====================================================== WARNING: possible circular locking dependency detected 5.10.205 #1 Not tainted ------------------------------------------------------ syz-executor.2/203399 is trying to acquire lock: ffff88800d168b78 ((work_completion)(&hdev->bg_scan_update)){+.+.}-{0:0}, at: __flush_work+0xdd/0xa90 kernel/workqueue.c:3050 but task is already holding lock: ffffffff85619628 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0xff/0x4b0 net/rfkill/core.c:1232 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #4 (rfkill_global_mutex){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:968 [inline] __mutex_lock+0x13d/0x10b0 kernel/locking/mutex.c:1109 rfkill_register+0x36/0xa10 net/rfkill/core.c:1016 hci_register_dev+0x42e/0xc00 net/bluetooth/hci_core.c:3773 __vhci_create_device+0x2c8/0x5c0 drivers/bluetooth/hci_vhci.c:129 vhci_create_device drivers/bluetooth/hci_vhci.c:153 [inline] vhci_open_timeout+0x38/0x50 drivers/bluetooth/hci_vhci.c:310 process_one_work+0x9a9/0x14b0 kernel/workqueue.c:2282 worker_thread+0x61d/0x1310 kernel/workqueue.c:2428 kthread+0x38f/0x470 kernel/kthread.c:313 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:299 -> #3 (&data->open_mutex){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:968 [inline] __mutex_lock+0x13d/0x10b0 kernel/locking/mutex.c:1109 vhci_send_frame+0x63/0xa0 drivers/bluetooth/hci_vhci.c:71 hci_send_frame+0x1b9/0x320 net/bluetooth/hci_core.c:4060 hci_sched_acl_pkt net/bluetooth/hci_core.c:4585 [inline] hci_sched_acl net/bluetooth/hci_core.c:4670 [inline] hci_tx_work+0x10af/0x1660 net/bluetooth/hci_core.c:4741 process_one_work+0x9a9/0x14b0 kernel/workqueue.c:2282 worker_thread+0x61d/0x1310 kernel/workqueue.c:2428 kthread+0x38f/0x470 kernel/kthread.c:313 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:299 -> #2 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}: __flush_work+0x105/0xa90 kernel/workqueue.c:3053 hci_dev_do_close+0x131/0x1240 net/bluetooth/hci_core.c:1745 hci_dev_close+0x175/0x1d0 net/bluetooth/hci_core.c:1865 hci_sock_ioctl+0x288/0x980 net/bluetooth/hci_sock.c:1067 sock_do_ioctl+0xd3/0x300 net/socket.c:1064 sock_ioctl+0x3ea/0x700 net/socket.c:1204 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x62/0xc7 -> #1 (&hdev->req_lock){+.+.}-{3:3}: __mutex_lock_common kernel/locking/mutex.c:968 [inline] __mutex_lock+0x13d/0x10b0 kernel/locking/mutex.c:1109 hci_req_sync net/bluetooth/hci_request.c:275 [inline] bg_scan_update+0x82/0x500 net/bluetooth/hci_request.c:2895 process_one_work+0x9a9/0x14b0 kernel/workqueue.c:2282 worker_thread+0x61d/0x1310 kernel/workqueue.c:2428 kthread+0x38f/0x470 kernel/kthread.c:313 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:299 -> #0 ((work_completion)(&hdev->bg_scan_update)){+.+.}-{0:0}: check_prev_add kernel/locking/lockdep.c:2988 [inline] check_prevs_add kernel/locking/lockdep.c:3113 [inline] validate_chain kernel/locking/lockdep.c:3729 [inline] __lock_acquire+0x29e7/0x5b00 kernel/locking/lockdep.c:4955 lock_acquire kernel/locking/lockdep.c:5566 [inline] lock_acquire+0x197/0x470 kernel/locking/lockdep.c:5531 __flush_work+0x105/0xa90 kernel/workqueue.c:3053 __cancel_work_timer+0x368/0x4c0 kernel/workqueue.c:3144 hci_request_cancel_all+0x73/0x230 net/bluetooth/hci_request.c:3438 hci_dev_do_close+0xd9/0x1240 net/bluetooth/hci_core.c:1733 hci_rfkill_set_block+0x166/0x1a0 net/bluetooth/hci_core.c:2223 rfkill_set_block+0x1fd/0x540 net/rfkill/core.c:341 rfkill_fop_write+0x253/0x4b0 net/rfkill/core.c:1240 vfs_write+0x29a/0xa70 fs/read_write.c:603 ksys_write+0x1f6/0x260 fs/read_write.c:658 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x62/0xc7 other info that might help us debug this: Chain exists of: (work_completion)(&hdev->bg_scan_update) --> &data->open_mutex --> rfkill_global_mutex Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(rfkill_global_mutex); lock(&data->open_mutex); lock(rfkill_global_mutex); lock((work_completion)(&hdev->bg_scan_update)); *** DEADLOCK *** 1 lock held by syz-executor.2/203399: #0: ffffffff85619628 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0xff/0x4b0 net/rfkill/core.c:1232 stack backtrace: CPU: 0 PID: 203399 Comm: syz-executor.2 Not tainted 5.10.205 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x107/0x167 lib/dump_stack.c:118 check_noncircular+0x263/0x2e0 kernel/locking/lockdep.c:2123 check_prev_add kernel/locking/lockdep.c:2988 [inline] check_prevs_add kernel/locking/lockdep.c:3113 [inline] validate_chain kernel/locking/lockdep.c:3729 [inline] __lock_acquire+0x29e7/0x5b00 kernel/locking/lockdep.c:4955 lock_acquire kernel/locking/lockdep.c:5566 [inline] lock_acquire+0x197/0x470 kernel/locking/lockdep.c:5531 __flush_work+0x105/0xa90 kernel/workqueue.c:3053 __cancel_work_timer+0x368/0x4c0 kernel/workqueue.c:3144 hci_request_cancel_all+0x73/0x230 net/bluetooth/hci_request.c:3438 hci_dev_do_close+0xd9/0x1240 net/bluetooth/hci_core.c:1733 hci_rfkill_set_block+0x166/0x1a0 net/bluetooth/hci_core.c:2223 rfkill_set_block+0x1fd/0x540 net/rfkill/core.c:341 rfkill_fop_write+0x253/0x4b0 net/rfkill/core.c:1240 vfs_write+0x29a/0xa70 fs/read_write.c:603 ksys_write+0x1f6/0x260 fs/read_write.c:658 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x62/0xc7 RIP: 0033:0x7fb88bc71b19 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fb8891e7188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fb88bd84f60 RCX: 00007fb88bc71b19 RDX: 0000000000000008 RSI: 00000000200000c0 RDI: 0000000000000004 RBP: 00007fb88bccbf6d R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffe47e76fcf R14: 00007fb8891e7300 R15: 0000000000022000 Module has invalid ELF structures Module has invalid ELF structures Module has invalid ELF structures Module has invalid ELF structures Module has invalid ELF structures Module has invalid ELF structures Module has invalid ELF structures netlink: 12 bytes leftover after parsing attributes in process `syz-executor.5'. netlink: 12 bytes leftover after parsing attributes in process `syz-executor.5'. netlink: 12 bytes leftover after parsing attributes in process `syz-executor.5'. netlink: 12 bytes leftover after parsing attributes in process `syz-executor.5'. TCP: request_sock_TCP: Possible SYN flooding on port 20000. Sending cookies. Check SNMP counters. kauditd_printk_skb: 7 callbacks suppressed audit: type=1326 audit(625.022:1160): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=209445 comm="syz-executor.6" exe="/syz-executor.6" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f57b81c5b19 code=0x7ffc0000 audit: type=1326 audit(625.029:1161): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=209445 comm="syz-executor.6" exe="/syz-executor.6" sig=0 arch=c000003e syscall=11 compat=0 ip=0x7f57b81c5b19 code=0x7ffc0000 audit: type=1326 audit(625.032:1162): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=209445 comm="syz-executor.6" exe="/syz-executor.6" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f57b81c5b19 code=0x7ffc0000 audit: type=1326 audit(625.035:1163): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=209445 comm="syz-executor.6" exe="/syz-executor.6" sig=0 arch=c000003e syscall=317 compat=0 ip=0x7f57b81c5b19 code=0x7ffc0000 audit: type=1326 audit(625.035:1164): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=209445 comm="syz-executor.6" exe="/syz-executor.6" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f57b81c5b19 code=0x7ffc0000 TCP: request_sock_TCP: Possible SYN flooding on port 20000. Sending cookies. Check SNMP counters. TCP: request_sock_TCP: Possible SYN flooding on port 20000. Sending cookies. Check SNMP counters. TCP: request_sock_TCP: Possible SYN flooding on port 20000. Sending cookies. Check SNMP counters. TCP: request_sock_TCP: Possible SYN flooding on port 20000. Sending cookies. Check SNMP counters. TCP: request_sock_TCP: Possible SYN flooding on port 20000. Sending cookies. Check SNMP counters. TCP: request_sock_TCP: Possible SYN flooding on port 20000. Sending cookies. Check SNMP counters. netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'. ieee80211 phy102: Selected rate control algorithm 'minstrel_ht' ieee80211 phy103: Selected rate control algorithm 'minstrel_ht' ieee80211 phy104: Selected rate control algorithm 'minstrel_ht' ieee80211 phy105: Selected rate control algorithm 'minstrel_ht' ieee80211 phy106: Selected rate control algorithm 'minstrel_ht' ieee80211 phy107: Selected rate control algorithm 'minstrel_ht' ieee80211 phy108: Selected rate control algorithm 'minstrel_ht' rfkill: input handler disabled rfkill: input handler enabled mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium netlink: 'syz-executor.2': attribute type 28 has an invalid length. mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium netlink: 'syz-executor.2': attribute type 28 has an invalid length. netlink: 'syz-executor.2': attribute type 28 has an invalid length. netlink: 'syz-executor.2': attribute type 28 has an invalid length. mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium netlink: 20 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 20 bytes leftover after parsing attributes in process `syz-executor.2'.