syzbot

 sign-in | mailing list | source | docs
🐞 Open [826]
🐞 Fixed [87]
🐞 Invalid [1187]
Missing Backports [135]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

INFO: task hung in exec_mmap

Status: upstream: reported on 2026/01/09 19:29
Reported-by: syzbot+8cb7b9e5e396cb6449ca@syzkaller.appspotmail.com
First crash: 5d16h, last: 5d16h

Sample crash report:
INFO: task dhcpcd:5862 blocked for more than 143 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:dhcpcd          state:D stack:25128 pid: 5862 ppid:  3852 flags:0x00004002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5049 [inline]
 __schedule+0x11bb/0x4390 kernel/sched/core.c:6395
 schedule+0x11b/0x1e0 kernel/sched/core.c:6478
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6537
 rwsem_down_read_slowpath+0x528/0x990 kernel/locking/rwsem.c:1055
 __down_read_common kernel/locking/rwsem.c:1239 [inline]
 __down_read kernel/locking/rwsem.c:1252 [inline]
 down_read+0x96/0x2e0 kernel/locking/rwsem.c:1500
 mmap_read_lock include/linux/mmap_lock.h:117 [inline]
 exec_mmap+0x174/0x5c0 fs/exec.c:1000
 begin_new_exec+0x7e8/0x1160 fs/exec.c:1293
 load_elf_binary+0x98e/0x2890 fs/binfmt_elf.c:1001
 search_binary_handler fs/exec.c:1742 [inline]
 exec_binprm fs/exec.c:1783 [inline]
 bprm_execve+0xa92/0x17d0 fs/exec.c:1852
 do_execveat_common+0x51e/0x6d0 fs/exec.c:1957
 do_execve fs/exec.c:2027 [inline]
 __do_sys_execve fs/exec.c:2103 [inline]
 __se_sys_execve fs/exec.c:2098 [inline]
 __x64_sys_execve+0x8e/0xa0 fs/exec.c:2098
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fd3c6f97107
RSP: 002b:00007fd3c6e00e68 EFLAGS: 00000202 ORIG_RAX: 000000000000003b
RAX: ffffffffffffffda RBX: 00007ffe697fd1c0 RCX: 00007fd3c6f97107
RDX: 0000560579656e20 RSI: 00007ffe697fd3b0 RDI: 00005605704236bd
RBP: 00007fd3c6e00ff0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000202 R12: 0000000000000001
R13: 00007ffe697fcea0 R14: 00007fd3c6e00f20 R15: 0000000000000040
 </TASK>

