[Android 6.1] BUG: soft lockup in addrconf_rs_timer (5)


syzbot

5:46 PM (2 hours ago) 5:46 PM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 2f67b6088692 ANDROID: KVM: arm64: Check page alignment in ..
git tree: android14-6.1
console output: https://syzkaller.appspot.com/x/log.txt?x=17c9c3ce580000
kernel config: https://syzkaller.appspot.com/x/.config?x=8b77de3a119dd560
dashboard link: https://syzkaller.appspot.com/bug?extid=04aa0ea96895abc877d6
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15deabce580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14fc1ad2580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3c98d0ab3ca7/disk-2f67b608.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d38b2df72ec4/vmlinux-2f67b608.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8934775d976d/bzImage-2f67b608.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+04aa0e...@syzkaller.appspotmail.com

RBP: 0000000000038da0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b2da20000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7f97a15fac R14: 00007f7f97a15fa8 R15: 00007f7f97a15fa0
</TASK>
watchdog: BUG: soft lockup - CPU#1 stuck for 237s! [syz.6.30:437]
Modules linked in:
CPU: 1 PID: 437 Comm: syz.6.30 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:on_stack arch/x86/include/asm/stacktrace.h:55 [inline]
RIP: 0010:update_stack_state+0x189/0x480 arch/x86/kernel/unwind_frame.c:228
Code: 48 8b 8d 60 ff ff ff e8 65 b7 f7 ff 85 c0 0f 85 2f 01 00 00 48 8b 85 40 ff ff ff 42 80 3c 28 00 74 08 4c 89 f7 e8 b7 5e 81 00 <4d> 8b 3e 48 8b 85 48 ff ff ff 42 80 3c 28 00 74 0c 48 8b bd 70 ff
RSP: 0018:ffffc900001afd78 EFLAGS: 00000246
RAX: 1ffff92000035fda RBX: ffffc900001afec8 RCX: 1ffff92000035fdb
RDX: 1ffff92000035fdc RSI: 1ffff92000035fda RDI: ffffc900001aff20
RBP: ffffc900001afe38 R08: ffffc900001aff90 R09: ffffc900001aff88
R10: 0000000000000016 R11: fffff52000035fe5 R12: 0000000000000000
R13: dffffc0000000000 R14: ffffc900001afed0 R15: ffffc900001b0d70
FS: 0000555590823500(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000038da0 CR3: 000000011e5c3000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
unwind_next_frame+0x3d5/0x700 arch/x86/kernel/unwind_frame.c:315
arch_stack_walk+0x124/0x150 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0xa6/0xf0 kernel/stacktrace.c:122
kasan_save_stack mm/kasan/common.c:46 [inline]
kasan_set_track+0x4b/0x70 mm/kasan/common.c:53
kasan_save_free_info+0x31/0x50 mm/kasan/generic.c:516
____kasan_slab_free+0x132/0x180 mm/kasan/common.c:242
__kasan_slab_free+0x11/0x20 mm/kasan/common.c:250
kasan_slab_free include/linux/kasan.h:178 [inline]
slab_free_hook mm/slub.c:1750 [inline]
slab_free_freelist_hook+0xc2/0x190 mm/slub.c:1776
slab_free mm/slub.c:3712 [inline]
kmem_cache_free+0x12d/0x300 mm/slub.c:3737
kfree_skbmem+0x10c/0x180 net/core/skbuff.c:-1
__kfree_skb net/core/skbuff.c:874 [inline]
consume_skb+0xb3/0x1f0 net/core/skbuff.c:1038
netlink_broadcast+0x1084/0x1180 net/netlink/af_netlink.c:1522
nlmsg_multicast include/net/netlink.h:1071 [inline]
nlmsg_notify+0xe6/0x1a0 net/netlink/af_netlink.c:2564
rtnl_notify+0x9a/0xc0 net/core/rtnetlink.c:796
__neigh_notify+0xd3/0x130 net/core/neighbour.c:3519
neigh_cleanup_and_release+0x2c/0x1a0 net/core/neighbour.c:101
neigh_del net/core/neighbour.c:225 [inline]
neigh_remove_one+0x4b5/0x540 net/core/neighbour.c:246
neigh_forced_gc net/core/neighbour.c:279 [inline]
neigh_alloc net/core/neighbour.c:485 [inline]
___neigh_create+0x48b/0x1e20 net/core/neighbour.c:648
__neigh_create+0x31/0x40 net/core/neighbour.c:737
ip6_finish_output2+0xa56/0x18a0 net/ipv6/ip6_output.c:129
__ip6_finish_output net/ipv6/ip6_output.c:205 [inline]
ip6_finish_output+0x5f9/0xbb0 net/ipv6/ip6_output.c:216
NF_HOOK_COND include/linux/netfilter.h:294 [inline]
ip6_output+0x1fa/0x410 net/ipv6/ip6_output.c:237
dst_output include/net/dst.h:453 [inline]
NF_HOOK include/linux/netfilter.h:305 [inline]
ndisc_send_skb+0x7dc/0xcc0 net/ipv6/ndisc.c:513
ndisc_send_rs+0x670/0x870 net/ipv6/ndisc.c:723
addrconf_rs_timer+0x2cf/0x610 net/ipv6/addrconf.c:4005
call_timer_fn+0x46/0x2a0 kernel/time/timer.c:1553
expire_timers kernel/time/timer.c:1604 [inline]
__run_timers+0x65b/0x9f0 kernel/time/timer.c:1875
run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1888
handle_softirqs+0x1d7/0x600 kernel/softirq.c:642
__do_softirq kernel/softirq.c:680 [inline]
invoke_softirq kernel/softirq.c:497 [inline]
__irq_exit_rcu+0x52/0xf0 kernel/softirq.c:729
irq_exit_rcu+0x9/0x10 kernel/softirq.c:741
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691
RIP: 0010:schedule_debug kernel/sched/core.c:5995 [inline]
RIP: 0010:__schedule+0x11d/0x1500 kernel/sched/core.c:6647
Code: 74 08 4c 89 f7 e8 e3 88 b6 fc 4d 8b 36 4c 89 f0 48 c1 e8 03 42 80 3c 20 00 74 08 4c 89 f7 e8 ca 88 b6 fc 49 81 3e 9d 6e ac 57 <0f> 85 6f 0c 00 00 65 8b 05 1e e5 01 7b 25 ff ff ff 7f 83 f8 01 0f
RSP: 0018:ffffc90000c67680 EFLAGS: 00000246
RAX: 1ffff9200018c000 RBX: ffff8881f6f00000 RCX: 348145d4fc290000
RDX: 1ffffffff0f6e608 RSI: ffffffff85ca8a80 RDI: ffffffff85ca8a40
RBP: ffffc90000c67790 R08: ffffffff87b73048 R09: ffffffff87b73058
R10: ffffffff87b73043 R11: 1ffffffff0f6e608 R12: dffffc0000000000
R13: ffff88811e535100 R14: ffffc90000c60000 R15: ffff8881f6f38820
preempt_schedule_irq+0xaa/0x120 kernel/sched/core.c:7067
raw_irqentry_exit_cond_resched+0x29/0x30 kernel/entry/common.c:396
irqentry_exit+0x37/0x40 kernel/entry/common.c:439
sysvec_apic_timer_interrupt+0x64/0xc0 arch/x86/kernel/apic/apic.c:1118
asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691
RIP: 0010:stack_trace_consume_entry+0x6/0x290 kernel/stacktrace.c:83
Code: 4c 24 78 75 09 48 8d 65 f0 5b 41 5e 5d c3 e8 31 3f 99 03 90 90 90 90 90 90 90 90 90 90 90 90 b8 b6 63 6b ad 55 48 89 e5 41 57 <41> 56 41 55 41 54 53 48 83 ec 20 48 ba 00 00 00 00 00 fc ff df 4c
RSP: 0018:ffffc90000c67910 EFLAGS: 00000257
RAX: ffffffff81620ff6 RBX: ffffc90000c679e0 RCX: 1ffff9200018cf00
RDX: ffffc90000c67901 RSI: ffffffff81620ff6 RDI: ffffc90000c679e0
RBP: ffffc90000c67918 R08: ffffc90000c67901 R09: ffffc90000c67928
R10: 0000000000000000 R11: fffff5200018cf31 R12: ffff88811e535100
R13: dffffc0000000000 R14: ffffffff81621050 R15: ffffc90000c67928
arch_stack_walk+0x118/0x150 arch/x86/kernel/stacktrace.c:27
stack_trace_save+0xa6/0xf0 kernel/stacktrace.c:122
kasan_save_stack+0x3a/0x60 mm/kasan/common.c:46
