watchdog: BUG: soft lockup - CPU#0 stuck for 143s! [syz-executor.3:5980]
Modules linked in:
irq event stamp: 0
hardirqs last  enabled at (0): [<0000000000000000>] 0x0
hardirqs last disabled at (0): [<ffffffff81460ce3>] copy_process+0x2013/0x6fe0 kernel/fork.c:2173
softirqs last  enabled at (0): [<ffffffff81460d2b>] copy_process+0x205b/0x6fe0 kernel/fork.c:2177
softirqs last disabled at (0): [<0000000000000000>] 0x0
CPU: 0 PID: 5980 Comm: syz-executor.3 Not tainted 5.18.0-rc3-next-20220422-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:kvm_wait+0x98/0x100 arch/x86/kernel/kvm.c:1058
Code: fa 83 e2 07 38 d0 7f 04 84 c0 75 63 0f b6 07 40 38 c6 74 35 48 83 c4 10 c3 c3 e8 23 91 4b 00 eb 07 0f 00 2d da b1 94 08 fb f4 <48> 83 c4 10 c3 89 74 24 0c 48 89 3c 24 e8 56 8f 4b 00 8b 74 24 0c
RSP: 0018:ffffc9001460f9e0 EFLAGS: 00000246
RAX: 0000000000000007 RBX: 0000000000000000 RCX: 1ffffffff1b73199
RDX: 0000000000000000 RSI: ffffffff81807171 RDI: ffffffff8134dffd
RBP: ffffffff8cbfc980 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff81807158 R11: 1ffffffff17b1e31 R12: 0000000000000000
R13: fffffbfff197f930 R14: 0000000000000001 R15: ffff8880b9c3ae40
FS:  0000555556ddc400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2dd57000 CR3: 000000001f512000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 pv_wait arch/x86/include/asm/paravirt.h:603 [inline]
 pv_wait_head_or_lock kernel/locking/qspinlock_paravirt.h:470 [inline]
 __pv_queued_spin_lock_slowpath+0x8c7/0xb50 kernel/locking/qspinlock.c:511
 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:591 [inline]
 queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:51 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:85 [inline]
 do_raw_spin_lock+0x200/0x2a0 kernel/locking/spinlock_debug.c:115
 spin_lock_bh include/linux/spinlock.h:359 [inline]
 remove_user_radios drivers/net/wireless/mac80211_hwsim.c:4632 [inline]
 mac80211_hwsim_netlink_notify+0x13f/0xb20 drivers/net/wireless/mac80211_hwsim.c:4659
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:84
 blocking_notifier_call_chain kernel/notifier.c:319 [inline]
 blocking_notifier_call_chain+0x67/0x90 kernel/notifier.c:307
 netlink_release+0xcb6/0x1db0 net/netlink/af_netlink.c:790
 __sock_release+0xcd/0x280 net/socket.c:650
 sock_close+0x18/0x20 net/socket.c:1318
 __fput+0x277/0x9d0 fs/file_table.c:317
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:169 [inline]
 exit_to_user_mode_prepare+0x23c/0x250 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:283 [inline]
 syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:294
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fe0e5c3bd2b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44
RSP: 002b:00007fff768db060 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007fe0e5c3bd2b
RDX: 0000000000000000 RSI: 00007fe0e5c00000 RDI: 0000000000000006
RBP: 00007fe0e5d9d960 R08: 0000000000000000 R09: 0000000068c3877e
R10: 0000000000000000 R11: 0000000000000293 R12: 00000000000396c5
R13: 00007fff768db160 R14: 00007fff768db180 R15: 0000000000000032
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 5983 Comm: syz-executor.5 Not tainted 5.18.0-rc3-next-20220422-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:kvm_wait+0x98/0x100 arch/x86/kernel/kvm.c:1058
Code: fa 83 e2 07 38 d0 7f 04 84 c0 75 63 0f b6 07 40 38 c6 74 35 48 83 c4 10 c3 c3 e8 23 91 4b 00 eb 07 0f 00 2d da b1 94 08 fb f4 <48> 83 c4 10 c3 89 74 24 0c 48 89 3c 24 e8 56 8f 4b 00 8b 74 24 0c
RSP: 0018:ffffc90000de0488 EFLAGS: 00000246
RAX: 0000000000000007 RBX: 0000000000000000 RCX: 1ffffffff1b73199
RDX: 0000000000000000 RSI: ffffffff81807171 RDI: ffffffff8134dffd
RBP: ffff888022878948 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff81807158 R11: 0000000000000001 R12: 0000000000000000
R13: ffffed100450f129 R14: 0000000000000001 R15: ffff8880b9d3ae40
FS:  00007f534924d700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020011038 CR3: 000000001c169000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 pv_wait arch/x86/include/asm/paravirt.h:603 [inline]
 pv_wait_head_or_lock kernel/locking/qspinlock_paravirt.h:470 [inline]
 __pv_queued_spin_lock_slowpath+0x8c7/0xb50 kernel/locking/qspinlock.c:511
 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:591 [inline]
 queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:51 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:85 [inline]
 do_raw_spin_lock+0x200/0x2a0 kernel/locking/spinlock_debug.c:115
 spin_lock include/linux/spinlock.h:354 [inline]
 task_lock include/linux/sched/task.h:170 [inline]
 __get_task_comm+0x23/0x50 fs/exec.c:1219
 __set_page_owner_handle mm/page_owner.c:174 [inline]
 __set_page_owner+0x253/0x380 mm/page_owner.c:192
 prep_new_page mm/page_alloc.c:2394 [inline]
 get_page_from_freelist+0xba2/0x3e00 mm/page_alloc.c:4135
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5356
 alloc_pages+0x1aa/0x310 mm/mempolicy.c:2273
 alloc_slab_page mm/slub.c:1797 [inline]
 allocate_slab+0x26c/0x3c0 mm/slub.c:1942
 new_slab mm/slub.c:2002 [inline]
 ___slab_alloc+0x985/0xd90 mm/slub.c:3002
 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3089
 slab_alloc_node mm/slub.c:3180 [inline]
 kmem_cache_alloc_node+0x122/0x3f0 mm/slub.c:3264
 __alloc_skb+0x215/0x340 net/core/skbuff.c:414
 skb_copy+0x139/0x3c0 net/core/skbuff.c:1585
 mac80211_hwsim_tx_frame_no_nl.isra.0+0xb7c/0x13b0 drivers/net/wireless/mac80211_hwsim.c:1642
 mac80211_hwsim_tx_frame+0x1ee/0x2a0 drivers/net/wireless/mac80211_hwsim.c:1884
 mac80211_hwsim_beacon_tx+0x49e/0x920 drivers/net/wireless/mac80211_hwsim.c:1938
 __iterate_interfaces+0x1e5/0x560 net/mac80211/util.c:793
 ieee80211_iterate_active_interfaces_atomic+0x70/0x180 net/mac80211/util.c:829
 mac80211_hwsim_beacon+0xcd/0x1c0 drivers/net/wireless/mac80211_hwsim.c:1961
 __run_hrtimer kernel/time/hrtimer.c:1685 [inline]
 __hrtimer_run_queues+0x609/0xe50 kernel/time/hrtimer.c:1749
 hrtimer_run_softirq+0x17b/0x360 kernel/time/hrtimer.c:1766
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558
 invoke_softirq kernel/softirq.c:432 [inline]
 __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1106
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:649
RIP: 0010:check_kcov_mode+0x2c/0x40 kernel/kcov.c:177
Code: 05 e9 54 88 7e 89 c2 81 e2 00 01 00 00 a9 00 01 ff 00 74 10 31 c0 85 d2 74 15 8b 96 ac 15 00 00 85 d2 74 0b 8b 86 88 15 00 00 <39> f8 0f 94 c0 c3 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 31 c0
RSP: 0018:ffffc9001464ef28 EFLAGS: 00000246
RAX: 0000000000000002 RBX: 000000000000000f RCX: 000000000000000e
RDX: 0000000000000000 RSI: ffff888022878000 RDI: 0000000000000003
RBP: ffff8880123c3468 R08: 000000000000000f R09: ffff888022878838
R10: ffffffff83faa4e6 R11: 0000000000000001 R12: 000000000000000e
R13: 0000000000000010 R14: ffff8880123c3448 R15: 0000000000000007
 write_comp_data kernel/kcov.c:221 [inline]
 __sanitizer_cov_trace_cmp8+0x1d/0x70 kernel/kcov.c:267
 strscpy_pad+0x46/0x70 lib/string_helpers.c:789
 __get_task_comm+0x35/0x50 fs/exec.c:1221
 __set_page_owner_handle mm/page_owner.c:174 [inline]
 __set_page_owner+0x253/0x380 mm/page_owner.c:192
 prep_new_page mm/page_alloc.c:2394 [inline]
 get_page_from_freelist+0xba2/0x3e00 mm/page_alloc.c:4135
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5356
 __alloc_pages_bulk+0xbef/0x1a10 mm/page_alloc.c:5302
 alloc_pages_bulk_array_mempolicy+0x1c3/0x4d0 mm/mempolicy.c:2368
 vm_area_alloc_pages mm/vmalloc.c:2898 [inline]
 __vmalloc_area_node mm/vmalloc.c:2990 [inline]
 __vmalloc_node_range+0xd35/0x13c0 mm/vmalloc.c:3161
 __vmalloc_node mm/vmalloc.c:3226 [inline]
 vmalloc+0x67/0x80 mm/vmalloc.c:3259
 netlink_alloc_large_skb net/netlink/af_netlink.c:1196 [inline]
 netlink_sendmsg+0x687/0xe00 net/netlink/af_netlink.c:1896
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:725
 sock_no_sendpage+0xf6/0x140 net/core/sock.c:3126
 kernel_sendpage.part.0+0x1ff/0x7b0 net/socket.c:3524
 kernel_sendpage net/socket.c:3521 [inline]
 sock_sendpage+0xdf/0x140 net/socket.c:1007
 pipe_to_sendpage+0x2ad/0x380 fs/splice.c:364
 splice_from_pipe_feed fs/splice.c:418 [inline]
 __splice_from_pipe+0x43e/0x8a0 fs/splice.c:562
 splice_from_pipe fs/splice.c:597 [inline]
 generic_splice_sendpage+0xd4/0x140 fs/splice.c:746
 do_splice_from fs/splice.c:767 [inline]
 direct_splice_actor+0x110/0x180 fs/splice.c:936
 splice_direct_to_actor+0x34b/0x8c0 fs/splice.c:891
 do_splice_direct+0x1a7/0x270 fs/splice.c:979
 do_sendfile+0xae0/0x1240 fs/read_write.c:1246
 __do_sys_sendfile64 fs/read_write.c:1311 [inline]
 __se_sys_sendfile64 fs/read_write.c:1297 [inline]
 __x64_sys_sendfile64+0x1cc/0x210 fs/read_write.c:1297
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f53480890e9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f534924d168 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f534819bf60 RCX: 00007f53480890e9
RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000006
RBP: 00007f53480e308d R08: 0000000000000000 R09: 0000000000000000
R10: 000000010000a006 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcc7869edf R14: 00007f534924d300 R15: 0000000000022000
 </TASK>
----------------
Code disassembly (best guess):
   0:	fa                   	cli
   1:	83 e2 07             	and    $0x7,%edx
   4:	38 d0                	cmp    %dl,%al
   6:	7f 04                	jg     0xc
   8:	84 c0                	test   %al,%al
   a:	75 63                	jne    0x6f
   c:	0f b6 07             	movzbl (%rdi),%eax
   f:	40 38 c6             	cmp    %al,%sil
  12:	74 35                	je     0x49
  14:	48 83 c4 10          	add    $0x10,%rsp
  18:	c3                   	retq
  19:	c3                   	retq
  1a:	e8 23 91 4b 00       	callq  0x4b9142
  1f:	eb 07                	jmp    0x28
  21:	0f 00 2d da b1 94 08 	verw   0x894b1da(%rip)        # 0x894b202
  28:	fb                   	sti
  29:	f4                   	hlt
* 2a:	48 83 c4 10          	add    $0x10,%rsp <-- trapping instruction
  2e:	c3                   	retq
  2f:	89 74 24 0c          	mov    %esi,0xc(%rsp)
  33:	48 89 3c 24          	mov    %rdi,(%rsp)
  37:	e8 56 8f 4b 00       	callq  0x4b8f92
  3c:	8b 74 24 0c          	mov    0xc(%rsp),%esi