INFO: task syz.7.2534:13318 blocked for more than 143 seconds.
      Tainted: G             L      syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.7.2534      state:D
 stack:23432 pid:13318 tgid:13317 ppid:12535  task_flags:0x400140 flags:0x00080002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5256 [inline]
 __schedule+0x14bc/0x5000 kernel/sched/core.c:6863
 __schedule_loop kernel/sched/core.c:6945 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6960
 io_schedule+0x80/0xd0 kernel/sched/core.c:7789
 __lock_metapage fs/jfs/jfs_metapage.c:52 [inline]
 lock_metapage+0x1f3/0x400 fs/jfs/jfs_metapage.c:66
 __get_metapage+0x49a/0xde0 fs/jfs/jfs_metapage.c:748
 xtSplitPage+0x281/0x2150 fs/jfs/jfs_xtree.c:989
 xtSplitUp+0x31b/0x1f40 fs/jfs/jfs_xtree.c:786
 xtInsert+0x415/0xe30 fs/jfs/jfs_xtree.c:608
 extAlloc+0xa9a/0xfb0 fs/jfs/jfs_extent.c:150
 jfs_get_block+0x346/0xab0 fs/jfs/inode.c:254
 get_more_blocks fs/direct-io.c:648 [inline]
 do_direct_IO fs/direct-io.c:936 [inline]
 __blockdev_direct_IO+0x16ff/0x3490 fs/direct-io.c:1243
 blockdev_direct_IO include/linux/fs.h:3075 [inline]
 jfs_direct_IO+0x119/0x220 fs/jfs/inode.c:339
 generic_file_direct_write+0x1db/0x3e0 mm/filemap.c:4248
 __generic_file_write_iter+0x11d/0x230 mm/filemap.c:4417
 generic_file_write_iter+0x117/0x550 mm/filemap.c:4457
 iter_file_splice_write+0x972/0x10b0 fs/splice.c:738
 do_splice_from fs/splice.c:938 [inline]
 direct_splice_actor+0x101/0x160 fs/splice.c:1161
 splice_direct_to_actor+0x5a8/0xcc0 fs/splice.c:1105
 do_splice_direct_actor fs/splice.c:1204 [inline]
 do_splice_direct+0x181/0x270 fs/splice.c:1230
 do_sendfile+0x4da/0x7e0 fs/read_write.c:1370
 __do_sys_sendfile64 fs/read_write.c:1431 [inline]
 __se_sys_sendfile64+0x13e/0x190 fs/read_write.c:1417
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f791bd8f749
RSP: 002b:00007f791cbe8038 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f791bfe5fa0 RCX: 00007f791bd8f749
RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000004
RBP: 00007f791be13f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000020fffe82 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f791bfe6038 R14: 00007f791bfe5fa0 R15: 00007ffecd8d8e38
 </TASK>

Showing all locks held in the system:
3 locks held by kworker/0:1/10:
 #0: ffff88813fe55948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x841/0x15a0 kernel/workqueue.c:3236
 #1: ffffc900000f7b80 (deferred_process_work){+.+.}-{0:0}, at: process_one_work+0x868/0x15a0 kernel/workqueue.c:3237
 #2: ffffffff8f310348 (rtnl_mutex){+.+.}-{4:4}, at: switchdev_deferred_process_work+0xe/0x20 net/switchdev/switchdev.c:104
5 locks held by kworker/u8:0/12:
1 lock held by khungtaskd/31:
 #0: ffffffff8df419e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8df419e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
 #0: ffffffff8df419e0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6775
3 locks held by kworker/u8:3/49:
 #0: ffff88813fe69948 ((wq_completion)events_unbound#2){+.+.}-{0:0}, at: process_one_work+0x841/0x15a0 kernel/workqueue.c:3236
 #1: ffffc90000ba7b80 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work+0x868/0x15a0 kernel/workqueue.c:3237
 #2: ffffffff8f310348 (rtnl_mutex){+.+.}-{4:4}, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:303
5 locks held by kworker/0:2/130:
 #0: ffff88801da9b548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x841/0x15a0 kernel/workqueue.c:3236
 #1: ffffc90002ed7b80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x868/0x15a0 kernel/workqueue.c:3237
 #2: ffff888028f48198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
 #2: ffff888028f48198 (&dev->mutex){....}-{4:4}, at: hub_event+0x187/0x4ef0 drivers/usb/core/hub.c:5899
 #3: ffff8880526d2198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
 #3: ffff8880526d2198 (&dev->mutex){....}-{4:4}, at: __device_attach+0x88/0x430 drivers/base/dd.c:1006
 #4: ffff888028e86b68 (hcd->bandwidth_mutex){+.+.}-{4:4}, at: usb_set_configuration+0x53e/0x2110 drivers/usb/core/message.c:2077
2 locks held by kworker/u8:8/1309:
 #0: ffff888143aee948 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_one_work+0x841/0x15a0 kernel/workqueue.c:3236
 #1: ffffc9000478fb80 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x868/0x15a0 kernel/workqueue.c:3237
5 locks held by kworker/u8:11/3500:
 #0: ffff88801b2df148 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x841/0x15a0 kernel/workqueue.c:3236
 #1: ffffc9000c827b80 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x868/0x15a0 kernel/workqueue.c:3237
 #2: ffffffff8f302d30 (pernet_ops_rwsem){++++}-{4:4}, at: cleanup_net+0xf7/0x7a0 net/core/net_namespace.c:670
 #3: ffffffff8f310348 (rtnl_mutex){+.+.}-{4:4}, at: ops_exit_rtnl_list net/core/net_namespace.c:173 [inline]
 #3: ffffffff8f310348 (rtnl_mutex){+.+.}-{4:4}, at: ops_undo_list+0x2a4/0x990 net/core/net_namespace.c:248
 #4: ffffffff8df47538 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock kernel/rcu/tree_exp.h:343 [inline]
 #4: ffffffff8df47538 (rcu_state.exp_mutex){+.+.}-{4:4}, at: synchronize_rcu_expedited+0x3b9/0x730 kernel/rcu/tree_exp.h:956
2 locks held by getty/5587:
 #0: ffff8880340a00a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: ffffc9000332b2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x449/0x1460 drivers/tty/n_tty.c:2211
3 locks held by kworker/0:4/5890:
 #0: ffff8880b863a918 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2a/0x140 kernel/sched/core.c:639
 #1: ffff8880b8624588 (psi_seq){-.-.}-{0:0}, at: psi_task_switch+0x53/0x880 kernel/sched/psi.c:933
 #2: ffff8880b8627198 (&base->lock){-.-.}-{2:2}, at: lock_timer_base kernel/time/timer.c:1004 [inline]
 #2: ffff8880b8627198 (&base->lock){-.-.}-{2:2}, at: add_timer_on+0x1ac/0x570 kernel/time/timer.c:1319
3 locks held by kworker/0:8/5923:
 #0: ffff88813fe55948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x841/0x15a0 kernel/workqueue.c:3236
 #1: ffffc9000468fb80 (free_ipc_work){+.+.}-{0:0}, at: process_one_work+0x868/0x15a0 kernel/workqueue.c:3237
 #2: ffffffff8df47538 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock kernel/rcu/tree_exp.h:311 [inline]
 #2: ffffffff8df47538 (rcu_state.exp_mutex){+.+.}-{4:4}, at: synchronize_rcu_expedited+0x2f6/0x730 kernel/rcu/tree_exp.h:956
4 locks held by kworker/u8:19/11186:
 #0: ffff88801cab6148 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x841/0x15a0 kernel/workqueue.c:3236
 #1: ffffc90003517b80 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x868/0x15a0 kernel/workqueue.c:3237
 #2: ffff88807660a0e0 (&type->s_umount_key#83){++++}-{4:4}, at: super_trylock_shared+0x20/0xf0 fs/super.c:563
 #3: ffff88806b6b01c8 (&jfs_ip->commit_mutex){+.+.}-{4:4}, at: jfs_commit_inode+0x1ca/0x530 fs/jfs/inode.c:108
4 locks held by syz.7.2534/13318:
 #0: ffff88807660a420 (sb_writers#24){.+.+}-{0:0}, at: direct_splice_actor+0x49/0x160 fs/splice.c:1160
 #1: ffff88806b6b0578 (&sb->s_type->i_mutex_key#37){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:1027 [inline]
 #1: ffff88806b6b0578 (&sb->s_type->i_mutex_key#37){+.+.}-{4:4}, at: generic_file_write_iter+0xeb/0x550 mm/filemap.c:4454
 #2: ffff88806b6b0138 (&jfs_ip->rdwrlock#2){++++}-{4:4}, at: jfs_get_block+0x141/0xab0 fs/jfs/inode.c:219
 #3: ffff88806b6b01c8 (&jfs_ip->commit_mutex){+.+.}-{4:4}, at: extAlloc+0x13c/0xfb0 fs/jfs/jfs_extent.c:86
1 lock held by syz-executor/17019:
 #0: ffffffff8f310348 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #0: ffffffff8f310348 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #0: ffffffff8f310348 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8ec/0x1c90 net/core/rtnetlink.c:4071
2 locks held by syz.1.3781/17041:
 #0: ffffffff8f377f30 (cb_lock){++++}-{4:4}, at: genl_rcv+0x19/0x40 net/netlink/genetlink.c:1218
 #1: ffffffff8f310348 (rtnl_mutex){+.+.}-{4:4}, at: nl80211_pre_doit+0x5f/0x8e0 net/wireless/nl80211.c:17932
4 locks held by syz.5.3786/17056:
 #0: ffff88807b590ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_do_close net/bluetooth/hci_core.c:499 [inline]
 #0: ffff88807b590ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_unregister_dev+0x212/0x5b0 net/bluetooth/hci_core.c:2715
 #1: ffff88807b5900c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0x1100 net/bluetooth/hci_sync.c:5314
 #2: ffffffff8f481f48 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:2143 [inline]
 #2: ffffffff8f481f48 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x260 net/bluetooth/hci_conn.c:2637
 #3: ffff88806a123b38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5b0 net/bluetooth/l2cap_core.c:1763
2 locks held by syz.7.3787/17055:
 #0: ffffffff8f824570 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8f824570 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
 #0: ffffffff8f824570 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8f310348 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8f310348 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8f310348 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8ec/0x1c90 net/core/rtnetlink.c:4071
3 locks held by syz.4.3788/17058:
 #0: ffff88805b5e8ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_do_close net/bluetooth/hci_core.c:499 [inline]
 #0: ffff88805b5e8ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_unregister_dev+0x212/0x5b0 net/bluetooth/hci_core.c:2715
 #1: ffff88805b5e80c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0x1100 net/bluetooth/hci_sync.c:5314
 #2: ffffffff8f481f48 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:2143 [inline]
 #2: ffffffff8f481f48 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x260 net/bluetooth/hci_conn.c:2637

=============================================

NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 31 Comm: khungtaskd Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x39e/0x3d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
 __sys_info lib/sys_info.c:157 [inline]
 sys_info+0x135/0x170 lib/sys_info.c:165
 check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
 watchdog+0xf95/0xfe0 kernel/hung_task.c:515
 kthread+0x711/0x8a0 kernel/kthread.c:463
 ret_from_fork+0x599/0xb30 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:trace_save_cmdline+0x2ad/0x500 kernel/trace/trace_sched_switch.c:275
Code: be 00 00 00 00 00 fc ff df 48 8b 44 24 38 42 0f b6 04 30 84 c0 0f 85 81 01 00 00 48 8b 44 24 10 44 8b 28 4c 8d bb 08 00 02 00 <4c> 89 f8 48 c1 e8 03 42 80 3c 30 00 74 08 4c 89 ff e8 ad aa 5e 00
RSP: 0018:ffffc90000197aa0 EFLAGS: 00000046
RAX: ffff888030954318 RBX: ffff88813fe80000 RCX: ffff88801cee5b80
RDX: 0000000000000000 RSI: 00000000000000bf RDI: 00000000ffffffff
RBP: ffffc90000197b78 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000032f60 R12: 00000000000000bf
R13: 0000000000002bb3 R14: dffffc0000000000 R15: ffff88813fea0008
FS:  0000000000000000(0000) GS:ffff888125f37000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff3f545fec CR3: 000000000dd3a000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 tracing_record_taskinfo_sched_switch+0x9a/0x370 kernel/trace/trace_sched_switch.c:417
 __do_trace_sched_switch include/trace/events/sched.h:220 [inline]
 trace_sched_switch include/trace/events/sched.h:220 [inline]
 __schedule+0x256b/0x5000 kernel/sched/core.c:6860
 schedule_idle+0x52/0x90 kernel/sched/core.c:6986
 do_idle+0x4b3/0x520 kernel/sched/idle.c:360
 cpu_startup_entry+0x44/0x60 kernel/sched/idle.c:430
 start_secondary+0x101/0x110 arch/x86/kernel/smpboot.c:312
 common_startup_64+0x13e/0x147
 </TASK>
IPVS: rr: UDP 224.0.0.2:0 - no destination available