bisecting cause commit starting from 3b0dc529f56b5f2328244130683210be98f16f7f building syzkaller on ef82eb2c4a4a718bdb87ccd783a1d6431ec2faf8 testing commit 3b0dc529f56b5f2328244130683210be98f16f7f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 0d4e4146a7107656f753417969ea70c79c2ead84d1ad652f1c9152287ed854f9 run #0: crashed: INFO: task hung in addrconf_dad_work run #1: crashed: INFO: task hung in regdb_fw_cb run #2: crashed: INFO: task hung in regdb_fw_cb run #3: crashed: INFO: task hung in addrconf_dad_work run #4: crashed: INFO: task hung in addrconf_dad_work run #5: crashed: INFO: task hung in addrconf_dad_work run #6: crashed: INFO: task hung in linkwatch_event run #7: crashed: INFO: task hung in crda_timeout_work run #8: crashed: INFO: task hung in linkwatch_event run #9: crashed: INFO: task hung in crda_timeout_work run #10: crashed: INFO: task hung in linkwatch_event run #11: crashed: INFO: task hung in crda_timeout_work run #12: crashed: INFO: task hung in linkwatch_event run #13: crashed: INFO: task hung in addrconf_dad_work run #14: crashed: INFO: task hung in addrconf_dad_work run #15: crashed: INFO: task hung in addrconf_dad_work run #16: crashed: INFO: task hung in linkwatch_event run #17: crashed: INFO: task hung in linkwatch_event run #18: crashed: INFO: task hung in regdb_fw_cb run #19: crashed: INFO: task hung in crda_timeout_work testing release v5.18 testing commit 4b0986a3613c92f4ec1bdc7f60ec66fea135991f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 7c1a0e0d45edacfe0d3ef5ddd44c2a3078743daeb54d86d5c59c36a738ea973e all runs: OK # git bisect start 3b0dc529f56b5f2328244130683210be98f16f7f 4b0986a3613c92f4ec1bdc7f60ec66fea135991f Bisecting: 7260 revisions left to test after this (roughly 13 steps) [d7227785e384d4422b3ca189aa5bf19f462337cc] Merge tag 'sound-5.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound testing commit d7227785e384d4422b3ca189aa5bf19f462337cc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3561a0779e64eb4143c5e07af4cf1fc49ccd47cefbcff27a2e0dd0b2c638cbbc all runs: OK # git bisect good d7227785e384d4422b3ca189aa5bf19f462337cc Bisecting: 3637 revisions left to test after this (roughly 12 steps) [09f73a1ab8207481d1d6bd91ab7d0125c6722005] Merge tag 'perf-tools-for-v5.19-2022-05-28' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux testing commit 09f73a1ab8207481d1d6bd91ab7d0125c6722005 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 2c17dafe998f3cc861fa3ce8fa16ef7512575d18bac84d9896038677c5807473 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 09f73a1ab8207481d1d6bd91ab7d0125c6722005 Bisecting: 1776 revisions left to test after this (roughly 11 steps) [932c2989b59008e530ffcc7c7e6ef507a28b28ca] Merge tag 'tty-5.19-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty testing commit 932c2989b59008e530ffcc7c7e6ef507a28b28ca compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 359b538761981a074ab6e842e4bf1ccb064edf6dc12020c233b1d362fccf0923 run #0: boot failed: INFO: task hung in add_early_randomness run #1: boot failed: INFO: task hung in add_early_randomness run #2: boot failed: INFO: task hung in add_early_randomness run #3: boot failed: INFO: task hung in add_early_randomness run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 932c2989b59008e530ffcc7c7e6ef507a28b28ca Bisecting: 888 revisions left to test after this (roughly 10 steps) [71e80720dbf0f08c6979e54f21ddaa5735ce742d] Merge tag 'kbuild-v5.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild testing commit 71e80720dbf0f08c6979e54f21ddaa5735ce742d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3c8ebdc616e07ab2f223756ba2afcddc18d3e7fe913c5a6d876dbc6b54a05981 run #0: boot failed: INFO: task hung in add_early_randomness run #1: boot failed: INFO: task hung in add_early_randomness run #2: boot failed: INFO: task hung in add_early_randomness run #3: boot failed: INFO: task hung in add_early_randomness run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 71e80720dbf0f08c6979e54f21ddaa5735ce742d Bisecting: 444 revisions left to test after this (roughly 9 steps) [6e3f3c239ee547c5b55a85f467c92a6ba7eee83a] drm/i915/gt: Fix memory leaks in per-gt sysfs testing commit 6e3f3c239ee547c5b55a85f467c92a6ba7eee83a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: bd9187505083c9361848fb23e0cfc4d88824acd7118599aad2748552d8e8c403 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: basic kernel testing failed: BUG: program execution failed: executor NUM: exit status NUM run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 6e3f3c239ee547c5b55a85f467c92a6ba7eee83a Bisecting: 223 revisions left to test after this (roughly 8 steps) [cc2fb31d49f8956283e7cd25face1327dcfa4c16] Merge tag 'loongarch-fixes-5.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/chenhuacai/linux-loongson testing commit cc2fb31d49f8956283e7cd25face1327dcfa4c16 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: ce0d476e6a3b3a3734e526b4d5d2e24559a18ea4761ee8b38d0a3ddc69e3a7a2 all runs: OK # git bisect good cc2fb31d49f8956283e7cd25face1327dcfa4c16 Bisecting: 111 revisions left to test after this (roughly 7 steps) [ff872b76b3d89a09a997cc45c133e4a3ddc12f90] Merge tag 'for-5.19-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux testing commit ff872b76b3d89a09a997cc45c133e4a3ddc12f90 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 3ee01064a5a0e5bc8946273469ba31e583be755c91fe8d1018afcf2e39c0cd9b all runs: OK # git bisect good ff872b76b3d89a09a997cc45c133e4a3ddc12f90 Bisecting: 60 revisions left to test after this (roughly 6 steps) [12378a5a75e33f34f8586706eb61cca9e6d4690c] net: openvswitch: fix parsing of nw_proto for IPv6 fragments testing commit 12378a5a75e33f34f8586706eb61cca9e6d4690c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 2775eb0b99d8ff29783db93c2f464c94868ebbb148efdd958cab81a78569f016 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK # git bisect good 12378a5a75e33f34f8586706eb61cca9e6d4690c Bisecting: 27 revisions left to test after this (roughly 5 steps) [ddfe80311b81a83d3fde7e59fddc6aa822a5188d] Merge tag 'sound-5.19-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound testing commit ddfe80311b81a83d3fde7e59fddc6aa822a5188d compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 349d4f923dcea43513eeab88820c514bebe51e1120b02ee504d56f9cb8d9443b all runs: OK # git bisect good ddfe80311b81a83d3fde7e59fddc6aa822a5188d Bisecting: 13 revisions left to test after this (roughly 4 steps) [0e597e2affb90d6ea48df6890d882924acf71e19] net: dp83822: disable rx error interrupt testing commit 0e597e2affb90d6ea48df6890d882924acf71e19 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: a647f944389de760195b7bd6f0f6648e625294f478a60217524c59e1aac42e89 all runs: OK # git bisect good 0e597e2affb90d6ea48df6890d882924acf71e19 Bisecting: 6 revisions left to test after this (roughly 3 steps) [76b39b94382f9e0a639e1c70c3253de248cc4c83] net/sched: act_api: Notify user space if any actions were flushed before error testing commit 76b39b94382f9e0a639e1c70c3253de248cc4c83 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 8013af85e89e45cf01c7767333a7ba8c2dfd9ca3c5be38766454abb771b33458 run #0: basic kernel testing failed: BUG: program execution failed: executor NUM: failed to write control pipe: write |NUM: broken pipe run #1: crashed: INFO: task hung in addrconf_dad_work run #2: crashed: INFO: task hung in addrconf_dad_work run #3: crashed: INFO: task hung in regdb_fw_cb run #4: crashed: INFO: task hung in addrconf_dad_work run #5: crashed: INFO: task hung in addrconf_dad_work run #6: crashed: INFO: task hung in linkwatch_event run #7: crashed: INFO: task hung in linkwatch_event run #8: crashed: INFO: task hung in addrconf_dad_work run #9: crashed: INFO: task hung in crda_timeout_work # git bisect bad 76b39b94382f9e0a639e1c70c3253de248cc4c83 Bisecting: 3 revisions left to test after this (roughly 2 steps) [853a7614880231747040cada91d2b8d2e995c51a] tunnels: do not assume mac header is set in skb_tunnel_check_pmtu() testing commit 853a7614880231747040cada91d2b8d2e995c51a compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: 89f0e9cf4609e7ec3a844175bdc7173ffaa04a46d85f01f5fb4ac290a9899d69 all runs: OK # git bisect good 853a7614880231747040cada91d2b8d2e995c51a Bisecting: 1 revision left to test after this (roughly 1 step) [a8fc8cb5692aebb9c6f7afd4265366d25dcd1d01] net: tun: stop NAPI when detaching queues testing commit a8fc8cb5692aebb9c6f7afd4265366d25dcd1d01 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: cdb0876cdb50866364078e6104a5a890978c2fd1b7467d009944b3b45656551d run #0: crashed: INFO: task hung in regdb_fw_cb run #1: crashed: INFO: task hung in addrconf_dad_work run #2: crashed: INFO: task hung in addrconf_dad_work run #3: crashed: INFO: task hung in crda_timeout_work run #4: crashed: INFO: task hung in addrconf_dad_work run #5: crashed: INFO: task hung in regdb_fw_cb run #6: crashed: INFO: task hung in addrconf_dad_work run #7: crashed: INFO: task hung in regdb_fw_cb run #8: crashed: INFO: task hung in linkwatch_event run #9: crashed: INFO: task hung in addrconf_dad_work # git bisect bad a8fc8cb5692aebb9c6f7afd4265366d25dcd1d01 Bisecting: 0 revisions left to test after this (roughly 0 steps) [cb8092d70a6f5f01ec1490fce4d35efed3ed996c] tipc: move bc link creation back to tipc_node_create testing commit cb8092d70a6f5f01ec1490fce4d35efed3ed996c compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2 kernel signature: dbeff30f6fc2d71071cbd84bfb7a7393e2b4fbc83facf4eb393d0ec5fb4adfc4 all runs: OK # git bisect good cb8092d70a6f5f01ec1490fce4d35efed3ed996c a8fc8cb5692aebb9c6f7afd4265366d25dcd1d01 is the first bad commit commit a8fc8cb5692aebb9c6f7afd4265366d25dcd1d01 Author: Jakub Kicinski Date: Wed Jun 22 21:21:05 2022 -0700 net: tun: stop NAPI when detaching queues While looking at a syzbot report I noticed the NAPI only gets disabled before it's deleted. I think that user can detach the queue before destroying the device and the NAPI will never be stopped. Fixes: 943170998b20 ("tun: enable NAPI for TUN/TAP driver") Acked-by: Petar Penkov Link: https://lore.kernel.org/r/20220623042105.2274812-1-kuba@kernel.org Signed-off-by: Jakub Kicinski drivers/net/tun.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) culprit signature: cdb0876cdb50866364078e6104a5a890978c2fd1b7467d009944b3b45656551d parent signature: dbeff30f6fc2d71071cbd84bfb7a7393e2b4fbc83facf4eb393d0ec5fb4adfc4 revisions tested: 16, total time: 4h28m46.222798976s (build: 1h46m12.881617927s, test: 2h40m55.963528662s) first bad commit: a8fc8cb5692aebb9c6f7afd4265366d25dcd1d01 net: tun: stop NAPI when detaching queues recipients (to): ["davem@davemloft.net" "edumazet@google.com" "kuba@kernel.org" "kuba@kernel.org" "netdev@vger.kernel.org" "pabeni@redhat.com" "ppenkov@aviatrix.com"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: INFO: task hung in addrconf_dad_work INFO: task kworker/0:0:6 blocked for more than 143 seconds. Not tainted 5.19.0-rc3-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/0:0 state:D stack:27360 pid: 6 ppid: 2 flags:0x00004000 Workqueue: ipv6_addrconf addrconf_dad_work Call Trace: context_switch kernel/sched/core.c:5146 [inline] __schedule+0x9cd/0x4b20 kernel/sched/core.c:6458 schedule+0xd2/0x1f0 kernel/sched/core.c:6530 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6589 __mutex_lock_common kernel/locking/mutex.c:679 [inline] __mutex_lock+0xa70/0x1350 kernel/locking/mutex.c:747 addrconf_dad_work+0x9f/0x1080 net/ipv6/addrconf.c:4083 process_one_work+0x865/0x13d0 kernel/workqueue.c:2289 worker_thread+0x598/0xec0 kernel/workqueue.c:2436 kthread+0x299/0x340 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302 INFO: task kworker/0:1:14 blocked for more than 143 seconds. Not tainted 5.19.0-rc3-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/0:1 state:D stack:26968 pid: 14 ppid: 2 flags:0x00004000 Workqueue: events request_firmware_work_func Call Trace: context_switch kernel/sched/core.c:5146 [inline] __schedule+0x9cd/0x4b20 kernel/sched/core.c:6458 schedule+0xd2/0x1f0 kernel/sched/core.c:6530 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6589 __mutex_lock_common kernel/locking/mutex.c:679 [inline] __mutex_lock+0xa70/0x1350 kernel/locking/mutex.c:747 regdb_fw_cb.cold+0x4d/0x6e net/wireless/reg.c:1053 request_firmware_work_func+0x126/0x230 drivers/base/firmware_loader/main.c:1107 process_one_work+0x865/0x13d0 kernel/workqueue.c:2289 worker_thread+0x598/0xec0 kernel/workqueue.c:2436 kthread+0x299/0x340 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302 INFO: task kworker/1:1:27 blocked for more than 143 seconds. Not tainted 5.19.0-rc3-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/1:1 state:D stack:26480 pid: 27 ppid: 2 flags:0x00004000 Workqueue: ipv6_addrconf addrconf_dad_work Call Trace: context_switch kernel/sched/core.c:5146 [inline] __schedule+0x9cd/0x4b20 kernel/sched/core.c:6458 schedule+0xd2/0x1f0 kernel/sched/core.c:6530 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6589 __mutex_lock_common kernel/locking/mutex.c:679 [inline] __mutex_lock+0xa70/0x1350 kernel/locking/mutex.c:747 addrconf_dad_work+0x9f/0x1080 net/ipv6/addrconf.c:4083 process_one_work+0x865/0x13d0 kernel/workqueue.c:2289 worker_thread+0x598/0xec0 kernel/workqueue.c:2436 kthread+0x299/0x340 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302 INFO: task kworker/0:5:3640 blocked for more than 143 seconds. Not tainted 5.19.0-rc3-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/0:5 state:D stack:26120 pid: 3640 ppid: 2 flags:0x00004000 Workqueue: events linkwatch_event Call Trace: context_switch kernel/sched/core.c:5146 [inline] __schedule+0x9cd/0x4b20 kernel/sched/core.c:6458 schedule+0xd2/0x1f0 kernel/sched/core.c:6530 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6589 __mutex_lock_common kernel/locking/mutex.c:679 [inline] __mutex_lock+0xa70/0x1350 kernel/locking/mutex.c:747 linkwatch_event+0x5/0x50 net/core/link_watch.c:263 process_one_work+0x865/0x13d0 kernel/workqueue.c:2289 worker_thread+0x598/0xec0 kernel/workqueue.c:2436 kthread+0x299/0x340 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302 Showing all locks held in the system: 3 locks held by kworker/0:0/6: #0: ffff888025354138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff888025354138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline] #0: ffff888025354138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1280 [inline] #0: ffff888025354138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:636 [inline] #0: ffff888025354138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:663 [inline] #0: ffff888025354138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x78a/0x13d0 kernel/workqueue.c:2260 #1: ffffc900000b7db8 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x7b7/0x13d0 kernel/workqueue.c:2264 #2: ffffffff8c8ce968 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0x9f/0x1080 net/ipv6/addrconf.c:4083 3 locks held by kworker/0:1/14: #0: ffff888010c64d38 ((wq_completion)events){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff888010c64d38 ((wq_completion)events){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline] #0: ffff888010c64d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1280 [inline] #0: ffff888010c64d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:636 [inline] #0: ffff888010c64d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:663 [inline] #0: ffff888010c64d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x78a/0x13d0 kernel/workqueue.c:2260 #1: ffffc90000137db8 ((work_completion)(&fw_work->work)){+.+.}-{0:0}, at: process_one_work+0x7b7/0x13d0 kernel/workqueue.c:2264 #2: ffffffff8c8ce968 (rtnl_mutex){+.+.}-{3:3}, at: regdb_fw_cb.cold+0x4d/0x6e net/wireless/reg.c:1053 3 locks held by kworker/1:1/27: #0: ffff888025354138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff888025354138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline] #0: ffff888025354138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1280 [inline] #0: ffff888025354138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:636 [inline] #0: ffff888025354138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:663 [inline] #0: ffff888025354138 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x78a/0x13d0 kernel/workqueue.c:2260 #1: ffffc90000a2fdb8 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x7b7/0x13d0 kernel/workqueue.c:2264 #2: ffffffff8c8ce968 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0x9f/0x1080 net/ipv6/addrconf.c:4083 1 lock held by khungtaskd/29: #0: ffffffff8b17cca0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6491 2 locks held by getty/3285: #0: ffff8880178f0098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x1f/0x70 drivers/tty/tty_ldisc.c:244 #1: ffffc900015622e8 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xb14/0x1040 drivers/tty/n_tty.c:2124 3 locks held by kworker/0:4/3633: #0: ffff888010c65d38 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff888010c65d38 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline] #0: ffff888010c65d38 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1280 [inline] #0: ffff888010c65d38 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:636 [inline] #0: ffff888010c65d38 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:663 [inline] #0: ffff888010c65d38 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_one_work+0x78a/0x13d0 kernel/workqueue.c:2260 #1: ffffc90002c1fdb8 ((reg_check_chans).work){+.+.}-{0:0}, at: process_one_work+0x7b7/0x13d0 kernel/workqueue.c:2264 #2: ffffffff8c8ce968 (rtnl_mutex){+.+.}-{3:3}, at: reg_check_chans_work+0x74/0xad0 net/wireless/reg.c:2461 3 locks held by kworker/0:5/3640: #0: ffff888010c64d38 ((wq_completion)events){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff888010c64d38 ((wq_completion)events){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline] #0: ffff888010c64d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1280 [inline] #0: ffff888010c64d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:636 [inline] #0: ffff888010c64d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:663 [inline] #0: ffff888010c64d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x78a/0x13d0 kernel/workqueue.c:2260 #1: ffffc90002cffdb8 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work+0x7b7/0x13d0 kernel/workqueue.c:2264 #2: ffffffff8c8ce968 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0x5/0x50 net/core/link_watch.c:263 1 lock held by syz-executor.0/4101: ============================================= NMI backtrace for cpu 1 CPU: 1 PID: 29 Comm: khungtaskd Not tainted 5.19.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x57/0x7d lib/dump_stack.c:106 nmi_cpu_backtrace.cold+0x30/0xc0 lib/nmi_backtrace.c:111 nmi_trigger_cpumask_backtrace+0x140/0x170 lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:220 [inline] watchdog+0x891/0xc20 kernel/hung_task.c:378 kthread+0x299/0x340 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302 Sending NMI from CPU 1 to CPUs 0: NMI backtrace for cpu 0 CPU: 0 PID: 977 Comm: kworker/u4:4 Not tainted 5.19.0-rc3-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events_unbound toggle_allocation_gate RIP: 0010:flush_tlb_mm_range+0x0/0x410 arch/x86/mm/tlb.c:961 Code: 48 83 c4 08 5b c3 0f 0b 48 c7 c7 e0 50 ff 8a 48 89 34 24 e8 42 2b 80 00 48 8b 34 24 eb cf 66 66 2e 0f 1f 84 00 00 00 00 00 90 <41> 57 41 56 41 55 41 89 cd 41 54 49 89 f4 55 48 89 d5 53 48 89 fb RSP: 0018:ffffc900046c7a28 EFLAGS: 00000086 RAX: fffffffffffff000 RBX: 0000000000000007 RCX: 000000000000000c RDX: 00002aaaaaaac000 RSI: 00002aaaaaaab000 RDI: ffff88813fe68000 RBP: ffff88813fe4e558 R08: 0000000000000000 R09: ffffffff8b2b5c73 R10: fffffbfff1656b8e R11: 0000000000000001 R12: ffffffff81afa6dc R13: 0000000000000001 R14: 00000000000006dd R15: ffffffff8b2b5700 FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005581bd6d9600 CR3: 000000000ae8e000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __text_poke+0x59a/0x8e0 arch/x86/kernel/alternative.c:1100 text_poke arch/x86/kernel/alternative.c:1137 [inline] text_poke_bp_batch+0x44c/0x6d0 arch/x86/kernel/alternative.c:1483 text_poke_flush arch/x86/kernel/alternative.c:1589 [inline] text_poke_flush arch/x86/kernel/alternative.c:1586 [inline] text_poke_finish+0x16/0x30 arch/x86/kernel/alternative.c:1596 arch_jump_label_transform_apply+0x13/0x20 arch/x86/kernel/jump_label.c:146 static_key_enable_cpuslocked+0x15f/0x220 kernel/jump_label.c:177 static_key_enable+0x11/0x20 kernel/jump_label.c:190 toggle_allocation_gate mm/kfence/core.c:808 [inline] toggle_allocation_gate+0xe3/0x310 mm/kfence/core.c:800 process_one_work+0x865/0x13d0 kernel/workqueue.c:2289 worker_thread+0x598/0xec0 kernel/workqueue.c:2436 kthread+0x299/0x340 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302 ---------------- Code disassembly (best guess): 0: 48 83 c4 08 add $0x8,%rsp 4: 5b pop %rbx 5: c3 retq 6: 0f 0b ud2 8: 48 c7 c7 e0 50 ff 8a mov $0xffffffff8aff50e0,%rdi f: 48 89 34 24 mov %rsi,(%rsp) 13: e8 42 2b 80 00 callq 0x802b5a 18: 48 8b 34 24 mov (%rsp),%rsi 1c: eb cf jmp 0xffffffed 1e: 66 66 2e 0f 1f 84 00 data16 nopw %cs:0x0(%rax,%rax,1) 25: 00 00 00 00 29: 90 nop * 2a: 41 57 push %r15 <-- trapping instruction 2c: 41 56 push %r14 2e: 41 55 push %r13 30: 41 89 cd mov %ecx,%r13d 33: 41 54 push %r12 35: 49 89 f4 mov %rsi,%r12 38: 55 push %rbp 39: 48 89 d5 mov %rdx,%rbp 3c: 53 push %rbx 3d: 48 89 fb mov %rdi,%rbx