ci starts bisection 2025-05-29 09:00:48.117887083 +0000 UTC m=+62846.314887860 bisecting cause commit starting from feacb1774bd5eac6382990d0f6d1378dc01dd78f building syzkaller on 3d2f584ddab119da50e8a8d26765aa98d3b33c02 ensuring issue is reproducible on original commit feacb1774bd5eac6382990d0f6d1378dc01dd78f testing commit feacb1774bd5eac6382990d0f6d1378dc01dd78f gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: c6cd07ee7e04621734e5911ec2b5d7b57b48808a4573434e0a6f58899ceefef8 run #0: crashed: KASAN: slab-use-after-free Write in binderfs_evict_inode run #1: crashed: INFO: task hung in io_uring_del_tctx_node run #2: crashed: INFO: task hung in io_uring_del_tctx_node run #3: crashed: INFO: task hung in io_uring_del_tctx_node run #4: crashed: INFO: task hung in io_uring_del_tctx_node run #5: crashed: INFO: task hung in io_uring_del_tctx_node run #6: crashed: INFO: task hung in io_uring_del_tctx_node run #7: crashed: INFO: task hung in io_uring_del_tctx_node run #8: crashed: INFO: task hung in io_uring_del_tctx_node run #9: crashed: INFO: task hung in io_uring_del_tctx_node run #10: crashed: INFO: task hung in io_uring_del_tctx_node run #11: crashed: INFO: task hung in io_uring_del_tctx_node run #12: crashed: INFO: task hung in io_uring_del_tctx_node run #13: crashed: INFO: task hung in io_uring_del_tctx_node run #14: crashed: INFO: task hung in io_uring_del_tctx_node run #15: crashed: INFO: task hung in io_uring_del_tctx_node run #16: crashed: INFO: task hung in io_uring_del_tctx_node run #17: crashed: INFO: task hung in io_uring_del_tctx_node run #18: crashed: INFO: task hung in io_uring_del_tctx_node run #19: crashed: INFO: task hung in io_uring_del_tctx_node representative crash: INFO: task hung in io_uring_del_tctx_node, types: [HANG] check whether we can drop unnecessary instrumentation disabling configs for [KASAN LOCKDEP ATOMIC_SLEEP LEAK UBSAN BUG], they are not needed testing commit feacb1774bd5eac6382990d0f6d1378dc01dd78f gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: df5b8d7842395f9826757ee95db8df0b3ccb99661f7886b957a1ba113a78b926 all runs: OK false negative chance: 0.000 kconfig minimization: base=4091 full=8343 leaves diff=2131 split chunks (needed=false): <2131> split chunk #0 of len 2131 into 5 parts testing without sub-chunk 1/5 testing commit feacb1774bd5eac6382990d0f6d1378dc01dd78f gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: ec1f8ae08ec5a515fc840636ae8f990bc739da0ed1e976f4c0225ba73e5cfa2a all runs: crashed: INFO: task hung in io_uring_del_tctx_node representative crash: INFO: task hung in io_uring_del_tctx_node, types: [HANG] the chunk can be dropped testing without sub-chunk 2/5 testing commit feacb1774bd5eac6382990d0f6d1378dc01dd78f gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 failed building feacb1774bd5eac6382990d0f6d1378dc01dd78f: ld.lld: error: undefined symbol: devm_drm_of_get_bridge testing without sub-chunk 3/5 testing commit feacb1774bd5eac6382990d0f6d1378dc01dd78f gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: b12b4c162a9a1e91c4bbdc9c305475732140261f3e2404170d4fe868bbb98a77 all runs: crashed: INFO: task hung in io_uring_del_tctx_node representative crash: INFO: task hung in io_uring_del_tctx_node, types: [HANG] the chunk can be dropped testing without sub-chunk 4/5 testing commit feacb1774bd5eac6382990d0f6d1378dc01dd78f gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: fa37e662d039e513624acfb5a8f47c7e864c510a530fbc548e23e159b7169484 all runs: crashed: INFO: task hung in io_uring_del_tctx_node representative crash: INFO: task hung in io_uring_del_tctx_node, types: [HANG] the chunk can be dropped testing without sub-chunk 5/5 testing commit feacb1774bd5eac6382990d0f6d1378dc01dd78f gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 963bcce7b4099b36b071f347c6886b5765d744ec874008856c7be5a5c1ead308 all runs: crashed: INFO: task hung in io_uring_del_tctx_node representative crash: INFO: task hung in io_uring_del_tctx_node, types: [HANG] the chunk can be dropped minimized to 427 configs; suspects: [6LOWPAN ARCH_ENABLE_MEMORY_HOTREMOVE ASUS_WMI CHARGER_BQ24190 CMA COMMON_CLK DAX DLM DRM DRM_BRIDGE DRM_DISPLAY_DP_HELPER DRM_DISPLAY_DSC_HELPER DRM_DISPLAY_HDCP_HELPER DRM_DISPLAY_HDMI_HELPER DRM_DISPLAY_HELPER DRM_GEM_SHMEM_HELPER DRM_GM12U320 DRM_GUD DRM_I915 DRM_I915_CAPTURE_ERROR DRM_I915_COMPRESS_ERROR