bisecting fixing commit since 1e986fe9ad15b8406034c504afc5ae76f0a8e852 building syzkaller on 3c7fef3361a6007112b26adc1c5a550189ef43fe testing commit 1e986fe9ad15b8406034c504afc5ae76f0a8e852 compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: 51a82c57e1da1912c962a6d41d7c00c956d95eab0d5a0e0875b738f3de777f59 all runs: crashed: INFO: task hung in __sync_dirty_buffer testing current HEAD b172b44fcb1771e083aad806fa96f3f60e2ddfac testing commit b172b44fcb1771e083aad806fa96f3f60e2ddfac compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: 388e82d767f4d08ccdad4af959785d1e85b601b2815ddd14922edddeaa280304 all runs: crashed: INFO: task hung in __sync_dirty_buffer revisions tested: 2, total time: 28m42.665605865s (build: 16m17.351603522s, test: 12m2.271483681s) the crash still happens on HEAD commit msg: Linux 4.19.206 crash: INFO: task hung in __sync_dirty_buffer Bluetooth: hci3: command 0x0406 tx timeout Bluetooth: hci1: command 0x0406 tx timeout Bluetooth: hci5: command 0x0406 tx timeout ieee802154 phy0 wpan0: encryption failed: -22 ieee802154 phy1 wpan1: encryption failed: -22 INFO: task syz-executor.1:9867 blocked for more than 140 seconds. Not tainted 4.19.206-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor.1 D25624 9867 8493 0x00000004 Call Trace: context_switch kernel/sched/core.c:2828 [inline] __schedule+0x80c/0x1f70 kernel/sched/core.c:3517 schedule+0x7f/0x1b0 kernel/sched/core.c:3561 io_schedule+0x1c/0x70 kernel/sched/core.c:5181 bit_wait_io+0xf/0x90 kernel/sched/wait_bit.c:207 __wait_on_bit_lock+0xbb/0x160 kernel/sched/wait_bit.c:89 out_of_line_wait_on_bit_lock+0xde/0x110 kernel/sched/wait_bit.c:116 wait_on_bit_lock_io include/linux/wait_bit.h:208 [inline] __lock_buffer+0x3c/0x40 fs/buffer.c:65 lock_buffer include/linux/buffer_head.h:374 [inline] __sync_dirty_buffer+0x180/0x1f0 fs/buffer.c:3178 sync_dirty_buffer+0xe/0x10 fs/buffer.c:3204 __ext4_handle_dirty_metadata+0x17a/0x520 fs/ext4/ext4_jbd2.c:300 ext4_convert_inline_data_nolock+0x4f8/0xc40 fs/ext4/inline.c:1240 ext4_convert_inline_data+0x299/0x3c0 fs/ext4/inline.c:2027 ext4_punch_hole+0x15a/0xfd0 fs/ext4/inode.c:4305 ext4_fallocate+0x290/0x1920 fs/ext4/extents.c:4960 vfs_fallocate+0x2b5/0x7c0 fs/open.c:308 ksys_fallocate+0x3c/0x80 fs/open.c:331 __do_sys_fallocate fs/open.c:339 [inline] __se_sys_fallocate fs/open.c:337 [inline] __x64_sys_fallocate+0x92/0xf0 fs/open.c:337 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4665d9 Code: Bad RIP value. RSP: 002b:00007fad51c7e188 EFLAGS: 00000246 ORIG_RAX: 000000000000011d RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9 RDX: 0000000000000000 RSI: 0000000100000003 RDI: 0000000000000003 RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000008001a0 R11: 0000000000000246 R12: 000000000056bf80 R13: 00007fffa6e1d8af R14: 00007fad51c7e300 R15: 0000000000022000 INFO: task syz-executor.1:10018 blocked for more than 140 seconds. Not tainted 4.19.206-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor.1 D28776 10018 8493 0x00000004 Call Trace: context_switch kernel/sched/core.c:2828 [inline] __schedule+0x80c/0x1f70 kernel/sched/core.c:3517 schedule+0x7f/0x1b0 kernel/sched/core.c:3561 __rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:589 [inline] rwsem_down_write_failed+0x3bb/0x780 kernel/locking/rwsem-xadd.c:618 call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117 __down_write arch/x86/include/asm/rwsem.h:142 [inline] down_write+0x53/0x90 kernel/locking/rwsem.c:72 ext4_setattr+0xe2c/0x1f50 fs/ext4/inode.c:5694 notify_change+0x6c3/0xcc0 fs/attr.c:334 do_truncate+0xef/0x1a0 fs/open.c:63 handle_truncate fs/namei.c:3009 [inline] do_last fs/namei.c:3427 [inline] path_openat+0x1b3a/0x2900 fs/namei.c:3537 do_filp_open+0x177/0x250 fs/namei.c:3567 do_sys_open+0x1dc/0x350 fs/open.c:1085 ksys_open include/linux/syscalls.h:1276 [inline] __do_sys_creat fs/open.c:1143 [inline] __se_sys_creat fs/open.c:1141 [inline] __x64_sys_creat+0x5c/0x80 fs/open.c:1141 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4665d9 Code: Bad RIP value. RSP: 002b:00007fad51c3c188 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 RAX: ffffffffffffffda RBX: 000000000056c0f0 RCX: 00000000004665d9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000100 RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c0f0 R13: 00007fffa6e1d8af R14: 00007fad51c3c300 R15: 0000000000022000 INFO: task syz-executor.3:9946 blocked for more than 140 seconds. Not tainted 4.19.206-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor.3 D26584 9946 8485 0x00000004 Call Trace: context_switch kernel/sched/core.c:2828 [inline] __schedule+0x80c/0x1f70 kernel/sched/core.c:3517 schedule+0x7f/0x1b0 kernel/sched/core.c:3561 io_schedule+0x1c/0x70 kernel/sched/core.c:5181 bit_wait_io+0xf/0x90 kernel/sched/wait_bit.c:207 __wait_on_bit_lock+0xbb/0x160 kernel/sched/wait_bit.c:89 out_of_line_wait_on_bit_lock+0xde/0x110 kernel/sched/wait_bit.c:116 wait_on_bit_lock_io include/linux/wait_bit.h:208 [inline] __lock_buffer+0x3c/0x40 fs/buffer.c:65 lock_buffer include/linux/buffer_head.h:374 [inline] __sync_dirty_buffer+0x180/0x1f0 fs/buffer.c:3178 sync_dirty_buffer+0xe/0x10 fs/buffer.c:3204 __ext4_handle_dirty_metadata+0x17a/0x520 fs/ext4/ext4_jbd2.c:300 ext4_convert_inline_data_nolock+0x4f8/0xc40 fs/ext4/inline.c:1240 ext4_convert_inline_data+0x299/0x3c0 fs/ext4/inline.c:2027 ext4_punch_hole+0x15a/0xfd0 fs/ext4/inode.c:4305 ext4_fallocate+0x290/0x1920 fs/ext4/extents.c:4960 vfs_fallocate+0x2b5/0x7c0 fs/open.c:308 ksys_fallocate+0x3c/0x80 fs/open.c:331 __do_sys_fallocate fs/open.c:339 [inline] __se_sys_fallocate fs/open.c:337 [inline] __x64_sys_fallocate+0x92/0xf0 fs/open.c:337 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4665d9 Code: Bad RIP value. RSP: 002b:00007f1e51322188 EFLAGS: 00000246 ORIG_RAX: 000000000000011d RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9 RDX: 0000000000000000 RSI: 0000000100000003 RDI: 0000000000000003 RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000008001a0 R11: 0000000000000246 R12: 000000000056bf80 R13: 00007ffd944031df R14: 00007f1e51322300 R15: 0000000000022000 INFO: task syz-executor.3:10022 blocked for more than 140 seconds. Not tainted 4.19.206-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor.3 D28024 10022 8485 0x00000004 Call Trace: context_switch kernel/sched/core.c:2828 [inline] __schedule+0x80c/0x1f70 kernel/sched/core.c:3517 schedule+0x7f/0x1b0 kernel/sched/core.c:3561 __rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:589 [inline] rwsem_down_write_failed+0x3bb/0x780 kernel/locking/rwsem-xadd.c:618 call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117 __down_write arch/x86/include/asm/rwsem.h:142 [inline] down_write+0x53/0x90 kernel/locking/rwsem.c:72 inode_lock include/linux/fs.h:748 [inline] process_measurement+0x324/0x14a0 security/integrity/ima/ima_main.c:205 ima_file_check+0xc8/0x110 security/integrity/ima/ima_main.c:391 do_last fs/namei.c:3425 [inline] path_openat+0x970/0x2900 fs/namei.c:3537 do_filp_open+0x177/0x250 fs/namei.c:3567 do_sys_open+0x1dc/0x350 fs/open.c:1085 ksys_open include/linux/syscalls.h:1276 [inline] __do_sys_creat fs/open.c:1143 [inline] __se_sys_creat fs/open.c:1141 [inline] __x64_sys_creat+0x5c/0x80 fs/open.c:1141 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4665d9 Code: Bad RIP value. RSP: 002b:00007f1e51301188 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 RAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665d9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000300 RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038 R13: 00007ffd944031df R14: 00007f1e51301300 R15: 0000000000022000 INFO: task syz-executor.3:10023 blocked for more than 140 seconds. Not tainted 4.19.206-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor.3 D29064 10023 8485 0x00000004 Call Trace: context_switch kernel/sched/core.c:2828 [inline] __schedule+0x80c/0x1f70 kernel/sched/core.c:3517 schedule+0x7f/0x1b0 kernel/sched/core.c:3561 __rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:589 [inline] rwsem_down_write_failed+0x3bb/0x780 kernel/locking/rwsem-xadd.c:618 call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117 __down_write arch/x86/include/asm/rwsem.h:142 [inline] down_write+0x53/0x90 kernel/locking/rwsem.c:72 ext4_setattr+0xe2c/0x1f50 fs/ext4/inode.c:5694 notify_change+0x6c3/0xcc0 fs/attr.c:334 do_truncate+0xef/0x1a0 fs/open.c:63 handle_truncate fs/namei.c:3009 [inline] do_last fs/namei.c:3427 [inline] path_openat+0x1b3a/0x2900 fs/namei.c:3537 do_filp_open+0x177/0x250 fs/namei.c:3567 do_sys_open+0x1dc/0x350 fs/open.c:1085 ksys_open include/linux/syscalls.h:1276 [inline] __do_sys_creat fs/open.c:1143 [inline] __se_sys_creat fs/open.c:1141 [inline] __x64_sys_creat+0x5c/0x80 fs/open.c:1141 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4665d9 Code: Bad RIP value. RSP: 002b:00007f1e512e0188 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 RAX: ffffffffffffffda RBX: 000000000056c0f0 RCX: 00000000004665d9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000100 RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c0f0 R13: 00007ffd944031df R14: 00007f1e512e0300 R15: 0000000000022000 INFO: task syz-executor.0:9964 blocked for more than 140 seconds. Not tainted 4.19.206-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor.0 D26680 9964 8488 0x00000004 Call Trace: context_switch kernel/sched/core.c:2828 [inline] __schedule+0x80c/0x1f70 kernel/sched/core.c:3517 schedule+0x7f/0x1b0 kernel/sched/core.c:3561 io_schedule+0x1c/0x70 kernel/sched/core.c:5181 bit_wait_io+0xf/0x90 kernel/sched/wait_bit.c:207 __wait_on_bit_lock+0xbb/0x160 kernel/sched/wait_bit.c:89 out_of_line_wait_on_bit_lock+0xde/0x110 kernel/sched/wait_bit.c:116 wait_on_bit_lock_io include/linux/wait_bit.h:208 [inline] __lock_buffer+0x3c/0x40 fs/buffer.c:65 lock_buffer include/linux/buffer_head.h:374 [inline] __sync_dirty_buffer+0x180/0x1f0 fs/buffer.c:3178 sync_dirty_buffer+0xe/0x10 fs/buffer.c:3204 __ext4_handle_dirty_metadata+0x17a/0x520 fs/ext4/ext4_jbd2.c:300 ext4_convert_inline_data_nolock+0x4f8/0xc40 fs/ext4/inline.c:1240 ext4_convert_inline_data+0x299/0x3c0 fs/ext4/inline.c:2027 ext4_punch_hole+0x15a/0xfd0 fs/ext4/inode.c:4305 ext4_fallocate+0x290/0x1920 fs/ext4/extents.c:4960 vfs_fallocate+0x2b5/0x7c0 fs/open.c:308 ksys_fallocate+0x3c/0x80 fs/open.c:331 __do_sys_fallocate fs/open.c:339 [inline] __se_sys_fallocate fs/open.c:337 [inline] __x64_sys_fallocate+0x92/0xf0 fs/open.c:337 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4665d9 Code: Bad RIP value. RSP: 002b:00007f9dbf42f188 EFLAGS: 00000246 ORIG_RAX: 000000000000011d RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9 RDX: 0000000000000000 RSI: 0000000100000003 RDI: 0000000000000003 RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000008001a0 R11: 0000000000000246 R12: 000000000056bf80 R13: 00007ffd59a8af2f R14: 00007f9dbf42f300 R15: 0000000000022000 INFO: task syz-executor.0:10027 blocked for more than 140 seconds. Not tainted 4.19.206-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor.0 D28408 10027 8488 0x00000004 Call Trace: context_switch kernel/sched/core.c:2828 [inline] __schedule+0x80c/0x1f70 kernel/sched/core.c:3517 schedule+0x7f/0x1b0 kernel/sched/core.c:3561 __rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:589 [inline] rwsem_down_write_failed+0x3bb/0x780 kernel/locking/rwsem-xadd.c:618 call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117 __down_write arch/x86/include/asm/rwsem.h:142 [inline] down_write+0x53/0x90 kernel/locking/rwsem.c:72 inode_lock include/linux/fs.h:748 [inline] process_measurement+0x324/0x14a0 security/integrity/ima/ima_main.c:205 ima_file_check+0xc8/0x110 security/integrity/ima/ima_main.c:391 do_last fs/namei.c:3425 [inline] path_openat+0x970/0x2900 fs/namei.c:3537 do_filp_open+0x177/0x250 fs/namei.c:3567 do_sys_open+0x1dc/0x350 fs/open.c:1085 ksys_open include/linux/syscalls.h:1276 [inline] __do_sys_creat fs/open.c:1143 [inline] __se_sys_creat fs/open.c:1141 [inline] __x64_sys_creat+0x5c/0x80 fs/open.c:1141 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4665d9 Code: Bad RIP value. RSP: 002b:00007f9dbf40e188 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 RAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665d9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000300 RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038 R13: 00007ffd59a8af2f R14: 00007f9dbf40e300 R15: 0000000000022000 INFO: task syz-executor.0:10028 blocked for more than 140 seconds. Not tainted 4.19.206-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor.0 D28776 10028 8488 0x00000004 Call Trace: context_switch kernel/sched/core.c:2828 [inline] __schedule+0x80c/0x1f70 kernel/sched/core.c:3517 schedule+0x7f/0x1b0 kernel/sched/core.c:3561 __rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:589 [inline] rwsem_down_write_failed+0x3bb/0x780 kernel/locking/rwsem-xadd.c:618 call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117 __down_write arch/x86/include/asm/rwsem.h:142 [inline] down_write+0x53/0x90 kernel/locking/rwsem.c:72 ext4_setattr+0xe2c/0x1f50 fs/ext4/inode.c:5694 notify_change+0x6c3/0xcc0 fs/attr.c:334 do_truncate+0xef/0x1a0 fs/open.c:63 handle_truncate fs/namei.c:3009 [inline] do_last fs/namei.c:3427 [inline] path_openat+0x1b3a/0x2900 fs/namei.c:3537 do_filp_open+0x177/0x250 fs/namei.c:3567 do_sys_open+0x1dc/0x350 fs/open.c:1085 ksys_open include/linux/syscalls.h:1276 [inline] __do_sys_creat fs/open.c:1143 [inline] __se_sys_creat fs/open.c:1141 [inline] __x64_sys_creat+0x5c/0x80 fs/open.c:1141 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4665d9 Code: Bad RIP value. RSP: 002b:00007f9dbf3ed188 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 RAX: ffffffffffffffda RBX: 000000000056c0f0 RCX: 00000000004665d9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000100 RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c0f0 R13: 00007ffd59a8af2f R14: 00007f9dbf3ed300 R15: 0000000000022000 INFO: task syz-executor.5:9989 blocked for more than 140 seconds. Not tainted 4.19.206-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor.5 D25800 9989 8490 0x00000004 Call Trace: context_switch kernel/sched/core.c:2828 [inline] __schedule+0x80c/0x1f70 kernel/sched/core.c:3517 schedule+0x7f/0x1b0 kernel/sched/core.c:3561 io_schedule+0x1c/0x70 kernel/sched/core.c:5181 bit_wait_io+0xf/0x90 kernel/sched/wait_bit.c:207 __wait_on_bit_lock+0xbb/0x160 kernel/sched/wait_bit.c:89 out_of_line_wait_on_bit_lock+0xde/0x110 kernel/sched/wait_bit.c:116 wait_on_bit_lock_io include/linux/wait_bit.h:208 [inline] __lock_buffer+0x3c/0x40 fs/buffer.c:65 lock_buffer include/linux/buffer_head.h:374 [inline] __sync_dirty_buffer+0x180/0x1f0 fs/buffer.c:3178 sync_dirty_buffer+0xe/0x10 fs/buffer.c:3204 __ext4_handle_dirty_metadata+0x17a/0x520 fs/ext4/ext4_jbd2.c:300 ext4_convert_inline_data_nolock+0x4f8/0xc40 fs/ext4/inline.c:1240 ext4_convert_inline_data+0x299/0x3c0 fs/ext4/inline.c:2027 ext4_punch_hole+0x15a/0xfd0 fs/ext4/inode.c:4305 ext4_fallocate+0x290/0x1920 fs/ext4/extents.c:4960 vfs_fallocate+0x2b5/0x7c0 fs/open.c:308 ksys_fallocate+0x3c/0x80 fs/open.c:331 __do_sys_fallocate fs/open.c:339 [inline] __se_sys_fallocate fs/open.c:337 [inline] __x64_sys_fallocate+0x92/0xf0 fs/open.c:337 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4665d9 Code: Bad RIP value. RSP: 002b:00007effd5dd9188 EFLAGS: 00000246 ORIG_RAX: 000000000000011d RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665d9 RDX: 0000000000000000 RSI: 0000000100000003 RDI: 0000000000000003 RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000008001a0 R11: 0000000000000246 R12: 000000000056bf80 R13: 00007ffd65fdadef R14: 00007effd5dd9300 R15: 0000000000022000 INFO: task syz-executor.5:10032 blocked for more than 140 seconds. Not tainted 4.19.206-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor.5 D28408 10032 8490 0x00000004 Call Trace: context_switch kernel/sched/core.c:2828 [inline] __schedule+0x80c/0x1f70 kernel/sched/core.c:3517 schedule+0x7f/0x1b0 kernel/sched/core.c:3561 __rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:589 [inline] rwsem_down_write_failed+0x3bb/0x780 kernel/locking/rwsem-xadd.c:618 call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117 __down_write arch/x86/include/asm/rwsem.h:142 [inline] down_write+0x53/0x90 kernel/locking/rwsem.c:72 inode_lock include/linux/fs.h:748 [inline] process_measurement+0x324/0x14a0 security/integrity/ima/ima_main.c:205 ima_file_check+0xc8/0x110 security/integrity/ima/ima_main.c:391 do_last fs/namei.c:3425 [inline] path_openat+0x970/0x2900 fs/namei.c:3537 do_filp_open+0x177/0x250 fs/namei.c:3567 do_sys_open+0x1dc/0x350 fs/open.c:1085 ksys_open include/linux/syscalls.h:1276 [inline] __do_sys_creat fs/open.c:1143 [inline] __se_sys_creat fs/open.c:1141 [inline] __x64_sys_creat+0x5c/0x80 fs/open.c:1141 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4665d9 Code: Bad RIP value. RSP: 002b:00007effd5db8188 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 RAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665d9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000300 RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038 R13: 00007ffd65fdadef R14: 00007effd5db8300 R15: 0000000000022000 Showing all locks held in the system: 3 locks held by kworker/u4:1/23: #0: 000000003e2b82cf (&rq->lock){-.-.}, at: rq_lock kernel/sched/sched.h:1824 [inline] #0: 000000003e2b82cf (&rq->lock){-.-.}, at: __schedule+0x1f6/0x1f70 kernel/sched/core.c:3455 #1: 00000000b32d487f (rcu_read_lock){....}, at: trace_sched_stat_runtime include/trace/events/sched.h:428 [inline] #1: 00000000b32d487f (rcu_read_lock){....}, at: update_curr+0x2cf/0x870 kernel/sched/fair.c:857 #2: 0000000052634c0b (&base->lock){-.-.}, at: lock_timer_base+0xc8/0x160 kernel/time/timer.c:950 3 locks held by kworker/u4:2/33: 1 lock held by khungtaskd/1571: #0: 00000000b32d487f (rcu_read_lock){....}, at: debug_show_all_locks+0x5b/0x27a kernel/locking/lockdep.c:4443 1 lock held by in:imklog/7800: #0: 00000000a06c2e14 (&f->f_pos_lock){+.+.}, at: __fdget_pos+0xa7/0xd0 fs/file.c:767 3 locks held by syz-executor.1/9867: #0: 00000000182391c0 (sb_writers#3){.+.+}, at: file_start_write include/linux/fs.h:2779 [inline] #0: 00000000182391c0 (sb_writers#3){.+.+}, at: vfs_fallocate+0x4df/0x7c0 fs/open.c:307 #1: 000000008e3c3f23 (&ei->i_mmap_sem){++++}, at: ext4_punch_hole+0x152/0xfd0 fs/ext4/inode.c:4304 #2: 000000003f1ad960 (&ei->xattr_sem){++++}, at: ext4_write_lock_xattr fs/ext4/xattr.h:141 [inline] #2: 000000003f1ad960 (&ei->xattr_sem){++++}, at: ext4_convert_inline_data+0x1dc/0x3c0 fs/ext4/inline.c:2025 3 locks held by syz-executor.1/10018: #0: 00000000182391c0 (sb_writers#3){.+.+}, at: sb_start_write include/linux/fs.h:1579 [inline] #0: 00000000182391c0 (sb_writers#3){.+.+}, at: mnt_want_write+0x3c/0xa0 fs/namespace.c:360 #1: 00000000337ebda3 (&sb->s_type->i_mutex_key#10){+.+.}, at: inode_lock include/linux/fs.h:748 [inline] #1: 00000000337ebda3 (&sb->s_type->i_mutex_key#10){+.+.}, at: do_truncate+0xe1/0x1a0 fs/open.c:61 #2: 000000008e3c3f23 (&ei->i_mmap_sem){++++}, at: ext4_setattr+0xe2c/0x1f50 fs/ext4/inode.c:5694 4 locks held by kworker/u4:8/9895: #0: 000000003e2b82cf (&rq->lock){-.-.}, at: rq_lock kernel/sched/sched.h:1824 [inline] #0: 000000003e2b82cf (&rq->lock){-.-.}, at: __schedule+0x1f6/0x1f70 kernel/sched/core.c:3455 #1: 00000000b32d487f (rcu_read_lock){....}, at: trace_sched_stat_runtime include/trace/events/sched.h:428 [inline] #1: 00000000b32d487f (rcu_read_lock){....}, at: update_curr+0x2cf/0x870 kernel/sched/fair.c:857 #2: 00000000b7532e83 (&wdev->mtx){+.+.}, at: sdata_lock net/mac80211/ieee80211_i.h:977 [inline] #2: 00000000b7532e83 (&wdev->mtx){+.+.}, at: ieee80211_ibss_work+0x8b/0xdb0 net/mac80211/ibss.c:1675 #3: 00000000b32d487f (rcu_read_lock){....}, at: sdata_assert_lock net/mac80211/ieee80211_i.h:994 [inline] #3: 00000000b32d487f (rcu_read_lock){....}, at: ieee80211_sta_active_ibss+0x7d/0x2a0 net/mac80211/ibss.c:668 3 locks held by syz-executor.3/9946: #0: 0000000074af944d (sb_writers#3){.+.+}, at: file_start_write include/linux/fs.h:2779 [inline] #0: 0000000074af944d (sb_writers#3){.+.+}, at: vfs_fallocate+0x4df/0x7c0 fs/open.c:307 #1: 000000002e984510 (&ei->i_mmap_sem){++++}, at: ext4_punch_hole+0x152/0xfd0 fs/ext4/inode.c:4304 #2: 0000000045e4e702 (&ei->xattr_sem){++++}, at: ext4_write_lock_xattr fs/ext4/xattr.h:141 [inline] #2: 0000000045e4e702 (&ei->xattr_sem){++++}, at: ext4_convert_inline_data+0x1dc/0x3c0 fs/ext4/inline.c:2025 2 locks held by syz-executor.3/10022: #0: 0000000074af944d (sb_writers#3){.+.+}, at: sb_start_write include/linux/fs.h:1579 [inline] #0: 0000000074af944d (sb_writers#3){.+.+}, at: mnt_want_write+0x3c/0xa0 fs/namespace.c:360 #1: 0000000024fad667 (&sb->s_type->i_mutex_key#10){+.+.}, at: inode_lock include/linux/fs.h:748 [inline] #1: 0000000024fad667 (&sb->s_type->i_mutex_key#10){+.+.}, at: process_measurement+0x324/0x14a0 security/integrity/ima/ima_main.c:205 3 locks held by syz-executor.3/10023: #0: 0000000074af944d (sb_writers#3){.+.+}, at: sb_start_write include/linux/fs.h:1579 [inline] #0: 0000000074af944d (sb_writers#3){.+.+}, at: mnt_want_write+0x3c/0xa0 fs/namespace.c:360 #1: 0000000024fad667 (&sb->s_type->i_mutex_key#10){+.+.}, at: inode_lock include/linux/fs.h:748 [inline] #1: 0000000024fad667 (&sb->s_type->i_mutex_key#10){+.+.}, at: do_truncate+0xe1/0x1a0 fs/open.c:61 #2: 000000002e984510 (&ei->i_mmap_sem){++++}, at: ext4_setattr+0xe2c/0x1f50 fs/ext4/inode.c:5694 3 locks held by syz-executor.0/9964: #0: 00000000d250248a (sb_writers#3){.+.+}, at: file_start_write include/linux/fs.h:2779 [inline] #0: 00000000d250248a (sb_writers#3){.+.+}, at: vfs_fallocate+0x4df/0x7c0 fs/open.c:307 #1: 00000000a32174f8 (&ei->i_mmap_sem){++++}, at: ext4_punch_hole+0x152/0xfd0 fs/ext4/inode.c:4304 #2: 000000000ca7d104 (&ei->xattr_sem){++++}, at: ext4_write_lock_xattr fs/ext4/xattr.h:141 [inline] #2: 000000000ca7d104 (&ei->xattr_sem){++++}, at: ext4_convert_inline_data+0x1dc/0x3c0 fs/ext4/inline.c:2025 2 locks held by syz-executor.0/10027: #0: 00000000d250248a (sb_writers#3){.+.+}, at: sb_start_write include/linux/fs.h:1579 [inline] #0: 00000000d250248a (sb_writers#3){.+.+}, at: mnt_want_write+0x3c/0xa0 fs/namespace.c:360 #1: 0000000055f8c8bf (&sb->s_type->i_mutex_key#10){+.+.}, at: inode_lock include/linux/fs.h:748 [inline] #1: 0000000055f8c8bf (&sb->s_type->i_mutex_key#10){+.+.}, at: process_measurement+0x324/0x14a0 security/integrity/ima/ima_main.c:205 3 locks held by syz-executor.0/10028: #0: 00000000d250248a (sb_writers#3){.+.+}, at: sb_start_write include/linux/fs.h:1579 [inline] #0: 00000000d250248a (sb_writers#3){.+.+}, at: mnt_want_write+0x3c/0xa0 fs/namespace.c:360 #1: 0000000055f8c8bf (&sb->s_type->i_mutex_key#10){+.+.}, at: inode_lock include/linux/fs.h:748 [inline] #1: 0000000055f8c8bf (&sb->s_type->i_mutex_key#10){+.+.}, at: do_truncate+0xe1/0x1a0 fs/open.c:61 #2: 00000000a32174f8 (&ei->i_mmap_sem){++++}, at: ext4_setattr+0xe2c/0x1f50 fs/ext4/inode.c:5694 3 locks held by syz-executor.5/9989: #0: 000000007b0bf62a (sb_writers#3){.+.+}, at: file_start_write include/linux/fs.h:2779 [inline] #0: 000000007b0bf62a (sb_writers#3){.+.+}, at: vfs_fallocate+0x4df/0x7c0 fs/open.c:307 #1: 00000000e073312e (&ei->i_mmap_sem){++++}, at: ext4_punch_hole+0x152/0xfd0 fs/ext4/inode.c:4304 #2: 000000007edcbe73 (&ei->xattr_sem){++++}, at: ext4_write_lock_xattr fs/ext4/xattr.h:141 [inline] #2: 000000007edcbe73 (&ei->xattr_sem){++++}, at: ext4_convert_inline_data+0x1dc/0x3c0 fs/ext4/inline.c:2025 2 locks held by syz-executor.5/10032: #0: 000000007b0bf62a (sb_writers#3){.+.+}, at: sb_start_write include/linux/fs.h:1579 [inline] #0: 000000007b0bf62a (sb_writers#3){.+.+}, at: mnt_want_write+0x3c/0xa0 fs/namespace.c:360 #1: 00000000afcb37d4 (&sb->s_type->i_mutex_key#10){+.+.}, at: inode_lock include/linux/fs.h:748 [inline] #1: 00000000afcb37d4 (&sb->s_type->i_mutex_key#10){+.+.}, at: process_measurement+0x324/0x14a0 security/integrity/ima/ima_main.c:205 3 locks held by syz-executor.5/10033: #0: 000000007b0bf62a (sb_writers#3){.+.+}, at: sb_start_write include/linux/fs.h:1579 [inline] #0: 000000007b0bf62a (sb_writers#3){.+.+}, at: mnt_want_write+0x3c/0xa0 fs/namespace.c:360 #1: 00000000afcb37d4 (&sb->s_type->i_mutex_key#10){+.+.}, at: inode_lock include/linux/fs.h:748 [inline] #1: 00000000afcb37d4 (&sb->s_type->i_mutex_key#10){+.+.}, at: do_truncate+0xe1/0x1a0 fs/open.c:61 #2: 00000000e073312e (&ei->i_mmap_sem){++++}, at: ext4_setattr+0xe2c/0x1f50 fs/ext4/inode.c:5694 3 locks held by syz-executor.2/10004: #0: 000000000f0f1a7a (sb_writers#3){.+.+}, at: file_start_write include/linux/fs.h:2779 [inline] #0: 000000000f0f1a7a (sb_writers#3){.+.+}, at: vfs_fallocate+0x4df/0x7c0 fs/open.c:307 #1: 000000006cd0d50a (&ei->i_mmap_sem){++++}, at: ext4_punch_hole+0x152/0xfd0 fs/ext4/inode.c:4304 #2: 000000005515e1d4 (&ei->xattr_sem){++++}, at: ext4_write_lock_xattr fs/ext4/xattr.h:141 [inline] #2: 000000005515e1d4 (&ei->xattr_sem){++++}, at: ext4_convert_inline_data+0x1dc/0x3c0 fs/ext4/inline.c:2025 2 locks held by syz-executor.2/10037: #0: 000000000f0f1a7a (sb_writers#3){.+.+}, at: sb_start_write include/linux/fs.h:1579 [inline] #0: 000000000f0f1a7a (sb_writers#3){.+.+}, at: mnt_want_write+0x3c/0xa0 fs/namespace.c:360 #1: 00000000fca19599 (&sb->s_type->i_mutex_key#10){+.+.}, at: inode_lock include/linux/fs.h:748 [inline] #1: 00000000fca19599 (&sb->s_type->i_mutex_key#10){+.+.}, at: process_measurement+0x324/0x14a0 security/integrity/ima/ima_main.c:205 3 locks held by syz-executor.2/10039: #0: 000000000f0f1a7a (sb_writers#3){.+.+}, at: sb_start_write include/linux/fs.h:1579 [inline] #0: 000000000f0f1a7a (sb_writers#3){.+.+}, at: mnt_want_write+0x3c/0xa0 fs/namespace.c:360 #1: 00000000fca19599 (&sb->s_type->i_mutex_key#10){+.+.}, at: inode_lock include/linux/fs.h:748 [inline] #1: 00000000fca19599 (&sb->s_type->i_mutex_key#10){+.+.}, at: do_truncate+0xe1/0x1a0 fs/open.c:61 #2: 000000006cd0d50a (&ei->i_mmap_sem){++++}, at: ext4_setattr+0xe2c/0x1f50 fs/ext4/inode.c:5694 3 locks held by syz-executor.4/10012: #0: 0000000074043352 (sb_writers#3){.+.+}, at: file_start_write include/linux/fs.h:2779 [inline] #0: 0000000074043352 (sb_writers#3){.+.+}, at: vfs_fallocate+0x4df/0x7c0 fs/open.c:307 #1: 0000000073b9ec0a (&ei->i_mmap_sem){++++}, at: ext4_punch_hole+0x152/0xfd0 fs/ext4/inode.c:4304 #2: 0000000021e8cb9f (&ei->xattr_sem){++++}, at: ext4_write_lock_xattr fs/ext4/xattr.h:141 [inline] #2: 0000000021e8cb9f (&ei->xattr_sem){++++}, at: ext4_convert_inline_data+0x1dc/0x3c0 fs/ext4/inline.c:2025 2 locks held by syz-executor.4/10041: #0: 0000000074043352 (sb_writers#3){.+.+}, at: sb_start_write include/linux/fs.h:1579 [inline] #0: 0000000074043352 (sb_writers#3){.+.+}, at: mnt_want_write+0x3c/0xa0 fs/namespace.c:360 #1: 00000000c5a1cefb (&sb->s_type->i_mutex_key#10){+.+.}, at: inode_lock include/linux/fs.h:748 [inline] #1: 00000000c5a1cefb (&sb->s_type->i_mutex_key#10){+.+.