WARNING: possible circular locking dependency detected
4.19.195-syzkaller #0 Not tainted
------------------------------------------------------
kworker/1:2/3412 is trying to acquire lock:
000000002567295b (&sb->s_type->i_mutex_key#13){+.+.}, at: inode_lock include/linux/fs.h:748 [inline]
000000002567295b (&sb->s_type->i_mutex_key#13){+.+.}, at: __sock_release+0x86/0x2a0 net/socket.c:578
binder: binder_mmap: 22174 20000000-20400000 bad vm_flags failed -1

but task is already holding lock:
000000002867715b ((delayed_fput_work).work){+.+.}, at: process_one_work+0x79c/0x1570 kernel/workqueue.c:2128

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #3 ((delayed_fput_work).work){+.+.}:
       worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
       kthread+0x33f/0x460 kernel/kthread.c:259
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

-> #2 ((wq_completion)"events"){+.+.}:
       flush_scheduled_work include/linux/workqueue.h:599 [inline]
       tipc_exit_net+0x38/0x60 net/tipc/core.c:100
       ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153
       cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553
       process_one_work+0x864/0x1570 kernel/workqueue.c:2153
       worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
       kthread+0x33f/0x460 kernel/kthread.c:259
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

-> #1 (pernet_ops_rwsem){++++}:
       unregister_netdevice_notifier+0x7b/0x330 net/core/dev.c:1708
       raw_release+0x58/0x820 net/can/raw.c:358
       __sock_release+0xcd/0x2a0 net/socket.c:579
       sock_close+0x15/0x20 net/socket.c:1140
       __fput+0x2ce/0x890 fs/file_table.c:278
       task_work_run+0x148/0x1c0 kernel/task_work.c:113
       exit_task_work include/linux/task_work.h:22 [inline]
       do_exit+0xbf3/0x2be0 kernel/exit.c:870
       do_group_exit+0x125/0x310 kernel/exit.c:967
       get_signal+0x3f2/0x1f70 kernel/signal.c:2589
       do_signal+0x8f/0x1670 arch/x86/kernel/signal.c:799
       exit_to_usermode_loop+0x204/0x2a0 arch/x86/entry/common.c:163
       prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
       syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
       do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&sb->s_type->i_mutex_key#13){+.+.}:
       down_write+0x34/0x90 kernel/locking/rwsem.c:70
       inode_lock include/linux/fs.h:748 [inline]
       __sock_release+0x86/0x2a0 net/socket.c:578
       sock_close+0x15/0x20 net/socket.c:1140
       __fput+0x2ce/0x890 fs/file_table.c:278
       delayed_fput+0x56/0x70 fs/file_table.c:304
       process_one_work+0x864/0x1570 kernel/workqueue.c:2153
       worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
       kthread+0x33f/0x460 kernel/kthread.c:259
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

other info that might help us debug this:

Chain exists of:
  &sb->s_type->i_mutex_key#13 --> (wq_completion)"events" --> (delayed_fput_work).work

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock((delayed_fput_work).work);
                               lock((wq_completion)"events");
                               lock((delayed_fput_work).work);
  lock(&sb->s_type->i_mutex_key#13);

 *** DEADLOCK ***

2 locks held by kworker/1:2/3412:
 #0: 00000000594c75a9 ((wq_completion)"events"){+.+.}, at: process_one_work+0x767/0x1570 kernel/workqueue.c:2124
vhci_hcd: disconnect device
 #1: 000000002867715b ((delayed_fput_work).work){+.+.}, at: process_one_work+0x79c/0x1570 kernel/workqueue.c:2128

stack backtrace:
CPU: 1 PID: 3412 Comm: kworker/1:2 Not tainted 4.19.195-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events delayed_fput
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1222
 check_prev_add kernel/locking/lockdep.c:1866 [inline]
 check_prevs_add kernel/locking/lockdep.c:1979 [inline]
 validate_chain kernel/locking/lockdep.c:2420 [inline]
 __lock_acquire+0x30c9/0x3ff0 kernel/locking/lockdep.c:3416
 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
 down_write+0x34/0x90 kernel/locking/rwsem.c:70
 inode_lock include/linux/fs.h:748 [inline]
 __sock_release+0x86/0x2a0 net/socket.c:578
 sock_close+0x15/0x20 net/socket.c:1140
 __fput+0x2ce/0x890 fs/file_table.c:278
 delayed_fput+0x56/0x70 fs/file_table.c:304
 process_one_work+0x864/0x1570 kernel/workqueue.c:2153
 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
vhci_hcd vhci_hcd.0: pdev(5) rhport(1) sockfd(5)
vhci_hcd vhci_hcd.0: devid(0) speed(3) speed_str(high-speed)
vhci_hcd: connection closed
vhci_hcd vhci_hcd.0: Device attached
vhci_hcd: stop threads
vhci_hcd: release socket
vhci_hcd: disconnect device
binder: binder_mmap: 22217 20000000-20400000 bad vm_flags failed -1
binder: binder_mmap: 22231 20000000-20400000 bad vm_flags failed -1
binder: binder_mmap: 22254 20000000-20400000 bad vm_flags failed -1
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 22263 Comm: syz-executor.0 Not tainted 4.19.195-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail.cold+0xa/0xf lib/fault-inject.c:149
 __should_failslab+0x115/0x180 mm/failslab.c:32
 should_failslab+0x5/0x10 mm/slab_common.c:1588
 slab_pre_alloc_hook mm/slab.h:424 [inline]
 slab_alloc mm/slab.c:3383 [inline]
 kmem_cache_alloc_trace+0x284/0x380 mm/slab.c:3623
 kmalloc include/linux/slab.h:515 [inline]
 kzalloc include/linux/slab.h:709 [inline]
 nbd_add_socket+0x248/0x840 drivers/block/nbd.c:988
 __nbd_ioctl drivers/block/nbd.c:1320 [inline]
 nbd_ioctl+0x584/0xbe0 drivers/block/nbd.c:1387
 __blkdev_driver_ioctl block/ioctl.c:303 [inline]
 blkdev_ioctl+0x5cb/0x1a80 block/ioctl.c:601
 block_ioctl+0xe9/0x130 fs/block_dev.c:1906
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4665d9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007faa93273188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000006 RSI: 000000000000ab00 RDI: 0000000000000005
RBP: 00007faa932731d0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffcf6c0b54f R14: 00007faa93273300 R15: 0000000000022000
block nbd5: shutting down sockets
FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 22320 Comm: syz-executor.0 Not tainted 4.19.195-syzkaller #0
binder: binder_mmap: 22326 20000000-20400000 bad vm_flags failed -1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 fail_dump lib/fault-inject.c:51 [inline]
 should_fail.cold+0xa/0xf lib/fault-inject.c:149
 __should_failslab+0x115/0x180 mm/failslab.c:32
 should_failslab+0x5/0x10 mm/slab_common.c:1588
 slab_pre_alloc_hook mm/slab.h:424 [inline]
 slab_alloc mm/slab.c:3383 [inline]
 __do_kmalloc mm/slab.c:3725 [inline]
 __kmalloc_track_caller+0x2a6/0x3c0 mm/slab.c:3742
 __do_krealloc mm/slab_common.c:1499 [inline]
 krealloc+0x57/0xc0 mm/slab_common.c:1546
 nbd_add_socket+0x2c7/0x840 drivers/block/nbd.c:994
 __nbd_ioctl drivers/block/nbd.c:1320 [inline]
 nbd_ioctl+0x584/0xbe0 drivers/block/nbd.c:1387
binder: binder_mmap: 22335 20000000-20400000 bad vm_flags failed -1
 __blkdev_driver_ioctl block/ioctl.c:303 [inline]
 blkdev_ioctl+0x5cb/0x1a80 block/ioctl.c:601
 block_ioctl+0xe9/0x130 fs/block_dev.c:1906
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xcdb/0x12e0 fs/ioctl.c:688
 ksys_ioctl+0x9b/0xc0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4665d9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007faa93273188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9
RDX: 0000000000000006 RSI: 000000000000ab00 RDI: 0000000000000005
RBP: 00007faa932731d0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffcf6c0b54f R14: 00007faa93273300 R15: 0000000000022000
block nbd5: shutting down sockets
block nbd3: Receive control failed (result -107)
binder: binder_mmap: 22342 20000000-20400000 bad vm_flags failed -1
block nbd3: shutting down sockets
block nbd0: shutting down sockets
binder: binder_mmap: 22381 20000000-20400000 bad vm_flags failed -1
block nbd0: shutting down sockets
block nbd5: Receive control failed (result -107)
block nbd5: shutting down sockets
binder: binder_mmap: 22430 20000000-20400000 bad vm_flags failed -1
block nbd5: shutting down sockets
block nbd5: shutting down sockets
binder: binder_mmap: 22464 20000000-20400000 bad vm_flags failed -1
binder: binder_mmap: 22493 20000000-20400000 bad vm_flags failed -1
block nbd5: Receive control failed (result -107)
block nbd5: shutting down sockets
block nbd5: Receive control failed (result -107)
block nbd5: shutting down sockets
binder: binder_mmap: 22524 20000000-20400000 bad vm_flags failed -1
block nbd5: Receive control failed (result -107)
block nbd5: shutting down sockets
block nbd3: Receive control failed (result -107)
block nbd3: shutting down sockets
binder: binder_mmap: 22556 20000000-20400000 bad vm_flags failed -1
block nbd5: Receive control failed (result -107)
block nbd5: shutting down sockets
binder: binder_mmap: 22605 20000000-20400000 bad vm_flags failed -1
binder: binder_mmap: 22635 20000000-20400000 bad vm_flags failed -1
block nbd5: shutting down sockets
block nbd3: Receive control failed (result -107)
block nbd3: shutting down sockets
binder: binder_mmap: 22678 20000000-20400000 bad vm_flags failed -1
audit: type=1804 audit(1625015032.999:71): pid=22714 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor.5" name="/root/syzkaller-testdir383786255/syzkaller.J6SM9C/288/bus" dev="sda1" ino=13925 res=1
block nbd5: shutting down sockets
block nbd3: Receive control failed (result -107)
block nbd3: shutting down sockets
binder: binder_mmap: 22735 20000000-20400000 bad vm_flags failed -1
block nbd5: shutting down sockets
VFS: Can't find a Minix filesystem V1 | V2 | V3 on device loop3.
block nbd3: Receive control failed (result -107)
block nbd3: shutting down sockets
VFS: Can't find a Minix filesystem V1 | V2 | V3 on device loop3.
block nbd3: Receive control failed (result -107)
block nbd3: shutting down sockets
binder: binder_mmap: 22874 20000000-20400000 bad vm_flags failed -1
binder: 22874:22883 ioctl c0306201 20000100 returned -14
block nbd5: Receive control failed (result -107)
block nbd5: shutting down sockets
block nbd5: Receive control failed (result -107)
block nbd5: shutting down sockets
block nbd3: Receive control failed (result -107)
block nbd3: shutting down sockets
binder: binder_mmap: 22909 20000000-20400000 bad vm_flags failed -1
block nbd5: Receive control failed (result -107)
binder: binder_mmap: 22946 20000000-20400000 bad vm_flags failed -1
block nbd5: shutting down sockets
block nbd3: Receive control failed (result -107)
block nbd5: Receive control failed (result -107)
block nbd3: shutting down sockets
block nbd5: shutting down sockets
block nbd5: Could not allocate knbd recv work queue.
block nbd5: shutting down sockets
block nbd3: Receive control failed (result -107)
block nbd3: shutting down sockets
binder: binder_mmap: 23024 20000000-20400000 bad vm_flags failed -1
binder: binder_mmap: 23057 20000000-20400000 bad vm_flags failed -1
block nbd1: Device being setup by another task
block nbd1: Device being setup by another task
binder: binder_mmap: 23086 20000000-20400000 bad vm_flags failed -1
block nbd5: Receive control failed (result -107)
block nbd5: shutting down sockets
block nbd3: shutting down sockets
block nbd3: Receive control failed (result -107)
block nbd3: shutting down sockets
block nbd5: shutting down sockets
block nbd3: shutting down sockets
binder: binder_mmap: 23216 20000000-20400000 bad vm_flags failed -1
binder: 23216:23220 ioctl c0306201 20000100 returned -14
binder: binder_mmap: 23248 20000000-20400000 bad vm_flags failed -1
binder: binder_mmap: 23266 20000000-20400000 bad vm_flags failed -1
block nbd5: Receive control failed (result -107)
block nbd5: shutting down sockets
block nbd5: Receive control failed (result -107)
block nbd5: shutting down sockets
block nbd3: Receive control failed (result -107)
binder: binder_mmap: 23293 20000000-20400000 bad vm_flags failed -1
block nbd3: shutting down sockets
block nbd1: Device being setup by another task
block nbd5: Receive control failed (result -107)
block nbd5: shutting down sockets
block nbd0: NBD_DISCONNECT
block nbd0: NBD_DISCONNECT
binder: binder_mmap: 23349 20000000-20400000 bad vm_flags failed -1
block nbd1: Device being setup by another task
REISERFS warning (device loop5): super-6502 reiserfs_getopt: unknown mount option "/proc/sys/net/ipv4/vs/backup_only"
block nbd1: Device being setup by another task
binder: binder_mmap: 23378 20000000-20400000 bad vm_flags failed -1
binder: binder_mmap: 23396 20000000-20400000 bad vm_flags failed -1
block nbd4: Receive control failed (result -107)
block nbd4: shutting down sockets
audit: type=1800 audit(1625015037.429:72): pid=23422 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="syz-executor.4" name="file0" dev="sda1" ino=14690 res=0
binder: binder_mmap: 23433 20000000-20400000 bad vm_flags failed -1
block nbd4: Receive control failed (result -107)
block nbd4: shutting down sockets
binder: binder_mmap: 23453 20000000-20400000 bad vm_flags failed -1
block nbd4: Receive control failed (result -107)
block nbd4: shutting down sockets
block nbd3: shutting down sockets
binder: binder_mmap: 23513 20000000-20400000 bad vm_flags failed -1
block nbd5: Receive control failed (result -107)
block nbd5: shutting down sockets
binder: binder_mmap: 23536 20000000-20400000 bad vm_flags failed -1
binder: binder_mmap: 23559 20000000-20400000 bad vm_flags failed -1
block nbd4: Receive control failed (result -107)
block nbd4: shutting down sockets
block nbd4: Could not allocate knbd recv work queue.
block nbd4: shutting down sockets
binder: binder_mmap: 23579 20000000-20400000 bad vm_flags failed -1