audit: type=1804 audit(1571531747.192:106): pid=11406 uid=0 auid=4294967295 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 op="invalid_pcr" cause="open_writers" comm="syz-executor.5" name="/root/syzkaller-testdir655376845/syzkaller.Fh85NR/179/file0/file0" dev="sda1" ino=16865 res=1
block nbd2: shutting down sockets

============================================
WARNING: possible recursive locking detected
4.14.150 #0 Not tainted
--------------------------------------------
kworker/u5:1/11413 is trying to acquire lock:
 ("knbd%d-recv"nbd->index){+.+.}, at: [] flush_workqueue+0xda/0x1400 kernel/workqueue.c:2613

but task is already holding lock:
 ("knbd%d-recv"nbd->index){+.+.}, at: [] work_static include/linux/workqueue.h:199 [inline]
 ("knbd%d-recv"nbd->index){+.+.}, at: [] set_work_data kernel/workqueue.c:619 [inline]
 ("knbd%d-recv"nbd->index){+.+.}, at: [] set_work_pool_and_clear_pending kernel/workqueue.c:646 [inline]
 ("knbd%d-recv"nbd->index){+.+.}, at: [] process_one_work+0x76e/0x1600 kernel/workqueue.c:2085

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock("knbd%d-recv"nbd->index);
  lock("knbd%d-recv"nbd->index);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

3 locks held by kworker/u5:1/11413:
 #0: ("knbd%d-recv"nbd->index){+.+.}, at: [] work_static include/linux/workqueue.h:199 [inline]
 #0: ("knbd%d-recv"nbd->index){+.+.}, at: [] set_work_data kernel/workqueue.c:619 [inline]
 #0: ("knbd%d-recv"nbd->index){+.+.}, at: [] set_work_pool_and_clear_pending kernel/workqueue.c:646 [inline]
 #0: ("knbd%d-recv"nbd->index){+.+.}, at: [] process_one_work+0x76e/0x1600 kernel/workqueue.c:2085
 #1: ((&args->work)){+.+.}, at: [] process_one_work+0x7ab/0x1600 kernel/workqueue.c:2089
 #2: (&nbd->config_lock){+.+.}, at: [] refcount_dec_and_mutex_lock lib/refcount.c:312 [inline]
 #2: (&nbd->config_lock){+.+.}, at: [] refcount_dec_and_mutex_lock+0x49/0x6c lib/refcount.c:307

stack backtrace:
CPU: 0 PID: 11413 Comm: kworker/u5:1 Not tainted 4.14.150 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
kobject: 'loop4' (ffff8880a4a6ca20): kobject_uevent_env
Workqueue: knbd2-recv recv_work
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x197 lib/dump_stack.c:53
 print_deadlock_bug kernel/locking/lockdep.c:1796 [inline]
 check_deadlock kernel/locking/lockdep.c:1843 [inline]
 validate_chain kernel/locking/lockdep.c:2444 [inline]
 __lock_acquire.cold+0x2bf/0x8dc kernel/locking/lockdep.c:3487
 lock_acquire+0x16f/0x430 kernel/locking/lockdep.c:3994
 flush_workqueue+0x109/0x1400 kernel/workqueue.c:2616
kobject: 'loop4' (ffff8880a4a6ca20): fill_kobj_path: path = '/devices/virtual/block/loop4'
 drain_workqueue+0x177/0x3e0 kernel/workqueue.c:2781
 destroy_workqueue+0x21/0x620 kernel/workqueue.c:4088
 nbd_config_put+0x43c/0x7a0 drivers/block/nbd.c:1124
 recv_work+0x18d/0x1f0 drivers/block/nbd.c:724
 process_one_work+0x863/0x1600 kernel/workqueue.c:2114
 worker_thread+0x5d9/0x1050 kernel/workqueue.c:2248
 kthread+0x319/0x430 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
kobject: 'loop4' (ffff8880a4a6ca20): kobject_uevent_env
kobject: 'loop4' (ffff8880a4a6ca20): fill_kobj_path: path = '/devices/virtual/block/loop4'
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.4'.
kobject: 'bridge2' (ffff888058668d30): kobject_add_internal: parent: 'net', set: 'devices'
kobject: 'bridge2' (ffff888058668d30): kobject_uevent_env
kobject: 'bridge2' (ffff888058668d30): fill_kobj_path: path = '/devices/virtual/net/bridge2'
kobject: 'queues' (ffff88809f2ff948): kobject_add_internal: parent: 'bridge2', set: ''
kobject: 'queues' (ffff88809f2ff948): kobject_uevent_env
kobject: 'queues' (ffff88809f2ff948): kobject_uevent_env: filter function caused the event to drop!
kobject: 'rx-0' (ffff8880a1b07490): kobject_add_internal: parent: 'queues', set: 'queues'
kobject: 'rx-0' (ffff8880a1b07490): kobject_uevent_env
kobject: 'rx-0' (ffff8880a1b07490): fill_kobj_path: path = '/devices/virtual/net/bridge2/queues/rx-0'
kobject: 'tx-0' (ffff888093afc518): kobject_add_internal: parent: 'queues', set: 'queues'
kobject: 'loop5' (ffff8880a4abcaa0): kobject_uevent_env
kobject: 'loop5' (ffff8880a4abcaa0): fill_kobj_path: path = '/devices/virtual/block/loop5'
kobject: 'tx-0' (ffff888093afc518): kobject_uevent_env
kobject: 'tx-0' (ffff888093afc518): fill_kobj_path: path = '/devices/virtual/net/bridge2/queues/tx-0'
kobject: 'kvm' (ffff888219fb2d90): kobject_uevent_env
kobject: 'kvm' (ffff888219fb2d90): fill_kobj_path: path = '/devices/virtual/misc/kvm'
kobject: 'brif' (ffff88808292f280): kobject_add_internal: parent: 'bridge2', set: ''
kobject: 'batman_adv' (ffff8880a7d9b000): kobject_add_internal: parent: 'bridge2', set: ''
kobject: 'loop4' (ffff8880a4a6ca20): kobject_uevent_env
kobject: 'loop4' (ffff8880a4a6ca20): fill_kobj_path: path = '/devices/virtual/block/loop4'
kobject: 'loop3' (ffff8880a49de9a0): kobject_uevent_env
kobject: 'loop3' (ffff8880a49de9a0): fill_kobj_path: path = '/devices/virtual/block/loop3'
net_ratelimit: 18 callbacks suppressed
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
kobject: 'kvm' (ffff888219fb2d90): kobject_uevent_env
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
kobject: 'kvm' (ffff888219fb2d90): fill_kobj_path: path = '/devices/virtual/misc/kvm'
kobject: 'loop5' (ffff8880a4abcaa0): kobject_uevent_env
kobject: 'loop5' (ffff8880a4abcaa0): fill_kobj_path: path = '/devices/virtual/block/loop5'
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
net_ratelimit: 22 callbacks suppressed
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1