syzbot
| ID | Workflow | Result | Correct | Bug | Created | Started | Finished | Revision | Error |
|---|---|---|---|---|---|---|---|---|---|
| fef7ec2e-bb9b-4316-9eb7-e42f3326aa10 | repro | (below) | ❓ | BUG: soft lockup in perf_event_open (2) | 2026/03/07 13:46 | 2026/03/07 13:46 | 2026/03/07 13:56 | 31e9c887f7dc24e04b3ca70d0d54fc34141844b0 | |

Result:

ReproOpts: threaded=true,repeat=true,procs=8

ReproSyz:

```
r0 = socket$packet(0x11, 0x3, 0x300)
sendto$packet(r0, &(0x7f0000000040)='ffffffffffff00000000000008004500002e00000000401100007f0000017f00000100000000001a0000000000000000000000000000000000000000', 0x3c, 0x0, 0x0, 0x0)
perf_event_open(&(0x7f0000000000)={0x1, 0x70}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x2)
perf_event_open(&(0x7f0000000000)={0x1, 0x70}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
```

SyzkallerCommit: 31e9c887f7dc24e04b3ca70d0d54fc34141844b0
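What the program above actually does is worth spelling out before reading the agent's reasoning further down. In the crash report below, the RIP of the locked-up CPU is in the ORC unwinder (`unwind_next_frame`) while KASAN saves the allocation stack of an skb in virtio_net's NAPI poll, running as a softirq; the task it interrupted was inside `perf_event_open` -> `perf_event_alloc`, itself in `kasan_save_stack`. The user-space registers in that report (ORIG_RAX 0x12a is `perf_event_open` on x86-64; RDI is the attr pointer, RSI 0, RDX -1, R10 -1, R8 2) are the arguments of the repro's first `perf_event_open` call. The C program that follows is an added example, not code from syzbot or syzkaller. It spells out the `sendto$packet` buffer field by field (a 60-byte broadcast Ethernet frame carrying an IPv4/UDP datagram from 127.0.0.1 to 127.0.0.1 with an all-zero IP header checksum), parses it back to confirm the lengths agree, and issues the same four syscalls. One caveat: the packet socket is created with protocol ETH_P_ALL but never bound, and `sendto` without a destination address on an unbound AF_PACKET socket fails with ENXIO because the kernel has no interface to transmit on, so the program, like the syz repro, sends no traffic. The helper names (`parse_frame`, `repro_frame_info`, `send_raw_frame`, `open_sw_cpu_clock`) are this example's own.

```c
/* Added example (not syzbot's or syzkaller's code): the syz reproducer above as plain C.
 * It spells out the frame handed to sendto$packet and issues the same four syscalls. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/if_ether.h>
#include <linux/perf_event.h>

/* The sendto$packet buffer from the repro (0x3c = 60 bytes), the page's hex string by field. */
static const uint8_t kFrame[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0,0,0,0,0,0, 0x08,0x00, /* dst MAC broadcast, src MAC zero, EtherType IPv4 */
    0x45,0x00,0x00,0x2e, 0,0,0,0, 0x40,0x11,0,0,          /* v4 ihl 5, total len 46, id/frag 0, ttl 64, UDP, csum 0 */
    0x7f,0,0,1, 0x7f,0,0,1,                                /* 127.0.0.1 -> 127.0.0.1 */
    0,0, 0,0, 0x00,0x1a, 0,0,                              /* UDP sport 0, dport 0, len 26, csum 0 (none) */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,                   /* 18 zero payload bytes */
};

struct frame_info {
    int len, broadcast_dst;            /* frame bytes; 1 if dst MAC is ff:ff:ff:ff:ff:ff */
    uint16_t ethertype, ip_total_len;  /* 0x0800 = IPv4; IPv4 total length field */
    uint8_t ip_proto;                  /* 17 = UDP */
    uint32_t ip_src, ip_dst;           /* host byte order */
    uint16_t udp_len;                  /* UDP length field, 0 if not UDP */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }

/* Parse Ethernet II + IPv4 (+ UDP) headers; checksums are not verified. fi is zeroed on failure. */
static int parse_frame(const uint8_t *f, size_t n, struct frame_info *fi)
{
    memset(fi, 0, sizeof(*fi));
    if (n < ETH_HLEN + 20) return -1;
    const uint8_t *ip = f + ETH_HLEN;
    size_t ihl = (ip[0] & 0x0f) * 4u;
    if (ihl < 20 || ETH_HLEN + ihl > n || be16(f + 12) != ETH_P_IP || ip[0] >> 4 != 4) return -1;
    fi->len = (int)n;
    fi->broadcast_dst = be32(f) == 0xffffffffu && be16(f + 4) == 0xffff;
    fi->ethertype = be16(f + 12);
    fi->ip_total_len = be16(ip + 2);
    fi->ip_proto = ip[9];
    fi->ip_src = be32(ip + 12);
    fi->ip_dst = be32(ip + 16);
    if (fi->ip_proto == IPPROTO_UDP && ETH_HLEN + ihl + 8 <= n) fi->udp_len = be16(ip + ihl + 4);
    return 0;
}

/* Parse the repro's frame; every field is zero if it does not parse. */
static struct frame_info repro_frame_info(void)
{
    struct frame_info fi;
    parse_frame(kFrame, sizeof kFrame, &fi);
    return fi;
}

/* socket$packet(AF_PACKET, SOCK_RAW, ETH_P_ALL) then sendto$packet with no address. The socket
 * is never bound, so the kernel has no interface to send on and sendto fails with ENXIO. */
static int send_raw_frame(const uint8_t *f, size_t n)   /* returns 0 or -errno */
{
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) return -errno;
    int err = sendto(fd, f, n, 0, NULL, 0) < 0 ? -errno : 0;
    close(fd);
    return err;
}

/* perf_event_open(&{type=PERF_TYPE_SOFTWARE, size=0x70}, pid=0, cpu=-1, group_fd=-1, flags):
 * config 0 is PERF_COUNT_SW_CPU_CLOCK. Returns the new fd or -errno. */
static int open_sw_cpu_clock(unsigned long flags)
{
    struct perf_event_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.type = PERF_TYPE_SOFTWARE;
    attr.size = 0x70;                  /* PERF_ATTR_SIZE_VER5, the size the repro passes */
    attr.config = PERF_COUNT_SW_CPU_CLOCK;
    long fd = syscall(SYS_perf_event_open, &attr, 0, -1, -1, flags);
    return fd < 0 ? -errno : (int)fd;
}

int main(void)
{
    struct frame_info fi = repro_frame_info();
    /* One iteration of the program; syzkaller ran it with repeat=true, procs=8. */
    int err = send_raw_frame(kFrame, sizeof kFrame);
    int fd1 = open_sw_cpu_clock(PERF_FLAG_FD_OUTPUT), fd2 = open_sw_cpu_clock(0);
    printf("frame: %d bytes bcast=%d type=0x%04x ip_len=%u proto=%u udp_len=%u\n", fi.len,
           fi.broadcast_dst, fi.ethertype, fi.ip_total_len, fi.ip_proto, fi.udp_len);
    printf("sendto: %s\nperf_event_open(flags=2): %s\nperf_event_open(flags=0): %s\n",
           err ? strerror(-err) : "ok", fd1 < 0 ? strerror(-fd1) : "ok", fd2 < 0 ? strerror(-fd2) : "ok");
    return 0;
}
```

Compile with `cc -Wall` and run it as root in a disposable VM: AF_PACKET needs CAP_NET_RAW, and `perf_event_open` may be restricted by `kernel.perf_event_paranoid`. Without those privileges the frame parse still runs and the syscalls simply report their errno.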
```
watchdog: BUG: soft lockup - CPU#1 stuck for 144s! [syz.2.407:7202]
Modules linked in:
irq event stamp: 11017141
hardirqs last enabled at (11017140): [<ffffffff8b96fbbc>] irqentry_exit+0x59c/0x620 kernel/entry/common.c:219
hardirqs last disabled at (11017141): [<ffffffff8b96e5ce>] sysvec_apic_timer_interrupt+0xe/0xc0 arch/x86/kernel/apic/apic.c:1056
softirqs last enabled at (1158618): [<ffffffff8186fcaf>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last enabled at (1158618): [<ffffffff8186fcaf>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last enabled at (1158618): [<ffffffff8186fcaf>] __irq_exit_rcu+0x5f/0x150 kernel/softirq.c:723
softirqs last disabled at (1158621): [<ffffffff8186fcaf>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (1158621): [<ffffffff8186fcaf>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (1158621): [<ffffffff8186fcaf>] __irq_exit_rcu+0x5f/0x150 kernel/softirq.c:723
CPU: 1 UID: 0 PID: 7202 Comm: syz.2.407 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
RIP: 0010:orc_ip arch/x86/kernel/unwind_orc.c:81 [inline]
RIP: 0010:__orc_find arch/x86/kernel/unwind_orc.c:103 [inline]
RIP: 0010:orc_find arch/x86/kernel/unwind_orc.c:238 [inline]
RIP: 0010:unwind_next_frame+0x513/0x23c0 arch/x86/kernel/unwind_orc.c:510
Code: c1 e8 3f 48 01 c8 48 83 e0 fe 4c 8d 3c 45 00 00 00 00 49 01 ef 4c 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df 0f b6 04 08 <84> c0 75 27 49 63 07 4c 01 f8 49 8d 4f 04 4c 39 e0 48 0f 46 e9 49
RSP: 0018:ffffc90000a08298 EFLAGS: 00000a07
RAX: 0000000000000000 RBX: ffffffff90105e04 RCX: dffffc0000000000
RDX: ffffffff90105db8 RSI: ffffffff909037ee RDI: ffffffff8c073920
RBP: ffffffff90105db8 R08: 0000000000000014 R09: ffffffff8e55a360
R10: ffffc90000a08040 R11: ffffffff81afb170 R12: ffffffff822c920b
R13: ffffffff90105db8 R14: ffffc90000a08368 R15: ffffffff90105ddc
FS: 00007f5675fa96c0(0000) GS:ffff8881257f5000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f04877456b8 CR3: 00000000758f6000 CR4: 00000000003526f0
Call Trace:
 <IRQ>
 arch_stack_walk+0x11b/0x150 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0xa9/0x100 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 unpoison_slab_object mm/kasan/common.c:340 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4953 [inline]
 kmem_cache_alloc_bulk_noprof+0x48c/0x740 mm/slub.c:7525
 napi_skb_cache_get+0x41e/0x780 net/core/skbuff.c:291
 __alloc_skb+0x152/0x390 net/core/skbuff.c:668
 napi_alloc_skb+0x84/0x7c0 net/core/skbuff.c:832
 page_to_skb+0x2ce/0x870 drivers/net/virtio_net.c:887
 receive_mergeable drivers/net/virtio_net.c:2497 [inline]
 receive_buf+0x546/0x1900 drivers/net/virtio_net.c:2643
 virtnet_receive_packets drivers/net/virtio_net.c:2970 [inline]
 virtnet_receive drivers/net/virtio_net.c:2994 [inline]
 virtnet_poll+0x21f0/0x2fe0 drivers/net/virtio_net.c:3083
 __napi_poll+0xae/0x340 net/core/dev.c:7681
 napi_poll net/core/dev.c:7744 [inline]
 net_rx_action+0x627/0xf70 net/core/dev.c:7896
 handle_softirqs+0x22a/0x7c0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0x5f/0x150 kernel/softirq.c:723
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1056
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:preempt_schedule_irq+0x48/0xa0 kernel/sched/core.c:7194
Code: 49 be 00 00 00 00 00 fc ff df eb 09 48 f7 03 10 00 00 00 74 53 bf 01 00 00 00 e8 b3 9c fa f5 e8 ae 30 34 f6 fb bf 01 00 00 00 <e8> 43 a9 ff ff 9c 58 fa a9 00 02 00 00 74 05 e8 34 32 34 f6 bf 01
RSP: 0018:ffffc90004b8f530 EFLAGS: 00000202
RAX: 0000000000007025 RBX: 0000000000000000 RCX: 0000000000000001
RDX: 0000000000000007 RSI: ffffffff8dcc9112 RDI: 0000000000000001
RBP: 0000000000000000 R08: ffffffff8fef1a77 R09: 1ffffffff1fde34e
R10: dffffc0000000000 R11: fffffbfff1fde34f R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: 0000000000000000
 irqentry_exit+0x597/0x620 kernel/entry/common.c:216
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:orc_find arch/x86/kernel/unwind_orc.c:229 [inline]
RIP: 0010:unwind_next_frame+0x223/0x23c0 arch/x86/kernel/unwind_orc.c:510
Code: 86 78 04 00 00 44 89 f8 4c 8d 2c 85 8c eb 2d 91 4c 89 e8 48 c1 e8 03 0f b6 04 28 84 c0 48 89 eb 0f 85 25 1c 00 00 45 8b 6d 00 <44> 89 f8 ff c0 48 8d 2c 85 8c eb 2d 91 48 89 e8 48 c1 e8 03 0f b6
RSP: 0018:ffffc90004b8f658 EFLAGS: 00000246
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000080000000
RDX: 00000000000a9ab5 RSI: ffffffff8c073960 RDI: ffffffff8c073920
RBP: dffffc0000000000 R08: ffffffff81759195 R09: ffffffff8e55a360
R10: ffffc90004b8f400 R11: ffffffff81afb170 R12: ffffffff81f6b0e8
R13: 0000000000032842 R14: ffffc90004b8f728 R15: 000000000000f6b0
 arch_stack_walk+0x11b/0x150 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0xa9/0x100 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 unpoison_slab_object mm/kasan/common.c:340 [inline]
 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4953 [inline]
 slab_alloc_node mm/slub.c:5263 [inline]
 kmem_cache_alloc_node_noprof+0x427/0x6f0 mm/slub.c:5315
 perf_event_alloc+0x1cb/0x2e40 kernel/events/core.c:12960
 __do_sys_perf_event_open kernel/events/core.c:13590 [inline]
 __se_sys_perf_event_open+0x7a9/0x1d60 kernel/events/core.c:13471
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f567519aeb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5675fa9028 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 00007f5675415fa0 RCX: 00007f567519aeb9
RDX: ffffffffffffffff RSI: 0000000000000000 RDI: 0000200000000440
RBP: 00007f5675208c1f R08: 0000000000000002 R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000
R13: 00007f5675416038 R14: 00007f5675415fa0 R15: 00007ffda8335dc8
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 18 Comm: rcu_exp_gp_kthr Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
RIP: 0010:kasan_check_range+0x5/0x2c0 mm/kasan/generic.c:199
Code: 48 c7 c6 a5 56 f3 8d e8 49 64 fb fe 90 0f 0b cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 40 d6 55 <41> 57 41 56 41 55 41 54 53 b0 01 48 85 f6 0f 84 ae 01 00 00 4c 8d
RSP: 0018:ffffc90000007a28 EFLAGS: 00000002
RAX: 0000000000000001 RBX: 000000000000000d RCX: ffffffff819f9e7b
RDX: 0000000000000001 RSI: 000000000000000d RDI: ffffe8ffffcc4018
RBP: ffffc90000007b60 R08: 0000000000000004 R09: 0000000000000006
R10: dffffc0000000000 R11: fffffbfff175bf69 R12: ffffffff819f9e7b
R13: 000000000000000e R14: ffffffff8badfb40 R15: ffffe8ffffcc4018
FS: 0000000000000000(0000) GS:ffff8881256f5000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000051000 CR3: 00000000688bc000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 <IRQ>
 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106
 do_perf_trace_lock include/trace/events/lock.h:50 [inline]
 perf_trace_lock+0x2ab/0x3f0 include/trace/events/lock.h:50
 __do_trace_lock_release include/trace/events/lock.h:69 [inline]
 trace_lock_release include/trace/events/lock.h:69 [inline]
 lock_release+0x379/0x3a0 kernel/locking/lockdep.c:5879
 rcu_lock_release include/linux/rcupdate.h:341 [inline]
 rcu_read_unlock include/linux/rcupdate.h:897 [inline]
 select_task_rq_fair+0x2b53/0x43f0 kernel/sched/fair.c:8583
 select_task_rq kernel/sched/core.c:3497 [inline]
 try_to_wake_up+0x4d7/0x1380 kernel/sched/core.c:4206
 hrtimer_wakeup+0x4e/0x60 kernel/time/hrtimer.c:2013
 __run_hrtimer kernel/time/hrtimer.c:1777 [inline]
 __hrtimer_run_queues+0x527/0xc30 kernel/time/hrtimer.c:1841
 hrtimer_interrupt+0x42b/0x1010 kernel/time/hrtimer.c:1903
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1045 [inline]
 __sysvec_apic_timer_interrupt+0x102/0x3d0 arch/x86/kernel/apic/apic.c:1062
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
 sysvec_apic_timer_interrupt+0xa1/0xc0 arch/x86/kernel/apic/apic.c:1056
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:console_trylock_spinning kernel/printk/printk.c:2037 [inline]
RIP: 0010:vprintk_emit+0x45d/0x560 kernel/printk/printk.c:2425
Code: 0f 84 44 ff ff ff e8 e2 45 21 00 fb eb 44 e8 da 45 21 00 e8 a5 bd f3 09 4d 85 f6 74 94 e8 cb 45 21 00 fb 48 c7 c7 60 c7 54 8e <31> f6 ba 01 00 00 00 31 c9 41 b8 01 00 00 00 45 31 c9 53 e8 3b 1b
RSP: 0018:ffffc90000177940 EFLAGS: 00000293
RAX: ffffffff81a33185 RBX: ffffffff81a32fff RCX: ffff88801cef1e80
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8e54c760
RBP: ffffc900001779f0 R08: ffffffff8fef1a77 R09: 1ffffffff1fde34e
R10: dffffc0000000000 R11: fffffbfff1fde34f R12: 0000000000000000
R13: 0000000000000041 R14: 0000000000000200 R15: 1ffff9200002ef2c
 _printk+0xdd/0x130 kernel/printk/printk.c:2451
 synchronize_rcu_expedited_stall+0x5f/0x1170 kernel/rcu/tree_exp.h:570
 synchronize_rcu_expedited_wait kernel/rcu/tree_exp.h:668 [inline]
 rcu_exp_wait_wake kernel/rcu/tree_exp.h:687 [inline]
 rcu_exp_sel_wait_wake+0x897/0xe50 kernel/rcu/tree_exp.h:721
 kthread_worker_fn+0x4ee/0xb00 kernel/kthread.c:1005
 kthread+0x726/0x8b0 kernel/kthread.c:463
 ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>
```
| Seq | Timestamp | Type | Name | Duration |
|---|---|---|---|---|
| 0/0 | 2026/03/07 13:46 | flow | repro | 9m |

Results: ReproOpts: threaded=true,repeat=true,procs=8; ReproSyz:

```
r0 = socket$packet(0x11, 0x3, 0x300)
sendto$packet(r0, &(0x7f0000000040)='ffffffffffff00000000000008004500002e00000000401100007f0000017f00000100000000001a0000000000000000000000000000000000000000', 0x3c, 0x0, 0x0, 0x0)
perf_event_open(&(0x7f0000000000)={0x1, 0x70}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x2)
perf_event_open(&(0x7f0000000000)={0x1, 0x70}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
```

SyzkallerCommit: 31e9c887f7dc24e04b3ca70d0d54fc34141844b0
| 1/1 | 2026/03/07 13:46 | action | provide-var | 0m |

Results: map[DescriptionFiles:[acpi_thermal_rel.txt aio.txt auto.txt binfmt.txt bpf.txt bpf_prog.txt bpf_trace.txt cgroup.txt damon.txt dev_ashmem.txt dev_bifrost.txt dev_binder.txt dev_binderfs.txt dev_block.txt dev_bsg.txt dev_bus_usb.txt dev_camx.txt dev_cdrom.txt dev_cec.txt dev_char_usb.txt dev_comedi.txt dev_dma_heap.txt dev_dri.txt dev_dsp.txt dev_dvb_demux.txt dev_dvb_dvr.txt dev_dvb_frontend.txt dev_fb.txt dev_floppy.txt dev_hidraw.txt dev_i2c.txt dev_i915.txt dev_img_rogue.txt dev_infiniband_rdma.txt dev_infiniband_rdma_cm.txt dev_input.txt dev_iommu.txt dev_kvm.txt dev_kvm_amd64.txt dev_kvm_arm64.txt dev_kvm_extra.txt dev_kvm_riscv64.txt dev_loop.txt dev_mali.txt dev_media.txt dev_msm.txt dev_msr.txt dev_nbd.txt dev_net_tun.txt dev_panthor.txt dev_ppp.txt dev_ptmx.txt dev_ptp.txt dev_qat_adf_ctl.txt dev_qrtr_tun.txt dev_random.txt dev_rfkill.txt dev_rtc.txt dev_sequencer.txt dev_sg.txt dev_snapshot.txt dev_snd_control.txt dev_snd_hw.txt dev_snd_midi.txt dev_snd_pcm.txt dev_snd_seq.txt dev_snd_timer.txt dev_sr.txt dev_sw_sync.txt dev_tlk_device.txt dev_trusty.txt dev_udmabuf.txt dev_uhid.txt dev_uinput.txt dev_usb_hiddev.txt dev_usbmon.txt dev_userio.txt dev_vfio.txt dev_vga_arbiter.txt dev_vhci.txt dev_video4linux.txt dev_video4linux_vim2m.txt dev_virtual_nci.txt dev_vtpm.txt fanotify.txt filesystem.txt fs_9p.txt fs_fuse.txt fs_incfs.txt fs_ioctl.txt fs_ioctl_autofs.txt fs_ioctl_btrfs.txt fs_ioctl_ext4.txt fs_ioctl_f2fs.txt fs_ioctl_fat.txt fs_ioctl_fscrypt.txt fs_ioctl_fsverity.txt fs_ioctl_xfs.txt futex.txt hafnium.txt inotify.txt io_uring.txt ipc.txt key.txt kfuzztest.txt l2cap.txt landlock.txt lsm.txt namespaces.txt net_80211.txt netfilter.txt netfilter_arp.txt netfilter_bridge.txt netfilter_ipv4.txt netfilter_ipv6.txt netfilter_ipvs.txt netfilter_targets.txt pagemap_ioctl.txt perf.txt prctl.txt quotactl.txt seccomp.txt security_apparmor.txt security_selinux.txt security_smack.txt socket.txt socket_alg.txt socket_ax25.txt socket_bluetooth.txt socket_caif.txt socket_can.txt socket_ieee802154.txt socket_inet.txt socket_inet6.txt socket_inet_dccp.txt socket_inet_icmp.txt socket_inet_igmp.txt socket_inet_l2tp.txt socket_inet_sctp.txt socket_inet_tcp.txt socket_inet_udp.txt socket_ip_tunnel.txt socket_isdn.txt socket_kcm.txt socket_key.txt socket_llc.txt socket_netlink.txt socket_netlink_audit.txt socket_netlink_crypto.txt socket_netlink_generic.txt socket_netlink_generic_80211.txt socket_netlink_generic_batadv.txt socket_netlink_generic_devlink.txt socket_netlink_generic_ethtool.txt socket_netlink_generic_fou.txt socket_netlink_generic_gtp.txt socket_netlink_generic_mptcp.txt socket_netlink_generic_net_dm.txt socket_netlink_generic_netlabel.txt socket_netlink_generic_nfc.txt socket_netlink_generic_seg6.txt socket_netlink_generic_smc.txt socket_netlink_generic_team.txt socket_netlink_generic_wireguard.txt socket_netlink_netfilter.txt socket_netlink_netfilter_acct.txt socket_netlink_netfilter_conntrack.txt socket_netlink_netfilter_conntrack_exp.txt socket_netlink_netfilter_conntrack_helper.txt socket_netlink_netfilter_ipset.txt socket_netlink_netfilter_log.txt socket_netlink_netfilter_nft_compat.txt socket_netlink_netfilter_nftables.txt socket_netlink_netfilter_osf.txt socket_netlink_netfilter_queue.txt socket_netlink_netfilter_timeout.txt socket_netlink_rdma.txt socket_netlink_route.txt socket_netlink_route_sched.txt socket_netlink_route_sched_retired.txt socket_netlink_sock_diag.txt socket_netlink_xfrm.txt socket_netrom.txt socket_nfc.txt socket_nvme_of_tcp.txt socket_packet.txt socket_phonet.txt socket_pppox.txt socket_qipcrtr.txt socket_rds.txt socket_rose.txt socket_rxrpc.txt socket_tipc.txt socket_tipc_netlink.txt socket_unix.txt socket_vnet.txt socket_x25.txt socket_xdp.txt sys.txt uffd.txt usbip.txt vmw_vmci.txt vnet.txt vnet_mptcp.txt vusb.txt watch_queue.txt xattr.txt] SyzkallerCommit:31e9c887f7dc24e04b3ca70d0d54fc34141844b0]
| 2/1 | 2026/03/07 13:46 | action | kernel-checkouter | 0m |

Results: map[KernelSrc:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/src/8c64ca34582568f44cbf475e4f60a6f0b9d98e80]
| 3/1 | 2026/03/07 13:47 | action | kernel-builder | 6m |

Results: map[KernelObj:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/build/e08637dc5fcc3e9b3fa5558856247b4e93cfc395]
| 4/1 | 2026/03/07 13:54 | agent | crash-repro-finder | 2m |

Model: gemini-3-pro-preview
Results: map[ReproOpts:threaded=true,repeat=true,procs=8]

Instruction: You are an expert in linux kernel fuzzing. Your goal is to write a syzkaller program to trigger a specific bug. Print only the syz program that could be executed directly, without backticks. Use set-results tool to provide results of the analysis. It must be called exactly once before the final reply. Ignore results of this tool.

Prompt: Bug Title: BUG: soft lockup in perf_event_open

Original Crash Report: [identical to the crash report above]

The list of existing description files: [identical to the DescriptionFiles list in step 1/1 above]

Reply:

```
r0 = socket$packet(0x11, 0x3, 0x300)
sendto$packet(r0, &(0x7f0000000040)='ffffffffffff00000000000008004500002e00000000401100007f0000017f00000100000000001a0000000000000000000000000000000000000000', 0x3c, 0x0, 0x0, 0x0)
perf_event_open(&(0x7f0000000000)={0x1, 0x70}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x2)
perf_event_open(&(0x7f0000000000)={0x1, 0x70}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
```
| 5/2 | 2026/03/07 13:54 | llm | crash-repro-finder | 2m |

Model: gemini-3-pro-preview
Tokens: input: 8375 output: 29 thoughts: 16509

Thoughts: **Analysis and Reproduction Strategy for Soft Lockup in perf_event_open**
Okay, so the goal is to create a syzkaller program that triggers a "soft lockup in `perf_event_open`," specifically the one observed in the crash report. The report indicates a lockup on CPU#1, with a stack trace that involves `perf_event_open` -> `perf_event_alloc` -> `kmem_cache_alloc_node_noprof` -> KASAN instrumentation (like `kasan_save_stack`). The crash is likely due to the interrupt processing of the networking virtio device, specifically `virtnet_poll`. KASAN instrumentation during network activity seems to contribute to the problem. The core idea is that heavy network activity during a memory allocation inside `perf_event_open` is the key.
First, I examined the stack trace and the userspace and kernel registers provided in the crash report. The crucial aspect is the interplay between the `perf_event_open` system call, the interrupt handler (timer), and the network traffic. The networking side (`virtnet_poll` -> `receive_buf` -> `napi_alloc_skb`) suggests the VM is receiving a significant amount of data, possibly from the host or another part of the VM. It seems the problem lies in the interaction between `perf_event_open`'s memory allocation (which can be slow with KASAN) and the high volume of interrupt-driven network RX. The reported registers also show `PERF_FLAG_FD_OUTPUT` (2) set, with `group_fd=-1`. This is a potential problem in the code as `group_fd` should be a valid file descriptor. However, this argument combination does not pass the checks at the beginning of the `perf_event_open` syscall. This means that the provided registers might be from a different call, or maybe the code flow differs from what I understand.
My initial hypothesis is that high network traffic is causing this, so I will try to replicate this behavior. I will craft a syzkaller program that attempts to reproduce this. The program will:
1. Make a call to `perf_event_open` with specific arguments (which might be the cause).
2. Also add a call with standard arguments `flags=0`, just in case that's the one that crashed.
3. Generate network load to simulate an environment where RX is high, similar to `virtnet_receive_packets`.
To achieve this, I will use a packet socket (`socket$packet`). I will send Ethernet packets to mimic network activity and attempt to fill the virtqueue of the virtual network adapter, and hopefully the VM will process these with high CPU utilization. This should allow `perf_event_open` to be interrupted and be the victim of the overload of RX, which would lead to the observed lockup.
I will attempt to set `perf_event_attr` fields that are valid but not too complex (`PERF_TYPE_SOFTWARE`, `PERF_COUNT_SW_CPU_CLOCK`).
Here is the code I will use:
```
r0 = socket$packet(0x11, 0x3, 0x300)
sendto$packet(r0, &(0x7f0000000040)='ffffffffffff00000000000008004500002e00000000401100007f0000017f00000100000000001a0000000000000000000000000000000000000000', 0x3c, 0x0, 0x0, 0x0)
perf_event_open(&(0x7f0000000000)={0x1, 0x70}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x2)
perf_event_open(&(0x7f0000000000)={0x1, 0x70}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
```
I will set the socket protocol to ETH_P_ALL (0x0300).
The Ethernet packet uses broadcast.
To maximize the probability of reproducing the issue, I will run the program using `threaded=true`, `repeat=true
| 6/2 | 2026/03/07 13:56 | tool | set-results | 0m |

Args: map[ReproOpts:threaded=true,repeat=true,procs=8]
Results: map[ReproOpts:threaded=true,repeat=true,procs=8]
| 7/2 | 2026/03/07 13:56 | llm | crash-repro-finder | 0m |

Model: gemini-3-pro-preview
Tokens: input: 25965 output: 298 thoughts: 0