Extracting prog: 7m47.013110451s Minimizing prog: 1h13m0.124529409s Simplifying prog options: 14m8.427795163s Extracting C: 3m3.73909412s Simplifying C: 0s extracting reproducer from 1 programs testing a last program of every proc single: executing 1 programs separately with timeout 30s testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket-ioctl$ifreq_SIOCGIFINDEX_team-socket$netlink-sendmsg$nl_route_sched detailed listing: executing program 0: r0 = socket(0x11, 0x800000003, 0x0) ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, &(0x7f0000000600)={'team0\x00', 0x0}) r2 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r2, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000400)=@newqdisc={0xa4, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x12, r1, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x74, 0x2, [@TCA_TAPRIO_ATTR_PRIOMAP={0x56, 0x1, {0x2, [], 0x0, [0x8, 0x4], [0x0, 0x8]}}, @TCA_TAPRIO_ATTR_SCHED_CLOCKID={0x8, 0x5, 0x7}, @TCA_TAPRIO_ATTR_SCHED_ENTRY_LIST={0x10, 0x2, 0x0, 0x1, [{0xc, 0x1, 0x0, 0x1, [@TCA_TAPRIO_SCHED_ENTRY_INTERVAL={0x8, 0x4, 0xcb2}]}]}]}}]}, 0xa4}}, 0x0) program did not crash single: failed to extract reproducer single: executing 1 programs separately with timeout 6m0s testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket-ioctl$ifreq_SIOCGIFINDEX_team-socket$netlink-sendmsg$nl_route_sched detailed listing: executing program 0: r0 = socket(0x11, 0x800000003, 0x0) ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, &(0x7f0000000600)={'team0\x00', 0x0}) r2 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r2, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000400)=@newqdisc={0xa4, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x12, r1, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x74, 0x2, [@TCA_TAPRIO_ATTR_PRIOMAP={0x56, 0x1, {0x2, [], 0x0, [0x8, 0x4], [0x0, 0x8]}}, @TCA_TAPRIO_ATTR_SCHED_CLOCKID={0x8, 0x5, 0x7}, @TCA_TAPRIO_ATTR_SCHED_ENTRY_LIST={0x10, 0x2, 0x0, 0x1, [{0xc, 0x1, 0x0, 0x1, [@TCA_TAPRIO_SCHED_ENTRY_INTERVAL={0x8, 0x4, 0xcb2}]}]}]}}]}, 0xa4}}, 0x0) program crashed: INFO: task hung in addrconf_dad_work single: successfully extracted reproducer found reproducer with 4 syscalls minimizing guilty program testing program (duration=7m54.477476683s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket-ioctl$ifreq_SIOCGIFINDEX_team-socket$netlink detailed listing: executing program 0: r0 = socket(0x11, 0x800000003, 0x0) ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, &(0x7f0000000600)) socket$netlink(0x10, 0x3, 0x0) program did not crash testing program (duration=7m54.477476683s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket-ioctl$ifreq_SIOCGIFINDEX_team-sendmsg$nl_route_sched detailed listing: executing program 0: r0 = socket(0x11, 0x800000003, 0x0) ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, &(0x7f0000000600)={'team0\x00', 0x0}) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000400)=@newqdisc={0xa4, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x12, r1, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x74, 0x2, [@TCA_TAPRIO_ATTR_PRIOMAP={0x56, 0x1, {0x2, [], 0x0, [0x8, 0x4], [0x0, 0x8]}}, @TCA_TAPRIO_ATTR_SCHED_CLOCKID={0x8, 0x5, 0x7}, @TCA_TAPRIO_ATTR_SCHED_ENTRY_LIST={0x10, 0x2, 0x0, 0x1, [{0xc, 0x1, 0x0, 0x1, [@TCA_TAPRIO_SCHED_ENTRY_INTERVAL={0x8, 0x4, 0xcb2}]}]}]}}]}, 0xa4}}, 0x0) program did not crash testing program (duration=7m54.477476683s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket-socket$netlink-sendmsg$nl_route_sched detailed listing: executing program 0: socket(0x11, 0x800000003, 0x0) r0 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r0, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000400)=@newqdisc={0xa4, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x12, 0x0, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x74, 0x2, [@TCA_TAPRIO_ATTR_PRIOMAP={0x56, 0x1, {0x2, [], 0x0, [0x8, 0x4], [0x0, 0x8]}}, @TCA_TAPRIO_ATTR_SCHED_CLOCKID={0x8, 0x5, 0x7}, @TCA_TAPRIO_ATTR_SCHED_ENTRY_LIST={0x10, 0x2, 0x0, 0x1, [{0xc, 0x1, 0x0, 0x1, [@TCA_TAPRIO_SCHED_ENTRY_INTERVAL={0x8, 0x4, 0xcb2}]}]}]}}]}, 0xa4}}, 0x0) program did not crash testing program (duration=7m54.477476683s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): ioctl$ifreq_SIOCGIFINDEX_team-socket$netlink-sendmsg$nl_route_sched detailed listing: executing program 0: ioctl$ifreq_SIOCGIFINDEX_team(0xffffffffffffffff, 0x8933, &(0x7f0000000600)={'team0\x00', 0x0}) r1 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r1, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000400)=@newqdisc={0xa4, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x12, r0, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x74, 0x2, [@TCA_TAPRIO_ATTR_PRIOMAP={0x56, 0x1, {0x2, [], 0x0, [0x8, 0x4], [0x0, 0x8]}}, @TCA_TAPRIO_ATTR_SCHED_CLOCKID={0x8, 0x5, 0x7}, @TCA_TAPRIO_ATTR_SCHED_ENTRY_LIST={0x10, 0x2, 0x0, 0x1, [{0xc, 0x1, 0x0, 0x1, [@TCA_TAPRIO_SCHED_ENTRY_INTERVAL={0x8, 0x4, 0xcb2}]}]}]}}]}, 0xa4}}, 0x0) program did not crash testing program (duration=7m54.477476683s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket-ioctl$ifreq_SIOCGIFINDEX_team-socket$netlink-sendmsg$nl_route_sched detailed listing: executing program 0: r0 = socket(0x11, 0x800000003, 0x0) ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, 0x0) r1 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r1, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000400)=@newqdisc={0xa4, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x12, 0x0, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x74, 0x2, [@TCA_TAPRIO_ATTR_PRIOMAP={0x56, 0x1, {0x2, [], 0x0, [0x8, 0x4], [0x0, 0x8]}}, @TCA_TAPRIO_ATTR_SCHED_CLOCKID={0x8, 0x5, 0x7}, @TCA_TAPRIO_ATTR_SCHED_ENTRY_LIST={0x10, 0x2, 0x0, 0x1, [{0xc, 0x1, 0x0, 0x1, [@TCA_TAPRIO_SCHED_ENTRY_INTERVAL={0x8, 0x4, 0xcb2}]}]}]}}]}, 0xa4}}, 0x0) program did not crash testing program (duration=7m54.477476683s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket-ioctl$ifreq_SIOCGIFINDEX_team-socket$netlink-sendmsg$nl_route_sched detailed listing: executing program 0: r0 = socket(0x11, 0x800000003, 0x0) ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, &(0x7f0000000600)) r1 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r1, 0x0, 0x0) program did not crash testing program (duration=7m54.477476683s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket-ioctl$ifreq_SIOCGIFINDEX_team-socket$netlink-sendmsg$nl_route_sched detailed listing: executing program 0: r0 = socket(0x11, 0x800000003, 0x0) ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, &(0x7f0000000600)) r1 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r1, &(0x7f00000007c0)={0x0, 0x0, 0x0}, 0x0) program did not crash testing program (duration=7m54.477476683s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket-ioctl$ifreq_SIOCGIFINDEX_team-socket$netlink-sendmsg$nl_route_sched detailed listing: executing program 0: r0 = socket(0x11, 0x800000003, 0x0) ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, &(0x7f0000000600)) r1 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r1, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={0x0}}, 0x0) program did not crash testing program (duration=7m54.477476683s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket-ioctl$ifreq_SIOCGIFINDEX_team-socket$netlink-sendmsg$nl_route_sched detailed listing: executing program 0: r0 = socket(0x11, 0x800000003, 0x0) ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, &(0x7f0000000600)={'team0\x00', 0x0}) r2 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r2, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000400)=@newqdisc={0x34, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x12, r1, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x4}}]}, 0x34}}, 0x0) program did not crash extracting C reproducer testing compiled C program (duration=7m54.477476683s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket-ioctl$ifreq_SIOCGIFINDEX_team-socket$netlink-sendmsg$nl_route_sched program crashed: INFO: rcu detected stall in worker_thread a never seen crash title: INFO: rcu detected stall in worker_thread, ignore simplifying guilty program options testing program (duration=7m54.477476683s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket-ioctl$ifreq_SIOCGIFINDEX_team-socket$netlink-sendmsg$nl_route_sched detailed listing: executing program 0: r0 = socket(0x11, 0x800000003, 0x0) ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, &(0x7f0000000600)={'team0\x00', 0x0}) r2 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r2, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000400)=@newqdisc={0xa4, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x12, r1, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x74, 0x2, [@TCA_TAPRIO_ATTR_PRIOMAP={0x56, 0x1, {0x2, [], 0x0, [0x8, 0x4], [0x0, 0x8]}}, @TCA_TAPRIO_ATTR_SCHED_CLOCKID={0x8, 0x5, 0x7}, @TCA_TAPRIO_ATTR_SCHED_ENTRY_LIST={0x10, 0x2, 0x0, 0x1, [{0xc, 0x1, 0x0, 0x1, [@TCA_TAPRIO_SCHED_ENTRY_INTERVAL={0x8, 0x4, 0xcb2}]}]}]}}]}, 0xa4}}, 0x0) program crashed: no output from test machine a never seen crash title: no output from test machine, ignore testing program (duration=7m54.477476683s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket-ioctl$ifreq_SIOCGIFINDEX_team-socket$netlink-sendmsg$nl_route_sched detailed listing: executing program 0: r0 = socket(0x11, 0x800000003, 0x0) ioctl$ifreq_SIOCGIFINDEX_team(r0, 0x8933, &(0x7f0000000600)={'team0\x00', 0x0}) r2 = socket$netlink(0x10, 0x3, 0x0) sendmsg$nl_route_sched(r2, &(0x7f00000007c0)={0x0, 0x0, &(0x7f0000000780)={&(0x7f0000000400)=@newqdisc={0xa4, 0x24, 0xf0b, 0x0, 0x0, {0x0, 0x0, 0x12, r1, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_taprio={{0xb}, {0x74, 0x2, [@TCA_TAPRIO_ATTR_PRIOMAP={0x56, 0x1, {0x2, [], 0x0, [0x8, 0x4], [0x0, 0x8]}}, @TCA_TAPRIO_ATTR_SCHED_CLOCKID={0x8, 0x5, 0x7}, @TCA_TAPRIO_ATTR_SCHED_ENTRY_LIST={0x10, 0x2, 0x0, 0x1, [{0xc, 0x1, 0x0, 0x1, [@TCA_TAPRIO_SCHED_ENTRY_INTERVAL={0x8, 0x4, 0xcb2}]}]}]}}]}, 0xa4}}, 0x0) program crashed: INFO: task hung in linkwatch_event a never seen crash title: INFO: task hung in linkwatch_event, ignore reproducing took 1h37m59.30454241s repro crashed as (corrupted=false): INFO: task kworker/u8:1:12 blocked for more than 177 seconds. Not tainted 6.13.0-syzkaller-09690-g3f1baa91a1fd #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u8:1 state:D stack:22360 pid:12 tgid:12 ppid:2 task_flags:0x4208160 flags:0x00004000 Workqueue: ipv6_addrconf addrconf_dad_work Call Trace: context_switch kernel/sched/core.c:5377 [inline] __schedule+0x190e/0x4c90 kernel/sched/core.c:6764 __schedule_loop kernel/sched/core.c:6841 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6856 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913 __mutex_lock_common kernel/locking/mutex.c:662 [inline] __mutex_lock+0x817/0x1010 kernel/locking/mutex.c:730 rtnl_net_lock include/linux/rtnetlink.h:129 [inline] addrconf_dad_work+0x10e/0x16a0 net/ipv6/addrconf.c:4190 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317 worker_thread+0x870/0xd30 kernel/workqueue.c:3398 kthread+0x7a9/0x920 kernel/kthread.c:464 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 INFO: task kworker/u8:2:35 blocked for more than 177 seconds. Not tainted 6.13.0-syzkaller-09690-g3f1baa91a1fd #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u8:2 state:D stack:23600 pid:35 tgid:35 ppid:2 task_flags:0x4208060 flags:0x00004000 Workqueue: events_unbound linkwatch_event Call Trace: context_switch kernel/sched/core.c:5377 [inline] __schedule+0x190e/0x4c90 kernel/sched/core.c:6764 __schedule_loop kernel/sched/core.c:6841 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6856 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913 __mutex_lock_common kernel/locking/mutex.c:662 [inline] __mutex_lock+0x817/0x1010 kernel/locking/mutex.c:730 linkwatch_event+0xe/0x60 net/core/link_watch.c:285 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317 worker_thread+0x870/0xd30 kernel/workqueue.c:3398 kthread+0x7a9/0x920 kernel/kthread.c:464 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 INFO: task syz-executor:5957 blocked for more than 177 seconds. Not tainted 6.13.0-syzkaller-09690-g3f1baa91a1fd #0 Blocked by coredump. "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor state:D stack:20384 pid:5957 tgid:5957 ppid:1 task_flags:0x40054c flags:0x00004006 Call Trace: context_switch kernel/sched/core.c:5377 [inline] __schedule+0x190e/0x4c90 kernel/sched/core.c:6764 __schedule_loop kernel/sched/core.c:6841 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6856 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913 __mutex_lock_common kernel/locking/mutex.c:662 [inline] __mutex_lock+0x817/0x1010 kernel/locking/mutex.c:730 tun_detach drivers/net/tun.c:702 [inline] tun_chr_close+0x3b/0x1b0 drivers/net/tun.c:3521 __fput+0x3e9/0x9f0 fs/file_table.c:450 task_work_run+0x24f/0x310 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0xa2a/0x28e0 kernel/exit.c:938 do_group_exit+0x207/0x2c0 kernel/exit.c:1087 get_signal+0x16b2/0x1750 kernel/signal.c:3036 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0xce/0x340 kernel/entry/common.c:218 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f6b46d8ec3c RSP: 002b:00007ffdd2d56f90 EFLAGS: 00000293 ORIG_RAX: 000000000000002c RAX: 0000000000000028 RBX: 00007f6b47ad4620 RCX: 00007f6b46d8ec3c RDX: 0000000000000028 RSI: 00007f6b47ad4670 RDI: 0000000000000003 RBP: 0000000000000000 R08: 00007ffdd2d56fe4 R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003 R13: 0000000000000000 R14: 00007f6b47ad4670 R15: 0000000000000000 INFO: task syz-executor:5972 blocked for more than 178 seconds. Not tainted 6.13.0-syzkaller-09690-g3f1baa91a1fd #0 Blocked by coredump. "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor state:D stack:20000 pid:5972 tgid:5972 ppid:1 task_flags:0x40054c flags:0x00004006 Call Trace: context_switch kernel/sched/core.c:5377 [inline] __schedule+0x190e/0x4c90 kernel/sched/core.c:6764 __schedule_loop kernel/sched/core.c:6841 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6856 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913 __mutex_lock_common kernel/locking/mutex.c:662 [inline] __mutex_lock+0x817/0x1010 kernel/locking/mutex.c:730 tun_detach drivers/net/tun.c:702 [inline] tun_chr_close+0x3b/0x1b0 drivers/net/tun.c:3521 __fput+0x3e9/0x9f0 fs/file_table.c:450 task_work_run+0x24f/0x310 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0xa2a/0x28e0 kernel/exit.c:938 do_group_exit+0x207/0x2c0 kernel/exit.c:1087 get_signal+0x16b2/0x1750 kernel/signal.c:3036 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0xce/0x340 kernel/entry/common.c:218 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fba2ad8ec3c RSP: 002b:00007ffcb89c4610 EFLAGS: 00000293 ORIG_RAX: 000000000000002c RAX: 000000000000002c RBX: 00007fba2bad4620 RCX: 00007fba2ad8ec3c RDX: 000000000000002c RSI: 00007fba2bad4670 