[ 62.734418][ T997] bridge0: port 1(bridge_slave_0) entered disabled state
[ 62.751017][ T997] device veth1_macvtap left promiscuous mode
[ 62.757678][ T997] device veth0_macvtap left promiscuous mode
[ 62.764088][ T997] device veth1_vlan left promiscuous mode
[ 62.771414][ T997] device veth0_vlan left promiscuous mode
[ 63.029339][ T997] team0 (unregistering): Port device team_slave_1 removed
[ 63.048599][ T997] team0 (unregistering): Port device team_slave_0 removed
[ 63.062460][ T997] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 63.076165][ T997] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 63.132225][ T997] bond0 (unregistering): Released all slaves
[ 76.378845][ T1571] cfg80211: failed to load regulatory.db
Warning: Permanently added '10.128.10.61' (ECDSA) to the list of known hosts.
2022/12/28 17:16:30 ignoring optional flag "sandboxArg"="0"
2022/12/28 17:16:30 parsed 1 programs
2022/12/28 17:16:30 executed programs: 0
[ 79.492743][ T5471] cgroup: Unknown subsys name 'net'
[ 79.502983][ T5471] cgroup: Unknown subsys name 'rlimit'
[ 82.697121][ T47] Bluetooth: hci0: Opcode 0x c03 failed: -110
[ 86.857184][ T47] Bluetooth: hci0: Opcode 0x c03 failed: -110
[ 88.947769][ T4340] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 88.955921][ T4340] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 88.964146][ T4340] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 88.972554][ T4340] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 88.980768][ T4340] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 88.988218][ T4340] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 89.081886][ T5480] chnl_net:caif_netlink_parms(): no params data found
[ 89.129990][ T5480] bridge0: port 1(bridge_slave_0) entered blocking state
[ 89.137289][ T5480] bridge0: port 1(bridge_slave_0) entered disabled state
[ 89.145244][ T5480] device bridge_slave_0 entered promiscuous mode
[ 89.154820][ T5480] bridge0: port 2(bridge_slave_1) entered blocking state
[ 89.162328][ T5480] bridge0: port 2(bridge_slave_1) entered disabled state
[ 89.170348][ T5480] device bridge_slave_1 entered promiscuous mode
[ 89.198590][ T5480] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 89.211442][ T5480] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 89.237988][ T5480] team0: Port device team_slave_0 added
[ 89.245883][ T5480] team0: Port device team_slave_1 added
[ 89.267941][ T5480] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 89.274925][ T5480] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 89.301190][ T5480] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 89.313481][ T5480] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 89.320570][ T5480] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 89.346792][ T5480] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 89.376346][ T5480] device hsr_slave_0 entered promiscuous mode
[ 89.383677][ T5480] device hsr_slave_1 entered promiscuous mode
[ 89.457571][ T5480] bridge0: port 2(bridge_slave_1) entered blocking state
[ 89.464845][ T5480] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 89.472525][ T5480] bridge0: port 1(bridge_slave_0) entered blocking state
[ 89.479648][ T5480] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 89.524903][ T5480] 8021q: adding VLAN 0 to HW filter on device bond0
[ 89.538504][ T1571] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 89.546589][ T1571] bridge0: port 1(bridge_slave_0) entered disabled state
[ 89.554909][ T1571] bridge0: port 2(bridge_slave_1) entered disabled state
[ 89.562726][ T1571] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 89.576355][ T5480] 8021q: adding VLAN 0 to HW filter on device team0
[ 89.587860][ T1571] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 89.596583][ T1571] bridge0: port 1(bridge_slave_0) entered blocking state
[ 89.603832][ T1571] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 89.615990][ T1989] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 89.625392][ T1989] bridge0: port 2(bridge_slave_1) entered blocking state
[ 89.632533][ T1989] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 89.659193][ T1571] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 89.668496][ T1571] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 89.677463][ T1571] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 89.688127][ T5480] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 89.709128][ T1571] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 89.717922][ T1571] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 89.729584][ T5480] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 90.028835][ T5032] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 90.044940][ T1989] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 90.053644][ T1989] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 90.061671][ T1989] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 90.073145][ T5480] device veth0_vlan entered promiscuous mode
[ 90.084608][ T5480] device veth1_vlan entered promiscuous mode
[ 90.105786][ T1989] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 90.114550][ T1989] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 90.125647][ T5480] device veth0_macvtap entered promiscuous mode
[ 90.136245][ T5480] device veth1_macvtap entered promiscuous mode
[ 90.153156][ T5480] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 90.160583][ T5032] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 90.169308][ T5032] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 90.178750][ T5032] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 90.188201][ T5032] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 90.201609][ T5480] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 90.208946][ T1989] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 90.218458][ T1989] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 90.272400][ T56] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 90.280669][ T56] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 90.290830][ T892] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 90.312042][ T56] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 90.320086][ T56] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 90.329583][ T892] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 91.028341][ T4340] Bluetooth: hci0: command 0x0409 tx timeout
[ 91.205630][ T5500]
[ 91.208003][ T5500] ======================================================
[ 91.215008][ T5500] WARNING: possible circular locking dependency detected
[ 91.222014][ T5500] 6.2.0-rc1-syzkaller #0 Not tainted
[ 91.227318][ T5500] ------------------------------------------------------
[ 91.234671][ T5500] syz-executor.0/5500 is trying to acquire lock:
[ 91.240980][ T5500] ffff88807eb9f130 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: rfcomm_sk_state_change+0x51/0x280
[ 91.252467][ T5500]
[ 91.252467][ T5500] but task is already holding lock:
[ 91.259882][ T5500] ffff888145f13128 (&d->lock){+.+.}-{3:3}, at: __rfcomm_dlc_close+0x1ed/0x3e0
[ 91.268917][ T5500]
[ 91.268917][ T5500] which lock already depends on the new lock.
[ 91.268917][ T5500]
[ 91.279302][ T5500]
[ 91.279302][ T5500] the existing dependency chain (in reverse order) is:
[ 91.288301][ T5500]
[ 91.288301][ T5500] -> #2 (&d->lock){+.+.}-{3:3}:
[ 91.295401][ T5500]        lock_acquire+0x1a7/0x400
[ 91.300500][ T5500]        __mutex_lock_common+0x1de/0x26c0
[ 91.306288][ T5500]        mutex_lock_nested+0x17/0x20
[ 91.311813][ T5500]        __rfcomm_dlc_close+0x1ed/0x3e0
[ 91.317340][ T5500]        rfcomm_dlc_close+0xf0/0x180
[ 91.322613][ T5500]        __rfcomm_sock_close+0xf5/0x1d0
[ 91.328159][ T5500]        rfcomm_sock_shutdown+0x98/0x1c0
[ 91.333789][ T5500]        rfcomm_sock_release+0x4b/0x100
[ 91.339315][ T5500]        sock_close+0xcc/0x230
[ 91.344066][ T5500]        __fput+0x339/0x710
[ 91.348551][ T5500]        task_work_run+0x227/0x2b0
[ 91.353647][ T5500]        get_signal+0x116e/0x1300
[ 91.358679][ T5500]        arch_do_signal_or_restart+0x8d/0x5d0
[ 91.364733][ T5500]        exit_to_user_mode_loop+0x74/0x160
[ 91.370549][ T5500]        exit_to_user_mode_prepare+0xad/0x110
[ 91.376885][ T5500]        syscall_exit_to_user_mode+0x2e/0x60
[ 91.382952][ T5500]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 91.389414][ T5500]
[ 91.389414][ T5500] -> #1 (rfcomm_mutex){+.+.}-{3:3}:
[ 91.397138][ T5500]        lock_acquire+0x1a7/0x400
[ 91.402249][ T5500]        __mutex_lock_common+0x1de/0x26c0
[ 91.407954][ T5500]        mutex_lock_nested+0x17/0x20
[ 91.413307][ T5500]        rfcomm_dlc_open+0x20/0x50
[ 91.418403][ T5500]        rfcomm_sock_connect+0x222/0x3f0
[ 91.424106][ T5500]        __sys_connect+0x234/0x260
[ 91.429216][ T5500]        __x64_sys_connect+0x71/0x80
[ 91.434479][ T5500]        do_syscall_64+0x2b/0x50
[ 91.439397][ T5500]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 91.445790][ T5500]
[ 91.445790][ T5500] -> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}:
[ 91.455162][ T5500]        validate_chain+0x184a/0x6470
[ 91.460518][ T5500]        __lock_acquire+0x1292/0x1f60
[ 91.465870][ T5500]        lock_acquire+0x1a7/0x400
[ 91.470873][ T5500]        lock_sock_nested+0x3a/0xd0
[ 91.476052][ T5500]        rfcomm_sk_state_change+0x51/0x280
[ 91.481857][ T5500]        __rfcomm_dlc_close+0x230/0x3e0
[ 91.487423][ T5500]        rfcomm_dlc_close+0xf0/0x180
[ 91.492699][ T5500]        __rfcomm_sock_close+0xf5/0x1d0
[ 91.498226][ T5500]        rfcomm_sock_shutdown+0x98/0x1c0
[ 91.503839][ T5500]        rfcomm_sock_release+0x4b/0x100
[ 91.509363][ T5500]        sock_close+0xcc/0x230
[ 91.514114][ T5500]        __fput+0x339/0x710
[ 91.518618][ T5500]        task_work_run+0x227/0x2b0
[ 91.523737][ T5500]        get_signal+0x116e/0x1300
[ 91.528757][ T5500]        arch_do_signal_or_restart+0x8d/0x5d0
[ 91.534811][ T5500]        exit_to_user_mode_loop+0x74/0x160
[ 91.540603][ T5500]        exit_to_user_mode_prepare+0xad/0x110
[ 91.546649][ T5500]        syscall_exit_to_user_mode+0x2e/0x60
[ 91.552607][ T5500]        entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 91.559003][ T5500]
[ 91.559003][ T5500] other info that might help us debug this:
[ 91.559003][ T5500]
[ 91.569221][ T5500] Chain exists of:
[ 91.569221][ T5500]   sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM --> rfcomm_mutex --> &d->lock
[ 91.569221][ T5500]
[ 91.583102][ T5500]  Possible unsafe locking scenario:
[ 91.583102][ T5500]
[ 91.590541][ T5500]        CPU0                    CPU1
[ 91.595889][ T5500]        ----                    ----
[ 91.601237][ T5500]   lock(&d->lock);
[ 91.605032][ T5500]                                lock(rfcomm_mutex);
[ 91.611689][ T5500]                                lock(&d->lock);
[ 91.617996][ T5500]   lock(sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM);
[ 91.624134][ T5500]
[ 91.624134][ T5500]  *** DEADLOCK ***
[ 91.624134][ T5500]
[ 91.632261][ T5500] 3 locks held by syz-executor.0/5500:
[ 91.637727][ T5500]  #0: ffff888072008e10 (&sb->s_type->i_mutex_key#9){+.+.}-{3:3}, at: sock_close+0x88/0x230
[ 91.647793][ T5500]  #1: ffffffff8ce21da8 (rfcomm_mutex){+.+.}-{3:3}, at: rfcomm_dlc_close+0x2d/0x180
[ 91.657163][ T5500]  #2: ffff888145f13128 (&d->lock){+.+.}-{3:3}, at: __rfcomm_dlc_close+0x1ed/0x3e0
[ 91.666462][ T5500]
[ 91.666462][ T5500] stack backtrace:
[ 91.672341][ T5500] CPU: 1 PID: 5500 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller #0
[ 91.680905][ T5500] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 91.690964][ T5500] Call Trace:
[ 91.694237][ T5500]
[ 91.697172][ T5500] dump_stack_lvl+0x163/0x220
[ 91.701857][ T5500] ? nf_tcp_handle_invalid+0x4e0/0x4e0
[ 91.707310][ T5500] ? print_circular_bug+0x13e/0x1c0
[ 91.712494][ T5500] check_noncircular+0x2f9/0x3b0
[ 91.717417][ T5500] ? add_chain_block+0x850/0x850
[ 91.722335][ T5500] ? lockdep_lock+0x11d/0x2a0
[ 91.727002][ T5500] validate_chain+0x184a/0x6470
[ 91.731840][ T5500] ? reacquire_held_locks+0x680/0x680
[ 91.737194][ T5500] ? register_lock_class+0xfe/0x9b0
[ 91.742374][ T5500] ? mark_lock+0x9a/0x350
[ 91.746686][ T5500] ? is_dynamic_key+0x1f0/0x1f0
[ 91.751536][ T5500] ? mark_lock+0x9a/0x350
[ 91.755849][ T5500] ? __lock_acquire+0x1292/0x1f60
[ 91.760862][ T5500] ? mark_lock+0x9a/0x350
[ 91.765179][ T5500] __lock_acquire+0x1292/0x1f60
[ 91.770015][ T5500] lock_acquire+0x1a7/0x400
[ 91.774500][ T5500] ? rfcomm_sk_state_change+0x51/0x280
[ 91.779942][ T5500] ? trace_contention_end+0x72/0x1d0
[ 91.785211][ T5500] ? read_lock_is_recursive+0x10/0x10
[ 91.790576][ T5500] ? __rfcomm_dlc_close+0x1ed/0x3e0
[ 91.796020][ T5500] ? __timer_delete+0x307/0x3a0
[ 91.800939][ T5500] ? mutex_lock_io_nested+0x60/0x60
[ 91.806299][ T5500] lock_sock_nested+0x3a/0xd0
[ 91.811049][ T5500] ? rfcomm_sk_state_change+0x51/0x280
[ 91.816926][ T5500] rfcomm_sk_state_change+0x51/0x280
[ 91.822198][ T5500] __rfcomm_dlc_close+0x230/0x3e0
[ 91.827267][ T5500] rfcomm_dlc_close+0xf0/0x180
[ 91.832113][ T5500] __rfcomm_sock_close+0xf5/0x1d0
[ 91.837150][ T5500] rfcomm_sock_shutdown+0x98/0x1c0
[ 91.842246][ T5500] rfcomm_sock_release+0x4b/0x100
[ 91.847344][ T5500] sock_close+0xcc/0x230
[ 91.851669][ T5500] __fput+0x339/0x710
[ 91.855723][ T5500] task_work_run+0x227/0x2b0
[ 91.860298][ T5500] ? task_work_cancel+0x2a0/0x2a0
[ 91.865308][ T5500] get_signal+0x116e/0x1300
[ 91.869796][ T5500] ? kick_process+0xd6/0x140
[ 91.874369][ T5500] ? task_work_add+0x1e9/0x270
[ 91.879120][ T5500] ? rcu_lock_release+0x20/0x20
[ 91.883955][ T5500] ? ptrace_notify+0x320/0x320
[ 91.888704][ T5500] arch_do_signal_or_restart+0x8d/0x5d0
[ 91.894235][ T5500] ? get_sigframe_size+0x10/0x10
[ 91.899158][ T5500] ? exit_to_user_mode_loop+0x42/0x160
[ 91.904603][ T5500] exit_to_user_mode_loop+0x74/0x160
[ 91.909873][ T5500] exit_to_user_mode_prepare+0xad/0x110
[ 91.915401][ T5500] syscall_exit_to_user_mode+0x2e/0x60
[ 91.920845][ T5500] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 91.926722][ T5500] RIP: 0033:0x7eff33689049
[ 91.931125][ T5500] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 91.950799][ T5500] RSP: 002b:00007eff34863168 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
2022/12/28 17:16:43 executed programs: 1
[ 91.959197][ T5500] RAX: fffffffffffffffc RBX: 00007eff3379bf60 RCX: 00007eff33689049
[ 91.967154][ T5500] RDX: 000000000000005a RSI: 0000000020000000 RDI: 0000000000000004
[ 91.975109][ T5500] RBP: 00007eff336e308d R08: 0000000000000000 R09: 0000000000000000
[ 91.983062][ T5500] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 91.991025][ T5500] R13: 00007ffd1b4517bf R14: 00007eff34863300 R15: 0000000000022000
[ 91.999000][ T5500]
[ 93.097215][ T4340] Bluetooth: hci0: command 0x041b tx timeout
[ 95.187257][ T4340] Bluetooth: hci0: command 0x040f tx timeout
2022/12/28 17:16:48 executed programs: 7
[ 97.257180][ T4340] Bluetooth: hci0: command 0x0419 tx timeout
[ 99.337038][ T4340] Bluetooth: hci0: command 0x0405 tx timeout