syzbot

INFO: task syz.0.17:6035 blocked for more than 143 seconds.
      Not tainted 6.16.0-rc5-syzkaller-00053-g8c2e52ebbe88 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.17        state:D stack:17544 pid:6035  tgid:6034  ppid:5974   task_flags:0x440140 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 __schedule_loop kernel/sched/core.c:6868 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6883
 __bch2_two_state_lock+0x1ea/0x370 fs/bcachefs/two_state_shared_lock.c:7
 bch2_two_state_lock fs/bcachefs/two_state_shared_lock.h:55 [inline]
 bch2_readahead+0x94f/0x1100 fs/bcachefs/fs-io-buffered.c:296
 read_pages+0x17a/0x580 mm/readahead.c:160
 page_cache_ra_order+0xa81/0xc70 mm/readahead.c:515
 filemap_get_pages+0x43c/0x1ea0 mm/filemap.c:2602
 filemap_splice_read+0x4fc/0xbc0 mm/filemap.c:2990
 do_splice_read fs/splice.c:979 [inline]
 splice_direct_to_actor+0x4a9/0xcc0 fs/splice.c:1083
 do_splice_direct_actor fs/splice.c:1201 [inline]
 do_splice_direct+0x181/0x270 fs/splice.c:1227
 vfs_copy_file_range+0xabc/0x1310 fs/read_write.c:1627
 __do_sys_copy_file_range fs/read_write.c:1677 [inline]
 __se_sys_copy_file_range+0x2fb/0x470 fs/read_write.c:1644
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fedf798e929
RSP: 002b:00007fedf87aa038 EFLAGS: 00000246 ORIG_RAX: 0000000000000146
RAX: ffffffffffffffda RBX: 00007fedf7bb5fa0 RCX: 00007fedf798e929
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000006
RBP: 00007fedf7a10b39 R08: 0000000000008001 R09: 0700000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fedf7bb5fa0 R15: 00007ffe298cad58
 </TASK>
INFO: task syz.0.17:6046 blocked for more than 143 seconds.
      Not tainted 6.16.0-rc5-syzkaller-00053-g8c2e52ebbe88 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.17        state:D stack:27208 pid:6046  tgid:6034  ppid:5974   task_flags:0x400140 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 __schedule_loop kernel/sched/core.c:6868 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6883
 io_schedule+0x81/0xe0 kernel/sched/core.c:7728
 folio_wait_bit_common+0x6b0/0xb90 mm/filemap.c:1317
 folio_lock include/linux/pagemap.h:1114 [inline]
 invalidate_inode_pages2_range+0x557/0xa80 mm/truncate.c:690
 bch2_write_invalidate_inode_pages_range+0xc5/0x110 fs/bcachefs/fs-io-pagecache.c:68
 bch2_remap_file_range+0x56f/0xd10 fs/bcachefs/fs-io.c:920
 vfs_copy_file_range+0xd56/0x1310 fs/read_write.c:1591
 __do_sys_copy_file_range fs/read_write.c:1677 [inline]
 __se_sys_copy_file_range+0x2fb/0x470 fs/read_write.c:1644
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fedf798e929
RSP: 002b:00007fedf8789038 EFLAGS: 00000246 ORIG_RAX: 0000000000000146
RAX: ffffffffffffffda RBX: 00007fedf7bb6080 RCX: 00007fedf798e929
RDX: 0000000000000008 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007fedf7a10b39 R08: fffffbffa003e45b R09: 0700000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fedf7bb6080 R15: 00007ffe298cad58
 </TASK>

Showing all locks held in the system:
1 lock held by khungtaskd/31:
 #0: ffffffff8e13f160 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8e13f160 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8e13f160 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6770
1 lock held by klogd/5199:
 #0: ffff8880b8739e18 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2a/0x140 kernel/sched/core.c:606
2 locks held by getty/5606:
 #0: ffff88814c7340a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: ffffc9000332e2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x43e/0x1400 drivers/tty/n_tty.c:2222
1 lock held by syz.0.17/6035:
 #0: ffff8880330b8a80 (mapping.invalidate_lock#3){.+.+}-{4:4}, at: filemap_invalidate_lock_shared include/linux/fs.h:934 [inline]
 #0: ffff8880330b8a80 (mapping.invalidate_lock#3){.+.+}-{4:4}, at: page_cache_ra_order+0x445/0xc70 mm/readahead.c:491
3 locks held by syz.0.17/6046:
 #0: ffff8880346b6428 (sb_writers#12){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:3096 [inline]
 #0: ffff8880346b6428 (sb_writers#12){.+.+}-{0:0}, at: vfs_copy_file_range+0x916/0x1310 fs/read_write.c:1579
 #1: ffff8880330b8148 (&sb->s_type->i_mutex_key#20){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:869 [inline]
 #1: ffff8880330b8148 (&sb->s_type->i_mutex_key#20){+.+.}-{4:4}, at: lock_two_nondirectories+0xe7/0x180 fs/inode.c:1233
 #2: ffff8880330b88e0 (&sb->s_type->i_mutex_key#20/4){+.+.}-{4:4}, at: bch2_remap_file_range+0x2b0/0xd10 fs/bcachefs/fs-io.c:906
1 lock held by syz.1.59/6576:
 #0: ffff8880770ab810 (mapping.invalidate_lock#3){.+.+}-{4:4}, at: filemap_invalidate_lock_shared include/linux/fs.h:934 [inline]
 #0: ffff8880770ab810 (mapping.invalidate_lock#3){.+.+}-{4:4}, at: page_cache_ra_order+0x445/0xc70 mm/readahead.c:491
3 locks held by syz.1.59/6587:
 #0: ffff88807b25e428 (sb_writers#12){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:3096 [inline]
 #0: ffff88807b25e428 (sb_writers#12){.+.+}-{0:0}, at: vfs_copy_file_range+0x916/0x1310 fs/read_write.c:1579
 #1: ffff8880770ab670 (&sb->s_type->i_mutex_key#20){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:869 [inline]
 #1: ffff8880770ab670 (&sb->s_type->i_mutex_key#20){+.+.}-{4:4}, at: lock_two_nondirectories+0xe7/0x180 fs/inode.c:1233
 #2: ffff8880770abe08 (&sb->s_type->i_mutex_key#20/4){+.+.}-{4:4}, at: bch2_remap_file_range+0x2b0/0xd10 fs/bcachefs/fs-io.c:906
1 lock held by syz.2.81/6872:
 #0: ffff8880736f65a0 (mapping.invalidate_lock#3){.+.+}-{4:4}, at: filemap_invalidate_lock_shared include/linux/fs.h:934 [inline]
 #0: ffff8880736f65a0 (mapping.invalidate_lock#3){.+.+}-{4:4}, at: page_cache_ra_order+0x445/0xc70 mm/readahead.c:491
3 locks held by syz.2.81/6883:
 #0: ffff88807c3fa428 (sb_writers#12){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:3096 [inline]
 #0: ffff88807c3fa428 (sb_writers#12){.+.+}-{0:0}, at: vfs_copy_file_range+0x916/0x1310 fs/read_write.c:1579
 #1: ffff8880330bb670 (&sb->s_type->i_mutex_key#20){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:869 [inline]
 #1: ffff8880330bb670 (&sb->s_type->i_mutex_key#20){+.+.}-{4:4}, at: lock_two_nondirectories+0xe7/0x180 fs/inode.c:1233
 #2: ffff8880736f6400 (&sb->s_type->i_mutex_key#20/4){+.+.}-{4:4}, at: bch2_remap_file_range+0x2b0/0xd10 fs/bcachefs/fs-io.c:906
1 lock held by syz.3.121/7387:
 #0: ffff8880770aa8e0 (mapping.invalidate_lock#3){.+.+}-{4:4}, at: filemap_invalidate_lock_shared include/linux/fs.h:934 [inline]
 #0: ffff8880770aa8e0 (mapping.invalidate_lock#3){.+.+}-{4:4}, at: page_cache_ra_order+0x445/0xc70 mm/readahead.c:491
3 locks held by syz.3.121/7398:
 #0: ffff88807a900428 (sb_writers#12){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:3096 [inline]
 #0: ffff88807a900428 (sb_writers#12){.+.+}-{0:0}, at: vfs_copy_file_range+0x916/0x1310 fs/read_write.c:1579
 #1: ffff8880770aa740 (&sb->s_type->i_mutex_key#20){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:869 [inline]
 #1: ffff8880770aa740 (&sb->s_type->i_mutex_key#20){+.+.}-{4:4}, at: lock_two_nondirectories+0xe7/0x180 fs/inode.c:1233
 #2: ffff8880770aaed8 (&sb->s_type->i_mutex_key#20/4){+.+.}-{4:4}, at: bch2_remap_file_range+0x2b0/0xd10 fs/bcachefs/fs-io.c:906

=============================================

NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 31 Comm: khungtaskd Not tainted 6.16.0-rc5-syzkaller-00053-g8c2e52ebbe88 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x39e/0x3d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:158 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:307 [inline]
 watchdog+0xfee/0x1030 kernel/hung_task.c:470
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.16.0-rc5-syzkaller-00053-g8c2e52ebbe88 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:pv_native_safe_halt+0x13/0x20 arch/x86/kernel/paravirt.c:82
Code: cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 93 3d 20 00 f3 0f 1e fa fb f4 <e9> 88 dd 02 00 cc cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffffff8de07d80 EFLAGS: 000002c6
RAX: 09d36b177e00fc00 RBX: ffffffff81975b68 RCX: 09d36b177e00fc00
RDX: 0000000000000001 RSI: ffffffff8d984d62 RDI: ffffffff8be1ca40
RBP: ffffffff8de07ea8 R08: ffff8880b8632f5b R09: 1ffff110170c65eb
R10: dffffc0000000000 R11: ffffed10170c65ec R12: ffffffff8fa0c5f0
R13: 0000000000000000 R14: 0000000000000000 R15: 1ffffffff1bd2a50
FS:  0000000000000000(0000) GS:ffff888125c4f000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fba1d180700 CR3: 0000000076ba4000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
 default_idle+0x13/0x20 arch/x86/kernel/process.c:749
 default_idle_call+0x74/0xb0 kernel/sched/idle.c:117
 cpuidle_idle_call kernel/sched/idle.c:185 [inline]
 do_idle+0x1e8/0x510 kernel/sched/idle.c:325
 cpu_startup_entry+0x44/0x60 kernel/sched/idle.c:423
 rest_init+0x2de/0x300 init/main.c:745
 start_kernel+0x47d/0x500 init/main.c:1102
 x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:307
 x86_64_start_kernel+0x143/0x1c0 arch/x86/kernel/head64.c:288
 common_startup_64+0x13e/0x147
 </TASK>