[v6.6] possible deadlock in __flush_workqueue


syzbot

Oct 28, 2025, 11:21:32 PM (8 days ago) Oct 28
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 4a243110dc88 Linux 6.6.114
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15219f34580000
kernel config: https://syzkaller.appspot.com/x/.config?x=12606d4b8832c7e4
dashboard link: https://syzkaller.appspot.com/bug?extid=932b000b5a48d78ee5d0
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1950ac2cd960/disk-4a243110.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d7dccd93693b/vmlinux-4a243110.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6f93496e2b47/bzImage-4a243110.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+932b00...@syzkaller.appspotmail.com

Bluetooth: hci1: command 0x0406 tx timeout
Bluetooth: hci1: hardware error 0x00
============================================
WARNING: possible recursive locking detected
syzkaller #0 Not tainted
--------------------------------------------
kworker/u5:3/5796 is trying to acquire lock:
ffff88802f35fd38 ((wq_completion)hci1){+.+.}-{0:0}, at: touch_wq_lockdep_map kernel/workqueue.c:3138 [inline]
ffff88802f35fd38 ((wq_completion)hci1){+.+.}-{0:0}, at: __flush_workqueue+0x128/0x1380 kernel/workqueue.c:3168

but task is already holding lock:
ffff88802f35fd38 ((wq_completion)hci1){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
ffff88802f35fd38 ((wq_completion)hci1){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711

other info that might help us debug this:
Possible unsafe locking scenario:

CPU0
----
lock((wq_completion)hci1);
lock((wq_completion)hci1);

*** DEADLOCK ***

May be due to missing lock nesting notation

2 locks held by kworker/u5:3/5796:
#0: ffff88802f35fd38 ((wq_completion)hci1){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
#0: ffff88802f35fd38 ((wq_completion)hci1){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
#1: ffffc9000469fd00 ((work_completion)(&hdev->error_reset)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
#1: ffffc9000469fd00 ((work_completion)(&hdev->error_reset)){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711

stack backtrace:
CPU: 0 PID: 5796 Comm: kworker/u5:3 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Workqueue: hci1 hci_error_reset
Call Trace:
<TASK>
dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106
check_deadlock kernel/locking/lockdep.c:3062 [inline]
validate_chain kernel/locking/lockdep.c:3856 [inline]
__lock_acquire+0x5d40/0x7c80 kernel/locking/lockdep.c:5137
lock_acquire+0x197/0x410 kernel/locking/lockdep.c:5754
touch_wq_lockdep_map kernel/workqueue.c:3138 [inline]
__flush_workqueue+0x141/0x1380 kernel/workqueue.c:3168
drain_workqueue+0xd3/0x380 kernel/workqueue.c:3332
destroy_workqueue+0xc4/0xf20 kernel/workqueue.c:4826
hci_release_dev+0xe2/0x1400 net/bluetooth/hci_core.c:2744
bt_host_release+0x82/0x90 net/bluetooth/hci_sysfs.c:87
device_release+0x96/0x1c0 drivers/base/core.c:-1
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x221/0x470 lib/kobject.c:737
process_one_work kernel/workqueue.c:2634 [inline]
process_scheduled_works+0xa45/0x15b0 kernel/workqueue.c:2711
worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792
kthread+0x2fa/0x390 kernel/kthread.c:388
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup