INFO: task syz-executor310:7966 blocked for more than 140 seconds.
      Not tainted 4.14.281-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor310 D28288  7966   7958 0x00000004
Call Trace:
 context_switch kernel/sched/core.c:2811 [inline]
 __schedule+0x88b/0x1de0 kernel/sched/core.c:3387
 schedule+0x8d/0x1b0 kernel/sched/core.c:3431
 schedule_timeout+0x80a/0xe90 kernel/time/timer.c:1724
 do_wait_for_common kernel/sched/completion.c:91 [inline]
 __wait_for_common kernel/sched/completion.c:112 [inline]
 wait_for_common+0x272/0x430 kernel/sched/completion.c:123
 flush_work+0x3fe/0x770 kernel/workqueue.c:2894
 __cancel_work_timer+0x321/0x460 kernel/workqueue.c:2965
 p9_conn_destroy net/9p/trans_fd.c:898 [inline]
 p9_fd_close+0x28d/0x420 net/9p/trans_fd.c:925
 p9_client_create+0x736/0x12c0 net/9p/client.c:1095
 v9fs_session_init+0x1c5/0x1540 fs/9p/v9fs.c:422
 v9fs_mount+0x73/0x860 fs/9p/vfs_super.c:135
 mount_fs+0x92/0x2a0 fs/super.c:1237
 vfs_kern_mount.part.0+0x5b/0x470 fs/namespace.c:1046
 vfs_kern_mount fs/namespace.c:1036 [inline]
 do_new_mount fs/namespace.c:2572 [inline]
 do_mount+0xe65/0x2a30 fs/namespace.c:2905
 SYSC_mount fs/namespace.c:3121 [inline]
 SyS_mount+0xa8/0x120 fs/namespace.c:3098
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f0bd02d6359
RSP: 002b:00007f0bd0262278 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007f0bd035b4f0 RCX: 00007f0bd02d6359
RDX: 0000000020000080 RSI: 0000000020000300 RDI: 0000000000000000
RBP: 00007f0bd03280bc R08: 0000000020000740 R09: 65732f636f72702f
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0bd0262280
R13: 7277732f7665642f R14: 64663d736e617274 R15: 00007f0bd035b4f8

Showing all locks held in the system:
1 lock held by khungtaskd/1534:
 #0:  (tasklist_lock){.+.+}, at: [] debug_show_all_locks+0x7c/0x21a kernel/locking/lockdep.c:4548
2 locks held by kworker/1:2/3586:
 #0:  ("events"){+.+.}, at: [] process_one_work+0x6b0/0x14a0 kernel/workqueue.c:2088
 #1:  ((&m->rq)){+.+.}, at: [] process_one_work+0x6e6/0x14a0 kernel/workqueue.c:2092
1 lock held by in:imklog/7642:
 #0:  (&f->f_pos_lock){+.+.}, at: [] __fdget_pos+0x1fb/0x2b0 fs/file.c:819

=============================================

NMI backtrace for cpu 1
CPU: 1 PID: 1534 Comm: khungtaskd Not tainted 4.14.281-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 nmi_cpu_backtrace.cold+0x57/0x93 lib/nmi_backtrace.c:101
 nmi_trigger_cpumask_backtrace+0x13a/0x180 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:140 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:195 [inline]
 watchdog+0x5b9/0xb40 kernel/hung_task.c:274
 kthread+0x30d/0x420 kernel/kthread.c:232
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:404
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 4625 Comm: systemd-journal Not tainted 4.14.281-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880a1214180 task.stack: ffff8880a1218000
RIP: 0010:____cache_alloc mm/slab.c:3116 [inline]
RIP: 0010:__do_cache_alloc mm/slab.c:3347 [inline]
RIP: 0010:slab_alloc mm/slab.c:3382 [inline]
RIP: 0010:kmem_cache_alloc+0x1ae/0x3c0 mm/slab.c:3550
RSP: 0018:ffff8880a121fb58 EFLAGS: 00000082
RAX: 0000000000000000 RBX: 00000000014080c0 RCX: 0000000000000000
RDX: 000000000000001b RSI: ffffffff87ccff80 RDI: ffffffff87ccffc0
RBP: ffff8880b60bf080 R08: ffffffff8b9ad0c8 R09: 0000000000000000
R10: 0000000000000000 R11: ffff8880a1214180 R12: ffffe8ffffc02a80
R13: 00000000014080c0 R14: ffff8880b60bf080 R15: 0000000000000282
FS:  00007fe3657538c0(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe362b22000 CR3: 00000000a1305000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 kmem_cache_zalloc include/linux/slab.h:651 [inline]
 get_empty_filp+0x86/0x3f0 fs/file_table.c:123
 path_openat+0x84/0x2970 fs/namei.c:3545
 do_filp_open+0x179/0x3c0 fs/namei.c:3603
 do_sys_open+0x296/0x410 fs/open.c:1081
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7fe364ce2840
RSP: 002b:00007ffccf1a8e78 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007ffccf1a9180 RCX: 00007fe364ce2840
RDX: 00000000000001a0 RSI: 0000000000080042 RDI: 000055777c2b6460
RBP: 000000000000000d R08: 000000000000ffc0 R09: 00000000ffffffff
R10: 0000000000000069 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000055777c2ab040 R14: 00007ffccf1a9140 R15: 000055777c2b64b0
Code: c6 e9 c7 fe ff ff 48 8b 80 a8 04 00 00 a8 04 0f 85 13 ff ff ff 4d 8b 26 e8 90 4a 9b 01 89 c0 4c 03 24 c5 60 9d cc 88 41 8b 14 24 <85> d2 0f 84 73 01 00 00 41 c7 44 24 0c 01 00 00 00 83 ea 01 41
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:   e9 c7 fe ff ff          jmpq   0xfffffecc
   5:   48 8b 80 a8 04 00 00    mov    0x4a8(%rax),%rax
   c:   a8 04                   test   $0x4,%al
   e:   0f 85 13 ff ff ff       jne    0xffffff27
  14:   4d 8b 26                mov    (%r14),%r12
  17:   e8 90 4a 9b 01          callq  0x19b4aac
  1c:   89 c0                   mov    %eax,%eax
  1e:   4c 03 24 c5 60 9d cc    add    -0x773362a0(,%rax,8),%r12
  25:   88
  26:   41 8b 14 24             mov    (%r12),%edx
* 2a:   85 d2                   test   %edx,%edx <-- trapping instruction
  2c:   0f 84 73 01 00 00       je     0x1a5
  32:   41 c7 44 24 0c 01 00    movl   $0x1,0xc(%r12)
  39:   00 00
  3b:   83 ea 01                sub    $0x1,%edx
  3e:   41                      rex.B