Extracting prog: 5m2.247642607s
Minimizing prog: 34m34.750410345s
Simplifying prog options: 14m50.656815957s
Extracting C: 5m12.842713135s
Simplifying C: 0s
extracting reproducer from 1 programs
testing a last program of every proc
single: executing 1 programs separately with timeout 6m0s
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$vhost_vsock-openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
openat$vhost_vsock(0xffffffffffffff9c, 0x0, 0x2, 0x0)
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000240), 0x2, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001280)={0x0, {'syz0\x00', 'syz0\x00', 'syz1\x00', &(0x7f0000000280)=""/4096, 0x1000, 0x2, 0x8, 0x0, 0x18c, 0x4}}, 0x120)
program crashed: INFO: task hung in uhid_char_release
single: successfully extracted reproducer
found reproducer with 3 syscalls
minimizing guilty program
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$vhost_vsock-openat$uhid
detailed listing:
executing program 0:
openat$vhost_vsock(0xffffffffffffff9c, 0x0, 0x2, 0x0)
openat$uhid(0xffffffffffffff9c, &(0x7f0000000240), 0x2, 0x0)
program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$vhost_vsock-write$UHID_CREATE
detailed listing:
executing program 0:
openat$vhost_vsock(0xffffffffffffff9c, 0x0, 0x2, 0x0)
write$UHID_CREATE(0xffffffffffffffff, &(0x7f0000001280)={0x0, {'syz0\x00', 'syz0\x00', 'syz1\x00', &(0x7f0000000280)=""/4096, 0x1000, 0x2, 0x8, 0x0, 0x18c, 0x4}}, 0x120)
program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000240), 0x2, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001280)={0x0, {'syz0\x00', 'syz0\x00', 'syz1\x00', &(0x7f0000000280)=""/4096, 0x1000, 0x2, 0x8, 0x0, 0x18c, 0x4}}, 0x120)
program crashed: INFO: task hung in uhid_char_release
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, 0x0, 0x2, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001280)={0x0, {'syz0\x00', 'syz0\x00', 'syz1\x00', &(0x7f0000000280)=""/4096, 0x1000, 0x2, 0x8, 0x0, 0x18c, 0x4}}, 0x120)
program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000240), 0x2, 0x0)
write$UHID_CREATE(r0, 0x0, 0x0)
program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000240), 0x2, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001280)={0x0, {'syz0\x00', 'syz0\x00', 'syz1\x00', 0x0, 0x0, 0x2, 0x8, 0x0, 0x18c, 0x4}}, 0x120)
program did not crash
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
simplifying guilty program options
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000240), 0x2, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001280)={0x0, {'syz0\x00', 'syz0\x00', 'syz1\x00', &(0x7f0000000280)=""/4096, 0x1000, 0x2, 0x8, 0x0, 0x18c, 0x4}}, 0x120)
program crashed: INFO: task hung in uhid_char_release
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000240), 0x2, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001280)={0x0, {'syz0\x00', 'syz0\x00', 'syz1\x00', &(0x7f0000000280)=""/4096, 0x1000, 0x2, 0x8, 0x0, 0x18c, 0x4}}, 0x120)
program did not crash
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000240), 0x2, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001280)={0x0, {'syz0\x00', 'syz0\x00', 'syz1\x00', &(0x7f0000000280)=""/4096, 0x1000, 0x2, 0x8, 0x0, 0x18c, 0x4}}, 0x120)
program crashed: INFO: task hung in uhid_char_release
validation run: crashed=true
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000240), 0x2, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001280)={0x0, {'syz0\x00', 'syz0\x00', 'syz1\x00', &(0x7f0000000280)=""/4096, 0x1000, 0x2, 0x8, 0x0, 0x18c, 0x4}}, 0x120)
program crashed: INFO: task hung in uhid_char_release
validation run: crashed=true
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000240), 0x2, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001280)={0x0, {'syz0\x00', 'syz0\x00', 'syz1\x00', &(0x7f0000000280)=""/4096, 0x1000, 0x2, 0x8, 0x0, 0x18c, 0x4}}, 0x120)
program crashed: INFO: task hung in corrupted
validation run: crashed=true
reproducing took 1h11m5.491843057s
repro crashed as (corrupted=true):
INFO: task syz.0.17:6035 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.17 state:D stack:26664 pid:6035 ppid:5923 flags:0x00004004
Call Trace:
INFO: task syz.2.19:6036 blocked for more than 144 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.19 state:D stack:26664 pid:6036 ppid:5929 flags:0x00004004
Call Trace:
context_switch kernel/sched/core.c:5380 [inline]
__schedule+0x14d2/0x44d0 kernel/sched/core.c:6699
schedule+0xbd/0x170 kernel/sched/core.c:6773
schedule_timeout+0x9b/0x280 kernel/time/timer.c:2143
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common kernel/sched/completion.c:116 [inline]
wait_for_common kernel/sched/completion.c:127 [inline]
wait_for_completion+0x2bd/0x590 kernel/sched/completion.c:148
__flush_work+0x895/0x9f0 kernel/workqueue.c:3430
__cancel_work_timer+0x3b0/0x520 kernel/workqueue.c:3517
uhid_dev_destroy drivers/hid/uhid.c:585 [inline]
uhid_char_release+0xaf/0x600 drivers/hid/uhid.c:663
__fput+0x234/0x970 fs/file_table.c:384
task_work_run+0x1ce/0x250 kernel/task_work.c:239
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xe6/0x110 kernel/entry/common.c:177
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:210
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x1a/0x50 kernel/entry/common.c:302
do_syscall_64+0x61/0xb0 arch/x86/entry/common.c:87
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fe7b3f8ebe9
RSP: 002b:00007fff275abe78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 000000000002daa8 RCX: 00007fe7b3f8ebe9
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000001 R09: 00000002275ac16f
R10: 0000001b2e220000 R11: 0000000000000246 R12: 00007fe7b41c5fac
R13: 00007fe7b41c5fa0 R14: ffffffffffffffff R15: 0000000000000003
INFO: task syz.4.22:6079 blocked for more than 146 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.4.22 state:D stack:26664 pid:6079 ppid:6038 flags:0x00004004
Call Trace:
context_switch kernel/sched/core.c:5380 [inline]
__schedule+0x14d2/0x44d0 kernel/sched/core.c:6699
schedule+0xbd/0x170 kernel/sched/core.c:6773
schedule_timeout+0x9b/0x280 kernel/time/timer.c:2143
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common kernel/sched/completion.c:116 [inline]
wait_for_common kernel/sched/completion.c:127 [inline]
wait_for_completion+0x2bd/0x590 kernel/sched/completion.c:148
__flush_work+0x895/0x9f0 kernel/workqueue.c:3430
__cancel_work_timer+0x3b0/0x520 kernel/workqueue.c:3517
uhid_dev_destroy drivers/hid/uhid.c:585 [inline]
uhid_char_release+0xaf/0x600 drivers/hid/uhid.c:663
__fput+0x234/0x970 fs/file_table.c:384
task_work_run+0x1ce/0x250 kernel/task_work.c:239
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xe6/0x110 kernel/entry/common.c:177
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:210
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x1a/0x50 kernel/entry/common.c:302
do_syscall_64+0x61/0xb0 arch/x86/entry/common.c:87
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fd0acb8ebe9
RSP: 002b:00007fffa360bc88 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 000000000003198c RCX: 00007fd0acb8ebe9
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000001 R09: 00000002a360bf7f
R10: 0000001b2d520000 R11: 0000000000000246 R12: 00007fd0acdc5fac
R13: 00007fd0acdc5fa0 R14: ffffffffffffffff R15: 0000000000000003
Showing all locks held in the system:
3 locks held by kworker/0:0/8:
3 locks held by kworker/1:0/23:
2 locks held by kworker/1:1/27:
1 lock held by khungtaskd/29:
#0: ffffffff8cd2fc20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:334 [inline]
#0: ffffffff8cd2fc20 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:786 [inline]
#0: ffffffff8cd2fc20 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x55/0x290 kernel/locking/lockdep.c:6633
5 locks held by kworker/u4:5/138:
#0: ffff888017873938 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
#0: ffff888017873938 ((wq_completion)netns){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
#1: ffffc90002db7d00 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
#1: ffffc90002db7d00 (net_cleanup_work){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
#2: ffffffff8dfaf650 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0x136/0xb90 net/core/net_namespace.c:606
#3: ffff88807a8d5250 (&devlink->lock_key#12){+.+.}-{3:3}, at: devl_lock net/devlink/core.c:60 [inline]
#3: ffff88807a8d5250 (&devlink->lock_key#12){+.+.}-{3:3}, at: devlink_pernet_pre_exit+0xe1/0x340 net/devlink/core.c:285
#4: ffffffff8dfbc488 (rtnl_mutex){+.+.}-{3:3}, at: nsim_init_netdevsim drivers/net/netdevsim/netdev.c:335 [inline]
#4: ffffffff8dfbc488 (rtnl_mutex){+.+.}-{3:3}, at: nsim_create+0x384/0x4a0 drivers/net/netdevsim/netdev.c:401
3 locks held by kworker/1:2/787:
3 locks held by kworker/u4:6/1134:
#0: ffff888017871538 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
#0: ffff888017871538 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
#1: ffff8880b8f289c0 (psi_seq){-.-.}-{0:0}, at: psi_sched_switch kernel/sched/stats.h:189 [inline]
#1: ffff8880b8f289c0 (psi_seq){-.-.}-{0:0}, at: __schedule+0x20ee/0x44d0 kernel/sched/core.c:6694
#2:
ffff88807d190768
(
&rdev->wiphy.mtx
){+.+.}-{3:3}
, at: rcu_lock_acquire include/linux/rcupdate.h:334 [inline]
, at: rcu_read_lock include/linux/rcupdate.h:786 [inline]
, at: batadv_nc_purge_orig_hash net/batman-adv/network-coding.c:408 [inline]
, at: batadv_nc_worker+0xd2/0x610 net/batman-adv/network-coding.c:719
2 locks held by dhcpcd/5450:
#0: ffffffff8dfa1648 (vlan_ioctl_mutex){+.+.}-{3:3}, at: sock_ioctl+0x505/0x7a0 net/socket.c:1303
#1: ffffffff8dfbc488 (rtnl_mutex){+.+.}-{3:3}, at: vlan_ioctl_handler+0xd1/0x650 net/8021q/vlan.c:578
2 locks held by getty/5554:
#0: ffff888030b790a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
#1: ffffc9000327b2f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x425/0x1380 drivers/tty/n_tty.c:2217
3 locks held by kworker/0:4/5924:
7 locks held by kworker/0:5/6006:
3 locks held by kworker/0:6/6020:
3 locks held by syz.0.17/6035:
#0: ffff88807d38ce70 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close net/bluetooth/hci_core.c:521 [inline]
#0: ffff88807d38ce70 (&hdev->req_lock){+.+.}-{3:3}, at: hci_unregister_dev+0x212/0x510 net/bluetooth/hci_core.c:2709
#1: ffff88807d38c0b8 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_close_sync+0x4c9/0xfb0 net/bluetooth/hci_sync.c:5259
#2: ffffffff8cd35bf8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:324 [inline]
#2: ffffffff8cd35bf8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x360/0x830 kernel/rcu/tree_exp.h:1004
3 locks held by kworker/1:7/6130:
3 locks held by kworker/u4:9/6288:
#0: ffff888017871538 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
#0: ffff888017871538 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
#1: ffffc90004d2fd00 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:2609 [inline]
#1: ffffc90004d2fd00 ((linkwatch_work).work){+.+.}-{0:0}, at: process_scheduled_works+0x957/0x15b0 kernel/workqueue.c:2711
#2: ffffffff8dfbc488 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:286
4 locks held by syz-executor/6290:
#0: ffff888030f26418 (sb_writers#8){.+.+}-{0:0}, at: vfs_write+0x20e/0x940 fs/read_write.c:580
#1: ffff88805d161c88 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x1e9/0x4d0 fs/kernfs/file.c:325
#2:
ffff888142377ca0
report is corrupted, running repro again
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000240), 0x2, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001280)={0x0, {'syz0\x00', 'syz0\x00', 'syz1\x00', &(0x7f0000000280)=""/4096, 0x1000, 0x2, 0x8, 0x0, 0x18c, 0x4}}, 0x120)
program crashed: INFO: task hung in corrupted
report is corrupted, running repro again
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000240), 0x2, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001280)={0x0, {'syz0\x00', 'syz0\x00', 'syz1\x00', &(0x7f0000000280)=""/4096, 0x1000, 0x2, 0x8, 0x0, 0x18c, 0x4}}, 0x120)
program crashed: INFO: task hung in uhid_char_release
final repro crashed as (corrupted=false):
INFO: task syz.2.19:6018 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.19 state:D stack:26664 pid:6018 ppid:5910 flags:0x00004004
Call Trace:
context_switch kernel/sched/core.c:5380 [inline]
__schedule+0x14d2/0x44d0 kernel/sched/core.c:6699
schedule+0xbd/0x170 kernel/sched/core.c:6773
schedule_timeout+0x9b/0x280 kernel/time/timer.c:2143
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common kernel/sched/completion.c:116 [inline]
wait_for_common kernel/sched/completion.c:127 [inline]
wait_for_completion+0x2bd/0x590 kernel/sched/completion.c:148
__flush_work+0x895/0x9f0 kernel/workqueue.c:3430
__cancel_work_timer+0x3b0/0x520 kernel/workqueue.c:3517
uhid_dev_destroy drivers/hid/uhid.c:585 [inline]
uhid_char_release+0xaf/0x600 drivers/hid/uhid.c:663
__fput+0x234/0x970 fs/file_table.c:384
task_work_run+0x1ce/0x250 kernel/task_work.c:239
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xe6/0x110 kernel/entry/common.c:177
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:210
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x1a/0x50 kernel/entry/common.c:302
do_syscall_64+0x61/0xb0 arch/x86/entry/common.c:87
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fe04df8ebe9
RSP: 002b:00007ffda176d1d8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 000000000001ba82 RCX: 00007fe04df8ebe9
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000001 R09: 00000002a176d4cf
R10: 0000001b2d120000 R11: 0000000000000246 R12: 00007fe04e1c5fac
R13: 00007fe04e1c5fa0 R14: ffffffffffffffff R15: 0000000000000003
INFO: task syz.0.17:6020 blocked for more than 146 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.17 state:D stack:26664 pid:6020 ppid:5908 flags:0x00004004
Call Trace:
context_switch kernel/sched/core.c:5380 [inline]
__schedule+0x14d2/0x44d0 kernel/sched/core.c:6699
schedule+0xbd/0x170 kernel/sched/core.c:6773
schedule_timeout+0x9b/0x280 kernel/time/timer.c:2143
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common kernel/sched/completion.c:116 [inline]
wait_for_common kernel/sched/completion.c:127 [inline]
wait_for_completion+0x2bd/0x590 kernel/sched/completion.c:148
__flush_work+0x895/0x9f0 kernel/workqueue.c:3430
__cancel_work_timer+0x3b0/0x520 kernel/workqueue.c:3517
uhid_dev_destroy drivers/hid/uhid.c:585 [inline]
uhid_char_release+0xaf/0x600 drivers/hid/uhid.c:663
__fput+0x234/0x970 fs/file_table.c:384
task_work_run+0x1ce/0x250 kernel/task_work.c:239
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xe6/0x110 kernel/entry/common.c:177
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:210
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x1a/0x50 kernel/entry/common.c:302
do_syscall_64+0x61/0xb0 arch/x86/entry/common.c:87
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fd7b7f8ebe9
RSP: 002b:00007ffff2ece038 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 000000000001bd19 RCX: 00007fd7b7f8ebe9
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000001 R09: 00000002f2ece32f
R10: 0000001b2cf20000 R11: 0000000000000246 R12: 00007fd7b81c5fac
R13: 00007fd7b81c5fa0 R14: ffffffffffffffff R15: 0000000000000003
Showing all locks held in the system:
3 locks held by kworker/0:0/8:
1 lock held by khungtaskd/29:
#0: ffffffff8cd2fc20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:334 [inline]
#0: ffffffff8cd2fc20 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:786 [inline]
#0: ffffffff8cd2fc20 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x55/0x290 kernel/locking/lockdep.c:6633
3 locks held by kworker/u4:3/48:
2 locks held by kworker/1:2/54:
#0:
ffff888017872538
(