PF_BRIDGE: br_mdb_parse() with invalid ifindex ====================================================== WARNING: possible circular locking dependency detected 4.14.307-syzkaller #0 Not tainted ------------------------------------------------------ syz-executor.5/10704 is trying to acquire lock: (&bdev->bd_mutex){+.+.}, at: [] blkdev_reread_part+0x1b/0x40 block/ioctl.c:192 but task is already holding lock: (&nbd->config_lock){+.+.}, at: [] nbd_ioctl+0x11f/0xad0 drivers/block/nbd.c:1369 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (&nbd->config_lock){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 nbd_open+0x1ac/0x370 drivers/block/nbd.c:1422 __blkdev_get+0x306/0x1090 fs/block_dev.c:1470 blkdev_get+0x88/0x890 fs/block_dev.c:1611 blkdev_open+0x1cc/0x250 fs/block_dev.c:1772 do_dentry_open+0x44b/0xec0 fs/open.c:777 vfs_open+0x105/0x220 fs/open.c:888 do_last fs/namei.c:3428 [inline] path_openat+0x628/0x2970 fs/namei.c:3571 do_filp_open+0x179/0x3c0 fs/namei.c:3605 do_sys_open+0x296/0x410 fs/open.c:1081 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x5e/0xd3 -> #1 (nbd_index_mutex){+.+.}: __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 nbd_open+0x1e/0x370 drivers/block/nbd.c:1409 __blkdev_get+0x306/0x1090 fs/block_dev.c:1470 blkdev_get+0x88/0x890 fs/block_dev.c:1611 blkdev_open+0x1cc/0x250 fs/block_dev.c:1772 do_dentry_open+0x44b/0xec0 fs/open.c:777 vfs_open+0x105/0x220 fs/open.c:888 do_last fs/namei.c:3428 [inline] path_openat+0x628/0x2970 fs/namei.c:3571 do_filp_open+0x179/0x3c0 fs/namei.c:3605 do_sys_open+0x296/0x410 fs/open.c:1081 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x5e/0xd3 -> #0 (&bdev->bd_mutex){+.+.}: lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 blkdev_reread_part+0x1b/0x40 block/ioctl.c:192 nbd_bdev_reset drivers/block/nbd.c:1076 [inline] nbd_clear_sock_ioctl drivers/block/nbd.c:1282 [inline] __nbd_ioctl drivers/block/nbd.c:1306 [inline] nbd_ioctl+0x802/0xad0 drivers/block/nbd.c:1376 __blkdev_driver_ioctl block/ioctl.c:297 [inline] blkdev_ioctl+0x540/0x1830 block/ioctl.c:594 block_ioctl+0xd9/0x120 fs/block_dev.c:1893 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:500 [inline] do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684 SYSC_ioctl fs/ioctl.c:701 [inline] SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x5e/0xd3 other info that might help us debug this: Chain exists of: &bdev->bd_mutex --> nbd_index_mutex --> &nbd->config_lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&nbd->config_lock); lock(nbd_index_mutex); lock(&nbd->config_lock); lock(&bdev->bd_mutex); *** DEADLOCK *** 1 lock held by syz-executor.5/10704: #0: (&nbd->config_lock){+.+.}, at: [] nbd_ioctl+0x11f/0xad0 drivers/block/nbd.c:1369 stack backtrace: CPU: 0 PID: 10704 Comm: syz-executor.5 Not tainted 4.14.307-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x281 lib/dump_stack.c:58 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258 check_prev_add kernel/locking/lockdep.c:1905 [inline] check_prevs_add kernel/locking/lockdep.c:2022 [inline] validate_chain kernel/locking/lockdep.c:2464 [inline] __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998 __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893 blkdev_reread_part+0x1b/0x40 block/ioctl.c:192 nbd_bdev_reset drivers/block/nbd.c:1076 [inline] nbd_clear_sock_ioctl drivers/block/nbd.c:1282 [inline] __nbd_ioctl drivers/block/nbd.c:1306 [inline] nbd_ioctl+0x802/0xad0 drivers/block/nbd.c:1376 __blkdev_driver_ioctl block/ioctl.c:297 [inline] blkdev_ioctl+0x540/0x1830 block/ioctl.c:594 block_ioctl+0xd9/0x120 fs/block_dev.c:1893 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:500 [inline] do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684 SYSC_ioctl fs/ioctl.c:701 [inline] SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x5e/0xd3 RIP: 0033:0x7f6083bf50f9 RSP: 002b:00007f6082167168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f6083d14f80 RCX: 00007f6083bf50f9 RDX: 0000000000000000 RSI: 000000000000ab04 RDI: 0000000000000003 RBP: 00007f6083c50ae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffcb20e598f R14: 00007f6082167300 R15: 0000000000022000 netlink: 52 bytes leftover after parsing attributes in process `syz-executor.5'. netlink: 120 bytes leftover after parsing attributes in process `syz-executor.5'. netlink: 32 bytes leftover after parsing attributes in process `syz-executor.1'. netlink: 8 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 532 bytes leftover after parsing attributes in process `syz-executor.1'. sit0: Invalid MTU 536871552 requested, hw max 65555 netlink: 8 bytes leftover after parsing attributes in process `syz-executor.2'. netlink: 52 bytes leftover after parsing attributes in process `syz-executor.0'. IPVS: ftp: loaded support on port[0] = 21 audit: type=1326 audit(1677962642.255:21): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=11756 comm="syz-executor.0" exe="/root/syz-executor.0" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f94512f70f9 code=0x0 audit: type=1326 audit(1677962642.325:22): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=11773 comm="syz-executor.3" exe="/root/syz-executor.3" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f4997f440f9 code=0x0 audit: type=1326 audit(1677962643.125:23): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=11814 comm="syz-executor.0" exe="/root/syz-executor.0" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f94512f70f9 code=0x0 audit: type=1326 audit(1677962643.185:24): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=11835 comm="syz-executor.0" exe="/root/syz-executor.0" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f94512f70f9 code=0x0 ====================================================== WARNING: the mand mount option is being deprecated and will be removed in v5.15! ====================================================== audit: type=1326 audit(1677962644.055:25): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=11873 comm="syz-executor.3" exe="/root/syz-executor.3" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f4997f440f9 code=0x0 audit: type=1326 audit(1677962644.865:26): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=11905 comm="syz-executor.3" exe="/root/syz-executor.3" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f4997f440f9 code=0x0 Unknown ioctl -1072143861