INFO: task syz.4.145:5974 blocked for more than 143 seconds.
      Not tainted 6.11.0-rc6-syzkaller-00355-g5dadc1be8fc5 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.4.145       state:D stack:26520 pid:5974  tgid:5974  ppid:5257   flags:0x00000004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5188 [inline]
 __schedule+0x1800/0x4a60 kernel/sched/core.c:6529
 __schedule_loop kernel/sched/core.c:6606 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6621
 io_schedule+0x8d/0x110 kernel/sched/core.c:7401
 folio_wait_bit_common+0x882/0x12b0 mm/filemap.c:1307
 __filemap_get_folio+0xb7/0xc10 mm/filemap.c:1898
 hugetlb_fault+0x1b72/0x3770 mm/hugetlb.c:6531
 handle_mm_fault+0x1901/0x1bc0 mm/memory.c:5830
 do_user_addr_fault arch/x86/mm/fault.c:1338 [inline]
 handle_page_fault arch/x86/mm/fault.c:1481 [inline]
 exc_page_fault+0x459/0x8c0 arch/x86/mm/fault.c:1539
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7fb81734497c
RSP: 002b:00007fb81765fb88 EFLAGS: 00010246
RAX: 0000000020000d00 RBX: 0000000000000004 RCX: 8000000000000010
RDX: 0000000000000010 RSI: 00007fb816e005d8 RDI: 0000000020000d00
RBP: 00007fb817537a80 R08: 00007fb817200000 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000009 R12: 000000000001fa58
R13: 00007fb81765fc90 R14: 0000000000000032 R15: fffffffffffffffe
 </TASK>
INFO: task syz.4.145:5975 blocked for more than 144 seconds.
      Not tainted 6.11.0-rc6-syzkaller-00355-g5dadc1be8fc5 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.4.145       state:D stack:23960 pid:5975  tgid:5974  ppid:5257   flags:0x00004006
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5188 [inline]
 __schedule+0x1800/0x4a60 kernel/sched/core.c:6529
 __schedule_loop kernel/sched/core.c:6606 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6621
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6678
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x6a4/0xd70 kernel/locking/mutex.c:752
 hugetlb_wp+0x104d/0x3a90 mm/hugetlb.c:6027
 hugetlb_fault+0x27b2/0x3770 mm/hugetlb.c:6579
 handle_mm_fault+0x1901/0x1bc0 mm/memory.c:5830
 do_user_addr_fault arch/x86/mm/fault.c:1389 [inline]
 handle_page_fault arch/x86/mm/fault.c:1481 [inline]
 exc_page_fault+0x2b9/0x8c0 arch/x86/mm/fault.c:1539
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0010:rep_movs_alternative+0x4a/0x70 arch/x86/lib/copy_user_64.S:71
Code: 75 f1 c3 cc cc cc cc 66 0f 1f 84 00 00 00 00 00 48 8b 06 48 89 07 48 83 c6 08 48 83 c7 08 83 e9 08 74 df 83 f9 08 73 e8 eb c9 <f3> a4 c3 cc cc cc cc 48 89 c8 48 c1 e9 03 83 e0 07 f3 48 a5 89 c1
RSP: 0018:ffffc90002d9fad0 EFLAGS: 00050246
RAX: ffffffff84b29f01 RBX: 000000002001c100 RCX: 0000000000000040
RDX: 0000000000000000 RSI: ffffc90002d9fb60 RDI: 000000002001c0c0
RBP: ffffc90002d9fc10 R08: ffffc90002d9fb9f R09: 1ffff920005b3f73
R10: dffffc0000000000 R11: fffff520005b3f74 R12: 0000000000000040
R13: 000000000001ba80 R14: 000000002001c0c0 R15: ffffc90002d9fb60
 copy_user_generic arch/x86/include/asm/uaccess_64.h:110 [inline]
 raw_copy_to_user arch/x86/include/asm/uaccess_64.h:131 [inline]
 _inline_copy_to_user include/linux/uaccess.h:181 [inline]
 _copy_to_user+0x86/0xb0 lib/usercopy.c:26
 copy_to_user include/linux/uaccess.h:209 [inline]
