[syzbot] [kernfs?] possible deadlock in kernfs_find_and_get_ns
2 views
Skip to first unread message
syzbot
Jan 7, 2026, 1:28:23āÆPMĀ (2 days ago)Ā Jan 7
to gre...@linuxfoundation.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, t...@kernel.org
Hello,
syzbot found the following issue on:
HEAD commit: 805f9a061372 Merge tag 'perf-tools-fixes-for-v6.19-2026-01..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10efffb4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=8bfa57a8c0ab3aa8
dashboard link: https://syzkaller.appspot.com/bug?extid=e357099a1af26daeee17
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fae9f657d73f/disk-805f9a06.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a4cdccd44a08/vmlinux-805f9a06.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5c1c9c290d06/bzImage-805f9a06.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e35709...@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Tainted: G L
------------------------------------------------------
kworker/u9:1/19169 is trying to acquire lock:
ffff888140460188 (&root->kernfs_rwsem){++++}-{4:4}, at: kernfs_find_and_get_ns+0x2f/0x70 fs/kernfs/dir.c:938
but task is already holding lock:
ffffffff8f2d0e08 (dev_pm_qos_sysfs_mtx){+.+.}-{4:4}, at: dev_pm_qos_constraints_destroy+0x28/0x780 drivers/base/power/qos.c:254
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #10 (dev_pm_qos_sysfs_mtx){+.+.}-{4:4}:
__mutex_lock_common kernel/locking/mutex.c:614 [inline]
__mutex_lock+0x1aa/0x1ca0 kernel/locking/mutex.c:776
dev_pm_qos_constraints_destroy+0x28/0x780 drivers/base/power/qos.c:254
dpm_sysfs_remove+0x70/0xb0 drivers/base/power/sysfs.c:831
device_del+0x1a0/0x9f0 drivers/base/core.c:3853
device_unregister+0x1d/0xe0 drivers/base/core.c:3919
mce_device_remove arch/x86/kernel/cpu/mce/core.c:2748 [inline]
mce_cpu_pre_down+0x326/0x640 arch/x86/kernel/cpu/mce/core.c:2809
cpuhp_invoke_callback+0x3d5/0xa10 kernel/cpu.c:195
cpuhp_thread_fun+0x47e/0x6f0 kernel/cpu.c:1105
smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
-> #9 (cpuhp_state-down){+.+.}-{0:0}:
cpuhp_lock_acquire kernel/cpu.c:104 [inline]
cpuhp_kick_ap_work+0xa4/0xbd0 kernel/cpu.c:1184
_cpu_down+0x37b/0xf40 kernel/cpu.c:1422
__cpu_down_maps_locked+0x6c/0x90 kernel/cpu.c:1468
work_for_cpu_fn+0x55/0xa0 kernel/workqueue.c:6770
process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
-> #8 (cpu_hotplug_lock){++++}-{0:0}:
percpu_down_read_internal include/linux/percpu-rwsem.h:53 [inline]
percpu_down_read include/linux/percpu-rwsem.h:77 [inline]
cpus_read_lock+0x42/0x160 kernel/cpu.c:491
static_key_slow_inc+0x12/0x30 kernel/jump_label.c:190
udp_tunnel_encap_enable include/net/udp_tunnel.h:203 [inline]
setup_udp_tunnel_sock+0x39b/0x680 net/ipv4/udp_tunnel_core.c:92
l2tp_tunnel_register+0x9c8/0xbb0 net/l2tp/l2tp_core.c:1679
pppol2tp_tunnel_get.constprop.0+0x3f0/0x540 net/l2tp/l2tp_ppp.c:662
pppol2tp_connect+0xb1b/0x1ce0 net/l2tp/l2tp_ppp.c:710
__sys_connect_file+0x141/0x1a0 net/socket.c:2089
__sys_connect+0x13b/0x160 net/socket.c:2108
__do_sys_connect net/socket.c:2114 [inline]
__se_sys_connect net/socket.c:2111 [inline]
__x64_sys_connect+0x72/0xb0 net/socket.c:2111
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #7 (sk_lock-AF_INET){+.+.}-{0:0}:
lock_sock_nested+0x41/0xf0 net/core/sock.c:3780
lock_sock include/net/sock.h:1700 [inline]
inet_shutdown+0x67/0x440 net/ipv4/af_inet.c:913
nbd_mark_nsock_dead+0xae/0x5d0 drivers/block/nbd.c:318
recv_work+0x66b/0xa70 drivers/block/nbd.c:1021
process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
-> #6 (&nsock->tx_lock){+.+.}-{4:4}:
__mutex_lock_common kernel/locking/mutex.c:614 [inline]
__mutex_lock+0x1aa/0x1ca0 kernel/locking/mutex.c:776
nbd_handle_cmd drivers/block/nbd.c:1143 [inline]
nbd_queue_rq+0x423/0x12d0 drivers/block/nbd.c:1207
blk_mq_dispatch_rq_list+0x416/0x1e20 block/blk-mq.c:2138
__blk_mq_do_dispatch_sched block/blk-mq-sched.c:168 [inline]
blk_mq_do_dispatch_sched block/blk-mq-sched.c:182 [inline]
__blk_mq_sched_dispatch_requests+0xcbd/0x15f0 block/blk-mq-sched.c:307
blk_mq_sched_dispatch_requests+0xd8/0x1b0 block/blk-mq-sched.c:329
blk_mq_run_hw_queue+0x239/0x670 block/blk-mq.c:2376
blk_mq_dispatch_list+0x514/0x1300 block/blk-mq.c:2939
blk_mq_flush_plug_list block/blk-mq.c:2987 [inline]
blk_mq_flush_plug_list+0x130/0x600 block/blk-mq.c:2959
__blk_flush_plug+0x2c4/0x4b0 block/blk-core.c:1225
blk_finish_plug block/blk-core.c:1252 [inline]
blk_finish_plug block/blk-core.c:1249 [inline]
__submit_bio+0x542/0x690 block/blk-core.c:651
__submit_bio_noacct_mq block/blk-core.c:724 [inline]
submit_bio_noacct_nocheck+0x53d/0xbe0 block/blk-core.c:755
submit_bio_noacct+0x5bd/0x1f40 block/blk-core.c:879
submit_bh fs/buffer.c:2829 [inline]
block_read_full_folio+0x4db/0x850 fs/buffer.c:2461
filemap_read_folio+0xc8/0x2a0 mm/filemap.c:2496
do_read_cache_folio+0x266/0x5c0 mm/filemap.c:4096
read_mapping_folio include/linux/pagemap.h:1017 [inline]
read_part_sector+0xd4/0x370 block/partitions/core.c:722
adfspart_check_ICS+0x93/0x940 block/partitions/acorn.c:360
check_partition block/partitions/core.c:141 [inline]
blk_add_partitions block/partitions/core.c:589 [inline]
bdev_disk_changed+0x723/0x1520 block/partitions/core.c:693
blkdev_get_whole+0x187/0x290 block/bdev.c:765
bdev_open+0x2c7/0xe40 block/bdev.c:974
blkdev_open+0x34e/0x4f0 block/fops.c:698
do_dentry_open+0x748/0x1590 fs/open.c:962
vfs_open+0x82/0x3f0 fs/open.c:1094
do_open fs/namei.c:4628 [inline]
path_openat+0x2078/0x3140 fs/namei.c:4787
do_filp_open+0x20b/0x470 fs/namei.c:4814
do_sys_openat2+0x121/0x290 fs/open.c:1430
do_sys_open fs/open.c:1436 [inline]
__do_sys_openat fs/open.c:1452 [inline]
__se_sys_openat fs/open.c:1447 [inline]
__x64_sys_openat+0x174/0x210 fs/open.c:1447
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #5 (&cmd->lock){+.+.}-{4:4}:
__mutex_lock_common kernel/locking/mutex.c:614 [inline]
__mutex_lock+0x1aa/0x1ca0 kernel/locking/mutex.c:776
nbd_queue_rq+0xbd/0x12d0 drivers/block/nbd.c:1199
blk_mq_dispatch_rq_list+0x416/0x1e20 block/blk-mq.c:2138
__blk_mq_do_dispatch_sched block/blk-mq-sched.c:168 [inline]
blk_mq_do_dispatch_sched block/blk-mq-sched.c:182 [inline]
__blk_mq_sched_dispatch_requests+0xcbd/0x15f0 block/blk-mq-sched.c:307
blk_mq_sched_dispatch_requests+0xd8/0x1b0 block/blk-mq-sched.c:329
blk_mq_run_hw_queue+0x239/0x670 block/blk-mq.c:2376
blk_mq_dispatch_list+0x514/0x1300 block/blk-mq.c:2939
blk_mq_flush_plug_list block/blk-mq.c:2987 [inline]
blk_mq_flush_plug_list+0x130/0x600 block/blk-mq.c:2959
__blk_flush_plug+0x2c4/0x4b0 block/blk-core.c:1225
blk_finish_plug block/blk-core.c:1252 [inline]
blk_finish_plug block/blk-core.c:1249 [inline]
__submit_bio+0x542/0x690 block/blk-core.c:651
__submit_bio_noacct_mq block/blk-core.c:724 [inline]
submit_bio_noacct_nocheck+0x53d/0xbe0 block/blk-core.c:755
submit_bio_noacct+0x5bd/0x1f40 block/blk-core.c:879
submit_bh fs/buffer.c:2829 [inline]
block_read_full_folio+0x4db/0x850 fs/buffer.c:2461
filemap_read_folio+0xc8/0x2a0 mm/filemap.c:2496
do_read_cache_folio+0x266/0x5c0 mm/filemap.c:4096
read_mapping_folio include/linux/pagemap.h:1017 [inline]
read_part_sector+0xd4/0x370 block/partitions/core.c:722
adfspart_check_ICS+0x93/0x940 block/partitions/acorn.c:360
check_partition block/partitions/core.c:141 [inline]
blk_add_partitions block/partitions/core.c:589 [inline]
bdev_disk_changed+0x723/0x1520 block/partitions/core.c:693
blkdev_get_whole+0x187/0x290 block/bdev.c:765
bdev_open+0x2c7/0xe40 block/bdev.c:974
blkdev_open+0x34e/0x4f0 block/fops.c:698
do_dentry_open+0x748/0x1590 fs/open.c:962
vfs_open+0x82/0x3f0 fs/open.c:1094
do_open fs/namei.c:4628 [inline]
path_openat+0x2078/0x3140 fs/namei.c:4787
do_filp_open+0x20b/0x470 fs/namei.c:4814
do_sys_openat2+0x121/0x290 fs/open.c:1430
do_sys_open fs/open.c:1436 [inline]
__do_sys_openat fs/open.c:1452 [inline]
__se_sys_openat fs/open.c:1447 [inline]
__x64_sys_openat+0x174/0x210 fs/open.c:1447
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #4 (set->srcu){.+.+}-{0:0}:
srcu_lock_sync include/linux/srcu.h:197 [inline]
__synchronize_srcu+0xa2/0x250 kernel/rcu/srcutree.c:1503
blk_mq_wait_quiesce_done block/blk-mq.c:284 [inline]
blk_mq_wait_quiesce_done block/blk-mq.c:281 [inline]
blk_mq_quiesce_queue block/blk-mq.c:304 [inline]
blk_mq_quiesce_queue+0x149/0x1b0 block/blk-mq.c:299
elevator_switch+0x17d/0x7f0 block/elevator.c:576
elevator_change+0x38b/0x570 block/elevator.c:680
elevator_set_default+0x2d2/0x390 block/elevator.c:753
blk_register_queue+0x384/0x4e0 block/blk-sysfs.c:932
__add_disk+0x74a/0xf00 block/genhd.c:528
add_disk_fwnode+0x13f/0x5d0 block/genhd.c:597
add_disk include/linux/blkdev.h:785 [inline]
nbd_dev_add+0x783/0xbb0 drivers/block/nbd.c:1984
nbd_init+0x181/0x320 drivers/block/nbd.c:2692
do_one_initcall+0x123/0x680 init/main.c:1378
do_initcall_level init/main.c:1440 [inline]
do_initcalls init/main.c:1456 [inline]
do_basic_setup init/main.c:1475 [inline]
kernel_init_freeable+0x5c8/0x920 init/main.c:1688
kernel_init+0x1c/0x2b0 init/main.c:1578
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
-> #3 (&q->elevator_lock){+.+.}-{4:4}:
__mutex_lock_common kernel/locking/mutex.c:614 [inline]
__mutex_lock+0x1aa/0x1ca0 kernel/locking/mutex.c:776
elevator_change+0x1ed/0x570 block/elevator.c:678
elv_iosched_store+0x3e8/0x4a0 block/elevator.c:811
queue_attr_store+0x26b/0x310 block/blk-sysfs.c:859
sysfs_kf_write+0xf2/0x150 fs/sysfs/file.c:142
kernfs_fop_write_iter+0x3af/0x570 fs/kernfs/file.c:352
iter_file_splice_write+0xa24/0x12b0 fs/splice.c:738
do_splice_from fs/splice.c:938 [inline]
direct_splice_actor+0x192/0x6c0 fs/splice.c:1161
splice_direct_to_actor+0x345/0xa30 fs/splice.c:1105
do_splice_direct_actor fs/splice.c:1204 [inline]
do_splice_direct+0x174/0x240 fs/splice.c:1230
do_sendfile+0xb06/0xe50 fs/read_write.c:1370
__do_sys_sendfile64 fs/read_write.c:1431 [inline]
__se_sys_sendfile64 fs/read_write.c:1417 [inline]
__x64_sys_sendfile64+0x1d8/0x220 fs/read_write.c:1417
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #2 (&q->q_usage_counter(io)#66){++++}-{0:0}:
blk_alloc_queue+0x610/0x750 block/blk-core.c:461
blk_mq_alloc_queue+0x172/0x280 block/blk-mq.c:4415
__blk_mq_alloc_disk+0x29/0x120 block/blk-mq.c:4462
null_add_dev+0xf2e/0x1eb0 drivers/block/null_blk/main.c:1999
null_create_dev drivers/block/null_blk/main.c:2097 [inline]
null_init+0x2c9/0x610 drivers/block/null_blk/main.c:2169
do_one_initcall+0x123/0x680 init/main.c:1378
do_initcall_level init/main.c:1440 [inline]
do_initcalls init/main.c:1456 [inline]
do_basic_setup init/main.c:1475 [inline]
kernel_init_freeable+0x5c8/0x920 init/main.c:1688
kernel_init+0x1c/0x2b0 init/main.c:1578
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
-> #1 (fs_reclaim){+.+.}-{0:0}:
__fs_reclaim_acquire mm/page_alloc.c:4301 [inline]
fs_reclaim_acquire+0x102/0x150 mm/page_alloc.c:4315
might_alloc include/linux/sched/mm.h:317 [inline]
slab_pre_alloc_hook mm/slub.c:4904 [inline]
slab_alloc_node mm/slub.c:5239 [inline]
kmem_cache_alloc_lru_noprof+0x5f/0x770 mm/slub.c:5282
alloc_inode+0xc3/0x240 fs/inode.c:348
iget_locked+0x1d9/0x6d0 fs/inode.c:1470
kernfs_get_inode+0x46/0x470 fs/kernfs/inode.c:253
kernfs_fill_super fs/kernfs/mount.c:308 [inline]
kernfs_get_tree+0x62a/0xb60 fs/kernfs/mount.c:392
sysfs_get_tree+0x41/0x140 fs/sysfs/mount.c:31
vfs_get_tree+0x8e/0x330 fs/super.c:1751
fc_mount fs/namespace.c:1199 [inline]
do_new_mount_fc fs/namespace.c:3636 [inline]
do_new_mount fs/namespace.c:3712 [inline]
path_mount+0x7bf/0x23a0 fs/namespace.c:4022
do_mount fs/namespace.c:4035 [inline]
__do_sys_mount fs/namespace.c:4224 [inline]
__se_sys_mount fs/namespace.c:4201 [inline]
__x64_sys_mount+0x293/0x310 fs/namespace.c:4201
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 (&root->kernfs_rwsem){++++}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x1669/0x2890 kernel/locking/lockdep.c:5237
lock_acquire kernel/locking/lockdep.c:5868 [inline]
lock_acquire+0x179/0x330 kernel/locking/lockdep.c:5825
down_read+0x9b/0x460 kernel/locking/rwsem.c:1537
kernfs_find_and_get_ns+0x2f/0x70 fs/kernfs/dir.c:938
kernfs_find_and_get include/linux/kernfs.h:612 [inline]
sysfs_unmerge_group+0x61/0x170 fs/sysfs/group.c:405
dev_pm_qos_constraints_destroy+0x30/0x780 drivers/base/power/qos.c:260
dpm_sysfs_remove+0x70/0xb0 drivers/base/power/sysfs.c:831
device_del+0x1a0/0x9f0 drivers/base/core.c:3853
device_unregister+0x1d/0xe0 drivers/base/core.c:3919
hci_conn_del_sysfs+0xdd/0x1a0 net/bluetooth/hci_sysfs.c:79
hci_conn_cleanup net/bluetooth/hci_conn.c:173 [inline]
hci_conn_del+0x680/0x11d0 net/bluetooth/hci_conn.c:1234
hci_abort_conn_sync+0x76a/0xb20 net/bluetooth/hci_sync.c:5721
abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2962
hci_cmd_sync_work+0x1ab/0x470 net/bluetooth/hci_sync.c:332
process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
other info that might help us debug this:
Chain exists of:
&root->kernfs_rwsem --> cpuhp_state-down --> dev_pm_qos_sysfs_mtx
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(dev_pm_qos_sysfs_mtx);
lock(cpuhp_state-down);
lock(dev_pm_qos_sysfs_mtx);
rlock(&root->kernfs_rwsem);
*** DEADLOCK ***
5 locks held by kworker/u9:1/19169:
#0: ffff8880340a9948 ((wq_completion)hci1){+.+.}-{0:0}, at: process_one_work+0x128d/0x1b20 kernel/workqueue.c:3232
#1: ffffc9000459fc90 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x914/0x1b20 kernel/workqueue.c:3233
#2: ffff888076df4ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x175/0x470 net/bluetooth/hci_sync.c:331
#3: ffff888076df40c0 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x13f/0xb20 net/bluetooth/hci_sync.c:5702
#4: ffffffff8f2d0e08 (dev_pm_qos_sysfs_mtx){+.+.}-{4:4}, at: dev_pm_qos_constraints_destroy+0x28/0x780 drivers/base/power/qos.c:254
stack backtrace:
CPU: 0 UID: 0 PID: 19169 Comm: kworker/u9:1 Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: hci1 hci_cmd_sync_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_circular_bug+0x275/0x340 kernel/locking/lockdep.c:2043
check_noncircular+0x146/0x160 kernel/locking/lockdep.c:2175
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x1669/0x2890 kernel/locking/lockdep.c:5237
lock_acquire kernel/locking/lockdep.c:5868 [inline]
lock_acquire+0x179/0x330 kernel/locking/lockdep.c:5825
down_read+0x9b/0x460 kernel/locking/rwsem.c:1537
kernfs_find_and_get_ns+0x2f/0x70 fs/kernfs/dir.c:938
kernfs_find_and_get include/linux/kernfs.h:612 [inline]
sysfs_unmerge_group+0x61/0x170 fs/sysfs/group.c:405
dev_pm_qos_constraints_destroy+0x30/0x780 drivers/base/power/qos.c:260
dpm_sysfs_remove+0x70/0xb0 drivers/base/power/sysfs.c:831
device_del+0x1a0/0x9f0 drivers/base/core.c:3853
device_unregister+0x1d/0xe0 drivers/base/core.c:3919
hci_conn_del_sysfs+0xdd/0x1a0 net/bluetooth/hci_sysfs.c:79
hci_conn_cleanup net/bluetooth/hci_conn.c:173 [inline]
hci_conn_del+0x680/0x11d0 net/bluetooth/hci_conn.c:1234
hci_abort_conn_sync+0x76a/0xb20 net/bluetooth/hci_sync.c:5721
abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2962
hci_cmd_sync_work+0x1ab/0x470 net/bluetooth/hci_sync.c:332
process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 805f9a061372 Merge tag 'perf-tools-fixes-for-v6.19-2026-01..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10efffb4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=8bfa57a8c0ab3aa8
dashboard link: https://syzkaller.appspot.com/bug?extid=e357099a1af26daeee17
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fae9f657d73f/disk-805f9a06.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a4cdccd44a08/vmlinux-805f9a06.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5c1c9c290d06/bzImage-805f9a06.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e35709...@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Tainted: G L
------------------------------------------------------
kworker/u9:1/19169 is trying to acquire lock:
ffff888140460188 (&root->kernfs_rwsem){++++}-{4:4}, at: kernfs_find_and_get_ns+0x2f/0x70 fs/kernfs/dir.c:938
but task is already holding lock:
ffffffff8f2d0e08 (dev_pm_qos_sysfs_mtx){+.+.}-{4:4}, at: dev_pm_qos_constraints_destroy+0x28/0x780 drivers/base/power/qos.c:254
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #10 (dev_pm_qos_sysfs_mtx){+.+.}-{4:4}:
__mutex_lock_common kernel/locking/mutex.c:614 [inline]
__mutex_lock+0x1aa/0x1ca0 kernel/locking/mutex.c:776
dev_pm_qos_constraints_destroy+0x28/0x780 drivers/base/power/qos.c:254
dpm_sysfs_remove+0x70/0xb0 drivers/base/power/sysfs.c:831
device_del+0x1a0/0x9f0 drivers/base/core.c:3853
device_unregister+0x1d/0xe0 drivers/base/core.c:3919
mce_device_remove arch/x86/kernel/cpu/mce/core.c:2748 [inline]
mce_cpu_pre_down+0x326/0x640 arch/x86/kernel/cpu/mce/core.c:2809
cpuhp_invoke_callback+0x3d5/0xa10 kernel/cpu.c:195
cpuhp_thread_fun+0x47e/0x6f0 kernel/cpu.c:1105
smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
-> #9 (cpuhp_state-down){+.+.}-{0:0}:
cpuhp_lock_acquire kernel/cpu.c:104 [inline]
cpuhp_kick_ap_work+0xa4/0xbd0 kernel/cpu.c:1184
_cpu_down+0x37b/0xf40 kernel/cpu.c:1422
__cpu_down_maps_locked+0x6c/0x90 kernel/cpu.c:1468
work_for_cpu_fn+0x55/0xa0 kernel/workqueue.c:6770
process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
-> #8 (cpu_hotplug_lock){++++}-{0:0}:
percpu_down_read_internal include/linux/percpu-rwsem.h:53 [inline]
percpu_down_read include/linux/percpu-rwsem.h:77 [inline]
cpus_read_lock+0x42/0x160 kernel/cpu.c:491
static_key_slow_inc+0x12/0x30 kernel/jump_label.c:190
udp_tunnel_encap_enable include/net/udp_tunnel.h:203 [inline]
setup_udp_tunnel_sock+0x39b/0x680 net/ipv4/udp_tunnel_core.c:92
l2tp_tunnel_register+0x9c8/0xbb0 net/l2tp/l2tp_core.c:1679
pppol2tp_tunnel_get.constprop.0+0x3f0/0x540 net/l2tp/l2tp_ppp.c:662
pppol2tp_connect+0xb1b/0x1ce0 net/l2tp/l2tp_ppp.c:710
__sys_connect_file+0x141/0x1a0 net/socket.c:2089
__sys_connect+0x13b/0x160 net/socket.c:2108
__do_sys_connect net/socket.c:2114 [inline]
__se_sys_connect net/socket.c:2111 [inline]
__x64_sys_connect+0x72/0xb0 net/socket.c:2111
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #7 (sk_lock-AF_INET){+.+.}-{0:0}:
lock_sock_nested+0x41/0xf0 net/core/sock.c:3780
lock_sock include/net/sock.h:1700 [inline]
inet_shutdown+0x67/0x440 net/ipv4/af_inet.c:913
nbd_mark_nsock_dead+0xae/0x5d0 drivers/block/nbd.c:318
recv_work+0x66b/0xa70 drivers/block/nbd.c:1021
process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
-> #6 (&nsock->tx_lock){+.+.}-{4:4}:
__mutex_lock_common kernel/locking/mutex.c:614 [inline]
__mutex_lock+0x1aa/0x1ca0 kernel/locking/mutex.c:776
nbd_handle_cmd drivers/block/nbd.c:1143 [inline]
nbd_queue_rq+0x423/0x12d0 drivers/block/nbd.c:1207
blk_mq_dispatch_rq_list+0x416/0x1e20 block/blk-mq.c:2138
