[syzbot] [io-uring?] INFO: task hung in io_wq_put_and_exit (6)
18 views
Skip to first unread message
syzbot
Aug 18, 2025, 4:05:34 AM8/18/25
to anna-...@linutronix.de, ax...@kernel.dk, fred...@kernel.org, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, tg...@linutronix.de
Hello,
syzbot found the following issue on:
HEAD commit: 931e46dcbc7e Add linux-next specific files for 20250814
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=16d26ba2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a286bd75352e92fa
dashboard link: https://syzkaller.appspot.com/bug?extid=4eb282331cab6d5b6588
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13d206f0580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13e993a2580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fb896162d550/disk-931e46dc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/45f6f857b82c/vmlinux-931e46dc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0f16e70143e1/bzImage-931e46dc.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4eb282...@syzkaller.appspotmail.com
INFO: task syz-executor369:6499 blocked for more than 143 seconds.
Not tainted 6.17.0-rc1-next-20250814-syzkaller #0
Blocked by coredump.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor369 state:D stack:27984 pid:6499 tgid:6498 ppid:5865 task_flags:0x400548 flags:0x00024002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5357 [inline]
__schedule+0x1798/0x4cc0 kernel/sched/core.c:6961
__schedule_loop kernel/sched/core.c:7043 [inline]
schedule+0x165/0x360 kernel/sched/core.c:7058
schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:100 [inline]
__wait_for_common kernel/sched/completion.c:121 [inline]
wait_for_common kernel/sched/completion.c:132 [inline]
wait_for_completion+0x2bf/0x5d0 kernel/sched/completion.c:153
io_wq_exit_workers io_uring/io-wq.c:1327 [inline]
io_wq_put_and_exit+0x316/0x650 io_uring/io-wq.c:1355
io_uring_clean_tctx+0x11f/0x1a0 io_uring/tctx.c:203
io_uring_cancel_generic+0x6ca/0x7d0 io_uring/io_uring.c:3272
io_uring_files_cancel include/linux/io_uring.h:19 [inline]
do_exit+0x345/0x2300 kernel/exit.c:907
do_group_exit+0x21c/0x2d0 kernel/exit.c:1102
get_signal+0x1286/0x1340 kernel/signal.c:3034
arch_do_signal_or_restart+0x9a/0x750 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop+0x75/0x110 kernel/entry/common.c:40
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fec3779c659
RSP: 002b:00007fec37752218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fec37823328 RCX: 00007fec3779c659
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fec37823328
RBP: 00007fec37823320 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fec377f0270
R13: 0000000000000000 R14: 0000200000000200 R15: 00007ffd3af7b848
</TASK>
INFO: lockdep is turned off.
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 31 Comm: khungtaskd Not tainted 6.17.0-rc1-next-20250814-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
nmi_cpu_backtrace+0x39e/0x3d0 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:332 [inline]
watchdog+0xf60/0xfa0 kernel/hung_task.c:495
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 6811 Comm: iou-wrk-6807 Not tainted 6.17.0-rc1-next-20250814-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:native_read_msr_safe arch/x86/include/asm/msr.h:121 [inline]
RIP: 0010:__rdmsr_safe_on_cpu+0x3c/0x130 arch/x86/lib/msr-smp.c:156
Code: bd 00 00 00 00 00 fc ff df e8 10 d2 bd fc 48 89 d8 48 c1 e8 03 42 0f b6 04 28 84 c0 0f 85 82 00 00 00 44 8b 23 44 89 e1 0f 32 <31> ed 49 89 c7 49 89 d6 0f 1f 44 00 00 e8 e2 d1 bd fc 49 c1 e6 20
RSP: 0018:ffffc90004e17428 EFLAGS: 00000046
RAX: 0000000000000000 RBX: ffffc90004e17600 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8be34be0 RDI: ffffc90004e17600
RBP: ffffc90004e17538 R08: ffffffff8fa3b137 R09: 1ffffffff1f47626
R10: dffffc0000000000 R11: ffffffff8501d3e0 R12: 0000000000000000
R13: dffffc0000000000 R14: ffffffff8501d3e0 R15: 1ffff920009c2eb9
FS: 00007fec377526c0(0000) GS:ffff888125c0f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000a89000 CR3: 0000000026df2000 CR4: 00000000003526f0
Call Trace:
<TASK>
csd_do_func kernel/smp.c:136 [inline]
generic_exec_single+0x237/0x500 kernel/smp.c:439
smp_call_function_single_async+0x79/0x110 kernel/smp.c:732
rdmsr_safe_on_cpu+0x127/0x230 arch/x86/lib/msr-smp.c:179
msr_read+0x14d/0x250 arch/x86/kernel/msr.c:66
loop_rw_iter+0x425/0x660 include/linux/uio.h:-1
io_iter_do_read io_uring/rw.c:830 [inline]
__io_read+0x1326/0x14f0 io_uring/rw.c:941
io_read+0x1c/0x60 io_uring/rw.c:1020
__io_issue_sqe+0x17e/0x4b0 io_uring/io_uring.c:1773
io_issue_sqe+0x165/0xfd0 io_uring/io_uring.c:1796
io_wq_submit_work+0x6e9/0xb90 io_uring/io_uring.c:1908
io_worker_handle_work+0x7cd/0x1180 io_uring/io-wq.c:650
io_wq_worker+0x42f/0xeb0 io_uring/io-wq.c:704
ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 931e46dcbc7e Add linux-next specific files for 20250814
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=16d26ba2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a286bd75352e92fa
dashboard link: https://syzkaller.appspot.com/bug?extid=4eb282331cab6d5b6588
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13d206f0580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=13e993a2580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/fb896162d550/disk-931e46dc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/45f6f857b82c/vmlinux-931e46dc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/0f16e70143e1/bzImage-931e46dc.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4eb282...@syzkaller.appspotmail.com
INFO: task syz-executor369:6499 blocked for more than 143 seconds.
Not tainted 6.17.0-rc1-next-20250814-syzkaller #0
Blocked by coredump.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor369 state:D stack:27984 pid:6499 tgid:6498 ppid:5865 task_flags:0x400548 flags:0x00024002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5357 [inline]
__schedule+0x1798/0x4cc0 kernel/sched/core.c:6961
__schedule_loop kernel/sched/core.c:7043 [inline]
schedule+0x165/0x360 kernel/sched/core.c:7058
schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:100 [inline]
__wait_for_common kernel/sched/completion.c:121 [inline]
wait_for_common kernel/sched/completion.c:132 [inline]
wait_for_completion+0x2bf/0x5d0 kernel/sched/completion.c:153
io_wq_exit_workers io_uring/io-wq.c:1327 [inline]
io_wq_put_and_exit+0x316/0x650 io_uring/io-wq.c:1355
io_uring_clean_tctx+0x11f/0x1a0 io_uring/tctx.c:203
io_uring_cancel_generic+0x6ca/0x7d0 io_uring/io_uring.c:3272
io_uring_files_cancel include/linux/io_uring.h:19 [inline]
do_exit+0x345/0x2300 kernel/exit.c:907
do_group_exit+0x21c/0x2d0 kernel/exit.c:1102
get_signal+0x1286/0x1340 kernel/signal.c:3034
arch_do_signal_or_restart+0x9a/0x750 arch/x86/kernel/signal.c:337
exit_to_user_mode_loop+0x75/0x110 kernel/entry/common.c:40
exit_to_user_mode_prepare include/linux/irq-entry-common.h:225 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:175 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:210 [inline]
do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fec3779c659
RSP: 002b:00007fec37752218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fec37823328 RCX: 00007fec3779c659
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fec37823328
RBP: 00007fec37823320 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fec377f0270
R13: 0000000000000000 R14: 0000200000000200 R15: 00007ffd3af7b848
</TASK>
INFO: lockdep is turned off.
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 31 Comm: khungtaskd Not tainted 6.17.0-rc1-next-20250814-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
nmi_cpu_backtrace+0x39e/0x3d0 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:332 [inline]
watchdog+0xf60/0xfa0 kernel/hung_task.c:495
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 6811 Comm: iou-wrk-6807 Not tainted 6.17.0-rc1-next-20250814-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:native_read_msr_safe arch/x86/include/asm/msr.h:121 [inline]
RIP: 0010:__rdmsr_safe_on_cpu+0x3c/0x130 arch/x86/lib/msr-smp.c:156
Code: bd 00 00 00 00 00 fc ff df e8 10 d2 bd fc 48 89 d8 48 c1 e8 03 42 0f b6 04 28 84 c0 0f 85 82 00 00 00 44 8b 23 44 89 e1 0f 32 <31> ed 49 89 c7 49 89 d6 0f 1f 44 00 00 e8 e2 d1 bd fc 49 c1 e6 20
RSP: 0018:ffffc90004e17428 EFLAGS: 00000046
RAX: 0000000000000000 RBX: ffffc90004e17600 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8be34be0 RDI: ffffc90004e17600
RBP: ffffc90004e17538 R08: ffffffff8fa3b137 R09: 1ffffffff1f47626
R10: dffffc0000000000 R11: ffffffff8501d3e0 R12: 0000000000000000
R13: dffffc0000000000 R14: ffffffff8501d3e0 R15: 1ffff920009c2eb9
FS: 00007fec377526c0(0000) GS:ffff888125c0f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000a89000 CR3: 0000000026df2000 CR4: 00000000003526f0
Call Trace:
<TASK>
csd_do_func kernel/smp.c:136 [inline]
generic_exec_single+0x237/0x500 kernel/smp.c:439
smp_call_function_single_async+0x79/0x110 kernel/smp.c:732
rdmsr_safe_on_cpu+0x127/0x230 arch/x86/lib/msr-smp.c:179
msr_read+0x14d/0x250 arch/x86/kernel/msr.c:66
loop_rw_iter+0x425/0x660 include/linux/uio.h:-1
io_iter_do_read io_uring/rw.c:830 [inline]
__io_read+0x1326/0x14f0 io_uring/rw.c:941
io_read+0x1c/0x60 io_uring/rw.c:1020
__io_issue_sqe+0x17e/0x4b0 io_uring/io_uring.c:1773
io_issue_sqe+0x165/0xfd0 io_uring/io_uring.c:1796
io_wq_submit_work+0x6e9/0xb90 io_uring/io_uring.c:1908
io_worker_handle_work+0x7cd/0x1180 io_uring/io-wq.c:650
io_wq_worker+0x42f/0xeb0 io_uring/io-wq.c:704
ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Jens Axboe
Jan 19, 2026, 10:48:40 PM (4 days ago) Jan 19
to syzbot, anna-...@linutronix.de, fred...@kernel.org, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, tg...@linutronix.de
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux.git syztest
syzbot
Jan 19, 2026, 11:13:06 PM (4 days ago) Jan 19
to anna-...@linutronix.de, ax...@kernel.dk, fred...@kernel.org, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, tg...@linutronix.de
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in io_wq_exit_workers
INFO: task syz.2.600:7996 blocked for more than 143 seconds.
Not tainted syzkaller #0
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5260 [inline]
__schedule+0x1138/0x5ee0 kernel/sched/core.c:6867
__schedule_loop kernel/sched/core.c:6949 [inline]
schedule+0xe7/0x3a0 kernel/sched/core.c:6964
schedule_timeout+0x257/0x290 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:100 [inline]
__wait_for_common+0x2fc/0x4e0 kernel/sched/completion.c:121
io_wq_exit_workers+0x3b7/0x8b0 io_uring/io-wq.c:1383
io_wq_put_and_exit+0xba/0x270 io_uring/io-wq.c:1414
io_uring_clean_tctx+0x10d/0x190 io_uring/tctx.c:203
io_uring_cancel_generic+0x69c/0x9a0 io_uring/cancel.c:651
io_uring_files_cancel include/linux/io_uring.h:19 [inline]
do_exit+0x2ce/0x2bd0 kernel/exit.c:911
do_group_exit+0xd3/0x2a0 kernel/exit.c:1112
get_signal+0x2671/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x7e0 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:41 [inline]
exit_to_user_mode_loop+0x8c/0x540 kernel/entry/common.c:75
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
do_syscall_64+0x4ee/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f22d238f749
RSP: 002b:00007f22d319b0e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f22d25e5fa8 RCX: 00007f22d238f749
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f22d25e5fa8
RBP: 00007f22d25e5fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f22d25e6038 R14: 00007ffdc1419da0 R15: 00007ffdc1419e88
</TASK>
Showing all locks held in the system:
3 locks held by kworker/0:0/9:
#0: ffff88813ff51948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x128d/0x1b20 kernel/workqueue.c:3232
#1:
ffffc900000e7c90 (deferred_process_work){+.+.}-{0:0}, at: process_one_work+0x914/0x1b20 kernel/workqueue.c:3233
#2: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: switchdev_deferred_process_work+0xe/0x20 net/switchdev/switchdev.c:104
3 locks held by kworker/1:0/24:
1 lock held by khungtaskd/31:
#0: ffffffff8e3c9620 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#0: ffffffff8e3c9620 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
#0: ffffffff8e3c9620 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x36/0x1c0 kernel/locking/lockdep.c:6775
2 locks held by kworker/u8:3/37:
#0: ffff88801c7fd148 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_one_work+0x128d/0x1b20 kernel/workqueue.c:3232
#1: ffffc90000ad7c90 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x914/0x1b20 kernel/workqueue.c:3233
5 locks held by kworker/u8:7/1041:
#0: ffff88801badc948 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x128d/0x1b20 kernel/workqueue.c:3232
#1: ffffc90003a4fc90 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x914/0x1b20 kernel/workqueue.c:3233
#2: ffffffff9012bdd0 (pernet_ops_rwsem){++++}-{4:4}, at: cleanup_net+0xad/0x830 net/core/net_namespace.c:670
#3: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: ops_exit_rtnl_list net/core/net_namespace.c:173 [inline]
#3: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: ops_undo_list+0x7e9/0xab0 net/core/net_namespace.c:248
#4: ffffffff8e3d4d78 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock+0x284/0x3c0 kernel/rcu/tree_exp.h:311
3 locks held by kworker/u8:9/1147:
#0: ffff88814cf76948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x128d/0x1b20 kernel/workqueue.c:3232
#1: ffffc90003f4fc90 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_one_work+0x914/0x1b20 kernel/workqueue.c:3233
#2: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
#2: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: addrconf_verify_work+0x12/0x30 net/ipv6/addrconf.c:4734
3 locks held by kworker/u8:11/3526:
2 locks held by kworker/u8:12/3877:
#0: ffff88801c7fd148 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_one_work+0x128d/0x1b20 kernel/workqueue.c:3232
#1: ffffc9000c8b7c90 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x914/0x1b20 kernel/workqueue.c:3233
2 locks held by udevd/5186:
1 lock held by dhcpcd/5481:
#0: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
#0: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: devinet_ioctl+0x26d/0x1f30 net/ipv4/devinet.c:1120
2 locks held by getty/5573:
#0: ffff8880367330a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc9000332e2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x41b/0x1510 drivers/tty/n_tty.c:2211
3 locks held by kworker/1:5/6331:
3 locks held by kworker/u8:16/6619:
#0: ffff88813ff69948 ((wq_completion)events_unbound#2){+.+.}-{0:0}, at: process_one_work+0x128d/0x1b20 kernel/workqueue.c:3232
#1: ffffc90003e1fc90 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work+0x914/0x1b20 kernel/workqueue.c:3233
#2: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: linkwatch_event+0x51/0xc0 net/core/link_watch.c:303
2 locks held by kworker/u8:18/6822:
#0: ffff88801c7fd148 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_one_work+0x128d/0x1b20 kernel/workqueue.c:3232
#1: ffffc90003507c90 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x914/0x1b20 kernel/workqueue.c:3233
7 locks held by kworker/1:10/7907:
2 locks held by kworker/u8:22/7948:
1 lock held by iou-wrk-7996/8005:
2 locks held by iou-wrk-8200/8202:
2 locks held by kworker/0:10/8282:
1 lock held by iou-wrk-8313/8318:
2 locks held by syz-executor/8492:
#0: ffffffff90890c48 (&ops->srcu#2){.+.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:185 [inline]
#0: ffffffff90890c48 (&ops->srcu#2){.+.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:277 [inline]
#0: ffffffff90890c48 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x113/0x2c0 net/core/rtnetlink.c:574
#1: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
#1: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
#1: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x5f6/0x1f50 net/core/rtnetlink.c:4071
2 locks held by syz-executor/8544:
#0: ffffffff8f4d9ea8 (
&ops->srcu
#2
){.+.+}-{0:0}
, at: srcu_lock_acquire include/linux/srcu.h:185 [inline]
, at: srcu_read_lock include/linux/srcu.h:277 [inline]
, at: rtnl_link_ops_get+0x113/0x2c0 net/core/rtnetlink.c:574
#1: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
#1: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
#1: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x5f6/0x1f50 net/core/rtnetlink.c:4071
1 lock held by syz-executor/8572:
#0: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
#0: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: inet6_rtm_newaddr+0x4e4/0x1c50 net/ipv6/addrconf.c:5027
1 lock held by syz-executor/8691:
#0:
ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: inet_rtm_newaddr+0x30c/0x1540 net/ipv4/devinet.c:978
1 lock held by syz.4.861/8697:
1 lock held by syz.3.862/8699:
=============================================
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 31 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:161 [inline]
__sys_info lib/sys_info.c:157 [inline]
sys_info+0x133/0x180 lib/sys_info.c:165
check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
watchdog+0xe66/0x1180 kernel/hung_task.c:515
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: netns cleanup_net
RIP: 0010:__trace_hardirqs_on_caller kernel/locking/lockdep.c:4350 [inline]
RIP: 0010:lockdep_hardirqs_on_prepare+0xc2/0x1b0 kernel/locking/lockdep.c:4410
Code: 48 89 83 08 0b 00 00 e8 1c 02 df 09 be 02 00 00 00 48 89 df 65 ff 05 e5 59 19 12 e8 b8 fe ff ff 85 c0 74 0a 8b 83 10 0b 00 00 <85> c0 75 24 48 c7 c7 45 97 aa 8d e8 ee 01 df 09 b8 ff ff ff ff 65
RSP: 0018:ffffc90000007d10 EFLAGS: 00000002
RAX: 0000000000000000 RBX: ffff88802819c980 RCX: 0000000000000002
RDX: 0000000000000000 RSI: ffff88802819d528 RDI: ffff88802819c980
RBP: 0000000000000202 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff9088cdd7 R11: ffff88802819d4b0 R12: 0000000000000038
R13: dffffc0000000000 R14: ffff888050975f80 R15: 1ffff92000000faa
FS: 0000000000000000(0000) GS:ffff8881248f1000(0000) knlGS:0000000000000000
Call Trace:
<IRQ>
trace_hardirqs_on+0x36/0x40 kernel/trace/trace_preemptirq.c:78
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
_raw_spin_unlock_irqrestore+0x52/0x80 kernel/locking/spinlock.c:194
debug_object_deactivate+0x1ec/0x3a0 lib/debugobjects.c:888
debug_rcu_head_unqueue kernel/rcu/rcu.h:248 [inline]
rcu_do_batch kernel/rcu/tree.c:2597 [inline]
rcu_core+0x72e/0x15f0 kernel/rcu/tree.c:2857
handle_softirqs+0x219/0x950 kernel/softirq.c:622
do_softirq kernel/softirq.c:523 [inline]
do_softirq+0xb2/0xf0 kernel/softirq.c:510
</IRQ>
<TASK>
__local_bh_enable_ip+0x100/0x120 kernel/softirq.c:450
spin_unlock_bh include/linux/spinlock.h:396 [inline]
addrconf_ifdown.isra.0+0x589/0x1b90 net/ipv6/addrconf.c:3907
addrconf_notify+0x220/0x19f0 net/ipv6/addrconf.c:3776
notifier_call_chain+0xbc/0x3e0 kernel/notifier.c:85
call_netdevice_notifiers_info+0xbe/0x110 net/core/dev.c:2243
call_netdevice_notifiers_extack net/core/dev.c:2281 [inline]
call_netdevice_notifiers net/core/dev.c:2295 [inline]
unregister_netdevice_many_notify+0xf81/0x2590 net/core/dev.c:12396
ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]
ops_undo_list+0x8fc/0xab0 net/core/net_namespace.c:248
cleanup_net+0x41b/0x830 net/core/net_namespace.c:696
process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Tested on:
commit: ad6a6cb9 syztest
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux.git syztest
console output: https://syzkaller.appspot.com/x/log.txt?x=12502b9a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1859476832863c41
dashboard link: https://syzkaller.appspot.com/bug?extid=4eb282331cab6d5b6588
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in io_wq_exit_workers
INFO: task syz.2.600:7996 blocked for more than 143 seconds.
Not tainted syzkaller #0
Blocked by coredump.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.600 state:D stack:26824 pid:7996 tgid:7995 ppid:6341 task_flags:0x400548 flags:0x00080000
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5260 [inline]
__schedule+0x1138/0x5ee0 kernel/sched/core.c:6867
__schedule_loop kernel/sched/core.c:6949 [inline]
schedule+0xe7/0x3a0 kernel/sched/core.c:6964
schedule_timeout+0x257/0x290 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:100 [inline]
__wait_for_common+0x2fc/0x4e0 kernel/sched/completion.c:121
io_wq_exit_workers+0x3b7/0x8b0 io_uring/io-wq.c:1383
io_wq_put_and_exit+0xba/0x270 io_uring/io-wq.c:1414
io_uring_clean_tctx+0x10d/0x190 io_uring/tctx.c:203
io_uring_cancel_generic+0x69c/0x9a0 io_uring/cancel.c:651
io_uring_files_cancel include/linux/io_uring.h:19 [inline]
do_exit+0x2ce/0x2bd0 kernel/exit.c:911
do_group_exit+0xd3/0x2a0 kernel/exit.c:1112
get_signal+0x2671/0x26d0 kernel/signal.c:3034
arch_do_signal_or_restart+0x8f/0x7e0 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:41 [inline]
exit_to_user_mode_loop+0x8c/0x540 kernel/entry/common.c:75
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
do_syscall_64+0x4ee/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f22d238f749
RSP: 002b:00007f22d319b0e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007f22d25e5fa8 RCX: 00007f22d238f749
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f22d25e5fa8
RBP: 00007f22d25e5fa0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f22d25e6038 R14: 00007ffdc1419da0 R15: 00007ffdc1419e88
</TASK>
Showing all locks held in the system:
3 locks held by kworker/0:0/9:
#0: ffff88813ff51948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x128d/0x1b20 kernel/workqueue.c:3232
#1:
ffffc900000e7c90 (deferred_process_work){+.+.}-{0:0}, at: process_one_work+0x914/0x1b20 kernel/workqueue.c:3233
#2: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: switchdev_deferred_process_work+0xe/0x20 net/switchdev/switchdev.c:104
3 locks held by kworker/1:0/24:
1 lock held by khungtaskd/31:
#0: ffffffff8e3c9620 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#0: ffffffff8e3c9620 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
#0: ffffffff8e3c9620 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x36/0x1c0 kernel/locking/lockdep.c:6775
2 locks held by kworker/u8:3/37:
#0: ffff88801c7fd148 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_one_work+0x128d/0x1b20 kernel/workqueue.c:3232
#1: ffffc90000ad7c90 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x914/0x1b20 kernel/workqueue.c:3233
5 locks held by kworker/u8:7/1041:
#0: ffff88801badc948 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x128d/0x1b20 kernel/workqueue.c:3232
#1: ffffc90003a4fc90 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x914/0x1b20 kernel/workqueue.c:3233
#2: ffffffff9012bdd0 (pernet_ops_rwsem){++++}-{4:4}, at: cleanup_net+0xad/0x830 net/core/net_namespace.c:670
#3: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: ops_exit_rtnl_list net/core/net_namespace.c:173 [inline]
#3: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: ops_undo_list+0x7e9/0xab0 net/core/net_namespace.c:248
#4: ffffffff8e3d4d78 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock+0x284/0x3c0 kernel/rcu/tree_exp.h:311
3 locks held by kworker/u8:9/1147:
#0: ffff88814cf76948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x128d/0x1b20 kernel/workqueue.c:3232
#1: ffffc90003f4fc90 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_one_work+0x914/0x1b20 kernel/workqueue.c:3233
#2: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
#2: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: addrconf_verify_work+0x12/0x30 net/ipv6/addrconf.c:4734
3 locks held by kworker/u8:11/3526:
2 locks held by kworker/u8:12/3877:
#0: ffff88801c7fd148 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_one_work+0x128d/0x1b20 kernel/workqueue.c:3232
#1: ffffc9000c8b7c90 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x914/0x1b20 kernel/workqueue.c:3233
2 locks held by udevd/5186:
1 lock held by dhcpcd/5481:
#0: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
#0: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: devinet_ioctl+0x26d/0x1f30 net/ipv4/devinet.c:1120
2 locks held by getty/5573:
#0: ffff8880367330a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc9000332e2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x41b/0x1510 drivers/tty/n_tty.c:2211
3 locks held by kworker/1:5/6331:
3 locks held by kworker/u8:16/6619:
#0: ffff88813ff69948 ((wq_completion)events_unbound#2){+.+.}-{0:0}, at: process_one_work+0x128d/0x1b20 kernel/workqueue.c:3232
#1: ffffc90003e1fc90 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work+0x914/0x1b20 kernel/workqueue.c:3233
#2: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: linkwatch_event+0x51/0xc0 net/core/link_watch.c:303
2 locks held by kworker/u8:18/6822:
#0: ffff88801c7fd148 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_one_work+0x128d/0x1b20 kernel/workqueue.c:3232
#1: ffffc90003507c90 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x914/0x1b20 kernel/workqueue.c:3233
7 locks held by kworker/1:10/7907:
2 locks held by kworker/u8:22/7948:
1 lock held by iou-wrk-7996/8005:
2 locks held by iou-wrk-8200/8202:
2 locks held by kworker/0:10/8282:
1 lock held by iou-wrk-8313/8318:
2 locks held by syz-executor/8492:
#0: ffffffff90890c48 (&ops->srcu#2){.+.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:185 [inline]
#0: ffffffff90890c48 (&ops->srcu#2){.+.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:277 [inline]
#0: ffffffff90890c48 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x113/0x2c0 net/core/rtnetlink.c:574
#1: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
#1: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
#1: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x5f6/0x1f50 net/core/rtnetlink.c:4071
2 locks held by syz-executor/8544:
#0: ffffffff8f4d9ea8 (
&ops->srcu
#2
){.+.+}-{0:0}
, at: srcu_lock_acquire include/linux/srcu.h:185 [inline]
, at: srcu_read_lock include/linux/srcu.h:277 [inline]
, at: rtnl_link_ops_get+0x113/0x2c0 net/core/rtnetlink.c:574
#1: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
#1: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
#1: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x5f6/0x1f50 net/core/rtnetlink.c:4071
1 lock held by syz-executor/8572:
#0: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
#0: ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: inet6_rtm_newaddr+0x4e4/0x1c50 net/ipv6/addrconf.c:5027
1 lock held by syz-executor/8691:
#0:
ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
ffffffff901428a8 (rtnl_mutex){+.+.}-{4:4}, at: inet_rtm_newaddr+0x30c/0x1540 net/ipv4/devinet.c:978
1 lock held by syz.4.861/8697:
1 lock held by syz.3.862/8699:
=============================================
NMI backtrace for cpu 1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:161 [inline]
__sys_info lib/sys_info.c:157 [inline]
sys_info+0x133/0x180 lib/sys_info.c:165
check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
watchdog+0xe66/0x1180 kernel/hung_task.c:515
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 1041 Comm: kworker/u8:7 Not tainted syzkaller #0 PREEMPT(full)
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: netns cleanup_net
RIP: 0010:__trace_hardirqs_on_caller kernel/locking/lockdep.c:4350 [inline]
RIP: 0010:lockdep_hardirqs_on_prepare+0xc2/0x1b0 kernel/locking/lockdep.c:4410
Code: 48 89 83 08 0b 00 00 e8 1c 02 df 09 be 02 00 00 00 48 89 df 65 ff 05 e5 59 19 12 e8 b8 fe ff ff 85 c0 74 0a 8b 83 10 0b 00 00 <85> c0 75 24 48 c7 c7 45 97 aa 8d e8 ee 01 df 09 b8 ff ff ff ff 65
RSP: 0018:ffffc90000007d10 EFLAGS: 00000002
RAX: 0000000000000000 RBX: ffff88802819c980 RCX: 0000000000000002
RDX: 0000000000000000 RSI: ffff88802819d528 RDI: ffff88802819c980
RBP: 0000000000000202 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff9088cdd7 R11: ffff88802819d4b0 R12: 0000000000000038
R13: dffffc0000000000 R14: ffff888050975f80 R15: 1ffff92000000faa
FS: 0000000000000000(0000) GS:ffff8881248f1000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00002000006c6000 CR3: 0000000050306000 CR4: 00000000003526f0
Call Trace:
<IRQ>
trace_hardirqs_on+0x36/0x40 kernel/trace/trace_preemptirq.c:78
__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
_raw_spin_unlock_irqrestore+0x52/0x80 kernel/locking/spinlock.c:194
debug_object_deactivate+0x1ec/0x3a0 lib/debugobjects.c:888
debug_rcu_head_unqueue kernel/rcu/rcu.h:248 [inline]
rcu_do_batch kernel/rcu/tree.c:2597 [inline]
rcu_core+0x72e/0x15f0 kernel/rcu/tree.c:2857
handle_softirqs+0x219/0x950 kernel/softirq.c:622
do_softirq kernel/softirq.c:523 [inline]
do_softirq+0xb2/0xf0 kernel/softirq.c:510
</IRQ>
<TASK>
__local_bh_enable_ip+0x100/0x120 kernel/softirq.c:450
spin_unlock_bh include/linux/spinlock.h:396 [inline]
addrconf_ifdown.isra.0+0x589/0x1b90 net/ipv6/addrconf.c:3907
addrconf_notify+0x220/0x19f0 net/ipv6/addrconf.c:3776
notifier_call_chain+0xbc/0x3e0 kernel/notifier.c:85
call_netdevice_notifiers_info+0xbe/0x110 net/core/dev.c:2243
call_netdevice_notifiers_extack net/core/dev.c:2281 [inline]
call_netdevice_notifiers net/core/dev.c:2295 [inline]
unregister_netdevice_many_notify+0xf81/0x2590 net/core/dev.c:12396
ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]
ops_undo_list+0x8fc/0xab0 net/core/net_namespace.c:248
cleanup_net+0x41b/0x830 net/core/net_namespace.c:696
process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Tested on:
commit: ad6a6cb9 syztest
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux.git syztest
console output: https://syzkaller.appspot.com/x/log.txt?x=12502b9a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1859476832863c41
dashboard link: https://syzkaller.appspot.com/bug?extid=4eb282331cab6d5b6588
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
Jens Axboe
Jan 20, 2026, 7:00:27 AM (3 days ago) Jan 20
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
syzbot
Jan 20, 2026, 8:07:07 AM (3 days ago) Jan 20
to ax...@kernel.dk, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
failed to checkout kernel repo git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux.git/syztest: failed to run ["git" "checkout" "FETCH_HEAD" "--force"]: exit status 128
Tested on:
commit: [unknown
syzbot tried to test the proposed patch but the build/boot failed:
failed to checkout kernel repo git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux.git/syztest: failed to run ["git" "checkout" "FETCH_HEAD" "--force"]: exit status 128
Tested on:
commit: [unknown
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux.git syztest
kernel config: https://syzkaller.appspot.com/x/.config?x=a11e0f726bfb6765
Jens Axboe
Jan 20, 2026, 8:35:53 AM (3 days ago) Jan 20
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
syzbot
Jan 20, 2026, 8:37:04 AM (3 days ago) Jan 20
to ax...@kernel.dk, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Jens Axboe
Jan 20, 2026, 10:04:16 AM (3 days ago) Jan 20
to syzbot, anna-...@linutronix.de, fred...@kernel.org, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, tg...@linutronix.de
Just to wrap this one up - there's a fairly lengthy explanation posted
here:
https://lore.kernel.org/io-uring/937c3e38-368e-43eb...@kernel.dk/
which details why this isn't really a bug, it's just slow exit due to
the odd huge reads (and number of them) syzbot queues up with io_uring
before exiting.
--
Jens Axboe
here:
https://lore.kernel.org/io-uring/937c3e38-368e-43eb...@kernel.dk/
which details why this isn't really a bug, it's just slow exit due to
the odd huge reads (and number of them) syzbot queues up with io_uring
before exiting.
--
Jens Axboe
Jens Axboe
Jan 20, 2026, 1:05:50 PM (3 days ago) Jan 20
to syzbot, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
--
Jens Axboe
syzbot
Jan 20, 2026, 1:31:07 PM (3 days ago) Jan 20
to ax...@kernel.dk, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in io_wq_put_and_exit
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task syz.1.135:6891 blocked for more than 143 seconds.
Not tainted syzkaller #0
Blocked by coredump.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.135 state:D stack:25688 pid:6891 tgid:6887 ppid:6342 task_flags:0x400548 flags:0x00080000
Blocked by coredump.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5260 [inline]
__schedule+0xfe4/0x5e10 kernel/sched/core.c:6867
<TASK>
context_switch kernel/sched/core.c:5260 [inline]
__schedule_loop kernel/sched/core.c:6949 [inline]
schedule+0xdd/0x390 kernel/sched/core.c:6964
schedule_timeout+0x1b2/0x280 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:100 [inline]
__wait_for_common+0x2e7/0x4c0 kernel/sched/completion.c:121
io_wq_exit_workers io_uring/io-wq.c:1325 [inline]
io_wq_put_and_exit+0x27b/0x8b0 io_uring/io-wq.c:1353
io_uring_clean_tctx+0x114/0x180 io_uring/tctx.c:203
io_uring_cancel_generic+0x7b9/0x810 io_uring/cancel.c:651
io_uring_files_cancel include/linux/io_uring.h:19 [inline]
do_exit+0x2be/0x2a30 kernel/exit.c:911
do_group_exit+0xd5/0x2a0 kernel/exit.c:1112
get_signal+0x1ec7/0x21e0 kernel/signal.c:3034
arch_do_signal_or_restart+0x91/0x7a0 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:41 [inline]
exit_to_user_mode_loop+0x86/0x4b0 kernel/entry/common.c:75
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
do_syscall_64+0x4fe/0xf80 arch/x86/entry/syscall_64.c:100
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fee4299aef9
RSP: 002b:00007fee41fdd0e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fee42c06098 RCX: 00007fee4299aef9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fee42c06098
RBP: 00007fee42c06090 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fee42c06128 R14: 00007fffcc8d1220 R15: 00007fffcc8d1308
</TASK>
Showing all locks held in the system:
Showing all locks held in the system:
1 lock held by khungtaskd/31:
#0: ffffffff8e3ca3a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#0: ffffffff8e3ca3a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
#0: ffffffff8e3ca3a0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x3d/0x184 kernel/locking/lockdep.c:6775
3 locks held by kworker/u8:4/60:
3 locks held by kworker/u8:6/640:
#0: ffff88813ff69948 ((wq_completion)events_unbound#2){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc90003767c98 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffffffff90158368 (rtnl_mutex){+.+.}-{4:4}, at: linkwatch_event+0x51/0xc0 net/core/link_watch.c:303
1 lock held by klogd/5176:
#0: ffff8880b853ac98 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x29/0x130 kernel/sched/core.c:639
2 locks held by getty/5577:
#0: ffff88814e2a20a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc9000332b2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x419/0x1500 drivers/tty/n_tty.c:2211
2 locks held by kworker/u8:16/6594:
#0: ffff8880b853ac98 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x29/0x130 kernel/sched/core.c:639
#1: ffff8880b8524608 (psi_seq){-.-.}-{0:0}, at: psi_sched_switch kernel/sched/stats.h:225 [inline]
#1: ffff8880b8524608 (psi_seq){-.-.}-{0:0}, at: __schedule+0x2b6f/0x5e10 kernel/sched/core.c:6861
2 locks held by kworker/u8:17/6607:
#0: ffff88801d31e948 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc90004207c98 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
2 locks held by kworker/u8:21/6678:
#0: ffff88801d31e948 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc9000465fc98 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
2 locks held by syz.1.135/6891:
1 lock held by iou-wrk-6891/6895:
3 locks held by kworker/u8:23/6986:
#0: ffff88814cced948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc900053d7c98 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffffffff90158368 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
#2: ffffffff90158368 (rtnl_mutex){+.+.}-{4:4}, at: addrconf_verify_work+0x12/0x30 net/ipv6/addrconf.c:4734
2 locks held by kworker/u8:24/7246:
#0: ffff88801d31e948 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc90004b3fc98 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
1 lock held by iou-wrk-7337/7340:
2 locks held by kworker/u8:27/7716:
#0: ffff88801d31e948 ((wq_completion)iou_exit){+.+.}-{0:0}
, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc9000bea7c98 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
3 locks held by kworker/u8:28/7784:
3 locks held by kworker/0:11/8074:
#0: ffff88813ff52948 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc9000d847c98 ((reg_check_chans).work){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffffffff90158368 (rtnl_mutex){+.+.}-{4:4}, at: reg_check_chans_work+0x91/0x10e0 net/wireless/reg.c:2453
3 locks held by syz-executor/8129:
#0: ffffffff8f4e5fe8 (&ops->srcu#2){.+.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:185 [inline]
#0: ffffffff8f4e5fe8 (&ops->srcu#2){.+.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:277 [inline]
#0: ffffffff8f4e5fe8 (&ops->srcu#2){.+.+}-{0:0}, at: rtnl_link_ops_get+0x113/0x2c0 net/core/rtnetlink.c:574
#1: ffffffff90158368 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
#1: ffffffff90158368 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
#1: ffffffff90158368 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x8bb/0x2380 net/core/rtnetlink.c:4071
#2: ffffffff8e3d5db8 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock+0x19e/0x3c0 kernel/rcu/tree_exp.h:343
1 lock held by dhcpcd/8197:
#0: ffff888053802a48 (&sb->s_type->i_mutex_key#12){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:1027 [inline]
#0: ffff888053802a48 (&sb->s_type->i_mutex_key#12){+.+.}-{4:4}, at: __sock_release+0x86/0x260 net/socket.c:661
1 lock held by dhcpcd/8199:
#0: ffff888053803008 (&sb->s_type->i_mutex_key#12){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:1027 [inline]
#0: ffff888053803008 (&sb->s_type->i_mutex_key#12){+.+.}-{4:4}, at: __sock_release+0x86/0x260 net/socket.c:661
2 locks held by dhcpcd/8202:
#0: ffff88805380bb88 (&sb->s_type->i_mutex_key#12){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:1027 [inline]
#0: ffff88805380bb88 (&sb->s_type->i_mutex_key#12){+.+.}-{4:4}, at: __sock_release+0x86/0x260 net/socket.c:661
#1: ffffffff8e3d5db8 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock+0x19e/0x3c0 kernel/rcu/tree_exp.h:343
1 lock held by dhcpcd/8205:
#0: ffff88807561b5c8 (&sb->s_type->i_mutex_key#12){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:1027 [inline]
#0: ffff88807561b5c8 (&sb->s_type->i_mutex_key#12){+.+.}-{4:4}, at: __sock_release+0x86/0x260 net/socket.c:661
1 lock held by dhcpcd/8208:
#0: ffff888026d0e260 (sk_lock-AF_PACKET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1700 [inline]
#0: ffff888026d0e260 (sk_lock-AF_PACKET){+.+.}-{0:0}, at: packet_do_bind+0x2c/0xf50 net/packet/af_packet.c:3197
1 lock held by syz-executor/8219:
#0: ffffffff90158368 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
#0: ffffffff90158368 (rtnl_mutex){+.+.}-{4:4}, at: inet_rtm_newaddr+0x30c/0x18b0 net/ipv4/devinet.c:978
2 locks held by syz.4.646/8226:
2 locks held by syz.5.647/8228:
=============================================
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 31 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT(full)
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
nmi_cpu_backtrace.cold+0x12d/0x151 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x1d7/0x230 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:161 [inline]
__sys_info lib/sys_info.c:157 [inline]
sys_info+0x141/0x190 lib/sys_info.c:165
__sys_info lib/sys_info.c:157 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
watchdog+0xcc3/0xfe0 kernel/hung_task.c:515
kthread+0x3b3/0x730 kernel/kthread.c:463
ret_from_fork+0x754/0xaf0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 8074 Comm: kworker/0:11 Not tainted syzkaller #0 PREEMPT(full)
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
Workqueue: wg-crypt-wg1 wg_packet_encrypt_worker
RIP: 0010:wg_queue_enqueue_per_peer_tx+0x155/0x500 drivers/net/wireguard/queueing.h:183
Code: 00 00 00 00 00 fc ff df 48 8b 2b 48 8d bd b8 05 00 00 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 69 03 00 00 48 8b 85 b8 05 00 00 <48> 8d bb 60 09 00 00 48 89 fa 48 89 44 24 08 48 c1 ea 03 48 b8 00
RSP: 0018:ffffc9000d847a90 EFLAGS: 00000246
RAX: ffff88806967b800 RBX: ffff88807f6c27a0 RCX: ffffffff8686ebc4
RDX: 1ffff1100643ba67 RSI: 0000000000000004 RDI: ffff8880321dd338
RBP: ffff8880321dcd80 R08: 0000000000000001 R09: ffffed100a3aea07
R10: ffff888051d7503b R11: caadeee402246cc6 R12: ffff888051d75000
R13: 0000000000000001 R14: ffff88807f6c2eb0 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8881248c5000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000020000017c000 CR3: 000000000e186000 CR4: 00000000003526f0
Call Trace:
<TASK>
wg_packet_encrypt_worker+0x7dc/0xbd0 drivers/net/wireguard/send.c:305
process_one_work+0x9c2/0x1840 kernel/workqueue.c:3257
process_scheduled_works kernel/workqueue.c:3340 [inline]
worker_thread+0x5da/0xe40 kernel/workqueue.c:3421
kthread+0x3b3/0x730 kernel/kthread.c:463
ret_from_fork+0x754/0xaf0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Tested on:
commit: c45d825f Merge branch 'io_uring-6.19' into syztest
</TASK>
Tested on:
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux.git syztest
console output: https://syzkaller.appspot.com/x/log.txt?x=10fe3c44580000
kernel config: https://syzkaller.appspot.com/x/.config?x=8f75eb998b5774eb
dashboard link: https://syzkaller.appspot.com/bug?extid=4eb282331cab6d5b6588
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
Jens Axboe
Jan 21, 2026, 12:40:02 PM (2 days ago) Jan 21
to syzbot, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On 1/20/26 11:31 AM, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> INFO: task hung in io_wq_put_and_exit
>
> INFO: task syz.1.135:6891 blocked for more than 143 seconds.
