ci starts bisection 2024-10-10 14:48:41.780577286 +0000 UTC m=+5751.478772383
bisecting cause commit starting from 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd
building syzkaller on 402f1df054ddb07ed5bb299d08c781354eb06607
ensuring issue is reproducible on original commit 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd
testing commit 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 399c62e3e392c46b0e26c08aeec0c999e0365e00c9d4675da3896e4575784bc9
run #0: crashed: INFO: task hung in hugetlb_fault
run #1: crashed: INFO: task hung in remove_inode_hugepages
run #2: crashed: INFO: task hung in hugetlb_wp
run #3: crashed: INFO: task hung in hugetlb_fault
run #4: crashed: INFO: task hung in hugetlb_wp
run #5: crashed: INFO: task hung in hugetlb_fault
run #6: crashed: INFO: task hung in hugetlb_wp
run #7: crashed: INFO: task hung in hugetlb_fault
run #8: crashed: INFO: task hung in hugetlb_wp
run #9: crashed: INFO: task hung in hugetlb_wp
run #10: crashed: INFO: task hung in remove_inode_hugepages
run #11: crashed: INFO: task hung in hugetlb_fault
run #12: crashed: INFO: task hung in hugetlb_fault
run #13: crashed: INFO: task hung in remove_inode_hugepages
run #14: crashed: INFO: task hung in hugetlb_fault
run #15: crashed: INFO: task hung in hugetlb_fault
run #16: crashed: INFO: task hung in hugetlb_fault
run #17: crashed: INFO: task hung in hugetlb_fault
run #18: crashed: INFO: task hung in hugetlb_fault
run #19: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
check whether we can drop unnecessary instrumentation
disabling configs for [LOCKDEP ATOMIC_SLEEP LEAK UBSAN BUG KASAN], they are not needed
testing commit 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b53b8de04d3d89df69382404bc9ba248f1bd07a43db220c179b8d8628cd4d902
run #0: crashed: INFO: task hung in hugetlb_wp
run #1: crashed: INFO: task hung in hugetlb_wp
run #2: crashed: INFO: task hung in hugetlb_fault
run #3: crashed: INFO: task hung in hugetlb_fault
run #4: crashed: INFO: task hung in hugetlb_fault
run #5: crashed: INFO: task hung in hugetlb_fault
run #6: crashed: INFO: task hung in hugetlb_fault
run #7: crashed: INFO: task hung in hugetlb_fault
run #8: crashed: INFO: task hung in hugetlb_fault
run #9: crashed: INFO: task hung in hugetlb_wp
representative crash: INFO: task hung in hugetlb_wp, types: [HANG]
the bug reproduces without the instrumentation
disabling configs for [ATOMIC_SLEEP LEAK UBSAN BUG KASAN LOCKDEP], they are not needed
kconfig minimization: base=4046 full=8192 leaves diff=2108
split chunks (needed=false): <2108>
split chunk #0 of len 2108 into 5 parts
testing without sub-chunk 1/5
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 12bef0f8dd2b60130df05e380cdc155e18a6286358ccb2df3fe3e91213008673
run #0: crashed: INFO: task hung in hugetlb_fault
run #1: crashed: INFO: task hung in remove_inode_hugepages
run #2: crashed: INFO: task hung in hugetlb_fault
run #3: crashed: INFO: task hung in hugetlb_fault
run #4: crashed: INFO: task hung in hugetlb_fault
run #5: crashed: INFO: task hung in hugetlb_fault
run #6: crashed: INFO: task hung in hugetlb_fault
run #7: crashed: INFO: task hung in hugetlb_wp
run #8: crashed: INFO: task hung in remove_inode_hugepages
run #9: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
the chunk can be dropped
testing without sub-chunk 2/5
disabling configs for [BUG KASAN LOCKDEP ATOMIC_SLEEP LEAK UBSAN], they are not needed
testing commit 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 772f296dcc7e29869c3cee08c42b500dc904859b4d5365060066e2a223422f62
run #0: crashed: INFO: task hung in hugetlb_fault
run #1: crashed: INFO: task hung in remove_inode_hugepages
run #2: crashed: INFO: task hung in hugetlb_fault
run #3: crashed: INFO: task hung in hugetlb_fault
run #4: crashed: INFO: task hung in hugetlb_fault
run #5: crashed: INFO: task hung in hugetlb_fault
run #6: crashed: INFO: task hung in hugetlb_fault
run #7: crashed: INFO: task hung in hugetlb_fault
run #8: crashed: INFO: task hung in hugetlb_wp
run #9: crashed: INFO: task hung in remove_inode_hugepages
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
the chunk can be dropped
testing without sub-chunk 3/5
disabling configs for [ATOMIC_SLEEP LEAK UBSAN BUG KASAN LOCKDEP], they are not needed
testing commit 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9aeac9eb3ae7086ba503f001a57cf34cda039f989d5c23c55ad085c62826bdb7
run #0: crashed: INFO: task hung in hugetlb_fault
run #1: crashed: INFO: task hung in hugetlb_fault
run #2: crashed: INFO: task hung in remove_inode_hugepages
run #3: crashed: INFO: task hung in hugetlb_fault
run #4: crashed: INFO: task hung in hugetlb_fault
run #5: crashed: INFO: task hung in hugetlb_fault
run #6: crashed: INFO: task hung in hugetlb_fault
run #7: crashed: INFO: task hung in hugetlb_fault
run #8: crashed: INFO: task hung in hugetlb_fault
run #9: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
the chunk can be dropped
testing without sub-chunk 4/5
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 37dbf35d82ac009bd719ce2999dbc24fea8fd1e26c0196c6722325a1647a7d48
all runs: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
the chunk can be dropped
testing without sub-chunk 5/5
disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP LEAK UBSAN BUG], they are not needed
testing commit 87d6aab2389e5ce0197d8257d5f8ee965a67c4cd gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8b3a9b4000dbec8c42ae967585aab77b42d044926538d3342a26dcff5c3af834
run #0: crashed: INFO: task hung in hugetlb_fault
run #1: crashed: INFO: task hung in hugetlb_fault
run #2: crashed: INFO: task hung in hugetlb_fault
run #3: crashed: INFO: task hung in hugetlb_fault
run #4: crashed: INFO: task hung in hugetlb_fault
run #5: crashed: INFO: task hung in hugetlb_fault
run #6: crashed: INFO: task hung in hugetlb_fault
run #7: crashed: INFO: task hung in hugetlb_fault
run #8: crashed: INFO: task hung in hugetlb_wp
run #9: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
the chunk can be dropped
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
picked [v6.11 v6.10 v6.9 v6.7 v6.5 v6.3 v6.1 v5.19 v5.16 v5.13 v5.10 v5.7 v5.4 v5.1 v4.19] out of 34 release tags
testing release v6.11
testing commit 98f7e32f20d28ec452afb208f9cffc08448a2652 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f2f4276be7037961f505ec789e5f9fb12bc9ffef727260d5859b440ca87c33c6
run #0: crashed: INFO: task hung in hugetlb_fault
run #1: crashed: INFO: task hung in hugetlb_fault
run #2: crashed: INFO: task hung in remove_inode_hugepages
run #3: crashed: INFO: task hung in hugetlb_fault
run #4: crashed: INFO: task hung in hugetlb_fault
run #5: crashed: INFO: task hung in hugetlb_wp
run #6: crashed: INFO: task hung in hugetlb_fault
run #7: crashed: INFO: task hung in hugetlb_fault
run #8: crashed: INFO: task hung in hugetlb_fault
run #9: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
testing release v6.10
testing commit 0c3836482481200ead7b416ca80c68a29cfdaabd gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9d708bf9eada42cee8ea7f72c4aeb7378feaed9377e409142432b12e9ee2ff65
all runs: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
testing release v6.9
testing commit a38297e3fb012ddfa7ce0321a7e5a8daeb1872b6 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 0c195c4edd85c23c96484bb0b0d8d2eb7739db8c3b1c108422ccfc1f0df95a51
run #0: crashed: INFO: task hung in remove_inode_hugepages
run #1: crashed: INFO: task hung in hugetlb_fault
run #2: crashed: INFO: task hung in hugetlb_wp
run #3: crashed: INFO: task hung in remove_inode_hugepages
run #4: crashed: INFO: task hung in hugetlb_fault
run #5: crashed: INFO: task hung in hugetlb_fault
run #6: crashed: INFO: task hung in hugetlb_fault
run #7: crashed: INFO: task hung in hugetlb_fault
run #8: crashed: INFO: task hung in hugetlb_fault
run #9: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in remove_inode_hugepages, types: [HANG]
testing release v6.7
testing commit 0dd3ee31125508cd67f7e7172247f05b7fd1753a gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8942ad7fbb9520e0193b6a992e27dbf0a29cad031392738d5d5a2b7d8f5681a9
run #0: crashed: INFO: task hung in hugetlb_fault
run #1: crashed: INFO: task hung in hugetlb_fault
run #2: crashed: INFO: task hung in hugetlb_fault
run #3: crashed: INFO: task hung in hugetlb_fault
run #4: crashed: INFO: task hung in hugetlb_fault
run #5: crashed: INFO: task hung in hugetlb_fault
run #6: crashed: INFO: task hung in hugetlb_fault
run #7: crashed: INFO: task hung in hugetlb_fault
run #8: crashed: INFO: task hung in remove_inode_hugepages
run #9: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
testing release v6.5
testing commit 2dde18cd1d8fac735875f2e4987f11817cc0bc2c gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 9de829e735f2315e3954e486f68f087344821da2ccb3252bb32bde4b500a8013
all runs: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
testing release v6.3
testing commit 457391b0380335d5e9a5babdec90ac53928b23b4 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 69e6167e730b1b8f73a6c10bfd1f06ee9c9d7f5c4f8933af4a702fa90b95cf91
all runs: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
testing release v6.1
testing commit 830b3c68c1fb1e9176028d02ef86f3cf76aa2476 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 1e56177a56aea1d01aa98d3e2356405344133df5283d9e2356a50ee95080b2b4
run #0: crashed: INFO: task hung in hugetlb_fault
run #1: crashed: INFO: task hung in hugetlb_fault
run #2: crashed: INFO: task hung in hugetlb_fault
run #3: crashed: INFO: task hung in hugetlb_fault
run #4: crashed: INFO: task hung in remove_inode_hugepages
run #5: crashed: INFO: task hung in hugetlb_fault
run #6: crashed: INFO: task hung in hugetlb_fault
run #7: crashed: INFO: task hung in hugetlb_wp
run #8: crashed: INFO: task hung in hugetlb_fault
run #9: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
testing release v5.19
testing commit 3d7cb6b04c3f3115719235cc6866b10326de34cd gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 399fbfb69a151efef4f2ec348c92b5adad2fbef1f1b7b65fe63f409e09e3a67b
run #0: crashed: INFO: task hung in hugetlb_fault
run #1: crashed: INFO: task hung in hugetlb_wp
run #2: crashed: INFO: task hung in hugetlb_fault
run #3: crashed: INFO: task hung in hugetlb_fault
run #4: crashed: INFO: task hung in hugetlb_fault
run #5: crashed: INFO: task hung in hugetlb_fault
run #6: crashed: INFO: task hung in hugetlb_fault
run #7: crashed: INFO: task hung in hugetlb_wp
run #8: crashed: INFO: task hung in hugetlb_fault
run #9: OK
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
testing release v5.16
testing commit df0cc57e057f18e44dac8e6c18aba47ab53202f9 gcc
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 34d7990b39bc79a10ae9f80e6d7b35842803fe4b913915e609f06e58ec953d77
run #0: crashed: INFO: task hung in hugetlb_cow
run #1: crashed: INFO: task hung in hugetlb_fault
run #2: crashed: INFO: task hung in hugetlb_cow
run #3: crashed: INFO: task hung in hugetlb_fault
run #4: crashed: INFO: task hung in hugetlb_cow
run #5: crashed: INFO: task hung in hugetlb_fault
run #6: crashed: INFO: task hung in hugetlb_cow
run #7: crashed: INFO: task hung in hugetlb_cow
run #8: crashed: INFO: task hung in hugetlb_cow
run #9: OK
representative crash: INFO: task hung in hugetlb_cow, types: [HANG]
testing release v5.13
testing commit 62fb9874f5da54fdb243003b386128037319b219 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: df4734e516647615c4deb13ab9f8ce7d278653c5db0aa5d8d05a27fedfb6103d
run #0: crashed: INFO: task hung in hugetlb_fault
run #1: crashed: INFO: task hung in hugetlb_fault
run #2: crashed: INFO: task hung in hugetlb_fault
run #3: crashed: INFO: task hung in hugetlb_fault
run #4: crashed: INFO: task hung in hugetlb_fault
run #5: crashed: INFO: task hung in hugetlb_fault
run #6: crashed: INFO: task hung in hugetlb_cow
run #7: crashed: INFO: task hung in hugetlb_cow
run #8: crashed: INFO: task hung in hugetlb_cow
run #9: crashed: INFO: task hung in hugetlb_cow
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
testing release v5.10
testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e3b62a10fb5f943778cc6f8554f64edb383a81003ce63a72b4ddbd17ca68cec0
all runs: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 gcc
compiler: gcc version 8.4.1 20210217 (GCC), GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 548b4ba1d00fc839d199fe1f553e14a4b033be426f35383b47e513f7b96f660c
all runs: OK
false negative chance: 0.000
# git bisect start 2c85ebc57b3e1817b6ce1a6b703928e113a90442 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162
Bisecting: 25308 revisions left to test after this (roughly 15 steps)
[47ec5303d73ea344e84f46660fff693c57641386] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
testing commit 47ec5303d73ea344e84f46660fff693c57641386 gcc
compiler: gcc (GCC) 8.4.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b3ff6fdcd201ddee1272a9958c08e238612c8048d9b4a85b23d1aea9b76164d7
run #0: crashed: INFO: task hung in hugetlb_fault
run #1: crashed: INFO: task hung in hugetlb_fault
run #2: crashed: INFO: task hung in hugetlb_fault
run #3: crashed: INFO: task hung in hugetlb_fault
run #4: crashed: INFO: task hung in hugetlb_fault
run #5: crashed: INFO: task hung in hugetlb_fault
run #6: crashed: INFO: task hung in hugetlb_cow
run #7: crashed: INFO: task hung in hugetlb_fault
run #8: crashed: INFO: task hung in hugetlb_fault
run #9: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
# git bisect bad 47ec5303d73ea344e84f46660fff693c57641386
Bisecting: 12878 revisions left to test after this (roughly 14 steps)
[4e3a16ee9148e966678bbc713579235422271a63] Merge tag 'iommu-updates-v5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu
testing commit 4e3a16ee9148e966678bbc713579235422271a63 gcc
compiler: gcc (GCC) 8.4.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 4a36844181e3f975d08e6408366bbfdc4ffc6010b45f03e58812813b794b9ca9
all runs: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
# git bisect bad 4e3a16ee9148e966678bbc713579235422271a63
Bisecting: 5764 revisions left to test after this (roughly 13 steps)
[cb8e59cc87201af93dfbb6c3dccc8fcad72a09c2] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
testing commit cb8e59cc87201af93dfbb6c3dccc8fcad72a09c2 gcc
compiler: gcc version 8.4.1 20210217 (GCC), GNU ld (GNU Binutils for Debian) 2.40
kernel signature: c9939b2018b404dbda7858834734c822008234661f2bff92f41bb6d6ffe79a6e
all runs: OK
false negative chance: 0.000
# git bisect good cb8e59cc87201af93dfbb6c3dccc8fcad72a09c2
Bisecting: 3022 revisions left to test after this (roughly 12 steps)
[084623e468d535d98f883cc2ccf2c4fdf2108556] Merge tag 'modules-for-v5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linux
testing commit 084623e468d535d98f883cc2ccf2c4fdf2108556 gcc
compiler: gcc version 8.4.1 20210217 (GCC), GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 58f4d126cd1e816592ed6587235febaee94b8d7ca8ff02f27adf98574dd1a66f
all runs: OK
false negative chance: 0.000
# git bisect good 084623e468d535d98f883cc2ccf2c4fdf2108556
Bisecting: 1408 revisions left to test after this (roughly 11 steps)
[e611c0fe318c6d6827ee2bba660fbc23cf73f7dc] Merge tag 'usb-5.8-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
testing commit e611c0fe318c6d6827ee2bba660fbc23cf73f7dc gcc
compiler: gcc (GCC) 8.4.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7ef5ceabab0f635beedba51727ee91fc39a7c7cbdf8ac3dfcd28fb17c7fcb733
all runs: OK
false negative chance: 0.000
# git bisect good e611c0fe318c6d6827ee2bba660fbc23cf73f7dc
Bisecting: 712 revisions left to test after this (roughly 10 steps)
[80ef846e9909f22ccdc2a4a6d931266cecce8b2c] Merge tag 'staging-5.8-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
testing commit 80ef846e9909f22ccdc2a4a6d931266cecce8b2c gcc
compiler: gcc (GCC) 8.4.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6d1b45adcb75813c2f1b96e016ff49d66a1845af82ad09fc7a91780499276247
all runs: OK
false negative chance: 0.000
# git bisect good 80ef846e9909f22ccdc2a4a6d931266cecce8b2c
Bisecting: 372 revisions left to test after this (roughly 9 steps)
[e8dff03aef6a76c5c9184ed1dd3c770d4ce9c885] Merge tag 'rtc-5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux
testing commit e8dff03aef6a76c5c9184ed1dd3c770d4ce9c885 gcc
compiler: gcc (GCC) 8.4.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8abd77e6f6c940d85a2ceefbe56330422373cdebfcff0f1fd824da6e2a9dcc56
all runs: OK
false negative chance: 0.000
# git bisect good e8dff03aef6a76c5c9184ed1dd3c770d4ce9c885
Bisecting: 177 revisions left to test after this (roughly 8 steps)
[20b0d06722169e6e66049c8fe6f1a48adffb79c6] Merge branch 'akpm' (patches from Andrew)
testing commit 20b0d06722169e6e66049c8fe6f1a48adffb79c6 gcc
compiler: gcc (GCC) 8.4.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 6a2c4913527f00018aa9338d48e6c98c3640402e0d7f38ef3c41e6bfdffb0204
all runs: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
# git bisect bad 20b0d06722169e6e66049c8fe6f1a48adffb79c6
Bisecting: 92 revisions left to test after this (roughly 7 steps)
[52e0ad262cd76696e8cd8510944b0bfdc0c140a9] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-next
testing commit 52e0ad262cd76696e8cd8510944b0bfdc0c140a9 gcc
compiler: gcc (GCC) 8.4.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 8abd77e6f6c940d85a2ceefbe56330422373cdebfcff0f1fd824da6e2a9dcc56
all runs: OK
false negative chance: 0.000
# git bisect good 52e0ad262cd76696e8cd8510944b0bfdc0c140a9
Bisecting: 46 revisions left to test after this (roughly 6 steps)
[a1e81f9654eef650d3ee35c94a8cab00b5cd379c] m68k: implement flush_icache_user_range
testing commit a1e81f9654eef650d3ee35c94a8cab00b5cd379c gcc
compiler: gcc (GCC) 8.4.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f6e8db1ddd795ccc7e8762aad8706cca2d54a58c5f957c273fa00fd4be34d634
run #0: crashed: INFO: task hung in hugetlb_fault
run #1: crashed: INFO: task hung in hugetlb_fault
run #2: crashed: INFO: task hung in hugetlb_fault
run #3: crashed: INFO: task hung in hugetlb_fault
run #4: crashed: INFO: task hung in hugetlb_fault
run #5: crashed: INFO: task hung in hugetlb_fault
run #6: crashed: INFO: task hung in hugetlb_cow
run #7: crashed: INFO: task hung in hugetlb_fault
run #8: crashed: INFO: task hung in hugetlb_fault
run #9: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
# git bisect bad a1e81f9654eef650d3ee35c94a8cab00b5cd379c
Bisecting: 22 revisions left to test after this (roughly 5 steps)
[ce450ebf6179acf6e90dcc090e90face215faec4] arm: fix the flush_icache_range arguments in set_fiq_handler
testing commit ce450ebf6179acf6e90dcc090e90face215faec4 gcc
compiler: gcc (GCC) 8.4.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: f6e8db1ddd795ccc7e8762aad8706cca2d54a58c5f957c273fa00fd4be34d634
run #0: crashed: INFO: task hung in hugetlb_fault
run #1: crashed: INFO: task hung in hugetlb_fault
run #2: crashed: INFO: task hung in hugetlb_fault
run #3: crashed: INFO: task hung in hugetlb_fault
run #4: crashed: INFO: task hung in hugetlb_fault
run #5: crashed: INFO: task hung in hugetlb_fault
run #6: crashed: INFO: task hung in hugetlb_fault
run #7: crashed: INFO: task hung in hugetlb_cow
run #8: crashed: INFO: task hung in hugetlb_fault
run #9: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
# git bisect bad ce450ebf6179acf6e90dcc090e90face215faec4
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[4f2f682d89d83fb6194562321d875253282d8496] lib/test_sysctl: support testing of sysctl. boot parameter
testing commit 4f2f682d89d83fb6194562321d875253282d8496 gcc
compiler: gcc (GCC) 8.4.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: 7140c653f667dbd273ee1ba37e053f6cd60f2823d469707718c8b5d0d6381e66
run #0: crashed: INFO: task hung in hugetlb_cow
run #1: crashed: INFO: task hung in hugetlb_fault
run #2: crashed: INFO: task hung in hugetlb_fault
run #3: crashed: INFO: task hung in hugetlb_cow
run #4: crashed: INFO: task hung in hugetlb_fault
run #5: crashed: INFO: task hung in hugetlb_cow
run #6: crashed: INFO: task hung in hugetlb_fault
run #7: crashed: INFO: task hung in hugetlb_fault
run #8: crashed: INFO: task hung in hugetlb_fault
run #9: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_cow, types: [HANG]
# git bisect bad 4f2f682d89d83fb6194562321d875253282d8496
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[db38d5c106dfdd7cb7207c83267d82fdf4950b61] kernel: add panic_on_taint
testing commit db38d5c106dfdd7cb7207c83267d82fdf4950b61 gcc
compiler: gcc (GCC) 8.4.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ec96f125de6ba868f4b272443fd21f3e1d3a75589ecaaa50b1d0e767e20c6edb
all runs: OK
false negative chance: 0.000
# git bisect good db38d5c106dfdd7cb7207c83267d82fdf4950b61
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[0a477e1ae21b28267b9bd8599f75c115291b1666] kernel/sysctl: support handling command line aliases
testing commit 0a477e1ae21b28267b9bd8599f75c115291b1666 gcc
compiler: gcc (GCC) 8.4.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: b7d8684eb4dfbc80c9bbbb55a5061f24cc776d5b5549488155b67c12d2988db2
run #0: crashed: INFO: task hung in hugetlb_fault
run #1: crashed: INFO: task hung in hugetlbfs_fallocate
run #2: crashed: INFO: task hung in hugetlb_fault
run #3: crashed: INFO: task hung in hugetlb_fault
run #4: crashed: INFO: task hung in hugetlb_cow
run #5: crashed: INFO: task hung in hugetlb_fault
run #6: crashed: INFO: task hung in hugetlb_fault
run #7: crashed: INFO: task hung in hugetlb_cow
run #8: crashed: INFO: task hung in hugetlb_cow
run #9: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
# git bisect bad 0a477e1ae21b28267b9bd8599f75c115291b1666
Bisecting: 0 revisions left to test after this (roughly 1 step)
[3db978d480e2843979a2b56f2f7da726f2b295b2] kernel/sysctl: support setting sysctl parameters from kernel command line
testing commit 3db978d480e2843979a2b56f2f7da726f2b295b2 gcc
compiler: gcc (GCC) 8.4.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: e546849bd5187a5c5fbd59c59dbaecdcac239b7f0a2d73cab758e41d3ba4e5e4
run #0: crashed: INFO: task hung in hugetlb_fault
run #1: crashed: INFO: task hung in hugetlb_fault
run #2: crashed: INFO: task hung in hugetlb_fault
run #3: crashed: INFO: task hung in hugetlb_fault
run #4: crashed: INFO: task hung in hugetlb_fault
run #5: crashed: INFO: task hung in hugetlb_fault
run #6: crashed: INFO: task hung in hugetlb_cow
run #7: crashed: INFO: task hung in hugetlb_fault
run #8: crashed: INFO: task hung in hugetlb_fault
run #9: crashed: INFO: task hung in hugetlb_fault
representative crash: INFO: task hung in hugetlb_fault, types: [HANG]
# git bisect bad 3db978d480e2843979a2b56f2f7da726f2b295b2
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[01f39c1c11ee5bf44a1df49e47eb53a86515b9dc] xarray.h: correct return code documentation for xa_store_{bh,irq}()
testing commit 01f39c1c11ee5bf44a1df49e47eb53a86515b9dc gcc
compiler: gcc (GCC) 8.4.1 20210217, GNU ld (GNU Binutils for Debian) 2.40
kernel signature: ec96f125de6ba868f4b272443fd21f3e1d3a75589ecaaa50b1d0e767e20c6edb
all runs: OK
false negative chance: 0.000
# git bisect good 01f39c1c11ee5bf44a1df49e47eb53a86515b9dc
3db978d480e2843979a2b56f2f7da726f2b295b2 is the first bad commit
commit 3db978d480e2843979a2b56f2f7da726f2b295b2
Author: Vlastimil Babka
Date:   Sun Jun 7 21:40:24 2020 -0700

    kernel/sysctl: support setting sysctl parameters from kernel command line

    Patch series "support setting sysctl parameters from kernel command line", v3.

    This series adds support for something that seems like many people always
    wanted but nobody added it yet, so here's the ability to set sysctl
    parameters via kernel command line options in the form of
    sysctl.vm.something=1

    The important part is Patch 1.  The second, not so important part is an
    attempt to clean up legacy one-off parameters that do the same thing as a
    sysctl.  I don't want to remove them completely for compatibility reasons,
    but with generic sysctl support the idea is to remove the one-off param
    handlers and treat the parameters as aliases for the sysctl variants.

    I have identified several parameters that mention sysctl counterparts in
    Documentation/admin-guide/kernel-parameters.txt but there might be more.
    The conversion also has varying level of success:

    - numa_zonelist_order is converted in Patch 2 together with adding the
      necessary infrastructure.  It's easy as it doesn't really do anything
      but warn on deprecated value these days.

    - hung_task_panic is converted in Patch 3, but there's a downside that
      now it only accepts 0 and 1, while previously it was any integer value

    - nmi_watchdog maps to two sysctls nmi_watchdog and hardlockup_panic, so
      there's no straightforward conversion possible

    - traceoff_on_warning is a flag without value and it would be required
      to handle that somehow in the conversion infrastructure, which seems
      pointless for a single flag

    This patch (of 5):

    A recently proposed patch to add vm_swappiness command line parameter in
    addition to existing sysctl [1] made me wonder why we don't have a general
    support for passing sysctl parameters via command line.  Googling found
    only somebody else wondering the same [2], but I haven't found any prior
    discussion with reasons why not to do this.

    Setting the vm_swappiness issue aside (the underlying issue might be
    solved in a different way), a quick search of kernel-parameters.txt shows
    there are already some that exist as both sysctl and kernel parameter -
    hung_task_panic, nmi_watchdog, numa_zonelist_order, traceoff_on_warning.

    A general mechanism would remove the need to add more of those one-offs
    and might be handy in situations where configuration by e.g.
    /etc/sysctl.d/ is impractical.

    Hence, this patch adds a new parse_args() pass that looks for parameters
    prefixed by 'sysctl.' and tries to interpret them as writes to the
    corresponding sys/ files using a temporary in-kernel procfs mount.  This
    mechanism was suggested by Eric W. Biederman [3], as it handles all
    dynamically registered sysctl tables, even though we don't handle modular
    sysctls.  Errors due to e.g. invalid parameter name or value are reported
    in the kernel log.

    The processing is hooked right before the init process is loaded, as some
    handlers might be more complicated than simple setters and might need
    some subsystems to be initialized.  At the moment the init process can be
    started and eventually execute a process writing to /proc/sys/, it should
    also be fine to do that from the kernel.

    Sysctls registered later, at module load time, are not set by this
    mechanism - it's expected that in such scenarios, setting sysctl values
    from userspace is practical enough.

    [1] https://lore.kernel.org/r/BL0PR02MB560167492CA4094C91589930E9FC0@BL0PR02MB5601.namprd02.prod.outlook.com/
    [2] https://unix.stackexchange.com/questions/558802/how-to-set-sysctl-using-kernel-command-line-parameter
    [3] https://lore.kernel.org/r/87bloj2skm.fsf@x220.int.ebiederm.org/

    Signed-off-by: Vlastimil Babka
    Signed-off-by: Andrew Morton
    Reviewed-by: Luis Chamberlain
    Reviewed-by: Masami Hiramatsu
    Acked-by: Kees Cook
    Acked-by: Michal Hocko
    Cc: Iurii Zaikin
    Cc: Ivan Teterevkov
    Cc: Michal Hocko
    Cc: David Rientjes
    Cc: Matthew Wilcox
    Cc: "Eric W . Biederman"
    Cc: "Guilherme G . Piccoli"
    Cc: Alexey Dobriyan
    Cc: Thomas Gleixner
    Cc: Greg Kroah-Hartman
    Cc: Christian Brauner
    Link: http://lkml.kernel.org/r/20200427180433.7029-1-vbabka@suse.cz
    Link: http://lkml.kernel.org/r/20200427180433.7029-2-vbabka@suse.cz
    Signed-off-by: Linus Torvalds

 Documentation/admin-guide/kernel-parameters.txt |   9 ++
 fs/proc/proc_sysctl.c                           | 107 ++++++++++++++++++++++++
 include/linux/sysctl.h                          |   4 +
 init/main.c                                     |   2 +
 4 files changed, 122 insertions(+)

