watchdog: BUG: soft lockup - CPU#1 stuck for 111s! [syz.1.27:6035]
Modules linked in:
irq event stamp: 9476701
hardirqs last  enabled at (9476700): [<ffffffff8b6743d4>] irqentry_exit+0x74/0x90 kernel/entry/common.c:310
hardirqs last disabled at (9476701): [<ffffffff8b672f1e>] sysvec_apic_timer_interrupt+0xe/0xc0 arch/x86/kernel/apic/apic.c:1050
softirqs last  enabled at (7996844): [<ffffffff81859e7a>] __do_softirq kernel/softirq.c:613 [inline]
softirqs last  enabled at (7996844): [<ffffffff81859e7a>] invoke_softirq kernel/softirq.c:453 [inline]
softirqs last  enabled at (7996844): [<ffffffff81859e7a>] __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
softirqs last disabled at (7996847): [<ffffffff81859e7a>] __do_softirq kernel/softirq.c:613 [inline]
softirqs last disabled at (7996847): [<ffffffff81859e7a>] invoke_softirq kernel/softirq.c:453 [inline]
softirqs last disabled at (7996847): [<ffffffff81859e7a>] __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
CPU: 1 UID: 0 PID: 6035 Comm: syz.1.27 Not tainted 6.16.0-rc3-syzkaller-gc4b1be928ea0 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:__rcu_read_unlock+0x6/0xe0 kernel/rcu/tree_plugin.h:431
Code: c1 03 38 c1 7c dc 48 89 df e8 b6 8a 7c 00 eb d2 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 41 57 <41> 56 41 55 41 54 53 49 bf 00 00 00 00 00 fc ff df 65 48 8b 3c 25
RSP: 0018:ffffc90000a08160 EFLAGS: 00000282
RAX: f8da6405c0acca00 RBX: 0000000000000000 RCX: f8da6405c0acca00
RDX: 0000000000000005 RSI: ffffffff8db6fb39 RDI: ffffffff8be291c0
RBP: 0000000000000000 R08: ffffc90000a07f2f R09: 0000000000000000
R10: ffffc90000a07f20 R11: ffffffffa0203950 R12: 000000000000006a
R13: dffffc0000000000 R14: 00007fcfca98e929 R15: 0000000000000000
FS:  00007fcfc87f66c0(0000) GS:ffff888125d4d000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcfc87d4f98 CR3: 0000000021f00000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 rcu_read_unlock include/linux/rcupdate.h:873 [inline]
 is_bpf_text_address+0x292/0x2b0 kernel/bpf/core.c:774
 kernel_text_address+0xa5/0xe0 kernel/extable.c:125
 __kernel_text_address+0xd/0x40 kernel/extable.c:79
 unwind_get_return_address+0x4d/0x90 arch/x86/kernel/unwind_orc.c:369
 arch_stack_walk+0xfc/0x150 arch/x86/kernel/stacktrace.c:26
 stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:122
 kasan_save_stack+0x3e/0x60 mm/kasan/common.c:47
 kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:548
 kvfree_call_rcu+0xbb/0x410 mm/slab_common.c:1962
 neigh_remove_one+0x46d/0x4c0 net/core/neighbour.c:239
 neigh_forced_gc net/core/neighbour.c:270 [inline]
 neigh_alloc net/core/neighbour.c:464 [inline]
 ___neigh_create+0x485/0x2260 net/core/neighbour.c:607
 ip6_finish_output2+0xb4d/0x16a0 net/ipv6/ip6_output.c:132
 __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
 ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:226
 NF_HOOK include/linux/netfilter.h:317 [inline]
 ndisc_send_skb+0xb47/0x1400 net/ipv6/ndisc.c:513
 addrconf_rs_timer+0x369/0x670 net/ipv6/addrconf.c:4041
 call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
 expire_timers kernel/time/timer.c:1798 [inline]
 __run_timers kernel/time/timer.c:2372 [inline]
 __run_timer_base+0x61a/0x860 kernel/time/timer.c:2384
 run_timer_base kernel/time/timer.c:2393 [inline]
 run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
 handle_softirqs+0x286/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_irq_work arch/x86/kernel/irq_work.c:17 [inline]
 sysvec_irq_work+0xa3/0xc0 arch/x86/kernel/irq_work.c:17
 </IRQ>
 <TASK>
 asm_sysvec_irq_work+0x1a/0x20 arch/x86/include/asm/idtentry.h:738
RIP: 0010:preempt_schedule_irq+0xb0/0x150 kernel/sched/core.c:7108
Code: 24 20 f6 44 24 21 02 74 0c 90 0f 0b 48 f7 03 08 00 00 00 74 64 bf 01 00 00 00 e8 4b 5f 28 f6 e8 c6 7c 5f f6 fb bf 01 00 00 00 <e8> 1b ab ff ff 48 c7 44 24 40 00 00 00 00 9c 8f 44 24 40 8b 44 24
RSP: 0018:ffffc9000b6f75e0 EFLAGS: 00000282
RAX: f8da6405c0acca00 RBX: 0000000000000000 RCX: f8da6405c0acca00
RDX: 0000000000000007 RSI: ffffffff8d982c4e RDI: 0000000000000001
RBP: ffffc9000b6f7690 R08: ffffffff8fa112f7 R09: 1ffffffff1f4225e
R10: dffffc0000000000 R11: fffffbfff1f4225f R12: 0000000000000000
R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffff920016deebc
 irqentry_exit+0x6f/0x90 kernel/entry/common.c:307
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:stack_trace_consume_entry+0x2c/0x280 kernel/stacktrace.c:86
Code: 1e fa 55 41 57 41 56 41 55 41 54 53 48 83 ec 18 48 ba 00 00 00 00 00 fc ff df 4c 8d 47 10 4c 89 c5 48 c1 ed 03 0f b6 44 15 00 <84> c0 0f 85 09 01 00 00 44 8b 4f 10 4c 8d 77 08 4d 89 f5 49 c1 ed
RSP: 0018:ffffc9000b6f7758 EFLAGS: 00000a02
RAX: 0000000000000000 RBX: ffffc9000b6f7860 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: ffffffff823b562f RDI: ffffc9000b6f7860
RBP: 1ffff920016def0e R08: ffffc9000b6f7870 R09: 1ffffffff1f4225e
R10: dffffc0000000000 R11: ffffffff81ace6a0 R12: ffff888031b10000
R13: 1ffff920016def20 R14: ffffffff81ace6a0 R15: ffffc9000b6f77a8
 arch_stack_walk+0x10d/0x150 arch/x86/kernel/stacktrace.c:27
 stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:122
 save_stack+0xf5/0x1f0 mm/page_owner.c:156
 __reset_page_owner+0x71/0x1f0 mm/page_owner.c:308
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 __free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706
 discard_slab mm/slub.c:2717 [inline]
 __put_partials+0x161/0x1c0 mm/slub.c:3186
 put_cpu_partial+0x17c/0x250 mm/slub.c:3261
 __slab_free+0x2f7/0x400 mm/slub.c:4513
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4148 [inline]
 slab_alloc_node mm/slub.c:4197 [inline]
 kmem_cache_alloc_lru_noprof+0x1c6/0x3d0 mm/slub.c:4216
 __d_alloc+0x31/0x6f0 fs/dcache.c:1690
 d_alloc_pseudo+0x1f/0xb0 fs/dcache.c:1821
 alloc_path_pseudo fs/file_table.c:360 [inline]
 alloc_file_pseudo+0xcc/0x210 fs/file_table.c:376
 sock_alloc_file+0xb8/0x2e0 net/socket.c:470
 sock_map_fd net/socket.c:500 [inline]
 __sys_socket+0x13d/0x1b0 net/socket.c:1692
 __do_sys_socket net/socket.c:1697 [inline]
 __se_sys_socket net/socket.c:1695 [inline]
 __x64_sys_socket+0x7a/0x90 net/socket.c:1695
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcfca98e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcfc87f6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
RAX: ffffffffffffffda RBX: 00007fcfcabb5fa0 RCX: 00007fcfca98e929
RDX: 0000000000000084 RSI: 0000000000000001 RDI: 0000000000000002
RBP: 00007fcfcaa10b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fcfcabb5fa0 R15: 00007ffe9f5dadf8
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 6033 Comm: syz.2.26 Not tainted 6.16.0-rc3-syzkaller-gc4b1be928ea0 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
RIP: 0010:__kasan_check_byte+0x4/0x40 mm/kasan/common.c:555
Code: 01 0f 84 da fe ff ff 48 ff c8 49 89 c4 e9 cf fe ff ff 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 <41> 56 53 48 89 f3 49 89 fe e8 5e 14 00 00 84 c0 75 16 be 01 00 00
RSP: 0000:ffffc90000006988 EFLAGS: 00000002
RAX: 0000000000000001 RBX: 0000000000000000 RCX: 5cb562b06c6b4e00
RDX: 0000000000000000 RSI: ffffffff8b69c1de RDI: ffffffff8e133038
RBP: ffffffff81a126f0 R08: 0000000000000001 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1bfaa04 R12: 0000000000000000
R13: ffffffff8e133038 R14: 0000000000000000 R15: 0000000000000001
FS:  00007f0cc212b6c0(0000) GS:ffff888125c4d000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0c2c2e56e8 CR3: 0000000060828000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 kasan_check_byte include/linux/kasan.h:399 [inline]
 lock_acquire+0x8d/0x360 kernel/locking/lockdep.c:5845
 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
 _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
 console_lock_spinning_enable kernel/printk/printk.c:1918 [inline]
 console_emit_next_record kernel/printk/printk.c:3132 [inline]
 console_flush_all+0x690/0xc40 kernel/printk/printk.c:3226
 __console_flush_and_unlock kernel/printk/printk.c:3285 [inline]
 console_unlock+0xc4/0x270 kernel/printk/printk.c:3325
 vprintk_emit+0x5b7/0x7a0 kernel/printk/printk.c:2450
 _printk+0xcf/0x120 kernel/printk/printk.c:2475
 print_other_cpu_stall+0x189/0x1370 kernel/rcu/tree_stall.h:620
 check_cpu_stall kernel/rcu/tree_stall.h:821 [inline]
 rcu_pending kernel/rcu/tree.c:3642 [inline]
 rcu_sched_clock_irq+0x9d1/0x1090 kernel/rcu/tree.c:2677
 update_process_times+0x23c/0x2f0 kernel/time/timer.c:2473
 tick_sched_handle kernel/time/tick-sched.c:276 [inline]
 tick_nohz_handler+0x39a/0x520 kernel/time/tick-sched.c:297
 __run_hrtimer kernel/time/hrtimer.c:1761 [inline]
 __hrtimer_run_queues+0x4e0/0xc60 kernel/time/hrtimer.c:1825
 hrtimer_interrupt+0x45b/0xaa0 kernel/time/hrtimer.c:1887
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1039 [inline]
 __sysvec_apic_timer_interrupt+0x10b/0x410 arch/x86/kernel/apic/apic.c:1056
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0x52/0xc0 arch/x86/kernel/apic/apic.c:1050
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:queued_write_lock_slowpath+0x120/0x260 kernel/locking/qrwlock.c:85
Code: ba f6 f0 81 0b 00 01 00 00 43 0f b6 04 27 84 c0 74 35 89 d9 80 e1 07 80 c1 03 38 c1 7c 29 48 89 df e8 24 65 ba f6 eb 1f f3 90 <43> 0f b6 04 27 84 c0 74 14 89 d9 80 e1 07 80 c1 03 38 c1 7c 08 48
RSP: 0000:ffffc900000074e0 EFLAGS: 00000206
RAX: 00000000000001ff RBX: ffffffff8f6223a0 RCX: ffffffff8b69ee78
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffffff8f6223a0
RBP: ffffc90000007590 R08: ffffffff8f6223a3 R09: 1ffffffff1ec4474
R10: dffffc0000000000 R11: fffffbfff1ec4475 R12: dffffc0000000000
R13: 1ffff92000000ea0 R14: ffffc90000007530 R15: 1ffffffff1ec4474
 queued_write_lock include/asm-generic/qrwlock.h:101 [inline]
 do_raw_write_lock+0x1f2/0x260 kernel/locking/spinlock_debug.c:211
 neigh_forced_gc net/core/neighbour.c:255 [inline]
 neigh_alloc net/core/neighbour.c:464 [inline]
 ___neigh_create+0x209/0x2260 net/core/neighbour.c:607
 ip6_finish_output2+0xb4d/0x16a0 net/ipv6/ip6_output.c:132
 __ip6_finish_output net/ipv6/ip6_output.c:-1 [inline]
 ip6_finish_output+0x234/0x7d0 net/ipv6/ip6_output.c:226
 NF_HOOK include/linux/netfilter.h:317 [inline]
 ndisc_send_skb+0xb47/0x1400 net/ipv6/ndisc.c:513
 addrconf_rs_timer+0x369/0x670 net/ipv6/addrconf.c:4041
 call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747
 expire_timers kernel/time/timer.c:1798 [inline]
 __run_timers kernel/time/timer.c:2372 [inline]
 __run_timer_base+0x61a/0x860 kernel/time/timer.c:2384
 run_timer_base kernel/time/timer.c:2393 [inline]
 run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403
 handle_softirqs+0x286/0x870 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:bpf_prog_83d37dda6cf46a9a+0x4/0x23
Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 40 00 00 00 cc cc cc cc cc cc cc cc cc cc cc cc f3 0f 1e fa <0f> 1f 44 00 00 0f 1f 00 55 48 89 e5 f3 0f 1e fa 41 56 45 31 f6 31
RSP: 0000:ffffc9000b406d78 EFLAGS: 00000286
RAX: 1ffff9200083ea06 RBX: ffffc900041f5048 RCX: dffffc0000000000
RDX: ffffc9000c24a000 RSI: ffffc900041f5048 RDI: ffffe8ffffc75000
RBP: ffffc9000b406e78 R08: ffffc9000b406e0f R09: 0000000000000000
R10: ffffc9000b406e00 R11: ffffffffa0203950 R12: ffffc900041f5030
R13: ffff88807ed71b98 R14: ffff88807ed71ba8 R15: 0000000000000001
 perf_trace_run_bpf_submit+0x78/0x170 kernel/events/core.c:10891
 do_perf_trace_lock include/trace/events/lock.h:50 [inline]
 perf_trace_lock+0x2f8/0x3b0 include/trace/events/lock.h:50
 __do_trace_lock_release include/trace/events/lock.h:69 [inline]
 trace_lock_release include/trace/events/lock.h:69 [inline]
 lock_release+0x3b2/0x3e0 kernel/locking/lockdep.c:5882
 rcu_lock_release include/linux/rcupdate.h:341 [inline]
 rcu_read_unlock include/linux/rcupdate.h:871 [inline]
 class_rcu_destructor include/linux/rcupdate.h:1155 [inline]
 unwind_next_frame+0x19a9/0x2390 arch/x86/kernel/unwind_orc.c:680
 __unwind_start+0x5b9/0x760 arch/x86/kernel/unwind_orc.c:758
 unwind_start arch/x86/include/asm/unwind.h:64 [inline]
 arch_stack_walk+0xe4/0x150 arch/x86/kernel/stacktrace.c:24
 stack_trace_save+0x9c/0xe0 kernel/stacktrace.c:122
 save_stack+0xf5/0x1f0 mm/page_owner.c:156
 __reset_page_owner+0x71/0x1f0 mm/page_owner.c:308
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 __free_frozen_pages+0xc71/0xe70 mm/page_alloc.c:2706
 __slab_free+0x326/0x400 mm/slub.c:4554
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x140 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:329
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4148 [inline]
 slab_alloc_node mm/slub.c:4197 [inline]
 kmem_cache_alloc_noprof+0x1c1/0x3c0 mm/slub.c:4204
 __kernfs_new_node+0xd7/0x7e0 fs/kernfs/dir.c:637
 kernfs_new_node+0x102/0x210 fs/kernfs/dir.c:713
 __kernfs_create_file+0x4b/0x2e0 fs/kernfs/file.c:1039
 sysfs_add_file_mode_ns+0x238/0x300 fs/sysfs/file.c:319
 create_files fs/sysfs/group.c:76 [inline]
 internal_create_group+0x66d/0x1110 fs/sysfs/group.c:183
 internal_create_groups fs/sysfs/group.c:223 [inline]
 sysfs_create_groups+0x59/0x120 fs/sysfs/group.c:249
 device_add_groups drivers/base/core.c:2839 [inline]
 device_add_attrs+0xe0/0x5a0 drivers/base/core.c:2903
 device_add+0x496/0xb50 drivers/base/core.c:3646
 netdev_register_kobject+0x156/0x2f0 net/core/net-sysfs.c:2336
 register_netdevice+0x126c/0x1ae0 net/core/dev.c:11105
 tun_set_iff+0x844/0xef0 drivers/net/tun.c:2781
 __tun_chr_ioctl+0x788/0x1df0 drivers/net/tun.c:3048
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0cc138e929
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0cc212b038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f0cc15b5fa0 RCX: 00007f0cc138e929
RDX: 0000200000000000 RSI: 00000000400454ca RDI: 0000000000000008
RBP: 00007f0cc1410b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f0cc15b5fa0 R15: 00007ffd5d57ca78
 </TASK>