INFO: task syz.7.539:7669 blocked for more than 143 seconds.
      Not tainted 6.6.98-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.7.539       state:D stack:23848 pid:7669  ppid:7355   flags:0x00004006
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5381 [inline]
 __schedule+0x14e2/0x4580 kernel/sched/core.c:6700
 schedule+0xbd/0x170 kernel/sched/core.c:6774
 perf_pending_task_sync kernel/events/core.c:5242 [inline]
 _free_event+0x174/0xf30 kernel/events/core.c:5248
 put_event kernel/events/core.c:5376 [inline]
 perf_event_release_kernel+0x836/0x8c0 kernel/events/core.c:5501
 perf_release+0x3b/0x40 kernel/events/core.c:5511
 __fput+0x234/0x970 fs/file_table.c:384
 task_work_run+0x1ce/0x250 kernel/task_work.c:239
 get_signal+0x1235/0x1400 kernel/signal.c:2678
 arch_do_signal_or_restart+0x96/0x780 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop+0x70/0x110 kernel/entry/common.c:174
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:210
 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
 syscall_exit_to_user_mode+0x1a/0x50 kernel/entry/common.c:302
 do_syscall_64+0x61/0xb0 arch/x86/entry/common.c:87
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7ff04d18e929
RSP: 002b:00007ff04e0a6fe8 EFLAGS: 00000206 ORIG_RAX: 0000000000000038
RAX: fffffffffffffffc RBX: 00007ff04d3b5fa0 RCX: 00007ff04d18e929
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000630c1000
RBP: 00007ff04d210b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000000000 R14: 00007ff04d3b5fa0 R15: 00007ffdd4094028
 </TASK>

Showing all locks held in the system:
1 lock held by pool_workqueue_/3:
2 locks held by kworker/0:0/8:
 #0: ffff888017870938 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff888017870938 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc900000d7d00 (free_ipc_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc900000d7d00 (free_ipc_work){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
3 locks held by kworker/0:1/9:
2 locks held by kworker/1:1/27:
 #0: ffff888017872538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff888017872538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc90000a2fd00 ((work_completion)(&rew->rew_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc90000a2fd00 ((work_completion)(&rew->rew_work)){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
1 lock held by khungtaskd/29:
 #0: ffffffff8cd2fae0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:334 [inline]
 #0: ffffffff8cd2fae0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:786 [inline]
 #0: ffffffff8cd2fae0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x55/0x290 kernel/locking/lockdep.c:6633
2 locks held by kworker/u4:5/140:
 #0: ffff888017871538 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff888017871538 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffffff8cd2fae0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:334 [inline]
 #1: ffffffff8cd2fae0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:786 [inline]
 #1: ffffffff8cd2fae0 (rcu_read_lock){....}-{1:2}, at: do_perf_sw_event kernel/events/core.c:9913 [inline]
 #1: ffffffff8cd2fae0 (rcu_read_lock){....}-{1:2}, at: ___perf_sw_event+0x161/0x6f0 kernel/events/core.c:9951
5 locks held by kworker/u4:10/3493:
 #0: ffff888017873938 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #0: ffff888017873938 ((wq_completion)netns){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #1: ffffc9000c567d00 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
 #1: ffffc9000c567d00 (net_cleanup_work){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