__kasan_record_aux_stack+0xb6/0xc0 mm/kasan/generic.c:486
kasan_record_aux_stack+0xe/0x10 mm/kasan/generic.c:491
task_work_add+0x7f/0x330 kernel/task_work.c:48
fput+0xe1/0x1a0 fs/file_table.c:376
filp_close+0x111/0x160 fs/open.c:1462
__range_close fs/file.c:718 [inline]
__close_range+0x3a3/0x500 fs/file.c:781
__do_sys_close_range fs/open.c:1501 [inline]
__se_sys_close_range fs/open.c:1498 [inline]
__x64_sys_close_range+0x7a/0x90 fs/open.c:1498
x64_sys_call+0x43b/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:437
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f7f9779cdd9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff380f69b8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: ffffffffffffffda RBX: 00007fff380f6aa0 RCX: 00007f7f9779cdd9
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 0000000000038da0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b2da20000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f7f97a15fac R14: 00007f7f97a15fa8 R15: 00007f7f97a15fa0
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 436 Comm: syz.8.26 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:check_kcov_mode kernel/kcov.c:182 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x1f/0x60 kernel/kcov.c:216
Code: 90 90 90 90 90 90 b8 0c 67 40 a5 55 48 89 e5 48 8b 45 08 65 48 8b 0d 60 f7 90 7e 65 8b 15 61 f7 90 7e 81 e2 00 01 ff 00 74 11 <81> fa 00 01 00 00 75 35 83 b9 6c 0b 00 00 00 74 2c 8b 91 48 0b 00
RSP: 0018:ffffc90000006bd8 EFLAGS: 00000006
RAX: ffffffff8196f7ea RBX: 0000000000000000 RCX: ffff88811e531440
RDX: 0000000000010100 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000006bd8 R08: ffffc90000006d97 R09: ffffc90000006d60
R10: 0000000000000000 R11: ffffffff810a7780 R12: dffffc0000000000
R13: ffffc90000007000 R14: 000000000000a020 R15: ffff888123905c20
FS: 00005555826b4500(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000139b CR3: 000000011de54000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
__perf_event_header__init_id+0x2ba/0x550 kernel/events/core.c:6972
perf_prepare_sample+0x18b/0x1d40 kernel/events/core.c:7488
__perf_event_output kernel/events/core.c:7682 [inline]
perf_event_output_forward+0xd1/0x1a0 kernel/events/core.c:7702
__perf_event_overflow+0x437/0x620 kernel/events/core.c:9448
perf_swevent_overflow kernel/events/core.c:9531 [inline]
perf_swevent_event+0x243/0x440 kernel/events/core.c:9582
perf_tp_event+0x75b/0xa20 kernel/events/core.c:10016
perf_trace_run_bpf_submit+0xf3/0x1c0 kernel/events/core.c:9984
perf_trace_x86_irq_vector+0x233/0x2c0 arch/x86/include/asm/trace/irq_vectors.h:13
trace_local_timer_exit arch/x86/include/asm/trace/irq_vectors.h:41 [inline]
__sysvec_apic_timer_interrupt+0x421/0x440 arch/x86/kernel/apic/apic.c:1125
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
sysvec_apic_timer_interrupt+0x53/0xc0 arch/x86/kernel/apic/apic.c:1118
asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691
RIP: 0010:queued_write_lock_slowpath+0x12e/0x3ad kernel/locking/qrwlock.c:85
Code: f0 41 81 0f 00 01 00 00 42 0f b6 04 23 84 c0 74 37 44 89 f9 80 e1 07 80 c1 03 38 c1 7c 2a 4c 89 ff e8 c6 dd b4 fc eb 20 f3 90 <42> 0f b6 04 23 84 c0 74 15 44 89 f9 80 e1 07 80 c1 03 38 c1 7c 08
RSP: 0018:ffffc90000007480 EFLAGS: 00000206
RAX: 00000000000001ff RBX: 1ffffffff0f005ae RCX: ffffffff85023344
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffffff87802d70
RBP: ffffc90000007530 R08: ffffffff87802d73 R09: 1ffffffff0f005ae
R10: dffffc0000000000 R11: fffffbfff0f005af R12: dffffc0000000000
R13: 1ffff92000000e94 R14: ffffc900000074d0 R15: ffffffff87802d70
queued_write_lock include/asm-generic/qrwlock.h:101 [inline]
__raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
_raw_write_lock_bh+0xe2/0xf0 kernel/locking/spinlock.c:334
neigh_forced_gc net/core/neighbour.c:264 [inline]
neigh_alloc net/core/neighbour.c:485 [inline]
___neigh_create+0x214/0x1e20 net/core/neighbour.c:648
__neigh_create+0x31/0x40 net/core/neighbour.c:737
ip6_finish_output2+0xa56/0x18a0 net/ipv6/ip6_output.c:129
__ip6_finish_output net/ipv6/ip6_output.c:205 [inline]
ip6_finish_output+0x5f9/0xbb0 net/ipv6/ip6_output.c:216
NF_HOOK_COND include/linux/netfilter.h:294 [inline]
ip6_output+0x1fa/0x410 net/ipv6/ip6_output.c:237
dst_output include/net/dst.h:453 [inline]
NF_HOOK include/linux/netfilter.h:305 [inline]
ndisc_send_skb+0x7dc/0xcc0 net/ipv6/ndisc.c:513
ndisc_send_rs+0x670/0x870 net/ipv6/ndisc.c:723
addrconf_rs_timer+0x2cf/0x610 net/ipv6/addrconf.c:4005
call_timer_fn+0x46/0x2a0 kernel/time/timer.c:1553
expire_timers kernel/time/timer.c:1604 [inline]
__run_timers+0x65b/0x9f0 kernel/time/timer.c:1875
run_timer_softirq+0x6a/0xf0 kernel/time/timer.c:1888
handle_softirqs+0x1d7/0x600 kernel/softirq.c:642
__do_softirq kernel/softirq.c:680 [inline]
invoke_softirq kernel/softirq.c:497 [inline]
__irq_exit_rcu+0x52/0xf0 kernel/softirq.c:729
irq_exit_rcu+0x9/0x10 kernel/softirq.c:741
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691
RIP: 0010:check_kcov_mode kernel/kcov.c:193 [inline]
RIP: 0010:write_comp_data kernel/kcov.c:245 [inline]
RIP: 0010:__sanitizer_cov_trace_const_cmp8+0x36/0x80 kernel/kcov.c:320
Code: a0 f2 90 7e 65 8b 15 a1 f2 90 7e 81 e2 00 01 ff 00 74 11 81 fa 00 01 00 00 75 57 83 b9 6c 0b 00 00 00 74 4e 8b 91 48 0b 00 00 <83> fa 03 75 43 48 8b 91 50 0b 00 00 44 8b 89 4c 0b 00 00 49 c1 e1
RSP: 0018:ffffc90000c77db0 EFLAGS: 00000246
RAX: ffffffff81674c29 RBX: 0000000000000004 RCX: ffff88811e531440
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000000
RBP: ffffc90000c77db0 R08: ffffc90000c77e4f R09: ffffc90000c77e40
R10: dffffc0000000000 R11: fffff5200018efca R12: 0000000000000081
R13: 1ffff9200018efc0 R14: 0000000000000004 R15: ffffc90000c77e40
__do_sys_futex kernel/futex/syscalls.c:202 [inline]
__se_sys_futex+0xc9/0x310 kernel/futex/syscalls.c:194
__x64_sys_futex+0xe5/0x100 kernel/futex/syscalls.c:194
x64_sys_call+0x7ec/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:203
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7facd4d9cdd9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc3caf6b48 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007facd4d9cdd9
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007facd5015fac
RBP: 000000000000139b R08: 0033129d0da8fe98 R09: 0000000000000000
R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
R13: 00007facd5015fac R14: 00007facd5015fa8 R15: 00007facd5015fa0
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup