watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [syz-executor.3:9896] Modules linked in: irq event stamp: 4996137 hardirqs last enabled at (4996136): [] restore_regs_and_return_to_kernel+0x0/0x2a hardirqs last disabled at (4996137): [] apic_timer_interrupt+0x8e/0xa0 arch/x86/entry/entry_64.S:793 softirqs last enabled at (37844): [] __do_softirq+0x68b/0x9ff kernel/softirq.c:314 softirqs last disabled at (38889): [] invoke_softirq kernel/softirq.c:368 [inline] softirqs last disabled at (38889): [] irq_exit+0x193/0x240 kernel/softirq.c:409 CPU: 0 PID: 9896 Comm: syz-executor.3 Not tainted 4.14.281-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8880982f8300 task.stack: ffff88804f618000 RIP: 0010:unwind_next_frame+0x296/0x17d0 arch/x86/kernel/unwind_orc.c:349 RSP: 0018:ffff8880ba406b80 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff10 RAX: 0000000000000015 RBX: 1ffff11017480d77 RCX: ffffffff8a729452 RDX: 0000000000000006 RSI: ffffffff8a729452 RDI: ffffffff8a197634 RBP: 0000000000000002 R08: ffffffff8a729456 R09: ffffffff8a729482 R10: 000000000001e639 R11: 0000000000066071 R12: ffff8880ba406c75 R13: ffff8880ba406c78 R14: ffff8880ba406c90 R15: ffff8880ba406c40 FS: 00007f4c8262a700(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fbe13d8f000 CR3: 000000009aa5a000 CR4: 00000000003406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __save_stack_trace+0x90/0x160 arch/x86/kernel/stacktrace.c:44 save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551 kmem_cache_alloc+0x124/0x3c0 mm/slab.c:3552 kmem_cache_zalloc include/linux/slab.h:651 [inline] fill_pool lib/debugobjects.c:110 [inline] __debug_object_init+0x578/0x7a0 lib/debugobjects.c:341 debug_object_init lib/debugobjects.c:393 [inline] debug_object_activate+0x391/0x490 lib/debugobjects.c:474 debug_rcu_head_queue kernel/rcu/rcu.h:152 [inline] __call_rcu.constprop.0+0x31/0x7d0 kernel/rcu/tree.c:3050 neigh_destroy+0x352/0x470 net/core/neighbour.c:762 neigh_release include/net/neighbour.h:416 [inline] neigh_cleanup_and_release+0x9e/0xc0 net/core/neighbour.c:108 neigh_del+0x161/0x1f0 net/core/neighbour.c:141 neigh_forced_gc net/core/neighbour.c:190 [inline] neigh_alloc net/core/neighbour.c:315 [inline] __neigh_create+0xc71/0x19c0 net/core/neighbour.c:499 ip6_finish_output2+0x802/0x1f10 net/ipv6/ip6_output.c:117 ip6_finish_output+0x5c6/0xd50 net/ipv6/ip6_output.c:192 NF_HOOK_COND include/linux/netfilter.h:239 [inline] ip6_output+0x1c5/0x660 net/ipv6/ip6_output.c:209 dst_output include/net/dst.h:470 [inline] ip6_local_out+0x93/0x170 net/ipv6/output_core.c:160 ip6tunnel_xmit include/net/ip6_tunnel.h:154 [inline] udp_tunnel6_xmit_skb+0x6a9/0xbd0 net/ipv6/ip6_udp_tunnel.c:106 geneve6_xmit_skb drivers/net/geneve.c:916 [inline] geneve_xmit+0x1278/0x2ca0 drivers/net/geneve.c:945 __netdev_start_xmit include/linux/netdevice.h:4054 [inline] netdev_start_xmit include/linux/netdevice.h:4063 [inline] xmit_one net/core/dev.c:3005 [inline] dev_hard_start_xmit+0x188/0x890 net/core/dev.c:3021 __dev_queue_xmit+0x1d7f/0x2480 net/core/dev.c:3521 neigh_hh_output include/net/neighbour.h:490 [inline] neigh_output include/net/neighbour.h:498 [inline] ip6_finish_output2+0xc6a/0x1f10 net/ipv6/ip6_output.c:120 ip6_finish_output+0x5c6/0xd50 net/ipv6/ip6_output.c:192 NF_HOOK_COND include/linux/netfilter.h:239 [inline] ip6_output+0x1c5/0x660 net/ipv6/ip6_output.c:209 dst_output include/net/dst.h:470 [inline] NF_HOOK include/linux/netfilter.h:250 [inline] ndisc_send_skb+0x82a/0x1390 net/ipv6/ndisc.c:483 ndisc_send_rs+0x125/0x630 net/ipv6/ndisc.c:677 addrconf_rs_timer+0x2bb/0x5a0 net/ipv6/addrconf.c:3773 call_timer_fn+0x14a/0x650 kernel/time/timer.c:1280 expire_timers+0x232/0x4d0 kernel/time/timer.c:1319 __run_timers kernel/time/timer.c:1637 [inline] run_timer_softirq+0x1d5/0x5a0 kernel/time/timer.c:1650 __do_softirq+0x24d/0x9ff kernel/softirq.c:288 invoke_softirq kernel/softirq.c:368 [inline] irq_exit+0x193/0x240 kernel/softirq.c:409 exiting_irq arch/x86/include/asm/apic.h:638 [inline] smp_apic_timer_interrupt+0x141/0x5e0 arch/x86/kernel/apic/apic.c:1106 apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:793 RIP: 0010:__sanitizer_cov_trace_pc+0x29/0x50 kernel/kcov.c:71 RSP: 0018:ffff88804f61f350 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff10 RAX: ffff8880982f8300 RBX: ffff8880982f8300 RCX: 0000000000000001 RDX: 0000000000000001 RSI: 0000000000000002 RDI: ffff8880982f8b84 RBP: ffff888094a529d8 R08: 0000000000000000 R09: 0000000000020012 R10: ffff8880982f8bd8 R11: ffff8880982f8300 R12: 0000000000000004 R13: ffff888099cbea80 R14: ffff8880982f8300 R15: ffff888099cbed38 rcu_read_lock include/linux/rcupdate.h:630 [inline] __task_pid_nr_ns+0x4d/0x440 kernel/pid.c:526 perf_event_pid_type kernel/events/core.c:1293 [inline] perf_event_pid kernel/events/core.c:1302 [inline] __perf_event_header__init_id+0x364/0x5a0 kernel/events/core.c:5779 perf_event_header__init_id kernel/events/core.c:5803 [inline] perf_event_comm_output+0x5a4/0x700 kernel/events/core.c:6718 perf_iterate_ctx+0x117/0x610 kernel/events/core.c:6376 perf_iterate_sb+0x62f/0x8a0 kernel/events/core.c:6433 perf_event_comm_event kernel/events/core.c:6753 [inline] perf_event_comm+0x197/0x1f0 kernel/events/core.c:6780 set_task_comm include/linux/sched.h:1559 [inline] comm_write+0x1b1/0x1f0 fs/proc/base.c:1560 __vfs_write+0xe4/0x630 fs/read_write.c:480 __kernel_write+0xf5/0x330 fs/read_write.c:501 write_pipe_buf+0x143/0x1c0 fs/splice.c:797 splice_from_pipe_feed fs/splice.c:502 [inline] __splice_from_pipe+0x326/0x7a0 fs/splice.c:626 splice_from_pipe fs/splice.c:661 [inline] default_file_splice_write+0xc5/0x150 fs/splice.c:809 do_splice_from fs/splice.c:851 [inline] direct_splice_actor+0x115/0x160 fs/splice.c:1018 splice_direct_to_actor+0x27c/0x730 fs/splice.c:973 do_splice_direct+0x164/0x210 fs/splice.c:1061 do_sendfile+0x47f/0xb30 fs/read_write.c:1441 SYSC_sendfile64 fs/read_write.c:1502 [inline] SyS_sendfile64+0xff/0x110 fs/read_write.c:1488 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x7f4c83cb5109 RSP: 002b:00007f4c8262a168 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 RAX: ffffffffffffffda RBX: 00007f4c83dc7f60 RCX: 00007f4c83cb5109 RDX: 0000000000000000 RSI: 0000000000000007 RDI: 0000000000000006 RBP: 00007f4c83d0f08d R08: 0000000000000000 R09: 0000000000000000 R10: 0000800000000035 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffff5a522bf R14: 00007f4c8262a300 R15: 0000000000022000 Code: 48 b8 00 00 00 00 00 fc ff df 4c 89 c2 48 c1 ea 03 0f b6 04 02 4c 89 c2 83 e2 07 38 d0 7f 08 84 c0 0f 85 63 0e 00 00 0f b6 41 04 0f 0f 84 5c 01 00 00 49 8b 77 48 4d 8d 48 01 48 ba 00 00 00 Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 PID: 9961 Comm: syz-executor.0 Not tainted 4.14.281-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8880916280c0 task.stack: ffff88809ae90000 RIP: 0010:native_apic_mem_write+0x8/0x10 arch/x86/include/asm/apic.h:100 RSP: 0018:ffff8880ba507eb8 EFLAGS: 00000046 RAX: dffffc0000000000 RBX: ffffffff88cca000 RCX: 0000000000000020 RDX: 1ffffffff119941d RSI: 000000000000003e RDI: 0000000000000380 RBP: ffff8880ba5282c0 R08: ffff88823fff7058 R09: ffff88823fff704f R10: ffff88823fff7057 R11: 0000002bd1627d94 R12: 000000000000003e R13: 0000000000000003 R14: 0000002a309cd118 R15: 00000031f39b7100 FS: 00007ff8f720b700(0000) GS:ffff8880ba500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2db26000 CR3: 00000000990bd000 CR4: 00000000003406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: apic_write arch/x86/include/asm/apic.h:385 [inline] lapic_next_event+0x53/0x80 arch/x86/kernel/apic/apic.c:468 clockevents_program_event+0x1f1/0x2d0 kernel/time/clockevents.c:339 tick_program_event+0x78/0xd0 kernel/time/tick-oneshot.c:47 hrtimer_interrupt+0x336/0x5e0 kernel/time/hrtimer.c:1334 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1079 [inline] smp_apic_timer_interrupt+0x117/0x5e0 arch/x86/kernel/apic/apic.c:1104 apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:793 RIP: 0010:__read_once_size include/linux/compiler.h:185 [inline] RIP: 0010:queued_write_lock_slowpath+0x8a/0x1d0 kernel/locking/qrwlock.c:130 RSP: 0018:ffff88809ae96ea8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff10 RAX: 0000000000000000 RBX: ffffffff89d96430 RCX: 0000000000000d1e RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffff89d96430 RBP: ffffffff89d96434 R08: ffffffff8b9ac3b0 R09: 00000000000401a4 R10: ffff888091628970 R11: ffff8880916280c0 R12: fffffbfff13b2c86 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000 queued_write_lock include/asm-generic/qrwlock.h:134 [inline] do_raw_write_lock+0xc2/0x1d0 kernel/locking/spinlock_debug.c:203 neigh_ifdown+0x41/0x360 net/core/neighbour.c:295 addrconf_ifdown.isra.0+0xc8/0x1410 net/ipv6/addrconf.c:3589 addrconf_notify+0x116/0x1c50 net/ipv6/addrconf.c:3511 notifier_call_chain+0x108/0x1a0 kernel/notifier.c:93 call_netdevice_notifiers_info net/core/dev.c:1667 [inline] call_netdevice_notifiers_mtu net/core/dev.c:1706 [inline] dev_set_mtu+0x23d/0x3c0 net/core/dev.c:6921 do_setlink+0x4f3/0x2bf0 net/core/rtnetlink.c:2055 rtnl_setlink+0x1f5/0x2e0 net/core/rtnetlink.c:2324 rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4322 netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2454 netlink_unicast_kernel net/netlink/af_netlink.c:1296 [inline] netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1322 netlink_sendmsg+0x648/0xbc0 net/netlink/af_netlink.c:1893 sock_sendmsg_nosec net/socket.c:646 [inline] sock_sendmsg+0xb5/0x100 net/socket.c:656 sock_write_iter+0x22c/0x370 net/socket.c:925 call_write_iter include/linux/fs.h:1780 [inline] do_iter_readv_writev+0x4cf/0x5f0 fs/read_write.c:675 do_iter_write+0x152/0x550 fs/read_write.c:954 vfs_writev+0x125/0x290 fs/read_write.c:999 do_writev+0xfc/0x2c0 fs/read_write.c:1034 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x7ff8f88d8109 RSP: 002b:00007ff8f720b168 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 00007ff8f89eb100 RCX: 00007ff8f88d8109 RDX: 0000000000000001 RSI: 00000000200003c0 RDI: 0000000000000007 RBP: 00007ff8f893208d R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffeb3c7325f R14: 00007ff8f720b300 R15: 0000000000022000 Code: 83 3d ec 1a 0c 0a 01 7f 02 5d c3 89 ef 5d e9 52 55 df 05 48 c7 c7 c0 a3 2e 8b e8 e4 75 5c 00 eb df 66 90 89 ff 89 b7 00 c0 5f ff 0f 1f 80 00 00 00 00 48 b8 00 00 00 00 00 fc ff df 53 89 fb ---------------- Code disassembly (best guess): 0: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax 7: fc ff df a: 4c 89 c2 mov %r8,%rdx d: 48 c1 ea 03 shr $0x3,%rdx 11: 0f b6 04 02 movzbl (%rdx,%rax,1),%eax 15: 4c 89 c2 mov %r8,%rdx 18: 83 e2 07 and $0x7,%edx 1b: 38 d0 cmp %dl,%al 1d: 7f 08 jg 0x27 1f: 84 c0 test %al,%al 21: 0f 85 63 0e 00 00 jne 0xe8a 27: 0f b6 41 04 movzbl 0x4(%rcx),%eax * 2b: a8 0f test $0xf,%al <-- trapping instruction 2d: 0f 84 5c 01 00 00 je 0x18f 33: 49 8b 77 48 mov 0x48(%r15),%rsi 37: 4d 8d 48 01 lea 0x1(%r8),%r9 3b: 48 rex.W 3c: ba .byte 0xba 3d: 00 00 add %al,(%rax)