DRM_I915_USERPTR DRM_KMS_HELPER DRM_MIPI_DSI DRM_PANEL DRM_PANEL_BRIDGE DRM_PANEL_EDP DRM_PANEL_ORIENTATION_QUIRKS DRM_SIMPLEDRM DRM_TTM DRM_TTM_HELPER DRM_UDL DRM_VGEM DRM_VIRTIO_GPU DRM_VIRTIO_GPU_KMS DRM_VKMS DRM_VMWGFX DUMMY DVB_AF9013 DVB_AF9033 DVB_AS102 DVB_AS102_FE DVB_B2C2_FLEXCOP DVB_B2C2_FLEXCOP_USB DVB_CORE DVB_DIB3000MB DVB_DIB3000MC DVB_EC100 DVB_GP8PSK_FE DVB_RTL2830 DVB_RTL2832 DVB_RTL2832_SDR DVB_TEST_DRIVERS DVB_TTUSB_BUDGET DVB_TTUSB_DEC DVB_USB DVB_USB_A800 DVB_USB_AF9005 DVB_USB_AF9005_REMOTE DVB_USB_AF9015 DVB_USB_AF9035 DVB_USB_ANYSEE DVB_USB_AU6610 DVB_USB_AZ6007 DVB_USB_AZ6027 DVB_USB_CE6230 DVB_USB_CINERGY_T2 DVB_USB_CXUSB DVB_USB_CXUSB_ANALOG DVB_USB_DIB0700 DVB_USB_DIB3000MC DVB_USB_DIBUSB_MB DVB_USB_DIBUSB_MC DVB_USB_DIGITV DVB_USB_DTT200U DVB_USB_DTV5100 DVB_USB_DVBSKY DVB_USB_DW2102 DVB_USB_EC168 DVB_USB_GL861 DVB_USB_GP8PSK DVB_USB_LME2510 DVB_USB_M920X DVB_USB_MXL111SF DVB_USB_NOVA_T_USB2 DVB_USB_OPERA1 DVB_USB_PCTV452E DVB_USB_RTL28XXU DVB_USB_TECHNISAT_USB2 DVB_USB_TTUSB2 DVB_USB_UMT_010 DVB_USB_V2 DVB_USB_VP702X DVB_USB_VP7045 DVB_USB_ZD1301 DVB_VIDTV DVB_ZL10353 ECRYPT_FS ECRYPT_FS_MESSAGING EDAC EFS_FS ENCRYPTED_KEYS EQUALIZER EROFS_FS EROFS_FS_POSIX_ACL EROFS_FS_SECURITY EROFS_FS_XATTR EROFS_FS_ZIP EVM EVM_ADD_XATTRS EVM_ATTR_FSUUID EXFAT_FS EXPORTFS_BLOCK_OPS EXT3_FS EXT3_FS_POSIX_ACL EXT3_FS_SECURITY EXTCON EXTCON_INTEL_CHT_WC EXTCON_PTN5150 EXTCON_USBC_TUSB320 F2FS_CHECK_FS F2FS_FAULT_INJECTION F2FS_FS F2FS_FS_COMPRESSION F2FS_FS_LZ4 F2FS_FS_LZ4HC F2FS_FS_LZO F2FS_FS_LZORLE F2FS_FS_POSIX_ACL F2FS_FS_SECURITY F2FS_FS_XATTR F2FS_FS_ZSTD F2FS_STAT_FS FANOTIFY FANOTIFY_ACCESS_PERMISSIONS FB FB_CFB_COPYAREA FB_CFB_FILLRECT FB_CFB_IMAGEBLIT FB_CORE FB_DEFERRED_IO FB_DEVICE FB_IOMEM_FOPS FB_IOMEM_HELPERS FB_NOTIFY FB_SYSMEM_FOPS FB_SYSMEM_HELPERS FB_SYSMEM_HELPERS_DEFERRED FB_SYS_COPYAREA FB_SYS_FILLRECT FB_SYS_IMAGEBLIT FB_TILEBLITTING FB_VESA FB_VGA16 FB_VIRTUAL FDDI FIREWIRE FIREWIRE_NET FIREWIRE_OHCI FIREWIRE_SBP2 FONT_8x16 FONT_8x8 FONT_SUPPORT FRAMEBUFFER_CONSOLE FRAMEBUFFER_CONSOLE_DETECT_PRIMARY FRAMEBUFFER_CONSOLE_ROTATION FS_DAX FS_DAX_PMD FS_ENCRYPTION FS_ENCRYPTION_ALGS FS_STACK FS_VERITY FS_VERITY_BUILTIN_SIGNATURES FTL FUSE_DAX FUSE_FS FUTEX_MPOL FUTEX_PRIVATE_HASH FW_LOADER_COMPRESS FW_LOADER_PAGED_BUF FW_LOADER_SYSFS FW_LOADER_USER_HELPER FW_LOADER_USER_HELPER_FALLBACK GACT_PROB GARP GENDWARFKSYMS GENERIC_PHY GET_FREE_REGION GFS2_FS GFS2_FS_LOCKING_DLM GNSS GNSS_USB GOOGLE_COREBOOT_TABLE GOOGLE_FIRMWARE GOOGLE_MEMCONSOLE GOOGLE_MEMCONSOLE_COREBOOT GOOGLE_VPD GPIOLIB GPIOLIB_IRQCHIP GPIO_ACPI GPIO_DLN2 GPIO_LJCA GPIO_VIPERBOARD GREENASIA_FF GREYBUS GREYBUS_BRIDGED_PHY GREYBUS_ES2 GREYBUS_HID GREYBUS_USB GTP GUEST_PERF_EVENTS GVE HAS_LTO_CLANG HAVE_ARCH_NODE_DEV_GROUP HAVE_ARCH_USERFAULTFD_MINOR HAVE_ARCH_USERFAULTFD_WP HAVE_BOOTMEM_INFO_NODE HAVE_CLK_PREPARE HAVE_KVM_CPU_RELAX_INTERCEPT HAVE_KVM_DIRTY_RING HAVE_KVM_DIRTY_RING_ACQ_REL HAVE_KVM_DIRTY_RING_TSO HAVE_KVM_IRQCHIP HAVE_KVM_IRQ_BYPASS HAVE_KVM_IRQ_ROUTING HAVE_KVM_MSI HAVE_KVM_NO_POLL HAVE_KVM_PFNCACHE HAVE_KVM_PM_NOTIFIER HAVE_KVM_READONLY_MEM HAVE_SCHED_AVG_IRQ HDLC HDLC_CISCO HDLC_FR HDLC_PPP HDLC_RAW HDLC_RAW_ETH HDLC_X25 HDMI HFSPLUS_FS HFS_FS HID_ACCUTOUCH HID_ACRUX HID_ACRUX_FF HID_ALPS HID_APPLEIR HID_ASUS HID_AUREAL HID_BATTERY_STRENGTH HID_BETOP_FF HID_BIGBEN_FF HID_CMEDIA HID_CORSAIR HID_COUGAR HID_CP2112 HID_CREATIVE_SB0540 HID_ELAN HID_ELECOM HID_ELO HID_EMS_FF HID_EVISION HID_FT260 HID_GEMBIRD HID_GFRM HID_GLORIOUS HID_GOOGLE_STADIA_FF HID_GREENASIA HID_GT683R HID_HOLTEK HID_ICADE HID_JABRA HID_KEYTOUCH HID_KYE HID_LCPOWER HID_LED HID_LENOVO HID_LETSKETCH HID_LOGITECH HID_LOGITECH_DJ HID_LOGITECH_HIDPP HID_MACALLY HID_MAGICMOUSE HID_MALTRON HID_MAYFLASH HID_MCP2200 HID_MCP2221 HID_MEGAWORLD_FF HID_MULTITOUCH HID_NTI HID_ORTEK HID_PENMOUNT HID_PICOLCD HID_PICOLCD_BACKLIGHT HID_PICOLCD_CIR HID_PICOLCD_FB HID_PICOLCD_LCD HID_PICOLCD_LEDS HID_PLANTRONICS HID_PRIMAX HID_PRODIKEYS HID_PXRC HID_RAZER HID_RETRODE HID_RMI HID_ROCCAT HID_SAITEK HID_SEMITEK HID_SENSOR_ACCEL_3D HID_SENSOR_ALS HID_SENSOR_CUSTOM_INTEL_HINGE HID_SENSOR_CUSTOM_SENSOR HID_SENSOR_DEVICE_ROTATION HID_SENSOR_GYRO_3D HID_SENSOR_HUB HID_SENSOR_HUMIDITY HID_SENSOR_IIO_COMMON HID_SENSOR_IIO_TRIGGER HID_SENSOR_INCLINOMETER_3D HID_SENSOR_MAGNETOMETER_3D HID_SENSOR_PRESS HID_SENSOR_PROX HID_SENSOR_TEMP HID_SIGMAMICRO HID_SPEEDLINK HID_STEELSERIES HID_THINGM HID_TIVO HID_TOPRE HID_TWINHAN HID_U2FZERO HID_UCLOGIC HID_UDRAW_PS3 HID_VIEWSONIC HID_VIVALDI HID_VIVALDI_COMMON HID_VRC2 HID_WACOM HID_WALTOP HID_WIIMOTE HID_XIAOMI HID_XINMO HID_ZYDACRON HMM_MIRROR HOLTEK_FF HOTPLUG_PCI_PCIE HPET_MMAP HPET_MMAP_DEFAULT HPFS_FS I2C_ALGOBIT I2C_CHARDEV I2C_CP2615 I2C_DESIGNWARE_CORE I2C_DESIGNWARE_PLATFORM I2C_DIOLAN_U2C I2C_DLN2 I2C_HID_ACPI I2C_HID_CORE I2C_HID_OF I2C_LJCA I2C_MUX I2C_MUX_REG I2C_ROBOTFUZZ_OSIF I2C_SI4713 I2C_SLAVE I2C_SLAVE_EEPROM I2C_TINY_USB I2C_VIPERBOARD IEEE802154 IEEE802154_6LOWPAN IEEE802154_ATUSB IEEE802154_DRIVERS IEEE802154_HWSIM IEEE802154_NL802154_EXPERIMENTAL IEEE802154_SOCKET IFB IIO IIO_BUFFER IIO_KFIFO_BUF IIO_TRIGGER IIO_TRIGGERED_BUFFER IKCONFIG IKCONFIG_PROC IMA IMA_APPRAISE IMA_APPRAISE_MODSIG IMA_DEFAULT_HASH_SHA256 IMA_LSM_RULES IMA_MEASURE_ASYMMETRIC_KEYS IMA_NG_TEMPLATE IMA_QUEUE_EARLY_BOOT_KEYS IMA_READ_POLICY IMA_WRITE_POLICY INET6_ESPINTCP INET6_ESP_OFFLOAD INET6_IPCOMP INET6_TUNNEL INET6_XFRM_TUNNEL INET_AH INET_DIAG INET_DIAG_DESTROY INET_ESP INET_ESPINTCP INET_ESP_OFFLOAD INET_IPCOMP INET_MPTCP_DIAG INET_RAW_DIAG INET_SCTP_DIAG INET_TCP_DIAG INET_UDP_DIAG INET_XFRM_TUNNEL INFINIBAND INFINIBAND_ADDR_TRANS INFINIBAND_ADDR_TRANS_CONFIGFS INFINIBAND_IPOIB INFINIBAND_IPOIB_CM INFINIBAND_IPOIB_DEBUG INFINIBAND_ISER INFINIBAND_ON_DEMAND_PAGING INFINIBAND_RTRS INFINIBAND_SRP INFINIBAND_USER_ACCESS INFINIBAND_USER_MAD INFINIBAND_USER_MEM INPUT_ATI_REMOTE2 INPUT_CM109 INPUT_IMS_PCU INPUT_JOYDEV INPUT_KEYSPAN_REMOTE INPUT_LEDS INPUT_MOUSEDEV INPUT_MOUSEDEV_PSAUX INPUT_POWERMATE INPUT_UINPUT INPUT_YEALINK INTEGRITY INTEGRITY_ASYMMETRIC_KEYS INTEGRITY_AUDIT INTEGRITY_SIGNATURE INTEGRITY_TRUSTED_KEYRING INTEL_CHTWC_INT33FE INTEL_IDMA64 INTEL_IOATDMA INTEL_IOMMU_DEFAULT_ON INTEL_IOMMU_SVM INTEL_ISHTP_ECLITE INTEL_ISH_FIRMWARE_DOWNLOADER INTEL_ISH_HID INTEL_SOC_PMIC_CHTWC INTERVAL_TREE_SPAN_ITER IOMMUFD IOMMUFD_DRIVER IOMMUFD_DRIVER_CORE IOMMUFD_TEST IO_URING_ZCRX IP6_NF_MATCH_AH IP6_NF_MATCH_EUI64 IP6_NF_MATCH_FRAG IP6_NF_MATCH_HL IP6_NF_MATCH_MH IP6_NF_MATCH_OPTS IP6_NF_MATCH_RPFILTER IP6_NF_MATCH_RT IP6_NF_MATCH_SRH IP6_NF_NAT IP6_NF_RAW IP6_NF_SECURITY IP6_NF_TARGET_HL IP6_NF_TARGET_MASQUERADE IP6_NF_TARGET_NPT IP6_NF_TARGET_SYNPROXY IPV6_FOU IPV6_FOU_TUNNEL IPV6_GRE IPV6_ILA IPV6_MIP6 IPV6_MROUTE IPV6_MROUTE_MULTIPLE_TABLES IPV6_MULTIPLE_TABLES IPV6_OPTIMISTIC_DAD IPV6_PIMSM_V2 IPV6_ROUTER_PREF IPV6_ROUTE_INFO IPV6_RPL_LWTUNNEL IPV6_SEG6_BPF IPV6_SEG6_HMAC IPV6_SEG6_LWTUNNEL IPV6_SIT_6RD IPV6_SUBTREES IPV6_TUNNEL IPV6_VTI IPVLAN IPVLAN_L3S IPVTAP IP_FIB_TRIE_STATS IP_MROUTE_MULTIPLE_TABLES IP_NF_ARPFILTER IP_NF_ARPTABLES IP_NF_ARP_MANGLE IP_NF_MATCH_AH IP_NF_MATCH_ECN IP_NF_MATCH_RPFILTER IP_NF_MATCH_TTL IP_NF_RAW IP_NF_SECURITY IP_NF_TARGET_ECN IP_NF_TARGET_NETMAP IP_NF_TARGET_REDIRECT IP_NF_TARGET_SYNPROXY IP_NF_TARGET_TTL IP_ROUTE_CLASSID IP_SCTP IP_SET IP_SET_BITMAP_IP IP_SET_BITMAP_IPMAC IP_SET_BITMAP_PORT IP_SET_HASH_IP IP_SET_HASH_IPMAC IP_SET_HASH_IPMARK IP_SET_HASH_IPPORT IP_SET_HASH_IPPORTIP IP_SET_HASH_IPPORTNET IP_SET_HASH_MAC IP_SET_HASH_NET IP_SET_HASH_NETIFACE IP_SET_HASH_NETNET IP_SET_HASH_NETPORT IRQ_TIME_ACCOUNTING LAPB LCD_CLASS_DEVICE LEDS_CLASS_MULTICOLOR MAC802154 MEDIA_DIGITAL_TV_SUPPORT MEDIA_RADIO_SUPPORT MEDIA_SDR_SUPPORT MEDIA_SUPPORT MEDIA_TEST_SUPPORT MEDIA_USB_SUPPORT MEMORY_HOTPLUG MEMORY_HOTREMOVE MFD_DLN2 MFD_VIPERBOARD MODVERSIONS MPTCP MTD NETFILTER_ADVANCED NET_ACT_GACT NET_ACT_MIRRED NET_IPGRE_DEMUX NFT_COMPAT NFT_COMPAT_ARP NFT_FWD_NETDEV NF_TABLES NF_TABLES_ARP NF_TABLES_NETDEV PAGE_POOL RADIO_ADAPTERS RADIO_SI4713 RAS RC_CORE REGULATOR RFKILL SND SOUND STAGING TRANSPARENT_HUGEPAGE TYPEC TYPEC_MUX_PI3USB30532 USB_LJCA USB_ROLES_INTEL_XHCI USB_ROLE_SWITCH VIDEO_DEV VIRTIO_FS WAN ZONE_DEVICE] picked [v6.15 v6.14 v6.13 v6.11 v6.9 v6.7 v6.5 v6.3 v6.0 v5.17 v5.14 v5.11 v5.8 v5.5 v5.2 v4.20 v4.19] out of 38 release tags testing release v6.15 testing commit 0ff41df1cb268fc69e703a08a57ee14ae967d0ca gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: d56f27e6558d1afbb8e6d7b6962b7fd4a49f2d5fd90e62422fba587c9dda9f4f run #0: crashed: INFO: task hung in io_uring_del_tctx_node run #1: crashed: INFO: task hung in io_uring_del_tctx_node run #2: crashed: INFO: task hung in io_uring_del_tctx_node run #3: crashed: INFO: task hung in io_uring_del_tctx_node run #4: crashed: INFO: task hung in io_uring_del_tctx_node run #5: crashed: INFO: task hung in io_uring_del_tctx_node run #6: crashed: INFO: task hung in io_uring_del_tctx_node run #7: crashed: INFO: task hung in io_uring_del_tctx_node run #8: crashed: INFO: task hung in io_uring_del_tctx_node run #9: OK representative crash: INFO: task hung in io_uring_del_tctx_node, types: [HANG] testing release v6.14 testing commit 38fec10eb60d687e30c8c6b5420d86e8149f7557 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 3472c0152fd5819edbc5e7ae84dfce657e099bb7f11e1634f0a2f2ec482eeac0 all runs: crashed: INFO: task hung in io_uring_del_tctx_node representative crash: INFO: task hung in io_uring_del_tctx_node, types: [HANG] testing release v6.13 testing commit ffd294d346d185b70e28b1a28abe367bbfe53c04 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: bc29c934b1f3f1690e00c77dc6deda0234b170b94dedaec4742af2d6fe5d4d0d all runs: crashed: INFO: task hung in io_uring_del_tctx_node representative crash: INFO: task hung in io_uring_del_tctx_node, types: [HANG] testing release v6.11 testing commit 98f7e32f20d28ec452afb208f9cffc08448a2652 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: bf8fbe482114dc7fd2675e99a17e88590efa98db99ddd45ddf755b8d4396c7b0 run #0: crashed: INFO: task hung in io_uring_del_tctx_node run #1: crashed: INFO: task hung in io_uring_del_tctx_node run #2: crashed: INFO: task hung in io_uring_del_tctx_node run #3: crashed: INFO: task hung in io_uring_del_tctx_node run #4: crashed: INFO: task hung in io_uring_del_tctx_node run #5: crashed: INFO: task hung in io_uring_del_tctx_node run #6: crashed: INFO: task hung in io_uring_del_tctx_node run #7: crashed: INFO: task hung in io_uring_del_tctx_node run #8: crashed: INFO: task hung in io_uring_del_tctx_node run #9: OK representative crash: INFO: task hung in io_uring_del_tctx_node, types: [HANG] testing release v6.9 testing commit a38297e3fb012ddfa7ce0321a7e5a8daeb1872b6 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 305e2995f03025fc81efb907ea2f71798f15f745694a0de053ab5ce43561fe4b all runs: crashed: INFO: task hung in io_uring_del_tctx_node representative crash: INFO: task hung in io_uring_del_tctx_node, types: [HANG] testing release v6.7 testing commit 0dd3ee31125508cd67f7e7172247f05b7fd1753a gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: a7713d2f54afd5d79db191e1695164a5dcf5a83c1aaefc4a1021119f5834af9a run #0: crashed: INFO: task hung in io_uring_del_tctx_node run #1: crashed: INFO: task hung in io_uring_del_tctx_node run #2: crashed: INFO: task hung in io_uring_del_tctx_node run #3: crashed: INFO: task hung in io_uring_del_tctx_node run #4: crashed: INFO: task hung in io_uring_del_tctx_node run #5: crashed: INFO: task hung in io_uring_del_tctx_node run #6: crashed: INFO: task hung in io_uring_del_tctx_node run #7: crashed: INFO: task hung in io_uring_del_tctx_node run #8: crashed: INFO: task hung in io_uring_del_tctx_node run #9: OK representative crash: INFO: task hung in io_uring_del_tctx_node, types: [HANG] testing release v6.5 testing commit 2dde18cd1d8fac735875f2e4987f11817cc0bc2c gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 8ece5e47b9c1180677c609cce473d5eabd6b9d929665e1de8bc98cc9390f1634 all runs: OK false negative chance: 0.000 # git bisect start 0dd3ee31125508cd67f7e7172247f05b7fd1753a 2dde18cd1d8fac735875f2e4987f11817cc0bc2c Bisecting: 16833 revisions left to test after this (roughly 14 steps) [ec4c20ca09831ddba8fac10a7d82a9902e96e717] Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit ec4c20ca09831ddba8fac10a7d82a9902e96e717 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 408a797c24455ffa956497c4680d4a97ecb499e5ffa7e0ff390e7e2de397b968 all runs: OK false negative chance: 0.000 # git bisect good ec4c20ca09831ddba8fac10a7d82a9902e96e717 Bisecting: 8387 revisions left to test after this (roughly 13 steps) [385903a7ec75bb400f4bf0f07d8d5ad61390270d] Merge tag 'soc-drivers-6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 385903a7ec75bb400f4bf0f07d8d5ad61390270d gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 44a03df70c963a0803a5712ab222bd52937ee08ddbb66f9d5925d1bf1d5fa1ea all runs: crashed: INFO: task hung in io_uring_del_tctx_node representative crash: INFO: task hung in io_uring_del_tctx_node, types: [HANG] # git bisect bad 385903a7ec75bb400f4bf0f07d8d5ad61390270d Bisecting: 4172 revisions left to test after this (roughly 12 steps) [89ed67ef126c4160349c1b96fdb775ea6170ac90] Merge tag 'net-next-6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next testing commit 89ed67ef126c4160349c1b96fdb775ea6170ac90 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: d23618e5b57fec2e0d0eeb7310c033897b9c80c320242535bef892f1d19fdf89 all runs: OK false negative chance: 0.000 # git bisect good 89ed67ef126c4160349c1b96fdb775ea6170ac90 Bisecting: 2348 revisions left to test after this (roughly 11 steps) [631808095a82e6b6f8410a95f8b12b8d0d38b161] Merge tag 'amd-drm-next-6.7-2023-10-27' of https://gitlab.freedesktop.org/agd5f/linux into drm-next testing commit 631808095a82e6b6f8410a95f8b12b8d0d38b161 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: f3e8cf91d7d08b7db23a5ee0dca0a9a4b420c445038028a75fae1a429b9b0bac all runs: OK false negative chance: 0.000 # git bisect good 631808095a82e6b6f8410a95f8b12b8d0d38b161 Bisecting: 1175 revisions left to test after this (roughly 10 steps) [8999ad99f4cb19638d9ecb8017831f9a0ab8dc3d] Merge tag 'x86_tdx_for_6.7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip testing commit 8999ad99f4cb19638d9ecb8017831f9a0ab8dc3d gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 0a3627387d161d01109421601fedf4a7ceaf11cda4dcb62e518fde916ea276db all runs: OK false negative chance: 0.000 # git bisect good 8999ad99f4cb19638d9ecb8017831f9a0ab8dc3d Bisecting: 576 revisions left to test after this (roughly 9 steps) [79d01625c3c77d823e987610cf289fcfd6f31cad] Merge tag 'v6.6-next-dts64.3' of https://git.kernel.org/pub/scm/linux/kernel/git/matthias.bgg/linux into soc/dt testing commit 79d01625c3c77d823e987610cf289fcfd6f31cad gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 1d6aa981728af7487cf35c90ac95321af4a3604f9d0a6727f339f8043d3a3b35 all runs: OK false negative chance: 0.000 # git bisect good 79d01625c3c77d823e987610cf289fcfd6f31cad Bisecting: 287 revisions left to test after this (roughly 8 steps) [009fbfc97b6367762efa257f1478ec86d37949f9] Merge tag 'dma-mapping-6.7-2023-10-30' of git://git.infradead.org/users/hch/dma-mapping testing commit 009fbfc97b6367762efa257f1478ec86d37949f9 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: f8cfe82650a0b4bd5ee5b9a7ed72f14d341a27eaa1f54df0cf79be86fefa6a7b run #0: crashed: INFO: task hung in io_uring_del_tctx_node run #1: crashed: INFO: task hung in io_uring_del_tctx_node run #2: crashed: INFO: task hung in io_uring_del_tctx_node run #3: crashed: INFO: task hung in io_uring_del_tctx_node run #4: crashed: INFO: task hung in io_uring_del_tctx_node run #5: crashed: INFO: task hung in io_uring_del_tctx_node run #6: crashed: INFO: task hung in io_uring_del_tctx_node run #7: crashed: INFO: task hung in io_uring_del_tctx_node run #8: crashed: INFO: task hung in io_uring_del_tctx_node run #9: OK representative crash: INFO: task hung in io_uring_del_tctx_node, types: [HANG] # git bisect bad 009fbfc97b6367762efa257f1478ec86d37949f9 Bisecting: 139 revisions left to test after this (roughly 7 steps) [90d624af2e5a9945eedd5cafd6ae6d88f32cc977] Merge tag 'for-6.7/block-2023-10-30' of git://git.kernel.dk/linux testing commit 90d624af2e5a9945eedd5cafd6ae6d88f32cc977 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: ab61c3eddcbebc5663895e3db56fc6d2254163f8b3c69cd7068bd54518bfd1d1 all runs: crashed: INFO: task hung in io_uring_del_tctx_node representative crash: INFO: task hung in io_uring_del_tctx_node, types: [HANG] # git bisect bad 90d624af2e5a9945eedd5cafd6ae6d88f32cc977 Bisecting: 74 revisions left to test after this (roughly 6 steps) [d451fdd0fe8323bf970b735cf276d4e11ae8cdcc] Merge branch 'for-6.7/io_uring' into for-6.7/block testing commit d451fdd0fe8323bf970b735cf276d4e11ae8cdcc gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: f74775865b7ef75e98a20963f7577c202b84756f2184b2716cb5cf482eb458f6 all runs: crashed: INFO: task hung in io_uring_del_tctx_node representative crash: INFO: task hung in io_uring_del_tctx_node, types: [HANG] # git bisect bad d451fdd0fe8323bf970b735cf276d4e11ae8cdcc Bisecting: 36 revisions left to test after this (roughly 5 steps) [1b0a2d950ee2a54aa04fb31ead32144be0bbf690] md: use new apis to suspend array for ioctls involed array reconfiguration testing commit 1b0a2d950ee2a54aa04fb31ead32144be0bbf690 