From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-ot1-f80.google.com (mail-ot1-f80.google.com [209.85.210.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 243CB36BCDD for ; Wed, 7 Jan 2026 18:28:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.80 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767810507; cv=none; b=T1TovwMVhlJIoLRAqQVGWVx5qT2Z8TIV/K/SD/rMkUxyEHahS42t7hVlgb+tYArIbzn2SQrkKRvteMYK1/84NpG8cDj+m2omvhPe0RppyQE/wMYkaQuWzvZ7ZoQZS0Xz2SWkl2Uy1Y+ZFN8pcgE+YDgBV5iBDsT2O6jzpgt79xY= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1767810507; c=relaxed/simple; bh=7US4zvsPP9jpSuTiVlMWTXFyCnYuPRGnfHz2bTh49os=; h=MIME-Version:Date:Message-ID:Subject:From:To:Content-Type; b=ErXfDxPu8jJF+sAiepa8wX7ejgqS0/Gy56ndLl5D9TCZ0EmwGZKI1KCyj3IiAxfN52P8uQGQn6s0qoQUzOa+2bbTTq//vL9EumCX3LJUmJp+O2oKdLB/WqPHJchOK+jSdWlooSrbDc+dE6G9Uk05DaHV0F9SFkerJ+E7VpVfOPU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com; arc=none smtp.client-ip=209.85.210.80 Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com Received: by mail-ot1-f80.google.com with SMTP id 46e09a7af769-7c75b4d04acso7419432a34.2 for ; Wed, 07 Jan 2026 10:28:23 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1767810502; x=1768415302; h=to:from:subject:message-id:date:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=SMfhkLfdKcxq4hexUbAFhmi4rs4beyAW/diYL/VtLwE=; b=SaO4XQTSp65LfvKEQjEHEY71GYKHfctFYdw3y+B1H7zE4aymTnj3wKKlqJqX1EPqvl o4M6nPiJpnhZHH8MVmlX+GLtqFW2ntRkgV9LJs0blJy+CDM+2331976l/SjgiGJshuWM RsD5QuE54pVkKNQb3I/Vj8YOeX//IF+vWAUQx29dH1zaBFpjbwRxABi/kNMyc0LVRm0b HUuGsGsM6elnMuD7JynzsbwGUkA6b1G1X27xVE7FjDC9ZmudB3DSwIhkMBcM+LiZq7j/ je+IkHmNox4R/r1MQYvseKCdGTZQOwm1/fifYtMQ8pQY6abnpLuPNbPwDX2u/hHxg7CO GYfg== X-Forwarded-Encrypted: i=1; AJvYcCXOBfqraolj7U6v8wek5uLBAl7Fr8jZv7YCqORkBc2V3jwMyEMCi0+737aExq8dd2QdOa6oCGAlg+FXEh8=@vger.kernel.org X-Gm-Message-State: AOJu0YxxAl20EMfwFApA1YmtOIYVCa5uVOoiEDLhuPIkJwnRbuVaJhTB /gVm4aCklqZ/7qwL2CaS/hYm7XCpMK1+yfhIzHa1ir7yH8IXcZhZDRAdzqXcDZKvwfpgqix3dx3 idS/22iws+zEI8kznyxwsxl+4uAlre+RmzB8+zfnp5n/wqnVt9LoZUXwQQls= X-Google-Smtp-Source: AGHT+IFkpGA8wAmNJ1S+GZHKUBA2kH+z2qoSBRqMpt/tXx3DhEasxgOoRQcfikv2fOuJF4Tx/hHeW1rRmzVqU7XGxtKkSN5ApNSu Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Received: by 2002:a05:6820:6089:b0:65d:56b:4b42 with SMTP id 006d021491bc7-65f54f73c45mr952852eaf.48.1767810502414; Wed, 07 Jan 2026 10:28:22 -0800 (PST) Date: Wed, 07 Jan 2026 10:28:22 -0800 X-Google-Appengine-App-Id: s~syzkaller X-Google-Appengine-App-Id-Alias: syzkaller Message-ID: <695ea5c6.050a0220.1c677c.0374.GAE@google.com> Subject: [syzbot] [kernfs?] possible deadlock in kernfs_find_and_get_ns From: syzbot To: gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, tj@kernel.org Content-Type: text/plain; charset="UTF-8" Hello, syzbot found the following issue on: HEAD commit: 805f9a061372 Merge tag 'perf-tools-fixes-for-v6.19-2026-01.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=10efffb4580000 kernel config: https://syzkaller.appspot.com/x/.config?x=8bfa57a8c0ab3aa8 dashboard link: https://syzkaller.appspot.com/bug?extid=e357099a1af26daeee17 compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 Unfortunately, I don't have any reproducer for this issue yet. Downloadable assets: disk image: https://storage.googleapis.com/syzbot-assets/fae9f657d73f/disk-805f9a06.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/a4cdccd44a08/vmlinux-805f9a06.xz kernel image: https://storage.googleapis.com/syzbot-assets/5c1c9c290d06/bzImage-805f9a06.xz IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+e357099a1af26daeee17@syzkaller.appspotmail.com ====================================================== WARNING: possible circular locking dependency detected syzkaller #0 Tainted: G L ------------------------------------------------------ kworker/u9:1/19169 is trying to acquire lock: ffff888140460188 (&root->kernfs_rwsem){++++}-{4:4}, at: kernfs_find_and_get_ns+0x2f/0x70 fs/kernfs/dir.c:938 but task is already holding lock: ffffffff8f2d0e08 (dev_pm_qos_sysfs_mtx){+.+.}-{4:4}, at: dev_pm_qos_constraints_destroy+0x28/0x780 drivers/base/power/qos.c:254 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #10 (dev_pm_qos_sysfs_mtx){+.+.}-{4:4}: __mutex_lock_common kernel/locking/mutex.c:614 [inline] __mutex_lock+0x1aa/0x1ca0 kernel/locking/mutex.c:776 dev_pm_qos_constraints_destroy+0x28/0x780 drivers/base/power/qos.c:254 dpm_sysfs_remove+0x70/0xb0 drivers/base/power/sysfs.c:831 device_del+0x1a0/0x9f0 drivers/base/core.c:3853 device_unregister+0x1d/0xe0 drivers/base/core.c:3919 mce_device_remove arch/x86/kernel/cpu/mce/core.c:2748 [inline] mce_cpu_pre_down+0x326/0x640 arch/x86/kernel/cpu/mce/core.c:2809 cpuhp_invoke_callback+0x3d5/0xa10 kernel/cpu.c:195 cpuhp_thread_fun+0x47e/0x6f0 kernel/cpu.c:1105 smpboot_thread_fn+0x3f7/0xae0 kernel/smpboot.c:160 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 -> #9 (cpuhp_state-down){+.+.}-{0:0}: cpuhp_lock_acquire kernel/cpu.c:104 [inline] cpuhp_kick_ap_work+0xa4/0xbd0 kernel/cpu.c:1184 _cpu_down+0x37b/0xf40 kernel/cpu.c:1422 __cpu_down_maps_locked+0x6c/0x90 kernel/cpu.c:1468 work_for_cpu_fn+0x55/0xa0 kernel/workqueue.c:6770 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 -> #8 (cpu_hotplug_lock){++++}-{0:0}: percpu_down_read_internal include/linux/percpu-rwsem.h:53 [inline] percpu_down_read include/linux/percpu-rwsem.h:77 [inline] cpus_read_lock+0x42/0x160 kernel/cpu.c:491 static_key_slow_inc+0x12/0x30 kernel/jump_label.c:190 udp_tunnel_encap_enable include/net/udp_tunnel.h:203 [inline] setup_udp_tunnel_sock+0x39b/0x680 net/ipv4/udp_tunnel_core.c:92 l2tp_tunnel_register+0x9c8/0xbb0 net/l2tp/l2tp_core.c:1679 pppol2tp_tunnel_get.constprop.0+0x3f0/0x540 net/l2tp/l2tp_ppp.c:662 pppol2tp_connect+0xb1b/0x1ce0 net/l2tp/l2tp_ppp.c:710 __sys_connect_file+0x141/0x1a0 net/socket.c:2089 __sys_connect+0x13b/0x160 net/socket.c:2108 __do_sys_connect net/socket.c:2114 [inline] __se_sys_connect net/socket.c:2111 [inline] __x64_sys_connect+0x72/0xb0 net/socket.c:2111 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #7 (sk_lock-AF_INET){+.+.}-{0:0}: lock_sock_nested+0x41/0xf0 net/core/sock.c:3780 lock_sock include/net/sock.h:1700 [inline] inet_shutdown+0x67/0x440 net/ipv4/af_inet.c:913 nbd_mark_nsock_dead+0xae/0x5d0 drivers/block/nbd.c:318 recv_work+0x66b/0xa70 drivers/block/nbd.c:1021 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 -> #6 (&nsock->tx_lock){+.+.}-{4:4}: __mutex_lock_common kernel/locking/mutex.c:614 [inline] __mutex_lock+0x1aa/0x1ca0 kernel/locking/mutex.c:776 nbd_handle_cmd drivers/block/nbd.c:1143 [inline] nbd_queue_rq+0x423/0x12d0 drivers/block/nbd.c:1207 blk_mq_dispatch_rq_list+0x416/0x1e20 block/blk-mq.c:2138 __blk_mq_do_dispatch_sched block/blk-mq-sched.c:168 [inline] blk_mq_do_dispatch_sched block/blk-mq-sched.c:182 [inline] __blk_mq_sched_dispatch_requests+0xcbd/0x15f0 block/blk-mq-sched.c:307 blk_mq_sched_dispatch_requests+0xd8/0x1b0 block/blk-mq-sched.c:329 blk_mq_run_hw_queue+0x239/0x670 block/blk-mq.c:2376 blk_mq_dispatch_list+0x514/0x1300 block/blk-mq.c:2939 blk_mq_flush_plug_list block/blk-mq.c:2987 [inline] blk_mq_flush_plug_list+0x130/0x600 block/blk-mq.c:2959 __blk_flush_plug+0x2c4/0x4b0 block/blk-core.c:1225 blk_finish_plug block/blk-core.c:1252 [inline] blk_finish_plug block/blk-core.c:1249 [inline] __submit_bio+0x542/0x690 block/blk-core.c:651 __submit_bio_noacct_mq block/blk-core.c:724 [inline] submit_bio_noacct_nocheck+0x53d/0xbe0 block/blk-core.c:755 submit_bio_noacct+0x5bd/0x1f40 block/blk-core.c:879 submit_bh fs/buffer.c:2829 [inline] block_read_full_folio+0x4db/0x850 fs/buffer.c:2461 filemap_read_folio+0xc8/0x2a0 mm/filemap.c:2496 do_read_cache_folio+0x266/0x5c0 mm/filemap.c:4096 read_mapping_folio include/linux/pagemap.h:1017 [inline] read_part_sector+0xd4/0x370 block/partitions/core.c:722 adfspart_check_ICS+0x93/0x940 block/partitions/acorn.c:360 check_partition block/partitions/core.c:141 [inline] blk_add_partitions block/partitions/core.c:589 [inline] bdev_disk_changed+0x723/0x1520 block/partitions/core.c:693 blkdev_get_whole+0x187/0x290 block/bdev.c:765 bdev_open+0x2c7/0xe40 block/bdev.c:974 blkdev_open+0x34e/0x4f0 block/fops.c:698 do_dentry_open+0x748/0x1590 fs/open.c:962 vfs_open+0x82/0x3f0 fs/open.c:1094 do_open fs/namei.c:4628 [inline] path_openat+0x2078/0x3140 fs/namei.c:4787 do_filp_open+0x20b/0x470 fs/namei.c:4814 do_sys_openat2+0x121/0x290 fs/open.c:1430 do_sys_open fs/open.c:1436 [inline] __do_sys_openat fs/open.c:1452 [inline] __se_sys_openat fs/open.c:1447 [inline] __x64_sys_openat+0x174/0x210 fs/open.c:1447 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #5 (&cmd->lock){+.+.}-{4:4}: __mutex_lock_common kernel/locking/mutex.c:614 [inline] __mutex_lock+0x1aa/0x1ca0 kernel/locking/mutex.c:776 nbd_queue_rq+0xbd/0x12d0 drivers/block/nbd.c:1199 blk_mq_dispatch_rq_list+0x416/0x1e20 block/blk-mq.c:2138 __blk_mq_do_dispatch_sched block/blk-mq-sched.c:168 [inline] blk_mq_do_dispatch_sched block/blk-mq-sched.c:182 [inline] __blk_mq_sched_dispatch_requests+0xcbd/0x15f0 block/blk-mq-sched.c:307 blk_mq_sched_dispatch_requests+0xd8/0x1b0 block/blk-mq-sched.c:329 blk_mq_run_hw_queue+0x239/0x670 block/blk-mq.c:2376 blk_mq_dispatch_list+0x514/0x1300 block/blk-mq.c:2939 blk_mq_flush_plug_list block/blk-mq.c:2987 [inline] blk_mq_flush_plug_list+0x130/0x600 block/blk-mq.c:2959 __blk_flush_plug+0x2c4/0x4b0 block/blk-core.c:1225 blk_finish_plug block/blk-core.c:1252 [inline] blk_finish_plug block/blk-core.c:1249 [inline] __submit_bio+0x542/0x690 block/blk-core.c:651 __submit_bio_noacct_mq block/blk-core.c:724 [inline] submit_bio_noacct_nocheck+0x53d/0xbe0 block/blk-core.c:755 submit_bio_noacct+0x5bd/0x1f40 block/blk-core.c:879 submit_bh fs/buffer.c:2829 [inline] block_read_full_folio+0x4db/0x850 fs/buffer.c:2461 filemap_read_folio+0xc8/0x2a0 mm/filemap.c:2496 do_read_cache_folio+0x266/0x5c0 mm/filemap.c:4096 read_mapping_folio include/linux/pagemap.h:1017 [inline] read_part_sector+0xd4/0x370 block/partitions/core.c:722 adfspart_check_ICS+0x93/0x940 block/partitions/acorn.c:360 check_partition block/partitions/core.c:141 [inline] blk_add_partitions block/partitions/core.c:589 [inline] bdev_disk_changed+0x723/0x1520 block/partitions/core.c:693 blkdev_get_whole+0x187/0x290 block/bdev.c:765 bdev_open+0x2c7/0xe40 block/bdev.c:974 blkdev_open+0x34e/0x4f0 block/fops.c:698 do_dentry_open+0x748/0x1590 fs/open.c:962 vfs_open+0x82/0x3f0 fs/open.c:1094 do_open fs/namei.c:4628 [inline] path_openat+0x2078/0x3140 fs/namei.c:4787 do_filp_open+0x20b/0x470 fs/namei.c:4814 do_sys_openat2+0x121/0x290 fs/open.c:1430 do_sys_open fs/open.c:1436 [inline] __do_sys_openat fs/open.c:1452 [inline] __se_sys_openat fs/open.c:1447 [inline] __x64_sys_openat+0x174/0x210 fs/open.c:1447 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #4 (set->srcu){.+.+}-{0:0}: srcu_lock_sync include/linux/srcu.h:197 [inline] __synchronize_srcu+0xa2/0x250 kernel/rcu/srcutree.c:1503 blk_mq_wait_quiesce_done block/blk-mq.c:284 [inline] blk_mq_wait_quiesce_done block/blk-mq.c:281 [inline] blk_mq_quiesce_queue block/blk-mq.c:304 [inline] blk_mq_quiesce_queue+0x149/0x1b0 block/blk-mq.c:299 elevator_switch+0x17d/0x7f0 block/elevator.c:576 elevator_change+0x38b/0x570 block/elevator.c:680 elevator_set_default+0x2d2/0x390 block/elevator.c:753 blk_register_queue+0x384/0x4e0 block/blk-sysfs.c:932 __add_disk+0x74a/0xf00 block/genhd.c:528 add_disk_fwnode+0x13f/0x5d0 block/genhd.c:597 add_disk include/linux/blkdev.h:785 [inline] nbd_dev_add+0x783/0xbb0 drivers/block/nbd.c:1984 nbd_init+0x181/0x320 drivers/block/nbd.c:2692 do_one_initcall+0x123/0x680 init/main.c:1378 do_initcall_level init/main.c:1440 [inline] do_initcalls init/main.c:1456 [inline] do_basic_setup init/main.c:1475 [inline] kernel_init_freeable+0x5c8/0x920 init/main.c:1688 kernel_init+0x1c/0x2b0 init/main.c:1578 ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 -> #3 (&q->elevator_lock){+.+.}-{4:4}: __mutex_lock_common kernel/locking/mutex.c:614 [inline] __mutex_lock+0x1aa/0x1ca0 kernel/locking/mutex.c:776 elevator_change+0x1ed/0x570 block/elevator.c:678 elv_iosched_store+0x3e8/0x4a0 block/elevator.c:811 queue_attr_store+0x26b/0x310 block/blk-sysfs.c:859 sysfs_kf_write+0xf2/0x150 fs/sysfs/file.c:142 kernfs_fop_write_iter+0x3af/0x570 fs/kernfs/file.c:352 iter_file_splice_write+0xa24/0x12b0 fs/splice.c:738 do_splice_from fs/splice.c:938 [inline] direct_splice_actor+0x192/0x6c0 fs/splice.c:1161 splice_direct_to_actor+0x345/0xa30 fs/splice.c:1105 do_splice_direct_actor fs/splice.c:1204 [inline] do_splice_direct+0x174/0x240 fs/splice.c:1230 do_sendfile+0xb06/0xe50 fs/read_write.c:1370 __do_sys_sendfile64 fs/read_write.c:1431 [inline] __se_sys_sendfile64 fs/read_write.c:1417 [inline] __x64_sys_sendfile64+0x1d8/0x220 fs/read_write.c:1417 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #2 (&q->q_usage_counter(io)#66){++++}-{0:0}: blk_alloc_queue+0x610/0x750 block/blk-core.c:461 blk_mq_alloc_queue+0x172/0x280 block/blk-mq.c:4415 __blk_mq_alloc_disk+0x29/0x120 block/blk-mq.c:4462 null_add_dev+0xf2e/0x1eb0 drivers/block/null_blk/main.c:1999 null_create_dev drivers/block/null_blk/main.c:2097 [inline] null_init+0x2c9/0x610 drivers/block/null_blk/main.c:2169 do_one_initcall+0x123/0x680 init/main.c:1378 do_initcall_level init/main.c:1440 [inline] do_initcalls init/main.c:1456 [inline] do_basic_setup init/main.c:1475 [inline] kernel_init_freeable+0x5c8/0x920 init/main.c:1688 kernel_init+0x1c/0x2b0 init/main.c:1578 ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 -> #1 (fs_reclaim){+.+.}-{0:0}: __fs_reclaim_acquire mm/page_alloc.c:4301 [inline] fs_reclaim_acquire+0x102/0x150 mm/page_alloc.c:4315 might_alloc include/linux/sched/mm.h:317 [inline] slab_pre_alloc_hook mm/slub.c:4904 [inline] slab_alloc_node mm/slub.c:5239 [inline] kmem_cache_alloc_lru_noprof+0x5f/0x770 mm/slub.c:5282 alloc_inode+0xc3/0x240 fs/inode.c:348 iget_locked+0x1d9/0x6d0 fs/inode.c:1470 kernfs_get_inode+0x46/0x470 fs/kernfs/inode.c:253 kernfs_fill_super fs/kernfs/mount.c:308 [inline] kernfs_get_tree+0x62a/0xb60 fs/kernfs/mount.c:392 sysfs_get_tree+0x41/0x140 fs/sysfs/mount.c:31 vfs_get_tree+0x8e/0x330 fs/super.c:1751 fc_mount fs/namespace.c:1199 [inline] do_new_mount_fc fs/namespace.c:3636 [inline] do_new_mount fs/namespace.c:3712 [inline] path_mount+0x7bf/0x23a0 fs/namespace.c:4022 do_mount fs/namespace.c:4035 [inline] __do_sys_mount fs/namespace.c:4224 [inline] __se_sys_mount fs/namespace.c:4201 [inline] __x64_sys_mount+0x293/0x310 fs/namespace.c:4201 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #0 (&root->kernfs_rwsem){++++}-{4:4}: check_prev_add kernel/locking/lockdep.c:3165 [inline] check_prevs_add kernel/locking/lockdep.c:3284 [inline] validate_chain kernel/locking/lockdep.c:3908 [inline] __lock_acquire+0x1669/0x2890 kernel/locking/lockdep.c:5237 lock_acquire kernel/locking/lockdep.c:5868 [inline] lock_acquire+0x179/0x330 kernel/locking/lockdep.c:5825 down_read+0x9b/0x460 kernel/locking/rwsem.c:1537 kernfs_find_and_get_ns+0x2f/0x70 fs/kernfs/dir.c:938 kernfs_find_and_get include/linux/kernfs.h:612 [inline] sysfs_unmerge_group+0x61/0x170 fs/sysfs/group.c:405 dev_pm_qos_constraints_destroy+0x30/0x780 drivers/base/power/qos.c:260 dpm_sysfs_remove+0x70/0xb0 drivers/base/power/sysfs.c:831 device_del+0x1a0/0x9f0 drivers/base/core.c:3853 device_unregister+0x1d/0xe0 drivers/base/core.c:3919 hci_conn_del_sysfs+0xdd/0x1a0 net/bluetooth/hci_sysfs.c:79 hci_conn_cleanup net/bluetooth/hci_conn.c:173 [inline] hci_conn_del+0x680/0x11d0 net/bluetooth/hci_conn.c:1234 hci_abort_conn_sync+0x76a/0xb20 net/bluetooth/hci_sync.c:5721 abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2962 hci_cmd_sync_work+0x1ab/0x470 net/bluetooth/hci_sync.c:332 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 other info that might help us debug this: Chain exists of: &root->kernfs_rwsem --> cpuhp_state-down --> dev_pm_qos_sysfs_mtx Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(dev_pm_qos_sysfs_mtx); lock(cpuhp_state-down); lock(dev_pm_qos_sysfs_mtx); rlock(&root->kernfs_rwsem); *** DEADLOCK *** 5 locks held by kworker/u9:1/19169: #0: ffff8880340a9948 ((wq_completion)hci1){+.+.}-{0:0}, at: process_one_work+0x128d/0x1b20 kernel/workqueue.c:3232 #1: ffffc9000459fc90 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x914/0x1b20 kernel/workqueue.c:3233 #2: ffff888076df4ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x175/0x470 net/bluetooth/hci_sync.c:331 #3: ffff888076df40c0 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x13f/0xb20 net/bluetooth/hci_sync.c:5702 #4: ffffffff8f2d0e08 (dev_pm_qos_sysfs_mtx){+.+.}-{4:4}, at: dev_pm_qos_constraints_destroy+0x28/0x780 drivers/base/power/qos.c:254 stack backtrace: CPU: 0 UID: 0 PID: 19169 Comm: kworker/u9:1 Tainted: G L syzkaller #0 PREEMPT(full) Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: hci1 hci_cmd_sync_work Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_circular_bug+0x275/0x340 kernel/locking/lockdep.c:2043 check_noncircular+0x146/0x160 kernel/locking/lockdep.c:2175 check_prev_add kernel/locking/lockdep.c:3165 [inline] check_prevs_add kernel/locking/lockdep.c:3284 [inline] validate_chain kernel/locking/lockdep.c:3908 [inline] __lock_acquire+0x1669/0x2890 kernel/locking/lockdep.c:5237 lock_acquire kernel/locking/lockdep.c:5868 [inline] lock_acquire+0x179/0x330 kernel/locking/lockdep.c:5825 down_read+0x9b/0x460 kernel/locking/rwsem.c:1537 kernfs_find_and_get_ns+0x2f/0x70 fs/kernfs/dir.c:938 kernfs_find_and_get include/linux/kernfs.h:612 [inline] sysfs_unmerge_group+0x61/0x170 fs/sysfs/group.c:405 dev_pm_qos_constraints_destroy+0x30/0x780 drivers/base/power/qos.c:260 dpm_sysfs_remove+0x70/0xb0 drivers/base/power/sysfs.c:831 device_del+0x1a0/0x9f0 drivers/base/core.c:3853 device_unregister+0x1d/0xe0 drivers/base/core.c:3919 hci_conn_del_sysfs+0xdd/0x1a0 net/bluetooth/hci_sysfs.c:79 hci_conn_cleanup net/bluetooth/hci_conn.c:173 [inline] hci_conn_del+0x680/0x11d0 net/bluetooth/hci_conn.c:1234 hci_abort_conn_sync+0x76a/0xb20 net/bluetooth/hci_sync.c:5721 abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2962 hci_cmd_sync_work+0x1ab/0x470 net/bluetooth/hci_sync.c:332 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 --- This report is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkaller@googlegroups.com. syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot. If the report is already addressed, let syzbot know by replying with: #syz fix: exact-commit-title If you want to overwrite report's subsystems, reply with: #syz set subsystems: new-subsystem (See the list of subsystem names on the web dashboard) If the report is a duplicate of another one, reply with: #syz dup: exact-subject-of-another-report If you want to undo deduplication, reply with: #syz undup