Extracting prog: 2m15.538909002s
Minimizing prog: 6m46.09098684s
Simplifying prog options: 0s
Extracting C: 31.948355177s
Simplifying C: 2m25.843483243s


extracting reproducer from 30 programs
first checking the prog from the crash report
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_COPY
detailed listing:
executing program 0:
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
r0 = userfaultfd(0x80001)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0))
ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000040)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000000000/0x3000)=nil, 0x3000})

program crashed: possible deadlock in move_pages
single: successfully extracted reproducer
found reproducer with 4 syscalls
minimizing guilty program
testing program (duration=54.350627361s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap-userfaultfd-ioctl$UFFDIO_API
detailed listing:
executing program 0:
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
r0 = userfaultfd(0x80001)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0))

program did not crash
testing program (duration=54.350627361s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap-userfaultfd-ioctl$UFFDIO_COPY
detailed listing:
executing program 0:
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
r0 = userfaultfd(0x80001)
ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000040)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000000000/0x3000)=nil, 0x3000})

program did not crash
testing program (duration=54.350627361s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap-ioctl$UFFDIO_API-ioctl$UFFDIO_COPY
detailed listing:
executing program 0:
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
ioctl$UFFDIO_API(0xffffffffffffffff, 0xc018aa3f, &(0x7f00000000c0))
ioctl$UFFDIO_COPY(0xffffffffffffffff, 0xc028aa05, &(0x7f0000000040)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000000000/0x3000)=nil, 0x3000})

program did not crash
testing program (duration=54.350627361s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_COPY
detailed listing:
executing program 0:
r0 = userfaultfd(0x80001)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0))
ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000040)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000000000/0x3000)=nil, 0x3000})

program did not crash
testing program (duration=54.350627361s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_COPY
detailed listing:
executing program 0:
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
r0 = userfaultfd(0x80001)
ioctl$UFFDIO_API(r0, 0xc018aa3f, 0x0)
ioctl$UFFDIO_COPY(r0, 0xc028aa05, &(0x7f0000000040)={&(0x7f0000ffd000/0x3000)=nil, &(0x7f0000000000/0x3000)=nil, 0x3000})

program did not crash
testing program (duration=54.350627361s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_COPY
detailed listing:
executing program 0:
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
r0 = userfaultfd(0x80001)
ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f00000000c0))
ioctl$UFFDIO_COPY(r0, 0xc028aa05, 0x0)

program did not crash
extracting C reproducer
testing compiled C program (duration=54.350627361s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_COPY
program crashed: possible deadlock in move_pages
simplifying C reproducer
testing compiled C program (duration=54.350627361s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_COPY
program crashed: possible deadlock in move_pages
testing compiled C program (duration=54.350627361s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_COPY
program crashed: possible deadlock in move_pages
testing compiled C program (duration=54.350627361s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_COPY
program crashed: possible deadlock in move_pages
testing compiled C program (duration=54.350627361s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_COPY
program crashed: possible deadlock in move_pages
testing compiled C program (duration=54.350627361s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_COPY
program crashed: possible deadlock in move_pages
testing compiled C program (duration=54.350627361s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_COPY
program crashed: possible deadlock in move_pages
testing compiled C program (duration=54.350627361s, {Threaded:false Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mmap-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_COPY
program crashed: possible deadlock in move_pages
reproducing took 11m59.421754345s
repro crashed as (corrupted=false):
============================================
WARNING: possible recursive locking detected
6.13.0-rc6-next-20250107-syzkaller #0 Not tainted
--------------------------------------------
syz-executor410/5827 is trying to acquire lock:
ffff88802e7c9848 (vm_lock){++++}-{0:0}, at: uffd_move_lock mm/userfaultfd.c:1477 [inline]
ffff88802e7c9848 (vm_lock){++++}-{0:0}, at: move_pages+0x26b/0x1680 mm/userfaultfd.c:1632

but task is already holding lock:
ffff88802e7c9708 (vm_lock){++++}-{0:0}, at: vma_start_read_locked include/linux/mm.h:808 [inline]
ffff88802e7c9708 (vm_lock){++++}-{0:0}, at: uffd_lock_vma+0x20c/0x2c0 mm/userfaultfd.c:88

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(vm_lock);
  lock(vm_lock);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

2 locks held by syz-executor410/5827:
 #0: ffff88802e7c9708 (vm_lock){++++}-{0:0}, at: vma_start_read_locked include/linux/mm.h:808 [inline]
 #0: ffff88802e7c9708 (vm_lock){++++}-{0:0}, at: uffd_lock_vma+0x20c/0x2c0 mm/userfaultfd.c:88
 #1: ffffffff8e937ee0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
 #1: ffffffff8e937ee0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
 #1: ffffffff8e937ee0 (rcu_read_lock){....}-{1:3}, at: lock_vma_under_rcu+0x1dd/0x9a0 mm/memory.c:6431

stack backtrace:
CPU: 1 UID: 0 PID: 5827 Comm: syz-executor410 Not tainted 6.13.0-rc6-next-20250107-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_deadlock_bug+0x483/0x620 kernel/locking/lockdep.c:3039
 check_deadlock kernel/locking/lockdep.c:3091 [inline]
 validate_chain+0x15e2/0x5920 kernel/locking/lockdep.c:3893
 __lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5228
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5851
 vma_start_read include/linux/mm.h:749 [inline]
 lock_vma_under_rcu+0x35f/0x9a0 mm/memory.c:6436
 uffd_move_lock mm/userfaultfd.c:1477 [inline]
 move_pages+0x26b/0x1680 mm/userfaultfd.c:1632
 userfaultfd_move fs/userfaultfd.c:1899 [inline]
 userfaultfd_ioctl+0x5221/0x6840 fs/userfaultfd.c:2022
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:906 [inline]
 __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f05acff8329
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff5737ab28 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fff5737ac

final repro crashed as (corrupted=false):
============================================
WARNING: possible recursive locking detected
6.13.0-rc6-next-20250107-syzkaller #0 Not tainted
--------------------------------------------
syz-executor410/5827 is trying to acquire lock:
ffff88802e7c9848 (vm_lock){++++}-{0:0}, at: uffd_move_lock mm/userfaultfd.c:1477 [inline]
ffff88802e7c9848 (vm_lock){++++}-{0:0}, at: move_pages+0x26b/0x1680 mm/userfaultfd.c:1632

but task is already holding lock:
ffff88802e7c9708 (vm_lock){++++}-{0:0}, at: vma_start_read_locked include/linux/mm.h:808 [inline]
ffff88802e7c9708 (vm_lock){++++}-{0:0}, at: uffd_lock_vma+0x20c/0x2c0 mm/userfaultfd.c:88

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(vm_lock);
  lock(vm_lock);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

2 locks held by syz-executor410/5827:
 #0: ffff88802e7c9708 (vm_lock){++++}-{0:0}, at: vma_start_read_locked include/linux/mm.h:808 [inline]
 #0: ffff88802e7c9708 (vm_lock){++++}-{0:0}, at: uffd_lock_vma+0x20c/0x2c0 mm/userfaultfd.c:88
 #1: ffffffff8e937ee0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
 #1: ffffffff8e937ee0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
 #1: ffffffff8e937ee0 (rcu_read_lock){....}-{1:3}, at: lock_vma_under_rcu+0x1dd/0x9a0 mm/memory.c:6431

stack backtrace:
CPU: 1 UID: 0 PID: 5827 Comm: syz-executor410 Not tainted 6.13.0-rc6-next-20250107-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_deadlock_bug+0x483/0x620 kernel/locking/lockdep.c:3039
 check_deadlock kernel/locking/lockdep.c:3091 [inline]
 validate_chain+0x15e2/0x5920 kernel/locking/lockdep.c:3893
 __lock_acquire+0x1397/0x2100 kernel/locking/lockdep.c:5228
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5851
 vma_start_read include/linux/mm.h:749 [inline]
 lock_vma_under_rcu+0x35f/0x9a0 mm/memory.c:6436
 uffd_move_lock mm/userfaultfd.c:1477 [inline]
 move_pages+0x26b/0x1680 mm/userfaultfd.c:1632
 userfaultfd_move fs/userfaultfd.c:1899 [inline]
 userfaultfd_ioctl+0x5221/0x6840 fs/userfaultfd.c:2022
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:906 [inline]
 __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f05acff8329
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff5737ab28 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fff5737ac