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: a07baff2819a20792c0de73cca1109f67f428f96055aa9c09aae047f54bf3883 all runs: OK false negative chance: 0.000 # git bisect good 1b0a2d950ee2a54aa04fb31ead32144be0bbf690 Bisecting: 14 revisions left to test after this (roughly 4 steps) [ae3059cf95f3bf11695d48b77f00568e87329aae] Merge tag 'md-next-20231012' of https://git.kernel.org/pub/scm/linux/kernel/git/song/md into for-6.7/block testing commit ae3059cf95f3bf11695d48b77f00568e87329aae gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 3851ce5e5e89ca605b7bc6ee2b8f3ff01be10c0628f22be4d819915618f9ed57 all runs: OK false negative chance: 0.000 # git bisect good ae3059cf95f3bf11695d48b77f00568e87329aae Bisecting: 7 revisions left to test after this (roughly 3 steps) [2e521a2064bf8b26cf178c0f7644a70ed1a512fa] exit: add internal include file with helpers testing commit 2e521a2064bf8b26cf178c0f7644a70ed1a512fa gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 7778535502536383017ea35464b27dd5c80366f84c44e9ef3b8b031a1cea9603 all runs: OK false negative chance: 0.000 # git bisect good 2e521a2064bf8b26cf178c0f7644a70ed1a512fa Bisecting: 3 revisions left to test after this (roughly 2 steps) [922a2c78f13611e2c08fc48f615c0cd367dcb6da] io_uring/rsrc: cleanup io_pin_pages() testing commit 922a2c78f13611e2c08fc48f615c0cd367dcb6da gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: ba0fd6f7c67413601c7fda441bb6f13f175505b2d96d5e12fa185ece76ddec34 all runs: OK false negative chance: 0.000 # git bisect good 922a2c78f13611e2c08fc48f615c0cd367dcb6da Bisecting: 1 revision left to test after this (roughly 1 step) [f74c746e476b9dad51448b9a9421aae72b60e25f] io_uring/kbuf: Allow the full buffer id space for provided buffers testing commit f74c746e476b9dad51448b9a9421aae72b60e25f gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: f9bdee7ea0fd5e9f4b140437adce00b0fb4be018e3ed60a376694e76719224c6 all runs: OK false negative chance: 0.000 # git bisect good f74c746e476b9dad51448b9a9421aae72b60e25f Bisecting: 0 revisions left to test after this (roughly 0 steps) [b3a4dbc89d4021b3f90ff6a13537111a004f9d07] io_uring/kbuf: Use slab for struct io_buffer objects testing commit b3a4dbc89d4021b3f90ff6a13537111a004f9d07 gcc compiler: Debian clang version 20.1.6 (++20250514063057+1e4d39e07757-1~exp1~20250514183223.118), Debian LLD 20.1.6 kernel signature: 740855c698fed7bb989e74c6585a90a4856d6f66a5ecadfa93f2371a1621e7c2 all runs: crashed: INFO: task hung in io_uring_del_tctx_node representative crash: INFO: task hung in io_uring_del_tctx_node, types: [HANG] # git bisect bad b3a4dbc89d4021b3f90ff6a13537111a004f9d07 b3a4dbc89d4021b3f90ff6a13537111a004f9d07 is the first bad commit commit b3a4dbc89d4021b3f90ff6a13537111a004f9d07 Author: Gabriel Krisman Bertazi Date: Wed Oct 4 20:05:31 2023 -0400 io_uring/kbuf: Use slab for struct io_buffer objects The allocation of struct io_buffer for metadata of provided buffers is done through a custom allocator that directly gets pages and fragments them. But, slab would do just fine, as this is not a hot path (in fact, it is a deprecated feature) and, by keeping a custom allocator implementation we lose benefits like tracking, poisoning, sanitizers. Finally, the custom code is more complex and requires keeping the list of pages in struct ctx for no good reason. This patch cleans this path up and just uses slab. I microbenchmarked it by forcing the allocation of a large number of objects with the least number of io_uring commands possible (keeping nbufs=USHRT_MAX), with and without the patch. There is a slight increase in time spent in the allocation with slab, of course, but even when allocating to system resources exhaustion, which is not very realistic and happened around 1/2 billion provided buffers for me, it wasn't a significant hit in system time. Specially if we think of a real-world scenario, an application doing register/unregister of provided buffers will hit ctx->io_buffers_cache more often than actually going to slab. Signed-off-by: Gabriel Krisman Bertazi Link: https://lore.kernel.org/r/20231005000531.30800-4-krisman@suse.de Signed-off-by: Jens Axboe include/linux/io_uring_types.h | 2 -- io_uring/io_uring.c | 4 +++- io_uring/io_uring.h | 1 + io_uring/kbuf.c | 47 +++++++++++++++++++++++------------------- 4 files changed, 30 insertions(+), 24 deletions(-) accumulated