Extracting prog: 4m53.145318511s
Minimizing prog: 42m31.806703491s
Simplifying prog options: 12m9.331875545s
Extracting C: 5m11.01208329s
Simplifying C: 0s
extracting reproducer from 1 programs
testing a last program of every proc
single: executing 1 programs separately with timeout 6m0s
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-dup-fallocate-openat$nullb-mmap
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x48882, 0x0)
r1 = dup(r0)
fallocate(r1, 0x11, 0x0, 0x4000000000052000)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000240), 0x4000000004002, 0x0)
mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x200000e, 0x13, r2, 0x0)
program crashed: INFO: task hung in page_cache_ra_order
single: successfully extracted reproducer
found reproducer with 5 syscalls
minimizing guilty program
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-dup-fallocate-openat$nullb
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x48882, 0x0)
r1 = dup(r0)
fallocate(r1, 0x11, 0x0, 0x4000000000052000)
openat$nullb(0xffffffffffffff9c, &(0x7f0000000240), 0x4000000004002, 0x0)
program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-dup-fallocate-mmap
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x48882, 0x0)
r1 = dup(r0)
fallocate(r1, 0x11, 0x0, 0x4000000000052000)
mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x200000e, 0x13, 0xffffffffffffffff, 0x0)
program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-dup-openat$nullb-mmap
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x48882, 0x0)
dup(r0)
r1 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000240), 0x4000000004002, 0x0)
mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x200000e, 0x13, r1, 0x0)
program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-fallocate-openat$nullb-mmap
detailed listing:
executing program 0:
openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x48882, 0x0)
fallocate(0xffffffffffffffff, 0x11, 0x0, 0x4000000000052000)
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000240), 0x4000000004002, 0x0)
mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x200000e, 0x13, r0, 0x0)
program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): dup-fallocate-openat$nullb-mmap
detailed listing:
executing program 0:
r0 = dup(0xffffffffffffffff)
fallocate(r0, 0x11, 0x0, 0x4000000000052000)
r1 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000240), 0x4000000004002, 0x0)
mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x200000e, 0x13, r1, 0x0)
program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-dup-fallocate-openat$nullb-mmap
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, 0x0, 0x48882, 0x0)
r1 = dup(r0)
fallocate(r1, 0x11, 0x0, 0x4000000000052000)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000240), 0x4000000004002, 0x0)
mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x200000e, 0x13, r2, 0x0)
program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-dup-fallocate-openat$nullb-mmap
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x48882, 0x0)
r1 = dup(r0)
fallocate(r1, 0x11, 0x0, 0x4000000000052000)
r2 = openat$nullb(0xffffffffffffff9c, 0x0, 0x4000000004002, 0x0)
mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x200000e, 0x13, r2, 0x0)
program did not crash
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-dup-fallocate-openat$nullb-mmap
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
simplifying guilty program options
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-dup-fallocate-openat$nullb-mmap
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x48882, 0x0)
r1 = dup(r0)
fallocate(r1, 0x11, 0x0, 0x4000000000052000)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000240), 0x4000000004002, 0x0)
mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x200000e, 0x13, r2, 0x0)
program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-dup-fallocate-openat$nullb-mmap
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x48882, 0x0)
r1 = dup(r0)
fallocate(r1, 0x11, 0x0, 0x4000000000052000)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000240), 0x4000000004002, 0x0)
mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x200000e, 0x13, r2, 0x0)
program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-dup-fallocate-openat$nullb-mmap
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x48882, 0x0)
r1 = dup(r0)
fallocate(r1, 0x11, 0x0, 0x4000000000052000)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000240), 0x4000000004002, 0x0)
mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x200000e, 0x13, r2, 0x0)
program crashed: INFO: task hung in page_cache_ra_order
validation run: crashed=true
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-dup-fallocate-openat$nullb-mmap
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x48882, 0x0)
r1 = dup(r0)
fallocate(r1, 0x11, 0x0, 0x4000000000052000)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000240), 0x4000000004002, 0x0)
mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x200000e, 0x13, r2, 0x0)
program crashed: INFO: task hung in page_cache_ra_order
validation run: crashed=true
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$nullb-dup-fallocate-openat$nullb-mmap
detailed listing:
executing program 0:
r0 = openat$nullb(0xffffffffffffff9c, &(0x7f0000001000), 0x48882, 0x0)
r1 = dup(r0)
fallocate(r1, 0x11, 0x0, 0x4000000000052000)
r2 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000240), 0x4000000004002, 0x0)
mmap(&(0x7f0000000000/0xe7e000)=nil, 0xe7e000, 0x200000e, 0x13, r2, 0x0)
program crashed: INFO: task hung in page_cache_ra_order
validation run: crashed=true
reproducing took 1h16m12.536777456s
repro crashed as (corrupted=false):
INFO: task syz.1.977:8062 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.977 state:D stack:28440 pid:8062 tgid:8061 ppid:5951 task_flags:0x440040 flags:0x00080002
Call Trace:
context_switch kernel/sched/core.c:5298 [inline]
__schedule+0xfee/0x6120 kernel/sched/core.c:6911
__schedule_loop kernel/sched/core.c:6993 [inline]
schedule+0xdd/0x390 kernel/sched/core.c:7008
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7065
rwsem_down_read_slowpath+0x5dc/0xb30 kernel/locking/rwsem.c:1086
__down_read_common kernel/locking/rwsem.c:1261 [inline]
__down_read kernel/locking/rwsem.c:1274 [inline]
down_read+0xed/0x460 kernel/locking/rwsem.c:1539
filemap_invalidate_lock_shared include/linux/fs.h:1093 [inline]
page_cache_ra_order+0x3ae/0xf30 mm/readahead.c:497
do_sync_mmap_readahead mm/filemap.c:3405 [inline]
filemap_fault+0x191a/0x2eb0 mm/filemap.c:3554
__do_fault+0x10d/0x550 mm/memory.c:5364
do_read_fault mm/memory.c:5799 [inline]
do_fault+0xabb/0x1990 mm/memory.c:5933
do_pte_missing mm/memory.c:4477 [inline]
handle_pte_fault mm/memory.c:6317 [inline]
__handle_mm_fault+0x180f/0x2b60 mm/memory.c:6455
handle_mm_fault+0x36d/0xa20 mm/memory.c:6624
do_user_addr_fault+0x74c/0x12f0 arch/x86/mm/fault.c:1385
handle_page_fault arch/x86/mm/fault.c:1474 [inline]
exc_page_fault+0x6f/0xd0 arch/x86/mm/fault.c:1527
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
RIP: 0010:do_strncpy_from_user lib/strncpy_from_user.c:41 [inline]
RIP: 0010:strncpy_from_user+0xfd/0x2d0 lib/strncpy_from_user.c:130
Code: 00 4d 89 64 1d 00 48 83 ed 08 bf 07 00 00 00 48 83 c3 08 48 89 ee e8 d2 14 de fc 48 83 fd 07 0f 86 bb 00 00 00 e8 e3 19 de fc <4d> 8b 24 1e e8 da 19 de fc 4c 89 e2 31 ff 4d 8d 7c 1d 00 48 b8 ff
RSP: 0018:ffffc9000d597d00 EFLAGS: 00050293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff852ab246
RDX: ffff88802e2b0000 RSI: ffffffff852ab29d RDI: ffff88802e2b0000
RBP: 00000000000000a8 R08: 0000000000000007 R09: 0000000000000007
R10: 00000000000000a8 R11: 0000000000000000 R12: 0000000000000000
R13: ffff888033f04d18 R14: 0000200000001000 R15: 00000000000000a8
do_getname+0x78/0x390 fs/namei.c:193
getname include/linux/fs.h:2512 [inline]
class_filename_constructor include/linux/fs.h:2539 [inline]
do_sys_openat2+0xc5/0x1e0 fs/open.c:1365
do_sys_open fs/open.c:1372 [inline]
__do_sys_openat fs/open.c:1388 [inline]
__se_sys_openat fs/open.c:1383 [inline]
__x64_sys_openat+0x12d/0x210 fs/open.c:1383
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd5d679c799
RSP: 002b:00007fd5d7575028 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fd5d6a15fa0 RCX: 00007fd5d679c799
RDX: 0000000000048882 RSI: 0000200000001000 RDI: ffffffffffffff9c
RBP: 00007fd5d6832c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fd5d6a16038 R14: 00007fd5d6a15fa0 R15: 00007fff6ccb3ff8
Showing all locks held in the system:
3 locks held by kworker/u8:1/13:
#0: ffff88801cac9148 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x1310/0x19a0 kernel/workqueue.c:3251
#1: ffffc90000127d08 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x988/0x19a0 kernel/workqueue.c:3252
#2: ffffffff8e7f3180 (rcu_state.barrier_mutex){+.+.}-{4:4}, at: rcu_barrier+0x48/0x6d0 kernel/rcu/tree.c:3828
1 lock held by khungtaskd/31:
#0: ffffffff8e7e76a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
#0: ffffffff8e7e76a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
#0: ffffffff8e7e76a0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x3d/0x184 kernel/locking/lockdep.c:6775
5 locks held by kworker/u8:2/36:
2 locks held by klogd/5166:
2 locks held by getty/5561:
#0: ffff888038ebb0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc9000332b2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x419/0x1500 drivers/tty/n_tty.c:2211
2 locks held by syz.3.20/6095:
1 lock held by syz.1.977/8062:
#0: ffff888027903748 (mapping.invalidate_lock){++++}-{4:4}, at: filemap_invalidate_lock_shared include/linux/fs.h:1093 [inline]
#0: ffff888027903748 (mapping.invalidate_lock){++++}-{4:4}, at: page_cache_ra_order+0x3ae/0xf30 mm/readahead.c:497
1 lock held by syz.4.3426/13160:
#0: ffff888027903748 (mapping.invalidate_lock){++++}-{4:4}, at: filemap_invalidate_lock_shared include/linux/fs.h:1093 [inline]
#0: ffff888027903748 (mapping.invalidate_lock){++++}-{4:4}, at: page_cache_ra_order+0x3ae/0xf30 mm/readahead.c:497
1 lock held by syz.6.3685/13761:
#0: ffff888027903748 (mapping.invalidate_lock){++++}-{4:4}, at: filemap_invalidate_lock_shared include/linux/fs.h:1093 [inline]
#0: ffff888027903748 (mapping.invalidate_lock){++++}-{4:4}, at: page_cache_ra_order+0x3ae/0xf30 mm/readahead.c:497
1 lock held by syz.7.5297/17206:
#0: ffff888027903748 (mapping.invalidate_lock){++++}-{4:4}, at: filemap_invalidate_lock_shared include/linux/fs.h:1093 [inline]
#0: ffff888027903748 (mapping.invalidate_lock){++++}-{4:4}, at: page_cache_ra_order+0x3ae/0xf30 mm/readahead.c:497
1 lock held by syz.5.6066/18828:
#0: ffff888027903748 (mapping.invalidate_lock){++++}-{4:4}, at: filemap_invalidate_lock_shared include/linux/fs.h:1093 [inline]
#0: ffff888027903748 (mapping.invalidate_lock){++++}-{4:4}, at: page_cache_ra_order+0x3ae/0xf30 mm/readahead.c:497
1 lock held by syz.2.6686/20170:
#0: ffff888027903748 (mapping.invalidate_lock){++++}-{4:4}, at: filemap_invalidate_lock_shared include/linux/fs.h:1093 [inline]
#0: ffff888027903748 (mapping.invalidate_lock){++++}-{4:4}, at: page_cache_ra_order+0x3ae/0xf30 mm/readahead.c:497
4 locks held by syz-executor/20811:
9 locks held by syz-executor/22112:
#0: ffff8880380fa420 (sb_writers#8){.+.+}-{0:0}, at: ksys_write+0x12a/0x250 fs/read_write.c:740
#1: ffff888062d3f088 (&of->mutex){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x2c2/0x5f0 fs/kernfs/file.c:343
#2: ffff88802a5265a8 (kn->active#58){.+.+}-{0:0}, at: kernfs_get_active_of fs/kernfs/file.c:80 [inline]
#2: ffff88802a5265a8 (kn->active#58){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x332/0x5f0 fs/kernfs/file.c:344
#3: ffffffff8fb69d28 (nsim_bus_dev_list_lock){+.+.}-{4:4}, at: del_device_store+0xd1/0x480 drivers/net/netdevsim/bus.c:234
#4: ffff88805f5890e8 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#4: ffff88805f5890e8 (&dev->mutex){....}-{4:4}, at: __device_driver_lock drivers/base/dd.c:1106 [inline]
#4: ffff88805f5890e8 (&dev->mutex){....}-{4:4}, at: device_release_driver_internal+0xaa/0x600 drivers/base/dd.c:1304
#5: ffff888022eff250 (&devlink->lock_key#15){+.+.}-{4:4}, at: nsim_drv_remove+0x4a/0x1e0 drivers/net/netdevsim/dev.c:1778
#6: ffffffff90611468 (rtnl_mutex){+.+.}-{4:4}, at: nsim_destroy+0x108/0x830 drivers/net/netdevsim/netdev.c:1177
#7: ffff8880262fcd40 (&dev_instance_lock_key#24){+.+.}-{4:4}, at: netdev_lock include/linux/netdevice.h:2784 [inline]
#7: ffff8880262fcd40 (&dev_instance_lock_key#24){+.+.}-{4:4}, at: unregister_netdevice_many_notify+0x47f/0x2580 net/core/dev.c:12374
#8: ffffffff8e7f32b8 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock+0x27f/0x3c0 kernel/rcu/tree_exp.h:311
=============================================
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 31 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
nmi_cpu_backtrace.cold+0x12d/0x151 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x1d7/0x230 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:161 [inline]
__sys_info lib/sys_info.c:157 [inline]
sys_info+0x141/0x190 lib/sys_info.c:165
check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
watchdog+0xd25/0x1050 kernel/hung_task.c:515
kthread+0x370/0x450 kernel/kthread.c:436
ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 13 Comm: kworker/u8:1 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Workqueue: events_unbound toggle_allocation_gate
RIP: 0010:__text_poke+0x26/0xae0 arch/x86/kernel/alternative.c:2535
Code: 90 90 90 90 41 57 49 89 cf 41 56 41 55 41 54 55 48 89 f5 53 48 bb 00 00 00 00 00 fc ff df 48 81 ec b8 00 00 00 48 8d 44 24 58 <48> 89 54 24 10 48 c1 e8 03 48 89 7c 24 08 48 89 44 24 28 48 01 d8
RSP: 0018:ffffc90000127918 EFLAGS: 00000296
RAX: ffffc90000127970 RBX: dffffc0000000000 RCX: 0000000000000001
RDX: ffffc90000127a70 RSI: ffffffff8269ce51 RDI: ffffffff81ac8f80
RBP: ffffffff8269ce51 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffffff9412fa5a
R13: 0000000000000005 R14: dffffc0000000000 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff888124342000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3835a4eddd CR3: 000000000e598000 CR4: 00000000003526f0
Call Trace:
smp_text_poke_batch_finish+0x6b5/0xc60 arch/x86/kernel/alternative.c:3049
arch_jump_label_transform_apply+0x1c/0x30 arch/x86/kernel/jump_label.c:146
jump_label_update+0x37a/0x550 kernel/jump_label.c:919
static_key_disable_cpuslocked+0x162/0x1c0 kernel/jump_label.c:240
static_key_disable+0x1a/0x20 kernel/jump_label.c:248
toggle_allocation_gate mm/kfence/core.c:907 [inline]
toggle_allocation_gate+0x149/0x2d0 mm/kfence/core.c:892
process_one_work+0xa23/0x19a0 kernel/workqueue.c:3276
process_scheduled_works kernel/workqueue.c:3359 [inline]
worker_thread+0x5ef/0xe50 kernel/workqueue.c:3440
kthread+0x370/0x450 kernel/kthread.c:436
ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
final repro crashed as (corrupted=false):
INFO: task syz.1.977:8062 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.977 state:D stack:28440 pid:8062 tgid:8061 ppid:5951 task_flags:0x440040 flags:0x00080002
Call Trace:
context_switch kernel/sched/core.c:5298 [inline]
__schedule+0xfee/0x6120 kernel/sched/core.c:6911
__schedule_loop kernel/sched/core.c:6993 [inline]
schedule+0xdd/0x390 kernel/sched/core.c:7008
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7065
rwsem_down_read_slowpath+0x5dc/0xb30 kernel/locking/rwsem.c:1086
__down_read_common kernel/locking/rwsem.c:1261 [inline]
__down_read kernel/locking/rwsem.c:1274 [inline]
down_read+0xed/0x460 kernel/locking/rwsem.c:1539
filemap_invalidate_lock_shared include/linux/fs.h:1093 [inline]
page_cache_ra_order+0x3ae/0xf30 mm/readahead.c:497
do_sync_mmap_readahead mm/filemap.c:3405 [inline]
filemap_fault+0x191a/0x2eb0 mm/filemap.c:3554
__do_fault+0x10d/0x550 mm/memory.c:5364
do_read_fault mm/memory.c:5799 [inline]
do_fault+0xabb/0x1990 mm/memory.c:5933
do_pte_missing mm/memory.c:4477 [inline]
handle_pte_fault mm/memory.c:6317 [inline]
__handle_mm_fault+0x180f/0x2b60 mm/memory.c:6455
handle_mm_fault+0x36d/0xa20 mm/memory.c:6624
do_user_addr_fault+0x74c/0x12f0 arch/x86/mm/fault.c:1385
handle_page_fault arch/x86/mm/fault.c:1474 [inline]
exc_page_fault+0x6f/0xd0 arch/x86/mm/fault.c:1527
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
RIP: 0010:do_strncpy_from_user lib/strncpy_from_user.c:41 [inline]
RIP: 0010:strncpy_from_user+0xfd/0x2d0 lib/strncpy_from_user.c:130
Code: 00 4d 89 64 1d 00 48 83 ed 08 bf 07 00 00 00 48 83 c3 08 48 89 ee e8 d2 14 de fc 48 83 fd 07 0f 86 bb 00 00 00 e8 e3 19 de fc <4d> 8b 24 1e e8 da 19 de fc 4c 89 e2 31 ff 4d 8d 7c 1d 00 48 b8 ff
RSP: 0018:ffffc9000d597d00 EFLAGS: 00050293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff852ab246
RDX: ffff88802e2b0000 RSI: ffffffff852ab29d RDI: ffff88802e2b0000
RBP: 00000000000000a8 R08: 0000000000000007 R09: 0000000000000007
R10: 00000000000000a8 R11: 0000000000000000 R12: 0000000000000000
R13: ffff888033f04d18 R14: 0000200000001000 R15: 00000000000000a8
do_getname+0x78/0x390 fs/namei.c:193
getname include/linux/fs.h:2512 [inline]
class_filename_constructor include/linux/fs.h:2539 [inline]
do_sys_openat2+0xc5/0x1e0 fs/open.c:1365
do_sys_open fs/open.c:1372 [inline]
__do_sys_openat fs/open.c:1388 [inline]
__se_sys_openat fs/open.c:1383 [inline]
__x64_sys_openat+0x12d/0x210 fs/open.c:1383
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd5d679c799
RSP: 002b:00007fd5d7575028 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007fd5d6a15fa0 RCX: 00007fd5d679c799
RDX: 0000000000048882 RSI: 0000200000001000 RDI: ffffffffffffff9c
RBP: 00007fd5d6832c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fd5d6a16038 R14: 00007fd5d6a15fa0 R15: 00007fff6ccb3ff8
Showing all locks held in the system:
3 locks held by kworker/u8:1/13:
#0: ffff88801cac9148 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x1310/0x19a0 kernel/workqueue.c:3251
#1: ffffc90000127d08 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x988/0x19a0 kernel/workqueue.c:3252
#2: ffffffff8e7f3180 (rcu_state.barrier_mutex){+.+.}-{4:4}, at: rcu_barrier+0x48/0x6d0 kernel/rcu/tree.c:3828
1 lock held by khungtaskd/31:
#0: ffffffff8e7e76a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
#0: ffffffff8e7e76a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
#0: ffffffff8e7e76a0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x3d/0x184 kernel/locking/lockdep.c:6775
5 locks held by kworker/u8:2/36:
2 locks held by klogd/5166:
2 locks held by getty/5561:
#0: ffff888038ebb0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc9000332b2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x419/0x1500 drivers/tty/n_tty.c:2211
2 locks held by syz.3.20/6095:
1 lock held by syz.1.977/8062:
#0: ffff888027903748 (mapping.invalidate_lock){++++}-{4:4}, at: filemap_invalidate_lock_shared include/linux/fs.h:1093 [inline]
#0: ffff888027903748 (mapping.invalidate_lock){++++}-{4:4}, at: page_cache_ra_order+0x3ae/0xf30 mm/readahead.c:497
1 lock held by syz.4.3426/13160:
#0: ffff888027903748 (mapping.invalidate_lock){++++}-{4:4}, at: filemap_invalidate_lock_shared include/linux/fs.h:1093 [inline]
#0: ffff888027903748 (mapping.invalidate_lock){++++}-{4:4}, at: page_cache_ra_order+0x3ae/0xf30 mm/readahead.c:497
1 lock held by syz.6.3685/13761:
#0: ffff888027903748 (mapping.invalidate_lock){++++}-{4:4}, at: filemap_invalidate_lock_shared include/linux/fs.h:1093 [inline]
#0: ffff888027903748 (mapping.invalidate_lock){++++}-{4:4}, at: page_cache_ra_order+0x3ae/0xf30 mm/readahead.c:497
1 lock held by syz.7.5297/17206:
#0: ffff888027903748 (mapping.invalidate_lock){++++}-{4:4}, at: filemap_invalidate_lock_shared include/linux/fs.h:1093 [inline]
#0: ffff888027903748 (mapping.invalidate_lock){++++}-{4:4}, at: page_cache_ra_order+0x3ae/0xf30 mm/readahead.c:497
1 lock held by syz.5.6066/18828:
#0: ffff888027903748 (mapping.invalidate_lock){++++}-{4:4}, at: filemap_invalidate_lock_shared include/linux/fs.h:1093 [inline]
#0: ffff888027903748 (mapping.invalidate_lock){++++}-{4:4}, at: page_cache_ra_order+0x3ae/0xf30 mm/readahead.c:497
1 lock held by syz.2.6686/20170:
#0: ffff888027903748 (mapping.invalidate_lock){++++}-{4:4}, at: filemap_invalidate_lock_shared include/linux/fs.h:1093 [inline]
#0: ffff888027903748 (mapping.invalidate_lock){++++}-{4:4}, at: page_cache_ra_order+0x3ae/0xf30 mm/readahead.c:497
4 locks held by syz-executor/20811:
9 locks held by syz-executor/22112:
#0: ffff8880380fa420 (sb_writers#8){.+.+}-{0:0}, at: ksys_write+0x12a/0x250 fs/read_write.c:740
#1: ffff888062d3f088 (&of->mutex){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x2c2/0x5f0 fs/kernfs/file.c:343
#2: ffff88802a5265a8 (kn->active#58){.+.+}-{0:0}, at: kernfs_get_active_of fs/kernfs/file.c:80 [inline]
#2: ffff88802a5265a8 (kn->active#58){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x332/0x5f0 fs/kernfs/file.c:344
#3: ffffffff8fb69d28 (nsim_bus_dev_list_lock){+.+.}-{4:4}, at: del_device_store+0xd1/0x480 drivers/net/netdevsim/bus.c:234
#4: ffff88805f5890e8 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#4: ffff88805f5890e8 (&dev->mutex){....}-{4:4}, at: __device_driver_lock drivers/base/dd.c:1106 [inline]
#4: ffff88805f5890e8 (&dev->mutex){....}-{4:4}, at: device_release_driver_internal+0xaa/0x600 drivers/base/dd.c:1304
#5: ffff888022eff250 (&devlink->lock_key#15){+.+.}-{4:4}, at: nsim_drv_remove+0x4a/0x1e0 drivers/net/netdevsim/dev.c:1778
#6: ffffffff90611468 (rtnl_mutex){+.+.}-{4:4}, at: nsim_destroy+0x108/0x830 drivers/net/netdevsim/netdev.c:1177
#7: ffff8880262fcd40 (&dev_instance_lock_key#24){+.+.}-{4:4}, at: netdev_lock include/linux/netdevice.h:2784 [inline]
#7: ffff8880262fcd40 (&dev_instance_lock_key#24){+.+.}-{4:4}, at: unregister_netdevice_many_notify+0x47f/0x2580 net/core/dev.c:12374
#8: ffffffff8e7f32b8 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock+0x27f/0x3c0 kernel/rcu/tree_exp.h:311
=============================================
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 31 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
nmi_cpu_backtrace.cold+0x12d/0x151 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x1d7/0x230 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:161 [inline]
__sys_info lib/sys_info.c:157 [inline]
sys_info+0x141/0x190 lib/sys_info.c:165
check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
watchdog+0xd25/0x1050 kernel/hung_task.c:515
kthread+0x370/0x450 kernel/kthread.c:436
ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 13 Comm: kworker/u8:1 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Workqueue: events_unbound toggle_allocation_gate
RIP: 0010:__text_poke+0x26/0xae0 arch/x86/kernel/alternative.c:2535
Code: 90 90 90 90 41 57 49 89 cf 41 56 41 55 41 54 55 48 89 f5 53 48 bb 00 00 00 00 00 fc ff df 48 81 ec b8 00 00 00 48 8d 44 24 58 <48> 89 54 24 10 48 c1 e8 03 48 89 7c 24 08 48 89 44 24 28 48 01 d8
RSP: 0018:ffffc90000127918 EFLAGS: 00000296
RAX: ffffc90000127970 RBX: dffffc0000000000 RCX: 0000000000000001
RDX: ffffc90000127a70 RSI: ffffffff8269ce51 RDI: ffffffff81ac8f80
RBP: ffffffff8269ce51 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffffff9412fa5a
R13: 0000000000000005 R14: dffffc0000000000 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff888124342000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3835a4eddd CR3: 000000000e598000 CR4: 00000000003526f0
Call Trace:
smp_text_poke_batch_finish+0x6b5/0xc60 arch/x86/kernel/alternative.c:3049
arch_jump_label_transform_apply+0x1c/0x30 arch/x86/kernel/jump_label.c:146
jump_label_update+0x37a/0x550 kernel/jump_label.c:919
static_key_disable_cpuslocked+0x162/0x1c0 kernel/jump_label.c:240
static_key_disable+0x1a/0x20 kernel/jump_label.c:248
toggle_allocation_gate mm/kfence/core.c:907 [inline]
toggle_allocation_gate+0x149/0x2d0 mm/kfence/core.c:892
process_one_work+0xa23/0x19a0 kernel/workqueue.c:3276
process_scheduled_works kernel/workqueue.c:3359 [inline]
worker_thread+0x5ef/0xe50 kernel/workqueue.c:3440
kthread+0x370/0x450 kernel/kthread.c:436
ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245