syzbot has found a reproducer for the following issue on: HEAD commit: de5cb0dcb74c Merge branch 'address-masking' git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=15ee0c80580000 kernel config: https://syzkaller.appspot.com/x/.config?x=f99f4d8e33bb9c3 dashboard link: https://syzkaller.appspot.com/bug?extid=50499e163bfa302dfe7b compiler: arm-linux-gnueabi-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 userspace arch: arm syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10fa1e07980000 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13e1a107980000 Downloadable assets: disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/8ead8862021c/non_bootable_disk-de5cb0dc.raw.xz vmlinux: https://storage.googleapis.com/syzbot-assets/2b69b8a02541/vmlinux-de5cb0dc.xz kernel image: https://storage.googleapis.com/syzbot-assets/1d8b6c7690df/zImage-de5cb0dc.xz IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+50499e163bfa302dfe7b@xxxxxxxxxxxxxxxxxxxxxxxxx INFO: task kworker/1:3:111 blocked for more than 450 seconds. Not tainted 6.11.0-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/1:3 state:D stack:0 pid:111 tgid:111 ppid:2 flags:0x00000000 Workqueue: events rfkill_global_led_trigger_worker Call trace: [<819b466c>] (__schedule) from [<819b52ac>] (__schedule_loop kernel/sched/core.c:6751 [inline]) [<819b466c>] (__schedule) from [<819b52ac>] (schedule+0x2c/0xfc kernel/sched/core.c:6766) r10:82c18205 r9:00000000 r8:827ec108 r7:00000002 r6:df9a1e74 r5:834d9800 r4:834d9800 [<819b5280>] (schedule) from [<819b5660>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6823) r5:834d9800 r4:827ec104 [<819b5648>] (schedule_preempt_disabled) from [<819b8138>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline]) [<819b5648>] (schedule_preempt_disabled) from [<819b8138>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752) [<819b7e50>] (__mutex_lock.constprop.0) from [<819b8a04>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040) r10:82c18205 r9:834d9800 r8:01800000 r7:ddde40c0 r6:82c18200 r5:82931dd4 r4:827ec104 [<819b89f0>] (__mutex_lock_slowpath) from [<819b8a44>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286) [<819b8a08>] (mutex_lock) from [<818bbfb8>] (rfkill_global_led_trigger_worker+0x1c/0xc0 net/rfkill/core.c:182) [<818bbf9c>] (rfkill_global_led_trigger_worker) from [<80266148>] (process_one_work+0x1b4/0x4f4 kernel/workqueue.c:3229) r5:82931dd4 r4:8346f880 [<80265f94>] (process_one_work) from [<80266d2c>] (process_scheduled_works kernel/workqueue.c:3310 [inline]) [<80265f94>] (process_one_work) from [<80266d2c>] (worker_thread+0x1ec/0x3bc kernel/workqueue.c:3391) r10:834d9800 r9:8346f8ac r8:61c88647 r7:ddde40e0 r6:82604d40 r5:ddde40c0 r4:8346f880 [<80266b40>] (worker_thread) from [<8026fd9c>] (kthread+0x104/0x134 kernel/kthread.c:389) r10:00000000 r9:df921e78 r8:82f39c00 r7:8346f880 r6:80266b40 r5:834d9800 r4:8368ab80 [<8026fc98>] (kthread) from [<80200114>] (ret_from_fork+0x14/0x20 arch/arm/kernel/entry-common.S:137) Exception stack(0xdf9a1fb0 to 0xdf9a1ff8) 1fa0: 00000000 00000000 00000000 00000000 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:8026fc98 r4:8368ab80 INFO: task kworker/1:0:3121 blocked for more than 450 seconds. Not tainted 6.11.0-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/1:0 state:D stack:0 pid:3121 tgid:3121 ppid:2 flags:0x00000000 Workqueue: events rfkill_sync_work Call trace: [<819b466c>] (__schedule) from [<819b52ac>] (__schedule_loop kernel/sched/core.c:6751 [inline]) [<819b466c>] (__schedule) from [<819b52ac>] (schedule+0x2c/0xfc kernel/sched/core.c:6766) r10:82c18205 r9:00000000 r8:827ec108 r7:00000002 r6:ec251e74 r5:83e02400 r4:83e02400 [<819b5280>] (schedule) from [<819b5660>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6823) r5:83e02400 r4:827ec104 [<819b5648>] (schedule_preempt_disabled) from [<819b8138>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline]) [<819b5648>] (schedule_preempt_disabled) from [<819b8138>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752) [<819b7e50>] (__mutex_lock.constprop.0) from [<819b8a04>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040) r10:82c18205 r9:83e02400 r8:01800000 r7:ddde40c0 r6:82c18200 r5:8444e684 r4:8444e684 [<819b89f0>] (__mutex_lock_slowpath) from [<819b8a44>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286) [<819b8a08>] (mutex_lock) from [<818bd800>] (rfkill_sync_work+0x1c/0x5c net/rfkill/core.c:1055) [<818bd7e4>] (rfkill_sync_work) from [<80266148>] (process_one_work+0x1b4/0x4f4 kernel/workqueue.c:3229) r5:8444e684 r4:8467cc00 [<80265f94>] (process_one_work) from [<80266d2c>] (process_scheduled_works kernel/workqueue.c:3310 [inline]) [<80265f94>] (process_one_work) from [<80266d2c>] (worker_thread+0x1ec/0x3bc kernel/workqueue.c:3391) r10:83e02400 r9:8467cc2c r8:61c88647 r7:ddde40e0 r6:82604d40 r5:ddde40c0 r4:8467cc00 [<80266b40>] (worker_thread) from [<8026fd9c>] (kthread+0x104/0x134 kernel/kthread.c:389) r10:00000000 r9:df931e78 r8:84496980 r7:8467cc00 r6:80266b40 r5:83e02400 r4:84496ac0 [<8026fc98>] (kthread) from [<80200114>] (ret_from_fork+0x14/0x20 arch/arm/kernel/entry-common.S:137) Exception stack(0xec251fb0 to 0xec251ff8) 1fa0: 00000000 00000000 00000000 00000000 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:8026fc98 r4:84496ac0 INFO: task syz-executor355:3616 blocked for more than 450 seconds. Not tainted 6.11.0-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor355 state:D stack:0 pid:3616 tgid:3616 ppid:3127 flags:0x00000005 Call trace: [<819b466c>] (__schedule) from [<819b52ac>] (__schedule_loop kernel/sched/core.c:6751 [inline]) [<819b466c>] (__schedule) from [<819b52ac>] (schedule+0x2c/0xfc kernel/sched/core.c:6766) r10:81c7ff84 r9:00000000 r8:83efc860 r7:00000002 r6:dfc05de4 r5:83701800 r4:83701800 [<819b5280>] (schedule) from [<819b5660>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6823) r5:83701800 r4:83efc85c [<819b5648>] (schedule_preempt_disabled) from [<819b8138>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline]) [<819b5648>] (schedule_preempt_disabled) from [<819b8138>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752) [<819b7e50>] (__mutex_lock.constprop.0) from [<819b8a04>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040) r10:81c7ff84 r9:200000c0 r8:00000000 r7:83701800 r6:00000001 r5:83efc85c r4:83efc800 [<819b89f0>] (__mutex_lock_slowpath) from [<819b8a44>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286) [<819b8a08>] (mutex_lock) from [<819016f8>] (device_lock include/linux/device.h:1014 [inline]) [<819b8a08>] (mutex_lock) from [<819016f8>] (nfc_dev_down+0x20/0xc8 net/nfc/core.c:143) [<819016d8>] (nfc_dev_down) from [<819017cc>] (nfc_rfkill_set_block+0x2c/0x68 net/nfc/core.c:179) r7:83701800 r6:00000001 r5:83efc800 r4:00000001 [<819017a0>] (nfc_rfkill_set_block) from [<818bcda0>] (rfkill_set_block+0x90/0x144 net/rfkill/core.c:346) r5:00000001 r4:83efe800 [<818bcd10>] (rfkill_set_block) from [<818bd358>] (rfkill_fop_write+0x1a8/0x258 net/rfkill/core.c:1301) r7:83701800 r6:83efe800 r5:827ec118 r4:00000008 [<818bd1b0>] (rfkill_fop_write) from [<805168b8>] (vfs_write+0xac/0x44c fs/read_write.c:681) r6:00000008 r5:84667780 r4:818bd1b0 [<8051680c>] (vfs_write) from [<80516e28>] (ksys_write+0xc4/0xf8 fs/read_write.c:736) r10:00000004 r9:83701800 r8:8020029c r7:00000008 r6:200000c0 r5:84667780 r4:84667780 [<80516d64>] (ksys_write) from [<80516e6c>] (__do_sys_write fs/read_write.c:748 [inline]) [<80516d64>] (ksys_write) from [<80516e6c>] (sys_write+0x10/0x14 fs/read_write.c:745) r7:00000004 r6:7edc3160 r5:00000000 r4:ffffffff [<80516e5c>] (sys_write) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67) Exception stack(0xdfc05fa8 to 0xdfc05ff0) 5fa0: ffffffff 00000000 00000004 200000c0 00000008 00000000 5fc0: ffffffff 00000000 7edc3160 00000004 7e85fc6c 00002710 000f4240 00000000 5fe0: 7e85fc58 7e85fc48 000106d8 0002ea30 INFO: task syz-executor355:3617 blocked for more than 450 seconds. Not tainted 6.11.0-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor355 state:D stack:0 pid:3617 tgid:3617 ppid:3125 flags:0x00000004 Call trace: [<819b466c>] (__schedule) from [<819b52ac>] (__schedule_loop kernel/sched/core.c:6751 [inline]) [<819b466c>] (__schedule) from [<819b52ac>] (schedule+0x2c/0xfc kernel/sched/core.c:6766) r10:000000f8 r9:00000000 r8:827ec108 r7:00000002 r6:dfc25e04 r5:83702400 r4:83702400 [<819b5280>] (schedule) from [<819b5660>] (schedule_preempt_disabled+0x18/0x24 kernel/sched/core.c:6823) r5:83702400 r4:827ec104 [<819b5648>] (schedule_preempt_disabled) from [<819b8138>] (__mutex_lock_common kernel/locking/mutex.c:684 [inline]) [<819b5648>] (schedule_preempt_disabled) from [<819b8138>] (__mutex_lock.constprop.0+0x2e8/0xae0 kernel/locking/mutex.c:752) [<819b7e50>] (__mutex_lock.constprop.0) from [<819b8a04>] (__mutex_lock_slowpath+0x14/0x18 kernel/locking/mutex.c:1040) r10:000000f8 r9:00000000 r8:82cad790 r7:83f7b000 r6:83f7b024 r5:83efea40 r4:83efe800 [<819b89f0>] (__mutex_lock_slowpath) from [<819b8a44>] (mutex_lock+0x3c/0x40 kernel/locking/mutex.c:286) [<819b8a08>] (mutex_lock) from [<818bca90>] (rfkill_unregister+0x5c/0xc4 net/rfkill/core.c:1145) [<818bca34>] (rfkill_unregister) from [<81900e80>] (nfc_unregister_device+0x44/0x118 net/nfc/core.c:1167) r5:83efc85c r4:83efc800 [<81900e3c>] (nfc_unregister_device) from [<8190de2c>] (nci_unregister_device+0x94/0x98 net/nfc/nci/core.c:1312) r5:83f7b024 r4:83f7b024 [<8190dd98>] (nci_unregister_device) from [<80b011c0>] (virtual_ncidev_close+0x18/0x30 drivers/nfc/virtual_ncidev.c:172) r9:00000000 r8:82cad790 r7:83867e58 r6:83022ee0 r5:000e001b r4:843549c0 [<80b011a8>] (virtual_ncidev_close) from [<80518350>] (__fput+0xdc/0x2e4 fs/file_table.c:431) r5:000e001b r4:84686cc0 [<80518274>] (__fput) from [<805185e0>] (____fput+0x14/0x18 fs/file_table.c:459) r9:00000000 r8:82871694 r7:83702400 r6:83702c84 r5:83702c54 r4:00000000 [<805185cc>] (____fput) from [<8026c6e4>] (task_work_run+0x90/0xb8 kernel/task_work.c:228) [<8026c654>] (task_work_run) from [<80248f4c>] (exit_task_work include/linux/task_work.h:40 [inline]) [<8026c654>] (task_work_run) from [<80248f4c>] (do_exit+0x304/0xaa0 kernel/exit.c:939) r9:00000000 r8:dfc25f50 r7:83702c80 r6:83ee0978 r5:83ee0900 r4:83702400 [<80248c48>] (do_exit) from [<802498ac>] (do_group_exit+0x40/0x8c kernel/exit.c:1088) r7:83ecdf80 [<8024986c>] (do_group_exit) from [<80249910>] (__do_sys_exit_group kernel/exit.c:1099 [inline]) [<8024986c>] (do_group_exit) from [<80249910>] (pid_child_should_wake+0x0/0x6c kernel/exit.c:1097) r7:000000f8 r4:00000001 [<802498f8>] (sys_exit_group) from [<80200060>] (ret_fast_syscall+0x0/0x1c arch/arm/mm/proc-v7.S:67) Exception stack(0xdfc25fa8 to 0xdfc25ff0) 5fa0: 00000001 0008b3ac 00000000 00000000 00000000 00000000 5fc0: 00000001 0008b3ac 00000000 000000f8 0008b8d0 00089158 00089158 0008b8d0 5fe0: 128a5b9d 7e85fc28 00016fa8 0002bdb4 NMI backtrace for cpu 1 CPU: 1 UID: 0 PID: 32 Comm: khungtaskd Not tainted 6.11.0-syzkaller #0 Hardware name: ARM-Versatile Express Call trace: [<81992360>] (dump_backtrace) from [<8199245c>] (show_stack+0x18/0x1c arch/arm/kernel/traps.c:257) r7:00000000 r6:00000013 r5:60000093 r4:82039e28 [<81992444>] (show_stack) from [<819b0758>] (__dump_stack lib/dump_stack.c:94 [inline]) [<81992444>] (show_stack) from [<819b0758>] (dump_stack_lvl+0x70/0x7c lib/dump_stack.c:120) [<819b06e8>] (dump_stack_lvl) from [<819b077c>] (dump_stack+0x18/0x1c lib/dump_stack.c:129) r5:00000001 r4:00000001 [<819b0764>] (dump_stack) from [<8197f620>] (nmi_cpu_backtrace+0x160/0x17c lib/nmi_backtrace.c:113) [<8197f4c0>] (nmi_cpu_backtrace) from [<8197f76c>] (nmi_trigger_cpumask_backtrace+0x130/0x1d8 lib/nmi_backtrace.c:62) r7:00000001 r6:8260c5d0 r5:8261a88c r4:ffffffff [<8197f63c>] (nmi_trigger_cpumask_backtrace) from [<802103e8>] (arch_trigger_cpumask_backtrace+0x18/0x1c arch/arm/kernel/smp.c:851) r9:00019000 r8:828b6cf8 r7:8260c730 r6:00007f60 r5:8261ae48 r4:8351451c [<802103d0>] (arch_trigger_cpumask_backtrace) from [<803582e0>] (trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]) [<802103d0>] (arch_trigger_cpumask_backtrace) from [<803582e0>] (check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline]) [<802103d0>] (arch_trigger_cpumask_backtrace) from [<803582e0>] (watchdog+0x498/0x5b8 kernel/hung_task.c:379) [<80357e48>] (watchdog) from [<8026fd9c>] (kthread+0x104/0x134 kernel/kthread.c:389) r10:00000000 r9:df819e58 r8:82f23980 r7:00000000 r6:80357e48 r5:82e59800 r4:82ec84c0 [<8026fc98>] (kthread) from [<80200114>] (ret_from_fork+0x14/0x20 arch/arm/kernel/entry-common.S:137) Exception stack(0xdf8e1fb0 to 0xdf8e1ff8) 1fa0: 00000000 00000000 00000000 00000000 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:8026fc98 r4:82ec84c0 Sending NMI from CPU 1 to CPUs 0: NMI backtrace for cpu 0 CPU: 0 UID: 0 PID: 2932 Comm: klogd Not tainted 6.11.0-syzkaller #0 Hardware name: ARM-Versatile Express PC is at 0x76dbd918 LR is at 0x76db8460 pc : [<76dbd918>] lr : [<76db8460>] psr: 60000010 sp : 7eec3bc8 ip : 00000000 fp : 017e4b1b r10: 76e30e60 r9 : 00000013 r8 : 00000000 r7 : 00000121 r6 : 76f665a0 r5 : 76f665a0 r4 : 017dd1a8 r3 : 00004000 r2 : 0000003e r1 : 017e4b18 r0 : 0000003e Flags: nZCv IRQs on FIQs on Mode USER_32 ISA ARM Segment user Control: 30c5387d Table: 84347480 DAC: fffffffd Call trace: invalid frame pointer 0x017e4b1b --- If you want syzbot to run the reproducer, reply with: #syz test: git://repo/address.git branch-or-commit-hash If you attach or paste a git patch, syzbot will apply it before testing.
