syzbot


BUG: soft lockup in addrconf_rs_timer (3)

Status: premoderation: reported on 2025/04/04 20:11
Reported-by: syzbot+5aa405e54f657a441ae8@syzkaller.appspotmail.com
First crash: 46d, last: 46d
Similar bugs (20)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream BUG: soft lockup in addrconf_rs_timer (3) net syz 8 601d 665d 0/28 auto-obsoleted due to no activity on 2024/01/05 16:48
upstream BUG: soft lockup in addrconf_rs_timer (4) net 1 497d 497d 0/28 closed as invalid on 2024/03/12 13:17
android-6-1 BUG: soft lockup in addrconf_rs_timer 1 570d 570d 0/2 auto-obsoleted due to no activity on 2024/01/27 13:54
android-5-10 BUG: soft lockup in addrconf_rs_timer (2) C 265 1d21h 332d 0/2 upstream: reported C repro on 2024/06/22 20:35
android-5-10 BUG: soft lockup in addrconf_rs_timer 2 660d 678d 0/2 auto-obsoleted due to no activity on 2023/10/29 01:38
linux-6.1 BUG: soft lockup in addrconf_rs_timer C done 26 707d 719d 3/3 fixed on 2023/07/30 15:47
linux-4.19 BUG: soft lockup in addrconf_rs_timer syz error 24 842d 1524d 0/1 upstream: reported syz repro on 2021/03/19 06:05
linux-4.14 BUG: soft lockup in addrconf_rs_timer C error 133 879d 2082d 0/1 upstream: reported C repro on 2019/09/08 14:09
linux-5.15 BUG: soft lockup in addrconf_rs_timer C error 36 707d 719d 0/3 auto-obsoleted due to no activity on 2023/08/23 09:06
android-5-15 BUG: soft lockup in addrconf_rs_timer (2) syz 99 146d 389d 0/2 auto-obsoleted due to no activity on 2025/02/14 09:13
android-54 BUG: soft lockup in addrconf_rs_timer 190 321d 376d 0/2 auto-obsoleted due to no activity on 2024/08/22 17:20
upstream BUG: soft lockup in addrconf_rs_timer net 18 1885d 2082d 0/28 auto-closed as invalid on 2020/07/20 22:25
android-6-1 BUG: soft lockup in addrconf_rs_timer (2) syz 176 167d 372d 0/2 auto-obsoleted due to no activity on 2025/01/24 01:43
upstream BUG: soft lockup in addrconf_rs_timer (2) net C 51 699d 720d 23/28 fixed on 2023/07/04 09:17
android-5-15 BUG: soft lockup in addrconf_rs_timer 1 668d 668d 0/2 auto-obsoleted due to no activity on 2023/10/21 14:14
upstream INFO: rcu detected stall in addrconf_rs_timer (4) net C error error 121 1297d 1751d 0/28 closed as invalid on 2022/02/08 10:39
linux-6.1 INFO: rcu detected stall in addrconf_rs_timer 73 19d 361d 0/3 upstream: reported on 2024/05/24 18:08
linux-5.15 INFO: rcu detected stall in addrconf_rs_timer origin:upstream C error 45 30d 528d 0/3 upstream: reported C repro on 2023/12/10 10:27
upstream INFO: rcu detected stall in addrconf_rs_timer (6) netfilter usb syz error error 471 2h59m 354d 0/28 upstream: reported syz repro on 2024/06/01 13:51
upstream INFO: rcu detected stall in addrconf_rs_timer (5) kvm 4 1121d 1121d 0/28 auto-closed as invalid on 2022/06/24 22:41

Sample crash report:
watchdog: BUG: soft lockup - CPU#0 stuck for 246s! [syz.2.116:735]
Modules linked in:
CPU: 0 PID: 735 Comm: syz.2.116 Not tainted 6.1.129-syzkaller-00055-gca24c52e3c25 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:unwind_get_return_address+0x0/0x90 arch/x86/kernel/unwind_frame.c:15
Code: 5d c3 48 c7 c1 00 1b 0e 87 80 e1 07 80 c1 03 38 c1 7c af 48 c7 c7 00 1b 0e 87 e8 bb 50 85 00 eb a1 cc cc cc cc cc cc cc cc cc <55> 48 89 e5 41 57 41 56 53 48 89 fb 49 be 00 00 00 00 00 fc ff df
RSP: 0018:ffffc90000007618 EFLAGS: 00000202
RAX: ffffc900000076b0 RBX: ffffc90000007620 RCX: 1ffff92000000ecb
RDX: 1ffff92000000ec6 RSI: ffffc900000076b0 RDI: ffffc90000007620
RBP: ffffc900000076b0 R08: dffffc0000000000 R09: ffffc90000007620
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff8881008ee540
R13: ffffffff8165beb0 R14: ffffc90000007700 R15: 0000000000000000
FS:  00007f573faac6c0(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb5dcd0cf98 CR3: 000000010f08c000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 <IRQ>
 stack_trace_save+0x113/0x1c0 kernel/stacktrace.c:122
 ref_tracker_alloc+0x175/0x450 lib/ref_tracker.c:91
 __netdev_tracker_alloc include/linux/netdevice.h:4082 [inline]
 netdev_hold include/linux/netdevice.h:4111 [inline]
 dst_init+0xe1/0x400 net/core/dst.c:52
 dst_alloc+0x18a/0x1e0 net/core/dst.c:96
 ip6_dst_alloc net/ipv6/route.c:345 [inline]
 icmp6_dst_alloc+0xf8/0x510 net/ipv6/route.c:3274
 ndisc_send_skb+0x288/0xdc0 net/ipv6/ndisc.c:493
 ndisc_send_rs+0x5e1/0x800 net/ipv6/ndisc.c:723
 addrconf_rs_timer+0x2d1/0x600 net/ipv6/addrconf.c:4004
 call_timer_fn+0x3b/0x2d0 kernel/time/timer.c:1510
 expire_timers kernel/time/timer.c:1555 [inline]
 __run_timers+0x72a/0xa10 kernel/time/timer.c:1826
 run_timer_softirq+0x69/0xf0 kernel/time/timer.c:1839
 handle_softirqs+0x1db/0x650 kernel/softirq.c:624
 __do_softirq kernel/softirq.c:662 [inline]
 invoke_softirq kernel/softirq.c:479 [inline]
 __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:711
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:723
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
 sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691
RIP: 0010:preempt_schedule_irq+0xc2/0x140 kernel/sched/core.c:7061
Code: 4c 89 e7 e8 80 14 9c fc f6 44 24 21 02 74 0b 0f 0b 48 f7 03 08 00 00 00 74 4d bf 01 00 00 00 e8 74 7b 2e fc fb bf 01 00 00 00 <e8> 99 e4 ff ff fa bf 01 00 00 00 e8 fe 7c 2e fc 65 48 8b 1d 66 3d
RSP: 0018:ffffc9000133f040 EFLAGS: 00000246
RAX: 1ffff1102011de01 RBX: 1ffff92000267e0c RCX: ffffffff85232f00
RDX: 1ffff1102011dcad RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffffc9000133f0c8 R08: ffffffff87b72000 R09: ffffffff87b72008
R10: ffffffff87b72018 R11: ffffffff87b72010 R12: ffffc9000133f060
R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffff92000267e08
 raw_irqentry_exit_cond_resched+0x2a/0x30 kernel/entry/common.c:396
 irqentry_exit+0x30/0x40 kernel/entry/common.c:439
 sysvec_apic_timer_interrupt+0x64/0xc0 arch/x86/kernel/apic/apic.c:1118
 asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691
RIP: 0010:__sanitizer_cov_trace_pc+0x1/0x60 kernel/kcov.c:209
Code: 00 00 00 00 00 0f 1f 40 00 55 48 89 e5 53 48 89 fb e8 13 00 00 00 48 8b 3d e4 52 1d 06 48 89 de e8 34 f0 46 00 5b 5d c3 cc 55 <48> 89 e5 48 8b 45 08 65 48 8b 0d 20 d6 8c 7e 65 8b 15 21 d6 8c 7e
RSP: 0018:ffffc9000133f1c8 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff8881008ee540
RDX: ffff8881008ee540 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000133f210 R08: ffffffff8184b828 R09: ffffc9000133f160
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff88811ebbc640
R13: ffff88811027e000 R14: ffff88811ebbc640 R15: ffff88811ebbc040
 release_maps kernel/bpf/verifier.c:13200 [inline]
 bpf_check+0x1169b/0x17ed0 kernel/bpf/verifier.c:15673
 bpf_prog_load+0x1304/0x1bf0 kernel/bpf/syscall.c:2626
 __sys_bpf+0x52c/0x7f0 kernel/bpf/syscall.c:5007
 __do_sys_bpf kernel/bpf/syscall.c:5111 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5109 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5109
 x64_sys_call+0x87f/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f573eb8d169
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f573faac038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f573eda6080 RCX: 00007f573eb8d169
RDX: 0000000000000080 RSI: 0000200000000180 RDI: 0000000000000005
RBP: 00007f573ec0e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f573eda6080 R15: 00007ffee8c0c7c8
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 736 Comm: syz.2.116 Not tainted 6.1.129-syzkaller-00055-gca24c52e3c25 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:asm_sysvec_apic_timer_interrupt+0x0/0x20 arch/x86/include/asm/idtentry.h:690
Code: e8 35 7d dc ff e9 d0 04 00 00 0f 01 ca fc 6a ff e8 c5 03 00 00 48 89 c4 48 8d 6c 24 01 48 89 e7 e8 55 7c dc ff e9 b0 04 00 00 <0f> 01 ca fc 6a ff e8 a5 03 00 00 48 89 c4 48 8d 6c 24 01 48 89 e7
RSP: 0018:ffffc900001b03d8 EFLAGS: 00000046
RAX: 1ffff11021caca82 RBX: ffff88810e565410 RCX: dffffc0000000000
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffffc900001b0640 R08: ffffffff840c6b97 R09: ffffffff8403f6b1
R10: 0000000000000002 R11: ffff88810d6d2880 R12: ffff88811ede9500
R13: ffff88811f0a2cd8 R14: 1ffff11023e1459b R15: ffff8881102be284
FS:  00007f573fa8b6c0(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f26268b2ae0 CR3: 000000010f08c000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 <NMI>
 </NMI>
 <IRQ>
 dev_queue_xmit include/linux/netdevice.h:3082 [inline]
 neigh_connected_output+0x449/0x4d0 net/core/neighbour.c:1592
 neigh_output include/net/neighbour.h:552 [inline]
 ip6_finish_output2+0x123a/0x1850 net/ipv6/ip6_output.c:138
 __ip6_finish_output net/ipv6/ip6_output.c:205 [inline]
 ip6_finish_output+0x50f/0xa60 net/ipv6/ip6_output.c:216
 NF_HOOK_COND include/linux/netfilter.h:294 [inline]
 ip6_output+0x1f7/0x4c0 net/ipv6/ip6_output.c:237
 dst_output include/net/dst.h:444 [inline]
 NF_HOOK include/linux/netfilter.h:305 [inline]
 ndisc_send_skb+0x7ea/0xdc0 net/ipv6/ndisc.c:513
 ndisc_send_rs+0x5e1/0x800 net/ipv6/ndisc.c:723
 addrconf_rs_timer+0x2d1/0x600 net/ipv6/addrconf.c:4004
 call_timer_fn+0x3b/0x2d0 kernel/time/timer.c:1510
 expire_timers kernel/time/timer.c:1555 [inline]
 __run_timers+0x72a/0xa10 kernel/time/timer.c:1826
 run_timer_softirq+0x69/0xf0 kernel/time/timer.c:1839
 handle_softirqs+0x1db/0x650 kernel/softirq.c:624
 __do_softirq kernel/softirq.c:662 [inline]
 invoke_softirq kernel/softirq.c:479 [inline]
 __irq_exit_rcu+0x52/0xf0 kernel/softirq.c:711
 irq_exit_rcu+0x9/0x10 kernel/softirq.c:723
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
 sysvec_apic_timer_interrupt+0xa9/0xc0 arch/x86/kernel/apic/apic.c:1118
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691
RIP: 0010:__text_poke+0x774/0x830 arch/x86/kernel/alternative.c:1216
Code: 75 18 48 89 df 48 8b 74 24 30 4c 89 fa e8 24 fe e6 03 85 c0 0f 85 c1 00 00 00 f7 44 24 58 00 02 00 00 74 01 fb 48 8b 44 24 68 <42> 80 3c 28 00 74 08 4c 89 f7 e8 ad d2 8c 00 48 8b bc 24 40 01 00
RSP: 0018:ffffc9000dd1f560 EFLAGS: 00000206
RAX: 1ffff92001ba3ed4 RBX: ffffffff814831e9 RCX: 000000000dd1f700
RDX: dffffc0000000000 RSI: ffffc9000dd1f7a0 RDI: ffffc9000dd1f7a0
RBP: ffffc9000dd1f710 R08: ffffffff82774320 R09: ffffed102000c745
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff888100065558
R13: dffffc0000000000 R14: ffffc9000dd1f6a0 R15: 0000000000000001
 text_poke arch/x86/kernel/alternative.c:1240 [inline]
 text_poke_bp_batch+0x158/0x730 arch/x86/kernel/alternative.c:1531
 text_poke_flush arch/x86/kernel/alternative.c:1725 [inline]
 text_poke_finish+0x1a/0x30 arch/x86/kernel/alternative.c:1732
 arch_jump_label_transform_apply+0x15/0x30 arch/x86/kernel/jump_label.c:146
 __jump_label_update+0x36a/0x380 kernel/jump_label.c:451
 jump_label_update+0x3af/0x450 kernel/jump_label.c:797
 static_key_enable_cpuslocked+0x12f/0x250 kernel/jump_label.c:173
 static_key_enable+0x1a/0x30 kernel/jump_label.c:186
 tracepoint_add_func+0x8b2/0x940 kernel/tracepoint.c:361
 tracepoint_probe_register_prio_may_exist+0x11c/0x180 kernel/tracepoint.c:482
 tracepoint_probe_register_may_exist include/linux/tracepoint.h:52 [inline]
 __bpf_probe_register kernel/trace/bpf_trace.c:2347 [inline]
 bpf_probe_register+0x152/0x1e0 kernel/trace/bpf_trace.c:2353
 bpf_raw_tp_link_attach+0x456/0x6b0 kernel/bpf/syscall.c:3372
 bpf_raw_tracepoint_open+0x22d/0x4a0 kernel/bpf/syscall.c:3399
 __sys_bpf+0x4f5/0x7f0 kernel/bpf/syscall.c:5049
 __do_sys_bpf kernel/bpf/syscall.c:5111 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5109 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5109
 x64_sys_call+0x87f/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:322
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f573eb8d169
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f573fa8b038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f573eda6160 RCX: 00007f573eb8d169
RDX: 0000000000000010 RSI: 0000200000000080 RDI: 0000000000000011
RBP: 00007f573ec0e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f573eda6160 R15: 00007ffee8c0c7c8
 </TASK>
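
Reading the two backtraces above by hand means separating the frames inside the <IRQ> markers (the timer softirq that is actually stuck, here addrconf_rs_timer calling ndisc_send_rs on both CPUs) from the frames inside <TASK> (whatever the CPU was doing when the timer interrupt landed, here bpf(2) syscalls on both CPUs). The helper below is an added example written for this page, not syzbot or kernel code: it splits the report into per-CPU sections, tags every frame with the <IRQ>/<TASK>/<NMI> section it was printed in, and pulls out the timer callback (the frame above call_timer_fn) and the interrupted syscall. The embedded SAMPLE is an abbreviated excerpt of the sample crash report above; the regexes assume the x86-64 layout shown there (RIP: 0010: lines, <IRQ>/<TASK>/<NMI> markers, sym+0xoff/0xlen file:line frames) and nothing else.

```python
import re
from collections import namedtuple

# Line shapes seen in the x86-64 soft lockup report above.
CPU_RE = re.compile(r"^CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) Comm: (?P<comm>\S+)")
CTX_RE = re.compile(r"^\s*<(?P<close>/?)(?P<ctx>IRQ|TASK|NMI)>\s*$")
FRAME_RE = re.compile(
    r"^\s*(?:RIP: 0010:)?(?P<sym>[A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
    r"\s+(?P<loc>[\w./-]+:\d+)(?P<inline>\s+\[inline\])?\s*$")

# ctx is "IRQ", "TASK" or "NMI"; "" for the RIP line printed before "Call Trace:".
Frame = namedtuple("Frame", "ctx sym loc inline")

def parse_report(text):
    """One entry per 'CPU: n PID: ...' header: {cpu: {pid, comm, frames}}, with
    every frame tagged by the <IRQ>/<TASK>/<NMI> section it was printed in."""
    traces, cur, ctx = {}, None, ""
    for line in text.splitlines():
        if m := CPU_RE.match(line):
            cur = traces.setdefault(int(m["cpu"]),
                                    {"pid": int(m["pid"]), "comm": m["comm"], "frames": []})
            ctx = ""
        elif cur is None:
            continue  # preamble before the first CPU header (watchdog line etc.)
        elif m := CTX_RE.match(line):
            ctx = "" if m["close"] else m["ctx"]
        elif m := FRAME_RE.match(line):
            cur["frames"].append(Frame(ctx, m["sym"], m["loc"], bool(m["inline"])))
    return traces

def summarize(cpu, trace):
    """What a triager reads first: the timer callback the softirq was running
    (the frame above call_timer_fn) and the syscall the interrupted task was in."""
    irq = [f.sym for f in trace["frames"] if f.ctx == "IRQ"]
    task = [f.sym for f in trace["frames"] if f.ctx == "TASK"]
    timer_fn = None
    if "call_timer_fn" in irq:
        i = irq.index("call_timer_fn")
        timer_fn = irq[i - 1] if i else None
    return {"cpu": cpu, "pid": trace["pid"], "comm": trace["comm"],
            "irq_top": irq[0] if irq else None, "timer_fn": timer_fn,
            "syscall": next((s for s in task if s.startswith("__x64_sys_")), None)}

def lockup_summary(text):
    return {cpu: summarize(cpu, t) for cpu, t in sorted(parse_report(text).items())}

# Abbreviated excerpt of the sample crash report on this page, used as input.
SAMPLE = """\
watchdog: BUG: soft lockup - CPU#0 stuck for 246s! [syz.2.116:735]
CPU: 0 PID: 735 Comm: syz.2.116 Not tainted 6.1.129-syzkaller-00055-gca24c52e3c25 #0
RIP: 0010:unwind_get_return_address+0x0/0x90 arch/x86/kernel/unwind_frame.c:15
Call Trace:
 <IRQ>
 stack_trace_save+0x113/0x1c0 kernel/stacktrace.c:122
 ref_tracker_alloc+0x175/0x450 lib/ref_tracker.c:91
 netdev_hold include/linux/netdevice.h:4111 [inline]
 dst_init+0xe1/0x400 net/core/dst.c:52
 ndisc_send_rs+0x5e1/0x800 net/ipv6/ndisc.c:723
 addrconf_rs_timer+0x2d1/0x600 net/ipv6/addrconf.c:4004
 call_timer_fn+0x3b/0x2d0 kernel/time/timer.c:1510
 run_timer_softirq+0x69/0xf0 kernel/time/timer.c:1839
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1b/0x20 arch/x86/include/asm/idtentry.h:691
RIP: 0010:preempt_schedule_irq+0xc2/0x140 kernel/sched/core.c:7061
 bpf_check+0x1169b/0x17ed0 kernel/bpf/verifier.c:15673
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5109
RIP: 0033:0x7f573eb8d169
 </TASK>
NMI backtrace for cpu 1
CPU: 1 PID: 736 Comm: syz.2.116 Not tainted 6.1.129-syzkaller-00055-gca24c52e3c25 #0
Call Trace:
 <NMI>
 </NMI>
 <IRQ>
 dev_queue_xmit include/linux/netdevice.h:3082 [inline]
 ndisc_send_rs+0x5e1/0x800 net/ipv6/ndisc.c:723
 addrconf_rs_timer+0x2d1/0x600 net/ipv6/addrconf.c:4004
 call_timer_fn+0x3b/0x2d0 kernel/time/timer.c:1510
 </IRQ>
 <TASK>
RIP: 0010:__text_poke+0x774/0x830 arch/x86/kernel/alternative.c:1216
 text_poke_bp_batch+0x158/0x730 arch/x86/kernel/alternative.c:1531
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5109
 </TASK>
"""

if __name__ == "__main__":
    for cpu, s in lockup_summary(SAMPLE).items():
        print(cpu, s)
```

Run stand-alone it prints one summary per CPU. For this report both CPUs come out with timer_fn addrconf_rs_timer and syscall __x64_sys_bpf; CPU 0's irq_top is stack_trace_save (the ref_tracker stack capture under netdev_hold in dst_init) and CPU 1's is dev_queue_xmit. The user-space RIP: 0033: line is deliberately not matched, and the empty <NMI> section on CPU 1 yields no frames.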

Crashes (1):
Time: 2025/04/04 20:10
Kernel: android14-6.1
Commit: ca24c52e3c25
Syzkaller: 1c4febdb
Config: .config
Log: console log
Report: report
Syz repro: (none)
C repro: (none)
VM info: info
Assets: disk image, vmlinux, kernel image
Manager: ci2-android-6-1-perf
Title: BUG: soft lockup in addrconf_rs_timer