watchdog: BUG: soft lockup - CPU#0 stuck for 143s! [syz-executor.3:31971]
Modules linked in:
irq event stamp: 10572529
hardirqs last  enabled at (10572528): [<ffffffff89400c02>] asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
hardirqs last disabled at (10572529): [<ffffffff8938e85b>] sysvec_apic_timer_interrupt+0xb/0xc0 arch/x86/kernel/apic/apic.c:1097
softirqs last  enabled at (10562306): [<ffffffff8146d943>] invoke_softirq kernel/softirq.c:432 [inline]
softirqs last  enabled at (10562306): [<ffffffff8146d943>] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:636
softirqs last disabled at (10562309): [<ffffffff8146d943>] invoke_softirq kernel/softirq.c:432 [inline]
softirqs last disabled at (10562309): [<ffffffff8146d943>] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:636
CPU: 0 PID: 31971 Comm: syz-executor.3 Not tainted 5.15.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:27 [inline]
RIP: 0010:check_kcov_mode kernel/kcov.c:163 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x60 kernel/kcov.c:197
Code: 01 f0 4d 89 03 e9 63 fd ff ff b9 ff ff ff ff ba 08 00 00 00 4d 8b 03 48 0f bd ca 49 8b 45 00 48 63 c9 e9 64 ff ff ff 0f 1f 00 <65> 8b 05 d9 ab 8a 7e 89 c1 48 8b 34 24 81 e1 00 01 00 00 65 48 8b
RSP: 0018:ffffc90000007ba0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 0000000000070000 RCX: ffff888034bf1d00
RDX: 0000000000000000 RSI: ffff888034bf1d00 RDI: 0000000000000003
RBP: 0000000000070000 R08: 0000000000000001 R09: 0000000000070000
R10: ffffffff85382172 R11: 0000000000000000 R12: ffff88814e1cddc0
R13: ffff88807d70b578 R14: 00000000003f42b4 R15: ffff88807d70b2e0
FS:  00007f5172d04700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b33a23000 CR3: 0000000152433000 CR4: 00000000003506f0
Call Trace:
 <IRQ>
 mac80211_hwsim_tx_frame_no_nl.isra.0+0xce4/0x1330 drivers/net/wireless/mac80211_hwsim.c:1471
 mac80211_hwsim_tx_frame+0x1ee/0x2a0 drivers/net/wireless/mac80211_hwsim.c:1784
 mac80211_hwsim_beacon_tx+0x49b/0x930 drivers/net/wireless/mac80211_hwsim.c:1838
 __iterate_interfaces+0x1e5/0x520 net/mac80211/util.c:793
 ieee80211_iterate_active_interfaces_atomic+0x70/0x180 net/mac80211/util.c:829
 mac80211_hwsim_beacon+0xcd/0x1c0 drivers/net/wireless/mac80211_hwsim.c:1861
 __run_hrtimer kernel/time/hrtimer.c:1685 [inline]
 __hrtimer_run_queues+0x609/0xe50 kernel/time/hrtimer.c:1749
 hrtimer_run_softirq+0x17b/0x360 kernel/time/hrtimer.c:1766
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 invoke_softirq kernel/softirq.c:432 [inline]
 __irq_exit_rcu+0x123/0x180 kernel/softirq.c:636
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:648
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:__sanitizer_cov_trace_pc+0x59/0x60 kernel/kcov.c:205
Code: 74 2b 8b 82 80 15 00 00 83 f8 02 75 20 48 8b 8a 88 15 00 00 8b 92 84 15 00 00 48 8b 01 48 83 c0 01 48 39 c2 76 07 48 89 34 c1 <48> 89 01 c3 0f 1f 00 41 55 41 54 49 89 fc 55 48 bd eb 83 b5 80 46
RSP: 0018:ffffc90009ddf710 EFLAGS: 00000212
RAX: 0000000000033d24 RBX: ffff88814c9a8200 RCX: ffffc900151b9000
RDX: 0000000000040000 RSI: ffffffff81350db8 RDI: 0000000000000003
RBP: ffff8881cc9a8200 R08: ffff8881cc9a8200 R09: ffffffff8fd3ea6f
R10: ffffffff81350dae R11: 0000000000000001 R12: 000000014c9a8200
R13: ffffc90009ddf778 R14: ffffea0000000000 R15: ffff88814c9a8200
 phys_addr_valid arch/x86/mm/physaddr.h:7 [inline]
 __phys_addr+0x58/0x140 arch/x86/mm/physaddr.c:28
 virt_to_head_page include/linux/mm.h:895 [inline]
 qlink_to_cache mm/kasan/quarantine.c:120 [inline]
 qlist_free_all+0x76/0xc0 mm/kasan/quarantine.c:162
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272
 __kasan_slab_alloc+0x95/0xb0 mm/kasan/common.c:444
 kasan_slab_alloc include/linux/kasan.h:259 [inline]
 slab_post_alloc_hook mm/slab.h:519 [inline]
 slab_alloc_node mm/slub.c:3213 [inline]
 slab_alloc mm/slub.c:3221 [inline]
 kmem_cache_alloc_trace+0x1f1/0x2b0 mm/slub.c:3238
 kmalloc include/linux/slab.h:591 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 usb_hub_create_port_device+0xb7/0xd50 drivers/usb/core/port.c:541
 hub_configure drivers/usb/core/hub.c:1655 [inline]
 hub_probe.cold+0x247d/0x2a77 drivers/usb/core/hub.c:1889
 usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:517 [inline]
 really_probe+0x245/0xcc0 drivers/base/dd.c:596
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:751
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:781
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:898
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x228/0x4a0 drivers/base/dd.c:969
 proc_ioctl.part.0+0x48e/0x560 drivers/usb/core/devio.c:2340
 proc_ioctl drivers/usb/core/devio.c:170 [inline]
 proc_ioctl_default drivers/usb/core/devio.c:2375 [inline]
 usbdev_do_ioctl drivers/usb/core/devio.c:2731 [inline]
 usbdev_ioctl+0x2b29/0x36c0 drivers/usb/core/devio.c:2791
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f517578eae9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5172d04188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f51758a1f60 RCX: 00007f517578eae9
RDX: 0000000020000040 RSI: 00000000c0105512 RDI: 0000000000000005
RBP: 00007f51757e8f25 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f5175dd5b2f R14: 00007f5172d04300 R15: 0000000000022000
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 31991 Comm: kworker/u4:23 Not tainted 5.15.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_unbound toggle_allocation_gate
RIP: 0010:check_kcov_mode+0x2c/0x40 kernel/kcov.c:174
Code: 05 29 b4 8a 7e 89 c2 81 e2 00 01 00 00 a9 00 01 ff 00 74 10 31 c0 85 d2 74 15 8b 96 a4 15 00 00 85 d2 74 0b 8b 86 80 15 00 00 <39> f8 0f 94 c0 c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 31 c0
RSP: 0018:ffffc90009edf9e8 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffff8880b9c41d20 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffff88807c7b8000 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000001
R10: ffffffff816c4f16 R11: 0000000000000000 R12: ffffed10173883a5
R13: 0000000000000000 R14: ffff8880b9c41d28 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000c000675390 CR3: 000000000b68e000 CR4: 00000000003506e0
Call Trace:
 <TASK>
 write_comp_data kernel/kcov.c:218 [inline]
 __sanitizer_cov_trace_const_cmp4+0x1c/0x70 kernel/kcov.c:284
 csd_lock_wait kernel/smp.c:440 [inline]
 smp_call_function_many_cond+0x476/0xc20 kernel/smp.c:969
 on_each_cpu_cond_mask+0x56/0xa0 kernel/smp.c:1135
 on_each_cpu include/linux/smp.h:71 [inline]
 text_poke_sync arch/x86/kernel/alternative.c:1112 [inline]
 text_poke_bp_batch+0x1b3/0x560 arch/x86/kernel/alternative.c:1297
 text_poke_flush arch/x86/kernel/alternative.c:1451 [inline]
 text_poke_flush arch/x86/kernel/alternative.c:1448 [inline]
 text_poke_finish+0x16/0x30 arch/x86/kernel/alternative.c:1458
 arch_jump_label_transform_apply+0x13/0x20 arch/x86/kernel/jump_label.c:146
 jump_label_update+0x1d5/0x430 kernel/jump_label.c:830
 static_key_enable_cpuslocked+0x1b1/0x260 kernel/jump_label.c:177
 static_key_enable+0x16/0x20 kernel/jump_label.c:190
 toggle_allocation_gate mm/kfence/core.c:626 [inline]
 toggle_allocation_gate+0x100/0x390 mm/kfence/core.c:618
 process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>
----------------
Code disassembly (best guess):
   0:	01 f0                	add    %esi,%eax
   2:	4d 89 03             	mov    %r8,(%r11)
   5:	e9 63 fd ff ff       	jmpq   0xfffffd6d
   a:	b9 ff ff ff ff       	mov    $0xffffffff,%ecx
   f:	ba 08 00 00 00       	mov    $0x8,%edx
  14:	4d 8b 03             	mov    (%r11),%r8
  17:	48 0f bd ca          	bsr    %rdx,%rcx
  1b:	49 8b 45 00          	mov    0x0(%r13),%rax
  1f:	48 63 c9             	movslq %ecx,%rcx
  22:	e9 64 ff ff ff       	jmpq   0xffffff8b
  27:	0f 1f 00             	nopl   (%rax)
* 2a:	65 8b 05 d9 ab 8a 7e 	mov    %gs:0x7e8aabd9(%rip),%eax        # 0x7e8aac0a <-- trapping instruction
  31:	89 c1                	mov    %eax,%ecx
  33:	48 8b 34 24          	mov    (%rsp),%rsi
  37:	81 e1 00 01 00 00    	and    $0x100,%ecx
  3d:	65                   	gs
  3e:	48                   	rex.W
  3f:	8b                   	.byte 0x8b