Showing all locks held in the system:
1 lock held by khungtaskd/27:
 #0: ffffffff8c11c720 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x0/0x30
1 lock held by klogd/3548:
1 lock held by udevd/3559:
 #0: ffff88807e19f828 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock_killable include/linux/mmap_lock.h:87 [inline]
 #0: ffff88807e19f828 (&mm->mmap_lock){++++}-{3:3}, at: __do_sys_brk mm/mmap.c:204 [inline]
 #0: ffff88807e19f828 (&mm->mmap_lock){++++}-{3:3}, at: __se_sys_brk+0x10b/0x710 mm/mmap.c:194
1 lock held by dhcpcd/3852:
 #0: ffff8880232bdc28 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock_killable include/linux/mmap_lock.h:87 [inline]
 #0: ffff8880232bdc28 (&mm->mmap_lock){++++}-{3:3}, at: __vm_munmap+0xf3/0x230 mm/mmap.c:2949
2 locks held by getty/3948:
 #0: ffff88802bee5098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x21/0x70 drivers/tty/tty_ldisc.c:252
 #1: ffffc90002cf62e8 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x5ba/0x1a30 drivers/tty/n_tty.c:2158
1 lock held by syz-executor/4170:
 #0: ffff88807ab74728 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock_killable include/linux/mmap_lock.h:87 [inline]
 #0: ffff88807ab74728 (&mm->mmap_lock){++++}-{3:3}, at: vm_mmap_pgoff+0x15d/0x2b0 mm/util.c:549
2 locks held by syz-executor/4185:
 #0: ffffffff8c1a68b0 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mmap kernel/fork.c:503 [inline]
 #0: ffffffff8c1a68b0 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mm kernel/fork.c:1466 [inline]
 #0: ffffffff8c1a68b0 (dup_mmap_sem){.+.+}-{0:0}, at: copy_mm+0x21f/0x1380 kernel/fork.c:1518
 #1: ffff88807ab77128 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock_killable include/linux/mmap_lock.h:87 [inline]
 #1: ffff88807ab77128 (&mm->mmap_lock){++++}-{3:3}, at: dup_mmap kernel/fork.c:504 [inline]
 #1: ffff88807ab77128 (&mm->mmap_lock){++++}-{3:3}, at: dup_mm kernel/fork.c:1466 [inline]
 #1: ffff88807ab77128 (&mm->mmap_lock){++++}-{3:3}, at: copy_mm+0x238/0x1380 kernel/fork.c:1518
2 locks held by syz-executor/4187:
 #0: ffffffff8c1a68b0 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mmap kernel/fork.c:503 [inline]
 #0: ffffffff8c1a68b0 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mm kernel/fork.c:1466 [inline]
 #0: ffffffff8c1a68b0 (dup_mmap_sem){.+.+}-{0:0}, at: copy_mm+0x21f/0x1380 kernel/fork.c:1518
 #1: ffff88807e968f28 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock_killable include/linux/mmap_lock.h:87 [inline]
 #1: ffff88807e968f28 (&mm->mmap_lock){++++}-{3:3}, at: dup_mmap kernel/fork.c:504 [inline]
 #1: ffff88807e968f28 (&mm->mmap_lock){++++}-{3:3}, at: dup_mm kernel/fork.c:1466 [inline]
 #1: ffff88807e968f28 (&mm->mmap_lock){++++}-{3:3}, at: copy_mm+0x238/0x1380 kernel/fork.c:1518
2 locks held by kworker/u4:5/4271:
2 locks held by syz-executor/4522:
 #0: ffffffff8c1a68b0 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mmap kernel/fork.c:503 [inline]
 #0: ffffffff8c1a68b0 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mm kernel/fork.c:1466 [inline]
 #0: ffffffff8c1a68b0 (dup_mmap_sem){.+.+}-{0:0}, at: copy_mm+0x21f/0x1380 kernel/fork.c:1518
 #1: ffff88807daeb228 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock_killable include/linux/mmap_lock.h:87 [inline]
 #1: ffff88807daeb228 (&mm->mmap_lock){++++}-{3:3}, at: dup_mmap kernel/fork.c:504 [inline]
 #1: ffff88807daeb228 (&mm->mmap_lock){++++}-{3:3}, at: dup_mm kernel/fork.c:1466 [inline]
 #1: ffff88807daeb228 (&mm->mmap_lock){++++}-{3:3}, at: copy_mm+0x238/0x1380 kernel/fork.c:1518
1 lock held by udevd/4531:
 #0: ffff88807bef9628 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock_killable include/linux/mmap_lock.h:87 [inline]
 #0: ffff88807bef9628 (&mm->mmap_lock){++++}-{3:3}, at: __vm_munmap+0xf3/0x230 mm/mmap.c:2949
2 locks held by syz-executor/4605:
 #0: ffffffff8c1a68b0 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mmap kernel/fork.c:503 [inline]
 #0: ffffffff8c1a68b0 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mm kernel/fork.c:1466 [inline]
 #0: ffffffff8c1a68b0 (dup_mmap_sem){.+.+}-{0:0}, at: copy_mm+0x21f/0x1380 kernel/fork.c:1518
 #1: ffff88807ec56328 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock_killable include/linux/mmap_lock.h:87 [inline]
 #1: ffff88807ec56328 (&mm->mmap_lock){++++}-{3:3}, at: dup_mmap kernel/fork.c:504 [inline]
 #1: ffff88807ec56328 (&mm->mmap_lock){++++}-{3:3}, at: dup_mm kernel/fork.c:1466 [inline]
 #1: ffff88807ec56328 (&mm->mmap_lock){++++}-{3:3}, at: copy_mm+0x238/0x1380 kernel/fork.c:1518
1 lock held by udevd/5023:
 #0: ffff8880232bf828 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock_killable include/linux/mmap_lock.h:87 [inline]
 #0: ffff8880232bf828 (&mm->mmap_lock){++++}-{3:3}, at: __vm_munmap+0xf3/0x230 mm/mmap.c:2949
3 locks held by dhcpcd/5862:
 #0: ffff888026082c40 (&sig->cred_guard_mutex){+.+.}-{3:3}, at: prepare_bprm_creds fs/exec.c:1479 [inline]
 #0: ffff888026082c40 (&sig->cred_guard_mutex){+.+.}-{3:3}, at: bprm_execve+0xc4/0x17d0 fs/exec.c:1820
 #1: ffff888026082cd8 (&sig->exec_update_lock){++++}-{3:3}, at: exec_mmap+0xf0/0x5c0 fs/exec.c:989
 #2: ffff8880232bdc28 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:117 [inline]
 #2: ffff8880232bdc28 (&mm->mmap_lock){++++}-{3:3}, at: exec_mmap+0x174/0x5c0 fs/exec.c:1000

