syzbot

INFO: task syz-executor158:8221 blocked for more than 140 seconds.
      Not tainted 4.19.211-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor158 D27400  8221   8138 0x00000004
Call Trace:
 context_switch kernel/sched/core.c:2828 [inline]
 __schedule+0x887/0x2040 kernel/sched/core.c:3517
 schedule+0x8d/0x1b0 kernel/sched/core.c:3561
 schedule_timeout+0x92d/0xfe0 kernel/time/timer.c:1794
 do_wait_for_common kernel/sched/completion.c:83 [inline]
 __wait_for_common kernel/sched/completion.c:104 [inline]
 wait_for_common+0x29c/0x470 kernel/sched/completion.c:115
 __flush_work+0x4bb/0x8b0 kernel/workqueue.c:2926
 __cancel_work_timer+0x412/0x590 kernel/workqueue.c:3013
 p9_conn_destroy net/9p/trans_fd.c:899 [inline]
 p9_fd_close+0x29c/0x520 net/9p/trans_fd.c:934
 p9_client_create+0x901/0x12e0 net/9p/client.c:1084
 v9fs_session_init+0x1dd/0x1770 fs/9p/v9fs.c:421
 v9fs_mount+0x73/0x910 fs/9p/vfs_super.c:135
 mount_fs+0xa3/0x310 fs/super.c:1261
 vfs_kern_mount.part.0+0x68/0x470 fs/namespace.c:961
 vfs_kern_mount fs/namespace.c:951 [inline]
 do_new_mount fs/namespace.c:2492 [inline]
 do_mount+0x115c/0x2f50 fs/namespace.c:2822
 ksys_mount+0xcf/0x130 fs/namespace.c:3038
 __do_sys_mount fs/namespace.c:3052 [inline]
 __se_sys_mount fs/namespace.c:3049 [inline]
 __x64_sys_mount+0xba/0x150 fs/namespace.c:3049
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f3351de8359
Code: Bad RIP value.
RSP: 002b:00007f3351d74278 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f3351e6d4f0 RCX: 00007f3351de8359
RDX: 0000000020000080 RSI: 0000000020000300 RDI: 0000000000000000
RBP: 00007f3351e3a0bc R08: 0000000020000740 R09: 65732f636f72702f
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3351d74280
R13: 7277732f7665642f R14: 64663d736e617274 R15: 00007f3351e6d4f8

Showing all locks held in the system:
2 locks held by kworker/0:1/14:
 #0: 00000000e305f09a ((wq_completion)"events"){+.+.}, at: process_one_work+0x767/0x1570 kernel/workqueue.c:2124
 #1: 000000003e9ac0c2 ((work_completion)(&m->rq)){+.+.}, at: process_one_work+0x79c/0x1570 kernel/workqueue.c:2128
1 lock held by khungtaskd/1570:
 #0: 00000000eca63a1d (rcu_read_lock){....}, at: debug_show_all_locks+0x53/0x265 kernel/locking/lockdep.c:4441
1 lock held by in:imklog/7824:
 #0: 0000000040d68714 (&f->f_pos_lock){+.+.}, at: __fdget_pos+0x26f/0x310 fs/file.c:767

=============================================

NMI backtrace for cpu 1
CPU: 1 PID: 1570 Comm: khungtaskd Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
 nmi_cpu_backtrace.cold+0x63/0xa2 lib/nmi_backtrace.c:101
 nmi_trigger_cpumask_backtrace+0x1a6/0x1f0 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:203 [inline]
 watchdog+0x991/0xe60 kernel/hung_task.c:287
 kthread+0x33f/0x460 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 4690 Comm: systemd-journal Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:check_kcov_mode kernel/kcov.c:67 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x14/0x50 kernel/kcov.c:101
Code: 35 00 e9 23 fe ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 48 8b 34 24 65 48 8b 04 25 c0 df 01 00 65 8b 15 cc 59 9f 7e <81> e2 00 01 1f 00 75 2b 8b 90 60 13 00 00 83 fa 02 75 20 48 8b 88
RSP: 0018:ffff8880a139fa28 EFLAGS: 00000246
RAX: ffff8880a1394500 RBX: dffffc0000000000 RCX: ffffffff816c5cc8
RDX: 0000000080000000 RSI: ffffffff816c36e5 RDI: ffffc90001b12072
RBP: ffff8880a139fb00 R08: 0000000000000000 R09: 0000000000000015
R10: 0000000000000006 R11: 0000000000000000 R12: ffffffff886fb460
R13: ffffed1014273f62 R14: ffffc90001b121e0 R15: 0000000040000000
FS:  00007f293b3f08c0(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f29387c9000 CR3: 00000000a1186000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ___bpf_prog_run+0x45/0x4e80 kernel/bpf/core.c:1065
----------------
Code disassembly (best guess), 2 bytes skipped:
   0:	e9 23 fe ff ff       	jmpq   0xfffffe28
   5:	90                   	nop
   6:	90                   	nop
   7:	90                   	nop
   8:	90                   	nop
   9:	90                   	nop
   a:	90                   	nop
   b:	90                   	nop
   c:	90                   	nop
   d:	90                   	nop
   e:	90                   	nop
   f:	90                   	nop
  10:	90                   	nop
  11:	90                   	nop
  12:	90                   	nop
  13:	90                   	nop
  14:	48 8b 34 24          	mov    (%rsp),%rsi
  18:	65 48 8b 04 25 c0 df 	mov    %gs:0x1dfc0,%rax
  1f:	01 00
  21:	65 8b 15 cc 59 9f 7e 	mov    %gs:0x7e9f59cc(%rip),%edx        # 0x7e9f59f4
* 28:	81 e2 00 01 1f 00    	and    $0x1f0100,%edx <-- trapping instruction
  2e:	75 2b                	jne    0x5b
  30:	8b 90 60 13 00 00    	mov    0x1360(%rax),%edx
  36:	83 fa 02             	cmp    $0x2,%edx
  39:	75 20                	jne    0x5b
  3b:	48                   	rex.W
  3c:	8b                   	.byte 0x8b
  3d:	88                   	.byte 0x88