bisecting fixing commit since 4938296e03bd227e5020d63d418956fe52baf97c building syzkaller on 1b201b48c59d619af21de7fcc5face22824c0285 testing commit 4938296e03bd227e5020d63d418956fe52baf97c compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: 9e98cc47145d5c9531e1be5ba00cd2934405b9c04fb26d124034c96e78c2587b all runs: crashed: BUG: soft lockup in sctp_generate_t1_init_event testing current HEAD e34184f53363f6bb873c2fe0ce1a08ed7d16e94a testing commit e34184f53363f6bb873c2fe0ce1a08ed7d16e94a compiler: gcc version 8.4.1 20210217 (GCC) kernel signature: 9ba4628cc73451c8734e2287ee475ede7359aa542d0a790045e7ac65da78872c all runs: crashed: BUG: soft lockup in sctp_generate_t1_init_event revisions tested: 2, total time: 24m48.320540878s (build: 16m19.912767712s, test: 7m49.093749924s) the crash still happens on HEAD commit msg: Linux 4.19.210 crash: BUG: soft lockup in sctp_generate_t1_init_event ieee802154 phy0 wpan0: encryption failed: -22 ieee802154 phy1 wpan1: encryption failed: -22 watchdog: BUG: soft lockup - CPU#1 stuck for 23s! [syz-executor.1:8450] Modules linked in: irq event stamp: 1705823 hardirqs last enabled at (1705822): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline] hardirqs last enabled at (1705822): [] _raw_spin_unlock_irqrestore+0x82/0xd0 kernel/locking/spinlock.c:184 hardirqs last disabled at (1705823): [] trace_hardirqs_off_thunk+0x1a/0x1c softirqs last enabled at (454420): [] spin_unlock_bh include/linux/spinlock.h:374 [inline] softirqs last enabled at (454420): [] release_sock+0x11f/0x180 net/core/sock.c:2912 softirqs last disabled at (458393): [] invoke_softirq kernel/softirq.c:372 [inline] softirqs last disabled at (458393): [] irq_exit+0x17f/0x1c0 kernel/softirq.c:412 CPU: 1 PID: 8450 Comm: syz-executor.1 Not tainted 4.19.210-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:789 [inline] RIP: 0010:lock_acquire+0x1f5/0x3a0 kernel/locking/lockdep.c:3911 Code: 00 00 00 00 00 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 99 01 00 00 48 83 3d 5f 81 4a 08 00 0f 84 1c 01 00 00 48 8b 7d c0 57 9d <0f> 1f 44 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 65 8b RSP: 0018:ffff8880ba306f10 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13 RAX: dffffc0000000000 RBX: ffff888091ec0480 RCX: 1ffff110123d81b4 RDX: 1ffffffff13224a1 RSI: 0000000000000000 RDI: 0000000000000286 RBP: ffff8880ba306f58 R08: ffff888091ec0da0 R09: 0000000000000003 R10: ffff888091ec0d80 R11: 0000000000000001 R12: 0000000000000002 R13: 0000000000000000 R14: 0000000000000000 R15: ffff888091ec0480 FS: 0000000002aa8400(0000) GS:ffff8880ba300000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fffb7b442bc CR3: 00000000a9d61000 CR4: 00000000003406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: rcu_lock_acquire include/linux/rcupdate.h:242 [inline] rcu_read_lock include/linux/rcupdate.h:627 [inline] ip6_pol_route+0x123/0xea0 net/ipv6/route.c:1907 ip6_pol_route_output+0x3c/0x70 net/ipv6/route.c:2135 fib6_rule_lookup+0x103/0x480 net/ipv6/fib6_rules.c:118 ip6_route_output_flags+0x22a/0x2c0 net/ipv6/route.c:2163 ip6_dst_lookup_tail+0x469/0x1600 net/ipv6/ip6_output.c:1019 ip6_dst_lookup_flow+0x83/0x170 net/ipv6/ip6_output.c:1120 sctp_v6_get_dst+0x521/0x1660 net/sctp/ipv6.c:291 sctp_transport_pmtu+0x214/0x430 net/sctp/transport.c:242 sctp_transport_route+0x152/0x340 net/sctp/transport.c:319 sctp_packet_config+0xa06/0xd60 net/sctp/output.c:118 sctp_packet_singleton net/sctp/outqueue.c:790 [inline] sctp_outq_flush_ctrl.constprop.4+0x5e2/0xcb0 net/sctp/outqueue.c:923 sctp_outq_flush+0xd0/0x25e0 net/sctp/outqueue.c:1205 sctp_outq_uncork+0x49/0x60 net/sctp/outqueue.c:777 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1815 [inline] sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline] sctp_do_sm+0x3a2/0x51f0 net/sctp/sm_sideeffect.c:1170 sctp_generate_timeout_event+0x187/0x320 net/sctp/sm_sideeffect.c:310 sctp_generate_t1_init_event+0x15/0x20 net/sctp/sm_sideeffect.c:336 call_timer_fn+0x14c/0x510 kernel/time/timer.c:1338 expire_timers+0x255/0x3a0 kernel/time/timer.c:1375 __run_timers kernel/time/timer.c:1696 [inline] run_timer_softirq+0x1dc/0x570 kernel/time/timer.c:1709 __do_softirq+0x25f/0x919 kernel/softirq.c:292 invoke_softirq kernel/softirq.c:372 [inline] irq_exit+0x17f/0x1c0 kernel/softirq.c:412 exiting_irq arch/x86/include/asm/apic.h:536 [inline] smp_apic_timer_interrupt+0x13e/0x540 arch/x86/kernel/apic/apic.c:1098 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894 RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:789 [inline] RIP: 0010:qlink_free mm/kasan/quarantine.c:150 [inline] RIP: 0010:qlist_free_all+0xf4/0x120 mm/kasan/quarantine.c:166 Code: 40 10 00 00 00 00 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 7c 2f d4 ff 48 83 3d 6c 41 05 08 00 74 23 48 8b 7d d0 57 9d <0f> 1f 44 00 00 eb ae 48 89 df e8 fd fd ff ff 49 89 c5 e9 2c ff ff RSP: 0018:ffff8880a9cafc50 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13 RAX: 0000000000000007 RBX: ffff8880988a2d00 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff888091ec0d08 RDI: 0000000000000286 RBP: ffff8880a9cafc88 R08: ffffed1027fff789 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff88813be46080 R14: ffff8880a1ec1b00 R15: ffffffff89912500 quarantine_reduce+0x167/0x1a0 mm/kasan/quarantine.c:259 kasan_kmalloc+0x9b/0xc0 mm/kasan/kasan.c:538 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490 slab_post_alloc_hook mm/slab.h:445 [inline] slab_alloc mm/slab.c:3397 [inline] kmem_cache_alloc+0x11b/0x390 mm/slab.c:3557 getname_flags+0xb8/0x510 fs/namei.c:140 getname fs/namei.c:211 [inline] user_path_mountpoint_at+0x1d/0x40 fs/namei.c:2748 ksys_umount+0x12e/0xce0 fs/namespace.c:1654 __do_sys_umount fs/namespace.c:1680 [inline] __se_sys_umount fs/namespace.c:1678 [inline] __x64_sys_umount+0x4f/0x70 fs/namespace.c:1678 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x467a47 Code: ff d0 48 89 c7 b8 3c 00 00 00 0f 05 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fffb7b44298 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 RAX: ffffffffffffffda RBX: 0000000000000132 RCX: 0000000000467a47 RDX: 000000000000000c RSI: 0000000000000002 RDI: 00007fffb7b45430 RBP: 00007fffb7b4540c R08: 0000000000000000 R09: 000000135f836c33 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bee90 R13: 00007fffb7b45430 R14: 0000000000000003 R15: 00007fffb7b45470 Sending NMI from CPU 1 to CPUs 0: NMI backtrace for cpu 0 CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.19.210-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:match_held_lock kernel/locking/lockdep.c:3480 [inline] RIP: 0010:__lock_is_held+0xd3/0x220 kernel/locking/lockdep.c:3728 Code: 49 8d 0c 10 48 8d 7b 22 48 89 f8 48 c1 e8 03 0f b6 34 10 48 89 f8 83 e0 07 83 c0 01 40 38 f0 7c 09 40 84 f6 0f 85 e0 00 00 00 <66> f7 43 22 f0 ff 74 21 4c 89 ee 48 89 df 48 89 4d d0 e8 46 f7 ff RSP: 0018:ffff8880ba207018 EFLAGS: 00000046 RAX: 0000000000000003 RBX: ffffffff89877c88 RCX: fffffbfff130ef90 RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffffffff89877caa RBP: ffff8880ba207058 R08: 1ffffffff130ef90 R09: ffffed101744455a R10: ffffed101744455a R11: ffff8880ba222ad3 R12: 0000000000000000 R13: ffffffff8a7929a0 R14: ffffffff89877c88 R15: ffffffff89877400 FS: 0000000000000000(0000) GS:ffff8880ba200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005653ef9ff2c8 CR3: 000000009e749000 CR4: 00000000003406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: lock_is_held_type+0x118/0x210 kernel/locking/lockdep.c:3946 lock_is_held include/linux/lockdep.h:344 [inline] lockdep_rtnl_is_held+0x15/0x20 net/core/rtnetlink.c:136 __in6_dev_get include/net/addrconf.h:340 [inline] ipv6_dev_get_saddr+0x669/0x920 net/ipv6/addrconf.c:1771 ip6_route_get_saddr include/net/ip6_route.h:124 [inline] ip6_dst_lookup_tail+0xedd/0x1600 net/ipv6/ip6_output.c:997 ip6_dst_lookup_flow+0x83/0x170 net/ipv6/ip6_output.c:1120 sctp_v6_get_dst+0x521/0x1660 net/sctp/ipv6.c:291 sctp_transport_pmtu+0x214/0x430 net/sctp/transport.c:242 sctp_transport_route+0x152/0x340 net/sctp/transport.c:319 sctp_packet_config+0xa06/0xd60 net/sctp/output.c:118 sctp_outq_select_transport+0x1d6/0x730 net/sctp/outqueue.c:878 sctp_outq_flush_ctrl.constprop.4+0x46c/0xcb0 net/sctp/outqueue.c:912 sctp_outq_flush+0xd0/0x25e0 net/sctp/outqueue.c:1205 sctp_outq_uncork+0x49/0x60 net/sctp/outqueue.c:777 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1815 [inline] sctp_side_effects net/sctp/sm_sideeffect.c:1199 [inline] sctp_do_sm+0x3a2/0x51f0 net/sctp/sm_sideeffect.c:1170 sctp_generate_timeout_event+0x187/0x320 net/sctp/sm_sideeffect.c:310 sctp_generate_t1_init_event+0x15/0x20 net/sctp/sm_sideeffect.c:336 call_timer_fn+0x14c/0x510 kernel/time/timer.c:1338 expire_timers+0x255/0x3a0 kernel/time/timer.c:1375 __run_timers kernel/time/timer.c:1696 [inline] run_timer_softirq+0x1dc/0x570 kernel/time/timer.c:1709 __do_softirq+0x25f/0x919 kernel/softirq.c:292 invoke_softirq kernel/softirq.c:372 [inline] irq_exit+0x17f/0x1c0 kernel/softirq.c:412 exiting_irq arch/x86/include/asm/apic.h:536 [inline] smp_apic_timer_interrupt+0x13e/0x540 arch/x86/kernel/apic/apic.c:1098 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894 RIP: 0010:native_safe_halt+0x12/0x20 arch/x86/include/asm/irqflags.h:61 Code: 11 ff ff ff 4c 89 e7 e8 2c 25 e6 f9 eb 97 90 90 90 90 90 90 90 90 90 90 55 48 89 e5 e9 07 00 00 00 0f 00 2d 10 3a 61 00 fb f4 <5d> c3 66 66 2e 0f 1f 84 00 00 00 00 00 90 55 48 89 e5 e9 07 00 00 RSP: 0018:ffffffff89807c80 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13 RAX: dffffc0000000000 RBX: ffffffff89877400 RCX: 0000000000000000 RDX: 1ffffffff13224a4 RSI: 0000000000000001 RDI: ffffffff89912520 RBP: ffffffff89807c80 R08: ffffed101744455b R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffffffff89912510 R14: ffffffff8ab98c18 R15: 0000000000000000 arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline] default_idle+0x51/0x310 arch/x86/kernel/process.c:557 arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:548 default_idle_call+0x6d/0x90 kernel/sched/idle.c:93 cpuidle_idle_call kernel/sched/idle.c:153 [inline] do_idle+0x451/0x570 kernel/sched/idle.c:263 cpu_startup_entry+0xc8/0xe0 kernel/sched/idle.c:369 rest_init+0x237/0x23d init/main.c:441 start_kernel+0x648/0x686 init/main.c:736 x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:490 x86_64_start_kernel+0x76/0x79 arch/x86/kernel/head64.c:471 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243 ---------------- Code disassembly (best guess): 0: 00 00 add %al,(%rax) 2: 00 00 add %al,(%rax) 4: 00 48 89 add %cl,-0x77(%rax) 7: fa cli 8: 48 c1 ea 03 shr $0x3,%rdx c: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) 10: 0f 85 99 01 00 00 jne 0x1af 16: 48 83 3d 5f 81 4a 08 cmpq $0x0,0x84a815f(%rip) # 0x84a817d 1d: 00 1e: 0f 84 1c 01 00 00 je 0x140 24: 48 8b 7d c0 mov -0x40(%rbp),%rdi 28: 57 push %rdi 29: 9d popfq * 2a: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) <-- trapping instruction 2f: 48 8d 65 d8 lea -0x28(%rbp),%rsp 33: 5b pop %rbx 34: 41 5c pop %r12 36: 41 5d pop %r13 38: 41 5e pop %r14 3a: 41 5f pop %r15 3c: 5d pop %rbp 3d: c3 retq 3e: 65 gs 3f: 8b .byte 0x8b