bridge0: received packet on bridge_slave_1 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: rcu: Tasks blocked on level-0 rcu_node (CPUs 0-1): P10343/1:b..l rcu: (detected by 0, t=10502 jiffies, g=137881, q=2913 ncpus=2) task:syz.2.9689 state:R running task stack:25256 pid:10343 tgid:10343 ppid:7700 task_flags:0x400040 flags:0x00080002 Call Trace: context_switch kernel/sched/core.c:5510 [inline] __schedule+0x17d9/0x56c0 kernel/sched/core.c:7234 preempt_schedule_common+0x82/0xd0 kernel/sched/core.c:7413 preempt_schedule_thunk+0x16/0x40 arch/x86/entry/thunk.S:12 __local_bh_enable_ip+0xe1/0x130 kernel/softirq.c:457 nl80211_netlink_notify+0x46b/0x840 net/wireless/nl80211.c:22948 notifier_call_chain+0x1a5/0x3d0 kernel/notifier.c:85 blocking_notifier_call_chain+0x6a/0x90 kernel/notifier.c:380 netlink_release+0x11f8/0x1a80 net/netlink/af_netlink.c:762 __sock_release net/socket.c:710 [inline] sock_close+0xad/0x220 net/socket.c:1501 __fput+0x418/0xa50 fs/file_table.c:512 task_work_run+0x1d9/0x270 kernel/task_work.c:233 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] __exit_to_user_mode_loop kernel/entry/common.c:70 [inline] exit_to_user_mode_loop+0x1fa/0x730 kernel/entry/common.c:101 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:207 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:230 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:318 [inline] do_syscall_64+0x353/0x580 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f3dca19ce59 RSP: 002b:00007ffcb251e8e8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 RAX: 0000000000000000 RBX: 00007f3dca417da0 RCX: 00007f3dca19ce59 RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 RBP: 00007f3dca417da0 R08: 0000000000000006 R09: 0000000000000000 R10: 00007f3dca417cb0 R11: 0000000000000246 R12: 00000000001327a3 R13: 00007f3dca41627c R14: 0000000000132745 R15: 00007f3dca416270 rcu: rcu_preempt kthread starved for 398 jiffies! g137881 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=1 rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior. rcu: RCU grace-period kthread stack dump: task:rcu_preempt state:R running task stack:27496 pid:16 tgid:16 ppid:2 task_flags:0x208040 flags:0x00080000 Call Trace: context_switch kernel/sched/core.c:5510 [inline] __schedule+0x17d9/0x56c0 kernel/sched/core.c:7234 __schedule_loop kernel/sched/core.c:7311 [inline] schedule+0x164/0x2b0 kernel/sched/core.c:7326 schedule_timeout+0x152/0x2c0 kernel/time/sleep_timeout.c:99 rcu_gp_fqs_loop+0x30c/0x11f0 kernel/rcu/tree.c:2123 rcu_gp_kthread+0x9e/0x2b0 kernel/rcu/tree.c:2325 kthread+0x388/0x470 kernel/kthread.c:436 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 rcu: Stack dump where RCU GP kthread last ran: Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 UID: 0 PID: 9355 Comm: kworker/1:14 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Workqueue: mld mld_ifc_work RIP: 0010:rcu_preempt_read_exit kernel/rcu/tree_plugin.h:396 [inline] RIP: 0010:__rcu_read_unlock+0x32/0xe0 kernel/rcu/tree_plugin.h:435 Code: 41 55 41 54 53 49 bf 00 00 00 00 00 fc ff df 65 48 8b 3d 99 9d 93 11 48 8d 9f c4 04 00 00 49 89 dc 49 c1 ec 03 43 0f b6 04 3c <84> c0 75 4f ff 0b 75 1d 4c 8d b7 c8 04 00 00 4c 89 f0 48 c1 e8 03 RSP: 0000:ffffc90000a071b0 EFLAGS: 00000a07 RAX: 0000000000000000 RBX: ffff88802de223c4 RCX: 0000000000000301 RDX: 0000000000000009 RSI: ffffffff8e25a5be RDI: ffff88802de21f00 RBP: 1ffffffff22b6d01 R08: ffffc900073c7a70 R09: 0000000000000000 R10: ffffc90000a072d8 R11: fffff52000140e5d R12: 1ffff11005bc4478 R13: ffffffff8176f21f