[13803] 0 13803 17651 8198 25 4 0 0 syz-executor5 Out of memory: Kill process 16226 (syz-executor4) score 1004 or sacrifice child Killed process 16226 (syz-executor4) total-vm:70340kB, anon-rss:148kB, file-rss:32640kB, shmem-rss:0kB oom_reaper: reaped process 16226 (syz-executor4), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB INFO: task init:11092 blocked for more than 140 seconds. Not tainted 4.14.87+ #21 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. init D28744 11092 1 0x00000000 Call Trace: schedule+0x7f/0x1b0 kernel/sched/core.c:3490 schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:3548 __mutex_lock_common kernel/locking/mutex.c:833 [inline] __mutex_lock+0x521/0x1480 kernel/locking/mutex.c:893 tty_open_by_driver drivers/tty/tty_io.c:1927 [inline] tty_open+0x3a8/0x980 drivers/tty/tty_io.c:2011 chrdev_open+0x20d/0x570 fs/char_dev.c:417 do_dentry_open+0x426/0xda0 fs/open.c:764 vfs_open+0x11c/0x210 fs/open.c:878 do_last fs/namei.c:3455 [inline] path_openat+0x5f9/0x2930 fs/namei.c:3597 do_filp_open+0x197/0x270 fs/namei.c:3631 do_sys_open+0x2ef/0x580 fs/open.c:1071 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x7ff22061b120 RSP: 002b:00007fffdf789848 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 RAX: ffffffffffffffda RBX: 00000000024e5010 RCX: 00007ff22061b120 RDX: 0000000000000010 RSI: 0000000000000902 RDI: 00000000004072c8 RBP: 0000000000000000 R08: 0000000000407370 R09: 0000000000000001 R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000902 R13: 0000000000000102 R14: 00007fffdf7899c0 R15: 00000000024e5018 INFO: task init:11093 blocked for more than 140 seconds. Not tainted 4.14.87+ #21 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. init D29224 11093 1 0x00000000 Call Trace: schedule+0x7f/0x1b0 kernel/sched/core.c:3490 schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:3548 __mutex_lock_common kernel/locking/mutex.c:833 [inline] __mutex_lock+0x521/0x1480 kernel/locking/mutex.c:893 tty_open_by_driver drivers/tty/tty_io.c:1927 [inline] tty_open+0x3a8/0x980 drivers/tty/tty_io.c:2011 chrdev_open+0x20d/0x570 fs/char_dev.c:417 do_dentry_open+0x426/0xda0 fs/open.c:764 vfs_open+0x11c/0x210 fs/open.c:878 do_last fs/namei.c:3455 [inline] path_openat+0x5f9/0x2930 fs/namei.c:3597 do_filp_open+0x197/0x270 fs/namei.c:3631 do_sys_open+0x2ef/0x580 fs/open.c:1071 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x7ff22061b120 RSP: 002b:00007fffdf789848 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 RAX: ffffffffffffffda RBX: 00000000024e50e0 RCX: 00007ff22061b120 RDX: 0000000000000010 RSI: 0000000000000902 RDI: 00000000004072c8 RBP: 0000000000000000 R08: 0000000000407370 R09: 0000000000000001 R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000902 R13: 0000000000000102 R14: 00007fffdf7899c0 R15: 00000000024e50e8 INFO: task init:11094 blocked for more than 140 seconds. Not tainted 4.14.87+ #21 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. init D28520 11094 1 0x00000000 Call Trace: schedule+0x7f/0x1b0 kernel/sched/core.c:3490 schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:3548 __mutex_lock_common kernel/locking/mutex.c:833 [inline] __mutex_lock+0x521/0x1480 kernel/locking/mutex.c:893 tty_open_by_driver drivers/tty/tty_io.c:1927 [inline] tty_open+0x3a8/0x980 drivers/tty/tty_io.c:2011 chrdev_open+0x20d/0x570 fs/char_dev.c:417 do_dentry_open+0x426/0xda0 fs/open.c:764 vfs_open+0x11c/0x210 fs/open.c:878 do_last fs/namei.c:3455 [inline] path_openat+0x5f9/0x2930 fs/namei.c:3597 do_filp_open+0x197/0x270 fs/namei.c:3631 do_sys_open+0x2ef/0x580 fs/open.c:1071 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x7ff22061b120 RSP: 002b:00007fffdf789848 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 RAX: ffffffffffffffda RBX: 00000000024e51b0 RCX: 00007ff22061b120 RDX: 0000000000000010 RSI: 0000000000000902 RDI: 00000000004072c8 RBP: 0000000000000000 R08: 0000000000407370 R09: 0000000000000001 R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000902 R13: 0000000000000102 R14: 00007fffdf7899c0 R15: 00000000024e51b8 INFO: task init:11095 blocked for more than 140 seconds. Not tainted 4.14.87+ #21 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. init D28056 11095 1 0x00000000 Call Trace: schedule+0x7f/0x1b0 kernel/sched/core.c:3490 schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:3548 __mutex_lock_common kernel/locking/mutex.c:833 [inline] __mutex_lock+0x521/0x1480 kernel/locking/mutex.c:893 tty_open_by_driver drivers/tty/tty_io.c:1927 [inline] tty_open+0x3a8/0x980 drivers/tty/tty_io.c:2011 chrdev_open+0x20d/0x570 fs/char_dev.c:417 do_dentry_open+0x426/0xda0 fs/open.c:764 vfs_open+0x11c/0x210 fs/open.c:878 do_last fs/namei.c:3455 [inline] path_openat+0x5f9/0x2930 fs/namei.c:3597 do_filp_open+0x197/0x270 fs/namei.c:3631 do_sys_open+0x2ef/0x580 fs/open.c:1071 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x7ff22061b120 RSP: 002b:00007fffdf789848 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 RAX: ffffffffffffffda RBX: 00000000024e5350 RCX: 00007ff22061b120 RDX: 0000000000000010 RSI: 0000000000000902 RDI: 00000000004072c8 RBP: 0000000000000000 R08: 0000000000407370 R09: 0000000000000001 R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000902 R13: 0000000000000102 R14: 00007fffdf7899c0 R15: 00000000024e5358 INFO: task init:11096 blocked for more than 140 seconds. Not tainted 4.14.87+ #21 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. init D28056 11096 1 0x00000000 Call Trace: schedule+0x7f/0x1b0 kernel/sched/core.c:3490 schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:3548 __mutex_lock_common kernel/locking/mutex.c:833 [inline] __mutex_lock+0x521/0x1480 kernel/locking/mutex.c:893 tty_open_by_driver drivers/tty/tty_io.c:1927 [inline] tty_open+0x3a8/0x980 drivers/tty/tty_io.c:2011 chrdev_open+0x20d/0x570 fs/char_dev.c:417 do_dentry_open+0x426/0xda0 fs/open.c:764 vfs_open+0x11c/0x210 fs/open.c:878 do_last fs/namei.c:3455 [inline] path_openat+0x5f9/0x2930 fs/namei.c:3597 do_filp_open+0x197/0x270 fs/namei.c:3631 do_sys_open+0x2ef/0x580 fs/open.c:1071 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x7ff22061b120 RSP: 002b:00007fffdf789848 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 RAX: ffffffffffffffda RBX: 00000000024e5280 RCX: 00007ff22061b120 RDX: 0000000000000010 RSI: 0000000000000902 RDI: 00000000004072c8 RBP: 0000000000000000 R08: 0000000000407370 R09: 0000000000000001 R10: 0000000000000008 R11: 0000000000000246 R12: 0000000000000902 R13: 0000000000000102 R14: 00007fffdf7899c0 R15: 00000000024e5288 Showing all locks held in the system: 1 lock held by khungtaskd/23: #0: (tasklist_lock){.+.+}, at: [] debug_show_all_locks+0x74/0x20f kernel/locking/lockdep.c:4541 1 lock held by rsyslogd/1626: #0: (&f->f_pos_lock){+.+.}, at: [] __fdget_pos+0xa2/0xc0 fs/file.c:768 2 locks held by getty/1754: #0: (&tty->ldisc_sem){++++}, at: [] tty_ldisc_ref_wait+0x20/0x80 drivers/tty/tty_ldisc.c:275 #1: (&ldata->atomic_read_lock){+.+.}, at: [] n_tty_read+0x1ff/0x1700 drivers/tty/n_tty.c:2156 2 locks held by syz-fuzzer/1773: #0: (&mm->mmap_sem){++++}, at: [] __do_page_fault+0x26d/0xb60 arch/x86/mm/fault.c:1354 #1: (&ei->i_mmap_sem){++++}, at: [] ext4_filemap_fault+0x75/0xb0 fs/ext4/inode.c:6178 2 locks held by syz-fuzzer/1784: #0: (&mm->mmap_sem){++++}, at: [] __do_page_fault+0x26d/0xb60 arch/x86/mm/fault.c:1354 #1: (&ei->i_mmap_sem){++++}, at: [] ext4_filemap_fault+0x75/0xb0 fs/ext4/inode.c:6178 1 lock held by syz-executor0/5800: #0: (tty_mutex){+.+.}, at: [] tty_release_struct+0x2a/0x50 drivers/tty/tty_io.c:1605 1 lock held by syz-executor2/13246: #0: (tty_mutex){+.+.}, at: [] tty_release_struct+0x2a/0x50 drivers/tty/tty_io.c:1605 1 lock held by syz-executor2/26076: #0: (tty_mutex){+.+.}, at: [] tty_release_struct+0x2a/0x50 drivers/tty/tty_io.c:1605 1 lock held by syz-executor2/26085: #0: (tty_mutex){+.+.}, at: [] tty_release_struct+0x2a/0x50 drivers/tty/tty_io.c:1605 1 lock held by init/11092: #0: (tty_mutex){+.+.}, at: [] tty_open_by_driver drivers/tty/tty_io.c:1927 [inline] #0: (tty_mutex){+.+.}, at: [] tty_open+0x3a8/0x980 drivers/tty/tty_io.c:2011 1 lock held by init/11093: #0: (tty_mutex){+.+.}, at: [] tty_open_by_driver drivers/tty/tty_io.c:1927 [inline] #0: (tty_mutex){+.+.}, at: [] tty_open+0x3a8/0x980 drivers/tty/tty_io.c:2011 1 lock held by init/11094: #0: (tty_mutex){+.+.}, at: [] tty_open_by_driver drivers/tty/tty_io.c:1927 [inline] #0: (tty_mutex){+.+.}, at: [] tty_open+0x3a8/0x980 drivers/tty/tty_io.c:2011 1 lock held by init/11095: #0: (tty_mutex){+.+.}, at: [] tty_open_by_driver drivers/tty/tty_io.c:1927 [inline] #0: (tty_mutex){+.+.}, at: [] tty_open+0x3a8/0x980 drivers/tty/tty_io.c:2011 1 lock held by init/11096: #0: (tty_mutex){+.+.}, at: [] tty_open_by_driver drivers/tty/tty_io.c:1927 [inline] #0: (tty_mutex){+.+.}, at: [] tty_open+0x3a8/0x980 drivers/tty/tty_io.c:2011 1 lock held by syz-executor2/13810: #0: (&mm->mmap_sem){++++}, at: [] vm_mmap_pgoff+0x14f/0x1d0 mm/util.c:331 2 locks held by syz-executor2/13812: #0: (&mm->mmap_sem){++++}, at: [] __mm_populate+0x206/0x300 mm/gup.c:1247 #1: (&ei->i_mmap_sem){++++}, at: [] ext4_filemap_fault+0x75/0xb0 fs/ext4/inode.c:6178 1 lock held by syz-executor0/13811: #0: (&mm->mmap_sem){++++}, at: [] vm_mmap_pgoff+0x14f/0x1d0 mm/util.c:331 2 locks held by syz-executor0/13814: #0: (&mm->mmap_sem){++++}, at: [] __mm_populate+0x206/0x300 mm/gup.c:1247 #1: (&ei->i_mmap_sem){++++}, at: [] ext4_filemap_fault+0x75/0xb0 fs/ext4/inode.c:6178 2 locks held by syz-executor3/13815: #0: (&mm->mmap_sem){++++}, at: [] __do_page_fault+0x26d/0xb60 arch/x86/mm/fault.c:1354 #1: (&ei->i_mmap_sem){++++}, at: [] ext4_filemap_fault+0x75/0xb0 fs/ext4/inode.c:6178 1 lock held by syz-executor3/13817: #0: (tty_mutex){+.+.}, at: [] ptmx_open+0xe8/0x2f0 drivers/tty/pty.c:834 1 lock held by syz-executor4/13826: #0: (&mm->mmap_sem){++++}, at: [] __do_page_fault+0x868/0xb60 arch/x86/mm/fault.c:1361 3 locks held by syz-executor4/13829: #0: (&dup_mmap_sem){.+.+}, at: [] dup_mmap kernel/fork.c:609 [inline] #0: (&dup_mmap_sem){.+.+}, at: [] dup_mm kernel/fork.c:1202 [inline] #0: (&dup_mmap_sem){.+.+}, at: [] copy_mm kernel/fork.c:1256 [inline] #0: (&dup_mmap_sem){.+.+}, at: [] copy_process.part.6+0x3989/0x6530 kernel/fork.c:1762 #1: (&mm->mmap_sem){++++}, at: [] dup_mmap kernel/fork.c:610 [inline] #1: (&mm->mmap_sem){++++}, at: [] dup_mm kernel/fork.c:1202 [inline] #1: (&mm->mmap_sem){++++}, at: [] copy_mm kernel/fork.c:1256 [inline] #1: (&mm->mmap_sem){++++}, at: [] copy_process.part.6+0x39a5/0x6530 kernel/fork.c:1762 #2: (&mm->mmap_sem/1){+.+.}, at: [] dup_mmap kernel/fork.c:619 [inline] #2: (&mm->mmap_sem/1){+.+.}, at: [] dup_mm kernel/fork.c:1202 [inline] #2: (&mm->mmap_sem/1){+.+.}, at: [] copy_mm kernel/fork.c:1256 [inline] #2: (&mm->mmap_sem/1){+.+.}, at: [] copy_process.part.6+0x39ed/0x6530 kernel/fork.c:1762 ============================================= NMI backtrace for cpu 0 CPU: 0 PID: 23 Comm: khungtaskd Not tainted 4.14.87+ #21 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0xb9/0x11b lib/dump_stack.c:53 nmi_cpu_backtrace.cold.0+0x47/0x85 lib/nmi_backtrace.c:101 nmi_trigger_cpumask_backtrace+0x121/0x146 lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:140 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:196 [inline] watchdog+0x574/0xa70 kernel/hung_task.c:252 kthread+0x348/0x420 kernel/kthread.c:232 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402 Sending NMI from CPU 0 to CPUs 1: INFO: NMI handler (nmi_cpu_backtrace_handler) took too long to run: 1.150 msecs NMI backtrace for cpu 1 CPU: 1 PID: 13805 Comm: syz-executor5 Not tainted 4.14.87+ #21 task: ffff8881cfcb8000 task.stack: ffff8881c52c0000 RIP: 0010:rcu_lockdep_current_cpu_online+0x35/0x130 kernel/rcu/tree.c:1186 RSP: 0018:ffff8881c52c6368 EFLAGS: 00000046 RAX: 0000000000000001 RBX: 0000000000000001 RCX: 0000000000040000 RDX: ffffffff81b914c4 RSI: ffffc90001328000 RDI: ffffffff9714e400 RBP: ffff8881a1967848 R08: 0000000000000001 R09: 0000000000000000 R10: ffff8881cfcb88d0 R11: 0000000000000001 R12: 0000000000000000 R13: ffff8881dbb249c0 R14: ffff8881a1967878 R15: ffff8881dbb24a80 FS: 00007f0e00d62700(0000) GS:ffff8881dbb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000be2d30 CR3: 00000000a131a005 CR4: 00000000001606a0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 Call Trace: rcu_read_lock_sched_held+0x91/0x120 kernel/rcu/update.c:113 trace_hrtimer_cancel include/trace/events/timer.h:278 [inline] debug_deactivate kernel/time/hrtimer.c:454 [inline] remove_hrtimer kernel/time/hrtimer.c:925 [inline] hrtimer_try_to_cancel+0x434/0x540 kernel/time/hrtimer.c:1030 hrtimer_cancel+0x1e/0x40 kernel/time/hrtimer.c:1050 perf_swevent_cancel_hrtimer kernel/events/core.c:8812 [inline] cpu_clock_event_stop+0x65/0x70 kernel/events/core.c:8810 event_sched_out.isra.53+0x43a/0xac0 kernel/events/core.c:1866 group_sched_out+0xa8/0x230 kernel/events/core.c:1896 ctx_sched_out+0x43d/0x680 kernel/events/core.c:2851 task_ctx_sched_out+0x5b/0x80 kernel/events/core.c:2319 perf_event_context_sched_out kernel/events/core.c:3034 [inline] __perf_event_task_sched_out+0x68f/0x1020 kernel/events/core.c:3125 perf_event_task_sched_out include/linux/perf_event.h:1099 [inline] prepare_task_switch kernel/sched/core.c:2652 [inline] context_switch kernel/sched/core.c:2824 [inline] __schedule+0x154f/0x1ed0 kernel/sched/core.c:3446 preempt_schedule_common+0x1f/0xc0 kernel/sched/core.c:3570 ___preempt_schedule+0x16/0x18 __raw_spin_unlock include/linux/spinlock_api_smp.h:152 [inline] _raw_spin_unlock+0x3b/0x40 kernel/locking/spinlock.c:184 spin_unlock include/linux/spinlock.h:357 [inline] __list_lru_count_one mm/list_lru.c:174 [inline] list_lru_count_one+0x12d/0x1d0 mm/list_lru.c:182 list_lru_shrink_count include/linux/list_lru.h:117 [inline] super_cache_count+0x18a/0x2a0 fs/super.c:144 do_shrink_slab mm/vmscan.c:328 [inline] shrink_slab.part.8+0x25c/0xa30 mm/vmscan.c:504 shrink_slab mm/vmscan.c:468 [inline] shrink_node+0x8c8/0xbf0 mm/vmscan.c:2665 shrink_zones mm/vmscan.c:2812 [inline] do_try_to_free_pages+0x349/0xde0 mm/vmscan.c:2874 try_to_free_pages+0x204/0x6b0 mm/vmscan.c:3080 __perform_reclaim mm/page_alloc.c:3593 [inline] __alloc_pages_direct_reclaim mm/page_alloc.c:3614 [inline] __alloc_pages_slowpath mm/page_alloc.c:4011 [inline] __alloc_pages_nodemask+0xaf2/0x2280 mm/page_alloc.c:4220 __alloc_pages include/linux/gfp.h:461 [inline] __alloc_pages_node include/linux/gfp.h:474 [inline] alloc_pages_node include/linux/gfp.h:488 [inline] alloc_slab_page mm/slub.c:1437 [inline] allocate_slab mm/slub.c:1588 [inline] new_slab+0x3c0/0x470 mm/slub.c:1651 new_slab_objects mm/slub.c:2434 [inline] ___slab_alloc.constprop.35+0x2e2/0x480 mm/slub.c:2586 __slab_alloc.isra.26.constprop.34+0x4b/0x90 mm/slub.c:2626 slab_alloc_node mm/slub.c:2689 [inline] slab_alloc mm/slub.c:2731 [inline] kmem_cache_alloc+0x19e/0x2b0 mm/slub.c:2736 kmem_cache_alloc_node include/linux/slab.h:361 [inline] __alloc_skb+0xd8/0x550 net/core/skbuff.c:193 alloc_skb include/linux/skbuff.h:980 [inline] alloc_skb_with_frags+0xab/0x500 net/core/skbuff.c:5172 sock_alloc_send_pskb+0x55e/0x6e0 net/core/sock.c:2075 __ip6_append_data.isra.3+0x1698/0x2940 net/ipv6/ip6_output.c:1417 ip6_make_skb+0x24d/0x420 net/ipv6/ip6_output.c:1766 udpv6_sendmsg+0x1ecf/0x2510 net/ipv6/udp.c:1347 inet_sendmsg+0x168/0x540 net/ipv4/af_inet.c:781 sock_sendmsg_nosec net/socket.c:645 [inline] sock_sendmsg+0xb5/0x100 net/socket.c:655 ___sys_sendmsg+0x41d/0x890 net/socket.c:2061 __sys_sendmmsg+0x13d/0x360 net/socket.c:2151 SYSC_sendmmsg net/socket.c:2182 [inline] SyS_sendmmsg+0x2f/0x50 net/socket.c:2177 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x457679 RSP: 002b:00007f0e00d61c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000457679 RDX: 00000000000004ff RSI: 00000000200092c0 RDI: 0000000000000004 RBP: 000000000072bfa0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0e00d626d4 R13: 00000000004c3e34 R14: 00000000004d6c58 R15: 00000000ffffffff Code: 05 a1 04 bd 6a a9 00 00 10 00 bb 01 00 00 00 74 0b 48 83 c4 08 89 d8 5b 5d 41 5c c3 bf 01 00 00 00 e8 10 45 f1 ff e8 9b 3c 94 00 <48> c7 c3 40 b1 02 00 48 ba 00 00 00 00 00 fc ff df 89 c0 48 8d