Re: [syzbot] [btrfs?] INFO: task hung in btrfs_invalidate_folio (3)

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in btrfs_invalidate_folio

INFO: task kworker/u8:13:1428 blocked for more than 143 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u8:13   state:D stack:21504 pid:1428  tgid:1428  ppid:2      task_flags:0x4208060 flags:0x00080000
Workqueue: writeback wb_workfn (flush-btrfs-3)
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5298 [inline]
 __schedule+0x1553/0x5240 kernel/sched/core.c:6911
 __schedule_loop kernel/sched/core.c:6993 [inline]
 schedule+0x164/0x360 kernel/sched/core.c:7008
 wait_extent_bit fs/btrfs/extent-io-tree.c:811 [inline]
 btrfs_lock_extent_bits+0x59c/0x700 fs/btrfs/extent-io-tree.c:1914
 btrfs_lock_extent fs/btrfs/extent-io-tree.h:152 [inline]
 btrfs_invalidate_folio+0x43d/0xc40 fs/btrfs/inode.c:7718
 extent_writepage fs/btrfs/extent_io.c:1852 [inline]
 extent_write_cache_pages fs/btrfs/extent_io.c:2580 [inline]
 btrfs_writepages+0x1369/0x24a0 fs/btrfs/extent_io.c:2746
 do_writepages+0x32e/0x550 mm/page-writeback.c:2554
 __writeback_single_inode+0x133/0x11a0 fs/fs-writeback.c:1750
 writeback_sb_inodes+0x995/0x19d0 fs/fs-writeback.c:2042
 wb_writeback+0x456/0xb70 fs/fs-writeback.c:2227
 wb_do_writeback fs/fs-writeback.c:2374 [inline]
 wb_workfn+0x41a/0xf60 fs/fs-writeback.c:2414
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
INFO: task syz.2.19:6618 blocked for more than 143 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.19        state:D stack:22752 pid:6618  tgid:6617  ppid:6327   task_flags:0x400140 flags:0x00080002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5298 [inline]
 __schedule+0x1553/0x5240 kernel/sched/core.c:6911
 __schedule_loop kernel/sched/core.c:6993 [inline]
 schedule+0x164/0x360 kernel/sched/core.c:7008
 wait_current_trans+0x39f/0x590 fs/btrfs/transaction.c:535
 start_transaction+0x6a7/0x1650 fs/btrfs/transaction.c:705
 clone_copy_inline_extent fs/btrfs/reflink.c:286 [inline]
 btrfs_clone+0x1275/0x24a0 fs/btrfs/reflink.c:516
 btrfs_clone_files+0x27f/0x410 fs/btrfs/reflink.c:737
 btrfs_remap_file_range+0x764/0x13d0 fs/btrfs/reflink.c:892
 vfs_copy_file_range+0xda7/0x1390 fs/read_write.c:1600
 __do_sys_copy_file_range fs/read_write.c:1683 [inline]
 __se_sys_copy_file_range+0x2fb/0x480 fs/read_write.c:1650
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f995234c799
RSP: 002b:00007f99519ae028 EFLAGS: 00000246 ORIG_RAX: 0000000000000146
RAX: ffffffffffffffda RBX: 00007f99525c5fa0 RCX: 00007f995234c799
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000005
RBP: 00007f99523e2c99 R08: 0000000000000863 R09: 0000000000000000
R10: 00002000000000c0 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f99525c6038 R14: 00007f99525c5fa0 R15: 00007ffd56a62508
 </TASK>
INFO: task syz.2.19:6689 blocked for more than 143 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.19        state:D stack:24736 pid:6689  tgid:6617  ppid:6327   task_flags:0x400040 flags:0x00080002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5298 [inline]
 __schedule+0x1553/0x5240 kernel/sched/core.c:6911
 __schedule_loop kernel/sched/core.c:6993 [inline]
 schedule+0x164/0x360 kernel/sched/core.c:7008
 wb_wait_for_completion+0x3e8/0x790 fs/fs-writeback.c:227
 __writeback_inodes_sb_nr+0x24c/0x2d0 fs/fs-writeback.c:2838
 try_to_writeback_inodes_sb+0x9a/0xc0 fs/fs-writeback.c:2886
 btrfs_start_delalloc_flush fs/btrfs/transaction.c:2175 [inline]
 btrfs_commit_transaction+0x82e/0x31a0 fs/btrfs/transaction.c:2364
 btrfs_ioctl+0xca7/0xd00 fs/btrfs/ioctl.c:5212
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xff/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f995234c799
RSP: 002b:00007f995198d028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f99525c6090 RCX: 00007f995234c799
RDX: 0000000000000000 RSI: 0000000000009408 RDI: 0000000000000004
RBP: 00007f99523e2c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f99525c6128 R14: 00007f99525c6090 R15: 00007ffd56a62508
 </TASK>

Showing all locks held in the system:
6 locks held by kworker/u8:0/12:
 #0: ffff888019c44138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3251 [inline]
 #0: ffff888019c44138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0 kernel/workqueue.c:3359
 #1: ffffc90000117c40 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3252 [inline]
 #1: ffffc90000117c40 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0 kernel/workqueue.c:3359
 #2: ffff88803f648300 (&devlink->lock_key#7){+.+.}-{4:4}, at: nsim_dev_trap_report_work+0x57/0xbc0 drivers/net/netdevsim/dev.c:909
 #3: ffff88802571d120 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #3: ffff88802571d120 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: nsim_dev_trap_report drivers/net/netdevsim/dev.c:862 [inline]
 #3: ffff88802571d120 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: nsim_dev_trap_report_work+0x1ad/0xbc0 drivers/net/netdevsim/dev.c:922
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: __rt_spin_lock kernel/locking/spinlock_rt.c:50 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rt_spin_lock+0x1e0/0x400 kernel/locking/spinlock_rt.c:57
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: get_partial_node_bulk mm/slub.c:3750 [inline]
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: __refill_objects_node+0x87/0x560 mm/slub.c:7027
3 locks held by kworker/u8:1/13:
 #0: ffff888038bbe938 ((wq_completion)btrfs-flush_delalloc#194){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3251 [inline]
 #0: ffff888038bbe938 ((wq_completion)btrfs-flush_delalloc#194){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0 kernel/workqueue.c:3359
 #1: ffffc90000127c40 ((work_completion)(&work->normal_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3252 [inline]
 #1: ffffc90000127c40 ((work_completion)(&work->normal_work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0 kernel/workqueue.c:3359
 #2: ffff88802a56efb8 (&entry->wait){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #2: ffff88802a56efb8 (&entry->wait){+.+.}-{3:3}, at: finish_wait+0xbe/0x1e0 kernel/sched/wait.c:394
1 lock held by khungtaskd/38:
 #0: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #0: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #0: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6775
6 locks held by kworker/u8:3/57:
 #0: ffff888019c44138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3251 [inline]
 #0: ffff888019c44138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0 kernel/workqueue.c:3359
 #1: ffffc9000123fc40 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3252 [inline]
 #1: ffffc9000123fc40 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0 kernel/workqueue.c:3359
 #2: ffff8880383c8300 (&devlink->lock_key#3){+.+.}-{4:4}, at: nsim_dev_trap_report_work+0x57/0xbc0 drivers/net/netdevsim/dev.c:909
 #3: ffff888039f30d20 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #3: ffff888039f30d20 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: nsim_dev_trap_report drivers/net/netdevsim/dev.c:862 [inline]
 #3: ffff888039f30d20 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: nsim_dev_trap_report_work+0x1ad/0xbc0 drivers/net/netdevsim/dev.c:922
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: __rt_spin_lock kernel/locking/spinlock_rt.c:50 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rt_spin_lock+0x1e0/0x400 kernel/locking/spinlock_rt.c:57
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: get_partial_node_bulk mm/slub.c:3750 [inline]
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: __refill_objects_node+0x87/0x560 mm/slub.c:7027
3 locks held by kworker/u8:5/70:
3 locks held by kworker/1:2/809:
6 locks held by kworker/u8:8/1062:
 #0: ffff888019c44138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3251 [inline]
 #0: ffff888019c44138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0 kernel/workqueue.c:3359
 #1: ffffc90005827c40 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3252 [inline]
 #1: ffffc90005827c40 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0 kernel/workqueue.c:3359
 #2: ffff88805af1a300 (&devlink->lock_key#4){+.+.}-{4:4}, at: nsim_dev_trap_report_work+0x57/0xbc0 drivers/net/netdevsim/dev.c:909
 #3: ffff88805b820920 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #3: ffff88805b820920 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: nsim_dev_trap_report drivers/net/netdevsim/dev.c:862 [inline]
 #3: ffff88805b820920 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: nsim_dev_trap_report_work+0x1ad/0xbc0 drivers/net/netdevsim/dev.c:922
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: __rt_spin_lock kernel/locking/spinlock_rt.c:50 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rt_spin_lock+0x1e0/0x400 kernel/locking/spinlock_rt.c:57
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: get_partial_node_bulk mm/slub.c:3750 [inline]
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: __refill_objects_node+0x87/0x560 mm/slub.c:7027
6 locks held by kworker/u8:9/1382:
 #0: ffff888019c44138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3251 [inline]
 #0: ffff888019c44138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0 kernel/workqueue.c:3359
 #1: ffffc90006197c40 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3252 [inline]
 #1: ffffc90006197c40 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0 kernel/workqueue.c:3359
 #2: ffff888056a46300 (&devlink->lock_key#6){+.+.}-{4:4}, at: nsim_dev_trap_report_work+0x57/0xbc0 drivers/net/netdevsim/dev.c:909
 #3: ffff88805bb0d520 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #3: ffff88805bb0d520 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: nsim_dev_trap_report drivers/net/netdevsim/dev.c:862 [inline]
 #3: ffff88805bb0d520 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: nsim_dev_trap_report_work+0x1ad/0xbc0 drivers/net/netdevsim/dev.c:922
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: __rt_spin_lock kernel/locking/spinlock_rt.c:50 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rt_spin_lock+0x1e0/0x400 kernel/locking/spinlock_rt.c:57
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: get_partial_node_bulk mm/slub.c:3750 [inline]
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: __refill_objects_node+0x87/0x560 mm/slub.c:7027
3 locks held by kworker/u8:10/1393:
6 locks held by kworker/u8:11/1408:
 #0: ffff888019c44138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3251 [inline]
 #0: ffff888019c44138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0 kernel/workqueue.c:3359
 #1: ffffc900064c7c40 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3252 [inline]
 #1: ffffc900064c7c40 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0 kernel/workqueue.c:3359
 #2: ffff88803c7be300 (&devlink->lock_key#5){+.+.}-{4:4}, at: nsim_dev_trap_report_work+0x57/0xbc0 drivers/net/netdevsim/dev.c:909
 #3: ffff88803a1c3d20 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #3: ffff88803a1c3d20 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: nsim_dev_trap_report drivers/net/netdevsim/dev.c:862 [inline]
 #3: ffff88803a1c3d20 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: nsim_dev_trap_report_work+0x1ad/0xbc0 drivers/net/netdevsim/dev.c:922
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: __rt_spin_lock kernel/locking/spinlock_rt.c:50 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rt_spin_lock+0x1e0/0x400 kernel/locking/spinlock_rt.c:57
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: get_partial_node_bulk mm/slub.c:3750 [inline]
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: __refill_objects_node+0x87/0x560 mm/slub.c:7027
6 locks held by kworker/u8:12/1421:
 #0: ffff888019c44138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3251 [inline]
 #0: ffff888019c44138 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0 kernel/workqueue.c:3359
 #1: ffffc900065e7c40 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3252 [inline]
 #1: ffffc900065e7c40 ((work_completion)(&(&nsim_dev->trap_data->trap_report_dw)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0 kernel/workqueue.c:3359
 #2: ffff888062f8c300 (&devlink->lock_key#8){+.+.}-{4:4}, at: nsim_dev_trap_report_work+0x57/0xbc0 drivers/net/netdevsim/dev.c:909
 #3: ffff88802ad00920 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #3: ffff88802ad00920 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: nsim_dev_trap_report drivers/net/netdevsim/dev.c:862 [inline]
 #3: ffff88802ad00920 (&nsim_trap_data->trap_lock){+.+.}-{3:3}, at: nsim_dev_trap_report_work+0x1ad/0xbc0 drivers/net/netdevsim/dev.c:922
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: __rt_spin_lock kernel/locking/spinlock_rt.c:50 [inline]
 #4: ffffffff8ddcba00 (rcu_read_lock){....}-{1:3}, at: rt_spin_lock+0x1e0/0x400 kernel/locking/spinlock_rt.c:57
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: get_partial_node_bulk mm/slub.c:3750 [inline]
 #5: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: __refill_objects_node+0x87/0x560 mm/slub.c:7027
2 locks held by kworker/u8:13/1428:
 #0: ffff88801aee4938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3251 [inline]
 #0: ffff88801aee4938 ((wq_completion)writeback){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0 kernel/workqueue.c:3359
 #1: ffffc90006657c40 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3252 [inline]
 #1: ffffc90006657c40 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0 kernel/workqueue.c:3359
2 locks held by udevd/5165:
 #0: ffffffff8e4dcc58 (tomoyo_ss){.+.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:187 [inline]
 #0: ffffffff8e4dcc58 (tomoyo_ss){.+.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:294 [inline]
 #0: ffffffff8e4dcc58 (tomoyo_ss){.+.+}-{0:0}, at: tomoyo_read_lock security/tomoyo/common.h:1112 [inline]
 #0: ffffffff8e4dcc58 (tomoyo_ss){.+.+}-{0:0}, at: tomoyo_check_open_permission+0x1d3/0x470 security/tomoyo/file.c:772
 #1: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #1: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: get_partial_node_bulk mm/slub.c:3750 [inline]
 #1: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: __refill_objects_node+0x87/0x560 mm/slub.c:7027
2 locks held by getty/5558:
 #0: ffff888037ffe0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: ffffc90003e7e2e0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x462/0x13c0 drivers/tty/n_tty.c:2211
2 locks held by udevd/6231:
 #0: ffffffff8df09670 (remove_cache_srcu){.+.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:187 [inline]
 #0: ffffffff8df09670 (remove_cache_srcu){.+.+}-{0:0}, at: srcu_read_lock+0x27/0x60 include/linux/srcu.h:294
 #1: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #1: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: __slab_free+0xee/0x2a0 mm/slub.c:5519
3 locks held by syz-executor/6321:
 #0: ffff88805962e0d0 (&type->s_umount_key#56){++++}-{4:4}, at: __super_lock fs/super.c:58 [inline]
 #0: ffff88805962e0d0 (&type->s_umount_key#56){++++}-{4:4}, at: __super_lock_excl fs/super.c:73 [inline]
 #0: ffff88805962e0d0 (&type->s_umount_key#56){++++}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:508
 #1: ffff88803fb55020 (&fs_info->ordered_operations_mutex){+.+.}-{4:4}, at: btrfs_wait_ordered_roots+0xe7/0x6f0 fs/btrfs/ordered-data.c:823
 #2: ffff888026e2e9a8 (&root->ordered_extent_mutex){+.+.}-{4:4}, at: btrfs_wait_ordered_extents+0x23d/0xcf0 fs/btrfs/ordered-data.c:767
3 locks held by syz-executor/6329:
 #0: ffff88805902e0d0 (&type->s_umount_key#56){++++}-{4:4}, at: __super_lock fs/super.c:58 [inline]
 #0: ffff88805902e0d0 (&type->s_umount_key#56){++++}-{4:4}, at: __super_lock_excl fs/super.c:73 [inline]
 #0: ffff88805902e0d0 (&type->s_umount_key#56){++++}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:508
 #1: ffff88805902eb08 (&s->s_sync_lock){+.+.}-{4:4}, at: wait_sb_inodes fs/fs-writeback.c:2739 [inline]
 #1: ffff88805902eb08 (&s->s_sync_lock){+.+.}-{4:4}, at: sync_inodes_sb+0x288/0xc10 fs/fs-writeback.c:2927
 #2: ffffffff8da15b68 (&folio_wait_table[i]){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #2: ffffffff8da15b68 (&folio_wait_table[i]){+.+.}-{3:3}, at: finish_wait+0xbe/0x1e0 kernel/sched/wait.c:394
1 lock held by syz-executor/6330:
 #0: ffff88805e4280d0 (&type->s_umount_key#56){++++}-{4:4}, at: __super_lock fs/super.c:58 [inline]
 #0: ffff88805e4280d0 (&type->s_umount_key#56){++++}-{4:4}, at: __super_lock_excl fs/super.c:73 [inline]
 #0: ffff88805e4280d0 (&type->s_umount_key#56){++++}-{4:4}, at: deactivate_super+0xa9/0xe0 fs/super.c:508
4 locks held by syz.2.19/6618:
 #0: ffff88802e4d8480 (sb_writers#12){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2710 [inline]
 #0: ffff88802e4d8480 (sb_writers#12){.+.+}-{0:0}, at: vfs_copy_file_range+0x9bb/0x1390 fs/read_write.c:1588
 #1: ffff88805b0558c8 (&sb->s_type->i_mutex_key#24){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:1028 [inline]
 #1: ffff88805b0558c8 (&sb->s_type->i_mutex_key#24){+.+.}-{4:4}, at: btrfs_inode_lock+0x51/0xe0 fs/btrfs/inode.c:369
 #2: ffff88805b055728 (&ei->i_mmap_lock){++++}-{4:4}, at: btrfs_inode_lock+0xcb/0xe0 fs/btrfs/inode.c:372
 #3: ffff88802e4d8770 (sb_internal#2){.+.+}-{0:0}, at: clone_copy_inline_extent fs/btrfs/reflink.c:286 [inline]
 #3: ffff88802e4d8770 (sb_internal#2){.+.+}-{0:0}, at: btrfs_clone+0x1275/0x24a0 fs/btrfs/reflink.c:516
3 locks held by syz.2.19/6689:
 #0: ffff88803dc2b118 (btrfs_trans_num_writers){++++}-{0:0}, at: join_transaction+0x41b/0xc90 fs/btrfs/transaction.c:298
 #1: ffff88803dc2b140 (btrfs_trans_num_extwriters){++++}-{0:0}, at: join_transaction+0x41b/0xc90 fs/btrfs/transaction.c:298
 #2: ffff88802e4d80d0 (&type->s_umount_key#56){++++}-{4:4}, at: try_to_writeback_inodes_sb+0x22/0xc0 fs/fs-writeback.c:2883
1 lock held by btrfs-transacti/6682:
 #0: ffff88803dc28d98 (&fs_info->transaction_kthread_mutex){+.+.}-{4:4}, at: transaction_kthread+0xe4/0x450 fs/btrfs/disk-io.c:1515
2 locks held by udevd/6732:
 #0: ffffffff8e4dcc58 (tomoyo_ss){.+.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:187 [inline]
 #0: ffffffff8e4dcc58 (tomoyo_ss){.+.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:294 [inline]
 #0: ffffffff8e4dcc58 (tomoyo_ss){.+.+}-{0:0}, at: tomoyo_read_lock security/tomoyo/common.h:1112 [inline]
 #0: ffffffff8e4dcc58 (tomoyo_ss){.+.+}-{0:0}, at: tomoyo_check_open_permission+0x1d3/0x470 security/tomoyo/file.c:772
 #1: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #1: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: get_partial_node_bulk mm/slub.c:3750 [inline]
 #1: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: __refill_objects_node+0x87/0x560 mm/slub.c:7027
1 lock held by udevadm/10426:
 #0: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #0: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: get_partial_node_bulk mm/slub.c:3750 [inline]
 #0: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: __refill_objects_node+0x87/0x560 mm/slub.c:7027
1 lock held by udevadm/10431:
1 lock held by udevadm/10447:
2 locks held by udevadm/10452:
2 locks held by syz.0.221/10464:
4 locks held by syz-executor/10467:
 #0: ffff88803644a480 (sb_writers#5){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 fs/namespace.c:493
 #1: ffff88805c6475d8 (&type->i_mutex_dir_key#5/1){+.+.}-{4:4}, at: inode_lock_nested include/linux/fs.h:1073 [inline]
 #1: ffff88805c6475d8 (&type->i_mutex_dir_key#5/1){+.+.}-{4:4}, at: __start_dirop fs/namei.c:2923 [inline]
 #1: ffff88805c6475d8 (&type->i_mutex_dir_key#5/1){+.+.}-{4:4}, at: start_dirop fs/namei.c:2934 [inline]
 #1: ffff88805c6475d8 (&type->i_mutex_dir_key#5/1){+.+.}-{4:4}, at: filename_create+0x200/0x370 fs/namei.c:4922
 #2: ffffffff8e4dcc58 (tomoyo_ss){.+.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:187 [inline]
 #2: ffffffff8e4dcc58 (tomoyo_ss){.+.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:294 [inline]
 #2: ffffffff8e4dcc58 (tomoyo_ss){.+.+}-{0:0}, at: tomoyo_read_lock security/tomoyo/common.h:1112 [inline]
 #2: ffffffff8e4dcc58 (tomoyo_ss){.+.+}-{0:0}, at: tomoyo_path_perm+0x251/0x560 security/tomoyo/file.c:826
 #3: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: spin_lock include/linux/spinlock_rt.h:45 [inline]
 #3: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: get_partial_node_bulk mm/slub.c:3750 [inline]
 #3: ffff88813fe18d58 (&n->list_lock){+.+.}-{3:3}, at: __refill_objects_node+0x87/0x560 mm/slub.c:7027

=============================================

NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 38 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x274/0x2d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:161 [inline]
 __sys_info lib/sys_info.c:157 [inline]
 sys_info+0x135/0x170 lib/sys_info.c:165
 check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
 watchdog+0xfd9/0x1030 kernel/hung_task.c:515
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:pv_native_safe_halt+0xf/0x20 arch/x86/kernel/paravirt.c:63
Code: 0e 5d 02 e9 13 c4 03 00 cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d f3 1c 26 00 fb f4 <c3> cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 90 90 90 90 90
RSP: 0018:ffffffff8da07dc0 EFLAGS: 00000242
RAX: 00000000000a2791 RBX: ffffffff8199709a RCX: 0000000080000001
RDX: 0000000000000001 RSI: ffffffff8d562e91 RDI: ffffffff8ba66e00
RBP: ffffffff8da07eb0 R08: ffff8880b8833e1b R09: 1ffff110171067c3
R10: dffffc0000000000 R11: ffffed10171067c4 R12: 0000000000000000
R13: 1ffffffff1b605d8 R14: 0000000000000000 R15: 1ffffffff1b605d8
FS:  0000000000000000(0000) GS:ffff888126339000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9f3ebad400 CR3: 00000000449c8000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 arch_safe_halt arch/x86/kernel/process.c:766 [inline]
 default_idle+0x9/0x20 arch/x86/kernel/process.c:767
 default_idle_call+0x72/0xb0 kernel/sched/idle.c:122
 cpuidle_idle_call kernel/sched/idle.c:199 [inline]
 do_idle+0x36a/0x5f0 kernel/sched/idle.c:352
 cpu_startup_entry+0x43/0x60 kernel/sched/idle.c:451
 rest_init+0x2de/0x300 init/main.c:760
 start_kernel+0x385/0x3d0 init/main.c:1210
 x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
 x86_64_start_kernel+0x143/0x1c0 arch/x86/kernel/head64.c:291
 common_startup_64+0x13e/0x147
 </TASK>


Tested on:

commit:         0138af24 Merge tag 'erofs-for-7.0-rc6-fixes' of git://..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=136c3e02580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=45cb3c58fd963c27
dashboard link: https://syzkaller.appspot.com/bug?extid=63056bf627663701bbbf
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=10221cba580000