INFO: task syz-executor.4:20010 blocked for more than 143 seconds.
      Not tainted 5.17.0-rc7-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.4  state:D stack:27640 pid:20010 ppid:  3635 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:4995 [inline]
 __schedule+0x926/0x1080 kernel/sched/core.c:6304
 schedule+0x12b/0x1f0 kernel/sched/core.c:6377
 rwsem_down_write_slowpath+0xdb7/0x1480 kernel/locking/rwsem.c:1142
 __down_write_common kernel/locking/rwsem.c:1259 [inline]
 __down_write kernel/locking/rwsem.c:1268 [inline]
 down_write+0x163/0x170 kernel/locking/rwsem.c:1515
 inode_lock include/linux/fs.h:777 [inline]
 chown_common+0x4fd/0x820 fs/open.c:677
 do_fchownat+0x165/0x240 fs/open.c:711
 __do_sys_chown fs/open.c:731 [inline]
 __se_sys_chown fs/open.c:729 [inline]
 __x64_sys_chown+0x7e/0x90 fs/open.c:729
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f99c6b19049
RSP: 002b:00007f99c546d168 EFLAGS: 00000246 ORIG_RAX: 000000000000005c
RAX: ffffffffffffffda RBX: 00007f99c6c2c030 RCX: 00007f99c6b19049
RDX: 000000000000ee00 RSI: 000000000000ee00 RDI: 0000000020000040
RBP: 00007f99c6b7308d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff537e492f R14: 00007f99c546d300 R15: 0000000000022000
 </TASK>
INFO: task syz-executor.3:20011 blocked for more than 144 seconds.
      Not tainted 5.17.0-rc7-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.3  state:D stack:28624 pid:20011 ppid:  3632 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:4995 [inline]
 __schedule+0x926/0x1080 kernel/sched/core.c:6304
 schedule+0x12b/0x1f0 kernel/sched/core.c:6377
 rwsem_down_write_slowpath+0xdb7/0x1480 kernel/locking/rwsem.c:1142
 __down_write_common kernel/locking/rwsem.c:1259 [inline]
 __down_write kernel/locking/rwsem.c:1268 [inline]
 down_write+0x163/0x170 kernel/locking/rwsem.c:1515
 inode_lock include/linux/fs.h:777 [inline]
 chown_common+0x4fd/0x820 fs/open.c:677
 do_fchownat+0x165/0x240 fs/open.c:711
 __do_sys_chown fs/open.c:731 [inline]
 __se_sys_chown fs/open.c:729 [inline]
 __x64_sys_chown+0x7e/0x90 fs/open.c:729
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f656b6fa049
RSP: 002b:00007f656a04e168 EFLAGS: 00000246 ORIG_RAX: 000000000000005c
RAX: ffffffffffffffda RBX: 00007f656b80d030 RCX: 00007f656b6fa049
RDX: 000000000000ee00 RSI: 000000000000ee00 RDI: 0000000020000040
RBP: 00007f656b75408d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd1397333f R14: 00007f656a04e300 R15: 0000000000022000
 </TASK>

Showing all locks held in the system:
1 lock held by khungtaskd/26:
 #0: ffffffff8cb1d460 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x0/0x30
5 locks held by kworker/u4:4/941:
 #0: ffff8881445ab138 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x7db/0x1190 kernel/workqueue.c:2280
 #1: ffffc900043ffd20 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x81b/0x1190 kernel/workqueue.c:2282
 #2: ffffffff8db8e670 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0xf0/0xc70 net/core/net_namespace.c:559
 #3: ffffffff8db9a608 (rtnl_mutex){+.+.}-{3:3}, at: sit_exit_batch_net+0xc0/0x4e0 net/ipv6/sit.c:1946
 #4: ffffffff8cb22428 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:322 [inline]
 #4: ffffffff8cb22428 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x356/0x740 kernel/rcu/tree_exp.h:840
1 lock held by dhcpcd/3176:
 #0: ffffffff8db9a608 (rtnl_mutex){+.+.}-{3:3}, at: devinet_ioctl+0x22c/0x1d10 net/ipv4/devinet.c:1068
2 locks held by getty/3275:
 #0: ffff88802444e098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x21/0x70 drivers/tty/tty_ldisc.c:244
 #1: ffffc90002b662e8 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6c5/0x1c60 drivers/tty/n_tty.c:2075
2 locks held by kworker/1:3/3657:
 #0: ffff888011466538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_one_work+0x7db/0x1190 kernel/workqueue.c:2280
 #1: ffffc900029afd20 ((work_completion)(&rew.rew_work)){+.+.}-{0:0}, at: process_one_work+0x81b/0x1190 kernel/workqueue.c:2282
6 locks held by kworker/0:16/8448:
 #0: ffff8880b9a39798 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x25/0x110 kernel/sched/core.c:489
 #1: ffff8880b9a27848 (&per_cpu_ptr(group->pcpu, cpu)->seq){-.-.}-{0:0}, at: psi_task_switch+0x4d3/0x790 kernel/sched/psi.c:891
 #2: ffffffff8cb2ffc8 (tk_core.seq.seqcount){----}-{0:0}, at: spin_lock include/linux/spinlock.h:349 [inline]
 #2: ffffffff8cb2ffc8 (tk_core.seq.seqcount){----}-{0:0}, at: p9_read_work+0x4c9/0xfd0 net/9p/trans_fd.c:361
 #3: ffff8880b9a38fd8 (&pool->lock){-.-.}-{2:2}, at: __wake_up_common_lock kernel/sched/wait.c:137 [inline]
 #3: ffff8880b9a38fd8 (&pool->lock){-.-.}-{2:2}, at: __wake_up+0xf8/0x1c0 kernel/sched/wait.c:157
 #4: ffff88801f800998 (&p->pi_lock){-.-.}-{2:2}, at: try_to_wake_up+0x9f/0xc70 kernel/sched/core.c:4017
 #5: ffff8880b9a39798 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x25/0x110 kernel/sched/core.c:489
2 locks held by kworker/u4:1/19560:
1 lock held by syz-executor.4/20001:
 #0: ffffffff8cb22428 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:322 [inline]
 #0: ffffffff8cb22428 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x356/0x740 kernel/rcu/tree_exp.h:840
2 locks held by syz-executor.1/20163:
2 locks held by syz-executor.1/20165:
 #0: ffff888078f68460 (sb_writers#14){.+.+}-{0:0}, at: mnt_want_write+0x3b/0x80 fs/namespace.c:377
 #1: ffff8880723f3bd8 (&sb->s_type->i_mutex_key#21){++++}-{3:3}, at: inode_lock include/linux/fs.h:777 [inline]
 #1: ffff8880723f3bd8 (&sb->s_type->i_mutex_key#21){++++}-{3:3}, at: chown_common+0x4fd/0x820 fs/open.c:677
2 locks held by syz-executor.5/20431:
 #0: ffffffff8db8e670 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x33d/0x5c0 net/core/net_namespace.c:470
 #1: ffffffff8db9a608 (rtnl_mutex){+.+.}-{3:3}, at: wg_netns_pre_exit+0x1b/0x1d0 drivers/net/wireguard/device.c:403
1 lock held by syz-executor.5/20432:
 #0: ffffffff8db9a608 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:72 [inline]
 #0: ffffffff8db9a608 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x92d/0xec0 net/core/rtnetlink.c:5593

=============================================

NMI backtrace for cpu 1
CPU: 1 PID: 26 Comm: khungtaskd Not tainted 5.17.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106
 nmi_cpu_backtrace+0x45f/0x490 lib/nmi_backtrace.c:111
 nmi_trigger_cpumask_backtrace+0x16a/0x280 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:212 [inline]
 watchdog+0xc82/0xcd0 kernel/hung_task.c:369
 kthread+0x2a3/0x2d0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 20163 Comm: syz-executor.1 Not tainted 5.17.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:freelist_dereference mm/slub.c:345 [inline]
RIP: 0010:get_freepointer mm/slub.c:352 [inline]
RIP: 0010:slab_free_freelist_hook+0xa7/0x1a0 mm/slub.c:1751
Code: 49 c7 07 00 00 00 00 49 c7 45 00 00 00 00 00 eb 13 66 90 48 8b 04 24 ff 08 48 3b 6c 24 10 0f 84 d1 00 00 00 4c 89 f5 8b 43 28 <4d> 8b 34 06 0f 1f 44 00 00 45 31 e4 8b 73 1c 48 89 ef e8 52 44 95
RSP: 0018:ffffc90002a3f8c0 EFLAGS: 00000292
RAX: 0000000000010000 RBX: ffff88814aed3640 RCX: fffffffdfa540000
RDX: ffffc90002a3f918 RSI: ffffc90002a3f920 RDI: ffff88814aed3640
RBP: ffff888036140000 R08: ffffffff813c8e57 R09: ffffed100f3f6d62
R10: ffffed100f3f6d62 R11: 0000000000000000 R12: 00fff00000010200
R13: ffffc90002a3f918 R14: ffff888036140000 R15: ffffc90002a3f920
FS:  00007fdbc7824700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd17fe11000 CR3: 0000000035da1000 CR4: 00000000003506f0
Call Trace:
 <TASK>
 slab_free mm/slub.c:3509 [inline]
 kmem_cache_free+0xb6/0x1c0 mm/slub.c:3526
 p9_fcall_fini net/9p/client.c:246 [inline]
 p9_req_free net/9p/client.c:377 [inline]
 kref_put include/linux/kref.h:65 [inline]
 p9_req_put+0x9f/0x190 net/9p/client.c:384
 p9_tag_remove net/9p/client.c:370 [inline]
 p9_client_read_once+0x57b/0x910 net/9p/client.c:1635
 p9_client_read+0xa6/0x190 net/9p/client.c:1561
 v9fs_dir_readdir+0x2fa/0x930 fs/9p/vfs_dir.c:113
 iterate_dir+0x2aa/0x640
 __do_sys_getdents64 fs/readdir.c:369 [inline]
 __se_sys_getdents64+0x1ea/0x4e0 fs/readdir.c:354
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fdbc8eaf049
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fdbc7824168 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007fdbc8fc1f60 RCX: 00007fdbc8eaf049
RDX: 0000000000000034 RSI: 0000000000000000 RDI: 0000000000000006
RBP: 00007fdbc8f0908d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc4be4366f R14: 00007fdbc7824300 R15: 0000000000022000
 </TASK>
----------------
Code disassembly (best guess):
   0:	49 c7 07 00 00 00 00 	movq   $0x0,(%r15)
   7:	49 c7 45 00 00 00 00 	movq   $0x0,0x0(%r13)
   e:	00
   f:	eb 13                	jmp    0x24
  11:	66 90                	xchg   %ax,%ax
  13:	48 8b 04 24          	mov    (%rsp),%rax
  17:	ff 08                	decl   (%rax)
  19:	48 3b 6c 24 10       	cmp    0x10(%rsp),%rbp
  1e:	0f 84 d1 00 00 00    	je     0xf5
  24:	4c 89 f5             	mov    %r14,%rbp
  27:	8b 43 28             	mov    0x28(%rbx),%eax
* 2a:	4d 8b 34 06          	mov    (%r14,%rax,1),%r14 <-- trapping instruction
  2e:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  33:	45 31 e4             	xor    %r12d,%r12d
  36:	8b 73 1c             	mov    0x1c(%rbx),%esi
  39:	48 89 ef             	mov    %rbp,%rdi
  3c:	e8                   	.byte 0xe8
  3d:	52                   	push   %rdx
  3e:	44 95                	rex.R xchg %eax,%ebp