__blk_mq_do_dispatch_sched block/blk-mq-sched.c:168 [inline]
blk_mq_do_dispatch_sched block/blk-mq-sched.c:182 [inline]
__blk_mq_sched_dispatch_requests+0xcbd/0x15f0 block/blk-mq-sched.c:307
blk_mq_sched_dispatch_requests+0xd8/0x1b0 block/blk-mq-sched.c:329
blk_mq_run_hw_queue+0x239/0x670 block/blk-mq.c:2376
blk_mq_dispatch_list+0x514/0x1300 block/blk-mq.c:2939
blk_mq_flush_plug_list block/blk-mq.c:2987 [inline]
blk_mq_flush_plug_list+0x130/0x600 block/blk-mq.c:2959
__blk_flush_plug+0x2c4/0x4b0 block/blk-core.c:1225
blk_finish_plug block/blk-core.c:1252 [inline]
blk_finish_plug block/blk-core.c:1249 [inline]
__submit_bio+0x542/0x690 block/blk-core.c:651
__submit_bio_noacct_mq block/blk-core.c:724 [inline]
submit_bio_noacct_nocheck+0x53d/0xbe0 block/blk-core.c:755
submit_bio_noacct+0x5bd/0x1f40 block/blk-core.c:879
submit_bh fs/buffer.c:2829 [inline]
block_read_full_folio+0x4db/0x850 fs/buffer.c:2461
filemap_read_folio+0xc8/0x2a0 mm/filemap.c:2496
do_read_cache_folio+0x266/0x5c0 mm/filemap.c:4096
read_mapping_folio include/linux/pagemap.h:1017 [inline]
read_part_sector+0xd4/0x370 block/partitions/core.c:722
adfspart_check_ICS+0x93/0x940 block/partitions/acorn.c:360
check_partition block/partitions/core.c:141 [inline]
blk_add_partitions block/partitions/core.c:589 [inline]
bdev_disk_changed+0x723/0x1520 block/partitions/core.c:693
blkdev_get_whole+0x187/0x290 block/bdev.c:765
bdev_open+0x2c7/0xe40 block/bdev.c:974
blkdev_open+0x34e/0x4f0 block/fops.c:698
do_dentry_open+0x748/0x1590 fs/open.c:962
vfs_open+0x82/0x3f0 fs/open.c:1094
do_open fs/namei.c:4628 [inline]
path_openat+0x2078/0x3140 fs/namei.c:4787
do_filp_open+0x20b/0x470 fs/namei.c:4814
do_sys_openat2+0x121/0x290 fs/open.c:1430
do_sys_open fs/open.c:1436 [inline]
__do_sys_openat fs/open.c:1452 [inline]
__se_sys_openat fs/open.c:1447 [inline]
__x64_sys_openat+0x174/0x210 fs/open.c:1447
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #5 (&cmd->lock){+.+.}-{4:4}:
__mutex_lock_common kernel/locking/mutex.c:614 [inline]
__mutex_lock+0x1aa/0x1ca0 kernel/locking/mutex.c:776
nbd_queue_rq+0xbd/0x12d0 drivers/block/nbd.c:1199
blk_mq_dispatch_rq_list+0x416/0x1e20 block/blk-mq.c:2138
__blk_mq_do_dispatch_sched block/blk-mq-sched.c:168 [inline]
blk_mq_do_dispatch_sched block/blk-mq-sched.c:182 [inline]
__blk_mq_sched_dispatch_requests+0xcbd/0x15f0 block/blk-mq-sched.c:307
blk_mq_sched_dispatch_requests+0xd8/0x1b0 block/blk-mq-sched.c:329
blk_mq_run_hw_queue+0x239/0x670 block/blk-mq.c:2376
blk_mq_dispatch_list+0x514/0x1300 block/blk-mq.c:2939
blk_mq_flush_plug_list block/blk-mq.c:2987 [inline]
blk_mq_flush_plug_list+0x130/0x600 block/blk-mq.c:2959
__blk_flush_plug+0x2c4/0x4b0 block/blk-core.c:1225
blk_finish_plug block/blk-core.c:1252 [inline]
blk_finish_plug block/blk-core.c:1249 [inline]
__submit_bio+0x542/0x690 block/blk-core.c:651
__submit_bio_noacct_mq block/blk-core.c:724 [inline]
submit_bio_noacct_nocheck+0x53d/0xbe0 block/blk-core.c:755
submit_bio_noacct+0x5bd/0x1f40 block/blk-core.c:879
submit_bh fs/buffer.c:2829 [inline]
block_read_full_folio+0x4db/0x850 fs/buffer.c:2461
filemap_read_folio+0xc8/0x2a0 mm/filemap.c:2496
do_read_cache_folio+0x266/0x5c0 mm/filemap.c:4096
read_mapping_folio include/linux/pagemap.h:1017 [inline]
read_part_sector+0xd4/0x370 block/partitions/core.c:722
adfspart_check_ICS+0x93/0x940 block/partitions/acorn.c:360
check_partition block/partitions/core.c:141 [inline]
blk_add_partitions block/partitions/core.c:589 [inline]
bdev_disk_changed+0x723/0x1520 block/partitions/core.c:693
blkdev_get_whole+0x187/0x290 block/bdev.c:765
bdev_open+0x2c7/0xe40 block/bdev.c:974
blkdev_open+0x34e/0x4f0 block/fops.c:698
do_dentry_open+0x748/0x1590 fs/open.c:962
vfs_open+0x82/0x3f0 fs/open.c:1094
do_open fs/namei.c:4628 [inline]
