watchdog: BUG: soft lockup - CPU#0 stuck for 123s! [syz.2.23:6014]
Modules linked in:
irq event stamp: 13006045
hardirqs last  enabled at (13006044): [<ffffffff8b96fbbc>] irqentry_exit+0x59c/0x620 kernel/entry/common.c:219
hardirqs last disabled at (13006045): [<ffffffff8b96e5ce>] sysvec_apic_timer_interrupt+0xe/0xc0 arch/x86/kernel/apic/apic.c:1056
softirqs last  enabled at (11270842): [<ffffffff8186fcaf>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last  enabled at (11270842): [<ffffffff8186fcaf>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last  enabled at (11270842): [<ffffffff8186fcaf>] __irq_exit_rcu+0x5f/0x150 kernel/softirq.c:723
softirqs last disabled at (11270845): [<ffffffff8186fcaf>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (11270845): [<ffffffff8186fcaf>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (11270845): [<ffffffff8186fcaf>] __irq_exit_rcu+0x5f/0x150 kernel/softirq.c:723
CPU: 0 UID: 0 PID: 6014 Comm: syz.2.23 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
RIP: 0010:orc_find arch/x86/kernel/unwind_orc.c:220 [inline]
RIP: 0010:unwind_next_frame+0x1db/0x23c0 arch/x86/kernel/unwind_orc.c:510
Code: c2 c0 a4 a9 8b 49 29 dc 0f 84 b2 02 00 00 49 81 fc 00 00 00 81 0f 92 c0 49 81 fc b8 b3 9a 8b 0f 93 c1 08 c1 0f 85 05 01 00 00 <48> c7 c0 00 00 00 81 4d 89 e7 49 29 c7 49 c1 ef 08 8b 15 4e 10 82
RSP: 0018:ffffc90000006e18 EFLAGS: 00000246
RAX: 1ffff92000000d00 RBX: 0000000000000001 RCX: 0000000000000100
RDX: ffffffff8ba9a4c0 RSI: ffffffff8c073960 RDI: ffffffff8c073920
RBP: dffffc0000000000 R08: ffffffff81759195 R09: ffffffff8e55a360
R10: ffffc90000006a48 R11: ffffffff81afb170 R12: ffffffff8ae5dd43
R13: ffffc90000006f38 R14: ffffc90000006ee8 R15: ffffc90000006f30
FS:  00007f2bca3f66c0(0000) GS:ffff8881256f5000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055cf4146d2b0 CR3: 000000007a834000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 <IRQ>
 arch_stack_walk+0x11b/0x150 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0xa9/0x100 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __do_kmalloc_node mm/slub.c:5657 [inline]
 __kmalloc_noprof+0x40c/0x7e0 mm/slub.c:5669
 kmalloc_noprof include/linux/slab.h:961 [inline]
 kzalloc_noprof include/linux/slab.h:1094 [inline]
 cfg80211_inform_single_bss_data+0x934/0x1ab0 net/wireless/scan.c:2345
 cfg80211_inform_bss_data+0x23f/0x3c20 net/wireless/scan.c:3228
 cfg80211_inform_bss_frame_data+0x3c7/0x710 net/wireless/scan.c:3319
 ieee80211_bss_info_update+0x794/0xa40 net/mac80211/scan.c:230
 ieee80211_scan_rx+0x552/0xa40 net/mac80211/scan.c:364
 __ieee80211_rx_handle_packet net/mac80211/rx.c:5287 [inline]
 ieee80211_rx_list+0x2508/0x3050 net/mac80211/rx.c:5544
 ieee80211_rx_napi+0x1b1/0x3e0 net/mac80211/rx.c:5567
 ieee80211_rx include/net/mac80211.h:5216 [inline]
 ieee80211_handle_queued_frames+0xe8/0x1e0 net/mac80211/main.c:452
 tasklet_action_common+0x2da/0x4b0 kernel/softirq.c:925
 handle_softirqs+0x22a/0x7c0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0x5f/0x150 kernel/softirq.c:723
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1056
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:rcu_read_unlock_special+0x1d/0x420 kernel/rcu/tree_plugin.h:770
Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 55 41 57 41 56 41 55 41 54 53 48 83 ec 10 65 8b 2d 7b 50 48 11 f7 c5 00 00 f0 00 74 14 <48> 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d e9 90 73 ef 09 cc 49 89
RSP: 0018:ffffc9000506e900 EFLAGS: 00000206
RAX: 0000000000000002 RBX: 0000000000000246 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffffffff8dcc9112 RDI: ffffffff8c073980
RBP: ffff8881256f5000 R08: ffffffff8fef1a77 R09: 1ffffffff1fde34e
R10: dffffc0000000000 R11: fffffbfff1fde34f R12: ffffffff8e560578
R13: dffffc0000000000 R14: 0000000000000001 R15: ffff8880b863b8e8
 __rcu_read_unlock+0x83/0xe0 kernel/rcu/tree_plugin.h:438
 rcu_read_unlock include/linux/rcupdate.h:899 [inline]
 class_rcu_destructor include/linux/rcupdate.h:1195 [inline]
 unwind_next_frame+0x1aaf/0x23c0 arch/x86/kernel/unwind_orc.c:695
 arch_stack_walk+0x11b/0x150 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0xa9/0x100 kernel/stacktrace.c:122
 kasan_save_stack+0x3e/0x60 mm/kasan/common.c:57
 kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:556
 __call_rcu_common kernel/rcu/tree.c:3119 [inline]
 call_rcu+0xee/0x890 kernel/rcu/tree.c:3239
 context_switch kernel/sched/core.c:5263 [inline]
 __schedule+0x14f2/0x5050 kernel/sched/core.c:6867
 preempt_schedule_irq+0x4d/0xa0 kernel/sched/core.c:7194
 irqentry_exit+0x597/0x620 kernel/entry/common.c:216
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:__kernel_text_address+0x0/0x30 kernel/extable.c:78
Code: c1 03 38 c1 7c c1 48 c7 c7 80 d8 ee 8f e8 d8 01 9e 00 eb b3 66 0f 1f 44 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <0f> 1f 40 d6 53 48 89 fb e8 33 00 00 00 48 81 fb 00 60 58 91 0f 93
RSP: 0018:ffffc9000506f180 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffffc9000506f1f0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8dcc9112 RDI: ffffffff81d61fc7
RBP: ffffc9000506f230 R08: ffffffff8fef1a77 R09: 1ffffffff1fde34e
R10: dffffc0000000000 R11: fffffbfff1fde34f R12: ffff88801cbe3d00
R13: 1ffff1100397c85a R14: dffffc0000000000 R15: 1ffff92000a0de3e
 unwind_get_return_address+0x4d/0x90 arch/x86/kernel/unwind_orc.c:385
 arch_stack_walk+0xfb/0x150 arch/x86/kernel/stacktrace.c:26
 stack_trace_save+0xa9/0x100 kernel/stacktrace.c:122
 save_stack+0x122/0x230 mm/page_owner.c:165
 __reset_page_owner+0x71/0x1f0 mm/page_owner.c:320
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xbf8/0xd70 mm/page_alloc.c:2973
 __folio_put+0x414/0x4f0 mm/swap.c:112
 page_pool_empty_ring net/core/page_pool.c:1117 [inline]
 page_pool_scrub net/core/page_pool.c:1183 [inline]
 page_pool_release+0x858/0xd90 net/core/page_pool.c:1191
 page_pool_destroy+0x1d5/0x3f0 net/core/page_pool.c:1300
 xdp_test_run_teardown net/bpf/test_run.c:207 [inline]
 bpf_test_run_xdp_live+0x1c52/0x1cf0 net/bpf/test_run.c:385
 bpf_prog_test_run_xdp+0x81c/0x1160 net/bpf/test_run.c:1396
 bpf_prog_test_run+0x2c7/0x340 kernel/bpf/syscall.c:4703
 __sys_bpf+0x5cb/0x920 kernel/bpf/syscall.c:6182
 __do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2bcc19aeb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2bca3f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f2bcc415fa0 RCX: 00007f2bcc19aeb9
RDX: 0000000000000048 RSI: 0000200000000600 RDI: 000000000000000a
RBP: 00007f2bcc208c1f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f2bcc416038 R14: 00007f2bcc415fa0 R15: 00007ffebde3b928
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 70 Comm: kworker/u8:4 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Workqueue: writeback wb_workfn (flush-8:0)
RIP: 0010:csd_lock_wait kernel/smp.c:342 [inline]
RIP: 0010:smp_call_function_many_cond+0xce5/0x1270 kernel/smp.c:877
Code: 45 8b 2c 24 44 89 ee 83 e6 01 31 ff e8 c4 db 0b 00 41 83 e5 01 49 bd 00 00 00 00 00 fc ff df 75 07 e8 6f d7 0b 00 eb 38 f3 90 <42> 0f b6 04 2b 84 c0 75 11 41 f7 04 24 01 00 00 00 74 1e e8 53 d7
RSP: 0018:ffffc9000215e520 EFLAGS: 00000293
RAX: ffffffff81b89ffd RBX: 1ffff110170c856d RCX: ffff88801b7f3d00
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc9000215e650 R08: ffff88807798b047 R09: 1ffff1100ef31608
R10: dffffc0000000000 R11: ffffffff81778480 R12: ffff8880b8642b68
R13: dffffc0000000000 R14: ffff8880b873bb00 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8881257f5000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055cf41330040 CR3: 0000000027314000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 <TASK>
 on_each_cpu_cond_mask+0x3f/0x80 kernel/smp.c:1043
 __flush_tlb_multi arch/x86/include/asm/paravirt.h:91 [inline]
 flush_tlb_multi arch/x86/mm/tlb.c:1382 [inline]
 flush_tlb_mm_range+0x5c3/0x10c0 arch/x86/mm/tlb.c:1472
 flush_tlb_page arch/x86/include/asm/tlbflush.h:324 [inline]
 ptep_clear_flush+0x120/0x170 mm/pgtable-generic.c:103
 page_vma_mkclean_one+0x415/0x790 mm/rmap.c:1017
 page_mkclean_one+0x1d8/0x2b0 mm/rmap.c:1065
 __rmap_walk_file+0x467/0x620 mm/rmap.c:2924
 rmap_walk mm/rmap.c:2968 [inline]
 folio_mkclean+0x2bb/0x3d0 mm/rmap.c:1097
 folio_clear_dirty_for_io+0x1a5/0x710 mm/page-writeback.c:2932
 mpage_submit_folio+0x86/0x2b0 fs/ext4/inode.c:2068
 mpage_map_and_submit_buffers fs/ext4/inode.c:2330 [inline]
 mpage_map_and_submit_extent fs/ext4/inode.c:2520 [inline]
 ext4_do_writepages+0x205b/0x4600 fs/ext4/inode.c:2932
 ext4_writepages+0x241/0x3b0 fs/ext4/inode.c:3026
 do_writepages+0x32e/0x550 mm/page-writeback.c:2598
 __writeback_single_inode+0x133/0x1230 fs/fs-writeback.c:1737
 writeback_sb_inodes+0x92e/0x1940 fs/fs-writeback.c:2030
 __writeback_inodes_wb+0x111/0x240 fs/fs-writeback.c:2107
 wb_writeback+0x459/0xad0 fs/fs-writeback.c:2218
 wb_check_old_data_flush fs/fs-writeback.c:2322 [inline]
 wb_do_writeback fs/fs-writeback.c:2375 [inline]
 wb_workfn+0xaee/0xef0 fs/fs-writeback.c:2403
 process_one_work kernel/workqueue.c:3257 [inline]
 process_scheduled_works+0xaec/0x17a0 kernel/workqueue.c:3340
 worker_thread+0xda6/0x1360 kernel/workqueue.c:3421
 kthread+0x726/0x8b0 kernel/kthread.c:463
 ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
 </TASK>