program: r0 = socket$kcm(0x23, 0x5, 0x0) listen(r0, 0x800) r1 = socket$kcm(0x10, 0x2, 0x0) sendmsg$inet(r1, &(0x7f0000000440)={0x0, 0x0, &(0x7f0000000f00)=[{&(0x7f0000000200)="5c00000014006b05c84e21000ab16d6e230675f811000000440002005817d30461bc24eeb556a7ef595105ea1698fa51f60a64c9f408000000e786a6d0bdbdc3d44bd70011b6c0504bb9189d9193e9bd00"/92, 0x5c}], 0x1, 0x0, 0x0, 0x1f00c00e}, 0x240040c4) mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x0) mount$afs(0x0, &(0x7f0000002840)='./file0\x00', &(0x7f0000002880), 0x700, &(0x7f0000000200)=ANY=[@ANYBLOB='dyn']) fchownat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0xee01, 0xee01, 0x1000) umount2(&(0x7f00000002c0)='./file0\x00', 0x9) r2 = socket$phonet_pipe(0x23, 0x5, 0x2) connect$phonet_pipe(r2, &(0x7f0000000040)={0x23, 0x0, 0x58}, 0x10) accept4(r0, 0x0, 0x0, 0x80000) write$uinput_user_dev(r2, &(0x7f0000000400)={'syz0\x00', {0x3, 0x2, 0x6, 0xfffa}, 0x3a, [0x8000, 0xc95a, 0x12, 0x8, 0x80, 0x2, 0x3, 0x7f, 0x20000006, 0x4d, 0x6, 0x5f, 0x9, 0x100, 0xffff2d37, 0xff7fff01, 0x6, 0x3, 0x7, 0x5, 0x4, 0x0, 0x7, 0x3c5b, 0x1, 0x24, 0xd, 0x1, 0x0, 0xffffffff, 0xe661, 0x4, 0x7, 0x3, 0x8, 0x4c74, 0x10000, 0x242, 0x2, 0xe, 0x0, 0x80008071, 0x7, 0x17, 0x1, 0x7, 0x5, 0x3e, 0x8e, 0x6, 0x6, 0x0, 0x5, 0x4, 0x8, 0x3ff, 0x80, 0x0, 0x5, 0x6, 0x8, 0x4, 0x1, 0x40], [0x10000007, 0x9, 0x8000012f, 0x8004, 0x5, 0xfffffff3, 0x129432e6, 0xc8, 0xf9, 0xe, 0x2bf, 0x6c7, 0x9, 0xfffffffc, 0x3, 0x0, 0x0, 0x5, 0x2f, 0xe, 0x312, 0x78, 0xea4, 0x0, 0x4, 0x7, 0x7fff, 0x6, 0x400, 0x401, 0x6, 0x1, 0xff, 0x5, 0x1000005, 0x5f31, 0xd, 0x4e0, 0x2, 0x4, 0xb, 0x4, 0x9, 0x8, 0x9, 0x6, 0x47, 0x8000, 0x1, 0xfe000000, 0xffff, 0x2, 0x4, 0x9, 0x3, 0x3, 0x9, 0x1, 0x3, 0x3, 0xbc45, 0x48c93690, 0x42, 0x3], [0x7, 0x408, 0x4, 0x5, 0xfffffffe, 0x100, 0x4, 0x9, 0x5, 0x7fff, 0x0, 0x5, 0xb, 0x4, 0x5, 0x5, 0x5, 0x1ef, 0x5, 0x8, 0x86, 0x3, 0x303c, 0x3e7, 0xb, 0x5, 0x2, 0x2, 0x3, 0x20000008, 0x4, 0x6d01, 0x46, 0x38, 0x233, 0x200, 0x80, 0x3, 0x4, 0x2950bfaf, 0x1000, 0xa2, 
0x7602, 0xa9, 0x5, 0x6, 0xac8, 0xbf, 0x2, 0x3, 0x7ff, 0x12b, 0x4, 0x1, 0xa, 0x0, 0x5, 0x1c, 0x120000, 0x3, 0x2006, 0x80a2ed, 0xf4, 0x25], [0x9, 0xbb33, 0x7, 0xb, 0x5, 0x938, 0x6, 0x6, 0x0, 0xb9, 0xce4, 0x1ff, 0x2, 0x57, 0x5, 0x3, 0x101, 0x10000, 0x4, 0x7fff, 0xffff, 0xa620, 0x1, 0x5, 0x1, 0x2000002, 0x14c, 0x60a7, 0x6, 0x16, 0xffffffff, 0x80000000, 0x5, 0x4, 0xc8, 0x1, 0xfffff000, 0x10000, 0x3, 0x7e, 0x100, 0x9622, 0x7, 0xaf, 0x8, 0x6, 0x226, 0x5, 0x5, 0x0, 0x30b1d693, 0xa1f, 0xf40, 0x7, 0x1, 0x6c1b, 0x0, 0x4, 0x5, 0xb1e, 0xd7, 0x200, 0xffff3441, 0xfff]}, 0x45c) ppoll(&(0x7f00000000c0)=[{}, {}], 0x20000000000000dc, 0x0, 0x0, 0x0) syz_clone3(&(0x7f0000000340)={0x105480, &(0x7f00000000c0), 0x0, 0x0, {}, 0x0, 0x0, 0x0, 0x0}, 0x58) [ 85.056991][ T5333] netlink: 'syz.0.0': attribute type 2 has an invalid length. [ 85.198413][ C0] [ 85.199447][ C0] ================================ [ 85.201476][ C0] WARNING: inconsistent lock state [ 85.203399][ C0] syzkaller #0 Not tainted [ 85.205145][ C0] -------------------------------- [ 85.207331][ C0] inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. 
[ 85.210034][ C0] syz.0.0/5333 [HC0[0]:SC1[1]:HE1:SE0] takes: [ 85.212627][ C0] ffff888037183c68 (slock-AF_PHONET/1){+.?.}-{3:3}, at: __sk_receive_skb+0x1bf/0x9e0 [ 85.218429][ C0] {SOFTIRQ-ON-W} state was registered at: [ 85.220866][ C0] lock_acquire+0x106/0x350 [ 85.222901][ C0] _raw_spin_lock_nested+0x32/0x50 [ 85.225194][ C0] __sk_receive_skb+0x1bf/0x9e0 [ 85.227363][ C0] pep_do_rcv+0x685/0xaa0 [ 85.229402][ C0] __release_sock+0x297/0x3a0 [ 85.231529][ C0] release_sock+0x190/0x260 [ 85.233486][ C0] pep_sock_accept+0xdf5/0x12b0 [ 85.235550][ C0] pn_socket_accept+0xc9/0x2e0 [ 85.237804][ C0] do_accept+0x521/0x760 [ 85.239707][ C0] __sys_accept4+0x139/0x230 [ 85.241909][ C0] __x64_sys_accept4+0x9a/0xb0 [ 85.244046][ C0] do_syscall_64+0x15f/0xf80 [ 85.246153][ C0] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.248828][ C0] irq event stamp: 1732 [ 85.250623][ C0] hardirqs last enabled at (1732): [] _raw_spin_unlock_irq+0x23/0x50 [ 85.254781][ C0] hardirqs last disabled at (1731): [] _raw_spin_lock_irq+0x17/0x50 [ 85.258831][ C0] softirqs last enabled at (1726): [] netif_rx+0x79/0x90 [ 85.262604][ C0] softirqs last disabled at (1727): [] do_softirq+0x76/0xd0 [ 85.266332][ C0] [ 85.266332][ C0] other info that might help us debug this: [ 85.269773][ C0] Possible unsafe locking scenario: [ 85.269773][ C0] [ 85.273019][ C0] CPU0 [ 85.274519][ C0] ---- [ 85.275986][ C0] lock(slock-AF_PHONET/1); [ 85.278033][ C0] <Interrupt> [ 85.279497][ C0] lock(slock-AF_PHONET/1); [ 85.281571][ C0] [ 85.281571][ C0] *** DEADLOCK *** [ 85.281571][ C0] [ 85.284883][ C0] 4 locks held by syz.0.0/5333: [ 85.286948][ C0] #0: ffff888037184360 (sk_lock-AF_PHONET){+.+.}-{0:0}, at: pep_sendmsg+0x248/0xb00 [ 85.290978][ C0] #1: ffffffff8e95cde0 (rcu_read_lock){....}-{1:3}, at: process_backlog+0x3eb/0x1950 [ 85.294214][ C0] #2: ffff888037184968 (slock-AF_PHONET){+.-.}-{3:3}, at: __sk_receive_skb+0x1f1/0x9e0 [ 85.298207][ C0] #3: ffff8880371849e0 (sk_lock-AF_PHONET){+.+.}-{0:0}, at: phonet_rcv+0x781/0xc40 [ 
85.302137][ C0] [ 85.302137][ C0] stack backtrace: [ 85.304543][ C0] CPU: 0 UID: 0 PID: 5333 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 85.304557][ C0] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 85.304563][ C0] Call Trace: [ 85.304571][ C0] <IRQ> [ 85.304576][ C0] dump_stack_lvl+0xe8/0x150 [ 85.304598][ C0] print_usage_bug+0x28b/0x2e0 [ 85.304620][ C0] mark_lock_irq+0x410/0x420 [ 85.304631][ C0] ? pep_sock_accept+0xdf5/0x12b0 [ 85.304644][ C0] ? pn_socket_accept+0xc9/0x2e0 [ 85.304653][ C0] ? __sys_accept4+0x139/0x230 [ 85.304665][ C0] ? __x64_sys_accept4+0x9a/0xb0 [ 85.304674][ C0] ? do_syscall_64+0x15f/0xf80 [ 85.304689][ C0] mark_lock+0x115/0x190 [ 85.304701][ C0] __lock_acquire+0x689/0x2cf0 [ 85.304714][ C0] ? sk_filter_trim_cap+0x1a7/0xe70 [ 85.304729][ C0] ? sk_filter_trim_cap+0x91e/0xe70 [ 85.304743][ C0] ? __sk_receive_skb+0x1bf/0x9e0 [ 85.304754][ C0] lock_acquire+0x106/0x350 [ 85.304764][ C0] ? __sk_receive_skb+0x1bf/0x9e0 [ 85.304776][ C0] _raw_spin_lock_nested+0x32/0x50 [ 85.304790][ C0] ? __sk_receive_skb+0x1bf/0x9e0 [ 85.304801][ C0] __sk_receive_skb+0x1bf/0x9e0 [ 85.304813][ C0] pep_do_rcv+0x685/0xaa0 [ 85.304825][ C0] ? __pfx_pep_do_rcv+0x10/0x10 [ 85.304841][ C0] ? __pfx_pep_do_rcv+0x10/0x10 [ 85.304852][ C0] ? phonet_rcv+0x781/0xc40 [ 85.304862][ C0] __sk_receive_skb+0x962/0x9e0 [ 85.304877][ C0] phonet_rcv+0x781/0xc40 [ 85.304890][ C0] ? __pfx_phonet_rcv+0x10/0x10 [ 85.304902][ C0] ? process_backlog+0x3eb/0x1950 [ 85.304913][ C0] ? process_backlog+0x3eb/0x1950 [ 85.304923][ C0] ? __pfx_phonet_rcv+0x10/0x10 [ 85.304934][ C0] ? process_backlog+0x3eb/0x1950 [ 85.304944][ C0] process_backlog+0xc66/0x1950 [ 85.304959][ C0] __napi_poll+0xae/0x340 [ 85.304969][ C0] ? skb_defer_free_flush+0x233/0x260 [ 85.304979][ C0] net_rx_action+0x627/0xf70 [ 85.304987][ C0] ? lock_acquire+0x106/0x350 [ 85.304998][ C0] ? 
__pfx_net_rx_action+0x10/0x10 [ 85.305012][ C0] handle_softirqs+0x22a/0x840 [ 85.305025][ C0] ? do_softirq+0x76/0xd0 [ 85.305036][ C0] ? netif_rx+0x79/0x90 [ 85.305048][ C0] do_softirq+0x76/0xd0 [ 85.305059][ C0] </IRQ> [ 85.305063][ C0] <TASK> [ 85.305067][ C0] __local_bh_enable_ip+0xf8/0x130 [ 85.305077][ C0] netif_rx+0x83/0x90 [ 85.305088][ C0] pn_send+0x62a/0x8e0 [ 85.305104][ C0] pn_skb_send+0x218/0x510 [ 85.305115][ C0] pipe_skb_send+0x2f7/0x540 [ 85.305126][ C0] pep_sendmsg+0x9ca/0xb00 [ 85.305140][ C0] ? release_sock+0x2f/0x260 [ 85.305179][ C0] ? __pfx_pep_sendmsg+0x10/0x10 [ 85.305193][ C0] ? pn_socket_bind+0x40d/0x550 [ 85.305205][ C0] ? pn_socket_bind+0x40d/0x550 [ 85.305215][ C0] ? __local_bh_enable_ip+0xd0/0x130 [ 85.305225][ C0] ? lockdep_hardirqs_on+0x7a/0x110 [ 85.305237][ C0] ? pn_socket_bind+0x40d/0x550 [ 85.305248][ C0] ? __local_bh_enable_ip+0xd0/0x130 [ 85.305257][ C0] ? pn_socket_bind+0x40d/0x550 [ 85.305268][ C0] pn_socket_sendmsg+0x1e5/0x250 [ 85.305279][ C0] ? tomoyo_socket_sendmsg_permission+0x1e0/0x300 [ 85.306094][ C0] ? __pfx_pn_socket_sendmsg+0x10/0x10 [ 85.306105][ C0] ? __pfx_futex_wake_mark+0x10/0x10 [ 85.306119][ C0] ? aa_sock_msg_perm+0xf1/0x1b0 [ 85.306130][ C0] ? bpf_lsm_socket_sendmsg+0x9/0x20 [ 85.306142][ C0] ? __pfx_pn_socket_sendmsg+0x10/0x10 [ 85.306152][ C0] sock_write_iter+0x49b/0x4f0 [ 85.306167][ C0] ? __pfx_sock_write_iter+0x10/0x10 [ 85.306183][ C0] ? bpf_lsm_file_permission+0x9/0x20 [ 85.306195][ C0] ? security_file_permission+0x75/0x260 [ 85.306211][ C0] vfs_write+0x61d/0xb90 [ 85.306225][ C0] ? __pfx_vfs_write+0x10/0x10 [ 85.306239][ C0] ? __fget_files+0x2a/0x420 [ 85.306252][ C0] ksys_write+0x150/0x270 [ 85.306264][ C0] ? __pfx_ksys_write+0x10/0x10 [ 85.306276][ C0] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.306287][ C0] do_syscall_64+0x15f/0xf80 [ 85.306300][ C0] ? trace_irq_disable+0x3b/0x140 [ 85.306312][ C0] ? 
clear_bhb_loop+0x40/0x90 [ 85.306321][ C0] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.306330][ C0] RIP: 0033:0x7f820c19ce59 [ 85.306343][ C0] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 85.306352][ C0] RSP: 002b:00007f820cf6ffe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 85.306364][ C0] RAX: ffffffffffffffda RBX: 00007f820c415fa0 RCX: 00007f820c19ce59 [ 85.306371][ C0] RDX: 000000000000045c RSI: 0000200000000400 RDI: 0000000000000005 [ 85.306378][ C0] RBP: 00007f820c232d6f R08: 0000000000000000 R09: 0000000000000000 [ 85.306385][ C0] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 85.306390][ C0] R13: 00007f820c416038 R14: 00007f820c415fa0 R15: 00007ffc833f0b38 [ 85.306398][ C0] </TASK> [ 85.509524][ T5293] Bluetooth: hci0: command tx timeout