> Not tainted syzkaller #0
> Blocked by coredump.
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:syz.1.135 state:D stack:25688 pid:6891 tgid:6887 ppid:6342 task_flags:0x400548 flags:0x00080000
> Call Trace:
> <TASK>
> context_switch kernel/sched/core.c:5260 [inline]
> __schedule+0xfe4/0x5e10 kernel/sched/core.c:6867
> __schedule_loop kernel/sched/core.c:6949 [inline]
> schedule+0xdd/0x390 kernel/sched/core.c:6964
> schedule_timeout+0x1b2/0x280 kernel/time/sleep_timeout.c:75
> do_wait_for_common kernel/sched/completion.c:100 [inline]
> __wait_for_common+0x2e7/0x4c0 kernel/sched/completion.c:121
> io_wq_exit_workers io_uring/io-wq.c:1325 [inline]
Not sure how much better we can make this. syzbot is running on 2 cpus,
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> INFO: task hung in io_wq_put_and_exit
>
> INFO: task syz.1.135:6891 blocked for more than 143 seconds.
> Not tainted syzkaller #0
> Blocked by coredump.
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:syz.1.135 state:D stack:25688 pid:6891 tgid:6887 ppid:6342 task_flags:0x400548 flags:0x00080000
> Call Trace:
> <TASK>
> context_switch kernel/sched/core.c:5260 [inline]
> __schedule+0xfe4/0x5e10 kernel/sched/core.c:6867
> __schedule_loop kernel/sched/core.c:6949 [inline]
> schedule+0xdd/0x390 kernel/sched/core.c:6964
> schedule_timeout+0x1b2/0x280 kernel/time/sleep_timeout.c:75
> do_wait_for_common kernel/sched/completion.c:100 [inline]
> __wait_for_common+0x2e7/0x4c0 kernel/sched/completion.c:121
> io_wq_exit_workers io_uring/io-wq.c:1325 [inline]
and spawns hundreds of "lets read 2GB from MSR", which are super slow.
So you have 2 cpus wanting to run hundreds of these. And yes that'll
mean that exiting a ring can take a loooong time, because even if it
needs to finish just a single reader, that's a lot of MSR data to read
when you have hundreds of tasks doing the same thing.
IOW, there's no bug here, other than yes if you overload the system so
substantially on a small system, then yes things will take a long time
to finish.
That said, it'd be nice to get this bug flagged as such, however I'm not
aware of any way to really do that. We can obviously work-around this in
io-wq:
diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c
index 2fa7d3601edb..3c94f281ff6b 100644
--- a/io_uring/io-wq.c
+++ b/io_uring/io-wq.c
@@ -17,6 +17,7 @@
#include <linux/task_work.h>
#include <linux/audit.h>
#include <linux/mmu_context.h>
+#include <linux/sched/sysctl.h>
#include <uapi/linux/io_uring.h>
#include "io-wq.h"
@@ -1313,6 +1314,13 @@ static void io_wq_cancel_tw_create(struct io_wq *wq)
static void io_wq_exit_workers(struct io_wq *wq)
{
+ /*
+ * Shut up hung task complaint, see for example
+ *
+ * https://lore.kernel.org/all/696fc9e7.a70a022...@google.com/
+ */
+ unsigned long timeout = sysctl_hung_task_timeout_secs * HZ / 2;
+
if (!wq->task)
return;
@@ -1322,7 +1330,11 @@ static void io_wq_exit_workers(struct io_wq *wq)
io_wq_for_each_worker(wq, io_wq_worker_wake, NULL);
rcu_read_unlock();
io_worker_ref_put(wq);
- wait_for_completion(&wq->worker_done);
+ do {
+ if (wait_for_completion_timeout(&wq->worker_done, timeout))
+ break;
+ printk("io-wq: taking a long time to exit\n");
+ } while (1);
spin_lock_irq(&wq->hash->wait.lock);
list_del_init(&wq->wait.entry);
which we can obviously do, but it's also really annoying imho. But I
guess that can be coupled with a dump, etc.
--
Jens Axboe
Jens Axboe
Jan 21, 2026, 12:41:18 PM (2 days ago) Jan 21
to syzbot, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On 1/20/26 8:04 AM, Jens Axboe wrote:
syzbot
Jan 21, 2026, 2:30:05 PM (2 days ago) Jan 21
to ax...@kernel.dk, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
text=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
Setting up swapspace version 1, size = 127995904 bytes
[ 74.071984][ T30] audit: type=1400 audit(1769023732.299:71): avc: denied { mount } for pid=5816 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 75.027540][ T5816] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 77.035760][ T30] kauditd_printk_skb: 4 callbacks suppressed
[ 77.035777][ T30] audit: type=1400 audit(1769023735.389:76): avc: denied { execmem } for pid=5827 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 77.115776][ T30] audit: type=1400 audit(1769023735.469:77): avc: denied { read } for pid=5832 comm="syz-executor" dev="nsfs" ino=4026531833 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 77.197863][ T30] audit: type=1400 audit(1769023735.469:78): avc: denied { open } for pid=5832 comm="syz-executor" path="net:[4026531833]" dev="nsfs" ino=4026531833 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 77.256106][ T30] audit: type=1400 audit(1769023735.469:79): avc: denied { mounton } for pid=5832 comm="syz-executor" path="/" dev="sda1" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1
[ 77.376461][ T30] audit: type=1400 audit(1769023735.749:80): avc: denied { mounton } for pid=5832 comm="syz-executor" path="/root/syzkaller.ODDuwd/syz-tmp" dev="sda1" ino=2042 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[ 77.426222][ T30] audit: type=1400 audit(1769023735.769:81): avc: denied { mount } for pid=5832 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1
[ 77.455015][ T30] audit: type=1400 audit(1769023735.769:82): avc: denied { mounton } for pid=5832 comm="syz-executor" path="/root/syzkaller.ODDuwd/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1
[ 77.480585][ T30] audit: type=1400 audit(1769023735.769:83): avc: denied { mount } for pid=5832 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1
[ 77.502555][ T30] audit: type=1400 audit(1769023735.779:84): avc: denied { mounton } for pid=5832 comm="syz-executor" path="/root/syzkaller.ODDuwd/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1
[ 77.530216][ T30] audit: type=1400 audit(1769023735.779:85): avc: denied { mounton } for pid=5832 comm="syz-executor" path="/root/syzkaller.ODDuwd/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=4768 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1
[ 77.582717][ T5832] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linu...@kvack.org if you depend on this functionality.
[ 78.317095][ T5137] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 78.335937][ T5137] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 78.343994][ T5137] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 78.352415][ T5137] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 78.359995][ T5137] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 79.466468][ T60] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 79.475648][ T60] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 79.626085][ T60] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 79.633927][ T60] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 80.241478][ T5888] chnl_net:caif_netlink_parms(): no params data found
[ 80.459107][ T5888] bridge0: port 1(bridge_slave_0) entered blocking state
[ 80.470259][ T5888] bridge0: port 1(bridge_slave_0) entered disabled state
[ 80.477785][ T5888] bridge_slave_0: entered allmulticast mode
[ 80.484650][ T5888] bridge_slave_0: entered promiscuous mode
[ 80.494287][ T5888] bridge0: port 2(bridge_slave_1) entered blocking state
[ 80.501686][ T5888] bridge0: port 2(bridge_slave_1) entered disabled state
[ 80.509461][ T5888] bridge_slave_1: entered allmulticast mode
[ 80.516827][ T5888] bridge_slave_1: entered promiscuous mode
[ 80.549445][ T5888] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 80.562530][ T5888] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 80.602734][ T5888] team0: Port device team_slave_0 added
[ 80.611369][ T5888] team0: Port device team_slave_1 added
[ 80.637661][ T5888] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 80.644602][ T5888] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 80.670855][ T5888] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 80.685512][ T5888] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 80.692580][ T5888] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 80.719042][ T5888] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 80.754334][ T5888] hsr_slave_0: entered promiscuous mode
[ 80.760681][ T5888] hsr_slave_1: entered promiscuous mode
[ 80.873414][ T5888] netdevsim netdevsim2 netdevsim0: renamed from eth0
[ 80.885521][ T5888] netdevsim netdevsim2 netdevsim1: renamed from eth1
[ 80.895484][ T5888] netdevsim netdevsim2 netdevsim2: renamed from eth2
[ 80.905604][ T5888] netdevsim netdevsim2 netdevsim3: renamed from eth3
[ 80.931341][ T5888] bridge0: port 2(bridge_slave_1) entered blocking state
[ 80.938615][ T5888] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 80.947289][ T5888] bridge0: port 1(bridge_slave_0) entered blocking state
[ 80.954444][ T5888] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 80.998830][ T5888] 8021q: adding VLAN 0 to HW filter on device bond0
[ 81.015302][ T60] bridge0: port 1(bridge_slave_0) entered disabled state
[ 81.024604][ T60] bridge0: port 2(bridge_slave_1) entered disabled state
[ 81.041085][ T5888] 8021q: adding VLAN 0 to HW filter on device team0
[ 81.052143][ T12] bridge0: port 1(bridge_slave_0) entered blocking state
[ 81.059263][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 81.071460][ T60] bridge0: port 2(bridge_slave_1) entered blocking state
[ 81.078564][ T60] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 81.211172][ T5888] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 81.248210][ T5888] veth0_vlan: entered promiscuous mode
[ 81.259263][ T5888] veth1_vlan: entered promiscuous mode
[ 81.283687][ T5888] veth0_macvtap: entered promiscuous mode
[ 81.292476][ T5888] veth1_macvtap: entered promiscuous mode
[ 81.308568][ T5888] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 81.321101][ T5888] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 81.336539][ T60] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 81.348097][ T60] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 81.357060][ T60] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 81.367258][ T60] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
2026/01/21 19:28:59 executed programs: 0
[ 81.507631][ T90] cfg80211: failed to load regulatory.db
[ 81.536157][ T52] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 81.544946][ T52] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 81.553349][ T52] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 81.564963][ T52] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 81.584394][ T52] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 81.880379][ T5930] chnl_net:caif_netlink_parms(): no params data found
[ 81.938870][ T5930] bridge0: port 1(bridge_slave_0) entered blocking state
[ 81.946021][ T5930] bridge0: port 1(bridge_slave_0) entered disabled state
[ 81.953134][ T5930] bridge_slave_0: entered allmulticast mode
[ 81.960371][ T5930] bridge_slave_0: entered promiscuous mode
[ 81.969459][ T5930] bridge0: port 2(bridge_slave_1) entered blocking state
[ 81.976697][ T5930] bridge0: port 2(bridge_slave_1) entered disabled state
[ 81.983848][ T5930] bridge_slave_1: entered allmulticast mode
[ 81.991570][ T5930] bridge_slave_1: entered promiscuous mode
[ 82.025152][ T5930] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 82.037968][ T5930] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 82.063977][ T5930] team0: Port device team_slave_0 added
[ 82.073260][ T5930] team0: Port device team_slave_1 added
[ 82.096729][ T5930] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 82.103675][ T5930] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 82.129911][ T5930] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 82.141687][ T5930] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 82.148881][ T5930] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 82.175166][ T5930] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 82.213049][ T5930] hsr_slave_0: entered promiscuous mode
[ 82.219381][ T5930] hsr_slave_1: entered promiscuous mode
[ 82.225304][ T5930] debugfs: 'hsr0' already exists in 'hsr'
[ 82.231462][ T5930] Cannot create hsr debugfs directory
[ 82.338888][ T5930] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 82.349132][ T5930] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 82.359560][ T5930] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 82.369490][ T5930] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 82.431937][ T5930] 8021q: adding VLAN 0 to HW filter on device bond0
[ 82.451444][ T5930] 8021q: adding VLAN 0 to HW filter on device team0
[ 82.462384][ T60] bridge0: port 1(bridge_slave_0) entered blocking state
[ 82.469488][ T60] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 82.488405][ T60] bridge0: port 2(bridge_slave_1) entered blocking state
[ 82.495478][ T60] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 82.634014][ T5930] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 82.669589][ T5930] veth0_vlan: entered promiscuous mode
[ 82.679859][ T5930] veth1_vlan: entered promiscuous mode
[ 82.704326][ T5930] veth0_macvtap: entered promiscuous mode
[ 82.715368][ T5930] veth1_macvtap: entered promiscuous mode
[ 82.734887][ T5930] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 82.750652][ T5930] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 82.762618][ T60] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 82.772242][ T60] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 82.782190][ T60] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 82.793148][ T60] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 82.852368][ T12] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 82.860711][ T12] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 82.885601][ T60] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 82.893556][ T60] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
SYZFAIL: failed to recv rpc
[ 83.392967][ T60] netdevsim netdevsim2 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build277648876=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'
git status (err=<nil>)
HEAD detached at d6526ea3e6
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=d6526ea3e6ad9081c902859bbb80f9f840377cb4 -X github.com/google/syzkaller/prog.gitRevisionDate=20251126-113115" ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=d6526ea3e6ad9081c902859bbb80f9f840377cb4 -X github.com/google/syzkaller/prog.gitRevisionDate=20251126-113115" ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=d6526ea3e6ad9081c902859bbb80f9f840377cb4 -X github.com/google/syzkaller/prog.gitRevisionDate=20251126-113115" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"d6526ea3e6ad9081c902859bbb80f9f840377cb4\"
/usr/bin/ld: /tmp/cc0bwYtF.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x386): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=131087fc580000
Tested on:
commit: 994089e6 io_uring/io-wq: don't trigger hung task for s..
syzbot tried to test the proposed patch but the build/boot failed:
text=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
Setting up swapspace version 1, size = 127995904 bytes
[ 74.071984][ T30] audit: type=1400 audit(1769023732.299:71): avc: denied { mount } for pid=5816 comm="syz-executor" name="/" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=filesystem permissive=1
[ 75.027540][ T5816] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 77.035760][ T30] kauditd_printk_skb: 4 callbacks suppressed
[ 77.035777][ T30] audit: type=1400 audit(1769023735.389:76): avc: denied { execmem } for pid=5827 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 77.115776][ T30] audit: type=1400 audit(1769023735.469:77): avc: denied { read } for pid=5832 comm="syz-executor" dev="nsfs" ino=4026531833 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 77.197863][ T30] audit: type=1400 audit(1769023735.469:78): avc: denied { open } for pid=5832 comm="syz-executor" path="net:[4026531833]" dev="nsfs" ino=4026531833 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 77.256106][ T30] audit: type=1400 audit(1769023735.469:79): avc: denied { mounton } for pid=5832 comm="syz-executor" path="/" dev="sda1" ino=2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:root_t tclass=dir permissive=1
[ 77.376461][ T30] audit: type=1400 audit(1769023735.749:80): avc: denied { mounton } for pid=5832 comm="syz-executor" path="/root/syzkaller.ODDuwd/syz-tmp" dev="sda1" ino=2042 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_home_t tclass=dir permissive=1
[ 77.426222][ T30] audit: type=1400 audit(1769023735.769:81): avc: denied { mount } for pid=5832 comm="syz-executor" name="/" dev="tmpfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=1
[ 77.455015][ T30] audit: type=1400 audit(1769023735.769:82): avc: denied { mounton } for pid=5832 comm="syz-executor" path="/root/syzkaller.ODDuwd/syz-tmp/newroot/dev" dev="tmpfs" ino=3 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:user_tmpfs_t tclass=dir permissive=1
[ 77.480585][ T30] audit: type=1400 audit(1769023735.769:83): avc: denied { mount } for pid=5832 comm="syz-executor" name="/" dev="proc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1
[ 77.502555][ T30] audit: type=1400 audit(1769023735.779:84): avc: denied { mounton } for pid=5832 comm="syz-executor" path="/root/syzkaller.ODDuwd/syz-tmp/newroot/sys/kernel/debug" dev="debugfs" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:debugfs_t tclass=dir permissive=1
[ 77.530216][ T30] audit: type=1400 audit(1769023735.779:85): avc: denied { mounton } for pid=5832 comm="syz-executor" path="/root/syzkaller.ODDuwd/syz-tmp/newroot/proc/sys/fs/binfmt_misc" dev="proc" ino=4768 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:sysctl_fs_t tclass=dir permissive=1
[ 77.582717][ T5832] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linu...@kvack.org if you depend on this functionality.
[ 78.317095][ T5137] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 78.335937][ T5137] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 78.343994][ T5137] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 78.352415][ T5137] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 78.359995][ T5137] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 79.466468][ T60] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 79.475648][ T60] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 79.626085][ T60] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 79.633927][ T60] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 80.241478][ T5888] chnl_net:caif_netlink_parms(): no params data found
[ 80.459107][ T5888] bridge0: port 1(bridge_slave_0) entered blocking state
[ 80.470259][ T5888] bridge0: port 1(bridge_slave_0) entered disabled state
[ 80.477785][ T5888] bridge_slave_0: entered allmulticast mode
[ 80.484650][ T5888] bridge_slave_0: entered promiscuous mode
[ 80.494287][ T5888] bridge0: port 2(bridge_slave_1) entered blocking state
[ 80.501686][ T5888] bridge0: port 2(bridge_slave_1) entered disabled state
[ 80.509461][ T5888] bridge_slave_1: entered allmulticast mode
[ 80.516827][ T5888] bridge_slave_1: entered promiscuous mode
[ 80.549445][ T5888] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 80.562530][ T5888] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 80.602734][ T5888] team0: Port device team_slave_0 added
[ 80.611369][ T5888] team0: Port device team_slave_1 added
[ 80.637661][ T5888] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 80.644602][ T5888] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 80.670855][ T5888] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 80.685512][ T5888] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 80.692580][ T5888] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 80.719042][ T5888] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 80.754334][ T5888] hsr_slave_0: entered promiscuous mode
[ 80.760681][ T5888] hsr_slave_1: entered promiscuous mode
[ 80.873414][ T5888] netdevsim netdevsim2 netdevsim0: renamed from eth0
[ 80.885521][ T5888] netdevsim netdevsim2 netdevsim1: renamed from eth1
[ 80.895484][ T5888] netdevsim netdevsim2 netdevsim2: renamed from eth2
[ 80.905604][ T5888] netdevsim netdevsim2 netdevsim3: renamed from eth3
[ 80.931341][ T5888] bridge0: port 2(bridge_slave_1) entered blocking state
[ 80.938615][ T5888] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 80.947289][ T5888] bridge0: port 1(bridge_slave_0) entered blocking state
[ 80.954444][ T5888] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 80.998830][ T5888] 8021q: adding VLAN 0 to HW filter on device bond0
[ 81.015302][ T60] bridge0: port 1(bridge_slave_0) entered disabled state
[ 81.024604][ T60] bridge0: port 2(bridge_slave_1) entered disabled state
[ 81.041085][ T5888] 8021q: adding VLAN 0 to HW filter on device team0
[ 81.052143][ T12] bridge0: port 1(bridge_slave_0) entered blocking state
[ 81.059263][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 81.071460][ T60] bridge0: port 2(bridge_slave_1) entered blocking state
[ 81.078564][ T60] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 81.211172][ T5888] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 81.248210][ T5888] veth0_vlan: entered promiscuous mode
[ 81.259263][ T5888] veth1_vlan: entered promiscuous mode
[ 81.283687][ T5888] veth0_macvtap: entered promiscuous mode
[ 81.292476][ T5888] veth1_macvtap: entered promiscuous mode
[ 81.308568][ T5888] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 81.321101][ T5888] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 81.336539][ T60] netdevsim netdevsim2 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 81.348097][ T60] netdevsim netdevsim2 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 81.357060][ T60] netdevsim netdevsim2 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 81.367258][ T60] netdevsim netdevsim2 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
2026/01/21 19:28:59 executed programs: 0
[ 81.507631][ T90] cfg80211: failed to load regulatory.db
[ 81.536157][ T52] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 81.544946][ T52] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 81.553349][ T52] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 81.564963][ T52] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 81.584394][ T52] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 81.880379][ T5930] chnl_net:caif_netlink_parms(): no params data found
[ 81.938870][ T5930] bridge0: port 1(bridge_slave_0) entered blocking state
[ 81.946021][ T5930] bridge0: port 1(bridge_slave_0) entered disabled state
[ 81.953134][ T5930] bridge_slave_0: entered allmulticast mode
[ 81.960371][ T5930] bridge_slave_0: entered promiscuous mode
[ 81.969459][ T5930] bridge0: port 2(bridge_slave_1) entered blocking state
[ 81.976697][ T5930] bridge0: port 2(bridge_slave_1) entered disabled state
[ 81.983848][ T5930] bridge_slave_1: entered allmulticast mode
[ 81.991570][ T5930] bridge_slave_1: entered promiscuous mode
[ 82.025152][ T5930] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 82.037968][ T5930] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 82.063977][ T5930] team0: Port device team_slave_0 added
[ 82.073260][ T5930] team0: Port device team_slave_1 added
[ 82.096729][ T5930] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 82.103675][ T5930] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 82.129911][ T5930] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 82.141687][ T5930] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 82.148881][ T5930] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 82.175166][ T5930] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 82.213049][ T5930] hsr_slave_0: entered promiscuous mode
[ 82.219381][ T5930] hsr_slave_1: entered promiscuous mode
[ 82.225304][ T5930] debugfs: 'hsr0' already exists in 'hsr'
[ 82.231462][ T5930] Cannot create hsr debugfs directory
[ 82.338888][ T5930] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 82.349132][ T5930] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 82.359560][ T5930] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 82.369490][ T5930] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 82.431937][ T5930] 8021q: adding VLAN 0 to HW filter on device bond0
[ 82.451444][ T5930] 8021q: adding VLAN 0 to HW filter on device team0
[ 82.462384][ T60] bridge0: port 1(bridge_slave_0) entered blocking state
[ 82.469488][ T60] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 82.488405][ T60] bridge0: port 2(bridge_slave_1) entered blocking state
[ 82.495478][ T60] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 82.634014][ T5930] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 82.669589][ T5930] veth0_vlan: entered promiscuous mode
[ 82.679859][ T5930] veth1_vlan: entered promiscuous mode
[ 82.704326][ T5930] veth0_macvtap: entered promiscuous mode
[ 82.715368][ T5930] veth1_macvtap: entered promiscuous mode
[ 82.734887][ T5930] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 82.750652][ T5930] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 82.762618][ T60] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 82.772242][ T60] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 82.782190][ T60] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 82.793148][ T60] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 82.852368][ T12] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 82.860711][ T12] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 82.885601][ T60] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 82.893556][ T60] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
SYZFAIL: failed to recv rpc
[ 83.392967][ T60] netdevsim netdevsim2 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build277648876=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'
git status (err=<nil>)
HEAD detached at d6526ea3e6
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=d6526ea3e6ad9081c902859bbb80f9f840377cb4 -X github.com/google/syzkaller/prog.gitRevisionDate=20251126-113115" ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=d6526ea3e6ad9081c902859bbb80f9f840377cb4 -X github.com/google/syzkaller/prog.gitRevisionDate=20251126-113115" ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=d6526ea3e6ad9081c902859bbb80f9f840377cb4 -X github.com/google/syzkaller/prog.gitRevisionDate=20251126-113115" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"d6526ea3e6ad9081c902859bbb80f9f840377cb4\"
/usr/bin/ld: /tmp/cc0bwYtF.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x386): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=131087fc580000
Tested on:
commit: 994089e6 io_uring/io-wq: don't trigger hung task for s..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux.git syztest
Jens Axboe
Jan 21, 2026, 4:41:23 PM (2 days ago) Jan 21
to syzbot, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
On 1/20/26 8:04 AM, Jens Axboe wrote:
unborked itself again:
syzbot
Jan 21, 2026, 4:43:06 PM (2 days ago) Jan 21
to ax...@kernel.dk, io-u...@vger.kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
syzbot tried to test the proposed patch but the build/boot failed:
failed to checkout kernel repo git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux.git/syztest: failed to run ["git" "checkout" "FETCH_HEAD" "--force"]: exit status 128
Tested on:
commit: [unknown
Tested on:
commit: [unknown
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux.git syztest
kernel config: https://syzkaller.appspot.com/x/.config?x=a11e0f726bfb6765
Jens Axboe
Jan 21, 2026, 6:26:51 PM (2 days ago) Jan 21
to syzbot, syzkall...@googlegroups.com
On 1/20/26 8:04 AM, Jens Axboe wrote:
syzbot
Jan 21, 2026, 9:40:04 PM (2 days ago) Jan 21
to ax...@kernel.dk, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+4eb282...@syzkaller.appspotmail.com
Tested-by: syzbot+4eb282...@syzkaller.appspotmail.com
Tested on:
commit: 57ab5080 io_uring/io-wq: don't trigger hung task for s..
kernel config: https://syzkaller.appspot.com/x/.config?x=8f75eb998b5774eb
dashboard link: https://syzkaller.appspot.com/bug?extid=4eb282331cab6d5b6588
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+4eb282...@syzkaller.appspotmail.com
Tested-by: syzbot+4eb282...@syzkaller.appspotmail.com
Tested on:
commit: 57ab5080 io_uring/io-wq: don't trigger hung task for s..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux.git syztest
console output: https://syzkaller.appspot.com/x/log.txt?x=132ef3fa580000
kernel config: https://syzkaller.appspot.com/x/.config?x=8f75eb998b5774eb
dashboard link: https://syzkaller.appspot.com/bug?extid=4eb282331cab6d5b6588
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.
Reply all
Reply to author
Forward
0 new messages