Test


Atul Raut

Aug 23, 2023, 2:45:10 AM
to syzbot+6eb09d...@syzkaller.appspotmail.com, syzk...@googlegroups.com, syzkall...@googlegroups.com
0001-nfc-Fix-Memory-leak.patch
signature.asc

syzbot

Aug 23, 2023, 3:50:27 AM
to rauji...@gmail.com, syzkall...@googlegroups.com, syzk...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in skb_copy

BUG: memory leak
unreferenced object 0xffff88811cc2a900 (size 240):
comm "kworker/u4:3", pid 55, jiffies 4294966372 (age 43.810s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff83de912a>] __alloc_skb+0x1ea/0x220 net/core/skbuff.c:634
[<ffffffff83dec20f>] skb_copy+0x5f/0x160 net/core/skbuff.c:1925
[<ffffffff82c1f1bf>] virtual_nci_send+0x3f/0xb0 drivers/nfc/virtual_ncidev.c:58
[<ffffffff8495f449>] nci_send_frame+0x69/0xb0 net/nfc/nci/core.c:1347
[<ffffffff8495f519>] nci_cmd_work+0x89/0xb0 net/nfc/nci/core.c:1567
[<ffffffff812b2161>] process_one_work+0x2f1/0x640 kernel/workqueue.c:2600
[<ffffffff812b2a9c>] worker_thread+0x5c/0x5c0 kernel/workqueue.c:2751
[<ffffffff812bc4cb>] kthread+0x12b/0x170 kernel/kthread.c:389
[<ffffffff8113cbac>] ret_from_fork+0x2c/0x40 arch/x86/kernel/process.c:145
[<ffffffff81002ae1>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304

BUG: memory leak
unreferenced object 0xffff88810d84fb80 (size 640):
comm "kworker/u4:3", pid 55, jiffies 4294966372 (age 43.810s)
hex dump (first 32 bytes):
20 00 01 01 00 00 00 00 00 00 00 00 00 00 00 00 ...............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff83de5df1>] kmalloc_reserve+0xe1/0x180 net/core/skbuff.c:559
[<ffffffff83de9010>] __alloc_skb+0xd0/0x220 net/core/skbuff.c:644
[<ffffffff83dec20f>] skb_copy+0x5f/0x160 net/core/skbuff.c:1925
[<ffffffff82c1f1bf>] virtual_nci_send+0x3f/0xb0 drivers/nfc/virtual_ncidev.c:58
[<ffffffff8495f449>] nci_send_frame+0x69/0xb0 net/nfc/nci/core.c:1347
[<ffffffff8495f519>] nci_cmd_work+0x89/0xb0 net/nfc/nci/core.c:1567
[<ffffffff812b2161>] process_one_work+0x2f1/0x640 kernel/workqueue.c:2600
[<ffffffff812b2a9c>] worker_thread+0x5c/0x5c0 kernel/workqueue.c:2751
[<ffffffff812bc4cb>] kthread+0x12b/0x170 kernel/kthread.c:389
[<ffffffff8113cbac>] ret_from_fork+0x2c/0x40 arch/x86/kernel/process.c:145
[<ffffffff81002ae1>] ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304



Tested on:

commit: 706a7415 Linux 6.5-rc7
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.5-rc7
console output: https://syzkaller.appspot.com/x/log.txt?x=1180165ba80000
kernel config: https://syzkaller.appspot.com/x/.config?x=e09fa3ff7f42d220
dashboard link: https://syzkaller.appspot.com/bug?extid=6eb09d75211863f15e3e
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=100e09a7a80000

Atul Raut

Aug 24, 2023, 4:09:55 PM
to syzbot+e29514...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, syzk...@googlegroups.com
0001-pagevec-Fix-array-index-out-of-bounds-error.patch
signature.asc

syzbot

Aug 24, 2023, 8:48:34 PM
to rauji...@gmail.com, syzkall...@googlegroups.com, syzk...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+e29514...@syzkaller.appspotmail.com

Tested on:

commit: 706a7415 Linux 6.5-rc7
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.5-rc7
console output: https://syzkaller.appspot.com/x/log.txt?x=11b276eba80000
kernel config: https://syzkaller.appspot.com/x/.config?x=69fa083ad661f8d6
dashboard link: https://syzkaller.appspot.com/bug?extid=e295147e14b474e4ad70
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=13630450680000

Note: testing is done by a robot and is best-effort only.

Atul Raut

Aug 24, 2023, 9:02:01 PM
to syzbot+e29514...@syzkaller.appspotmail.com, syzk...@googlegroups.com, syzkall...@googlegroups.com
0001-pagevec-Fix-array-index-out-of-bounds-error.patch
signature.asc

syzbot

Aug 24, 2023, 9:39:26 PM
to rauji...@gmail.com, syzkall...@googlegroups.com, syzk...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
UBSAN: array-index-out-of-bounds in truncate_inode_pages_final

ntfs3: loop5: Different NTFS sector size (1024) and media sector size (512).
================================================================================
UBSAN: array-index-out-of-bounds in ./include/linux/pagevec.h:75:3
index 255 is out of range for type 'struct folio *[15]'
CPU: 0 PID: 8086 Comm: syz-executor.5 Not tainted 6.5.0-rc7-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Call trace:
dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233
show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
dump_stack+0x1c/0x28 lib/dump_stack.c:113
ubsan_epilogue lib/ubsan.c:217 [inline]
__ubsan_handle_out_of_bounds+0xfc/0x148 lib/ubsan.c:348
folio_batch_add include/linux/pagevec.h:75 [inline]
find_lock_entries+0x90c/0xd90 mm/filemap.c:2089
truncate_inode_pages_range+0x1b0/0xf74 mm/truncate.c:364
truncate_inode_pages mm/truncate.c:449 [inline]
truncate_inode_pages_final+0x90/0xc0 mm/truncate.c:484
ntfs_evict_inode+0x20/0x48 fs/ntfs3/inode.c:1790
evict+0x260/0x68c fs/inode.c:664
iput_final fs/inode.c:1788 [inline]
iput+0x734/0x818 fs/inode.c:1814
ntfs_fill_super+0x3648/0x3f90 fs/ntfs3/super.c:1420
get_tree_bdev+0x378/0x570 fs/super.c:1318
ntfs_fs_get_tree+0x28/0x38 fs/ntfs3/super.c:1647
vfs_get_tree+0x90/0x274 fs/super.c:1519
do_new_mount+0x25c/0x8c8 fs/namespace.c:3335
path_mount+0x590/0xe04 fs/namespace.c:3662
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount fs/namespace.c:3861 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3861
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x244 arch/arm64/kernel/syscall.c:139
do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:188
el0_svc+0x4c/0x160 arch/arm64/kernel/entry-common.c:647
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:665
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
================================================================================


Tested on:

commit: 706a7415 Linux 6.5-rc7
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.5-rc7
console output: https://syzkaller.appspot.com/x/log.txt?x=17204bbba80000
kernel config: https://syzkaller.appspot.com/x/.config?x=69fa083ad661f8d6
dashboard link: https://syzkaller.appspot.com/bug?extid=e295147e14b474e4ad70
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=13a126eba80000

Atul Raut

Aug 24, 2023, 11:43:20 PM
to syzbot+e29514...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, syzk...@googlegroups.com
0001-pagevec-Fix-array-index-out-of-bounds-error.patch
signature.asc

Atul Raut

Aug 25, 2023, 12:09:20 AM
to syzbot+e29514...@syzkaller.appspotmail.com, syzk...@googlegroups.com, syzkall...@googlegroups.com
signature.asc

syzbot

Aug 25, 2023, 12:54:30 AM
to rauji...@gmail.com, syzkall...@googlegroups.com, syzk...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in truncate_inode_pages_final

INFO: task syz-executor.4:8098 blocked for more than 143 seconds.
Not tainted 6.5.0-rc7-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.4 state:D stack:0 pid:8098 ppid:6357 flags:0x0000000d
Call trace:
__switch_to+0x320/0x754 arch/arm64/kernel/process.c:556
context_switch kernel/sched/core.c:5381 [inline]
__schedule+0x1364/0x23b4 kernel/sched/core.c:6710
schedule+0xc4/0x170 kernel/sched/core.c:6786
io_schedule+0x8c/0x12c kernel/sched/core.c:9028
folio_wait_bit_common+0x65c/0xb90 mm/filemap.c:1304
__folio_lock mm/filemap.c:1632 [inline]
folio_lock include/linux/pagemap.h:959 [inline]
__filemap_get_folio+0x1e4/0x964 mm/filemap.c:1899
truncate_inode_pages_range+0x444/0xf74 mm/truncate.c:377
truncate_inode_pages mm/truncate.c:449 [inline]
truncate_inode_pages_final+0x90/0xc0 mm/truncate.c:484
ntfs_evict_inode+0x20/0x48 fs/ntfs3/inode.c:1790
evict+0x260/0x68c fs/inode.c:664
iput_final fs/inode.c:1788 [inline]
iput+0x734/0x818 fs/inode.c:1814
ntfs_fill_super+0x3648/0x3f90 fs/ntfs3/super.c:1420
get_tree_bdev+0x378/0x570 fs/super.c:1318
ntfs_fs_get_tree+0x28/0x38 fs/ntfs3/super.c:1647
vfs_get_tree+0x90/0x274 fs/super.c:1519
do_new_mount+0x25c/0x8c8 fs/namespace.c:3335
path_mount+0x590/0xe04 fs/namespace.c:3662
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount fs/namespace.c:3861 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3861
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x244 arch/arm64/kernel/syscall.c:139
do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:188
el0_svc+0x4c/0x160 arch/arm64/kernel/entry-common.c:647
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:665
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591

Showing all locks held in the system:
1 lock held by rcu_tasks_kthre/13:
#0: ffff80008e271850 (rcu_tasks.tasks_gp_mutex){+.+.}-{3:3}, at: rcu_tasks_one_gp+0x44/0xcf4 kernel/rcu/tasks.h:522
1 lock held by rcu_tasks_trace/14:
#0: ffff80008e271c10 (rcu_tasks_trace.tasks_gp_mutex){+.+.}-{3:3}, at: rcu_tasks_one_gp+0x44/0xcf4 kernel/rcu/tasks.h:522
1 lock held by khungtaskd/28:
#0: ffff80008e271680 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0xc/0x44 include/linux/rcupdate.h:302
2 locks held by udevd/5608:
2 locks held by getty/5745:
#0: ffff0000cf08d098 (&tty->ldisc_sem){++++}-{0:0}, at: ldsem_down_read+0x3c/0x4c drivers/tty/tty_ldsem.c:340
#1: ffff800093ffd2f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x414/0x1214 drivers/tty/n_tty.c:2187
1 lock held by syz-executor.2/6351:
#0: ffff80008e276cb8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:325 [inline]
#0: ffff80008e276cb8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x37c/0x728 kernel/rcu/tree_exp.h:992
1 lock held by syz-executor.5/6361:
#0: ffff80008e276cb8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:293 [inline]
#0: ffff80008e276cb8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x3ac/0x728 kernel/rcu/tree_exp.h:992
1 lock held by syz-executor.4/8098:
#0: ffff0000dc47e0e0 (&type->s_umount_key#49/1){+.+.}-{3:3}, at: alloc_super+0x1b4/0x80c fs/super.c:228
1 lock held by syz-executor.3/11738:
3 locks held by syz-executor.1/11741:
2 locks held by syz-executor.4/11743:
2 locks held by syz-executor.0/11744:

=============================================



Tested on:

commit: 706a7415 Linux 6.5-rc7
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.5-rc7
console output: https://syzkaller.appspot.com/x/log.txt?x=1635a450680000
kernel config: https://syzkaller.appspot.com/x/.config?x=69fa083ad661f8d6
dashboard link: https://syzkaller.appspot.com/bug?extid=e295147e14b474e4ad70
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64

Note: no patches were applied.

Atul Raut

Aug 26, 2023, 9:33:07 PM
to syzbot+e29514...@syzkaller.appspotmail.com, syzk...@googlegroups.com, syzkall...@googlegroups.com
0001-pagevec-Fix-array-index-out-of-bounds-error.patch
signature.asc

syzbot

Aug 26, 2023, 9:42:24 PM
to rauji...@gmail.com, syzkall...@googlegroups.com, syzk...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

fs/ntfs3/inode.c:1815:1: error: function definition is not allowed here
fs/ntfs3/inode.c:1902:1: error: function definition is not allowed here
fs/ntfs3/inode.c:2055:1: error: function definition is not allowed here
fs/ntfs3/inode.c:2079:14: error: use of undeclared identifier 'ntfs_get_link'; did you mean 'vfs_get_link'?
fs/ntfs3/inode.c:2079:14: error: incompatible function pointer types initializing 'const char *(*)(struct dentry *, struct inode *, struct delayed_call *)' with an expression of type 'const char *(struct dentry *, struct delayed_call *)' [-Werror,-Wincompatible-function-pointer-types]
fs/ntfs3/inode.c:2101:19: error: expected '}'


Tested on:

commit: 706a7415 Linux 6.5-rc7
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.5-rc7
kernel config: https://syzkaller.appspot.com/x/.config?x=4f6a8d3c0bd07f11
dashboard link: https://syzkaller.appspot.com/bug?extid=e295147e14b474e4ad70
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=10f9f233a80000

Atul Raut

Aug 26, 2023, 9:54:20 PM
to syzbot+e29514...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, syzk...@googlegroups.com
0001-pagevec-Fix-array-index-out-of-bounds-error.patch
signature.asc

Atul Raut

Aug 26, 2023, 10:20:04 PM
to syzbot+e29514...@syzkaller.appspotmail.com, syzk...@googlegroups.com, syzkall...@googlegroups.com
0001-pagevec-Fix-array-index-out-of-bounds-error.patch
signature.asc

Atul Raut

Aug 28, 2023, 10:33:38 PM
to syzbot+e29514...@syzkaller.appspotmail.com, syzk...@googlegroups.com, syzkall...@googlegroups.com
0001-pagevec-Fix-array-index-out-of-bounds-error.patch
signature.asc

Atul Raut

Aug 30, 2023, 5:03:34 PM
to syzbot+e29514...@syzkaller.appspotmail.com, syzk...@googlegroups.com
0001-pagevec-Fix-array-index-out-of-bounds-error.patch
signature.asc

syzbot

Aug 30, 2023, 5:03:34 PM
to rauji...@gmail.com, rauji...@gmail.com, syzk...@googlegroups.com, syzkall...@googlegroups.com
> #syz test:

Your commands are accepted, but please keep syzkall...@googlegroups.com mailing list in CC next time. It serves as a history of what happened with each bug report. Thank you.

> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.5-rc7
>

syzbot

Aug 30, 2023, 5:36:44 PM
to rauji...@gmail.com, syzkall...@googlegroups.com, syzk...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
kernel BUG in evict

------------[ cut here ]------------
kernel BUG at fs/inode.c:676!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 6528 Comm: syz-executor.3 Not tainted 6.5.0-rc7-syzkaller-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : evict+0x658/0x68c fs/inode.c:676
lr : evict+0x658/0x68c fs/inode.c:676
sp : ffff800096ac7650
x29: ffff800096ac7670 x28: 1fffe0001cfb1168 x27: dfff800000000000
x26: 1fffe0001cfb116d x25: 1fffe0001cfb113b x24: 1fffe0001cfb116d
x23: ffff0000e7d88a38 x22: 0000000000000020 x21: ffff0000e7d88b68
x20: ffff0000e7d889d8 x19: ffff0000e7d889b0 x18: ffff800096ac7320
x17: ffff80008e09d000 x16: ffff8000803325fc x15: ffff700012d58eb0
x14: 1ffff00012d58eb0 x13: 0000000000000004 x12: ffffffffffffffff
x11: 0000000000000001 x10: 0000000000000000 x9 : 0000000000000000
x8 : ffff0000d98fb780 x7 : ffff800080af55a4 x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff80008033272c
x2 : 0000000000000001 x1 : 0000000000000020 x0 : 0000000000000060
Call trace:
evict+0x658/0x68c fs/inode.c:676
iput_final fs/inode.c:1788 [inline]
iput+0x734/0x818 fs/inode.c:1814
ntfs_fill_super+0x23dc/0x3f90 fs/ntfs3/super.c:1210
get_tree_bdev+0x378/0x570 fs/super.c:1318
ntfs_fs_get_tree+0x28/0x38 fs/ntfs3/super.c:1647
vfs_get_tree+0x90/0x274 fs/super.c:1519
do_new_mount+0x25c/0x8c8 fs/namespace.c:3335
path_mount+0x590/0xe04 fs/namespace.c:3662
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount fs/namespace.c:3861 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3861
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x244 arch/arm64/kernel/syscall.c:139
do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:188
el0_svc+0x4c/0x160 arch/arm64/kernel/entry-common.c:647
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:665
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
Code: d4210000 97e88569 d4210000 97e88567 (d4210000)
---[ end trace 0000000000000000 ]---


Tested on:

commit: 706a7415 Linux 6.5-rc7
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.5-rc7
console output: https://syzkaller.appspot.com/x/log.txt?x=12854587a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=69fa083ad661f8d6
dashboard link: https://syzkaller.appspot.com/bug?extid=e295147e14b474e4ad70
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=14cefca8680000

Atul Raut

Aug 31, 2023, 1:50:42 AM
to syzbot+e29514...@syzkaller.appspotmail.com, syzk...@googlegroups.com, syzkall...@googlegroups.com
0001-pagevec-Fix-array-index-out-of-bounds-error.patch
signature.asc

Atul Raut

Aug 31, 2023, 11:25:40 AM
to syzbot+e29514...@syzkaller.appspotmail.com, syzk...@googlegroups.com
0001-pagevec-Fix-array-index-out-of-bounds-error.patch
signature.asc

syzbot

Aug 31, 2023, 11:25:41 AM
to rauji...@gmail.com, rauji...@gmail.com, syzk...@googlegroups.com, syzkall...@googlegroups.com

syzbot

Aug 31, 2023, 2:43:43 PM
to rauji...@gmail.com, syzkall...@googlegroups.com, syzk...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in truncate_inode_pages_final

