Extracting prog: 43m54.171590832s Minimizing prog: 44m44.720138849s Simplifying prog options: 0s Extracting C: 3m12.889230036s Simplifying C: 27m21.740901806s extracting reproducer from 40 programs testing a last program of every proc single: executing 10 programs separately with timeout 6m0s testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_tcp-syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$nbd-sendmsg$NBD_CMD_CONNECT-ioctl$sock_SIOCETHTOOL-mount detailed listing: executing program 0: r0 = socket$inet6_tcp(0xa, 0x1, 0x0) r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$nbd(&(0x7f00000001c0), r1) sendmsg$NBD_CMD_CONNECT(r1, &(0x7f0000001ac0)={0x0, 0x0, &(0x7f0000001a80)={&(0x7f0000000080)={0x18, r2, 0x1, 0xfffdffff, 0x0, {}, [@NBD_ATTR_SOCKETS={0x4}]}, 0x18}, 0x1, 0x0, 0x0, 0x8040}, 0x20000000) ioctl$sock_SIOCETHTOOL(r0, 0x8946, &(0x7f0000003240)={'team0\x00', &(0x7f0000003140)=@ethtool_drvinfo={0x3, "fa9cd0d96c074be21052dc8a9e0c4d4c37f5c0271645d7e5a535deb3fbd67ec7", "515d7031cf62448eb1fe6c3124396aff19b1f046f9d8e0bff9f2553410dc4a55", "b9fc3b6f5dbfa8a99fba576249ba5167497168ec15fd173f441fc99afb13cdcd", "8e0dcd93712f205f96c5f37abccf7b6bdb0f22576f47e85b3292bd36dc31110d", "92792ebbf1035c779584ca00005e87a9b526cc2c4ce17681bd5ac64fb5ad8d77", "bab2521a547857bba3f9e2f6", 0x1, 0xfff, 0x9, 0x4, 0x3}}) mount(&(0x7f0000000000)=@rnullb, &(0x7f0000000080)='./cgroup\x00', &(0x7f0000000040)='hpfs\x00', 0x0, 0x0) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$rnullb-openat$btrfs_control-mmap-socket$key-syz_usb_connect-socketpair$unix-openat$cgroup_ro-write$cgroup_subtree-socket$netlink-syz_genetlink_get_family_id$team-ioctl$ifreq_SIOCGIFINDEX_team-sendmsg$TEAM_CMD_OPTIONS_SET-mmap-getsockopt$sock_buf-sendfile detailed listing: executing program 0: r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x141342, 0x0) r1 = openat$btrfs_control(0xffffffffffffff9c, &(0x7f0000000000), 0x121080, 0x0) mmap(&(0x7f0000a58000/0xd000)=nil, 0xd000, 0x2, 0x10010, r1, 0x0) r2 = socket$key(0xf, 0x3, 0x2) syz_usb_connect(0x5, 0x24, &(0x7f0000000080)={{0x12, 0x1, 0x0, 0x50, 0x1a, 0x29, 0x20, 0x17cc, 0x1000, 0xc561, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x12, 0x1, 0x0, 0x0, 0x10, 0x0, [{{0x9, 0x4, 0x94, 0x2, 0x0, 0x91, 0x85, 0x8d}}]}}]}}, 0x0) socketpair$unix(0x1, 0x3, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='memory.events\x00', 0x275a, 0x0) write$cgroup_subtree(r4, &(0x7f0000000100)=ANY=[], 0x32600) r5 = socket$netlink(0x10, 0x3, 0x10) r6 = syz_genetlink_get_family_id$team(&(0x7f00000000c0), 0xffffffffffffffff) ioctl$ifreq_SIOCGIFINDEX_team(r5, 0x8933, &(0x7f0000000240)={'team0\x00', 0x0}) sendmsg$TEAM_CMD_OPTIONS_SET(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000500)={&(0x7f0000000840)=ANY=[@ANYBLOB='X\x00\x00\x00', @ANYRES16=r6, @ANYBLOB="01002abd7000fcdbdf250100000008000100", @ANYRES32=r7, @ANYBLOB="3c00028038000100240001"], 0x58}, 0x1, 0x0, 0x0, 0x24004000}, 0x24040840) mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x2000001, 0x12, r4, 0x0) getsockopt$sock_buf(r3, 0x1, 0x1f, 0x0, &(0x7f0000000340)) sendfile(r2, r0, &(0x7f0000001000)=0x81, 0x800007ffff000) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$netlbl_unlabel-sendmsg$NLBL_UNLABEL_C_STATICADD-sendmsg$RDMA_NLDEV_CMD_NEWLINK-mount detailed listing: executing program 0: r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f00000002c0), r0) sendmsg$NLBL_UNLABEL_C_STATICADD(r0, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000040)={0x28, r1, 0x201, 0x70bd26, 0xfffffffe, {0x3, 0x0, 0x26}, [@NLBL_UNLABEL_A_IPV6ADDR={0x14, 0x7, @ipv4={'\x00', '\xff\xff', @loopback}}]}, 0x28}, 0x8, 0x3000000000002}, 0x844) sendmsg$RDMA_NLDEV_CMD_NEWLINK(0xffffffffffffffff, &(0x7f0000000180)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x10, 0x1403, 0x0, 0x70bd2d, 0x25dfdbfc}, 0x10}, 0x1, 0x0, 0x0, 0x10000000}, 0x1) mount(&(0x7f0000000000)=@rnullb, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000240)='vxfs\x00', 0x20080c4, 0x0) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_init_net_socket$nl_generic-syz_genetlink_get_family_id$netlbl_unlabel-sendmsg$NLBL_UNLABEL_C_STATICADD-sendmsg$RDMA_NLDEV_CMD_NEWLINK-mount detailed listing: executing program 0: r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r1 = syz_genetlink_get_family_id$netlbl_unlabel(&(0x7f00000002c0), r0) sendmsg$NLBL_UNLABEL_C_STATICADD(r0, &(0x7f0000000200)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000040)={0x28, r1, 0x201, 0x70bd26, 0xfffffffe, {0x3, 0x0, 0x26}, [@NLBL_UNLABEL_A_IPV6ADDR={0x14, 0x7, @ipv4={'\x00', '\xff\xff', @loopback}}]}, 0x28}, 0x8, 0x3000000000002}, 0x844) sendmsg$RDMA_NLDEV_CMD_NEWLINK(0xffffffffffffffff, &(0x7f0000000180)={&(0x7f0000000080)={0x10, 0x0, 0x0, 0x20000}, 0xc, &(0x7f0000000140)={&(0x7f00000000c0)={0x10, 0x1403, 0x0, 0x70bd2d, 0x25dfdbfc}, 0x10}, 0x1, 0x0, 0x0, 0x10000000}, 0x1) mount(&(0x7f0000000000)=@rnullb, &(0x7f0000000040)='./cgroup\x00', &(0x7f0000000240)='vxfs\x00', 0x20080c4, 0x0) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key$keyring-openat$rnullb-fadvise64-socket$inet_sctp-socket$inet6-ioctl$SIOCGSTAMP-sendmmsg$inet6-recvfrom$inet6-ioctl$SIOCGSTAMP-socket$nl_generic-fsconfig$FSCONFIG_SET_BINARY-syz_genetlink_get_family_id$ethtool-sendmsg$ETHTOOL_MSG_DEBUG_SET-setsockopt$inet_sctp_SCTP_RECVNXTINFO-getsockopt$inet_sctp_SCTP_RECVNXTINFO-mmap detailed listing: executing program 0: add_key$keyring(&(0x7f0000000540), &(0x7f0000000180)={'syz', 0x2}, 0x0, 0x0, 0xffffffffffffffff) r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000000000), 0x8900, 0x0) fadvise64(r0, 0xc62a, 0x6, 0x2) r1 = socket$inet_sctp(0x2, 0x1, 0x84) r2 = socket$inet6(0xa, 0x3, 0x8) ioctl$SIOCGSTAMP(r2, 0x8906, 0x0) (async) sendmmsg$inet6(r2, &(0x7f0000004580)=[{{&(0x7f0000000080)={0xa, 0x0, 0x0, @mcast2}, 0x1c, 0x0, 0x0, &(0x7f0000000000)=ANY=[@ANYBLOB='$'], 0x28}}], 0x1, 0x0) (async) recvfrom$inet6(r2, 0x0, 0x0, 0x10000, 0x0, 0x0) (async) ioctl$SIOCGSTAMP(r2, 0x8906, &(0x7f0000000040)) r3 = socket$nl_generic(0x10, 0x3, 0x10) (async) fsconfig$FSCONFIG_SET_BINARY(0xffffffffffffffff, 0x2, &(0x7f0000000040)='./binderfs/binder0\x00', 0x0, 0x0) r4 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000080), r3) sendmsg$ETHTOOL_MSG_DEBUG_SET(r3, &(0x7f0000001540)={0x0, 0x0, &(0x7f0000001500)={&(0x7f0000000000)=ANY=[@ANYBLOB='D\x00\x00\x00', @ANYRES16=r4, @ANYBLOB="0100000000000000000008000000180001801400020073797a5f74756e00000000000000000018000280080002002000000004000100080004"], 0x44}, 0x1, 0x0, 0x0, 0x10}, 0x8090) setsockopt$inet_sctp_SCTP_RECVNXTINFO(r1, 0x84, 0x21, &(0x7f00000000c0)=0x2, 0x4) (async) getsockopt$inet_sctp_SCTP_RECVNXTINFO(r1, 0x84, 0x21, &(0x7f0000000040), &(0x7f0000000080)=0x4) (async) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x300000a, 0x22052, r0, 0x93771000) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): add_key$keyring-openat$rnullb-fadvise64-socket$inet_sctp-socket$inet6-ioctl$SIOCGSTAMP-sendmmsg$inet6-recvfrom$inet6-ioctl$SIOCGSTAMP-socket$nl_generic-fsconfig$FSCONFIG_SET_BINARY-syz_genetlink_get_family_id$ethtool-sendmsg$ETHTOOL_MSG_DEBUG_SET-setsockopt$inet_sctp_SCTP_RECVNXTINFO-getsockopt$inet_sctp_SCTP_RECVNXTINFO-mmap detailed listing: executing program 0: add_key$keyring(&(0x7f0000000540), &(0x7f0000000180)={'syz', 0x2}, 0x0, 0x0, 0xffffffffffffffff) r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000000000), 0x8900, 0x0) fadvise64(r0, 0xc62a, 0x6, 0x2) r1 = socket$inet_sctp(0x2, 0x1, 0x84) r2 = socket$inet6(0xa, 0x3, 0x8) ioctl$SIOCGSTAMP(r2, 0x8906, 0x0) (async) sendmmsg$inet6(r2, &(0x7f0000004580)=[{{&(0x7f0000000080)={0xa, 0x0, 0x0, @mcast2}, 0x1c, 0x0, 0x0, &(0x7f0000000000)=ANY=[@ANYBLOB='$'], 0x28}}], 0x1, 0x0) (async) recvfrom$inet6(r2, 0x0, 0x0, 0x10000, 0x0, 0x0) (async) ioctl$SIOCGSTAMP(r2, 0x8906, &(0x7f0000000040)) r3 = socket$nl_generic(0x10, 0x3, 0x10) (async) fsconfig$FSCONFIG_SET_BINARY(0xffffffffffffffff, 0x2, &(0x7f0000000040)='./binderfs/binder0\x00', 0x0, 0x0) r4 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000080), r3) sendmsg$ETHTOOL_MSG_DEBUG_SET(r3, &(0x7f0000001540)={0x0, 0x0, &(0x7f0000001500)={&(0x7f0000000000)=ANY=[@ANYBLOB='D\x00\x00\x00', @ANYRES16=r4, @ANYBLOB="0100000000000000000008000000180001801400020073797a5f74756e00000000000000000018000280080002002000000004000100080004"], 0x44}, 0x1, 0x0, 0x0, 0x10}, 0x8090) setsockopt$inet_sctp_SCTP_RECVNXTINFO(r1, 0x84, 0x21, &(0x7f00000000c0)=0x2, 0x4) (async) getsockopt$inet_sctp_SCTP_RECVNXTINFO(r1, 0x84, 0x21, &(0x7f0000000040), &(0x7f0000000080)=0x4) (async) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x300000a, 0x22052, r0, 0x93771000) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$rnullb-mmap-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-mremap-ioctl$UFFDIO_CONTINUE-madvise-mlock-mprotect detailed listing: executing program 0: r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x60a00, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3000001, 0x20011, r0, 0xf648a000) (async) madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x1) r1 = userfaultfd(0x801) ioctl$UFFDIO_API(r1, 0xc018aa3f, &(0x7f00000000c0)={0xaa, 0x4}) (async) ioctl$UFFDIO_REGISTER(r1, 0xc020aa00, &(0x7f0000000000)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}, 0x1}) (async, rerun: 32) mremap(&(0x7f0000d59000/0x1000)=nil, 0x1000, 0x1000, 0x7, &(0x7f0000a91000/0x1000)=nil) (async, rerun: 32) ioctl$UFFDIO_CONTINUE(r1, 0xc020aa08, 0x0) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe) (async) mlock(&(0x7f0000000000/0x800000)=nil, 0x800000) (async) mprotect(&(0x7f000093e000/0x2000)=nil, 0x2000, 0x3) program crashed: INFO: task hung in exit_mm single: successfully extracted reproducer found reproducer with 11 syscalls minimizing guilty program testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$rnullb-mmap-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-mremap-ioctl$UFFDIO_CONTINUE-madvise-mlock detailed listing: executing program 0: r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x60a00, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3000001, 0x20011, r0, 0xf648a000) (async) madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x1) r1 = userfaultfd(0x801) ioctl$UFFDIO_API(r1, 0xc018aa3f, &(0x7f00000000c0)={0xaa, 0x4}) (async) ioctl$UFFDIO_REGISTER(r1, 0xc020aa00, &(0x7f0000000000)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}, 0x1}) (async, rerun: 32) mremap(&(0x7f0000d59000/0x1000)=nil, 0x1000, 0x1000, 0x7, &(0x7f0000a91000/0x1000)=nil) (async, rerun: 32) ioctl$UFFDIO_CONTINUE(r1, 0xc020aa08, 0x0) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe) (async) mlock(&(0x7f0000000000/0x800000)=nil, 0x800000) (async) program crashed: INFO: task hung in exit_mm testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$rnullb-mmap-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-mremap-ioctl$UFFDIO_CONTINUE-madvise detailed listing: executing program 0: r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x60a00, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3000001, 0x20011, r0, 0xf648a000) (async) madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x1) r1 = userfaultfd(0x801) ioctl$UFFDIO_API(r1, 0xc018aa3f, &(0x7f00000000c0)={0xaa, 0x4}) (async) ioctl$UFFDIO_REGISTER(r1, 0xc020aa00, &(0x7f0000000000)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}, 0x1}) (async, rerun: 32) mremap(&(0x7f0000d59000/0x1000)=nil, 0x1000, 0x1000, 0x7, &(0x7f0000a91000/0x1000)=nil) (async, rerun: 32) ioctl$UFFDIO_CONTINUE(r1, 0xc020aa08, 0x0) madvise(&(0x7f0000000000/0x800000)=nil, 0x800000, 0xe) (async) program crashed: INFO: task hung in userfaultfd_release_all testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$rnullb-mmap-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-mremap-ioctl$UFFDIO_CONTINUE detailed listing: executing program 0: r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x60a00, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3000001, 0x20011, r0, 0xf648a000) (async) madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x1) r1 = userfaultfd(0x801) ioctl$UFFDIO_API(r1, 0xc018aa3f, &(0x7f00000000c0)={0xaa, 0x4}) (async) ioctl$UFFDIO_REGISTER(r1, 0xc020aa00, &(0x7f0000000000)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}, 0x1}) (async, rerun: 32) mremap(&(0x7f0000d59000/0x1000)=nil, 0x1000, 0x1000, 0x7, &(0x7f0000a91000/0x1000)=nil) (async, rerun: 32) ioctl$UFFDIO_CONTINUE(r1, 0xc020aa08, 0x0) program crashed: INFO: task hung in userfaultfd_release_all testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$rnullb-mmap-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER-mremap detailed listing: executing program 0: r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x60a00, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3000001, 0x20011, r0, 0xf648a000) (async) madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x1) r1 = userfaultfd(0x801) ioctl$UFFDIO_API(r1, 0xc018aa3f, &(0x7f00000000c0)={0xaa, 0x4}) (async) ioctl$UFFDIO_REGISTER(r1, 0xc020aa00, &(0x7f0000000000)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}, 0x1}) (async, rerun: 32) mremap(&(0x7f0000d59000/0x1000)=nil, 0x1000, 0x1000, 0x7, &(0x7f0000a91000/0x1000)=nil) (async, rerun: 32) program crashed: INFO: task hung in userfaultfd_release_all testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$rnullb-mmap-madvise-userfaultfd-ioctl$UFFDIO_API-ioctl$UFFDIO_REGISTER detailed listing: executing program 0: r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x60a00, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3000001, 0x20011, r0, 0xf648a000) (async) madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x1) r1 = userfaultfd(0x801) ioctl$UFFDIO_API(r1, 0xc018aa3f, &(0x7f00000000c0)={0xaa, 0x4}) (async) ioctl$UFFDIO_REGISTER(r1, 0xc020aa00, &(0x7f0000000000)={{&(0x7f0000400000/0xc00000)=nil, 0xc00000}, 0x1}) (async, rerun: 32) program did not crash testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$rnullb-mmap-madvise-userfaultfd-ioctl$UFFDIO_API-mremap detailed listing: executing program 0: r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x60a00, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3000001, 0x20011, r0, 0xf648a000) (async) madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x1) r1 = userfaultfd(0x801) ioctl$UFFDIO_API(r1, 0xc018aa3f, &(0x7f00000000c0)={0xaa, 0x4}) (async) mremap(&(0x7f0000d59000/0x1000)=nil, 0x1000, 0x1000, 0x7, &(0x7f0000a91000/0x1000)=nil) (async, rerun: 32) program crashed: INFO: task hung in exit_mm testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$rnullb-mmap-madvise-userfaultfd-mremap detailed listing: executing program 0: r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x60a00, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3000001, 0x20011, r0, 0xf648a000) (async) madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x1) userfaultfd(0x801) mremap(&(0x7f0000d59000/0x1000)=nil, 0x1000, 0x1000, 0x7, &(0x7f0000a91000/0x1000)=nil) (async, rerun: 32) program crashed: INFO: task hung in userfaultfd_release_all testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$rnullb-mmap-madvise-mremap detailed listing: executing program 0: r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x60a00, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3000001, 0x20011, r0, 0xf648a000) (async) madvise(&(0x7f0000000000/0xc00000)=nil, 0xc00000, 0x1) mremap(&(0x7f0000d59000/0x1000)=nil, 0x1000, 0x1000, 0x7, &(0x7f0000a91000/0x1000)=nil) (async, rerun: 32) program crashed: INFO: task hung in exit_mm testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$rnullb-mmap-mremap detailed listing: executing program 0: r0 = openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x60a00, 0x0) mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3000001, 0x20011, r0, 0xf648a000) (async) mremap(&(0x7f0000d59000/0x1000)=nil, 0x1000, 0x1000, 0x7, &(0x7f0000a91000/0x1000)=nil) (async, rerun: 32) program crashed: INFO: task hung in exit_mm testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$rnullb-mremap detailed listing: executing program 0: openat$rnullb(0xffffffffffffff9c, &(0x7f0000001140), 0x60a00, 0x0) mremap(&(0x7f0000d59000/0x1000)=nil, 0x1000, 0x1000, 0x7, &(0x7f0000a91000/0x1000)=nil) (async, rerun: 32) program crashed: INFO: task hung in exit_mm testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mremap detailed listing: executing program 0: mremap(&(0x7f0000d59000/0x1000)=nil, 0x1000, 0x1000, 0x7, &(0x7f0000a91000/0x1000)=nil) (async, rerun: 32) program crashed: INFO: task hung in exit_mm testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mremap detailed listing: executing program 0: mremap(&(0x7f0000d59000/0x1000)=nil, 0x1000, 0x1000, 0x7, &(0x7f0000a91000/0x1000)=nil) program crashed: INFO: task hung in exit_mm extracting C reproducer testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mremap program crashed: INFO: task hung in exit_mm simplifying C reproducer testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mremap program crashed: no output from test machine a never seen crash title: no output from test machine, ignore testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mremap program crashed: INFO: task hung in exit_mm testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mremap program crashed: INFO: task hung in exit_mm testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mremap program crashed: INFO: task hung in exit_mm testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mremap program crashed: INFO: task hung in exit_mm testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mremap program crashed: INFO: task hung in exit_mm testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mremap program crashed: INFO: task hung in exit_mm testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mremap detailed listing: executing program 0: mremap(&(0x7f0000d59000/0x1000)=nil, 0x1000, 0x1000, 0x7, &(0x7f0000a91000/0x1000)=nil) program crashed: INFO: task hung in exit_mm validation run: crashed=true testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mremap detailed listing: executing program 0: mremap(&(0x7f0000d59000/0x1000)=nil, 0x1000, 0x1000, 0x7, &(0x7f0000a91000/0x1000)=nil) program crashed: INFO: task hung in exit_mm validation run: crashed=true testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): mremap detailed listing: executing program 0: mremap(&(0x7f0000d59000/0x1000)=nil, 0x1000, 0x1000, 0x7, &(0x7f0000a91000/0x1000)=nil) program crashed: INFO: task hung in exit_mm validation run: crashed=true reproducing took 2h8m56.322581879s repro crashed as (corrupted=false): INFO: task syz.0.16:6018 blocked for more than 143 seconds. Not tainted 6.16.0-rc6-next-20250718-syzkaller #0 Blocked by coredump. "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz.0.16 state:D stack:26920 pid:6018 tgid:6018 ppid:5972 task_flags:0x40004c flags:0x00004000 Call Trace: context_switch kernel/sched/core.c:5351 [inline] __schedule+0x1737/0x4d30 kernel/sched/core.c:6954 __schedule_loop kernel/sched/core.c:7036 [inline] schedule+0x165/0x360 kernel/sched/core.c:7051 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7108 rwsem_down_read_slowpath+0x5fd/0x8f0 kernel/locking/rwsem.c:1088 __down_read_common kernel/locking/rwsem.c:1263 [inline] __down_read kernel/locking/rwsem.c:1276 [inline] down_read+0x98/0x2e0 kernel/locking/rwsem.c:1541 mmap_read_lock include/linux/mmap_lock.h:412 [inline] exit_mm+0xcc/0x2c0 kernel/exit.c:557 do_exit+0x648/0x2300 kernel/exit.c:947 do_group_exit+0x21c/0x2d0 kernel/exit.c:1100 __do_sys_exit_group kernel/exit.c:1111 [inline] __se_sys_exit_group kernel/exit.c:1109 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1109 x64_sys_call+0x21f7/0x2200 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fc793b8e9a9 RSP: 002b:00007ffd9c592508 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc793b8e9a9 RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000003 R08: 000000019c5925ff R09: 00007fc793d80260 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fc793d80260 R14: 0000000000000003 R15: 00007ffd9c5925c0 Showing all locks held in the system: 1 lock held by khungtaskd/31: #0: ffffffff8e53d8a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline] #0: ffffffff8e53d8a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline] #0: ffffffff8e53d8a0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6770 2 locks held by getty/5610: #0: ffff8880303bc0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243 #1: ffffc900036cb2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x43e/0x1400 drivers/tty/n_tty.c:2222 1 lock held by syz.0.16/6018: #0: ffff88807b8101e0 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:412 [inline] #0: ffff88807b8101e0 (&mm->mmap_lock){++++}-{4:4}, at: exit_mm+0xcc/0x2c0 kernel/exit.c:557 1 lock held by syz.0.16/6019: 1 lock held by syz.1.17/6042: #0: ffff88807b8162a0 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:412 [inline] #0: ffff88807b8162a0 (&mm->mmap_lock){++++}-{4:4}, at: exit_mm+0xcc/0x2c0 kernel/exit.c:557 1 lock held by syz.1.17/6043: 1 lock held by syz.2.18/6071: #0: ffff8880334837a0 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:412 [inline] #0: ffff8880334837a0 (&mm->mmap_lock){++++}-{4:4}, at: exit_mm+0xcc/0x2c0 kernel/exit.c:557 1 lock held by syz.2.18/6072: 1 lock held by syz.3.19/6094: #0: ffff8880291face0 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:412 [inline] #0: ffff8880291face0 (&mm->mmap_lock){++++}-{4:4}, at: exit_mm+0xcc/0x2c0 kernel/exit.c:557 1 lock held by syz.3.19/6095: 1 lock held by syz.4.20/6123: #0: ffff8880326c01e0 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:412 [inline] #0: ffff8880326c01e0 (&mm->mmap_lock){++++}-{4:4}, at: exit_mm+0xcc/0x2c0 kernel/exit.c:557 1 lock held by syz.4.20/6124: 1 lock held by syz.5.21/6159: #0: ffff8880223a2220 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:412 [inline] #0: ffff8880223a2220 (&mm->mmap_lock){++++}-{4:4}, at: exit_mm+0xcc/0x2c0 kernel/exit.c:557 1 lock held by syz.5.21/6160: 1 lock held by syz.6.22/6189: #0: ffff88807b814d20 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:412 [inline] #0: ffff88807b814d20 (&mm->mmap_lock){++++}-{4:4}, at: exit_mm+0xcc/0x2c0 kernel/exit.c:557 1 lock held by syz.6.22/6190: 1 lock held by syz.7.23/6219: #0: ffff888033482220 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:412 [inline] #0: ffff888033482220 (&mm->mmap_lock){++++}-{4:4}, at: exit_mm+0xcc/0x2c0 kernel/exit.c:557 1 lock held by syz.7.23/6220: ============================================= NMI backtrace for cpu 0 CPU: 0 UID: 0 PID: 31 Comm: khungtaskd Not tainted 6.16.0-rc6-next-20250718-syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 nmi_cpu_backtrace+0x39e/0x3d0 lib/nmi_backtrace.c:113 nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:328 [inline] watchdog+0xf93/0xfe0 kernel/hung_task.c:491 kthread+0x70e/0x8a0 kernel/kthread.c:463 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 UID: 0 PID: 36 Comm: kworker/u8:2 Not tainted 6.16.0-rc6-next-20250718-syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 Workqueue: events_unbound toggle_allocation_gate RIP: 0010:check_preemption_disabled+0x1/0x120 lib/smp_processor_id.c:13 Code: a0 d3 04 8c 48 c7 c6 e0 d3 04 8c eb 1c 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55 <41> 57 41 56 53 48 83 ec 10 65 48 8b 05 7e c1 67 07 48 89 44 24 08 RSP: 0018:ffffc90000ac7560 EFLAGS: 00000082 RAX: 0000000000000001 RBX: 00002aaaaaaab000 RCX: 000000000000000c RDX: 00002aaaaaaac000 RSI: ffffffff8c04d3e0 RDI: ffffffff8c04d3a0 RBP: ffffc90000ac76d0 R08: 0000000000000000 R09: 000000000002147c R10: dffffc0000000000 R11: ffffed100350e0ec R12: ffff88801a870000 R13: 00002aaaaaaac000 R14: 000000000000000c R15: 000000000000000c FS: 0000000000000000(0000) GS:ffff8881258ab000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055557e0fc808 CR3: 000000000e338000 CR4: 00000000003526f0 Call Trace: get_flush_tlb_info+0x2b/0x260 arch/x86/mm/tlb.c:1387 flush_tlb_mm_range+0xee/0x12d0 arch/x86/mm/tlb.c:1439 __text_poke+0x6e9/0xa10 arch/x86/kernel/alternative.c:2553 text_poke arch/x86/kernel/alternative.c:2590 [inline] smp_text_poke_batch_finish+0xd0a/0x1100 arch/x86/kernel/alternative.c:2979 arch_jump_label_transform_apply+0x1c/0x30 arch/x86/kernel/jump_label.c:146 static_key_disable_cpuslocked+0xc5/0x1b0 kernel/jump_label.c:240 static_key_disable+0x1a/0x20 kernel/jump_label.c:248 toggle_allocation_gate+0x1a1/0x240 mm/kfence/core.c:855 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400 kthread+0x70e/0x8a0 kernel/kthread.c:463 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 final repro crashed as (corrupted=false): INFO: task syz.0.16:6018 blocked for more than 143 seconds. Not tainted 6.16.0-rc6-next-20250718-syzkaller #0 Blocked by coredump. "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz.0.16 state:D stack:26920 pid:6018 tgid:6018 ppid:5972 task_flags:0x40004c flags:0x00004000 Call Trace: context_switch kernel/sched/core.c:5351 [inline] __schedule+0x1737/0x4d30 kernel/sched/core.c:6954 __schedule_loop kernel/sched/core.c:7036 [inline] schedule+0x165/0x360 kernel/sched/core.c:7051 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7108 rwsem_down_read_slowpath+0x5fd/0x8f0 kernel/locking/rwsem.c:1088 __down_read_common kernel/locking/rwsem.c:1263 [inline] __down_read kernel/locking/rwsem.c:1276 [inline] down_read+0x98/0x2e0 kernel/locking/rwsem.c:1541 mmap_read_lock include/linux/mmap_lock.h:412 [inline] exit_mm+0xcc/0x2c0 kernel/exit.c:557 do_exit+0x648/0x2300 kernel/exit.c:947 do_group_exit+0x21c/0x2d0 kernel/exit.c:1100 __do_sys_exit_group kernel/exit.c:1111 [inline] __se_sys_exit_group kernel/exit.c:1109 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1109 x64_sys_call+0x21f7/0x2200 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fc793b8e9a9 RSP: 002b:00007ffd9c592508 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fc793b8e9a9 RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000003 R08: 000000019c5925ff R09: 00007fc793d80260 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fc793d80260 R14: 0000000000000003 R15: 00007ffd9c5925c0 Showing all locks held in the system: 1 lock held by khungtaskd/31: #0: ffffffff8e53d8a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline] #0: ffffffff8e53d8a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline] #0: ffffffff8e53d8a0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6770 2 locks held by getty/5610: #0: ffff8880303bc0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243 #1: ffffc900036cb2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x43e/0x1400 drivers/tty/n_tty.c:2222 1 lock held by syz.0.16/6018: #0: ffff88807b8101e0 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:412 [inline] #0: ffff88807b8101e0 (&mm->mmap_lock){++++}-{4:4}, at: exit_mm+0xcc/0x2c0 kernel/exit.c:557 1 lock held by syz.0.16/6019: 1 lock held by syz.1.17/6042: #0: ffff88807b8162a0 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:412 [inline] #0: ffff88807b8162a0 (&mm->mmap_lock){++++}-{4:4}, at: exit_mm+0xcc/0x2c0 kernel/exit.c:557 1 lock held by syz.1.17/6043: 1 lock held by syz.2.18/6071: #0: ffff8880334837a0 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:412 [inline] #0: ffff8880334837a0 (&mm->mmap_lock){++++}-{4:4}, at: exit_mm+0xcc/0x2c0 kernel/exit.c:557 1 lock held by syz.2.18/6072: 1 lock held by syz.3.19/6094: #0: ffff8880291face0 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:412 [inline] #0: ffff8880291face0 (&mm->mmap_lock){++++}-{4:4}, at: exit_mm+0xcc/0x2c0 kernel/exit.c:557 1 lock held by syz.3.19/6095: 1 lock held by syz.4.20/6123: #0: ffff8880326c01e0 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:412 [inline] #0: ffff8880326c01e0 (&mm->mmap_lock){++++}-{4:4}, at: exit_mm+0xcc/0x2c0 kernel/exit.c:557 1 lock held by syz.4.20/6124: 1 lock held by syz.5.21/6159: #0: ffff8880223a2220 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:412 [inline] #0: ffff8880223a2220 (&mm->mmap_lock){++++}-{4:4}, at: exit_mm+0xcc/0x2c0 kernel/exit.c:557 1 lock held by syz.5.21/6160: 1 lock held by syz.6.22/6189: #0: ffff88807b814d20 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:412 [inline] #0: ffff88807b814d20 (&mm->mmap_lock){++++}-{4:4}, at: exit_mm+0xcc/0x2c0 kernel/exit.c:557 1 lock held by syz.6.22/6190: 1 lock held by syz.7.23/6219: #0: ffff888033482220 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:412 [inline] #0: ffff888033482220 (&mm->mmap_lock){++++}-{4:4}, at: exit_mm+0xcc/0x2c0 kernel/exit.c:557 1 lock held by syz.7.23/6220: ============================================= NMI backtrace for cpu 0 CPU: 0 UID: 0 PID: 31 Comm: khungtaskd Not tainted 6.16.0-rc6-next-20250718-syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 nmi_cpu_backtrace+0x39e/0x3d0 lib/nmi_backtrace.c:113 nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:328 [inline] watchdog+0xf93/0xfe0 kernel/hung_task.c:491 kthread+0x70e/0x8a0 kernel/kthread.c:463 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 UID: 0 PID: 36 Comm: kworker/u8:2 Not tainted 6.16.0-rc6-next-20250718-syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 Workqueue: events_unbound toggle_allocation_gate RIP: 0010:check_preemption_disabled+0x1/0x120 lib/smp_processor_id.c:13 Code: a0 d3 04 8c 48 c7 c6 e0 d3 04 8c eb 1c 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 55 <41> 57 41 56 53 48 83 ec 10 65 48 8b 05 7e c1 67 07 48 89 44 24 08 RSP: 0018:ffffc90000ac7560 EFLAGS: 00000082 RAX: 0000000000000001 RBX: 00002aaaaaaab000 RCX: 000000000000000c RDX: 00002aaaaaaac000 RSI: ffffffff8c04d3e0 RDI: ffffffff8c04d3a0 RBP: ffffc90000ac76d0 R08: 0000000000000000 R09: 000000000002147c R10: dffffc0000000000 R11: ffffed100350e0ec R12: ffff88801a870000 R13: 00002aaaaaaac000 R14: 000000000000000c R15: 000000000000000c FS: 0000000000000000(0000) GS:ffff8881258ab000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055557e0fc808 CR3: 000000000e338000 CR4: 00000000003526f0 Call Trace: get_flush_tlb_info+0x2b/0x260 arch/x86/mm/tlb.c:1387 flush_tlb_mm_range+0xee/0x12d0 arch/x86/mm/tlb.c:1439 __text_poke+0x6e9/0xa10 arch/x86/kernel/alternative.c:2553 text_poke arch/x86/kernel/alternative.c:2590 [inline] smp_text_poke_batch_finish+0xd0a/0x1100 arch/x86/kernel/alternative.c:2979 arch_jump_label_transform_apply+0x1c/0x30 arch/x86/kernel/jump_label.c:146 static_key_disable_cpuslocked+0xc5/0x1b0 kernel/jump_label.c:240 static_key_disable+0x1a/0x20 kernel/jump_label.c:248 toggle_allocation_gate+0x1a1/0x240 mm/kfence/core.c:855 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400 kthread+0x70e/0x8a0 kernel/kthread.c:463 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245