 #2: ffffffff8dfafb50 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0x136/0xb90 net/core/net_namespace.c:606
 #3: ffffffff8dfbc948 (rtnl_mutex){+.+.}-{3:3}, at: ip6gre_exit_batch_net+0xc3/0x490 net/ipv6/ip6_gre.c:1644
 #4: ffffffff8cd35ab8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:324 [inline]
 #4: ffffffff8cd35ab8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x360/0x830 kernel/rcu/tree_exp.h:1004
2 locks held by getty/5556:
 #0: ffff88802da790a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: ffffc9000326e2f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x425/0x1380 drivers/tty/n_tty.c:2217
1 lock held by syz-executor/8326:
4 locks held by syz-executor/8600:
 #0: ffff888064d54e70 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close net/bluetooth/hci_core.c:521 [inline]
 #0: ffff888064d54e70 (&hdev->req_lock){+.+.}-{3:3}, at: hci_unregister_dev+0x212/0x510 net/bluetooth/hci_core.c:2709
 #1: ffff888064d540b8 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_close_sync+0x4c9/0xfb0 net/bluetooth/hci_sync.c:5211
 #2: ffffffff8e129f08 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:1982 [inline]
 #2: ffffffff8e129f08 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0xa1/0x220 net/bluetooth/hci_conn.c:2539
 #3: ffff888054931338 (&conn->lock#2){+.+.}-{3:3}, at: l2cap_conn_del+0x70/0x660 net/bluetooth/l2cap_core.c:1762
1 lock held by syz.4.801/8741:
 #0: ffffffff8cd35ab8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:324 [inline]
 #0: ffffffff8cd35ab8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x360/0x830 kernel/rcu/tree_exp.h:1004
2 locks held by syz.5.824/8820:
 #0: ffffffff8d7db668 (ppp_mutex){+.+.}-{3:3}, at: ppp_ioctl+0xce/0x1980 drivers/net/ppp/ppp_generic.c:738
 #1: ffffffff8dfbc948 (rtnl_mutex){+.+.}-{3:3}, at: ppp_create_interface drivers/net/ppp/ppp_generic.c:3356 [inline]
 #1: ffffffff8dfbc948 (rtnl_mutex){+.+.}-{3:3}, at: ppp_unattached_ioctl drivers/net/ppp/ppp_generic.c:1069 [inline]
 #1: ffffffff8dfbc948 (rtnl_mutex){+.+.}-{3:3}, at: ppp_ioctl+0x698/0x1980 drivers/net/ppp/ppp_generic.c:742

=============================================

NMI backtrace for cpu 1
CPU: 1 PID: 29 Comm: khungtaskd Not tainted 6.6.98-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106
 nmi_cpu_backtrace+0x39b/0x3d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x17a/0x2f0 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:222 [inline]
 watchdog+0xf41/0xf80 kernel/hung_task.c:379
 kthread+0x2fa/0x390 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 8820 Comm: syz.5.824 Not tainted 6.6.98-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:validate_chain kernel/locking/lockdep.c:3836 [inline]
RIP: 0010:__lock_acquire+0x1307/0x7c80 kernel/locking/lockdep.c:5137
Code: 0f 84 a6 4b 00 00 49 c1 e4 20 48 8b 44 24 48 42 0f b6 04 00 84 c0 0f 85 97 59 00 00 4d 09 f4 41 8b 07 89 c1 81 e1 00 80 04 00 <81> f9 00 00 04 00 0f 85 9b 05 00 00 89 c3 81 e3 ff 1f 00 00 c1 e8
RSP: 0018:ffffc900000075e0 EFLAGS: 00000046
RAX: 00000000000a4021 RBX: ffffffff9070fef0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff90da6520
RBP: ffffc90000007828 R08: dffffc0000000000 R09: 1ffffffff21b4ca4
R10: dffffc0000000000 R11: fffffbfff21b4ca5 R12: 58cce5e7c8d5ebdc
R13: ffff88802e655a00 R14: 00000000c8d5ebdc R15: ffff88802e656578
FS:  00007f35dc6ae6c0(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007efeb30e7d60 CR3: 000000005eee6000 CR4: 00000000003506f0
Call Trace:
 <IRQ>
 lock_acquire+0x197/0x410 kernel/locking/lockdep.c:5754
 rcu_lock_acquire include/linux/rcupdate.h:334 [inline]
 rcu_read_lock include/linux/rcupdate.h:786 [inline]
 __perf_event_output kernel/events/core.c:7955 [inline]
 perf_event_output_forward+0xb5/0x3a0 kernel/events/core.c:7978
 __perf_event_overflow+0x447/0x630 kernel/events/core.c:9703
 perf_swevent_hrtimer+0x3bc/0x530 kernel/events/core.c:11173
 __run_hrtimer kernel/time/hrtimer.c:1755 [inline]
 __hrtimer_run_queues+0x4df/0xc40 kernel/time/hrtimer.c:1819
 hrtimer_interrupt+0x3c9/0x9c0 kernel/time/hrtimer.c:1881
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1077 [inline]
 __sysvec_apic_timer_interrupt+0xfb/0x3b0 arch/x86/kernel/apic/apic.c:1094
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline]
 sysvec_apic_timer_interrupt+0x9f/0xc0 arch/x86/kernel/apic/apic.c:1088
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:_compound_head include/linux/page-flags.h:246 [inline]
RIP: 0010:free_tail_page_prepare+0x3d6/0x460 mm/page_alloc.c:1019
Code: 00 48 8b 43 48 a8 01 0f 94 c1 48 ff c8 48 39 c3 0f 94 c0 08 c8 0f 85 67 fe ff ff 43 80 3c 2c 00 74 08 4c 89 f7 e8 7a 33 0b 00 <49> 8b 06 a8 01 75 7a 66 90 48 89 d8 48 39 04 24 0f 84 30 fc ff ff
RSP: 0018:ffffc9000472f308 EFLAGS: 00000246
RAX: ffffea0001dec201 RBX: ffffea0001dec3c0 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: ffffea0001dec3c0 RDI: ffffea0001dec200
RBP: 0000000000000000 R08: ffffea0001dec3b7 R09: 1ffffd40003bd876
R10: dffffc0000000000 R11: fffff940003bd877 R12: 1ffffd40003bd879
R13: dffffc0000000000 R14: ffffea0001dec3c8 R15: ffffffff8ab56d80
 free_pages_prepare mm/page_alloc.c:1131 [inline]
 free_unref_page_prepare+0x49d/0x8e0 mm/page_alloc.c:2336
 free_unref_page+0x32/0x2e0 mm/page_alloc.c:2429
 discard_slab mm/slub.c:2122 [inline]
 __unfreeze_partials+0x1cf/0x210 mm/slub.c:2662
 put_cpu_partial+0x17c/0x250 mm/slub.c:2738
 __slab_free+0x31d/0x410 mm/slub.c:3686
 qlink_free mm/kasan/quarantine.c:166 [inline]
 qlist_free_all+0x75/0xe0 mm/kasan/quarantine.c:185
 kasan_quarantine_reduce+0x143/0x160 mm/kasan/quarantine.c:292
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook+0x6e/0x4d0 mm/slab.h:767
 slab_alloc_node mm/slub.c:3485 [inline]
 slab_alloc mm/slub.c:3493 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3500 [inline]
 kmem_cache_alloc+0x11e/0x2e0 mm/slub.c:3509
 kmem_cache_zalloc include/linux/slab.h:711 [inline]
 __kernfs_new_node+0xd8/0x7e0 fs/kernfs/dir.c:624
 kernfs_new_node+0x14c/0x260 fs/kernfs/dir.c:700
 __kernfs_create_file+0x4b/0x2e0 fs/kernfs/file.c:1050
 sysfs_add_file_mode_ns+0x238/0x300 fs/sysfs/file.c:294
 create_files fs/sysfs/group.c:64 [inline]
 internal_create_group+0x428/0xd00 fs/sysfs/group.c:152
 internal_create_groups fs/sysfs/group.c:192 [inline]
 sysfs_create_groups+0x59/0x120 fs/sysfs/group.c:218
 device_add_groups drivers/base/core.c:2785 [inline]
 device_add_attrs+0x1b2/0x810 drivers/base/core.c:2905
 device_add+0x528/0xc20 drivers/base/core.c:3637
 netdev_register_kobject+0x17a/0x310 net/core/net-sysfs.c:2042
 register_netdevice+0x128f/0x1ae0 net/core/dev.c:10268
 ppp_unit_register drivers/net/ppp/ppp_generic.c:1228 [inline]
 ppp_dev_configure+0x84b/0xad0 drivers/net/ppp/ppp_generic.c:1284
 ppp_create_interface drivers/net/ppp/ppp_generic.c:3358 [inline]
 ppp_unattached_ioctl drivers/net/ppp/ppp_generic.c:1069 [inline]
 ppp_ioctl+0x6a8/0x1980 drivers/net/ppp/ppp_generic.c:742
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:871 [inline]
 __se_sys_ioctl+0xfd/0x170 fs/ioctl.c:857
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f35db78e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f35dc6ae038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f35db9b5fa0 RCX: 00007f35db78e929
RDX: 000000110c230000 RSI: 00000000c004743e RDI: 0000000000000004
RBP: 00007f35db810b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f35db9b5fa0 R15: 00007ffc512293a8
 </TASK>