program: openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0) syz_usb_connect(0x2, 0x36, &(0x7f00000000c0)=ANY=[@ANYBLOB="120100008010bd40820514009dbb000000010902"], 0x0) r0 = syz_open_dev$usbfs(&(0x7f0000000180), 0x10000001d, 0x8041) ioctl$USBDEVFS_FREE_STREAMS(r0, 0x8008551d, &(0x7f0000000000)={0x8ee, 0x1, [{0x0, 0x1}]}) syz_init_net_socket$bt_hci(0x1f, 0x3, 0x1) r1 = bpf$MAP_CREATE_TAIL_CALL(0x0, &(0x7f0000000540)=ANY=[@ANYBLOB="1200000004000000040000000a0000f900000000", @ANYRES32=0x0, @ANYBLOB='\x00'/20, @ANYRES32=0x0, @ANYRES32=0x0, @ANYBLOB='\x00'/28], 0x48) r2 = socket$inet6_udplite(0xa, 0x2, 0x88) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000100)={r1, &(0x7f0000000040), &(0x7f00000000c0)=@udp6=r2, 0x2}, 0x20) fanotify_init(0x0, 0x0) perf_event_open(&(0x7f0000000040)={0x2, 0x80, 0xd3, 0x1, 0x0, 0x0, 0x0, 0x0, 0x1400, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10000, 0x5, @perf_config_ext={0xff, 0x7}, 0x104101, 0x184, 0x7, 0x9, 0x0, 0x0, 0x1, 0x0, 0x0, 0x0, 0xec2}, 0x0, 0x0, 0xffffffffffffffff, 0x0) set_mempolicy(0x2, &(0x7f0000000140)=0x8001, 0x2) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x300000e, 0x20c44fb6edc09a38, 0xffffffffffffffff, 0x0) openat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x105042, 0x1ff) socket$nl_netfilter(0x10, 0x3, 0xc) openat$tun(0xffffffffffffff9c, &(0x7f0000000140), 0x40841, 0x0) socket$kcm(0x2, 0xa, 0x2) socket$unix(0x1, 0x1, 0x0) clock_gettime(0xffffffc3, 0x0) r3 = openat$dsp1(0xffffffffffffff9c, &(0x7f0000000140), 0x8481, 0x0) ioctl$SNDCTL_DSP_SUBDIVIDE(r3, 0xc0045009, &(0x7f0000000000)=0x4ed) r4 = syz_open_dev$loop(&(0x7f0000000040), 0x0, 0x0) r5 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000000)='blkio.bfq.io_merged\x00', 0x275a, 0x0) ioctl$LOOP_CONFIGURE(r4, 0x4c0a, &(0x7f00000002c0)={r5, 0x0, {0x2a00, 0x80010000, 0x0, 0x1, 0x2, 0x0, 0x0, 0x13, 0x14, "1271a2ab78fce00d9668dda1af1ea89d62b7080a01000000000300008a03000000000000000000ffffff7f00", "2809e8dbe108598948224ad54afac11d875397bdb22d0000b420a1a93c5240f45f819e01177d3d458dd4992861ac00", "90be8b1c551265406c7f306003d8a0f4bd00", [0x0, 0x4]}}) openat$procfs(0xffffffffffffff9c, &(0x7f0000000240)='/proc/crypto\x00', 0x0, 0x0) r6 = openat$khugepaged_scan(0xffffffffffffff9c, &(0x7f00000000c0), 0x1, 0x0) ioctl$LOOP_CHANGE_FD(r4, 0x4c06, r6) ioctl$KVM_CREATE_VCPU(0xffffffffffffffff, 0xae41, 0x0) r7 = openat$cdrom(0xffffffffffffff9c, &(0x7f0000000180), 0x408000, 0x0) ftruncate(r7, 0x4c8000) ioctl$KVM_SET_MSRS(0xffffffffffffffff, 0xc008ae88, &(0x7f0000000200)={0x2, 0x0, [{0x3f8, 0x0, 0x5}, {0x937, 0x0, 0x2}]}) [ 68.537177][ T5295] Bluetooth: hci0: command tx timeout [ 68.859543][ T10] usb 5-1: new full-speed USB device number 2 using dummy_hcd [ 69.012572][ T10] usb 5-1: config 0 has no interfaces? [ 69.014924][ T10] usb 5-1: New USB device found, idVendor=0582, idProduct=0014, bcdDevice=bb.9d [ 69.018764][ T10] usb 5-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 69.047522][ T10] usb 5-1: config 0 descriptor?? [ 69.269528][ T5309] UDPLite6: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 69.432776][ T5310] syz.0.0 uses obsolete (PF_INET,SOCK_PACKET) [ 69.513825][ T5310] [ 69.515040][ T5310] ====================================================== [ 69.518133][ T5310] WARNING: possible circular locking dependency detected [ 69.541342][ T5310] 6.15.0-rc4-syzkaller-00051-g7a13c14ee59d #0 Not tainted [ 69.544470][ T5310] ------------------------------------------------------ [ 69.547349][ T5310] syz.0.0/5310 is trying to acquire lock: [ 69.571973][ T5310] ffff88803042c9e0 (&root->kernfs_iattr_rwsem){++++}-{4:4}, at: kernfs_iop_getattr+0xb3/0x500 [ 69.576641][ T5310] [ 69.576641][ T5310] but task is already holding lock: [ 69.579762][ T5310] ffff888000fc9de8 (&q->q_usage_counter(io)#17){++++}-{0:0}, at: lo_ioctl+0x1c22/0x22e0 [ 69.584592][ T5310] [ 69.584592][ T5310] which lock already depends on the new lock. [ 69.584592][ T5310] [ 69.603251][ T5310] [ 69.603251][ T5310] the existing dependency chain (in reverse order) is: [ 69.607891][ T5310] [ 69.607891][ T5310] -> #3 (&q->q_usage_counter(io)#17){++++}-{0:0}: [ 69.613942][ T5310] lock_acquire+0x120/0x360 [ 69.622226][ T5310] blk_alloc_queue+0x538/0x620 [ 69.624860][ T5310] __blk_mq_alloc_disk+0x164/0x350 [ 69.627659][ T5310] loop_add+0x41d/0xae0 [ 69.647104][ T5310] loop_init+0x173/0x230 [ 69.650798][ T5310] do_one_initcall+0x233/0x820 [ 69.654862][ T5310] do_initcall_level+0x137/0x1f0 [ 69.658532][ T5310] do_initcalls+0x69/0xd0 [ 69.671040][ T5310] kernel_init_freeable+0x3d9/0x570 [ 69.674137][ T5310] kernel_init+0x1d/0x1d0 [ 69.676584][ T5310] ret_from_fork+0x4b/0x80 [ 69.678993][ T5310] ret_from_fork_asm+0x1a/0x30 [ 69.691306][ T5310] [ 69.691306][ T5310] -> #2 (fs_reclaim){+.+.}-{0:0}: [ 69.695564][ T5310] lock_acquire+0x120/0x360 [ 69.698174][ T5310] fs_reclaim_acquire+0x72/0x100 [ 69.710790][ T5310] kmem_cache_alloc_noprof+0x44/0x3c0 [ 69.713966][ T5310] __kernfs_iattrs+0x93/0x280 [ 69.716646][ T5310] kernfs_iop_setattr+0xea/0x3f0 [ 69.719758][ T5310] notify_change+0xb33/0xe40 [ 69.731011][ T5310] do_truncate+0x19a/0x220 [ 69.733428][ T5310] path_openat+0x306c/0x3830 [ 69.736420][ T5310] do_filp_open+0x1fa/0x410 [ 69.738944][ T5310] do_sys_openat2+0x121/0x1c0 [ 69.751693][ T5310] __x64_sys_openat+0x138/0x170 [ 69.755234][ T5310] do_syscall_64+0xf6/0x210 [ 69.757579][ T5310] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 69.761336][ T5310] [ 69.761336][ T5310] -> #1 (iattr_mutex){+.+.}-{4:4}: [ 69.773551][ T5310] lock_acquire+0x120/0x360 [ 69.776028][ T5310] __mutex_lock+0x182/0xe80 [ 69.778381][ T5310] __kernfs_iattrs+0x2a/0x280 [ 69.791098][ T5310] kernfs_iop_setattr+0xea/0x3f0 [ 69.794685][ T5310] notify_change+0xb33/0xe40 [ 69.797181][ T5310] do_truncate+0x19a/0x220 [ 69.800898][ T5310] path_openat+0x306c/0x3830 [ 69.812504][ T5310] do_filp_open+0x1fa/0x410 [ 69.814810][ T5310] do_sys_openat2+0x121/0x1c0 [ 69.817186][ T5310] __x64_sys_openat+0x138/0x170 [ 69.819728][ T5310] do_syscall_64+0xf6/0x210 [ 69.834206][ T5310] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 69.837124][ T5310] [ 69.837124][ T5310] -> #0 (&root->kernfs_iattr_rwsem){++++}-{4:4}: [ 69.841013][ T5310] validate_chain+0xb9b/0x2140 [ 69.843326][ T5310] __lock_acquire+0xaac/0xd20 [ 69.845778][ T5310] lock_acquire+0x120/0x360 [ 69.848252][ T5310] down_read+0x46/0x2e0 [ 69.860816][ T5310] kernfs_iop_getattr+0xb3/0x500 [ 69.863534][ T5310] vfs_getattr_nosec+0x2de/0x430 [ 69.866074][ T5310] loop_assign_backing_file+0x227/0x410 [ 69.873158][ T5310] lo_ioctl+0x1c94/0x22e0 [ 69.882164][ T5310] blkdev_ioctl+0x5a5/0x6d0 [ 69.884213][ T5310] __se_sys_ioctl+0xf9/0x170 [ 69.892478][ T5310] do_syscall_64+0xf6/0x210 [ 69.895142][ T5310] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 69.902904][ T5310] [ 69.902904][ T5310] other info that might help us debug this: [ 69.902904][ T5310] [ 69.907575][ T5310] Chain exists of: [ 69.907575][ T5310] &root->kernfs_iattr_rwsem --> fs_reclaim --> &q->q_usage_counter(io)#17 [ 69.907575][ T5310] [ 69.924233][ T5310] Possible unsafe locking scenario: [ 69.924233][ T5310] [ 69.928193][ T5310] CPU0 CPU1 [ 69.941003][ T5310] ---- ---- [ 69.943300][ T5310] lock(&q->q_usage_counter(io)#17); [ 69.945681][ T5310] lock(fs_reclaim); [ 69.956343][ T5310] lock(&q->q_usage_counter(io)#17); [ 69.972918][ T5310] rlock(&root->kernfs_iattr_rwsem); [ 69.975304][ T5310] [ 69.975304][ T5310] *** DEADLOCK *** [ 69.975304][ T5310] [ 69.979009][ T5310] 3 locks held by syz.0.0/5310: [ 69.982250][ T5310] #0: ffff88803403bb68 (&lo->lo_mutex){+.+.}-{4:4}, at: lo_ioctl+0xef0/0x22e0 [ 69.991220][ T5310] #1: ffff888000fc9de8 (&q->q_usage_counter(io)#17){++++}-{0:0}, at: lo_ioctl+0x1c22/0x22e0 [ 70.001625][ T5310] #2: ffff888000fc9e20 (&q->q_usage_counter(queue)#20){+.+.}-{0:0}, at: lo_ioctl+0x1c22/0x22e0 [ 70.012153][ T5310] [ 70.012153][ T5310] stack backtrace: [ 70.014538][ T5310] CPU: 0 UID: 0 PID: 5310 Comm: syz.0.0 Not tainted 6.15.0-rc4-syzkaller-00051-g7a13c14ee59d #0 PREEMPT(full) [ 70.014555][ T5310] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 70.014563][ T5310] Call Trace: [ 70.014571][ T5310] [ 70.014577][ T5310] dump_stack_lvl+0x189/0x250 [ 70.014599][ T5310] ? __pfx_dump_stack_lvl+0x10/0x10 [ 70.014615][ T5310] ? __pfx__printk+0x10/0x10 [ 70.014626][ T5310] ? print_lock_name+0xde/0x100 [ 70.014642][ T5310] print_circular_bug+0x2ee/0x310 [ 70.014653][ T5310] check_noncircular+0x134/0x160 [ 70.014665][ T5310] validate_chain+0xb9b/0x2140 [ 70.014680][ T5310] __lock_acquire+0xaac/0xd20 [ 70.014696][ T5310] ? kernfs_iop_getattr+0xb3/0x500 [ 70.014711][ T5310] lock_acquire+0x120/0x360 [ 70.014725][ T5310] ? kernfs_iop_getattr+0xb3/0x500 [ 70.014740][ T5310] down_read+0x46/0x2e0 [ 70.014751][ T5310] ? kernfs_iop_getattr+0xb3/0x500 [ 70.014763][ T5310] kernfs_iop_getattr+0xb3/0x500 [ 70.014775][ T5310] vfs_getattr_nosec+0x2de/0x430 [ 70.014790][ T5310] loop_assign_backing_file+0x227/0x410 [ 70.014805][ T5310] ? __pfx_loop_assign_backing_file+0x10/0x10 [ 70.014818][ T5310] ? schedule+0x91/0x360 [ 70.014829][ T5310] ? percpu_ref_kill_and_confirm+0xa3/0x130 [ 70.014842][ T5310] lo_ioctl+0x1c94/0x22e0 [ 70.014855][ T5310] ? __pfx_lo_ioctl+0x10/0x10 [ 70.014866][ T5310] ? ima_match_policy+0x10b/0x2150 [ 70.014878][ T5310] ? look_up_lock_class+0x74/0x170 [ 70.014890][ T5310] ? register_lock_class+0x51/0x320 [ 70.014904][ T5310] ? __lock_acquire+0xaac/0xd20 [ 70.014921][ T5310] ? process_measurement+0x3d8/0x1a40 [ 70.014931][ T5310] ? ima_match_policy+0x10b/0x2150 [ 70.014945][ T5310] ? __lock_acquire+0xaac/0xd20 [ 70.014959][ T5310] ? __lock_acquire+0xaac/0xd20 [ 70.014975][ T5310] ? __lock_acquire+0xaac/0xd20 [ 70.014991][ T5310] ? __lock_acquire+0xaac/0xd20 [ 70.015005][ T5310] ? is_bpf_text_address+0x26/0x2b0 [ 70.015019][ T5310] ? is_bpf_text_address+0x292/0x2b0 [ 70.015032][ T5310] ? is_bpf_text_address+0x26/0x2b0 [ 70.015045][ T5310] ? kernel_text_address+0xa5/0xe0 [ 70.015058][ T5310] ? __kernel_text_address+0xd/0x40 [ 70.015068][ T5310] ? unwind_get_return_address+0x4d/0x90 [ 70.015090][ T5310] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 70.015103][ T5310] ? arch_stack_walk+0xfc/0x150 [ 70.015120][ T5310] ? stack_trace_save+0x9c/0xe0 [ 70.015132][ T5310] ? stack_depot_save_flags+0x40/0x910 [ 70.015145][ T5310] ? kasan_save_track+0x4f/0x80 [ 70.015157][ T5310] ? kasan_save_track+0x3e/0x80 [ 70.015168][ T5310] ? do_vfs_ioctl+0xf36/0x1eb0 [ 70.015178][ T5310] ? __se_sys_ioctl+0x47/0x170 [ 70.015187][ T5310] ? do_syscall_64+0xf6/0x210 [ 70.015200][ T5310] ? __pfx_do_vfs_ioctl+0x10/0x10 [ 70.015216][ T5310] ? kasan_quarantine_put+0xdd/0x220 [ 70.015228][ T5310] ? blkdev_common_ioctl+0xfc3/0x2450 [ 70.015239][ T5310] ? tomoyo_path_number_perm+0x1bc/0x5a0 [ 70.015253][ T5310] ? __pfx_blkdev_common_ioctl+0x10/0x10 [ 70.015263][ T5310] ? tomoyo_path_number_perm+0x1bc/0x5a0 [ 70.015277][ T5310] ? tomoyo_path_number_perm+0x4e2/0x5a0 [ 70.015291][ T5310] ? tomoyo_path_number_perm+0x1bc/0x5a0 [ 70.015305][ T5310] ? __pfx_tomoyo_path_number_perm+0x10/0x10 [ 70.015320][ T5310] ? __lock_acquire+0xaac/0xd20 [ 70.015334][ T5310] ? __pfx_lo_ioctl+0x10/0x10 [ 70.015345][ T5310] blkdev_ioctl+0x5a5/0x6d0 [ 70.015357][ T5310] ? __pfx_blkdev_ioctl+0x10/0x10 [ 70.015367][ T5310] ? __fget_files+0x3a0/0x420 [ 70.015378][ T5310] ? __fget_files+0x2a/0x420 [ 70.015389][ T5310] ? bpf_lsm_file_ioctl+0x9/0x20 [ 70.015401][ T5310] ? __pfx_blkdev_ioctl+0x10/0x10 [ 70.015411][ T5310] __se_sys_ioctl+0xf9/0x170 [ 70.015420][ T5310] do_syscall_64+0xf6/0x210 [ 70.015431][ T5310] ? clear_bhb_loop+0x45/0xa0 [ 70.015443][ T5310] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.015453][ T5310] RIP: 0033:0x7ff844d8e969 [ 70.015465][ T5310] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 70.015473][ T5310] RSP: 002b:00007ff845c05038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 70.015485][ T5310] RAX: ffffffffffffffda RBX: 00007ff844fb6080 RCX: 00007ff844d8e969 [ 70.015493][ T5310] RDX: 0000000000000013 RSI: 0000000000004c06 RDI: 0000000000000010 [ 70.015500][ T5310] RBP: 00007ff844e10ab1 R08: 0000000000000000 R09: 0000000000000000 [ 70.015507][ T5310] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 70.015513][ T5310] R13: 0000000000000000 R14: 00007ff844fb6080 R15: 00007ffcea84b6e8 [ 70.015524][ T5310] [ 70.609770][ T5295] Bluetooth: hci0: command tx timeout [ 70.846766][ T5307] usb 5-1: USB disconnect, device number 2 [ 71.364334][ T5309] syz.0.0 (5309) used greatest stack depth: 20592 bytes left