[ 457.118272] Bluetooth: hci3: command 0x0406 tx timeout [ 457.124033] Bluetooth: hci2: command 0x0406 tx timeout [ 457.358323] Bluetooth: hci1: command 0x0401 tx timeout [ 459.438233] Bluetooth: hci1: command 0x0401 tx timeout [ 461.563047] Bluetooth: hci1: command 0x0401 tx timeout [ 461.601815] ------------[ cut here ]------------ [ 461.608089] ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x90 [ 461.618390] WARNING: CPU: 1 PID: 26038 at lib/debugobjects.c:328 debug_print_object+0x168/0x210 [ 461.627245] Kernel panic - not syncing: panic_on_warn set ... [ 461.627245] [ 461.634603] CPU: 1 PID: 26038 Comm: syz-executor.4 Not tainted 4.19.152-syzkaller #0 [ 461.642470] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 461.651805] Call Trace: [ 461.654375] dump_stack+0x17c/0x22a [ 461.657988] ? debug_print_object+0x168/0x210 [ 461.662471] panic+0x1cd/0x375 [ 461.665642] ? __warn_printk+0xd6/0xd6 [ 461.669511] ? lock_downgrade+0x860/0x860 [ 461.673643] __warn.cold.7+0x1b/0x3e [ 461.677340] ? debug_print_object+0x168/0x210 [ 461.681815] report_bug+0x1a4/0x200 [ 461.685422] do_error_trap+0x200/0x350 [ 461.689291] ? math_error+0x340/0x340 [ 461.693159] ? irq_work_queue+0xd/0x50 [ 461.697028] ? wake_up_klogd.part.7+0x71/0xa0 [ 461.701502] ? error_entry+0x7c/0xe0 [ 461.705324] ? trace_hardirqs_off_caller+0x1d/0x180 [ 461.710335] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 461.715167] do_invalid_op+0x1b/0x20 [ 461.718868] invalid_op+0x14/0x20 [ 461.722313] RIP: 0010:debug_print_object+0x168/0x210 [ 461.727396] Code: 67 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 92 00 00 00 48 8b 14 dd 80 8a 67 87 4c 89 fe 48 c7 c7 00 80 67 87 e8 7b bf 07 fe <0f> 0b 83 05 9b d6 f2 05 01 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f [ 461.746279] RSP: 0018:ffff8880aa3bf800 EFLAGS: 00010082 [ 461.751622] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000 [ 461.758884] RDX: 0000000000000004 RSI: 0000000000000008 RDI: ffffffff8a19da60 [ 461.766136] RBP: ffff8880aa3bf840 R08: ffffed10174e3eef R09: ffffed10174e3eee [ 461.773388] R10: ffffed10174e3eee R11: ffff8880ba71f777 R12: 0000000000000001 [ 461.780639] R13: ffffffff88598d40 R14: ffffffff8153a8c0 R15: ffffffff876786e0 [ 461.788432] ? __internal_add_timer+0x1e0/0x1e0 [ 461.793261] ? _raw_spin_unlock_irqrestore+0x6d/0xd0 [ 461.798347] debug_check_no_obj_freed+0x252/0x428 [ 461.803175] kfree+0xbd/0x220 [ 461.806350] bt_host_release+0x10/0x20 [ 461.810220] device_release+0x71/0x1d0 [ 461.814097] kobject_put+0x115/0x1f0 [ 461.817793] put_device+0x12/0x20 [ 461.821225] hci_free_dev+0x10/0x20 [ 461.824834] vhci_release+0x73/0xe0 [ 461.828443] __fput+0x249/0x7f0 [ 461.831703] ? _raw_spin_unlock_irq+0x27/0x90 [ 461.836183] ____fput+0x9/0x10 [ 461.839355] task_work_run+0x108/0x180 [ 461.843240] do_exit+0xa6a/0x2db0 [ 461.846677] ? mm_update_next_owner+0x680/0x680 [ 461.851438] ? do_futex+0x5d2/0x1910 [ 461.855155] ? get_signal+0x2b7/0x1970 [ 461.859022] ? _raw_spin_unlock_irq+0x27/0x90 [ 461.863498] ? get_signal+0x2b7/0x1970 [ 461.867510] do_group_exit+0xf8/0x2c0 [ 461.871297] get_signal+0x308/0x1970 [ 461.874998] do_signal+0x87/0x1860 [ 461.878532] ? setup_sigcontext+0x7d0/0x7d0 [ 461.882840] ? __se_sys_futex+0x209/0x270 [ 461.886970] ? put_timespec64+0xa9/0x100 [ 461.891028] ? __se_compat_sys_gettimeofday+0x130/0x130 [ 461.896374] ? do_futex+0x1910/0x1910 [ 461.900157] ? exit_to_usermode_loop+0x3a/0x1e0 [ 461.904803] ? do_syscall_64+0x413/0x4e0 [ 461.908844] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 461.913407] ? exit_to_usermode_loop+0x3a/0x1e0 [ 461.918056] ? trace_hardirqs_on+0x28/0x190 [ 461.922357] exit_to_usermode_loop+0x159/0x1e0 [ 461.926919] do_syscall_64+0x413/0x4e0 [ 461.930809] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 461.935978] RIP: 0033:0x45d5b9 [ 461.939160] Code: Bad RIP value. [ 461.942504] RSP: 002b:00007f5bd4176cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 461.950193] RAX: fffffffffffffe00 RBX: 000000000118cf48 RCX: 000000000045d5b9 [ 461.957454] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000118cf48 [ 461.964708] RBP: 000000000118cf40 R08: 0000000000000000 R09: 0000000000000000 [ 461.971961] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c [ 461.979212] R13: 00007fffa5cb91cf R14: 00007f5bd41779c0 R15: 000000000118cf4c [ 461.986472] [ 461.986474] ====================================================== [ 461.986476] WARNING: possible circular locking dependency detected [ 461.986477] 4.19.152-syzkaller #0 Not tainted [ 461.986479] ------------------------------------------------------ [ 461.986480] syz-executor.4/26038 is trying to acquire lock: [ 461.986481] 00000000dcfa9496 ((console_sem).lock){-.-.}, at: down_trylock+0x13/0x70 [ 461.986486] [ 461.986487] but task is already holding lock: [ 461.986488] 00000000920df178 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xad/0x428 [ 461.986493] [ 461.986494] which lock already depends on the new lock. [ 461.986496] [ 461.986496] [ 461.986498] the existing dependency chain (in reverse order) is: [ 461.986499] [ 461.986500] -> #5 (&obj_hash[i].lock){-.-.}: [ 461.986504] _raw_spin_lock_irqsave+0x99/0xd0 [ 461.986506] debug_object_activate+0x11c/0x4e0 [ 461.986507] enqueue_hrtimer+0x26/0x300 [ 461.986508] hrtimer_start_range_ns+0x47a/0xa40 [ 461.986510] watchdog_enable+0x127/0x1a0 [ 461.986511] softlockup_start_fn+0x10/0x20 [ 461.986512] smp_call_on_cpu_callback+0xcd/0x1c0 [ 461.986514] process_one_work+0x7b9/0x15a0 [ 461.986515] worker_thread+0x85/0xb60 [ 461.986516] kthread+0x347/0x410 [ 461.986517] ret_from_fork+0x24/0x30 [ 461.986518] [ 461.986519] -> #4 (hrtimer_bases.lock){-.-.}: [ 461.986524] _raw_spin_lock_irqsave+0x99/0xd0 [ 461.986525] lock_hrtimer_base.isra.1+0x6b/0x140 [ 461.986527] hrtimer_start_range_ns+0xd7/0xa40 [ 461.986528] enqueue_task_rt+0x68e/0xd40 [ 461.986529] __sched_setscheduler.constprop.12+0xea7/0x22f0 [ 461.986531] _sched_setscheduler+0xfd/0x1a0 [ 461.986532] sched_setscheduler+0xe/0x10 [ 461.986533] watchdog_dev_init+0xbe/0x15f [ 461.986535] watchdog_init+0x12/0x13b [ 461.986536] do_one_initcall+0xbc/0x518 [ 461.986537] kernel_init_freeable+0x755/0x7f9 [ 461.986538] kernel_init+0xc/0x10e [ 461.986540] ret_from_fork+0x24/0x30 [ 461.986540] [ 461.986541] -> #3 (&rt_b->rt_runtime_lock){-.-.}: [ 461.986546] _raw_spin_lock+0x2d/0x40 [ 461.986547] rq_online_rt+0xb7/0x390 [ 461.986548] set_rq_online.part.10+0xe1/0x140 [ 461.986550] sched_cpu_activate+0x16e/0x280 [ 461.986551] cpuhp_invoke_callback+0x187/0x1390 [ 461.986552] cpuhp_thread_fun+0x39b/0x700 [ 461.986554] smpboot_thread_fn+0x55f/0x8a0 [ 461.986555] kthread+0x347/0x410 [ 461.986556] ret_from_fork+0x24/0x30 [ 461.986557] [ 461.986558] -> #2 (&rq->lock){-.-.}: [ 461.986562] _raw_spin_lock+0x2d/0x40 [ 461.986563] task_fork_fair+0x65/0x460 [ 461.986565] sched_fork+0x3eb/0x910 [ 461.986566] copy_process.part.2+0x1a79/0x76e0 [ 461.986567] _do_fork+0x159/0xb20 [ 461.986568] kernel_thread+0x24/0x30 [ 461.986570] rest_init+0x1d/0x23d [ 461.986571] start_kernel+0x648/0x686 [ 461.986572] x86_64_start_reservations+0x29/0x2b [ 461.986574] x86_64_start_kernel+0x76/0x79 [ 461.986575] secondary_startup_64+0xa4/0xb0 [ 461.986576] [ 461.986577] -> #1 (&p->pi_lock){-.-.}: [ 461.986581] _raw_spin_lock_irqsave+0x99/0xd0 [ 461.986582] try_to_wake_up+0x8a/0x1010 [ 461.986584] wake_up_process+0x10/0x20 [ 461.986585] __up.isra.0+0x136/0x1a0 [ 461.986586] up+0x95/0xe0 [ 461.986587] __up_console_sem+0xa0/0x150 [ 461.986589] console_unlock+0x430/0xe20 [ 461.986590] fb_flashcursor+0x112/0x3c0 [ 461.986591] process_one_work+0x7b9/0x15a0 [ 461.986592] worker_thread+0x85/0xb60 [ 461.986594] kthread+0x347/0x410 [ 461.986595] ret_from_fork+0x24/0x30 [ 461.986596] [ 461.986596] -> #0 ((console_sem).lock){-.-.}: [ 461.986601] lock_acquire+0x180/0x3a0 [ 461.986602] _raw_spin_lock_irqsave+0x99/0xd0 [ 461.986603] down_trylock+0x13/0x70 [ 461.986605] __down_trylock_console_sem+0x93/0x1a0 [ 461.986606] console_trylock+0x11/0x50 [ 461.986607] vprintk_emit+0x184/0x540 [ 461.986609] vprintk_default+0x1a/0x20 [ 461.986610] vprintk_func+0x49/0x12c [ 461.986611] printk+0x9a/0xc0 [ 461.986612] __warn_printk+0x86/0xd6 [ 461.986614] debug_print_object+0x168/0x210 [ 461.986615] debug_check_no_obj_freed+0x252/0x428 [ 461.986616] kfree+0xbd/0x220 [ 461.986617] bt_host_release+0x10/0x20 [ 461.986619] device_release+0x71/0x1d0 [ 461.986620] kobject_put+0x115/0x1f0 [ 461.986621] put_device+0x12/0x20 [ 461.986622] hci_free_dev+0x10/0x20 [ 461.986624] vhci_release+0x73/0xe0 [ 461.986625] __fput+0x249/0x7f0 [ 461.986626] ____fput+0x9/0x10 [ 461.986627] task_work_run+0x108/0x180 [ 461.986628] do_exit+0xa6a/0x2db0 [ 461.986630] do_group_exit+0xf8/0x2c0 [ 461.986631] get_signal+0x308/0x1970 [ 461.986632] do_signal+0x87/0x1860 [ 461.986633] exit_to_usermode_loop+0x159/0x1e0 [ 461.986635] do_syscall_64+0x413/0x4e0 [ 461.986636] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 461.986637] [ 461.986638] other info that might help us debug this: [ 461.986639] [ 461.986640] Chain exists of: [ 461.986641] (console_sem).lock --> hrtimer_bases.lock --> &obj_hash[i].lock [ 461.986647] [ 461.986649] Possible unsafe locking scenario: [ 461.986649] [ 461.986651] CPU0 CPU1 [ 461.986652] ---- ---- [ 461.986653] lock(&obj_hash[i].lock); [ 461.986656] lock(hrtimer_bases.lock); [ 461.986659] lock(&obj_hash[i].lock); [ 461.986662] lock((console_sem).lock); [ 461.986664] [ 461.986665] *** DEADLOCK *** [ 461.986666] [ 461.986668] 1 lock held by syz-executor.4/26038: [ 461.986668] #0: 00000000920df178 (&obj_hash[i].lock){-.-.