Warning: Permanently added '[localhost]:55574' (ECDSA) to the list of known hosts. 2023/02/24 10:51:35 fuzzer started 2023/02/24 10:51:36 dialing manager at localhost:41417 syzkaller login: [ 35.920446] cgroup: Unknown subsys name 'net' [ 36.028743] cgroup: Unknown subsys name 'rlimit' 2023/02/24 10:51:48 syscalls: 2217 2023/02/24 10:51:48 code coverage: enabled 2023/02/24 10:51:48 comparison tracing: enabled 2023/02/24 10:51:48 extra coverage: enabled 2023/02/24 10:51:48 setuid sandbox: enabled 2023/02/24 10:51:48 namespace sandbox: enabled 2023/02/24 10:51:48 Android sandbox: enabled 2023/02/24 10:51:48 fault injection: enabled 2023/02/24 10:51:48 leak checking: enabled 2023/02/24 10:51:48 net packet injection: enabled 2023/02/24 10:51:48 net device setup: enabled 2023/02/24 10:51:48 concurrency sanitizer: /sys/kernel/debug/kcsan does not exist 2023/02/24 10:51:48 devlink PCI setup: PCI device 0000:00:10.0 is not available 2023/02/24 10:51:48 USB emulation: enabled 2023/02/24 10:51:48 hci packet injection: enabled 2023/02/24 10:51:48 wifi device emulation: enabled 2023/02/24 10:51:48 802.15.4 emulation: enabled 2023/02/24 10:51:48 fetching corpus: 0, signal 0/2000 (executing program) 2023/02/24 10:51:48 fetching corpus: 17, signal 18517/21231 (executing program) 2023/02/24 10:51:48 fetching corpus: 29, signal 28698/31796 (executing program) 2023/02/24 10:51:48 fetching corpus: 55, signal 39586/42207 (executing program) 2023/02/24 10:51:49 fetching corpus: 101, signal 57142/57425 (executing program) 2023/02/24 10:51:49 fetching corpus: 105, signal 57218/57553 (executing program) 2023/02/24 10:51:49 fetching corpus: 105, signal 57218/57621 (executing program) 2023/02/24 10:51:49 fetching corpus: 105, signal 57218/57671 (executing program) 2023/02/24 10:51:49 fetching corpus: 105, signal 57218/57733 (executing program) 2023/02/24 10:51:49 fetching corpus: 105, signal 57218/57781 (executing program) 2023/02/24 10:51:49 fetching corpus: 106, signal 57227/57846 (executing program) 2023/02/24 10:51:49 fetching corpus: 106, signal 57469/58067 (executing program) 2023/02/24 10:51:49 fetching corpus: 106, signal 57469/58118 (executing program) 2023/02/24 10:51:49 fetching corpus: 106, signal 57469/58175 (executing program) 2023/02/24 10:51:49 fetching corpus: 106, signal 57469/58229 (executing program) 2023/02/24 10:51:49 fetching corpus: 106, signal 57469/58291 (executing program) 2023/02/24 10:51:49 fetching corpus: 106, signal 57469/58337 (executing program) 2023/02/24 10:51:49 fetching corpus: 106, signal 57469/58399 (executing program) 2023/02/24 10:51:49 fetching corpus: 106, signal 57469/58440 (executing program) 2023/02/24 10:51:49 fetching corpus: 106, signal 57469/58484 (executing program) 2023/02/24 10:51:49 fetching corpus: 106, signal 57469/58553 (executing program) 2023/02/24 10:51:49 fetching corpus: 106, signal 57469/58608 (executing program) 2023/02/24 10:51:49 fetching corpus: 106, signal 57470/58667 (executing program) 2023/02/24 10:51:49 fetching corpus: 106, signal 57470/58720 (executing program) 2023/02/24 10:51:49 fetching corpus: 106, signal 57470/58785 (executing program) 2023/02/24 10:51:49 fetching corpus: 106, signal 57470/58839 (executing program) 2023/02/24 10:51:49 fetching corpus: 106, signal 57470/58905 (executing program) 2023/02/24 10:51:49 fetching corpus: 106, signal 57470/58944 (executing program) 2023/02/24 10:51:49 fetching corpus: 106, signal 57470/58992 (executing program) 2023/02/24 10:51:49 fetching corpus: 107, signal 57473/59012 (executing program) 2023/02/24 10:51:49 fetching corpus: 107, signal 57478/59012 (executing program) 2023/02/24 10:51:49 fetching corpus: 107, signal 57579/59012 (executing program) 2023/02/24 10:51:49 fetching corpus: 107, signal 57579/59012 (executing program) 2023/02/24 10:51:52 starting 8 fuzzer processes 10:51:52 executing program 0: r0 = add_key$keyring(&(0x7f0000000240), &(0x7f0000000280)={'syz', 0x0}, 0x0, 0x0, 0xfffffffffffffffd) r1 = add_key$keyring(&(0x7f00000002c0), &(0x7f0000000300)={'syz', 0x1}, 0x0, 0x0, r0) syz_mount_image$ext4(0x0, 0x0, 0x0, 0x2, &(0x7f0000001980)=[{&(0x7f0000000500)="19a36561201fb4429a129cc6ae34f21c5e62954a592faf3778ece462167e4baf0d073f29f8f18efd8141cb7fbedd48dde6105b72d8ea80040129861229ebc407f78160f852ba79fbae9bb3eff113959e935529fd25df9b70f0fa90935d1a400528e3d405ec97093ae83e477167043e5efec8e35958319abc07566a48209636733680c85d4a6f5c64a2729599664118c4739e6fa015a9fb3d2db2bebe83576aa873f311a5740c6199daa343c223", 0xad}, {&(0x7f0000000600)="60e741e2a178879c4a422899be337326733ba146bf3d0e9469866c325907a0f9bad27323", 0x24}], 0x0, 0x0) add_key(&(0x7f0000000000)='dns_resolver\x00', &(0x7f0000000380)={'syz', 0x1}, &(0x7f00000003c0)="18419cc68448de3ae8f97ea6a46d823d4f19cecbf569a58b79851d91f3da031fecf4dfebf4ac3b13988a048b4e35761cb05a5d5b28e1ca6ceebae02cbbf7e894098749d5f99cb226f14f00b6034bfb02a7a5af409f531820bd319b9d7c3405022b550d32ad368fdbbddb8ed631d1dde9a4ed", 0xff10, r1) 10:51:52 executing program 1: perf_event_open(&(0x7f0000000080)={0x2, 0x80, 0xc1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0, 0x2}, 0xcc80}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) io_uring_register$IORING_UNREGISTER_BUFFERS(0xffffffffffffffff, 0x1, 0x1000000, 0x0) syz_io_uring_setup(0x4cdd, &(0x7f0000000140)={0x0, 0x0, 0x10, 0x3, 0x20f}, &(0x7f0000ffd000/0x3000)=nil, &(0x7f0000ffe000/0x2000)=nil, &(0x7f0000000000), &(0x7f0000000300)) perf_event_open(&(0x7f0000000280)={0x1, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x5, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x4, @perf_bp={&(0x7f0000000040), 0xb}, 0x0, 0x20, 0x0, 0x0, 0x8}, 0x0, 0xfffffeffffffffff, 0xffffffffffffffff, 0x2) r0 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file1\x00', 0x4042, 0x0) io_uring_enter(0xffffffffffffffff, 0x0, 0x29cf, 0x0, &(0x7f0000000200)={[0x135]}, 0x8) fallocate(r0, 0x0, 0x0, 0x87ffffc) pidfd_open(0x0, 0x0) r1 = openat$full(0xffffffffffffff9c, &(0x7f00000001c0), 0x2040, 0x0) ioctl$AUTOFS_IOC_EXPIRE_MULTI(r1, 0x40049366, &(0x7f0000000240)=0x6) socket$inet6_udp(0xa, 0x2, 0x0) sendmmsg$inet6(0xffffffffffffffff, &(0x7f0000002880), 0x4000101, 0x0) 10:51:52 executing program 4: ptrace(0x10, 0x1) sched_setattr(0x0, &(0x7f0000000040)={0x38, 0x6, 0x0, 0x0, 0x0, 0x8000000009917, 0x400000000000fffd}, 0x0) sched_setattr(0x0, &(0x7f0000000080)={0x38, 0x0, 0x0, 0xffffffffffffffff}, 0x0) sched_setattr(0x0, &(0x7f00000000c0)={0x38, 0x0, 0x0, 0x1}, 0x0) 10:51:52 executing program 2: r0 = syz_io_uring_setup(0x1, &(0x7f0000000080)={0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f00000a0000)=nil, &(0x7f00000b0000)=nil, &(0x7f0000000100), &(0x7f0000000140)) r1 = socket$packet(0x11, 0x3, 0x300) ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'syz_tun\x00', 0x0}) bind$packet(r1, &(0x7f00000000c0)={0x11, 0x4, r2, 0x1, 0x0, 0x6, @random="2037f1375c88"}, 0x14) close_range(r0, 0xffffffffffffffff, 0x0) 10:51:52 executing program 3: openat$hpet(0xffffffffffffff9c, &(0x7f0000000140), 0x40200, 0x0) r0 = openat$vcs(0xffffffffffffff9c, 0x0, 0x149200, 0x0) r1 = openat$sr(0xffffffffffffff9c, &(0x7f00000001c0), 0x0, 0x0) ioctl$NS_GET_OWNER_UID(r1, 0xb704, &(0x7f0000000300)=0x0) perf_event_open(&(0x7f0000000080)={0x2, 0x80, 0xc2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x2) ioctl$AUTOFS_DEV_IOCTL_REQUESTER(r0, 0xc018937b, &(0x7f0000000000)=ANY=[@ANYBLOB="4d0000000000000003473843485be0798e89e520855b29000000000000000000", @ANYRES32=r1, @ANYRES32=r2, @ANYRES32=0xee00, @ANYBLOB="06000000000000"]) io_uring_enter(r3, 0x4dd8, 0x2346, 0x1, &(0x7f0000000340)={[0x7cb]}, 0x8) perf_event_open(&(0x7f0000000280)={0x1, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext, 0x0, 0x0, 0x0, 0x0, 0x0, 0x6, 0xffff}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000040)={0x1, &(0x7f0000000100)=[{0x6, 0x0, 0x0, 0x7fff0000}]}) syz_mount_image$vfat(0x0, &(0x7f0000000100)='./file0\x00', 0x0, 0x0, 0x0, 0x0, 0x0) syz_open_pts(0xffffffffffffffff, 0x4a880) r4 = io_uring_register$IORING_REGISTER_PERSONALITY(0xffffffffffffffff, 0x9, 0x0, 0x0) syz_io_uring_submit(0x0, 0x0, &(0x7f0000000200)=@IORING_OP_POLL_REMOVE={0x7, 0x1, 0x0, 0x0, 0x0, 0x12345, 0x0, 0x0, 0x1, {0x0, r4}}, 0x0) r5 = socket$inet_tcp(0x2, 0x1, 0x0) syz_io_uring_submit(0x0, 0x0, &(0x7f0000000180)=@IORING_OP_PROVIDE_BUFFERS={0x1f, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x0) socket$inet_icmp(0x2, 0x2, 0x1) ioctl$sock_SIOCADDRT(0xffffffffffffffff, 0x890b, &(0x7f0000000380)={0x0, @phonet={0x23, 0x10, 0x9, 0xff}, @tipc=@nameseq={0x1e, 0x1, 0x3, {0x0, 0x1, 0x1}}, @sco, 0x800, 0x0, 0x0, 0x0, 0x2, &(0x7f0000000240)='netpci0\x00', 0x100000001, 0xffff, 0x8}) syz_io_uring_submit(0x0, 0x0, &(0x7f0000000040)=@IORING_OP_CONNECT={0x10, 0x2, 0x0, r5, 0x80, &(0x7f0000000280)=@l2tp={0x2, 0x0, @loopback}}, 0x0) 10:51:52 executing program 5: perf_event_open(&(0x7f0000000080)={0x2, 0x80, 0xc2, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffdfffffffffffff, 0xffffffffffffffff, 0x0) setresuid(0x0, 0x0, 0x0) getpid() r0 = socket$inet6(0xa, 0x1, 0x0) r1 = fcntl$dupfd(r0, 0x0, r0) recvmsg$unix(r1, &(0x7f0000000b40)={0x0, 0x0, 0x0}, 0x2100) openat$nvram(0xffffffffffffff9c, &(0x7f0000000600), 0x10480, 0x0) ioprio_set$uid(0x0, 0x0, 0x0) 10:51:52 executing program 6: r0 = socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0) sendmsg$NL80211_CMD_CONNECT(r0, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x3c, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @NL80211_ATTR_MAC={0xa, 0x6, @from_mac}, @chandef_params=[@NL80211_ATTR_WIPHY_FREQ={0x8}]]}, 0x3c}}, 0x0) syz_80211_inject_frame(0x0, 0x0, 0x0) nanosleep(0x0, 0x0) syz_80211_inject_frame(0x0, 0x0, 0x0) nanosleep(0x0, 0x0) syz_80211_inject_frame(0x0, 0x0, 0x0) [ 51.787965] audit: type=1400 audit(1677235912.084:6): avc: denied { execmem } for pid=258 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1 10:51:52 executing program 7: r0 = syz_io_uring_setup(0x1, &(0x7f0000000000)={0x0, 0x0, 0x1}, &(0x7f0000ffd000/0x2000)=nil, &(0x7f00000b0000)=nil, &(0x7f0000000080)=0x0, &(0x7f0000000200)=0x0) syz_io_uring_submit(r1, r2, &(0x7f0000000240)=@IORING_OP_READV=@use_registered_buffer, 0x0) io_uring_enter(r0, 0x1, 0x0, 0xf, 0x0, 0x18) [ 53.078823] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 53.080985] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 53.112093] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 53.114353] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1 [ 53.127754] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9 [ 53.129129] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9 [ 53.132491] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4 [ 53.135018] Bluetooth: hci2: unexpected cc 0x0c25 length: 249 > 3 [ 53.136106] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 53.136220] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 [ 53.142406] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 53.143997] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 53.145760] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 53.148839] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 53.150875] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3 [ 53.152080] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 53.172115] Bluetooth: hci5: unexpected cc 0x0c03 length: 249 > 1 [ 53.174040] Bluetooth: hci5: unexpected cc 0x1003 length: 249 > 9 [ 53.193958] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 53.195768] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 53.197422] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 53.200222] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 53.201194] Bluetooth: hci5: unexpected cc 0x1001 length: 249 > 9 [ 53.205058] Bluetooth: hci3: unexpected cc 0x0c25 length: 249 > 3 [ 53.206057] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3 [ 53.212729] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 53.213645] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 53.227458] Bluetooth: hci5: unexpected cc 0x0c23 length: 249 > 4 [ 53.299565] Bluetooth: hci5: unexpected cc 0x0c25 length: 249 > 3 [ 53.301143] Bluetooth: hci5: unexpected cc 0x0c38 length: 249 > 2 [ 55.195480] Bluetooth: hci6: Opcode 0x c03 failed: -110 [ 55.196529] Bluetooth: hci2: command 0x0409 tx timeout [ 55.197116] Bluetooth: hci1: command 0x0409 tx timeout [ 55.198040] Bluetooth: hci4: Opcode 0x c03 failed: -110 [ 55.198113] [ 55.198675] ====================================================== [ 55.199269] WARNING: possible circular locking dependency detected [ 55.200022] 6.2.0-next-20230224 #1 Not tainted [ 55.200576] ------------------------------------------------------ [ 55.202062] syz-executor.5/270 is trying to acquire lock: [ 55.203147] ffff8880199e8880 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: __flush_work+0xdd/0xd80 [ 55.204535] [ 55.204535] but task is already holding lock: [ 55.205069] ffff8880199e8920 (&hdev->cmd_sync_work_lock){+.+.}-{3:3}, at: hci_cmd_sync_clear+0x45/0x250 [ 55.205949] [ 55.205949] which lock already depends on the new lock. [ 55.205949] [ 55.206666] [ 55.206666] the existing dependency chain (in reverse order) is: [ 55.207326] [ 55.207326] -> #1 (&hdev->cmd_sync_work_lock){+.+.}-{3:3}: [ 55.207981] __mutex_lock+0x133/0x14a0 [ 55.208412] hci_cmd_sync_work+0x1e6/0x320 [ 55.208863] process_one_work+0xa0f/0x1790 [ 55.209315] worker_thread+0x63b/0x1260 [ 55.209746] kthread+0x2e9/0x3a0 [ 55.210113] ret_from_fork+0x2c/0x50 [ 55.210512] [ 55.210512] -> #0 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}: [ 55.211252] __lock_acquire+0x2d56/0x6380 [ 55.211701] lock_acquire.part.0+0xea/0x320 [ 55.212163] __flush_work+0x109/0xd80 [ 55.212574] __cancel_work_timer+0x39c/0x4e0 [ 55.213023] hci_cmd_sync_clear+0x52/0x250 [ 55.213471] hci_unregister_dev+0xf9/0x410 [ 55.213917] vhci_release+0x80/0x100 [ 55.214317] __fput+0x263/0xa40 [ 55.214679] task_work_run+0x174/0x280 [ 55.215097] do_exit+0xad8/0x2800 [ 55.215473] do_group_exit+0xd4/0x2a0 [ 55.215892] __x64_sys_exit_group+0x3e/0x50 [ 55.216342] do_syscall_64+0x3f/0x90 [ 55.216734] entry_SYSCALL_64_after_hwframe+0x72/0xdc [ 55.217250] [ 55.217250] other info that might help us debug this: [ 55.217250] [ 55.217998] Possible unsafe locking scenario: [ 55.217998] [ 55.218571] CPU0 CPU1 [ 55.219021] ---- ---- [ 55.219438] lock(&hdev->cmd_sync_work_lock); [ 55.219868] lock((work_completion)(&hdev->cmd_sync_work)); [ 55.220597] lock(&hdev->cmd_sync_work_lock); [ 55.221217] lock((work_completion)(&hdev->cmd_sync_work)); [ 55.221741] [ 55.221741] *** DEADLOCK *** [ 55.221741] [ 55.222312] 1 lock held by syz-executor.5/270: [ 55.222728] #0: ffff8880199e8920 (&hdev->cmd_sync_work_lock){+.+.}-{3:3}, at: hci_cmd_sync_clear+0x45/0x250 [ 55.223666] [ 55.223666] stack backtrace: [ 55.224076] CPU: 0 PID: 270 Comm: syz-executor.5 Not tainted 6.2.0-next-20230224 #1 [ 55.224763] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 [ 55.225565] Call Trace: [ 55.225826] [ 55.226065] dump_stack_lvl+0x91/0xf0 [ 55.226476] check_noncircular+0x263/0x2e0 [ 55.226921] ? __pfx_check_noncircular+0x10/0x10 [ 55.227412] ? queued_spin_lock_slowpath+0xd1/0xc50 [ 55.227958] __lock_acquire+0x2d56/0x6380 [ 55.228398] ? __pfx___lock_acquire+0x10/0x10 [ 55.228875] ? __pfx_queued_spin_lock_slowpath+0x10/0x10 [ 55.229425] ? __wait_for_common+0x394/0x550 [ 55.229890] ? __pfx_lock_release+0x10/0x10 [ 55.230343] lock_acquire.part.0+0xea/0x320 [ 55.230796] ? __flush_work+0xdd/0xd80 [ 55.231207] ? __pfx_lock_acquire.part.0+0x10/0x10 [ 55.231728] ? __flush_work+0xdd/0xd80 [ 55.232138] ? rcu_read_lock_sched_held+0x42/0x80 [ 55.232636] ? trace_lock_acquire+0x170/0x1e0 [ 55.233101] ? __flush_work+0xdd/0xd80 [ 55.233524] ? lock_acquire+0x32/0xc0 [ 55.233922] ? __flush_work+0xdd/0xd80 [ 55.234337] __flush_work+0x109/0xd80 [ 55.234746] ? __flush_work+0xdd/0xd80 [ 55.235171] ? __pfx_mark_lock.part.0+0x10/0x10 [ 55.235672] ? __pfx___flush_work+0x10/0x10 [ 55.236123] ? lock_acquire.part.0+0xea/0x320 [ 55.236591] ? hci_cmd_sync_clear+0x45/0x250 [ 55.237042] ? __pfx_lock_acquire.part.0+0x10/0x10 [ 55.237561] ? hci_cmd_sync_clear+0x45/0x250 [ 55.238021] ? rcu_read_lock_sched_held+0x42/0x80 [ 55.238525] ? trace_lock_acquire+0x170/0x1e0 [ 55.238997] ? lock_is_held_type+0x9f/0x120 [ 55.239421] ? mark_held_locks+0x9e/0xe0 [ 55.239822] __cancel_work_timer+0x39c/0x4e0 [ 55.240234] ? __pfx___cancel_work_timer+0x10/0x10 [ 55.240686] ? __cancel_work_timer+0x2aa/0x4e0 [ 55.241115] ? __pfx___cancel_work_timer+0x10/0x10 [ 55.241571] ? lock_release+0x1e3/0x710 [ 55.241958] ? __pfx_lock_release+0x10/0x10 [ 55.242376] ? do_raw_write_lock+0x11e/0x3b0 [ 55.242796] ? __pfx_vhci_release+0x10/0x10 [ 55.243208] hci_cmd_sync_clear+0x52/0x250 [ 55.243617] ? __pfx_vhci_release+0x10/0x10 [ 55.244025] hci_unregister_dev+0xf9/0x410 [ 55.244458] vhci_release+0x80/0x100 [ 55.244857] __fput+0x263/0xa40 [ 55.245206] task_work_run+0x174/0x280 [ 55.245613] ? __pfx_task_work_run+0x10/0x10 [ 55.246072] ? do_raw_spin_unlock+0x53/0x220 [ 55.246528] do_exit+0xad8/0x2800 [ 55.246889] ? lock_release+0x1e3/0x710 [ 55.247305] ? __pfx_lock_release+0x10/0x10 [ 55.247777] ? do_raw_spin_lock+0x125/0x270 [ 55.248221] ? __pfx_do_exit+0x10/0x10 [ 55.248624] do_group_exit+0xd4/0x2a0 [ 55.249017] __x64_sys_exit_group+0x3e/0x50 [ 55.249468] do_syscall_64+0x3f/0x90 [ 55.249850] entry_SYSCALL_64_after_hwframe+0x72/0xdc [ 55.250372] RIP: 0033:0x7f36bcdd6b19 [ 55.250752] Code: Unable to access opcode bytes at 0x7f36bcdd6aef. [ 55.251361] RSP: 002b:00007ffe0df69a28 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 55.252119] RAX: ffffffffffffffda RBX: 00007ffe0df6a208 RCX: 00007f36bcdd6b19 [ 55.252839] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000043 [ 55.253541] RBP: 0000000000000000 R08: 0000000000000026 R09: 00007ffe0df6a208 [ 55.254251] R10: 0000000000000020 R11: 0000000000000246 R12: 00007f36bce30233 [ 55.254952] R13: 0000000000000002 R14: 0000000000000000 R15: 00000000000000f8 [ 55.255705] [ 55.259357] Bluetooth: hci7: Opcode 0x c03 failed: -110 [ 55.259395] Bluetooth: hci0: command 0x0409 tx timeout [ 55.259897] Bluetooth: hci3: command 0x0409 tx timeout [ 55.323390] Bluetooth: hci5: command 0x0409 tx timeout [ 57.243407] Bluetooth: hci2: command 0x041b tx timeout [ 57.243837] Bluetooth: hci1: command 0x041b tx timeout [ 57.307379] Bluetooth: hci0: command 0x041b tx timeout [ 57.307813] Bluetooth: hci3: command 0x041b tx timeout [ 57.371361] Bluetooth: hci5: command 0x041b tx timeout [ 57.953534] Bluetooth: hci4: unexpected cc 0x0c03 length: 249 > 1 [ 57.954153] Bluetooth: hci4: unexpected cc 0x1003 length: 249 > 9 [ 57.955854] Bluetooth: hci4: unexpected cc 0x1001 length: 249 > 9 [ 57.956884] Bluetooth: hci4: unexpected cc 0x0c23 length: 249 > 4 [ 57.959286] Bluetooth: hci4: unexpected cc 0x0c25 length: 249 > 3 [ 57.960876] Bluetooth: hci4: unexpected cc 0x0c38 length: 249 > 2 [ 59.291378] Bluetooth: hci1: command 0x040f tx timeout [ 59.291388] Bluetooth: hci2: command 0x040f tx timeout [ 59.355444] Bluetooth: hci3: command 0x040f tx timeout [ 59.356157] Bluetooth: hci0: command 0x040f tx timeout [ 59.419370] Bluetooth: hci5: command 0x040f tx timeout [ 59.995457] Bluetooth: hci4: command 0x0409 tx timeout [ 60.059352] Bluetooth: hci7: Opcode 0x c03 failed: -110 [ 60.059849] Bluetooth: hci6: Opcode 0x c03 failed: -110 [ 61.339402] Bluetooth: hci2: command 0x0419 tx timeout [ 61.339871] Bluetooth: hci1: command 0x0419 tx timeout [ 61.403396] Bluetooth: hci0: command 0x0419 tx timeout [ 61.403844] Bluetooth: hci3: command 0x0419 tx timeout [ 61.467382] Bluetooth: hci5: command 0x0419 tx timeout [ 62.043362] Bluetooth: hci4: command 0x041b tx timeout [ 62.442610] Bluetooth: hci6: unexpected cc 0x0c03 length: 249 > 1 [ 62.444311] Bluetooth: hci6: unexpected cc 0x1003 length: 249 > 9 [ 62.445680] Bluetooth: hci6: unexpected cc 0x1001 length: 249 > 9 [ 62.449725] Bluetooth: hci6: unexpected cc 0x0c23 length: 249 > 4 [ 62.450774] Bluetooth: hci6: unexpected cc 0x0c25 length: 249 > 3 [ 62.451365] Bluetooth: hci6: unexpected cc 0x0c38 length: 249 > 2 [ 64.091388] Bluetooth: hci4: command 0x040f tx timeout [ 64.475405] Bluetooth: hci6: command 0x0409 tx timeout [ 64.539397] Bluetooth: hci7: Opcode 0x c03 failed: -110 VM DIAGNOSIS: 10:51:55 Registers: info registers vcpu 0 RAX=dffffc0000000060 RBX=00000000000003fd RCX=0000000000000000 RDX=00000000000003fd RSI=ffffffff825027d0 RDI=ffffffff87f10da0 RBP=ffffffff87f10d60 RSP=ffff888037147138 R8 =0000000000000004 R9 =0000000000000010 R10=0000000000000010 R11=0000000000000001 R12=0000000000002710 R13=0000000000000020 R14=fffffbfff0fe2205 R15=dffffc0000000000 RIP=ffffffff82502825 RFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0 ES =0000 0000000000000000 00000000 00000000 CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA] SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA] DS =0000 0000000000000000 00000000 00000000 FS =0000 0000000000000000 00000000 00000000 GS =0000 ffff88806ce00000 00000000 00000000 LDT=0000 fffffe0000000000 00000000 00000000 TR =0040 fffffe749a3fa000 00004087 00008b00 DPL=0 TSS64-busy GDT= fffffe749a3f8000 0000007f IDT= fffffe0000000000 00000fff CR0=80050033 CR2=00007f29833941f0 CR3=000000000eabe000 CR4=00350ef0 DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 DR6=00000000ffff0ff0 DR7=0000000000000400 EFER=0000000000000d01 FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80 FPR0=0000000000000000 0000 FPR1=0000000000000000 0000 FPR2=0000000000000000 0000 FPR3=0000000000000000 0000 FPR4=0000000000000000 0000 FPR5=0000000000000000 0000 FPR6=0000000000000000 0000 FPR7=0000000000000000 0000 XMM00=756e696c2d34365f3638782f62696c2f XMM01=6461657268747062696c2f756e672d78 XMM02=00302e6f732e6461657268747062696c XMM03=2f756e672d78756e696c2d34365f3638 XMM04=00000000000000000000000000000000 XMM05=00000000000000000000000000000000 XMM06=00000000000000000000000000000000 XMM07=00000000000000000000000000000000 XMM08=00000000000000000000000000000000 XMM09=00000000000000000000000000000000 XMM10=00000000000000000000000000000000 XMM11=00000000000000000000000000000000 XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000 XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000 info registers vcpu 1 RAX=dffffc0000000000 RBX=ffffffff813a4c60 RCX=0000000000000001 RDX=1ffff1100776deda RSI=ffffffff8443b78f RDI=ffff88803bb6f740 RBP=ffff88803bb6f710 RSP=ffff88803bb6f670 R8 =0000000000000001 R9 =ffff88803bb6f6b8 R10=0000000000038001 R11=0000000000000001 R12=ffff88803bb6f740 R13=0000000000000000 R14=ffff88801c475040 R15=ffff88800eb03e10 RIP=ffffffff813a4c6e RFL=00000282 [--S----] CPL=0 II=0 A20=1 SMM=0 HLT=0 ES =0000 0000000000000000 00000000 00000000 CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA] SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA] DS =0000 0000000000000000 00000000 00000000 FS =0000 0000000000000000 00000000 00000000 GS =0000 ffff88806cf00000 00000000 00000000 LDT=0000 fffffe0000000000 00000000 00000000 TR =0040 fffffe5e27ceb000 00004087 00008b00 DPL=0 TSS64-busy GDT= fffffe5e27ce9000 0000007f IDT= fffffe0000000000 00000fff CR0=80050033 CR2=00007f4e8a0b58e0 CR3=000000003baa6000 CR4=00350ee0 DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000 DR6=00000000ffff0ff0 DR7=0000000000000400 EFER=0000000000000d01 FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80 FPR0=0000000000000000 0000 FPR1=0000000000000000 0000 FPR2=0000000000000000 0000 FPR3=0000000000000000 0000 FPR4=0000000000000000 0000 FPR5=0000000000000000 0000 FPR6=0000000000000000 0000 FPR7=0000000000000000 0000 XMM00=756e696c2d34365f3638782f62696c2f XMM01=00362e6f732e6362696c2f756e672d78 XMM02=ffff0000000000ffffffffffffffffff XMM03=ffffffffffffffffffffffffffffffff XMM04=00000000000000000000000000000000 XMM05=00000000000000000000000000000000 XMM06=00000000000000000000000000000000 XMM07=00000000000000000000000000000000 XMM08=00000000000000000000000000000000 XMM09=00000000000000000000000000000000 XMM10=00000000000000000000000000000000 XMM11=00000000000000000000000000000000 XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000 XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000