accumulated error probability: 0.00
culprit signature: e546849bd5187a5c5fbd59c59dbaecdcac239b7f0a2d73cab758e41d3ba4e5e4
parent signature: ec96f125de6ba868f4b272443fd21f3e1d3a75589ecaaa50b1d0e767e20c6edb
revisions tested: 35, total time: 7h4m59.46661496s (build: 2h8m24.148993729s, test: 4h36m1.051473031s)
first bad commit: 3db978d480e2843979a2b56f2f7da726f2b295b2 kernel/sysctl: support setting sysctl parameters from kernel command line
recipients (to): ["akpm@linux-foundation.org" "keescook@chromium.org" "mcgrof@kernel.org" "mhiramat@kernel.org" "mhocko@suse.com" "torvalds@linux-foundation.org" "vbabka@suse.cz"]
recipients (cc): []
crash: INFO: task hung in hugetlb_fault
INFO: task syz.3.73:4433 blocked for more than 143 seconds.
      Not tainted 5.7.0-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz.3.73        D14600  4433   2561 0x00000004
Call Trace:
 context_switch kernel/sched/core.c:3430 [inline]
 __schedule+0x2ca/0x650 kernel/sched/core.c:4156
 schedule+0x3b/0xa0 kernel/sched/core.c:4231
 rwsem_down_read_slowpath+0x318/0x560 kernel/locking/rwsem.c:1099
 __down_read kernel/locking/rwsem.c:1341 [inline]
 down_read+0xa4/0xd0 kernel/locking/rwsem.c:1494
 i_mmap_lock_read include/linux/fs.h:543 [inline]
 hugetlb_fault+0x9b/0xaa0 mm/hugetlb.c:4555
 handle_mm_fault+0x60a/0xe60 mm/memory.c:4382
 do_user_addr_fault arch/x86/mm/fault.c:1301 [inline]
 do_page_fault+0x2ad/0x59f arch/x86/mm/fault.c:1390
 page_fault+0x39/0x40 arch/x86/entry/entry_64.S:1203
RIP: 0033:0x7fddb4822a98
Code: Bad RIP value.
RSP: 002b:00007ffd81f64228 EFLAGS: 00010246
RAX: 0000000020000640 RBX: 0000000000000004 RCX: 006b6e696c766564
RDX: 0000000000000008 RSI: 006b6e696c766564 RDI: 0000000020000640
RBP: 00007fddb4a14a80 R08: 00007fddb46dd000 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000009 R12: 000000000000d2e4
R13: 00007ffd81f64330 R14: 0000000000000032 R15: fffffffffffffffe
INFO: task syz.3.73:4435 blocked for more than 143 seconds.
      Not tainted 5.7.0-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz.3.73        D14400  4435   2561 0x00004004
Call Trace:
 context_switch kernel/sched/core.c:3430 [inline]
 __schedule+0x2ca/0x650 kernel/sched/core.c:4156
 schedule+0x3b/0xa0 kernel/sched/core.c:4231
 rwsem_down_write_slowpath+0x38b/0x570 kernel/locking/rwsem.c:1235
 i_mmap_lock_write include/linux/fs.h:528 [inline]
 unmap_ref_private mm/hugetlb.c:4085 [inline]
 hugetlb_cow+0x1ac/0x540 mm/hugetlb.c:4176
 hugetlb_fault+0x6f6/0xaa0 mm/hugetlb.c:4632
 handle_mm_fault+0x60a/0xe60 mm/memory.c:4382
 do_user_addr_fault arch/x86/mm/fault.c:1301 [inline]
 do_page_fault+0x2ad/0x59f arch/x86/mm/fault.c:1390
 page_fault+0x39/0x40 arch/x86/entry/entry_64.S:1203
RIP: 0010:copy_user_generic_unrolled+0x89/0xc0 arch/x86/lib/copy_user_64.S:91
Code: 38 4c 89 47 20 4c 89 4f 28 4c 89 57 30 4c 89 5f 38 48 8d 76 40 48 8d 7f 40 ff c9 75 b6 89 d1 83 e2 07 c1 e9 03 74 12 4c 8b 06 <4c> 89 07 48 8d 76 08 48 8d 7f 08 ff c9 75 ee 21 d2 74 10 89 d1 8a
RSP: 0018:ffffc90001a17e70 EFLAGS: 00050202
RAX: 000000002002bb18 RBX: 0000000000012490 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffc90001a17e88 RDI: 000000002002bb10
RBP: 0000000000000000 R08: 0000000000000000 R09: ffff888222dd2040
R10: 0000000000000001 R11: ffff888222dd17c0 R12: 000000002002bb10
R13: 0000000000018ff8 R14: 0000000020019680 R15: ffffc90001a17e8c
 copy_user_generic arch/x86/include/asm/uaccess_64.h:37 [inline]
 raw_copy_to_user arch/x86/include/asm/uaccess_64.h:74 [inline]
 _copy_to_user+0x22/0x30 lib/usercopy.c:29
 copy_to_user include/linux/uaccess.h:152 [inline]
 msr_read+0x62/0xe0 arch/x86/kernel/msr.c:62
 vfs_read fs/read_write.c:462 [inline]
 vfs_read+0x8f/0x150 fs/read_write.c:447
 ksys_read+0x5a/0xd0 fs/read_write.c:588
 do_syscall_64+0x50/0x180 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7fddb485aff9
Code: Bad RIP value.
RSP: 002b:00007fddb42dc038 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00007fddb4a12f80 RCX: 00007fddb485aff9
RDX: 0000000000018ff8 RSI: 0000000020019680 RDI: 0000000000000003
RBP: 00007fddb48cd296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fddb4a12f80 R15: 00007ffd81f640c8
INFO: task syz.3.73:4452 blocked for more than 143 seconds.
      Not tainted 5.7.0-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz.3.73        D15032  4452   4433 0x80000000
Call Trace:
 context_switch kernel/sched/core.c:3430 [inline]
 __schedule+0x2ca/0x650 kernel/sched/core.c:4156
 schedule+0x3b/0xa0 kernel/sched/core.c:4231
 rwsem_down_write_slowpath+0x38b/0x570 kernel/locking/rwsem.c:1235
 i_mmap_lock_write include/linux/fs.h:528 [inline]
 unmap_single_vma+0xaf/0xf0 mm/memory.c:1305
 unmap_vmas+0x37/0x50 mm/memory.c:1342
 exit_mmap+0xa4/0x180 mm/mmap.c:3150
 __mmput kernel/fork.c:1094 [inline]
 mmput+0x2e/0xe0 kernel/fork.c:1115
 exit_mm kernel/exit.c:483 [inline]
 do_exit+0x32c/0xb60 kernel/exit.c:793
 __do_sys_exit kernel/exit.c:873 [inline]
 __se_sys_exit kernel/exit.c:871 [inline]
 __x64_sys_exit+0x12/0x20 kernel/exit.c:871
 do_syscall_64+0x50/0x180 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7fddb485aff9
Code: Bad RIP value.
RSP: 002b:00007fddb42bafe8 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
RAX: ffffffffffffffda RBX: 00007fddb4a13058 RCX: 00007fddb485aff9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007fddb48cd296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fddb4a13058 R15: 00007ffd81f640c8
INFO: task syz.4.79:4589 blocked for more than 144 seconds.
      Not tainted 5.7.0-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz.4.79 D13696 4589 2562 0x00000004
Call Trace:
 context_switch kernel/sched/core.c:3430 [inline]
 __schedule+0x2ca/0x650 kernel/sched/core.c:4156
 schedule+0x3b/0xa0 kernel/sched/core.c:4231
 rwsem_down_read_slowpath+0x318/0x560 kernel/locking/rwsem.c:1099
 __down_read kernel/locking/rwsem.c:1341 [inline]
 down_read+0xa4/0xd0 kernel/locking/rwsem.c:1494
 i_mmap_lock_read include/linux/fs.h:543 [inline]
 hugetlb_fault+0x9b/0xaa0 mm/hugetlb.c:4555
 handle_mm_fault+0x60a/0xe60 mm/memory.c:4382
 do_user_addr_fault arch/x86/mm/fault.c:1301 [inline]
 do_page_fault+0x2ad/0x59f arch/x86/mm/fault.c:1390
 page_fault+0x39/0x40 arch/x86/entry/entry_64.S:1203
RIP: 0033:0x7fc2188eca98
Code: Bad RIP value.
RSP: 002b:00007ffc0763b378 EFLAGS: 00010246
RAX: 0000000020000640 RBX: 0000000000000004 RCX: 006b6e696c766564
RDX: 0000000000000008 RSI: 006b6e696c766564 RDI: 0000000020000640
RBP: 00007fc218adea80 R08: 00007fc2187a7000 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000009 R12: 000000000000d447
R13: 00007ffc0763b480 R14: 0000000000000032 R15: fffffffffffffffe
INFO: task syz.4.79:4590 blocked for more than 144 seconds.
      Not tainted 5.7.0-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz.4.79 D14560 4590 2562 0x00004004
Call Trace:
 context_switch kernel/sched/core.c:3430 [inline]
 __schedule+0x2ca/0x650 kernel/sched/core.c:4156
 schedule+0x3b/0xa0 kernel/sched/core.c:4231
 rwsem_down_write_slowpath+0x38b/0x570 kernel/locking/rwsem.c:1235
 i_mmap_lock_write include/linux/fs.h:528 [inline]
 unmap_ref_private mm/hugetlb.c:4085 [inline]
 hugetlb_cow+0x1ac/0x540 mm/hugetlb.c:4176
 hugetlb_fault+0x6f6/0xaa0 mm/hugetlb.c:4632
 handle_mm_fault+0x60a/0xe60 mm/memory.c:4382
 do_user_addr_fault arch/x86/mm/fault.c:1301 [inline]
 do_page_fault+0x2ad/0x59f arch/x86/mm/fault.c:1390
 page_fault+0x39/0x40 arch/x86/entry/entry_64.S:1203
RIP: 0010:copy_user_generic_unrolled+0x89/0xc0 arch/x86/lib/copy_user_64.S:91
Code: 38 4c 89 47 20 4c 89 4f 28 4c 89 57 30 4c 89 5f 38 48 8d 76 40 48 8d 7f 40 ff c9 75 b6 89 d1 83 e2 07 c1 e9 03 74 12 4c 8b 06 <4c> 89 07 48 8d 76 08 48 8d 7f 08 ff c9 75 ee 21 d2 74 10 89 d1 8a
RSP: 0018:ffffc90001aafe70 EFLAGS: 00050202
RAX: 000000002001d818 RBX: 0000000000004190 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffc90001aafe88 RDI: 000000002001d810
RBP: 0000000000000000 R08: 0000000000000000 R09: ffff888222de0880
R10: 0000000000000001 R11: ffff888222de0000 R12: 000000002001d810
R13: 0000000000018ff8 R14: 0000000020019680 R15: ffffc90001aafe8c
 copy_user_generic arch/x86/include/asm/uaccess_64.h:37 [inline]
 raw_copy_to_user arch/x86/include/asm/uaccess_64.h:74 [inline]
 _copy_to_user+0x22/0x30 lib/usercopy.c:29
 copy_to_user include/linux/uaccess.h:152 [inline]
 msr_read+0x62/0xe0 arch/x86/kernel/msr.c:62
 vfs_read fs/read_write.c:462 [inline]
 vfs_read+0x8f/0x150 fs/read_write.c:447
 ksys_read+0x5a/0xd0 fs/read_write.c:588
 do_syscall_64+0x50/0x180 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7fc218924ff9
Code: Bad RIP value.
RSP: 002b:00007fc2183a6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00007fc218adcf80 RCX: 00007fc218924ff9
RDX: 0000000000018ff8 RSI: 0000000020019680 RDI: 0000000000000003
RBP: 00007fc218997296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fc218adcf80 R15: 00007ffc0763b218
INFO: task syz.4.79:4608 blocked for more than 144 seconds.
      Not tainted 5.7.0-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz.4.79 D15032 4608 4589 0x80000000
Call Trace:
 context_switch kernel/sched/core.c:3430 [inline]
 __schedule+0x2ca/0x650 kernel/sched/core.c:4156
 schedule+0x3b/0xa0 kernel/sched/core.c:4231
 rwsem_down_write_slowpath+0x38b/0x570 kernel/locking/rwsem.c:1235
 i_mmap_lock_write include/linux/fs.h:528 [inline]
 unmap_single_vma+0xaf/0xf0 mm/memory.c:1305
 unmap_vmas+0x37/0x50 mm/memory.c:1342
 exit_mmap+0xa4/0x180 mm/mmap.c:3150
 __mmput kernel/fork.c:1094 [inline]
 mmput+0x2e/0xe0 kernel/fork.c:1115
 exit_mm kernel/exit.c:483 [inline]
 do_exit+0x32c/0xb60 kernel/exit.c:793
 __do_sys_exit kernel/exit.c:873 [inline]
 __se_sys_exit kernel/exit.c:871 [inline]
 __x64_sys_exit+0x12/0x20 kernel/exit.c:871
 do_syscall_64+0x50/0x180 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7fc218924ff9
Code: Bad RIP value.
RSP: 002b:00007fc218384fe8 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
RAX: ffffffffffffffda RBX: 00007fc218add058 RCX: 00007fc218924ff9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007fc218997296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fc218add058 R15: 00007ffc0763b218
INFO: task syz.1.83:4650 blocked for more than 145 seconds.
      Not tainted 5.7.0-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz.1.83 D14600 4650 2079 0x00000004
Call Trace:
 context_switch kernel/sched/core.c:3430 [inline]
 __schedule+0x2ca/0x650 kernel/sched/core.c:4156
 schedule+0x3b/0xa0 kernel/sched/core.c:4231
 rwsem_down_read_slowpath+0x318/0x560 kernel/locking/rwsem.c:1099
 __down_read kernel/locking/rwsem.c:1341 [inline]
 down_read+0xa4/0xd0 kernel/locking/rwsem.c:1494
 i_mmap_lock_read include/linux/fs.h:543 [inline]
 hugetlb_fault+0x9b/0xaa0 mm/hugetlb.c:4555
 handle_mm_fault+0x60a/0xe60 mm/memory.c:4382
 do_user_addr_fault arch/x86/mm/fault.c:1301 [inline]
 do_page_fault+0x2ad/0x59f arch/x86/mm/fault.c:1390
 page_fault+0x39/0x40 arch/x86/entry/entry_64.S:1203
RIP: 0033:0x7f7e8a4faa98
Code: Bad RIP value.
RSP: 002b:00007ffc183a6598 EFLAGS: 00010246
RAX: 0000000020000640 RBX: 0000000000000004 RCX: 006b6e696c766564
RDX: 0000000000000008 RSI: 006b6e696c766564 RDI: 0000000020000640
RBP: 00007f7e8a6eca80 R08: 00007f7e8a3b5000 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000009 R12: 000000000000d573
R13: 00007ffc183a66a0 R14: 0000000000000032 R15: fffffffffffffffe
INFO: task syz.1.83:4653 blocked for more than 145 seconds.
      Not tainted 5.7.0-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz.1.83 D14568 4653 2079 0x00004004
Call Trace:
 context_switch kernel/sched/core.c:3430 [inline]
 __schedule+0x2ca/0x650 kernel/sched/core.c:4156
 schedule+0x3b/0xa0 kernel/sched/core.c:4231
 rwsem_down_write_slowpath+0x38b/0x570 kernel/locking/rwsem.c:1235
 i_mmap_lock_write include/linux/fs.h:528 [inline]
 unmap_ref_private mm/hugetlb.c:4085 [inline]
 hugetlb_cow+0x1ac/0x540 mm/hugetlb.c:4176
 hugetlb_fault+0x6f6/0xaa0 mm/hugetlb.c:4632
 handle_mm_fault+0x60a/0xe60 mm/memory.c:4382
 do_user_addr_fault arch/x86/mm/fault.c:1301 [inline]
 do_page_fault+0x2ad/0x59f arch/x86/mm/fault.c:1390
 page_fault+0x39/0x40 arch/x86/entry/entry_64.S:1203
RIP: 0010:copy_user_generic_unrolled+0x89/0xc0 arch/x86/lib/copy_user_64.S:91
Code: 38 4c 89 47 20 4c 89 4f 28 4c 89 57 30 4c 89 5f 38 48 8d 76 40 48 8d 7f 40 ff c9 75 b6 89 d1 83 e2 07 c1 e9 03 74 12 4c 8b 06 <4c> 89 07 48 8d 76 08 48 8d 7f 08 ff c9 75 ee 21 d2 74 10 89 d1 8a
RSP: 0018:ffffc90001adfe70 EFLAGS: 00050202
RAX: 0000000020020290 RBX: 0000000000006c08 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffc90001adfe88 RDI: 0000000020020288
RBP: 0000000000000000 R08: 0000000000000000 R09: ffff888222c56780
R10: 0000000000000001 R11: ffff888222c55f00 R12: 0000000020020288
R13: 0000000000018ff8 R14: 0000000020019680 R15: ffffc90001adfe8c
 copy_user_generic arch/x86/include/asm/uaccess_64.h:37 [inline]
 raw_copy_to_user arch/x86/include/asm/uaccess_64.h:74 [inline]
 _copy_to_user+0x22/0x30 lib/usercopy.c:29
 copy_to_user include/linux/uaccess.h:152 [inline]
 msr_read+0x62/0xe0 arch/x86/kernel/msr.c:62
 vfs_read fs/read_write.c:462 [inline]
 vfs_read+0x8f/0x150 fs/read_write.c:447
 ksys_read+0x5a/0xd0 fs/read_write.c:588
 do_syscall_64+0x50/0x180 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f7e8a532ff9
Code: Bad RIP value.
RSP: 002b:00007f7e89fb4038 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00007f7e8a6eaf80 RCX: 00007f7e8a532ff9
RDX: 0000000000018ff8 RSI: 0000000020019680 RDI: 0000000000000003
RBP: 00007f7e8a5a5296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f7e8a6eaf80 R15: 00007ffc183a6438
INFO: task syz.1.83:4657 blocked for more than 145 seconds.
      Not tainted 5.7.0-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz.1.83 D15032 4657 4650 0x80000000
Call Trace:
 context_switch kernel/sched/core.c:3430 [inline]
 __schedule+0x2ca/0x650 kernel/sched/core.c:4156
 schedule+0x3b/0xa0 kernel/sched/core.c:4231
 rwsem_down_write_slowpath+0x38b/0x570 kernel/locking/rwsem.c:1235
 i_mmap_lock_write include/linux/fs.h:528 [inline]
 unmap_single_vma+0xaf/0xf0 mm/memory.c:1305
 unmap_vmas+0x37/0x50 mm/memory.c:1342
 exit_mmap+0xa4/0x180 mm/mmap.c:3150
 __mmput kernel/fork.c:1094 [inline]
 mmput+0x2e/0xe0 kernel/fork.c:1115
 exit_mm kernel/exit.c:483 [inline]
 do_exit+0x32c/0xb60 kernel/exit.c:793
 __do_sys_exit kernel/exit.c:873 [inline]
 __se_sys_exit kernel/exit.c:871 [inline]
 __x64_sys_exit+0x12/0x20 kernel/exit.c:871
 do_syscall_64+0x50/0x180 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f7e8a532ff9
Code: Bad RIP value.
RSP: 002b:00007f7e89f92fe8 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
RAX: ffffffffffffffda RBX: 00007f7e8a6eb058 RCX: 00007f7e8a532ff9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007f7e8a5a5296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f7e8a6eb058 R15: 00007ffc183a6438
INFO: task syz.0.84:4666 blocked for more than 145 seconds.
      Not tainted 5.7.0-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz.0.84 D14584 4666 2553 0x00004004
Call Trace:
 context_switch kernel/sched/core.c:3430 [inline]
 __schedule+0x2ca/0x650 kernel/sched/core.c:4156
 schedule+0x3b/0xa0 kernel/sched/core.c:4231
 schedule_preempt_disabled+0x5/0x10 kernel/sched/core.c:4290
 __mutex_lock_common kernel/locking/mutex.c:1033 [inline]
 __mutex_lock+0x3c4/0x700 kernel/locking/mutex.c:1103
 hugetlb_fault+0x1ab/0xaa0 mm/hugetlb.c:4569
 handle_mm_fault+0x60a/0xe60 mm/memory.c:4382
 do_user_addr_fault arch/x86/mm/fault.c:1301 [inline]
 do_page_fault+0x2ad/0x59f arch/x86/mm/fault.c:1390
 page_fault+0x39/0x40 arch/x86/entry/entry_64.S:1203
RIP: 0010:copy_user_generic_unrolled+0x89/0xc0 arch/x86/lib/copy_user_64.S:91
Code: 38 4c 89 47 20 4c 89 4f 28 4c 89 57 30 4c 89 5f 38 48 8d 76 40 48 8d 7f 40 ff c9 75 b6 89 d1 83 e2 07 c1 e9 03 74 12 4c 8b 06 <4c> 89 07 48 8d 76 08 48 8d 7f 08 ff c9 75 ee 21 d2 74 10 89 d1 8a
RSP: 0018:ffffc90001ae7e70 EFLAGS: 00050202
RAX: 000000002001fcc8 RBX: 0000000000006640 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffc90001ae7e88 RDI: 000000002001fcc0
RBP: 0000000000000000 R08: 0000000000000000 R09: ffff888222db4fc0
R10: 0000000000000001 R11: ffff888222db4740 R12: 000000002001fcc0
R13: 0000000000018ff8 R14: 0000000020019680 R15: ffffc90001ae7e8c
 copy_user_generic arch/x86/include/asm/uaccess_64.h:37 [inline]
 raw_copy_to_user arch/x86/include/asm/uaccess_64.h:74 [inline]
 _copy_to_user+0x22/0x30 lib/usercopy.c:29
 copy_to_user include/linux/uaccess.h:152 [inline]
 msr_read+0x62/0xe0 arch/x86/kernel/msr.c:62
 vfs_read fs/read_write.c:462 [inline]
 vfs_read+0x8f/0x150 fs/read_write.c:447
 ksys_read+0x5a/0xd0 fs/read_write.c:588
 do_syscall_64+0x50/0x180 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f9276e64ff9
Code: Bad RIP value.
RSP: 002b:00007f92768e6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00007f927701cf80 RCX: 00007f9276e64ff9
RDX: 0000000000018ff8 RSI: 0000000020019680 RDI: 0000000000000003
RBP: 00007f9276ed7296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f927701cf80 R15: 00007fff79880d48

