[syzbot] [nbd?] possible deadlock in nbd_ioctl

[syzbot <syzbot+7f46fdd7673b5fec63ac@syzkaller.appspotmail.com>]

Hello,

syzbot found the following issue on:

HEAD commit:    4cb6c8af8591 selftests/filesystems: Fix build of anon_inod..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=101dbed4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4db24c5f80c69f73
dashboard link: https://syzkaller.appspot.com/bug?extid=7f46fdd7673b5fec63ac
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: i386

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-4cb6c8af.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/03a3203c4877/vmlinux-4cb6c8af.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5da3a32140dd/bzImage-4cb6c8af.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7f46fdd7673b5fec63ac@syzkaller.appspotmail.com

	��z\x13\0\x1dj\x01�z/w\x05$��(>��T\v\x04\x01�|�h���\x7f�3\x05\f��\v7�`(*����x�k"޺�G\x16zR����Ao\x0fO�ź�\x14:m@dc�~້��]�F\x01#\x17���<���H�K�S�_\x10	}� �&4�ҽ�:�\fB�@Y�a\x10��H{�I��ȃ�1�/�t�683�-�H�Ӈ՟O�6d��g\x15;��z���G�X�4W\b�6B�g���\�"\\x19�V[1�C�\x1c� c��[H\x0f+���Q�K��l�,NJ��Tt0\f\x05\x1a\x16�\x1e��O3 �~�7�T7�i\x11�[  234.907471][T11482] 
��\x03�BJ*\x1d੗M�<\x18O[  234.908368][T11482] ======================================================
�b�4\x12�2\x03٬\x1d�x/��[  234.911186][T11482] WARNING: possible circular locking dependency detected
ϭ�:+��މ��3l"0�[  234.913886][T11482] 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 Not tainted
Z��d�\bO#��̵G<'�[  234.917367][T11482] ------------------------------------------------------
-�P�%�p���m\x04xB?=[  234.921230][T11482] syz.2.1726/11482 is trying to acquire lock:
̞\v�K�\x13�;\x0f���m$[  234.947847][T11482]        nbd_config_put+0x31/0x750 drivers/block/nbd.c:1423
8\x04������I@�;��͊[  234.950419][T11482]        nbd_release+0xb7/0x190 drivers/block/nbd.c:1735
rmDD"�����eр>w\x01[  234.952630][T11482]        blkdev_put_whole+0xad/0xf0 block/bdev.c:721
��j&\x14/\x1eoc���i�!i[  234.954759][T11482]        bdev_release+0x47e/0x6d0 block/bdev.c:1144
�P_yQ2�3@��\x15\x1cS�[  234.956801][T11482]        blkdev_release+0x15/0x20 block/fops.c:684
v��yAe]\x1fQ3�L.��p[  234.958866][T11482]        __fput+0x402/0xb70 fs/file_table.c:465
9^�:��\x17l\x03��\x1d\x01�~�[  234.960790][T11482]        fput_close_sync+0x118/0x260 fs/file_table.c:570
X����z\x05��~M\a��&[  234.963382][T11482]        __do_sys_close fs/open.c:1589 [inline]
X����z\x05��~M\a��&[  234.963382][T11482]        __se_sys_close fs/open.c:1574 [inline]
X����z\x05��~M\a��&[  234.963382][T11482]        __x64_sys_close+0x8b/0x120 fs/open.c:1574

H~�h� !�c�N'�[  234.965568][T11482]        do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
H~�h� !�c�N'�[  234.965568][T11482]        do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94
оZ8í �a���πL[  234.967679][T11482]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
R�\x10%�(\x03ޅ��]��Z\x7f[  234.970149][T11482] 
G��\x12Ӆ�\x15\x18Ԗ��\x0fj�[  234.973111][T11482]        __mutex_lock_common kernel/locking/mutex.c:601 [inline]
G��\x12Ӆ�\x15\x18Ԗ��\x0fj�[  234.973111][T11482]        __mutex_lock+0x199/0xb90 kernel/locking/mutex.c:746
���3�\x7f�D^[\f��C9\x1f�[  234.975247][T11482]        __del_gendisk+0xf5/0xbd0 block/genhd.c:706
���R8�\vM�2�xZ\x01��[  234.977457][T11482]        del_gendisk+0x13e/0x1e0 block/genhd.c:819
b\x11��%�#\x14R��|f���[  234.979465][T11482]        loop_remove drivers/block/loop.c:2081 [inline]
b\x11��%�#\x14R��|f���[  234.979465][T11482]        loop_control_remove drivers/block/loop.c:2140 [inline]
b\x11��%�#\x14R��|f���[  234.979465][T11482]        loop_control_ioctl+0x4eb/0x630 drivers/block/loop.c:2178
�\x06�䷓�l_I��\G_b[  234.981839][T11482]        __do_compat_sys_ioctl fs/ioctl.c:1005 [inline]
�\x06�䷓�l_I��\G_b[  234.981839][T11482]        __se_compat_sys_ioctl fs/ioctl.c:948 [inline]
�\x06�䷓�l_I��\G_b[  234.981839][T11482]        __ia32_compat_sys_ioctl+0x23f/0x370 fs/ioctl.c:948
�h�Vi��?�NfgV�Bp[  234.984163][T11482]        do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
�h�Vi��?�NfgV�Bp[  234.984163][T11482]        __do_fast_syscall_32+0x7c/0x3a0 arch/x86/entry/syscall_32.c:306
I+�\x18\x1f�h9\x14�?\x19�� [  234.986400][T11482]        do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331
�Mv�s����>�\x14'�p�[  234.988602][T11482]        entry_SYSENTER_compat_after_hwframe+0x84/0x8e
MX�sQ\x17�.�`��l�[  234.991286][T11482] 
q�x��I��\x18�z4Rg[�[  234.994371][T11482]        check_prev_add kernel/locking/lockdep.c:3168 [inline]
q�x��I��\x18�z4Rg[�[  234.994371][T11482]        check_prevs_add kernel/locking/lockdep.c:3287 [inline]
q�x��I��\x18�z4Rg[�[  234.994371][T11482]        validate_chain kernel/locking/lockdep.c:3911 [inline]
q�x��I��\x18�z4Rg[�[  234.994371][T11482]        __lock_acquire+0x126f/0x1c90 kernel/locking/lockdep.c:5240
Ҫa_�^\x17�AHz��z\x7f/[  234.996519][T11482]        lock_acquire kernel/locking/lockdep.c:5871 [inline]
Ҫa_�^\x17�AHz��z\x7f/[  234.996519][T11482]        lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5828
f�2=ah��\x0eeRW����[  234.998553][T11482]        down_write+0x92/0x200 kernel/locking/rwsem.c:1577
5:
&�6�k,c����[  235.000504][T11482]        blk_mq_update_nr_hw_queues+0x32/0xcb0 block/blk-mq.c:5041
�#\x17��VIVH\x10\x12\x16F���[  235.002954][T11482]        nbd_start_device+0x172/0xcd0 drivers/block/nbd.c:1476
`���\x02��
�W\x05�\x0e[  235.005099][T11482]        nbd_start_device_ioctl drivers/block/nbd.c:1527 [inline]
�W\x05�\x0e[  235.005099][T11482]        __nbd_ioctl drivers/block/nbd.c:1602 [inline]
�W\x05�\x0e[  235.005099][T11482]        nbd_ioctl+0x219/0xda0 drivers/block/nbd.c:1642
Vo&W��l����Iir��[  235.007199][T11482]        compat_blkdev_ioctl+0x2ee/0x7a0 block/ioctl.c:760
\x1f\x0f�����d�c���\x1d�[  235.009416][T11482]        __do_compat_sys_ioctl fs/ioctl.c:1005 [inline]
\x1f\x0f�����d�c���\x1d�[  235.009416][T11482]        __se_compat_sys_ioctl fs/ioctl.c:948 [inline]
\x1f\x0f�����d�c���\x1d�[  235.009416][T11482]        __ia32_compat_sys_ioctl+0x23f/0x370 fs/ioctl.c:948
\v\x11�2�-\x1a����\x7fe�d\x17[  235.011817][T11482]        do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
\v\x11�2�-\x1a����\x7fe�d\x17[  235.011817][T11482]        __do_fast_syscall_32+0x7c/0x3a0 arch/x86/entry/syscall_32.c:306
��D�*\x05��.=�8󗴦[  235.014044][T11482]        do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331
��;�\v�?�w����1)\x18[  235.016183][T11482]        entry_SYSENTER_compat_after_hwframe+0x84/0x8e
n�߱[�uy�S W��q�[  235.018768][T11482] 
��5�'Zb�ʌ��0y�m[  235.022468][T11482] Chain exists of:
:��}kk��\x01\x11 |�V�[  235.027258][T11482]  Possible unsafe locking scenario:
ג;�%�+�\x1el\x13�\x01;�H[  235.030064][T11482]        CPU0                    CPU1
���#��\x1co�F�\x1d��J[  235.032316][T11482]        ----                    ----
�;��\x18
!Yg\x06��e\x154[  235.034467][T11482]   lock(&nbd->config_lock);
���\x12<;�ύ����#~�[  235.036367][T11482]                                lock(&disk->open_mutex);
���Op�L�}q�(Q�\x1f�[  235.039016][T11482]                                lock(&nbd->config_lock);
;��gj<��\x1a\x1f�\vN%��[  235.041733][T11482]   lock(&set->update_nr_hwq_lock);
Q�=@�~NHN\x05߄0�4\x12[  235.043812][T11482] 
�\x12�	����gū�\x11��[  235.046785][T11482] 1 lock held by syz.2.1726/11482:
G�,S0\x11l�,��Ðwm"[  235.048846][T11482]  #0: ffff888022f0b230 (&nbd->config_lock){+.+.}-{4:4}, at: nbd_ioctl+0x150/0xda0 drivers/block/nbd.c:1635
;�\x10���o����\x1d\x1f涠[  235.052525][T11482] 
`��H�7��v��\x02���I�j϶U�(\x1e������[  235.055507][T11482] CPU: 0 UID: 0 PID: 11482 Comm: syz.2.1726 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full) 
c�ޗ�Y�m�\x11O\x11[�A�[  235.055528][T11482] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
�Yɜ�0π`��;�W�\x01[  235.055536][T11482] Call Trace:
�d����!�xX~# ���[  235.055541][T11482]  <TASK>
�\x04�;\f\x02�����`VH�[  235.055547][T11482]  __dump_stack lib/dump_stack.c:94 [inline]
�\x04�;\f\x02�����`VH�[  235.055547][T11482]  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
dU����+��\x1c\x1d\x15\x10*�[  235.055563][T11482]  print_circular_bug+0x275/0x350 kernel/locking/lockdep.c:2046
us����^[6;מ�9[<[  235.055603][T11482]  check_prev_add kernel/locking/lockdep.c:3168 [inline]
us����^[6;מ�9[<[  235.055603][T11482]  check_prevs_add kernel/locking/lockdep.c:3287 [inline]
us����^[6;מ�9[<[  235.055603][T11482]  validate_chain kernel/locking/lockdep.c:3911 [inline]
us����^[6;מ�9[<[  235.055603][T11482]  __lock_acquire+0x126f/0x1c90 kernel/locking/lockdep.c:5240
�����*I4\x0f1�=\x02\x19��[  235.055617][T11482]  lock_acquire kernel/locking/lockdep.c:5871 [inline]
�����*I4\x0f1�=\x02\x19��[  235.055617][T11482]  lock_acquire+0x179/0x350 kernel/locking/lockdep.c:5828
E0�A��ϝ���Pn��][  235.055645][T11482]  ? __pfx___might_resched+0x10/0x10 kernel/sched/core.c:5899
�-�Y�����͌��@z=[  235.055677][T11482]  down_write+0x92/0x200 kernel/locking/rwsem.c:1577
�\x05����8\x13���ސ\x03�[  235.055690][T11482]  ? blk_mq_update_nr_hw_queues+0x32/0xcb0 block/blk-mq.c:5041
�[w��+����ؿ�bMU[  235.055718][T11482]  ? __mutex_lock_common kernel/locking/mutex.c:611 [inline]
�[w��+����ؿ�bMU[  235.055718][T11482]  ? __mutex_lock+0x1ca/0xb90 kernel/locking/mutex.c:746
l�\x0f��\x16�e*�4x�\x1c \0[  235.055752][T11482]  blk_mq_update_nr_hw_queues+0x32/0xcb0 block/blk-mq.c:5041
\x7f���8�X��p�|&�d_[  235.055767][T11482]  ? __pfx___mutex_lock+0x10/0x10 usercopy_64.c:-1
\vʚֵ����\x19�->�E�[  235.055797][T11482]  nbd_start_device+0x172/0xcd0 drivers/block/nbd.c:1476
�k]�\x19\x18Pת�	_pv��[  235.055814][T11482]  ? bpf_lsm_capable+0x9/0x10 include/linux/lsm_hook_defs.h:44
S.��R\x06\x01�\b�^�fx,^[  235.055843][T11482]  ? __pfx_nbd_ioctl+0x10/0x10 drivers/block/nbd.c:828
�}m\x13�V�5p/ӯ��Y[  235.055862][T11482]  ? find_held_lock+0x2b/0x80 kernel/locking/lockdep.c:5353
N�ǐ�\x1dS�\x1f\x04\x1c9i`�P[  235.055891][T11482]  compat_blkdev_ioctl+0x2ee/0x7a0 block/ioctl.c:760
\x14\x05�!�(�m[,|"���F[  235.055904][T11482]  ? __pfx_compat_blkdev_ioctl+0x10/0x10 block/ioctl.c:702
 ��w]�e�4w�~�\x01�h[  235.055931][T11482]  __do_compat_sys_ioctl fs/ioctl.c:1005 [inline]
 ��w]�e�4w�~�\x01�h[  235.055931][T11482]  __se_compat_sys_ioctl fs/ioctl.c:948 [inline]
 ��w]�e�4w�~�\x01�h[  235.055931][T11482]  __ia32_compat_sys_ioctl+0x23f/0x370 fs/ioctl.c:948
���2\x049\x1d����b�ڬ\x02[  235.055950][T11482]  do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
���2\x049\x1d����b�ڬ\x02[  235.055950][T11482]  __do_fast_syscall_32+0x7c/0x3a0 arch/x86/entry/syscall_32.c:306
@�ׯ�?\x1d\x18��T\x10���[  235.055964][T11482]  do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331
�R�\x7f��>K���yZ+bt[  235.055977][T11482]  entry_SYSENTER_compat_after_hwframe+0x84/0x8e
�\x7fڞ\x1dW��-bQ\x19�Պ	[  235.055992][T11482] RIP: 0023:0xf7fc5579
~�f�i\0\x15�hv�^��|/[  235.056012][T11482] RSP: 002b:00000000f50e655c EFLAGS: 00000296 ORIG_RAX: 0000000000000036
�x\x12\x02�$,Y���	㣖[  235.056023][T11482] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000000ab03
\x14�A��ɴ�V\x7f�G�\x1aHL[  235.056030][T11482] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
SMK\x15\x15�\x17�*S\x1fu���[  235.056036][T11482] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
L��ݭ�8*�1m&��Q�[  235.056049][T11482] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
�pϿ\x0e5��=�X����\x06�\x1a
�\x02:==�B>\x17];�oF����\fj�+�X��s�m�ogI�OP\0瀎���\x05p�=w���\a�\x1c�姩\x06!z\x17���\0\x7f[\x04ȭ�ׂ\x13G$�[\x10\0�niUJ�\b\�B԰\x01ǯJ���\x05z�\x0f�䐲�G��Y\x18E�]Apaxe\x10�\x1f�&1]\x06�/h�KDRkZ*��E�k7�ܪ\x17c�\v,\f�k*�u?'\x18^[��rϓkV\x0e}'r�e��SJ�ަkpᄔ����\x0f�R��\x03\x1a�\f��\x12$�H$��.\x1eā<W�G@\x0f�?^�'��!�a�)�\0鈏}�"�ܩ�X�\x1axɉR�	G�B;�\x19���j\f�a:N���!�^[&���8���B��r��S��|'V~\x19\x06z04`e���\v��u*\x04�wB�J\a�ѻQ͇b���H1\x062��$\x7f��\x05saئ\x03r��\x13�\a�q�{SαE��M\x01�^[<� �?\x02��N��1�j\x1fҳձ�\x13D�%�K�K�\x1c�\x7f_�рmLؒ�Yͼ_�QM��㇡�;\��*Pt��3�+��\x05|�\x10���Sn��\x1el�?�(�CG\x03���v_0\x1c��ؔ��٧x��\x02}"�-R�!��O\x05��\x19k\x0f\x16/�S��\x03��w�\x01�&��]-z��~\x0e�\x1c�L\x1f�/'� A�T�H%���
�;\x17gz&(�M=\vc�\x13aD�=�i���Y�G�Cӫ�[>`���{������^���\x17�D\x0eY���� ��ۆIdmy/kQm��\x7f��ң�9���t��\0��\x1d\x01F�Vܐ|�A\`K�G���J��\x17�\x14%�.��R\vD\x04h)��T"/0�K\x05�h�B�\x16��\x18��&�ƈ��J�+a
z9�Y2��z����	���\x0e\x14\x1ddX�[E�
SYZFAIL: failed to recv rpc
fd=3 want=4 recv=0 n=0 (errno 9: Bad file descriptor)
E�<�r��V\x1c9	'Nu�\x19\x12xq��=x�\x1d��m��Tlz�=�\x10��\x1acpz�>�J�i�VAoU�m4\aT�[�-\x7f�>`�\x0f�g-^[;��3e-��4$�녋��\x14��6#<�\0\0\x10[  235.199512][T11481] netlink: 4 bytes leftover after parsing attributes in process `syz.6.1727'.


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup