bisecting cause commit starting from 249155c20f9b0754bc1b932a33344cfb4e0c2101
building syzkaller on 7509bf360eba1461ac6059e4cacfbc29c9d2d4c7
testing commit 249155c20f9b0754bc1b932a33344cfb4e0c2101 with gcc (GCC) 8.1.0
all runs: crashed: INFO: task hung in do_exit
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
run #0: OK
run #1: crashed: INFO: task hung in do_exit
run #2: crashed: INFO: task hung in do_exit
run #3: crashed: INFO: task hung in do_exit
run #4: crashed: INFO: task hung in do_exit
run #5: crashed: INFO: task hung in do_exit
run #6: crashed: INFO: task hung in do_exit
run #7: crashed: INFO: task hung in do_exit
run #8: crashed: INFO: task hung in do_exit
run #9: crashed: INFO: task hung in do_exit
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
all runs: crashed: INFO: task hung in do_exit
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
all runs: crashed: INFO: task hung in do_exit
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
all runs: crashed: INFO: task hung in do_exit
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
all runs: crashed: INFO: task hung in do_exit
testing release v4.17
testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0
all runs: crashed: INFO: task hung in do_exit
testing release v4.16
testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0
all runs: crashed: INFO: task hung in do_exit
testing release v4.15
testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0
all runs: crashed: INFO: task hung in khugepaged
testing release v4.14
testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0
all runs: crashed: INFO: task hung in khugepaged
testing release v4.13
testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0
all runs: crashed: INFO: task hung in khugepaged
testing release v4.12
testing commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c with gcc (GCC) 8.1.0
all runs: crashed: INFO: task hung in khugepaged
testing release v4.11
testing commit a351e9b9fc24e982ec2f0e76379a49826036da12 with gcc (GCC) 7.3.0
all runs: crashed: INFO: task hung in khugepaged
testing release v4.10
testing commit c470abd4fde40ea6a0846a2beab642a578c0b8cd with gcc (GCC) 5.5.0
all runs: crashed: INFO: task hung in khugepaged
testing release v4.9
testing commit 69973b830859bc6529a7a0468ba0d80ee5117826 with gcc (GCC) 5.5.0
all runs: crashed: INFO: task hung in khugepaged
testing release v4.8
testing commit c8d2bc9bc39ebea8437fd974fdbc21847bb897a3 with gcc (GCC) 5.5.0
all runs: crashed: INFO: task hung in khugepaged
testing release v4.7
testing commit 523d939ef98fd712632d93a5a2b588e477a7565e with gcc (GCC) 5.5.0
all runs: crashed: INFO: task hung in khugepaged
testing release v4.6
testing commit 2dcd0af568b0cf583645c8a317dd12e344b1c72a with gcc (GCC) 5.5.0
all runs: crashed: INFO: task hung in khugepaged
testing release v4.5
testing commit b562e44f507e863c6792946e4e1b1449fbbac85d with gcc (GCC) 5.5.0
all runs: crashed: INFO: task hung in khugepaged
testing release v4.4
testing commit afd2ff9b7e1b367172f18ba7f693dfb62bdcb2dc with gcc (GCC) 5.5.0
all runs: crashed: INFO: task hung in khugepaged
testing release v4.3
testing commit 6a13feb9c82803e2b815eca72fa7a9f5561d7861 with gcc (GCC) 5.5.0
all runs: crashed: INFO: task hung in khugepaged
testing release v4.2
testing commit 64291f7db5bd8150a74ad2036f1037e6a0428df2 with gcc (GCC) 5.5.0
all runs: crashed: INFO: task hung in khugepaged
testing release v4.1
testing commit b953c0d234bc72e8489d3bf51a276c5c4ec85345 with gcc (GCC) 5.5.0
all runs: crashed: INFO: task hung in khugepaged
revisions tested: 23, total time: 4h49m49.639065369s (build: 1h42m58.834546106s, test: 2h59m52.351287035s)
the crash already happened on the oldest tested release
crash: INFO: task hung in khugepaged

bridge0: port 1(bridge_slave_0) entered forwarding state
bridge0: port 2(bridge_slave_1) entered forwarding state
bridge0: port 1(bridge_slave_0) entered forwarding state
bridge0: port 2(bridge_slave_1) entered forwarding state
INFO: task khugepaged:871 blocked for more than 140 seconds.
      Not tainted 4.1.0 #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
khugepaged      D ffff88012b34fc30 14560   871      2 0x00000000
 ffff88012b34fc30 0000000000000000 ffff88012b35c350 ffff88012a7086f8
 ffff88012b350000 ffff88012a7086e0 ffffffffffffffff ffff88012a7086f8
 0000000000000000 ffff88012b34fc50 ffffffff826412d2 ffff88012a7086e0
Call Trace:
 [] schedule+0x32/0x80 kernel/sched/core.c:2826
 [] rwsem_down_read_failed+0xb5/0x100 kernel/locking/rwsem-xadd.c:250
 [] call_rwsem_down_read_failed+0x14/0x30 arch/x86/lib/rwsem.S:92
 [] khugepaged_scan_mm_slot mm/huge_memory.c:2691 [inline]
 [] khugepaged_do_scan mm/huge_memory.c:2810 [inline]
 [] khugepaged+0x3d7/0x1870 mm/huge_memory.c:2847
 [] kthread+0xea/0x100 drivers/block/aoe/aoecmd.c:1312
 [] ret_from_fork+0x42/0x70 arch/x86/kernel/entry_64.S:639
INFO: lockdep is turned off.
sending NMI to all CPUs:
NMI backtrace for cpu 0
CPU: 0 PID: 6180 Comm: syz-executor.4 Not tainted 4.1.0 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801296c0350 ti: ffff8801296f4000 task.ti: ffff8801296f4000
RIP: 0010:[] [] arch_spin_lock arch/x86/include/asm/spinlock.h:106 [inline]
RIP: 0010:[] [] __mutex_unlock_common_slowpath kernel/locking/mutex.c:734 [inline]
RIP: 0010:[] [] __mutex_unlock_slowpath+0x6b/0x2a0 kernel/locking/mutex.c:760
RSP: 0018:ffff8801296f7cc8 EFLAGS: 00000082
RAX: 0000000000000286 RBX: ffff8800b1a3eac0 RCX: 0000000000000000
RDX: 0000000000009898 RSI: 0000000000000000 RDI: ffffffff8264457c
RBP: ffff8801296f7ce8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000286
R13: ffff8800b1a3eac8 R14: 0000000000000002 R15: 0000000000000000
FS: 00007fb802767700(0000) GS:ffff88012c000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd9355c6140 CR3: 000000012939b000 CR4: 00000000001407f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffff8800b1a3e800 ffff8800b1a3eac0 ffff8800b7ec4dc0 0000000000000002
 ffff8801296f7cf8 ffffffff826447c9 ffff8801296f7d68 ffffffff8126b650
 ffff8801296f7d68 ffffffff812b6d05 ffff8800b68245e8 0000000000000000
Call Trace:
 [] mutex_unlock+0x9/0x10 kernel/locking/mutex.c:437
 [] perf_mmap+0x210/0x740 kernel/events/core.c:4648
 [] mmap_region+0x3f0/0x670 mm/mmap.c:1615
 [] do_mmap_pgoff+0x317/0x400 mm/mmap.c:1391
 [] vm_mmap_pgoff+0x90/0xc0 mm/util.c:297
 [] SYSC_mmap_pgoff mm/mmap.c:1441 [inline]
 [] SyS_mmap_pgoff+0x1d7/0x280 mm/mmap.c:1399
 [] SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 [] SyS_mmap+0x16/0x30 arch/x86/kernel/sys_x86_64.c:86
 [] system_call_fastpath+0x16/0x7a
Code: 83 3d a9 13 bf 00 00 49 89 c4 0f 84 c0 01 00 00 fa 66 0f 1f 44 00 00 e8 14 c5 b7 fe 4c 8d 6b 08 ba 00 02 00 00 f0 66 0f c1 53 08 <0f> b6 ce 38 d1 0f 85 a2 01 00 00 8b 15 bc e2 c6 01 85 d2 0f 84
NMI backtrace for cpu 1
CPU: 1 PID: 867 Comm: khungtaskd Not tainted 4.1.0 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff88012b0e4b10 ti: ffff88012ad44000 task.ti: ffff88012ad44000
RIP: 0010:[] [] native_write_msr_safe+0xa/0x10 arch/x86/include/asm/msr.h:95
RSP: 0018:ffff88012ad47d08 EFLAGS: 00000082
RAX: 0000000000000400 RBX: 0000000000000001 RCX: 0000000000000830
RDX: 0000000000000001 RSI: 0000000000000400 RDI: 0000000000000830
RBP: ffff88012ad47d08 R08: 0000000000000000 R09: 0000000000000003
R10: ffff88012b0e4b10 R11: 0000000000000001 R12: ffffffff8341a808
R13: 0000000000080000 R14: 0000000000000001 R15: 000000000000a120
FS: 0000000000000000(0000) GS:ffff88012c100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000625208 CR3: 000000012939b000 CR4: 00000000001407e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffff88012ad47d68 ffffffff810c502f ffff88012ad47d78 0000000000000296
 000000022b35c350 0000000000000002 ffff88012ad47d88 0000000000000040
 000000000000d3c0 0000000000000001 ffff88012b35c350 000000000000008c
Call Trace:
 [] paravirt_write_msr arch/x86/include/asm/paravirt.h:133 [inline]
 [] native_x2apic_icr_write arch/x86/include/asm/apic.h:168 [inline]
 [] __x2apic_send_IPI_dest arch/x86/include/asm/x2apic.h:26 [inline]
 [] __x2apic_send_IPI_mask+0x10f/0x1a0 arch/x86/kernel/apic/x2apic_phys.c:52
 [] x2apic_send_IPI_mask+0xe/0x10 arch/x86/kernel/apic/x2apic_cluster.c:79
 [] arch_trigger_all_cpu_backtrace+0x33d/0x350 arch/x86/kernel/apic/hw_nmi.c:89
 [] trigger_all_cpu_backtrace include/linux/nmi.h:43 [inline]
 [] check_hung_task kernel/hung_task.c:125 [inline]
 [] check_hung_uninterruptible_tasks kernel/hung_task.c:182 [inline]
 [] watchdog+0x47e/0x6c0 kernel/hung_task.c:238
 [] kthread+0xea/0x100 drivers/block/aoe/aoecmd.c:1312
 [] ret_from_fork+0x42/0x70 arch/x86/kernel/entry_64.S:639
Code: 00 55 89 f9 48 89 e5 0f 32 45 31 c0 48 89 d7 44 89 06 89 c6 5d 48 c1 e7 20 48 89 f8 48 09 f0 c3 90 55 89 f0 89 f9 48 89 e5 0f 30 <31> c0 5d c3 66 90 55 89 f9 48 89 e5 0f 33 48 89 d7 89 c1 5d 48