}, at: debug_check_no_obj_freed+0xad/0x428 [ 461.986674] [ 461.986675] stack backtrace: [ 461.986677] CPU: 1 PID: 26038 Comm: syz-executor.4 Not tainted 4.19.152-syzkaller #0 [ 461.986679] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 461.986680] Call Trace: [ 461.986681] dump_stack+0x17c/0x22a [ 461.986683] print_circular_bug.isra.17.cold.34+0x2e3/0x41e [ 461.986684] ? save_trace+0xe0/0x290 [ 461.986685] __lock_acquire+0x35bc/0x47c0 [ 461.986686] ? mark_held_locks+0x130/0x130 [ 461.986688] ? enable_ptr_key_workfn+0x30/0x30 [ 461.986689] ? kasan_check_read+0x11/0x20 [ 461.986690] ? kvm_clock_read+0x18/0x30 [ 461.986691] ? kvm_sched_clock_read+0x9/0x20 [ 461.986693] lock_acquire+0x180/0x3a0 [ 461.986694] ? down_trylock+0x13/0x70 [ 461.986695] ? _raw_spin_lock_irqsave+0x74/0xd0 [ 461.986696] ? vprintk_emit+0x184/0x540 [ 461.986698] _raw_spin_lock_irqsave+0x99/0xd0 [ 461.986699] ? down_trylock+0x13/0x70 [ 461.986700] down_trylock+0x13/0x70 [ 461.986701] ? vprintk_emit+0x184/0x540 [ 461.986703] __down_trylock_console_sem+0x93/0x1a0 [ 461.986704] console_trylock+0x11/0x50 [ 461.986705] vprintk_emit+0x184/0x540 [ 461.986707] ? __internal_add_timer+0x1e0/0x1e0 [ 461.986708] vprintk_default+0x1a/0x20 [ 461.986709] vprintk_func+0x49/0x12c [ 461.986710] printk+0x9a/0xc0 [ 461.986711] ? log_store.cold.12+0x11/0x11 [ 461.986713] ? __pv_queued_spin_lock_slowpath+0x24a/0xc00 [ 461.986714] ? trace_hardirqs_off+0x41/0x180 [ 461.986715] ? work_on_cpu_safe+0x60/0x60 [ 461.986717] __warn_printk+0x86/0xd6 [ 461.986718] ? add_taint.cold.4+0x11/0x11 [ 461.986719] ? __free_object+0xe1/0x1f0 [ 461.986720] ? lock_downgrade+0x860/0x860 [ 461.986722] ? work_on_cpu_safe+0x60/0x60 [ 461.986723] debug_print_object+0x168/0x210 [ 461.986724] ? _raw_spin_unlock_irqrestore+0x6d/0xd0 [ 461.986726] debug_check_no_obj_freed+0x252/0x428 [ 461.986727] kfree+0xbd/0x220 [ 461.986728] bt_host_release+0x10/0x20 [ 461.986729] device_release+0x71/0x1d0 [ 461.986730] kobject_put+0x115/0x1f0 [ 461.986732] put_device+0x12/0x20 [ 461.986733] hci_free_dev+0x10/0x20 [ 461.986734] vhci_release+0x73/0xe0 [ 461.986735] __fput+0x249/0x7f0 [ 461.986737] ? _raw_spin_unlock_irq+0x27/0x90 [ 461.986738] ____fput+0x9/0x10 [ 461.986739] task_work_run+0x108/0x180 [ 461.986740] do_exit+0xa6a/0x2db0 [ 461.986741] ? mm_update_next_owner+0x680/0x680 [ 461.986743] ? do_futex+0x5d2/0x1910 [ 461.986744] ? get_signal+0x2b7/0x1970 [ 461.986745] ? _raw_spin_unlock_irq+0x27/0x90 [ 461.986746] ? get_signal+0x2b7/0x1970 [ 461.986748] do_group_exit+0xf8/0x2c0 [ 461.986749] get_signal+0x308/0x1970 [ 461.986750] do_signal+0x87/0x1860 [ 461.986751] ? setup_sigcontext+0x7d0/0x7d0 [ 461.986757] ? __se_sys_futex+0x209/0x270 [ 461.986758] ? put_timespec64+0xa9/0x100 [ 461.986759] ? __se_compat_sys_gettimeofday+0x130/0x130 [ 461.986761] ? do_futex+0x1910/0x1910 [ 461.986762] ? exit_to_usermode_loop+0x3a/0x1e0 [ 461.986763] ? do_syscall_64+0x413/0x4e0 [ 461.986765] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 461.986766] ? exit_to_usermode_loop+0x3a/0x1e0 [ 461.986767] ? trace_hardirqs_on+0x28/0x190 [ 461.986769] exit_to_usermode_loop+0x159/0x1e0 [ 461.986770] do_syscall_64+0x413/0x4e0 [ 461.986771] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 461.986772] RIP: 0033:0x45d5b9 [ 461.986774] Code: Bad RIP value. [ 461.986775] RSP: 002b:00007f5bd4176cf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 461.986778] RAX: fffffffffffffe00 RBX: 000000000118cf48 RCX: 000000000045d5b9 [ 461.986780] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000118cf48 [ 461.986781] RBP: 000000000118cf40 R08: 0000000000000000 R09: 0000000000000000 [ 461.986783] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c [ 461.986784] R13: 00007fffa5cb91cf R14: 00007f5bd41779c0 R15: 000000000118cf4c [ 461.988364] Kernel Offset: disabled [ 462.916116] Rebooting in 86400 seconds..