Showing all locks held in the system:
2 locks held by kworker/u4:0/7:
 #0: ffff888236c20938 ((wq_completion)events_unbound){....}-{0:0}, at: wake_up_worker kernel/workqueue.c:837 [inline]
 #0: ffff888236c20938 ((wq_completion)events_unbound){....}-{0:0}, at: process_one_work+0x1bd/0x460 kernel/workqueue.c:2232
 #1: ffffc90000043e78 ((work_completion)(&sub_info->work)){....}-{0:0}, at: wake_up_worker kernel/workqueue.c:837 [inline]
 #1: ffffc90000043e78 ((work_completion)(&sub_info->work)){....}-{0:0}, at: process_one_work+0x1bd/0x460 kernel/workqueue.c:2232
2 locks held by kworker/u4:1/21:
 #0: ffff888236c20938 ((wq_completion)events_unbound){....}-{0:0}, at: wake_up_worker kernel/workqueue.c:837 [inline]
 #0: ffff888236c20938 ((wq_completion)events_unbound){....}-{0:0}, at: process_one_work+0x1bd/0x460 kernel/workqueue.c:2232
 #1: ffffc900000bfe78 ((work_completion)(&sub_info->work)){....}-{0:0}, at: wake_up_worker kernel/workqueue.c:837 [inline]
 #1: ffffc900000bfe78 ((work_completion)(&sub_info->work)){....}-{0:0}, at: process_one_work+0x1bd/0x460 kernel/workqueue.c:2232
1 lock held by khungtaskd/217:
 #0: ffffffff8226cd60 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x15/0xfc kernel/locking/lockdep.c:5780
1 lock held by klogd/887:
 #0: ffff888237c2b3d8 (&rq->lock){....}-{2:2}, at: rq_lock kernel/sched/sched.h:1261 [inline]
 #0: ffff888237c2b3d8 (&rq->lock){....}-{2:2}, at: __schedule+0xa5/0x650 kernel/sched/core.c:4102
2 locks held by getty/959:
 #0: ffff8882315a0098 (&tty->ldisc_sem){....}-{0:0}, at: tty_ldisc_ref_wait+0x1f/0x50 drivers/tty/tty_ldisc.c:267
 #1: ffffc900015672e8 (&ldata->atomic_read_lock){....}-{3:3}, at: n_tty_read+0xd4/0x9c0 drivers/tty/n_tty.c:2156
2 locks held by kworker/u4:3/1018:
 #0: ffff888236c20938 ((wq_completion)events_unbound){....}-{0:0}, at: wake_up_worker kernel/workqueue.c:837 [inline]
 #0: ffff888236c20938 ((wq_completion)events_unbound){....}-{0:0}, at: process_one_work+0x1bd/0x460 kernel/workqueue.c:2232
 #1: ffffc90000177e78 ((work_completion)(&sub_info->work)){....}-{0:0}, at: wake_up_worker kernel/workqueue.c:837 [inline]
 #1: ffffc90000177e78 ((work_completion)(&sub_info->work)){....}-{0:0}, at: process_one_work+0x1bd/0x460 kernel/workqueue.c:2232
2 locks held by kworker/u4:5/1028:
 #0: ffff888236c20938 ((wq_completion)events_unbound){....}-{0:0}, at: wake_up_worker kernel/workqueue.c:837 [inline]
 #0: ffff888236c20938 ((wq_completion)events_unbound){....}-{0:0}, at: process_one_work+0x1bd/0x460 kernel/workqueue.c:2232
 #1: ffffc90000217e78 ((work_completion)(&sub_info->work)){....}-{0:0}, at: wake_up_worker kernel/workqueue.c:837 [inline]
 #1: ffffc90000217e78 ((work_completion)(&sub_info->work)){....}-{0:0}, at: process_one_work+0x1bd/0x460 kernel/workqueue.c:2232
2 locks held by syz.3.73/4433:
 #0: ffff888222d58da8 (&mm->mmap_sem#2){....}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1242 [inline]
 #0: ffff888222d58da8 (&mm->mmap_sem#2){....}-{3:3}, at: do_page_fault+0x11d/0x59f arch/x86/mm/fault.c:1390
 #1: ffff888222d90350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: i_mmap_lock_read include/linux/fs.h:543 [inline]
 #1: ffff888222d90350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: hugetlb_fault+0x9b/0xaa0 mm/hugetlb.c:4555
4 locks held by syz.3.73/4435:
 #0: ffff888222d58da8 (&mm->mmap_sem#2){....}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1242 [inline]
 #0: ffff888222d58da8 (&mm->mmap_sem#2){....}-{3:3}, at: do_page_fault+0x11d/0x59f arch/x86/mm/fault.c:1390
 #1: ffff888222d90350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: i_mmap_lock_read include/linux/fs.h:543 [inline]
 #1: ffff888222d90350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: hugetlb_fault+0x9b/0xaa0 mm/hugetlb.c:4555
 #2: ffff8882333e6338 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlb_fault+0x1ab/0xaa0 mm/hugetlb.c:4569
 #3: ffff888222d90350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: i_mmap_lock_write include/linux/fs.h:528 [inline]
 #3: ffff888222d90350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: unmap_ref_private mm/hugetlb.c:4085 [inline]
 #3: ffff888222d90350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: hugetlb_cow+0x1ac/0x540 mm/hugetlb.c:4176
1 lock held by syz.3.73/4452:
 #0: ffff888222d90350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: i_mmap_lock_write include/linux/fs.h:528 [inline]
 #0: ffff888222d90350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: unmap_single_vma+0xaf/0xf0 mm/memory.c:1305
2 locks held by syz.4.79/4589:
 #0: ffff888226740128 (&mm->mmap_sem#2){....}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1242 [inline]
 #0: ffff888226740128 (&mm->mmap_sem#2){....}-{3:3}, at: do_page_fault+0x11d/0x59f arch/x86/mm/fault.c:1390
 #1: ffff888222d74350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: i_mmap_lock_read include/linux/fs.h:543 [inline]
 #1: ffff888222d74350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: hugetlb_fault+0x9b/0xaa0 mm/hugetlb.c:4555
4 locks held by syz.4.79/4590:
 #0: ffff888226740128 (&mm->mmap_sem#2){....}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1242 [inline]
 #0: ffff888226740128 (&mm->mmap_sem#2){....}-{3:3}, at: do_page_fault+0x11d/0x59f arch/x86/mm/fault.c:1390
 #1: ffff888222d74350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: i_mmap_lock_read include/linux/fs.h:543 [inline]
 #1: ffff888222d74350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: hugetlb_fault+0x9b/0xaa0 mm/hugetlb.c:4555
 #2: ffff8882333e6608 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlb_fault+0x1ab/0xaa0 mm/hugetlb.c:4569
 #3: ffff888222d74350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: i_mmap_lock_write include/linux/fs.h:528 [inline]
 #3: ffff888222d74350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: unmap_ref_private mm/hugetlb.c:4085 [inline]
 #3: ffff888222d74350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: hugetlb_cow+0x1ac/0x540 mm/hugetlb.c:4176
1 lock held by syz.4.79/4608:
 #0: ffff888222d74350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: i_mmap_lock_write include/linux/fs.h:528 [inline]
 #0: ffff888222d74350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: unmap_single_vma+0xaf/0xf0 mm/memory.c:1305
2 locks held by syz.1.83/4650:
 #0: ffff888222c4b328 (&mm->mmap_sem#2){....}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1242 [inline]
 #0: ffff888222c4b328 (&mm->mmap_sem#2){....}-{3:3}, at: do_page_fault+0x11d/0x59f arch/x86/mm/fault.c:1390
 #1: ffff888222c24350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: i_mmap_lock_read include/linux/fs.h:543 [inline]
 #1: ffff888222c24350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: hugetlb_fault+0x9b/0xaa0 mm/hugetlb.c:4555
4 locks held by syz.1.83/4653:
 #0: ffff888222c4b328 (&mm->mmap_sem#2){....}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1252 [inline]
 #0: ffff888222c4b328 (&mm->mmap_sem#2){....}-{3:3}, at: do_page_fault+0x4ec/0x59f arch/x86/mm/fault.c:1390
 #1: ffff888222c24350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: i_mmap_lock_read include/linux/fs.h:543 [inline]
 #1: ffff888222c24350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: hugetlb_fault+0x9b/0xaa0 mm/hugetlb.c:4555
 #2: ffff8882333e6848 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlb_fault+0x1ab/0xaa0 mm/hugetlb.c:4569
 #3: ffff888222c24350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: i_mmap_lock_write include/linux/fs.h:528 [inline]
 #3: ffff888222c24350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: unmap_ref_private mm/hugetlb.c:4085 [inline]
 #3: ffff888222c24350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: hugetlb_cow+0x1ac/0x540 mm/hugetlb.c:4176
1 lock held by syz.1.83/4657:
 #0: ffff888222c24350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: i_mmap_lock_write include/linux/fs.h:528 [inline]
 #0: ffff888222c24350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: unmap_single_vma+0xaf/0xf0 mm/memory.c:1305
3 locks held by syz.0.84/4666:
 #0: ffff888222df8da8 (&mm->mmap_sem#2){....}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1252 [inline]
 #0: ffff888222df8da8 (&mm->mmap_sem#2){....}-{3:3}, at: do_page_fault+0x4ec/0x59f arch/x86/mm/fault.c:1390
 #1: ffff888222e08350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: i_mmap_lock_read include/linux/fs.h:543 [inline]
 #1: ffff888222e08350 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: hugetlb_fault+0x9b/0xaa0 mm/hugetlb.c:4555
 #2: ffff8882333e6848 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlb_fault+0x1ab/0xaa0 mm/hugetlb.c:4569
3 locks held by syz.0.84/4673:
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline]
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308
 #1: ffff888222e08198 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline]
 #1: ffff888222e08198 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655
 #2: ffff8882333e6848 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708
2 locks held by syz.2.93/4714:
 #0: ffff8882267e2068 (&mm->mmap_sem#2){....}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1242 [inline]
 #0: ffff8882267e2068 (&mm->mmap_sem#2){....}-{3:3}, at: do_page_fault+0x11d/0x59f arch/x86/mm/fault.c:1390
 #1: ffff888222e71890 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: i_mmap_lock_read include/linux/fs.h:543 [inline]
 #1: ffff888222e71890 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: hugetlb_fault+0x9b/0xaa0 mm/hugetlb.c:4555
4 locks held by syz.2.93/4715:
 #0: ffff8882267e2068 (&mm->mmap_sem#2){....}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1242 [inline]
 #0: ffff8882267e2068 (&mm->mmap_sem#2){....}-{3:3}, at: do_page_fault+0x11d/0x59f arch/x86/mm/fault.c:1390
 #1: ffff888222e71890 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: i_mmap_lock_read include/linux/fs.h:543 [inline]
 #1: ffff888222e71890 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: hugetlb_fault+0x9b/0xaa0 mm/hugetlb.c:4555
 #2: ffff8882333e6218 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlb_fault+0x1ab/0xaa0 mm/hugetlb.c:4569
 #3: ffff888222e71890 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: i_mmap_lock_write include/linux/fs.h:528 [inline]
 #3: ffff888222e71890 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: unmap_ref_private mm/hugetlb.c:4085 [inline]
 #3: ffff888222e71890 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: hugetlb_cow+0x1ac/0x540 mm/hugetlb.c:4176
1 lock held by syz.2.93/4717:
 #0: ffff888222e71890 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: i_mmap_lock_write include/linux/fs.h:528 [inline]
 #0: ffff888222e71890 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: unmap_single_vma+0xaf/0xf0 mm/memory.c:1305
3 locks held by syz.3.102/5967:
 #0: ffff888226600da8 (&mm->mmap_sem#2){....}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1242 [inline]
 #0: ffff888226600da8 (&mm->mmap_sem#2){....}-{3:3}, at: do_page_fault+0x11d/0x59f arch/x86/mm/fault.c:1390
 #1: ffff888222dc0bd0 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: i_mmap_lock_read include/linux/fs.h:543 [inline]
 #1: ffff888222dc0bd0 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: hugetlb_fault+0x9b/0xaa0 mm/hugetlb.c:4555
 #2: ffff8882333e6848 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlb_fault+0x1ab/0xaa0 mm/hugetlb.c:4569
3 locks held by syz.3.102/6000:
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline]
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308
 #1: ffff888222dc0a18 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline]
 #1: ffff888222dc0a18 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655
 #2: ffff8882333e6848 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708
3 locks held by syz.4.104/6005:
 #0: ffff888222d40da8 (&mm->mmap_sem#2){....}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1242 [inline]
 #0: ffff888222d40da8 (&mm->mmap_sem#2){....}-{3:3}, at: do_page_fault+0x11d/0x59f arch/x86/mm/fault.c:1390
 #1: ffff888222d74790 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: i_mmap_lock_read include/linux/fs.h:543 [inline]
 #1: ffff888222d74790 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: hugetlb_fault+0x9b/0xaa0 mm/hugetlb.c:4555
 #2: ffff8882333e6218 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlb_fault+0x1ab/0xaa0 mm/hugetlb.c:4569
3 locks held by syz.4.104/6030:
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline]
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308
 #1: ffff888222d745d8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline]
 #1: ffff888222d745d8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655
 #2: ffff8882333e6218 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708
1 lock held by syz.3.102/6025:
 #0: ffff888222dc0bd0 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: i_mmap_lock_write include/linux/fs.h:528 [inline]
 #0: ffff888222dc0bd0 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: unmap_single_vma+0xaf/0xf0 mm/memory.c:1305
3 locks held by syz.1.97/6971:
 #0: ffff888222c4cc28 (&mm->mmap_sem#2){....}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1242 [inline]
 #0: ffff888222c4cc28 (&mm->mmap_sem#2){....}-{3:3}, at: do_page_fault+0x11d/0x59f arch/x86/mm/fault.c:1390
 #1: ffff888222c26dd0 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: i_mmap_lock_read include/linux/fs.h:543 [inline]
 #1: ffff888222c26dd0 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: hugetlb_fault+0x9b/0xaa0 mm/hugetlb.c:4555
 #2: ffff8882333e6338 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlb_fault+0x1ab/0xaa0 mm/hugetlb.c:4569
3 locks held by syz.1.97/6972:
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline]
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308
 #1: ffff888222c26c18 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline]
 #1: ffff888222c26c18 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655
 #2: ffff8882333e6338 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708
1 lock held by syz.1.97/7026:
 #0: ffff888222c26dd0 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: i_mmap_lock_write include/linux/fs.h:528 [inline]
 #0: ffff888222c26dd0 (&hugetlbfs_i_mmap_rwsem_key){....}-{3:3}, at: unmap_single_vma+0xaf/0xf0 mm/memory.c:1305
3 locks held by syz.2.98/7029:
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline]
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308
 #1: ffff888222ea4a18 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline]
 #1: ffff888222ea4a18 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655
 #2: ffff8882333e6608 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708
3 locks held by syz.0.108/7047:
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline]
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308
 #1: ffff888222e096d8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline]
 #1: ffff888222e096d8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655
 #2: ffff8882333e6608 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708
3 locks held by syz.4.114/8212:
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline]
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308
 #1: ffff888222c7d298 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline]
 #1: ffff888222c7d298 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655
 #2: ffff8882333e6218 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708
3 locks held by syz.3.121/8365:
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline]
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308
 #1: ffff888222dc2398 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline]
 #1: ffff888222dc2398 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655
 #2: ffff8882333e6338 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708
3 locks held by syz.2.113/9367:
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline]
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308
 #1: ffff888222ea4e58 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline]
 #1: ffff888222ea4e58 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655
 #2: ffff8882333e6218 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708
3 locks held by syz.0.126/9383:
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline]
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308
 #1: ffff888222f145d8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline]
 #1: ffff888222f145d8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655
 #2: ffff8882333e6608 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708
3 locks held by syz.1.136/9420:
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline]
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308
 #1: ffff888222c27058 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline]
 #1: ffff888222c27058 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655
 #2: ffff8882333e6608 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708
3 locks held by syz.3.140/10341:
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline]
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308
 #1: ffff888222dc2c18 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline]
 #1: ffff888222dc2c18 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655
 #2: ffff8882333e6848 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708
3 locks held by syz.4.150/10450:
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline]
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308
 #1: ffff888222c7ec18 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline]
 #1: ffff888222c7ec18 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655
 #2: ffff8882333e6848 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708
3 locks held by syz.2.155/11356:
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline]
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308
 #1: ffff888222e72398 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline]
 #1: ffff888222e72398 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655
 #2: ffff8882333e6848 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708
3 locks held by syz.0.147/11392:
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline]
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308
 #1: ffff888222f14a18 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline]
 #1: ffff888222f14a18 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655
 #2: ffff8882333e6338 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708
3 locks held by syz.1.157/11766:
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline]
 #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308
 #1: ffff888222c25b18 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at:
inode_lock include/linux/fs.h:799 [inline] #1: ffff888222c25b18 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655 #2: ffff8882333e6218 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708 3 locks held by syz.3.162/12701: #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline] #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308 #1: ffff888222d90e58 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline] #1: ffff888222d90e58 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655 #2: ffff8882333e6218 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708 3 locks held by syz.4.167/12782: #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline] #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308 #1: ffff888222c7f058 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline] #1: ffff888222c7f058 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655 #2: ffff8882333e6608 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708 3 locks held by syz.0.170/13631: #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline] #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308 #1: ffff888222e09b18 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline] #1: ffff888222e09b18 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655 #2: ffff8882333e6338 
(&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708 3 locks held by syz.2.173/13763: #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline] #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308 #1: ffff888222e73058 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline] #1: ffff888222e73058 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655 #2: ffff8882333e6218 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708 3 locks held by syz.1.176/14105: #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline] #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308 #1: ffff888222c256d8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline] #1: ffff888222c256d8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655 #2: ffff8882333e6848 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708 3 locks held by syz.3.181/15135: #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline] #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308 #1: ffff888222d91298 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline] #1: ffff888222d91298 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655 #2: ffff8882333e6338 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708 3 locks held by syz.4.184/15181: #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write 
include/linux/fs.h:2917 [inline] #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308 #1: ffff888222d75298 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline] #1: ffff888222d75298 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655 #2: ffff8882333e6338 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708 3 locks held by syz.0.186/15858: #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline] #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308 #1: ffff888222e09f58 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline] #1: ffff888222e09f58 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655 #2: ffff8882333e6848 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708 3 locks held by syz.2.189/16121: #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline] #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308 #1: ffff888222ea5f58 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline] #1: ffff888222ea5f58 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655 #2: ffff8882333e6848 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708 3 locks held by syz.1.252/16650: #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline] #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308 #1: ffff888222c3e7d8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock 
include/linux/fs.h:799 [inline] #1: ffff888222c3e7d8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655 #2: ffff8882333e6608 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708 3 locks held by syz.3.259/17172: #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline] #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308 #1: ffff888222dc3d18 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline] #1: ffff888222dc3d18 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655 #2: ffff8882333e6608 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708 3 locks held by syz.4.268/18196: #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline] #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308 #1: ffff888222d756d8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline] #1: ffff888222d756d8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655 #2: ffff8882333e6848 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708 3 locks held by syz.0.271/18241: #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline] #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308 #1: ffff888222e0ac18 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline] #1: ffff888222e0ac18 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655 #2: ffff8882333e6848 
(&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708 3 locks held by syz.2.284/18583: #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline] #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308 #1: ffff888222e738d8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline] #1: ffff888222e738d8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655 #2: ffff8882333e6608 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708 3 locks held by syz.1.314/19140: #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline] #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308 #1: ffff888222c3f8d8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline] #1: ffff888222c3f8d8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655 #2: ffff8882333e6338 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708 3 locks held by syz.3.320/19714: #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline] #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308 #1: ffff888222d916d8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline] #1: ffff888222d916d8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655 #2: ffff8882333e6608 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708 3 locks held by syz.0.342/21644: #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write 
include/linux/fs.h:2917 [inline] #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308 #1: ffff888222f15b18 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline] #1: ffff888222f15b18 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655 #2: ffff8882333e6608 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708 3 locks held by syz.4.345/21776: #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline] #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308 #1: ffff888222c7fd18 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline] #1: ffff888222c7fd18 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655 #2: ffff8882333e6608 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708 3 locks held by syz.2.367/22389: #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline] #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308 #1: ffff888222e70e58 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock include/linux/fs.h:799 [inline] #1: ffff888222e70e58 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655 #2: ffff8882333e6218 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708 3 locks held by syz.1.492/24892: #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: file_start_write include/linux/fs.h:2917 [inline] #0: ffff8882345fd438 (sb_writers#14){....}-{0:0}, at: vfs_fallocate+0x218/0x270 fs/open.c:308 #1: ffff888222c3c5d8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: inode_lock 
include/linux/fs.h:799 [inline] #1: ffff888222c3c5d8 (&sb->s_type->i_mutex_key#15){....}-{3:3}, at: hugetlbfs_fallocate+0xb2/0x530 fs/hugetlbfs/inode.c:655 #2: ffff8882333e6608 (&hugetlb_fault_mutex_table[i]){....}-{3:3}, at: hugetlbfs_fallocate+0x1ca/0x530 fs/hugetlbfs/inode.c:708 1 lock held by syz-executor/5841: #0: ffffffff8226d6a0 (rcu_state.exp_mutex){....}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:290 [inline] #0: ffffffff8226d6a0 (rcu_state.exp_mutex){....}-{3:3}, at: synchronize_rcu_expedited+0x2c4/0x360 kernel/rcu/tree_exp.h:838 1 lock held by kworker/u4:1/7688: ============================================= NMI backtrace for cpu 1 CPU: 1 PID: 217 Comm: khungtaskd Not tainted 5.7.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x50/0x70 lib/dump_stack.c:118 nmi_cpu_backtrace.cold.7+0x13/0x50 lib/nmi_backtrace.c:101 nmi_trigger_cpumask_backtrace+0x9b/0x9d lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:205 [inline] watchdog+0x327/0x4b0 kernel/hung_task.c:289 kthread+0x10e/0x130 kernel/kthread.c:268 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:351 Sending NMI from CPU 1 to CPUs 0: NMI backtrace for cpu 0 CPU: 0 PID: 7869 Comm: modprobe Not tainted 5.7.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:page_remove_file_rmap mm/rmap.c:1260 [inline] RIP: 0010:page_remove_rmap+0x105/0x2a0 mm/rmap.c:1331 Code: 89 df e8 7e 3e ff ff e9 4e ff ff ff 40 84 ed 0f 85 e5 00 00 00 48 89 df e8 f8 a9 01 00 85 c0 0f 85 50 01 00 00 f0 83 43 30 ff <0f> 89 2a ff ff ff 48 8b 53 08 48 8d 42 ff 83 e2 01 48 0f 44 c3 48 RSP: 0018:ffffc9000535fcd0 EFLAGS: 00000213 RAX: 0000000000000000 RBX: ffffea0008df2c00 RCX: 0000000082092f8a RDX: 0000000000000000 RSI: 0000000052133621 RDI: ffffea0008df2c00 RBP: 
0000000000000000 R08: 0000000000000002 R09: ffff88821db7cfc0 R10: 0000000000000001 R11: ffff88821db7c740 R12: ffffea0008df2c00 R13: 0000000237cb0025 R14: 00007f7289e65000 R15: ffffc9000535fde0 FS: 0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7289ed6440 CR3: 000000021db82000 CR4: 00000000003406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: zap_pte_range mm/memory.c:1090 [inline] zap_pmd_range mm/memory.c:1194 [inline] zap_pud_range mm/memory.c:1223 [inline] zap_p4d_range mm/memory.c:1244 [inline] unmap_page_range+0x51e/0x9a0 mm/memory.c:1265 unmap_vmas+0x37/0x50 mm/memory.c:1342 exit_mmap+0xa4/0x180 mm/mmap.c:3150 __mmput kernel/fork.c:1094 [inline] mmput+0x2e/0xe0 kernel/fork.c:1115 exit_mm kernel/exit.c:483 [inline] do_exit+0x32c/0xb60 kernel/exit.c:793 do_group_exit+0x42/0xb0 kernel/exit.c:904 __do_sys_exit_group kernel/exit.c:915 [inline] __se_sys_exit_group kernel/exit.c:913 [inline] __x64_sys_exit_group+0xf/0x10 kernel/exit.c:913 do_syscall_64+0x50/0x180 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f7289f94a90 Code: 0f 05 57 3d 01 f0 ff ff 73 01 c3 48 8b 0d 90 43 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 ba e7 00 00 00 be 3c 00 00 00 89 d0 0f 05 <48> 3d 00 f0 ff ff 76 0c 48 8b 0d 69 43 0f 00 f7 d8 64 89 01 89 f0 RSP: 002b:00007ffe7963f4a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 00007f728a085860 RCX: 00007f7289f94a90 RDX: 00000000000000e7 RSI: 000000000000003c RDI: 0000000000000001 RBP: 00007f728a085860 R08: 0000000000000000 R09: 8ada9396961be19c R10: 00007ffe7963f360 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000001 R14: 00007f728a089658 R15: 0000000000000001