path_openat+0x2078/0x3140 fs/namei.c:4787
do_filp_open+0x20b/0x470 fs/namei.c:4814
do_sys_openat2+0x121/0x290 fs/open.c:1430
do_sys_open fs/open.c:1436 [inline]
__do_sys_openat fs/open.c:1452 [inline]
__se_sys_openat fs/open.c:1447 [inline]
__x64_sys_openat+0x174/0x210 fs/open.c:1447
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #4 (set->srcu){.+.+}-{0:0}:
srcu_lock_sync include/linux/srcu.h:197 [inline]
__synchronize_srcu+0xa2/0x250 kernel/rcu/srcutree.c:1503
blk_mq_wait_quiesce_done block/blk-mq.c:284 [inline]
blk_mq_wait_quiesce_done block/blk-mq.c:281 [inline]
blk_mq_quiesce_queue block/blk-mq.c:304 [inline]
blk_mq_quiesce_queue+0x149/0x1b0 block/blk-mq.c:299
elevator_switch+0x17d/0x7f0 block/elevator.c:576
elevator_change+0x38b/0x570 block/elevator.c:680
elevator_set_default+0x2d2/0x390 block/elevator.c:753
blk_register_queue+0x384/0x4e0 block/blk-sysfs.c:932
__add_disk+0x74a/0xf00 block/genhd.c:528
add_disk_fwnode+0x13f/0x5d0 block/genhd.c:597
add_disk include/linux/blkdev.h:785 [inline]
nbd_dev_add+0x783/0xbb0 drivers/block/nbd.c:1984
nbd_init+0x181/0x320 drivers/block/nbd.c:2692
do_one_initcall+0x123/0x680 init/main.c:1378
do_initcall_level init/main.c:1440 [inline]
do_initcalls init/main.c:1456 [inline]
do_basic_setup init/main.c:1475 [inline]
kernel_init_freeable+0x5c8/0x920 init/main.c:1688
kernel_init+0x1c/0x2b0 init/main.c:1578
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
-> #3 (&q->elevator_lock){+.+.}-{4:4}:
__mutex_lock_common kernel/locking/mutex.c:614 [inline]
__mutex_lock+0x1aa/0x1ca0 kernel/locking/mutex.c:776
elevator_change+0x1ed/0x570 block/elevator.c:678
elv_iosched_store+0x3e8/0x4a0 block/elevator.c:811
queue_attr_store+0x26b/0x310 block/blk-sysfs.c:859
sysfs_kf_write+0xf2/0x150 fs/sysfs/file.c:142
kernfs_fop_write_iter+0x3af/0x570 fs/kernfs/file.c:352
iter_file_splice_write+0xa24/0x12b0 fs/splice.c:738
do_splice_from fs/splice.c:938 [inline]
direct_splice_actor+0x192/0x6c0 fs/splice.c:1161
splice_direct_to_actor+0x345/0xa30 fs/splice.c:1105
do_splice_direct_actor fs/splice.c:1204 [inline]
do_splice_direct+0x174/0x240 fs/splice.c:1230
do_sendfile+0xb06/0xe50 fs/read_write.c:1370
__do_sys_sendfile64 fs/read_write.c:1431 [inline]
__se_sys_sendfile64 fs/read_write.c:1417 [inline]
__x64_sys_sendfile64+0x1d8/0x220 fs/read_write.c:1417
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #2 (&q->q_usage_counter(io)#66){++++}-{0:0}:
blk_alloc_queue+0x610/0x750 block/blk-core.c:461
blk_mq_alloc_queue+0x172/0x280 block/blk-mq.c:4415
__blk_mq_alloc_disk+0x29/0x120 block/blk-mq.c:4462
null_add_dev+0xf2e/0x1eb0 drivers/block/null_blk/main.c:1999
null_create_dev drivers/block/null_blk/main.c:2097 [inline]
null_init+0x2c9/0x610 drivers/block/null_blk/main.c:2169
do_one_initcall+0x123/0x680 init/main.c:1378
do_initcall_level init/main.c:1440 [inline]
do_initcalls init/main.c:1456 [inline]
do_basic_setup init/main.c:1475 [inline]
kernel_init_freeable+0x5c8/0x920 init/main.c:1688
kernel_init+0x1c/0x2b0 init/main.c:1578
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
-> #1 (fs_reclaim){+.+.}-{0:0}:
__fs_reclaim_acquire mm/page_alloc.c:4301 [inline]
fs_reclaim_acquire+0x102/0x150 mm/page_alloc.c:4315
might_alloc include/linux/sched/mm.h:317 [inline]
slab_pre_alloc_hook mm/slub.c:4904 [inline]
slab_alloc_node mm/slub.c:5239 [inline]
kmem_cache_alloc_lru_noprof+0x5f/0x770 mm/slub.c:5282
alloc_inode+0xc3/0x240 fs/inode.c:348
iget_locked+0x1d9/0x6d0 fs/inode.c:1470
kernfs_get_inode+0x46/0x470 fs/kernfs/inode.c:253
kernfs_fill_super fs/kernfs/mount.c:308 [inline]
kernfs_get_tree+0x62a/0xb60 fs/kernfs/mount.c:392
sysfs_get_tree+0x41/0x140 fs/sysfs/mount.c:31
vfs_get_tree+0x8e/0x330 fs/super.c:1751
fc_mount fs/namespace.c:1199 [inline]
do_new_mount_fc fs/namespace.c:3636 [inline]
do_new_mount fs/namespace.c:3712 [inline]
path_mount+0x7bf/0x23a0 fs/namespace.c:4022
do_mount fs/namespace.c:4035 [inline]
__do_sys_mount fs/namespace.c:4224 [inline]
__se_sys_mount fs/namespace.c:4201 [inline]
__x64_sys_mount+0x293/0x310 fs/namespace.c:4201
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #0 (&root->kernfs_rwsem){++++}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x1669/0x2890 kernel/locking/lockdep.c:5237
lock_acquire kernel/locking/lockdep.c:5868 [inline]
lock_acquire+0x179/0x330 kernel/locking/lockdep.c:5825
down_read+0x9b/0x460 kernel/locking/rwsem.c:1537
kernfs_find_and_get_ns+0x2f/0x70 fs/kernfs/dir.c:938
kernfs_find_and_get include/linux/kernfs.h:612 [inline]
sysfs_unmerge_group+0x61/0x170 fs/sysfs/group.c:405
dev_pm_qos_constraints_destroy+0x30/0x780 drivers/base/power/qos.c:260
dpm_sysfs_remove+0x70/0xb0 drivers/base/power/sysfs.c:831
device_del+0x1a0/0x9f0 drivers/base/core.c:3853
device_unregister+0x1d/0xe0 drivers/base/core.c:3919
hci_conn_del_sysfs+0xdd/0x1a0 net/bluetooth/hci_sysfs.c:79
hci_conn_cleanup net/bluetooth/hci_conn.c:173 [inline]
hci_conn_del+0x680/0x11d0 net/bluetooth/hci_conn.c:1234
hci_abort_conn_sync+0x76a/0xb20 net/bluetooth/hci_sync.c:5721
abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2962
hci_cmd_sync_work+0x1ab/0x470 net/bluetooth/hci_sync.c:332
process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
other info that might help us debug this:
Chain exists of:
&root->kernfs_rwsem --> cpuhp_state-down --> dev_pm_qos_sysfs_mtx
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(dev_pm_qos_sysfs_mtx);
lock(cpuhp_state-down);
lock(dev_pm_qos_sysfs_mtx);
rlock(&root->kernfs_rwsem);
*** DEADLOCK ***
5 locks held by kworker/u9:1/19169:
#0: ffff8880340a9948 ((wq_completion)hci1){+.+.}-{0:0}, at: process_one_work+0x128d/0x1b20 kernel/workqueue.c:3232
#1: ffffc9000459fc90 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x914/0x1b20 kernel/workqueue.c:3233
#2: ffff888076df4ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x175/0x470 net/bluetooth/hci_sync.c:331
#3: ffff888076df40c0 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x13f/0xb20 net/bluetooth/hci_sync.c:5702
#4: ffffffff8f2d0e08 (dev_pm_qos_sysfs_mtx){+.+.}-{4:4}, at: dev_pm_qos_constraints_destroy+0x28/0x780 drivers/base/power/qos.c:254
stack backtrace:
CPU: 0 UID: 0 PID: 19169 Comm: kworker/u9:1 Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: hci1 hci_cmd_sync_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_circular_bug+0x275/0x340 kernel/locking/lockdep.c:2043
check_noncircular+0x146/0x160 kernel/locking/lockdep.c:2175
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x1669/0x2890 kernel/locking/lockdep.c:5237
lock_acquire kernel/locking/lockdep.c:5868 [inline]
lock_acquire+0x179/0x330 kernel/locking/lockdep.c:5825
down_read+0x9b/0x460 kernel/locking/rwsem.c:1537
kernfs_find_and_get_ns+0x2f/0x70 fs/kernfs/dir.c:938
kernfs_find_and_get include/linux/kernfs.h:612 [inline]
sysfs_unmerge_group+0x61/0x170 fs/sysfs/group.c:405
dev_pm_qos_constraints_destroy+0x30/0x780 drivers/base/power/qos.c:260
dpm_sysfs_remove+0x70/0xb0 drivers/base/power/sysfs.c:831
device_del+0x1a0/0x9f0 drivers/base/core.c:3853
device_unregister+0x1d/0xe0 drivers/base/core.c:3919
hci_conn_del_sysfs+0xdd/0x1a0 net/bluetooth/hci_sysfs.c:79
hci_conn_cleanup net/bluetooth/hci_conn.c:173 [inline]
hci_conn_del+0x680/0x11d0 net/bluetooth/hci_conn.c:1234
hci_abort_conn_sync+0x76a/0xb20 net/bluetooth/hci_sync.c:5721
abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2962
hci_cmd_sync_work+0x1ab/0x470 net/bluetooth/hci_sync.c:332
process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages