bisecting fixing commit since 9ebcfadb0610322ac537dd7aa5d9cbc2b2894c68
building syzkaller on 917afeaa705dfdebeebcd674db3bcba279241d5e
testing commit 9ebcfadb0610322ac537dd7aa5d9cbc2b2894c68 with gcc (GCC) 8.4.1 20210217
kernel signature: 9420adc3f6d9b5c4946c3e43327eceb41f0270a2135318f24793a7190ee24f4e
all runs: crashed: INFO: task hung in synchronize_rcu
testing current HEAD d19cc4bfbff1ae72c3505a00fb8ce0d3fa519e6c
testing commit d19cc4bfbff1ae72c3505a00fb8ce0d3fa519e6c with gcc (GCC) 10.2.1 20210217
kernel signature: e7e4acfc966c57a067c7376b2a405a22fa1b00a5c1685541116afc4c840001df
all runs: crashed: INFO: task hung in synchronize_rcu
revisions tested: 2, total time: 27m43.49196252s (build: 12m30.729987376s, test: 14m9.874307178s)
the crash still happens on HEAD
commit msg: Merge tag 'trace-v5.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace
crash: INFO: task hung in synchronize_rcu

INFO: task kworker/u4:0:7 blocked for more than 143 seconds.
      Not tainted 5.12.0-rc5-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u4:0 state:D stack:26448 pid: 7 ppid: 2 flags:0x00004000
Workqueue: events_unbound fsnotify_connector_destroy_workfn
Call Trace:
 context_switch kernel/sched/core.c:4322 [inline]
 __schedule+0xf86/0x2180 kernel/sched/core.c:5073
 schedule+0xcf/0x270 kernel/sched/core.c:5152
 schedule_timeout+0x19d/0x210 kernel/time/timer.c:1868
 do_wait_for_common kernel/sched/completion.c:85 [inline]
 __wait_for_common kernel/sched/completion.c:106 [inline]
 wait_for_common kernel/sched/completion.c:117 [inline]
 wait_for_completion+0x168/0x270 kernel/sched/completion.c:138
 __synchronize_srcu+0x1a6/0x280 kernel/rcu/srcutree.c:935
 fsnotify_connector_destroy_workfn+0x4a/0xa0 fs/notify/mark.c:164
 process_one_work+0x84c/0x13b0 kernel/workqueue.c:2275
 worker_thread+0x598/0xf80 kernel/workqueue.c:2421
 kthread+0x36f/0x450 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

INFO: task kworker/u4:1:24 blocked for more than 143 seconds.
      Not tainted 5.12.0-rc5-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u4:1 state:D stack:26528 pid: 24 ppid: 2 flags:0x00004000
Workqueue: events_unbound fsnotify_mark_destroy_workfn
Call Trace:
 context_switch kernel/sched/core.c:4322 [inline]
 __schedule+0xf86/0x2180 kernel/sched/core.c:5073
 schedule+0xcf/0x270 kernel/sched/core.c:5152
 schedule_timeout+0x19d/0x210 kernel/time/timer.c:1868
 do_wait_for_common kernel/sched/completion.c:85 [inline]
 __wait_for_common kernel/sched/completion.c:106 [inline]
 wait_for_common kernel/sched/completion.c:117 [inline]
 wait_for_completion+0x168/0x270 kernel/sched/completion.c:138
 __synchronize_srcu+0x1a6/0x280 kernel/rcu/srcutree.c:935
 fsnotify_mark_destroy_workfn+0xeb/0x330 fs/notify/mark.c:836
 process_one_work+0x84c/0x13b0 kernel/workqueue.c:2275
 worker_thread+0x598/0xf80 kernel/workqueue.c:2421
 kthread+0x36f/0x450 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

INFO: task khugepaged:1189 blocked for more than 144 seconds.
      Not tainted 5.12.0-rc5-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:khugepaged state:D stack:24312 pid: 1189 ppid: 2 flags:0x00004000
Call Trace:
 context_switch kernel/sched/core.c:4322 [inline]
 __schedule+0xf86/0x2180 kernel/sched/core.c:5073
 schedule+0xcf/0x270 kernel/sched/core.c:5152
 schedule_timeout+0x19d/0x210 kernel/time/timer.c:1868
 do_wait_for_common kernel/sched/completion.c:85 [inline]
 __wait_for_common kernel/sched/completion.c:106 [inline]
 wait_for_common kernel/sched/completion.c:117 [inline]
 wait_for_completion+0x168/0x270 kernel/sched/completion.c:138
 __flush_work+0x424/0x910 kernel/workqueue.c:3052
 lru_add_drain_all+0x30a/0x530 mm/swap.c:826
 khugepaged_do_scan mm/khugepaged.c:2213 [inline]
 khugepaged+0xdf/0x2d50 mm/khugepaged.c:2274
 kthread+0x36f/0x450 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Showing all locks held in the system:
2 locks held by kworker/u4:0/7:
 #0: ffff888100071138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 ffff888100071138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 ffff888100071138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 ffff888100071138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:616 [inline]
 ffff888100071138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 ffff888100071138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x771/0x13b0 kernel/workqueue.c:2246
 #1: ffffc9000008fdb0 (connector_reaper_work){+.+.}-{0:0}, at: process_one_work+0x79e/0x13b0 kernel/workqueue.c:2250
2 locks held by kworker/u4:1/24:
 #0: ffff888100071138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: ffff888100071138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: ffff888100071138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: ffff888100071138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:616 [inline]
 #0: ffff888100071138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline]
 #0: ffff888100071138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x771/0x13b0 kernel/workqueue.c:2246
 #1: ffffc900001b7db0 ((reaper_work).work){+.+.}-{0:0}, at: process_one_work+0x79e/0x13b0 kernel/workqueue.c:2250
2 locks held by kworker/u4:2/48:
1 lock held by khungtaskd/1172:
 #0: ffffffff894c3880 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x260 kernel/locking/lockdep.c:6327
1 lock held by khugepaged/1189:
 #0: ffffffff8954f028 (lock#5){+.+.}-{3:3}, at: lru_add_drain_all+0x55/0x530 mm/swap.c:777
1 lock held by systemd-udevd/3528:
1 lock held by in:imklog/5875:
 #0: ffff888117c026b0 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x9c/0xb0 fs/file.c:961
6 locks held by kworker/1:3/6277:

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 1172 Comm: khungtaskd Not tainted 5.12.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x10c/0x14b lib/dump_stack.c:120
 nmi_cpu_backtrace.cold+0x30/0x99 lib/nmi_backtrace.c:105
 nmi_trigger_cpumask_backtrace+0x11f/0x170 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:209 [inline]
 watchdog+0x956/0xc30 kernel/hung_task.c:294
 kthread+0x36f/0x450 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 3528 Comm: systemd-udevd Not tainted 5.12.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:tomoyo_domain_quota_is_ok+0x31e/0x450 security/tomoyo/util.c:1068
Code: fd 7a fe eb d2 48 8d 7d 1a 48 89 f8 48 89 fa 48 c1 e8 03 83 e2 07 42 0f b6 04 20 38 d0 7f b8 84 c0 74 b4 e8 d4 fd 7a fe eb ad <48> 8d 7d 1a 48 89 f8 48 c1 e8 03 42 0f b6 14 20 48 89 f8 83 e0 07
RSP: 0018:ffffc900003578a8 EFLAGS: 00000293
RAX: 0000000000000000 RBX: 00000000000003e3 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff88810f81a099
RBP: ffff88810f81a080 R08: ffffc90000357bbc R09: ffffffff8c4e3f27
R10: fffffbfff189c7e4 R11: 000000000006a085 R12: dffffc0000000000
R13: ffffc90000357b70 R14: ffff88810e160a00 R15: ffff88810e160a10
FS:  00007f71a418c8c0(0000) GS:ffff8881f6500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd944a35010 CR3: 0000000110999006 CR4: 00000000001706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 tomoyo_supervisor+0x29d/0xc00 security/tomoyo/common.c:2089
 tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
 tomoyo_path_permission security/tomoyo/file.c:587 [inline]
 tomoyo_path_permission+0x23d/0x330 security/tomoyo/file.c:573
 tomoyo_path_perm+0x27f/0x340 security/tomoyo/file.c:838
 security_inode_getattr+0xab/0x100 security/security.c:1288
 vfs_getattr fs/stat.c:131 [inline]
 vfs_statx+0xe8/0x2e0 fs/stat.c:199
 vfs_fstatat fs/stat.c:217 [inline]
 vfs_lstat include/linux/fs.h:3240 [inline]
 __do_sys_newlstat+0x85/0xe0 fs/stat.c:372
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f71a2ffe335
Code: 69 db 2b 00 64 c7 00 16 00 00 00 b8 ff ff ff ff c3 0f 1f 40 00 83 ff 01 48 89 f0 77 30 48 89 c7 48 89 d6 b8 06 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 03 f3 c3 90 48 8b 15 31 db 2b 00 f7 d8 64 89
RSP: 002b:00007fff044291a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000006
RAX: ffffffffffffffda RBX: 000055d7d73108f0 RCX: 00007f71a2ffe335
RDX: 00007fff044291e0 RSI: 00007fff044291e0 RDI: 000055d7d730f8f0
RBP: 00007fff044292a0 R08: 00007f71a32bd178 R09: 0000000000001010
R10: 00007f71a32bcb58 R11: 0000000000000246 R12: 000055d7d730f8f0
R13: 000055d7d730f915 R14: 000055d7d73117b4 R15: 000055d7d73117b5