* [syzbot] [mm?] INFO: task hung in write_cache_pages (2)
From: syzbot @ 2023-03-02 0:35 UTC
To: akpm, dvyukov, elver, glider, kasan-dev, linux-kernel, linux-mm, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 489fa31ea873 Merge branch 'work.misc' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1034fef8c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=cbfa7a73c540248d
dashboard link: https://syzkaller.appspot.com/bug?extid=0adf31ecbba886ab504f
compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16dc6960c80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16f39d50c80000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/8121ff3f8044/disk-489fa31e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/ba8296ba1bf7/vmlinux-489fa31e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6459f50e23f3/bzImage-489fa31e.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/845f6538108c/mount_1.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+0adf31ecbba886ab504f@syzkaller.appspotmail.com
INFO: task kworker/u4:0:9 blocked for more than 143 seconds.
Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u4:0 state:D stack:21720 pid:9 ppid:2 flags:0x00004000
Workqueue: writeback wb_workfn (flush-7:0)
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5304 [inline]
__schedule+0x17d8/0x4990 kernel/sched/core.c:6622
schedule+0xc3/0x180 kernel/sched/core.c:6698
io_schedule+0x8c/0x100 kernel/sched/core.c:8884
folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
folio_lock include/linux/pagemap.h:952 [inline]
write_cache_pages+0x58f/0x1450 mm/page-writeback.c:2440
mpage_writepages+0x107/0x1d0 fs/mpage.c:653
do_writepages+0x3a6/0x670 mm/page-writeback.c:2551
__writeback_single_inode+0x1c4/0x15e0 fs/fs-writeback.c:1600
writeback_sb_inodes+0x92c/0x1360 fs/fs-writeback.c:1891
__writeback_inodes_wb+0x11b/0x260 fs/fs-writeback.c:1962
wb_writeback+0x51c/0x1080 fs/fs-writeback.c:2067
wb_check_background_flush fs/fs-writeback.c:2133 [inline]
wb_do_writeback fs/fs-writeback.c:2221 [inline]
wb_workfn+0xd80/0x1100 fs/fs-writeback.c:2248
process_one_work+0x915/0x13a0 kernel/workqueue.c:2390
worker_thread+0xa63/0x1210 kernel/workqueue.c:2537
kthread+0x270/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
</TASK>
INFO: task kworker/u4:2:41 blocked for more than 143 seconds.
Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u4:2 state:D stack:20480 pid:41 ppid:2 flags:0x00004000
Workqueue: writeback wb_workfn (flush-7:5)
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5304 [inline]
__schedule+0x17d8/0x4990 kernel/sched/core.c:6622
schedule+0xc3/0x180 kernel/sched/core.c:6698
io_schedule+0x8c/0x100 kernel/sched/core.c:8884
folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
folio_lock include/linux/pagemap.h:952 [inline]
write_cache_pages+0x58f/0x1450 mm/page-writeback.c:2440
mpage_writepages+0x107/0x1d0 fs/mpage.c:653
do_writepages+0x3a6/0x670 mm/page-writeback.c:2551
__writeback_single_inode+0x1c4/0x15e0 fs/fs-writeback.c:1600
writeback_sb_inodes+0x92c/0x1360 fs/fs-writeback.c:1891
__writeback_inodes_wb+0x11b/0x260 fs/fs-writeback.c:1962
wb_writeback+0x51c/0x1080 fs/fs-writeback.c:2067
wb_check_old_data_flush fs/fs-writeback.c:2167 [inline]
wb_do_writeback fs/fs-writeback.c:2220 [inline]
wb_workfn+0xccb/0x1100 fs/fs-writeback.c:2248
process_one_work+0x915/0x13a0 kernel/workqueue.c:2390
worker_thread+0xa63/0x1210 kernel/workqueue.c:2537
kthread+0x270/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
</TASK>
INFO: task kworker/u4:4:75 blocked for more than 144 seconds.
Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u4:4 state:D stack:25088 pid:75 ppid:2 flags:0x00004000
Workqueue: writeback wb_workfn (flush-7:1)
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5304 [inline]
__schedule+0x17d8/0x4990 kernel/sched/core.c:6622
schedule+0xc3/0x180 kernel/sched/core.c:6698
io_schedule+0x8c/0x100 kernel/sched/core.c:8884
folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
folio_lock include/linux/pagemap.h:952 [inline]
write_cache_pages+0x58f/0x1450 mm/page-writeback.c:2440
mpage_writepages+0x107/0x1d0 fs/mpage.c:653
do_writepages+0x3a6/0x670 mm/page-writeback.c:2551
__writeback_single_inode+0x1c4/0x15e0 fs/fs-writeback.c:1600
writeback_sb_inodes+0x92c/0x1360 fs/fs-writeback.c:1891
__writeback_inodes_wb+0x11b/0x260 fs/fs-writeback.c:1962
wb_writeback+0x51c/0x1080 fs/fs-writeback.c:2067
wb_check_old_data_flush fs/fs-writeback.c:2167 [inline]
wb_do_writeback fs/fs-writeback.c:2220 [inline]
wb_workfn+0xccb/0x1100 fs/fs-writeback.c:2248
process_one_work+0x915/0x13a0 kernel/workqueue.c:2390
worker_thread+0xa63/0x1210 kernel/workqueue.c:2537
kthread+0x270/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
</TASK>
INFO: task syz-executor359:5222 blocked for more than 144 seconds.
Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor359 state:D stack:26576 pid:5222 ppid:5113 flags:0x00004004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5304 [inline]
__schedule+0x17d8/0x4990 kernel/sched/core.c:6622
schedule+0xc3/0x180 kernel/sched/core.c:6698
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6757
rwsem_down_read_slowpath+0x5f4/0x950 kernel/locking/rwsem.c:1086
__down_read_common+0x61/0x2c0 kernel/locking/rwsem.c:1250
mmap_read_lock include/linux/mmap_lock.h:117 [inline]
do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
handle_page_fault arch/x86/mm/fault.c:1498 [inline]
exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0033:0x7fd6f371b888
RSP: 002b:00007ffd6fdf2398 EFLAGS: 00010206
RAX: 00007fd6f374ebd0 RBX: 00007fd6f374d1a8 RCX: 0000000000000001
RDX: 00007fd6f3688d30 RSI: 0000000000000000 RDI: 00007fd6f374ebd0
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000001 R14: 00007fd6f37543e0 R15: 0000000000000001
</TASK>
INFO: task syz-executor359:5223 blocked for more than 144 seconds.
Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor359 state:D stack:24840 pid:5223 ppid:5113 flags:0x00004004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5304 [inline]
__schedule+0x17d8/0x4990 kernel/sched/core.c:6622
schedule+0xc3/0x180 kernel/sched/core.c:6698
io_schedule+0x8c/0x100 kernel/sched/core.c:8884
folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
folio_lock include/linux/pagemap.h:952 [inline]
write_cache_pages+0x58f/0x1450 mm/page-writeback.c:2440
mpage_writepages+0x107/0x1d0 fs/mpage.c:653
do_writepages+0x3a6/0x670 mm/page-writeback.c:2551
filemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:390
__filemap_fdatawrite_range mm/filemap.c:423 [inline]
file_write_and_wait_range+0x20f/0x300 mm/filemap.c:781
__generic_file_fsync+0x72/0x190 fs/libfs.c:1132
fat_file_fsync+0x7e/0x190 fs/fat/file.c:191
generic_write_sync include/linux/fs.h:2452 [inline]
generic_file_write_iter+0x2a1/0x310 mm/filemap.c:4090
call_write_iter include/linux/fs.h:1851 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x7b2/0xbb0 fs/read_write.c:584
ksys_write+0x1a0/0x2c0 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fd6f36ca719
RSP: 002b:00007fd6f36762f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fd6f374f7a0 RCX: 00007fd6f36ca719
RDX: 000000000208e24b RSI: 0000000020000080 RDI: 0000000000000004
RBP: 00007fd6f371c604 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd6f371c0e0
R13: 0000000020000a80 R14: 0030656c69662f2e R15: 00007fd6f374f7a8
</TASK>
INFO: task syz-executor359:5229 blocked for more than 144 seconds.
Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor359 state:D stack:26504 pid:5229 ppid:5113 flags:0x00004004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5304 [inline]
__schedule+0x17d8/0x4990 kernel/sched/core.c:6622
schedule+0xc3/0x180 kernel/sched/core.c:6698
io_schedule+0x8c/0x100 kernel/sched/core.c:8884
folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
folio_wait_writeback+0xec/0x1f0 mm/page-writeback.c:3127
migrate_folio_unmap mm/migrate.c:1192 [inline]
migrate_pages_batch mm/migrate.c:1685 [inline]
migrate_pages+0x2d50/0x6610 mm/migrate.c:1973
do_mbind mm/mempolicy.c:1338 [inline]
kernel_mbind mm/mempolicy.c:1485 [inline]
__do_sys_mbind mm/mempolicy.c:1559 [inline]
__se_sys_mbind+0x75a/0x9c0 mm/mempolicy.c:1555
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fd6f36ca719
RSP: 002b:00007fd6eb3552e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ed
RAX: ffffffffffffffda RBX: 00007fd6f374f7b0 RCX: 00007fd6f36ca719
RDX: 0000000000000000 RSI: 0000000000800000 RDI: 0000000020001000
RBP: 00007fd6f371c604 R08: 0000000000000000 R09: 0000000000000002
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd6f371c0e0
R13: 0000000020000a80 R14: 0030656c69662f2e R15: 00007fd6f374f7b8
</TASK>
INFO: task syz-executor359:5296 blocked for more than 145 seconds.
Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor359 state:D stack:27008 pid:5296 ppid:5112 flags:0x00004004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5304 [inline]
__schedule+0x17d8/0x4990 kernel/sched/core.c:6622
schedule+0xc3/0x180 kernel/sched/core.c:6698
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6757
rwsem_down_read_slowpath+0x5f4/0x950 kernel/locking/rwsem.c:1086
__down_read_common+0x61/0x2c0 kernel/locking/rwsem.c:1250
mmap_read_lock include/linux/mmap_lock.h:117 [inline]
do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
handle_page_fault arch/x86/mm/fault.c:1498 [inline]
exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0033:0x7fd6f371b888
RSP: 002b:00007ffd6fdf2398 EFLAGS: 00010206
RAX: 00007fd6f374ebd0 RBX: 00007fd6f374d1a8 RCX: 0000000000000001
RDX: 00007fd6f3688d30 RSI: 0000000000000000 RDI: 00007fd6f374ebd0
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000001 R14: 00007fd6f37543e0 R15: 0000000000000001
</TASK>
INFO: task syz-executor359:5298 blocked for more than 145 seconds.
Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor359 state:D stack:24840 pid:5298 ppid:5112 flags:0x00004004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5304 [inline]
__schedule+0x17d8/0x4990 kernel/sched/core.c:6622
schedule+0xc3/0x180 kernel/sched/core.c:6698
io_schedule+0x8c/0x100 kernel/sched/core.c:8884
folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
folio_lock include/linux/pagemap.h:952 [inline]
write_cache_pages+0x58f/0x1450 mm/page-writeback.c:2440
mpage_writepages+0x107/0x1d0 fs/mpage.c:653
do_writepages+0x3a6/0x670 mm/page-writeback.c:2551
filemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:390
__filemap_fdatawrite_range mm/filemap.c:423 [inline]
file_write_and_wait_range+0x20f/0x300 mm/filemap.c:781
__generic_file_fsync+0x72/0x190 fs/libfs.c:1132
fat_file_fsync+0x7e/0x190 fs/fat/file.c:191
generic_write_sync include/linux/fs.h:2452 [inline]
generic_file_write_iter+0x2a1/0x310 mm/filemap.c:4090
call_write_iter include/linux/fs.h:1851 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x7b2/0xbb0 fs/read_write.c:584
ksys_write+0x1a0/0x2c0 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fd6f36ca719
RSP: 002b:00007fd6f36762f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fd6f374f7a0 RCX: 00007fd6f36ca719
RDX: 000000000208e24b RSI: 0000000020000080 RDI: 0000000000000004
RBP: 00007fd6f371c604 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd6f371c0e0
R13: 0000000020000a80 R14: 0030656c69662f2e R15: 00007fd6f374f7a8
</TASK>
INFO: task syz-executor359:5304 blocked for more than 145 seconds.
Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor359 state:D stack:26504 pid:5304 ppid:5112 flags:0x00004004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5304 [inline]
__schedule+0x17d8/0x4990 kernel/sched/core.c:6622
schedule+0xc3/0x180 kernel/sched/core.c:6698
io_schedule+0x8c/0x100 kernel/sched/core.c:8884
folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
folio_wait_writeback+0xec/0x1f0 mm/page-writeback.c:3127
migrate_folio_unmap mm/migrate.c:1192 [inline]
migrate_pages_batch mm/migrate.c:1685 [inline]
migrate_pages+0x2d50/0x6610 mm/migrate.c:1973
do_mbind mm/mempolicy.c:1338 [inline]
kernel_mbind mm/mempolicy.c:1485 [inline]
__do_sys_mbind mm/mempolicy.c:1559 [inline]
__se_sys_mbind+0x75a/0x9c0 mm/mempolicy.c:1555
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fd6f36ca719
RSP: 002b:00007fd6eb3552e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ed
RAX: ffffffffffffffda RBX: 00007fd6f374f7b0 RCX: 00007fd6f36ca719
RDX: 0000000000000000 RSI: 0000000000800000 RDI: 0000000020001000
RBP: 00007fd6f371c604 R08: 0000000000000000 R09: 0000000000000002
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd6f371c0e0
R13: 0000000020000a80 R14: 0030656c69662f2e R15: 00007fd6f374f7b8
</TASK>
INFO: task syz-executor359:5460 blocked for more than 146 seconds.
Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor359 state:D stack:26520 pid:5460 ppid:5115 flags:0x00004004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5304 [inline]
__schedule+0x17d8/0x4990 kernel/sched/core.c:6622
schedule+0xc3/0x180 kernel/sched/core.c:6698
schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6757
rwsem_down_read_slowpath+0x5f4/0x950 kernel/locking/rwsem.c:1086
__down_read_common+0x61/0x2c0 kernel/locking/rwsem.c:1250
mmap_read_lock include/linux/mmap_lock.h:117 [inline]
do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
handle_page_fault arch/x86/mm/fault.c:1498 [inline]
exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
RIP: 0033:0x7fd6f371b888
RSP: 002b:00007ffd6fdf2398 EFLAGS: 00010206
RAX: 00007fd6f374ebd0 RBX: 00007fd6f374d1a8 RCX: 0000000000000001
RDX: 00007fd6f3688d30 RSI: 0000000000000000 RDI: 00007fd6f374ebd0
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000001 R14: 00007fd6f37543e0 R15: 0000000000000001
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
Showing all locks held in the system:
3 locks held by kworker/u4:0/9:
#0: ffff8881451bb938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x77f/0x13a0
#1: ffffc900000e7d20 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x7c6/0x13a0 kernel/workqueue.c:2365
#2: ffff88807dfe20e0 (&type->s_umount_key#43){++++}-{3:3}, at: trylock_super+0x1f/0xf0 fs/super.c:414
1 lock held by rcu_tasks_kthre/12:
#0: ffffffff8d127cf0 (rcu_tasks.tasks_gp_mutex){+.+.}-{3:3}, at: rcu_tasks_one_gp+0x29/0xd20 kernel/rcu/tasks.h:510
1 lock held by rcu_tasks_trace/13:
#0: ffffffff8d1284f0 (rcu_tasks_trace.tasks_gp_mutex){+.+.}-{3:3}, at: rcu_tasks_one_gp+0x29/0xd20 kernel/rcu/tasks.h:510
1 lock held by khungtaskd/28:
#0: ffffffff8d127b20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x0/0x30
3 locks held by kworker/u4:2/41:
#0: ffff8881451bb938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x77f/0x13a0
#1: ffffc90000b27d20 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x7c6/0x13a0 kernel/workqueue.c:2365
#2: ffff88801d8680e0 (&type->s_umount_key#43){++++}-{3:3}, at: trylock_super+0x1f/0xf0 fs/super.c:414
3 locks held by kworker/u4:4/75:
#0: ffff8881451bb938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x77f/0x13a0
#1: ffffc900020efd20 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x7c6/0x13a0 kernel/workqueue.c:2365
#2: ffff88802c2640e0 (&type->s_umount_key#43){++++}-{3:3}, at: trylock_super+0x1f/0xf0 fs/super.c:414
2 locks held by kworker/1:2/2494:
#0: ffff888012472538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_one_work+0x77f/0x13a0
#1: ffffc9000a86fd20 ((work_completion)(&rew->rew_work)){+.+.}-{0:0}, at: process_one_work+0x7c6/0x13a0 kernel/workqueue.c:2365
2 locks held by getty/4750:
#0: ffff88814a0e2098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:244
#1: ffffc900015802f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6ab/0x1db0 drivers/tty/n_tty.c:2177
1 lock held by syz-executor359/5222:
#0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:117 [inline]
#0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
#0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: handle_page_fault arch/x86/mm/fault.c:1498 [inline]
#0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
2 locks held by syz-executor359/5223:
#0: ffff888021e0f768 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x254/0x2f0 fs/file.c:1046
#1: ffff88802c264460 (sb_writers#9){.+.+}-{0:0}, at: vfs_write+0x26d/0xbb0 fs/read_write.c:580
1 lock held by syz-executor359/5229:
#0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock include/linux/mmap_lock.h:71 [inline]
#0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: do_mbind mm/mempolicy.c:1312 [inline]
#0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: kernel_mbind mm/mempolicy.c:1485 [inline]
#0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: __do_sys_mbind mm/mempolicy.c:1559 [inline]
#0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: __se_sys_mbind+0x47d/0x9c0 mm/mempolicy.c:1555
1 lock held by syz-executor359/5296:
#0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:117 [inline]
#0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
#0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: handle_page_fault arch/x86/mm/fault.c:1498 [inline]
#0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
2 locks held by syz-executor359/5298:
#0: ffff88807e2b0fe8 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x254/0x2f0 fs/file.c:1046
#1: ffff88807dfe2460 (sb_writers#9){.+.+}-{0:0}, at: vfs_write+0x26d/0xbb0 fs/read_write.c:580
1 lock held by syz-executor359/5304:
#0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock include/linux/mmap_lock.h:71 [inline]
#0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: do_mbind mm/mempolicy.c:1312 [inline]
#0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: kernel_mbind mm/mempolicy.c:1485 [inline]
#0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: __do_sys_mbind mm/mempolicy.c:1559 [inline]
#0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: __se_sys_mbind+0x47d/0x9c0 mm/mempolicy.c:1555
1 lock held by syz-executor359/5460:
#0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:117 [inline]
#0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
#0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: handle_page_fault arch/x86/mm/fault.c:1498 [inline]
#0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
2 locks held by syz-executor359/5461:
#0: ffff88801da66ae8 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x254/0x2f0 fs/file.c:1046
#1: ffff888148d0a460 (sb_writers#9){.+.+}-{0:0}, at: vfs_write+0x26d/0xbb0 fs/read_write.c:580
1 lock held by syz-executor359/5467:
#0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock include/linux/mmap_lock.h:71 [inline]
#0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: do_mbind mm/mempolicy.c:1312 [inline]
#0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: kernel_mbind mm/mempolicy.c:1485 [inline]
#0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: __do_sys_mbind mm/mempolicy.c:1559 [inline]
#0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: __se_sys_mbind+0x47d/0x9c0 mm/mempolicy.c:1555
1 lock held by syz-executor359/5570:
#0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:117 [inline]
#0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
#0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: handle_page_fault arch/x86/mm/fault.c:1498 [inline]
#0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
2 locks held by syz-executor359/5571:
#0: ffff88807838a5e8 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x254/0x2f0 fs/file.c:1046
#1: ffff88801d868460 (sb_writers#9){.+.+}-{0:0}, at: vfs_write+0x26d/0xbb0 fs/read_write.c:580
1 lock held by syz-executor359/5575:
#0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock include/linux/mmap_lock.h:71 [inline]
#0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: do_mbind mm/mempolicy.c:1312 [inline]
#0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: kernel_mbind mm/mempolicy.c:1485 [inline]
#0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: __do_sys_mbind mm/mempolicy.c:1559 [inline]
#0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: __se_sys_mbind+0x47d/0x9c0 mm/mempolicy.c:1555
1 lock held by syz-executor359/5572:
#0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:117 [inline]
#0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
#0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: handle_page_fault arch/x86/mm/fault.c:1498 [inline]
#0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
2 locks held by syz-executor359/5573:
#0: ffff888026d84d68 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x254/0x2f0 fs/file.c:1046
#1: ffff88807b6ac460 (sb_writers#9){.+.+}-{0:0}, at: vfs_write+0x26d/0xbb0 fs/read_write.c:580
1 lock held by syz-executor359/5576:
#0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock include/linux/mmap_lock.h:71 [inline]
#0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: do_mbind mm/mempolicy.c:1312 [inline]
#0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: kernel_mbind mm/mempolicy.c:1485 [inline]
#0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: __do_sys_mbind mm/mempolicy.c:1559 [inline]
#0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: __se_sys_mbind+0x47d/0x9c0 mm/mempolicy.c:1555
3 locks held by kworker/u4:3/5614:
#0: ffff8881451bb938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x77f/0x13a0
#1: ffffc90004defd20 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x7c6/0x13a0 kernel/workqueue.c:2365
#2: ffff88807b6ac0e0 (&type->s_umount_key#43){++++}-{3:3}, at: trylock_super+0x1f/0xf0 fs/super.c:414
3 locks held by kworker/u4:5/6087:
#0: ffff8881451bb938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x77f/0x13a0
#1: ffffc900055b7d20 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x7c6/0x13a0 kernel/workqueue.c:2365
#2: ffff888148d0a0e0 (&type->s_umount_key#43){++++}-{3:3}, at: trylock_super+0x1f/0xf0 fs/super.c:414
1 lock held by syz-executor359/12461:
#0: ffffffff8d12d1f8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:293 [inline]
#0: ffffffff8d12d1f8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x3a3/0x890 kernel/rcu/tree_exp.h:989
=============================================
NMI backtrace for cpu 0
CPU: 0 PID: 28 Comm: khungtaskd Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
nmi_cpu_backtrace+0x4e5/0x560 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x1b4/0x410 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:148 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:222 [inline]
watchdog+0x1024/0x1070 kernel/hung_task.c:379
kthread+0x270/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
</TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 6343 Comm: kworker/u4:9 Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
Workqueue: events_unbound toggle_allocation_gate
RIP: 0010:rcu_sync_is_idle include/linux/rcu_sync.h:36 [inline]
RIP: 0010:percpu_up_read include/linux/percpu-rwsem.h:105 [inline]
RIP: 0010:cpus_read_unlock+0x5f/0x130 kernel/cpu.c:322
Code: 85 db 74 1b e8 c2 4f 20 00 89 c3 31 ff 89 c6 e8 87 23 39 00 85 db 74 5b e8 ce 1f 39 00 eb 05 e8 c7 1f 39 00 8b 1d 41 be a8 0b <31> ff 89 de e8 68 23 39 00 85 db 0f 85 8c 00 00 00 e8 ab 1f 39 00
RSP: 0018:ffffc90005757b70 EFLAGS: 00000293
RAX: ffffffff81538cb2 RBX: 0000000000000000 RCX: ffff888028643a80
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90005757c50 R08: ffffffff81538ca9 R09: fffffbfff1ce8d2e
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: 1ffff1104779cc03 R14: 0000000000000000 R15: 1ffff92000aeaf70
FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffd6fdf0bb8 CR3: 000000000cf30000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
toggle_allocation_gate+0xb5/0x250 mm/kfence/core.c:799
process_one_work+0x915/0x13a0 kernel/workqueue.c:2390
worker_thread+0xa63/0x1210 kernel/workqueue.c:2537
kthread+0x270/0x300 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches
* Re: [syzbot] [mm?] INFO: task hung in write_cache_pages (2)
From: syzbot @ 2023-03-02 12:06 UTC
To: akpm, davem, dvyukov, edumazet, elver, glider, hdanton, kasan-dev, kuba, linux-kernel, linux-mm, netdev, pabeni, syzkaller-bugs, willy
syzbot has bisected this issue to:
commit 17bb55487988c5dac32d55a4f085e52f875f98cc
Author: Matthew Wilcox (Oracle) <willy@infradead.org>
Date: Tue May 17 22:12:25 2022 +0000
ntfs: Remove check for PageError
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13fd6e54c80000
start commit: 489fa31ea873 Merge branch 'work.misc' of git://git.kernel...
git tree: upstream
final oops: https://syzkaller.appspot.com/x/report.txt?x=10036e54c80000
console output: https://syzkaller.appspot.com/x/log.txt?x=17fd6e54c80000
kernel config: https://syzkaller.appspot.com/x/.config?x=cbfa7a73c540248d
dashboard link: https://syzkaller.appspot.com/bug?extid=0adf31ecbba886ab504f
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16dc6960c80000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16f39d50c80000
Reported-by: syzbot+0adf31ecbba886ab504f@syzkaller.appspotmail.com
Fixes: 17bb55487988 ("ntfs: Remove check for PageError")
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
* Re: [syzbot] [mm?] INFO: task hung in write_cache_pages (2)
From: Matthew Wilcox @ 2023-03-02 13:23 UTC
To: syzbot
Cc: akpm, davem, dvyukov, edumazet, elver, glider, hdanton, kasan-dev, kuba, linux-kernel, linux-mm, netdev, pabeni, syzkaller-bugs
On Thu, Mar 02, 2023 at 04:06:28AM -0800, syzbot wrote:
> syzbot has bisected this issue to:
>
> commit 17bb55487988c5dac32d55a4f085e52f875f98cc
> Author: Matthew Wilcox (Oracle) <willy@infradead.org>
> Date: Tue May 17 22:12:25 2022 +0000
>
> ntfs: Remove check for PageError
Syzbot has bisected to the wrong commit. That code (a) isn't going
to be executed by this test, since it doesn't have an ntfs image and
(b) was dead. Never could have been executed.
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=13fd6e54c80000
> start commit: 489fa31ea873 Merge branch 'work.misc' of git://git.kernel...
> git tree: upstream
> final oops: https://syzkaller.appspot.com/x/report.txt?x=10036e54c80000
> console output: https://syzkaller.appspot.com/x/log.txt?x=17fd6e54c80000
> kernel config: https://syzkaller.appspot.com/x/.config?x=cbfa7a73c540248d
> dashboard link: https://syzkaller.appspot.com/bug?extid=0adf31ecbba886ab504f
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16dc6960c80000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16f39d50c80000
>
> Reported-by: syzbot+0adf31ecbba886ab504f@syzkaller.appspotmail.com
> Fixes: 17bb55487988 ("ntfs: Remove check for PageError")
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
* Re: [syzbot] [mm?] INFO: task hung in write_cache_pages (2)
From: Yang Shi @ 2023-03-02 20:10 UTC
To: syzbot, Huang Ying, Hugh Dickins
Cc: akpm, dvyukov, elver, glider, kasan-dev, linux-kernel, linux-mm, syzkaller-bugs
On Wed, Mar 1, 2023 at 4:36 PM syzbot <syzbot+0adf31ecbba886ab504f@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 489fa31ea873 Merge branch 'work.misc' of git://git.kernel...
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=1034fef8c80000
> kernel config: https://syzkaller.appspot.com/x/.config?x=cbfa7a73c540248d
> dashboard link: https://syzkaller.appspot.com/bug?extid=0adf31ecbba886ab504f
> compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16dc6960c80000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16f39d50c80000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/8121ff3f8044/disk-489fa31e.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/ba8296ba1bf7/vmlinux-489fa31e.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/6459f50e23f3/bzImage-489fa31e.xz
> mounted in repro: https://storage.googleapis.com/syzbot-assets/845f6538108c/mount_1.gz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+0adf31ecbba886ab504f@syzkaller.appspotmail.com
>
> INFO: task kworker/u4:0:9 blocked for more than 143 seconds.
> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:kworker/u4:0 state:D stack:21720 pid:9 ppid:2 flags:0x00004000
> Workqueue: writeback wb_workfn (flush-7:0)
> Call Trace:
> <TASK>
> context_switch kernel/sched/core.c:5304 [inline]
> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
> schedule+0xc3/0x180 kernel/sched/core.c:6698
> io_schedule+0x8c/0x100 kernel/sched/core.c:8884
> folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
> folio_lock include/linux/pagemap.h:952 [inline]
> write_cache_pages+0x58f/0x1450 mm/page-writeback.c:2440
> mpage_writepages+0x107/0x1d0 fs/mpage.c:653
> do_writepages+0x3a6/0x670 mm/page-writeback.c:2551
> __writeback_single_inode+0x1c4/0x15e0 fs/fs-writeback.c:1600
> writeback_sb_inodes+0x92c/0x1360 fs/fs-writeback.c:1891
> __writeback_inodes_wb+0x11b/0x260 fs/fs-writeback.c:1962
> wb_writeback+0x51c/0x1080 fs/fs-writeback.c:2067
> wb_check_background_flush fs/fs-writeback.c:2133 [inline]
> wb_do_writeback fs/fs-writeback.c:2221 [inline]
> wb_workfn+0xd80/0x1100 fs/fs-writeback.c:2248
> process_one_work+0x915/0x13a0 kernel/workqueue.c:2390
> worker_thread+0xa63/0x1210 kernel/workqueue.c:2537
> kthread+0x270/0x300 kernel/kthread.c:376
> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
> </TASK>
> INFO: task kworker/u4:2:41 blocked for more than 143 seconds.
> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:kworker/u4:2 state:D stack:20480 pid:41 ppid:2 flags:0x00004000
> Workqueue: writeback wb_workfn (flush-7:5)
> Call Trace:
> <TASK>
> context_switch kernel/sched/core.c:5304 [inline]
> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
> schedule+0xc3/0x180 kernel/sched/core.c:6698
> io_schedule+0x8c/0x100 kernel/sched/core.c:8884
> folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
> folio_lock include/linux/pagemap.h:952 [inline]
> write_cache_pages+0x58f/0x1450 mm/page-writeback.c:2440
> mpage_writepages+0x107/0x1d0 fs/mpage.c:653
> do_writepages+0x3a6/0x670 mm/page-writeback.c:2551
> __writeback_single_inode+0x1c4/0x15e0 fs/fs-writeback.c:1600
> writeback_sb_inodes+0x92c/0x1360 fs/fs-writeback.c:1891
> __writeback_inodes_wb+0x11b/0x260 fs/fs-writeback.c:1962
> wb_writeback+0x51c/0x1080 fs/fs-writeback.c:2067
> wb_check_old_data_flush fs/fs-writeback.c:2167 [inline]
> wb_do_writeback fs/fs-writeback.c:2220 [inline]
> wb_workfn+0xccb/0x1100 fs/fs-writeback.c:2248
> process_one_work+0x915/0x13a0 kernel/workqueue.c:2390
> worker_thread+0xa63/0x1210 kernel/workqueue.c:2537
> kthread+0x270/0x300 kernel/kthread.c:376
> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
> </TASK>
> INFO: task kworker/u4:4:75 blocked for more than 144 seconds.
> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:kworker/u4:4 state:D stack:25088 pid:75 ppid:2 flags:0x00004000
> Workqueue: writeback wb_workfn (flush-7:1)
> Call Trace:
> <TASK>
> context_switch kernel/sched/core.c:5304 [inline]
> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
> schedule+0xc3/0x180 kernel/sched/core.c:6698
> io_schedule+0x8c/0x100 kernel/sched/core.c:8884
> folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
> folio_lock include/linux/pagemap.h:952 [inline]
> write_cache_pages+0x58f/0x1450 mm/page-writeback.c:2440
> mpage_writepages+0x107/0x1d0 fs/mpage.c:653
> do_writepages+0x3a6/0x670 mm/page-writeback.c:2551
> __writeback_single_inode+0x1c4/0x15e0 fs/fs-writeback.c:1600
> writeback_sb_inodes+0x92c/0x1360 fs/fs-writeback.c:1891
> __writeback_inodes_wb+0x11b/0x260 fs/fs-writeback.c:1962
> wb_writeback+0x51c/0x1080 fs/fs-writeback.c:2067
> wb_check_old_data_flush fs/fs-writeback.c:2167 [inline]
> wb_do_writeback fs/fs-writeback.c:2220 [inline]
> wb_workfn+0xccb/0x1100 fs/fs-writeback.c:2248
> process_one_work+0x915/0x13a0 kernel/workqueue.c:2390
> worker_thread+0xa63/0x1210 kernel/workqueue.c:2537
> kthread+0x270/0x300 kernel/kthread.c:376
> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
> </TASK>
> INFO: task syz-executor359:5222 blocked for more than 144 seconds.
> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:syz-executor359 state:D stack:26576 pid:5222 ppid:5113 flags:0x00004004
> Call Trace:
> <TASK>
> context_switch kernel/sched/core.c:5304 [inline]
> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
> schedule+0xc3/0x180 kernel/sched/core.c:6698
> schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6757
> rwsem_down_read_slowpath+0x5f4/0x950 kernel/locking/rwsem.c:1086
> __down_read_common+0x61/0x2c0 kernel/locking/rwsem.c:1250
> mmap_read_lock include/linux/mmap_lock.h:117 [inline]
> do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
> handle_page_fault arch/x86/mm/fault.c:1498 [inline]
> exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
> asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
> RIP: 0033:0x7fd6f371b888
> RSP: 002b:00007ffd6fdf2398 EFLAGS: 00010206
> RAX: 00007fd6f374ebd0 RBX: 00007fd6f374d1a8 RCX: 0000000000000001
> RDX: 00007fd6f3688d30 RSI: 0000000000000000 RDI: 00007fd6f374ebd0
> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000010
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000000000001 R14: 00007fd6f37543e0 R15: 0000000000000001
> </TASK>
> INFO: task syz-executor359:5223 blocked for more than 144 seconds.
> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:syz-executor359 state:D stack:24840 pid:5223 ppid:5113 flags:0x00004004
> Call Trace:
> <TASK>
> context_switch kernel/sched/core.c:5304 [inline]
> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
> schedule+0xc3/0x180 kernel/sched/core.c:6698
> io_schedule+0x8c/0x100 kernel/sched/core.c:8884
> folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
> folio_lock include/linux/pagemap.h:952 [inline]
> write_cache_pages+0x58f/0x1450 mm/page-writeback.c:2440
> mpage_writepages+0x107/0x1d0 fs/mpage.c:653
> do_writepages+0x3a6/0x670 mm/page-writeback.c:2551
> filemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:390
> __filemap_fdatawrite_range mm/filemap.c:423 [inline]
> file_write_and_wait_range+0x20f/0x300 mm/filemap.c:781
> __generic_file_fsync+0x72/0x190 fs/libfs.c:1132
> fat_file_fsync+0x7e/0x190 fs/fat/file.c:191
> generic_write_sync include/linux/fs.h:2452 [inline]
> generic_file_write_iter+0x2a1/0x310 mm/filemap.c:4090
> call_write_iter include/linux/fs.h:1851 [inline]
> new_sync_write fs/read_write.c:491 [inline]
> vfs_write+0x7b2/0xbb0 fs/read_write.c:584
> ksys_write+0x1a0/0x2c0 fs/read_write.c:637
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7fd6f36ca719
> RSP: 002b:00007fd6f36762f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> RAX: ffffffffffffffda RBX: 00007fd6f374f7a0 RCX: 00007fd6f36ca719
> RDX: 000000000208e24b RSI: 0000000020000080 RDI: 0000000000000004
> RBP: 00007fd6f371c604 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd6f371c0e0
> R13: 0000000020000a80 R14: 0030656c69662f2e R15: 00007fd6f374f7a8
> </TASK>
> INFO: task syz-executor359:5229 blocked for more than 144 seconds.
> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:syz-executor359 state:D stack:26504 pid:5229 ppid:5113 flags:0x00004004
> Call Trace:
> <TASK>
> context_switch kernel/sched/core.c:5304 [inline]
> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
> schedule+0xc3/0x180 kernel/sched/core.c:6698
> io_schedule+0x8c/0x100 kernel/sched/core.c:8884
> folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
> folio_wait_writeback+0xec/0x1f0 mm/page-writeback.c:3127
> migrate_folio_unmap mm/migrate.c:1192 [inline]
> migrate_pages_batch mm/migrate.c:1685 [inline]
> migrate_pages+0x2d50/0x6610 mm/migrate.c:1973
The migration has locked the page, but is waiting for writeback. The
writeback is waiting for the page lock...
I recalled Hugh reported the same bug. There is a patch to solve it,
but it may not be in Linus's tree yet. And it seems like the
reproducer is dirtying some files on a loop device and calling mbind at
the same time. This does match the reproducer mentioned by Hugh.
> do_mbind mm/mempolicy.c:1338 [inline]
> kernel_mbind mm/mempolicy.c:1485 [inline]
> __do_sys_mbind mm/mempolicy.c:1559 [inline]
> __se_sys_mbind+0x75a/0x9c0 mm/mempolicy.c:1555
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7fd6f36ca719
> RSP: 002b:00007fd6eb3552e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ed
> RAX: ffffffffffffffda RBX: 00007fd6f374f7b0 RCX: 00007fd6f36ca719
> RDX: 0000000000000000 RSI: 0000000000800000 RDI: 0000000020001000
> RBP: 00007fd6f371c604 R08: 0000000000000000 R09: 0000000000000002
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd6f371c0e0
> R13: 0000000020000a80 R14: 0030656c69662f2e R15: 00007fd6f374f7b8
> </TASK>
> INFO: task syz-executor359:5296 blocked for more than 145 seconds.
> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:syz-executor359 state:D stack:27008 pid:5296 ppid:5112 flags:0x00004004
> Call Trace:
> <TASK>
> context_switch kernel/sched/core.c:5304 [inline]
> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
> schedule+0xc3/0x180 kernel/sched/core.c:6698
> schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6757
> rwsem_down_read_slowpath+0x5f4/0x950 kernel/locking/rwsem.c:1086
> __down_read_common+0x61/0x2c0 kernel/locking/rwsem.c:1250
> mmap_read_lock include/linux/mmap_lock.h:117 [inline]
> do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
> handle_page_fault arch/x86/mm/fault.c:1498 [inline]
> exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
> asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
> RIP: 0033:0x7fd6f371b888
> RSP: 002b:00007ffd6fdf2398 EFLAGS: 00010206
> RAX: 00007fd6f374ebd0 RBX: 00007fd6f374d1a8 RCX: 0000000000000001
> RDX: 00007fd6f3688d30 RSI: 0000000000000000 RDI: 00007fd6f374ebd0
> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000010
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000000000001 R14: 00007fd6f37543e0 R15: 0000000000000001
> </TASK>
> INFO: task syz-executor359:5298 blocked for more than 145 seconds.
> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:syz-executor359 state:D stack:24840 pid:5298 ppid:5112 flags:0x00004004
> Call Trace:
> <TASK>
> context_switch kernel/sched/core.c:5304 [inline]
> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
> schedule+0xc3/0x180 kernel/sched/core.c:6698
> io_schedule+0x8c/0x100 kernel/sched/core.c:8884
> folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
> folio_lock include/linux/pagemap.h:952 [inline]
> write_cache_pages+0x58f/0x1450 mm/page-writeback.c:2440
> mpage_writepages+0x107/0x1d0 fs/mpage.c:653
> do_writepages+0x3a6/0x670 mm/page-writeback.c:2551
> filemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:390
> __filemap_fdatawrite_range mm/filemap.c:423 [inline]
> file_write_and_wait_range+0x20f/0x300 mm/filemap.c:781
> __generic_file_fsync+0x72/0x190 fs/libfs.c:1132
> fat_file_fsync+0x7e/0x190 fs/fat/file.c:191
> generic_write_sync include/linux/fs.h:2452 [inline]
> generic_file_write_iter+0x2a1/0x310 mm/filemap.c:4090
> call_write_iter include/linux/fs.h:1851 [inline]
> new_sync_write fs/read_write.c:491 [inline]
> vfs_write+0x7b2/0xbb0 fs/read_write.c:584
> ksys_write+0x1a0/0x2c0 fs/read_write.c:637
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7fd6f36ca719
> RSP: 002b:00007fd6f36762f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> RAX: ffffffffffffffda RBX: 00007fd6f374f7a0 RCX: 00007fd6f36ca719
> RDX: 000000000208e24b RSI: 0000000020000080 RDI: 0000000000000004
> RBP: 00007fd6f371c604 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd6f371c0e0
> R13: 0000000020000a80 R14: 0030656c69662f2e R15: 00007fd6f374f7a8
> </TASK>
> INFO: task syz-executor359:5304 blocked for more than 145 seconds.
> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:syz-executor359 state:D stack:26504 pid:5304 ppid:5112 flags:0x00004004
> Call Trace:
> <TASK>
> context_switch kernel/sched/core.c:5304 [inline]
> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
> schedule+0xc3/0x180 kernel/sched/core.c:6698
> io_schedule+0x8c/0x100 kernel/sched/core.c:8884
> folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
> folio_wait_writeback+0xec/0x1f0 mm/page-writeback.c:3127
> migrate_folio_unmap mm/migrate.c:1192 [inline]
> migrate_pages_batch mm/migrate.c:1685 [inline]
> migrate_pages+0x2d50/0x6610 mm/migrate.c:1973
> do_mbind mm/mempolicy.c:1338 [inline]
> kernel_mbind mm/mempolicy.c:1485 [inline]
> __do_sys_mbind mm/mempolicy.c:1559 [inline]
> __se_sys_mbind+0x75a/0x9c0 mm/mempolicy.c:1555
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> RIP: 0033:0x7fd6f36ca719
> RSP: 002b:00007fd6eb3552e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ed
> RAX: ffffffffffffffda RBX: 00007fd6f374f7b0 RCX: 00007fd6f36ca719
> RDX: 0000000000000000 RSI: 0000000000800000 RDI: 0000000020001000
> RBP: 00007fd6f371c604 R08: 0000000000000000 R09: 0000000000000002
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd6f371c0e0
> R13: 0000000020000a80 R14: 0030656c69662f2e R15: 00007fd6f374f7b8
> </TASK>
> INFO: task syz-executor359:5460 blocked for more than 146 seconds.
> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:syz-executor359 state:D stack:26520 pid:5460 ppid:5115 flags:0x00004004
> Call Trace:
> <TASK>
> context_switch kernel/sched/core.c:5304 [inline]
> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
> schedule+0xc3/0x180 kernel/sched/core.c:6698
> schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6757
> rwsem_down_read_slowpath+0x5f4/0x950 kernel/locking/rwsem.c:1086
> __down_read_common+0x61/0x2c0 kernel/locking/rwsem.c:1250
> mmap_read_lock include/linux/mmap_lock.h:117 [inline]
> do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
> handle_page_fault arch/x86/mm/fault.c:1498 [inline]
> exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
> asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
> RIP: 0033:0x7fd6f371b888
> RSP: 002b:00007ffd6fdf2398 EFLAGS: 00010206
> RAX: 00007fd6f374ebd0 RBX: 00007fd6f374d1a8 RCX: 0000000000000001
> RDX: 00007fd6f3688d30 RSI: 0000000000000000 RDI: 00007fd6f374ebd0
> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000010
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000000000001 R14: 00007fd6f37543e0 R15: 0000000000000001
> </TASK>
> Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
>
> Showing all locks held in the system:
> 3 locks held by kworker/u4:0/9:
> #0: ffff8881451bb938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x77f/0x13a0
> #1: ffffc900000e7d20 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x7c6/0x13a0 kernel/workqueue.c:2365
> #2: ffff88807dfe20e0 (&type->s_umount_key#43){++++}-{3:3}, at: trylock_super+0x1f/0xf0 fs/super.c:414
> 1 lock held by rcu_tasks_kthre/12:
> #0: ffffffff8d127cf0 (rcu_tasks.tasks_gp_mutex){+.+.}-{3:3}, at: rcu_tasks_one_gp+0x29/0xd20 kernel/rcu/tasks.h:510
> 1 lock held by rcu_tasks_trace/13:
> #0: ffffffff8d1284f0 (rcu_tasks_trace.tasks_gp_mutex){+.+.}-{3:3}, at: rcu_tasks_one_gp+0x29/0xd20 kernel/rcu/tasks.h:510
> 1 lock held by khungtaskd/28:
> #0: ffffffff8d127b20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x0/0x30
> 3 locks held by kworker/u4:2/41:
> #0: ffff8881451bb938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x77f/0x13a0
> #1: ffffc90000b27d20 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x7c6/0x13a0 kernel/workqueue.c:2365
> #2: ffff88801d8680e0 (&type->s_umount_key#43){++++}-{3:3}, at: trylock_super+0x1f/0xf0 fs/super.c:414
> 3 locks held by kworker/u4:4/75:
> #0: ffff8881451bb938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x77f/0x13a0
> #1: ffffc900020efd20 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x7c6/0x13a0 kernel/workqueue.c:2365
> #2: ffff88802c2640e0 (&type->s_umount_key#43){++++}-{3:3}, at: trylock_super+0x1f/0xf0 fs/super.c:414
> 2 locks held by kworker/1:2/2494:
> #0: ffff888012472538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_one_work+0x77f/0x13a0
> #1: ffffc9000a86fd20 ((work_completion)(&rew->rew_work)){+.+.}-{0:0}, at: process_one_work+0x7c6/0x13a0 kernel/workqueue.c:2365
> 2 locks held by getty/4750:
> #0: ffff88814a0e2098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:244
> #1: ffffc900015802f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6ab/0x1db0 drivers/tty/n_tty.c:2177
> 1 lock held by syz-executor359/5222:
> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:117 [inline]
> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: handle_page_fault arch/x86/mm/fault.c:1498 [inline]
> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
> 2 locks held by syz-executor359/5223:
> #0: ffff888021e0f768 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x254/0x2f0 fs/file.c:1046
> #1: ffff88802c264460 (sb_writers#9){.+.+}-{0:0}, at: vfs_write+0x26d/0xbb0 fs/read_write.c:580
> 1 lock held by syz-executor359/5229:
> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock include/linux/mmap_lock.h:71 [inline]
> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: do_mbind mm/mempolicy.c:1312 [inline]
> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: kernel_mbind mm/mempolicy.c:1485 [inline]
> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: __do_sys_mbind mm/mempolicy.c:1559 [inline]
> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: __se_sys_mbind+0x47d/0x9c0 mm/mempolicy.c:1555
> 1 lock held by syz-executor359/5296:
> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:117 [inline]
> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: handle_page_fault arch/x86/mm/fault.c:1498 [inline]
> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
> 2 locks held by syz-executor359/5298:
> #0: ffff88807e2b0fe8 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x254/0x2f0 fs/file.c:1046
> #1: ffff88807dfe2460 (sb_writers#9){.+.+}-{0:0}, at: vfs_write+0x26d/0xbb0 fs/read_write.c:580
> 1 lock held by syz-executor359/5304:
> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock include/linux/mmap_lock.h:71 [inline]
> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: do_mbind mm/mempolicy.c:1312 [inline]
> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: kernel_mbind mm/mempolicy.c:1485 [inline]
> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: __do_sys_mbind mm/mempolicy.c:1559 [inline]
> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: __se_sys_mbind+0x47d/0x9c0 mm/mempolicy.c:1555
> 1 lock held by syz-executor359/5460:
> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:117 [inline]
> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: handle_page_fault arch/x86/mm/fault.c:1498 [inline]
> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
> 2 locks held by syz-executor359/5461:
> #0: ffff88801da66ae8 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x254/0x2f0 fs/file.c:1046
> #1: ffff888148d0a460 (sb_writers#9){.+.+}-{0:0}, at: vfs_write+0x26d/0xbb0 fs/read_write.c:580
> 1 lock held by syz-executor359/5467:
> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock include/linux/mmap_lock.h:71 [inline]
> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: do_mbind mm/mempolicy.c:1312 [inline]
> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: kernel_mbind mm/mempolicy.c:1485 [inline]
> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: __do_sys_mbind mm/mempolicy.c:1559 [inline]
> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: __se_sys_mbind+0x47d/0x9c0 mm/mempolicy.c:1555
> 1 lock held by syz-executor359/5570:
> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:117 [inline]
> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: handle_page_fault arch/x86/mm/fault.c:1498 [inline]
> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
> 2 locks held by syz-executor359/5571:
> #0: ffff88807838a5e8 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x254/0x2f0 fs/file.c:1046
> #1: ffff88801d868460 (sb_writers#9){.+.+}-{0:0}, at: vfs_write+0x26d/0xbb0 fs/read_write.c:580
> 1 lock held by syz-executor359/5575:
> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock include/linux/mmap_lock.h:71 [inline]
> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: do_mbind mm/mempolicy.c:1312 [inline]
> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: kernel_mbind mm/mempolicy.c:1485 [inline]
> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: __do_sys_mbind mm/mempolicy.c:1559 [inline]
> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: __se_sys_mbind+0x47d/0x9c0 mm/mempolicy.c:1555
> 1 lock held by syz-executor359/5572:
> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:117 [inline]
> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: handle_page_fault arch/x86/mm/fault.c:1498 [inline]
> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
> 2 locks held by syz-executor359/5573:
> #0: ffff888026d84d68 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x254/0x2f0 fs/file.c:1046
> #1: ffff88807b6ac460 (sb_writers#9){.+.+}-{0:0}, at: vfs_write+0x26d/0xbb0 fs/read_write.c:580
> 1 lock held by syz-executor359/5576:
> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock include/linux/mmap_lock.h:71 [inline]
> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: do_mbind mm/mempolicy.c:1312 [inline]
> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: kernel_mbind mm/mempolicy.c:1485 [inline]
> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: __do_sys_mbind mm/mempolicy.c:1559 [inline]
> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: __se_sys_mbind+0x47d/0x9c0 mm/mempolicy.c:1555
> 3 locks held by kworker/u4:3/5614:
> #0: ffff8881451bb938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x77f/0x13a0
> #1: ffffc90004defd20 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x7c6/0x13a0 kernel/workqueue.c:2365
> #2: ffff88807b6ac0e0 (&type->s_umount_key#43){++++}-{3:3}, at: trylock_super+0x1f/0xf0 fs/super.c:414
> 3 locks held by kworker/u4:5/6087:
> #0: ffff8881451bb938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x77f/0x13a0
> #1: ffffc900055b7d20 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x7c6/0x13a0 kernel/workqueue.c:2365
> #2: ffff888148d0a0e0 (&type->s_umount_key#43){++++}-{3:3}, at: trylock_super+0x1f/0xf0 fs/super.c:414
> 1 lock held by syz-executor359/12461:
> #0: ffffffff8d12d1f8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:293 [inline]
> #0: ffffffff8d12d1f8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x3a3/0x890 kernel/rcu/tree_exp.h:989
>
> =============================================
>
> NMI backtrace for cpu 0
> CPU: 0 PID: 28 Comm: khungtaskd Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
> nmi_cpu_backtrace+0x4e5/0x560 lib/nmi_backtrace.c:113
> nmi_trigger_cpumask_backtrace+0x1b4/0x410 lib/nmi_backtrace.c:62
> trigger_all_cpu_backtrace include/linux/nmi.h:148 [inline]
> check_hung_uninterruptible_tasks kernel/hung_task.c:222 [inline]
> watchdog+0x1024/0x1070 kernel/hung_task.c:379
> kthread+0x270/0x300 kernel/kthread.c:376
> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
> </TASK>
> Sending NMI from CPU 0 to CPUs 1:
> NMI backtrace for cpu 1
> CPU: 1 PID: 6343 Comm: kworker/u4:9 Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
> Workqueue: events_unbound toggle_allocation_gate
> RIP: 0010:rcu_sync_is_idle include/linux/rcu_sync.h:36 [inline]
> RIP: 0010:percpu_up_read include/linux/percpu-rwsem.h:105 [inline]
> RIP: 0010:cpus_read_unlock+0x5f/0x130 kernel/cpu.c:322
> Code: 85 db 74 1b e8 c2 4f 20 00 89 c3 31 ff 89 c6 e8 87 23 39 00 85 db 74 5b e8 ce 1f 39 00 eb 05 e8 c7 1f 39 00 8b 1d 41 be a8 0b <31> ff 89 de e8 68 23 39 00 85 db 0f 85 8c 00 00 00 e8 ab 1f 39 00
> RSP: 0018:ffffc90005757b70 EFLAGS: 00000293
> RAX: ffffffff81538cb2 RBX: 0000000000000000 RCX: ffff888028643a80
> RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
> RBP: ffffc90005757c50 R08: ffffffff81538ca9 R09: fffffbfff1ce8d2e
> R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
> R13: 1ffff1104779cc03 R14: 0000000000000000 R15: 1ffff92000aeaf70
> FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007ffd6fdf0bb8 CR3: 000000000cf30000 CR4: 00000000003506e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
> toggle_allocation_gate+0xb5/0x250 mm/kfence/core.c:799
> process_one_work+0x915/0x13a0 kernel/workqueue.c:2390
> worker_thread+0xa63/0x1210 kernel/workqueue.c:2537
> kthread+0x270/0x300 kernel/kthread.c:376
> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
> </TASK>
>
>
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> syzbot can test patches for this issue, for details see:
> https://goo.gl/tpsmEJ#testing-patches
>
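The cycle Yang Shi describes can be read straight out of the hung-task report: one task sleeps in folio_lock under write_cache_pages, another sleeps in folio_wait_writeback under migrate_pages. The script below is an added triage example, not code from this thread or from the kernel tree; it parses report text of this shape (constructed, abridged sample inline), classifies each blocked task by what it waits on and which path it came from, and pairs the two sides of the writeback/migration cycle, listing page-fault tasks queued behind mmap_lock as collateral.

```python
"""Triage helper for hung-task reports of the shape quoted above (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the quoted report, frames abridged.
SAMPLE_REPORT = """\
INFO: task kworker/u4:0:9 blocked for more than 143 seconds.
task:kworker/u4:0 state:D stack:21720 pid:9 ppid:2 flags:0x00004000
Workqueue: writeback wb_workfn (flush-7:0)
Call Trace:
 <TASK>
 io_schedule+0x8c/0x100 kernel/sched/core.c:8884
 folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
 folio_lock include/linux/pagemap.h:952 [inline]
 write_cache_pages+0x58f/0x1450 mm/page-writeback.c:2440
 wb_workfn+0xd80/0x1100 fs/fs-writeback.c:2248
 </TASK>
INFO: task syz-executor359:5222 blocked for more than 144 seconds.
Call Trace:
 <TASK>
 rwsem_down_read_slowpath+0x5f4/0x950 kernel/locking/rwsem.c:1086
 mmap_read_lock include/linux/mmap_lock.h:117 [inline]
 exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
 RIP: 0033:0x7fd6f371b888
 </TASK>
INFO: task syz-executor359:5229 blocked for more than 144 seconds.
Call Trace:
 <TASK>
 io_schedule+0x8c/0x100 kernel/sched/core.c:8884
 folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
 folio_wait_writeback+0xec/0x1f0 mm/page-writeback.c:3127
 migrate_folio_unmap mm/migrate.c:1192 [inline]
 migrate_pages+0x2d50/0x6610 mm/migrate.c:1973
 do_mbind mm/mempolicy.c:1338 [inline]
 </TASK>
"""

HEADER = re.compile(r"INFO: task (\S+):(\d+) blocked for more than (\d+) seconds")
# A frame is "func+0xoff/0xlen path:line" or "func path:line [inline]";
# register dump lines ("RIP: ...") do not match because of the colon.
FRAME = re.compile(r"^([A-Za-z_]\w*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?:\s|$)")

# Innermost frame that names what the task sleeps on.
WAITS_ON = {
    "folio_lock": "page lock",
    "folio_wait_writeback": "writeback completion",
    "mmap_read_lock": "mmap_lock",
    "mmap_write_lock": "mmap_lock",
}
# Outer frame that names which path got stuck.
PATHS = {
    "write_cache_pages": "writeback",
    "migrate_pages": "migration",
    "exc_page_fault": "page fault",
}


@dataclass
class BlockedTask:
    comm: str
    pid: int
    seconds: int
    frames: list = field(default_factory=list)  # function names, innermost first

    def waits_on(self):
        return next((WAITS_ON[f] for f in self.frames if f in WAITS_ON), None)

    def path(self):
        return next((PATHS[f] for f in self.frames if f in PATHS), None)


def parse_hung_tasks(text):
    """Split a hung-task report into BlockedTask records.

    Leading '>' quote markers are stripped so the report can also be fed in
    as quoted in a mailing-list reply.
    """
    tasks, current, in_trace = [], None, False
    for raw in text.splitlines():
        line = re.sub(r"^(\s*>)+", "", raw).strip()
        m = HEADER.search(line)
        if m:
            current = BlockedTask(m.group(1), int(m.group(2)), int(m.group(3)))
            tasks.append(current)
            in_trace = False
        elif line == "<TASK>":
            in_trace = True
        elif line == "</TASK>":
            in_trace = False
        elif in_trace and current is not None:
            f = FRAME.match(line)
            if f:
                current.frames.append(f.group(1))
    return tasks


def find_page_lock_cycle(tasks):
    """Pids on each side of the writeback/migration cycle, or None if absent."""
    wb = [t.pid for t in tasks if t.path() == "writeback" and t.waits_on() == "page lock"]
    mig = [t.pid for t in tasks
           if t.path() == "migration" and t.waits_on() == "writeback completion"]
    if wb and mig:
        return {"writeback_waits_for_page_lock": wb,
                "migration_holds_page_lock_waits_for_writeback": mig}
    return None


def collateral(tasks):
    """Page-fault tasks queued on mmap_lock behind the stuck mbind caller."""
    return [t.pid for t in tasks if t.waits_on() == "mmap_lock" and t.path() == "page fault"]


if __name__ == "__main__":
    blocked = parse_hung_tasks(SAMPLE_REPORT)
    print(find_page_lock_cycle(blocked), "collateral:", collateral(blocked))
```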
* Re: [syzbot] [mm?] INFO: task hung in write_cache_pages (2)
From: Huang, Ying @ 2023-03-02 23:42 UTC (permalink / raw)
To: Yang Shi
Cc: syzbot, Hugh Dickins, akpm, dvyukov, elver, glider, kasan-dev,
linux-kernel, linux-mm, syzkaller-bugs
Yang Shi <shy828301@gmail.com> writes:
> On Wed, Mar 1, 2023 at 4:36 PM syzbot
> <syzbot+0adf31ecbba886ab504f@syzkaller.appspotmail.com> wrote:
>>
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit: 489fa31ea873 Merge branch 'work.misc' of git://git.kernel...
>> git tree: upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=1034fef8c80000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=cbfa7a73c540248d
>> dashboard link: https://syzkaller.appspot.com/bug?extid=0adf31ecbba886ab504f
>> compiler: Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16dc6960c80000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16f39d50c80000
>>
>> Downloadable assets:
>> disk image: https://storage.googleapis.com/syzbot-assets/8121ff3f8044/disk-489fa31e.raw.xz
>> vmlinux: https://storage.googleapis.com/syzbot-assets/ba8296ba1bf7/vmlinux-489fa31e.xz
>> kernel image: https://storage.googleapis.com/syzbot-assets/6459f50e23f3/bzImage-489fa31e.xz
>> mounted in repro: https://storage.googleapis.com/syzbot-assets/845f6538108c/mount_1.gz
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: syzbot+0adf31ecbba886ab504f@syzkaller.appspotmail.com
>>
>> INFO: task kworker/u4:0:9 blocked for more than 143 seconds.
>> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
>> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
>> task:kworker/u4:0 state:D stack:21720 pid:9 ppid:2 flags:0x00004000
>> Workqueue: writeback wb_workfn (flush-7:0)
>> Call Trace:
>> <TASK>
>> context_switch kernel/sched/core.c:5304 [inline]
>> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
>> schedule+0xc3/0x180 kernel/sched/core.c:6698
>> io_schedule+0x8c/0x100 kernel/sched/core.c:8884
>> folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
>> folio_lock include/linux/pagemap.h:952 [inline]
>> write_cache_pages+0x58f/0x1450 mm/page-writeback.c:2440
>> mpage_writepages+0x107/0x1d0 fs/mpage.c:653
>> do_writepages+0x3a6/0x670 mm/page-writeback.c:2551
>> __writeback_single_inode+0x1c4/0x15e0 fs/fs-writeback.c:1600
>> writeback_sb_inodes+0x92c/0x1360 fs/fs-writeback.c:1891
>> __writeback_inodes_wb+0x11b/0x260 fs/fs-writeback.c:1962
>> wb_writeback+0x51c/0x1080 fs/fs-writeback.c:2067
>> wb_check_background_flush fs/fs-writeback.c:2133 [inline]
>> wb_do_writeback fs/fs-writeback.c:2221 [inline]
>> wb_workfn+0xd80/0x1100 fs/fs-writeback.c:2248
>> process_one_work+0x915/0x13a0 kernel/workqueue.c:2390
>> worker_thread+0xa63/0x1210 kernel/workqueue.c:2537
>> kthread+0x270/0x300 kernel/kthread.c:376
>> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
>> </TASK>
>> INFO: task kworker/u4:2:41 blocked for more than 143 seconds.
>> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
>> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
>> task:kworker/u4:2 state:D stack:20480 pid:41 ppid:2 flags:0x00004000
>> Workqueue: writeback wb_workfn (flush-7:5)
>> Call Trace:
>> <TASK>
>> context_switch kernel/sched/core.c:5304 [inline]
>> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
>> schedule+0xc3/0x180 kernel/sched/core.c:6698
>> io_schedule+0x8c/0x100 kernel/sched/core.c:8884
>> folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
>> folio_lock include/linux/pagemap.h:952 [inline]
>> write_cache_pages+0x58f/0x1450 mm/page-writeback.c:2440
>> mpage_writepages+0x107/0x1d0 fs/mpage.c:653
>> do_writepages+0x3a6/0x670 mm/page-writeback.c:2551
>> __writeback_single_inode+0x1c4/0x15e0 fs/fs-writeback.c:1600
>> writeback_sb_inodes+0x92c/0x1360 fs/fs-writeback.c:1891
>> __writeback_inodes_wb+0x11b/0x260 fs/fs-writeback.c:1962
>> wb_writeback+0x51c/0x1080 fs/fs-writeback.c:2067
>> wb_check_old_data_flush fs/fs-writeback.c:2167 [inline]
>> wb_do_writeback fs/fs-writeback.c:2220 [inline]
>> wb_workfn+0xccb/0x1100 fs/fs-writeback.c:2248
>> process_one_work+0x915/0x13a0 kernel/workqueue.c:2390
>> worker_thread+0xa63/0x1210 kernel/workqueue.c:2537
>> kthread+0x270/0x300 kernel/kthread.c:376
>> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
>> </TASK>
>> INFO: task kworker/u4:4:75 blocked for more than 144 seconds.
>> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
>> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
>> task:kworker/u4:4 state:D stack:25088 pid:75 ppid:2 flags:0x00004000
>> Workqueue: writeback wb_workfn (flush-7:1)
>> Call Trace:
>> <TASK>
>> context_switch kernel/sched/core.c:5304 [inline]
>> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
>> schedule+0xc3/0x180 kernel/sched/core.c:6698
>> io_schedule+0x8c/0x100 kernel/sched/core.c:8884
>> folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
>> folio_lock include/linux/pagemap.h:952 [inline]
>> write_cache_pages+0x58f/0x1450 mm/page-writeback.c:2440
>> mpage_writepages+0x107/0x1d0 fs/mpage.c:653
>> do_writepages+0x3a6/0x670 mm/page-writeback.c:2551
>> __writeback_single_inode+0x1c4/0x15e0 fs/fs-writeback.c:1600
>> writeback_sb_inodes+0x92c/0x1360 fs/fs-writeback.c:1891
>> __writeback_inodes_wb+0x11b/0x260 fs/fs-writeback.c:1962
>> wb_writeback+0x51c/0x1080 fs/fs-writeback.c:2067
>> wb_check_old_data_flush fs/fs-writeback.c:2167 [inline]
>> wb_do_writeback fs/fs-writeback.c:2220 [inline]
>> wb_workfn+0xccb/0x1100 fs/fs-writeback.c:2248
>> process_one_work+0x915/0x13a0 kernel/workqueue.c:2390
>> worker_thread+0xa63/0x1210 kernel/workqueue.c:2537
>> kthread+0x270/0x300 kernel/kthread.c:376
>> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
>> </TASK>
>> INFO: task syz-executor359:5222 blocked for more than 144 seconds.
>> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
>> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
>> task:syz-executor359 state:D stack:26576 pid:5222 ppid:5113 flags:0x00004004
>> Call Trace:
>> <TASK>
>> context_switch kernel/sched/core.c:5304 [inline]
>> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
>> schedule+0xc3/0x180 kernel/sched/core.c:6698
>> schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6757
>> rwsem_down_read_slowpath+0x5f4/0x950 kernel/locking/rwsem.c:1086
>> __down_read_common+0x61/0x2c0 kernel/locking/rwsem.c:1250
>> mmap_read_lock include/linux/mmap_lock.h:117 [inline]
>> do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
>> handle_page_fault arch/x86/mm/fault.c:1498 [inline]
>> exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
>> asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
>> RIP: 0033:0x7fd6f371b888
>> RSP: 002b:00007ffd6fdf2398 EFLAGS: 00010206
>> RAX: 00007fd6f374ebd0 RBX: 00007fd6f374d1a8 RCX: 0000000000000001
>> RDX: 00007fd6f3688d30 RSI: 0000000000000000 RDI: 00007fd6f374ebd0
>> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000010
>> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
>> R13: 0000000000000001 R14: 00007fd6f37543e0 R15: 0000000000000001
>> </TASK>
>> INFO: task syz-executor359:5223 blocked for more than 144 seconds.
>> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
>> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
>> task:syz-executor359 state:D stack:24840 pid:5223 ppid:5113 flags:0x00004004
>> Call Trace:
>> <TASK>
>> context_switch kernel/sched/core.c:5304 [inline]
>> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
>> schedule+0xc3/0x180 kernel/sched/core.c:6698
>> io_schedule+0x8c/0x100 kernel/sched/core.c:8884
>> folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
>> folio_lock include/linux/pagemap.h:952 [inline]
>> write_cache_pages+0x58f/0x1450 mm/page-writeback.c:2440
>> mpage_writepages+0x107/0x1d0 fs/mpage.c:653
>> do_writepages+0x3a6/0x670 mm/page-writeback.c:2551
>> filemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:390
>> __filemap_fdatawrite_range mm/filemap.c:423 [inline]
>> file_write_and_wait_range+0x20f/0x300 mm/filemap.c:781
>> __generic_file_fsync+0x72/0x190 fs/libfs.c:1132
>> fat_file_fsync+0x7e/0x190 fs/fat/file.c:191
>> generic_write_sync include/linux/fs.h:2452 [inline]
>> generic_file_write_iter+0x2a1/0x310 mm/filemap.c:4090
>> call_write_iter include/linux/fs.h:1851 [inline]
>> new_sync_write fs/read_write.c:491 [inline]
>> vfs_write+0x7b2/0xbb0 fs/read_write.c:584
>> ksys_write+0x1a0/0x2c0 fs/read_write.c:637
>> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
>> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>> RIP: 0033:0x7fd6f36ca719
>> RSP: 002b:00007fd6f36762f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
>> RAX: ffffffffffffffda RBX: 00007fd6f374f7a0 RCX: 00007fd6f36ca719
>> RDX: 000000000208e24b RSI: 0000000020000080 RDI: 0000000000000004
>> RBP: 00007fd6f371c604 R08: 0000000000000000 R09: 0000000000000000
>> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd6f371c0e0
>> R13: 0000000020000a80 R14: 0030656c69662f2e R15: 00007fd6f374f7a8
>> </TASK>
>> INFO: task syz-executor359:5229 blocked for more than 144 seconds.
>> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
>> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
>> task:syz-executor359 state:D stack:26504 pid:5229 ppid:5113 flags:0x00004004
>> Call Trace:
>> <TASK>
>> context_switch kernel/sched/core.c:5304 [inline]
>> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
>> schedule+0xc3/0x180 kernel/sched/core.c:6698
>> io_schedule+0x8c/0x100 kernel/sched/core.c:8884
>> folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
>> folio_wait_writeback+0xec/0x1f0 mm/page-writeback.c:3127
>> migrate_folio_unmap mm/migrate.c:1192 [inline]
>> migrate_pages_batch mm/migrate.c:1685 [inline]
>> migrate_pages+0x2d50/0x6610 mm/migrate.c:1973
>
> The migration has locked the page, but is waiting for writeback. The
> writeback is waiting for the page lock...
>
> I recalled Hugh reported the same bug. There is a patch to solve it,
> but it may not have shown up in Linus's tree yet. And it seems like the
> reproducer is dirtying some files on a loop device and calling mbind at
> the same time. This does match the reproducer mentioned by Hugh.
Yes. We have fixed a similar bug report. The fix patchset is as
follows:
https://lore.kernel.org/linux-mm/20230224141145.96814-1-ying.huang@intel.com/
It will take some time for it to land in Linus's tree.
Best Regards,
Huang, Ying
>> do_mbind mm/mempolicy.c:1338 [inline]
>> kernel_mbind mm/mempolicy.c:1485 [inline]
>> __do_sys_mbind mm/mempolicy.c:1559 [inline]
>> __se_sys_mbind+0x75a/0x9c0 mm/mempolicy.c:1555
>> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
>> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>> RIP: 0033:0x7fd6f36ca719
>> RSP: 002b:00007fd6eb3552e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ed
>> RAX: ffffffffffffffda RBX: 00007fd6f374f7b0 RCX: 00007fd6f36ca719
>> RDX: 0000000000000000 RSI: 0000000000800000 RDI: 0000000020001000
>> RBP: 00007fd6f371c604 R08: 0000000000000000 R09: 0000000000000002
>> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd6f371c0e0
>> R13: 0000000020000a80 R14: 0030656c69662f2e R15: 00007fd6f374f7b8
>> </TASK>
>> INFO: task syz-executor359:5296 blocked for more than 145 seconds.
>> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
>> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
>> task:syz-executor359 state:D stack:27008 pid:5296 ppid:5112 flags:0x00004004
>> Call Trace:
>> <TASK>
>> context_switch kernel/sched/core.c:5304 [inline]
>> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
>> schedule+0xc3/0x180 kernel/sched/core.c:6698
>> schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6757
>> rwsem_down_read_slowpath+0x5f4/0x950 kernel/locking/rwsem.c:1086
>> __down_read_common+0x61/0x2c0 kernel/locking/rwsem.c:1250
>> mmap_read_lock include/linux/mmap_lock.h:117 [inline]
>> do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
>> handle_page_fault arch/x86/mm/fault.c:1498 [inline]
>> exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
>> asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
>> RIP: 0033:0x7fd6f371b888
>> RSP: 002b:00007ffd6fdf2398 EFLAGS: 00010206
>> RAX: 00007fd6f374ebd0 RBX: 00007fd6f374d1a8 RCX: 0000000000000001
>> RDX: 00007fd6f3688d30 RSI: 0000000000000000 RDI: 00007fd6f374ebd0
>> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000010
>> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
>> R13: 0000000000000001 R14: 00007fd6f37543e0 R15: 0000000000000001
>> </TASK>
>> INFO: task syz-executor359:5298 blocked for more than 145 seconds.
>> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
>> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
>> task:syz-executor359 state:D stack:24840 pid:5298 ppid:5112 flags:0x00004004
>> Call Trace:
>> <TASK>
>> context_switch kernel/sched/core.c:5304 [inline]
>> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
>> schedule+0xc3/0x180 kernel/sched/core.c:6698
>> io_schedule+0x8c/0x100 kernel/sched/core.c:8884
>> folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
>> folio_lock include/linux/pagemap.h:952 [inline]
>> write_cache_pages+0x58f/0x1450 mm/page-writeback.c:2440
>> mpage_writepages+0x107/0x1d0 fs/mpage.c:653
>> do_writepages+0x3a6/0x670 mm/page-writeback.c:2551
>> filemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:390
>> __filemap_fdatawrite_range mm/filemap.c:423 [inline]
>> file_write_and_wait_range+0x20f/0x300 mm/filemap.c:781
>> __generic_file_fsync+0x72/0x190 fs/libfs.c:1132
>> fat_file_fsync+0x7e/0x190 fs/fat/file.c:191
>> generic_write_sync include/linux/fs.h:2452 [inline]
>> generic_file_write_iter+0x2a1/0x310 mm/filemap.c:4090
>> call_write_iter include/linux/fs.h:1851 [inline]
>> new_sync_write fs/read_write.c:491 [inline]
>> vfs_write+0x7b2/0xbb0 fs/read_write.c:584
>> ksys_write+0x1a0/0x2c0 fs/read_write.c:637
>> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
>> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>> RIP: 0033:0x7fd6f36ca719
>> RSP: 002b:00007fd6f36762f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
>> RAX: ffffffffffffffda RBX: 00007fd6f374f7a0 RCX: 00007fd6f36ca719
>> RDX: 000000000208e24b RSI: 0000000020000080 RDI: 0000000000000004
>> RBP: 00007fd6f371c604 R08: 0000000000000000 R09: 0000000000000000
>> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd6f371c0e0
>> R13: 0000000020000a80 R14: 0030656c69662f2e R15: 00007fd6f374f7a8
>> </TASK>
>> INFO: task syz-executor359:5304 blocked for more than 145 seconds.
>> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
>> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
>> task:syz-executor359 state:D stack:26504 pid:5304 ppid:5112 flags:0x00004004
>> Call Trace:
>> <TASK>
>> context_switch kernel/sched/core.c:5304 [inline]
>> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
>> schedule+0xc3/0x180 kernel/sched/core.c:6698
>> io_schedule+0x8c/0x100 kernel/sched/core.c:8884
>> folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
>> folio_wait_writeback+0xec/0x1f0 mm/page-writeback.c:3127
>> migrate_folio_unmap mm/migrate.c:1192 [inline]
>> migrate_pages_batch mm/migrate.c:1685 [inline]
>> migrate_pages+0x2d50/0x6610 mm/migrate.c:1973
>> do_mbind mm/mempolicy.c:1338 [inline]
>> kernel_mbind mm/mempolicy.c:1485 [inline]
>> __do_sys_mbind mm/mempolicy.c:1559 [inline]
>> __se_sys_mbind+0x75a/0x9c0 mm/mempolicy.c:1555
>> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
>> entry_SYSCALL_64_after_hwframe+0x63/0xcd
>> RIP: 0033:0x7fd6f36ca719
>> RSP: 002b:00007fd6eb3552e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ed
>> RAX: ffffffffffffffda RBX: 00007fd6f374f7b0 RCX: 00007fd6f36ca719
>> RDX: 0000000000000000 RSI: 0000000000800000 RDI: 0000000020001000
>> RBP: 00007fd6f371c604 R08: 0000000000000000 R09: 0000000000000002
>> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd6f371c0e0
>> R13: 0000000020000a80 R14: 0030656c69662f2e R15: 00007fd6f374f7b8
>> </TASK>
>> INFO: task syz-executor359:5460 blocked for more than 146 seconds.
>> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
>> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
>> task:syz-executor359 state:D stack:26520 pid:5460 ppid:5115 flags:0x00004004
>> Call Trace:
>> <TASK>
>> context_switch kernel/sched/core.c:5304 [inline]
>> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
>> schedule+0xc3/0x180 kernel/sched/core.c:6698
>> schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6757
>> rwsem_down_read_slowpath+0x5f4/0x950 kernel/locking/rwsem.c:1086
>> __down_read_common+0x61/0x2c0 kernel/locking/rwsem.c:1250
>> mmap_read_lock include/linux/mmap_lock.h:117 [inline]
>> do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
>> handle_page_fault arch/x86/mm/fault.c:1498 [inline]
>> exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
>> asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
>> RIP: 0033:0x7fd6f371b888
>> RSP: 002b:00007ffd6fdf2398 EFLAGS: 00010206
>> RAX: 00007fd6f374ebd0 RBX: 00007fd6f374d1a8 RCX: 0000000000000001
>> RDX: 00007fd6f3688d30 RSI: 0000000000000000 RDI: 00007fd6f374ebd0
>> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000010
>> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
>> R13: 0000000000000001 R14: 00007fd6f37543e0 R15: 0000000000000001
>> </TASK>
>> Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
>>
>> Showing all locks held in the system:
>> 3 locks held by kworker/u4:0/9:
>> #0: ffff8881451bb938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x77f/0x13a0
>> #1: ffffc900000e7d20 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x7c6/0x13a0 kernel/workqueue.c:2365
>> #2: ffff88807dfe20e0 (&type->s_umount_key#43){++++}-{3:3}, at: trylock_super+0x1f/0xf0 fs/super.c:414
>> 1 lock held by rcu_tasks_kthre/12:
>> #0: ffffffff8d127cf0 (rcu_tasks.tasks_gp_mutex){+.+.}-{3:3}, at: rcu_tasks_one_gp+0x29/0xd20 kernel/rcu/tasks.h:510
>> 1 lock held by rcu_tasks_trace/13:
>> #0: ffffffff8d1284f0 (rcu_tasks_trace.tasks_gp_mutex){+.+.}-{3:3}, at: rcu_tasks_one_gp+0x29/0xd20 kernel/rcu/tasks.h:510
>> 1 lock held by khungtaskd/28:
>> #0: ffffffff8d127b20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x0/0x30
>> 3 locks held by kworker/u4:2/41:
>> #0: ffff8881451bb938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x77f/0x13a0
>> #1: ffffc90000b27d20 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x7c6/0x13a0 kernel/workqueue.c:2365
>> #2: ffff88801d8680e0 (&type->s_umount_key#43){++++}-{3:3}, at: trylock_super+0x1f/0xf0 fs/super.c:414
>> 3 locks held by kworker/u4:4/75:
>> #0: ffff8881451bb938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x77f/0x13a0
>> #1: ffffc900020efd20 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x7c6/0x13a0 kernel/workqueue.c:2365
>> #2: ffff88802c2640e0 (&type->s_umount_key#43){++++}-{3:3}, at: trylock_super+0x1f/0xf0 fs/super.c:414
>> 2 locks held by kworker/1:2/2494:
>> #0: ffff888012472538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_one_work+0x77f/0x13a0
>> #1: ffffc9000a86fd20 ((work_completion)(&rew->rew_work)){+.+.}-{0:0}, at: process_one_work+0x7c6/0x13a0 kernel/workqueue.c:2365
>> 2 locks held by getty/4750:
>> #0: ffff88814a0e2098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:244
>> #1: ffffc900015802f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6ab/0x1db0 drivers/tty/n_tty.c:2177
>> 1 lock held by syz-executor359/5222:
>> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:117 [inline]
>> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
>> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: handle_page_fault arch/x86/mm/fault.c:1498 [inline]
>> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
>> 2 locks held by syz-executor359/5223:
>> #0: ffff888021e0f768 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x254/0x2f0 fs/file.c:1046
>> #1: ffff88802c264460 (sb_writers#9){.+.+}-{0:0}, at: vfs_write+0x26d/0xbb0 fs/read_write.c:580
>> 1 lock held by syz-executor359/5229:
>> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock include/linux/mmap_lock.h:71 [inline]
>> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: do_mbind mm/mempolicy.c:1312 [inline]
>> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: kernel_mbind mm/mempolicy.c:1485 [inline]
>> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: __do_sys_mbind mm/mempolicy.c:1559 [inline]
>> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: __se_sys_mbind+0x47d/0x9c0 mm/mempolicy.c:1555
>> 1 lock held by syz-executor359/5296:
>> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:117 [inline]
>> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
>> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: handle_page_fault arch/x86/mm/fault.c:1498 [inline]
>> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
>> 2 locks held by syz-executor359/5298:
>> #0: ffff88807e2b0fe8 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x254/0x2f0 fs/file.c:1046
>> #1: ffff88807dfe2460 (sb_writers#9){.+.+}-{0:0}, at: vfs_write+0x26d/0xbb0 fs/read_write.c:580
>> 1 lock held by syz-executor359/5304:
>> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock include/linux/mmap_lock.h:71 [inline]
>> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: do_mbind mm/mempolicy.c:1312 [inline]
>> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: kernel_mbind mm/mempolicy.c:1485 [inline]
>> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: __do_sys_mbind mm/mempolicy.c:1559 [inline]
>> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: __se_sys_mbind+0x47d/0x9c0 mm/mempolicy.c:1555
>> 1 lock held by syz-executor359/5460:
>> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:117 [inline]
>> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
>> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: handle_page_fault arch/x86/mm/fault.c:1498 [inline]
>> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
>> 2 locks held by syz-executor359/5461:
>> #0: ffff88801da66ae8 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x254/0x2f0 fs/file.c:1046
>> #1: ffff888148d0a460 (sb_writers#9){.+.+}-{0:0}, at: vfs_write+0x26d/0xbb0 fs/read_write.c:580
>> 1 lock held by syz-executor359/5467:
>> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock include/linux/mmap_lock.h:71 [inline]
>> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: do_mbind mm/mempolicy.c:1312 [inline]
>> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: kernel_mbind mm/mempolicy.c:1485 [inline]
>> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: __do_sys_mbind mm/mempolicy.c:1559 [inline]
>> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: __se_sys_mbind+0x47d/0x9c0 mm/mempolicy.c:1555
>> 1 lock held by syz-executor359/5570:
>> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:117 [inline]
>> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
>> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: handle_page_fault arch/x86/mm/fault.c:1498 [inline]
>> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
>> 2 locks held by syz-executor359/5571:
>> #0: ffff88807838a5e8 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x254/0x2f0 fs/file.c:1046
>> #1: ffff88801d868460 (sb_writers#9){.+.+}-{0:0}, at: vfs_write+0x26d/0xbb0 fs/read_write.c:580
>> 1 lock held by syz-executor359/5575:
>> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock include/linux/mmap_lock.h:71 [inline]
>> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: do_mbind mm/mempolicy.c:1312 [inline]
>> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: kernel_mbind mm/mempolicy.c:1485 [inline]
>> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: __do_sys_mbind mm/mempolicy.c:1559 [inline]
>> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: __se_sys_mbind+0x47d/0x9c0 mm/mempolicy.c:1555
>> 1 lock held by syz-executor359/5572:
>> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:117 [inline]
>> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
>> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: handle_page_fault arch/x86/mm/fault.c:1498 [inline]
>> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
>> 2 locks held by syz-executor359/5573:
>> #0: ffff888026d84d68 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x254/0x2f0 fs/file.c:1046
>> #1: ffff88807b6ac460 (sb_writers#9){.+.+}-{0:0}, at: vfs_write+0x26d/0xbb0 fs/read_write.c:580
>> 1 lock held by syz-executor359/5576:
>> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock include/linux/mmap_lock.h:71 [inline]
>> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: do_mbind mm/mempolicy.c:1312 [inline]
>> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: kernel_mbind mm/mempolicy.c:1485 [inline]
>> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: __do_sys_mbind mm/mempolicy.c:1559 [inline]
>> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: __se_sys_mbind+0x47d/0x9c0 mm/mempolicy.c:1555
>> 3 locks held by kworker/u4:3/5614:
>> #0: ffff8881451bb938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x77f/0x13a0
>> #1: ffffc90004defd20 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x7c6/0x13a0 kernel/workqueue.c:2365
>> #2: ffff88807b6ac0e0 (&type->s_umount_key#43){++++}-{3:3}, at: trylock_super+0x1f/0xf0 fs/super.c:414
>> 3 locks held by kworker/u4:5/6087:
>> #0: ffff8881451bb938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x77f/0x13a0
>> #1: ffffc900055b7d20 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x7c6/0x13a0 kernel/workqueue.c:2365
>> #2: ffff888148d0a0e0 (&type->s_umount_key#43){++++}-{3:3}, at: trylock_super+0x1f/0xf0 fs/super.c:414
>> 1 lock held by syz-executor359/12461:
>> #0: ffffffff8d12d1f8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:293 [inline]
>> #0: ffffffff8d12d1f8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x3a3/0x890 kernel/rcu/tree_exp.h:989
>>
>> =============================================
>>
>> NMI backtrace for cpu 0
>> CPU: 0 PID: 28 Comm: khungtaskd Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
>> Call Trace:
>> <TASK>
>> __dump_stack lib/dump_stack.c:88 [inline]
>> dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
>> nmi_cpu_backtrace+0x4e5/0x560 lib/nmi_backtrace.c:113
>> nmi_trigger_cpumask_backtrace+0x1b4/0x410 lib/nmi_backtrace.c:62
>> trigger_all_cpu_backtrace include/linux/nmi.h:148 [inline]
>> check_hung_uninterruptible_tasks kernel/hung_task.c:222 [inline]
>> watchdog+0x1024/0x1070 kernel/hung_task.c:379
>> kthread+0x270/0x300 kernel/kthread.c:376
>> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
>> </TASK>
>> Sending NMI from CPU 0 to CPUs 1:
>> NMI backtrace for cpu 1
>> CPU: 1 PID: 6343 Comm: kworker/u4:9 Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
>> Workqueue: events_unbound toggle_allocation_gate
>> RIP: 0010:rcu_sync_is_idle include/linux/rcu_sync.h:36 [inline]
>> RIP: 0010:percpu_up_read include/linux/percpu-rwsem.h:105 [inline]
>> RIP: 0010:cpus_read_unlock+0x5f/0x130 kernel/cpu.c:322
>> Code: 85 db 74 1b e8 c2 4f 20 00 89 c3 31 ff 89 c6 e8 87 23 39 00 85
>> db 74 5b e8 ce 1f 39 00 eb 05 e8 c7 1f 39 00 8b 1d 41 be a8 0b <31> ff
>> 89 de e8 68 23 39 00 85 db 0f 85 8c 00 00 00 e8 ab 1f 39 00
>> RSP: 0018:ffffc90005757b70 EFLAGS: 00000293
>> RAX: ffffffff81538cb2 RBX: 0000000000000000 RCX: ffff888028643a80
>> RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
>> RBP: ffffc90005757c50 R08: ffffffff81538ca9 R09: fffffbfff1ce8d2e
>> R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
>> R13: 1ffff1104779cc03 R14: 0000000000000000 R15: 1ffff92000aeaf70
>> FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
>> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 00007ffd6fdf0bb8 CR3: 000000000cf30000 CR4: 00000000003506e0
>> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
>> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
>> Call Trace:
>> <TASK>
>> toggle_allocation_gate+0xb5/0x250 mm/kfence/core.c:799
>> process_one_work+0x915/0x13a0 kernel/workqueue.c:2390
>> worker_thread+0xa63/0x1210 kernel/workqueue.c:2537
>> kthread+0x270/0x300 kernel/kthread.c:376
>> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
>> </TASK>
>>
>>
>> ---
>> This report is generated by a bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for more information about syzbot.
>> syzbot engineers can be reached at syzkaller@googlegroups.com.
>>
>> syzbot will keep track of this issue. See:
>> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
>> syzbot can test patches for this issue, for details see:
>> https://goo.gl/tpsmEJ#testing-patches
>>
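The wait cycle Yang Shi reads out of the traces above (a migrator that holds folio locks while waiting for writeback, a flusher in write_cache_pages waiting for a folio lock) can be pulled out of a hung-task report mechanically. The triage script below is an added example for this thread, not code from the kernel, from syzbot or from the fix patchset; the report excerpt it parses is constructed and modelled on the syzbot output quoted above, and the function names are this example's own.

```python
"""Hung-task report triage: group D-state tasks by the primitive they block on and
flag the migration <-> writeback wait cycle. Added example, not kernel/syzbot code."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt modelled on the syzbot report quoted above (frames trimmed).
SAMPLE_REPORT = """\
INFO: task kworker/u4:0:9 blocked for more than 143 seconds.
<TASK>
__schedule+0x17d8/0x4990 kernel/sched/core.c:6622
folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
folio_lock include/linux/pagemap.h:952 [inline]
write_cache_pages+0x58f/0x1450 mm/page-writeback.c:2440
</TASK>
INFO: task syz-executor359:5222 blocked for more than 144 seconds.
<TASK>
__schedule+0x17d8/0x4990 kernel/sched/core.c:6622
rwsem_down_read_slowpath+0x5f4/0x950 kernel/locking/rwsem.c:1086
mmap_read_lock include/linux/mmap_lock.h:117 [inline]
exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
RIP: 0033:0x7fd6f371b888
</TASK>
INFO: task syz-executor359:5229 blocked for more than 144 seconds.
<TASK>
__schedule+0x17d8/0x4990 kernel/sched/core.c:6622
io_schedule+0x8c/0x100 kernel/sched/core.c:8884
folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
folio_wait_writeback+0xec/0x1f0 mm/page-writeback.c:3127
migrate_folio_unmap mm/migrate.c:1192 [inline]
migrate_pages_batch mm/migrate.c:1685 [inline]
migrate_pages+0x2d50/0x6610 mm/migrate.c:1973
</TASK>
"""

# Frames that are just the sleeping machinery, not the thing being waited on.
SCHED_FRAMES = {"context_switch", "__schedule", "schedule", "io_schedule",
                "schedule_preempt_disabled", "rwsem_down_read_slowpath",
                "__down_read_common", "folio_wait_bit_common"}
WAIT_PRIMITIVES = ("folio_lock", "folio_wait_writeback",
                   "mmap_read_lock", "mmap_write_lock")
INFO_RE = re.compile(r"^INFO: task (\S+):(\d+) blocked for more than (\d+) seconds")
# Symbol, optional "+off/size", then whitespace or end of line; register dumps
# such as "RIP: 0033:..." fail because of the colon.
FRAME_RE = re.compile(r"^([A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?:\s|$)")


@dataclass
class HungTask:
    comm: str
    pid: int
    blocked_secs: int
    frames: list = field(default_factory=list)  # innermost first, as printed

    def wait_primitive(self):
        """Lock or flag this task blocks on, else the first non-scheduler frame."""
        for fn in self.frames:
            if fn in WAIT_PRIMITIVES:
                return fn
        return next((fn for fn in self.frames if fn not in SCHED_FRAMES), None)

    def reached_via(self, fn):
        """True if fn appears anywhere on the blocked call path."""
        return fn in self.frames


def parse_hung_tasks(text):
    """Split a console log (plain or '>'-quoted from a mail) into HungTasks."""
    tasks, cur, in_trace = [], None, False
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        m = INFO_RE.match(line)
        if m:
            cur = HungTask(m.group(1), int(m.group(2)), int(m.group(3)))
            tasks.append(cur)
            in_trace = False
        elif cur is None:
            continue
        elif line == "<TASK>":
            in_trace = True
        elif line == "</TASK>":
            in_trace = False
        elif in_trace and (fm := FRAME_RE.match(line)):
            cur.frames.append(fm.group(1))
    return tasks


def waiters_by_primitive(tasks):
    """Map each wait primitive to the pids blocked on it."""
    out = defaultdict(list)
    for t in tasks:
        out[t.wait_primitive()].append(t.pid)
    return dict(out)


def find_writeback_migration_cycle(tasks):
    """The cycle from the thread: a migrator holding folio locks waits for
    writeback while a flusher waits for a folio lock. Returns (migrator, flusher)."""
    migrators = [t for t in tasks if t.wait_primitive() == "folio_wait_writeback"
                 and t.reached_via("migrate_pages")]
    flushers = [t for t in tasks if t.wait_primitive() == "folio_lock"
                and t.reached_via("write_cache_pages")]
    return (migrators[0], flushers[0]) if migrators and flushers else None
```

Feeding it the full quoted report (quote markers included) groups the executors blocked in exc_page_fault under mmap_read_lock, which is consistent with the lock list: the same mm's mmap_lock is held for write by the mbind caller stuck in migrate_pages.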
* Re: [syzbot] [mm?] INFO: task hung in write_cache_pages (2)
2023-03-02 23:42 ` Huang, Ying
@ 2023-03-03 5:38 ` Dmitry Vyukov
From: Dmitry Vyukov @ 2023-03-03 5:38 UTC (permalink / raw)
To: Huang, Ying
Cc: Yang Shi, syzbot, Hugh Dickins, akpm, elver, glider, kasan-dev,
linux-kernel, linux-mm, syzkaller-bugs
On Fri, 3 Mar 2023 at 00:43, Huang, Ying <ying.huang@intel.com> wrote:
>
> Yang Shi <shy828301@gmail.com> writes:
>
> > On Wed, Mar 1, 2023 at 4:36 PM syzbot
> > <syzbot+0adf31ecbba886ab504f@syzkaller.appspotmail.com> wrote:
> >> schedule+0xc3/0x180 kernel/sched/core.c:6698
> >> schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6757
> >> rwsem_down_read_slowpath+0x5f4/0x950 kernel/locking/rwsem.c:1086
> >> __down_read_common+0x61/0x2c0 kernel/locking/rwsem.c:1250
> >> mmap_read_lock include/linux/mmap_lock.h:117 [inline]
> >> do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
> >> handle_page_fault arch/x86/mm/fault.c:1498 [inline]
> >> exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
> >> asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
> >> RIP: 0033:0x7fd6f371b888
> >> RSP: 002b:00007ffd6fdf2398 EFLAGS: 00010206
> >> RAX: 00007fd6f374ebd0 RBX: 00007fd6f374d1a8 RCX: 0000000000000001
> >> RDX: 00007fd6f3688d30 RSI: 0000000000000000 RDI: 00007fd6f374ebd0
> >> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000010
> >> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> >> R13: 0000000000000001 R14: 00007fd6f37543e0 R15: 0000000000000001
> >> </TASK>
> >> INFO: task syz-executor359:5223 blocked for more than 144 seconds.
> >> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
> >> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> >> task:syz-executor359 state:D stack:24840 pid:5223 ppid:5113 flags:0x00004004
> >> Call Trace:
> >> <TASK>
> >> context_switch kernel/sched/core.c:5304 [inline]
> >> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
> >> schedule+0xc3/0x180 kernel/sched/core.c:6698
> >> io_schedule+0x8c/0x100 kernel/sched/core.c:8884
> >> folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
> >> folio_lock include/linux/pagemap.h:952 [inline]
> >> write_cache_pages+0x58f/0x1450 mm/page-writeback.c:2440
> >> mpage_writepages+0x107/0x1d0 fs/mpage.c:653
> >> do_writepages+0x3a6/0x670 mm/page-writeback.c:2551
> >> filemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:390
> >> __filemap_fdatawrite_range mm/filemap.c:423 [inline]
> >> file_write_and_wait_range+0x20f/0x300 mm/filemap.c:781
> >> __generic_file_fsync+0x72/0x190 fs/libfs.c:1132
> >> fat_file_fsync+0x7e/0x190 fs/fat/file.c:191
> >> generic_write_sync include/linux/fs.h:2452 [inline]
> >> generic_file_write_iter+0x2a1/0x310 mm/filemap.c:4090
> >> call_write_iter include/linux/fs.h:1851 [inline]
> >> new_sync_write fs/read_write.c:491 [inline]
> >> vfs_write+0x7b2/0xbb0 fs/read_write.c:584
> >> ksys_write+0x1a0/0x2c0 fs/read_write.c:637
> >> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> >> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
> >> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> >> RIP: 0033:0x7fd6f36ca719
> >> RSP: 002b:00007fd6f36762f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> >> RAX: ffffffffffffffda RBX: 00007fd6f374f7a0 RCX: 00007fd6f36ca719
> >> RDX: 000000000208e24b RSI: 0000000020000080 RDI: 0000000000000004
> >> RBP: 00007fd6f371c604 R08: 0000000000000000 R09: 0000000000000000
> >> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd6f371c0e0
> >> R13: 0000000020000a80 R14: 0030656c69662f2e R15: 00007fd6f374f7a8
> >> </TASK>
> >> INFO: task syz-executor359:5229 blocked for more than 144 seconds.
> >> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
> >> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> >> task:syz-executor359 state:D stack:26504 pid:5229 ppid:5113 flags:0x00004004
> >> Call Trace:
> >> <TASK>
> >> context_switch kernel/sched/core.c:5304 [inline]
> >> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
> >> schedule+0xc3/0x180 kernel/sched/core.c:6698
> >> io_schedule+0x8c/0x100 kernel/sched/core.c:8884
> >> folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
> >> folio_wait_writeback+0xec/0x1f0 mm/page-writeback.c:3127
> >> migrate_folio_unmap mm/migrate.c:1192 [inline]
> >> migrate_pages_batch mm/migrate.c:1685 [inline]
> >> migrate_pages+0x2d50/0x6610 mm/migrate.c:1973
> >
> > The migration has locked the page, but is waiting for writeback. The
> > writeback is waiting for the page lock...
> >
> > I recalled Hugh reported the same bug. There is a patch to solve it,
> > but it may not be in Linus's tree yet. And it seems like the
> > reproducer is dirtying some files on a loop device and calling mbind at
> > the same time. This does match the reproducer mentioned by Hugh.
>
> Yes. We have fixed a similar bug report. The fix patchset is as
> follows,
>
> https://lore.kernel.org/linux-mm/20230224141145.96814-1-ying.huang@intel.com/
>
> It will take some time for it to land in Linus's tree.
Let's tell the bot about the fix so that it reports similar issues in future:
#syz fix: migrate_pages: fix deadlock in batched migration
> Best Regards,
> Huang, Ying
>
> >> do_mbind mm/mempolicy.c:1338 [inline]
> >> kernel_mbind mm/mempolicy.c:1485 [inline]
> >> __do_sys_mbind mm/mempolicy.c:1559 [inline]
> >> __se_sys_mbind+0x75a/0x9c0 mm/mempolicy.c:1555
> >> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> >> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
> >> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> >> RIP: 0033:0x7fd6f36ca719
> >> RSP: 002b:00007fd6eb3552e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ed
> >> RAX: ffffffffffffffda RBX: 00007fd6f374f7b0 RCX: 00007fd6f36ca719
> >> RDX: 0000000000000000 RSI: 0000000000800000 RDI: 0000000020001000
> >> RBP: 00007fd6f371c604 R08: 0000000000000000 R09: 0000000000000002
> >> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd6f371c0e0
> >> R13: 0000000020000a80 R14: 0030656c69662f2e R15: 00007fd6f374f7b8
> >> </TASK>
> >> INFO: task syz-executor359:5296 blocked for more than 145 seconds.
> >> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
> >> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> >> task:syz-executor359 state:D stack:27008 pid:5296 ppid:5112 flags:0x00004004
> >> Call Trace:
> >> <TASK>
> >> context_switch kernel/sched/core.c:5304 [inline]
> >> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
> >> schedule+0xc3/0x180 kernel/sched/core.c:6698
> >> schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6757
> >> rwsem_down_read_slowpath+0x5f4/0x950 kernel/locking/rwsem.c:1086
> >> __down_read_common+0x61/0x2c0 kernel/locking/rwsem.c:1250
> >> mmap_read_lock include/linux/mmap_lock.h:117 [inline]
> >> do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
> >> handle_page_fault arch/x86/mm/fault.c:1498 [inline]
> >> exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
> >> asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
> >> RIP: 0033:0x7fd6f371b888
> >> RSP: 002b:00007ffd6fdf2398 EFLAGS: 00010206
> >> RAX: 00007fd6f374ebd0 RBX: 00007fd6f374d1a8 RCX: 0000000000000001
> >> RDX: 00007fd6f3688d30 RSI: 0000000000000000 RDI: 00007fd6f374ebd0
> >> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000010
> >> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> >> R13: 0000000000000001 R14: 00007fd6f37543e0 R15: 0000000000000001
> >> </TASK>
> >> INFO: task syz-executor359:5298 blocked for more than 145 seconds.
> >> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
> >> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> >> task:syz-executor359 state:D stack:24840 pid:5298 ppid:5112 flags:0x00004004
> >> Call Trace:
> >> <TASK>
> >> context_switch kernel/sched/core.c:5304 [inline]
> >> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
> >> schedule+0xc3/0x180 kernel/sched/core.c:6698
> >> io_schedule+0x8c/0x100 kernel/sched/core.c:8884
> >> folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
> >> folio_lock include/linux/pagemap.h:952 [inline]
> >> write_cache_pages+0x58f/0x1450 mm/page-writeback.c:2440
> >> mpage_writepages+0x107/0x1d0 fs/mpage.c:653
> >> do_writepages+0x3a6/0x670 mm/page-writeback.c:2551
> >> filemap_fdatawrite_wbc+0x125/0x180 mm/filemap.c:390
> >> __filemap_fdatawrite_range mm/filemap.c:423 [inline]
> >> file_write_and_wait_range+0x20f/0x300 mm/filemap.c:781
> >> __generic_file_fsync+0x72/0x190 fs/libfs.c:1132
> >> fat_file_fsync+0x7e/0x190 fs/fat/file.c:191
> >> generic_write_sync include/linux/fs.h:2452 [inline]
> >> generic_file_write_iter+0x2a1/0x310 mm/filemap.c:4090
> >> call_write_iter include/linux/fs.h:1851 [inline]
> >> new_sync_write fs/read_write.c:491 [inline]
> >> vfs_write+0x7b2/0xbb0 fs/read_write.c:584
> >> ksys_write+0x1a0/0x2c0 fs/read_write.c:637
> >> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> >> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
> >> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> >> RIP: 0033:0x7fd6f36ca719
> >> RSP: 002b:00007fd6f36762f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> >> RAX: ffffffffffffffda RBX: 00007fd6f374f7a0 RCX: 00007fd6f36ca719
> >> RDX: 000000000208e24b RSI: 0000000020000080 RDI: 0000000000000004
> >> RBP: 00007fd6f371c604 R08: 0000000000000000 R09: 0000000000000000
> >> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd6f371c0e0
> >> R13: 0000000020000a80 R14: 0030656c69662f2e R15: 00007fd6f374f7a8
> >> </TASK>
> >> INFO: task syz-executor359:5304 blocked for more than 145 seconds.
> >> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
> >> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> >> task:syz-executor359 state:D stack:26504 pid:5304 ppid:5112 flags:0x00004004
> >> Call Trace:
> >> <TASK>
> >> context_switch kernel/sched/core.c:5304 [inline]
> >> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
> >> schedule+0xc3/0x180 kernel/sched/core.c:6698
> >> io_schedule+0x8c/0x100 kernel/sched/core.c:8884
> >> folio_wait_bit_common+0x86c/0x12b0 mm/filemap.c:1301
> >> folio_wait_writeback+0xec/0x1f0 mm/page-writeback.c:3127
> >> migrate_folio_unmap mm/migrate.c:1192 [inline]
> >> migrate_pages_batch mm/migrate.c:1685 [inline]
> >> migrate_pages+0x2d50/0x6610 mm/migrate.c:1973
> >> do_mbind mm/mempolicy.c:1338 [inline]
> >> kernel_mbind mm/mempolicy.c:1485 [inline]
> >> __do_sys_mbind mm/mempolicy.c:1559 [inline]
> >> __se_sys_mbind+0x75a/0x9c0 mm/mempolicy.c:1555
> >> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> >> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
> >> entry_SYSCALL_64_after_hwframe+0x63/0xcd
> >> RIP: 0033:0x7fd6f36ca719
> >> RSP: 002b:00007fd6eb3552e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ed
> >> RAX: ffffffffffffffda RBX: 00007fd6f374f7b0 RCX: 00007fd6f36ca719
> >> RDX: 0000000000000000 RSI: 0000000000800000 RDI: 0000000020001000
> >> RBP: 00007fd6f371c604 R08: 0000000000000000 R09: 0000000000000002
> >> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd6f371c0e0
> >> R13: 0000000020000a80 R14: 0030656c69662f2e R15: 00007fd6f374f7b8
> >> </TASK>
> >> INFO: task syz-executor359:5460 blocked for more than 146 seconds.
> >> Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
> >> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> >> task:syz-executor359 state:D stack:26520 pid:5460 ppid:5115 flags:0x00004004
> >> Call Trace:
> >> <TASK>
> >> context_switch kernel/sched/core.c:5304 [inline]
> >> __schedule+0x17d8/0x4990 kernel/sched/core.c:6622
> >> schedule+0xc3/0x180 kernel/sched/core.c:6698
> >> schedule_preempt_disabled+0x13/0x20 kernel/sched/core.c:6757
> >> rwsem_down_read_slowpath+0x5f4/0x950 kernel/locking/rwsem.c:1086
> >> __down_read_common+0x61/0x2c0 kernel/locking/rwsem.c:1250
> >> mmap_read_lock include/linux/mmap_lock.h:117 [inline]
> >> do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
> >> handle_page_fault arch/x86/mm/fault.c:1498 [inline]
> >> exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
> >> asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:570
> >> RIP: 0033:0x7fd6f371b888
> >> RSP: 002b:00007ffd6fdf2398 EFLAGS: 00010206
> >> RAX: 00007fd6f374ebd0 RBX: 00007fd6f374d1a8 RCX: 0000000000000001
> >> RDX: 00007fd6f3688d30 RSI: 0000000000000000 RDI: 00007fd6f374ebd0
> >> RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000010
> >> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> >> R13: 0000000000000001 R14: 00007fd6f37543e0 R15: 0000000000000001
> >> </TASK>
> >> Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
> >>
> >> Showing all locks held in the system:
> >> 3 locks held by kworker/u4:0/9:
> >> #0: ffff8881451bb938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x77f/0x13a0
> >> #1: ffffc900000e7d20 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x7c6/0x13a0 kernel/workqueue.c:2365
> >> #2: ffff88807dfe20e0 (&type->s_umount_key#43){++++}-{3:3}, at: trylock_super+0x1f/0xf0 fs/super.c:414
> >> 1 lock held by rcu_tasks_kthre/12:
> >> #0: ffffffff8d127cf0 (rcu_tasks.tasks_gp_mutex){+.+.}-{3:3}, at: rcu_tasks_one_gp+0x29/0xd20 kernel/rcu/tasks.h:510
> >> 1 lock held by rcu_tasks_trace/13:
> >> #0: ffffffff8d1284f0 (rcu_tasks_trace.tasks_gp_mutex){+.+.}-{3:3}, at: rcu_tasks_one_gp+0x29/0xd20 kernel/rcu/tasks.h:510
> >> 1 lock held by khungtaskd/28:
> >> #0: ffffffff8d127b20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x0/0x30
> >> 3 locks held by kworker/u4:2/41:
> >> #0: ffff8881451bb938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x77f/0x13a0
> >> #1: ffffc90000b27d20 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x7c6/0x13a0 kernel/workqueue.c:2365
> >> #2: ffff88801d8680e0 (&type->s_umount_key#43){++++}-{3:3}, at: trylock_super+0x1f/0xf0 fs/super.c:414
> >> 3 locks held by kworker/u4:4/75:
> >> #0: ffff8881451bb938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x77f/0x13a0
> >> #1: ffffc900020efd20 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x7c6/0x13a0 kernel/workqueue.c:2365
> >> #2: ffff88802c2640e0 (&type->s_umount_key#43){++++}-{3:3}, at: trylock_super+0x1f/0xf0 fs/super.c:414
> >> 2 locks held by kworker/1:2/2494:
> >> #0: ffff888012472538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_one_work+0x77f/0x13a0
> >> #1: ffffc9000a86fd20 ((work_completion)(&rew->rew_work)){+.+.}-{0:0}, at: process_one_work+0x7c6/0x13a0 kernel/workqueue.c:2365
> >> 2 locks held by getty/4750:
> >> #0: ffff88814a0e2098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:244
> >> #1: ffffc900015802f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6ab/0x1db0 drivers/tty/n_tty.c:2177
> >> 1 lock held by syz-executor359/5222:
> >> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:117 [inline]
> >> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
> >> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: handle_page_fault arch/x86/mm/fault.c:1498 [inline]
> >> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
> >> 2 locks held by syz-executor359/5223:
> >> #0: ffff888021e0f768 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x254/0x2f0 fs/file.c:1046
> >> #1: ffff88802c264460 (sb_writers#9){.+.+}-{0:0}, at: vfs_write+0x26d/0xbb0 fs/read_write.c:580
> >> 1 lock held by syz-executor359/5229:
> >> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock include/linux/mmap_lock.h:71 [inline]
> >> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: do_mbind mm/mempolicy.c:1312 [inline]
> >> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: kernel_mbind mm/mempolicy.c:1485 [inline]
> >> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: __do_sys_mbind mm/mempolicy.c:1559 [inline]
> >> #0: ffff88807d1df698 (&mm->mmap_lock){++++}-{3:3}, at: __se_sys_mbind+0x47d/0x9c0 mm/mempolicy.c:1555
> >> 1 lock held by syz-executor359/5296:
> >> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:117 [inline]
> >> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
> >> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: handle_page_fault arch/x86/mm/fault.c:1498 [inline]
> >> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
> >> 2 locks held by syz-executor359/5298:
> >> #0: ffff88807e2b0fe8 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x254/0x2f0 fs/file.c:1046
> >> #1: ffff88807dfe2460 (sb_writers#9){.+.+}-{0:0}, at: vfs_write+0x26d/0xbb0 fs/read_write.c:580
> >> 1 lock held by syz-executor359/5304:
> >> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock include/linux/mmap_lock.h:71 [inline]
> >> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: do_mbind mm/mempolicy.c:1312 [inline]
> >> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: kernel_mbind mm/mempolicy.c:1485 [inline]
> >> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: __do_sys_mbind mm/mempolicy.c:1559 [inline]
> >> #0: ffff88802cd0ae98 (&mm->mmap_lock){++++}-{3:3}, at: __se_sys_mbind+0x47d/0x9c0 mm/mempolicy.c:1555
> >> 1 lock held by syz-executor359/5460:
> >> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:117 [inline]
> >> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
> >> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: handle_page_fault arch/x86/mm/fault.c:1498 [inline]
> >> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
> >> 2 locks held by syz-executor359/5461:
> >> #0: ffff88801da66ae8 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x254/0x2f0 fs/file.c:1046
> >> #1: ffff888148d0a460 (sb_writers#9){.+.+}-{0:0}, at: vfs_write+0x26d/0xbb0 fs/read_write.c:580
> >> 1 lock held by syz-executor359/5467:
> >> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock include/linux/mmap_lock.h:71 [inline]
> >> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: do_mbind mm/mempolicy.c:1312 [inline]
> >> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: kernel_mbind mm/mempolicy.c:1485 [inline]
> >> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: __do_sys_mbind mm/mempolicy.c:1559 [inline]
> >> #0: ffff888022485298 (&mm->mmap_lock){++++}-{3:3}, at: __se_sys_mbind+0x47d/0x9c0 mm/mempolicy.c:1555
> >> 1 lock held by syz-executor359/5570:
> >> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:117 [inline]
> >> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
> >> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: handle_page_fault arch/x86/mm/fault.c:1498 [inline]
> >> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
> >> 2 locks held by syz-executor359/5571:
> >> #0: ffff88807838a5e8 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x254/0x2f0 fs/file.c:1046
> >> #1: ffff88801d868460 (sb_writers#9){.+.+}-{0:0}, at: vfs_write+0x26d/0xbb0 fs/read_write.c:580
> >> 1 lock held by syz-executor359/5575:
> >> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock include/linux/mmap_lock.h:71 [inline]
> >> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: do_mbind mm/mempolicy.c:1312 [inline]
> >> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: kernel_mbind mm/mempolicy.c:1485 [inline]
> >> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: __do_sys_mbind mm/mempolicy.c:1559 [inline]
> >> #0: ffff88807d295298 (&mm->mmap_lock){++++}-{3:3}, at: __se_sys_mbind+0x47d/0x9c0 mm/mempolicy.c:1555
> >> 1 lock held by syz-executor359/5572:
> >> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:117 [inline]
> >> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: do_user_addr_fault arch/x86/mm/fault.c:1358 [inline]
> >> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: handle_page_fault arch/x86/mm/fault.c:1498 [inline]
> >> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: exc_page_fault+0x558/0x8a0 arch/x86/mm/fault.c:1554
> >> 2 locks held by syz-executor359/5573:
> >> #0: ffff888026d84d68 (&f->f_pos_lock){+.+.}-{3:3}, at: __fdget_pos+0x254/0x2f0 fs/file.c:1046
> >> #1: ffff88807b6ac460 (sb_writers#9){.+.+}-{0:0}, at: vfs_write+0x26d/0xbb0 fs/read_write.c:580
> >> 1 lock held by syz-executor359/5576:
> >> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: mmap_write_lock include/linux/mmap_lock.h:71 [inline]
> >> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: do_mbind mm/mempolicy.c:1312 [inline]
> >> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: kernel_mbind mm/mempolicy.c:1485 [inline]
> >> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: __do_sys_mbind mm/mempolicy.c:1559 [inline]
> >> #0: ffff88807d1dc098 (&mm->mmap_lock){++++}-{3:3}, at: __se_sys_mbind+0x47d/0x9c0 mm/mempolicy.c:1555
> >> 3 locks held by kworker/u4:3/5614:
> >> #0: ffff8881451bb938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x77f/0x13a0
> >> #1: ffffc90004defd20 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x7c6/0x13a0 kernel/workqueue.c:2365
> >> #2: ffff88807b6ac0e0 (&type->s_umount_key#43){++++}-{3:3}, at: trylock_super+0x1f/0xf0 fs/super.c:414
> >> 3 locks held by kworker/u4:5/6087:
> >> #0: ffff8881451bb938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x77f/0x13a0
> >> #1: ffffc900055b7d20 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x7c6/0x13a0 kernel/workqueue.c:2365
> >> #2: ffff888148d0a0e0 (&type->s_umount_key#43){++++}-{3:3}, at: trylock_super+0x1f/0xf0 fs/super.c:414
> >> 1 lock held by syz-executor359/12461:
> >> #0: ffffffff8d12d1f8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:293 [inline]
> >> #0: ffffffff8d12d1f8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x3a3/0x890 kernel/rcu/tree_exp.h:989
> >>
> >> =============================================
> >>
> >> NMI backtrace for cpu 0
> >> CPU: 0 PID: 28 Comm: khungtaskd Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
> >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
> >> Call Trace:
> >> <TASK>
> >> __dump_stack lib/dump_stack.c:88 [inline]
> >> dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
> >> nmi_cpu_backtrace+0x4e5/0x560 lib/nmi_backtrace.c:113
> >> nmi_trigger_cpumask_backtrace+0x1b4/0x410 lib/nmi_backtrace.c:62
> >> trigger_all_cpu_backtrace include/linux/nmi.h:148 [inline]
> >> check_hung_uninterruptible_tasks kernel/hung_task.c:222 [inline]
> >> watchdog+0x1024/0x1070 kernel/hung_task.c:379
> >> kthread+0x270/0x300 kernel/kthread.c:376
> >> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
> >> </TASK>
> >> Sending NMI from CPU 0 to CPUs 1:
> >> NMI backtrace for cpu 1
> >> CPU: 1 PID: 6343 Comm: kworker/u4:9 Not tainted 6.2.0-syzkaller-10827-g489fa31ea873 #0
> >> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/16/2023
> >> Workqueue: events_unbound toggle_allocation_gate
> >> RIP: 0010:rcu_sync_is_idle include/linux/rcu_sync.h:36 [inline]
> >> RIP: 0010:percpu_up_read include/linux/percpu-rwsem.h:105 [inline]
> >> RIP: 0010:cpus_read_unlock+0x5f/0x130 kernel/cpu.c:322
> >> Code: 85 db 74 1b e8 c2 4f 20 00 89 c3 31 ff 89 c6 e8 87 23 39 00 85
> >> db 74 5b e8 ce 1f 39 00 eb 05 e8 c7 1f 39 00 8b 1d 41 be a8 0b <31> ff
> >> 89 de e8 68 23 39 00 85 db 0f 85 8c 00 00 00 e8 ab 1f 39 00
> >> RSP: 0018:ffffc90005757b70 EFLAGS: 00000293
> >> RAX: ffffffff81538cb2 RBX: 0000000000000000 RCX: ffff888028643a80
> >> RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
> >> RBP: ffffc90005757c50 R08: ffffffff81538ca9 R09: fffffbfff1ce8d2e
> >> R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
> >> R13: 1ffff1104779cc03 R14: 0000000000000000 R15: 1ffff92000aeaf70
> >> FS: 0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
> >> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >> CR2: 00007ffd6fdf0bb8 CR3: 000000000cf30000 CR4: 00000000003506e0
> >> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> >> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> >> Call Trace:
> >> <TASK>
> >> toggle_allocation_gate+0xb5/0x250 mm/kfence/core.c:799
> >> process_one_work+0x915/0x13a0 kernel/workqueue.c:2390
> >> worker_thread+0xa63/0x1210 kernel/workqueue.c:2537
> >> kthread+0x270/0x300 kernel/kthread.c:376
> >> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308
> >> </TASK>
> >>
> >>
> >> ---
> >> This report is generated by a bot. It may contain errors.
> >> See https://goo.gl/tpsmEJ for more information about syzbot.
> >> syzbot engineers can be reached at syzkaller@googlegroups.com.
> >>
> >> syzbot will keep track of this issue. See:
> >> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> >> syzbot can test patches for this issue, for details see:
> >> https://goo.gl/tpsmEJ#testing-patches
Thread overview: 6+ messages
2023-03-02 0:35 [syzbot] [mm?] INFO: task hung in write_cache_pages (2) syzbot
2023-03-02 12:06 ` syzbot
2023-03-02 13:23 ` Matthew Wilcox
2023-03-02 20:10 ` Yang Shi
2023-03-02 23:42 ` Huang, Ying
2023-03-03 5:38 ` Dmitry Vyukov