IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [syz-executor.0:9519]
Modules linked in:
irq event stamp: 4323945
hardirqs last enabled at (4323944): [] restore_regs_and_return_to_kernel+0x0/0x2a
hardirqs last disabled at (4323945): [] apic_timer_interrupt+0x8e/0xa0 arch/x86/entry/entry_64.S:793
softirqs last enabled at (37328): [] __do_softirq+0x68b/0x9ff kernel/softirq.c:314
softirqs last disabled at (37959): [] invoke_softirq kernel/softirq.c:368 [inline]
softirqs last disabled at (37959): [] irq_exit+0x193/0x240 kernel/softirq.c:409
CPU: 1 PID: 9519 Comm: syz-executor.0 Not tainted 4.14.264-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880b0060540 task.stack: ffff888049660000
RIP: 0010:rol32 include/linux/bitops.h:83 [inline]
RIP: 0010:jhash2 include/linux/jhash.h:128 [inline]
RIP: 0010:hash_stack lib/stackdepot.c:165 [inline]
RIP: 0010:depot_save_stack+0x9a/0x3f0 lib/stackdepot.c:221
RSP: 0018:ffff8880ba507278 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff10
RAX: 000000003830d1d9 RBX: 000000008574a53b RCX: 0000000000000019
RDX: ffff8880ba50733c RSI: 00000000d924dcb1 RDI: 00000000bbb29d81
RBP: ffff8880ba5072d0 R08: 0000000000000000 R09: 0000000000000008
R10: 0000000000000000 R11: ffff8880b0060540 R12: 0000000001080020
R13: 0000000000000017 R14: ffff8880ba5072e8 R15: 00000000000000e8
FS:  00007f36b9ddc700(0000) GS:ffff8880ba500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f36b9d9a718 CR3: 00000000ab59a000 CR4: 00000000003426e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 save_stack mm/kasan/kasan.c:453 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0x139/0x160 mm/kasan/kasan.c:551
 kmem_cache_alloc_node+0x146/0x410 mm/slab.c:3642
 __alloc_skb+0x5c/0x510 net/core/skbuff.c:193
 alloc_skb include/linux/skbuff.h:980 [inline]
 nlmsg_new include/net/netlink.h:511 [inline]
 __neigh_notify+0x84/0x150 net/core/neighbour.c:2927
 neigh_cleanup_and_release+0x71/0xc0 net/core/neighbour.c:106
 neigh_del+0x161/0x1f0 net/core/neighbour.c:141
 neigh_forced_gc net/core/neighbour.c:190 [inline]
 neigh_alloc net/core/neighbour.c:315 [inline]
 __neigh_create+0xc5d/0x19b0 net/core/neighbour.c:499
 ip6_finish_output2+0x802/0x1f10 net/ipv6/ip6_output.c:117
 ip6_finish_output+0x5c6/0xd50 net/ipv6/ip6_output.c:192
 NF_HOOK_COND include/linux/netfilter.h:239 [inline]
 ip6_output+0x1c5/0x660 net/ipv6/ip6_output.c:209
 dst_output include/net/dst.h:470 [inline]
 ip6_local_out+0x93/0x170 net/ipv6/output_core.c:160
 ip6_send_skb+0x9b/0x2f0 net/ipv6/ip6_output.c:1726
 ip6_push_pending_frames+0xaf/0xd0 net/ipv6/ip6_output.c:1746
 icmpv6_push_pending_frames+0x284/0x460 net/ipv6/icmp.c:289
 icmp6_send+0x18b6/0x1f60 net/ipv6/icmp.c:588
 __icmpv6_send include/linux/icmpv6.h:28 [inline]
 icmpv6_send include/linux/icmpv6.h:49 [inline]
 ip6_link_failure+0x2b/0x420 net/ipv6/route.c:1440
 dst_link_failure include/net/dst.h:453 [inline]
 ndisc_error_report+0xa7/0x180 net/ipv6/ndisc.c:687
 neigh_invalidate+0x21c/0x520 net/core/neighbour.c:897
 neigh_timer_handler+0x820/0xa50 net/core/neighbour.c:983
 call_timer_fn+0x14a/0x650 kernel/time/timer.c:1280
 expire_timers+0x232/0x4d0 kernel/time/timer.c:1319
 __run_timers kernel/time/timer.c:1637 [inline]
 run_timer_softirq+0x1d5/0x5a0 kernel/time/timer.c:1650
 __do_softirq+0x24d/0x9ff kernel/softirq.c:288
 invoke_softirq kernel/softirq.c:368 [inline]
 irq_exit+0x193/0x240 kernel/softirq.c:409
 exiting_irq arch/x86/include/asm/apic.h:638 [inline]
 smp_apic_timer_interrupt+0x141/0x5e0 arch/x86/kernel/apic/apic.c:1106
 apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:793
RIP: 0010:__read_once_size include/linux/compiler.h:185 [inline]
RIP: 0010:csd_lock_wait kernel/smp.c:108 [inline]
RIP: 0010:smp_call_function_single+0x181/0x370 kernel/smp.c:302
RSP: 0018:ffff8880496679a0 EFLAGS: 00000212 ORIG_RAX: ffffffffffffff10
RAX: 0000000000040000 RBX: 1ffff110092ccf38 RCX: ffffc90005cc8000
RDX: 0000000000010bd7 RSI: ffffffff814c75cf RDI: 0000000000000286
RBP: ffff888049667a50 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
 smp_call_function_many+0x60f/0x7a0 kernel/smp.c:434
 smp_call_function kernel/smp.c:492 [inline]
 on_each_cpu+0x40/0x210 kernel/smp.c:602
 text_poke_bp+0x90/0x110 arch/x86/kernel/alternative.c:796
 __jump_label_transform+0x269/0x300 arch/x86/kernel/jump_label.c:102
 arch_jump_label_transform+0x26/0x40 arch/x86/kernel/jump_label.c:110
 __jump_label_update+0x113/0x170 kernel/jump_label.c:374
 jump_label_update kernel/jump_label.c:741 [inline]
 jump_label_update+0x140/0x2d0 kernel/jump_label.c:720
 static_key_slow_inc_cpuslocked+0x10e/0x170 kernel/jump_label.c:109
 static_key_slow_inc+0x16/0x20 kernel/jump_label.c:124
 kvm_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:717 [inline]
 kvm_dev_ioctl_create_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:3294 [inline]
 kvm_dev_ioctl+0x1170/0x1420 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3345
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x75a/0xff0 fs/ioctl.c:684
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x7f/0xb0 fs/ioctl.c:692
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f36bb467059
RSP: 002b:00007f36b9ddc168 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f36bb579f60 RCX: 00007f36bb467059
RDX: 0000000000000000 RSI: 000000000000ae01 RDI: 0000000000000004
RBP: 00007f36bb4c108d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd9a35e26f R14: 00007f36b9ddc300 R15: 0000000000022000
Code: f0 01 de c1 c0 06 31 f8 89 df 89 c3 29 c7 01 f0 c1 c3 08 31 fb 89 df 29 de 01 c3 c1 c7 10 31 fe 89 f7 29 f0 01 de c1 cf 0d 31 f8 <89> c7 29 c3 01 f0 c1 c7 04 31 fb 83 f9 03 77 a3 83 f9 02 0f 84
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 9604 Comm: syz-executor.4 Not tainted 4.14.264-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880a9fd0580 task.stack: ffff8880477e8000
RIP: 0010:__read_once_size include/linux/compiler.h:185 [inline]
RIP: 0010:queued_write_lock_slowpath+0x80/0x1d0 kernel/locking/qrwlock.c:130
RSP: 0000:ffff8880ba407808 EFLAGS: 00000286
RAX: 00000000000000ff RBX: ffffffff89d954b0 RCX: 0000000000005e54
