] setpgid(0, 0)               = 0
[pid  5038] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5038] write(3, "1000", 4)         = 4
[pid  5038] close(3)                    = 0
[pid  5038] openat(AT_FDCWD, "/proc/self/ns/net", O_RDONLY) = 3
[pid  5038] setns(201, 0)               = 0
[pid  5038] socket(AF_BLUETOOTH, SOCK_STREAM, BTPROTO_L2CAP) = 4
[pid  5038] setns(3, 0)                 = 0
[pid  5038] close(3)                    = 0
[pid  5038] connect(4, {sa_family=AF_BLUETOOTH, l2_psm=htobs(L2CAP_PSM_RFCOMM), l2_bdaddr=aa:aa:aa:aa:aa:10, l2_cid=htobs(0 /* L2CAP_CID_??? */), l2_bdaddr_type=BDADDR_BREDR}, 14 <unfinished ...>
[pid  5029] kill(-6, SIGKILL <unfinished ...>
[pid  5038] <... connect resumed>)      = ?
[pid  5029] <... kill resumed>)         = 0
[pid  5029] kill(6, SIGKILL)            = 0
[pid  5038] +++ killed by SIGKILL +++
[pid  5029] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=6, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=0} ---
[pid  5029] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5041 attached
, child_tidptr=0x5555563445d0) = 7
[pid  5041] set_robust_list(0x5555563445e0, 24) = 0
[pid  5041] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5041] setpgid(0, 0)               = 0
[pid  5041] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5041] write(3, "1000", 4)         = 4
[pid  5041] close(3)                    = 0
[pid  5041] openat(AT_FDCWD, "/proc/self/ns/net", O_RDONLY) = 3
[pid  5041] setns(201, 0)               = 0
[pid  5041] socket(AF_BLUETOOTH, SOCK_STREAM, BTPROTO_L2CAP) = 4
[pid  5041] setns(3, 0)                 = 0
[pid  5041] close(3)                    = 0
[pid  5041] connect(4, {sa_family=AF_BLUETOOTH, l2_psm=htobs(L2CAP_PSM_RFCOMM), l2_bdaddr=aa:aa:aa:aa:aa:10, l2_cid=htobs(0 /* L2CAP_CID_??? */), l2_bdaddr_type=BDADDR_BREDR}, 14 <unfinished ...>
[pid  5029] kill(-7, SIGKILL <unfinished ...>
[pid  5041] <... connect resumed>)      = ?
[pid  5029] <... kill resumed>)         = 0
[pid  5029] kill(7, SIGKILL)            = 0
[pid  5041] +++ killed by SIGKILL +++
[pid  5029] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=7, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=0} ---
[pid  5029] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5043 attached
, child_tidptr=0x5555563445d0) = 8
[pid  5043] set_robust_list(0x5555563445e0, 24) = 0
[pid  5043] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5043] setpgid(0, 0)               = 0
[pid  5043] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5043] write(3, "1000", 4)         = 4
[pid  5043] close(3)                    = 0
[pid  5043] openat(AT_FDCWD, "/proc/self/ns/net", O_RDONLY) = 3
[pid  5043] setns(201, 0)               = 0
[pid  5043] socket(AF_BLUETOOTH, SOCK_STREAM, BTPROTO_L2CAP) = 4
[pid  5043] setns(3, 0)                 = 0
[pid  5043] close(3)                    = 0
[pid  5043] connect(4, {sa_family=AF_BLUETOOTH, l2_psm=htobs(L2CAP_PSM_RFCOMM), l2_bdaddr=aa:aa:aa:aa:aa:10, l2_cid=htobs(0 /* L2CAP_CID_??? */), l2_bdaddr_type=BDADDR_BREDR}, 14 <unfinished ...>
[pid  5029] kill(-8, SIGKILL <unfinished ...>
[pid  5043] <... connect resumed>)      = ?
[pid  5029] <... kill resumed>)         = 0
[pid  5029] kill(8, SIGKILL <unfinished ...>
[pid  5043] +++ killed by SIGKILL +++
[pid  5029] <... kill resumed>)         = 0
[pid  5029] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=8, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=0} ---
[pid  5029] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5046 attached
, child_tidptr=0x5555563445d0) = 9
[pid  5046] set_robust_list(0x5555563445e0, 24) = 0
[pid  5046] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5046] setpgid(0, 0)               = 0
[pid  5046] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5046] write(3, "1000", 4)         = 4
[pid  5046] close(3)                    = 0
[pid  5046] openat(AT_FDCWD, "/proc/self/ns/net", O_RDONLY) = 3
[pid  5046] setns(201, 0)               = 0
[pid  5046] socket(AF_BLUETOOTH, SOCK_STREAM, BTPROTO_L2CAP) = 4
[pid  5046] setns(3, 0)                 = 0
[pid  5046] close(3)                    = 0
[pid  5046] connect(4, {sa_family=AF_BLUETOOTH, l2_psm=htobs(L2CAP_PSM_RFCOMM), l2_bdaddr=aa:aa:aa:aa:aa:10, l2_cid=htobs(0 /* L2CAP_CID_??? */), l2_bdaddr_type=BDADDR_BREDR}, 14 <unfinished ...>
[pid  5029] kill(-9, SIGKILL <unfinished ...>
[pid  5046] <... connect resumed>)      = ?
[pid  5046] +++ killed by SIGKILL +++
[pid  5029] <... kill resumed>)         = 0
[pid  5029] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=9, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=0} ---
[pid  5029] kill(9, SIGKILL)            = 0
[pid  5029] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5052 attached
, child_tidptr=0x5555563445d0) = 10
[pid  5052] set_robust_list(0x5555563445e0, 24) = 0
[pid  5052] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5052] setpgid(0, 0)               = 0
[pid  5052] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5052] write(3, "1000", 4)         = 4
[pid  5052] close(3)                    = 0
[pid  5052] openat(AT_FDCWD, "/proc/self/ns/net", O_RDONLY) = 3
[pid  5052] setns(201, 0)               = 0
[pid  5052] socket(AF_BLUETOOTH, SOCK_STREAM, BTPROTO_L2CAP) = 4
[pid  5052] setns(3, 0)                 = 0
[pid  5052] close(3)                    = 0
[pid  5052] connect(4, {sa_family=AF_BLUETOOTH, l2_psm=htobs(L2CAP_PSM_RFCOMM), l2_bdaddr=aa:aa:aa:aa:aa:10, l2_cid=htobs(0 /* L2CAP_CID_??? */), l2_bdaddr_type=BDADDR_BREDR}, 14 <unfinished ...>
[pid  5029] kill(-10, SIGKILL)          = 0
[pid  5052] <... connect resumed>)      = ?
[pid  5029] kill(10, SIGKILL)           = 0
[pid  5052] +++ killed by SIGKILL +++
[pid  5029] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=10, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=0} ---
[pid  5029] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5057 attached
, child_tidptr=0x5555563445d0) = 11
[pid  5057] set_robust_list(0x5555563445e0, 24) = 0
[pid  5057] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5057] setpgid(0, 0)               = 0
[pid  5057] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5057] write(3, "1000", 4)         = 4
[pid  5057] close(3)                    = 0
[pid  5057] openat(AT_FDCWD, "/proc/self/ns/net", O_RDONLY) = 3
[pid  5057] setns(201, 0)               = 0
[pid  5057] socket(AF_BLUETOOTH, SOCK_STREAM, BTPROTO_L2CAP) = 4
[pid  5057] setns(3, 0)                 = 0
[pid  5057] close(3)                    = 0
[pid  5057] connect(4, {sa_family=AF_BLUETOOTH, l2_psm=htobs(L2CAP_PSM_RFCOMM), l2_bdaddr=aa:aa:aa:aa:aa:10, l2_cid=htobs(0 /* L2CAP_CID_??? */), l2_bdaddr_type=BDADDR_BREDR}, 14 <unfinished ...>
[pid  5029] kill(-11, SIGKILL <unfinished ...>
[pid  5057] <... connect resumed>)      = ?
[pid  5029] <... kill resumed>)         = 0
[pid  5029] kill(11, SIGKILL)           = 0
[pid  5057] +++ killed by SIGKILL +++
[pid  5029] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=11, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=1 /* 0.01 s */} ---
[pid  5029] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555563445d0) = 12
./strace-static-x86_64: Process 5060 attached
[pid  5060] set_robust_list(0x5555563445e0, 24) = 0
[pid  5060] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5060] setpgid(0, 0)               = 0
[pid  5060] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5060] write(3, "1000", 4)         = 4
[pid  5060] close(3)                    = 0
[pid  5060] openat(AT_FDCWD, "/proc/self/ns/net", O_RDONLY) = 3
[pid  5060] setns(201, 0)               = 0
[pid  5060] socket(AF_BLUETOOTH, SOCK_STREAM, BTPROTO_L2CAP) = 4
[pid  5060] setns(3, 0)                 = 0
[pid  5060] close(3)                    = 0
[  124.460222][ T4431] Bluetooth: hci0: link tx timeout
[  124.465646][ T4431] Bluetooth: hci0: killing stalled connection 11:aa:aa:aa:aa:aa
[  124.473916][ T4431] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580
[  124.483407][ T4431] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 4431, name: kworker/u5:1
[  124.492701][ T4431] preempt_count: 0, expected: 0
[  124.498022][ T4431] RCU nest depth: 1, expected: 0
[  124.503003][ T4431] 3 locks held by kworker/u5:1/4431:
[  124.508401][ T4431]  #0: ffff88807e8a8138 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x8fd/0x16f0
[  124.518958][ T4431]  #1: ffffc900070efdb0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}, at: process_one_work+0x930/0x16f0
[  124.530484][ T4431]  #2: ffffffff8c9a2d80 (rcu_read_lock){....}-{1:2}, at: __check_timeout+0x171/0x480
[  124.540102][ T4431] CPU: 1 PID: 4431 Comm: kworker/u5:1 Not tainted 6.4.0-next-20230630-syzkaller #0
[  124.549497][ T4431] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
[  124.559589][ T4431] Workqueue: hci0 hci_tx_work
[  124.564313][ T4431] Call Trace:
[  124.567636][ T4431]  <TASK>
[  124.570602][ T4431]  dump_stack_lvl+0x136/0x150
[  124.575324][ T4431]  __might_resched+0x358/0x580
[  124.580126][ T4431]  ? preempt_schedule_thunk+0x1a/0x30
[  124.585538][ T4431]  ? create_big_sync+0x260/0x260
[  124.590777][ T4431]  __mutex_lock+0x9f/0x1350
[  124.595352][ T4431]  ? hci_cmd_sync_submit+0x3b/0x330
[  124.600586][ T4431]  ? __wake_up_klogd.part.0+0x99/0xf0
[  124.605988][ T4431]  ? mutex_lock_io_nested+0x11a0/0x11a0
[  124.611578][ T4431]  ? vprintk+0x8c/0xa0
[  124.615677][ T4431]  ? _printk+0xbf/0xf0
[  124.619786][ T4431]  ? syslog_print_all+0x3a0/0x3a0
[  124.624866][ T4431]  ? create_big_sync+0x260/0x260
[  124.629843][ T4431]  hci_cmd_sync_submit+0x3b/0x330
[  124.634929][ T4431]  ? create_big_sync+0x260/0x260
[  124.639904][ T4431]  hci_cmd_sync_queue+0x7b/0xb0
[  124.644816][ T4431]  hci_abort_conn+0x15b/0x330
[  124.649525][ T4431]  hci_disconnect+0xc3/0x220
[  124.654141][ T4431]  ? hci_abort_conn+0x330/0x330
[  124.659057][ T4431]  ? hci_sched_sco+0x2f0/0x2f0
[  124.663867][ T4431]  __check_timeout+0x2cc/0x480
[  124.668662][ T4431]  hci_tx_work+0x82b/0x1bb0
[  124.673204][ T4431]  ? hci_chan_sent+0xbc0/0xbc0
[  124.678006][ T4431]  ? _raw_spin_unlock_irq+0x23/0x50
[  124.683250][ T4431]  process_one_work+0xa34/0x16f0
[  124.688241][ T4431]  ? lock_sync+0x190/0x190
[  124.692754][ T4431]  ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[  124.698193][ T4431]  ? spin_bug+0x1c0/0x1c0
[  124.702559][ T4431]  ? _raw_spin_lock_irq+0x45/0x50
[  124.707643][ T4431]  worker_thread+0x67d/0x10c0
[  124.712389][ T4431]  ? process_one_work+0x16f0/0x16f0
[  124.717630][ T4431]  kthread+0x344/0x440
[  124.721763][ T4431]  ? kthread_complete_and_exit+0x40/0x40
[  124.727435][ T4431]  ret_from_fork+0x1f/0x30
[  124.731905][ T4431]  </TASK>
[  124.735290][ T4431] 
[  124.737639][ T4431] =============================
[  124.742485][ T4431] [ BUG: Invalid wait context ]
[  124.747338][ T4431] 6.4.0-next-20230630-syzkaller #0 Tainted: G        W         
[  124.754977][ T4431] -----------------------------
[  124.759825][ T4431] kworker/u5:1/4431 is trying to lock:
[  124.765286][ T4431] ffff888021b149b0 (&hdev->unregister_lock){+.+.}-{3:3}, at: hci_cmd_sync_submit+0x3b/0x330
[  124.775424][ T4431] other info that might help us debug this:
[  124.781313][ T4431] context-{4:4}
[  124.784776][ T4431] 3 locks held by kworker/u5:1/4431:
[  124.790066][ T4431]  #0: ffff88807e8a8138 ((wq_completion)hci0#2){+.+.}-{0:0}, at: process_one_work+0x8fd/0x16f0
[  124.800562][ T4431]  #1: ffffc900070efdb0 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}, at: process_one_work+0x930/0x16f0
[  124.812001][ T4431]  #2: ffffffff8c9a2d80 (rcu_read_lock){....}-{1:2}, at: __check_timeout+0x171/0x480
[  124.821520][ T4431] stack backtrace:
[  124.825241][ T4431] CPU: 1 PID: 4431 Comm: kworker/u5:1 Tainted: G        W          6.4.0-next-20230630-syzkaller #0
[  124.836015][ T4431] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
[  124.846082][ T4431] Workqueue: hci0 hci_tx_work
[  124.850781][ T4431] Call Trace:
[  124.854067][ T4431]  <TASK>
[  124.857013][ T4431]  dump_stack_lvl+0xd9/0x150
[  124.861628][ T4431]  __lock_acquire+0x15e8/0x5e20
[  124.866515][ T4431]  ? show_trace_log_lvl+0xa2/0x390
[  124.871652][ T4431]  ? print_usage_bug.part.0+0x670/0x670
[  124.877232][ T4431]  ? lockdep_hardirqs_on_prepare+0x410/0x410
[  124.883333][ T4431]  ? mark_held_locks+0x9f/0xe0
[  124.888129][ T4431]  lock_acquire+0x1b1/0x520
[  124.892660][ T4431]  ? hci_cmd_sync_submit+0x3b/0x330
[  124.897893][ T4431]  ? lock_sync+0x190/0x190
[  124.902336][ T4431]  ? dump_stack_lvl+0x113/0x150
[  124.907203][ T4431]  ? dump_stack_lvl+0x115/0x150
[  124.912073][ T4431]  ? create_big_sync+0x260/0x260
[  124.917039][ T4431]  __mutex_lock+0x12f/0x1350
[  124.921672][ T4431]  ? hci_cmd_sync_submit+0x3b/0x330
[  124.926905][ T4431]  ? hci_cmd_sync_submit+0x3b/0x330
[  124.932150][ T4431]  ? __wake_up_klogd.part.0+0x99/0xf0
[  124.937550][ T4431]  ? mutex_lock_io_nested+0x11a0/0x11a0
[  124.943130][ T4431]  ? vprintk+0x8c/0xa0
[  124.947228][ T4431]  ? _printk+0xbf/0xf0
[  124.951324][ T4431]  ? syslog_print_all+0x3a0/0x3a0
[  124.956376][ T4431]  ? create_big_sync+0x260/0x260
[  124.961339][ T4431]  hci_cmd_sync_submit+0x3b/0x330
[  124.966402][ T4431]  ? create_big_sync+0x260/0x260
[  124.971370][ T4431]  hci_cmd_sync_queue+0x7b/0xb0
[  124.976256][ T4431]  hci_abort_conn+0x15b/0x330
[  124.980964][ T4431]  hci_disconnect+0xc3/0x220
[  124.985582][ T4431]  ? hci_abort_conn+0x330/0x330
[  124.990462][ T4431]  ? hci_sched_sco+0x2f0/0x2f0
[  124.995246][ T4431]  __check_timeout+0x2cc/0x480
[  125.000027][ T4431]  hci_tx_work+0x82b/0x1bb0
[  125.004550][ T4431]  ? hci_chan_sent+0xbc0/0xbc0
[  125.009331][ T4431]  ? _raw_spin_unlock_irq+0x23/0x50
[  125.014547][ T4431]  process_one_work+0xa34/0x16f0
[  125.019516][ T4431]  ? lock_sync+0x190/0x190
[  125.023961][ T4431]  ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[  125.029447][ T4431]  ? spin_bug+0x1c0/0x1c0
[  125.033806][ T4431]  ? _raw_spin_lock_irq+0x45/0x50
[  125.038869][ T4431]  worker_thread+0x67d/0x10c0
[  125.043585][ T4431]  ? process_one_work+0x16f0/0x16f0
[  125.048897][ T4431]  kthread+0x344/0x440
[  125.052986][ T4431]  ? kthread_complete_and_exit+0x40/0x40
[  125.058815][ T4431]  ret_from_fork+0x1f/0x30
[  125.063278][ T4431]  </TASK>
[  127.097415][ T4431] Bluetooth: hci0: command 0x0406 tx timeout
[pid  5060] connect(4, {sa_family=AF_BLUETOOTH, l2_psm=htobs(L2CAP_PSM_RFCOMM), l2_bdaddr=aa:aa:aa:aa:aa:10, l2_cid=htobs(0 /* L2CAP_CID_??? */), l2_bdaddr_type=BDADDR_BREDR}, 14 <unfinished ...>
[pid  5029] kill(-12, SIGKILL <unfinished ...>
[pid  5060] <... connect resumed>)      = ?
[pid  5029] <... kill resumed>)         = 0
[pid  5029] kill(12, SIGKILL)           = 0
[pid  5060] +++ killed by SIGKILL +++
[pid  5029] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=12, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=0} ---
[pid  5029] restart_syscall(<... resuming interrupted kill ...>) = 0
[pid  5029] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555563445d0) = 13
./strace-static-x86_64: Process 5061 attached
[pid  5061] set_robust_list(0x5555563445e0, 24) = 0
[pid  5061] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5061] setpgid(0, 0)               = 0
[pid  5061] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5061] write(3, "1000", 4)         = 4
[pid  5061] close(3)                    = 0
[pid  5061] openat(AT_FDCWD, "/proc/self/ns/net", O_RDONLY) = 3
[pid  5061] setns(201, 0)               = 0
[pid  5061] socket(AF_BLUETOOTH, SOCK_STREAM, BTPROTO_L2CAP) = 4
[pid  5061] setns(3, 0)                 = 0
[pid  5061] close(3)                    = 0
[  129.463015][ T5030] Bluetooth: hci0: link tx timeout
[  129.468333][ T5030] Bluetooth: hci0: killing stalled connection 10:aa:aa:aa:aa:aa
[  129.475992][ T5030] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580
[  129.485867][ T5030] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5030, name: kworker/u5:2
[  129.495123][ T5030] preempt_count: 0, expected: 0
[  129.500018][ T5030] RCU nest depth: 1, expected: 0
[  129.504962][ T5030] INFO: lockdep is turned off.
[  129.509760][ T5030] CPU: 1 PID: 5030 Comm: kworker/u5:2 Tainted: G        W          6.4.0-next-20230630-syzkaller #0
[  129.520601][ T5030] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
[  129.530685][ T5030] Workqueue: hci0 hci_tx_work
[  129.535386][ T5030] Call Trace:
[  129.538686][ T5030]  <TASK>
[  129.541650][ T5030]  dump_stack_lvl+0x136/0x150
[  129.546373][ T5030]  __might_resched+0x358/0x580
[  129.551182][ T5030]  ? console_unlock+0x19e/0x1f0
[  129.556083][ T5030]  ? create_big_sync+0x260/0x260
[  129.561056][ T5030]  __mutex_lock+0x9f/0x1350
[  129.565604][ T5030]  ? hci_cmd_sync_submit+0x3b/0x330
[  129.570875][ T5030]  ? __wake_up_klogd.part.0+0x99/0xf0
[  129.576277][ T5030]  ? mutex_lock_io_nested+0x11a0/0x11a0
[  129.581849][ T5030]  ? vprintk+0x8c/0xa0
[  129.585955][ T5030]  ? _printk+0xbf/0xf0
[  129.590070][ T5030]  ? syslog_print_all+0x3a0/0x3a0
[  129.595117][ T5030]  ? rcu_is_watching+0x12/0xb0
[  129.599906][ T5030]  ? create_big_sync+0x260/0x260
[  129.604889][ T5030]  hci_cmd_sync_submit+0x3b/0x330
[  129.609952][ T5030]  ? create_big_sync+0x260/0x260
[  129.614914][ T5030]  hci_cmd_sync_queue+0x7b/0xb0
[  129.619798][ T5030]  hci_abort_conn+0x15b/0x330
[  129.624499][ T5030]  hci_disconnect+0xc3/0x220
[  129.629120][ T5030]  ? hci_abort_conn+0x330/0x330
[  129.634025][ T5030]  ? hci_sched_sco+0x2f0/0x2f0
[  129.638803][ T5030]  __check_timeout+0x2cc/0x480
[  129.643584][ T5030]  hci_tx_work+0x1194/0x1bb0
[  129.648208][ T5030]  ? hci_chan_sent+0xbc0/0xbc0
[  129.653005][ T5030]  ? spin_bug+0x1c0/0x1c0
[  129.657369][ T5030]  ? rcu_is_watching+0x12/0xb0
[  129.662172][ T5030]  process_one_work+0xa34/0x16f0
[  129.667158][ T5030]  ? lock_sync+0x190/0x190
[  129.671611][ T5030]  ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[  129.677007][ T5030]  ? spin_bug+0x1c0/0x1c0
[  129.681373][ T5030]  ? _raw_spin_lock_irq+0x45/0x50
[  129.686470][ T5030]  worker_thread+0x67d/0x10c0
[  129.691194][ T5030]  ? process_one_work+0x16f0/0x16f0
[  129.696428][ T5030]  kthread+0x344/0x440
[  129.700535][ T5030]  ? kthread_complete_and_exit+0x40/0x40
[  129.706197][ T5030]  ret_from_fork+0x1f/0x30
[  129.710661][ T5030]  </TASK>
[  129.714079][ T5030] Bluetooth: hci0: link tx timeout
[  129.719399][ T5030] Bluetooth: hci0: killing stalled connection 11:aa:aa:aa:aa:aa
[  131.737404][ T5030] Bluetooth: hci0: command 0x0406 tx timeout
[pid  5061] connect(4, {sa_family=AF_BLUETOOTH, l2_psm=htobs(L2CAP_PSM_RFCOMM), l2_bdaddr=aa:aa:aa:aa:aa:10, l2_cid=htobs(0 /* L2CAP_CID_??? */), l2_bdaddr_type=BDADDR_BREDR}, 14 <unfinished ...>
[pid  5029] kill(-13, SIGKILL <unfinished ...>
[pid  5061] <... connect resumed>)      = ?
[pid  5029] <... kill resumed>)         = 0
[pid  5061] +++ killed by SIGKILL +++
[pid  5029] kill(13, SIGKILL)           = 0
[pid  5029] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=13, si_uid=0, si_status=SIGKILL, si_utime=0, si_stime=0} ---
[pid  5029] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x5555563445d0) = 14
./strace-static-x86_64: Process 5062 attached
[pid  5062] set_robust_list(0x5555563445e0, 24) = 0
[pid  5062] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid  5062] setpgid(0, 0)               = 0
[pid  5062] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid  5062] write(3, "1000", 4)         = 4
[pid  5062] close(3)                    = 0
[pid  5062] openat(AT_FDCWD, "/proc/self/ns/net", O_RDONLY) = 3
[pid  5062] setns(201, 0)               = 0
[pid  5062] socket(AF_BLUETOOTH, SOCK_STREAM, BTPROTO_L2CAP) = 4
[pid  5062] setns(3, 0)                 = 0
[pid  5062] close(3)                    = 0