attempt to access beyond end of device loop0: rw=0, want=88, limit=87 watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [syz-executor.3:9615] Modules linked in: irq event stamp: 4236771 hardirqs last enabled at (4236770): [] restore_regs_and_return_to_kernel+0x0/0x2a hardirqs last disabled at (4236771): [] apic_timer_interrupt+0x8e/0xa0 arch/x86/entry/entry_64.S:793 softirqs last enabled at (43676): [] __do_softirq+0x68b/0x9ff kernel/softirq.c:314 softirqs last disabled at (45083): [] invoke_softirq kernel/softirq.c:368 [inline] softirqs last disabled at (45083): [] irq_exit+0x193/0x240 kernel/softirq.c:409 CPU: 1 PID: 9615 Comm: syz-executor.3 Not tainted 4.14.268-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8880503224c0 task.stack: ffff888050348000 RIP: 0010:get_current arch/x86/include/asm/current.h:15 [inline] RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x50 kernel/kcov.c:60 RSP: 0018:ffff8880ba5074e8 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff10 RAX: ffff8880503224c0 RBX: ffff8880503224c0 RCX: 1ffffffff127a3f8 RDX: 0000000000000100 RSI: ffffffff87ccf440 RDI: ffffffff87ccf480 RBP: ffffffff87ccf480 R08: 0000000000000000 R09: 0000000000022012 R10: ffff888050322e60 R11: ffff8880503224c0 R12: 0000000000000001 R13: ffffffff87ccf440 R14: ffff8880a88c1180 R15: ffff88809956ad50 FS: 00007f09b67b7700(0000) GS:ffff8880ba500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007feebc3ae000 CR3: 00000000a5c19000 CR4: 00000000003406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: check_preemption_disabled+0x35/0x240 lib/smp_processor_id.c:52 rcu_dynticks_curr_cpu_in_eqs kernel/rcu/tree.c:360 [inline] rcu_is_watching+0x11/0xb0 kernel/rcu/tree.c:1130 rcu_read_lock_held+0xba/0x110 kernel/rcu/update.c:328 sock_def_write_space+0x3e6/0x500 net/core/sock.c:2685 sock_wfree+0xcb/0x130 net/core/sock.c:1828 skb_release_head_state+0x11e/0x250 net/core/skbuff.c:625 skb_release_all net/core/skbuff.c:638 [inline] __kfree_skb net/core/skbuff.c:654 [inline] kfree_skb+0xae/0x390 net/core/skbuff.c:672 vti6_tnl_xmit+0x2a7/0x17d0 net/ipv6/ip6_vti.c:596 __netdev_start_xmit include/linux/netdevice.h:4052 [inline] netdev_start_xmit include/linux/netdevice.h:4061 [inline] xmit_one net/core/dev.c:3005 [inline] dev_hard_start_xmit+0x188/0x890 net/core/dev.c:3021 __dev_queue_xmit+0x1d7f/0x2480 net/core/dev.c:3521 neigh_output include/net/neighbour.h:500 [inline] ip6_finish_output2+0xf48/0x1f10 net/ipv6/ip6_output.c:120 ip6_finish_output+0x5c6/0xd50 net/ipv6/ip6_output.c:192 NF_HOOK_COND include/linux/netfilter.h:239 [inline] ip6_output+0x1c5/0x660 net/ipv6/ip6_output.c:209 dst_output include/net/dst.h:470 [inline] NF_HOOK include/linux/netfilter.h:250 [inline] ndisc_send_skb+0x82a/0x1390 net/ipv6/ndisc.c:483 ndisc_send_rs+0x125/0x630 net/ipv6/ndisc.c:677 addrconf_rs_timer+0x2bb/0x5a0 net/ipv6/addrconf.c:3769 call_timer_fn+0x14a/0x650 kernel/time/timer.c:1280 expire_timers+0x232/0x4d0 kernel/time/timer.c:1319 __run_timers kernel/time/timer.c:1637 [inline] run_timer_softirq+0x1d5/0x5a0 kernel/time/timer.c:1650 __do_softirq+0x24d/0x9ff kernel/softirq.c:288 invoke_softirq kernel/softirq.c:368 [inline] irq_exit+0x193/0x240 kernel/softirq.c:409 exiting_irq arch/x86/include/asm/apic.h:638 [inline] smp_apic_timer_interrupt+0x141/0x5e0 arch/x86/kernel/apic/apic.c:1106 apic_timer_interrupt+0x93/0xa0 arch/x86/entry/entry_64.S:793 RIP: 0010:preempt_schedule_irq+0xa6/0x140 kernel/sched/core.c:3614 RSP: 0018:ffff88805034ef50 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff10 RAX: 1ffffffff11e127b RBX: dffffc0000000000 RCX: 1ffff1100a0645b2 RDX: 0000000000000000 RSI: ffff888050322d70 RDI: ffff888050322d44 RBP: ffffed100a064498 R08: ffff88823fff7058 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880503224c0 R13: ffffffff88f093d8 R14: 0000000000000000 R15: 0000000000000000 retint_kernel+0x1b/0x2d RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:23 [inline] RIP: 0010:preempt_schedule+0x0/0x60 kernel/sched/core.c:3534 RSP: 0018:ffff88805034f020 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff10 RAX: 0000000000000000 RBX: 0000000000000006 RCX: 0000000000000000 RDX: 0000000000000004 RSI: 0000000000000003 RDI: 0000000000000001 RBP: ffff88805034f070 R08: ffffffff8b9d2b30 R09: 0000000000000002 R10: 0000000000000000 R11: ffff8880503224c0 R12: ffff8880554792a0 R13: 0000000000000001 R14: ffff8880555c2110 R15: ffff88805034f210 ___preempt_schedule+0x16/0x18 __raw_spin_unlock include/linux/spinlock_api_smp.h:152 [inline] _raw_spin_unlock+0x3b/0x40 kernel/locking/spinlock.c:184 spin_unlock include/linux/spinlock.h:357 [inline] fat_cache_lookup fs/fat/cache.c:112 [inline] fat_get_cluster+0x702/0xd10 fs/fat/cache.c:247 fat_chain_add+0x31a/0x510 fs/fat/misc.c:113 fat_add_cluster+0x9d/0xc0 fs/fat/inode.c:105 __fat_get_block fs/fat/inode.c:147 [inline] fat_get_block+0x28f/0x750 fs/fat/inode.c:176 __block_write_begin_int+0x35c/0x1090 fs/buffer.c:2038 __block_write_begin fs/buffer.c:2088 [inline] block_write_begin+0x58/0x270 fs/buffer.c:2147 cont_write_begin+0x497/0x730 fs/buffer.c:2497 fat_write_begin+0x89/0x170 fs/fat/inode.c:222 generic_perform_write+0x1c9/0x420 mm/filemap.c:3055 __generic_file_write_iter+0x227/0x590 mm/filemap.c:3180 generic_file_write_iter+0x36f/0x650 mm/filemap.c:3208 call_write_iter include/linux/fs.h:1780 [inline] new_sync_write fs/read_write.c:469 [inline] __vfs_write+0x44c/0x630 fs/read_write.c:482 __kernel_write+0xf5/0x330 fs/read_write.c:501 write_pipe_buf+0x143/0x1c0 fs/splice.c:797 splice_from_pipe_feed fs/splice.c:502 [inline] __splice_from_pipe+0x326/0x7a0 fs/splice.c:626 splice_from_pipe fs/splice.c:661 [inline] default_file_splice_write+0xc5/0x150 fs/splice.c:809 do_splice_from fs/splice.c:851 [inline] direct_splice_actor+0x115/0x160 fs/splice.c:1018 splice_direct_to_actor+0x27c/0x730 fs/splice.c:973 do_splice_direct+0x164/0x210 fs/splice.c:1061 do_sendfile+0x47f/0xb30 fs/read_write.c:1441 SYSC_sendfile64 fs/read_write.c:1502 [inline] SyS_sendfile64+0xff/0x110 fs/read_write.c:1488 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x7f09b7e42059 RSP: 002b:00007f09b67b7168 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 RAX: ffffffffffffffda RBX: 00007f09b7f54f60 RCX: 00007f09b7e42059 RDX: 0000000000000000 RSI: 0000000000000006 RDI: 0000000000000004 RBP: 00007f09b7e9c08d R08: 0000000000000000 R09: 0000000000000000 R10: 000000000000de00 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffe4319e26f R14: 00007f09b67b7300 R15: 0000000000022000 Code: ff ff 48 89 df e8 81 b1 29 00 e9 9f fe ff ff 4c 89 e7 e8 74 b1 29 00 e9 2c fe ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <65> 48 8b 04 25 c0 7f 02 00 48 85 c0 74 1a 65 8b 15 1b 3d ad 7e Sending NMI from CPU 1 to CPUs 0: NMI backtrace for cpu 0 skipped: idling at pc 0xffffffff87241fce ---------------- Code disassembly (best guess), 1 bytes skipped: 0: ff 48 89 decl -0x77(%rax) 3: df e8 fucomip %st(0),%st 5: 81 b1 29 00 e9 9f fe xorl $0x4cfffffe,-0x6016ffd7(%rcx) c: ff ff 4c f: 89 e7 mov %esp,%edi 11: e8 74 b1 29 00 callq 0x29b18a 16: e9 2c fe ff ff jmpq 0xfffffe47 1b: 90 nop 1c: 90 nop 1d: 90 nop 1e: 90 nop 1f: 90 nop 20: 90 nop 21: 90 nop 22: 90 nop 23: 90 nop 24: 90 nop 25: 90 nop 26: 90 nop 27: 90 nop 28: 90 nop 29: 90 nop * 2a: 65 48 8b 04 25 c0 7f mov %gs:0x27fc0,%rax <-- trapping instruction 31: 02 00 33: 48 85 c0 test %rax,%rax 36: 74 1a je 0x52 38: 65 8b 15 1b 3d ad 7e mov %gs:0x7ead3d1b(%rip),%edx # 0x7ead3d5a