bisecting fixing commit since 3c8c23092588a23bf1856a64f58c37f477a413be
building syzkaller on ed7d41c582d6f194ff35353d8bfdf7681dc0718e
testing commit 3c8c23092588a23bf1856a64f58c37f477a413be
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 2db7a406f2ba4ae1a658d0deb4cd94ecdc879ca1e348f997b6edd7f11a18abce
all runs: crashed: INFO: task hung in n_tty_poll
testing current HEAD e34184f53363f6bb873c2fe0ce1a08ed7d16e94a
testing commit e34184f53363f6bb873c2fe0ce1a08ed7d16e94a
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: ed90b6c5e70279d3d995edde2549b06a4eb1b8ec57f7736c46ac3e681bdb3cb5
all runs: crashed: INFO: task hung in n_tty_poll
revisions tested: 2, total time: 28m17.998493993s (build: 15m42.733782012s, test: 12m12.599989229s)
the crash still happens on HEAD
commit msg: Linux 4.19.210
crash: INFO: task hung in n_tty_poll

Bluetooth: hci5: command 0x0406 tx timeout
Bluetooth: hci0: command 0x0406 tx timeout
Bluetooth: hci4: command 0x0406 tx timeout
ieee802154 phy0 wpan0: encryption failed: -22
ieee802154 phy1 wpan1: encryption failed: -22
INFO: task syz-executor.2:9919 blocked for more than 140 seconds.
Not tainted 4.19.210-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.2 D27448 9919 8484 0x00000004
Call Trace:
 context_switch kernel/sched/core.c:2828 [inline]
 __schedule+0x80c/0x1f70 kernel/sched/core.c:3517
 schedule+0x7f/0x1b0 kernel/sched/core.c:3561
 schedule_timeout+0x6f6/0xd20 kernel/time/timer.c:1794
 do_wait_for_common kernel/sched/completion.c:83 [inline]
 __wait_for_common kernel/sched/completion.c:104 [inline]
 wait_for_common+0x3fb/0x5d0 kernel/sched/completion.c:115
 wait_for_completion+0x18/0x20 kernel/sched/completion.c:136
 __flush_work+0x401/0x820 kernel/workqueue.c:2926
 flush_work+0xb/0x10 kernel/workqueue.c:2947
 tty_buffer_flush_work+0xd/0x10 drivers/tty/tty_buffer.c:613
 n_tty_poll+0x450/0x820 drivers/tty/n_tty.c:2410
 tty_poll+0x104/0x160 drivers/tty/tty_io.c:2110
 vfs_poll include/linux/poll.h:90 [inline]
 do_select+0x8de/0x1190 fs/select.c:507
 core_sys_select+0x414/0x6b0 fs/select.c:650
 do_pselect fs/select.c:731 [inline]
 __do_sys_pselect6 fs/select.c:772 [inline]
 __se_sys_pselect6+0x3a1/0x420 fs/select.c:757
 __x64_sys_pselect6+0xdc/0x1a0 fs/select.c:757
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4665d9
Code: Bad RIP value.
RSP: 002b:00007fdfb69f6188 EFLAGS: 00000246 ORIG_RAX: 000000000000010e
RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 00000000004665d9
RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000040
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000020000140 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007ffc2b0ca51f R14: 00007fdfb69f6300 R15: 0000000000022000
INFO: task syz-executor.3:9951 blocked for more than 140 seconds.
Not tainted 4.19.210-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.3 D27656 9951 8479 0x00000004
Call Trace:
 context_switch kernel/sched/core.c:2828 [inline]
 __schedule+0x80c/0x1f70 kernel/sched/core.c:3517
 schedule+0x7f/0x1b0 kernel/sched/core.c:3561
 schedule_timeout+0x6f6/0xd20 kernel/time/timer.c:1794
 do_wait_for_common kernel/sched/completion.c:83 [inline]
 __wait_for_common kernel/sched/completion.c:104 [inline]
 wait_for_common+0x3fb/0x5d0 kernel/sched/completion.c:115
 wait_for_completion+0x18/0x20 kernel/sched/completion.c:136
 __flush_work+0x401/0x820 kernel/workqueue.c:2926
 flush_work+0xb/0x10 kernel/workqueue.c:2947
 tty_buffer_flush_work+0xd/0x10 drivers/tty/tty_buffer.c:613
 n_tty_poll+0x450/0x820 drivers/tty/n_tty.c:2410
 tty_poll+0x104/0x160 drivers/tty/tty_io.c:2110
 vfs_poll include/linux/poll.h:90 [inline]
 do_select+0x8de/0x1190 fs/select.c:507
 core_sys_select+0x414/0x6b0 fs/select.c:650
 do_pselect fs/select.c:731 [inline]
 __do_sys_pselect6 fs/select.c:772 [inline]
 __se_sys_pselect6+0x3a1/0x420 fs/select.c:757
 __x64_sys_pselect6+0xdc/0x1a0 fs/select.c:757
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4665d9
Code: Bad RIP value.
RSP: 002b:00007f1504568188 EFLAGS: 00000246 ORIG_RAX: 000000000000010e
RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 00000000004665d9
RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000040
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000020000140 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007fffb023f9df R14: 00007f1504568300 R15: 0000000000022000
INFO: task syz-executor.0:9959 blocked for more than 140 seconds.
Not tainted 4.19.210-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.0 D27432 9959 8483 0x00000004
Call Trace:
 context_switch kernel/sched/core.c:2828 [inline]
 __schedule+0x80c/0x1f70 kernel/sched/core.c:3517
 schedule+0x7f/0x1b0 kernel/sched/core.c:3561
 schedule_timeout+0x6f6/0xd20 kernel/time/timer.c:1794
 do_wait_for_common kernel/sched/completion.c:83 [inline]
 __wait_for_common kernel/sched/completion.c:104 [inline]
 wait_for_common+0x3fb/0x5d0 kernel/sched/completion.c:115
 wait_for_completion+0x18/0x20 kernel/sched/completion.c:136
 __flush_work+0x401/0x820 kernel/workqueue.c:2926
 flush_work+0xb/0x10 kernel/workqueue.c:2947
 tty_buffer_flush_work+0xd/0x10 drivers/tty/tty_buffer.c:613
 n_tty_poll+0x450/0x820 drivers/tty/n_tty.c:2410
 tty_poll+0x104/0x160 drivers/tty/tty_io.c:2110
 vfs_poll include/linux/poll.h:90 [inline]
 do_select+0x8de/0x1190 fs/select.c:507
 core_sys_select+0x414/0x6b0 fs/select.c:650
 do_pselect fs/select.c:731 [inline]
 __do_sys_pselect6 fs/select.c:772 [inline]
 __se_sys_pselect6+0x3a1/0x420 fs/select.c:757
 __x64_sys_pselect6+0xdc/0x1a0 fs/select.c:757
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4665d9
Code: Bad RIP value.
RSP: 002b:00007f36d8a27188 EFLAGS: 00000246 ORIG_RAX: 000000000000010e
RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 00000000004665d9
RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000040
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000020000140 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007ffc0a0f45df R14: 00007f36d8a27300 R15: 0000000000022000
INFO: task syz-executor.1:9967 blocked for more than 140 seconds.
Not tainted 4.19.210-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.1 D27880 9967 8475 0x00000004
Call Trace:
 context_switch kernel/sched/core.c:2828 [inline]
 __schedule+0x80c/0x1f70 kernel/sched/core.c:3517
 schedule+0x7f/0x1b0 kernel/sched/core.c:3561
 schedule_timeout+0x6f6/0xd20 kernel/time/timer.c:1794
 do_wait_for_common kernel/sched/completion.c:83 [inline]
 __wait_for_common kernel/sched/completion.c:104 [inline]
 wait_for_common+0x3fb/0x5d0 kernel/sched/completion.c:115
 wait_for_completion+0x18/0x20 kernel/sched/completion.c:136
 __flush_work+0x401/0x820 kernel/workqueue.c:2926
 flush_work+0xb/0x10 kernel/workqueue.c:2947
 tty_buffer_flush_work+0xd/0x10 drivers/tty/tty_buffer.c:613
 n_tty_poll+0x450/0x820 drivers/tty/n_tty.c:2410
 tty_poll+0x104/0x160 drivers/tty/tty_io.c:2110
 vfs_poll include/linux/poll.h:90 [inline]
 do_select+0x8de/0x1190 fs/select.c:507
 core_sys_select+0x414/0x6b0 fs/select.c:650
 do_pselect fs/select.c:731 [inline]
 __do_sys_pselect6 fs/select.c:772 [inline]
 __se_sys_pselect6+0x3a1/0x420 fs/select.c:757
 __x64_sys_pselect6+0xdc/0x1a0 fs/select.c:757
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4665d9
Code: Bad RIP value.
RSP: 002b:00007f73a867f188 EFLAGS: 00000246 ORIG_RAX: 000000000000010e
RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 00000000004665d9
RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000040
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000020000140 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007ffea11e9d7f R14: 00007f73a867f300 R15: 0000000000022000
INFO: task syz-executor.4:9978 blocked for more than 140 seconds.