 rng_dev_read+0x3be/0x6d0 drivers/char/hw_random/core.c:251
 do_loop_readv_writev fs/read_write.c:761 [inline]
 vfs_readv+0x6c2/0xa90 fs/read_write.c:934
 do_preadv fs/read_write.c:1049 [inline]
 __do_sys_preadv fs/read_write.c:1099 [inline]
 __se_sys_preadv fs/read_write.c:1094 [inline]
 __x64_sys_preadv+0x1c7/0x2d0 fs/read_write.c:1094
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb81737cef9
RSP: 002b:00007fb818245038 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
RAX: ffffffffffffffda RBX: 00007fb817535f80 RCX: 00007fb81737cef9
RDX: 0000000000000002 RSI: 0000000020000580 RDI: 0000000000000005
RBP: 00007fb8173ef046 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fb817535f80 R15: 00007fb81765fa28
 </TASK>

Showing all locks held in the system:
3 locks held by kworker/0:0/8:
 #0: ffff8880b883e9d8 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0xb0/0x140 kernel/sched/core.c:568
 #1: ffff8880b8828948 (&per_cpu_ptr(group->pcpu, cpu)->seq){-.-.}-{0:0}, at: psi_task_switch+0x441/0x770 kernel/sched/psi.c:989
 #2: ffff8880b8828948 (&per_cpu_ptr(group->pcpu, cpu)->seq){-.-.}-{0:0}, at: psi_task_change+0xfd/0x280 kernel/sched/psi.c:913
3 locks held by kworker/1:0/25:
1 lock held by khungtaskd/30:
 #0: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:326 [inline]
 #0: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
 #0: ffffffff8e938320 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x55/0x2a0 kernel/locking/lockdep.c:6626
4 locks held by kworker/u8:11/2972:
 #0: ffff88801bae5948 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3206 [inline]
 #0: ffff88801bae5948 ((wq_completion)netns){+.+.}-{0:0}, at: process_scheduled_works+0x90a/0x1830 kernel/workqueue.c:3312
 #1: ffffc90009807d00 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3207 [inline]
 #1: ffffc90009807d00 (net_cleanup_work){+.+.}-{0:0}, at: process_scheduled_works+0x945/0x1830 kernel/workqueue.c:3312
 #2: ffffffff8fc7f810 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0x16a/0xcc0 net/core/net_namespace.c:594
 #3: ffffffff8e93d6f8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:328 [inline]
 #3: ffffffff8e93d6f8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x451/0x830 kernel/rcu/tree_exp.h:958
2 locks held by dhcpcd/4906:
 #0: ffff888032721678 (nlk_cb_mutex-ROUTE){+.+.}-{3:3}, at: __netlink_dump_start+0x119/0x790 net/netlink/af_netlink.c:2404
 #1: ffffffff8fc8c3c8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
 #1: ffffffff8fc8c3c8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_dumpit+0x99/0x200 net/core/rtnetlink.c:6506
2 locks held by getty/4998:
 #0: ffff888034bca0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: ffffc900031332f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6ac/0x1e00 drivers/tty/n_tty.c:2211
5 locks held by kworker/1:3/5242:
 #0: ffff88801e6a5148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3206 [inline]
 #0: ffff88801e6a5148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_scheduled_works+0x90a/0x1830 kernel/workqueue.c:3312
 #1: ffffc90003c37d00 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3207 [inline]
 #1: ffffc90003c37d00 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_scheduled_works+0x945/0x1830 kernel/workqueue.c:3312
 #2: ffff888029244190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1009 [inline]
 #2: ffff888029244190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1fe/0x5150 drivers/usb/core/hub.c:5849
 #3: ffff88806010f190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1009 [inline]
 #3: ffff88806010f190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x8e/0x520 drivers/base/dd.c:1004
 #4: ffff8880216d0278 (&(&priv->bus_notifier)->rwsem){++++}-{3:3}, at: blocking_notifier_call_chain+0x53/0x90 kernel/notifier.c:387
3 locks held by syz.4.145/5974:
 #0: ffff8880288b02f8 (&vma->vm_lock->lock){++++}-{3:3}, at: vma_start_read include/linux/mm.h:694 [inline]
 #0: ffff8880288b02f8 (&vma->vm_lock->lock){++++}-{3:3}, at: lock_vma_under_rcu+0x2f9/0x6e0 mm/memory.c:5998
 #1: ffff8880212aa698 (&hugetlb_fault_mutex_table[i]){+.+.}-{3:3}, at: hugetlb_fault+0x56f/0x3770 mm/hugetlb.c:6451
 #2: ffff888060d0a8e8 (&resv_map->rw_sema){++++}-{3:3}, at: hugetlb_fault+0x675/0x3770 mm/hugetlb.c:6458
2 locks held by syz.4.145/5975:
 #0: ffff88805783a798 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock_killable+0x1d/0x70 include/linux/mmap_lock.h:153
 #1: ffff8880212aa698 (&hugetlb_fault_mutex_table[i]){+.+.}-{3:3}, at: hugetlb_wp+0x104d/0x3a90 mm/hugetlb.c:6027
2 locks held by syz-executor/8195:
 #0: ffffffff8fc7f810 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x4c6/0x7b0 net/core/net_namespace.c:504
 #1: ffffffff8fc8c3c8 (rtnl_mutex){+.+.}-{3:3}, at: ip_tunnel_init_net+0x20e/0x710 net/ipv4/ip_tunnel.c:1158
2 locks held by syz.4.682/8216:
 #0: ffffffff8ff639c8 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_fop_write+0x1a9/0x790 net/rfkill/core.c:1297
 #1: ffffffff8fc8c3c8 (rtnl_mutex){+.+.}-{3:3}, at: cfg80211_rfkill_set_block+0x1e/0x50 net/wireless/core.c:311
3 locks held by syz.2.684/8232:
 #0: ffff88806eca4d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close net/bluetooth/hci_core.c:481 [inline]
 #0: ffff88806eca4d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_unregister_dev+0x203/0x510 net/bluetooth/hci_core.c:2698
 #1: ffff88806eca4078 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_close_sync+0x572/0x11a0 net/bluetooth/hci_sync.c:5183
 #2: ffffffff8fdf7ee8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:1972 [inline]
 #2: ffffffff8fdf7ee8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0xa6/0x240 net/bluetooth/hci_conn.c:2592
2 locks held by syz.1.685/8238:
 #0: ffffffff8fcf1b30 (cb_lock){++++}-{3:3}, at: genl_rcv+0x19/0x40 net/netlink/genetlink.c:1218
 #1: ffffffff8fc8c3c8 (rtnl_mutex){+.+.}-{3:3}, at: nl80211_pre_doit+0x5f/0x8b0 net/wireless/nl80211.c:16547
1 lock held by syz.3.686/8240:
 #0: ffffffff8ff639c8 (rfkill_global_mutex){+.+.}-{3:3}, at: rfkill_unregister+0xd0/0x230 net/rfkill/core.c:1149

=============================================

NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.11.0-rc6-syzkaller-00355-g5dadc1be8fc5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 nmi_cpu_backtrace+0x49c/0x4d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x198/0x320 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline]
 watchdog+0xff4/0x1040 kernel/hung_task.c:379
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 8232 Comm: syz.2.684 Not tainted 6.11.0-rc6-syzkaller-00355-g5dadc1be8fc5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:__bfs kernel/locking/lockdep.c:1736 [inline]
RIP: 0010:__bfs_backwards kernel/locking/lockdep.c:1843 [inline]
RIP: 0010:check_irq_usage kernel/locking/lockdep.c:2803 [inline]
RIP: 0010:check_prev_add kernel/locking/lockdep.c:3137 [inline]
RIP: 0010:check_prevs_add kernel/locking/lockdep.c:3252 [inline]
RIP: 0010:validate_chain+0x1d53/0x5900 kernel/locking/lockdep.c:3868
Code: 85 ed 0f 84 aa 04 00 00 4d 8d 75 10 4c 89 f0 48 c1 e8 03 48 89 44 24 68 42 80 3c 20 00 74 08 4c 89 f7 e8 60 37 8a 00 49 8b 1e <48> 85 db 0f 84 60 27 00 00 48 83 c3 5c 49 89 df 49 c1 ef 03 43 0f
RSP: 0018:ffffc9000344eba0 EFLAGS: 00000046
RAX: 1ffffffff2d86b87 RBX: ffffffff93c37e80 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffc9000344ecc0
RBP: ffffc9000344eea0 R08: ffffffff941e4857 R09: 1ffffffff283c90a
R10: dffffc0000000000 R11: fffffbfff283c90b R12: dffffc0000000000
R13: ffffffff96c35c28 R14: ffffffff96c35c38 R15: ffffffff96c35c28
FS:  0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555a2d32d131 CR3: 000000000e734000 CR4: 00000000003506f0
DR0: 0000000000000200 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <NMI>
 </NMI>
 <TASK>
 __lock_acquire+0x137a/0x2040 kernel/locking/lockdep.c:5142
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5759
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
 remove_entity_load_avg kernel/sched/fair.c:4806 [inline]
 migrate_task_rq_fair+0xbf/0x7a0 kernel/sched/fair.c:8266
 set_task_cpu+0xed/0x5d0 kernel/sched/core.c:3194
 try_to_wake_up+0x754/0x1470 kernel/sched/core.c:4161
 wake_up_process kernel/sched/core.c:4299 [inline]
 wake_up_q+0xc8/0x120 kernel/sched/core.c:1029
 __mutex_unlock_slowpath+0x6f9/0x750 kernel/locking/mutex.c:956
 synchronize_rcu_expedited+0x6a3/0x830 kernel/rcu/tree_exp.h:977
 synchronize_rcu+0x11b/0x360 kernel/rcu/tree.c:4020
 hci_conn_hash_del include/net/bluetooth/hci_core.h:996 [inline]
 hci_conn_cleanup net/bluetooth/hci_conn.c:152 [inline]
 hci_conn_del+0x578/0xc40 net/bluetooth/hci_conn.c:1162
 hci_conn_hash_flush+0x18e/0x240 net/bluetooth/hci_conn.c:2593
 hci_dev_close_sync+0x9ef/0x11a0 net/bluetooth/hci_sync.c:5195
 hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]
 hci_unregister_dev+0x20b/0x510 net/bluetooth/hci_core.c:2698
 vhci_release+0x83/0xd0 drivers/bluetooth/hci_vhci.c:664
 __fput+0x24a/0x8a0 fs/file_table.c:422
 task_work_run+0x24f/0x310 kernel/task_work.c:228
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0xa2f/0x27f0 kernel/exit.c:882
 do_group_exit+0x207/0x2c0 kernel/exit.c:1031
 get_signal+0x16a1/0x1740 kernel/signal.c:2917
 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0xc9/0x370 kernel/entry/common.c:218
 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f27b4f7cef9
Code: Unable to access opcode bytes at 0x7f27b4f7cecf.
RSP: 002b:00007f27b5d1d038 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: 0000000000000001 RBX: 00007f27b5136058 RCX: 00007f27b4f7cef9
RDX: 0000000000000001 RSI: 00000000200003c0 RDI: 0000000000000003
RBP: 00007f27b4fef046 R08: 0000000020000380 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f27b5136058 R15: 00007f27b525fa28
 </TASK>