syzbot


INFO: task hung in quotactl

Status: auto-obsoleted due to no activity on 2026/03/30 20:39
Subsystems: fs
First crash: 213d, last: 120d
Similar bugs (1)
Kernel Title Rank Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream INFO: task hung in sys_quotactl fs 1 7 584d 628d 0/29 auto-obsoleted due to no activity on 2024/12/21 16:50

Sample crash report:
INFO: task syz.0.117:6573 blocked for more than 143 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.117       state:D stack:25496 pid:6573  tgid:6572  ppid:5801   task_flags:0x400140 flags:0x00080002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5256 [inline]
 __schedule+0x145f/0x5070 kernel/sched/core.c:6863
 __schedule_loop kernel/sched/core.c:6945 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6960
 percpu_rwsem_wait+0x2e6/0x330 kernel/locking/percpu-rwsem.c:164
 __percpu_down_read+0xfc/0x140 kernel/locking/percpu-rwsem.c:180
 percpu_down_read_internal include/linux/percpu-rwsem.h:67 [inline]
 percpu_down_read_freezable include/linux/percpu-rwsem.h:83 [inline]
 __sb_start_write include/linux/fs/super.h:19 [inline]
 sb_start_write include/linux/fs/super.h:125 [inline]
 quotactl_block fs/quota/quota.c:899 [inline]
 __do_sys_quotactl fs/quota/quota.c:955 [inline]
 __se_sys_quotactl+0x83c/0x950 fs/quota/quota.c:917
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcec88af749
RSP: 002b:00007fcec6b16038 EFLAGS: 00000246 ORIG_RAX: 00000000000000b3
RAX: ffffffffffffffda RBX: 00007fcec8b05fa0 RCX: 00007fcec88af749
RDX: 0000000000000000 RSI: 0000200000000080 RDI: ffffffff80000800
RBP: 00007fcec8933f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000200000000100 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fcec8b06038 R14: 00007fcec8b05fa0 R15: 00007ffdd5374638
 </TASK>
INFO: task syz.0.117:6583 blocked for more than 143 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.117       state:D stack:28088 pid:6583  tgid:6572  ppid:5801   task_flags:0x400140 flags:0x00080002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5256 [inline]
 __schedule+0x145f/0x5070 kernel/sched/core.c:6863
 __schedule_loop kernel/sched/core.c:6945 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6960
 percpu_rwsem_wait+0x2e6/0x330 kernel/locking/percpu-rwsem.c:164
 __percpu_down_read+0xfc/0x140 kernel/locking/percpu-rwsem.c:180
 percpu_down_read_internal include/linux/percpu-rwsem.h:67 [inline]
 percpu_down_read_freezable include/linux/percpu-rwsem.h:83 [inline]
 __sb_start_write include/linux/fs/super.h:19 [inline]
 sb_start_write+0x18e/0x1c0 include/linux/fs/super.h:125
 mnt_want_write_file+0x63/0x210 fs/namespace.c:543
 ioctl_setflags+0x131/0x1e0 fs/file_attr.c:332
 do_vfs_ioctl+0x8f0/0x1440 fs/ioctl.c:560
 __do_sys_ioctl fs/ioctl.c:595 [inline]
 __se_sys_ioctl+0x82/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcec88af749
RSP: 002b:00007fcec6ad4038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fcec8b06180 RCX: 00007fcec88af749
RDX: 00002000000001c0 RSI: 0000000040086602 RDI: 0000000000000006
RBP: 00007fcec8933f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fcec8b06218 R14: 00007fcec8b06180 R15: 00007ffdd5374638
 </TASK>

Showing all locks held in the system:
1 lock held by khungtaskd/38:
 #0: ffffffff8d5ae940 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8d5ae940 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
 #0: ffffffff8d5ae940 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6775
3 locks held by kworker/u8:3/50:
 #0: ffff88814d260938 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3232 [inline]
 #0: ffff88814d260938 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x1770 kernel/workqueue.c:3340
 #1: ffffc90000bc7bc0 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3233 [inline]
 #1: ffffc90000bc7bc0 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x1770 kernel/workqueue.c:3340
 #2: ffffffff8e8a5838 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
 #2: ffffffff8e8a5838 (rtnl_mutex){+.+.}-{4:4}, at: addrconf_dad_work+0x119/0x15a0 net/ipv6/addrconf.c:4194
3 locks held by kworker/u8:4/68:
 #0: ffff888144abd138 ((wq_completion)cfg80211){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3232 [inline]
 #0: ffff888144abd138 ((wq_completion)cfg80211){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x1770 kernel/workqueue.c:3340
 #1: ffffc9000153fbc0 ((work_completion)(&(&rdev->dfs_update_channels_wk)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3233 [inline]
 #1: ffffc9000153fbc0 ((work_completion)(&(&rdev->dfs_update_channels_wk)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x1770 kernel/workqueue.c:3340
 #2: ffffffff8e8a5838 (rtnl_mutex){+.+.}-{4:4}, at: cfg80211_dfs_channels_update_work+0xc4/0x650 net/wireless/mlme.c:1040
2 locks held by getty/5560:
 #0: ffff888034f150a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: ffffc90003e8b2e0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x44f/0x1460 drivers/tty/n_tty.c:2211
3 locks held by syz-executor/5799:
4 locks held by kworker/u8:21/6433:
 #0: ffff888019ad4938 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3232 [inline]
 #0: ffff888019ad4938 ((wq_completion)netns){+.+.}-{0:0}, at: process_scheduled_works+0x9b4/0x1770 kernel/workqueue.c:3340
 #1: ffffc9000d6f7bc0 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3233 [inline]
 #1: ffffc9000d6f7bc0 (net_cleanup_work){+.+.}-{0:0}, at: process_scheduled_works+0x9ef/0x1770 kernel/workqueue.c:3340
 #2: ffffffff8e898720 (pernet_ops_rwsem){++++}-{4:4}, at: cleanup_net+0xf7/0x7b0 net/core/net_namespace.c:670
 #3: ffffffff8e8a5838 (rtnl_mutex){+.+.}-{4:4}, at: wiphy_unregister+0x244/0xab0 net/wireless/core.c:1180
1 lock held by syz.0.117/6573:
 #0: ffff88802a11a480 (sb_writers#21){++++}-{0:0}, at: do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 #0: ffff88802a11a480 (sb_writers#21){++++}-{0:0}, at: do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
1 lock held by syz.0.117/6583:
 #0: ffff88802a11a480 (sb_writers#21){++++}-{0:0}, at: mnt_want_write_file+0x63/0x210 fs/namespace.c:543
2 locks held by syz-executor/7527:
 #0: ffffffff8dffb608 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8dffb608 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
 #0: ffffffff8dffb608 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8e8a5838 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8e8a5838 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8e8a5838 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8ec/0x1c90 net/core/rtnetlink.c:4071
2 locks held by syz-executor/7553:
 #0: ffffffff8e021d88 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8e021d88 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
 #0: ffffffff8e021d88 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8e8a5838 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8e8a5838 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8e8a5838 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8ec/0x1c90 net/core/rtnetlink.c:4071
2 locks held by syz-executor/7557:
 #0: ffffffff8e021d88 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8e021d88 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
 #0: ffffffff8e021d88 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8e8a5838 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8e8a5838 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8e8a5838 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8ec/0x1c90 net/core/rtnetlink.c:4071
2 locks held by syz-executor/7560:
 #0: ffffffff8e021d88 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8e021d88 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
 #0: ffffffff8e021d88 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8e8a5838 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8e8a5838 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8e8a5838 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8ec/0x1c90 net/core/rtnetlink.c:4071
1 lock held by syz-executor/7633:
 #0: ffffffff8e8a5838 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
 #0: ffffffff8e8a5838 (rtnl_mutex){+.+.}-{4:4}, at: inet6_rtm_newaddr+0x5b7/0xd20 net/ipv6/addrconf.c:5027
1 lock held by dhcpcd-run-hook/7693:

=============================================

NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 38 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x274/0x2d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
 __sys_info lib/sys_info.c:157 [inline]
 sys_info+0x135/0x170 lib/sys_info.c:165
 check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
 watchdog+0xf95/0xfe0 kernel/hung_task.c:515
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 7705 Comm: dhcpcd-run-hook Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:check_wait_context kernel/locking/lockdep.c:-1 [inline]
RIP: 0010:__lock_acquire+0x592/0x2cf0 kernel/locking/lockdep.c:5187
Code: c9 0f b6 81 c4 00 00 00 84 c0 0f 84 77 ff ff ff 41 0f b6 f4 0f b6 d0 40 38 c6 0f 42 d6 80 b9 c6 00 00 00 02 0f 84 60 ff ff ff <89> d0 e9 59 ff ff ff 48 c7 c7 d0 e2 47 8d 4c 89 fe e8 d8 fb 19 03
RSP: 0000:ffffc90003b376b8 EFLAGS: 00000093
RAX: 0000000000000003 RBX: ffff888028cf0c00 RCX: ffffffff925bbc28
RDX: 0000000000000003 RSI: 0000000000000003 RDI: 0000000000000000
RBP: ffff888028cf0c80 R08: ffffffff8228d04a R09: ffffffff8d5aea00
R10: dffffc0000000000 R11: fffff940000819b1 R12: 0000000000000003
R13: ffff888028cf0c80 R14: ffff888028cf0000 R15: 0000000000000002
FS:  00007f1b7dfffc80(0000) GS:ffff888126def000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1b7e1b29e0 CR3: 000000003b074000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 lock_acquire+0x107/0x340 kernel/locking/lockdep.c:5868
 rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 rcu_read_lock_sched include/linux/rcupdate.h:958 [inline]
 pfn_valid+0xd6/0x490 include/linux/mmzone.h:2183
 page_table_check_set+0x25/0x610 mm/page_table_check.c:105
 page_table_check_ptes_set include/linux/page_table_check.h:76 [inline]
 set_ptes include/linux/pgtable.h:292 [inline]
 set_pte_range+0x848/0x8a0 mm/memory.c:5483
 filemap_map_order0_folio mm/filemap.c:3856 [inline]
 filemap_map_pages+0xd00/0x1cc0 mm/filemap.c:3921
 do_fault_around mm/memory.c:5713 [inline]
 do_read_fault mm/memory.c:5746 [inline]
 do_fault mm/memory.c:5889 [inline]
 do_pte_missing+0x175b/0x27a0 mm/memory.c:4401
 handle_pte_fault mm/memory.c:6273 [inline]
 __handle_mm_fault mm/memory.c:6411 [inline]
 handle_mm_fault+0xcc1/0x1330 mm/memory.c:6580
 do_user_addr_fault+0xa7c/0x1380 arch/x86/mm/fault.c:1336
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x71/0xd0 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
RIP: 0033:0x7f1b7e1b29e0
Code: dc 0e 00 48 89 54 24 08 e8 5d d2 f9 ff 48 8b 54 24 08 ff 12 eb b3 48 8d 3d ad dc 0e 00 e8 98 d1 f9 ff eb b6 66 0f 1f 44 00 00 <41> 57 89 f1 49 89 d7 41 56 41 89 fe 41 55 41 54 55 53 31 db 48 83
RSP: 002b:00007ffe97e241a8 EFLAGS: 00010246
RAX: 00007f1b7dffff40 RBX: 0000000000000000 RCX: 00007f1b7e107f07
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 00007f1b7dfffc80 R08: 00007f1b7e29ab60 R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000246 R12: 00007f1b7e3a9b10
R13: 0000000000000000 R14: 0000000000000000 R15: 00007f1b7e3a9b10
 </TASK>

Crashes (5):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2025/12/30 20:37 upstream dbf8fe85a16a d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs INFO: task hung in quotactl
2025/12/28 18:40 upstream d26143bb38e2 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs INFO: task hung in quotactl
2025/12/24 21:44 upstream ccd1cdca5cd4 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs INFO: task hung in quotactl
2025/10/18 08:34 upstream cf1ea8854e4f 1c8c8cd8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs INFO: task hung in quotactl
2025/09/29 06:38 upstream 8f9736633f8c 001c9061 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs INFO: task hung in quotactl
* Struck through repros no longer work on HEAD.