======================================================
WARNING: possible circular locking dependency detected
4.14.307-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.3/9955 is trying to acquire lock:
 (&bdev->bd_mutex){+.+.}, at: [] blkdev_reread_part+0x1b/0x40 block/ioctl.c:192

but task is already holding lock:
 (&nbd->config_lock){+.+.}, at: [] nbd_ioctl+0x11f/0xad0 drivers/block/nbd.c:1369

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&nbd->config_lock){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       nbd_open+0x1ac/0x370 drivers/block/nbd.c:1422
       __blkdev_get+0x306/0x1090 fs/block_dev.c:1470
       blkdev_get+0x88/0x890 fs/block_dev.c:1611
       blkdev_open+0x1cc/0x250 fs/block_dev.c:1772
       do_dentry_open+0x44b/0xec0 fs/open.c:777
       vfs_open+0x105/0x220 fs/open.c:888
       do_last fs/namei.c:3428 [inline]
       path_openat+0x628/0x2970 fs/namei.c:3571
       do_filp_open+0x179/0x3c0 fs/namei.c:3605
       do_sys_open+0x296/0x410 fs/open.c:1081
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

-> #1 (nbd_index_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       nbd_open+0x1e/0x370 drivers/block/nbd.c:1409
       __blkdev_get+0x306/0x1090 fs/block_dev.c:1470
       blkdev_get+0x88/0x890 fs/block_dev.c:1611
       blkdev_open+0x1cc/0x250 fs/block_dev.c:1772
       do_dentry_open+0x44b/0xec0 fs/open.c:777
       vfs_open+0x105/0x220 fs/open.c:888
       do_last fs/namei.c:3428 [inline]
       path_openat+0x628/0x2970 fs/namei.c:3571
       do_filp_open+0x179/0x3c0 fs/namei.c:3605
       do_sys_open+0x296/0x410 fs/open.c:1081
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

-> #0 (&bdev->bd_mutex){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       blkdev_reread_part+0x1b/0x40 block/ioctl.c:192
       nbd_bdev_reset drivers/block/nbd.c:1076 [inline]
       nbd_clear_sock_ioctl drivers/block/nbd.c:1282 [inline]
       __nbd_ioctl drivers/block/nbd.c:1306 [inline]
       nbd_ioctl+0x802/0xad0 drivers/block/nbd.c:1376
       __blkdev_driver_ioctl block/ioctl.c:297 [inline]
       blkdev_ioctl+0x540/0x1830 block/ioctl.c:594
       block_ioctl+0xd9/0x120 fs/block_dev.c:1893
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:500 [inline]
       do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
       SYSC_ioctl fs/ioctl.c:701 [inline]
       SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

other info that might help us debug this:

Chain exists of:
  &bdev->bd_mutex --> nbd_index_mutex --> &nbd->config_lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&nbd->config_lock);
                               lock(nbd_index_mutex);
                               lock(&nbd->config_lock);
  lock(&bdev->bd_mutex);

 *** DEADLOCK ***

1 lock held by syz-executor.3/9955:
 #0:  (&nbd->config_lock){+.+.}, at: [] nbd_ioctl+0x11f/0xad0 drivers/block/nbd.c:1369

stack backtrace:
CPU: 0 PID: 9955 Comm: syz-executor.3 Not tainted 4.14.307-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
 blkdev_reread_part+0x1b/0x40 block/ioctl.c:192
 nbd_bdev_reset drivers/block/nbd.c:1076 [inline]
 nbd_clear_sock_ioctl drivers/block/nbd.c:1282 [inline]
 __nbd_ioctl drivers/block/nbd.c:1306 [inline]
 nbd_ioctl+0x802/0xad0 drivers/block/nbd.c:1376
 __blkdev_driver_ioctl block/ioctl.c:297 [inline]
 blkdev_ioctl+0x540/0x1830 block/ioctl.c:594
 block_ioctl+0xd9/0x120 fs/block_dev.c:1893
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7f3ecb5a50f9
RSP: 002b:00007f3ec9b17168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f3ecb6c4f80 RCX: 00007f3ecb5a50f9
RDX: 0000000000000000 RSI: 000000000000ab04 RDI: 0000000000000003
RBP: 00007f3ecb600ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffff667173f R14: 00007f3ec9b17300 R15: 0000000000022000
======================================================
WARNING: the mand mount option is being deprecated and
         will be removed in v5.15!
======================================================
EXT4-fs (loop2): can't mount with dioread_nolock if block size != PAGE_SIZE
device geneve0 entered promiscuous mode
device macsec1 entered promiscuous mode
device geneve0 left promiscuous mode
EXT4-fs (loop2): can't mount with dioread_nolock if block size != PAGE_SIZE
EXT4-fs (loop2): can't mount with dioread_nolock if block size != PAGE_SIZE
device geneve0 entered promiscuous mode
device macsec1 entered promiscuous mode
device geneve0 left promiscuous mode
L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
block nbd1: shutting down sockets
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.3'.
Bluetooth: hci0 command 0x0401 tx timeout
netlink: 376 bytes leftover after parsing attributes in process `syz-executor.0'.
Bluetooth: hci0 command 0x0401 tx timeout
caif:caif_disconnect_client(): nothing to disconnect
caif:caif_disconnect_client(): nothing to disconnect
netlink: 324 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'.
device geneve0 entered promiscuous mode
device macsec1 entered promiscuous mode
device geneve0 left promiscuous mode
device geneve0 entered promiscuous mode
device macsec1 entered promiscuous mode
device geneve0 left promiscuous mode
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 12 bytes leftover after parsing attributes in process `syz-executor.5'.
device geneve0 entered promiscuous mode
device macsec1 entered promiscuous mode
device geneve0 left promiscuous mode
netlink: 76 bytes leftover after parsing attributes in process `syz-executor.5'.
device geneve0 entered promiscuous mode
unregister_netdevice: waiting for ip6gre0 to become free. Usage count = -1
device macsec1 entered promiscuous mode
device geneve0 left promiscuous mode
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.5'.
device geneve0 entered promiscuous mode
device macsec1 entered promiscuous mode
device geneve0 left promiscuous mode
device geneve0 entered promiscuous mode
device macsec1 entered promiscuous mode
device geneve0 left promiscuous mode
EXT4-fs (loop3): Ignoring removed nomblk_io_submit option
EXT4-fs: Warning: mounting with data=journal disables delayed allocation and O_DIRECT support!
device geneve0 entered promiscuous mode
EXT4-fs (loop3): can't mount with both data=journal and dioread_nolock
device macsec1 entered promiscuous mode
device geneve0 left promiscuous mode
Bluetooth: hci4 command 0x0401 tx timeout
device geneve0 entered promiscuous mode
device macsec1 entered promiscuous mode
QAT: Device 0 not found
BTRFS: device fsid a6a605fc-d5f1-4e66-8595-3726e2b761d6 devid 1 transid 8 /dev/loop2
BTRFS error (device loop2): unsupported checksum algorithm 3
BTRFS error (device loop2): superblock checksum mismatch
BTRFS error (device loop2): open_ctree failed
QAT: Device 0 not found
QAT: Device 0 not found
QAT: Invalid ioctl
QAT: Device 0 not found