./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1823900660 <...> Warning: Permanently added '10.128.1.61' (ED25519) to the list of known hosts. execve("./syz-executor1823900660", ["./syz-executor1823900660"], 0x7ffcf3b03fd0 /* 10 vars */) = 0 brk(NULL) = 0x55555a0c2000 brk(0x55555a0c2d40) = 0x55555a0c2d40 arch_prctl(ARCH_SET_FS, 0x55555a0c23c0) = 0 set_tid_address(0x55555a0c2690) = 5088 set_robust_list(0x55555a0c26a0, 24) = 0 rseq(0x55555a0c2ce0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor1823900660", 4096) = 28 getrandom("\xdf\x85\xf9\xc2\xc9\x91\x70\x97", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55555a0c2d40 brk(0x55555a0e3d40) = 0x55555a0e3d40 brk(0x55555a0e4000) = 0x55555a0e4000 mprotect(0x7ff7ff8be000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 mount(NULL, "/proc/sys/fs/binfmt_misc", "binfmt_misc", 0, NULL) = -1 EBUSY (Device or resource busy) unshare(CLONE_NEWPID) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55555a0c2690) = 5089 ./strace-static-x86_64: Process 5089 attached [pid 5089] set_robust_list(0x55555a0c26a0, 24) = 0 [pid 5089] mount(NULL, "/sys/fs/fuse/connections", "fusectl", 0, NULL) = -1 EBUSY (Device or resource busy) [pid 5089] socket(AF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI) = 3 [pid 5089] openat(AT_FDCWD, "/dev/vhci", O_RDWR) = 4 [pid 5089] dup2(4, 202) = 202 [pid 5089] close(4) = 0 [pid 5089] write(202, "\xff\x00", 2) = 2 [pid 5089] read(202, "\xff\x00\x00\x00", 4) = 4 [pid 5089] rt_sigaction(SIGRT_1, {sa_handler=0x7ff7ff867fb0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7ff7ff859dc0}, NULL, 8) = 0 [pid 5089] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5089] mmap(NULL, 8392704, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7ff7fee00000 [pid 5089] mprotect(0x7ff7fee01000, 8388608, PROT_READ|PROT_WRITE) = 0 [pid 5089] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5089] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7ff7ff600990, parent_tid=0x7ff7ff600990, exit_signal=0, stack=0x7ff7fee00000, stack_size=0x800300, tls=0x7ff7ff6006c0}./strace-static-x86_64: Process 5092 attached => {parent_tid=[2]}, 88) = 2 [pid 5092] rseq(0x7ff7ff600fe0, 0x20, 0, 0x53053053 [pid 5089] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5089] ioctl(3, HCIDEVUP [pid 5092] <... rseq resumed>) = 0 [pid 5092] set_robust_list(0x7ff7ff6009a0, 24) = 0 [pid 5092] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5092] read(202, "\x01\x03\x0c\x00", 1024) = 4 [pid 5092] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5092] read(202, "\x01\x03\x10\x00", 1024) = 4 [pid 5092] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x03\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5092] read(202, "\x01\x01\x10\x00", 1024) = 4 [pid 5092] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x01\x10", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5092] read(202, "\x01\x09\x10\x00", 1024) = 4 [pid 5092] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0a", iov_len=2}, {iov_base="\x01\x09\x10", iov_len=3}, {iov_base="\x00\xaa\xaa\xaa\xaa\xaa\xaa", iov_len=7}], 4) = 13 [pid 5092] read(202, "\x01\x05\x10\x00", 1024) = 4 [pid 