X-Mailing-List: linux-kernel@vger.kernel.org
Date: Wed, 25 Mar 2026 21:58:02 -0700
In-Reply-To: <20260326042510.19263-1-kartikey406@gmail.com>
Message-ID: <69c4bcda.a70a0220.234938.007a.GAE@google.com>
Subject: Re: [syzbot] [btrfs?] INFO: task hung in btrfs_invalidate_folio (3)
From: syzbot
To: kartikey406@gmail.com, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in btrfs_invalidate_folio

INFO: task kworker/u8:13:1428 blocked for more than 143 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u8:13 state:D stack:21504 pid:1428 tgid:1428 ppid:2 task_flags:0x4208060 flags:0x00080000
Workqueue: writeback wb_workfn (flush-btrfs-3)
Call Trace:
 context_switch kernel/sched/core.c:5298 [inline]
 __schedule+0x1553/0x5240 kernel/sched/core.c:6911
 __schedule_loop kernel/sched/core.c:6993 [inline]
 schedule+0x164/0x360 kernel/sched/core.c:7008
 wait_extent_bit fs/btrfs/extent-io-tree.c:811 [inline]
 btrfs_lock_extent_bits+0x59c/0x700 fs/btrfs/extent-io-tree.c:1914
 btrfs_lock_extent fs/btrfs/extent-io-tree.h:152 [inline]
 btrfs_invalidate_folio+0x43d/0xc40 fs/btrfs/inode.c:7718
 extent_writepage fs/btrfs/extent_io.c:1852 [inline]
 extent_write_cache_pages fs/btrfs/extent_io.c:2580 [inline]
 btrfs_writepages+0x1369/0x24a0 fs/btrfs/extent_io.c:2746
 do_writepages+0x32e/0x550 mm/page-writeback.c:2554
 __writeback_single_inode+0x133/0x11a0 fs/fs-writeback.c:1750
 writeback_sb_inodes+0x995/0x19d0 fs/fs-writeback.c:2042
 wb_writeback+0x456/0xb70 fs/fs-writeback.c:2227
 wb_do_writeback fs/fs-writeback.c:2374 [inline]
 wb_workfn+0x41a/0xf60 fs/fs-writeback.c:2414
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

INFO: task syz.2.19:6618 blocked for more than 143 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.19 state:D stack:22752 pid:6618 tgid:6617 ppid:6327 task_flags:0x400140 flags:0x00080002
Call Trace:
 context_switch kernel/sched/core.c:5298 [inline]
 __schedule+0x1553/0x5240 kernel/sched/core.c:6911
 __schedule_loop kernel/sched/core.c:6993 [inline]
 schedule+0x164/0x360 kernel/sched/core.c:7008
 wait_current_trans+0x39f/0x590 fs/btrfs/transaction.c:535
 start_transaction+0x6a7/0x1650 fs/btrfs/transaction.c:705
 clone_copy_inline_extent fs/btrfs/reflink.c:286 [inline]
 btrfs_clone+0x1275/0x24a0 fs/btrfs/reflink.c:516
 btrfs_clone_files+0x27f/0x410 fs/btrfs/reflink.c:737
 btrfs_remap_file_range+0x764/0x13d0 fs/btrfs/reflink.c:892
 vfs_copy_file_range+0xda7/0x1390 fs/read_write.c:1600
 __do_sys_copy_file_range fs/read_write.c:1683 [inline]
 __se_sys_copy_file_range+0x2fb/0x480 fs/read_write.c:1650
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f995234c799
RSP: 002b:00007f99519ae028 EFLAGS: 00000246 ORIG_RAX: 0000000000000146
RAX: ffffffffffffffda RBX: 00007f99525c5fa0 RCX: 00007f995234c799
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 00007f99523e2c99 R08: 0000000000000863 R09: 0000000000000000
R10: 00002000000000c0 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f99525c6038 R14: 00007f99525c5fa0 R15: 00007ffd56a62508

INFO: task syz.2.19:6689 blocked for more than 143 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.19 state:D stack:24736 pid:6689 tgid:6617 ppid:6327 task_flags:0x400040 flags:0x00080002
Call Trace:
 context_switch kernel/sched/core.c:5298 [inline]
 __schedule+0x1553/0x5240 kernel/sched/core.c:6911
 __schedule_loop kernel/sched/core.c:6993 [inline]
 schedule+0x164/0x360 kernel/sched/core.c:7008
 wb_wait_for_completion+0x3e8/0x790 fs/fs-writeback.c:227
 __writeback_inodes_sb_nr+0x24c/0x2d0 fs/fs-writeback.c:2838
 try_to_writeback_inodes_sb+0x9a/0xc0 fs/fs-writeback.c:2886
 btrfs_start_delalloc_flush fs/btrfs/transaction.c:2175 [inline]
 btrfs_commit_transaction+0x82e/0x31a0 fs/btrfs/transaction.c:2364
 btrfs_ioctl+0xca7/0xd00 fs/btrfs/ioctl.c:5212
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xff/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f995234c799
RSP: 002b:00007f995198d028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f99525c6090 RCX: 00007f995234c799
RDX: 0000000000000000 RSI: 0000000000009408 RDI: 0000000000000004
RBP: 00007f99523e2c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f99525c6128 R14: 00007f99525c6090 R15: 00007ffd56a62508

Showing all locks held in the system:
6 locks held by kworker/u8:0/12:
 #0: ffff888019c44138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3251 [inline]
 #0: ffff888019c44138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0 kernel/workqueue.c:3359
 #1: ffffc90000117c40 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3252 [inline]
 #1: ffffc90000117c40 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0 kernel/workqueue.c:3359
 #2: ffff88803f648300 (&devlink->lock_key#7){+.+.}-{4:4}, at: nsim_dev_trap_report_work+0x57/0xbc0 drivers/net/netdevsim/dev.c:909
 #3: ffff88802571d120 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #3: ffff88802571d120 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: nsim_dev_trap_report drivers/net/netdevsim/dev.c:862 [inline]
 #3: ffff88802571d120 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: nsim_dev_trap_report_work+0x1ad/0xbc0 drivers/net/netdevsim/dev.c:922
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: __rt_spin_lock kernel/locking/spinlock_rt.c:50 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rt_spin_lock+0x1e0/0x400 kernel/locking/spinlock_rt.c:57
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: get_partial_node_bulk mm/slub.c:3750 [inline]
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: __refill_objects_node+0x87/0x560 mm/slub.c:7027
3 locks held by kworker/u8:1/13:
 #0: ffff888038bbe938 ((wq_completion)btrfs-flush_delalloc#194){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3251 [inline]
 #0: ffff888038bbe938 ((wq_completion)btrfs-flush_delalloc#194){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0 kernel/workqueue.c:3359
 #1: ffffc90000127c40 ((work_completion)(&work->normal_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3252 [inline]
 #1: ffffc90000127c40 ((work_completion)(&work->normal_work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0 kernel/workqueue.c:3359
 #2: ffff88802a56efb8 (&entry->wait){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #2: ffff88802a56efb8 (&entry->wait){+.+.}-{3:3}, at: finish_wait+0xbe/0x1e0 kernel/sched/wait.c:394
1 lock held by khungtaskd/38:
 #0: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #0: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #0: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6775
6 locks held by kworker/u8:3/57:
 #0: ffff888019c44138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3251 [inline]
 #0: ffff888019c44138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0 kernel/workqueue.c:3359
 #1: ffffc9000123fc40 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3252 [inline]
 #1: ffffc9000123fc40 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0 kernel/workqueue.c:3359
 #2: ffff8880383c8300 (&devlink->lock_key#3){+.+.}-{4:4}, at: nsim_dev_trap_report_work+0x57/0xbc0 drivers/net/netdevsim/dev.c:909
 #3: ffff888039f30d20 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #3: ffff888039f30d20 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: nsim_dev_trap_report drivers/net/netdevsim/dev.c:862 [inline]
 #3: ffff888039f30d20 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: nsim_dev_trap_report_work+0x1ad/0xbc0 drivers/net/netdevsim/dev.c:922
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: __rt_spin_lock kernel/locking/spinlock_rt.c:50 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rt_spin_lock+0x1e0/0x400 kernel/locking/spinlock_rt.c:57
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: get_partial_node_bulk mm/slub.c:3750 [inline]
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: __refill_objects_node+0x87/0x560 mm/slub.c:7027
3 locks held by kworker/u8:5/70:
3 locks held by kworker/1:2/809:
6 locks held by kworker/u8:8/1062:
 #0: ffff888019c44138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3251 [inline]
 #0: ffff888019c44138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0 kernel/workqueue.c:3359
 #1: ffffc90005827c40 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3252 [inline]
 #1: ffffc90005827c40 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0 kernel/workqueue.c:3359
 #2: ffff88805af1a300 (&devlink->lock_key#4){+.+.}-{4:4}, at: nsim_dev_trap_report_work+0x57/0xbc0 drivers/net/netdevsim/dev.c:909
 #3: ffff88805b820920 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #3: ffff88805b820920 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: nsim_dev_trap_report drivers/net/netdevsim/dev.c:862 [inline]
 #3: ffff88805b820920 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: nsim_dev_trap_report_work+0x1ad/0xbc0 drivers/net/netdevsim/dev.c:922
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: __rt_spin_lock kernel/locking/spinlock_rt.c:50 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rt_spin_lock+0x1e0/0x400 kernel/locking/spinlock_rt.c:57
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: get_partial_node_bulk mm/slub.c:3750 [inline]
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: __refill_objects_node+0x87/0x560 mm/slub.c:7027
6 locks held by kworker/u8:9/1382:
 #0: ffff888019c44138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3251 [inline]
 #0: ffff888019c44138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0 kernel/workqueue.c:3359
 #1: ffffc90006197c40 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3252 [inline]
 #1: ffffc90006197c40 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0 kernel/workqueue.c:3359
 #2: ffff888056a46300 (&devlink->lock_key#6){+.+.}-{4:4}, at: nsim_dev_trap_report_work+0x57/0xbc0 drivers/net/netdevsim/dev.c:909
 #3: ffff88805bb0d520 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #3: ffff88805bb0d520 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: nsim_dev_trap_report drivers/net/netdevsim/dev.c:862 [inline]
 #3: ffff88805bb0d520 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: nsim_dev_trap_report_work+0x1ad/0xbc0 drivers/net/netdevsim/dev.c:922
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: __rt_spin_lock kernel/locking/spinlock_rt.c:50 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rt_spin_lock+0x1e0/0x400 kernel/locking/spinlock_rt.c:57
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: get_partial_node_bulk mm/slub.c:3750 [inline]
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: __refill_objects_node+0x87/0x560 mm/slub.c:7027
3 locks held by kworker/u8:10/1393:
6 locks held by kworker/u8:11/1408:
 #0: ffff888019c44138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3251 [inline]
 #0: ffff888019c44138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0 kernel/workqueue.c:3359
 #1: ffffc900064c7c40 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3252 [inline]
 #1: ffffc900064c7c40 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0 kernel/workqueue.c:3359
 #2: ffff88803c7be300 (&devlink->lock_key#5){+.+.}-{4:4}, at: nsim_dev_trap_report_work+0x57/0xbc0 drivers/net/netdevsim/dev.c:909
 #3: ffff88803a1c3d20 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #3: ffff88803a1c3d20 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: nsim_dev_trap_report drivers/net/netdevsim/dev.c:862 [inline]
 #3: ffff88803a1c3d20 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: nsim_dev_trap_report_work+0x1ad/0xbc0 drivers/net/netdevsim/dev.c:922
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: __rt_spin_lock kernel/locking/spinlock_rt.c:50 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rt_spin_lock+0x1e0/0x400 kernel/locking/spinlock_rt.c:57
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: get_partial_node_bulk mm/slub.c:3750 [inline]
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: __refill_objects_node+0x87/0x560 mm/slub.c:7027
6 locks held by kworker/u8:12/1421:
 #0: ffff888019c44138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3251 [inline]
 #0: ffff888019c44138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0 kernel/workqueue.c:3359
 #1: ffffc900065e7c40 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3252 [inline]
 #1: ffffc900065e7c40 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0 kernel/workqueue.c:3359
 #2: ffff888062f8c300 (&devlink->lock_key#8){+.+.}-{4:4}, at: nsim_dev_trap_report_work+0x57/0xbc0 drivers/net/netdevsim/dev.c:909
 #3: ffff88802ad00920 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #3: ffff88802ad00920 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: nsim_dev_trap_report drivers/net/netdevsim/dev.c:862 [inline]
 #3: ffff88802ad00920 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: nsim_dev_trap_report_work+0x1ad/0xbc0 drivers/net/netdevsim/dev.c:922
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: __rt_spin_lock kernel/locking/spinlock_rt.c:50 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rt_spin_lock+0x1e0/0x400 kernel/locking/spinlock_rt.c:57
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: get_partial_node_bulk mm/slub.c:3750 [inline]
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: __refill_objects_node+0x87/0x560 mm/slub.c:7027
2 locks held by kworker/u8:13/1428:
 #0: ffff88801aee4938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3251 [inline]
 #0: ffff88801aee4938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0 kernel/workqueue.c:3359
 #1: ffffc90006657c40 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3252 [inline]
 #1: ffffc90006657c40 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0 kernel/workqueue.c:3359
2 locks held by udevd/5165:
 #0: ffffffff8e4dcc58 (tomoyo_ss){.+.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:187 [inline]
 #0: ffffffff8e4dcc58 (tomoyo_ss){.+.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:294 [inline]
 #0: ffffffff8e4dcc58 (tomoyo_ss){.+.+}-{0:0}, at: tomoyo_read_lock security/tomoyo/common.h:1112 [inline]
 #0: ffffffff8e4dcc58 (tomoyo_ss){.+.+}-{0:0}, at: tomoyo_check_open_permission+0x1d3/0x470 security/tomoyo/file.c:772
 #1: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #1: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: get_partial_node_bulk mm/slub.c:3750 [inline]
 #1: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: __refill_objects_node+0x87/0x560 mm/slub.c:7027
2 locks held by getty/5558:
 #0: ffff888037ffe0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: ffffc90003e7e2e0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x462/0x13c0 drivers/tty/n_tty.c:2211
2 locks held by udevd/6231:
 #0: ffffffff8df09670 (remove_cache_srcu){.+.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:187 [inline]
 #0: ffffffff8df09670 (remove_cache_srcu){.+.+}-{0:0}, at: srcu_read_lock+0x27/0x60 include/linux/srcu.h:294
 #1: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #1: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: __slab_free+0xee/0x2a0 mm/slub.c:5519
3 locks held by syz-executor/6321:
 #0: ffff88805962e0d0 (&type->s_umount_key#56){++++}-{4:4}, at: __super_lock fs/super.c:58 [inline]
 #0: ffff88805962e0d0 (&type->s_umount_key#56){++++}-{4:4}, at: __super_lock_excl fs/super.c:73 [inline]
 #0: ffff88805962e0d0 (&type->s_umount_key#56){++++}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:508
 #1: ffff88803fb55020 (&fs_info->ordered_operations_mutex){+.+.}-{4:4}, at: btrfs_wait_ordered_roots+0xe7/0x6f0 fs/btrfs/ordered-data.c:823
 #2: ffff888026e2e9a8 (&root->ordered_extent_mutex){+.+.}-{4:4}, at: btrfs_wait_ordered_extents+0x23d/0xcf0 fs/btrfs/ordered-data.c:767
3 locks held by syz-executor/6329:
 #0: ffff88805902e0d0 (&type->s_umount_key#56){++++}-{4:4}, at: __super_lock fs/super.c:58 [inline]
 #0: ffff88805902e0d0 (&type->s_umount_key#56){++++}-{4:4}, at: __super_lock_excl fs/super.c:73 [inline]
 #0: ffff88805902e0d0 (&type->s_umount_key#56){++++}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:508
 #1: ffff88805902eb08 (&s->s_sync_lock){+.+.}-{4:4}, at: wait_sb_inodes fs/fs-writeback.c:2739 [inline]
 #1: ffff88805902eb08 (&s->s_sync_lock){+.+.}-{4:4}, at: sync_inodes_sb+0x288/0xc10 fs/fs-writeback.c:2927
 #2: ffffffff8da15b68 (&folio_wait_table[i]){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #2: ffffffff8da15b68 (&folio_wait_table[i]){+.+.}-{3:3}, at: finish_wait+0xbe/0x1e0 kernel/sched/wait.c:394
1 lock held by syz-executor/6330:
 #0: ffff88805e4280d0 (&type->s_umount_key#56){++++}-{4:4}, at: __super_lock fs/super.c:58 [inline]
 #0: ffff88805e4280d0 (&type->s_umount_key#56){++++}-{4:4}, at: __super_lock_excl fs/super.c:73 [inline]
 #0: ffff88805e4280d0 (&type->s_umount_key#56){++++}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:508
4 locks held by syz.2.19/6618:
 #0: ffff88802e4d8480 (sb_writers#12){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2710 [inline]
 #0: ffff88802e4d8480 (sb_writers#12){.+.+}-{0:0}, at: vfs_copy_file_range+0x9bb/0x1390 fs/read_write.c:1588
 #1: ffff88805b0558c8 (&sb->s_type->i_mutex_key#24){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:1028 [inline]
 #1: ffff88805b0558c8 (&sb->s_type->i_mutex_key#24){+.+.}-{4:4}, at: btrfs_inode_lock+0x51/0xe0 fs/btrfs/inode.c:369
 #2: ffff88805b055728 (&ei->i_mmap_lock){++++}-{4:4}, at: btrfs_inode_lock+0xcb/0xe0 fs/btrfs/inode.c:372
 #3: ffff88802e4d8770 (sb_internal#2){.+.+}-{0:0}, at: clone_copy_inline_extent fs/btrfs/reflink.c:286 [inline]
 #3: ffff88802e4d8770 (sb_internal#2){.+.+}-{0:0}, at: btrfs_clone+0x1275/0x24a0 fs/btrfs/reflink.c:516
3 locks held by syz.2.19/6689:
 #0: ffff88803dc2b118 (btrfs_trans_num_writers){++++}-{0:0}, at: join_transaction+0x41b/0xc90 fs/btrfs/transaction.c:298
 #1: ffff88803dc2b140 (btrfs_trans_num_extwriters){++++}-{0:0}, at: join_transaction+0x41b/0xc90 fs/btrfs/transaction.c:298
 #2: ffff88802e4d80d0 (&type->s_umount_key#56){++++}-{4:4}, at: try_to_writeback_inodes_sb+0x22/0xc0 fs/fs-writeback.c:2883
1 lock held by btrfs-transacti/6682:
 #0: ffff88803dc28d98 (&fs_info->transaction_kthread_mutex){+.+.}-{4:4}, at: transaction_kthread+0xe4/0x450 fs/btrfs/disk-io.c:1515
2 locks held by udevd/6732:
 #0: ffffffff8e4dcc58 (tomoyo_ss){.+.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:187 [inline]
 #0: ffffffff8e4dcc58 (tomoyo_ss){.+.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:294 [inline]
 #0: ffffffff8e4dcc58 (tomoyo_ss){.+.+}-{0:0}, at: tomoyo_read_lock security/tomoyo/common.h:1112 [inline]
 #0: ffffffff8e4dcc58 (tomoyo_ss){.+.+}-{0:0}, at: tomoyo_check_open_permission+0x1d3/0x470 security/tomoyo/file.c:772
 #1: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #1: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: get_partial_node_bulk mm/slub.c:3750 [inline]
 #1: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: __refill_objects_node+0x87/0x560 mm/slub.c:7027
1 lock held by udevadm/10426:
 #0: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #0: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: get_partial_node_bulk mm/slub.c:3750 [inline]
 #0: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: __refill_objects_node+0x87/0x560 mm/slub.c:7027
1 lock held by udevadm/10431:
1 lock held by udevadm/10447:
2 locks held by udevadm/10452:
2 locks held by syz.0.221/10464:
4 locks held by syz-executor/10467:
 #0: ffff88803644a480 (sb_writers#5){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 fs/namespace.c:493
 #1: ffff88805c6475d8 (&type->i_mutex_dir_key#5/1){+.+.}-{4:4}, at: inode_lock_nested include/linux/fs.h:1073 [inline]
 #1: ffff88805c6475d8 (&type->i_mutex_dir_key#5/1){+.+.}-{4:4}, at: __start_dirop fs/namei.c:2923 [inline]
 #1: ffff88805c6475d8 (&type->i_mutex_dir_key#5/1){+.+.}-{4:4}, at: start_dirop fs/namei.c:2934 [inline]
 #1: ffff88805c6475d8 (&type->i_mutex_dir_key#5/1){+.+.}-{4:4}, at: filename_create+0x200/0x370 fs/namei.c:4922
 #2: ffffffff8e4dcc58 (tomoyo_ss){.+.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:187 [inline]
 #2: ffffffff8e4dcc58 (tomoyo_ss){.+.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:294 [inline]
 #2: ffffffff8e4dcc58 (tomoyo_ss){.+.+}-{0:0}, at: tomoyo_read_lock security/tomoyo/common.h:1112 [inline]
 #2: ffffffff8e4dcc58 (tomoyo_ss){.+.+}-{0:0}, at: tomoyo_path_perm+0x251/0x560 security/tomoyo/file.c:826
 #3: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #3: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: get_partial_node_bulk mm/slub.c:3750 [inline]
 #3: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: __refill_objects_node+0x87/0x560 mm/slub.c:7027

=============================================

NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 38 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x274/0x2d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:161 [inline]
 __sys_info lib/sys_info.c:157 [inline]
 sys_info+0x135/0x170 lib/sys_info.c:165
 check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
 watchdog+0xfd9/0x1030 kernel/hung_task.c:515
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:pv_native_safe_halt+0xf/0x20 arch/x86/kernel/paravirt.c:63
Code: 0e 5d 02 e9 13 c4 03 00 cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d f3 1c 26 00 fb f4 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 90 90 90 90 90
RSP: 0018:ffffffff8da07dc0 EFLAGS: 00000242
RAX: 00000000000a2791 RBX: ffffffff8199709a RCX: 0000000080000001
RDX: 0000000000000001 RSI: ffffffff8d562e91 RDI: ffffffff8ba66e00
RBP: ffffffff8da07eb0 R08: ffff8880b8833e1b R09: 1ffff110171067c3
R10: dffffc0000000000 R11: ffffed10171067c4 R12: 0000000000000000
R13: 1ffffffff1b605d8 R14: 0000000000000000 R15: 1ffffffff1b605d8
FS:  0000000000000000(0000) GS:ffff888126339000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9f3ebad400 CR3: 00000000449c8000 CR4: 00000000003526f0
Call Trace:
 arch_safe_halt arch/x86/kernel/process.c:766 [inline]
 default_idle+0x9/0x20 arch/x86/kernel/process.c:767
 default_idle_call+0x72/0xb0 kernel/sched/idle.c:122
 cpuidle_idle_call kernel/sched/idle.c:199 [inline]
 do_idle+0x36a/0x5f0 kernel/sched/idle.c:352
 cpu_startup_entry+0x43/0x60 kernel/sched/idle.c:451
 rest_init+0x2de/0x300 init/main.c:760
 start_kernel+0x385/0x3d0 init/main.c:1210
 x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
 x86_64_start_kernel+0x143/0x1c0 arch/x86/kernel/head64.c:291
 common_startup_64+0x13e/0x147

Tested on:

commit:         0138af24 Merge tag 'erofs-for-7.0-rc6-fixes' of git://..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=136c3e02580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=45cb3c58fd963c27
dashboard link: https://syzkaller.appspot.com/bug?extid=63056bf627663701bbbf
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10221cba580000