BUG: soft lockup in sctp_generate_heartbeat

BUG: soft lockup in sctp_generate_heartbeat_event
Status: auto-closed as invalid on 2020/08/15 07:16
Reported-by: syzbot+4fc65f693a1462d1a901@syzkaller.appspotmail.com
First crash: 602d, last: 558d
similar bugs (3):
Kernel	Title	Count	Last	Reported	Patched	Status
upstream	BUG: soft lockup in sctp_generate_heartbeat_event	1	1257d	1257d	0/22	closed as invalid on 2018/05/19 09:33
linux-4.14	BUG: soft lockup in sctp_generate_heartbeat_event (2)	1	216d	216d	0/1	auto-closed as invalid on 2021/07/22 12:40
linux-4.19	BUG: soft lockup in sctp_generate_heartbeat_event	5	19h01m	173d	0/1	upstream: reported on 2021/05/06 15:10
Sample crash report:
watchdog: BUG: soft lockup - CPU#1 stuck for 120s! [syz-executor.4:25925]
Modules linked in:
irq event stamp: 25451369
hardirqs last  enabled at (25451368): [<ffffffff86600972>] restore_regs_and_return_to_kernel+0x0/0x2e
hardirqs last disabled at (25451369): [<ffffffff86601aba>] apic_timer_interrupt+0x8a/0xa0 arch/x86/entry/entry_64.S:792
softirqs last  enabled at (1022354): [<ffffffff86800664>] __do_softirq+0x664/0x9bf kernel/softirq.c:314
softirqs last disabled at (1027017): [<ffffffff81374eeb>] invoke_softirq kernel/softirq.c:368 [inline]
softirqs last disabled at (1027017): [<ffffffff81374eeb>] irq_exit+0x15b/0x1a0 kernel/softirq.c:409
CPU: 1 PID: 25925 Comm: syz-executor.4 Not tainted 4.14.176-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff88804372c640 task.stack: ffff88820e268000
RIP: 0010:bytes_is_nonzero mm/kasan/kasan.c:167 [inline]
RIP: 0010:memory_is_nonzero mm/kasan/kasan.c:184 [inline]
RIP: 0010:memory_is_poisoned_n mm/kasan/kasan.c:210 [inline]
RIP: 0010:memory_is_poisoned mm/kasan/kasan.c:241 [inline]
RIP: 0010:check_memory_region_inline mm/kasan/kasan.c:257 [inline]
RIP: 0010:check_memory_region+0x108/0x180 mm/kasan/kasan.c:267
RSP: 0018:ffff8880aeb074c0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff10
RAX: ffffed1015d60eb6 RBX: ffffed1015d60eb3 RCX: ffffffff81281dc5
RDX: 0000000000000001 RSI: 0000000000000058 RDI: ffff8880aeb07598
RBP: ffffed1015d60ebe R08: 0000000000000001 R09: ffffed1015d60ebe
R10: ffffed1015d60ebd R11: ffff8880aeb075ef R12: 0000000000000058
R13: 0000000000000000 R14: dffffc0000000000 R15: ffff8880aeb07598
FS:  00007f17ba7f2700(0000) GS:ffff8880aeb00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b30b2c000 CR3: 000000006d5d5000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 memset+0x20/0x40 mm/kasan/kasan.c:285
 memset include/linux/string.h:332 [inline]
 __unwind_start+0x65/0x800 arch/x86/kernel/unwind_orc.c:511
 unwind_start arch/x86/include/asm/unwind.h:60 [inline]
 __save_stack_trace+0x4a/0xd0 arch/x86/kernel/stacktrace.c:43
 save_stack+0x32/0xa0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
 kmem_cache_alloc+0x127/0x770 mm/slab.c:3552
 kmem_cache_zalloc include/linux/slab.h:651 [inline]
 sctp_chunkify+0x46/0x280 net/sctp/sm_make_chunk.c:1326
 _sctp_make_chunk+0x13d/0x250 net/sctp/sm_make_chunk.c:1399
 sctp_make_control+0x30/0x150 net/sctp/sm_make_chunk.c:1429
 sctp_make_heartbeat+0x79/0x240 net/sctp/sm_make_chunk.c:1148
 sctp_sf_heartbeat.isra.0+0x21/0x170 net/sctp/sm_statefuns.c:981
 sctp_sf_sendbeat_8_3+0x34e/0x4f0 net/sctp/sm_statefuns.c:1025
 sctp_do_sm+0xf6/0x4a90 net/sctp/sm_sideeffect.c:1147
 sctp_generate_heartbeat_event+0x1da/0x3f0 net/sctp/sm_sideeffect.c:391
 call_timer_fn+0x14a/0x650 kernel/time/timer.c:1279
 expire_timers kernel/time/timer.c:1318 [inline]
 __run_timers kernel/time/timer.c:1636 [inline]
 __run_timers kernel/time/timer.c:1604 [inline]
 run_timer_softirq+0x52a/0x1390 kernel/time/timer.c:1649
 __do_softirq+0x254/0x9bf kernel/softirq.c:288
 invoke_softirq kernel/softirq.c:368 [inline]
 irq_exit+0x15b/0x1a0 kernel/softirq.c:409
 exiting_irq arch/x86/include/asm/apic.h:648 [inline]
 smp_apic_timer_interrupt+0x141/0x5e0 arch/x86/kernel/apic/apic.c:1102
 apic_timer_interrupt+0x8f/0xa0 arch/x86/entry/entry_64.S:792
 </IRQ>
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:779 [inline]
RIP: 0010:lock_acquire+0x1ec/0x3f0 kernel/locking/lockdep.c:3997
RSP: 0018:ffff88820e26f700 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff10
RAX: 1ffffffff0fa2cd1 RBX: ffff88804372c640 RCX: 0000000090259772
RDX: dffffc0000000000 RSI: ffff88804372cee8 RDI: 0000000000000282
RBP: ffffffff87d84360 R08: 0000000000000000 R09: 0000000000020012
R10: ffff88804372cee8 R11: ffff88804372c640 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002
 rcu_lock_acquire include/linux/rcupdate.h:242 [inline]
 rcu_read_lock include/linux/rcupdate.h:629 [inline]
 lock_page_memcg+0x36/0x220 mm/memcontrol.c:1669
 page_remove_file_rmap mm/rmap.c:1211 [inline]
 page_remove_rmap+0x193/0x920 mm/rmap.c:1296
 zap_pte_range mm/memory.c:1342 [inline]
 zap_pmd_range mm/memory.c:1444 [inline]
 zap_pud_range mm/memory.c:1473 [inline]
 zap_p4d_range mm/memory.c:1494 [inline]
 unmap_page_range+0xa60/0x1930 mm/memory.c:1515
 unmap_single_vma+0x147/0x2b0 mm/memory.c:1560
 unmap_vmas+0x9d/0x160 mm/memory.c:1590
 exit_mmap+0x26d/0x4b0 mm/mmap.c:3056
 __mmput kernel/fork.c:930 [inline]
 mmput+0x103/0x420 kernel/fork.c:951
 exit_mm kernel/exit.c:545 [inline]
 do_exit+0x933/0x2b00 kernel/exit.c:845
 do_group_exit+0x100/0x310 kernel/exit.c:955
 get_signal+0x385/0x1ca0 kernel/signal.c:2423
 do_signal+0x7c/0x1690 arch/x86/kernel/signal.c:814
 exit_to_usermode_loop+0x159/0x220 arch/x86/entry/common.c:160
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45c889
RSP: 002b:00007f17ba7f1c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: 0000000000000058 RBX: 00007f17ba7f26d4 RCX: 000000000045c889
RDX: 0000000000000001 RSI: 00000000200000c0 RDI: 0000000000000007
RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000d14 R14: 00000000004cb241 R15: 000000000076bf0c
Code: ee 49 8d 04 1c 4d 85 c0 75 25 49 89 e9 49 29 c1 e9 74 ff ff ff 4d 85 c9 74 be 49 01 d9 eb 09 48 83 c0 01 4c 39 c8 74 b0 80 38 00 <74> f2 eb a4 4c 89 c0 49 39 c2 74 4b 5b 5d 41 5c e9 93 0d 00 00 
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 25927 Comm: syz-executor.5 Not tainted 4.14.176-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff888084a32040 task.stack: ffff888212cf0000
RIP: 0010:lock_is_held_type+0x135/0x210 kernel/locking/lockdep.c:4033
RSP: 0018:ffff8880aea072b8 EFLAGS: 00000807
RAX: dffffc0000000000 RBX: 0000000000000082 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff87d84360 RDI: ffff888084a328bc
RBP: ffff888084a32040 R08: 0000000000000001 R09: 0000000000000007
R10: ffff888084a32a00 R11: ffff888084a32040 R12: 0000000000000001
R13: 000000000000001d R14: 0000000000000001 R15: 0000000000000082
FS:  00007fa79c9df700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000b70004 CR3: 00000000985b5000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 kill_fasync_rcu fs/fcntl.c:1000 [inline]
 kill_fasync fs/fcntl.c:1011 [inline]
 kill_fasync+0x211/0x3c0 fs/fcntl.c:1004
 perf_event_wakeup+0x20c/0x350 kernel/events/core.c:5569
 perf_pending_event+0xa5/0xd0 kernel/events/core.c:5593
 irq_work_run_list+0xf0/0x160 kernel/irq_work.c:156
 irq_work_run+0x4e/0xb0 kernel/irq_work.c:171
 smp_irq_work_interrupt+0xa3/0x4e0 arch/x86/kernel/irq_work.c:21
 irq_work_interrupt+0x8f/0xa0 arch/x86/entry/entry_64.S:823
RIP: 0010:orc_find arch/x86/kernel/unwind_orc.c:111 [inline]
RIP: 0010:unwind_next_frame+0x53e/0x17a0 arch/x86/kernel/unwind_orc.c:348
RSP: 0018:ffff8880aea07480 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff09
RAX: 0000000000008ada RBX: ffff8880aea07530 RCX: 0000000000008ada
RDX: 0000000000000007 RSI: 0000000000000000 RDI: ffffffff89583aa4
RBP: 1ffff11015d40e97 R08: 0000000000000001 R09: ffff888212cf7aa8
R10: ffff8880aea07565 R11: 0000000000058071 R12: ffffffff818ada0e
R13: ffff8880aea07568 R14: ffff8880aea07578 R15: 0000000000000001
 __save_stack_trace+0x6b/0xd0 arch/x86/kernel/stacktrace.c:44
 save_stack+0x32/0xa0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
 kmem_cache_alloc_node+0x148/0x7a0 mm/slab.c:3642
 __alloc_skb+0x9a/0x4c0 net/core/skbuff.c:193
 alloc_skb include/linux/skbuff.h:980 [inline]
 _sctp_make_chunk+0x44/0x250 net/sctp/sm_make_chunk.c:1388
 sctp_make_control+0x30/0x150 net/sctp/sm_make_chunk.c:1429
 sctp_make_heartbeat+0x79/0x240 net/sctp/sm_make_chunk.c:1148
 sctp_sf_heartbeat.isra.0+0x21/0x170 net/sctp/sm_statefuns.c:981
 sctp_sf_sendbeat_8_3+0x34e/0x4f0 net/sctp/sm_statefuns.c:1025
 sctp_do_sm+0xf6/0x4a90 net/sctp/sm_sideeffect.c:1147
 sctp_generate_heartbeat_event+0x1da/0x3f0 net/sctp/sm_sideeffect.c:391
 call_timer_fn+0x14a/0x650 kernel/time/timer.c:1279
 expire_timers kernel/time/timer.c:1318 [inline]
 __run_timers kernel/time/timer.c:1636 [inline]
 __run_timers kernel/time/timer.c:1604 [inline]
 run_timer_softirq+0x52a/0x1390 kernel/time/timer.c:1649
 __do_softirq+0x254/0x9bf kernel/softirq.c:288
 invoke_softirq kernel/softirq.c:368 [inline]
 irq_exit+0x15b/0x1a0 kernel/softirq.c:409
 exiting_irq arch/x86/include/asm/apic.h:648 [inline]
 smp_apic_timer_interrupt+0x141/0x5e0 arch/x86/kernel/apic/apic.c:1102
 apic_timer_interrupt+0x8f/0xa0 arch/x86/entry/entry_64.S:792
 </IRQ>
RIP: 0010:inet_diag_dump_icsk+0x692/0x14e0 net/ipv4/inet_diag.c:956
RSP: 0018:ffff888212cf7410 EFLAGS: 00000a06 ORIG_RAX: ffffffffffffff10
RAX: 0000000000000000 RBX: 000000004000003f RCX: ffffc90007c65000
RDX: 0000000000040000 RSI: ffffffff85651f1c RDI: 0000000000000001
RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000004
R10: ffff888084a32960 R11: ffff888084a32040 R12: ffff888062e99790
R13: dffffc0000000000 R14: 0000000000000000 R15: 0000000000000000
 __inet_diag_dump+0x89/0x110 net/ipv4/inet_diag.c:1049
 netlink_dump+0x3da/0xab0 net/netlink/af_netlink.c:2203
 __netlink_dump_start+0x4e2/0x740 net/netlink/af_netlink.c:2300
 netlink_dump_start include/linux/netlink.h:217 [inline]
 inet_diag_handler_cmd+0x1ea/0x290 net/ipv4/inet_diag.c:1170
 __sock_diag_cmd net/core/sock_diag.c:231 [inline]
 sock_diag_rcv_msg+0x28d/0x390 net/core/sock_diag.c:263
 netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2433
 sock_diag_rcv+0x26/0x40 net/core/sock_diag.c:274
 netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
 netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1313
 netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1878
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xc5/0x100 net/socket.c:656
 sock_write_iter+0x22c/0x370 net/socket.c:925
 call_write_iter include/linux/fs.h:1778 [inline]
 do_iter_readv_writev+0x3df/0x600 fs/read_write.c:675
 do_iter_write fs/read_write.c:954 [inline]
 do_iter_write+0x152/0x550 fs/read_write.c:935
 vfs_writev+0x170/0x2a0 fs/read_write.c:999
 do_writev+0xfc/0x2c0 fs/read_write.c:1034
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x45c889
RSP: 002b:00007fa79c9dec78 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 00007fa79c9df6d4 RCX: 000000000045c889
RDX: 0000000000000001 RSI: 00000000200000c0 RDI: 0000000000000007
RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000d14 R14: 00000000004cb241 R15: 000000000076bf0c
Code: fd ff ff 65 48 8b 2c 25 40 ee 01 00 48 8d bd 7c 08 00 00 41 89 c4 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 <48> 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 6f 48 c7 c0 88
Crashes (2):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci2-linux-4-14	2020/04/17 07:15	linux-4.14.y	c10b57a567e4	18397578	.config	log	report
ci2-linux-4-14	2020/03/03 22:03	linux-4.14.y	78d697fc93f9	1f73b64b	.config	log	report