syzbot
INFO: task hung in flush_rcu_work

Status: premoderation: reported on 2025/07/05 04:50
Reported-by: syzbot+4ab0b7fd0138da13bd14@syzkaller.appspotmail.com
First crash: 57d, last: 1d07h

Sample crash report:
INFO: task syz.0.5227:16070 blocked for more than 127 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.5227      state:D stack:0     pid:16070 tgid:16068 ppid:11278  flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5945 [inline]
 __schedule+0x1322/0x1df0 kernel/sched/core.c:7791
 __schedule_loop kernel/sched/core.c:7872 [inline]
 schedule+0xc6/0x240 kernel/sched/core.c:7887
 schedule_timeout+0xb2/0x3a0 kernel/time/timer.c:2595
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common kernel/sched/completion.c:116 [inline]
 wait_for_common+0x359/0x630 kernel/sched/completion.c:127
 wait_for_completion+0x1c/0x40 kernel/sched/completion.c:148
 rcu_barrier+0x415/0x530 kernel/rcu/tree.c:4657
 flush_rcu_work+0x71/0x90 kernel/workqueue.c:4292
 kvfree_rcu_barrier+0x23c/0x2f0 kernel/rcu/tree.c:3955
 kmem_cache_destroy+0x32/0x170 mm/slab_common.c:490
 p9_client_destroy+0x42b/0x480 net/9p/client.c:1088
 v9fs_session_close+0x52/0x1d0 fs/9p/v9fs.c:506
 v9fs_kill_super+0x60/0x90 fs/9p/vfs_super.c:196
 deactivate_locked_super+0xd8/0x2a0 fs/super.c:476
 deactivate_super+0xb8/0xe0 fs/super.c:509
 cleanup_mnt+0x3f1/0x480 fs/namespace.c:1370
 __cleanup_mnt+0x1d/0x40 fs/namespace.c:1377
 task_work_run+0x1e3/0x250 kernel/task_work.c:240
 resume_user_mode_work+0x36/0x50 include/linux/resume_user_mode.h:50
 exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x64/0xb0 kernel/entry/common.c:218
 do_syscall_64+0x64/0xf0 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f8fa3b8ebe9
RSP: 002b:00007f8fa4a3c038 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: fffffffffffffffe RBX: 00007f8fa3dc5fa0 RCX: 00007f8fa3b8ebe9
RDX: 0000200000000040 RSI: 0000200000000000 RDI: 0000000000000000
RBP: 00007f8fa3c11e19 R08: 00002000000003c0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f8fa3dc6038 R14: 00007f8fa3dc5fa0 R15: 00007ffd553a1b98
 </TASK>
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 37 Comm: khungtaskd Not tainted syzkaller #0 487852573998b859d95f7a0f07f96e56ce6678e4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
 <TASK>
 __dump_stack+0x21/0x30 lib/dump_stack.c:94
 dump_stack_lvl+0x10c/0x190 lib/dump_stack.c:120
 dump_stack+0x19/0x20 lib/dump_stack.c:129
 nmi_cpu_backtrace+0x2bf/0x2d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x142/0x2c0 lib/nmi_backtrace.c:62
 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:41
 trigger_all_cpu_backtrace include/linux/nmi.h:158 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:267 [inline]
 watchdog+0xd8f/0xed0 kernel/hung_task.c:423
 kthread+0x2c7/0x370 kernel/kthread.c:389
 ret_from_fork+0x67/0xa0 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 281 Comm: sshd-session Not tainted syzkaller #0 487852573998b859d95f7a0f07f96e56ce6678e4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:arch_atomic_try_cmpxchg arch/x86/include/asm/atomic.h:107 [inline]
RIP: 0010:raw_atomic_try_cmpxchg_acquire include/linux/atomic/atomic-arch-fallback.h:2170 [inline]
RIP: 0010:atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:1302 [inline]
RIP: 0010:queued_spin_trylock include/asm-generic/qspinlock.h:97 [inline]
RIP: 0010:do_raw_spin_trylock include/linux/spinlock.h:193 [inline]
RIP: 0010:__raw_spin_trylock include/linux/spinlock_api_smp.h:89 [inline]
RIP: 0010:_raw_spin_trylock+0xaf/0x130 kernel/locking/spinlock.c:138
Code: 00 8b 03 89 44 24 20 85 c0 75 33 4c 8d 74 24 20 48 89 df be 04 00 00 00 e8 3e 09 4e fc 4c 89 f7 be 04 00 00 00 e8 31 09 4e fc <8b> 44 24 20 b9 01 00 00 00 ba 01 00 00 00 f0 0f b1 13 74 0b 31 c9
RSP: 0018:ffffc900000074e0 EFLAGS: 00000097
RAX: 0000000000000001 RBX: ffffffff87aa2f80 RCX: ffffffff858e083f
RDX: 0000000000000001 RSI: 0000000000000004 RDI: ffffc90000007500
RBP: ffffc90000007570 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000000ea0 R12: 1ffff92000000e9c
R13: dffffc0000000000 R14: ffffc90000007500 R15: dffffc0000000000
FS:  00007f5230a2f300(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1e820f7d60 CR3: 0000000121824000 CR4: 00000000003526b0
Call Trace:
 <IRQ>
 ___ratelimit+0xe5/0x5a0 lib/ratelimit.c:47
 net_ratelimit+0x20/0x30 net/core/utils.c:40
 br_fdb_update+0x3fb/0x680 net/bridge/br_fdb.c:903
 br_handle_frame_finish+0x39c/0x1720 net/bridge/br_input.c:141
 nf_hook_bridge_pre net/bridge/br_input.c:301 [inline]
 br_handle_frame+0x5a6/0xba0 net/bridge/br_input.c:424
 __netif_receive_skb_core+0xf48/0x3940 net/core/dev.c:5651
 __netif_receive_skb_one_core net/core/dev.c:5755 [inline]
 __netif_receive_skb net/core/dev.c:5870 [inline]
 process_backlog+0x3e5/0xae0 net/core/dev.c:6206
 __napi_poll+0xd0/0x610 net/core/dev.c:6857
 napi_poll net/core/dev.c:6926 [inline]
 net_rx_action+0x584/0xce0 net/core/dev.c:7048
 handle_softirqs+0x1ab/0x630 kernel/softirq.c:621
 __do_softirq+0xf/0x16 kernel/softirq.c:659
 do_softirq+0xa6/0x100 kernel/softirq.c:503
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x74/0x80 kernel/softirq.c:430
 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:167 [inline]
 _raw_spin_unlock_bh+0x54/0x60 kernel/locking/spinlock.c:210
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 __release_sock+0xa5/0x400 net/core/sock.c:3084
 release_sock+0x64/0x1f0 net/core/sock.c:3656
 tcp_sendmsg+0x49/0xe0 net/ipv4/tcp.c:1362
 inet_sendmsg+0xb7/0x120 net/ipv4/af_inet.c:858
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 sock_write_iter+0x3cb/0x4f0 net/socket.c:1166
 new_sync_write fs/read_write.c:591 [inline]
 vfs_write+0x694/0xe80 fs/read_write.c:684
 ksys_write+0x141/0x250 fs/read_write.c:737
 __do_sys_write fs/read_write.c:749 [inline]
 __se_sys_write fs/read_write.c:746 [inline]
 __x64_sys_write+0x7f/0x90 fs/read_write.c:746
 x64_sys_call+0x271c/0x2ee0 arch/x86/include/generated/asm/syscalls_64.h:2
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x58/0xf0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f52302a7407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007ffd9d0a69c0 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f5230a2f300 RCX: 00007f52302a7407
RDX: 000000000000007c RSI: 00005582d1163170 RDI: 0000000000000004
RBP: 00005582d1166ca0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000001
R13: 00007ffd9d0a6b10 R14: 0000000000000000 R15: 0000000000000004
 </TASK>
net_ratelimit: 126586 callbacks suppressed
bridge0: received packet on veth0_to_bridge with own address as source address (addr:b2:b0:06:d6:87:e6, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:b2:b0:06:d6:87:e6, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:b2:b0:06:d6:87:e6, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:b2:b0:06:d6:87:e6, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:b2:b0:06:d6:87:e6, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:b2:b0:06:d6:87:e6, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:b2:b0:06:d6:87:e6, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:0c, vlan:0)
bridge0: received packet on veth0_to_bridge with own address as source address (addr:b2:b0:06:d6:87:e6, vlan:0)
bridge0: received packet on bridge_slave_0 with own address as source address (addr:aa:aa:aa:aa:aa:1b, vlan:0)

Crashes (7):
Time              Kernel          Commit        Syzkaller  Syz repro  C repro  Manager                Title
2025/08/30 19:38  android16-6.12  6879524e1c5a  807a3b61   -          -        ci2-android-6-12-rust  INFO: task hung in flush_rcu_work
2025/08/14 01:11  android16-6.12  affdb774d7ec  22ec1469   -          -        ci2-android-6-12-rust  INFO: task hung in flush_rcu_work
2025/08/08 03:49  android16-6.12  209015b548fb  6a893178   -          -        ci2-android-6-12-rust  INFO: task hung in flush_rcu_work
2025/07/31 09:00  android16-6.12  cab1c944469e  f8f2b4da   -          -        ci2-android-6-12-rust  INFO: task hung in flush_rcu_work
2025/07/28 08:46  android16-6.12  e9bbc29c066a  fb8f743d   -          -        ci2-android-6-12-rust  INFO: task hung in flush_rcu_work
2025/07/20 19:08  android16-6.12  73009db42b37  7117feec   -          -        ci2-android-6-12-rust  INFO: task hung in flush_rcu_work
2025/07/05 04:49  android16-6.12  e2bf362ee23b  d869b261   -          -        ci2-android-6-12-rust  INFO: task hung in flush_rcu_work
Each row also carries .config, console log, report and VM info links plus assets ([disk image] [vmlinux] [kernel image]); no row has a syz repro or C repro.
* Struck through repros no longer work on HEAD.