hrtimer: interrupt took 28942 ns
block nbd3: shutting down sockets

======================================================
WARNING: possible circular locking dependency detected
4.14.307-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.3/10153 is trying to acquire lock:
 (&bdev->bd_mutex){+.+.}, at: [] blkdev_reread_part+0x1b/0x40 block/ioctl.c:192

but task is already holding lock:
 (&nbd->config_lock){+.+.}, at: [] nbd_ioctl+0x11f/0xad0 drivers/block/nbd.c:1369

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&nbd->config_lock){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       nbd_open+0x1ac/0x370 drivers/block/nbd.c:1422
       __blkdev_get+0x306/0x1090 fs/block_dev.c:1470
       blkdev_get+0x88/0x890 fs/block_dev.c:1611
       blkdev_open+0x1cc/0x250 fs/block_dev.c:1772
       do_dentry_open+0x44b/0xec0 fs/open.c:777
       vfs_open+0x105/0x220 fs/open.c:888
       do_last fs/namei.c:3428 [inline]
       path_openat+0x628/0x2970 fs/namei.c:3571
       do_filp_open+0x179/0x3c0 fs/namei.c:3605
       do_sys_open+0x296/0x410 fs/open.c:1081
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

-> #1 (nbd_index_mutex){+.+.}:
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       nbd_open+0x1e/0x370 drivers/block/nbd.c:1409
       __blkdev_get+0x306/0x1090 fs/block_dev.c:1470
       blkdev_get+0x88/0x890 fs/block_dev.c:1611
       blkdev_open+0x1cc/0x250 fs/block_dev.c:1772
       do_dentry_open+0x44b/0xec0 fs/open.c:777
       vfs_open+0x105/0x220 fs/open.c:888
       do_last fs/namei.c:3428 [inline]
       path_openat+0x628/0x2970 fs/namei.c:3571
       do_filp_open+0x179/0x3c0 fs/namei.c:3605
       do_sys_open+0x296/0x410 fs/open.c:1081
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

-> #0 (&bdev->bd_mutex){+.+.}:
       lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
       __mutex_lock_common kernel/locking/mutex.c:756 [inline]
       __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
       blkdev_reread_part+0x1b/0x40 block/ioctl.c:192
       nbd_bdev_reset drivers/block/nbd.c:1076 [inline]
       nbd_clear_sock_ioctl drivers/block/nbd.c:1282 [inline]
       __nbd_ioctl drivers/block/nbd.c:1306 [inline]
       nbd_ioctl+0x802/0xad0 drivers/block/nbd.c:1376
       __blkdev_driver_ioctl block/ioctl.c:297 [inline]
       blkdev_ioctl+0x540/0x1830 block/ioctl.c:594
       block_ioctl+0xd9/0x120 fs/block_dev.c:1893
       vfs_ioctl fs/ioctl.c:46 [inline]
       file_ioctl fs/ioctl.c:500 [inline]
       do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
       SYSC_ioctl fs/ioctl.c:701 [inline]
       SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
       do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
       entry_SYSCALL_64_after_hwframe+0x5e/0xd3

other info that might help us debug this:

Chain exists of:
  &bdev->bd_mutex --> nbd_index_mutex --> &nbd->config_lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&nbd->config_lock);
                               lock(nbd_index_mutex);
                               lock(&nbd->config_lock);
  lock(&bdev->bd_mutex);

 *** DEADLOCK ***

1 lock held by syz-executor.3/10153:
 #0:  (&nbd->config_lock){+.+.}, at: [] nbd_ioctl+0x11f/0xad0 drivers/block/nbd.c:1369

stack backtrace:
CPU: 0 PID: 10153 Comm: syz-executor.3 Not tainted 4.14.307-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_circular_bug.constprop.0.cold+0x2d7/0x41e kernel/locking/lockdep.c:1258
 check_prev_add kernel/locking/lockdep.c:1905 [inline]
 check_prevs_add kernel/locking/lockdep.c:2022 [inline]
 validate_chain kernel/locking/lockdep.c:2464 [inline]
 __lock_acquire+0x2e0e/0x3f20 kernel/locking/lockdep.c:3491
 lock_acquire+0x170/0x3f0 kernel/locking/lockdep.c:3998
 __mutex_lock_common kernel/locking/mutex.c:756 [inline]
 __mutex_lock+0xc4/0x1310 kernel/locking/mutex.c:893
 blkdev_reread_part+0x1b/0x40 block/ioctl.c:192
 nbd_bdev_reset drivers/block/nbd.c:1076 [inline]
 nbd_clear_sock_ioctl drivers/block/nbd.c:1282 [inline]
 __nbd_ioctl drivers/block/nbd.c:1306 [inline]
 nbd_ioctl+0x802/0xad0 drivers/block/nbd.c:1376
 __blkdev_driver_ioctl block/ioctl.c:297 [inline]
 blkdev_ioctl+0x540/0x1830 block/ioctl.c:594
 block_ioctl+0xd9/0x120 fs/block_dev.c:1893
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x5e/0xd3
RIP: 0033:0x7f52fd06b0f9
RSP: 002b:00007f52fb5dd168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f52fd18af80 RCX: 00007f52fd06b0f9
RDX: 0000000000000000 RSI: 000000000000ab04 RDI: 0000000000000009
RBP: 00007f52fd0c6ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc034ed14f R14: 00007f52fb5dd300 R15: 0000000000022000
block nbd3: shutting down sockets
EXT4-fs (loop2): mounted filesystem without journal. Opts: barrier,errors=remount-ro,abort,nodiscard,usrjquota=,
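The report above records two lock orders that cannot both be safe. The open() path (chains #2 and #1) takes &bdev->bd_mutex in __blkdev_get and then, inside nbd_open, nbd_index_mutex and &nbd->config_lock. The NBD_CLEAR_SOCK ioctl (RSI 0xab04, chain #0) holds &nbd->config_lock in nbd_ioctl and then takes &bdev->bd_mutex through nbd_bdev_reset -> blkdev_reread_part. The C program below is an added example, not code from the kernel, from the nbd driver or from syzkaller: it is a small model of lockdep's dependency graph (held lock --> acquired lock edges, cycle search on each new edge) that replays those two acquisition sequences and flags the cycle in whichever order the two paths run, just as the report does. The last replay, which drops the nesting in the ioctl path, is a hypothetical illustration of why the cycle disappears; it is not the upstream fix for this report.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Lock classes named as in the lockdep report above. */
enum lock_class {
	BD_MUTEX,        /* &bdev->bd_mutex   (fs/block_dev.c, block/ioctl.c) */
	NBD_INDEX_MUTEX, /* nbd_index_mutex   (drivers/block/nbd.c)           */
	CONFIG_LOCK,     /* &nbd->config_lock (drivers/block/nbd.c)           */
	NR_LOCKS
};

static const char *const lock_name[NR_LOCKS] = {
	"&bdev->bd_mutex", "nbd_index_mutex", "&nbd->config_lock",
};

/* dep[a][b]: class a has been held while class b was acquired (a --> b). */
static bool dep[NR_LOCKS][NR_LOCKS];

/* Per-task held-lock stack in acquisition order, as lockdep keeps it. */
struct task {
	enum lock_class held[NR_LOCKS];
	int depth;
};

/* Forget every recorded dependency (a fresh boot, in lockdep terms). */
static void lockdep_reset(void)
{
	memset(dep, 0, sizeof(dep));
}

/* Depth-first search: is `to` already reachable from `from`? */
static bool reachable(enum lock_class from, enum lock_class to, bool *seen)
{
	if (from == to)
		return true;
	seen[from] = true;
	for (int next = 0; next < NR_LOCKS; next++)
		if (dep[from][next] && !seen[next] &&
		    reachable((enum lock_class)next, to, seen))
			return true;
	return false;
}

/*
 * Acquire class l for task t. Each lock already held would gain an edge
 * held --> l. If l can already reach that held lock, the new edge closes a
 * cycle, which is what lockdep prints as "possible circular locking
 * dependency". Returns false without recording anything in that case.
 */
static bool lock_acquire(struct task *t, enum lock_class l)
{
	for (int i = 0; i < t->depth; i++) {
		bool seen[NR_LOCKS] = { false };
		enum lock_class prev = t->held[i];

		if (reachable(l, prev, seen)) {
			printf("circular dependency: %s --> ... --> %s, "
			       "but task holds %s and wants %s\n",
			       lock_name[l], lock_name[prev],
			       lock_name[prev], lock_name[l]);
			return false;
		}
	}
	for (int i = 0; i < t->depth; i++)
		dep[t->held[i]][l] = true;
	t->held[t->depth++] = l;
	return true;
}

/* Locks are released in LIFO order, matching the nested mutex_lock calls. */
static void lock_release(struct task *t)
{
	if (t->depth > 0)
		t->depth--;
}

/* open(): __blkdev_get holds bd_mutex; nbd_open takes nbd_index_mutex
 * (nbd.c:1409) and then config_lock (nbd.c:1422). Chains #2 and #1. */
static bool replay_nbd_open(void)
{
	struct task t = { .depth = 0 };
	bool ok = lock_acquire(&t, BD_MUTEX) &&
		  lock_acquire(&t, NBD_INDEX_MUTEX) &&
		  lock_acquire(&t, CONFIG_LOCK);
	while (t.depth)
		lock_release(&t);
	return ok;
}

/* NBD_CLEAR_SOCK ioctl: nbd_ioctl holds config_lock (nbd.c:1369), then
 * nbd_bdev_reset -> blkdev_reread_part takes bd_mutex (ioctl.c:192). Chain #0. */
static bool replay_nbd_clear_sock_ioctl(void)
{
	struct task t = { .depth = 0 };
	bool ok = lock_acquire(&t, CONFIG_LOCK) &&
		  lock_acquire(&t, BD_MUTEX);
	while (t.depth)
		lock_release(&t);
	return ok;
}

/* Hypothetical variant (illustration only, not the upstream fix): drop
 * config_lock before taking bd_mutex, so no config_lock --> bd_mutex edge
 * is ever recorded and the open() order stays acyclic. */
static bool replay_ioctl_without_nesting(void)
{
	struct task t = { .depth = 0 };
	bool ok = lock_acquire(&t, CONFIG_LOCK);
	lock_release(&t);
	ok = ok && lock_acquire(&t, BD_MUTEX);
	lock_release(&t);
	return ok;
}

int main(void)
{
	lockdep_reset();
	printf("open path:  %s\n", replay_nbd_open() ? "ok" : "DEADLOCK");
	printf("ioctl path: %s\n", replay_nbd_clear_sock_ioctl() ? "ok" : "DEADLOCK");
	return 0;
}
```

Running the two replays in either order reproduces the report: whichever path goes second is the one that trips the cycle check, which is why lockdep's "in reverse order" chain lists the open() path as #2/#1 and the ioctl acquisition as #0 here, while a different fuzzing run could show the mirror image.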
EXT4-fs error (device loop2): ext4_find_extent:928: inode #2: comm syz-executor.2: pblk 1 bad header/extent: invalid magic - magic 2, entries 0, max 3(0), depth 0(4)
EXT4-fs (loop2): Remounting filesystem read-only
EXT4-fs error (device loop2): ext4_find_extent:928: inode #2: comm syz-executor.2: pblk 1 bad header/extent: invalid magic - magic 2, entries 0, max 3(0), depth 0(4)
kauditd_printk_skb: 11 callbacks suppressed
audit: type=1326 audit(1678058695.954:23): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=10454 comm="syz-executor.5" exe="/root/syz-executor.5" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f7e7122c0f9 code=0x0
audit: type=1326 audit(1678058696.004:24): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=10452 comm="syz-executor.3" exe="/root/syz-executor.3" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f52fd06b0f9 code=0x0
EXT4-fs (loop2): mounted filesystem without journal. Opts: barrier,errors=remount-ro,abort,nodiscard,usrjquota=,
EXT4-fs error (device loop2): ext4_find_extent:928: inode #2: comm syz-executor.2: pblk 1 bad header/extent: invalid magic - magic 2, entries 0, max 3(0), depth 0(4)
EXT4-fs (loop2): Remounting filesystem read-only
EXT4-fs error (device loop2): ext4_find_extent:928: inode #2: comm syz-executor.2: pblk 1 bad header/extent: invalid magic - magic 2, entries 0, max 3(0), depth 0(4)
audit: type=1326 audit(1678058696.124:25): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=10481 comm="syz-executor.1" exe="/root/syz-executor.1" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f3e033dc0f9 code=0x0
EXT4-fs (loop2): mounted filesystem without journal. Opts: barrier,errors=remount-ro,abort,nodiscard,usrjquota=,
EXT4-fs error (device loop2): ext4_find_extent:928: inode #2: comm syz-executor.2: pblk 1 bad header/extent: invalid magic - magic 2, entries 0, max 3(0), depth 0(4)
EXT4-fs (loop2): Remounting filesystem read-only
EXT4-fs error (device loop2): ext4_find_extent:928: inode #2: comm syz-executor.2: pblk 1 bad header/extent: invalid magic - magic 2, entries 0, max 3(0), depth 0(4)
EXT4-fs (loop2): mounted filesystem without journal. Opts: barrier,errors=remount-ro,abort,nodiscard,usrjquota=,
EXT4-fs error (device loop2): ext4_find_extent:928: inode #2: comm syz-executor.2: pblk 1 bad header/extent: invalid magic - magic 2, entries 0, max 3(0), depth 0(4)
EXT4-fs (loop2): Remounting filesystem read-only
EXT4-fs error (device loop2): ext4_find_extent:928: inode #2: comm syz-executor.2: pblk 1 bad header/extent: invalid magic - magic 2, entries 0, max 3(0), depth 0(4)
audit: type=1326 audit(1678058696.654:26): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=10614 comm="syz-executor.0" exe="/root/syz-executor.0" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f516ce0b0f9 code=0x0
audit: type=1326 audit(1678058696.704:27): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=10625 comm="syz-executor.4" exe="/root/syz-executor.4" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7fd5fae980f9 code=0x0
audit: type=1326 audit(1678058696.744:28): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=10635 comm="syz-executor.0" exe="/root/syz-executor.0" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f516ce0b0f9 code=0x0
audit: type=1326 audit(1678058696.804:29): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=10655 comm="syz-executor.3" exe="/root/syz-executor.3" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f52fd06b0f9 code=0x0
audit: type=1326 audit(1678058696.964:30): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=10698 comm="syz-executor.5" exe="/root/syz-executor.5" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f7e7122c0f9 code=0x0
syz-executor.1 calls setitimer() with new_value NULL pointer. Misfeature support will be removed
L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
netlink: 184 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 28 bytes leftover after parsing attributes in process `syz-executor.2'.
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
chnl_net:chnl_net_open(): err: Unable to register and open device, Err:-19
caif:caif_disconnect_client(): nothing to disconnect
chnl_net:chnl_flowctrl_cb(): NET flowctrl func called flow: CLOSE/DEINIT
chnl_net:chnl_net_open(): state disconnected
A link change request failed with some changes committed already. Interface caif0 may have been left with an inconsistent configuration, please check.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.5'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'.
netlink: 172 bytes leftover after parsing attributes in process `syz-executor.1'.
PF_BRIDGE: RTM_SETLINK with unknown ifindex
audit: type=1326 audit(1678058699.984:31): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=11183 comm="syz-executor.4" exe="/root/syz-executor.4" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7fd5fae980f9 code=0x0
PF_BRIDGE: RTM_SETLINK with unknown ifindex
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'.
netlink: 20 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.1'.
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor.5'.
Zero length message leads to an empty skb
audit: type=1326 audit(1678058701.474:32): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=11430 comm="syz-executor.0" exe="/root/syz-executor.0" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f516ce0b0f9 code=0x0
audit: type=1326 audit(1678058701.504:33): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=11430 comm="syz-executor.0" exe="/root/syz-executor.0" sig=31 arch=c000003e syscall=3 compat=0 ip=0x7f516cdbcfab code=0x0
audit: type=1326 audit(1678058701.654:34): auid=4294967295 uid=0 gid=0 ses=4294967295 pid=11466 comm="syz-executor.5" exe="/root/syz-executor.5" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f7e7122c0f9 code=0x0
device lo entered promiscuous mode
device tunl0 entered promiscuous mode
device gre0 entered promiscuous mode
device gretap0 entered promiscuous mode
device erspan0 entered promiscuous mode
device ip_vti0 entered promiscuous mode
device ip6_vti0 entered promiscuous mode
device sit0 entered promiscuous mode
device ip6tnl0 entered promiscuous mode
device ip6gre0 entered promiscuous mode
device syz_tun entered promiscuous mode
device ip6gretap0 entered promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
bridge0: port 1(bridge_slave_0) entered disabled state
device bridge0 entered promiscuous mode
device vcan0 entered promiscuous mode
device bond0 entered promiscuous mode
device bond_slave_0 entered promiscuous mode
device bond_slave_1 entered promiscuous mode
device team0 entered promiscuous mode
device team_slave_0 entered promiscuous mode
device team_slave_1 entered promiscuous mode
device dummy0 entered promiscuous mode
device nlmon0 entered promiscuous mode
device caif0 entered promiscuous mode
device batadv0 entered promiscuous mode
device vxcan0 entered promiscuous mode
device vxcan1 entered promiscuous mode
device veth0 entered promiscuous mode
device veth1 entered promiscuous mode
device veth0_to_bridge entered promiscuous mode
device veth1_to_bridge entered promiscuous mode
device veth0_to_bond entered promiscuous mode
device veth1_to_bond entered promiscuous mode
device veth0_to_team entered promiscuous mode
device veth1_to_team entered promiscuous mode
device veth0_to_batadv entered promiscuous mode
batman_adv: batadv0: Interface deactivated: batadv_slave_0
device batadv_slave_0 entered promiscuous mode
device veth1_to_batadv entered promiscuous mode
batman_adv: batadv0: Interface deactivated: batadv_slave_1
device batadv_slave_1 entered promiscuous mode
device veth0_to_hsr entered promiscuous mode
device veth1_to_hsr entered promiscuous mode
device hsr0 entered promiscuous mode
device veth1_virt_wifi entered promiscuous mode
device veth0_virt_wifi entered promiscuous mode
device vlan0 entered promiscuous mode
device vlan1 entered promiscuous mode
device macvlan0 entered promiscuous mode
device macvlan1 entered promiscuous mode
device ipvlan0 entered promiscuous mode
device ipvlan1 entered promiscuous mode
device macvtap0 entered promiscuous mode
device macsec0 entered promiscuous mode
device geneve0 entered promiscuous mode
device geneve1 entered promiscuous mode
syz-executor.4 (11473) used greatest stack depth: 24992 bytes left
cannot load conntrack support for proto=10
unregister_netdevice: waiting for ip6gre0 to become free. Usage count = -1
netlink: 4472 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 16 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 4 bytes leftover after parsing attributes in process `syz-executor.2'.