R14: ffffc90000a07288 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff888125326000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f78e460efb3 CR3: 000000007a588000 CR4: 00000000003526f0 Call Trace: rcu_read_unlock include/linux/rcupdate.h:873 [inline] class_rcu_destructor include/linux/rcupdate.h:1183 [inline] unwind_next_frame+0x1baf/0x2550 arch/x86/kernel/unwind_orc.c:709 arch_stack_walk+0x11b/0x150 arch/x86/kernel/stacktrace.c:25 stack_trace_save+0xa9/0x100 kernel/stacktrace.c:122 kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:253 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:2705 [inline] slab_free mm/slub.c:6405 [inline] kmem_cache_free+0x182/0x650 mm/slub.c:6532 skb_ext_reset include/linux/skbuff.h:5117 [inline] skb_scrub_packet+0x2c8/0x3d0 net/core/skbuff.c:6278 ____dev_forward_skb include/linux/netdevice.h:4454 [inline] __dev_forward_skb2+0x28c/0x730 net/core/dev.c:2441 veth_forward_skb drivers/net/veth.c:323 [inline] veth_xmit+0x493/0xe60 drivers/net/veth.c:379 __netdev_start_xmit include/linux/netdevice.h:5400 [inline] netdev_start_xmit include/linux/netdevice.h:5409 [inline] xmit_one net/core/dev.c:3889 [inline] dev_hard_start_xmit+0x2cd/0x830 net/core/dev.c:3905 __dev_queue_xmit+0x1435/0x37f0 net/core/dev.c:4872 dev_queue_xmit include/linux/netdevice.h:3446 [inline] br_dev_queue_push_xmit+0x370/0x4b0 net/bridge/br_forward.c:53 NF_HOOK+0x64e/0x6e0 include/linux/netfilter.h:318 br_nf_post_routing+0xa53/0xee0 net/bridge/br_netfilter_hooks.c:964 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline] nf_hook_slow+0xc5/0x220 net/netfilter/core.c:619 nf_hook include/linux/netfilter.h:273 [inline] NF_HOOK+0x23e/0x3f0 include/linux/netfilter.h:316 br_forward_finish+0xd3/0x130 net/bridge/br_forward.c:66 br_nf_hook_thresh net/bridge/br_netfilter_hooks.c:1165 [inline] br_nf_forward_finish+0xa76/0xea0 net/bridge/br_netfilter_hooks.c:667 NF_HOOK+0x64e/0x6e0 include/linux/netfilter.h:318 br_nf_forward_ip+0x7eb/0xa30 net/bridge/br_netfilter_hooks.c:721 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline] nf_hook_slow+0xc5/0x220 net/netfilter/core.c:619 nf_hook include/linux/netfilter.h:273 [inline] NF_HOOK+0x23e/0x3f0 include/linux/netfilter.h:316 __br_forward+0x397/0x540 net/bridge/br_forward.c:115 deliver_clone net/bridge/br_forward.c:131 [inline] maybe_deliver net/bridge/br_forward.c:191 [inline] br_flood+0x3e6/0x8d0 net/bridge/br_forward.c:245 br_handle_frame_finish+0x1175/0x1990 net/bridge/br_input.c:229 br_nf_hook_thresh+0x3dd/0x4c0 net/bridge/br_netfilter_hooks.c:-1 br_nf_pre_routing_finish_ipv6+0x90c/0xc40 net/bridge/br_netfilter_ipv6.c:-1 NF_HOOK include/linux/netfilter.h:318 [inline] br_nf_pre_routing_ipv6+0x382/0x6f0 net/bridge/br_netfilter_ipv6.c:183 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline] nf_hook_bridge_pre net/bridge/br_input.c:291 [inline] br_handle_frame+0x127f/0x1510 net/bridge/br_input.c:442 __netif_receive_skb_core+0x989/0x30b0 net/core/dev.c:6093 __netif_receive_skb_one_core net/core/dev.c:6204 [inline] __netif_receive_skb net/core/dev.c:6319 [inline] process_backlog+0x706/0x1860 net/core/dev.c:6670 __napi_poll+0xaa/0x330 net/core/dev.c:7729 napi_poll net/core/dev.c:7792 [inline] net_rx_action+0x61d/0xf50 net/core/dev.c:7949 handle_softirqs+0x225/0x840 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:735 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1062 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1062 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:674 RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:179 [inline] RIP: 0010:_raw_spin_unlock_irqrestore+0x47/0x80 kernel/locking/spinlock.c:198 Code: f7 e8 2d 5c ec f5 f7 c3 00 02 00 00 74 05 e8 f0 40 18 f6 9c 58 a9 00 02 00 00 75 27 f7 c3 00 02 00 00 74 01 fb bf 01 00 00 00 74 72 dd f5 65 8b 05 4d 33 89 07 85 c0 74 18 5b 41 5e c3 cc cc RSP: 0000:ffffc900073c7638 EFLAGS: 00000206 RAX: 0000000000000006 RBX: 0000000000000246 RCX: 0000000080000001 RDX: 0000000000000007 RSI: ffffffff8dfe0294 RDI: 0000000000000001 RBP: ffffc900073c76e0 R08: ffffffff9032d2f7 R09: 1ffffffff2065a5e R10: dffffc0000000000 R11: fffffbfff2065a5f R12: ffff88813fe24240 R13: 0000000000000000 R14: ffff88813fe24240 R15: 0000000000000000 spin_unlock_irqrestore include/linux/spinlock.h:408 [inline] __slab_free+0x222/0x2c0 mm/slub.c:-1 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x99/0x100 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4612 [inline] slab_alloc_node mm/slub.c:4945 [inline] kmem_cache_alloc_node_noprof+0x355/0x610 mm/slub.c:5017 __alloc_skb+0x1d7/0x7a0 net/core/skbuff.c:704 alloc_skb include/linux/skbuff.h:1384 [inline] mld_newpack+0x165/0xcb0 net/ipv6/mcast.c:1773 add_grhead net/ipv6/mcast.c:1884 [inline] add_grec+0x119f/0x19d0 net/ipv6/mcast.c:2023 mld_send_cr net/ipv6/mcast.c:2148 [inline] mld_ifc_work+0x6ea/0xe70 net/ipv6/mcast.c:2694 process_one_work kernel/workqueue.c:3322 [inline] process_scheduled_works+0xa8e/0x14e0 kernel/workqueue.c:3405 worker_thread+0xa47/0xfb0 kernel/workqueue.c:3486 kthread+0x388/0x470 kernel/kthread.c:436 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 net_ratelimit: 12475 callbacks suppressed bridge0: received packet on veth1_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) bridge0: received packet on veth1_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) bridge0: received packet on veth1_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) bridge0: received packet on veth1_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) bridge0: received packet on bridge_slave_1 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) bridge0: received packet on bridge_slave_1 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) bridge0: received packet on veth1_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) bridge0: received packet on bridge_slave_1 with own address as source address (addr:aa:aa:aa:aa:aa:1c, vlan:0) bridge0: received packet on bridge_slave_1 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) bridge0: received packet on veth1_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) net_ratelimit: 17305 callbacks suppressed bridge0: received packet on veth1_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) bridge0: received packet on veth1_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) bridge0: received packet on bridge_slave_1 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) bridge0: received packet on bridge_slave_1 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) bridge0: received packet on veth1_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) bridge0: received packet on veth1_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) bridge0: received packet on bridge_slave_1 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) bridge0: received packet on bridge_slave_1 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) bridge0: received packet on veth1_to_bridge with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0) bridge0: received packet on bridge_slave_1 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)