syzbot

INFO: task syz.5.1680:11668 blocked for more than 143 seconds.
      Tainted: G             L      syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.5.1680      state:D stack:25464 pid:11668 tgid:11665 ppid:7666   task_flags:0x400040 flags:0x00080006
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5260 [inline]
 __schedule+0x1522/0x51d0 kernel/sched/core.c:6867
 __schedule_loop kernel/sched/core.c:6949 [inline]
 schedule+0x164/0x360 kernel/sched/core.c:6964
 schedule_timeout+0xc3/0x2c0 kernel/time/sleep_timeout.c:75
 ___down_common kernel/locking/semaphore.c:268 [inline]
 __down_common+0x321/0x6a0 kernel/locking/semaphore.c:293
 down+0x80/0xd0 kernel/locking/semaphore.c:100
 console_lock+0x58/0x90 kernel/printk/printk.c:2843
 class_console_lock_constructor include/linux/console.h:737 [inline]
 con_install+0x97/0x770 drivers/tty/vt/vt.c:3647
 tty_driver_install_tty drivers/tty/tty_io.c:1295 [inline]
 tty_init_dev+0xd7/0x4d0 drivers/tty/tty_io.c:1407
 tty_open_by_driver drivers/tty/tty_io.c:2073 [inline]
 tty_open+0x862/0xd70 drivers/tty/tty_io.c:2120
 chrdev_open+0x4cd/0x5e0 fs/char_dev.c:414
 do_dentry_open+0x7ce/0x1420 fs/open.c:962
 vfs_open+0x3b/0x340 fs/open.c:1094
 do_open fs/namei.c:4637 [inline]
 path_openat+0x3486/0x3e20 fs/namei.c:4796
 do_filp_open+0x22d/0x490 fs/namei.c:4823
 do_sys_openat2+0x12f/0x220 fs/open.c:1430
 do_sys_open fs/open.c:1436 [inline]
 __do_sys_openat fs/open.c:1452 [inline]
 __se_sys_openat fs/open.c:1447 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1447
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0ad355b84e
RSP: 002b:00007f0ad43ecb28 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f0ad43ed6c0 RCX: 00007f0ad355b84e
RDX: 0000000000000002 RSI: 00007f0ad43ecc00 RDI: ffffffffffffff9c
RBP: 00007f0ad36316e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f0ad3816128 R14: 00007f0ad3816090 R15: 00007f0ad393fa48
 </TASK>

Showing all locks held in the system:
1 lock held by ksoftirqd/0/15:
3 locks held by kworker/1:0/24:
 #0: ffff88813fe55948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3232 [inline]
 #0: ffff88813fe55948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9d4/0x17a0 kernel/workqueue.c:3340
 #1: ffffc900001e7bc0 ((work_completion)(&data->fib_event_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3233 [inline]
 #1: ffffc900001e7bc0 ((work_completion)(&data->fib_event_work)){+.+.}-{0:0}, at: process_scheduled_works+0xa0f/0x17a0 kernel/workqueue.c:3340
 #2: ffff888044373240 (&data->fib_lock){+.+.}-{4:4}, at: nsim_fib_event_work+0x202/0x3d0 drivers/net/netdevsim/fib.c:1490
1 lock held by khungtaskd/31:
 #0: ffffffff8e55a360 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8e55a360 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
 #0: ffffffff8e55a360 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6775
7 locks held by kworker/1:2/797:
2 locks held by getty/5585:
 #0: ffff88814d92b0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: ffffc9000332b2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x45c/0x13c0 drivers/tty/n_tty.c:2211
6 locks held by syz.7.1622/11402:
2 locks held by syz.2.1659/11574:
2 locks held by syz.5.1680/11668:
 #0: ffffffff8edd7cc8 (tty_mutex){+.+.}-{4:4}, at: tty_open_by_driver drivers/tty/tty_io.c:2037 [inline]
 #0: ffffffff8edd7cc8 (tty_mutex){+.+.}-{4:4}, at: tty_open+0x22d/0xd70 drivers/tty/tty_io.c:2120
 #1: ffff8880596661c0 (&tty->legacy_mutex){+.+.}-{4:4}, at: tty_init_dev+0x74/0x4d0 drivers/tty/tty_io.c:1406
1 lock held by syz.8.1707/11872:
 #0: ffffffff8edd7cc8 (tty_mutex){+.+.}-{4:4}, at: class_mutex_constructor include/linux/mutex.h:253 [inline]
 #0: ffffffff8edd7cc8 (tty_mutex){+.+.}-{4:4}, at: ptmx_open+0x108/0x340 drivers/tty/pty.c:798
1 lock held by syz.9.1739/12082:
 #0: ffffffff8edd7cc8 (tty_mutex){+.+.}-{4:4}, at: class_mutex_constructor include/linux/mutex.h:253 [inline]
 #0: ffffffff8edd7cc8 (tty_mutex){+.+.}-{4:4}, at: ptmx_open+0x108/0x340 drivers/tty/pty.c:798
1 lock held by syz.4.1814/12630:
 #0: ffffffff8edd7cc8 (tty_mutex){+.+.}-{4:4}, at: tty_open_by_driver drivers/tty/tty_io.c:2037 [inline]
 #0: ffffffff8edd7cc8 (tty_mutex){+.+.}-{4:4}, at: tty_open+0x22d/0xd70 drivers/tty/tty_io.c:2120
1 lock held by syz.7.1843/12787:
 #0: ffffffff8edd7cc8 (tty_mutex){+.+.}-{4:4}, at: tty_open_by_driver drivers/tty/tty_io.c:2037 [inline]
 #0: ffffffff8edd7cc8 (tty_mutex){+.+.}-{4:4}, at: tty_open+0x22d/0xd70 drivers/tty/tty_io.c:2120
1 lock held by syz.2.1863/12950:
 #0: ffffffff8edd7cc8 (tty_mutex){+.+.}-{4:4}, at: tty_open_by_driver drivers/tty/tty_io.c:2037 [inline]
 #0: ffffffff8edd7cc8 (tty_mutex){+.+.}-{4:4}, at: tty_open+0x22d/0xd70 drivers/tty/tty_io.c:2120
1 lock held by syz.6.1884/13105:
 #0: ffffffff8edd7cc8 (tty_mutex){+.+.}-{4:4}, at: tty_open_by_driver drivers/tty/tty_io.c:2037 [inline]
 #0: ffffffff8edd7cc8 (tty_mutex){+.+.}-{4:4}, at: tty_open+0x22d/0xd70 drivers/tty/tty_io.c:2120
4 locks held by syz-executor/13319:
1 lock held by syz.9.1899/13476:
1 lock held by dhcpcd-run-hook/13482:
 #0: ffff88807ba17068 (&pipe->mutex){+.+.}-{4:4}, at: anon_pipe_read+0xd84/0x10a0 fs/pipe.c:392
1 lock held by syz.8.1922/13488:
 #0: ffff888043610340 (&mm->mmap_lock){++++}-{4:4}, at: mmap_write_lock_killable include/linux/mmap_lock.h:353 [inline]
 #0: ffff888043610340 (&mm->mmap_lock){++++}-{4:4}, at: vm_mmap_pgoff+0x234/0x4f0 mm/util.c:579
1 lock held by syz.8.1922/13492:
1 lock held by dhcpcd-run-hook/13493:

=============================================

NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 31 Comm: khungtaskd Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x274/0x2d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:161 [inline]
 __sys_info lib/sys_info.c:157 [inline]
 sys_info+0x135/0x170 lib/sys_info.c:165
 check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
 watchdog+0xf90/0xfe0 kernel/hung_task.c:515
 kthread+0x726/0x8b0 kernel/kthread.c:463
 ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 13493 Comm: dhcpcd-run-hook Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
RIP: 0010:__orc_find arch/x86/kernel/unwind_orc.c:110 [inline]
RIP: 0010:orc_find arch/x86/kernel/unwind_orc.c:238 [inline]
RIP: 0010:unwind_next_frame+0x2ca/0x23c0 arch/x86/kernel/unwind_orc.c:510
Code: 4a 8d 1c 82 48 83 c3 fc 49 89 d5 48 39 da 0f 86 21 02 00 00 49 29 d5 49 c1 fd 02 4a 8d 04 6d 00 00 00 00 4c 01 e8 48 8d 14 46 <48> bd 00 00 00 00 00 fc ff df e9 8f 01 00 00 31 db e9 cf 17 00 00
RSP: 0018:ffffc9000b76f758 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffffffff90069be0 RCX: ffffffff90069be4
RDX: ffffffff90819332 RSI: ffffffff90819332 RDI: ffffffff8c073aa0
RBP: ffffffff90069be4 R08: 0000000000000007 R09: ffffffff8e55a360
R10: ffffc9000b76f8d8 R11: fffff520016edf1d R12: ffffffff816c2472
R13: 0000000000000000 R14: ffffc9000b76f888 R15: ffffffff90069be0
FS:  0000000000000000(0000) GS:ffff8881256f3000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00002000002c6030 CR3: 0000000030b60000 CR4: 00000000003526f0
DR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000083
DR3: ffffffffefffff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __unwind_start+0x5b8/0x760 arch/x86/kernel/unwind_orc.c:773
 unwind_start arch/x86/include/asm/unwind.h:64 [inline]
 arch_stack_walk+0xe3/0x150 arch/x86/kernel/stacktrace.c:24
 stack_trace_save+0xa9/0x100 kernel/stacktrace.c:122
 kasan_save_stack+0x3e/0x60 mm/kasan/common.c:57
 kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:556
 slab_free_hook mm/slub.c:2501 [inline]
 slab_free mm/slub.c:6674 [inline]
 kmem_cache_free+0x46e/0x610 mm/slub.c:6789
 task_work_run+0x1d9/0x270 kernel/task_work.c:233
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x69b/0x2310 kernel/exit.c:971
 do_group_exit+0x21b/0x2d0 kernel/exit.c:1112
 __do_sys_exit_group kernel/exit.c:1123 [inline]
 __se_sys_exit_group kernel/exit.c:1121 [inline]
 __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1121
 x64_sys_call+0x2210/0x2210 arch/x86/include/generated/asm/syscalls_64.h:232
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f835e8c76c5
Code: Unable to access opcode bytes at 0x7f835e8c769b.
RSP: 002b:00007fff4c9cc468 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007fff4c9cc704 RCX: 00007f835e8c76c5
RDX: 00000000000000e7 RSI: ffffffffffffff88 RDI: 0000000000000000
RBP: 0000000000000003 R08: 00007fff4c9cc560 R09: 0000000000000002
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 00007fff4c9cc7a0 R14: 00007f835ead7000 R15: 0000556dc0b75d98
 </TASK>