error probability: 0.00 culprit signature: 740855c698fed7bb989e74c6585a90a4856d6f66a5ecadfa93f2371a1621e7c2 parent signature: f9bdee7ea0fd5e9f4b140437adce00b0fb4be018e3ed60a376694e76719224c6 revisions tested: 28, total time: 10h30m39.377492859s (build: 5h17m53.383739102s, test: 4h49m58.77439495s) first bad commit: b3a4dbc89d4021b3f90ff6a13537111a004f9d07 io_uring/kbuf: Use slab for struct io_buffer objects recipients (to): ["axboe@kernel.dk" "axboe@kernel.dk" "io-uring@vger.kernel.org" "krisman@suse.de"] recipients (cc): ["asml.silence@gmail.com" "linux-kernel@vger.kernel.org"] crash: INFO: task hung in io_uring_del_tctx_node INFO: task syz.0.16:4919 blocked for more than 143 seconds. Not tainted 6.6.0-rc2-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz.0.16 state:D stack:27840 pid:4919 ppid:3103 flags:0x00004000 Call Trace: context_switch kernel/sched/core.c:5382 [inline] __schedule+0x14df/0x2370 kernel/sched/core.c:6695 schedule+0xe8/0x1f0 kernel/sched/core.c:6771 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6830 __mutex_lock_common kernel/locking/mutex.c:679 [inline] __mutex_lock+0x68b/0xc90 kernel/locking/mutex.c:747 io_uring_del_tctx_node+0xe0/0x280 io_uring/tctx.c:169 io_uring_clean_tctx+0xb6/0x140 io_uring/tctx.c:185 io_uring_cancel_generic+0x595/0x5e0 io_uring/io_uring.c:3426 io_uring_files_cancel include/linux/io_uring.h:78 [inline] do_exit+0x445/0x1e40 kernel/exit.c:831 do_group_exit+0x1b0/0x280 kernel/exit.c:1026 get_signal+0xe3e/0xf10 kernel/signal.c:2892 arch_do_signal_or_restart+0x80/0x590 arch/x86/kernel/signal.c:309 exit_to_user_mode_loop+0x70/0xf0 kernel/entry/common.c:168 exit_to_user_mode_prepare+0xac/0x130 kernel/entry/common.c:204 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline] syscall_exit_to_user_mode+0x1b/0x60 kernel/entry/common.c:296 do_syscall_64+0x6a/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x6f/0xd9 RIP: 0033:0x7f293538e969 RSP: 002b:00007f293612c0e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: fffffffffffffe00 RBX: 00007f29355b5fa8 RCX: 00007f293538e969 RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f29355b5fa8 RBP: 00007f29355b5fa0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f29355b5fac R13: 0000000000000000 R14: 00007ffc43dab1a0 R15: 00007ffc43dab288 Showing all locks held in the system: 2 locks held by kworker/u4:0/11: #0: ffff888100079938 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2605 [inline] #0: ffff888100079938 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x7e3/0xfb0 kernel/workqueue.c:2703 #1: ffffc900000bfd00 ((work_completion)(&sub_info->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2605 [inline] #1: ffffc900000bfd00 ((work_completion)(&sub_info->work)){+.+.}-{0:0}, at: process_scheduled_works+0x7e3/0xfb0 kernel/workqueue.c:2703 1 lock held by khungtaskd/27: #0: ffffffff864ce200 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:303 [inline] #0: ffffffff864ce200 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:749 [inline] #0: ffffffff864ce200 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x55/0x290 kernel/locking/lockdep.c:6613 2 locks held by kworker/u4:5/418: #0: ffff888100079938 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2605 [inline] #0: ffff888100079938 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x7e3/0xfb0 kernel/workqueue.c:2703 #1: ffffc90001e6fd00 ((work_completion)(&sub_info->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2605 [inline] #1: ffffc90001e6fd00 ((work_completion)(&sub_info->work)){+.+.}-{0:0}, at: process_scheduled_works+0x7e3/0xfb0 kernel/workqueue.c:2703 2 locks held by kworker/u4:7/687: #0: ffff888100079938 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2605 [inline] #0: ffff888100079938 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x7e3/0xfb0 kernel/workqueue.c:2703 #1: ffffc90002817d00 ((work_completion)(&sub_info->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2605 [inline] #1: ffffc90002817d00 ((work_completion)(&sub_info->work)){+.+.}-{0:0}, at: process_scheduled_works+0x7e3/0xfb0 kernel/workqueue.c:2703 2 locks held by kworker/u4:12/916: 2 locks held by kworker/u4:17/1243: #0: ffff888100079938 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2605 [inline] #0: ffff888100079938 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x7e3/0xfb0 kernel/workqueue.c:2703 #1: ffffc900043c7d00 ((work_completion)(&sub_info->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2605 [inline] #1: ffffc900043c7d00 ((work_completion)(&sub_info->work)){+.+.}-{0:0}, at: process_scheduled_works+0x7e3/0xfb0 kernel/workqueue.c:2703 2 locks held by getty/1603: #0: ffff88810bf560a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x20/0x60 drivers/tty/tty_ldisc.c:243 #1: ffffc900000532f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x36b/0xf30 drivers/tty/n_tty.c:2206 1 lock held by syz.4.20/4906: 1 lock held by syz.7.18/4914: 1 lock held by syz.0.16/4919: #0: ffff88817ae120a8 (&ctx->uring_lock){+.+.}-{4:4}, at: io_uring_del_tctx_node+0xe0/0x280 io_uring/tctx.c:169 1 lock held by syz.0.16/4921: 1 lock held by syz.3.19/4930: 1 lock held by syz.8.27/5336: 1 lock held by syz.2.23/7114: 1 lock held by syz.9.29/7117: #0: ffff88817e93e0a8 (&ctx->uring_lock){+.+.}-{4:4}, at: io_uring_del_tctx_node+0xe0/0x280 io_uring/tctx.c:169 1 lock held by syz.9.29/7119: 1 lock held by syz.1.24/7126: 1 lock held by syz.5.25/7130: #0: ffff88817e3dc0a8 (&ctx->uring_lock){+.+.}-{4:4}, at: io_uring_del_tctx_node+0xe0/0x280 io_uring/tctx.c:169 1 lock held by syz.5.25/7131: 1 lock held by syz.6.42/7370: #0: ffff88815b0160a8 (&ctx->uring_lock){+.+.}-{4:4}, at: io_uring_del_tctx_node+0xe0/0x280 io_uring/tctx.c:169 1 lock held by syz.6.42/7371: 1 lock held by modprobe/8704: #0: ffff8881f6039cd8 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested kernel/sched/core.c:558 [inline] #0: ffff8881f6039cd8 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock kernel/sched/sched.h:1372 [inline] #0: ffff8881f6039cd8 (&rq->__lock){-.-.}-{2:2}, at: rq_lock kernel/sched/sched.h:1681 [inline] #0: ffff8881f6039cd8 (&rq->__lock){-.-.}-{2:2}, at: __schedule+0x2df/0x2370 kernel/sched/core.c:6612 1 lock held by modprobe/8706: ============================================= NMI backtrace for cpu 1 CPU: 1 PID: 27 Comm: khungtaskd Not tainted 6.6.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: dump_stack_lvl+0xd6/0x150 lib/dump_stack.c:106 nmi_cpu_backtrace+0x209/0x2b0 lib/nmi_backtrace.c:113 nmi_trigger_cpumask_backtrace+0x102/0x210 lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:222 [inline] watchdog+0xb04/0xb40 kernel/hung_task.c:379 kthread+0x27d/0x300 kernel/kthread.c:388 ret_from_fork+0x32/0x70 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:304 Sending NMI from CPU 1 to CPUs 0: NMI backtrace for cpu 0 CPU: 0 PID: 970 Comm: kworker/u4:13 Not tainted 6.6.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: events_unbound toggle_allocation_gate RIP: 0010:__raw_callee_save___pv_queued_spin_unlock+0x10/0x1a Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 52 b8 01 00 00 00 31 d2 f0 0f b0 17 <3c> 01 75 06 5a c3 cc cc cc cc 56 0f b6 f0 e8 9d ff ff ff 5e 5a c3 RSP: 0000:ffffc900035d7838 EFLAGS: 00000046 RAX: 0000000000000001 RBX: ffffffff8f3f9de8 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff8f3f9de8 RBP: 1ffffffff1e7f3be R08: ffffffff8f3f9deb R09: 1ffffffff1e7f3bd R10: dffffc0000000000 R11: fffffbfff1e7f3be R12: dffffc0000000000 R13: 1ffffffff1e7f3bf R14: ffffffff8f3f9df8 R15: ffffffff8f3f9df0 FS: 0000000000000000(0000) GS:ffff8881f6000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f5b5b458f50 CR3: 00000000062e4000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: pv_queued_spin_unlock arch/x86/include/asm/paravirt.h:591 [inline] queued_spin_unlock arch/x86/include/asm/qspinlock.h:57 [inline] do_raw_spin_unlock+0x121/0x230 kernel/locking/spinlock_debug.c:141 __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:150 [inline] _raw_spin_unlock_irqrestore+0x6b/0xf0 kernel/locking/spinlock.c:194 debug_object_assert_init+0x1ed/0x2d0 lib/debugobjects.c:930 debug_timer_assert_init kernel/time/timer.c:792 [inline] debug_assert_init kernel/time/timer.c:837 [inline] __mod_timer+0x3f/0xa70 kernel/time/timer.c:1020 queue_delayed_work_on+0xc7/0x140 kernel/workqueue.c:1986 queue_delayed_work include/linux/workqueue.h:569 [inline] toggle_allocation_gate+0x17d/0x1c0 mm/kfence/core.c:837 process_one_work kernel/workqueue.c:2630 [inline] process_scheduled_works+0x87f/0xfb0 kernel/workqueue.c:2703 worker_thread+0x883/0xd20 kernel/workqueue.c:2784 kthread+0x27d/0x300 kernel/kthread.c:388 ret_from_fork+0x32/0x70 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:304