program:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
syz_read_part_table(0x634, &(0x7f0000000000)="$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")
r2 = dup(r1)
r3 = eventfd2(0x0, 0x0)
io_submit(0x0, 0x1, &(0x7f0000000280)=[&(0x7f0000000000)={0x1802, 0x0, 0x0, 0x5, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x1, r3}])
r4 = ioctl$KVM_CREATE_VCPU(r2, 0xae41, 0x2)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000080)={0x0, 0x2, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
syz_kvm_setup_cpu$x86(0xffffffffffffffff, r4, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000300)=[@text64={0x40, 0x0}], 0x1, 0x0, 0x0, 0x0)
syz_kvm_setup_cpu$x86(r1, 0xffffffffffffffff, &(0x7f0000000000/0x18000)=nil, &(0x7f0000000200)=[@textreal={0x8, 0x0}], 0x1, 0x0, 0x0, 0x0)
syz_mount_image$ext4(&(0x7f0000000040)='ext2\x00', &(0x7f0000000000)='./file1\x00', 0x3000044, &(0x7f00000006c0)={[{@grpquota}]}, 0x1, 0x569, &(0x7f0000000800)="$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")
creat(&(0x7f0000000040)='./bus\x00', 0x0)
ioctl$KVM_REGISTER_COALESCED_MMIO(r1, 0x4010ae67, &(0x7f0000000640)={0x0, 0xd000})
ioctl$KVM_NMI(r4, 0xae9a)
ioctl$KVM_RUN(r4, 0xae80, 0x0)

[ 75.221102][ T4670] Bluetooth: hci0: command tx timeout
[ 75.305179][ T5323] loop0: detected capacity change from 0 to 2048
[ 75.335845][ T5323] loop0: p1 < > p3
[ 75.340168][ T5323] loop0: p3 size 134217728 extends beyond EOD, truncated
[ 75.351903][ T4729] loop0: p1 < > p3
[ 75.355452][ T4729] loop0: p3 size 134217728 extends beyond EOD, truncated
[ 75.474033][ T5323]
[ 75.474962][ T5323] ======================================================
[ 75.477520][ T5323] WARNING: possible circular locking dependency detected
[ 75.480300][ T5323] 6.15.0-rc2-syzkaller-00400-g3088d26962e8 #0 Not tainted
[ 75.482969][ T5323] ------------------------------------------------------
[ 75.485542][ T5323] syz.0.0/5323 is trying to acquire lock:
[ 75.487612][ T5323] ffff88804138ec38 (kn->active#5){++++}-{0:0}, at: __kernfs_remove+0x336/0x570
[ 75.491007][ T5323]
[ 75.491007][ T5323] but task is already holding lock:
[ 75.493796][ T5323] ffff888032cb8358 (&disk->open_mutex){+.+.}-{4:4}, at: bdev_release+0x17e/0x700
[ 75.497017][ T5323]
[ 75.497017][ T5323] which lock already depends on the new lock.
[ 75.497017][ T5323]
[ 75.500818][ T5323]
[ 75.500818][ T5323] the existing dependency chain (in reverse order) is:
[ 75.503976][ T5323]
[ 75.503976][ T5323] -> #2 (&disk->open_mutex){+.+.}-{4:4}:
[ 75.507072][ T5323] lock_acquire+0x116/0x2f0
[ 75.509139][ T5323] __mutex_lock+0x1a5/0x10c0
[ 75.511322][ T5323] bdev_open+0xf7/0xcd0
[ 75.513262][ T5323] bdev_file_open_by_dev+0x1b2/0x230
[ 75.515660][ T5323] disk_scan_partitions+0x1be/0x2b0
[ 75.517925][ T5323] add_disk_fwnode+0xd26/0x1020
[ 75.520044][ T5323] pmem_attach_disk+0xd42/0x1020
[ 75.522153][ T5323] nvdimm_bus_probe+0x147/0x4e0
[ 75.524171][ T5323] really_probe+0x2b9/0xad0
[ 75.526315][ T5323] __driver_probe_device+0x1a2/0x390
[ 75.528639][ T5323] driver_probe_device+0x50/0x430
[ 75.530778][ T5323] __driver_attach+0x45f/0x710
[ 75.532797][ T5323] bus_for_each_dev+0x23e/0x2b0
[ 75.534816][ T5323] bus_add_driver+0x346/0x670
[ 75.536794][ T5323] driver_register+0x23a/0x320
[ 75.539232][ T5323] do_one_initcall+0x24a/0x940
[ 75.541934][ T5323] do_initcall_level+0x157/0x210
[ 75.544838][ T5323] do_initcalls+0x71/0xd0
[ 75.547232][ T5323] kernel_init_freeable+0x432/0x5d0
[ 75.550040][ T5323] kernel_init+0x1d/0x2b0
[ 75.552286][ T5323] ret_from_fork+0x4b/0x80
[ 75.554405][ T5323] ret_from_fork_asm+0x1a/0x30
[ 75.556685][ T5323]
[ 75.556685][ T5323] -> #1 (&nvdimm_namespace_key){+.+.}-{4:4}:
[ 75.560071][ T5323] lock_acquire+0x116/0x2f0
[ 75.562198][ T5323] __mutex_lock+0x1a5/0x10c0
[ 75.564334][ T5323] uevent_show+0x17d/0x340
[ 75.566368][ T5323] dev_attr_show+0x55/0xc0
[ 75.568436][ T5323] sysfs_kf_seq_show+0x32b/0x4a0
[ 75.570704][ T5323] seq_read_iter+0x461/0xda0
[ 75.572728][ T5323] vfs_read+0x9a0/0xb90
[ 75.574734][ T5323] ksys_read+0x19d/0x2d0
[ 75.576863][ T5323] do_syscall_64+0xf3/0x210
[ 75.578955][ T5323] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.581635][ T5323]
[ 75.581635][ T5323] -> #0 (kn->active#5){++++}-{0:0}:
[ 75.584711][ T5323] validate_chain+0xa69/0x24e0
[ 75.586868][ T5323] __lock_acquire+0xad5/0xd80
[ 75.589008][ T5323] lock_acquire+0x116/0x2f0
[ 75.591057][ T5323] kernfs_drain+0x275/0x5e0
[ 75.593149][ T5323] __kernfs_remove+0x336/0x570
[ 75.595350][ T5323] kernfs_remove_by_name_ns+0xad/0x130
[ 75.597759][ T5323] device_del+0x56c/0x9b0
[ 75.599785][ T5323] drop_partition+0x11b/0x180
[ 75.601822][ T5323] bdev_disk_changed+0x2ca/0x14e0
[ 75.604049][ T5323] lo_release+0x540/0x850
[ 75.606076][ T5323] bdev_release+0x5dd/0x700
[ 75.607901][ T5323] blkdev_release+0x15/0x20
[ 75.609650][ T5323] __fput+0x3e9/0x9f0
[ 75.611553][ T5323] fput_close_sync+0x1ef/0x270
[ 75.613724][ T5323] __x64_sys_close+0x7f/0x110
[ 75.615662][ T5323] do_syscall_64+0xf3/0x210
[ 75.617336][ T5323] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.619668][ T5323]
[ 75.619668][ T5323] other info that might help us debug this:
[ 75.619668][ T5323]
[ 75.624099][ T5323] Chain exists of:
[ 75.624099][ T5323] kn->active#5 --> &nvdimm_namespace_key --> &disk->open_mutex
[ 75.624099][ T5323]
[ 75.630006][ T5323] Possible unsafe locking scenario:
[ 75.630006][ T5323]
[ 75.633154][ T5323] CPU0 CPU1
[ 75.635454][ T5323] ---- ----
[ 75.637721][ T5323] lock(&disk->open_mutex);
[ 75.639687][ T5323] lock(&nvdimm_namespace_key);
[ 75.642602][ T5323] lock(&disk->open_mutex);
[ 75.645268][ T5323] lock(kn->active#5);
[ 75.646864][ T5323]
[ 75.646864][ T5323] *** DEADLOCK ***
[ 75.646864][ T5323]
[ 75.649816][ T5323] 1 lock held by syz.0.0/5323:
[ 75.651636][ T5323] #0: ffff888032cb8358 (&disk->open_mutex){+.+.}-{4:4}, at: bdev_release+0x17e/0x700
[ 75.655242][ T5323]
[ 75.655242][ T5323] stack backtrace:
[ 75.657668][ T5323] CPU: 0 UID: 0 PID: 5323 Comm: syz.0.0 Not tainted 6.15.0-rc2-syzkaller-00400-g3088d26962e8 #0 PREEMPT(full)
[ 75.657683][ T5323] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 75.657690][ T5323] Call Trace:
[ 75.657698][ T5323]
[ 75.657703][ T5323] dump_stack_lvl+0x241/0x360
[ 75.657722][ T5323] ? __pfx_dump_stack_lvl+0x10/0x10
[ 75.657737][ T5323] ? __pfx__printk+0x10/0x10
[ 75.657752][ T5323] ? print_lock+0x171/0x1a0
[ 75.657768][ T5323] print_circular_bug+0x2e1/0x300
[ 75.657784][ T5323] check_noncircular+0x142/0x160
[ 75.657798][ T5323] validate_chain+0xa69/0x24e0
[ 75.657813][ T5323] ? lockdep_unlock+0x8d/0x120
[ 75.657828][ T5323] __lock_acquire+0xad5/0xd80
[ 75.657844][ T5323] ? up_write+0x1ab/0x590
[ 75.657854][ T5323] lock_acquire+0x116/0x2f0
[ 75.657866][ T5323] ? __kernfs_remove+0x336/0x570
[ 75.657881][ T5323] kernfs_drain+0x275/0x5e0
[ 75.657892][ T5323] ? __kernfs_remove+0x336/0x570
[ 75.657905][ T5323] ? __pfx_kernfs_drain+0x10/0x10
[ 75.657922][ T5323] __kernfs_remove+0x336/0x570
[ 75.657933][ T5323] kernfs_remove_by_name_ns+0xad/0x130
[ 75.657943][ T5323] device_del+0x56c/0x9b0
[ 75.657952][ T5323] ? __pfx_device_del+0x10/0x10
[ 75.657959][ T5323] ? kobject_put+0x446/0x480
[ 75.657968][ T5323] drop_partition+0x11b/0x180
[ 75.657979][ T5323] bdev_disk_changed+0x2ca/0x14e0
[ 75.657986][ T5323] ? kobject_uevent_env+0x54d/0x8e0
[ 75.657997][ T5323] ? __pfx_bdev_disk_changed+0x10/0x10
[ 75.658003][ T5323] ? kobject_uevent_env+0x54d/0x8e0
[ 75.658012][ T5323] lo_release+0x540/0x850
[ 75.658021][ T5323] ? __pfx_lo_release+0x10/0x10
[ 75.658033][ T5323] ? do_raw_spin_unlock+0x58/0x8b0
[ 75.658042][ T5323] ? __pfx_lo_release+0x10/0x10
[ 75.658048][ T5323] bdev_release+0x5dd/0x700
[ 75.658058][ T5323] blkdev_release+0x15/0x20
[ 75.658067][ T5323] ? __pfx_blkdev_release+0x10/0x10
[ 75.658075][ T5323] __fput+0x3e9/0x9f0
[ 75.658083][ T5323] fput_close_sync+0x1ef/0x270
[ 75.658091][ T5323] ? __pfx_fput_close_sync+0x10/0x10
[ 75.658098][ T5323] ? do_raw_spin_unlock+0x58/0x8b0
[ 75.658106][ T5323] ? filp_flush+0x116/0x190
[ 75.658113][ T5323] __x64_sys_close+0x7f/0x110
[ 75.658121][ T5323] do_syscall_64+0xf3/0x210
[ 75.658129][ T5323] ? clear_bhb_loop+0x45/0xa0
[ 75.658138][ T5323] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 75.658149][ T5323] RIP: 0033:0x7fc7b3f8cdca
[ 75.658161][ T5323] Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 43 91 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 a3 91 02 00 8b 44 24
[ 75.658169][ T5323] RSP: 002b:00007fc7b4d0fe00 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 75.658179][ T5323] RAX: ffffffffffffffda RBX: 0000000000000009 RCX: 00007fc7b3f8cdca
[ 75.658184][ T5323] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000009
[ 75.658189][ T5323] RBP: 0000000000000010 R08: 0000000000000000 R09: 0000000000000563
[ 75.658194][ T5323] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000008
[ 75.658201][ T5323] R13: 00007fc7b4d0fef0 R14: 00007fc7b4d10668 R15: 00007fc7a7e00000
[ 75.658213][ T5323]
[ 75.808733][ T5303] udevd[5303]: inotify_add_watch(7, /dev/loop0p1, 10) failed: No such file or directory