syzbot

INFO: task syz-executor:8193 blocked for more than 143 seconds.
      Not tainted 6.15.0-rc5-syzkaller-00043-gd76bb1ebb558 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor    state:D stack:21752 pid:8193  tgid:8193  ppid:1      task_flags:0x400140 flags:0x00004006
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5382 [inline]
 __schedule+0x168f/0x4c70 kernel/sched/core.c:6767
 __schedule_loop kernel/sched/core.c:6845 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6860
 bch2_fs_read_only+0xbcf/0x14a0 fs/bcachefs/super.c:344
 __bch2_fs_stop+0x106/0x5a0 fs/bcachefs/super.c:623
 generic_shutdown_super+0x132/0x2c0 fs/super.c:642
 bch2_kill_sb+0x41/0x50 fs/bcachefs/fs.c:2625
 deactivate_locked_super+0xb9/0x130 fs/super.c:473
 cleanup_mnt+0x425/0x4c0 fs/namespace.c:1435
 task_work_run+0x1d1/0x260 kernel/task_work.c:227
 resume_user_mode_work+0x5e/0x80 include/linux/resume_user_mode.h:50
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x9a/0x120 kernel/entry/common.c:218
 do_syscall_64+0x103/0x210 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f89e198fc97
RSP: 002b:00007ffc806512d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007f89e1a1089d RCX: 00007f89e198fc97
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007ffc80651390
RBP: 00007ffc80651390 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007ffc80652420
R13: 00007f89e1a1089d R14: 000000000004945b R15: 00007ffc80652460
 </TASK>
INFO: task bch-reclaim/loo:8998 blocked for more than 144 seconds.
      Not tainted 6.15.0-rc5-syzkaller-00043-gd76bb1ebb558 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:bch-reclaim/loo state:D stack:26856 pid:8998  tgid:8998  ppid:2      task_flags:0x200840 flags:0x00004000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5382 [inline]
 __schedule+0x168f/0x4c70 kernel/sched/core.c:6767
 __schedule_loop kernel/sched/core.c:6845 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6860
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6917
 __mutex_lock_common kernel/locking/mutex.c:678 [inline]
 __mutex_lock+0x724/0xe80 kernel/locking/mutex.c:746
 btree_write_buffer_flush_seq+0x1829/0x19a0 fs/bcachefs/btree_write_buffer.c:569
 bch2_btree_write_buffer_journal_flush+0x69/0xb0 fs/bcachefs/btree_write_buffer.c:586
 journal_flush_pins+0x8e0/0xe90 fs/bcachefs/journal_reclaim.c:592
 __bch2_journal_reclaim+0x781/0xd10 fs/bcachefs/journal_reclaim.c:723
 bch2_journal_reclaim_thread+0x177/0x4f0 fs/bcachefs/journal_reclaim.c:765
 kthread+0x70e/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Showing all locks held in the system:
1 lock held by pool_workqueue_/3:
 #0: ffffffff8df41338 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock kernel/rcu/tree_exp.h:336 [inline]
 #0: ffffffff8df41338 (rcu_state.exp_mutex){+.+.}-{4:4}, at: synchronize_rcu_expedited+0x3b7/0x730 kernel/rcu/tree_exp.h:998
1 lock held by khungtaskd/31:
 #0: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6764
3 locks held by kworker/u8:5/84:
 #0: ffff8880b88399d8 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2a/0x140 kernel/sched/core.c:605
 #1: ffff8880b8823b08 (&per_cpu_ptr(group->pcpu, cpu)->seq){-.-.}-{0:0}, at: psi_task_switch+0x39e/0x6d0 kernel/sched/psi.c:987
 #2: ffff8880b8825558 (&base->lock){-.-.}-{2:2}, at: __mod_timer+0x8ee/0xf30 kernel/time/timer.c:1159
3 locks held by kworker/u8:8/3030:
2 locks held by getty/5582:
 #0: ffff8880338920a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: ffffc900036cb2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x43e/0x1400 drivers/tty/n_tty.c:2222
5 locks held by kworker/u9:5/5835:
 #0: ffff888056e8c148 ((wq_completion)hci2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline]
 #0: ffff888056e8c148 ((wq_completion)hci2){+.+.}-{0:0}, at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319
 #1: ffffc9000421fc60 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline]
 #1: ffffc9000421fc60 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319
 #2: ffff88807ed8cd80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x1d4/0x3a0 net/bluetooth/hci_sync.c:331
 #3: ffff88807ed8c078 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x1f6/0xdd0 net/bluetooth/hci_sync.c:5597
 #4: ffffffff8df41338 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock kernel/rcu/tree_exp.h:336 [inline]
 #4: ffffffff8df41338 (rcu_state.exp_mutex){+.+.}-{4:4}, at: synchronize_rcu_expedited+0x3b7/0x730 kernel/rcu/tree_exp.h:998
2 locks held by syz-executor/8193:
 #0: ffff88802694a0e0 (&type->s_umount_key#63){++++}-{4:4}, at: __super_lock fs/super.c:56 [inline]
 #0: ffff88802694a0e0 (&type->s_umount_key#63){++++}-{4:4}, at: __super_lock_excl fs/super.c:71 [inline]
 #0: ffff88802694a0e0 (&type->s_umount_key#63){++++}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:505
 #1: ffff888060700278 (&c->state_lock){++++}-{4:4}, at: __bch2_fs_stop+0xfe/0x5a0 fs/bcachefs/super.c:622
3 locks held by bch-reclaim/loo/8998:
 #0: ffff88806074ad28 (&j->reclaim_lock){+.+.}-{4:4}, at: bch2_journal_reclaim_thread+0x16b/0x4f0 fs/bcachefs/journal_reclaim.c:764
 #1: ffff888060704228 (&c->btree_trans_barrier){.+.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:161 [inline]
 #1: ffff888060704228 (&c->btree_trans_barrier){.+.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:253 [inline]
 #1: ffff888060704228 (&c->btree_trans_barrier){.+.+}-{0:0}, at: __bch2_trans_get+0x806/0xda0 fs/bcachefs/btree_iter.c:3385
 #2: ffff8880607045d0 (&wb->flushing.lock){+.+.}-{4:4}, at: btree_write_buffer_flush_seq+0x1829/0x19a0 fs/bcachefs/btree_write_buffer.c:569
3 locks held by bch-copygc/loop/8999:
 #0: ffff8880607045d0 (&wb->flushing.lock){+.+.}-{4:4}, at: bch2_btree_write_buffer_flush_nocheck_rw fs/bcachefs/btree_write_buffer.c:620 [inline]
 #0: ffff8880607045d0 (&wb->flushing.lock){+.+.}-{4:4}, at: bch2_btree_write_buffer_tryflush+0x130/0x1a0 fs/bcachefs/btree_write_buffer.c:635
 #1: ffff888060704228 (&c->btree_trans_barrier){.+.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:161 [inline]
 #1: ffff888060704228 (&c->btree_trans_barrier){.+.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:253 [inline]
 #1: ffff888060704228 (&c->btree_trans_barrier){.+.+}-{0:0}, at: bch2_trans_srcu_lock+0xaf/0x220 fs/bcachefs/btree_iter.c:3202
 #2: ffff888060726590 (&c->gc_lock){.+.+}-{4:4}, at: bch2_btree_update_start+0x68f/0x14c0 fs/bcachefs/btree_update_interior.c:1179
1 lock held by syz.3.564/11008:
 #0: ffff88802694a0e0 (&type->s_umount_key#63){++++}-{4:4}, at: __super_lock fs/super.c:58 [inline]
 #0: ffff88802694a0e0 (&type->s_umount_key#63){++++}-{4:4}, at: super_lock+0x2a9/0x3b0 fs/super.c:120
2 locks held by syz.0.610/11532:
 #0: ffff888040800940 (&c->sb_lock){+.+.}-{4:4}, at: bch2_fs_alloc fs/bcachefs/super.c:823 [inline]
 #0: ffff888040800940 (&c->sb_lock){+.+.}-{4:4}, at: bch2_fs_open+0x12e6/0x2820 fs/bcachefs/super.c:2205
 #1: ffff888040804860 (&c->mark_lock){++++}-{0:0}, at: bch2_sb_replicas_to_cpu_replicas+0x117/0x1a0 fs/bcachefs/replicas.c:600
2 locks held by syz.1.608/11534:
 #0: ffff888042a00940 (&c->sb_lock){+.+.}-{4:4}, at: bch2_fs_alloc fs/bcachefs/super.c:823 [inline]
 #0: ffff888042a00940 (&c->sb_lock){+.+.}-{4:4}, at: bch2_fs_open+0x12e6/0x2820 fs/bcachefs/super.c:2205
 #1: ffff888042a04860 (&c->mark_lock){++++}-{0:0}, at: bch2_sb_replicas_to_cpu_replicas+0x117/0x1a0 fs/bcachefs/replicas.c:600
1 lock held by dhcpcd-run-hook/11557:

=============================================

NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 31 Comm: khungtaskd Not tainted 6.15.0-rc5-syzkaller-00043-gd76bb1ebb558 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/29/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x39e/0x3d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:158 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:274 [inline]
 watchdog+0xfee/0x1030 kernel/hung_task.c:437
 kthread+0x70e/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 8618 Comm: udevd Not tainted 6.15.0-rc5-syzkaller-00043-gd76bb1ebb558 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/29/2025
RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:26 [inline]
RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:109 [inline]
RIP: 0010:check_preemption_disabled+0x59/0x120 lib/smp_processor_id.c:19
Code: 8b 0d 2b ee 22 07 48 3b 4c 24 08 0f 85 cc 00 00 00 48 83 c4 10 5b 41 5e 41 5f 5d c3 cc cc cc cc cc 48 c7 04 24 00 00 00 00 9c <8f> 04 24 f7 04 24 00 02 00 00 74 c8 65 4c 8b 3c 25 08 20 72 92 41
RSP: 0018:ffffc90003f6f848 EFLAGS: 00000046
RAX: 0000000000000000 RBX: ffffffff8b519782 RCX: 0000000080000000
RDX: 0000000000000000 RSI: ffffffff8d787884 RDI: ffffffff8bc0fe60
RBP: ffffc90003f6f958 R08: ffffc90003f6f9e7 R09: 0000000000000000
R10: ffffc90003f6f9c0 R11: fffff520007edf3d R12: dffffc0000000000
R13: ffff88803119e240 R14: 0000000000000a06 R15: 1ffff920007edf18
FS:  00007f5df562b880(0000) GS:ffff8881260fe000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5df5604000 CR3: 00000000756cc000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 lockdep_hardirqs_off+0xab/0x110 kernel/locking/lockdep.c:4496
 trace_hardirqs_off+0x12/0x40 kernel/trace/trace_preemptirq.c:104
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
 _raw_spin_lock_irqsave+0x82/0xf0 kernel/locking/spinlock.c:162
 __debug_check_no_obj_freed lib/debugobjects.c:1088 [inline]
 debug_check_no_obj_freed+0x17a/0x470 lib/debugobjects.c:1129
 slab_free_hook mm/slub.c:2311 [inline]
 slab_free mm/slub.c:4642 [inline]
 kmem_cache_free+0x116/0x3f0 mm/slub.c:4744
 remove_vma mm/vma.c:430 [inline]
 vms_complete_munmap_vmas+0x626/0x8a0 mm/vma.c:1249
 do_vmi_align_munmap+0x358/0x420 mm/vma.c:1492
 do_vmi_munmap+0x253/0x2e0 mm/vma.c:1540
 __vm_munmap+0x23b/0x3d0 mm/vma.c:3013
 __do_sys_munmap mm/mmap.c:1084 [inline]
 __se_sys_munmap mm/mmap.c:1081 [inline]
 __x64_sys_munmap+0x60/0x70 mm/mmap.c:1081
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5df4f1e097
Code: 73 01 c3 48 8b 0d 61 2d 0d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 0b 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 31 2d 0d 00 f7 d8 64 89 01 48
RSP: 002b:00007fff182b13c8 EFLAGS: 00000246 ORIG_RAX: 000000000000000b
RAX: ffffffffffffffda RBX: 0000556c7a396160 RCX: 00007f5df4f1e097
RDX: 0000556c7a396b38 RSI: 0000000000001400 RDI: 00007f5df5613000
RBP: 0000556c7a388c90 R08: 0000556c7a383600 R09: 0000000000000003
R10: 0000556c7a388c80 R11: 0000000000000246 R12: 00007f5df57507c0
R13: 00007f5df575239c R14: 0000000000000022 R15: 0000000000000001
 </TASK>