syzbot

 sign-in | mailing list | source | docs
🐞 Open [712]
🐞 Fixed [297]
🐞 Invalid [838]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

BUG: soft lockup in tcp_write_timer (2)

Status: auto-closed as invalid on 2022/03/16 10:56
Reported-by: syzbot+b5a6b390a714cba0eea6@syzkaller.appspotmail.com
First crash: 1164d, last: 1101d
Similar bugs (13)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 BUG: soft lockup in tcp_write_timer (3) 2 691d 704d 0/1 upstream: reported on 2022/12/17 21:41
linux-4.14 BUG: soft lockup in tcp_write_timer 2 1658d 1737d 0/1 auto-closed as invalid on 2020/09/05 12:42
linux-5.15 INFO: rcu detected stall in tcp_write_timer 4 38d 90d 0/3 upstream: reported on 2024/08/22 21:30
linux-4.19 BUG: soft lockup in tcp_write_timer 1 1330d 1330d 0/1 auto-closed as invalid on 2021/07/30 14:52
upstream BUG: soft lockup in tcp_write_timer net 11 1937d 1945d 0/28 auto-closed as invalid on 2019/10/25 14:11
upstream BUG: soft lockup in tcp_write_timer (4) kasan mm 4 138d 163d 26/28 fixed on 2024/07/09 19:14
upstream BUG: soft lockup in tcp_write_timer (2) kvm 1 940d 940d 0/28 auto-closed as invalid on 2022/06/24 22:31
upstream BUG: soft lockup in tcp_write_timer (3) net 6 317d 425d 0/28 closed as invalid on 2024/03/18 17:07
android-5-15 BUG: soft lockup in tcp_write_timer 11 101d 214d 0/2 auto-obsoleted due to no activity on 2024/11/10 05:27
upstream INFO: rcu detected stall in tcp_write_timer (2) bpf 2 1388d 1443d 0/28 auto-closed as invalid on 2021/05/03 11:59
upstream INFO: rcu detected stall in tcp_write_timer (4) net 1 129d 129d 0/28 auto-obsoleted due to no activity on 2024/10/13 08:46
upstream INFO: rcu detected stall in tcp_write_timer (3) net 1 1255d 1255d 0/28 auto-closed as invalid on 2021/09/13 13:17
linux-6.1 INFO: rcu detected stall in tcp_write_timer 12 35d 153d 0/3 upstream: reported on 2024/06/21 02:50

Sample crash report:
UDF-fs: warning (device loop4): udf_load_vrs: No anchor found
UDF-fs: Scanning with blocksize 512 failed
watchdog: BUG: soft lockup - CPU#0 stuck for 23s! [syz-executor.0:27471]
Modules linked in:
irq event stamp: 3624209
hardirqs last  enabled at (3624208): [<ffffffff81003ce4>] trace_hardirqs_on_thunk+0x1a/0x1c
hardirqs last disabled at (3624209): [<ffffffff81003d00>] trace_hardirqs_off_thunk+0x1a/0x1c
softirqs last  enabled at (28): [<ffffffff87008a38>] read_pnet include/net/net_namespace.h:307 [inline]
softirqs last  enabled at (28): [<ffffffff87008a38>] sock_net include/net/sock.h:2436 [inline]
softirqs last  enabled at (28): [<ffffffff87008a38>] unix_create1+0x458/0x530 net/unix/af_unix.c:833
softirqs last disabled at (3281): [<ffffffff813927d5>] invoke_softirq kernel/softirq.c:372 [inline]
softirqs last disabled at (3281): [<ffffffff813927d5>] irq_exit+0x215/0x260 kernel/softirq.c:412
CPU: 0 PID: 27471 Comm: syz-executor.0 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:skb_network_header include/linux/skbuff.h:2372 [inline]
RIP: 0010:ip_hdr include/linux/ip.h:25 [inline]
RIP: 0010:ip_finish_output2+0x333/0x15a0 net/ipv4/ip_output.c:222
Code: ac 11 00 00 48 8d bd c4 00 00 00 48 8b 9d d0 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 <83> e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 c0 10 00 00 0f b7 85 c4
RSP: 0018:ffff8880ba007838 EFLAGS: 00000a07 ORIG_RAX: ffffffffffffff13
RAX: ffff8880a8afeeec RBX: ffff888060aba1c0 RCX: ffffffff86d4367a
RDX: 0000000000000000 RSI: ffffffff86d42ce6 RDI: ffff8880a8afeeec
RBP: ffff8880a8afee28 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffff88805b250140
R13: ffff88809aa3d300 R14: 000000000000010c R15: ffff888066f9cd40
FS:  00007f222da42700(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f91443e0718 CR3: 00000000b29df000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 ip_finish_output+0xae9/0x10b0 net/ipv4/ip_output.c:318
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip_output+0x203/0x5f0 net/ipv4/ip_output.c:406
 dst_output include/net/dst.h:455 [inline]
 ip_local_out+0xaf/0x170 net/ipv4/ip_output.c:125
 __ip_queue_xmit+0x91e/0x1c10 net/ipv4/ip_output.c:507
 __tcp_transmit_skb+0x1b9c/0x3400 net/ipv4/tcp_output.c:1148
 tcp_transmit_skb net/ipv4/tcp_output.c:1164 [inline]
 tcp_write_wakeup+0x4f1/0x610 net/ipv4/tcp_output.c:3728
 tcp_send_probe0+0x46/0x400 net/ipv4/tcp_output.c:3750
 tcp_probe_timer net/ipv4/tcp_timer.c:380 [inline]
 tcp_write_timer_handler+0x8c2/0xa60 net/ipv4/tcp_timer.c:597
 tcp_write_timer+0x103/0x1b0 net/ipv4/tcp_timer.c:613
 call_timer_fn+0x177/0x700 kernel/time/timer.c:1338
 expire_timers+0x243/0x4e0 kernel/time/timer.c:1375
 __run_timers kernel/time/timer.c:1696 [inline]
 run_timer_softirq+0x21c/0x670 kernel/time/timer.c:1709
 __do_softirq+0x265/0x980 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:372 [inline]
 irq_exit+0x215/0x260 kernel/softirq.c:412
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x136/0x550 arch/x86/kernel/apic/apic.c:1098
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894
 </IRQ>
RIP: 0010:__raw_read_unlock_irq include/linux/rwlock_api_smp.h:244 [inline]
RIP: 0010:_raw_read_unlock_irq+0x50/0x80 kernel/locking/spinlock.c:264
Code: c0 98 82 f1 89 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 75 31 48 83 3d e1 2a d8 01 00 74 25 fb 66 0f 1f 44 00 00 <bf> 01 00 00 00 e8 06 15 28 f9 65 8b 05 7f 87 e8 77 85 c0 74 02 5d
RSP: 0018:ffff888066487558 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff13e3053 RBX: 0000000000000000 RCX: 1ffff11011e405c5
RDX: dffffc0000000000 RSI: ffff88808f202e08 RDI: ffff88808f202e04
RBP: ffffffff8ad91760 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff888235faa608 R14: ffff888235faa5d0 R15: 0000000000008000
 __snd_pcm_stream_unlock_mode sound/core/pcm_native.c:145 [inline]
 __snd_pcm_stream_unlock_mode sound/core/pcm_native.c:131 [inline]
 snd_pcm_stream_unlock_irq sound/core/pcm_native.c:202 [inline]
 snd_pcm_prepare+0x2a2/0x8e0 sound/core/pcm_native.c:1744
 snd_pcm_kernel_ioctl+0x2f9/0x3c0 sound/core/pcm_native.c:3019
 snd_pcm_oss_prepare+0x44/0x220 sound/core/oss/pcm_oss.c:1146
 snd_pcm_oss_make_ready+0x161/0x1b0 sound/core/oss/pcm_oss.c:1174
 snd_pcm_oss_set_trigger.isra.0+0x30f/0x6e0 sound/core/oss/pcm_oss.c:2071
 snd_pcm_oss_poll+0x661/0xb10 sound/core/oss/pcm_oss.c:2852
 vfs_poll include/linux/poll.h:90 [inline]
 do_select+0x8e1/0x1610 fs/select.c:507
 core_sys_select+0x3ac/0x7e0 fs/select.c:650
 do_pselect fs/select.c:731 [inline]
 __do_sys_pselect6 fs/select.c:772 [inline]
 __se_sys_pselect6+0x419/0x480 fs/select.c:757
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f22304edae9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f222da42188 EFLAGS: 00000246 ORIG_RAX: 000000000000010e
RAX: ffffffffffffffda RBX: 00007f2230601020 RCX: 00007f22304edae9
RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000040
RBP: 00007f2230547f6d R08: 0000000020000200 R09: 0000000000000000
R10: 0000000020000140 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe463674ff R14: 00007f222da42300 R15: 0000000000022000
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 27461 Comm: syz-executor.5 Not tainted 4.19.211-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:trace_hardirqs_on+0x0/0x210 kernel/trace/trace_preemptirq.c:22
Code: 00 00 c7 43 08 00 00 00 00 48 8b 44 24 78 65 48 2b 04 25 28 00 00 00 75 0b 48 83 ec 80 5b 5d 41 5c 41 5d c3 e8 c1 fc cf ff 90 <41> 56 41 55 41 54 55 53 e8 23 dc fa ff 65 8b 1d dc c2 9a 7e 31 ff
RSP: 0018:ffff8880ba107830 EFLAGS: 00000006
RAX: ffff88805fea6540 RBX: ffff8880a58bbb40 RCX: ffffffff86d43317
RDX: 0000000000000100 RSI: ffffffff86d439b7 RDI: 0000000000000007
RBP: ffff88809f501368 R08: ffffffff8cd32098 R09: 0000000000000000
R10: 0000000000000007 R11: 0000000000000000 R12: 0000000000000206
R13: 0000000000000200 R14: ffff8880a58bbcd8 R15: dffffc0000000000
FS:  00007f0ca825a700(0000) GS:ffff8880ba100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b31d2a000 CR3: 000000005fe3b000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 seqcount_lockdep_reader_access include/linux/seqlock.h:83 [inline]
 read_seqcount_begin include/linux/seqlock.h:164 [inline]
 read_seqbegin include/linux/seqlock.h:440 [inline]
 neigh_hh_output include/net/neighbour.h:461 [inline]
 neigh_output include/net/neighbour.h:499 [inline]
 ip_finish_output2+0xfbc/0x15a0 net/ipv4/ip_output.c:230
 ip_finish_output+0xae9/0x10b0 net/ipv4/ip_output.c:318
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip_output+0x203/0x5f0 net/ipv4/ip_output.c:406
 dst_output include/net/dst.h:455 [inline]
 ip_local_out+0xaf/0x170 net/ipv4/ip_output.c:125
 __ip_queue_xmit+0x91e/0x1c10 net/ipv4/ip_output.c:507
 __tcp_transmit_skb+0x1b9c/0x3400 net/ipv4/tcp_output.c:1148
 tcp_transmit_skb net/ipv4/tcp_output.c:1164 [inline]
 tcp_write_wakeup+0x4f1/0x610 net/ipv4/tcp_output.c:3728
 tcp_send_probe0+0x46/0x400 net/ipv4/tcp_output.c:3750
 tcp_probe_timer net/ipv4/tcp_timer.c:380 [inline]
 tcp_write_timer_handler+0x8c2/0xa60 net/ipv4/tcp_timer.c:597
 tcp_write_timer+0x103/0x1b0 net/ipv4/tcp_timer.c:613
 call_timer_fn+0x177/0x700 kernel/time/timer.c:1338
 expire_timers+0x243/0x4e0 kernel/time/timer.c:1375
 __run_timers kernel/time/timer.c:1696 [inline]
 run_timer_softirq+0x21c/0x670 kernel/time/timer.c:1709
 __do_softirq+0x265/0x980 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:372 [inline]
 irq_exit+0x215/0x260 kernel/softirq.c:412
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x136/0x550 arch/x86/kernel/apic/apic.c:1098
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894
 </IRQ>
RIP: 0010:write_comp_data+0x23/0x70 kernel/kcov.c:122
Code: 1f 84 00 00 00 00 00 49 89 f1 49 89 fa 65 48 8b 34 25 c0 df 01 00 65 8b 05 7a 59 9f 7e a9 00 01 1f 00 75 4f 8b 86 60 13 00 00 <83> f8 03 75 44 48 8b 86 68 13 00 00 8b b6 64 13 00 00 48 8b 38 48
RSP: 0018:ffff8880b41f6ed0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000002 RBX: ffff8880b41f6f40 RCX: ffffffff864b15a0
RDX: 0000000000001f40 RSI: ffff88805fea6540 RDI: 0000000000000005
RBP: ffff888099116ec0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000005 R11: 0000000007810df5 R12: ffff888099116ea8
R13: 0000000000001f40 R14: 00000000000f4240 R15: 0000000000000fa0
 snd_interval_mulkdiv+0x220/0x550 sound/core/pcm_lib.c:762
 snd_pcm_hw_rule_mulkdiv+0x106/0x1c0 sound/core/pcm_native.c:2104
 constrain_params_by_rules+0x497/0x10b0 sound/core/pcm_native.c:431
 snd_pcm_hw_refine sound/core/pcm_native.c:537 [inline]
 snd_pcm_hw_refine+0xb9b/0xed0 sound/core/pcm_native.c:515
 snd_pcm_hw_param_first+0x276/0x690 sound/core/pcm_lib.c:1634
 snd_pcm_hw_param_near.constprop.0+0x6d6/0x810 sound/core/oss/pcm_oss.c:457
 snd_pcm_oss_change_params_locked+0x1819/0x39d0 sound/core/oss/pcm_oss.c:954
 snd_pcm_oss_change_params sound/core/oss/pcm_oss.c:1108 [inline]
 snd_pcm_oss_make_ready+0xe7/0x1b0 sound/core/oss/pcm_oss.c:1167
 snd_pcm_oss_set_trigger.isra.0+0x30f/0x6e0 sound/core/oss/pcm_oss.c:2071
 snd_pcm_oss_poll+0x661/0xb10 sound/core/oss/pcm_oss.c:2852
 vfs_poll include/linux/poll.h:90 [inline]
 do_select+0x8e1/0x1610 fs/select.c:507
 core_sys_select+0x3ac/0x7e0 fs/select.c:650
 do_pselect fs/select.c:731 [inline]
 __do_sys_pselect6 fs/select.c:772 [inline]
 __se_sys_pselect6+0x419/0x480 fs/select.c:757
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f0caace4ae9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0ca825a188 EFLAGS: 00000246 ORIG_RAX: 000000000000010e
RAX: ffffffffffffffda RBX: 00007f0caadf7f60 RCX: 00007f0caace4ae9
RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000040
RBP: 00007f0caad3ef6d R08: 0000000020000200 R09: 0000000000000000
R10: 0000000020000140 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe8d8048bf R14: 00007f0ca825a300 R15: 0000000000022000
----------------
Code disassembly (best guess):
   0:	ac                   	lods   %ds:(%rsi),%al
   1:	11 00                	adc    %eax,(%rax)
   3:	00 48 8d             	add    %cl,-0x73(%rax)
   6:	bd c4 00 00 00       	mov    $0xc4,%ebp
   b:	48 8b 9d d0 00 00 00 	mov    0xd0(%rbp),%rbx
  12:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  19:	fc ff df
  1c:	48 89 fa             	mov    %rdi,%rdx
  1f:	48 c1 ea 03          	shr    $0x3,%rdx
  23:	0f b6 14 02          	movzbl (%rdx,%rax,1),%edx
  27:	48 89 f8             	mov    %rdi,%rax
* 2a:	83 e0 07             	and    $0x7,%eax <-- trapping instruction
  2d:	83 c0 01             	add    $0x1,%eax
  30:	38 d0                	cmp    %dl,%al
  32:	7c 08                	jl     0x3c
  34:	84 d2                	test   %dl,%dl
  36:	0f 85 c0 10 00 00    	jne    0x10fc
  3c:	0f                   	.byte 0xf
  3d:	b7 85                	mov    $0x85,%bh
  3f:	c4                   	.byte 0xc4

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/11/16 10:55 linux-4.19.y 3f8a27f9e27b 600426bd .config console log report info ci2-linux-4-19 BUG: soft lockup in tcp_write_timer
2021/09/13 19:46 linux-4.19.y b172b44fcb17 58d09404 .config console log report info ci2-linux-4-19 BUG: soft lockup in tcp_write_timer
* Struck through repros no longer work on HEAD.