[v6.6] INFO: rcu detected stall in __tun_chr_ioctl


syzbot

Mar 22, 2026, 8:03:24 PM (2 days ago) Mar 22
to syzkaller...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 4fc00fe35d46 Linux 6.6.129
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1369aada580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c5b35c4db8465904
dashboard link: https://syzkaller.appspot.com/bug?extid=c0d8dcccc8f9d0e3f0d8
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fbfc516e4992/disk-4fc00fe3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e781b8cd32d5/vmlinux-4fc00fe3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6c03939713f9/bzImage-4fc00fe3.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c0d8dc...@syzkaller.appspotmail.com

rcu: INFO: rcu_preempt self-detected stall on CPU
rcu: 1-....: (10499 ticks this GP) idle=69c4/1/0x4000000000000000 softirq=19946/19946 fqs=4174
rcu: hardirqs softirqs csw/system
rcu: number: 1277573 0 0
rcu: cputime: 17491 34997 66 ==> 52490(ms)
rcu: (t=10500 jiffies g=22585 q=487 ncpus=2)
CPU: 1 PID: 7795 Comm: syz.2.551 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:should_resched arch/x86/include/asm/preempt.h:104 [inline]
RIP: 0010:__local_bh_enable_ip+0x142/0x1c0 kernel/softirq.c:413
Code: 8a e8 52 c6 32 09 65 66 8b 05 ca 51 b1 7e 66 85 c0 75 54 bf 01 00 00 00 e8 7b 22 0a 00 e8 06 28 3b 00 fb 65 8b 05 96 51 b1 7e <85> c0 75 05 e8 15 39 ae ff 48 c7 04 24 0e 36 e0 45 4b c7 04 37 00
RSP: 0018:ffffc900001f0660 EFLAGS: 00000286
RAX: 0000000000000101 RBX: 0000000000000201 RCX: f7b15573f776ee00
RDX: dffffc0000000000 RSI: ffffffff8acac960 RDI: ffffffff8b1c85a0
RBP: ffffc900001f06f0 R08: ffffffff911c15f7 R09: 1ffffffff22382be
R10: dffffc0000000000 R11: fffffbfff22382bf R12: ffffffff887d9294
R13: 000000000000dd86 R14: dffffc0000000000 R15: 1ffff9200003e0cc
FS: 00007fea2eb756c0(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000100000000 CR3: 000000005d9df000 CR4: 00000000003506e0
DR0: 0000200000000300 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
<IRQ>
neigh_hh_init net/core/neighbour.c:1543 [inline]
neigh_resolve_output+0x2b4/0x730 net/core/neighbour.c:1558
neigh_output include/net/neighbour.h:543 [inline]
ip6_finish_output2+0xe3d/0x1630 net/ipv6/ip6_output.c:141
dst_output include/net/dst.h:467 [inline]
NF_HOOK include/linux/netfilter.h:304 [inline]
ndisc_send_skb+0xc26/0x14f0 net/ipv6/ndisc.c:513
addrconf_rs_timer+0x2d5/0x630 net/ipv6/addrconf.c:4024
call_timer_fn+0x189/0x540 kernel/time/timer.c:1701
expire_timers kernel/time/timer.c:1752 [inline]
__run_timers+0x542/0x800 kernel/time/timer.c:2023
run_timer_softirq+0x67/0xf0 kernel/time/timer.c:2036
handle_softirqs+0x280/0x820 kernel/softirq.c:578
__do_softirq kernel/softirq.c:612 [inline]
invoke_softirq kernel/softirq.c:452 [inline]
__irq_exit_rcu+0xd3/0x190 kernel/softirq.c:661
irq_exit_rcu+0x9/0x20 kernel/softirq.c:673
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1088
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:preempt_schedule_irq+0xba/0x150 kernel/sched/core.c:7010
Code: 00 00 43 c6 44 37 04 f8 74 0b 0f 0b 48 f7 03 08 00 00 00 74 6f bf 01 00 00 00 e8 51 2b cf f6 e8 7c 32 00 f7 fb bf 01 00 00 00 <e8> f1 b4 ff ff 43 c6 44 37 08 00 48 c7 44 24 40 00 00 00 00 9c 8f
RSP: 0018:ffffc900102ef540 EFLAGS: 00000286
RAX: f7b15573f776ee00 RBX: ffff888018b81e00 RCX: f7b15573f776ee00
RDX: dffffc0000000000 RSI: ffffffff8acac960 RDI: 0000000000000001
RBP: ffffc900102ef5e0 R08: ffffffff911c150f R09: 1ffffffff22382a1
R10: dffffc0000000000 R11: fffffbfff22382a2 R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffff9200205dea8
irqentry_exit+0x67/0x70 kernel/entry/common.c:438
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:find_stack lib/stackdepot.c:351 [inline]
RIP: 0010:__stack_depot_save+0x162/0x630 lib/stackdepot.c:390
Code: 8c e6 00 13 8b 2d 82 e6 00 13 44 21 e5 4c 8b 2c ee 4d 85 ed 74 33 44 89 f0 eb 09 4d 8b 6d 00 4d 85 ed 74 25 45 39 65 08 75 f1 <45> 39 75 0c 75 eb 31 c9 48 8b 14 cb 49 3b 54 cd 18 75 de 48 ff c1
RSP: 0018:ffffc900102ef6a8 EFLAGS: 00000246
RAX: 000000000000000c RBX: ffffc900102ef700 RCX: 00000000b24ea546
RDX: 00000000f82f7d82 RSI: ffff88823b400000 RDI: 0000000000000dc0
RBP: 00000000000bcd07 R08: 00000000fa23ae79 R09: 000000007ccceed2
R10: dffffc0000000000 R11: fffffbfff1d15dde R12: 00000000cfdbcd07
R13: ffff88805f3abf70 R14: 000000000000000c R15: 0000000000000001
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_set_track+0x5f/0x70 mm/kasan/common.c:53
____kasan_kmalloc mm/kasan/common.c:375 [inline]
__kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:384
kasan_kmalloc include/linux/kasan.h:198 [inline]
__do_kmalloc_node mm/slab_common.c:1007 [inline]
__kmalloc_node+0xb4/0x230 mm/slab_common.c:1014
kmalloc_node include/linux/slab.h:620 [inline]
kvmalloc_node+0x70/0x180 mm/util.c:617
kvmalloc include/linux/slab.h:738 [inline]
kvmalloc_array include/linux/slab.h:756 [inline]
__ptr_ring_init_queue_alloc include/linux/ptr_ring.h:471 [inline]
ptr_ring_resize include/linux/ptr_ring.h:594 [inline]
tun_attach+0x884/0x1570 drivers/net/tun.c:791
tun_net_init+0x3f3/0x4e0 drivers/net/tun.c:1007
register_netdevice+0x67b/0x1bb0 net/core/dev.c:10233
tun_set_iff+0x848/0xed0 drivers/net/tun.c:2862
__tun_chr_ioctl+0x7ee/0x2000 drivers/net/tun.c:3131
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xfd/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x55/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7fea2dd9c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fea2eb75028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fea2e015fa0 RCX: 00007fea2dd9c799
RDX: 0000200000000040 RSI: 00000000400454ca RDI: 0000000000000009
RBP: 00007fea2de32c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fea2e016038 R14: 00007fea2e015fa0 R15: 00007ffee3100448
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup