INFO: task kworker/0:4:31566 blocked for more than 143 seconds. Not tainted 5.15.0-rc1-next-20210917-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/0:4 state:D stack:29304 pid:31566 ppid: 2 flags:0x00004000 Workqueue: events nsim_dev_trap_report_work Call Trace: context_switch kernel/sched/core.c:4955 [inline] __schedule+0x940/0x26f0 kernel/sched/core.c:6236 schedule+0xd3/0x270 kernel/sched/core.c:6315 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6374 __mutex_lock_common kernel/locking/mutex.c:669 [inline] __mutex_lock+0xa34/0x12f0 kernel/locking/mutex.c:729 nsim_dev_trap_report_work+0x5d/0xbd0 drivers/net/netdevsim/dev.c:757 process_one_work+0x9b2/0x1690 kernel/workqueue.c:2297 worker_thread+0x658/0x11f0 kernel/workqueue.c:2444 kthread+0x3e5/0x4d0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Showing all locks held in the system: 1 lock held by khungtaskd/27: #0: ffffffff8b980460 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6446 1 lock held by khugepaged/33: #0: ffffffff8ba63208 (lock#5){+.+.}-{3:3}, at: __lru_add_drain_all+0x65/0x760 mm/swap.c:775 2 locks held by kworker/u4:4/1142: 1 lock held by systemd-journal/2962: 1 lock held by in:imklog/6241: #0: ffff88801f1319f0 ( &f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:990 8 locks held by kworker/u4:6/10677: #0: ffff888011ef3138 ((wq_completion)netns){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff888011ef3138 ((wq_completion)netns){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline] #0: ffff888011ef3138 ((wq_completion)netns){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1198 [inline] #0: ffff888011ef3138 ((wq_completion)netns){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:634 [inline] #0: ffff888011ef3138 ((wq_completion)netns){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:661 [inline] #0: ffff888011ef3138 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x896/0x1690 kernel/workqueue.c:2268 #1: ffffc90011ce7db0 (net_cleanup_work ){+.+.}-{0:0}, at: process_one_work+0x8ca/0x1690 kernel/workqueue.c:2272 #2: ffffffff8d0d28d0 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0x9b/0xb00 net/core/net_namespace.c:553 #3: ffffffff8d1122c8 (devlink_mutex){+.+.}-{3:3}, at: devlink_pernet_pre_exit+0x84/0x3b0 net/core/devlink.c:11485 #4: ffff88807e3e8658 (&nsim_bus_dev->nsim_bus_reload_lock){+.+.}-{3:3}, at: nsim_dev_reload_down+0x5c/0x190 drivers/net/netdevsim/dev.c:870 #5: ffff88807e3ea400 (&nsim_dev->port_list_lock){+.+.}-{3:3}, at: nsim_dev_port_del_all drivers/net/netdevsim/dev.c:1359 [inline] #5: ffff88807e3ea400 (&nsim_dev->port_list_lock){+.+.}-{3:3}, at: nsim_dev_reload_destroy+0x147/0x300 drivers/net/netdevsim/dev.c:1561 #6: ffffffff8d0e5e68 (rtnl_mutex){+.+.}-{3:3}, at: nsim_destroy+0x35/0x190 drivers/net/netdevsim/netdev.c:381 #7: ffffffff8b9897e8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:290 [inline] #7: ffffffff8b9897e8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x4fc/0x620 kernel/rcu/tree_exp.h:836 2 locks held by kworker/u4:1/4501: #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline] ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1198 [inline] ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:634 [inline] ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:661 [inline] ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x896/0x1690 kernel/workqueue.c:2268 #1: ffffc90010aa7db0 ((reaper_work).work){+.+.}-{0:0}, at: process_one_work+0x8ca/0x1690 kernel/workqueue.c:2272 2 locks held by kworker/u4:0/18467: #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline] #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1198 [inline] #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:634 [inline] #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:661 [inline] #0: ffff888010c69138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x896/0x1690 kernel/workqueue.c:2268 #1: ffffc9000fedfdb0 (connector_reaper_work){+.+.}-{0:0}, at: process_one_work+0x8ca/0x1690 kernel/workqueue.c:2272 8 locks held by kworker/0:0/30766: 3 locks held by kworker/1:4/31550: 3 locks held by kworker/0:4/31566: #0: ffff888010c64d38 ((wq_completion)events){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff888010c64d38 ((wq_completion)events){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline] #0: ffff888010c64d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1198 [inline] #0: ffff888010c64d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:634 [inline] #0: ffff888010c64d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:661 [inline] #0: ffff888010c64d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x896/0x1690 kernel/workqueue.c:2268 #1: ffffc9000fe8fdb0 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work) ){+.+.}-{0:0}, at: process_one_work+0x8ca/0x1690 kernel/workqueue.c:2272 #2: ffff88807e3ea400 (&nsim_dev->port_list_lock){+.+.}-{3:3}, at: nsim_dev_trap_report_work+0x5d/0xbd0 drivers/net/netdevsim/dev.c:757 1 lock held by syz-executor.0/31739: #0: ffffffff8d0e5e68 (rtnl_mutex){+.+.}-{3:3}, at: __tun_chr_ioctl.isra.0+0x19e/0x4230 drivers/net/tun.c:3011 1 lock held by syz-executor.0/31744: #0: ffffffff8d0e5e68 (rtnl_mutex){+.+.}-{3:3}, at: __tun_chr_ioctl.isra.0+0x19e/0x4230 drivers/net/tun.c:3011 1 lock held by syz-executor.2/31741: #0: ffffffff8d0e5e68 (rtnl_mutex){+.+.}-{3:3}, at: __tun_chr_ioctl.isra.0+0x19e/0x4230 drivers/net/tun.c:3011 ============================================= NMI backtrace for cpu 1 CPU: 1 PID: 27 Comm: khungtaskd Not tainted 5.15.0-rc1-next-20210917-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 nmi_cpu_backtrace.cold+0x47/0x144 lib/nmi_backtrace.c:105 nmi_trigger_cpumask_backtrace+0x1ae/0x220 lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:254 [inline] watchdog+0xcb7/0xed0 kernel/hung_task.c:339 kthread+0x3e5/0x4d0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Sending NMI from CPU 1 to CPUs 0: NMI backtrace for cpu 0 CPU: 0 PID: 253 Comm: kworker/u4:3 Not tainted 5.15.0-rc1-next-20210917-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: phy3 ieee80211_iface_work RIP: 0010:__sanitizer_cov_trace_pc+0x37/0x60 kernel/kcov.c:197 Code: 81 e1 00 01 00 00 65 48 8b 14 25 40 f0 01 00 a9 00 01 ff 00 74 0e 85 c9 74 35 8b 82 44 15 00 00 85 c0 74 2b 8b 82 20 15 00 00 <83> f8 02 75 20 48 8b 8a 28 15 00 00 8b 92 24 15 00 00 48 8b 01 48 RSP: 0018:ffffc90001f4fb18 EFLAGS: 00000046 RAX: 0000000000000000 RBX: 00000000000000a8 RCX: 0000000000000000 RDX: ffff8880185d0000 RSI: ffffffff81bc6401 RDI: 0000000000000003 RBP: ffff88823bccee00 R08: ffff88823bcceb23 R09: 00000000ffffffa8 R10: ffffffff81bc63f3 R11: 00000000000000a8 R12: ffff88823bcceb23 R13: ffffffff902960d0 R14: ffff88823bccee00 R15: 00000000ffffffa8 FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fc33a57c010 CR3: 000000001a97c000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: for_each_canary mm/kfence/core.c:249 [inline] kfence_guarded_free+0x191/0x940 mm/kfence/core.c:386 __kfence_free+0x70/0x150 mm/kfence/core.c:817 do_slab_free mm/slub.c:3480 [inline] slab_free mm/slub.c:3493 [inline] kfree+0x47f/0x550 mm/slub.c:4552 skb_free_head net/core/skbuff.c:651 [inline] skb_release_data+0x65a/0x790 net/core/skbuff.c:673 skb_release_all net/core/skbuff.c:738 [inline] __kfree_skb net/core/skbuff.c:752 [inline] kfree_skb net/core/skbuff.c:770 [inline] kfree_skb+0x133/0x3f0 net/core/skbuff.c:764 ieee80211_iface_work+0x411/0xd00 net/mac80211/iface.c:1495 process_one_work+0x9b2/0x1690 kernel/workqueue.c:2297 worker_thread+0x658/0x11f0 kernel/workqueue.c:2444 kthread+0x3e5/0x4d0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 ---------------- Code disassembly (best guess): 0: 81 e1 00 01 00 00 and $0x100,%ecx 6: 65 48 8b 14 25 40 f0 mov %gs:0x1f040,%rdx d: 01 00 f: a9 00 01 ff 00 test $0xff0100,%eax 14: 74 0e je 0x24 16: 85 c9 test %ecx,%ecx 18: 74 35 je 0x4f 1a: 8b 82 44 15 00 00 mov 0x1544(%rdx),%eax 20: 85 c0 test %eax,%eax 22: 74 2b je 0x4f 24: 8b 82 20 15 00 00 mov 0x1520(%rdx),%eax * 2a: 83 f8 02 cmp $0x2,%eax <-- trapping instruction 2d: 75 20 jne 0x4f 2f: 48 8b 8a 28 15 00 00 mov 0x1528(%rdx),%rcx 36: 8b 92 24 15 00 00 mov 0x1524(%rdx),%edx 3c: 48 8b 01 mov (%rcx),%rax 3f: 48 rex.W