syzbot

INFO: task syz.5.1081:9008 blocked for more than 143 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.5.1081      state:D stack:27344 pid: 9008 ppid:  4404 flags:0x00004000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5049 [inline]
 __schedule+0x11ef/0x43c0 kernel/sched/core.c:6395
 schedule+0x11b/0x1e0 kernel/sched/core.c:6478
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6537
 __mutex_lock_common+0xcfc/0x2400 kernel/locking/mutex.c:669
 __mutex_lock kernel/locking/mutex.c:729 [inline]
 mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:743
 io_uring_del_tctx_node+0xe8/0x2c0 io_uring/io_uring.c:9825
 io_uring_clean_tctx io_uring/io_uring.c:9841 [inline]
 io_uring_cancel_generic+0x5b6/0x810 io_uring/io_uring.c:9921
 io_uring_files_cancel include/linux/io_uring.h:16 [inline]
 do_exit+0x252/0x20c0 kernel/exit.c:829
 do_group_exit+0x12e/0x300 kernel/exit.c:997
 get_signal+0x6ca/0x12c0 kernel/signal.c:2900
 arch_do_signal_or_restart+0xe7/0x12c0 arch/x86/kernel/signal.c:867
 handle_signal_work kernel/entry/common.c:154 [inline]
 exit_to_user_mode_loop+0x9e/0x130 kernel/entry/common.c:178
 exit_to_user_mode_prepare+0xee/0x180 kernel/entry/common.c:214
 __syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline]
 syscall_exit_to_user_mode+0x16/0x40 kernel/entry/common.c:307
 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fd658976f79
RSP: 002b:00007fd656bb00e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fd658bf1098 RCX: 00007fd658976f79
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fd658bf1098
RBP: 00007fd658bf1090 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fd658bf1128 R14: 00007ffddccce040 R15: 00007ffddccce128
 </TASK>

Showing all locks held in the system:
1 lock held by khungtaskd/27:
 #0: ffffffff8c31eaa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x0/0x30
1 lock held by udevd/3560:
2 locks held by getty/3945:
 #0: ffff88802c8a7098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x21/0x70 drivers/tty/tty_ldisc.c:252
 #1: ffffc900025ce2e8 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x5df/0x1a70 drivers/tty/n_tty.c:2158
2 locks held by kworker/1:7/4341:
 #0: ffff888016c72138 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_one_work+0x761/0x1010 kernel/workqueue.c:-1
 #1: ffffc900030efd00 ((work_completion)(&rew.rew_work)){+.+.}-{0:0}, at: process_one_work+0x79f/0x1010 kernel/workqueue.c:2285
1 lock held by syz.5.1081/9007:
1 lock held by syz.5.1081/9008:
 #0: ffff88807508e0a8 (&ctx->uring_lock){+.+.}-{3:3}, at: io_uring_del_tctx_node+0xe8/0x2c0 io_uring/io_uring.c:9825
2 locks held by syz.7.1546/11056:
2 locks held by syz.8.1599/11297:
 #0: ffffffff8d43c748 (rtnl_mutex){+.+.}-{3:3}, at: tun_detach drivers/net/tun.c:699 [inline]
 #0: ffffffff8d43c748 (rtnl_mutex){+.+.}-{3:3}, at: tun_chr_close+0x3d/0x1b0 drivers/net/tun.c:3440
 #1: ffffffff8c323528 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:290 [inline]
 #1: ffffffff8c323528 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x2d1/0x750 kernel/rcu/tree_exp.h:845

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 27 Comm: khungtaskd Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0x188/0x250 lib/dump_stack.c:106
 nmi_cpu_backtrace+0x3a2/0x3d0 lib/nmi_backtrace.c:111
 nmi_trigger_cpumask_backtrace+0x163/0x280 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:148 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:212 [inline]
 watchdog+0xe0f/0xe50 kernel/hung_task.c:369
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 4341 Comm: kworker/1:7 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Workqueue: events bpf_prog_free_deferred
RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:27 [inline]
RIP: 0010:preempt_count_sub+0x33/0x160 kernel/sched/core.c:5536
Code: fc ff df 48 c7 c0 80 8f 2d 96 48 c1 e8 03 0f b6 04 18 84 c0 0f 85 bd 00 00 00 83 3d 36 2d db 14 00 75 25 65 8b 05 75 0d b0 7e <89> c1 81 e1 ff ff ff 7f 39 cf 7f 25 81 ff ff 00 00 00 0f 93 c1 84
RSP: 0018:ffffc900030ef3f0 EFLAGS: 00000246
RAX: 0000000080000003 RBX: dffffc0000000000 RCX: ffffffff962d8f03
RDX: ffffc900030ef501 RSI: ffffc900030ef7d0 RDI: 0000000000000001
RBP: ffffc900030ef510 R08: ffffc900030ef527 R09: ffffc900030ef518
R10: dffffc0000000000 R11: fffff5200061dea5 R12: ffffc900030e8000
R13: dffffc0000000000 R14: ffffc900030ef4d8 R15: ffffc900030ef7e0
FS:  0000000000000000(0000) GS:ffff8880b9100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000560f57486fa8 CR3: 000000002ae2b000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000001800
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 unwind_next_frame+0x1296/0x1d90 arch/x86/kernel/unwind_orc.c:616
 arch_stack_walk+0x10c/0x140 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0xa6/0xf0 kernel/stacktrace.c:122
 save_stack+0x121/0x230 mm/page_owner.c:119
 __reset_page_owner+0x51/0x180 mm/page_owner.c:140
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare mm/page_alloc.c:1391 [inline]
 free_unref_page_prepare+0x637/0x6c0 mm/page_alloc.c:3317
 free_unref_page+0x8f/0x2a0 mm/page_alloc.c:3396
 kasan_depopulate_vmalloc_pte+0x67/0x80 mm/kasan/shadow.c:375
 apply_to_pte_range mm/memory.c:2573 [inline]
 apply_to_pmd_range mm/memory.c:2617 [inline]
 apply_to_pud_range mm/memory.c:2653 [inline]
 apply_to_p4d_range mm/memory.c:2689 [inline]
 __apply_to_page_range+0x983/0xd10 mm/memory.c:2725
 kasan_release_vmalloc+0x93/0xb0 mm/kasan/shadow.c:485
 __purge_vmap_area_lazy+0xafc/0x1950 mm/vmalloc.c:1711
 _vm_unmap_aliases+0x410/0x4a0 mm/vmalloc.c:2114
 vm_remove_mappings mm/vmalloc.c:2591 [inline]
 __vunmap+0x71d/0xa50 mm/vmalloc.c:2618
 bpf_jit_binary_free kernel/bpf/core.c:918 [inline]
 bpf_jit_free+0x92/0x180 kernel/bpf/core.c:931
 process_one_work+0x85f/0x1010 kernel/workqueue.c:2310
 worker_thread+0xaa6/0x1290 kernel/workqueue.c:2457
 kthread+0x436/0x520 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>