ci2 starts bisection 2023-07-07 01:30:25.701162893 +0000 UTC m=+141.563030160
bisecting cause commit starting from 879959450ec776f8dde010ed124876a4fe0bbb69
building syzkaller on 1a2f6297df2e11f3ef37e97803568cb1b9ef875b
ensuring issue is reproducible on original commit 879959450ec776f8dde010ed124876a4fe0bbb69
testing commit 879959450ec776f8dde010ed124876a4fe0bbb69 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: f2d3fd8bd3e178eef884ef311007f5dde80343216cac88952a33fe9c90def0a8
run #0: basic kernel testing failed: failed to copy binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/tmp/syz-executor933523931" "root@10.128.15.195:./syz-executor933523931"]: exit status 1
Executing: program /usr/bin/ssh host 10.128.15.195, user root, command scp -v -t ./syz-executor933523931
OpenSSH_8.4p1 Debian-5+deb11u1, OpenSSL 1.1.1n 15 Mar 2022
debug1: Reading configuration data /dev/null
debug1: Connecting to 10.128.15.195 [10.128.15.195] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1
Connection timed out during banner exchange
Connection to 10.128.15.195 port 22 timed out
lost connection
run #1: crashed: BUG: soft lockup in tc_modify_qdisc
run #2: crashed: BUG: soft lockup in tc_modify_qdisc
run #3: crashed: BUG: soft lockup in tc_modify_qdisc
run #4: crashed: BUG: soft lockup in tc_modify_qdisc
run #5: crashed: BUG: soft lockup in tc_modify_qdisc
run #6: crashed: BUG: soft lockup in tc_modify_qdisc
run #7: crashed: BUG: soft lockup in tc_modify_qdisc
run #8: crashed: BUG: soft lockup in tc_modify_qdisc
run #9: crashed: BUG: soft lockup in tc_modify_qdisc
run #10: crashed: BUG: soft lockup in tc_modify_qdisc
run #11: crashed: BUG: soft lockup in tc_modify_qdisc
run #12: crashed: BUG: soft lockup in tc_modify_qdisc
run #13: crashed: BUG: soft lockup in tc_modify_qdisc
run #14: crashed: BUG: soft lockup in tc_modify_qdisc
run #15: crashed: BUG: soft lockup in tc_modify_qdisc
run #16: crashed: BUG: soft lockup in tc_modify_qdisc
run #17: crashed: BUG: soft lockup in tc_modify_qdisc
run #18: crashed: BUG: soft lockup in tc_modify_qdisc
run #19: crashed: BUG: soft lockup in tc_modify_qdisc
run #20: crashed: BUG: soft lockup in tc_modify_qdisc
run #21: crashed: BUG: soft lockup in tc_modify_qdisc
run #22: crashed: BUG: soft lockup in tc_modify_qdisc
run #23: crashed: BUG: soft lockup in tc_modify_qdisc
run #24: crashed: BUG: soft lockup in tc_modify_qdisc
run #25: crashed: BUG: soft lockup in tc_modify_qdisc
run #26: crashed: BUG: soft lockup in tc_modify_qdisc
run #27: crashed: BUG: soft lockup in tc_modify_qdisc
run #28: crashed: BUG: soft lockup in tc_modify_qdisc
run #29: crashed: BUG: soft lockup in tc_modify_qdisc
run #30: crashed: BUG: soft lockup in tc_modify_qdisc
run #31: crashed: BUG: soft lockup in tc_modify_qdisc
run #32: crashed: BUG: soft lockup in tc_modify_qdisc
run #33: crashed: no output from test machine
run #34: crashed: no output from test machine
run #35: crashed: no output from test machine
run #36: crashed: no output from test machine
run #37: crashed: BUG: soft lockup in tc_modify_qdisc
run #38: crashed: BUG: soft lockup in tc_modify_qdisc
representative crash: BUG: soft lockup in tc_modify_qdisc, types: [HANG]
check whether we can drop unnecessary instrumentation
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing commit 879959450ec776f8dde010ed124876a4fe0bbb69 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 70c08fb4fcb72dc169cf50077eee955f29bbc4f8489b2b8acc74111ec8284b6e
run #0: basic kernel testing failed: failed to copy binary to VM: failed to run ["scp" "-P" "22" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "BatchMode=yes" "-o" "IdentitiesOnly=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-v" "/tmp/syz-executor1608916856" "root@10.128.10.2:./syz-executor1608916856"]: exit status 1
Executing: program /usr/bin/ssh host 10.128.10.2, user root, command scp -v -t ./syz-executor1608916856
OpenSSH_8.4p1 Debian-5+deb11u1, OpenSSL 1.1.1n 15 Mar 2022
debug1: Reading configuration data /dev/null
debug1: Connecting to 10.128.10.2 [10.128.10.2] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u1
Connection timed out during banner exchange
Connection to 10.128.10.2 port 22 timed out
lost connection
run #1: crashed: BUG: workqueue lockup
run #2: crashed: BUG: workqueue lockup
run #3: crashed: BUG: soft lockup in tc_modify_qdisc
run #4: crashed: BUG: soft lockup in tc_modify_qdisc
run #5: crashed: BUG: soft lockup in tc_modify_qdisc
run #6: crashed: BUG: soft lockup in tc_modify_qdisc
run #7: crashed: BUG: soft lockup in tc_modify_qdisc
run #8: crashed: BUG: soft lockup in tc_modify_qdisc
run #9: crashed: BUG: soft lockup in tc_modify_qdisc
run #10: crashed: BUG: soft lockup in tc_modify_qdisc
run #11: crashed: BUG: soft lockup in tc_modify_qdisc
run #12: crashed: BUG: soft lockup in tc_modify_qdisc
run #13: crashed: BUG: soft lockup in tc_modify_qdisc
run #14: crashed: BUG: soft lockup in tc_modify_qdisc
run #15: crashed: no output from test machine
run #16: crashed: no output from test machine
run #17: crashed: BUG: soft lockup in tc_modify_qdisc
run #18: crashed: BUG: soft lockup in tc_modify_qdisc
representative crash: BUG: soft lockup in tc_modify_qdisc, types: [HANG]
the bug reproduces without the instrumentation
disabling configs for [LEAK UBSAN BUG KASAN LOCKDEP ATOMIC_SLEEP], they are not needed
testing release v5.15.119
testing commit 4af60700a60cc45ee4fb6d579cccf1b7bca20c34 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 6298b95331230f52c4a9f308a3cfe7b144e3a817a5f603a17e40d7a6901c8fae
run #0: crashed: BUG: workqueue lockup
run #1: crashed: BUG: workqueue lockup
run #2: crashed: BUG: soft lockup in tc_modify_qdisc
run #3: crashed: BUG: soft lockup in tc_modify_qdisc
run #4: crashed: BUG: soft lockup in tc_modify_qdisc
run #5: crashed: BUG: soft lockup in tc_modify_qdisc
run #6: crashed: BUG: soft lockup in tc_modify_qdisc
run #7: crashed: BUG: soft lockup in tc_modify_qdisc
run #8: crashed: BUG: soft lockup in tc_modify_qdisc
run #9: crashed: BUG: soft lockup in tc_modify_qdisc
run #10: crashed: BUG: soft lockup in tc_modify_qdisc
run #11: crashed: BUG: soft lockup in tc_modify_qdisc
run #12: crashed: BUG: soft lockup in tc_modify_qdisc
run #13: crashed: BUG: soft lockup in tc_modify_qdisc
run #14: crashed: BUG: soft lockup in corrupted
run #15: crashed: BUG: soft lockup in corrupted
run #16: crashed: BUG: soft lockup in tc_modify_qdisc
run #17: crashed: BUG: soft lockup in tc_modify_qdisc
run #18: crashed: no output from test machine
run #19: crashed: no output from test machine
representative crash: BUG: soft lockup in tc_modify_qdisc, types: [HANG]
testing release v5.15.118
testing commit f67653019430833d5003f16817d7fa85272a6a76 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1c2861a79eeaf688730656453d0e58c16b7a23ed1c8ed4db8882c4ff81a1dd4d
all runs: OK
# git bisect start 4af60700a60cc45ee4fb6d579cccf1b7bca20c34 f67653019430833d5003f16817d7fa85272a6a76
Bisecting: 48 revisions left to test after this (roughly 6 steps)
[92f73c4f927cff42e69b51b87b1860e741c9c6b0] mmc: mtk-sd: fix deferred probing
testing commit 92f73c4f927cff42e69b51b87b1860e741c9c6b0 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 6af3486694ef708efab5b54f3877d5ad7e4009096e6b43ef2199cd7feada2321
all runs: OK
# git bisect good 92f73c4f927cff42e69b51b87b1860e741c9c6b0
Bisecting: 24 revisions left to test after this (roughly 5 steps)
[7973c4b3b97de1ef33334be444024c089f1d33aa] gpio: Allow per-parent interrupt data
testing commit 7973c4b3b97de1ef33334be444024c089f1d33aa gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 95a02f5cbc060fa29b87dbfba8904895a44716973f80e703ff726576b408600c
run #0: crashed: BUG: soft lockup in tc_modify_qdisc
run #1: crashed: BUG: soft lockup in tc_modify_qdisc
run #2: crashed: BUG: soft lockup in tc_modify_qdisc
run #3: crashed: BUG: soft lockup in tc_modify_qdisc
run #4: crashed: BUG: soft lockup in tc_modify_qdisc
run #5: crashed: BUG: soft lockup in tc_modify_qdisc
run #6: crashed: BUG: soft lockup in tc_modify_qdisc
run #7: crashed: BUG: soft lockup in tc_modify_qdisc
run #8: crashed: BUG: soft lockup in tc_modify_qdisc
run #9: crashed: BUG: soft lockup in tc_modify_qdisc
run #10: crashed: BUG: soft lockup in tc_modify_qdisc
run #11: crashed: BUG: soft lockup in tc_modify_qdisc
run #12: crashed: BUG: soft lockup in tc_modify_qdisc
run #13: crashed: BUG: soft lockup in tc_modify_qdisc
run #14: crashed: BUG: soft lockup in tc_modify_qdisc
run #15: crashed: BUG: soft lockup in tc_modify_qdisc
run #16: crashed: BUG: soft lockup in tc_modify_qdisc
run #17: crashed: BUG: soft lockup in tc_modify_qdisc
run #18: crashed: no output from test machine
run #19: crashed: no output from test machine
representative crash: BUG: soft lockup in tc_modify_qdisc, types: [HANG]
# git bisect bad 7973c4b3b97de1ef33334be444024c089f1d33aa
Bisecting: 11 revisions left to test after this (roughly 4 steps)
[314a8697d08092df6d00521450d44c352c602943] netfilter: nf_tables: fix chain binding transaction logic
testing commit 314a8697d08092df6d00521450d44c352c602943 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 7a3de0208d238fa5281d5d85a3767c79e945ae49897cb03e5db8b2df48896c24
all runs: OK
# git bisect good 314a8697d08092df6d00521450d44c352c602943
Bisecting: 5 revisions left to test after this (roughly 3 steps)
[53defc6ecff4fc4189faa9ddcc1ae77eb6e31252] netfilter: nf_tables: disallow updates of anonymous sets
testing commit 53defc6ecff4fc4189faa9ddcc1ae77eb6e31252 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: fccc357d8e9cdd76cddf79b65be163988dfe6911191d1ae5b5b84b67aeaf8f78
all runs: OK
# git bisect good 53defc6ecff4fc4189faa9ddcc1ae77eb6e31252
Bisecting: 2 revisions left to test after this (roughly 2 steps)
[b7db41a865416c849b8140887dc9f87ca6666924] bpf/btf: Accept function names that contain dots
testing commit b7db41a865416c849b8140887dc9f87ca6666924 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 1f1d8de9ee50c19d86441dfaac316c426b97c6bbafd24f027a10d774a291f25c
all runs: OK
# git bisect good b7db41a865416c849b8140887dc9f87ca6666924
Bisecting: 0 revisions left to test after this (roughly 1 step)
[c1a2b52d999e9f7d31f2c7de459a2f3269d5fdf4] sch_netem: acquire qdisc lock in netem_change()
testing commit c1a2b52d999e9f7d31f2c7de459a2f3269d5fdf4 gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 79f2164f221fcd5bae4ba085bf62d2f425c2035a932aecc1a5a93375ece50ee2
run #0: crashed: BUG: workqueue lockup
run #1: crashed: BUG: workqueue lockup
run #2: crashed: BUG: soft lockup in tc_modify_qdisc
run #3: crashed: BUG: soft lockup in tc_modify_qdisc
run #4: crashed: BUG: workqueue lockup
run #5: crashed: BUG: workqueue lockup
run #6: crashed: BUG: soft lockup in tc_modify_qdisc
run #7: crashed: BUG: soft lockup in tc_modify_qdisc
run #8: crashed: BUG: soft lockup in tc_modify_qdisc
run #9: crashed: BUG: soft lockup in tc_modify_qdisc
run #10: crashed: BUG: soft lockup in tc_modify_qdisc
run #11: crashed: BUG: soft lockup in tc_modify_qdisc
run #12: crashed: BUG: soft lockup in tc_modify_qdisc
run #13: crashed: BUG: soft lockup in tc_modify_qdisc
run #14: crashed: BUG: soft lockup in tc_modify_qdisc
run #15: crashed: BUG: soft lockup in tc_modify_qdisc
run #16: crashed: BUG: soft lockup in tc_modify_qdisc
run #17: crashed: BUG: soft lockup in tc_modify_qdisc
run #18: crashed: no output from test machine
run #19: crashed: no output from test machine
representative crash: BUG: soft lockup in tc_modify_qdisc, types: [HANG UNKNOWN]
# git bisect bad c1a2b52d999e9f7d31f2c7de459a2f3269d5fdf4
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[3138c85031e8d1ffe07ebdbc9236388b1185474b] selftests: forwarding: Fix race condition in mirror installation
testing commit 3138c85031e8d1ffe07ebdbc9236388b1185474b gcc
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.2
kernel signature: 75d6043da43ed92464027749f36000b878cb4f3de414ca0d236549a30f50052d
all runs: OK
# git bisect good 3138c85031e8d1ffe07ebdbc9236388b1185474b
c1a2b52d999e9f7d31f2c7de459a2f3269d5fdf4 is the first bad commit
commit c1a2b52d999e9f7d31f2c7de459a2f3269d5fdf4
Author: Eric Dumazet
Date: Tue Jun 20 18:44:25 2023 +0000

    sch_netem: acquire qdisc lock in netem_change()

    [ Upstream commit 2174a08db80d1efeea382e25ac41c4e7511eb6d6 ]

    syzbot managed to trigger a divide error [1] in netem.

    It could happen if q->rate changes while netem_enqueue() is running, since q->rate is read twice.

    It turns out netem_change() always lacked proper synchronization.

    [1]
    divide error: 0000 [#1] SMP KASAN
    CPU: 1 PID: 7867 Comm: syz-executor.1 Not tainted 6.1.30-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023
    RIP: 0010:div64_u64 include/linux/math64.h:69 [inline]
    RIP: 0010:packet_time_ns net/sched/sch_netem.c:357 [inline]
    RIP: 0010:netem_enqueue+0x2067/0x36d0 net/sched/sch_netem.c:576
    Code: 89 e2 48 69 da 00 ca 9a 3b 42 80 3c 28 00 4c 8b a4 24 88 00 00 00 74 0d 4c 89 e7 e8 c3 4f 3b fd 48 8b 4c 24 18 48 89 d8 31 d2 <49> f7 34 24 49 01 c7 4c 8b 64 24 48 4d 01 f7 4c 89 e3 48 c1 eb 03
    RSP: 0018:ffffc9000dccea60 EFLAGS: 00010246
    RAX: 000001a442624200 RBX: 000001a442624200 RCX: ffff888108a4f000
    RDX: 0000000000000000 RSI: 000000000000070d RDI: 000000000000070d
    RBP: ffffc9000dcceb90 R08: ffffffff849c5e26 R09: fffffbfff10e1297
    R10: 0000000000000000 R11: dffffc0000000001 R12: ffff888108a4f358
    R13: dffffc0000000000 R14: 0000001a8cd9a7ec R15: 0000000000000000
    FS: 00007fa73fe18700(0000) GS:ffff8881f6b00000(0000) knlGS:0000000000000000
    CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007fa73fdf7718 CR3: 000000011d36e000 CR4: 0000000000350ee0
    Call Trace:
    [] __dev_xmit_skb net/core/dev.c:3931 [inline]
    [] __dev_queue_xmit+0xcf5/0x3370 net/core/dev.c:4290
    [] dev_queue_xmit include/linux/netdevice.h:3030 [inline]
    [] neigh_hh_output include/net/neighbour.h:531 [inline]
    [] neigh_output include/net/neighbour.h:545 [inline]
    [] ip_finish_output2+0xb92/0x10d0 net/ipv4/ip_output.c:235
    [] __ip_finish_output+0xc3/0x2b0
    [] ip_finish_output+0x31/0x2a0 net/ipv4/ip_output.c:323
    [] NF_HOOK_COND include/linux/netfilter.h:298 [inline]
    [] ip_output+0x224/0x2a0 net/ipv4/ip_output.c:437
    [] dst_output include/net/dst.h:444 [inline]
    [] ip_local_out net/ipv4/ip_output.c:127 [inline]
    [] __ip_queue_xmit+0x1425/0x2000 net/ipv4/ip_output.c:542
    [] ip_queue_xmit+0x4c/0x70 net/ipv4/ip_output.c:556

    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Reported-by: syzbot
    Signed-off-by: Eric Dumazet
    Cc: Stephen Hemminger
    Cc: Jamal Hadi Salim
    Cc: Cong Wang
    Cc: Jiri Pirko
    Reviewed-by: Jamal Hadi Salim
    Reviewed-by: Simon Horman
    Link: https://lore.kernel.org/r/20230620184425.1179809-1-edumazet@google.com
    Signed-off-by: Paolo Abeni
    Signed-off-by: Sasha Levin

 net/sched/sch_netem.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

culprit signature: 79f2164f221fcd5bae4ba085bf62d2f425c2035a932aecc1a5a93375ece50ee2
parent signature: 75d6043da43ed92464027749f36000b878cb4f3de414ca0d236549a30f50052d
revisions tested: 11, total time: 7h38m25.065319079s (build: 3h20m21.492450192s, test: 2h11m54.411850514s)
first bad commit: c1a2b52d999e9f7d31f2c7de459a2f3269d5fdf4 sch_netem: acquire qdisc lock in netem_change()
recipients (to): ["edumazet@google.com" "jhs@mojatatu.com" "pabeni@redhat.com" "sashal@kernel.org" "simon.horman@corigine.com"]
recipients (cc): []
crash: BUG: soft lockup in tc_modify_qdisc
RBP: 00007f9382e63493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcb738fe3f R14: 00007f938298b300 R15: 0000000000022000
watchdog: BUG: soft lockup - CPU#0 stuck for 246s! [syz-executor.0:435]
Modules linked in:
CPU: 0 PID: 435 Comm: syz-executor.0 Not tainted 5.15.118-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
RIP: 0010:arch_safe_halt arch/x86/include/asm/irqflags.h:90 [inline]
RIP: 0010:kvm_wait arch/x86/kernel/kvm.c:918 [inline]
RIP: 0010:kvm_wait+0x3e/0x40 arch/x86/kernel/kvm.c:900
Code: 0b fa 0f b6 07 40 38 f0 74 15 fb c3 0f b6 07 40 38 c6 75 f7 66 90 0f 00 2d 7d 04 35 01 f4 c3 66 90 0f 00 2d 72 04 35 01 fb f4 90 8b 05 aa 39 f7 01 83 f8 ff 74 06 85 c0 0f 95 c0 c3 55 48 89
RSP: 0018:ffffc9000038b7b8 EFLAGS: 00000246
RAX: 0000000000000003 RBX: ffff888237c2b6c0 RCX: 0000000000000008
RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffff8881081d94ac
RBP: ffffc9000038b7f8 R08: ffff88823fff1d00 R09: 0000000000000000
R10: 0000000000000001 R11: ffff888237c2b6c0 R12: ffff8881081d94ac
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000100
FS: 00007f938298b700(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000080 CR3: 0000000101992000 CR4: 00000000003506b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:585 [inline]
queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:51 [inline]
queued_spin_lock include/asm-generic/qspinlock.h:85 [inline]
do_raw_spin_lock include/linux/spinlock.h:187 [inline]
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:136 [inline]
_raw_spin_lock_bh+0x39/0x40 kernel/locking/spinlock.c:178
spin_lock_bh include/linux/spinlock.h:368 [inline]
get_dist_table+0x92/0xd0 net/sched/sch_netem.c:798
netem_change+0xf8/0x610 net/sched/sch_netem.c:988
netem_init+0x41/0x60 net/sched/sch_netem.c:1075
qdisc_create+0x13f/0x590 net/sched/sch_api.c:1264
tc_modify_qdisc+0x13c/0x9c0 net/sched/sch_api.c:1689
rtnetlink_rcv_msg+0x13e/0x380 net/core/rtnetlink.c:5593
netlink_rcv_skb+0x4e/0xf0 net/netlink/af_netlink.c:2504
rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:5611
netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
netlink_unicast+0x252/0x350 net/netlink/af_netlink.c:1356
netlink_sendmsg+0x241/0x490 net/netlink/af_netlink.c:1923
sock_sendmsg_nosec net/socket.c:704 [inline]
sock_sendmsg+0x35/0x40 net/socket.c:724
____sys_sendmsg+0x23e/0x260 net/socket.c:2412
___sys_sendmsg+0x74/0xc0 net/socket.c:2466
__sys_sendmsg+0x5d/0xb0 net/socket.c:2495
__do_sys_sendmsg net/socket.c:2504 [inline]
__se_sys_sendmsg net/socket.c:2502 [inline]
__x64_sys_sendmsg+0x1a/0x20 net/socket.c:2502
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x61/0xcb
RIP: 0033:0x7f9382e18389
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f938298b168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f9382f37f80 RCX: 00007f9382e18389
RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 00007f9382e63493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffcb738fe3f R14: 00007f938298b300 R15: 0000000000022000
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 11 Comm: kworker/u4:1 Not tainted 5.15.118-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/27/2023
Workqueue: events_unbound toggle_allocation_gate
RIP: 0010:csd_lock_wait kernel/smp.c:440 [inline]
RIP: 0010:smp_call_function_many_cond+0xcc/0x260 kernel/smp.c:969
Code: 48 89 de e8 a6 34 47 00 3b 05 54 b0 03 02 89 c7 73 21 48 63 c7 49 8b 14 24 48 03 14 c5 80 18 d7 82 8b 42 08 a8 01 74 09 f3 90 <8b> 42 08 a8 01 75 f7 eb cd 48 83 c4 48 5b 41 5c 41 5d 41 5e 41 5f
RSP: 0018:ffffc9000005fc68 EFLAGS: 00000202
RAX: 0000000000000011 RBX: ffff888237d2bb08 RCX: 0000000000000000
RDX: ffff888237c30360 RSI: ffff888237d2bb08 RDI: 0000000000000000
RBP: ffffc9000005fcd8 R08: 0000000000000000 R09: 8000000000000063
R10: 0000000000000000 R11: 0000000000000002 R12: ffff888237d2bb00
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff888237d00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa74bbdb7c0 CR3: 000000000300b000 CR4: 00000000003506a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
on_each_cpu_cond_mask+0x44/0x80 kernel/smp.c:1135
on_each_cpu include/linux/smp.h:71 [inline]
text_poke_sync arch/x86/kernel/alternative.c:1183 [inline]
text_poke_bp_batch+0xa0/0x1f0 arch/x86/kernel/alternative.c:1374
text_poke_flush arch/x86/kernel/alternative.c:1542 [inline]
text_poke_finish+0x1a/0x30 arch/x86/kernel/alternative.c:1549
arch_jump_label_transform_apply+0x15/0x30 arch/x86/kernel/jump_label.c:146
__jump_label_update+0xe4/0xf0 kernel/jump_label.c:459
jump_label_update+0xd7/0x100 kernel/jump_label.c:830
static_key_disable_cpuslocked kernel/jump_label.c:207 [inline]
static_key_disable_cpuslocked+0x54/0x60 kernel/jump_label.c:195
static_key_disable+0x16/0x30 kernel/jump_label.c:215
toggle_allocation_gate mm/kfence/core.c:743 [inline]
toggle_allocation_gate+0x93/0x190 mm/kfence/core.c:721
process_one_work+0x199/0x340 kernel/workqueue.c:2307
worker_thread+0x4e/0x340 kernel/workqueue.c:2454
kthread+0x13a/0x160 kernel/kthread.c:319
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298