syzbot

BUG: soft lockup in netlink_release

Status: auto-closed as invalid on 2022/06/25 01:57
Subsystems: kvm
First crash: 745d, last: 745d
Similar bugs (3):
  - Kernel: upstream; Title: INFO: rcu detected stall in netlink_release; Subsystem label: wireless; Repro: none; Cause bisect: none; Fix bisect: none; Count: 1; Last: 1028d; Reported: 1028d; Patched: 0/26; Status: auto-closed as invalid on 2021/10/14 21:29
  - Kernel: upstream; Title: INFO: rcu detected stall in netlink_release (3); Subsystem label: wireless; Repro: none; Cause bisect: none; Fix bisect: none; Count: 1; Last: 658d; Reported: 658d; Patched: 0/26; Status: auto-closed as invalid on 2022/09/20 00:08
  - Kernel: upstream; Title: INFO: rcu detected stall in netlink_release (2); Subsystem label: wireless; Repro: none; Cause bisect: none; Fix bisect: none; Count: 1; Last: 848d; Reported: 848d; Patched: 0/26; Status: auto-closed as invalid on 2022/04/13 11:22

Sample crash report:
watchdog: BUG: soft lockup - CPU#0 stuck for 143s! [syz-executor.3:5980]
Modules linked in:
irq event stamp: 0
hardirqs last  enabled at (0): [<0000000000000000>] 0x0
hardirqs last disabled at (0): [<ffffffff81460ce3>] copy_process+0x2013/0x6fe0 kernel/fork.c:2173
softirqs last  enabled at (0): [<ffffffff81460d2b>] copy_process+0x205b/0x6fe0 kernel/fork.c:2177
softirqs last disabled at (0): [<0000000000000000>] 0x0
CPU: 0 PID: 5980 Comm: syz-executor.3 Not tainted 5.18.0-rc3-next-20220422-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:kvm_wait+0x98/0x100 arch/x86/kernel/kvm.c:1058
Code: fa 83 e2 07 38 d0 7f 04 84 c0 75 63 0f b6 07 40 38 c6 74 35 48 83 c4 10 c3 c3 e8 23 91 4b 00 eb 07 0f 00 2d da b1 94 08 fb f4 <48> 83 c4 10 c3 89 74 24 0c 48 89 3c 24 e8 56 8f 4b 00 8b 74 24 0c
RSP: 0018:ffffc9001460f9e0 EFLAGS: 00000246
RAX: 0000000000000007 RBX: 0000000000000000 RCX: 1ffffffff1b73199
RDX: 0000000000000000 RSI: ffffffff81807171 RDI: ffffffff8134dffd
RBP: ffffffff8cbfc980 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff81807158 R11: 1ffffffff17b1e31 R12: 0000000000000000
R13: fffffbfff197f930 R14: 0000000000000001 R15: ffff8880b9c3ae40
FS:  0000555556ddc400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2dd57000 CR3: 000000001f512000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 pv_wait arch/x86/include/asm/paravirt.h:603 [inline]
 pv_wait_head_or_lock kernel/locking/qspinlock_paravirt.h:470 [inline]
 __pv_queued_spin_lock_slowpath+0x8c7/0xb50 kernel/locking/qspinlock.c:511
 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:591 [inline]
 queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:51 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:85 [inline]
 do_raw_spin_lock+0x200/0x2a0 kernel/locking/spinlock_debug.c:115
 spin_lock_bh include/linux/spinlock.h:359 [inline]
 remove_user_radios drivers/net/wireless/mac80211_hwsim.c:4632 [inline]
 mac80211_hwsim_netlink_notify+0x13f/0xb20 drivers/net/wireless/mac80211_hwsim.c:4659
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:84
 blocking_notifier_call_chain kernel/notifier.c:319 [inline]
 blocking_notifier_call_chain+0x67/0x90 kernel/notifier.c:307
 netlink_release+0xcb6/0x1db0 net/netlink/af_netlink.c:790
 __sock_release+0xcd/0x280 net/socket.c:650
 sock_close+0x18/0x20 net/socket.c:1318
 __fput+0x277/0x9d0 fs/file_table.c:317
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
 exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fe0e5c3bd2b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007fff768db060 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fe0e5c3bd2b
RDX: 0000000000000000 RSI: 00007fe0e5c00000 RDI: 0000000000000006
RBP: 00007fe0e5d9d960 R08: 0000000000000000 R09: 0000000068c3877e
R10: 0000000000000000 R11: 0000000000000293 R12: 00000000000396c5
R13: 00007fff768db160 R14: 00007fff768db180 R15: 0000000000000032
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 5983 Comm: syz-executor.5 Not tainted 5.18.0-rc3-next-20220422-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:kvm_wait+0x98/0x100 arch/x86/kernel/kvm.c:1058
Code: fa 83 e2 07 38 d0 7f 04 84 c0 75 63 0f b6 07 40 38 c6 74 35 48 83 c4 10 c3 c3 e8 23 91 4b 00 eb 07 0f 00 2d da b1 94 08 fb f4 <48> 83 c4 10 c3 89 74 24 0c 48 89 3c 24 e8 56 8f 4b 00 8b 74 24 0c
RSP: 0018:ffffc90000de0488 EFLAGS: 00000246
RAX: 0000000000000007 RBX: 0000000000000000 RCX: 1ffffffff1b73199
RDX: 0000000000000000 RSI: ffffffff81807171 RDI: ffffffff8134dffd
RBP: ffff888022878948 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff81807158 R11: 0000000000000001 R12: 0000000000000000
R13: ffffed100450f129 R14: 0000000000000001 R15: ffff8880b9d3ae40
FS:  00007f534924d700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020011038 CR3: 000000001c169000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 pv_wait arch/x86/include/asm/paravirt.h:603 [inline]
 pv_wait_head_or_lock kernel/locking/qspinlock_paravirt.h:470 [inline]
 __pv_queued_spin_lock_slowpath+0x8c7/0xb50 kernel/locking/qspinlock.c:511
 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:591 [inline]
 queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:51 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:85 [inline]
 do_raw_spin_lock+0x200/0x2a0 kernel/locking/spinlock_debug.c:115
 spin_lock include/linux/spinlock.h:354 [inline]
 task_lock include/linux/sched/task.h:170 [inline]
 __get_task_comm+0x23/0x50 fs/exec.c:1219
 __set_page_owner_handle mm/page_owner.c:174 [inline]
 __set_page_owner+0x253/0x380 mm/page_owner.c:192
 prep_new_page mm/page_alloc.c:2394 [inline]
 get_page_from_freelist+0xba2/0x3e00 mm/page_alloc.c:4135
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5356
 alloc_pages+0x1aa/0x310 mm/mempolicy.c:2273
 alloc_slab_page mm/slub.c:1797 [inline]
 allocate_slab+0x26c/0x3c0 mm/slub.c:1942
 new_slab mm/slub.c:2002 [inline]
 ___slab_alloc+0x985/0xd90 mm/slub.c:3002
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3089
 slab_alloc_node mm/slub.c:3180 [inline]
 kmem_cache_alloc_node+0x122/0x3f0 mm/slub.c:3264
 __alloc_skb+0x215/0x340 net/core/skbuff.c:414
 skb_copy+0x139/0x3c0 net/core/skbuff.c:1585
 mac80211_hwsim_tx_frame_no_nl.isra.0+0xb7c/0x13b0 drivers/net/wireless/mac80211_hwsim.c:1642
 mac80211_hwsim_tx_frame+0x1ee/0x2a0 drivers/net/wireless/mac80211_hwsim.c:1884
 mac80211_hwsim_beacon_tx+0x49e/0x920 drivers/net/wireless/mac80211_hwsim.c:1938
 __iterate_interfaces+0x1e5/0x560 net/mac80211/util.c:793
 ieee80211_iterate_active_interfaces_atomic+0x70/0x180 net/mac80211/util.c:829
 mac80211_hwsim_beacon+0xcd/0x1c0 drivers/net/wireless/mac80211_hwsim.c:1961
 __run_hrtimer kernel/time/hrtimer.c:1685 [inline]
 __hrtimer_run_queues+0x609/0xe50 kernel/time/hrtimer.c:1749
 hrtimer_run_softirq+0x17b/0x360 kernel/time/hrtimer.c:1766
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 invoke_softirq kernel/softirq.c:432 [inline]
 __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1106
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:check_kcov_mode+0x2c/0x40 kernel/kcov.c:177
Code: 05 e9 54 88 7e 89 c2 81 e2 00 01 00 00 a9 00 01 ff 00 74 10 31 c0 85 d2 74 15 8b 96 ac 15 00 00 85 d2 74 0b 8b 86 88 15 00 00 <39> f8 0f 94 c0 c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 31 c0
RSP: 0018:ffffc9001464ef28 EFLAGS: 00000246
RAX: 0000000000000002 RBX: 000000000000000f RCX: 000000000000000e
RDX: 0000000000000000 RSI: ffff888022878000 RDI: 0000000000000003
RBP: ffff8880123c3468 R08: 000000000000000f R09: ffff888022878838
R10: ffffffff83faa4e6 R11: 0000000000000001 R12: 000000000000000e
R13: 0000000000000010 R14: ffff8880123c3448 R15: 0000000000000007
 write_comp_data kernel/kcov.c:221 [inline]
 __sanitizer_cov_trace_cmp8+0x1d/0x70 kernel/kcov.c:267
 strscpy_pad+0x46/0x70 lib/string_helpers.c:789
 __get_task_comm+0x35/0x50 fs/exec.c:1221
 __set_page_owner_handle mm/page_owner.c:174 [inline]
 __set_page_owner+0x253/0x380 mm/page_owner.c:192
 prep_new_page mm/page_alloc.c:2394 [inline]
 get_page_from_freelist+0xba2/0x3e00 mm/page_alloc.c:4135
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5356
 __alloc_pages_bulk+0xbef/0x1a10 mm/page_alloc.c:5302
 alloc_pages_bulk_array_mempolicy+0x1c3/0x4d0 mm/mempolicy.c:2368
 vm_area_alloc_pages mm/vmalloc.c:2898 [inline]
 __vmalloc_area_node mm/vmalloc.c:2990 [inline]
 __vmalloc_node_range+0xd35/0x13c0 mm/vmalloc.c:3161
 __vmalloc_node mm/vmalloc.c:3226 [inline]
 vmalloc+0x67/0x80 mm/vmalloc.c:3259
 netlink_alloc_large_skb net/netlink/af_netlink.c:1196 [inline]
 netlink_sendmsg+0x687/0xe00 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:725
 sock_no_sendpage+0xf6/0x140 net/core/sock.c:3126
 kernel_sendpage.part.0+0x1ff/0x7b0 net/socket.c:3524
 kernel_sendpage net/socket.c:3521 [inline]
 sock_sendpage+0xdf/0x140 net/socket.c:1007
 pipe_to_sendpage+0x2ad/0x380 fs/splice.c:364
 splice_from_pipe_feed fs/splice.c:418 [inline]
 __splice_from_pipe+0x43e/0x8a0 fs/splice.c:562
 splice_from_pipe fs/splice.c:597 [inline]
 generic_splice_sendpage+0xd4/0x140 fs/splice.c:746
 do_splice_from fs/splice.c:767 [inline]
 direct_splice_actor+0x110/0x180 fs/splice.c:936
 splice_direct_to_actor+0x34b/0x8c0 fs/splice.c:891
 do_splice_direct+0x1a7/0x270 fs/splice.c:979
 do_sendfile+0xae0/0x1240 fs/read_write.c:1246
 __do_sys_sendfile64 fs/read_write.c:1311 [inline]
 __se_sys_sendfile64 fs/read_write.c:1297 [inline]
 __x64_sys_sendfile64+0x1cc/0x210 fs/read_write.c:1297
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f53480890e9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f534924d168 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f534819bf60 RCX: 00007f53480890e9
RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000006
RBP: 00007f53480e308d R08: 0000000000000000 R09: 0000000000000000
R10: 000000010000a006 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcc7869edf R14: 00007f534924d300 R15: 0000000000022000
 </TASK>
----------------
Code disassembly (best guess):
   0:	fa                   	cli
   1:	83 e2 07             	and    $0x7,%edx
   4:	38 d0                	cmp    %dl,%al
   6:	7f 04                	jg     0xc
   8:	84 c0                	test   %al,%al
   a:	75 63                	jne    0x6f
   c:	0f b6 07             	movzbl (%rdi),%eax
   f:	40 38 c6             	cmp    %al,%sil
  12:	74 35                	je     0x49
  14:	48 83 c4 10          	add    $0x10,%rsp
  18:	c3                   	retq
  19:	c3                   	retq
  1a:	e8 23 91 4b 00       	callq  0x4b9142
  1f:	eb 07                	jmp    0x28
  21:	0f 00 2d da b1 94 08 	verw   0x894b1da(%rip)        # 0x894b202
  28:	fb                   	sti
  29:	f4                   	hlt
* 2a:	48 83 c4 10          	add    $0x10,%rsp <-- trapping instruction
  2e:	c3                   	retq
  2f:	89 74 24 0c          	mov    %esi,0xc(%rsp)
  33:	48 89 3c 24          	mov    %rdi,(%rsp)
  37:	e8 56 8f 4b 00       	callq  0x4b8f92
  3c:	8b 74 24 0c          	mov    0xc(%rsp),%esi

Crashes (1):
  - Time: 2022/04/26 01:47; Kernel: linux-next; Commit: e7d6987e09a3; Syzkaller: 152baedd; Config: .config; Log: console log; Report: report; Syz repro: none; C repro: none; VM info: info; Assets: none; Manager: ci-upstream-linux-next-kasan-gce-root; Title: BUG: soft lockup in netlink_release