[ 53.382029][ T41] bridge0: port 1(bridge_slave_0) entered disabled state
[ 53.394682][ T41] device veth1_macvtap left promiscuous mode
[ 53.400798][ T41] device veth0_macvtap left promiscuous mode
[ 53.407662][ T41] device veth1_vlan left promiscuous mode
[ 53.413498][ T41] device veth0_vlan left promiscuous mode
[ 53.525776][ T41] team0 (unregistering): Port device team_slave_1 removed
[ 53.536787][ T41] team0 (unregistering): Port device team_slave_0 removed
[ 53.550339][ T41] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 53.566366][ T41] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 53.609696][ T41] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.15.192' (ECDSA) to the list of known hosts.
2022/11/07 06:35:02 ignoring optional flag "sandboxArg"="0"
2022/11/07 06:35:02 parsed 1 programs
2022/11/07 06:35:02 executed programs: 0
[ 68.817912][ T4034] cgroup: Unknown subsys name 'net'
[ 68.827067][ T4034] cgroup: Unknown subsys name 'rlimit'
[ 69.927264][ T47] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 69.935493][ T47] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 69.943287][ T47] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 69.951813][ T47] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 69.959699][ T47] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 69.967163][ T47] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 69.975489][ T4042] Bluetooth: hci0: HCI_REQ-0x0c1a
[ 70.037959][ T4042] chnl_net:caif_netlink_parms(): no params data found
[ 70.071579][ T4042] bridge0: port 1(bridge_slave_0) entered blocking state
[ 70.078983][ T4042] bridge0: port 1(bridge_slave_0) entered disabled state
[ 70.087939][ T4042] device bridge_slave_0 entered promiscuous mode
[ 70.095855][ T4042] bridge0: port 2(bridge_slave_1) entered blocking state
[ 70.102943][ T4042] bridge0: port 2(bridge_slave_1) entered disabled state
[ 70.111320][ T4042] device bridge_slave_1 entered promiscuous mode
[ 70.128731][ T4042] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 70.139946][ T4042] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 70.160323][ T4042] team0: Port device team_slave_0 added
[ 70.168093][ T4042] team0: Port device team_slave_1 added
[ 70.182881][ T4042] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 70.190068][ T4042] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 70.216497][ T4042] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 70.228551][ T4042] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 70.235553][ T4042] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 70.262363][ T4042] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 70.286938][ T4042] device hsr_slave_0 entered promiscuous mode
[ 70.293458][ T4042] device hsr_slave_1 entered promiscuous mode
[ 70.345129][ T4042] bridge0: port 2(bridge_slave_1) entered blocking state
[ 70.352198][ T4042] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 70.359545][ T4042] bridge0: port 1(bridge_slave_0) entered blocking state
[ 70.366638][ T4042] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 70.400442][ T4042] 8021q: adding VLAN 0 to HW filter on device bond0
[ 70.413328][ T141] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 70.422345][ T141] bridge0: port 1(bridge_slave_0) entered disabled state
[ 70.430456][ T141] bridge0: port 2(bridge_slave_1) entered disabled state
[ 70.438000][ T141] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 70.448835][ T4042] 8021q: adding VLAN 0 to HW filter on device team0
[ 70.458498][ T141] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 70.467292][ T141] bridge0: port 1(bridge_slave_0) entered blocking state
[ 70.474415][ T141] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 70.496622][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 70.505379][ T7] bridge0: port 2(bridge_slave_1) entered blocking state
[ 70.512611][ T7] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 70.521288][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 70.530210][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 70.538615][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 70.547244][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 70.556832][ T4042] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 70.568069][ T141] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 70.584355][ T4042] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 70.591748][ T141] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 70.600438][ T141] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 70.803237][ T4042] device veth0_vlan entered promiscuous mode
[ 70.810933][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 70.819755][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 70.828088][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 70.835971][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 70.849129][ T4042] device veth1_vlan entered promiscuous mode
[ 70.863662][ T1155] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 70.872703][ T1155] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 70.880853][ T1155] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 70.892233][ T4042] device veth0_macvtap entered promiscuous mode
[ 70.900968][ T4042] device veth1_macvtap entered promiscuous mode
[ 70.915360][ T4042] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 70.922678][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 70.932023][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 70.942209][ T4042] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 70.950486][ T141] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 70.976992][ T14] cfg80211: failed to load regulatory.db
[ 71.067731][ T41] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 71.094407][ T41] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 71.115272][ T11] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 71.123427][ T11] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 71.131947][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 71.149121][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 72.004888][ T47] Bluetooth: hci0: command 0x0409 tx timeout
[ 72.042700][ T4083]
[ 72.045053][ T4083] ======================================================
[ 72.052046][ T4083] WARNING: possible circular locking dependency detected
[ 72.059138][ T4083] 6.1.0-rc4-syzkaller #0 Not tainted
[ 72.064478][ T4083] ------------------------------------------------------
[ 72.071467][ T4083] syz-executor.0/4083 is trying to acquire lock:
[ 72.077772][ T4083] ffff888078b7c130 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: rfcomm_sk_state_change+0x51/0x280
[ 72.089216][ T4083]
[ 72.089216][ T4083] but task is already holding lock:
[ 72.096735][ T4083] ffff88801bd55528 (&d->lock){+.+.}-{3:3}, at: __rfcomm_dlc_close+0x1ed/0x3e0
[ 72.105660][ T4083]
[ 72.105660][ T4083] which lock already depends on the new lock.
[ 72.105660][ T4083]
[ 72.116090][ T4083]
[ 72.116090][ T4083] the existing dependency chain (in reverse order) is:
[ 72.125073][ T4083]
[ 72.125073][ T4083] -> #2 (&d->lock){+.+.}-{3:3}:
[ 72.132072][ T4083]        lock_acquire+0x1a7/0x400
[ 72.137075][ T4083]        __mutex_lock_common+0x1de/0x26c0
[ 72.142849][ T4083]        mutex_lock_nested+0x17/0x20
[ 72.148119][ T4083]        __rfcomm_dlc_close+0x1ed/0x3e0
[ 72.153674][ T4083]        rfcomm_dlc_close+0xf0/0x180
[ 72.158954][ T4083]        __rfcomm_sock_close+0xf5/0x1d0
[ 72.164487][ T4083]        rfcomm_sock_shutdown+0x98/0x1c0
[ 72.170092][ T4083]        rfcomm_sock_release+0x4b/0x100
[ 72.175610][ T4083]        sock_close+0xcc/0x230
[ 72.180348][ T4083]        __fput+0x339/0x710
[ 72.184822][ T4083]        task_work_run+0x227/0x2b0
[ 72.189902][ T4083]        get_signal+0x115d/0x1310
[ 72.194894][ T4083]        arch_do_signal_or_restart+0x8d/0x6f0
[ 72.200932][ T4083]        exit_to_user_mode_loop+0x74/0x160
[ 72.206708][ T4083]        exit_to_user_mode_prepare+0xad/0x110
[ 72.212754][ T4083]        syscall_exit_to_user_mode+0x2e/0x60
[ 72.218710][ T4083]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 72.225184][ T4083]
[ 72.225184][ T4083] -> #1 (rfcomm_mutex){+.+.}-{3:3}:
[ 72.232628][ T4083]        lock_acquire+0x1a7/0x400
[ 72.237622][ T4083]        __mutex_lock_common+0x1de/0x26c0
[ 72.243401][ T4083]        mutex_lock_nested+0x17/0x20
[ 72.248655][ T4083]        rfcomm_dlc_open+0x20/0x50
[ 72.253738][ T4083]        rfcomm_sock_connect+0x222/0x3f0
[ 72.259341][ T4083]        __sys_connect+0x234/0x260
[ 72.264419][ T4083]        __x64_sys_connect+0x71/0x80
[ 72.269671][ T4083]        do_syscall_64+0x2b/0x50
[ 72.274579][ T4083]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 72.280962][ T4083]
[ 72.280962][ T4083] -> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}:
[ 72.290305][ T4083]        validate_chain+0x184a/0x6470
[ 72.295670][ T4083]        __lock_acquire+0x1292/0x1f60
[ 72.301033][ T4083]        lock_acquire+0x1a7/0x400
[ 72.306050][ T4083]        lock_sock_nested+0x3a/0xd0
[ 72.311225][ T4083]        rfcomm_sk_state_change+0x51/0x280
[ 72.317004][ T4083]        __rfcomm_dlc_close+0x230/0x3e0
[ 72.322517][ T4083]        rfcomm_dlc_close+0xf0/0x180
[ 72.327774][ T4083]        __rfcomm_sock_close+0xf5/0x1d0
[ 72.333289][ T4083]        rfcomm_sock_shutdown+0x98/0x1c0
[ 72.338901][ T4083]        rfcomm_sock_release+0x4b/0x100
[ 72.344415][ T4083]        sock_close+0xcc/0x230
[ 72.349231][ T4083]        __fput+0x339/0x710
[ 72.353710][ T4083]        task_work_run+0x227/0x2b0
[ 72.358793][ T4083]        get_signal+0x115d/0x1310
[ 72.363786][ T4083]        arch_do_signal_or_restart+0x8d/0x6f0
[ 72.369836][ T4083]        exit_to_user_mode_loop+0x74/0x160
[ 72.375612][ T4083]        exit_to_user_mode_prepare+0xad/0x110
[ 72.381647][ T4083]        syscall_exit_to_user_mode+0x2e/0x60
[ 72.387595][ T4083]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 72.393981][ T4083]
[ 72.393981][ T4083] other info that might help us debug this:
[ 72.393981][ T4083]
[ 72.404180][ T4083] Chain exists of:
[ 72.404180][ T4083]   sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM --> rfcomm_mutex --> &d->lock
[ 72.404180][ T4083]
[ 72.418045][ T4083]  Possible unsafe locking scenario:
[ 72.418045][ T4083]
[ 72.425477][ T4083]        CPU0                    CPU1
[ 72.430815][ T4083]        ----                    ----
[ 72.436246][ T4083]   lock(&d->lock);
[ 72.440028][ T4083]                                lock(rfcomm_mutex);
[ 72.446680][ T4083]                                lock(&d->lock);
[ 72.452985][ T4083]   lock(sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM);
[ 72.459108][ T4083]
[ 72.459108][ T4083]  *** DEADLOCK ***
[ 72.459108][ T4083]
[ 72.467224][ T4083] 3 locks held by syz-executor.0/4083:
[ 72.472652][ T4083]  #0: ffff888073cc7a10 (&sb->s_type->i_mutex_key#9){+.+.}-{3:3}, at: sock_close+0x88/0x230
[ 72.482699][ T4083]  #1: ffffffff8cc25888 (rfcomm_mutex){+.+.}-{3:3}, at: rfcomm_dlc_close+0x2d/0x180
[ 72.492072][ T4083]  #2: ffff88801bd55528 (&d->lock){+.+.}-{3:3}, at: __rfcomm_dlc_close+0x1ed/0x3e0
[ 72.501445][ T4083]
[ 72.501445][ T4083] stack backtrace:
[ 72.507395][ T4083] CPU: 1 PID: 4083 Comm: syz-executor.0 Not tainted 6.1.0-rc4-syzkaller #0
[ 72.515951][ T4083] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 72.525979][ T4083] Call Trace:
[ 72.529244][ T4083]
[ 72.532157][ T4083]  dump_stack_lvl+0x163/0x213
[ 72.536816][ T4083]  ? nf_tcp_handle_invalid+0x4d9/0x4d9
[ 72.542243][ T4083]  ? print_circular_bug+0x13e/0x1c0
[ 72.547416][ T4083]  check_noncircular+0x2f9/0x3b0
[ 72.552328][ T4083]  ? add_chain_block+0x850/0x850
[ 72.557333][ T4083]  ? lockdep_lock+0x11d/0x2a0
[ 72.561982][ T4083]  validate_chain+0x184a/0x6470
[ 72.566813][ T4083]  ? reacquire_held_locks+0x680/0x680
[ 72.572155][ T4083]  ? register_lock_class+0xfe/0x9b0
[ 72.577326][ T4083]  ? mark_lock+0x9a/0x350
[ 72.581695][ T4083]  ? is_dynamic_key+0x1f0/0x1f0
[ 72.586516][ T4083]  ? mark_lock+0x9a/0x350
[ 72.590820][ T4083]  ? __lock_acquire+0x1292/0x1f60
[ 72.595816][ T4083]  ? mark_lock+0x9a/0x350
[ 72.600115][ T4083]  __lock_acquire+0x1292/0x1f60
[ 72.604943][ T4083]  lock_acquire+0x1a7/0x400
[ 72.609415][ T4083]  ? rfcomm_sk_state_change+0x51/0x280
[ 72.614938][ T4083]  ? trace_contention_end+0x72/0x1d0
[ 72.620195][ T4083]  ? read_lock_is_recursive+0x10/0x10
[ 72.625545][ T4083]  ? __rfcomm_dlc_close+0x1ed/0x3e0
[ 72.630711][ T4083]  ? del_timer+0x2f6/0x380
[ 72.635117][ T4083]  ? mutex_lock_io_nested+0x60/0x60
[ 72.640303][ T4083]  lock_sock_nested+0x3a/0xd0
[ 72.644969][ T4083]  ? rfcomm_sk_state_change+0x51/0x280
[ 72.650404][ T4083]  rfcomm_sk_state_change+0x51/0x280
[ 72.655660][ T4083]  __rfcomm_dlc_close+0x230/0x3e0
[ 72.660667][ T4083]  rfcomm_dlc_close+0xf0/0x180
[ 72.665406][ T4083]  __rfcomm_sock_close+0xf5/0x1d0
[ 72.670581][ T4083]  rfcomm_sock_shutdown+0x98/0x1c0
[ 72.675683][ T4083]  rfcomm_sock_release+0x4b/0x100
[ 72.680700][ T4083]  sock_close+0xcc/0x230
[ 72.684928][ T4083]  __fput+0x339/0x710
[ 72.689068][ T4083]  task_work_run+0x227/0x2b0
[ 72.693644][ T4083]  ? task_work_cancel+0x2a0/0x2a0
[ 72.698643][ T4083]  get_signal+0x115d/0x1310
[ 72.703122][ T4083]  ? task_work_add+0x1e9/0x270
[ 72.708012][ T4083]  ? ptrace_notify+0x320/0x320
[ 72.712778][ T4083]  arch_do_signal_or_restart+0x8d/0x6f0
[ 72.718759][ T4083]  ? __sys_connect+0xf0/0x260
[ 72.723417][ T4083]  ? get_sigframe_size+0x10/0x10
[ 72.728502][ T4083]  ? exit_to_user_mode_loop+0x42/0x160
[ 72.733937][ T4083]  exit_to_user_mode_loop+0x74/0x160
[ 72.739207][ T4083]  exit_to_user_mode_prepare+0xad/0x110
[ 72.744745][ T4083]  syscall_exit_to_user_mode+0x2e/0x60
[ 72.750186][ T4083]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 72.756056][ T4083] RIP: 0033:0x7f0b91489049
[ 72.760532][ T4083] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 72.780131][ T4083] RSP: 002b:00007f0b925ff168 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 72.788524][ T4083] RAX: fffffffffffffffc RBX: 00007f0b9159bf60 RCX: 00007f0b91489049
[ 72.796468][ T4083] RDX: 0000000000000080 RSI: 0000000020000000 RDI: 0000000000000004
[ 72.804411][ T4083] RBP: 00007f0b914e308d R08: 0000000000000000 R09: 0000000000000000
[ 72.812373][ T4083] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 72.820321][ T4083] R13: 00007ffc83ebf75f R14: 00007f0b925ff300 R15: 0000000000022000
[ 72.828382][ T4083]
[ 74.084230][ T47] Bluetooth: hci0: command 0x041b tx timeout
2022/11/07 06:35:08 executed programs: 3
[ 76.164128][ T47] Bluetooth: hci0: command 0x040f tx timeout
[ 78.244054][ T47] Bluetooth: hci0: command 0x0419 tx timeout
2022/11/07 06:35:13 executed programs: 9
[ 80.324109][ T47] Bluetooth: hci0: command 0x0405 tx timeout