INFO: task syz.6.1984:16071 blocked for more than 143 seconds.
Not tainted 6.12.0-syzkaller-01892-g8f7c8b88bda4 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.6.1984 state:D stack:25808 pid:16071 tgid:16071 ppid:10666 flags:0x00000004
Call Trace:
context_switch kernel/sched/core.c:5369 [inline]
__schedule+0xe5a/0x5ae0 kernel/sched/core.c:6756
__schedule_loop kernel/sched/core.c:6833 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6848
schedule_timeout+0x244/0x280 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3e1/0x600 kernel/sched/completion.c:116
wait_for_common kernel/sched/completion.c:127 [inline]
wait_for_completion_state+0x1c/0x40 kernel/sched/completion.c:264
coredump_wait fs/coredump.c:418 [inline]
do_coredump+0x82f/0x4160 fs/coredump.c:575
get_signal+0x23f3/0x2610 kernel/signal.c:3001
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
irqentry_exit_to_user_mode+0x13f/0x280 kernel/entry/common.c:231
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7fbfda6516c9
RSP: 002b:00007ffceaea7000 EFLAGS: 00010246
RAX: 0000000000000080 RBX: 0000000000000002 RCX: ffffffffe0000000
RDX: d9cbc58115de25d3 RSI: 0000000000000000 RDI: 000055558f1f13c8
RBP: 00007fbfda937ba0 R08: 00007fbfda600000 R09: 0000000000000003
R10: 0000000000000001 R11: 0000000000000004 R12: 0000000000087eb4
R13: 00007fbfda936160 R14: 0000000000000032 R15: fffffffffffffffe
Showing all locks held in the system:
1 lock held by khungtaskd/30:
#0: ffffffff8ddba680 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
#0: ffffffff8ddba680 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
#0: ffffffff8ddba680 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x7f/0x390 kernel/locking/lockdep.c:6744
2 locks held by getty/5603:
#0: ffff88814d75a0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc900032332f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0xfba/0x1480 drivers/tty/n_tty.c:2211
5 locks held by kworker/u9:2/5842:
#0: ffff888031256148 ((wq_completion)hci7){+.+.}-{0:0}, at: process_one_work+0x1212/0x1b30 kernel/workqueue.c:3204
#1: ffffc900037cfd80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x8bb/0x1b30 kernel/workqueue.c:3205
#2: ffff888061564d80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:331
#3: ffff888061564078 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x151/0xba0 net/bluetooth/hci_sync.c:5577
#4: ffffffff8ddc5fb8 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock+0x282/0x3b0 kernel/rcu/tree_exp.h:297
5 locks held by kworker/u9:5/5852:
#0: ffff888075d72948 ((wq_completion)hci5){+.+.}-{0:0}, at: process_one_work+0x1212/0x1b30 kernel/workqueue.c:3204
#1: ffffc9000385fd80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x8bb/0x1b30 kernel/workqueue.c:3205
#2: ffff88803f8b4d80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:331
#3: ffff88803f8b4078 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x151/0xba0 net/bluetooth/hci_sync.c:5577
#4: ffffffff8fd34308 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
#4: ffffffff8fd34308 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_failed+0x158/0x340 net/bluetooth/hci_conn.c:1265
3 locks held by kworker/0:6/5898:
#0: ffff88801ac80948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x1212/0x1b30 kernel/workqueue.c:3204
#1: ffffc90003e1fd80 (free_ipc_work){+.+.}-{0:0}, at: process_one_work+0x8bb/0x1b30 kernel/workqueue.c:3205
#2: ffffffff8ddc5fb8 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock+0x1a4/0x3b0 kernel/rcu/tree_exp.h:329
3 locks held by kworker/u8:15/8185:
5 locks held by kworker/u9:0/14117:
#0: ffff88806555a948 ((wq_completion)hci6){+.+.}-{0:0}, at: process_one_work+0x1212/0x1b30 kernel/workqueue.c:3204
#1: ffffc9000535fd80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x8bb/0x1b30 kernel/workqueue.c:3205
#2: ffff88807eca8d80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:331
#3: ffff88807eca8078 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x151/0xba0 net/bluetooth/hci_sync.c:5577
#4: ffffffff8fd34308 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
#4: ffffffff8fd34308 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_failed+0x158/0x340 net/bluetooth/hci_conn.c:1265
2 locks held by syz.6.1984/16075:
#0: ffffffff8fb6c890 (cb_lock){++++}-{4:4}, at: genl_rcv+0x19/0x40 net/netlink/genetlink.c:1218
#1: ffffffff8e1d8868 (nfsd_mutex){+.+.}-{4:4}, at: nfsd_nl_listener_set_doit+0xe3/0x1b40 fs/nfsd/nfsctl.c:1964
2 locks held by syz.3.2001/16185:
#0: ffffffff8fb6c890 (cb_lock){++++}-{4:4}, at: genl_rcv+0x19/0x40 net/netlink/genetlink.c:1218
#1: ffffffff8e1d8868 (nfsd_mutex){+.+.}-{4:4}, at: nfsd_nl_threads_set_doit+0x694/0xbe0 fs/nfsd/nfsctl.c:1671
2 locks held by syz.8.2004/16211:
#0: ffff88806ac460e0 (&type->s_umount_key#52){++++}-{4:4}, at: __super_lock fs/super.c:56 [inline]
#0: ffff88806ac460e0 (&type->s_umount_key#52){++++}-{4:4}, at: __super_lock_excl fs/super.c:71 [inline]
#0: ffff88806ac460e0 (&type->s_umount_key#52){++++}-{4:4}, at: deactivate_super+0xd6/0x100 fs/super.c:505
#1: ffffffff8e1d8868 (nfsd_mutex){+.+.}-{4:4}, at: nfsd_shutdown_threads+0x5b/0xf0 fs/nfsd/nfssvc.c:625
2 locks held by syz.5.2006/16258:
#0: ffffffff8fb6c890 (cb_lock){++++}-{4:4}, at: genl_rcv+0x19/0x40 net/netlink/genetlink.c:1218
#1: ffffffff8e1d8868 (nfsd_mutex){+.+.}-{4:4}, at: nfsd_nl_threads_set_doit+0x694/0xbe0 fs/nfsd/nfsctl.c:1671
2 locks held by syz-executor/16641:
#0: ffff88803531c0e0 (&type->s_umount_key#52){++++}-{4:4}, at: __super_lock fs/super.c:56 [inline]
#0: ffff88803531c0e0 (&type->s_umount_key#52){++++}-{4:4}, at: __super_lock_excl fs/super.c:71 [inline]
#0: ffff88803531c0e0 (&type->s_umount_key#52){++++}-{4:4}, at: deactivate_super+0xd6/0x100 fs/super.c:505
#1: ffffffff8e1d8868 (nfsd_mutex){+.+.}-{4:4}, at: nfsd_shutdown_threads+0x5b/0xf0 fs/nfsd/nfssvc.c:625
2 locks held by syz-executor/16679:
#0: ffff888097e480e0 (&type->s_umount_key#52){++++}-{4:4}, at: __super_lock fs/super.c:56 [inline]
#0: ffff888097e480e0 (&type->s_umount_key#52){++++}-{4:4}, at: __super_lock_excl fs/super.c:71 [inline]
#0: ffff888097e480e0 (&type->s_umount_key#52){++++}-{4:4}, at: deactivate_super+0xd6/0x100 fs/super.c:505
#1: ffffffff8e1d8868 (nfsd_mutex){+.+.}-{4:4}, at: nfsd_shutdown_threads+0x5b/0xf0 fs/nfsd/nfssvc.c:625
2 locks held by syz-executor/16712:
#0: ffff8880835a60e0 (&type->s_umount_key#52){++++}-{4:4}, at: __super_lock fs/super.c:56 [inline]
#0: ffff8880835a60e0 (&type->s_umount_key#52){++++}-{4:4}, at: __super_lock_excl fs/super.c:71 [inline]
#0: ffff8880835a60e0 (&type->s_umount_key#52){++++}-{4:4}, at: deactivate_super+0xd6/0x100 fs/super.c:505
#1: ffffffff8e1d8868 (nfsd_mutex){+.+.}-{4:4}, at: nfsd_shutdown_threads+0x5b/0xf0 fs/nfsd/nfssvc.c:625
2 locks held by syz.4.2192/17929:
#0: ffff88802789c0e0 (&type->s_umount_key#52){++++}-{4:4}, at: __super_lock fs/super.c:56 [inline]
#0: ffff88802789c0e0 (&type->s_umount_key#52){++++}-{4:4}, at: __super_lock_excl fs/super.c:71 [inline]
#0: ffff88802789c0e0 (&type->s_umount_key#52){++++}-{4:4}, at: deactivate_super+0xd6/0x100 fs/super.c:505
#1: ffffffff8e1d8868 (nfsd_mutex){+.+.}-{4:4}, at: nfsd_shutdown_threads+0x5b/0xf0 fs/nfsd/nfssvc.c:625
3 locks held by syz-executor/18564:
#0: ffff88809d100d80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_do_close+0x26/0x90 net/bluetooth/hci_core.c:481
#1: ffff88809d100078 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x34c/0x1260 net/bluetooth/hci_sync.c:5193
#2: ffffffff8fd34308 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:1972 [inline]
#2: ffffffff8fd34308 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xc4/0x260 net/bluetooth/hci_conn.c:2592
2 locks held by syz-executor/18694:
#0: ffff888096cc00e0 (&type->s_umount_key#52){++++}-{4:4}, at: __super_lock fs/super.c:56 [inline]
#0: ffff888096cc00e0 (&type->s_umount_key#52){++++}-{4:4}, at: __super_lock_excl fs/super.c:71 [inline]
#0: ffff888096cc00e0 (&type->s_umount_key#52){++++}-{4:4}, at: deactivate_super+0xd6/0x100 fs/super.c:505
#1: ffffffff8e1d8868 (nfsd_mutex){+.+.}-{4:4}, at: nfsd_shutdown_threads+0x5b/0xf0 fs/nfsd/nfssvc.c:625
3 locks held by syz.3.2269/19319:
#0: ffff88809da8cd80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_do_close+0x26/0x90 net/bluetooth/hci_core.c:481
#1: ffff88809da8c078 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x34c/0x1260 net/bluetooth/hci_sync.c:5193
#2: ffffffff8fd34308 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:1972 [inline]
#2: ffffffff8fd34308 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xc4/0x260 net/bluetooth/hci_conn.c:2592
1 lock held by syz.0.2322/19726:
3 locks held by syz-executor/19837:
#0: ffff888098220d80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_do_close+0x26/0x90 net/bluetooth/hci_core.c:481
#1: ffff888098220078 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x34c/0x1260 net/bluetooth/hci_sync.c:5193
#2: ffffffff8fd34308 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:1972 [inline]
#2: ffffffff8fd34308 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xc4/0x260 net/bluetooth/hci_conn.c:2592
=============================================
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.12.0-syzkaller-01892-g8f7c8b88bda4 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline]
watchdog+0xf0c/0x1240 kernel/hung_task.c:379
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 8185 Comm: kworker/u8:15 Not tainted 6.12.0-syzkaller-01892-g8f7c8b88bda4 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Workqueue: events_unbound cfg80211_wiphy_work
RIP: 0010:on_stack arch/x86/include/asm/stacktrace.h:55 [inline]
RIP: 0010:stack_access_ok+0x0/0x200 arch/x86/kernel/unwind_orc.c:393
Code: 8b 8d 28 ff ff ff 44 8b 85 30 ff ff ff e9 b0 fe ff ff 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <48> b8 00 00 00 00 00 fc ff df 41 57 41 56 4c 8d 77 08 41 55 41 54
RSP: 0018:ffffc9000d6b6ba0 EFLAGS: 00000283
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff90ac7628
RDX: 0000000000000008 RSI: ffffc9000d6b6cf8 RDI: ffffc9000d6b6c68
RBP: ffffc9000d6b6cf8 R08: 0000000000000001 R09: ffffffff90ac762c
R10: ffffc9000d6b6c68 R11: 0000000000003431 R12: ffffc9000d6b6cb8
R13: ffffc9000d6b6c68 R14: ffffc9000d6b6d08 R15: ffffc9000d6b6d00
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4e50ce3cbd CR3: 000000000db7e000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
deref_stack_reg arch/x86/kernel/unwind_orc.c:403 [inline]
unwind_next_frame+0x15dd/0x20c0 arch/x86/kernel/unwind_orc.c:648
__unwind_start arch/x86/kernel/unwind_orc.c:760 [inline]
__unwind_start+0x437/0x7c0 arch/x86/kernel/unwind_orc.c:685
unwind_start arch/x86/include/asm/unwind.h:64 [inline]
arch_stack_walk+0x74/0x100 arch/x86/kernel/stacktrace.c:24
stack_trace_save+0x95/0xd0 kernel/stacktrace.c:122
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_noprof+0x1e8/0x410 mm/slub.c:4276
kmalloc_noprof include/linux/slab.h:883 [inline]
kzalloc_noprof include/linux/slab.h:1015 [inline]
ieee802_11_parse_elems_full+0xe6/0x1630 net/mac80211/parse.c:958
ieee802_11_parse_elems_crc net/mac80211/ieee80211_i.h:2385 [inline]
ieee802_11_parse_elems net/mac80211/ieee80211_i.h:2392 [inline]
ieee80211_inform_bss+0xf1/0x10f0 net/mac80211/scan.c:79
rdev_inform_bss net/wireless/rdev-ops.h:418 [inline]
cfg80211_inform_single_bss_data+0x8b1/0x1e40 net/wireless/scan.c:2333
cfg80211_inform_bss_data+0x254/0x3e40 net/wireless/scan.c:3188
cfg80211_inform_bss_frame_data+0x253/0x8a0 net/wireless/scan.c:3283
ieee80211_bss_info_update+0x311/0xab0 net/mac80211/scan.c:226
ieee80211_rx_bss_info net/mac80211/ibss.c:1100 [inline]
ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1579 [inline]
ieee80211_ibss_rx_queued_mgmt+0x1952/0x3030 net/mac80211/ibss.c:1606
ieee80211_iface_process_skb net/mac80211/iface.c:1603 [inline]
ieee80211_iface_work+0xc0b/0xf00 net/mac80211/iface.c:1657
cfg80211_wiphy_work+0x3d9/0x550 net/wireless/core.c:440
process_one_work+0x958/0x1b30 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244