RDI: 0000000000000003 RBP: 0000000000000000 R08: 00007ffcb89c4664 R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003 R13: 0000000000000000 R14: 00007fba2bad4670 R15: 0000000000000000 INFO: task syz-executor:6049 blocked for more than 178 seconds. Not tainted 6.13.0-syzkaller-09690-g3f1baa91a1fd #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor state:D stack:22912 pid:6049 tgid:6049 ppid:6048 task_flags:0x400140 flags:0x00004000 Call Trace: context_switch kernel/sched/core.c:5377 [inline] __schedule+0x190e/0x4c90 kernel/sched/core.c:6764 __schedule_loop kernel/sched/core.c:6841 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6856 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913 __mutex_lock_common kernel/locking/mutex.c:662 [inline] __mutex_lock+0x817/0x1010 kernel/locking/mutex.c:730 register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3878 ops_init+0x31e/0x590 net/core/net_namespace.c:138 setup_net+0x287/0x9e0 net/core/net_namespace.c:362 copy_net_ns+0x33f/0x570 net/core/net_namespace.c:516 create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228 ksys_unshare+0x57d/0xa70 kernel/fork.c:3331 __do_sys_unshare kernel/fork.c:3402 [inline] __se_sys_unshare kernel/fork.c:3400 [inline] __x64_sys_unshare+0x38/0x40 kernel/fork.c:3400 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f887918e5a7 RSP: 002b:00007fff3b56b038 EFLAGS: 00000202 ORIG_RAX: 0000000000000110 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f887918e5a7 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000000 RBP: 00007fff3b56b0a0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff3b56b0a0 R13: 00007fff3b56b0a8 R14: 0000000000000009 R15: 0000000000000000 INFO: task syz-executor:6055 blocked for more than 178 seconds. Not tainted 6.13.0-syzkaller-09690-g3f1baa91a1fd #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor state:D stack:24864 pid:6055 tgid:6055 ppid:1 task_flags:0x400140 flags:0x00004004 Call Trace: context_switch kernel/sched/core.c:5377 [inline] __schedule+0x190e/0x4c90 kernel/sched/core.c:6764 __schedule_loop kernel/sched/core.c:6841 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6856 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913 __mutex_lock_common kernel/locking/mutex.c:662 [inline] __mutex_lock+0x817/0x1010 kernel/locking/mutex.c:730 register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3878 ops_init+0x31e/0x590 net/core/net_namespace.c:138 setup_net+0x287/0x9e0 net/core/net_namespace.c:362 copy_net_ns+0x33f/0x570 net/core/net_namespace.c:516 create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228 ksys_unshare+0x57d/0xa70 kernel/fork.c:3331 __do_sys_unshare kernel/fork.c:3402 [inline] __se_sys_unshare kernel/fork.c:3400 [inline] __x64_sys_unshare+0x38/0x40 kernel/fork.c:3400 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f3a4478e5a7 RSP: 002b:00007ffe0f705e08 EFLAGS: 00000206 ORIG_RAX: 0000000000000110 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3a4478e5a7 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000000 RBP: 00007ffe0f705e70 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000206 R12: 00007ffe0f705e70 R13: 00007ffe0f705e78 R14: 0000000000000009 R15: 0000000000000000 INFO: task syz-executor:6064 blocked for more than 205 seconds. Not tainted 6.13.0-syzkaller-09690-g3f1baa91a1fd #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor state:D stack:25368 pid:6064 tgid:6064 ppid:6061 task_flags:0x400140 flags:0x00004002 Call Trace: context_switch kernel/sched/core.c:5377 [inline] __schedule+0x190e/0x4c90 kernel/sched/core.c:6764 __schedule_loop kernel/sched/core.c:6841 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6856 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913 __mutex_lock_common kernel/locking/mutex.c:662 [inline] __mutex_lock+0x817/0x1010 kernel/locking/mutex.c:730 rtnl_net_lock include/linux/rtnetlink.h:129 [inline] inet_rtm_newaddr+0x47e/0x1bd0 net/ipv4/devinet.c:987 rtnetlink_rcv_msg+0x791/0xcf0 net/core/rtnetlink.c:6911 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1348 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1892 sock_sendmsg_nosec net/socket.c:713 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:728 __sys_sendto+0x363/0x4c0 net/socket.c:2182 __do_sys_sendto net/socket.c:2189 [inline] __se_sys_sendto net/socket.c:2185 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2185 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f620698ec3c RSP: 002b:00007ffeeae7c5d0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f62076d4620 RCX: 00007f620698ec3c RDX: 0000000000000028 RSI: 00007f62076d4670 RDI: 0000000000000003 RBP: 0000000000000000 R08: 00007ffeeae7c624 R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003 R13: 0000000000000000 R14: 00007f62076d4670 R15: 0000000000000000 INFO: task syz-executor:6065 blocked for more than 205 seconds. Not tainted 6.13.0-syzkaller-09690-g3f1baa91a1fd #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor state:D stack:25456 pid:6065 tgid:6065 ppid:6060 task_flags:0x400140 flags:0x00004002 Call Trace: context_switch kernel/sched/core.c:5377 [inline] __schedule+0x190e/0x4c90 kernel/sched/core.c:6764 __schedule_loop kernel/sched/core.c:6841 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6856 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913 __mutex_lock_common kernel/locking/mutex.c:662 [inline] __mutex_lock+0x817/0x1010 kernel/locking/mutex.c:730 rtnl_net_lock include/linux/rtnetlink.h:129 [inline] inet_rtm_newaddr+0x47e/0x1bd0 net/ipv4/devinet.c:987 rtnetlink_rcv_msg+0x791/0xcf0 net/core/rtnetlink.c:6911 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1348 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1892 sock_sendmsg_nosec net/socket.c:713 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:728 __sys_sendto+0x363/0x4c0 net/socket.c:2182 __do_sys_sendto net/socket.c:2189 [inline] __se_sys_sendto net/socket.c:2185 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2185 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb8b9d8ec3c RSP: 002b:00007ffe449435e0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007fb8baad4620 RCX: 00007fb8b9d8ec3c RDX: 0000000000000028 RSI: 00007fb8baad4670 RDI: 0000000000000003 RBP: 0000000000000000 R08: 00007ffe44943634 R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003 R13: 0000000000000000 R14: 00007fb8baad4670 R15: 0000000000000000 Showing all locks held in the system: 3 locks held by kworker/0:0/8: 3 locks held by kworker/u8:1/12: #0: ffff88814d3c5948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline] #0: ffff88814d3c5948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3317 #1: ffffc90000117c60 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline] #1: ffffc90000117c60 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3317 #2: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:129 [inline] #2: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: addrconf_dad_work+0x10e/0x16a0 net/ipv6/addrconf.c:4190 3 locks held by kworker/1:0/25: #0: ffff88801ac80d48 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline] #0: ffff88801ac80d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3317 #1: ffffc900001f7c60 ((work_completion)(&data->fib_event_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline] #1: ffffc900001f7c60 ((work_completion)(&data->fib_event_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3317 #2: ffff888078bca240 (&data->fib_lock){+.+.