ci starts bisection 2025-07-24 01:24:27.111590126 +0000 UTC m=+16653.625829471
bisecting fixing commit since 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd
building syzkaller on 402f1df054ddb07ed5bb299d08c781354eb06607
ensuring issue is reproducible on original commit 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd

testing commit 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd gcc
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: fbd5d0665d1e0dfc147867f1f9ca4590d63e9563c1497e38ff83e379f28bd5b4
run #0: crashed: INFO: task hung in hugetlb_fault
run #1: crashed: INFO: task hung in hugetlb_fault
run #2: crashed: INFO: task hung in hugetlb_wp
run #3: crashed: INFO: task hung in hugetlb_fault
run #4: crashed: INFO: task hung in hugetlb_fault
run #5: crashed: INFO: task hung in remove_inode_hugepages
run #6: crashed: INFO: task hung in hugetlb_fault
run #7: crashed: INFO: task hung in hugetlb_fault
run #8: crashed: INFO: task hung in hugetlb_wp
run #9: crashed: INFO: task hung in hugetlb_wp
run #10: crashed: INFO: task hung in hugetlb_fault
run #11: crashed: INFO: task hung in hugetlb_wp
run #12: crashed: INFO: task hung in hugetlb_wp
run #13: crashed: INFO: task hung in hugetlb_fault
run #14: crashed: INFO: task hung in hugetlb_fault
run #15: crashed: INFO: task hung in hugetlb_fault
run #16: crashed: INFO: task hung in hugetlb_fault
run #17: crashed: INFO: task hung in hugetlb_fault
run #18: crashed: INFO: task hung in hugetlb_fault
run #19: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
check whether we can drop unnecessary instrumentation
disabling configs for [ubsan bug_or_warning kasan locking atomic_sleep memleak], they are not needed
testing commit 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd gcc
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b5ac86d2e8715ce61e0ae84610bc5e378842efbe11c2b2250eaca24f0bf06165
run #0: crashed: INFO: task hung in hugetlb_wp
run #1: crashed: INFO: task hung in hugetlb_fault
run #2: crashed: INFO: task hung in hugetlb_fault
run #3: crashed: INFO: task hung in hugetlb_fault
run #4: crashed: INFO: task hung in hugetlb_wp
run #5: crashed: INFO: task hung in hugetlb_fault
run #6: crashed: INFO: task hung in hugetlb_fault
run #7: crashed: INFO: task hung in hugetlb_fault
run #8: crashed: INFO: task hung in hugetlb_fault
run #9: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_wp, types: [HANG]
the bug reproduces without the instrumentation
disabling configs for [kasan locking atomic_sleep memleak ubsan bug_or_warning], they are not needed
kconfig minimization: base=4089 full=8192 leaves diff=2142
split chunks (needed=false): <2142>
split chunk #0 of len 2142 into 5 parts
testing without sub-chunk 1/5
disabling configs for [bug_or_warning kasan locking atomic_sleep memleak ubsan], they are not needed
testing commit 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd gcc
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 25a51b57573703a07a2d02391409820cef57216b80e313bc1f8f466f207ec87c
run #0: crashed: INFO: task hung in hugetlb_wp
run #1: crashed: INFO: task hung in hugetlb_wp
run #2: crashed: INFO: task hung in hugetlb_fault
run #3: crashed: INFO: task hung in hugetlb_fault
run #4: crashed: INFO: task hung in hugetlb_fault
run #5: crashed: INFO: task hung in hugetlb_fault
run #6: crashed: INFO: task hung in hugetlb_fault
run #7: crashed: INFO: task hung in hugetlb_fault
run #8: crashed: INFO: task hung in remove_inode_hugepages
run #9: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_wp, types: [HANG]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [memleak ubsan bug_or_warning kasan locking atomic_sleep], they are not needed
testing commit 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd gcc
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 873dde1c4f31fac7b4cbb633e3aced1e33b66769fef83f9029cf42d506f66080
all runs: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [kasan locking atomic_sleep memleak ubsan bug_or_warning], they are not needed
testing commit 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd gcc
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 2fa31c70ab5493bbd26deb63de6eecde000d766b4385dd18ed7cde96ce519493
all runs: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [memleak ubsan bug_or_warning kasan locking atomic_sleep], they are not needed
testing commit 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd gcc
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e6344247aed212751cdd85df8149bc19eedc857dad6371e1da27cff716e16c80
run #0: crashed: INFO: task hung in hugetlb_fault
run #1: crashed: INFO: task hung in hugetlb_fault
run #2: crashed: INFO: task hung in hugetlb_fault
run #3: crashed: INFO: task hung in remove_inode_hugepages
run #4: crashed: INFO: task hung in hugetlb_fault
run #5: crashed: INFO: task hung in hugetlb_fault
run #6: crashed: INFO: task hung in hugetlb_fault
run #7: crashed: INFO: task hung in hugetlb_fault
run #8: crashed: INFO: task hung in hugetlb_fault
run #9: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [locking atomic_sleep memleak ubsan bug_or_warning kasan], they are not needed
testing commit 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd gcc
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 85762c7bbf0b7e094c071496d611cc5676eaccfb82eb0d2e93d90b2f99874951
run #0: crashed: INFO: task hung in hugetlb_fault
run #1: crashed: INFO: task hung in hugetlb_fault
run #2: crashed: INFO: task hung in hugetlb_fault
run #3: crashed: INFO: task hung in hugetlb_fault
run #4: crashed: INFO: task hung in remove_inode_hugepages
run #5: crashed: INFO: task hung in hugetlb_fault
run #6: crashed: INFO: task hung in remove_inode_hugepages
run #7: crashed: INFO: task hung in hugetlb_fault
run #8: crashed: INFO: task hung in hugetlb_fault
run #9: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
the chunk can be dropped
disabling configs for [atomic_sleep memleak ubsan bug_or_warning kasan locking], they are not needed
testing current HEAD f9af7b5d9349bf92cc4d0a0baa8a151295f12f4b
testing commit f9af7b5d9349bf92cc4d0a0baa8a151295f12f4b gcc
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 732c58349e36c6f2d70011da78b8b8365013f9191916f82b976b7a5741c8d018
run #0: crashed: INFO: task hung in hugetlb_fault
run #1: crashed: INFO: task hung in hugetlb_fault
run #2: crashed: INFO: task hung in hugetlb_wp
run #3: crashed: INFO: task hung in hugetlb_fault
run #4: crashed: INFO: task hung in hugetlb_fault
run #5: crashed: INFO: task hung in remove_inode_hugepages
run #6: crashed: INFO: task hung in hugetlb_fault
run #7: crashed: INFO: task hung in hugetlb_fault
run #8: crashed: INFO: task hung in hugetlb_fault
run #9: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
crash still not fixed/happens on the oldest tested release
revisions tested: 8, total time: 3h4m16.852290765s (build: 1h43m11.618358437s, test: 1h9m50.92555092s)
crash still not fixed or there were kernel test errors
commit msg: Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
crash: INFO: task hung in hugetlb_fault
INFO: task syz.0.110:4664 blocked for more than 143 seconds.
      Not tainted 6.16.0-rc7-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.110       state:D stack:13952 pid:4664  tgid:4664  ppid:2430   task_flags:0x400040 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5397 [inline]
 __schedule+0x594/0xd20 kernel/sched/core.c:6786
 __schedule_loop kernel/sched/core.c:6864 [inline]
 schedule+0x25/0x110 kernel/sched/core.c:6879
 io_schedule+0x41/0x60 kernel/sched/core.c:7724
 folio_wait_bit_common+0x141/0x380 mm/filemap.c:1317
 __folio_lock mm/filemap.c:1675 [inline]
 folio_lock include/linux/pagemap.h:1114 [inline]
 folio_lock include/linux/pagemap.h:1110 [inline]
 __filemap_get_folio+0x1bb/0x370 mm/filemap.c:1928
 filemap_lock_folio include/linux/pagemap.h:785 [inline]
 filemap_lock_hugetlb_folio include/linux/hugetlb.h:817 [inline]
 hugetlb_fault+0x77a/0xc80 mm/hugetlb.c:6767
 handle_mm_fault+0x341/0x350 mm/memory.c:6379
 do_user_addr_fault arch/x86/mm/fault.c:1336 [inline]
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x18b/0x750 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7fc8dc497208
RSP: 002b:00007ffeceebe8c8 EFLAGS: 00010246
RAX: 0000000020000640 RBX: 0000000000000004 RCX: 006b6e696c766564
RDX: 0000000000000008 RSI: 006b6e696c766564 RDI: 0000000020000640
RBP: 00007fc8dc687a80 R08: 00007fc8dc350000 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000009 R12: 000000000000e39d
R13: 00007ffeceebe9d0 R14: 0000000000000032 R15: fffffffffffffffe
 </TASK>
INFO: task syz.0.110:4670 blocked for more than 143 seconds.
      Not tainted 6.16.0-rc7-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.110       state:D stack:14168 pid:4670  tgid:4664  ppid:2430   task_flags:0x400140 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5397 [inline]
 __schedule+0x594/0xd20 kernel/sched/core.c:6786
 __schedule_loop kernel/sched/core.c:6864 [inline]
 schedule+0x25/0x110 kernel/sched/core.c:6879
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6936
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x617/0xb10 kernel/locking/mutex.c:747
 hugetlb_wp+0x858/0xcf0 mm/hugetlb.c:6252
 hugetlb_fault+0xadc/0xc80 mm/hugetlb.c:6815
 handle_mm_fault+0x341/0x350 mm/memory.c:6379
 do_user_addr_fault arch/x86/mm/fault.c:1387 [inline]
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x21c/0x750 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0010:rep_movs_alternative+0x33/0x90 arch/x86/lib/copy_user_64.S:61
Code: 73 25 85 c9 74 0f 8a 06 88 07 48 ff c7 48 ff c6 48 ff c9 75 f1 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8b 06 <48> 89 07 48 83 c6 08 48 83 c7 08 83 e9 08 74 db 83 f9 08 73 e8 eb
RSP: 0018:ffffc90001fa7de0 EFLAGS: 00050246
RAX: 0000000000000000 RBX: 0000000000000008 RCX: 0000000000000008
RDX: 000000002001ffa0 RSI: ffffc90001fa7e10 RDI: 000000002001ff98
RBP: 000000002001ff98 R08: 0000000000080000 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000001 R12: ffffc90001fa7e10
R13: 0000000000000000 R14: 0000000020019680 R15: 0000000000006918
 copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline]
 raw_copy_to_user arch/x86/include/asm/uaccess_64.h:147 [inline]
 _inline_copy_to_user include/linux/uaccess.h:197 [inline]
 _copy_to_user+0x56/0x70 lib/usercopy.c:26
 copy_to_user include/linux/uaccess.h:225 [inline]
 msr_read+0x6a/0xf0 arch/x86/kernel/msr.c:69
 vfs_read+0xad/0x370 fs/read_write.c:570
 ksys_read+0x6e/0xf0 fs/read_write.c:715
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x6d/0x2d0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc8dc4cdff9
RSP: 002b:00007fc8dbf4f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00007fc8dc685f80 RCX: 00007fc8dc4cdff9
RDX: 0000000000018ff8 RSI: 0000000020019680 RDI: 0000000000000003
RBP: 00007fc8dc540296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fc8dc685f80 R15: 00007ffeceebe768
 </TASK>
INFO: task syz.3.109:4665 blocked for more than 143 seconds.
      Not tainted 6.16.0-rc7-syzkaller #0
      Blocked by coredump.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.3.109       state:D stack:14152 pid:4665  tgid:4665  ppid:1942   task_flags:0x40004c flags:0x00004002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5397 [inline]
 __schedule+0x594/0xd20 kernel/sched/core.c:6786
 __schedule_loop kernel/sched/core.c:6864 [inline]
 schedule+0x25/0x110 kernel/sched/core.c:6879
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6936
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x617/0xb10 kernel/locking/mutex.c:747
 remove_inode_hugepages+0x111/0x5b0 fs/hugetlbfs/inode.c:591
 hugetlbfs_evict_inode+0x2f/0x90 fs/hugetlbfs/inode.c:617
 evict+0x119/0x2a0 fs/inode.c:810
 __dentry_kill+0x6f/0x1c0 fs/dcache.c:669
 dput fs/dcache.c:911 [inline]
 dput+0x14e/0x290 fs/dcache.c:899
 __fput+0x139/0x2b0 fs/file_table.c:473
 task_work_run+0x57/0x80 kernel/task_work.c:227
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x283/0xba0 kernel/exit.c:964
 __do_sys_exit kernel/exit.c:1072 [inline]
 __se_sys_exit kernel/exit.c:1070 [inline]
 __x64_sys_exit+0x16/0x20 kernel/exit.c:1070
 x64_sys_call+0xea3/0x1730 arch/x86/include/generated/asm/syscalls_64.h:61
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x6d/0x2d0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2cf068dff9
RSP: 002b:00007f2cf00e5fe8 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
RAX: ffffffffffffffda RBX: 00007f2cf0846058 RCX: 00007f2cf068dff9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007f2cf0700296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f2cf0846058 R15: 00007ffc1ddb1e98
 </TASK>
INFO: task syz.1.114:4686 blocked for more than 143 seconds.
      Not tainted 6.16.0-rc7-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.114       state:D stack:13288 pid:4686  tgid:4686  ppid:2428   task_flags:0x400040 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5397 [inline]
 __schedule+0x594/0xd20 kernel/sched/core.c:6786
 __schedule_loop kernel/sched/core.c:6864 [inline]
 schedule+0x25/0x110 kernel/sched/core.c:6879
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6936
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x617/0xb10 kernel/locking/mutex.c:747
 hugetlb_fault+0xbd/0xc80 mm/hugetlb.c:6683
 handle_mm_fault+0x341/0x350 mm/memory.c:6379
 do_user_addr_fault arch/x86/mm/fault.c:1336 [inline]
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x18b/0x750 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7f6515517208
RSP: 002b:00007ffd54b5b838 EFLAGS: 00010246
RAX: 0000000020000640 RBX: 0000000000000004 RCX: 006b6e696c766564
RDX: 0000000000000008 RSI: 006b6e696c766564 RDI: 0000000020000640
RBP: 00007f6515707a80 R08: 00007f65153c8000 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000009 R12: 000000000000e4ae
R13: 00007ffd54b5b940 R14: 0000000000000032 R15: fffffffffffffffe
 </TASK>
INFO: task syz.1.114:4698 blocked for more than 144 seconds.
      Not tainted 6.16.0-rc7-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.114       state:D stack:13336 pid:4698  tgid:4686  ppid:2428   task_flags:0x400040 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5397 [inline]
 __schedule+0x594/0xd20 kernel/sched/core.c:6786
 __schedule_loop kernel/sched/core.c:6864 [inline]
 schedule+0x25/0x110 kernel/sched/core.c:6879
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6936
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x617/0xb10 kernel/locking/mutex.c:747
 hugetlbfs_fallocate+0x263/0x740 fs/hugetlbfs/inode.c:801
 vfs_fallocate+0x124/0x3c0 fs/open.c:341
 ksys_fallocate fs/open.c:365 [inline]
 __do_sys_fallocate fs/open.c:370 [inline]
 __se_sys_fallocate fs/open.c:368 [inline]
 __x64_sys_fallocate+0x44/0xa0 fs/open.c:368
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x6d/0x2d0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f651554dff9
RSP: 002b:00007f6514fa6038 EFLAGS: 00000246 ORIG_RAX: 000000000000011d
RAX: ffffffffffffffda RBX: 00007f6515706058 RCX: 00007f651554dff9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007f65155c0296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000400 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f6515706058 R15: 00007ffd54b5b6d8
 </TASK>
INFO: task syz.4.151:4841 blocked for more than 144 seconds.
      Not tainted 6.16.0-rc7-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.4.151       state:D stack:13952 pid:4841  tgid:4841  ppid:2439   task_flags:0x400040 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5397 [inline]
 __schedule+0x594/0xd20 kernel/sched/core.c:6786
 __schedule_loop kernel/sched/core.c:6864 [inline]
 schedule+0x25/0x110 kernel/sched/core.c:6879
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6936
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x617/0xb10 kernel/locking/mutex.c:747
 hugetlb_fault+0xbd/0xc80 mm/hugetlb.c:6683
 handle_mm_fault+0x341/0x350 mm/memory.c:6379
 do_user_addr_fault arch/x86/mm/fault.c:1336 [inline]
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x18b/0x750 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7fd6ce007208
RSP: 002b:00007ffe7df14448 EFLAGS: 00010246
RAX: 0000000020000640 RBX: 0000000000000004 RCX: 006b6e696c766564
RDX: 0000000000000008 RSI: 006b6e696c766564 RDI: 0000000020000640
RBP: 00007fd6ce1f7a80 R08: 00007fd6cdeb8000 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000009 R12: 000000000000e8ea
R13: 00007ffe7df14550 R14: 0000000000000032 R15: fffffffffffffffe
 </TASK>
INFO: task syz.4.151:4842 blocked for more than 144 seconds.
      Not tainted 6.16.0-rc7-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.4.151       state:D stack:12768 pid:4842  tgid:4841  ppid:2439   task_flags:0x400140 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5397 [inline]
 __schedule+0x594/0xd20 kernel/sched/core.c:6786
 __schedule_loop kernel/sched/core.c:6864 [inline]
 schedule+0x25/0x110 kernel/sched/core.c:6879
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6936
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x617/0xb10 kernel/locking/mutex.c:747
 hugetlbfs_fallocate+0x263/0x740 fs/hugetlbfs/inode.c:801
 vfs_fallocate+0x124/0x3c0 fs/open.c:341
 ksys_fallocate fs/open.c:365 [inline]
 __do_sys_fallocate fs/open.c:370 [inline]
 __se_sys_fallocate fs/open.c:368 [inline]
 __x64_sys_fallocate+0x44/0xa0 fs/open.c:368
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x6d/0x2d0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd6ce03dff9
RSP: 002b:00007fd6cdab7038 EFLAGS: 00000246 ORIG_RAX: 000000000000011d
RAX: ffffffffffffffda RBX: 00007fd6ce1f5f80 RCX: 00007fd6ce03dff9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007fd6ce0b0296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000400 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fd6ce1f5f80 R15: 00007ffe7df142e8
 </TASK>
INFO: task syz.3.398:5868 blocked for more than 144 seconds.
      Not tainted 6.16.0-rc7-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.3.398       state:D stack:13288 pid:5868  tgid:5868  ppid:1942   task_flags:0x400040 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5397 [inline]
 __schedule+0x594/0xd20 kernel/sched/core.c:6786
 __schedule_loop kernel/sched/core.c:6864 [inline]
 schedule+0x25/0x110 kernel/sched/core.c:6879
 io_schedule+0x41/0x60 kernel/sched/core.c:7724
 folio_wait_bit_common+0x141/0x380 mm/filemap.c:1317
 __folio_lock mm/filemap.c:1675 [inline]
 folio_lock include/linux/pagemap.h:1114 [inline]
 folio_lock include/linux/pagemap.h:1110 [inline]
 __filemap_get_folio+0x1bb/0x370 mm/filemap.c:1928
 filemap_lock_folio include/linux/pagemap.h:785 [inline]
 filemap_lock_hugetlb_folio include/linux/hugetlb.h:817 [inline]
 hugetlb_fault+0x77a/0xc80 mm/hugetlb.c:6767
 handle_mm_fault+0x341/0x350 mm/memory.c:6379
 do_user_addr_fault arch/x86/mm/fault.c:1336 [inline]
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x18b/0x750 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7f2cf0657208
RSP: 002b:00007ffc1ddb1ff8 EFLAGS: 00010246
RAX: 0000000020000640 RBX: 0000000000000004 RCX: 006b6e696c766564
RDX: 0000000000000008 RSI: 006b6e696c766564 RDI: 0000000020000640
RBP: 00007f2cf0847a80 R08: 00007f2cf0508000 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000009 R12: 0000000000010536
R13: 00007ffc1ddb2100 R14: 0000000000000032 R15: fffffffffffffffe
 </TASK>
INFO: task syz.3.398:5869 blocked for more than 144 seconds.
      Not tainted 6.16.0-rc7-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.3.398       state:D stack:14096 pid:5869  tgid:5868  ppid:1942   task_flags:0x400140 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5397 [inline]
 __schedule+0x594/0xd20 kernel/sched/core.c:6786
 __schedule_loop kernel/sched/core.c:6864 [inline]
 schedule+0x25/0x110 kernel/sched/core.c:6879
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6936
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x617/0xb10 kernel/locking/mutex.c:747
 hugetlb_wp+0x858/0xcf0 mm/hugetlb.c:6252
 hugetlb_fault+0xadc/0xc80 mm/hugetlb.c:6815
 handle_mm_fault+0x341/0x350 mm/memory.c:6379
 do_user_addr_fault arch/x86/mm/fault.c:1387 [inline]
 handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 exc_page_fault+0x21c/0x750 arch/x86/mm/fault.c:1532
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0010:rep_movs_alternative+0x33/0x90 arch/x86/lib/copy_user_64.S:61
Code: 73 25 85 c9 74 0f 8a 06 88 07 48 ff c7 48 ff c6 48 ff c9 75 f1 c3 cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8b 06 <48> 89 07 48 83 c6 08 48 83 c7 08 83 e9 08 74 db 83 f9 08 73 e8 eb
RSP: 0018:ffffc9000313bde0 EFLAGS: 00050246
RAX: 0000000000000000 RBX: 0000000000000008 RCX: 0000000000000008
RDX: 00000000200273c8 RSI: ffffc9000313be10 RDI: 00000000200273c0
RBP: 00000000200273c0 R08: 0000000000080000 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000001 R12: ffffc9000313be10
R13: 0000000000000000 R14: 0000000020019680 R15: 000000000000dd40
 copy_user_generic arch/x86/include/asm/uaccess_64.h:126 [inline]
 raw_copy_to_user arch/x86/include/asm/uaccess_64.h:147 [inline]
 _inline_copy_to_user include/linux/uaccess.h:197 [inline]
 _copy_to_user+0x56/0x70 lib/usercopy.c:26
 copy_to_user include/linux/uaccess.h:225 [inline]
 msr_read+0x6a/0xf0 arch/x86/kernel/msr.c:69
 vfs_read+0xad/0x370 fs/read_write.c:570
 ksys_read+0x6e/0xf0 fs/read_write.c:715
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x6d/0x2d0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2cf068dff9
RSP: 002b:00007f2cf0107038 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00007f2cf0845f80 RCX: 00007f2cf068dff9
RDX: 0000000000018ff8 RSI: 0000000020019680 RDI: 0000000000000003
RBP: 00007f2cf0700296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f2cf0845f80 R15: 00007ffc1ddb1e98
 </TASK>
INFO: task syz.2.426:5981 blocked for more than 144 seconds.
      Not tainted 6.16.0-rc7-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.426       state:D stack:13336 pid:5981  tgid:5980  ppid:2423   task_flags:0x400140 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5397 [inline]
 __schedule+0x594/0xd20 kernel/sched/core.c:6786
 __schedule_loop kernel/sched/core.c:6864 [inline]
 schedule+0x25/0x110 kernel/sched/core.c:6879
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6936
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x617/0xb10 kernel/locking/mutex.c:747
 hugetlbfs_fallocate+0x263/0x740 fs/hugetlbfs/inode.c:801
 vfs_fallocate+0x124/0x3c0 fs/open.c:341
 ksys_fallocate fs/open.c:365 [inline]
 __do_sys_fallocate fs/open.c:370 [inline]
 __se_sys_fallocate fs/open.c:368 [inline]
 __x64_sys_fallocate+0x44/0xa0 fs/open.c:368
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x6d/0x2d0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f523db9dff9
RSP: 002b:00007f523d61f038 EFLAGS: 00000246 ORIG_RAX: 000000000000011d
RAX: ffffffffffffffda RBX: 00007f523dd55f80 RCX: 00007f523db9dff9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007f523dc10296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000400 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f523dd55f80 R15: 00007ffcc95dc728
 </TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings

Showing all locks held in the system:
1 lock held by khungtaskd/31:
 #0: ffffffff82980700 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff82980700 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff82980700 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x36/0x120 kernel/locking/lockdep.c:6770
2 locks held by getty/846:
 #0: ffff8881066e90a0 (&tty->ldisc_sem){....}-{0:0}, at: tty_ldisc_ref_wait+0x23/0x60 drivers/tty/tty_ldisc.c:243
 #1: ffffc90001c172f0 (&ldata->atomic_read_lock){....}-{3:3}, at: n_tty_read+0x17a/0x660 drivers/tty/n_tty.c:2222
3 locks held by syz.0.110/4664:
 #0: ffff8881013f4288 (vm_lock){....}-{0:0}, at: do_user_addr_fault arch/x86/mm/fault.c:1327 [inline]
 #0: ffff8881013f4288 (vm_lock){....}-{0:0}, at: handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 #0: ffff8881013f4288 (vm_lock){....}-{0:0}, at: exc_page_fault+0x14c/0x750 arch/x86/mm/fault.c:1532
 #1: ffff8881016f47b8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlb_fault+0xbd/0xc80 mm/hugetlb.c:6683
 #2: ffff8881103e52e8 (&resv_map->rw_sema){....}-{3:3}, at: hugetlb_fault+0xc5/0xc80 mm/hugetlb.c:6690
2 locks held by syz.0.110/4670:
 #0: ffff88811e961460 (&mm->mmap_lock){....}-{3:3}, at: mmap_read_trylock include/linux/mmap_lock.h:431 [inline]
 #0: ffff88811e961460 (&mm->mmap_lock){....}-{3:3}, at: get_mmap_lock_carefully mm/mmap_lock.c:188 [inline]
 #0: ffff88811e961460 (&mm->mmap_lock){....}-{3:3}, at: lock_mm_and_find_vma+0x26/0x650 mm/mmap_lock.c:248
 #1: ffff8881016f47b8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlb_wp+0x858/0xcf0 mm/hugetlb.c:6252
1 lock held by syz.3.109/4665:
 #0: ffff8881016f47b8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: remove_inode_hugepages+0x111/0x5b0 fs/hugetlbfs/inode.c:591
2 locks held by syz.1.114/4686:
 #0: ffff88811ebb2088 (vm_lock){....}-{0:0}, at: do_user_addr_fault arch/x86/mm/fault.c:1327 [inline]
 #0: ffff88811ebb2088 (vm_lock){....}-{0:0}, at: handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 #0: ffff88811ebb2088 (vm_lock){....}-{0:0}, at: exc_page_fault+0x14c/0x750 arch/x86/mm/fault.c:1532
 #1: ffff8881016f47b8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlb_fault+0xbd/0xc80 mm/hugetlb.c:6683
3 locks held by syz.1.114/4698:
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: ksys_fallocate fs/open.c:365 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __do_sys_fallocate fs/open.c:370 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __se_sys_fallocate fs/open.c:368 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __x64_sys_fallocate+0x44/0xa0 fs/open.c:368
 #1: ffff888102a9e0c8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:869 [inline]
 #1: ffff888102a9e0c8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xce/0x740 fs/hugetlbfs/inode.c:757
 #2: ffff8881016f47b8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x263/0x740 fs/hugetlbfs/inode.c:801
2 locks held by syz.4.151/4841:
 #0: ffff888236fbef88 (vm_lock){....}-{0:0}, at: do_user_addr_fault arch/x86/mm/fault.c:1327 [inline]
 #0: ffff888236fbef88 (vm_lock){....}-{0:0}, at: handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 #0: ffff888236fbef88 (vm_lock){....}-{0:0}, at: exc_page_fault+0x14c/0x750 arch/x86/mm/fault.c:1532
 #1: ffff8881016f47b8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlb_fault+0xbd/0xc80 mm/hugetlb.c:6683
3 locks held by syz.4.151/4842:
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: ksys_fallocate fs/open.c:365 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __do_sys_fallocate fs/open.c:370 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __se_sys_fallocate fs/open.c:368 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __x64_sys_fallocate+0x44/0xa0 fs/open.c:368
 #1: ffff88810a3e4148 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:869 [inline]
 #1: ffff88810a3e4148 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xce/0x740 fs/hugetlbfs/inode.c:757
 #2: ffff8881016f47b8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x263/0x740 fs/hugetlbfs/inode.c:801
3 locks held by syz.3.398/5868:
 #0: ffff888118dc8888 (vm_lock){....}-{0:0}, at: do_user_addr_fault arch/x86/mm/fault.c:1327 [inline]
 #0: ffff888118dc8888 (vm_lock){....}-{0:0}, at: handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 #0: ffff888118dc8888 (vm_lock){....}-{0:0}, at: exc_page_fault+0x14c/0x750 arch/x86/mm/fault.c:1532
 #1: ffff8881016f40f8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlb_fault+0xbd/0xc80 mm/hugetlb.c:6683
 #2: ffff8881103e54e8 (&resv_map->rw_sema){....}-{3:3}, at: hugetlb_fault+0xc5/0xc80 mm/hugetlb.c:6690
2 locks held by syz.3.398/5869:
 #0: ffff88811e9642a0 (&mm->mmap_lock){....}-{3:3}, at: mmap_read_trylock include/linux/mmap_lock.h:431 [inline]
 #0: ffff88811e9642a0 (&mm->mmap_lock){....}-{3:3}, at: get_mmap_lock_carefully mm/mmap_lock.c:188 [inline]
 #0: ffff88811e9642a0 (&mm->mmap_lock){....}-{3:3}, at: lock_mm_and_find_vma+0x26/0x650 mm/mmap_lock.c:248
 #1: ffff8881016f40f8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlb_wp+0x858/0xcf0 mm/hugetlb.c:6252
2 locks held by syz.2.426/5980:
 #0: ffff88810478bf88 (vm_lock){....}-{0:0}, at: do_user_addr_fault arch/x86/mm/fault.c:1327 [inline]
 #0: ffff88810478bf88 (vm_lock){....}-{0:0}, at: handle_page_fault arch/x86/mm/fault.c:1476 [inline]
 #0: ffff88810478bf88 (vm_lock){....}-{0:0}, at: exc_page_fault+0x14c/0x750 arch/x86/mm/fault.c:1532
 #1: ffff8881016f40f8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlb_fault+0xbd/0xc80 mm/hugetlb.c:6683
3 locks held by syz.2.426/5981:
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: ksys_fallocate fs/open.c:365 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __do_sys_fallocate fs/open.c:370 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __se_sys_fallocate fs/open.c:368 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __x64_sys_fallocate+0x44/0xa0 fs/open.c:368
 #1: ffff88810a3e5348 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:869 [inline]
 #1: ffff88810a3e5348 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xce/0x740 fs/hugetlbfs/inode.c:757
 #2: ffff8881016f40f8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x263/0x740 fs/hugetlbfs/inode.c:801
3 locks held by syz.0.432/6567:
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: ksys_fallocate fs/open.c:365 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __do_sys_fallocate fs/open.c:370 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __se_sys_fallocate fs/open.c:368 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __x64_sys_fallocate+0x44/0xa0 fs/open.c:368
 #1: ffff88810a3e4a48 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:869 [inline]
 #1: ffff88810a3e4a48 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xce/0x740 fs/hugetlbfs/inode.c:757
 #2: ffff8881016f40f8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x263/0x740 fs/hugetlbfs/inode.c:801
3 locks held by syz.1.522/7700:
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: ksys_fallocate fs/open.c:365 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __do_sys_fallocate fs/open.c:370 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __se_sys_fallocate fs/open.c:368 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __x64_sys_fallocate+0x44/0xa0 fs/open.c:368
