INFO: task syz-executor.0:6553 blocked for more than 143 seconds. Not tainted 5.15.0-rc1-next-20210917-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.0 state:D stack:22816 pid: 6553 ppid: 6552 flags:0x00000000 Call Trace: context_switch kernel/sched/core.c:4955 [inline] __schedule+0x940/0x26f0 kernel/sched/core.c:6236 schedule+0xd3/0x270 kernel/sched/core.c:6315 rwsem_down_write_slowpath+0x7b9/0x11d0 kernel/locking/rwsem.c:1107 __down_write_common kernel/locking/rwsem.c:1262 [inline] __down_write_common kernel/locking/rwsem.c:1259 [inline] __down_write kernel/locking/rwsem.c:1271 [inline] down_write+0x137/0x150 kernel/locking/rwsem.c:1518 i_mmap_lock_write include/linux/fs.h:501 [inline] dup_mmap kernel/fork.c:577 [inline] dup_mm+0x761/0x13e0 kernel/fork.c:1504 copy_mm kernel/fork.c:1556 [inline] copy_process+0x6fcf/0x7580 kernel/fork.c:2245 kernel_clone+0xe7/0xac0 kernel/fork.c:2635 __do_sys_clone+0xc8/0x110 kernel/fork.c:2752 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f0305db5d2b RSP: 002b:00007ffdd04b2840 EFLAGS: 00000246 ORIG_RAX: 0000000000000038 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0305db5d2b RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011 RBP: 0000000000000001 R08: 0000000000000000 R09: 00005555556fa400 R10: 00005555556fa6d0 R11: 0000000000000246 R12: 0000000000000001 R13: 0000000000000000 R14: 0000000000000001 R15: 00007ffdd04b2930 INFO: task syz-executor.3:6559 blocked for more than 144 seconds. Not tainted 5.15.0-rc1-next-20210917-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.3 state:D stack:22680 pid: 6559 ppid: 6558 flags:0x00004000 Call Trace: context_switch kernel/sched/core.c:4955 [inline] __schedule+0x940/0x26f0 kernel/sched/core.c:6236 schedule+0xd3/0x270 kernel/sched/core.c:6315 rwsem_down_write_slowpath+0x7b9/0x11d0 kernel/locking/rwsem.c:1107 __down_write_common kernel/locking/rwsem.c:1262 [inline] __down_write_common kernel/locking/rwsem.c:1259 [inline] __down_write kernel/locking/rwsem.c:1271 [inline] down_write+0x137/0x150 kernel/locking/rwsem.c:1518 i_mmap_lock_write include/linux/fs.h:501 [inline] dup_mmap kernel/fork.c:577 [inline] dup_mm+0x761/0x13e0 kernel/fork.c:1504 copy_mm kernel/fork.c:1556 [inline] copy_process+0x6fcf/0x7580 kernel/fork.c:2245 kernel_clone+0xe7/0xac0 kernel/fork.c:2635 __do_sys_clone+0xc8/0x110 kernel/fork.c:2752 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f8cf4774d2b RSP: 002b:00007ffc9ff8f350 EFLAGS: 00000246 ORIG_RAX: 0000000000000038 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f8cf4774d2b RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011 RBP: 0000000000000001 R08: 0000000000000000 R09: 00005555559e6400 R10: 00005555559e66d0 R11: 0000000000000246 R12: 0000000000000001 R13: 0000000000000000 R14: 0000000000000001 R15: 00007ffc9ff8f440 INFO: task syz-executor.4:8058 blocked for more than 145 seconds. Not tainted 5.15.0-rc1-next-20210917-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.4 state:D stack:23584 pid: 8058 ppid: 8057 flags:0x00004000 Call Trace: context_switch kernel/sched/core.c:4955 [inline] __schedule+0x940/0x26f0 kernel/sched/core.c:6236 schedule+0xd3/0x270 kernel/sched/core.c:6315 rwsem_down_write_slowpath+0x7b9/0x11d0 kernel/locking/rwsem.c:1107 __down_write_common kernel/locking/rwsem.c:1262 [inline] __down_write_common kernel/locking/rwsem.c:1259 [inline] __down_write kernel/locking/rwsem.c:1271 [inline] down_write+0x137/0x150 kernel/locking/rwsem.c:1518 i_mmap_lock_write include/linux/fs.h:501 [inline] dup_mmap kernel/fork.c:577 [inline] dup_mm+0x761/0x13e0 kernel/fork.c:1504 copy_mm kernel/fork.c:1556 [inline] copy_process+0x6fcf/0x7580 kernel/fork.c:2245 kernel_clone+0xe7/0xac0 kernel/fork.c:2635 __do_sys_clone+0xc8/0x110 kernel/fork.c:2752 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fa1356a7d2b RSP: 002b:00007ffda7066e10 EFLAGS: 00000246 ORIG_RAX: 0000000000000038 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa1356a7d2b RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011 RBP: 0000000000000001 R08: 0000000000000000 R09: 0000555556754400 R10: 00005555567546d0 R11: 0000000000000246 R12: 0000000000000001 R13: 0000000000000000 R14: 0000000000000001 R15: 00007ffda7066f00 INFO: task syz-executor.1:28964 can't die for more than 146 seconds. task:syz-executor.1 state:R running task stack:28144 pid:28964 ppid: 8425 flags:0x00004006 Call Trace: context_switch kernel/sched/core.c:4955 [inline] __schedule+0x940/0x26f0 kernel/sched/core.c:6236 preempt_schedule_common+0x45/0xc0 kernel/sched/core.c:6408 preempt_schedule_thunk+0x16/0x18 arch/x86/entry/thunk_64.S:35 __raw_spin_unlock include/linux/spinlock_api_smp.h:152 [inline] _raw_spin_unlock+0x36/0x40 kernel/locking/spinlock.c:186 spin_unlock include/linux/spinlock.h:408 [inline] zap_pte_range mm/memory.c:1408 [inline] zap_pmd_range mm/memory.c:1467 [inline] zap_pud_range mm/memory.c:1496 [inline] zap_p4d_range mm/memory.c:1517 [inline] unmap_page_range+0x107c/0x29f0 mm/memory.c:1538 unmap_single_vma+0x198/0x310 mm/memory.c:1583 zap_page_range_single+0x2ca/0x430 mm/memory.c:1666 unmap_mapping_range_vma mm/memory.c:3306 [inline] unmap_mapping_range_tree mm/memory.c:3327 [inline] unmap_mapping_pages+0x1f4/0x290 mm/memory.c:3393 truncate_pagecache+0x51/0x90 mm/truncate.c:749 simple_setattr+0xed/0x110 fs/libfs.c:508 debugfs_setattr+0x7b/0xa0 fs/debugfs/inode.c:55 notify_change+0xaef/0x10c0 fs/attr.c:410 do_truncate+0x13c/0x200 fs/open.c:64 do_sys_ftruncate+0x544/0x740 fs/open.c:192 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f197c72e739 RSP: 002b:00007f1979ca5188 EFLAGS: 00000246 ORIG_RAX: 000000000000004d RAX: ffffffffffffffda RBX: 00007f197c832f80 RCX: 00007f197c72e739 RDX: 0000000000000000 RSI: 00000000000007ff RDI: 0000000000000003 RBP: 00007f197c788cc4 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f197c832f80 R13: 00007ffd2b4df59f R14: 00007f1979ca5300 R15: 0000000000022000 INFO: task syz-executor.1:28972 can't die for more than 147 seconds. task:syz-executor.1 state:D stack:29576 pid:28972 ppid: 8425 flags:0x00004004 Call Trace: context_switch kernel/sched/core.c:4955 [inline] __schedule+0x940/0x26f0 kernel/sched/core.c:6236 schedule+0xd3/0x270 kernel/sched/core.c:6315 rwsem_down_write_slowpath+0x7b9/0x11d0 kernel/locking/rwsem.c:1107 __down_write_common kernel/locking/rwsem.c:1262 [inline] __down_write_common kernel/locking/rwsem.c:1259 [inline] __down_write kernel/locking/rwsem.c:1271 [inline] down_write+0x137/0x150 kernel/locking/rwsem.c:1518 inode_lock include/linux/fs.h:786 [inline] do_truncate+0x12a/0x200 fs/open.c:62 do_sys_ftruncate+0x544/0x740 fs/open.c:192 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f197c72e739 RSP: 002b:00007f1979c63188 EFLAGS: 00000246 ORIG_RAX: 000000000000004d RAX: ffffffffffffffda RBX: 00007f197c8330f0 RCX: 00007f197c72e739 RDX: 0000000000000000 RSI: 00000000000007ff RDI: 0000000000000003 RBP: 00007f197c788cc4 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f197c8330f0 R13: 00007ffd2b4df59f R14: 00007f1979c63300 R15: 0000000000022000 INFO: task syz-executor.1:28972 blocked for more than 147 seconds. Not tainted 5.15.0-rc1-next-20210917-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.1 state:D stack:29576 pid:28972 ppid: 8425 flags:0x00004004 Call Trace: context_switch kernel/sched/core.c:4955 [inline] __schedule+0x940/0x26f0 kernel/sched/core.c:6236 schedule+0xd3/0x270 kernel/sched/core.c:6315 rwsem_down_write_slowpath+0x7b9/0x11d0 kernel/locking/rwsem.c:1107 __down_write_common kernel/locking/rwsem.c:1262 [inline] __down_write_common kernel/locking/rwsem.c:1259 [inline] __down_write kernel/locking/rwsem.c:1271 [inline] down_write+0x137/0x150 kernel/locking/rwsem.c:1518 inode_lock include/linux/fs.h:786 [inline] do_truncate+0x12a/0x200 fs/open.c:62 do_sys_ftruncate+0x544/0x740 fs/open.c:192 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f197c72e739 RSP: 002b:00007f1979c63188 EFLAGS: 00000246 ORIG_RAX: 000000000000004d RAX: ffffffffffffffda RBX: 00007f197c8330f0 RCX: 00007f197c72e739 RDX: 0000000000000000 RSI: 00000000000007ff RDI: 0000000000000003 RBP: 00007f197c788cc4 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f197c8330f0 R13: 00007ffd2b4df59f R14: 00007f1979c63300 R15: 0000000000022000 INFO: task syz-executor.5:28966 blocked for more than 148 seconds. Not tainted 5.15.0-rc1-next-20210917-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.5 state:D stack:26880 pid:28966 ppid: 6859 flags:0x00004000 Call Trace: context_switch kernel/sched/core.c:4955 [inline] __schedule+0x940/0x26f0 kernel/sched/core.c:6236 schedule+0xd3/0x270 kernel/sched/core.c:6315 rwsem_down_write_slowpath+0x7b9/0x11d0 kernel/locking/rwsem.c:1107 __down_write_common kernel/locking/rwsem.c:1262 [inline] __down_write_common kernel/locking/rwsem.c:1259 [inline] __down_write kernel/locking/rwsem.c:1271 [inline] down_write+0x137/0x150 kernel/locking/rwsem.c:1518 i_mmap_lock_write include/linux/fs.h:501 [inline] unlink_file_vma+0x7d/0x110 mm/mmap.c:169 free_pgtables+0x1b3/0x2f0 mm/memory.c:427 exit_mmap+0x1df/0x630 mm/mmap.c:3172 __mmput+0x122/0x4b0 kernel/fork.c:1166 mmput+0x58/0x60 kernel/fork.c:1187 exit_mm kernel/exit.c:501 [inline] do_exit+0xabc/0x2a30 kernel/exit.c:812 do_group_exit+0x125/0x310 kernel/exit.c:922 get_signal+0x47f/0x2160 kernel/signal.c:2868 arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:863 handle_signal_work kernel/entry/common.c:148 [inline] exit_to_user_mode_loop kernel/entry/common.c:172 [inline] exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:209 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f0dfef30739 RSP: 002b:00007f0dfc4a7188 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffea RBX: 00007f0dff034f80 RCX: 00007f0dfef30739 RDX: 0000000000000048 RSI: 0000000020000440 RDI: 0000000000000005 RBP: 00007f0dfef8acc4 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0dff034f80 R13: 00007ffe7bb6aa4f R14: 00007f0dfc4a7300 R15: 0000000000022000 INFO: task syz-executor.2:28969 blocked for more than 149 seconds. Not tainted 5.15.0-rc1-next-20210917-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor.2 state:D stack:28568 pid:28969 ppid: 6557 flags:0x00004000 Call Trace: context_switch kernel/sched/core.c:4955 [inline] __schedule+0x940/0x26f0 kernel/sched/core.c:6236 schedule+0xd3/0x270 kernel/sched/core.c:6315 rwsem_down_write_slowpath+0x7b9/0x11d0 kernel/locking/rwsem.c:1107 __down_write_common kernel/locking/rwsem.c:1262 [inline] __down_write_common kernel/locking/rwsem.c:1259 [inline] __down_write kernel/locking/rwsem.c:1271 [inline] down_write+0x137/0x150 kernel/locking/rwsem.c:1518 i_mmap_lock_write include/linux/fs.h:501 [inline] unlink_file_vma+0x7d/0x110 mm/mmap.c:169 free_pgtables+0x1b3/0x2f0 mm/memory.c:427 exit_mmap+0x1df/0x630 mm/mmap.c:3172 __mmput+0x122/0x4b0 kernel/fork.c:1166 mmput+0x58/0x60 kernel/fork.c:1187 exit_mm kernel/exit.c:501 [inline] do_exit+0xabc/0x2a30 kernel/exit.c:812 do_group_exit+0x125/0x310 kernel/exit.c:922 get_signal+0x47f/0x2160 kernel/signal.c:2868 arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:863 handle_signal_work kernel/entry/common.c:148 [inline] exit_to_user_mode_loop kernel/entry/common.c:172 [inline] exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:209 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7faf010e6739 RSP: 002b:00007faefe63c218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: 0000000000000001 RBX: 00007faf011eb040 RCX: 00007faf010e6739 RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007faf011eb044 RBP: 00007faf011eb038 R08: 0000000000000016 R09: 0000000000000000 R10: ffffffffffffffff R11: 0000000000000246 R12: 00007faf011eb044 R13: 00007ffcbae929ef R14: 00007faefe63c300 R15: 0000000000022000 Showing all locks held in the system: 1 lock held by khungtaskd/26: #0: ffffffff8b980460 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6446 1 lock held by systemd-udevd/2969: 1 lock held by in:imklog/6232: #0: ffff88801b658870 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0xe9/0x100 fs/file.c:990 1 lock held by syz-executor.0/6552: #0: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: i_mmap_lock_write include/linux/fs.h:501 [inline] #0: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: unlink_file_vma+0x7d/0x110 mm/mmap.c:169 4 locks held by syz-executor.0/6553: #0: ffffffff8ba52b90 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mmap kernel/fork.c:498 [inline] #0: ffffffff8ba52b90 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mm+0x108/0x13e0 kernel/fork.c:1504 #1: ffff8880766cab28 (&mm->mmap_lock#2){++++}-{3:3}, at: mmap_write_lock_killable include/linux/mmap_lock.h:87 [inline] #1: ffff8880766cab28 (&mm->mmap_lock#2){++++}-{3:3}, at: dup_mmap kernel/fork.c:499 [inline] #1: ffff8880766cab28 (&mm->mmap_lock#2){++++}-{3:3}, at: dup_mm+0x12e/0x13e0 kernel/fork.c:1504 #2: ffff88818148f828 (&mm->mmap_lock/1){+.+.}-{3:3}, at: mmap_write_lock_nested include/linux/mmap_lock.h:78 [inline] #2: ffff88818148f828 (&mm->mmap_lock/1){+.+.}-{3:3}, at: dup_mmap kernel/fork.c:508 [inline] #2: ffff88818148f828 (&mm->mmap_lock/1){+.+.}-{3:3}, at: dup_mm+0x18a/0x13e0 kernel/fork.c:1504 #3: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: i_mmap_lock_write include/linux/fs.h:501 [inline] #3: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: dup_mmap kernel/fork.c:577 [inline] #3: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: dup_mm+0x761/0x13e0 kernel/fork.c:1504 1 lock held by syz-executor.2/6556: #0: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: i_mmap_lock_write include/linux/fs.h:501 [inline] #0: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: unlink_file_vma+0x7d/0x110 mm/mmap.c:169 1 lock held by syz-executor.3/6558: #0: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: i_mmap_lock_write include/linux/fs.h:501 [inline] #0: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: unlink_file_vma+0x7d/0x110 mm/mmap.c:169 4 locks held by syz-executor.3/6559: #0: ffffffff8ba52b90 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mmap kernel/fork.c:498 [inline] #0: ffffffff8ba52b90 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mm+0x108/0x13e0 kernel/fork.c:1504 #1: ffff8880766cf128 (&mm->mmap_lock#2){++++}-{3:3}, at: mmap_write_lock_killable include/linux/mmap_lock.h:87 [inline] #1: ffff8880766cf128 (&mm->mmap_lock#2){++++}-{3:3}, at: dup_mmap kernel/fork.c:499 [inline] #1: ffff8880766cf128 (&mm->mmap_lock#2){++++}-{3:3}, at: dup_mm+0x12e/0x13e0 kernel/fork.c:1504 #2: ffff88818ab82428 (&mm->mmap_lock/1){+.+.}-{3:3}, at: mmap_write_lock_nested include/linux/mmap_lock.h:78 [inline] #2: ffff88818ab82428 (&mm->mmap_lock/1){+.+.}-{3:3}, at: dup_mmap kernel/fork.c:508 [inline] #2: ffff88818ab82428 (&mm->mmap_lock/1){+.+.}-{3:3}, at: dup_mm+0x18a/0x13e0 kernel/fork.c:1504 #3: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: i_mmap_lock_write include/linux/fs.h:501 [inline] #3: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: dup_mmap kernel/fork.c:577 [inline] #3: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: dup_mm+0x761/0x13e0 kernel/fork.c:1504 1 lock held by syz-executor.5/6728: #0: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: i_mmap_lock_write include/linux/fs.h:501 [inline] #0: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: unlink_file_vma+0x7d/0x110 mm/mmap.c:169 1 lock held by syz-executor.4/8057: #0: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: i_mmap_lock_write include/linux/fs.h:501 [inline] #0: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: unlink_file_vma+0x7d/0x110 mm/mmap.c:169 4 locks held by syz-executor.4/8058: #0: ffffffff8ba52b90 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mmap kernel/fork.c:498 [inline] #0: ffffffff8ba52b90 (dup_mmap_sem){.+.+}-{0:0}, at: dup_mm+0x108/0x13e0 kernel/fork.c:1504 #1: ffff88807e77f128 (&mm->mmap_lock#2){++++}-{3:3}, at: mmap_write_lock_killable include/linux/mmap_lock.h:87 [inline] #1: ffff88807e77f128 (&mm->mmap_lock#2){++++}-{3:3}, at: dup_mmap kernel/fork.c:499 [inline] #1: ffff88807e77f128 (&mm->mmap_lock#2){++++}-{3:3}, at: dup_mm+0x12e/0x13e0 kernel/fork.c:1504 #2: ffff88818ab80f28 (&mm->mmap_lock/1){+.+.}-{3:3}, at: mmap_write_lock_nested include/linux/mmap_lock.h:78 [inline] #2: ffff88818ab80f28 (&mm->mmap_lock/1){+.+.}-{3:3}, at: dup_mmap kernel/fork.c:508 [inline] #2: ffff88818ab80f28 (&mm->mmap_lock/1){+.+.}-{3:3}, at: dup_mm+0x18a/0x13e0 kernel/fork.c:1504 #3: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: i_mmap_lock_write include/linux/fs.h:501 [inline] #3: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: dup_mmap kernel/fork.c:577 [inline] #3: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: dup_mm+0x761/0x13e0 kernel/fork.c:1504 1 lock held by syz-executor.1/8424: #0: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: i_mmap_lock_write include/linux/fs.h:501 [inline] #0: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: unlink_file_vma+0x7d/0x110 mm/mmap.c:169 1 lock held by syz-executor.2/17400: 5 locks held by kworker/0:0/17281: #0: ffff8880b9c31a58 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested kernel/sched/core.c:474 [inline] #0: ffff8880b9c31a58 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock kernel/sched/sched.h:1323 [inline] #0: ffff8880b9c31a58 (&rq->__lock){-.-.}-{2:2}, at: rq_lock kernel/sched/sched.h:1626 [inline] #0: ffff8880b9c31a58 (&rq->__lock){-.-.}-{2:2}, at: __schedule+0x236/0x26f0 kernel/sched/core.c:6150 #1: ffff8880b9c1f9c8 (&per_cpu_ptr(group->pcpu, cpu)->seq){-.-.}-{0:0}, at: debug_object_deactivate lib/debugobjects.c:735 [inline] #1: ffff8880b9c1f9c8 (&per_cpu_ptr(group->pcpu, cpu)->seq){-.-.}-{0:0}, at: debug_object_deactivate+0x101/0x300 lib/debugobjects.c:723 #2: ffff8880b9c20030 (krc.lock){..-.}-{2:2}, at: kfree_rcu_monitor+0x2f/0x830 kernel/rcu/tree.c:3332 #3: ffffffff904613d8 (&obj_hash[i].lock){-.-.}-{2:2}, at: debug_object_activate+0x12e/0x3e0 lib/debugobjects.c:661 #4: ffffffff904d5e38 (&obj_hash[i].lock){-.-.}-{2:2}, at: debug_object_activate+0x12e/0x3e0 lib/debugobjects.c:661 3 locks held by syz-executor.1/28964: 2 locks held by syz-executor.1/28972: #0: ffff8880157ba460 (sb_writers#11){.+.+}-{0:0}, at: do_syscall_x64 arch/x86/entry/common.c:50 [inline] #0: ffff8880157ba460 (sb_writers#11){.+.+}-{0:0}, at: do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 #1: ffff888017b25fb0 (&sb->s_type->i_mutex_key#3){++++}-{3:3}, at: inode_lock include/linux/fs.h:786 [inline] #1: ffff888017b25fb0 (&sb->s_type->i_mutex_key#3){++++}-{3:3}, at: do_truncate+0x12a/0x200 fs/open.c:62 1 lock held by syz-executor.5/28966: #0: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: i_mmap_lock_write include/linux/fs.h:501 [inline] #0: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: unlink_file_vma+0x7d/0x110 mm/mmap.c:169 1 lock held by syz-executor.2/28969: #0: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: i_mmap_lock_write include/linux/fs.h:501 [inline] #0: ffff888017b26208 (&mapping->i_mmap_rwsem){++++}-{3:3}, at: unlink_file_vma+0x7d/0x110 mm/mmap.c:169 ============================================= NMI backtrace for cpu 0 CPU: 0 PID: 26 Comm: khungtaskd Not tainted 5.15.0-rc1-next-20210917-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 nmi_cpu_backtrace.cold+0x47/0x144 lib/nmi_backtrace.c:105 nmi_trigger_cpumask_backtrace+0x1ae/0x220 lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:254 [inline] watchdog+0xcb7/0xed0 kernel/hung_task.c:339 kthread+0x3e5/0x4d0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 PID: 2964 Comm: systemd-journal Not tainted 5.15.0-rc1-next-20210917-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:27 [inline] RIP: 0010:check_kcov_mode kernel/kcov.c:163 [inline] RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x60 kernel/kcov.c:197 Code: 01 f0 4d 89 03 e9 63 fd ff ff b9 ff ff ff ff ba 08 00 00 00 4d 8b 03 48 0f bd ca 49 8b 45 00 48 63 c9 e9 64 ff ff ff 0f 1f 00 <65> 8b 05 99 e1 8b 7e 89 c1 48 8b 34 24 81 e1 00 01 00 00 65 48 8b RSP: 0018:ffffc9000d6ffeb0 EFLAGS: 00000093 RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000 RDX: ffff88807bbf3900 RSI: ffffffff817c34db RDI: 0000000000000003 RBP: ffff88807bbf4220 R08: 0000000000000000 R09: ffff88807bbf418f R10: ffffffff817c34bd R11: 0000000000000000 R12: ffff88807bbf4220 R13: ffff88807bbf3900 R14: 0000000000000000 R15: ffff888196f03680 FS: 00007f3e9642f8c0(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f3e939be000 CR3: 0000000019b43000 CR4: 00000000001526e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __raw_spin_lock_irq include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_irq+0x41/0x50 kernel/locking/spinlock.c:170 task_work_run+0xb4/0x1a0 kernel/task_work.c:159 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop kernel/entry/common.c:175 [inline] exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:209 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline] syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:302 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f3e959be840 Code: 73 01 c3 48 8b 0d 68 77 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 89 bb 20 00 00 75 10 b8 02 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 1e f6 ff ff 48 89 04 24 RSP: 002b:00007ffd3e15b3b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 RAX: fffffffffffffffe RBX: 00007ffd3e15b6c0 RCX: 00007f3e959be840 RDX: 00000000000001a0 RSI: 0000000000080042 RDI: 0000557afd5e3d80 RBP: 000000000000000d R08: 000000000000ffc0 R09: 00000000ffffffff R10: 0000000000000069 R11: 0000000000000246 R12: 00000000ffffffff R13: 0000557afd5d6040 R14: 00007ffd3e15b680 R15: 0000557afd5e40e0 ---------------- Code disassembly (best guess): 0: 01 f0 add %esi,%eax 2: 4d 89 03 mov %r8,(%r11) 5: e9 63 fd ff ff jmpq 0xfffffd6d a: b9 ff ff ff ff mov $0xffffffff,%ecx f: ba 08 00 00 00 mov $0x8,%edx 14: 4d 8b 03 mov (%r11),%r8 17: 48 0f bd ca bsr %rdx,%rcx 1b: 49 8b 45 00 mov 0x0(%r13),%rax 1f: 48 63 c9 movslq %ecx,%rcx 22: e9 64 ff ff ff jmpq 0xffffff8b 27: 0f 1f 00 nopl (%rax) * 2a: 65 8b 05 99 e1 8b 7e mov %gs:0x7e8be199(%rip),%eax # 0x7e8be1ca <-- trapping instruction 31: 89 c1 mov %eax,%ecx 33: 48 8b 34 24 mov (%rsp),%rsi 37: 81 e1 00 01 00 00 and $0x100,%ecx 3d: 65 gs 3e: 48 rex.W 3f: 8b .byte 0x8b