[syzbot] [wireless?] WARNING in rfkill_unregister

[syzbot] [wireless?] WARNING in rfkill_unregister

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    c53f467229a7 Merge tag 'scsi-fixes' of git://git.kernel.or..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16e65b92580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1f2b6fe1fdf1a00b
dashboard link: https://syzkaller.appspot.com/bug?extid=16210d09509730207241
compiler:       Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d09cbe6bb078/disk-c53f4672.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/83e2a6822b1d/vmlinux-c53f4672.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9eff6dd4ff63/bzImage-c53f4672.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+16210d09509730207241@syzkaller.appspotmail.com

------------[ cut here ]------------
rtmutex deadlock detected
WARNING: kernel/locking/rtmutex.c:1674 at rt_mutex_handle_deadlock+0x21/0xb0 kernel/locking/rtmutex.c:1674, CPU#0: syz.7.2908/15923
Modules linked in:
CPU: 0 UID: 0 PID: 15923 Comm: syz.7.2908 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:rt_mutex_handle_deadlock+0x21/0xb0 kernel/locking/rtmutex.c:1674
Code: 90 90 90 90 90 90 90 90 90 41 57 41 56 41 55 41 54 53 83 ff dd 0f 85 86 00 00 00 48 89 f7 e8 a6 39 01 00 48 8d 3d af 7c 0a 04 <67> 48 0f b9 3a 4c 8d 3d 00 00 00 00 65 48 8b 1c 25 08 10 b3 91 4c
RSP: 0018:ffffc90004617710 EFLAGS: 00010286
RAX: 0000000080000000 RBX: ffffc900046177a0 RCX: 0000000000000000
RDX: 0000000000000006 RSI: ffffffff8ce0bbf9 RDI: ffffffff8ede5760
RBP: ffffc900046178c0 R08: ffffffff8edb3477 R09: 1ffffffff1db668e
R10: dffffc0000000000 R11: fffffbfff1db668f R12: 1ffff920008c2ef0
R13: ffffffff8ad3d599 R14: ffffffff8eb910e0 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff888126cef000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056422df5abe0 CR3: 000000005929c000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __rt_mutex_slowlock kernel/locking/rtmutex.c:1734 [inline]
 __rt_mutex_slowlock_locked kernel/locking/rtmutex.c:1760 [inline]
 rt_mutex_slowlock+0x666/0x6b0 kernel/locking/rtmutex.c:1800
 __rt_mutex_lock kernel/locking/rtmutex.c:1815 [inline]
 __mutex_lock_common kernel/locking/rtmutex_api.c:534 [inline]
 mutex_lock_nested+0x16a/0x1d0 kernel/locking/rtmutex_api.c:552
 rfkill_unregister+0xd1/0x230 net/rfkill/core.c:1145
 nfc_unregister_device+0x96/0x300 net/nfc/core.c:1167
 virtual_ncidev_close+0x59/0x90 drivers/nfc/virtual_ncidev.c:172
 __fput+0x45b/0xa80 fs/file_table.c:468
 task_work_run+0x1d4/0x260 kernel/task_work.c:233
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x694/0x22f0 kernel/exit.c:971
 do_group_exit+0x21c/0x2d0 kernel/exit.c:1112
 get_signal+0x125d/0x1310 kernel/signal.c:3034
 arch_do_signal_or_restart+0x9a/0x7a0 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:41 [inline]
 exit_to_user_mode_loop+0x87/0x4e0 kernel/entry/common.c:75
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
 do_syscall_64+0x2b7/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2e7f9af749
Code: Unable to access opcode bytes at 0x7f2e7f9af71f.
RSP: 002b:00007f2e7dc0e038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: 0000000000000008 RBX: 00007f2e7fc05fa0 RCX: 00007f2e7f9af749
RDX: 0000000000000002 RSI: 0000200000000500 RDI: ffffffffffffff9c
RBP: 00007f2e7fa33f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f2e7fc06038 R14: 00007f2e7fc05fa0 R15: 00007fff5a2e50f8
 </TASK>
----------------
Code disassembly (best guess):
   0:	90                   	nop
   1:	90                   	nop
   2:	90                   	nop
   3:	90                   	nop
   4:	90                   	nop
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	90                   	nop
   9:	41 57                	push   %r15
   b:	41 56                	push   %r14
   d:	41 55                	push   %r13
   f:	41 54                	push   %r12
  11:	53                   	push   %rbx
  12:	83 ff dd             	cmp    $0xffffffdd,%edi
  15:	0f 85 86 00 00 00    	jne    0xa1
  1b:	48 89 f7             	mov    %rsi,%rdi
  1e:	e8 a6 39 01 00       	call   0x139c9
  23:	48 8d 3d af 7c 0a 04 	lea    0x40a7caf(%rip),%rdi        # 0x40a7cd9
* 2a:	67 48 0f b9 3a       	ud1    (%edx),%rdi <-- trapping instruction
  2f:	4c 8d 3d 00 00 00 00 	lea    0x0(%rip),%r15        # 0x36
  36:	65 48 8b 1c 25 08 10 	mov    %gs:0xffffffff91b31008,%rbx
  3d:	b3 91
  3f:	4c                   	rex.WR


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [wireless?] WARNING in rfkill_unregister

[Johannes Berg]

Hi,

> ------------[ cut here ]------------
> rtmutex deadlock detected
> WARNING: kernel/locking/rtmutex.c:1674 at rt_mutex_handle_deadlock+0x21/0xb0 kernel/locking/rtmutex.c:1674, CPU#0: syz.7.2908/15923
> Modules linked in:
> CPU: 0 UID: 0 PID: 15923 Comm: syz.7.2908 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
> RIP: 0010:rt_mutex_handle_deadlock+0x21/0xb0 kernel/locking/rtmutex.c:1674
> Code: 90 90 90 90 90 90 90 90 90 41 57 41 56 41 55 41 54 53 83 ff dd 0f 85 86 00 00 00 48 89 f7 e8 a6 39 01 00 48 8d 3d af 7c 0a 04 <67> 48 0f b9 3a 4c 8d 3d 00 00 00 00 65 48 8b 1c 25 08 10 b3 91 4c
> RSP: 0018:ffffc90004617710 EFLAGS: 00010286
> RAX: 0000000080000000 RBX: ffffc900046177a0 RCX: 0000000000000000
> RDX: 0000000000000006 RSI: ffffffff8ce0bbf9 RDI: ffffffff8ede5760
> RBP: ffffc900046178c0 R08: ffffffff8edb3477 R09: 1ffffffff1db668e
> R10: dffffc0000000000 R11: fffffbfff1db668f R12: 1ffff920008c2ef0
> R13: ffffffff8ad3d599 R14: ffffffff8eb910e0 R15: dffffc0000000000
> FS:  0000000000000000(0000) GS:ffff888126cef000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 000056422df5abe0 CR3: 000000005929c000 CR4: 00000000003526f0
> Call Trace:
>  <TASK>
>  __rt_mutex_slowlock kernel/locking/rtmutex.c:1734 [inline]
>  __rt_mutex_slowlock_locked kernel/locking/rtmutex.c:1760 [inline]
>  rt_mutex_slowlock+0x666/0x6b0 kernel/locking/rtmutex.c:1800
>  __rt_mutex_lock kernel/locking/rtmutex.c:1815 [inline]
>  __mutex_lock_common kernel/locking/rtmutex_api.c:534 [inline]
>  mutex_lock_nested+0x16a/0x1d0 kernel/locking/rtmutex_api.c:552
>  rfkill_unregister+0xd1/0x230 net/rfkill/core.c:1145
>  nfc_unregister_device+0x96/0x300 net/nfc/core.c:1167
>  virtual_ncidev_close+0x59/0x90 drivers/nfc/virtual_ncidev.c:172

NFC has been issues with this for *years*. Technically, Krzysztof is
listed as a maintainer but I suspect that's mostly dead.

Is there a way you could route rfkill issues to NFC (and have them
ignored there) if NFC is involved?

Clearly they're not useful if nobody is interested in fixing NFC, so
maybe we should just disable the virtual NFC driver completely and just
not have syzbot run on anything there...

If this email doesn't wake anyone up, I'll do that on the next syzbot
rfkill vs. NFC report I get :)

johannes

Re: [syzbot] [wireless?] WARNING in rfkill_unregister

[Krzysztof Kozlowski]

On 01/01/2026 13:07, Johannes Berg wrote:
> Hi,
> 
>> ------------[ cut here ]------------
>> rtmutex deadlock detected
>> WARNING: kernel/locking/rtmutex.c:1674 at rt_mutex_handle_deadlock+0x21/0xb0 kernel/locking/rtmutex.c:1674, CPU#0: syz.7.2908/15923
>> Modules linked in:
>> CPU: 0 UID: 0 PID: 15923 Comm: syz.7.2908 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
>> RIP: 0010:rt_mutex_handle_deadlock+0x21/0xb0 kernel/locking/rtmutex.c:1674
>> Code: 90 90 90 90 90 90 90 90 90 41 57 41 56 41 55 41 54 53 83 ff dd 0f 85 86 00 00 00 48 89 f7 e8 a6 39 01 00 48 8d 3d af 7c 0a 04 <67> 48 0f b9 3a 4c 8d 3d 00 00 00 00 65 48 8b 1c 25 08 10 b3 91 4c
>> RSP: 0018:ffffc90004617710 EFLAGS: 00010286
>> RAX: 0000000080000000 RBX: ffffc900046177a0 RCX: 0000000000000000
>> RDX: 0000000000000006 RSI: ffffffff8ce0bbf9 RDI: ffffffff8ede5760
>> RBP: ffffc900046178c0 R08: ffffffff8edb3477 R09: 1ffffffff1db668e
>> R10: dffffc0000000000 R11: fffffbfff1db668f R12: 1ffff920008c2ef0
>> R13: ffffffff8ad3d599 R14: ffffffff8eb910e0 R15: dffffc0000000000
>> FS:  0000000000000000(0000) GS:ffff888126cef000(0000) knlGS:0000000000000000
>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 000056422df5abe0 CR3: 000000005929c000 CR4: 00000000003526f0
>> Call Trace:
>>  <TASK>
>>  __rt_mutex_slowlock kernel/locking/rtmutex.c:1734 [inline]
>>  __rt_mutex_slowlock_locked kernel/locking/rtmutex.c:1760 [inline]
>>  rt_mutex_slowlock+0x666/0x6b0 kernel/locking/rtmutex.c:1800
>>  __rt_mutex_lock kernel/locking/rtmutex.c:1815 [inline]
>>  __mutex_lock_common kernel/locking/rtmutex_api.c:534 [inline]
>>  mutex_lock_nested+0x16a/0x1d0 kernel/locking/rtmutex_api.c:552
>>  rfkill_unregister+0xd1/0x230 net/rfkill/core.c:1145
>>  nfc_unregister_device+0x96/0x300 net/nfc/core.c:1167
>>  virtual_ncidev_close+0x59/0x90 drivers/nfc/virtual_ncidev.c:172
> 
> NFC has been issues with this for *years*. Technically, Krzysztof is
> listed as a maintainer but I suspect that's mostly dead.

And I have little time nowadays to do any real maintenance. I am
thinking that NFC should be marked Odd Fixes.

> 
> Is there a way you could route rfkill issues to NFC (and have them
> ignored there) if NFC is involved?
> 
> Clearly they're not useful if nobody is interested in fixing NFC, so
> maybe we should just disable the virtual NFC driver completely and just
> not have syzbot run on anything there...

Great benefit of virtual NFC driver was to show how buggy the NFC stack
is :)

Best regards,
Krzysztof

Re: [syzbot] [wireless?] WARNING in rfkill_unregister

[Tetsuo Handa]

On 2026/01/01 21:07, Johannes Berg wrote:
> If this email doesn't wake anyone up, I'll do that on the next syzbot
> rfkill vs. NFC report I get :)

Is the next report https://syzkaller.appspot.com/bug?extid=ef8f802abdb9a32343fc ?

Obviously deadlocked (but lockdep cannot report due to dev->mutex being marked as novalidate).

INFO: task syz.4.1326:10654 blocked for more than 143 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.4.1326      state:D stack:27848 pid:10654 tgid:10645 ppid:5823   task_flags:0x400040 flags:0x00080002
Call Trace:
 context_switch kernel/sched/core.c:5256 [inline]
 __schedule+0x14bc/0x5000 kernel/sched/core.c:6863
 __schedule_loop kernel/sched/core.c:6945 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6960
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7017
 __mutex_lock_common kernel/locking/mutex.c:692 [inline]
 __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:776
 rfkill_unregister+0xc8/0x220 net/rfkill/core.c:1145
 nfc_unregister_device+0x96/0x300 net/nfc/core.c:1167
 virtual_ncidev_close+0x56/0x90 drivers/nfc/virtual_ncidev.c:172
 __fput+0x44c/0xa70 fs/file_table.c:468
 fput_close_sync+0x113/0x220 fs/file_table.c:573
 __do_sys_close fs/open.c:1573 [inline]
 __se_sys_close fs/open.c:1558 [inline]
 __x64_sys_close+0x7f/0x110 fs/open.c:1558
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
2 locks held by syz.4.1326/10654:
 #0: ffff888078c13100 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
 #0: ffff888078c13100 (&dev->mutex){....}-{4:4}, at: nfc_unregister_device+0x63/0x300 net/nfc/core.c:1165
 #1: ffffffff8f5fd668 (rfkill_global_mutex){+.+.}-{4:4}, at: rfkill_unregister+0xc8/0x220 net/rfkill/core.c:1145

INFO: task syz.3.1329:10652 blocked for more than 144 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.3.1329      state:D stack:26824 pid:10652 tgid:10651 ppid:5820   task_flags:0x400140 flags:0x00080002
Call Trace:
 context_switch kernel/sched/core.c:5256 [inline]
 __schedule+0x14bc/0x5000 kernel/sched/core.c:6863
 __schedule_loop kernel/sched/core.c:6945 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6960
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7017
 __mutex_lock_common kernel/locking/mutex.c:692 [inline]
 __mutex_lock+0x7e6/0x1350 kernel/locking/mutex.c:776
 device_lock include/linux/device.h:895 [inline]
 nfc_dev_down+0x3b/0x290 net/nfc/core.c:143
 nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179
 rfkill_set_block+0x1d2/0x440 net/rfkill/core.c:346
 rfkill_fop_write+0x44b/0x570 net/rfkill/core.c:1301
 vfs_write+0x27e/0xb30 fs/read_write.c:684
 ksys_write+0x145/0x250 fs/read_write.c:738
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
2 locks held by syz.3.1329/10652:
 #0: ffffffff8f5fd668 (rfkill_global_mutex){+.+.}-{4:4}, at: rfkill_fop_write+0x191/0x570 net/rfkill/core.c:1293
 #1: ffff888078c13100 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
 #1: ffff888078c13100 (&dev->mutex){....}-{4:4}, at: nfc_dev_down+0x3b/0x290 net/nfc/core.c:143

Re: [syzbot] [wireless?] WARNING in rfkill_unregister

[Johannes Berg]

On Fri, 2026-01-02 at 19:28 +0900, Tetsuo Handa wrote:
> On 2026/01/01 21:07, Johannes Berg wrote:
> > If this email doesn't wake anyone up, I'll do that on the next syzbot
> > rfkill vs. NFC report I get :)
> 
> Is the next report https://syzkaller.appspot.com/bug?extid=ef8f802abdb9a32343fc ?

Seems similar and related to the NFC locking issues. I guess I really
meant "the next email I get from syzbot" :)

johannes