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffff89d954b0
RBP: ffffffff89d954b4 R08: ffffffff8b9d0d60 R09: 00000000000421a4
R10: ffff8880a9fd0ea8 R11: ffff8880a9fd0580 R12: fffffbfff13b2a96
R13: 0000000000000001 R14: 0000000000000000 R15: ffff8880abd95080
FS:  00007f5dee48d700(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5dee3c6fc0 CR3: 00000000aa1bb000 CR4: 00000000003426f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 queued_write_lock include/asm-generic/qrwlock.h:134 [inline]
 do_raw_write_lock+0xc2/0x1d0 kernel/locking/spinlock_debug.c:203
 neigh_forced_gc net/core/neighbour.c:176 [inline]
 neigh_alloc net/core/neighbour.c:315 [inline]
 __neigh_create+0xb34/0x19b0 net/core/neighbour.c:499
 ip6_finish_output2+0x802/0x1f10 net/ipv6/ip6_output.c:117
 ip6_finish_output+0x5c6/0xd50 net/ipv6/ip6_output.c:192
 NF_HOOK_COND include/linux/netfilter.h:239 [inline]
 ip6_output+0x1c5/0x660 net/ipv6/ip6_output.c:209
 dst_output include/net/dst.h:470 [inline]
 NF_HOOK include/linux/netfilter.h:250 [inline]
 mld_sendpack+0x5fe/0xea0 net/ipv6/mcast.c:1657
 mld_send_cr net/ipv6/mcast.c:1953 [inline]
 mld_ifc_timer_expire+0x57c/0xcd0 net/ipv6/mcast.c:2452
 call_timer_fn+0x14a/0x650 kernel/time/timer.c:1280
 expire_timers+0x232/0x4d0 kernel/time/timer.c:1319
 __run_timers kernel/time/timer.c:1637 [inline]
 run_timer_softirq+0x1d5/0x5a0 kernel/time/timer.c:1650
 __do_softirq+0x24d/0x9ff kernel/softirq.c:288
 invoke_softirq kernel/softirq.c:368 [inline]
 irq_exit+0x193/0x240 kernel/softirq.c:409
 exiting_irq arch/x86/include/asm/apic.h:638 [inline]
 smp_apic_timer_interrupt+0x141/0x5e0 arch/x86/kernel/apic/apic.c:1106
 apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:793
RIP: 0010:orc_find arch/x86/kernel/unwind_orc.c:108 [inline]
RIP: 0010:unwind_next_frame+0x490/0x17d0 arch/x86/kernel/unwind_orc.c:348
RSP: 0000:ffff8880477eebf0 EFLAGS: 00000a07 ORIG_RAX: ffffffffffffff10
RAX: dffffc0000000000 RBX: 1ffff11008efdd85 RCX: ffffffff85e2815d
RDX: 000000000004e281 RSI: 000000000004e281 RDI: ffffffff8afa929c
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000001
R10: ffff8880477ef088 R11: 0000000000066071 R12: ffff8880477eece5
R13: ffff8880477eece8 R14: ffff8880477eed00 R15: ffff8880477eecb0
 __save_stack_trace+0x90/0x160 arch/x86/kernel/stacktrace.c:44
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551
 kmem_cache_alloc_node_trace+0x153/0x400 mm/slab.c:3661
 __do_kmalloc_node mm/slab.c:3681 [inline]
 __kmalloc_node_track_caller+0x38/0x70 mm/slab.c:3696
 __kmalloc_reserve net/core/skbuff.c:137 [inline]
 pskb_expand_head+0x128/0xd30 net/core/skbuff.c:1471
 netlink_trim+0x1ae/0x220 net/netlink/af_netlink.c:1276
 netlink_broadcast_filtered+0x5d/0x9e0 net/netlink/af_netlink.c:1473
 netlink_broadcast net/netlink/af_netlink.c:1518 [inline]
 nlmsg_multicast include/net/netlink.h:591 [inline]
 nlmsg_notify+0x129/0x1b0 net/netlink/af_netlink.c:2489
 rtnl_notify net/core/rtnetlink.c:653 [inline]
 rtmsg_ifinfo_send net/core/rtnetlink.c:2931 [inline]
 rtmsg_ifinfo_event net/core/rtnetlink.c:2945 [inline]
 rtmsg_ifinfo_event net/core/rtnetlink.c:2934 [inline]
 rtmsg_ifinfo+0xd4/0x100 net/core/rtnetlink.c:2951
 netdev_state_change net/core/dev.c:1316 [inline]
 netdev_state_change+0xde/0xf0 net/core/dev.c:1308
 do_setlink+0x2508/0x2bf0 net/core/rtnetlink.c:2280
 rtnl_group_changelink net/core/rtnetlink.c:2512 [inline]
 rtnl_newlink+0xccc/0x1860 net/core/rtnetlink.c:2666
 rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4320
 netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2446
 netlink_unicast_kernel net/netlink/af_netlink.c:1294 [inline]
 netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1320
 netlink_sendmsg+0x648/0xbc0 net/netlink/af_netlink.c:1891
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb5/0x100 net/socket.c:656
 ___sys_sendmsg+0x6c8/0x800 net/socket.c:2062
 __sys_sendmsg+0xa3/0x120 net/socket.c:2096
 SYSC_sendmsg net/socket.c:2107 [inline]
 SyS_sendmsg+0x27/0x40 net/socket.c:2103
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f5defb18059
RSP: 002b:00007f5dee48d168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f5defc2af60 RCX: 00007f5defb18059
RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000006
RBP: 00007f5defb7208d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe6e1298af R14: 00007f5dee48d300 R15: 0000000000022000
Code: 0f 84 d3 00 00 00 49 89 dc 49 89 de 41 bd 01 00 00 00 49 c1 ec 03 41 83 e6 07 48 b8 00 00 00 00 00 fc ff df 49 01 c4 eb 02 f3 90 <41> 0f b6 04 24 44 38 f0 7f 08 84 c0 0f 85 f6 00 00 00 0f b6 03
----------------
Code disassembly (best guess):
   0:   f0 01 de                lock add %ebx,%esi
   3:   c1 c0 06                rol    $0x6,%eax
   6:   31 f8                   xor    %edi,%eax
   8:   89 df                   mov    %ebx,%edi
   a:   89 c3                   mov    %eax,%ebx
   c:   29 c7                   sub    %eax,%edi
   e:   01 f0                   add    %esi,%eax
  10:   c1 c3 08                rol    $0x8,%ebx
  13:   31 fb                   xor    %edi,%ebx
  15:   89 df                   mov    %ebx,%edi
  17:   29 de                   sub    %ebx,%esi
  19:   01 c3                   add    %eax,%ebx
  1b:   c1 c7 10                rol    $0x10,%edi
  1e:   31 fe                   xor    %edi,%esi
  20:   89 f7                   mov    %esi,%edi
  22:   29 f0                   sub    %esi,%eax
  24:   01 de                   add    %ebx,%esi
  26:   c1 cf 0d                ror    $0xd,%edi
  29:   31 f8                   xor    %edi,%eax
* 2b:   89 c7                   mov    %eax,%edi <-- trapping instruction
  2d:   29 c3                   sub    %eax,%ebx
  2f:   01 f0                   add    %esi,%eax
  31:   c1 c7 04                rol    $0x4,%edi
  34:   31 fb                   xor    %edi,%ebx
  36:   83 f9 03                cmp    $0x3,%ecx
  39:   77 a3                   ja     0xffffffde
  3b:   83 f9 02                cmp    $0x2,%ecx
  3e:   0f                      .byte 0xf
  3f:   84                      .byte 0x84