program:
# Syzkaller reproducer, followed by the guest kernel console log.
# The log reports a lockdep "possible circular locking dependency" between
# &set->update_nr_hwq_lock, &disk->open_mutex and &nbd->config_lock.
# Lockdep flags an unsafe lock *ordering*; the console log continues after the
# splat, so this is a potential deadlock, not an observed hang.
# Chain entry #2 (close -> bdev_release -> nbd_release -> nbd_config_put taking
# &nbd->config_lock) has no explicit close() in this program; presumably it was
# recorded at fd teardown or by an earlier run -- confirm.
#
# The calls from here down to openat$loop_ctrl do not appear in any of the
# three stacks lockdep printed; presumably unrelated to the report.
listen(0xffffffffffffffff, 0x0)
r0 = gettid()
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
r1 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
openat$tun(0xffffffffffffff9c, 0x0, 0x0, 0x0)
perf_event_open(0x0, 0x0, 0x3, 0xffffffffffffffff, 0x1)
r2 = socket$kcm(0x10, 0x400000002, 0x0)
recvmsg$kcm(r2, &(0x7f0000006480)={0x0, 0x0, &(0x7f0000000440)=[{&(0x7f00000034c0)=""/4095, 0xfff}, {&(0x7f0000006280)=""/108, 0x6c}, {&(0x7f00000008c0)=""/200, 0xc8}, {&(0x7f00000024c0)=""/4096, 0x1000}, {&(0x7f0000000a00)=""/97, 0x61}, {&(0x7f0000000a80)=""/224, 0xe0}, {&(0x7f0000000b80)=""/80, 0x50}, {&(0x7f0000000180)=""/49, 0x31}], 0x8}, 0x0)
sendmsg$inet(r2, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)=[{&(0x7f0000000140)="1c0000005e007f029ea69801d76ab0a272a2a788bab6c95f79725074", 0x1c}], 0x1}, 0x0)
# r3: an nbd device handle, used only by the final NBD_SET_SIZE_BLOCKS call.
r3 = syz_open_dev$ndb(&(0x7f0000002080), 0x0, 0x80083)
# r4: the socket later handed to the nbd device via NBD_SET_SOCK.
r4 = socket(0x2, 0x2, 0x0)
r5 = openat$loop_ctrl(0xffffffffffffff9c, &(0x7f0000000000), 0x2001, 0x0)
ioctl$LOOP_CTL_ADD(r5, 0x4c80, 0xa)
# Loop-device removal. Chain entry #1 in the log was recorded on
# loop_control_ioctl -> loop_remove -> del_gendisk -> __del_gendisk, which takes
# &disk->open_mutex. The log does not say which LOOP_CTL_REMOVE call (or which
# earlier program) recorded it.
ioctl$LOOP_CTL_REMOVE(r5, 0x4c81, 0x0)
r6 = dup2(r5, r5)
r7 = socket$nl_generic(0x10, 0x3, 0x10)
r8 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000140), 0xffffffffffffffff)
sendmsg$NL80211_CMD_REQ_SET_REG(r7, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f00000000c0)=ANY=[@ANYBLOB="1c000000", @ANYRES16=r8, @ANYRES16=r1], 0x1c}, 0x1, 0x0, 0x0, 0x40080}, 0x4000)
r9 = ioctl$LOOP_CTL_GET_FREE(r6, 0x4c82)
mount_setattr(r6, &(0x7f0000000040)='./file0\x00', 0x0, &(0x7f0000000080)={0xc, 0x0, 0x60000, {r6}}, 0x20)
# Second loop-device removal, on the index returned by LOOP_CTL_GET_FREE.
ioctl$LOOP_CTL_REMOVE(r5, 0x4c81, r9)
r10 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x0)
# Attach socket r4 to nbd device r10 before starting it.
ioctl$NBD_SET_SOCK(r10, 0xab00, r4)
# The call in flight when lockdep fired: the register dump in the log shows an
# ioctl (ORIG_RAX 0x10) with RSI 0xab03, and the #0 stack runs
# nbd_ioctl -> nbd_start_device -> blk_mq_update_nr_hw_queues, which takes
# &set->update_nr_hwq_lock while &nbd->config_lock (taken at nbd_ioctl+0x131)
# is already held.
ioctl$NBD_DO_IT(r10, 0xab03)
ioctl$NBD_SET_SIZE_BLOCKS(r3, 0xab07, 0x6)
[ 67.652112][ T4685] Bluetooth: hci0: command tx timeout [ 67.877742][ T5336] [ 67.878865][ T5336] ====================================================== 
[ 67.882140][ T5336] WARNING: possible circular locking dependency detected [ 67.885306][ T5336] 6.16.0-rc6-syzkaller-00121-g6832a9317eee #0 Not tainted [ 67.888948][ T5336] ------------------------------------------------------ [ 67.892744][ T5336] syz.0.0/5336 is trying to acquire lock: [ 67.895672][ T5336] ffff88801c7cb988 (&set->update_nr_hwq_lock){++++}-{4:4}, at: blk_mq_update_nr_hw_queues+0x3b/0x14c0 [ 67.900466][ T5336] [ 67.900466][ T5336] but task is already holding lock: [ 67.903795][ T5336] ffff88801c7cba30 (&nbd->config_lock){+.+.}-{4:4}, at: nbd_ioctl+0x131/0xeb0 [ 67.907953][ T5336] [ 67.907953][ T5336] which lock already depends on the new lock. [ 67.907953][ T5336] [ 67.912565][ T5336] [ 67.912565][ T5336] the existing dependency chain (in reverse order) is: [ 67.916638][ T5336] [ 67.916638][ T5336] -> #2 (&nbd->config_lock){+.+.}-{4:4}: [ 67.919886][ T5336] lock_acquire+0x120/0x360 [ 67.922010][ T5336] __mutex_lock+0x182/0xe80 [ 67.924264][ T5336] refcount_dec_and_mutex_lock+0x30/0xa0 [ 67.927199][ T5336] nbd_config_put+0x2c/0x790 [ 67.929667][ T5336] nbd_release+0xfe/0x140 [ 67.931856][ T5336] bdev_release+0x536/0x650 [ 67.934139][ T5336] blkdev_release+0x15/0x20 [ 67.936271][ T5336] __fput+0x44c/0xa70 [ 67.938275][ T5336] fput_close_sync+0x119/0x200 [ 67.940501][ T5336] __x64_sys_close+0x7f/0x110 [ 67.942723][ T5336] do_syscall_64+0xfa/0x3b0 [ 67.944813][ T5336] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 67.947521][ T5336] [ 67.947521][ T5336] -> #1 (&disk->open_mutex){+.+.}-{4:4}: [ 67.950750][ T5336] lock_acquire+0x120/0x360 [ 67.952825][ T5336] __mutex_lock+0x182/0xe80 [ 67.954890][ T5336] __del_gendisk+0x129/0x9e0 [ 67.957073][ T5336] del_gendisk+0xe8/0x160 [ 67.959315][ T5336] loop_remove+0x42/0xc0 [ 67.961568][ T5336] loop_control_ioctl+0x4ac/0x5a0 [ 67.963702][ T5336] __se_sys_ioctl+0xf9/0x170 [ 67.966073][ T5336] do_syscall_64+0xfa/0x3b0 [ 67.968341][ T5336] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 67.971342][ T5336] [ 67.971342][ 
T5336] -> #0 (&set->update_nr_hwq_lock){++++}-{4:4}: [ 67.976009][ T5336] validate_chain+0xb9b/0x2140 [ 67.978364][ T5336] __lock_acquire+0xab9/0xd20 [ 67.980602][ T5336] lock_acquire+0x120/0x360 [ 67.982860][ T5336] down_write+0x96/0x1f0 [ 67.984861][ T5336] blk_mq_update_nr_hw_queues+0x3b/0x14c0 [ 67.987396][ T5336] nbd_start_device+0x16c/0xac0 [ 67.989552][ T5336] nbd_ioctl+0x636/0xeb0 [ 67.991610][ T5336] blkdev_ioctl+0x5a8/0x6d0 [ 67.993811][ T5336] __se_sys_ioctl+0xf9/0x170 [ 67.995823][ T5336] do_syscall_64+0xfa/0x3b0 [ 67.997713][ T5336] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 