INFO: task syz-executor:3644 blocked for more than 143 seconds.
      Not tainted 6.1.111-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor    state:D stack:19864 pid:3644  ppid:1      flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5241 [inline]
 __schedule+0x143f/0x4570 kernel/sched/core.c:6558
 schedule+0xbf/0x180 kernel/sched/core.c:6634
 schedule_timeout+0xac/0x300 kernel/time/timer.c:1941
 do_wait_for_common kernel/sched/completion.c:85 [inline]
 __wait_for_common kernel/sched/completion.c:106 [inline]
 wait_for_common kernel/sched/completion.c:117 [inline]
 wait_for_completion+0x350/0x610 kernel/sched/completion.c:138
 kthread_stop+0x1ab/0x690 kernel/kthread.c:709
 ext4_stop_mmpd+0x43/0xb0 fs/ext4/mmp.c:261
 ext4_put_super+0xb49/0x10e0 fs/ext4/super.c:1293
 generic_shutdown_super+0x130/0x340 fs/super.c:501
 kill_block_super+0x7a/0xe0 fs/super.c:1470
 deactivate_locked_super+0xa0/0x110 fs/super.c:332
 cleanup_mnt+0x490/0x520 fs/namespace.c:1186
 task_work_run+0x246/0x300 kernel/task_work.c:203
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop+0xde/0x100 kernel/entry/common.c:177
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:292 [inline]
 syscall_exit_to_user_mode+0x60/0x270 kernel/entry/common.c:303
 do_syscall_64+0x47/0xb0 arch/x86/entry/common.c:87
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fd82df7f227
RSP: 002b:00007fff81b503d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007fd82dff0a14 RCX: 00007fd82df7f227
RDX: 0000000000000000 RSI: 0000000000000009 RDI: 00007fff81b50490
RBP: 00007fff81b50490 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 00007fff81b51510
R13: 00007fd82dff0a14 R14: 0000000000019e2d R15: 00007fff81b51550
 </TASK>
INFO: task kmmpd-loop4:4431 blocked for more than 145 seconds.
      Not tainted 6.1.111-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kmmpd-loop4     state:D stack:28024 pid:4431  ppid:2      flags:0x00024000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5241 [inline]
 __schedule+0x143f/0x4570 kernel/sched/core.c:6558
 schedule+0xbf/0x180 kernel/sched/core.c:6634
 percpu_rwsem_wait+0x3b9/0x450 kernel/locking/percpu-rwsem.c:162
 __percpu_down_read+0xe6/0x130 kernel/locking/percpu-rwsem.c:177
 percpu_down_read include/linux/percpu-rwsem.h:65 [inline]
 __sb_start_write include/linux/fs.h:1891 [inline]
 sb_start_write include/linux/fs.h:1966 [inline]
 write_mmp_block+0x2ee/0x390 fs/ext4/mmp.c:66
 kmmpd+0x263/0xa70 fs/ext4/mmp.c:246
 kthread+0x28d/0x320 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>
Showing all locks held in the system:
1 lock held by rcu_tasks_kthre/12:
 #0: ffffffff8d32b1d0 (rcu_tasks.tasks_gp_mutex){+.+.}-{3:3}, at: rcu_tasks_one_gp+0x29/0xe30 kernel/rcu/tasks.h:517
1 lock held by rcu_tasks_trace/13:
 #0: ffffffff8d32b9d0 (rcu_tasks_trace.tasks_gp_mutex){+.+.}-{3:3}, at: rcu_tasks_one_gp+0x29/0xe30 kernel/rcu/tasks.h:517
2 locks held by kworker/1:1/26:
 #0: ffff888017c70938 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x7a9/0x11d0 kernel/workqueue.c:2267
 #1: ffffc90000a1fd20 (free_ipc_work){+.+.}-{0:0}, at: process_one_work+0x7a9/0x11d0 kernel/workqueue.c:2267
1 lock held by khungtaskd/28:
 #0: ffffffff8d32b000 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:350 [inline]
 #0: ffffffff8d32b000 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:791 [inline]
 #0: ffffffff8d32b000 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x51/0x290 kernel/locking/lockdep.c:6494
3 locks held by kworker/u4:4/56:
 #0: ffff888017c79138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x7a9/0x11d0 kernel/workqueue.c:2267
 #1: ffffc90001577d20 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work+0x7a9/0x11d0 kernel/workqueue.c:2267
 #2: ffffffff8e4f97a8 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0xa/0x50 net/core/link_watch.c:263
1 lock held by dhcpcd/3305:
 #0: ffffffff8e4f97a8 (rtnl_mutex){+.+.}-{3:3}, at: __netlink_dump_start+0x12e/0x6c0 net/netlink/af_netlink.c:2301
2 locks held by getty/3398:
 #0: ffff88814bdcc098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x21/0x70 drivers/tty/tty_ldisc.c:244
 #1: ffffc900031262f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6a7/0x1db0 drivers/tty/n_tty.c:2198
1 lock held by syz-executor/3644:
 #0: ffff88807f3b40e0 (&type->s_umount_key#31){++++}-{3:3}, at: deactivate_super+0xa9/0xe0 fs/super.c:362
3 locks held by kworker/1:4/3683:
 #0: ffff888017c70938 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x7a9/0x11d0 kernel/workqueue.c:2267
 #1: ffffc9000435fd20 ((work_completion)(&pwq->unbound_release_work)){+.+.}-{0:0}, at: process_one_work+0x7a9/0x11d0 kernel/workqueue.c:2267
 #2: ffffffff8d3305f8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:323 [inline]
 #2: ffffffff8d3305f8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x360/0x930 kernel/rcu/tree_exp.h:962
7 locks held by kworker/u4:6/3696:
 #0: ffff888017e1e938 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x7a9/0x11d0 kernel/workqueue.c:2267
 #1: ffffc9000441fd20 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x7a9/0x11d0 kernel/workqueue.c:2267
 #2: ffffffff8e4ed450 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0xf1/0xb60 net/core/net_namespace.c:566
 #3: ffffffff8e4f97a8 (rtnl_mutex){+.+.}-{3:3}, at: ieee80211_unregister_hw+0x51/0x290 net/mac80211/main.c:1469
 #4: ffff888028bd07c8 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: wiphy_lock include/net/cfg80211.h:5639 [inline]
 #4: ffff888028bd07c8 (&rdev->wiphy.mtx){+.+.}-{3:3}, at: cfg80211_netdev_notifier_call+0x4cd/0x16c0 net/wireless/core.c:1503
 #5: ffff88805a650d40 (&wdev->mtx){+.+.}-{3:3}, at: wdev_lock net/wireless/core.h:232 [inline]
 #5: ffff88805a650d40 (&wdev->mtx){+.+.}-{3:3}, at: cfg80211_leave+0x9c/0x190 net/wireless/core.c:1341
 #6: ffffffff8d3305f8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:291 [inline]
 #6: ffffffff8d3305f8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x4f0/0x930 kernel/rcu/tree_exp.h:962
2 locks held by kworker/0:6/3718:
 #0: ffff888017c72138 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_one_work+0x7a9/0x11d0 kernel/workqueue.c:2267
 #1: ffffc9000440fd20 ((work_completion)(&rew->rew_work)){+.+.}-{0:0}, at: process_one_work+0x7a9/0x11d0 kernel/workqueue.c:2267
3 locks held by kworker/u4:8/4168:
2 locks held by kworker/1:10/4344:
 #0: ffff888017c70938 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x7a9/0x11d0 kernel/workqueue.c:2267
 #1: ffffc900035afd20 ((work_completion)(&pwq->unbound_release_work)){+.+.}-{0:0}, at: process_one_work+0x7a9/0x11d0 kernel/workqueue.c:2267
1 lock held by kmmpd-loop4/4431:
 #0: ffff88807f3b4460 (sb_writers#4){++++}-{0:0}, at: kmmpd+0x263/0xa70 fs/ext4/mmp.c:246
1 lock held by syz.3.187/4932:
 #0: ffff88807f3b40e0 (&type->s_umount_key#31){++++}-{3:3}, at: iterate_supers+0xac/0x1e0 fs/super.c:755
1 lock held by syz.0.248/5306:
 #0: ffffffff8e4f97a8 (rtnl_mutex){+.+.}-{3:3}, at: tun_detach drivers/net/tun.c:698 [inline]
 #0: ffffffff8e4f97a8 (rtnl_mutex){+.+.}-{3:3}, at: tun_chr_close+0x3a/0x1b0 drivers/net/tun.c:3492
1 lock held by syz-executor/5355:
 #0: ffffffff8e4f97a8 (rtnl_mutex){+.+.}-{3:3}, at: tun_detach drivers/net/tun.c:698 [inline]
 #0: ffffffff8e4f97a8 (rtnl_mutex){+.+.}-{3:3}, at: tun_chr_close+0x3a/0x1b0 drivers/net/tun.c:3492
3 locks held by syz-executor/5409:
 #0: ffff888056ce50b8 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close net/bluetooth/hci_core.c:508 [inline]
 #0: ffff888056ce50b8 (&hdev->req_lock){+.+.}-{3:3}, at: hci_unregister_dev+0x1ff/0x500 net/bluetooth/hci_core.c:2710
 #1: ffff888056ce4078 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_close_sync+0x48d/0x1020 net/bluetooth/hci_sync.c:5053
 #2: ffffffff8e650b88 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:1800 [inline]
 #2: ffffffff8e650b88 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0xb8/0x2a0 net/bluetooth/hci_conn.c:2446
3 locks held by syz-executor/5410:
 #0: ffff888050db50b8 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close net/bluetooth/hci_core.c:508 [inline]
 #0: ffff888050db50b8 (&hdev->req_lock){+.+.}-{3:3}, at: hci_unregister_dev+0x1ff/0x500 net/bluetooth/hci_core.c:2710
 #1: ffff888050db4078 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_close_sync+0x48d/0x1020 net/bluetooth/hci_sync.c:5053
 #2: ffffffff8e650b88 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:1800 [inline]
 #2: ffffffff8e650b88 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0xb8/0x2a0 net/bluetooth/hci_conn.c:2446
2 locks held by syz-executor/5452:
 #0: ffffffff8e4ed450 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x378/0x5d0 net/core/net_namespace.c:477
 #1: ffffffff8e4f97a8 (rtnl_mutex){+.+.}-{3:3}, at: wg_netns_pre_exit+0x1b/0x1d0 drivers/net/wireguard/device.c:420
2 locks held by syz-executor/5456:
 #0: ffffffff8e4ed450 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x378/0x5d0 net/core/net_namespace.c:477
 #1: ffffffff8e4f97a8 (rtnl_mutex){+.+.}-{3:3}, at: wg_netns_pre_exit+0x1b/0x1d0 drivers/net/wireguard/device.c:420
=============================================
NMI backtrace for cpu 0
CPU: 0 PID: 28 Comm: khungtaskd Not tainted 6.1.111-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
 nmi_cpu_backtrace+0x4e1/0x560 lib/nmi_backtrace.c:111
 nmi_trigger_cpumask_backtrace+0x1ae/0x3f0 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:148 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:220 [inline]
 watchdog+0xf88/0xfd0 kernel/hung_task.c:377
 kthread+0x28d/0x320 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 5309 Comm: kworker/u4:9 Not tainted 6.1.111-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: phy25 ieee80211_iface_work
RIP: 0010:get_stack_info_noinstr+0xf3/0x130 arch/x86/kernel/dumpstack_64.c:189
Code: e9 77 2f 48 8d 50 08 48 39 ea 76 26 41 c7 04 24 02 00 00 00 49 89 4c 24 08 49 89 54 24 10 48 8b 00 49 89 44 24 18 44 89 f0 5b <41> 5c 41 5e 41 5f 5d c3 48 89 ef 4c 89 e6 5b 41 5c 41 5e 41 5f 5d
RSP: 0018:ffffc9000385f1c0 EFLAGS: 00000202
RAX: 000000000385f201 RBX: ffffc9000385f280 RCX: ffffc90003858000
RDX: ffffc9000385f280 RSI: ffffc90003860000 RDI: ffffc9000385f220
RBP: ffffc9000385f220 R08: dffffc0000000001 R09: ffffc9000385f280
R10: 0000000000000000 R11: dffffc0000000001 R12: ffffc9000385f280
R13: ffffc9000385f2a8 R14: ffffc9000385f201 R15: 1ffff9200070be55
FS:  0000000000000000(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000021000000 CR3: 000000000d08e000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <NMI>
 </NMI>
 <TASK>
 get_stack_info+0x37/0xf0 arch/x86/kernel/dumpstack_64.c:199
 __unwind_start+0x437/0x720 arch/x86/kernel/unwind_orc.c:686
 unwind_start arch/x86/include/asm/unwind.h:64 [inline]
 arch_stack_walk+0xdb/0x140 arch/x86/kernel/stacktrace.c:24
 stack_trace_save+0x113/0x1c0 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:516
 ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1724 [inline]
 slab_free_freelist_hook mm/slub.c:1750 [inline]
 slab_free mm/slub.c:3661 [inline]
 __kmem_cache_free+0x25c/0x3c0 mm/slub.c:3674
 ieee80211_bss_info_update+0xa54/0xf00 net/mac80211/scan.c:223
 ieee80211_rx_bss_info net/mac80211/ibss.c:1120 [inline]
 ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1609 [inline]
 ieee80211_ibss_rx_queued_mgmt+0x1962/0x2dd0 net/mac80211/ibss.c:1638
 ieee80211_iface_process_skb net/mac80211/iface.c:1653 [inline]
 ieee80211_iface_work+0x7aa/0xce0 net/mac80211/iface.c:1707
 process_one_work+0x8a9/0x11d0 kernel/workqueue.c:2292
 worker_thread+0xa47/0x1200 kernel/workqueue.c:2439
 kthread+0x28d/0x320 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295