INFO: task syz-executor.0:12366 blocked for more than 143 seconds.
Not tainted 6.5.0-syzkaller-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0 state:D stack:0 pid:12366 ppid:6351 flags:0x0000000d
Call trace:
__switch_to+0x320/0x754 arch/arm64/kernel/process.c:556
context_switch kernel/sched/core.c:5381 [inline]
__schedule+0x1364/0x23b4 kernel/sched/core.c:6710
schedule+0xc4/0x170 kernel/sched/core.c:6786
io_schedule+0x8c/0x12c kernel/sched/core.c:9028
folio_wait_bit_common+0x65c/0xb90 mm/filemap.c:1304
__folio_lock mm/filemap.c:1632 [inline]
folio_lock include/linux/pagemap.h:959 [inline]
__filemap_get_folio+0x1e4/0x964 mm/filemap.c:1899
truncate_inode_pages_range+0x444/0xf74 mm/truncate.c:377
truncate_inode_pages mm/truncate.c:449 [inline]
truncate_inode_pages_final+0x90/0xc0 mm/truncate.c:484
ntfs_evict_inode+0x64/0xc0 fs/ntfs3/inode.c:1791
evict+0x260/0x68c fs/inode.c:664
iput_final fs/inode.c:1788 [inline]
iput+0x734/0x818 fs/inode.c:1814
ntfs_fill_super+0x3648/0x3f90 fs/ntfs3/super.c:1420
get_tree_bdev+0x378/0x570 fs/super.c:1318
ntfs_fs_get_tree+0x28/0x38 fs/ntfs3/super.c:1647
vfs_get_tree+0x90/0x274 fs/super.c:1519
do_new_mount+0x25c/0x8c8 fs/namespace.c:3335
path_mount+0x590/0xe04 fs/namespace.c:3662
do_mount fs/namespace.c:3675 [inline]
__do_sys_mount fs/namespace.c:3884 [inline]
__se_sys_mount fs/namespace.c:3861 [inline]
__arm64_sys_mount+0x45c/0x594 fs/namespace.c:3861
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x244 arch/arm64/kernel/syscall.c:139
do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:188
el0_svc+0x4c/0x160 arch/arm64/kernel/entry-common.c:647
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:665
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591

Showing all locks held in the system:
1 lock held by rcu_tasks_kthre/13:
#0: ffff80008e271850 (rcu_tasks.tasks_gp_mutex){+.+.}-{3:3}, at: rcu_tasks_one_gp+0x44/0xcf4 kernel/rcu/tasks.h:522
1 lock held by rcu_tasks_trace/14:
#0: ffff80008e271c10 (rcu_tasks_trace.tasks_gp_mutex){+.+.}-{3:3}, at: rcu_tasks_one_gp+0x44/0xcf4 kernel/rcu/tasks.h:522
1 lock held by khungtaskd/28:
#0: ffff80008e271680 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0xc/0x44 include/linux/rcupdate.h:302
1 lock held by udevd/5608:
2 locks held by getty/5753:
#0: ffff0000c1925098 (&tty->ldisc_sem){++++}-{0:0}, at: ldsem_down_read+0x3c/0x4c drivers/tty/tty_ldsem.c:340
#1: ffff8000959122f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x414/0x1214 drivers/tty/n_tty.c:2187
1 lock held by syz-executor.1/6360:
#0: ffff80008e276cb8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:293 [inline]
#0: ffff80008e276cb8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x3ac/0x728 kernel/rcu/tree_exp.h:992
1 lock held by syz-executor.2/6372:
#0: ffff80008e276cb8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:325 [inline]
#0: ffff80008e276cb8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x37c/0x728 kernel/rcu/tree_exp.h:992
1 lock held by syz-executor.0/12366:
#0: ffff0000e3cfe0e0 (&type->s_umount_key#49/1){+.+.}-{3:3}, at: alloc_super+0x1b4/0x80c fs/super.c:228
1 lock held by syz-executor.3/15674:
#0: ffff0001b41ea998 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested kernel/sched/core.c:558 [inline]
#0: ffff0001b41ea998 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock kernel/sched/sched.h:1366 [inline]
#0: ffff0001b41ea998 (&rq->__lock){-.-.}-{2:2}, at: rq_lock kernel/sched/sched.h:1675 [inline]
#0: ffff0001b41ea998 (&rq->__lock){-.-.}-{2:2}, at: __schedule+0x2d8/0x23b4 kernel/sched/core.c:6627
2 locks held by syz-executor.0/15680:

=============================================



Tested on:

commit: 2dde18cd Linux 6.5
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git v6.5
console output: https://syzkaller.appspot.com/x/log.txt?x=147d6567a80000
kernel config: https://syzkaller.appspot.com/x/.config?x=7abc21298dbfa4d
dashboard link: https://syzkaller.appspot.com/bug?extid=e295147e14b474e4ad70
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=10c16a77a80000