 #1: ffff88810b382548 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:869 [inline]
 #1: ffff88810b382548 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xce/0x740 fs/hugetlbfs/inode.c:757
 #2: ffff8881016f47b8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x263/0x740 fs/hugetlbfs/inode.c:801
3 locks held by syz.4.552/7800:
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: ksys_fallocate fs/open.c:365 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __do_sys_fallocate fs/open.c:370 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __se_sys_fallocate fs/open.c:368 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __x64_sys_fallocate+0x44/0xa0 fs/open.c:368
 #1: ffff88810b383748 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:869 [inline]
 #1: ffff88810b383748 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xce/0x740 fs/hugetlbfs/inode.c:757
 #2: ffff8881016f40f8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x263/0x740 fs/hugetlbfs/inode.c:801
3 locks held by syz.1.1751/14636:
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: ksys_fallocate fs/open.c:365 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __do_sys_fallocate fs/open.c:370 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __se_sys_fallocate fs/open.c:368 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __x64_sys_fallocate+0x44/0xa0 fs/open.c:368
 #1: ffff888102b99348 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:869 [inline]
 #1: ffff888102b99348 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xce/0x740 fs/hugetlbfs/inode.c:757
 #2: ffff8881016f47b8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x263/0x740 fs/hugetlbfs/inode.c:801
3 locks held by syz.3.1757/14641:
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: ksys_fallocate fs/open.c:365 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __do_sys_fallocate fs/open.c:370 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __se_sys_fallocate fs/open.c:368 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __x64_sys_fallocate+0x44/0xa0 fs/open.c:368
 #1: ffff888102b99c48 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:869 [inline]
 #1: ffff888102b99c48 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xce/0x740 fs/hugetlbfs/inode.c:757
 #2: ffff8881016f47b8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x263/0x740 fs/hugetlbfs/inode.c:801
3 locks held by syz.1.2557/18634:
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: ksys_fallocate fs/open.c:365 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __do_sys_fallocate fs/open.c:370 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __se_sys_fallocate fs/open.c:368 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __x64_sys_fallocate+0x44/0xa0 fs/open.c:368
 #1: ffff88810eb58148 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:869 [inline]
 #1: ffff88810eb58148 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xce/0x740 fs/hugetlbfs/inode.c:757
 #2: ffff8881016f40f8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x263/0x740 fs/hugetlbfs/inode.c:801
3 locks held by syz.3.2560/18642:
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: ksys_fallocate fs/open.c:365 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __do_sys_fallocate fs/open.c:370 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __se_sys_fallocate fs/open.c:368 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __x64_sys_fallocate+0x44/0xa0 fs/open.c:368
 #1: ffff88810eb58ec8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:869 [inline]
 #1: ffff88810eb58ec8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xce/0x740 fs/hugetlbfs/inode.c:757
 #2: ffff8881016f40f8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x263/0x740 fs/hugetlbfs/inode.c:801
3 locks held by syz.0.2685/19132:
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: ksys_fallocate fs/open.c:365 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __do_sys_fallocate fs/open.c:370 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __se_sys_fallocate fs/open.c:368 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __x64_sys_fallocate+0x44/0xa0 fs/open.c:368
 #1: ffff88810ebb1c48 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:869 [inline]
 #1: ffff88810ebb1c48 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xce/0x740 fs/hugetlbfs/inode.c:757
 #2: ffff8881016f47b8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x263/0x740 fs/hugetlbfs/inode.c:801
3 locks held by syz.4.2686/19131:
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: ksys_fallocate fs/open.c:365 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __do_sys_fallocate fs/open.c:370 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __se_sys_fallocate fs/open.c:368 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __x64_sys_fallocate+0x44/0xa0 fs/open.c:368
 #1: ffff88810ebb20c8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:869 [inline]
 #1: ffff88810ebb20c8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xce/0x740 fs/hugetlbfs/inode.c:757
 #2: ffff8881016f40f8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x263/0x740 fs/hugetlbfs/inode.c:801
3 locks held by syz.2.2756/19804:
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: ksys_fallocate fs/open.c:365 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __do_sys_fallocate fs/open.c:370 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __se_sys_fallocate fs/open.c:368 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __x64_sys_fallocate+0x44/0xa0 fs/open.c:368
