public inbox for linux-kernel@vger.kernel.org
* [syzbot] [kernel?] INFO: task hung in ret_from_fork (4)
@ 2026-03-01 18:35 syzbot
  2026-03-18 12:04 ` Forwarded: [PATCH] netdevsim: fib: replace flush_work() with cancel_work_sync() for fib_event_work syzbot
  2026-03-18 14:57 ` Forwarded: [PATCH] netdevsim: fib: replace flush_work() with cancel_work_sync() in nsim_fib_flush_work() syzbot
  0 siblings, 2 replies; 5+ messages in thread
From: syzbot @ 2026-03-01 18:35 UTC (permalink / raw)
  To: bp, dave.hansen, hpa, linux-kernel, mingo, netdev, syzkaller-bugs,
	tglx, x86

Hello,

syzbot found the following issue on:

HEAD commit:    2f61f38a2174 net: stmmac: fix timestamping configuration a..
git tree:       net
console output: https://syzkaller.appspot.com/x/log.txt?x=16824d5a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=665cbf0979cda6c5
dashboard link: https://syzkaller.appspot.com/bug?extid=7c11975a7e4a2735d529
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10e9955a580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16b928d6580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/f3c4b4ab812f/disk-2f61f38a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a662c736eab0/vmlinux-2f61f38a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/345dc74120a7/bzImage-2f61f38a.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7c11975a7e4a2735d529@syzkaller.appspotmail.com

INFO: task kworker/1:8:5970 blocked for more than 159 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:8     state:D stack:30744 pid:5970  tgid:5970  ppid:2      task_flags:0x4208040 flags:0x00080000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5295 [inline]
 __schedule+0x1585/0x5340 kernel/sched/core.c:6907
 __schedule_loop kernel/sched/core.c:6989 [inline]
 schedule+0x164/0x360 kernel/sched/core.c:7004
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7061
 kthread+0x260/0x470 kernel/kthread.c:451
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Showing all locks held in the system:
2 locks held by kworker/0:0/9:
1 lock held by kworker/0:1/10:
 #0: ffffffff8e5fec68 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_attach_to_pool+0x2e/0x3a0 kernel/workqueue.c:2691
2 locks held by kworker/u8:0/12:
2 locks held by kworker/u8:1/13:
1 lock held by kworker/R-mm_pe/14:
 #0: ffffffff8e5fec68 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_detach_from_pool kernel/workqueue.c:2749 [inline]
 #0: ffffffff8e5fec68 (wq_pool_attach_mutex){+.+.}-{4:4}, at: rescuer_thread+0xc4a/0x1120 kernel/workqueue.c:3610
3 locks held by kworker/1:0/24:
 #0: ffff88813fe0f548 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3250 [inline]
 #0: ffff88813fe0f548 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x9ea/0x1830 kernel/workqueue.c:3358
 #1: ffffc900001e7c40 ((work_completion)(&data->fib_event_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3251 [inline]
 #1: ffffc900001e7c40 ((work_completion)(&data->fib_event_work)){+.+.}-{0:0}, at: process_scheduled_works+0xa25/0x1830 kernel/workqueue.c:3358
 #2: ffff88807c222240 (&data->fib_lock){+.+.}-{4:4}, at: nsim_fib_event_work+0x202/0x3d0 drivers/net/netdevsim/fib.c:1490
1 lock held by khungtaskd/30:
 #0: ffffffff8e7602e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #0: ffffffff8e7602e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #0: ffffffff8e7602e0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6775
8 locks held by kworker/u8:2/35:
3 locks held by kworker/1:1/42:
3 locks held by kworker/u8:3/49:
 #0: ffff88813fe4c148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3250 [inline]
 #0: ffff88813fe4c148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x9ea/0x1830 kernel/workqueue.c:3358
 #1: ffffc90000b97c40 ((work_completion)(&pool->idle_cull_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3251 [inline]
 #1: ffffc90000b97c40 ((work_completion)(&pool->idle_cull_work)){+.+.}-{0:0}, at: process_scheduled_works+0xa25/0x1830 kernel/workqueue.c:3358
 #2: ffffffff8e5fec68 (wq_pool_attach_mutex){+.+.}-{4:4}, at: idle_cull_fn+0xd2/0x740 kernel/workqueue.c:2973
2 locks held by kworker/u8:4/77:
3 locks held by kworker/u8:5/86:
 #0: ffff88813fe4c148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3250 [inline]
 #0: ffff88813fe4c148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x9ea/0x1830 kernel/workqueue.c:3358
 #1: ffffc900025dfc40 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3251 [inline]
 #1: ffffc900025dfc40 ((linkwatch_work).work){+.+.}-{0:0}, at: process_scheduled_works+0xa25/0x1830 kernel/workqueue.c:3358
 #2: ffffffff8fbcb888 (rtnl_mutex){+.+.}-{4:4}, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:313
2 locks held by kworker/u8:6/146:
2 locks held by kworker/0:2/796:
2 locks held by kworker/u8:7/1116:
1 lock held by kworker/u8:8/1147:
 #0: ffffffff8e5fec68 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_attach_to_pool+0x2e/0x3a0 kernel/workqueue.c:2691
2 locks held by kworker/u8:9/1168:
1 lock held by kworker/1:2/1997:
 #0: ffffffff8e5fec68 (wq_pool_attach_mutex){+.+.}-{4:4}, at: worker_attach_to_pool+0x2e/0x3a0 kernel/workqueue.c:2691
3 locks held by kworker/u8:10/2990:
2 locks held by getty/5581:
 #0: ffff888036c110a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: ffffc9000332b2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x45c/0x13c0 drivers/tty/n_tty.c:2211
3 locks held by kworker/1:3/5810:
2 locks held by syz-executor210/5855:
 #0: ffffffff8fbcb888 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #0: ffffffff8fbcb888 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
 #0: ffffffff8fbcb888 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8a1/0x1be0 net/core/rtnetlink.c:4071
 #1: ffff88806d1a5528 (&wg->device_update_lock){+.+.}-{4:4}, at: wg_open+0x227/0x420 drivers/net/wireguard/device.c:50
1 lock held by syz-executor210/5856:
 #0: ffffffff8fbcb888 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
 #0: ffffffff8fbcb888 (rtnl_mutex){+.+.}-{4:4}, at: rtnetlink_rcv_msg+0x722/0xbe0 net/core/rtnetlink.c:6964
3 locks held by kworker/1:4/5865:
7 locks held by kworker/u9:3/5869:
 #0: ffff88807a26f948 ((wq_completion)hci2){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3250 [inline]
 #0: ffff88807a26f948 ((wq_completion)hci2){+.+.}-{0:0}, at: process_scheduled_works+0x9ea/0x1830 kernel/workqueue.c:3358
 #1: ffffc90003ba7c40 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3251 [inline]
 #1: ffffc90003ba7c40 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0xa25/0x1830 kernel/workqueue.c:3358
 #2: ffff888076408ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x1d3/0x400 net/bluetooth/hci_sync.c:331
 #3: ffff8880764080c0 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0xa6f/0x1190 net/bluetooth/hci_sync.c:5734
 #4: ffffffff8fd57f28 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:2136 [inline]
 #4: ffffffff8fd57f28 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_failed+0x165/0x340 net/bluetooth/hci_conn.c:1342
 #5: ffff888057b3caf8 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x7b/0x5c0 net/bluetooth/l2cap_core.c:1755
 #6: ffffffff8e766578 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock kernel/rcu/tree_exp.h:343 [inline]
 #6: ffffffff8e766578 (rcu_state.exp_mutex){+.+.}-{4:4}, at: synchronize_rcu_expedited+0x38d/0x770 kernel/rcu/tree_exp.h:961
5 locks held by kworker/u9:4/5870:
 #0: ffff88807c3fa148 ((wq_completion)hci4){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3250 [inline]
 #0: ffff88807c3fa148 ((wq_completion)hci4){+.+.}-{0:0}, at: process_scheduled_works+0x9ea/0x1830 kernel/workqueue.c:3358


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Forwarded: [PATCH] netdevsim: fib: replace flush_work() with cancel_work_sync() for fib_event_work
  2026-03-01 18:35 [syzbot] [kernel?] INFO: task hung in ret_from_fork (4) syzbot
@ 2026-03-18 12:04 ` syzbot
  2026-03-18 14:57 ` Forwarded: [PATCH] netdevsim: fib: replace flush_work() with cancel_work_sync() in nsim_fib_flush_work() syzbot
  1 sibling, 0 replies; 5+ messages in thread
From: syzbot @ 2026-03-18 12:04 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] netdevsim: fib: replace flush_work() with cancel_work_sync() for fib_event_work
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


flush_work() waits for fib_event_work to finish executing.
However, fib_event_work holds fib_lock while running, and
nsim_fib_flush_work() also tries to acquire fib_lock after
flush_work() returns. If fib_event_work takes a long time
or is blocked, flush_work() can wait indefinitely, causing
a hung task.

Replace all occurrences of flush_work(&data->fib_event_work)
with cancel_work_sync(&data->fib_event_work) to safely cancel
any pending work without waiting indefinitely.

This fixes a hung task reported by syzkaller:
  INFO: task kworker/1:8 blocked for more than 159 seconds

The following call chain triggers the hang:
  nsim_fib_flush_work()
    flush_work(&data->fib_event_work)  <- waits forever
      nsim_fib_event_work()
        mutex_lock(&data->fib_lock)    <- held here

Reported-by: syzbot+7c11975a7e4a2735d529@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=7c11975a7e4a2735d529
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
 drivers/net/netdevsim/fib.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/netdevsim/fib.c b/drivers/net/netdevsim/fib.c
index 1a42bdbfaa41..f08517ee583c 100644
--- a/drivers/net/netdevsim/fib.c
+++ b/drivers/net/netdevsim/fib.c
@@ -1094,7 +1094,7 @@ static void nsim_fib_dump_inconsistent(struct notifier_block *nb)
 	struct nsim_fib_rt *fib_rt, *fib_rt_tmp;
 
 	/* Flush the work to make sure there is no race with notifications. */
-	flush_work(&data->fib_event_work);
+	cancel_work_sync(&data->fib_event_work);
 
 	/* The notifier block is still not registered, so we do not need to
 	 * take any locks here.
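Review bot: in nsim_fib_dump_inconsistent() the retained comment still says "Flush the work to make sure there is no race with notifications", but cancel_work_sync() removes a pending fib_event_work instead of running it, so the comment and the call now disagree. The next comment in this hunk states that the notifier block is not registered yet, and the commit message describes the hang only in nsim_fib_flush_work(), so this call site has no stated reason to change; either leave flush_work() here, or update the comment and explain in the commit message why discarding a pending work item is correct at this point.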
@@ -1505,7 +1505,7 @@ static void nsim_fib_flush_work(struct work_struct *work)
 	struct nsim_fib_rt *fib_rt, *fib_rt_tmp;
 
 	/* Process pending work. */
-	flush_work(&data->fib_event_work);
+	cancel_work_sync(&data->fib_event_work);
 
 	mutex_lock(&data->fib_lock);
 	list_for_each_entry_safe(fib_rt, fib_rt_tmp, &data->fib_rt_list, list) {
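Review bot: the comment "Process pending work." above the changed line no longer describes what happens, since cancel_work_sync() drops a pending fib_event_work rather than processing it. Update the comment, and state in the commit message what becomes of the events the cancelled work would have handled before the list_for_each_entry_safe() walk under fib_lock.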
@@ -1626,7 +1626,7 @@ struct nsim_fib_data *nsim_fib_create(struct devlink *devlink,
 	unregister_nexthop_notifier(devlink_net(devlink), &data->nexthop_nb);
 err_rhashtable_fib_destroy:
 	cancel_work_sync(&data->fib_flush_work);
-	flush_work(&data->fib_event_work);
+	cancel_work_sync(&data->fib_event_work);
 	rhashtable_free_and_destroy(&data->fib_rt_ht, nsim_fib_rt_free,
 				    data);
 err_rhashtable_nexthop_destroy:
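Review bot: this error path in nsim_fib_create() is not part of the call chain the commit message gives for the hang, so the switch to cancel_work_sync() here is unmotivated. The changed line runs right before rhashtable_free_and_destroy(), so the commit message should say whether fib_event_work can still be pending at this label and, if it can, what cleans up after it once it is cancelled; otherwise drop this hunk.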
@@ -1656,7 +1656,7 @@ void nsim_fib_destroy(struct devlink *devlink, struct nsim_fib_data *data)
 	unregister_fib_notifier(devlink_net(devlink), &data->fib_nb);
 	unregister_nexthop_notifier(devlink_net(devlink), &data->nexthop_nb);
 	cancel_work_sync(&data->fib_flush_work);
-	flush_work(&data->fib_event_work);
+	cancel_work_sync(&data->fib_event_work);
 	rhashtable_free_and_destroy(&data->fib_rt_ht, nsim_fib_rt_free,
 				    data);
 	rhashtable_free_and_destroy(&data->nexthop_ht, nsim_nexthop_free,
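Review bot: in nsim_fib_destroy() both notifiers are unregistered just above the changed line, so no new events arrive at this point, and cancel_work_sync() skips the last pending run of fib_event_work instead of letting it finish. syzbot's test of this patch reports "WARNING in nsim_fib_destroy" with !list_empty(&data->fib_event_queue) at drivers/net/netdevsim/fib.c:1664, which is consistent with events being left behind; keep flush_work(&data->fib_event_work) at this call site.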
-- 
2.43.0



* Re: [syzbot] [kernel?] INFO: task hung in ret_from_fork (4)
       [not found] <20260318120448.892484-1-kartikey406@gmail.com>
@ 2026-03-18 14:48 ` syzbot
  0 siblings, 0 replies; 5+ messages in thread
From: syzbot @ 2026-03-18 14:48 UTC (permalink / raw)
  To: kartikey406, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in nsim_fib_destroy

------------[ cut here ]------------
!list_empty(&data->fib_event_queue)
WARNING: drivers/net/netdevsim/fib.c:1664 at nsim_fib_destroy+0x16f/0x180 drivers/net/netdevsim/fib.c:1664, CPU#0: syz-executor/6953
Modules linked in:
CPU: 0 UID: 0 PID: 6953 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:nsim_fib_destroy+0x16f/0x180 drivers/net/netdevsim/fib.c:1664
Code: 80 3c 38 00 74 05 e8 50 f3 0e fb 48 8b bb 58 05 00 00 e8 34 36 93 fc 48 89 df 5b 41 5e 41 5f e9 87 d8 02 fb e8 02 b1 a4 fa 90 <0f> 0b 90 eb 80 e8 f7 b0 a4 fa 90 0f 0b 90 eb 9f 90 90 90 90 90 90
RSP: 0018:ffffc90004477910 EFLAGS: 00010293
RAX: ffffffff8720efde RBX: ffff88805e6dd000 RCX: ffff88807c291e80
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffc90004477880
RBP: 0000000000000000 R08: ffffc90004477887 R09: 1ffff9200088ef10
R10: dffffc0000000000 R11: fffff5200088ef11 R12: ffff88806c29c800
R13: ffff88805a748498 R14: ffff88805e6dd478 R15: dffffc0000000000
FS:  00005555778a8500(0000) GS:ffff888125460000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055576a2b2950 CR3: 0000000035bdc000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 nsim_dev_reload_destroy+0x2e3/0x490 drivers/net/netdevsim/dev.c:1768
 nsim_drv_remove+0x58/0x170 drivers/net/netdevsim/dev.c:1779
 device_remove drivers/base/dd.c:571 [inline]
 __device_release_driver drivers/base/dd.c:1284 [inline]
 device_release_driver_internal+0x46f/0x860 drivers/base/dd.c:1307
 bus_remove_device+0x34d/0x440 drivers/base/bus.c:616
 device_del+0x527/0x8f0 drivers/base/core.c:3878
 device_unregister+0x21/0xf0 drivers/base/core.c:3919
 nsim_bus_dev_del drivers/net/netdevsim/bus.c:491 [inline]
 del_device_store+0x2b0/0x370 drivers/net/netdevsim/bus.c:244
 kernfs_fop_write_iter+0x3af/0x540 fs/kernfs/file.c:352
 new_sync_write fs/read_write.c:595 [inline]
 vfs_write+0x61d/0xb90 fs/read_write.c:688
 ksys_write+0x150/0x270 fs/read_write.c:740
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb61355cece
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007ffc08c9cfc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00005555778a8500 RCX: 00007fb61355cece
RDX: 0000000000000001 RSI: 00007ffc08c9d050 RDI: 0000000000000005
RBP: 00007fb61363343f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffc08c9d050 R14: 00007fb614344620 R15: 0000000000000003
 </TASK>


Tested on:

commit:         a989fde7 Merge tag 'libnvdimm-fixes-7.0-rc5' of git://..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=118fd3ef980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=b643133b3e44c9fd
dashboard link: https://syzkaller.appspot.com/bug?extid=7c11975a7e4a2735d529
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17a9b2da580000



* Forwarded: [PATCH] netdevsim: fib: replace flush_work() with cancel_work_sync() in nsim_fib_flush_work()
  2026-03-01 18:35 [syzbot] [kernel?] INFO: task hung in ret_from_fork (4) syzbot
  2026-03-18 12:04 ` Forwarded: [PATCH] netdevsim: fib: replace flush_work() with cancel_work_sync() for fib_event_work syzbot
@ 2026-03-18 14:57 ` syzbot
  1 sibling, 0 replies; 5+ messages in thread
From: syzbot @ 2026-03-18 14:57 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] netdevsim: fib: replace flush_work() with cancel_work_sync() in nsim_fib_flush_work()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


nsim_fib_flush_work() calls flush_work() on fib_event_work before
acquiring fib_lock. However, fib_event_work also acquires fib_lock
while processing fib events. If fib_event_work is processing a large
number of events, flush_work() will wait indefinitely causing a hung
task splat.

Fix this by replacing flush_work() with cancel_work_sync() in
nsim_fib_flush_work() to cancel any pending fib_event_work instead
of waiting for it to complete.

Note that flush_work() is intentionally kept in nsim_fib_destroy()
since fib notifiers are already unregistered at that point, meaning
no new fib events can be queued and it is safe to flush the remaining
events.

The following call chain triggers the hang:
  nsim_fib_flush_work()
    flush_work(&data->fib_event_work)   <- waits forever
      nsim_fib_event_work()
        mutex_lock(&data->fib_lock)     <- held while processing

Reported-by: syzbot+7c11975a7e4a2735d529@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=7c11975a7e4a2735d529
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
 drivers/net/netdevsim/fib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/netdevsim/fib.c b/drivers/net/netdevsim/fib.c
index 1a42bdbfaa41..bca190aa167e 100644
--- a/drivers/net/netdevsim/fib.c
+++ b/drivers/net/netdevsim/fib.c
@@ -1505,7 +1505,7 @@ static void nsim_fib_flush_work(struct work_struct *work)
 	struct nsim_fib_rt *fib_rt, *fib_rt_tmp;
 
 	/* Process pending work. */
-	flush_work(&data->fib_event_work);
+	cancel_work_sync(&data->fib_event_work);
 
 	mutex_lock(&data->fib_lock);
 	list_for_each_entry_safe(fib_rt, fib_rt_tmp, &data->fib_rt_list, list) {
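Review bot: cancel_work_sync() still waits for a fib_event_work instance that is already executing, so the case in the commit message where nsim_fib_event_work() is busy under fib_lock is not removed by this line; only an instance that has not started yet is skipped. The comment "Process pending work." is also stale after the change. Say in the commit message which of the two cases the reproducer hits and who handles the events left queued when the pending work is cancelled, and update the comment to match.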
-- 
2.43.0



* Re: [syzbot] [kernel?] INFO: task hung in ret_from_fork (4)
       [not found] <20260318145708.895955-1-kartikey406@gmail.com>
@ 2026-03-18 15:43 ` syzbot
  0 siblings, 0 replies; 5+ messages in thread
From: syzbot @ 2026-03-18 15:43 UTC (permalink / raw)
  To: kartikey406, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in synchronize_rcu

INFO: task kworker/u8:5:131 blocked for more than 161 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u8:5    state:D stack:19936 pid:131   tgid:131   ppid:2      task_flags:0x4208060 flags:0x00080000
Workqueue: events_unbound fsnotify_connector_destroy_workfn
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5298 [inline]
 __schedule+0x15dd/0x52d0 kernel/sched/core.c:6911
 __schedule_loop kernel/sched/core.c:6993 [inline]
 schedule+0x164/0x360 kernel/sched/core.c:7008
 schedule_timeout+0xc3/0x2c0 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:100 [inline]
 __wait_for_common kernel/sched/completion.c:121 [inline]
 wait_for_common kernel/sched/completion.c:132 [inline]
 wait_for_completion+0x2cc/0x5e0 kernel/sched/completion.c:153
 __synchronize_srcu+0x329/0x3e0 kernel/rcu/srcutree.c:1520


Tested on:

commit:         a989fde7 Merge tag 'libnvdimm-fixes-7.0-rc5' of git://..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1724a06a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=b643133b3e44c9fd
dashboard link: https://syzkaller.appspot.com/bug?extid=7c11975a7e4a2735d529
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1140cf4a580000

