[v6.6] INFO: rcu detected stall in inet_ioctl
0 views
Skip to first unread message
syzbot
Jun 26, 2026, 3:25:38 PM (2 days ago) Jun 26
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: d1cfde2d5d15 Linux 6.6.143
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11abc246580000
kernel config: https://syzkaller.appspot.com/x/.config?x=441765643cbfb8d
dashboard link: https://syzkaller.appspot.com/bug?extid=d936ef673502dbf6f3e0
compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/65f04d62b48f/disk-d1cfde2d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6a803b737439/vmlinux-d1cfde2d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e621f8d5e524/bzImage-d1cfde2d.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d936ef...@syzkaller.appspotmail.com
rcu: INFO: rcu_preempt self-detected stall on CPU
rcu: 0-....: (1 GPs behind) idle=dc84/1/0x4000000000000000 softirq=34772/34773 fqs=4271
rcu: hardirqs softirqs csw/system
rcu: number: 1040401 0 0
rcu: cputime: 14762 37727 73 ==> 52490(ms)
rcu: (t=10500 jiffies g=44169 q=1759 ncpus=2)
CPU: 0 PID: 10991 Comm: syz.2.1827 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xc0/0x120 kernel/locking/spinlock.c:194
Code: c7 44 24 20 00 00 00 00 9c 8f 44 24 20 f7 44 24 20 00 02 00 00 41 c6 04 07 f8 75 4b f7 c3 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> 4b e4 ce f6 65 8b 05 1c 33 76 75 85 c0 74 3c 48 c7 04 24 0e 36
RSP: 0018:ffffc90000007a40 EFLAGS: 00000206
RAX: dffffc0000000004 RBX: 0000000000000a06 RCX: e422819977466100
RDX: dffffc0000000000 RSI: ffffffff8acacb60 RDI: 0000000000000001
RBP: ffffc90000007ad0 R08: ffffffff911bc557 R09: 1ffffffff22378aa
R10: dffffc0000000000 R11: fffffbfff22378ab R12: dffffc0000000000
R13: 1ffff92000000f5c R14: ffffffff8d8c34d8 R15: 1ffff92000000f48
FS: 00007f97506ad6c0(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4e515456b8 CR3: 000000001929e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
<IRQ>
spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
mix_pool_bytes drivers/char/random.c:634 [inline]
mix_interrupt_randomness+0x1ef/0x2e0 drivers/char/random.c:1072
call_timer_fn+0x189/0x540 kernel/time/timer.c:1701
expire_timers kernel/time/timer.c:1752 [inline]
__run_timers+0x570/0x810 kernel/time/timer.c:2023
run_timer_softirq+0x67/0xf0 kernel/time/timer.c:2036
handle_softirqs+0x27d/0x820 kernel/softirq.c:578
__do_softirq kernel/softirq.c:612 [inline]
invoke_softirq kernel/softirq.c:452 [inline]
__irq_exit_rcu+0xd3/0x190 kernel/softirq.c:661
irq_exit_rcu+0x9/0x20 kernel/softirq.c:673
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1088
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:lock_acquire+0x208/0x420 kernel/locking/lockdep.c:5758
Code: f7 84 24 80 00 00 00 00 02 00 00 43 c6 44 3c 04 f8 0f 85 f0 00 00 00 41 f7 c6 00 02 00 00 74 01 fb 48 c7 44 24 60 0e 36 e0 45 <4b> c7 04 3c 00 00 00 00 43 c7 44 3c 08 00 00 00 00 65 48 8b 04 25
RSP: 0018:ffffc900033169a0 EFLAGS: 00000206
RAX: 0000000000000001 RBX: 0000000000000000 RCX: e422819977466100
RDX: 0000000000000002 RSI: ffffffff8acadce0 RDI: ffffffff8b1c7be0
