ieee802154 phy0 wpan0: encryption failed: -22
ieee802154 phy1 wpan1: encryption failed: -22
INFO: task syz-fuzzer:8126 blocked for more than 140 seconds.
Not tainted 4.19.211-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-fuzzer D26400 8126 8117 0x00000004
Call Trace:
context_switch kernel/sched/core.c:2828 [inline]
__schedule+0x887/0x2040 kernel/sched/core.c:3517
schedule+0x8d/0x1b0 kernel/sched/core.c:3561
__rwsem_down_read_failed_common kernel/locking/rwsem-xadd.c:292 [inline]
rwsem_down_read_failed+0x20a/0x390 kernel/locking/rwsem-xadd.c:309
call_rwsem_down_read_failed+0x14/0x30 arch/x86/lib/rwsem.S:94
__down_read arch/x86/include/asm/rwsem.h:83 [inline]
down_read+0x44/0x80 kernel/locking/rwsem.c:26
__do_page_fault+0x97f/0xd60 arch/x86/mm/fault.c:1348
page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1205
RIP: 0033:0x418478
Code: Bad RIP value.
RSP: 002b:000000c0037130a0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00007f2e27965d08 RCX: 00007f2e27965d08
RDX: 00007f2e29a4b080 RSI: 00007f2e27965d08 RDI: 00000011000001c9
RBP: 000000c003713108 R08: 00000000018983b8 R09: 0000000000000000
R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000040
R13: 0000000000000040 R14: ffffffffffffffff R15: 000000c020ea4ea0

Showing all locks held in the system:
4 locks held by kworker/u4:1/23:
2 locks held by kworker/u4:2/54:
#0: 000000001e193950 ((wq_completion)"events_unbound"){+.+.}, at: process_one_work+0x767/0x1570 kernel/workqueue.c:2124
#1: 000000000c7c2b69 (connector_reaper_work){+.+.}, at: process_one_work+0x79c/0x1570 kernel/workqueue.c:2128
2 locks held by kworker/u4:3/211:
#0: 000000001e193950 ((wq_completion)"events_unbound"){+.+.}, at: process_one_work+0x767/0x1570 kernel/workqueue.c:2124
#1: 000000007bded1d2 ((reaper_work).work){+.+.}, at: process_one_work+0x79c/0x1570 kernel/workqueue.c:2128
1 lock held by khungtaskd/1570:
#0: 000000009e0c672b (rcu_read_lock){....}, at: debug_show_all_locks+0x53/0x265 kernel/locking/lockdep.c:4441
2 locks held by kworker/1:2/2733:
3 locks held by kworker/u4:5/2945:
1 lock held by systemd-journal/4678:
1 lock held by in:imklog/7821:
1 lock held by syz-fuzzer/8120:
#0: 000000006b255565 (&mm->mmap_sem){++++}, at: __do_page_fault+0x97f/0xd60 arch/x86/mm/fault.c:1348
1 lock held by syz-fuzzer/8126:
#0: 000000006b255565 (&mm->mmap_sem){++++}, at: __do_page_fault+0x97f/0xd60 arch/x86/mm/fault.c:1348
3 locks held by kworker/u4:6/9388:
3 locks held by syz-executor.4/10173:
#0: 00000000ad01c14a (&hdev->req_lock){+.+.}, at: hci_dev_do_close+0x122/0x1020 net/bluetooth/hci_core.c:1629
#1: 000000005c42330d (&hdev->lock){+.+.}, at: hci_dev_do_close+0x343/0x1020 net/bluetooth/hci_core.c:1674
#2: 00000000fd725e7e (hci_cb_list_lock){+.+.}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:1260 [inline]
#2: 00000000fd725e7e (hci_cb_list_lock){+.+.}, at: hci_conn_hash_flush+0xda/0x260 net/bluetooth/hci_conn.c:1512
1 lock held by syz-executor.1/10658:
#0: 0000000066cbe9c1 (rcu_preempt_state.exp_mutex){+.+.}, at: exp_funnel_lock kernel/rcu/tree_exp.h:329 [inline]
#0: 0000000066cbe9c1 (rcu_preempt_state.exp_mutex){+.+.}, at: _synchronize_rcu_expedited+0x256/0x6f0 kernel/rcu/tree_exp.h:667
3 locks held by kworker/u4:10/11044:
3 locks held by kworker/u4:11/11061:
1 lock held by syz-executor.5/15704:
#0: 0000000066cbe9c1 (rcu_preempt_state.exp_mutex){+.+.}, at: exp_funnel_lock kernel/rcu/tree_exp.h:329 [inline]
#0: 0000000066cbe9c1 (rcu_preempt_state.exp_mutex){+.+.}, at: _synchronize_rcu_expedited+0x256/0x6f0 kernel/rcu/tree_exp.h:667
1 lock held by syz-executor.0/16661:
#0: 0000000026428a5f (&anon_vma->rwsem){++++}, at: lock_anon_vma_root mm/rmap.c:238 [inline]
#0: 0000000026428a5f (&anon_vma->rwsem){++++}, at: unlink_anon_vmas+0x178/0x840 mm/rmap.c:388
4 locks held by syz-executor.0/16722:
1 lock held by syz-executor.0/16905:
#0: 0000000026428a5f (&anon_vma->rwsem){++++}, at: lock_anon_vma_root mm/rmap.c:238 [inline]
#0: 0000000026428a5f (&anon_vma->rwsem){++++}, at: unlink_anon_vmas+0x178/0x840 mm/rmap.c:388
1 lock held by syz-executor.0/16917:
#0: 0000000026428a5f (&anon_vma->rwsem){++++}, at: lock_anon_vma_root mm/rmap.c:238 [inline]
#0: 0000000026428a5f (&anon_vma->rwsem){++++}, at: unlink_anon_vmas+0x178/0x840 mm/rmap.c:388
1 lock held by syz-executor.0/17303:
#0: 0000000026428a5f (&anon_vma->rwsem){++++}, at: lock_anon_vma_root mm/rmap.c:238 [inline]
#0: 0000000026428a5f (&anon_vma->rwsem){++++}, at: unlink_anon_vmas+0x178/0x840 mm/rmap.c:388
1 lock held by syz-executor.0/17441:
#0: 0000000026428a5f (&anon_vma->rwsem){++++}, at: lock_anon_vma_root mm/rmap.c:238 [inline]
#0: 0000000026428a5f (&anon_vma->rwsem){++++}, at: unlink_anon_vmas+0x178/0x840 mm/rmap.c:388
4 locks held by syz-executor.0/17576:
1 lock held by syz-executor.0/17667:
#0: 0000000026428a5f (&anon_vma->rwsem){++++}, at: lock_anon_vma_root mm/rmap.c:238 [inline]
#0: 0000000026428a5f (&anon_vma->rwsem){++++}, at: unlink_anon_vmas+0x178/0x840 mm/rmap.c:388
4 locks held by syz-executor.0/17800:
1 lock held by syz-executor.0/17848:
#0: 0000000026428a5f (&anon_vma->rwsem){++++}, at: lock_anon_vma_root mm/rmap.c:238 [inline]
#0: 0000000026428a5f (&anon_vma->rwsem){++++}, at: unlink_anon_vmas+0x178/0x840 mm/rmap.c:388
1 lock held by syz-executor.0/17985:
#0: 00000000bfd67296 (&rq->lock){-.-.}, at: rq_lock kernel/sched/sched.h:1826 [inline]
#0: 00000000bfd67296 (&rq->lock){-.-.}, at: __schedule+0x1f9/0x2040 kernel/sched/core.c:3455
1 lock held by syz-executor.0/18052:
#0: 0000000026428a5f (&anon_vma->rwsem){++++}, at: lock_anon_vma_root mm/rmap.c:238 [inline]
#0: 0000000026428a5f (&anon_vma->rwsem){++++}, at: unlink_anon_vmas+0x178/0x840 mm/rmap.c:388
1 lock held by syz-executor.0/18590:
#0: 00000000bfd67296 (&rq->lock){-.-.}, at: rq_lock kernel/sched/sched.h:1826 [inline]
#0: 00000000bfd67296 (&rq->lock){-.-.}, at: __schedule+0x1f9/0x2040 kernel/sched/core.c:3455
1 lock held by syz-executor.0/19568:
4 locks held by syz-executor.0/20464:
4 locks held by syz-executor.0/20846:

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 1570 Comm: khungtaskd Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1fc/0x2ef lib/dump_stack.c:118
nmi_cpu_backtrace.cold+0x63/0xa2 lib/nmi_backtrace.c:101
nmi_trigger_cpumask_backtrace+0x1a6/0x1f0 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:203 [inline]
watchdog+0x991/0xe60 kernel/hung_task.c:287
kthread+0x33f/0x460 kernel/kthread.c:259
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 20846 Comm: syz-executor.0 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__lock_acquire+0x1ef/0x3ff0 kernel/locking/lockdep.c:3295
Code: 48 81 c4 98 01 00 00 44 89 f8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 80 3c 02 00 <0f> 85 b3 2a 00 00 49 81 3e 20 f2 66 8c 0f 84 65 ff ff ff 83 fe 01
RSP: 0018:ffff8881b754f2d8 EFLAGS: 00000046
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 1ffffffff1a82bc4 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000005 R11: 0000000000000000 R12: 0000000000000001
R13: ffff8881b753c280 R14: ffffffff8d415e20 R15: 0000000000000001
FS: 00007f4f7f051700(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4f7f0516bc CR3: 00000001b7526000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x8c/0xc0 kernel/locking/spinlock.c:152
__debug_check_no_obj_freed lib/debugobjects.c:776 [inline]
debug_check_no_obj_freed+0xb5/0x490 lib/debugobjects.c:817
free_pages_prepare mm/page_alloc.c:1056 [inline]
free_pcp_prepare mm/page_alloc.c:1070 [inline]
free_unref_page_prepare+0x1ea/0x5d0 mm/page_alloc.c:2763
free_unref_page+0x20/0x170 mm/page_alloc.c:2812
slab_destroy mm/slab.c:1713 [inline]
slabs_destroy+0x90/0xd0 mm/slab.c:1729
cache_flusharray mm/slab.c:3490 [inline]
___cache_free+0x295/0x3a0 mm/slab.c:3532
qlink_free mm/kasan/quarantine.c:147 [inline]
qlist_free_all+0x79/0x140 mm/kasan/quarantine.c:166
quarantine_reduce+0x1a9/0x230 mm/kasan/quarantine.c:259
kasan_kmalloc+0xa2/0x160 mm/kasan/kasan.c:538
kmem_cache_alloc+0x122/0x370 mm/slab.c:3559
ptlock_alloc+0x1d/0x70 mm/memory.c:4969
ptlock_init include/linux/mm.h:1900 [inline]
pgtable_page_ctor include/linux/mm.h:1934 [inline]
pte_alloc_one+0x68/0x190 arch/x86/mm/pgtable.c:38
__pte_alloc+0x21/0x340 mm/memory.c:665
copy_pte_range mm/memory.c:1089 [inline]
copy_pmd_range mm/memory.c:1165 [inline]
copy_pud_range mm/memory.c:1199 [inline]
copy_p4d_range mm/memory.c:1221 [inline]
copy_page_range+0x1d3d/0x2ff0 mm/memory.c:1283
dup_mmap kernel/fork.c:549 [inline]
dup_mm kernel/fork.c:1285 [inline]
copy_mm kernel/fork.c:1341 [inline]
copy_process.part.0+0x5b22/0x8260 kernel/fork.c:1913
copy_process kernel/fork.c:1710 [inline]
_do_fork+0x22f/0xf30 kernel/fork.c:2219
do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f4f806dbe99
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4f7f051168 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
RAX: ffffffffffffffda RBX: 00007f4f807eef60 RCX: 00007f4f806dbe99
RDX: 0000000020000080 RSI: 0000000000000000 RDI: 0000000000100000
RBP: 00007f4f80735ff1 R08: 0000000020000140 R09: 0000000000000000
R10: 00000000200000c0 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcde29d9af R14: 00007f4f7f051300 R15: 0000000000022000
----------------
Code disassembly (best guess):
0: 48 81 c4 98 01 00 00 add $0x198,%rsp
7: 44 89 f8 mov %r15d,%eax
a: 5b pop %rbx
b: 5d pop %rbp
c: 41 5c pop %r12
e: 41 5d pop %r13
10: 41 5e pop %r14
12: 41 5f pop %r15
14: c3 retq
15: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
1c: fc ff df
1f: 4c 89 f2 mov %r14,%rdx
22: 48 c1 ea 03 shr $0x3,%rdx
26: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1)
* 2a: 0f 85 b3 2a 00 00 jne 0x2ae3 <-- trapping instruction
30: 49 81 3e 20 f2 66 8c cmpq $0xffffffff8c66f220,(%r14)
37: 0f 84 65 ff ff ff je 0xffffffa2
3d: 83 fe 01 cmp $0x1,%esi