loop4: p251 start 1854537728 is beyond EOD, truncated loop4: p252 start 1854537728 is beyond EOD, truncated loop4: p253 start 1854537728 is beyond EOD, truncated loop4: p254 start 1854537728 is beyond EOD, truncated loop4: p255 start 1854537728 is beyond EOD, truncated INFO: task init:746 blocked for more than 140 seconds. Not tainted 4.9.205-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. init D29304 746 1 0x00000000 0000000000000087 ffff8801a0d42f80 ffff8801d0e1b700 ffff8801db71ffc0 ffff8801d140c740 ffff8801db71ffd8 ffff8801ccb7f758 ffffffff8280a6ae ffff8801a0d43848 ffff8801a0d43820 00ff8801a0d43850 ffff8801db7208b0 Call Trace: [<00000000ced48827>] schedule+0x92/0x1c0 kernel/sched/core.c:3546 [<00000000b68f7881>] schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:3579 [<00000000dc037450>] __mutex_lock_common kernel/locking/mutex.c:582 [inline] [<00000000dc037450>] mutex_lock_nested+0x38d/0x920 kernel/locking/mutex.c:621 [<000000005850fc85>] tty_open_by_driver drivers/tty/tty_io.c:2062 [inline] [<000000005850fc85>] tty_open+0x3f9/0xe10 drivers/tty/tty_io.c:2140 [<000000002bd59ad6>] chrdev_open+0x230/0x630 fs/char_dev.c:398 [<000000009b1caf7e>] do_dentry_open+0x422/0xd20 fs/open.c:791 [<00000000d65ed6fe>] vfs_open+0x105/0x230 fs/open.c:904 [<00000000daa344dc>] do_last fs/namei.c:3457 [inline] [<00000000daa344dc>] path_openat+0xbf5/0x2f60 fs/namei.c:3581 [<0000000080596693>] do_filp_open+0x1a1/0x280 fs/namei.c:3615 [<00000000a9e5037c>] do_sys_open+0x2f0/0x610 fs/open.c:1097 [<0000000029f57824>] SYSC_open fs/open.c:1115 [inline] [<0000000029f57824>] SyS_open+0x2d/0x40 fs/open.c:1110 [<00000000e4961a78>] do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288 [<00000000721c1562>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb Showing all locks held in the system: 2 locks held by khungtaskd/24: #0: (rcu_read_lock){......}, at: [<00000000c8ceea7d>] check_hung_uninterruptible_tasks kernel/hung_task.c:169 [inline] #0: (rcu_read_lock){......}, at: [<00000000c8ceea7d>] watchdog+0x14b/0xaf0 kernel/hung_task.c:263 #1: (tasklist_lock){.+.+..}, at: [<000000008172d7dc>] debug_show_all_locks+0x7f/0x21f kernel/locking/lockdep.c:4339 1 lock held by rsyslogd/1899: #0: (&f->f_pos_lock){+.+.+.}, at: [<0000000031abfb3c>] __fdget_pos+0xa8/0xd0 fs/file.c:782 2 locks held by getty/2026: #0: (&tty->ldisc_sem){++++++}, at: [<000000005dabe19e>] ldsem_down_read+0x33/0x40 drivers/tty/tty_ldsem.c:376 #1: (&ldata->atomic_read_lock){+.+...}, at: [<00000000b5a6b84b>] n_tty_read+0x1fe/0x1820 drivers/tty/n_tty.c:2156 1 lock held by init/746: #0: (tty_mutex){+.+.+.}, at: [<000000005850fc85>] tty_open_by_driver drivers/tty/tty_io.c:2062 [inline] #0: (tty_mutex){+.+.+.}, at: [<000000005850fc85>] tty_open+0x3f9/0xe10 drivers/tty/tty_io.c:2140 1 lock held by init/747: #0: (tty_mutex){+.+.+.}, at: [<000000005850fc85>] tty_open_by_driver drivers/tty/tty_io.c:2062 [inline] #0: (tty_mutex){+.+.+.}, at: [<000000005850fc85>] tty_open+0x3f9/0xe10 drivers/tty/tty_io.c:2140 1 lock held by init/1188: #0: (tty_mutex){+.+.+.}, at: [<000000005850fc85>] tty_open_by_driver drivers/tty/tty_io.c:2062 [inline] #0: (tty_mutex){+.+.+.}, at: [<000000005850fc85>] tty_open+0x3f9/0xe10 drivers/tty/tty_io.c:2140 1 lock held by init/1189: #0: (tty_mutex){+.+.+.}, at: [<000000005850fc85>] tty_open_by_driver drivers/tty/tty_io.c:2062 [inline] #0: (tty_mutex){+.+.+.}, at: [<000000005850fc85>] tty_open+0x3f9/0xe10 drivers/tty/tty_io.c:2140 1 lock held by init/1190: #0: (tty_mutex){+.+.+.}, at: [<000000005850fc85>] tty_open_by_driver drivers/tty/tty_io.c:2062 [inline] #0: (tty_mutex){+.+.+.}, at: [<000000005850fc85>] tty_open+0x3f9/0xe10 drivers/tty/tty_io.c:2140 3 locks held by blkid/12564: #0: (&bdev->bd_mutex){+.+.+.}, at: [<00000000d43aa0e2>] __blkdev_put+0xbb/0x840 fs/block_dev.c:1587 #1: (loop_index_mutex){+.+.+.}, at: [<000000004aef6390>] lo_release+0x20/0x1b0 drivers/block/loop.c:1664 #2: (&lo->lo_ctl_mutex#2){+.+.+.}, at: [<00000000513f2bb9>] __lo_release drivers/block/loop.c:1642 [inline] #2: (&lo->lo_ctl_mutex#2){+.+.+.}, at: [<00000000513f2bb9>] lo_release+0x8c/0x1b0 drivers/block/loop.c:1665 ============================================= NMI backtrace for cpu 1 CPU: 1 PID: 24 Comm: khungtaskd Not tainted 4.9.205-syzkaller #0 ffff8801d98d7cc8 ffffffff81b55e6b 0000000000000001 0000000000000000 0000000000000001 ffffffff8109a001 dffffc0000000000 ffff8801d98d7d00 ffffffff81b6110c 0000000000000001 0000000000000000 0000000000000001 Call Trace: [<0000000066d72fba>] __dump_stack lib/dump_stack.c:15 [inline] [<0000000066d72fba>] dump_stack+0xcb/0x130 lib/dump_stack.c:56 [<000000006858472a>] nmi_cpu_backtrace.cold+0x47/0x87 lib/nmi_backtrace.c:99 [<0000000047e9d0e0>] nmi_trigger_cpumask_backtrace+0x124/0x155 lib/nmi_backtrace.c:60 [<00000000f1345c60>] arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:37 [<00000000d8a3b6b9>] trigger_all_cpu_backtrace include/linux/nmi.h:58 [inline] [<00000000d8a3b6b9>] check_hung_task kernel/hung_task.c:126 [inline] [<00000000d8a3b6b9>] check_hung_uninterruptible_tasks kernel/hung_task.c:183 [inline] [<00000000d8a3b6b9>] watchdog+0x670/0xaf0 kernel/hung_task.c:263 [<0000000003cebedd>] kthread+0x278/0x310 kernel/kthread.c:211 [<00000000c02d7f40>] ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:375 Sending NMI from CPU 1 to CPUs 0: BAD LUCK: lost 57 message(s) from NMI context! NMI backtrace for cpu 0 CPU: 0 PID: 12528 Comm: syz-executor.0 Not tainted 4.9.205-syzkaller #0 task: 0000000062b402c3 task.stack: 000000002c5aee56 RIP: 0010:[] c [<00000000637af29d>] rol32 include/linux/bitops.h:81 [inline] RIP: 0010:[] c [<00000000637af29d>] jhash2 include/linux/jhash.h:139 [inline] RIP: 0010:[] c [<00000000637af29d>] hash_stack lib/stackdepot.c:161 [inline] RIP: 0010:[] c [<00000000637af29d>] depot_save_stack+0x29c/0x4a0 lib/stackdepot.c:217 RSP: 0018:ffff8801a5116910 EFLAGS: 00000282 RAX: 0000000070872e94 RBX: 00000000c4c085ec RCX: 0000000000000023 RDX: 00000000447ab78b RSI: 0000000000000002 RDI: ffff8801a5116988 RBP: ffff8801a5116960 R08: 000000007664ed9f R09: 00000000c1770aea R10: ffffed0034a22d24 R11: ffff8801a5116927 R12: ffff8801da579500 R13: ffff8801a5116970 R14: 0000000000000022 R15: 0000000000000246 FS: 00007f867f44a700(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffde7b2dd2c CR3: 00000001d63b4000 CR4: 00000000001606b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: ffff880102000000c 0000000000000000c ffff8801a5117f48c 0000000000000000c c3c6eee0a32f6cc3c ffff8801c572c360c ffff8801da579500c ffff8801c572c280c ffff8801da579500c 0000000000000246c ffff8801a5116ba0c ffffffff814fe0a4c Call Trace: [<0000000086e49ea8>] save_stack mm/kasan/kasan.c:518 [inline] [<0000000086e49ea8>] set_track mm/kasan/kasan.c:524 [inline] [<0000000086e49ea8>] kasan_slab_free+0x104/0x190 mm/kasan/kasan.c:589 [<000000006342074b>] slab_free_hook mm/slub.c:1355 [inline] [<000000006342074b>] slab_free_freelist_hook mm/slub.c:1377 [inline] [<000000006342074b>] slab_free mm/slub.c:2958 [inline] [<000000006342074b>] kmem_cache_free+0xbe/0x310 mm/slub.c:2980 [<0000000049ddb1f2>] kfree_skbmem+0x9f/0x100 net/core/skbuff.c:627 [<00000000adf5be28>] __kfree_skb net/core/skbuff.c:689 [inline] [<00000000adf5be28>] consume_skb+0xce/0x340 net/core/skbuff.c:761 [<00000000c2b24387>] packet_rcv+0xe0/0x11e0 net/packet/af_packet.c:2140 [<0000000077de7303>] dev_queue_xmit_nit+0x5e0/0x800 net/core/dev.c:1950 [<000000007eef2bf7>] xmit_one net/core/dev.c:2973 [inline] [<000000007eef2bf7>] dev_hard_start_xmit+0xa7/0x8b0 net/core/dev.c:2993 [<00000000b25f6bc2>] __dev_queue_xmit+0x11a3/0x1bd0 net/core/dev.c:3473 [<00000000f1e49d80>] dev_queue_xmit+0x18/0x20 net/core/dev.c:3506 [<00000000ab8aa336>] neigh_hh_output include/net/neighbour.h:486 [inline] [<00000000ab8aa336>] dst_neigh_output include/net/dst.h:468 [inline] [<00000000ab8aa336>] ip_finish_output2+0xbf2/0x1280 net/ipv4/ip_output.c:225 [<0000000096debf0e>] ip_finish_output+0x3c4/0xce0 net/ipv4/ip_output.c:313 [<00000000d6ac9bc9>] NF_HOOK_COND include/linux/netfilter.h:246 [inline] [<00000000d6ac9bc9>] ip_output+0x1ec/0x5b0 net/ipv4/ip_output.c:401 [<000000000b9fe7f1>] dst_output include/net/dst.h:507 [inline] [<000000000b9fe7f1>] ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:124 [<000000007d2b431a>] ip_queue_xmit+0x8a5/0x1890 net/ipv4/ip_output.c:500 [<0000000097f181ee>] __tcp_transmit_skb+0x1943/0x2f20 net/ipv4/tcp_output.c:1041 [<00000000ef46847c>] tcp_transmit_skb net/ipv4/tcp_output.c:1057 [inline] [<00000000ef46847c>] __tcp_retransmit_skb+0x61a/0x1b30 net/ipv4/tcp_output.c:2781 [<0000000011cb2af1>] tcp_retransmit_skb+0x29/0x2b0 net/ipv4/tcp_output.c:2800 [<00000000f08d8434>] tcp_xmit_retransmit_queue.part.0+0x3c1/0xc30 net/ipv4/tcp_output.c:2946 [<000000001f526ef7>] tcp_xmit_retransmit_queue+0x4c/0x60 net/ipv4/tcp_output.c:2873 [<00000000f7a19cb9>] tcp_xmit_recovery.part.0+0x23/0x120 net/ipv4/tcp_input.c:3620 [<00000000995a30cc>] tcp_xmit_recovery net/ipv4/tcp_input.c:3758 [inline] [<00000000995a30cc>] tcp_ack+0x2969/0x4e30 net/ipv4/tcp_input.c:3757 [<00000000978c1542>] tcp_rcv_established+0x426/0x20b0 net/ipv4/tcp_input.c:5611 [<00000000eac33869>] tcp_v4_do_rcv+0x510/0x750 net/ipv4/tcp_ipv4.c:1417 [<0000000000dae1a9>] sk_backlog_rcv include/net/sock.h:881 [inline] [<0000000000dae1a9>] __release_sock+0x138/0x390 net/core/sock.c:2065 [<00000000e93446fc>] release_sock+0x59/0x1c0 net/core/sock.c:2529 [<00000000ee8c9205>] tcp_recvmsg+0xb73/0x2770 net/ipv4/tcp.c:1964 [<00000000ab1e178b>] inet_recvmsg+0x23e/0x4d0 net/ipv4/af_inet.c:797 [<0000000091845a57>] sock_recvmsg_nosec net/socket.c:751 [inline] [<0000000091845a57>] sock_recvmsg net/socket.c:758 [inline] [<0000000091845a57>] sock_recvmsg+0xc8/0x110 net/socket.c:754 [<000000002af1d307>] ___sys_recvmsg+0x234/0x4f0 net/socket.c:2142 [<00000000485441a5>] __sys_recvmsg+0xc5/0x160 net/socket.c:2187 [<00000000fab6b609>] SYSC_recvmsg net/socket.c:2199 [inline] [<00000000fab6b609>] SyS_recvmsg+0x2d/0x50 net/socket.c:2194 [<00000000e4961a78>] do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288 [<00000000721c1562>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb Code: c44 c89 cc2 c44 c31 cc0 cc1