syzbot

INFO: task syz.0.940:10735 blocked for more than 143 seconds.
      Tainted: G             L      syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.940       state:D stack:28136 pid:10735 tgid:10731 ppid:5634   task_flags:0x400140 flags:0x00080002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5388 [inline]
 __schedule+0x1295/0x67a0 kernel/sched/core.c:7189
 __schedule_loop kernel/sched/core.c:7268 [inline]
 schedule+0xdd/0x390 kernel/sched/core.c:7283
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7340
 __mutex_lock_common kernel/locking/mutex.c:726 [inline]
 __mutex_lock+0xced/0x1b10 kernel/locking/mutex.c:820
 nfsd_nl_listener_get_doit+0x13e/0x7b0 fs/nfsd/nfsctl.c:2098
 genl_family_rcv_msg_doit+0x214/0x300 net/netlink/genetlink.c:1114
 genl_family_rcv_msg net/netlink/genetlink.c:1194 [inline]
 genl_rcv_msg+0x560/0x800 net/netlink/genetlink.c:1209
 netlink_rcv_skb+0x159/0x420 net/netlink/af_netlink.c:2555
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1218
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x585/0x850 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x8b0/0xda0 net/netlink/af_netlink.c:1899
 sock_sendmsg_nosec net/socket.c:787 [inline]
 __sock_sendmsg net/socket.c:802 [inline]
 ____sys_sendmsg+0x9e1/0xb70 net/socket.c:2698
 ___sys_sendmsg+0x190/0x1e0 net/socket.c:2752
 __sys_sendmsg+0x170/0x220 net/socket.c:2784
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x115/0x840 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc26419ce59
RSP: 002b:00007fc2650d4028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fc264416090 RCX: 00007fc26419ce59
RDX: 0000000020010090 RSI: 0000200000000380 RDI: 0000000000000004
RBP: 00007fc264232d6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fc264416128 R14: 00007fc264416090 R15: 00007ffe09153578
 </TASK>

Showing all locks held in the system:
1 lock held by khungtaskd/31:
 #0: ffffffff8e7e53e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:300 [inline]
 #0: ffffffff8e7e53e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
 #0: ffffffff8e7e53e0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x3d/0x184 kernel/locking/lockdep.c:6775
4 locks held by kworker/u9:3/5639:
 #0: ffff888035215140 ((wq_completion)hci9){+.+.}-{0:0}, at: process_one_work+0x12d6/0x1980 kernel/workqueue.c:3289
 #1: ffffc9000419fd08 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x973/0x1980 kernel/workqueue.c:3290
 #2: ffff888053e68ea0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x18a/0x470 net/bluetooth/hci_sync.c:331
 #3: ffff888053e680b8 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x141/0xb20 net/bluetooth/hci_sync.c:5759
3 locks held by kworker/0:4/5727:
 #0: ffff88813fe57140 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x12d6/0x1980 kernel/workqueue.c:3289
 #1: ffffc9000450fd08 ((fqdir_free_work).work){+.+.}-{0:0}, at: process_one_work+0x973/0x1980 kernel/workqueue.c:3290
 #2: ffffffff8e7f0df8 (rcu_state.barrier_mutex){+.+.}-{4:4}, at: rcu_barrier+0x48/0x6d0 kernel/rcu/tree.c:3828
4 locks held by kworker/u8:11/6352:
 #0: ffff8880b843b420 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested kernel/sched/core.c:660 [inline]
 #0: ffff8880b843b420 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x88/0x140 kernel/sched/core.c:644
 #1: ffff88805e4a6008 (&____s->seqcount#15){.-.-}-{0:0}, at: trace_find_filtered_pid kernel/trace/trace_pid.c:15 [inline]
 #1: ffff88805e4a6008 (&____s->seqcount#15){.-.-}-{0:0}, at: trace_ignore_this_task+0xbc/0x100 kernel/trace/trace_pid.c:44
 #2: ffff8880b8426358 (&base->lock){-.-.}-{2:2}, at: __mod_timer+0x6e7/0xca0 kernel/time/timer.c:1117
 #3: ffffffff9b36c450 (&obj_hash[i].lock){-.-.}-{2:2}, at: debug_object_activate+0x144/0x490 lib/debugobjects.c:845
2 locks held by syz-executor/7510:
 #0: ffff88807a6040d8 (&type->s_umount_key#55){+.+.}-{4:4}, at: __super_lock fs/super.c:58 [inline]
 #0: ffff88807a6040d8 (&type->s_umount_key#55){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:73 [inline]
 #0: ffff88807a6040d8 (&type->s_umount_key#55){+.+.}-{4:4}, at: deactivate_super fs/super.c:508 [inline]
 #0: ffff88807a6040d8 (&type->s_umount_key#55){+.+.}-{4:4}, at: deactivate_super+0xdf/0x110 fs/super.c:505
 #1: ffffffff8ec62260 (nfsd_mutex){+.+.}-{4:4}, at: nfsd_shutdown_threads+0x5b/0xf0 fs/nfsd/nfssvc.c:576
2 locks held by kworker/u8:28/8882:
 #0: ffff88801f3bf140 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_one_work+0x12d6/0x1980 kernel/workqueue.c:3289
 #1: ffffc90006a17d08 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x973/0x1980 kernel/workqueue.c:3290
3 locks held by kworker/u8:30/8884:
 #0: ffff88801c6a6140 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x12d6/0x1980 kernel/workqueue.c:3289
 #1: ffffc900069afd08 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x973/0x1980 kernel/workqueue.c:3290
 #2: ffffffff8e7f0df8 (rcu_state.barrier_mutex){+.+.}-{4:4}, at: rcu_barrier+0x48/0x6d0 kernel/rcu/tree.c:3828
2 locks held by syz.0.940/10735:
 #0: ffffffff906b4748 (cb_lock){++++}-{4:4}, at: genl_rcv+0x19/0x40 net/netlink/genetlink.c:1217
 #1: ffffffff8ec62260 (nfsd_mutex){+.+.}-{4:4}, at: nfsd_nl_listener_get_doit+0x13e/0x7b0 fs/nfsd/nfsctl.c:2098
2 locks held by syz.2.941/10734:
 #0: ffffffff906b4748 (cb_lock){++++}-{4:4}, at: genl_rcv+0x19/0x40 net/netlink/genetlink.c:1217
 #1: ffffffff8ec62260 (nfsd_mutex){+.+.}-{4:4}, at: nfsd_nl_threads_set_doit+0x8c8/0x1100 fs/nfsd/nfsctl.c:1644
2 locks held by syz-executor/11009:
 #0: ffff888053bba0d8 (&type->s_umount_key#55){+.+.}-{4:4}, at: __super_lock fs/super.c:58 [inline]
 #0: ffff888053bba0d8 (&type->s_umount_key#55){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:73 [inline]
 #0: ffff888053bba0d8 (&type->s_umount_key#55){+.+.}-{4:4}, at: deactivate_super fs/super.c:508 [inline]
 #0: ffff888053bba0d8 (&type->s_umount_key#55){+.+.}-{4:4}, at: deactivate_super+0xdf/0x110 fs/super.c:505
 #1: ffffffff8ec62260 (nfsd_mutex){+.+.}-{4:4}, at: nfsd_shutdown_threads+0x5b/0xf0 fs/nfsd/nfssvc.c:576
2 locks held by syz-executor/11011:
 #0: ffff88802ac940d8 (&type->s_umount_key#55){+.+.}-{4:4}, at: __super_lock fs/super.c:58 [inline]
 #0: ffff88802ac940d8 (&type->s_umount_key#55){+.+.}-{4:4}, at: __super_lock_excl fs/super.c:73 [inline]
 #0: ffff88802ac940d8 (&type->s_umount_key#55){+.+.}-{4:4}, at: deactivate_super fs/super.c:508 [inline]
 #0: ffff88802ac940d8 (&type->s_umount_key#55){+.+.}-{4:4}, at: deactivate_super+0xdf/0x110 fs/super.c:505
 #1: ffffffff8ec62260 (nfsd_mutex){+.+.}-{4:4}, at: nfsd_shutdown_threads+0x5b/0xf0 fs/nfsd/nfssvc.c:576
3 locks held by syz.1.1270/12384:
