Extracting prog: 10m26.962135092s
Minimizing prog: 32m48.090415574s
Simplifying prog options: 16m56.978640677s
Extracting C: 5m48.24769487s
Simplifying C: 0s


extracting reproducer from 1 programs
testing a last program of every proc
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001040)={0x0, {'syz1\x00', 'syz1\x00', 'syz0\x00', &(0x7f0000000040)=""/4096, 0x1000, 0x1, 0x98e, 0x0, 0x2, 0x798e}}, 0x120)

program did not crash
program did not crash
single: failed to extract reproducer
single: executing 1 programs separately with timeout 1m40s
testing program (duration=1m40s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001040)={0x0, {'syz1\x00', 'syz1\x00', 'syz0\x00', &(0x7f0000000040)=""/4096, 0x1000, 0x1, 0x98e, 0x0, 0x2, 0x798e}}, 0x120)

program did not crash
single: failed to extract reproducer
single: executing 1 programs separately with timeout 6m0s
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001040)={0x0, {'syz1\x00', 'syz1\x00', 'syz0\x00', &(0x7f0000000040)=""/4096, 0x1000, 0x1, 0x98e, 0x0, 0x2, 0x798e}}, 0x120)

program crashed: INFO: task hung in uhid_char_release
single: successfully extracted reproducer
found reproducer with 2 syscalls
minimizing guilty program
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid
detailed listing:
executing program 0:
openat$uhid(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): write$UHID_CREATE
detailed listing:
executing program 0:
write$UHID_CREATE(0xffffffffffffffff, &(0x7f0000001040)={0x0, {'syz1\x00', 'syz1\x00', 'syz0\x00', &(0x7f0000000040)=""/4096, 0x1000, 0x1, 0x98e, 0x0, 0x2, 0x798e}}, 0x120)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, 0x0, 0x2, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001040)={0x0, {'syz1\x00', 'syz1\x00', 'syz0\x00', &(0x7f0000000040)=""/4096, 0x1000, 0x1, 0x98e, 0x0, 0x2, 0x798e}}, 0x120)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0)
write$UHID_CREATE(r0, 0x0, 0x0)

program did not crash
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001040)={0x0, {'syz1\x00', 'syz1\x00', 'syz0\x00', 0x0, 0x0, 0x1, 0x98e, 0x0, 0x2, 0x798e}}, 0x120)

program did not crash
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
simplifying guilty program options
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001040)={0x0, {'syz1\x00', 'syz1\x00', 'syz0\x00', &(0x7f0000000040)=""/4096, 0x1000, 0x1, 0x98e, 0x0, 0x2, 0x798e}}, 0x120)

program crashed: INFO: task hung in uhid_char_release
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:6 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
program crashed: no output from test machine
a never seen crash title: no output from test machine, ignore
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): openat$uhid-write$UHID_CREATE
detailed listing:
executing program 0:
r0 = openat$uhid(0xffffffffffffff9c, &(0x7f0000000000), 0x2, 0x0)
write$UHID_CREATE(r0, &(0x7f0000001040)={0x0, {'syz1\x00', 'syz1\x00', 'syz0\x00', &(0x7f0000000040)=""/4096, 0x1000, 0x1, 0x98e, 0x0, 0x2, 0x798e}}, 0x120)

program did not crash
reproducing took 1h5m32.005138772s
repro crashed as (corrupted=false):
INFO: task syz.1.17:6100 blocked for more than 143 seconds.
      Not tainted 6.15.0-rc3-syzkaller-00342-g5bc1018675ec #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.17        state:D
 stack:26744 pid:6100  tgid:6100  ppid:5962   task_flags:0x400040 flags:0x00000004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5382 [inline]
 __schedule+0x16e2/0x4cd0 kernel/sched/core.c:6767
 __schedule_loop kernel/sched/core.c:6845 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6860
 schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common kernel/sched/completion.c:116 [inline]
 wait_for_common kernel/sched/completion.c:127 [inline]
 wait_for_completion+0x2bf/0x5d0 kernel/sched/completion.c:148
 __flush_work+0x9b9/0xbc0 kernel/workqueue.c:4244
 __cancel_work_sync+0xbe/0x110 kernel/workqueue.c:4364
 uhid_dev_destroy drivers/hid/uhid.c:584 [inline]
 uhid_char_release+0xac/0x600 drivers/hid/uhid.c:662
 __fput+0x44c/0xa70 fs/file_table.c:465
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 resume_user_mode_work+0x5e/0x80 include/linux/resume_user_mode.h:50
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x9a/0x120 kernel/entry/common.c:218
 do_syscall_64+0x103/0x210 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcd19f8e969
RSP: 002b:00007ffc732a0858 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 000000000004e223 RCX: 00007fcd19f8e969
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000001 R09: 00000002732a0b4f
R10: 00007fcd19e00000 R11: 0000000000000246 R12: 00007fcd1a1b5fac
R13: 00007fcd1a1b5fa0 R14: ffffffffffffffff R15: 0000000000000003
 </TASK>
INFO: task syz.5.23:6106 blocked for more than 143 seconds.
      Not tainted 6.15.0-rc3-syzkaller-00342-g5bc1018675ec #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.5.23        state:D stack:27992 pid:6106  tgid:6106  ppid:5967   task_flags:0x400040 flags:0x00000004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5382 [inline]
 __schedule+0x16e2/0x4cd0 kernel/sched/core.c:6767
 __schedule_loop kernel/sched/core.c:6845 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6860
 schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common kernel/sched/completion.c:116 [inline]
 wait_for_common kernel/sched/completion.c:127 [inline]
 wait_for_completion+0x2bf/0x5d0 kernel/sched/completion.c:148
 __flush_work+0x9b9/0xbc0 kernel/workqueue.c:4244
 __cancel_work_sync+0xbe/0x110 kernel/workqueue.c:4364
 uhid_dev_destroy drivers/hid/uhid.c:584 [inline]
 uhid_char_release+0xac/0x600 drivers/hid/uhid.c:662
 __fput+0x44c/0xa70 fs/file_table.c:465
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 resume_user_mode_work+0x5e/0x80 include/linux/resume_user_mode.h:50
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x9a/0x120 kernel/entry/common.c:218
 do_syscall_64+0x103/0x210 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1796d8e969
RSP: 002b:00007ffd5e38d898 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 000000000004e953 RCX: 00007f1796d8e969
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000001 R09: 000000025e38db8f
R10: 00007f1796c00000 R11: 0000000000000246 R12: 00007f1796fb5fac
R13: 00007f1796fb5fa0 R14: ffffffffffffffff R15: 0000000000000003
 </TASK>
INFO: task syz.3.25:6110 blocked for more than 144 seconds.
      Not tainted 6.15.0-rc3-syzkaller-00342-g5bc1018675ec #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.3.25        state:D stack:27288 pid:6110  tgid:6110  ppid:5966   task_flags:0x400040 flags:0x00000004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5382 [inline]
 __schedule+0x16e2/0x4cd0 kernel/sched/core.c:6767
 __schedule_loop kernel/sched/core.c:6845 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6860
 schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common kernel/sched/completion.c:116 [inline]
 wait_for_common kernel/sched/completion.c:127 [inline]
 wait_for_completion+0x2bf/0x5d0 kernel/sched/completion.c:148
 __flush_work+0x9b9/0xbc0 kernel/workqueue.c:4244
 __cancel_work_sync+0xbe/0x110 kernel/workqueue.c:4364
 uhid_dev_destroy drivers/hid/uhid.c:584 [inline]
 uhid_char_release+0xac/0x600 drivers/hid/uhid.c:662
 __fput+0x44c/0xa70 fs/file_table.c:465
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 resume_user_mode_work+0x5e/0x80 include/linux/resume_user_mode.h:50
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x9a/0x120 kernel/entry/common.c:218
 do_syscall_64+0x103/0x210 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1b6478e969
RSP: 002b:00007ffe60940478 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 000000000004f082 RCX: 00007f1b6478e969
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000001 R09: 000000026094076f
R10: 00007f1b64600000 R11: 0000000000000246 R12: 00007f1b649b5fac
R13: 00007f1b649b5fa0 R14: ffffffffffffffff R15: 0000000000000003
 </TASK>

Showing all locks held in the system:
5 locks held by kworker/u8:1/13:
1 lock held by khungtaskd/31:
 #0: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6764
8 locks held by kworker/1:1/47:
3 locks held by kworker/1:2/968:
4 locks held by kworker/u8:6/1157:
3 locks held by kworker/u8:7/1330:
 #0: ffff88814ce09148 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline]
 #0: ffff88814ce09148 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319
 #1: ffffc900044cfc60 ((work_completion)(&(&ifa->dad_work)->work)
){+.+.}-{0:0}
, at: process_one_work kernel/workqueue.c:3214 [inline]
, at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319
 #2: 
ffffffff8f2f37c8
 (
rtnl_mutex
){+.+.}-{4:4}
, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
, at: addrconf_dad_work+0x112/0x14b0 net/ipv6/addrconf.c:4195
2 locks held by dhcpcd/5490:
 #0: 
ffff88805f9496d0
 (
nlk_cb_mutex-ROUTE
){+.+.}-{4:4}
, at: netlink_dump+0xcd/0xe70 net/netlink/af_netlink.c:2255
 #1: 
ffffffff8f2f37c8
 (
rtnl_mutex
){+.+.}-{4:4}
, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
, at: rtnl_dumpit+0x92/0x200 net/core/rtnetlink.c:6823
2 locks held by getty/5581:
 #0: 
ffff88802fd6f0a0
 (
&tty->ldisc_sem
){++++}-{0:0}
, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: 
ffffc90002ffe2f0
 (&ldata->atomic_read_lock
){+.+.}-{4:4}, at: n_tty_read+0x43e/0x1400 drivers/tty/n_tty.c:2222
8 locks held by kworker/1:6/6082:
3 locks held by kworker/u8:9/6211:
 #0: ffff88801a081148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline]
 #0: ffff88801a081148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319
 #1: ffffc90003d4fc60 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline]
 #1: ffffc90003d4fc60 ((linkwatch_work).work){+.+.}-{0:0}, at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319
 #2: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:303
4 locks held by syz-executor/6237:
 #0: ffff88803432c420 (sb_writers#7){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:3041 [inline]
 #0: ffff88803432c420 (sb_writers#7){.+.+}-{0:0}, at: vfs_write+0x211/0xa90 fs/read_write.c:680
 #1: ffff88802813d888 (&of->mutex){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x1e0/0x4f0 fs/kernfs/file.c:325
 #2: ffff8880267242d8 (kn->active#55){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x203/0x4f0 fs/kernfs/file.c:326
 #3: ffffffff8eb943a8 (nsim_bus_dev_list_lock){+.+.}-{4:4}, at: del_device_store+0xd1/0x360 drivers/net/netdevsim/bus.c:216
4 locks held by syz-executor/6241:
 #0: ffff88803432c420 (sb_writers#7){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:3041 [inline]
 #0: ffff88803432c420 (sb_writers#7){.+.+}-{0:0}, at: vfs_write+0x211/0xa90 fs/read_write.c:680
 #1: ffff888055d12088 (&of->mutex){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x1e0/0x4f0 fs/kernfs/file.c:325
 #2: ffff8880267241e8 (kn->active#56){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x203/0x4f0 fs/kernfs/file.c:326
 #3: ffffffff8eb943a8 (nsim_bus_dev_list_lock){+.+.}-{4:4}, at: new_device_store+0x12c/0x6f0 drivers/net/netdevsim/bus.c:166
7 locks held by syz-executor/6248:
 #0: 
ffff88803432c420
 (
sb_writers
#7
){.+.+}-{0:0}
, at: file_start_write include/linux/fs.h:3041 [inline]
, at: vfs_write+0x211/0xa90 fs/read_write.c:680
 #1: ffff88805a140488 (&of->mutex){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x1e0/0x4f0 fs/kernfs/file.c:325
 #2: 
ffff8880267241e8
 (
kn->active
#56
){.+.+}-{0:0}
, at: kernfs_fop_write_iter+0x203/0x4f0 fs/kernfs/file.c:326
 #3: 
ffffffff8eb943a8
 (
nsim_bus_dev_list_lock
){+.+.}-{4:4}
, at: new_device_store+0x12c/0x6f0 drivers/net/netdevsim/bus.c:166
 #4: 
ffff8880217440e8
 (
&dev->mutex){....}-{4:4}
, at: device_lock include/linux/device.h:922 [inline]
, at: __device_attach+0x88/0x400 drivers/base/dd.c:1004
 #5: 
ffff888021745250
 (&devlink->lock_key#14){+.+.}-{4:4}, at: nsim_drv_probe+0xc1/0xb70 drivers/net/netdevsim/dev.c:1537
 #6: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
 #6: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: register_netdevice_notifier_net+0x1a/0xa0 net/core/dev.c:2029
1 lock held by syz-executor/6254:
 #0: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: tun_detach drivers/net/tun.c:633 [inline]
 #0: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: tun_chr_close+0x3e/0x1c0 drivers/net/tun.c:3390
2 locks held by syz-executor/6399:
 #0: ffffffff8f80cab8 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8f80cab8 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8f80cab8 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4064
2 locks held by syz-executor/6402:
 #0: ffffffff8f7f01b0 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8f7f01b0 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8f7f01b0 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4064
2 locks held by syz-executor/6405:
 #0: ffffffff8f7f0d08 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8f7f0d08 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8f7f0d08 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4064
2 locks held by syz-executor/6408:
 #0: ffffffff8f80ad58 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8f80ad58 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8f80ad58 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4064
2 locks held by syz-executor/6414:
 #0: ffffffff8f2e6c90 (pernet_ops_rwsem){++++}-{4:4}, at: copy_net_ns+0x317/0x590 net/core/net_namespace.c:514
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: ip_tunnel_init_net+0x2ab/0x800 net/ipv4/ip_tunnel.c:1160
1 lock held by syz-executor/6439:
 #0: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
 #0: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: inet_rtm_newaddr+0x3b0/0x18b0 net/ipv4/devinet.c:979

=============================================

NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 31 Comm: khungtaskd Not tainted 6.15.0-rc3-syzkaller-00342-g5bc1018675ec #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x39e/0x3d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:158 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:274 [inline]
 watchdog+0xfee/0x1030 kernel/hung_task.c:437
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x4e/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 6082 Comm: kworker/1:6 Not tainted 6.15.0-rc3-syzkaller-00342-g5bc1018675ec #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025
Workqueue: events uhid_device_add_worker
RIP: 0010:orc_find arch/x86/kernel/unwind_orc.c:217 [inline]
RIP: 0010:unwind_next_frame+0x214/0x2390 arch/x86/kernel/unwind_orc.c:494
Code: ef 08 8b 15 be 35 25 0c 8d 42 ff 44 39 f8 0f 86 65 18 00 00 44 89 f8 4c 8d 2c 85 2c 1d b8 90 4c 89 e8 48 c1 e8 03 0f b6 04 28 <84> c0 48 89 eb 0f 85 1c 1c 00 00 45 8b 6d 00 44 89 f8 ff c0 48 8d
RSP: 0018:ffffc90000a08378 EFLAGS: 00000213
RAX: 0000000000000000 RBX: 0000000000000001 RCX: f6c9e215fa3bcf00
RDX: 00000000000a595b RSI: ffffffff8bc1cdc0 RDI: ffffffff8bc1cd80
RBP: dffffc0000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: ffffffff817199f5 R12: ffffffff86e7264a
R13: ffffffff90cfb9c4 R14: ffffc90000a08448 R15: 000000000005e726
FS:  0000000000000000(0000) GS:ffff8881261cc000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005573712d6d88 CR3: 0000000031b94000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 arch_stack_walk+0x11c/0x150 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4161 [inline]
 slab_alloc_node mm/slub.c:4210 [inline]
 kmem_cache_alloc_node_noprof+0x1bb/0x3c0 mm/slub.c:4262
 kmalloc_reserve+0xbd/0x290 net/core/skbuff.c:577
 __alloc_skb+0x142/0x2d0 net/core/skbuff.c:668
 skb_copy+0x188/0x800 net/core/skbuff.c:2131
 mac80211_hwsim_tx_frame_no_nl+0xc85/0x1180 drivers/net/wireless/virtual/mac80211_hwsim.c:1866
 mac80211_hwsim_tx_frame+0x1b5/0x200 drivers/net/wireless/virtual/mac80211_hwsim.c:2217
 mac80211_hwsim_beacon_tx+0x3f6/0x860 drivers/net/wireless/virtual/mac80211_hwsim.c:2317
 __iterate_interfaces+0x2ab/0x590 net/mac80211/util.c:761
 ieee80211_iterate_active_interfaces_atomic+0xdb/0x180 net/mac80211/util.c:797
 mac80211_hwsim_beacon+0xbb/0x1c0 drivers/net/wireless/virtual/mac80211_hwsim.c:2347
 __run_hrtimer kernel/time/hrtimer.c:1761 [inline]
 __hrtimer_run_queues+0x52c/0xc60 kernel/time/hrtimer.c:1825
 hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1842
 handle_softirqs+0x286/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:console_flush_all+0x7f7/0xc40 kernel/printk/printk.c:3227
Code: 48 21 c3 0f 85 e9 01 00 00 e8 85 b5 1e 00 48 8b 5c 24 20 4d 85 f6 75 07 e8 76 b5 1e 00 eb 06 e8 6f b5 1e 00 fb 48 8b 44 24 28 <42> 80 3c 20 00 74 08 48 89 df e8 5a aa 80 00 48 8b 1b 48 8b 44 24
RSP: 0018:ffffc90002ed6ee0 EFLAGS: 00000293
RAX: 1ffffffff1cf3eeb RBX: ffffffff8e79f758 RCX: ffff8880290f0000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90002ed7030 R08: ffffffff8f7ec977 R09: 1ffffffff1efd92e
R10: dffffc0000000000 R11: fffffbfff1efd92f R12: dffffc0000000000
R13: 0000000000000001 R14: 0000000000000200 R15: ffffffff8e79f700
 __console_flush_and_unlock kernel/printk/printk.c:3285 [inline]
 console_unlock+0xc4/0x270 kernel/printk/printk.c:3325
 vprintk_emit+0x5b7/0x7a0 kernel/printk/printk.c:2450
 dev_vprintk_emit+0x337/0x3f0 drivers/base/core.c:4917
 dev_printk_emit+0xe0/0x130 drivers/base/core.c:4928
 _dev_warn+0x10a/0x160 drivers/base/core.c:4984
 hid_parser_main+0x8b8/0xc40 drivers/hid/hid-core.c:-1
 hid_open_report+0x85b/0xee0 drivers/hid/hid-core.c:1328
 hid_parse include/linux/hid.h:1126 [inline]
 hid_generic_probe+0x3d/0x90 drivers/hid/hid-generic.c:66
 __hid_device_probe drivers/hid/hid-core.c:2717 [inline]
 hid_device_probe+0x39a/0x710 drivers/hid/hid-core.c:2754
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26d/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 hid_add_device+0x398/0x540 drivers/hid/hid-core.c:2900
 uhid_device_add_worker+0x43/0xf0 drivers/hid/uhid.c:73
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xade/0x17a0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x4e/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

final repro crashed as (corrupted=false):
INFO: task syz.1.17:6100 blocked for more than 143 seconds.
      Not tainted 6.15.0-rc3-syzkaller-00342-g5bc1018675ec #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.17        state:D
 stack:26744 pid:6100  tgid:6100  ppid:5962   task_flags:0x400040 flags:0x00000004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5382 [inline]
 __schedule+0x16e2/0x4cd0 kernel/sched/core.c:6767
 __schedule_loop kernel/sched/core.c:6845 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6860
 schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common kernel/sched/completion.c:116 [inline]
 wait_for_common kernel/sched/completion.c:127 [inline]
 wait_for_completion+0x2bf/0x5d0 kernel/sched/completion.c:148
 __flush_work+0x9b9/0xbc0 kernel/workqueue.c:4244
 __cancel_work_sync+0xbe/0x110 kernel/workqueue.c:4364
 uhid_dev_destroy drivers/hid/uhid.c:584 [inline]
 uhid_char_release+0xac/0x600 drivers/hid/uhid.c:662
 __fput+0x44c/0xa70 fs/file_table.c:465
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 resume_user_mode_work+0x5e/0x80 include/linux/resume_user_mode.h:50
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x9a/0x120 kernel/entry/common.c:218
 do_syscall_64+0x103/0x210 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcd19f8e969
RSP: 002b:00007ffc732a0858 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 000000000004e223 RCX: 00007fcd19f8e969
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000001 R09: 00000002732a0b4f
R10: 00007fcd19e00000 R11: 0000000000000246 R12: 00007fcd1a1b5fac
R13: 00007fcd1a1b5fa0 R14: ffffffffffffffff R15: 0000000000000003
 </TASK>
INFO: task syz.5.23:6106 blocked for more than 143 seconds.
      Not tainted 6.15.0-rc3-syzkaller-00342-g5bc1018675ec #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.5.23        state:D stack:27992 pid:6106  tgid:6106  ppid:5967   task_flags:0x400040 flags:0x00000004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5382 [inline]
 __schedule+0x16e2/0x4cd0 kernel/sched/core.c:6767
 __schedule_loop kernel/sched/core.c:6845 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6860
 schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common kernel/sched/completion.c:116 [inline]
 wait_for_common kernel/sched/completion.c:127 [inline]
 wait_for_completion+0x2bf/0x5d0 kernel/sched/completion.c:148
 __flush_work+0x9b9/0xbc0 kernel/workqueue.c:4244
 __cancel_work_sync+0xbe/0x110 kernel/workqueue.c:4364
 uhid_dev_destroy drivers/hid/uhid.c:584 [inline]
 uhid_char_release+0xac/0x600 drivers/hid/uhid.c:662
 __fput+0x44c/0xa70 fs/file_table.c:465
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 resume_user_mode_work+0x5e/0x80 include/linux/resume_user_mode.h:50
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x9a/0x120 kernel/entry/common.c:218
 do_syscall_64+0x103/0x210 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1796d8e969
RSP: 002b:00007ffd5e38d898 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 000000000004e953 RCX: 00007f1796d8e969
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000001 R09: 000000025e38db8f
R10: 00007f1796c00000 R11: 0000000000000246 R12: 00007f1796fb5fac
R13: 00007f1796fb5fa0 R14: ffffffffffffffff R15: 0000000000000003
 </TASK>
INFO: task syz.3.25:6110 blocked for more than 144 seconds.
      Not tainted 6.15.0-rc3-syzkaller-00342-g5bc1018675ec #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.3.25        state:D stack:27288 pid:6110  tgid:6110  ppid:5966   task_flags:0x400040 flags:0x00000004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5382 [inline]
 __schedule+0x16e2/0x4cd0 kernel/sched/core.c:6767
 __schedule_loop kernel/sched/core.c:6845 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6860
 schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common kernel/sched/completion.c:116 [inline]
 wait_for_common kernel/sched/completion.c:127 [inline]
 wait_for_completion+0x2bf/0x5d0 kernel/sched/completion.c:148
 __flush_work+0x9b9/0xbc0 kernel/workqueue.c:4244
 __cancel_work_sync+0xbe/0x110 kernel/workqueue.c:4364
 uhid_dev_destroy drivers/hid/uhid.c:584 [inline]
 uhid_char_release+0xac/0x600 drivers/hid/uhid.c:662
 __fput+0x44c/0xa70 fs/file_table.c:465
 task_work_run+0x1d4/0x260 kernel/task_work.c:227
 resume_user_mode_work+0x5e/0x80 include/linux/resume_user_mode.h:50
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x9a/0x120 kernel/entry/common.c:218
 do_syscall_64+0x103/0x210 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1b6478e969
RSP: 002b:00007ffe60940478 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 000000000004f082 RCX: 00007f1b6478e969
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000001 R09: 000000026094076f
R10: 00007f1b64600000 R11: 0000000000000246 R12: 00007f1b649b5fac
R13: 00007f1b649b5fa0 R14: ffffffffffffffff R15: 0000000000000003
 </TASK>

Showing all locks held in the system:
5 locks held by kworker/u8:1/13:
1 lock held by khungtaskd/31:
 #0: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8df3b860 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6764
8 locks held by kworker/1:1/47:
3 locks held by kworker/1:2/968:
4 locks held by kworker/u8:6/1157:
3 locks held by kworker/u8:7/1330:
 #0: ffff88814ce09148 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline]
 #0: ffff88814ce09148 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319
 #1: ffffc900044cfc60 ((work_completion)(&(&ifa->dad_work)->work)
){+.+.}-{0:0}
, at: process_one_work kernel/workqueue.c:3214 [inline]
, at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319
 #2: 
ffffffff8f2f37c8
 (
rtnl_mutex
){+.+.}-{4:4}
, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
, at: addrconf_dad_work+0x112/0x14b0 net/ipv6/addrconf.c:4195
2 locks held by dhcpcd/5490:
 #0: 
ffff88805f9496d0
 (
nlk_cb_mutex-ROUTE
){+.+.}-{4:4}
, at: netlink_dump+0xcd/0xe70 net/netlink/af_netlink.c:2255
 #1: 
ffffffff8f2f37c8
 (
rtnl_mutex
){+.+.}-{4:4}
, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
, at: rtnl_dumpit+0x92/0x200 net/core/rtnetlink.c:6823
2 locks held by getty/5581:
 #0: 
ffff88802fd6f0a0
 (
&tty->ldisc_sem
){++++}-{0:0}
, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: 
ffffc90002ffe2f0
 (&ldata->atomic_read_lock
){+.+.}-{4:4}, at: n_tty_read+0x43e/0x1400 drivers/tty/n_tty.c:2222
8 locks held by kworker/1:6/6082:
3 locks held by kworker/u8:9/6211:
 #0: ffff88801a081148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3213 [inline]
 #0: ffff88801a081148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x9b1/0x17a0 kernel/workqueue.c:3319
 #1: ffffc90003d4fc60 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3214 [inline]
 #1: ffffc90003d4fc60 ((linkwatch_work).work){+.+.}-{0:0}, at: process_scheduled_works+0x9ec/0x17a0 kernel/workqueue.c:3319
 #2: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:303
4 locks held by syz-executor/6237:
 #0: ffff88803432c420 (sb_writers#7){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:3041 [inline]
 #0: ffff88803432c420 (sb_writers#7){.+.+}-{0:0}, at: vfs_write+0x211/0xa90 fs/read_write.c:680
 #1: ffff88802813d888 (&of->mutex){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x1e0/0x4f0 fs/kernfs/file.c:325
 #2: ffff8880267242d8 (kn->active#55){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x203/0x4f0 fs/kernfs/file.c:326
 #3: ffffffff8eb943a8 (nsim_bus_dev_list_lock){+.+.}-{4:4}, at: del_device_store+0xd1/0x360 drivers/net/netdevsim/bus.c:216
4 locks held by syz-executor/6241:
 #0: ffff88803432c420 (sb_writers#7){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:3041 [inline]
 #0: ffff88803432c420 (sb_writers#7){.+.+}-{0:0}, at: vfs_write+0x211/0xa90 fs/read_write.c:680
 #1: ffff888055d12088 (&of->mutex){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x1e0/0x4f0 fs/kernfs/file.c:325
 #2: ffff8880267241e8 (kn->active#56){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x203/0x4f0 fs/kernfs/file.c:326
 #3: ffffffff8eb943a8 (nsim_bus_dev_list_lock){+.+.}-{4:4}, at: new_device_store+0x12c/0x6f0 drivers/net/netdevsim/bus.c:166
7 locks held by syz-executor/6248:
 #0: 
ffff88803432c420
 (
sb_writers
#7
){.+.+}-{0:0}
, at: file_start_write include/linux/fs.h:3041 [inline]
, at: vfs_write+0x211/0xa90 fs/read_write.c:680
 #1: ffff88805a140488 (&of->mutex){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x1e0/0x4f0 fs/kernfs/file.c:325
 #2: 
ffff8880267241e8
 (
kn->active
#56
){.+.+}-{0:0}
, at: kernfs_fop_write_iter+0x203/0x4f0 fs/kernfs/file.c:326
 #3: 
ffffffff8eb943a8
 (
nsim_bus_dev_list_lock
){+.+.}-{4:4}
, at: new_device_store+0x12c/0x6f0 drivers/net/netdevsim/bus.c:166
 #4: 
ffff8880217440e8
 (
&dev->mutex){....}-{4:4}
, at: device_lock include/linux/device.h:922 [inline]
, at: __device_attach+0x88/0x400 drivers/base/dd.c:1004
 #5: 
ffff888021745250
 (&devlink->lock_key#14){+.+.}-{4:4}, at: nsim_drv_probe+0xc1/0xb70 drivers/net/netdevsim/dev.c:1537
 #6: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
 #6: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: register_netdevice_notifier_net+0x1a/0xa0 net/core/dev.c:2029
1 lock held by syz-executor/6254:
 #0: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: tun_detach drivers/net/tun.c:633 [inline]
 #0: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: tun_chr_close+0x3e/0x1c0 drivers/net/tun.c:3390
2 locks held by syz-executor/6399:
 #0: ffffffff8f80cab8 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8f80cab8 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8f80cab8 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4064
2 locks held by syz-executor/6402:
 #0: ffffffff8f7f01b0 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8f7f01b0 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8f7f01b0 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4064
2 locks held by syz-executor/6405:
 #0: ffffffff8f7f0d08 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8f7f0d08 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8f7f0d08 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4064
2 locks held by syz-executor/6408:
 #0: ffffffff8f80ad58 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 #0: ffffffff8f80ad58 (&ops->srcu#2){.+.+}-{0:0}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline]
 #0: ffffffff8f80ad58 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x23/0x250 net/core/rtnetlink.c:570
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8db/0x1c70 net/core/rtnetlink.c:4064
2 locks held by syz-executor/6414:
 #0: ffffffff8f2e6c90 (pernet_ops_rwsem){++++}-{4:4}, at: copy_net_ns+0x317/0x590 net/core/net_namespace.c:514
 #1: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: ip_tunnel_init_net+0x2ab/0x800 net/ipv4/ip_tunnel.c:1160
1 lock held by syz-executor/6439:
 #0: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
 #0: ffffffff8f2f37c8 (rtnl_mutex){+.+.}-{4:4}, at: inet_rtm_newaddr+0x3b0/0x18b0 net/ipv4/devinet.c:979

=============================================

NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 31 Comm: khungtaskd Not tainted 6.15.0-rc3-syzkaller-00342-g5bc1018675ec #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x39e/0x3d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:158 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:274 [inline]
 watchdog+0xfee/0x1030 kernel/hung_task.c:437
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x4e/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 6082 Comm: kworker/1:6 Not tainted 6.15.0-rc3-syzkaller-00342-g5bc1018675ec #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025
Workqueue: events uhid_device_add_worker
RIP: 0010:orc_find arch/x86/kernel/unwind_orc.c:217 [inline]
RIP: 0010:unwind_next_frame+0x214/0x2390 arch/x86/kernel/unwind_orc.c:494
Code: ef 08 8b 15 be 35 25 0c 8d 42 ff 44 39 f8 0f 86 65 18 00 00 44 89 f8 4c 8d 2c 85 2c 1d b8 90 4c 89 e8 48 c1 e8 03 0f b6 04 28 <84> c0 48 89 eb 0f 85 1c 1c 00 00 45 8b 6d 00 44 89 f8 ff c0 48 8d
RSP: 0018:ffffc90000a08378 EFLAGS: 00000213
RAX: 0000000000000000 RBX: 0000000000000001 RCX: f6c9e215fa3bcf00
RDX: 00000000000a595b RSI: ffffffff8bc1cdc0 RDI: ffffffff8bc1cd80
RBP: dffffc0000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: ffffffff817199f5 R12: ffffffff86e7264a
R13: ffffffff90cfb9c4 R14: ffffc90000a08448 R15: 000000000005e726
FS:  0000000000000000(0000) GS:ffff8881261cc000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005573712d6d88 CR3: 0000000031b94000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 arch_stack_walk+0x11c/0x150 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4161 [inline]
 slab_alloc_node mm/slub.c:4210 [inline]
 kmem_cache_alloc_node_noprof+0x1bb/0x3c0 mm/slub.c:4262
 kmalloc_reserve+0xbd/0x290 net/core/skbuff.c:577
 __alloc_skb+0x142/0x2d0 net/core/skbuff.c:668
 skb_copy+0x188/0x800 net/core/skbuff.c:2131
 mac80211_hwsim_tx_frame_no_nl+0xc85/0x1180 drivers/net/wireless/virtual/mac80211_hwsim.c:1866
 mac80211_hwsim_tx_frame+0x1b5/0x200 drivers/net/wireless/virtual/mac80211_hwsim.c:2217
 mac80211_hwsim_beacon_tx+0x3f6/0x860 drivers/net/wireless/virtual/mac80211_hwsim.c:2317
 __iterate_interfaces+0x2ab/0x590 net/mac80211/util.c:761
 ieee80211_iterate_active_interfaces_atomic+0xdb/0x180 net/mac80211/util.c:797
 mac80211_hwsim_beacon+0xbb/0x1c0 drivers/net/wireless/virtual/mac80211_hwsim.c:2347
 __run_hrtimer kernel/time/hrtimer.c:1761 [inline]
 __hrtimer_run_queues+0x52c/0xc60 kernel/time/hrtimer.c:1825
 hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1842
 handle_softirqs+0x286/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:console_flush_all+0x7f7/0xc40 kernel/printk/printk.c:3227
Code: 48 21 c3 0f 85 e9 01 00 00 e8 85 b5 1e 00 48 8b 5c 24 20 4d 85 f6 75 07 e8 76 b5 1e 00 eb 06 e8 6f b5 1e 00 fb 48 8b 44 24 28 <42> 80 3c 20 00 74 08 48 89 df e8 5a aa 80 00 48 8b 1b 48 8b 44 24
RSP: 0018:ffffc90002ed6ee0 EFLAGS: 00000293
RAX: 1ffffffff1cf3eeb RBX: ffffffff8e79f758 RCX: ffff8880290f0000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90002ed7030 R08: ffffffff8f7ec977 R09: 1ffffffff1efd92e
R10: dffffc0000000000 R11: fffffbfff1efd92f R12: dffffc0000000000
R13: 0000000000000001 R14: 0000000000000200 R15: ffffffff8e79f700
 __console_flush_and_unlock kernel/printk/printk.c:3285 [inline]
 console_unlock+0xc4/0x270 kernel/printk/printk.c:3325
 vprintk_emit+0x5b7/0x7a0 kernel/printk/printk.c:2450
 dev_vprintk_emit+0x337/0x3f0 drivers/base/core.c:4917
 dev_printk_emit+0xe0/0x130 drivers/base/core.c:4928
 _dev_warn+0x10a/0x160 drivers/base/core.c:4984
 hid_parser_main+0x8b8/0xc40 drivers/hid/hid-core.c:-1
 hid_open_report+0x85b/0xee0 drivers/hid/hid-core.c:1328
 hid_parse include/linux/hid.h:1126 [inline]
 hid_generic_probe+0x3d/0x90 drivers/hid/hid-generic.c:66
 __hid_device_probe drivers/hid/hid-core.c:2717 [inline]
 hid_device_probe+0x39a/0x710 drivers/hid/hid-core.c:2754
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26d/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 hid_add_device+0x398/0x540 drivers/hid/hid-core.c:2900
 uhid_device_add_worker+0x43/0xf0 drivers/hid/uhid.c:73
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xade/0x17a0 kernel/workqueue.c:3319
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x4e/0x80 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>