====================================================== WARNING: possible circular locking dependency detected syzkaller #0 Tainted: G L ------------------------------------------------------ syz.6.1879/11430 is trying to acquire lock: ffff0000c827c678 (&q->elevator_lock){+.+.}-{4:4}, at: elevator_change+0x188/0x35c block/elevator.c:679 but task is already holding lock: ffff0000c827c158 (&q->q_usage_counter(io)#38){++++}-{0:0}, at: blk_mq_freeze_queue_nomemsave+0x20/0x38 block/blk-mq.c:206 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #6 (&q->q_usage_counter(io)#38){++++}-{0:0}: blk_alloc_queue+0x488/0x590 block/blk-core.c:461 blk_mq_alloc_queue+0x148/0x284 block/blk-mq.c:4453 __blk_mq_alloc_disk+0x38/0x10c block/blk-mq.c:4500 nbd_dev_add+0x3d0/0x880 drivers/block/nbd.c:1954 nbd_init+0x15c/0x174 drivers/block/nbd.c:2692 do_one_initcall+0x274/0xc38 init/main.c:1392 do_initcall_level+0x12c/0x1c4 init/main.c:1454 do_initcalls+0x70/0xd0 init/main.c:1470 do_basic_setup+0x7c/0x90 init/main.c:1490 kernel_init_freeable+0x268/0x3a8 init/main.c:1703 kernel_init+0x24/0x1dc init/main.c:1593 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:842 -> #5 (fs_reclaim){+.+.}-{0:0}: __fs_reclaim_acquire mm/page_alloc.c:4320 [inline] fs_reclaim_acquire+0x90/0x110 mm/page_alloc.c:4334 might_alloc include/linux/sched/mm.h:317 [inline] slab_pre_alloc_hook mm/slub.c:4521 [inline] slab_alloc_node mm/slub.c:4876 [inline] kmem_cache_alloc_node_noprof+0x60/0x6c8 mm/slub.c:4951 kmalloc_reserve+0xc4/0x214 net/core/skbuff.c:613 __alloc_skb+0x230/0x610 net/core/skbuff.c:713 alloc_skb include/linux/skbuff.h:1385 [inline] __ip6_append_data+0x289c/0x383c net/ipv6/ip6_output.c:1701 ip6_append_data+0x100/0x270 net/ipv6/ip6_output.c:1891 rawv6_sendmsg+0xe3c/0x1438 net/ipv6/raw.c:913 inet_sendmsg+0xb4/0xd8 net/ipv4/af_inet.c:866 sock_sendmsg_nosec net/socket.c:787 [inline] __sock_sendmsg+0xc8/0x138 net/socket.c:802 ____sys_sendmsg+0x3d0/0x6c8 
net/socket.c:2698 ___sys_sendmsg+0x198/0x224 net/socket.c:2752 __sys_sendmsg+0x160/0x214 net/socket.c:2784 __do_sys_sendmsg net/socket.c:2789 [inline] __se_sys_sendmsg net/socket.c:2787 [inline] __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2787 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49 el0_svc_common+0xec/0x23c arch/arm64/kernel/syscall.c:121 do_el0_svc+0x4c/0x5c arch/arm64/kernel/syscall.c:140 el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736 el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594 -> #4 (sk_lock-AF_INET6){+.+.}-{0:0}: lock_sock_nested+0x58/0x110 net/core/sock.c:3787 lock_sock include/net/sock.h:1713 [inline] inet_shutdown+0x74/0x354 net/ipv4/af_inet.c:915 kernel_sock_shutdown+0x6c/0x80 net/socket.c:3785 nbd_mark_nsock_dead+0x280/0x4f4 drivers/block/nbd.c:318 recv_work+0x1d58/0x1e74 drivers/block/nbd.c:1021 process_one_work kernel/workqueue.c:3314 [inline] process_scheduled_works+0x788/0x10b8 kernel/workqueue.c:3397 worker_thread+0x798/0xbd0 kernel/workqueue.c:3478 kthread+0x304/0x3d4 kernel/kthread.c:436 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:842 -> #3 (&nsock->tx_lock){+.+.}-{4:4}: __mutex_lock_common kernel/locking/mutex.c:646 [inline] __mutex_lock+0x164/0xed0 kernel/locking/mutex.c:820 mutex_lock_nested+0x24/0x30 kernel/locking/mutex.c:873 nbd_handle_cmd drivers/block/nbd.c:1143 [inline] nbd_queue_rq+0x1f4/0xbd8 drivers/block/nbd.c:1207 blk_mq_dispatch_rq_list+0x3d4/0x13a8 block/blk-mq.c:2148 __blk_mq_do_dispatch_sched block/blk-mq-sched.c:168 [inline] blk_mq_do_dispatch_sched block/blk-mq-sched.c:182 [inline] __blk_mq_sched_dispatch_requests+0xa48/0x10e8 block/blk-mq-sched.c:307 blk_mq_sched_dispatch_requests+0xa8/0x158 block/blk-mq-sched.c:329 blk_mq_run_hw_queue+0x300/0x4dc block/blk-mq.c:2387 blk_mq_dispatch_list+0xa28/0xb2c block/blk-mq.c:-1 blk_mq_flush_plug_list+0x3ac/0x494 
block/blk-mq.c:2997 __blk_flush_plug+0x364/0x440 block/blk-core.c:1230 blk_finish_plug block/blk-core.c:1257 [inline] __submit_bio+0x3a0/0x480 block/blk-core.c:649 __submit_bio_noacct_mq block/blk-core.c:722 [inline] submit_bio_noacct_nocheck+0x288/0xaac block/blk-core.c:753 submit_bio_noacct+0xd7c/0x17f0 block/blk-core.c:884 submit_bio+0x38c/0x528 block/blk-core.c:926 blk_crypto_submit_bio include/linux/blk-crypto.h:203 [inline] submit_bh_wbc+0x4c8/0x5ac fs/buffer.c:2737 submit_bh fs/buffer.c:2742 [inline] block_read_full_folio+0x47c/0x754 fs/buffer.c:2344 blkdev_read_folio+0x28/0x38 block/fops.c:494 filemap_read_folio+0xf0/0x2fc mm/filemap.c:2502 do_read_cache_folio+0x35c/0x5a8 mm/filemap.c:4107 read_cache_folio+0x68/0x88 mm/filemap.c:4139 read_mapping_folio include/linux/pagemap.h:1017 [inline] read_part_sector+0xcc/0x708 block/partitions/core.c:724 adfspart_check_ICS+0xa4/0x720 block/partitions/acorn.c:356 check_partition block/partitions/core.c:143 [inline] blk_add_partitions block/partitions/core.c:591 [inline] bdev_disk_changed+0x6c4/0x11ec block/partitions/core.c:695 blkdev_get_whole+0x15c/0x240 block/bdev.c:756 bdev_open+0x2b4/0x880 block/bdev.c:965 blkdev_open+0x2d4/0x408 block/fops.c:697 do_dentry_open+0x5c4/0xfb8 fs/open.c:947 vfs_open+0x44/0x2dc fs/open.c:1079 do_open fs/namei.c:4699 [inline] path_openat+0x22d4/0x2b88 fs/namei.c:4858 do_file_open+0x1c8/0x2e8 fs/namei.c:4887 do_sys_openat2+0x114/0x1e8 fs/open.c:1364 do_sys_open+0xac/0xdc fs/open.c:1370 __do_sys_openat fs/open.c:1386 [inline] __se_sys_openat fs/open.c:1381 [inline] __arm64_sys_openat+0xa0/0xbc fs/open.c:1381 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49 el0_svc_common+0xec/0x23c arch/arm64/kernel/syscall.c:121 do_el0_svc+0x4c/0x5c arch/arm64/kernel/syscall.c:140 el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736 el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755 el0t_64_sync+0x198/0x19c 
arch/arm64/kernel/entry.S:594 -> #2 (&cmd->lock){+.+.}-{4:4}: __mutex_lock_common kernel/locking/mutex.c:646 [inline] __mutex_lock+0x164/0xed0 kernel/locking/mutex.c:820 mutex_lock_nested+0x24/0x30 kernel/locking/mutex.c:873 nbd_queue_rq+0xb0/0xbd8 drivers/block/nbd.c:1199 blk_mq_dispatch_rq_list+0x3d4/0x13a8 block/blk-mq.c:2148 __blk_mq_do_dispatch_sched block/blk-mq-sched.c:168 [inline] blk_mq_do_dispatch_sched block/blk-mq-sched.c:182 [inline] __blk_mq_sched_dispatch_requests+0xa48/0x10e8 block/blk-mq-sched.c:307 blk_mq_sched_dispatch_requests+0xa8/0x158 block/blk-mq-sched.c:329 blk_mq_run_hw_queue+0x300/0x4dc block/blk-mq.c:2387 blk_mq_dispatch_list+0xa28/0xb2c block/blk-mq.c:-1 blk_mq_flush_plug_list+0x3ac/0x494 block/blk-mq.c:2997 __blk_flush_plug+0x364/0x440 block/blk-core.c:1230 blk_finish_plug block/blk-core.c:1257 [inline] __submit_bio+0x3a0/0x480 block/blk-core.c:649 __submit_bio_noacct_mq block/blk-core.c:722 [inline] submit_bio_noacct_nocheck+0x288/0xaac block/blk-core.c:753 submit_bio_noacct+0xd7c/0x17f0 block/blk-core.c:884 submit_bio+0x38c/0x528 block/blk-core.c:926 blk_crypto_submit_bio include/linux/blk-crypto.h:203 [inline] submit_bh_wbc+0x4c8/0x5ac fs/buffer.c:2737 submit_bh fs/buffer.c:2742 [inline] block_read_full_folio+0x47c/0x754 fs/buffer.c:2344 blkdev_read_folio+0x28/0x38 block/fops.c:494 filemap_read_folio+0xf0/0x2fc mm/filemap.c:2502 do_read_cache_folio+0x35c/0x5a8 mm/filemap.c:4107 read_cache_folio+0x68/0x88 mm/filemap.c:4139 read_mapping_folio include/linux/pagemap.h:1017 [inline] read_part_sector+0xcc/0x708 block/partitions/core.c:724 adfspart_check_ICS+0xa4/0x720 block/partitions/acorn.c:356 check_partition block/partitions/core.c:143 [inline] blk_add_partitions block/partitions/core.c:591 [inline] bdev_disk_changed+0x6c4/0x11ec block/partitions/core.c:695 blkdev_get_whole+0x15c/0x240 block/bdev.c:756 bdev_open+0x2b4/0x880 block/bdev.c:965 blkdev_open+0x2d4/0x408 block/fops.c:697 do_dentry_open+0x5c4/0xfb8 fs/open.c:947 
vfs_open+0x44/0x2dc fs/open.c:1079 do_open fs/namei.c:4699 [inline] path_openat+0x22d4/0x2b88 fs/namei.c:4858 do_file_open+0x1c8/0x2e8 fs/namei.c:4887 do_sys_openat2+0x114/0x1e8 fs/open.c:1364 do_sys_open+0xac/0xdc fs/open.c:1370 __do_sys_openat fs/open.c:1386 [inline] __se_sys_openat fs/open.c:1381 [inline] __arm64_sys_openat+0xa0/0xbc fs/open.c:1381 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49 el0_svc_common+0xec/0x23c arch/arm64/kernel/syscall.c:121 do_el0_svc+0x4c/0x5c arch/arm64/kernel/syscall.c:140 el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736 el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594 -> #1 (set->srcu){.+.+}-{0:0}: srcu_lock_sync include/linux/srcu.h:199 [inline] __synchronize_srcu+0xc8/0x268 kernel/rcu/srcutree.c:1481 synchronize_srcu+0x41c/0x5d4 kernel/rcu/srcutree.c:-1 blk_mq_wait_quiesce_done+0x88/0xac block/blk-mq.c:284 blk_mq_quiesce_queue+0x70/0x8c block/blk-mq.c:304 elevator_switch+0x128/0x38c block/elevator.c:576 elevator_change+0x204/0x35c block/elevator.c:681 elevator_set_default+0x190/0x2b0 block/elevator.c:754 blk_register_queue+0x2fc/0x3d4 block/blk-sysfs.c:987 __add_disk+0x558/0xb44 block/genhd.c:528 add_disk_fwnode+0xd4/0x404 block/genhd.c:597 device_add_disk+0x38/0x4c block/genhd.c:627 add_disk include/linux/blkdev.h:794 [inline] nbd_dev_add+0x598/0x880 drivers/block/nbd.c:1984 nbd_init+0x15c/0x174 drivers/block/nbd.c:2692 do_one_initcall+0x274/0xc38 init/main.c:1392 do_initcall_level+0x12c/0x1c4 init/main.c:1454 do_initcalls+0x70/0xd0 init/main.c:1470 do_basic_setup+0x7c/0x90 init/main.c:1490 kernel_init_freeable+0x268/0x3a8 init/main.c:1703 kernel_init+0x24/0x1dc init/main.c:1593 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:842 -> #0 (&q->elevator_lock){+.+.}-{4:4}: check_prev_add kernel/locking/lockdep.c:3165 [inline] check_prevs_add kernel/locking/lockdep.c:3284 [inline] 
validate_chain kernel/locking/lockdep.c:3908 [inline] __lock_acquire+0x17c0/0x2ebc kernel/locking/lockdep.c:5237 lock_acquire+0x140/0x364 kernel/locking/lockdep.c:5868 __mutex_lock_common kernel/locking/mutex.c:646 [inline] __mutex_lock+0x164/0xed0 kernel/locking/mutex.c:820 mutex_lock_nested+0x24/0x30 kernel/locking/mutex.c:873 elevator_change+0x188/0x35c block/elevator.c:679 elevator_set_none+0xa8/0x13c block/elevator.c:769 blk_mq_elv_switch_none block/blk-mq.c:5134 [inline] __blk_mq_update_nr_hw_queues block/blk-mq.c:5179 [inline] blk_mq_update_nr_hw_queues+0x4c4/0x11e0 block/blk-mq.c:5244 nbd_start_device+0x15c/0xa44 drivers/block/nbd.c:1489 nbd_genl_connect+0xffc/0x15d4 drivers/block/nbd.c:2239 genl_family_rcv_msg_doit+0x1e4/0x2d4 net/netlink/genetlink.c:1114 genl_family_rcv_msg net/netlink/genetlink.c:1194 [inline] genl_rcv_msg+0x43c/0x620 net/netlink/genetlink.c:1209 netlink_rcv_skb+0x238/0x414 net/netlink/af_netlink.c:2555 genl_rcv+0x38/0x50 net/netlink/genetlink.c:1218 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x600/0x7f8 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x648/0x948 net/netlink/af_netlink.c:1899 sock_sendmsg_nosec net/socket.c:787 [inline] __sock_sendmsg+0xc8/0x138 net/socket.c:802 ____sys_sendmsg+0x3d0/0x6c8 net/socket.c:2698 ___sys_sendmsg+0x198/0x224 net/socket.c:2752 __sys_sendmsg+0x160/0x214 net/socket.c:2784 __do_sys_sendmsg net/socket.c:2789 [inline] __se_sys_sendmsg net/socket.c:2787 [inline] __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2787 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49 el0_svc_common+0xec/0x23c arch/arm64/kernel/syscall.c:121 do_el0_svc+0x4c/0x5c arch/arm64/kernel/syscall.c:140 el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736 el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594 other info that might help us debug this: Chain exists of: 
&q->elevator_lock --> fs_reclaim --> &q->q_usage_counter(io)#38

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&q->q_usage_counter(io)#38);
                               lock(fs_reclaim);
                               lock(&q->q_usage_counter(io)#38);
  lock(&q->elevator_lock);

 *** DEADLOCK ***

6 locks held by syz.6.1879/11430:
 #0: ffff800089d30d48 (cb_lock){++++}-{4:4}, at: genl_rcv+0x28/0x50 net/netlink/genetlink.c:1217
 #1: ffff800089d30b80 (genl_mutex){+.+.}-{4:4}, at: genl_lock net/netlink/genetlink.c:35 [inline]
 #1: ffff800089d30b80 (genl_mutex){+.+.}-{4:4}, at: genl_op_lock net/netlink/genetlink.c:60 [inline]
 #1: ffff800089d30b80 (genl_mutex){+.+.}-{4:4}, at: genl_rcv_msg+0xec/0x620 net/netlink/genetlink.c:1208
 #2: ffff0000c817b1c0 (&set->update_nr_hwq_lock){++++}-{4:4}, at: blk_mq_update_nr_hw_queues+0x98/0x11e0 block/blk-mq.c:5242
 #3: ffff0000c817b0d0 (&set->tag_list_lock){+.+.}-{4:4}, at: blk_mq_update_nr_hw_queues+0xa4/0x11e0 block/blk-mq.c:5243
 #4: ffff0000c827c158 (&q->q_usage_counter(io)#38){++++}-{0:0}, at: blk_mq_freeze_queue_nomemsave+0x20/0x38 block/blk-mq.c:206
 #5: ffff0000c827c190 (&q->q_usage_counter(queue)#22){+.+.}-{0:0}, at: blk_mq_freeze_queue_nomemsave+0x20/0x38 block/blk-mq.c:206

stack backtrace:
CPU: 0 UID: 0 PID: 11430 Comm: syz.6.1879 Tainted: G L syzkaller #0 PREEMPT
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/02/2026
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 dump_stack+0x1c/0x28 lib/dump_stack.c:129
 print_circular_bug+0x328/0x330 kernel/locking/lockdep.c:2043
 check_noncircular+0x158/0x174 kernel/locking/lockdep.c:2175
 check_prev_add kernel/locking/lockdep.c:3165 [inline]
 check_prevs_add kernel/locking/lockdep.c:3284 [inline]
 validate_chain kernel/locking/lockdep.c:3908 [inline]
 __lock_acquire+0x17c0/0x2ebc kernel/locking/lockdep.c:5237
 lock_acquire+0x140/0x364 kernel/locking/lockdep.c:5868
__mutex_lock_common kernel/locking/mutex.c:646 [inline] __mutex_lock+0x164/0xed0 kernel/locking/mutex.c:820 mutex_lock_nested+0x24/0x30 kernel/locking/mutex.c:873 elevator_change+0x188/0x35c block/elevator.c:679 elevator_set_none+0xa8/0x13c block/elevator.c:769 blk_mq_elv_switch_none block/blk-mq.c:5134 [inline] __blk_mq_update_nr_hw_queues block/blk-mq.c:5179 [inline] blk_mq_update_nr_hw_queues+0x4c4/0x11e0 block/blk-mq.c:5244 nbd_start_device+0x15c/0xa44 drivers/block/nbd.c:1489 nbd_genl_connect+0xffc/0x15d4 drivers/block/nbd.c:2239 genl_family_rcv_msg_doit+0x1e4/0x2d4 net/netlink/genetlink.c:1114 genl_family_rcv_msg net/netlink/genetlink.c:1194 [inline] genl_rcv_msg+0x43c/0x620 net/netlink/genetlink.c:1209 netlink_rcv_skb+0x238/0x414 net/netlink/af_netlink.c:2555 genl_rcv+0x38/0x50 net/netlink/genetlink.c:1218 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x600/0x7f8 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x648/0x948 net/netlink/af_netlink.c:1899 sock_sendmsg_nosec net/socket.c:787 [inline] __sock_sendmsg+0xc8/0x138 net/socket.c:802 ____sys_sendmsg+0x3d0/0x6c8 net/socket.c:2698 ___sys_sendmsg+0x198/0x224 net/socket.c:2752 __sys_sendmsg+0x160/0x214 net/socket.c:2784 __do_sys_sendmsg net/socket.c:2789 [inline] __se_sys_sendmsg net/socket.c:2787 [inline] __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2787 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x244 arch/arm64/kernel/syscall.c:49 el0_svc_common+0xec/0x23c arch/arm64/kernel/syscall.c:121 do_el0_svc+0x4c/0x5c arch/arm64/kernel/syscall.c:140 el0_svc+0x64/0x260 arch/arm64/kernel/entry-common.c:736 el0t_64_sync_handler+0x48/0x148 arch/arm64/kernel/entry-common.c:755 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:594