[syzbot] [ntfs3?] [usb?] general protection fault in rtlock_slowlock_locked


syzbot

Oct 2, 2025, 12:01:32 PM
to almaz.ale...@paragon-software.com, linux-...@vger.kernel.org, linu...@vger.kernel.org, nt...@lists.linux.dev, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 99bade344cfa Merge tag 'rust-fixes-6.17' of git://git.kern..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15f513a2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=98e114f4eb77e551
dashboard link: https://syzkaller.appspot.com/bug?extid=08df3e4c9b304b37cb04
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/309f13a7cc12/disk-99bade34.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/0d782186486b/vmlinux-99bade34.xz
kernel image: https://storage.googleapis.com/syzbot-assets/174f592d16e2/bzImage-99bade34.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+08df3e...@syzkaller.appspotmail.com

loop7: detected capacity change from 0 to 4096
Oops: general protection fault, probably for non-canonical address 0xffdffc0000000148: 0000 [#1] SMP KASAN PTI
KASAN: maybe wild-memory-access in range [0xff00000000000a40-0xff00000000000a47]
CPU: 0 UID: 0 PID: 11227 Comm: syz.7.607 Tainted: G W 6.17.0-rc1-syzkaller-00214-g99bade344cfa #0 PREEMPT_{RT,(full)}
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
RIP: 0010:do_raw_spin_lock+0x78/0x290 kernel/locking/spinlock_debug.c:115
Code: aa 9c 81 48 8d 4c 24 20 48 c1 e9 03 48 b8 f1 f1 f1 f1 04 f3 f3 f3 48 89 4c 24 18 4a 89 04 39 4c 8d 77 04 4c 89 f0 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 9f 01 00 00 41 8b 06 3d ad 4e ad de 0f
RSP: 0018:ffffc900049ff4c0 EFLAGS: 00010807
RAX: 1fe0000000000148 RBX: ff00000000000a40 RCX: 1ffff9200093fe9c
RDX: 0000000000000000 RSI: ffffffff8b620b60 RDI: ff00000000000a40
RBP: ffffc900049ff570 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed10053788b9 R12: ffff88808316a1b0
R13: ff00000000000000 R14: ff00000000000a44 R15: dffffc0000000000
FS: 00007f7f773fe6c0(0000) GS:ffff8881268c5000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7f79182020 CR3: 000000005aace000 CR4: 00000000003526f0
Call Trace:
<TASK>
task_blocks_on_rt_mutex kernel/locking/rtmutex.c:1265 [inline]
rtlock_slowlock_locked+0x8ef/0x4010 kernel/locking/rtmutex.c:1851
rtlock_slowlock kernel/locking/rtmutex.c:1895 [inline]
rtlock_lock kernel/locking/spinlock_rt.c:43 [inline]
__rt_spin_lock kernel/locking/spinlock_rt.c:49 [inline]
rt_spin_lock+0x152/0x2c0 kernel/locking/spinlock_rt.c:57
spin_lock include/linux/spinlock_rt.h:44 [inline]
iput_final fs/inode.c:1886 [inline]
iput+0x5c1/0x9d0 fs/inode.c:1923
ntfs_fill_super+0x38fa/0x40b0 fs/ntfs3/super.c:1514
get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1692
vfs_get_tree+0x8f/0x2b0 fs/super.c:1815
do_new_mount+0x2a2/0x9e0 fs/namespace.c:3805
do_mount fs/namespace.c:4133 [inline]
__do_sys_mount fs/namespace.c:4344 [inline]
__se_sys_mount+0x317/0x410 fs/namespace.c:4321
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7f791a038a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7f773fde68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f7f773fdef0 RCX: 00007f7f791a038a
RDX: 0000200000000080 RSI: 0000200000000000 RDI: 00007f7f773fdeb0
RBP: 0000200000000080 R08: 00007f7f773fdef0 R09: 0000000002010c10
R10: 0000000002010c10 R11: 0000000000000246 R12: 0000200000000000
R13: 00007f7f773fdeb0 R14: 000000000001f743 R15: 0000200000000380
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:debug_spin_lock_before kernel/locking/spinlock_debug.c:86 [inline]
RIP: 0010:do_raw_spin_lock+0x78/0x290 kernel/locking/spinlock_debug.c:115
Code: aa 9c 81 48 8d 4c 24 20 48 c1 e9 03 48 b8 f1 f1 f1 f1 04 f3 f3 f3 48 89 4c 24 18 4a 89 04 39 4c 8d 77 04 4c 89 f0 48 c1 e8 03 <42> 0f b6 04 38 84 c0 0f 85 9f 01 00 00 41 8b 06 3d ad 4e ad de 0f
RSP: 0018:ffffc900049ff4c0 EFLAGS: 00010807
RAX: 1fe0000000000148 RBX: ff00000000000a40 RCX: 1ffff9200093fe9c
RDX: 0000000000000000 RSI: ffffffff8b620b60 RDI: ff00000000000a40
RBP: ffffc900049ff570 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed10053788b9 R12: ffff88808316a1b0
R13: ff00000000000000 R14: ff00000000000a44 R15: dffffc0000000000
FS: 00007f7f773fe6c0(0000) GS:ffff8881268c5000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7f79182020 CR3: 000000005aace000 CR4: 00000000003526f0
----------------
Code disassembly (best guess):
0: aa stos %al,%es:(%rdi)
1: 9c pushf
2: 81 48 8d 4c 24 20 48 orl $0x4820244c,-0x73(%rax)
9: c1 e9 03 shr $0x3,%ecx
c: 48 b8 f1 f1 f1 f1 04 movabs $0xf3f3f304f1f1f1f1,%rax
13: f3 f3 f3
16: 48 89 4c 24 18 mov %rcx,0x18(%rsp)
1b: 4a 89 04 39 mov %rax,(%rcx,%r15,1)
1f: 4c 8d 77 04 lea 0x4(%rdi),%r14
23: 4c 89 f0 mov %r14,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 0f b6 04 38 movzbl (%rax,%r15,1),%eax <-- trapping instruction
2f: 84 c0 test %al,%al
31: 0f 85 9f 01 00 00 jne 0x1d6
37: 41 8b 06 mov (%r14),%eax
3a: 3d ad 4e ad de cmp $0xdead4ead,%eax
3f: 0f .byte 0xf


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Nov 7, 2025, 11:01:28 PM
to almaz.ale...@paragon-software.com, ax...@kernel.dk, linux...@vger.kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, nt...@lists.linux.dev, syzkall...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: da32d155f4a8 Merge tag 'gpio-fixes-for-v6.18-rc5' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=118faa58580000
kernel config: https://syzkaller.appspot.com/x/.config?x=41ad820f608cb833
dashboard link: https://syzkaller.appspot.com/bug?extid=08df3e4c9b304b37cb04
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=103d4412580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/811f765ca0a8/disk-da32d155.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1f6516907c8f/vmlinux-da32d155.xz
kernel image: https://storage.googleapis.com/syzbot-assets/45682ff9dc9c/bzImage-da32d155.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/cb5a9fd06f24/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=13312a92580000)
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/d496dd2d1446/mount_6.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=1516117c580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+08df3e...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in __raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock_irq+0xa2/0xf0 kernel/locking/spinlock.c:170
Read of size 1 at addr ffff888030dcba68 by task ksoftirqd/1/30

CPU: 1 UID: 0 PID: 30 Comm: ksoftirqd/1 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
__kasan_check_byte+0x2a/0x40 mm/kasan/common.c:580
kasan_check_byte include/linux/kasan.h:401 [inline]
lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5842
__raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
_raw_spin_lock_irq+0xa2/0xf0 kernel/locking/spinlock.c:170
rtlock_slowlock_locked+0x3821/0x4010 kernel/locking/rtmutex.c:1871
rtlock_slowlock kernel/locking/rtmutex.c:1895 [inline]
rtlock_lock kernel/locking/spinlock_rt.c:43 [inline]
__rt_spin_lock kernel/locking/spinlock_rt.c:49 [inline]
rt_spin_lock+0x158/0x3e0 kernel/locking/spinlock_rt.c:57
spin_lock include/linux/spinlock_rt.h:44 [inline]
__wake_up_common_lock+0x2f/0x1e0 kernel/sched/wait.c:124
blk_update_request+0x57e/0xe60 block/blk-mq.c:998
blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1160
blk_complete_reqs block/blk-mq.c:1235 [inline]
blk_done_softirq+0x10a/0x160 block/blk-mq.c:1240
handle_softirqs+0x22f/0x710 kernel/softirq.c:622
run_ksoftirqd+0xac/0x210 kernel/softirq.c:1063
smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>

Allocated by task 7682:
kasan_save_stack mm/kasan/common.c:56 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
poison_kmalloc_redzone mm/kasan/common.c:400 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:417
kasan_kmalloc include/linux/kasan.h:262 [inline]
__kmalloc_cache_noprof+0x1ef/0x6c0 mm/slub.c:5767
kmalloc_noprof include/linux/slab.h:957 [inline]
lbmLogInit fs/jfs/jfs_logmgr.c:1821 [inline]
lmLogInit+0x3db/0x19e0 fs/jfs/jfs_logmgr.c:1269
open_inline_log fs/jfs/jfs_logmgr.c:1175 [inline]
lmLogOpen+0x4e1/0xfa0 fs/jfs/jfs_logmgr.c:1069
jfs_mount_rw+0xe9/0x670 fs/jfs/jfs_mount.c:257
jfs_fill_super+0x754/0xd80 fs/jfs/super.c:532
get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1691
vfs_get_tree+0x92/0x2b0 fs/super.c:1751
fc_mount fs/namespace.c:1208 [inline]
do_new_mount_fc fs/namespace.c:3651 [inline]
do_new_mount+0x302/0xa10 fs/namespace.c:3727
do_mount fs/namespace.c:4050 [inline]
__do_sys_mount fs/namespace.c:4238 [inline]
__se_sys_mount+0x313/0x410 fs/namespace.c:4215
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 5925:
kasan_save_stack mm/kasan/common.c:56 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
__kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587
kasan_save_free_info mm/kasan/kasan.h:406 [inline]
poison_slab_object mm/kasan/common.c:252 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284
kasan_slab_free include/linux/kasan.h:234 [inline]
slab_free_hook mm/slub.c:2539 [inline]
slab_free mm/slub.c:6634 [inline]
kfree+0x197/0x950 mm/slub.c:6841
lbmLogShutdown fs/jfs/jfs_logmgr.c:1864 [inline]
lmLogShutdown+0x441/0x830 fs/jfs/jfs_logmgr.c:1683
lmLogClose+0x28a/0x520 fs/jfs/jfs_logmgr.c:1459
jfs_umount+0x2ef/0x3c0 fs/jfs/jfs_umount.c:114
jfs_put_super+0x8c/0x190 fs/jfs/super.c:194
generic_shutdown_super+0x135/0x2c0 fs/super.c:642
kill_block_super+0x44/0x90 fs/super.c:1722
deactivate_locked_super+0xbc/0x130 fs/super.c:473
cleanup_mnt+0x425/0x4c0 fs/namespace.c:1327
task_work_run+0x1d4/0x260 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888030dcba00
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 104 bytes inside of
freed 256-byte region [ffff888030dcba00, ffff888030dcbb00)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x30dca
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
ksm flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff88813ff26b40 ffffea000157d380 dead000000000003
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0080000000000040 ffff88813ff26b40 ffffea000157d380 dead000000000003
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0080000000000001 ffffea0000c37281 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5919, tgid 5919 (syz-executor), ts 100669428717, free_ts 100657311754
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1850
prep_new_page mm/page_alloc.c:1858 [inline]
get_page_from_freelist+0x28c0/0x2960 mm/page_alloc.c:3884
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5183
alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:3055 [inline]
allocate_slab+0x96/0x350 mm/slub.c:3228
new_slab mm/slub.c:3282 [inline]
___slab_alloc+0xb10/0x1400 mm/slub.c:4651
__slab_alloc+0xc6/0x1f0 mm/slub.c:4774
__slab_alloc_node mm/slub.c:4850 [inline]
slab_alloc_node mm/slub.c:5272 [inline]
__do_kmalloc_node mm/slub.c:5645 [inline]
__kmalloc_noprof+0x14b/0x7d0 mm/slub.c:5658
kmalloc_noprof include/linux/slab.h:961 [inline]
kmalloc_array_noprof include/linux/slab.h:1003 [inline]
security_inode_init_security+0x107/0x3f0 security/security.c:1868
__ext4_new_inode+0x3314/0x3cb0 fs/ext4/ialloc.c:1325
ext4_mkdir+0x3cb/0xc50 fs/ext4/namei.c:3007
vfs_mkdir+0x306/0x510 fs/namei.c:4453
do_mkdirat+0x247/0x590 fs/namei.c:4486
__do_sys_mkdir fs/namei.c:4508 [inline]
__se_sys_mkdir fs/namei.c:4506 [inline]
__x64_sys_mkdir+0x6c/0x80 fs/namei.c:4506
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 20 tgid 20 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1394 [inline]
__free_frozen_pages+0xfb6/0x1140 mm/page_alloc.c:2906
mm_free_pgd kernel/fork.c:541 [inline]
__mmdrop+0xb5/0x4f0 kernel/fork.c:683
rcu_do_batch kernel/rcu/tree.c:2605 [inline]
rcu_core kernel/rcu/tree.c:2861 [inline]
rcu_cpu_kthread+0xbf6/0x1b50 kernel/rcu/tree.c:2949
smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
ffff888030dcb900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888030dcb980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888030dcba00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888030dcba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888030dcbb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

Hillf Danton

Nov 8, 2025, 2:43:58 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Fri, 07 Nov 2025 20:01:26 -0800
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: da32d155f4a8 Merge tag 'gpio-fixes-for-v6.18-rc5' of git:/..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=118faa58580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=41ad820f608cb833
> dashboard link: https://syzkaller.appspot.com/bug?extid=08df3e4c9b304b37cb04
> compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=103d4412580000

#syz test

--- x/fs/jfs/jfs_logmgr.c
+++ y/fs/jfs/jfs_logmgr.c
@@ -149,6 +149,7 @@ do { \
* of log page
*/
#define lbmDIRECT 0x0100
+#define lbmInflight 0x0200

/*
* Global list of active external journals
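Review bot: the new bit `#define lbmInflight 0x0200` carries no comment, while the neighbouring flag definitions in this block are documented (the `* of log page` comment sits right above `lbmDIRECT`); add a one-line comment stating what the bit means (bio submitted, lbmIODone not yet run for this buffer) and confirm that 0x0200 is not already taken by another `l_flag` value, since the rest of the flag block is not visible in this hunk.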
@@ -1861,6 +1862,8 @@ static void lbmLogShutdown(struct jfs_lo
while (lbuf) {
struct lbuf *next = lbuf->l_freelist;
__free_page(lbuf->l_page);
+ while (lbuf->l_flag & lbmInflight)
+ schedule_timeout_idle(HZ);
kfree(lbuf);
lbuf = next;
}
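Review bot: the wait is in the wrong place: `__free_page(lbuf->l_page);` runs before `while (lbuf->l_flag & lbmInflight)`, so the page an in-flight bio is still writing from is released while that I/O can still be running; only the later `kfree(lbuf)` is protected. Move the wait loop above `__free_page`. Separately, polling a plain `l_flag` bit with `schedule_timeout_idle(HZ)` is a busy-wait with one-second granularity and no acquire ordering against the completion side; waiting on the buffer's existing I/O event or a completion would be the more usual shape here.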
@@ -2130,6 +2133,7 @@ static void lbmStartIO(struct lbuf * bp)
bio->bi_iter.bi_size = 0;
lbmIODone(bio);
} else {
+ bp->l_flag |= lbmInflight;
submit_bio(bio);
INCREMENT(lmStat.submitted);
}
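Review bot: `bp->l_flag |= lbmInflight;` is a non-atomic read-modify-write on `l_flag` done here without the LCACHE lock, while the other hunks clear the same field from lbmIODone, also outside that lock; two unlocked read-modify-writes on one word can lose each other's updates. Either set the bit under the lock that already protects `l_flag`, or keep the in-flight state in a separate field updated with set_bit/clear_bit.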
@@ -2226,6 +2230,7 @@ static void lbmIODone(struct bio *bio)
if (bp->l_flag & lbmDIRECT) {
LCACHE_WAKEUP(&bp->l_ioevent);
LCACHE_UNLOCK(flags);
+ bp->l_flag &= ~lbmInflight;
return;
}

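Review bot: `bp->l_flag &= ~lbmInflight;` is placed after `LCACHE_UNLOCK(flags);`, so the clear is an unlocked read-modify-write racing with other writers of `l_flag`; moving it above the unlock keeps it under the existing lock. Its position relative to the wakeup is otherwise right: clearing the bit must be the last touch of `bp` before `return`, because the shutdown loop frees `bp` as soon as it sees the bit drop.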
@@ -2305,6 +2310,7 @@ static void lbmIODone(struct bio *bio)

LCACHE_UNLOCK(flags); /* unlock+enable */
}
+ bp->l_flag &= ~lbmInflight;
}

int jfsIOWait(void *arg)
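Review bot: same concern as in the lbmDIRECT branch: `bp->l_flag &= ~lbmInflight;` sits after `LCACHE_UNLOCK(flags);`, outside the lock. Also confirm that this line and the one in the lbmDIRECT branch cover every exit from lbmIODone; any return path not shown in this diff that leaves the bit set would make the new loop in lbmLogShutdown spin forever, since nothing else clears it.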
--

syzbot

Nov 8, 2025, 3:11:04 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+08df3e...@syzkaller.appspotmail.com
Tested-by: syzbot+08df3e...@syzkaller.appspotmail.com

Tested on:

commit: e811c33b Merge tag 'drm-fixes-2025-11-08' of https://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15c5117c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=41ad820f608cb833
dashboard link: https://syzkaller.appspot.com/bug?extid=08df3e4c9b304b37cb04
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=11746a58580000

Note: testing is done by a robot and is best-effort only.

Edward Adam Davis

Nov 10, 2025, 7:13:26 AM
to syzbot+08df3e...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test

diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index b343c5ea1159..ee6e9ed5e3af 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1860,6 +1860,7 @@ static void lbmLogShutdown(struct jfs_log * log)
lbuf = log->lbuf_free;
while (lbuf) {
struct lbuf *next = lbuf->l_freelist;
+ lbmIOWait(lbuf, 0);
__free_page(lbuf->l_page);
kfree(lbuf);
lbuf = next;
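Review bot: `lbmIOWait(lbuf, 0);` is called unconditionally for every buffer on `log->lbuf_free`, including buffers that never had a bio submitted, so the wait can block on a completion that never arrives; syzbot's follow-up run on this patch reports exactly that (`INFO: task hung in lbmIOWait`, called from lbmLogShutdown), and the other mounts then pile up behind `jfs_log_mutex` in lmLogClose. The wait needs to be conditional on the buffer actually having I/O outstanding, rather than issued for every free-list entry.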

syzbot

Nov 10, 2025, 7:52:07 AM
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in lbmIOWait

INFO: task syz-executor:6320 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:21768 pid:6320 tgid:6320 ppid:1 task_flags:0x400140 flags:0x00080003
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5325 [inline]
__schedule+0x16f3/0x4c20 kernel/sched/core.c:6929
__schedule_loop kernel/sched/core.c:7011 [inline]
schedule+0x165/0x360 kernel/sched/core.c:7026
io_schedule+0x81/0xe0 kernel/sched/core.c:7871
lbmIOWait+0x1e5/0x610 fs/jfs/jfs_logmgr.c:2152
lbmLogShutdown fs/jfs/jfs_logmgr.c:1863 [inline]
lmLogShutdown+0x43e/0x850 fs/jfs/jfs_logmgr.c:1683
lmLogClose+0x28a/0x520 fs/jfs/jfs_logmgr.c:1459
jfs_umount+0x2ef/0x3c0 fs/jfs/jfs_umount.c:114
jfs_put_super+0x8c/0x190 fs/jfs/super.c:194
generic_shutdown_super+0x135/0x2c0 fs/super.c:642
kill_block_super+0x44/0x90 fs/super.c:1722
deactivate_locked_super+0xbc/0x130 fs/super.c:473
cleanup_mnt+0x425/0x4c0 fs/namespace.c:1327
task_work_run+0x1d4/0x260 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fab386c09f7
RSP: 002b:00007ffe632254d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007fab38741d7d RCX: 00007fab386c09f7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffe63225590
RBP: 00007ffe63225590 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffe63226620
R13: 00007fab38741d7d R14: 000000000002f114 R15: 00007ffe63226660
</TASK>
INFO: task syz-executor:6321 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:21768 pid:6321 tgid:6321 ppid:1 task_flags:0x400140 flags:0x00080002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5325 [inline]
__schedule+0x16f3/0x4c20 kernel/sched/core.c:6929
__schedule_loop kernel/sched/core.c:7011 [inline]
rt_mutex_schedule+0x77/0xf0 kernel/sched/core.c:7307
rt_mutex_slowlock_block+0x5ba/0x6d0 kernel/locking/rtmutex.c:1647
__rt_mutex_slowlock kernel/locking/rtmutex.c:1721 [inline]
__rt_mutex_slowlock_locked kernel/locking/rtmutex.c:1760 [inline]
rt_mutex_slowlock+0x2b1/0x6e0 kernel/locking/rtmutex.c:1800
__rt_mutex_lock kernel/locking/rtmutex.c:1815 [inline]
__mutex_lock_common kernel/locking/rtmutex_api.c:536 [inline]
mutex_lock_nested+0x16a/0x1d0 kernel/locking/rtmutex_api.c:547
lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
jfs_umount+0x2ef/0x3c0 fs/jfs/jfs_umount.c:114
jfs_put_super+0x8c/0x190 fs/jfs/super.c:194
generic_shutdown_super+0x135/0x2c0 fs/super.c:642
kill_block_super+0x44/0x90 fs/super.c:1722
deactivate_locked_super+0xbc/0x130 fs/super.c:473
cleanup_mnt+0x425/0x4c0 fs/namespace.c:1327
task_work_run+0x1d4/0x260 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f86878b09f7
RSP: 002b:00007ffe3768bce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007f8687931d7d RCX: 00007f86878b09f7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffe3768bda0
RBP: 00007ffe3768bda0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffe3768ce30
R13: 00007f8687931d7d R14: 000000000002f508 R15: 00007ffe3768ce70
</TASK>
INFO: task syz-executor:6328 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:21544 pid:6328 tgid:6328 ppid:1 task_flags:0x400140 flags:0x00080003
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5325 [inline]
__schedule+0x16f3/0x4c20 kernel/sched/core.c:6929
__schedule_loop kernel/sched/core.c:7011 [inline]
rt_mutex_schedule+0x77/0xf0 kernel/sched/core.c:7307
rt_mutex_slowlock_block+0x5ba/0x6d0 kernel/locking/rtmutex.c:1647
__rt_mutex_slowlock kernel/locking/rtmutex.c:1721 [inline]
__rt_mutex_slowlock_locked kernel/locking/rtmutex.c:1760 [inline]
rt_mutex_slowlock+0x2b1/0x6e0 kernel/locking/rtmutex.c:1800
__rt_mutex_lock kernel/locking/rtmutex.c:1815 [inline]
__mutex_lock_common kernel/locking/rtmutex_api.c:536 [inline]
mutex_lock_nested+0x16a/0x1d0 kernel/locking/rtmutex_api.c:547
lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
jfs_umount+0x2ef/0x3c0 fs/jfs/jfs_umount.c:114
jfs_put_super+0x8c/0x190 fs/jfs/super.c:194
generic_shutdown_super+0x135/0x2c0 fs/super.c:642
kill_block_super+0x44/0x90 fs/super.c:1722
deactivate_locked_super+0xbc/0x130 fs/super.c:473
cleanup_mnt+0x425/0x4c0 fs/namespace.c:1327
task_work_run+0x1d4/0x260 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb668cf09f7
RSP: 002b:00007ffcd289ea18 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007fb668d71d7d RCX: 00007fb668cf09f7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffcd289ead0
RBP: 00007ffcd289ead0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffcd289fb60
R13: 00007fb668d71d7d R14: 000000000002fbeb R15: 00007ffcd289fba0
</TASK>
INFO: task syz-executor:6332 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:21768 pid:6332 tgid:6332 ppid:1 task_flags:0x400140 flags:0x00080002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5325 [inline]
__schedule+0x16f3/0x4c20 kernel/sched/core.c:6929
__schedule_loop kernel/sched/core.c:7011 [inline]
rt_mutex_schedule+0x77/0xf0 kernel/sched/core.c:7307
rt_mutex_slowlock_block+0x5ba/0x6d0 kernel/locking/rtmutex.c:1647
__rt_mutex_slowlock kernel/locking/rtmutex.c:1721 [inline]
__rt_mutex_slowlock_locked kernel/locking/rtmutex.c:1760 [inline]
rt_mutex_slowlock+0x2b1/0x6e0 kernel/locking/rtmutex.c:1800
__rt_mutex_lock kernel/locking/rtmutex.c:1815 [inline]
__mutex_lock_common kernel/locking/rtmutex_api.c:536 [inline]
mutex_lock_nested+0x16a/0x1d0 kernel/locking/rtmutex_api.c:547
lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
jfs_umount+0x2ef/0x3c0 fs/jfs/jfs_umount.c:114
jfs_put_super+0x8c/0x190 fs/jfs/super.c:194
generic_shutdown_super+0x135/0x2c0 fs/super.c:642
kill_block_super+0x44/0x90 fs/super.c:1722
deactivate_locked_super+0xbc/0x130 fs/super.c:473
cleanup_mnt+0x425/0x4c0 fs/namespace.c:1327
task_work_run+0x1d4/0x260 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcbed5509f7
RSP: 002b:00007ffda4a96418 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007fcbed5d1d7d RCX: 00007fcbed5509f7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffda4a964d0
RBP: 00007ffda4a964d0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffda4a97560
R13: 00007fcbed5d1d7d R14: 000000000002fc05 R15: 00007ffda4a975a0
</TASK>
INFO: task syz-executor:6334 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:21768 pid:6334 tgid:6334 ppid:1 task_flags:0x400140 flags:0x00080003
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5325 [inline]
__schedule+0x16f3/0x4c20 kernel/sched/core.c:6929
__schedule_loop kernel/sched/core.c:7011 [inline]
rt_mutex_schedule+0x77/0xf0 kernel/sched/core.c:7307
rt_mutex_slowlock_block+0x5ba/0x6d0 kernel/locking/rtmutex.c:1647
__rt_mutex_slowlock kernel/locking/rtmutex.c:1721 [inline]
__rt_mutex_slowlock_locked kernel/locking/rtmutex.c:1760 [inline]
rt_mutex_slowlock+0x2b1/0x6e0 kernel/locking/rtmutex.c:1800
__rt_mutex_lock kernel/locking/rtmutex.c:1815 [inline]
__mutex_lock_common kernel/locking/rtmutex_api.c:536 [inline]
mutex_lock_nested+0x16a/0x1d0 kernel/locking/rtmutex_api.c:547
lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
jfs_umount+0x2ef/0x3c0 fs/jfs/jfs_umount.c:114
jfs_put_super+0x8c/0x190 fs/jfs/super.c:194
generic_shutdown_super+0x135/0x2c0 fs/super.c:642
kill_block_super+0x44/0x90 fs/super.c:1722
deactivate_locked_super+0xbc/0x130 fs/super.c:473
cleanup_mnt+0x425/0x4c0 fs/namespace.c:1327
task_work_run+0x1d4/0x260 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb21bf709f7
RSP: 002b:00007fffe5843fa8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007fb21bff1d7d RCX: 00007fb21bf709f7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007fffe5844060
RBP: 00007fffe5844060 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007fffe58450f0
R13: 00007fb21bff1d7d R14: 000000000002ffbb R15: 00007fffe5845130
</TASK>

Showing all locks held in the system:
1 lock held by khungtaskd/38:
#0: ffffffff8d5aa840 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#0: ffffffff8d5aa840 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
#0: ffffffff8d5aa840 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6775
2 locks held by getty/5554:
#0: ffff88823bf688a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
#1: ffffc90003e8b2e0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x444/0x1400 drivers/tty/n_tty.c:2222
2 locks held by syz-executor/6320:
#0: ffff8880335d60d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff8880335d60d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff8880335d60d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6321:
#0: ffff8880563d60d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff8880563d60d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff8880563d60d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6328:
#0: ffff888026a7e0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff888026a7e0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff888026a7e0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6332:
#0: ffff8880548c80d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff8880548c80d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff8880548c80d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6334:
#0: ffff8880385d80d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff8880385d80d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff8880385d80d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6886:
#0: ffff8880260e80d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff8880260e80d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff8880260e80d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6898:
#0: ffff8880472520d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff8880472520d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff8880472520d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6904:
#0: ffff8880596a40d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff8880596a40d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff8880596a40d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6905:
#0: ffff8880592f00d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff8880592f00d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff8880592f00d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6920:
#0: ffff88805b3100d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff88805b3100d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff88805b3100d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
1 lock held by syz.4.211/7506:
1 lock held by syz.3.212/7508:
2 locks held by syz.0.213/7510:
2 locks held by syz.1.215/7514:

=============================================

NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 38 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
nmi_cpu_backtrace+0x39e/0x3d0 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:332 [inline]
watchdog+0xf60/0xfa0 kernel/hung_task.c:495
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 7514 Comm: syz.1.215 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:validate_chain+0x1c/0x2140 kernel/locking/lockdep.c:3864
Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55 41 57 41 56 41 55 41 54 53 48 81 ec e0 00 00 00 49 89 cf 65 48 8b 05 c4 5c 06 10 <48> 89 84 24 d8 00 00 00 8b 46 20 89 c1 81 e1 00 80 04 00 81 f9 00
RSP: 0018:ffffc9000625ef30 EFLAGS: 00000086
RAX: 45c4b56d1d97b400 RBX: 0000000000000002 RCX: 2c8d01d5bb98a066
RDX: 0000000000000000 RSI: ffff88801dba8bb0 RDI: ffff88801dba8000
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff81737c15
R10: ffffc9000625f298 R11: ffffffff81aadce0 R12: 00000000ea4a1b54
R13: ffff88801dba8b60 R14: ffff88801dba8bb0 R15: 2c8d01d5bb98a066
FS: 00007f0949f5e6c0(0000) GS:ffff888126df7000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000010000 CR3: 000000003936a000 CR4: 00000000003526f0
Call Trace:
<TASK>
__lock_acquire+0xab9/0xd20 kernel/locking/lockdep.c:5237
lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
rcu_read_lock include/linux/rcupdate.h:867 [inline]
class_rcu_constructor include/linux/rcupdate.h:1195 [inline]
unwind_next_frame+0xc2/0x2390 arch/x86/kernel/unwind_orc.c:479
arch_stack_walk+0x11c/0x150 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:122
save_stack+0xf7/0x1f0 mm/page_owner.c:156
__set_page_owner+0x8d/0x4b0 mm/page_owner.c:332
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1850
prep_new_page mm/page_alloc.c:1858 [inline]
get_page_from_freelist+0x28c0/0x2960 mm/page_alloc.c:3884
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5183
alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2416
folio_alloc_mpol_noprof+0x39/0xe0 mm/mempolicy.c:2435
shmem_alloc_folio mm/shmem.c:1871 [inline]
shmem_alloc_and_add_folio mm/shmem.c:1910 [inline]
shmem_get_folio_gfp+0x633/0x1a70 mm/shmem.c:2533
shmem_get_folio mm/shmem.c:2639 [inline]
shmem_write_begin+0xef/0x2a0 mm/shmem.c:3289
generic_perform_write+0x29d/0x8c0 mm/filemap.c:4242
shmem_file_write_iter+0xfb/0x120 mm/shmem.c:3464
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x5d5/0xb40 fs/read_write.c:686
ksys_write+0x14b/0x260 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f094a8ee17f
Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 f9 92 02 00 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 4c 93 02 00 48
RSP: 002b:00007f0949f5ddf0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000001000000 RCX: 00007f094a8ee17f
RDX: 0000000001000000 RSI: 00007f0941b3e000 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000005f6e
R10: 0000000000000778 R11: 0000000000000293 R12: 0000000000000003
R13: 00007f0949f5def0 R14: 00007f0949f5deb0 R15: 00007f0941b3e000
</TASK>


Tested on:

commit: e9a6fb0b Linux 6.18-rc5
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1284b412580000
kernel config: https://syzkaller.appspot.com/x/.config?x=41ad820f608cb833
dashboard link: https://syzkaller.appspot.com/bug?extid=08df3e4c9b304b37cb04
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=15cd07cd980000

Edward Adam Davis

Nov 10, 2025, 8:09:15 AMNov 10
to syzbot+08df3e...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test

diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index b343c5ea1159..e61a7f02b14d 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1860,6 +1860,7 @@ static void lbmLogShutdown(struct jfs_log * log)
lbuf = log->lbuf_free;
while (lbuf) {
struct lbuf *next = lbuf->l_freelist;
+ lbmIOWait(lbuf, 0);
__free_page(lbuf->l_page);
kfree(lbuf);
lbuf = next;
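Review bot: the lbmIOWait(lbuf, 0) added to the lbuf_free walk ignores its return value and has no bound. A buffer that is already on the free list has no request in flight, so the patch should say what is expected to set lbmDONE on it; if nothing does, the wait never returns and unmount blocks instead of crashing. The hung-task report later in this thread shows exactly this call site (lbmLogShutdown fs/jfs/jfs_logmgr.c:1863 calling lbmIOWait, then io_schedule) blocked for more than 143 seconds. If the intent is to drain I/O still completing on a buffer that was freed early, the wait belongs where that buffer is handed back, not on the free-list walk, and the reason a free buffer can still be completing should be stated in a comment.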
@@ -2146,10 +2147,9 @@ static int lbmIOWait(struct lbuf * bp, int flag)

jfs_info("lbmIOWait1: bp:0x%p flag:0x%x:0x%x", bp, bp->l_flag, flag);

- LCACHE_LOCK(flags); /* disable+lock */
-
LCACHE_SLEEP_COND(bp->l_ioevent, (bp->l_flag & lbmDONE), flags);

+ LCACHE_LOCK(flags); /* disable+lock */
rc = (bp->l_flag & lbmERROR) ? -EIO : 0;

if (flag & lbmFREE)
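Review bot: moving LCACHE_LOCK(flags) below LCACHE_SLEEP_COND inverts the macro's contract. LCACHE_SLEEP_COND expands to __SLEEP_COND with LCACHE_LOCK/LCACHE_UNLOCK as lock_cmd/unlock_cmd (jfs_lock.h: "lock_cmd and unlock_cmd take and release the spinlock"), and __SLEEP_COND runs unlock_cmd before scheduling on the assumption that the caller already holds jfsLCacheLock. With the lock taken only afterwards, the first unlock_cmd releases a lock that was never acquired and restores a `flags` value that LCACHE_LOCK has not yet filled in. syzbot's reply in this thread reports exactly that: "bad unlock balance detected ... lbmIOWait+0x1d4/0x610 fs/jfs/jfs_logmgr.c:2150 ... but there are no more locks to release!". Keep the lock acquisition before the sleep; the original GPF needs a different explanation.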

syzbot

Nov 10, 2025, 8:26:05 AMNov 10
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: bad unlock balance in lbmIOWait

loop1: detected capacity change from 0 to 32768
=====================================
WARNING: bad unlock balance detected!
syzkaller #0 Not tainted
-------------------------------------
syz.1.18/6461 is trying to release lock (jfsLCacheLock) at:
[<ffffffff833d0e04>] spin_unlock_irqrestore include/linux/spinlock_rt.h:122 [inline]
[<ffffffff833d0e04>] lbmIOWait+0x1d4/0x610 fs/jfs/jfs_logmgr.c:2150
but there are no more locks to release!

other info that might help us debug this:
1 lock held by syz.1.18/6461:
#0: ffff888027e480d0 (&type->s_umount_key#53/1){+.+.}-{4:4}, at: alloc_super+0x1ba/0x9a0 fs/super.c:344

stack backtrace:
CPU: 1 UID: 0 PID: 6461 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_unlock_imbalance_bug+0xdc/0xf0 kernel/locking/lockdep.c:5298
__lock_release kernel/locking/lockdep.c:5537 [inline]
lock_release+0x269/0x3e0 kernel/locking/lockdep.c:5889
rt_spin_unlock+0x29/0x200 kernel/locking/spinlock_rt.c:80
spin_unlock_irqrestore include/linux/spinlock_rt.h:122 [inline]
lbmIOWait+0x1d4/0x610 fs/jfs/jfs_logmgr.c:2150
lmLogInit+0xeb1/0x1a00 fs/jfs/jfs_logmgr.c:1372
open_inline_log fs/jfs/jfs_logmgr.c:1175 [inline]
lmLogOpen+0x4e1/0xfa0 fs/jfs/jfs_logmgr.c:1069
jfs_mount_rw+0xe9/0x670 fs/jfs/jfs_mount.c:257
jfs_fill_super+0x754/0xd80 fs/jfs/super.c:532
get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1691
vfs_get_tree+0x92/0x2b0 fs/super.c:1751
fc_mount fs/namespace.c:1208 [inline]
do_new_mount_fc fs/namespace.c:3651 [inline]
do_new_mount+0x302/0xa10 fs/namespace.c:3727
do_mount fs/namespace.c:4050 [inline]
__do_sys_mount fs/namespace.c:4238 [inline]
__se_sys_mount+0x313/0x410 fs/namespace.c:4215
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0b7cee0e6a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0b7c545e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f0b7c545ef0 RCX: 00007f0b7cee0e6a
RDX: 0000200000000400 RSI: 0000200000000380 RDI: 00007f0b7c545eb0
RBP: 0000200000000400 R08: 00007f0b7c545ef0 R09: 000000000001c802
R10: 000000000001c802 R11: 0000000000000246 R12: 0000200000000380
R13: 00007f0b7c545eb0 R14: 0000000000005f74 R15: 0000200000002740
</TASK>
------------[ cut here ]------------
WARNING: CPU: 1 PID: 6461 at ./include/linux/sched.h:2353 __migrate_enable include/linux/sched.h:2353 [inline]
WARNING: CPU: 1 PID: 6461 at ./include/linux/sched.h:2353 migrate_enable include/linux/sched.h:2417 [inline]
WARNING: CPU: 1 PID: 6461 at ./include/linux/sched.h:2353 rt_spin_unlock+0x174/0x200 kernel/locking/spinlock_rt.c:81
Modules linked in:
CPU: 1 UID: 0 PID: 6461 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:__migrate_enable include/linux/sched.h:2353 [inline]
RIP: 0010:migrate_enable include/linux/sched.h:2417 [inline]
RIP: 0010:rt_spin_unlock+0x174/0x200 kernel/locking/spinlock_rt.c:81
Code: 8d 35 00 00 00 00 48 c7 c7 40 a8 5a 8d e8 e4 36 d9 f6 e8 af f1 e2 f6 48 89 df 5b 41 5c 41 5d 41 5e 41 5f 5d e9 9d 00 00 00 90 <0f> 0b 90 eb 8d e8 32 4c cd f6 e9 1b ff ff ff 44 89 f1 80 e1 07 fe
RSP: 0018:ffffc900041f7708 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffffff8d9dfb40 RCX: ecc696ffabe70d00
RDX: 0000000000000000 RSI: ffffffff8cf64ad6 RDI: ffffffff8b3ddd60
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1a90bc0 R12: 1ffff11004a2e090
R13: ffff888025170000 R14: ffff888025170480 R15: dffffc0000000000
FS: 00007f0b7c5466c0(0000) GS:ffff888126ef7000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f51a5c94000 CR3: 000000005514c000 CR4: 00000000003526f0
Call Trace:
<TASK>
spin_unlock_irqrestore include/linux/spinlock_rt.h:122 [inline]
lbmIOWait+0x1d4/0x610 fs/jfs/jfs_logmgr.c:2150
lmLogInit+0xeb1/0x1a00 fs/jfs/jfs_logmgr.c:1372
open_inline_log fs/jfs/jfs_logmgr.c:1175 [inline]
lmLogOpen+0x4e1/0xfa0 fs/jfs/jfs_logmgr.c:1069
jfs_mount_rw+0xe9/0x670 fs/jfs/jfs_mount.c:257
jfs_fill_super+0x754/0xd80 fs/jfs/super.c:532
get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1691
vfs_get_tree+0x92/0x2b0 fs/super.c:1751
fc_mount fs/namespace.c:1208 [inline]
do_new_mount_fc fs/namespace.c:3651 [inline]
do_new_mount+0x302/0xa10 fs/namespace.c:3727
do_mount fs/namespace.c:4050 [inline]
__do_sys_mount fs/namespace.c:4238 [inline]
__se_sys_mount+0x313/0x410 fs/namespace.c:4215
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0b7cee0e6a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0b7c545e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f0b7c545ef0 RCX: 00007f0b7cee0e6a
RDX: 0000200000000400 RSI: 0000200000000380 RDI: 00007f0b7c545eb0
RBP: 0000200000000400 R08: 00007f0b7c545ef0 R09: 000000000001c802
R10: 000000000001c802 R11: 0000000000000246 R12: 0000200000000380
R13: 00007f0b7c545eb0 R14: 0000000000005f74 R15: 0000200000002740
</TASK>


Tested on:

commit: e9a6fb0b Linux 6.18-rc5
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=134a30b4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=41ad820f608cb833
dashboard link: https://syzkaller.appspot.com/bug?extid=08df3e4c9b304b37cb04
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=13a4b412580000

Edward Adam Davis

Nov 10, 2025, 9:18:29 AMNov 10
to syzbot+08df3e...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test

diff --git a/fs/jfs/jfs_lock.h b/fs/jfs/jfs_lock.h
index feb37dd9debf..6aa5ff62ca7c 100644
--- a/fs/jfs/jfs_lock.h
+++ b/fs/jfs/jfs_lock.h
@@ -19,7 +19,7 @@
*
* lock_cmd and unlock_cmd take and release the spinlock
*/
-#define __SLEEP_COND(wq, cond, lock_cmd, unlock_cmd) \
+#define __SLEEP_COND(wq, cond, lock_cmd, unlock_cmd, idle) \
do { \
DECLARE_WAITQUEUE(__wait, current); \
\
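Review bot: the new `idle` parameter of __SLEEP_COND is undocumented. The comment block directly above this hunk explains lock_cmd and unlock_cmd; add a line there saying what a non-zero idle selects (a timed sleep instead of io_schedule) and when a caller should pass it, otherwise every existing caller now carries a bare `0` whose meaning has to be looked up in the macro body.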
@@ -29,7 +29,10 @@ do { \
if (cond) \
break; \
unlock_cmd; \
- io_schedule(); \
+ if (idle) \
+ schedule_timeout_idle(HZ*10); \
+ else \
+ io_schedule(); \
lock_cmd; \
} \
__set_current_state(TASK_RUNNING); \
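Review bot: replacing io_schedule() with schedule_timeout_idle(HZ*10) changes the task state rather than fixing the missing wakeup. schedule_timeout_idle() puts the task into TASK_IDLE, which the hung-task watchdog does not report, and then re-tests cond every ten seconds; a wait whose completion never arrives is hidden from the detector, not resolved, and the loop still cannot exit until something sets the awaited flag. If the wait really can be abandoned, return an error after the timeout and let the caller handle it instead of polling forever in the dark.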
diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index b343c5ea1159..e70bde3b7f40 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -113,11 +113,11 @@ static DEFINE_SPINLOCK(jfsLCacheLock);
/*
* See __SLEEP_COND in jfs_locks.h
*/
-#define LCACHE_SLEEP_COND(wq, cond, flags) \
+#define LCACHE_SLEEP_COND(wq, cond, flags, idle) \
do { \
if (cond) \
break; \
- __SLEEP_COND(wq, cond, LCACHE_LOCK(flags), LCACHE_UNLOCK(flags)); \
+ __SLEEP_COND(wq, cond, LCACHE_LOCK(flags), LCACHE_UNLOCK(flags), idle); \
} while (0)

#define LCACHE_WAKEUP(event) wake_up(event)
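Review bot: the comment kept in this hunk still says "See __SLEEP_COND in jfs_locks.h" although the macro lives in fs/jfs/jfs_lock.h, the file this same patch edits; since the macro signature is being changed here anyway, fix the reference and add a sentence on what the new `idle` argument selects.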
@@ -711,7 +711,7 @@ int lmGroupCommit(struct jfs_log * log, struct tblock * tblk)
tblk->flag |= tblkGC_READY;

__SLEEP_COND(tblk->gcwait, (tblk->flag & tblkGC_COMMITTED),
- LOGGC_LOCK(log), LOGGC_UNLOCK(log));
+ LOGGC_LOCK(log), LOGGC_UNLOCK(log), 0);

/* removed from commit queue */
if (tblk->flag & tblkGC_ERROR)
@@ -1860,6 +1860,7 @@ static void lbmLogShutdown(struct jfs_log * log)
lbuf = log->lbuf_free;
while (lbuf) {
struct lbuf *next = lbuf->l_freelist;
+ lbmIOWait(lbuf, 0);
__free_page(lbuf->l_page);
kfree(lbuf);
lbuf = next;
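Review bot: same concern as on the first version of this hunk: lbmIOWait(lbuf, 0) on a buffer taken from lbuf_free waits for lbmDONE with nothing in flight to set it, and the return value is discarded. The hung-task report that follows in this thread lands on this line (lbmLogShutdown fs/jfs/jfs_logmgr.c:1863 calling lbmIOWait, blocked in io_schedule for more than 143 seconds), so the free-list walk is not the place for this wait.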
@@ -1881,7 +1882,7 @@ static struct lbuf *lbmAllocate(struct jfs_log * log, int pn)
* recycle from log buffer freelist if any
*/
LCACHE_LOCK(flags);
- LCACHE_SLEEP_COND(log->free_wait, (bp = log->lbuf_free), flags);
+ LCACHE_SLEEP_COND(log->free_wait, (bp = log->lbuf_free), flags, 0);
log->lbuf_free = bp->l_freelist;
LCACHE_UNLOCK(flags);

@@ -2148,7 +2149,8 @@ static int lbmIOWait(struct lbuf * bp, int flag)

LCACHE_LOCK(flags); /* disable+lock */

- LCACHE_SLEEP_COND(bp->l_ioevent, (bp->l_flag & lbmDONE), flags);
+ LCACHE_SLEEP_COND(bp->l_ioevent, (bp->l_flag & lbmDONE), flags,
+ bp->l_flag & (lbmWRITE | lbmSYNC | lbmDIRECT));
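Review bot: passing `bp->l_flag & (lbmWRITE | lbmSYNC | lbmDIRECT)` as the idle argument makes the macro re-evaluate that expression on every iteration, including right after unlock_cmd has dropped jfsLCacheLock (see the `unlock_cmd; if (idle)` ordering in the jfs_lock.h hunk), so l_flag is read without the lock that otherwise protects it; evaluate it once into a local before LCACHE_SLEEP_COND. It is also not explained why write, sync and direct buffers should use the timed idle wait while all other callers keep io_schedule(); that deserves a comment. The hunk is cut off in this message (the header announces 7 old and 8 new lines), so the remainder cannot be reviewed here.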

syzbot

Nov 10, 2025, 9:41:03 AMNov 10
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in txLock

BUG at fs/jfs/jfs_txnmgr.c:662 assert(last)
------------[ cut here ]------------
kernel BUG at fs/jfs/jfs_txnmgr.c:662!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 6791 Comm: syz.1.18 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:txLock+0x1b79/0x1cb0 fs/jfs/jfs_txnmgr.c:662
Code: e9 6a f8 ff ff e8 a7 2b 81 fe 48 c7 c7 e0 48 24 8b 48 c7 c6 d9 44 24 8b ba 96 02 00 00 48 c7 c1 e0 49 24 8b e8 88 aa e9 fd 90 <0f> 0b e8 80 2b 81 fe 48 c7 c7 a0 4a 24 8b e8 74 aa e9 fd 48 c7 c7
RSP: 0018:ffffc90004507780 EFLAGS: 00010246
RAX: 000000000000002b RBX: 0000000000000000 RCX: 0fb1e517ffc2aa00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc900045078a8 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffff520008a0e95 R12: 1ffff920006a1200
R13: ffffc90003509000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f0164d3d6c0(0000) GS:ffff888126df7000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f424b06b000 CR3: 0000000022db0000 CR4: 00000000003526f0
Call Trace:
<TASK>
diWrite+0x444/0x1f40 fs/jfs/jfs_imap.c:654
txCommit+0x852/0x5430 fs/jfs/jfs_txnmgr.c:1256
jfs_mkdir+0x856/0xa70 fs/jfs/namei.c:290
vfs_mkdir+0x306/0x510 fs/namei.c:4453
do_mkdirat+0x247/0x590 fs/namei.c:4486
__do_sys_mkdirat fs/namei.c:4503 [inline]
__se_sys_mkdirat fs/namei.c:4501 [inline]
__x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4501
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f016daede17
Code: 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 02 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0164d3ce68 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 00007f0164d3cef0 RCX: 00007f016daede17
RDX: 00000000000001ff RSI: 0000200000000240 RDI: 00000000ffffff9c
RBP: 0000000000000000 R08: 0000200000000240 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000200000000240
R13: 00007f0164d3ceb0 R14: 0000000000000000 R15: 0000000000000000
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:txLock+0x1b79/0x1cb0 fs/jfs/jfs_txnmgr.c:662
Code: e9 6a f8 ff ff e8 a7 2b 81 fe 48 c7 c7 e0 48 24 8b 48 c7 c6 d9 44 24 8b ba 96 02 00 00 48 c7 c1 e0 49 24 8b e8 88 aa e9 fd 90 <0f> 0b e8 80 2b 81 fe 48 c7 c7 a0 4a 24 8b e8 74 aa e9 fd 48 c7 c7
RSP: 0018:ffffc90004507780 EFLAGS: 00010246
RAX: 000000000000002b RBX: 0000000000000000 RCX: 0fb1e517ffc2aa00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc900045078a8 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffff520008a0e95 R12: 1ffff920006a1200
R13: ffffc90003509000 R14: 0000000000000000 R15: 0000000000000000
FS: 00007f0164d3d6c0(0000) GS:ffff888126df7000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f424b06b000 CR3: 0000000022db0000 CR4: 00000000003526f0


Tested on:

commit: e9a6fb0b Linux 6.18-rc5
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14226412580000
kernel config: https://syzkaller.appspot.com/x/.config?x=41ad820f608cb833
dashboard link: https://syzkaller.appspot.com/bug?extid=08df3e4c9b304b37cb04
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=14cb07cd980000

Edward Adam Davis

Nov 10, 2025, 9:50:54 AMNov 10
to syzbot+08df3e...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test

diff --git a/fs/jfs/jfs_lock.h b/fs/jfs/jfs_lock.h
index feb37dd9debf..6aa5ff62ca7c 100644
--- a/fs/jfs/jfs_lock.h
+++ b/fs/jfs/jfs_lock.h
@@ -19,7 +19,7 @@
*
* lock_cmd and unlock_cmd take and release the spinlock
*/
-#define __SLEEP_COND(wq, cond, lock_cmd, unlock_cmd) \
+#define __SLEEP_COND(wq, cond, lock_cmd, unlock_cmd, idle) \
do { \
DECLARE_WAITQUEUE(__wait, current); \
\
@@ -29,7 +29,10 @@ do { \
if (cond) \
break; \
unlock_cmd; \
- io_schedule(); \
+ if (idle) \
+ schedule_timeout_idle(HZ); \
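Review bot: this hunk is cut off after the schedule_timeout_idle(HZ) line, so the else branch and the rest of the patch cannot be checked from this message; the only visible change from the previous attempt is the timeout dropping from HZ*10 to HZ, which does not change the analysis: a polling sleep in TASK_IDLE still only returns when something sets the awaited flag. The syzbot result that follows confirms the problem was moved rather than fixed: the hang report shows io_schedule() reached from lbmIOWait via lbmLogShutdown, i.e. the non-idle branch, with the task in state D.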

syzbot

Nov 10, 2025, 10:17:06 AMNov 10
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in lbmIOWait

INFO: task syz-executor:6322 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:21000 pid:6322 tgid:6322 ppid:1 task_flags:0x400140 flags:0x00080003
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5325 [inline]
__schedule+0x16f3/0x4c20 kernel/sched/core.c:6929
__schedule_loop kernel/sched/core.c:7011 [inline]
schedule+0x165/0x360 kernel/sched/core.c:7026
io_schedule+0x81/0xe0 kernel/sched/core.c:7871
lbmIOWait+0x189/0x6a0 fs/jfs/jfs_logmgr.c:2152
lbmLogShutdown fs/jfs/jfs_logmgr.c:1863 [inline]
lmLogShutdown+0x43e/0x850 fs/jfs/jfs_logmgr.c:1683
lmLogClose+0x28a/0x520 fs/jfs/jfs_logmgr.c:1459
jfs_umount+0x2ef/0x3c0 fs/jfs/jfs_umount.c:114
jfs_put_super+0x8c/0x190 fs/jfs/super.c:194
generic_shutdown_super+0x135/0x2c0 fs/super.c:642
kill_block_super+0x44/0x90 fs/super.c:1722
deactivate_locked_super+0xbc/0x130 fs/super.c:473
cleanup_mnt+0x425/0x4c0 fs/namespace.c:1327
task_work_run+0x1d4/0x260 kernel/task_work.c:227
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop+0xe9/0x130 kernel/entry/common.c:43
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x2bd/0xfa0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3488f909f7
RSP: 002b:00007fff27296f08 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007f3489011d7d RCX: 00007f3488f909f7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007fff27296fc0
RBP: 00007fff27296fc0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007fff27298050
R13: 00007f3489011d7d R14: 000000000002bbc3 R15: 00007fff27298090
</TASK>
INFO: task syz-executor:6326 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:21768 pid:6326 tgid:6326 ppid:1 task_flags:0x400140 flags:0x00080003
RIP: 0033:0x7f00d3ed09f7
RSP: 002b:00007ffebb033f08 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007f00d3f51d7d RCX: 00007f00d3ed09f7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffebb033fc0
RBP: 00007ffebb033fc0 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffebb035050
R13: 00007f00d3f51d7d R14: 000000000002c600 R15: 00007ffebb035090
</TASK>
INFO: task syz-executor:6328 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:21672 pid:6328 tgid:6328 ppid:1 task_flags:0x400140 flags:0x00080003
RIP: 0033:0x7ff3df4b09f7
RSP: 002b:00007ffd1a51e4a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007ff3df531d7d RCX: 00007ff3df4b09f7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffd1a51e560
RBP: 00007ffd1a51e560 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd1a51f5f0
R13: 00007ff3df531d7d R14: 000000000002bde0 R15: 00007ffd1a51f630
</TASK>
INFO: task syz-executor:6332 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:21000 pid:6332 tgid:6332 ppid:1 task_flags:0x400140 flags:0x00080003
RIP: 0033:0x7fee8a9909f7
RSP: 002b:00007ffd370c5f48 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007fee8aa11d7d RCX: 00007fee8a9909f7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffd370c6000
RBP: 00007ffd370c6000 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd370c7090
R13: 00007fee8aa11d7d R14: 000000000002c444 R15: 00007ffd370c70d0
</TASK>
INFO: task syz-executor:6334 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:21128 pid:6334 tgid:6334 ppid:1 task_flags:0x400140 flags:0x00080002
RIP: 0033:0x7f54847409f7
RSP: 002b:00007ffffb9ab768 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007f54847c1d7d RCX: 00007f54847409f7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffffb9ab820
RBP: 00007ffffb9ab820 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffffb9ac8b0
R13: 00007f54847c1d7d R14: 000000000002c760 R15: 00007ffffb9ac8f0
</TASK>

Showing all locks held in the system:
1 lock held by khungtaskd/38:
#0: ffffffff8d5aa840 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#0: ffffffff8d5aa840 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
#0: ffffffff8d5aa840 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6775
2 locks held by getty/5556:
#0: ffff88823bf520a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
#1: ffffc90003e8b2e0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x444/0x1400 drivers/tty/n_tty.c:2222
2 locks held by syz-executor/6322:
#0: ffff8880378700d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff8880378700d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff8880378700d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6326:
#0: ffff8880234ac0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff8880234ac0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff8880234ac0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6328:
#0: ffff88805973a0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff88805973a0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff88805973a0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6332:
#0: ffff8880322ce0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff8880322ce0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff8880322ce0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6334:
#0: ffff8880591020d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff8880591020d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff8880591020d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6887:
#0: ffff8880326a40d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff8880326a40d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff8880326a40d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6890:
#0: ffff88803ba640d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff88803ba640d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff88803ba640d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6910:
#0: ffff8880387200d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff8880387200d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff8880387200d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6911:
#0: ffff8880570960d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff8880570960d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff8880570960d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6912:
#0: ffff888061dcc0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff888061dcc0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff888061dcc0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by kworker/u8:11/7073:
5 locks held by kworker/u8:12/7077:
2 locks held by syz.4.255/7597:
3 locks held by syz.3.256/7599:
2 locks held by syz.0.257/7601:
2 locks held by syz.1.258/7603:
2 locks held by syz.2.259/7605:

=============================================

NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 38 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
nmi_cpu_backtrace+0x39e/0x3d0 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:332 [inline]
watchdog+0xf60/0xfa0 kernel/hung_task.c:495
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 7077 Comm: kworker/u8:12 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Workqueue: events_unbound nsim_dev_trap_report_work
RIP: 0010:arch_irqs_disabled_flags arch/x86/include/asm/irqflags.h:146 [inline]
RIP: 0010:check_preemption_disabled+0x5c/0x120 lib/smp_processor_id.c:19
Code: 04 e2 06 48 3b 4c 24 08 0f 85 cc 00 00 00 48 83 c4 10 5b 41 5e 41 5f 5d e9 d1 a3 03 00 cc 48 c7 04 24 00 00 00 00 9c 8f 04 24 <f7> 04 24 00 02 00 00 74 c8 65 4c 8b 3c 25 08 90 a2 91 41 f6 47 2f
RSP: 0018:ffffc9000598f2c0 EFLAGS: 00000046
RAX: 0000000000000001 RBX: 0000000000000000 RCX: 0000000080000000
RDX: 0000000000000000 RSI: ffffffff8cda17fc RDI: ffffffff8b3ddd60
RBP: ffffffff81737c15 R08: 0000000000000000 R09: 0000000000000000
R10: ffffc9000598f4c8 R11: fffff52000b31ea5 R12: 0000000000000002
R13: ffffffff8d5aa840 R14: 0000000000000000 R15: 0000000000000246
FS: 0000000000000000(0000) GS:ffff888126ef7000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2cf74bd000 CR3: 000000003573c000 CR4: 00000000003526f0
Call Trace:
<TASK>
lockdep_recursion_inc kernel/locking/lockdep.c:465 [inline]
lock_acquire+0xe7/0x360 kernel/locking/lockdep.c:5867
rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
rcu_read_lock include/linux/rcupdate.h:867 [inline]
class_rcu_constructor include/linux/rcupdate.h:1195 [inline]
unwind_next_frame+0xc2/0x2390 arch/x86/kernel/unwind_orc.c:479
__unwind_start+0x5b9/0x760 arch/x86/kernel/unwind_orc.c:758
unwind_start arch/x86/include/asm/unwind.h:64 [inline]
arch_stack_walk+0xe4/0x150 arch/x86/kernel/stacktrace.c:24
stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:122
kasan_save_stack mm/kasan/common.c:56 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
__kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:587
kasan_save_free_info mm/kasan/kasan.h:406 [inline]
poison_slab_object mm/kasan/common.c:252 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:284
kasan_slab_free include/linux/kasan.h:234 [inline]
slab_free_hook mm/slub.c:2539 [inline]
slab_free mm/slub.c:6634 [inline]
kfree+0x197/0x950 mm/slub.c:6841
skb_release_data+0x62d/0x7c0 net/core/skbuff.c:1087
skb_release_all net/core/skbuff.c:1152 [inline]
__kfree_skb net/core/skbuff.c:1166 [inline]
consume_skb+0x9e/0xf0 net/core/skbuff.c:1398
nsim_dev_trap_report drivers/net/netdevsim/dev.c:836 [inline]
nsim_dev_trap_report_work+0x7fa/0xbc0 drivers/net/netdevsim/dev.c:866
process_one_work kernel/workqueue.c:3263 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3346
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3427
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>


Tested on:

commit: e9a6fb0b Linux 6.18-rc5
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10b79a58580000
kernel config: https://syzkaller.appspot.com/x/.config?x=41ad820f608cb833
dashboard link: https://syzkaller.appspot.com/bug?extid=08df3e4c9b304b37cb04
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=152e1a92580000

Edward Adam Davis

Nov 10, 2025, 6:20:55 PMNov 10
to syzbot+08df3e...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test


diff --git a/fs/jfs/jfs_lock.h b/fs/jfs/jfs_lock.h
index feb37dd9debf..ab798de87202 100644
--- a/fs/jfs/jfs_lock.h
+++ b/fs/jfs/jfs_lock.h
@@ -29,7 +29,7 @@ do { \
if (cond) \
break; \
unlock_cmd; \
- io_schedule(); \
+ io_schedule_timeout(HZ); \
lock_cmd; \
} \
__set_current_state(TASK_RUNNING); \
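Review bot: swapping io_schedule() for io_schedule_timeout(HZ) inside the sleep loop in this jfs_lock.h hunk turns an indefinite wait into a once-per-second poll, but it does not address why the waiter is never woken: the loop still re-takes the lock and re-checks cond, so a task whose condition never becomes true keeps cycling, and since it is still in TASK_UNINTERRUPTIBLE between polls it is still reported by the hung-task watchdog (syzbot's retest later in the thread shows exactly that, with the executor tasks in state D and lmLogClose holding jfs_log_mutex). The return value of io_schedule_timeout() is also discarded, so a timed-out pass is indistinguishable from a real wake-up; if a timeout is kept as a safety net, check the return value and leave the loop with an error or a WARN_ONCE rather than silently retrying, and pair it with a fix for the missing wake-up on the log-close path.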
diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index b343c5ea1159..ee6e9ed5e3af 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c

syzbot

Nov 10, 2025, 7:12:05 PMNov 10
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in lmLogClose

INFO: task syz-executor:6329 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:21768 pid:6329 tgid:6329 ppid:1 task_flags:0x400140 flags:0x00080002
RIP: 0033:0x7f7aaeff09f7
RSP: 002b:00007fff8b07eca8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007f7aaf071d7d RCX: 00007f7aaeff09f7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007fff8b07ed60
RBP: 00007fff8b07ed60 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007fff8b07fdf0
R13: 00007f7aaf071d7d R14: 000000000002acee R15: 00007fff8b07fe30
</TASK>
INFO: task syz-executor:6332 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:21768 pid:6332 tgid:6332 ppid:1 task_flags:0x400140 flags:0x00080003
RIP: 0033:0x7f53340009f7
RSP: 002b:00007fffc0564578 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007f5334081d7d RCX: 00007f53340009f7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007fffc0564630
RBP: 00007fffc0564630 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007fffc05656c0
R13: 00007f5334081d7d R14: 000000000002b399 R15: 00007fffc0565700
</TASK>
INFO: task syz-executor:6333 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:21512 pid:6333 tgid:6333 ppid:1 task_flags:0x400140 flags:0x00080003
RIP: 0033:0x7f8ecd6409f7
RSP: 002b:00007fff36361348 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007f8ecd6c1d7d RCX: 00007f8ecd6409f7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007fff36361400
RBP: 00007fff36361400 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007fff36362490
R13: 00007f8ecd6c1d7d R14: 000000000002af4b R15: 00007fff363624d0
</TASK>
INFO: task syz-executor:6334 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:20968 pid:6334 tgid:6334 ppid:1 task_flags:0x400140 flags:0x00080003
RIP: 0033:0x7f377a2509f7
RSP: 002b:00007ffd68f8e948 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007f377a2d1d7d RCX: 00007f377a2509f7
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffd68f8ea00
RBP: 00007ffd68f8ea00 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffd68f8fa90
R13: 00007f377a2d1d7d R14: 000000000002b4b8 R15: 00007ffd68f8fad0
</TASK>

Showing all locks held in the system:
4 locks held by pr/legacy/17:
1 lock held by khungtaskd/38:
#0: ffffffff8d5aa840 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#0: ffffffff8d5aa840 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
#0: ffffffff8d5aa840 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6775
1 lock held by syslogd/5150:
#0: ffff8881499ff598 (&ei->socket.wq.wait){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:44 [inline]
#0: ffff8881499ff598 (&ei->socket.wq.wait){+.+.}-{3:3}, at: finish_wait+0xbf/0x1f0 kernel/sched/wait.c:394
3 locks held by klogd/5157:
2 locks held by getty/5560:
#0: ffff88823bf3c8a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
#1: ffffc90003e832e0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x444/0x1400 drivers/tty/n_tty.c:2222
2 locks held by syz-executor/6325:
#0: ffff8880597e00d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff8880597e00d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff8880597e00d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6329:
#0: ffff8880353f20d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff8880353f20d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff8880353f20d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6332:
#0: ffff88805bfdc0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff88805bfdc0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff88805bfdc0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6333:
#0: ffff888035c120d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff888035c120d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff888035c120d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6334:
#0: ffff888055c2c0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff888055c2c0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff888055c2c0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6841:
#0: ffff888025ce40d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff888025ce40d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff888025ce40d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6842:
#0: ffff8880385120d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff8880385120d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff8880385120d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6859:
#0: ffff8880605a40d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff8880605a40d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff8880605a40d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6864:
#0: ffff888036a0a0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff888036a0a0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff888036a0a0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz-executor/6866:
#0: ffff8880372cc0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock fs/super.c:57 [inline]
#0: ffff8880372cc0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:72 [inline]
#0: ffff8880372cc0d0 (&type->s_umount_key#54){+.+.}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
#1: ffffffff8d9dfab8 (jfs_log_mutex){+.+.}-{4:4}, at: lmLogClose+0xb4/0x520 fs/jfs/jfs_logmgr.c:1443
2 locks held by syz.2.269/7574:
3 locks held by syz.4.270/7576:
3 locks held by syz.0.271/7578:
3 locks held by syz.1.273/7582:

=============================================

NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 38 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
nmi_cpu_backtrace+0x39e/0x3d0 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:332 [inline]
watchdog+0xf60/0xfa0 kernel/hung_task.c:495
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 17 Comm: pr/legacy Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:io_serial_in+0x77/0xc0 drivers/tty/serial/8250/8250_port.c:400
Code: e8 0e 05 ba fc 44 89 f9 d3 e3 49 83 ee 80 4c 89 f0 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 f7 e8 3f bd 1b fd 41 03 1e 89 da ec <0f> b6 c0 5b 41 5c 41 5e 41 5f e9 da 76 bf 05 cc 44 89 f9 80 e1 07
RSP: 0000:ffffc90000167870 EFLAGS: 00000202
RAX: 1ffffffff31d2100 RBX: 00000000000003fd RCX: 0000000000000000
RDX: 00000000000003fd RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffff98e910f0 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffffff8504a800 R12: dffffc0000000000
R13: 0000000000000000 R14: ffffffff98e90e60 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff888126df7000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd0a792a000 CR3: 000000003556c000 CR4: 00000000003526f0
Call Trace:
<TASK>
serial_in drivers/tty/serial/8250/8250.h:137 [inline]
serial_lsr_in drivers/tty/serial/8250/8250.h:159 [inline]
wait_for_lsr+0x1aa/0x2f0 drivers/tty/serial/8250/8250_port.c:1961
fifo_wait_for_lsr drivers/tty/serial/8250/8250_port.c:3234 [inline]
serial8250_console_fifo_write drivers/tty/serial/8250/8250_port.c:3275 [inline]
serial8250_console_write+0x1341/0x1b40 drivers/tty/serial/8250/8250_port.c:3342
console_emit_next_record kernel/printk/printk.c:3091 [inline]
console_flush_all+0x666/0xb40 kernel/printk/printk.c:3199
__console_flush_and_unlock+0x9b/0x160 kernel/printk/printk.c:3258
legacy_kthread_func+0x13b/0x1a0 kernel/printk/printk.c:3611
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x4bc/0x870 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>


Tested on:

commit: 4427259c Merge tag 'riscv-for-linus-6.18-rc6' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14cb30b4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=41ad820f608cb833
dashboard link: https://syzkaller.appspot.com/bug?extid=08df3e4c9b304b37cb04
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1195b412580000
