======================================================
WARNING: possible circular locking dependency detected
5.10.214 #1 Not tainted
------------------------------------------------------
syz-executor.3/780102 is trying to acquire lock:
ffff88800eae4b78 ((work_completion)(&hdev->bg_scan_update)){+.+.}-{0:0}, at: __flush_work+0xdd/0xa90 kernel/workqueue.c:3050

but task is already holding lock:
ffffffff8561a8c8 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0xff/0x4b0 net/rfkill/core.c:1232

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #4 (rfkill_global_mutex){+.+.}-{3:3}:
       __mutex_lock_common kernel/locking/mutex.c:968 [inline]
       __mutex_lock+0x13d/0x10b0 kernel/locking/mutex.c:1109
       rfkill_register+0x36/0xa10 net/rfkill/core.c:1016
       hci_register_dev+0x42e/0xc00 net/bluetooth/hci_core.c:3774
       __vhci_create_device+0x2c8/0x5c0 drivers/bluetooth/hci_vhci.c:129
       vhci_create_device drivers/bluetooth/hci_vhci.c:153 [inline]
       vhci_open_timeout+0x38/0x50 drivers/bluetooth/hci_vhci.c:310
       process_one_work+0x9a9/0x14b0 kernel/workqueue.c:2282
       worker_thread+0x61d/0x1310 kernel/workqueue.c:2428
       kthread+0x38f/0x470 kernel/kthread.c:313
       ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:299

-> #3 (&data->open_mutex){+.+.}-{3:3}:
       __mutex_lock_common kernel/locking/mutex.c:968 [inline]
       __mutex_lock+0x13d/0x10b0 kernel/locking/mutex.c:1109
       vhci_send_frame+0x63/0xa0 drivers/bluetooth/hci_vhci.c:71
       hci_send_frame+0x1b9/0x320 net/bluetooth/hci_core.c:4061
       hci_sched_acl_pkt net/bluetooth/hci_core.c:4586 [inline]
       hci_sched_acl net/bluetooth/hci_core.c:4671 [inline]
       hci_tx_work+0x10af/0x1660 net/bluetooth/hci_core.c:4742
       process_one_work+0x9a9/0x14b0 kernel/workqueue.c:2282
       worker_thread+0x61d/0x1310 kernel/workqueue.c:2428
       kthread+0x38f/0x470 kernel/kthread.c:313
       ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:299

-> #2 ((work_completion)(&hdev->tx_work)){+.+.}-{0:0}:
       __flush_work+0x105/0xa90 kernel/workqueue.c:3053
       hci_dev_do_close+0x131/0x1240 net/bluetooth/hci_core.c:1745
       hci_dev_close+0x175/0x1d0 net/bluetooth/hci_core.c:1865
       hci_sock_ioctl+0x288/0x980 net/bluetooth/hci_sock.c:1067
       sock_do_ioctl+0xd3/0x300 net/socket.c:1066
       sock_ioctl+0x3ea/0x700 net/socket.c:1206
       vfs_ioctl fs/ioctl.c:48 [inline]
       __do_sys_ioctl fs/ioctl.c:753 [inline]
       __se_sys_ioctl fs/ioctl.c:739 [inline]
       __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739
       do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x62/0xc7

-> #1 (&hdev->req_lock){+.+.}-{3:3}:
       __mutex_lock_common kernel/locking/mutex.c:968 [inline]
       __mutex_lock+0x13d/0x10b0 kernel/locking/mutex.c:1109
       hci_req_sync net/bluetooth/hci_request.c:275 [inline]
       bg_scan_update+0x82/0x500 net/bluetooth/hci_request.c:2895
       process_one_work+0x9a9/0x14b0 kernel/workqueue.c:2282
       worker_thread+0x61d/0x1310 kernel/workqueue.c:2428
       kthread+0x38f/0x470 kernel/kthread.c:313
       ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:299

-> #0 ((work_completion)(&hdev->bg_scan_update)){+.+.}-{0:0}:
       check_prev_add kernel/locking/lockdep.c:2988 [inline]
       check_prevs_add kernel/locking/lockdep.c:3113 [inline]
       validate_chain kernel/locking/lockdep.c:3729 [inline]
       __lock_acquire+0x29e7/0x5b00 kernel/locking/lockdep.c:4955
       lock_acquire kernel/locking/lockdep.c:5566 [inline]
       lock_acquire+0x197/0x470 kernel/locking/lockdep.c:5531
       __flush_work+0x105/0xa90 kernel/workqueue.c:3053
       __cancel_work_timer+0x368/0x4c0 kernel/workqueue.c:3144
       hci_request_cancel_all+0x73/0x230 net/bluetooth/hci_request.c:3438
       hci_dev_do_close+0xd9/0x1240 net/bluetooth/hci_core.c:1733
       hci_rfkill_set_block+0x166/0x1a0 net/bluetooth/hci_core.c:2223
       rfkill_set_block+0x1fd/0x540 net/rfkill/core.c:341
       rfkill_fop_write+0x253/0x4b0 net/rfkill/core.c:1240
       vfs_write+0x29a/0xa70 fs/read_write.c:603
       ksys_write+0x1f6/0x260 fs/read_write.c:658
       do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x62/0xc7

other info that might help us debug this:

Chain exists of:
  (work_completion)(&hdev->bg_scan_update) --> &data->open_mutex --> rfkill_global_mutex

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(rfkill_global_mutex);
                               lock(&data->open_mutex);
                               lock(rfkill_global_mutex);
  lock((work_completion)(&hdev->bg_scan_update));

 *** DEADLOCK ***

1 lock held by syz-executor.3/780102:
 #0: ffffffff8561a8c8 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0xff/0x4b0 net/rfkill/core.c:1232

stack backtrace:
CPU: 1 PID: 780102 Comm: syz-executor.3 Not tainted 5.10.214 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x167 lib/dump_stack.c:118
 check_noncircular+0x263/0x2e0 kernel/locking/lockdep.c:2123
 check_prev_add kernel/locking/lockdep.c:2988 [inline]
 check_prevs_add kernel/locking/lockdep.c:3113 [inline]
 validate_chain kernel/locking/lockdep.c:3729 [inline]
 __lock_acquire+0x29e7/0x5b00 kernel/locking/lockdep.c:4955
 lock_acquire kernel/locking/lockdep.c:5566 [inline]
 lock_acquire+0x197/0x470 kernel/locking/lockdep.c:5531
 __flush_work+0x105/0xa90 kernel/workqueue.c:3053
 __cancel_work_timer+0x368/0x4c0 kernel/workqueue.c:3144
 hci_request_cancel_all+0x73/0x230 net/bluetooth/hci_request.c:3438
 hci_dev_do_close+0xd9/0x1240 net/bluetooth/hci_core.c:1733
 hci_rfkill_set_block+0x166/0x1a0 net/bluetooth/hci_core.c:2223
 rfkill_set_block+0x1fd/0x540 net/rfkill/core.c:341
 rfkill_fop_write+0x253/0x4b0 net/rfkill/core.c:1240
 vfs_write+0x29a/0xa70 fs/read_write.c:603
 ksys_write+0x1f6/0x260 fs/read_write.c:658
 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x62/0xc7
RIP: 0033:0x7f117d516b19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f117aa8c188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f117d629f60 RCX: 00007f117d516b19
RDX: 0000000000000008 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00007f117d570f6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffec9dffc2f R14: 00007f117aa8c300 R15: 0000000000022000
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.7'.
ieee80211 phy349: Selected rate control algorithm 'minstrel_ht'
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.6'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.6'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.6'.
selinux_netlink_send: 182 callbacks suppressed
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=35144 sclass=netlink_audit_socket pid=781258 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=34247 sclass=netlink_audit_socket pid=781258 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=53893 sclass=netlink_audit_socket pid=781258 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=53481 sclass=netlink_audit_socket pid=781258 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=35656 sclass=netlink_audit_socket pid=781258 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pid=781258 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=33608 sclass=netlink_audit_socket pid=781258 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=35140 sclass=netlink_audit_socket pid=781258 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=17 sclass=netlink_audit_socket pid=781258 comm=syz-executor.1
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=21 sclass=netlink_audit_socket pid=781258 comm=syz-executor.1
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.6'.
blktrace: Concurrent blktraces are not allowed on loop4
ieee80211 phy350: Selected rate control algorithm 'minstrel_ht'
blktrace: Concurrent blktraces are not allowed on loop4
ieee80211 phy351: Selected rate control algorithm 'minstrel_ht'
blktrace: Concurrent blktraces are not allowed on loop4
ieee80211 phy352: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy353: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy354: Selected rate control algorithm 'minstrel_ht'
ieee80211 phy355: Selected rate control algorithm 'minstrel_ht'
PM: hibernation: Marking nosave pages: [mem 0x00000000-0x00000fff]
PM: hibernation: Marking nosave pages: [mem 0x0009f000-0x000fffff]
PM: hibernation: Basic memory bitmaps created
PM: hibernation: Basic memory bitmaps freed
PM: hibernation: Marking nosave pages: [mem 0x00000000-0x00000fff]
PM: hibernation: Marking nosave pages: [mem 0x0009f000-0x000fffff]
PM: hibernation: Basic memory bitmaps created
PM: hibernation: Basic memory bitmaps freed
PM: hibernation: Marking nosave pages: [mem 0x00000000-0x00000fff]
PM: hibernation: Marking nosave pages: [mem 0x0009f000-0x000fffff]
PM: hibernation: Basic memory bitmaps created
PM: hibernation: Basic memory bitmaps freed
kauditd_printk_skb: 53 callbacks suppressed
audit: type=1326 audit(1712593422.800:3938): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=785828 comm="syz-executor.7" exe="/syz-executor.7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f4371a2db19 code=0x7ffc0000
audit: type=1326 audit(1712593422.808:3939): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=785828 comm="syz-executor.7" exe="/syz-executor.7" sig=0 arch=c000003e syscall=163 compat=0 ip=0x7f4371a2db19 code=0x7ffc0000
audit: type=1326 audit(1712593422.893:3940): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=785828 comm="syz-executor.7" exe="/syz-executor.7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f4371a2db19 code=0x7ffc0000
audit: type=1326 audit(1712593422.893:3941): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=785828 comm="syz-executor.7" exe="/syz-executor.7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f4371a2db19 code=0x7ffc0000
audit: type=1326 audit(1712593422.898:3942): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=785828 comm="syz-executor.7" exe="/syz-executor.7" sig=0 arch=c000003e syscall=317 compat=0 ip=0x7f4371a2db19 code=0x7ffc0000
audit: type=1326 audit(1712593422.898:3943): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=785828 comm="syz-executor.7" exe="/syz-executor.7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f4371a2db19 code=0x7ffc0000
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
audit: type=1326 audit(1712593423.859:3944): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=787841 comm="syz-executor.7" exe="/syz-executor.7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f4371a2db19 code=0x7ffc0000
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
audit: type=1326 audit(1712593423.866:3945): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=787841 comm="syz-executor.7" exe="/syz-executor.7" sig=0 arch=c000003e syscall=163 compat=0 ip=0x7f4371a2db19 code=0x7ffc0000
audit: type=1326 audit(1712593423.866:3946): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=787841 comm="syz-executor.7" exe="/syz-executor.7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f4371a2db19 code=0x7ffc0000
audit: type=1326 audit(1712593424.144:3947): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=788026 comm="syz-executor.7" exe="/syz-executor.7" sig=0 arch=c000003e syscall=202 compat=0 ip=0x7f4371a2db19 code=0x7ffc0000
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
Process accounting resumed
Process accounting resumed
Process accounting resumed