bisecting fixing commit since 6ca2f514c57864e3085a65c5e9d2adca4144bc4c
building syzkaller on b97d64c9fd454c0e4be1a5ab22450d0aeb368d18
testing commit 6ca2f514c57864e3085a65c5e9d2adca4144bc4c
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 88c6edadbd33e260627d8e6eb7e2f797552d708c471136cb01f93ad48be336af
all runs: crashed: INFO: task hung in synchronize_rcu
testing current HEAD b172b44fcb1771e083aad806fa96f3f60e2ddfac
testing commit b172b44fcb1771e083aad806fa96f3f60e2ddfac
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: a31a6d4687970cf2494339417eff2508b9c6c9e8a7d2c51fca18e77ae68fe2e6
all runs: crashed: INFO: task hung in synchronize_rcu
revisions tested: 2, total time: 33m26.439312012s (build: 17m34.376734685s, test: 15m14.657416612s)
the crash still happens on HEAD
commit msg: Linux 4.19.206
crash: INFO: task hung in synchronize_rcu

netlink: 8 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.0'.
INFO: task kworker/u4:1:23 blocked for more than 140 seconds.
      Not tainted 4.19.206-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
kworker/u4:1    D26264    23      2 0x80000000
Workqueue: events_unbound fsnotify_mark_destroy_workfn
Call Trace:
 context_switch kernel/sched/core.c:2828 [inline]
 __schedule+0x80c/0x1f70 kernel/sched/core.c:3517
nla_parse: 96 callbacks suppressed
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.2'.
 schedule+0x7f/0x1b0 kernel/sched/core.c:3561
 schedule_timeout+0x6f6/0xd20 kernel/time/timer.c:1794
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.0'.
 do_wait_for_common kernel/sched/completion.c:83 [inline]
 __wait_for_common kernel/sched/completion.c:104 [inline]
 wait_for_common+0x3fb/0x5d0 kernel/sched/completion.c:115
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'.
 wait_for_completion+0x18/0x20 kernel/sched/completion.c:136
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.2'.
 __synchronize_srcu+0x121/0x200 kernel/rcu/srcutree.c:936
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.3'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'.
 synchronize_srcu_expedited kernel/rcu/srcutree.c:961 [inline]
 synchronize_srcu+0x161/0x3e0 kernel/rcu/srcutree.c:1012
 fsnotify_mark_destroy_workfn+0xfc/0x390 fs/notify/mark.c:795
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.5'.
 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2153
netlink: 8 bytes leftover after parsing attributes in process `syz-executor.0'.
 process_scheduled_works kernel/workqueue.c:2212 [inline]
 worker_thread+0x5b0/0xb60 kernel/workqueue.c:2298
 kthread+0x347/0x410 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
INFO: task kworker/u4:5:9218 blocked for more than 140 seconds.
      Not tainted 4.19.206-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
kworker/u4:5    D26952  9218      2 0x80000000
Workqueue: events_unbound fsnotify_connector_destroy_workfn
Call Trace:
 context_switch kernel/sched/core.c:2828 [inline]
 __schedule+0x80c/0x1f70 kernel/sched/core.c:3517
 schedule+0x7f/0x1b0 kernel/sched/core.c:3561
 schedule_timeout+0x6f6/0xd20 kernel/time/timer.c:1794
 do_wait_for_common kernel/sched/completion.c:83 [inline]
 __wait_for_common kernel/sched/completion.c:104 [inline]
 wait_for_common+0x3fb/0x5d0 kernel/sched/completion.c:115
 wait_for_completion+0x18/0x20 kernel/sched/completion.c:136
 __synchronize_srcu+0x121/0x200 kernel/rcu/srcutree.c:936
 synchronize_srcu_expedited kernel/rcu/srcutree.c:961 [inline]
 synchronize_srcu+0x161/0x3e0 kernel/rcu/srcutree.c:1012
 fsnotify_connector_destroy_workfn+0x45/0xa0 fs/notify/mark.c:174
 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2153
 worker_thread+0x85/0xb60 kernel/workqueue.c:2296
 kthread+0x347/0x410 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Showing all locks held in the system:
2 locks held by kworker/u4:1/23:
 #0: 000000007bf642d0 ((wq_completion)"events_unbound"){+.+.}, at: process_one_work+0x6e8/0x15a0 kernel/workqueue.c:2124
 #1: 00000000cdfebc3c ((reaper_work).work){+.+.}, at: process_one_work+0x71b/0x15a0 kernel/workqueue.c:2128
5 locks held by kworker/1:1/52:
1 lock held by khungtaskd/1559:
 #0: 0000000013a34350 (rcu_read_lock){....}, at: debug_show_all_locks+0x5b/0x27a kernel/locking/lockdep.c:4443
1 lock held by in:imklog/7776:
 #0: 00000000ece6dfb9 (&f->f_pos_lock){+.+.}, at: __fdget_pos+0xa7/0xd0 fs/file.c:767
2 locks held by kworker/u4:5/9218:
 #0: 000000007bf642d0 ((wq_completion)"events_unbound"){+.+.}, at: process_one_work+0x6e8/0x15a0 kernel/workqueue.c:2124
 #1: 000000000e5972ce (connector_reaper_work){+.+.}, at: process_one_work+0x71b/0x15a0 kernel/workqueue.c:2128
3 locks held by kworker/u4:6/9857:

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 1559 Comm: khungtaskd Not tainted 4.19.206-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x17c/0x226 lib/dump_stack.c:118
 nmi_cpu_backtrace.cold.0+0x3c/0x78 lib/nmi_backtrace.c:101
 nmi_trigger_cpumask_backtrace+0xf6/0x120 lib/nmi_backtrace.c:62
 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:203 [inline]
 watchdog+0x5c3/0xb40 kernel/hung_task.c:287
 kthread+0x347/0x410 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.19.206-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:debug_smp_processor_id+0x0/0x20 lib/smp_processor_id.c:55
Code: d0 e8 64 8a 44 fe 48 8b 75 d0 e9 c7 fe ff ff 48 89 75 d0 e8 52 8a 44 fe 48 8b 75 d0 e9 93 fe ff ff 66 0f 1f 84 00 00 00 00 00 <55> 48 c7 c6 e0 23 50 88 48 c7 c7 20 24 50 88 48 89 e5 e8 b9 fd ff
RSP: 0018:ffff8880b5a27348 EFLAGS: 00000286
RAX: 0000000000000001 RBX: 0000000000022ac0 RCX: ffff88809a498dc0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8880b5a1ad44
RBP: ffff8880b5a27368 R08: 1ffff11016b435a8 R09: ffff8880b5a274f0
R10: ffffed101746455a R11: ffff8880ba322ad3 R12: ffff8880b5a27530
R13: 0000000000000003 R14: ffff88807d3518f0 R15: ffff88807d351840
FS:  0000000000000000(0000) GS:ffff8880ba300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000970004 CR3: 000000000986d000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 rcu_is_watching+0x10/0x30 kernel/rcu/tree.c:1025
 rcu_read_lock_held+0x87/0xc0 kernel/rcu/update.c:283
 __in6_dev_get include/net/addrconf.h:340 [inline]
 fib6_ignore_linkdown net/ipv6/route.c:655 [inline]
 find_match.part.15+0x285/0x1280 net/ipv6/route.c:673
 find_match net/ipv6/route.c:670 [inline]
 find_rr_leaf net/ipv6/route.c:719 [inline]
 rt6_select net/ipv6/route.c:769 [inline]
 fib6_table_lookup+0x3c1/0xbb0 net/ipv6/route.c:1876
 ip6_pol_route+0x152/0xea0 net/ipv6/route.c:1909
 ip6_pol_route_input+0x4f/0x80 net/ipv6/route.c:1978
 fib6_rule_lookup+0x103/0x480 net/ipv6/fib6_rules.c:118
 ip6_route_input_lookup+0x7e/0x90 net/ipv6/route.c:1990
 ip6_route_input+0x553/0x8c0 net/ipv6/route.c:2125
 ip6_rcv_finish_core.isra.0+0x93/0x3f0 net/ipv6/ip6_input.c:63
 ip6_rcv_finish+0x138/0x280 net/ipv6/ip6_input.c:74
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ipv6_rcv+0xf4/0x320 net/ipv6/ip6_input.c:273
 __netif_receive_skb_one_core+0x112/0x1a0 net/core/dev.c:4954
 __netif_receive_skb+0x1f/0x1b0 net/core/dev.c:5066
 process_backlog+0x220/0x710 net/core/dev.c:5849
 napi_poll net/core/dev.c:6280 [inline]
 net_rx_action+0x454/0xe30 net/core/dev.c:6346
 __do_softirq+0x25f/0x919 kernel/softirq.c:292
 run_ksoftirqd+0x5e/0x100 kernel/softirq.c:653
 smpboot_thread_fn+0x55f/0x8a0 kernel/smpboot.c:164
 kthread+0x347/0x410 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
----------------
Code disassembly (best guess):
   0:	d0 e8                	shr    %al
   2:	64 8a 44 fe 48       	mov    %fs:0x48(%rsi,%rdi,8),%al
   7:	8b 75 d0             	mov    -0x30(%rbp),%esi
   a:	e9 c7 fe ff ff       	jmpq   0xfffffed6
   f:	48 89 75 d0          	mov    %rsi,-0x30(%rbp)
  13:	e8 52 8a 44 fe       	callq  0xfe448a6a
  18:	48 8b 75 d0          	mov    -0x30(%rbp),%rsi
  1c:	e9 93 fe ff ff       	jmpq   0xfffffeb4
  21:	66 0f 1f 84 00 00 00 	nopw   0x0(%rax,%rax,1)
  28:	00 00
* 2a:	55                   	push   %rbp <-- trapping instruction
  2b:	48 c7 c6 e0 23 50 88 	mov    $0xffffffff885023e0,%rsi
  32:	48 c7 c7 20 24 50 88 	mov    $0xffffffff88502420,%rdi
  39:	48 89 e5             	mov    %rsp,%rbp
  3c:	e8                   	.byte 0xe8
  3d:	b9                   	.byte 0xb9
  3e:	fd                   	std
  3f:	ff                   	.byte 0xff