5092] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x0b", iov_len=2}, {iov_base="\x01\x05\x10", iov_len=3}, {iov_base="\x00\xfd\x03\x60\x04\x00\x06\x00", iov_len=8}], 4) = 14 [pid 5092] read(202, "\x01\x23\x0c\x00", 1024) = 4 [pid 5092] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x23\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [ 76.803784][ T5090] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 76.823994][ T5090] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 76.832109][ T5090] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [pid 5092] read(202, "\x01\x14\x0c\x00", 1024) = 4 [pid 5092] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x14\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5092] read(202, "\x01\x25\x0c\x00", 1024) = 4 [pid 5092] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x25\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5092] read(202, "\x01\x38\x0c\x00", 1024) = 4 [pid 5092] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x38\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5092] read(202, "\x01\x39\x0c\x00", 1024) = 4 [pid 5092] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x39\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5092] read(202, "\x01\x16\x0c\x02\x00\x7d", 1024) = 6 [pid 5092] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\xfc", iov_len=2}, {iov_base="\x01\x16\x0c", iov_len=3}, {iov_base="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"..., iov_len=249}], 4) = 255 [pid 5092] read(202, [pid 5089] <... ioctl resumed>, 0) = -1 EALREADY (Operation already in progress) [pid 5089] ioctl(3, HCISETSCAN [pid 5092] <... read resumed>"\x01\x1a\x0c\x01\x02", 1024) = 5 [pid 5092] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x0e\x04", iov_len=2}, {iov_base="\x01\x1a\x0c", iov_len=3}, {iov_base="\x00", iov_len=1}], 4) = 7 [pid 5092] rt_sigprocmask(SIG_BLOCK, ~[RT_1], [pid 5089] <... ioctl resumed>, 0x7ffdf60a6258) = 0 [pid 5089] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x04\x0a", iov_len=2}, {iov_base="\xaa\xaa\xaa\xaa\xaa\x10\x00\x00\x00\x01", iov_len=10}], 3 [pid 5092] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5089] <... writev resumed>) = 13 [pid 5092] madvise(0x7ff7fee00000, 8372224, MADV_DONTNEED) = 0 [pid 5089] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x03\x0b", iov_len=2}, {iov_base="\x00\xc8\x00\xaa\xaa\xaa\xaa\xaa\x10\x01\x00", iov_len=11}], 3 [pid 5092] exit(0 [pid 5089] <... writev resumed>) = 14 [pid 5092] <... exit resumed>) = ? [pid 5092] +++ exited with 0 +++ [pid 5089] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\v\v", iov_len=2}, {iov_base="\x00\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00", iov_len=11}], 3) = 14 [ 76.852313][ T5090] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 76.861744][ T5090] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3 [ 76.870014][ T5090] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [pid 5089] writev(202, [{iov_base="\x04", iov_len=1}, {iov_base="\x3e\x13", iov_len=2}, {iov_base="\x01\x00\xc9\x00\x01\x00\xaa\xaa\xaa\xaa\xaa\x11\x00\x00\x00\x00\x00\x00\x00", iov_len=19}], 3) = 22 [pid 5089] close(3) = 0 [pid 5089] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5089] setsid() = 1 [pid 5089] openat(AT_FDCWD, "/proc/self/ns/net", O_RDONLY) = 3 [pid 5089] dup2(3, 201) = 201 [pid 5089] close(3) = 0 [pid 5089] prlimit64(0, RLIMIT_AS, {rlim_cur=204800*1024, rlim_max=204800*1024}, NULL) = 0 [pid 5089] prlimit64(0, RLIMIT_MEMLOCK, {rlim_cur=32768*1024, rlim_max=32768*1024}, NULL) = 0 [pid 5089] prlimit64(0, RLIMIT_FSIZE, {rlim_cur=139264*1024, rlim_max=139264*1024}, NULL) = 0 [pid 5089] prlimit64(0, RLIMIT_STACK, {rlim_cur=1024*1024, rlim_max=1024*1024}, NULL) = 0 [pid 5089] prlimit64(0, RLIMIT_CORE, {rlim_cur=131072*1024, rlim_max=131072*1024}, NULL) = 0 [pid 5089] prlimit64(0, RLIMIT_NOFILE, {rlim_cur=256, rlim_max=256}, NULL) = 0 [pid 5089] unshare(CLONE_NEWNS) = 0 [pid 5089] mount(NULL, "/", NULL, MS_REC|MS_PRIVATE, NULL) = 0 [pid 5089] unshare(CLONE_NEWIPC) = 0 [pid 5089] unshare(CLONE_NEWCGROUP) = 0 [pid 5089] unshare(CLONE_NEWUTS) = 0 [pid 5089] unshare(CLONE_SYSVSEM) = 0 [pid 5089] openat(AT_FDCWD, "/proc/sys/kernel/shmmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5089] write(3, "16777216", 8) = 8 [pid 5089] close(3) = 0 [pid 5089] openat(AT_FDCWD, "/proc/sys/kernel/shmall", O_WRONLY|O_CLOEXEC) = 3 [pid 5089] write(3, "536870912", 9) = 9 [pid 5089] close(3) = 0 [pid 5089] openat(AT_FDCWD, "/proc/sys/kernel/shmmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5089] write(3, "1024", 4) = 4 [pid 5089] close(3) = 0 [pid 5089] openat(AT_FDCWD, "/proc/sys/kernel/msgmax", O_WRONLY|O_CLOEXEC) = 3 [pid 5089] write(3, "8192", 4) = 4 [pid 5089] close(3) = 0 [pid 5089] openat(AT_FDCWD, "/proc/sys/kernel/msgmni", O_WRONLY|O_CLOEXEC) = 3 [pid 5089] write(3, "1024", 4) = 4 [pid 5089] close(3) = 0 [pid 5089] openat(AT_FDCWD, "/proc/sys/kernel/msgmnb", O_WRONLY|O_CLOEXEC) = 3 [pid 5089] write(3, "1024", 4) = 4 [pid 5089] close(3) = 0 [pid 5089] openat(AT_FDCWD, "/proc/sys/kernel/sem", O_WRONLY|O_CLOEXEC) = 3 [pid 5089] write(3, "1024 1048576 500 1024", 21) = 21 [pid 5089] close(3) = 0 [pid 5089] getpid() = 1 [pid 5089] capget({version=_LINUX_CAPABILITY_VERSION_3, pid=1}, {effective=1<rx_work)){+.+.}-{0:0}, at: process_scheduled_works+0x945/0x1830 [ 83.772899][ T5090] #2: ffff8880214bc078 (&hdev->lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0xb1/0xaa0 [ 83.783360][ T5090] #3: ffffffff8f73f388 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_sync_conn_complete_evt+0x532/0xaa0 [ 83.794283][ T5090] #4: ffff8880122c1220 (&conn->lock#2){+.+.}-{2:2}, at: sco_connect_cfm+0x28a/0xb40 [ 83.804057][ T5090] #5: ffff88802bc87258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x461/0xb40 [ 83.815352][ T5090] Preemption disabled at: [ 83.815370][ T5090] [<0000000000000000>] 0x0 [ 83.824326][ T5090] CPU: 0 PID: 5090 Comm: kworker/u9:2 Not tainted 6.10.0-rc5-syzkaller-00243-g6c0483dbfe72 #0 [ 83.834580][ T5090] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 83.844661][ T5090] Workqueue: hci0 hci_rx_work [ 83.849370][ T5090] Call Trace: [ 83.852674][ T5090] [ 83.855603][ T5090] dump_stack_lvl+0x241/0x360 [ 83.860295][ T5090] ? __pfx_dump_stack_lvl+0x10/0x10 [ 83.865503][ T5090] ? __pfx__printk+0x10/0x10 [ 83.870113][ T5090] __might_resched+0x5d4/0x780 [ 83.874882][ T5090] ? __pfx_lock_acquire+0x10/0x10 [ 83.879924][ T5090] ? __pfx___might_resched+0x10/0x10 [ 83.885237][ T5090] ? __pfx_lock_release+0x10/0x10 [ 83.890271][ T5090] ? do_raw_spin_lock+0x14f/0x370 [ 83.895312][ T5090] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 83.900716][ T5090] lock_sock_nested+0x5d/0x100 [ 83.905495][ T5090] sco_connect_cfm+0x461/0xb40 [ 83.910280][ T5090] ? __pfx_sco_connect_cfm+0x10/0x10 [ 83.915590][ T5090] ? hci_conn_add_sysfs+0xfc/0x200 [ 83.920715][ T5090] ? __pfx_sco_connect_cfm+0x10/0x10 [ 83.926007][ T5090] hci_sync_conn_complete_evt+0x5ab/0xaa0 [ 83.931757][ T5090] hci_event_packet+0xac0/0x1540 [ 83.936718][ T5090] ? __pfx_hci_sync_conn_complete_evt+0x10/0x10 [ 83.942981][ T5090] ? __pfx_hci_event_packet+0x10/0x10 [ 83.948366][ T5090] ? do_raw_spin_unlock+0x13c/0x8b0 [ 83.953583][ T5090] ? kcov_remote_start+0x9e/0x7e0 [ 83.958619][ T5090] ? hci_send_to_monitor+0xd8/0x7f0 [ 83.963826][ T5090] ? skb_dequeue+0x113/0x150 [ 83.968428][ T5090] hci_rx_work+0x3e8/0xca0 [ 83.972869][ T5090] ? process_scheduled_works+0x945/0x1830 [ 83.978600][ T5090] process_scheduled_works+0xa2c/0x1830 [ 83.984180][ T5090] ? __pfx_process_scheduled_works+0x10/0x10 [ 83.990177][ T5090] ? assign_work+0x364/0x3d0 [ 83.994780][ T5090] worker_thread+0x86d/0xd50 [ 83.999407][ T5090] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 84.005329][ T5090] ? __kthread_parkme+0x169/0x1d0 [ 84.010392][ T5090] ? __pfx_worker_thread+0x10/0x10 [ 84.015527][ T5090] kthread+0x2f0/0x390 [ 84.019730][ T5090] ? __pfx_worker_thread+0x10/0x10 [ 84.024877][ T5090] ? __pfx_kthread+0x10/0x10 [ 84.029495][ T5090] ret_from_fork+0x4b/0x80 [ 84.033934][ T5090] ? __pfx_kthread+0x10/0x10 [ 84.038542][ T5090] ret_from_fork_asm+0x1a/0x30 [ 84.043339][ T5090] [ 84.430127][ T5089] [ 84.432505][ T5089] ====================================================== [ 84.439522][ T5089] WARNING: possible circular locking dependency detected [ 84.446535][ T5089] 6.10.0-rc5-syzkaller-00243-g6c0483dbfe72 #0 Tainted: G W [ 84.455133][ T5089] ------------------------------------------------------ [ 84.462146][ T5089] syz-executor182/5089 is trying to acquire lock: [ 84.468563][ T5089] ffff88802c28a258 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}, at: bt_accept_dequeue+0xfa/0x560 [ 84.478345][ T5089] [ 84.478345][ T5089] but task is already holding lock: [ 84.485704][ T5089] ffff88802bc87258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320 [ 84.496415][ T5089] [ 84.496415][ T5089] which lock already depends on the new lock. [ 84.496415][ T5089] [ 84.506806][ T5089] [ 84.506806][ T5089] the existing dependency chain (in reverse order) is: [ 84.515805][ T5089] [ 84.515805][ T5089] -> #2 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}: [ 84.524940][ T5089] lock_acquire+0x1ed/0x550 [ 84.529959][ T5089] lock_sock_nested+0x48/0x100 [ 84.536214][ T5089] sco_connect_cfm+0x461/0xb40 [ 84.541508][ T5089] hci_sync_conn_complete_evt+0x5ab/0xaa0 [ 84.547759][ T5089] hci_event_packet+0xac0/0x1540 [ 84.553237][ T5089] hci_rx_work+0x3e8/0xca0 [ 84.558197][ T5089] process_scheduled_works+0xa2c/0x1830 [ 84.564273][ T5089] worker_thread+0x86d/0xd50 [ 84.569397][ T5089] kthread+0x2f0/0x390 [ 84.573994][ T5089] ret_from_fork+0x4b/0x80 [ 84.578938][ T5089] ret_from_fork_asm+0x1a/0x30 [ 84.584229][ T5089] [ 84.584229][ T5089] -> #1 (&conn->lock#2){+.+.}-{2:2}: [ 84.591722][ T5089] lock_acquire+0x1ed/0x550 [ 84.596781][ T5089] _raw_spin_lock+0x2e/0x40 [ 84.601808][ T5089] sco_chan_del+0x64/0x1e0 [ 84.606746][ T5089] sco_conn_del+0x19b/0x310 [ 84.611790][ T5089] hci_conn_hash_flush+0xff/0x240 [ 84.617361][ T5089] hci_dev_close_sync+0x911/0xf60 [ 84.622914][ T5089] hci_unregister_dev+0x1db/0x4e0 [ 84.628465][ T5089] vhci_release+0x83/0xd0 [ 84.633325][ T5089] __fput+0x406/0x8b0 [ 84.637846][ T5089] task_work_run+0x24f/0x310 [ 84.642973][ T5089] do_exit+0xa27/0x27e0 [ 84.647757][ T5089] do_group_exit+0x207/0x2c0 [ 84.652888][ T5089] __x64_sys_exit_group+0x3f/0x40 [ 84.658432][ T5089] do_syscall_64+0xf3/0x230 [ 84.663455][ T5089] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.669883][ T5089] [ 84.669883][ T5089] -> #0 (sk_lock-AF_BLUETOOTH){+.+.}-{0:0}: [ 84.677956][ T5089] validate_chain+0x18e0/0x5900 [ 84.683323][ T5089] __lock_acquire+0x1346/0x1fd0 [ 84.688699][ T5089] lock_acquire+0x1ed/0x550 [ 84.693730][ T5089] lock_sock_nested+0x48/0x100 [ 84.699004][ T5089] bt_accept_dequeue+0xfa/0x560 [ 84.704365][ T5089] __sco_sock_close+0xd6/0x570 [ 84.709645][ T5089] sco_sock_release+0xb3/0x320 [ 84.714942][ T5089] sock_close+0xbc/0x240 [ 84.719724][ T5089] __fput+0x406/0x8b0 [ 84.724326][ T5089] task_work_run+0x24f/0x310 [ 84.729438][ T5089] do_exit+0xa27/0x27e0 [ 84.734119][ T5089] do_group_exit+0x207/0x2c0 [ 84.739229][ T5089] __x64_sys_exit_group+0x3f/0x40 [ 84.744863][ T5089] do_syscall_64+0xf3/0x230 [ 84.749889][ T5089] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.756308][ T5089] [ 84.756308][ T5089] other info that might help us debug this: [ 84.756308][ T5089] [ 84.766534][ T5089] Chain exists of: [ 84.766534][ T5089] sk_lock-AF_BLUETOOTH --> &conn->lock#2 --> sk_lock-AF_BLUETOOTH-BTPROTO_SCO [ 84.766534][ T5089] [ 84.781321][ T5089] Possible unsafe locking scenario: [ 84.781321][ T5089] [ 84.788789][ T5089] CPU0 CPU1 [ 84.794146][ T5089] ---- ---- [ 84.799496][ T5089] lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO); [ 84.805396][ T5089] lock(&conn->lock#2); [ 84.812163][ T5089] lock(sk_lock-AF_BLUETOOTH-BTPROTO_SCO); [ 84.820583][ T5089] lock(sk_lock-AF_BLUETOOTH); [ 84.825438][ T5089] [ 84.825438][ T5089] *** DEADLOCK *** [ 84.825438][ T5089] [ 84.833667][ T5089] 2 locks held by syz-executor182/5089: [ 84.839204][ T5089] #0: ffff88807a2ba610 (&sb->s_type->i_mutex_key#9){+.+.}-{3:3}, at: sock_close+0x90/0x240 [ 84.849351][ T5089] #1: ffff88802bc87258 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_sock_release+0x5a/0x320 [ 84.860519][ T5089] [ 84.860519][ T5089] stack backtrace: [ 84.866425][ T5089] CPU: 0 PID: 5089 Comm: syz-executor182 Tainted: G W 6.10.0-rc5-syzkaller-00243-g6c0483dbfe72 #0 [ 84.878408][ T5089] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 [ 84.888465][ T5089] Call Trace: [ 84.891746][ T5089] [ 84.894674][ T5089] dump_stack_lvl+0x241/0x360 [ 84.899360][ T5089] ? __pfx_dump_stack_lvl+0x10/0x10 [ 84.904564][ T5089] ? print_circular_bug+0x130/0x1a0 [ 84.909791][ T5089] check_noncircular+0x36a/0x4a0 [ 84.914741][ T5089] ? __pfx_check_noncircular+0x10/0x10 [ 84.920207][ T5089] ? queued_spin_lock_slowpath+0x42/0x50 [ 84.925855][ T5089] ? lockdep_lock+0x1b0/0x2b0 [ 84.930531][ T5089] ? __pfx_check_noncircular+0x10/0x10 [ 84.936002][ T5089] ? queued_spin_lock_slowpath+0x42/0x50 [ 84.941634][ T5089] ? _find_first_zero_bit+0xd3/0x100 [ 84.946940][ T5089] validate_chain+0x18e0/0x5900 [ 84.951804][ T5089] ? __pfx_validate_chain+0x10/0x10 [ 84.957002][ T5089] ? __pfx_validate_chain+0x10/0x10 [ 84.962205][ T5089] ? __pfx_validate_chain+0x10/0x10 [ 84.967397][ T5089] ? is_bpf_text_address+0x285/0x2a0 [ 84.972692][ T5089] ? mark_lock+0x9a/0x350 [ 84.977033][ T5089] __lock_acquire+0x1346/0x1fd0 [ 84.981900][ T5089] lock_acquire+0x1ed/0x550 [ 84.986394][ T5089] ? bt_accept_dequeue+0xfa/0x560 [ 84.991424][ T5089] ? __pfx_lock_acquire+0x10/0x10 [ 84.996440][ T5089] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 85.002423][ T5089] ? sco_sock_release+0x5a/0x320 [ 85.007353][ T5089] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 85.013675][ T5089] lock_sock_nested+0x48/0x100 [ 85.018442][ T5089] ? bt_accept_dequeue+0xfa/0x560 [ 85.023457][ T5089] bt_accept_dequeue+0xfa/0x560 [ 85.028312][ T5089] __sco_sock_close+0xd6/0x570 [ 85.033091][ T5089] sco_sock_release+0xb3/0x320 [ 85.037866][ T5089] sock_close+0xbc/0x240 [ 85.042139][ T5089] ? __pfx_sock_close+0x10/0x10 [ 85.047030][ T5089] __fput+0x406/0x8b0 [ 85.051036][ T5089] task_work_run+0x24f/0x310 [ 85.055639][ T5089] ? __pfx_task_work_run+0x10/0x10 [ 85.060760][ T5089] ? do_exit+0xa22/0x27e0 [ 85.065100][ T5089] ? kmem_cache_free+0x145/0x350 [ 85.070050][ T5089] do_exit+0xa27/0x27e0 [ 85.074239][ T5089] ? __pfx_do_exit+0x10/0x10 [ 85.078859][ T5089] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 85.084953][ T5089] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 85.091303][ T5089] ? _raw_spin_unlock_irq+0x23/0x50 [ 85.096511][ T5089] ? lockdep_hardirqs_on+0x99/0x150 [ 85.101806][ T5089] do_group_exit+0x207/0x2c0 [ 85.106434][ T5089] __x64_sys_exit_group+0x3f/0x40 [ 85.111480][ T5089] do_syscall_64+0xf3/0x230 [ 85.116010][ T5089] ? clear_bhb_loop+0x35/0x90 [ 85.120705][ T5089] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.126655][ T5089] RIP: 0033:0x7ff7ff83e779 [ 85.131078][ T5089] Code: Unable to access opcode bytes at 0x7ff7ff83e74f. [ 85.138104][ T5089] RSP: 002b:00007ffdf60a61b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 85.146528][ T5089] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ff7ff83e779 [ 85.154518][ T5089] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001 [ 85.162507][ T5089] RBP: 00007ff7ff8c43b0 R08: ffffffffffffffb0 R09: 000055555a0c3000 [ 85.170483][ T5089] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff7ff8c43b0 [pid 5089] +++ exited with 1 +++ --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=5089, si_uid=0, si_status=1, si_utime=0, si_stime=123 /* 1.23 s */} --- exit_group(0) = ? +++ exited with 0 +++ [ 85.178468][ T5089] R13: 0000000000000000 R14: 00007f