68.000170][ T5336] [ 68.000170][ T5336] other info that might help us debug this: [ 68.000170][ T5336] [ 68.003962][ T5336] Chain exists of: [ 68.003962][ T5336] &set->update_nr_hwq_lock --> &disk->open_mutex --> &nbd->config_lock [ 68.003962][ T5336] [ 68.009600][ T5336] Possible unsafe locking scenario: [ 68.009600][ T5336] [ 68.012641][ T5336] CPU0 CPU1 [ 68.014594][ T5336] ---- ---- [ 68.016577][ T5336] lock(&nbd->config_lock); [ 68.018472][ T5336] lock(&disk->open_mutex); [ 68.021180][ T5336] lock(&nbd->config_lock); [ 68.024149][ T5336] lock(&set->update_nr_hwq_lock); [ 68.026478][ T5336] [ 68.026478][ T5336] *** DEADLOCK *** [ 68.026478][ T5336] [ 68.030006][ T5336] 1 lock held by syz.0.0/5336: [ 68.032230][ T5336] #0: ffff88801c7cba30 (&nbd->config_lock){+.+.}-{4:4}, at: nbd_ioctl+0x131/0xeb0 [ 68.036088][ T5336] [ 68.036088][ T5336] stack backtrace: [ 68.038730][ T5336] CPU: 0 UID: 0 PID: 5336 Comm: syz.0.0 Not tainted 6.16.0-rc6-syzkaller-00121-g6832a9317eee #0 PREEMPT(full) [ 68.038741][ T5336] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 68.038746][ T5336] Call Trace: [ 68.038752][ T5336] [ 68.038756][ T5336] dump_stack_lvl+0x189/0x250 [ 68.038770][ T5336] ? __pfx_dump_stack_lvl+0x10/0x10 [ 68.038778][ T5336] ? __pfx__printk+0x10/0x10 [ 68.038789][ T5336] ? 
print_lock_name+0xde/0x100 [ 68.038798][ T5336] print_circular_bug+0x2ee/0x310 [ 68.038810][ T5336] check_noncircular+0x134/0x160 [ 68.038820][ T5336] validate_chain+0xb9b/0x2140 [ 68.038829][ T5336] ? stack_depot_save_flags+0x40/0x900 [ 68.038843][ T5336] __lock_acquire+0xab9/0xd20 [ 68.038851][ T5336] ? blk_mq_update_nr_hw_queues+0x3b/0x14c0 [ 68.038860][ T5336] lock_acquire+0x120/0x360 [ 68.038868][ T5336] ? blk_mq_update_nr_hw_queues+0x3b/0x14c0 [ 68.038881][ T5336] ? __mutex_trylock_common+0x153/0x260 [ 68.038890][ T5336] down_write+0x96/0x1f0 [ 68.038903][ T5336] ? blk_mq_update_nr_hw_queues+0x3b/0x14c0 [ 68.038912][ T5336] ? __pfx_down_write+0x10/0x10 [ 68.038919][ T5336] ? rcu_is_watching+0x15/0xb0 [ 68.038927][ T5336] ? trace_contention_end+0x39/0x120 [ 68.038934][ T5336] ? __mutex_lock+0x330/0xe80 [ 68.038941][ T5336] blk_mq_update_nr_hw_queues+0x3b/0x14c0 [ 68.038948][ T5336] ? blkdev_common_ioctl+0xfc3/0x2450 [ 68.038955][ T5336] ? __pfx_aa_get_newest_label+0x10/0x10 [ 68.038965][ T5336] ? nbd_ioctl+0x131/0xeb0 [ 68.038973][ T5336] ? __pfx___mutex_lock+0x10/0x10 [ 68.038980][ T5336] nbd_start_device+0x16c/0xac0 [ 68.038988][ T5336] ? security_capable+0x7e/0x2e0 [ 68.038997][ T5336] nbd_ioctl+0x636/0xeb0 [ 68.039005][ T5336] ? __pfx_nbd_ioctl+0x10/0x10 [ 68.039013][ T5336] ? __pfx_nbd_ioctl+0x10/0x10 [ 68.039020][ T5336] blkdev_ioctl+0x5a8/0x6d0 [ 68.039026][ T5336] ? __pfx_blkdev_ioctl+0x10/0x10 [ 68.039032][ T5336] ? __fget_files+0x2a/0x420 [ 68.039041][ T5336] ? bpf_lsm_file_ioctl+0x9/0x20 [ 68.039048][ T5336] ? __pfx_blkdev_ioctl+0x10/0x10 [ 68.039054][ T5336] __se_sys_ioctl+0xf9/0x170 [ 68.039061][ T5336] do_syscall_64+0xfa/0x3b0 [ 68.039068][ T5336] ? lockdep_hardirqs_on+0x9c/0x150 [ 68.039073][ T5336] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 68.039080][ T5336] ? 
clear_bhb_loop+0x60/0xb0 [ 68.039087][ T5336] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 68.039093][ T5336] RIP: 0033:0x7fa5c9d8e9a9 [ 68.039102][ T5336] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 68.039107][ T5336] RSP: 002b:00007fa5cac1e038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 68.039115][ T5336] RAX: ffffffffffffffda RBX: 00007fa5c9fb5fa0 RCX: 00007fa5c9d8e9a9 [ 68.039121][ T5336] RDX: 0000000000000000 RSI: 000000000000ab03 RDI: 0000000000000009 [ 68.039126][ T5336] RBP: 00007fa5c9e10ca1 R08: 0000000000000000 R09: 0000000000000000 [ 68.039130][ T5336] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 68.039134][ T5336] R13: 0000000000000000 R14: 00007fa5c9fb5fa0 R15: 00007fff3753a6a8 [ 68.039140][ T5336] [ 68.213303][ T5336] block nbd0: shutting down sockets [ 68.262916][ T5337] nbd0: detected capacity change from 0 to 12 [ 68.268453][ T5310] I/O error, dev nbd0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0 [ 68.272550][ T5310] Buffer I/O error on dev nbd0, logical block 0, async page read [ 68.277186][ T5310] I/O error, dev nbd0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0 [ 68.281098][ T5310] Buffer I/O error on dev nbd0, logical block 0, async page read [ 68.285550][ T5310] I/O error, dev nbd0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0 [ 68.289701][ T5310] Buffer I/O error on dev nbd0, logical block 0, async page read [ 68.294289][ T5310] I/O error, dev nbd0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0 [ 68.298451][ T5310] Buffer I/O error on dev nbd0, logical block 0, async page read [ 68.302093][ T5310] I/O error, dev nbd0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0 [ 68.306761][ T5310] Buffer I/O error on dev nbd0, logical block 0, async page read [ 68.310731][ T5310] I/O error, dev nbd0, sector 0 op 
0x0:(READ) flags 0x0 phys_seg 1 prio class 0 [ 68.315113][ T5310] Buffer I/O error on dev nbd0, logical block 0, async page read [ 68.318642][ T5310] I/O error, dev nbd0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0 [ 68.323166][ T5310] Buffer I/O error on dev nbd0, logical block 0, async page read [ 68.327084][ T5310] I/O error, dev nbd0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0 [ 68.331076][ T5310] Buffer I/O error on dev nbd0, logical block 0, async page read [ 68.335074][ T5310] ldm_validate_partition_table(): Disk read failed. [ 68.338410][ T5310] I/O error, dev nbd0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0 [ 68.342508][ T5310] Buffer I/O error on dev nbd0, logical block 0, async page read [ 68.346881][ T5310] I/O error, dev nbd0, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0 [ 68.350593][ T5310] Buffer I/O error on dev nbd0, logical block 0, async page read [ 68.354304][ T5310] Dev nbd0: unable to read RDB block 0 [ 68.356855][ T5310] nbd0: unable to read partition table [ 68.359377][ T5310] nbd0: partition table beyond EOD, truncated [ 68.375031][ T5310] ldm_validate_partition_table(): Disk read failed. [ 68.378375][ T5310] Dev nbd0: unable to read RDB block 0 [ 68.380995][ T5310] nbd0: unable to read partition table