RBP: ffffc90003316aa8 R08: dffffc0000000000 R09: 1ffffffff274b701
R10: dffffc0000000000 R11: fffffbfff274b702 R12: 1ffff92000662d40
R13: ffffffff8cfa2e38 R14: 0000000000000246 R15: dffffc0000000000
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
pgd_dtor arch/x86/mm/pgtable.c:148 [inline]
pgd_free+0x2c/0x160 arch/x86/mm/pgtable.c:487
mm_free_pgd kernel/fork.c:811 [inline]
__mmdrop+0xb4/0x3d0 kernel/fork.c:927
mmdrop include/linux/sched/mm.h:54 [inline]
mmdrop_sched include/linux/sched/mm.h:82 [inline]
mmdrop_lazy_tlb_sched include/linux/sched/mm.h:109 [inline]
finish_task_switch+0x3da/0x8f0 kernel/sched/core.c:5280
context_switch kernel/sched/core.c:5384 [inline]
__schedule+0x15b6/0x4660 kernel/sched/core.c:6700
preempt_schedule_common+0x82/0xc0 kernel/sched/core.c:6867
preempt_schedule+0xc0/0xd0 kernel/sched/core.c:6891
preempt_schedule_thunk+0x1a/0x30 arch/x86/entry/thunk_64.S:45
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
_raw_spin_unlock_irqrestore+0x111/0x120 kernel/locking/spinlock.c:194
__stack_depot_save+0x575/0x660 lib/stackdepot.c:439
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_set_track+0x5f/0x70 mm/kasan/common.c:53
kasan_save_free_info+0x28/0x40 mm/kasan/generic.c:522
____kasan_slab_free+0x126/0x1f0 mm/kasan/common.c:237
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1811 [inline]
slab_free_freelist_hook+0x130/0x1a0 mm/slub.c:1837
slab_free mm/slub.c:3830 [inline]
__kmem_cache_free+0xba/0x1f0 mm/slub.c:3843
skb_kfree_head net/core/skbuff.c:946 [inline]
skb_free_head net/core/skbuff.c:958 [inline]
skb_release_data+0x609/0x7f0 net/core/skbuff.c:988
skb_release_all net/core/skbuff.c:1054 [inline]
__kfree_skb net/core/skbuff.c:1068 [inline]
consume_skb+0xb2/0x110 net/core/skbuff.c:1284
netlink_broadcast_filtered+0x103c/0x1130 net/netlink/af_netlink.c:1543
netlink_broadcast net/netlink/af_netlink.c:1565 [inline]
nlmsg_multicast include/net/netlink.h:1090 [inline]
nlmsg_notify+0xe3/0x1a0 net/netlink/af_netlink.c:2593
fib_table_delete+0xcd2/0xfc0 net/ipv4/fib_trie.c:1746
fib_magic+0x2ee/0x3b0 net/ipv4/fib_frontend.c:1120
fib_del_ifaddr+0x1018/0x14c0 net/ipv4/fib_frontend.c:1322
fib_inetaddr_event+0xbb/0x1d0 net/ipv4/fib_frontend.c:1462
notifier_call_chain+0x18f/0x380 kernel/notifier.c:93
blocking_notifier_call_chain+0x6a/0x90 kernel/notifier.c:388
__inet_del_ifa+0xaac/0x1090 net/ipv4/devinet.c:446
inet_del_ifa net/ipv4/devinet.c:483 [inline]
devinet_ioctl+0x146c/0x1d70 net/ipv4/devinet.c:1256
inet_ioctl+0x42b/0x560 net/ipv4/af_inet.c:1000
sock_do_ioctl+0xfc/0x310 net/socket.c:1220
sock_ioctl+0x5be/0x7e0 net/socket.c:1341
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xfd/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f974f79ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f97506ad028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f974fa15fa0 RCX: 00007f974f79ce59
RDX: 0000200000000040 RSI: 000000000000891c RDI: 0000000000000008
RBP: 00007f974f832e6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f974fa16038 R14: 00007f974fa15fa0 R15: 00007ffdc5df7de8
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: d1cfde2d5d15 Linux 6.6.143
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=11abc246580000
kernel config: https://syzkaller.appspot.com/x/.config?x=441765643cbfb8d
dashboard link: https://syzkaller.appspot.com/bug?extid=d936ef673502dbf6f3e0
compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/65f04d62b48f/disk-d1cfde2d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6a803b737439/vmlinux-d1cfde2d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e621f8d5e524/bzImage-d1cfde2d.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d936ef...@syzkaller.appspotmail.com
rcu: INFO: rcu_preempt self-detected stall on CPU
rcu: 0-....: (1 GPs behind) idle=dc84/1/0x4000000000000000 softirq=34772/34773 fqs=4271
rcu: hardirqs softirqs csw/system
rcu: number: 1040401 0 0
rcu: cputime: 14762 37727 73 ==> 52490(ms)
rcu: (t=10500 jiffies g=44169 q=1759 ncpus=2)
CPU: 0 PID: 10991 Comm: syz.2.1827 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xc0/0x120 kernel/locking/spinlock.c:194
Code: c7 44 24 20 00 00 00 00 9c 8f 44 24 20 f7 44 24 20 00 02 00 00 41 c6 04 07 f8 75 4b f7 c3 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> 4b e4 ce f6 65 8b 05 1c 33 76 75 85 c0 74 3c 48 c7 04 24 0e 36
RSP: 0018:ffffc90000007a40 EFLAGS: 00000206
RAX: dffffc0000000004 RBX: 0000000000000a06 RCX: e422819977466100
RDX: dffffc0000000000 RSI: ffffffff8acacb60 RDI: 0000000000000001
RBP: ffffc90000007ad0 R08: ffffffff911bc557 R09: 1ffffffff22378aa
R10: dffffc0000000000 R11: fffffbfff22378ab R12: dffffc0000000000
R13: 1ffff92000000f5c R14: ffffffff8d8c34d8 R15: 1ffff92000000f48
FS: 00007f97506ad6c0(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4e515456b8 CR3: 000000001929e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
<IRQ>
spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
mix_pool_bytes drivers/char/random.c:634 [inline]
mix_interrupt_randomness+0x1ef/0x2e0 drivers/char/random.c:1072
call_timer_fn+0x189/0x540 kernel/time/timer.c:1701
expire_timers kernel/time/timer.c:1752 [inline]
__run_timers+0x570/0x810 kernel/time/timer.c:2023
run_timer_softirq+0x67/0xf0 kernel/time/timer.c:2036
handle_softirqs+0x27d/0x820 kernel/softirq.c:578
__do_softirq kernel/softirq.c:612 [inline]
invoke_softirq kernel/softirq.c:452 [inline]
__irq_exit_rcu+0xd3/0x190 kernel/softirq.c:661
irq_exit_rcu+0x9/0x20 kernel/softirq.c:673
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1088 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1088
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:687
RIP: 0010:lock_acquire+0x208/0x420 kernel/locking/lockdep.c:5758
Code: f7 84 24 80 00 00 00 00 02 00 00 43 c6 44 3c 04 f8 0f 85 f0 00 00 00 41 f7 c6 00 02 00 00 74 01 fb 48 c7 44 24 60 0e 36 e0 45 <4b> c7 04 3c 00 00 00 00 43 c7 44 3c 08 00 00 00 00 65 48 8b 04 25
RSP: 0018:ffffc900033169a0 EFLAGS: 00000206
RAX: 0000000000000001 RBX: 0000000000000000 RCX: e422819977466100
RDX: 0000000000000002 RSI: ffffffff8acadce0 RDI: ffffffff8b1c7be0
RBP: ffffc90003316aa8 R08: dffffc0000000000 R09: 1ffffffff274b701
R10: dffffc0000000000 R11: fffffbfff274b702 R12: 1ffff92000662d40
R13: ffffffff8cfa2e38 R14: 0000000000000246 R15: dffffc0000000000
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
pgd_dtor arch/x86/mm/pgtable.c:148 [inline]
pgd_free+0x2c/0x160 arch/x86/mm/pgtable.c:487
mm_free_pgd kernel/fork.c:811 [inline]
__mmdrop+0xb4/0x3d0 kernel/fork.c:927
mmdrop include/linux/sched/mm.h:54 [inline]
mmdrop_sched include/linux/sched/mm.h:82 [inline]
mmdrop_lazy_tlb_sched include/linux/sched/mm.h:109 [inline]
finish_task_switch+0x3da/0x8f0 kernel/sched/core.c:5280
context_switch kernel/sched/core.c:5384 [inline]
__schedule+0x15b6/0x4660 kernel/sched/core.c:6700
preempt_schedule_common+0x82/0xc0 kernel/sched/core.c:6867
preempt_schedule+0xc0/0xd0 kernel/sched/core.c:6891
preempt_schedule_thunk+0x1a/0x30 arch/x86/entry/thunk_64.S:45
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
_raw_spin_unlock_irqrestore+0x111/0x120 kernel/locking/spinlock.c:194
__stack_depot_save+0x575/0x660 lib/stackdepot.c:439
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_set_track+0x5f/0x70 mm/kasan/common.c:53
kasan_save_free_info+0x28/0x40 mm/kasan/generic.c:522
____kasan_slab_free+0x126/0x1f0 mm/kasan/common.c:237
kasan_slab_free include/linux/kasan.h:164 [inline]
slab_free_hook mm/slub.c:1811 [inline]
slab_free_freelist_hook+0x130/0x1a0 mm/slub.c:1837
slab_free mm/slub.c:3830 [inline]
__kmem_cache_free+0xba/0x1f0 mm/slub.c:3843
skb_kfree_head net/core/skbuff.c:946 [inline]
skb_free_head net/core/skbuff.c:958 [inline]
skb_release_data+0x609/0x7f0 net/core/skbuff.c:988
skb_release_all net/core/skbuff.c:1054 [inline]
__kfree_skb net/core/skbuff.c:1068 [inline]
consume_skb+0xb2/0x110 net/core/skbuff.c:1284
netlink_broadcast_filtered+0x103c/0x1130 net/netlink/af_netlink.c:1543
netlink_broadcast net/netlink/af_netlink.c:1565 [inline]
nlmsg_multicast include/net/netlink.h:1090 [inline]
nlmsg_notify+0xe3/0x1a0 net/netlink/af_netlink.c:2593
fib_table_delete+0xcd2/0xfc0 net/ipv4/fib_trie.c:1746
fib_magic+0x2ee/0x3b0 net/ipv4/fib_frontend.c:1120
fib_del_ifaddr+0x1018/0x14c0 net/ipv4/fib_frontend.c:1322
fib_inetaddr_event+0xbb/0x1d0 net/ipv4/fib_frontend.c:1462
notifier_call_chain+0x18f/0x380 kernel/notifier.c:93
blocking_notifier_call_chain+0x6a/0x90 kernel/notifier.c:388
__inet_del_ifa+0xaac/0x1090 net/ipv4/devinet.c:446
inet_del_ifa net/ipv4/devinet.c:483 [inline]
devinet_ioctl+0x146c/0x1d70 net/ipv4/devinet.c:1256
inet_ioctl+0x42b/0x560 net/ipv4/af_inet.c:1000
sock_do_ioctl+0xfc/0x310 net/socket.c:1220
sock_ioctl+0x5be/0x7e0 net/socket.c:1341
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xfd/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f974f79ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f97506ad028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f974fa15fa0 RCX: 00007f974f79ce59
RDX: 0000200000000040 RSI: 000000000000891c RDI: 0000000000000008
RBP: 00007f974f832e6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f974fa16038 R14: 00007f974fa15fa0 R15: 00007ffdc5df7de8
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Reply all
Reply to author
Forward
0 new messages