[syzbot] [block?] [trace?] INFO: task hung in blk_trace_remove (2)


syzbot

Jan 25, 2024, 2:31:35 PM
to ak...@linux-foundation.org, ax...@kernel.dk, dvy...@google.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-tra...@vger.kernel.org, mathieu....@efficios.com, mhir...@kernel.org, pengf...@intel.com, ros...@goodmis.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 7a396820222d Merge tag 'v6.8-rc-part2-smb-client' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10c2406be80000
kernel config: https://syzkaller.appspot.com/x/.config?x=4059ab9bf06b6ceb
dashboard link: https://syzkaller.appspot.com/bug?extid=2373f6be3e6de4f92562
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14669c6fe80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=12d23ae3e80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6bbe281de19f/disk-7a396820.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/aad457fc635f/vmlinux-7a396820.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b41601ff5beb/bzImage-7a396820.xz

The issue was bisected to:

commit 0d345996e4cb573f8cc81d49b3ee9a7fd2035bef
Author: Pengfei Xu <pengf...@intel.com>
Date: Mon Jul 31 03:04:18 2023 +0000

x86/kernel: increase kcov coverage under arch/x86/kernel folder

bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=1594cacfe80000
final oops: https://syzkaller.appspot.com/x/report.txt?x=1794cacfe80000
console output: https://syzkaller.appspot.com/x/log.txt?x=1394cacfe80000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2373f6...@syzkaller.appspotmail.com
Fixes: 0d345996e4cb ("x86/kernel: increase kcov coverage under arch/x86/kernel folder")

INFO: task syz-executor208:5137 blocked for more than 143 seconds.
Not tainted 6.7.0-syzkaller-12991-g7a396820222d #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor208 state:D stack:29312 pid:5137 tgid:5134 ppid:5112 flags:0x00004006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:406
sg_ioctl_common drivers/scsi/sg.c:1126 [inline]
sg_ioctl+0x9ac/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f61c0ac50d9
RSP: 002b:00007f61c0a60168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f61c0b4c3d8 RCX: 00007f61c0ac50d9
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000003
RBP: 00007f61c0b4c3d0 R08: 00007ffdb9ff9147 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f61c0b4c3dc
R13: 000000000000006e R14: 00007ffdb9ff9060 R15: 00007ffdb9ff9148
</TASK>

Showing all locks held in the system:
1 lock held by khungtaskd/29:
#0: ffffffff8d1acba0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
#0: ffffffff8d1acba0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
#0: ffffffff8d1acba0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x75/0x340 kernel/locking/lockdep.c:6614
2 locks held by getty/4817:
#0: ffff8880297d30a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfc6/0x1490 drivers/tty/n_tty.c:2201
3 locks held by syz-executor208/5136:
1 lock held by syz-executor208/5137:
#0: ffff88801e9032b0 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:406
1 lock held by syz-executor208/5140:
#0: ffff88801e9032b0 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:648
1 lock held by syz-executor208/5141:
#0: ffff88801e9032b0 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:406
1 lock held by syz-executor208/5149:
#0: ffff88801e9032b0 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:648
1 lock held by syz-executor208/5152:
#0: ffff88801e9032b0 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:406
1 lock held by syz-executor208/5151:
#0: ffff88801e9032b0 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:648
1 lock held by syz-executor208/5153:
#0: ffff88801e9032b0 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:406
1 lock held by syz-executor208/5155:
#0: ffff88801e9032b0 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:648
1 lock held by syz-executor208/5156:
#0: ffff88801e9032b0 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:406

=============================================

NMI backtrace for cpu 1
CPU: 1 PID: 29 Comm: khungtaskd Not tainted 6.7.0-syzkaller-12991-g7a396820222d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
nmi_cpu_backtrace+0x277/0x390 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x299/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:222 [inline]
watchdog+0xf87/0x1210 kernel/hung_task.c:379
kthread+0x2c6/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 5136 Comm: syz-executor208 Not tainted 6.7.0-syzkaller-12991-g7a396820222d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:check_kcov_mode kernel/kcov.c:173 [inline]
RIP: 0010:write_comp_data+0x19/0x80 kernel/kcov.c:236
Code: 8b 80 f0 15 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 49 89 d2 49 89 f8 49 89 f1 65 48 8b 14 25 80 c2 03 00 65 8b 05 bf a6 7b 7e <a9> 00 01 ff 00 74 0f f6 c4 01 74 59 8b 82 fc 15 00 00 85 c0 74 4f
RSP: 0018:ffffc900045e77e0 EFLAGS: 00000202
RAX: 0000000080000001 RBX: 0000000000000002 RCX: ffffffff813a4c8d
RDX: ffff88806d973b80 RSI: 0000000000000003 RDI: 0000000000000001
RBP: ffffffff8ac9ccc0 R08: 0000000000000001 R09: 0000000000000003
R10: 0000000000000002 R11: 0000000000000002 R12: 0000000000000002
R13: 0000000000000001 R14: 0000000000000003 R15: 0000000000000002
FS: 00007f61c0a606c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055e6254f9440 CR3: 000000006e15a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
__sanitizer_cov_trace_switch+0x54/0x90 kernel/kcov.c:341
unwind_next_frame+0x77d/0x2390 arch/x86/kernel/unwind_orc.c:581
__unwind_start+0x5a4/0x880 arch/x86/kernel/unwind_orc.c:760
unwind_start arch/x86/include/asm/unwind.h:64 [inline]
arch_stack_walk+0xaf/0x170 arch/x86/kernel/stacktrace.c:24
stack_trace_save+0x96/0xd0 kernel/stacktrace.c:122
save_stack+0x160/0x1f0 mm/page_owner.c:129
__reset_page_owner+0x51/0x2e0 mm/page_owner.c:150
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1140 [inline]
free_unref_page_prepare+0x51f/0xb10 mm/page_alloc.c:2346
free_unref_page+0x33/0x3c0 mm/page_alloc.c:2486
relay_destroy_buf+0x121/0x3e0 kernel/relay.c:201
relay_remove_buf kernel/relay.c:221 [inline]
kref_put include/linux/kref.h:65 [inline]
relay_close_buf+0x153/0x1b0 kernel/relay.c:430
relay_close kernel/relay.c:766 [inline]
relay_close+0x3a8/0x5d0 kernel/relay.c:752
blk_trace_free+0x37/0x170 kernel/trace/blktrace.c:316
blk_trace_cleanup kernel/trace/blktrace.c:384 [inline]
__blk_trace_remove+0x7f/0x130 kernel/trace/blktrace.c:397
blk_trace_remove+0x27/0x40 kernel/trace/blktrace.c:407
sg_ioctl_common drivers/scsi/sg.c:1126 [inline]
sg_ioctl+0x9ac/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f61c0ac50d9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 1a 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f61c0a60168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f61c0b4c3d8 RCX: 00007f61c0ac50d9
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000003
RBP: 00007f61c0b4c3d0 R08: 00007ffdb9ff9147 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f61c0b4c3dc
R13: 000000000000006e R14: 00007ffdb9ff9060 R15: 00007ffdb9ff9148
</TASK>
INFO: NMI handler (nmi_cpu_backtrace_handler) took too long to run: 1.919 msecs


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
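A note on reading the "Showing all locks held" dump in the report above, with an added triage script (this is not part of the thread, not syzbot's code and not kernel code; the sample input is the lock dump copied from the report, and the function names are my own). lockdep records a lock in a task's held_locks before the task has actually acquired it, so every thread parked in __mutex_lock() on &q->debugfs_mutex is printed as "holding" it; only one task can own a mutex. lockdep_print_held_locks() also omits the per-lock lines for a task that is running on another CPU, which is why "3 locks held by syz-executor208/5136:" is followed by nothing: that is the task whose NMI backtrace (CPU 0, inside relay_close() under __blk_trace_remove()) shows what the owner was doing while the other nine waited.

```python
"""Triage helper for hung-task reports: who really owns the contended mutex?

lockdep lists a lock under a task *before* the task has acquired it, so all
waiters blocked in __mutex_lock() on one mutex appear as holders.  It also
prints no per-lock lines for a task running on another CPU; that task is the
one to look up in the NMI backtraces that follow the dump.
"""
import re
from collections import defaultdict

# "1 lock held by syz-executor208/5137:"  -> (count, comm, pid)
HEADER_RE = re.compile(r"^(\d+) locks? held by (\S+)/(\d+):\s*$")
# "#0: ffff88801e9032b0 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 ..."
#   -> (index, address, lock name, acquisition site)
LOCK_RE = re.compile(r"^#(\d+): ([0-9a-f]{16}) \((.+?)\)\{[^}]*\}-\{\d+:\d+\}, at: (\S+)")

# Sample input: the lock dump from the syzbot report above, verbatim.
SAMPLE_DUMP = """\
Showing all locks held in the system:
1 lock held by khungtaskd/29:
#0: ffffffff8d1acba0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
#0: ffffffff8d1acba0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
#0: ffffffff8d1acba0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x75/0x340 kernel/locking/lockdep.c:6614
2 locks held by getty/4817:
#0: ffff8880297d30a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfc6/0x1490 drivers/tty/n_tty.c:2201
3 locks held by syz-executor208/5136:
1 lock held by syz-executor208/5137:
#0: ffff88801e9032b0 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:406
1 lock held by syz-executor208/5140:
#0: ffff88801e9032b0 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:648
1 lock held by syz-executor208/5141:
#0: ffff88801e9032b0 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:406
1 lock held by syz-executor208/5149:
#0: ffff88801e9032b0 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:648
1 lock held by syz-executor208/5152:
#0: ffff88801e9032b0 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:406
1 lock held by syz-executor208/5151:
#0: ffff88801e9032b0 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:648
1 lock held by syz-executor208/5153:
#0: ffff88801e9032b0 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:406
1 lock held by syz-executor208/5155:
#0: ffff88801e9032b0 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:648
1 lock held by syz-executor208/5156:
#0: ffff88801e9032b0 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:406
"""


def parse_locks_held(text):
    """Map lock address -> {"name", "tasks": {pid: (comm, site)}}, owner and waiters alike."""
    locks = defaultdict(lambda: {"name": None, "tasks": {}})
    comm = pid = None
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            comm, pid = m.group(2), int(m.group(3))
        elif pid is not None and (m := LOCK_RE.match(line)):
            entry = locks[m.group(2)]
            entry["name"] = m.group(3)
            entry["tasks"].setdefault(pid, (comm, m.group(4)))  # keep the outermost frame only
    return dict(locks)


def contended_locks(locks, min_tasks=2):
    """Addresses listed by several tasks, most crowded first; for a mutex at most one owns it."""
    hits = [(a, e) for a, e in locks.items() if len(e["tasks"]) >= min_tasks]
    return sorted(hits, key=lambda kv: -len(kv[1]["tasks"]))


def running_tasks(text):
    """Tasks whose header announces more locks than the dump prints for them.

    lockdep skips the per-lock lines for a task running on another CPU, so
    these are the candidate owners of a contended lock: find the PID in the
    NMI backtraces to see what it is doing while holding it.
    """
    found, cur = [], None  # cur = [pid, comm, announced, printed lock indices]
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            if cur and len(cur[3]) < cur[2]:
                found.append((cur[0], cur[1], cur[2]))
            cur = [int(m.group(3)), m.group(2), int(m.group(1)), set()]
        elif cur and (m := LOCK_RE.match(line)):
            cur[3].add(int(m.group(1)))
    if cur and len(cur[3]) < cur[2]:
        found.append((cur[0], cur[1], cur[2]))
    return found


if __name__ == "__main__":
    locks = parse_locks_held(SAMPLE_DUMP)
    for addr, e in contended_locks(locks):
        n = len(e["tasks"])
        print(f"{addr} {e['name']}: {n} tasks listed, at least {n - 1} blocked in __mutex_lock")
        for pid, (comm, site) in sorted(e["tasks"].items()):
            print(f"    {comm}/{pid} at {site}")
    for pid, comm, n in running_tasks(SAMPLE_DUMP):
        print(f"{comm}/{pid}: {n} locks announced, none printed -> running; see its NMI backtrace")
```

Run against the report it flags ffff88801e9032b0 (&q->debugfs_mutex) with nine listed tasks and 5136 as the running task with unprinted locks, which matches the CPU 0 backtrace: the owner is inside relay_destroy_buf() → page_owner stack walking under kcov, and the nine others are simply waiting on it.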

Edward Adam Davis

Jan 29, 2024, 8:00:55 PM
to syzbot+2373f6...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
please test task hung in blk_trace_remove

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index d5d94510afd3..43af0e72488c 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -320,8 +320,10 @@ static void blk_trace_free(struct request_queue *q, struct blk_trace *bt)
* under 'q->debugfs_dir', thus lookup and remove them.
*/
if (!bt->dir) {
- debugfs_lookup_and_remove("dropped", q->debugfs_dir);
- debugfs_lookup_and_remove("msg", q->debugfs_dir);
+ struct dentry *debugfs_dir = q ? q->debugfs_dir : bt->debugfs_dir;
+
+ debugfs_lookup_and_remove("dropped", debugfs_dir);
+ debugfs_lookup_and_remove("msg", debugfs_dir);
} else {
debugfs_remove(bt->dir);
}
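Review bot: the fallback `q ? q->debugfs_dir : bt->debugfs_dir` makes blk_trace_free() accept a NULL queue, but the comment immediately above still says the files live under 'q->debugfs_dir', and nothing states when q may be NULL or who guarantees bt->debugfs_dir was filled in first (it is only assigned in blk_trace_cleanup(), in the next hunk, and only when !bt->dir). Either document that contract at the function head or pass the parent `struct dentry *` explicitly instead of a nullable q. Note also that debugfs_lookup_and_remove() can sleep, so whatever ends up calling blk_trace_free(NULL, ...) must be in process context.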
@@ -377,12 +379,23 @@ static int blk_trace_stop(struct blk_trace *bt)
return 0;
}

+static void blk_trace_rcu_free(struct rcu_head *rcu)
+{
+ struct blk_trace *bt;
+
+ bt = container_of(rcu, struct blk_trace, rcu);
+ if (bt) {
+ blk_trace_free(NULL, bt);
+ put_probe_ref();
+ }
+}
+
static void blk_trace_cleanup(struct request_queue *q, struct blk_trace *bt)
{
blk_trace_stop(bt);
- synchronize_rcu();
- blk_trace_free(q, bt);
- put_probe_ref();
+ if (!bt->dir)
+ bt->debugfs_dir = q->debugfs_dir;
+ call_rcu(&bt->rcu, blk_trace_rcu_free);
}

static int __blk_trace_remove(struct request_queue *q)
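Review bot: blk_trace_rcu_free() is an RCU callback and therefore runs from rcu_core() in softirq context, yet it calls blk_trace_free(), which goes through relay_close() and the debugfs removals; relay_close() takes a mutex (see the __mutex_lock frame under relay_close in syzbot's test result below), so this trades the hung task for a sleeping-function-in-atomic-context splat. The `if (bt)` after container_of() is dead code: container_of() on a non-NULL rcu pointer never yields NULL. If the aim is to stop freeing the trace while q->debugfs_mutex is held for a long time, the deferred work needs a sleepable context, for example an rcu_work submitted with queue_rcu_work() so a grace period still precedes the free, rather than call_rcu().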
diff --git a/include/linux/blktrace_api.h b/include/linux/blktrace_api.h
index 122c62e561fc..4920c201bd12 100644
--- a/include/linux/blktrace_api.h
+++ b/include/linux/blktrace_api.h
@@ -26,6 +26,8 @@ struct blk_trace {
struct dentry *dir;
struct list_head running_list;
atomic_t dropped;
+ struct dentry *debugfs_dir;
+ struct rcu_head rcu;
};

extern int blk_trace_ioctl(struct block_device *, unsigned, char __user *);
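Review bot: both new members need comments. `debugfs_dir` sitting next to the existing `dir` is easy to confuse: `dir` is the per-trace directory (NULL when 'dropped' and 'msg' were created directly under the queue's directory, per the comment in blk_trace_free()), while `debugfs_dir` is a cached copy of q->debugfs_dir taken in blk_trace_cleanup() so the free path can run without q. `rcu` should name the callback that consumes it. Since blk_trace_cleanup() only fills `debugfs_dir` when `!bt->dir`, any other path reaching blk_trace_free(NULL, bt) would pass a NULL parent to debugfs_lookup_and_remove(), which debugfs treats as the debugfs root.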

syzbot

Jan 29, 2024, 8:48:05 PM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: sleeping function called from invalid context in relay_close

BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5650, name: syz-executor.4
preempt_count: 101, expected: 0
RCU nest depth: 0, expected: 0
4 locks held by syz-executor.4/5650:
#0: ffff88801f37c3d0 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:661
#1: ffffffff8d19a1c0 (console_lock){+.+.}-{0:0}, at: console_trylock_spinning kernel/printk/printk.c:1923 [inline]
#1: ffffffff8d19a1c0 (console_lock){+.+.}-{0:0}, at: vprintk_emit+0x162/0x5f0 kernel/printk/printk.c:2302
#2: ffffffff8d19a230 (console_srcu){....}-{0:0}, at: rcu_try_lock_acquire include/linux/rcupdate.h:303 [inline]
#2: ffffffff8d19a230 (console_srcu){....}-{0:0}, at: srcu_read_lock_nmisafe include/linux/srcu.h:232 [inline]
#2: ffffffff8d19a230 (console_srcu){....}-{0:0}, at: console_srcu_read_lock kernel/printk/printk.c:286 [inline]
#2: ffffffff8d19a230 (console_srcu){....}-{0:0}, at: console_flush_all+0x12d/0xd60 kernel/printk/printk.c:2959
#3: ffffffff8d1acac0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
#3: ffffffff8d1acac0 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2184 [inline]
#3: ffffffff8d1acac0 (rcu_callback){....}-{0:0}, at: rcu_core+0x7bd/0x1680 kernel/rcu/tree.c:2465
Preemption disabled at:
[<ffffffff816b4ebd>] vprintk_emit+0x15d/0x5f0 kernel/printk/printk.c:2295
CPU: 0 PID: 5650 Comm: syz-executor.4 Not tainted 6.8.0-rc2-syzkaller-g41bccc98fb79-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
__might_resched+0x3c3/0x5e0 kernel/sched/core.c:10176
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0xe2/0x9d0 kernel/locking/mutex.c:752
relay_close kernel/relay.c:760 [inline]
relay_close+0x36/0x5d0 kernel/relay.c:752
blk_trace_free+0x37/0x190 kernel/trace/blktrace.c:316
blk_trace_rcu_free+0x22/0x30 kernel/trace/blktrace.c:388
rcu_do_batch kernel/rcu/tree.c:2190 [inline]
rcu_core+0x819/0x1680 kernel/rcu/tree.c:2465
__do_softirq+0x21a/0x8de kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu kernel/softirq.c:632 [inline]
irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:console_flush_all+0xa11/0xd60 kernel/printk/printk.c:2973
Code: e8 84 c1 23 00 9c 5b 81 e3 00 02 00 00 31 ff 48 89 de e8 c2 db 1c 00 48 85 db 0f 85 7c 01 00 00 e8 24 e0 1c 00 fb 48 8b 04 24 <4c> 89 fa 83 e2 07 0f b6 00 38 d0 7f 08 84 c0 0f 85 55 02 00 00 41
RSP: 0018:ffffc90009d478d0 EFLAGS: 00000293
RAX: fffff520013a8f41 RBX: 0000000000000000 RCX: ffffffff816b466e
RDX: ffff888029055940 RSI: ffffffff816b467c RDI: 0000000000000007
RBP: dffffc0000000000 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000004 R12: 0000000000000000
R13: ffffffff8dda6a58 R14: ffffffff8dda6a00 R15: ffffc90009d47a08
console_unlock+0x10c/0x260 kernel/printk/printk.c:3036
vprintk_emit+0x17f/0x5f0 kernel/printk/printk.c:2303
vprintk+0x7b/0x90 kernel/printk/printk_safe.c:45
_printk+0xc8/0x100 kernel/printk/printk.c:2328
do_blk_trace_setup+0x888/0xaa0 kernel/trace/blktrace.c:590
__blk_trace_setup+0xd8/0x180 kernel/trace/blktrace.c:644
blk_trace_setup+0x47/0x60 kernel/trace/blktrace.c:662
sg_ioctl_common drivers/scsi/sg.c:1118 [inline]
sg_ioctl+0x669/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f70eba7cda9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f70ec73a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f70ebbabf80 RCX: 00007f70eba7cda9
RDX: 0000000020000040 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007f70ebac947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f70ebbabf80 R15: 00007ffdbca452f8
</TASK>

=============================
[ BUG: Invalid wait context ]
6.8.0-rc2-syzkaller-g41bccc98fb79-dirty #0 Tainted: G W
-----------------------------
syz-executor.4/5650 is trying to lock:
ffffffff8d21c348 (relay_channels_mutex){+.+.}-{3:3}, at: relay_close kernel/relay.c:760 [inline]
ffffffff8d21c348 (relay_channels_mutex){+.+.}-{3:3}, at: relay_close+0x36/0x5d0 kernel/relay.c:752
other info that might help us debug this:
context-{2:2}
4 locks held by syz-executor.4/5650:
#0: ffff88801f37c3d0 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:661
#1: ffffffff8d19a1c0 (console_lock){+.+.}-{0:0}, at: console_trylock_spinning kernel/printk/printk.c:1923 [inline]
#1: ffffffff8d19a1c0 (console_lock){+.+.}-{0:0}, at: vprintk_emit+0x162/0x5f0 kernel/printk/printk.c:2302
#2: ffffffff8d19a230 (console_srcu){....}-{0:0}, at: rcu_try_lock_acquire include/linux/rcupdate.h:303 [inline]
#2: ffffffff8d19a230 (console_srcu){....}-{0:0}, at: srcu_read_lock_nmisafe include/linux/srcu.h:232 [inline]
#2: ffffffff8d19a230 (console_srcu){....}-{0:0}, at: console_srcu_read_lock kernel/printk/printk.c:286 [inline]
#2: ffffffff8d19a230 (console_srcu){....}-{0:0}, at: console_flush_all+0x12d/0xd60 kernel/printk/printk.c:2959
#3: ffffffff8d1acac0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
#3: ffffffff8d1acac0 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2184 [inline]
#3: ffffffff8d1acac0 (rcu_callback){....}-{0:0}, at: rcu_core+0x7bd/0x1680 kernel/rcu/tree.c:2465
stack backtrace:
CPU: 0 PID: 5650 Comm: syz-executor.4 Tainted: G W 6.8.0-rc2-syzkaller-g41bccc98fb79-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_lock_invalid_wait_context kernel/locking/lockdep.c:4751 [inline]
check_wait_context kernel/locking/lockdep.c:4821 [inline]
__lock_acquire+0x821/0x3b30 kernel/locking/lockdep.c:5087
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1ae/0x520 kernel/locking/lockdep.c:5719
__mutex_lock_common kernel/locking/mutex.c:608 [inline]
__mutex_lock+0x175/0x9d0 kernel/locking/mutex.c:752
relay_close kernel/relay.c:760 [inline]
relay_close+0x36/0x5d0 kernel/relay.c:752
blk_trace_free+0x37/0x190 kernel/trace/blktrace.c:316
blk_trace_rcu_free+0x22/0x30 kernel/trace/blktrace.c:388
rcu_do_batch kernel/rcu/tree.c:2190 [inline]
rcu_core+0x819/0x1680 kernel/rcu/tree.c:2465
__do_softirq+0x21a/0x8de kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu kernel/softirq.c:632 [inline]
irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:console_flush_all+0xa11/0xd60 kernel/printk/printk.c:2973
Code: e8 84 c1 23 00 9c 5b 81 e3 00 02 00 00 31 ff 48 89 de e8 c2 db 1c 00 48 85 db 0f 85 7c 01 00 00 e8 24 e0 1c 00 fb 48 8b 04 24 <4c> 89 fa 83 e2 07 0f b6 00 38 d0 7f 08 84 c0 0f 85 55 02 00 00 41
RSP: 0018:ffffc90009d478d0 EFLAGS: 00000293
RAX: fffff520013a8f41 RBX: 0000000000000000 RCX: ffffffff816b466e
RDX: ffff888029055940 RSI: ffffffff816b467c RDI: 0000000000000007
RBP: dffffc0000000000 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000004 R12: 0000000000000000
R13: ffffffff8dda6a58 R14: ffffffff8dda6a00 R15: ffffc90009d47a08
console_unlock+0x10c/0x260 kernel/printk/printk.c:3036
vprintk_emit+0x17f/0x5f0 kernel/printk/printk.c:2303
vprintk+0x7b/0x90 kernel/printk/printk_safe.c:45
_printk+0xc8/0x100 kernel/printk/printk.c:2328
do_blk_trace_setup+0x888/0xaa0 kernel/trace/blktrace.c:590
__blk_trace_setup+0xd8/0x180 kernel/trace/blktrace.c:644
blk_trace_setup+0x47/0x60 kernel/trace/blktrace.c:662
sg_ioctl_common drivers/scsi/sg.c:1118 [inline]
sg_ioctl+0x669/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f70eba7cda9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f70ec73a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f70ebbabf80 RCX: 00007f70eba7cda9
RDX: 0000000020000040 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007f70ebac947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f70ebbabf80 R15: 00007ffdbca452f8
</TASK>
------------[ cut here ]------------
kernel BUG at mm/vmalloc.c:2864!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5650 Comm: syz-executor.4 Tainted: G W 6.8.0-rc2-syzkaller-g41bccc98fb79-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:vunmap+0x77/0xa0 mm/vmalloc.c:2864
Code: 48 89 ef e8 bb fb ff ff 48 85 c0 48 89 c3 74 1c e8 3e d4 b4 ff 48 89 df e8 76 97 02 00 5b 5d e9 2f d4 b4 ff e8 2a d4 b4 ff 90 <0f> 0b e8 22 d4 b4 ff 90 48 c7 c7 80 e8 d9 8a 48 89 ee e8 d2 c4 7a
RSP: 0018:ffffc90000007d18 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000100 RCX: ffffffff81d35224
RDX: ffff888029055940 RSI: ffffffff81d35276 RDI: 0000000000000005
RBP: ffffc9000cea1000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000100 R11: ffffffff8a9228aa R12: ffff88802d70c4a8
R13: fffffbfff1e75f73 R14: ffffed100d9dd408 R15: ffff88806ceea000
FS: 00007f70ec73a6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007efc1e7739a0 CR3: 000000006a156000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
relay_destroy_buf+0x6e/0x3e0 kernel/relay.c:199
relay_remove_buf kernel/relay.c:221 [inline]
kref_put include/linux/kref.h:65 [inline]
relay_close_buf+0x153/0x1b0 kernel/relay.c:430
relay_close kernel/relay.c:766 [inline]
relay_close+0x3a8/0x5d0 kernel/relay.c:752
blk_trace_free+0x37/0x190 kernel/trace/blktrace.c:316
blk_trace_rcu_free+0x22/0x30 kernel/trace/blktrace.c:388
rcu_do_batch kernel/rcu/tree.c:2190 [inline]
rcu_core+0x819/0x1680 kernel/rcu/tree.c:2465
__do_softirq+0x21a/0x8de kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu kernel/softirq.c:632 [inline]
irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:console_flush_all+0xa11/0xd60 kernel/printk/printk.c:2973
Code: e8 84 c1 23 00 9c 5b 81 e3 00 02 00 00 31 ff 48 89 de e8 c2 db 1c 00 48 85 db 0f 85 7c 01 00 00 e8 24 e0 1c 00 fb 48 8b 04 24 <4c> 89 fa 83 e2 07 0f b6 00 38 d0 7f 08 84 c0 0f 85 55 02 00 00 41
RSP: 0018:ffffc90009d478d0 EFLAGS: 00000293
RAX: fffff520013a8f41 RBX: 0000000000000000 RCX: ffffffff816b466e
RDX: ffff888029055940 RSI: ffffffff816b467c RDI: 0000000000000007
RBP: dffffc0000000000 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000004 R12: 0000000000000000
R13: ffffffff8dda6a58 R14: ffffffff8dda6a00 R15: ffffc90009d47a08
console_unlock+0x10c/0x260 kernel/printk/printk.c:3036
vprintk_emit+0x17f/0x5f0 kernel/printk/printk.c:2303
vprintk+0x7b/0x90 kernel/printk/printk_safe.c:45
_printk+0xc8/0x100 kernel/printk/printk.c:2328
do_blk_trace_setup+0x888/0xaa0 kernel/trace/blktrace.c:590
__blk_trace_setup+0xd8/0x180 kernel/trace/blktrace.c:644
blk_trace_setup+0x47/0x60 kernel/trace/blktrace.c:662
sg_ioctl_common drivers/scsi/sg.c:1118 [inline]
sg_ioctl+0x669/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f70eba7cda9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f70ec73a0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f70ebbabf80 RCX: 00007f70eba7cda9
RDX: 0000000020000040 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007f70ebac947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f70ebbabf80 R15: 00007ffdbca452f8
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:vunmap+0x77/0xa0 mm/vmalloc.c:2864
Code: 48 89 ef e8 bb fb ff ff 48 85 c0 48 89 c3 74 1c e8 3e d4 b4 ff 48 89 df e8 76 97 02 00 5b 5d e9 2f d4 b4 ff e8 2a d4 b4 ff 90 <0f> 0b e8 22 d4 b4 ff 90 48 c7 c7 80 e8 d9 8a 48 89 ee e8 d2 c4 7a
RSP: 0018:ffffc90000007d18 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000100 RCX: ffffffff81d35224
RDX: ffff888029055940 RSI: ffffffff81d35276 RDI: 0000000000000005
RBP: ffffc9000cea1000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000100 R11: ffffffff8a9228aa R12: ffff88802d70c4a8
R13: fffffbfff1e75f73 R14: ffffed100d9dd408 R15: ffff88806ceea000
FS: 00007f70ec73a6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007efc1e7739a0 CR3: 000000006a156000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: e8 84 c1 23 00 call 0x23c189
5: 9c pushf
6: 5b pop %rbx
7: 81 e3 00 02 00 00 and $0x200,%ebx
d: 31 ff xor %edi,%edi
f: 48 89 de mov %rbx,%rsi
12: e8 c2 db 1c 00 call 0x1cdbd9
17: 48 85 db test %rbx,%rbx
1a: 0f 85 7c 01 00 00 jne 0x19c
20: e8 24 e0 1c 00 call 0x1ce049
25: fb sti
26: 48 8b 04 24 mov (%rsp),%rax
* 2a: 4c 89 fa mov %r15,%rdx <-- trapping instruction
2d: 83 e2 07 and $0x7,%edx
30: 0f b6 00 movzbl (%rax),%eax
33: 38 d0 cmp %dl,%al
35: 7f 08 jg 0x3f
37: 84 c0 test %al,%al
39: 0f 85 55 02 00 00 jne 0x294
3f: 41 rex.B


Tested on:

commit: 41bccc98 Linux 6.8-rc2
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=101b23a0180000
kernel config: https://syzkaller.appspot.com/x/.config?x=b168fa511db3ca08
dashboard link: https://syzkaller.appspot.com/bug?extid=2373f6be3e6de4f92562
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11c61befe80000

Edward Adam Davis

Jan 29, 2024, 9:16:04 PM
to syzbot+2373f6...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
please test task hung in blk_trace_remove

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index d5d94510afd3..ce5a1ed01d64 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -320,14 +320,16 @@ static void blk_trace_free(struct request_queue *q, struct blk_trace *bt)
* under 'q->debugfs_dir', thus lookup and remove them.
*/
if (!bt->dir) {
- debugfs_lookup_and_remove("dropped", q->debugfs_dir);
- debugfs_lookup_and_remove("msg", q->debugfs_dir);
+ struct dentry *debugfs_dir = q ? q->debugfs_dir : bt->debugfs_dir;
+
+ debugfs_lookup_and_remove("dropped", debugfs_dir);
+ debugfs_lookup_and_remove("msg", debugfs_dir);
} else {
debugfs_remove(bt->dir);
}
free_percpu(bt->sequence);
free_percpu(bt->msg_data);
- kfree(bt);
+ kfree_rcu(bt);
}

static void get_probe_ref(void)
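Review bot: `kfree_rcu(bt)` on the last changed line does not build on current mainline: the single-argument form was removed (the two-argument form is kfree_rcu(bt, rcu); the old one-argument behaviour is spelled kfree_rcu_mightsleep()), which is the "requires 2 arguments" error syzbot reports below. Beyond the compile error, blk_trace_free() is now reached from blk_trace_rcu_free() (next hunk), i.e. from inside bt's own RCU callback, so deferring the kfree() a second time only adds another grace period for no benefit; the original kfree(bt) is the right call in that path.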
@@ -377,12 +379,25 @@ static int blk_trace_stop(struct blk_trace *bt)
return 0;
}

+static void blk_trace_rcu_free(struct rcu_head *rcu)
+{
+ struct blk_trace *bt;
+
+ bt = container_of(rcu, struct blk_trace, rcu);
+ if (bt) {
+ blk_trace_free(NULL, bt);
+ put_probe_ref();
+ }
+}
+
static void blk_trace_cleanup(struct request_queue *q, struct blk_trace *bt)
{
blk_trace_stop(bt);
- synchronize_rcu();
- blk_trace_free(q, bt);
- put_probe_ref();
+ if (!bt->dir)
+ bt->debugfs_dir = q->debugfs_dir;
+ mutex_unlock(&q->debugfs_mutex);
+ call_rcu(&bt->rcu, blk_trace_rcu_free);
+ mutex_lock(&q->debugfs_mutex);
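Review bot: the mutex_unlock()/mutex_lock() pair around call_rcu() has no effect on the problem: call_rcu() only enqueues the callback and returns, and blk_trace_rcu_free() still runs later from rcu_core() in softirq regardless of who holds q->debugfs_mutex, so relay_close() still sleeps in atomic context exactly as in the previous test result. Dropping a mutex inside a helper whose callers entered holding it (blk_trace_remove takes q->debugfs_mutex before __blk_trace_remove → blk_trace_cleanup, per the frames in the report) also opens a window for a concurrent blk_trace_setup() mid-teardown. The hunk is also cut off after the mutex_lock() line, so the closing brace and trailing context are missing from what was posted.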

syzbot

Jan 30, 2024, 1:40:05 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

kernel/trace/blktrace.c:332:21: error: macro "kfree_rcu" requires 2 arguments, but only 1 given
kernel/trace/blktrace.c:332:9: error: 'kfree_rcu' undeclared (first use in this function)


Tested on:

commit: 861c0981 Merge tag 'jfs-6.8-rc3' of github.com:kleikam..
kernel config: https://syzkaller.appspot.com/x/.config?x=4059ab9bf06b6ceb
dashboard link: https://syzkaller.appspot.com/bug?extid=2373f6be3e6de4f92562
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17512a0fe80000

Edward Adam Davis

Jan 30, 2024, 1:48:53 AM
to syzbot+2373f6...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
please test task hung in blk_trace_remove

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index d5d94510afd3..ff52ad6c7bf2 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -320,8 +320,10 @@ static void blk_trace_free(struct request_queue *q, struct blk_trace *bt)
* under 'q->debugfs_dir', thus lookup and remove them.
*/
if (!bt->dir) {
- debugfs_lookup_and_remove("dropped", q->debugfs_dir);
- debugfs_lookup_and_remove("msg", q->debugfs_dir);
+ struct dentry *debugfs_dir = q ? q->debugfs_dir : bt->debugfs_dir;
+
+ debugfs_lookup_and_remove("dropped", debugfs_dir);
+ debugfs_lookup_and_remove("msg", debugfs_dir);
} else {
debugfs_remove(bt->dir);
}
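Review bot: the `q ? q->debugfs_dir : bt->debugfs_dir` fallback removes the NULL dereference when blk_trace_free() is called with q == NULL from the RCU callback, but it does not address the underlying problem: blk_trace_free() still calls relay_close() (blktrace.c:316 in the result that follows) and debugfs_lookup_and_remove(), both of which take sleeping locks, and an RCU callback runs in softirq context where sleeping is not permitted. Keep the relay and debugfs teardown in blk_trace_cleanup() before call_rcu() and defer only free_percpu()/kfree() to the callback. Also, bt->debugfs_dir and bt->rcu are new struct blk_trace members, and the header change adding them is not part of this diff.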

syzbot

Jan 30, 2024, 2:55:05 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: sleeping function called from invalid context in relay_close

BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5647, name: syz-executor.2
preempt_count: 101, expected: 0
RCU nest depth: 0, expected: 0
2 locks held by syz-executor.2/5647:
#0: ffff8880293260e0 (&type->s_umount_key#46){+.+.}-{3:3}, at: __super_lock fs/super.c:56 [inline]
#0: ffff8880293260e0 (&type->s_umount_key#46){+.+.}-{3:3}, at: __super_lock_excl fs/super.c:71 [inline]
#0: ffff8880293260e0 (&type->s_umount_key#46){+.+.}-{3:3}, at: deactivate_super+0xd6/0x100 fs/super.c:509
#1: ffffffff8d1acac0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
#1: ffffffff8d1acac0 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2184 [inline]
#1: ffffffff8d1acac0 (rcu_callback){....}-{0:0}, at: rcu_core+0x7bd/0x1680 kernel/rcu/tree.c:2465
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 0 PID: 5647 Comm: syz-executor.2 Not tainted 6.8.0-rc2-syzkaller-g861c0981648f-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
__might_resched+0x3c3/0x5e0 kernel/sched/core.c:10176
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0xe2/0x9d0 kernel/locking/mutex.c:752
relay_close kernel/relay.c:760 [inline]
relay_close+0x36/0x5d0 kernel/relay.c:752
blk_trace_free+0x37/0x190 kernel/trace/blktrace.c:316
blk_trace_rcu_free+0x22/0x30 kernel/trace/blktrace.c:388
rcu_do_batch kernel/rcu/tree.c:2190 [inline]
rcu_core+0x819/0x1680 kernel/rcu/tree.c:2465
__do_softirq+0x21a/0x8de kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu kernel/softirq.c:632 [inline]
irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x31/0x70 kernel/locking/spinlock.c:194
debug_object_activate+0x349/0x540 lib/debugobjects.c:726
debug_rcu_head_queue kernel/rcu/rcu.h:227 [inline]
__call_rcu_common.constprop.0+0x2c/0x7b0 kernel/rcu/tree.c:2700
security_inode_free+0x9e/0xc0 security/security.c:1616
__destroy_inode+0x1f8/0x740 fs/inode.c:285
destroy_inode+0x91/0x1b0 fs/inode.c:308
iput_final fs/inode.c:1739 [inline]
iput.part.0+0x560/0x7b0 fs/inode.c:1765
iput+0x5c/0x80 fs/inode.c:1755
dentry_unlink_inode+0x292/0x430 fs/dcache.c:400
__dentry_kill+0x1ca/0x5f0 fs/dcache.c:603
shrink_kill fs/dcache.c:1048 [inline]
shrink_dentry_list+0x140/0x5d0 fs/dcache.c:1075
shrink_dcache_parent+0xe2/0x530 fs/dcache.c:1509
do_one_tree fs/dcache.c:1538 [inline]
shrink_dcache_for_umount+0x79/0x390 fs/dcache.c:1555
generic_shutdown_super+0x76/0x3d0 fs/super.c:624
kill_anon_super fs/super.c:1230 [inline]
kill_litter_super+0x70/0xa0 fs/super.c:1240
binderfs_kill_super+0x3b/0xa0 drivers/android/binderfs.c:781
deactivate_locked_super+0xbc/0x1a0 fs/super.c:477
deactivate_super+0xde/0x100 fs/super.c:510
cleanup_mnt+0x222/0x450 fs/namespace.c:1267
task_work_run+0x14d/0x240 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa8a/0x2ad0 kernel/exit.c:871
do_group_exit+0xd4/0x2a0 kernel/exit.c:1020
get_signal+0x23b5/0x2790 kernel/signal.c:2893
arch_do_signal_or_restart+0x90/0x7f0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:105 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:201 [inline]
syscall_exit_to_user_mode+0x156/0x2b0 kernel/entry/common.c:212
do_syscall_64+0xe0/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f403447cda9
</TASK>

=============================
[ BUG: Invalid wait context ]
6.8.0-rc2-syzkaller-g861c0981648f-dirty #0 Tainted: G W
-----------------------------
syz-executor.2/5647 is trying to lock:
ffffffff8d21c348 (relay_channels_mutex){+.+.}-{3:3}, at: relay_close kernel/relay.c:760 [inline]
ffffffff8d21c348 (relay_channels_mutex){+.+.}-{3:3}, at: relay_close+0x36/0x5d0 kernel/relay.c:752
other info that might help us debug this:
context-{2:2}
2 locks held by syz-executor.2/5647:
#0: ffff8880293260e0 (&type->s_umount_key#46){+.+.}-{3:3}, at: __super_lock fs/super.c:56 [inline]
#0: ffff8880293260e0 (&type->s_umount_key#46){+.+.}-{3:3}, at: __super_lock_excl fs/super.c:71 [inline]
#0: ffff8880293260e0 (&type->s_umount_key#46){+.+.}-{3:3}, at: deactivate_super+0xd6/0x100 fs/super.c:509
#1: ffffffff8d1acac0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
#1: ffffffff8d1acac0 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2184 [inline]
#1: ffffffff8d1acac0 (rcu_callback){....}-{0:0}, at: rcu_core+0x7bd/0x1680 kernel/rcu/tree.c:2465
stack backtrace:
CPU: 0 PID: 5647 Comm: syz-executor.2 Tainted: G W 6.8.0-rc2-syzkaller-g861c0981648f-dirty #0
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x31/0x70 kernel/locking/spinlock.c:194
debug_object_activate+0x349/0x540 lib/debugobjects.c:726
debug_rcu_head_queue kernel/rcu/rcu.h:227 [inline]
__call_rcu_common.constprop.0+0x2c/0x7b0 kernel/rcu/tree.c:2700
security_inode_free+0x9e/0xc0 security/security.c:1616
__destroy_inode+0x1f8/0x740 fs/inode.c:285
destroy_inode+0x91/0x1b0 fs/inode.c:308
iput_final fs/inode.c:1739 [inline]
iput.part.0+0x560/0x7b0 fs/inode.c:1765
iput+0x5c/0x80 fs/inode.c:1755
dentry_unlink_inode+0x292/0x430 fs/dcache.c:400
__dentry_kill+0x1ca/0x5f0 fs/dcache.c:603
shrink_kill fs/dcache.c:1048 [inline]
shrink_dentry_list+0x140/0x5d0 fs/dcache.c:1075
shrink_dcache_parent+0xe2/0x530 fs/dcache.c:1509
do_one_tree fs/dcache.c:1538 [inline]
shrink_dcache_for_umount+0x79/0x390 fs/dcache.c:1555
generic_shutdown_super+0x76/0x3d0 fs/super.c:624
kill_anon_super fs/super.c:1230 [inline]
kill_litter_super+0x70/0xa0 fs/super.c:1240
binderfs_kill_super+0x3b/0xa0 drivers/android/binderfs.c:781
deactivate_locked_super+0xbc/0x1a0 fs/super.c:477
deactivate_super+0xde/0x100 fs/super.c:510
cleanup_mnt+0x222/0x450 fs/namespace.c:1267
task_work_run+0x14d/0x240 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa8a/0x2ad0 kernel/exit.c:871
do_group_exit+0xd4/0x2a0 kernel/exit.c:1020
get_signal+0x23b5/0x2790 kernel/signal.c:2893
arch_do_signal_or_restart+0x90/0x7f0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:105 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:201 [inline]
syscall_exit_to_user_mode+0x156/0x2b0 kernel/entry/common.c:212
do_syscall_64+0xe0/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f403447cda9
</TASK>
BUG: sleeping function called from invalid context at kernel/irq_work.c:289
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 5647, name: syz-executor.2
preempt_count: 101, expected: 0
RCU nest depth: 0, expected: 0
INFO: lockdep is turned off.
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 0 PID: 5647 Comm: syz-executor.2 Tainted: G W 6.8.0-rc2-syzkaller-g861c0981648f-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
__might_resched+0x3c3/0x5e0 kernel/sched/core.c:10176
irq_work_sync+0x8e/0x2f0 kernel/irq_work.c:289
relay_close_buf+0x53/0x1b0 kernel/relay.c:428
relay_close kernel/relay.c:766 [inline]
relay_close+0x3a8/0x5d0 kernel/relay.c:752
blk_trace_free+0x37/0x190 kernel/trace/blktrace.c:316
blk_trace_rcu_free+0x22/0x30 kernel/trace/blktrace.c:388
rcu_do_batch kernel/rcu/tree.c:2190 [inline]
rcu_core+0x819/0x1680 kernel/rcu/tree.c:2465
__do_softirq+0x21a/0x8de kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu kernel/softirq.c:632 [inline]
irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x31/0x70 kernel/locking/spinlock.c:194
debug_object_activate+0x349/0x540 lib/debugobjects.c:726
debug_rcu_head_queue kernel/rcu/rcu.h:227 [inline]
__call_rcu_common.constprop.0+0x2c/0x7b0 kernel/rcu/tree.c:2700
security_inode_free+0x9e/0xc0 security/security.c:1616
__destroy_inode+0x1f8/0x740 fs/inode.c:285
destroy_inode+0x91/0x1b0 fs/inode.c:308
iput_final fs/inode.c:1739 [inline]
iput.part.0+0x560/0x7b0 fs/inode.c:1765
iput+0x5c/0x80 fs/inode.c:1755
dentry_unlink_inode+0x292/0x430 fs/dcache.c:400
__dentry_kill+0x1ca/0x5f0 fs/dcache.c:603
shrink_kill fs/dcache.c:1048 [inline]
shrink_dentry_list+0x140/0x5d0 fs/dcache.c:1075
shrink_dcache_parent+0xe2/0x530 fs/dcache.c:1509
do_one_tree fs/dcache.c:1538 [inline]
shrink_dcache_for_umount+0x79/0x390 fs/dcache.c:1555
generic_shutdown_super+0x76/0x3d0 fs/super.c:624
kill_anon_super fs/super.c:1230 [inline]
kill_litter_super+0x70/0xa0 fs/super.c:1240
binderfs_kill_super+0x3b/0xa0 drivers/android/binderfs.c:781
deactivate_locked_super+0xbc/0x1a0 fs/super.c:477
deactivate_super+0xde/0x100 fs/super.c:510
cleanup_mnt+0x222/0x450 fs/namespace.c:1267
task_work_run+0x14d/0x240 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa8a/0x2ad0 kernel/exit.c:871
do_group_exit+0xd4/0x2a0 kernel/exit.c:1020
get_signal+0x23b5/0x2790 kernel/signal.c:2893
arch_do_signal_or_restart+0x90/0x7f0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:105 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:201 [inline]
syscall_exit_to_user_mode+0x156/0x2b0 kernel/entry/common.c:212
do_syscall_64+0xe0/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f403447cda9
</TASK>
------------[ cut here ]------------
kernel BUG at mm/vmalloc.c:2864!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5647 Comm: syz-executor.2 Tainted: G W 6.8.0-rc2-syzkaller-g861c0981648f-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:vunmap+0x77/0xa0 mm/vmalloc.c:2864
Call Trace:
<IRQ>
relay_destroy_buf+0x6e/0x3e0 kernel/relay.c:199
relay_remove_buf kernel/relay.c:221 [inline]
kref_put include/linux/kref.h:65 [inline]
relay_close_buf+0x153/0x1b0 kernel/relay.c:430
relay_close kernel/relay.c:766 [inline]
relay_close+0x3a8/0x5d0 kernel/relay.c:752
blk_trace_free+0x37/0x190 kernel/trace/blktrace.c:316
blk_trace_rcu_free+0x22/0x30 kernel/trace/blktrace.c:388
rcu_do_batch kernel/rcu/tree.c:2190 [inline]
rcu_core+0x819/0x1680 kernel/rcu/tree.c:2465
__do_softirq+0x21a/0x8de kernel/softirq.c:553
invoke_softirq kernel/softirq.c:427 [inline]
__irq_exit_rcu kernel/softirq.c:632 [inline]
irq_exit_rcu+0xb7/0x120 kernel/softirq.c:644
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1076
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x31/0x70 kernel/locking/spinlock.c:194
debug_object_activate+0x349/0x540 lib/debugobjects.c:726
debug_rcu_head_queue kernel/rcu/rcu.h:227 [inline]
__call_rcu_common.constprop.0+0x2c/0x7b0 kernel/rcu/tree.c:2700
security_inode_free+0x9e/0xc0 security/security.c:1616
__destroy_inode+0x1f8/0x740 fs/inode.c:285
destroy_inode+0x91/0x1b0 fs/inode.c:308
iput_final fs/inode.c:1739 [inline]
iput.part.0+0x560/0x7b0 fs/inode.c:1765
iput+0x5c/0x80 fs/inode.c:1755
dentry_unlink_inode+0x292/0x430 fs/dcache.c:400
__dentry_kill+0x1ca/0x5f0 fs/dcache.c:603
shrink_kill fs/dcache.c:1048 [inline]
shrink_dentry_list+0x140/0x5d0 fs/dcache.c:1075
shrink_dcache_parent+0xe2/0x530 fs/dcache.c:1509
do_one_tree fs/dcache.c:1538 [inline]
shrink_dcache_for_umount+0x79/0x390 fs/dcache.c:1555
generic_shutdown_super+0x76/0x3d0 fs/super.c:624
kill_anon_super fs/super.c:1230 [inline]
kill_litter_super+0x70/0xa0 fs/super.c:1240
binderfs_kill_super+0x3b/0xa0 drivers/android/binderfs.c:781
deactivate_locked_super+0xbc/0x1a0 fs/super.c:477
deactivate_super+0xde/0x100 fs/super.c:510
cleanup_mnt+0x222/0x450 fs/namespace.c:1267
task_work_run+0x14d/0x240 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa8a/0x2ad0 kernel/exit.c:871
do_group_exit+0xd4/0x2a0 kernel/exit.c:1020
get_signal+0x23b5/0x2790 kernel/signal.c:2893
arch_do_signal_or_restart+0x90/0x7f0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:105 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:201 [inline]
syscall_exit_to_user_mode+0x156/0x2b0 kernel/entry/common.c:212
do_syscall_64+0xe0/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f403447cda9
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:vunmap+0x77/0xa0 mm/vmalloc.c:2864


Tested on:

commit: 861c0981 Merge tag 'jfs-6.8-rc3' of github.com:kleikam..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1562e290180000
kernel config: https://syzkaller.appspot.com/x/.config?x=b168fa511db3ca08
dashboard link: https://syzkaller.appspot.com/bug?extid=2373f6be3e6de4f92562
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=101a1d5be80000

Edward Adam Davis

Jan 30, 2024, 3:37:59 AM
to syzbot+2373f6...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
please test task hung in blk_trace_remove

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index d5d94510afd3..9575f19d390d 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -330,6 +330,23 @@ static void blk_trace_free(struct request_queue *q, struct blk_trace *bt)
kfree(bt);
}

+static void blk_trace_free_rcu(struct blk_trace *bt)
+{
+ /*
+ * If 'bt->dir' is not set, then both 'dropped' and 'msg' are created
+ * under 'q->debugfs_dir', thus lookup and remove them.
+ */
+ if (!bt->dir) {
+ debugfs_lookup_and_remove("dropped", bt->debugfs_dir);
+ debugfs_lookup_and_remove("msg", bt->debugfs_dir);
+ } else {
+ debugfs_remove(bt->dir);
+ }
+ free_percpu(bt->sequence);
+ free_percpu(bt->msg_data);
+ kfree(bt);
+}
+
static void get_probe_ref(void)
{
mutex_lock(&blk_probe_mutex);
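Review bot: blk_trace_free_rcu() is intended to run from the RCU callback (softirq context), but debugfs_lookup_and_remove() and debugfs_remove() both take sleeping locks (debugfs_remove() goes through simple_pin_fs() and inode_lock(), as the syzbot result that follows shows), so they cannot be called from there. Restrict this helper to free_percpu(bt->sequence), free_percpu(bt->msg_data) and kfree(bt), and do the debugfs removal in blk_trace_cleanup() before call_rcu(). The helper also duplicates the body of blk_trace_free() directly above it; have blk_trace_free() call it for the common tail so the two do not drift apart.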
@@ -377,12 +394,26 @@ static int blk_trace_stop(struct blk_trace *bt)
return 0;
}

+static void blk_trace_rcu_free(struct rcu_head *rcu)
+{
+ struct blk_trace *bt;
+
+ bt = container_of(rcu, struct blk_trace, rcu);
+ if (bt) {
+ blk_trace_free_rcu(bt);
+ put_probe_ref();
+ }
+}
+
static void blk_trace_cleanup(struct request_queue *q, struct blk_trace *bt)
{
blk_trace_stop(bt);
- synchronize_rcu();
- blk_trace_free(q, bt);
- put_probe_ref();
+ if (!bt->dir)
+ bt->debugfs_dir = q->debugfs_dir;
+ mutex_unlock(&q->debugfs_mutex);
+ relay_close(bt->rchan);
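Review bot: `+ mutex_unlock(&q->debugfs_mutex);` drops a lock inside blk_trace_cleanup() that the caller acquired, and the hunk as shown ends before any matching mutex_lock(), so it is not visible whether the mutex is held again when the function returns; a caller that unlocks after return would then release an unheld mutex. Either keep the lock handoff symmetric within this function and document it in a comment above blk_trace_cleanup(), or restructure so relay_close() does not require dropping the mutex here. Minor: the `if (bt)` test after container_of() is always true and can be dropped.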

syzbot

Jan 30, 2024, 4:18:07 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
inconsistent lock state in simple_pin_fs

================================
WARNING: inconsistent lock state
6.8.0-rc2-syzkaller-g861c0981648f-dirty #0 Not tainted
--------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
kworker/u4:1/12 [HC0[0]:SC1[1]:HE1:SE0] takes:
ffffffff8d38c8d8 (pin_fs_lock){+.?.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffffffff8d38c8d8 (pin_fs_lock){+.?.}-{2:2}, at: simple_pin_fs+0x26/0x190 fs/libfs.c:978
{SOFTIRQ-ON-W} state was registered at:
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1ae/0x520 kernel/locking/lockdep.c:5719
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
simple_pin_fs+0x26/0x190 fs/libfs.c:978
securityfs_create_dentry+0x74/0x4c0 security/inode.c:121
securityfs_create_file security/inode.c:204 [inline]
securityfs_init+0x9d/0x100 security/inode.c:345
do_one_initcall+0x11c/0x650 init/main.c:1236
do_initcall_level init/main.c:1298 [inline]
do_initcalls init/main.c:1314 [inline]
do_basic_setup init/main.c:1333 [inline]
kernel_init_freeable+0x687/0xc10 init/main.c:1551
kernel_init+0x1c/0x2a0 init/main.c:1441
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
irq event stamp: 4567394
hardirqs last enabled at (4567394): [<ffffffff8a91ffae>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last enabled at (4567394): [<ffffffff8a91ffae>] _raw_spin_unlock_irqrestore+0x4e/0x70 kernel/locking/spinlock.c:194
hardirqs last disabled at (4567393): [<ffffffff8a91fd5e>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (4567393): [<ffffffff8a91fd5e>] _raw_spin_lock_irqsave+0x4e/0x50 kernel/locking/spinlock.c:162
softirqs last enabled at (4567282): [<ffffffff89e2f8fc>] spin_unlock_bh include/linux/spinlock.h:396 [inline]
softirqs last enabled at (4567282): [<ffffffff89e2f8fc>] cfg80211_inform_single_bss_frame_data+0x96c/0x12c0 net/wireless/scan.c:3039
softirqs last disabled at (4567283): [<ffffffff814ff74a>] do_softirq kernel/softirq.c:454 [inline]
softirqs last disabled at (4567283): [<ffffffff814ff74a>] do_softirq+0xaa/0xe0 kernel/softirq.c:441

other info that might help us debug this:
Possible unsafe locking scenario:

CPU0
----
lock(pin_fs_lock);
<Interrupt>
lock(pin_fs_lock);

*** DEADLOCK ***

4 locks held by kworker/u4:1/12:
#0: ffff888013089938 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc90000117d80 ((work_completion)(&rdev->wiphy_work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffff88809d6f0768 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: wiphy_lock include/net/cfg80211.h:5928 [inline]
#2: ffff88809d6f0768 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: cfg80211_wiphy_work+0x2b/0x330 net/wireless/core.c:424
#3: ffffffff8d1acac0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
#3: ffffffff8d1acac0 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2184 [inline]
#3: ffffffff8d1acac0 (rcu_callback){....}-{0:0}, at: rcu_core+0x7bd/0x1680 kernel/rcu/tree.c:2465

stack backtrace:
CPU: 0 PID: 12 Comm: kworker/u4:1 Not tainted 6.8.0-rc2-syzkaller-g861c0981648f-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: events_unbound cfg80211_wiphy_work
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_usage_bug kernel/locking/lockdep.c:3971 [inline]
valid_state kernel/locking/lockdep.c:4013 [inline]
mark_lock_irq kernel/locking/lockdep.c:4216 [inline]
mark_lock+0x91a/0xc50 kernel/locking/lockdep.c:4678
mark_usage kernel/locking/lockdep.c:4567 [inline]
__lock_acquire+0x13f6/0x3b30 kernel/locking/lockdep.c:5091
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1ae/0x520 kernel/locking/lockdep.c:5719
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
simple_pin_fs+0x26/0x190 fs/libfs.c:978
debugfs_remove+0x4e/0x80 fs/debugfs/inode.c:811
blk_trace_free_rcu kernel/trace/blktrace.c:343 [inline]
blk_trace_rcu_free+0x57/0x150 kernel/trace/blktrace.c:403
rcu_do_batch kernel/rcu/tree.c:2190 [inline]
rcu_core+0x819/0x1680 kernel/rcu/tree.c:2465
__do_softirq+0x21a/0x8de kernel/softirq.c:553
do_softirq kernel/softirq.c:454 [inline]
do_softirq+0xaa/0xe0 kernel/softirq.c:441
</IRQ>
<TASK>
__local_bh_enable_ip+0xfc/0x120 kernel/softirq.c:381
spin_unlock_bh include/linux/spinlock.h:396 [inline]
cfg80211_inform_single_bss_frame_data+0x96c/0x12c0 net/wireless/scan.c:3039
cfg80211_inform_bss_frame_data+0x14c/0x350 net/wireless/scan.c:3068
ieee80211_bss_info_update+0x311/0xab0 net/mac80211/scan.c:226
ieee80211_rx_bss_info net/mac80211/ibss.c:1098 [inline]
ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1577 [inline]
ieee80211_ibss_rx_queued_mgmt+0x1973/0x30e0 net/mac80211/ibss.c:1604
ieee80211_iface_process_skb net/mac80211/iface.c:1589 [inline]
ieee80211_iface_work+0xa67/0xda0 net/mac80211/iface.c:1643
cfg80211_wiphy_work+0x24e/0x330 net/wireless/core.c:437
process_one_work+0x886/0x15d0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787
kthread+0x2c6/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
</TASK>
BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1578
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 12, name: kworker/u4:1
preempt_count: 101, expected: 0
RCU nest depth: 0, expected: 0
INFO: lockdep is turned off.
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 0 PID: 12 Comm: kworker/u4:1 Not tainted 6.8.0-rc2-syzkaller-g861c0981648f-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: events_unbound cfg80211_wiphy_work
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
__might_resched+0x3c3/0x5e0 kernel/sched/core.c:10176
down_write+0x19/0x50 kernel/locking/rwsem.c:1578
inode_lock include/linux/fs.h:802 [inline]
simple_recursive_removal+0x171/0x850 fs/libfs.c:528
debugfs_remove+0x5d/0x80 fs/debugfs/inode.c:812
blk_trace_free_rcu kernel/trace/blktrace.c:343 [inline]
blk_trace_rcu_free+0x57/0x150 kernel/trace/blktrace.c:403
rcu_do_batch kernel/rcu/tree.c:2190 [inline]
rcu_core+0x819/0x1680 kernel/rcu/tree.c:2465
__do_softirq+0x21a/0x8de kernel/softirq.c:553
do_softirq kernel/softirq.c:454 [inline]
do_softirq+0xaa/0xe0 kernel/softirq.c:441
</IRQ>
<TASK>
__local_bh_enable_ip+0xfc/0x120 kernel/softirq.c:381
spin_unlock_bh include/linux/spinlock.h:396 [inline]
cfg80211_inform_single_bss_frame_data+0x96c/0x12c0 net/wireless/scan.c:3039
cfg80211_inform_bss_frame_data+0x14c/0x350 net/wireless/scan.c:3068
ieee80211_bss_info_update+0x311/0xab0 net/mac80211/scan.c:226
ieee80211_rx_bss_info net/mac80211/ibss.c:1098 [inline]
ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1577 [inline]
ieee80211_ibss_rx_queued_mgmt+0x1973/0x30e0 net/mac80211/ibss.c:1604
ieee80211_iface_process_skb net/mac80211/iface.c:1589 [inline]
ieee80211_iface_work+0xa67/0xda0 net/mac80211/iface.c:1643
cfg80211_wiphy_work+0x24e/0x330 net/wireless/core.c:437
process_one_work+0x886/0x15d0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787
kthread+0x2c6/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
</TASK>
BUG: scheduling while atomic: kworker/u4:1/12/0x00000102
INFO: lockdep is turned off.
Modules linked in:
Preemption disabled at:
[<0000000000000000>] 0x0


Tested on:

commit: 861c0981 Merge tag 'jfs-6.8-rc3' of github.com:kleikam..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=13751c2fe80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b168fa511db3ca08
dashboard link: https://syzkaller.appspot.com/bug?extid=2373f6be3e6de4f92562
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=15288adfe80000

Edward Adam Davis

Jan 30, 2024, 4:56:35 AM
to syzbot+2373f6...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
please test task hung in blk_trace_remove

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index d5d94510afd3..f0d55e9b0fc4 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -330,6 +330,13 @@ static void blk_trace_free(struct request_queue *q, struct blk_trace *bt)
kfree(bt);
}

+static void blk_trace_free_rcu(struct blk_trace *bt)
+{
+ free_percpu(bt->sequence);
+ free_percpu(bt->msg_data);
+ kfree(bt);
+}
+
static void get_probe_ref(void)
{
mutex_lock(&blk_probe_mutex);
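Review bot: blk_trace_free_rcu() is now the last three lines of blk_trace_free() above it, verbatim; have blk_trace_free() call blk_trace_free_rcu() after its debugfs teardown so there is a single place that frees the per-cpu buffers and the struct. The naming pair blk_trace_free_rcu() (frees memory) and blk_trace_rcu_free() (the rcu_head callback) is also easy to confuse; a name such as blk_trace_free_mem() for this one would make the split clearer.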
@@ -377,12 +384,36 @@ static int blk_trace_stop(struct blk_trace *bt)
return 0;
}

+static void blk_trace_rcu_free(struct rcu_head *rcu)
+{
+ struct blk_trace *bt;
+
+ bt = container_of(rcu, struct blk_trace, rcu);
+ if (bt) {
+ blk_trace_free_rcu(bt);
+ put_probe_ref();
+ }
+}
+
static void blk_trace_cleanup(struct request_queue *q, struct blk_trace *bt)
{
blk_trace_stop(bt);
- synchronize_rcu();
- blk_trace_free(q, bt);
- put_probe_ref();
+ if (!bt->dir)
+ bt->debugfs_dir = q->debugfs_dir;
+ mutex_unlock(&q->debugfs_mutex);
+ relay_close(bt->rchan);
+ /*
+ * If 'bt->dir' is not set, then both 'dropped' and 'msg' are created
+ * under 'q->debugfs_dir', thus lookup and remove them.
+ */
+ if (!bt->dir) {
+ debugfs_lookup_and_remove("dropped", bt->debugfs_dir);
+ debugfs_lookup_and_remove("msg", bt->debugfs_dir);
+ } else {
+ debugfs_remove(bt->dir);
+ }

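Review bot: blk_trace_rcu_free() calls put_probe_ref() from an RCU callback, and put_probe_ref() takes blk_probe_mutex (its sibling get_probe_ref() in the previous hunk's context does mutex_lock(&blk_probe_mutex)); RCU callbacks run from softirq context, where a mutex cannot be taken, so this cannot work as written. Keep put_probe_ref() in blk_trace_cleanup() after the teardown and defer only the memory frees. Two smaller points in the same hunk: the `if (bt)` after container_of() can never be false, since the rcu_head passed to a callback is never NULL; and mutex_unlock(&q->debugfs_mutex) inside blk_trace_cleanup() releases a lock this function did not take, so the caller that holds it must no longer unlock it, which at least deserves a comment. The remainder of the hunk is cut off here, so the call_rcu() meant to pair with the new callback and any re-lock of q->debugfs_mutex cannot be checked.
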
syzbot

Jan 30, 2024, 5:21:04 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: sleeping function called from invalid context in put_probe_ref

BUG: sleeping function called from invalid context at kernel/locking/mutex.c:585
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 16, name: ksoftirqd/0
preempt_count: 100, expected: 0
RCU nest depth: 0, expected: 0
1 lock held by ksoftirqd/0/16:
#0: ffffffff8d1acac0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
#0: ffffffff8d1acac0 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2184 [inline]
#0: ffffffff8d1acac0 (rcu_callback){....}-{0:0}, at: rcu_core+0x7bd/0x1680 kernel/rcu/tree.c:2465
Preemption disabled at:
[<ffffffff8a922753>] softirq_handle_begin kernel/softirq.c:394 [inline]
[<ffffffff8a922753>] __do_softirq+0x123/0x8de kernel/softirq.c:529
CPU: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.8.0-rc2-syzkaller-g861c0981648f-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x125/0x1b0 lib/dump_stack.c:106
__might_resched+0x3c3/0x5e0 kernel/sched/core.c:10176
__mutex_lock_common kernel/locking/mutex.c:585 [inline]
__mutex_lock+0xe2/0x9d0 kernel/locking/mutex.c:752
put_probe_ref+0x14/0x1b0 kernel/trace/blktrace.c:350
blk_trace_rcu_free+0x71/0x90 kernel/trace/blktrace.c:394
rcu_do_batch kernel/rcu/tree.c:2190 [inline]
rcu_core+0x819/0x1680 kernel/rcu/tree.c:2465
__do_softirq+0x21a/0x8de kernel/softirq.c:553
run_ksoftirqd kernel/softirq.c:921 [inline]
run_ksoftirqd+0x31/0x60 kernel/softirq.c:913
smpboot_thread_fn+0x660/0xa10 kernel/smpboot.c:164
kthread+0x2c6/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
</TASK>

=============================
[ BUG: Invalid wait context ]
6.8.0-rc2-syzkaller-g861c0981648f-dirty #0 Tainted: G W
-----------------------------
ksoftirqd/0/16 is trying to lock:
ffffffff8d22fa28 (blk_probe_mutex){+.+.}-{3:3}, at: put_probe_ref+0x14/0x1b0 kernel/trace/blktrace.c:350
other info that might help us debug this:
context-{2:2}
1 lock held by ksoftirqd/0/16:
#0: ffffffff8d1acac0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
#0: ffffffff8d1acac0 (rcu_callback){....}-{0:0}, at: rcu_do_batch kernel/rcu/tree.c:2184 [inline]
#0: ffffffff8d1acac0 (rcu_callback){....}-{0:0}, at: rcu_core+0x7bd/0x1680 kernel/rcu/tree.c:2465
stack backtrace:
CPU: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G W 6.8.0-rc2-syzkaller-g861c0981648f-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
print_lock_invalid_wait_context kernel/locking/lockdep.c:4751 [inline]
check_wait_context kernel/locking/lockdep.c:4821 [inline]
__lock_acquire+0x821/0x3b30 kernel/locking/lockdep.c:5087
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1ae/0x520 kernel/locking/lockdep.c:5719
__mutex_lock_common kernel/locking/mutex.c:608 [inline]
__mutex_lock+0x175/0x9d0 kernel/locking/mutex.c:752
put_probe_ref+0x14/0x1b0 kernel/trace/blktrace.c:350
blk_trace_rcu_free+0x71/0x90 kernel/trace/blktrace.c:394
rcu_do_batch kernel/rcu/tree.c:2190 [inline]
rcu_core+0x819/0x1680 kernel/rcu/tree.c:2465
__do_softirq+0x21a/0x8de kernel/softirq.c:553
run_ksoftirqd kernel/softirq.c:921 [inline]
run_ksoftirqd+0x31/0x60 kernel/softirq.c:913
smpboot_thread_fn+0x660/0xa10 kernel/smpboot.c:164
kthread+0x2c6/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
</TASK>
BUG: scheduling while atomic: ksoftirqd/0/16/0x00000101
INFO: lockdep is turned off.
Modules linked in:
Preemption disabled at:
[<ffffffff8a922753>] softirq_handle_begin kernel/softirq.c:394 [inline]
[<ffffffff8a922753>] __do_softirq+0x123/0x8de kernel/softirq.c:529


Tested on:

commit: 861c0981 Merge tag 'jfs-6.8-rc3' of github.com:kleikam..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=121ea1fde80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b168fa511db3ca08
dashboard link: https://syzkaller.appspot.com/bug?extid=2373f6be3e6de4f92562
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13151c40180000

Edward Adam Davis

Jan 30, 2024, 5:53:53 AM
to syzbot+2373f6...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
please test task hung in blk_trace_remove

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index d5d94510afd3..f3d02bf98a80 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -330,6 +330,13 @@ static void blk_trace_free(struct request_queue *q, struct blk_trace *bt)
kfree(bt);
}

+static void blk_trace_free_rcu(struct blk_trace *bt)
+{
+ free_percpu(bt->sequence);
+ free_percpu(bt->msg_data);
+ kfree(bt);
+}
+
static void get_probe_ref(void)
{
mutex_lock(&blk_probe_mutex);
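Review bot: the body of blk_trace_free_rcu() duplicates the tail of blk_trace_free() visible in the context above (free_percpu(bt->sequence); free_percpu(bt->msg_data); kfree(bt);), so the two will drift apart the next time a field is added to struct blk_trace. Either have blk_trace_free() call the new helper for its memory frees, or make the RCU callback the only place that frees memory and leave blk_trace_free() responsible for the relay channel and debugfs entries only.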
@@ -377,12 +384,36 @@ static int blk_trace_stop(struct blk_trace *bt)
return 0;
}

+static void blk_trace_rcu_free(struct rcu_head *rcu)
+{
+ struct blk_trace *bt;
+
+ bt = container_of(rcu, struct blk_trace, rcu);
+ if (bt) {
+ blk_trace_free_rcu(bt);
+ }
+}
+
static void blk_trace_cleanup(struct request_queue *q, struct blk_trace *bt)
{
blk_trace_stop(bt);
- synchronize_rcu();
- blk_trace_free(q, bt);
+ if (!bt->dir)
+ bt->debugfs_dir = q->debugfs_dir;
+ mutex_unlock(&q->debugfs_mutex);
+ relay_close(bt->rchan);
+ /*
+ * If 'bt->dir' is not set, then both 'dropped' and 'msg' are created
+ * under 'q->debugfs_dir', thus lookup and remove them.
+ */
+ if (!bt->dir) {
+ debugfs_lookup_and_remove("dropped", bt->debugfs_dir);
+ debugfs_lookup_and_remove("msg", bt->debugfs_dir);
+ } else {
+ debugfs_remove(bt->dir);
+ }
put_probe_ref();

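Review bot: dropping synchronize_rcu() while still calling relay_close(bt->rchan) and debugfs_remove() synchronously removes the grace period that protected everything reachable through bt, not only the three allocations now deferred to blk_trace_rcu_free(); a tracepoint probe that looked up q->blk_trace under rcu_read_lock() just before the pointer was cleared can still be writing into bt->rchan when relay_close() destroys it. Keep the synchronize_rcu() ahead of relay_close(), or defer the whole teardown to process context (relay_close() and debugfs_remove() can sleep, so they cannot move into the RCU callback either). Two further points: the `if (bt)` after container_of() is dead code, since the rcu_head handed to a callback is never NULL; and mutex_unlock(&q->debugfs_mutex) inside blk_trace_cleanup() drops a lock taken by the caller, which needs a comment or a __releases() annotation so nobody unlocks it twice. The hunk is cut off here, so the call_rcu() that should pair with the new callback is not visible.
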
syzbot

Jan 30, 2024, 6:41:06 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+2373f6...@syzkaller.appspotmail.com

Tested on:

commit: 861c0981 Merge tag 'jfs-6.8-rc3' of github.com:kleikam..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1742ec47e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b168fa511db3ca08
dashboard link: https://syzkaller.appspot.com/bug?extid=2373f6be3e6de4f92562
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=16171997e80000

Note: testing is done by a robot and is best-effort only.

Edward Adam Davis

Jan 30, 2024, 8:38:56 AM
to syzbot+2373f6...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
please test task hung in blk_trace_remove

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index d5d94510afd3..81e48f841764 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -327,7 +327,7 @@ static void blk_trace_free(struct request_queue *q, struct blk_trace *bt)
}
free_percpu(bt->sequence);
free_percpu(bt->msg_data);
- kfree(bt);
+ kfree_rcu(bt, rcu);
}

static void get_probe_ref(void)
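Review bot: kfree_rcu(bt, rcu) defers only the struct itself; free_percpu(bt->sequence) and free_percpu(bt->msg_data) on the two lines above still run immediately, as do the relay and debugfs teardown earlier in blk_trace_free(), so once the synchronize_rcu() in blk_trace_cleanup() is removed (next hunk) a reader that still holds bt can touch freed per-cpu memory before the grace period ends. If the aim is to stop blocking under q->debugfs_mutex, the whole free has to be deferred, not just the final kfree(); a call_rcu() callback that frees the per-cpu areas and hands the sleeping parts to a work item would do that.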
@@ -380,7 +380,6 @@ static int blk_trace_stop(struct blk_trace *bt)
static void blk_trace_cleanup(struct request_queue *q, struct blk_trace *bt)
{
blk_trace_stop(bt);
- synchronize_rcu();
blk_trace_free(q, bt);
put_probe_ref();
}
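Review bot: removing synchronize_rcu() here means nothing between blk_trace_stop(bt) and blk_trace_free(q, bt) waits for readers that already dereferenced q->blk_trace, and the kfree_rcu() in the other hunk covers the struct only while the two free_percpu() calls, relay_close() and the debugfs removal inside blk_trace_free() still run synchronously; keep the synchronize_rcu() unless every one of those is deferred as well. Note also that every task in the hung-task report below is blocked on q->debugfs_mutex in blk_trace_setup() or blk_trace_remove(), so shortening this critical section only helps if the holder is stuck in the grace period, which the trace does not show.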
diff --git a/include/linux/blktrace_api.h b/include/linux/blktrace_api.h
index 122c62e561fc..5f927328b7e6 100644
--- a/include/linux/blktrace_api.h
+++ b/include/linux/blktrace_api.h
@@ -26,6 +26,7 @@ struct blk_trace {
struct dentry *dir;
struct list_head running_list;
atomic_t dropped;

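Review bot: the hunk header promises one added line in struct blk_trace, but no `+` line is visible here, so the addition is cut off; kfree_rcu(bt, rcu) in kernel/trace/blktrace.c requires a `struct rcu_head` member literally named `rcu` in this struct, and that is what this hunk has to supply. Please repost with the complete hunk so the member and its placement can be reviewed.
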
syzbot

Jan 30, 2024, 11:03:07 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in blk_trace_setup

INFO: task syz-executor.4:5650 blocked for more than 143 seconds.
Not tainted 6.8.0-rc2-syzkaller-g861c0981648f-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.4 state:D stack:27776 pid:5650 tgid:5649 ppid:5434 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:647
sg_ioctl_common drivers/scsi/sg.c:1118 [inline]
sg_ioctl+0x669/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f406fc7cda9
RSP: 002b:00007f4070a040c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f406fdabf80 RCX: 00007f406fc7cda9
RDX: 0000000020000040 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007f406fcc947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f406fdabf80 R15: 00007ffc9ad00358
</TASK>
INFO: task syz-executor.4:5651 blocked for more than 143 seconds.
Not tainted 6.8.0-rc2-syzkaller-g861c0981648f-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.4 state:D stack:28480 pid:5651 tgid:5649 ppid:5434 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:405
sg_ioctl_common drivers/scsi/sg.c:1126 [inline]
sg_ioctl+0x9ac/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f406fc7cda9
RSP: 002b:00007f40709e30c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f406fdac050 RCX: 00007f406fc7cda9
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000003
RBP: 00007f406fcc947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f406fdac050 R15: 00007ffc9ad00358
</TASK>
INFO: task syz-executor.1:5653 blocked for more than 144 seconds.
Not tainted 6.8.0-rc2-syzkaller-g861c0981648f-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.1 state:D stack:27776 pid:5653 tgid:5652 ppid:5428 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:647
sg_ioctl_common drivers/scsi/sg.c:1118 [inline]
sg_ioctl+0x669/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f76ba07cda9
RSP: 002b:00007f76baed70c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f76ba1abf80 RCX: 00007f76ba07cda9
RDX: 0000000020000040 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007f76ba0c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f76ba1abf80 R15: 00007fffb67c90d8
</TASK>
INFO: task syz-executor.1:5655 blocked for more than 144 seconds.
Not tainted 6.8.0-rc2-syzkaller-g861c0981648f-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.1 state:D stack:29536 pid:5655 tgid:5652 ppid:5428 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:405
sg_ioctl_common drivers/scsi/sg.c:1126 [inline]
sg_ioctl+0x9ac/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f76ba07cda9
RSP: 002b:00007f76baeb60c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f76ba1ac050 RCX: 00007f76ba07cda9
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000003
RBP: 00007f76ba0c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f76ba1ac050 R15: 00007fffb67c90d8
</TASK>
INFO: task syz-executor.2:5662 blocked for more than 145 seconds.
Not tainted 6.8.0-rc2-syzkaller-g861c0981648f-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.2 state:D stack:27776 pid:5662 tgid:5660 ppid:5443 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:647
sg_ioctl_common drivers/scsi/sg.c:1118 [inline]
sg_ioctl+0x669/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7efebe87cda9
RSP: 002b:00007efebf5ca0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007efebe9abf80 RCX: 00007efebe87cda9
RDX: 0000000020000040 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007efebe8c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007efebe9abf80 R15: 00007ffd09f13438
</TASK>
INFO: task syz-executor.2:5663 blocked for more than 145 seconds.
Not tainted 6.8.0-rc2-syzkaller-g861c0981648f-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.2 state:D stack:29536 pid:5663 tgid:5660 ppid:5443 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:405
sg_ioctl_common drivers/scsi/sg.c:1126 [inline]
sg_ioctl+0x9ac/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7efebe87cda9
RSP: 002b:00007efebf5a90c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007efebe9ac050 RCX: 00007efebe87cda9
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000003
RBP: 00007efebe8c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007efebe9ac050 R15: 00007ffd09f13438
</TASK>
INFO: task syz-executor.0:5665 blocked for more than 145 seconds.
Not tainted 6.8.0-rc2-syzkaller-g861c0981648f-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:27776 pid:5665 tgid:5664 ppid:5435 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:647
sg_ioctl_common drivers/scsi/sg.c:1118 [inline]
sg_ioctl+0x669/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f640727cda9
RSP: 002b:00007f640802c0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f64073abf80 RCX: 00007f640727cda9
RDX: 0000000020000040 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007f64072c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f64073abf80 R15: 00007fff0e30aa68
</TASK>
INFO: task syz-executor.0:5667 blocked for more than 146 seconds.
Not tainted 6.8.0-rc2-syzkaller-g861c0981648f-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:29536 pid:5667 tgid:5664 ppid:5435 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:405
sg_ioctl_common drivers/scsi/sg.c:1126 [inline]
sg_ioctl+0x9ac/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f640727cda9
RSP: 002b:00007f640800b0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f64073ac050 RCX: 00007f640727cda9
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000003
RBP: 00007f64072c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f64073ac050 R15: 00007fff0e30aa68
</TASK>

Showing all locks held in the system:
1 lock held by khungtaskd/29:
#0: ffffffff8d1acbe0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
#0: ffffffff8d1acbe0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
#0: ffffffff8d1acbe0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x75/0x340 kernel/locking/lockdep.c:6614
2 locks held by kworker/u4:2/38:
3 locks held by kworker/0:2/922:
#0: ffff888029122d38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc90004167d80 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0xcf/0x14b0 net/ipv6/addrconf.c:4129
5 locks held by kworker/u5:1/4459:
#0: ffff88802168a538 ((wq_completion)hci8){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc9000d8f7d80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffff8882053c5060 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:305
#3: ffff8882053c4078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb50 net/bluetooth/hci_sync.c:5337
#4: ffffffff8d1b8438 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:324 [inline]
#4: ffffffff8d1b8438 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x3ff/0x800 kernel/rcu/tree_exp.h:995
2 locks held by getty/4816:
#0: ffff888029b910a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfc6/0x1490 drivers/tty/n_tty.c:2201
2 locks held by kworker/0:5/5076:
#0: ffff88801308a938 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc900042e7d80 ((work_completion)(&rew->rew_work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
3 locks held by kworker/1:7/5518:
#0: ffff888029122d38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc900097a7d80 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0xcf/0x14b0 net/ipv6/addrconf.c:4129
3 locks held by syz-executor.5/5642:
1 lock held by syz-executor.4/5650:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:647
1 lock held by syz-executor.4/5651:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:405
1 lock held by syz-executor.1/5653:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:647
1 lock held by syz-executor.1/5655:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:405
1 lock held by syz-executor.2/5662:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:647
1 lock held by syz-executor.2/5663:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:405
1 lock held by syz-executor.0/5665:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:647
1 lock held by syz-executor.0/5667:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:405
1 lock held by syz-executor.3/5951:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:647
1 lock held by syz-executor.3/5952:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:405
1 lock held by syz-executor.5/5979:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:647
1 lock held by syz-executor.5/5980:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:405
1 lock held by syz-executor.1/5983:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:647
1 lock held by syz-executor.1/5986:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:405
1 lock held by syz-executor.4/5993:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:647
1 lock held by syz-executor.4/5994:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:405
1 lock held by syz-executor.0/5997:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:647
1 lock held by syz-executor.0/5998:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:405
1 lock held by syz-executor.2/6000:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:647
1 lock held by syz-executor.2/6001:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:405
1 lock held by syz-executor.3/6019:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:647
1 lock held by syz-executor.3/6020:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:405
1 lock held by syz-executor.5/6093:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:647
1 lock held by syz-executor.5/6094:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:405
1 lock held by syz-executor.1/6105:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:647
1 lock held by syz-executor.1/6106:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:405
1 lock held by syz-executor.4/6109:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:647
1 lock held by syz-executor.4/6110:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:405
1 lock held by syz-executor.2/6120:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:647
1 lock held by syz-executor.2/6121:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:405
1 lock held by syz-executor.0/6127:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:647
1 lock held by syz-executor.0/6128:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:405
1 lock held by syz-executor.3/6138:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:647
1 lock held by syz-executor.3/6139:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:405
1 lock held by syz-executor.1/6165:
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xe00 net/core/rtnetlink.c:6612
1 lock held by syz-executor.4/6168:
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xe00 net/core/rtnetlink.c:6612
1 lock held by syz-executor.2/6184:
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xe00 net/core/rtnetlink.c:6612
2 locks held by syz-executor.0/6187:
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xe00 net/core/rtnetlink.c:6612
#1: ffffffff8d1b8438 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:324 [inline]
#1: ffffffff8d1b8438 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x3ff/0x800 kernel/rcu/tree_exp.h:995
1 lock held by syz-executor.5/6191:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:647
1 lock held by syz-executor.5/6192:
#0: ffff88801f9a1070 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:405
1 lock held by syz-executor.3/6199:
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xe00 net/core/rtnetlink.c:6612

=============================================

NMI backtrace for cpu 1
CPU: 1 PID: 29 Comm: khungtaskd Not tainted 6.8.0-rc2-syzkaller-g861c0981648f-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
nmi_cpu_backtrace+0x277/0x390 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x299/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:222 [inline]
watchdog+0xf87/0x1210 kernel/hung_task.c:379
kthread+0x2c6/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 59 Comm: kworker/u4:4 Not tainted 6.8.0-rc2-syzkaller-g861c0981648f-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: bat_events batadv_nc_worker
RIP: 0010:check_preemption_disabled+0x2/0xe0 lib/smp_processor_id.c:13
Code: ac 04 85 c0 74 1a 65 8b 05 b3 22 74 75 85 c0 75 0f 65 8b 05 bc 1f 74 75 85 c0 74 04 90 0f 0b 90 e9 83 fc ff ff 0f 1f 00 41 54 <55> 53 48 83 ec 08 65 8b 1d cd 59 75 75 65 8b 05 c2 59 75 75 a9 ff
RSP: 0018:ffffc900015a7a48 EFLAGS: 00000082
RAX: 0000000000000001 RBX: 1ffff920002b4f4d RCX: 00000000154dd6e4
RDX: 0000000000000001 RSI: ffffffff8accb300 RDI: ffffffff8b2fdc00
RBP: 0000000000000200 R08: 0000000000000000 R09: fffffbfff242afe8
R10: ffffffff92157f47 R11: 0000000000000002 R12: 0000000000000000
R13: 0000000000000000 R14: ffffffff8d1acbe0 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055ae8684eb68 CR3: 000000006b120000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
lockdep_recursion_finish kernel/locking/lockdep.c:467 [inline]
lock_acquire kernel/locking/lockdep.c:5756 [inline]
lock_acquire+0x1be/0x520 kernel/locking/lockdep.c:5719
rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
rcu_read_lock include/linux/rcupdate.h:750 [inline]
batadv_nc_process_nc_paths.part.0+0xe4/0x3e0 net/batman-adv/network-coding.c:687
batadv_nc_process_nc_paths net/batman-adv/network-coding.c:679 [inline]
batadv_nc_worker+0xded/0x10e0 net/batman-adv/network-coding.c:735
process_one_work+0x886/0x15d0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787
kthread+0x2c6/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
</TASK>


Tested on:

commit: 861c0981 Merge tag 'jfs-6.8-rc3' of github.com:kleikam..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=175259dfe80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b168fa511db3ca08
dashboard link: https://syzkaller.appspot.com/bug?extid=2373f6be3e6de4f92562
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17cf4860180000

Edward Adam Davis

Jan 30, 2024, 8:04:23 PM
to syzbot+2373f6...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
please test task hung in blk_trace_remove

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index d5d94510afd3..5eecdf9b8570 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -330,6 +330,13 @@ static void blk_trace_free(struct request_queue *q, struct blk_trace *bt)
kfree(bt);
}

+static void blk_trace_free_rcu(struct blk_trace *bt)
+{
+ free_percpu(bt->sequence);
+ free_percpu(bt->msg_data);
+ kfree(bt);
+}
+
static void get_probe_ref(void)
{
mutex_lock(&blk_probe_mutex);
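Review bot: blk_trace_free_rcu() copies the last three statements of blk_trace_free() (free_percpu(bt->sequence), free_percpu(bt->msg_data), kfree(bt)) instead of splitting them out of it, so the two copies can drift apart; carve the memory-release tail out of blk_trace_free() into this helper and have blk_trace_free() call it. The name is also easy to confuse with the blk_trace_rcu_free() callback added later in the same patch; rename one of them (for example blk_trace_free_mem() for this one).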
@@ -377,12 +384,32 @@ static int blk_trace_stop(struct blk_trace *bt)
return 0;
}

+static void blk_trace_rcu_free(struct rcu_head *rcu)
+{
+ struct blk_trace *bt;
+
+ bt = container_of(rcu, struct blk_trace, rcu);
+ if (bt) {
+ blk_trace_free_rcu(bt);
+ }
+}
+
static void blk_trace_cleanup(struct request_queue *q, struct blk_trace *bt)
{
blk_trace_stop(bt);
- synchronize_rcu();
- blk_trace_free(q, bt);
+ relay_close(bt->rchan);
+ /*
+ * If 'bt->dir' is not set, then both 'dropped' and 'msg' are created
+ * under 'q->debugfs_dir', thus lookup and remove them.
+ */
+ if (!bt->dir) {
+ debugfs_lookup_and_remove("dropped", q->debugfs_dir);
+ debugfs_lookup_and_remove("msg", q->debugfs_dir);
+ } else {
+ debugfs_remove(bt->dir);
+ }
put_probe_ref();
+ call_rcu(&bt->rcu, blk_trace_rcu_free);
}

static int __blk_trace_remove(struct request_queue *q)
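Review bot: relay_close(bt->rchan) and the debugfs removal now run before the RCU grace period, whereas the removed `synchronize_rcu(); blk_trace_free(q, bt);` sequence closed the channel only after every RCU reader of the old blk_trace pointer had finished; a tracepoint probe still inside its read-side critical section can therefore reach the relay channel after it is closed. Only the memory release is safe to defer to the callback; the channel close and debugfs teardown need to stay after the grace period unless the probes are shown not to touch bt->rchan once blk_trace_stop() has run. Smaller points: the `if (bt)` test in blk_trace_rcu_free() is dead, since container_of() on the rcu_head passed to a callback never yields NULL; the hunk uses `&bt->rcu` but nothing in the diff adds an rcu_head member to struct blk_trace, which belongs in the same patch if the field does not already exist; and the relay_close/debugfs block is duplicated from blk_trace_free() rather than shared with it.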

syzbot

Jan 31, 2024, 2:54:06 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in blk_trace_setup

INFO: task syz-executor.3:5666 blocked for more than 143 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.3 state:D stack:27776 pid:5666 tgid:5665 ppid:5428 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:675
sg_ioctl_common drivers/scsi/sg.c:1118 [inline]
sg_ioctl+0x669/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f680bc7cda9
RSP: 002b:00007f680ca220c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f680bdabf80 RCX: 00007f680bc7cda9
RDX: 0000000020000040 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007f680bcc947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f680bdabf80 R15: 00007ffd8f207988
</TASK>
INFO: task syz-executor.3:5667 blocked for more than 143 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.3 state:D stack:29536 pid:5667 tgid:5665 ppid:5428 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:433
sg_ioctl_common drivers/scsi/sg.c:1126 [inline]
sg_ioctl+0x9ac/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f680bc7cda9
RSP: 002b:00007f680ca010c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f680bdac050 RCX: 00007f680bc7cda9
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000003
RBP: 00007f680bcc947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f680bdac050 R15: 00007ffd8f207988
</TASK>
INFO: task syz-executor.5:5682 blocked for more than 144 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.5 state:D stack:27776 pid:5682 tgid:5681 ppid:5430 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:675
sg_ioctl_common drivers/scsi/sg.c:1118 [inline]
sg_ioctl+0x669/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f950f07cda9
RSP: 002b:00007f950fd610c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f950f1abf80 RCX: 00007f950f07cda9
RDX: 0000000020000040 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007f950f0c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f950f1abf80 R15: 00007ffe1f43dd68
</TASK>
INFO: task syz-executor.5:5683 blocked for more than 144 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.5 state:D stack:29536 pid:5683 tgid:5681 ppid:5430 flags:0x00004006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:433
sg_ioctl_common drivers/scsi/sg.c:1126 [inline]
sg_ioctl+0x9ac/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f950f07cda9
RSP: 002b:00007f950fd400c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f950f1ac050 RCX: 00007f950f07cda9
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000003
RBP: 00007f950f0c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f950f1ac050 R15: 00007ffe1f43dd68
</TASK>
INFO: task syz-executor.1:5692 blocked for more than 145 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.1 state:D stack:27776 pid:5692 tgid:5691 ppid:5442 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:675
sg_ioctl_common drivers/scsi/sg.c:1118 [inline]
sg_ioctl+0x669/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fbb0187cda9
RSP: 002b:00007fbb025800c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fbb019abf80 RCX: 00007fbb0187cda9
RDX: 0000000020000040 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007fbb018c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fbb019abf80 R15: 00007ffd83ded188
</TASK>
INFO: task syz-executor.1:5693 blocked for more than 145 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.1 state:D stack:29536 pid:5693 tgid:5691 ppid:5442 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:433
sg_ioctl_common drivers/scsi/sg.c:1126 [inline]
sg_ioctl+0x9ac/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fbb0187cda9
RSP: 002b:00007fbb0255f0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fbb019ac050 RCX: 00007fbb0187cda9
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000003
RBP: 00007fbb018c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007fbb019ac050 R15: 00007ffd83ded188
</TASK>

Showing all locks held in the system:
3 locks held by kworker/0:1/9:
#0: ffff888013088d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc900000e7d80 ((work_completion)(&data->fib_event_work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffff888170815240 (&data->fib_lock){+.+.}-{3:3}, at: nsim_fib_event_work+0x1bb/0x26e0 drivers/net/netdevsim/fib.c:1489
1 lock held by khungtaskd/28:
#0: ffffffff8d1acbe0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
#0: ffffffff8d1acbe0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
#0: ffffffff8d1acbe0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x75/0x340 kernel/locking/lockdep.c:6614
3 locks held by kworker/1:1/34:
#0: ffff8880289ac138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc90000aafd80 ((work_completion)(&data->fib_event_work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffff8880206a3240 (&data->fib_lock){+.+.}-{3:3}, at: nsim_fib_event_work+0x1bb/0x26e0 drivers/net/netdevsim/fib.c:1489
2 locks held by kworker/u4:2/36:
#0: ffff8880b993ccd8 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x29/0x130 kernel/sched/core.c:559
#1: ffff8880b9928a08 (&per_cpu_ptr(group->pcpu, cpu)->seq){-.-.}-{0:0}, at: psi_task_switch+0x2d9/0x900 kernel/sched/psi.c:988
3 locks held by kworker/u4:9/2474:
2 locks held by getty/4818:
#0: ffff88802e4880a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfc6/0x1490 drivers/tty/n_tty.c:2201
2 locks held by kworker/0:5/5077:
#0: ffff88801308a938 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc90003c1fd80 ((work_completion)(&rew->rew_work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
3 locks held by kworker/0:6/5530:
#0: ffff8880289ac138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc90004ff7d80 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0xcf/0x14b0 net/ipv6/addrconf.c:4129
3 locks held by syz-executor.0/5653:
1 lock held by syz-executor.3/5666:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:675
1 lock held by syz-executor.3/5667:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:433
1 lock held by syz-executor.5/5682:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:675
1 lock held by syz-executor.5/5683:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:433
1 lock held by syz-executor.1/5692:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:675
1 lock held by syz-executor.1/5693:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:433
1 lock held by syz-executor.2/5973:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:675
1 lock held by syz-executor.2/5974:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:433
1 lock held by syz-executor.4/5980:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:675
1 lock held by syz-executor.4/5981:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:433
1 lock held by syz-executor.0/5985:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:675
1 lock held by syz-executor.0/5986:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:433
1 lock held by syz-executor.1/5996:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:675
1 lock held by syz-executor.1/5997:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:433
1 lock held by syz-executor.3/5999:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:675
1 lock held by syz-executor.3/6001:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:433
1 lock held by syz-executor.5/6003:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:675
1 lock held by syz-executor.5/6004:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:433
1 lock held by syz-executor.2/6072:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:675
1 lock held by syz-executor.2/6073:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:433
1 lock held by syz-executor.0/6098:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:675
1 lock held by syz-executor.0/6099:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:433
1 lock held by syz-executor.4/6111:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:675
1 lock held by syz-executor.4/6113:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:433
1 lock held by syz-executor.1/6115:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:675
1 lock held by syz-executor.1/6116:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:433
1 lock held by syz-executor.3/6118:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:675
1 lock held by syz-executor.3/6119:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:433
1 lock held by syz-executor.5/6123:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:675
1 lock held by syz-executor.5/6124:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:433
1 lock held by syz-executor.0/6146:
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xe00 net/core/rtnetlink.c:6612
1 lock held by syz-executor.2/6150:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:675
1 lock held by syz-executor.2/6151:
#0: ffff88801f122a20 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:433
1 lock held by syz-executor.4/6159:
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xe00 net/core/rtnetlink.c:6612
2 locks held by syz-executor.1/6168:
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xe00 net/core/rtnetlink.c:6612
#1: ffffffff8d1b8438 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:292 [inline]
#1: ffffffff8d1b8438 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x6b1/0x800 kernel/rcu/tree_exp.h:995
1 lock held by syz-executor.3/6171:
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xe00 net/core/rtnetlink.c:6612
1 lock held by syz-executor.5/6177:
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: __rtnl_newlink+0x657/0x1940 net/core/rtnetlink.c:3725

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 28 Comm: khungtaskd Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
nmi_cpu_backtrace+0x277/0x390 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x299/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:222 [inline]
watchdog+0xf87/0x1210 kernel/hung_task.c:379
kthread+0x2c6/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
</TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 5666 Comm: syz-executor.3 Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:__sanitizer_cov_trace_pc+0x19/0x60 kernel/kcov.c:203
Code: ff 31 c0 c3 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 65 48 8b 14 25 80 c2 03 00 65 8b 05 a4 9c 7b 7e a9 00 01 ff 00 <48> 8b 34 24 74 0f f6 c4 01 74 35 8b 82 fc 15 00 00 85 c0 74 2b 8b
RSP: 0018:ffffc9000528f618 EFLAGS: 00000246
RAX: 0000000080000000 RBX: 0000000000000000 RCX: ffffffff81eac359
RDX: ffff88801e088000 RSI: 000000000000003f RDI: 0000000000000005
RBP: 0000000000000001 R08: 0000000000000005 R09: 000000000000003f
R10: 0000000000000000 R11: 0000000000000002 R12: ffff88801417ceb0
R13: 0000000000000000 R14: ffff88801417ceac R15: dffffc0000000000
FS: 00007f680ca226c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff3a50a9a8 CR3: 0000000061d18000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
__page_table_check_zero+0x198/0x5e0 mm/page_table_check.c:142
prep_new_page mm/page_alloc.c:1540 [inline]
get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3311
__alloc_pages+0x22f/0x2440 mm/page_alloc.c:4567
alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
relay_alloc_buf kernel/relay.c:121 [inline]
relay_create_buf kernel/relay.c:162 [inline]
relay_open_buf.part.0+0x27d/0xba0 kernel/relay.c:384
relay_open_buf kernel/relay.c:536 [inline]
relay_open+0x641/0xab0 kernel/relay.c:517
do_blk_trace_setup+0x4a9/0xaa0 kernel/trace/blktrace.c:618
__blk_trace_setup+0xd8/0x180 kernel/trace/blktrace.c:658
blk_trace_setup+0x47/0x60 kernel/trace/blktrace.c:676
sg_ioctl_common drivers/scsi/sg.c:1118 [inline]
sg_ioctl+0x669/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f680bc7cda9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f680ca220c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f680bdabf80 RCX: 00007f680bc7cda9
RDX: 0000000020000040 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007f680bcc947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f680bdabf80 R15: 00007ffd8f207988
</TASK>


Tested on:

commit: 1bbb19b6 Merge tag 'erofs-for-6.8-rc3-fixes' of git://..
console output: https://syzkaller.appspot.com/x/log.txt?x=164d3090180000
kernel config: https://syzkaller.appspot.com/x/.config?x=b168fa511db3ca08
dashboard link: https://syzkaller.appspot.com/bug?extid=2373f6be3e6de4f92562
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14ec6d0fe80000

Edward Adam Davis

Jan 31, 2024, 3:24:37 AM
to syzbot+2373f6...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
please test task hung in blk_trace_remove

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index d5d94510afd3..1af3c8aa78a3 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -311,7 +311,7 @@ static void __blk_add_trace(struct blk_trace *bt, sector_t sector, int bytes,
local_irq_restore(flags);
}

-static void blk_trace_free(struct request_queue *q, struct blk_trace *bt)
+static void blk_trace_free_top(struct request_queue *q, struct blk_trace *bt)
{
relay_close(bt->rchan);

@@ -325,11 +325,21 @@ static void blk_trace_free(struct request_queue *q, struct blk_trace *bt)
} else {
debugfs_remove(bt->dir);
}
+}
+
+static void blk_trace_free_bt(struct blk_trace *bt)
+{
free_percpu(bt->sequence);
free_percpu(bt->msg_data);
kfree(bt);
}

+static void blk_trace_free(struct request_queue *q, struct blk_trace *bt)
+{
+ blk_trace_free_top(q, bt);
+ blk_trace_free_bt(bt);
+}
+
static void get_probe_ref(void)
{
mutex_lock(&blk_probe_mutex);
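Review bot: the split leaves blk_trace_free() as a two-line wrapper whose remaining callers are not visible in this diff; if its only call site was the one removed from blk_trace_cleanup() in the next hunk, drop the wrapper, otherwise note which paths still use it. The names blk_trace_free_top()/blk_trace_free_bt() do not say what each half does; names such as blk_trace_remove_files() for the relay/debugfs teardown and blk_trace_free_mem() for the free_percpu/kfree part would read better.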
@@ -377,12 +387,23 @@ static int blk_trace_stop(struct blk_trace *bt)
return 0;
}

+static void blk_trace_rcu_free(struct rcu_head *rcu)
+{
+ struct blk_trace *bt;
+
+ bt = container_of(rcu, struct blk_trace, rcu);
+ if (bt)
+ blk_trace_free_bt(bt);
+}
+
static void blk_trace_cleanup(struct request_queue *q, struct blk_trace *bt)
{
blk_trace_stop(bt);
- synchronize_rcu();
- blk_trace_free(q, bt);
+ blk_trace_free_top(q, bt);
put_probe_ref();
+ mutex_unlock(&q->debugfs_mutex);
+ call_rcu(&bt->rcu, blk_trace_rcu_free);
+ mutex_lock(&q->debugfs_mutex);
}
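Review bot: releasing q->debugfs_mutex around call_rcu() and immediately re-taking it (`mutex_unlock(&q->debugfs_mutex); call_rcu(&bt->rcu, blk_trace_rcu_free); mutex_lock(&q->debugfs_mutex);`) achieves nothing, because call_rcu() only queues the callback and never blocks; what it does do is open a window in which a concurrent blk_trace_setup() on the same queue (which takes the same mutex, see the hung-task traces above) can run while the old trace is half torn down, and it makes a function that is entered with the mutex held silently drop its caller's lock. Remove the unlock/lock pair. The ordering problem from the previous version also remains: blk_trace_free_top() closes the relay channel and removes the debugfs files before the grace period that the deleted synchronize_rcu() provided, so readers that already dereferenced the blk_trace pointer may still touch bt->rchan after relay_close(). The `if (bt)` check after container_of() is still dead, and the rcu_head member used via &bt->rcu is still not added anywhere in the diff.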

syzbot

Jan 31, 2024, 4:18:05 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in blk_trace_setup

INFO: task syz-executor.4:5637 blocked for more than 143 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.4 state:D stack:27776 pid:5637 tgid:5635 ppid:5428 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
sg_ioctl_common drivers/scsi/sg.c:1118 [inline]
sg_ioctl+0x669/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f92fce7cda9
RSP: 002b:00007f92fdcc30c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f92fcfabf80 RCX: 00007f92fce7cda9
RDX: 0000000020000040 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007f92fcec947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f92fcfabf80 R15: 00007ffd5e0ef4b8
</TASK>
INFO: task syz-executor.4:5639 blocked for more than 144 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.4 state:D stack:28480 pid:5639 tgid:5635 ppid:5428 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
sg_ioctl_common drivers/scsi/sg.c:1126 [inline]
sg_ioctl+0x9ac/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f92fce7cda9
RSP: 002b:00007f92fdca20c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f92fcfac050 RCX: 00007f92fce7cda9
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000003
RBP: 00007f92fcec947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f92fcfac050 R15: 00007ffd5e0ef4b8
</TASK>
INFO: task syz-executor.2:5650 blocked for more than 145 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.2 state:D stack:27776 pid:5650 tgid:5649 ppid:5430 flags:0x00004006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
sg_ioctl_common drivers/scsi/sg.c:1118 [inline]
sg_ioctl+0x669/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f63a947cda9
RSP: 002b:00007f63aa2680c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f63a95abf80 RCX: 00007f63a947cda9
RDX: 0000000020000040 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007f63a94c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f63a95abf80 R15: 00007ffeba8b3558
</TASK>
INFO: task syz-executor.2:5651 blocked for more than 145 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.2 state:D stack:29536 pid:5651 tgid:5649 ppid:5430 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
sg_ioctl_common drivers/scsi/sg.c:1126 [inline]
sg_ioctl+0x9ac/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f63a947cda9
RSP: 002b:00007f63aa2470c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f63a95ac050 RCX: 00007f63a947cda9
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000003
RBP: 00007f63a94c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f63a95ac050 R15: 00007ffeba8b3558
</TASK>
INFO: task syz-executor.0:5660 blocked for more than 146 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:27776 pid:5660 tgid:5658 ppid:5431 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
sg_ioctl_common drivers/scsi/sg.c:1118 [inline]
sg_ioctl+0x669/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f574aa7cda9
RSP: 002b:00007f574b8b00c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f574ababf80 RCX: 00007f574aa7cda9
RDX: 0000000020000040 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007f574aac947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f574ababf80 R15: 00007ffd7a97ed28
</TASK>
INFO: task syz-executor.0:5661 blocked for more than 147 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:29536 pid:5661 tgid:5658 ppid:5431 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
sg_ioctl_common drivers/scsi/sg.c:1126 [inline]
sg_ioctl+0x9ac/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f574aa7cda9
RSP: 002b:00007f574b88f0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f574abac050 RCX: 00007f574aa7cda9
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000003
RBP: 00007f574aac947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f574abac050 R15: 00007ffd7a97ed28
</TASK>
INFO: task syz-executor.5:5666 blocked for more than 147 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.5 state:D stack:27776 pid:5666 tgid:5664 ppid:5427 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
sg_ioctl_common drivers/scsi/sg.c:1118 [inline]
sg_ioctl+0x669/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f6b7be7cda9
RSP: 002b:00007f6b7cbf80c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f6b7bfabf80 RCX: 00007f6b7be7cda9
RDX: 0000000020000040 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007f6b7bec947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f6b7bfabf80 R15: 00007ffc5bbb9978
</TASK>
INFO: task syz-executor.5:5668 blocked for more than 148 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.5 state:D stack:29536 pid:5668 tgid:5664 ppid:5427 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
sg_ioctl_common drivers/scsi/sg.c:1126 [inline]
sg_ioctl+0x9ac/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f6b7be7cda9
RSP: 002b:00007f6b7cbd70c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f6b7bfac050 RCX: 00007f6b7be7cda9
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000003
RBP: 00007f6b7bec947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f6b7bfac050 R15: 00007ffc5bbb9978
</TASK>

Showing all locks held in the system:
3 locks held by kworker/0:0/8:
#0: ffff88802887ad38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc900000d7d80 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0xcf/0x14b0 net/ipv6/addrconf.c:4129
3 locks held by kworker/u4:1/12:
1 lock held by khungtaskd/29:
#0: ffffffff8d1acbe0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
#0: ffffffff8d1acbe0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
#0: ffffffff8d1acbe0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x75/0x340 kernel/locking/lockdep.c:6614
2 locks held by kworker/0:2/781:
#0: ffff88801308a938 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc90003e9fd80 ((work_completion)(&rew->rew_work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
2 locks held by getty/4820:
#0: ffff88802911a0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfc6/0x1490 drivers/tty/n_tty.c:2201
5 locks held by kworker/u5:2/5064:
#0: ffff88807df2ed38 ((wq_completion)hci7){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc90003ccfd80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffff8881ef9d5060 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:305
#3: ffff8881ef9d4078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb50 net/bluetooth/hci_sync.c:5337
#4: ffffffff8ef238c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1983 [inline]
#4: ffffffff8ef238c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x158/0x370 net/bluetooth/hci_conn.c:1289
3 locks held by kworker/1:5/5076:
#0: ffff88802887ad38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc90003d5fd80 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0xcf/0x14b0 net/ipv6/addrconf.c:4129
2 locks held by kworker/0:4/5077:
5 locks held by kworker/u5:4/5435:
#0: ffff888020c70d38 ((wq_completion)hci6){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc900049a7d80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffff8881ed859060 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:305
#3: ffff8881ed858078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb50 net/bluetooth/hci_sync.c:5337
#4: ffffffff8ef238c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1983 [inline]
#4: ffffffff8ef238c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x158/0x370 net/bluetooth/hci_conn.c:1289
5 locks held by kworker/u5:7/5441:
#0: ffff88807fa3cd38 ((wq_completion)hci9){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc90004a87d80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffff8881f4771060 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:305
#3: ffff8881f4770078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb50 net/bluetooth/hci_sync.c:5337
#4: ffffffff8d1b8438 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:324 [inline]
#4: ffffffff8d1b8438 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x3ff/0x800 kernel/rcu/tree_exp.h:995
1 lock held by syz-executor.3/5626:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_cleanup kernel/trace/blktrace.c:406 [inline]
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: __blk_trace_remove+0x109/0x250 kernel/trace/blktrace.c:418
3 locks held by syz-executor.1/5633:
1 lock held by syz-executor.4/5637:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.4/5639:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.2/5650:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.2/5651:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.0/5660:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.0/5661:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.5/5666:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.5/5668:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.3/5969:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.3/5970:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.1/5973:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.1/5975:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.4/5986:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.4/5988:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.0/5998:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.0/5999:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.2/6001:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.2/6002:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.5/6004:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.5/6005:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.3/6075:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.3/6076:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.1/6099:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.1/6100:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.0/6115:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.0/6116:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.4/6119:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.4/6120:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.2/6122:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.2/6123:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.5/6125:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.5/6126:
#0: ffff88801f2e3b40 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
3 locks held by syz-executor.3/6128:
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xe00 net/core/rtnetlink.c:6612
#1: ffff88802ac793e8 (&wg->device_update_lock){+.+.}-{3:3}, at: wg_open+0x203/0x4e0 drivers/net/wireguard/device.c:50
#2: ffffffff8d1b8438 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:324 [inline]
#2: ffffffff8d1b8438 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x3ff/0x800 kernel/rcu/tree_exp.h:995
7 locks held by syz-executor.1/6139:
#0: ffff888028d7c420 (sb_writers#8){.+.+}-{0:0}, at: ksys_write+0x12f/0x250 fs/read_write.c:643
#1: ffff888036f8e088 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x27d/0x500 fs/kernfs/file.c:325
#2: ffff88802169b6d0 (kn->active#50){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x2a0/0x500 fs/kernfs/file.c:326
#3: ffffffff8e356208 (nsim_bus_dev_list_lock){+.+.}-{3:3}, at: del_device_store+0xd2/0x4b0 drivers/net/netdevsim/bus.c:216
#4: ffff88806895e0e8 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:990 [inline]
#4: ffff88806895e0e8 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff88806895e0e8 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1292
#5: ffff888068958250 (&devlink->lock_key#15){+.+.}-{3:3}, at: nsim_drv_remove+0x4a/0x1d0 drivers/net/netdevsim/dev.c:1672
#6: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: nsim_destroy+0x39/0x1c0 drivers/net/netdevsim/netdev.c:417
2 locks held by syz-executor.0/6152:
#0: ffffffff8ecacf50 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x2cc/0x660 net/core/net_namespace.c:491
#1: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: register_netdev+0x13/0x50 net/core/dev.c:10391
2 locks held by syz-executor.4/6158:
#0: ffffffff8ecacf50 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x2cc/0x660 net/core/net_namespace.c:491
#1: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: ip_tunnel_init_net+0x225/0x5e0 net/ipv4/ip_tunnel.c:1090
2 locks held by syz-executor.2/6161:
#0: ffffffff8ecacf50 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x2cc/0x660 net/core/net_namespace.c:491
#1: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: ip_tunnel_init_net+0x225/0x5e0 net/ipv4/ip_tunnel.c:1090
2 locks held by syz-executor.5/6164:
#0: ffffffff8ecacf50 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x2cc/0x660 net/core/net_namespace.c:491
#1: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: ip_tunnel_init_net+0x225/0x5e0 net/ipv4/ip_tunnel.c:1090

=============================================

NMI backtrace for cpu 1
CPU: 1 PID: 29 Comm: khungtaskd Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
nmi_cpu_backtrace+0x277/0x390 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x299/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:222 [inline]
watchdog+0xf87/0x1210 kernel/hung_task.c:379
kthread+0x2c6/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 5490 Comm: kworker/0:5 Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Workqueue: events nsim_dev_trap_report_work
RIP: 0010:stack_access_ok+0x2/0x270 arch/x86/kernel/unwind_orc.c:389
Code: 89 85 30 ff ff ff e8 cd b9 a5 00 48 8b 95 18 ff ff ff 48 8b 8d 28 ff ff ff 44 8b 85 30 ff ff ff e9 6f fe ff ff 0f 1f 00 41 57 <41> 56 41 55 41 54 55 48 89 f5 53 48 89 fb 4c 8d 63 08 48 83 ec 10
RSP: 0018:ffffc90004e876f8 EFLAGS: 00000097
RAX: 0000000000000000 RBX: ffffc90004e87788 RCX: 0000000000000001
RDX: 0000000000000008 RSI: ffffc90004e87ac0 RDI: ffffc90004e87788
RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000004
R10: 0000000000000001 R11: 0000000000000004 R12: ffffc90004e87ac0
R13: ffffc90004e87ad8 R14: 0000000000000001 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5266cd5000 CR3: 000000002147d000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
deref_stack_reg arch/x86/kernel/unwind_orc.c:403 [inline]
unwind_next_frame+0x1a98/0x2390 arch/x86/kernel/unwind_orc.c:648
arch_stack_walk+0xfa/0x170 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x96/0xd0 kernel/stacktrace.c:122
kasan_save_stack+0x33/0x50 mm/kasan/common.c:47
__kasan_record_aux_stack+0xba/0x100 mm/kasan/generic.c:586
insert_work+0x38/0x230 kernel/workqueue.c:1653
__queue_work+0x62e/0x11d0 kernel/workqueue.c:1802
__queue_delayed_work+0x1bf/0x270 kernel/workqueue.c:1953
queue_delayed_work_on+0x106/0x130 kernel/workqueue.c:1989
queue_delayed_work include/linux/workqueue.h:563 [inline]
schedule_delayed_work include/linux/workqueue.h:677 [inline]
nsim_dev_trap_report_work+0x9c0/0xc80 drivers/net/netdevsim/dev.c:842
process_one_work+0x886/0x15d0 kernel/workqueue.c:2633
process_scheduled_works kernel/workqueue.c:2706 [inline]
worker_thread+0x8b9/0x1290 kernel/workqueue.c:2787
kthread+0x2c6/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
</TASK>


Tested on:

commit: 1bbb19b6 Merge tag 'erofs-for-6.8-rc3-fixes' of git://..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1041cb97e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b168fa511db3ca08
dashboard link: https://syzkaller.appspot.com/bug?extid=2373f6be3e6de4f92562
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10419e1fe80000

Edward Adam Davis

Jan 31, 2024, 4:32:32 AMJan 31
to syzbot+2373f6...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

Edward Adam Davis

Jan 31, 2024, 4:38:13 AMJan 31
to syzbot+2373f6...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

syzbot

Jan 31, 2024, 5:00:08 AMJan 31
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in blk_trace_setup

INFO: task syz-executor.1:5676 blocked for more than 143 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.1 state:D stack:27776 pid:5676 tgid:5675 ppid:5434 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
sg_ioctl_common drivers/scsi/sg.c:1118 [inline]
sg_ioctl+0x669/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7faf0ce7cda9
RSP: 002b:00007faf0db790c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007faf0cfabf80 RCX: 00007faf0ce7cda9
RDX: 0000000020000040 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007faf0cec947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007faf0cfabf80 R15: 00007fff4f06f188
</TASK>
INFO: task syz-executor.1:5679 blocked for more than 143 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.1 state:D stack:29536 pid:5679 tgid:5675 ppid:5434 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
sg_ioctl_common drivers/scsi/sg.c:1126 [inline]
sg_ioctl+0x9ac/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7faf0ce7cda9
RSP: 002b:00007faf0db580c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007faf0cfac050 RCX: 00007faf0ce7cda9
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000003
RBP: 00007faf0cec947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007faf0cfac050 R15: 00007fff4f06f188
</TASK>
INFO: task syz-executor.3:5686 blocked for more than 144 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.3 state:D stack:27776 pid:5686 tgid:5685 ppid:5428 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
sg_ioctl_common drivers/scsi/sg.c:1118 [inline]
sg_ioctl+0x669/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f558c67cda9
RSP: 002b:00007f558d3d30c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f558c7abf80 RCX: 00007f558c67cda9
RDX: 0000000020000040 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007f558c6c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f558c7abf80 R15: 00007fff93ec0c98
</TASK>
INFO: task syz-executor.3:5687 blocked for more than 144 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.3 state:D stack:29536 pid:5687 tgid:5685 ppid:5428 flags:0x00004006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
sg_ioctl_common drivers/scsi/sg.c:1126 [inline]
sg_ioctl+0x9ac/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f558c67cda9
RSP: 002b:00007f558d3b20c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f558c7ac050 RCX: 00007f558c67cda9
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000003
RBP: 00007f558c6c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f558c7ac050 R15: 00007fff93ec0c98
</TASK>
INFO: task syz-executor.5:5695 blocked for more than 145 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.5 state:D stack:26608 pid:5695 tgid:5692 ppid:5441 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
sg_ioctl_common drivers/scsi/sg.c:1118 [inline]
sg_ioctl+0x669/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fda7f47cda9
RSP: 002b:00007fda800ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fda7f5abf80 RCX: 00007fda7f47cda9
RDX: 0000000020000040 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007fda7f4c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fda7f5abf80 R15: 00007fff85183bd8
</TASK>
INFO: task syz-executor.5:5696 blocked for more than 146 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.5 state:D stack:29536 pid:5696 tgid:5692 ppid:5441 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
sg_ioctl_common drivers/scsi/sg.c:1126 [inline]
sg_ioctl+0x9ac/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fda7f47cda9
RSP: 002b:00007fda7efff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fda7f5ac050 RCX: 00007fda7f47cda9
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000003
RBP: 00007fda7f4c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007fda7f5ac050 R15: 00007fff85183bd8
</TASK>
INFO: task syz-executor.4:5701 blocked for more than 146 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.4 state:D stack:27616 pid:5701 tgid:5700 ppid:5438 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
sg_ioctl_common drivers/scsi/sg.c:1118 [inline]
sg_ioctl+0x669/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f576747cda9
RSP: 002b:00007f57682830c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f57675abf80 RCX: 00007f576747cda9
RDX: 0000000020000040 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007f57674c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f57675abf80 R15: 00007fff90f5ca68
</TASK>
INFO: task syz-executor.4:5703 blocked for more than 147 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.4 state:D stack:29536 pid:5703 tgid:5700 ppid:5438 flags:0x00004006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
sg_ioctl_common drivers/scsi/sg.c:1126 [inline]
sg_ioctl+0x9ac/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f576747cda9
RSP: 002b:00007f57682620c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f57675ac050 RCX: 00007f576747cda9
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000003
RBP: 00007f57674c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f57675ac050 R15: 00007fff90f5ca68
</TASK>

Showing all locks held in the system:
4 locks held by kworker/0:0/8:
3 locks held by kworker/1:0/23:
#0: ffff888013088d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc900001d7d80 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0x51/0xc0 net/core/link_watch.c:281
1 lock held by khungtaskd/29:
#0: ffffffff8d1acbe0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
#0: ffffffff8d1acbe0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
#0: ffffffff8d1acbe0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x75/0x340 kernel/locking/lockdep.c:6614
3 locks held by kworker/u4:3/49:
2 locks held by kworker/1:2/924:
#0: ffff88801308a938 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc90004eafd80 ((work_completion)(&rew->rew_work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
2 locks held by getty/4814:
#0: ffff8880298f20a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfc6/0x1490 drivers/tty/n_tty.c:2201
5 locks held by kworker/u5:2/5068:
#0: ffff88801d20a538 ((wq_completion)hci7){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc90003c4fd80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffff88807c465060 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:305
#3: ffff88807c464078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb50 net/bluetooth/hci_sync.c:5337
#4: ffffffff8ef238c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1983 [inline]
#4: ffffffff8ef238c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x158/0x370 net/bluetooth/hci_conn.c:1289
6 locks held by kworker/u5:3/5431:
#0: ffff88802360cd38 ((wq_completion)hci8){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc900055c7d80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffff8882052a1060 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:305
#3: ffff8882052a0078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb50 net/bluetooth/hci_sync.c:5337
#4: ffffffff8ef238c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1983 [inline]
#4: ffffffff8ef238c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x158/0x370 net/bluetooth/hci_conn.c:1289
#5: ffffffff8d1b8438 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:324 [inline]
#5: ffffffff8d1b8438 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x3ff/0x800 kernel/rcu/tree_exp.h:995
5 locks held by kworker/u5:7/5439:
#0: ffff888078793138 ((wq_completion)hci11){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc90005707d80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffff888205ca1060 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:305
#3: ffff888205ca0078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb50 net/bluetooth/hci_sync.c:5337
#4: ffffffff8ef238c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1983 [inline]
#4: ffffffff8ef238c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x158/0x370 net/bluetooth/hci_conn.c:1289
3 locks held by kworker/0:6/5528:
#0: ffff88802917dd38 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc90005cafd80 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0xcf/0x14b0 net/ipv6/addrconf.c:4129
3 locks held by kworker/0:7/5533:
#0: ffff888013088d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc90005cdfd80 (deferred_process_work){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: switchdev_deferred_process_work+0xe/0x20 net/switchdev/switchdev.c:75
1 lock held by syz-executor.0/5646:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_cleanup kernel/trace/blktrace.c:406 [inline]
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: __blk_trace_remove+0x109/0x250 kernel/trace/blktrace.c:418
3 locks held by syz-executor.2/5664:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
#1: ffffffff8d22fa28 (blk_probe_mutex){+.+.}-{3:3}, at: put_probe_ref+0x14/0x1b0 kernel/trace/blktrace.c:353
#2: ffffffff8d1b8438 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:324 [inline]
#2: ffffffff8d1b8438 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x3ff/0x800 kernel/rcu/tree_exp.h:995
1 lock held by syz-executor.1/5676:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.1/5679:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.3/5686:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.3/5687:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.5/5695:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.5/5696:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.4/5701:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.4/5703:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.0/5959:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.0/5960:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.1/5970:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.1/5972:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.2/5980:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.2/5981:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.3/5993:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.3/5994:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.5/5996:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.5/5997:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.4/5999:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.4/6000:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.0/6062:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.0/6063:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.1/6076:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.1/6077:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.2/6085:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.2/6087:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.3/6104:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.3/6106:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.5/6112:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.5/6113:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.4/6116:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.4/6117:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.0/6138:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.0/6139:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.2/6152:
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xe00 net/core/rtnetlink.c:6612
7 locks held by syz-executor.3/6165:
#0: ffff88802ecd0420 (sb_writers#8){.+.+}-{0:0}, at: ksys_write+0x12f/0x250 fs/read_write.c:643
#1: ffff8880ae4b7088 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x27d/0x500 fs/kernfs/file.c:325
#2: ffff8880210a04e0 (kn->active#50){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x2a0/0x500 fs/kernfs/file.c:326
#3: ffffffff8e356208 (nsim_bus_dev_list_lock){+.+.}-{3:3}, at: del_device_store+0xd2/0x4b0 drivers/net/netdevsim/bus.c:216
#4: ffff88801eb6a0e8 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:990 [inline]
#4: ffff88801eb6a0e8 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff88801eb6a0e8 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1292
#5: ffff888029be8250 (&devlink->lock_key#17){+.+.}-{3:3}, at: nsim_drv_remove+0x4a/0x1d0 drivers/net/netdevsim/dev.c:1672
#6: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: nsim_destroy+0x39/0x1c0 drivers/net/netdevsim/netdev.c:417
1 lock held by syz-executor.5/6171:
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xe00 net/core/rtnetlink.c:6612
1 lock held by syz-executor.4/6177:
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xe00 net/core/rtnetlink.c:6612
1 lock held by syz-executor.1/6189:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.1/6190:
#0: ffff88801f275d80 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 29 Comm: khungtaskd Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
nmi_cpu_backtrace+0x277/0x390 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x299/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:222 [inline]
watchdog+0xf87/0x1210 kernel/hung_task.c:379
kthread+0x2c6/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
</TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 6177 Comm: syz-executor.4 Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:rdtsc_ordered arch/x86/include/asm/msr.h:215 [inline]
RIP: 0010:delay_tsc+0x49/0xb0 arch/x86/lib/delay.c:72
Code: 0f 01 f9 66 90 48 c1 e2 20 48 09 c2 48 89 d5 eb 16 f3 90 bf 01 00 00 00 e8 84 40 d8 f6 e8 8f e0 0b 00 44 39 e0 75 36 0f 01 f9 <66> 90 48 c1 e2 20 48 89 d3 48 09 c3 48 89 d8 48 29 e8 4c 39 e8 73
RSP: 0018:ffffc9000381ec18 EFLAGS: 00000046
RAX: 000000009607868a RBX: 000000939607861e RCX: 0000000000000001
RDX: 0000000000000093 RSI: ffffffff8b2fdb80 RDI: ffffffff8b2fdbc0
RBP: 0000009396077df2 R08: 0000000000000005 R09: 0000000000000000
R10: 00000000000026ea R11: 0000000000000004 R12: 0000000000000001
R13: 0000000000000899 R14: fffffbfff2597ce2 R15: dffffc0000000000
FS: 0000555555bc0480(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055fadbdbff78 CR3: 000000008ba57000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
wait_for_lsr+0x96/0x180 drivers/tty/serial/8250/8250_port.c:2087
serial8250_console_fifo_write drivers/tty/serial/8250/8250_port.c:3366 [inline]
serial8250_console_write+0xc79/0x1060 drivers/tty/serial/8250/8250_port.c:3444
console_emit_next_record kernel/printk/printk.c:2901 [inline]
console_flush_all+0x4d8/0xd60 kernel/printk/printk.c:2967
console_unlock+0x10c/0x260 kernel/printk/printk.c:3036
vprintk_emit+0x17f/0x5f0 kernel/printk/printk.c:2303
vprintk+0x7b/0x90 kernel/printk/printk_safe.c:45
_printk+0xc8/0x100 kernel/printk/printk.c:2328
__netdev_printk+0x33c/0x4b0 net/core/dev.c:11489
netdev_info+0xe5/0x120 net/core/dev.c:11536
__dev_set_promiscuity+0x177/0x590 net/core/dev.c:8439
dev_set_promiscuity+0x52/0x150 net/core/dev.c:8477
br_port_set_promisc net/bridge/br_if.c:108 [inline]
br_manage_promisc+0x2cf/0x500 net/bridge/br_if.c:157
nbp_update_port_count net/bridge/br_if.c:242 [inline]
br_add_if+0xca2/0x1b70 net/bridge/br_if.c:640
do_set_master+0x1b5/0x220 net/core/rtnetlink.c:2704
do_setlink+0xae7/0x4080 net/core/rtnetlink.c:2910
__rtnl_newlink+0xc28/0x1940 net/core/rtnetlink.c:3701
rtnl_newlink+0x67/0xa0 net/core/rtnetlink.c:3748
rtnetlink_rcv_msg+0x3c7/0xe00 net/core/rtnetlink.c:6615
netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2543
netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1367
netlink_sendmsg+0x8b7/0xd70 net/netlink/af_netlink.c:1908
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0xd5/0x180 net/socket.c:745
__sys_sendto+0x225/0x310 net/socket.c:2191
__do_sys_sendto net/socket.c:2203 [inline]
__se_sys_sendto net/socket.c:2199 [inline]
__x64_sys_sendto+0xe0/0x1b0 net/socket.c:2199
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7fb90a07ea9c
Code: 1a 51 02 00 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 60 51 02 00 48 8b
RSP: 002b:00007ffdc9860bd0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007fb90acd4620 RCX: 00007fb90a07ea9c
RDX: 0000000000000028 RSI: 00007fb90acd4670 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007ffdc9860c24 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
R13: 0000000000000000 R14: 00007fb90acd4670 R15: 0000000000000000
</TASK>


Tested on:

commit: 1bbb19b6 Merge tag 'erofs-for-6.8-rc3-fixes' of git://..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=17cfaa67e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b168fa511db3ca08
dashboard link: https://syzkaller.appspot.com/bug?extid=2373f6be3e6de4f92562
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=125a592fe80000

Edward Adam Davis

Jan 31, 2024, 5:14:02 AMJan 31
to syzbot+2373f6...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
+ mutex_unlock(&q->debugfs_mutex);
+ blk_trace_free_top(q, bt);
put_probe_ref();
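Review bot: blk_trace_free_top(q, bt) on the second added line is neither defined nor declared anywhere in what was posted, and the resend sent shortly after this message calls blk_trace_free(q, bt) at the same spot instead. Either the new helper's definition belongs in the patch, or this first posting should be disregarded in favour of the resend; as it stands the fragment would not build.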

Edward Adam Davis

Jan 31, 2024, 5:14:39 AMJan 31
to syzbot+2373f6...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
please test task hung in blk_trace_remove

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index d5d94510afd3..eede951d198a 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -381,8 +381,10 @@ static void blk_trace_cleanup(struct request_queue *q, struct blk_trace *bt)
{
blk_trace_stop(bt);
synchronize_rcu();
+ mutex_unlock(&q->debugfs_mutex);
blk_trace_free(q, bt);
put_probe_ref();
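Review bot: the mutex_unlock(&q->debugfs_mutex) added before blk_trace_free(q, bt) releases a lock that blk_trace_cleanup() did not take. The lock dump in the report shows the mutex acquired by the caller, blk_trace_remove() at kernel/trace/blktrace.c:427, and held through __blk_trace_remove() at blktrace.c:418 into the inlined blk_trace_cleanup() at blktrace.c:406, so unless that caller is changed to stop releasing the mutex itself, the lock is unlocked twice after this patch, and no caller-side change is included. The hunk header (-381,8 +381,10) also announces two added lines while only one is visible, so the hunk as posted is incomplete; please post the whole hunk together with the caller change. Dropping the mutex before blk_trace_free() additionally lets the blk_trace_setup() callers queued on the same mutex (blktrace.c:669 in the dump) proceed while the previous trace is still being torn down, which is the state the mutex is there to exclude; the syzbot retest of this patch still reports the reproducer hanging, now in blk_trace_setup().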

syzbot

Jan 31, 2024, 5:17:05 AMJan 31
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in blk_trace_setup

INFO: task syz-executor.4:5645 blocked for more than 143 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.4 state:D stack:27776 pid:5645 tgid:5644 ppid:5439 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
sg_ioctl_common drivers/scsi/sg.c:1118 [inline]
sg_ioctl+0x669/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f142fa7cda9
RSP: 002b:00007f142f5ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f142fbabf80 RCX: 00007f142fa7cda9
RDX: 0000000020000040 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007f142fac947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f142fbabf80 R15: 00007ffe08407bc8
</TASK>
INFO: task syz-executor.4:5647 blocked for more than 143 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.4 state:D stack:28384 pid:5647 tgid:5644 ppid:5439 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
sg_ioctl_common drivers/scsi/sg.c:1126 [inline]
sg_ioctl+0x9ac/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f142fa7cda9
RSP: 002b:00007f142f5de0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f142fbac050 RCX: 00007f142fa7cda9
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000003
RBP: 00007f142fac947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f142fbac050 R15: 00007ffe08407bc8
</TASK>
INFO: task syz-executor.0:5655 blocked for more than 144 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:27776 pid:5655 tgid:5654 ppid:5433 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
sg_ioctl_common drivers/scsi/sg.c:1118 [inline]
sg_ioctl+0x669/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f6155a7cda9
RSP: 002b:00007f615670b0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f6155babf80 RCX: 00007f6155a7cda9
RDX: 0000000020000040 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007f6155ac947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f6155babf80 R15: 00007ffcf00f40b8
</TASK>
INFO: task syz-executor.0:5656 blocked for more than 144 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:29536 pid:5656 tgid:5654 ppid:5433 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
sg_ioctl_common drivers/scsi/sg.c:1126 [inline]
sg_ioctl+0x9ac/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f6155a7cda9
RSP: 002b:00007f61555ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f6155bac050 RCX: 00007f6155a7cda9
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000003
RBP: 00007f6155ac947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f6155bac050 R15: 00007ffcf00f40b8
</TASK>
INFO: task syz-executor.3:5675 blocked for more than 145 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.3 state:D stack:27776 pid:5675 tgid:5674 ppid:5431 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
sg_ioctl_common drivers/scsi/sg.c:1118 [inline]
sg_ioctl+0x669/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7ff9d207cda9
RSP: 002b:00007ff9d2d8d0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ff9d21abf80 RCX: 00007ff9d207cda9
RDX: 0000000020000040 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007ff9d20c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007ff9d21abf80 R15: 00007ffce595a448
</TASK>
INFO: task syz-executor.3:5678 blocked for more than 146 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.3 state:D stack:29536 pid:5678 tgid:5674 ppid:5431 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
sg_ioctl_common drivers/scsi/sg.c:1126 [inline]
sg_ioctl+0x9ac/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7ff9d207cda9
RSP: 002b:00007ff9d2d6c0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ff9d21ac050 RCX: 00007ff9d207cda9
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000003
RBP: 00007ff9d20c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007ff9d21ac050 R15: 00007ffce595a448
</TASK>
INFO: task syz-executor.5:5682 blocked for more than 146 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.5 state:D stack:27776 pid:5682 tgid:5681 ppid:5441 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
sg_ioctl_common drivers/scsi/sg.c:1118 [inline]
sg_ioctl+0x669/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f489387cda9
RSP: 002b:00007f48945760c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f48939abf80 RCX: 00007f489387cda9
RDX: 0000000020000040 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007f48938c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f48939abf80 R15: 00007fff7affaad8
</TASK>
INFO: task syz-executor.5:5684 blocked for more than 147 seconds.
Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.5 state:D stack:29536 pid:5684 tgid:5681 ppid:5441 flags:0x00000006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5400 [inline]
__schedule+0xf12/0x5c00 kernel/sched/core.c:6727
__schedule_loop kernel/sched/core.c:6802 [inline]
schedule+0xe9/0x270 kernel/sched/core.c:6817
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6874
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b9/0x9d0 kernel/locking/mutex.c:752
blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
sg_ioctl_common drivers/scsi/sg.c:1126 [inline]
sg_ioctl+0x9ac/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f489387cda9
RSP: 002b:00007f48945550c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f48939ac050 RCX: 00007f489387cda9
RDX: 0000000000000000 RSI: 0000000000001276 RDI: 0000000000000003
RBP: 00007f48938c947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007f48939ac050 R15: 00007fff7affaad8
</TASK>

Showing all locks held in the system:
2 locks held by kworker/u4:0/11:
3 locks held by kworker/1:1/27:
#0: ffff888013088d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc90000a2fd80 ((work_completion)(&(&devlink->rwork)->work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffffffff8d1b8438 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:324 [inline]
#2: ffffffff8d1b8438 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x3ff/0x800 kernel/rcu/tree_exp.h:995
1 lock held by khungtaskd/29:
#0: ffffffff8d1acbe0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
#0: ffffffff8d1acbe0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
#0: ffffffff8d1acbe0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x75/0x340 kernel/locking/lockdep.c:6614
3 locks held by kworker/1:2/781:
#0: ffff8880293f9138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc90003b17d80 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0xcf/0x14b0 net/ipv6/addrconf.c:4129
2 locks held by getty/4820:
#0: ffff88802daca0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc90002efe2f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfc6/0x1490 drivers/tty/n_tty.c:2201
5 locks held by kworker/u5:2/5069:
#0: ffff88806d9d5d38 ((wq_completion)hci11){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc90003a77d80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffff888067ff5060 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:305
#3: ffff888067ff4078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb50 net/bluetooth/hci_sync.c:5337
#4: ffffffff8ef238c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1983 [inline]
#4: ffffffff8ef238c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x158/0x370 net/bluetooth/hci_conn.c:1289
3 locks held by kworker/1:4/5080:
#0: ffff888013088d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc90003b37d80 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0x51/0xc0 net/core/link_watch.c:281
2 locks held by kworker/1:5/5081:
2 locks held by kworker/1:6/5082:
#0: ffff88801308a938 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc90003b57d80 ((work_completion)(&rew->rew_work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
4 locks held by kworker/u5:3/5435:
#0: ffff88802083c538 ((wq_completion)hci9){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc90004d1fd80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffff888204551060 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:305
#3: ffff888204550078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb50 net/bluetooth/hci_sync.c:5337
6 locks held by kworker/u5:4/5438:
#0: ffff88820592c538 ((wq_completion)hci10){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc90004d5fd80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffff888205929060 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:305
#3: ffff888205928078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb50 net/bluetooth/hci_sync.c:5337
#4: ffffffff8ef238c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1983 [inline]
#4: ffffffff8ef238c8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x158/0x370 net/bluetooth/hci_conn.c:1289
#5: ffffffff8d1b8438 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:324 [inline]
#5: ffffffff8d1b8438 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x3ff/0x800 kernel/rcu/tree_exp.h:995
3 locks held by kworker/0:6/5519:
#0: ffff8880293f9138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x789/0x15d0 kernel/workqueue.c:2608
#1: ffffc900054b7d80 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x7eb/0x15d0 kernel/workqueue.c:2609
#2: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0xcf/0x14b0 net/ipv6/addrconf.c:4129
3 locks held by syz-executor.1/5639:
1 lock held by syz-executor.4/5645:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.4/5647:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.0/5655:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.0/5656:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.3/5675:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.3/5678:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.5/5682:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.5/5684:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.2/5960:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.2/5961:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.1/5987:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.1/5988:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.4/5996:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.4/5998:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.0/6004:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.0/6005:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.3/6007:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.3/6008:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.5/6011:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.5/6012:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.2/6031:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.2/6032:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.1/6101:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.1/6102:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.4/6110:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.4/6111:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.0/6116:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.0/6117:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.3/6122:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.3/6123:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.5/6131:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.5/6132:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.2/6150:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.2/6151:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427
1 lock held by syz-executor.4/6165:
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xe00 net/core/rtnetlink.c:6612
7 locks held by syz-executor.0/6175:
#0: ffff888029680420 (sb_writers#8){.+.+}-{0:0}, at: ksys_write+0x12f/0x250 fs/read_write.c:643
#1: ffff8881b7959888 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x27d/0x500 fs/kernfs/file.c:325
#2: ffff88802036fe90 (kn->active#51){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x2a0/0x500 fs/kernfs/file.c:326
#3: ffffffff8e356208 (nsim_bus_dev_list_lock){+.+.}-{3:3}, at: new_device_store+0x183/0x730 drivers/net/netdevsim/bus.c:166
#4: ffff88806de8b0e8 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:990 [inline]
#4: ffff88806de8b0e8 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffff88808c6d7250 (&devlink->lock_key#23){+.+.}-{3:3}, at: nsim_drv_probe+0xd5/0x1490 drivers/net/netdevsim/dev.c:1534
#6: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: fib_seq_sum+0x30/0x2e0 net/core/fib_notifier.c:46
4 locks held by syz-executor.3/6180:
#0: ffff888029680420 (sb_writers#8){.+.+}-{0:0}, at: ksys_write+0x12f/0x250 fs/read_write.c:643
#1: ffff888092264c88 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x27d/0x500 fs/kernfs/file.c:325
#2: ffff88802036c008 (kn->active#50){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x2a0/0x500 fs/kernfs/file.c:326
#3: ffffffff8e356208 (nsim_bus_dev_list_lock){+.+.}-{3:3}, at: del_device_store+0xd2/0x4b0 drivers/net/netdevsim/bus.c:216
1 lock held by syz-executor.5/6194:
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xe00 net/core/rtnetlink.c:6612
1 lock held by syz-executor.2/6203:
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8ecc25a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xe00 net/core/rtnetlink.c:6612
1 lock held by syz-executor.1/6207:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_setup+0x33/0x60 kernel/trace/blktrace.c:669
1 lock held by syz-executor.1/6208:
#0: ffff88801f454c60 (&q->debugfs_mutex){+.+.}-{3:3}, at: blk_trace_remove+0x1f/0x40 kernel/trace/blktrace.c:427

=============================================

NMI backtrace for cpu 1
CPU: 1 PID: 29 Comm: khungtaskd Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
nmi_cpu_backtrace+0x277/0x390 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x299/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:222 [inline]
watchdog+0xf87/0x1210 kernel/hung_task.c:379
kthread+0x2c6/0x3a0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:242
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 5645 Comm: syz-executor.4 Not tainted 6.8.0-rc2-syzkaller-g1bbb19b6eb1b-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
RIP: 0010:rcu_lockdep_current_cpu_online+0x24/0x140 kernel/rcu/tree.c:4269
Code: 00 00 00 0f 1f 00 f3 0f 1e fa 65 8b 15 0d 4a 93 7e 81 e2 00 00 f0 00 b8 01 00 00 00 75 0a 8b 15 66 88 ca 0d 85 d2 75 01 c3 55 <53> 65 ff 05 ec 49 93 7e e8 ef 00 1e 09 48 c7 c3 c0 db 03 00 83 f8
RSP: 0018:ffffc900055a75b0 EFLAGS: 00000202
RAX: 0000000000000001 RBX: 000000000005637c RCX: ffffffff81ea9084
RDX: 0000000000000001 RSI: ffffffff8b2fdb80 RDI: ffffffff8ca99a60
RBP: ffff88813fff9140 R08: 0000000000000007 R09: 000000000007ffff
R10: 000000000000000a R11: 0000000000000002 R12: ffff888014300000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
FS: 00007f142f5ff6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffea2813f98 CR3: 000000005b0c1000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
rcu_read_lock_held_common kernel/rcu/update.c:113 [inline]
rcu_read_lock_held+0x23/0x40 kernel/rcu/update.c:349
lookup_page_ext mm/page_ext.c:240 [inline]
page_ext_get+0x132/0x310 mm/page_ext.c:509
__set_page_owner+0x2a/0x60 mm/page_owner.c:197
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook+0x2d0/0x350 mm/page_alloc.c:1533
prep_new_page mm/page_alloc.c:1540 [inline]
get_page_from_freelist+0xa28/0x3780 mm/page_alloc.c:3311
__alloc_pages+0x22f/0x2440 mm/page_alloc.c:4567
alloc_pages_mpol+0x258/0x5f0 mm/mempolicy.c:2133
relay_alloc_buf kernel/relay.c:121 [inline]
relay_create_buf kernel/relay.c:162 [inline]
relay_open_buf.part.0+0x27d/0xba0 kernel/relay.c:384
relay_open_buf kernel/relay.c:536 [inline]
relay_open+0x641/0xab0 kernel/relay.c:517
do_blk_trace_setup+0x4ad/0xc80 kernel/trace/blktrace.c:612
__blk_trace_setup+0xd8/0x180 kernel/trace/blktrace.c:652
blk_trace_setup+0x47/0x60 kernel/trace/blktrace.c:670
sg_ioctl_common drivers/scsi/sg.c:1118 [inline]
sg_ioctl+0x669/0x2760 drivers/scsi/sg.c:1160
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xd3/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b
RIP: 0033:0x7f142fa7cda9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 20 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f142f5ff0c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f142fbabf80 RCX: 00007f142fa7cda9
RDX: 0000000020000040 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007f142fac947a R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f142fbabf80 R15: 00007ffe08407bc8
</TASK>


Tested on:

commit: 1bbb19b6 Merge tag 'erofs-for-6.8-rc3-fixes' of git://..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=106b00afe80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b168fa511db3ca08
dashboard link: https://syzkaller.appspot.com/bug?extid=2373f6be3e6de4f92562
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13d4f940180000

syzbot

Jan 31, 2024, 5:42:06 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+2373f6...@syzkaller.appspotmail.com

Tested on:

commit: 1bbb19b6 Merge tag 'erofs-for-6.8-rc3-fixes' of git://..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=1527cad3e80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b168fa511db3ca08
dashboard link: https://syzkaller.appspot.com/bug?extid=2373f6be3e6de4f92562
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=1650be40180000

syzbot

Jan 31, 2024, 6:07:05 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+2373f6...@syzkaller.appspotmail.com

Tested on:

commit: 1bbb19b6 Merge tag 'erofs-for-6.8-rc3-fixes' of git://..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=13b02540180000
kernel config: https://syzkaller.appspot.com/x/.config?x=b168fa511db3ca08
dashboard link: https://syzkaller.appspot.com/bug?extid=2373f6be3e6de4f92562
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=107c63dfe80000

Edward Adam Davis

Jan 31, 2024, 6:54:17 AM
to syzbot+2373f6...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
please test task hung in blk_trace_remove

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index d5d94510afd3..4543be718362 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -313,6 +313,7 @@ static void __blk_add_trace(struct blk_trace *bt, sector_t sector, int bytes,

static void blk_trace_free(struct request_queue *q, struct blk_trace *bt)
{
+ mutex_unlock(&q->debugfs_mutex);
relay_close(bt->rchan);

/*
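Review bot: the mutex_unlock(&q->debugfs_mutex) added at the top of blk_trace_free() releases a lock this function never acquired, so it silently hard-codes a contract that every caller holds debugfs_mutex on entry; nothing in the hunk or the function's comment states that contract, and any caller that does not hold the mutex would now unlock an unlocked mutex. At minimum add `lockdep_assert_held(&q->debugfs_mutex);` before the unlock and document the expectation in a comment above the function; the cleaner shape is to keep blk_trace_free() lock-neutral and have the callers that take debugfs_mutex (the hung-task traces above show blk_trace_remove acquiring it at kernel/trace/blktrace.c:427) drop it around the slow relay_close()/debugfs_remove() work themselves, so the lock discipline stays visible at the call site.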
@@ -325,6 +326,7 @@ static void blk_trace_free(struct request_queue *q, struct blk_trace *bt)
} else {
debugfs_remove(bt->dir);
}
+ mutex_lock(&q->debugfs_mutex);
free_percpu(bt->sequence);
free_percpu(bt->msg_data);
kfree(bt);
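Review bot: the mutex_lock(&q->debugfs_mutex) re-acquired here exists only to balance the unlock at the top of the function, and the window between the two is not justified anywhere in the patch: relay_close() and debugfs_remove(bt->dir) now run with debugfs_mutex dropped, so another task can take the mutex and enter blk_trace_setup() or blk_trace_remove() on the same request_queue while this bt is still being torn down. The commit message ("Delete critical sections that are time-consuming and protected by other mutexes") should name which other mutex makes those calls safe without debugfs_mutex and why the subsequent free of bt cannot race with a new setup; if bt is already detached from the queue before blk_trace_free() is called, state that invariant in a comment next to the unlock, since the whole change depends on it. A blocking mutex_lock() on the way out of a free routine is also a surprising place to contend, and the re-acquisition is invisible to callers reading the function signature.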
--
2.43.0

syzbot

Jan 31, 2024, 7:40:08 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+2373f6...@syzkaller.appspotmail.com

Tested on:

commit: 1bbb19b6 Merge tag 'erofs-for-6.8-rc3-fixes' of git://..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=13adc87be80000
kernel config: https://syzkaller.appspot.com/x/.config?x=b168fa511db3ca08
dashboard link: https://syzkaller.appspot.com/bug?extid=2373f6be3e6de4f92562
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=145135fde80000

Edward Adam Davis

Jan 31, 2024, 8:28:12 AM
to syzbot+2373f6...@syzkaller.appspotmail.com, ak...@linux-foundation.org, ax...@kernel.dk, dvy...@google.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-tra...@vger.kernel.org, mathieu....@efficios.com, mhir...@kernel.org, pengf...@intel.com, ros...@goodmis.org, syzkall...@googlegroups.com
Delete critical sections that are time-consuming and protected by other mutexes
to avoid this issue.

Reported-and-tested-by: syzbot+2373f6...@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
kernel/trace/blktrace.c | 2 ++
1 file changed, 2 insertions(+)

Jens Axboe

Jan 31, 2024, 9:54:48 AM
to Edward Adam Davis, syzbot+2373f6...@syzkaller.appspotmail.com, ak...@linux-foundation.org, dvy...@google.com, linux...@vger.kernel.org, linux-...@vger.kernel.org, linux-tra...@vger.kernel.org, mathieu....@efficios.com, mhir...@kernel.org, pengf...@intel.com, ros...@goodmis.org, syzkall...@googlegroups.com
On 1/31/24 6:28 AM, Edward Adam Davis wrote:
> Delete critical sections that are time-consuming and protected by other mutexes
> to avoid this issue.

What is "this issue"?

--
Jens Axboe
