syzbot

INFO: task syz.3.4848:15401 blocked for more than 143 seconds.
      Not tainted 6.11.0-syzkaller-12113-ge7ed34365879 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.3.4848      state:D stack:28624 pid:15401 tgid:15397 ppid:5216   flags:0x00000004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5315 [inline]
 __schedule+0xef5/0x5750 kernel/sched/core.c:6675
 __schedule_loop kernel/sched/core.c:6752 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6767
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6824
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
 __tun_chr_ioctl+0x621/0x4760 drivers/net/tun.c:3121
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl fs/ioctl.c:893 [inline]
 __x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5c6197dff9
RSP: 002b:00007f5c62707038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f5c61b36058 RCX: 00007f5c6197dff9
RDX: 00000000ffff0324 RSI: 00000000400454cd RDI: 0000000000000003
RBP: 00007f5c619f0296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000001 R14: 00007f5c61b36058 R15: 00007fff22699d18
 </TASK>
INFO: task syz.0.4849:15400 blocked for more than 143 seconds.
      Not tainted 6.11.0-syzkaller-12113-ge7ed34365879 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.4849      state:D stack:27888 pid:15400 tgid:15399 ppid:5221   flags:0x00000004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5315 [inline]
 __schedule+0xef5/0x5750 kernel/sched/core.c:6675
 __schedule_loop kernel/sched/core.c:6752 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6767
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6824
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
 rtnl_lock net/core/rtnetlink.c:79 [inline]
 rtnl_dumpit+0x18f/0x1f0 net/core/rtnetlink.c:6505
 netlink_dump+0x552/0xcc0 net/netlink/af_netlink.c:2325
 __netlink_dump_start+0x6ca/0x970 net/netlink/af_netlink.c:2440
 netlink_dump_start include/linux/netlink.h:339 [inline]
 rtnetlink_dump_start net/core/rtnetlink.c:6535 [inline]
 rtnetlink_rcv_msg+0xb44/0xea0 net/core/rtnetlink.c:6602
 netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2550
 netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
 netlink_unicast+0x53c/0x7f0 net/netlink/af_netlink.c:1357
 netlink_sendmsg+0x8b8/0xd70 net/netlink/af_netlink.c:1901
 sock_sendmsg_nosec net/socket.c:729 [inline]
 __sock_sendmsg net/socket.c:744 [inline]
 sock_write_iter+0x4fe/0x5b0 net/socket.c:1165
 new_sync_write fs/read_write.c:590 [inline]
 vfs_write+0x6b5/0x1140 fs/read_write.c:683
 ksys_write+0x1fa/0x260 fs/read_write.c:736
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7faab2d7dff9
RSP: 002b:00007faab3a92038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007faab2f35f80 RCX: 00007faab2d7dff9
RDX: 0000000000000024 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 00007faab2df0296 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007faab2f35f80 R15: 00007ffc2e012cd8
 </TASK>

Showing all locks held in the system:
2 locks held by kworker/u8:0/11:
 #0: ffff88801b089148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
 #1: ffffc90000107d80 ((work_completion)(&pool->idle_cull_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
4 locks held by kworker/u8:1/12:
 #0: ffff8880206f9148 ((wq_completion)writeback){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
 #1: ffffc90000117d80 ((work_completion)(&(&wb->dwork)->work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
 #2: ffff88814ce2c0e0 (&type->s_umount_key#52){++++}-{3:3}, at: super_trylock_shared+0x1e/0xf0 fs/super.c:562
 #3: ffff88814ce2eb98 (&sbi->s_writepages_rwsem){++++}-{0:0}, at: do_writepages+0x1a3/0x7f0 mm/page-writeback.c:2683
6 locks held by kworker/1:0/25:
1 lock held by khungtaskd/30:
 #0: ffffffff8e1b8340 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
 #0: ffffffff8e1b8340 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
 #0: ffffffff8e1b8340 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x7f/0x390 kernel/locking/lockdep.c:6720
3 locks held by kworker/u8:2/35:
 #0: ffff88814b959948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
 #1: ffffc90000ab7d80 ((work_completion)(&(&net->ipv6.addr_chk_work)->work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
 #2: ffffffff8fee0b68 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_verify_work+0x12/0x30 net/ipv6/addrconf.c:4736
2 locks held by kworker/u8:4/62:
3 locks held by syslogd/4656:
2 locks held by udevd/4674:
2 locks held by dhcpcd/4887:
1 lock held by dhcpcd/4888:
2 locks held by getty/4971:
 #0: ffff88803253a0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
 #1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfba/0x1480 drivers/tty/n_tty.c:2211
1 lock held by syz-executor/5206:
1 lock held by syz-executor/5229:
3 locks held by kworker/1:4/5266:
 #0: ffff88801b080948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
 #1: ffffc90004297d80 (deferred_process_work){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
 #2: ffffffff8fee0b68 (rtnl_mutex){+.+.}-{3:3}, at: switchdev_deferred_process_work+0xe/0x20 net/switchdev/switchdev.c:104
3 locks held by kworker/0:6/5329:
3 locks held by syz.4.4843/15390:
 #0: ffff888026e1a0a0 (&tty->ldisc_sem){++++}-{0:0}, at: __tty_ldisc_lock drivers/tty/tty_ldisc.c:289 [inline]
 #0: ffff888026e1a0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_lock_pair_timeout drivers/tty/tty_ldisc.c:345 [inline]
 #0: ffff888026e1a0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_lock_pair drivers/tty/tty_ldisc.c:366 [inline]
 #0: ffff888026e1a0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_release+0x86/0x2a0 drivers/tty/tty_ldisc.c:780
 #1: ffff888026e1c0a0 (&tty->ldisc_sem/1){+.+.}-{0:0}, at: __tty_ldisc_lock_nested drivers/tty/tty_ldisc.c:295 [inline]
 #1: ffff888026e1c0a0 (&tty->ldisc_sem/1){+.+.}-{0:0}, at: tty_ldisc_lock_pair_timeout drivers/tty/tty_ldisc.c:347 [inline]
 #1: ffff888026e1c0a0 (&tty->ldisc_sem/1){+.+.}-{0:0}, at: tty_ldisc_lock_pair drivers/tty/tty_ldisc.c:366 [inline]
 #1: ffff888026e1c0a0 (&tty->ldisc_sem/1){+.+.}-{0:0}, at: tty_ldisc_release+0xb0/0x2a0 drivers/tty/tty_ldisc.c:780
 #2: ffffffff8e1c3cb8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock+0x1a4/0x3b0 kernel/rcu/tree_exp.h:329
3 locks held by syz.3.4848/15398:
1 lock held by syz.3.4848/15401:
 #0: ffffffff8fee0b68 (rtnl_mutex){+.+.}-{3:3}, at: __tun_chr_ioctl+0x621/0x4760 drivers/net/tun.c:3121
2 locks held by syz.0.4849/15400:
 #0: ffff888032afd6c8 (nlk_cb_mutex-ROUTE){+.+.}-{3:3}, at: __netlink_dump_start+0x154/0x970 net/netlink/af_netlink.c:2404
 #1: ffffffff8fee0b68 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
 #1: ffffffff8fee0b68 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_dumpit+0x18f/0x1f0 net/core/rtnetlink.c:6505

=============================================

NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.11.0-syzkaller-12113-ge7ed34365879 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline]
 watchdog+0xf0c/0x1240 kernel/hung_task.c:379
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 25 Comm: kworker/1:0 Not tainted 6.11.0-syzkaller-12113-ge7ed34365879 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events nsim_dev_trap_report_work
RIP: 0010:stack_trace_consume_entry+0x93/0x170 kernel/stacktrace.c:89
Code: 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 98 00 00 00 <8b> 43 0c 85 c0 75 57 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1
RSP: 0018:ffffc90000a17888 EFLAGS: 00000246
RAX: 0000000000000007 RBX: ffffc90000a17968 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff89ec7817 RDI: ffffc90000a17974
RBP: 0000000000000014 R08: ffffc90000a178dc R09: ffffffff918d5d2c
R10: ffffc90000a178a8 R11: 000000000008ec70 R12: ffffffff81795040
R13: ffffc90000a17968 R14: 0000000000000000 R15: ffff88801d6c9e00
FS:  0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fad350656c0 CR3: 000000007b2da000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <NMI>
 </NMI>
 <IRQ>
 arch_stack_walk+0x86/0x100 arch/x86/kernel/stacktrace.c:27
 stack_trace_save+0x95/0xd0 kernel/stacktrace.c:122
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:2343 [inline]
 slab_free mm/slub.c:4580 [inline]
 kmem_cache_free+0x152/0x4b0 mm/slub.c:4682
 __skb_ext_put+0x102/0x2c0 net/core/skbuff.c:7101
 __skb_ext_del+0xf3/0x340 net/core/skbuff.c:7068
 skb_ext_del include/linux/skbuff.h:4843 [inline]
 nf_bridge_info_free net/bridge/br_netfilter_hooks.c:155 [inline]
 br_nf_dev_queue_xmit+0x6f2/0x2900 net/bridge/br_netfilter_hooks.c:942
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 br_nf_post_routing+0x8ee/0x11b0 net/bridge/br_netfilter_hooks.c:989
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626
 nf_hook+0x474/0x7d0 include/linux/netfilter.h:269
 NF_HOOK include/linux/netfilter.h:312 [inline]
 br_forward_finish+0xcd/0x130 net/bridge/br_forward.c:66
 br_nf_hook_thresh+0x303/0x410 net/bridge/br_netfilter_hooks.c:1190
 br_nf_forward_finish+0x66a/0xba0 net/bridge/br_netfilter_hooks.c:689
 NF_HOOK include/linux/netfilter.h:314 [inline]
 NF_HOOK include/linux/netfilter.h:308 [inline]
 br_nf_forward_ip.part.0+0x610/0x820 net/bridge/br_netfilter_hooks.c:743
 br_nf_forward_ip net/bridge/br_netfilter_hooks.c:703 [inline]
 br_nf_forward+0xf11/0x1bd0 net/bridge/br_netfilter_hooks.c:800
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0xbb/0x200 net/netfilter/core.c:626
 nf_hook+0x474/0x7d0 include/linux/netfilter.h:269
 NF_HOOK include/linux/netfilter.h:312 [inline]
 __br_forward+0x1be/0x5b0 net/bridge/br_forward.c:115
 deliver_clone+0x5b/0xa0 net/bridge/br_forward.c:131
 maybe_deliver+0xa7/0x120 net/bridge/br_forward.c:190
 br_flood+0x17e/0x5c0 net/bridge/br_forward.c:236
 br_handle_frame_finish+0xda5/0x1c80 net/bridge/br_input.c:215
 br_nf_hook_thresh+0x303/0x410 net/bridge/br_netfilter_hooks.c:1190
 br_nf_pre_routing_finish_ipv6+0x76a/0xfb0 net/bridge/br_netfilter_ipv6.c:154
 NF_HOOK include/linux/netfilter.h:314 [inline]
 br_nf_pre_routing_ipv6+0x3ce/0x8c0 net/bridge/br_netfilter_ipv6.c:184
 br_nf_pre_routing+0x860/0x15b0 net/bridge/br_netfilter_hooks.c:532
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_bridge_pre net/bridge/br_input.c:277 [inline]
 br_handle_frame+0x9eb/0x1490 net/bridge/br_input.c:424
 __netif_receive_skb_core.constprop.0+0xa3d/0x4330 net/core/dev.c:5556
 __netif_receive_skb_one_core+0xb1/0x1e0 net/core/dev.c:5660
 __netif_receive_skb+0x1d/0x160 net/core/dev.c:5775
 process_backlog+0x443/0x15f0 net/core/dev.c:6107
 __napi_poll.constprop.0+0xb7/0x550 net/core/dev.c:6771
 napi_poll net/core/dev.c:6840 [inline]
 net_rx_action+0xa92/0x1010 net/core/dev.c:6962
 handle_softirqs+0x213/0x8f0 kernel/softirq.c:554
 do_softirq kernel/softirq.c:455 [inline]
 do_softirq+0xb2/0xf0 kernel/softirq.c:442
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:382
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:820 [inline]
 nsim_dev_trap_report_work+0x870/0xc80 drivers/net/netdevsim/dev.c:850
 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
net_ratelimit: 26350 callbacks suppressed
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:52:55:20:d2:88:6e, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:52:55:20:d2:88:6e, vlan:0)