======================================================
[ INFO: possible circular locking dependency detected ]
4.4.174+ #17 Not tainted
-------------------------------------------------------
syz-executor.3/32233 is trying to acquire lock:
 (&bdev->bd_mutex){+.+.+.}, at: [<ffffffff81a7920f>] blkdev_reread_part+0x1f/0x40 block/ioctl.c:189

but task is already holding lock:
 (loop_ctl_mutex#2){+.+.+.}, at: [<ffffffff81d48065>] lo_compat_ioctl+0x105/0x140 drivers/block/loop.c:1599

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (loop_ctl_mutex#2){+.+.+.}:
       [<ffffffff81205f6e>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
       [<ffffffff8270c191>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       [<ffffffff8270c191>] mutex_lock_nested+0xc1/0xb80 kernel/locking/mutex.c:621
       [<ffffffff81d48124>] __lo_release drivers/block/loop.c:1653 [inline]
       [<ffffffff81d48124>] lo_release+0x84/0x1b0 drivers/block/loop.c:1676
       [<ffffffff8154e4e1>] __blkdev_put+0x461/0x840 fs/block_dev.c:1535
       [<ffffffff8154f738>] blkdev_put+0x88/0x560 fs/block_dev.c:1600
       [<ffffffff8154fc9b>] blkdev_close+0x8b/0xb0 fs/block_dev.c:1607
       [<ffffffff8149c8c6>] __fput+0x246/0x710 fs/file_table.c:208
       [<ffffffff8149ce16>] ____fput+0x16/0x20 fs/file_table.c:244
       [<ffffffff8112f352>] task_work_run+0x202/0x2b0 kernel/task_work.c:115
       [<ffffffff81003dca>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
       [<ffffffff81003dca>] exit_to_usermode_loop+0x14a/0x170 arch/x86/entry/common.c:188
       [<ffffffff8100569b>] prepare_exit_to_usermode arch/x86/entry/common.c:221 [inline]
       [<ffffffff8100569b>] syscall_return_slowpath+0x25b/0x2e0 arch/x86/entry/common.c:286
       [<ffffffff82718ce1>] int_ret_from_sys_call+0x25/0xa3

-> #1 (loop_index_mutex){+.+.+.}:
       [<ffffffff81205f6e>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
       [<ffffffff8270c191>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       [<ffffffff8270c191>] mutex_lock_nested+0xc1/0xb80 kernel/locking/mutex.c:621
       [<ffffffff81d3d70d>] lo_open+0x1d/0xb0 drivers/block/loop.c:1633
       [<ffffffff8154eb6e>] __blkdev_get+0x2ae/0xdf0 fs/block_dev.c:1213
       [<ffffffff81551938>] blkdev_get+0x2e8/0x920 fs/block_dev.c:1353
       [<ffffffff8155219a>] blkdev_open+0x1aa/0x250 fs/block_dev.c:1508
       [<ffffffff8149154f>] do_dentry_open+0x38f/0xbd0 fs/open.c:749
       [<ffffffff81494d3b>] vfs_open+0x10b/0x210 fs/open.c:862
       [<ffffffff814c5ddf>] do_last fs/namei.c:3269 [inline]
       [<ffffffff814c5ddf>] path_openat+0x136f/0x4470 fs/namei.c:3406
       [<ffffffff814ccab1>] do_filp_open+0x1a1/0x270 fs/namei.c:3440
       [<ffffffff81495668>] do_sys_open+0x2f8/0x600 fs/open.c:1038
       [<ffffffff8149599d>] SYSC_open fs/open.c:1056 [inline]
       [<ffffffff8149599d>] SyS_open+0x2d/0x40 fs/open.c:1051
       [<ffffffff82718ba1>] entry_SYSCALL_64_fastpath+0x1e/0x9a

-> #0 (&bdev->bd_mutex){+.+.+.}:
       [<ffffffff81202d86>] check_prev_add kernel/locking/lockdep.c:1853 [inline]
       [<ffffffff81202d86>] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
       [<ffffffff81202d86>] validate_chain kernel/locking/lockdep.c:2144 [inline]
       [<ffffffff81202d86>] __lock_acquire+0x37d6/0x4f50 kernel/locking/lockdep.c:3213
       [<ffffffff81205f6e>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
       [<ffffffff8270c191>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
       [<ffffffff8270c191>] mutex_lock_nested+0xc1/0xb80 kernel/locking/mutex.c:621
       [<ffffffff81a7920f>] blkdev_reread_part+0x1f/0x40 block/ioctl.c:189
       [<ffffffff81d3ed4c>] loop_reread_partitions+0x7c/0x90 drivers/block/loop.c:649
       [<ffffffff81d3f962>] loop_set_status+0xc02/0x1260 drivers/block/loop.c:1208
       [<ffffffff81d40072>] loop_set_status_compat+0xb2/0x110 drivers/block/loop.c:1572
       [<ffffffff81d48070>] lo_compat_ioctl+0x110/0x140 drivers/block/loop.c:1600
       [<ffffffff81aa7200>] compat_blkdev_ioctl+0xca0/0x344f block/compat_ioctl.c:751
       [<ffffffff8159b2c3>] C_SYSC_ioctl fs/compat_ioctl.c:1592 [inline]
       [<ffffffff8159b2c3>] compat_SyS_ioctl+0x403/0x2210 fs/compat_ioctl.c:1544
       [<ffffffff8100603d>] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
       [<ffffffff8100603d>] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397
       [<ffffffff8271a350>] sysenter_flags_fixed+0xd/0x1a

other info that might help us debug this:

Chain exists of:
  &bdev->bd_mutex --> loop_index_mutex --> loop_ctl_mutex#2

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(loop_ctl_mutex#2);
                               lock(loop_index_mutex);
                               lock(loop_ctl_mutex#2);
  lock(&bdev->bd_mutex);

 *** DEADLOCK ***

1 lock held by syz-executor.3/32233:
 #0:  (loop_ctl_mutex#2){+.+.+.}, at: [<ffffffff81d48065>] lo_compat_ioctl+0x105/0x140 drivers/block/loop.c:1599

stack backtrace:
CPU: 1 PID: 32233 Comm: syz-executor.3 Not tainted 4.4.174+ #17
 0000000000000000 381e772ad8053897 ffff88009aae75e0 ffffffff81aad1a1
 ffffffff84057a80 ffff8800b7030000 ffffffff83aa0cc0 ffffffff83ac6df0
 ffffffff83aa1890 ffff88009aae7630 ffffffff813abcda ffffffff83e1b180
Call Trace:
 [<ffffffff81aad1a1>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81aad1a1>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<ffffffff813abcda>] print_circular_bug.cold+0x2f7/0x44e kernel/locking/lockdep.c:1226
 [<ffffffff81202d86>] check_prev_add kernel/locking/lockdep.c:1853 [inline]
 [<ffffffff81202d86>] check_prevs_add kernel/locking/lockdep.c:1958 [inline]
 [<ffffffff81202d86>] validate_chain kernel/locking/lockdep.c:2144 [inline]
 [<ffffffff81202d86>] __lock_acquire+0x37d6/0x4f50 kernel/locking/lockdep.c:3213
 [<ffffffff81205f6e>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
 [<ffffffff8270c191>] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 [<ffffffff8270c191>] mutex_lock_nested+0xc1/0xb80 kernel/locking/mutex.c:621
 [<ffffffff81a7920f>] blkdev_reread_part+0x1f/0x40 block/ioctl.c:189
 [<ffffffff81d3ed4c>] loop_reread_partitions+0x7c/0x90 drivers/block/loop.c:649
 [<ffffffff81d3f962>] loop_set_status+0xc02/0x1260 drivers/block/loop.c:1208
 [<ffffffff81d40072>] loop_set_status_compat+0xb2/0x110 drivers/block/loop.c:1572
 [<ffffffff81d48070>] lo_compat_ioctl+0x110/0x140 drivers/block/loop.c:1600
 [<ffffffff81aa7200>] compat_blkdev_ioctl+0xca0/0x344f block/compat_ioctl.c:751
 [<ffffffff8159b2c3>] C_SYSC_ioctl fs/compat_ioctl.c:1592 [inline]
 [<ffffffff8159b2c3>] compat_SyS_ioctl+0x403/0x2210 fs/compat_ioctl.c:1544
 [<ffffffff8100603d>] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
 [<ffffffff8100603d>] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397
 [<ffffffff8271a350>] sysenter_flags_fixed+0xd/0x1a
loop_reread_partitions: partition scan of loop0 (
ñy§rZ³²èï>¥iÛj¦î$^¡g/¼ }÷ó€éI­×oòzy#
¸„«`‰¡Þ‡£RnVÊAIn) failed (rc=-13)
binder: 32229:32241 got new transaction with bad transaction stack, transaction 2346 has target 32229:32234
binder: 32229:32241 transaction failed 29201/-71, size 0-0 line 3041
uinput: write device info first
uinput: write device info first
binder: BINDER_SET_CONTEXT_MGR already set
binder: 32229:32263 ioctl 40046207 0 returned -16
binder: release 32229:32241 transaction 2346 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: release 32229:32234 transaction 2346 in, still active
binder: send failed reply for transaction 2346, target dead
binder: 32229:32265 transaction failed 29189/-22, size 0-0 line 3014
binder: undelivered TRANSACTION_ERROR: 29189
binder: 32277:32279 got new transaction with bad transaction stack, transaction 2350 has target 32277:32278
binder: 32277:32279 transaction failed 29201/-71, size 0-0 line 3041
uinput: write device info first
binder: release 32277:32279 transaction 2350 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: BINDER_SET_CONTEXT_MGR already set
binder: undelivered TRANSACTION_ERROR: 29201
binder: 32277:32294 ioctl 40046207 0 returned -16
binder: release 32277:32278 transaction 2350 in, still active
binder: 32277:32295 transaction failed 29189/-22, size 0-0 line 3014
binder: send failed reply for transaction 2350, target dead
binder: undelivered TRANSACTION_ERROR: 29189
uinput: write device info first
uinput: write device info first
binder: 32300:32313 got new transaction with bad transaction stack, transaction 2355 has target 32300:32305
binder: 32300:32313 transaction failed 29201/-71, size 0-0 line 3041
binder: 32309:32316 got new transaction with bad transaction stack, transaction 2356 has target 32309:32310
binder: 32309:32316 transaction failed 29201/-71, size 0-0 line 3041
binder: release 32300:32313 transaction 2355 out, still active
binder: BINDER_SET_CONTEXT_MGR already set
binder: 32300:32321 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: release 32309:32316 transaction 2356 out, still active
uinput: write device info first
binder_alloc: 32300: binder_alloc_buf, no vma
binder: 32300:32325 transaction failed 29189/-3, size 0-0 line 3137
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 32309:32310 transaction 2356 in, still active
binder: send failed reply for transaction 2356, target dead
binder: release 32300:32305 transaction 2355 in, still active
binder: send failed reply for transaction 2355, target dead
binder: 32326:32333 transaction failed 29189/-22, size 0-0 line 3014
binder: 32334:32335 unknown command 808464432
binder: 32334:32335 ioctl c0306201 20000040 returned -22
binder_alloc: 32334: binder_alloc_buf size 72058556110602248 failed, no address space
binder_alloc: allocated: 0 (num: 0 largest: 0), free: 12288 (num: 1 largest: 12288)
binder: 32334:32335 transaction failed 29201/-28, size 0-0 line 3137
binder: 32334:32338 transaction failed 29201/-22, size -6362429673443999977-7882864070155720365 line 3137
uinput: write device info first
binder: release 32326:32328 transaction 2364 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
binder: BINDER_SET_CONTEXT_MGR already set
binder: 32355:32356 ioctl 40046207 0 returned -16
binder: send failed reply for transaction 2364, target dead
binder: undelivered TRANSACTION_ERROR: 29201
binder: BINDER_SET_CONTEXT_MGR already set
binder: 32334:32357 ioctl 40046207 0 returned -16
binder: 32334:32357 unknown command 808464432
binder: 32334:32357 ioctl c0306201 20000040 returned -22
binder_alloc: 32334: binder_alloc_buf, no vma
binder: 32334:32357 transaction failed 29189/-3, size 0-0 line 3137
uinput: write device info first
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29189
uinput: write device info first
binder: 32355:32368 transaction failed 29189/-22, size 0-0 line 3014
binder: 32355:32376 transaction failed 29189/-22, size 0-0 line 3014
binder: 32366:32373 got new transaction with bad transaction stack, transaction 2369 has target 32366:32370
binder: 32366:32373 transaction failed 29201/-71, size 0-0 line 3041
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
uinput: write device info first
binder: release 32366:32373 transaction 2369 out, still active
binder: 32397:32401 got new transaction with bad transaction stack, transaction 2373 has target 32397:32398
binder: 32397:32401 transaction failed 29201/-71, size 0-0 line 3041
binder: BINDER_SET_CONTEXT_MGR already set
binder: 32406:32407 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: release 32366:32370 transaction 2369 in, still active
binder: send failed reply for transaction 2369, target dead
binder: 32406:32412 unknown command 0
uinput: write device info first
binder: 32406:32412 ioctl c0306201 20000600 returned -22
binder: 32406:32416 transaction failed 29189/-22, size 0-0 line 3014
binder: release 32397:32401 transaction 2373 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: BINDER_SET_CONTEXT_MGR already set
binder: 32438:32440 ioctl 40046207 0 returned -16
uinput: write device info first
binder: release 32397:32398 transaction 2373 in, still active
binder: send failed reply for transaction 2373, target dead
binder: 32438:32444 transaction failed 29189/-22, size 0-0 line 3014
binder: undelivered TRANSACTION_ERROR: 29189
binder: 32406:32407 unknown command 0
binder: 32406:32407 ioctl c0306201 20000600 returned -22
binder: release 32406:32407 transaction 2378 out, still active
binder: 32438:32447 transaction failed 29189/-22, size 0-0 line 3014
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 2378, target dead
uinput: write device info first
binder: 32450:32455 unknown command 80579956
binder: 32450:32455 ioctl c0306201 20000600 returned -22
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: 32480:32482 got new transaction with bad transaction stack, transaction 2383 has target 32480:32481
binder: 32480:32482 transaction failed 29201/-71, size 0-0 line 3041
binder: release 32450:32460 transaction 2381 out, still active
binder: BINDER_SET_CONTEXT_MGR already set
binder: undelivered TRANSACTION_COMPLETE
uinput: write device info first
binder: 32450:32460 ioctl 40046207 0 returned -16
binder: release 32450:32451 transaction 2381 in, still active
binder: send failed reply for transaction 2381, target dead
binder: 32450:32485 unknown command 80579956
binder: 32450:32485 ioctl c0306201 20000600 returned -22
uinput: write device info first
binder: 32450:32485 transaction failed 29189/-22, size 0-0 line 3014
binder: undelivered TRANSACTION_ERROR: 29189
binder_alloc: 32493: binder_alloc_buf size -26090282341205856 failed, no address space
binder_alloc: allocated: 0 (num: 0 largest: 0), free: 12288 (num: 1 largest: 12288)
binder: 32493:32496 transaction failed 29201/-28, size 0-0 line 3137
binder: release 32480:32482 transaction 2383 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: BINDER_SET_CONTEXT_MGR already set
binder: 32509:32510 ioctl 40046207 0 returned -16
binder: release 32480:32481 transaction 2383 in, still active
binder: send failed reply for transaction 2383, target dead
binder: 32509:32511 transaction failed 29189/-22, size 0-0 line 3014
binder: 32509:32512 transaction failed 29189/-22, size 0-0 line 3014
uinput: write device info first
uinput: write device info first
binder: BINDER_SET_CONTEXT_MGR already set
binder: 32493:32518 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_ERROR: 29201
binder: 32493:32520 transaction failed 29189/-22, size 0-0 line 3014
binder: undelivered TRANSACTION_ERROR: 29189
binder: 32523:32525 got new transaction with bad transaction stack, transaction 2392 has target 32523:32524
binder: 32523:32525 transaction failed 29201/-71, size 0-0 line 3041
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
binder: 32535:32539 got new transaction with bad transaction stack, transaction 2395 has target 32535:32537
binder: 32535:32539 transaction failed 29201/-71, size 0-0 line 3041
uinput: write device info first
uinput: write device info first
binder: release 32523:32525 transaction 2392 out, still active
binder: BINDER_SET_CONTEXT_MGR already set
binder: 32523:32526 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: release 32523:32524 transaction 2392 in, still active
binder: send failed reply for transaction 2392, target dead
binder: 32550:32552 transaction failed 29201/-28, size 2055027769442799792--6619098067854819097 line 3137
binder: release 32535:32539 transaction 2395 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: release 32535:32537 transaction 2395 in, still active
binder: send failed reply for transaction 2395, target dead
binder: 32561:32565 got new transaction with bad transaction stack, transaction 2401 has target 32561:32563
uinput: write device info first
binder: 32561:32565 transaction failed 29201/-71, size 0-0 line 3041
uinput: write device info first
binder: release 32550:32552 transaction 2398 out, still active
binder: BINDER_SET_CONTEXT_MGR already set
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: 32550:32574 ioctl 40046207 0 returned -16
binder: release 32550:32551 transaction 2398 in, still active
binder: send failed reply for transaction 2398, target dead
binder: 32550:32575 transaction failed 29189/-22, size 0-0 line 3014
binder: undelivered TRANSACTION_ERROR: 29189
binder: 32578:32581 got new transaction with bad transaction stack, transaction 2405 has target 32578:32579
binder: 32578:32581 transaction failed 29201/-71, size 0-0 line 3041
binder: release 32561:32565 transaction 2401 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29201
binder: BINDER_SET_CONTEXT_MGR already set
binder: 32588:32589 ioctl 40046207 0 returned -16