}-{4:4}, at: nsim_fib_event_work+0x2d1/0x4130 drivers/net/netdevsim/fib.c:1490 1 lock held by khungtaskd/30: #0: ffffffff8e938760 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline] #0: ffffffff8e938760 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline] #0: ffffffff8e938760 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x55/0x2a0 kernel/locking/lockdep.c:6746 3 locks held by kworker/u8:2/35: #0: ffff88801ac89148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline] #0: ffff88801ac89148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3317 #1: ffffc90000ab7c60 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline] #1: ffffc90000ab7c60 ((linkwatch_work).work){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3317 #2: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:285 5 locks held by kworker/u9:0/54: #0: ffff88807950d948 ((wq_completion)hci5){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline] #0: ffff88807950d948 ((wq_completion)hci5){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3317 #1: ffffc90000bf7c60 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline] #1: ffffc90000bf7c60 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3317 #2: ffff888021fbcd80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x1ec/0x400 net/bluetooth/hci_sync.c:331 #3: ffff888021fbc078 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x1e4/0x11f0 net/bluetooth/hci_sync.c:5569 #4: ffffffff8e93dc38 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock kernel/rcu/tree_exp.h:334 [inline] #4: ffffffff8e93dc38 (rcu_state.exp_mutex){+.+.}-{4:4}, at: synchronize_rcu_expedited+0x451/0x830 kernel/rcu/tree_exp.h:996 5 locks held by kworker/u8:9/3555: 4 locks held by kworker/u9:1/5147: #0: ffff88807d358948 ((wq_completion)hci7){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline] #0: ffff88807d358948 ((wq_completion)hci7){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3317 #1: ffffc9001024fc60 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline] #1: ffffc9001024fc60 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3317 #2: ffff888022f10d80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x1ec/0x400 net/bluetooth/hci_sync.c:331 #3: ffff888022f10078 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x1e4/0x11f0 net/bluetooth/hci_sync.c:5569 2 locks held by getty/5587: #0: ffff88803167f0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243 #1: ffffc90002fde2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x6a6/0x1e00 drivers/tty/n_tty.c:2211 3 locks held by kworker/1:3/5817: #0: ffff88801ac80d48 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline] #0: ffff88801ac80d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3317 #1: ffffc90003d9fc60 ((work_completion)(&data->fib_event_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline] #1: ffffc90003d9fc60 ((work_completion)(&data->fib_event_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3317 #2: ffff88802e0c6240 (&data->fib_lock){+.+.}-{4:4}, at: nsim_fib_event_work+0x2d1/0x4130 drivers/net/netdevsim/fib.c:1490 3 locks held by kworker/0:3/5948: #0: ffff88801ac81d48 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline] #0: ffff88801ac81d48 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3317 #1: ffffc9000421fc60 ((reg_check_chans).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline] #1: ffffc9000421fc60 ((reg_check_chans).work){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3317 #2: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: reg_check_chans_work+0x99/0xfb0 net/wireless/reg.c:2480 1 lock held by syz-executor/5957: #0: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: tun_detach drivers/net/tun.c:702 [inline] #0: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: tun_chr_close+0x3b/0x1b0 drivers/net/tun.c:3521 3 locks held by syz-executor/5958: 1 lock held by syz-executor/5960: #0: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: tun_detach drivers/net/tun.c:702 [inline] #0: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: tun_chr_close+0x3b/0x1b0 drivers/net/tun.c:3521 4 locks held by kworker/u9:3/5961: #0: ffff88807faa9148 ((wq_completion)hci9){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline] #0: ffff88807faa9148 ((wq_completion)hci9){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3317 #1: ffffc9000425fc60 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline] #1: ffffc9000425fc60 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3317 #2: ffff888024e80d80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x1ec/0x400 net/bluetooth/hci_sync.c:331 #3: ffff888024e80078 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x1e4/0x11f0 net/bluetooth/hci_sync.c:5569 4 locks held by kworker/u9:4/5964: #0: ffff88807faae948 ((wq_completion)hci8){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline] #0: ffff88807faae948 ((wq_completion)hci8){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3317 #1: ffffc9000428fc60 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline] #1: ffffc9000428fc60 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3317 #2: ffff88801cf98d80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x1ec/0x400 net/bluetooth/hci_sync.c:331 #3: ffff88801cf98078 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x1e4/0x11f0 net/bluetooth/hci_sync.c:5569 4 locks held by kworker/u9:6/5967: #0: ffff888029075948 ((wq_completion)hci6){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline] #0: ffff888029075948 ((wq_completion)hci6){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3317 #1: ffffc9000434fc60 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline] #1: ffffc9000434fc60 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3317 #2: ffff888020b3cd80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x1ec/0x400 net/bluetooth/hci_sync.c:331 #3: ffff888020b3c078 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x1e4/0x11f0 net/bluetooth/hci_sync.c:5569 1 lock held by syz-executor/5972: #0: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: tun_detach drivers/net/tun.c:702 [inline] #0: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: tun_chr_close+0x3b/0x1b0 drivers/net/tun.c:3521 3 locks held by kworker/1:4/6021: #0: ffff88801ac80d48 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline] #0: ffff88801ac80d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3317 #1: ffffc90003587c60 ((work_completion)(&data->fib_event_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline] #1: ffffc90003587c60 ((work_completion)(&data->fib_event_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3317 #2: ffff888034e42240 (&data->fib_lock){+.+.}-{4:4}, at: nsim_fib_event_work+0x2d1/0x4130 drivers/net/netdevsim/fib.c:1490 1 lock held by syz.2.23/6045: #0: ffffffff8e93db00 (rcu_state.barrier_mutex){+.+.}-{4:4}, at: rcu_barrier+0x4c/0x530 kernel/rcu/tree.c:3741 2 locks held by syz-executor/6049: #0: ffffffff8fcb2b10 (pernet_ops_rwsem){++++}-{4:4}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:512 #1: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3878 3 locks held by kworker/1:5/6050: #0: ffff88801ac80d48 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline] #0: ffff88801ac80d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3317 #1: ffffc90003f4fc60 (deferred_process_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline] #1: ffffc90003f4fc60 (deferred_process_work){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3317 #2: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: switchdev_deferred_process_work+0xe/0x20 net/switchdev/switchdev.c:104 2 locks held by syz-executor/6055: #0: ffffffff8fcb2b10 (pernet_ops_rwsem){++++}-{4:4}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:512 #1: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3878 1 lock held by syz-executor/6062: #0: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:129 [inline] #0: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: inet_rtm_newaddr+0x47e/0x1bd0 net/ipv4/devinet.c:987 1 lock held by syz-executor/6064: #0: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:129 [inline] #0: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: inet_rtm_newaddr+0x47e/0x1bd0 net/ipv4/devinet.c:987 1 lock held by syz-executor/6065: #0: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:129 [inline] #0: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: inet_rtm_newaddr+0x47e/0x1bd0 net/ipv4/devinet.c:987 1 lock held by dhcpcd/6077: 1 lock held by dhcpcd/6078: 1 lock held by dhcpcd/6079: 1 lock held by dhcpcd/6080: 1 lock held by dhcpcd/6081: 1 lock held by dhcpcd/6082: 2 locks held by syz-executor/6084: ============================================= NMI backtrace for cpu 0 CPU: 0 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.13.0-syzkaller-09690-g3f1baa91a1fd #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 nmi_cpu_backtrace+0x49c/0x4d0 lib/nmi_backtrace.c:113 nmi_trigger_cpumask_backtrace+0x198/0x320 lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:236 [inline] watchdog+0x1058/0x10a0 kernel/hung_task.c:399 kthread+0x7a9/0x920 kernel/kthread.c:464 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 UID: 0 PID: 6084 Comm: syz-executor Not tainted 6.13.0-syzkaller-09690-g3f1baa91a1fd #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 RIP: 0010:rb_add_cached include/linux/rbtree.h:172 [inline] RIP: 0010:timerqueue_add+0x59/0x290 lib/timerqueue.c:40 Code: 7c 1d 00 00 74 08 4c 89 ff e8 c3 cf 34 f6 49 8b 1f 48 89 df 4c 89 fe e8 15 3d ce f5 4c 39 fb 0f 85 21 02 00 00 e8 a7 3a ce f5 <4c> 89 e3 48 c1 eb 03 48 b8 00 00 00 00 00 fc ff df 80 3c 03 00 74 RSP: 0000:ffffc90000a18cd8 EFLAGS: 00000006 RAX: ffffffff8bf131e9 RBX: ffff8880222b2340 RCX: ffff88802636da00 RDX: 0000000000010000 RSI: ffff8880222b2340 RDI: ffff8880222b2340 RBP: 1ffff11004456468 R08: ffffffff8bf131db R09: 1ffffffff203680e R10: dffffc0000000000 R11: fffffbfff203680f R12: ffff8880b872c6d0 R13: dffffc0000000000 R14: ffff8880222b2340 R15: ffff8880222b2340 FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fdb4dcef000 CR3: 00000000212a2000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __run_hrtimer kernel/time/hrtimer.c:1755 [inline] __hrtimer_run_queues+0x6cb/0xd30 kernel/time/hrtimer.c:1802 hrtimer_interrupt+0x403/0xa40 kernel/time/hrtimer.c:1864 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1038 [inline] __sysvec_apic_timer_interrupt+0x110/0x420 arch/x86/kernel/apic/apic.c:1055 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0xa1/0xc0 arch/x86/kernel/apic/apic.c:1049 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0010:__pte_offset_map_lock+0x78/0x300 mm/pgtable-generic.c:393 Code: 40 b3 8a b5 41 48 c7 44 24 48 03 81 0a 8e 48 c7 44 24 50 f0 53 12 82 4c 8d 64 24 40 49 c1 ec 03 48 b8 f1 f1 f1 f1 00 f2 f2 f2 <49> 89 04 1c 66 41 c7 44 1c 09 f3 f3 41 c6 44 1c 0b f3 e8 11 18 ad RSP: 0000:ffffc900033c7760 EFLAGS: 00000a02 RAX: f2f2f200f1f1f1f1 RBX: dffffc0000000000 RCX: ffffc900033c7dc0 RDX: 00007fdb4dcef000 RSI: ffff888031f9a370 RDI: ffff88806c9eda00 RBP: ffffc900033c7850 R08: ffffffff820d0841 R09: 1ffffd40003a0bf8 R10: dffffc0000000000 R11: fffff940003a0bf9 R12: 1ffff92000678ef4 R13: ffff888031f9a370 R14: 00007fdb4dcef000 R15: ffffc900033c77e0 pte_offset_map_lock include/linux/mm.h:3047 [inline] finish_fault+0x707/0x11d0 mm/memory.c:5239 do_cow_fault mm/memory.c:5434 [inline] do_fault mm/memory.c:5528 [inline] do_pte_missing mm/memory.c:4047 [inline] handle_pte_fault mm/memory.c:5889 [inline] __handle_mm_fault+0x47db/0x70f0 mm/memory.c:6032 handle_mm_fault+0x3e5/0x8d0 mm/memory.c:6201 do_user_addr_fault arch/x86/mm/fault.c:1338 [inline] handle_page_fault arch/x86/mm/fault.c:1481 [inline] exc_page_fault+0x459/0x8b0 arch/x86/mm/fault.c:1539 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 RIP: 0033:0x7fdb4dba4fc4 Code: 66 0f 1f 44 00 00 48 8b 38 8b 50 08 4c 01 ff 48 83 fa 26 74 0a 48 83 fa 08 0f 85 1b 0a 00 00 48 8b 50 10 48 83 c0 18 4c 01 fa <48> 89 17 48 39 d8 72 d4 4c 8b b1 e8 01 00 00 49 01 f0 4d 85 f6 0f RSP: 002b:00007ffc5c192f80 EFLAGS: 00010202 RAX: 00007fdb4da13728 RBX: 00007fdb4da47088 RCX: 00007fdb4dd7d700 RDX: 00007fdb4dbf96a8 RSI: 00007fdb4da003c0 RDI: 00007fdb4dcef000 RBP: 00007fdb4dd7d700 R08: 00000000000470b8 R09: 00007fdb4da47478 R10: 0000000070000025 R11: 00007fdb4da003a0 R12: 00007ffc5c192fc0 R13: 00007ffc5c193148 R14: 00007ffc5c1930e0 R15: 00007fdb4da00000 final repro crashed as (corrupted=false): INFO: task kworker/u8:1:12 blocked for more than 177 seconds. Not tainted 6.13.0-syzkaller-09690-g3f1baa91a1fd #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u8:1 state:D stack:22360 pid:12 tgid:12 ppid:2 task_flags:0x4208160 flags:0x00004000 Workqueue: ipv6_addrconf addrconf_dad_work Call Trace: context_switch kernel/sched/core.c:5377 [inline] __schedule+0x190e/0x4c90 kernel/sched/core.c:6764 __schedule_loop kernel/sched/core.c:6841 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6856 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913 __mutex_lock_common kernel/locking/mutex.c:662 [inline] __mutex_lock+0x817/0x1010 kernel/locking/mutex.c:730 rtnl_net_lock include/linux/rtnetlink.h:129 [inline] addrconf_dad_work+0x10e/0x16a0 net/ipv6/addrconf.c:4190 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317 worker_thread+0x870/0xd30 kernel/workqueue.c:3398 kthread+0x7a9/0x920 kernel/kthread.c:464 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 INFO: task kworker/u8:2:35 blocked for more than 177 seconds. Not tainted 6.13.0-syzkaller-09690-g3f1baa91a1fd #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/u8:2 state:D stack:23600 pid:35 tgid:35 ppid:2 task_flags:0x4208060 flags:0x00004000 Workqueue: events_unbound linkwatch_event Call Trace: context_switch kernel/sched/core.c:5377 [inline] __schedule+0x190e/0x4c90 kernel/sched/core.c:6764 __schedule_loop kernel/sched/core.c:6841 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6856 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913 __mutex_lock_common kernel/locking/mutex.c:662 [inline] __mutex_lock+0x817/0x1010 kernel/locking/mutex.c:730 linkwatch_event+0xe/0x60 net/core/link_watch.c:285 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xa66/0x1840 kernel/workqueue.c:3317 worker_thread+0x870/0xd30 kernel/workqueue.c:3398 kthread+0x7a9/0x920 kernel/kthread.c:464 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 INFO: task syz-executor:5957 blocked for more than 177 seconds. Not tainted 6.13.0-syzkaller-09690-g3f1baa91a1fd #0 Blocked by coredump. "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor state:D stack:20384 pid:5957 tgid:5957 ppid:1 task_flags:0x40054c flags:0x00004006 Call Trace: context_switch kernel/sched/core.c:5377 [inline] __schedule+0x190e/0x4c90 kernel/sched/core.c:6764 __schedule_loop kernel/sched/core.c:6841 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6856 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913 __mutex_lock_common kernel/locking/mutex.c:662 [inline] __mutex_lock+0x817/0x1010 kernel/locking/mutex.c:730 tun_detach drivers/net/tun.c:702 [inline] tun_chr_close+0x3b/0x1b0 drivers/net/tun.c:3521 __fput+0x3e9/0x9f0 fs/file_table.c:450 task_work_run+0x24f/0x310 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0xa2a/0x28e0 kernel/exit.c:938 do_group_exit+0x207/0x2c0 kernel/exit.c:1087 get_signal+0x16b2/0x1750 kernel/signal.c:3036 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0xce/0x340 kernel/entry/common.c:218 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f6b46d8ec3c RSP: 002b:00007ffdd2d56f90 EFLAGS: 00000293 ORIG_RAX: 000000000000002c RAX: 0000000000000028 RBX: 00007f6b47ad4620 RCX: 00007f6b46d8ec3c RDX: 0000000000000028 RSI: 00007f6b47ad4670 RDI: 0000000000000003 RBP: 0000000000000000 R08: 00007ffdd2d56fe4 R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003 R13: 0000000000000000 R14: 00007f6b47ad4670 R15: 0000000000000000 INFO: task syz-executor:5972 blocked for more than 178 seconds. Not tainted 6.13.0-syzkaller-09690-g3f1baa91a1fd #0 Blocked by coredump. "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor state:D stack:20000 pid:5972 tgid:5972 ppid:1 task_flags:0x40054c flags:0x00004006 Call Trace: context_switch kernel/sched/core.c:5377 [inline] __schedule+0x190e/0x4c90 kernel/sched/core.c:6764 __schedule_loop kernel/sched/core.c:6841 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6856 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913 __mutex_lock_common kernel/locking/mutex.c:662 [inline] __mutex_lock+0x817/0x1010 kernel/locking/mutex.c:730 tun_detach drivers/net/tun.c:702 [inline] tun_chr_close+0x3b/0x1b0 drivers/net/tun.c:3521 __fput+0x3e9/0x9f0 fs/file_table.c:450 task_work_run+0x24f/0x310 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0xa2a/0x28e0 kernel/exit.c:938 do_group_exit+0x207/0x2c0 kernel/exit.c:1087 get_signal+0x16b2/0x1750 kernel/signal.c:3036 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0xce/0x340 kernel/entry/common.c:218 do_syscall_64+0x100/0x230 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fba2ad8ec3c RSP: 002b:00007ffcb89c4610 EFLAGS: 00000293 ORIG_RAX: 000000000000002c RAX: 000000000000002c RBX: 00007fba2bad4620 RCX: 00007fba2ad8ec3c RDX: 000000000000002c RSI: 00007fba2bad4670 RDI: 0000000000000003 RBP: 0000000000000000 R08: 00007ffcb89c4664 R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003 R13: 0000000000000000 R14: 00007fba2bad4670 R15: 0000000000000000 INFO: task syz-executor:6049 blocked for more than 178 seconds. Not tainted 6.13.0-syzkaller-09690-g3f1baa91a1fd #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor state:D stack:22912 pid:6049 tgid:6049 ppid:6048 task_flags:0x400140 flags:0x00004000 Call Trace: context_switch kernel/sched/core.c:5377 [inline] __schedule+0x190e/0x4c90 kernel/sched/core.c:6764 __schedule_loop kernel/sched/core.c:6841 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6856 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913 __mutex_lock_common kernel/locking/mutex.c:662 [inline] __mutex_lock+0x817/0x1010 kernel/locking/mutex.c:730 register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3878 ops_init+0x31e/0x590 net/core/net_namespace.c:138 setup_net+0x287/0x9e0 net/core/net_namespace.c:362 copy_net_ns+0x33f/0x570 net/core/net_namespace.c:516 create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228 ksys_unshare+0x57d/0xa70 kernel/fork.c:3331 __do_sys_unshare kernel/fork.c:3402 [inline] __se_sys_unshare kernel/fork.c:3400 [inline] __x64_sys_unshare+0x38/0x40 kernel/fork.c:3400 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f887918e5a7 RSP: 002b:00007fff3b56b038 EFLAGS: 00000202 ORIG_RAX: 0000000000000110 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f887918e5a7 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000000 RBP: 00007fff3b56b0a0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff3b56b0a0 R13: 00007fff3b56b0a8 R14: 0000000000000009 R15: 0000000000000000 INFO: task syz-executor:6055 blocked for more than 178 seconds. Not tainted 6.13.0-syzkaller-09690-g3f1baa91a1fd #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor state:D stack:24864 pid:6055 tgid:6055 ppid:1 task_flags:0x400140 flags:0x00004004 Call Trace: context_switch kernel/sched/core.c:5377 [inline] __schedule+0x190e/0x4c90 kernel/sched/core.c:6764 __schedule_loop kernel/sched/core.c:6841 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6856 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913 __mutex_lock_common kernel/locking/mutex.c:662 [inline] __mutex_lock+0x817/0x1010 kernel/locking/mutex.c:730 register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3878 ops_init+0x31e/0x590 net/core/net_namespace.c:138 setup_net+0x287/0x9e0 net/core/net_namespace.c:362 copy_net_ns+0x33f/0x570 net/core/net_namespace.c:516 create_new_namespaces+0x425/0x7b0 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0x124/0x180 kernel/nsproxy.c:228 ksys_unshare+0x57d/0xa70 kernel/fork.c:3331 __do_sys_unshare kernel/fork.c:3402 [inline] __se_sys_unshare kernel/fork.c:3400 [inline] __x64_sys_unshare+0x38/0x40 kernel/fork.c:3400 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f3a4478e5a7 RSP: 002b:00007ffe0f705e08 EFLAGS: 00000206 ORIG_RAX: 0000000000000110 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3a4478e5a7 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000040000000 RBP: 00007ffe0f705e70 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000206 R12: 00007ffe0f705e70 R13: 00007ffe0f705e78 R14: 0000000000000009 R15: 0000000000000000 INFO: task syz-executor:6064 blocked for more than 205 seconds. Not tainted 6.13.0-syzkaller-09690-g3f1baa91a1fd #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor state:D stack:25368 pid:6064 tgid:6064 ppid:6061 task_flags:0x400140 flags:0x00004002 Call Trace: context_switch kernel/sched/core.c:5377 [inline] __schedule+0x190e/0x4c90 kernel/sched/core.c:6764 __schedule_loop kernel/sched/core.c:6841 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6856 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913 __mutex_lock_common kernel/locking/mutex.c:662 [inline] __mutex_lock+0x817/0x1010 kernel/locking/mutex.c:730 rtnl_net_lock include/linux/rtnetlink.h:129 [inline] inet_rtm_newaddr+0x47e/0x1bd0 net/ipv4/devinet.c:987 rtnetlink_rcv_msg+0x791/0xcf0 net/core/rtnetlink.c:6911 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1348 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1892 sock_sendmsg_nosec net/socket.c:713 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:728 __sys_sendto+0x363/0x4c0 net/socket.c:2182 __do_sys_sendto net/socket.c:2189 [inline] __se_sys_sendto net/socket.c:2185 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2185 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f620698ec3c RSP: 002b:00007ffeeae7c5d0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f62076d4620 RCX: 00007f620698ec3c RDX: 0000000000000028 RSI: 00007f62076d4670 RDI: 0000000000000003 RBP: 0000000000000000 R08: 00007ffeeae7c624 R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003 R13: 0000000000000000 R14: 00007f62076d4670 R15: 0000000000000000 INFO: task syz-executor:6065 blocked for more than 205 seconds. Not tainted 6.13.0-syzkaller-09690-g3f1baa91a1fd #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor state:D stack:25456 pid:6065 tgid:6065 ppid:6060 task_flags:0x400140 flags:0x00004002 Call Trace: context_switch kernel/sched/core.c:5377 [inline] __schedule+0x190e/0x4c90 kernel/sched/core.c:6764 __schedule_loop kernel/sched/core.c:6841 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6856 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6913 __mutex_lock_common kernel/locking/mutex.c:662 [inline] __mutex_lock+0x817/0x1010 kernel/locking/mutex.c:730 rtnl_net_lock include/linux/rtnetlink.h:129 [inline] inet_rtm_newaddr+0x47e/0x1bd0 net/ipv4/devinet.c:987 rtnetlink_rcv_msg+0x791/0xcf0 net/core/rtnetlink.c:6911 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1348 netlink_sendmsg+0x8e4/0xcb0 net/netlink/af_netlink.c:1892 sock_sendmsg_nosec net/socket.c:713 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:728 __sys_sendto+0x363/0x4c0 net/socket.c:2182 __do_sys_sendto net/socket.c:2189 [inline] __se_sys_sendto net/socket.c:2185 [inline] __x64_sys_sendto+0xde/0x100 net/socket.c:2185 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb8b9d8ec3c RSP: 002b:00007ffe449435e0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007fb8baad4620 RCX: 00007fb8b9d8ec3c RDX: 0000000000000028 RSI: 00007fb8baad4670 RDI: 0000000000000003 RBP: 0000000000000000 R08: 00007ffe44943634 R09: 000000000000000c R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003 R13: 0000000000000000 R14: 00007fb8baad4670 R15: 0000000000000000 Showing all locks held in the system: 3 locks held by kworker/0:0/8: 3 locks held by kworker/u8:1/12: #0: ffff88814d3c5948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline] #0: ffff88814d3c5948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3317 #1: ffffc90000117c60 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline] #1: ffffc90000117c60 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3317 #2: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:129 [inline] #2: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: addrconf_dad_work+0x10e/0x16a0 net/ipv6/addrconf.c:4190 3 locks held by kworker/1:0/25: #0: ffff88801ac80d48 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline] #0: ffff88801ac80d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3317 #1: ffffc900001f7c60 ((work_completion)(&data->fib_event_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline] #1: ffffc900001f7c60 ((work_completion)(&data->fib_event_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3317 #2: ffff888078bca240 (&data->fib_lock){+.+.}-{4:4}, at: nsim_fib_event_work+0x2d1/0x4130 drivers/net/netdevsim/fib.c:1490 1 lock held by khungtaskd/30: #0: ffffffff8e938760 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline] #0: ffffffff8e938760 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline] #0: ffffffff8e938760 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x55/0x2a0 kernel/locking/lockdep.c:6746 3 locks held by kworker/u8:2/35: #0: ffff88801ac89148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline] #0: ffff88801ac89148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3317 #1: ffffc90000ab7c60 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline] #1: ffffc90000ab7c60 ((linkwatch_work).work){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3317 #2: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:285 5 locks held by kworker/u9:0/54: #0: ffff88807950d948 ((wq_completion)hci5){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline] #0: ffff88807950d948 ((wq_completion)hci5){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3317 #1: ffffc90000bf7c60 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline] #1: ffffc90000bf7c60 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3317 #2: ffff888021fbcd80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x1ec/0x400 net/bluetooth/hci_sync.c:331 #3: ffff888021fbc078 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x1e4/0x11f0 net/bluetooth/hci_sync.c:5569 #4: ffffffff8e93dc38 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock kernel/rcu/tree_exp.h:334 [inline] #4: ffffffff8e93dc38 (rcu_state.exp_mutex){+.+.}-{4:4}, at: synchronize_rcu_expedited+0x451/0x830 kernel/rcu/tree_exp.h:996 5 locks held by kworker/u8:9/3555: 4 locks held by kworker/u9:1/5147: #0: ffff88807d358948 ((wq_completion)hci7){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline] #0: ffff88807d358948 ((wq_completion)hci7){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3317 #1: ffffc9001024fc60 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline] #1: ffffc9001024fc60 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3317 #2: ffff888022f10d80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x1ec/0x400 net/bluetooth/hci_sync.c:331 #3: ffff888022f10078 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x1e4/0x11f0 net/bluetooth/hci_sync.c:5569 2 locks held by getty/5587: #0: ffff88803167f0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243 #1: ffffc90002fde2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x6a6/0x1e00 drivers/tty/n_tty.c:2211 3 locks held by kworker/1:3/5817: #0: ffff88801ac80d48 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline] #0: ffff88801ac80d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3317 #1: ffffc90003d9fc60 ((work_completion)(&data->fib_event_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline] #1: ffffc90003d9fc60 ((work_completion)(&data->fib_event_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3317 #2: ffff88802e0c6240 (&data->fib_lock){+.+.}-{4:4}, at: nsim_fib_event_work+0x2d1/0x4130 drivers/net/netdevsim/fib.c:1490 3 locks held by kworker/0:3/5948: #0: ffff88801ac81d48 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline] #0: ffff88801ac81d48 ((wq_completion)events_power_efficient){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3317 #1: ffffc9000421fc60 ((reg_check_chans).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline] #1: ffffc9000421fc60 ((reg_check_chans).work){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3317 #2: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: reg_check_chans_work+0x99/0xfb0 net/wireless/reg.c:2480 1 lock held by syz-executor/5957: #0: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: tun_detach drivers/net/tun.c:702 [inline] #0: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: tun_chr_close+0x3b/0x1b0 drivers/net/tun.c:3521 3 locks held by syz-executor/5958: 1 lock held by syz-executor/5960: #0: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: tun_detach drivers/net/tun.c:702 [inline] #0: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: tun_chr_close+0x3b/0x1b0 drivers/net/tun.c:3521 4 locks held by kworker/u9:3/5961: #0: ffff88807faa9148 ((wq_completion)hci9){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline] #0: ffff88807faa9148 ((wq_completion)hci9){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3317 #1: ffffc9000425fc60 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline] #1: ffffc9000425fc60 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3317 #2: ffff888024e80d80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x1ec/0x400 net/bluetooth/hci_sync.c:331 #3: ffff888024e80078 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x1e4/0x11f0 net/bluetooth/hci_sync.c:5569 4 locks held by kworker/u9:4/5964: #0: ffff88807faae948 ((wq_completion)hci8){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline] #0: ffff88807faae948 ((wq_completion)hci8){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3317 #1: ffffc9000428fc60 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline] #1: ffffc9000428fc60 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3317 #2: ffff88801cf98d80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x1ec/0x400 net/bluetooth/hci_sync.c:331 #3: ffff88801cf98078 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x1e4/0x11f0 net/bluetooth/hci_sync.c:5569 4 locks held by kworker/u9:6/5967: #0: ffff888029075948 ((wq_completion)hci6){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline] #0: ffff888029075948 ((wq_completion)hci6){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3317 #1: ffffc9000434fc60 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline] #1: ffffc9000434fc60 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3317 #2: ffff888020b3cd80 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x1ec/0x400 net/bluetooth/hci_sync.c:331 #3: ffff888020b3c078 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x1e4/0x11f0 net/bluetooth/hci_sync.c:5569 1 lock held by syz-executor/5972: #0: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: tun_detach drivers/net/tun.c:702 [inline] #0: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: tun_chr_close+0x3b/0x1b0 drivers/net/tun.c:3521 3 locks held by kworker/1:4/6021: #0: ffff88801ac80d48 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline] #0: ffff88801ac80d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3317 #1: ffffc90003587c60 ((work_completion)(&data->fib_event_work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline] #1: ffffc90003587c60 ((work_completion)(&data->fib_event_work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3317 #2: ffff888034e42240 (&data->fib_lock){+.+.}-{4:4}, at: nsim_fib_event_work+0x2d1/0x4130 drivers/net/netdevsim/fib.c:1490 1 lock held by syz.2.23/6045: #0: ffffffff8e93db00 (rcu_state.barrier_mutex){+.+.}-{4:4}, at: rcu_barrier+0x4c/0x530 kernel/rcu/tree.c:3741 2 locks held by syz-executor/6049: #0: ffffffff8fcb2b10 (pernet_ops_rwsem){++++}-{4:4}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:512 #1: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3878 3 locks held by kworker/1:5/6050: #0: ffff88801ac80d48 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3211 [inline] #0: ffff88801ac80d48 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3317 #1: ffffc90003f4fc60 (deferred_process_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3212 [inline] #1: ffffc90003f4fc60 (deferred_process_work){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3317 #2: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: switchdev_deferred_process_work+0xe/0x20 net/switchdev/switchdev.c:104 2 locks held by syz-executor/6055: #0: ffffffff8fcb2b10 (pernet_ops_rwsem){++++}-{4:4}, at: copy_net_ns+0x328/0x570 net/core/net_namespace.c:512 #1: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: register_nexthop_notifier+0x84/0x290 net/ipv4/nexthop.c:3878 1 lock held by syz-executor/6062: #0: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:129 [inline] #0: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: inet_rtm_newaddr+0x47e/0x1bd0 net/ipv4/devinet.c:987 1 lock held by syz-executor/6064: #0: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:129 [inline] #0: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: inet_rtm_newaddr+0x47e/0x1bd0 net/ipv4/devinet.c:987 1 lock held by syz-executor/6065: #0: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:129 [inline] #0: ffffffff8fcbf088 (rtnl_mutex){+.+.}-{4:4}, at: inet_rtm_newaddr+0x47e/0x1bd0 net/ipv4/devinet.c:987 1 lock held by dhcpcd/6077: 1 lock held by dhcpcd/6078: 1 lock held by dhcpcd/6079: 1 lock held by dhcpcd/6080: 1 lock held by dhcpcd/6081: 1 lock held by dhcpcd/6082: 2 locks held by syz-executor/6084: ============================================= NMI backtrace for cpu 0 CPU: 0 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.13.0-syzkaller-09690-g3f1baa91a1fd #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 nmi_cpu_backtrace+0x49c/0x4d0 lib/nmi_backtrace.c:113 nmi_trigger_cpumask_backtrace+0x198/0x320 lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:236 [inline] watchdog+0x1058/0x10a0 kernel/hung_task.c:399 kthread+0x7a9/0x920 kernel/kthread.c:464 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 UID: 0 PID: 6084 Comm: syz-executor Not tainted 6.13.0-syzkaller-09690-g3f1baa91a1fd #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 RIP: 0010:rb_add_cached include/linux/rbtree.h:172 [inline] RIP: 0010:timerqueue_add+0x59/0x290 lib/timerqueue.c:40 Code: 7c 1d 00 00 74 08 4c 89 ff e8 c3 cf 34 f6 49 8b 1f 48 89 df 4c 89 fe e8 15 3d ce f5 4c 39 fb 0f 85 21 02 00 00 e8 a7 3a ce f5 <4c> 89 e3 48 c1 eb 03 48 b8 00 00 00 00 00 fc ff df 80 3c 03 00 74 RSP: 0000:ffffc90000a18cd8 EFLAGS: 00000006 RAX: ffffffff8bf131e9 RBX: ffff8880222b2340 RCX: ffff88802636da00 RDX: 0000000000010000 RSI: ffff8880222b2340 RDI: ffff8880222b2340 RBP: 1ffff11004456468 R08: ffffffff8bf131db R09: 1ffffffff203680e R10: dffffc0000000000 R11: fffffbfff203680f R12: ffff8880b872c6d0 R13: dffffc0000000000 R14: ffff8880222b2340 R15: ffff8880222b2340 FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fdb4dcef000 CR3: 00000000212a2000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __run_hrtimer kernel/time/hrtimer.c:1755 [inline] __hrtimer_run_queues+0x6cb/0xd30 kernel/time/hrtimer.c:1802 hrtimer_interrupt+0x403/0xa40 kernel/time/hrtimer.c:1864 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1038 [inline] __sysvec_apic_timer_interrupt+0x110/0x420 arch/x86/kernel/apic/apic.c:1055 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline] sysvec_apic_timer_interrupt+0xa1/0xc0 arch/x86/kernel/apic/apic.c:1049 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0010:__pte_offset_map_lock+0x78/0x300 mm/pgtable-generic.c:393 Code: 40 b3 8a b5 41 48 c7 44 24 48 03 81 0a 8e 48 c7 44 24 50 f0 53 12 82 4c 8d 64 24 40 49 c1 ec 03 48 b8 f1 f1 f1 f1 00 f2 f2 f2 <49> 89 04 1c 66 41 c7 44 1c 09 f3 f3 41 c6 44 1c 0b f3 e8 11 18 ad RSP: 0000:ffffc900033c7760 EFLAGS: 00000a02 RAX: f2f2f200f1f1f1f1 RBX: dffffc0000000000 RCX: ffffc900033c7dc0 RDX: 00007fdb4dcef000 RSI: ffff888031f9a370 RDI: ffff88806c9eda00 RBP: ffffc900033c7850 R08: ffffffff820d0841 R09: 1ffffd40003a0bf8 R10: dffffc0000000000 R11: fffff940003a0bf9 R12: 1ffff92000678ef4 R13: ffff888031f9a370 R14: 00007fdb4dcef000 R15: ffffc900033c77e0 pte_offset_map_lock include/linux/mm.h:3047 [inline] finish_fault+0x707/0x11d0 mm/memory.c:5239 do_cow_fault mm/memory.c:5434 [inline] do_fault mm/memory.c:5528 [inline] do_pte_missing mm/memory.c:4047 [inline] handle_pte_fault mm/memory.c:5889 [inline] __handle_mm_fault+0x47db/0x70f0 mm/memory.c:6032 handle_mm_fault+0x3e5/0x8d0 mm/memory.c:6201 do_user_addr_fault arch/x86/mm/fault.c:1338 [inline] handle_page_fault arch/x86/mm/fault.c:1481 [inline] exc_page_fault+0x459/0x8b0 arch/x86/mm/fault.c:1539 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623 RIP: 0033:0x7fdb4dba4fc4 Code: 66 0f 1f 44 00 00 48 8b 38 8b 50 08 4c 01 ff 48 83 fa 26 74 0a 48 83 fa 08 0f 85 1b 0a 00 00 48 8b 50 10 48 83 c0 18 4c 01 fa <48> 89 17 48 39 d8 72 d4 4c 8b b1 e8 01 00 00 49 01 f0 4d 85 f6 0f RSP: 002b:00007ffc5c192f80 EFLAGS: 00010202 RAX: 00007fdb4da13728 RBX: 00007fdb4da47088 RCX: 00007fdb4dd7d700 RDX: 00007fdb4dbf96a8 RSI: 00007fdb4da003c0 RDI: 00007fdb4dcef000 RBP: 00007fdb4dd7d700 R08: 00000000000470b8 R09: 00007fdb4da47478 R10: 0000000070000025 R11: 00007fdb4da003a0 R12: 00007ffc5c192fc0 R13: 00007ffc5c193148 R14: 00007ffc5c1930e0 R15: 00007fdb4da00000