}, at: process_measurement+0x324/0x14a0 security/integrity/ima/ima_main.c:205 3 locks held by syz-executor.4/10043: #0: 0000000074043352 (sb_writers#3){.+.+}, at: sb_start_write include/linux/fs.h:1579 [inline] #0: 0000000074043352 (sb_writers#3){.+.+}, at: mnt_want_write+0x3c/0xa0 fs/namespace.c:360 #1: 00000000c5a1cefb (&sb->s_type->i_mutex_key#10){+.+.}, at: inode_lock include/linux/fs.h:748 [inline] #1: 00000000c5a1cefb (&sb->s_type->i_mutex_key#10){+.+.}, at: do_truncate+0xe1/0x1a0 fs/open.c:61 #2: 0000000073b9ec0a (&ei->i_mmap_sem){++++}, at: ext4_setattr+0xe2c/0x1f50 fs/ext4/inode.c:5694 ============================================= NMI backtrace for cpu 0 CPU: 0 PID: 1571 Comm: khungtaskd Not tainted 4.19.206-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x17c/0x226 lib/dump_stack.c:118 nmi_cpu_backtrace.cold.0+0x3c/0x78 lib/nmi_backtrace.c:101 nmi_trigger_cpumask_backtrace+0xf6/0x120 lib/nmi_backtrace.c:62 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:203 [inline] watchdog+0x5c3/0xb40 kernel/hung_task.c:287 kthread+0x347/0x410 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 PID: 3462 Comm: kworker/u4:5 Not tainted 4.19.206-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: writeback wb_workfn (flush-7:4) RIP: 0010:mem_cgroup_wb_domain+0x49/0x80 mm/memcontrol.c:3940 Code: 03 80 3c 02 00 75 3d 48 8b 9b 98 04 00 00 48 b8 00 00 00 00 00 fc ff df 48 8d bb 28 01 00 00 48 89 fa 48 c1 ea 03 80 3c 02 00 <75> 1f 48 8b 83 28 01 00 00 48 81 c3 08 0b 00 00 48 85 c0 48 0f 45 RSP: 0018:ffff8880a92e73b0 EFLAGS: 00000046 RAX: dffffc0000000000 RBX: ffff88823b2d4900 RCX: 0000000000000000 RDX: 1ffff1104765a945 RSI: ffffffff88523c80 RDI: ffff88823b2d4a28 RBP: ffff8880a92e73b8 R08: 1ffff110152319a8 R09: ffffed1016353695 R10: ffffed1016353695 R11: ffff8880b1a9b4ab R12: ffff8880b1a9b4a0 R13: ffff88813be804c0 R14: 0000000000000001 R15: ffff88823b2d4900 FS: 0000000000000000(0000) GS:ffff8880ba300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f057fd5d000 CR3: 00000000b2457000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __wb_writeout_inc mm/page-writeback.c:607 [inline] test_clear_page_writeback+0x55c/0xfe0 mm/page-writeback.c:2734 end_page_writeback+0x167/0x330 mm/filemap.c:1252 __block_write_full_page+0x536/0xc00 fs/buffer.c:1793 block_write_full_page+0x1b1/0x230 fs/buffer.c:2951 blkdev_writepage+0x13/0x20 fs/block_dev.c:581 __writepage+0x56/0xb0 mm/page-writeback.c:2305 write_cache_pages+0x5bc/0xf70 mm/page-writeback.c:2240 generic_writepages mm/page-writeback.c:2329 [inline] generic_writepages+0xca/0x130 mm/page-writeback.c:2318 blkdev_writepages+0x9/0x10 fs/block_dev.c:1994 do_writepages+0xca/0x240 mm/page-writeback.c:2344 __writeback_single_inode+0xc6/0xc40 fs/fs-writeback.c:1385 writeback_sb_inodes+0x47b/0xd40 fs/fs-writeback.c:1647 __writeback_inodes_wb+0xec/0x1e0 fs/fs-writeback.c:1716 wb_writeback+0x593/0x910 fs/fs-writeback.c:1822 wb_check_old_data_flush fs/fs-writeback.c:1924 [inline] wb_do_writeback fs/fs-writeback.c:1977 [inline] wb_workfn+0x828/0xde0 fs/fs-writeback.c:2006 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2153 worker_thread+0x85/0xb60 kernel/workqueue.c:2296 kthread+0x347/0x410 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 ---------------- Code disassembly (best guess), 1 bytes skipped: 0: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) 4: 75 3d jne 0x43 6: 48 8b 9b 98 04 00 00 mov 0x498(%rbx),%rbx d: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 14: fc ff df 17: 48 8d bb 28 01 00 00 lea 0x128(%rbx),%rdi 1e: 48 89 fa mov %rdi,%rdx 21: 48 c1 ea 03 shr $0x3,%rdx 25: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) * 29: 75 1f jne 0x4a <-- trapping instruction 2b: 48 8b 83 28 01 00 00 mov 0x128(%rbx),%rax 32: 48 81 c3 08 0b 00 00 add $0xb08,%rbx 39: 48 85 c0 test %rax,%rax 3c: 48 rex.W 3d: 0f .byte 0xf 3e: 45 rex.RB