Extracting prog: 9m15.01517043s
Minimizing prog: 31m10.162910149s
Simplifying prog options: 8m23.858572983s
Extracting C: 5m16.683588917s
Simplifying C: 0s


extracting reproducer from 1 programs
testing a last program of every proc
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000000), 0x802, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001040)={0x0, {'syz0\x00', 'syz0\x00', 'syz1\x00', &(0x7f0000000040)=""/4096, 0x1000}}, 0x120)

program did not crash
program did not crash
single: failed to extract reproducer
single: executing 1 programs separately with timeout 1m40s
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000000), 0x802, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001040)={0x0, {'syz0\x00', 'syz0\x00', 'syz1\x00', &(0x7f0000000040)=""/4096, 0x1000}}, 0x120)

program did not crash
single: failed to extract reproducer
single: executing 1 programs separately with timeout 6m0s
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000000), 0x802, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001040)={0x0, {'syz0\x00', 'syz0\x00', 'syz1\x00', &(0x7f0000000040)=""/4096, 0x1000}}, 0x120)

program crashed: INFO: task hung in uhid_char_release
single: successfully extracted reproducer
found reproducer with 2 syscalls
minimizing guilty program
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid
detailed listing:
executing program 0:
openat$uhid(0xffffffffffffff9c, &(0x7f0000000000), 0x802, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): write$UHID_CREATE
detailed listing:
executing program 0:
write$UHID_CREATE(0xffffffffffffffff, &(0x7f0000001040)={0x0, {'syz0\x00', 'syz0\x00', 'syz1\x00', &(0x7f0000000040)=""/4096, 0x1000}}, 0x120)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, 0x0, 0x802, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001040)={0x0, {'syz0\x00', 'syz0\x00', 'syz1\x00', &(0x7f0000000040)=""/4096, 0x1000}}, 0x120)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000000), 0x802, 0x0)
write$UHID_CREATE(r0, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000000), 0x802, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001040)={0x0, {'syz0\x00', 'syz0\x00', 'syz1\x00', 0x0}}, 0x120)

program did not crash
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
simplifying guilty program options
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000000), 0x802, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001040)={0x0, {'syz0\x00', 'syz0\x00', 'syz1\x00', &(0x7f0000000040)=""/4096, 0x1000}}, 0x120)

program crashed: KASAN: slab-use-after-free Write in binderfs_evict_inode
a never seen crash title: KASAN: slab-use-after-free Write in binderfs_evict_inode, ignore
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000000), 0x802, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001040)={0x0, {'syz0\x00', 'syz0\x00', 'syz1\x00', &(0x7f0000000040)=""/4096, 0x1000}}, 0x120)

program did not crash
reproducing took 54m5.720260527s
repro crashed as (corrupted=false):
INFO: task syz.4.23:6155 blocked for more than 143 seconds.
      Not tainted 6.15.0-rc5-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.4.23        state:D stack:27096 pid:6155  tgid:6155  ppid:5961   task_flags:0x400040 flags:0x00000004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5382 [inline]
 __schedule+0x16e2/0x4cd0 kernel/sched/core.c:6767
 __schedule_loop kernel/sched/core.c:6845 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6860
 schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common kernel/sched/completion.c:116 [inline]
 wait_for_common kernel/sched/completion.c:127 [inline]
 wait_for_completion+0x2bf/0x5d0 kernel/sched/completion.c:148
 __flush_work+0x9b9/0xbc0 kernel/workqueue.c:4244
 __cancel_work_sync+0xbe/0x110 kernel/workqueue.c:4364
 uhid_dev_destroy drivers/hid/uhid.c:584 [inline]
 uhid_char_release+0xac/0x600 drivers/hid/uhid.c:662
 __fput+0x44c/0xa70 fs/file_table.c:465
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 resume_user_mode_work+0x5e/0x80 include/linux/resume_user_mode.h:50
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x9a/0x120 kernel/entry/common.c:218
 do_syscall_64+0x103/0x210 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fdf16d8e969
RSP: 002b:00007fffc6190598 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 0000000000027cda RCX: 00007fdf16d8e969
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007fdf16fb7ba0 R08: 0000000000000001 R09: 00000002c619088f
R10: 00007fdf16c00000 R11: 0000000000000246 R12: 00007fdf16fb5fac
R13: 00007fdf16fb5fa0 R14: ffffffffffffffff R15: 00007fffc61906b0
 </TASK>
INFO: task syz.2.18:6165 blocked for more than 143 seconds.
      Not tainted 6.15.0-rc5-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.18        state:D
 stack:27096 pid:6165  tgid:6165  ppid:5950   task_flags:0x400040 flags:0x00000004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5382 [inline]
 __schedule+0x16e2/0x4cd0 kernel/sched/core.c:6767
 __schedule_loop kernel/sched/core.c:6845 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6860
 schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common kernel/sched/completion.c:116 [inline]
 wait_for_common kernel/sched/completion.c:127 [inline]
 wait_for_completion+0x2bf/0x5d0 kernel/sched/completion.c:148
 __flush_work+0x9b9/0xbc0 kernel/workqueue.c:4244
 __cancel_work_sync+0xbe/0x110 kernel/workqueue.c:4364
 uhid_dev_destroy drivers/hid/uhid.c:584 [inline]
 uhid_char_release+0xac/0x600 drivers/hid/uhid.c:662
 __fput+0x44c/0xa70 fs/file_table.c:465
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 resume_user_mode_work+0x5e/0x80 include/linux/resume_user_mode.h:50
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x9a/0x120 kernel/entry/common.c:218
 do_syscall_64+0x103/0x210 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb77af8e969
RSP: 002b:00007ffdfe3588d8 EFLAGS: 00000246
 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00000000000284fa RCX: 00007fb77af8e969
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007fb77b1b7ba0 R08: 0000000000000001 R09: 00000002fe358bcf
R10: 00007fb77ae00000 R11: 0000000000000246 R12: 00007fb77b1b5fac
R13: 00007fb77b1b5fa0 R14: ffffffffffffffff R15: 00007ffdfe3589f0
 </TASK>

Showing all locks held in the system:
1 lock held by khungtaskd/31:
 #0: ffffffff8df3b860
 (
rcu_read_lock
){....}-{1:3}
, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6764
3 locks held by kworker/u8:3/53:
 #0: ffff88801a081148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline]
 #0: ffff88801a081148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319
 #1: ffffc90000bf7c60 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline]
 #1: ffffc90000bf7c60 ((linkwatch_work).work){+.+.}-{0:0}, at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319
 #2: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:303
6 locks held by kworker/u8:4/63:
 #0: ffff88801aef6148 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline]
 #0: ffff88801aef6148 ((wq_completion)netns){+.+.}-{0:0}, at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319
 #1: ffffc90001557c60 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline]
 #1: ffffc90001557c60 (net_cleanup_work){+.+.}-{0:0}, at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319
 #2: ffffffff8f2e7cd0 (pernet_ops_rwsem){++++}-{4:4}, at: cleanup_net+0x145/0xbd0 net/core/net_namespace.c:608
 #3: ffff88805ed890e8 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:922 [inline]
 #3: ffff88805ed890e8 (&dev->mutex){....}-{4:4}, at: devl_dev_lock net/devlink/devl_internal.h:108 [inline]
 #3: ffff88805ed890e8 (&dev->mutex){....}-{4:4}, at: devlink_pernet_pre_exit+0x10a/0x3d0 net/devlink/core.c:506
 #4: ffff88805ed8b250 (&devlink->lock_key#11){+.+.}-{4:4}, at: devl_lock net/devlink/core.c:276 [inline]
 #4: ffff88805ed8b250 (&devlink->lock_key#11){+.+.}-{4:4}, at: devl_dev_lock net/devlink/devl_internal.h:109 [inline]
 #4: ffff88805ed8b250 (&devlink->lock_key#11){+.+.}-{4:4}, at: devlink_pernet_pre_exit+0x11c/0x3d0 net/devlink/core.c:506
 #5: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: register_nexthop_notifier+0x80/0x210 net/ipv4/nexthop.c:3918
7 locks held by kworker/0:2/1562:
3 locks held by kworker/u8:7/2920:
2 locks held by dhcpcd/5486:
 #0: ffffffff8f2d92e8 (vlan_ioctl_mutex){+.+.}-{4:4}, at: sock_ioctl+0x5ee/0x790 net/socket.c:1273
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: vlan_ioctl_handler+0xd0/0x650 net/8021q/vlan.c:554
2 locks held by getty/5576:
 #0: ffff8880346790a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: 
ffffc900030062f0
 (
&ldata->atomic_read_lock
){+.+.}-{4:4}
, at: n_tty_read+0x43e/0x1400 drivers/tty/n_tty.c:2222
8 locks held by kworker/0:5/6058:
3 locks held by kworker/1:6/6117:
 #0: 
ffff88801a078d48 (
(wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline]
(wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319
 #1: ffffc90002e6fc60 (deferred_process_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline]
 #1: ffffc90002e6fc60 (deferred_process_work){+.+.}-{0:0}, at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319
 #2: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: switchdev_deferred_process_work+0xe/0x20 net/switchdev/switchdev.c:104
3 locks held by kworker/0:7/6179:
3 locks held by kworker/0:9/6181:
2 locks held by syz-executor/6447:
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4064
2 locks held by syz-executor/6451:
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4064
3 locks held by syz-executor/6455:
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4064
 #2: ffffffff8df41338 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock kernel/rcu/tree_exp.h:304 [inline]
 #2: ffffffff8df41338 (rcu_state.exp_mutex){+.+.}-{4:4}, at: synchronize_rcu_expedited+0x2f4/0x730 kernel/rcu/tree_exp.h:998
2 locks held by syz-executor/6459:
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4064
2 locks held by syz-executor/6462:
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4064
2 locks held by syz-executor/6465:
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4064

=============================================

NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 31 Comm: khungtaskd Not tainted 6.15.0-rc5-syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/29/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x39e/0x3d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:158 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:274 [inline]
 watchdog+0xfee/0x1030 kernel/hung_task.c:437
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x4e/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 6058 Comm: kworker/0:5 Not tainted 6.15.0-rc5-syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/29/2025
Workqueue: events uhid_device_add_worker
RIP: 0010:orc_ip arch/x86/kernel/unwind_orc.c:80 [inline]
RIP: 0010:__orc_find arch/x86/kernel/unwind_orc.c:102 [inline]
RIP: 0010:orc_find arch/x86/kernel/unwind_orc.c:227 [inline]
RIP: 0010:unwind_next_frame+0x130e/0x2390 arch/x86/kernel/unwind_orc.c:494
Code: c1 e8 3f 48 01 c8 48 83 e0 fe 4c 8d 3c 45 00 00 00 00 49 01 ef 4c 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 0f b6 04 08 <84> c0 75 27 49 63 07 4c 01 f8 49 8d 4f 04 4c 39 e0 48 0f 46 e9 49
RSP: 0018:ffffc900000073d8 EFLAGS: 00000213
RAX: 0000000000000000 RBX: ffffffff8f949cc4 RCX: dffffc0000000000
RDX: ffffffff8f949cc4 RSI: ffffffff901083fa RDI: ffffffff8bc1d180
RBP: ffffffff8f949cc4 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: ffffffff8171a9f5 R12: ffffffff81a0dd2f
R13: ffffffff8f949cc4 R14: ffffc900000074a8 R15: ffffffff8f949cc4
FS:  0000000000000000(0000) GS:ffff8881260cb000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005586f379f088 CR3: 00000000332c8000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 arch_stack_walk+0x11c/0x150 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4147 [inline]
 slab_alloc_node mm/slub.c:4196 [inline]
 kmem_cache_alloc_node_noprof+0x1bb/0x3c0 mm/slub.c:4248
 kmalloc_reserve+0xbd/0x290 net/core/skbuff.c:577
 __alloc_skb+0x142/0x2d0 net/core/skbuff.c:668
 __netdev_alloc_skb+0x108/0x970 net/core/skbuff.c:732
 netdev_alloc_skb include/linux/skbuff.h:3413 [inline]
 dev_alloc_skb include/linux/skbuff.h:3426 [inline]
 __ieee80211_beacon_get+0xe32/0x1630 net/mac80211/tx.c:5475
 ieee80211_beacon_get_tim+0xb4/0x2b0 net/mac80211/tx.c:5597
 ieee80211_beacon_get include/net/mac80211.h:5648 [inline]
 mac80211_hwsim_beacon_tx+0x3d2/0x860 drivers/net/wireless/virtual/mac80211_hwsim.c:2313
 __iterate_interfaces+0x2ab/0x590 net/mac80211/util.c:761
 ieee80211_iterate_active_interfaces_atomic+0xdb/0x180 net/mac80211/util.c:797
 mac80211_hwsim_beacon+0xbb/0x1c0 drivers/net/wireless/virtual/mac80211_hwsim.c:2347
 __run_hrtimer kernel/time/hrtimer.c:1761 [inline]
 __hrtimer_run_queues+0x52c/0xc60 kernel/time/hrtimer.c:1825
 hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1842
 handle_softirqs+0x286/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:console_trylock_spinning kernel/printk/printk.c:2061 [inline]
RIP: 0010:vprintk_emit+0x58f/0x7a0 kernel/printk/printk.c:2449
Code: 85 32 01 00 00 e8 41 f3 1e 00 41 89 df 4d 85 f6 48 8b 1c 24 75 07 e8 30 f3 1e 00 eb 06 e8 29 f3 1e 00 fb 48 c7 c7 80 fa f2 8d <31> f6 ba 01 00 00 00 31 c9 41 b8 01 00 00 00 45 31 c9 53 e8 f9 3f
RSP: 0018:ffffc9000302f100 EFLAGS: 00000293
RAX: ffffffff81a0dd27 RBX: ffffffff81a0dbe4 RCX: ffff88802f553c00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8df2fa80
RBP: ffffc9000302f210 R08: ffffffff8f7ed977 R09: 1ffffffff1efdb2e
R10: dffffc0000000000 R11: fffffbfff1efdb2f R12: dffffc0000000000
R13: 1ffff92000605e24 R14: 0000000000000200 R15: 000000000000003a
 dev_vprintk_emit+0x337/0x3f0 drivers/base/core.c:4917
 dev_printk_emit+0xe0/0x130 drivers/base/core.c:4928
 _dev_warn+0x10a/0x160 drivers/base/core.c:4984
 hid_parser_main+0x8b8/0xc40 drivers/hid/hid-core.c:-1
 hid_open_report+0x85b/0xee0 drivers/hid/hid-core.c:1328
 hid_parse include/linux/hid.h:1126 [inline]
 hid_generic_probe+0x3d/0x90 drivers/hid/hid-generic.c:66
 __hid_device_probe drivers/hid/hid-core.c:2717 [inline]
 hid_device_probe+0x39a/0x710 drivers/hid/hid-core.c:2754
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26d/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 hid_add_device+0x398/0x540 drivers/hid/hid-core.c:2900
 uhid_device_add_worker+0x43/0xf0 drivers/hid/uhid.c:73
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xade/0x17a0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x4e/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

final repro crashed as (corrupted=false):
INFO: task syz.4.23:6155 blocked for more than 143 seconds.
      Not tainted 6.15.0-rc5-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.4.23        state:D stack:27096 pid:6155  tgid:6155  ppid:5961   task_flags:0x400040 flags:0x00000004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5382 [inline]
 __schedule+0x16e2/0x4cd0 kernel/sched/core.c:6767
 __schedule_loop kernel/sched/core.c:6845 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6860
 schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common kernel/sched/completion.c:116 [inline]
 wait_for_common kernel/sched/completion.c:127 [inline]
 wait_for_completion+0x2bf/0x5d0 kernel/sched/completion.c:148
 __flush_work+0x9b9/0xbc0 kernel/workqueue.c:4244
 __cancel_work_sync+0xbe/0x110 kernel/workqueue.c:4364
 uhid_dev_destroy drivers/hid/uhid.c:584 [inline]
 uhid_char_release+0xac/0x600 drivers/hid/uhid.c:662
 __fput+0x44c/0xa70 fs/file_table.c:465
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 resume_user_mode_work+0x5e/0x80 include/linux/resume_user_mode.h:50
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x9a/0x120 kernel/entry/common.c:218
 do_syscall_64+0x103/0x210 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fdf16d8e969
RSP: 002b:00007fffc6190598 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 0000000000027cda RCX: 00007fdf16d8e969
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007fdf16fb7ba0 R08: 0000000000000001 R09: 00000002c619088f
R10: 00007fdf16c00000 R11: 0000000000000246 R12: 00007fdf16fb5fac
R13: 00007fdf16fb5fa0 R14: ffffffffffffffff R15: 00007fffc61906b0
 </TASK>
INFO: task syz.2.18:6165 blocked for more than 143 seconds.
      Not tainted 6.15.0-rc5-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.18        state:D
 stack:27096 pid:6165  tgid:6165  ppid:5950   task_flags:0x400040 flags:0x00000004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5382 [inline]
 __schedule+0x16e2/0x4cd0 kernel/sched/core.c:6767
 __schedule_loop kernel/sched/core.c:6845 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6860
 schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common kernel/sched/completion.c:116 [inline]
 wait_for_common kernel/sched/completion.c:127 [inline]
 wait_for_completion+0x2bf/0x5d0 kernel/sched/completion.c:148
 __flush_work+0x9b9/0xbc0 kernel/workqueue.c:4244
 __cancel_work_sync+0xbe/0x110 kernel/workqueue.c:4364
 uhid_dev_destroy drivers/hid/uhid.c:584 [inline]
 uhid_char_release+0xac/0x600 drivers/hid/uhid.c:662
 __fput+0x44c/0xa70 fs/file_table.c:465
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 resume_user_mode_work+0x5e/0x80 include/linux/resume_user_mode.h:50
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x9a/0x120 kernel/entry/common.c:218
 do_syscall_64+0x103/0x210 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb77af8e969
RSP: 002b:00007ffdfe3588d8 EFLAGS: 00000246
 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00000000000284fa RCX: 00007fb77af8e969
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007fb77b1b7ba0 R08: 0000000000000001 R09: 00000002fe358bcf
R10: 00007fb77ae00000 R11: 0000000000000246 R12: 00007fb77b1b5fac
R13: 00007fb77b1b5fa0 R14: ffffffffffffffff R15: 00007ffdfe3589f0
 </TASK>

Showing all locks held in the system:
1 lock held by khungtaskd/31:
 #0: ffffffff8df3b860
 (
rcu_read_lock
){....}-{1:3}
, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6764
3 locks held by kworker/u8:3/53:
 #0: ffff88801a081148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline]
 #0: ffff88801a081148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319
 #1: ffffc90000bf7c60 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline]
 #1: ffffc90000bf7c60 ((linkwatch_work).work){+.+.}-{0:0}, at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319
 #2: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:303
6 locks held by kworker/u8:4/63:
 #0: ffff88801aef6148 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline]
 #0: ffff88801aef6148 ((wq_completion)netns){+.+.}-{0:0}, at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319
 #1: ffffc90001557c60 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline]
 #1: ffffc90001557c60 (net_cleanup_work){+.+.}-{0:0}, at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319
 #2: ffffffff8f2e7cd0 (pernet_ops_rwsem){++++}-{4:4}, at: cleanup_net+0x145/0xbd0 net/core/net_namespace.c:608
 #3: ffff88805ed890e8 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:922 [inline]
 #3: ffff88805ed890e8 (&dev->mutex){....}-{4:4}, at: devl_dev_lock net/devlink/devl_internal.h:108 [inline]
 #3: ffff88805ed890e8 (&dev->mutex){....}-{4:4}, at: devlink_pernet_pre_exit+0x10a/0x3d0 net/devlink/core.c:506
 #4: ffff88805ed8b250 (&devlink->lock_key#11){+.+.}-{4:4}, at: devl_lock net/devlink/core.c:276 [inline]
 #4: ffff88805ed8b250 (&devlink->lock_key#11){+.+.}-{4:4}, at: devl_dev_lock net/devlink/devl_internal.h:109 [inline]
 #4: ffff88805ed8b250 (&devlink->lock_key#11){+.+.}-{4:4}, at: devlink_pernet_pre_exit+0x11c/0x3d0 net/devlink/core.c:506
 #5: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: register_nexthop_notifier+0x80/0x210 net/ipv4/nexthop.c:3918
7 locks held by kworker/0:2/1562:
3 locks held by kworker/u8:7/2920:
2 locks held by dhcpcd/5486:
 #0: ffffffff8f2d92e8 (vlan_ioctl_mutex){+.+.}-{4:4}, at: sock_ioctl+0x5ee/0x790 net/socket.c:1273
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: vlan_ioctl_handler+0xd0/0x650 net/8021q/vlan.c:554
2 locks held by getty/5576:
 #0: ffff8880346790a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: 
ffffc900030062f0
 (
&ldata->atomic_read_lock
){+.+.}-{4:4}
, at: n_tty_read+0x43e/0x1400 drivers/tty/n_tty.c:2222
8 locks held by kworker/0:5/6058:
3 locks held by kworker/1:6/6117:
 #0: 
ffff88801a078d48 (
(wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline]
(wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319
 #1: ffffc90002e6fc60 (deferred_process_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline]
 #1: ffffc90002e6fc60 (deferred_process_work){+.+.}-{0:0}, at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319
 #2: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: switchdev_deferred_process_work+0xe/0x20 net/switchdev/switchdev.c:104
3 locks held by kworker/0:7/6179:
3 locks held by kworker/0:9/6181:
2 locks held by syz-executor/6447:
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4064
2 locks held by syz-executor/6451:
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4064
3 locks held by syz-executor/6455:
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4064
 #2: ffffffff8df41338 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock kernel/rcu/tree_exp.h:304 [inline]
 #2: ffffffff8df41338 (rcu_state.exp_mutex){+.+.}-{4:4}, at: synchronize_rcu_expedited+0x2f4/0x730 kernel/rcu/tree_exp.h:998
2 locks held by syz-executor/6459:
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4064
2 locks held by syz-executor/6462:
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4064
2 locks held by syz-executor/6465:
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8ea8e460 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8f2f4808 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4064

=============================================

NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 31 Comm: khungtaskd Not tainted 6.15.0-rc5-syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/29/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x39e/0x3d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:158 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:274 [inline]
 watchdog+0xfee/0x1030 kernel/hung_task.c:437
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x4e/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 6058 Comm: kworker/0:5 Not tainted 6.15.0-rc5-syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/29/2025
Workqueue: events uhid_device_add_worker
RIP: 0010:orc_ip arch/x86/kernel/unwind_orc.c:80 [inline]
RIP: 0010:__orc_find arch/x86/kernel/unwind_orc.c:102 [inline]
RIP: 0010:orc_find arch/x86/kernel/unwind_orc.c:227 [inline]
RIP: 0010:unwind_next_frame+0x130e/0x2390 arch/x86/kernel/unwind_orc.c:494
Code: c1 e8 3f 48 01 c8 48 83 e0 fe 4c 8d 3c 45 00 00 00 00 49 01 ef 4c 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 0f b6 04 08 <84> c0 75 27 49 63 07 4c 01 f8 49 8d 4f 04 4c 39 e0 48 0f 46 e9 49
RSP: 0018:ffffc900000073d8 EFLAGS: 00000213
RAX: 0000000000000000 RBX: ffffffff8f949cc4 RCX: dffffc0000000000
RDX: ffffffff8f949cc4 RSI: ffffffff901083fa RDI: ffffffff8bc1d180
RBP: ffffffff8f949cc4 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: ffffffff8171a9f5 R12: ffffffff81a0dd2f
R13: ffffffff8f949cc4 R14: ffffc900000074a8 R15: ffffffff8f949cc4
FS:  0000000000000000(0000) GS:ffff8881260cb000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005586f379f088 CR3: 00000000332c8000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 arch_stack_walk+0x11c/0x150 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4147 [inline]
 slab_alloc_node mm/slub.c:4196 [inline]
 kmem_cache_alloc_node_noprof+0x1bb/0x3c0 mm/slub.c:4248
 kmalloc_reserve+0xbd/0x290 net/core/skbuff.c:577
 __alloc_skb+0x142/0x2d0 net/core/skbuff.c:668
 __netdev_alloc_skb+0x108/0x970 net/core/skbuff.c:732
 netdev_alloc_skb include/linux/skbuff.h:3413 [inline]
 dev_alloc_skb include/linux/skbuff.h:3426 [inline]
 __ieee80211_beacon_get+0xe32/0x1630 net/mac80211/tx.c:5475
 ieee80211_beacon_get_tim+0xb4/0x2b0 net/mac80211/tx.c:5597
 ieee80211_beacon_get include/net/mac80211.h:5648 [inline]
 mac80211_hwsim_beacon_tx+0x3d2/0x860 drivers/net/wireless/virtual/mac80211_hwsim.c:2313
 __iterate_interfaces+0x2ab/0x590 net/mac80211/util.c:761
 ieee80211_iterate_active_interfaces_atomic+0xdb/0x180 net/mac80211/util.c:797
 mac80211_hwsim_beacon+0xbb/0x1c0 drivers/net/wireless/virtual/mac80211_hwsim.c:2347
 __run_hrtimer kernel/time/hrtimer.c:1761 [inline]
 __hrtimer_run_queues+0x52c/0xc60 kernel/time/hrtimer.c:1825
 hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1842
 handle_softirqs+0x286/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:console_trylock_spinning kernel/printk/printk.c:2061 [inline]
RIP: 0010:vprintk_emit+0x58f/0x7a0 kernel/printk/printk.c:2449
Code: 85 32 01 00 00 e8 41 f3 1e 00 41 89 df 4d 85 f6 48 8b 1c 24 75 07 e8 30 f3 1e 00 eb 06 e8 29 f3 1e 00 fb 48 c7 c7 80 fa f2 8d <31> f6 ba 01 00 00 00 31 c9 41 b8 01 00 00 00 45 31 c9 53 e8 f9 3f
RSP: 0018:ffffc9000302f100 EFLAGS: 00000293
RAX: ffffffff81a0dd27 RBX: ffffffff81a0dbe4 RCX: ffff88802f553c00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8df2fa80
RBP: ffffc9000302f210 R08: ffffffff8f7ed977 R09: 1ffffffff1efdb2e
R10: dffffc0000000000 R11: fffffbfff1efdb2f R12: dffffc0000000000
R13: 1ffff92000605e24 R14: 0000000000000200 R15: 000000000000003a
 dev_vprintk_emit+0x337/0x3f0 drivers/base/core.c:4917
 dev_printk_emit+0xe0/0x130 drivers/base/core.c:4928
 _dev_warn+0x10a/0x160 drivers/base/core.c:4984
 hid_parser_main+0x8b8/0xc40 drivers/hid/hid-core.c:-1
 hid_open_report+0x85b/0xee0 drivers/hid/hid-core.c:1328
 hid_parse include/linux/hid.h:1126 [inline]
 hid_generic_probe+0x3d/0x90 drivers/hid/hid-generic.c:66
 __hid_device_probe drivers/hid/hid-core.c:2717 [inline]
 hid_device_probe+0x39a/0x710 drivers/hid/hid-core.c:2754
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26d/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 hid_add_device+0x398/0x540 drivers/hid/hid-core.c:2900
 uhid_device_add_worker+0x43/0xf0 drivers/hid/uhid.c:73
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xade/0x17a0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x4e/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>