watchdog: BUG: soft lockup - CPU#0 stuck for 21s! [syz-executor.5:9307] Modules linked in: irq event stamp: 4093655 hardirqs last enabled at (4093654): [] asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635 hardirqs last disabled at (4093655): [] sysvec_apic_timer_interrupt+0xb/0xa0 arch/x86/kernel/apic/apic.c:1095 softirqs last enabled at (3991338): [] asm_call_irq_on_stack+0x12/0x20 softirqs last disabled at (3991341): [] asm_call_irq_on_stack+0x12/0x20 CPU: 0 PID: 9307 Comm: syz-executor.5 Not tainted 5.10.162 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:__should_failslab+0x1/0xf0 mm/failslab.c:18 Code: ff ff 48 c7 c7 60 d6 09 85 e8 0b b1 c1 ff 48 83 c4 20 5b 5d 41 5c e9 1e 61 b4 02 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 <48> 89 fb 48 c7 c0 80 1e b3 86 48 ba 00 00 00 00 00 fc ff df 48 c1 RSP: 0018:ffff88806ce09aa0 EFLAGS: 00000246 RAX: 0000000000400140 RBX: 0000000000082a20 RCX: ffffffff831152b7 RDX: 0000000000000000 RSI: 0000000000082a20 RDI: ffff888007c41280 RBP: ffff888007c41280 R08: 0000000000000000 R09: 0000000000000200 R10: fffffbfff0cf2ad5 R11: 0000000000000001 R12: 0000000000082a20 R13: 0000000000000200 R14: 00000000ffffffff R15: ffff8880472ec8c0 FS: 00007f108f9f6700(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f22b4266344 CR3: 000000000f4ae000 CR4: 0000000000350ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600 Call Trace: should_failslab+0x5/0x20 mm/slab_common.c:1193 slab_pre_alloc_hook mm/slab.h:515 [inline] slab_alloc_node mm/slub.c:2821 [inline] __kmalloc_node_track_caller+0x74/0x3f0 mm/slub.c:4496 __kmalloc_reserve net/core/skbuff.c:142 [inline] __alloc_skb+0xb1/0x620 net/core/skbuff.c:210 skb_copy+0x137/0x2f0 net/core/skbuff.c:1522 mac80211_hwsim_tx_frame_no_nl.isra.0+0xb1d/0x13d0 drivers/net/wireless/mac80211_hwsim.c:1499 mac80211_hwsim_tx_frame+0x152/0x1e0 drivers/net/wireless/mac80211_hwsim.c:1716 mac80211_hwsim_beacon_tx+0x494/0x8f0 drivers/net/wireless/mac80211_hwsim.c:1770 __iterate_interfaces+0x1f0/0x530 net/mac80211/util.c:792 ieee80211_iterate_active_interfaces_atomic+0x72/0x180 net/mac80211/util.c:828 mac80211_hwsim_beacon+0xd1/0x1d0 drivers/net/wireless/mac80211_hwsim.c:1793 __run_hrtimer kernel/time/hrtimer.c:1583 [inline] __hrtimer_run_queues+0x5e8/0xb50 kernel/time/hrtimer.c:1647 hrtimer_run_softirq+0x148/0x310 kernel/time/hrtimer.c:1664 __do_softirq+0x1b8/0x86b kernel/softirq.c:298 asm_call_irq_on_stack+0x12/0x20 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline] do_softirq_own_stack+0x80/0xa0 arch/x86/kernel/irq_64.c:77 invoke_softirq kernel/softirq.c:393 [inline] __irq_exit_rcu kernel/softirq.c:423 [inline] irq_exit_rcu+0x114/0x1b0 kernel/softirq.c:435 sysvec_apic_timer_interrupt+0x43/0xa0 arch/x86/kernel/apic/apic.c:1095 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635 RIP: 0010:skb_ext_add+0x2/0x670 net/core/skbuff.c:6302 Code: 00 e8 12 f1 2e fe 4c 89 e0 41 5c e9 98 0a 0f 01 4c 89 e7 e8 c0 9f 5a fe eb df 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 41 57 <41> 56 41 55 41 54 55 48 89 fd 53 48 83 ec 30 89 74 24 04 e8 d6 f0 RSP: 0018:ffff888032d3f5e8 EFLAGS: 00000212 RAX: 000000000003d6d7 RBX: 0000000000000006 RCX: ffffc90004616000 RDX: 0000000000040000 RSI: 0000000000000001 RDI: ffff88804760dc80 RBP: 0000000000000000 R08: 0000000000000001 R09: ffff88800c700ae3 R10: 0000000000000000 R11: 0000000000000001 R12: ffff88800c700ac0 R13: ffff88804760dcfe R14: 0000000000000000 R15: ffff88804760dc80 skb_set_kcov_handle include/linux/skbuff.h:4632 [inline] skb_set_kcov_handle include/linux/skbuff.h:4622 [inline] __alloc_skb+0x3c1/0x620 net/core/skbuff.c:253 alloc_skb include/linux/skbuff.h:1096 [inline] nlmsg_new include/net/netlink.h:953 [inline] rtmsg_fib+0x1b2/0xec0 net/ipv4/fib_semantics.c:520 fib_table_insert+0xab9/0x1af0 net/ipv4/fib_trie.c:1354 fib_magic.isra.0+0x29d/0x2f0 net/ipv4/fib_frontend.c:1090 fib_add_ifaddr+0x628/0x7e0 net/ipv4/fib_frontend.c:1134 fib_netdev_event+0x37e/0x6a0 net/ipv4/fib_frontend.c:1474 notifier_call_chain kernel/notifier.c:83 [inline] raw_notifier_call_chain+0xb3/0x110 kernel/notifier.c:410 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2047 call_netdevice_notifiers_extack net/core/dev.c:2059 [inline] call_netdevice_notifiers net/core/dev.c:2073 [inline] __dev_notify_flags+0x110/0x2c0 net/core/dev.c:8530 dev_change_flags+0x100/0x160 net/core/dev.c:8568 dev_ifsioc+0x5b9/0xa00 net/core/dev_ioctl.c:230 dev_ioctl+0x23c/0xcf0 net/core/dev_ioctl.c:481 sock_do_ioctl+0x17d/0x300 net/socket.c:1070 sock_ioctl+0x3ea/0x700 net/socket.c:1187 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x61/0xc6 RIP: 0033:0x7f10924a1b19 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f108f9f6188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f10925b5020 RCX: 00007f10924a1b19 RDX: 0000000020000140 RSI: 0000000000008914 RDI: 0000000000000008 RBP: 00007f10924fbf6d R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc1fbc384f R14: 00007f108f9f6300 R15: 0000000000022000 Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 PID: 9292 Comm: syz-executor.0 Not tainted 5.10.162 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:bytes_is_nonzero mm/kasan/generic.c:90 [inline] RIP: 0010:memory_is_nonzero mm/kasan/generic.c:108 [inline] RIP: 0010:memory_is_poisoned_n mm/kasan/generic.c:134 [inline] RIP: 0010:memory_is_poisoned mm/kasan/generic.c:165 [inline] RIP: 0010:check_memory_region_inline mm/kasan/generic.c:183 [inline] RIP: 0010:check_memory_region+0x193/0x1f0 mm/kasan/generic.c:192 Code: e1 07 49 39 c1 7d 85 41 bb 01 00 00 00 5b 5d 44 89 d8 41 5c e9 2e 6d b4 02 48 85 d2 74 e9 48 01 ea eb 09 48 83 c0 01 48 39 d0 <74> db 80 38 00 74 f2 e9 28 ff ff ff 48 29 c3 48 89 da 49 89 d3 49 RSP: 0018:ffff88806cf09308 EFLAGS: 00000046 RAX: fffffbfff0cf2acd RBX: fffffbfff0cf2acd RCX: ffffffff81269271 RDX: fffffbfff0cf2acd RSI: 0000000000000008 RDI: ffffffff86795660 RBP: fffffbfff0cf2acc R08: 0000000000000000 R09: ffffffff86795667 R10: fffffbfff0cf2acc R11: 0000000000000001 R12: ffff888035aa19c0 R13: ffff888035aa2318 R14: 0000000000000004 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005637aad8f678 CR3: 000000000c5cc000 CR4: 0000000000350ee0 Call Trace: instrument_atomic_read include/linux/instrumented.h:71 [inline] test_bit include/asm-generic/bitops/instrumented-non-atomic.h:134 [inline] hlock_class kernel/locking/lockdep.c:196 [inline] __lock_acquire+0xbb1/0x5b00 kernel/locking/lockdep.c:4951 lock_acquire kernel/locking/lockdep.c:5565 [inline] lock_acquire+0x197/0x490 kernel/locking/lockdep.c:5530 seqcount_lockdep_reader_access include/linux/seqlock.h:103 [inline] ktime_get+0x7f/0x1f0 kernel/time/timekeeping.c:833 hrtimer_forward_now include/linux/hrtimer.h:501 [inline] perf_swevent_hrtimer+0x244/0x3f0 kernel/events/core.c:10397 __run_hrtimer kernel/time/hrtimer.c:1583 [inline] __hrtimer_run_queues+0x1ca/0xb50 kernel/time/hrtimer.c:1647 hrtimer_interrupt+0x2fd/0x9b0 kernel/time/hrtimer.c:1709 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1084 [inline] __sysvec_apic_timer_interrupt+0xfb/0x400 arch/x86/kernel/apic/apic.c:1101 run_sysvec_on_irqstack_cond arch/x86/include/asm/irq_stack.h:91 [inline] sysvec_apic_timer_interrupt+0x3e/0xa0 arch/x86/kernel/apic/apic.c:1095 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635 RIP: 0010:cpu_relax arch/x86/include/asm/vdso/processor.h:19 [inline] RIP: 0010:virt_spin_lock arch/x86/include/asm/qspinlock.h:100 [inline] RIP: 0010:queued_spin_lock_slowpath+0x122/0x8c0 kernel/locking/qspinlock.c:326 Code: 00 00 00 65 48 2b 04 25 28 00 00 00 0f 85 09 07 00 00 48 81 c4 88 00 00 00 5b 5d 41 5c 41 5d 41 5e 41 5f e9 30 e9 f8 02 f3 90 73 ff ff ff 44 8b 74 24 48 41 81 fe 00 01 00 00 0f 84 e1 00 00 RSP: 0018:ffff88806cf09a38 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffffffff87930ea0 RCX: ffffffff81275657 RDX: fffffbfff0f261d5 RSI: 0000000000000004 RDI: ffffffff87930ea0 RBP: 0000000000000001 R08: 0000000000000000 R09: ffffffff87930ea3 R10: fffffbfff0f261d4 R11: 0000000000000001 R12: 0000000000000003 R13: fffffbfff0f261d4 R14: 0000000000000001 R15: 1ffff1100d9e1348 queued_spin_lock include/asm-generic/qspinlock.h:85 [inline] do_raw_spin_lock+0x1dc/0x260 kernel/locking/spinlock_debug.c:113 spin_lock include/linux/spinlock.h:354 [inline] mac80211_hwsim_tx_frame_no_nl.isra.0+0x695/0x13d0 drivers/net/wireless/mac80211_hwsim.c:1450 mac80211_hwsim_tx_frame+0x152/0x1e0 drivers/net/wireless/mac80211_hwsim.c:1716 mac80211_hwsim_beacon_tx+0x494/0x8f0 drivers/net/wireless/mac80211_hwsim.c:1770 __iterate_interfaces+0x1f0/0x530 net/mac80211/util.c:792 ieee80211_iterate_active_interfaces_atomic+0x72/0x180 net/mac80211/util.c:828 mac80211_hwsim_beacon+0xd1/0x1d0 drivers/net/wireless/mac80211_hwsim.c:1793 __run_hrtimer kernel/time/hrtimer.c:1583 [inline] __hrtimer_run_queues+0x5e8/0xb50 kernel/time/hrtimer.c:1647 hrtimer_run_softirq+0x148/0x310 kernel/time/hrtimer.c:1664 __do_softirq+0x1b8/0x86b kernel/softirq.c:298 asm_call_irq_on_stack+0x12/0x20 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline] do_softirq_own_stack+0x80/0xa0 arch/x86/kernel/irq_64.c:77 invoke_softirq kernel/softirq.c:393 [inline] __irq_exit_rcu kernel/softirq.c:423 [inline] irq_exit_rcu+0x114/0x1b0 kernel/softirq.c:435 sysvec_apic_timer_interrupt+0x43/0xa0 arch/x86/kernel/apic/apic.c:1095 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:635 RIP: 0010:lock_page_memcg+0x91/0x260 mm/memcontrol.c:2145 Code: ae c0 ff 5a 84 c0 0f 84 e4 00 00 00 0f 1f 44 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8d 7b 38 4c 89 fa 48 c1 ea 03 80 3c 02 00 <0f> 85 97 01 00 00 4d 89 fd 4c 8b 63 38 49 be 00 00 00 00 00 fc ff RSP: 0018:ffff88803dfbf6e8 EFLAGS: 00000246 RAX: dffffc0000000000 RBX: ffffea0000f4a980 RCX: 000000005eb62b4a RDX: 1ffffd40001e9537 RSI: 1c55405fd88a67ed RDI: ffff88806cf3c128 RBP: ffffea0000f4a980 R08: 0000000000000000 R09: ffffffff86795667 R10: 0000000000000246 R11: 0000000000000001 R12: 0000000000000000 R13: ffffea0000f4a988 R14: dffffc0000000000 R15: ffffea0000f4a9b8 page_remove_rmap+0x21/0x7c0 mm/rmap.c:1328 zap_pte_range mm/memory.c:1287 [inline] zap_pmd_range mm/memory.c:1404 [inline] zap_pud_range mm/memory.c:1433 [inline] zap_p4d_range mm/memory.c:1454 [inline] unmap_page_range+0x1119/0x1ea0 mm/memory.c:1475 unmap_single_vma+0x198/0x300 mm/memory.c:1520 unmap_vmas+0x16d/0x300 mm/memory.c:1552 exit_mmap+0x27f/0x4f0 mm/mmap.c:3235 __mmput kernel/fork.c:1090 [inline] mmput+0xca/0x340 kernel/fork.c:1111 exit_mm kernel/exit.c:487 [inline] do_exit+0xa96/0x26a0 kernel/exit.c:798 do_group_exit+0x125/0x310 kernel/exit.c:908 get_signal+0x4bc/0x2340 kernel/signal.c:2751 arch_do_signal_or_restart+0x2b7/0x1990 arch/x86/kernel/signal.c:805 handle_signal_work kernel/entry/common.c:145 [inline] exit_to_user_mode_loop kernel/entry/common.c:169 [inline] exit_to_user_mode_prepare+0x10f/0x190 kernel/entry/common.c:199 syscall_exit_to_user_mode+0x38/0x230 kernel/entry/common.c:274 entry_SYSCALL_64_after_hwframe+0x61/0xc6 RIP: 0033:0x7f30b6dc6b19 Code: Unable to access opcode bytes at RIP 0x7f30b6dc6aef. RSP: 002b:00007f30b433c188 EFLAGS: 00000246 ORIG_RAX: 0000000000000029 RAX: 0000000000000008 RBX: 00007f30b6ed9f60 RCX: 00007f30b6dc6b19 RDX: 0000000000000000 RSI: 0000000000000002 RDI: 000000000000000a RBP: 00007f30b6e20f6d R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffc35950e6f R14: 00007f30b433c300 R15: 0000000000022000 ---------------- Code disassembly (best guess), 2 bytes skipped: 0: 48 c7 c7 60 d6 09 85 mov $0xffffffff8509d660,%rdi 7: e8 0b b1 c1 ff callq 0xffc1b117 c: 48 83 c4 20 add $0x20,%rsp 10: 5b pop %rbx 11: 5d pop %rbp 12: 41 5c pop %r12 14: e9 1e 61 b4 02 jmpq 0x2b46137 19: cc int3 1a: cc int3 1b: cc int3 1c: cc int3 1d: cc int3 1e: cc int3 1f: cc int3 20: cc int3 21: cc int3 22: cc int3 23: cc int3 24: cc int3 25: cc int3 26: cc int3 27: 53 push %rbx * 28: 48 89 fb mov %rdi,%rbx <-- trapping instruction 2b: 48 c7 c0 80 1e b3 86 mov $0xffffffff86b31e80,%rax 32: 48 ba 00 00 00 00 00 movabs $0xdffffc0000000000,%rdx 39: fc ff df 3c: 48 rex.W 3d: c1 .byte 0xc1