program: pipe(&(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000000)=@newqdisc={0x3c, 0x24, 0x0, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, {}, {}, {0x0, 0x5}}, [@qdisc_kind_options=@q_cake={{0x9}, {0xc, 0x2, [@TCA_CAKE_MPU={0x8}]}}]}, 0x3c}}, 0x0) sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000240)={&(0x7f0000000000)=ANY=[@ANYBLOB="4800000010001fff752b056800080000faff8141", @ANYRES32=0x0, @ANYBLOB="67a9fde500000000280012800a00010076786c616e"], 0x3}}, 0x40000) r1 = socket$inet_udp(0x2, 0x2, 0x0) close(r1) r2 = socket$inet6_sctp(0xa, 0x1, 0x84) sendmmsg$inet6(r2, &(0x7f0000000780)=[{{&(0x7f0000000200)={0xa, 0x0, 0x0, @private0={0xfc, 0x0, '\x00', 0x1}, 0x5}, 0x1c, &(0x7f0000000a00)=[{&(0x7f0000000080)=':', 0x1}], 0x1}}], 0x1, 0x40088d5) shutdown(r2, 0x1) getsockopt$inet_sctp6_SCTP_PR_ASSOC_STATUS(r2, 0x84, 0x83, &(0x7f0000000100)={0x0, 0x0, 0x10, 0x8, 0x4}, &(0x7f0000000140)=0x18) r3 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_CREATE(r3, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000004c0)={&(0x7f00000003c0)=ANY=[@ANYBLOB="cc00000002060101000000000000200001000000120003056269746d61703a69702c6d616300000005000400000000000900020073797a31000000002000078005001400060000000c00018008000140000000000800064000000004050005000200000005000100060000000900020073797a320000000044000780050014000000000008001340000000060800174000000100080009400000d52f080009400000000008000840000000c8080017400000000305001500f500000005000100070000000500050003000000"], 0xcc}}, 0x40000) r4 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_CREATE(r4, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000004c0)={&(0x7f0000000d40)={0x64, 0x2, 0x6, 0x5, 0x0, 0x0, {}, [@IPSET_ATTR_TYPENAME={0x12, 0x3, 'bitmap:ip,mac\x00'}, @IPSET_ATTR_REVISION={0x5}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz1\x00'}, @IPSET_ATTR_DATA={0x18, 0x7, 0x0, 0x1, [@IPSET_ATTR_CIDR={0x5, 0x3, 0x1f}, 
@IPSET_ATTR_IP={0xc, 0x1, 0x0, 0x1, @IPSET_ATTR_IPADDR_IPV4={0x8, 0x1, 0x1, 0x0, @loopback}}]}, @IPSET_ATTR_FAMILY={0x5, 0x5, 0x2}, @IPSET_ATTR_PROTOCOL={0x5, 0x1, 0x6}]}, 0x64}, 0x1, 0x0, 0x0, 0x10}, 0x0)
socket$nl_route(0x10, 0x3, 0x0)
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0)
syz_mount_image$minix(&(0x7f0000000180), &(0x7f00000001c0)='./file1\x00', 0x3210050, &(0x7f00000000c0)=ANY=[], 0x0, 0x1af, &(0x7f0000000580)="$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")
creat(&(0x7f0000000380)='./bus\x00', 0x0)
r5 = open(&(0x7f0000000180)='./bus\x00', 0x16d43e, 0x0)
r6 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000600)='cpuacct.usage_percpu_sys\x00', 0x275a, 0x0)
write$binfmt_script(r6, &(0x7f0000000000), 0xfea7)
mmap(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x7ffffe, 0x11, r5, 0x0)
ftruncate(r5, 0x7fff)
io_setup(0x7, &(0x7f00000000c0)=0x0)
io_submit(r7, 0x1, &(0x7f0000000500)=[&(0x7f0000000140)={0x0, 0x0, 0x0, 0x0, 0x0, r5, &(0x7f0000000080)='f', 0x1}])
mount$afs(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f00000002c0), 0x0, &(0x7f0000000200)=ANY=[@ANYBLOB='dyn'])
chdir(&(0x7f0000000340)='./file0\x00')
mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', 0x0, 0x0, 0x0)
r8 = open(&(0x7f00000000c0)='.\x00', 0x0, 0x0)
getdents(r8, &(0x7f0000001fc0)=""/184, 0xb8)
write$binfmt_misc(r0, &(0x7f0000000000), 0xfffffecc)

[ 70.085295][ T5304] Bluetooth: hci0: command tx timeout
[ 70.162390][ T5322] loop0: detected capacity change from 0 to 64
[ 70.177770][ T5322] =======================================================
[ 70.177770][ T5322] WARNING: The mand mount option has been deprecated and
[ 70.177770][ T5322] and is ignored by this kernel. Remove the mand
[ 70.177770][ T5322] option from the mount to silence this warning.
[ 70.177770][ T5322] =======================================================
[ 70.222410][ T25] audit: type=1800 audit(1742993337.533:2): pid=5322 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed(directio) comm="syz.0.0" name="bus" dev="tmpfs" ino=20 res=0 errno=0
[ 70.255793][ T5322] BUG: sleeping function called from invalid context at ./include/linux/sched/mm.h:321
[ 70.261020][ T5322] in_atomic(): 0, irqs_disabled(): 0, non_block: 0, pid: 5322, name: syz.0.0
[ 70.264363][ T5322] preempt_count: 0, expected: 0
[ 70.266253][ T5322] RCU nest depth: 1, expected: 0
[ 70.269792][ T5322] 4 locks held by syz.0.0/5322:
[ 70.271632][ T5322] #0: ffff888000b269b8 (&f->f_pos_lock){+.+.}-{4:4}, at: fdget_pos+0x247/0x310
[ 70.275376][ T5322] #1: ffff888053010148 (&type->i_mutex_dir_key#8){.+.+}-{4:4}, at: iterate_dir+0x4a6/0x760
[ 70.279686][ T5322] #2: ffffffff8eb3a860 (rcu_read_lock){....}-{1:3}, at: afs_dynroot_readdir+0x466/0xbe0
[ 70.283427][ T5322] #3: ffff888043c4d1e0 (&mm->mmap_lock){++++}-{4:4}, at: lock_mm_and_find_vma+0x32/0x2f0
[ 70.288573][ T5322] CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.14.0-syzkaller-02665-g1e26c5e28ca5 #0 PREEMPT(full)
[ 70.288589][ T5322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 70.288596][ T5322] Call Trace:
[ 70.288601][ T5322] <TASK>
[ 70.288605][ T5322] dump_stack_lvl+0x241/0x360
[ 70.288625][ T5322] ? __pfx_dump_stack_lvl+0x10/0x10
[ 70.288646][ T5322] __might_resched+0x558/0x6c0
[ 70.288658][ T5322] ? down_read_trylock+0xd5/0x3c0
[ 70.288671][ T5322] ? __pfx___might_resched+0x10/0x10
[ 70.288687][ T5322] ? __alloc_frozen_pages_noprof+0x181/0x7b0
[ 70.288701][ T5322] prepare_alloc_pages+0x1cc/0x5c0
[ 70.288722][ T5322] __alloc_frozen_pages_noprof+0x181/0x7b0
[ 70.288734][ T5322] ? __pfx___alloc_frozen_pages_noprof+0x10/0x10
[ 70.288753][ T5322] alloc_pages_mpol+0x339/0x690
[ 70.288769][ T5322] ? __pfx_alloc_pages_mpol+0x10/0x10
[ 70.288785][ T5322] folio_alloc_mpol_noprof+0x36/0x70
[ 70.288799][ T5322] shmem_alloc_and_add_folio+0x490/0x1070
[ 70.288817][ T5322] ? __pfx_shmem_alloc_and_add_folio+0x10/0x10
[ 70.288831][ T5322] ? shmem_allowable_huge_orders+0x1a2/0x420
[ 70.288848][ T5322] shmem_get_folio_gfp+0x655/0x1800
[ 70.288857][ T5322] ? tomoyo_check_open_permission+0x361/0x4f0
[ 70.288868][ T5322] ? security_file_open+0xac/0x250
[ 70.288888][ T5322] ? __pfx_shmem_get_folio_gfp+0x10/0x10
[ 70.288904][ T5322] shmem_fault+0x223/0x5c0
[ 70.288919][ T5322] ? __pfx_shmem_fault+0x10/0x10
[ 70.288929][ T5322] ? __pfx____pte_offset_map+0x10/0x10
[ 70.288949][ T5322] __do_fault+0x135/0x390
[ 70.288962][ T5322] __handle_mm_fault+0x2043/0x6ef0
[ 70.288989][ T5322] ? __pfx___handle_mm_fault+0x10/0x10
[ 70.289009][ T5322] ? mtree_range_walk+0x700/0x8e0
[ 70.289074][ T5322] ? mt_find+0x28a/0x8f0
[ 70.289088][ T5322] ? mt_find+0x28a/0x8f0
[ 70.289126][ T5322] ? mt_find+0x699/0x8f0
[ 70.289141][ T5322] ? mt_find+0x28a/0x8f0
[ 70.289155][ T5322] ? __pfx_mt_find+0x10/0x10
[ 70.289177][ T5322] ? find_vma+0xfa/0x170
[ 70.289191][ T5322] ? __pfx_find_vma+0x10/0x10
[ 70.289206][ T5322] handle_mm_fault+0x3e5/0x8d0
[ 70.289218][ T5322] exc_page_fault+0x2bb/0x8b0
[ 70.289233][ T5322] asm_exc_page_fault+0x26/0x30
[ 70.289242][ T5322] RIP: 0010:filldir+0x2c4/0x6a0
[ 70.289255][ T5322] Code: 87 55 02 00 00 0f 01 cb 0f ae e8 48 8b 44 24 30 49 89 46 08 48 8b 4c 24 10 48 8b 44 24 60 48 89 01 48 8b 44 24 18 8b 6c 24 3c <66> 89 41 10 48 98 40 88 6c 01 ff 48 89 44 24 30 4d 63 f5 42 c6 44
[ 70.289263][ T5322] RSP: 0018:ffffc9000d467be0 EFLAGS: 00050283
[ 70.289274][ T5322] RAX: 0000000000000018 RBX: 0000200000002008 RCX: 0000200000001ff0
[ 70.289282][ T5322] RDX: ffffc9000ed6a000 RSI: 0000200000001fd8 RDI: 0000200000002008
[ 70.289290][ T5322] RBP: 0000000000000004 R08: ffffffff82433a5d R09: 1ffff110001c2000
[ 70.289298][ T5322] R10: dffffc0000000000 R11: ffffed10001c2001 R12: ffff888040081601
[ 70.289307][ T5322] R13: 0000000000000003 R14: 0000200000001fd8 R15: 00007ffffffff000
[ 70.289317][ T5322] ? filldir+0x28d/0x6a0
[ 70.289335][ T5322] afs_dynroot_readdir+0x814/0xbe0
[ 70.289346][ T5322] ? __pfx___mutex_lock+0x10/0x10
[ 70.289360][ T5322] ? afs_dynroot_readdir+0x466/0xbe0
[ 70.289370][ T5322] ? __pfx_afs_dynroot_readdir+0x10/0x10
[ 70.289380][ T5322] ? common_file_perm+0x1a6/0x210
[ 70.289399][ T5322] iterate_dir+0x5a9/0x760
[ 70.289414][ T5322] __se_sys_getdents+0x1ff/0x4e0
[ 70.289431][ T5322] ? __pfx___se_sys_getdents+0x10/0x10
[ 70.289442][ T5322] ? __pfx_filldir+0x10/0x10
[ 70.289458][ T5322] ? do_syscall_64+0xb6/0x230
[ 70.289474][ T5322] do_syscall_64+0xf3/0x230
[ 70.289485][ T5322] ? clear_bhb_loop+0x45/0xa0
[ 70.289496][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 70.289505][ T5322] RIP: 0033:0x7f0c54d8d169
[ 70.289514][ T5322] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 70.289522][ T5322] RSP: 002b:00007f0c55bab038 EFLAGS: 00000246 ORIG_RAX: 000000000000004e
[ 70.289532][ T5322] RAX: ffffffffffffffda RBX: 00007f0c54fa5fa0 RCX: 00007f0c54d8d169
[ 70.289540][ T5322] RDX: 00000000000000b8 RSI: 0000200000001fc0 RDI: 000000000000000d
[ 70.289547][ T5322] RBP: 00007f0c54e0e2a0 R08: 0000000000000000 R09: 0000000000000000
[ 70.289554][ T5322] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 70.289560][ T5322] R13: 0000000000000000 R14: 00007f0c54fa5fa0 R15: 00007ffd4556d1d8
[ 70.289574][ T5322] </TASK>