INFO: task syz.5.1304:11107 blocked for more than 152 seconds. Tainted: G L syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz.5.1304 state:D stack:28744 pid:11107 tgid:11106 ppid:6033 task_flags:0x400140 flags:0x00080002 Call Trace: context_switch kernel/sched/core.c:5256 [inline] __schedule+0x1139/0x6150 kernel/sched/core.c:6863 __schedule_loop kernel/sched/core.c:6945 [inline] schedule+0xe7/0x3a0 kernel/sched/core.c:6960 schedule_timeout+0x257/0x290 kernel/time/sleep_timeout.c:75 ___down_common kernel/locking/semaphore.c:268 [inline] __down_common+0x31f/0x6e0 kernel/locking/semaphore.c:293 down+0x74/0xa0 kernel/locking/semaphore.c:100 console_lock+0x5b/0xa0 kernel/printk/printk.c:2843 class_console_lock_constructor include/linux/console.h:737 [inline] vcs_open+0x64/0xc0 drivers/tty/vt/vc_screen.c:746 chrdev_open+0x234/0x6a0 fs/char_dev.c:414 do_dentry_open+0x748/0x1590 fs/open.c:962 vfs_open+0x82/0x3f0 fs/open.c:1094 do_open fs/namei.c:4637 [inline] path_openat+0x2078/0x3140 fs/namei.c:4796 do_filp_open+0x20b/0x470 fs/namei.c:4823 do_sys_openat2+0x121/0x290 fs/open.c:1430 do_sys_open fs/open.c:1436 [inline] __do_sys_openat fs/open.c:1452 [inline] __se_sys_openat fs/open.c:1447 [inline] __x64_sys_openat+0x174/0x210 fs/open.c:1447 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f554698f749 RSP: 002b:00007f55477ae038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 00007f5546be5fa0 RCX: 00007f554698f749 RDX: 0000000000101402 RSI: 0000200000000000 RDI: ffffffffffffff9c RBP: 00007f5546a13f91 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f5546be6038 R14: 00007f5546be5fa0 R15: 00007ffed3061888 Showing all locks held in the system: 1 lock held by kthreadd/2: 3 locks held by kworker/u8:1/13: 1 lock held by khungtaskd/31: #0: ffffffff8e3c96a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline] #0: ffffffff8e3c96a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline] #0: ffffffff8e3c96a0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x36/0x1c0 kernel/locking/lockdep.c:6775 3 locks held by kworker/u8:2/36: 4 locks held by kworker/u8:4/61: 4 locks held by kworker/u8:5/219: 3 locks held by kworker/1:2/790: #0: ffff88807a631148 ((wq_completion)wg-kex-wg0#2){+.+.}-{0:0}, at: process_one_work+0x128d/0x1b20 kernel/workqueue.c:3232 #1: ffffc900036e7c90 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __asm__ ("" : "=r"(__ptr) : "0"((__typeof__(*((worker))) *)(( unsigned long)((worker))))); (typeof((__typeof__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_one_work+0x914/0x1b20 kernel/workqueue.c:3233 #2: ffff8880265c7030 (&handshake->lock){++++}-{4:4}, at: wg_noise_handshake_begin_session+0x30/0xe80 drivers/net/wireguard/noise.c:822 3 locks held by kworker/u8:6/1119: 3 locks held by kworker/u8:7/1131: 3 locks held by kworker/u8:8/1159: 3 locks held by kworker/u8:9/1163: 3 locks held by kworker/u8:10/2109: 2 locks held by kworker/R-bat_e/3405: 4 locks held by kworker/u8:11/3590: 3 locks held by kworker/u8:12/3816: 4 locks held by kworker/u8:13/3934: 3 locks held by kworker/u8:14/4094: 4 locks held by kworker/u8:15/4127: 4 locks held by kworker/u8:16/4180: 4 locks held by kworker/u8:17/4254: 1 lock held by klogd/5177: 1 lock held by udevd/5188: 1 lock held by dhcpcd/5482: 4 locks held by dhcpcd/5483: 2 locks held by getty/5576: #0: ffff88814d78b0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243 #1: ffffc9000332b2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x41b/0x1510 drivers/tty/n_tty.c:2211 1 lock held by syz-executor/5801: 2 locks held by syz-executor/5817: 5 locks held by kworker/0:4/5863: 4 locks held by kworker/0:6/5877: #0: ffff888035a7a948 ((wq_completion)wg-kex-wg1#4){+.+.}-{0:0}, at: process_one_work+0x128d/0x1b20 kernel/workqueue.c:3232 #1: ffffc9000441fc90 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __asm__ ("" : "=r"(__ptr) : "0"((__typeof__(*((worker))) *)(( unsigned long)((worker))))); (typeof((__typeof__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_one_work+0x914/0x1b20 kernel/workqueue.c:3233 #2: ffff88807da61308 (&wg->static_identity.lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x1c2/0x880 drivers/net/wireguard/noise.c:598 #3: ffff8880265c5c60 (&handshake->lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x5ac/0x880 drivers/net/wireguard/noise.c:632 3 locks held by kworker/0:7/5884: 3 locks held by kworker/1:5/5925: 3 locks held by kworker/0:8/5944: 3 locks held by kworker/u8:18/6029: 3 locks held by kworker/u8:19/6164: 4 locks held by kworker/1:8/6324: #0: ffff888058fbf148 ((wq_completion)wg-kex-wg1#8){+.+.}-{0:0}, at: process_one_work+0x128d/0x1b20 kernel/workqueue.c:3232 #1: ffffc900046afc90 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __asm__ ("" : "=r"(__ptr) : "0"((__typeof__(*((worker))) *)(( unsigned long)((worker))))); (typeof((__typeof__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_one_work+0x914/0x1b20 kernel/workqueue.c:3233 #2: ffff88807daed308 (&wg->static_identity.lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x1c2/0x880 drivers/net/wireguard/noise.c:598 #3: ffff88802945bea8 (&handshake->lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x666/0x880 drivers/net/wireguard/noise.c:643 3 locks held by kworker/1:9/6503: 3 locks held by kworker/u8:20/6504: 3 locks held by kworker/u8:21/6665: 4 locks held by kworker/u8:22/6856: 4 locks held by kworker/0:11/7323: 3 locks held by kworker/u8:23/7714: 3 locks held by kworker/1:10/8746: 2 locks held by kworker/1:11/9139: 4 locks held by kworker/1:12/9344: #0: ffff8880589f5548 ((wq_completion)wg-kex-wg2#8){+.+.}-{0:0}, at: process_one_work+0x128d/0x1b20 kernel/workqueue.c:3232 #1: ffffc9000438fc90 ((work_completion)(&({ do { const void *__vpp_verify = (typeof((worker) + 0))((void *)0); (void)__vpp_verify; } while (0); ({ unsigned long __ptr; __asm__ ("" : "=r"(__ptr) : "0"((__typeof__(*((worker))) *)(( unsigned long)((worker))))); (typeof((__typeof__(*((worker))) *)(( unsigned long)((worker))))) (__ptr + (((__per_cpu_offset[(cpu)])))); }); })->work)){+.+.}-{0:0}, at: process_one_work+0x914/0x1b20 kernel/workqueue.c:3233 #2: ffff8880589a5308 (&wg->static_identity.lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x1c2/0x880 drivers/net/wireguard/noise.c:598 #3: ffff88802945d278 (&handshake->lock){++++}-{4:4}, at: wg_noise_handshake_consume_initiation+0x5ac/0x880 drivers/net/wireguard/noise.c:632 7 locks held by syz.1.1291/11057: 2 locks held by kworker/0:12/11062: 3 locks held by syz.3.1293/11071: 7 locks held by kworker/u8:0/11086: 5 locks held by kworker/u9:0/11093: #0: ffff888036ae1948 ((wq_completion)hci5){+.+.}-{0:0}, at: process_one_work+0x128d/0x1b20 kernel/workqueue.c:3232 #1: ffffc900036c7c90 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x914/0x1b20 kernel/workqueue.c:3233 #2: ffff88805714cec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x175/0x470 net/bluetooth/hci_sync.c:331 #3: ffff88805714c0c0 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x13f/0xb20 net/bluetooth/hci_sync.c:5702 #4: ffffffff903bf648 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:2128 [inline] #4: ffffffff903bf648 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_failed+0x14f/0x360 net/bluetooth/hci_conn.c:1336 4 locks held by kworker/u8:24/11110: 6 locks held by syz-executor/11118: 4 locks held by syz-executor/11119: 5 locks held by kworker/u9:1/11123: #0: ffff8880564bd948 ((wq_completion)hci7){+.+.}-{0:0}, at: process_one_work+0x128d/0x1b20 kernel/workqueue.c:3232 #1: ffffc90002ea7c90 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x914/0x1b20 kernel/workqueue.c:3233 #2: ffff888036c00ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x175/0x470 net/bluetooth/hci_sync.c:331 #3: ffff888036c000c0 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x13f/0xb20 net/bluetooth/hci_sync.c:5702 #4: ffffffff903bf648 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:2128 [inline] #4: ffffffff903bf648 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_failed+0x14f/0x360 net/bluetooth/hci_conn.c:1336 7 locks held by kworker/u9:2/11125: #0: ffff888025a49148 ((wq_completion)hci6){+.+.}-{0:0}, at: process_one_work+0x128d/0x1b20 kernel/workqueue.c:3232 #1: ffffc9000eb47c90 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x914/0x1b20 kernel/workqueue.c:3233 #2: ffff888045028ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_cmd_sync_work+0x175/0x470 net/bluetooth/hci_sync.c:331 #3: ffff8880450280c0 (&hdev->lock){+.+.}-{4:4}, at: hci_abort_conn_sync+0x13f/0xb20 net/bluetooth/hci_sync.c:5702 #4: ffffffff903bf648 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:2128 [inline] #4: ffffffff903bf648 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_failed+0x14f/0x360 net/bluetooth/hci_conn.c:1336 #5: ffff888054ffdb38 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x80/0x760 net/bluetooth/l2cap_core.c:1763 #6: ffffffff8e3d4df8 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock+0x284/0x3c0 kernel/rcu/tree_exp.h:311 4 locks held by syz-executor/11127: #0: ffffffff9012bb90 (pernet_ops_rwsem){++++}-{4:4}, at: copy_net_ns+0x333/0x7c0 net/core/net_namespace.c:577 #1: ffffffff8fd6c830 (devices_rwsem){++++}-{4:4}, at: rdma_dev_init_net+0x28c/0x590 drivers/infiniband/core/device.c:1215 #2: ffffffff8fd6c5b0 (rdma_nets_rwsem){++++}-{4:4}, at: rdma_dev_init_net+0x2ff/0x590 drivers/infiniband/core/device.c:1220 #3: ffff8880559d0f98 (&device->compat_devs_mutex){+.+.}-{4:4}, at: add_one_compat_dev+0x112/0x820 drivers/infiniband/core/device.c:979 2 locks held by syz-executor/11129: 4 locks held by kworker/u8:25/11130: 4 locks held by kworker/u8:26/11132: ============================================= NMI backtrace for cpu 1 CPU: 1 UID: 0 PID: 31 Comm: khungtaskd Tainted: G L syzkaller #0 PREEMPT(full) Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113 nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline] __sys_info lib/sys_info.c:157 [inline] sys_info+0x133/0x180 lib/sys_info.c:165 check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline] watchdog+0xe66/0x1180 kernel/hung_task.c:515 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 Sending NMI from CPU 1 to CPUs 0: NMI backtrace for cpu 0 CPU: 0 UID: 0 PID: 11086 Comm: kworker/u8:0 Tainted: G L syzkaller #0 PREEMPT(full) Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: events_unbound cfg80211_wiphy_work RIP: 0010:debug_check_no_obj_freed+0x4/0x600 lib/debugobjects.c:1127 Code: e8 31 7d 73 fd e9 27 ff ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa <55> 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 e4 f0 48 81 ec 00 01 RSP: 0018:ffffc90000006ef8 EFLAGS: 00000246 RAX: 0000000000000046 RBX: ffff8880ae9543c0 RCX: ffff88803333d5a0 RDX: ffffffff8e3c96c8 RSI: 00000000000000f0 RDI: ffff8880ae9543c0 RBP: ffffc90000006f60 R08: 0000000000000007 R09: 0000000000000000 R10: ffffea0002ba5500 R11: 0000000000002ba1 R12: ffff888141afea00 R13: 0000000000212110 R14: 0000000000000000 R15: ffffea0002ba5500 FS: 0000000000000000(0000) GS:ffff8881248f4000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f6a8b25d700 CR3: 000000005c889000 CR4: 00000000003526f0 Call Trace: slab_free_hook mm/slub.c:2471 [inline] slab_free mm/slub.c:6670 [inline] kmem_cache_free+0x2b1/0x770 mm/slub.c:6781 kfree_skbmem+0x1a4/0x1f0 net/core/skbuff.c:1130 __kfree_skb net/core/skbuff.c:1197 [inline] sk_skb_reason_drop+0x136/0x1a0 net/core/skbuff.c:1234 kfree_skb_reason include/linux/skbuff.h:1322 [inline] kfree_skb include/linux/skbuff.h:1331 [inline] ip6_mc_input+0x82c/0xf60 net/ipv6/ip6_input.c:593 dst_input include/net/dst.h:474 [inline] dst_input include/net/dst.h:472 [inline] ip6_rcv_finish+0x3df/0x580 net/ipv6/ip6_input.c:79 ip_sabotage_in+0x21e/0x290 net/bridge/br_netfilter_hooks.c:990 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline] nf_hook_slow+0xbe/0x200 net/netfilter/core.c:623 nf_hook.constprop.0+0x424/0x750 include/linux/netfilter.h:273 NF_HOOK include/linux/netfilter.h:316 [inline] ipv6_rcv+0xa4/0x650 net/ipv6/ip6_input.c:311 __netif_receive_skb_one_core+0x12d/0x1e0 net/core/dev.c:6139 __netif_receive_skb+0x1d/0x160 net/core/dev.c:6252 netif_receive_skb_internal net/core/dev.c:6338 [inline] netif_receive_skb+0x137/0x760 net/core/dev.c:6397 NF_HOOK include/linux/netfilter.h:318 [inline] NF_HOOK include/linux/netfilter.h:312 [inline] br_pass_frame_up+0x346/0x490 net/bridge/br_input.c:70 br_handle_frame_finish+0x10e8/0x1f00 net/bridge/br_input.c:235 br_nf_hook_thresh+0x307/0x410 net/bridge/br_netfilter_hooks.c:1167 br_nf_pre_routing_finish_ipv6+0x76a/0xfc0 net/bridge/br_netfilter_ipv6.c:154 NF_HOOK include/linux/netfilter.h:318 [inline] br_nf_pre_routing_ipv6+0x3cd/0x8c0 net/bridge/br_netfilter_ipv6.c:184 br_nf_pre_routing+0x860/0x15b0 net/bridge/br_netfilter_hooks.c:508 nf_hook_entry_hookfn include/linux/netfilter.h:158 [inline] nf_hook_bridge_pre net/bridge/br_input.c:291 [inline] br_handle_frame+0xb28/0x14e0 net/bridge/br_input.c:442 __netif_receive_skb_core.constprop.0+0x6b3/0x35b0 net/core/dev.c:6026 __netif_receive_skb_one_core+0xb0/0x1e0 net/core/dev.c:6137 __netif_receive_skb+0x1d/0x160 net/core/dev.c:6252 process_backlog+0x4a2/0x1650 net/core/dev.c:6604 __napi_poll.constprop.0+0xb3/0x540 net/core/dev.c:7668 napi_poll net/core/dev.c:7731 [inline] net_rx_action+0x9f9/0xfa0 net/core/dev.c:7883 handle_softirqs+0x219/0x950 kernel/softirq.c:622 do_softirq kernel/softirq.c:523 [inline] do_softirq+0xb2/0xf0 kernel/softirq.c:510 __local_bh_enable_ip+0x100/0x120 kernel/softirq.c:450 spin_unlock_bh include/linux/spinlock.h:396 [inline] cfg80211_inform_single_bss_data+0x9ad/0x1d30 net/wireless/scan.c:2389 cfg80211_inform_bss_data+0x22b/0x3be0 net/wireless/scan.c:3228 cfg80211_inform_bss_frame_data+0x26f/0x720 net/wireless/scan.c:3319 ieee80211_bss_info_update+0x310/0xab0 net/mac80211/scan.c:230 ieee80211_rx_bss_info net/mac80211/ibss.c:1094 [inline] ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1575 [inline] ieee80211_ibss_rx_queued_mgmt+0x1927/0x2fc0 net/mac80211/ibss.c:1602 ieee80211_iface_process_skb net/mac80211/iface.c:1736 [inline] ieee80211_iface_work+0xe28/0x1350 net/mac80211/iface.c:1790 cfg80211_wiphy_work+0x3fb/0x560 net/wireless/core.c:438 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 process_scheduled_works kernel/workqueue.c:3340 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3421 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x983/0xb10 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246