 #0: ffff88802be7a630 (&f->f_pos_lock){+.+.}-{4:4}, at: fdget_pos+0x2aa/0x380 fs/file.c:1261
 #1: ffff888026960410 (sb_writers#3){.+.+}-{0:0}, at: do_writev+0x13e/0x340 fs/read_write.c:1105
 #2: ffffffff8ec62260 (nfsd_mutex){+.+.}-{4:4}, at: expkey_flush+0x18/0x90 fs/nfsd/export.c:261
2 locks held by syz.8.1446/13321:
1 lock held by syz.7.1449/13334:
 #0: ffff888036f11bb8 (&mm->mmap_lock){++++}-{4:4}, at: mmap_write_lock_killable include/linux/mmap_lock.h:554 [inline]
 #0: ffff888036f11bb8 (&mm->mmap_lock){++++}-{4:4}, at: vm_mmap_pgoff+0x1f5/0x470 mm/util.c:579
2 locks held by syz.7.1449/13335:
1 lock held by syz.7.1449/13342:
 #0: ffff88805989c360 (sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1713 [inline]
 #0: ffff88805989c360 (sk_lock-AF_INET){+.+.}-{0:0}, at: sockopt_lock_sock net/core/sock.c:1154 [inline]
 #0: ffff88805989c360 (sk_lock-AF_INET){+.+.}-{0:0}, at: sockopt_lock_sock net/core/sock.c:1145 [inline]
 #0: ffff88805989c360 (sk_lock-AF_INET){+.+.}-{0:0}, at: sk_setsockopt+0x237c/0x5c40 net/core/sock.c:1312
1 lock held by syz.7.1449/13345:
 #0: ffff88805989c360 (sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1713 [inline]
 #0: ffff88805989c360 (sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_recvmsg+0x11d/0x630 net/ipv4/tcp.c:2944
1 lock held by syz.7.1449/13351:
 #0: ffffffff8e7f0f28 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock+0x19e/0x3c0 kernel/rcu/tree_exp.h:343
2 locks held by syz.9.1450/13344:
 #0: ffff88805c2a1f00 (&sb->s_type->i_mutex_key#13){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:1029 [inline]
 #0: ffff88805c2a1f00 (&sb->s_type->i_mutex_key#13){+.+.}-{4:4}, at: __sock_release+0x86/0x260 net/socket.c:721
 #1: ffffffff8e7f0f28 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock+0x19e/0x3c0 kernel/rcu/tree_exp.h:343
1 lock held by syz.9.1450/13346:
 #0: ffff88801db3b1f0 (&sig->exec_update_lock){++++}-{4:4}, at: landlock_restrict_sibling_threads+0x1ea/0x1490 security/landlock/tsync.c:493

=============================================

NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 31 Comm: khungtaskd Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 nmi_cpu_backtrace.cold+0x12d/0x151 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x1d7/0x230 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
 __sys_info lib/sys_info.c:157 [inline]
 sys_info+0x141/0x190 lib/sys_info.c:165
 check_hung_uninterruptible_tasks kernel/hung_task.c:353 [inline]
 watchdog+0xcb1/0x1030 kernel/hung_task.c:561
 kthread+0x370/0x450 kernel/kthread.c:436
 ret_from_fork+0x72b/0xd50 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 13338 Comm: syz.9.1450 Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0033:0x7f6f2da714c7
Code: 03 14 ef 80 3d 01 69 3a 00 00 49 89 d6 48 89 d3 74 28 25 ff 0f 00 00 83 f0 3d 8d 04 c0 89 c3 c1 eb 04 31 c3 69 db 2d eb d4 27 <89> d8 c1 e8 0f 31 c3 81 e3 ff 0f 00 00 48 31 d3 80 3d 6a 0b 3a 00
RSP: 002b:00007ffe22fa6370 EFLAGS: 00000a83
RAX: 0000000000002934 RBX: 00000000bf65f95b RCX: ffffffff82b754f5
RDX: ffffffff82b753f2 RSI: ffffffff82b754f5 RDI: 00007f6f2d5ff008
RBP: 0000000000002736 R08: 00007f6f2de00000 R09: 00007f6f2de02000
R10: 0000000082b754f9 R11: 0000000000000015 R12: 00007f6f2de16038
R13: 0000000000042392 R14: ffffffff82b753f2 R15: 00007f6f2e945720
FS:  0000555566699500 GS:  0000000000000000