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 27 Comm: khungtaskd Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
 nmi_cpu_backtrace+0x397/0x3d0 lib/nmi_backtrace.c:111
 nmi_trigger_cpumask_backtrace+0x163/0x280 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:148 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:212 [inline]
 watchdog+0xe0f/0xe50 kernel/hung_task.c:369
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 3548 Comm: klogd Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:free_pages_prepare mm/page_alloc.c:1349 [inline]
RIP: 0010:free_pcp_prepare mm/page_alloc.c:1391 [inline]
RIP: 0010:free_unref_page_prepare+0x23a/0x6c0 mm/page_alloc.c:3317
Code: 00 00 83 fd 40 0f 83 77 03 00 00 44 89 f9 49 d3 e5 4c 89 e7 4c 89 ee e8 d4 7b aa ff 4c 89 e7 4c 89 ee e8 59 0c 2d 02 41 b5 01 <83> fd 20 0f 83 93 03 00 00 41 bc 01 00 00 00 89 e9 41 d3 e4 0f 1f
RSP: 0018:ffffc900010df458 EFLAGS: 00000292
RAX: 87533c27fe874d00 RBX: ffffea00011c3e00 RCX: ffffffff8c1f1000
RDX: dffffc0000000000 RSI: 0000000000008000 RDI: ffff8880470f8000
RBP: 0000000000000003 R08: dffffc0000000000 R09: ffffed10030ea5fb
R10: ffffed10030ea5fb R11: 1ffff110030ea5fa R12: ffff8880470f8000
R13: 0000000000008001 R14: 00000000000470f8 R15: 0000000000000003
FS:  00007f77dfb46c80(0000) GS:ffff8880b9100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f454d368218 CR3: 000000002aec6000 CR4: 00000000003526e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 free_unref_page+0x94/0x280 mm/page_alloc.c:3396
 free_slab mm/slub.c:2020 [inline]
 discard_slab mm/slub.c:2026 [inline]
 __unfreeze_partials+0x1a5/0x200 mm/slub.c:2512
 put_cpu_partial+0x12d/0x190 mm/slub.c:2592
 qlist_free_all+0x35/0x90 mm/kasan/quarantine.c:176
 kasan_quarantine_reduce+0x150/0x160 mm/kasan/quarantine.c:283
 ____kasan_kmalloc mm/kasan/common.c:479 [inline]
 __kasan_kmalloc+0x2f/0xf0 mm/kasan/common.c:522
 kmalloc_reserve net/core/skbuff.c:356 [inline]
 __alloc_skb+0x22c/0x750 net/core/skbuff.c:427
 alloc_skb include/linux/skbuff.h:1162 [inline]
 alloc_skb_with_frags+0xa7/0x730 net/core/skbuff.c:6170
 sock_alloc_send_pskb+0x853/0x980 net/core/sock.c:2536
 unix_dgram_sendmsg+0x5ef/0x1890 net/unix/af_unix.c:1809
 sock_sendmsg_nosec net/socket.c:706 [inline]
 __sock_sendmsg net/socket.c:718 [inline]
 __sys_sendto+0x423/0x580 net/socket.c:2073
 __do_sys_sendto net/socket.c:2085 [inline]
 __se_sys_sendto net/socket.c:2081 [inline]
 __x64_sys_sendto+0xda/0xf0 net/socket.c:2081
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f77dfc96407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007fffd139b2c0 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f77dfb46c80 RCX: 00007f77dfc96407
RDX: 000000000000005e RSI: 00007fffd139b400 RDI: 0000000000000003
RBP: 00007fffd139b830 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000004000 R11: 0000000000000202 R12: 00007fffd139b848
R13: 00007fffd139b400 R14: 0000000000000043 R15: 00007fffd139b400
 </TASK>

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/01/09 19:28 linux-5.15.y 68efe5a6c16a d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-5-15-kasan INFO: task hung in exec_mmap
* Struck through repros no longer work on HEAD.