last executing test programs: 0s ago: executing program 0 (id=1): r0 = open_tree$auto(0xffffffffffffff9c, &(0x7f0000001100)='./cgroup\x00', 0x0) newfstatat$auto(r0, &(0x7f0000000140)='./cgroup\x00', &(0x7f00000003c0)={0x5, 0x3c, 0xa3, 0x8001, 0xffffffffffffffff, 0xee00, 0x0, 0x1cd, 0xa89, 0x0, 0x8000000000000000, 0xe76b, 0x2, 0x7fffffff, 0x8, 0x79, 0x8}, 0x1) mmap$auto(0x6, 0x40000a, 0x6, 0x9b72, r0, 0x100000000008001) mmap$auto(0x0, 0x40009, 0xe2, 0x9b72, 0x7, 0x28000) close_range$auto(0x2, 0x8, 0x0) socket(0xa, 0x801, 0x106) bpf$auto(0x0, &(0x7f0000000100)=@task_fd_query={0x7, 0x4, 0x200, 0x3, 0x8, 0xc, 0x2e, 0x0, 0x3}, 0x6f4) bpf$auto(0x1, &(0x7f00000001c0)=@bpf_attr_1={0x3, 0xca99, @value=0x7, 0xa}, 0xc) r1 = socket(0x2, 0x1, 0x106) bind$auto(0x3, &(0x7f0000000040)=@in={0x2, 0x3, @empty}, 0x6a) connect$auto(0x3, &(0x7f0000000080)=@in={0x2, 0x3, @dev={0xac, 0x14, 0x14, 0x26}}, 0x54) shutdown$auto(r1, 0x0) openat$auto_def_blk_fops_fs(0xffffffffffffff9c, &(0x7f0000000000)='/dev/ram7\x00', 0x60742, 0x0) r2 = openat$auto_kernfs_file_fops_kernfs_internal(0xffffffffffffff9c, &(0x7f0000000000)='/sys/devices/virtual/block/nbd6/queue/scheduler\x00', 0x189002, 0x0) sendfile$auto(r2, r2, 0x0, 0x3) shutdown$auto(0x200000003, 0x2) mmap$auto(0x200000000000000, 0x400006, 0xdf, 0x12, 0x2, 0x8001) madvise$auto(0x0, 0xffffffffffff0002, 0x19) mbind$auto(0x2000, 0x100000004, 0x100000000, 0x0, 0x6, 0x2) write$auto(0x3, 0x0, 0x7fffffff) openat$auto_kernfs_file_fops_kernfs_internal(0xffffffffffffff9c, &(0x7f0000000100)='/sys/devices/pci0000:00/waiting_for_supplier\x00', 0x80800, 0x0) openat$auto_tracing_fops_trace(0xffffffffffffff9c, &(0x7f0000000040)='/sys/kernel/tracing/trace\x00', 0x20600, 0x0) unshare$auto(0x40000080) mmap$auto(0x0, 0x400008, 0xdf, 0x9b72, 0x2, 0x8000) ioctl$auto(0xffffffffffffffff, 0x64ce, 0xffffffffffffd4b4) syz_clone(0x40011, 0x0, 0x0, 0x0, 0x0, 0x0) mmap$auto(0x0, 0x2020009, 0x3, 0xeb1, 0xfffffffffffffffa, 0x8000) write$auto_kernfs_file_fops_kernfs_internal(0xffffffffffffffff, &(0x7f0000000200), 0x0) mremap$auto(0x4000, 0xfee0, 0x3fd6, 0x3, 0x18000) kernel console output (not intermixed with test programs): Warning: Permanently added '10.128.0.9' (ED25519) to the list of known hosts. [ 97.001530][ T48] cfg80211: failed to load regulatory.db [ 97.873389][ T5817] cgroup: Unknown subsys name 'net' [ 98.045354][ T5817] cgroup: Unknown subsys name 'cpuset' [ 98.055077][ T5817] cgroup: Unknown subsys name 'rlimit' Setting up swapspace version 1, size = 127995904 bytes [ 99.972684][ T5817] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k [ 102.170900][ T5831] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1 [ 102.191231][ T5831] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9 [ 102.199387][ T5831] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9 [ 102.207885][ T5831] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4 [ 102.220429][ T5831] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2 [ 102.381653][ T5831] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1 [ 102.390487][ T5831] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9 [ 102.398505][ T5831] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9 [ 102.408051][ T5831] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4 [ 102.415939][ T5831] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2 [ 102.460594][ T5831] Bluetooth: hci2: unexpected cc 0x0c03 length: 249 > 1 [ 102.474875][ T5831] Bluetooth: hci2: unexpected cc 0x1003 length: 249 > 9 [ 102.482900][ T5831] Bluetooth: hci2: unexpected cc 0x1001 length: 249 > 9 [ 102.491423][ T5831] Bluetooth: hci2: unexpected cc 0x0c23 length: 249 > 4 [ 102.508267][ T5831] Bluetooth: hci2: unexpected cc 0x0c38 length: 249 > 2 [ 102.554401][ T5831] Bluetooth: hci3: unexpected cc 0x0c03 length: 249 > 1 [ 102.562987][ T5831] Bluetooth: hci3: unexpected cc 0x1003 length: 249 > 9 [ 102.571340][ T5831] Bluetooth: hci3: unexpected cc 0x1001 length: 249 > 9 [ 102.580439][ T5831] Bluetooth: hci3: unexpected cc 0x0c23 length: 249 > 4 [ 102.588479][ T5831] Bluetooth: hci3: unexpected cc 0x0c38 length: 249 > 2 [ 102.710583][ T5830] chnl_net:caif_netlink_parms(): no params data found [ 102.920834][ T5830] bridge0: port 1(bridge_slave_0) entered blocking state [ 102.928084][ T5830] bridge0: port 1(bridge_slave_0) entered disabled state [ 102.936793][ T5830] bridge_slave_0: entered allmulticast mode [ 102.944764][ T5830] bridge_slave_0: entered promiscuous mode [ 102.954381][ T5830] bridge0: port 2(bridge_slave_1) entered blocking state [ 102.961573][ T5830] bridge0: port 2(bridge_slave_1) entered disabled state [ 102.968737][ T5830] bridge_slave_1: entered allmulticast mode [ 102.976417][ T5830] bridge_slave_1: entered promiscuous mode [ 103.039212][ T5830] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 103.051950][ T5830] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 103.127872][ T5830] team0: Port device team_slave_0 added [ 103.181657][ T5830] team0: Port device team_slave_1 added [ 103.303860][ T5830] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 103.311065][ T5830] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 103.337070][ T5830] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 103.354726][ T5830] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 103.364651][ T5830] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 103.390830][ T5830] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 103.403235][ T5838] chnl_net:caif_netlink_parms(): no params data found [ 103.536775][ T5834] chnl_net:caif_netlink_parms(): no params data found [ 103.603798][ T5842] chnl_net:caif_netlink_parms(): no params data found [ 103.629139][ T5830] hsr_slave_0: entered promiscuous mode [ 103.636933][ T5830] hsr_slave_1: entered promiscuous mode [ 103.741298][ T5838] bridge0: port 1(bridge_slave_0) entered blocking state [ 103.748580][ T5838] bridge0: port 1(bridge_slave_0) entered disabled state [ 103.757019][ T5838] bridge_slave_0: entered allmulticast mode [ 103.764895][ T5838] bridge_slave_0: entered promiscuous mode [ 103.824654][ T5838] bridge0: port 2(bridge_slave_1) entered blocking state [ 103.832213][ T5838] bridge0: port 2(bridge_slave_1) entered disabled state [ 103.839368][ T5838] bridge_slave_1: entered allmulticast mode [ 103.846883][ T5838] bridge_slave_1: entered promiscuous mode [ 103.944111][ T5834] bridge0: port 1(bridge_slave_0) entered blocking state [ 103.951517][ T5834] bridge0: port 1(bridge_slave_0) entered disabled state [ 103.958687][ T5834] bridge_slave_0: entered allmulticast mode [ 103.966290][ T5834] bridge_slave_0: entered promiscuous mode [ 104.006785][ T5834] bridge0: port 2(bridge_slave_1) entered blocking state [ 104.014156][ T5834] bridge0: port 2(bridge_slave_1) entered disabled state [ 104.022088][ T5834] bridge_slave_1: entered allmulticast mode [ 104.029400][ T5834] bridge_slave_1: entered promiscuous mode [ 104.052917][ T5842] bridge0: port 1(bridge_slave_0) entered blocking state [ 104.060186][ T5842] bridge0: port 1(bridge_slave_0) entered disabled state [ 104.067520][ T5842] bridge_slave_0: entered allmulticast mode [ 104.075178][ T5842] bridge_slave_0: entered promiscuous mode [ 104.085981][ T5838] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 104.100567][ T5838] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 104.135341][ T5834] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 104.145121][ T5842] bridge0: port 2(bridge_slave_1) entered blocking state [ 104.152673][ T5842] bridge0: port 2(bridge_slave_1) entered disabled state [ 104.160069][ T5842] bridge_slave_1: entered allmulticast mode [ 104.167329][ T5842] bridge_slave_1: entered promiscuous mode [ 104.196989][ T5834] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 104.272189][ T5838] team0: Port device team_slave_0 added [ 104.280190][ T5141] Bluetooth: hci0: command tx timeout [ 104.303303][ T5842] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 104.316603][ T5842] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 104.328254][ T5838] team0: Port device team_slave_1 added [ 104.368146][ T5834] team0: Port device team_slave_0 added [ 104.411777][ T5834] team0: Port device team_slave_1 added [ 104.435111][ T5842] team0: Port device team_slave_0 added [ 104.442539][ T5838] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 104.450181][ T5838] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 104.476838][ T5838] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 104.489128][ T5838] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 104.496348][ T5838] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 104.522422][ T5141] Bluetooth: hci1: command tx timeout [ 104.522970][ T5838] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 104.562744][ T5842] team0: Port device team_slave_1 added [ 104.593040][ T5834] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 104.600517][ T5834] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 104.627378][ T5141] Bluetooth: hci2: command tx timeout [ 104.632972][ T5834] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 104.679816][ T5141] Bluetooth: hci3: command tx timeout [ 104.699000][ T5834] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 104.706343][ T5834] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 104.732316][ T5834] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 104.775533][ T5842] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 104.782664][ T5842] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 104.809529][ T5842] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 104.842465][ T5838] hsr_slave_0: entered promiscuous mode [ 104.849011][ T5838] hsr_slave_1: entered promiscuous mode [ 104.855650][ T5838] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 104.863484][ T5838] Cannot create hsr debugfs directory [ 104.870387][ T5842] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 104.877455][ T5842] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 104.904757][ T5842] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 104.968988][ T5834] hsr_slave_0: entered promiscuous mode [ 104.976320][ T5834] hsr_slave_1: entered promiscuous mode [ 104.982669][ T5834] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 104.990473][ T5834] Cannot create hsr debugfs directory [ 105.083011][ T5842] hsr_slave_0: entered promiscuous mode [ 105.089420][ T5842] hsr_slave_1: entered promiscuous mode [ 105.096115][ T5842] debugfs: Directory 'hsr0' with parent 'hsr' already present! [ 105.104196][ T5842] Cannot create hsr debugfs directory [ 105.199020][ T5830] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 105.252935][ T5830] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 105.296472][ T5830] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 105.327394][ T5830] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 105.571749][ T5838] netdevsim netdevsim2 netdevsim0: renamed from eth0 [ 105.590431][ T5838] netdevsim netdevsim2 netdevsim1: renamed from eth1 [ 105.603996][ T5838] netdevsim netdevsim2 netdevsim2: renamed from eth2 [ 105.615141][ T5838] netdevsim netdevsim2 netdevsim3: renamed from eth3 [ 105.707608][ T5842] netdevsim netdevsim1 netdevsim0: renamed from eth0 [ 105.724766][ T5842] netdevsim netdevsim1 netdevsim1: renamed from eth1 [ 105.740047][ T5842] netdevsim netdevsim1 netdevsim2: renamed from eth2 [ 105.755517][ T5842] netdevsim netdevsim1 netdevsim3: renamed from eth3 [ 105.894576][ T5830] 8021q: adding VLAN 0 to HW filter on device bond0 [ 105.904140][ T5834] netdevsim netdevsim3 netdevsim0: renamed from eth0 [ 105.917526][ T5834] netdevsim netdevsim3 netdevsim1: renamed from eth1 [ 105.928306][ T5834] netdevsim netdevsim3 netdevsim2: renamed from eth2 [ 105.943569][ T5834] netdevsim netdevsim3 netdevsim3: renamed from eth3 [ 105.994289][ T5830] 8021q: adding VLAN 0 to HW filter on device team0 [ 106.037725][ T53] bridge0: port 1(bridge_slave_0) entered blocking state [ 106.045047][ T53] bridge0: port 1(bridge_slave_0) entered forwarding state [ 106.062720][ T1053] bridge0: port 2(bridge_slave_1) entered blocking state [ 106.069957][ T1053] bridge0: port 2(bridge_slave_1) entered forwarding state [ 106.094412][ T5838] 8021q: adding VLAN 0 to HW filter on device bond0 [ 106.184822][ T5838] 8021q: adding VLAN 0 to HW filter on device team0 [ 106.204996][ T36] bridge0: port 1(bridge_slave_0) entered blocking state [ 106.212227][ T36] bridge0: port 1(bridge_slave_0) entered forwarding state [ 106.247484][ T5830] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network [ 106.274480][ T5842] 8021q: adding VLAN 0 to HW filter on device bond0 [ 106.303899][ T36] bridge0: port 2(bridge_slave_1) entered blocking state [ 106.311576][ T36] bridge0: port 2(bridge_slave_1) entered forwarding state [ 106.364357][ T5834] 8021q: adding VLAN 0 to HW filter on device bond0 [ 106.369579][ T5141] Bluetooth: hci0: command tx timeout [ 106.405041][ T5842] 8021q: adding VLAN 0 to HW filter on device team0 [ 106.452979][ T1053] bridge0: port 1(bridge_slave_0) entered blocking state [ 106.460253][ T1053] bridge0: port 1(bridge_slave_0) entered forwarding state [ 106.476682][ T1053] bridge0: port 2(bridge_slave_1) entered blocking state [ 106.483988][ T1053] bridge0: port 2(bridge_slave_1) entered forwarding state [ 106.578957][ T5834] 8021q: adding VLAN 0 to HW filter on device team0 [ 106.600649][ T5141] Bluetooth: hci1: command tx timeout [ 106.644396][ T68] bridge0: port 1(bridge_slave_0) entered blocking state [ 106.651589][ T68] bridge0: port 1(bridge_slave_0) entered forwarding state [ 106.680606][ T5141] Bluetooth: hci2: command tx timeout [ 106.713145][ T36] bridge0: port 2(bridge_slave_1) entered blocking state [ 106.720790][ T36] bridge0: port 2(bridge_slave_1) entered forwarding state [ 106.754602][ T5830] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 106.770738][ T5141] Bluetooth: hci3: command tx timeout [ 107.002439][ T5830] veth0_vlan: entered promiscuous mode [ 107.027977][ T5830] veth1_vlan: entered promiscuous mode [ 107.148638][ T5830] veth0_macvtap: entered promiscuous mode [ 107.186643][ T5830] veth1_macvtap: entered promiscuous mode [ 107.249417][ T5830] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 107.287820][ T5830] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 107.336095][ T5830] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 107.347622][ T5830] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 107.357357][ T5830] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 107.366835][ T5830] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 107.398851][ T5842] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 107.412259][ T5838] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 107.523578][ T5834] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 107.586397][ T68] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 107.606433][ T68] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 107.638255][ T5842] veth0_vlan: entered promiscuous mode [ 107.666701][ T5838] veth0_vlan: entered promiscuous mode [ 107.693537][ T5842] veth1_vlan: entered promiscuous mode [ 107.705876][ T36] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 107.714652][ T5838] veth1_vlan: entered promiscuous mode [ 107.721553][ T36] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 107.768405][ T5834] veth0_vlan: entered promiscuous mode [ 107.806742][ T5834] veth1_vlan: entered promiscuous mode [ 107.835535][ T5838] veth0_macvtap: entered promiscuous mode [ 107.875393][ T5838] veth1_macvtap: entered promiscuous mode [ 107.893515][ T5842] veth0_macvtap: entered promiscuous mode [ 107.901037][ T5830] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality. [ 107.955034][ T5842] veth1_macvtap: entered promiscuous mode [ 108.024340][ T5834] veth0_macvtap: entered promiscuous mode [ 108.052223][ T5838] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 108.074092][ T5838] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 108.089322][ T5834] veth1_macvtap: entered promiscuous mode [ 108.109267][ T5842] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 108.122798][ T5838] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.134223][ T5838] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.145305][ T5838] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.154304][ T5838] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 108.185135][ T5842] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 108.211170][ T5834] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 108.220497][ T5888] [ 108.222869][ T5888] ====================================================== [ 108.229910][ T5888] WARNING: possible circular locking dependency detected [ 108.236967][ T5888] 6.15.0-rc7-syzkaller-00144-gb1427432d3b6 #0 Not tainted [ 108.244086][ T5888] ------------------------------------------------------ [ 108.251112][ T5888] syz.0.1/5888 is trying to acquire lock: [ 108.256863][ T5888] ffff8881433bf118 (&q->elevator_lock){+.+.}-{4:4}, at: elv_iosched_store+0x201/0x5f0 [ 108.266472][ T5888] [ 108.266472][ T5888] but task is already holding lock: [ 108.273858][ T5888] ffff8881433bebe8 (&q->q_usage_counter(io)#55){++++}-{0:0}, at: blk_mq_freeze_queue_nomemsave+0x15/0x20 [ 108.285129][ T5888] [ 108.285129][ T5888] which lock already depends on the new lock. [ 108.285129][ T5888] [ 108.295535][ T5888] [ 108.295535][ T5888] the existing dependency chain (in reverse order) is: [ 108.304554][ T5888] [ 108.304554][ T5888] -> #2 (&q->q_usage_counter(io)#55){++++}-{0:0}: [ 108.313202][ T5888] blk_alloc_queue+0x619/0x760 [ 108.318520][ T5888] blk_mq_alloc_queue+0x179/0x290 [ 108.324103][ T5888] __blk_mq_alloc_disk+0x29/0x120 [ 108.329691][ T5888] nbd_dev_add+0x49d/0xbb0 [ 108.334910][ T5888] nbd_init+0x181/0x320 [ 108.339627][ T5888] do_one_initcall+0x120/0x6e0 [ 108.344966][ T5888] kernel_init_freeable+0x5c2/0x900 [ 108.350726][ T5888] kernel_init+0x1c/0x2b0 [ 108.355605][ T5888] ret_from_fork+0x48/0x80 [ 108.360573][ T5888] ret_from_fork_asm+0x1a/0x30 [ 108.365914][ T5888] [ 108.365914][ T5888] -> #1 (fs_reclaim){+.+.}-{0:0}: [ 108.373149][ T5888] fs_reclaim_acquire+0x102/0x150 [ 108.378731][ T5888] kmem_cache_alloc_noprof+0x53/0x3b0 [ 108.384652][ T5888] __kernfs_new_node+0xd2/0x8a0 [ 108.390056][ T5888] kernfs_new_node+0x13c/0x1e0 [ 108.395392][ T5888] kernfs_create_dir_ns+0x4c/0x1a0 [ 108.401053][ T5888] sysfs_create_dir_ns+0x13a/0x2b0 [ 108.406749][ T5888] kobject_add_internal+0x2c4/0x9b0 [ 108.412499][ T5888] kobject_add+0x16e/0x240 [ 108.417463][ T5888] elv_register_queue+0xd3/0x2a0 [ 108.422983][ T5888] blk_register_queue+0x3c4/0x560 [ 108.428547][ T5888] add_disk_fwnode+0x911/0x13a0 [ 108.433968][ T5888] nbd_dev_add+0x78e/0xbb0 [ 108.438920][ T5888] nbd_init+0x181/0x320 [ 108.443634][ T5888] do_one_initcall+0x120/0x6e0 [ 108.448949][ T5888] kernel_init_freeable+0x5c2/0x900 [ 108.454704][ T5888] kernel_init+0x1c/0x2b0 [ 108.459580][ T5888] ret_from_fork+0x48/0x80 [ 108.464637][ T5888] ret_from_fork_asm+0x1a/0x30 [ 108.469965][ T5888] [ 108.469965][ T5888] -> #0 (&q->elevator_lock){+.+.}-{4:4}: [ 108.477829][ T5888] __lock_acquire+0x1173/0x1ba0 [ 108.483221][ T5888] lock_acquire+0x179/0x350 [ 108.488261][ T5888] __mutex_lock+0x199/0xb90 [ 108.493380][ T5888] elv_iosched_store+0x201/0x5f0 [ 108.498886][ T5888] queue_attr_store+0x273/0x310 [ 108.504359][ T5888] sysfs_kf_write+0xef/0x150 [ 108.509509][ T5888] kernfs_fop_write_iter+0x351/0x510 [ 108.515367][ T5888] iter_file_splice_write+0x91f/0x1150 [ 108.521389][ T5888] direct_splice_actor+0x18f/0x6c0 [ 108.527092][ T5888] splice_direct_to_actor+0x342/0xa30 [ 108.533034][ T5888] do_splice_direct+0x174/0x240 [ 108.538457][ T5888] do_sendfile+0xafd/0xe50 [ 108.543410][ T5888] __x64_sys_sendfile64+0x1d8/0x220 [ 108.549170][ T5888] do_syscall_64+0xcd/0x230 [ 108.554229][ T5888] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 108.560675][ T5888] [ 108.560675][ T5888] other info that might help us debug this: [ 108.560675][ T5888] [ 108.570941][ T5888] Chain exists of: [ 108.570941][ T5888] &q->elevator_lock --> fs_reclaim --> &q->q_usage_counter(io)#55 [ 108.570941][ T5888] [ 108.584717][ T5888] Possible unsafe locking scenario: [ 108.584717][ T5888] [ 108.592172][ T5888] CPU0 CPU1 [ 108.597549][ T5888] ---- ---- [ 108.602919][ T5888] lock(&q->q_usage_counter(io)#55); [ 108.608327][ T5888] lock(fs_reclaim); [ 108.614854][ T5888] lock(&q->q_usage_counter(io)#55); [ 108.622771][ T5888] lock(&q->elevator_lock); [ 108.627382][ T5888] [ 108.627382][ T5888] *** DEADLOCK *** [ 108.627382][ T5888] [ 108.635536][ T5888] 5 locks held by syz.0.1/5888: [ 108.640411][ T5888] #0: ffff888034fe4420 (sb_writers#7){.+.+}-{0:0}, at: splice_direct_to_actor+0x342/0xa30 [ 108.650536][ T5888] #1: ffff888024c90888 (&of->mutex){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x28f/0x510 [ 108.660346][ T5888] #2: ffff888140f82c38 (kn->active#59){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x2b2/0x510 [ 108.670443][ T5888] #3: ffff8881433bebe8 (&q->q_usage_counter(io)#55){++++}-{0:0}, at: blk_mq_freeze_queue_nomemsave+0x15/0x20 [ 108.682239][ T5888] #4: ffff8881433bec20 (&q->q_usage_counter(queue)#7){+.+.}-{0:0}, at: blk_mq_freeze_queue_nomemsave+0x15/0x20 [ 108.694124][ T5888] [ 108.694124][ T5888] stack backtrace: [ 108.700051][ T5888] CPU: 0 UID: 0 PID: 5888 Comm: syz.0.1 Not tainted 6.15.0-rc7-syzkaller-00144-gb1427432d3b6 #0 PREEMPT(full) [ 108.700092][ T5888] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 108.700115][ T5888] Call Trace: [ 108.700125][ T5888] [ 108.700141][ T5888] dump_stack_lvl+0x116/0x1f0 [ 108.700197][ T5888] print_circular_bug+0x275/0x350 [ 108.700240][ T5888] check_noncircular+0x14c/0x170 [ 108.700287][ T5888] __lock_acquire+0x1173/0x1ba0 [ 108.700337][ T5888] lock_acquire+0x179/0x350 [ 108.700384][ T5888] ? elv_iosched_store+0x201/0x5f0 [ 108.700429][ T5888] ? __pfx___might_resched+0x10/0x10 [ 108.700465][ T5888] ? do_raw_spin_lock+0x12c/0x2b0 [ 108.700515][ T5888] __mutex_lock+0x199/0xb90 [ 108.700562][ T5888] ? elv_iosched_store+0x201/0x5f0 [ 108.700605][ T5888] ? _raw_spin_unlock_irqrestore+0x52/0x80 [ 108.700649][ T5888] ? elv_iosched_store+0x201/0x5f0 [ 108.700690][ T5888] ? lockdep_hardirqs_on+0x7c/0x110 [ 108.700738][ T5888] ? __pfx___mutex_lock+0x10/0x10 [ 108.700791][ T5888] ? __pfx_autoremove_wake_function+0x10/0x10 [ 108.700838][ T5888] ? elv_iosched_store+0x201/0x5f0 [ 108.700878][ T5888] elv_iosched_store+0x201/0x5f0 [ 108.700920][ T5888] ? __x64_sys_sendfile64+0x1d8/0x220 [ 108.700959][ T5888] ? __pfx_elv_iosched_store+0x10/0x10 [ 108.701003][ T5888] ? __mutex_trylock_common+0xe9/0x250 [ 108.701046][ T5888] ? __pfx_elv_iosched_store+0x10/0x10 [ 108.701086][ T5888] queue_attr_store+0x273/0x310 [ 108.701115][ T5888] ? __pfx_queue_attr_store+0x10/0x10 [ 108.701165][ T5888] ? find_held_lock+0x2b/0x80 [ 108.701194][ T5888] ? sysfs_file_kobj+0xe4/0x290 [ 108.701238][ T5888] ? __pfx_queue_attr_store+0x10/0x10 [ 108.701268][ T5888] sysfs_kf_write+0xef/0x150 [ 108.701312][ T5888] kernfs_fop_write_iter+0x351/0x510 [ 108.701351][ T5888] ? __pfx_sysfs_kf_write+0x10/0x10 [ 108.701407][ T5888] iter_file_splice_write+0x91f/0x1150 [ 108.701455][ T5888] ? __pfx_iter_file_splice_write+0x10/0x10 [ 108.701495][ T5888] ? __pfx_copy_splice_read+0x10/0x10 [ 108.701537][ T5888] ? __pfx_iter_file_splice_write+0x10/0x10 [ 108.701576][ T5888] direct_splice_actor+0x18f/0x6c0 [ 108.701613][ T5888] splice_direct_to_actor+0x342/0xa30 [ 108.701650][ T5888] ? __pfx_direct_splice_actor+0x10/0x10 [ 108.701689][ T5888] ? __pfx_splice_direct_to_actor+0x10/0x10 [ 108.701729][ T5888] do_splice_direct+0x174/0x240 [ 108.701764][ T5888] ? __pfx_do_splice_direct+0x10/0x10 [ 108.701800][ T5888] ? __pfx_direct_file_splice_eof+0x10/0x10 [ 108.701837][ T5888] ? rw_verify_area+0xcf/0x680 [ 108.701873][ T5888] do_sendfile+0xafd/0xe50 [ 108.701896][ T5888] ? __pfx_do_sendfile+0x10/0x10 [ 108.701919][ T5888] ? __x64_sys_futex+0x1e0/0x4c0 [ 108.701944][ T5888] ? __x64_sys_futex+0x1e9/0x4c0 [ 108.701971][ T5888] __x64_sys_sendfile64+0x1d8/0x220 [ 108.701999][ T5888] ? __pfx___x64_sys_sendfile64+0x10/0x10 [ 108.702027][ T5888] ? rcu_is_watching+0x12/0xc0 [ 108.702052][ T5888] do_syscall_64+0xcd/0x230 [ 108.702087][ T5888] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 108.702110][ T5888] RIP: 0033:0x7f3bce38e969 [ 108.702127][ T5888] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 108.702148][ T5888] RSP: 002b:00007f3bcf157038 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 [ 108.702168][ T5888] RAX: ffffffffffffffda RBX: 00007f3bce5b5fa0 RCX: 00007f3bce38e969 [ 108.702183][ T5888] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000005 [ 108.702195][ T5888] RBP: 00007f3bce410ab1 R08: 0000000000000000 R09: 0000000000000000 [ 108.702208][ T5888] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000 [ 108.702221][ T5888] R13: 0000000000000000 R14: 00007f3bce5b5fa0 R15: 00007fff35ce8798 [ 108.702241][ T5888] [ 109.071727][ T5141] Bluetooth: hci0: command tx timeout [ 109.077166][ T5141] Bluetooth: hci1: command tx timeout [ 109.083010][ T5141] Bluetooth: hci2: command tx timeout [ 109.088440][ T5141] Bluetooth: hci3: command tx timeout [ 109.097807][ T5842] netdevsim netdevsim1 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 109.106701][ T5842] netdevsim netdevsim1 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 109.115736][ T5842] netdevsim netdevsim1 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 109.124486][ T5842] netdevsim netdevsim1 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 109.163770][ T5834] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 109.206740][ T5834] netdevsim netdevsim3 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 109.217265][ T5834] netdevsim netdevsim3 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 109.228277][ T5834] netdevsim netdevsim3 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 109.237426][ T5834] netdevsim netdevsim3 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 [ 109.278624][ T5838] ieee80211 phy5: Selected rate control algorithm 'minstrel_ht' [ 109.339927][ T5842] ieee80211 phy6: Selected rate control algorithm 'minstrel_ht' [ 109.355739][ T68] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 109.381068][ T68] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 109.396961][ T5842] ieee80211 phy7: Selected rate control algorithm 'minstrel_ht' [ 109.406838][ T1053] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 109.423973][ T1053] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 109.460976][ T5838] ieee80211 phy8: Selected rate control algorithm 'minstrel_ht' [ 109.501486][ T53] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 109.509363][ T53] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 109.546262][ T5834] ieee80211 phy9: Selected rate control algorithm 'minstrel_ht' [ 109.580444][ T12] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 109.588420][ T12] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 109.602782][ T53] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 109.612021][ T53] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 109.618542][ T5834] ieee80211 phy10: Selected rate control algorithm 'minstrel_ht' [ 109.675737][ T36] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50 [ 109.702284][ T36] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50 [ 111.169846][ T5831] Bluetooth: hci3: command tx timeout [ 111.173211][ T5141] Bluetooth: hci2: command tx timeout [ 111.175298][ T5831] Bluetooth: hci1: command tx timeout [ 111.182627][ T5141] Bluetooth: hci0: command tx timeout