 #1: ffff88810ebb29c8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:869 [inline]
 #1: ffff88810ebb29c8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xce/0x740 fs/hugetlbfs/inode.c:757
 #2: ffff8881016f47b8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x263/0x740 fs/hugetlbfs/inode.c:801
3 locks held by syz.3.2759/20726:
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: ksys_fallocate fs/open.c:365 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __do_sys_fallocate fs/open.c:370 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __se_sys_fallocate fs/open.c:368 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __x64_sys_fallocate+0x44/0xa0 fs/open.c:368
 #1: ffff88810ebb2e48 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:869 [inline]
 #1: ffff88810ebb2e48 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xce/0x740 fs/hugetlbfs/inode.c:757
 #2: ffff8881016f40f8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x263/0x740 fs/hugetlbfs/inode.c:801
3 locks held by syz.2.3023/22985:
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: ksys_fallocate fs/open.c:365 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __do_sys_fallocate fs/open.c:370 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __se_sys_fallocate fs/open.c:368 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __x64_sys_fallocate+0x44/0xa0 fs/open.c:368
 #1: ffff88810f3f8ec8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:869 [inline]
 #1: ffff88810f3f8ec8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xce/0x740 fs/hugetlbfs/inode.c:757
 #2: ffff8881016f40f8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x263/0x740 fs/hugetlbfs/inode.c:801
3 locks held by syz.1.3026/23002:
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: ksys_fallocate fs/open.c:365 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __do_sys_fallocate fs/open.c:370 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __se_sys_fallocate fs/open.c:368 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __x64_sys_fallocate+0x44/0xa0 fs/open.c:368
 #1: ffff88810f3fa0c8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:869 [inline]
 #1: ffff88810f3fa0c8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xce/0x740 fs/hugetlbfs/inode.c:757
 #2: ffff8881016f47b8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x263/0x740 fs/hugetlbfs/inode.c:801
3 locks held by syz.4.3039/23048:
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: ksys_fallocate fs/open.c:365 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __do_sys_fallocate fs/open.c:370 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __se_sys_fallocate fs/open.c:368 [inline]
 #0: ffff888102e92400 (sb_writers#13){....}-{0:0}, at: __x64_sys_fallocate+0x44/0xa0 fs/open.c:368
 #1: ffff88810f3fa9c8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:869 [inline]
 #1: ffff88810f3fa9c8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xce/0x740 fs/hugetlbfs/inode.c:757
 #2: ffff8881016f47b8 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x263/0x740 fs/hugetlbfs/inode.c:801

=============================================

NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 31 Comm: khungtaskd Not tainted 6.16.0-rc7-syzkaller #0 PREEMPT(none) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x5a/0x90 lib/dump_stack.c:120
 nmi_cpu_backtrace+0xd4/0x110 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0xd5/0x140 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:158 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:307 [inline]
 watchdog+0x652/0x690 kernel/hung_task.c:470
 kthread+0x104/0x200 kernel/kthread.c:464
 ret_from_fork+0x172/0x190 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 5014 Comm: syz.2.6064 Not tainted 6.16.0-rc7-syzkaller #0 PREEMPT(none) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:native_read_msr_safe arch/x86/include/asm/msr.h:121 [inline]
RIP: 0010:__rdmsr_safe_on_cpu+0xf/0x50 arch/x86/lib/msr-smp.c:156
Code: c7 c1 60 06 85 81 e9 00 ff ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 41 54 55 53 48 89 fb 8b 0f 0f 32 <45> 31 e4 66 90 48 c1 e2 20 48 09 c2 48 89 d5 48 89 6b 08 48 8d 7b
RSP: 0018:ffffc90004cbfcc8 EFLAGS: 00000002
RAX: 0000000000000000 RBX: ffffc90004cbfd40 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff82535404 RDI: ffffc90004cbfd40
RBP: 0000000000000246 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffc90004cbfd40
R13: 0000000000000000 R14: 0000000000000000 R15: 00000000000015e0
FS:  00007f7c8507f6c0(0000) GS:ffff8882b49e6000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002001a000 CR3: 0000000109ffa000 CR4: 00000000003506f0
Call Trace:
 <TASK>
 csd_do_func kernel/smp.c:134 [inline]
 generic_exec_single+0x7c/0x1a0 kernel/smp.c:433
 smp_call_function_single_async+0x2c/0x70 kernel/smp.c:724
 rdmsr_safe_on_cpu+0x8f/0xe0 arch/x86/lib/msr-smp.c:179
 msr_read+0x92/0xf0 arch/x86/kernel/msr.c:66
 vfs_read+0xad/0x370 fs/read_write.c:570
 ksys_read+0x6e/0xf0 fs/read_write.c:715
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x6d/0x2d0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7c855fdff9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f7c8507f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00007f7c857b5f80 RCX: 00007f7c855fdff9
RDX: 0000000000018ff8 RSI: 0000000020019680 RDI: 0000000000000003
RBP: 00007f7c85670296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f7c857b5f80 R15: 00007fff75774d38
 </TASK>