Not tainted 4.19.210-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.4 D27656 9978 8485 0x00000004
Call Trace:
 context_switch kernel/sched/core.c:2828 [inline]
 __schedule+0x80c/0x1f70 kernel/sched/core.c:3517
 schedule+0x7f/0x1b0 kernel/sched/core.c:3561
 schedule_timeout+0x6f6/0xd20 kernel/time/timer.c:1794
 do_wait_for_common kernel/sched/completion.c:83 [inline]
 __wait_for_common kernel/sched/completion.c:104 [inline]
 wait_for_common+0x3fb/0x5d0 kernel/sched/completion.c:115
 wait_for_completion+0x18/0x20 kernel/sched/completion.c:136
 __flush_work+0x401/0x820 kernel/workqueue.c:2926
 flush_work+0xb/0x10 kernel/workqueue.c:2947
 tty_buffer_flush_work+0xd/0x10 drivers/tty/tty_buffer.c:613
 n_tty_poll+0x450/0x820 drivers/tty/n_tty.c:2410
 tty_poll+0x104/0x160 drivers/tty/tty_io.c:2110
 vfs_poll include/linux/poll.h:90 [inline]
 do_select+0x8de/0x1190 fs/select.c:507
 core_sys_select+0x414/0x6b0 fs/select.c:650
 do_pselect fs/select.c:731 [inline]
 __do_sys_pselect6 fs/select.c:772 [inline]
 __se_sys_pselect6+0x3a1/0x420 fs/select.c:757
 __x64_sys_pselect6+0xdc/0x1a0 fs/select.c:757
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4665d9
Code: Bad RIP value.
RSP: 002b:00007f30a1ce6188 EFLAGS: 00000246 ORIG_RAX: 000000000000010e
RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 00000000004665d9
RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000040
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000020000140 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007ffedb85a38f R14: 00007f30a1ce6300 R15: 0000000000022000
INFO: task syz-executor.5:9979 blocked for more than 140 seconds.
Not tainted 4.19.210-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor.5 D27944 9979 8477 0x00000004
Call Trace:
 context_switch kernel/sched/core.c:2828 [inline]
 __schedule+0x80c/0x1f70 kernel/sched/core.c:3517
 schedule+0x7f/0x1b0 kernel/sched/core.c:3561
 schedule_timeout+0x6f6/0xd20 kernel/time/timer.c:1794
 do_wait_for_common kernel/sched/completion.c:83 [inline]
 __wait_for_common kernel/sched/completion.c:104 [inline]
 wait_for_common+0x3fb/0x5d0 kernel/sched/completion.c:115
 wait_for_completion+0x18/0x20 kernel/sched/completion.c:136
 __flush_work+0x401/0x820 kernel/workqueue.c:2926
 flush_work+0xb/0x10 kernel/workqueue.c:2947
 tty_buffer_flush_work+0xd/0x10 drivers/tty/tty_buffer.c:613
 n_tty_poll+0x450/0x820 drivers/tty/n_tty.c:2410
 tty_poll+0x104/0x160 drivers/tty/tty_io.c:2110
 vfs_poll include/linux/poll.h:90 [inline]
 do_select+0x8de/0x1190 fs/select.c:507
 core_sys_select+0x414/0x6b0 fs/select.c:650
 do_pselect fs/select.c:731 [inline]
 __do_sys_pselect6 fs/select.c:772 [inline]
 __se_sys_pselect6+0x3a1/0x420 fs/select.c:757
 __x64_sys_pselect6+0xdc/0x1a0 fs/select.c:757
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4665d9
Code: Bad RIP value.
RSP: 002b:00007fa138d3e188 EFLAGS: 00000246 ORIG_RAX: 000000000000010e
RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 00000000004665d9
RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000040
RBP: 00000000004bfcb9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000020000140 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007ffc9f9ba3cf R14: 00007fa138d3e300 R15: 0000000000022000

Showing all locks held in the system:
6 locks held by kworker/u4:0/7:
5 locks held by kworker/u4:2/29:
6 locks held by kworker/u4:3/479:
1 lock held by khungtaskd/1570:
 #0: 000000002321fac3 (rcu_read_lock){....}, at: debug_show_all_locks+0x5b/0x27a kernel/locking/lockdep.c:4443
6 locks held by kworker/u4:4/2913:
2 locks held by kworker/u4:5/3498:
 #0: 00000000b1557f31 (&rq->lock){-.-.}, at: rq_lock kernel/sched/sched.h:1826 [inline]
 #0: 00000000b1557f31 (&rq->lock){-.-.}, at: __schedule+0x1f6/0x1f70 kernel/sched/core.c:3455
 #1: 00000000503cc461 ((work_completion)(&buf->work)){+.+.}, at: process_one_work+0x71b/0x15a0 kernel/workqueue.c:2128
1 lock held by in:imklog/7820:
 #0: 0000000079b8bf05 (&f->f_pos_lock){+.+.}, at: __fdget_pos+0xa7/0xd0 fs/file.c:767
5 locks held by kworker/u4:6/8082:
6 locks held by kworker/u4:7/9766:
1 lock held by syz-executor.2/9919:
 #0: 00000000cab12f53 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x2d/0x40 drivers/tty/tty_ldsem.c:362
1 lock held by syz-executor.3/9951:
 #0: 00000000aa063753 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x2d/0x40 drivers/tty/tty_ldsem.c:362
1 lock held by syz-executor.0/9959:
 #0: 000000000c93b9d8 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x2d/0x40 drivers/tty/tty_ldsem.c:362
1 lock held by syz-executor.1/9967:
 #0: 000000000071cd2d (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x2d/0x40 drivers/tty/tty_ldsem.c:362