Hello,
syzbot found the following issue on:
HEAD commit: c27210688955 Linux 6.1.173
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1117702e580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b1adc0bfde2d8a4a
dashboard link: https://syzkaller.appspot.com/bug?extid=1740cd1278ad039c1d0e
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/4cb5bf5356f0/disk-c2721068.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b3e6413ae0e6/vmlinux-c2721068.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6903bc5d334e/Image-c2721068.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1740cd...@syzkaller.appspotmail.com
watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [syz.1.234:5222]
Modules linked in:
irq event stamp: 1098623
hardirqs last enabled at (1098622): [<ffff8000083c18e8>] seqcount_lockdep_reader_access include/linux/seqlock.h:104 [inline]
hardirqs last enabled at (1098622): [<ffff8000083c18e8>] timekeeping_get_delta kernel/time/timekeeping.c:254 [inline]
hardirqs last enabled at (1098622): [<ffff8000083c18e8>] timekeeping_get_ns+0x124/0x3b4 kernel/time/timekeeping.c:388
hardirqs last disabled at (1098623): [<ffff800011a38ba4>] __el1_irq arch/arm64/kernel/entry-common.c:468 [inline]
hardirqs last disabled at (1098623): [<ffff800011a38ba4>] el1_interrupt+0x24/0x54 arch/arm64/kernel/entry-common.c:486
softirqs last enabled at (428): [<ffff80000fdd2728>] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
softirqs last disabled at (429): [<ffff800008020164>] __do_softirq+0x14/0x20 kernel/softirq.c:630
CPU: 0 PID: 5222 Comm: syz.1.234 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
pstate: 62400005 (nZCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
pc : __sanitizer_cov_trace_const_cmp4+0x0/0xb0 kernel/kcov.c:312
lr : cake_heapify+0x1b0/0x530 net/sched/sch_cake.c:1494
sp : ffff800008007190
x29: ffff8000080071a0 x28: 0000000000000000 x27: 00000000000198d0
x26: 00000000000013e2 x25: 0000000000000000 x24: 00000000000009f1
x23: dfff800000000000 x22: 00000000000009f1 x21: 0000000000000000
x20: ffff000103d682d0 x19: 00000000000009f1 x18: 00000000c52f2e35
x17: ffff80001835b000 x16: ffff8000082d93d8 x15: ffff800017e3c000
x14: 0000000000000001 x13: 1ffff00002a44071 x12: 0000000000ff0100
x11: ff00800010066d20 x10: 0000000000000000 x9 : ffff0000da435340
x8 : ffff800010066d20 x7 : ffff8000083c1cf0 x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
x2 : 0000000000000002 x1 : 00000000000009f1 x0 : 0000000000000fff
Call trace:
__sanitizer_cov_trace_const_cmp4+0x0/0xb0 kernel/kcov.c:308
cake_drop net/sched/sch_cake.c:1575 [inline]
cake_enqueue+0x3464/0x680c net/sched/sch_cake.c:1949
cbs_child_enqueue net/sched/sch_cbs.c:95 [inline]
cbs_enqueue_soft+0x14c/0x230 net/sched/sch_cbs.c:128
cbs_enqueue+0x54/0x68 net/sched/sch_cbs.c:136
dev_qdisc_enqueue+0x5c/0x388 net/core/dev.c:3900
__dev_xmit_skb net/core/dev.c:3989 [inline]
__dev_queue_xmit+0xaf8/0x3118 net/core/dev.c:4337
dev_queue_xmit include/linux/netdevice.h:3051 [inline]
tipc_l2_send_msg+0x29c/0x35c net/tipc/bearer.c:518
tipc_bearer_xmit_skb+0x240/0x380 net/tipc/bearer.c:577
tipc_disc_timeout+0x4d8/0x628 net/tipc/discover.c:338
call_timer_fn+0x1b8/0x95c kernel/time/timer.c:1701
expire_timers kernel/time/timer.c:1752 [inline]
__run_timers+0x478/0x6f0 kernel/time/timer.c:2023
run_timer_softirq+0x7c/0x114 kernel/time/timer.c:2036
handle_softirqs+0x318/0xc60 kernel/softirq.c:596
__do_softirq+0x14/0x20 kernel/softirq.c:630
____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:80
call_on_irq_stack+0x30/0x48 arch/arm64/kernel/entry.S:897
do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:85
do_softirq+0xf8/0x1a8 kernel/softirq.c:497
__local_bh_enable_ip+0x250/0x37c kernel/softirq.c:421
local_bh_enable+0x28/0x34 include/linux/bottom_half.h:33
rcu_read_unlock_bh include/linux/rcupdate.h:861 [inline]
__dev_queue_xmit+0x1720/0x3118 net/core/dev.c:4411
dev_queue_xmit include/linux/netdevice.h:3051 [inline]
neigh_hh_output include/net/neighbour.h:529 [inline]
neigh_output include/net/neighbour.h:543 [inline]
ip6_finish_output2+0xd28/0x1840 net/ipv6/ip6_output.c:138
__ip6_finish_output net/ipv6/ip6_output.c:205 [inline]
ip6_finish_output+0x594/0x92c net/ipv6/ip6_output.c:216
NF_HOOK_COND include/linux/netfilter.h:291 [inline]
ip6_output+0x274/0x500 net/ipv6/ip6_output.c:237
dst_output include/net/dst.h:453 [inline]
NF_HOOK include/linux/netfilter.h:302 [inline]
ip6_xmit+0x119c/0x1b08 net/ipv6/ip6_output.c:360
sctp_v6_xmit+0x818/0xf20 net/sctp/ipv6.c:250
sctp_packet_transmit+0x1dec/0x22d4 net/sctp/output.c:653
sctp_packet_singleton+0x1dc/0x2d0 net/sctp/outqueue.c:783
sctp_outq_flush_ctrl net/sctp/outqueue.c:914 [inline]
sctp_outq_flush+0x410/0x27d0 net/sctp/outqueue.c:1212
sctp_outq_uncork+0x84/0xc0 net/sctp/outqueue.c:764
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:-1 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline]
sctp_do_sm+0x41dc/0x481c net/sctp/sm_sideeffect.c:1170
sctp_primitive_ASSOCIATE+0x98/0xc8 net/sctp/primitive.c:73
sctp_sendmsg_to_asoc+0xce0/0x1354 net/sctp/socket.c:1838
sctp_sendmsg+0x13a8/0x20b4 net/sctp/socket.c:2028
inet_sendmsg+0x154/0x284 net/ipv4/af_inet.c:841
sock_sendmsg_nosec net/socket.c:718 [inline]
__sock_sendmsg net/socket.c:730 [inline]
____sys_sendmsg+0x5c8/0x938 net/socket.c:2518
___sys_sendmsg net/socket.c:2572 [inline]
__sys_sendmsg+0x288/0x374 net/socket.c:2601
__do_sys_sendmsg net/socket.c:2610 [inline]
__se_sys_sendmsg net/socket.c:2608 [inline]
__arm64_sys_sendmsg+0x80/0x94 net/socket.c:2608
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b4 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
do_el0_svc+0x58/0x130 arch/arm64/kernel/syscall.c:204
el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup