watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [syz-executor.2:9855] Modules linked in: irq event stamp: 3826247 hardirqs last enabled at (3826246): [] restore_regs_and_return_to_kernel+0x0/0x2a hardirqs last disabled at (3826247): [] apic_timer_interrupt+0x8e/0xa0 arch/x86/entry/entry_64.S:793 softirqs last enabled at (45556): [] __do_softirq+0x68b/0x9ff kernel/softirq.c:314 softirqs last disabled at (48355): [] invoke_softirq kernel/softirq.c:368 [inline] softirqs last disabled at (48355): [] irq_exit+0x193/0x240 kernel/softirq.c:409 CPU: 0 PID: 9855 Comm: syz-executor.2 Not tainted 4.14.275-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8880b3ace0c0 task.stack: ffff88808ee10000 RIP: 0010:pcpu_chunk_addr mm/percpu.c:257 [inline] RIP: 0010:pcpu_alloc+0x5e8/0xf50 mm/percpu.c:1480 RSP: 0018:ffff8880ba4079e8 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff10 RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000 RDX: 0000000000000100 RSI: 0000000000000008 RDI: ffffffff8a0950a0 RBP: ffff88823f834000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000007 R14: fffffbfff1412a4e R15: 0000000000000008 FS: 00007f35d0d36700(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2f02e000 CR3: 00000000a3855000 CR4: 00000000003426f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ip6_dst_alloc+0x11e/0x2d0 net/ipv6/route.c:373 icmp6_dst_alloc+0x155/0x580 net/ipv6/route.c:1768 ndisc_send_skb+0xace/0x1390 net/ipv6/ndisc.c:463 ndisc_send_rs+0x125/0x630 net/ipv6/ndisc.c:677 addrconf_rs_timer+0x2bb/0x5a0 net/ipv6/addrconf.c:3769 call_timer_fn+0x14a/0x650 kernel/time/timer.c:1280 expire_timers+0x232/0x4d0 kernel/time/timer.c:1319 __run_timers kernel/time/timer.c:1637 [inline] run_timer_softirq+0x1d5/0x5a0 kernel/time/timer.c:1650 __do_softirq+0x24d/0x9ff kernel/softirq.c:288 invoke_softirq kernel/softirq.c:368 [inline] irq_exit+0x193/0x240 kernel/softirq.c:409 exiting_irq arch/x86/include/asm/apic.h:638 [inline] smp_apic_timer_interrupt+0x141/0x5e0 arch/x86/kernel/apic/apic.c:1106 apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:793 RIP: 0010:zap_pte_range mm/memory.c:1349 [inline] RIP: 0010:zap_pmd_range mm/memory.c:1466 [inline] RIP: 0010:zap_pud_range mm/memory.c:1495 [inline] RIP: 0010:zap_p4d_range mm/memory.c:1516 [inline] RIP: 0010:unmap_page_range+0xd04/0x1ce0 mm/memory.c:1537 RSP: 0018:ffff88808ee177c0 EFLAGS: 00000297 ORIG_RAX: ffffffffffffff10 RAX: ffff8880b3ace0c0 RBX: dffffc0000000000 RCX: 0000000000000001 RDX: 0000000000000000 RSI: 00007f35d2380000 RDI: 000000008c62b025 RBP: ffff8880ab104c00 R08: 0000000000000000 R09: 0000000000000001 R10: 0000000000000000 R11: ffff8880b3ace0c0 R12: ffffea0002318ac0 R13: 0000000000000025 R14: 00007f35d2381000 R15: 0000000000000000 unmap_single_vma+0x147/0x2b0 mm/memory.c:1582 unmap_vmas+0x9d/0x160 mm/memory.c:1612 exit_mmap+0x270/0x4d0 mm/mmap.c:3058 __mmput kernel/fork.c:931 [inline] mmput kernel/fork.c:952 [inline] mmput+0xfa/0x420 kernel/fork.c:947 exit_mm kernel/exit.c:548 [inline] do_exit+0x984/0x2850 kernel/exit.c:855 do_group_exit+0x100/0x2e0 kernel/exit.c:965 get_signal+0x38d/0x1ca0 kernel/signal.c:2412 do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:792 exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline] syscall_return_slowpath arch/x86/entry/common.c:270 [inline] do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x7f35d23c1049 RSP: 002b:00007f35d0d36218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: fffffffffffffe00 RBX: 00007f35d24d3f68 RCX: 00007f35d23c1049 RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f35d24d3f68 RBP: 00007f35d24d3f60 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f35d24d3f6c R13: 00007ffdad2f771f R14: 00007f35d0d36300 R15: 0000000000022000 Code: 18 41 83 e5 07 48 bb 00 00 00 00 00 fc ff df 49 c1 ee 03 48 c1 e8 03 41 bc ff ff ff ff 49 01 de 41 83 c5 03 48 89 44 24 10 eb 4c 03 b1 e3 ff 48 8b 44 24 10 80 3c 18 00 0f 85 11 08 00 00 48 Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 PID: 9847 Comm: syz-executor.0 Not tainted 4.14.275-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff88808ed8e2c0 task.stack: ffff88808ec68000 RIP: 0010:native_apic_mem_write+0x8/0x10 arch/x86/include/asm/apic.h:100 RSP: 0018:ffff8880ba507eb8 EFLAGS: 00000046 RAX: dffffc0000000000 RBX: ffffffff88cc9000 RCX: 0000000000000020 RDX: 1ffffffff119921d RSI: 0000000000000128 RDI: 0000000000000380 RBP: ffff8880ba5282c0 R08: ffff88823fff7058 R09: ffff88823fff704f R10: ffff88823fff7057 R11: 00000018d50c0d5b R12: 0000000000000128 R13: 0000000000000003 R14: 0000001779a686fd R15: 0000001779a686fd FS: 00007f72fc341700(0000) GS:ffff8880ba500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffd005bec10 CR3: 0000000096bbd000 CR4: 00000000003426e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: apic_write arch/x86/include/asm/apic.h:385 [inline] lapic_next_event+0x53/0x80 arch/x86/kernel/apic/apic.c:468 clockevents_program_event+0x1f1/0x2d0 kernel/time/clockevents.c:339 tick_program_event+0x78/0xd0 kernel/time/tick-oneshot.c:47 hrtimer_interrupt+0x336/0x5e0 kernel/time/hrtimer.c:1334 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1079 [inline] smp_apic_timer_interrupt+0x117/0x5e0 arch/x86/kernel/apic/apic.c:1104 apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:793 RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:779 [inline] RIP: 0010:lock_acquire+0x1ec/0x3f0 kernel/locking/lockdep.c:4001 RSP: 0018:ffff88808ec6f658 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff10 RAX: 1ffffffff11e1309 RBX: ffff88808ed8e2c0 RCX: f9938e99191d867f RDX: dffffc0000000000 RSI: 0000000000000001 RDI: 0000000000000286 RBP: ffff88808d4a59e0 R08: 0000000000000001 R09: 00000000000483aa R10: ffff88808ed8eb98 R11: ffff88808ed8e2c0 R12: 0000000000000000 R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 __raw_spin_trylock_bh include/linux/spinlock_api_smp.h:183 [inline] _raw_spin_trylock_bh+0x5f/0x70 kernel/locking/spinlock.c:144 spin_trylock_bh include/linux/spinlock.h:377 [inline] tipc_sk_rcv+0x25c/0x1660 net/tipc/socket.c:1836 tipc_node_xmit net/tipc/node.c:1189 [inline] tipc_node_xmit_skb+0x13c/0x160 net/tipc/node.c:1238 tipc_sk_respond+0x2f9/0x4a0 net/tipc/socket.c:239 __tipc_shutdown+0x501/0x920 net/tipc/socket.c:511 tipc_release+0x77/0xcd0 net/tipc/socket.c:560 __sock_release+0xcd/0x2b0 net/socket.c:602 sock_close+0x15/0x20 net/socket.c:1139 __fput+0x25f/0x7a0 fs/file_table.c:210 task_work_run+0x11f/0x190 kernel/task_work.c:113 get_signal+0x18a3/0x1ca0 kernel/signal.c:2223 do_signal+0x7c/0x1550 arch/x86/kernel/signal.c:792 exit_to_usermode_loop+0x160/0x200 arch/x86/entry/common.c:160 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline] syscall_return_slowpath arch/x86/entry/common.c:270 [inline] do_syscall_64+0x4a3/0x640 arch/x86/entry/common.c:297 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x7f72fd9cc049 RSP: 002b:00007f72fc341168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: 0000000000192d50 RBX: 00007f72fdadef60 RCX: 00007f72fd9cc049 RDX: 000000002000011a RSI: 0000000020000040 RDI: 0000000000000004 RBP: 00007f72fda2608d R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffe835bcb6f R14: 00007f72fc341300 R15: 0000000000022000 Code: 83 3d dc 0c 0c 0a 01 7f 02 5d c3 89 ef 5d e9 12 1b df 05 48 c7 c7 c0 93 2e 8b e8 c4 6b 5c 00 eb df 66 90 89 ff 89 b7 00 c0 5f ff 0f 1f 80 00 00 00 00 48 b8 00 00 00 00 00 fc ff df 53 89 fb ---------------- Code disassembly (best guess): 0: 18 41 83 sbb %al,-0x7d(%rcx) 3: e5 07 in $0x7,%eax 5: 48 bb 00 00 00 00 00 movabs $0xdffffc0000000000,%rbx c: fc ff df f: 49 c1 ee 03 shr $0x3,%r14 13: 48 c1 e8 03 shr $0x3,%rax 17: 41 bc ff ff ff ff mov $0xffffffff,%r12d 1d: 49 01 de add %rbx,%r14 20: 41 83 c5 03 add $0x3,%r13d 24: 48 89 44 24 10 mov %rax,0x10(%rsp) 29: eb 4c jmp 0x77 * 2b: e8 03 b1 e3 ff callq 0xffe3b133 <-- trapping instruction 30: 48 8b 44 24 10 mov 0x10(%rsp),%rax 35: 80 3c 18 00 cmpb $0x0,(%rax,%rbx,1) 39: 0f 85 11 08 00 00 jne 0x850 3f: 48 rex.W