INFO: task syz-executor.4:27802 blocked for more than 143 seconds. Not tainted 5.7.0-rc6-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor.4 D28816 27802 389 0x80004006 Call Trace: context_switch kernel/sched/core.c:3367 [inline] __schedule+0x892/0x1d80 kernel/sched/core.c:4083 locks_remove_posix+0x277/0x4e0 fs/locks.c:2706 __sched_text_start+0x8/0x8 spin_unlock_irqrestore include/linux/spinlock.h:408 [inline] prepare_to_wait_event+0x129/0x650 kernel/sched/wait.c:305 __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline] _raw_spin_unlock_irqrestore+0x39/0x40 kernel/locking/spinlock.c:191 schedule+0xcd/0x2b0 kernel/sched/core.c:4158 wdm_flush+0x2ea/0x3c0 drivers/usb/class/cdc-wdm.c:590 wdm_poll+0x280/0x280 include/linux/poll.h:50 finish_wait+0x260/0x260 include/linux/list.h:301 task_work_add+0x97/0x120 kernel/task_work.c:35 wdm_poll+0x280/0x280 include/linux/poll.h:50 filp_close+0xb4/0x170 fs/open.c:1251 close_files fs/file.c:388 [inline] put_files_struct fs/file.c:416 [inline] put_files_struct+0x1d8/0x2e0 fs/file.c:413 exit_files+0x7e/0xa0 fs/file.c:445 do_exit+0xb36/0x2c80 kernel/exit.c:791 find_held_lock+0x2d/0x110 kernel/locking/lockdep.c:4458 mm_update_next_owner+0x7a0/0x7a0 kernel/exit.c:375 lock_downgrade+0x720/0x720 kernel/locking/lockdep.c:4599 do_group_exit+0x125/0x340 kernel/exit.c:894 get_signal+0x480/0x2480 kernel/signal.c:2739 trace_kfree include/trace/events/kmem.h:138 [inline] kfree+0x2a2/0x300 mm/slub.c:4010 do_signal+0x88/0x1ae0 arch/x86/kernel/signal.c:784 finish_wait+0x260/0x260 include/linux/list.h:301 force_valid_ss arch/x86/kernel/signal.c:73 [inline] restore_sigcontext+0x620/0x620 arch/x86/kernel/signal.c:134 wdm_probe+0x2d0/0x2d0 drivers/usb/class/cdc-wdm.c:925 __vfs_write+0x7e/0x100 fs/read_write.c:495 vfs_write+0x161/0x5d0 fs/read_write.c:555 fput_many+0x2f/0x1a0 fs/file_table.c:336 ksys_write+0x1a5/0x250 fs/read_write.c:618 __ia32_sys_read+0xb0/0xb0 fs/read_write.c:596 exit_to_usermode_loop+0x1a2/0x200 arch/x86/entry/common.c:161 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline] syscall_return_slowpath arch/x86/entry/common.c:279 [inline] do_syscall_64+0x4e0/0x5a0 arch/x86/entry/common.c:305 entry_SYSCALL_64_after_hwframe+0x49/0xb3 INFO: task syz-executor.1:27859 blocked for more than 143 seconds. Not tainted 5.7.0-rc6-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor.1 D28552 27859 382 0x80004004 Call Trace: context_switch kernel/sched/core.c:3367 [inline] __schedule+0x892/0x1d80 kernel/sched/core.c:4083 locks_remove_posix+0x277/0x4e0 fs/locks.c:2706 __sched_text_start+0x8/0x8 spin_unlock_irqrestore include/linux/spinlock.h:408 [inline] prepare_to_wait_event+0x129/0x650 kernel/sched/wait.c:305 __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline] _raw_spin_unlock_irqrestore+0x39/0x40 kernel/locking/spinlock.c:191 schedule+0xcd/0x2b0 kernel/sched/core.c:4158 wdm_flush+0x2ea/0x3c0 drivers/usb/class/cdc-wdm.c:590 wdm_poll+0x280/0x280 include/linux/poll.h:50 finish_wait+0x260/0x260 include/linux/list.h:301 spin_unlock include/linux/spinlock.h:393 [inline] task_unlock include/linux/sched/task.h:180 [inline] exit_files+0x76/0xa0 fs/file.c:444 wdm_poll+0x280/0x280 include/linux/poll.h:50 filp_close+0xb4/0x170 fs/open.c:1251 close_files fs/file.c:388 [inline] put_files_struct fs/file.c:416 [inline] put_files_struct+0x1d8/0x2e0 fs/file.c:413 exit_files+0x7e/0xa0 fs/file.c:445 do_exit+0xb36/0x2c80 kernel/exit.c:791 find_held_lock+0x2d/0x110 kernel/locking/lockdep.c:4458 mm_update_next_owner+0x7a0/0x7a0 kernel/exit.c:375 lock_downgrade+0x720/0x720 kernel/locking/lockdep.c:4599 do_group_exit+0x125/0x340 kernel/exit.c:894 get_signal+0x480/0x2480 kernel/signal.c:2739 schedule_timeout_idle+0x80/0x80 kernel/time/timer.c:1942 do_signal+0x88/0x1ae0 arch/x86/kernel/signal.c:784 free_object+0x5/0x70 lib/debugobjects.c:429 destroy_hrtimer_on_stack kernel/time/hrtimer.c:453 [inline] hrtimer_nanosleep+0x211/0x3a0 kernel/time/hrtimer.c:1947 nanosleep_copyout+0x100/0x100 kernel/time/hrtimer.c:1861 force_valid_ss arch/x86/kernel/signal.c:73 [inline] restore_sigcontext+0x620/0x620 arch/x86/kernel/signal.c:134 hrtimer_init_sleeper_on_stack+0x90/0x90 kernel/time/hrtimer.c:1833 put_old_itimerspec32+0x1d0/0x1d0 kernel/time/time.c:908 __do_sys_nanosleep kernel/time/hrtimer.c:1962 [inline] __se_sys_nanosleep kernel/time/hrtimer.c:1953 [inline] __x64_sys_nanosleep+0x1ed/0x260 kernel/time/hrtimer.c:1953 hrtimer_nanosleep+0x3a0/0x3a0 kernel/time/hrtimer.c:1943 exit_to_usermode_loop+0x1a2/0x200 arch/x86/entry/common.c:161 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline] syscall_return_slowpath arch/x86/entry/common.c:279 [inline] do_syscall_64+0x4e0/0x5a0 arch/x86/entry/common.c:305 entry_SYSCALL_64_after_hwframe+0x49/0xb3 Showing all locks held in the system: 1 lock held by khungtaskd/23: #0: ffffffff87111260 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x264 kernel/locking/lockdep.c:5754 1 lock held by in:imklog/269: 2 locks held by agetty/24549: #0: ffff8881cf63c098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x22/0x80 drivers/tty/tty_ldisc.c:267 #1: ffffc9001103a2e8 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x220/0x1b30 drivers/tty/n_tty.c:2156 ============================================= NMI backtrace for cpu 1 CPU: 1 PID: 23 Comm: khungtaskd Not tainted 5.7.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xef/0x16e lib/dump_stack.c:118 irq_force_complete_move.cold+0x13/0x47 arch/x86/kernel/apic/vector.c:1023 nmi_cpu_backtrace.cold+0x70/0xb1 lib/nmi_backtrace.c:101 lapic_can_unplug_cpu.cold+0x3b/0x3b nmi_trigger_cpumask_backtrace+0x1db/0x207 lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:205 [inline] watchdog+0xa99/0xfd0 kernel/hung_task.c:289 reset_hung_task_detector+0x30/0x30 kernel/hung_task.c:243 kthread+0x326/0x430 kernel/kthread.c:268 kthread_create_on_node+0xf0/0xf0 kernel/kthread.c:405 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:351 Sending NMI from CPU 1 to CPUs 0: cdc_wdm 5-1:118.0: wdm_int_callback - 0 bytes NMI backtrace for cpu 0 CPU: 0 PID: 149 Comm: systemd-journal Not tainted 5.7.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:io_serial_in+0x60/0x80 drivers/tty/serial/8250/8250_port.c:447 Code: 0f b6 8d f1 00 00 00 48 8d 7d 40 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 d3 e3 80 3c 02 00 75 13 03 5d 40 89 da ec <5b> 0f b6 c0 5d c3 e8 65 75 44 ff eb c9 e8 8e 75 44 ff eb e6 66 90 RSP: 0018:ffff8881db209440 EFLAGS: 00000002 RAX: dffffc0000000060 RBX: 00000000000003fd RCX: 0000000000000000 RDX: 00000000000003fd RSI: ffffffff8225393c RDI: ffffffff8a059fc0 RBP: ffffffff8a059f80 R08: ffff8881d274e300 R09: ffffed103b64128e R10: 0000000000000003 R11: ffffed103b64128d R12: 0000000000000020 R13: fffffbfff140b441 R14: fffffbfff140b3fa R15: dffffc0000000000 FS: 00007f9814f8c8c0(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f980e83f008 CR3: 00000001d1dbd000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: serial_in drivers/tty/serial/8250/8250.h:113 [inline] wait_for_xmitr+0x9a/0x210 drivers/tty/serial/8250/8250_port.c:2057 serial8250_console_putchar+0x1b/0x50 drivers/tty/serial/8250/8250_port.c:3192 uart_console_write+0x59/0x100 drivers/tty/serial/serial_core.c:1949 wait_for_xmitr+0x210/0x210 drivers/tty/serial/8250/8250_port.c:2070 serial8250_console_write+0x87b/0xa20 drivers/tty/serial/8250/8250_port.c:3264 serial8250_config_port+0x2490/0x2490 drivers/tty/serial/8250/8250_port.c:1006 lock_downgrade+0x720/0x720 kernel/locking/lockdep.c:4599 atomic_try_cmpxchg include/asm-generic/atomic-instrumented.h:694 [inline] queued_spin_lock include/asm-generic/qspinlock.h:78 [inline] do_raw_spin_lock+0x129/0x290 kernel/locking/spinlock_debug.c:113 rwlock_bug.part.0+0x90/0x90 include/linux/sched.h:1332 univ8250_console_exit+0x60/0x60 drivers/tty/serial/8250/8250_core.c:615 call_console_drivers kernel/printk/printk.c:1816 [inline] console_unlock+0x843/0xca0 kernel/printk/printk.c:2498 vprintk_emit+0x16d/0x3e0 kernel/printk/printk.c:2021 dev_vprintk_emit+0x4fc/0x541 drivers/base/core.c:3774 dev_attr_show.cold+0x3a/0x3a drivers/base/core.c:1244 unwind_get_return_address arch/x86/kernel/unwind_orc.c:317 [inline] unwind_get_return_address+0x5a/0xa0 arch/x86/kernel/unwind_orc.c:312 profile_setup.cold+0xc1/0xc1 test_bit include/asm-generic/bitops/instrumented-non-atomic.h:110 [inline] hlock_class kernel/locking/lockdep.c:179 [inline] lookup_chain_cache_add kernel/locking/lockdep.c:3146 [inline] validate_chain kernel/locking/lockdep.c:3202 [inline] __lock_acquire+0x2248/0x6650 kernel/locking/lockdep.c:4355 dev_printk_emit+0xba/0xf1 drivers/base/core.c:3785 dev_vprintk_emit+0x541/0x541 drivers/base/core.c:3775 mark_held_locks+0xe0/0xe0 kernel/locking/lockdep.c:3620 rcu_read_lock include/linux/rcupdate.h:602 [inline] percpu_ref_get_many include/linux/percpu-refcount.h:189 [inline] memcg_charge_slab mm/slab.h:377 [inline] charge_slab_page mm/slab.h:491 [inline] alloc_slab_page+0x1b2/0x7d0 mm/slub.c:1530 __dev_printk+0x1db/0x203 drivers/base/core.c:3797 _dev_err+0xd7/0x109 drivers/base/core.c:3840 _dev_crit+0x109/0x109 drivers/base/core.c:3839 find_held_lock+0x2d/0x110 kernel/locking/lockdep.c:4458 kcov_remote_start_usb include/linux/kcov.h:52 [inline] __usb_hcd_giveback_urb+0x26f/0x550 drivers/usb/core/hcd.c:1649 atomic_try_cmpxchg include/asm-generic/atomic-instrumented.h:694 [inline] queued_spin_lock include/asm-generic/qspinlock.h:78 [inline] do_raw_spin_lock+0x129/0x290 kernel/locking/spinlock_debug.c:113 lock_downgrade+0x720/0x720 kernel/locking/lockdep.c:4599 wdm_int_callback+0x136/0x7c0 drivers/usb/class/cdc-wdm.c:258 wdm_int_callback.cold+0x155/0x2a6 drivers/usb/class/cdc-wdm.c:259 __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650 usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716 dummy_timer+0x125e/0x32b4 drivers/usb/gadget/udc/dummy_hcd.c:1967 test_bit include/asm-generic/bitops/instrumented-non-atomic.h:110 [inline] hlock_class kernel/locking/lockdep.c:179 [inline] lookup_chain_cache_add kernel/locking/lockdep.c:3146 [inline] validate_chain kernel/locking/lockdep.c:3202 [inline] __lock_acquire+0x2248/0x6650 kernel/locking/lockdep.c:4355 dummy_udc_probe+0x980/0x980 include/linux/device.h:699 lock_is_held include/linux/lockdep.h:406 [inline] rcu_read_lock_sched_held+0x9c/0xd0 kernel/rcu/update.c:121 rcu_read_lock_bh_held+0xb0/0xb0 kernel/rcu/update.c:333 call_timer_fn+0x1ac/0x700 kernel/time/timer.c:1405 dummy_udc_probe+0x980/0x980 include/linux/device.h:699 timer_fixup_init+0x60/0x60 kernel/time/timer.c:632 lock_downgrade+0x720/0x720 kernel/locking/lockdep.c:4599 lock_is_held include/linux/lockdep.h:406 [inline] rcu_read_lock_sched_held+0x9c/0xd0 kernel/rcu/update.c:121 rcu_read_lock_bh_held+0xb0/0xb0 kernel/rcu/update.c:333 __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline] _raw_spin_unlock_irq+0x1f/0x30 kernel/locking/spinlock.c:199 dummy_udc_probe+0x980/0x980 include/linux/device.h:699 expire_timers kernel/time/timer.c:1450 [inline] __run_timers kernel/time/timer.c:1774 [inline] __run_timers kernel/time/timer.c:1741 [inline] run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1787 add_timer+0x7a0/0x7a0 kernel/time/timer.c:893 lock_is_held include/linux/lockdep.h:406 [inline] rcu_read_lock_sched_held+0x9c/0xd0 kernel/rcu/update.c:121 rcu_read_lock_bh_held+0xb0/0xb0 kernel/rcu/update.c:333 __do_softirq+0x21e/0x9aa kernel/softirq.c:292 invoke_softirq kernel/softirq.c:373 [inline] irq_exit+0x178/0x1a0 kernel/softirq.c:413 exiting_irq arch/x86/include/asm/apic.h:546 [inline] smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1140 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829 RIP: 0010:__sanitizer_cov_trace_pc+0x31/0x60 kernel/kcov.c:197 Code: 02 00 65 8b 15 e8 cf c1 7e f7 c2 00 01 1f 00 48 8b 34 24 74 0f 80 e6 01 74 35 8b 90 2c 13 00 00 85 d2 74 2b 8b 90 08 13 00 00 <83> fa 02 75 20 48 8b 88 10 13 00 00 8b 80 0c 13 00 00 48 8b 11 48 RSP: 0018:ffff8881d1937980 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 RAX: ffff8881d274e300 RBX: ffff8881da1636a0 RCX: ffffffff81756f21 RDX: 0000000000000000 RSI: ffffffff81756f35 RDI: 0000000000000004 RBP: 00000000000013f4 R08: ffff8881d274e300 R09: ffffed103a88cd54 R10: ffff8881d4466a9b R11: ffffed103a88cd53 R12: 00000000000013f4 R13: 0000000000000002 R14: 0000000000000000 R15: ffff8881d1937bc0 __legitimize_mnt+0x21/0x240 fs/namespace.c:566 __legitimize_mnt+0x35/0x240 fs/namespace.c:571 __legitimize_mnt+0x35/0x240 fs/namespace.c:571 __legitimize_path.isra.0+0x3c/0x1c0 fs/namei.c:596 legitimize_path fs/namei.c:613 [inline] legitimize_root+0x106/0x160 fs/namei.c:643 unlazy_walk+0x12a/0x3b0 fs/namei.c:679 may_lookup fs/namei.c:1558 [inline] link_path_walk.part.0+0x6c7/0xb50 fs/namei.c:2111 walk_component+0x6a0/0x6a0 fs/namei.c:482 mark_held_locks+0xe0/0xe0 kernel/locking/lockdep.c:3620 link_path_walk fs/namei.c:2097 [inline] path_lookupat.isra.0+0x8d/0x530 fs/namei.c:2318 filename_lookup+0x1a3/0x3e0 fs/namei.c:2352 fs_reclaim_release+0xa/0x20 mm/page_alloc.c:4170 nd_jump_link+0x360/0x360 fs/namei.c:895 __phys_addr_symbol+0x2c/0x70 arch/x86/mm/physaddr.c:42 overlaps mm/usercopy.c:110 [inline] check_kernel_text_object mm/usercopy.c:142 [inline] __check_object_size mm/usercopy.c:289 [inline] __check_object_size+0x1af/0x39f mm/usercopy.c:256 strncpy_from_user+0x2ac/0x3e0 lib/strncpy_from_user.c:122 audit_getname include/linux/audit.h:328 [inline] getname_flags fs/namei.c:202 [inline] getname_flags+0x275/0x5b0 fs/namei.c:128 user_path_at include/linux/namei.h:59 [inline] vfs_statx+0x119/0x1e0 fs/stat.c:197 vfs_statx_fd+0xb0/0xb0 fs/stat.c:140 pv_queued_spin_unlock arch/x86/include/asm/paravirt.h:650 [inline] queued_spin_unlock arch/x86/include/asm/qspinlock.h:55 [inline] do_raw_spin_unlock+0x148/0x220 kernel/locking/spinlock_debug.c:139 fast_dput fs/dcache.c:727 [inline] dput+0x35/0xdf0 fs/dcache.c:846 __raw_spin_unlock include/linux/spinlock_api_smp.h:151 [inline] _raw_spin_unlock+0x1a/0x30 kernel/locking/spinlock.c:183 vfs_lstat include/linux/fs.h:3284 [inline] __do_sys_newlstat+0x96/0x120 fs/stat.c:364 __do_sys_newstat+0x120/0x120 fs/stat.c:356 __secure_computing+0xb4/0x280 kernel/seccomp.c:950 syscall_trace_enter+0x41d/0xcd0 arch/x86/entry/common.c:130 syscall_slow_exit_work+0x5f0/0x5f0 include/linux/tracehook.h:75 trace_hardirqs_off_caller+0x55/0x200 kernel/trace/trace_preemptirq.c:73 do_syscall_64+0xb6/0x5a0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x7f9814248335 Code: 69 db 2b 00 64 c7 00 16 00 00 00 b8 ff ff ff ff c3 0f 1f 40 00 83 ff 01 48 89 f0 77 30 48 89 c7 48 89 d6 b8 06 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 03 f3 c3 90 48 8b 15 31 db 2b 00 f7 d8 64 89 RSP: 002b:00007ffdb2273c98 EFLAGS: 00000246 ORIG_RAX: 0000000000000006 RAX: ffffffffffffffda RBX: 000055922e32e290 RCX: 00007f9814248335 RDX: 00007ffdb2273cd0 RSI: 00007ffdb2273cd0 RDI: 000055922e32d290 RBP: 00007ffdb2273d90 R08: 0000000000000003 R09: 0000000000001010 R10: 0000000000000030 R11: 0000000000000246 R12: 000055922e32d290 R13: 000055922e32d2a5 R14: 000055922e32ac86 R15: 000055922e32ac8e