INFO: task syz.1.139:5081 blocked for more than 144 seconds.
Not tainted 6.1.143-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.139 state:D stack:20912 pid:5081 ppid:4267 flags:0x00004004
Call Trace:
context_switch kernel/sched/core.c:5244 [inline]
__schedule+0x10e9/0x40d0 kernel/sched/core.c:6561
schedule+0xb9/0x180 kernel/sched/core.c:6637
wait_on_state fs/btrfs/extent-io-tree.c:709 [inline]
wait_extent_bit+0x3f1/0x550 fs/btrfs/extent-io-tree.c:742
lock_extent+0xcc/0x140 fs/btrfs/extent-io-tree.c:1657
btrfs_page_mkwrite+0x516/0xbf0 fs/btrfs/inode.c:8622
do_page_mkwrite+0x16b/0x5c0 mm/memory.c:3011
wp_page_shared+0x167/0x370 mm/memory.c:3360
handle_pte_fault mm/memory.c:5049 [inline]
__handle_mm_fault mm/memory.c:5173 [inline]
handle_mm_fault+0x1ca6/0x3e70 mm/memory.c:5294
do_user_addr_fault+0x51f/0xb10 arch/x86/mm/fault.c:1340
handle_page_fault arch/x86/mm/fault.c:1431 [inline]
exc_page_fault+0x60/0x100 arch/x86/mm/fault.c:1487
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:608
RIP: 0010:copy_user_short_string+0xd/0x40 arch/x86/lib/copy_user_64.S:233
Code: 74 0a 89 d1 f3 a4 89 c8 0f 01 ca c3 89 d0 0f 01 ca c3 01 ca eb e7 90 90 90 90 90 90 90 89 d1 83 e2 07 c1 e9 03 74 12 4c 8b 06 <4c> 89 07 48 8d 76 08 48 8d 7f 08 ff c9 75 ee 21 d2 74 10 89 d1 8a
RSP: 0018:ffffc9000ad1f5c8 EFLAGS: 00050202
RAX: ffffffff8407db01 RBX: 0000000000000038 RCX: 0000000000000007
RDX: 0000000000000000 RSI: ffffc9000ad1f660 RDI: 00002000000003a0
RBP: 0000000000000000 R08: 0000000000000000 R09: fffff520015a3ed3
R10: fffff520015a3ed3 R11: 1ffff920015a3ecc R12: 00007fffffffefc8
R13: 1ffff920015a3ec8 R14: 00002000000003a0 R15: ffffc9000ad1f660
copy_user_generic arch/x86/include/asm/uaccess_64.h:37 [inline]
raw_copy_to_user arch/x86/include/asm/uaccess_64.h:58 [inline]
_copy_to_user+0xea/0x130 lib/usercopy.c:41
copy_to_user include/linux/uaccess.h:169 [inline]
fiemap_fill_next_extent+0x19d/0x360 fs/ioctl.c:144
emit_last_fiemap_cache fs/btrfs/extent_io.c:3595 [inline]
extent_fiemap+0x1679/0x19b0 fs/btrfs/extent_io.c:4126
btrfs_fiemap+0x152/0x1b0 fs/btrfs/inode.c:8294
ioctl_fiemap fs/ioctl.c:219 [inline]
do_vfs_ioctl+0x1425/0x1d10 fs/ioctl.c:810
__do_sys_ioctl fs/ioctl.c:868 [inline]
__se_sys_ioctl+0x83/0x170 fs/ioctl.c:856
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f2e3318e929
RSP: 002b:00007f2e33f84038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f2e333b5fa0 RCX: 00007f2e3318e929
RDX: 0000200000000380 RSI: 00000000c020660b RDI: 0000000000000004
RBP: 00007f2e33210b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f2e333b5fa0 R15: 00007ffe4858c698
Showing all locks held in the system:
1 lock held by rcu_tasks_kthre/12:
#0: ffffffff8cb2b430 (rcu_tasks.tasks_gp_mutex){+.+.}-{3:3}, at: rcu_tasks_one_gp+0x33/0xf00 kernel/rcu/tasks.h:517
1 lock held by rcu_tasks_trace/13:
#0: ffffffff8cb2bc50 (rcu_tasks_trace.tasks_gp_mutex){+.+.}-{3:3}, at: rcu_tasks_one_gp+0x33/0xf00 kernel/rcu/tasks.h:517
1 lock held by khungtaskd/28:
#0: ffffffff8cb2aaa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:350 [inline]
#0: ffffffff8cb2aaa0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:791 [inline]
#0: ffffffff8cb2aaa0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x51/0x290 kernel/locking/lockdep.c:6513
2 locks held by getty/4032:
#0: ffff88814d63c098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x21/0x70 drivers/tty/tty_ldisc.c:244
#1: ffffc9000327b2f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x41b/0x1380 drivers/tty/n_tty.c:2198
2 locks held by kworker/u4:10/4533:
#0: ffff8880b8f3aa98 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x26/0x140 kernel/sched/core.c:537
#1: ffff8880b8f27848 (&per_cpu_ptr(group->pcpu, cpu)->seq){-.-.}-{0:0}, at: psi_task_switch+0x398/0x6d0 kernel/sched/psi.c:999
2 locks held by kworker/0:10/4640:
#0: ffff888017472138 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_one_work+0x7a1/0x1160 kernel/workqueue.c:2267
#1: ffffc90004fefd00 ((work_completion)(&rew->rew_work)){+.+.}-{0:0}, at: process_one_work+0x7a1/0x1160 kernel/workqueue.c:2267
3 locks held by kworker/0:14/5070:
#0: ffff888017470938 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x7a1/0x1160 kernel/workqueue.c:2267
#1: ffffc90005e2fd00 ((work_completion)(&pwq->unbound_release_work)){+.+.}-{0:0}, at: process_one_work+0x7a1/0x1160 kernel/workqueue.c:2267
#2: ffffffff8cb30778 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:291 [inline]
#2: ffffffff8cb30778 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x455/0x830 kernel/rcu/tree_exp.h:962
4 locks held by syz.1.139/5081:
#0: ffff8880702f3600 (&sb->s_type->i_mutex_key#27){++++}-{3:3}, at: inode_lock_shared include/linux/fs.h:768 [inline]
#0: ffff8880702f3600 (&sb->s_type->i_mutex_key#27){++++}-{3:3}, at: btrfs_inode_lock+0x61/0xe0 fs/btrfs/inode.c:147
#1: ffff88807d8362d8 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_trylock include/linux/mmap_lock.h:136 [inline]
#1: ffff88807d8362d8 (&mm->mmap_lock){++++}-{3:3}, at: get_mmap_lock_carefully mm/memory.c:5322 [inline]
#1: ffff88807d8362d8 (&mm->mmap_lock){++++}-{3:3}, at: lock_mm_and_find_vma+0x2e/0x2f0 mm/memory.c:5384
#2: ffff88807735c558 (sb_pagefaults#3){.+.+}-{0:0}, at: do_page_mkwrite+0x16b/0x5c0 mm/memory.c:3011
#3: ffff8880702f3488 (&ei->i_mmap_lock){++++}-{3:3}, at: btrfs_page_mkwrite+0x3f1/0xbf0 fs/btrfs/inode.c:8611
2 locks held by btrfs-cleaner/5115:
#0: ffff88807735c460 (sb_writers#21){.+.+}-{0:0}, at: cleaner_kthread+0x2e2/0x390 fs/btrfs/disk-io.c:1843
#1: ffff8880702f3600 (&sb->s_type->i_mutex_key#27){++++}-{3:3}, at: inode_lock include/linux/fs.h:758 [inline]
#1: ffff8880702f3600 (&sb->s_type->i_mutex_key#27){++++}-{3:3}, at: btrfs_inode_lock+0x4d/0xe0 fs/btrfs/inode.c:155
2 locks held by syz-executor/5300:
#0: ffff888079a6a0e0 (&type->s_umount_key#57){++++}-{3:3}, at: deactivate_super+0xa0/0xd0 fs/super.c:362
#1: ffffffff8cb30778 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:323 [inline]
#1: ffffffff8cb30778 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x346/0x830 kernel/rcu/tree_exp.h:962
2 locks held by kworker/1:12/6482:
#0: ffff888017470938 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x7a1/0x1160 kernel/workqueue.c:2267
#1: ffffc9000c7efd00 ((work_completion)(&pwq->unbound_release_work)){+.+.}-{0:0}, at: process_one_work+0x7a1/0x1160 kernel/workqueue.c:2267
=============================================
NMI backtrace for cpu 0
CPU: 0 PID: 28 Comm: khungtaskd Not tainted 6.1.143-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
dump_stack_lvl+0x168/0x22e lib/dump_stack.c:106
nmi_cpu_backtrace+0x3f4/0x470 lib/nmi_backtrace.c:111
nmi_trigger_cpumask_backtrace+0x1d4/0x450 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:148 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:220 [inline]
watchdog+0xeee/0xf30 kernel/hung_task.c:377
kthread+0x29d/0x330 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 4278 Comm: syz-executor Not tainted 6.1.143-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:rcu_lockdep_current_cpu_online+0xed/0x120 kernel/rcu/tree.c:778
Code: 67 00 4c 85 3b 75 1a 48 c7 c7 00 09 b3 8c be 04 00 00 00 e8 f5 4b 67 00 83 3d 2e 00 48 0b 00 74 11 b0 01 65 ff 0d 6b 66 97 7e <74> 0a 5b 41 5e 41 5f c3 31 c0 eb ed e8 ca 77 95 ff eb ef 48 c7 c7
RSP: 0018:ffffc90003de74e8 EFLAGS: 00000286
RAX: 1ffffffff1966001 RBX: ffffffff8cb30070 RCX: c9344f0f567d9900
RDX: 0000000000000000 RSI: ffffffff8adf1700 RDI: ffff8880b8f3b960
RBP: 0000000000000001 R08: dffffc0000000000 R09: fffffbfff215c249
R10: fffffbfff215c249 R11: 1ffffffff215c248 R12: dffffc0000000000
R13: 0000000000000120 R14: dffffc0000000000 R15: 0000000000000002
FS: 000055557e92d500(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2aafd81ab8 CR3: 000000005becf000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
rcu_read_lock_held_common kernel/rcu/update.c:112 [inline]
rcu_read_lock_held+0x1a/0x40 kernel/rcu/update.c:309
lookup_page_ext mm/page_ext.c:277 [inline]
page_ext_get+0x18f/0x2a0 mm/page_ext.c:158
__reset_page_owner+0x31/0x1a0 mm/page_owner.c:144
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1459 [inline]
free_pcp_prepare mm/page_alloc.c:1509 [inline]
free_unref_page_prepare+0x8b4/0x9a0 mm/page_alloc.c:3384
free_unref_page_list+0xbb/0x8e0 mm/page_alloc.c:3525
release_pages+0x1f92/0x2200 mm/swap.c:1035
__pagevec_release+0x6d/0xe0 mm/swap.c:1055
pagevec_release include/linux/pagevec.h:71 [inline]
folio_batch_release include/linux/pagevec.h:135 [inline]
shmem_undo_range+0x75b/0x2050 mm/shmem.c:946
shmem_truncate_range mm/shmem.c:1062 [inline]
shmem_evict_inode+0x248/0xa40 mm/shmem.c:1171
evict+0x485/0x870 fs/inode.c:705
__dentry_kill+0x431/0x650 fs/dcache.c:611
dentry_kill+0xb8/0x290 fs/dcache.c:-1
dput+0xfa/0x1d0 fs/dcache.c:918
__fput+0x5e0/0x920 fs/file_table.c:328
task_work_run+0x1ca/0x250 kernel/task_work.c:203
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xe6/0x110 kernel/entry/common.c:177
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:210
__syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
syscall_exit_to_user_mode+0x16/0x40 kernel/entry/common.c:303
do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:87
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f7cb7f8e52b
Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
RSP: 002b:00007fff0d7b4030 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 00007f7cb7f8e52b
RDX: 0000000000000000 RSI: 0000000000004c01 RDI: 0000000000000003
RBP: 00007fff0d7b40cc R08: 0000000000000000 R09: 00007fff0d7b3dd7
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000007a
R13: 0000000000000037 R14: 0000000000043b3b R15: 00007fff0d7b4120