ci starts bisection 2025-12-19 20:26:20.969005019 +0000 UTC m=+2017570.494491143
bisecting fixing commit since 552c50713f273b494ac6c77052032a49bc9255e2
building syzkaller on 252fbbadf10d41c4028958c2b430c1291c1f9201
ensuring issue is reproducible on original commit 552c50713f273b494ac6c77052032a49bc9255e2
testing commit 552c50713f273b494ac6c77052032a49bc9255e2 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 68ad5669ba5cf593b809742052944a9741bddb270d448d5f34e8ee64b05d99b2
all runs: crashed: INFO: task hung in __rmap_walk_file
representative crash: INFO: task hung in __rmap_walk_file, types: [HANG]
check whether we can drop unnecessary instrumentation
disabling configs for [ubsan bug_or_warning kasan locking atomic_sleep memleak], they are not needed
testing commit 552c50713f273b494ac6c77052032a49bc9255e2 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 6136a04559210ea00265a2cc588d307f13e268dadba27187199b6b671ccf5499
all runs: crashed: INFO: task hung in __rmap_walk_file
representative crash: INFO: task hung in __rmap_walk_file, types: [HANG]
the bug reproduces without the instrumentation
disabling configs for [memleak ubsan bug_or_warning kasan locking atomic_sleep], they are not needed
kconfig minimization: base=4116 full=8528 leaves diff=2154
split chunks (needed=false): <2154>
split chunk #0 of len 2154 into 5 parts
testing without sub-chunk 1/5
disabling configs for [bug_or_warning kasan locking atomic_sleep memleak ubsan], they are not needed
testing commit 552c50713f273b494ac6c77052032a49bc9255e2 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: c0c8ed58ec818b9fe33609a71f075db86830ecf4642ef68aa9b28ec15bb42451
all runs: crashed: INFO: task hung in __rmap_walk_file
representative crash: INFO: task hung in __rmap_walk_file, types: [HANG]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [memleak ubsan bug_or_warning kasan locking atomic_sleep], they are not needed
testing commit 552c50713f273b494ac6c77052032a49bc9255e2 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 9858c14ef71086727faf2a9e645dcbe729305cdf1ae8fc20924eb7c549f7b9a7
all runs: crashed: INFO: task hung in __rmap_walk_file
representative crash: INFO: task hung in __rmap_walk_file, types: [HANG]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [locking atomic_sleep memleak ubsan bug_or_warning kasan], they are not needed
testing commit 552c50713f273b494ac6c77052032a49bc9255e2 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 2ab1009fcb8eee08afe17a704a64700b1e5a5d3ff4203ca0d8b253dd4e79a21b
run #0: crashed: INFO: task hung in __rmap_walk_file
run #1: crashed: INFO: task hung in __rmap_walk_file
run #2: crashed: INFO: task hung in __rmap_walk_file
run #3: crashed: INFO: task hung in __rmap_walk_file
run #4: crashed: INFO: task hung in __rmap_walk_file
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
representative crash: INFO: task hung in __rmap_walk_file, types: [HANG]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [kasan locking atomic_sleep memleak ubsan bug_or_warning], they are not needed
testing commit 552c50713f273b494ac6c77052032a49bc9255e2 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 3fd39f8b57490026c43f38ca99f9320fc7b1b1fd662995f6d3ca0a713260b116
run #0: crashed: INFO: task hung in __rmap_walk_file
run #1: crashed: INFO: task hung in __rmap_walk_file
run #2: crashed: INFO: task hung in __rmap_walk_file
run #3: crashed: INFO: task hung in __rmap_walk_file
run #4: crashed: INFO: task hung in __rmap_walk_file
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
representative crash: INFO: task hung in __rmap_walk_file, types: [HANG]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [bug_or_warning kasan locking atomic_sleep memleak ubsan], they are not needed
testing commit 552c50713f273b494ac6c77052032a49bc9255e2 gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: cb6a49d678a2de2533cde8b1b574d076ac760b12f79b4aa9744d890a70542a09
run #0: crashed: INFO: task hung in __rmap_walk_file
run #1: crashed: INFO: task hung in __rmap_walk_file
run #2: crashed: INFO: task hung in __rmap_walk_file
run #3: crashed: INFO: task hung in __rmap_walk_file
run #4: crashed: INFO: task hung in __rmap_walk_file
run #5: crashed: INFO: task hung in __rmap_walk_file
run #6: crashed: INFO: task hung in __rmap_walk_file
run #7: crashed: INFO: task hung in __rmap_walk_file
run #8: OK
run #9: OK
representative crash: INFO: task hung in __rmap_walk_file, types: [HANG]
the chunk can be dropped
disabling configs for [memleak ubsan bug_or_warning kasan locking atomic_sleep], they are not needed
testing current HEAD dd9b004b7ff3289fb7bae35130c0a5c0537266af
testing commit dd9b004b7ff3289fb7bae35130c0a5c0537266af gcc
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
kernel signature: 568a1727532b8c469fb593981ec564b9a211e1d5358bc0718306cfb27d4e0e5f
run #0: crashed: INFO: task hung in __rmap_walk_file
run #1: crashed: INFO: task hung in __rmap_walk_file
run #2: crashed: INFO: task hung in __rmap_walk_file
run #3: crashed: INFO: task hung in __rmap_walk_file
run #4: crashed: INFO: task hung in __rmap_walk_file
run #5: crashed: INFO: task hung in __rmap_walk_file
run #6: crashed: INFO: task hung in __rmap_walk_file
run #7: OK
run #8: crashed: INFO: task hung in __rmap_walk_file
run #9: OK
representative crash: INFO: task hung in __rmap_walk_file, types: [HANG]
crash still not fixed/happens on the oldest tested release
revisions tested: 8, total time: 2h45m5.870103346s (build: 58m41.872119475s, test: 1h22m23.239392057s)
crash still not fixed or there were kernel test errors
commit msg: Merge tag 'trace-v6.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace
crash: INFO: task hung in __rmap_walk_file
INFO: task syz.0.1923:8076 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.1923 state:D stack:12968 pid:8076 tgid:8075 ppid:2440 task_flags:0x400140 flags:0x00080002
Call Trace:
context_switch kernel/sched/core.c:5256 [inline]
__schedule+0x937/0xe00 kernel/sched/core.c:6863
__schedule_loop kernel/sched/core.c:6945 [inline]
schedule+0xac/0x140 kernel/sched/core.c:6960
schedule_preempt_disabled+0x32/0x60 kernel/sched/core.c:7017
rwsem_down_read_slowpath+0x282/0x540 kernel/locking/rwsem.c:1086
__down_read_common kernel/locking/rwsem.c:1261 [inline]
__down_read kernel/locking/rwsem.c:1274 [inline]
down_read+0x86/0xf0 kernel/locking/rwsem.c:1539
i_mmap_lock_read include/linux/fs.h:532 [inline]
__rmap_walk_file+0x9c/0x220 mm/rmap.c:2914
remove_migration_ptes mm/migrate.c:472 [inline]
unmap_and_move_huge_page mm/migrate.c:1528 [inline]
migrate_hugetlbs mm/migrate.c:1649 [inline]
migrate_pages+0x440/0xd40 mm/migrate.c:2088
do_mbind mm/mempolicy.c:1609 [inline]
kernel_mbind mm/mempolicy.c:1752 [inline]
__do_sys_mbind mm/mempolicy.c:1826 [inline]
__se_sys_mbind+0x632/0x720 mm/mempolicy.c:1822
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x8f/0x2f0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f24b7abefc9
RSP: 002b:00007f24b7927038 EFLAGS: 00000246 ORIG_RAX: 00000000000000ed
RAX: ffffffffffffffda RBX: 00007f24b7d15fa0 RCX: 00007f24b7abefc9
RDX: 0000000000000000 RSI: 0000000000800000 RDI: 0000200000001000
RBP: 00007f24b7b41f91 R08: 0000000000000000 R09: 0000000000000002
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f24b7d16038 R14: 00007f24b7d15fa0 R15: 00007ffdfad30858
INFO: task syz.0.1923:8105 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.1923 state:D stack:14016 pid:8105 tgid:8075 ppid:2440 task_flags:0x400040 flags:0x00080002
Call Trace:
context_switch kernel/sched/core.c:5256 [inline]
__schedule+0x937/0xe00 kernel/sched/core.c:6863
__schedule_loop kernel/sched/core.c:6945 [inline]
schedule+0xac/0x140 kernel/sched/core.c:6960
io_schedule+0x3f/0x60 kernel/sched/core.c:7789
folio_wait_bit_common+0x1d9/0x390 mm/filemap.c:1323
__folio_lock mm/filemap.c:1699 [inline]
folio_lock include/linux/pagemap.h:1159 [inline]
__filemap_get_folio_mpol+0x150/0x3e0 mm/filemap.c:1954
__filemap_get_folio include/linux/pagemap.h:763 [inline]
filemap_lock_folio include/linux/pagemap.h:825 [inline]
filemap_lock_hugetlb_folio include/linux/hugetlb.h:817 [inline]
hugetlbfs_zero_partial_page+0x3a/0x130 fs/hugetlbfs/inode.c:664
hugetlbfs_punch_hole fs/hugetlbfs/inode.c:718 [inline]
hugetlbfs_fallocate+0x2dc/0x5e0 fs/hugetlbfs/inode.c:751
vfs_fallocate+0x1ab/0x1d0 fs/open.c:339
madvise_remove mm/madvise.c:1046 [inline]
madvise_vma_behavior+0x58c/0x11d0 mm/madvise.c:1360
madvise_walk_vmas mm/madvise.c:1721 [inline]
madvise_do_behavior+0x30f/0x4c0 mm/madvise.c:1937
do_madvise+0x194/0x1f0 mm/madvise.c:2030
__do_sys_madvise mm/madvise.c:2039 [inline]
__se_sys_madvise mm/madvise.c:2037 [inline]
__x64_sys_madvise+0x24/0x30 mm/madvise.c:2037
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x8f/0x2f0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f24b7abefc9
RSP: 002b:00007f24b78d3038 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
RAX: ffffffffffffffda RBX: 00007f24b7d16090 RCX: 00007f24b7abefc9
RDX: 0000000000000009 RSI: 0000000000600002 RDI: 0000200000000000
RBP: 00007f24b7b41f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f24b7d16128 R14: 00007f24b7d16090 R15: 00007ffdfad30858
Showing all locks held in the system:
1 lock held by khungtaskd/31:
#0: ffffffff8297c5e0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#0: ffffffff8297c5e0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
#0: ffffffff8297c5e0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x2e/0x100 kernel/locking/lockdep.c:6775
2 locks held by kworker/u8:4/152:
#0: ffff88810007c948 ((wq_completion)events_unbound){....}-{0:0}, at: process_one_work kernel/workqueue.c:3232 [inline]
#0: ffff88810007c948 ((wq_completion)events_unbound){....}-{0:0}, at: process_scheduled_works+0x27f/0x5e0 kernel/workqueue.c:3340
#1: ffffc90000ed3e48 ((work_completion)(&sub_info->work)){....}-{0:0}, at: process_one_work kernel/workqueue.c:3233 [inline]
#1: ffffc90000ed3e48 ((work_completion)(&sub_info->work)){....}-{0:0}, at: process_scheduled_works+0x29f/0x5e0 kernel/workqueue.c:3340
2 locks held by kworker/u8:10/741:
#0: ffff888103297d48 ((wq_completion)iou_exit){....}-{0:0}, at: process_one_work kernel/workqueue.c:3232 [inline]
#0: ffff888103297d48 ((wq_completion)iou_exit){....}-{0:0}, at: process_scheduled_works+0x27f/0x5e0 kernel/workqueue.c:3340
#1: ffffc90001b03e48 ((work_completion)(&ctx->exit_work)){....}-{0:0}, at: process_one_work kernel/workqueue.c:3233 [inline]
#1: ffffc90001b03e48 ((work_completion)(&ctx->exit_work)){....}-{0:0}, at: process_scheduled_works+0x29f/0x5e0 kernel/workqueue.c:3340
2 locks held by getty/871:
#0: ffff888104a890a0 (&tty->ldisc_sem){....}-{0:0}, at: tty_ldisc_ref_wait+0x20/0x40 drivers/tty/tty_ldisc.c:243
#1: ffffc90001b772f0 (&ldata->atomic_read_lock){....}-{3:3}, at: n_tty_read+0x1c4/0x700 drivers/tty/n_tty.c:2211
1 lock held by syz.0.1923/8076:
#0: ffff88810afee390 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: i_mmap_lock_read include/linux/fs.h:532 [inline]
#0: ffff88810afee390 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: __rmap_walk_file+0x9c/0x220 mm/rmap.c:2914
3 locks held by syz.0.1923/8105:
#0: ffff888102ec33f8 (sb_writers#12){....}-{0:0}, at: vfs_fallocate+0x18f/0x1d0 fs/open.c:338
#1: ffff88810afee0c8 (&sb->s_type->i_mutex_key#17){....}-{3:3}, at: inode_lock include/linux/fs.h:1027 [inline]
#1: ffff88810afee0c8 (&sb->s_type->i_mutex_key#17){....}-{3:3}, at: hugetlbfs_punch_hole fs/hugetlbfs/inode.c:693 [inline]
#1: ffff88810afee0c8 (&sb->s_type->i_mutex_key#17){....}-{3:3}, at: hugetlbfs_fallocate+0x1f2/0x5e0 fs/hugetlbfs/inode.c:751
#2: ffff88810afee390 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: i_mmap_lock_write include/linux/fs.h:512 [inline]
#2: ffff88810afee390 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: hugetlbfs_punch_hole fs/hugetlbfs/inode.c:701 [inline]
#2: ffff88810afee390 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: hugetlbfs_fallocate+0x24e/0x5e0 fs/hugetlbfs/inode.c:751
1 lock held by syz.7.31702/17052:
#0: ffffffff8297d5b8 (rcu_state.exp_mutex){....}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:343 [inline]
#0: ffffffff8297d5b8 (rcu_state.exp_mutex){....}-{3:3}, at: synchronize_rcu_expedited+0x179/0x620 kernel/rcu/tree_exp.h:956
1 lock held by syz.2.31705/17081:
#0: ffffffff8297d5b8 (rcu_state.exp_mutex){....}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:343 [inline]
#0: ffffffff8297d5b8 (rcu_state.exp_mutex){....}-{3:3}, at: synchronize_rcu_expedited+0x179/0x620 kernel/rcu/tree_exp.h:956
1 lock held by modprobe/17100:
#0: ffff888237d2a998 (&rq->__lock){....}-{2:2}, at: raw_spin_rq_lock_nested+0x20/0x70 kernel/sched/core.c:639
=============================================
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 31 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
dump_stack_lvl+0xa2/0xf0 lib/dump_stack.c:120
nmi_cpu_backtrace+0x109/0x170 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x8e/0x140 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
__sys_info lib/sys_info.c:157 [inline]
sys_info+0x95/0xb0 lib/sys_info.c:165
check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
watchdog+0x590/0x5b0 kernel/hung_task.c:515
kthread+0x203/0x230 kernel/kthread.c:463
ret_from_fork+0xf2/0x230 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 17117 Comm: modprobe Not tainted syzkaller #0 PREEMPT(none)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:__lock_acquire+0x1c4/0x4c0 kernel/locking/lockdep.c:5207
Code: 44 09 c1 09 f1 44 09 c9 89 8c c3 68 0a 00 00 89 bc c3 6c 0a 00 00 83 3d 59 46 d2 05 00 75 11 48 63 ca 48 0f a3 0d 7c 3c 4f 02 <0f> 83 7e 02 00 00 48 8b ab 38 0a 00 00 4d 85 ff 75 19 83 3d 33 46
RSP: 0018:ffffc900060ffac8 EFLAGS: 00000047
RAX: 0000000000000000 RBX: ffff88811e3b1b80 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffff870edce8 R08: 0000000000080000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8882b4b01000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdba8f52eb8 CR3: 000000011f1c0000 CR4: 00000000003506f0
Call Trace:
lock_acquire+0xd6/0x200 kernel/locking/lockdep.c:5868
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x52/0x90 kernel/locking/spinlock.c:162
__debug_check_no_obj_freed lib/debugobjects.c:1088 [inline]
debug_check_no_obj_freed+0xfd/0x260 lib/debugobjects.c:1129
slab_free_hook mm/slub.c:2471 [inline]
slab_free mm/slub.c:6668 [inline]
kmem_cache_free+0xf5/0x530 mm/slub.c:6779
path_openat+0xeb5/0xfe0 fs/namei.c:4796
do_filp_open+0xc6/0x180 fs/namei.c:4814
do_sys_openat2+0x7c/0xf0 fs/open.c:1430
do_sys_open fs/open.c:1436 [inline]
__do_sys_openat fs/open.c:1452 [inline]
__se_sys_openat fs/open.c:1447 [inline]
__x64_sys_openat+0x7b/0xa0 fs/open.c:1447
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x8f/0x2f0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fdba923d0ba
Code: 41 89 f2 48 89 54 24 e0 41 83 e2 40 75 2a 89 f0 f7 d0 a9 00 00 41 00 74 1f 89 f2 b8 01 01 00 00 48 89 fe bf 9c ff ff ff 0f 05 <48> 3d 00 f0 ff ff 77 2e c3 0f 1f 44 00 00 48 8d 44 24 08 c7 44 24
RSP: 002b:00007ffc4d3c8628 EFLAGS: 00000206 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007ffc4d3c86a0 RCX: 00007fdba923d0ba
RDX: 0000000000080000 RSI: 00007ffc4d3c86a0 RDI: 00000000ffffff9c
RBP: 00007ffc4d3c8690 R08: 00007ffc4d3c8897 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000032
R13: 00007fdba9211050 R14: 00007ffc4d3c88b0 R15: 0000000000000000